WO2020215272A1 - Communication method, communication apparatus and communication system - Google Patents
- Publication number: WO2020215272A1 (PCT/CN2019/084266)
- Authority: WIPO (PCT)
- Prior art keywords: network, terminal, mobility management, management function, security context
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- This application relates to the field of communication, and more specifically to communication methods, communication devices, and communication systems.
- A non-public network (NPN) is a network distinct from the public land mobile network (PLMN).
- An NPN is mainly used for specialized or private networks in vertical industries. It can be configured and deployed for the particular circumstances of each industry, and it can be deployed by the vertical industry itself or by a mobile operator.
- An NPN is itself a relatively independent network, but there may be a connection between the NPN and the PLMN. This deployment mode allows certain terminals in the NPN to access the PLMN through the NPN, or certain terminals in the PLMN to access the NPN through the PLMN.
- When the terminal accesses the PLMN through the NPN, it first registers with the NPN and is authenticated by the NPN in order to access the NPN. After the terminal has accessed the NPN, if it also wants to access the PLMN, it must perform a further registration and authentication with the PLMN (using the authentication method supported by the PLMN).
- When the terminal accesses the NPN through the PLMN, it first registers with the PLMN and is authenticated by the PLMN in order to access the PLMN. If the terminal also wants to access the NPN, it likewise has to go through the registration and authentication of the NPN (using the authentication method supported by the NPN).
- To address this, the present application provides a communication method, a communication device and a communication system with which the authentication process is saved, thereby avoiding wasted resources.
- In a first aspect, a communication method includes: a first mobility management function entity receives first information from a second mobility management function entity, the first information being used to request registration of a first terminal with the first network in which the first mobility management function entity is located; the first mobility management function entity obtains a first security context of the first terminal, the first security context being the security context between the first terminal and the second mobility management function entity; and the first mobility management function entity communicates with the first terminal according to the first security context.
- In a second aspect, a communication method includes: a second mobility management function entity receives first information from a first terminal, the first information being used to request registration of the first terminal with the first network in which a first mobility management function entity is located; the second mobility management function entity sends the first information to the first mobility management function entity; and the second mobility management function entity sends the security context of the first terminal to the first mobility management function entity.
- In this way, the second mobility management function entity sends the security context of the first terminal to the first mobility management function entity in the first network, so that the first mobility management function entity can communicate with the first terminal on the basis of that security context. When the first terminal registers with the first network, authentication therefore need not be performed, which saves network resources.
- the second mobility management function entity may be deployed in the second network.
- The first mobility management function entity communicating with the first terminal according to the first security context may include: the first mobility management function entity obtains a second security context according to the first security context, and communicates with the first terminal according to the second security context.
- The method may further include: the first mobility management function entity sends third information to the first terminal, the third information instructing the first terminal to update the first security context.
- the first mobility management function entity may send second information to the second mobility management function entity, where the second information is used to request the security context of the first terminal.
- the second mobility management function entity receives the second information, and in response to the second information, sends the first security context to the first mobility management function entity.
- the first mobility management function entity receives the first security context from the second mobility management function entity.
- The first mobility management function entity sends second information to the second mobility management function entity requesting the security context of the first terminal; that is, the second mobility management function entity sends the security context of the first terminal to the first mobility management function entity only when requested. This prevents the second mobility management function entity from sending an unnecessary security context to the first mobility management function network element, avoiding both leakage of the security context and waste of resources.
- the second network is a slice of the first network; or, the second network is a CAG group of the first network.
- the first network is a slice of the second network; or, the first network is a CAG group of the second network.
- the first network is NPN and the second network is PLMN; or, the first network is PLMN, and the second network is NPN.
- In a third aspect, a communication device includes a unit for executing the communication method of the first aspect.
- the units included in the communication device may be implemented in software and/or hardware.
- In a fourth aspect, a communication device includes a unit for executing the communication method of the second aspect.
- the units included in the communication device may be implemented in software and/or hardware.
- In a fifth aspect, a communication device includes at least one processor and a communication interface.
- The communication interface is used for information interaction between the communication device and other communication devices; when program instructions are executed by the at least one processor, the communication method of the first aspect is implemented.
- the communication device may also include a memory.
- the memory is used to store programs and data.
- the communication device may be a mobility management functional entity.
- In a sixth aspect, a communication device includes at least one processor and a communication interface.
- The communication interface is used for the communication device to exchange information with other communication devices; when program instructions are executed by the at least one processor, the communication method of the second aspect is implemented.
- the communication device may also include a memory.
- the memory is used to store programs and data.
- the communication device may be a mobility management functional entity.
- A computer-readable storage medium stores program code for execution by the communication device; the program code includes instructions for executing the communication methods of the above aspects.
- the computer-readable medium may store program code for execution by the mobility management functional entity, and the program code includes instructions for executing the communication method in the first aspect.
- the computer-readable medium may store program code for execution by the mobility management functional entity, and the program code includes instructions for executing the communication method in the second aspect.
- This application also provides a computer program product containing instructions.
- When the computer program product runs on a communication device, the communication device is caused to execute the instructions of the methods in the foregoing aspects.
- When the computer program product is executed on the mobility management functional entity, it causes the terminal device to execute the instructions of the communication method of the first aspect.
- When the computer program product is executed on the mobility management functional entity, it causes the network device to execute the instructions of the communication method of the second aspect.
- the present application provides a system chip including an input and output interface and at least one processor, and the at least one processor is used to call instructions in a memory to perform operations of the methods in the foregoing aspects.
- The system chip may further include at least one memory and a bus, the at least one memory storing the instructions executed by the processor.
- a communication system including the aforementioned network device.
- FIG. 1 is a schematic diagram of an application scenario to which the communication method of the present application can be applied.
- FIG. 2 is a schematic flowchart of the communication method of the present application.
- FIG. 3 is a schematic flowchart of a communication method according to an embodiment of the present application.
- FIG. 4 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 5 is a schematic structural diagram of a communication system that can be used in the communication method of the present application.
- FIG. 6 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 7 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 8 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 9 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 10 is a schematic flowchart of a communication device according to an embodiment of the present application.
- FIG. 11 is a schematic flowchart of a communication device according to another embodiment of the present application.
- GSM: Global System for Mobile Communications
- CDMA: Code Division Multiple Access
- WCDMA: Wideband Code Division Multiple Access
- GPRS: General Packet Radio Service
- LTE: Long Term Evolution
- FDD: Frequency Division Duplex
- TDD: Time Division Duplex
- UMTS: Universal Mobile Telecommunications System
- WiMAX: Worldwide Interoperability for Microwave Access
- 5G: 5th Generation
- NR: New Radio
- The terminal equipment of this application, also called user equipment (UE), is a device with a wireless transceiver function. It can be deployed on land (indoors or outdoors, handheld or vehicle-mounted), on water (for example on ships), or in the air (for example on airplanes, balloons and satellites).
- The terminal may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, or a wireless terminal in industrial control, self-driving, remote medicine, a smart grid, transportation safety, a smart city, a smart home, and so on.
- The embodiments of the present application do not limit the terminal device.
- The mobility management function entity in this application may be a control plane function entity provided by the operator's network. It is responsible for access control and mobility management of terminal equipment accessing the operator's network, including, for example, mobility status management, allocation of temporary user identities, and user authentication and authorization.
- A network slice in this application may also be referred to as “network slicing” or a “network slice instance”; the three terms have the same meaning, which is explained here once and not repeated below.
- Network slices must not affect each other. For example, a large number of sudden meter-reading services should not affect normal mobile broadband services.
- To meet diverse requirements and the isolation between slices, 3GPP requires relatively independent management, operation and maintenance between services, with tailor-made service functions and analysis capabilities. Instances of different service types are deployed on different network slices, and different instances of the same service type can also be deployed on different network slices.
- A scenario is disclosed in which a terminal needs to access two networks; for example, after the terminal has accessed one of the two networks, it accesses the other network through the network it has already accessed.
- The network the terminal has already accessed is called the second network, and the other network, which the terminal has not yet accessed but requests to access through the second network, is called the first network.
- The terminal may hold credentials for both networks.
- The credentials can be stored on a universal integrated circuit card (UICC) installed in the terminal, or on other tamper-resistant hardware or software modules; there is no limitation here.
- a control check mechanism can be introduced in the first network to determine whether a terminal from the second network needs the authentication of the first network to access the first network.
- When the two networks belong to the same security domain or trust domain, after the terminal has accessed the second network and then accesses the first network through the second network, the first network can authorize the terminal's access without re-authentication.
- For example, the two networks may use the same authentication method; the second network may be a slice of the first network (or the first network a slice of the second network); the second network may be a closed access group (CAG) of the first network (or the first network a CAG of the second network); or the first network and the second network may be operated by the same operator.
- The first network and the second network are deployed separately but can communicate with each other.
- For example, the first network serves the general public while the second network only serves CAG group members, or the second network is a network slice. After the terminal accesses the second network and then accesses the first network through the second network, the first network may authorize its access without re-authentication.
- The meaning of a CAG group of the first network is as follows: the first network is a public network deployed by the operator, and all subscribers can access the first network normally.
- A CAG is also deployed by the operator and is usually part of the first network, but it can only be accessed by specific subscribers.
- When the terminal signs its subscription contract, it is configured with a list of CAG groups it may access, and this list can also be updated when the terminal accesses the first network. Besides being able to access certain CAGs, whether the terminal can access the first network directly or only through a CAG depends on the operator's network configuration and the subscription conditions.
- Each CAG broadcasts its CAG identity (ID) within its coverage area.
- After receiving the broadcast, the terminal can synchronize to the CAG and include the CAG ID in its registration request, indicating that it wants to access the CAG.
- The terminal may be covered only by the CAG, only by the public first network, or by both the CAG and the public PLMN.
- The meaning of a CAG group of the second network is analogous to that of a CAG group of the first network and is not repeated here.
- After the terminal accesses the second network, when it accesses the first network through the second network, it does not need to be re-authenticated and can be authorized to access the first network.
- The security context used for information exchange between the first network and the terminal can be obtained from the security context used for information exchange between the terminal and the second network.
- For example, the security context obtained after the second network first authenticates the terminal can simply be transferred to the first network through a secure channel.
- The transferred security context may be the security context used in the second network, or a security context updated specifically for the first network.
- The first network can use the received security context directly, or update it, to obtain the security context for information interaction between itself and the terminal in the first network.
- FIG. 1 is a schematic diagram of an application scenario of the communication method of this application.
- The terminal device 110 accesses the first network 130 through the second network 120. Usually, the terminal device first registers with the second network and is authenticated by the second network in order to access it; after the terminal has accessed the second network, if it also wants to access the first network, it must perform a further registration and authentication with the first network (using the authentication method supported by the first network).
- The authentication method can be a 3rd Generation Partnership Project (3GPP) authentication method, such as Extensible Authentication Protocol (EAP)-Authentication and Key Agreement (AKA)' (EAP-AKA') or 5G-AKA, or a non-AKA authentication method based on the EAP framework.
- After the terminal has accessed the NPN, if it also wants to access the PLMN, it must perform a further registration and authentication with the PLMN (using the authentication method supported by the PLMN).
- When the first network is an NPN and the second network is a PLMN, a terminal that wants to access the NPN through the PLMN first registers with the PLMN. To obtain access authorization for the PLMN, the terminal must first be authenticated by the PLMN. After the terminal has accessed the PLMN, if it also wants to access the NPN, it must perform a further registration and authentication with the NPN (using the authentication method supported by the NPN).
- The authentication method supported by the NPN can be a mandatory 3GPP authentication method (EAP-AKA' or 5G-AKA), or a non-AKA authentication method based on the EAP framework.
- The above way of accessing the networks may cause the terminal to perform the same authentication process repeatedly.
- For example, if the NPN allows the EAP-AKA' (or 5G-AKA) authentication method, the terminal will repeat the EAP-AKA' (or 5G-AKA) authentication procedure in the PLMN. The reverse also holds (registering with the PLMN first and then accessing the NPN).
- This application therefore proposes a new technical solution that eliminates the additional authentication procedure, improving the seamless continuity of services between the two networks, reducing computing costs and reducing the waste of network resources.
- the communication method proposed in this application may include S210, S220, S230, and S240. It should be understood that FIG. 2 shows the steps or operations of the communication method, but these steps or operations are only examples, and the technical solution proposed in this application may also perform other operations or variations of each operation in FIG. 2.
- S210: The first terminal sends first information to the second mobility management function entity, the first information being used to request registration of the first terminal with the first network.
- Correspondingly, the second mobility management function entity receives the first information from the first terminal.
- Before S210, the first terminal may have initiated a registration request to the second network and completed the authentication and registration process. That is, before this step the second network may already have obtained the first security context used by the first terminal to communicate with the second network.
- The first security context may include the root key K and a series of keys derived from K, such as the intermediate keys IK and CK, the intermediate key Kausf, the anchor key Kseaf, the intermediate key Kamf, the non-access stratum keys (K-NASint and K-NASenc), the base station key KgNB and the next hop key (NH).
- The first security context can include a key (stored at the second mobility management function entity and at the terminal), subkeys derived from the key, the terminal's identity (ID), and the parameters used for key generation (such as random numbers and the uplink or downlink non-access stratum count, NAS COUNT).
- the ID of the terminal may be a subscription ID, such as a subscription permanent identifier (SUPI), or may be a temporary ID, such as a 5G Globally Unique Temporary UE Identity (5G-GUTI).
- The key can be the key K-AMF, also called the AMF key.
- the AMF entity and the terminal can use the key K-AMF to derive the subkeys K-NASint and K-NASenc respectively.
- the AMF entity and the terminal can use these two keys to perform integrity protection/verification and encryption/decryption on non-access stratum (NAS) control signaling respectively.
- the AMF entity and the terminal can also use the key K-AMF to derive the subkey K-gNB, respectively, as the root key required for the terminal to interact with the base station (the AMF entity will send the key K-gNB to the base station).
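As an added illustration (not code from the patent), the following Python models the key hierarchy just described: K-AMF and the NAS COUNT form the security context, K-NASint/K-NASenc protect NAS signalling, K-gNB is handed to the base station, and a horizontal derivation yields the updated (second) security context that the first network can use. The KDF shape follows the 3GPP generic KDF; the FC and distinguisher byte values, the 32-bit tag and the sample identity are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

# Assumed FC / distinguisher byte values: illustrative constants chosen for this example,
# not taken from the patent text.
FC_NAS_ALG_KEY = 0x69       # K-AMF -> K-NASint / K-NASenc
FC_KGNB = 0x6E              # K-AMF -> K-gNB
FC_KAMF_HORIZONTAL = 0x72   # K-AMF -> fresh K-AMF (second security context)
NAS_ENC_ALG_TYPE = 0x01
NAS_INT_ALG_TYPE = 0x02


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style generic KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


@dataclass
class SecurityContext:
    """Per-terminal AMF security context: key, identity and the NAS COUNT parameters."""
    supi: str
    k_amf: bytes
    ul_nas_count: int = 0
    last_ul_verified: int = -1   # receiver-side replay check (simplified model)

    def k_nas_int(self, alg_id: int = 0x02) -> bytes:
        # 128-bit key = low-order 128 bits of the 256-bit KDF output
        return kdf(self.k_amf, FC_NAS_ALG_KEY, bytes([NAS_INT_ALG_TYPE]), bytes([alg_id]))[16:]

    def k_nas_enc(self, alg_id: int = 0x02) -> bytes:
        return kdf(self.k_amf, FC_NAS_ALG_KEY, bytes([NAS_ENC_ALG_TYPE]), bytes([alg_id]))[16:]

    def k_gnb(self) -> bytes:
        # Root key the AMF hands to the base station; bound to the uplink NAS COUNT
        return kdf(self.k_amf, FC_KGNB, self.ul_nas_count.to_bytes(4, "big"), b"\x01")

    def horizontal_derivation(self) -> "SecurityContext":
        """Second security context: a fresh K-AMF for the first network, NAS COUNTs restarted."""
        new_k = kdf(self.k_amf, FC_KAMF_HORIZONTAL, b"\x01", self.ul_nas_count.to_bytes(4, "big"))
        return SecurityContext(self.supi, new_k)


def nas_mac(k_nas_int: bytes, count: int, direction: int, message: bytes) -> bytes:
    """32-bit integrity tag over COUNT || DIRECTION || message (HMAC stands in for NIA1..3)."""
    data = count.to_bytes(4, "big") + bytes([direction]) + message
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:4]


def protect_uplink(ue: SecurityContext, message: bytes) -> tuple:
    """Terminal side: tag the message with the current UL COUNT, then advance the COUNT."""
    count = ue.ul_nas_count
    tag = nas_mac(ue.k_nas_int(), count, 0, message)
    ue.ul_nas_count += 1
    return count, tag


def verify_uplink(amf: SecurityContext, message: bytes, count: int, tag: bytes) -> bool:
    """AMF side: reject a bad tag and any COUNT that does not advance (a replayed message)."""
    if count <= amf.last_ul_verified:
        return False
    if not hmac.compare_digest(nas_mac(amf.k_nas_int(), count, 0, message), tag):
        return False
    amf.last_ul_verified = count
    amf.ul_nas_count = count + 1
    return True


def demo() -> dict:
    """Constructed run: UE and the second network's AMF share K-AMF after authentication;
    the first network's AMF receives that context, uses it directly, then updates it."""
    k_amf = os.urandom(32)
    ue = SecurityContext("supi-constructed-001", k_amf, ul_nas_count=5)
    amf2 = SecurityContext("supi-constructed-001", k_amf, ul_nas_count=5, last_ul_verified=4)
    amf1 = replace(amf2)            # first security context transferred AMF2 -> AMF1 (S230)

    # S240 with the received context used as-is: the UE's registration message verifies once.
    msg = b"Registration Request (first network)"
    count, tag = protect_uplink(ue, msg)
    direct_ok = verify_uplink(amf1, msg, count, tag)
    replay_ok = verify_uplink(amf1, msg, count, tag)

    # AMF1 derives a second security context and (third information) tells the UE to update.
    amf1_new, ue_new = amf1.horizontal_derivation(), ue.horizontal_derivation()
    count, tag = protect_uplink(ue_new, b"Registration Complete")
    updated_ok = verify_uplink(amf1_new, b"Registration Complete", count, tag)

    return {"direct_ok": direct_ok, "replay_rejected": not replay_ok, "updated_ok": updated_ok,
            "k_gnb_matches": ue.k_gnb() == amf1.k_gnb(),
            "second_network_isolated": amf2.k_nas_int() != amf1_new.k_nas_int()}
```

The last result shows why the update step matters: once AMF1 re-derives K-AMF, the second network's AMF can no longer verify or forge NAS messages for the first network.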
- the second mobility management function entity may be deployed in the second network.
- S220: The second mobility management function entity sends the first information to the first mobility management function entity in the first network.
- the first mobility management function entity receives the first information from the second mobility management function entity.
- the first mobility management function entity in the first network can be understood as: the first mobility management function entity is deployed in the first network.
- The second mobility management function entity sending the first information to the first mobility management function entity in the first network may include: in response to the first information received in S210, the second mobility management function entity sends the first information to the first mobility management function entity in the first network.
- S230: The first mobility management function entity acquires the first security context of the first terminal.
- the first mobility management function entity acquiring the first security context of the first terminal may include: in response to the first information, the first mobility management function entity acquiring the first security context of the first terminal.
- S240: The first mobility management function entity communicates with the first terminal according to the first security context.
- Since the first mobility management function entity communicates with the first terminal according to the first security context, the authentication process otherwise required for the first terminal to access the first network is saved, which further reduces computing cost and waste of resources and improves the seamless continuity of services between the first network and the second network.
- Optionally, S220, that is, the second mobility management function entity sending the first information to the first mobility management function entity in the first network, may include: the second mobility management function entity determines that the first network is a trusted network of the second network, and then sends the first information to the first mobility management function entity.
- A trusted network of the second network is a network that a terminal that has accessed the second network can access directly through the second network. That is, if the first network is a trusted network of the second network, a terminal that has accessed the second network can access the first network without being authenticated by the first network.
- Alternatively, a trusted network of the second network can be understood as a network to which the terminal's security context can be sent.
- That is, the second network may send the terminal's security context to the first network.
- A trusted network of the second network may have one or more of the following characteristics: it uses the same authentication method as the second network; it is a slice of the second network, or the second network is a slice of it; it is a CAG group of the second network, or the second network is a CAG group of it; or it belongs to the same operator as the second network.
- The trusted networks of the second network may be preset, or a security policy may be preset in the second network from which it can be determined which networks are trusted networks of the second network.
- For example, a list of trusted network identifiers may be preset in the second network. If the preset list of trusted network identifiers includes the identifier of the first network, the first network is determined to be a trusted network of the second network.
- Alternatively, the following security policy can be configured in the second network: a network with the same authentication method as the second network is a trusted network; a network that is a slice of the second network is a trusted network; a network of which the second network is a slice is a trusted network; a network in a CAG group of the second network is a trusted network; a network whose CAG group the second network belongs to is a trusted network; or a network belonging to the same operator as the second network is a trusted network. If the first network complies with at least one of these policies, it is determined to be a trusted network of the second network.
- the second network sends the first information to the first network only when it determines that the first network is a trusted network, which can further improve communication security.
- Similarly, the second mobility management function entity may also send the first security context to the first mobility management function entity only when it has been determined that the first network is a trusted network, so as to improve communication security.
- Optionally, the second mobility management function entity may send the first security context to the first mobility management function entity.
- Correspondingly, S230, that is, the first mobility management function entity acquiring the first security context of the first terminal, may include: the first mobility management function entity receives the first security context from the second mobility management function entity.
- Optionally, the second mobility management function entity may send the first security context to the first mobility management function entity at the request of the first mobility management function entity.
- In this way, the second mobility management function entity is prevented from sending a security context that the first mobility management function entity does not need, thereby avoiding leakage of the security context and waste of resources.
- For example, the first mobility management function entity may send second information to the second mobility management function entity, the second information being used to request the security context of the first terminal.
- The second mobility management function entity receives the second information from the first mobility management function entity and, in response to the second information, sends the first security context to the first mobility management function entity.
- S310 in FIG. 3 can refer to S210, S320 to S220, and S350 to S240, which are not repeated here.
- the first mobility management function entity may send the second information to the second mobility management function entity only when it determines that the second network is a trusted network of the first network. That is, S330, the first mobility management function entity sending the second information to the second mobility management function entity, may include: the first mobility management function entity determines that the second network is a trusted network of the first network, and sends the second information to the second mobility management function entity.
- the first network obtains the first security context, which can improve communication security and avoid resource waste.
- the trusted network of the first network includes a network such that a terminal already connected to it can directly access the first network.
- when the second network is a trusted network of the first network, a terminal that has already accessed the second network can access the first network without being authenticated by the first network.
- the trusted network of the first network may have one or more of the following characteristics: it uses the same authentication method as the first network, or it is a slice of the first network, or the first network is a slice of it, or it is in the CAG group of the first network, or the first network is in its CAG group, or it belongs to the same operator as the first network, or the first terminal has already been authenticated.
- the trusted network of the first network may be preset, or a security policy may be preset in the first network, and according to the security policy, it can be determined which networks are the trusted networks of the first network.
- a list of trusted network identities may be preset in the first network, and the list includes identities of the trusted network of the first network. If the preset trusted network identifier list includes the identifier of the second network, it can be determined that the second network is a trusted network of the first network.
- the following security policy can be configured in the first network: a network with the same authentication method as the first network is a trusted network, or a network that is a slice of the first network is a trusted network, or a network of which the first network is a slice is a trusted network, or a network in the CAG group of the first network is a trusted network, or a network whose CAG group contains the first network is a trusted network, or a network belonging to the same operator as the first network is a trusted network. If the second network complies with at least one of the above policies, it can be determined that the second network is a trusted network of the first network.
- the first mobility management function entity may also determine whether the second network is a trusted network of the first network after acquiring the first security context, and communicate with the first terminal according to the first security context only when it determines that the second network is a trusted network of the first network. This can also improve communication security.
- the first mobility management function entity communicating with the first terminal according to the first security context may include: the first mobility management function entity obtains a second security context according to the first security context, and communicates with the first terminal according to the second security context.
- the first mobility management function entity may use the key in the first security context and a random number as the input of the key generator to generate the updated key.
- the updated key and other information in the first security context can be used as the second security context.
- the first mobility management function entity sends third information to the first terminal, and the third information is used to instruct the first terminal to update the first security context stored on the first terminal, as shown in S450 in Figure 4.
- the first mobility management function entity sends the first terminal either the information needed to update the first security context or directly the updated value in the second security context; that is, the third information includes the information required to update the first security context or the updated value.
- the first terminal can update the first security context on the first terminal according to the third information, and use the updated security context to communicate with the network element in the first network.
- the first mobility management function network element may send the random number used in key update to the terminal, so that the terminal can perform synchronous update.
- the second mobility management function entity may use the key in the first security context and a random number as the input of the key generator to generate an updated key, and then send the updated key together with the other information in the first security context to the first mobility management function entity as the second security context.
- the first mobility management function entity may directly use the second security context to communicate with the first terminal.
- the second mobility management function entity needs to send the random number to the first terminal so that the first terminal can update the security context synchronously.
- because the first network receives the second security context (including the updated key) and does not learn the key originally used in the second network, key isolation between the networks is achieved.
- after the first network receives the second security context, it can similarly update the second security context again, so that the second network does not know the security context used by the first network, achieving further key isolation between the networks.
- S410 in FIG. 4 can refer to S210
- S420 can refer to S220
- S430 can refer to S330
- S440 can refer to S340
- S460 can refer to S240, which will not be repeated here.
- the second mobility management function entity sends fourth information to the first mobility management function entity, and the fourth information is used to indicate that the first terminal has been authenticated by the second network.
- the first mobility management function entity receives the fourth information from the second mobility management function entity.
- the first mobility management function entity may send the second information to the second mobility management function entity after receiving the fourth information and determining according to the fourth information that the first terminal has been authenticated by the second network. This can further improve the security of communication and avoid waste of resources.
- the first mobility management function entity may communicate with the first terminal according to the first security context after receiving the fourth information and determining according to the fourth information that the first terminal has been authenticated by the second network. This can improve communication security.
- the first information and the fourth information may be carried in the same signaling or message.
- before the first mobility management function entity sends the second information to the second mobility management function entity, it may determine whether the first terminal is a terminal that must be authenticated. If the first terminal is not a terminal that must be authenticated, the first mobility management function entity sends the second information; otherwise, the first terminal needs to be authenticated by the first network. This can further improve the security of communication.
- the first mobility management function entity may first determine whether the first terminal is a terminal that must be authenticated. If the first terminal is not a terminal that must be authenticated, the first mobility management function entity communicates with the first terminal according to the first security context; otherwise, the first terminal needs to be authenticated by the first network. This can further improve the security of communication.
- one way of determining whether the first terminal is a terminal that must be authenticated is as follows: a blacklist of terminals can be preset in the first network, and all terminals on the blacklist need to be authenticated; if the first mobility management function entity determines that the first terminal is not on the blacklist, the first terminal is not a terminal that must be authenticated; otherwise it is.
- the 5G network architecture shown in FIG. 5 may include three parts, which are terminal equipment, data network (DN), and operator network.
- the operator network may include the network exposure function (NEF), network repository function (NRF), policy control function (PCF), unified data management (UDM) network function, application function (AF), authentication server function (AUSF), access and mobility management function (AMF), session management function (SMF), (radio) access network ((R)AN), user plane function (UPF), etc.
- the part other than the (radio) access network part is called the core network part. For convenience of description, the following takes the (R)AN, referred to as RAN, as an example.
- the terminal device can establish a connection with the operator's network through an interface (such as N1, etc.) provided by the operator's network, and use services such as data and/or voice provided by the operator's network.
- the terminal device can also access the DN through the operator's network, and use the operator's service deployed on the DN and/or the service provided by a third party.
- the aforementioned third party may be a service party other than the operator's network and terminal equipment, and may provide other services such as data and/or voice for the terminal equipment.
- the specific form of expression of the aforementioned third party can be determined according to actual application scenarios, and is not limited here.
- RAN is a sub-network of an operator's network, and an implementation system between service nodes and terminal equipment in the operator's network.
- to access the operator's network, the terminal device first passes through the RAN, and is then connected through the RAN to the service nodes of the operator's network.
- Access network equipment is a device that provides wireless communication functions for terminal equipment.
- Access network equipment includes, but is not limited to: the next-generation base station (gNodeB, gNB) in 5G, evolved Node B (eNB), radio network controller (RNC), Node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved NodeB or home Node B, HNB), baseband unit (BBU), transmission and receiving point (TRP), transmitting point (TP), mobile switching center, etc.
- the AMF network function is a control plane network function provided by the operator's network, responsible for access control and mobility management of terminal equipment accessing the operator's network, such as mobility status management, allocation of temporary user identities, and authentication and authorization of users.
- the SMF network function is a control plane network function provided by the operator network, and is responsible for managing the protocol data unit (PDU) session of the terminal device.
- a PDU session is a channel used to transmit PDUs; a terminal device and the DN transmit PDUs to each other through the PDU session.
- the PDU session is established, maintained, and deleted by the SMF network element.
- the functions of the SMF network element include session management (such as session establishment, modification and release, including maintenance of the tunnel between the UPF and the AN), UPF network element selection and control, service and session continuity (SSC) mode selection, and session-related functions such as roaming.
- the UPF network function is a gateway provided by the operator, and is a network function for the operator's network to communicate with the DN.
- the functions of the UPF network function include packet routing and forwarding, packet inspection, service usage reporting, quality of service (QoS) handling, lawful interception, uplink packet inspection, downlink packet buffering and other user-plane functions.
- the DN is also called a packet data network (PDN).
- the operator's network can be connected to multiple DNs, and multiple services can be deployed on a DN to provide services such as data and/or voice to terminal equipment.
- for example, a DN may be the private network of a smart factory. The sensors installed in the workshop of the smart factory can be terminal devices, and the control server of the sensors is deployed in the DN and provides services for the sensors: a sensor can communicate with the control server, obtain instructions from it, and transmit the collected sensor data to the control server according to those instructions.
- as another example, a DN may be the internal office network of a company. The mobile phones or computers of the company's employees can be terminal devices, through which the employees access information and data resources on the internal office network.
- the UDM network function is a control plane network function provided by the operator. It is responsible for storing the subscription permanent identifier (SUPI), credentials, security context, subscription data and other information of the subscribers of the operator's network. The SUPI is encrypted before transmission, and the encrypted SUPI is called the subscription concealed identifier (SUCI).
- the information stored in the UDM network function can be used for authentication and authorization of terminal equipment accessing the operator's network.
- the subscribers of the above-mentioned operator's network may specifically be users who use the services provided by the operator's network, such as users of a China Telecom or China Mobile SIM card.
- the subscription permanent identifier SUPI of such a subscriber may be the number of the SIM card, etc.
- the credential and security context of such a subscriber may be a small stored file, such as the encryption key of the SIM card or information related to the encryption of the SIM card, used for authentication and/or authorization.
- the aforementioned security context may also be data (a cookie) or a token stored on the user's local terminal (for example, a mobile phone).
- the subscription data of such a subscriber may be the services associated with the SIM card, such as its data package or network usage.
- permanent identifiers, credentials, security contexts, authentication data (cookies) and tokens are all information related to authentication and authorization, and for convenience of description no distinction or restriction is made between them. Unless otherwise stated, the embodiments of the present application are described using a security context as an example, but they are equally applicable to authentication and/or authorization information in other forms.
- the UDM network function is referred to as UDM for short.
- the AUSF network function is a control plane network function provided by the operator, and is usually used for primary authentication, that is, the authentication between the terminal device (subscriber) and the operator's network. After the AUSF receives an authentication request initiated by the subscriber, it can authenticate and/or authorize the subscriber using the authentication and/or authorization information stored in the UDM, or generate the subscriber's authentication and/or authorization information through the UDM. The AUSF can return authentication and/or authorization information to the subscriber.
- the NEF is a control plane network function provided by the operator, which exposes the external interfaces of the operator's network to third parties in a secure manner.
- the NEF network function can serve as a relay for communication between the SMF and third-party network functions.
- when acting as a relay, the NEF can translate the identification information of the subscriber and of the third-party network element. For example, when the NEF sends a subscriber's SUPI from the operator network to a third party, it can translate the SUPI into the corresponding external identity (ID); conversely, when the NEF sends an external ID (an ID used in the third-party network) into the operator's network, it can translate it into the SUPI.
- the PCF network function is a control plane function provided by the operator, which provides PDU session policies to the SMF.
- Policies can include charging-related policies, QoS-related policies, and authorization-related policies.
- the network slice selection function (NSSF) (not shown in Figure 5) is responsible for determining the network slice instance, selecting AMF, and so on.
- Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4 and N6 are interface identifiers; their meaning can be found in the 3GPP standard specifications and is not limited here.
- FIG. 6 is a schematic flowchart of a communication method according to an embodiment of the application. It should be understood that FIG. 6 shows the steps or operations of the method, but these steps or operations are only examples, and the technical solution proposed in this application may also perform other operations or variations of each operation in FIG. 6.
- the terminal attempts to access the PLMN through NPN.
- the authentication method used by the terminal during NPN registration is EAP-AKA' or 5G-AKA. That is, the first network is PLMN, the second network is NPN, and both the first mobility management function entity and the second mobility management function entity are AMF entities.
- the AMF entity is referred to as AMF for short.
- S610 The terminal initiates a registration request to the NPN, and completes the authentication and registration process.
- the NPN or the terminal can record the authentication method used. For example, if the EAP-AKA' or 5G AKA authentication method is used, the "authentication type" parameter can be set to 1, otherwise to 0. (When recording, EAP-AKA' and 5G AKA can also be distinguished, for example by setting the former to 2 and the latter to 1; there is no limitation here.)
- the registration request may include indication information for requesting access to the PLMN, so as to distinguish that the registration request is a request for accessing the PLMN through an NPN instead of a request for accessing the NPN.
- the indication information can be realized by setting a value different from the request to access the NPN in the "registration type".
- for example, the existing 5G standard defines a table of "registration type values", shown as Table 1, in which different values represent different registration types. The "registration type value" can be set to 101 (binary) to indicate that another network (such as a PLMN) is accessed through the NPN.
- the registration request may also include "authentication type” indication information to indicate the authentication method used by the terminal when accessing the NPN before. For example, when the parameter of "authentication type” described in step S210 is set to 1, it is EAP-AKA' or 5G AKA authentication, and when it is set to 0, it refers to non-AKA authentication.
- the registration request may not include the "authentication type" indication information.
- the AMF or UDM of the NPN can store the authentication type used when the terminal accesses the NPN.
- the AMF of the NPN can obtain the authentication type used by the terminal when accessing the NPN by querying local (AMF) or other network functions, such as UDM.
- the NPN AMF selects the corresponding PLMN and PLMN AMF according to the information in the registration request received from the terminal.
- the NPN AMF, according to local policy or by querying other network functions of the NPN such as the NPN UDM, verifies whether the PLMN the terminal is trying to connect to is in the list of PLMNs that the terminal is allowed to access directly.
- specifically, the NPN queries whether the identity of the PLMN the terminal is trying to connect to is in the list of PLMN identities the terminal is allowed to access directly.
- the PLMN corresponding to the identifiers in the list allows direct access by terminals that have passed NPN EAP-AKA’ or 5G AKA authentication.
- the PLMN in the list can allow the terminal to access directly, and other PLMNs will require the terminal to access the PLMN according to the normal procedure.
- the list can include one or more PLMN IDs.
- the PLMN that allows the terminal to directly access has a pre-arranged agreement with the NPN.
- NPN itself is hosted by PLMN or implemented as a network slice of PLMN.
- the NPN AMF forwards the registration request of S620 to the PLMN AMF.
- the registration request may carry an authentication type parameter to indicate the authentication method used by the current terminal to access the NPN.
- the registration request may also carry other indication information, indicating that the terminal has passed NPN authentication and meets the conditions for direct access to the PLMN.
- the registration request may be the Namf_Communication_N1MessageNotify message described in the 5G standard. If the registration request carries an authentication type parameter, the authentication type needs to be added as a new parameter in the registration request message.
- after receiving the registration request forwarded by the NPN AMF, the PLMN AMF checks the authentication type used by the terminal when registering with the NPN. If the EAP-AKA' or 5G AKA authentication method was used, the terminal is allowed to skip PLMN authentication, and S670 is executed.
- PLMN can maintain an NPN "white list” list, and only requests from NPNs in this list can skip PLMN authentication.
- PLMN can maintain a "blacklist" list of terminals, and all terminals in the list must be authenticated.
- step S670 can be continued.
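The checks above, the trusted-network policy of the first network, the terminal blacklist, and the PLMN AMF's decision in S660 whether a terminal that the NPN already authenticated may skip PLMN authentication, amount to one admission decision. The following is an added example written for this page, not code from the patent or from any 3GPP implementation; the request field names, the policy layout, the `lookup_auth_type` callback and all sample identifiers are assumptions.

```python
"""Added example (not from the patent): the PLMN AMF's decision in S660 for a
terminal that tries to access the PLMN through an NPN.

Field names, policy layout and sample identifiers are hypothetical; only the
decision logic follows the text:
 - registration type value 101 = "access another network through the NPN"
 - authentication type 1 (or 2) = EAP-AKA' / 5G AKA, 0 = non-AKA
 - NPN white list / trusted-network rules, terminal blacklist
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Optional

REG_TYPE_VIA_NPN = 0b101       # proposed value, distinct from the existing registration types
AUTH_NON_AKA = 0
AUTH_AKA = 1                   # EAP-AKA' or 5G AKA, undifferentiated
AUTH_EAP_AKA_PRIME = 2         # used only if the NPN records the two separately
AKA_TYPES = frozenset({AUTH_AKA, AUTH_EAP_AKA_PRIME})


class Decision(Enum):
    REUSE_NPN_CONTEXT = "skip PLMN authentication, fetch the NPN security context (S670)"
    FULL_PLMN_AUTH = "run the normal PLMN authentication procedure"


@dataclass(frozen=True)
class ForwardedRegistration:
    """Registration request as forwarded by the NPN AMF (hypothetical fields)."""
    npn_id: str
    terminal_id: str                 # SUPI or 5G-GUTI as known to the NPN
    registration_type: int
    auth_type: Optional[int] = None  # None: the NPN did not include the parameter


@dataclass(frozen=True)
class PlmnPolicy:
    """Security policy preset in the PLMN (hypothetical layout)."""
    trusted_npns: FrozenSet[str] = frozenset()        # NPN "white list"
    slices_of_plmn: FrozenSet[str] = frozenset()      # NPNs that are slices of this PLMN
    same_operator: FrozenSet[str] = frozenset()       # NPNs run by the same operator
    must_authenticate: FrozenSet[str] = frozenset()   # terminal "blacklist"


def npn_is_trusted(policy: PlmnPolicy, npn_id: str) -> bool:
    """Trusted-network test: satisfying any one preset rule is sufficient."""
    return (npn_id in policy.trusted_npns
            or npn_id in policy.slices_of_plmn
            or npn_id in policy.same_operator)


def decide(req: ForwardedRegistration, policy: PlmnPolicy,
           lookup_auth_type: Optional[Callable[[str, str], Optional[int]]] = None) -> Decision:
    """PLMN AMF decision for S660. Fails closed: anything not positively
    established leads to the normal PLMN authentication procedure."""
    if req.registration_type != REG_TYPE_VIA_NPN:
        return Decision.FULL_PLMN_AUTH          # ordinary registration, normal procedure
    if not npn_is_trusted(policy, req.npn_id):
        return Decision.FULL_PLMN_AUTH          # only requests from trusted NPNs may skip
    if req.terminal_id in policy.must_authenticate:
        return Decision.FULL_PLMN_AUTH          # blacklisted terminals are always authenticated
    auth_type = req.auth_type
    if auth_type is None and lookup_auth_type is not None:
        auth_type = lookup_auth_type(req.npn_id, req.terminal_id)   # e.g. ask the NPN AMF/UDM
    if auth_type in AKA_TYPES:
        return Decision.REUSE_NPN_CONTEXT
    return Decision.FULL_PLMN_AUTH              # non-AKA or unknown: authenticate


# Constructed sample policy and requests.
SAMPLE_POLICY = PlmnPolicy(trusted_npns=frozenset({"npn-factory-1"}),
                           must_authenticate=frozenset({"imsi-001010000000002"}))


def run_samples() -> dict:
    cases = {
        "aka_from_trusted_npn": ForwardedRegistration("npn-factory-1", "imsi-001010000000001", REG_TYPE_VIA_NPN, AUTH_AKA),
        "untrusted_npn": ForwardedRegistration("npn-unknown", "imsi-001010000000001", REG_TYPE_VIA_NPN, AUTH_AKA),
        "blacklisted_terminal": ForwardedRegistration("npn-factory-1", "imsi-001010000000002", REG_TYPE_VIA_NPN, AUTH_AKA),
        "non_aka_in_npn": ForwardedRegistration("npn-factory-1", "imsi-001010000000001", REG_TYPE_VIA_NPN, AUTH_NON_AKA),
        "auth_type_absent": ForwardedRegistration("npn-factory-1", "imsi-001010000000001", REG_TYPE_VIA_NPN),
    }
    return {name: decide(req, SAMPLE_POLICY).name for name, req in cases.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:24s} -> {result}")
```

The "authentication type" parameter is an assertion made by the NPN, not something the PLMN can verify on its own; the white list is what makes relying on it reasonable, which is why the trust check runs before the parameter is consulted, and why an absent or unknown value falls back to full PLMN authentication. With the roles of PLMN and NPN swapped, the same function models S760 of the Fig. 7 embodiment.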
- for a terminal that does not need to perform PLMN authentication, the PLMN AMF sends a request message to the NPN AMF, requesting the security context generated after the terminal was authenticated by the NPN.
- the PLMN AMF can request the security context of the terminal by sending the Namf_communication_UEContextTransfer (registration request complete) message in the 5G standard.
- NPN AMF replies to PLMNAMF, and sends the security context of the terminal to PLMNAMF.
- NPNAMF can send the security context through Namf_communication_UEContextTransfer in the 5G standard.
- the security context may include the key K-AMF, the subkey derived from the K-AMF, the subscription ID of the UE, and the random number used for key generation.
- after the PLMN AMF obtains the security context from the NPN AMF, the PLMN can use it to exchange information with the terminal.
- the PLMN AMF uses the key K-AMF in the security context and a random number as the input of the key generator to generate an updated key K-AMF.
- the updated key K-AMF and the other content of the security context constitute the updated security context.
- the PLMN AMF sends the above random number to the terminal so that the terminal can update and synchronize its key. In this way, the PLMN and the terminal can communicate using the updated security context.
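The security-context transfer and key update of S670 and S680, and the two variants described earlier in which either the receiving (first) network or the sending (second) network performs the update and the resulting key isolation, can be run end to end on both the AMF side and the terminal side. The following is an added example for this page, not code from the patent or from a 3GPP implementation. The patent only states that the old K-AMF and a random number are the inputs of a "key generator"; the HMAC-SHA-256 construction used here, the inclusion of the target network identity in the derivation, and the context field names are assumptions made for illustration and are not the 3GPP key derivation.

```python
"""Added example (not from the patent): K-AMF update with a random number on
AMF and terminal, in the receiver-updates and sender-updates variants, plus
the key-isolation properties the text claims.

Assumptions: the KDF (HMAC-SHA-256 over a label, the random number and the
target network identity) and the SecurityContext fields are illustrative,
not the 3GPP key hierarchy.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SecurityContext:
    k_amf: bytes
    k_nas_enc: bytes
    k_nas_int: bytes
    subscription_id: str
    rand: bytes          # random number used for the most recent key update


def kdf(key: bytes, label: str, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA-256 construction (illustrative KDF, assumption)."""
    msg = label.encode() + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def new_context(k_amf: bytes, subscription_id: str, rand: bytes) -> SecurityContext:
    """Derive the sub-keys from K-AMF, as after authentication or after an update."""
    return SecurityContext(k_amf, kdf(k_amf, "nas-enc"), kdf(k_amf, "nas-int"),
                           subscription_id, rand)


def update_context(ctx: SecurityContext, rand: bytes, network_id: bytes) -> SecurityContext:
    """Key update: K-AMF' = KDF(K-AMF, rand, network); sub-keys re-derived; the other
    information (subscription id) is kept. Runs identically on AMF and terminal."""
    return new_context(kdf(ctx.k_amf, "k-amf-update", rand, network_id),
                       ctx.subscription_id, rand)


def receiver_side_update(received: SecurityContext, network_id: bytes,
                         rand: Optional[bytes] = None) -> Tuple[SecurityContext, bytes]:
    """Variant 1: the first network's AMF updates the context it fetched and
    must send `rand` to the terminal (the third information, S450)."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    return update_context(received, rand, network_id), rand


def sender_side_update(ctx: SecurityContext, network_id: bytes,
                       rand: Optional[bytes] = None) -> Tuple[SecurityContext, bytes]:
    """Variant 2: the second network's AMF updates before sending, so the first
    network never sees the original K-AMF; the second network sends `rand`."""
    return receiver_side_update(ctx, network_id, rand)


def demo(rand1: bytes, rand2: bytes) -> dict:
    # Constructed NPN context after the terminal's EAP-AKA'/5G AKA authentication.
    k_amf_npn = hashlib.sha256(b"constructed K-AMF of the NPN").digest()
    npn_ctx = new_context(k_amf_npn, "imsi-001010000000001", b"")
    plmn_id = b"plmn-001-01"

    # Variant 1: PLMN AMF fetches npn_ctx (S670/S680), updates it, sends rand1 to the terminal.
    plmn_ctx, r1 = receiver_side_update(npn_ctx, plmn_id, rand1)
    ue_ctx = update_context(npn_ctx, r1, plmn_id)            # terminal-side synchronous update

    # Variant 2: the NPN updates first (second security context), the PLMN updates again.
    second_ctx, r_a = sender_side_update(npn_ctx, plmn_id, rand1)
    plmn_ctx2, r_b = receiver_side_update(second_ctx, plmn_id, rand2)
    ue_ctx2 = update_context(update_context(npn_ctx, r_a, plmn_id), r_b, plmn_id)
    # Without learning r_b the NPN can only guess the PLMN's key.
    npn_guess = update_context(second_ctx, secrets.token_bytes(16), plmn_id)

    return {
        "ue_and_plmn_in_sync": ue_ctx == plmn_ctx,
        "plmn_key_differs_from_npn_key": plmn_ctx.k_amf != npn_ctx.k_amf,
        "variant2_in_sync": ue_ctx2 == plmn_ctx2,
        "variant2_plmn_never_got_npn_key": second_ctx.k_amf != npn_ctx.k_amf,
        "npn_cannot_recompute_without_rand2": npn_guess.k_amf != plmn_ctx2.k_amf,
        "subscription_id_preserved": plmn_ctx2.subscription_id == npn_ctx.subscription_id,
    }


if __name__ == "__main__":
    for name, ok in demo(secrets.token_bytes(16), secrets.token_bytes(16)).items():
        print(f"{name:36s} {ok}")
```

The isolation argument rests entirely on the random number: K-AMF' is a deterministic function of K-AMF and the random number, so a network that already holds K-AMF and also sees the random number can recompute K-AMF'. In the variant where the first network updates, the random number therefore has to reach the terminal without passing through, or being readable by, the second network; otherwise the second update buys nothing.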
- FIG. 7 is a schematic flowchart of a communication method according to another embodiment of the application. It should be understood that FIG. 7 shows the steps or operations of the method, but these steps or operations are only examples, and the technical solution proposed in this application can also perform other operations or variations of the operations in FIG. 7
- This embodiment describes a scenario where the terminal accesses the NPN through the PLMN.
- the authentication method adopted when the terminal registers with the PLMN is EAP-AKA’ or 5G AKA authentication. That is, the first network is NPN, the second network is PLMN, and both the first mobility management function entity and the second mobility management function entity are AMF entities.
- the AMF entity is referred to as AMF for short.
- S710 The terminal completes the authentication and registration process in the PLMN. During the registration process, the terminal adopts EAP-AKA’ or 5G AKA authentication method.
- S720 The terminal initiates a registration request to the PLMN AMF, requesting to connect to the NPN.
- the PLMN AMF selects the corresponding NPN AMF according to the information in the registration request.
- the PLMN AMF verifies, according to local policy or by querying the PLMN UDM, whether the NPN the terminal is trying to connect to is one that allows the terminal to access directly. This step is similar to S640.
- the PLMN AMF forwards the registration request to the NPN AMF. This step is similar to S650.
- after receiving the registration request forwarded by the PLMN AMF, the NPN AMF checks the authentication method the terminal used when registering with the PLMN. If the EAP-AKA' or 5G AKA authentication method was used, the terminal is allowed to skip NPN authentication, and S770 is executed.
- for a terminal that does not perform NPN authentication, the NPN AMF sends a request message to the PLMN AMF, requesting the security context generated after the terminal was authenticated by the PLMN.
- the PLMN AMF replies to the NPN AMF and sends the security context of the terminal to the NPN AMF.
- FIG. 8 is a schematic flowchart of a communication method according to another embodiment of the application. It should be understood that FIG. 8 shows the steps or operations of the method, but these steps or operations are only examples, and the technical solution proposed in this application may also perform other operations or variations of each operation in FIG. 8
- the terminal tries to access the PLMN through the NPN. When the terminal accesses the PLMN on its own it uses the EAP-AKA' or 5G-AKA authentication method, but when it authenticates with the NPN it uses an authentication method other than EAP-AKA' or 5G-AKA. That is, the first network is the PLMN, the second network is the NPN, and both the first and the second mobility management function entity are AMF entities, referred to as AMF for short.
- for S810 to S830, refer to S610 to S630 respectively.
- NPN AMF checks whether the PLMN that the terminal is trying to connect to allows the terminal to directly access according to the local policy or query NPN UDM.
- This step can refer to S640.
- a difference from S640 is that a PLMN that allows the terminal to access directly not only accepts that the terminal used the EAP-AKA' or 5G-AKA authentication method in the NPN, but also accepts other authentication methods used in the NPN, for example EAP-TLS.
- another difference from S640 is that, when the terminal registered with the NPN using an authentication method other than EAP-AKA' or 5G-AKA, the NPN may not have generated a temporary identifier 5G-GUTI for the terminal, because a 5G-GUTI is usually generated for the EAP-AKA' or 5G-AKA authentication methods, for example based on the SUPI used by those methods.
- in that case the NPN needs to generate an additional 5G-GUTI for the terminal. For example, the NPN can generate a pseudo SUPI and then generate from it a 5G-GUTI usable in the PLMN, or the NPN AMF can substitute an identifier in the same format as the 5G-TMSI and thereby form a 5G-GUTI.
- the identifier allows the PLMN AMF to recognize the terminal as a user of the NPN; its selection and implementation are determined by the NPN operator's policy.
- the NPN AMF forwards the registration request to the AMF of the PLMN.
- the NPN AMF also needs to forward the 5G-GUTI generated by the NPN to the PLMN AMF, so that the PLMN AMF can use the 5G-GUTI to identify the terminal and its security context.
- S860 to S880 can refer to S660 to S680 respectively.
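The identifier problem of S840 and S850 above, an NPN AMF having to give the PLMN AMF a 5G-GUTI for a terminal that only authenticated to the NPN with a non-AKA method and therefore has no SUPI-based temporary identity, can be illustrated with a small allocator. This is an added example for this page, not the patent's or any 3GPP stack's code. The 5G-GUTI field layout (MCC, MNC, 8-bit AMF Region ID, 10-bit AMF Set ID, 6-bit AMF Pointer, 32-bit 5G-TMSI) is the one defined in 3GPP TS 23.003; the textual encoding used here, the random choice of 5G-TMSI and the NAI lookup table are assumptions, since the patent leaves the choice to the NPN operator.

```python
"""Added example (not from the patent): an NPN AMF allocating a 5G-GUTI for a
terminal known to the NPN only by a NAI (e.g. after EAP-TLS), so the PLMN AMF
can index the terminal's security context by it.

Assumptions: the textual GUTI form below is not the NAS IE encoding; the
5G-TMSI is chosen at random and kept in an AMF-local NAI <-> GUTI table.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Guami:
    """Globally Unique AMF Identifier of the NPN AMF (TS 23.003 field widths)."""
    mcc: str
    mnc: str
    region_id: int   # 8 bits
    set_id: int      # 10 bits
    pointer: int     # 6 bits

    def __post_init__(self) -> None:
        if not (self.mcc.isdigit() and len(self.mcc) == 3
                and self.mnc.isdigit() and len(self.mnc) in (2, 3)):
            raise ValueError("bad PLMN id")
        if not (0 <= self.region_id < 2**8 and 0 <= self.set_id < 2**10
                and 0 <= self.pointer < 2**6):
            raise ValueError("AMF identifier field out of range")

    def amf_id(self) -> int:
        """24-bit AMF Identifier = Region ID | Set ID | Pointer."""
        return (self.region_id << 16) | (self.set_id << 6) | self.pointer


def encode_guti(guami: Guami, tmsi: int) -> str:
    """Textual 5G-GUTI: mcc-mnc-amfid(hex)-tmsi(hex)."""
    if not 0 <= tmsi < 2**32:
        raise ValueError("5G-TMSI must be 32 bits")
    return f"{guami.mcc}-{guami.mnc}-{guami.amf_id():06x}-{tmsi:08x}"


def decode_guti(guti: str) -> Tuple[Guami, int]:
    """Inverse of encode_guti; the PLMN AMF can read the GUAMI to route the context request."""
    mcc, mnc, amf_hex, tmsi_hex = guti.split("-")
    amf_id = int(amf_hex, 16)
    return Guami(mcc, mnc, amf_id >> 16, (amf_id >> 6) & 0x3FF, amf_id & 0x3F), int(tmsi_hex, 16)


class NpnGutiAllocator:
    """NPN AMF-local mapping NAI <-> 5G-GUTI for non-AKA terminals."""

    def __init__(self, guami: Guami) -> None:
        self.guami = guami
        self._by_nai: Dict[str, str] = {}
        self._by_guti: Dict[str, str] = {}

    def allocate(self, nai: str) -> str:
        if nai in self._by_nai:
            return self._by_nai[nai]            # keep the terminal's temporary identity stable
        while True:
            # Random, not derived from the NAI: the GUTI must not let the PLMN
            # (or an eavesdropper) link the temporary identity to the NAI.
            guti = encode_guti(self.guami, secrets.randbits(32))
            if guti not in self._by_guti:       # unique within this AMF
                break
        self._by_nai[nai] = guti
        self._by_guti[guti] = nai
        return guti

    def resolve(self, guti: str) -> str:
        """What the NPN AMF needs when the PLMN AMF later asks for the context (S870)."""
        return self._by_guti[guti]


if __name__ == "__main__":
    alloc = NpnGutiAllocator(Guami("001", "01", 1, 2, 3))
    g = alloc.allocate("sensor-17@npn.example")     # constructed NAI
    print(g, decode_guti(g), alloc.resolve(g))
```

The PLMN AMF only ever sees the GUTI and the NPN's GUAMI; the NAI stays inside the NPN, which is what the patent's "identified by the PLMN AMF as a user of the NPN" requires without exposing the terminal's real identity to the PLMN.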
- FIG. 9 is a schematic flowchart of a communication method according to another embodiment of this application. It should be understood that FIG. 9 shows the steps or operations of the method, but these steps or operations are only examples, and the technical solution proposed in this application may also perform other operations or variations of each operation in FIG. 9
- the terminal tries to access the NPN through the PLMN.
- the terminal uses the EAP-AKA' or 5G-AKA authentication method in the PLMN network, and does not use the EAP-AKA' or 5G-AKA authentication method in the NPN network. That is, the first network is NPN, the second network is PLMN, and both the first mobility management function entity and the second mobility management function entity are AMF entities.
- the AMF entity is referred to as AMF for short.
- S910 to S930 can refer to S710 to S730.
- the PLMNAMF checks whether the NPN that the terminal is trying to connect to allows the terminal to directly access according to the local policy or query PLMN UDM.
- This step can refer to S740.
- a difference from S740 is that the NPN that allows the terminal to access directly does not itself use EAP-AKA' or 5G-AKA authentication, but accepts the EAP-AKA' or 5G-AKA authentication the terminal performed in the PLMN.
- the PLMN needs to generate an identifier recognized by the NPN for the NPN to identify the terminal. For example, for an NPN that uses a network access identifier (network access identity, NAI), the PLMN needs to generate an NAI acceptable to the NPN to identify the terminal. If the NPN also uses other temporary identifiers, the PLMN needs to generate corresponding temporary identifiers.
- NAI network access identity
- the PLMN AMF forwards the registration request, together with the NPN-recognized identifier (such as the NAI), to the NPN AMF.
- S960 to S980 can refer to S760 to S780.
- the terms "pre-set" and "pre-defined" can be implemented by storing in advance, in the device (for example, a terminal device or a network device), the corresponding codes, tables or other information that can be used to indicate the related information.
- This application does not limit the specific implementation method.
- the mobility management function entity includes hardware structures and/or software modules corresponding to each function.
- the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or by computer-software-driven hardware depends on the specific application and the design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of this application.
- the present application provides a communication device corresponding to the first mobility management function entity in each of the foregoing method embodiments, and the communication device includes a module or unit that performs corresponding steps in each of the foregoing method embodiments.
- FIG. 10 shows a schematic structural diagram of a communication device 1000 according to an embodiment of the present application.
- the communication device 1000 includes a communication unit 1010 and a processing unit 1020.
- the communication unit in the embodiments of the present application may also be referred to as a transceiver unit (module), and the processing unit may be referred to as a processing module.
- the communication unit 1010 is configured to receive first information from the second mobility management function entity, and the first information is used to request registration of the first terminal to the first network where the communication device is located.
- the processing unit 1020 is configured to obtain a first security context of the first terminal, where the first security context is a security context between the first terminal and a second mobility management function entity.
- the communication unit 1010 is further configured to communicate with the first terminal according to the first security context.
- the processing unit is specifically configured to call the communication unit to perform the following operations: in response to the received first information, send second information to the second mobility management function entity, where the second information is used to request the security context of the first terminal; and receive the first security context from the second mobility management function entity.
- the communication unit is specifically configured to: obtain a second security context according to the first security context; and communicate with the first terminal according to the second security context.
- the communication unit is further configured to send third information to the first terminal, where the third information is used to instruct the first terminal to update the first security context.
- the second mobility management function entity is deployed in a second network.
- the second network is a slice of the first network; or, the second network is a closed access group (CAG) of the first network.
- the first network is a slice of the second network; or, the first network is a closed access group (CAG) of the second network.
- the first network is NPN and the second network is PLMN; or, the first network is PLMN, and the second network is NPN.
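The registration forwarding and security-context hand-over described for FIG. 8 and FIG. 9 and for the device of FIG. 10, modelled as added example code that is not part of the patent: the second AMF (here the PLMN) checks its local access policy, forwards the registration with the terminal's 5G-GUTI, and releases the first security context on request; the first AMF (here the NPN) derives a second security context from it and instructs the terminal to update. The HMAC-SHA256 derivation, the network names, the 5G-GUTI value and the policy table are constructed for illustration; the derivation is not the 3GPP KDF.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class SecurityContext:
    """Security context shared between a terminal and one AMF (constructed)."""
    key: bytes


def derive_second_context(first: SecurityContext, network_id: str, guti: str) -> SecurityContext:
    # Constructed HMAC-SHA256 derivation (not the 3GPP KDF): binds the new key
    # to the first network and the terminal's 5G-GUTI. Both the first AMF and
    # the terminal run it, so no second authentication procedure is needed.
    info = b"second-ctx|" + network_id.encode() + b"|" + guti.encode()
    return SecurityContext(hmac.new(first.key, info, hashlib.sha256).digest())


class Amf:
    def __init__(self, network_id: str, direct_access_policy: dict):
        self.network_id = network_id
        self.direct_access_policy = direct_access_policy  # target network -> allowed?
        self.contexts: dict = {}  # 5G-GUTI -> SecurityContext

    # --- role of the second AMF (network the terminal authenticated with) ---
    def authenticate(self, guti: str) -> SecurityContext:
        """Stand-in for EAP-AKA'/5G-AKA: establishes the first security context."""
        self.contexts[guti] = SecurityContext(os.urandom(32))
        return self.contexts[guti]

    def forward_registration(self, first_amf: "Amf", guti: str) -> dict:
        # Local policy check: does the target network allow direct access?
        if not self.direct_access_policy.get(first_amf.network_id, False):
            raise PermissionError(f"{first_amf.network_id} not allowed by local policy")
        first_info = {"type": "registration", "guti": guti, "from": self.network_id}
        return first_amf.handle_registration(self, first_info)

    def answer_context_request(self, second_info: dict) -> SecurityContext:
        # Release the first security context only for a 5G-GUTI this AMF knows.
        ctx = self.contexts.get(second_info["guti"])
        if ctx is None:
            raise LookupError("unknown 5G-GUTI: terminal must authenticate in full")
        return ctx

    # --- role of the first AMF (network being registered into) ---
    def handle_registration(self, second_amf: "Amf", first_info: dict) -> dict:
        guti = first_info["guti"]
        second_info = {"type": "context_request", "guti": guti}
        first_ctx = second_amf.answer_context_request(second_info)
        self.contexts[guti] = derive_second_context(first_ctx, self.network_id, guti)
        # Third information: instruct the terminal to update its security context.
        return {"type": "update_context", "network": self.network_id, "guti": guti}


class Terminal:
    def __init__(self, guti: str):
        self.guti = guti
        self.ctx = None

    def register_via(self, second_amf: Amf, first_amf: Amf) -> SecurityContext:
        self.ctx = second_amf.authenticate(self.guti)  # one full authentication only
        third_info = second_amf.forward_registration(first_amf, self.guti)
        self.ctx = derive_second_context(self.ctx, third_info["network"], self.guti)
        return self.ctx


def run_flow(policy_allows: bool = True) -> bool:
    """True when the terminal and the first AMF hold the same second security context."""
    plmn = Amf("PLMN-example", {"NPN-example": policy_allows})
    npn = Amf("NPN-example", {})
    ue = Terminal("5G-GUTI-example")
    ctx = ue.register_via(plmn, npn)
    return hmac.compare_digest(ctx.key, npn.contexts[ue.guti].key)
```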
- processing unit 1020 may be implemented by a processor, and the communication unit 1010 may be implemented by a transceiver.
- the communication device may also include a storage unit.
- the storage unit is used to store instructions, and the processing unit executes the instructions stored in the storage unit, so that the communication device executes the foregoing method.
- the storage unit can be realized by a memory.
- the communication device 1100 may include a processor 1110, a memory 1120, and a transceiver 1130.
- the steps of the above method can be completed by hardware integrated logic circuits in the processor or instructions in the form of software.
- the steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
- the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers.
- the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
- the communication device 1000 may be a chip.
- the communication device may be a field-programmable gate array (FPGA), an application specific integrated circuit (ASIC), or a system on chip (SoC). It can also be a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), or a microcontroller unit (MCU), and may also be a programmable logic device (PLD) or another integrated chip.
- the processor in the embodiment of the present application may be an integrated circuit chip with signal processing capability.
- the steps of the foregoing method embodiments can be completed by hardware integrated logic circuits in the processor or instructions in the form of software.
- the above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
- the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
- the steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor.
- the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers.
- the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
- the memory in the embodiment of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
- the non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
- the volatile memory may be random access memory (RAM), which is used as an external cache.
- many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), serial link DRAM (SLDRAM) and direct Rambus RAM (DR RAM).
- An embodiment of the present application also provides a communication system, which includes the aforementioned communication device.
- the embodiment of the present application also provides a computer-readable medium on which a computer program is stored, and when the computer program is executed by a computer, the communication method in any of the foregoing method embodiments is implemented.
- the embodiments of the present application also provide a computer program product, which, when executed by a computer, implements the communication method in any of the foregoing method embodiments.
- the embodiment of the present application also provides a system chip.
- the system chip includes a processing unit and a communication unit.
- the processing unit may be, for example, a processor, and the communication unit may be, for example, an input/output interface, a pin, or a circuit.
- the processing unit can execute computer instructions, so that the chip in the communication device executes any of the communication methods provided in the foregoing embodiments of the present application.
- the computer instructions are stored in a storage unit.
- the storage unit is a storage unit in the chip, such as a register, a cache, etc.
- the storage unit can also be a storage unit located in the terminal outside the chip, such as a read-only memory or another type of static storage device that can store static information and instructions, a random access memory, etc.
- the computer program product includes one or more computer instructions.
- the computer may be a general-purpose computer, a dedicated computer, a computer network, or other programmable devices.
- the computer instruction can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
- the computer instruction can be transmitted from a website, computer, server, or data center through a cable.
- the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center integrated with one or more available media.
- the usable medium can be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a high-density digital video disc (DVD)), a semiconductor medium (for example, a solid state disk (SSD)), etc.
- "one embodiment" or "an embodiment" mentioned throughout the specification means that a specific feature, structure, or characteristic related to the embodiment is included in at least one embodiment of the present application. Therefore, the appearance of "in one embodiment" or "in an embodiment" in various places throughout the specification does not necessarily refer to the same embodiment. In addition, these specific features, structures, or characteristics can be combined in one or more embodiments in any suitable manner. It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and does not constitute any limitation on the implementation process of the embodiments of the present application.
- the term "component" used in this specification denotes a computer-related entity: hardware, firmware, a combination of hardware and software, software, or software in execution.
- the component may be, but is not limited to, a process, a processor, an object, an executable file, an execution thread, a program, and/or a computer running on a processor.
- the application running on the computing device and the computing device can be components.
- One or more components may reside in processes and/or threads of execution, and components may be located on one computer and/or distributed among two or more computers.
- these components can be executed from various computer readable media having various data structures stored thereon.
- the components may communicate through local and/or remote processes, for example based on a signal having one or more data packets (such as data from two components interacting with another component in a local system, in a distributed system, and/or across a network such as the Internet that interacts with other systems through signals).
- the disclosed system, device, and method may be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the unit is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components may be combined or integrated into another system, or some features can be ignored or not implemented.
- the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
- each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention relates to a communication method, a communication apparatus and a communication system. A first mobility management function entity receives first information from a second mobility management function entity, the first information being used to request registration of a first terminal with a first network in which the first mobility management function entity is located. The first mobility management function entity acquires a first security context of the first terminal, the first security context being a security context between the first terminal and the second mobility management function entity. The first mobility management function entity communicates with the first terminal according to the first security context. The communication method, communication apparatus and communication system according to the present invention allow a terminal to reduce the number of authentication procedures when it connects, through one network, to another network, thereby avoiding a waste of resources.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2019/084266 WO2020215272A1 (fr) | 2019-04-25 | 2019-04-25 | Procédé de communication, appareil de communication et système de communication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2019/084266 WO2020215272A1 (fr) | 2019-04-25 | 2019-04-25 | Procédé de communication, appareil de communication et système de communication |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020215272A1 true WO2020215272A1 (fr) | 2020-10-29 |
Family
ID=72941252
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/084266 WO2020215272A1 (fr) | 2019-04-25 | 2019-04-25 | Procédé de communication, appareil de communication et système de communication |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2020215272A1 (fr) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102595368A (zh) * | 2011-01-17 | 2012-07-18 | 华为技术有限公司 | 一种注册方法、系统和设备 |
US20190037454A1 (en) * | 2017-07-28 | 2019-01-31 | Qualcomm Incorporated | Security key derivation for handover |
CN109392082A (zh) * | 2017-08-14 | 2019-02-26 | 中兴通讯股份有限公司 | 消息发送方法及装置、终端、接入及移动性管理实体 |
CN109587685A (zh) * | 2017-05-04 | 2019-04-05 | 华为技术有限公司 | 获取密钥的方法、设备和通信系统 |
2019
- 2019-04-25 WO PCT/CN2019/084266 patent/WO2020215272A1/fr active Application Filing
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2020207156A1 (fr) | Procédé de vérification, appareil, et dispositif | |
US20230319556A1 (en) | Key obtaining method and communication apparatus | |
US20220086145A1 (en) | Secondary Authentication Method And Apparatus | |
US20230048066A1 (en) | Slice authentication method and apparatus | |
TWI799064B (zh) | 一種金鑰標識的生成方法以及相關裝置 | |
WO2021063298A1 (fr) | Procédé de mise en œuvre d'authentification, dispositif de communication, et système de communication | |
WO2023011630A1 (fr) | Procédé et appareil de vérification d'autorisation | |
WO2021254172A1 (fr) | Procédé de communication et appareil associé | |
JP7416984B2 (ja) | サービス取得方法、装置、通信機器及び可読記憶媒体 | |
WO2024149148A1 (fr) | Procédé de communication, appareil de communication et système de communication | |
EP4135376A1 (fr) | Procédé et dispositif de communication sécurisée | |
CN114600487B (zh) | 身份认证方法及通信装置 | |
US20220264435A1 (en) | Access control method and communications apparatus | |
WO2022247812A1 (fr) | Procédé d'authentification, dispositif de communication et système | |
WO2020215331A1 (fr) | Procédé et appareil de communication | |
US20240346126A1 (en) | Network node and communication method | |
US20240179525A1 (en) | Secure communication method and apparatus | |
WO2024067619A1 (fr) | Procédé de communication et appareil de communication | |
WO2023016160A1 (fr) | Procédé d'établissement de session et appareil associé | |
WO2021031054A1 (fr) | Procédé et appareil de communication | |
WO2020215272A1 (fr) | Procédé de communication, appareil de communication et système de communication | |
WO2021195816A1 (fr) | Procédé, appareil et système de communication | |
WO2024093923A1 (fr) | Procédé et appareil de communication | |
WO2024146315A1 (fr) | Procédé de communication et appareil de communication | |
WO2024094047A1 (fr) | Procédé de communication et appareil de communication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19925668 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 19925668 Country of ref document: EP Kind code of ref document: A1 |