WO2020248624A1 - Communication method, network device, user equipment and access network device - Google Patents
- Publication number: WO2020248624A1 (PCT/CN2020/076975)
- Authority: WO (WIPO, PCT)
- Prior art keywords: network device, group list, group, access, list
Classifications
- H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H04W12/08 Access security
- H04W4/08 User group management (Services to user groups; Selective distribution of broadcast services)
- H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery
- H04W76/11 Allocation or use of connection identifiers (Connection setup; Connection management)
Definitions
- This application relates to the field of communications, and in particular to a communication method, user equipment, access network equipment and network equipment.
- A group allows a specific set of subscribers to access one or more specific cells.
- Access to a group requires the support of the user equipment (UE), the access network equipment, and the core network.
- UE: user equipment.
- When the UE accesses a group, the core network and the UE exchange information to complete the verification.
- The signalling used for this data interaction between the core network device and the UE therefore needs to be reliable and effective, must not leak data, and must protect the privacy of the UE.
- This application provides a communication method, network equipment, user equipment, and access network equipment, which can avoid data leakage and protect the privacy of the UE.
- A communication method including: a first network device receives an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups to which the UE requests access; the first network device decrypts the encrypted first group list to obtain the first group list; the first network device determines the subscription group list saved by the unified data management (UDM) network element; the first network device determines a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; when the second group list exists, the first network device sends the second group list to the access network device.
- The first network device receives and decrypts the requested group list, which the UE sends in encrypted form, thereby avoiding data leakage and protecting the privacy of the UE.
- the first network device sends the identifier of the group that the UE is allowed to access to the access network device, and the access network device can prepare for data transmission after the UE accesses the group.
- The first network device receiving the encrypted first group list sent by the UE includes: the first network device receives the encrypted first group list sent by the UE through a non-access stratum (NAS) security mode (SM) complete message; or, the first network device receives the encrypted first group list sent by the UE through an uplink NAS message protected by a NAS security context.
- the first network device receives the encrypted first group list, and realizes the encrypted transmission of the first group list without adding additional procedures.
- the receiving UE sends the encrypted first group list through the NAS SM completion message, which can reduce the information interaction between the UE and the first network device and reduce the impact on the system.
- The method further includes: when the second group list does not exist, the first network device calculates a message verification code according to the shared key between the UE and the first network device, and the first network device sends a registration rejection message to the access network device; the message verification code is used by the UE to verify the registration rejection message.
- the UE can verify the registration rejection message to prevent the UE from being unable to access the group due to the forged or modified registration rejection message.
- The method includes: the first network device receives a third group list sent by the access network device, the third group list including the identifiers of the groups supported by the access network device.
- The first network device determines the second group list according to the group list supported by the access network device, the group list that the UE requests to access, and the subscription group list, which ensures the accuracy of the groups that the UE is allowed to access.
- The method includes: the first network device receives access group request information sent by the access network device, the access group request information being used to indicate that the UE requests access to a group.
- A communication method including: a user equipment (UE) encrypts a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups to which the UE requests access; the UE sends the encrypted first group list.
- the UE sends a request to access the group list in an encrypted manner, avoiding data leakage and protecting the privacy of the UE.
- The UE sending the encrypted first group list includes: the UE sends the encrypted first group list to the first network device through a NAS security mode (SM) complete message; or, the UE sends the encrypted first group list through an uplink NAS message protected by the NAS security context.
- the UE sends the encrypted first group list through the NAS SM completion message or the uplink NAS message protected by the NAS security context, which realizes the encrypted transmission of the first group list without adding additional procedures.
- the UE sends the encrypted first group list through the NAS SM completion message, which can reduce the information interaction between the UE and the first network device and reduce the impact on the system.
- The method further includes: the UE receives a registration rejection message sent by the first network device, the registration rejection message including a message verification code, and the UE verifies the registration rejection message according to the message verification code.
- the UE verifies the registration rejection message according to the message verification code, so as to prevent the UE from being unable to access the group due to a forged or modified registration rejection message.
- The method includes: the UE sends access group request information to the access network device, the access group request information being used to indicate that the UE requests access to a group.
- A communication method including: an access network device receives an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups to which the UE requests access; the access network device sends the encrypted first group list on to the first network device; the access network device receives a second group list sent by the first network device, the second group list including the identifiers of one or more groups that the UE is allowed to access; the access network device sends the quality of service (QoS) of the one or more groups to the UE.
- The method includes: the access network device receives access group request information sent by the UE, the access group request information being used to indicate that the UE requests access to a group.
- the access network device receives the identifier of the group that the UE is allowed to access sent by the network device, and prepares for subsequent UE access to the group, which can reduce the system delay.
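The decision logic of the method aspects above, as an added example that is not part of the patent: the first network device intersects the UE's requested group list with the UDM subscription list (and, when present, the access network device's supported list), and when nothing remains it issues a registration rejection carrying a message verification code that the UE checks. NAS confidentiality protection of the first group list is assumed to have already been applied by the NAS security context; the HMAC-SHA256 MAC, the message layout, the cause value and all keys and group IDs are constructed for this example.

```python
"""Group-access decision and MAC-protected registration reject (constructed example)."""
import hashlib
import hmac
import struct
from typing import Iterable, List, Optional, Tuple, Union

# Constructed placeholder for the reject cause; not taken from any specification.
CAUSE_GROUP_NOT_ALLOWED = 76
REJECT_LEN = 1 + 4 + 4  # cause | NAS count | MAC


def determine_second_group_list(first_list: Iterable[int],
                                subscription_list: Iterable[int],
                                third_list: Optional[Iterable[int]] = None) -> List[int]:
    """Second group list = requested groups (first list) that are in the UDM
    subscription list and, if the access network device reported the groups it
    supports (third list), also in that list. Request order kept, duplicates dropped."""
    allowed = set(subscription_list)
    if third_list is not None:
        allowed &= set(third_list)
    second: List[int] = []
    for gid in first_list:
        if gid in allowed and gid not in second:
            second.append(gid)
    return second


def _mac(shared_key: bytes, count: int, payload: bytes) -> bytes:
    """Message verification code over a freshness counter and the payload, derived
    from the UE/first-network-device shared key. HMAC-SHA256 truncated to 32 bits
    stands in for the NAS integrity algorithm (constructed choice)."""
    data = struct.pack(">I", count) + payload
    return hmac.new(shared_key, data, hashlib.sha256).digest()[:4]


def build_registration_reject(shared_key: bytes, count: int, cause: int) -> bytes:
    """First network device side: 1-byte cause | 4-byte count | 4-byte MAC."""
    payload = bytes([cause])
    return payload + struct.pack(">I", count) + _mac(shared_key, count, payload)


def ue_verify_registration_reject(shared_key: bytes, message: bytes,
                                  expected_min_count: int) -> Optional[int]:
    """UE side: returns the cause only if the MAC verifies and the count is fresh;
    a forged, modified or replayed reject yields None and is discarded."""
    if len(message) != REJECT_LEN:
        return None
    cause = message[0]
    count = struct.unpack(">I", message[1:5])[0]
    if count < expected_min_count:          # replay of an old reject
        return None
    if not hmac.compare_digest(message[5:], _mac(shared_key, count, bytes([cause]))):
        return None
    return cause


def first_network_device_handle(shared_key: bytes, count: int,
                                first_list: Iterable[int],
                                subscription_list: Iterable[int],
                                third_list: Optional[Iterable[int]] = None
                                ) -> Tuple[str, Union[List[int], bytes]]:
    """Returns ("second_list", ids) for the access network device when the second
    group list exists, otherwise ("reject", protected registration reject)."""
    second = determine_second_group_list(first_list, subscription_list, third_list)
    if second:
        return "second_list", second
    return "reject", build_registration_reject(shared_key, count, CAUSE_GROUP_NOT_ALLOWED)


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed shared key
    print(first_network_device_handle(key, 7, [1, 2, 3, 4], [2, 3, 4, 5], [3, 4, 6]))
    kind, reject = first_network_device_handle(key, 7, [1, 2], [3, 4])
    assert kind == "reject" and isinstance(reject, bytes)
    print("genuine reject ->", ue_verify_registration_reject(key, reject, 7))
    forged = bytes([CAUSE_GROUP_NOT_ALLOWED + 1]) + reject[1:]
    print("modified reject ->", ue_verify_registration_reject(key, forged, 7))
```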
- A network device including: a transceiver module, a decryption module, and a determining module; the transceiver module is configured to receive an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups to which the UE requests access; the decryption module is used to decrypt the encrypted first group list to obtain the first group list; the determining module is used to determine the subscription group list saved by the unified data management (UDM) network element; the determining module is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; the transceiver module is further configured to send the second group list to the access network device when the second group list exists.
- the transceiver module is configured to receive the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message.
- The network device further includes a calculation module, which is configured to calculate a message verification code according to the shared key between the UE and the first network device when the second group list does not exist; the transceiver module is further configured to send a registration rejection message to the access network device, and the message verification code is used by the UE to verify the registration rejection message.
- The transceiver module is further configured to receive a third group list sent by the access network device, where the third group list includes the identifiers of the groups supported by the access network device; the determining module is configured to determine the second group list according to the first group list, the third group list, and the subscription group list.
- A user equipment including: an encryption module and a transceiver module; the encryption module is used to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups that the UE requests to access;
- the transceiver module is configured to send the encrypted first group list.
- The transceiver module is configured to send the encrypted first group list to the first network device through a NAS security mode (SM) complete message; or, the transceiver module is configured to send the encrypted first group list through an uplink NAS message protected by the NAS security context.
- The transceiver module is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code; the user equipment further includes a verification module, which is used to verify the registration rejection message according to the message verification code.
- An access network device comprising: a transceiver module and a generating module; the transceiver module is configured to receive an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the transceiver module is also used to send the encrypted first group list; the transceiver module is also used to receive a second group list sent by the first network device, where the second group list includes the identifiers of one or more groups that the UE is allowed to access; the generating module is configured to generate the quality of service (QoS) information of the one or more groups according to their identifiers; the transceiver module is further configured to send the QoS information to the UE.
- A network device including: a processor and a communication interface; the communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), where the first group list includes the identifiers of one or more groups that the UE requests to access; the processor is configured to decrypt the encrypted first group list to obtain the first group list; the processor is further configured to determine the subscription group list saved by the unified data management (UDM) network element; the processor is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; when the second group list exists, the communication interface sends the second group list to the access network device.
- the communication interface is configured to receive the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message.
- When the second group list does not exist, the processor is further configured to calculate a message verification code according to the shared key between the UE and the first network device; the communication interface is further used to send a registration rejection message to the access network device, and the message verification code is used by the UE to verify the registration rejection message.
- The communication interface is further configured to receive a third group list sent by the access network device, where the third group list includes the identifiers of the groups supported by the access network device; the processor is configured to determine the second group list according to the first group list, the third group list, and the subscription group list.
- A user equipment including: a processor and a communication interface; the processor is configured to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups that the UE requests to access; the communication interface is used to send the encrypted first group list.
- The communication interface is configured to send the encrypted first group list to the first network device through a NAS security mode (SM) complete message; or, the communication interface is used to send the encrypted first group list through an uplink NAS message protected by the NAS security context.
- The communication interface is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code, and the message verification code is used by the UE to verify the registration rejection message.
- An access network device including: a processor and a communication interface; the communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the communication interface is also used to send the encrypted first group list; the communication interface is also used to receive a second group list sent by the first network device, the second group list including the identifiers of one or more groups that the UE is allowed to access; the communication interface is also used to send the QoS of each of the one or more groups to the UE.
- a communication system including the aforementioned access network equipment, network equipment, and user equipment.
- a computer program storage medium has program instructions, and when the program instructions are executed, the method described above is executed.
- In a twelfth aspect, a chip includes at least one processor, and when a program instruction is executed by the at least one processor, the method described above is executed.
- FIG. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application.
- FIG. 2 is a schematic flowchart of a method for a terminal device to access a group.
- FIG. 3 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- FIG. 4 is a schematic flowchart of establishing an access stratum security mode.
- FIG. 5 is a schematic flowchart of establishing a non-access stratum security mode.
- FIG. 6 is a schematic flowchart of authentication.
- FIG. 7 is a schematic flowchart of a communication method provided by another embodiment of the present application.
- FIG. 8 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 9 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 10 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 11 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 12 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 13 is a schematic structural diagram of a user equipment provided by an embodiment of the present application.
- FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of the present application.
- FIG. 15 is a schematic structural diagram of an access network device provided by an embodiment of the present application.
- FIG. 16 is a schematic structural diagram of a user equipment according to another embodiment of the present application.
- FIG. 17 is a schematic structural diagram of a network device provided by another embodiment of the present application.
- FIG. 18 is a schematic structural diagram of an access network device according to another embodiment of the present application.
- GSM: global system for mobile communications
- CDMA: code division multiple access
- WCDMA: wideband code division multiple access
- GPRS: general packet radio service
- LTE: long term evolution
- FDD: frequency division duplex
- TDD: time division duplex
- UMTS: universal mobile telecommunication system
- WiMAX: worldwide interoperability for microwave access
- The embodiments of this application do not limit the specific structure of the entity that executes the method, as long as that entity can run a program recording the code of the method provided in the embodiments of this application and thereby communicate according to the method.
- the execution subject of the method provided in the embodiments of the present application may be a terminal or a network device, or a functional module in a UE or a network device that can call and execute the program.
- FIG. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application.
- the network architecture shown in Figure 1 may specifically include the following network elements:
- User equipment: it may also be called terminal equipment, terminal, access terminal, user unit, user station, mobile station, remote station, remote terminal, mobile equipment, user terminal, wireless communication equipment, user agent or user device.
- The UE may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network or in a future evolved public land mobile network (PLMN), etc. It may also be an end device, a logical entity or a smart device, such as a mobile phone, a smart terminal or another terminal device; a server, gateway, base station, controller or other communication device; or an Internet of things (IoT) device, such as a sensor, electricity meter or water meter.
- the UE may also be a wired device, such as
- Access network: provides network access functions for authorized users in a specific area, and can use transmission tunnels of different qualities according to user levels and service requirements.
- the access network may be an access network using different access technologies.
- 3GPP: 3rd Generation Partnership Project
- non-3GPP: non-3rd Generation Partnership Project
- the 3GPP access technology refers to the access technology that complies with the 3GPP standard specifications.
- the access network that adopts the 3GPP access technology is called the radio access network (Radio Access Network, RAN).
- the access network equipment in the 5G system is called Next generation Node Base station (gNB).
- gNB: next generation Node Base station
- A non-3GPP access technology refers to an access technology that does not comply with the 3GPP standard specifications, for example the air interface technology represented by an access point (AP) in Wi-Fi.
- AP: access point
- An access network that implements access network functions based on wired communication technology can be called a wired access network.
- An access network that implements access network functions based on wireless communication technology may be called a radio access network (RAN).
- the wireless access network can manage wireless resources, provide access services for the terminal, and complete the forwarding of control signals and user data between the terminal and the core network.
- The radio access network device can be, for example, a base station (NodeB), an evolved NodeB (eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, or an AP in a Wi-Fi system; it can also be a wireless controller in a cloud radio access network (CRAN) scenario, or a relay station, access point, in-vehicle device, wearable device, network equipment in a future 5G network, or network equipment in a future evolved PLMN network, etc.
- the embodiment of the present application does not limit the specific technology and specific device form adopted by the radio access network device.
- Access and mobility management function (AMF) entity: mainly used for mobility management and access management, and can be used to implement the functions of a mobility management entity (MME) other than session management, for example lawful interception or access authorization (or authentication). In the embodiments of the present application, it can be used to realize the functions of the access and mobility management network element.
- MME: mobility management entity
- Session management function (SMF) entity: mainly used for session management, allocation and management of the UE's Internet Protocol (IP) address, selection of manageable user plane functions, policy control, the termination point of charging function interfaces, downlink data notification, etc. In the embodiments of this application, it can be used to realize the function of the session management network element.
- IP: Internet Protocol
- User plane function (UPF) entity: namely the data plane gateway. It can be used for packet routing and forwarding, quality of service (QoS) processing of user plane data, etc.
- User data can be connected to the data network (DN) through this network element. In the embodiments of this application, it can be used to realize the function of the user plane gateway.
- DN: data network
- Data network (DN): a network used to provide data transmission, such as an operator's business network, the Internet, or a third-party business network.
- Authentication server function (AUSF) entity.
- AUSF: authentication server function
- Network exposure function (NEF) entity used to safely open services and capabilities provided by 3GPP network functions to the outside.
- Network function (NF) repository function (NRF) entity: used to store network function entities and the description information of the services they provide, and to support service discovery, network element entity discovery, etc.
- Policy control function (PCF) entity.
- Unified data management (UDM) entity used to process user identification, access authentication, registration, or mobility management, etc.
- Application function (AF) entity used to route data affected by applications, access network open function network elements, or interact with policy frameworks for policy control, etc.
- The N1 interface is the reference point between the terminal and the AMF entity;
- The N2 interface is the reference point between the AN and the AMF entity, used for non-access stratum (NAS) message transmission, etc.;
- The N3 interface is the reference point between the (R)AN and the UPF entity, used to transmit user plane data, etc.;
- The N4 interface is the reference point between the SMF entity and the UPF entity, used to transmit, for example, the tunnel identification information of the N3 connection, data cache indication information, downlink data notification messages and other information;
- The N6 interface is the reference point between the UPF entity and the DN, used to transmit user plane data, etc.
- the name of the interface between the various network elements in FIG. 1 is only an example, and the name of the interface in a specific implementation may be other names, which is not specifically limited in this application.
- the name of the message (or signaling) transmitted between the various network elements is only an example, and does not constitute any limitation on the function of the message itself.
- the above-mentioned network architecture applied to the embodiment of the present application is only an example of a network architecture described from the perspective of a traditional point-to-point architecture and a service-oriented architecture, and the network architecture applicable to the embodiment of the present application is not limited to this. Any network architecture that can realize the functions of the above-mentioned network elements is applicable to the embodiments of the present application.
- The AMF, SMF, UPF, NSSF, NEF, AUSF, NRF, PCF and UDM network elements shown in Figure 1 can all be understood as network elements used to implement different functions in the core network, and can for example be combined into network slices on demand. These core network elements may be independent devices, or they may be integrated in the same device to implement different functions, which is not limited in this application.
- a device that performs the functions of a core network element can also be called a core network device or a network device.
- Authentication and key agreement (authentication and key agreement, AKA): The user can perform the AKA process with the network during the startup and registration process. Through the AKA process, two-way authentication between the terminal and the network can be realized, so that the key of the terminal and the network can reach an agreement, so as to ensure the secure communication between the two.
- KSEAF: the key sent by the AUSF to the SEAF during UE registration; the SEAF calculates KAMF from it and then sends KAMF to the AMF. The SEAF and the AMF can be deployed independently or combined.
- Key KAMF: the key obtained by the UE and the AMF respectively during the UE registration process.
- The key KAMF is determined according to the key KSEAF.
- KAMF is associated with the 5G key set identifier (ngKSI).
- The UE and the AMF may each pre-store a one-to-one correspondence between at least one KAMF and at least one ngKSI, so that each ngKSI uniquely indicates a KAMF.
- KAMF can subsequently be used to generate the key KgNB.
- Key KgNB: the key derived from the key KAMF, that is, the key KgNB can be determined according to the key KAMF.
- The key KgNB can be generated based on a key derivation function (KDF), KAMF, and the like.
- Encryption key: the parameter input when the sender encrypts the plaintext according to the encryption algorithm to generate the ciphertext. If symmetric encryption is used, the encryption key and the decryption key are the same, and the receiving end can decrypt the ciphertext according to the same encryption algorithm and encryption key. In other words, the sender and receiver encrypt and decrypt based on the same key.
- Integrity protection key: the parameter input when the sender performs integrity protection on the plaintext or ciphertext according to the integrity protection algorithm.
- The receiving end can perform integrity verification on the integrity-protected data according to the same integrity protection algorithm and integrity protection key.
- Security capabilities: including but not limited to security algorithms, security parameters, keys, etc.
- The security capability may include, for example, the security capability of the UE and the security capability of the user plane gateway.
- Security algorithm: the algorithm used in data security protection, for example encryption/decryption algorithms and integrity protection algorithms.
- Security context: information that can be used to implement data encryption and decryption and/or integrity protection.
- the security context may include, for example, encryption/decryption keys, integrity protection keys, freshness parameters (such as NAS Count), ngKSI, and security algorithms.
- Ordinary cells can allow all legitimate subscribers (and roaming users) of the operator to access.
- the group allows a group of subscribers in one or more specific cells to access. In other words, the users who can access the group are limited and conditional.
- the same user can belong to multiple groups, that is, can access multiple groups.
- Each group corresponds to a group ID.
- Group access requires the support of UE, access network equipment and core network.
- the embodiments of this application are applicable to scenarios where the UE needs to access a group.
- the group may be, for example, a closed access group (CAG) or a closed subscriber group (CSG).
- Fig. 2 is a schematic flowchart of a method for a UE to access a group.
- the user identity decryption function (subscription identifier de-concealing function, SIDF) network element can be configured in a unified data management function (unified data management, UDM) network element, or it can be deployed independently.
- UDM network elements can provide the user identity decryption function through the SIDF deployed by themselves or by calling the SIDF.
- the UE is configured with a list 1, and list 1 may be referred to as an allowed CAG identification (ID) list.
- List 1 includes the identification of the CAG that the UE can access.
- the access network device sends List 2 to the UE.
- List 2 is a list of CAG IDs supported by the cell, and List 2 includes the IDs of CAGs supported by the cell.
- the access network device sends list 2 by broadcasting.
- the broadcast content is not necessarily encrypted, that is, all devices within the coverage of the access network device can obtain the information broadcast by the access network device. Therefore, all devices within the coverage of the access network device can obtain List 2.
- the access network device can also send list 2 through unicast.
- the unicast content is not necessarily encrypted, that is, all devices within the coverage of the access network device can obtain the unicast information of the access network device. Therefore, all devices within the coverage of the access network device can obtain List 2.
- the UE matches List 1 and List 2, and obtains the CAG ID contained in both List 1 and List 2, that is, the matched CAG ID (selected matching CAG ID).
- the UE obtains a first matching group, and the first matching group includes one or more matching CAG IDs.
- both List 1 and List 2 include all CAG IDs in the first matching group. In other words, both List 1 and List 2 include the first matching group.
- step 103 the UE sends registration request (registration request, RR) information and the first matching group to the access network device.
- the RR information includes Subscriber Concealed Identifier (SUCI).
- the SUCI is obtained by encrypting the user's permanent identifier (subscription permanent identifier, SUPI) according to the public key corresponding to the home network public key identifier (home network public key identifier).
- the home network public key identifier is used to indicate the public key and/or private key used for SUPI encryption and SUCI decryption. That is, the UE uses a protection scheme with the original public key (i.e., the home network public key) to generate the SUCI.
- the UDM stores the private key corresponding to the home network public key identifier. Algorithms for user privacy should be executed in the UDM's secure environment.
- SIDF is used to decrypt SUCI to get SUPI.
- SIDF will use the home network private key stored securely in the home operator's network to decrypt SUCI. Decryption should be done in UDM.
- the access authority to SIDF should be defined so that only network elements of the home network are allowed to request SIDF.
- the first matching group is sent through a radio resource control (radio resource control, RRC) layer.
- step 104 the access network device sends the RR information and the second matching group to the access and mobility management function (AMF) network element.
- the second matching group may be the same as the first matching group.
- the access network device may match the first matching group with List 2 to obtain the second matching group.
- the second matching group includes one or more CAG IDs. Both the first matching group and List 2 include the second matching group.
- the RR information and the second matching group are sent through the N2 interface between the access network device and the AMF network element.
- the AMF sends an authentication request message, carrying the SUCI, to the unified data management function (UDM)/subscription identifier de-concealing function (SIDF) network element via the authentication server function (AUSF) network element.
- the UDM/SIDF network element determines the SUPI of the UE according to the SUCI.
- step 105 authentication and security procedures are performed.
- the UDM/SIDF network element generates an authentication vector and sends it to the AUSF network element.
- the AUSF network element sends the key KSEAF to the SEAF network element.
- the SEAF network element generates the key KAMF according to the key KSEAF, and sends the key KAMF to the AMF network element.
- the SEAF network element can also be deployed in the equipment where the AMF network element is located.
- the SEAF network element sends a key set identifier (KSI) to the UE.
- the KSI may be a 5G key set identifier (key set identifier in 5G, ngKSI).
- the UE can determine the key KAMF through the KSI.
- NAS: non-access stratum
- AS: access stratum
- the UDM/SIDF network element determines the subscription data of the UE according to SUPI.
- the subscription data may also be called subscription information.
- the subscription data of the UE includes List 3, and List 3 includes the CAG ID that the network side allows the UE to access. List 3 includes one or more CAG IDs.
- step 106 the AMF network element receives list 3 sent by the UDM/SIDF network element.
- the AMF network element matches the second matching group with List 3.
- the AMF checks whether the second matching group and List 3 have at least one CAG ID in common; such a CAG ID is the target CAG ID.
- step 108a If there is a target CAG ID, proceed to step 108a.
- step 108a the AMF sends registration acceptance information to the UE.
- step 108b If there is no target CAG ID, proceed to step 108b.
- step 108b the AMF sends registration rejection information to the UE.
- step 108b the UE deletes the CAG ID corresponding to the first matching group from the list 1.
- the UE can perform the corresponding CAG service.
- the CAG service that the UE wants to perform is related to the type of UE, and each CAG service can only be accessed and used by a specific UE. Therefore, the CAG service that the UE wants to perform involves privacy.
- an attacker can obtain the CAG ID that the UE requests to access by eavesdropping on the air interface, which leaks privacy.
- an embodiment of the present application provides a communication method.
- the CAG ID that the UE requests to access is sent in an encrypted manner. In this way, the possibility of privacy leakage can be reduced.
- Fig. 3 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- step 201 the UE generates an encrypted first group list.
- the group list can also be called a group identification set.
- the first group list includes the identities of one or more groups to which the UE requests access.
- the group may be CAG, CSG, etc., for example.
- the identity of one or more groups that the UE requests to access may be all or part of the identity of the second group list configured for the UE.
- step 202 the UE sends the encrypted first group list.
- the UE may send the encrypted first group list to the AMF network element.
- the UE may establish a NAS security context with an AMF network element, that is, establish a NAS security mode.
- the establishment of NAS security context can be seen in Figure 4.
- the UE may send the first group list to the AMF network element through the NAS SM complete message in the NAS security context establishment process.
- the UE may also send the encrypted first group list to the AMF network element after the NAS security context is established, that is, the UE may send the first group list to the AMF network element through the NAS message protected by the NAS security context.
- the UE can authenticate with the AMF network element to obtain a shared key.
- the UE can establish a NAS security context with the AMF network element according to the shared key.
- the AMF can decrypt the encrypted first group list sent by the UE.
- AMF can decrypt the encrypted first group list through the confidentiality algorithm.
- the UE may encrypt the first group list with the AMF public key.
- the UE may send the encrypted first group list to the AMF network element.
- the AMF public key may be sent by the AMF to the UE, or may be pre-configured by the UE.
- the AMF network element is configured with an AMF private key corresponding to the AMF public key.
- the AMF network element can decrypt the encrypted first group list according to the AMF private key.
- the UE may send the encrypted first group list to the UDM network element.
- the UE may encrypt the first group list according to the home network key to obtain an encrypted first group list.
- the UE may send the encrypted first group list and the home network public key identifier to the UDM network element.
- the home network public key identifier is used to indicate the home network key.
- the UDM network element receives the encrypted first group list and the home network public key identifier.
- the UDM network element can determine the home network private key according to the home network public key identifier.
- the UDM network element can decrypt the encrypted first group list according to the private key of the home network.
- the UE may send the encrypted first group list to the access network device.
- the UE may establish an AS security context with the access network device, that is, establish an AS security mode.
- the establishment of the AS security context can be seen in Figure 5.
- the UE may send the first group list to the access network device through the AS SM complete message in the AS security context establishment process.
- the UE may also send the encrypted first group list to the access network device after the AS security context is established, that is, the UE may send the first group list to the access network device through the AS message protected by the AS security context.
- AMF distributes KgNB to access network equipment.
- the UE generates KgNB according to KAMF. After that, the UE and the access network device can establish the access stratum (AS) security mode (SM).
- the access network device may decrypt the encrypted first group list sent by the UE.
- the access network device can decrypt the encrypted first group list through the confidentiality algorithm.
- the UE may encrypt the first group list through the public key of the access network device.
- the UE may send the encrypted first group list to the access network device.
- the public key of the access network device may be sent by the access network device to the UE, or may be pre-configured by the UE.
- the access network device is configured with a private key corresponding to the public key of the access network device.
- the access network device can decrypt the encrypted first group list according to the private key of the access network device.
- the UE may receive a registration rejection message sent by the AMF network element.
- the registration rejection message includes a message verification code, and the message verification code is used by the UE to verify the registration rejection message.
- the registration rejection message can also include a rejection code.
- the rejection code can be used to indicate the rejection of UE registration, or the rejection code can be used to indicate the reason for rejection of UE registration.
- the reason for rejecting the UE registration may be that the AMF network element verification fails, or the UE authentication fails.
- the verification failure of the AMF network element means that the AMF network element determines that the second group list does not exist.
- the second group list includes the identifiers of the same group in the subscription group list saved by the UDM and the first group list.
- the UE may send access group request information to the access network device, where the access group request information is used to instruct the UE to request access to the group.
- in steps 201 to 202, the UE sends the first group list in an encrypted manner, which avoids leaking the list.
- Figure 4 is a schematic flow chart for establishing a NAS security context.
- step 301a the AMF network element activates integrity protection.
- the AMF network element sends a NAS SM command message to the UE.
- the NAS SM command message includes an integrity algorithm, an encryption algorithm, a NAS message authentication code (message authentication code, MAC), UE security capabilities, KSI, etc.
- the NAS MAC can be used to verify the integrity of the NAS SM command message.
- step 301c the AMF network element starts uplink decryption.
- step 302a the UE verifies the integrity of the NAS SM command message. If the verification is successful, the UE starts uplink encryption, downlink decryption and integrity protection.
- the UE sends a NAS security mode complete message to the AMF network element.
- the NAS security mode completion message includes NAS MAC.
- the NAS MAC can be used to verify the integrity of the NAS SM completion message.
- step 301d the AMF network element starts downlink encryption.
- the AMF network element triggers the NAS SMC process and sends a NAS security mode command to the UE; the UE replies with a NAS security mode complete message.
- the AMF network element sends a NAS SM command message to the UE, with only integrity protection.
- the UE sends a NAS security mode completion message to the AMF network element, which has confidentiality and integrity protection.
- the UE and the AMF share the NAS security context.
- the UE and the AMF network element can protect the message to be sent through the NAS security context, and protect the NAS message through the NAS security context with integrity and confidentiality protection.
- the NAS security context is established.
- FIG. 4 only briefly describes the processing flow of the NAS SMC. In application, other processing procedures and/or parameters may be added, or some of the processing procedures and/or parameters described above may be omitted.
- Figure 5 is a schematic flow chart for establishing an AS security context.
- the RAN receives the key KgNB.
- the key KgNB is determined by the AMF network element according to the key KAMF.
- AMF shall generate the key KgNB and send the key to the RAN.
- step 401a the RAN initiates RRC integrity protection.
- the RAN sends an AS SM command message to the UE.
- the AS SM command message includes an integrity algorithm, an encryption algorithm, and MAC-I, where the MAC-I is determined according to the key KgNB.
- step 401c the RAN initiates RRC downlink ciphering.
- step 402a the UE verifies the integrity of the AS SM command message.
- the UE verifies the integrity of the AS SM command message according to the MAC-I. If the verification is successful, the UE starts RRC integrity protection and RRC downlink decryption. The UE decrypts the RRC downlink according to the encryption algorithm indicated by the AS SMC information.
- the UE sends an AS SM complete message to the RAN.
- the AS SM completion message includes MAC-I, which is determined according to the key KgNB.
- the RAN can decrypt the AS SM completion message and verify the integrity of the AS SM completion message.
- step 402c the UE starts RRC uplink encryption.
- step 401d the RAN initiates RRC uplink decryption.
- the RAN triggers the AS SMC process and sends an AS security mode command message to the UE.
- the UE sends an AS security mode complete message to the RAN.
- the message in step 401b is only integrity protected, while the message in step 402b is both confidentiality and integrity protected.
- the integrity and confidentiality of the message transmitted between the UE and the RAN in the AS security mode can be protected.
- the UE and the access network device share the AS security context, the UE and the access network device can send AS messages through the AS security context protection, and the AS messages protected by the AS security context have integrity and confidentiality protection.
- the AS security context is established.
- FIG. 5 only briefly describes the processing flow of AS security context establishment. In application, other processing procedures and/or parameters may be added, or some of the processing procedures and/or parameters described above may be omitted.
- Fig. 6 is a schematic flowchart of an authentication method. Authentication can also be called identity authentication.
- the process of authentication can refer to
- step 501 the UDM/ARPF network element generates an authentication vector.
- the UDM/ARPF network element sends a first authentication reply message to the AUSF network element.
- the first authentication reply message may be a Nudm_UEAuthentication_Get Response message.
- the first authentication reply message includes an authentication vector.
- step 503 the UE performs mutual authentication with the AUSF network element.
- step 504 AUSF generates and sends the key KSEAF to the SEAF network element.
- step 505 the SEAF network element generates the key KAMF according to the key KSEAF, and sends the KSI to the UE.
- the KSI is used to indicate the key KAMF.
- the SEAF network element can be deployed independently from the AMF network element, or it can be co-located with the AMF network element.
- the SEAF network element can send KAMF to the AMF network element.
- Figure 6 shows only one authentication method; other authentication methods are also possible, such as 5G authentication and key agreement. Authentication may also include both authentication between the UE and the AMF and authentication between the UE and the AUSF, etc.; this is not limited in the embodiments of this application.
- FIG. 7 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the first network device includes an AMF network element.
- the first network device may also include SMF network elements, AUSF network elements, SEAF network elements, UDM network elements, and other network function (network function, NF) network elements, which are not limited in the embodiment of this application.
- the UE encrypts the first group list by using the NAS security context to obtain an encrypted first group list.
- the first group list includes identities of one or more groups to which the UE requests access.
- the first group list may include all or part of the identities in the UE group list configured for the UE.
- the UE may use the UE group list as the first group list.
- the UE receives the access network group list sent by the access network device, and the access network group list includes the identifier of the group supported by the access network device.
- the UE may determine the first group list according to the access network group list and the UE group list, and the first group list includes the identifiers of the same group in the access network group list and the UE group list.
- step 1102 the UE sends the encrypted first group list.
- the UE may establish a NAS security context with the AMF.
- the UE may send the encrypted first group list through the NAS message protected by the NAS security context.
- the UE sends the encrypted first group list to the first network device through a NAS SM complete message.
- the first network device receives the encrypted first group list.
- the first network device decrypts the encrypted first group list.
- the first network device performs verification.
- the AMF determines the second group list according to the first group list and the subscription group list.
- the second group list includes the identifiers of the groups that appear in both the first group list and the subscription group list.
- the second group list includes identities of groups that the UE is allowed to access. That is, the identity of the same group is used as the identity of the group that the UE is allowed to access.
- the first network device determines the subscription group list saved by the UDM network element. For example, if the first network device does not include the UDM network element, the first network device may receive the subscription group list sent by the UDM network element.
- alternatively, if the first network device includes a UDM network element, the first network device can obtain the subscription group list saved by the UDM network element.
- step 1104 is performed.
- the first network device sends the second group list to the access network device.
- the access network device receives the second group list, and obtains the identifiers of the groups that the UE is allowed to access.
- step 1105 may be performed.
- the access network device sends the radio resource allocation information and/or quality of service (QoS) information of the group corresponding to each identifier in the second group list to the UE.
- the first network device sends a registration rejection message to the UE.
- AMF can send registration rejection messages in the following ways.
- the first network device may send a registration rejection message to the UE through a NAS message.
- whether the AMF and the UE establish the NAS security context is not limited in the embodiment of the present application.
- the first network device may send a registration rejection message to the UE through the NAS security context. That is, the registration rejection message may be a NAS message protected by the NAS security context.
- the first network device may calculate the message verification code according to the shared key between the UE and the AMF.
- the first network device may send a registration rejection message to the UE, and the registration rejection message includes a message verification code.
- the message verification code is used by the UE to verify the registration rejection message.
- the first network device may also calculate a digital signature according to the AMF private key.
- the first network device may send a registration rejection message to the UE, and the registration rejection message includes the digital signature.
- the UE verifies the digital signature according to the AMF public key.
- the UE may send access group request information to the access network device, where the access group request information is used to instruct the UE to request access to the group.
- the UE sends the identification of the group requested to be accessed in an encrypted manner, which can avoid leakage of UE privacy.
- the group may be CAG, CSG, etc., for example.
- the following takes the UE request to access CAG as an example for description.
- FIG. 8 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the UE may send the first matching group to the AMF network element through the encrypted NAS message.
- the UE stores a list 1, and list 1 may be referred to as an allowed CAG ID list.
- List 1 includes the identification of the CAGs configured for the UE. That is, List 1 shows the CAGs that the UE supports accessing. How the UE obtains List 1 is not restricted.
- List 1 may include CAG IDs that the UE obtains from the operator, CAG IDs configured by network management, and CAG IDs configured in the UE at the factory.
- the access network device broadcasts system information.
- the system information includes List 2, which is a list of CAG IDs supported by the cell.
- the cell is the cell where the UE is located in one or more cells covered by the access network device.
- the broadcast content is not necessarily encrypted, and all devices within the coverage of the access network device can obtain the information broadcast by the access network device.
- the access network device unicasts system information, and the system information includes List 2, and List 2 includes CAG IDs supported by the cell.
- the unicast content is not necessarily encrypted, and all devices within the coverage area of the access network device can obtain the unicast information of the access network device.
- the UE matches List 1 and List 2, that is, the UE checks whether there is a first matching group, and the first matching group includes at least one CAG ID.
- the CAG ID in the first matching group belongs to both list 1 and list 2 at the same time.
- the CAG ID in the first matching group may be referred to as a matched CAG ID (selected matching CAG ID).
- the UE sends a registration request (registration request, RR) message to the access network device, where the registration request message includes SUCI.
- the registration request message may be a control plane message.
- the UE calculates the SUCI, which is a concealed form of the permanent identity SUPI, so that an attacker cannot obtain the SUPI by eavesdropping on the air interface.
- SUPI is the permanent identity of the UE. That is, the UE encrypts SUPI to obtain SUCI.
- the SUCI may include one or more of SUPI type, routing indicator, protection scheme identifier, home network public key identifier and other information. Among them, the routing indicator and the home network public key identifier are not encrypted.
- the protection scheme identifier is used to indicate the protection scheme adopted for the SUCI, that is, the scheme used to encrypt the SUPI.
- the routing indicator can be used to indicate UDM network elements that can provide services for the UE.
- the UE sends the first indication information to the access network device.
- the first indication information is used to indicate that the UE requests to access the CAG.
- the first indication information that the UE may send to the access network device is used to indicate that the UE requests access to the CAG. Since the information related to UE registration in the RR message is sent by the UE to the AMF network element, the access network device only forwards that information and cannot read it. Therefore, by sending the first indication information to the access network device, the UE can instruct the access network device to perform the procedure corresponding to the UE's request to access the CAG.
- the first indication information is carried in a registration request message or other messages.
- the first indication information may be sent through a radio resource control (radio resource control, RRC) message.
- the first indication information may take multiple forms.
- the first indication information may include List 2 received by the UE, or the first indication information may occupy a certain field of the registration request message.
- the access network device forwards the registration request message to the AMF network element.
- the registration request message includes SUCI.
- the forwarded registration request message may be sent through the N2 interface between the access network device and the AMF network element, that is, the forwarded registration request message may be an N2 message.
- the access network device may send the second indication information to the AMF network element. For example, if the access network device receives the first indication information, the access network device sends the second indication information to the AMF network element.
- the second indication information indicates that the UE requests to access the CAG service.
- the second indication information sent by the access network device may instruct the AMF to perform a procedure corresponding to the UE's request to access the CAG.
- the second indication information may be carried in the forwarded registration request message.
- the second indication information may also be carried in other messages.
- the access network device may send List 2 to the AMF network element.
- the second indication information may include List 2.
- the AMF network element sends SUCI to AUSF.
- the SUCI may be carried in the first identity authentication request message.
- the first authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
- the AMF may receive the second indication information and/or List 2.
- the AUSF network element sends SUCI to the UDM/SIDF network element.
- SUCI can be carried in the second identity authentication request message.
- the second authentication request message may be a Nudm_UEAuthentication_Get Request message.
- the UDM/SIDF network element decrypts SUCI to obtain SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.
- Step 608 is an authentication process, which is used for identity authentication of the UE.
- the UDM/SIDF network element sends the authentication vector to the AUSF network element.
- the authentication vector can be carried in the authentication reply message.
- the authentication reply message may be a Nudm_UEAuthentication_Get Response message.
- the UE and the AUSF network element perform mutual authentication.
- the AUSF generates and sends the key KSEAF to the SEAF network element.
- the SEAF network element generates the key KAMF according to the key KSEAF.
- SEAF sends KSI to UE, KSI is used to indicate the key KAMF.
- the UE can determine the key KAMF according to the KSI.
- SEAF sends KAMF to AMF.
- SEAF can be deployed independently from AMF, or co-located with AMF.
- the embodiment of the application does not limit the specific details and procedures of the authentication steps between the UE and the AUSF network element.
- the AMF network element and the UE share the key KAMF.
- steps 609-610 the AMF network element and the UE perform a non-access stratum security mode command (NAS SMC) process.
- the UE and the AMF network element can determine the integrity key and the confidentiality key between them, so as to protect the integrity and confidentiality of the messages between the UE and the AMF network element.
- Confidentiality protection: the sending end encrypts the information, and the receiving end decrypts it.
- step 609 the AMF network element sends a NAS security mode command message to the UE.
- the NAS security mode command message is integrity protected. Integrity protection is prior art and is not repeated here.
- step 610 the UE sends a NAS security mode complete message to the AMF network element.
- the NAS security mode completion message may include the first matching group.
- the NAS security mode completion message is confidential and integrity protected. Therefore, the first matching group is sent to the AMF network element in an encrypted manner. At this time, step 611 may not be performed.
- the NAS security context is established. Sending the first matching group through the NAS SMC completion message, or sending the first matching group in the NAS message protected by the NAS security context, can encrypt the first matching group without adding additional processing procedures.
- the UE and the AMF network element establish a security context through the NAS SMC process, and the message between the AMF network element and the UE can be encrypted for transmission.
- the messages between the AMF network element and the UE can have integrity protection and confidentiality protection.
- step 611 may be performed. Step 611 is performed after the UE and the AMF network element establish a security context through the NAS SMC procedure.
- step 611 the UE sends the first matching group to the AMF through an uplink (UL) NAS message.
- the first matching group is sent through NAS security protection.
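The NAS SMC exchange of steps 609 to 611, modelled in code. This is an added example, not code from the patent: it derives K_NASenc and K_NASint from KAMF with an HMAC-SHA-256 KDF of the 3GPP shape (FC 0x69 and the N-NAS-enc-alg / N-NAS-int-alg distinguishers as given in TS 33.501 Annex A.8; check them against the current version of the spec before relying on them), integrity-protects the security mode command so the UE can verify it before any ciphering is active, and ciphers plus integrity-protects the security mode complete message that carries the first matching group. The HMAC-based counter keystream stands in for the real NEA ciphering algorithms, and the JSON message bodies, the algorithm identities and the replayed capability list are constructed for the example; none of it is 3GPP-conformant.

```python
"""NAS SMC exchange carrying the first matching group (steps 609-611, modelled).

Added example, not code from the patent.  KDF shape: HMAC-SHA-256(key, FC || P0 || L0
|| P1 || L1), FC 0x69 and the N-NAS-enc-alg / N-NAS-int-alg distinguishers per
TS 33.501 Annex A.8.  The keystream and the JSON bodies are stand-ins (assumptions).
"""
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass

FC_ALG_KEY = 0x69          # FC for algorithm key derivation (TS 33.501 A.8)
N_NAS_ENC_ALG = 0x01       # algorithm type distinguisher: NAS ciphering key
N_NAS_INT_ALG = 0x02       # algorithm type distinguisher: NAS integrity key


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_nas_keys(k_amf: bytes, enc_alg_id: int, int_alg_id: int) -> tuple[bytes, bytes]:
    """K_NASenc and K_NASint from KAMF; 128 LSBs of the 256-bit output, as 3GPP truncates."""
    k_enc = kdf(k_amf, FC_ALG_KEY, bytes([N_NAS_ENC_ALG]), bytes([enc_alg_id]))[16:]
    k_int = kdf(k_amf, FC_ALG_KEY, bytes([N_NAS_INT_ALG]), bytes([int_alg_id]))[16:]
    return k_enc, k_int


def _keystream(k_enc: bytes, count: int, direction: int, n: int) -> bytes:
    """Counter-mode keystream bound to NAS COUNT and direction; stand-in for NEA (assumption)."""
    blocks = (hmac.new(k_enc, struct.pack(">IBI", count, direction, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _nas_mac(k_int: bytes, count: int, direction: int, body: bytes) -> bytes:
    """NAS-MAC over COUNT || DIRECTION || message body, truncated to 32 bits like NIA."""
    return hmac.new(k_int, struct.pack(">IB", count, direction) + body, hashlib.sha256).digest()[:4]


@dataclass
class NasPdu:
    count: int
    direction: int      # 0 = uplink (UE -> AMF), 1 = downlink (AMF -> UE)
    ciphered: bool
    body: bytes         # cleartext if not ciphered, ciphertext otherwise
    mac: bytes


def nas_protect(k_enc, k_int, count, direction, payload: dict, cipher: bool) -> NasPdu:
    body = json.dumps(payload, sort_keys=True).encode()
    if cipher:
        body = bytes(a ^ b for a, b in zip(body, _keystream(k_enc, count, direction, len(body))))
    return NasPdu(count, direction, cipher, body, _nas_mac(k_int, count, direction, body))


def nas_unprotect(k_enc, k_int, pdu: NasPdu) -> dict:
    """Integrity check first; only then decipher.  Raises on a forged or altered PDU."""
    if not hmac.compare_digest(pdu.mac, _nas_mac(k_int, pdu.count, pdu.direction, pdu.body)):
        raise ValueError("NAS integrity check failed")
    body = pdu.body
    if pdu.ciphered:
        body = bytes(a ^ b for a, b in zip(body, _keystream(k_enc, pdu.count, pdu.direction, len(body))))
    return json.loads(body)


def nas_smc_exchange(k_amf: bytes, first_matching_group: list[int]) -> dict:
    """Step 609: command, integrity only.  Step 610: complete, ciphered + integrity, with the group."""
    nea_id, nia_id = 0x02, 0x02                      # selected algorithm identities (illustrative)
    k_enc, k_int = derive_nas_keys(k_amf, nea_id, nia_id)
    command = nas_protect(k_enc, k_int, 0, 1, {
        "msg": "SECURITY MODE COMMAND", "nea": nea_id, "nia": nia_id,
        "replayed_ue_security_capabilities": ["NEA1", "NEA2", "NIA1", "NIA2"],
    }, cipher=False)
    ue_view = nas_unprotect(k_enc, k_int, command)   # UE verifies the MAC, reads the algorithms
    complete = nas_protect(k_enc, k_int, 0, 0, {
        "msg": "SECURITY MODE COMPLETE", "first_matching_group": first_matching_group,
    }, cipher=True)
    amf_view = nas_unprotect(k_enc, k_int, complete)
    return {
        "ue_saw_command": ue_view["msg"],
        "amf_got_group": amf_view["first_matching_group"],
        "command_visible_on_air": b"SECURITY MODE COMMAND" in command.body,
        "group_visible_on_air": json.dumps(first_matching_group).encode() in complete.body,
    }
```

The two flags returned by `nas_smc_exchange` are the point of the passage: the command body is readable on the air interface (only tamper-evident), while the CAG IDs in the complete message are not, and `nas_unprotect` refuses any PDU whose MAC does not verify before it attempts to decipher.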
- the AMF network element receives the list 3 sent by the UDM network element.
- List 3 includes the CAG ID that the network side allows the UE to access.
- the AMF network element can receive the subscription data sent by the UDM network element, and the subscription data includes List 3.
- the AMF network element may send a request message to the UDM network element to obtain the SUPI corresponding subscription data from the UDM.
- the request message includes SUPI.
- the subscription data includes List 3, and List 3 includes CAG IDs that the network side allows the UE to access.
- the AMF matches List 3 with the first matching group to determine whether there is a second matching group.
- List 3 includes CAG IDs in the second matching group
- the first matching group includes CAG IDs in the second matching group. That is, the AMF uses the same CAG ID in List 3 and the first matching group as the CAG ID in the second matching group.
- the AMF matches List 2, List 3, and the first matching group to determine whether there is a second matching group.
- List 2 includes CAG IDs in the second matching group
- List 3 includes CAG IDs in the second matching group
- the first matching group includes CAG IDs in the second matching group. That is, the AMF uses the same CAG ID in List 2, List 3, and the first matching group as the CAG ID in the second matching group.
- steps 601-602 may not be performed.
- the UE may use List 1 as the first matching group.
- because the first matching group reaches the AMF network element inside a NAS message, the access network device cannot inspect or verify it, and so cannot ensure that the UE's matching result is correct, that is, that every CAG ID in the first matching group is in List 2. The AMF network element therefore generates the second matching group with reference to List 2.
- the AMF network element is pre-configured with a CAG ID supported by the access network device, that is, the AMF is pre-configured with List 2.
- the access network device may not send List 2 to the AMF network element.
- List 2 may itself serve as the second indication information, indicating that the UE requests access to the CAG service.
- the AMF may no longer perform matching on List 2. That is, AMF can perform matching on the first matching group and list 3.
- the list 2 sent by the access network device to the AMF network element may be used as the second indication information, and the second indication information is used to indicate that the UE requests to access the CAG service.
- the UE is allowed to access the CAG service corresponding to the CAG ID in the second matching group.
- the AMF may send the second matching group to the access network device.
- the second matching group can be sent through N2 messages.
- the second matching group includes the identification of the CAG that the UE is allowed to access.
- the access network device receives the second matching group to obtain the CAG ID that allows the UE to access.
- the access network device performs radio resource management and related operations for the CAG IDs in the second matching group, for example sending the UE the CAG resource configuration information corresponding to each CAG ID in the second matching group.
- the access network device sends to the UE the policy information corresponding to the CAG ID in the second matching group, such as QoS information of each CAG.
- the policy information is used to indicate the relevant parameters for data transmission after the UE accesses the CAG.
- the embodiment does not limit the specific operations the access network device performs for the CAG IDs in the second matching group.
- the AMF network element sends a registration response message to the UE.
- the registration response message may be a registration acceptance message or a registration rejection message.
- the AMF network element sends a registration acceptance message to the UE.
- the AMF network element sends the second matching group to the UE, that is, the CAG ID that allows the UE to access.
- the AMF network element sends a registration rejection message to the UE.
- the registration rejection message includes verification failure indication information.
- the verification failure indication information may be used to indicate the reason for the registration rejection, for example, the CAG ID verification fails or the UE identity authentication fails.
- the AMF may also inform the UE whether it is allowed to access the CAG through other downlink NAS messages.
- the UE may receive protection indication information, where the protection indication information is used to instruct the UE to send the encrypted first matching group.
- the protection indication information is used to instruct the UE to encrypt the first matching group, and send the first matching group in an encrypted manner.
- the UE performs a registration procedure, and the registration accept message of that registration carries the protection indication information; in subsequent procedures in which the UE accesses the CAG, the first matching group is protected in the manner described above.
- the UE sends the first matching group in an encrypted manner, which can avoid information leakage.
- the UE may send the first indication information to the AMF network element through a NAS message other than the registration request (RR) message.
- the AMF determines the flow of the UE requesting to access the CAG through the first indication information.
- if the base station does not broadcast List 2, or the UE does not match the broadcast List 2 against List 1, the UE sends the encrypted List 1 to the AMF in a NAS message.
- the subsequent operations are the same as in the procedure above, except that List 1 serves as the first matching group.
- the UE encrypts the first matching group with the public key of the AMF to obtain the ciphertext of the first matching group, and sends the ciphertext to the AMF in a NAS message, for example in the RR message together with the SUCI, or in another NAS message. The AMF decrypts the ciphertext with its private key to obtain the first matching group.
- the subsequent determination process is the same as the above-mentioned embodiment.
- the process by which the UE obtains the public key of the AMF may be preset or distributed to the UE by the AMF in the previous registration process; there is no restriction.
- FIG. 9 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the UE may encrypt the first matching group with the home network key and send the encrypted first matching group to the UDM network element; the UDM network element decrypts it and sends the decrypted first matching group to the AMF.
- the UE stores a list 1, and the list 1 may be referred to as an allowed CAG ID list (allowed CAG ID list).
- List 1 includes the identifiers of the CAGs configured on the UE, that is, the CAGs the UE is configured to access. How the UE obtains List 1 is not restricted.
- List 1 may include the CAG ID that the UE can obtain from the operator, may include the CAG ID configured by the network management, and may include the CAG ID configured by the UE when it leaves the factory.
- the access network device broadcasts system information, and the system information includes List 2, which is a list of CAG IDs supported by the cell covered by the access network device.
- the broadcast content is neither encrypted nor integrity protected, and any device within the coverage of the access network device can read the information it broadcasts.
- the access network device unicasts system information, and the system information includes List 2, and List 2 is a list of CAG IDs supported by the cell.
- the unicast content may not be encrypted, and all devices within the coverage area of the access network device can obtain the unicast information of the access network device.
- the UE matches List 1 and List 2, that is, the UE checks whether there is a first matching group, and the first matching group includes at least one CAG ID.
- the CAG ID in the first matching group belongs to both list 1 and list 2 at the same time.
- the CAG ID in the first matching group may be referred to as a matched CAG ID (selected matching CAG ID).
- the UE sends a registration request message to the access network device, and the registration request message includes SUCI.
- the registration request message may be a control plane message.
- the registration request message also includes the encrypted first matching group.
- the UE calculates SUCI, which is an encapsulation of the permanent identity SUPI, so that the attacker cannot obtain SUPI through eavesdropping on the air interface.
- SUPI is the permanent identity of the UE. That is, the UE encrypts SUPI to obtain SUCI.
- the SUCI may include one or more of SUPI type, routing indicator, protection scheme identifier, home network public key identifier and other information. Among them, the routing indicator and the home network public key identifier are not encrypted.
- the protection scheme identifier is used to indicate the protection scheme adopted by the above SUCI, that is, the scheme for encrypting the SUPI.
- the routing indicator can be used to indicate UDM network elements that can provide services for the UE.
- before step 703, the UE encrypts the first matching group with the home network public key to obtain the encrypted first matching group.
- the UE encrypts the first matching group according to the home network public key, which may also be referred to as the UE encapsulating the first matching group.
- the UE may use the same encryption method as the SUCI to encrypt the first matching group.
- the UE can jointly encrypt the SUPI and the first matching group and encapsulate them in one message.
- the SUCI and the encrypted first matching group can be carried in the same message.
- the UE may separately encrypt the SUPI and the first matching group.
- the encrypted first matching group includes one or more of information such as a routing indicator, a protection scheme identifier, and a home network public key identifier.
- the SUCI and the encrypted first matching group can be carried in the same or different messages.
- the UE may also use an encryption method different from that of SUCI to encrypt the first matching group.
- the SUCI and the encrypted first matching group may correspond to different home network keys, that is, to different home network public key identifiers.
- the encrypted first matching group includes one or more of routing indicator, protection scheme identifier, home network public key identifier, and other information.
- the SUCI and the encrypted first matching group can be carried in the same or different messages.
- the home network key includes the home network public key and the home network private key.
- the UE and the UDM network element each hold the correspondence between the home network public key identifier, the home network public key and the home network private key.
- the UE sends the first indication information to the access network device.
- the first indication information is used to indicate that the UE requests to access the CAG service.
- the first indication information is carried in a registration request message or other messages.
- the first indication information may be sent through a radio resource control (radio resource control, RRC) message.
- RRC: radio resource control
- the first indication information may take multiple forms.
- the first indication information may include List 2 received by the UE, or the first indication information may occupy a certain field of the registration request message.
- the access network device sends a registration request message to the AMF network element.
- the registration request message includes the SUCI and the encrypted first matching group.
- the registration request message can be sent through the N2 interface between the access network device and the AMF network element, that is, the registration request message can be an N2 message.
- the access network device may send the second indication information to the AMF network element. For example, if the access network device receives the first indication information, the access network device sends the second indication information to the AMF network element.
- the second indication information indicates that the UE requests to access the CAG service.
- the second indication information may be carried in the registration request message.
- the second indication information may also be carried in other messages.
- the access network device may send List 2 to the AMF network element.
- the second indication information may include List 2.
- the AMF network element sends the encrypted first matching group and SUCI to AUSF.
- the SUCI may be carried in the first identity authentication request message.
- the encrypted first matching group may be carried in the first identity authentication request message or other messages.
- the first identity authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
- the AMF may receive the second indication information and/or List 2.
- the AUSF network element sends the encrypted first matching group and SUCI to the UDM/SIDF network element.
- the SUCI may be carried in the second authentication request message.
- the encrypted first matching group may be carried in the second authentication request message or other messages.
- the second authentication request message type may be Nudm_UEAuthentication_Get Request message.
- the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group according to the home network private key corresponding to the home network public key identifier.
- the UDM/SIDF network element decrypts the SUCI to obtain SUPI, executes the authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.
- the UDM/SIDF network element decrypts the encrypted first matching group to obtain the first matching group.
- when the SUPI and the first matching group were jointly encrypted, the UDM/SIDF network element decrypts that single piece of information to obtain both the SUPI and the first matching group.
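Both ends of the home-network-key path above (the UE encrypting the SUPI and the first matching group before step 703, and the UDM/SIDF selecting the private key by home network public key identifier and decrypting), as an added example that is not the patent's code. It follows the shape of the SUCI ECIES profile built on X25519, an ANSI X9.63 KDF and an 8-octet HMAC-SHA-256 tag, with X25519 implemented inline from RFC 7748; the HMAC-SHA-256 counter keystream standing in for AES-128-CTR, the JSON field encoding, the routing indicator value, the scheme identifier and the key identifiers are assumptions. It shows separate encapsulation under two different home network key identifiers, joint encapsulation of SUPI and the group in one scheme output, and rejection of an altered scheme output.

```python
"""Home-network-key protection of SUPI and the first matching group (UE and UDM/SIDF ends).

Added example, not code from the patent.  Shape follows the SUCI ECIES idea: clear
routing indicator, protection scheme identifier and home network public key identifier,
plus a scheme output only the home network can open.  X25519 is implemented inline from
RFC 7748; the X9.63-style KDF, the HMAC-SHA-256 counter keystream (stand-in for
AES-128-CTR), JSON field encoding and all identifier values are assumptions.
"""
import hashlib
import hmac
import json
import os
import struct
from dataclasses import dataclass

_P = 2**255 - 19
_BASE_U = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 (Montgomery ladder).  Correctness only; no constant-time claim."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        da, cb = (x3 - z3) * a % _P, (x3 + z3) * b % _P
        x3, z3 = pow(da + cb, 2, _P), x1 * pow(da - cb, 2, _P) % _P
        x2, z2 = aa * bb % _P, e * (aa + 121665 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def _kdf_x963(shared: bytes, shared_info: bytes, n: int) -> bytes:
    """ANSI X9.63 KDF with SHA-256: Hash(Z || counter || SharedInfo), counter from 1."""
    out, counter = b"", 1
    while len(out) < n:
        out += hashlib.sha256(shared + struct.pack(">I", counter) + shared_info).digest()
        counter += 1
    return out[:n]


def _stream_xor(key: bytes, icb: bytes, data: bytes) -> bytes:
    """Counter-mode keystream XOR; stand-in for AES-128-CTR (assumption)."""
    ks = b"".join(hmac.new(key, icb + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass
class Envelope:
    routing_indicator: str   # clear: routes the request to the serving UDM
    scheme_id: int           # clear: which protection scheme produced the output
    hn_key_id: int           # clear: which home network key pair to decrypt with
    eph_pub: bytes           # scheme output: UE's ephemeral X25519 public key
    ciphertext: bytes        # scheme output: protected fields
    tag: bytes               # scheme output: 8-octet MAC


def _keys(shared: bytes, eph_pub: bytes) -> tuple[bytes, bytes, bytes]:
    km = _kdf_x963(shared, eph_pub, 64)
    return km[:16], km[16:32], km[32:]        # enc key, initial counter block, MAC key


def conceal(fields: dict, hn_key_id: int, hn_pub: bytes,
            routing_indicator: str = "0010", scheme_id: int = 1) -> Envelope:
    """UE side: ECIES-encapsulate `fields` (SUPI, the first matching group, or both)."""
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, _BASE_U)
    enc_key, icb, mac_key = _keys(x25519(eph_priv, hn_pub), eph_pub)
    ct = _stream_xor(enc_key, icb, json.dumps(fields, sort_keys=True).encode())
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]
    return Envelope(routing_indicator, scheme_id, hn_key_id, eph_pub, ct, tag)


def deconceal(env: Envelope, hn_private_keys: dict) -> dict:
    """UDM/SIDF side: select the private key by hn_key_id, verify the tag, then decrypt."""
    if env.hn_key_id not in hn_private_keys:
        raise KeyError("unknown home network public key identifier %d" % env.hn_key_id)
    enc_key, icb, mac_key = _keys(x25519(hn_private_keys[env.hn_key_id], env.eph_pub), env.eph_pub)
    if not hmac.compare_digest(env.tag, hmac.new(mac_key, env.ciphertext, hashlib.sha256).digest()[:8]):
        raise ValueError("MAC check failed: scheme output altered")
    return json.loads(_stream_xor(enc_key, icb, env.ciphertext))


def home_network_keys() -> tuple[dict, dict]:
    """Constructed key pairs under identifiers 1 and 2 (a real UDM provisions these out of band)."""
    priv = {1: os.urandom(32), 2: os.urandom(32)}
    return priv, {i: x25519(k, _BASE_U) for i, k in priv.items()}


def register_with_cag(supi: str, first_matching_group: list, hn_pub: dict) -> tuple:
    """UE builds the SUCI under key id 1 and the protected first matching group under key id 2."""
    suci = conceal({"supi": supi}, 1, hn_pub[1])
    group = conceal({"first_matching_group": first_matching_group}, 2, hn_pub[2])
    return suci, group
```

Only the three header fields of an `Envelope` are readable by the access network or an eavesdropper; the routing indicator is what lets the serving network forward the request to the right UDM without ever seeing the SUPI or the CAG IDs, which is why the text can place the CAG check at the UDM/SIDF before authentication.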
- the UDM/SIDF network element determines the subscription data of the UE according to SUPI.
- the subscription data of the UE includes List 3, and List 3 includes the CAG ID that the network side allows the UE to access.
- the UDM/SIDF network element matches the first matching group with List 3 to obtain the third matching group.
- the third matching group includes the same CAG ID in the first matching group and List 3.
- if the UDM/SIDF network element determines that there is no third matching group, the UE authentication procedure and step 614 are not performed. When there is no third matching group the verification fails, so there is no need to run the subsequent UE authentication procedure, which saves system signaling overhead.
- the UDM/SIDF network element can reject the registration of the UE.
- the UDM network element may send first rejection indication information to the AMF network element, either via the AUSF network element or directly.
- the first rejection indication information may include the reason for registration rejection. That is, the first rejection indication information may be used to indicate that there is no third matching group, that is, the verification fails, and there is no CAG that allows the UE to access.
- the AMF network element receives the rejection indication information sent by the UDM network element, and determines that there is no second matching group, that is, there is no CAG that allows the UE to access.
- step 615 the AMF network element sends a registration rejection message to the UE.
- Steps 709-710 are steps in the authentication process, which is used for identity authentication of the UE.
- the UDM/SIDF network element sends the authentication vector to the AUSF network element.
- the authentication vector may be carried in the first authentication reply message.
- the first authentication reply message may be a Nudm_UEAuthentication_Get Response message.
- the AUSF network element sends an authentication vector to the AMF network element.
- the authentication vector may be carried in the second authentication reply message.
- the second authentication reply message, sent by the AUSF to the AMF, may be a Nausf_UEAuthentication_Authenticate Response message.
- the UDM/SIDF network element may send the third matching group to the AMF network element.
- the UDM/SIDF network element may send the third matching group to the AUSF network element.
- the AUSF network element sends the third matching group to the AMF network element.
- the third matching group can be forwarded by the AUSF network element and sent to the AMF network element.
- the third matching group may be carried in the first authentication reply message or other messages.
- the third matching group may be carried in the second authentication reply message or other messages.
- UDM/SIDF can also send the third matching group to the AMF network element through other messages, without being forwarded by other network elements.
- the UE and the AUSF network element perform mutual authentication. After successful authentication, AUSF generates and sends the key KSEAF to the SEAF network element.
- the SEAF network element generates the key KAMF according to the key KSEAF, and sends KSI to the UE.
- the KSI is used to indicate the key KAMF.
- the UE can determine the key KAMF according to the KSI.
- SEAF sends KAMF to AMF.
- the SEAF may be deployed together with the AMF or as a separate network element.
- the embodiment of the application does not limit the specific details and flow of the authentication steps between the UE and the AUSF network element.
- the AMF network element and the UE share the key KAMF.
- the UE and the AMF can establish the NAS security context, and the UE and the access network device can establish the AS security context.
- the AMF network element receives the third matching group sent by the UDM network element.
- the AMF network element determines the second matching group according to the third matching group.
- the AMF network element may use the third matching group as the second matching group.
- the AMF network element may match the third matching group with List 2 to determine the second matching group.
- the second matching group includes the same CAG ID of the third matching group as in List 2.
- because the first matching group reaches the UDM network element encrypted, the access network device cannot inspect or verify it, and so cannot ensure that the UE's matching result is correct, that is, that every CAG ID in the first matching group is in List 2. The AMF network element therefore generates the second matching group with reference to List 2.
- the AMF network element is pre-configured with a CAG ID supported by the access network device, that is, the AMF is pre-configured with List 2.
- the access network device may not send List 2 to the AMF network element.
- the list 2 sent by the access network device to the AMF network element may be used as the second indication information to instruct the UE to request access to the CAG service.
- the AMF may no longer perform matching on List 2. That is, AMF can perform matching on the first matching group and list 3.
- the list 2 sent by the access network device to the AMF network element may be used as the second indication information, and the second indication information is used to indicate that the UE requests to access the CAG service.
- if there is a second matching group, step 614 is performed.
- the AMF network element may send the second matching group to the access network device.
- the second matching group can be sent through N2 messages.
- the second matching group includes the identification of the CAG that the UE is allowed to access.
- the access network device obtains the CAG ID that allows the UE to access.
- the access network device performs operations such as radio resource management corresponding to the CAG ID in the second matching group.
- the embodiment of the present application does not limit the specific operation of the access network device.
- the AMF network element sends a registration reply message to the UE.
- the registration reply message can be a registration acceptance message or a registration rejection message.
- the AMF network element determines that there is a second matching group and the UE is allowed to access, the AMF network element sends a registration acceptance message to the UE.
- the AMF network element sends the second matching group to the UE, that is, the CAG ID that allows the UE to access.
- the AMF network element sends a registration rejection message to the UE.
- the registration rejection message includes second rejection indication information, and the second rejection indication information is used to indicate the reason for the registration failure, for example, the CAG ID verification fails or the authentication fails.
- the registration reply message may be a downlink NAS message.
- the UE sends the first matching group in an encrypted manner, which can avoid information leakage.
- before performing the authentication procedure for the UE, the UDM/SIDF network element verifies whether the UE may access the CAG, that is, it matches the first matching group against List 3.
- the first matching group and list 3 may be matched by the AMF for verification.
- the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group according to the home network private key corresponding to the home network public key identifier.
- the UDM/SIDF network element decrypts the SUCI to obtain SUPI, executes the authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.
- the UDM/SIDF network element decrypts the encrypted first matching group to obtain the first matching group.
- when the SUPI and the first matching group were jointly encrypted, the UDM/SIDF network element decrypts that single piece of information to obtain both the SUPI and the first matching group.
- the UDM/SIDF network element determines the subscription data of the UE according to SUPI.
- the subscription data of the UE includes List 3, and List 3 includes the CAG ID that the network side allows the UE to access.
- step 707 is the authentication procedure, used for identity authentication of the UE.
- the UDM/SIDF network element sends the first matching group and list 3 to the AMF network element.
- the UDM/SIDF network element may send the first matching group and list 3 to the AMF network element.
- the first matching group and/or list 3 may be carried in the first identity authentication reply message or other messages.
- the UDM/SIDF network element may send the first matching group and list 3 to the AUSF network element.
- the AUSF network element sends the first matching group and list 3 to the AMF network element.
- the first matching group and list 3 can be forwarded by the AUSF network element and sent to the AMF network element.
- the first matching group and/or list 3 may be carried in the second authentication reply message or other messages.
- the AMF network element performs matching according to the first matching group and List 3 to determine the second matching group.
- the second matching group consists of the CAG IDs that appear in both the first matching group and List 3.
- AMF may use the same CAG ID in List 3 and the first matching group as the CAG ID in the second matching group.
- the AMF may also use the same CAG ID in List 2, List 3, and the first matching group as the CAG ID in the second matching group.
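The matching performed in the flows above, as an added example that is not the patent's code: the UE computes the first matching group (List 1 ∩ List 2, or List 1 alone when List 2 is not broadcast), the UDM/SIDF computes the third matching group against List 3 before authentication, and the AMF computes the second matching group, re-intersecting with List 2 because it cannot verify that the match the UE reported is really a subset of List 2. CAG IDs are modelled as integers, all three lists are constructed, and the reject cause strings are assumptions. The `demo` function includes a UE that reports a CAG ID the cell does not serve, to show what the List 2 check at the AMF catches and what slips through without it.

```python
"""CAG matching and the registration decision, as in the FIG. 8 and FIG. 9 flows.

Added example; not code from the patent.  CAG IDs are modelled as ints (the 32-bit
CAG identifier) and each list as a set.  Cause strings are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass
class Decision:
    accepted: bool
    allowed_cag_ids: FrozenSet[int]   # the second matching group; empty on reject
    cause: str = ""


def ue_first_matching_group(list1: Iterable[int], list2: Optional[Iterable[int]]) -> FrozenSet[int]:
    """UE side: List 1 ∩ List 2.  If the cell did not broadcast List 2 (or the UE skipped
    the match), List 1 itself is sent as the first matching group."""
    list1 = frozenset(list1)
    return list1 if list2 is None else list1 & frozenset(list2)


def udm_third_matching_group(first_matching_group: Iterable[int], list3: Iterable[int]) -> FrozenSet[int]:
    """UDM/SIDF side: first matching group ∩ List 3.  Done before authentication, so an
    empty result rejects the UE without spending any authentication signalling."""
    return frozenset(first_matching_group) & frozenset(list3)


def amf_second_matching_group(claimed: Iterable[int], list3: Iterable[int],
                              list2: Optional[Iterable[int]] = None) -> FrozenSet[int]:
    """AMF side.  `claimed` is whatever the UE (or the UDM, as the third matching group)
    reported.  The access network never saw it, so the AMF cannot assume it is a subset
    of List 2 and re-intersects with List 2 whenever it has it (from N2 or preconfigured)."""
    allowed = frozenset(claimed) & frozenset(list3)
    if list2 is not None:
        allowed &= frozenset(list2)
    return allowed


def registration_decision(claimed, list3, list2=None, authenticated=True) -> Decision:
    """Registration accept carrying the second matching group, or reject with a cause."""
    if not authenticated:
        return Decision(False, frozenset(), "UE identity authentication failed")
    second = amf_second_matching_group(claimed, list3, list2)
    if not second:
        return Decision(False, frozenset(), "CAG ID verification failed")
    return Decision(True, second)


def demo() -> dict:
    """Constructed lists; an honest UE, a UE that lies about its match, and the UDM early check."""
    list1 = {0xA01, 0xA02, 0xB01}   # configured on the UE
    list2 = {0xA01, 0xA02, 0xC01}   # broadcast by the serving cell
    list3 = {0xA02, 0xB01}          # subscription data held by the UDM
    honest = ue_first_matching_group(list1, list2)                    # {A01, A02}
    honest_dec = registration_decision(honest, list3, list2)           # accept, {A02}
    rogue = frozenset({0xA01, 0xB01})                                  # B01 is not served by this cell
    rogue_dec = registration_decision(rogue, list3, list2)             # B01 stripped, A01 unsubscribed: reject
    unchecked_dec = registration_decision(rogue, list3)                # without List 2 the lie gets through
    return {
        "honest_allowed": honest_dec.allowed_cag_ids,
        "rogue_rejected": not rogue_dec.accepted,
        "rogue_without_list2_allowed": unchecked_dec.allowed_cag_ids,
        "udm_early_reject": not udm_third_matching_group({0xC01}, list3),
    }
```

The `unchecked_dec` case is the failure mode the text warns about: a UE that reports a subscribed CAG ID the cell does not actually serve is accepted for that CAG unless the AMF has List 2 (sent over N2 or preconfigured) and intersects with it.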
- step 614: if the UE is allowed to access, the AMF may send the second matching group to the access network device.
- the AMF network element sends a registration reply message to the UE.
- the registration reply message can be a registration acceptance message or a registration rejection message.
- the UE may not match List 2 with List 1, and the base station may not broadcast List 2.
- the UE sends the encrypted list 1 to the AMF network element through the NAS message.
- the subsequent operation is the same as the above process.
- the difference in this case is that List 1 itself is the first matching group. That is, where the AMF matches the third matching group against List 2, steps 601-602 need not be performed.
- the UE may use List 1 as the first matching group.
- FIG. 10 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the UE may send the first matching group to the access network device in an encrypted AS message.
- the UE is configured with List 1.
- List 1 includes the CAG ID that the UE supports to access.
- the access network device sends List 2 to the UE.
- List 2 includes the CAG IDs supported by the cell covered by the access network device.
- the cell is the cell where the UE is located among one or more cells covered by the access network equipment.
- when List 2 is broadcast in system information, the broadcast content may not be encrypted, and any device within the coverage of the access network device can read the information it broadcasts.
- the access network device unicasts system information, and the system information includes List 2, and List 2 includes CAG IDs supported by the cell.
- the unicast content may not be encrypted, and all devices within the coverage area of the access network device can obtain the unicast information of the access network device.
- the UE matches List 1 and List 2 to obtain a first matching group.
- the first matching group includes the same CAG ID in List 1 and List 2.
- the UE matches List 1 and List 2, that is, the UE determines the first matching group, and the first matching group includes at least one CAG ID.
- the CAG ID in the first matching group belongs to both list 1 and list 2 at the same time.
- the CAG ID in the first matching group may be referred to as a matched CAG ID (selected matching CAG ID).
- step 603 the UE sends a registration request message to the access network device, and the registration request message includes SUCI.
- the UE calculates SUCI, which is an encapsulation of the permanent identity SUPI, so that the attacker cannot obtain SUPI through eavesdropping on the air interface.
- SUPI is the permanent identity of the UE. That is, the UE encrypts SUPI to obtain SUCI.
- the SUCI may include one or more of SUPI type, routing indicator, protection scheme identifier, home network public key identifier and other information. Among them, the routing indicator and the home network public key identifier are not encrypted.
- the protection scheme identifier indicates the protection scheme used for the above SUCI, that is, the scheme used to encrypt the SUPI.
- the routing indicator can be used to indicate UDM network elements that can provide services for the UE.
- the UE sends the first indication information to the access network device.
- the first indication information is used to indicate that the UE requests to access the CAG.
- the first indication information the UE sends to the access network device indicates that the UE requests access to the CAG. Because the registration-related information in the RR message is addressed by the UE to the AMF network element, the access network device only forwards it and cannot read it. Sending the first indication information to the access network device therefore lets the access network device perform the procedure corresponding to the UE's request to access the CAG.
- the first indication information is carried in a registration request message or other messages.
- the first indication information may be sent through a radio resource control (radio resource control, RRC) message.
- RRC: radio resource control
- the first indication information may take multiple forms.
- the first indication information may include List 2 received by the UE, or the first indication information may occupy a certain field of the registration request message.
- the access network device sends a registration request message to the AMF network element.
- the registration request message includes SUCI.
- the registration request message can be sent through the N2 interface between the access network device and the AMF network element, that is, the registration request message can be an N2 message.
- the access network device may send the second indication information to the AMF network element. For example, if the access network device receives the first indication information, the access network device sends the second indication information to the AMF network element.
- the second indication information indicates that the UE requests to access the CAG service.
- the second indication information may be carried in the registration request message.
- the second indication information may also be carried in other messages.
- the access network device may send List 2 to the AMF network element.
- the second indication information may include List 2.
- the AMF network element sends SUCI to AUSF.
- the SUCI may be carried in the first identity authentication request message.
- the first identity authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
- the AMF may receive the second indication information and/or List 2.
- the AUSF network element sends SUCI to the UDM/SIDF network element.
- SUCI can be carried in the second identity authentication request message.
- the second identity authentication request message type may be a Nudm_UEAuthentication_Get Request message.
- the UDM/SIDF network element decrypts SUCI to obtain SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.
- Step 608 is an authentication process, which is used for identity authentication of the UE.
- the UDM/SIDF network element sends the authentication vector to the AUSF network element.
- the authentication vector can be carried in the identity authentication reply message.
- the identity authentication reply message may be a Nudm_UEAuthentication_Get Response message.
- the UE and the AUSF network element perform mutual authentication.
- the AUSF generates and sends the key KSEAF to the SEAF network element.
- the SEAF network element generates the key KAMF according to the key KSEAF, and sends KSI to the UE.
- the KSI is used to indicate the key KAMF.
- the UE can determine the key KAMF according to the KSI.
- SEAF sends KAMF to AMF.
- the SEAF may be deployed together with the AMF or as a separate network element.
- the embodiment of the application does not limit the specific details and procedures of the authentication steps between the UE and the AUSF network element.
- the AMF network element and the UE share the key KAMF.
- the access network device and the UE establish the access stratum (AS) security mode, AS SM.
- the AMF calculates and sends the key KgNB to the access network device.
- the key KgNB is determined based on the key KAMF.
- the UE and the access network device can derive the integrity key and the confidentiality key between the UE and the access network device, so as to apply integrity protection and confidentiality protection to the messages between them. Confidentiality protection means that the sending end encrypts the message and the receiving end decrypts it.
- step 809 the access network device sends an AS security mode command message to the UE.
- the AS security mode command message has integrity protection.
- step 810a the UE sends an AS security mode complete message to the access network device.
- the AS security mode complete message has confidentiality and integrity protection.
- the AS security mode completion message may include the first matching group. Therefore, the first matching group is sent to the access network device in an encrypted manner. At this time, step 611 may not be performed.
- the UE and the access network device network element establish a security context through the AS SMC process, and the message between the access network device and the UE can be encrypted for transmission.
- the message between the AMF network element and the UE can have integrity protection and confidentiality protection.
- Step 810b is performed after the UE and the access network device establish the AS security context through the AS SMC procedure.
- step 810b the UE sends the first matching group to the AMF through an uplink (UL) AS message.
- the first matching group is sent under the protection of the AS security context.
- the access network device decrypts the first matching group received through the AS security mode completion message or the uplink AS message protected by the AS security context.
- the access network device performs decryption according to the AS security context to obtain the decrypted first matching group.
- the access network device may check the first matching group.
- the access network device may match the first matching group with List 2.
- the access network device may remove CAG IDs outside of List 2 in the first matching group to obtain a new first matching group.
- the access network device receives the first matching group sent by the UE.
- the access network device determines whether the CAG IDs in the first matching group are in List 2, the list of CAG IDs supported by the access network device. If the first matching group belongs to List 2, that is, every CAG ID in the first matching group is in List 2, the access network device sends the first matching group to the AMF network element. Otherwise, the access network device does not send the first matching group; optionally, the access network device rejects the UE's access.
- the AMF network element may match the first matching group with the list 2.
- AMF network elements can be pre-configured with List 2.
- the AMF network element may receive List 2 sent by the access network device.
- the access network device sends List 2 to the AMF network element.
- the AMF network element can match List 2, List 3, and the first matching group. That is, the AMF network element can determine the second matching group, and the second matching group includes the same CAG ID in List 2, List 3, and the first matching group.
- neither the access network device nor the AMF may perform matching between the first matching group and the list 2.
- the UE sends the decrypted first matching group to the AMF network element.
- the decrypted first matching group may be the first matching group after verification.
- the second matching group can be sent through N2 messages.
- the second matching group includes the identification of the CAG that the UE is allowed to access.
- the AMF network element receives the list 3 sent by the UDM network element.
- List 3 includes the CAG ID that the network side allows the UE to access.
- the AMF network element can receive the subscription data sent by the UDM network element.
- the subscription data includes List 3.
- the AMF network element may send a subscription data request to the UDM network element, and obtain the subscription data corresponding to the UE from the UDM network element.
- the subscription data includes List 3, and List 3 includes CAG IDs that the network side allows the UE to access.
- the AMF matches List 3 with the first matching group to determine whether there is a second matching group.
- List 3 includes the CAG IDs in the second matching group.
- the first matching group includes CAG IDs in the second matching group. That is, the AMF uses the same CAG ID in List 3 and the first matching group as the CAG ID in the second matching group.
- the UE is allowed to access the CAG service corresponding to the CAG ID in the second matching group.
- the AMF network element sends a registration reply message to the UE.
- the registration reply message can be a registration acceptance message or a registration rejection message.
- the AMF network element sends a registration acceptance message to the UE.
- the AMF network element sends the second matching group to the UE, that is, the CAG ID that allows the UE to access.
- the AMF network element sends a registration rejection message to the UE.
- the registration rejection message includes verification failure indication information, and the verification failure indication information is used to indicate that the CAG ID verification fails.
- the verification failure indication information may indicate the reason for the registration rejection, that is, the CAG ID verification failed.
- the registration reply message may be a downlink NAS message sent by the AMF to the UE.
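The matching chain described above (first matching group on the UE, the List 2 check at the access network device in both its strict and its filtering variant, the second matching group at the AMF, and the accept/reject decision), as an added Python example that is not the patent's own code. List 1, List 2 and List 3 are constructed sample values; the AMF is assumed to intersect with List 2 only when it has received or been configured with it.

```python
# Added example: the CAG ID matching steps of the registration procedure.
# The three lists below are constructed sample data, not values from the patent.
LIST1_UE_CONFIGURED = {"cag-a", "cag-b", "cag-c"}   # List 1: CAG IDs configured on the UE
LIST2_RAN_SUPPORTED = {"cag-b", "cag-c", "cag-d"}   # List 2: CAG IDs supported by the access network device
LIST3_SUBSCRIBED = {"cag-c", "cag-e"}               # List 3: CAG IDs allowed by UDM subscription data


def first_matching_group(list1, list2):
    """UE side: the CAG IDs present in both List 1 and List 2."""
    return set(list1) & set(list2)


def access_network_check(first_group, list2, strict=True):
    """Access network device.

    strict=True:  forward the group only if every CAG ID is in List 2,
                  otherwise return None (do not forward / reject access).
    strict=False: the filtering variant, drop the CAG IDs outside List 2
                  and forward the remainder as the new first matching group.
    """
    inside = set(first_group) & set(list2)
    if strict:
        return inside if inside == set(first_group) else None
    return inside


def second_matching_group(first_group, list3, list2=None):
    """AMF: CAG IDs the UE is allowed to access, i.e. the CAG IDs common to the
    first matching group and List 3 (and List 2, when the AMF holds List 2)."""
    result = set(first_group) & set(list3)
    if list2 is not None:
        result &= set(list2)
    return result


def registration_reply(first_group, list3, list2=None):
    """AMF: registration accept carrying the second matching group, or a
    registration reject whose reason is the failed CAG ID verification."""
    second = second_matching_group(first_group, list3, list2)
    if second:
        return ("accept", second)
    return ("reject", "CAG ID verification failed")


if __name__ == "__main__":
    group = first_matching_group(LIST1_UE_CONFIGURED, LIST2_RAN_SUPPORTED)
    forwarded = access_network_check(group, LIST2_RAN_SUPPORTED)
    print("first matching group:", sorted(group))
    print("registration reply:", registration_reply(forwarded, LIST3_SUBSCRIBED, LIST2_RAN_SUPPORTED))
```

The strict variant is the behaviour where a CAG ID outside List 2 causes the access network device to withhold the group (and optionally reject the UE); the filtering variant produces the "new first matching group" that the AMF then matches against List 3.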
- the access network device may also encrypt the first matching group according to other public keys of the access network device.
- the UE may pre-configure the public key of the access network device, and the UE may receive the public key sent by the access network device.
- the access network device may broadcast the public key of the access network device.
- the UE may receive protection indication information, where the protection indication information is used to instruct the UE to send the encrypted first matching group.
- the UE sends the encrypted first matching group under the AS SM, or the UE sends the encrypted first matching group through the AS SMC complete message, which avoids information leakage. At the same time, the impact on the process of UE access to the CAG is small.
- FIG. 11 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- when the UE accesses the CAG and receives a registration rejection message, it deletes the CAG IDs in the first matching group from List 1. If an attacker can forge the registration rejection message, the attacker may cause the UE to clear List 1 by forging multiple rejection messages. After List 1 is cleared, the UE cannot use the CAG service.
- the AMF needs to send a registration rejection message to the UE.
- the AMF network element determines that there is no CAG ID that allows the UE to access, and the AMF network element sends a registration rejection message to the UE.
- the UDM network element determines that there is no CAG ID that allows the UE to access, and the UDM network element sends a verification failure message to the AMF network element.
- the AMF network element sends a registration rejection message to the UE according to the verification failure information.
- the UE and the AMF network element share the key KAMF.
- the security context between the UE and the AMF network element is established, that is, the NAS protection context.
- the AMF network element can send the registration rejection message to the UE in a NAS message protected by the NAS security context. Messages protected by the NAS security context have confidentiality protection, which prevents an attacker from forging or modifying them. Alternatively, the AMF network element may send the registration rejection message to the UE through steps 901-902.
- the AMF network element can also send a registration rejection message to the UE through steps 901-902.
- step 901 UE identity authentication is performed.
- the UE and the AMF network element share the key KAMF.
- step 901 the AMF network element determines that the check fails and calculates the MAC.
- the AMF network element may receive a verification failure message sent by UDM.
- the AMF network element may determine that the verification fails according to the verification failure message.
- the AMF network element may perform verification and determine that the verification fails.
- for the AMF check, see Figure 2, Figure 7 and Figure 9.
- the AMF network element first calculates the MAC based on the key KAMF.
- MAC is also called a message authentication code, message verification code or information authentication code. It is a short value generated by a specific algorithm that is used to check the integrity of a given message.
- MAC can be used for authentication.
- MAC can be used to check whether the content has been changed during message delivery. At the same time, MAC can be used as the identity verification of the source of the message to confirm the source of the message.
- the AMF network element calculates according to the message verification code function to obtain the MAC.
- the input parameters of the message verification code function include the key KAMF, and may also include at least one of the following parameters: rejection indication information, ngKSI, NAS uplink counter, NAS downlink counter, first matching group, anti-bidding-down between architectures (ABBA) parameter, AMF ID, AMF set ID, SUCI, SUPI, a fresh parameter randomly selected by the AMF, service network identifier, etc.
- the fresh parameter randomly selected by the AMF may be, for example, a number used once (nonce) or another random number that is used only once.
- the service network identifier is the service network where the AMF is located.
- the first matching group includes the CAG ID that the UE requests to access.
- the rejection indication information is used to indicate the reason for the registration rejection, for example, the identity verification of the CAG to which the UE requests access fails, or the registration request of the UE is rejected.
- the reason for registration rejection can also be other verification failures, authentication failures, etc.
- step 902 the AMF network element sends a registration rejection message to the UE.
- the registration rejection message includes the MAC.
- the registration rejection message may also include rejection indication information.
- the registration rejection message may also include ngKSI, which is used to indicate KAMF.
- the registration rejection message may also include at least one of the multiple input parameters of the message verification code function except KAMF.
- the registration rejection message may include at least one of the following parameters: NAS uplink counter, NAS downlink counter, first matching group, anti-bidding down between architectures (ABBA), AMF ID, AMF Set ID (AMF set ID), SUCI, SUPI, fresh parameters randomly selected by AMF, service network ID, etc.
- the first matching group is determined by the UE according to the CAG ID list 1 configured for the UE and the CAG ID list 2 supported by the access network device.
- the first matching group includes the same CAG IDs in the list 1 and the list 2.
- the AMF network element may also send the input parameters of the message verification code function to the UE through other messages. For example, in the identity authentication process, the AMF network element sends ngKSI to the UE.
- the UE may also store the input parameters of the message verification code function. After determining the first matching group, the UE saves the first matching group. The UE may also store SUCI, SUPI, etc. The AMF can send the UE those input parameters of the message verification code function that the UE has not saved.
- the UE verifies the MAC.
- the UE calculates the MAC according to the message verification code function and the input parameters of the message verification code function.
- the UE determines whether the verification is passed according to the calculated MAC and the MAC in the registration rejection message.
- the UE determines that the calculated MAC is the same as the MAC in the registration rejection message, and the verification passes.
- the UE may delete the first matching group from the CAG ID list 1 configured for the UE.
- the UE determines that the calculated MAC is different from the MAC in the registration rejection message, and the verification fails.
- the UE determines that the registration rejection message is a forged message.
- the AMF network element sends the MAC, and the UE can determine the authenticity of the registration rejection message through the MAC, preventing an attacker from modifying and forging the registration rejection message.
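Steps 901-902 and the UE-side verification, as an added Python example that is not the patent's own code. It computes the message verification code as HMAC-SHA256 over a canonical encoding of the rejection parameters; HMAC-SHA256 and the `name=value` encoding are assumptions of this example, and the key, list and network identifiers are constructed sample values. The replay check on the NAS downlink counter is likewise an added assumption about how that input parameter is used, included because a replayed genuine rejection would otherwise still erase List 1.

```python
# Added example: MAC-protected registration rejection (steps 901-902) and the
# UE-side check. HMAC-SHA256 and the parameter encoding are assumptions of this
# example; all identifiers and keys used in it are constructed sample values.
import hashlib
import hmac
import os


def message_verification_code(k_amf: bytes, params: dict) -> bytes:
    """Message verification code function: HMAC-SHA256 over sorted name=value
    pairs, so the AMF and the UE always hash identical bytes."""
    encoded = ";".join(f"{name}={params[name]}" for name in sorted(params)).encode()
    return hmac.new(k_amf, encoded, hashlib.sha256).digest()


def amf_build_rejection(k_amf, ngksi, nas_dl_count, first_matching_group,
                        abba, serving_network, rejection_indication):
    """Step 901/902: the AMF computes the MAC over the rejection parameters and
    sends both the parameters and the MAC in the registration rejection message."""
    params = {
        "rejection_indication": rejection_indication,      # reason for the rejection
        "ngKSI": ngksi,                                    # identifies K_AMF on the UE
        "nas_dl_count": nas_dl_count,                      # NAS downlink counter
        "first_matching_group": ",".join(sorted(first_matching_group)),
        "abba": abba,
        "serving_network": serving_network,
        "nonce": os.urandom(16).hex(),                     # fresh parameter chosen by the AMF
    }
    return {"params": params, "mac": message_verification_code(k_amf, params)}


def ue_handle_rejection(k_amf, message, list1, last_dl_count):
    """UE side. Returns (verified, updated_list1).

    The first matching group is deleted from List 1 only when the recomputed
    MAC equals the received one and the NAS downlink counter has advanced
    (replay check: assumption of this example). Otherwise the message is
    treated as forged and List 1 is left unchanged."""
    params = message["params"]
    expected = message_verification_code(k_amf, params)
    if not hmac.compare_digest(expected, message["mac"]):
        return False, set(list1)          # forged or modified: ignore
    if params["nas_dl_count"] <= last_dl_count:
        return False, set(list1)          # replayed: ignore
    rejected = set(params["first_matching_group"].split(","))
    return True, set(list1) - rejected


if __name__ == "__main__":
    k_amf = bytes(range(32))                      # constructed sample key
    list1 = {"cag-a", "cag-b", "cag-c"}
    msg = amf_build_rejection(k_amf, 3, 7, {"cag-b", "cag-c"}, "0000",
                              "5G:mnc001.mcc001", "cag-id-verification-failed")
    print(ue_handle_rejection(k_amf, msg, list1, last_dl_count=6))
```

A forged rejection (wrong key) or a modified one (different first matching group) fails `compare_digest` and leaves List 1 intact, which is the property the passage above is after; the constant-time comparison avoids leaking the MAC through timing.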
- FIG. 12 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- when the UE accesses the CAG and receives a registration rejection message, it deletes the CAG IDs in the first matching group from List 1. If an attacker can forge the registration rejection message, the attacker may cause the UE to clear List 1 by forging multiple rejection messages. After List 1 is cleared, the UE cannot use the CAG service.
- the AMF/UDM network element determines that the verification fails, and steps 1001-1003 are performed.
- step 1001 the AMF/UDM network element calculates a digital signature.
- step 1002 the AMF/UDM network element sends the digital signature to the UE.
- if the UDM verification fails, the digital signature can be calculated based on the private key of the home network and the rejection indication information.
- UDM performs verification, see Figure 9.
- UDM calculates the digital signature according to the digital signature function.
- the input parameters of the digital signature function include the home network private key.
- the input parameters of the digital signature function may also include at least one of the following parameters: the first matching group, SUCI, SUPI, a fresh parameter randomly selected by the UDM (nonce, random number, etc.), the service network identifier (the service network where the AMF is located), the home network identifier and the rejection indication information.
- the first matching group includes the CAG ID that the UE requests to access.
- the rejection indication information is used to indicate the reason for the registration rejection, for example, the identity verification of the CAG that the UE requests to access fails, or authentication fails.
- the UDM network element sends a digital signature to the UE.
- the digital signature can be forwarded by the AMF network element and/or the AUSF network element, etc.
- the UDM network element may send rejection indication information to the AMF network element to indicate that the verification fails.
- the AMF sends a registration rejection message to the UE, which carries the digital signature sent by the UDM.
- the UE receives the registration rejection message.
- the UE can verify the digital signature according to the rejection indication information corresponding to the possible rejection reasons, that is, verify the correctness of the digital signature.
- the UE may verify the digital signature according to the received rejection indication information.
- the UDM network element may also send a key identifier for signing to the UE through AMF and/or AUSF.
- the UDM network element may also send a public key identifier, so that the UE can determine the public key used for digital signature calculation according to the public key identifier.
- the UDM network element may also send an algorithm indication, and the UE may determine the algorithm used for digital signature calculation according to the algorithm indication.
- the parameters sent by the UDM network element may also include at least one of the following parameters: SUCI, SUPI, a fresh parameter randomly selected by the UDM (nonce, random number, etc.), the service network identifier (the service network where the AMF is located), the home network identifier and the rejection indication information, etc.
- the UDM and/or AMF network element can also send other unsaved parameters of the UE, so that the UE can correctly verify the MAC.
- a digital signature can be calculated for the rejection indication information based on the AMF's private key.
- the AMF network element performs verification, see Figure 2, Figure 8, Figure 10. If the AMF verification fails, the AMF can calculate the digital signature based on the AMF's private key and rejection indication information.
- the AMF calculates the digital signature according to the digital signature function.
- the input parameters of the digital signature function include the private key saved by the AMF.
- the input parameters of the digital signature function may also include at least one of the following parameters: the first matching group, SUCI, SUPI, a fresh parameter randomly selected by the AMF (nonce, random number, etc.), the service network identifier (the service network where the AMF is located), the AMF public key identifier and the rejection indication information;
- step 1002 the AMF network element sends a registration rejection message to the UE.
- the registration rejection message includes a digital signature.
- the registration rejection message may also include rejection indication information.
- the registration rejection message may also include a key identifier for calculating the digital signature, and the UE can determine the AMF public key corresponding to the key identifier according to the key identifier, thereby verifying the digital signature.
- the registration rejection message may also include at least one of the multiple input parameters of the digital signature function except the AMF public key.
- the registration rejection message may include at least one of the following parameters: the first matching group, SUCI, SUPI, a fresh parameter randomly selected by the UDM (nonce, random number, etc.), a fresh parameter randomly selected by the AMF (nonce, random number, etc.), the service network identifier (the service network where the AMF is located), the AMF public key identifier and the rejection indication information.
- step 1003 the UE verifies the correctness of the digital signature.
- the UE receives the digital signature.
- the UE verifies the digital signature. If the verification passes, it is determined that the UE is not allowed to access the CAG corresponding to the CAG ID in the first matching group.
- the UE stores the public key of the home network. There is no restriction on the specific way of obtaining the home network public key.
- the UE can delete the first matching group from the CAG ID list 1 configured for the UE.
- the UE determines that the registration rejection message is a forged message.
- the AMF/UDM network element sends a digital signature, and the UE can determine the authenticity of the registration rejection message through the digital signature, prevent attackers from modifying and forging the registration rejection message, and complete the protection of the rejection indication information.
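Steps 1001-1003 in the UDM variant, as an added Python example that is not the patent's own code. It uses Ed25519 from the third-party `cryptography` package (an assumption of this example; the patent does not name a signature algorithm), signs the rejection indication together with SUPI, the home and service network identifiers, the first matching group and a UDM nonce, and carries a key identifier so the UE can pick the home network public key. When the rejection indication is not sent, the UE verifies the signature against each rejection reason it knows, as the passage above describes. All identifiers, reason labels and keys are constructed sample values.

```python
# Added example: digital-signature-protected registration rejection (steps
# 1001-1003, UDM variant) and the UE-side check. Ed25519 via the 'cryptography'
# package is an assumption of this example; identifiers are constructed values.
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

# Rejection reasons the UE knows how to check when the reason itself is not sent.
REJECTION_REASONS = ("cag-id-verification-failed", "authentication-failed")


def encode_signed_fields(params: dict) -> bytes:
    """Canonical encoding of the signed parameters (sorted name=value pairs)."""
    return ";".join(f"{name}={params[name]}" for name in sorted(params)).encode()


def udm_sign_rejection(home_private_key, key_id, supi, home_network, serving_network,
                       first_matching_group, rejection_indication, include_reason=True):
    """Steps 1001-1002: the UDM signs the rejection parameters with the home
    network private key; the AMF forwards the result in the registration
    rejection. With include_reason=False the reason is signed but not sent."""
    signed = {
        "rejection_indication": rejection_indication,
        "supi": supi,
        "home_network": home_network,
        "serving_network": serving_network,                     # where the AMF is located
        "first_matching_group": ",".join(sorted(first_matching_group)),
        "nonce": os.urandom(16).hex(),                          # UDM freshness parameter
    }
    sent = dict(signed)
    if not include_reason:
        del sent["rejection_indication"]
    return {"key_id": key_id, "params": sent,
            "signature": home_private_key.sign(encode_signed_fields(signed))}


def ue_verify_rejection(trusted_public_keys, message, list1):
    """Step 1003. Returns (verified_reason_or_None, updated_list1).

    The public key is selected by the received key identifier. If the reason
    was not sent, each known reason is tried in turn. Only a verified rejection
    removes the first matching group from List 1; anything else is treated as
    forged and List 1 is left unchanged."""
    public_key = trusted_public_keys.get(message["key_id"])
    if public_key is None:
        return None, set(list1)
    params = message["params"]
    if "rejection_indication" in params:
        candidates = (params["rejection_indication"],)
    else:
        candidates = REJECTION_REASONS
    for reason in candidates:
        trial = dict(params, rejection_indication=reason)
        try:
            public_key.verify(message["signature"], encode_signed_fields(trial))
        except InvalidSignature:
            continue
        rejected = set(params["first_matching_group"].split(","))
        return reason, set(list1) - rejected
    return None, set(list1)


if __name__ == "__main__":
    home_key = Ed25519PrivateKey.generate()                     # constructed home network key
    trust = {"hn-key-1": home_key.public_key()}
    msg = udm_sign_rejection(home_key, "hn-key-1", "imsi-001010123456789", "mcc001-mnc01",
                             "5G:mnc01.mcc001", {"cag-b"}, "cag-id-verification-failed")
    print(ue_verify_rejection(trust, msg, {"cag-a", "cag-b"}))
```

The AMF variant (L889 onward) is the same flow with the AMF private key and key identifier in place of the home network ones. Because the signed fields include SUPI and a nonce, a signature captured for one UE or one rejection does not verify for another, which is what stops a recorded rejection from being replayed to clear List 1.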
- FIG. 13 is a schematic structural diagram of a user equipment provided by an embodiment of the present application.
- the user equipment 1300 includes an encryption module 1310 and a transceiver module 1320.
- the encryption module 1310 is configured to encrypt the first group list using the non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including identifiers of one or more groups that the UE requests to access.
- the transceiver module 1320 is configured to send the encrypted first group list.
- the transceiver module 1320 is configured to send the encrypted first group list to the first network device through the NAS security mode SM completion message.
- the transceiver module 1320 is configured to send the encrypted first group list through the uplink NAS message protected by the NAS security context.
- the transceiver module 1320 is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code.
- the user equipment 1300 further includes a verification module configured to verify the registration rejection message according to the message verification code.
- FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of the present application.
- the network device 1400 includes: a transceiver module 1410, a decryption module 1420, and a determination module 1430.
- the transceiver module 1410 is configured to receive an encrypted first group list sent by the user equipment UE, where the first group list includes identifiers of one or more groups that the UE requests to access.
- the decryption module 1420 is configured to decrypt the encrypted first group list to obtain the first closed access service identification group.
- the determining module 1430 is configured to determine the list of subscription groups that the UDM network element determines to save.
- the determining module 1430 is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifier of the group that the UE is allowed to access.
- the transceiver module 1410 is further configured to, when there is a second group list, the first network device sends the second group list to the access network device.
- the transceiver module 1410 is configured to receive the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message.
- the network device 1400 further includes a calculation module configured to, when the second group list does not exist, calculate the message verification code according to the shared key between the UE and the first network device.
- the transceiver module 1410 is further configured to send a registration rejection message to the access network device, and the message verification code is used for the UE to verify the registration rejection message.
- the transceiver module 1410 is further configured to receive a third group list sent by the access network device, where the third group list includes the identities of the groups supported by the access network device.
- the determining module 1430 is configured to determine the second group list according to the first group list, the third group list, and the contracted group list.
- FIG. 15 is a schematic structural diagram of an access network device provided by an embodiment of the present application.
- the access network device 1500 includes: a transceiver module 1510 and a generating module 1520.
- the transceiver module 1510 is configured to receive the encrypted first group list sent by the user equipment UE, and the first closed access service identifier group includes one or more group service identifiers that the UE requests to access.
- the transceiver module 1510 is also configured to send the encrypted first group list.
- the transceiver module 1510 is further configured to receive a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access.
- the generating module 1520 is configured to generate the quality of service QoS information of one or more groups according to the identities of one or more groups.
- the transceiver module 1510 is further configured to send quality of service QoS information to the UE.
- FIG. 16 is a schematic structural diagram of a network device provided by an embodiment of the present application.
- the network device 1600 is characterized in that it includes a processor 1610 and a communication interface 1620.
- the communication interface 1620 is configured to receive an encrypted first group list sent by the user equipment UE, where the first group list includes the identities of one or more groups that the UE requests to access.
- the processor 1610 is configured to decrypt the encrypted first group list to obtain the first closed access service identification group.
- the processor 1610 is further configured to determine the list of subscription groups that the UDM network element determines to save.
- the processor 1610 is further configured to determine a second group list according to the first group list and the subscription group list, where the second group list includes the identifier of the group that the UE is allowed to access.
- the communication interface 1620 is configured to send the second group list to the access network device when the second group list exists.
- the communication interface 1620 is configured to receive the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message.
- the processor 1610 is further configured to, when there is no second group list, calculate the message verification code according to the shared key between the UE and the first network device.
- the communication interface 1620 is also used to send a registration rejection message to the access network device, and the message verification code is used for the UE to verify the registration rejection message.
- the communication interface 1620 is further configured to receive a third group list sent by the access network device, where the third group list includes the identifier of the group supported by the access network device.
- the processor 1610 is configured to determine the second group list according to the first group list, the third group list, and the contract group list.
- FIG. 17 is a schematic structural diagram of a user equipment provided by an embodiment of the present application.
- the user equipment 1700 includes: a processor 1710 and a communication interface 1720;
- the processor 1710 is configured to encrypt the first group list using the non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including identifiers of one or more groups that the UE requests to access;
- the communication interface 1720 is used to send the encrypted first group list.
- the communication interface 1720 is configured to send the encrypted first group list to the first network device through the NAS security mode SM completion message.
- the communication interface 1720 is configured to send the encrypted first group list through the uplink NAS message protected by the NAS security context.
- the communication interface 1720 is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code.
- the processor 1710 is further configured to verify the registration rejection message according to the message verification code.
- FIG. 18 is a schematic structural diagram of an access network device provided by an embodiment of the present application.
- the access network device 1800 includes a communication interface 1810.
- the communication interface 1810 is configured to receive an encrypted first group list sent by a user equipment UE, and the first closed access service identifier group includes one or more group service identifiers that the UE requests to access;
- the communication interface 1810 is also used to send the encrypted first group list
- the communication interface 1810 is further configured to receive a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access;
- the communication interface 1810 is further configured to send the quality of service QoS information of the one or more groups to the UE.
- the access network device 1800 includes a processor configured to generate the quality of service QoS information of the one or more groups according to the second group list.
- the embodiment of the present application provides a computer program storage medium having program instructions; when the program instructions are executed, the function of any one of the first network device, the access network device and the user equipment in the above method is realized.
- an embodiment of the present application provides a chip that includes at least one processor; when program instructions are executed by the at least one processor, the function of any one of the first network device, the access network device and the user equipment is realized.
- An embodiment of the present application provides a communication system, including the above-mentioned first network device, user equipment, and access network device.
- the disclosed system, device, and method may be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not implemented.
- the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
- each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
- the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
- the technical solution of this application, in essence, or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present application.
- the aforementioned storage media include: USB flash drive, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk and other media that can store program code.
Abstract
The present application provides a communication method, comprising: a first network device receiving an encrypted first group list sent by user equipment (UE), the first group list comprising identifiers of one or more groups that the UE requests to access; the first network device decrypting the encrypted first group list to obtain a first closed access service identifier group; the first network device determining a subscription group list stored by unified data management (UDM); the first network device determining a second group list according to the first group list and the subscription group list, the second group list comprising identifiers of groups that the UE is allowed to access; and, when the second group list exists, the first network device sending the second group list to the access network device. Because the first network device receives the list of groups that the UE requests to access in encrypted form and decrypts it, data leakage is avoided and the privacy of the UE is protected.
Description
This application claims priority to Chinese patent application No. 201910511766.9, filed with the Chinese Patent Office on June 13, 2019 and entitled "Communication method, network device, user equipment and access network device", which is incorporated herein by reference in its entirety.
This application relates to the field of communications, and in particular to a communication method, user equipment, an access network device and a network device.
A group allows a set of subscribers of one or more specific cells to access. Accessing a group requires the support of the user equipment (UE), the access network device and the core network. When the UE accesses a group, the core network and the UE exchange information to complete verification. During this information transfer, the signalling that carries the data exchanged between the core network device and the UE needs to be reliable and effective, with no data leakage, so that the privacy of the UE is protected.
Summary of the invention
This application provides a communication method, a network device, user equipment and an access network device that can avoid data leakage and protect the privacy of the UE.
In a first aspect, a communication method is provided, including: a first network device receives an encrypted first group list sent by user equipment (UE), the first group list including identifiers of one or more groups that the UE requests to access; the first network device decrypts the encrypted first group list to obtain a first closed access service identifier group; the first network device determines a subscription group list stored by unified data management (UDM); the first network device determines a second group list according to the first group list and the subscription group list, the second group list including identifiers of groups that the UE is allowed to access; and, when the second group list exists, the first network device sends the second group list to the access network device.
Because the first network device receives the list of groups that the UE requests to access in encrypted form and decrypts it, data leakage is avoided and the privacy of the UE is protected. The first network device sends the identifiers of the groups that the UE is allowed to access to the access network device, so that the access network device can prepare for data transmission after the UE accesses the group.
With reference to the first aspect, in some possible implementations, the first network device receiving the encrypted first group list sent by the UE includes: the first network device receives the encrypted first group list sent by the UE in a non-access stratum (NAS) security mode (SM) complete message; or the first network device receives the encrypted first group list sent by the UE in an uplink NAS message protected by the NAS security context.
By receiving the encrypted first group list in the NAS SM complete message or in an uplink NAS message protected by the NAS security context, the first network device achieves encrypted transmission of the first group list without any additional procedure. Receiving the encrypted first group list in the NAS SM complete message sent by the UE reduces the signalling between the UE and the first network device and thus the impact on the system.
With reference to the first aspect, in some possible implementations, the method further includes: when the second group list does not exist, the first network device computes a message authentication code from the shared key between the UE and the first network device; the first network device sends a registration reject message to the access network device, the message authentication code being used by the UE to verify the registration reject message.
With the message authentication code sent by the first network device, the UE can verify the registration reject message, so that a forged or modified registration reject message cannot prevent the UE from accessing the group.
With reference to the first aspect, in some possible implementations, the method includes: the first network device receives a third group list sent by the access network device, the third group list including identifiers of groups supported by the access network device; and the first network device determining the second group list according to the first group list and the subscription group list includes: the first network device determines the second group list according to the first group list, the third group list and the subscription group list.
By having the first network device check the list of groups supported by the access network device, the list of groups that the UE requests to access and the subscription group list against one another, the groups that the UE is allowed to access are determined accurately.
With reference to the first aspect, in some possible implementations, the method includes: the first network device receives access group request information sent by the access network device, the access group request information indicating that the UE requests to access a group.
In a second aspect, a communication method is provided, including: user equipment (UE) encrypts a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including identifiers of one or more groups that the UE requests to access; and the UE sends the encrypted first group list.
Because the UE sends the list of groups it requests to access in encrypted form, data leakage is avoided and the privacy of the UE is protected.
With reference to the second aspect, in some possible implementations, the UE sending the encrypted first group list includes: the UE sends the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or the UE sends the encrypted first group list in an uplink NAS message protected by the NAS security context.
By sending the encrypted first group list in the NAS SM complete message or in an uplink NAS message protected by the NAS security context, the UE achieves encrypted transmission of the first group list without any additional procedure. Sending the encrypted first group list in the NAS SM complete message reduces the signalling between the UE and the first network device and thus the impact on the system.
With reference to the second aspect, in some possible implementations, the method further includes: the UE receives a registration reject message sent by the first network device, the registration reject message including a message authentication code, and the UE verifies the registration reject message according to the message authentication code.
Because the UE verifies the registration reject message according to the message authentication code, a forged or modified registration reject message cannot prevent the UE from accessing the group.
With reference to the second aspect, in some possible implementations, the method includes: the UE sends access group request information to the access network device, the access group request information indicating that the UE requests to access a group.
In a third aspect, a communication method is provided, including: an access network device receives an encrypted first group list sent by user equipment (UE), the first closed access service identifier group including identifiers of one or more groups that the UE requests to access; the access network device sends the encrypted first group list; the access network device receives a second group list sent by a first network device, the second group list including identifiers of one or more groups that the UE is allowed to access; and the access network device sends the quality of service (QoS) of the one or more groups to the UE.
With reference to the third aspect, in some possible implementations, the method includes: the access network device receives access group request information sent by the UE, the access group request information indicating that the UE requests to access a group.
While the UE is accessing a group, the access network device receives from the network device the identifiers of the groups that the UE is allowed to access and prepares for the subsequent group access of the UE, which reduces system latency.
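The exchange described in the first, second and third aspects, modelled end to end as an added example (not code from the patent or from any 3GPP implementation): the UE ciphers and integrity-protects its first group list under the NAS security context, the first network device decrypts it and intersects it with the subscription group list and, when present, the third group list reported by the access network device, and either forwards the resulting second group list or, when it is empty, sends a registration reject carrying a message authentication code that the UE verifies. The `NasSecurityContext` class, the `cag-*` group identifiers, the NAS COUNT handling and the use of HMAC-SHA256 as a stand-in for the 5G NAS ciphering and integrity algorithms are all assumptions made so that the example runs on the standard library alone.

```python
"""Constructed model of the group-access check in the first three aspects.
Added example; not the patent's own code. HMAC-SHA256 stands in for the
NAS ciphering/integrity algorithms; real NAS security uses NEA/NIA."""
import hashlib
import hmac
import json


class NasSecurityContext:
    """Hypothetical NAS security context shared by the UE and the first
    network device: a key plus a NAS COUNT both sides keep in sync."""

    def __init__(self, key: bytes):
        self.key = key

    def _keystream(self, count: int, length: int) -> bytes:
        # Counter-mode keystream derived from the key and NAS COUNT (stand-in).
        out, block = b"", 0
        while len(out) < length:
            label = b"NAS-ENC" + count.to_bytes(4, "big") + block.to_bytes(4, "big")
            out += hmac.new(self.key, label, hashlib.sha256).digest()
            block += 1
        return out[:length]

    def _mac(self, count: int, payload: bytes) -> bytes:
        # 128-bit message authentication code bound to the NAS COUNT (stand-in).
        label = b"NAS-INT" + count.to_bytes(4, "big")
        return hmac.new(self.key, label + payload, hashlib.sha256).digest()[:16]

    def protect(self, count: int, plaintext: bytes) -> dict:
        """Cipher, then integrity-protect, as a protected uplink NAS message."""
        ks = self._keystream(count, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        return {"count": count, "ciphertext": ciphertext, "mac": self._mac(count, ciphertext)}

    def unprotect(self, msg: dict):
        """Return the plaintext, or None when the MAC does not verify."""
        if not hmac.compare_digest(self._mac(msg["count"], msg["ciphertext"]), msg["mac"]):
            return None
        ks = self._keystream(msg["count"], len(msg["ciphertext"]))
        return bytes(c ^ k for c, k in zip(msg["ciphertext"], ks))

    def integrity_protect(self, count: int, body: bytes) -> dict:
        return {"count": count, "body": body, "mac": self._mac(count, body)}

    def integrity_verify(self, msg: dict) -> bool:
        return hmac.compare_digest(self._mac(msg["count"], msg["body"]), msg["mac"])


# --- UE side (second aspect) ---
def ue_encrypt_group_list(ctx, group_ids, count):
    """Encrypted first group list, as carried in the NAS SM complete message."""
    plaintext = json.dumps(sorted(set(group_ids))).encode()
    return ctx.protect(count, plaintext)


def ue_verify_registration_reject(ctx, reject):
    """The UE accepts a registration reject only if its MAC verifies."""
    return ctx.integrity_verify(reject)


# --- first network device side (first aspect) ---
def network_decrypt_group_list(ctx, msg):
    """Decrypt the first group list; None if the integrity check fails."""
    plaintext = ctx.unprotect(msg)
    return None if plaintext is None else json.loads(plaintext.decode())


def determine_second_group_list(first_list, subscription_list, third_list=None):
    """Groups the UE may access: requested AND subscribed AND, when the access
    network device reported a third group list, supported by that device."""
    allowed = set(first_list) & set(subscription_list)
    if third_list is not None:
        allowed &= set(third_list)
    return sorted(allowed)


def network_build_registration_reject(ctx, count, cause):
    body = json.dumps({"type": "REGISTRATION_REJECT", "cause": cause}).encode()
    return ctx.integrity_protect(count, body)


def run_group_registration(ctx, requested, subscription_list, third_list, count=1):
    """Whole exchange: ("accept", second_group_list), ("reject", ue_verified)
    or ("drop", None) when the uplink message fails its integrity check."""
    msg = ue_encrypt_group_list(ctx, requested, count)
    first_list = network_decrypt_group_list(ctx, msg)
    if first_list is None:
        return ("drop", None)
    second_list = determine_second_group_list(first_list, subscription_list, third_list)
    if second_list:
        return ("accept", second_list)  # forwarded to the access network device
    reject = network_build_registration_reject(ctx, count + 1, "no allowed group")
    return ("reject", ue_verify_registration_reject(ctx, reject))


if __name__ == "__main__":
    ctx = NasSecurityContext(key=b"\x11" * 32)  # constructed test key
    print(run_group_registration(ctx, ["cag-1", "cag-2", "cag-3"],
                                 ["cag-2", "cag-3", "cag-9"], ["cag-3", "cag-9"]))
    print(run_group_registration(ctx, ["cag-1"], ["cag-2"], ["cag-1"]))
```

Two properties of the design are worth noting: the intersection is taken on the decrypted list only after the integrity check passes, so a modified uplink message is dropped rather than used to derive an allowed list; and the reject MAC is bound to the NAS COUNT and the shared key, so a reject body altered in transit, or one produced without the key, fails verification at the UE.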
In a fourth aspect, a network device is provided, including a transceiver module, a decryption module and a determining module. The transceiver module is configured to receive an encrypted first group list sent by user equipment (UE), the first group list including identifiers of one or more groups that the UE requests to access; the decryption module is configured to decrypt the encrypted first group list to obtain a first closed access service identifier group; the determining module is configured to determine a subscription group list stored by a unified data management (UDM) network element; the determining module is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including identifiers of groups that the UE is allowed to access; and the transceiver module is further configured to send the second group list to the access network device when the second group list exists.
With reference to the fourth aspect, in some possible implementations, the transceiver module is configured to receive the encrypted first group list sent by the UE in a non-access stratum (NAS) security mode (SM) complete message.
With reference to the fourth aspect, in some possible implementations, the network device further includes a computing module configured to compute, when the second group list does not exist, a message authentication code from the shared key between the UE and the first network device; the transceiver module is further configured to send a registration reject message to the access network device, the message authentication code being used by the UE to verify the registration reject message.
With reference to the fourth aspect, in some possible implementations, the transceiver module is further configured to receive a third group list sent by the access network device, the third group list including identifiers of groups supported by the access network device; and the determining module is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
In a fifth aspect, user equipment is provided, including an encryption module and a transceiver module. The encryption module is configured to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including identifiers of one or more groups that the UE requests to access; the transceiver module is configured to send the encrypted first group list.
With reference to the fifth aspect, in some possible implementations, the transceiver module is configured to send the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or the transceiver module is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
With reference to the fifth aspect, in some possible implementations, the transceiver module is further configured to receive a registration reject message sent by the first network device, the registration reject message including a message authentication code; the user equipment further includes a verification module configured to verify the registration reject message according to the message authentication code.
In a sixth aspect, an access network device is provided, including a transceiver module and a generating module. The transceiver module is configured to receive an encrypted first group list sent by user equipment (UE), the first closed access service identifier group including identifiers of one or more groups that the UE requests to access; the transceiver module is further configured to send the encrypted first group list; the transceiver module is further configured to receive a second group list sent by a first network device, the second group list including identifiers of one or more groups that the UE is allowed to access; the generating module is configured to generate quality of service (QoS) information of the one or more groups according to the identifiers of the one or more groups; and the transceiver module is further configured to send the QoS information to the UE.
In a seventh aspect, a network device is provided, including a processor and a communication interface. The communication interface is configured to receive an encrypted first group list sent by user equipment (UE), the first group list including identifiers of one or more groups that the UE requests to access; the processor is configured to decrypt the encrypted first group list to obtain a first closed access service identifier group; the processor is further configured to determine a subscription group list stored by a unified data management (UDM) network element; the processor is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including identifiers of groups that the UE is allowed to access; and, when the second group list exists, the first network device sends the second group list to the access network device.
With reference to the seventh aspect, in some possible implementations, the communication interface is configured to receive the encrypted first group list sent by the UE in a non-access stratum (NAS) security mode (SM) complete message.
With reference to the seventh aspect, in some possible implementations, when the second group list does not exist, the processor is further configured to compute a message authentication code from the shared key between the UE and the first network device; the communication interface is further configured to send a registration reject message to the access network device, the message authentication code being used by the UE to verify the registration reject message.
With reference to the seventh aspect, in some possible implementations, the communication interface is further configured to receive a third group list sent by the access network device, the third group list including identifiers of groups supported by the access network device; and the processor is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
In an eighth aspect, user equipment is provided, including a processor and a communication interface. The processor is configured to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including identifiers of one or more groups that the UE requests to access; the communication interface is configured to send the encrypted first group list.
With reference to the eighth aspect, in some possible implementations, the communication interface is configured to send the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or the communication interface is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
With reference to the eighth aspect, in some possible implementations, the communication interface is further configured to receive a registration reject message sent by the first network device, the registration reject message including a message authentication code that is used by the UE to verify the registration reject message.
In a ninth aspect, an access network device is provided, including a processor and a communication interface. The communication interface is configured to receive an encrypted first group list sent by user equipment (UE), the first closed access service identifier group including identifiers of one or more groups that the UE requests to access; the communication interface is further configured to send the encrypted first group list; the communication interface is further configured to receive a second group list sent by a first network device, the second group list including identifiers of one or more groups that the UE is allowed to access; and the communication interface is further configured to send the quality of service (QoS) of the one or more groups to the UE.
In a tenth aspect, a communication system is provided, including the access network device, the network device and the user equipment described above.
In an eleventh aspect, a computer program storage medium is provided, the computer program storage medium carrying program instructions which, when executed, cause the method described above to be performed.
In a twelfth aspect, a chip is provided, the chip including at least one processor, and when program instructions are executed by the at least one processor, the method described above is performed.
FIG. 1 is a schematic diagram of a network architecture to which the method provided in the embodiments of this application is applicable.
FIG. 2 is a schematic flowchart of a method by which a terminal device accesses a group.
FIG. 3 is a schematic flowchart of a communication method provided by an embodiment of this application.
FIG. 4 is a schematic flowchart of access stratum security mode establishment.
FIG. 5 is a schematic flowchart of non-access stratum security mode establishment.
FIG. 6 is a schematic flowchart of authentication.
FIG. 7 is a schematic flowchart of a communication method provided by another embodiment of this application.
FIG. 8 is a schematic flowchart of a communication method provided by yet another embodiment of this application.
FIG. 9 is a schematic flowchart of a communication method provided by yet another embodiment of this application.
FIG. 10 is a schematic flowchart of a communication method provided by yet another embodiment of this application.
FIG. 11 is a schematic flowchart of a communication method provided by yet another embodiment of this application.
FIG. 12 is a schematic flowchart of a communication method provided by yet another embodiment of this application.
FIG. 13 is a schematic structural diagram of user equipment provided by an embodiment of this application.
FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of this application.
FIG. 15 is a schematic structural diagram of an access network device provided by an embodiment of this application.
FIG. 16 is a schematic structural diagram of user equipment provided by another embodiment of this application.
FIG. 17 is a schematic structural diagram of a network device provided by another embodiment of this application.
FIG. 18 is a schematic structural diagram of an access network device provided by another embodiment of this application.
The technical solutions in this application are described below with reference to the accompanying drawings.
The technical solutions of the embodiments of this application can be applied to various communication systems, for example: a global system for mobile communications (GSM) system, a code division multiple access (CDMA) system, a wideband code division multiple access (WCDMA) system, general packet radio service (GPRS), a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, LTE time division duplex (TDD), a universal mobile telecommunication system (UMTS), a worldwide interoperability for microwave access (WiMAX) communication system, a future fifth generation (5G) system or new radio (NR), and so on.
It should be understood that the embodiments of this application do not specifically limit the structure of the entity that performs the method provided in the embodiments, as long as it can communicate according to that method by running a program that records the code of the method. For example, the entity performing the method provided in the embodiments of this application may be a terminal or a network device, or a functional module in the UE or the network device that can invoke and execute the program.
To facilitate understanding of the embodiments of this application, an application scenario of the embodiments is first described in detail with reference to FIG. 1.
FIG. 1 is a schematic diagram of a network architecture to which the method provided in the embodiments of this application is applicable. The network architecture shown in FIG. 1 may specifically include the following network elements:
1. User equipment (UE): may also be called a terminal device, terminal, access terminal, subscriber unit, subscriber station, mobile station, mobile, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent or user apparatus. The UE may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network or in a future evolved public land mobile network (PLMN); it may also be an end device, a logical entity or a smart device such as a mobile phone or smart terminal, a communication device such as a server, gateway, base station or controller, or an Internet of things (IoT) device such as a sensor, electricity meter or water meter. The UE may also be a wired device, such as a computer or a laptop. The embodiments of this application do not limit this.
2. Access network (AN): provides network access for authorized users in a specific area and can use transmission tunnels of different quality according to the user's level, the service requirements and so on. The access network may use different access technologies. There are currently two types of wireless access technology: 3rd Generation Partnership Project (3GPP) access technologies (for example the radio access technologies used in 3G, 4G or 5G systems) and non-3GPP access technologies. A 3GPP access technology is an access technology that complies with the 3GPP standard specifications; an access network using a 3GPP access technology is called a radio access network (RAN), and the access network device in a 5G system is called a next generation Node B (gNB). A non-3GPP access technology is an access technology that does not comply with the 3GPP standard specifications, for example the air interface technology represented by the access point (AP) in Wi-Fi.
An access network that implements the access network function using wired communication technology may be called a wired access network.
An access network that implements the access network function using wireless communication technology may be called a radio access network (RAN). The radio access network manages radio resources, provides access services to terminals, and forwards control signalling and user data between the terminals and the core network.
The radio access network device may be, for example, a base station (NodeB), an evolved NodeB (eNB or eNodeB), a base station in a 5G mobile communication system (gNB), a base station in a future mobile communication system or an AP in a WiFi system; it may also be a radio controller in a cloud radio access network (CRAN) scenario, or the access network device may be a relay station, an access point, an in-vehicle device, a wearable device, a network device in a future 5G network or a network device in a future evolved PLMN network, and so on. The embodiments of this application do not limit the specific technology or specific device form used by the radio access network device.
3. Access and mobility management function (AMF) entity: mainly used for mobility management, access management and the like, and can be used to implement the functions of a mobility management entity (MME) other than session management, for example lawful interception or access authorization (or authentication). In the embodiments of this application, it can be used to implement the functions of the access and mobility management network element.
4、会话管理功能(session management function,SMF)实体:主要用于会话管理、UE的网际协议(internet protocol,IP)地址分配和管理、选择可管理用户平面功能、策略控制、或收费功能接口的终结点以及下行数据通知等。在本申请实施例中,可用于实现会话管理网元的功能。4. Session management function (SMF) entity: Mainly used for session management, UE's Internet Protocol (IP) address allocation and management, selection of manageable user plane functions, policy control, or charging function interfaces End point and downlink data notification, etc. In the embodiment of this application, it can be used to realize the function of the session management network element.
5、用户平面功能(user plane function,UPF)实体:即,数据面网关。可用于分组路由和转发、或用户面数据的服务质量(quality of service,QoS)处理等。用户数据可通过该网元接入到数据网络(data network,DN)。在本申请实施例中,可用于实现用户面网关的功能。5. User plane function (UPF) entity: namely, data plane gateway. It can be used for packet routing and forwarding, or quality of service (QoS) processing of user plane data, etc. User data can be connected to the data network (DN) through this network element. In the embodiment of this application, it can be used to realize the function of the user plane gateway.
6、数据网络(DN):用于提供传输数据的网络。例如,运营商业务的网络、因特(Internet)网、第三方的业务网络等。6. Data network (DN): A network used to provide data transmission. For example, an operator’s business network, an Internet network, a third-party business network, etc.
7、认证服务功能(authentication server function,AUSF)实体:主要用于用户鉴权等。7. Authentication server function (authentication server function, AUSF) entity: mainly used for user authentication.
8、网络开放功能(network exposure function,NEF)实体:用于安全地向外部开放由3GPP网络功能提供的业务和能力等。8. Network exposure function (NEF) entity: used to safely open services and capabilities provided by 3GPP network functions to the outside.
9、网络存储功能((network function(NF)repository function,NRF)实体:用于保存网络功能实体以及其提供服务的描述信息,以及支持服务发现,网元实体发现等。9. Network storage function (NF) repository function (NRF) entity: used to store network function entities and description information of the services they provide, and support service discovery, network element entity discovery, etc.
10、策略控制功能(policy control function,PCF)实体:用于指导网络行为的统一策略框架,为控制平面功能网元(例如AMF,SMF网元等)提供策略规则信息等。10. Policy control function (PCF) entity: a unified policy framework used to guide network behavior, and provide policy rule information for control plane function network elements (such as AMF, SMF network elements, etc.).
11、统一数据管理(unified data management,UDM)实体:用于处理用户标识、接入鉴权、注册、或移动性管理等。11. Unified data management (UDM) entity: used to process user identification, access authentication, registration, or mobility management, etc.
12、应用功能(application function,AF)实体:用于进行应用影响的数据路由,接入网络开放功能网元,或,与策略框架交互进行策略控制等。12. Application function (AF) entity: used to route data affected by applications, access network open function network elements, or interact with policy frameworks for policy control, etc.
在该网络架构中,N1接口为终端与AMF实体之间的参考点;N2接口为AN和AMF实体的参考点,用于非接入层(non-access stratum,NAS)消息的发送等;N3接口为(R)AN和UPF实体之间的参考点,用于传输用户面的数据等;N4接口为SMF实体和UPF实体之间的参考点,用于传输例如N3连接的隧道标识信息,数据缓存指示信息,以及下行数据通知消息等信息;N6接口为UPF实体和DN之间的参考点,用于传输用户面的数据等。In this network architecture, the N1 interface is the reference point between the terminal and the AMF entity; the N2 interface is the reference point between the AN and AMF entities, used for non-access stratum (NAS) message transmission, etc.; N3 The interface is the reference point between the (R)AN and the UPF entity, used to transmit user plane data, etc.; the N4 interface is the reference point between the SMF entity and the UPF entity, used to transmit, for example, the tunnel identification information and data of the N3 connection Cache indication information, downlink data notification message and other information; N6 interface is the reference point between UPF entity and DN, used to transmit user plane data, etc.
图1中的各个网元之间的接口名称只是一个示例,具体实现中接口的名称可能为其他的名称,本申请对此不作具体限定。此外,上述各个网元之间的所传输的消息(或信令)的名称也仅仅是一个示例,对消息本身的功能不构成任何限定。The name of the interface between the various network elements in FIG. 1 is only an example, and the name of the interface in a specific implementation may be other names, which is not specifically limited in this application. In addition, the name of the message (or signaling) transmitted between the various network elements is only an example, and does not constitute any limitation on the function of the message itself.
应理解,上述应用于本申请实施例的网络架构仅是举例说明的从传统点到点的架构和服务化架构的角度描述的网络架构,适用本申请实施例的网络架构并不局限于此,任何能够实现上述各个网元的功能的网络架构都适用于本申请实施例。It should be understood that the above-mentioned network architecture applied to the embodiment of the present application is only an example of a network architecture described from the perspective of a traditional point-to-point architecture and a service-oriented architecture, and the network architecture applicable to the embodiment of the present application is not limited to this. Any network architecture that can realize the functions of the above-mentioned network elements is applicable to the embodiments of the present application.
还应理解,图1中所示的AMF网元、SMF网元、UPF网元、NSSF网元、NEF网元、AUSF网元、NRF网元、PCF网元、UDM网元,均可以理解为核心网中用于实现不同功能的网元,例如可以按需组合成网络切片。这些核心网网元可以各自独立的设备,也可以集成于同一设备中实现不同的功能,本申请对此不做限定。执行核心网网元功能的设备又可以称为核心网设备或网络设备。It should also be understood that the AMF network element, SMF network element, UPF network element, NSSF network element, NEF network element, AUSF network element, NRF network element, PCF network element, and UDM network element shown in Figure 1 can all be understood as The network elements used to implement different functions in the core network, for example, can be combined into network slices on demand. These core network elements may be independent devices, or they may be integrated in the same device to implement different functions, which is not limited in this application. A device that performs the functions of a core network element can also be called a core network device or a network device.
上述命名仅为用于区分不同的功能,并不代表这些网元分别为独立的物理设备,本申请对于上述网元的具体形态不作限定,例如,可以集成在同一个物理设备中,也可以分别是不同的物理设备。此外,上述命名仅为便于区分不同的功能,而不应对本申请构成任何限定,本申请并不排除在5G网络以及未来其它的网络中采用其他命名的可能。例如,在6G网络中,上述各个网元中的部分或全部可以沿用5G中的术语,也可能采用其他名称等。在此进行统一说明,以下不再赘述。The above naming is only used to distinguish different functions, and does not mean that these network elements are independent physical devices. This application does not limit the specific form of the above network elements. For example, they can be integrated in the same physical device or separately It is a different physical device. In addition, the above-mentioned naming is only to facilitate the distinction between different functions, and should not constitute any limitation to this application. This application does not exclude the possibility of adopting other naming in 5G networks and other networks in the future. For example, in a 6G network, some or all of the above-mentioned network elements may use the terminology in 5G, or may adopt other names. Here is a unified description, and will not be repeated here.
For ease of understanding, several terms involved in this application are briefly introduced before the embodiments are described.
1. Authentication and key agreement (AKA): when the user powers on and initiates registration, it may perform the AKA procedure with the network. AKA provides mutual authentication between the terminal and the network and lets the two sides agree on keys, which is the precondition for secure communication between them.
2. Key KSEAF: the key sent by the AUSF to the SEAF during UE registration; the SEAF derives KAMF from it and sends KAMF to the AMF. The SEAF and the AMF may be deployed separately or combined.
3. Key KAMF: the key obtained by the UE and by the AMF during UE registration. KAMF is determined from KSEAF. KAMF is associated with the key set identifier in 5G (ngKSI); for example, the UE and the AMF may each pre-store a one-to-one correspondence between at least one KAMF and at least one ngKSI, so that each ngKSI uniquely indicates one KAMF. KAMF may subsequently be used to generate the key KgNB.
4. Key KgNB: the key derived from KAMF, that is, the key that can be determined from KAMF. For example, KgNB may be generated from KAMF using an algorithm such as a key derivation function (KDF).
It should also be understood that the names of the intermediate keys and root keys listed above are chosen only for ease of distinction and do not limit this application, which does not exclude replacing them with other names that achieve the same or similar functions.
5. Encryption key: the parameter the sender inputs when encrypting plaintext into ciphertext with an encryption algorithm. With symmetric encryption the encryption key and the decryption key are the same, so the receiver can decrypt the ciphertext with the same algorithm and key; in other words, the sender and the receiver encrypt and decrypt with one shared key.
6. Integrity protection key: the parameter the sender inputs when applying integrity protection to plaintext or ciphertext with an integrity protection algorithm. The receiver verifies the integrity of the protected data with the same integrity protection algorithm and key.
7. Security capability: includes, but is not limited to, security algorithms, security parameters, keys and so on. In the embodiments of this application the security capability may include, for example, the security capability of the UE and that of the user plane gateway.
8. Security algorithm: an algorithm used to protect data, for example an encryption/decryption algorithm or an integrity protection algorithm.
9. Security context: information used to encrypt/decrypt data and/or protect its integrity. A security context may include, for example, encryption/decryption keys, integrity protection keys, freshness parameters (such as the NAS COUNT), the ngKSI and the security algorithms.
An ordinary cell allows all of the operator's legitimate subscribers (and roaming users) to access it. A group, by contrast, allows only a group of subscribers to access one or more specific cells; that is, the users who may access the group are restricted and conditional. The same user may belong to, and access, several groups. Each group corresponds to a group identifier. Group access requires support from the UE, the access network device and the core network.
The embodiments of this application apply to scenarios in which a UE needs to access a group; the group may be, for example, a closed access group (CAG) or a closed subscriber group (CSG). CAG is used as the example below.
FIG. 2 is a schematic flowchart of a method for a UE to access a group.
The subscription identifier de-concealing function (SIDF) network element may be configured in the unified data management (UDM) network element or deployed separately; that is, the UDM may provide the subscriber identity de-concealing function through its own SIDF or by invoking the SIDF.
The UE is configured with list 1, which may be called the allowed CAG identification (ID) list. List 1 includes the identifiers of the CAGs the UE may access.
In step 101, the access network device sends list 2 to the UE. List 2 is the list of CAG IDs supported by the cell.
The access network device may send list 2 by broadcast. Broadcast content may not be encrypted, so every device within the coverage of the access network device can obtain the broadcast information, and therefore list 2.
The access network device may also send list 2 by unicast. Unicast content may likewise be unencrypted, so every device within the coverage of the access network device can obtain the unicast information, and therefore list 2.
In step 102, the UE matches list 1 against list 2 and obtains the CAG IDs contained in both, that is, the selected matching CAG IDs. The UE thereby obtains a first matching group, which includes one or more matching CAG IDs; both list 1 and list 2 include every CAG ID in the first matching group, or in other words both lists include the first matching group.
In step 103, the UE sends registration request (RR) information and the first matching group to the access network device.
The RR information includes a subscription concealed identifier (SUCI). The SUCI is obtained by encrypting the subscription permanent identifier (SUPI) with the public key corresponding to the home network public key identifier. The home network public key identifier indicates the public key and/or private key used for SUPI encryption and SUCI decryption; that is, the UE generates the SUCI with a protection scheme using the original public key (the home network public key).
The UDM holds the private key corresponding to the home network public key identifier. Algorithms for subscriber privacy should be executed in the secure environment of the UDM.
The SIDF de-conceals the SUCI to obtain the SUPI. When the home network public key is used to encrypt the SUPI, the SIDF decrypts the SUCI with the home network private key stored securely in the home operator's network. De-concealment should take place in the UDM, and access rights to the SIDF should be defined so that only network elements of the home network may request it.
The first matching group is sent through the radio resource control (RRC) layer.
In step 104, the access network device sends the RR information and a second matching group to the access and mobility management function (AMF) network element.
The second matching group may be the same as the first matching group.
Optionally, before step 104 the access network device may match the first matching group against list 2 to obtain the second matching group, which includes one or more CAG IDs contained in both the first matching group and list 2. This additional matching at the access network device reduces the probability of a CAG registration error for the UE.
The RR information and the second matching group are sent over the N2 interface between the access network device and the AMF network element.
Before step 105, the AMF sends an authentication request message carrying the SUCI to the authentication server function (AUSF), and the AUSF sends a request carrying the SUCI to the UDM/SIDF network element.
The UDM/SIDF network element determines the SUPI of the UE from the SUCI.
In step 105, the authentication and security procedures are performed.
For the authentication and security procedures, refer to 3rd generation partnership project (3GPP) technical specification (TS) 33.501 V15.4.0 (2019-03). During authentication the UDM/SIDF network element generates an authentication vector and sends it to the AUSF network element.
In the authentication procedure, after the authentication exchange between the AUSF, the SEAF and the UE, the AUSF sends the key KSEAF to the SEAF. The SEAF derives the key KAMF from KSEAF and sends KAMF to the AMF; the SEAF may also be deployed in the same device as the AMF. The SEAF sends a key set identifier (KSI) to the UE, which may be the 5G key set identifier (ngKSI), and the UE determines KAMF from this KSI. In this way the UE and the AMF come to share the key KAMF. This is one possible authentication implementation; further evolution of the authentication method and other mutual authentication mechanisms are not excluded and are not detailed in this patent.
After the authentication procedure, the non-access stratum (NAS) security mode command (SMC) and access stratum (AS) security mode command (SMC) procedures may be performed.
Before step 106, the UDM/SIDF network element determines the UE's subscription data (also called subscription information) from the SUPI. The subscription data includes list 3, which contains the one or more CAG IDs the network side allows the UE to access.
In step 106, the AMF network element receives list 3 from the UDM/SIDF network element.
In step 107, the AMF network element matches the second matching group against list 3, checking whether they share at least one CAG ID. The shared CAG ID(s) serve as the target CAG ID.
If a target CAG ID exists, step 108a is performed.
In step 108a, the AMF sends registration accept information to the UE.
If no target CAG ID exists, step 108b is performed.
In step 108b, the AMF sends registration reject information to the UE.
After step 108b, the UE deletes the CAG IDs of the first matching group from list 1.
In this way the UE can perform the corresponding CAG service.
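The following is an added simulation of the FIG. 2 matching flow (steps 101 to 111), not code from the patent: the class names and CAG ID values are constructed, and SUCI/SUPI de-concealing (steps 105 and 106) is not modelled, the AMF simply looking up list 3 by SUPI. It shows how list 1, list 2 and list 3 narrow down to the target CAG ID, how list 1 is pruned on rejection, and what a passive observer of the air interface learns in step 103.

```python
"""Simulation of the CAG matching flow of FIG. 2 (steps 101 to 111).

Added example, not code from the patent; all identifiers and list contents are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class UE:
    allowed_cag_ids: set          # list 1: allowed CAG ID list configured on the UE

    def select_matching(self, cell_cag_ids: set) -> set:
        """Step 102: first matching group = CAG IDs present in both list 1 and list 2."""
        return self.allowed_cag_ids & cell_cag_ids

    def on_registration_reject(self, first_matching_group: set) -> None:
        """After step 108b: remove the rejected CAG IDs from list 1."""
        self.allowed_cag_ids -= first_matching_group


@dataclass
class AccessNetworkDevice:
    supported_cag_ids: set        # list 2: CAG IDs supported by the cell

    def broadcast_list2(self) -> set:
        """Step 101: list 2 is broadcast, possibly without encryption."""
        return set(self.supported_cag_ids)

    def second_matching_group(self, first_matching_group: set) -> set:
        """Optional check before step 104: re-match the UE's group against list 2."""
        return first_matching_group & self.supported_cag_ids


@dataclass
class AMF:
    # list 3 per subscriber, as the UDM/SIDF would return it after de-concealing the SUCI
    # (hypothetical shortcut: the SUPI is passed directly instead of a SUCI)
    subscription_cag_ids: dict

    def register(self, supi: str, second_matching_group: set) -> tuple:
        """Step 107: target CAG IDs are those in both the second matching group and list 3."""
        list3 = self.subscription_cag_ids.get(supi, set())
        target = second_matching_group & list3
        if target:
            return "REGISTRATION ACCEPT", target   # step 108a
        return "REGISTRATION REJECT", set()       # step 108b


def run_registration(ue: UE, ran: AccessNetworkDevice, amf: AMF, supi: str) -> tuple:
    """Drive the flow; returns (outcome, target CAG IDs, what an air-interface eavesdropper sees)."""
    list2 = ran.broadcast_list2()
    first = ue.select_matching(list2)
    # Step 103: the first matching group is carried over RRC without confidentiality
    # protection, so a passive listener learns exactly which CAGs this UE asks for.
    observed_on_air = set(first)
    second = ran.second_matching_group(first)
    outcome, target = amf.register(supi, second)
    if outcome == "REGISTRATION REJECT":
        ue.on_registration_reject(first)
    return outcome, target, observed_on_air


if __name__ == "__main__":
    # Constructed sample data.
    ue = UE({"cag-A", "cag-B", "cag-C"})
    ran = AccessNetworkDevice({"cag-B", "cag-C", "cag-D"})
    amf = AMF({"supi-1": {"cag-C"}})
    print(run_registration(ue, ran, amf, "supi-1"))
```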
The CAG service a UE wishes to use is related to the UE's type, and each CAG service can be accessed and used only by specific UEs; the CAG service a UE wishes to use therefore involves privacy. When the UE sends the first matching group to the access network device, an attacker eavesdropping on the air interface obtains the CAG IDs the UE requests to access, which leaks this private information.
To solve this problem, the embodiments of this application provide a communication method in which the CAG IDs the UE requests to access are sent in encrypted form, reducing the possibility of privacy leakage.
FIG. 3 is a schematic flowchart of a communication method provided by an embodiment of this application.
In step 201, the UE generates an encrypted first group list.
A group list may also be called a group identifier set. The first group list includes the identifiers of one or more groups the UE requests to access; a group may be, for example, a CAG or a CSG.
The identifiers of the one or more groups the UE requests to access may be all or part of the identifiers in a second group list configured to the UE.
In step 202, the UE sends the encrypted first group list.
The UE may send the encrypted first group list to the AMF network element.
In some embodiments, the UE may establish a NAS security context, that is, a NAS security mode, with the AMF network element. The establishment of the NAS security context is shown in FIG. 4.
The UE may send the first group list to the AMF network element in the NAS SM complete message of the NAS security context establishment procedure. Alternatively, the UE may send the encrypted first group list to the AMF after the NAS security context has been established, that is, in a NAS message protected by the NAS security context.
The UE may authenticate with the AMF network element to obtain a shared key (see FIG. 6 for UE authentication) and establish the NAS security context with the AMF from that shared key (see FIG. 4).
The AMF can decrypt the encrypted first group list sent by the UE using the confidentiality algorithm.
In other embodiments, the UE may encrypt the first group list with an AMF public key and send the encrypted list to the AMF network element. The AMF public key may be sent to the UE by the AMF or be pre-configured in the UE.
The AMF network element is configured with the AMF private key corresponding to the AMF public key and can decrypt the encrypted first group list with it.
The UE may send the encrypted first group list to the UDM network element.
The UE may encrypt the first group list with the home network key to obtain the encrypted first group list.
The UE may send the encrypted first group list together with the home network public key identifier, which indicates the home network key, to the UDM network element.
The UDM network element receives the encrypted first group list and the home network public key identifier, determines the home network private key from the identifier, and decrypts the encrypted first group list with the home network private key.
The UE may send the encrypted first group list to the access network device.
In some embodiments, the UE may establish an AS security context, that is, an AS security mode, with the access network device. The establishment of the AS security context is shown in FIG. 5.
The UE may send the first group list to the access network device in the AS SM complete message of the AS security context establishment procedure. Alternatively, the UE may send the encrypted first group list to the access network device after the AS security context has been established, that is, in an AS message protected by the AS security context.
The AMF distributes KgNB to the access network device, and the UE generates KgNB from KAMF. The UE and the access network device can then establish the access stratum (AS) security mode (SM).
The access network device can decrypt the encrypted first group list sent by the UE using the confidentiality algorithm.
In other embodiments, the UE may encrypt the first group list with an access network device public key and send the encrypted list to the access network device. The access network device public key may be sent to the UE by the access network device or be pre-configured in the UE. The access network device is configured with the private key corresponding to the access network device public key and can decrypt the encrypted first group list with it.
Optionally, the UE may receive a registration reject message sent by the AMF network element. The registration reject message includes a message authentication code with which the UE verifies the registration reject message. It may also include a reject code, which indicates that the UE's registration is rejected or the reason for the rejection. The reason may be, for example, that the AMF network element's check failed or that UE authentication failed. An AMF check failure means that the AMF network element has determined that no second group list exists, where the second group list includes the identifiers of the groups common to the subscription group list held by the UDM and the first group list.
Optionally, the UE may send access group request information to the access network device, indicating that the UE requests access to a group.
Through steps 201 and 202, the UE sends the first group list in encrypted form, which prevents it from being disclosed.
Figure 4 is a schematic flowchart of establishing a NAS security context.
In step 301a, the AMF network element activates integrity protection.
In step 301b, the AMF network element sends a NAS security mode command (NAS SMC) message to the UE. The NAS SMC message carries the selected integrity algorithm, the selected ciphering algorithm, a NAS message authentication code (NAS-MAC), the UE security capabilities, the KSI and so on. The NAS-MAC is used to verify the integrity of the NAS SMC message.
In step 301c, the AMF network element starts uplink deciphering.
In step 302a, the UE verifies the integrity of the NAS security mode command message. If verification succeeds, the UE starts uplink ciphering, downlink deciphering and integrity protection.
In step 302b, the UE sends a NAS security mode complete message to the AMF network element. The message carries a NAS-MAC, which is used to verify the integrity of the NAS security mode complete message.
In step 301d, the AMF network element starts downlink ciphering.
The AMF network element triggers the NAS SMC procedure by sending the NAS security mode command to the UE, and the UE replies with the NAS security mode complete message. The command message of step 301b is integrity protected only; the complete message of step 302b is both ciphered and integrity protected. Afterwards the UE and the AMF share a NAS security context and use it to protect the NAS messages they send, so that those messages have both integrity and confidentiality protection. Steps 301a through 301d and 302a through 302b thus establish the NAS security context.
Note that, for ease of understanding, Figure 4 only outlines the NAS SMC procedure; in a real deployment other steps and/or parameters may be added, or some of the steps and/or parameters above omitted.
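The exchange of Figure 4, written out as an added example that is not part of the patent and not 3GPP reference code. It derives an integrity key and a ciphering key from K_AMF, sends the security mode command integrity-protected only, sends the security mode complete ciphered and integrity-protected with the first group list inside it, and shows the receiver rejecting a modified PDU. The HMAC-SHA256 key derivation, the HMAC-based 32-bit tag and the HMAC counter-mode keystream are stand-ins for the 3GPP KDF and the NIA/NEA algorithms (assumptions made for a self-contained example); the PDU layout, the algorithm labels and the K_AMF value are constructed for the demo.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

UPLINK, DOWNLINK = 0, 1               # NAS direction bit
HEADER = ">?IB"                       # ciphered flag, NAS COUNT, direction (constructed layout)
HEADER_LEN = struct.calcsize(HEADER)  # 6 bytes
MAC_LEN = 4                           # the NAS-MAC is 32 bits


def kdf(parent, label):
    """HMAC-SHA256 key derivation; a stand-in for the 3GPP KDF (assumption)."""
    return hmac.new(parent, label, hashlib.sha256).digest()


@dataclass(frozen=True)
class NasContext:
    """Shared NAS security context: one integrity key and one ciphering key."""
    k_nas_int: bytes
    k_nas_enc: bytes


def derive_nas_context(k_amf, int_alg, enc_alg):
    """UE and AMF derive the same context from K_AMF and the algorithms the AMF selected."""
    return NasContext(kdf(k_amf, b"NAS-int:" + int_alg.encode()),
                      kdf(k_amf, b"NAS-enc:" + enc_alg.encode()))


def nas_mac(k_int, count, direction, data):
    """32-bit tag over (COUNT, DIRECTION, message); HMAC stand-in for NIA."""
    return hmac.new(k_int, struct.pack(">IB", count, direction) + data,
                    hashlib.sha256).digest()[:MAC_LEN]


def nas_cipher(k_enc, count, direction, data):
    """Counter-mode XOR with an HMAC keystream (stand-in for NEA); applying it twice deciphers."""
    stream = b"".join(
        hmac.new(k_enc, struct.pack(">IBI", count, direction, block), hashlib.sha256).digest()
        for block in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(ctx, count, direction, body, ciphered):
    """Build a NAS PDU: header || (ciphered) body || NAS-MAC over header and body."""
    header = struct.pack(HEADER, ciphered, count, direction)
    payload = nas_cipher(ctx.k_nas_enc, count, direction, body) if ciphered else body
    return header + payload + nas_mac(ctx.k_nas_int, count, direction, header + payload)


def unprotect(ctx, pdu):
    """Check the NAS-MAC first and only then decipher; raises on a modified or forged PDU."""
    header, payload, tag = pdu[:HEADER_LEN], pdu[HEADER_LEN:-MAC_LEN], pdu[-MAC_LEN:]
    ciphered, count, direction = struct.unpack(HEADER, header)
    if not hmac.compare_digest(tag, nas_mac(ctx.k_nas_int, count, direction, header + payload)):
        raise ValueError("NAS-MAC check failed")
    return nas_cipher(ctx.k_nas_enc, count, direction, payload) if ciphered else payload


def run_nas_smc(k_amf, first_group_list):
    """Steps 301a-301d / 302a-302b, with the first group list carried in the SMC complete."""
    int_alg, enc_alg = "NIA2", "NEA2"                      # labels only, chosen by the AMF
    amf_ctx = derive_nas_context(k_amf, int_alg, enc_alg)  # 301a: AMF activates integrity
    # 301b: NAS security mode command, integrity protected only (nothing is ciphered yet)
    cmd = protect(amf_ctx, 0, DOWNLINK, f"SMC {int_alg} {enc_alg} KSI=1".encode(), ciphered=False)
    # 302a: UE derives the same context from its own K_AMF and verifies the command
    ue_ctx = derive_nas_context(k_amf, int_alg, enc_alg)
    cmd_body = unprotect(ue_ctx, cmd).decode()
    # 302b: NAS security mode complete, ciphered and integrity protected, carrying the list
    complete = protect(ue_ctx, 0, UPLINK, ("SMC-COMPLETE " + ",".join(first_group_list)).encode(),
                       ciphered=True)
    # 301c: AMF deciphers the uplink and reads the first group list
    received = unprotect(amf_ctx, complete).decode().split(" ", 1)[1].split(",")
    return {"command_seen_by_ue": cmd_body, "complete_on_air": complete, "group_list_at_amf": received}


def tamper_detected(k_amf, pdu):
    """Flip one payload byte of a PDU and check that the receiver rejects it."""
    ctx = derive_nas_context(k_amf, "NIA2", "NEA2")
    forged = bytearray(pdu)
    forged[HEADER_LEN] ^= 0x01
    try:
        unprotect(ctx, bytes(forged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k = bytes(range(32))  # constructed K_AMF for the demo
    out = run_nas_smc(k, ["CAG-1", "CAG-7"])
    print(out["group_list_at_amf"], tamper_detected(k, out["complete_on_air"]))
```

The group identifiers never appear in `complete_on_air`, while the algorithm selection in the command does travel in clear, which is exactly the asymmetry between steps 301b and 302b that the text describes; the MAC is checked before any deciphering so that a forged PDU is never processed.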
Figure 5 is a schematic flowchart of establishing an AS security context.
Before step 401a, the RAN receives the key KgNB, which the AMF network element derives from the key KAMF. The AMF generates KgNB and sends it to the RAN.
In step 401a, the RAN starts RRC integrity protection.
In step 401b, the RAN sends an AS security mode command message to the UE. The message carries the selected integrity algorithm, the selected ciphering algorithm and a MAC-I, where the MAC-I is computed from the key KgNB.
In step 401c, the RAN starts RRC downlink ciphering.
In step 402a, the UE verifies the integrity of the AS security mode command message using the MAC-I. If verification succeeds, the UE starts RRC integrity protection and RRC downlink deciphering, deciphering the RRC downlink with the ciphering algorithm indicated in the AS SMC message.
In step 402b, the UE sends an AS security mode complete message to the RAN. The message carries a MAC-I computed from the key KgNB, with which the RAN verifies the integrity of the AS security mode complete message.
In step 402c, the UE starts RRC uplink ciphering.
In step 401d, the RAN starts RRC uplink deciphering.
The RAN triggers the AS SMC procedure by sending the AS security mode command message to the UE, and the UE replies with the AS security mode complete message. The command message of step 401b is integrity protected only, and the complete message of step 402b is integrity protected with its MAC-I (in the sequence above the UE starts RRC uplink ciphering only in step 402c, after sending it). From then on, messages exchanged between the UE and the RAN in AS security mode are given integrity and confidentiality protection using keys derived from KgNB. The UE and the access network device thereafter share an AS security context and send AS messages under its protection, so that those messages have both integrity and confidentiality protection. Steps 401a through 401d and 402a through 402c thus establish the AS security context.
Note that, for ease of understanding, Figure 5 only outlines the AS security context establishment procedure; in a real deployment other steps and/or parameters may be added, or some of the steps and/or parameters above omitted.
Figure 6 is a schematic flowchart of an authentication method. Authentication may also be called identity authentication.
In a communication network, when a UE requests a service provided by a service provider, the network checks whether the UE is authorized to access that service. The authentication procedure can refer to
In step 501, the UDM/ARPF network element generates an authentication vector.
In step 502, the UDM/ARPF network element sends a first authentication response message to the AUSF network element; it may be a Nudm_UEAuthentication_Get Response message and carries the authentication vector.
In step 503, the UE and the AUSF network element perform mutual authentication.
In step 504, the AUSF generates the key KSEAF and sends it to the SEAF network element.
In step 505, the SEAF network element derives the key KAMF from KSEAF and sends the KSI to the UE; the KSI identifies the key KAMF.
The SEAF network element may be co-located with the AMF network element or deployed as a separate network element. The SEAF sends KAMF to the AMF.
Figure 6 shows only one authentication method; other methods, such as 5G Authentication and Key Agreement (5G AKA), are also possible, and authentication may additionally comprise UE-AMF authentication, UE-AUSF authentication and the like. This is not limited in the embodiments of this application.
Figure 7 is a schematic flowchart of a communication method provided by an embodiment of this application.
The first network device includes an AMF network element. It may also include other network function (NF) elements such as an SMF, an AUSF, a SEAF or a UDM network element; this is not limited in the embodiments of this application.
In step 1101, the UE encrypts the first group list using the NAS security context, obtaining an encrypted first group list. The first group list contains the identifiers of one or more groups that the UE requests to access.
The first group list may contain all or some of the identifiers in the UE group list configured for the UE.
The UE may use the UE group list itself as the first group list.
Before step 1101, the UE receives an access network group list sent by the access network device; it contains the identifiers of the groups supported by the access network device. The UE may determine the first group list from the access network group list and the UE group list, taking the identifiers of the groups that appear in both.
In step 1102, the UE sends the encrypted first group list.
Before step 1102, the UE may establish a NAS security context with the AMF, and may send the encrypted first group list in a NAS message protected by that NAS security context.
Alternatively, during establishment of the NAS security context between the UE and the AMF, once the UE has set up the NAS security context it sends the encrypted first group list to the first network device in the NAS security mode complete message.
The first network device receives the encrypted first group list and decrypts it.
In step 1103, the first network device performs the check. The AMF determines the second group list from the first group list and the subscription group list: the second group list contains the identifiers of the groups that appear in both lists, and these are the groups the UE is allowed to access.
Before step 1103, the first network device obtains the subscription group list stored by the UDM network element. If the first network device does not include the UDM network element, it receives the subscription group list sent by the UDM; if it does include the UDM network element, it reads the subscription group list held by the UDM.
If a second group list exists, step 1104 is performed.
In step 1104, the first network device sends the second group list to the access network device, which thereby obtains the identifiers of the groups the UE is allowed to access.
Optionally, step 1105 may be performed after step 1104.
In step 1105, the access network device sends the UE the radio resource allocation information and/or quality of service (QoS) information of the group corresponding to each identifier in the second group list.
If no second group list exists, step 1106 is performed.
In step 1106, the first network device sends a registration reject message to the UE. To prevent an attacker from modifying or forging the registration reject message, the AMF may send it in one of the following ways.
The first network device may send the registration reject message as a NAS message. Whether the AMF and the UE have established a NAS security context before step 1106 is not limited in the embodiments of this application. If a NAS security context has been established, the first network device may send the registration reject message under that context, i.e. as a NAS message protected by the NAS security context.
Referring to Figure 11, the first network device may compute a message authentication code from the key shared between the UE and the AMF and include it in the registration reject message it sends to the UE; the UE uses the message authentication code to verify the registration reject message.
Referring to Figure 12, the first network device may instead compute a digital signature with the AMF private key and include it in the registration reject message; the UE verifies the digital signature with the AMF public key.
Optionally, the UE may send access group request information to the access network device, indicating that the UE requests access to a group.
Through steps 1101 to 1106, the UE sends the identifiers of the groups it requests to access in encrypted form, which prevents disclosure of UE privacy.
A group may be, for example, a CAG or a CSG. The following description takes a UE requesting access to a CAG as an example.
Figure 8 is a schematic flowchart of a communication method provided by an embodiment of this application.
The UE may send the first matching group to the AMF network element in a ciphered NAS message.
The UE stores List 1, which may be called the allowed CAG ID list. List 1 contains the identifiers of the CAGs configured for the UE, i.e. the CAGs the UE supports accessing. How the UE obtains List 1 is not limited: it may contain CAG IDs the UE obtained from the operator, CAG IDs configured by network management, CAG IDs configured at the factory, and so on.
In step 601, the access network device broadcasts system information containing List 2, the list of CAG IDs supported by the cell, the cell being the one, among the one or more cells covered by the access network device, in which the UE is located. Broadcast content may not be protected by encryption, so any device within the coverage of the access network device can obtain what it broadcasts.
Optionally, in step 601 the access network device sends the system information by unicast; it contains List 2, the CAG IDs supported by the cell. Unicast content may likewise be unencrypted, so any device within the coverage of the access network device can obtain it.
In step 602, the UE matches List 1 against List 2, i.e. it checks whether a first matching group exists. The first matching group contains at least one CAG ID, and each CAG ID in it belongs to both List 1 and List 2. The CAG IDs in the first matching group may be called selected matching CAG IDs.
In step 603, the UE sends a registration request (RR) message to the access network device. The registration request message contains the SUCI and may be a control plane message.
Before step 603, the UE computes the SUCI, a concealed form of the permanent identifier SUPI, so that an attacker cannot obtain the SUPI by eavesdropping on the air interface. The SUPI is the UE's permanent identity; that is, the UE encrypts the SUPI to obtain the SUCI.
The SUCI may include one or more of the SUPI type, a routing indicator, a protection scheme identifier and a home network public key identifier. The routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier indicates the protection scheme used to generate the SUCI, i.e. the scheme used to encrypt the SUPI. The routing indicator can be used to identify the UDM network element able to serve the UE.
Optionally, the UE sends first indication information to the access network device, indicating that the UE requests access to a CAG.
Since the registration-related information in the RR message is sent by the UE to the AMF network element, the access network device only forwards it and cannot interpret it. By sending the first indication information to the access network device, the UE instructs the access network device to carry out the procedure corresponding to a CAG access request.
Optionally, the first indication information is carried in the registration request message or in another message; for example, it may be sent in a radio resource control (RRC) message. It may take several forms: it may contain the List 2 received by the UE, or it may occupy a field of the registration request message.
In step 604, the access network device forwards the registration request message, containing the SUCI, to the AMF network element. The forwarded message may be sent over the N2 interface between the access network device and the AMF, i.e. as an N2 message.
Optionally, the access network device may send second indication information to the AMF network element, for example when it has received the first indication information. The second indication information indicates that the UE requests access to the CAG service.
The second indication information sent by the access network device instructs the AMF to carry out the procedure corresponding to the UE's CAG access request.
The second indication information may be carried in the forwarded registration request message or in another message.
Optionally, the access network device may send List 2 to the AMF network element, for example when it has received the first indication information; the second indication information may include List 2.
In step 605, the AMF network element sends the SUCI to the AUSF. The SUCI may be carried in a first authentication request message, which may be a Nausf_UEAuthentication_Authenticate Request message.
Optionally, the AMF may receive the second indication information and/or List 2.
In step 606, the AUSF network element sends the SUCI to the UDM/SIDF network element. The SUCI may be carried in a second authentication request message, which may be a Nudm_UEAuthentication_Get Request message.
In step 607, the UDM/SIDF network element decrypts the SUCI to obtain the SUPI, selects an authentication algorithm, and generates an authentication vector according to the selected algorithm.
Step 608 is the authentication procedure, used to authenticate the identity of the UE.
Specifically, the UDM/SIDF network element sends the authentication vector to the AUSF network element, carried in an authentication response message, which may be a Nudm_UEAuthentication_Get Response message.
The UE and the AUSF network element perform mutual authentication. The AUSF generates the key KSEAF and sends it to the SEAF network element. The SEAF derives the key KAMF from KSEAF and sends the KSI to the UE; the KSI identifies KAMF, so the UE can determine KAMF from it. The SEAF sends KAMF to the AMF. The SEAF may be co-located with the AMF or deployed separately. The specific details and flow of the authentication steps between the UE and the AUSF are not limited in the embodiments of this application.
After these steps, the AMF network element and the UE share the key KAMF.
In steps 609 and 610, the AMF network element and the UE perform the non-access stratum security mode command (NAS SMC) procedure.
From the key KAMF, the UE and the AMF network element derive the integrity key and the confidentiality key used between them, and so integrity-protect and confidentiality-protect the messages between the UE and the AMF. Confidentiality protection means that the sender encrypts the information and the receiver decrypts it.
In step 609, the AMF network element sends the NAS security mode command message to the UE. The message is integrity protected; integrity protection is existing technology and is not described further here.
In step 610, the UE sends the NAS security mode complete message to the AMF network element.
Optionally, the NAS security mode complete message contains the first matching group. Because that message is ciphered and integrity protected, the first matching group reaches the AMF in encrypted form, and step 611 may then be omitted.
A NAS security context is established in the course of the UE's access to the CAG. Sending the first matching group in the NAS SMC complete message, or in a NAS message protected by the NAS security context, encrypts the first matching group without adding any extra processing.
Through steps 609 and 610, the UE and the AMF network element establish a security context by the NAS SMC procedure, and messages between them can be transmitted encrypted; under the NAS security mode, messages between the AMF and the UE have both integrity and confidentiality protection.
If the NAS security mode complete message does not contain the first matching group, step 611 may be performed. Step 611 takes place after the UE and the AMF have established the security context by the NAS SMC procedure.
In step 611, the UE sends the first matching group to the AMF in an uplink (UL) NAS message; that is, the first matching group is sent under NAS security protection.
In step 612, the AMF network element receives List 3 from the UDM network element. List 3 contains the CAG IDs the network side allows the UE to access; it is part of the subscription data the AMF receives from the UDM.
Before step 612, the AMF network element may send a request message to the UDM network element to obtain the subscription data corresponding to the SUPI. Optionally, the request message contains the SUPI. The subscription data includes List 3, the CAG IDs the network side allows the UE to access.
In step 613, the AMF matches List 3 against the first matching group to determine whether a second matching group exists. Every CAG ID in the second matching group is in both List 3 and the first matching group; that is, the AMF takes the CAG IDs common to List 3 and the first matching group as the CAG IDs of the second matching group.
Optionally, the AMF matches List 2, List 3 and the first matching group to determine whether a second matching group exists, so that every CAG ID in the second matching group belongs to all three; that is, the AMF takes the CAG IDs common to List 2, List 3 and the first matching group as the CAG IDs of the second matching group.
When the AMF matches List 2, List 3 and the first matching group, steps 601 and 602 may be omitted and the UE may use List 1 as the first matching group.
Because the first matching group is sent to the AMF network element in a NAS message, the access network device cannot inspect or verify it, and cannot ensure that the UE's matching result, i.e. the CAG IDs in the first matching group, all belong to List 2. The AMF network element can therefore generate the second matching group taking List 2 into account.
Optionally, the AMF network element is pre-configured with the CAG IDs supported by the access network device, i.e. with List 2. In that case the access network device need not send List 2 to the AMF in step 604; alternatively, List 2 serves as the second indication information, indicating that the UE requests access to the CAG service.
Since the UE has already performed the matching to obtain the first matching group, the AMF may also skip matching against List 2 to reduce computation, and match only the first matching group against List 3. In that case the List 2 sent by the access network device to the AMF network element can serve as the second indication information, indicating that the UE requests access to the CAG service.
If a second matching group exists, the UE is allowed to access the CAG services corresponding to the CAG IDs in the second matching group.
In step 614, if the UE is allowed access, the AMF may send the second matching group to the access network device, for example in an N2 message. The second matching group contains the identifiers of the CAGs the UE is allowed to access, and the access network device receives it to learn those CAG IDs. Optionally, after receiving the second matching group, the access network device performs radio resource management and similar operations for the CAG IDs in it, for example sending the UE the resource configuration information of each CAG in the second matching group. Optionally, the access network device sends the UE the policy information for the CAG IDs in the second matching group, such as the QoS information of each CAG; the policy information indicates the parameters for data transmission after the UE has accessed the CAG. The specific operations the access network device performs for the CAG IDs in the second matching group are not limited in the embodiments of this application.
In step 615, the AMF network element sends a registration response message to the UE, which may be a registration accept message or a registration reject message.
If the UE is allowed access, the AMF network element sends a registration accept message to the UE. Optionally, the AMF sends the UE the second matching group, i.e. the CAG IDs the UE is allowed to access.
If the UE is not allowed access, the AMF network element sends a registration reject message to the UE. Optionally, the registration reject message contains check failure indication information, which gives the reason for the rejection, for example that the CAG ID check did not pass or that UE identity authentication failed.
Optionally, the AMF informs the UE whether it is allowed to access the CAG in another downlink NAS message.
Optionally, before step 610, and further before step 603, the UE may receive protection indication information instructing it to send the first matching group in encrypted form; that is, the protection indication information instructs the UE to encrypt the first matching group and send it encrypted. For example, the UE performs a registration procedure before step 603, and the registration accept message of that procedure carries the protection indication information; in the subsequent CAG access procedure, the UE then protects the first matching group in the manner described above.
通过步骤601-615,UE通过加密的方式发送第一匹配组,可以避免信息的泄露。Through steps 601-615, the UE sends the first matching group in an encrypted manner, which can avoid information leakage.
在一些实施例中,UE可以通过除RR消息之外的NAS消息向AMF网元发送第一指示信息。AMF通过第一指示信息确定UE请求接入CAG的流程。In some embodiments, the UE may send the first indication information to the AMF network element through a NAS message other than the RR message. The AMF determines the flow of the UE requesting to access the CAG through the first indication information.
在一些实施例中,也可能基站不广播列表2,或者UE不进行基站广播列表2与列表1的匹配;UE通过NAS消息发送加密的列表1至AMF。后续的操作与后面流程相同,不同点在于第一匹配组,此时为列表1。In some embodiments, it is also possible that the base station does not broadcast list 2, or the UE does not match the base station broadcast list 2 with list 1; the UE sends encrypted list 1 to AMF through NAS messages. The subsequent operations are the same as the following procedures, except that the first matching group is listed in List 1.
在一些实施例中,还可能UE基于AMF的公钥加密第一匹配组,得到第一匹配组的密文。并通过将第一匹配组的密文通过NAS消息发送给AMF,例如通过RR消息与SUCI一起发送给AMF;或者通过其他NAS消息发送给AMF。AMF通过AMF的私钥解密第一匹配组的密文得到第一匹配组。后面判定的流程与上述实施例相同。这里UE获得AMF的公钥的过程,可以为预置,或者在之前注册流程中有AMF分发给UE的;不做限制。In some embodiments, it is also possible that the UE encrypts the first matching group based on the public key of the AMF to obtain the ciphertext of the first matching group. And by sending the ciphertext of the first matching group to the AMF through the NAS message, for example, through the RR message and the SUCI to the AMF; or through other NAS messages to the AMF. AMF decrypts the ciphertext of the first matching group through the AMF's private key to obtain the first matching group. The subsequent determination process is the same as the above-mentioned embodiment. Here, the process by which the UE obtains the public key of the AMF may be preset or distributed to the UE by the AMF in the previous registration process; there is no restriction.
FIG. 9 is a schematic flowchart of a communication method provided by an embodiment of this application.
The UE may encrypt the first matching group with the home network key and send the encrypted first matching group to the UDM network element; the UDM network element decrypts the encrypted first matching group and sends the decrypted first matching group to the AMF.
The UE stores List 1, which may be called the allowed CAG ID list. List 1 includes the identifiers of the CAGs configured for the UE, that is, List 1 represents the CAGs that the UE supports accessing. How the UE obtains List 1 is not limited: for example, List 1 may include CAG IDs that the UE obtains from the operator, CAG IDs configured by network management, CAG IDs configured when the UE leaves the factory, and so on.
In step 601, the access network device broadcasts system information that includes List 2, the list of CAG IDs supported by the cell covered by the access network device. The broadcast content is not protected by encryption, so any device within the coverage of the access network device can obtain the information broadcast by the access network device.
Optionally, in step 601 the access network device sends the system information by unicast, and the system information includes List 2, the list of CAG IDs supported by the cell. The unicast content may not be protected by encryption, so any device within the coverage of the access network device may obtain the unicast information of the access network device.
In step 602, the UE matches List 1 against List 2, that is, the UE checks whether a first matching group exists. The first matching group includes at least one CAG ID, and each CAG ID in the first matching group belongs to both List 1 and List 2. The CAG IDs in the first matching group may be called matched CAG IDs (selected matching CAG IDs).
In step 703, the UE sends a registration request message, which includes the SUCI, to the access network device. The registration request message may be a control plane message.
The registration request message also includes the encrypted first matching group.
Before step 703, the UE computes the SUCI, which is an encapsulation of the permanent identity SUPI so that an attacker cannot obtain the SUPI by eavesdropping on the air interface. The SUPI is the permanent identity of the UE; in other words, the UE encrypts the SUPI to obtain the SUCI.
The SUCI may include one or more of the SUPI type, a routing indicator, a protection scheme identifier and a home network public key identifier. The routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier indicates the protection scheme used for the SUCI, that is, the scheme used to encrypt the SUPI. The routing indicator may be used to indicate the UDM network element that is able to serve the UE.
Before step 703, the UE encrypts the first matching group with the home network public key to obtain the encrypted first matching group. Encrypting the first matching group with the home network public key may also be called the UE encapsulating the first matching group.
The UE may encrypt the first matching group with the same encryption scheme as the SUCI. The UE may encrypt the SUPI and the first matching group together and encapsulate them in one piece of information; that is, the SUCI and the encrypted first matching group may be carried in the same message. Alternatively, the UE may encrypt the SUPI and the first matching group separately. Optionally, the encrypted first matching group includes one or more of a routing indicator, a protection scheme identifier and a home network public key identifier. The SUCI and the encrypted first matching group may be carried in the same message or in different messages.
The UE may also encrypt the first matching group with an encryption scheme different from that of the SUCI. For example, the SUCI and the encrypted first matching group may correspond to different home network keys, that is, to different home network public key identifiers. The encrypted first matching group includes one or more of a routing indicator, a protection scheme identifier and a home network public key identifier. The SUCI and the encrypted first matching group may be carried in the same message or in different messages. The home network key includes the home network public key and the home network private key. The UE and the UDM network element hold the correspondence between the home network public key identifier and the home network public key and home network private key.
Optionally, the UE sends first indication information to the access network device. The first indication information indicates that the UE requests access to the CAG service.
Optionally, the first indication information is carried in the registration request message or in another message. For example, the first indication information may be sent in a radio resource control (RRC) message. The first indication information may take several forms: for example, it may include List 2 as received by the UE, or it may occupy a field of the registration request message.
In step 704, the access network device sends the registration request message, which includes the SUCI and the encrypted first matching group, to the AMF network element. The registration request message may be sent over the N2 interface between the access network device and the AMF network element, that is, it may be an N2 message.
Optionally, the access network device may send second indication information to the AMF network element. For example, if the access network device receives the first indication information, it sends the second indication information to the AMF network element. The second indication information indicates that the UE requests access to the CAG service.
The second indication information may be carried in the registration request message or in another message.
Optionally, the access network device may send List 2 to the AMF network element. The second indication information may include List 2.
In step 705, the AMF network element sends the encrypted first matching group and the SUCI to the AUSF. The SUCI may be carried in a first identity authentication request message; the encrypted first matching group may be carried in the first identity authentication request message or in another message. The first identity authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
Optionally, the AMF may receive the second indication information and/or List 2.
In step 706, the AUSF network element sends the encrypted first matching group and the SUCI to the UDM/SIDF network element. The SUCI may be carried in a second authentication request message; the encrypted first matching group may be carried in the second authentication request message or in another message. The second authentication request message may be a Nudm_UEAuthentication_Get Request message.
In step 707, the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group with the home network private key corresponding to the home network public key identifier.
The UDM/SIDF network element decrypts the SUCI to obtain the SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm. The UDM/SIDF network element decrypts the encrypted first matching group to obtain the first matching group.
Alternatively, the UDM/SIDF network element decrypts a single piece of information corresponding to both the SUPI and the first matching group, obtaining the SUPI and the first matching group.
The UDM/SIDF network element determines the subscription data of the UE from the SUPI. The subscription data of the UE includes List 3, which includes the CAG IDs that the network side allows the UE to access.
The UDM/SIDF network element matches the first matching group against List 3 to obtain a third matching group. The third matching group includes the CAG IDs common to the first matching group and List 3.
If the UDM/SIDF network element determines that no third matching group exists, the UE authentication procedure and step 614 are not performed. When no third matching group exists and the verification therefore fails, the subsequent UE authentication procedure is unnecessary, which saves signalling overhead in the system.
The UDM/SIDF network element may reject the registration of the UE. The UDM may send rejection indication information to the AMF network element with or without passing through the AUSF network element.
Before step 615, the UDM network element may send first rejection indication information to the AMF network element, with or without passing through the AUSF network element. The first rejection indication information may include the reason for the registration rejection; that is, it may indicate that no third matching group exists, meaning that the verification failed and there is no CAG that the UE is allowed to access.
The AMF network element receives the rejection indication information sent by the UDM network element and determines that no second matching group exists, that is, that there is no CAG that the UE is allowed to access.
In step 615, the AMF network element sends a registration reject message to the UE.
If the UDM/SIDF network element determines that a third matching group exists, steps 709-710 are performed. Steps 709-710 belong to the authentication procedure, which is used for identity authentication of the UE.
Specifically, in step 709, the UDM/SIDF network element sends the authentication vector to the AUSF network element. The authentication vector may be carried in a first authentication reply message, which may be a Nudm_UEAuthentication_Get Response message.
In step 710, the AUSF network element sends the authentication vector to the AMF network element. The authentication vector may be carried in a second authentication reply message, which may be a Nudm_UEAuthentication_Get Response message.
The UDM/SIDF network element may send the third matching group to the AMF network element.
The UDM/SIDF network element may send the third matching group to the AUSF network element, and the AUSF network element sends the third matching group to the AMF network element; in other words, the third matching group may be forwarded via the AUSF network element to the AMF network element. The third matching group may be carried in the first authentication reply message or in another message, and in the second authentication reply message or in another message.
The UDM/SIDF may also send the third matching group to the AMF network element in another message, without forwarding by other network elements.
The UE and the AUSF network element perform mutual authentication. After successful authentication, the AUSF generates the key KSEAF and sends it to the SEAF network element. The SEAF network element derives the key KAMF from the key KSEAF and sends a KSI to the UE, where the KSI indicates the key KAMF; the UE can determine the key KAMF from the KSI. The SEAF sends KAMF to the AMF. Here the SEAF may be deployed independently of the AMF or as a separate entity. The embodiments of this application do not limit the specific details and flow of the authentication steps between the UE and the AUSF network element.
Through the above steps, the AMF network element and the UE share the key KAMF.
After the authentication procedure, the UE and the AMF can establish a NAS security context from the key KAMF, and the UE and the access network device can establish an AS security context.
Before step 614, the AMF network element receives the third matching group sent by the UDM network element and determines the second matching group from the third matching group.
The AMF network element may use the third matching group as the second matching group.
The AMF network element may match the third matching group against List 2 to determine the second matching group. The second matching group includes the CAG IDs common to the third matching group and List 2.
Because the first matching group is sent to the UDM network element in encrypted form, the access network device cannot check or verify the first matching group sent by the UE, and so it cannot be ensured that the UE's matching result is correct, that is, that every CAG ID in the first matching group is a CAG ID in List 2. The AMF network element can therefore generate the second matching group according to List 2.
Optionally, the AMF network element is pre-configured with the CAG IDs supported by the access network device, that is, the AMF is pre-configured with List 2. In that case the access network device need not send List 2 to the AMF network element in step 704. Alternatively, List 2 sent by the access network device to the AMF network element may serve as the second indication information, indicating that the UE requests access to the CAG service.
Since the first matching group has already been obtained by matching at the UE, the AMF may skip matching against List 2 in order to reduce the amount of computation; that is, the AMF may match only the first matching group against List 3. In this case, List 2 sent by the access network device to the AMF network element may serve as the second indication information, which indicates that the UE requests access to the CAG service.
If a second matching group exists, step 614 is performed.
In step 614, the AMF network element may send the second matching group to the access network device. The second matching group may be sent in an N2 message and includes the identifiers of the CAGs that the UE is allowed to access. The access network device obtains the CAG IDs that the UE is allowed to access. Optionally, after receiving the second matching group, the access network device performs operations such as radio resource management for the CAG IDs in the second matching group. The embodiments of this application do not limit the specific operations of the access network device.
In step 615, the AMF network element sends a registration reply message to the UE. The registration reply message may be a registration accept message or a registration reject message.
If the AMF network element determines that a second matching group exists and the UE is allowed to access, the AMF network element sends a registration accept message to the UE. Optionally, the AMF network element sends the second matching group, that is, the CAG IDs that the UE is allowed to access, to the UE.
If the UE is not allowed to access, the AMF network element sends a registration reject message to the UE. Optionally, the registration reject message includes second rejection indication information, which indicates the reason for the registration failure, for example that the CAG ID verification failed or that authentication failed.
Optionally, the registration reply message may be a downlink NAS message.
Through the above steps, the UE sends the first matching group in encrypted form, which avoids leakage of the information.
Before the UE authentication procedure, the UDM/SIDF network element verifies whether the UE is able to access the CAG, that is, it matches the first matching group against List 3.
In some embodiments, the AMF may instead match the first matching group against List 3 to perform the verification.
In step 707, the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group with the home network private key corresponding to the home network public key identifier.
The UDM/SIDF network element decrypts the SUCI to obtain the SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm. The UDM/SIDF network element decrypts the encrypted first matching group to obtain the first matching group.
Alternatively, the UDM/SIDF network element decrypts a single piece of information corresponding to both the SUPI and the first matching group, obtaining the SUPI and the first matching group.
The UDM/SIDF network element determines the subscription data of the UE from the SUPI. The subscription data of the UE includes List 3, which includes the CAG IDs that the network side allows the UE to access.
After step 707, the authentication procedure is performed for identity authentication of the UE.
The UDM/SIDF network element sends the first matching group and List 3 to the AMF network element.
The UDM/SIDF network element may send the first matching group and List 3 to the AMF network element. The first matching group and/or List 3 may be carried in the first identity authentication reply message or in another message.
The UDM/SIDF network element may send the first matching group and List 3 to the AUSF network element, and the AUSF network element sends the first matching group and List 3 to the AMF network element; in other words, the first matching group and List 3 may be forwarded via the AUSF network element to the AMF network element. The first matching group and/or List 3 may be carried in the second authentication reply message or in another message.
Before step 614, the AMF network element matches the first matching group against List 3 to determine the second matching group. The second matching group includes the CAG IDs common to the first matching group and List 3.
The AMF may use the CAG IDs common to List 3 and the first matching group as the CAG IDs of the second matching group. The AMF may also use the CAG IDs common to List 2, List 3 and the first matching group as the CAG IDs of the second matching group.
In step 614, if the UE is allowed to access, the AMF may send the second matching group to the access network device.
In step 615, the AMF network element sends a registration reply message to the UE. The registration reply message may be a registration accept message or a registration reject message.
In some embodiments, the UE may not match List 2 against List 1, and the base station may not broadcast List 2. The UE sends the encrypted List 1 to the AMF network element in a NAS message, and the subsequent operations are the same as in the procedure above. Compared with the procedure above, the difference is that the first matching group is then List 1. That is, in the case where the AMF matches the third matching group against List 2, steps 601-602 may be omitted and the UE may use List 1 as the first matching group.
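As an added example (not the patent's own code), the following Python simulates the CAG check described for FIG. 8 and FIG. 9 end to end: the UE forms the first matching group, seals it under a home network key identifier, the UDM unseals it and checks it against List 3 before any authentication takes place, and the AMF re-checks the result against List 2 because the access network device could not verify the sealed group. The sample lists, SUPIs and the symmetric stand-in for the home network key pair are constructed for this demonstration and are not from the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for the walk-through (not from the patent).
LIST_1 = {"cag-a", "cag-b", "cag-c"}          # List 1: CAG IDs configured on the UE
LIST_2 = {"cag-b", "cag-c", "cag-x"}          # List 2: CAG IDs the cell broadcasts
SUBSCRIPTIONS = {                             # List 3 per SUPI, held by the UDM
    "supi-honest": {"cag-b", "cag-z"},
    "supi-nomatch": {"cag-z"},
    "supi-offcell": {"cag-a", "cag-z"},
}
# Stand-in for the home network key pair: one symmetric secret per home network
# public key identifier. The real system uses the SUCI protection scheme
# (public-key based); this keystream-plus-HMAC construction only demonstrates
# the flow and must not be used as a cipher.
HOME_NETWORK_KEYS = {7: b"constructed-home-network-secret-7"}


def ue_first_matching_group(list_1: set, list_2: Optional[set]) -> set:
    """Step 602: intersect List 1 with the broadcast List 2. When List 2 is not
    broadcast (the variant at the end of the embodiment) List 1 itself is sent."""
    return set(list_1) if list_2 is None else set(list_1) & set(list_2)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def ue_encapsulate(key_id: int, group: set) -> dict:
    """Seal the first matching group under the key named by key_id. As with the
    SUCI, the key identifier travels in clear; the CAG IDs do not."""
    key = HOME_NETWORK_KEYS[key_id]
    nonce = os.urandom(12)
    plaintext = ",".join(sorted(group)).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"hn_key_id": key_id, "nonce": nonce, "ct": ct, "tag": tag}


def udm_decapsulate(envelope: dict) -> Optional[set]:
    """Step 707: select the private key by identifier, verify, decrypt.
    Returns None for an unknown key identifier or a tampered envelope."""
    key = HOME_NETWORK_KEYS.get(envelope["hn_key_id"])
    if key is None:
        return None
    expected = hmac.new(key, envelope["nonce"] + envelope["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    ks = _keystream(key, envelope["nonce"], len(envelope["ct"]))
    plaintext = bytes(a ^ b for a, b in zip(envelope["ct"], ks)).decode()
    return set(plaintext.split(",")) if plaintext else set()


def register(supi: str, list_1: set, list_2: set, ue_sees_broadcast: bool = True,
             tamper: bool = False) -> dict:
    """Run the FIG. 9 flow and report outcome, reason, whether the (assumed
    successful) authentication procedure was reached, and the allowed CAG IDs."""
    first = ue_first_matching_group(list_1, list_2 if ue_sees_broadcast else None)
    envelope = ue_encapsulate(7, first)                        # step 703
    if tamper and envelope["ct"]:                              # constructed fault: ciphertext altered in transit
        envelope["ct"] = bytes([envelope["ct"][0] ^ 1]) + envelope["ct"][1:]
    # Steps 704-706: gNB, AMF and AUSF forward the envelope without reading it.
    decrypted = udm_decapsulate(envelope)                      # step 707
    if decrypted is None:
        return {"result": "reject", "reason": "decapsulation failed",
                "authenticated": False, "allowed": set()}
    third = decrypted & SUBSCRIPTIONS.get(supi, set())         # first group vs List 3
    if not third:
        # No third matching group: reject before steps 709-710, saving signalling.
        return {"result": "reject", "reason": "CAG ID verification failed",
                "authenticated": False, "allowed": set()}
    # Steps 709-710 and mutual authentication are assumed to succeed here.
    # The AMF re-checks against List 2 (received from the gNB or pre-configured):
    # it cannot trust that the UE drew its group from the cell's List 2.
    second = third & set(list_2)
    if not second:
        return {"result": "reject", "reason": "CAG ID verification failed",
                "authenticated": True, "allowed": set()}
    return {"result": "accept", "reason": "", "authenticated": True, "allowed": second}
```

Running `register` for the three constructed SUPIs shows the accept path, the rejection that skips authentication entirely, and the case where a UE that sent List 1 without seeing List 2 is filtered by the AMF's second intersection.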
FIG. 10 is a schematic flowchart of a communication method provided by an embodiment of this application.
The UE may send the first matching group to the access network device in an encrypted AS message.
The UE is configured with List 1, which includes the CAG IDs that the UE supports accessing.
In step 601, the access network device sends List 2 to the UE. List 2 includes the CAG IDs supported by the cell covered by the access network device, the cell being the one, among the one or more cells covered by the access network device, in which the UE is located. The broadcast content may not be protected by encryption, so any device within the coverage of the access network device can obtain the information broadcast by the access network device.
Optionally, in step 601 the access network device sends the system information by unicast, and the system information includes List 2, which includes the CAG IDs supported by the cell. The unicast content may not be protected by encryption, so any device within the coverage of the access network device may obtain the unicast information of the access network device.
In step 602, the UE matches List 1 against List 2 to obtain the first matching group, which includes the CAG IDs common to List 1 and List 2. That is, the UE determines the first matching group, which includes at least one CAG ID, and each CAG ID in the first matching group belongs to both List 1 and List 2. The CAG IDs in the first matching group may be called matched CAG IDs (selected matching CAG IDs).
In step 603, the UE sends a registration request message, which includes the SUCI, to the access network device.
Before step 603, the UE computes the SUCI, which is an encapsulation of the permanent identity SUPI so that an attacker cannot obtain the SUPI by eavesdropping on the air interface. The SUPI is the permanent identity of the UE; in other words, the UE encrypts the SUPI to obtain the SUCI.
The SUCI may include one or more of the SUPI type, a routing indicator, a protection scheme identifier and a home network public key identifier. The routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier indicates the protection scheme used for the SUCI, that is, the scheme used to encrypt the SUPI. The routing indicator may be used to indicate the UDM network element that is able to serve the UE.
Optionally, the UE sends first indication information to the access network device. The first indication information indicates that the UE requests access to the CAG.
The first indication information that the UE may send to the access network device indicates that the UE requests access to the CAG. Because the registration-related information in the RR message is sent by the UE to the AMF network element, the access network device only forwards that information and cannot interpret it. By sending the first indication information to the access network device, the UE can therefore indicate to the access network device that it should perform the procedure corresponding to the UE's request to access the CAG.
Optionally, the first indication information is carried in the registration request message or in another message. For example, the first indication information may be sent in a radio resource control (RRC) message. The first indication information may take several forms: for example, it may include List 2 as received by the UE, or it may occupy a field of the registration request message.
In step 604, the access network device sends the registration request message, which includes the SUCI, to the AMF network element. The registration request message may be sent over the N2 interface between the access network device and the AMF network element, that is, it may be an N2 message.
Optionally, the access network device may send second indication information to the AMF network element. For example, if the access network device receives the first indication information, it sends the second indication information to the AMF network element. The second indication information indicates that the UE requests access to the CAG service.
第二指示信息可以承载在注册请求消息中。第二指示信息也可以承载在其他消息中。The second indication information may be carried in the registration request message. The second indication information may also be carried in other messages.
可选地,接入网设备可以向AMF网元发送列表2。第二指示信息可以包括列表2。Optionally, the access network device may send List 2 to the AMF network element. The second indication information may include List 2.
在步骤605,AMF网元向AUSF发送SUCI。SUCI可以承载在第一身份认证请求消息中。第一身份认证请求消息可以是Nausf_UEAuthentication_Authenticate Request消息。In step 605, the AMF network element sends SUCI to AUSF. The SUCI may be carried in the first identity authentication request message. The first identity authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
可选的,AMF可以接收第二指示信息和/或列表2。Optionally, the AMF may receive the second indication information and/or List 2.
在步骤606,AUSF网元向UDM/SIDF网元发送SUCI。SUCI可以承载在第二身份认证请求消息种中。第二身份认证请求消息种可以是Nudm_UEAuthentication_Get Request消息。In step 606, the AUSF network element sends SUCI to the UDM/SIDF network element. SUCI can be carried in the second identity authentication request message. The second identity authentication request message type may be a Nudm_UEAuthentication_Get Request message.
在步骤607,UDM/SIDF网元对SUCI解密以得到SUPI,并执行认证算法选择,根据选择的认证算法生成认证向量。In step 607, the UDM/SIDF network element decrypts SUCI to obtain SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.
步骤608为认证流程,用于UE的身份认证。Step 608 is an authentication process, which is used for identity authentication of the UE.
具体地,UDM/SIDF网元向AUSF网元发送认证向量。认证向量可以承载在身份认证回复消息中。身份认证回复消息可以是Nudm_UEAuthentication_Get ReSponse消息。Specifically, the UDM/SIDF network element sends the authentication vector to the AUSF network element. The authentication vector can be carried in the identity authentication reply message. The identity authentication reply message may be a Nudm_UEAuthentication_Get Response message.
UE与AUSF网元进行双向认证。AUSF生成并向SEAF网元发送密钥KSEAF。SEAF网元根据密钥KSEAF生成密钥KAMF,并向UE发送KSI,KSI用于指示密钥KAMF。 UE根据KSI可以确定密钥KAMF。SEAF向AMF发送KAMF。这里SEAF可以与AMF独立部署,也可以单独部署。本申请实施例对上述UE与AUSF网元进行认证的步骤具体细节和流程不做限制。The UE and the AUSF network element perform mutual authentication. The AUSF generates and sends the key KSEAF to the SEAF network element. The SEAF network element generates the key KAMF according to the key KSEAF, and sends KSI to the UE. The KSI is used to indicate the key KAMF. The UE can determine the key KAMF according to the KSI. SEAF sends KAMF to AMF. Here SEAF can be deployed independently from AMF, or separately. The embodiment of the application does not limit the specific details and procedures of the authentication steps between the UE and the AUSF network element.
通过上述步骤,AMF网元与UE共享密钥KAMF。Through the above steps, the AMF network element and the UE share the key KAMF.
In steps 809-810a, the access network device and the UE establish access stratum security mode (AS SM).
Before step 809, the AMF computes the key KgNB and sends it to the access network device. KgNB is derived from the key KAMF. From KgNB, the UE and the access network device can derive the integrity key and the confidentiality key used between them, and thereby apply integrity protection and confidentiality protection to the messages exchanged between the UE and the access network device. Confidentiality protection means that the sender of the information encrypts it and the receiver decrypts it.
In step 809, the access network device sends an AS security mode command message to the UE. The AS security mode command message is integrity protected.
In step 810a, the UE sends an AS security mode complete message to the access network device. The AS security mode complete message is confidentiality and integrity protected.
Optionally, the AS security mode complete message may include the first matching group. In that case the first matching group is sent to the access network device in encrypted form, and step 611 may be omitted.
Through steps 809-810a, the UE and the access network device establish a security context via the AS SMC procedure, so that messages between the access network device and the UE can be transmitted encrypted. Under AS security mode, messages between the AMF network element and the UE can have integrity protection and confidentiality protection.
Alternatively, if the AS security mode complete message does not include the first matching group, the first matching group is sent in step 810b. Step 810b is performed after the UE and the access network device have established the AS security context through the AS SMC procedure.
In step 810b, the UE sends the first matching group to the AMF in an uplink (UL) AS message. That is, the first matching group is sent under the protection of the AS security context.
Before step 814, the access network device decrypts the first matching group received in the AS security mode complete message or in the uplink AS message protected by the AS security context. The access network device decrypts it using the AS security context to obtain the decrypted first matching group.
In some embodiments, before step 814, the access network device may check the first matching group.
Optionally, the access network device may match the first matching group against List 2, removing from the first matching group any CAG ID that is not in List 2, to obtain a new first matching group.
Optionally, the access network device receives the first matching group sent by the UE and determines whether the CAG IDs in the first matching group are in List 2, the list of CAG IDs supported by the access network device. If the first matching group belongs to List 2, that is, the first matching group is contained in List 2, the access network device sends the first matching group to the AMF network element. Otherwise, the access network device does not send the first matching group and, optionally, rejects the UE's access.
In other embodiments, the AMF network element may match the first matching group against List 2.
List 2 may be pre-configured in the AMF network element. Alternatively, the AMF network element may receive List 2 from the access network device; for example, in step 604 the access network device sends List 2 to the AMF network element. The AMF network element can then match List 2, List 3 and the first matching group, that is, determine a second matching group comprising the CAG IDs common to List 2, List 3 and the first matching group.
Alternatively, neither the access network device nor the AMF performs matching of the first matching group against List 2.
In step 814, the UE sends the decrypted first matching group to the AMF network element. The decrypted first matching group may be the first matching group after the check. The second matching group may be sent in an N2 message. The second matching group includes the identifiers of the CAGs that the UE is allowed to access.
In step 612, the AMF network element receives List 3 from the UDM network element. List 3 includes the CAG IDs that the network side allows the UE to access. The AMF network element may receive subscription data sent by the UDM network element, the subscription data including List 3.
The order of step 814 and step 612 is not limited in the embodiments of this application.
Optionally, before step 612, the AMF network element may send a subscription data request to the UDM network element and obtain the subscription data corresponding to the UE from the UDM network element. The subscription data includes List 3, which includes the CAG IDs that the network side allows the UE to access.
In step 613, the AMF matches List 3 against the first matching group to determine whether a second matching group exists. List 3 includes the CAG IDs in the second matching group, and the first matching group includes the CAG IDs in the second matching group. That is, the AMF takes the CAG IDs common to List 3 and the first matching group as the CAG IDs of the second matching group.
If a second matching group exists, the UE is allowed to access the CAG services corresponding to the CAG IDs in the second matching group.
In step 615, the AMF network element sends a registration reply message to the UE. The registration reply message may be a registration accept message or a registration reject message.
If the UE is allowed access, the AMF network element sends a registration accept message to the UE. Optionally, the AMF network element sends the second matching group, that is, the CAG IDs that the UE is allowed to access, to the UE.
If the UE is not allowed access, the AMF network element sends a registration reject message to the UE. Optionally, the registration reject message includes verification failure indication information, which indicates that the CAG ID verification did not pass. The verification failure indication information may indicate the reason for the registration rejection, namely that the CAG ID verification failed.
Optionally, the registration reply message may be a downlink NAS message sent by the AMF to the UE.
In other embodiments, the first matching group may also be encrypted with another public key of the access network device. The public key of the access network device may be pre-configured in the UE, or the UE may receive the public key sent by the access network device; for example, the access network device may broadcast its public key.
Optionally, before step 810a, the UE may receive protection indication information, which instructs the UE to send the first matching group in encrypted form.
Because the UE sends the encrypted first matching group under AS SM, or sends it in the AS SMC complete message, information leakage can be prevented, while the impact on the procedure by which the UE accesses the CAG is small.
FIG. 11 is a schematic flowchart of a communication method provided by an embodiment of this application.
During the procedure in which the UE accesses a CAG, after the UE receives a registration reject message it deletes the CAG IDs of the first matching group from List 1. If an attacker can forge registration reject messages, then by forging several such messages the attacker may cause the UE to empty List 1. Once List 1 is empty, the UE cannot use the CAG service.
If the verification at the AMF network element or the UDM network element fails, that is, there is no CAG ID that the UE is allowed to access, the AMF needs to send a registration reject message to the UE.
When the AMF network element determines that there is no CAG ID the UE is allowed to access, the AMF network element sends a registration reject message to the UE.
When the UDM network element determines that there is no CAG ID the UE is allowed to access, the UDM network element sends verification failure information to the AMF network element, and the AMF network element sends a registration reject message to the UE according to that verification failure information.
After the UE identity authentication is completed, the UE and the AMF network element share the key KAMF.
If the establishment of NAS SM has been completed, a security context between the UE and the AMF network element, namely the NAS security context, has been established. The AMF network element can then send the registration reject message to the UE in a NAS message protected by the NAS security context. Messages protected by the NAS security context have confidentiality protection, which defends against an attacker. Alternatively, the AMF network element may send the registration reject message to the UE through steps 901-902.
In addition, regardless of whether the NAS security context has been established, the AMF network element may send the registration reject message to the UE through steps 901-902.
Before step 901, UE identity authentication has been performed, and the UE and the AMF network element share the key KAMF.
In step 901, the AMF network element determines that the verification has failed and computes a MAC.
Before step 901, the AMF network element may receive a verification failure message sent by the UDM and determine from it that the verification has failed. Alternatively, the AMF network element may itself perform the verification and determine that it has failed. For verification by the AMF, see FIG. 2, FIG. 7 and FIG. 9.
The AMF network element first computes the MAC based on the key KAMF.
A MAC, or message authentication code (several equivalent names are in use), is a short piece of information produced by a specific algorithm that is used to check the integrity of a message. A MAC can be used for authentication: it can be used to check whether the content was altered during transmission, and at the same time it authenticates the origin of the message, confirming its source.
The AMF network element computes the MAC using a message authentication code function.
The input parameters of the message authentication code function include the key KAMF, and may further include at least one of the following: rejection indication information, ngKSI, the NAS uplink counter, the NAS downlink counter, the first matching group, the anti-bidding down between architectures (ABBA) parameter, the AMF ID, the AMF set ID, the SUCI, the SUPI, a freshness parameter randomly chosen by the AMF, the serving network identifier, and so on. The freshness parameter randomly chosen by the AMF may be, for example, a random number such as a nonce (number used once). The serving network identifier is the serving network in which the AMF is located. The first matching group includes the CAG IDs that the UE requested access to. The rejection indication information indicates the reason for the registration rejection, for example that the identifier check of the CAG the UE requested access to failed, or simply that the UE's registration request was rejected. The reason for rejection may also be another verification failure, an authentication failure, and so on.
In step 902, the AMF network element sends a registration reject message to the UE.
The registration reject message includes the MAC.
The registration reject message may also include the rejection indication information.
The registration reject message may also include the ngKSI, which identifies KAMF.
The registration reject message may also include at least one of the input parameters of the message authentication code function other than KAMF. For example, the registration reject message may include at least one of the following: the NAS uplink counter, the NAS downlink counter, the first matching group, the anti-bidding down between architectures (ABBA) parameter, the AMF ID, the AMF set ID, the SUCI, the SUPI, the freshness parameter randomly chosen by the AMF, the serving network identifier, and so on. The first matching group is determined by the UE from List 1, the CAG IDs configured for the UE, and List 2, the CAG IDs supported by the access network device; it comprises the CAG IDs common to List 1 and List 2.
The AMF network element may also send input parameters of the message authentication code function to the UE in other messages; for example, during the identity authentication procedure the AMF network element sends the ngKSI to the UE.
The UE may also already hold input parameters of the message authentication code function. After determining the first matching group, the UE stores it; the UE may also store the SUCI, the SUPI, and so on. The AMF may send to the UE those input parameters of the message authentication code function that the UE does not already hold.
After step 902, the UE verifies the MAC: the UE computes the MAC from the message authentication code function and its input parameters.
The UE determines whether the verification passes by comparing the computed MAC with the MAC in the registration reject message.
If the UE determines that the computed MAC is the same as the MAC in the registration reject message, the verification passes, and the UE may delete the first matching group from List 1, the CAG IDs configured for the UE.
If the UE determines that the computed MAC differs from the MAC in the registration reject message, the verification fails, and the UE determines that the registration reject message is forged.
Through steps 901-902, the AMF network element sends a MAC, and the UE can use the MAC to determine whether the registration reject message is genuine, preventing an attacker from modifying or forging registration reject messages.
FIG. 12 is a schematic flowchart of a communication method provided by an embodiment of this application.
During the procedure in which the UE accesses a CAG, after the UE receives a registration reject message it deletes the CAG IDs of the first matching group from List 1. If an attacker can forge registration reject messages, then by forging several such messages the attacker may cause the UE to empty List 1. Once List 1 is empty, the UE cannot use the CAG service.
When the AMF/UDM network element determines that the verification fails, steps 1001-1003 are performed.
In step 1001, the AMF/UDM network element computes a digital signature.
In step 1002, the AMF/UDM network element sends the digital signature to the UE.
In the case where the UDM performs the verification and the verification fails, the digital signature may be computed from the private key of the home network and the rejection indication information. For verification by the UDM, see FIG. 9.
Optionally, the UDM computes the digital signature using a digital signature function. The input parameters of the digital signature function include the home network private key, and may further include at least one of the following: the first matching group, the SUCI, the SUPI, a freshness parameter randomly chosen by the UDM (a nonce, random number, etc.), the serving network identifier (the serving network in which the AMF is located), the home network identifier, and the rejection indication information. The first matching group includes the CAG IDs that the UE requested access to. The rejection indication information indicates the reason for the registration rejection, for example that the identifier check of the CAG the UE requested access to failed, or that authentication failed.
The UDM network element sends the digital signature to the UE. The digital signature may be forwarded by the AMF network element and/or the AUSF network element.
Optionally, the UDM network element may send rejection indication information to the AMF network element to indicate the verification failure. The AMF then sends a registration reject message to the UE, carrying the digital signature sent by the UDM.
The UE receives the registration reject message. The UE may verify the digital signature, that is, check its correctness, using the rejection indication information corresponding to each possible rejection reason. Alternatively, the UE may verify the digital signature using the rejection indication information it received.
Optionally, the UDM network element may also send the identifier of the key used for signing to the UE via the AMF and/or the AUSF. Optionally, the UDM network element may also send a public key identifier, so that the UE can determine from it the public key corresponding to the digital signature.
Optionally, the UDM network element may also send an algorithm indication, from which the UE can determine the algorithm used to compute the digital signature.
Optionally, the parameters sent by the UDM network element may further include at least one of the following: the SUCI, the SUPI, the freshness parameter randomly chosen by the UDM (a nonce, random number, etc.), the serving network identifier (the serving network in which the AMF is located), the home network identifier, the rejection indication information, and so on. The UDM and/or AMF network element may also send other parameters that the UE does not hold, so that the UE can verify the MAC correctly.
In the case where the AMF network element performs the verification and the verification fails, a digital signature over the rejection indication information may be computed from the AMF's private key.
For verification by the AMF network element, see FIG. 2, FIG. 8 and FIG. 10. If the AMF verification fails, the AMF may compute the digital signature from the AMF's private key and the rejection indication information.
Optionally, the AMF computes the digital signature using a digital signature function. The input parameters of the digital signature function include the private key held by the AMF, and may further include at least one of the following: the first matching group, the SUCI, the SUPI, a freshness parameter randomly chosen by the AMF (a nonce, random number, etc.), the serving network identifier (the serving network in which the AMF is located), the AMF public key identifier, and the rejection indication information.
In step 1002, the AMF network element sends a registration reject message to the UE.
The registration reject message includes the digital signature.
The registration reject message may also include the rejection indication information.
The registration reject message may also include the identifier of the key used to compute the digital signature; from the key identifier the UE can determine the corresponding AMF public key and thereby verify the digital signature.
The registration reject message may also include at least one of the input parameters of the digital signature function other than the AMF public key. For example, the registration reject message may include at least one of the following: the first matching group, the SUCI, the SUPI, the freshness parameter randomly chosen by the UDM (a nonce, random number, etc.), the freshness parameter randomly chosen by the AMF (a nonce, random number, etc.), the serving network identifier (the serving network in which the AMF is located), the AMF public key identifier, and the rejection indication information.
In step 1003, the UE verifies the correctness of the digital signature.
The UE receives the digital signature and verifies it. If the verification passes, the UE determines that it is not allowed to access the CAGs corresponding to the CAG IDs in the first matching group.
The UE holds the public key of the home network. The way in which the UE obtains the home network public key is not limited.
If the verification passes, the UE may delete the first matching group from List 1, the CAG IDs configured for the UE.
If the verification fails, the UE determines that the registration reject message is forged.
Through steps 1001-1003, the AMF/UDM network element sends a digital signature, and the UE can use the digital signature to determine whether the registration reject message is genuine, preventing an attacker from modifying or forging registration reject messages and thereby protecting the rejection indication information.
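As an added example (not code from the patent), the reject-message protection of steps 901-902 (MAC with KAMF) and steps 1001-1003 (digital signature), together with the UE-side List 1 update, in Go. It assumes HMAC-SHA256 as the message authentication code function, Ed25519 as the digital signature function and a fixed length-prefixed encoding of the parameters (RejectParams); the patent names the candidate inputs but fixes none of these choices.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// RejectParams holds reject-message inputs named on the page; field choice and encoding are assumptions.
type RejectParams struct {
	RejectCause      uint8    // rejection indication, e.g. "CAG ID check failed"
	NgKSI            uint8    // identifies which KAMF is in use
	NASDownlinkCount uint32   // NAS downlink counter, replay protection
	FirstMatchGroup  []uint32 // CAG IDs the UE asked for (List 1 ∩ List 2)
	Nonce            [16]byte // freshness value chosen by the sender
	ServingNetwork   string   // serving network identifier of the AMF
}

// encode serialises the parameters in a fixed, length-prefixed layout so that
// sender and UE authenticate exactly the same bytes.
func (p RejectParams) encode() []byte {
	var b bytes.Buffer
	b.WriteByte(p.RejectCause)
	b.WriteByte(p.NgKSI)
	binary.Write(&b, binary.BigEndian, p.NASDownlinkCount)
	binary.Write(&b, binary.BigEndian, uint16(len(p.FirstMatchGroup)))
	for _, id := range p.FirstMatchGroup {
		binary.Write(&b, binary.BigEndian, id)
	}
	b.Write(p.Nonce[:])
	binary.Write(&b, binary.BigEndian, uint16(len(p.ServingNetwork)))
	b.WriteString(p.ServingNetwork)
	return b.Bytes()
}

// RejectMAC is the AMF side of step 901: a MAC over the reject parameters keyed
// with KAMF. HMAC-SHA256 is this example's choice of MAC function.
func RejectMAC(kAMF []byte, p RejectParams) []byte {
	m := hmac.New(sha256.New, kAMF)
	m.Write(p.encode())
	return m.Sum(nil)
}

// VerifyRejectMAC is the UE side of step 902: recompute with the shared KAMF
// and compare in constant time.
func VerifyRejectMAC(kAMF []byte, p RejectParams, mac []byte) bool {
	return hmac.Equal(mac, RejectMAC(kAMF, p))
}

// RejectSignature is the UDM/AMF side of step 1001: the same parameters signed
// with the network's private key (Ed25519 assumed here).
func RejectSignature(priv ed25519.PrivateKey, p RejectParams) []byte {
	return ed25519.Sign(priv, p.encode())
}

// VerifyRejectSignature is the UE side of step 1003, using the home network or
// AMF public key that the UE holds.
func VerifyRejectSignature(pub ed25519.PublicKey, p RejectParams, sig []byte) bool {
	return ed25519.Verify(pub, p.encode(), sig)
}

// ApplyReject is the UE's List 1 update: only a reject that authenticated is
// acted on, by removing the first matching group from List 1. A forged reject
// (authentic == false) leaves List 1 untouched, so it cannot be emptied by forgery.
func ApplyReject(list1 []uint32, p RejectParams, authentic bool) []uint32 {
	if !authentic {
		return list1
	}
	drop := make(map[uint32]bool, len(p.FirstMatchGroup))
	for _, id := range p.FirstMatchGroup {
		drop[id] = true
	}
	kept := make([]uint32, 0, len(list1))
	for _, id := range list1 {
		if !drop[id] {
			kept = append(kept, id)
		}
	}
	return kept
}

func main() {
	// Constructed demo values: a 32-byte KAMF shared by UE and AMF.
	kAMF := bytes.Repeat([]byte{0x42}, 32)
	list1 := []uint32{11, 22, 33, 44} // CAG IDs configured for the UE
	p := RejectParams{RejectCause: 1, NgKSI: 3, NASDownlinkCount: 7,
		FirstMatchGroup: []uint32{11, 22}, ServingNetwork: "example-snn"}
	mac := RejectMAC(kAMF, p)
	list1 = ApplyReject(list1, p, VerifyRejectMAC(kAMF, p, mac))
	fmt.Println("after genuine reject:", list1) // [33 44]
	forged := p // a reject that reuses the MAC but names the remaining IDs
	forged.FirstMatchGroup = []uint32{33, 44}
	list1 = ApplyReject(list1, forged, VerifyRejectMAC(kAMF, forged, mac))
	fmt.Println("after forged reject: ", list1) // still [33 44]
}
```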
The method embodiments of the present application have been described above with reference to FIG. 1 to FIG. 12; the apparatus embodiments of the present application are described below with reference to FIG. 13 to FIG. 18. It should be understood that the description of the method embodiments and the description of the apparatus embodiments correspond to each other, so parts not described in detail may be found in the preceding method embodiments.
FIG. 13 is a schematic structural diagram of a user equipment according to an embodiment of the present application. The user equipment 1300 includes an encryption module 1310 and a transceiver module 1320.
The encryption module 1310 is configured to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, where the first group list includes the identifiers of one or more groups to which the UE requests access.
The transceiver module 1320 is configured to send the encrypted first group list.
Optionally, the transceiver module 1320 is configured to send the encrypted first group list to the first network device in a NAS security mode (SM) complete message.
Optionally, the transceiver module 1320 is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
Optionally, the transceiver module 1320 is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code.
The user equipment 1300 further includes a verification module, configured to verify the registration rejection message according to the message verification code.
FIG. 14 is a schematic structural diagram of a network device according to an embodiment of the present application. The network device 1400 includes a transceiver module 1410, a decryption module 1420 and a determining module 1430.
The transceiver module 1410 is configured to receive an encrypted first group list sent by the user equipment (UE), where the first group list includes the identifiers of one or more groups to which the UE requests access.
The decryption module 1420 is configured to decrypt the encrypted first group list to obtain the first closed access service identifier group.
The determining module 1430 is configured to determine the subscription group list stored by the UDM network element.
The determining module 1430 is further configured to determine a second group list according to the first group list and the subscription group list, where the second group list includes the identifiers of the groups that the UE is allowed to access.
The transceiver module 1410 is further configured to send the second group list to the access network device when the second group list exists.
Optionally, the transceiver module 1410 is configured to receive the encrypted first group list sent by the UE in a non-access stratum (NAS) security mode (SM) complete message.
Optionally, the network device 1400 further includes a calculation module, configured to calculate a message verification code according to the shared key between the UE and the first network device when no second group list exists.
The transceiver module 1410 is further configured to send a registration rejection message to the access network device, where the message verification code is used by the UE to verify the registration rejection message.
Optionally, the transceiver module 1410 is further configured to receive a third group list sent by the access network device, where the third group list includes the identifiers of the groups supported by the access network device.
The determining module 1430 is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
FIG. 15 is a schematic structural diagram of an access network device according to an embodiment of the present application. The access network device 1500 includes a transceiver module 1510 and a generating module 1520.
The transceiver module 1510 is configured to receive an encrypted first group list sent by the user equipment (UE), where the first closed access service identifier group includes the identifiers of one or more groups to which the UE requests access.
The transceiver module 1510 is further configured to send the encrypted first group list.
The transceiver module 1510 is further configured to receive a second group list sent by the first network device, where the second group list includes the identifiers of one or more groups that the UE is allowed to access.
The generating module 1520 is configured to generate quality of service (QoS) information for the one or more groups according to the identifiers of the one or more groups.
The transceiver module 1510 is further configured to send the QoS information to the UE.
FIG. 16 is a schematic structural diagram of a network device according to an embodiment of the present application. The network device 1600 includes a processor 1610 and a communication interface 1620.
The communication interface 1620 is configured to receive an encrypted first group list sent by the user equipment (UE), where the first group list includes the identifiers of one or more groups to which the UE requests access.
The processor 1610 is configured to decrypt the encrypted first group list to obtain the first closed access service identifier group.
The processor 1610 is further configured to determine the subscription group list stored by the UDM network element.
The processor 1610 is further configured to determine a second group list according to the first group list and the subscription group list, where the second group list includes the identifiers of the groups that the UE is allowed to access.
The communication interface 1620 is configured to send the second group list to the access network device when the second group list exists.
Optionally, the communication interface 1620 is configured to receive the encrypted first group list sent by the UE in a non-access stratum (NAS) security mode (SM) complete message.
Optionally, the processor 1610 is further configured to calculate a message verification code according to the shared key between the UE and the first network device when no second group list exists.
The communication interface 1620 is further configured to send a registration rejection message to the access network device, where the message verification code is used by the UE to verify the registration rejection message.
Optionally, the communication interface 1620 is further configured to receive a third group list sent by the access network device, where the third group list includes the identifiers of the groups supported by the access network device.
The processor 1610 is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
FIG. 17 is a schematic structural diagram of a user equipment according to an embodiment of the present application. The user equipment 1700 includes a processor 1710 and a communication interface 1720.
The processor 1710 is configured to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, where the first group list includes the identifiers of one or more groups to which the UE requests access.
The communication interface 1720 is configured to send the encrypted first group list.
Optionally, the communication interface 1720 is configured to send the encrypted first group list to the first network device in a NAS security mode (SM) complete message.
Optionally, the communication interface 1720 is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
Optionally, the communication interface 1720 is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code.
The processor 1710 is further configured to verify the registration rejection message according to the message verification code.
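The following is an added example, not code from the patent application or from any 3GPP implementation. It models in one place the behaviour described for steps 1001 to 1003 above and for the network device 1600 and user equipment 1700: the first network device (AMF) either derives a second group list or, when none exists, sends a registration rejection message protected by a message verification code, and the UE accepts the rejection only when that code verifies. HMAC-SHA256 over a canonical encoding stands in for the code computed from the shared key (the digital signature variant of step 1003 follows the same accept/reject logic with the home network public key); the field names, the sample CAG identifiers, the shared key and the composition of the first matching group are constructed assumptions.

```python
# Added example, not code from the patent application or any 3GPP implementation.
# It models the first network device (AMF) deciding between sending a second
# group list and sending a protected registration rejection message, and the
# UE verifying that message. HMAC-SHA256 over a canonical encoding stands in
# for the "message verification code computed from the shared key"; the field
# names, the sample CAG identifiers and the shared key are constructed here.
import hashlib
import hmac
import json


def determine_second_group_list(first_list, subscription_list, third_list=None):
    """Second group list: identifiers from the UE's first group list that are in
    the UDM subscription list and, when the access network device supplied a
    third group list, are also supported by it. Order of the first list is kept."""
    allowed = set(subscription_list)
    if third_list is not None:
        allowed &= set(third_list)
    return [cag for cag in first_list if cag in allowed]


def encode_fields(fields):
    """Canonical byte encoding so the AMF and the UE compute the code over the
    same input (key order and whitespace must not influence the code)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def message_verification_code(shared_key, fields):
    """Message verification code over the rejection message fields."""
    return hmac.new(shared_key, encode_fields(fields), hashlib.sha256).hexdigest()


def amf_handle_first_group_list(shared_key, first_list, subscription_list,
                                third_list=None, serving_network="sn-constructed",
                                amf_nonce="00112233445566778899aabbccddeeff"):
    """Returns ("SECOND_GROUP_LIST", list) for the access network device, or
    ("REGISTRATION_REJECT", (fields, code)) when no requested group is allowed."""
    second_list = determine_second_group_list(first_list, subscription_list, third_list)
    if second_list:
        return "SECOND_GROUP_LIST", second_list
    # Assumption: the first matching group carried in the rejection is the set
    # of requested identifiers that the access network device supports.
    first_matching_group = [cag for cag in first_list
                            if third_list is None or cag in third_list]
    fields = {
        "message": "REGISTRATION_REJECT",
        "first_matching_group": first_matching_group,
        "serving_network": serving_network,   # serving network of the AMF
        "amf_nonce": amf_nonce,               # AMF-selected freshness parameter
        "reject_indication": "CAG_NOT_ALLOWED",
    }
    return "REGISTRATION_REJECT", (fields, message_verification_code(shared_key, fields))


def ue_verify_registration_reject(shared_key, fields, code, cag_id_list_1):
    """UE side: recompute the code over the received fields. On success the
    first matching group is removed from CAG ID list 1; on failure the message
    is treated as forged and the configured list is left untouched."""
    expected = message_verification_code(shared_key, fields)
    if not hmac.compare_digest(expected, code):
        return False, list(cag_id_list_1)
    removed = set(fields["first_matching_group"])
    return True, [cag for cag in cag_id_list_1 if cag not in removed]


if __name__ == "__main__":
    key = b"constructed-shared-key-derived-from-the-NAS-context"
    ue_cag_list_1 = ["cag-1", "cag-2", "cag-3"]
    # The UE requests all three, the RAN supports the first two, the UDM
    # subscription holds none of them: no second group list exists.
    kind, (fields, code) = amf_handle_first_group_list(
        key, ue_cag_list_1, ["cag-9"], ["cag-1", "cag-2"])
    print(kind, ue_verify_registration_reject(key, fields, code, ue_cag_list_1))
    # A rejection whose first matching group was altered in transit fails the
    # check, so the UE keeps its CAG ID list 1 unchanged.
    forged = dict(fields, first_matching_group=["cag-3"])
    print(ue_verify_registration_reject(key, forged, code, ue_cag_list_1))
```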
FIG. 18 is a schematic structural diagram of an access network device according to an embodiment of the present application. The access network device 1800 includes a communication interface 1810.
The communication interface 1810 is configured to receive an encrypted first group list sent by the user equipment (UE), where the first closed access service identifier group includes the identifiers of one or more groups to which the UE requests access.
The communication interface 1810 is further configured to send the encrypted first group list.
The communication interface 1810 is further configured to receive a second group list sent by the first network device, where the second group list includes the identifiers of one or more groups that the UE is allowed to access.
The communication interface 1810 is further configured to send quality of service (QoS) information for the one or more groups to the UE.
Optionally, the access network device 1800 includes a processor, configured to generate the QoS information for the one or more groups according to the second group list.
An embodiment of the present application provides a computer program storage medium having program instructions; when the program instructions are executed, the functions of any one of the first network device, the access network device and the user equipment in the methods above are implemented.
An embodiment of the present application provides a chip comprising at least one processor; when program instructions are executed by the at least one processor, the functions of any one of the first network device, the access network device and the user equipment in the methods above are implemented.
An embodiment of the present application provides a communication system comprising the first network device, the user equipment and the access network device described above.
A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described in combination with the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are executed in hardware or in software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementation should not be considered to go beyond the scope of the present application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The above are merely specific implementations of the present application, but the protection scope of the present application is not limited thereto. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (20)
- A communication method, comprising: a first network device receiving an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups to which the UE requests access; the first network device decrypting the encrypted first group list to obtain a first closed access service identifier group; the first network device determining a subscription group list stored by a unified data management (UDM); the first network device determining a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; and, when the second group list exists, the first network device sending the second group list to the access network device.
- The method according to claim 1, wherein the first network device receiving the encrypted first group list sent by the UE comprises: the first network device receiving the encrypted first group list sent by the UE in a non-access stratum (NAS) security mode (SM) complete message; or the first network device receiving the encrypted first group list sent by the UE in an uplink NAS message protected by a NAS security context.
- The method according to claim 1 or 2, further comprising: when the second group list does not exist, the first network device calculating a message verification code according to a shared key between the UE and the first network device; and the first network device sending a registration rejection message to the access network device, the message verification code being used by the UE to verify the registration rejection message.
- The method according to any one of claims 1 to 3, further comprising: the first network device receiving a third group list sent by the access network device, the third group list including the identifiers of the groups supported by the access network device; wherein the first network device determining the second group list according to the first group list and the subscription group list comprises: the first network device determining the second group list according to the first group list, the third group list and the subscription group list.
- A communication method, comprising: a user equipment (UE) encrypting a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups to which the UE requests access; and the UE sending the encrypted first group list.
- The method according to claim 5, wherein the UE sending the encrypted first group list comprises: the UE sending the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or the UE sending the encrypted first group list in an uplink NAS message protected by the NAS security context.
- The method according to claim 5 or 6, further comprising: the UE receiving a registration rejection message sent by a first network device, the registration rejection message including a message verification code; and the UE verifying the registration rejection message according to the message verification code.
- A communication method, comprising: an access network device receiving an encrypted first group list sent by a user equipment (UE), the first closed access service identifier group including the identifiers of one or more groups to which the UE requests access; the access network device sending the encrypted first group list; the access network device receiving a second group list sent by a first network device, the second group list including the identifiers of one or more groups that the UE is allowed to access; and the access network device sending quality of service (QoS) information for the one or more groups to the UE.
- A network device, comprising a processor and a communication interface, wherein: the communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups to which the UE requests access; the processor is configured to decrypt the encrypted first group list to obtain a first closed access service identifier group; the processor is further configured to determine a subscription group list stored by a unified data management (UDM) network element; the processor is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; and the communication interface is further configured to send the second group list to the access network device when the second group list exists.
- The network device according to claim 9, wherein the communication interface is configured to receive the encrypted first group list sent by the UE in a non-access stratum (NAS) security mode (SM) complete message.
- The network device according to claim 9 or 10, wherein: the processor is further configured to calculate a message verification code according to a shared key between the UE and the first network device when the second group list does not exist; and the communication interface is further configured to send a registration rejection message to the access network device, the message verification code being used by the UE to verify the registration rejection message.
- The network device according to any one of claims 9 to 11, wherein: the communication interface is further configured to receive a third group list sent by the access network device, the third group list including the identifiers of the groups supported by the access network device; and the processor is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
- A user equipment, comprising a processor and a communication interface, wherein: the processor is configured to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups to which the UE requests access; and the communication interface is configured to send the encrypted first group list.
- The user equipment according to claim 13, wherein the communication interface is configured to send the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or the communication interface is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
- The user equipment according to claim 13 or 14, wherein: the communication interface is further configured to receive a registration rejection message sent by a first network device, the registration rejection message including a message verification code; and the processor is further configured to verify the registration rejection message according to the message verification code.
- An access network device, comprising a processor and a communication interface, wherein: the communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), the first closed access service identifier group including the identifiers of one or more groups to which the UE requests access; the communication interface is further configured to send the encrypted first group list; the communication interface is further configured to receive a second group list sent by a first network device, the second group list including the identifiers of one or more groups that the UE is allowed to access; and the communication interface is further configured to send quality of service (QoS) information for the one or more groups to the UE.
- A communication device, comprising a module for performing the method according to any one of claims 1 to 8.
- A computer program storage medium having program instructions which, when executed, cause the method according to any one of claims 1 to 8 to be performed.
- A chip comprising at least one processor, wherein when program instructions are executed by the at least one processor, the method according to any one of claims 1 to 8 is performed.
- A communication system, comprising the network device according to any one of claims 9 to 12, the user equipment according to any one of claims 13 to 15, and the access network device according to claim 16.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910511766.9A CN112087724A (en) | 2019-06-13 | 2019-06-13 | Communication method, network equipment, user equipment and access network equipment |
CN201910511766.9 | 2019-06-13 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020248624A1 true WO2020248624A1 (en) | 2020-12-17 |
Family
ID=73733715
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/076975 WO2020248624A1 (en) | 2019-06-13 | 2020-02-27 | Communication method, network device, user equipment and access network device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN112087724A (en) |
WO (1) | WO2020248624A1 (en) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116746182A (en) * | 2021-01-08 | 2023-09-12 | 华为技术有限公司 | Secure communication method and apparatus |
CN114980076A (en) * | 2021-02-20 | 2022-08-30 | 华为技术有限公司 | Method and communication device for protecting identity privacy |
WO2022193220A1 (en) * | 2021-03-18 | 2022-09-22 | Zte Corporation | Method, device, and system for core network device re-allocation in wireless network |
CN115314841B (en) * | 2021-05-06 | 2024-07-30 | 华为技术有限公司 | Communication method and communication device |
CN115811728A (en) * | 2021-09-14 | 2023-03-17 | 华为技术有限公司 | Network element selection method, communication device and communication system |
CN114785544B (en) * | 2022-03-12 | 2024-07-02 | 海南电网有限责任公司 | Method for improving safety access service surface system of management surface system in network system |
CN117061141A (en) * | 2022-05-07 | 2023-11-14 | 维沃移动通信有限公司 | Privacy protection information processing method and device and communication equipment |
CN117295138B (en) * | 2023-10-17 | 2024-10-25 | 泸州卓远液压有限公司 | Control method and device for hydraulic equipment cluster |
CN117221884B (en) * | 2023-11-08 | 2024-02-23 | 深圳简谱技术有限公司 | Base station system information management method and system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008152611A1 (en) * | 2007-06-15 | 2008-12-18 | Nokia Corporation | Apparatus, method and computer program product providing transparent container |
CN101945390A (en) * | 2009-07-08 | 2011-01-12 | 华为技术有限公司 | Admission control method and device |
CN104469977A (en) * | 2014-09-10 | 2015-03-25 | 北京佰才邦技术有限公司 | Mobile communication method, device and system |
CN109716809A (en) * | 2016-09-23 | 2019-05-03 | 高通股份有限公司 | Access stratum safety for efficient packet transaction |
CN110536293A (en) * | 2019-08-15 | 2019-12-03 | 中兴通讯股份有限公司 | The methods, devices and systems of access closure access group |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8072953B2 (en) * | 2007-04-24 | 2011-12-06 | Interdigital Technology Corporation | Wireless communication method and apparatus for performing home Node-B identification and access restriction |
US8082000B2 (en) * | 2009-05-12 | 2011-12-20 | Motorola Mobility, Inc. | Method of selecting a private cell for providing communication to a communication device and a communication device |
CN102045648A (en) * | 2009-10-15 | 2011-05-04 | 中兴通讯股份有限公司 | Closed subscriber group white list transmitting method, device and system |
CN102056109A (en) * | 2010-12-28 | 2011-05-11 | 北京握奇数据系统有限公司 | Methods for group sending and returning short message services (SMSs) and telecom smart card |
US9986420B2 (en) * | 2014-07-08 | 2018-05-29 | Alcatel-Lucent Usa Inc. | Validating cell access mode |
CN109788474A (en) * | 2017-11-14 | 2019-05-21 | 华为技术有限公司 | Message protection method and device |
2019
- 2019-06-13 CN CN201910511766.9A patent/CN112087724A/en active Pending
2020
- 2020-02-27 WO PCT/CN2020/076975 patent/WO2020248624A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN112087724A (en) | 2020-12-15 |
Similar Documents
Publication | Title |
---|---|
WO2020248624A1 (en) | Communication method, network device, user equipment and access network device |
CN110830991B (en) | Secure session method and device |
US11856402B2 (en) | Identity-based message integrity protection and verification for wireless communication |
US11057775B2 (en) | Key configuration method, security policy determining method, and apparatus |
US10694376B2 (en) | Network authentication method, network device, terminal device, and storage medium |
US10455414B2 (en) | User-plane security for next generation cellular networks |
US9240881B2 (en) | Secure communications for computing devices utilizing proximity services |
KR101508576B1 (en) | Home node-b apparatus and security protocols |
CN107018676B (en) | Mutual authentication between user equipment and evolved packet core |
RU2708951C2 (en) | Method and device for binding subscriber authentication and device authentication in communication systems |
CN113395693B (en) | Encrypted IMSI-based scheme for 802.1x bearer hotspot and Wi-Fi call authentication |
JP5480890B2 (en) | Control signal encryption method |
JP2023539174A (en) | Privacy of relay selection in sliced cellular networks |
WO2019062996A1 (en) | Method, apparatus, and system for security protection |
JP2022502908A (en) | Systems and methods for securing NAS messages |
US10027636B2 (en) | Data transmission method, apparatus, and system |
US11082843B2 (en) | Communication method and communications apparatus |
US20200228977A1 (en) | Parameter Protection Method And Device, And System |
WO2012083873A1 (en) | Method, apparatus and system for key generation |
WO2022134089A1 (en) | Method and apparatus for generating security context, and computer-readable storage medium |
WO2022228455A1 (en) | Communication method and related apparatus |
CN114245372B (en) | Authentication method, device and system |
Rani et al. | Study on threats and improvements in LTE Authentication and Key Agreement Protocol |
CN116325840A (en) | Key derivation method, device and system thereof |
KR20100053407A (en) | Method of sharing security information |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20822940 Country of ref document: EP Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 20822940 Country of ref document: EP Kind code of ref document: A1 |