WO2021036627A1 - Communication system, method, and apparatus - Google Patents


Info

Publication number
WO2021036627A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
user
key
response
management network
Prior art date
Application number
PCT/CN2020/104598
Other languages
French (fr)
Chinese (zh)
Inventor
李飞
张博
何承东
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Priority claimed from CN202010256020.0A
Application filed by 华为技术有限公司
Publication of WO2021036627A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Definitions

  • the user's subscription permanent identifier (SUPI) is usually applied to the calculation of the key KAMF, so SUPI is sensitive information.
  • the communication between the network elements in the core network uses the subscription permanent identifier (SUPI) to identify the terminal device. If a network element in the core network is attacked or the data in the network element is stolen, SUPI is easily leaked, affecting the privacy of user communication.
  • the mobility management network element is further configured to obtain the second user identifier from the authentication service network element in response to the first user authentication response, which makes it convenient for the mobility management network element to obtain the second user identifier.
  • the mobility management network element supports user identity anonymization processing, which can also be understood as: the network where the mobility management network element is located supports user identity anonymization processing, where the network where the mobility management network element is located is the network that the terminal device requests to access and is used to provide services for the terminal device.
  • the network can be called a service network.
  • the authentication service network element receives the first parameter sent by the mobility management network element and sends the first parameter to the first network element, and the first parameter is used to generate the key KAMF.
  • another communication method provided by an embodiment of the present application includes the following:
  • the first network element obtains the second user identifier according to the SUPI, and the SUPI is obtained from the anonymized user identifier acquisition request, or for the first network element.
  • the user identifier is decrypted.
  • the terminal device is used to send an access request to the mobility management network element;
  • the access request includes a first user identifier, the first user identifier is obtained by encrypting SUPI, and the SUPI is the identity of the terminal device;
  • the authentication service network element is further configured to receive the second user authentication response and return a first user authentication response to the mobility management network element; for example, the first user authentication response includes a second user identifier.
  • the mobility management network element is further configured to send a third user authentication request to the terminal device in response to the first user authentication response, where the third user authentication request includes the first user identifier;
  • the terminal device is further configured to respond to the third user authentication request, obtain the second user identifier according to SUPI, generate the key KAMF according to the second user identifier, and then return a third user authentication response to the mobility management network element;
  • the key KAMF is the key between the terminal device and the mobility management network element;
  • the device includes a processing unit and a communication unit.
  • the processing unit may be, for example, a processor.
  • the communication unit may be, for example, a transceiver.
  • the transceiver may include a radio frequency circuit.
  • the processing unit is used to trigger the communication unit to send the first user authentication request to the authentication service unit in response to the access request; for another example, the processing unit is used to trigger the communication unit to send the second user authentication request to the data management unit in response to the first user authentication request.
  • user authentication request, etc.
  • FIG. 3 is a schematic flowchart of a communication method according to an embodiment of the application.
  • FIG. 7 is a schematic flowchart of another communication method according to an embodiment of the application.
  • FIG. 10 is a schematic structural diagram of a communication device according to an embodiment of the application.
  • FIG. 11 is a schematic structural diagram of another communication device according to an embodiment of the application.
  • transmission can include sending and/or receiving, and can be a noun or a verb.
  • the communication system includes a mobility management network element, an authentication service network element, and a data management network element.
  • the communication system further includes a first network element.
  • the first network element may also be named as a user identification anonymization network element, etc., and the name of the first network element is not limited.
  • the authentication service network element is configured to send a second user authentication request to the data management network element in response to the first user authentication request, where the second user authentication request includes the first user identifier;
  • the mobility management network element may also be used to indicate to the data management network element through the authentication service network element that the mobility management network element supports user identity anonymization processing.
  • the mobility management network element sends a first user authentication request to the authentication service network element, the first user authentication request includes a first user identifier and first indication information, and the first indication information is used to indicate that the mobility management network element supports user identity anonymization processing.
  • the mobility management network element supports user identity anonymization processing, which can also be understood as: the network where the mobility management network element is located supports user identity anonymization processing, where the network where the mobility management network element is located is the network that the terminal device requests to access.
  • the accessed network is used to provide services for terminal devices.
  • the authentication service network element is used to send a key acquisition request to the first network element, the key acquisition request includes the second user identifier, and the first network element is used to respond to the key acquisition request by obtaining SUPI according to the second user identifier, obtaining the key KAMF according to SUPI, and then returning the key KAMF to the authentication service network element, and the authentication service network element sends the key KAMF to the mobility management network element.
  • the terminal device may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, etc.
  • the terminal device is referred to as UE in the following introduction.
  • the aforementioned network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • the foregoing network element or function may be implemented by one device, or jointly implemented by multiple devices, or may be a functional module in one device, which is not specifically limited in the embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a communication method according to an embodiment of this application, which specifically includes the following steps.
  • the first user authentication request further includes first indication information.
  • the first indication information is used to indicate that the AMF network element supports user identity anonymization processing.
  • the AMF network element can also notify the UDM network element in other ways that the AMF network element supports user identity anonymization processing.
  • the AMF network element can carry the first indication information in a custom message and send it to the AUSF network element.
  • the AUSF network element notifies the UDM network element.
  • the AMF network element may send a custom message carrying the first indication information before or after sending the first user authentication request, and may also send the first user authentication request and the custom message carrying the first indication information at the same time; there is no restriction on this.
  • the user authentication request between the AMF network element and the AUSF network element in the above embodiment can also be referred to as Nausf_UEAuthentication_Authenticate Request.
  • the first user authentication request and the fourth user authentication request can also be referred to as Nausf_UEAuthentication_Authenticate Request;
  • the user authentication response between the AMF network element and the AUSF network element can also be referred to as Nausf_UEAuthentication_Authenticate Response, for example, the first user authentication response and the fourth user authentication response.
  • the SEAF network element may also perform the steps performed by the AMF network element, and/or the ARPF network element may perform the steps performed by the UDM network element.
  • the UE receives the Authentication-Request, generates RES*, and returns an Authentication-Response to the AMF network element, and the Authentication-Response includes RES*.
  • when the UDM network element supports user identity anonymization, the UDM network element decrypts SUCI to obtain SUPI, obtains the SUPI* corresponding to the SUPI from the pre-configured correspondence between SUPI and SUPI*, determines the user subscription data of the UE from the pre-configured correspondence between SUPI and user subscription data, obtains XRES* according to the user subscription data, and returns Nudm_UEAuthentication_Get Response to the AUSF network element.
  • the Nudm_UEAuthentication_Get Response includes indication information 2, SUPI*, and XRES*.
  • the AUSF network element receives Nausf_UEAuthentication_Authenticate Request2, generates a first HXRES* according to the RES*, determines that the first HXRES* is the same as the second HXRES*, and returns Nausf_UEAuthentication_Authenticate Response2 to the AMF network element, and Nausf_UEAuthentication_Authenticate Response2 includes SUPI*.
  • the AMF network element sends a session connection establishment request to the SMF network element, and the session connection establishment request includes the second user identifier.
  • since the AMF network element, the SMF network element and the UDM network element in the above process identify the UE through the second user identifier when querying the user subscription data during the session connection establishment process, the risk of privacy leakage in the communication process is greatly reduced.
  • the parameter used when the UE calculates the key KAMF can also be changed; the above takes the second user identifier as the parameter used when the UE calculates the key KAMF as an example.
  • the embodiment of the present application provides another communication method, as shown in FIG. 8, which specifically includes the following steps.
  • the first user identifier is SUCI.
  • a first user identity conversion module configured on network element 1 receives a first service request from network element 2, where the first service request includes user identity 1, and user identity 1 is the identity of terminal device A.
  • the user identity 1 can be SUPI, SUCI, or temporary user identity.
  • the first user ID conversion module may replace the user ID 1 in the first service request with the corresponding user ID 2 according to the preset correspondence between the user ID 1 and the user ID 2.
  • the first user identification conversion module may also perform a corresponding operation on the user identification 1 in the first service request based on the first algorithm to obtain the user identification 2, and replace the user identification 1 in the first service request with the obtained User ID 2.
  • the first user identity conversion module sends the first service request for replacing the user identity 1 with the user identity 2 to the network element 1.
  • the network element 1 sends a first service response to the second user identity conversion module configured on the network element 1.
  • the first service response includes the user identifier 2, and the user identifier 2 is the anonymized identifier of terminal device A.
  • the first algorithm and key 1 can be pre-configured in the first user identity conversion module, or the first user identity conversion module can obtain them from other network elements (such as the UDM network element, the first network element, etc.). This is not limited.
  • the second algorithm and key 2 can be pre-configured in the second user identity conversion module, or the second user identity conversion module can obtain them from other network elements (such as the UDM network element, the first network element, etc.), which is not limited.
  • the processing unit 1002 may be a processor or a controller, for example, a general-purpose central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It can implement or execute the various exemplary logical blocks, modules, and circuits described in conjunction with the disclosure of this application.
  • the processor may also be a combination for realizing computing functions, for example, including a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on.
  • the device 1000 is the authentication service network element in the foregoing embodiment.
  • the processing unit 1002 is configured to send a second user authentication request to the data management network element in response to the first user authentication request when the communication unit 1001 receives the first user authentication request sent by the mobility management network element.
  • the first user authentication request includes the first user identification
  • the communication unit 1001 is further configured to receive a second user authentication response returned by the data management network element in response to the second user authentication request, and the second user authentication response includes the second user identification.
  • the processing unit 1002 is further configured to return a first user authentication response to the mobility management network element in response to the second user authentication response.
  • the device is a mobility management network element, an authentication service network element, a data management network element, or the first network element.
  • the mobility management network element, authentication service network element, data management network element, or first network element is divided into functional modules in an integrated manner, and the form of each functional module is presented.
  • the "module" here may refer to a specific ASIC, a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other devices that can provide the above-mentioned functions.
  • the mobility management network element, the authentication service network element, the data management network element, or the first network element may adopt the form shown in FIG. 11.
  • the processor 1102 in FIG. 11 may invoke the program instructions stored in the memory 1101 to cause the mobility management network element, the authentication service network element, the data management network element, or the first network element to execute the method in the foregoing method embodiment.
  • the function/implementation process of the communication unit 1001 and the processing unit 1002 in FIG. 10 may be implemented by the processor 1102 in FIG. 11 calling a computer execution instruction stored in the memory 1101.
  • the function/implementation process of the processing unit 1002 in FIG. 10 may be implemented by the processor 1102 in FIG. 11 calling computer execution instructions stored in the memory 1101, and the function/implementation process of the communication unit 1001 in FIG. 10 may be implemented by the communication interface 1103 in FIG. 11.
  • the apparatus may be the mobility management network element, the authentication service network element, the data management network element, or the first network element in the above-mentioned embodiment.
  • the device 1100 includes a processor 1102 and a communication interface 1103.
  • the device 1100 may further include a memory 1101.
  • the apparatus 1100 may further include a communication line 1104.
  • the communication interface 1103, the processor 1102, and the memory 1101 may be connected to each other through a communication line 1104;
  • the communication line 1104 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, and so on.
  • the communication line 1104 can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used to represent in FIG. 11, but it does not mean that there is only one bus or one type of bus.
  • the memory 1101 is used to store computer-executable instructions for executing the solutions of the present application, and the processor 1102 controls the execution.
  • the processor 1102 is configured to execute computer-executable instructions stored in the memory 1101, so as to implement the method for selecting a session management network element provided in the foregoing embodiment of the present application.
  • program instructions in the embodiments of the present application may also be referred to as application program codes, computer programs, computer instructions, etc., which are not specifically limited in the embodiments of the present application.
  • the computer may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented by software, it can be implemented in the form of a computer program product in whole or in part.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from a website, computer, server, or data center.
  • the various illustrative logic units and circuits described in the embodiments of this application can be implemented by general-purpose processors, digital signal processors, application-specific integrated circuits (ASIC), field programmable gate arrays (FPGA) or other programmable logic devices, discrete gates or transistor logic, discrete hardware components, or any combination of the above designed to implement or operate the described functions.
  • the general-purpose processor may be a microprocessor.
  • the general-purpose processor may also be any conventional processor, controller, microcontroller, or state machine.
  • the processor can also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration.
  • the UE sends an access request to an AMF network element; the access request includes a first user identifier.
  • the first user identity is obtained by encrypting SUPI, and SUPI is the identity of the UE.
  • in response to the access request, the AMF network element sends a first user authentication request to the AUSF network element; the first user authentication request includes the first user identifier and the service network name.
  • the service network name includes a PLMN ID and/or a network identifier (NID).
  • the PLMN ID and NID are jointly used to identify a non-public network (for example, a standalone non-public network (SNPN)).
  • when the first user authentication request includes indication information 1, the user authentication request may also include indication information 1.
  • in response to the second user authentication request, the UDM network element returns a second user authentication response to the AUSF network element, and the second user authentication response includes the second user identifier.
  • the second user identifier is the anonymized identity identifier of the UE.
  • the UDM network element also records the correspondence between SUPI and SUPI*.
  • the anonymized identifier of the UE (such as SUPI*) is generated by the UDM network element according to one or more of the following parameters, based on a certain algorithm or strategy:
  • the identifier of the UE, including but not limited to: SUPI, 5G globally unique temporary identifier (5G-GUTI), SUCI, generic public subscription identifier (GPSI), etc.;
  • the shared key between the UE and the network side, including but not limited to: KAUSF, the encryption key CK, the integrity key IK, the anonymity key AK, the long-term key K, and a key generated from any one or more of KAUSF, KAKMA, CK, IK, AK and K, such as the SEAF key KSEAF, etc. Specifically, KSEAF is generated from KAUSF.
  • the second user authentication response may further include indication information 3, which is used to indicate that the UDM network element supports user identity anonymization processing, where "the UDM network element supports user identity anonymization processing" can be expressed as: the UDM network element has performed user identity anonymization processing, and/or the home network where the UDM network element is located supports user identity anonymization processing.
  • the AMF network element sends a third user authentication request to the UE, and the third user authentication request is used to initiate authentication to the UE.
  • the third user authentication request may further include indication information 3.
  • only SUPI* from which the PLMN ID and/or routing information part has been removed is used when generating the key KAMF.
  • in response to the first user authentication request, the AUSF network element sends a second user authentication request to the UDM network element, where the second user authentication request includes SUPI*1 and the service network name.
  • when the first user authentication request includes indication information 2, the user authentication request may also include indication information 2.
  • in response to the second user authentication request, the UDM network element returns a second user authentication response to the AUSF network element, and the second user authentication response includes SUPI*1 and SUPI*2;
  • when the second user authentication response includes indication information 2 and/or the UDM network element supports user identity anonymization, if the UDM network element finds the SUPI corresponding to SUPI*1 in the recorded correspondence between SUPI and SUPI*, it determines that the UE supports user identity anonymization, generates SUPI*2, and records the correspondence between SUPI and SUPI*2.
  • for the manner of generating SUPI*2, please refer to the related introduction of generating the second user identifier in step 1204 above, which will not be repeated here.
  • the second user authentication response may further include indication information 1 for indicating that the UE supports user identity anonymization processing.
  • if the UDM network element does not find the SUPI corresponding to SUPI*1 in the recorded correspondence between SUPI and SUPI*, it treats SUPI*1 as SUPI.
  • when the AMF network element does not support user identity anonymization processing, the UDM network element responds to the second user authentication request by returning to the AUSF network element a second user authentication response that includes SUPI but not indication information 3. Indication information 3 is used to indicate that the UDM network element supports user identity anonymization.
  • when the second user authentication response includes indication information 2 and/or the UDM network element supports user identity anonymization, the second user authentication response may also include indication information 3, where "the UDM network element supports user identity anonymization processing" can also be expressed as: the UDM network element has performed user identity anonymization processing, and/or the home network where the UDM network element is located supports user identity anonymization processing.
  • in response to the second user authentication response, the AUSF network element returns a first user authentication response to the AMF network element.
  • the first user authentication response includes indication information 3.
  • the AMF network element sends a third user authentication request to the UE, where the third user authentication request is used to initiate authentication to the UE.
  • the third user authentication request may further include indication information 3.
  • the indication information 3 may be carried in the authentication token AUTN.
  • the way that the UE generates SUPI*2 according to SUPI is the same as the way the UDM generates SUPI*.
  • the UE generating the key KAMF according to SUPI*2 refer to the relevant introduction in the foregoing embodiments.
  • the UE may generate SUPI*2 and the key KAMF after returning the third user authentication response to the AMF, or may generate SUPI*2 and the key KAMF before returning the third user authentication response, which is not limited.
  • the manner in which the UE generates SUPI*2 and the key KAMF can refer to the above related introduction, which will not be repeated here.
  • in response to the fourth user authentication request, the AUSF network element returns a fourth user authentication response to the AMF network element.
  • the fourth user authentication response may include the third user identifier and SUPI*2. In some embodiments, the fourth user authentication response may also include SUPI*1.
  • for the related introduction of the third user identifier, refer to the description in step 1209, which will not be repeated here.
  • the AMF network element can also compare SUPI*2 with SUPI*1, and when SUPI*2 is different from SUPI*1, determine that the UE supports user identity anonymization. In this way, the UE's support for user identity anonymization processing is indicated implicitly.
  • the AMF network element further includes:
  • the AMF network element sends a session connection establishment request to the SMF network element, where the session connection establishment request includes SUPI*1 and SUPI*2.
  • after receiving the session connection establishment request, the SMF network element replaces SUPI*1 with SUPI*2, so that the SMF network element can subsequently identify the UE through SUPI*2.
  • the session connection establishment request may be Nsmf_PDUSession_CreateSMContext Request.
  • the access request involved in each embodiment of this application can be understood as a registration request, that is, the access request involved in the embodiment of this application can be replaced with a registration request.
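The anonymized-identifier flow described above (UE sends SUCI, the UDM issues SUPI*, the AMF and SMF identify the UE only by SUPI*, and the UE derives the same SUPI* and KAMF on its side), as an added simulation that is not code from the patent or from 华为技术有限公司. The patent leaves the SUPI* algorithm open, so the example assumes SUPI* = HMAC-SHA256(KAUSF, SUPI) and KAMF = HMAC-SHA256(KSEAF, SUPI* || ABBA), and stands in for ECIES-based SUCI concealment with a keyed XOR; none of these are the 3GPP constructions. All SUPI and key values are constructed samples.

```python
"""Added example (not the patent's or Huawei's code): a minimal simulation of the
anonymized-identifier flow. Assumptions not fixed by the patent:
SUPI* = HMAC-SHA256(K_AUSF, SUPI) and K_AMF = HMAC-SHA256(K_SEAF, SUPI* || ABBA);
real 5G uses ECIES for SUCI concealment and the TS 33.220 KDF, neither used here."""
import hashlib
import hmac


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stand-in for ECIES SUCI concealment/deconcealment (XOR with an HMAC keystream).
    stream = hmac.new(key, b"suci-keystream", hashlib.sha256).digest()
    while len(stream) < len(data):
        stream += hmac.new(key, stream, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def conceal_supi(supi: str, home_key: bytes) -> str:
    """UE side: the first user identifier (SUCI) is SUPI encrypted for the home network."""
    return "suci-" + _keystream_xor(home_key, supi.encode()).hex()


def deconceal_suci(suci: str, home_key: bytes) -> str:
    """UDM side: recover SUPI from SUCI."""
    return _keystream_xor(home_key, bytes.fromhex(suci[len("suci-"):])).decode()


def derive_supi_star(supi: str, k_ausf: bytes) -> str:
    """Second user identifier (SUPI*), keyed with K_AUSF, which only the UE and the home
    network share: both can compute it, but a core-network element holding SUPI* alone
    cannot recover SUPI from it."""
    return "supi*-" + hmac.new(k_ausf, supi.encode(), hashlib.sha256).hexdigest()[:32]


def derive_k_amf(k_seaf: bytes, user_id: str, abba: bytes = b"\x00\x00") -> bytes:
    """K_AMF bound to the identifier in use (SUPI* when anonymization is active)."""
    return hmac.new(k_seaf, user_id.encode() + abba, hashlib.sha256).digest()


class UDM:
    """Data management network element: deconceals SUCI, issues SUPI*, keeps the mapping."""

    def __init__(self, home_key: bytes, subscribers: dict):
        self.home_key = home_key
        self.subscribers = subscribers   # SUPI -> {"k_ausf": bytes}
        self.supi_to_star = {}           # recorded SUPI <-> SUPI* correspondence

    def authenticate_get(self, suci: str, amf_supports_anonymization: bool) -> dict:
        supi = deconceal_suci(suci, self.home_key)
        if not amf_supports_anonymization:
            return {"user_id": supi, "indication3": False}   # legacy: SUPI leaves the UDM
        supi_star = derive_supi_star(supi, self.subscribers[supi]["k_ausf"])
        self.supi_to_star[supi] = supi_star
        return {"user_id": supi_star, "indication3": True}   # indication 3: anonymized


def run_access_flow(amf_supports_anonymization: bool) -> dict:
    """Drive one registration through UE -> AMF -> AUSF -> UDM and back, and report what
    the core-network elements end up holding. All values below are constructed samples."""
    supi = "imsi-001010123456789"
    home_key = b"constructed-home-network-key"
    k_ausf = hashlib.sha256(b"constructed K_AUSF for this UE").digest()
    k_seaf = hashlib.sha256(k_ausf + b"KSEAF").digest()   # K_SEAF is generated from K_AUSF
    udm = UDM(home_key, {supi: {"k_ausf": k_ausf}})

    # 1. UE -> AMF: access request carrying the first user identifier (SUCI).
    suci = conceal_supi(supi, home_key)
    # 2./3. AMF -> AUSF -> UDM: first/second user authentication request with SUCI and,
    #       when the AMF supports anonymization, indication information 1.
    udm_resp = udm.authenticate_get(suci, amf_supports_anonymization)
    # 4. UDM -> AUSF -> AMF: the second user identifier; the AMF identifies the UE by it.
    amf_view = {"first_user_id": suci, "second_user_id": udm_resp["user_id"]}
    # 5. Network-side K_AMF from the identifier in use (assumed to be derived at the AUSF).
    k_amf_network = derive_k_amf(k_seaf, udm_resp["user_id"])
    # 6. UE: on the third user authentication request, indication 3 tells it to derive
    #    SUPI* itself and compute K_AMF from it; otherwise it keeps using SUPI.
    ue_id = derive_supi_star(supi, k_ausf) if udm_resp["indication3"] else supi
    k_amf_ue = derive_k_amf(k_seaf, ue_id)
    # 7. AMF -> SMF: the session connection establishment request carries only the second identifier.
    smf_view = {"user_id": udm_resp["user_id"]}
    return {
        "supi": supi,
        "amf_view": amf_view,
        "smf_view": smf_view,
        "ue_id": ue_id,
        "keys_match": hmac.compare_digest(k_amf_network, k_amf_ue),
        "supi_seen_by_core": supi in amf_view.values() or supi in smf_view.values(),
    }


if __name__ == "__main__":
    for anon in (False, True):
        r = run_access_flow(anon)
        print(f"AMF supports anonymization={anon}: AMF/SMF hold {r['smf_view']['user_id']}, "
              f"SUPI exposed={r['supi_seen_by_core']}, K_AMF agree={r['keys_match']}")
```

Running it with anonymization off shows the plaintext SUPI held by the AMF and SMF, the exposure the background section describes; with it on, those elements hold only SUPI* while both sides still agree on KAMF.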

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A communication system, method, and apparatus, relating to the technical field of communications. The communication system comprises a mobile management network element, an authentication service network element, and a data management network element. A terminal device is used for sending an access request to the mobile management network element, and the access request comprises a first user identifier; the mobile management network element is used for sending a first user authentication request to the authentication service network element in response to the access request, and the first user authentication request comprises the first user identifier; the authentication service network element is used for sending a second user authentication request to the data management network element in response to the first user authentication request, and the second user authentication request comprises the first user identifier; the data management network element is used for returning a second user authentication response to the authentication service network element in response to the second user authentication request, the second user authentication response comprises a second user identifier, and the second user identifier is an anonymization identity identifier of the terminal device. According to the technical solution, the second user identifier is introduced, thereby facilitating improving the security and reliability of communication.

Description

Communication system, method and device
Cross-reference to related applications
This application claims priority to Chinese patent application No. 201910795258.8, titled "Communication system, method and device", filed with the Chinese Patent Office on August 27, 2019, and to Chinese patent application No. 202010256020.0, titled "Communication system, method and device", filed with the Chinese Patent Office on April 2, 2020, the entire contents of both of which are incorporated herein by reference.
Technical field
This application relates to the field of communication technology, and in particular to a communication system, method, and device.
Background
In fifth-generation (5G) communication, the subscription permanent identifier (SUPI) is usually used in the calculation of the key KAMF, so the SUPI is sensitive information. However, the network elements of the core network identify a terminal device by its SUPI when communicating with each other; if a core-network element is attacked or the data it holds is stolen, the SUPI is easily leaked, which compromises the privacy of user communications.
Summary of the invention
The embodiments of this application provide a communication system, method, and device that help improve the security and reliability of communication.
In a first aspect, a communication system provided by an embodiment of this application includes a mobility management network element, an authentication service network element, and a data management network element;
the terminal device is configured to send an access request to the mobility management network element; the access request includes a first user identifier, the first user identifier is obtained by encrypting the SUPI, and the SUPI is the identity of the terminal device;
the mobility management network element is configured to send a first user authentication request to the authentication service network element in response to the access request; the first user authentication request includes the first user identifier;
the authentication service network element is configured to send a second user authentication request to the data management network element in response to the first user authentication request, where the second user authentication request includes the first user identifier;
the data management network element is configured to return a second user authentication response to the authentication service network element in response to the second user authentication request, where the second user authentication response includes a second user identifier, and the second user identifier is an anonymized identity of the terminal device;
the authentication service network element is further configured to return a first user authentication response to the mobility management network element in response to the second user authentication response.
By introducing the second user identifier, the embodiments of this application allow each network element in the core network to identify the terminal device by the second user identifier, which is an anonymized identity of the terminal device. Compared with the prior art, in which the core-network elements identify the terminal device by its SUPI, this helps improve the security and reliability of communication.
In a possible design, the first user authentication response further includes the second user identifier. This simplifies the way the mobility management network element obtains the second user identifier.
In a possible design, the mobility management network element is further configured to obtain the second user identifier from the authentication service network element in response to the first user authentication response. This makes it convenient for the mobility management network element to obtain the second user identifier.
In a possible design, the first user authentication request further includes first indication information, and the second user authentication request that the authentication service network element sends to the data management network element in response to the first user authentication request also includes the first indication information; the first indication information indicates that the mobility management network element supports user identity anonymization. This helps the data management network element determine that the serving network supports user anonymization and therefore return the second user identifier.
It should be noted that "the mobility management network element supports user identity anonymization" can also be understood as: the network in which the mobility management network element is located supports user identity anonymization, where that network is the network the terminal device requests to access and provides services to the terminal device. This network may be called the serving network.
In a possible design, the second user authentication response further includes second indication information, and the first user authentication response that the authentication service network element returns to the mobility management network element in response to the second user authentication response also includes the second indication information; the second indication information indicates that the data management network element supports user identity anonymization. This helps the mobility management network element determine that the home network supports user identity anonymization and therefore obtain the second user identifier.
It should be noted that "the data management network element supports user identity anonymization" can also be understood as: the network in which the data management network element is located supports user identity anonymization, where that network provides registration-related information about the terminal device (for example, registration status). This network may be called the home network.
In a possible design, the communication system further includes a first network element;
the data management network element is further configured to send an anonymized user identifier acquisition request to the first network element, where the request includes the first user identifier, and to receive the second user identifier returned by the first network element; the first network element is configured to, in response to the anonymized user identifier acquisition request, decrypt the first user identifier to obtain the SUPI, obtain the second user identifier according to the SUPI, and return the second user identifier to the data management network element. This helps simplify the implementation.
In a possible design, the communication system further includes a first network element;
the data management network element is further configured to decrypt the first user identifier to obtain the SUPI, send an anonymized user identifier acquisition request that includes the SUPI to the first network element, and receive the second user identifier returned by the first network element; the first network element is configured to, in response to the anonymized user identifier acquisition request, obtain the second user identifier according to the SUPI and return it to the data management network element. This helps simplify the implementation.
In a possible design, the authentication service network element is further configured to send a key acquisition request that includes the second user identifier to the first network element, receive the key KAMF returned by the first network element, and send the key KAMF to the mobility management network element; the key KAMF is the key between the terminal device and the mobility management network element. The first network element is configured to, in response to the key acquisition request, generate the key KAMF according to the second user identifier and return it to the authentication service network element. The mobility management network element is further configured to receive the key KAMF sent by the authentication service network element. This allows the mobility management network element to communicate securely with the terminal device using the key KAMF.
In a possible design, the first network element is configured to obtain the SUPI according to the second user identifier and generate the key KAMF according to the SUPI. This allows the mobility management network element to communicate securely with the terminal device using the key KAMF.
In a possible design, the mobility management network element is further configured to send a first parameter to the authentication server; the authentication service network element is further configured to send the first parameter to the first network element; and the first network element is configured to generate the key KAMF according to the SUPI and the first parameter. This helps simplify the generation of the key KAMF.
In a possible design, the data management network element is further configured to decrypt the first user identifier to obtain the SUPI, and to obtain the second user identifier according to the SUPI. This helps simplify the implementation.
In a possible design, the mobility management network element is further configured to generate a key KAMF according to the second user identifier; the key KAMF is the key between the terminal device and the mobility management network element. This helps simplify the implementation.
In a possible design, the authentication service network element is further configured to send a key acquisition request that includes the second user identifier to the data management network element, receive the key KAMF returned by the data management network element, and send the key KAMF to the mobility management network element; the key KAMF is the key between the terminal device and the mobility management network element. The data management network element is further configured to, in response to the key acquisition request, generate the key KAMF according to the second user identifier and return it to the authentication service network element. The mobility management network element is further configured to receive the key KAMF sent by the authentication service network element. This helps simplify the implementation.
In a second aspect, an embodiment of this application provides a communication method, which includes:
a mobility management network element receives an access request sent by a terminal device, where the access request includes a first user identifier, the first user identifier is obtained by encrypting the SUPI, and the SUPI is the identity of the terminal device; in response to the access request, the mobility management network element sends a first user authentication request that includes the first user identifier to an authentication service network element; and the mobility management network element receives the first user authentication response returned by the authentication service network element in response to the first user authentication request;
where the first user authentication response includes a second user identifier, the second user identifier being an anonymized identity of the terminal device; or, in response to the first user authentication response, the mobility management network element obtains the second user identifier from the authentication service network element.
In a possible design, the first user authentication request further includes first indication information, which indicates that the mobility management network element supports user identity anonymization.
In a possible design, the first user authentication response further includes second indication information, which indicates that the data management network element supports user identity anonymization.
In a possible design, the mobility management network element generates a key KAMF according to the second user identifier; or the mobility management network element receives the key KAMF returned by the authentication service network element;
the key KAMF is the key between the terminal device and the mobility management network element.
In a possible design, the mobility management network element also sends a first parameter to the authentication service network element; the first parameter is used to generate the key KAMF.
In a third aspect, an embodiment of this application provides another communication method, which includes:
an authentication service network element receives a first user authentication request sent by a mobility management network element, where the first user authentication request includes a first user identifier, the first user identifier is obtained by encrypting the SUPI, and the SUPI is the identity of a terminal device; in response to the first user authentication request, the authentication service network element sends a second user authentication request that includes the first user identifier to a data management network element; the authentication service network element receives the second user authentication response returned by the data management network element in response to the second user authentication request, where the second user authentication response includes a second user identifier, which is an anonymized identity of the terminal device; and, in response to the second user authentication response, the authentication service network element returns a first user authentication response to the mobility management network element.
In a possible design, the first user authentication response includes the second user identifier.
In a possible design, the first user authentication request further includes first indication information, and the second user authentication request that the authentication service network element sends to the data management network element in response to the first user authentication request also includes the first indication information; the first indication information indicates that the mobility management network element supports user identity anonymization.
In a possible design, the second user authentication response further includes second indication information, and the first user authentication response that the authentication service network element returns to the mobility management network element in response to the second user authentication response also includes the second indication information; the second indication information indicates that the data management network element supports user identity anonymization.
In a possible design, the authentication service network element sends a key acquisition request that includes the second user identifier to a first network element; the authentication service network element receives the key KAMF returned by the first network element in response to the key acquisition request, where the key KAMF is the key between the terminal device and the mobility management network element; and the authentication service network element sends the key KAMF to the mobility management network element.
In a possible design, the authentication service network element receives a first parameter sent by the mobility management network element and sends the first parameter to the first network element; the first parameter is used to generate the key KAMF.
In a possible design, the authentication service network element sends a key acquisition request that includes the second user identifier to the data management network element, receives the key KAMF returned by the data management network element in response to the key acquisition request, and sends the key KAMF to the mobility management network element, where the key KAMF is the key between the terminal device and the mobility management network element.
In a fourth aspect, an embodiment of this application provides another communication method, which includes:
a data management network element receives a second user authentication request sent by an authentication service network element, where the second user authentication request includes a first user identifier, the first user identifier is obtained by encrypting the SUPI, and the SUPI is the identity of a terminal device; in response to the second user authentication request, the data management network element returns a second user authentication response to the authentication service network element, where the second user authentication response includes a second user identifier, and the second user identifier is an anonymized identity of the terminal device.
In a possible design, the data management network element sends an anonymized user identifier acquisition request that includes the first user identifier to a first network element, and receives the second user identifier returned by the first network element in response to the anonymized user identifier acquisition request.
In a possible design, the data management network element decrypts the first user identifier to obtain the SUPI, sends an anonymized user identifier acquisition request that includes the SUPI to a first network element, and receives the second user identifier returned by the first network element in response to the anonymized user identifier acquisition request.
In a possible design, the data management network element decrypts the first user identifier to obtain the SUPI, and obtains the second user identifier according to the SUPI.
In a possible design, the data management network element receives a key acquisition request sent by the authentication service network element, where the key acquisition request includes the second user identifier; in response to the key acquisition request, the data management network element returns a key KAMF to the authentication service network element; the key KAMF is the key between the terminal device and the mobility management network element.
In a fifth aspect, this application provides another communication method, which includes:
a first network element receives an anonymized user identifier acquisition request sent by a data management network element, where the request includes a first user identifier or the SUPI; the first user identifier is obtained by encrypting the SUPI, and the SUPI is the identity of a terminal device; in response to the anonymized user identifier acquisition request, the first network element returns the second user identifier to the data management network element, where the second user identifier is an anonymized identity of the terminal device.
In a possible design, the first network element obtains the second user identifier according to the SUPI, where the SUPI is either taken from the anonymized user identifier acquisition request or obtained by decrypting the first user identifier.
In a possible design, the first network element receives a key acquisition request sent by an authentication service network element, where the key acquisition request includes the second user identifier; in response to the key acquisition request, the first network element generates a key KAMF according to the second user identifier and returns the key KAMF to the authentication service network element; the key KAMF is the key between the terminal device and the mobility management network element.
In a possible design, the first network element receives a first parameter sent by the authentication service network element; the first parameter was sent by the mobility management network element to the authentication service network element and is used to generate the key KAMF.
In a fifth aspect, this application provides another communication system, which includes a mobility management network element, an authentication service network element, and a data management network element;
the terminal device is configured to send an access request to the mobility management network element; the access request includes a first user identifier, the first user identifier is obtained by encrypting the SUPI, and the SUPI is the identity of the terminal device;
the mobility management network element is configured to send a first user authentication request to the authentication service network element in response to the access request; the first user authentication request includes the first user identifier;
the authentication service network element is configured to send a second user authentication request to the data management network element in response to the first user authentication request, where the second user authentication request includes the first user identifier;
the data management network element is configured to return a second user authentication response to the authentication service network element in response to the second user authentication request, where the second user authentication response includes a second user identifier;
the authentication service network element is further configured to, upon receiving the second user authentication response, return a first user authentication response to the mobility management network element; for example, the first user authentication response includes the second user identifier.
the mobility management network element is further configured to send a third user authentication request that includes the first user identifier to the terminal device in response to the first user authentication response;
the terminal device is further configured to, in response to the third user authentication request, obtain the second user identifier according to the SUPI, generate a key KAMF according to the second user identifier, and then return a third user authentication response to the mobility management network element; the key KAMF is the key between the terminal device and the mobility management network element;
the mobility management network element is further configured to send a fourth user authentication request to the authentication service network element in response to the third user authentication response;
in response to the fourth user authentication request, the authentication service network element returns a fourth user authentication response that includes the second user identifier to the mobility management network element;
in response to the fourth user authentication response, the mobility management network element generates the key KAMF according to the second user identifier.
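The registration exchange of the first aspect, together with the terminal-side derivation of the fifth-aspect system, as an added Python simulation that is not part of the patent. All secrets, the keyed-hash anonymization, the HMAC-based KAMF derivation and the keyed-stream stand-in for SUCI concealment are assumptions, since the patent does not specify them (real 5G SUCI concealment uses ECIES).

```python
import hashlib
import hmac
import os

# Constructed secrets (assumptions): SUCI_KEY is held by the home network only;
# ANON_SECRET is shared by the home network and the terminal.
SUCI_KEY = b"constructed-suci-key"
ANON_SECRET = b"constructed-anonymization-key"


def conceal_supi(supi: str, nonce: bytes) -> bytes:
    """First user identifier: SUPI encrypted under a keyed stream (stand-in for SUCI)."""
    data = supi.encode()
    if len(nonce) != 16 or len(data) > 32:
        raise ValueError("nonce must be 16 bytes and SUPI at most 32 bytes")
    stream = hmac.new(SUCI_KEY, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def reveal_supi(first_user_id: bytes) -> str:
    """Inverse of conceal_supi; only home-network elements hold SUCI_KEY."""
    nonce, body = first_user_id[:16], first_user_id[16:]
    stream = hmac.new(SUCI_KEY, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream)).decode()


def anonymize(supi: str) -> str:
    """Second user identifier: keyed hash of the SUPI (assumed construction)."""
    return hmac.new(ANON_SECRET, supi.encode(), hashlib.sha256).hexdigest()[:32]


def derive_kamf(second_user_id: str, first_parameter: bytes) -> bytes:
    """KAMF from the second user identifier and the first parameter (assumed KDF)."""
    return hmac.new(first_parameter, second_user_id.encode(), hashlib.sha256).digest()


class FirstNetworkElement:
    """Holds the decryption key; resolves anonymized identifiers and generates KAMF."""
    def get_anonymized_id(self, first_user_id: bytes) -> str:
        return anonymize(reveal_supi(first_user_id))

    def get_key(self, second_user_id: str, first_parameter: bytes) -> bytes:
        return derive_kamf(second_user_id, first_parameter)


class DataManagement:
    """Data management network element of the home network."""
    def __init__(self, first_ne: FirstNetworkElement) -> None:
        self.first_ne = first_ne

    def second_user_auth(self, req: dict) -> dict:
        resp = {"anonymization_supported": True}       # second indication information
        if req.get("anonymization_supported"):          # first indication information
            resp["second_user_id"] = self.first_ne.get_anonymized_id(req["first_user_id"])
        return resp


class AuthenticationService:
    """Authentication service network element; relays authentication and key acquisition."""
    def __init__(self, udm: DataManagement, first_ne: FirstNetworkElement) -> None:
        self.udm, self.first_ne = udm, first_ne

    def first_user_auth(self, req: dict) -> dict:
        # The second user authentication request carries the same first user id and indication.
        return self.udm.second_user_auth(dict(req))

    def get_key(self, second_user_id: str, first_parameter: bytes) -> bytes:
        return self.first_ne.get_key(second_user_id, first_parameter)


class MobilityManagement:
    """Mobility management network element of the serving network; never handles the SUPI."""
    def __init__(self, ausf: AuthenticationService) -> None:
        self.ausf = ausf

    def access(self, access_request: dict) -> dict:
        first_parameter = os.urandom(16)
        resp = self.ausf.first_user_auth({"first_user_id": access_request["first_user_id"],
                                          "anonymization_supported": True})
        if "second_user_id" not in resp:
            raise RuntimeError("home network returned no anonymized identifier")
        kamf = self.ausf.get_key(resp["second_user_id"], first_parameter)
        # Everything the AMF retains about this terminal after registration.
        return {"second_user_id": resp["second_user_id"],
                "first_parameter": first_parameter, "kamf": kamf}


def run_registration(supi: str) -> dict:
    """Runs one registration and re-derives the result from the terminal's side."""
    first_ne = FirstNetworkElement()
    amf = MobilityManagement(AuthenticationService(DataManagement(first_ne), first_ne))
    amf_state = amf.access({"first_user_id": conceal_supi(supi, os.urandom(16))})
    # Terminal side (fifth-aspect system): same second user id and KAMF from its own
    # SUPI; the first parameter is assumed to have reached the terminal.
    ue_kamf = derive_kamf(anonymize(supi), amf_state["first_parameter"])
    return {"second_user_id": amf_state["second_user_id"],
            "keys_match": hmac.compare_digest(ue_kamf, amf_state["kamf"]),
            "amf_state_mentions_supi": supi in repr(amf_state)}
```

The returned flags show that the serving-network element completes registration and key derivation without ever holding the SUPI, and that the terminal arrives at the same KAMF.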
In a sixth aspect, the communication device of an embodiment of this application may be a virtualized function instantiated on a platform, or a hardware device or a network element in a hardware device. The device has the functions needed to implement the technical solutions of the above aspects and their possible designs. These functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
In a possible design, the device includes a processing unit and a communication unit. The processing unit may be, for example, a processor; the communication unit may be, for example, a transceiver, which may include a radio frequency circuit. For example, the processing unit is configured to trigger the communication unit to send the first user authentication request to the authentication service unit in response to the access request; as another example, the processing unit is configured to trigger the communication unit to send the second user authentication request to the data management unit in response to the first user authentication request, and so on.
In another possible design, the device includes a processor and a memory, where the memory stores a program and the processor calls the program stored in the memory to implement the message protection method of any of the above aspects and their possible designs. It should be noted that the processor may send or receive data through an input/output interface, pins, or a circuit. The memory may be a register, a cache, or the like within the chip. In addition, the memory may also be a storage unit of the terminal device located outside the chip, such as a read-only memory (ROM), another type of static storage device that can store static information and instructions, or a random access memory (RAM).
The processor mentioned anywhere above may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits that control the execution of a program for the message protection method of any of the above aspects or their possible designs.
In a seventh aspect, an embodiment of this application further provides a computer-readable storage medium storing a program which, when run on a computer, causes the computer to perform the methods described in the above aspects.
In an eighth aspect, this application further provides a computer program product containing a program which, when run on a computer, causes the computer to perform the methods described in the above aspects.
In addition, for the technical effects of any possible design of the second to ninth aspects, refer to the technical effects of the corresponding designs of the first aspect; they are not repeated here.
Description of the drawings
FIG. 1 is a schematic diagram of the architecture of a communication system according to an embodiment of this application;
FIG. 2 is a schematic diagram of the architecture of another communication system according to an embodiment of this application;
FIG. 3 is a schematic flowchart of a communication method according to an embodiment of this application;
FIG. 4 is a schematic flowchart of another communication method according to an embodiment of this application;
FIG. 5 is a schematic flowchart of another communication method according to an embodiment of this application;
FIG. 6 is a schematic flowchart of a communication method according to an embodiment of this application;
FIG. 7 is a schematic flowchart of another communication method according to an embodiment of this application;
FIG. 8 is a schematic flowchart of another communication method according to an embodiment of this application;
FIG. 9 is a schematic flowchart of another communication method according to an embodiment of this application;
FIG. 10 is a schematic structural diagram of a communication apparatus according to an embodiment of this application;
FIG. 11 is a schematic structural diagram of another communication apparatus according to an embodiment of this application;
FIG. 12 is a schematic flowchart of another communication method according to an embodiment of this application;
FIG. 13 is a schematic flowchart of another communication method according to an embodiment of this application;
FIG. 14 is a schematic flowchart of another communication method according to an embodiment of this application;
FIG. 15 is a schematic flowchart of another communication method according to an embodiment of this application.
Detailed description
In the embodiments of this application, "at least one" means one or more, and "multiple" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the associated objects before and after it. "At least one of the following (items)" or a similar expression refers to any combination of these items, including any combination of a single item or multiple items. For example, at least one of a, b, or c may mean: a, b, c, a and b, a and c, b and c, or a, b and c, where each of a, b and c may itself be an element or a set containing one or more elements.
In this application, "exemplary", "in some embodiments", "in other embodiments" and the like are used to mean serving as an example, instance or illustration. Any embodiment or design described as an "example" in this application should not be construed as preferred or advantageous over other embodiments or designs. Rather, the word "example" is intended to present a concept in a concrete manner.
In this application, "of", "relevant" and "corresponding" may sometimes be used interchangeably; it should be noted that when the distinction is not emphasized, their intended meanings are the same. In the embodiments of this application, "communication" and "transmission" may sometimes be used interchangeably; it should be noted that when the distinction is not emphasized, their meanings are the same. For example, transmission may include sending and/or receiving, and may be a noun or a verb.
It should be noted that the terms "first", "second" and the like in the embodiments of this application are used only to distinguish between descriptions, and should not be understood as indicating or implying relative importance, nor as indicating or implying an order.
To solve the problem mentioned in the background, this application provides a communication system. As shown in FIG. 1, the communication system includes a mobility management network element, an authentication service network element and a data management network element. In addition, in some embodiments the communication system further includes a first network element. The first network element may also be named a user identity anonymization network element or the like; the name of the first network element is not limited.
The mobility management network element, the authentication service network element and the data management network element are network elements in the core network. In addition, from the perspective of the terminal device, the mobility management network element is a network element in the serving network, while the authentication service network element, the data management network element and the first network element are network elements in the home network.
For example, the mobility management network element is configured to send a first user authentication request to the authentication service network element when the terminal device initiates access, where the first user authentication request includes a first user identifier, the first user identifier is obtained by encrypting the SUPI, and the SUPI is the identity of the terminal device;
the authentication service network element is configured to, in response to the first user authentication request, send a second user authentication request to the data management network element, where the second user authentication request includes the first user identifier;
the data management network element is configured to, in response to the second user authentication request, return a second user authentication response to the authentication service network element, where the second user authentication response includes a second user identifier, and the second user identifier is an anonymized identity of the terminal device;
the authentication service network element, in response to the second user authentication response, returns a first user authentication response to the mobility management network element. In some embodiments, the first user authentication response includes the second user identifier. Alternatively, after receiving the first user authentication response, the mobility management network element obtains the second user identifier from the authentication service network element.
In some embodiments, the second user identifier may be generated by the first network element or by the data management network element. For example, when the second user identifier is generated by the first network element, the data management network element is configured to send an anonymized user identifier acquisition request to the first network element in response to the first user authentication request, and the first network element is configured to return the second user identifier to the data management network element in response to the anonymized user identifier acquisition request. After receiving the second user identifier returned by the first network element, the data management network element then sends the second user authentication request to the authentication service network element. For example, the first network element may return an anonymized user identifier acquisition response to the data management network element, where the anonymized user identifier acquisition response includes the second user identifier.
For example, the anonymized user identifier acquisition request includes the first user identifier, and the first network element may decrypt the first user identifier to obtain the SUPI and then obtain the second user identifier from the SUPI. For another example, the anonymized user identifier acquisition request includes the SUPI, and the first network element may obtain the second user identifier from the SUPI.
For example, when the second user identifier is generated by the data management network element, the data management network element, in response to the first user authentication request, obtains the second user identifier from the first user identifier and then returns the second user authentication response to the authentication service network element. For example, the data management network element may decrypt the first user identifier to obtain the SUPI and then obtain the second user identifier from the SUPI.
By introducing the second user identifier, the embodiments of this application allow the network elements in the core network to identify the terminal device by the second user identifier when communicating with one another. Compared with identifying the terminal device by the SUPI as in the prior art, this helps to reduce the risk of user privacy leakage during communication.
In some embodiments, the mobility management network element may further be configured to indicate to the data management network element, via the authentication service network element, that the mobility management network element supports user identity anonymization. For example, the mobility management network element sends a first user authentication request to the authentication service network element, where the first user authentication request includes the first user identifier and first indication information, and the first indication information is used to indicate that the mobility management network element supports user identity anonymization. It should be noted that "the mobility management network element supports user identity anonymization" may also be understood as: the network in which the mobility management network element is located supports user identity anonymization, where the network in which the mobility management network element is located is the network that the terminal device requests to access and that provides services to the terminal device. This network may be called the serving network. After receiving the first user authentication request, the authentication service network element, in response to it, sends a second user authentication request to the data management network element, where the second user authentication request includes the first user identifier and the first indication information. In this way the mobility management network element achieves the purpose of indicating to the data management network element that the serving network of the terminal device supports user identity anonymization.
In still other embodiments, the data management network element may further be configured to indicate to the mobility management network element, via the authentication service network element, that the data management network element supports user identity anonymization. For example, the data management network element is configured to, in response to the second user authentication request, return a second user authentication response to the authentication service network element, where the second user authentication response includes the second user identifier and second indication information, and the second indication information is used to indicate that the data management network element supports user identity anonymization. It should be noted that "the data management network element supports user identity anonymization" may also be understood as: the network in which the data management network element is located supports user identity anonymization, where the network in which the data management network element is located is the network that provides registration-related information (for example, registration status) of the terminal device. This network may be called the home network. The authentication service network element receives the second user authentication response and, in response to it, sends a first user authentication response to the mobility management network element, where the first user authentication response includes the second indication information. In this way the purpose of indicating to the mobility management network element that the home network of the terminal device supports user identity anonymization is achieved.
Based on the communication system provided by the embodiments of this application, and without changing the way the key K_AMF is generated in the terminal device, the following designs avoid the mobility management network element having to obtain the SUPI from the data management network element or the first network element by means of the second user identifier in order to derive the key K_AMF shared between the terminal device and the mobility management network element. In some embodiments, the mobility management network element may further be configured to generate the key K_AMF from the second user identifier, where the algorithm the mobility management network element uses to generate K_AMF from the second user identifier is such that the K_AMF generated by the mobility management network element is the same as the K_AMF generated by the terminal device from the SUPI. Alternatively, in other embodiments, the authentication service network element is configured to send a key acquisition request to the first network element, where the key acquisition request includes the second user identifier; the first network element is configured to, in response to the key acquisition request, obtain the SUPI from the second user identifier, derive the key K_AMF from the SUPI, and return K_AMF to the authentication service network element, which then sends K_AMF to the mobility management network element. Alternatively, in still other embodiments, the authentication service network element is configured to send a key acquisition request to the data management network element, where the key acquisition request includes the second user identifier; the data management network element is configured to, in response to the key acquisition request, obtain the SUPI from the second user identifier, derive the key K_AMF from the SUPI, and return K_AMF to the authentication service network element, which then sends K_AMF to the mobility management network element.
For example, the first network element may derive the key K_AMF from the second user identifier and a first parameter (for example, the ABBA parameter). The first parameter is, for example, sent by the mobility management network element to the first network element via the authentication service network element. For instance, the mobility management network element may carry the first parameter in the first user authentication request sent to the authentication service network element, and the authentication service network element may then carry the first parameter in the second user authentication request sent to the data management network element. The data management network element then carries the first parameter in the key acquisition request sent to the first network element.
It should be understood that the terminal device in the embodiments of this application, which may also be called user equipment (UE), is a device with wireless transceiving capability. It may be deployed on land (indoors or outdoors, handheld or vehicle-mounted), on water (for example, on a ship), or in the air (for example, on an aircraft, balloon or satellite). The terminal device may be a mobile phone, a tablet (pad), a computer with wireless transceiving capability, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on. In the following, the terminal device is referred to as a UE.
Specifically, the embodiments of this application may be applied to a 5G communication system, and may also be applied to other communication systems, such as future communication systems like the sixth generation (6G) communication system.
For example, FIG. 2 is a schematic diagram of the network architecture of a 5G communication system according to an embodiment of this application. The network architecture of the 5G communication system may include an access and mobility management function (AMF) network element, an authentication server function (AUSF) network element, a unified data management (UDM) network element, a session management function (SMF) network element, a (radio) access network ((R)AN) and a user plane function (UPF) network element, among others. In addition, the network architecture of the 5G communication system further includes a data network (DN), an authentication credential repository and processing function (ARPF) network element, a security anchor function (SEAF) network element, the first network element, and so on.
The main function of the RAN is to control the access of the UE to the mobile communication network over the radio interface. The RAN is a part of the mobile communication system. It implements a radio access technology. Conceptually, it resides between a device (such as a mobile phone, a computer or any remotely controlled machine) and the core network, and provides the connection to the core network. RAN devices include but are not limited to: a gNB in 5G, an evolved node B (eNB), a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved node B or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), a mobile switching center, and so on; in addition, a wireless fidelity (Wi-Fi) access point (AP) or the like may also be included.
The AMF network element is responsible for access management and mobility management of the UE. In practice, it includes the mobility management functions of the mobility management entity (MME) in the 4G communication system architecture, with access management functions added.
The AUSF network element provides the authentication server function and is used to terminate the authentication function requested by the SEAF.
The UDM network element is a control plane network element responsible for storing information such as the subscription permanent identifier (SUPI), credentials, security context and subscription data of subscribed users. The information stored in the UDM network element can be used for authentication and authorization when the UE accesses the 5G network. The subscribed users may specifically be users who use the services provided by the 5G network, and a subscribed user's SUPI may be, for example, the number of the chip card of the mobile phone.
The SMF network element is responsible for session management, such as user session establishment.
The UPF network element is a user plane functional network element, mainly responsible for connecting to external networks; it includes the related functions of the serving gateway (S-GW) and the packet data network gateway (PDN gateway, P-GW) in the network architecture of the 4G communication system.
The DN is the network responsible for providing services to the UE; for example, some DNs provide terminal devices with Internet access, while others provide terminal devices with short message service, and so on.
The SEAF network element is used to complete the authentication procedure for the UE. In 5G communication, the function of the SEAF may be merged into the AMF network element.
The ARPF network element provides the authentication credential repository and processing function and is used to store the long-term authentication credentials of the UE, such as the permanent key K. In 5G communication, the function of the ARPF network element may be merged into the UDM network element.
It can be understood that the above network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform). Optionally, the above network element or function may be implemented by one device, jointly by multiple devices, or as a functional module within one device, which is not specifically limited in the embodiments of this application.
In the embodiments of this application, the mobility management network element shown in FIG. 1 may be the AMF network element shown in FIG. 2 or a SEAF network element not shown in FIG. 2; the authentication service network element shown in FIG. 1 may be the AUSF network element shown in FIG. 2; and the data management network element shown in FIG. 1 may be the UDM network element shown in FIG. 2 or an ARPF network element not shown in FIG. 2, and so on.
For ease of description, the communication method of the embodiments of this application is described in detail by taking the network architecture of the 5G communication system shown in FIG. 1 as an example.
For example, FIG. 3 is a schematic flowchart of a communication method according to an embodiment of this application, which specifically includes the following steps.
301. The UE sends an access request to the AMF network element; the access request includes a first user identifier, where the first user identifier is obtained by encrypting the SUPI and the SUPI is the identity of the UE.
In some embodiments, the first user identifier may be a subscription concealed identifier (SUCI), or a user identifier different from the SUCI that is obtained by encrypting the SUPI; this is not limited.
302. In response to the access request, the AMF network element sends a first user authentication request to the AUSF network element, where the first user authentication request includes the first user identifier.
In some embodiments, the first user authentication request further includes first indication information, which is used to indicate that the AMF network element supports user identity anonymization, so as to notify the UDM network element that user identity anonymization is supported; this helps simplify the implementation. In addition, the AMF network element may notify the UDM network element that it supports user identity anonymization in other ways; for example, the AMF network element may carry the first indication information in a custom message sent to the AUSF network element, and the AUSF network element notifies the UDM network element. The AMF network element may send the custom message carrying the first indication information before or after sending the first user authentication request, or may send the first user authentication request and the custom message carrying the first indication information at the same time; this is not limited.
303. In response to the first user authentication request, the AUSF network element sends a second user authentication request to the UDM network element, where the second user authentication request includes the first user identifier.
In some embodiments, the second user authentication request further includes the first indication information. For example, when the first user authentication request also includes the first indication information, the second user authentication request that the AUSF network element sends to the UDM network element may also include the first indication information, to indicate to the UDM network element that the AMF network element supports user identity anonymization. Alternatively, after receiving another message that includes the first indication information, the AUSF network element may also include the first indication information in the second user authentication request sent to the UDM network element in response to the first user authentication request. For the implementation of the first indication information, refer to the related description above, which is not repeated here.
304. In response to the second user authentication request, the UDM network element returns a second user authentication response to the AUSF network element; the second user authentication response includes the second user identifier, which is the anonymized identity of the UE.
The second user identifier differs from the SUPI. It may be the same as or different from the first user identifier; this is not limited.
Specifically, the second user identifier may be obtained by the UDM network element or by the first network element.
In some embodiments, in response to the second user authentication request, the UDM derives the second user identifier from the first user identifier and then returns the second user authentication response to the AUSF. For example, the UDM may decrypt the first user identifier to obtain the SUPI and then derive the second user identifier from the SUPI: it may look the second user identifier up in a pre-configured correspondence between SUPIs and anonymized user identifiers (a correspondence that may be predefined by a protocol or pre-configured in the UDM by other means); or it may compute the second user identifier from the SUPI with a first algorithm that is predefined by a protocol or pre-configured by other means, for instance second user identifier = f1(SUPI), and then record the correspondence between the SUPI and the second user identifier. As a further example, the second user identifier may be computed directly from the first user identifier with a preset algorithm, for instance second user identifier = f0(first user identifier).
In other embodiments, in response to the second user authentication request, the UDM sends an anonymized user identifier acquisition request containing the first user identifier to the first network element. The first network element returns the second user identifier to the UDM in response, for example in an anonymized user identifier acquisition response that includes the second user identifier, and the UDM, having received it, returns the second user authentication response to the AUSF.
The first network element obtains the second user identifier in the same ways as described for the UDM above; this is not repeated here.
In still other embodiments, in response to the second user authentication request, the UDM decrypts the first user identifier to obtain the SUPI and sends the first network element an anonymized user identifier acquisition request that includes the SUPI. The first network element returns the second user identifier to the UDM in response, and the UDM then returns the second user authentication response to the AUSF. The first network element derives the second user identifier from the SUPI in the same ways as described for the UDM above; this is not repeated here.
In some embodiments, the second user authentication response further includes second indication information, which indicates that the UDM network element supports user identity anonymization, so that the AMF is informed that the UDM supports it.
305. In response to the second user authentication response, the AUSF network element returns a first user authentication response to the AMF network element. For example, the first user authentication response includes the second user identifier.
In some embodiments, when the second user authentication response that the AUSF is responding to includes the second indication information, the first user authentication response returned to the AMF may also include the second indication information.
306. In response to the first user authentication response, the AMF network element sends a third user authentication request to the UE. For example, the third user authentication request is used to have the UE verify the network; for instance, it carries network-related information obtained from the UDM network element.
307. In response to the third user authentication request, the UE returns a third user authentication response to the AMF network element. For example, the UE returns the third user authentication response after it has verified the network. If the verification of the network fails, the UE may return no user authentication response, or it may return a network verification failure response to the AMF.
For example, the third user authentication response may include information used to verify the UE, such as RES or RES*.
308. In response to the third user authentication response, the AMF network element sends a fourth user authentication request to the AUSF network element. For example, the fourth user authentication request is used to initiate verification of the UE.
309. In response to the fourth user authentication request, the AUSF network element returns a fourth user authentication response to the AMF network element. For example, the fourth user authentication response includes the second user identifier. The AUSF returns the fourth user authentication response after it has verified the UE; if the verification of the UE fails, it may send no user authentication response, or it may return a UE verification failure response to the AMF.
Note that when the first user authentication response includes the second user identifier, the fourth user authentication response need not include it; when the fourth user authentication response includes the second user identifier, the first user authentication response need not include it; or both responses may include the second user identifier.
Further, in other embodiments, in response to the fourth user authentication request, the AUSF network element sends a key acquisition request including the second user identifier to the first network element. In response, the first network element returns the key K_AMF to the AUSF, and the AUSF, having received K_AMF, returns the fourth user authentication response to the AMF; for example, the fourth user authentication response further includes K_AMF, so that the AMF obtains the key. For example, the first network element may use the second user identifier to look up the corresponding SUPI in the pre-configured correspondence between SUPIs and anonymized user identifiers and then derive K_AMF from the SUPI. In some embodiments, the first network element derives K_AMF from the SUPI and a first parameter. The first parameter may be the ABBA parameter, sent by the AMF to the first network element through the AUSF: for example, the AMF carries the first parameter in the fourth user authentication request to the AUSF, and the AUSF carries it in the key acquisition request to the first network element.
For example, K_AMF may be derived from the SUPI in the existing way of deriving K_AMF.
Alternatively, in response to the fourth user authentication request, the AUSF sends a key acquisition request including the second user identifier to the UDM network element. In response, the UDM returns K_AMF to the AUSF, and the AUSF, having received K_AMF, returns the fourth user authentication response to the AMF; for example, the fourth user authentication response further includes K_AMF, so that the AMF obtains the key.
The UDM generates K_AMF in the same way as described for the first network element; this is not repeated here.
Alternatively, after receiving the fourth user authentication response, the AMF derives K_AMF from the second user identifier with a second algorithm.
Note that in the above embodiments the user authentication requests between the AMF and the AUSF, such as the first and fourth user authentication requests, may also be called Nausf_UEAuthentication_Authenticate Request, and the user authentication responses between the AMF and the AUSF, such as the first and fourth user authentication responses, Nausf_UEAuthentication_Authenticate Response. The user authentication request between the AUSF and the UDM, such as the second user authentication request, may also be called Nudm_UEAuthentication_Get Request, and the corresponding response, such as the second user authentication response, Nudm_UEAuthentication_Get Response. The user authentication request between the AMF and the UE, such as the third user authentication request, may also be called Authentication-Request, and the user authentication response between the UE and the AMF, such as the third user authentication response, Authentication-Response. The embodiments of this application do not limit the names of the user authentication requests and responses.
It should be understood that in the communication method shown in FIG. 3 the steps performed by the AMF network element may instead be performed by the SEAF network element, and/or the steps performed by the UDM network element may be performed by the ARPF network element.
Taking the case in which the second user identifier and the key K_AMF are obtained by the first network element as an example, the communication method of an embodiment of this application may be as shown in FIG. 4 and includes the following steps.
401. The UE sends an access request to the AMF network element; the access request includes the SUCI.
402. On receiving the access request, the AMF sends Nausf_UEAuthentication_Authenticate Request1 to the AUSF network element; it includes the SUCI and indication information 1, which indicates that the AMF supports user identity anonymization.
403. On receiving Nausf_UEAuthentication_Authenticate Request1, the AUSF sends Nudm_UEAuthentication_Get Request to the UDM network element; it includes the SUCI and indication information 1.
404. On receiving Nudm_UEAuthentication_Get Request, the UDM, if it supports user identity anonymization, sends an anonymized user identifier acquisition request including the SUCI to the first network element.
405. On receiving the anonymized user identifier acquisition request, the first network element decrypts the SUCI to obtain the SUPI, looks up the SUPI* corresponding to that SUPI in the pre-configured correspondence between SUPI and SUPI*, and returns an anonymized user identifier acquisition response including that SUPI* to the UDM.
406. On receiving the anonymized user identifier acquisition response, the UDM uses the SUPI* to determine the UE's subscription data from the pre-configured correspondence between SUPI* and subscription data, derives XRES* from the subscription data, and returns Nudm_UEAuthentication_Get Response to the AUSF; it includes indication information 2, the SUPI* and the XRES*. Indication information 2 indicates that the UDM supports user identity anonymization.
407. On receiving Nudm_UEAuthentication_Get Response, the AUSF returns Nausf_UEAuthentication_Authenticate Response1 to the AMF; it includes indication information 2 and the XRES*.
408. On receiving Nausf_UEAuthentication_Authenticate Response1, the AMF sends an Authentication-Request to the UE.
409. On receiving the Authentication-Request, the UE generates RES* and returns an Authentication-Response including RES* to the AMF.
410. On receiving the Authentication-Response, the AMF determines that RES* equals XRES* and sends Nausf_UEAuthentication_Authenticate Request2, which includes RES*, to the AUSF.
411. On receiving Nausf_UEAuthentication_Authenticate Request2, the AUSF generates a first HXRES* from RES*, determines that the first HXRES* equals the second HXRES*, and sends a key acquisition request to the first network element; it includes the SUPI* and the ABBA parameter. For example, the key acquisition request may further include Kseaf and the like.
For example, the ABBA parameter may be sent by the AMF to the AUSF, carried in Nausf_UEAuthentication_Authenticate Request2; that is, Nausf_UEAuthentication_Authenticate Request2 also includes the ABBA parameter.
412. On receiving the key acquisition request, the first network element uses the SUPI* to determine the UE's SUPI from the pre-configured correspondence between SUPI* and SUPI, derives the key K_AMF from the SUPI and the ABBA parameter with a preset algorithm, and returns a key acquisition response including the SUPI* and K_AMF to the AUSF.
413. On receiving the key acquisition response, the AUSF returns Nausf_UEAuthentication_Authenticate Response2 to the AMF; it includes the SUPI* and K_AMF.
Since the UE also derives K_AMF from the SUPI and the ABBA parameter with the preset algorithm, the embodiments of this application can secure the communication between the AMF and the UE with K_AMF.
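The flow of steps 401 to 413, together with the K_AMF retrieval by second user identifier described for steps 308 and 309 above, as an added Python example that is not the patent's own code or any 3GPP implementation. It models the UE, the AMF, the AUSF, the UDM and the first network element in one process, records every inter-element message, and checks the two properties the text claims: the AMF ends up with the same K_AMF as the UE, and the SUPI itself never appears in any message. Assumptions, marked in the code: the SUPI format, a pre-configured SUPI/SUPI* table at the first network element, toy HMAC stand-ins for ECIES and Milenage, and the K_AMF input layout of TS 33.501 Annex A.7 (FC 0x6D, P0 = SUPI, P1 = ABBA) over the TS 33.220 Annex B KDF. Two points follow the specification rather than the patent text: in TS 33.501 the AUSF hands the SEAF/AMF HXRES* rather than XRES*, and the AMF compares HRES* against HXRES* while the AUSF compares RES* against XRES*.

```python
"""Figure 4 of the patent as a runnable message-level simulation (added example,
not code from the patent or from a 3GPP implementation). Toy HMAC constructions
stand in for ECIES (SUCI) and Milenage (RES*, K_SEAF); only K_AMF follows a real
layout, TS 33.501 Annex A.7: KDF(K_SEAF, FC 0x6D, P0 = SUPI, P1 = ABBA) with the
TS 33.220 Annex B KDF, HMAC-SHA-256 over FC || P0 || L0 || P1 || L1."""
import hashlib
import hmac
import secrets


def send(log, src, dst, name, **payload):
    """Record one inter-element message; the return value is what the receiver sees."""
    log.append((src, dst, name, payload))
    return payload


def kdf(key, fc, *params):
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def k_amf_from_supi(k_seaf, supi, abba):
    """K_AMF = KDF(K_SEAF, 0x6D, SUPI, ABBA): the one step that needs the real SUPI."""
    return kdf(k_seaf, 0x6D, supi.encode(), abba)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class UE:
    def __init__(self, supi, k, home_key):
        self.supi, self.k, self.home_key = supi, k, home_key

    def conceal(self):
        """Toy SUCI: MSIN XORed with an HMAC(home_key, nonce) keystream (real: ECIES)."""
        prefix, msin = self.supi[5:10], self.supi[10:].encode()
        nonce = secrets.token_bytes(8)
        ks = hmac.new(self.home_key, nonce, hashlib.sha256).digest()
        return f"suci-{prefix}-{nonce.hex()}-{xor(msin, ks).hex()}"

    def answer(self, rand, abba):
        k_seaf = hmac.new(self.k, b"seaf" + rand, hashlib.sha256).digest()  # toy K_SEAF
        self.k_amf = k_amf_from_supi(k_seaf, self.supi, abba)  # the UE knows its own SUPI
        return hmac.new(self.k, b"res" + rand, hashlib.sha256).digest()  # toy RES*


class FirstNE:
    """Steps 405/412: de-concealment key plus the pre-configured SUPI <-> SUPI* table.
    Besides the UE, the only element that ever handles the SUPI."""

    def __init__(self, home_key, supi_to_star):
        self.home_key, self.to_star = home_key, supi_to_star
        self.to_supi = {v: k for k, v in supi_to_star.items()}

    def anonymized_id(self, suci):
        _, prefix, nonce, ct = suci.split("-")
        ks = hmac.new(self.home_key, bytes.fromhex(nonce), hashlib.sha256).digest()
        return self.to_star["imsi-" + prefix + xor(bytes.fromhex(ct), ks).decode()]

    def k_amf(self, supi_star, abba, k_seaf):
        return k_amf_from_supi(k_seaf, self.to_supi[supi_star], abba)


def run_figure4(ue, ne1, subs, abba):
    """subs: UDM subscription data indexed by SUPI* (here only the long-term key K)."""
    log = []  # list of (sender, receiver, message name, payload)
    # 401-403: SUCI and indication 1 travel UE -> AMF -> AUSF -> UDM.
    m = send(log, "UE", "AMF", "AccessRequest", suci=ue.conceal())
    m = send(log, "AMF", "AUSF", "Nausf_UEAuthentication_Authenticate Request1", suci=m["suci"], ind1=True)
    m = send(log, "AUSF", "UDM", "Nudm_UEAuthentication_Get Request", **m)
    # 404-405: the UDM obtains SUPI* from the first network element.
    r = send(log, "UDM", "NE1", "AnonymizedIdGetRequest", suci=m["suci"])
    r = send(log, "NE1", "UDM", "AnonymizedIdGetResponse", supi_star=ne1.anonymized_id(r["suci"]))
    # 406-407: the UDM indexes subscription data by SUPI* and builds the vector (toy).
    k, rand = subs[r["supi_star"]], secrets.token_bytes(16)
    xres_star = hmac.new(k, b"res" + rand, hashlib.sha256).digest()
    k_seaf = hmac.new(k, b"seaf" + rand, hashlib.sha256).digest()
    ausf = send(log, "UDM", "AUSF", "Nudm_UEAuthentication_Get Response", ind2=True,
                supi_star=r["supi_star"], rand=rand, xres_star=xres_star, k_seaf=k_seaf)
    # TS 33.501 hands the SEAF/AMF HXRES* (toy: SHA-256(RAND || XRES*)), not XRES*.
    amf = send(log, "AUSF", "AMF", "Nausf_UEAuthentication_Authenticate Response1",
               ind2=True, rand=rand, hxres_star=hashlib.sha256(rand + xres_star).digest()[:16])
    # 408-410: the UE answers; the AMF checks HRES* against HXRES*.
    m = send(log, "AMF", "UE", "Authentication-Request", rand=amf["rand"], abba=abba)
    m = send(log, "UE", "AMF", "Authentication-Response", res_star=ue.answer(m["rand"], m["abba"]))
    if hashlib.sha256(amf["rand"] + m["res_star"]).digest()[:16] != amf["hxres_star"]:
        raise PermissionError("UE authentication failed at the AMF")
    m = send(log, "AMF", "AUSF", "Nausf_UEAuthentication_Authenticate Request2", res_star=m["res_star"], abba=abba)
    # 411-413: the AUSF checks RES*, fetches K_AMF by SUPI* and returns it with SUPI*.
    if not hmac.compare_digest(m["res_star"], ausf["xres_star"]):
        raise PermissionError("UE authentication failed at the AUSF")
    r = send(log, "AUSF", "NE1", "KeyGetRequest", supi_star=ausf["supi_star"], abba=m["abba"], k_seaf=ausf["k_seaf"])
    r = send(log, "NE1", "AUSF", "KeyGetResponse", supi_star=r["supi_star"],
             k_amf=ne1.k_amf(r["supi_star"], r["abba"], r["k_seaf"]))
    m = send(log, "AUSF", "AMF", "Nausf_UEAuthentication_Authenticate Response2", **r)
    return {"amf_supi_star": m["supi_star"], "amf_k_amf": m["k_amf"], "ue_k_amf": ue.k_amf, "log": log}


def supi_on_the_wire(log, supi):
    """True if the subscriber part (MSIN) of the SUPI appears in any message payload."""
    msin = supi[10:]
    return any(isinstance(v, str) and msin in v for *_, p in log for v in p.values())
```

Running `run_figure4` with a constructed subscriber and then `supi_on_the_wire` over the returned log shows that only the SUCI (fresh per run) and the SUPI* ever cross an interface; the SUPI is used inside the UE and inside the first network element and nowhere else. One caveat for the FIG. 5 variant below, where the AMF derives K_AMF from SUPI* and the UE from SUPI: the two derivations can only agree if the UE computes the same SUPI*, which is why the ABBA parameter enters the first algorithm in step 504. If that first algorithm is unkeyed and public, the roughly 10^10 MSINs of one operator can be enumerated offline to invert any SUPI*, so in practice the first algorithm should be keyed with material the UE and the home network share, or the table-based mapping of FIG. 4 should be used.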
Note that the second user identifier and/or the key K_AMF may also be obtained by the UDM network element. For example, when the second user identifier is obtained by the UDM, steps 404 to 406 may be replaced by: 404A. On receiving Nudm_UEAuthentication_Get Request, the UDM, if it supports user identity anonymization, decrypts the SUCI to obtain the SUPI, looks up the SUPI* corresponding to that SUPI in the pre-configured correspondence between SUPI and SUPI*, determines the UE's subscription data from the pre-configured correspondence between SUPI and subscription data, derives XRES* from the subscription data, and returns Nudm_UEAuthentication_Get Response, including indication information 2, the SUPI* and the XRES*, to the AUSF.
As another example, when the key K_AMF is obtained by the UDM, the first network element in steps 411 and 412 may be replaced by the UDM.
As another example, when both the second user identifier and the key K_AMF are obtained by the UDM, steps 404 to 406 are replaced by: 404B. On receiving Nudm_UEAuthentication_Get Request, the UDM, if it supports user identity anonymization, decrypts the SUCI to obtain the SUPI; looks up the SUPI* corresponding to that SUPI in the pre-configured correspondence between SUPI and SUPI*; determines the UE's subscription data from the pre-configured correspondence between SUPI and subscription data and derives XRES* from it; derives the key K_AMF from the SUPI with a preset algorithm; and returns Nudm_UEAuthentication_Get Response, including indication information 2, the SUPI*, the XRES* and K_AMF, to the AUSF. Steps 411 to 413 may then be replaced by: 411A. On receiving Nausf_UEAuthentication_Authenticate Request2, the AUSF generates a first HXRES* from RES*, determines that the first HXRES* equals the second HXRES*, and returns Nausf_UEAuthentication_Authenticate Response2, including the SUPI* and K_AMF, to the AMF.
Taking the case in which the second user identifier and the key K_AMF are obtained by the UDM network element as an example, the communication method of an embodiment of this application may be as shown in FIG. 5 and includes the following steps.
501. The UE sends an access request to the AMF network element; the access request includes the SUCI.
502. On receiving the access request, the AMF sends Nausf_UEAuthentication_Authenticate Request1 to the AUSF network element; it includes the SUCI and indication information 1. Indication information 1 carries the ABBA parameter and indicates that the AMF supports user identity anonymization.
503. On receiving Nausf_UEAuthentication_Authenticate Request1, the AUSF sends Nudm_UEAuthentication_Get Request to the UDM network element; it includes the SUCI and indication information 1.
504. On receiving Nudm_UEAuthentication_Get Request, the UDM, if it supports user identity anonymization, decrypts the SUCI to obtain the SUPI, derives SUPI* from the SUPI and the ABBA parameter with the first algorithm and records the correspondence between the SUPI and the SUPI*, looks up the UE's subscription data in the pre-configured correspondence between SUPI and subscription data, generates XRES* from that subscription data, and returns Nudm_UEAuthentication_Get Response to the AUSF; it includes indication information 2, the SUPI* and the XRES*. Indication information 2 indicates that the UDM supports user identity anonymization.
505. On receiving Nudm_UEAuthentication_Get Response, the AUSF returns Nausf_UEAuthentication_Authenticate Response1 to the AMF; it includes indication information 2 and the XRES*.
506. On receiving Nausf_UEAuthentication_Authenticate Response1, the AMF sends an Authentication-Request to the UE.
507. On receiving the Authentication-Request, the UE generates RES* and returns an Authentication-Response including RES* to the AMF.
508. On receiving the Authentication-Response, the AMF determines that RES* equals XRES* and sends Nausf_UEAuthentication_Authenticate Request2, which includes RES*, to the AUSF.
509. On receiving Nausf_UEAuthentication_Authenticate Request2, the AUSF generates a first HXRES* from RES*, determines that the first HXRES* equals the second HXRES*, and returns Nausf_UEAuthentication_Authenticate Response2 to the AMF; it includes the SUPI*.
510. On receiving Nausf_UEAuthentication_Authenticate Response2, the AMF derives the key K_AMF from the SUPI* and the ABBA parameter with the second algorithm.
The K_AMF that the AMF derives from the SUPI* and the ABBA parameter with the second algorithm is the same as the K_AMF that the UE derives from the SUPI and the ABBA parameter, which allows the communication between the AMF and the UE to be secured with K_AMF.
Note that the communication methods shown in FIG. 4 and FIG. 5 are only illustrative and do not limit this application.
Because the second user identifier is obtained during the user authentication procedure, the network elements of the core network can identify the UE by the second user identifier when they communicate with each other.
As an example, FIG. 6 is a schematic flow chart of a method of identifying the UE by the second user identifier in a session connection establishment scenario; it includes the following steps.
601. The AMF network element sends a session connection establishment request to the SMF network element; the request includes the second user identifier.
602. On receiving the session connection establishment request, the SMF addresses the corresponding UDM network element according to the second user identifier and sends that UDM a subscription data query request that includes the second user identifier.
603. On receiving the subscription data query request, the UDM queries the UE's subscription data according to the second user identifier.
For example, the UDM may look up the UE's subscription data in a pre-configured correspondence between anonymized user identifiers and subscription data, using the second user identifier. Alternatively, the UDM may decrypt the second user identifier to obtain the SUPI and look up the UE's subscription data in the pre-configured correspondence between SUPI and subscription data.
Because the AMF, the SMF and the UDM identify the UE by the second user identifier when querying subscription data during session connection establishment, the risk of a privacy leak during the communication is greatly reduced.
As an example, FIG. 7 is a schematic flowchart of a method for identifying a UE by the second user identifier in a registration status query scenario. The method includes the following steps.
701. The AMF network element addresses the corresponding UDM network element according to the second user identifier and sends a registration status query request to that UDM network element, where the registration status query request includes the second user identifier.
702. The UDM network element receives the registration status query request and records the registration status of the UE identified by the second user identifier.
For example, the registration status of the UE includes statuses such as deregistered and registered.
It should be noted that the second user identifier may also be used to identify the UE in communication between core network elements in other scenarios, for example between the AMF network element and the PCF network element, or between the SMF network element and the PCF network element.
In some embodiments, the AMF network element may also record the correspondence between the globally unique temporary UE identity (GUTI) and the second user identifier, so that the AMF network element can look up the second user identifier when it receives a GUTI.
In addition, in some embodiments, the parameter used by the UE to calculate the key KAMF may be changed. Taking the case in which the parameter used by the UE to calculate KAMF is the second user identifier as an example, another communication method provided by an embodiment of this application is shown in FIG. 8 and includes the following steps.
801. The UE sends an access request to the AMF network element; the access request includes the first user identifier. The first user identifier is obtained by encrypting the SUPI, and the SUPI is the identity of the UE.
For example, the first user identifier is a SUCI.
In some embodiments, the access request further includes first indication information, which indicates that the UE supports user identity anonymization.
802. In response to the access request, the AMF network element sends a first user authentication request to the AUSF network element; the first user authentication request includes the first user identifier.
For example, when the access request includes the first indication information, the first user authentication request may also include the first indication information.
803. In response to the first user authentication request, the AUSF network element sends a second user authentication request to the UDM network element, where the second user authentication request includes the first user identifier.
For example, when the first user authentication request includes the first indication information, the second user authentication request may also include the first indication information.
804. In response to the second user authentication request, the UDM network element returns a second user authentication response to the AUSF network element. The second user authentication response includes the second user identifier; the second user identifier is the anonymized identity of the UE. For example, the second user identifier may be SUPI*.
Further, in some embodiments, the second user authentication response may also include second indication information, which indicates that the UDM network element supports user identity anonymization.
The second user identifier may be obtained by the UDM network element or by the first network element; for the specific implementation, refer to the related description above, which is not repeated here.
805. In response to the second user authentication response, the AUSF network element returns a first user authentication response to the AMF network element. For example, the first user authentication response includes the second indication information. Alternatively, the first user authentication response may also include the second user identifier.
806. In response to the first user authentication response, the AMF network element sends a third user authentication request to the UE. For example, the third user authentication request further includes the second indication information. For example, the third user authentication request is used to initiate authentication of the network by the UE.
807. In response to the third user authentication request, the UE obtains the second user identifier from the SUPI, generates the key KAMF from the second user identifier, and returns a third user authentication response to the AMF network element.
It should be noted that for the specific implementation of obtaining the second user identifier from the SUPI and generating the key KAMF from the second user identifier, refer to the related description in the foregoing embodiments.
808. In response to the third user authentication response, the AMF network element sends a fourth user authentication request to the AUSF network element. For example, the fourth user authentication request may be used to initiate authentication of the UE.
809. In response to the fourth user authentication request, the AUSF network element returns a fourth user authentication response to the AMF network element, where the fourth user authentication response includes the second user identifier.
810. In response to the fourth user authentication response, the AMF network element generates the key KAMF from the second user identifier. The key KAMF generated by the AMF network element is thus the same as the key KAMF generated by the UE, which helps to implement secure communication.
In some embodiments, when the first user authentication response includes the second user identifier, the AMF network element may generate the key KAMF from the second user identifier in response to the first user authentication response, and then does not need to generate KAMF again from the second user identifier after receiving the fourth user authentication response.
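The following is an added example, not code from the patent, of what steps 807 and 810 require: the UE and the AMF must feed the same identifier (the second user identifier, SUPI*) into the KAMF derivation, otherwise the two sides end up with different keys. It assumes a 3GPP-style key derivation function (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1) with the anchor key K_SEAF as input key and the FC value 0x6D as used for KAMF in TS 33.501 Annex A.7; the FC value, the key, the SUPI, the SUPI* and the ABBA value are all constructed or assumed for the example. How SUPI* is obtained from the SUPI is out of scope here, as the patent refers to its earlier embodiments for that.

```python
import hashlib
import hmac

# Constructed sample inputs (none of these values come from the patent).
K_SEAF = bytes.fromhex("0123456789abcdef" * 4)   # 256-bit anchor key, constructed
SUPI = "imsi-460001234567890"                    # subscriber identity, constructed
SUPI_STAR = "supi-star-1f9c0b7a3e5d"             # anonymized identifier SUPI*, constructed
ABBA = bytes.fromhex("0000")                     # ABBA parameter, constructed value

# FC value for the KAMF derivation; assumed here (TS 33.501 Annex A.7 as remembered).
FC_KAMF = 0x6D


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    where each Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kamf(k_seaf: bytes, user_identifier: str, abba: bytes) -> bytes:
    """KAMF with the user identifier as P0 and ABBA as P1.
    In the patent's FIG. 8 flow the identifier is SUPI* instead of the SUPI."""
    return kdf(k_seaf, FC_KAMF, user_identifier.encode("utf-8"), abba)


def ue_side(k_seaf: bytes, supi_star: str, abba: bytes) -> bytes:
    """Step 807: the UE derives KAMF from the second user identifier it computed itself."""
    return derive_kamf(k_seaf, supi_star, abba)


def amf_side(k_seaf: bytes, fourth_auth_response: dict, abba: bytes) -> bytes:
    """Step 810: the AMF derives KAMF from the second user identifier carried in the
    fourth user authentication response (field name is this example's assumption)."""
    return derive_kamf(k_seaf, fourth_auth_response["second_user_identifier"], abba)


def keys_match(a: bytes, b: bytes) -> bool:
    # Constant-time comparison, as for any key or MAC check.
    return hmac.compare_digest(a, b)


def demo() -> tuple:
    """Returns (UE and AMF agree on KAMF, new KAMF equals a SUPI-based KAMF)."""
    k_ue = ue_side(K_SEAF, SUPI_STAR, ABBA)
    response = {"second_user_identifier": SUPI_STAR}   # constructed message content
    k_amf = amf_side(K_SEAF, response, ABBA)
    k_legacy = derive_kamf(K_SEAF, SUPI, ABBA)          # what an AMF still using the SUPI would get
    return keys_match(k_ue, k_amf), keys_match(k_ue, k_legacy)


if __name__ == "__main__":
    print(demo())
```

The second element of the tuple returned by demo() is False, which is the practical point of step 810: an AMF that has not been updated to use SUPI* (or that received a different SUPI* than the UE computed) cannot establish NAS security with the UE, so a mismatch at this step shows up as an authentication or security-mode failure rather than silently as a weaker key.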
As an example, FIG. 9 shows yet another communication method provided by an embodiment of this application, which includes the following steps.
901. A first user identifier conversion module configured on network element 1 receives a first service request from network element 2, where the first service request includes user identifier 1, and user identifier 1 is the identity of terminal device A. For example, user identifier 1 may be a SUPI, a SUCI or a temporary user identity.
902. The first user identifier conversion module replaces user identifier 1 in the first service request with user identifier 2, where user identifier 2 is the anonymized identity of terminal device A. For example, user identifier 2 may be the second user identifier in the foregoing embodiments.
For example, the first user identifier conversion module may replace user identifier 1 in the first service request with the corresponding user identifier 2 according to a preset correspondence between user identifier 1 and user identifier 2. For another example, the first user identifier conversion module may apply a first algorithm to user identifier 1 in the first service request to obtain user identifier 2, and replace user identifier 1 in the first service request with the obtained user identifier 2.
903. The first user identifier conversion module sends the first service request, in which user identifier 1 has been replaced with user identifier 2, to network element 1.
904. In response to the first service request, network element 1 sends a first service response to a second user identifier conversion module configured on network element 1, where the first service response includes user identifier 2, and user identifier 2 is the anonymized identity of terminal device A.
905. The second user identifier conversion module replaces user identifier 2 in the first service response with user identifier 1, where user identifier 1 is the identity of terminal device A.
Replacing user identifier 2 in the first service response with user identifier 1 by the second user identifier conversion module can be regarded as the inverse of replacing user identifier 1 in a message with user identifier 2. For example, if the first user identifier conversion module replaces user identifier 1 in the first service request with the corresponding user identifier 2 according to a preset correspondence between user identifier 1 and user identifier 2, the second user identifier conversion module may likewise replace user identifier 2 in the first service response with the corresponding user identifier 1 according to that preset correspondence. For another example, the first user identifier conversion module may apply a first algorithm with key 1 to user identifier 1 in the first service request to obtain user identifier 2, and replace user identifier 1 in the first service request with the obtained user identifier 2; the second user identifier conversion module may then apply a second algorithm with key 2 to user identifier 2 in the first service response to obtain user identifier 1, and replace user identifier 2 in the first service response with the obtained user identifier 1. The second algorithm may be the inverse of the first algorithm. It should be noted that key 1 and key 2 may be the same or different. In addition, the first algorithm and key 1 may be preconfigured in the first user identifier conversion module, or obtained by the first user identifier conversion module from another network element (for example, the UDM network element or the first network element), which is not limited here. Likewise, the second algorithm and key 2 may be preconfigured in the second user identifier conversion module, or obtained by the second user identifier conversion module from another network element (for example, the UDM network element or the first network element), which is not limited here.
In addition, it should be noted that the foregoing is only an exemplary description of specific methods for converting between user identifier 1 and user identifier 2; the embodiments of this application do not limit the manner of that conversion.
906. The second user identifier conversion module returns the first service response, in which user identifier 2 has been replaced with user identifier 1, to network element 2.
It should be noted that network element 1 may be a core network element such as an AMF, AUSF or SMF network element, which is not limited here. Network element 2 may be a terminal device or a core network element such as an AMF, AUSF or SMF network element.
It should be noted that the first and second user identifier conversion modules may be two independent modules, each configured on network element 1, or a single module configured on network element 1; for example, the first and second user identifier conversion modules may be detachable from network element 1. It should also be noted that the manufacturer of the first and second user identifier conversion modules may differ from the manufacturer of network element 1.
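The following is an added example, not code from the patent, that implements both conversion options the patent describes for steps 902 and 905 (a preset correspondence table, and a first algorithm with key 1 whose inverse is the second algorithm with key 2) and reuses the keyed option for the second variant of step 603, where the UDM recovers the SUPI from the second user identifier before looking up subscription data. The keyed algorithm is this example's choice: a 4-round Feistel network with HMAC-SHA-256 as round function, which is deterministic and invertible with key 1 equal to key 2. The "supi-star-" prefix, the message field names, the conversion key and the subscription table are all constructed for the example.

```python
import hashlib
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class MappingConverter:
    """Option 1: preset correspondence between user identifier 1 and user
    identifier 2, consulted in both directions."""

    def __init__(self, table: dict):
        self.forward = dict(table)
        self.backward = {v: k for k, v in table.items()}

    def to_anon(self, supi: str) -> str:
        return self.forward[supi]

    def to_real(self, anon: str) -> str:
        return self.backward[anon]


class KeyedConverter:
    """Option 2: 'first algorithm + key 1' is a Feistel network keyed with
    HMAC-SHA-256; 'second algorithm' is its inverse with the same key.
    The construction is this example's choice, not the patent's."""

    PREFIX = "supi-star-"  # hypothetical textual form of user identifier 2

    def __init__(self, key: bytes, rounds: int = 4):
        self.key = key
        self.rounds = rounds

    def _round(self, i: int, half: bytes, size: int) -> bytes:
        return hmac.new(self.key, bytes([i]) + half, hashlib.sha256).digest()[:size]

    def to_anon(self, supi: str) -> str:
        raw = supi.encode("utf-8")
        if not 1 <= len(raw) <= 63:
            raise ValueError("identifier length out of range")
        block = bytes([len(raw)]) + raw       # length byte lets the inverse strip padding
        if len(block) % 2:
            block += b"\x00"
        n = len(block) // 2
        left, right = block[:n], block[n:]
        for i in range(self.rounds):          # (L, R) -> (R, L xor F_i(R))
            left, right = right, _xor(left, self._round(i, right, n))
        return self.PREFIX + (left + right).hex()

    def to_real(self, anon: str) -> str:
        if not anon.startswith(self.PREFIX):
            raise ValueError("not an anonymized identifier")
        block = bytes.fromhex(anon[len(self.PREFIX):])
        n = len(block) // 2
        left, right = block[:n], block[n:]
        for i in reversed(range(self.rounds)):  # (L, R) -> (R xor F_i(L), L)
            left, right = _xor(right, self._round(i, left, n)), left
        block = left + right
        return block[1:1 + block[0]].decode("utf-8")


def first_conversion_module(request: dict, conv) -> dict:
    """Step 902: replace user identifier 1 with user identifier 2 before NE 1 sees the request."""
    out = dict(request)
    out["user_id"] = conv.to_anon(request["user_id"])
    return out


def second_conversion_module(response: dict, conv) -> dict:
    """Step 905: restore user identifier 1 before the response leaves for NE 2."""
    out = dict(response)
    out["user_id"] = conv.to_real(response["user_id"])
    return out


def udm_lookup_subscription(anon_id: str, conv, subscriptions: dict) -> dict:
    """Step 603, second variant: recover the SUPI from user identifier 2, then
    look the UE up in a SUPI-keyed subscription table."""
    return subscriptions[conv.to_real(anon_id)]


# Constructed sample data (not from the patent).
CONVERSION_KEY = b"constructed-conversion-key-0001"
SUPI_A = "imsi-460001234567890"
SUBSCRIPTIONS = {SUPI_A: {"slices": ["eMBB"], "dnn": "internet"}}


def run_flow(conv) -> dict:
    """Steps 901-906; NE 1 only ever sees user identifier 2."""
    request_from_ne2 = {"service": "pdu-session-establish", "user_id": SUPI_A}
    request_to_ne1 = first_conversion_module(request_from_ne2, conv)        # 902/903
    # NE 1 answers with the identifier it received (904).
    response_from_ne1 = {"service": "pdu-session-establish",
                         "user_id": request_to_ne1["user_id"], "result": "accepted"}
    response_to_ne2 = second_conversion_module(response_from_ne1, conv)     # 905/906
    return {
        "ne1_saw_supi": SUPI_A in request_to_ne1.values(),
        "ne1_user_id": request_to_ne1["user_id"],
        "ne2_user_id": response_to_ne2["user_id"],
        "subscription": udm_lookup_subscription(request_to_ne1["user_id"], conv, SUBSCRIPTIONS),
    }
```

Two properties of the keyed option matter for the privacy goal of step 906 and the note that the modules may come from a different manufacturer than network element 1: the transform is deterministic, so every network element that handles the same UE sees the same user identifier 2 and can correlate its messages, which is what makes session and registration queries by that identifier work; and the key (key 1 / key 2) must stay inside the conversion modules, because any element holding it can run to_real and recover the SUPI, which is exactly the exposure the scheme is meant to remove. The table option has no key to protect but needs the mapping itself to be provisioned and kept consistent on every module.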
With this technical solution, the network element cannot obtain the identity of the terminal device, which helps to improve communication security.
The above embodiments may be used independently or in combination with each other to achieve different technical effects.
The foregoing mainly describes the solutions provided by this application from the perspective of interaction between the network elements. It can be understood that, to implement the above functions, each network element includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that the units and algorithm steps of the examples described with reference to the embodiments disclosed in this application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of this application.
FIG. 10 is a possible schematic block diagram of an apparatus involved in this application. The apparatus 1000 may exist in the form of software or hardware. The apparatus 1000 may include a processing unit 1002 and a communication unit 1001. In one implementation, the communication unit 1001 may include a receiving unit and a sending unit. The processing unit 1002 is configured to control and manage the actions of the apparatus 1000. The communication unit 1001 is configured to support communication between the apparatus 1000 and other network entities.
The processing unit 1002 may be a processor or a controller, for example a general-purpose central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, transistor logic device, hardware component, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described with reference to the disclosure of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication unit 1001 is an interface circuit of the apparatus for receiving signals from other apparatuses. For example, when the apparatus is implemented as a chip, the communication unit 1001 is the interface circuit used by the chip to receive signals from other chips or apparatuses, or the interface circuit used by the chip to send signals to other chips or apparatuses.
The apparatus 1000 may be the mobility management network element, authentication service network element, data management network element or first network element in the foregoing embodiments, or a chip used in such a network element. For example, when the apparatus 1000 is a mobility management network element, authentication service network element, data management network element or first network element, the processing unit 1002 may be a processor and the communication unit 1001 may be a transceiver. Optionally, the transceiver may include a radio frequency circuit, and the storage unit may be, for example, a memory. For example, when the apparatus 1000 is a chip used in a mobility management network element, authentication service network element, data management network element or first network element, the processing unit 1002 may be a processor and the communication unit 1001 may be an input/output interface, a pin, a circuit or the like. The processing unit 1002 may execute computer-executable instructions stored in a storage unit. For example, the storage unit is a storage unit within the chip, such as a register or a cache; the storage unit may also be a storage unit outside the chip within the mobility management network element, authentication service network element, data management network element or first network element, such as a read-only memory (ROM) or another type of static storage device that can store static information and instructions, or a random access memory (RAM).
In an embodiment, the apparatus 1000 is the mobility management network element in the foregoing embodiments. The processing unit 1002 is configured to, when the communication unit 1001 receives an access request sent by a terminal device, respond to the access request by triggering the communication unit 1001 to send a first user authentication request to the authentication service network element. The communication unit 1001 is further configured to receive the first user authentication response returned by the authentication service network element in response to the first user authentication request. The first user authentication response includes the second user identifier; or, in response to the first user authentication response, the processing unit 1002 obtains the second user identifier from the authentication service network element through the communication unit 1001.
In another embodiment, the apparatus 1000 is the authentication service network element in the foregoing embodiments. The processing unit 1002 is configured to, when the communication unit 1001 receives a first user authentication request sent by the mobility management network element, respond to the first user authentication request by sending a second user authentication request to the data management network element. The first user authentication request includes the first user identifier. The communication unit 1001 is further configured to receive a second user authentication response returned by the data management network element in response to the second user authentication request, where the second user authentication response includes the second user identifier. The processing unit 1002 is further configured to return a first user authentication response to the mobility management network element in response to the second user authentication response.
In another embodiment, the apparatus 1000 is the data management network element in the foregoing embodiments. The processing unit 1002 is configured to, when the communication unit 1001 receives a second user authentication request sent by the authentication service network element, respond to the second user authentication request by triggering the communication unit 1001 to return a second user authentication response to the authentication service network element, where the second user authentication response includes the second user identifier.
In another embodiment, the apparatus 1000 is the session management network element in the foregoing embodiments. The processing unit 1002 is configured to, when the communication unit 1001 receives an anonymized user identifier acquisition request sent by the data management network element, respond to that request by triggering the communication unit 1001 to return the second user identifier to the data management network element. The anonymized user identifier acquisition request includes the first user identifier or the SUPI.
It can be understood that, for the specific process by which the apparatus 1000 performs the communication methods of the embodiments of this application and the corresponding beneficial effects, refer to the related description in the foregoing method embodiments, which is not repeated here.
If the apparatus is a mobility management network element, authentication service network element, data management network element or first network element, that network element is presented in the form of functional modules divided in an integrated manner. A "module" here may refer to a specific ASIC, a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the above functions. In a simple embodiment, those skilled in the art can appreciate that the mobility management network element, authentication service network element, data management network element or first network element may take the form shown in FIG. 11.
For example, the processor 1102 in FIG. 11 may invoke program instructions stored in the memory 1101 to cause the mobility management network element, authentication service network element, data management network element or first network element to perform the methods in the foregoing method embodiments.
Specifically, the functions/implementation processes of the communication unit 1001 and the processing unit 1002 in FIG. 10 may be implemented by the processor 1102 in FIG. 11 invoking computer-executable instructions stored in the memory 1101. Alternatively, the functions/implementation process of the processing unit 1002 in FIG. 10 may be implemented by the processor 1102 in FIG. 11 invoking computer-executable instructions stored in the memory 1101, and the functions/implementation process of the communication unit 1001 in FIG. 10 may be implemented by the communication interface 1103 in FIG. 11.
Optionally, when the apparatus 1000 is a chip or a circuit, the functions/implementation process of the communication unit 1001 may also be implemented by pins, circuits or the like.
如图11所示,为本申请提供的又一种装置示意图,该装置可以是上述实施例中的移动管理网元、认证服务网元、数据管理网元或第一网元。该装置1100包括:处理器1102和通信接口1103,可选的,装置1100还可以包括存储器1101。可选的,装置1100还可以包括通信线路1104。其中,通信接口1103、处理器1102以及存储器1101可以通过通信线路1104相互连接;通信线路1104可以是外设部件互连标准(peripheral component interconnect,简称PCI)总线或扩展工业标准结构(extended industry standard architecture,简称EISA)总线等。所述通信线路1104可以分为地址总线、数据总线、控制总线等。为便于表示,图11中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。As shown in FIG. 11, it is a schematic diagram of another apparatus provided in this application. The apparatus may be the mobility management network element, the authentication service network element, the data management network element, or the first network element in the above-mentioned embodiment. The device 1100 includes a processor 1102 and a communication interface 1103. Optionally, the device 1100 may further include a memory 1101. Optionally, the apparatus 1100 may further include a communication line 1104. Among them, the communication interface 1103, the processor 1102, and the memory 1101 may be connected to each other through a communication line 1104; the communication line 1104 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (extended industry standard architecture). , Referred to as EISA) bus and so on. The communication line 1104 can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used to represent in FIG. 11, but it does not mean that there is only one bus or one type of bus.
处理器1102可以是一个CPU,微处理器,ASIC,或一个或多个用于控制本申请方案程序执行的集成电路。The processor 1102 may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits used to control the execution of the program of the present application.
The communication interface 1103 uses any transceiver-type apparatus to communicate with other devices or communication networks, such as an Ethernet, a radio access network (RAN), a wireless local area network (WLAN), or a wired access network.
The memory 1101 may be a ROM or another type of static storage device capable of storing static information and instructions, a RAM or another type of dynamic storage device capable of storing information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including a compact disc, a laser disc, an optical disc, a digital versatile disc, a Blu-ray disc, and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory may exist independently and be connected to the processor through the communication line 1104. The memory may also be integrated with the processor.
The memory 1101 is configured to store computer-executable instructions for executing the solutions of this application, and the processor 1102 controls their execution. The processor 1102 is configured to execute the computer-executable instructions stored in the memory 1101, so as to implement the method for selecting a session management network element provided in the foregoing embodiments of this application.
Optionally, the program instructions in the embodiments of this application may also be referred to as application program code, a computer program, computer instructions, and so on; this is not specifically limited in the embodiments of this application.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented by software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center in a wired manner (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or a wireless manner (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
The various illustrative logic units and circuits described in the embodiments of this application may be implemented or operated by a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the described functions. The general-purpose processor may be a microprocessor; alternatively, it may be any conventional processor, controller, microcontroller, or state machine. The processor may also be implemented by a combination of computing apparatuses, for example a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors together with a digital signal processor core, or any other similar configuration.
The steps of the methods or algorithms described in the embodiments of this application may be embedded directly in hardware, in a software unit executed by a processor, or in a combination of the two. The software unit may be stored in a RAM, a flash memory, a ROM, an EPROM, an EEPROM, a register, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. By way of example, the storage medium may be connected to the processor so that the processor can read information from, and write information to, the storage medium. Optionally, the storage medium may also be integrated into the processor. The processor and the storage medium may be arranged in an ASIC.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
Although this application has been described with reference to specific features and embodiments, it is obvious that various modifications and combinations may be made to it without departing from the spirit and scope of this application. Accordingly, the specification and the accompanying drawings are merely illustrative of this application as defined by the appended claims, and are deemed to cover any and all modifications, variations, combinations, or equivalents within the scope of this application. Obviously, a person skilled in the art can make various changes and modifications to this application without departing from its scope. In this way, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.
In addition, in some embodiments, whether the UE supports anonymization processing also needs to be considered; whether to perform anonymization processing may be determined by an exchange of indications between the UE and the network. By way of example, another communication method provided in an embodiment of this application, shown in FIG. 12, specifically includes the following steps.
1201. The UE sends an access request to the AMF network element; the access request includes a first user identifier. The first user identifier is obtained by encrypting the SUPI, and the SUPI is the identity of the UE.
For example, the first user identifier is a SUCI.
In some embodiments, the access request further includes indication information 1, which indicates that the UE supports user identity anonymization processing.
1202. In response to the access request, the AMF network element sends a first user authentication request to the AUSF network element; the first user authentication request includes the first user identifier and the serving network name.
For example, the serving network name includes a PLMN ID and/or a network identifier (NID). The PLMN ID and the NID are used jointly to identify a non-public network (for example, a standalone non-public network (SNPN)).
In some embodiments, when the AMF network element or the network in which it is located supports user identity anonymization processing, the first user authentication request may also include indication information 2, which indicates that the AMF network element or its network and/or the UE supports user identity anonymization processing. For example, when indication information 2 indicates that the UE supports user identity anonymization processing, it may implicitly indicate to the UDM network element that the AMF network element or its network also supports user identity anonymization processing.
In some embodiments, when the access request includes indication information 1, the first user authentication request may also include indication information 1.
In some embodiments, when the access request includes indication information 1 and the AMF network element or its network supports user identity anonymization processing, the first user authentication request may also include indication information 1 and/or indication information 2, where indication information 2 indicates that the AMF network element or its network and/or the UE supports user identity anonymization processing.
1203. In response to the first user authentication request, the AUSF network element sends a second user authentication request to the UDM network element; the second user authentication request includes the first user identifier and the serving network name.
In some embodiments, when the first user authentication request includes indication information 1, the second user authentication request may also include indication information 1.
In some embodiments, when the first user authentication request includes indication information 2, the second user authentication request may also include indication information 2.
1204. In response to the second user authentication request, the UDM network element returns a second user authentication response to the AUSF network element; the second user authentication response includes a second user identifier.
For example, the second user identifier is the SUPI of the UE. As another example, the second user identifier is an anonymized identity of the UE, for example SUPI*. In that case the UDM network element also records the correspondence between the SUPI and SUPI*.
For example, when the second user authentication request includes indication information 1 and/or indication information 2, the UDM network element uses the anonymized identity of the UE as the second user identifier. Taking SUPI* as the anonymized identity of the UE as an example, the UDM network element also records the correspondence between the SUPI and SUPI*.
As another example, when the second user authentication request includes indication information 1 and/or the serving network name includes an NID, the UDM network element uses the anonymized identity of the UE as the second user identifier. Taking SUPI* as the anonymized identity of the UE as an example, the UDM network element also records the correspondence between the SUPI and SUPI*.
As another example, when the UE subscription capability indicates that the UE supports user identity anonymization processing and/or the second user authentication request includes indication information 2, the UDM network element uses the anonymized identity of the UE as the second user identifier. Taking SUPI* as the anonymized identity of the UE as an example, the UDM network element also records the correspondence between the SUPI and SUPI*.
As another example, when the UE subscription capability indicates that the UE supports user identity anonymization processing and/or the serving network name included in the second user authentication request includes an NID, the UDM network element uses the anonymized identity of the UE as the second user identifier. Taking SUPI* as the anonymized identity of the UE as an example, the UDM network element also records the correspondence between the SUPI and SUPI*.
In some embodiments, the anonymized identity of the UE (for example SUPI*) is generated by the UDM network element, according to a certain algorithm or policy, from one or more of the following parameters:
Freshness parameters, including but not limited to a random number (RAND), a sequence number (SQN), and a count, where the count is the value of a counter maintained by the UE and the network side, for example the value of the NAS counter;
Identifiers of the UE, including but not limited to the SUPI, the 5G globally unique temporary identifier (5G-GUTI), the SUCI, and the generic public subscription identifier (GPSI);
Shared keys between the UE and the network side, including but not limited to KAUSF, the cipher key CK, the integrity key IK, the anonymity key AK, the long-term key K, and keys generated from any one or more of KAUSF, KAKMA, CK, IK, AK, and K, such as the SEAF key KSEAF. Specifically, KSEAF is generated from KAUSF;
Public and private keys, including but not limited to the public key of the UE, the private key of the UE, the public key of the home network of the UE, and the private key of the home network of the UE;
Network identifiers, including but not limited to the serving network identifier, the serving network name, the home network name, and the routing indicator;
The algorithm or policy used by the UDM network element to generate the anonymized identity of the UE includes derivation and/or concatenation, which is not limited in the embodiments of this application.
In some embodiments, the second user authentication response may further include indication information 3, which indicates that the UDM network element supports user identity anonymization processing; that the UDM network element supports user identity anonymization processing may also be expressed as the UDM network element having performed user identity anonymization processing, and/or the home network in which the UDM network element is located supporting user identity anonymization processing.
In some embodiments, the second user authentication response may further include indication information 4, which indicates that the UE supports user identity anonymization processing.
1205. In response to the second user authentication response, the AUSF network element returns a first user authentication response to the AMF network element. For example, the first user authentication response includes indication information 3 and/or a third user identifier.
In some embodiments, the AUSF network element generates the third user identifier according to indication information 1 and/or indication information 4 and/or indication information 2 and/or the serving network name including an NID; the third user identifier is an anonymized identity of the UE, for example SUPI*.
The third user identifier may be the second user identifier, or may be computed by the AUSF network element from the second user identifier. The parameters used in that computation are the same as those used by the UDM network element to generate SUPI*, and are not repeated here.
1206. In response to the first user authentication response, the AMF network element sends a third user authentication request to the UE; the third user authentication request is used to initiate authentication toward the UE. For example, the third user authentication request may further include indication information 3.
In some embodiments, indication information 3 may be carried in the authentication token AUTN.
1207. In response to the third user authentication request, the UE returns a third user authentication response to the AMF network element, generates the second user identifier according to the SUPI and/or indication information 3, and generates the key KAMF according to the second user identifier.
It should be noted that the way the UE generates the second user identifier from the SUPI is the same as the way the UDM generates SUPI* described above. For the specific way the UE generates the key KAMF from the second user identifier, refer to the related description in the foregoing embodiments.
The UE may generate the second user identifier and the key KAMF after returning the third user authentication response to the AMF, or before returning it; this is not limited. In addition, for the way the UE generates the second user identifier and the key KAMF, refer to the related description above, which is not repeated here.
In some embodiments, when generating the key KAMF, only the part of SUPI* that remains after removing the PLMN ID and/or routing information is used.
1208. In response to the third user authentication response, the AMF network element sends a fourth user authentication request to the AUSF network element. For example, the fourth user authentication request may be used to initiate verification of the UE.
1209. In response to the fourth user authentication request, the AUSF network element returns a fourth user authentication response to the AMF network element; the fourth user authentication response may also include the third user identifier.
In some embodiments, the AUSF network element generates the third user identifier according to indication information 1 and/or indication information 4 and/or indication information 2 and/or the serving network name including an NID; the third user identifier is an anonymized identity of the UE, for example SUPI*.
The third user identifier may be the second user identifier, or may be computed by the AUSF from the second user identifier. The parameters used in that computation are the same as those used by the UDM network element to generate SUPI*, and are not repeated here.
In some embodiments, after successfully authenticating the UE, the AUSF network element returns a user authentication result to the UDM network element, where the user authentication result includes the third user identifier and/or the SUPI.
1210. In response to the fourth user authentication response, the AMF network element generates the key KAMF according to the third user identifier. The key KAMF generated by the AMF network element is thus the same as the key KAMF generated by the UE, which helps achieve secure communication.
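The flow of steps 1201 to 1210, simulated end to end as an added example (this is not code from the patent). The patent leaves the SUPI* algorithm open, so an HMAC-SHA256 derivation over RAND, the SUPI, KAUSF and the serving network name is assumed, SUCI de-concealment is replaced by a lookup table, and every identifier and key value is constructed.

```python
"""Added example, not code from the patent: steps 1201-1210 with a constructed
subscriber.  Assumed: HMAC-SHA256 for the SUPI*, KSEAF and KAMF derivations,
IMSI-type SUPIs of the form "imsi-<mcc><mnc><msin>" with a 5-digit PLMN part."""
import hashlib
import hmac
from dataclasses import dataclass, field

PLMN_LEN = 5  # assumed: 3-digit MCC + 2-digit MNC


def derive_supi_star(supi: str, k_ausf: bytes, rand: bytes, sn_name: str) -> str:
    """Assumed SUPI* derivation: keep the PLMN part so the identifier still routes
    to the home network, replace the MSIN by a keyed pseudonym bound to RAND."""
    plmn = supi[5:5 + PLMN_LEN]
    tag = hmac.new(k_ausf, b"SUPI*" + supi.encode() + rand + sn_name.encode(),
                   hashlib.sha256).digest()
    return f"imsi-{plmn}{tag[:5].hex()}"  # 10 hex digits stand in for the MSIN


def derive_k_seaf(k_ausf: bytes, sn_name: str) -> bytes:
    """KSEAF is generated from KAUSF (assumed HMAC-SHA256 KDF)."""
    return hmac.new(k_ausf, b"KSEAF" + sn_name.encode(), hashlib.sha256).digest()


def derive_k_amf(k_seaf: bytes, identity: str) -> bytes:
    """KAMF from the user identity.  As in the variant on the page, only the part
    of SUPI* without the PLMN ID enters the KDF (assumed HMAC-SHA256)."""
    body = identity[5 + PLMN_LEN:] if identity.startswith("imsi-") else identity
    return hmac.new(k_seaf, b"KAMF" + body.encode(), hashlib.sha256).digest()


@dataclass
class UDM:
    subscribers: dict   # SUPI -> (KAUSF, subscribed anonymization capability)
    suci_table: dict    # SUCI -> SUPI; stands in for SUCI de-concealment
    mapping: dict = field(default_factory=dict)  # step 1204 record: SUPI -> SUPI*

    def second_auth(self, suci, sn_name, rand, ind1=False, ind2=False, has_nid=False):
        """Step 1204: answer the second user authentication request."""
        supi = self.suci_table[suci]
        k_ausf, capability = self.subscribers[supi]
        # Any of the four conditions listed on the page selects the anonymized identity
        anonymize = ind1 or ind2 or capability or has_nid
        if not anonymize:
            return supi, False, False            # second user id = SUPI, no indication 3/4
        supi_star = derive_supi_star(supi, k_ausf, rand, sn_name)
        self.mapping[supi] = supi_star           # record the SUPI <-> SUPI* correspondence
        return supi_star, True, ind1 or capability   # indication 3, indication 4


def access_flow(udm, supi, suci, k_ausf, sn_name, rand, ue_supports, amf_supports, has_nid=False):
    """Run steps 1201-1210 and return what the UE and the AMF ended up with."""
    ind1 = ue_supports            # 1201: carried in the access request
    ind2 = amf_supports           # 1202: AMF adds indication 2 when it supports anonymization
    # 1203-1204: AUSF forwards to the UDM; 1205: AUSF hands the second id on as the third id
    second_id, ind3, _ind4 = udm.second_auth(suci, sn_name, rand, ind1, ind2, has_nid)
    third_id = second_id
    # 1206-1207: UE learns indication 3 (for example inside AUTN) and derives its own identity
    ue_id = derive_supi_star(supi, k_ausf, rand, sn_name) if ind3 else supi
    ue_k_amf = derive_k_amf(derive_k_seaf(k_ausf, sn_name), ue_id)
    # 1208-1210: AMF derives KAMF from the third user id in the fourth auth response
    amf_k_amf = derive_k_amf(derive_k_seaf(k_ausf, sn_name), third_id)
    return {"ue_id": ue_id, "amf_id": third_id, "ue_k_amf": ue_k_amf, "amf_k_amf": amf_k_amf}


# Constructed sample subscriber and serving network
SUPI = "imsi-460001234567890"
SUCI = "suci-constructed-token"
K_AUSF = hashlib.sha256(b"constructed KAUSF").digest()
SN_NAME = "5G:mnc000.mcc460.3gppnetwork.org"
RAND = bytes(range(16))


def demo_udm(capability=False):
    return UDM({SUPI: (K_AUSF, capability)}, {SUCI: SUPI})


if __name__ == "__main__":
    r = access_flow(demo_udm(), SUPI, SUCI, K_AUSF, SN_NAME, RAND, True, True)
    print(r["amf_id"], r["ue_k_amf"] == r["amf_k_amf"])
```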
Further, in some embodiments, after the UE has accessed the network, the AMF network element may also actively initiate user authentication in order to update the anonymized identity of the UE (for example SUPI*) used in the communication between the UE and the network.
For example, the AMF network element may trigger user authentication periodically after the UE accesses the network, or may trigger it on an event (for example, a cell handover or a NAS COUNT wrap-around).
For example, taking SUPI*1 as the anonymized user identifier of the UE, FIG. 13 shows the communication method used when the AMF network element actively initiates user authentication; it specifically includes the following steps.
1301. The AMF network element sends a first user authentication request to the AUSF network element; the first user authentication request includes SUPI*1 and the serving network name.
For example, the serving network name includes a PLMN ID and/or an NID.
In some embodiments, when the AMF network element or the network in which it is located supports user identity anonymization processing, the first user authentication request may also include indication information 2, which indicates that the AMF network element or its network and/or the UE supports user identity anonymization processing.
In some embodiments, when the UE supports user identity anonymization processing, the AMF network element stores indication information 1, which indicates that the UE supports user identity anonymization processing; in this case, the first user authentication request may further include indication information 1.
1302. In response to the first user authentication request, the AUSF network element sends a second user authentication request to the UDM network element; the second user authentication request includes SUPI*1 and the serving network name.
In some embodiments, when the first user authentication request includes indication information 2, the second user authentication request may also include indication information 2.
1303. In response to the second user authentication request, the UDM network element returns a second user authentication response to the AUSF network element; the second user authentication response includes SUPI*1 and SUPI*2.
In some embodiments, when the second user authentication response includes indication information 2 and/or the UDM network element supports user identity anonymization processing, and the UDM network element finds, in the recorded correspondence between SUPI and SUPI*, the SUPI corresponding to SUPI*1, it determines that the UE supports user identity anonymization processing, generates SUPI*2, and records the correspondence between the SUPI and SUPI*2. Specifically, for the way SUPI*2 is generated, refer to the description of generating the second user identifier in step 1204 above, which is not repeated here.
Further, by way of example, when the UDM network element determines that the UE supports user identity anonymization processing, the second user authentication response may further include indication information 1, which indicates that the UE supports user identity anonymization processing, so as to explicitly indicate to the AMF network element that the UE supports user identity anonymization processing.
In other embodiments, if the UDM network element does not find, in the recorded correspondence between SUPI and SUPI*, a SUPI corresponding to SUPI*1, it treats SUPI*1 as a SUPI.
In other embodiments, when the AMF network element does not support user identity anonymization processing, the second user authentication response that the UDM network element returns to the AUSF network element in response to the second user authentication request includes the SUPI and does not include indication information 3, where indication information 3 indicates that the UDM network element supports user identity anonymization processing.
In some embodiments, when the second user authentication response includes indication information 2 and/or the UDM network element supports user identity anonymization processing, the second user authentication response may further include indication information 3; that the UDM network element supports user identity anonymization processing may also be expressed as the UDM network element having performed user identity anonymization processing, and/or the home network in which the UDM network element is located supporting user identity anonymization processing.
1304. In response to the second user authentication response, the AUSF network element returns a first user authentication response to the AMF network element. For example, the first user authentication response includes indication information 3.
1305. In response to the first user authentication response, the AMF network element sends a third user authentication request to the UE; the third user authentication request is used to initiate authentication toward the UE. For example, the third user authentication request may further include indication information 3.
In some embodiments, indication information 3 may be carried in the authentication token AUTN.
1306. In response to the third user authentication request, the UE returns a third user authentication response to the AMF network element, generates SUPI*2 according to the SUPI and/or indication information 3, and generates the key KAMF according to SUPI*2.
It should be noted that the way the UE generates SUPI*2 from the SUPI is the same as the way the UDM generates SUPI* described above. For the specific way the UE generates the key KAMF from SUPI*2, refer to the related description in the foregoing embodiments.
The UE may generate SUPI*2 and the key KAMF after returning the third user authentication response to the AMF, or before returning it; this is not limited. In addition, for the way the UE generates SUPI*2 and the key KAMF, refer to the related description above, which is not repeated here.
1307. In response to the third user authentication response, the AMF network element sends a fourth user authentication request to the AUSF network element. For example, the fourth user authentication request may be used to initiate verification of the UE.
1308. In response to the fourth user authentication request, the AUSF network element returns a fourth user authentication response to the AMF network element; the fourth user authentication response may include the third user identifier, SUPI*2. In some embodiments, the fourth user authentication response may also include SUPI*1.
For the third user identifier, refer to the description in step 1209, which is not repeated here.
1309. In response to the fourth user authentication response, when SUPI*2 differs from SUPI*1, the AMF network element replaces SUPI*1 with SUPI*2, records the correspondence between SUPI*1 and SUPI*2, and generates the key KAMF according to SUPI*2. The anonymized user identity is thereby updated, which helps achieve secure communication.
Further, the AMF network element may also compare SUPI*2 with SUPI*1 and, when they differ, determine that the UE supports user identity anonymization processing; the UE's support for user identity anonymization processing is thus determined implicitly.
Still further, in some embodiments, as shown in FIG. 14, after the AMF network element replaces SUPI*1 with SUPI*2, the method further includes:
1401. The AMF network element sends a session connection establishment request to the SMF network element; the session connection establishment request includes SUPI*1 and SUPI*2.
1402. After receiving the session connection establishment request, the SMF network element replaces SUPI*1 with SUPI*2, so that the SMF network element subsequently identifies the UE by SUPI*2.
For example, the session connection establishment request may be an Nsmf_PDUSession_CreateSMContext Request.
The above is described using the SMF network element as an example; that is, after the AMF network element updates the anonymized user identity of a given UE, it can carry the updated anonymized user identity of the UE in the service messages it exchanges with other network elements in the core network, which helps save resource overhead.
In addition, each time a core-network element other than the AMF network element obtains the anonymized user identity of the UE, it may subscribe with the AMF network element so that, after the AMF network element updates the anonymized user identity of the UE again, it sends the updated anonymized user identity of the UE to that network element.
Taking NF network element 1, which has obtained SUPI*1 as the anonymized user identity of the UE, as an example, the method for subscribing to anonymized user identity updates in an embodiment of this application may be as shown in FIG. 15 and specifically includes the following steps:
1501. NF network element 1 sends an anonymized user identity update subscription request to the AMF network element; the subscription request includes SUPI*1.
For example, the anonymized user identity update subscription request is a newly defined message, such as AMF_UEIdentifier_UpdateSubscribe. As another example, it may be an existing service message.
1502. After receiving the anonymized user identity update subscription request, if the AMF network element replaces SUPI*1 with SUPI*2, it sends an anonymized user identity update subscription response to NF network element 1; the response includes SUPI*1 and SUPI*2.
例如,订阅用户匿名化身份标识更新响应可以为一个新定义的消息,例如AMF_UEIdentifier_UpdateNotification。再例如,订阅用户匿名化身份标识更新响应可以为已有的业务消息。For example, the subscriber's anonymized identity update response may be a newly defined message, such as AMF_UEIdentifier_UpdateNotification. For another example, the subscription user anonymized identity update response may be an existing business message.
1503、NF网元1接收到订阅用户匿名化身份标识更新响应后,将SUPI*1替换为SUPI*2。1503. The NF network element 1 replaces SUPI*1 with SUPI*2 after receiving the subscriber's anonymized identity update response.
进一步的,为避免后续AMF网元再次更新SUPI*2,NF网元1将SUPI*1替换为SUPI*2后,再次向AMF网元发送订阅用户匿名化身份标识更新请求,或者,AMF网元再将SUPI*1替换为SUPI*2后,将对SUPI*1的订阅替换为对SUPI*2的订阅。Further, in order to prevent the subsequent AMF network element from updating SUPI*2 again, after NF network element 1 replaces SUPI*1 with SUPI*2, it again sends a subscription user anonymized identity update request to the AMF network element, or the AMF network element After replacing SUPI*1 with SUPI*2, replace the subscription to SUPI*1 with the subscription to SUPI*2.
此外,需要说明的是,本申请各实施例中涉及的接入请求可以理解为注册请求,即本申请实施例中涉及的接入请求可以替换为注册请求。In addition, it should be noted that the access request involved in each embodiment of this application can be understood as a registration request, that is, the access request involved in the embodiment of this application can be replaced with a registration request.
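As an added illustration (not code from the patent), the following Python model walks through steps 1309 and 1501 to 1503 above: the AMF replaces SUPI*1 with SUPI*2, records the correspondence, derives KAMF from the new identifier, notifies the NF that subscribed to updates, and moves the subscription to SUPI*2 so that a later update to SUPI*3 is delivered as well. The key derivation (HMAC-SHA256 over the anonymized identifier under a constructed root key), the identifier values and all class and method names are assumptions for illustration; the patent specifies none of them.

```python
"""Model of the AMF-side anonymized-identifier update and subscription flow.

Added example, not the patent's own code. The KDF and all names are assumptions.
"""
import hashlib
import hmac
from collections import defaultdict


class NetworkFunction:
    """Stands in for "NF network element 1" (an SMF, say) holding a UE's anonymized identifier."""

    def __init__(self, name, amf):
        self.name = name
        self.amf = amf
        self.ue_ids = set()  # anonymized identifiers (SUPI*) this NF currently uses for the UE

    def learn_identifier(self, supi_star):
        # Step 1501: after obtaining SUPI*1 the NF subscribes with the AMF to updates of it.
        self.ue_ids.add(supi_star)
        self.amf.subscribe(supi_star, self)

    def on_identifier_update(self, old_id, new_id):
        # Step 1503: the update response carries both SUPI*1 and SUPI*2; replace the old one.
        self.ue_ids.discard(old_id)
        self.ue_ids.add(new_id)


class AMF:
    """Mobility management network element keeping the UE context keyed by SUPI*."""

    def __init__(self, root_key):
        self.root_key = root_key                   # constructed stand-in for the key material
        self.ue_context = {}                       # current SUPI* -> KAMF
        self.id_history = {}                       # SUPI*1 -> SUPI*2 correspondence (step 1309)
        self.subscriptions = defaultdict(set)      # SUPI* -> NFs subscribed to its updates
        self.ue_supports_anonymization = False     # implicit judgement from step 1309

    def derive_kamf(self, supi_star):
        # Assumed KDF: HMAC-SHA256 over the anonymized identifier. The patent leaves the KDF open;
        # the point is only that KAMF is bound to SUPI*2, never to the plaintext SUPI.
        return hmac.new(self.root_key, supi_star.encode(), hashlib.sha256).digest()

    def subscribe(self, supi_star, nf):
        self.subscriptions[supi_star].add(nf)

    def on_auth_response(self, current_id, received_id):
        """Step 1309: compare SUPI*2 from the fourth authentication response with stored SUPI*1.

        Returns True when the identifier was replaced, False when it was unchanged.
        """
        if received_id == current_id:
            return False
        # Identifiers differ, so the UE is implicitly judged to support anonymization.
        self.ue_supports_anonymization = True
        # Record the correspondence, swap the context entry and derive KAMF from SUPI*2.
        self.id_history[current_id] = received_id
        self.ue_context.pop(current_id, None)
        self.ue_context[received_id] = self.derive_kamf(received_id)
        # Step 1502: send the update response (old and new identifier) to every subscribed NF,
        # then move the subscription from SUPI*1 to SUPI*2 so the next update is not missed
        # (the AMF-side variant of the "further" paragraph; the NF re-subscribing is the other).
        subscribers = self.subscriptions.pop(current_id, set())
        for nf in subscribers:
            nf.on_identifier_update(current_id, received_id)
        self.subscriptions[received_id] |= subscribers
        return True


def run_scenario():
    """Registration under SUPI*1, an update to SUPI*2, then a later update to SUPI*3."""
    amf = AMF(b"constructed-root-key")                      # constructed sample key
    amf.ue_context["SUPI*1"] = amf.derive_kamf("SUPI*1")   # UE registered under SUPI*1
    smf = NetworkFunction("SMF", amf)
    smf.learn_identifier("SUPI*1")                          # step 1501
    unchanged = amf.on_auth_response("SUPI*1", "SUPI*1")    # same identifier: nothing to do
    first = amf.on_auth_response("SUPI*1", "SUPI*2")        # steps 1309, 1502, 1503
    second = amf.on_auth_response("SUPI*2", "SUPI*3")       # later re-authentication
    return amf, smf, (unchanged, first, second)


if __name__ == "__main__":
    amf, smf, results = run_scenario()
    print("updates applied:", results)
    print("SMF now identifies the UE by:", smf.ue_ids)
    print("AMF identifier history:", amf.id_history)
```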

Claims (39)

  1. A communication system, characterized in that it includes a mobility management network element, an authentication service network element and a data management network element;
    the mobility management network element is configured to receive an access request sent by a terminal device, the access request including a first user identifier, the first user identifier being obtained by encrypting a user identifier SUPI, and the SUPI being the identity of the terminal device;
    the mobility management network element is configured to send, in response to the access request, a first user authentication request to the authentication service network element, the first user authentication request including the first user identifier;
    the authentication service network element is configured to send, in response to the first user authentication request, a second user authentication request to the data management network element, the second user authentication request including the first user identifier;
    the data management network element is configured to return, in response to the second user authentication request, a second user authentication response to the authentication service network element, the second user authentication response including a second user identifier, the second user identifier being the anonymized identity of the terminal device;
    the authentication service network element is further configured to return, in response to the second user authentication response, a first user authentication response to the mobility management network element.
  2. The communication system according to claim 1, characterized in that the first user authentication response further includes the second user identifier.
  3. The communication system according to claim 1 or 2, characterized in that the mobility management network element is further configured to:
    obtain the second user identifier from the authentication service network element in response to the first user authentication response.
  4. The communication system according to any one of claims 1 to 3, characterized in that the first user authentication request further includes first indication information, and the second user authentication request that the authentication service network element sends to the data management network element in response to the first user authentication request further includes the first indication information; the first indication information is used to indicate that the mobility management network element supports user identity anonymization.
  5. The communication system according to any one of claims 1 to 4, characterized in that the second user authentication response further includes second indication information, and the first user authentication response that the authentication service network element returns to the mobility management network element in response to the second user authentication response further includes the second indication information; the second indication information is used to indicate that the data management network element supports user identity anonymization.
  6. The communication system according to any one of claims 1 to 5, characterized in that it further includes a first network element;
    the data management network element is further configured to:
    send an anonymized user identifier acquisition request to the first network element, the anonymized user identifier acquisition request including the first user identifier, and receive the second user identifier returned by the first network element;
    the first network element is configured to, in response to the anonymized user identifier acquisition request, decrypt the first user identifier to obtain the SUPI, obtain the second user identifier according to the SUPI, and return the second user identifier to the data management network element.
  7. The communication system according to any one of claims 1 to 5, characterized in that it further includes a first network element;
    the data management network element is further configured to:
    decrypt the first user identifier to obtain the SUPI, send an anonymized user identifier acquisition request to the first network element, the anonymized user identifier acquisition request including the SUPI, and receive the second user identifier returned by the first network element;
    the first network element is configured to, in response to the anonymized user identifier acquisition request, obtain the second user identifier according to the SUPI and return the second user identifier to the data management network element.
  8. The communication system according to claim 6 or 7, characterized in that the authentication service network element is further configured to:
    send a key acquisition request to the first network element, the key acquisition request including the second user identifier; receive the key KAMF returned by the first network element; and send the key KAMF to the mobility management network element; the key KAMF is a key between the terminal device and the mobility management network element;
    the first network element is configured to, in response to the key acquisition request, generate the key KAMF according to the second user identifier and return the key KAMF to the authentication service network element;
    the mobility management network element is further configured to receive the key KAMF sent by the authentication service network element.
  9. The communication system according to claim 8, characterized in that the first network element is configured to obtain the SUPI according to the second user identifier and generate the key KAMF according to the SUPI.
  10. The communication system according to claim 9, characterized in that:
    the mobility management network element is further configured to send a first parameter to the authentication server;
    the authentication service network element is further configured to send the first parameter to the first network element;
    the first network element is configured to generate the key KAMF according to the SUPI and the first parameter.
  11. The communication system according to any one of claims 1 to 5, characterized in that the data management network element is further configured to:
    decrypt the first user identifier to obtain the SUPI, and obtain the second user identifier according to the SUPI.
  12. The communication system according to claim 11, characterized in that the authentication service network element is further configured to:
    send a key acquisition request to the data management network element, the key acquisition request including the second user identifier; receive the key KAMF returned by the data management network element; and send the key KAMF to the mobility management network element; the key KAMF is a key between the terminal device and the mobility management network element;
    the data management network element is further configured to:
    in response to the key acquisition request, generate the key KAMF according to the second user identifier and return the key KAMF to the authentication service network element;
    the mobility management network element is further configured to receive the key KAMF sent by the authentication service network element.
  13. The communication system according to claim 11, characterized in that the mobility management network element is further configured to:
    generate a key KAMF according to the second user identifier; the key KAMF is a key between the terminal device and the mobility management network element.
  14. A communication method, characterized in that the method includes:
    a mobility management network element receiving an access request sent by a terminal device, the access request including a first user identifier, the first user identifier being obtained by encrypting a user identifier SUPI, and the SUPI being the identity of the terminal device;
    the mobility management network element sending, in response to the access request, a first user authentication request to an authentication service network element, the first user authentication request including the first user identifier;
    the mobility management network element receiving a first user authentication response returned by the authentication service network element in response to the first user authentication request;
    wherein the first user authentication response includes a second user identifier, the second user identifier being the anonymized identity of the terminal device; or, the mobility management network element obtains the second user identifier from the authentication service network element in response to the first user authentication response.
  15. The method according to claim 14, characterized in that the first user authentication request further includes first indication information, the first indication information being used to indicate that the mobility management network element supports user identity anonymization.
  16. The method according to claim 14 or 15, characterized in that the first user authentication response further includes second indication information, the second indication information being used to indicate that the data management network element supports user identity anonymization.
  17. The method according to any one of claims 14 to 15, characterized in that the method further includes:
    the mobility management network element generating a key KAMF according to the second user identifier; or,
    the mobility management network element receiving the key KAMF returned by the authentication service network element;
    the key KAMF being a key between the terminal device and the mobility management network element.
  18. The method according to claim 17, characterized in that the method further includes:
    the mobility management network element further sending a first parameter to the authentication service network element; the first parameter is used to generate the key KAMF.
  19. A communication method, characterized in that the method includes:
    an authentication service network element receiving a first user authentication request sent by a mobility management network element; the first user authentication request including a first user identifier, the first user identifier being obtained by encrypting a user identifier SUPI, and the SUPI being the identity of a terminal device;
    the authentication service network element sending, in response to the first user authentication request, a second user authentication request to a data management network element, the second user authentication request including the first user identifier;
    the authentication service network element receiving a second user authentication response returned by the data management network element in response to the second user authentication request, the second user authentication response including a second user identifier, the second user identifier being the anonymized identity of the terminal device;
    the authentication service network element returning, in response to the second user authentication response, a first user authentication response to the mobility management network element.
  20. The method according to claim 19, characterized in that the first user authentication response includes the second user identifier.
  21. The method according to claim 19 or 20, characterized in that the first user authentication request further includes first indication information, and the second user authentication request that the authentication service network element sends to the data management network element in response to the first user authentication request further includes the first indication information; the first indication information is used to indicate that the mobility management network element supports user identity anonymization.
  22. The method according to any one of claims 19 to 21, characterized in that the second user authentication response further includes second indication information, and the first user authentication response that the authentication service network element returns to the mobility management network element in response to the second user authentication response further includes the second indication information; the second indication information is used to indicate that the data management network element supports user identity anonymization.
  23. The method according to any one of claims 19 to 22, characterized in that the method further includes:
    the authentication service network element sending a key acquisition request to a first network element, the key acquisition request including the second user identifier;
    the authentication service network element receiving the key KAMF returned by the first network element in response to the key acquisition request, the key KAMF being a key between the terminal device and the mobility management network element;
    the authentication service network element sending the key KAMF to the mobility management network element.
  24. The method according to claim 23, characterized in that the method further includes:
    the authentication service network element receiving a first parameter sent by the mobility management network element and sending the first parameter to the first network element, the first parameter being used to generate the key KAMF.
  25. The method according to claim 23, characterized in that the method further includes:
    the authentication service network element sending a key acquisition request to the data management network element, the key acquisition request including the second user identifier;
    the authentication service network element receiving the key KAMF returned by the data management network element in response to the key acquisition request, the key KAMF being a key between the terminal device and the mobility management network element;
    the authentication service network element sending the key KAMF to the mobility management network element.
  26. A communication method, characterized in that the method includes:
    a data management network element receiving a second user authentication request sent by an authentication service network element, the second user authentication request including a first user identifier, the first user identifier being obtained by encrypting a user identifier SUPI, and the SUPI being the identity of a terminal device;
    the data management network element returning, in response to the second user authentication request, a second user authentication response to the authentication service network element, the second user authentication response including a second user identifier, the second user identifier being the anonymized identity of the terminal device.
  27. The method according to claim 26, characterized in that the method further includes:
    the data management network element sending an anonymized user identifier acquisition request to a first network element, the anonymized user identifier acquisition request including the first user identifier;
    the data management network element receiving the second user identifier returned by the first network element in response to the anonymized user identifier acquisition request.
  28. The method according to claim 26, characterized in that the method further includes:
    the data management network element sending an anonymized user identifier acquisition request to a first network element, the anonymized user identifier acquisition request including the SUPI;
    the data management network element receiving the second user identifier returned by the first network element in response to the anonymized user identifier acquisition request.
  29. The method according to claim 26, characterized in that the method further includes:
    the data management network element obtaining the second user identifier according to the SUPI.
  30. The method according to any one of claims 26 to 29, characterized in that the method further includes:
    the data management network element receiving a key acquisition request sent by the authentication service network element, the key acquisition request including a second user identifier;
    the data management network element returning, in response to the key acquisition request, a key KAMF to the authentication service network element; the key KAMF being a key between the terminal device and the mobility management network element.
  31. A communication method, characterized in that the method includes:
    a first network element receiving an anonymized user identifier acquisition request sent by a data management network element, the anonymized user identifier acquisition request including a first user identifier or a user identifier SUPI; the first user identifier being obtained by encrypting the SUPI, and the SUPI being the identity of a terminal device;
    the first network element returning, in response to the anonymized user identifier acquisition request, the second user identifier to the data management network element, the second user identifier being the anonymized identity of the terminal device.
  32. The method according to claim 31, characterized in that the method further includes:
    the first network element obtaining the second user identifier according to the SUPI, the SUPI being obtained from the anonymized user identifier acquisition request or by decrypting the first user identifier.
  33. The method according to claim 31 or 32, characterized in that the method further includes:
    the first network element receiving a key acquisition request sent by an authentication service network element, the key acquisition request including the second user identifier;
    the first network element returning, in response to the key acquisition request, the key KAMF to the authentication service network element; the key KAMF being a key between the terminal device and a mobility management network element.
  34. The method according to claim 33, characterized in that the method further includes:
    the first network element receiving a first parameter sent by the authentication service network element; the first parameter being sent by the mobility management network element to the authentication service network element; the first parameter is used to generate the key KAMF.
  35. A communication apparatus, characterized in that it includes a processor and a memory, wherein:
    the memory stores program instructions;
    the processor is configured to call the program instructions stored in the memory to execute the method according to any one of claims 14 to 18.
  36. A communication apparatus, characterized in that it includes a processor and a memory, wherein:
    the memory stores program instructions;
    the processor is configured to call the program instructions stored in the memory to execute the method according to any one of claims 19 to 25.
  37. A communication apparatus, characterized in that it includes a processor and a memory, wherein:
    the memory stores program instructions;
    the processor is configured to call the program instructions stored in the memory to execute the method according to any one of claims 26 to 30.
  38. A communication apparatus, characterized in that it includes a processor and a memory, wherein:
    the memory stores program instructions;
    the processor is configured to call the program instructions stored in the memory to execute the method according to any one of claims 31 to 34.
  39. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program which, when run on a computer, causes the computer to execute the method according to any one of claims 14 to 34.
Application PCT/CN2020/104598, priority date 2019-08-27, filing date 2020-07-24: Communication system, method, and apparatus, WO2021036627A1 (en)

Applications Claiming Priority (4)

Application Number | Priority Date | Filing Date | Title
CN201910795258.8 | 2019-08-27 | |
CN201910795258 | 2019-08-27 | |
CN202010256020.0A (CN112512045B, en) | 2019-08-27 | 2020-04-02 | Communication system, method and device
CN202010256020.0 | 2020-04-02 | |

Publications (1)

Publication Number | Publication Date
WO2021036627A1 (en) | 2021-03-04

Family ID=74683283

Family Applications (1)

Application Number | Priority Date | Filing Date | Title
PCT/CN2020/104598 (WO2021036627A1, en) | 2019-08-27 | 2020-07-24 | Communication system, method, and apparatus

Country Status (1)

Country | Link
WO (1) | WO2021036627A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN108683510A (en) * | 2018-05-18 | 2018-10-19 | 兴唐通信科技有限公司 | A kind of user identity update method of encrypted transmission
CN108848502A (en) * | 2018-05-18 | 2018-11-20 | 兴唐通信科技有限公司 | A method of SUPI is protected using 5G-AKA
CN108848495A (en) * | 2018-05-18 | 2018-11-20 | 兴唐通信科技有限公司 | A kind of user identity update method using preset key
US10299128B1 (en) * | 2018-06-08 | 2019-05-21 | Cisco Technology, Inc. | Securing communications for roaming user equipment (UE) using a native blockchain platform

Legal Events

Date | Code | Title | Description
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20857352; Country of ref document: EP; Kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20857352; Country of ref document: EP; Kind code of ref document: A1