CN117082504A - Key generation method and device and network equipment - Google Patents


Info

Publication number
CN117082504A (application CN202210502335.8A)
Authority
CN (China)
Prior art keywords
network element; authentication identity; information; identifier; authentication
Legal status
Pending
Application number
CN202210502335.8A
Other languages
Chinese (zh)
Inventors
王珂
黄晓婷
Current assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/06 Authentication
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a key generation method and device and network equipment, wherein the method comprises the following steps: after receiving a key generation request message sent by a second network element, a first network element checks whether a first network element identifier contained in the key generation request message has a corresponding relation with an authentication identity of the second network element; and if the first network element identifier contained in the key generation request message has a corresponding relation with the authentication identity of the second network element, generating a key based on the first network element identifier and sending the key to the second network element.

Description

Key generation method and device and network equipment
Technical Field
The present application relates to the field of wireless communications technologies, and in particular, to a method and an apparatus for generating a key, and a network device.
Background
When a User Equipment (UE) initiates communication with an Application Function (AF), the AF needs to obtain the Authentication and Key Management for Applications (AKMA) application key, K_AF. When the AF requests K_AF from the AKMA Anchor Function (AAnF), the AF provides its AF_ID to the AAnF; the AAnF derives K_AF from the AF_ID and returns K_AF to the AF. However, the AF_ID is public or configurable, so the K_AF that the AF uses to communicate with the UE is easily leaked, and the security of the communication between the AF and the UE cannot be guaranteed.
Disclosure of Invention
In order to solve the technical problems, the embodiment of the application provides a key generation method and device, network equipment, a chip and a computer readable storage medium.
The key generation method provided by the embodiment of the application comprises the following steps:
after receiving a key generation request message sent by a second network element, a first network element checks whether a first network element identifier contained in the key generation request message has a corresponding relation with an authentication identity of the second network element;
and if the first network element identifier contained in the key generation request message has a corresponding relation with the authentication identity of the second network element, generating a key based on the first network element identifier and sending the key to the second network element.
The key generation device provided by the embodiment of the application is applied to a first network element, and comprises:
a receiving unit, configured to receive a key generation request message sent by a second network element;
The processing unit is used for checking whether the first network element identifier contained in the key generation request message has a corresponding relation with the authentication identity of the second network element; if the first network element identifier contained in the key generation request message has a corresponding relation with the authentication identity of the second network element, generating a key based on the first network element identifier;
and the sending unit is used for sending the secret key to the second network element.
The network device provided by the embodiment of the application comprises: the system comprises a processor and a memory, wherein the memory is used for storing a computer program, and the processor is used for calling and running the computer program stored in the memory and executing any one of the key generation methods.
The chip provided by the embodiment of the application comprises: and a processor for calling and running the computer program from the memory, so that the device on which the chip is mounted performs any one of the methods described above.
The computer-readable storage medium provided by the embodiments of the present application is used for storing a computer program, where the computer program causes a computer to execute any one of the methods described above.
In the technical scheme of the embodiment of the application, after the first network element receives the key generation request message sent by the second network element, the first network element checks whether the first network element identifier contained in the key generation request message has a corresponding relation with the authentication identity of the second network element, and only when the first network element identifier has a corresponding relation with the authentication identity of the second network element, the first network element generates the key for the second network element based on the first network element identifier, so that the key acquired by the second network element is generated based on the network element identifier corresponding to the authentication identity of the second network element, the second network element is prevented from stealing keys of other network elements, the other network elements are prevented from stealing keys of the second network element, and the security of the key is ensured.
Drawings
FIG. 1 is a diagram of a 5G network system architecture;
FIG. 2 is a schematic diagram of an AKMA key hierarchy;
FIG. 3 is a flow diagram of the derivation of K_AKMA;
FIG. 4 is a flow diagram of the derivation of K_AF;
fig. 5 is a schematic flow chart of a key generation method according to an embodiment of the present application;
fig. 6 is a second flowchart of a key generation method according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a key generating device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 9 is a schematic structural view of a chip of an embodiment of the present application.
Detailed Description
The following description of the technical solutions according to the embodiments of the present application will be given with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In order to facilitate understanding of the technical solutions of the embodiments of the present application, the following description describes related technologies of the embodiments of the present application, and the following related technologies may be optionally combined with the technical solutions of the embodiments of the present application as alternatives, which all belong to the protection scope of the embodiments of the present application.
5G network system architecture
Fig. 1 is a diagram of a 5G network system architecture, and as shown in fig. 1, network elements involved in the 5G network system include: user Equipment (UE), radio access Network (Radio Access Network, RAN), user plane function (User Plane Function, UPF), data Network (DN), access and mobility management function (Access and Mobility Management Function, AMF), session management function (Session Management Function, SMF), policy control function (Policy Control Function, PCF), application function (Application Function, AF), authentication server function (Authentication Server Function, AUSF), unified Data management (Unified Data Management, UDM).
The technical solution of the embodiment of the present application may be applied to, but not limited to, the 5G network system architecture shown in fig. 1, for example, an enhanced 5G network system architecture, a 6G network system architecture, a future network system architecture, or the like.
AKMA
In the related art, 5G specifies an architecture and procedures (AKMA) that provide authentication and key management capabilities to upper-layer applications based on 3GPP credentials. In the 5G network, using the terminal's UICC credentials and the network resources controlled by the operator, together with the network's capabilities for terminal identity authentication and secure data transmission, authentication and session keys are provided to service applications. This gives a lightweight application-layer authentication and secure-channel establishment solution for user terminals accessing service applications in the mobile Internet era.
As shown in Fig. 2, the AKMA key hierarchy comprises the keys K_AUSF, K_AKMA and K_AF. K_AUSF is generated by the AUSF. K_AKMA is derived from K_AUSF by the ME and the AUSF and is the key held by the AAnF. K_AF is derived from K_AKMA by the ME and the AAnF and is the key of the AF.
The AAnF and AF in Fig. 2 are explained below.
AAnF: the AAnF is an anchor function deployed in the Home Public Land Mobile Network (HPLMN). It stores the AKMA anchor key (K_AKMA) for the AKMA service; the AUSF sends this key to the AAnF after the UE has successfully completed 5G primary authentication. The AAnF also generates the key material used between the UE and the AF, and maintains the AKMA context of the UE.
AF: an AF that supports the AKMA service can request the AKMA application key (K_AF) from the AAnF using the AKMA key identifier (A-KID). The AF must be authenticated and authorized by the operator network before it can obtain K_AF. An AF deployed inside the operator network performs the AAnF selection function.
AKMA requires no additional UE authentication; it reuses 5G primary authentication to authenticate the UE, e.g. the 5G primary authentication procedure performed during UE registration. After successful 5G primary authentication, K_AUSF is stored in the AUSF and in the UE, and K_AKMA is derived from K_AUSF. Specifically, as shown in Fig. 3, the procedure comprises the following steps:
Step 301: the AUSF sends a UE authentication request message to the UDM.
Here, the UE authentication request message may be a Nudm_UEAuthentication_Get Request, which contains the SUPI or SUCI of the UE.
Step 302: the UDM sends a UE authentication response message to the AUSF.
Here, the UE authentication response message may be a Nudm_UEAuthentication_Get Response, which contains the following information: AV, [AKMA Ind], [RID].
Step 303a: the UE and the AUSF generate K_AKMA from K_AUSF.
Step 303b: the UE and the AUSF generate a-KID.
Step 304: the AUSF sends an AKMA anchor key registration request message to AAnF.
Here, the AKMA anchor key registration request message may be a Naanf_AKMA_AnchorKey_Register Request, which contains the following information: SUPI, A-KID, K_AKMA.
Step 305: the AAnF sends an AKMA anchor key registration response message to the AUSF.
Here, the AKMA anchor key registration response message may be a Naanf_AKMA_AnchorKey_Register Response.
Before interacting with the AKMA application server, the UE derives K_AKMA and the A-KID from K_AUSF, see steps 303a and 303b in Fig. 3. Before communication between the UE and the AF starts, the UE and the AF need to know whether AKMA can be used; this is either implicit in the specific application of the UE and the AF or indicated to the UE by the AF. When the AF is located inside the operator network, the AF requests the AKMA application key (K_AF) directly. Specifically, as shown in Fig. 4, the procedure comprises the following steps:
step 401: the UE sends an application session establishment request message to the AF, the message containing the a-KID.
Here, when the UE initiates communication with the AF, the UE sends an application session establishment request message to the AF containing the A-KID. The UE may derive K_AF from K_AKMA before or after sending this message.
Step 402: the AF sends a key generation request message to the AAnF, containing the A-KID and the AF_ID.
Here, the key generation request message may be a Naanf_AKMA_ApplicationKey_Get Request.
If the AF has no active context associated with the A-KID, the AF performs AAnF selection and sends the key generation request message to the selected AAnF; the message contains the A-KID and the AF_ID. The AF_ID consists of the FQDN of the AF and a Ua protocol identifier, where the Ua protocol identifier identifies the security protocol used between the AF and the UE.
The AAnF checks whether it can provide service to the AF using the AF_ID, according to configured local policy or to authorization information or policy provided by the NRF. If so, the AAnF executes the following procedure; otherwise the AAnF rejects it.
The AAnF determines whether the user is authorized to use AKMA by checking whether a corresponding (i.e. valid) K_AKMA can be found via the A-KID.
If a valid K_AKMA exists in the AAnF, the AAnF continues with step 403.
If no valid K_AKMA exists in the AAnF, the AAnF continues with step 404 and sends an error response.
Step 403: the AAnF derives K_AF from K_AKMA.
Here, if the AAnF does not already have K_AF, it derives K_AF from K_AKMA. The input key of the key derivation function (KDF) is K_AKMA, and the following parameters are used to construct the input S of the KDF:
- FC = 0x82;
- P0 = AF_ID;
- L0 = length of AF_ID.
The AF_ID is formed as AF_ID = FQDN of the AF || Ua, where Ua identifies the security protocol used between the AF and the UE.
Step 404: the AAnF sends a key generation response message to the AF, containing K_AF, the K_AF lifetime (K_AF expTime) and the SUPI.
Here, the key generation response message may be a Naanf_AKMA_ApplicationKey_Get Response.
If the response in step 404 indicates that the AKMA key request failed, the AF rejects the application session establishment request and carries the error cause in the application session establishment response. The UE may then send a new application session establishment request message to the AF carrying a new A-KID.
Step 405: the AF sends an application session establishment response message to the UE.
In the flow of Fig. 4, an AF with the AKMA service requests the AKMA application key (K_AF) from the AAnF using the AKMA key identifier (A-KID) and the AF_ID that identifies the application, where AF_ID = FQDN of the AF || Ua and Ua identifies the security protocol used between the AF and the UE. However, the AF_ID is easy to forge. Consider the following scenario. Application a (AF a, identified by AF_IDa) and application b (AF b, identified by AF_IDb) both support the AKMA service, and both can request K_AF from the AAnF using the A-KID. The UE's AKMA key identifier is A-KID. When the UE starts the AKMA flow with AF a and AF b and accesses both, both AF a and AF b obtain the A-KID. AF a sends a key generation request message (containing A-KID and AF_IDa) to the AAnF to obtain the application key K_AFa for the communication between the UE and AF a. AF_IDa is not secret: it is public or configurable. So AF b can also send a key generation request message containing A-KID and AF_IDa to the AAnF. The existing flow only states that "the AAnF should check whether it can provide service to the AF using the AF_ID according to configured local policy, or authorization information or policy provided by the NRF"; it does not state how this check is performed. If the AAnF checks only the AF_ID, for example whether the received AF_ID is in the AAnF's service list, then in the above scenario AF_IDa is in the service list, the check passes, and the AAnF generates K_AFa for AF b from the same K_AKMA and AF_IDa. AF b thus also obtains K_AFa and can use it to decrypt the encrypted communication between the UE and AF a. The key is leaked, and the flow cannot prevent one legitimate AF from eavesdropping on another legitimate AF.
Although an AF must be authenticated and authorized by the operator network before it can obtain K_AF (which prevents eavesdropping by an illegitimate AF), under the SBA mechanism the AAnF generally decides whether to respond to the AF's key generation request based only on the AF's authentication result, and the risk of leakage remains as long as that authentication result is not bound to the AF_ID. The technical solutions of the embodiments of the present application described below address this.
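The K_AF derivation of step 403 and the AF_ID reuse scenario above, as an added Python example that is not part of the patent or of any 3GPP implementation. The KDF follows the generic 3GPP KDF of TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0 || ...), with FC = 0x82, P0 = AF_ID and L0 = length of AF_ID as in step 403. The Ua protocol identifier octets, the FQDNs, the A-KID value and K_AKMA are constructed sample values, and ListOnlyAAnF is a hypothetical AAnF that performs only the list-based AF_ID check the description criticises, so the requester's authenticated identity is never consulted.

```python
import hmac
import hashlib


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B.2):
    HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), each Li the 2-octet
    big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def make_af_id(fqdn: str, ua_protocol_id: bytes) -> bytes:
    """AF_ID = FQDN of the AF || Ua protocol identifier."""
    return fqdn.encode("ascii") + ua_protocol_id


def derive_k_af(k_akma: bytes, af_id: bytes) -> bytes:
    """Step 403: K_AF = KDF(K_AKMA, S) with FC = 0x82, P0 = AF_ID, L0 = len(AF_ID)."""
    return kdf(k_akma, 0x82, af_id)


# Constructed sample values (assumptions for this example, not specification test vectors).
UA_PROTO_ID = bytes([0x01, 0x00, 0x00, 0x00, 0x00])   # assumed Ua protocol identifier
AF_ID_A = make_af_id("af-a.operator.example", UA_PROTO_ID)
AF_ID_B = make_af_id("af-b.operator.example", UA_PROTO_ID)


class ListOnlyAAnF:
    """Hypothetical AAnF that authorises Naanf_AKMA_ApplicationKey_Get only by
    'is the AF_ID in my service list' and ignores who is asking."""

    def __init__(self, service_list, k_akma_by_akid):
        self.service_list = set(service_list)
        self.k_akma_by_akid = dict(k_akma_by_akid)   # A-KID -> K_AKMA (step 304 registration)

    def application_key_get(self, requester_identity: str, a_kid: str, af_id: bytes):
        if af_id not in self.service_list:
            return None                        # step 402 policy check fails
        k_akma = self.k_akma_by_akid.get(a_kid)
        if k_akma is None:
            return None                        # no valid K_AKMA: step 404 error response
        return derive_k_af(k_akma, af_id)      # requester_identity is never used


def af_id_reuse_scenario():
    """AF a and AF b both present the UE's A-KID together with AF_IDa;
    the list-only check lets both obtain the identical K_AFa."""
    k_akma = bytes(range(32))                  # constructed anchor key for this A-KID
    aanf = ListOnlyAAnF([AF_ID_A, AF_ID_B], {"A-KID-1": k_akma})
    k_for_af_a = aanf.application_key_get("af-a", "A-KID-1", AF_ID_A)
    k_for_af_b = aanf.application_key_get("af-b", "A-KID-1", AF_ID_A)   # AF_IDa is public
    return k_for_af_a, k_for_af_b


if __name__ == "__main__":
    ka, kb = af_id_reuse_scenario()
    print("AF b obtained AF a's application key:", ka == kb)
```

Running the block prints `True`: the derivation is deterministic in (K_AKMA, AF_ID) only, so whoever can name AF_IDa and holds the A-KID receives AF a's key unless the AAnF binds the requested AF_ID to the requester's authenticated identity.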
In order to facilitate understanding of the technical solution of the embodiments of the present application, the technical solution of the present application is described in detail below through specific embodiments. The above related technologies may be optionally combined with the technical solutions of the embodiments of the present application, which all belong to the protection scope of the embodiments of the present application. Embodiments of the present application include at least some of the following.
Fig. 5 is a flowchart of a key generation method according to an embodiment of the present application, as shown in fig. 5, where the key generation method includes the following steps:
step 501: after receiving a key generation request message sent by a second network element, a first network element checks whether a first network element identifier contained in the key generation request message has a corresponding relation with an authentication identity of the second network element.
In the embodiment of the present application, the first network element may be AAnF, and the second network element may be AF. It should be noted that the names of the first network element and the second network element are not limited in the present application.
In the embodiment of the application, after receiving the key generation request message sent by the second network element, the first network element performs authentication authorization on the second network element, and after the authentication authorization passes, it is checked whether the first network element identifier contained in the key generation request message has a corresponding relationship with the authentication identity of the second network element.
When the authentication and authorization are performed on the second network element, the first network element can obtain the authentication identity of the second network element, that is, obtain the authentication result of the second network element.
In the embodiment of the present application, the first network element obtains first information, which may be stored on the first network element or on another network element. The first information contains the correspondence between network element authentication identities and network element identifiers. Optionally, in the first information, the network element identifier corresponding to a network element authentication identity is the same value as that authentication identity, or it is a different value. Where the network element authentication identity and its corresponding network element identifier are different values, one network element authentication identity corresponds to one or more network element identifiers. One authentication identity corresponding to one identifier may also be described as a one-to-one correspondence between the network element authentication identity and the network element identifier; one authentication identity corresponding to several identifiers may also be described as a one-to-many correspondence.
As an example: the network element identifier is af_id, the correspondence between the preset network element authentication identities in the first network element and the af_id is shown in table 1 below, the af_ids corresponding to the network element authentication identities are listed in table 1, and one network element authentication identity may correspond to one or more af_ids. The "whether to provide service" in table 1 is optional content, and when the content does not exist, it is the provision of service by default.
TABLE 1
As an example: the network element identifier is a sequence number, the correspondence between the network element authentication identities preset in the first network element and the sequence numbers is shown in the following table 2, the sequence numbers corresponding to the network element authentication identities are listed in the table 2, each sequence number corresponds to one af_id, and one network element authentication identity can correspond to one or more sequence numbers (i.e. corresponds to one or more af_ids). The "whether to provide service" in table 2 is optional content, and when the content does not exist, it is the provision of service by default.
TABLE 2
As an example: the network element identifier is af_id, the correspondence between the preset network element authentication identities in the first network element and the af_id is shown in table 3 below, the network element authentication identities corresponding to the af_ids are listed in table 3, and the network element authentication identities corresponding to different af_ids may be different or the same. The "whether to provide service" in table 3 is optional content, and when the content does not exist, it is the provision of service by default.
TABLE 3
As an example: the network element identifier is a sequence number, and the correspondence between the network element authentication identities preset in the first network element and the sequence numbers is shown in table 4 below. Table 4 lists the network element authentication identity corresponding to each sequence number; each sequence number corresponds to one AF_ID, and the network element authentication identities corresponding to different sequence numbers may be different or the same. It should be noted that in this case the sequence number is unique across all network element authentication identities, i.e. different AF_IDs correspond to different sequence numbers. The "whether to provide service" column in table 4 is optional; when it is absent, service is provided by default.
TABLE 4
In the embodiment of the application, after receiving a key generation request message sent by a second network element, a first network element checks whether a first network element identifier contained in the key generation request message has a corresponding relationship with an authentication identity of the second network element or not based on the first information. The following describes how the first network element checks, based on the first information, whether or not there is a correspondence between the first network element identifier included in the key generation request message and the authentication identity of the second network element.
Scheme one
As an alternative embodiment, the first network element may check whether the first network element identifier included in the key generation request message has a correspondence with the authentication identity of the second network element by:
S11: determining a network element identifier corresponding to the authentication identity of the second network element based on the first information;
s12: checking whether a first network element identifier contained in the key generation request message belongs to a network element identifier corresponding to the authentication identity of the second network element;
s131: and if the first network element identifier belongs to the network element identifier corresponding to the authentication identity of the second network element, determining that the first network element identifier has a corresponding relation with the authentication identity of the second network element.
Optionally, the method further comprises the following steps:
s132: if the first network element identifier does not belong to the network element identifier corresponding to the authentication identity of the second network element, an error response message is sent to the second network element; or checking whether the first network element identifier is a network element identifier corresponding to other network element authentication identities based on the first information; if the first network element identifier is a network element identifier corresponding to the authentication identity of other network elements, an error response message is sent to the second network element; if the first network element identifier is not the network element identifier corresponding to the authentication identity of other network elements, setting a corresponding relation between the first network element identifier and the authentication identity of the second network element, and adding the corresponding relation between the authentication identity of the second network element and the first network element identifier into the first information; wherein the other network element authentication identity is a network element authentication identity different from the authentication identity of the second network element.
In some alternative embodiments, before the step S11, the following step S09 is further included:
s09: checking whether the authentication identity of the second network element exists in the first information.
And if the authentication identity of the second network element exists in the first information, executing the step S11. If the authentication identity of the second network element does not exist in the first information, the following S10 is executed.
S10: transmitting an error response message to the second network element; or checking whether the first network element identifier is a network element identifier corresponding to other network element authentication identities based on the first information; if the first network element identifier is a network element identifier corresponding to the authentication identity of other network elements, an error response message is sent to the second network element; if the first network element identifier is not the network element identifier corresponding to the authentication identity of other network elements, setting a corresponding relation between the first network element identifier and the authentication identity of the second network element, and adding the corresponding relation between the authentication identity of the second network element and the first network element identifier into the first information; wherein the other network element authentication identity is a network element authentication identity different from the authentication identity of the second network element.
Scheme two
As an alternative embodiment, the first network element may check whether the first network element identifier included in the key generation request message has a correspondence with the authentication identity of the second network element by:
s21: determining a network element authentication identity corresponding to a first network element identifier contained in the key generation request message based on the first information;
s22: checking whether the authentication identity of the second network element is the network element authentication identity corresponding to the first network element identifier;
s231: and if the authentication identity of the second network element is the network element authentication identity corresponding to the first network element identifier, determining that a corresponding relationship exists between the first network element identifier and the authentication identity of the second network element.
Optionally, the method further comprises the following steps:
S232: if the authentication identity of the second network element is not the network element authentication identity corresponding to the first network element identifier, an error response message is sent to the second network element; or checking whether the authentication identity of the second network element exists in the first information; if the authentication identity of the second network element exists in the first information, determining a second network element identifier corresponding to the authentication identity of the second network element based on the first information, and taking the second network element identifier as the network element identifier for generating the key; and if the authentication identity of the second network element does not exist in the first information, sending an error response message to the second network element.
In some alternative embodiments, before the step S21, the following step S19 is further included:
S19: checking whether the first network element identifier contained in the key generation request message exists in the first information.
If the first information includes the first network element identifier contained in the key generation request message, S21 is executed. If the first network element identifier contained in the key generation request message does not exist in the first information, the following S20 is executed.
S20: transmitting an error response message to the second network element; or setting a corresponding relation between the first network element identifier and the authentication identity of the second network element, and adding the corresponding relation between the authentication identity of the second network element and the first network element identifier into the first information.
Step 502: if the first network element identifier contained in the key generation request message has a corresponding relation with the authentication identity of the second network element, generating a key based on the first network element identifier and sending the key to the second network element.
In the embodiment of the present application, the first network element identifier included in the key generation request message is a sequence number, or null, or an AF_ID (i.e., a combination of an FQDN and a security protocol identifier).
As an alternative way, the first network element identifier contained in the key generation request message is an AF_ID; if the AF_ID contained in the key generation request message has a correspondence with the authentication identity of the second network element, a key is generated based on the AF_ID and sent to the second network element.
As an alternative way, the first network element identifier included in the key generation request message is a sequence number; if a correspondence exists between the sequence number included in the key generation request message and the authentication identity of the second network element, the AF_ID corresponding to the sequence number is located in the AF_ID set corresponding to the authentication identity of the second network element, and a key is generated based on that AF_ID and sent to the second network element. Here, since the overhead of carrying a sequence number is far less than that of carrying an AF_ID, the sequence number may be carried in the key generation request message instead of the AF_ID itself in order to save overhead. The sequence number may be, for example, 0, 1, 2, …; it refers to the sequence number corresponding to an AF_ID, and the first network element locates the AF_ID corresponding to the sequence number in the AF_ID set corresponding to the authentication identity of the second network element.
As one implementation manner, the first network element identifier included in the key generation request message is null, and a key is generated based on the AF_ID corresponding to the authentication identity of the second network element and sent to the second network element. Here, if one AF has only one AF_ID, the AF_ID need not be transmitted in the key generation request message (i.e., the first network element identifier is null), and the unique AF_ID is instead determined by the first network element according to the authentication identity of the second network element. In this way, overhead can be greatly saved.
Fig. 6 is a second flowchart of a key generation method according to an embodiment of the present application, where a first network element is, for example, AAnF, and a second network element is, for example, AF, and as shown in fig. 6, the key generation method includes the following steps:
On the one hand, before interacting with the AKMA application server, the UE should have derived K_AKMA and the A-KID from K_AUSF. On the other hand, the AAnF is preset with the correspondence between AF authentication identities and AF network element identifiers.
Step 601: the UE sends an application session establishment request message to the AF, the message containing the A-KID.
Here, when the UE initiates communication with the AF, the UE sends an application session establishment request message to the AF, the message containing the A-KID. The UE may derive K_AF from K_AKMA before or after sending the message.
Step 602: the AF sends a key generation request message to the AAnF, wherein the message comprises the A-KID and the AF network element identification.
Here, the key generation request message may be Naanf_AKMA_ApplicationKey_Get Request.
If the AF has no active context associated with the A-KID, the AF performs AAnF selection and sends a key generation request message to the selected AAnF, the message containing the A-KID and the AF network element identifier. The AF network element identifier is used to identify the AF, and may be a sequence number, or null, or an AF_ID, where the AF_ID includes the FQDN of the AF and a Ua protocol identifier, and the Ua protocol identifier identifies the security protocol used between the AF and the UE.
The AAnF should check whether the AAnF can provide services to the AF using the af_id according to the configured local policy, or authorization information or policy provided by the NRF. If yes, the AAnF executes the following procedure, otherwise, the AAnF shall reject the following procedure.
Step 603: the AAnF checks, based on the preset correspondence, whether the AF network element identifier in the key generation request message has a correspondence with the AF authentication identity, and if so, determines the AF_ID used to provide service to the AF.
As an implementation manner, AAnF checks, based on a preset correspondence, whether an AF network element identifier in a key generation request message has a correspondence with an AF authentication identity, including the following options:
Option a) if the AF network element identifier in the key generation request message is null, the AF_ID corresponding to the AF authentication identity is determined based on the correspondence and used as the AF_ID for providing service to the AF, i.e., as the AF_ID for generating K_AF.
Option b) if the AF network element identifier in the key generation request message is a sequence number (denoted as sequence number 1), the sequence number set corresponding to the AF authentication identity is determined based on the correspondence, and whether sequence number 1 belongs to that set is checked; if so, the AF_ID corresponding to sequence number 1 in the AF_ID set corresponding to the AF authentication identity is used as the AF_ID for providing service to the AF, i.e., as the AF_ID for generating K_AF; if not, the subsequent flow may be rejected.
Option c) if the AF network element identifier in the key generation request message is an AF_ID (denoted as AF_ID1), the AF_ID set corresponding to the AF authentication identity is determined based on the correspondence, and whether AF_ID1 belongs to that set is checked; if so, AF_ID1 is used as the AF_ID for providing service to the AF, i.e., for generating K_AF; if not, the subsequent flow may be rejected, or it may be checked in the correspondence whether AF_ID1 has a correspondence with another AF authentication identity: if yes, the subsequent flow may be rejected, and if not, the correspondence between AF_ID1 and the AF authentication identity may be added.
In the above scheme, the precondition for the AAnF checking, based on the preset correspondence, whether the AF network element identifier in the key generation request message has a correspondence with the AF authentication identity is that the AAnF finds the AF authentication identity in the correspondence. If the AAnF cannot find the AF authentication identity in the correspondence, the subsequent flow may be refused; or, on the premise that the policy allows service for the AF, if the AF network element identifier (for example, AF_ID1) carried in the key generation request message has a correspondence with another AF authentication identity in the correspondence, the subsequent flow may be refused, and if not, the correspondence between AF_ID1 and the AF authentication identity may be added.
As another implementation manner, the AAnF checks, based on the preset correspondence, whether the AF network element identifier (for example, AF_ID1) in the key generation request message has a correspondence with the AF authentication identity, which includes the following option:
Option a) determining the AF authentication identity corresponding to AF_ID1 based on the correspondence, and checking whether the AF authentication identity corresponding to AF_ID1 is identical to the AF authentication identity; if yes, AF_ID1 is used as the AF_ID for providing service to the AF, i.e., as the AF_ID for generating K_AF; if not, the subsequent flow may be refused.
In the above scheme, the precondition for the AAnF determining the AF authentication identity corresponding to AF_ID1 based on the correspondence is that the AAnF finds AF_ID1 in the correspondence. If the AAnF cannot find AF_ID1 in the correspondence, the subsequent flow may be refused, or the correspondence between AF_ID1 and the AF authentication identity may be added on the premise that the policy allows service for the AF.
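The Step 603 checks (Options a) to c) and the reverse-lookup variant, which are the same checks as Scheme I and Scheme II described earlier) written out as an added Python example; this is not code from the patent, and the class and method names, the sample table and the `allow_add` policy flag are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Hypothetical type for the AF network element identifier carried in the
# key generation request: None (null), an int (sequence number) or bytes (AF_ID).
AfIdentifier = Union[None, int, bytes]


@dataclass
class AfRecord:
    """One entry of the preset correspondence: the AF_ID set of one AF
    authentication identity. Sequence number i refers to af_ids[i]."""
    af_ids: List[bytes] = field(default_factory=list)


class AAnFAuthorizer:
    """Hypothetical AAnF-side check (added example, not the patent's code)."""

    def __init__(self, preset: Dict[str, List[bytes]], allow_add: bool = False):
        # "First information": AF authentication identity -> AF_ID set.
        self.table: Dict[str, AfRecord] = {
            ident: AfRecord(list(ids)) for ident, ids in preset.items()
        }
        # Local policy knob (assumption): may an AF_ID that belongs to nobody
        # be bound to the requesting AF instead of rejecting the request?
        self.allow_add = allow_add

    def owner_of(self, af_id: bytes) -> Optional[str]:
        """Reverse lookup: which AF authentication identity owns af_id, if any."""
        for ident, rec in self.table.items():
            if af_id in rec.af_ids:
                return ident
        return None

    def resolve_af_id(self, auth_identity: str, af_ident: AfIdentifier) -> Optional[bytes]:
        """Options a) to c) of Step 603. Returns the AF_ID that K_AF is to be
        derived from, or None when the subsequent flow is rejected."""
        rec = self.table.get(auth_identity)
        if rec is None:
            # Precondition: the requesting AF's authentication identity must be
            # present in the correspondence, otherwise reject.
            return None
        if af_ident is None:
            # Option a): null identifier. The page assumes the AF has exactly one
            # AF_ID; with several the request is ambiguous, so reject (assumption).
            return rec.af_ids[0] if len(rec.af_ids) == 1 else None
        if isinstance(af_ident, int):
            # Option b): the sequence number must belong to this AF's sequence set.
            if 0 <= af_ident < len(rec.af_ids):
                return rec.af_ids[af_ident]
            return None
        # Option c): the full AF_ID must belong to this AF's AF_ID set.
        if af_ident in rec.af_ids:
            return af_ident
        # Not in the set: reject, or (policy permitting) bind it to this AF
        # unless another AF authentication identity already owns it.
        if not self.allow_add or self.owner_of(af_ident) is not None:
            return None
        rec.af_ids.append(af_ident)
        return af_ident

    def check_by_reverse_lookup(self, auth_identity: str, af_id: bytes) -> Optional[bytes]:
        """Second implementation: find the AF authentication identity that AF_ID1
        maps to and require it to be the requesting AF's identity."""
        owner = self.owner_of(af_id)
        if owner is None:
            # AF_ID1 not found in the correspondence: reject (binding it to the
            # requester is the same policy decision as in resolve_af_id).
            return None
        return af_id if owner == auth_identity else None


def demo() -> bool:
    """Constructed sample table: AF-1 has one AF_ID, AF-2 has two."""
    fqdn_ua = b"af1.example.com" + b"\x01\x00\x00\x00\x00"  # constructed AF_ID
    aanf = AAnFAuthorizer({"af-1": [fqdn_ua], "af-2": [b"a.example", b"b.example"]})
    # A legitimate AF-2 presenting AF-1's AF_ID must not obtain AF-1's K_AF.
    stolen = aanf.resolve_af_id("af-2", fqdn_ua)
    own = aanf.resolve_af_id("af-2", 1)
    return stolen is None and own == b"b.example"
```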
The AAnF determines whether the user is authorized to use AKMA by verifying whether the corresponding K_AKMA (i.e., a valid K_AKMA) can be found by the A-KID.
If there is a valid K_AKMA in the AAnF, the AAnF should continue to step 604.
If there is no valid K_AKMA in the AAnF, the AAnF should continue to step 605 and send an error response.
Step 604: the AAnF derives K_AF from K_AKMA.
Here, if the AAnF does not already hold K_AF, the AAnF derives K_AF from K_AKMA. When the AAnF derives K_AF from K_AKMA, the input key of the key derivation function (KDF) is K_AKMA, and the following parameters are used to construct the input S of the KDF:
- FC = 0x82;
- P0 = AF_ID;
- L0 = length of AF_ID.
Here, the AF_ID refers to the AF_ID that has a correspondence with the AF authentication identity, i.e., the AF_ID serving the AF. The AF_ID is constructed as follows: AF_ID = FQDN of AF || Ua, wherein Ua identifies the security protocol used between the AF and the UE.
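An added example, not from the patent, of constructing the KDF input S (FC = 0x82, P0 = AF_ID, L0 = length of AF_ID) and deriving K_AF from K_AKMA as in Step 604. The KDF itself is assumed to be the generic HMAC-SHA-256 KDF of 3GPP TS 33.220 with a two-octet length field, the Ua security protocol identifier is assumed to be 5 octets, and all key material and names are constructed sample values.

```python
import hashlib
import hmm_placeholder  # noqa: F401 (removed below)
```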
Step 605: AAnF sends key generation response message to AF, the message contains K AF ,K AF Life cycle (K) AF expTime),SUPI。
Here, the key generation Response message may be naanf_akma_application key_get Response.
If the information in step 605 indicates that the AKMA key request fails, the AF shall reject the application session establishment request and carry the error cause in this step. The UE may then initiate a new application session establishment request message to the AF and carry the new a-KID.
Step 606: the AF sends an application session establishment response message to the UE.
According to the technical scheme of the embodiment of the application, the corresponding relation between the AF authentication identity and the AF network element identity is preset on the AAnF, so that whether the AF network element identity contained in the key generation request message has the corresponding relation with the AF network element authentication identity or not can be checked based on the corresponding relation, and legal AF can be prevented from acquiring by sending AF network element identities of other legal AFTaking K of UE to access other AF AF Preventing eavesdropping risk on other legitimate AF accesses.
Fig. 7 is a schematic structural diagram of a key generating device according to an embodiment of the present application, which is applied to a first network element, as shown in fig. 7, where the key generating device includes:
a receiving unit 701, configured to receive a key generation request message sent by a second network element;
a processing unit 702, configured to check whether a first network element identifier included in the key generation request message has a correspondence with an authentication identity of the second network element; if the first network element identifier contained in the key generation request message has a corresponding relation with the authentication identity of the second network element, generating a key based on the first network element identifier;
a sending unit 703, configured to send the key to the second network element.
In some optional embodiments, the first network element stores first information, where the first information includes a correspondence between a network element authentication identity and a network element identifier;
the processing unit 702 is configured to check, based on the first information, whether a first network element identifier included in the key generation request message has a correspondence with an authentication identity of the second network element.
In some optional embodiments, in the first information, the network element authentication identity and the network element corresponding to the network element authentication identity are identified as the same content, or the network element authentication identity and the network element corresponding to the network element authentication identity are identified as different contents.
In some optional embodiments, in the first information, one network element authentication identity corresponds to one or more network element identities.
In some optional embodiments, the processing unit 702 is configured to determine, based on the first information, a network element identifier corresponding to an authentication identity of the second network element; checking whether a first network element identifier contained in the key generation request message belongs to a network element identifier corresponding to the authentication identity of the second network element; and if the first network element identifier belongs to the network element identifier corresponding to the authentication identity of the second network element, determining that the first network element identifier has a corresponding relation with the authentication identity of the second network element.
In some optional embodiments, the processing unit 702 is configured to send an error response message to the second network element if the first network element identifier does not belong to a network element identifier corresponding to the authentication identity of the second network element; or checking whether the first network element identifier is a network element identifier corresponding to other network element authentication identities based on the first information; if the first network element identifier is a network element identifier corresponding to the authentication identity of other network elements, an error response message is sent to the second network element; if the first network element identifier is not the network element identifier corresponding to the authentication identity of other network elements, setting a corresponding relation between the first network element identifier and the authentication identity of the second network element, and adding the corresponding relation between the authentication identity of the second network element and the first network element identifier into the first information; wherein the other network element authentication identity is a network element authentication identity different from the authentication identity of the second network element.
In some optional embodiments, the processing unit 702 is configured to check whether the authentication identity of the second network element exists in the first information; and if the authentication identity of the second network element exists in the first information, determining a network element identifier corresponding to the authentication identity of the second network element based on the first information.
In some optional embodiments, the processing unit 702 is configured to send an error response message to the second network element if the authentication identity of the second network element does not exist in the first information; or checking whether the first network element identifier is a network element identifier corresponding to other network element authentication identities based on the first information; if the first network element identifier is a network element identifier corresponding to the authentication identity of other network elements, an error response message is sent to the second network element; if the first network element identifier is not the network element identifier corresponding to the authentication identity of other network elements, setting a corresponding relation between the first network element identifier and the authentication identity of the second network element, and adding the corresponding relation between the authentication identity of the second network element and the first network element identifier into the first information; wherein the other network element authentication identity is a network element authentication identity different from the authentication identity of the second network element.
In some optional embodiments, the processing unit 702 is configured to determine, based on the first information, a network element authentication identity corresponding to a first network element identifier included in the key generation request message; checking whether the authentication identity of the second network element is the network element authentication identity corresponding to the first network element identifier; and if the authentication identity of the second network element is the network element authentication identity corresponding to the first network element identifier, determining that a corresponding relationship exists between the first network element identifier and the authentication identity of the second network element.
In some optional embodiments, the processing unit 702 is configured to send an error response message to the second network element if the authentication identity of the second network element is not the network element authentication identity corresponding to the first network element identifier; or checking whether the authentication identity of the second network element exists in the first information; if the authentication identity of the second network element exists in the first information, determining a second network element identifier corresponding to the authentication identity of the second network element based on the first information, and taking the second network element identifier as a network element identifier for generating the secret key; and if the authentication identity of the second network element does not exist in the first information, sending an error response message to the second network element.
In some optional embodiments, the processing unit 702 is configured to check whether a first network element identifier included in the key generation request message exists in the first information; and if the first information contains the first network element identifier contained in the key generation request message, determining the network element authentication identity corresponding to the first network element identifier contained in the key generation request message based on the first information.
In some optional embodiments, the processing unit 702 is configured to send an error response message to the second network element if the first network element identifier included in the key generation request message does not exist in the first information; or setting a corresponding relation between the first network element identifier and the authentication identity of the second network element, and adding the corresponding relation between the authentication identity of the second network element and the first network element identifier into the first information.
In some alternative embodiments, the first network element contained in the key generation request message is identified as a sequence number, or null, or includes a FQDN and a security protocol identifier.
In some alternative embodiments, the first network element is AAnF and the second network element is AF.
Those skilled in the art will appreciate that the implementation functions of the units in the key generation apparatus shown in fig. 7 can be understood with reference to the description of the foregoing method. The functions of the respective units in the key generation apparatus shown in fig. 7 may be realized by a program running on a processor or by a specific logic circuit.
Fig. 8 is a schematic block diagram of a communication device 800 according to an embodiment of the present application. The communication device 800 shown in fig. 8 comprises a processor 810, from which the processor 810 may call and run a computer program to implement the method in an embodiment of the application.
Optionally, as shown in fig. 8, the communication device 800 may also include a memory 820. Wherein the processor 810 may call and run a computer program from the memory 820 to implement the method in embodiments of the present application.
Wherein the memory 820 may be a separate device from the processor 810 or may be integrated into the processor 810.
Optionally, as shown in fig. 8, the communication device 800 may further include a transceiver 830, and the processor 810 may control the transceiver 830 to communicate with other devices, and in particular, may send information or data to other devices, or receive information or data sent by other devices.
Among other things, transceiver 830 may include a transmitter and a receiver. Transceiver 830 may further include antennas, the number of which may be one or more.
The communication device 800 may be specifically a network device (e.g., a first network element) according to the embodiment of the present application, and the communication device 800 may implement a corresponding flow implemented by the network device (e.g., the first network element) in each method according to the embodiment of the present application, which is not described herein for brevity.
Fig. 9 is a schematic structural view of a chip of an embodiment of the present application. The chip 900 shown in fig. 9 includes a processor 910, and the processor 910 may call and execute a computer program from a memory to implement the method in an embodiment of the present application.
Optionally, as shown in fig. 9, the chip 900 may further include a memory 920. Wherein the processor 910 may invoke and run a computer program from the memory 920 to implement the method in the embodiments of the present application.
Wherein the memory 920 may be a separate device from the processor 910 or may be integrated in the processor 910.
Optionally, the chip 900 may also include an input interface 930. The processor 910 may control the input interface 930 to communicate with other devices or chips, and in particular, may acquire information or data sent by the other devices or chips.
Optionally, the chip 900 may also include an output interface 940. Wherein the processor 910 may control the output interface 940 to communicate with other devices or chips, and in particular, may output information or data to the other devices or chips.
The chip may be applied to a network device (e.g., a first network element) in the embodiment of the present application, and the chip may implement a corresponding flow implemented by the network device (e.g., the first network element) in each method in the embodiment of the present application, which is not described herein for brevity.
It should be understood that the chips referred to in the embodiments of the present application may also be referred to as system-on-chip chips, or the like.
It should be appreciated that the processor of an embodiment of the present application may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method embodiments may be implemented by integrated logic circuits of hardware in a processor or instructions in software form. The processor may be a general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), an off-the-shelf programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
It will be appreciated that the memory in embodiments of the application may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable EPROM (EEPROM), or a flash Memory. The volatile memory may be random access memory (Random Access Memory, RAM) which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (Double Data Rate SDRAM), enhanced SDRAM (ESDRAM), synchronous DRAM (SLDRAM), and Direct RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
It should be understood that the above memory is illustrative but not restrictive, and for example, the memory in the embodiments of the present application may be Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), direct RAM (DR RAM), and the like. That is, the memory in embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The embodiment of the application also provides a computer readable storage medium for storing a computer program. The computer readable storage medium may be applied to a network device (e.g., a first network element) in the embodiment of the present application, and the computer program causes a computer to execute a corresponding flow implemented by the network device (e.g., the first network element) in each method of the embodiment of the present application, which is not described herein for brevity.
The embodiment of the application also provides a computer program product comprising computer program instructions. The computer program product may be applied to a network device (e.g., a first network element) in the embodiment of the present application, and the computer program instructions cause a computer to execute a corresponding procedure implemented by the network device (e.g., the first network element) in each method of the embodiment of the present application, which is not described herein for brevity.
The embodiment of the application also provides a computer program. The computer program may be applied to a network device (e.g., a first network element) in the embodiment of the present application, and when the computer program runs on a computer, the computer executes a corresponding flow implemented by the network device (e.g., the first network element) in each method of the embodiment of the present application, which is not described herein for brevity.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (18)

1. A key generation method, the method comprising:
after receiving a key generation request message sent by a second network element, a first network element checks whether a first network element identifier contained in the key generation request message has a corresponding relation with an authentication identity of the second network element;
and if the first network element identifier contained in the key generation request message has a corresponding relation with the authentication identity of the second network element, generating a key based on the first network element identifier and sending the key to the second network element.
2. The method according to claim 1, wherein the method further comprises:
the first network element acquires first information, wherein the first information comprises a corresponding relation between a network element authentication identity and a network element identification;
the checking whether the first network element identifier contained in the key generation request message has a correspondence with the authentication identity of the second network element includes:
based on the first information, checking whether a first network element identifier contained in the key generation request message has a corresponding relation with an authentication identity of the second network element.
3. The method according to claim 2, wherein in the first information, the network element authentication identity and its corresponding network element identifier have the same content, or the network element authentication identity and its corresponding network element identifier have different content.
4. The method according to claim 2, wherein in the first information, one network element authentication identity corresponds to one or more network element identifiers.
5. The method according to claim 2, wherein the checking whether the first network element identifier included in the key generation request message has a correspondence relationship with the authentication identity of the second network element based on the first information includes:
determining a network element identifier corresponding to the authentication identity of the second network element based on the first information;
checking whether a first network element identifier contained in the key generation request message belongs to a network element identifier corresponding to the authentication identity of the second network element;
and if the first network element identifier belongs to the network element identifier corresponding to the authentication identity of the second network element, determining that the first network element identifier has a corresponding relation with the authentication identity of the second network element.
6. The method of claim 5, wherein the method further comprises:
if the first network element identifier does not belong to the network element identifier corresponding to the authentication identity of the second network element, then:
transmitting an error response message to the second network element; or,
checking whether the first network element identifier is a network element identifier corresponding to other network element authentication identities based on the first information; if the first network element identifier is a network element identifier corresponding to the authentication identity of other network elements, an error response message is sent to the second network element; if the first network element identifier is not the network element identifier corresponding to the authentication identity of other network elements, setting a corresponding relation between the first network element identifier and the authentication identity of the second network element, and adding the corresponding relation between the authentication identity of the second network element and the first network element identifier into the first information; wherein the other network element authentication identity is a network element authentication identity different from the authentication identity of the second network element.
7. The method according to claim 5, wherein:
before determining the network element identifier corresponding to the authentication identity of the second network element based on the first information, the method further includes: checking whether the authentication identity of the second network element exists in the first information;
the determining, based on the first information, a network element identifier corresponding to the authentication identity of the second network element includes: and if the authentication identity of the second network element exists in the first information, determining a network element identifier corresponding to the authentication identity of the second network element based on the first information.
8. The method of claim 7, wherein the method further comprises:
if the authentication identity of the second network element does not exist in the first information, then:
transmitting an error response message to the second network element; or,
checking whether the first network element identifier is a network element identifier corresponding to other network element authentication identities based on the first information; if the first network element identifier is a network element identifier corresponding to the authentication identity of other network elements, an error response message is sent to the second network element; if the first network element identifier is not the network element identifier corresponding to the authentication identity of other network elements, setting a corresponding relation between the first network element identifier and the authentication identity of the second network element, and adding the corresponding relation between the authentication identity of the second network element and the first network element identifier into the first information; wherein the other network element authentication identity is a network element authentication identity different from the authentication identity of the second network element.
9. The method according to claim 2, wherein the checking whether the first network element identifier included in the key generation request message has a correspondence relationship with the authentication identity of the second network element based on the first information includes:
determining a network element authentication identity corresponding to a first network element identifier contained in the key generation request message based on the first information;
checking whether the authentication identity of the second network element is the network element authentication identity corresponding to the first network element identifier;
and if the authentication identity of the second network element is the network element authentication identity corresponding to the first network element identifier, determining that a corresponding relationship exists between the first network element identifier and the authentication identity of the second network element.
10. The method according to claim 9, wherein the method further comprises:
if the authentication identity of the second network element is not the network element authentication identity corresponding to the first network element identifier, then:
transmitting an error response message to the second network element; or,
checking whether the authentication identity of the second network element exists in the first information; if the authentication identity of the second network element exists in the first information, determining a second network element identifier corresponding to the authentication identity of the second network element based on the first information, and taking the second network element identifier as the network element identifier for generating the key; and if the authentication identity of the second network element does not exist in the first information, sending an error response message to the second network element.
11. The method according to claim 9, wherein:
before determining the network element authentication identity corresponding to the first network element identifier included in the key generation request message based on the first information, the method further includes: checking whether a first network element identifier contained in the key generation request message exists in the first information;
the determining, based on the first information, a network element authentication identity corresponding to a first network element identifier included in the key generation request message includes: and if the first information contains the first network element identifier contained in the key generation request message, determining the network element authentication identity corresponding to the first network element identifier contained in the key generation request message based on the first information.
12. The method of claim 11, wherein the method further comprises:
if the first network element identifier contained in the key generation request message does not exist in the first information, then:
transmitting an error response message to the second network element; or,
setting a corresponding relation between the first network element identifier and the authentication identity of the second network element, and adding the corresponding relation between the authentication identity of the second network element and the first network element identifier into the first information.
13. The method according to any of claims 1 to 12, wherein the first network element identifier contained in the key generation request message is a sequence number, or is null, or comprises a fully qualified domain name (FQDN) and a security protocol identifier.
14. The method according to any of claims 1 to 12, wherein the first network element is an authentication and key management, AKMA, anchor function, AAnF, and the second network element is an application function, AF.
15. A key generation apparatus for use with a first network element, the apparatus comprising:
a receiving unit, configured to receive a key generation request message sent by a second network element;
the processing unit is used for checking whether the first network element identifier contained in the key generation request message has a corresponding relation with the authentication identity of the second network element; if the first network element identifier contained in the key generation request message has a corresponding relation with the authentication identity of the second network element, generating a key based on the first network element identifier;
and a sending unit, configured to send the key to the second network element.
16. A network device, comprising: a processor and a memory for storing a computer program, the processor being for invoking and running the computer program stored in the memory, performing the method of any of claims 1 to 14.
17. A chip, comprising: a processor for calling and running a computer program from a memory, causing a device on which the chip is mounted to perform the method of any one of claims 1 to 14.
18. A computer readable storage medium storing a computer program for causing a computer to perform the method of any one of claims 1 to 14.
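The claims above describe a binding check on the anchor-function side: the identifier carried in a key request is only used for derivation if it corresponds to the identity the requesting network element actually authenticated with, so one application function cannot obtain a key derived for another one's identifier. The following is an added worked example written for this page, not code from the patent or from any 3GPP reference implementation. It models the "first information" as a mapping from authentication identity to the set of permitted identifiers, implements both lookup directions (claims 5-8 by identity, claims 9-12 by identifier) with the two alternatives the claims give on failure (error response, or bind/fall back), and uses an HMAC-based derivation as a stand-in for the real anchor-key KDF. The identities, identifiers and anchor key are constructed sample values.

```python
"""
AAnF-side binding check for an AKMA-style key request (added example, not
the patent's own code or the 3GPP reference procedure).

"First information" (the patent's term) is modelled as a mapping from a
network element authentication identity (e.g. the identity proven during
mutual TLS or carried in an access token) to the set of network element
identifiers that identity may request keys for.  The KDF below is an HMAC
stand-in for illustration only, not the 3GPP KDF, and every identity,
identifier and key value is a constructed sample.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Policy(Enum):
    """Which alternative of the claims to follow when the binding check fails."""
    REJECT = "reject"    # first alternative: send an error response
    RECOVER = "recover"  # second alternative: bind an unclaimed identifier, or fall back


@dataclass
class KeyResult:
    ok: bool
    key: Optional[bytes] = None
    error: Optional[str] = None


class AnchorFunction:
    def __init__(self, anchor_key: bytes, first_info: Dict[str, Set[str]],
                 policy: Policy = Policy.REJECT) -> None:
        self.anchor_key = anchor_key
        self.first_info = {auth_id: set(ids) for auth_id, ids in first_info.items()}
        self.policy = policy

    def derive_key(self, ne_id: str) -> bytes:
        # Stand-in for the anchor-key based derivation: the identifier is the
        # derivation context, so a key for identifier X is only handed to a
        # caller whose authenticated identity is bound to X.
        return hmac.new(self.anchor_key, b"K_AF|" + ne_id.encode(), hashlib.sha256).digest()

    def owner_of(self, ne_id: str) -> Optional[str]:
        """Authentication identity the identifier is bound to, if any."""
        for auth_id, ids in self.first_info.items():
            if ne_id in ids:
                return auth_id
        return None

    def bind(self, auth_id: str, ne_id: str) -> None:
        """Add the (authentication identity, identifier) correspondence to first information."""
        self.first_info.setdefault(auth_id, set()).add(ne_id)

    def handle_request_by_identity(self, auth_id: str, requested_id: str) -> KeyResult:
        """Claims 5-8: look up the caller's identity, check the identifier is among its identifiers."""
        allowed = self.first_info.get(auth_id)  # claim 7: does the identity exist at all?
        if allowed is not None and requested_id in allowed:
            return KeyResult(True, self.derive_key(requested_id))
        if self.policy is Policy.REJECT:
            return KeyResult(False, error="identifier not bound to authenticated identity")
        owner = self.owner_of(requested_id)
        if owner is not None and owner != auth_id:
            return KeyResult(False, error="identifier bound to another authentication identity")
        self.bind(auth_id, requested_id)  # unclaimed identifier: record the new binding
        return KeyResult(True, self.derive_key(requested_id))

    def handle_request_by_identifier(self, auth_id: str, requested_id: str) -> KeyResult:
        """Claims 9-12: look up the identifier, compare its owner with the caller's identity."""
        owner = self.owner_of(requested_id)
        if owner == auth_id:
            return KeyResult(True, self.derive_key(requested_id))
        if owner is None:  # claims 11-12: identifier not present in first information
            if self.policy is Policy.REJECT:
                return KeyResult(False, error="identifier not present in first information")
            self.bind(auth_id, requested_id)
            return KeyResult(True, self.derive_key(requested_id))
        if self.policy is Policy.REJECT:  # claim 10: identifier belongs to someone else
            return KeyResult(False, error="identifier bound to another authentication identity")
        own_ids = self.first_info.get(auth_id)
        if not own_ids:
            return KeyResult(False, error="authentication identity not present in first information")
        # Assumption: when the identity has several identifiers, pick a deterministic one.
        return KeyResult(True, self.derive_key(min(own_ids)))


# Constructed sample "first information": two application functions, each bound
# to one FQDN-plus-protocol style identifier it is allowed to request keys for.
SAMPLE_FIRST_INFO = {
    "af-a.example.com": {"af-a.example.com;proto-1"},
    "af-b.example.com": {"af-b.example.com;proto-1"},
}

if __name__ == "__main__":
    aanf = AnchorFunction(b"constructed-anchor-key", SAMPLE_FIRST_INFO)
    print(aanf.handle_request_by_identity("af-a.example.com", "af-a.example.com;proto-1").ok)    # True
    print(aanf.handle_request_by_identity("af-a.example.com", "af-b.example.com;proto-1").error)
```

The two lookup directions give the same answer on the normal path; they differ only in what the "recover" alternative does when the check fails (bind an unclaimed identifier versus derive from the caller's own registered identifier). In either direction, the identifier that reaches the derivation step is never one the caller has merely asserted; it is one the first information ties to the authenticated identity, which is the property the claims are protecting.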

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210502335.8A CN117082504A (en) 2022-05-09 2022-05-09 Key generation method and device and network equipment

Publications (1)

Publication Number Publication Date
CN117082504A true CN117082504A (en) 2023-11-17

Family

ID=88710277

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210502335.8A Pending CN117082504A (en) 2022-05-09 2022-05-09 Key generation method and device and network equipment

Country Status (1)

Country Link
CN (1) CN117082504A (en)

Similar Documents

Publication Publication Date Title
CN110798833B (en) Method and device for verifying user equipment identification in authentication process
US11956361B2 (en) Network function service invocation method, apparatus, and system
US20180091978A1 (en) Universal Integrated Circuit Card Having A Virtual Subscriber Identity Module Functionality
JP5579938B2 (en) Authentication of access terminal identification information in roaming networks
US9319413B2 (en) Method for establishing resource access authorization in M2M communication
US11870765B2 (en) Operation related to user equipment using secret identifier
CN114268943B (en) Authorization method and device
US9025769B2 (en) Method of registering smart phone when accessing security authentication device and method of granting access permission to registered smart phone
US9088565B2 (en) Use of a public key key pair in the terminal for authentication and authorization of the telecommunication user with the network operator and business partners
US20190289463A1 (en) Method and system for dual-network authentication of a communication device communicating with a server
EP2701362A1 (en) Communications device authentication
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
CN102934470A (en) Method and apparatus for binding subscriber authentication and device authentication in communication systems
CN111630882B (en) User equipment, authentication server, medium, and method and system for determining key
US20220263832A1 (en) Method and server for providing user consent to edge application
CN110351725B (en) Communication method and device
CN117082504A (en) Key generation method and device and network equipment
CN116868609A (en) User equipment authentication and authorization procedure for edge data networks
CN114640992A (en) Method and device for updating user identity
RU2282311C2 (en) Method for using a pair of open keys in end device for authentication and authorization of telecommunication network user relatively to network provider and business partners
WO2023221502A1 (en) Data transmission method and system, and signaling security management gateway
CN109587187B (en) Method, device and system for calling network function service
WO2024093923A1 (en) Communication method and communication apparatus
WO2024049335A1 (en) Two factor authentication
CN117678255A (en) Edge enabler client identification authentication procedure

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination