CN111866871B - Communication method and device - Google Patents

Communication method and device

Info

Publication number: CN111866871B
Application number: CN201910356343.4A
Authority: CN (China)
Prior art keywords: network element, authentication, identifier, request, shared key
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN111866871A (en)
Inventor: 张博
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd

Events
    • Application filed by Huawei Technologies Co Ltd
    • Priority to CN201910356343.4A
    • Priority to PCT/CN2020/082105 (WO2020220903A1)
    • Publication of CN111866871A
    • Application granted
    • Publication of CN111866871B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                  • H04L9/083 Key transport or distribution involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
              • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0866 Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
              • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
            • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3271 Verification of identity or authority using challenge-response
                • H04L9/3273 Verification of identity or authority using challenge-response for mutual authentication
          • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
            • H04L2209/80 Wireless
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
            • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of this application provide a communication method and device. The method comprises the following steps: a first network element receives a first request from a terminal device, the first request comprising an identifier of the terminal device; the first network element sends a second request to a second network element according to the first request, the second request comprising the identifier of the terminal device; the first network element receives a first shared key from the second network element, where the first shared key is determined by the second network element according to a second shared key, and the second shared key is determined by the second network element according to the identifier of the terminal device; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network. In this way a first authentication architecture and a second authentication architecture can interwork, and communication flexibility is improved.

Description

Communication method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a communication method and apparatus.
Background
With the development of communication technology, the requirements on the reliability of network services in the communication process are increasingly high, so operators and users usually need to ensure the reliability of network services through an authentication mechanism. The authentication mechanism may specifically be bidirectional authentication implemented between a User Equipment (UE) and an application server by means of keys and the like.
Currently, authentication between the UE and the application server is implemented in the following ways: an authentication method based on the Generic Bootstrapping Architecture (GBA), which is applicable to third-generation (3G) and fourth-generation (4G) mobile communication; and, with the development of fifth-generation mobile communication (5G), authentication applicable to the 5G system, which is still under research and exploration, for example security authentication based on the Authentication and Key Management for Applications (AKMA) architecture.
However, the existing GBA-based authentication system and the AKMA-based authentication system are independent of each other and cannot interwork, which results in poor authentication flexibility.
Disclosure of Invention
The application provides a communication method and a communication device, so that intercommunication can be realized between two authentication architecture systems, and the authentication flexibility can be improved.
In a first aspect, the present application provides a communication method, including:
a first network element receives a first request from a terminal device; wherein the first request comprises an identification of the terminal device;
the first network element sends a second request to a second network element according to the first request; wherein the second request comprises an identification of the terminal device;
the first network element receiving a first shared key from the second network element; the first shared key is determined by the second network element according to a second shared key, and the second shared key is determined by the second network element according to the identifier of the terminal device; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
In the foregoing process, the first network element and the second network element can interwork. Specifically, after the first network element receives from the terminal device a first request including an identifier of the terminal device, the first network element sends to the second network element a second request including the identifier of the terminal device; in response to the second request, the second network element may determine a first shared key according to the second shared key and send the first shared key to the first network element; after receiving the first shared key, the first network element may further perform a first authentication with the terminal device based on the first shared key. That is, the first network element can implement the first authentication of the terminal device based on the second shared key held by the second network element, thereby implementing interworking between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
In an exemplary manner, the first request further includes first indication information, where the first indication information is used to instruct the first network element to acquire the first shared key for the first network from the second network.
In an exemplary manner, after the first network element sends the second request to the second network element according to the first request, the method further includes:
the first network element determines a first temporary identifier of the terminal equipment; the first temporary identifier is calculated by the first network element or the second network element according to the identifier of the terminal device, and the first temporary identifier is used for identifying the temporary identity of the terminal device in the first network;
and the first network element sends the first temporary identifier to the terminal equipment.
In an exemplary manner, after the first network element sends the second request to the second network element according to the first request, the method further includes:
the first network element determines a validity period of the first shared key; wherein the validity period of the first shared key is determined by the first network element or the second network element according to the validity period of the second shared key; the validity period of the second shared secret key is determined by the second network element according to the identifier of the terminal equipment;
and the first network element sends the validity period of the first shared key to the terminal equipment.
In an exemplary manner, the second request further includes a first network element identifier of the first network element;
the first shared key is derived by the second network element according to the second shared key and the first network element identifier.
In an exemplary manner, the second shared key is obtained as follows: after receiving the second request, the second network element, in response to the second request, performs second authentication with the terminal device, and the second shared key is the result of that second authentication.
In a second aspect, the present application provides a method of communication, the method comprising:
the second network element receives a second request from the first network element; the second request comprises an identification of the terminal device;
the second network element determines a second shared secret key according to the identifier of the terminal equipment;
the second network element determines a first shared key according to the second shared key;
the second network element sends the first shared key to the first network element; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
In an exemplary manner, the determining, by the second network element, the second shared key according to the identifier of the terminal device includes:
and the second network element determines a second shared key corresponding to the identifier of the terminal equipment according to the identifier of the terminal equipment and the mapping relation between the pre-acquired terminal identifier and the shared key in the second network.
In an exemplary manner, the determining, by the second network element, the second shared key according to the identifier of the terminal device includes:
and the second network element responds to the second request, and performs second authentication with the terminal equipment to obtain the second shared secret key.
In an exemplary manner, after the second network element receives the second request from the first network element, the method further includes:
the second network element determines the validity period of the second shared secret key according to the identifier of the terminal equipment; the second network element sends the validity period of the second shared secret key to the first network element;
or, alternatively,
the second network element determines the validity period of the second shared secret key according to the identifier of the terminal equipment; the second network element determines the validity period of the first shared secret key according to the validity period of the second shared secret key; and the second network element sends the validity period of the first shared key to the first network element.
In an exemplary manner, after the second network element receives the second request from the first network element, the method further includes:
the second network element determines a second temporary identifier of the terminal equipment according to the identifier of the terminal equipment; the second network element sends the second temporary identifier to the first network element; the second temporary identifier is used for identifying the temporary identity of the terminal equipment in the second network;
or, alternatively,
the second network element determines a second temporary identifier of the terminal equipment according to the identifier of the terminal equipment; the second network element determines a first temporary identifier according to the second temporary identifier; the second network element sends the first temporary identifier to the first network element; the first temporary identifier is used for identifying the temporary identity of the terminal equipment in the first network.
In an exemplary manner, the second request further includes a first network element identifier of the first network element;
the first shared key is derived by the second network element according to the second shared key and the first network element identifier.
In a third aspect, the present application provides a communication method, including:
the terminal device sends a first request to a first network element; wherein the first request comprises an identifier of the terminal device; the first request is used for instructing the first network element to obtain a first shared key from a second network element;
the terminal device determines the first shared key according to a second shared key; the second shared key is determined when the terminal device performs second authentication with the second network element; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
In an exemplary manner, the first request further includes first indication information, where the first indication information is used to instruct the first network element to acquire the first shared key for the first network from the second network.
In an exemplary manner, before the terminal device determines the first shared key according to the second shared key, the method further includes:
the terminal equipment receives a first temporary identifier from the first network element; the first temporary identifier is calculated by the first network element or the second network element according to the identifier of the terminal equipment; the first temporary identifier is used for identifying the temporary identity of the terminal equipment in the first network;
or, alternatively,
the terminal equipment determines a first temporary identifier according to the second temporary identifier; the second temporary identifier is used for identifying the temporary identity of the terminal equipment in the second network.
In an exemplary manner, after the terminal device sends the first request to the first network element, the method further includes:
the terminal equipment receives the validity period of the first shared key from the first network element; wherein the validity period of the first shared key is determined by the first network element or the second network element according to the validity period of the second shared key; the validity period of the second shared secret key is determined by the second network element according to the identifier of the terminal equipment;
or, alternatively,
the terminal equipment determines the validity period of the first shared secret key according to the validity period of the second shared secret key; the validity period of the second shared secret key is determined when the terminal equipment performs second authentication in the second network element.
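The first to third aspects describe one exchange from three viewpoints (terminal device, first network element, second network element). The following Python models that exchange end to end; it is an added example and not code from the patent or from Huawei. The KDF, the labels, the encoding of the first indication information, the message fields, the identifiers and the way temporary identifiers and validity periods are derived are all assumptions, since the patent fixes none of them; only the lookup path for the second shared key is modelled, not the variant in which the second network element first runs the second authentication.

```python
"""Added example, not from the patent: a three-party model of the shared-key
interworking flow of the first to third aspects. UE = terminal device, NE1 =
first network element, NE2 = second network element. KDF, labels, message
fields, identifiers and temporary-identifier construction are assumptions."""
import hashlib
import hmac
import secrets

INDICATION = "KEY_FROM_SECOND_NETWORK"  # assumed encoding of the first indication information

def kdf(key: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 derivation (assumed; the patent fixes no KDF)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()

def derive_k1(k2: bytes, ne1_id: str) -> bytes:
    """K1 from K2 and the first network element identifier, so K1 is bound to one NE1."""
    return kdf(k2, b"first-shared-key", ne1_id.encode())

def derive_temp1(k2: bytes, ue_id: str, ne1_id: str) -> str:
    """Second-network temporary id from K2 and the UE id, first-network id from it;
    UE and NE2 both know K2, so either side can compute both (assumed construction)."""
    temp2 = kdf(k2, b"temp-id-2", ue_id.encode())[:8].hex()
    return hashlib.sha256(f"{temp2}|{ne1_id}".encode()).hexdigest()[:16]

class SecondNetworkElement:
    """NE2 keeps UE id -> (K2, K2 expiry) from an earlier second authentication."""

    def __init__(self):
        self.table = {}

    def register(self, ue_id, k2, expires_at):
        self.table[ue_id] = (k2, expires_at)

    def handle_second_request(self, req, now):
        ue_id, ne1_id = req["ue_id"], req["ne1_id"]
        if ue_id not in self.table:  # patent's other option: run second authentication here
            return {"error": "unknown terminal"}
        k2, expires_at = self.table[ue_id]
        if expires_at <= now:
            return {"error": "second shared key expired"}
        # K1 validity is derived from K2 validity: here K1 cannot outlive K2.
        return {"k1": derive_k1(k2, ne1_id), "k1_expires_at": expires_at,
                "temp1": derive_temp1(k2, ue_id, ne1_id)}

class FirstNetworkElement:
    """NE1 never learns K2; it fetches K1 from NE2 and authenticates the UE on K1."""

    def __init__(self, ne1_id, ne2):
        self.ne1_id, self.ne2, self.contexts = ne1_id, ne2, {}

    def handle_first_request(self, req, now):
        if req.get("indication") != INDICATION:
            return {"error": "first indication information missing"}
        resp = self.ne2.handle_second_request({"ue_id": req["ue_id"], "ne1_id": self.ne1_id}, now)
        if "error" in resp:
            return resp
        self.contexts[resp["temp1"]] = (resp["k1"], resp["k1_expires_at"])
        return {"temp1": resp["temp1"], "k1_expires_at": resp["k1_expires_at"]}  # K1 itself stays here

    def first_authentication(self, temp1, challenge, response, now):
        """Challenge-response proof of K1; fails on unknown id or expired validity period."""
        if temp1 not in self.contexts or self.contexts[temp1][1] <= now:
            return False
        return hmac.compare_digest(kdf(self.contexts[temp1][0], b"first-auth", challenge), response)

class TerminalDevice:
    """UE holds K2 from the second authentication and derives K1 itself."""

    def __init__(self, ue_id, k2):
        self.ue_id, self.k2 = ue_id, k2

    def first_request(self):
        return {"ue_id": self.ue_id, "indication": INDICATION}

    def prove(self, ne1_id, challenge):
        return kdf(derive_k1(self.k2, ne1_id), b"first-auth", challenge)

def run_interworking(now=1_700_000_000):
    """Run the exchange end to end (constructed identities and K2) and return what each side holds."""
    ue_id, ne1_id = "imsi-460011234567890", "ne1.first-network.example"  # constructed
    k2 = hashlib.sha256(b"constructed K2 from second authentication").digest()
    ne2 = SecondNetworkElement()
    ne2.register(ue_id, k2, now + 3600)
    ne1 = FirstNetworkElement(ne1_id, ne2)
    ue = TerminalDevice(ue_id, k2)
    resp = ne1.handle_first_request(ue.first_request(), now)
    challenge = secrets.token_bytes(16)
    proof = ue.prove(ne1_id, challenge)
    return {
        "k2": k2,
        "ne1_k1": ne1.contexts[resp["temp1"]][0],
        "ue_k1": derive_k1(ue.k2, ne1_id),
        "k1_other_ne1": derive_k1(k2, "ne1-b.first-network.example"),
        "temp1_ne1": resp["temp1"],
        "temp1_ue": derive_temp1(k2, ue_id, ne1_id),
        "auth_ok": ne1.first_authentication(resp["temp1"], challenge, proof, now),
        "auth_after_expiry": ne1.first_authentication(resp["temp1"], challenge, proof, now + 3601),
        "unknown_ue": ne1.handle_first_request({"ue_id": "imsi-000000000000000", "indication": INDICATION}, now),
    }
```

Calling `run_interworking()` shows the properties the aspects rely on: the first network element never holds the second shared key, yet the K1 it receives equals the K1 the terminal derives on its own; including the first network element identifier in the derivation gives a different K1 per first network element; and a first authentication attempted after the inherited validity period has elapsed is refused.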
In a fourth aspect, the present application provides a communication method, including:
the third network element receives a third request from the fifth network element; wherein, the third request is sent to the fifth network element by the terminal device; the third request comprises an identification of the terminal device;
the third network element sends a fourth request to a fourth network element according to the third request; wherein the fourth request comprises an identification of the terminal device;
the third network element receiving a first authentication vector from the fourth network element; the first authentication vector is determined by the fourth network element according to a second authentication vector, and the second authentication vector is determined by the fourth network element according to the identifier of the terminal device; the first authentication vector is used for security protection in a first network and the second authentication vector is used for security protection in a second network.
In a fifth aspect, the present application provides a communication method, including:
the fourth network element receives a fourth request from the third network element; the fourth request comprises an identification of the terminal device;
the fourth network element determines a second authentication vector according to the identifier of the terminal equipment;
the fourth network element determines a first authentication vector according to the second authentication vector;
the fourth network element sends the first authentication vector to the third network element; the first authentication vector is used for security protection in a first network and the second authentication vector is used for security protection in a second network.
In a sixth aspect, the present application provides a communication method, including:
the fifth network element receives a third request from the terminal device; wherein the third request comprises an identification of the terminal device;
the fifth network element sends the third request to a third network element; the third request is used for instructing the third network element to acquire a first authentication vector from a fourth network element; the first authentication vector is determined by the fourth network element according to a second authentication vector; the first authentication vector is used for security protection in a first network, and the second authentication vector is used for security protection in a second network;
the fifth network element receives the first authentication vector from the fourth network element.
In a seventh aspect, the present application provides a communication method, including:
the terminal equipment sends a third request to the fifth network element; wherein the third request comprises an identification of the terminal device; the third request is used for instructing the fifth network element to send the third request to a third network element and instructing the third network element to acquire a first authentication vector from a fourth network element;
the terminal equipment determines a first authentication vector according to the second authentication vector; the second authentication vector is determined when the terminal equipment performs second authentication in the fourth network element; the first authentication vector is used for security protection in a first network and the second authentication vector is used for security protection in a second network.
In an eighth aspect, the present application provides a first network element, including:
a request receiving module, configured to receive a first request from a terminal device; wherein the first request comprises an identification of the terminal device;
a sending module, configured to send a second request to a second network element according to the first request; wherein the second request comprises an identification of the terminal device;
a shared key receiving module, configured to receive a first shared key from the second network element; the first shared key is determined by the second network element according to a second shared key, and the second shared key is determined by the second network element according to the identifier of the terminal device; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
In an exemplary manner, the first request further includes first indication information, where the first indication information is used to instruct the first network element to acquire the first shared key for the first network from the second network.
In an exemplary manner, the first network element further includes:
the temporary identifier determining module is used for determining a first temporary identifier of the terminal equipment; the first temporary identifier is calculated by the first network element or the second network element according to the identifier of the terminal device, and the first temporary identifier is used for identifying the temporary identity of the terminal device in the first network;
and the temporary identifier sending module is used for sending the first temporary identifier to the terminal equipment.
In an exemplary manner, the first network element further includes:
a validity period determining module for determining a validity period of the first shared key; wherein the validity period of the first shared key is determined by the first network element or the second network element according to the validity period of the second shared key; the validity period of the second shared secret key is determined by the second network element according to the identifier of the terminal equipment;
and the validity period sending module is used for sending the validity period of the first shared secret key to the terminal equipment.
In an exemplary manner, the second request further includes a first network element identifier of the first network element;
the first shared key is derived by the second network element according to the second shared key and the first network element identifier.
In an exemplary manner, the second shared key is obtained as follows: after receiving the second request, the second network element, in response to the second request, performs second authentication with the terminal device, and the second shared key is the result of that second authentication.
In a ninth aspect, the present application provides a second network element, including:
a request receiving module, configured to receive a second request from the first network element; the second request comprises an identification of the terminal device;
the second shared key determining module is used for determining a second shared key according to the identifier of the terminal equipment;
a first shared key determining module, configured to determine a first shared key according to the second shared key;
a first shared key sending module, configured to send the first shared key to the first network element; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
In an exemplary manner, the second shared key determining module is further configured to:
and determining a second shared key corresponding to the identifier of the terminal equipment according to the identifier of the terminal equipment and the mapping relation between the pre-acquired terminal identifier and the shared key in the second network.
In an exemplary manner, the second shared key determining module is further configured to:
and responding to the second request, and performing second authentication with the terminal equipment to obtain the second shared secret key.
In an exemplary manner, the second network element further includes a second validity period determining module, configured to:
determining the validity period of the second shared secret key according to the identifier of the terminal equipment; sending the validity period of the second shared secret key to the first network element;
or, alternatively,
determining the validity period of the second shared secret key according to the identifier of the terminal equipment; determining the validity period of the first shared secret key according to the validity period of the second shared secret key; and sending the validity period of the first shared key to the first network element.
In an exemplary manner, the second network element further includes a temporary identity determining module, configured to:
determining a second temporary identifier of the terminal equipment according to the identifier of the terminal equipment; sending the second temporary identifier to the first network element; the second temporary identifier is used for identifying the temporary identity of the terminal equipment in the second network;
or, alternatively,
determining a second temporary identifier of the terminal equipment according to the identifier of the terminal equipment; determining a first temporary identifier according to the second temporary identifier; sending the first temporary identifier to the first network element; the first temporary identifier is used for identifying the temporary identity of the terminal equipment in the first network.
In an exemplary manner, the second request further includes a first network element identifier of the first network element;
the first shared key is derived by the second network element according to the second shared key and the first network element identifier.
In a tenth aspect, the present application provides a terminal device, including:
a request sending module, configured to send a first request to a first network element; wherein the first request comprises an identification of the terminal device; the first request is used for indicating the first network element to obtain a first shared key from a second network element;
a shared key determining module, configured to determine the first shared key according to a second shared key; the second shared key is determined when the terminal device performs second authentication with the second network element; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
In an exemplary manner, the first request further includes first indication information, where the first indication information is used to instruct the first network element to acquire the first shared key for the first network from the second network.
In an exemplary manner, the terminal device further includes a temporary identifier determining module, configured to:
receiving a first temporary identification from the first network element; the first temporary identifier is calculated by the first network element or the second network element according to the identifier of the terminal equipment; the first temporary identifier is used for identifying the temporary identity of the terminal equipment in the first network;
or, alternatively,
determining a first temporary identifier according to the second temporary identifier; the second temporary identifier is used for identifying the temporary identity of the terminal equipment in the second network.
In an exemplary manner, the terminal device further includes a validity period determining module, configured to:
receiving a validity period of the first shared key from the first network element; wherein the validity period of the first shared key is determined by the first network element or the second network element according to the validity period of the second shared key; the validity period of the second shared secret key is determined by the second network element according to the identifier of the terminal equipment;
or, alternatively,
determining the validity period of the first shared secret key according to the validity period of the second shared secret key; the validity period of the second shared secret key is determined when the terminal equipment performs second authentication in the second network element.
In an eleventh aspect, the present application provides a third network element, including:
a request receiving module, configured to receive a third request from a fifth network element; wherein, the third request is sent to the fifth network element by the terminal device; the third request comprises an identification of the terminal device;
a request sending module, configured to send a fourth request to a fourth network element according to the third request; wherein the fourth request comprises an identification of the terminal device;
an authentication vector receiving module, configured to receive a first authentication vector from the fourth network element; the first authentication vector is determined by the fourth network element according to a second authentication vector, and the second authentication vector is determined by the fourth network element according to the identifier of the terminal device; the first authentication vector is used for security protection in a first network and the second authentication vector is used for security protection in a second network.
In a twelfth aspect, the present application provides a fourth network element, including:
a request receiving module, configured to receive a fourth request from the third network element; the fourth request comprises an identification of the terminal device;
the second authentication vector determining module is used for determining a second authentication vector according to the identifier of the terminal equipment;
the first authentication vector determining module is used for determining a first authentication vector according to the second authentication vector;
a first authentication vector sending module, configured to send the first authentication vector to the third network element; the first authentication vector is used for security protection in a first network and the second authentication vector is used for security protection in a second network.
In a thirteenth aspect, the present application provides a fifth network element, including:
a request receiving module, configured to receive a third request from the terminal device; wherein the third request comprises an identification of the terminal device;
a request sending module, configured to send a third request to a third network element; the third request is used for indicating the third network element to acquire a first authentication vector from a fourth network element; the first authentication vector is determined by the fourth network element according to a second authentication vector; the first authentication vector is used for security protection in a first network, and the second authentication vector is used for security protection in a second network;
an authentication vector receiving module, configured to receive the first authentication vector from the fourth network element.
In a fourteenth aspect, the present application provides a terminal device, including:
a request sending module, configured to send a third request to a fifth network element; wherein the third request comprises an identification of the terminal device; the third request is used for instructing the fifth network element to send the third request to a third network element and instructing the third network element to acquire a first authentication vector from a fourth network element;
an authentication vector determining module, configured to determine a first authentication vector according to a second authentication vector; the second authentication vector is determined when the terminal device performs second authentication in the fourth network element; the first authentication vector is used for security protection in a first network, and the second authentication vector is used for security protection in a second network.
A fifteenth aspect of the present application provides a first network element comprising a processor, a memory for storing instructions, and a transceiver for communicating with other devices, the processor being configured to execute the instructions stored in the memory to cause the first network element to perform any of the methods provided by the first aspect and the exemplary manners of the first aspect of the present application.
A sixteenth aspect of the present application provides a second network element comprising a processor, a memory for storing instructions, and a transceiver for communicating with other devices, the processor being configured to execute the instructions stored in the memory to cause the second network element to perform any of the methods provided by the second aspect and the exemplary manners of the second aspect of the present application.
A seventeenth aspect of the present application provides a terminal device UE comprising a processor, a memory and a transceiver, wherein the memory is configured to store instructions, the transceiver is configured to communicate with other devices, and the processor is configured to execute the instructions stored in the memory to cause the UE to perform any of the methods provided by the third aspect and the exemplary manners of the third aspect of the present application.
An eighteenth aspect of the present application provides a third network element comprising a processor, a memory for storing instructions, and a transceiver for communicating with other devices, the processor being configured to execute the instructions stored in the memory to cause the third network element to perform any of the methods provided by the fourth aspect and the exemplary manners of the fourth aspect of the present application.
A nineteenth aspect of the present application provides a fourth network element comprising a processor, a memory for storing instructions, and a transceiver for communicating with other devices, the processor being configured to execute the instructions stored in the memory to cause the fourth network element to perform any of the methods provided by the fifth aspect and the exemplary manners of the fifth aspect of the present application.
A twentieth aspect of the present application provides a fifth network element comprising a processor, a memory for storing instructions, and a transceiver for communicating with other devices, the processor being configured to execute the instructions stored in the memory to cause the fifth network element to perform any of the methods provided by the sixth aspect and the exemplary manners of the sixth aspect of the present application.
A twenty-first aspect of the present application provides a terminal device UE comprising a processor, a memory and a transceiver, the memory being configured to store instructions, the transceiver being configured to communicate with other devices, and the processor being configured to execute the instructions stored in the memory to cause the UE to perform any of the methods provided by the seventh aspect and the exemplary manners of the seventh aspect of the present application.
A twenty-second aspect of the present application provides a computer-readable storage medium having stored thereon instructions that, when executed, cause a computer to perform any of the methods provided by the first aspect and the exemplary manners of the first aspect of the present application.
A twenty-third aspect of the present application provides a computer-readable storage medium having stored thereon instructions that, when executed, cause a computer to perform any of the methods provided by the second aspect and the exemplary manners of the second aspect of the present application.
A twenty-fourth aspect of the present application provides a computer-readable storage medium having stored thereon instructions that, when executed, cause a computer to perform any of the methods provided by the third aspect and the exemplary manners of the third aspect of the present application.
A twenty-fifth aspect of the present application provides a computer-readable storage medium having stored thereon instructions that, when executed, cause a computer to perform any of the methods provided by the fourth aspect and the exemplary manners of the fourth aspect of the present application.
A twenty-sixth aspect of the present application provides a computer-readable storage medium having stored thereon instructions that, when executed, cause a computer to perform any of the methods provided by the fifth aspect and the exemplary manners of the fifth aspect of the present application.
A twenty-seventh aspect of the present application provides a computer-readable storage medium having stored thereon instructions that, when executed, cause a computer to perform any of the methods provided by the sixth aspect and the exemplary manners of the sixth aspect of the present application.
A twenty-eighth aspect of the present application provides a computer-readable storage medium having stored thereon instructions that, when executed, cause a computer to perform any of the methods provided by the seventh aspect and the exemplary manners of the seventh aspect of the present application.
A twenty-ninth aspect of the present application provides a computer program product comprising instructions that, when executed, cause a computer to perform any of the methods provided by the first aspect and the exemplary manners of the first aspect of the present application.
A thirtieth aspect of the present application provides a computer program product comprising instructions that, when executed, cause a computer to perform any of the methods provided by the second aspect and the exemplary manners of the second aspect of the present application.
A thirty-first aspect of the present application provides a computer program product comprising instructions that, when executed, cause a computer to perform any of the methods provided by the third aspect and the exemplary manners of the third aspect of the present application.
A thirty-second aspect of the present application provides a computer program product comprising instructions that, when executed, cause a computer to perform any of the methods provided by the fourth aspect and the exemplary manners of the fourth aspect of the present application.
A thirty-third aspect of the present application provides a computer program product comprising instructions that, when executed, cause a computer to perform any of the methods provided by the fifth aspect and the exemplary manners of the fifth aspect of the present application.
A thirty-fourth aspect of the present application provides a computer program product comprising instructions that, when executed, cause a computer to perform any of the methods provided by the sixth aspect and the exemplary manners of the sixth aspect of the present application.
A thirty-fifth aspect of the present application provides a computer program product comprising instructions that, when executed, cause a computer to perform any of the methods provided by the seventh aspect and the exemplary manners of the seventh aspect of the present application.
A thirty-sixth aspect of the present application provides a chip or a chip system applicable to a first network element, the chip or chip system comprising at least one communication interface, at least one processor and at least one memory, the communication interface, the memory and the processor being interconnected by a bus, and the processor, by executing instructions stored in the memory, causing the first network element to perform any of the methods provided by the first aspect and the exemplary manners of the first aspect of the present application.
A thirty-seventh aspect of the present application provides a chip or a chip system applicable to a second network element, the chip or chip system comprising at least one communication interface, at least one processor and at least one memory, the communication interface, the memory and the processor being interconnected by a bus, and the processor, by executing instructions stored in the memory, causing the second network element to perform any of the methods provided by the second aspect and the exemplary manners of the second aspect of the present application.
A thirty-eighth aspect of the present application provides a chip or a chip system applicable to a terminal device, the chip or chip system comprising at least one communication interface, at least one processor and at least one memory, the communication interface, the memory and the processor being interconnected by a bus, and the processor, by executing instructions stored in the memory, causing the terminal device to perform any of the methods provided by the third aspect and the exemplary manners of the third aspect of the present application.
A thirty-ninth aspect of the present application provides a chip or a chip system applicable to a third network element, the chip or chip system comprising at least one communication interface, at least one processor and at least one memory, the communication interface, the memory and the processor being interconnected by a bus, and the processor, by executing instructions stored in the memory, causing the third network element to perform any of the methods provided by the fourth aspect and the exemplary manners of the fourth aspect of the present application.
A fortieth aspect of the present application provides a chip or a chip system applicable to a fourth network element, the chip or chip system comprising at least one communication interface, at least one processor and at least one memory, the communication interface, the memory and the processor being interconnected by a bus, and the processor, by executing instructions stored in the memory, causing the fourth network element to perform any of the methods provided by the fifth aspect and the exemplary manners of the fifth aspect of the present application.
A forty-first aspect of the present application provides a chip or a chip system applicable to a fifth network element, the chip or chip system comprising at least one communication interface, at least one processor and at least one memory, the communication interface, the memory and the processor being interconnected by a bus, and the processor, by executing instructions stored in the memory, causing the fifth network element to perform any of the methods provided by the sixth aspect and the exemplary manners of the sixth aspect of the present application.
A forty-second aspect of the present application provides a chip or a chip system applicable to a terminal device, the chip or chip system comprising at least one communication interface, at least one processor and at least one memory, the communication interface, the memory and the processor being interconnected by a bus, and the processor, by executing instructions stored in the memory, causing the terminal device to perform any of the methods provided by the seventh aspect and the exemplary manners of the seventh aspect of the present application.
In the communication method and apparatus provided in the embodiment of the present application, the first network element and the second network element may implement interworking. Specifically, after the first network element receives, from the terminal device, a first request including an identifier of the terminal device, the first network element sends, to the second network element, a second request including the identifier of the terminal device; the second network element may, in response to the second request, determine a first shared key according to the second shared key and send the first shared key to the first network element; and after receiving the first shared key, the first network element may further perform first authentication with the terminal device based on the first shared key. That is, the first network element can implement the first authentication of the terminal device based on the second shared key held in the second network element, thereby implementing interworking between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
Drawings
Fig. 1 is an architecture diagram of a communication system according to an embodiment of the present application;
Fig. 2 is a GBA architecture diagram provided by an embodiment of the present application;
Fig. 3 is a diagram of a first AKMA architecture provided in an embodiment of the present application;
Fig. 4 is a diagram of a second AKMA architecture provided in an embodiment of the present application;
Fig. 5 is a diagram of a third AKMA architecture provided in an embodiment of the present application;
Fig. 6 is a flowchart illustrating a communication method according to an embodiment of the present application;
Fig. 7 is a schematic specific flowchart of a communication method according to a second embodiment of the present application;
Fig. 8 is another specific flowchart of a communication method according to a third embodiment of the present application;
Fig. 9 is a schematic flowchart of a first network element side of a communication method according to a fourth embodiment of the present application;
Fig. 10 is a schematic flowchart of a second network element side of a communication method according to a fifth embodiment of the present application;
Fig. 11 is a schematic flowchart of a terminal device side of a communication method according to a sixth embodiment of the present application;
Fig. 12 is a schematic flowchart of another communication method according to a seventh embodiment of the present application;
Fig. 13 is a schematic detailed flowchart of another communication method according to an eighth embodiment of the present application;
Fig. 14 is another specific flowchart of another communication method according to a ninth embodiment of the present application;
Fig. 15 is a schematic flowchart of a third network element side of another communication method according to a tenth embodiment of the present application;
Fig. 16 is a schematic flowchart of a fourth network element side of another communication method according to an eleventh embodiment of the present application;
Fig. 17 is a schematic flowchart of a fifth network element side of another communication method according to a twelfth embodiment of the present application;
Fig. 18 is a schematic flowchart of a terminal device side in another communication method according to a thirteenth embodiment of the present application;
Fig. 19 is a schematic structural diagram of a first network element according to a fourteenth embodiment of the present application;
Fig. 20 is a schematic structural diagram of a second network element according to a fifteenth embodiment of the present application;
Fig. 21 is a schematic structural diagram of a terminal device according to a sixteenth embodiment of the present application;
Fig. 22 is a schematic structural diagram of a third network element according to a seventeenth embodiment of the present application;
Fig. 23 is a schematic structural diagram of a fourth network element according to an eighteenth embodiment of the present application;
Fig. 24 is a schematic structural diagram of a fifth network element according to a nineteenth embodiment of the present application;
Fig. 25 is a schematic structural diagram of a terminal device according to a twentieth embodiment of the present application;
Fig. 26 is a schematic structural diagram of a first network element according to a twenty-first embodiment of the present application;
Fig. 27 is a schematic structural diagram of a second network element according to a twenty-second embodiment of the present application;
Fig. 28 is a schematic structural diagram of a UE according to a twenty-third embodiment of the present application.
Detailed Description
First, a communication scenario and a part of vocabulary according to the embodiment of the present application will be explained.
The technical solution shown in the embodiment of the present application may be applied to interconnection and interworking between a system performing authentication based on GBA and a system performing authentication based on AKMA; for example, it may be applied to interconnection and interworking between a 3G system and a 5G system, or between a 4G system and a 5G system. It may also be applied to interconnection and interworking between other systems performing authentication based on GBA and systems performing authentication based on AKMA, and the embodiment of the application is not limited in this respect.
Fig. 1 is an architecture diagram of a communication system according to an embodiment of the present application. As shown in fig. 1, the communication system according to the embodiment of the present application may include a terminal apparatus 101, a first network 102, and a second network 103. Of course, the communication system may further include a plurality of terminal devices 101, which is not limited in this embodiment of the application. In consideration of the similarity of the authentication process between each terminal device 101 and the first network 102 and the second network 103, the present embodiment will be described by taking as an example the authentication process between any terminal device 101 and the first network 102 and the second network 103.
In the embodiment of the present application, an execution subject for executing the method on the terminal device side may be the terminal device, or may be a device in the terminal device (it should be noted that, in the embodiment provided in the present application, description is given by taking the terminal device as an example). For example, the apparatus in the terminal device may be a chip system, a circuit or a module, and the like, and the application is not limited thereto.
In this embodiment of the present application, an execution subject for executing the first network-side method may be the first network device, or may be a device in the first network device. For example, the devices in the first network may be a chip system, a circuit or a module, and the like, and the application is not limited thereto.
In this embodiment of the present application, an execution subject for executing the second network-side method may be the second network device, or may be a device in the second network device. For example, the devices in the second network may be a chip system, a circuit or a module, and the like, and the application is not limited thereto.
In this embodiment of the present application, when the first network performs authentication based on GBA, the second network may perform authentication based on AKMA; in the case where the second network is GBA-based authentication, the first network may be AKMA-based authentication; the first network and the second network are enabled to realize authentication based on different authentication architectures.
Specifically, referring to fig. 2, an architecture diagram of GBA authentication is shown, where a terminal device is a User Equipment (UE), and a Bootstrapping Server Function (BSF) network element is configured to interact with the UE and perform authentication between the UE and the BSF; each Application may correspond to a Network Application Function (NAF) on the Network side, and the NAF may be configured to provide services for Application operation, so that the BSF and the UE may interact with one or more NAFs; a mapping relationship between the UE and a Home Subscriber System (HSS) network element may be stored in a subscription Server Locator Function (SLF) network element, and it can be understood that, in a single HSS scene, the SLF may not be set, and in a plurality of HSS scenes, the BSF may obtain an HSS name corresponding to the UE from the SLF; the HSS may be configured to store subscription information of the UE, generate an authentication vector, and the like; there is an interface Zh between the BSF and the HSS so that the BSF can obtain UE authentication related parameters from the HSS.
The GBA may be used to implement Authentication and Key Agreement (AKA), and the specific process may be: the UE sends a Hyper Text Transfer Protocol (HTTP) request to the BSF, where the request carries a user identifier (UE ID); the BSF obtains a user root key and an Authentication Vector (AV) of the UE from the HSS via the Zh interface, where the AV may include a random number RAND, an Authentication token (AUTN), a Cipher Key (CK), an Integrity Key (IK), and an EXpected user RESponse (XRES), and the HSS sends the AV to the BSF; the BSF sends the RAND and the AUTN to the UE; the UE generates a new AUTN using the RAND and compares it with the AUTN sent by the BSF, and if the two are consistent, the network is successfully authenticated; the UE also generates CK, IK and a user RESponse (RES) using the AKA algorithm; the UE sends an HTTP request to the BSF containing a Digest AKA response that uses RES as the authentication code; the BSF compares the RES with the XRES to authenticate the UE; if RES is the same as XRES, the authentication is successful, the BSF generates a shared key Ks from CK and IK and generates a bootstrapping Transaction Identifier (B-TID), where the B-TID can be used as a temporary identifier of the authentication event, so that a NAF can subsequently request the agreed key Ks_NAF from the BSF according to the value of the B-TID; the BSF sends the B-TID and the validity period (Key lifetime) of Ks to the UE; Ks can be generated in the UE from CK and IK, so that key sharing between the UE and the BSF is achieved; subsequently, in the GBA-based service access phase, the UE and the BSF may further generate an authentication key Ks_NAF from Ks, and use Ks_NAF as the authentication key for information interaction between the UE and the NAF.
Referring to fig. 3, an architecture diagram of a first type of AKMA Authentication is shown, in which an AKMA Authentication Function (AAuF) network element may have interfaces with a Unified Data Management Function (UDM) network element, an Authentication Server Function (AUSF) network element, and a Security Anchor Function (SEAF) network element, and the AAuF may be configured to obtain parameters related to UE Authentication or authenticated keys from the UDM/AUSF/SEAF, and then complete the Authentication of the UE through interaction with the UDM/AUSF/SEAF; each Application may correspond to an AKMA Application Function (AApF) network element, and AApF may be used to provide services for Application operations, so that AAuF and UE may interact with one or more AApF; the UDM may be used for data management of a user, and specifically may include generating an authentication vector of the UE, registration, subscription information management, group management, and the like; the AUSF may be used to perform an authentication procedure and key derivation function of the UE; the SEAF may be used to perform authentication procedures and key derivation functions for the UE.
In a specific application, when performing the AKMA authentication, the UE, AAuF, SEAF/AUSF/UDM may be used as a participant to implement key agreement for sharing the key Ks between the UE and AAuF, and fig. 3 shows a first possibility in the AKMA authentication, where the participant to perform the AKMA authentication is: UE, AAuF, AUSF, UDM; fig. 4 shows a second possibility in the AKMA authentication, where the parties performing the AKMA authentication are: UE, AAuF, UDM; fig. 5 shows a third possibility in the AKMA authentication, where the parties performing the AKMA authentication are: UE, AAuF, SEAF, AUSF, UDM.
It can be understood that, because the AKMA authentication in 5G is currently in the exploration phase, the advantages and disadvantages of the three aforementioned AKMA authentication possibilities are not described herein, in the embodiment of the present application, the AKMA authentication procedure corresponding to the first possibility in fig. 3 is taken as an example to illustrate the process of the AKMA authentication.
The process of performing the AKMA authentication based on the first possibility of the AKMA authentication architecture may be: the UE sends an authentication request to the AAuF through the AMF/SEAF (assuming here that the UE needs to interact with the AAuF through the AMF/SEAF; it is understood that there are other possibilities, for example, the UE interacts directly with the AAuF, or the UE interacts with the AAuF through other functional modules); the AAuF sends an authentication request to the AUSF/UDM and obtains an authentication vector AV; the UE and the AAuF perform authentication based on EAP-AKA', 5G AKA or another newly defined AKMA AKA. Specifically, the authentication procedure may be that the UE sends a request carrying the UE ID to the AAuF, the AAuF sends the UE ID to the AUSF, and the AUSF sends the UE ID to the UDM. The AUSF obtains an authentication vector from the UDM, including (RAND, AUTN, XRES, CK', IK') or (RAND, AUTN, XRES, Kausf), based on which the AUSF can perform mutual authentication with the UE through the AAuF. After the AUSF succeeds in authentication, if the authentication vector obtained by the AUSF includes Kakma, the AUSF sends Kakma directly to the AAuF; otherwise the AUSF derives Kakma from CK' and IK', or from Kausf, and then sends Kakma to the AAuF. The AAuF then sends an authentication success message to the UE through the AMF/SEAF, where the message includes the key validity time and a temporary identifier (temporary ID).
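The GBA bootstrapping flow and the AKMA authentication flow above both rest on the same AKA exchange (RAND/AUTN out, RES back, CK/IK on both sides), and the summary of this application adds one derivation on top of it: a first shared key computed from the second shared key and the first network element identifier. The following Python simulation, added here as an illustration and not code from the application or from Huawei, walks through the exchange end to end: an HSS/UDM issuing an authentication vector, a UE checking the AUTN (MAC and sequence-number freshness) before answering, a BSF comparing RES with XRES and issuing a B-TID, the AKMA key Kakma, and the interworking key computed identically by the second network element and by the terminal device. The Milenage functions f1..f5, the 3GPP KDF and the interworking KDF are all replaced by an HMAC-SHA256 stand-in, and the UE ID, serving network name, BSF name and key lifetime are constructed sample values; all of these are assumptions.

```python
"""AKA-based bootstrapping as used by GBA and AKMA, plus the interworking key
derivation summarised by this application (a first shared key derived from the
second shared key and the first network element identifier). Added example, not
code from the application. Milenage f1..f5 and the 3GPP KDF are replaced by an
HMAC-SHA256 stand-in (assumption); names, identifiers and lifetimes are constructed."""
import base64
import hashlib
import hmac
import os

AMF = b"\x80\x00"  # Authentication Management Field, fixed value here (assumption)

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in for f1..f5 and for the KDF (assumption)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class HomeSubscriberServer:
    """HSS (GBA) or UDM (AKMA): holds K and SQN per subscriber and issues AVs."""
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # UE ID -> [K, SQN]

    def authentication_vector(self, ue_id: str) -> dict:
        k, sqn = self.subscribers[ue_id]
        rand = os.urandom(16)
        mac = prf(k, b"f1", sqn, rand, AMF)[:8]
        ak = prf(k, b"f5", rand)[:6]
        self.subscribers[ue_id][1] = (int.from_bytes(sqn, "big") + 1).to_bytes(6, "big")
        return {"RAND": rand, "AUTN": xor(sqn, ak) + AMF + mac,  # SQN^AK || AMF || MAC
                "XRES": prf(k, b"f2", rand)[:8],
                "CK": prf(k, b"f3", rand)[:16], "IK": prf(k, b"f4", rand)[:16]}

class UserEquipment:
    """Authenticates the network via AUTN (MAC and SQN freshness), returns RES, keeps CK/IK."""
    def __init__(self, ue_id: str, k: bytes, sqn: bytes):
        self.ue_id, self.k, self.sqn = ue_id, k, sqn
        self.ck = self.ik = None

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        ak = prf(self.k, b"f5", rand)[:6]
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
        if not hmac.compare_digest(prf(self.k, b"f1", sqn, rand, amf)[:8], mac):
            raise ValueError("network authentication failed: MAC mismatch")
        if sqn <= self.sqn:  # replayed or stale vector
            raise ValueError("network authentication failed: SQN not fresh")
        self.sqn = sqn
        self.ck, self.ik = prf(self.k, b"f3", rand)[:16], prf(self.k, b"f4", rand)[:16]
        return prf(self.k, b"f2", rand)[:8]  # RES

class BootstrappingServer:
    """BSF: runs AKA with the UE over the HSS (Zh), derives Ks = CK||IK, issues the B-TID."""
    def __init__(self, name: str, hss: HomeSubscriberServer, key_lifetime: int = 86400):
        self.name, self.hss, self.key_lifetime = name, hss, key_lifetime
        self.sessions = {}  # B-TID -> (UE ID, Ks, RAND)

    def bootstrap(self, ue: UserEquipment) -> tuple:
        av = self.hss.authentication_vector(ue.ue_id)
        res = ue.respond(av["RAND"], av["AUTN"])  # RAND/AUTN to the UE, Digest AKA RES back
        if not hmac.compare_digest(res, av["XRES"]):
            raise ValueError("UE authentication failed: RES != XRES")
        btid = base64.b64encode(av["RAND"]).decode() + "@" + self.name
        self.sessions[btid] = (ue.ue_id, av["CK"] + av["IK"], av["RAND"])
        return btid, self.key_lifetime

def kakma(ck: bytes, ik: bytes, serving_network_name: bytes) -> bytes:
    """AKMA side: Kausf from CK||IK and the serving network name, then Kakma (stand-in KDFs)."""
    return prf(prf(ck + ik, b"Kausf", serving_network_name), b"Kakma")

def interworking_key(second_shared_key: bytes, first_network_element_id: bytes) -> bytes:
    """First shared key = KDF(second shared key, first network element identifier)."""
    return prf(second_shared_key, b"interworking", first_network_element_id)

def demo() -> dict:
    """Constructed run: AKMA authentication in the second network, the first shared key
    for a GBA-side BSF derived from Kakma on both sides, then a native GBA bootstrap."""
    k = bytes(range(16))  # constructed root key
    hss = HomeSubscriberServer({"ue-1": [k, bytes(5) + b"\x01"]})
    ue = UserEquipment("ue-1", k, bytes(6))
    snn = b"5G:mnc000.mcc000.3gppnetwork.org"  # constructed serving network name
    av = hss.authentication_vector("ue-1")  # AAuF -> AUSF -> UDM
    if not hmac.compare_digest(ue.respond(av["RAND"], av["AUTN"]), av["XRES"]):
        raise ValueError("AKMA authentication failed")
    kakma_net, kakma_ue = kakma(av["CK"], av["IK"], snn), kakma(ue.ck, ue.ik, snn)
    bsf = BootstrappingServer("bsf.example.net", hss)
    first_key_net = interworking_key(kakma_net, bsf.name.encode())  # second network element
    first_key_ue = interworking_key(kakma_ue, bsf.name.encode())  # terminal device
    btid, lifetime = bsf.bootstrap(ue)  # native GBA bootstrap for comparison
    return {"kakma_match": hmac.compare_digest(kakma_net, kakma_ue),
            "interworking_match": hmac.compare_digest(first_key_net, first_key_ue),
            "btid_domain": btid.split("@")[1], "lifetime": lifetime}
```

Two details are worth noting for anyone reading the flows above against this simulation. First, the UE refuses an authentication vector whose MAC does not verify or whose sequence number is not strictly greater than the last accepted one, which is what prevents a captured RAND/AUTN pair from being replayed; the interworking key inherits that protection because it is only derived after the AKMA run succeeds. Second, the B-TID is built from the RAND and the BSF's name, so the terminal device can recover the RAND it needs for later key derivation from the identifier alone, matching the role the text gives the B-TID as a temporary identifier of the authentication event.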
The terminal device referred to in this application may alternatively be referred to as a terminal. A terminal may be a wireless terminal, which may be a device that provides voice and/or other traffic data connectivity to a user, a handheld device having wireless connection capability, or other processing device connected to a wireless modem. Wireless terminals, which may be mobile terminals such as mobile telephones (or "cellular" telephones) and computers having mobile terminals, such as portable, pocket, hand-held, computer-included, or vehicle-mounted mobile devices, may communicate with one or more core networks via a Radio Access Network (RAN). Examples of such devices include Personal Communication Service (PCS) phones, cordless phones, Session Initiation Protocol (SIP) phones, Wireless Local Loop (WLL) stations, Personal Digital Assistants (PDAs), and the like. A wireless terminal may also be referred to as a system, a subscriber unit (subscriber unit), a subscriber station (subscriber station), a mobile station (mobile), a remote station (remote station), a remote terminal (remote terminal), an access terminal (access terminal), a user terminal (user terminal), a user agent (user agent), or a UE, but is not limited thereto.
The terminal device related to the application can comprise a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer. The hardware layer includes hardware such as a Central Processing Unit (CPU), a Memory Management Unit (MMU), and a memory (also referred to as a main memory). The operating system may be any one or more computer operating systems that implement business processing through processes (processes), such as a Linux operating system, a Unix operating system, an Android operating system, an iOS operating system, or a windows operating system. The application layer comprises applications such as a browser, an address list, word processing software, instant messaging software and the like.
The first network and the second network may include an access network (AN) and a core network, and optionally a data network (DN). The access network device is mainly used for implementing functions such as the wireless physical layer, resource scheduling and radio resource management, radio access control, and mobility management. The core network device may include a management device and a gateway device: the management device is mainly used for device registration, security authentication, mobility management, location management, and the like of the terminal device, and the gateway device is mainly used for establishing a channel with the terminal device and forwarding data packets between the terminal device and an external data network on that channel. The data network may include network devices (for example, servers and routers) and is mainly used for providing various data services to the terminal device.
The first network may be an LTE network and the second network may be an NR network, or the first network may be an NR network and the second network may be an LTE network. That is, the method of the embodiment of the application is applicable to a scenario of interworking between an LTE network and an NR network, where the LTE network currently uses the GBA authentication mode and the NR network uses the AKMA authentication mode.
The access network device may be a base station or a Transmission Reception Point (TRP). The base station, also called Radio Access Network (RAN) equipment, is a device that connects a terminal to the wireless network; it may be a Base Transceiver Station (BTS) in the Global System for Mobile Communication (GSM) or Code Division Multiple Access (CDMA), a base station (NodeB, NB) in Wideband Code Division Multiple Access (WCDMA), an evolved NodeB (eNB or eNodeB) in Long Term Evolution (LTE), or a relay station or an access point, which is not limited herein.
A first network element, which may be a BSF or an AAuF, may be included in the first network and configured to perform at least one of authentication, temporary identifier generation and distribution, key generation, and key lifecycle determination for the first network.
A second network element, which may be a BSF or an AAuF, may be included in the second network and configured to perform at least one of authentication, temporary identifier generation and distribution, key generation, and key lifecycle determination for the second network.
In a specific application, after the first network element and the terminal device share the first shared key, the terminal device and the first network may perform subsequent key distribution between the UE and the AF based on the first shared key. The key distribution process between the UE and the AF is not described in detail in the embodiments of the present application.
The validity period of the first shared key in the embodiment of the present application represents the life cycle of the first shared key; once the validity period of the first shared key has elapsed, the first shared key can no longer be used.
The first temporary identifier in the embodiment of the present application is a temporary identity that may be generated when the terminal device performs the first authentication based on the authentication architecture of the first network; in a specific application, the first shared key may be retrieved based on the first temporary identifier.
In a specific application, after the second network element and the terminal device share the second shared key, the terminal device and the second network may perform subsequent key distribution between the UE and the AF based on the second shared key. The key distribution process between the UE and the AF is not described in detail in the embodiments of the present application.
The validity period of the second shared key in the embodiments of the present application represents the life cycle of the second shared key; once the validity period of the second shared key has elapsed, the second shared key can no longer be used.
The second temporary identifier in the embodiment of the present application is a temporary identity that may be generated when the terminal device performs the second authentication based on the authentication architecture of the second network; in a specific application, the second shared key may be retrieved based on the second temporary identifier.
The first network element, the third network element, and the fifth network element related to the embodiments of the present application may operate in the first network.
The second network element and the fourth network element related to the embodiments of the present application may operate in the second network.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
Referring to fig. 6, fig. 6 is a flowchart illustrating a communication method according to a first embodiment of the present application; the method of the embodiment of the application can comprise the following steps:
Step S201: the terminal device sends a first request to a first network element, where the first request includes an identifier of the terminal device.
In the embodiment of the present application, the identifier of the terminal device may be a Subscription Permanent Identifier (SUPI) of the terminal, an International Mobile Subscriber Identity (IMSI) of the terminal, an IP Multimedia Private Identity (IMPI) of the terminal, a Globally Unique Temporary Identifier (GUTI) of the terminal, an IP Multimedia Public Identity (IMPU) of the terminal, a Temporary Mobile Subscriber Identity (TMSI) of the terminal (for example, an SAE Temporary Mobile Subscriber Identity (S-TMSI), an MME Temporary Mobile Subscriber Identity (M-TMSI), or a Packet Temporary Mobile Subscriber Identity (P-TMSI)), an International Mobile Equipment Identity (IMEI) of the terminal, a Subscription Concealed Identifier (SUCI) of the terminal, or the like, without limitation. The SUCI may be a cryptographic encapsulation of the SUPI. The identifier of the terminal device in this embodiment of the application may also be the second temporary identifier; this embodiment of the application does not limit the identifier of the terminal device.
In this embodiment of the present application, the first network element is a network element in the first network that performs the first authentication based on a first authentication architecture, where the first authentication architecture may be GBA or AKMA; the first request is used to instruct the first network element to obtain a first shared key from the second network element; the second network element is a network element in the second network that performs the second authentication based on a second authentication architecture, where the second authentication architecture may be GBA or AKMA. In a specific application, when the first authentication architecture is GBA, the first network element is a BSF, the second authentication architecture is AKMA, and the second network element is an AAuF; when the first authentication architecture is AKMA, the first network element is an AAuF, the second authentication architecture is GBA, and the second network element is a BSF. An interface may be provided between the first network element and the second network element, and data transmission between the first network element and the second network element is implemented through that interface.
In an optional implementation manner of the embodiment of the present application, if the terminal device has already been authenticated in the second network element, the terminal device and the second network element may share the second shared key, the second temporary identifier, and the validity period of the second shared key; by sending the first request to the first network element, the terminal device indicates that it wishes to establish parameter negotiation with the first network element by using the authentication parameters already present in the second network element.
In another optional implementation manner of the embodiment of the present application, if the terminal device has not been authenticated in the second network element, there are no shared authentication parameters between the terminal device and the second network element; by sending the first request to the first network element, the terminal device indicates that it wishes to trigger, through the first network element, the second network element to perform the second authentication with the terminal device, and to establish parameter negotiation with the first network element according to the authentication parameters generated when the second network element performs the second authentication with the terminal device.
Optionally, the first request further includes at least one of: first indication information, integrity protection information, and a replay identifier of the first request; the first indication information is used to instruct the first network element to acquire the first shared key in the first network from the second network, the integrity protection information is used to verify the validity of the terminal device, and the replay identifier of the first request is used to verify whether the first request is a replayed message.
In this embodiment of the application, the first indication information may be information related to the second network, and is used to instruct the first network element to acquire the first shared key of the first network from the second network. For example, the first indication information may be a GBA indicator or an AKMA indicator.
In this embodiment of the present application, the integrity protection information may be a message authentication code (MAC). The MAC may be calculated by applying an integrity protection algorithm to the entire message based on the second shared key (or based on the second shared key and the first integrity protection information input parameter), and the second network element may check, according to the MAC, whether the terminal device is a legitimate terminal, so as to improve the security of the communication. Specifically, the integrity protection algorithm may be a hash operation, and the embodiment of the present application is not particularly limited in this respect.
In this embodiment of the application, the replay identifier of the first request may be a first freshness parameter, specifically a counter, a random number, or the like. The first freshness parameter is used as an input to the integrity protection information, so that replay attacks on the integrity protection information can be prevented and the security of the communication is improved.
Step S202: the first network element sends a second request to the second network element according to the first request, where the second request includes the identifier of the terminal device.
In this embodiment, the first network element may send, to the second network element, a second request including the identifier of the terminal device according to the first request. In a specific application, the identifier of the second network element may be obtained from the second temporary identifier of the terminal device sent by the terminal device or from the first indication information received from the terminal device.
In this embodiment of the application, the second request is used to request the first shared key from the second network element.
Optionally, the second request further includes at least one of: a first network element identifier, the integrity protection information, and the first integrity protection information input parameter; where the first network element identifier is used to identify the address and identity information of the first network element.
In this embodiment of the application, the second network element may determine the address and the identity information of the first network element according to the first network element identifier, and may subsequently perform data transmission with the first network element according to the first network element identifier.
The first network element may forward to the second network element, in the second request, the integrity protection information and the first integrity protection information input parameter sent by the terminal device, so as to improve the security of the communication; this is not described again here.
Step S203: the second network element determines the second shared key according to the identifier of the terminal device, and determines the first shared key according to the second shared key.
In an optional implementation manner of the embodiment of the present application, if the terminal device has already been authenticated in the second network element, the second network element may look up, in a pre-configured storage space, the second shared key corresponding to the identifier of the terminal device; the mapping relationship between the identifier of the terminal device and the second shared key is stored in that pre-configured storage space.
In another optional implementation manner of the embodiment of the present application, if the terminal device has not been authenticated in the second network element, the second network element may, in response to the second request, perform the second authentication with the terminal device to obtain the second shared key.
In a specific application, in response to the second request, the second network element and the terminal device may perform the second authentication based on the second authentication architecture. It may be understood that the second authentication may be a conventional GBA authentication, a conventional AKMA authentication, or an authentication manner such as 5G AKA or EAP-AKA', which is not limited in this embodiment of the application, and the details of the second authentication are not described here. It should be noted that, in the embodiment of the present application, a conventional second authentication is used between the second network element and the terminal device in response to the second request, but the second request is sent by the first network element; that is, the first network element participates in the second authentication by transferring parameters, so that the authentication process between the terminal device and the second network element in the present application differs from the existing authentication process.
In a specific application, the manner in which the second network element determines the first shared key according to the second shared key may be as follows:
The second network element obtains the first shared key from the second shared key by using a key derivation function. In a specific application, when the key derivation function is used to derive the first shared key, the parameters on which the derivation is based may include at least one of the following: the identifier of the first network element, the indication of interworking between AKMA and GBA, the second freshness parameter, the identifier of the terminal device, and the identifier of the second authentication architecture. The identifier of the first network element is used to bind the key to the first network element. The indication of interworking between AKMA and GBA is used to indicate that the key is used in an interworking scenario. The second freshness parameter is used to ensure the freshness of the key, and may be a counter or a randomly selected random number. The identifier of the terminal device may be the received second temporary identifier or the permanent identifier, or the permanent identifier of the terminal device determined according to the encapsulated identifier of the terminal device. The identifier of the second authentication architecture is used to indicate that the key is associated with the second authentication architecture. In this embodiment of the present application, the identifier of the first network element may be sent by the first network element to the second network element, or may be determined by the second network element according to the interface connection between the second network element and the first network element. The second freshness parameter may be sent to the terminal device via the first network element.
It should be noted that, if the second request further includes the message authentication code and the first freshness parameter, the second network element may check, according to the second shared key and the first freshness parameter, whether the received message authentication code is correct by using a message authentication code algorithm. If the check succeeds, execution continues; otherwise the second request is rejected and, optionally, a rejection response message or a rejection indication is sent to the first network element to inform it that the check of the message authentication code failed. Optionally, after receiving the rejection response message or the rejection indication, the first network element forwards it to the terminal device to inform the terminal that the check of the message authentication code failed. It is to be understood that if the terminal device already shares the first freshness parameter with the second network element, the terminal need not send the first freshness parameter to the first network element, and the first network element need not send it to the second network element.
Step S204: the second network element sends the first shared key to the first network element.
In this embodiment of the present application, the second network element sends the first shared key to the first network element, so that the terminal device establishes a parameter negotiation with the first network element through the existing authentication parameters in the second network element.
Optionally, a second freshness parameter is also sent.
Optionally, at least one of an indication of interworking between AKMA and GBA and an identifier of the second authentication architecture is further sent.
Step S205: the first network element sends a first response message to the terminal device.
In this embodiment of the application, the first response message is used to indicate that the first network element has acquired the first shared key.
Optionally, the first response message includes at least one of the second freshness parameter, an indication of interworking of AKMA with GBA, and an identification of the second authentication architecture.
Optionally, the first response message includes the first temporary identifier and/or the validity period of the first shared key.
In an optional implementation manner of this embodiment of the present application, the first temporary identifier and/or the validity period of the first shared key may be calculated by the first network element or by the second network element, and the first network element then sends the first temporary identifier and/or the validity period of the first shared key to the terminal device.
Specifically, the first network element may determine the first temporary identifier as follows: the first network element receives the second temporary identifier from the second network element and calculates the first temporary identifier from it, where the second temporary identifier is the temporary identifier obtained when the terminal device performed the second authentication in the second network element. The second temporary identifier generally includes a temporary identity of the terminal device and the second network element identifier of the second network element; the first network element may replace the second network element identifier in the second temporary identifier with the first network element identifier. Optionally, the second temporary identifier further includes a second authentication architecture identifier, and the first network element may replace it with the first authentication architecture identifier or simply remove it.
Alternatively, the first network element may determine the first temporary identifier as follows: the first network element receives the first temporary identifier from the second network element, where the first temporary identifier is calculated by the second network element according to the second temporary identifier; specifically, the second network element determines the first temporary identifier in the manner described above and then sends it to the first network element.
The first network element may determine the validity period of the first shared key as follows: the first network element receives the validity period of the second shared key from the second network element and calculates the validity period of the first shared key from it. Specifically, the first network element may determine the validity period of the first shared key according to the remaining life cycle of the validity period of the second shared key, and may also take other local policies into account (for example, the validity period of the first shared key does not exceed 1 hour), which is not limited in this application.
Alternatively, the first network element may determine the validity period of the first shared key as follows: the first network element receives the validity period of the first shared key from the second network element, where the validity period of the first shared key is calculated by the second network element according to the validity period of the second shared key. Specifically, the second network element may determine the validity period of the first shared key according to the remaining life cycle of the validity period of the second shared key, and may also take other local policies into account (for example, the validity period of the first shared key does not exceed 1 hour), which is not limited in the present application, and then sends the validity period of the first shared key to the first network element.
In another optional implementation manner of the embodiment of the present application, the first network element or the second network element calculates the first temporary identifier and/or the validity period of the first shared key, and the terminal device also calculates the first temporary identifier and/or the validity period of the first shared key, so that the first network element does not need to send them to the terminal device.
The specific implementation of the terminal device determining the first temporary identifier may refer to the above determination manner.
The terminal device may determine the validity period of the first shared key as follows: the terminal device may determine the validity period of the first shared key according to the remaining life cycle of the validity period of the second shared key, and may also take other local policies into account (for example, the validity period of the first shared key does not exceed 1 hour), which is not limited in the present application.
Step S206: the terminal device determines the first shared key according to the second shared key.
In a specific application, the terminal device may determine the first shared key from the second shared key by the same derivation used by the second network element to obtain the first shared key, which is not described again here.
Optionally, if the terminal device already shares the second freshness parameter with the second network element, the second freshness parameter need not be sent in steps S204 and S205.
Optionally, if the terminal device lacks any derivation parameter needed to determine the first shared key from the second shared key, the second network element may send that derivation parameter to the first network element, which then forwards it to the terminal device.
After the terminal device and the first network element share the first shared key and the first temporary identifier and/or the validity period of the first shared key, the terminal device and the first network element may perform subsequent operations such as a security procedure based on the first shared key.
In a specific application, the terminal device may execute step S206 after receiving the first response message, or before receiving the first response message; the embodiment of the present application does not limit this, that is, it does not limit the point at which the terminal device determines the first shared key according to the second shared key.
In specific application, the communication method of the embodiment of the present application may include two implementation manners: in a first implementation manner, the first network element is a BSF, and the second network element is an AAuF; in a second implementation manner, the first network element is an AAuF, and the second network element is a BSF.
Referring to fig. 7, which is a specific flowchart of a first implementation manner of a communication method according to a second embodiment of the present application. In this embodiment, the case where the first network element is a BSF and the second network element is an AAuF is taken as an example to describe the process of obtaining the first shared key Ks in GBA based on the second shared key Kakma in AKMA. In the embodiment corresponding to fig. 7, the first temporary identifier is the B-TID, the first shared key is Ks, the validity period of the first shared key is key lifetime1, the second temporary identifier is the Temporary ID, the second shared key is Kakma, and the validity period of the second shared key is key lifetime 2. In this embodiment, the method may include:
Step S2011: the UE sends a first request to the BSF, where the first request includes an identifier of the terminal device.
Two application scenarios may be included in this embodiment. In the first application scenario, the terminal device has performed AKMA authentication in the 5G network, and the UE and the AAuF share Kakma, the Temporary ID, and key lifetime 2; in the second application scenario, the terminal device has not performed AKMA authentication in the 5G network, and the UE and the AAuF do not share Kakma, the Temporary ID, or key lifetime 2.
In the first application scenario, the identifier of the terminal device may be the Temporary ID, which includes both an AAuF identifier and an identifier of the terminal device. The first request may further include a permanent identity of the terminal device and an AAuF identifier serving as the first indication information, so that the BSF may determine, through the AAuF identifier, that the first request is an AKMA-related request; the AAuF identifier may specifically include the AAuF address information (AAuF domain name/address) or an AKMA authentication indication (AKMA indicator) indicating that the first request is based on the result of an existing AKMA authentication. The first request may also include the Temporary ID and the AAuF identifier of the terminal device. This embodiment of the present application does not particularly limit this.
In the second application scenario, the first request may include the permanent identity of the terminal device and an AAuF identifier, so that the BSF may determine, through the AAuF identifier, that the first request is an AKMA-related request; the AAuF identifier may specifically include the AAuF address information (AAuF domain name/address). The first request may also include an encapsulated identifier of the permanent identity of the terminal device and the AAuF identifier; the first request may further include an encapsulated permanent identity of the terminal device or the permanent identity of the terminal device.
Optionally, in both application scenarios, the first request may include a message authentication code (MAC). Specifically, the MAC may be calculated based on Kakma for integrity protection of the entire message, so that the AAuF determines, by checking the MAC, that the message was sent by a legitimate UE.
Optionally, in both application scenarios, the first request may include freshness parameter 1, which is used as an input to the MAC calculation and prevents replay of the MAC; freshness parameter 1 may be a counter, a random number, a nonce, or the like.
Optionally, in both application scenarios, the first request may include first indication information: an AKMA indicator, indicating that the first request is AKMA-related.
Step S2021: the BSF sends a second request to the AAuF according to the first request, where the second request includes the identifier of the terminal device.
In the first application scenario, the BSF may determine the specific AAuF through the Temporary ID and/or the AAuF domain name/address; the identifier of the terminal device may be the Temporary ID or the permanent identity of the terminal device. The BSF may also determine the specific AAuF through the permanent identity of the terminal device, for example when the permanent identity includes information about the network where the AAuF is located. In the second application scenario, the BSF may determine the specific AAuF through the AAuF domain name/address; the identifier of the terminal device may be the permanent identifier of the terminal device or an encapsulated identifier of that permanent identifier. The BSF may also determine the specific AAuF through the permanent identifier of the terminal device or the encapsulated identifier of that permanent identifier, for example when either of them includes information about the network where the AAuF is located.
If the BSF receives the AKMA indicator, the BSF determines that the request is related to AKMA.
Alternatively, the BSF may determine that the request is related to the AKMA by the identifier of the terminal device and/or the AAuF domain name/address.
Optionally, the second request may further include a BSF identifier, and/or a message authentication code MAC, and/or a freshness parameter 1.
The BSF identifier may be address information of the BSF, such as the BSF domain name, so that the AAuF can subsequently interact with the BSF according to the BSF identifier; the MAC may be calculated based on Kakma for integrity protection of the whole message, so that the AAuF determines that the message was sent by a legitimate UE by checking the MAC; freshness parameter 1 is an input to the MAC calculation and prevents replay of the MAC, and may be a counter, a random number, a nonce, or the like.
Step S2031, the AAuF determines Kakma according to the identifier of the terminal device, generates Ks according to Kakma, and may determine key lifetime1 according to key lifetime2.
In the first application scenario, the mapping relationship among the Temporary ID, Kakma and key lifetime2 is stored in the AAuF, and the AAuF may determine Kakma and key lifetime2 according to the Temporary ID. The AAuF then derives Ks from Kakma; in addition to Kakma, the parameters for deriving Ks may include at least one of the following: the BSF domain name, an indication of interworking of AKMA with GBA, freshness parameter 2, the identifier of the terminal device, and the identifier of the second authentication architecture. Refer to the derivation description of step S203; it is not repeated here. The BSF domain name may be sent to the AAuF by the BSF, or the AAuF may determine the BSF domain name from its interface connection with the BSF. The AAuF determines key lifetime1 from key lifetime2. For example, key lifetime1 may be set to the remaining lifetime of key lifetime2; in addition, the validity period of key lifetime1 may also be determined with reference to other local policies at the same time (e.g., key lifetime1 does not exceed 1 hour).
It should be noted that, if the second request further includes the message authentication code and the first freshness parameter, the AAuF may check, according to Kakma and the first freshness parameter, whether the received message authentication code is correct by running the message authentication code algorithm. If the check succeeds, execution continues; otherwise, the second request is rejected and, optionally, a rejection response message or a rejection indication is sent to the BSF to inform the BSF that the message authentication code check failed. Optionally, after receiving the rejection response message or the rejection indication, the BSF forwards it to the terminal device to notify the terminal that the message authentication code check failed. It is understood that if the terminal device shares the first freshness parameter with the AAuF, the terminal need not send the first freshness parameter to the BSF, and the BSF does not need to send it to the AAuF.
In the second application scenario, the terminal device and the AAuF have not performed the second authentication, so the AAuF may perform the bidirectional AKMA authentication with the terminal device in real time in response to the second request, so that the AAuF shares the Temporary ID, Kakma and key lifetime2 with the UE. Specifically, the AAuF may perform the bidirectional AKMA authentication with the terminal device through the AUSF/UDM based on the AKMA architecture, which is not described here again; the AAuF may then perform the process of determining Ks and so on as in the first application scenario, which is not described here again.
It should be noted that the process of determining the key lifetime1 according to the key lifetime2 may also be implemented by the BSF, and then the AAuF may send the key lifetime2 to the BSF.
Step S2041, the AAuF sends Ks to the BSF, and may also send the Temporary ID and/or key lifetime1.
In the first application scenario and the second application scenario, the AAuF sends Ks to the BSF, and may also send the Temporary ID and/or key lifetime1.
Optionally, the AAuF may further send freshness parameter 2 to the BSF to prevent replay attacks, where freshness parameter 2 may be a counter, a random number, a nonce, or the like. Optionally, the AAuF may further send to the BSF an indication of interworking between AKMA and GBA, an identifier of the second authentication architecture, and the like.
Step S2051, the BSF determines the B-TID according to the Temporary ID.
In this embodiment, the B-TID may be generated by the BSF, or may be determined by the BSF according to the received Temporary ID. For example, the BSF may determine the B-TID according to the Temporary ID by replacing the domain name following the Temporary ID with the BSF domain name, so that the resulting B-TID includes the temporary identity of the UE carried in the Temporary ID, together with the BSF domain name.
It should be noted that the process of determining the B-TID according to the Temporary ID may also be implemented by the AAuF, and the AAuF may send the B-TID to the BSF.
Step S2061, the BSF sends the B-TID and key lifetime1 to the UE.
Optionally, the BSF may further send to the UE at least one of a freshness parameter 2, an indication of interworking of the AKMA with the GBA, and an identity of the second authentication architecture.
Optionally, the UE may also determine the B-TID and the key lifetime1 according to the Temporary ID, Kakma, and key lifetime2 stored in the UE, so that the BSF does not need to send the B-TID and the key lifetime1 to the UE.
Step S2071, the UE determines Ks according to Kakma.
In the embodiment of the present application, the manner in which the UE determines Ks according to Kakma is the same as the manner in which the AAuF generates Ks, and is not described here again. It should be noted that if the AAuF uses freshness parameter 2, the UE also receives freshness parameter 2 from the BSF.
Optionally, if the terminal device shares the second freshness parameter with the AAuF, the second freshness parameter may not be sent in the above step.
Optionally, if any derivation parameter for determining Ks according to Kakma is absent from the terminal device, the AAuF may send that derivation parameter to the BSF, and the BSF may further send it to the UE.
The UE and the BSF complete the sharing of Ks, B-TID, and Key lifetime1, and the subsequent UE and AF may perform Key distribution and other processes based on Ks, B-TID, and Key lifetime1, which is not described in detail in this embodiment of the present application.
Referring to fig. 8, a specific flowchart of a second implementation manner of the communication method according to the third embodiment of the present application is shown. In the embodiment of the present application, a procedure for obtaining Kakma in AKMA based on Ks in GBA is described, taking a first network element that is an AAuF and a second network element that is a BSF as examples. In the embodiment corresponding to fig. 8, the first temporary identifier is the Temporary ID, the first shared key is Kakma, the validity period of the first shared key is key lifetime1, the second temporary identifier is the B-TID, the second shared key is Ks, and the validity period of the second shared key is key lifetime2. In an embodiment of the present application, the method may include:
Step S2012, the UE sends a first request to the AAuF, where the first request includes an identifier of the terminal device.
In the embodiment of the application, two application scenarios may be included, where in the first application scenario, when the terminal device performs GBA authentication in the 4G network, the UE and the BSF share B-TID, Ks, and key lifetime 2; in the second application scenario, the terminal device does not perform GBA authentication in the 4G network, and the UE and the BSF do not share the B-TID, Ks, and key lifetime 2.
In the first application scenario, the identifier of the terminal device may be the temporary identifier B-TID, where the B-TID includes both a BSF identifier and an identifier of the terminal device. The first request may further include a permanent identity identifier of the terminal device and a BSF identifier serving as the first indication information, so that the BSF may determine through the BSF identifier that the first request corresponds to a GBA request; specifically, the BSF identifier may include the BSF address information, i.e. the BSF domain name/address, which indicates that the first request is based on the result of an existing GBA authentication. The first request may also include the temporary identity Temporary ID of the terminal device and an AAuF identifier; the embodiment of the present application is not particularly limited in this respect.
In the second application scenario, the first request may include a permanent identity identifier of the terminal device and a BSF identifier, so that the BSF may determine through the BSF identifier that the first request is a GBA request; specifically, the BSF identifier may include the BSF address information, i.e. the BSF domain name/address. The first request may further include an encapsulated identifier of the permanent identity identifier of the terminal device and the BSF identifier; the first request may further include an encapsulated permanent identity identifier of the terminal device or the permanent identity identifier of the terminal device.
Optionally, in both the first application scenario and the second application scenario, the first request may include a message authentication code MAC. Specifically, the MAC may be calculated based on Ks for integrity protection of the whole message, so that the BSF can determine that the message was sent by a legitimate UE by checking the MAC.
Optionally, in both the first application scenario and the second application scenario, the first request may include a freshness parameter 1. Freshness parameter 1 is an input to the MAC calculation and prevents replay of the MAC; it may be a counter, a random number, a nonce, or the like.
Optionally, in both the first application scenario and the second application scenario, the first request may include first indication information: a GBA indicator, which indicates that the first request is AKMA related.
Step S2022, the AAuF sends a second request to the BSF according to the BSF identifier, where the second request includes the identifier of the terminal device and may further include the BSF identifier and/or the message authentication code MAC.
In the first application scenario, the AAuF may determine the specific BSF through the B-TID and/or the BSF domain name/address; the identifier of the terminal device may be the B-TID or the permanent identifier of the terminal device. It is also possible that the AAuF determines the specific BSF by means of the permanent identifier of the terminal device, e.g. when the first identifier includes information about the network in which the BSF is located.
In the second application scenario, the AAuF may determine the specific BSF through the BSF domain name/address or a GBA indicator; the identifier of the terminal device may be the permanent identifier of the terminal device or an encapsulated identifier of that permanent identifier. It is also possible that the AAuF determines the specific BSF by means of the permanent identifier of the terminal device or its encapsulated identifier, for example when that identifier includes information about the network in which the BSF is located.
If the AAuF receives a GBA indicator, the AAuF determines that the request is associated with GBA.
Alternatively, the AAuF may determine that the request is related to the GBA by the identifier of the terminal device and/or the BSF domain name/address.
Optionally, the second request may further include an AAuF identifier, and/or a message authentication code MAC, and/or a freshness parameter 1.
The AAuF identifier may be address information of the AAuF, such as the AAuF domain name, so that the BSF can subsequently interact with the AAuF according to the AAuF identifier; the MAC may be calculated based on Ks for integrity protection of the entire message, so that the BSF determines that the message was sent by a legitimate UE by checking the MAC; freshness parameter 1 is an input to the MAC calculation and prevents replay of the MAC, and may be a counter, a random number, a nonce, or the like.
Step S2032, the BSF determines Ks according to the identifier of the terminal device, generates Kakma according to Ks, and may determine key lifetime1 according to key lifetime2.
In the first application scenario, the BSF stores the mapping relationship among the B-TID, Ks and key lifetime2, and the BSF may determine Ks and key lifetime2 according to the B-TID. The BSF then derives Kakma from Ks; in addition to Ks, the parameters for deriving Kakma may include at least one of the following: the AAuF domain name, an indication of the interworking of AKMA with GBA, freshness parameter 2, the identifier of the terminal device, and the identifier of the second authentication architecture. Refer to the derivation description of step S203; it is not repeated here. Here, the AAuF domain name may be sent to the BSF by the AAuF, or the BSF may determine the AAuF domain name from its interface connection with the AAuF. The BSF determines key lifetime1 from key lifetime2. For example, key lifetime1 may be set to the remaining lifetime of key lifetime2; in addition, the validity period of key lifetime1 may also be determined with reference to other local policies at the same time (e.g., key lifetime1 does not exceed 1 hour).
It should be noted that, if the second request further includes the message authentication code and the first freshness parameter, the BSF may check, according to Ks and the first freshness parameter, whether the received message authentication code is correct by running the message authentication code algorithm. If the check succeeds, execution continues; otherwise, the second request is rejected and, optionally, a rejection response message or a rejection indication is sent to the AAuF to inform the AAuF that the message authentication code check failed. Optionally, after receiving the rejection response message or the rejection indication, the AAuF forwards it to the terminal device to notify the terminal that the message authentication code check failed. It is understood that if the terminal device shares the first freshness parameter with the BSF, the terminal need not send the first freshness parameter to the AAuF, and the AAuF does not need to send it to the BSF.
In the second application scenario, the terminal device and the BSF have not performed the second authentication, so the BSF may perform the bidirectional GBA authentication with the terminal device in real time in response to the second request, so that the BSF and the UE share the B-TID, Ks and key lifetime2. Specifically, the BSF may perform the bidirectional GBA authentication with the terminal device through the HSS based on the GBA architecture, which is not described here again; the BSF may then perform the process of determining Kakma and so on as in the first application scenario, which is not described here again.
It should be noted that the process of determining the key lifetime1 according to the key lifetime2 may also be implemented by the AAuF, and then the BSF may send the key lifetime2 to the AAuF.
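The AAuF-side processing of step S2031 (checking the MAC with the first freshness parameter, deriving Ks from Kakma, deriving key lifetime1 from key lifetime2 under a local policy) and its mirror image at the BSF in step S2032 follow the same logic, so one added example models both. This is illustrative code written for this page, not code from the patent or from Huawei. The HMAC-SHA256-based `kdf`, the `INTERWORKING_INDICATION` label, the message field encoding, the `KeyHoldingElement` class and every identifier and key value are constructed assumptions; the real 3GPP key derivation function and message encodings are not on the page.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Local policy named in the description: key lifetime1 must not exceed 1 hour.
LOCAL_MAX_LIFETIME_S = 3600

# Hypothetical derivation label; the real 3GPP KDF, FC codes and encodings are not on the page.
INTERWORKING_INDICATION = b"AKMA-GBA-interworking"


def kdf(key: bytes, *params: bytes) -> bytes:
    """Illustrative length-prefixed HMAC-SHA256 derivation (an assumption, not the 3GPP KDF)."""
    encoded = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, encoded, hashlib.sha256).digest()


def protected_fields(ue_id: str, peer_domain: str, indicator: str) -> bytes:
    """Deterministic encoding of the fields the MAC covers (constructed message format)."""
    return "|".join((ue_id, peer_domain, indicator)).encode()


def compute_mac(shared_key: bytes, ue_id: str, peer_domain: str,
                indicator: str, freshness1: int) -> bytes:
    """MAC over the whole message, with freshness parameter 1 as an extra input."""
    data = freshness1.to_bytes(8, "big") + protected_fields(ue_id, peer_domain, indicator)
    return hmac.new(shared_key, data, hashlib.sha256).digest()


def derive_interworking_key(shared_key: bytes, peer_domain: str, freshness2: bytes,
                            ue_id: str, arch_id: str) -> bytes:
    """Ks from Kakma (AAuF, fig. 7) or Kakma from Ks (BSF, fig. 8); same parameter list both ways."""
    return kdf(shared_key, peer_domain.encode(), INTERWORKING_INDICATION,
               freshness2, ue_id.encode(), arch_id.encode())


def derive_lifetime1(lifetime2_expiry: float, now: float,
                     max_lifetime: int = LOCAL_MAX_LIFETIME_S) -> int:
    """key lifetime1 = remaining part of key lifetime2, capped by the local policy."""
    remaining = int(lifetime2_expiry - now)
    if remaining <= 0:
        raise ValueError("second shared key has expired; re-authentication is required")
    return min(remaining, max_lifetime)


class KeyHoldingElement:
    """The element that owns the second shared key: AAuF (Kakma) in fig. 7, BSF (Ks) in fig. 8."""

    def __init__(self, arch_id: str):
        self.arch_id = arch_id
        self.contexts: Dict[str, Tuple[bytes, float]] = {}  # temp id -> (key, lifetime2 expiry)
        self.last_freshness1: Dict[str, int] = {}           # temp id -> last accepted counter

    def store_context(self, ue_id: str, shared_key: bytes, lifetime2_expiry: float) -> None:
        self.contexts[ue_id] = (shared_key, lifetime2_expiry)

    def handle_second_request(self, request: dict, now: float) -> Optional[dict]:
        """Returns the response for the peer element, or None when the request is rejected."""
        ue_id = request["ue_id"]
        ctx = self.contexts.get(ue_id)
        if ctx is None:
            return None  # unknown identifier: the second authentication would have to run instead
        shared_key, expiry = ctx
        freshness1 = request["freshness1"]
        # Replay protection: freshness parameter 1 is modelled as a strictly increasing counter.
        if freshness1 <= self.last_freshness1.get(ue_id, -1):
            return None
        expected = compute_mac(shared_key, ue_id, request["peer_domain"],
                               request["indicator"], freshness1)
        if not hmac.compare_digest(expected, request["mac"]):
            return None  # MAC check failed: reject (a rejection indication may be returned)
        self.last_freshness1[ue_id] = freshness1
        try:
            lifetime1 = derive_lifetime1(expiry, now)
        except ValueError:
            return None
        freshness2 = os.urandom(16)
        derived = derive_interworking_key(shared_key, request["peer_domain"],
                                          freshness2, ue_id, self.arch_id)
        return {"ue_id": ue_id, "key": derived, "lifetime1": lifetime1,
                "freshness2": freshness2, "arch_id": self.arch_id}


def run_fig7_exchange(now: float = 1_700_000_000.0) -> dict:
    """Constructed fig. 7 exchange: UE and AAuF share Kakma, the BSF asks the AAuF for Ks."""
    kakma = hashlib.sha256(b"constructed Kakma for the demo").digest()
    temp_id, bsf_domain = "tmp-ue-1@aauf.example.com", "bsf.example.com"
    aauf = KeyHoldingElement(arch_id="AKMA")
    aauf.store_context(temp_id, kakma, lifetime2_expiry=now + 7200)  # 2 h left on key lifetime2

    def ue_request(counter: int, indicator: str = "AKMA") -> dict:
        mac = compute_mac(kakma, temp_id, bsf_domain, indicator, counter)
        return {"ue_id": temp_id, "peer_domain": bsf_domain, "indicator": indicator,
                "freshness1": counter, "mac": mac}

    first = ue_request(1)
    resp = aauf.handle_second_request(first, now)
    replay = aauf.handle_second_request(first, now)              # same counter again
    tampered = dict(ue_request(2), indicator="GBA")             # MAC no longer matches the fields
    tamper_resp = aauf.handle_second_request(tampered, now)
    recovered = aauf.handle_second_request(ue_request(2), now)  # counter 2 is still usable
    ue_ks = derive_interworking_key(kakma, bsf_domain, resp["freshness2"], temp_id, resp["arch_id"])
    return {"accepted": resp is not None,
            "keys_match": ue_ks == resp["key"],
            "lifetime1": resp["lifetime1"],
            "replay_rejected": replay is None,
            "tamper_rejected": tamper_resp is None,
            "recovered_after_tamper": recovered is not None}
```

Modelling freshness parameter 1 as a counter is what makes the replay rejection in `handle_second_request` a one-line comparison; with a random nonce the element would instead keep a window of nonces already seen. Note that the counter is only advanced after the MAC verifies, so a forged message with a high counter cannot lock out the legitimate UE. The UE reproduces Ks with the same `derive_interworking_key` call once it receives freshness parameter 2 and the architecture identifier, which is exactly the sharing described for step S2071.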
Step S2042, the BSF sends Kakma to the AAuF, and may also send the B-TID and key lifetime1.
In the first and second application scenarios, the BSF sends Kakma to the AAuF, and may also send the B-TID and key lifetime1.
Optionally, the BSF may further send freshness parameter 2 to the AAuF to prevent replay attacks, where freshness parameter 2 may be a counter, a random number, a nonce, or the like.
Step S2052, the AAuF determines the Temporary ID according to the B-TID.
In the embodiment of the present application, the Temporary ID may be generated by the AAuF, or may be determined by the AAuF according to the received B-TID. For example, the AAuF may determine the Temporary ID according to the B-TID by replacing the domain name following the B-TID with the AAuF domain name, so that the resulting Temporary ID includes the temporary identity of the UE carried in the B-TID, together with the AAuF domain name. Optionally, the Temporary ID may also include an indication that the Temporary ID is associated with AKMA.
It should be noted that the process of determining the Temporary ID according to the B-TID may also be implemented by the BSF, and then the BSF may send the B-TID to the AAuF.
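The domain-name replacement of step S2051 (Temporary ID to B-TID) and its reverse in step S2052 (B-TID to Temporary ID, optionally marked as AKMA related), as one added example that is not part of the patent or of any Huawei code: the text fixes no wire format for either identifier, so the `ue-part@domain` shape, the `@` separator, the `akma` label used for the optional AKMA indication and the identifier strings are all constructed assumptions.

```python
from typing import NamedTuple

# Hypothetical marker for the optional "associated with AKMA" indication inside a Temporary ID.
AKMA_LABEL = "akma"


class TempIdentity(NamedTuple):
    ue_part: str   # temporary identity of the UE, kept unchanged by the conversion
    domain: str    # domain name of the element that issued the identifier


def split_identifier(identifier: str) -> TempIdentity:
    """Assumed 'ue-part@domain' shape for both B-TID and Temporary ID (the text fixes no format)."""
    if identifier.count("@") != 1:
        raise ValueError("expected exactly one '@' separating identity and domain")
    ue_part, domain = identifier.split("@")
    if not ue_part or not domain:
        raise ValueError("identity part and domain part must both be non-empty")
    return TempIdentity(ue_part, domain)


def b_tid_from_temporary_id(temporary_id: str, bsf_domain: str) -> str:
    """Step S2051: keep the UE's temporary identity, replace the trailing domain with the BSF domain."""
    return f"{split_identifier(temporary_id).ue_part}@{bsf_domain}"


def temporary_id_from_b_tid(b_tid: str, aauf_domain: str, mark_akma: bool = False) -> str:
    """Step S2052: the mirror conversion; optionally prefix the AAuF domain with an AKMA label."""
    ue_part = split_identifier(b_tid).ue_part
    domain = f"{AKMA_LABEL}.{aauf_domain}" if mark_akma else aauf_domain
    return f"{ue_part}@{domain}"


def is_akma_related(identifier: str) -> bool:
    """How a receiving element could tell from the identifier alone that a request is AKMA related."""
    return split_identifier(identifier).domain.startswith(AKMA_LABEL + ".")


def same_ue(identifier_a: str, identifier_b: str) -> bool:
    """True when two identifiers (e.g. a B-TID and a Temporary ID) carry the same UE temporary identity."""
    return split_identifier(identifier_a).ue_part == split_identifier(identifier_b).ue_part
```

Because only the domain part changes, `same_ue` lets either element correlate the identifier it receives with the one it issued, and the strict `split_identifier` check rejects malformed identifiers before any lookup in the mapping table is attempted.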
Step S2062, the AAuF sends the Temporary ID and key lifetime1 to the UE.
Optionally, the AAuF may further send to the UE at least one of freshness parameter 2, an indication of interworking of AKMA with GBA, and an identifier of the second authentication architecture.
Optionally, the UE may also determine the Temporary ID and key lifetime1 according to the B-TID, Ks and key lifetime2 stored in the UE, so that the AAuF does not need to send the Temporary ID and key lifetime1 to the UE.
Step S2072, the UE determines Kakma according to Ks.
In the embodiment of the present application, the manner in which the UE determines Kakma according to Ks is the same as the manner in which the BSF generates Kakma, and is not described here again. It should be noted that if the BSF uses freshness parameter 2, the UE also receives freshness parameter 2 from the BSF.
Optionally, if the terminal device shares the second freshness parameter with the BSF, the second freshness parameter need not be sent in the above step.
Optionally, if any derivation parameter for determining Kakma according to Ks is absent from the terminal device, the BSF may send that derivation parameter to the AAuF, and the AAuF may further send it to the UE.
In an alternative embodiment, the AAuF interfaces with the SEAF/AUSF/UDM. The UE shares a key with the SEAF/AUSF/UDM, referred to as a third shared key, together with an identifier of the third shared key. The way the third shared key is generated is not limited here and may follow the prior art; for example, the third shared key may be an AUSF key, a SEAF key, an AMF key or a UDM key, and the corresponding identifier may be an AUSF key identifier, a SEAF key identifier, an AMF key identifier or a UDM key identifier. The SEAF/AUSF/UDM may derive the second shared key based on the third shared key, and send the second shared key and the third shared key identifier to the AAuF. The procedure is the same as in the above embodiment, except that the AAuF needs to transfer the third shared key identifier to the UE, so that the UE determines the third shared key according to the third shared key identifier and determines the second shared key according to the third shared key. The other flows of the UE are similar to those of the above embodiments and are not described here. If the UE cannot determine the third shared key according to the received third shared key identifier (for example, the third shared key identifier is not stored locally), the procedure is rejected. Optionally, the UE sends an error indication to the AAuF concerning the context corresponding to the third shared key identifier. Here, SEAF/AUSF/UDM denotes an OR relationship.
The UE and the AAuF complete the sharing of Kakma, the Temporary ID and key lifetime1, and the subsequent UE and AF may perform key distribution and other processes based on Kakma, the Temporary ID and key lifetime1, which is not described in detail in the embodiment of the present application.
To sum up, in this embodiment of the application, after the first network element receives from the terminal device the first request including the identifier of the terminal device, the first network element sends the second request including the identifier of the terminal device to the second network element; in response to the second request, the second network element may determine the first shared key according to the second shared key and send the first shared key to the first network element; and after the first network element receives the first shared key, it may further perform the first authentication with the terminal device based on the first shared key. That is, the first network element can perform the first authentication of the terminal device based on the second shared key held by the second network element, thereby achieving interworking between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
Referring to fig. 9, a schematic diagram of a communication flow at a first network element side in a fourth embodiment of the present application is shown, where the method specifically may include:
Step S301: a first network element receives a first request from a terminal device, where the first request includes an identifier of the terminal device.
Step S302: the first network element sends a second request to a second network element according to the first request, where the second request includes the identifier of the terminal device.
Step S303: the first network element receives a first shared key from the second network element; the first shared key is determined by the second network element according to a second shared key, and the second shared key is determined by the second network element according to the identifier of the terminal device; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
Optionally, the first request further includes first indication information, where the first indication information is used to indicate that the first network element acquires the first shared key in the first network from the second network.
Optionally, the method further includes:
the first network element determines a first temporary identifier of the terminal equipment; the first temporary identifier is calculated by the first network element or the second network element according to the identifier of the terminal device, and the first temporary identifier is used for identifying the temporary identity of the terminal device in the first network;
and the first network element sends the first temporary identifier to the terminal equipment.
Optionally, the method further includes:
the first network element determines a validity period of the first shared key; wherein the validity period of the first shared key is determined by the first network element or the second network element according to the validity period of the second shared key; the validity period of the second shared secret key is determined by the second network element according to the identifier of the terminal equipment;
and the first network element sends the validity period of the first shared key to the terminal equipment.
Optionally, the second request further includes a first network element identifier of the first network element; wherein the first network element identifier is used for identifying the identity of the first network element;
the first shared key is derived by the second network element according to the second shared key and the first network element identifier.
Optionally, the second shared key is obtained as follows: after receiving the second request, the second network element performs the second authentication with the terminal device in real time in response to the second request, and obtains the second shared key from the result of that authentication.
For the specific implementation of the embodiment of the present application, refer to the actions performed by the first network element in the embodiments corresponding to fig. 6 to 8. The embodiment of the present application differs from the embodiments corresponding to fig. 6 to 8 in that, when other executing bodies send requests to the first network element, the first network element receives the requests accordingly; the execution principles are similar, and the method with the first network element as the executing body is not described here again.
To sum up, in this embodiment of the application, after the first network element receives from the terminal device the first request including the identifier of the terminal device, the first network element sends the second request including the identifier of the terminal device to the second network element; in response to the second request, the second network element may determine the first shared key according to the second shared key and send the first shared key to the first network element; and after the first network element receives the first shared key, it may further perform the first authentication with the terminal device based on the first shared key. That is, the first network element can perform the first authentication of the terminal device based on the second shared key held by the second network element, thereby achieving interworking between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
Referring to fig. 10, a schematic diagram of a communication flow at the second network element side in a fifth embodiment of the present application is shown, where the method specifically may include:
step S401: the second network element receives a second request from the first network element; the second request includes an identification of the terminal device.
Step S402: the second network element determines a second shared key according to the identifier of the terminal device.
Step S403: the second network element determines a first shared key according to the second shared key.
Step S404: the second network element sends the first shared key to the first network element; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
Optionally, the determining, by the second network element, a second shared key according to the identifier of the terminal device includes:
the second network element determines, according to the identifier of the terminal device and a pre-acquired mapping relationship between terminal identifiers and shared keys in the second network, the second shared key corresponding to the identifier of the terminal device.
Optionally, the determining, by the second network element, a second shared key according to the identifier of the terminal device includes:
the second network element performs the second authentication with the terminal device in response to the second request, to obtain the second shared key.
Optionally, the method further includes:
the second network element determines the validity period of the second shared secret key according to the identifier of the terminal equipment; the second network element sends the validity period of the second shared secret key to the first network element;
or, alternatively,
the second network element determines the validity period of the second shared secret key according to the identifier of the terminal equipment; the second network element determines the validity period of the first shared secret key according to the validity period of the second shared secret key; and the second network element sends the validity period of the first shared key to the first network element.
Optionally, the method further includes:
the second network element determines a second temporary identifier of the terminal equipment according to the identifier of the terminal equipment; the second network element sends the second temporary identifier to the first network element; the second temporary identifier is used for identifying the temporary identity of the terminal equipment in the second network;
or, alternatively,
the second network element determines a second temporary identifier of the terminal equipment according to the identifier of the terminal equipment; the second network element determines a first temporary identifier according to the second temporary identifier; the second network element sends the first temporary identifier to the first network element; the first temporary identifier is used for identifying the temporary identity of the terminal equipment in the first network.
Optionally, the second request further includes a first network element identifier of the first network element; wherein the first network element identifier is used for identifying the identity of the first network element;
the first shared key is derived by the second network element according to the second shared key and the first network element identifier.
For the specific implementation of the embodiment of the present application, refer to the actions performed by the second network element in the embodiments corresponding to fig. 6 to 8. The embodiment of the present application differs from the embodiments corresponding to fig. 6 to 8 in that, when other executing bodies send requests to the second network element, the second network element receives the requests accordingly; the execution principles are similar, and the method with the second network element as the executing body is not described here again.
To sum up, in this embodiment of the application, after the first network element receives from the terminal device the first request including the identifier of the terminal device, the first network element sends the second request including the identifier of the terminal device to the second network element; in response to the second request, the second network element may determine the first shared key according to the second shared key and send the first shared key to the first network element; and after the first network element receives the first shared key, it may further perform the first authentication with the terminal device based on the first shared key. That is, the first network element can perform the first authentication of the terminal device based on the second shared key held by the second network element, thereby achieving interworking between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
Referring to fig. 11, a schematic diagram of a communication flow at a terminal device side in a sixth embodiment of the present application is shown, where the method specifically may include:
Step S501: the terminal device sends a first request to a first network element, where the first request includes an identifier of the terminal device; the first request is used to instruct the first network element to obtain a first shared key from a second network element.
Step S502: the terminal device determines the first shared key according to a second shared key; the second shared key is determined when the terminal device performs the second authentication with the second network element; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
Optionally, the first request further includes first indication information, where the first indication information is used to indicate that the first network element acquires the first shared key in the first network from the second network.
Optionally, before the terminal device determines the first shared key according to the second shared key, the method further includes:
the terminal equipment receives a first temporary identifier from the first network element; the first temporary identifier is calculated by the first network element or the second network element according to the identifier of the terminal equipment; the identifier of the terminal device is used for identifying the terminal device, and the first temporary identifier is used for identifying the temporary identity of the terminal device in the first network;
or, alternatively,
the terminal equipment determines a first temporary identifier according to the second temporary identifier; the second temporary identifier is used for identifying the temporary identity of the terminal equipment in the second network.
Optionally, before the terminal device determines the first shared key according to the second shared key, the method further includes:
the terminal equipment receives the validity period of the first shared key from the first network element; wherein the validity period of the first shared key is determined by the first network element or the second network element according to the validity period of the second shared key; the validity period of the second shared secret key is determined by the second network element according to the identifier of the terminal equipment;
or, alternatively,
the terminal equipment determines the validity period of the first shared secret key according to the validity period of the second shared secret key; the validity period of the second shared secret key is determined when the terminal equipment performs second authentication in the second network element.
The specific implementation process of the embodiment of the present application may refer to the actions performed by the terminal device in the embodiments corresponding to fig. 6 to 8. The embodiment of the present application differs from the embodiments corresponding to fig. 6 to 8 in that, when other executing bodies send requests to the terminal device, the terminal device receives the requests accordingly; the execution principle is similar, so the method with the terminal device as the executing body is not described again here.
To sum up, in this embodiment of the application, after the first network element receives the first request including the identifier of the terminal device from the terminal device, the first network element sends the second request including the identifier of the terminal device to the second network element, the second network element may determine the first shared key according to the second shared key in response to the second request, and send the first shared key to the first network element, and after receiving the first shared key in the first network element, the first network element may further implement the first authentication based on the first shared key with the terminal device. That is, the first network element can implement the first authentication of the terminal device based on the second shared key in the second network element, thereby implementing the intercommunication between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
It should be noted that, for the above-mentioned embodiment of the present application, the features for generating and distributing the first shared key to the first network element, the feature for determining the first temporary identifier, and the feature for determining the validity period of the first shared key may belong to three independent features, where the three features may be three independent steps, or any two of the three features may be combined into one step, or the three features may be combined into one step flow; the embodiment of the present application does not limit this.
Referring to fig. 12, a flowchart of another communication method according to a seventh embodiment of the present application is shown. The embodiment of the application can comprise:
step S601: the terminal equipment sends a third request to the fifth network element; wherein the third request comprises an identification of the terminal device.
In the embodiment of the application, the identifier of the terminal device may be a permanent identity of the terminal device or an encapsulated identifier of the permanent identity of the terminal device; the identifier of the terminal device may also be a second temporary identifier of the terminal device, which is not described herein again.
In this embodiment of the present application, the third network element is a network element that performs first authentication based on a first authentication architecture, where the first authentication architecture may be GBA or AKMA; the fourth network element identifier is used for identifying a fourth network element, and the fourth network element is a network element that performs second authentication based on a second authentication architecture, where the second authentication architecture may be GBA or AKMA. In a specific application, when the first authentication architecture is GBA, the third network element is an HSS, the second authentication architecture is AKMA, and the fourth network element is a SEAF/AUSF/UDM; when the first authentication architecture is AKMA, the third network element is a SEAF/AUSF/UDM, the second authentication architecture is GBA, and the fourth network element is an HSS. An interface may be provided between the third network element and the fourth network element, and data transmission between the third network element and the fourth network element is implemented through that interface.
In an optional implementation manner of the embodiment of the present application, if the terminal device has been authenticated in the fourth network element, the terminal device and the fourth network element may share a second authentication vector, and the second authentication vector may include a second shared key; the terminal device sends a third request to the fifth network element, indicating that the terminal device wants to establish a parameter negotiation with the fifth network element by using the existing authentication parameters in the fourth network element.
Step S602: and the fifth network element sends the third request to the third network element.
In this embodiment of the application, the fifth network element needs to establish a communication connection with the fourth network element through the third network element; therefore, the fifth network element sends a request to the third network element, where the request includes the identifier of the terminal device.
Optionally, the request further comprises an identification of the fourth network element.
Step S603: the third network element sends a fourth request to a fourth network element according to the third request; wherein the fourth request comprises an identification of the terminal device.
The third network element may determine the identifier of the fourth network element according to the identifier of the terminal device.
In this embodiment of the application, the fourth request may further include a fourth network element identifier, and the third network element may send the fourth request including the identifier of the terminal device to the fourth network element according to the fourth network element identifier.
In an embodiment of the application, the fourth request is configured to request the first authentication vector from the fourth network element.
Optionally, the fourth request further includes: and the third network element identifier enables the fourth network element to determine the identity or address information of the third network element according to the third network element identifier, and subsequently perform data transmission with the third network element according to the third network element identifier.
Step S604: the fourth network element determines a second authentication vector according to the identifier of the terminal equipment; and determining a first authentication vector according to the second authentication vector.
In an optional implementation manner of the embodiment of the present application, the fourth network element determines the second authentication vector according to the identifier of the terminal device; the specific determination manner may be the existing second authentication of the second network, which is not limited here.
In a specific application, in response to the fourth request, the fourth network element and the terminal device may perform a second authentication based on the second authentication architecture. It may be understood that the second authentication may be a conventional authentication of GBA, a conventional authentication of AKMA, or an authentication manner such as 5G AKA or EAP AKA', which is not limited in this embodiment of the application, and details of the second authentication are not described here. It should be noted that, in the embodiment of the present application, a conventional second authentication is used between the fourth network element and the terminal device in response to the fourth request, but the fourth request is sent by the third network element; that is, the third network element participates in the second authentication by transferring parameters, so that the authentication process between the terminal device and the fourth network element of the present application differs from the existing authentication process.
In a specific application, the specific implementation of determining, by the fourth network element, the first authentication vector according to the second authentication vector may be: the fourth network element obtains the first authentication vector from the second authentication vector by using a key derivation function.
Step S605: and the fourth network element sends the first authentication vector to the third network element.
Step S606: and the third network element sends the first authentication vector to a fifth network element.
In this embodiment, the third network element forwards the first authentication vector of the fourth network element to the fifth network element, so that the terminal device establishes a parameter negotiation with the fifth network element through the existing authentication parameters in the fourth network element.
Step S607: and the fifth network element executes bidirectional authentication with the terminal equipment according to the first authentication vector and determines a first shared key.
In this embodiment, the first authentication vector may include a first shared key. The fifth network element may further send an authentication indication to the terminal device in the authentication process.
Step S608: and the terminal equipment determines a first shared key according to the first authentication vector.
In a specific application, the terminal device may first determine a first authentication vector according to the second authentication vector, and then obtain the first shared key in the first authentication vector. The method for determining the first authentication vector by the terminal device according to the second authentication vector may be the same as that of the fourth network element, and is not described herein again.
After the terminal device and the fifth network element share the first shared key, the terminal device and the fifth network element may perform subsequent operations such as a security procedure based on the first shared key.
In the above flow, optionally, the terminal device and the fifth network element may further share the validity period of the first temporary identifier and the first shared key.
In an optional implementation manner of the embodiment of the present application, the validity periods of the first temporary identifier and the first shared key may be calculated by a fifth network element, and then the fifth network element sends the validity periods of the first temporary identifier and the first shared key to the terminal device.
Specifically, the specific implementation of the fifth network element determining the first temporary identifier may be: the fifth network element receives a second temporary identifier from the third network element; the fifth network element calculates the first temporary identifier according to the second temporary identifier; and the second temporary identifier is a temporary identifier obtained by performing second authentication on the terminal equipment in the fourth network element. Specifically, the second temporary identifier generally includes a second authentication architecture identifier, and the fifth network element may replace the second authentication architecture identifier in the second temporary identifier with the first authentication architecture identifier.
The specific implementation of the fifth network element determining the first temporary identifier may also be: the fifth network element receives a first temporary identifier from the third network element; wherein the first temporary identifier is calculated by the fourth network element according to the second temporary identifier; the second temporary identifier is a temporary identifier obtained by authenticating the terminal device in the fourth network element. Specifically, the second temporary identifier generally includes a second authentication framework identifier, the fourth network element may replace the second authentication framework identifier in the second temporary identifier with the first authentication framework identifier to obtain a first temporary identifier, and then the fourth network element sends the first temporary identifier to the fifth network element through the third network element.
The specific implementation of the fifth network element determining the validity period of the first shared key may be: the fifth network element receiving a validity period of the second shared key from the third network element; and the fifth network element calculates the validity period of the first shared secret key according to the validity period of the second shared secret key. Specifically, the fifth network element may determine the validity period of the first shared secret key according to the remaining life cycle of the validity period of the second shared secret key; the fifth network element may also determine the validity period of the first shared key by referring to other local policies (for example, the validity period of the first shared key does not exceed 1 hour), which is not limited in this application.
The specific implementation of the fifth network element determining the validity period of the first shared key may also be: the fifth network element receiving a validity period of a first shared key from the third network element; and the validity period of the first shared secret key is calculated by the fourth network element according to the validity period of the second shared secret key. Specifically, the fourth network element may determine the validity period of the first shared secret key according to the remaining life cycle of the validity period of the second shared secret key; the fourth network element may also determine the validity period of the first shared key by referring to other local policies (for example, the validity period of the first shared key does not exceed 1 hour), which is not limited in the present application, and then the fourth network element sends the first temporary identifier to the fifth network element through the third network element.
In another optional implementation manner of the embodiment of the present application, the fifth network element calculates a validity period of the first temporary identifier and the first shared key, and the terminal device also calculates a validity period of the first temporary identifier and the first shared key, so that the fifth network element does not need to send the validity period of the first temporary identifier and the first shared key to the terminal device.
The fifth network element may also determine the validity period of the first shared key and/or the first temporary identifier by means of a local policy.
The specific implementation of the terminal device determining the first temporary identifier may be: and the terminal equipment replaces the second authentication architecture identification in the second temporary identification with the first authentication architecture identification to obtain the first temporary identification.
The specific implementation of the terminal device determining the validity period of the first shared key may be: the terminal device may determine the validity period of the first shared secret key according to the remaining life cycle of the validity period of the second shared secret key; the terminal device may also determine the validity period of the first shared key by referring to other local policies (for example, the validity period of the first shared key does not exceed 1 hour), which is not limited in the present application.
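The two derived parameters described for the terminal device and the fifth network element above (and, on the terminal side, in steps S501 to S502 of fig. 11) are the first temporary identifier, obtained by replacing the second authentication architecture identifier in the second temporary identifier, and the validity period of the first shared key, bounded by the remaining life cycle of the second shared key and by a local policy. The following added example is not code from the patent or from any network vendor; it assumes (the patent does not specify this) that a temporary identifier has the shape `<opaque-token>@<authentication-architecture-identifier>`, that validity periods are handled as Unix timestamps in seconds, and that the local policy cap is the 1-hour figure the text gives as an example. It also handles the edge case the text leaves implicit: a second shared key whose validity period has already elapsed must not yield a first shared key with a zero or negative lifetime.

```python
"""Added example (not the patent's own implementation): first temporary
identifier and first shared key validity period derived from their
second-network counterparts.

Assumptions not stated in the patent text:
  * a temporary identifier is "<opaque-token>@<architecture-identifier>",
    so the architecture identifier is the part after the last '@';
  * validity periods are Unix timestamps / durations in seconds;
  * the local policy cap is 1 hour, as in the text's example.
"""

POLICY_MAX_LIFETIME_S = 60 * 60   # example local policy: first key lives at most 1 hour


def convert_temporary_identifier(second_tid: str, second_arch_id: str, first_arch_id: str) -> str:
    """Replace the second authentication architecture identifier carried in the
    second temporary identifier with the first one (e.g. Temporary ID -> B-TID).

    The check that the identifier really carries the expected second
    architecture identifier prevents a stray or already-converted identifier
    from being silently re-labelled."""
    token, sep, arch = second_tid.rpartition("@")
    if not sep or not token or arch != second_arch_id:
        raise ValueError(f"not a {second_arch_id} temporary identifier: {second_tid!r}")
    return f"{token}@{first_arch_id}"


def derive_first_key_lifetime_seconds(second_expiry_ts: int, now_ts: int,
                                      policy_max_s: int = POLICY_MAX_LIFETIME_S) -> int:
    """Validity period of the first shared key, in seconds from now_ts.

    It is the remaining life cycle of the second shared key, additionally
    capped by local policy. An expired second key yields no first key at all
    (ValueError): re-running the second authentication is the only remedy."""
    remaining = second_expiry_ts - now_ts
    if remaining <= 0:
        raise ValueError("second shared key has expired; second authentication must be re-run")
    return min(remaining, policy_max_s)


def derive_first_network_parameters(second_tid: str, second_expiry_ts: int, now_ts: int,
                                    second_arch_id: str = "akma", first_arch_id: str = "gba") -> dict:
    """What the fifth network element (or the terminal device, independently)
    ends up with: the first temporary identifier and the first key lifetime."""
    return {
        "first_temporary_identifier": convert_temporary_identifier(second_tid, second_arch_id, first_arch_id),
        "first_key_lifetime_s": derive_first_key_lifetime_seconds(second_expiry_ts, now_ts),
    }


if __name__ == "__main__":
    # constructed sample values: a Temporary ID from AKMA and a key that
    # expires in 30 minutes, converted for use in GBA
    now = 1_700_000_000
    print(derive_first_network_parameters("MTIzNDU2@akma", now + 30 * 60, now))
```

Because both sides compute from the same inputs, the terminal device and the fifth network element reach identical values without the fifth network element having to transmit them, which is the second optional implementation manner in the text.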
In specific application, the communication method of the embodiment of the present application may include two implementation manners: in a first implementation manner, the third network element is an HSS, the fourth network element is a SEAF/AUSF/UDM, and the fifth network element is a BSF; in a second implementation manner, the third network element is SEAF/AUSF/UDM, the fourth network element is HSS, and the fifth network element is AAuF.
Referring to fig. 13, a specific flowchart of a first implementation manner of the communication method according to the eighth embodiment of the present application is shown. In the embodiment of the present application, a procedure for obtaining GBA AV based on AKMA AV is described with an example in which the third network element is an HSS, the fourth network element is SEAF/AUSF/UDM, and the fifth network element is BSF. In the embodiment corresponding to fig. 13, the first authentication vector is GBA AV, the first Temporary identifier is B-TID, the first shared key is Ks, the validity period of the first shared key is key lifetime1, the second authentication vector is AKMA AV, the second Temporary identifier is Temporary ID, the second shared key is Kakma, and the validity period of the second shared key is key lifetime 2. In an embodiment of the present application, the method may include:
step S6011: the terminal equipment sends a third request to the BSF; wherein the third request comprises a SEAF/AUSF/UDM identifier and an identifier for identifying the terminal device.
The third request may include the permanent identity of the terminal device or an encapsulated identity of the permanent identity of the terminal device.
It may also include a SEAF/AUSF/UDM route identifier, so that the BSF can determine, through the SEAF/AUSF/UDM route identifier, that the third request is an AKMA-related request.
Optionally, an AKMA authentication indicator is further included, which is used to indicate that the third request is related to AKMA.
Step S6021: the BSF sends the third request to the HSS.
In the embodiment of the application, the BSF needs to communicate with the SEAF/AUSF/UDM through the HSS.
Optionally, the third request may further include a BSF domain name.
It may also include a SEAF/AUSF/UDM route identifier, so that the BSF can determine, through the SEAF/AUSF/UDM route identifier, that the third request is an AKMA-related request.
Alternatively, if the third request includes an AKMA indicator, it is determined to be associated with AKMA.
Step S6031: the HSS sends a fourth request to the SEAF/AUSF/UDM according to the third request; wherein the fourth request comprises an identification of the terminal device.
The identity of the SEAF/AUSF/UDM may be received from the BSF or determined from the identity of the terminal device. The specific determination manner is prior art and is not limited in this embodiment of the application.
In this embodiment of the present application, the fourth network element may be a SEAF, an AUSF, or a UDM, and therefore the HSS may send the fourth request to the SEAF/AUSF/UDM correspondingly according to the SEAF/AUSF/UDM identifier.
Step S6041: the SEAF/AUSF/UDM determines AKMA AV according to the identification of the terminal equipment; determining GBA AV from the AKMA AV.
In the case of the HSS interfacing with the UDM, the current 5G UDM may generate three authentication vectors: the 5G AKA vector (CK', IK', RAND, AUTN, XRES), the EAP AKA' authentication vector (Kausf, RAND, AUTN, XRES), and the AKMA authentication vector (Kakma, RAND, AUTN, XRES). The UDM determines a GBA authentication vector GBA AV (Ks, RAND, AUTN, XRES) based on at least one of the three authentication vectors. Ks may be generated based on CK', IK', Kausf, or Kakma, and the generation may additionally take at least one of the following parameters as input: the BSF domain name, an indication of interworking between AKMA and GBA (optionally, the received AKMA indicator), a freshness parameter 2, the identifier of the terminal device, and the identifier of the second authentication framework. Here, the BSF domain name may be sent to the UDM by the HSS, or the BSF domain name may be determined by the UDM according to its interface connection with the HSS. Here, Ks may also be CK and IK.
In the case of the HSS interfacing with the AUSF, the current 5G AUSF may have three authentication vectors: the 5G AKA vector (Kausf, RAND, AUTN, XRES), the EAP AKA' authentication vector (Kausf, RAND, AUTN, XRES), and the AKMA authentication vector (Kakma, RAND, AUTN, XRES). The UDM determines a GBA authentication vector (Ks, RAND, AUTN, XRES) according to at least one of the three authentication vectors, and generates Ks based on Kausf. Here, Ks may also be CK and IK.
In the case of the HSS having an interface with the SEAF, the current 5G SEAF may have three authentication vectors: the 5G AKA vector (Kseaf, RAND, AUTN, XRES), the EAP AKA' authentication vector (Kseaf, RAND, AUTN, XRES), and the AKMA authentication vector (Kseaf, RAND, AUTN, XRES). The UDM determines a GBA authentication vector (Ks, RAND, AUTN, XRES) according to at least one of the three authentication vectors, and generates Ks based on Kseaf. Here, Ks may also be CK and IK.
Optionally, the SEAF/AUSF/UDM may also determine key lifetime1 from key lifetime2. For example, key lifetime1 may be determined from the remaining lifetime of key lifetime2; in addition, key lifetime1 may also be determined by simultaneously referring to other local policies (e.g., key lifetime1 does not exceed 1 hour).
Possibly, the SEAF/AUSF/UDM may respond to the second request by performing bidirectional AKMA authentication with the terminal device in real time, so that the SEAF/AUSF/UDM shares the AKMA AV, Temporary ID, Kakma, and key lifetime2 with the UE; specifically, the SEAF/AUSF/UDM may perform bidirectional AKMA authentication with the terminal device through the AAuF based on the AKMA framework, which is not described here. Then, the SEAF/AUSF/UDM may perform the process of determining the GBA AV and the like as in the first application scenario, which is not described herein again.
It should be noted that the process of determining the key lifetime1 according to the key lifetime2 may also be implemented by the BSF, and the SEAF/AUSF/UDM may send the key lifetime2 to the BSF.
It should be noted that the process of determining the GBA AV according to the AKMA AV may also be implemented by the HSS, in which case the SEAF/AUSF/UDM may send the AKMA AV to the HSS.
Step S6051: SEAF/AUSF/UDM sends the GBA AV to HSS.
The SEAF/AUSF/UDM sends the GBA AV to the HSS, possibly together with the Temporary ID and/or key lifetime1.
Optionally, the SEAF/AUSF/UDM may further send an authentication indicator (indicator) to the HSS, where the authentication indicator may indicate which authentication vector is used to generate the GBA authentication parameter, or indicate the GBA authentication parameter determined based on the AKMA mechanism.
Optionally, the SEAF/AUSF/UDM may further send a freshness parameter 2 to the HSS to ensure the freshness of key derivation, where the freshness parameter 2 may be a counter, a random number, a nonce, or the like.
Step S6061: the HSS sends the GBA AV to the BSF.
Optionally, the HSS may further send the authentication indicator to the BSF.
Step S6071: and the BSF executes bidirectional authentication with the terminal equipment according to the GBA AV and determines the Ks.
Optionally, the BSF may further send an authentication indicator to the terminal device.
Step S6081: and the terminal equipment determines the Ks according to the GBA AV.
In this embodiment of the application, the terminal device may determine, according to the authentication indicator, which authentication vector is used to generate the authentication parameter, or determine, according to the authentication indicator, the GBA authentication parameter determined based on the AKMA mechanism, and generate the Ks in the same manner as the SEAF, AUSF, or UDM.
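Step S6041 lists the inputs from which Ks is derived (the key of the chosen authentication vector plus the BSF domain name, the interworking indication, freshness parameter 2, the terminal identifier and the second authentication framework identifier), and step S6081 requires the terminal device to reproduce Ks in the same manner. The following added example, which is not code from the patent or from any network vendor, shows one concrete instantiation of that derivation on both sides. The patent names no particular key derivation function; the example assumes HKDF-Expand with HMAC-SHA256 (RFC 5869), a length-prefixed encoding of the input parameters, a 32-byte Kakma and a 4-byte counter as freshness parameter 2. The key, domain name and terminal identifier values are constructed sample data. The terminal-side function only derives Ks after checking the authentication indicator, since a terminal that derives from the wrong vector would fail the authentication that follows.

```python
"""Added example (not the patent's own implementation): deriving the GBA key
Ks from the AKMA key Kakma with a KDF over the parameters named in the
patent text, and checking that the terminal reproduces the same Ks.

Assumptions not stated in the patent text: KDF = HKDF-Expand/HMAC-SHA256;
inputs are length-prefixed and concatenated; Kakma is 32 bytes; freshness
parameter 2 is a 4-byte big-endian counter. All values are constructed.
"""
import hashlib
import hmac

KS_LEN = hashlib.sha256().digest_size          # 32-byte Ks


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256 (the assumed key derivation function)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _lv(field: bytes) -> bytes:
    """Length-value encoding, so that neighbouring inputs cannot be re-split
    into a different set of inputs that yields the same key."""
    return len(field).to_bytes(2, "big") + field


def derive_ks_from_kakma(kakma: bytes, bsf_domain: str, terminal_id: str, freshness2: int,
                         second_arch_id: str = "AKMA",
                         interworking_indicator: str = "AKMA-GBA-interworking") -> bytes:
    """Ks = KDF(Kakma, BSF domain name || interworking indication ||
    freshness parameter 2 || terminal identifier || second framework id)."""
    if len(kakma) < 16:
        raise ValueError("Kakma too short to serve as KDF input key")
    if not 0 <= freshness2 < 2 ** 32:
        raise ValueError("freshness parameter 2 must fit in 4 bytes")
    info = (_lv(bsf_domain.encode()) + _lv(interworking_indicator.encode())
            + _lv(freshness2.to_bytes(4, "big")) + _lv(terminal_id.encode())
            + _lv(second_arch_id.encode()))
    return hkdf_expand(kakma, info, KS_LEN)


# constructed sample data (hypothetical values, not from the patent)
SAMPLE_KAKMA = bytes(range(32))
SAMPLE_BSF_DOMAIN = "bsf.operator.example"
SAMPLE_TERMINAL_ID = "imsi-001010123456789"


def network_side_ks(freshness2: int = 1) -> bytes:
    """SEAF/AUSF/UDM side (step S6041): Ks placed into the GBA AV."""
    return derive_ks_from_kakma(SAMPLE_KAKMA, SAMPLE_BSF_DOMAIN, SAMPLE_TERMINAL_ID, freshness2)


def terminal_side_ks(authentication_indicator: str, freshness2: int = 1) -> bytes:
    """Terminal side (step S6081): the indicator received from the BSF says
    which vector generated the GBA parameters; only then derive Ks the same way."""
    if authentication_indicator != "AKMA":
        raise ValueError(f"unsupported authentication indicator: {authentication_indicator!r}")
    return derive_ks_from_kakma(SAMPLE_KAKMA, SAMPLE_BSF_DOMAIN, SAMPLE_TERMINAL_ID, freshness2)


if __name__ == "__main__":
    print("network Ks :", network_side_ks().hex())
    print("terminal Ks:", terminal_side_ks("AKMA").hex())
    print("match:", network_side_ks() == terminal_side_ks("AKMA"))
```

Two properties worth checking in such a derivation: a changed freshness parameter 2 must change Ks (otherwise repeated interworking requests for the same Kakma reuse a key), and the input encoding must keep the BSF domain name and the terminal identifier from being confused with one another, which the length prefixes guarantee.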
Optionally, after the authentication is finished, the BSF may further send the B-TID and Key lifetime1 to the terminal device UE.
Optionally, the UE may also determine the B-TID and Key lifetime1 by itself.
Optionally, the fifth network element may not receive the B-TID and key lifetime1 from the third network element or the fourth network element, in which case the fifth network element may determine them according to its local policy.
The UE and the BSF thus complete the sharing of Ks, the B-TID, and key lifetime1, and subsequently the UE and the AF may perform key distribution and other processes based on Ks, the B-TID, and key lifetime1, which is not described in detail in this embodiment of the present application.
Referring to fig. 14, a specific flowchart of a second implementation manner of the communication method according to the ninth embodiment of the present application is shown. In the embodiment of the present application, a procedure for obtaining the AKMA AV based on the GBA AV is described with an example in which the third network element is a SEAF/AUSF/UDM, the fourth network element is an HSS, and the fifth network element is an AAuF. In the embodiment corresponding to fig. 14, the first authentication vector is the AKMA AV, the first temporary identifier is the Temporary ID, the first shared key is Kakma, the validity period of the first shared key is key lifetime1, the second authentication vector is the GBA AV, the second temporary identifier is the B-TID, the second shared key is Ks, and the validity period of the second shared key is key lifetime2. In an embodiment of the present application, the method may include:
step S6012: the terminal equipment sends a third request to the AAuF; wherein the third request comprises an identification of the terminal device.
Step S6022: the AAuF sends the third request to the SEAF/AUSF/UDM.
Step S6032: the SEAF/AUSF/UDM sends a fourth request to the HSS according to the third request; wherein the fourth request comprises an identification of the terminal device. The SEAF/AUSF/UDM may determine the HSS according to the identifier of the terminal device; the specific determination manner is prior art and is not limited here.
Step S6042: the HSS determines GBA AV according to the identifier of the terminal equipment; determining AKMA AV from the GBA AV.
Step S6052: HSS sends the AKMA AV to SEAF/AUSF/UDM.
Step S6062: SEAF/AUSF/UDM sends the AKMA AV to AAuF.
Step S6072: and the AAuF executes bidirectional authentication with the terminal equipment according to the AKMA AV and determines Kakma.
Step S6082: the terminal equipment executes bidirectional authentication with the AAuF according to the AKMA AV and determines Kakma.
The difference between this embodiment and the embodiment of fig. 13 is that the UE accesses the AAuF, and the AAuF accesses the HSS through the SEAF/AUSF/UDM, thereby obtaining the AKMA authentication vector. When the AAuF has an interface with the SEAF, the SEAF interacts with the HSS through the AUSF and/or the UDM; when the AAuF has an interface with the AUSF, the AUSF interacts with the HSS through the UDM, or the AUSF interacts directly with the HSS; when the AAuF has an interface with the UDM, the UDM interacts directly with the HSS.
The specific processing manner in the embodiment of the present application is similar to that in the embodiment of fig. 13, and detailed implementation processes are not described herein again.
The UE and the AAuF thus complete the sharing of Kakma, the Temporary ID, and key lifetime1, and subsequently the UE and the AF may perform key distribution and other processes based on Kakma, the Temporary ID, and key lifetime1, which is not described in detail in the embodiment of the present application.
To sum up, in this embodiment of the application, after the third network element receives the third request including the identifier of the terminal device from the fifth network element, the third network element sends the fourth request including the identifier of the terminal device to the fourth network element, the fourth network element may determine the first authentication vector according to the second authentication vector in response to the fourth request, and send the first authentication vector to the third network element, and after receiving the first authentication vector in the third network element, the first authentication based on the first authentication vector may be further implemented by the fifth network element and the terminal device. That is, the fifth network element can implement the first authentication of the terminal device based on the second authentication vector in the fourth network element, thereby implementing the intercommunication between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
Referring to fig. 15, a schematic diagram of a communication flow at the third network element side according to a tenth embodiment of the present application is shown, where the method specifically may include:
step S701: the third network element receives a third request from the fifth network element; wherein the third request is sent to the fifth network element by the terminal device, and the third request comprises an identification of the terminal device.
Step S702: the third network element sends a fourth request to a fourth network element according to the third request; wherein the fourth request comprises an identification of the terminal device.
Step S703: the third network element receives a first authentication vector from the fourth network element; the first authentication vector is determined by the fourth network element according to a second authentication vector, and the second authentication vector is determined by the fourth network element according to the identifier of the terminal device; the first authentication vector is used for security protection in a first network and the second authentication vector is used for security protection in a second network.
The specific implementation process of the embodiment of the present application may refer to actions performed by the third network element in the embodiments corresponding to fig. 12 to 14, and the difference between the embodiment of the present application and the embodiments corresponding to fig. 12 to 14 is that: when other executing bodies send requests to the third network element, the third network element may correspondingly receive the requests, and the execution principle is similar, which is not described herein again for the method in which the third network element is the executing body.
To sum up, in this embodiment of the application, after the third network element receives from the fifth network element the third request including the identifier of the terminal device, the third network element sends the fourth request including the identifier of the terminal device to the fourth network element; in response to the fourth request, the fourth network element may determine the first authentication vector according to the second authentication vector and send the first authentication vector to the third network element; and after the third network element receives the first authentication vector, the fifth network element and the terminal device may further perform the first authentication based on the first authentication vector. That is, the fifth network element can perform the first authentication of the terminal device based on the second authentication vector held in the fourth network element, thereby implementing interworking between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
Referring to fig. 16, a schematic diagram of a communication flow at the fourth network element side according to an eleventh embodiment of the present application is shown, where the method specifically includes:
Step S801: the fourth network element receives a fourth request from the third network element; the fourth request includes an identifier of the terminal device.
Step S802: the fourth network element determines a second authentication vector according to the identifier of the terminal device.
Step S803: the fourth network element determines a first authentication vector according to the second authentication vector.
Step S804: the fourth network element sends the first authentication vector to the third network element; the first authentication vector is used for security protection in a first network, and the second authentication vector is used for security protection in a second network.
For the specific implementation of this embodiment, reference may be made to the actions performed by the fourth network element in the embodiments corresponding to fig. 12 to 14. The difference from those embodiments is that when other executing bodies send requests to the fourth network element, the fourth network element correspondingly receives them; the execution principle is similar, and the method with the fourth network element as the executing body is not described herein again.
To sum up, in this embodiment of the application, after the third network element receives from the fifth network element the third request including the identifier of the terminal device, the third network element sends the fourth request including the identifier of the terminal device to the fourth network element; in response to the fourth request, the fourth network element may determine the first authentication vector according to the second authentication vector and send the first authentication vector to the third network element; and after the third network element receives the first authentication vector, the fifth network element and the terminal device may further perform the first authentication based on the first authentication vector. That is, the fifth network element can perform the first authentication of the terminal device based on the second authentication vector held in the fourth network element, thereby implementing interworking between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
Referring to fig. 17, a schematic diagram of a communication flow at the fifth network element side according to a twelfth embodiment of the present application is shown, where the method may specifically include:
Step S901: the fifth network element receives a third request from the terminal device; wherein the third request includes an identifier of the terminal device.
Step S902: the fifth network element sends the third request to a third network element; the third request is used to instruct the third network element to acquire a first authentication vector from a fourth network element; the first authentication vector is determined by the fourth network element according to a second authentication vector; the first authentication vector is used for security protection in a first network, and the second authentication vector is used for security protection in a second network.
Step S903: the fifth network element receives the first authentication vector from the fourth network element.
For the specific implementation of this embodiment, reference may be made to the actions performed by the fifth network element in the embodiments corresponding to fig. 12 to 14. The difference from those embodiments is that when other executing bodies send requests to the fifth network element, the fifth network element correspondingly receives them; the execution principle is similar, and the method with the fifth network element as the executing body is not described herein again.
To sum up, in this embodiment of the application, after the third network element receives from the fifth network element the third request including the identifier of the terminal device, the third network element sends the fourth request including the identifier of the terminal device to the fourth network element; in response to the fourth request, the fourth network element may determine the first authentication vector according to the second authentication vector and send the first authentication vector to the third network element; and after the third network element receives the first authentication vector, the fifth network element and the terminal device may further perform the first authentication based on the first authentication vector. That is, the fifth network element can perform the first authentication of the terminal device based on the second authentication vector held in the fourth network element, thereby implementing interworking between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
Referring to fig. 18, a schematic diagram of a communication flow at the terminal device side according to a thirteenth embodiment of the present application is shown, where the method may specifically include:
Step S1001: the terminal device sends a third request to the fifth network element; wherein the third request includes an identifier of the terminal device; the third request is used to instruct the fifth network element to send the third request to a third network element, and to instruct the third network element to obtain a first authentication vector from a fourth network element.
Step S1002: the terminal device determines a first authentication vector according to the second authentication vector; the second authentication vector is determined when the terminal device performs second authentication with the fourth network element; the first authentication vector is used for security protection in a first network, and the second authentication vector is used for security protection in a second network.
For the specific implementation of this embodiment, reference may be made to the actions performed by the terminal device in the embodiments corresponding to fig. 12 to 14. The difference from those embodiments is that when other executing bodies send requests to the terminal device, the terminal device correspondingly receives them; the execution principle is similar, and the method with the terminal device as the executing body is not described herein again.
To sum up, in this embodiment of the application, after the third network element receives from the fifth network element the third request including the identifier of the terminal device, the third network element sends the fourth request including the identifier of the terminal device to the fourth network element; in response to the fourth request, the fourth network element may determine the first authentication vector according to the second authentication vector and send the first authentication vector to the third network element; and after the third network element receives the first authentication vector, the fifth network element and the terminal device may further perform the first authentication based on the first authentication vector. That is, the fifth network element can perform the first authentication of the terminal device based on the second authentication vector held in the fourth network element, thereby implementing interworking between the first authentication architecture and the second authentication architecture and improving the flexibility of communication.
Fig. 19 is a schematic structural diagram of a first network element according to a fourteenth embodiment of the present application. As shown in fig. 19, the first network element includes:
a request receiving module 11, configured to receive a first request from a terminal device; wherein the first request includes an identifier of the terminal device;
a sending module 12, configured to send a second request to a second network element according to the first request; wherein the second request includes the identifier of the terminal device; and
a shared key receiving module 13, configured to receive a first shared key from the second network element; the first shared key is determined by the second network element according to a second shared key, and the second shared key is determined by the second network element according to the identifier of the terminal device; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
In an exemplary manner, the first request further includes first indication information, where the first indication information is used to instruct the first network element to acquire the first shared key for the first network from the second network.
In an exemplary manner, the first network element further includes:
a temporary identifier determining module, configured to determine a first temporary identifier of the terminal device; wherein the first temporary identifier is calculated by the first network element or the second network element according to the identifier of the terminal device, and is used for identifying the temporary identity of the terminal device in the first network; and
a temporary identifier sending module, configured to send the first temporary identifier to the terminal device.
In an exemplary manner, the first network element further includes:
a validity period determining module, configured to determine a validity period of the first shared key; wherein the validity period of the first shared key is determined by the first network element or the second network element according to the validity period of the second shared key, and the validity period of the second shared key is determined by the second network element according to the identifier of the terminal device; and
a validity period sending module, configured to send the validity period of the first shared key to the terminal device.
In an exemplary manner, the second request further includes a first network element identifier of the first network element, and
the first shared key is derived by the second network element according to the second shared key and the first network element identifier.
In an exemplary manner, the second shared key is obtained as follows: after receiving the second request, the second network element performs, in response to the second request, second authentication with the terminal device, and the second shared key is the result of that authentication.
The first network element of this embodiment may be configured to execute the method implemented by the first network element in the foregoing embodiments; the specific implementation and technical effect are similar and are not described herein again.
Fig. 20 is a schematic structural diagram of a second network element according to a fifteenth embodiment of the present application. As shown in fig. 20, the second network element includes:
a request receiving module 21, configured to receive a second request from the first network element; the second request includes an identifier of the terminal device;
a second shared key determining module 22, configured to determine a second shared key according to the identifier of the terminal device;
a first shared key determining module 23, configured to determine a first shared key according to the second shared key; and
a first shared key sending module 24, configured to send the first shared key to the first network element; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
In an exemplary manner, the second shared key determining module is further configured to:
determine, according to the identifier of the terminal device and a pre-acquired mapping between terminal identifiers and shared keys in the second network, the second shared key corresponding to the identifier of the terminal device.
In an exemplary manner, the second shared key determining module is further configured to:
perform, in response to the second request, second authentication with the terminal device to obtain the second shared key.
In an exemplary manner, the second network element further includes a second validity period determining module, configured to:
determine the validity period of the second shared key according to the identifier of the terminal device, and send the validity period of the second shared key to the first network element;
or, alternatively,
determine the validity period of the second shared key according to the identifier of the terminal device, determine the validity period of the first shared key according to the validity period of the second shared key, and send the validity period of the first shared key to the first network element.
In an exemplary manner, the second network element further includes a temporary identifier determining module, configured to:
determine a second temporary identifier of the terminal device according to the identifier of the terminal device, and send the second temporary identifier to the first network element; the second temporary identifier is used for identifying the temporary identity of the terminal device in the second network;
or, alternatively,
determine a second temporary identifier of the terminal device according to the identifier of the terminal device, determine a first temporary identifier according to the second temporary identifier, and send the first temporary identifier to the first network element; the first temporary identifier is used for identifying the temporary identity of the terminal device in the first network.
In an exemplary manner, the second request further includes a first network element identifier of the first network element, and
the first shared key is derived by the second network element according to the second shared key and the first network element identifier.
The second network element of this embodiment may be configured to execute the method implemented by the second network element in the foregoing embodiments; the specific implementation and technical effect are similar and are not described herein again.
Fig. 21 is a schematic structural diagram of a terminal device according to a sixteenth embodiment of the present application. As shown in fig. 21, the terminal device includes:
a request sending module 31, configured to send a first request to a first network element; wherein the first request includes an identifier of the terminal device, and the first request is used to instruct the first network element to obtain a first shared key from a second network element; and
a shared key determining module 32, configured to determine the first shared key according to a second shared key; the second shared key is determined when the terminal device performs second authentication with the second network element; the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network.
In an exemplary manner, the first request further includes first indication information, where the first indication information is used to instruct the first network element to acquire the first shared key for the first network from the second network.
In an exemplary manner, the terminal device further includes a temporary identifier determining module, configured to:
receive a first temporary identifier from the first network element; the first temporary identifier is calculated by the first network element or the second network element according to the identifier of the terminal device, and is used for identifying the temporary identity of the terminal device in the first network;
or, alternatively,
determine a first temporary identifier according to the second temporary identifier; the second temporary identifier is used for identifying the temporary identity of the terminal device in the second network.
In an exemplary manner, the terminal device further includes a validity period determining module, configured to:
receive a validity period of the first shared key from the first network element; wherein the validity period of the first shared key is determined by the first network element or the second network element according to the validity period of the second shared key, and the validity period of the second shared key is determined by the second network element according to the identifier of the terminal device;
or, alternatively,
determine the validity period of the first shared key according to the validity period of the second shared key; the validity period of the second shared key is determined when the terminal device performs second authentication with the second network element.
The terminal device of this embodiment may be configured to execute the method implemented by the terminal device in the foregoing embodiments; the specific implementation and technical effect are similar and are not described herein again.
Fig. 22 is a schematic structural diagram of a third network element according to a seventeenth embodiment of the present application. As shown in fig. 22, the third network element includes:
a request receiving module 41, configured to receive a third request from a fifth network element; wherein the third request is sent to the fifth network element by the terminal device, and the third request includes an identifier of the terminal device;
a request sending module 42, configured to send a fourth request to a fourth network element according to the third request; wherein the fourth request includes the identifier of the terminal device; and
an authentication vector receiving module 43, configured to receive a first authentication vector from the fourth network element; the first authentication vector is determined by the fourth network element according to a second authentication vector, and the second authentication vector is determined by the fourth network element according to the identifier of the terminal device; the first authentication vector is used for security protection in a first network, and the second authentication vector is used for security protection in a second network.
The third network element of this embodiment may be configured to execute the method implemented by the third network element in the foregoing embodiments; the specific implementation and technical effect are similar and are not described herein again.
Fig. 23 is a schematic structural diagram of a fourth network element according to an eighteenth embodiment of the present application. As shown in fig. 23, the fourth network element includes:
a request receiving module 51, configured to receive a fourth request from the third network element; the fourth request includes an identifier of the terminal device;
a second authentication vector determining module 52, configured to determine a second authentication vector according to the identifier of the terminal device;
a first authentication vector determining module 53, configured to determine a first authentication vector according to the second authentication vector; and
a first authentication vector sending module 54, configured to send the first authentication vector to the third network element; the first authentication vector is used for security protection in a first network, and the second authentication vector is used for security protection in a second network.
The fourth network element of this embodiment may be configured to execute the method implemented by the fourth network element in the foregoing embodiments; the specific implementation and technical effect are similar and are not described herein again.
Fig. 24 is a schematic structural diagram of a fifth network element according to a nineteenth embodiment of the present application. As shown in fig. 24, the fifth network element includes:
a request receiving module 61, configured to receive a third request from the terminal device; wherein the third request includes an identifier of the terminal device;
a request sending module 62, configured to send the third request to a third network element; the third request is used to instruct the third network element to acquire a first authentication vector from a fourth network element; the first authentication vector is determined by the fourth network element according to a second authentication vector; the first authentication vector is used for security protection in a first network, and the second authentication vector is used for security protection in a second network; and
an authentication vector receiving module 63, configured to receive the first authentication vector from the fourth network element.
The fifth network element of this embodiment may be configured to execute the method implemented by the fifth network element in the foregoing embodiments; the specific implementation and technical effect are similar and are not described herein again.
Fig. 25 is a schematic structural diagram of a terminal device according to a twenty-first embodiment of the present application. As shown in fig. 25, the terminal device includes:
a request sending module 71, configured to send a third request to the fifth network element; wherein the third request includes an identifier of the terminal device; the third request is used to instruct the fifth network element to send the third request to a third network element and to instruct the third network element to acquire a first authentication vector from a fourth network element; and
an authentication vector determining module 72, configured to determine a first authentication vector according to the second authentication vector; the second authentication vector is determined when the terminal device performs second authentication with the fourth network element; the first authentication vector is used for security protection in a first network, and the second authentication vector is used for security protection in a second network.
The terminal device of this embodiment may be configured to execute the method implemented by the terminal device in the foregoing embodiments; the specific implementation and technical effect are similar and are not described herein again.
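The shared-key interworking described for the apparatus of fig. 19 to 21 (and in claims 1 to 6 below) and the authentication-vector interworking described for fig. 22 to 25 have the same shape: a credential established in the second network is turned into a credential for the first network, bound to the requesting first network element, and the terminal device reproduces the same credential locally from its own copy of the second-network credential. The following Python script is an added example, not code from the patent or from Huawei, and models the shared-key case end to end. HMAC-SHA256 as the derivation function, the label strings, the validity-period and temporary-identifier rules, the identifiers and all key values are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass


def kdf(key: bytes, label: bytes, *context: bytes) -> bytes:
    """Key derivation used by this demo: HMAC-SHA256 keyed with the parent key over a
    label and length-prefixed context fields (an assumption, not the patent's KDF)."""
    msg = label + b"".join(len(c).to_bytes(2, "big") + c for c in context)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class FirstKeyMaterial:
    """What the second network element returns to the first network element."""
    first_shared_key: bytes
    valid_until: int      # Unix seconds; the validity-period format is an assumption
    first_temp_id: str    # temporary identity of the terminal in the first network


class SecondNetworkElement:
    """Anchor of the second authentication architecture. Holds the mapping
    terminal identifier -> (second shared key, validity end) that the second
    authentication established (pre-populated here; the authentication run itself
    is not modelled)."""

    FIRST_KEY_LIFETIME = 3600  # seconds; assumed policy value

    def __init__(self, table: dict):
        self._table = table

    def handle_second_request(self, terminal_id: str, first_ne_id: str, now: int) -> FirstKeyMaterial:
        if terminal_id not in self._table:
            raise KeyError("no second shared key for this terminal; second authentication needed")
        k2, k2_valid_until = self._table[terminal_id]
        if now >= k2_valid_until:
            raise ValueError("second shared key expired; rerun second authentication")
        # Bind the derived key to the requesting first network element's identifier,
        # so two first network elements never receive the same key.
        k1 = kdf(k2, b"first-shared-key", terminal_id.encode(), first_ne_id.encode())
        # The first key's validity is derived from the second key's and cannot exceed it.
        k1_valid_until = min(k2_valid_until, now + self.FIRST_KEY_LIFETIME)
        # Temporary identifier derived from the terminal identifier under the second key,
        # so it is not linkable to the permanent identifier by an observer.
        temp_id = kdf(k2, b"first-temp-id", terminal_id.encode()).hex()[:16]
        return FirstKeyMaterial(k1, k1_valid_until, temp_id)


class FirstNetworkElement:
    """Element of the first authentication architecture; it holds no key for the
    terminal itself and obtains one from the second network element."""

    def __init__(self, ne_id: str, second_ne: SecondNetworkElement):
        self.ne_id = ne_id
        self._second_ne = second_ne

    def handle_first_request(self, terminal_id: str, now: int) -> FirstKeyMaterial:
        # The second request carries the terminal identifier plus this element's own identifier.
        return self._second_ne.handle_second_request(terminal_id, self.ne_id, now)


class TerminalDevice:
    """Holds the second shared key from its own run of the second authentication and
    derives the first shared key locally, mirroring the second network element."""

    def __init__(self, terminal_id: str, k2: bytes, k2_valid_until: int):
        self.terminal_id = terminal_id
        self._k2 = k2
        self._k2_valid_until = k2_valid_until

    def derive_first_shared_key(self, first_ne_id: str) -> bytes:
        return kdf(self._k2, b"first-shared-key", self.terminal_id.encode(), first_ne_id.encode())

    def derive_first_temp_id(self) -> str:
        return kdf(self._k2, b"first-temp-id", self.terminal_id.encode()).hex()[:16]


def run_flow(first_ne_id: str = "first-ne-1", now: int = 1_700_000_000) -> dict:
    """Runs one interworking exchange on constructed sample data and reports whether
    both sides ended up with the same first shared key and temporary identifier."""
    terminal_id = "terminal-0001"                                  # constructed sample identifier
    k2 = hashlib.sha256(b"demo second shared key").digest()        # constructed sample key
    k2_valid_until = now + 86_400
    second_ne = SecondNetworkElement({terminal_id: (k2, k2_valid_until)})
    first_ne = FirstNetworkElement(first_ne_id, second_ne)
    terminal = TerminalDevice(terminal_id, k2, k2_valid_until)

    material = first_ne.handle_first_request(terminal_id, now)   # first request -> second request
    return {
        "first_shared_key": material.first_shared_key,
        "keys_match": material.first_shared_key == terminal.derive_first_shared_key(first_ne_id),
        "temp_id_match": material.first_temp_id == terminal.derive_first_temp_id(),
        "valid_until": material.valid_until,
        "valid_within_second_key": material.valid_until <= k2_valid_until,
    }


if __name__ == "__main__":
    r = run_flow()
    print("keys match:", r["keys_match"], "temp id match:", r["temp_id_match"])
```

Two properties worth checking when implementing such interworking are visible in the script: the first shared key differs per first network element identifier, so a key handed to one element is useless to another, and the second network element refuses to derive from an expired second shared key rather than silently issuing a first key that outlives its parent.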
Fig. 26 is a schematic structural diagram of a first network element according to a twenty-first embodiment of the present application. As shown in fig. 26, the first network element 800 includes a processor 81, a memory 82 and a transceiver 83, where the memory 82 is configured to store instructions, the transceiver 83 is configured to communicate with other devices, and the processor 81 is configured to execute the instructions stored in the memory, so as to cause the first network element 800 to perform the method performed by the first network element in the above method embodiments.
Fig. 27 is a schematic structural diagram of a second network element according to a twenty-second embodiment of the present application. As shown in fig. 27, the second network element 900 includes a processor 91, a memory 92 and a transceiver 93, where the memory 92 is configured to store instructions, the transceiver 93 is configured to communicate with other devices, and the processor 91 is configured to execute the instructions stored in the memory, so as to cause the second network element 900 to perform the method performed by the second network element in the above method embodiments.
Fig. 28 is a schematic structural diagram of a UE according to a twenty-third embodiment of the present application. As shown in fig. 28, the UE 1000 includes a processor 101, a memory 102 and a transceiver 103, where the memory 102 is configured to store instructions, the transceiver 103 is configured to communicate with other devices, and the processor 101 is configured to execute the instructions stored in the memory, so as to cause the UE 1000 to perform the method performed by the UE in the above method embodiments.
The embodiment of the present application further provides a storage medium, where the storage medium is used to store a computer program, and the computer program is used to implement the communication method described in the above embodiment.
It is understood that the processor in the embodiments of the present application may be a Central Processing Unit (CPU), a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The processor may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, for example one or more microprocessors, or a DSP combined with a microprocessor, and the like.
The bus described in the embodiments of the present application may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, a single bus is drawn in the figures of the present application, but this does not mean that there is only one bus or one type of bus.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only one logical division, and other divisions may be used in practice; for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some steps of the methods according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.

Claims (15)

1. A method of communication, comprising:
a first network element receives a first request from a terminal device, wherein the first request comprises an identifier of the terminal device;
the first network element sends a second request to a second network element according to the first request, wherein the second request comprises the identifier of the terminal device;
the first network element receives a first shared key from the second network element, wherein the first shared key is determined by the second network element according to a second shared key, the second shared key is determined by the second network element according to the identifier of the terminal device, the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network;
wherein the first network element is a network element that performs first authentication based on a first authentication architecture in the first network, the second network element is a network element that performs second authentication based on a second authentication architecture in the second network, and the first authentication architecture is different from the second authentication architecture.
2. The method of claim 1, further comprising, after the first network element sends the second request to the second network element according to the first request:
the first network element determines a first temporary identifier of the terminal device, wherein the first temporary identifier is calculated by the first network element or the second network element according to the identifier of the terminal device, and the first temporary identifier is used for identifying the temporary identity of the terminal device in the first network; and
the first network element sends the first temporary identifier to the terminal device.
3. The method of claim 1 or 2, further comprising, after the first network element sends the second request to the second network element according to the first request:
the first network element determines a validity period of the first shared key, wherein the validity period of the first shared key is determined by the first network element or the second network element according to a validity period of the second shared key, and the validity period of the second shared key is determined by the second network element according to the identifier of the terminal device; and
the first network element sends the validity period of the first shared key to the terminal device.
4. The method of claim 1 or 2, wherein the second request further comprises a first network element identifier of the first network element, and
the first shared key is derived by the second network element according to the second shared key and the first network element identifier.
5. The method of claim 1 or 2, wherein the first authentication architecture is a GBA authentication architecture and the second authentication architecture is an AKMA authentication architecture.
6. A method of communication, comprising:
a second network element receives a second request from a first network element, wherein the second request comprises an identifier of a terminal device;
the second network element determines a second shared key according to the identifier of the terminal device;
the second network element determines a first shared key according to the second shared key;
the second network element sends the first shared key to the first network element, wherein the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network;
wherein the first network element is a network element that performs first authentication based on a first authentication architecture in the first network, the second network element is a network element that performs second authentication based on a second authentication architecture in the second network, and the first authentication architecture is different from the second authentication architecture.
7. The method of claim 6, further comprising, after the second network element receives the second request from the first network element:
the second network element determines a validity period of the second shared key according to the identifier of the terminal device, and the second network element sends the validity period of the second shared key to the first network element;
or, alternatively,
the second network element determines a validity period of the second shared key according to the identifier of the terminal device, the second network element determines a validity period of the first shared key according to the validity period of the second shared key, and the second network element sends the validity period of the first shared key to the first network element.
8. The method of claim 6 or 7, further comprising, after the second network element receives the second request from the first network element:
the second network element determines a second temporary identifier of the terminal device according to the identifier of the terminal device, and the second network element sends the second temporary identifier to the first network element, wherein the second temporary identifier is used for identifying the temporary identity of the terminal device in the second network;
or, alternatively,
the second network element determines a second temporary identifier of the terminal device according to the identifier of the terminal device, the second network element determines a first temporary identifier according to the second temporary identifier, and the second network element sends the first temporary identifier to the first network element, wherein the first temporary identifier is used for identifying the temporary identity of the terminal device in the first network.
9. The method of claim 6 or 7, wherein the second request further comprises a first network element identifier of the first network element, and
the first shared key is derived by the second network element according to the second shared key and the first network element identifier.
10. A method of communication, comprising:
a terminal device sends a first request to a first network element, wherein the first request comprises an identifier of the terminal device, and the first request is used for instructing the first network element to obtain a first shared key from a second network element;
the terminal device determines the first shared key according to a second shared key, wherein the second shared key is determined when the terminal device performs second authentication with the second network element, the first shared key is used for security protection in a first network, and the second shared key is used for security protection in a second network;
wherein the first network element is a network element that performs first authentication based on a first authentication architecture in the first network, the second network element is a network element that performs the second authentication based on a second authentication architecture in the second network, and the first authentication architecture is different from the second authentication architecture.
11. The method of claim 10, further comprising, after the terminal device sends the first request to the first network element:
the terminal device receives a first temporary identifier from the first network element, wherein the first temporary identifier is calculated by the first network element or the second network element according to the identifier of the terminal device, and the first temporary identifier is used for identifying the temporary identity of the terminal device in the first network;
or, alternatively,
the terminal device determines a first temporary identifier according to a second temporary identifier, wherein the second temporary identifier is used for identifying the temporary identity of the terminal device in the second network.
12. The method of claim 10, further comprising, after the terminal device sends the first request to the first network element:
the terminal device receives a validity period of the first shared key from the first network element, wherein the validity period of the first shared key is determined by the first network element or the second network element according to a validity period of the second shared key, and the validity period of the second shared key is determined by the second network element according to the identifier of the terminal device;
or, alternatively,
the terminal device determines a validity period of the first shared key according to a validity period of the second shared key, wherein the validity period of the second shared key is determined when the terminal device performs the second authentication with the second network element.
13. A first network element, comprising a processor, a memory, and a transceiver, the memory being configured to store instructions, the transceiver being configured to communicate with other devices, and the processor being configured to execute the instructions stored in the memory to cause the first network element to perform the method of any one of claims 1 to 5.
14. A second network element, comprising a processor, a memory, and a transceiver, the memory being configured to store instructions, the transceiver being configured to communicate with other devices, and the processor being configured to execute the instructions stored in the memory to cause the first network element to perform the method of any one of claims 6 to 9.
15. A terminal device (UE), comprising a processor, a memory, and a transceiver, the memory being configured to store instructions, the transceiver being configured to communicate with other devices, and the processor being configured to execute the instructions stored in the memory to cause the UE to perform the method of any one of claims 10 to 12.
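The same exchange seen from all three parties at once, as an added Python simulation that is not code from the patent or from Huawei: the terminal and the second network element already share K2 from the second authentication; the first network element forwards the terminal's identifier together with its own identifier, receives K1 = KDF(K2, first network element identifier), and the terminal derives the identical K1 locally, so K1 never crosses the air interface. Everything the claims leave open is an assumption here and is marked as such in the code: the KDF (HMAC-SHA256), how the temporary identifiers are formed, the rule that K1's validity period never exceeds K2's, and all sample identifiers and key material, which are constructed. The simulation also exercises the two failure modes a first network element must handle: a terminal with no second-authentication context, and a key whose validity period has lapsed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

FIRST_KEY_MAX_LIFETIME = 3600  # assumed policy of the first network, in seconds

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Assumed KDF (the patent fixes none): HMAC-SHA256 over a label and length-prefixed inputs."""
    msg = label
    for p in parts:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_first_key(k2: bytes, first_ne_id: bytes) -> bytes:
    return kdf(k2, b"first-shared-key", first_ne_id)  # from K2 and the first NE identifier (claims 4, 9)

def derive_second_temp_id(k2: bytes, ue_id: bytes) -> str:
    return kdf(k2, b"temp-id-2", ue_id)[:16].hex()  # keyed, so it does not expose ue_id (assumption)

def derive_first_temp_id(temp_id2: str, first_ne_id: bytes) -> str:
    return hashlib.sha256(b"temp-id-1|" + temp_id2.encode() + b"|" + first_ne_id).hexdigest()[:32]

def derive_first_expiry(expiry2: int, now: int) -> int:
    return min(expiry2, now + FIRST_KEY_MAX_LIFETIME)  # K1 never outlives K2 (claims 3, 7, 12)

class AuthError(Exception):
    pass

@dataclass
class SecondNetworkElement:
    contexts: dict = field(default_factory=dict)  # ue_id -> (K2, K2 expiry) from the second authentication

    def handle_second_request(self, req: dict, now: int) -> dict:
        ctx = self.contexts.get(req["ue_id"])
        if ctx is None:
            raise AuthError("terminal has no second-authentication context")
        k2, expiry2 = ctx
        if expiry2 <= now:
            raise AuthError("second shared key has expired")
        temp_id2 = derive_second_temp_id(k2, req["ue_id"])
        return {"first_shared_key": derive_first_key(k2, req["first_ne_id"]),
                "first_temp_id": derive_first_temp_id(temp_id2, req["first_ne_id"]),
                "first_key_expiry": derive_first_expiry(expiry2, now)}

@dataclass
class FirstNetworkElement:
    ne_id: bytes
    second_ne: SecondNetworkElement
    keys: dict = field(default_factory=dict)  # first_temp_id -> (K1, expiry)

    def handle_first_request(self, req: dict, now: int) -> dict:
        # The second request carries the UE identifier plus this element's own identifier.
        resp = self.second_ne.handle_second_request({"ue_id": req["ue_id"], "first_ne_id": self.ne_id}, now)
        self.keys[resp["first_temp_id"]] = (resp["first_shared_key"], resp["first_key_expiry"])
        # Only the temporary identifier and validity period go back to the terminal; K1 never does.
        return {"first_temp_id": resp["first_temp_id"], "first_key_expiry": resp["first_key_expiry"]}

    def verify(self, temp_id: str, msg: bytes, tag: bytes, now: int) -> bool:
        k1, expiry = self.keys.get(temp_id, (None, 0))
        if k1 is None or expiry <= now:  # unknown or expired key: reject
            return False
        return hmac.compare_digest(hmac.new(k1, msg, hashlib.sha256).digest(), tag)

@dataclass
class Terminal:
    ue_id: bytes
    k2: bytes  # established during the second authentication
    k1: bytes = b""
    temp_id1: str = ""

    def run(self, first_ne: FirstNetworkElement, now: int) -> None:
        resp = first_ne.handle_first_request({"ue_id": self.ue_id}, now)
        self.temp_id1 = resp["first_temp_id"]
        self.k1 = derive_first_key(self.k2, first_ne.ne_id)  # derived locally, never received (claim 10)

    def protect(self, msg: bytes) -> bytes:
        return hmac.new(self.k1, msg, hashlib.sha256).digest()

# Constructed sample values, not taken from the patent.
UE_ID = b"supi-001010123456789"
K2 = hashlib.sha256(b"constructed K2 from the second authentication").digest()
FIRST_NE_ID = b"bsf.first-network.example"
NOW = 1_700_000_000

def run_exchange(now: int = NOW, k2_expiry: int = NOW + 600):
    second = SecondNetworkElement({UE_ID: (K2, k2_expiry)})
    first = FirstNetworkElement(FIRST_NE_ID, second)
    ue = Terminal(UE_ID, K2)
    ue.run(first, now)
    return ue, first

def keys_agree(ue: Terminal, first: FirstNetworkElement) -> bool:
    return hmac.compare_digest(ue.k1, first.keys[ue.temp_id1][0])

if __name__ == "__main__":
    ue, first = run_exchange()
    msg = b"application data protected in the first network"
    print("keys agree:", keys_agree(ue, first))
    print("MAC accepted:", first.verify(ue.temp_id1, msg, ue.protect(msg), NOW + 10))
```

Binding the first network element's identifier into the derivation is what keeps K1 specific to that element: a different first network element asking for a key for the same terminal gets a different K1, so compromise of one element's key store does not yield keys usable at another. Clamping the validity period to K2's expiry means a revoked or expired second authentication cannot be outlived by keys derived from it, which is the check the `verify` method enforces on the first network's side.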
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910356343.4A CN111866871B (en) 2019-04-29 2019-04-29 Communication method and device
PCT/CN2020/082105 WO2020220903A1 (en) 2019-04-29 2020-03-30 Communication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910356343.4A CN111866871B (en) 2019-04-29 2019-04-29 Communication method and device

Publications (2)

Publication Number Publication Date
CN111866871A CN111866871A (en) 2020-10-30
CN111866871B true CN111866871B (en) 2021-11-26

Family

ID=72965375

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910356343.4A Active CN111866871B (en) 2019-04-29 2019-04-29 Communication method and device

Country Status (2)

Country Link
CN (1) CN111866871B (en)
WO (1) WO2020220903A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112672345B (en) * 2019-09-30 2023-02-10 Huawei Technologies Co., Ltd. Communication authentication method and related equipment
CN112311543B (en) * 2020-11-17 2023-04-18 China United Network Communications Group Co., Ltd. GBA key generation method, terminal and NAF network element
CN114980076A (en) * 2021-02-20 2022-08-30 Huawei Technologies Co., Ltd. Method and communication device for protecting identity privacy
WO2023245388A1 (en) * 2022-06-20 2023-12-28 Beijing Xiaomi Mobile Software Co., Ltd. Secure communication method and apparatus

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101656956A (en) * 2008-08-22 2010-02-24 Huawei Technologies Co., Ltd. Method, system and gateway for accessing 3GPP network
CN109089288A (en) * 2017-06-14 2018-12-25 Huawei Technologies Co., Ltd. Data transmission method and apparatus
CN109560919A (en) * 2017-09-27 2019-04-02 Huawei Technologies Co., Ltd. Key derivation algorithm negotiation method and apparatus

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI20050384A0 (en) * 2005-04-14 2005-04-14 Nokia Corp Use of generic authentication architecture for distribution of Internet protocol keys in mobile terminals
US7626963B2 (en) * 2005-10-25 2009-12-01 Cisco Technology, Inc. EAP/SIM authentication for mobile IP to leverage GSM/SIM authentication infrastructure
US9350550B2 (en) * 2013-09-10 2016-05-24 M2M And Iot Technologies, Llc Power management and security for wireless modules in “machine-to-machine” communications
DE112016006932T5 (en) * 2016-06-01 2019-02-28 Intel IP Corporation User Equipment (UE) and method for receiving downlink data services

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on authentication and key management for applications based on 3GPP credentials in 5G (Release 16)"; www.3GPP.org; 3GPP TR 33.835 V0.4.0; 2019-04-01; main text pp. 1-62, Figure 6.4.1 *

Also Published As

Publication number Publication date
CN111866871A (en) 2020-10-30
WO2020220903A1 (en) 2020-11-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant