WO2021168713A1 - Communication method and apparatus - Google Patents

Communication method and apparatus

Info

Publication number
WO2021168713A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
message
identity
tmsi
network element
Prior art date
Application number
PCT/CN2020/076855
Other languages
French (fr)
Chinese (zh)
Inventor
郭龙华
胡力
李�赫
吴�荣
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent passwords, e.g. periodically changing passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/22 Processing or transfer of terminal data, e.g. status or physical capabilities
    • H04W 8/24 Transfer of terminal data

Definitions

  • the embodiments of the present application relate to the field of communication technologies, and in particular, to communication methods and devices.
  • terminal equipment is at risk of being tracked.
  • 5G fifth generation
  • 5G-Temporary Mobile Subscriber Identity, 5G-TMSI fifth generation temporary mobile subscriber identity
  • the attacker can identify the terminal device based on the 5G-TMSI
  • the identity of the terminal device can be combined with the location of the terminal device to track the terminal device.
  • the network side may send a new 5G-TMSI to the terminal device.
  • the attacker can still track the terminal device. For example, an attacker can intercept a message used to carry the updated 5G-TMSI and discard the message, so that the terminal device cannot update the 5G-TMSI. Since the terminal device cannot update the 5G-TMSI, the terminal device may use the same 5G-TMSI for a long time, and there is a risk of being tracked by an attacker.
  • the embodiments of the present application provide a communication method and device to prevent terminal equipment from being tracked by an attacker.
  • an embodiment of the present application provides a communication method, including: a terminal device in a registered state determines whether the temporary identity identifier allocated to it by the network side has expired; in the case where it is determined that the temporary identity identifier has expired, the terminal device sends a first message to the mobility management network element through the access device, where the first message includes a routing identifier and an encrypted permanent identity identifier corresponding to the terminal device.
  • the route identifier is used to determine a mobility management network element serving the terminal device.
  • the terminal device uses an encrypted permanent identity to replace the original 5G-TMSI, which can prevent the terminal device from being tracked.
  • the terminal device determines that the temporary identity assigned to itself by the network side has expired, it does not use the expired temporary identity when communicating with the network side, but uses the encrypted permanent identity. This makes it impossible for an attacker to obtain the identity information of the terminal device, and thus cannot track the location of the terminal device.
  • the terminal device determining that the temporary identity assigned to it by the network side has expired includes one or more of the following: the terminal device determines that a timer expires, where the duration of the timer is used to determine the maximum length of time that the terminal device waits to receive the updated temporary identity identifier in the service request procedure; or, the terminal device determines that the number of times it receives no reply after sending the service request message reaches the first threshold; or, the temporary identity of the terminal device was not updated during the last non-access stratum (NAS) connection; or, after the terminal device requested the mobility management network element to update the temporary identity, the terminal device has not received the updated temporary identity.
  • the terminal device can determine that it may be attacked or is at risk of being attacked, and thus determine that the temporary identity assigned to itself by the network side has expired, and then determine that it needs to use an encrypted permanent identity.
  • the encrypted permanent identity is the SUCI of the terminal device; or, the encrypted permanent identity is obtained by encrypting the temporary identity of the terminal device, and the temporary identity of the terminal device is the 5G-TMSI; or, the encrypted permanent identity is the remaining part of the SUCI of the terminal device after removing the home network identity.
  • the first message is a service request message, or a periodic registration message, or a mobility registration message.
  • an embodiment of the present application provides a communication method, including: a terminal device sends a service request message to a mobility management network element, where the service request message includes a first identity; when the NAS connection of the service request procedure between the terminal device and the mobility management network element needs to be released, the terminal device starts a timer, where the duration of the timer is the maximum length of time for maintaining the NAS connection; before the timer expires, the terminal device receives a configuration update request message from the mobility management network element, where the configuration update request message includes a second identity identifier.
  • judgment logic is added to the terminal device so that the terminal device does not release the NAS connection within a certain period of time, and instead waits for the configuration update procedure to occur, ensuring that the identity update is completed; this prevents the terminal device from being tracked by an attacker and achieves the purpose of protecting user privacy and security.
  • the need to release the NAS connection of the service request procedure between the terminal device and the mobility management network element includes: a certain period of time after the terminal device receives the service response message from the mobility management network element or sends the service request message, the NAS connection of the service request procedure between the terminal device and the mobility management network element needs to be released.
  • the AMF should trigger a timer after sending a service response message, and send a configuration update request carrying the second identity within the timer range.
  • the duration of the timer is determined according to the timer for releasing the local NAS connection after the UE receives the service response message, or is pre-configured by the operator.
  • before the terminal device starts the timer, the method further includes: the terminal device receives first indication information from the mobility management network element, where the first indication information is used to indicate that the terminal device maintains the NAS connection; or, the terminal device determines that the updated temporary identity identifier has not been received.
  • the mobility management network element may notify the terminal device to maintain the NAS connection through the first indication information, or the terminal device may determine that it needs to maintain the NAS connection.
  • the terminal device triggers a timer a certain period of time after sending a service request message, or triggers a timer after receiving a service response message from the mobility management network element, and the terminal device needs to maintain the NAS connection of the service request procedure with the mobility management network element until the timer expires.
  • before the terminal device receives the configuration update request message from the mobility management network element, the method further includes: the terminal device sends a NAS message to the mobility management network element, where the NAS message is used to request the mobility management network element to send an updated temporary identity.
  • the NAS message includes second indication information, and the second indication information is used to request the mobility management network element to send an updated temporary identity identifier.
  • after the terminal device maintains the NAS connection, it can actively request the updated temporary identity from the mobility management network element, thereby saving time and improving the likelihood of obtaining the updated temporary identity.
  • the duration of the timer is determined according to the retransmission time interval of the configuration update request message sent by the mobility management network element; or, the duration of the timer is pre-configured by the manufacturer of the terminal device.
  • an embodiment of the present application provides a communication method, including: a terminal device in a registered state determines whether the temporary identity assigned to it by the network side has expired; in the case of determining that the temporary identity has expired, the terminal device initiates a de-registration procedure and uses the encrypted permanent identity to initiate an initial registration procedure to obtain the temporary identity that the network side updates for it.
  • when the terminal device determines that the temporary identity has expired, it initiates the de-registration procedure and uses the encrypted permanent identity to initiate the initial registration procedure to obtain the temporary identity updated by the network side, thereby completing the update of the temporary identity identifier. Since the updated temporary identity obtained by the terminal device in the initial registration procedure is securely protected and cannot be obtained by an attacker, the terminal device is prevented from being tracked by the attacker and the purpose of protecting user privacy and security is achieved.
  • the terminal device determining that the temporary identity assigned to it by the network side has expired includes one or more of the following: the terminal device determines that a timer expires, where the duration of the timer is used to determine the maximum length of time that the terminal device waits to receive the updated temporary identity identifier in the service request procedure; or, the terminal device determines that the number of times it receives no reply after sending the service request message reaches the first threshold; or, the temporary identity of the terminal device was not updated during the last non-access stratum (NAS) connection; or, after the terminal device requested the mobility management network element to update the temporary identity, the terminal device has not received the updated temporary identity.
  • the encrypted permanent identity is the subscription concealed identifier (SUCI) of the terminal device; or, the encrypted permanent identity is obtained by encrypting the temporary identity, and the temporary identity is the fifth generation temporary mobile subscriber identity (5G-TMSI); or, the encrypted permanent identity is the remaining part of the SUCI of the terminal device after removing the home network identity.
  • an embodiment of the present application provides a communication method, including: a terminal device receives a second NAS message from a mobility management network element through a second NAS connection, where the second NAS message is sent by the mobility management network element after a first NAS message has been retransmitted to the terminal device through a first NAS connection the maximum number of times without a confirmation message being received; the first NAS message and the second NAS message contain the updated temporary identity identifier of the UE; the terminal device obtains the updated temporary identity identifier from the second NAS message.
  • the first NAS connection corresponds to a first access mode
  • the second NAS connection corresponds to a second access mode
  • the first access mode is one of 3GPP access and non-3GPP access
  • the second access mode is the other of 3GPP access and non-3GPP access.
  • the terminal device and the core network can transmit the updated temporary identity of the terminal device through the second access mode, so that the terminal device can update the temporary identity; this prevents the terminal device from being tracked by an attacker and achieves the purpose of protecting user privacy and security.
  • the first NAS message is a configuration update request message
  • the second NAS message is a configuration update request message
  • the first NAS message is a NAS session management transmission message
  • the second NAS message is a NAS session management transmission message.
  • an embodiment of the present application provides a communication method, including: a mobility management network element receives a first message from a terminal device in a registered state, where the first message contains the encrypted permanent identity of the terminal device and the routing identifier of the mobility management network element; the mobility management network element sends the encrypted permanent identity to a decryption network element; the mobility management network element receives the decrypted identity from the decryption network element.
  • the terminal device uses an encrypted permanent identity to replace the original 5G-TMSI, which can prevent the terminal device from being tracked.
  • the 5G-TMSI used by the terminal device in this solution remains unchanged, but the 5G-TMSI is not used directly; an encrypted permanent identity is used instead, so that the attacker cannot obtain the identity information of the terminal device and therefore cannot track the location of the terminal device.
  • the encrypted permanent identity is the SUCI of the terminal device; or, the encrypted permanent identity is obtained by encrypting the temporary identity of the terminal device, and the temporary identity of the terminal device is the 5G-TMSI; or, the encrypted permanent identity is the remaining part of the SUCI of the terminal device after removing the home network identity.
  • the mobility management network element determines, according to the type of the first message and/or the format of the content in the first message, that the first message does not carry a 5G-TMSI, and then determines the decryption network element according to the encrypted permanent identity.
  • the first message is a service request message, or a periodic registration message, or a mobility registration message.
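As an added example (not the patent's or Huawei's own code), the following Python sketch models the UE-side expiry checks listed above, the resulting choice between sending the 5G-TMSI and an encrypted permanent identity with the routing identifier, and the network-side branch that detects a missing 5G-TMSI from the message content and hands the concealed identity to a decryption element. The threshold, the toy concealment that stands in for the real SUCI encryption, the message layout and all sample identities are assumptions constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample values; the patent leaves thresholds and key handling to the implementation.
HOME_KEY = b"constructed-home-network-key"   # stand-in for the home network public key
NO_REPLY_THRESHOLD = 3                         # the "first threshold" of unanswered service requests


@dataclass
class UeState:
    """Per-UE bookkeeping needed for the expiry checks (constructed structure)."""
    supi: str                          # permanent identity, e.g. imsi-<home network id><msin>
    home_network_id: str               # part of the SUCI that stays in the clear
    routing_id: str                    # selects the serving mobility management element
    tmsi: Optional[str] = None         # current 5G-TMSI, None if none was ever assigned
    wait_timer_expired: bool = False   # timer bounding the wait for an updated 5G-TMSI
    unanswered_service_requests: int = 0
    tmsi_updated_in_last_nas_connection: bool = True
    update_requested_but_not_received: bool = False


def temporary_identity_expired(ue: UeState, threshold: int = NO_REPLY_THRESHOLD) -> bool:
    """Any one of the four conditions in the summary marks the 5G-TMSI as expired."""
    return (
        ue.wait_timer_expired
        or ue.unanswered_service_requests >= threshold
        or not ue.tmsi_updated_in_last_nas_connection
        or ue.update_requested_but_not_received
    )


def record_nas_connection_outcome(ue: UeState, new_tmsi: Optional[str]) -> None:
    """Update the bookkeeping when a NAS connection ends. A configuration update that
    never arrived (the dropped-message case in the text) shows up here as new_tmsi=None."""
    if new_tmsi is not None:
        ue.tmsi = new_tmsi
        ue.tmsi_updated_in_last_nas_connection = True
        ue.unanswered_service_requests = 0
        ue.update_requested_but_not_received = False
    else:
        ue.tmsi_updated_in_last_nas_connection = False
        ue.unanswered_service_requests += 1


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.sha256(key + nonce).digest()[:n]


def conceal_msin(msin: str, key: bytes) -> str:
    """Toy concealment (XOR with a hashed nonce). A real SUCI encrypts the MSIN to the home
    network public key; this stand-in only gives the example a fresh, reversible value."""
    nonce = secrets.token_bytes(8)
    ct = bytes(a ^ b for a, b in zip(msin.encode(), _keystream(key, nonce, len(msin))))
    return nonce.hex() + ":" + ct.hex()


def reveal_msin(blob: str, key: bytes) -> str:
    """Inverse of conceal_msin, the step performed by the decryption network element."""
    nonce_hex, ct_hex = blob.split(":")
    nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def build_first_message(ue: UeState, key: bytes = HOME_KEY) -> dict:
    """UE side: once the temporary identity is judged expired, send the routing
    identifier plus an encrypted permanent identity instead of the 5G-TMSI."""
    if not temporary_identity_expired(ue) and ue.tmsi is not None:
        return {"type": "SERVICE_REQUEST", "5g_tmsi": ue.tmsi}
    msin = ue.supi[len("imsi-") + len(ue.home_network_id):]
    return {
        "type": "SERVICE_REQUEST",
        "routing_id": ue.routing_id,
        "suci": {"home_network_id": ue.home_network_id, "concealed": conceal_msin(msin, key)},
    }


def amf_handle_first_message(msg: dict, key: bytes = HOME_KEY) -> dict:
    """Network side: decide from the message content whether a 5G-TMSI is present;
    if not, select the decryption element by home network id and recover the SUPI."""
    if "5g_tmsi" in msg:
        return {"identity": msg["5g_tmsi"], "decrypted": False}
    suci = msg["suci"]
    supi = "imsi-" + suci["home_network_id"] + reveal_msin(suci["concealed"], key)
    return {"identity": supi, "decrypted": True, "routing_id": msg["routing_id"]}
```

Feeding `record_nas_connection_outcome(ue, None)` once is enough to flip the UE to the SUCI branch, which is the point of the "not updated during the last NAS connection" condition: a single suppressed update is already treated as a tracking risk.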
  • an embodiment of the present application provides a communication method, including: a mobility management network element receives a service request message from a terminal device, where the service request message includes a first identity; the mobility management network element sends first indication information to the terminal device, where the first indication information is used to instruct the terminal device to maintain a NAS connection; the mobility management network element sends a configuration update request message to the terminal device, where the configuration update request message includes the second identity.
  • the terminal device does not release the NAS connection for a certain period of time, and instead waits for the configuration update procedure to occur, ensuring that the identity update of the terminal device is completed; this prevents the terminal device from being tracked by attackers and achieves the purpose of protecting user privacy and security.
  • the sending of the first indication information by the mobility management network element to the terminal device includes: the mobility management network element sends a service response message to the terminal device, where the service response message includes the first indication information.
  • before the mobility management network element sends a configuration update request message to the terminal device, the method further includes: the mobility management network element receives a NAS message from the terminal device, where the NAS message is used to request the mobility management network element to send an updated temporary identity.
  • after the terminal device maintains the NAS connection, it can actively request the updated temporary identity from the mobility management network element, thereby saving time and improving the likelihood of obtaining the updated temporary identity.
  • the NAS message includes second indication information, and the second indication information is used to request the mobility management network element to send an updated temporary identity identifier.
  • an embodiment of the present application provides a communication method applied to a mobility management network element, where a terminal device establishes a first NAS connection with the mobility management network element through a first access mode and a second NAS connection with the mobility management network element through a second access mode, and the method includes: the mobility management network element determines that the number of times a first NAS message has been retransmitted to the terminal device through the first NAS connection reaches the maximum number and no confirmation message has been received, where the first NAS message is used to update the temporary identity of the terminal device; the mobility management network element sends a second NAS message to the terminal device through the second NAS connection, where the second NAS message includes the updated temporary identity of the terminal device.
  • the terminal device and the core network can transmit the updated temporary identity of the terminal device through the second access mode, so that the terminal device can update the temporary identity; this prevents the terminal device from being tracked by an attacker and achieves the purpose of protecting user privacy and security.
  • the first access mode is 3GPP access mode
  • the second access mode is non-3GPP access mode; or, the first access mode is non-3GPP access mode and the second access mode is 3GPP access mode.
  • the first NAS message is a configuration update request message
  • the second NAS message is a configuration update request message
  • the first NAS message is a NAS session management transmission message
  • the second NAS message is a NAS session management transmission message.
  • the maximum number of times is 5.
  • an embodiment of the present application provides a communication device.
  • the device may be a terminal device or a chip for the terminal device.
  • the device has the function of realizing any aspect of the first aspect to the fourth aspect, or any embodiment of the first aspect to the fourth aspect. This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • an embodiment of the present application provides a communication device, which may be a mobility management network element, or a chip used for a mobility management network element.
  • the device has the function of realizing any aspect of the fifth aspect to the seventh aspect, or any embodiment of the fifth aspect to the seventh aspect.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • an embodiment of the present application provides a terminal device, including a processor and a memory; the memory is used to store computer-executable instructions, and when the terminal device is running, the processor executes the computer-executable instructions stored in the memory so that the terminal device executes the method of any one of the first aspect to the fourth aspect, or of any embodiment of the first aspect to the fourth aspect.
  • an embodiment of the present application provides a mobility management network element, including a processor and a memory; the memory is used to store computer-executable instructions, and when the mobility management network element is running, the processor executes the computer-executable instructions stored in the memory so that the mobility management network element executes the method of any one of the fifth aspect to the seventh aspect, or of any embodiment of the fifth aspect to the seventh aspect.
  • an embodiment of the present application provides a communication device including a processor and a memory; the memory is used to store a computer program; the processor is used to call and run the computer program from the memory to perform the method of any one of the first aspect to the seventh aspect, or of any embodiment of the first aspect to the seventh aspect.
  • an embodiment of the present application provides a processor configured to execute the method of any one of the first aspect to the seventh aspect, or of any embodiment of the first aspect to the seventh aspect.
  • an embodiment of the present application provides a chip system, including a processor and a memory; the memory is used to store a computer program; the processor is used to call and run the computer program from the memory, so that the device in which the chip system is installed executes the method of any one of the first aspect to the seventh aspect, or of any embodiment of the first aspect to the seventh aspect.
  • an embodiment of the present application provides a computer-readable storage medium, including a computer program, which, when run on a computer, causes the computer to execute the method of any one of the first aspect to the seventh aspect, or of any embodiment of the first aspect to the seventh aspect.
  • embodiments of the present application provide a computer program product.
  • the computer program product includes a computer program.
  • when the computer program runs on a computer, the computer executes the method of any one of the first aspect to the seventh aspect, or of any embodiment of the first aspect to the seventh aspect.
  • an embodiment of the present application provides a communication device configured to execute any aspect of the foregoing first aspect to the fourth aspect, or the method of any embodiment of the first aspect to the fourth aspect.
  • an embodiment of the present application provides a communication device configured to execute any aspect of the fifth aspect to the seventh aspect, or the method of any embodiment of the fifth aspect to the seventh aspect.
  • Figure 1 is a schematic diagram of 5G network architecture
  • Fig. 2 is a schematic diagram of a process in which an attacker in the prior art tracks a terminal device through a man-in-the-middle;
  • FIG. 3A is a schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 3B is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 4 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 5 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 6 is a schematic diagram of a communication device provided by an embodiment of this application.
  • FIG. 7 is a schematic diagram of another communication device provided by an embodiment of this application.
  • FIG. 8 is a schematic diagram of a terminal device provided by an embodiment of this application.
  • FIG. 9 is a schematic diagram of a mobility management network element provided by an embodiment of this application.
  • the 5G network architecture shown in FIG. 1 may include three parts, namely a terminal equipment part, a data network (DN), and an operator network part.
  • DN data network
  • the functions of some of the network elements are briefly introduced below.
  • the operator network includes, but is not limited to, one or more of the following network elements: policy control function (PCF) network element, application function (AF) network element, access and mobility management function (AMF) network element, session management function (SMF) network element, access network, user plane function (UPF) network element, unified data repository (UDR) (not shown in the figure), unified data management (UDM) network element (not shown in the figure), etc.
  • PCF policy control function
  • AF application function
  • AMF access and mobility management function
  • SMF session management function
  • UPF user plane function
  • UDR unified data repository
  • UDM Unified Data Management
  • a terminal device is a device with a wireless transceiver function. It can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; it can also be deployed on the water (such as on ships); it can also be deployed in the air (for example, on airplanes, balloons, satellites, etc.).
  • the terminal device may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, user equipment (UE), etc.
  • VR virtual reality
  • AR augmented reality
  • the above-mentioned terminal device may establish a connection with the operator's network through an interface (such as N1, etc.) provided by the operator's network, and use services such as data and/or voice provided by the operator's network.
  • the terminal device can also access the data network through the operator's network, and use the operator's services deployed on the data network and/or the services provided by a third party.
  • the above-mentioned third party may be a service party other than the operator's network and terminal equipment, and may provide other services such as data and/or voice for the terminal equipment.
  • the specific form of expression of the above-mentioned third party can be determined according to actual application scenarios, and is not limited here.
  • the access network is a sub-network of the operator's network, and is an implementation system between service nodes and terminal equipment in the operator's network.
  • to access the operator's network, the terminal device first passes through the access network, and then connects to the service node of the operator's network through the access network.
  • the access network includes the 3rd generation partnership project (3rd generation partnership project, 3GPP) access network and the non-3GPP (Non-3GPP) access network.
  • the access device in the 3GPP access network may be referred to as a radio access network (RAN) device.
  • RAN radio access network
  • RAN equipment is a type of equipment that provides wireless communication functions for terminal equipment.
  • RAN equipment includes but is not limited to: next-generation base station (gNodeB, gNB) in 5G, evolved node B (eNB), radio network controller (RNC), node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved node B or home node B, HNB), baseband unit (BBU), transmitting and receiving point (TRP), transmitting point (TP), mobile switching center, etc.
  • RNC radio network controller
  • BSC base station controller
  • BTS base transceiver station
  • HNB home evolved node B or home node B
  • BBU baseband unit
  • TRP transmitting and receiving point
  • TP transmitting point
  • the access device in the non-3GPP access network may be referred to as a non-3GPP interworking function (Non-3GPP InterWorking Function, N3IWF) device.
  • N3IWF devices may include routers, WiFi devices, Bluetooth devices, etc., for example.
  • the AMF network element is responsible for access and mobility management; it is the termination point of the N2 interface, terminates non-access stratum (NAS) messages, completes registration management, connection management, reachability management, allocation of the tracking area list (TA list), mobility management, etc., and transparently routes session management messages to the SMF.
  • NAS non-access stratum
  • the SMF network element is responsible for session management, the allocation and management of the UE's Internet Protocol (IP) address, the allocation and selection of user plane anchor functions, and the (re)selection of UPF and user plane paths.
  • IP Internet Protocol
  • the UPF network element is responsible for data packet routing and forwarding, lawful interception, downlink data packet buffering, and triggering downlink data notification messages.
  • the AF network element mainly conveys the requirements of the application side to the network side, for example, quality of service (QoS) requirements or user status event subscriptions.
  • the AF can be a third-party functional entity, or an application service deployed by an operator, such as an IP Multimedia Subsystem (IMS) voice call service.
  • the PCF network element is mainly responsible for policy control functions such as billing, QoS bandwidth guarantee and mobility management, and UE policy decision-making for the session and service flow levels.
  • the PCF connected to the AMF and the SMF corresponds to AM PCF (PCF for Access and Mobility Control) and SM PCF (PCF for Session Management), and may not be the same PCF entity in actual deployment scenarios.
  • The UDR is mainly responsible for storing and providing access to subscription data, policy data, application data and other types of data.
  • The UDM network element is mainly responsible for functions such as subscription data management and user access authorization.
  • a DN is a network located outside the operator's network.
  • the operator's network can access multiple DNs.
  • a variety of services can be deployed on the DN to provide terminal equipment with services such as data and/or voice.
  • For example, the DN may be the private network of a smart factory.
  • the sensors installed in the workshop of the smart factory can be terminal devices.
  • a control server for the sensors is deployed in the DN, and the control server can provide services for the sensors.
  • the sensor can communicate with the control server, obtain instructions from the control server, and transmit the collected sensor data to the control server according to the instructions.
  • As another example, the DN may be the internal office network of a company.
  • the mobile phones or computers of the employees of the company can be terminal devices, and the mobile phones or computers of the employees can access the information and data resources on the internal office network of the company.
  • the aforementioned network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • the foregoing network element or function may be implemented by one device, or jointly implemented by multiple devices, or may be a functional module in one device, which is not specifically limited in the embodiment of the present application.
  • the mobility management network element, the session management network element, the policy control network element, the data management network element, and the user plane network element in the embodiment of this application may be the AMF, SMF, PCF, UDM and UPF in Figure 1, respectively, or network elements that have the functions of the above-mentioned AMF, SMF, PCF, UDM and UPF in future communication systems, such as the 6th generation (6G) network, which is not limited in the embodiment of the present application.
  • the embodiments of this application are described by taking the above-mentioned AMF, SMF, PCF, UDM, and UPF as examples for the mobility management network element, session management network element, policy control network element, data management network element, and user plane network element respectively.
  • the embodiment of the present application takes the terminal device as the UE as an example for description.
  • 5G Globally Unique Temporary UE Identity (5G-GUTI)
  • the 5G-GUTI is allocated to the UE by the AMF for the purpose of protecting the UE's Subscription Permanent Identifier (SUPI). Specifically, after the 5G-GUTI is allocated to the UE, the 5G-GUTI is used in communication between the UE and the network instead of the SUPI, so that the SUPI is not exposed and the purpose of protecting the SUPI is achieved.
  • 5G-GUTI consists of two parts: Globally Unique AMF Identifier (GUAMI) and 5G-TMSI.
  • 5G-TMSI is used to identify the UE in the AMF, that is, 5G-TMSI is the identity of the UE.
  • <GUAMI> = <MCC><MNC><AMF Region ID><AMF Set ID><AMF Pointer>.
  • MCC is the mobile country code (Mobile Country Code)
  • MNC is the mobile network code (Mobile Network Code)
  • AMF Region ID represents the region identifier of the AMF
  • AMF Set ID represents the identifier of the AMF set to which the AMF belongs; an AMF set contains one or more AMF instances
  • AMF Pointer represents a specific AMF instance in the AMF Set.
  • After the UE enters the network, the AMF allocates a 5G-TMSI to the UE according to its SUPI, and the 5G-TMSI remains unchanged for a certain period of time.
  • the 5G-GUTI is carried in the service request message to identify the identity of the UE.
  • 5G Serving Temporary Mobile Subscriber Identity (5G-S-TMSI)
  • both the 5G-GUTI and the 5G-S-TMSI include the 5G-TMSI; the 5G-S-TMSI is the shortened form <AMF Set ID><AMF Pointer><5G-TMSI> that is used, for example, in paging.
  • SUCI is the identity of SUPI encryption, that is, SUCI is obtained by encrypting SUPI.
  • SUCI = <SUPI type><home network ID><Routing indicator><Protection Scheme ID><Home Network Public key id><Scheme Output>.
  • <SUPI type> represents the type of the SUPI; for example, 0 represents the International Mobile Subscriber Identity (IMSI), and 1 represents a network-specific identifier.
  • <home network ID> represents the home network identifier, which has the same function as <MCC><MNC>.
  • <Routing indicator> represents the routing information used to select the AUSF and UDM instances that serve the subscription (Subscriber Identity Module, SIM card) of the UE.
  • <Protection Scheme ID> identifies the protection scheme (encryption algorithm) used.
  • <Home Network Public key id> represents the identifier of the home network public key used.
  • <Scheme Output> represents the ciphertext obtained by encrypting the SUPI under that scheme.
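  • As an added example (not part of the patent text), the following Python encodes and decodes the 5G-GUTI, 5G-S-TMSI and SUCI structures just described. Field widths follow 3GPP TS 23.003 (AMF Region ID 8 bits, AMF Set ID 10 bits, AMF Pointer 6 bits, 5G-TMSI 32 bits) and the SUCI text form is the NAI-style "suci-…" string from the same specification; the sample values in the comments and tests are constructed, and the scheme output is treated as opaque bytes already produced by the home network's protection scheme.

```python
"""Added example (not part of the patent text): encoding and decoding the
5G-GUTI, 5G-S-TMSI and SUCI identifiers.  Field widths follow 3GPP TS 23.003;
the SUCI text form is "suci-<SUPI type>-<MCC>-<MNC>-<Routing indicator>-
<Protection Scheme ID>-<Home Network Public key id>-<Scheme Output>".
All sample values used with this code are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Guami:
    mcc: str        # 3 digits
    mnc: str        # 2 or 3 digits
    region_id: int  # AMF Region ID, 8 bits
    set_id: int     # AMF Set ID, 10 bits
    pointer: int    # AMF Pointer, 6 bits

    def __post_init__(self):
        if not (self.mcc.isdigit() and len(self.mcc) == 3):
            raise ValueError("MCC must be 3 digits")
        if not (self.mnc.isdigit() and len(self.mnc) in (2, 3)):
            raise ValueError("MNC must be 2 or 3 digits")
        for name, value, bits in (("region_id", self.region_id, 8),
                                  ("set_id", self.set_id, 10),
                                  ("pointer", self.pointer, 6)):
            if not 0 <= value < (1 << bits):
                raise ValueError(f"{name} does not fit in {bits} bits")

    def amf_id(self) -> int:
        """24-bit AMF Identifier: Region ID | Set ID | Pointer."""
        return (self.region_id << 16) | (self.set_id << 6) | self.pointer


@dataclass(frozen=True)
class FiveGGuti:
    guami: Guami
    tmsi: int  # 5G-TMSI, 32 bits, allocated by the AMF

    def __post_init__(self):
        if not 0 <= self.tmsi < (1 << 32):
            raise ValueError("5G-TMSI must fit in 32 bits")

    def s_tmsi(self) -> int:
        """48-bit 5G-S-TMSI: the part of the GUTI carried in paging."""
        return (self.guami.set_id << 38) | (self.guami.pointer << 32) | self.tmsi

    def encode(self) -> str:
        """<MCC><MNC><AMF ID as 6 hex digits><5G-TMSI as 8 hex digits>."""
        return (f"{self.guami.mcc}{self.guami.mnc}"
                f"{self.guami.amf_id():06x}{self.tmsi:08x}")


def decode_guti(text: str, mnc_len: int) -> FiveGGuti:
    """Inverse of FiveGGuti.encode(). The MNC length is not self-describing,
    so the caller supplies it (the network knows it from PLMN configuration)."""
    rest = text[3 + mnc_len:]
    if len(rest) != 14 or not text[:3 + mnc_len].isdigit():
        raise ValueError("malformed 5G-GUTI")
    amf_id = int(rest[:6], 16)
    guami = Guami(text[:3], text[3:3 + mnc_len],
                  amf_id >> 16, (amf_id >> 6) & 0x3FF, amf_id & 0x3F)
    return FiveGGuti(guami, int(rest[6:], 16))


@dataclass(frozen=True)
class Suci:
    supi_type: int          # 0 = IMSI, 1 = network specific identifier
    mcc: str
    mnc: str
    routing_indicator: str  # selects the AUSF/UDM instances of the home network
    scheme_id: int          # 0 = null scheme, 1 = ECIES Profile A, 2 = Profile B
    hn_key_id: int          # identifies the home network public key used
    scheme_output: str      # ciphertext of the MSIN (or the MSIN itself under null)

    def encode(self) -> str:
        return "-".join(["suci", str(self.supi_type), self.mcc, self.mnc,
                         self.routing_indicator, str(self.scheme_id),
                         str(self.hn_key_id), self.scheme_output])


def decode_suci(text: str) -> Suci:
    parts = text.split("-", 7)  # the scheme output is kept whole
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError("not a SUCI")
    return Suci(int(parts[1]), parts[2], parts[3], parts[4],
                int(parts[5]), int(parts[6]), parts[7])


def msin_is_exposed(suci: Suci) -> bool:
    """Under the null scheme (ID 0) the scheme output is the cleartext MSIN,
    so the 'concealed' identifier is as linkable as the SUPI itself."""
    return suci.scheme_id == 0
```

  • The round trip through `decode_guti` needs the MNC length as a side input because the textual GUTI does not encode it; a parser that guesses it will mis-split the AMF ID for 3-digit MNCs. `msin_is_exposed` is the check a practitioner wants when auditing captures: a SUCI with protection scheme 0 offers none of the unlinkability the patent relies on.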
  • the status of the UE can be divided into a registered state and an unregistered state.
  • In the unregistered state, the UE is not connected to the network.
  • the effective location and routing information of the UE are not stored in the AMF, so the AMF cannot find the UE.
  • In the registered state, the UE is registered in the network and can receive services that require registration.
  • the UE attempts to register to the selected public land mobile network (Public Land Mobile Network, PLMN) through the initial registration process.
  • PLMN Public Land Mobile Network
  • the UE uses SUCI as its identity.
  • the UE sends a registration message carrying the SUCI to the AMF, and the AMF selects the UDM that serves the UE according to the routing indicator in the SUCI.
  • UDM calculates the authentication vector according to the stored UE root key, and decrypts the encrypted identity in SUCI to obtain the decrypted UE identity SUPI.
  • the UE and the network side perform mutual authentication.
  • the AMF obtains the SUPI from the UDM.
  • the SUCI used by the UE is different each time.
  • In the registered state, the UE can further be in an idle state or a connected state. In the idle state no NAS signaling connection is established between the UE and the AMF; in the connected state a NAS signaling connection with the AMF is established. Within the connected state the UE may also be in an inactive state, in which the UE keeps the access stratum (AS) security context; in the idle state the UE does not keep the AS security context. From the idle state, the UE enters the connected state through the service request procedure.
  • the UE has the risk of being tracked, that is, the UE may expose its own identity information, so that an attacker can track the UE based on the identity information of the UE and the location of the UE. For example, when the 5G-TMSI used by the UE is intercepted by an attacker, the attacker can identify the identity of the UE according to the 5G-TMSI, thereby combining the location of the UE to achieve the purpose of tracking the UE.
  • To limit this exposure, the AMF can send a new 5G-TMSI to the UE, for example in the configuration update procedure described below.
  • FIG. 2 is a schematic diagram of the flow by which an attacker tracks a UE through a man-in-the-middle in the prior art.
  • the man-in-the-middle here refers to devices that perform man-in-the-middle attacks, such as pseudo base stations.
  • the UE accesses the RAN equipment through the intermediary (that is, the intermediary attaches itself between the UE and the RAN), and then connects to the AMF of the core network. Initially, the UE accesses the core network through the initial registration procedure, in which the AMF allocates a 5G-GUTI to the UE (referred to in this embodiment as the first 5G-GUTI).
  • the first 5G-GUTI contains a 5G-TMSI (referred to in this embodiment as the first 5G-TMSI).
  • When the UE is in the idle state and the AMF wishes to establish a signaling connection with the UE or activate a user plane connection to transmit user plane data, the AMF sends a paging message to the RAN device, and the paging message contains the first 5G-TMSI.
  • Step 201 The RAN device sends a paging message to a UE in an idle state, carrying the first 5G-TMSI.
  • the paging message is a broadcast message, and all UEs and intermediaries can obtain the first 5G-TMSI.
  • Step 202 After the UE receives the paging message, a service request process is performed between the UE and the AMF.
  • the service request process includes an uplink service request (service request) message and a downlink service response (service response) message.
  • the service request message carries the first 5G-TMSI.
  • the service response message includes a service accept message or a service reject message.
  • Step 203 The AMF sends a configuration update request message to the UE, which carries the second 5G-TMSI.
  • the AMF needs to send a new 5G-TMSI (referred to as the second 5G-TMSI in this application embodiment) to the UE.
  • the configuration update request message may carry a new 5G-GUTI (this embodiment of the application may be referred to as the second 5G-GUTI), and the 5G-GUTI may carry the second 5G-TMSI.
  • the AMF sends the second 5G-TMSI to the UE in the configuration update process.
  • the configuration update process includes a downlink configuration update request message sent by the AMF to the UE and an uplink configuration update complete message returned by the UE to the AMF.
  • the configuration update process can be in the service request process or after the service request process ends.
  • the second 5G-TMSI sent by the AMF to the UE is carried in the configuration update request message, and the second 5G-TMSI should be sent before the current NAS connection is released.
  • the NAS connection is the NAS connection established in the service request process.
  • the configuration update request message is a downlink NAS message.
  • the configuration update request message is forwarded through the RAN device and the middleman.
  • the information elements (IEs) contained in a NAS message include mandatory IEs and optional IEs. Optional IEs are not carried in most scenarios, so the attacker can use characteristics of the message (for example, its length) to determine whether a downlink NAS message is a configuration update request message carrying the second 5G-TMSI, even though it cannot read the second 5G-TMSI inside it. That is, the attacker can identify and intercept the configuration update request message sent by the AMF to the UE.
  • Step 204 The middleman discards the configuration update request message.
  • the middleman cannot obtain the second 5G-TMSI in the configuration update request message. Therefore, once the UE receives the configuration update request message and updates the 5G-TMSI, that is, the 5G-TMSI used by the UE is updated to the second 5G-TMSI, the attacker will not be able to track the UE.
  • In order to prevent the UE from updating the 5G-TMSI, after intercepting the configuration update request message in step 203, the intermediary actively discards it. That is, the intermediary does not forward the configuration update request message to the UE, so the UE cannot receive it, cannot obtain the second 5G-TMSI, and therefore cannot update the 5G-TMSI; in other words, the 5G-TMSI used by the UE is still the first 5G-TMSI.
  • Since the UE did not receive the configuration update request message, the UE naturally does not send a configuration update complete message to the AMF.
  • After the AMF sends the configuration update request message, it starts the timer T3555 and waits for the configuration update complete message. If the timer expires, the AMF retransmits the configuration update request message to the UE. After four retransmissions, when the timer expires for the fifth time, the AMF abandons the configuration update procedure. That is, after the AMF has sent the configuration update request message five times in total without receiving a configuration update complete message, it no longer sends the configuration update request message and so no longer sends the second 5G-TMSI.
  • In this way, the intermediary can intercept and discard the configuration update request message carrying the second 5G-TMSI so that the UE cannot update its 5G-TMSI. Since the UE has not updated the 5G-TMSI, the UE is at risk of being tracked.
  • the following describes the implementation method of the middleman tracking UE, which mainly includes the following steps 205 to 206.
  • Step 205 If the middleman wants to actively track the location of the UE, it broadcasts a paging message to all UEs, and the paging message carries the first 5G-TMSI.
  • This step is optional. When the middleman wants to actively track the UE, this step 205 is executed. Otherwise, you do not need to perform this step.
  • the first 5G-TMSI obtained by the intermediary is obtained in step 201 above.
  • Step 206 The UE initiates a service request process, and carries the first 5G-TMSI in the service request message.
  • The intermediary can identify the first 5G-TMSI carried in the service request message and thereby identify the UE; combined with the current location of the UE, the intermediary achieves the purpose of tracking the UE.
  • The intermediary can also track the UE multiple times or in real time. Specifically, after the UE sends the service request message, it starts the timer T3517 and waits for a downlink NAS message (that is, the service response message). When the timer expires, the UE resends the service request message and increments the counter that counts service request retransmissions by 1. If the counter exceeds 5, the UE stops sending service request messages for a period of time. Therefore, the intermediary can track the location of the UE in real time during the period in which the UE retransmits the service request message.
  • If the intermediary intercepts the service request message carrying the first 5G-TMSI sent by the UE and discards it, the UE retransmits the service request message, which achieves the purpose of continuous tracking.
  • As long as the intermediary keeps actively paging the UE (that is, the above step 205 is performed repeatedly), the number of times the UE can be made to send the service request message is not limited, so the time during which the UE can be tracked continues to increase.
  • In summary, the intermediary can intercept and discard the configuration update request message carrying the second 5G-TMSI so that the UE cannot update its 5G-TMSI; since the 5G-TMSI is not updated, the UE is at risk of being tracked. Moreover, the intermediary can track the UE continuously, so that the UE is at risk of being exposed.
  • The UE may also be tracked in the registration procedure. For example, after the UE completes the initial registration, it obtains the above-mentioned first 5G-TMSI, and then the above-mentioned steps 201 to 204 occur, so the 5G-TMSI of the UE is not updated successfully, that is, the UE still stores the first 5G-TMSI. When the UE then initiates a periodic registration request message or a mobility registration request message, the message carries the first 5G-TMSI.
  • The intermediary can identify the first 5G-TMSI carried in that message and thereby identify the UE; combined with the current location of the UE, the intermediary achieves the purpose of tracking the UE.
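  • The FIG. 2 flow (steps 201 to 206), as an added discrete simulation that is not part of the patent text. The retry behaviour follows the description above: the AMF resends the configuration update command on each T3555 expiry and abandons the procedure on the fifth expiry, and a UE answers only paging that carries its own 5G-TMSI. The message lengths, the attacker's length-based classifier, the message names and the sample identities are assumptions made for illustration, not 3GPP values.

```python
"""Added example (not part of the patent): discrete simulation of the
FIG. 2 man-in-the-middle flow, steps 201 to 206.  Message lengths, the
length-based classifier and the identities are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional

T3555_MAX_RETX = 4      # four retransmissions, then the AMF abandons the procedure
CUC_MANDATORY_LEN = 24  # assumed size of a config update command with mandatory IEs only


@dataclass
class Nas:
    kind: str                       # readable only by UE and AMF (payload is ciphered)
    length: int                     # observable by anyone relaying the message
    tmsi: Optional[int] = None      # cleartext 5G-TMSI in paging / service request
    new_tmsi: Optional[int] = None  # second 5G-TMSI inside the ciphered command


class Ue:
    def __init__(self, tmsi: int):
        self.tmsi = tmsi

    def on_paging(self, p: Nas) -> Optional[Nas]:
        if p.kind != "PAGING" or p.tmsi != self.tmsi:
            return None  # paging for somebody else
        return Nas("SERVICE_REQUEST", 16, tmsi=self.tmsi)

    def on_downlink(self, m: Nas) -> Optional[Nas]:
        if m.kind != "CONFIG_UPDATE_CMD":
            return None
        self.tmsi = m.new_tmsi  # the only way the UE learns the second 5G-TMSI
        return Nas("CONFIG_UPDATE_COMPLETE", 8)


class Amf:
    def __init__(self, tmsi: int, next_tmsi: int):
        self.tmsi, self.next_tmsi = tmsi, next_tmsi
        self.cuc_sent = self.expiries = 0
        self.updated = self.gave_up = False

    def page(self) -> Nas:
        return Nas("PAGING", 12, tmsi=self.tmsi)

    def _cuc(self) -> Nas:
        self.cuc_sent += 1
        return Nas("CONFIG_UPDATE_CMD", CUC_MANDATORY_LEN, new_tmsi=self.next_tmsi)

    def on_uplink(self, m: Nas) -> List[Nas]:
        if m.kind == "SERVICE_REQUEST" and m.tmsi == self.tmsi:
            return [Nas("SERVICE_ACCEPT", 12), self._cuc()]  # step 203
        if m.kind == "CONFIG_UPDATE_COMPLETE":
            self.updated, self.tmsi = True, self.next_tmsi
        return []

    def on_t3555_expiry(self) -> Optional[Nas]:
        if self.updated:
            return None  # timer stopped by the complete message
        self.expiries += 1
        if self.expiries > T3555_MAX_RETX:
            self.gave_up = True
            return None
        return self._cuc()


class MitM:
    def __init__(self, active: bool):
        self.active, self.seen, self.dropped = active, [], 0

    def observe(self, m: Nas) -> Nas:
        if m.tmsi is not None:
            self.seen.append(m.tmsi)  # the 5G-TMSI travels in the clear
        return m

    def downlink(self, m: Nas) -> Optional[Nas]:
        # Cannot read the ciphered kind; a mandatory-IE-only command has a telltale length.
        if self.active and m.length == CUC_MANDATORY_LEN:
            self.dropped += 1
            return None  # step 204
        return m


def deliver(amf: Amf, ue: Ue, mitm: MitM, downlinks: List[Nas]) -> None:
    """Relay downlink NAS through the MITM and route any UE reply back."""
    for dl in downlinks:
        fwd = mitm.downlink(dl)
        if fwd is not None and (ul := ue.on_downlink(fwd)) is not None:
            amf.on_uplink(mitm.observe(ul))


def run(mitm_active: bool, first: int = 0x12345678, second: int = 0x9ABCDEF0) -> dict:
    ue, amf, mitm = Ue(first), Amf(first, second), MitM(mitm_active)
    paging = mitm.observe(amf.page())  # step 201: broadcast, so the attacker records it too
    deliver(amf, ue, mitm, amf.on_uplink(mitm.observe(ue.on_paging(paging))))  # 202/203
    while (cuc := amf.on_t3555_expiry()) is not None:  # T3555 retransmissions
        deliver(amf, ue, mitm, [cuc])
    reply = ue.on_paging(Nas("PAGING", 12, tmsi=first))  # step 205: attacker pages
    if reply is not None:
        mitm.observe(reply)  # step 206: first 5G-TMSI seen again at a known location
    return {"ue_tmsi": ue.tmsi, "cuc_transmissions": amf.cuc_sent,
            "amf_gave_up": amf.gave_up, "dropped": mitm.dropped,
            "reidentified": reply is not None, "seen": mitm.seen}
```

  • `run(True)` reproduces the attack: five copies of the command are dropped, the AMF gives up, the UE still holds the first 5G-TMSI and answers the attacker's forged paging. `run(False)` is the benign baseline: one command, a fresh 5G-TMSI, and the forged paging with the old identity goes unanswered. The classifier is deliberately blind to the ciphered payload, which is the point of L301-302: message size alone singles out the command.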
  • the embodiments of the present application provide a variety of different methods, so that the UE can complete the update of the UE's identity. Since the intermediary cannot obtain the updated temporary identity, the UE is prevented from being tracked.
  • The temporary identity of the UE that needs to be updated may be the 5G-TMSI described above, or may be another identity; the following description takes the 5G-TMSI as an example.
  • an embodiment of the present application provides a communication method.
  • the 5G-GUTI (including the GUAMI and the 5G-TMSI) sent by the UE in the prior art is replaced with the GUAMI and an encrypted permanent identity, where the GUAMI is used as the routing identity of the AMF and the encrypted permanent identity is used as the identity of the UE. In this way, the attacker cannot obtain the identity of the UE, so the UE cannot be tracked, and the purpose of protecting user privacy and security is achieved.
  • This embodiment is applicable to the service request process initiated by the UE from the registration state (such as the idle state or the inactive state), or the UE performs periodic registration or the mobility registration process in the registration state.
  • this method can be executed by the UE or a component used for the UE (such as a chip, circuit, etc.); on the network side, it can be executed by an AMF or a component used for AMF (such as a chip, circuit, etc.).
  • the following uses the UE and AMF to execute the method as an example for description.
  • the method includes the following steps:
  • Step 301a The UE in the registered state determines whether the temporary identity allocated to itself by the network side has expired.
  • Step 302a In the case where it is determined that the temporary identity identifier has expired, the UE sends a first message to the AMF through the access device, and accordingly, the AMF can receive the first message.
  • the first message includes the AMF routing identifier and the encrypted permanent identity identifier, and the AMF routing identifier is used by the access device to determine the AMF serving the UE.
  • the routing identifier of the AMF may be GUAMI, which is used to identify the AMF.
  • the encrypted permanent identity is SUCI, which is the identity after SUPI is encrypted.
  • Alternatively, the encrypted permanent identity can be the remainder of the SUCI after removing <home network ID>. That is, in this implementation, the encrypted permanent identity may be <SUPI type><Routing indicator><Protection Scheme ID><Home Network Public key id><Scheme Output>.
  • the encrypted permanent identity can also be obtained by encrypting the temporary identity of the UE (such as 5G-TMSI), that is, the encrypted permanent identity is the encrypted 5G-TMSI.
  • Since the first message carries the encrypted permanent identity, even if the attacker intercepts the first message, it cannot decrypt the encrypted permanent identity, so it cannot identify or track the UE and cannot track the location of the UE, reducing the security risk.
  • Step 303a The AMF sends a request message to the decryption network element (the UDM is taken as an example of the decryption network element), and the request message contains the encrypted permanent identity.
  • After the AMF receives the first message, it obtains the AMF routing identifier and the encrypted permanent identity. The AMF determines whether the first message carries a 5G-TMSI based on the type of the first message and/or the format of the content in the first message. If the message carries a 5G-TMSI, the AMF looks up the SUPI corresponding to that 5G-TMSI locally.
  • Otherwise, the AMF determines the decryption network element (which may be the UDM or another network element) and sends it a request message containing the encrypted permanent identity, so that the decryption network element decrypts the encrypted permanent identity.
  • Specifically, the AMF uses the routing indicator in the encrypted permanent identity to find a decryption network element that can decrypt it.
  • the request message may be a Nudm_UEAuthentication_Get request message or other messages.
  • Step 304a The UDM sends a response message to the AMF, which carries the decrypted identity.
  • the decrypted identity can be SUPI or 5G-TMSI.
  • the response message may be a Nudm_UEAuthentication_Get response message.
  • the UE uses an encrypted permanent identity to replace the original 5G-TMSI, which can prevent the UE from being tracked.
  • The 5G-TMSI used by the UE remains unchanged, but it is not sent directly; an encrypted permanent identity is sent instead, so that the attacker cannot obtain the UE's identity information and cannot track the UE's location.
  • the above-mentioned first message may be a service request message or a registration message (such as a mobility registration message or a periodic registration message), which will be described separately below.
  • Case 1 The first message is a service request message
  • the embodiment corresponding to FIG. 3A may be executed in the service request process, and the above-mentioned first message may be a service request message.
  • the method for the UE to determine whether the temporary identity assigned to itself by the network side has expired may be any of the following:
  • Method 1 The UE determines that the first timer expires, and then determines that the temporary identity assigned to itself by the network side has expired.
  • Before step 301a, the UE starts the first timer after sending the service request message in the service request procedure, or after receiving the service response message. The first timer controls the maximum duration for which the UE waits for the updated 5G-TMSI.
  • the stop condition of the first timer is: the first timer expires, or the UE receives the updated 5G-TMSI sent by the AMF (this embodiment refers to the 5G-TMSI before the update as the first 5G-TMSI and the updated 5G-TMSI as the second 5G-TMSI).
  • When the first timer expires, the UE determines that tracking may occur, and is therefore triggered to encrypt the temporary identity.
  • Method 2 The UE determines that the number of times that it has not received a reply after sending the service request message reaches the first threshold, and then determines that the temporary identity assigned to itself by the network side has expired. For example, the UE may set a counter, the counter is initially set to 0, and before step 301a, the counter is increased by 1 after the service request message is sent for the first time, and the second timer is started. If the second timer expires, the UE restarts the second timer, resends the service request message, and increments the counter by 1.
  • When the number of retransmissions of the service request message reaches the first threshold, the count value of the counter also reaches the first threshold, so the UE determines that the temporary identity assigned to it by the network side has expired. The UE resends the service request message whenever it does not receive a reply (such as a service response message) after sending it.
  • the stopping condition of the second timer is: the UE receives the service response message sent by the AMF or the second timer expires, and the stopping condition of the counter is: reaching the preset first threshold or receiving the service response message. That is, the counter is used to count the number of retransmissions of the service request message, and to control the maximum number of retransmissions not to exceed the preset first threshold.
  • the second timer is used to control the length of time to wait for a service response message after each service request message is sent.
  • In this case, the UE judges that a tracking situation similar to the one described in the embodiment of FIG. 2 may occur, and is therefore triggered to encrypt the temporary identity.
  • Method 3 The UE did not update the temporary identity of the UE during the last NAS connection process.
  • the last NAS connection process may be the NAS connection established in the last service request process.
  • Since the 5G-TMSI was not updated during the last NAS connection, the 5G-TMSI currently used by the UE has a security risk, namely the risk of being tracked; therefore, the UE is triggered to encrypt the identity.
  • Method 4 In the case where the UE requests the AMF to update the temporary identity, the updated temporary identity is not received.
  • the UE requested to update the temporary identity, but did not receive the updated temporary identity, which caused the temporary identity update to fail.
  • Taking the temporary identity as the 5G-TMSI as an example, because the 5G-TMSI was not successfully updated, the 5G-TMSI currently used by the UE has a security risk, namely the risk of being tracked, so the UE is triggered to encrypt the identity.
  • When the first message is a service request message, the method further includes, before step 301a: the RAN device (also referred to as an access device) sends a paging message to the UE, which carries the first 5G-TMSI (that is, the 5G-TMSI before the update).
  • the paging message is a broadcast message, and all UEs and intermediaries can obtain the first 5G-TMSI.
  • the service request message sent by the UE carries ⁇ GUAMI> ⁇ 5G-TMSI>.
  • Since the 5G-TMSI is not security-protected (for example, not encrypted), the UE may be tracked by an attacker.
  • Based on the solution of this embodiment, the service request message instead carries the GUAMI and an encrypted permanent identity, that is, the unprotected 5G-TMSI is replaced with an encrypted permanent identity, so that the attacker cannot recover the identity from the encrypted permanent identity and the UE cannot be tracked.
  • Case 2 The first message is a registration message (such as a mobility registration message or a periodic registration message)
  • the embodiment corresponding to FIG. 3A may be executed in the registration process, and the above-mentioned first message may be a registration message.
  • the method for the UE to determine whether the temporary identity allocated to it by the network side has expired may, for example, be the same as method 3 or method 4 in Case 1 above.
  • the mobility registration message or periodic registration message sent by the UE carries ⁇ GUAMI> ⁇ 5G-TMSI>. Since 5G-TMSI is not protected by security, such as encryption protection, As a result, the UE may be tracked by an attacker. Based on the solution of the above-mentioned embodiment of this application, the mobility registration message or periodic registration message carries GUAMI and an encrypted permanent identity, that is, the unprotected 5G-TMSI is replaced with an encrypted permanent identity. As a result, the attacker cannot obtain the encrypted permanent identity, so that the UE cannot be tracked.
  • the initial registration message of the UE carries the SUCI, which is an encrypted permanent identity. Therefore, for the initial registration message of the UE, it is not necessary to perform the operations of the foregoing embodiment of the present application.
  • the content carried in the first message in the embodiment of this application differs from the content carried in the initial registration message in the prior art: the initial registration message in the prior art carries the SUCI, whereas the first message of this embodiment, when it is a mobility registration message or a periodic registration message, carries the GUAMI and an encrypted permanent identity.
  • the encrypted permanent identity can be the SUCI, an encrypted 5G-TMSI, or the remaining part of the SUCI after <home network ID> is removed.
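  • The FIG. 3A procedure for both Case 1 and Case 2, as an added example that is not part of the patent text: the UE-side tests of Methods 1 to 4 for "temporary identity expired", the first message that carries <GUAMI><encrypted permanent identity> instead of <GUAMI><5G-TMSI>, and the AMF-side branch of step 303a that resolves a plain 5G-TMSI locally but forwards an encrypted identity to the UDM selected by the routing indicator. The GUAMI string, identities, threshold and event names are constructed; the scheme output is assumed to have been produced by the home network's protection scheme, and the UDM's decryption is modelled as a table lookup rather than real ECIES.

```python
"""Added example (not part of the patent text): UE-side expiry decision
(Methods 1 to 4), the <GUAMI><encrypted identity> first message, and the
AMF-side resolution branch.  Identities and the UDM lookup are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class UeIdentityState:
    tmsi: int
    sr_threshold: int = 5                 # first threshold of Method 2
    first_timer_expired: bool = False     # Method 1: timer for the new 5G-TMSI ran out
    sr_unanswered: int = 0                # Method 2: service requests without a response
    updated_last_connection: bool = True  # Method 3: 5G-TMSI changed in the last NAS connection
    update_requested: bool = False        # Method 4: UE asked the AMF for a new 5G-TMSI ...
    update_received: bool = False         # ... and did (not) receive one
    _updated_this_connection: bool = field(default=False, repr=False)

    def on_service_request_sent(self) -> None:
        self.sr_unanswered += 1

    def on_service_response(self) -> None:
        self.sr_unanswered = 0

    def on_new_tmsi(self, tmsi: int) -> None:
        self.tmsi = tmsi
        self.first_timer_expired = False
        self._updated_this_connection = self.update_received = True

    def on_nas_release(self) -> None:
        self.updated_last_connection = self._updated_this_connection
        self._updated_this_connection = False

    def expiry_reason(self) -> Optional[str]:
        """None while the 5G-TMSI is still considered safe to send in clear."""
        if self.first_timer_expired:
            return "method 1: first timer expired"
        if self.sr_unanswered >= self.sr_threshold:
            return "method 2: unanswered service requests reached threshold"
        if not self.updated_last_connection:
            return "method 3: no update during last NAS connection"
        if self.update_requested and not self.update_received:
            return "method 4: requested update never arrived"
        return None


def build_first_message(state: UeIdentityState, guami: str, suci: str, kind: str) -> dict:
    """Service request, or mobility / periodic registration message."""
    reason = state.expiry_reason()
    if reason is None:  # prior-art form: <GUAMI><5G-TMSI>
        return {"kind": kind, "guami": guami, "identity": f"{state.tmsi:08x}", "reason": None}
    return {"kind": kind, "guami": guami, "identity": suci, "reason": reason}


class UdmSim:
    """Stands in for the UDM: maps a scheme output back to the SUPI (step 304a)."""
    def __init__(self, table: Dict[str, str]):
        self.table = table

    def ueauthentication_get(self, suci: str) -> str:  # Nudm_UEAuthentication_Get
        return self.table[suci.rsplit("-", 1)[1]]


class AmfSim:
    def __init__(self, guami: str, tmsi_table: Dict[int, str], udms: Dict[str, UdmSim]):
        self.guami, self.tmsi_table, self.udms = guami, tmsi_table, udms

    def resolve(self, msg: dict) -> str:
        if msg["guami"] != self.guami:
            raise ValueError("not served by this AMF")
        ident = msg["identity"]
        if ident.startswith("suci-"):
            # encrypted permanent identity: pick the UDM by routing indicator and ask it
            routing_indicator = ident.split("-")[4]
            return self.udms[routing_indicator].ueauthentication_get(ident)
        return self.tmsi_table[int(ident, 16)]  # plain 5G-TMSI: resolve locally


# Constructed sample data (not real subscriber values).
GUAMI = "46000800040"
SUPI = "imsi-460001234567890"
SUCI = "suci-0-460-00-17-1-3-9f3c1a7d2b"  # scheme output assumed already concealed
AMF = AmfSim(GUAMI, {0x12345678: SUPI}, {"17": UdmSim({"9f3c1a7d2b": SUPI})})


def scenario() -> dict:
    """Five unanswered service requests flip the UE from 5G-TMSI to SUCI."""
    st = UeIdentityState(0x12345678)
    before = build_first_message(st, GUAMI, SUCI, "SERVICE_REQUEST")
    for _ in range(st.sr_threshold):
        st.on_service_request_sent()
    after = build_first_message(st, GUAMI, SUCI, "SERVICE_REQUEST")
    return {"before": before, "after": after,
            "supi_before": AMF.resolve(before), "supi_after": AMF.resolve(after)}
```

  • Both messages resolve to the same SUPI at the AMF, which is the point of L352-353: the network still knows who the UE is, while an on-path observer of the second message sees only a fresh concealed value. The format check in `AmfSim.resolve` is the "type and/or format" test of step 303a; a real AMF would key on the NAS message type and the mobile identity IE type rather than a string prefix.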
  • an embodiment of the present application provides yet another communication method.
  • the UE initiates the de-registration procedure, then re-initiates the registration procedure, and obtains a new 5G-TMSI during the registration procedure. Since the attacker cannot obtain this 5G-TMSI, the UE cannot be tracked and the user's privacy and security are protected.
  • this method can be executed by the UE or a component used for the UE (such as a chip, circuit, etc.); on the network side, it can be executed by an AMF or a component used for AMF (such as a chip, circuit, etc.).
  • the following uses the UE and AMF to execute the method as an example for description.
  • the method includes the following steps:
  • Step 301b The UE in the registered state determines whether the temporary identity allocated to it by the network side has expired.
  • Step 302b When it is determined that the temporary identity has expired, the UE initiates a de-registration procedure and then initiates an initial registration procedure using the encrypted permanent identity to obtain the temporary identity updated by the network side.
  • the method for the UE to determine whether the temporary identity assigned to itself by the network side has expired may be any one of the four methods described in the embodiment corresponding to FIG. 3A, and reference may be made to the foregoing description.
  • the UE when the UE determines that the temporary identity has expired, it initiates the de-registration process, and uses the encrypted permanent identity to initiate the initial registration process to obtain the temporary identity updated by the network side, so as to realize the temporary identity Update. Since the updated temporary identity obtained by the UE in the initial registration process is secured and cannot be obtained by an attacker, the UE is prevented from being tracked by the attacker and the purpose of protecting user privacy and security is achieved.
  • the encrypted permanent identity is SUCI.
  • In addition, one or more of the following operations can be performed: delete the temporary identity on the UE (for example, the 5G-TMSI, also called the first 5G-TMSI), delete the tracking area identity list on the UE, and delete the security context on the UE.
  • an embodiment of the present application provides yet another communication method.
  • this method can be executed by the UE or a component used for the UE (such as a chip, circuit, etc.); on the network side, it can be executed by an AMF or a component used for AMF (such as a chip, circuit, etc.).
  • the following uses the UE and AMF to execute the method as an example for description.
  • the service request process and the configuration update process are independent of each other.
  • the configuration update process can be performed during the service request process or after the service request process.
  • If the configuration update process is performed after the service request process, the following situation may occur: the UE may release the NAS connection after finishing the service request process, so that the UE does not receive the configuration update request message and therefore cannot receive the updated 5G-TMSI.
  • In this embodiment, judgment logic is set on the UE.
  • If the UE does not receive the updated 5G-TMSI, the UE continues to maintain the NAS connection, and the UE can also actively request the AMF to send the updated 5G-TMSI, thereby preventing the UE from using the same identity multiple times.
  • If the UE still does not obtain the updated 5G-TMSI, the UE can enter the de-registration state, then re-initiate the registration process, and obtain the new 5G-TMSI during the registration process. Since the 5G-TMSI in the registration process is security-protected and cannot be obtained by an attacker, the UE is prevented from being tracked by the attacker and the purpose of protecting user privacy and security is achieved.
  • the method includes the following steps:
  • Step 401 The UE in the connected state sends a service request message to the AMF, which carries the first 5G-TMSI.
  • the AMF can receive the service request message.
  • the first 5G-TMSI is the 5G-TMSI currently used by the UE.
  • Step 402 The AMF sends a service response message to the UE.
  • the UE can receive the service response message.
  • Before the AMF sends the service response message, the AMF may not yet have performed the configuration update process, that is, the UE has not yet obtained the updated 5G-TMSI (referred to as the second 5G-TMSI in this embodiment).
  • In that case, the AMF may carry first indication information in the service response message, and the first indication information is used to instruct the UE to maintain the NAS connection.
  • Alternatively, the first indication information may not be carried in the service response message.
  • When the first indication information is not carried, the UE itself determines whether the updated 5G-TMSI has been obtained and, if not, maintains the NAS connection. That is, after receiving the service response message and before preparing to release the NAS connection, the UE determines whether the updated 5G-TMSI has been obtained. If the updated 5G-TMSI has not been obtained, the UE maintains the NAS connection for a period of time.
  • Step 403 The UE starts the first timer, and maintains the NAS connection before the first timer expires.
  • the UE starts the first timer according to the first indication information, and maintains the NAS connection before the first timer expires.
  • Alternatively, the UE determines that it is ready to release the NAS connection of the service request process between the UE and the AMF. At this time, the UE determines whether the updated 5G-TMSI has been obtained. If it determines that the updated 5G-TMSI has not been obtained, the UE starts the first timer and maintains the NAS connection before the first timer expires.
  • the condition for stopping the first timer is: the timer expires or the UE receives the configuration update request message carrying the second 5G-TMSI sent by the AMF.
  • the duration of the first timer may be set by the UE manufacturer.
  • the duration of the first timer may also be determined according to the retransmission time interval of the configuration update request message sent by the AMF. For example, if the time interval for the AMF to send the configuration update request message twice is T, and the AMF sends the configuration update request message 5 times at most, the first timer can be set to 5*T.
  • Step 404 The UE sends a NAS message to the AMF.
  • the AMF can receive the NAS message.
  • the NAS information is used to instruct the AMF to send the updated 5G-TMSI.
  • the NAS message may be an independent NAS message, and the name of the NAS message may be used to instruct the AMF to send the updated 5G-TMSI.
  • the NAS message may also be an existing NAS message, and the existing NAS message carries second indication information, and the second indication information is used to request the AMF to send the updated 5G-TMSI.
  • This step 404 is an optional step, that is, the UE may not actively request the AMF to send the updated 5G-TMSI, but keep the NAS connection and wait for the AMF to send the updated 5G-TMSI.
  • Step 405 Before the UE releases the NAS connection, the AMF sends a configuration update request message, which carries the second 5G-TMSI.
  • this step 405 may be triggered by the above step 404, or be actively sent by the AMF when the above step 404 is not executed.
  • Step 406 After receiving the second 5G-TMSI, the UE sends a configuration update complete message to the AMF. Correspondingly, the AMF can receive the configuration update complete message.
  • steps 405 and 406 are optional steps.
  • Step 407 When the first condition is met, the UE enters the de-registration state, re-initiates the registration process, and obtains the second 5G-TMSI during the registration process.
  • step 407 is not required to be executed.
  • the first condition here includes one or more of the following:
  • Condition 1 The first timer in step 403 expires.
  • Expiry of the first timer means that the UE has not received the updated 5G-TMSI (that is, the second 5G-TMSI) and the duration for maintaining the NAS connection has been reached, so the UE will release the NAS connection and will not receive the second 5G-TMSI. In this case the UE triggers entry into the de-registration state, re-initiates the registration process, and obtains the updated 5G-TMSI during the registration process.
  • Condition 2 The second timer is started after the UE sends the NAS message in step 404, and the configuration update request message carrying the second 5G-TMSI is not received before the second timer expires. That is, timeout of the second timer means that the second 5G-TMSI is not received within the set time period after the UE sends the NAS message.
  • In this case, the UE can trigger entry into the de-registration state, re-initiate the registration process, and obtain the updated 5G-TMSI during the registration process.
  • Condition 3 The counter reaches the preset maximum number of times threshold.
  • After the UE sends the NAS message in step 404, the third timer and a counter (initially 0) are started, and the counter is incremented by 1. If the configuration update request message carrying the second 5G-TMSI is not received before the third timer expires, step 404 is executed again, the third timer is restarted, and the counter is incremented by 1 again. If the counter reaches the preset maximum number of times threshold and the UE still has not received the second 5G-TMSI, this indicates that the UE will not receive the configuration update request message carrying the second 5G-TMSI.
  • The meaning of the counter reaching the preset maximum number of times threshold is: the UE does not receive the second 5G-TMSI after sending the NAS message, the UE retransmits the NAS message, and when the maximum number of retransmissions is reached without the UE ever receiving the second 5G-TMSI, the UE stops sending NAS messages and determines that reception of the second 5G-TMSI has failed.
  • In this case, the UE can trigger entry into the de-registration state, re-initiate the registration process, and obtain the updated 5G-TMSI during the registration process.
  • One or more of the following operations can be performed: delete the 5G-TMSI (that is, the first 5G-TMSI) on the UE, delete the tracking area identification list on the UE, and delete the security context on the UE.
  • the UE is prevented from being tracked by the attacker and the purpose of protecting user privacy and security is achieved.
  • the UE re-initiates the registration process, the registration type is initial registration, and the carried identity is SUCI.
  • the UE configuration update process may be restricted to be performed in the service request process, so as to ensure as far as possible that the UE can receive the configuration update request message before the NAS connection in the service request process is released, thereby realizing the 5G-TMSI update.
  • the second 5G-TMSI may be carried in the service response message in step 402 above. At this time, there is no need to perform the above steps 403 to 407, and the service response message does not need to carry the first indication information.
  • This method can save signaling overhead and increase the probability that the UE receives the updated 5G-TMSI.
  • the foregoing first timer may also be started after the UE sends the service request message, that is, step 403 is executed after step 401 and before step 402.
  • the stopping condition of the first timer is: the first timer expires or the UE receives a configuration update request message carrying the updated 5G-TMSI.
  • the duration of the first timer can be set according to the duration from sending the service request message to receiving the configuration update request message under normal circumstances. Based on this implementation method, the service response message in step 402 does not need to carry the first indication information.
  • In summary, judgment logic is added to the UE so that the UE does not release the NAS connection within a certain period of time, during which the UE can actively request or wait for the configuration update process to occur. When an abnormality may have occurred on the network side, the UE can enter the de-registration state and re-initiate the registration process to ensure completion of the 5G-TMSI update, so as to prevent the UE from being tracked by attackers and achieve the purpose of protecting user privacy and security.
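The UE-side judgment logic of steps 401 to 407 can be made concrete as a small event-driven model. The following is an added example written for this page, not code from the patent or from any 3GPP implementation; the class and function names, the timer lengths, the message tuples and the scenario runner are constructed assumptions. It models the first timer (duration 5*T as in the text), the optional step 404 request with its third timer and counter, conditions 1 and 3 (condition 2 is the special case of a single request), and the fallback of step 407 in which the UE discards the first 5G-TMSI and re-registers with SUCI rather than re-using a stale identity.

```python
"""UE-side judgment logic for a 5G-TMSI refresh after a service request.

Added example (not the patent's own code): an event-driven model of steps
401-407 described above. The class and function names, the timer lengths and
the message tuples are constructed assumptions for this demonstration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed assumptions: AMF retransmit interval T and its maximum retransmit count.
RETRANSMIT_INTERVAL_T = 2.0   # seconds between two AMF configuration update requests
MAX_AMF_RETRANSMITS = 5       # AMF sends the configuration update request at most 5 times
THIRD_TIMER_LEN = 1.5         # constructed: UE waits this long for a reply to its NAS request


def first_timer_duration(t: float = RETRANSMIT_INTERVAL_T, n: int = MAX_AMF_RETRANSMITS) -> float:
    """Duration of the first timer derived as the text describes: n * T (5*T)."""
    return n * t


@dataclass
class UeIdentityRefresh:
    tmsi: Optional[str]                # first 5G-TMSI currently in use
    max_nas_requests: int = 3          # constructed threshold for the step-404 counter
    now: float = 0.0
    state: str = "registered"          # "registered" or "deregistered"
    nas_connected: bool = True
    updated_received: bool = False
    first_timer_deadline: Optional[float] = None
    third_timer_deadline: Optional[float] = None
    counter: int = 0
    sent: List[Tuple[str, str]] = field(default_factory=list)
    dereg_reason: Optional[str] = None

    # Step 402: service response arrives, possibly already carrying the second 5G-TMSI.
    def on_service_response(self, keep_nas_indication: bool, new_tmsi: Optional[str] = None) -> None:
        if new_tmsi is not None:           # variant: second 5G-TMSI piggybacked, no timers needed
            self._install(new_tmsi)
            return
        # Step 403: keep the NAS connection on the AMF's first indication, or because the
        # UE itself determines it has not yet obtained the updated identity.
        if keep_nas_indication or not self.updated_received:
            self.first_timer_deadline = self.now + first_timer_duration()

    # Step 404 (optional): actively ask the AMF for the updated 5G-TMSI.
    def request_update(self) -> None:
        self.sent.append(("NAS_REQUEST_UPDATED_TMSI", self.tmsi or ""))
        self.third_timer_deadline = self.now + THIRD_TIMER_LEN
        self.counter += 1

    # Steps 405/406: configuration update request carrying the second 5G-TMSI.
    def on_configuration_update(self, new_tmsi: str) -> None:
        self._install(new_tmsi)
        self.sent.append(("CONFIG_UPDATE_COMPLETE", new_tmsi))

    # Advance the clock and evaluate the first condition (conditions 1 and 3; condition 2
    # is the special case max_nas_requests == 1).
    def advance(self, dt: float) -> None:
        self.now += dt
        if self.state != "registered":
            return
        if self.third_timer_deadline is not None and self.now >= self.third_timer_deadline:
            if self.counter < self.max_nas_requests:
                self.request_update()                       # retransmit, restart third timer
            else:
                self._deregister("counter_threshold")       # condition 3
                return
        if self.first_timer_deadline is not None and self.now >= self.first_timer_deadline:
            self._deregister("first_timer_expired")         # condition 1

    def _install(self, new_tmsi: str) -> None:
        """Replace the first 5G-TMSI with the second one and stop the timers."""
        self.tmsi = new_tmsi
        self.updated_received = True
        self.first_timer_deadline = self.third_timer_deadline = None
        self.nas_connected = False          # the connection may now be released safely

    def _deregister(self, reason: str) -> None:
        """Step 407: drop the stale identity and security context, re-register with SUCI."""
        self.state = "deregistered"
        self.dereg_reason = reason
        self.tmsi = None                    # delete first 5G-TMSI (and TAI list, security context)
        self.nas_connected = False
        self.first_timer_deadline = self.third_timer_deadline = None
        # Initial registration carries the encrypted permanent identity, never the old 5G-TMSI.
        self.sent.append(("REGISTRATION_REQUEST_INITIAL", "SUCI"))


def run_scenario(amf_delivers_at: Optional[float], poll: bool, piggyback: bool = False) -> UeIdentityRefresh:
    """Constructed scenarios: the AMF delivers the update at a given time, or never."""
    ue = UeIdentityRefresh(tmsi="tmsi-first")
    ue.sent.append(("SERVICE_REQUEST", "tmsi-first"))                       # step 401
    ue.on_service_response(keep_nas_indication=True,
                           new_tmsi="tmsi-second" if piggyback else None)  # step 402
    if poll and ue.state == "registered" and not ue.updated_received:
        ue.request_update()                                                # step 404
    for _ in range(40):                                                    # tick 0.5 s at a time
        ue.advance(0.5)
        if (amf_delivers_at is not None and ue.state == "registered"
                and not ue.updated_received and ue.now >= amf_delivers_at):
            ue.on_configuration_update("tmsi-second")                      # step 405
    return ue
```

Running `run_scenario(3.0, poll=False)` shows the normal path (the second 5G-TMSI arrives while the first timer is still running), `run_scenario(None, poll=False)` shows condition 1, and `run_scenario(None, poll=True)` shows condition 3 after three unanswered NAS requests. In every failure path the model ends with a registration request carrying SUCI and no copy of the first 5G-TMSI, which is the property that denies an observer a re-usable identifier.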
  • an embodiment of the present application provides yet another communication method.
  • this method can be executed by the UE or a component used for the UE (such as a chip, circuit, etc.); on the network side, it can be executed by an AMF or a component used for AMF (such as a chip, circuit, etc.).
  • the following uses the UE and AMF to execute the method as an example for description.
  • When the UE and AMF fail to transmit messages through the first access mode (corresponding to the first NAS connection), they can try to transmit through the second access mode (corresponding to the second NAS connection).
  • the first access mode is 3GPP access
  • the second access mode is non-3GPP (non-3GPP) access.
  • the first access mode is non-3GPP access
  • the second access mode is 3GPP access.
  • the method includes the following steps:
  • Step 501 The UE registers with the network through the first access mode. At this time, the UE is in the registered state in the first access mode, and is in the de-registered state in the second access mode.
  • Step 502 The UE registers with the network through the second access method. At this time, the UE is registered in both the first access mode and the second access mode.
  • the UE obtains a temporary identity (for example, the first 5G-TMSI) from the AMF during the process of registering to the network through the first access mode or the second access mode.
  • Step 503 The AMF determines that the number of retransmissions of the first NAS message to the UE through the first NAS connection has reached the maximum number of times and the confirmation message has not been received, where the first NAS message is used to update the temporary identity of the UE.
  • the first NAS message is not successfully received by the UE, and the AMF fails to retransmit the first NAS message multiple times.
  • the reason for the failure to retransmit the first NAS message multiple times may be that the first access mode side is attacked by an attacker.
  • the attacker intercepts the first NAS message and discards the NAS message, causing the UE to fail to receive the NAS message.
  • the UE will not send a confirmation message (also called a response message) to the AMF. If the AMF fails to receive the confirmation message, it determines that the transmission of the first NAS message has failed, and then retransmits the first NAS message. Or because the link is congested, the first NAS message cannot be received by the UE.
  • the maximum number of retransmissions of the first NAS message can be preset, for example, it can be 5 times.
  • Step 504 The AMF sends a second NAS message to the UE through the second NAS connection, and the second NAS message carries the updated temporary identity of the UE (for example, it may be the second 5G-TMSI).
  • Step 505 The UE obtains the updated temporary identity of the UE from the second NAS message.
  • For example, the AMF sends the second NAS message to the UE through the non-3GPP access mode (or, correspondingly, through the 3GPP access mode), and the second NAS message carries the updated 5G-TMSI (also referred to as the second 5G-TMSI).
  • After the UE obtains the second 5G-TMSI from the second NAS message, it passes the second 5G-TMSI to the bottom layer of the 3GPP access side and replaces the first 5G-TMSI with the second 5G-TMSI, thereby achieving the purpose of updating the 5G-TMSI.
  • the first NAS message is a configuration update request message
  • the second NAS message is a configuration update request message
  • the first NAS message is a NAS session management transmission message
  • the second NAS message is a NAS session management transmission message
  • the UE and the core network can transmit the UE's temporary identity through the second access method, so that the UE can update the UE's temporary identity.
  • the UE is prevented from being tracked by an attacker, and the purpose of protecting user privacy and security is achieved.
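The AMF-side behaviour of steps 503 to 505 can be shown with a small model of two NAS connections. The following is an added example written for this page, not code from the patent or from any network implementation; the `NasLink`, `Ue` and `Amf` classes, the loss models and the scenario runner are constructed assumptions, and the maximum of 5 retransmissions is the example value the text gives. Whether the first access is 3GPP or non-3GPP, the logic is the same: retransmit the first NAS message until a confirmation arrives or the cap is hit, then deliver the same configuration update over the second NAS connection, after which the UE installs the second 5G-TMSI regardless of which access it arrived on.

```python
"""AMF-side delivery of an updated 5G-TMSI with fallback to the second access.

Added example (not the patent's own code): models steps 503-505 above. The
class names, the loss models and the scenario runner are constructed
assumptions; MAX_RETRANSMITS = 5 is the example value given in the text.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_RETRANSMITS = 5
Message = Tuple[str, str]   # (message type, payload)


@dataclass
class NasLink:
    """One NAS connection (3GPP or non-3GPP). deliver() is True when the UE got the message."""
    name: str
    drop: Callable[[int], bool]          # constructed loss model: attempt index -> dropped?
    log: List[Message] = field(default_factory=list)

    def deliver(self, msg: Message, attempt: int) -> bool:
        if self.drop(attempt):           # discarded on the path (congestion or interference)
            self.log.append(("DROPPED", msg[0]))
            return False
        self.log.append(("DELIVERED", msg[0]))
        return True


@dataclass
class Ue:
    tmsi: str                            # first 5G-TMSI currently installed
    received: List[Message] = field(default_factory=list)

    def on_nas(self, msg: Message) -> Message:
        """Step 505: install the updated 5G-TMSI and confirm to the AMF."""
        self.received.append(msg)
        self.tmsi = msg[1]               # replaces the first 5G-TMSI on the 3GPP side
        return ("CONFIG_UPDATE_COMPLETE", msg[1])


@dataclass
class Amf:
    first: NasLink       # first access mode (e.g. 3GPP)
    second: NasLink      # second access mode (e.g. non-3GPP)

    def update_identity(self, ue: Ue, new_tmsi: str) -> Dict[str, object]:
        msg = ("CONFIGURATION_UPDATE_REQUEST", new_tmsi)
        # Step 503: retransmit over the first NAS connection until confirmed or the cap is hit.
        for attempt in range(1, MAX_RETRANSMITS + 1):
            if self.first.deliver(msg, attempt):
                ack = ue.on_nas(msg)
                return {"path": self.first.name, "attempts": attempt, "ack": ack}
        # Step 504: maximum reached with no confirmation; use the second NAS connection.
        if self.second.deliver(msg, 1):
            ack = ue.on_nas(msg)
            return {"path": self.second.name, "attempts": MAX_RETRANSMITS + 1, "ack": ack}
        return {"path": None, "attempts": MAX_RETRANSMITS + 1, "ack": None}


def run(first_drop: Callable[[int], bool], second_drop: Callable[[int], bool]):
    """Constructed scenario runner: returns (ue, amf, result)."""
    amf = Amf(NasLink("3gpp", first_drop), NasLink("non-3gpp", second_drop))
    ue = Ue(tmsi="tmsi-first")
    result = amf.update_identity(ue, "tmsi-second")
    return ue, amf, result


# Constructed loss models for the first access
HEALTHY = lambda attempt: False            # every attempt delivered
CONGESTED = lambda attempt: attempt < 3    # first two attempts lost
BLACKHOLE = lambda attempt: True           # nothing gets through on this access
```

`run(BLACKHOLE, HEALTHY)` is the case the text describes: five drops on the first access, then one delivery over the second access, with the UE ending up holding the second 5G-TMSI. `run(BLACKHOLE, BLACKHOLE)` shows that when both accesses fail the UE keeps the first 5G-TMSI, which is exactly the situation the UE-side judgment logic of the previous embodiment is meant to catch.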
  • each network element described above includes hardware structures and/or software modules corresponding to each function.
  • the present invention can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraints of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered as going beyond the scope of the present invention.
  • the steps or operations implemented by the terminal device can also be implemented by components (such as chips or circuits) configured in the terminal device, corresponding to the steps or operations implemented by the mobility management network element.
  • the operation can also be implemented by a component (such as a chip or a circuit) configured in the mobility management network element.
  • an apparatus for implementing any of the above methods.
  • an apparatus is provided that includes units (or means) for implementing each step performed by the terminal device in any of the above methods.
  • another device is also provided, including a unit (or means) for implementing each step performed by the mobility management network element in any of the above methods.
  • FIG. 6 is a schematic diagram of a communication device provided by an embodiment of this application.
  • the device is used to implement the steps performed by the corresponding terminal device in the foregoing method embodiment.
  • the device 600 includes a processing unit 610 and a transceiver unit 620.
  • The processing unit 610 is configured to determine whether the temporary identity assigned to the communication device by the network side has expired; the transceiver unit 620 is configured to, when it is determined that the temporary identity has expired, send a first message to the mobility management network element through the access device, where the first message includes the routing identifier of the mobility management network element and the encrypted permanent identity; the routing identifier is used by the access device to determine the mobility management network element serving the communication device.
  • The processing unit 610 being configured to determine that the temporary identity assigned by the network side has expired specifically includes one or more of the following: determining that a timer expires, where the duration of the timer is the maximum length of time that the communication device waits to receive the updated temporary identity in the service request process; or determining that the number of times a service response message is not received after sending a service request message reaches a first threshold; or determining that the temporary identity of the communication device was not updated during the last NAS connection; or determining that, when the transceiver unit 620 requested the mobility management network element to update the temporary identity, the updated temporary identity was not received.
  • The encrypted permanent identity is the SUCI of the terminal device; or, the encrypted permanent identity is obtained by encrypting the temporary identity of the terminal device, and the temporary identity of the terminal device is 5G-TMSI; or, the encrypted permanent identity is the remaining part of the SUCI of the terminal device after removing the home network identity.
  • the first message is a service request message, or a periodic registration message, or a mobility registration message.
  • The transceiver unit 620 is configured to send a service request message to the mobility management network element, where the service request message includes the first identity; the processing unit 610 is configured to start a timer when the NAS connection of the service request process between the terminal device and the mobility management network element needs to be released, where the duration of the timer is the maximum time for maintaining the NAS connection; the transceiver unit 620 is configured to receive a configuration update request message from the mobility management network element before the timer expires, where the configuration update request message includes the second identity identifier.
  • The need to release the NAS connection of the service request process between the terminal device and the mobility management network element includes: after the terminal device receives the service response message from the mobility management network element, the NAS connection of the service request process between the terminal device and the mobility management network element needs to be released.
  • The transceiver unit 620 is further configured to receive first indication information from the mobility management network element before the processing unit 610 starts the timer, where the first indication information is used to instruct the terminal device to maintain the NAS connection; or, the processing unit 610 is further configured to determine that the updated temporary identity identifier has not been received.
  • The transceiver unit 620 is further configured to send a NAS message to the mobility management network element before receiving the configuration update request message from the mobility management network element, where the NAS message is used to request the mobility management network element to send the updated temporary identity identifier.
  • the NAS message includes second indication information, and the second indication information is used to request the mobility management network element to send an updated temporary identity identifier.
  • The duration of the timer is determined according to the retransmission time interval of the configuration update request message sent by the mobility management network element; or, the duration of the timer is pre-configured by the manufacturer of the terminal device.
  • The processing unit 610 is used to determine whether the temporary identity assigned to the communication device by the network side has expired; the transceiver unit 620 is used to initiate a de-registration process when it is determined that the temporary identity has expired, and to use the encrypted permanent identity to initiate the initial registration process so as to obtain the temporary identity updated by the network side.
  • The processing unit 610 being configured to determine that the temporary identity assigned by the network side has expired specifically includes one or more of the following: determining that a timer expires, where the duration of the timer is the maximum length of time that the communication device waits to receive the updated temporary identity identifier in the service request process; or determining that the number of times a service response message is not received after sending a service request message reaches a first threshold; or determining that the temporary identity of the communication device was not updated during the last non-access stratum (NAS) connection of the communication device; or determining that, when the transceiver unit 620 requested the mobility management network element to update the temporary identity, the updated temporary identity was not received.
  • The encrypted permanent identity is the subscription concealed identifier (SUCI) of the terminal device; or, the encrypted permanent identity is obtained by encrypting the temporary identity, and the temporary identity is the 5G temporary mobile subscriber identity (5G-TMSI); or, the encrypted permanent identity is the remaining part of the SUCI of the terminal device excluding the home network identity.
  • The transceiver unit 620 is configured to receive a second NAS message from the mobility management network element through the second NAS connection, where the second NAS message is sent by the mobility management network element when the number of retransmissions of the first NAS message to the terminal device through the first NAS connection reaches the maximum number of times and the confirmation message is not received; the first NAS message and the second NAS message include the updated temporary identity identifier of the terminal device; the processing unit 610 is configured to obtain the updated temporary identity from the second NAS message.
  • the first NAS connection corresponds to a first access mode
  • the second NAS connection corresponds to a second access mode
  • The first access mode is one of 3GPP access and non-3GPP access.
  • the second access mode is the other of 3GPP access and non-3GPP access.
  • the first NAS message is a configuration update request message
  • the second NAS message is a configuration update request message
  • the first NAS message is a NAS session management transmission message
  • the The second NAS message is a NAS session management transmission message.
  • each of the above-mentioned units may also be referred to as a module or a circuit, etc., and each of the above-mentioned units may be provided independently, or may be fully or partially integrated.
  • The aforementioned communication device 600 may further include a storage unit for storing data or instructions (also referred to as code or programs), and each of the aforementioned units may interact or couple with the storage unit to implement the corresponding method or function.
  • the processing unit may read data or instructions in the storage unit, so that the communication device implements the method in the foregoing embodiment.
  • FIG. 7 is a schematic diagram of a communication device provided by an embodiment of this application.
  • the device is used to implement the steps performed by the corresponding mobility management network element in the foregoing method embodiment.
  • the device 700 includes a processing unit 710 and a transceiver unit 720.
  • The transceiver unit 720 is configured to receive a first message from a terminal device in the registered state, the first message containing the encrypted permanent identity of the terminal device and the routing identifier of the mobility management network element; send the encrypted permanent identity to the decryption network element; and receive the decrypted identity from the decryption network element.
  • The encrypted permanent identity is the SUCI of the terminal device; or, the encrypted permanent identity is obtained by encrypting the temporary identity of the terminal device, and the temporary identity of the terminal device is 5G-TMSI; or, the encrypted permanent identity is the remaining part of the SUCI of the terminal device after removing the home network identity.
  • The processing unit 710 is configured to determine, according to the type of the first message and/or the format of the content in the first message, that the first message does not carry a 5G-TMSI, and then determine the decryption network element according to the encrypted permanent identity.
  • the first message is a service request message, or a periodic registration message, or a mobility registration message.
  • The transceiver unit 720 is configured to receive a service request message from a terminal device, where the service request message includes a first identity identifier; send first indication information to the terminal device, where the first indication information is used to instruct the terminal device to maintain the NAS connection; and send a configuration update request message to the terminal device, where the configuration update request message includes a second identity identifier.
  • the transceiver unit 720 is configured to send first indication information to the terminal device, which specifically includes: sending a service response message to the terminal device, where the service response message includes the first indication information.
  • The transceiver unit 720 is configured to receive a NAS message from the terminal device before sending the configuration update request message to the terminal device, where the NAS message is used to request the mobility management network element to send the updated temporary identity.
  • the NAS message includes second indication information, and the second indication information is used to request the mobility management network element to send an updated temporary identity identifier.
  • The processing unit 710 is configured to determine that the number of retransmissions of the first NAS message to the terminal device through the first NAS connection has reached the maximum number of times and the confirmation message has not been received, where the first NAS message is used to update the temporary identity of the terminal device.
  • the transceiver unit 720 is configured to send a second NAS message to the terminal device through the second NAS connection, the second NAS message containing the updated temporary identity of the terminal device.
  • The first access mode is 3GPP access and the second access mode is non-3GPP access; or, the first access mode is non-3GPP access and the second access mode is 3GPP access.
  • the first NAS message is a configuration update request message
  • the second NAS message is a configuration update request message
  • the first NAS message is a NAS session management transmission message
  • the The second NAS message is a NAS session management transmission message.
  • the maximum number of times is 5 times.
  • each of the above-mentioned units may also be referred to as a module or a circuit, etc., and each of the above-mentioned units may be provided independently, or may be fully or partially integrated.
  • The aforementioned communication device 700 may further include a storage unit for storing data or instructions (also referred to as code or programs), and each of the aforementioned units may interact or couple with the storage unit to implement the corresponding method or function.
  • the processing unit may read data or instructions in the storage unit, so that the communication device implements the method in the foregoing embodiment.
  • each unit in the device can be all implemented in the form of software called by processing elements; they can also be all implemented in the form of hardware; part of the units can also be implemented in the form of software called by the processing elements, and some of the units can be implemented in the form of hardware.
  • each unit can be a separate processing element, or it can be integrated in a certain chip of the device for implementation.
  • The function of each unit can also be stored in the memory in the form of a program, which is called and executed by a certain processing element of the device.
  • each step of the above method or each of the above units may be implemented by an integrated logic circuit of hardware in a processor element or implemented in a form of being called by software through a processing element.
  • The unit in any of the above devices may be one or more integrated circuits configured to implement the above methods, for example: one or more application specific integrated circuits (ASICs), or one or more digital signal processors (DSPs), or one or more field programmable gate arrays (FPGAs), or a combination of at least two of these integrated circuits.
  • the unit in the device can be implemented in the form of a processing element scheduler
  • the processing element can be a general-purpose processor, such as a central processing unit (CPU) or other processors that can call programs.
  • these units can be integrated together and implemented in the form of a system-on-a-chip (SOC).
  • the above receiving unit is an interface circuit of the device for receiving signals from other devices.
  • the receiving unit is an interface circuit used by the chip to receive signals from other chips or devices.
  • the above unit for sending is an interface circuit of the device for sending signals to other devices.
  • the sending unit is an interface circuit used by the chip to send signals to other chips or devices.
  • the terminal equipment includes: an antenna 810, a radio frequency device 820, and a signal processing part 830.
  • the antenna 810 is connected to the radio frequency device 820.
  • the radio frequency device 820 receives the information sent by the network device through the antenna 810, and sends the information sent by the network device to the signal processing part 830 for processing.
  • the signal processing part 830 processes the information of the terminal equipment and sends it to the radio frequency device 820
  • the radio frequency device 820 processes the information of the terminal equipment and sends it to the network equipment via the antenna 810.
  • the signal processing part 830 is used to realize the processing of each communication protocol layer of the data.
  • The signal processing part 830 may be a subsystem of the terminal device, and the terminal device may also include other subsystems, such as a central processing subsystem used to process the terminal device's operating system and application layer, or a peripheral subsystem used to realize the connection with other equipment.
  • the signal processing part 830 may be a separately provided chip.
  • the above devices may be located in the signal processing part 830.
  • the signal processing part 830 may include one or more processing elements 831, for example, a main control CPU and other integrated circuits, and an interface circuit 833.
  • the signal processing part 830 may also include a storage element 832.
  • the storage element 832 is used to store data and programs.
  • the program used to execute the method performed by the terminal device in the above method embodiment may or may not be stored in the storage element 832; for example, it may be stored in a memory outside the signal processing part 830, and during use the signal processing part 830 loads the program into its cache.
  • the interface circuit 833 is used to communicate with the device.
  • the above devices may be located in the signal processing part 830, which may be implemented by a chip.
  • the chip includes at least one processing element and an interface circuit, the interface circuit being used to communicate with other devices.
  • the unit that implements each step in the above method can be implemented in the form of a processing element scheduler.
  • the device includes a processing element and a storage element, and the processing element calls a program stored by the storage element to execute the above method embodiments.
  • the storage element may be a storage element on the same chip as the processing element, that is, an on-chip storage element.
  • the program used to execute the method performed by the terminal device in the above method may also be stored in a storage element on a different chip from the processing element, that is, an off-chip storage element.
  • the processing element calls or loads the program from the off-chip storage element into the on-chip storage element, and then calls and executes the method performed by the terminal device in the above method embodiment.
  • the unit of the terminal device that implements each step in the above method may be configured as one or more processing elements, and these processing elements are provided on the signal processing part 830, where the processing elements may be integrated circuits, for example one or more ASICs, one or more DSPs, one or more FPGAs, or a combination of these types of integrated circuits. These integrated circuits can be integrated together to form a chip.
  • the units that implement each step in the above method can be integrated together and implemented in the form of an SOC, and the SOC chip is used to implement the above method.
  • the chip can integrate at least one processing element and a storage element, and the processing element can call the program stored in the storage element to implement the method performed by the above terminal device; or the chip can integrate at least one integrated circuit to implement the method performed by the above terminal device; or the above implementations can be combined.
  • the functions of some units are implemented in the form of calling programs by processing elements, and the functions of some units are implemented in the form of integrated circuits.
  • the above apparatus may include at least one processing element and an interface circuit, wherein at least one processing element is used to execute any method executed by the terminal device provided in the above method embodiment.
  • the processing element can execute part or all of the steps performed by the terminal device in a first way, by calling the program stored in the storage element, or in a second way, by executing part or all of the steps performed by the terminal device through integrated hardware logic circuits in the processing element combined with instructions; of course, part or all of the steps performed by the terminal device can also be executed by combining the first way and the second way.
  • the processing element here is the same as described above, and it may be a general-purpose processor, such as a CPU, or one or more integrated circuits configured to implement the above method, such as one or more ASICs, one or more microprocessors (DSPs), one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms.
  • the storage element can be a memory or a collective term for multiple storage elements.
  • the mobility management network element includes: a processor 910, an interface 930, and optionally, a memory 920.
  • the interface 930 is used to implement communication with other devices.
  • the method executed by the mobility management network element in the above embodiment can be implemented by the processor 910 calling a program stored in the memory (which may be the memory 920 in the mobility management network element or an external memory). That is, the apparatus for a mobility management network element may include a processor 910 that calls a program in a memory to execute the method executed by the mobility management network element in the above method embodiment.
  • the processor here may be an integrated circuit with signal processing capability, such as a CPU.
  • the apparatus for the mobility management network element may be implemented by one or more integrated circuits configured to implement the above method, for example one or more ASICs, one or more microprocessors (DSPs), one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms; or the above implementations can be combined.
  • "at least one" refers to any combination of these items, including a single item or any combination of a plurality of items.
  • at least one of a, b, or c can represent: a, b, c, a and b, a and c, b and c, or a, b and c, where each of a, b, and c may be singular or plural.
  • "multiple" (a plurality) refers to two or more; other quantifiers are interpreted similarly.
  • the sequence numbers of the above processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and does not constitute any limitation on the implementation of the embodiments of the present invention.
  • the disclosed system, device, and method can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
  • the various illustrative logic units and circuits described in the embodiments of this application can be implemented by general-purpose processors, digital signal processors, application-specific integrated circuits (ASIC), field programmable gate arrays (FPGA) or other programmable logic devices, discrete gate or transistor logic, discrete hardware components, or any combination of the above designed to implement or perform the described functions.
  • the general-purpose processor may be a microprocessor.
  • the general-purpose processor may also be any traditional processor, controller, microcontroller, or state machine.
  • the processor can also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration.
  • the steps of the method or algorithm described in the embodiments of the present application can be directly embedded in hardware, a software unit executed by a processor, or a combination of the two.
  • the software unit can be stored in random access memory (RAM), flash memory, read-only memory (ROM), EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other storage medium known in the art.
  • the storage medium may be connected to the processor, so that the processor can read information from the storage medium, and can store and write information to the storage medium.
  • the storage medium may also be integrated into the processor.
  • the processor and the storage medium can be arranged in the ASIC.
  • these computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • the aforementioned functions described in this application can be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, these functions can be stored on a computer-readable medium, or transmitted on the computer-readable medium in the form of one or more instructions or codes.
  • Computer-readable media include computer storage media and communication media that facilitate the transfer of computer programs from one place to another. The storage medium can be any available medium that can be accessed by a general-purpose or special computer.
  • such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures and that can be read by a general-purpose or special-purpose computer, or by a general-purpose or special-purpose processor.
  • any connection can appropriately be defined as a computer-readable medium; for example, if the software is transmitted from a website, server, or other remote source through a coaxial cable, optical fiber cable, twisted pair, or digital subscriber line (DSL), or by wireless means such as infrared, radio and microwave, then those media and means are also included in the definition of computer-readable media.
  • the disks and discs referred to include compact disks, laser disks, optical discs, digital versatile discs (DVD), floppy disks and Blu-ray discs.
  • disks usually reproduce data magnetically.
  • discs usually reproduce data optically, with lasers.
  • the combination of the above can also be contained in a computer readable medium.
  • the functions described in this application can be implemented by hardware, software, firmware, or any combination thereof. When implemented by software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or codes on the computer-readable medium.
  • the computer-readable medium includes a computer storage medium and a communication medium, where the communication medium includes any medium that facilitates the transfer of a computer program from one place to another.
  • the storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.

Abstract

Embodiments of the present application provide a communication method and apparatus. The method comprises: a terminal device in a registered state determines whether a temporary identity assigned to it by the network side has expired; when it determines that the temporary identity has expired, the terminal device sends a first message to a mobility management network element by means of an access device, the first message comprising a routing identifier and an encrypted identity, wherein the routing identifier is used by the access device to determine the mobility management network element serving the terminal device. On this basis, in order not to be tracked, the terminal device uses an encrypted permanent identity instead of the original 5G-TMSI. Compared with the prior art, in this solution the 5G-TMSI used by the terminal device remains unchanged, but it is not used directly; the encrypted permanent identity is used instead, so that an attacker cannot obtain identity information of the terminal device and accordingly cannot track its location.

Description

Communication method and apparatus
Technical field
The embodiments of the present application relate to the field of communication technologies, and in particular to a communication method and apparatus.
Background
In the prior art, a terminal device is at risk of being tracked. For example, when the fifth generation (5G) temporary mobile subscriber identity (5G-Temporary Mobile Subscriber Identity, 5G-TMSI) of a terminal device is intercepted by an attacker, the attacker can identify the terminal device from the 5G-TMSI and, combined with the location of the terminal device, track it.
To prevent a terminal device from being tracked, existing standards stipulate that the 5G-TMSI used by the terminal device needs to be updated frequently. For example, while the terminal device initiates a service request procedure, or after the service request procedure, the network side may send a new 5G-TMSI to the terminal device.
However, although the network side attempts to send an updated 5G-TMSI to the terminal device, an attacker can still track the terminal device. For example, the attacker may intercept the message carrying the updated 5G-TMSI and discard it, so that the terminal device cannot update its 5G-TMSI. Because the terminal device cannot update its 5G-TMSI, it may use the same 5G-TMSI for a long time and is therefore at risk of being tracked by the attacker.
Summary of the invention
The embodiments of the present application provide a communication method and apparatus for preventing a terminal device from being tracked by an attacker.
According to a first aspect, an embodiment of the present application provides a communication method, including: a terminal device in the registered state determines whether the temporary identity assigned to it by the network side has expired; when it determines that the temporary identity has expired, the terminal device sends a first message to a mobility management network element through an access device, the first message containing a routing identifier and an encrypted permanent identity corresponding to the terminal device. The routing identifier is used to determine the mobility management network element serving the terminal device.
Based on the above solution, to prevent tracking, the terminal device uses an encrypted permanent identity instead of the original 5G-TMSI, so that the terminal device cannot be tracked. Compared with the prior art, when the terminal device determines that the temporary identity assigned to it by the network side has expired, it no longer uses the expired temporary identity when communicating with the network side, but uses the encrypted permanent identity instead, so that an attacker cannot obtain the identity information of the terminal device and therefore cannot track its location.
In a possible implementation, the terminal device determining that the temporary identity assigned to it by the network side has expired includes one or more of the following: the terminal device determines that a timer has expired, where the duration of the timer is used to determine the maximum time the terminal device waits to receive an updated temporary identity in the service request procedure; or the terminal device determines that the number of times it has received no reply after sending a service request message has reached a first threshold; or the terminal device did not update its temporary identity during the last non-access stratum (NAS) connection; or, when the terminal device has requested the mobility management network element to update the temporary identity, the terminal device did not receive an updated temporary identity.
Based on any of the above methods, the terminal device can determine that it may be under attack or at risk of attack, and therefore determine that the temporary identity assigned to it by the network side has expired and that it needs to use the encrypted permanent identity.
In a possible implementation, the encrypted permanent identity is the SUCI of the terminal device; or the encrypted permanent identity is obtained by encrypting the temporary identity of the terminal device, the temporary identity of the terminal device being a 5G-TMSI; or the encrypted permanent identity is the remaining part of the SUCI of the terminal device after the home network identifier is removed.
In a possible implementation, the first message is a service request message, a periodic registration message, or a mobility registration message.
According to a second aspect, an embodiment of the present application provides a communication method, including: a terminal device sends a service request message to a mobility management network element, the service request message containing a first identity; when the NAS connection of the service request procedure between the terminal device and the mobility management network element needs to be released, the terminal device starts a timer, the duration of the timer being the maximum time for which the NAS connection is kept; before the timer expires, the terminal device receives a configuration update request message from the mobility management network element, the configuration update request message containing a second identity.
Based on the above solution, decision logic is added to the terminal device so that the terminal device does not release the NAS connection for a certain period and instead waits for the configuration update procedure to take place, ensuring that the identity update is completed, thereby preventing the terminal device from being tracked by an attacker and protecting user privacy.
In a possible implementation, the NAS connection of the service request procedure between the terminal device and the mobility management network element needing to be released includes: when a certain time has elapsed after the terminal device received a service response message from the mobility management network element or sent a service request message, the NAS connection of the service request procedure between the terminal device and the mobility management network element needs to be released.
The AMF should start a timer after sending the service response message and send a configuration update request carrying the second identity before the timer expires. The duration of the timer is determined according to the timer with which the UE releases the local NAS connection after receiving the service response message, or is preconfigured by the operator or vendor.
In a possible implementation, before the terminal device starts the timer, the method further includes: the terminal device receives first indication information from the mobility management network element, the first indication information instructing the terminal device to keep the NAS connection; or the terminal device determines that it has not received an updated temporary identity.
Based on the above solution, the mobility management network element can notify the terminal device through the first indication information to keep the NAS connection, or the terminal device can itself determine that the NAS connection needs to be kept. When the terminal device starts the timer a certain time after sending the service request message, or starts the timer after receiving the service response message from the mobility management network element, the terminal device needs to keep the NAS connection of the service request procedure with the mobility management network element until the timer expires.
In a possible implementation, before the terminal device receives the configuration update request message from the mobility management network element, the method further includes: the terminal device sends a NAS message to the mobility management network element, the NAS message requesting the mobility management network element to send an updated temporary identity.
In a possible implementation, the NAS message contains second indication information, the second indication information requesting the mobility management network element to send an updated temporary identity.
Based on the above solution, after keeping the NAS connection, the terminal device can actively request an updated temporary identity from the mobility management network element, saving time and increasing the likelihood of obtaining the updated temporary identity.
In a possible implementation, the duration of the timer is determined according to the retransmission interval with which the mobility management network element sends the configuration update request message; or the duration of the timer is preconfigured by the vendor of the terminal device.
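The second aspect above, as an added discrete-time simulation (example code, not from the patent or from Huawei): the UE holds the NAS connection of the service request procedure for a bounded time after the service response and waits for the Configuration Update Command that carries its second identity, while the AMF retransmits that command at a fixed interval until it is acknowledged. The tick granularity, the retransmission interval, the drop pattern and all message field names are constructed for this example; a UE with `hold_ticks=0` models the legacy behaviour of releasing the connection immediately.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Msg = Tuple[str, dict]


@dataclass
class Amf:
    """AMF side: answers the service request, then sends the Configuration
    Update Command carrying the second identity and retransmits it at a fixed
    interval until the UE acknowledges it or the retransmission limit is hit."""
    retransmit_interval: int
    max_retransmits: int = 3
    new_tmsi: str = "tmsi-NEW"      # constructed second identity
    next_send_tick: int = 0
    sent: int = 0
    acked: bool = False

    def on_service_request(self, now: int) -> List[Msg]:
        self.next_send_tick = now
        # first indication information: ask the UE to keep the NAS connection
        return [("SERVICE_ACCEPT", {"keep_nas": True})]

    def tick(self, now: int) -> List[Msg]:
        if self.acked or self.sent > self.max_retransmits or now < self.next_send_tick:
            return []
        self.sent += 1
        self.next_send_tick = now + self.retransmit_interval
        return [("CONFIG_UPDATE_COMMAND", {"new_tmsi": self.new_tmsi})]

    def on_config_update_complete(self) -> None:
        self.acked = True


@dataclass
class Ue:
    """UE side: after the service response it would normally release the NAS
    connection; with the added logic it holds the connection for hold_ticks."""
    tmsi: str
    hold_ticks: int                 # 0 models the legacy UE that releases at once
    nas_connected: bool = True
    release_at: Optional[int] = None
    tmsi_updated: bool = False

    def on_service_accept(self, now: int, body: dict) -> None:
        # start the hold timer if the AMF asked for it (first indication) or if
        # no updated identity has arrived yet; otherwise release immediately
        if body.get("keep_nas") or not self.tmsi_updated:
            self.release_at = now + self.hold_ticks
        else:
            self.release_at = now

    def on_config_update(self, now: int, body: dict) -> List[Msg]:
        self.tmsi = body["new_tmsi"]
        self.tmsi_updated = True
        self.release_at = now       # identity refreshed: nothing left to wait for
        return [("CONFIG_UPDATE_COMPLETE", {})]

    def tick(self, now: int) -> None:
        if self.release_at is not None and now >= self.release_at:
            self.nas_connected = False


def run(hold_ticks: int, retransmit_interval: int = 4, drop_first_n: int = 1, max_ticks: int = 40) -> dict:
    """Drive both sides tick by tick.  The first drop_first_n Configuration
    Update Commands never reach the UE (the scenario the page describes: the
    message carrying the updated TMSI is discarded in transit)."""
    ue = Ue(tmsi="tmsi-OLD", hold_ticks=hold_ticks)
    amf = Amf(retransmit_interval=retransmit_interval)
    dropped = 0
    downlink: List[Msg] = amf.on_service_request(0)
    now = 0
    for now in range(max_ticks):
        downlink += amf.tick(now)
        for name, body in downlink:
            if name == "SERVICE_ACCEPT":
                ue.on_service_accept(now, body)
            elif name == "CONFIG_UPDATE_COMMAND":
                if dropped < drop_first_n:
                    dropped += 1           # lost on the way to the UE
                    continue
                for reply, _ in ue.on_config_update(now, body):
                    if reply == "CONFIG_UPDATE_COMPLETE":
                        amf.on_config_update_complete()
        downlink = []
        ue.tick(now)
        if not ue.nas_connected:
            break
    return {"tmsi": ue.tmsi, "updated": ue.tmsi_updated,
            "config_updates_sent": amf.sent, "released_at": now}
```

With the legacy `hold_ticks=0` the connection is gone before the retransmission arrives and the old TMSI stays in use; a hold timer sized from the AMF retransmission interval (here more than one interval, as the last implementation above suggests) lets the retransmitted command land, and the UE still releases early as soon as the update completes. If the hold timer runs out without an update, the result feeds the "no updated temporary identity received" expiry condition of the first aspect.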
According to a third aspect, an embodiment of the present application provides a communication method, including: a terminal device in the registered state determines whether the temporary identity assigned to it by the network side has expired; when it determines that the temporary identity has expired, the terminal device initiates a deregistration procedure and then initiates an initial registration procedure using the encrypted permanent identity, in order to obtain an updated temporary identity from the network side.
Based on the above solution, when the terminal device determines that the temporary identity has expired, it initiates a deregistration procedure and initiates an initial registration procedure using the encrypted permanent identity to obtain an updated temporary identity from the network side, thereby updating the temporary identity. Because the updated temporary identity obtained by the terminal device in the initial registration procedure is security-protected and cannot be obtained by an attacker, the terminal device is prevented from being tracked by the attacker and user privacy is protected.
In a possible implementation, the terminal device determining that the temporary identity assigned to it by the network side has expired includes one or more of the following: the terminal device determines that a timer has expired, where the duration of the timer is used to determine the maximum time the terminal device waits to receive an updated temporary identity in the service request procedure; or the terminal device determines that the number of times it has received no reply after sending a service request message has reached a first threshold; or the terminal device did not update its temporary identity during the last non-access stratum (NAS) connection; or, when the terminal device has requested the mobility management network element to update the temporary identity, the terminal device did not receive an updated temporary identity.
In a possible implementation, the encrypted permanent identity is the subscription concealed identifier (SUCI) of the terminal device; or the encrypted permanent identity is obtained by encrypting the temporary identity, the temporary identity being a fifth generation temporary mobile subscriber identity (5G-TMSI); or the encrypted permanent identity is the remaining part of the SUCI of the terminal device after the home network identifier is removed.
According to a fourth aspect, an embodiment of the present application provides a communication method, including: a terminal device receives a second NAS message from a mobility management network element over a second NAS connection, where the second NAS message is sent by the mobility management network element after it has retransmitted a first NAS message to the terminal device over a first NAS connection the maximum number of times without receiving an acknowledgement; the first NAS message and the second NAS message contain an updated temporary identity of the UE; the terminal device obtains the updated temporary identity from the second NAS message.
Optionally, the first NAS connection corresponds to a first access type and the second NAS connection corresponds to a second access type, where the first access type is one of 3GPP access and non-3GPP access, and the second access type is the other of the two.
Based on this solution, when transmission of the updated temporary identity of the terminal device over the first access type fails, the terminal device and the core network can transmit the updated temporary identity over the second access type, so that the terminal device can update its temporary identity, thereby preventing the terminal device from being tracked by an attacker and protecting user privacy.
In a possible implementation, the first NAS message is a configuration update request message and the second NAS message is a configuration update request message; or the first NAS message is a NAS session management transport message and the second NAS message is a NAS session management transport message.
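The fourth aspect above, as an added two-channel delivery model (example code, not from the patent or from Huawei): the AMF carries the UE's updated identity in a first NAS message over the first NAS connection, retransmits it up to a maximum count while no acknowledgement comes back, and only then sends a second NAS message with the same identity over the second NAS connection, which belongs to the other access type. The channels are modelled as callables that return True when the UE acknowledged the message; `make_channel`, the access-type labels `"3gpp"` and `"non-3gpp"`, the retransmission limit and the message shapes are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# A channel takes a NAS message and returns True when the UE acknowledged it.
Channel = Callable[[dict], bool]


@dataclass
class Ue:
    """UE side: a NAS message carrying the updated identity refreshes the TMSI,
    whichever NAS connection it arrived on."""
    tmsi: str
    received: List[Tuple[str, str]] = field(default_factory=list)  # (access type, message type)

    def receive(self, access: str, msg: dict) -> bool:
        self.received.append((access, msg["type"]))
        self.tmsi = msg["new_tmsi"]
        return True  # acknowledgement back to the AMF


def make_channel(ue: Ue, access: str, drop: int) -> Channel:
    """Constructed link model: the first `drop` sends are lost (no ack), the rest
    reach the UE.  drop=-1 means the link never delivers."""
    state = {"tries": 0}

    def send(msg: dict) -> bool:
        state["tries"] += 1
        if drop < 0 or state["tries"] <= drop:
            return False
        return ue.receive(access, msg)
    return send


def deliver_updated_tmsi(new_tmsi: str, first: Tuple[str, Channel], second: Tuple[str, Channel],
                         max_retransmits: int = 2, msg_type: str = "CONFIG_UPDATE_COMMAND") -> dict:
    """AMF side: send over the first NAS connection, retransmit up to
    max_retransmits times without an acknowledgement, then send the same
    identity once over the second NAS connection (the other access type)."""
    first_access, first_chan = first
    second_access, second_chan = second
    msg = {"type": msg_type, "new_tmsi": new_tmsi}
    attempts = 0
    for attempts in range(1, max_retransmits + 2):    # initial send plus retransmissions
        if first_chan(msg):
            return {"delivered_via": first_access, "first_attempts": attempts, "used_second": False}
    ok = second_chan(dict(msg))                        # second NAS message, same identity
    return {"delivered_via": second_access if ok else None,
            "first_attempts": attempts, "used_second": True}


def demo() -> Tuple[dict, Ue]:
    """3GPP access never delivers the Configuration Update Command here; the
    non-3GPP NAS connection does."""
    ue = Ue(tmsi="tmsi-OLD")
    result = deliver_updated_tmsi(
        "tmsi-NEW",
        first=("3gpp", make_channel(ue, "3gpp", drop=-1)),
        second=("non-3gpp", make_channel(ue, "non-3gpp", drop=0)),
        max_retransmits=2)
    return result, ue
```

The same routine covers the NAS session management transport variant named in the last implementation above by passing `msg_type="NAS_SM_TRANSPORT"`; the UE-side handling does not depend on the message type, only on the presence of the new identity.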
In a fifth aspect, an embodiment of this application provides a communication method, including: a mobility management network element receives a first message from a terminal device that is in the registered state, the first message carrying an encrypted permanent identity of the terminal device and a routing identifier of the mobility management network element; the mobility management network element sends the encrypted permanent identity to a decryption network element; and the mobility management network element receives the decrypted identity from the decryption network element.
With this solution, to avoid being tracked, the terminal device sends an encrypted permanent identity in place of its existing 5G-TMSI. Compared with the prior art, the 5G-TMSI held by the terminal device is left unchanged, but it is not used directly on the air; an encrypted permanent identity is used instead, so an attacker cannot obtain the terminal device's identity and therefore cannot track its location.
In a possible implementation, the encrypted permanent identity is the SUCI of the terminal device; or the encrypted permanent identity is obtained by encrypting the temporary identity of the terminal device, the temporary identity being the 5G-TMSI; or the encrypted permanent identity is the remainder of the terminal device's SUCI after the home network identifier is removed.
In a possible implementation, the mobility management network element determines, from the type of the first message and/or the format of its content, that the first message does not carry a 5G-TMSI, and then determines the decryption network element from the encrypted permanent identity.
In a possible implementation, the first message is a service request message, a periodic registration message, or a mobility registration message.
In a sixth aspect, an embodiment of this application provides a communication method, including: a mobility management network element receives a service request message from a terminal device, the service request message carrying a first identity; the mobility management network element sends first indication information to the terminal device, the first indication information instructing the terminal device to keep the NAS connection; and the mobility management network element sends a configuration update request message to the terminal device, the configuration update request message carrying a second identity.
With this solution, the terminal device refrains from releasing the NAS connection for a period of time and waits for the configuration update procedure to take place, which ensures that the update of the terminal device's identity completes; this prevents an attacker from tracking the terminal device and protects user privacy.
In a possible implementation, the mobility management network element sending the first indication information to the terminal device includes: the mobility management network element sends a service response message to the terminal device, and the service response message carries the first indication information.
In a possible implementation, before the mobility management network element sends the configuration update request message to the terminal device, the method further includes: the mobility management network element receives a NAS message from the terminal device, the NAS message requesting that the mobility management network element send an updated temporary identity.
With this solution, after keeping the NAS connection the terminal device can actively ask the mobility management network element for an updated temporary identity, which saves time and raises the likelihood that the updated temporary identity is actually obtained.
In a possible implementation, the NAS message carries second indication information, and the second indication information requests that the mobility management network element send an updated temporary identity.
In a seventh aspect, an embodiment of this application provides a communication method applied to a mobility management network element, where a terminal device has established a first NAS connection with the mobility management network element over a first access type and a second NAS connection with it over a second access type. The method includes: the mobility management network element determines that the number of retransmissions of a first NAS message to the terminal device over the first NAS connection has reached the maximum and that no acknowledgement has been received, the first NAS message being used to update the temporary identity of the terminal device; and the mobility management network element sends a second NAS message to the terminal device over the second NAS connection, the second NAS message carrying the updated temporary identity of the terminal device.
With this solution, when transmission of the terminal device's updated temporary identity over the first access type fails, the terminal device and the core network can transmit the updated temporary identity over the second access type, so that the terminal device still obtains a fresh temporary identity; this prevents an attacker from tracking the terminal device and thereby protects user privacy.
In a possible implementation, the first access type is 3GPP access and the second access type is non-3GPP access; or the first access type is non-3GPP access and the second access type is 3GPP access. In a possible implementation, the first NAS message and the second NAS message are both configuration update request messages; or the first NAS message and the second NAS message are both NAS session management transport messages.
In a possible implementation, the maximum number of retransmissions is 5.
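The retransmission limit and access fallback of the seventh aspect as a runnable simulation, added here for illustration; it is not code from the application. The message shapes, the acknowledgement type `configuration_update_complete`, retrying on the second connection as well, and the simulated UE that drops every message on one access are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

MAX_RETRANSMISSIONS = 5      # the maximum number given in the seventh aspect
ACCESS_TYPES = ("3gpp", "non-3gpp")


@dataclass
class NasConnection:
    """One NAS connection of a UE; `deliver` stands in for the transport and returns
    the UE's acknowledgement, or None when the message is lost (assumed shape)."""
    access: str
    deliver: Callable[[dict], Optional[dict]]
    sent: List[dict] = field(default_factory=list)


@dataclass
class UeContext:
    supi: str
    tmsi: int
    connections: Dict[str, NasConnection]


def send_with_retries(conn: NasConnection, msg: dict) -> bool:
    """Send and retransmit until acknowledged; give up after MAX_RETRANSMISSIONS attempts."""
    for attempt in range(1, MAX_RETRANSMISSIONS + 1):
        conn.sent.append(dict(msg, attempt=attempt))
        ack = conn.deliver(msg)
        if ack is not None and ack.get("type") == "configuration_update_complete":
            return True
    return False


def update_tmsi(ctx: UeContext, first_access: str, new_tmsi: int) -> dict:
    """AMF side of the seventh aspect: push the updated 5G-TMSI over the first NAS
    connection; if the retransmission limit is reached without an acknowledgement,
    send the same identity over the UE's other NAS connection. The AMF records the
    new identity only once the UE has acknowledged it, so UE and AMF never disagree."""
    msg = {"type": "configuration_update_request", "new_tmsi": new_tmsi}
    order = [first_access] + [a for a in ACCESS_TYPES if a != first_access]
    for access in order:
        conn = ctx.connections.get(access)
        if conn is None:
            continue                      # UE is registered over one access only
        if send_with_retries(conn, msg):
            ctx.tmsi = new_tmsi
            return {"updated": True, "via": access}
    return {"updated": False, "via": None}   # stale identity stays in use: tracking exposure


def make_ue(blocked: Set[str], ue_state: dict) -> Callable[[str], Callable[[dict], Optional[dict]]]:
    """Simulated UE (constructed for this example): acknowledges and adopts the new
    5G-TMSI unless the access is blocked, e.g. by a man-in-the-middle on the radio path."""
    def deliver_on(access: str):
        def deliver(msg: dict) -> Optional[dict]:
            if access in blocked:
                return None
            ue_state["tmsi"] = msg["new_tmsi"]
            return {"type": "configuration_update_complete"}
        return deliver
    return deliver_on
```

Running `update_tmsi` for a UE whose 3GPP path is blocked shows five attempts on the 3GPP connection followed by a single successful delivery over non-3GPP; a UE registered over the blocked access only keeps its old 5G-TMSI, which is exactly the case the sixth aspect's keep-NAS-connection indication is meant to shorten.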
In an eighth aspect, an embodiment of this application provides a communication apparatus, which may be a terminal device or a chip for a terminal device. The apparatus has the functions for implementing any one of the first to fourth aspects or any embodiment of the first to fourth aspects. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
In a ninth aspect, an embodiment of this application provides a communication apparatus, which may be a mobility management network element or a chip for a mobility management network element. The apparatus has the functions for implementing any one of the fifth to seventh aspects or any embodiment of the fifth to seventh aspects. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
In a tenth aspect, an embodiment of this application provides a terminal device including a processor and a memory. The memory stores computer-executable instructions, and when the terminal device runs, the processor executes the computer-executable instructions stored in the memory so that the terminal device performs the method of any one of the first to fourth aspects or any embodiment of the first to fourth aspects.
In an eleventh aspect, an embodiment of this application provides a mobility management network element including a processor and a memory. The memory stores computer-executable instructions, and when the mobility management network element runs, the processor executes the computer-executable instructions stored in the memory so that the mobility management network element performs the method of any one of the fifth to seventh aspects or any embodiment of the fifth to seventh aspects.
In a twelfth aspect, an embodiment of this application provides a communication apparatus including a processor and a memory. The memory stores a computer program, and the processor calls and runs the computer program from the memory to perform the method of any one of the first to seventh aspects or any embodiment of the first to seventh aspects.
In a thirteenth aspect, an embodiment of this application provides a processor configured to perform the method of any one of the first to seventh aspects or any embodiment of the first to seventh aspects.
In a fourteenth aspect, an embodiment of this application provides a chip system including a processor and a memory. The memory stores a computer program, and the processor calls and runs the computer program from the memory so that the device in which the chip system is installed performs the method of any one of the first to seventh aspects or any embodiment of the first to seventh aspects.
In a fifteenth aspect, an embodiment of this application provides a computer-readable storage medium containing a computer program which, when run on a computer, causes the computer to perform the method of any one of the first to seventh aspects or any embodiment of the first to seventh aspects.
In a sixteenth aspect, an embodiment of this application provides a computer program product containing a computer program which, when run on a computer, causes the computer to perform the method of any one of the first to seventh aspects or any embodiment of the first to seventh aspects.
In a seventeenth aspect, an embodiment of this application provides a communication apparatus configured to perform the method of any one of the first to fourth aspects or any embodiment of the first to fourth aspects.
In an eighteenth aspect, an embodiment of this application provides a communication apparatus configured to perform the method of any one of the fifth to seventh aspects or any embodiment of the fifth to seventh aspects.
Description of the drawings
Fig. 1 is a schematic diagram of a 5G network architecture;
Fig. 2 is a schematic flowchart of an attacker tracking a terminal device through a man-in-the-middle in the prior art;
Fig. 3A is a schematic flowchart of a communication method provided by an embodiment of this application;
Fig. 3B is a schematic flowchart of another communication method provided by an embodiment of this application;
Fig. 4 is a schematic flowchart of another communication method provided by an embodiment of this application;
Fig. 5 is a schematic flowchart of another communication method provided by an embodiment of this application;
Fig. 6 is a schematic diagram of a communication apparatus provided by an embodiment of this application;
Fig. 7 is a schematic diagram of another communication apparatus provided by an embodiment of this application;
Fig. 8 is a schematic diagram of a terminal device provided by an embodiment of this application;
Fig. 9 is a schematic diagram of a mobility management network element provided by an embodiment of this application.
Description of embodiments
Fig. 1 is a schematic diagram of a fifth generation (5G) network architecture. The architecture shown in Fig. 1 may include three parts: the terminal device, the data network (DN) and the operator network. The functions of some of the network elements are briefly introduced below.
The operator network includes, but is not limited to, one or more of the following network elements: a policy control function (PCF) network element, an application function (AF) network element, an access and mobility management function (AMF) network element, a session management function (SMF) network element, an access network, a user plane function (UPF) network element, a unified data repository (UDR) (not shown in the figure) and a unified data management (UDM) network element (not shown in the figure). The part of the operator network other than the access network may be referred to as the core network.
A terminal device is a device with a wireless transceiver function. It may be deployed on land (indoors or outdoors, handheld or vehicle-mounted), on water (for example on a ship) or in the air (for example on an aircraft, a balloon or a satellite). The terminal device may be a mobile phone, a tablet (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, self driving, remote medical, smart grid, transportation safety, smart city or smart home applications, user equipment (UE), and so on.
The terminal device can establish a connection with the operator network over an interface the operator network provides (for example N1) and use the data and/or voice services the operator network offers. The terminal device can also reach a data network through the operator network and use operator services deployed on the data network and/or services provided by a third party. The third party is a service provider other than the operator network and the terminal device, and may provide the terminal device with data, voice and other services; its concrete form depends on the application scenario and is not limited here.
The access network is a sub-network of the operator network and is the system implemented between the operator network's service nodes and the terminal device. To access the operator network, the terminal device first goes through the access network, and through it connects to the operator network's service nodes. Access networks include 3rd generation partnership project (3GPP) access networks and non-3GPP access networks. The access device in a 3GPP access network may be called a radio access network (RAN) device.
A RAN device provides terminal devices with wireless communication functions. RAN devices include, but are not limited to: the next generation base station (gNB) in 5G, the evolved node B (eNB), the radio network controller (RNC), the node B (NB), the base station controller (BSC), the base transceiver station (BTS), home base stations (for example a home evolved node B or home node B, HNB), the baseband unit (BBU), the transmitting and receiving point (TRP), the transmitting point (TP), the mobile switching center, and so on.
The access device in a non-3GPP access network may be called a non-3GPP interworking function (N3IWF) device. N3IWF devices may include, for example, routers, WiFi devices and Bluetooth devices.
The AMF network element is responsible for access and mobility management. It terminates the N2 interface and non-access stratum (NAS) messages, performs registration management, connection management, reachability management, allocation of the tracking area list (TA list) and mobility management, and transparently routes session management messages to the SMF.
The SMF network element is responsible for session management, allocation and management of the UE's internet protocol (IP) address, allocation and selection of the user plane anchor function, and (re)selection of the UPF and the user plane path.
The UPF network element is responsible for routing and forwarding of data packets, lawful interception, buffering of downlink data packets and triggering downlink data notification messages.
The AF network element mainly conveys the requirements of the application side to the network side, for example quality of service (QoS) requirements or subscriptions to user state events. The AF may be a third-party functional entity or an application service deployed by the operator, such as the IP multimedia subsystem (IMS) voice call service.
The PCF network element is mainly responsible for policy control functions at the session and service flow level, such as charging, QoS bandwidth guarantees, mobility management and UE policy decisions. In this architecture the PCFs connected to the AMF and to the SMF are the AM PCF (PCF for access and mobility control) and the SM PCF (PCF for session management) respectively; in a real deployment they may not be the same PCF entity.
The UDR is mainly responsible for storing and retrieving subscription data, policy data, application data and other types of data.
The UDM network element is mainly responsible for managing subscription data, user access authorization and similar functions.
The DN is a network outside the operator network. An operator network can connect to several DNs, and a variety of services can be deployed on a DN to provide terminal devices with data, voice and other services. For example, the DN may be the private network of a smart factory: the sensors installed in its workshops are terminal devices, and a control server for the sensors is deployed in the DN; the sensors communicate with the control server, receive its instructions and, as instructed, send the collected sensor data to it. As another example, the DN may be a company's internal office network: the employees' phones or computers are terminal devices and can access the information and data resources on that network.
It is to be understood that the network elements or functions above may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example a cloud platform). Optionally, a network element or function may be implemented by one device or jointly by several devices, or may be a functional module within one device; the embodiments of this application do not limit this.
The mobility management network element, session management network element, policy control network element, data management network element and user plane network element in the embodiments of this application may be the AMF, SMF, PCF, UDM and UPF of Fig. 1 respectively, or network elements with the corresponding functions in a future system such as a sixth generation (6G) network; this is not limited here. For convenience, the embodiments are described with the AMF, SMF, PCF, UDM and UPF as the mobility management, session management, policy control, data management and user plane network elements respectively, and with a UE as the terminal device.
To aid understanding of the embodiments, some of the terms used in this application are explained first.
1. 5G globally unique temporary UE identity (5G-GUTI)
The 5G-GUTI is allocated to the UE by the AMF in order to protect the UE's subscription permanent identifier (SUPI). Once a 5G-GUTI has been allocated, the UE and the network communicate using the 5G-GUTI rather than the SUPI, so the SUPI is not exposed.
The 5G-GUTI consists of two parts: the globally unique AMF identifier (GUAMI) and the 5G-TMSI. The GUAMI identifies the AMF that allocated the 5G-GUTI, and the 5G-TMSI identifies the UE within that AMF; that is, the 5G-TMSI is the UE's identity.
<GUAMI> = <MCC><MNC><AMF Region ID><AMF Set ID><AMF Pointer>, where MCC is the mobile country code, MNC is the mobile network code, AMF Region ID is the region identifier of the AMF, AMF Set ID is the identifier of the AMF set the AMF belongs to (an AMF set contains several AMF instances), and AMF Pointer designates a specific AMF instance within the set.
After the UE enters the network, the AMF allocates it a 5G-TMSI bound to its SUPI, and the 5G-TMSI remains unchanged for a certain period of time.
When the UE initiates a service request, it carries the 5G-GUTI in the service request message to identify itself.
2. 5G serving temporary mobile subscriber identity (5G-S-TMSI)
The 5G-S-TMSI is a shortened form of the 5G-GUTI used in radio signalling procedures such as paging or the service request; for example, the RAN device carries the 5G-S-TMSI in the paging message. Here 5G-S-TMSI = <AMF Region ID><AMF Set ID><AMF Pointer><5G-TMSI>. (3GPP TS 23.003 defines the 5G-S-TMSI as <AMF Set ID><AMF Pointer><5G-TMSI>, 48 bits, without the AMF Region ID; the composition above is the one given in this application.)
Both the 5G-GUTI and the 5G-S-TMSI therefore contain the 5G-TMSI.
3. Subscription concealed identifier (SUCI)
The SUCI is the encrypted form of the SUPI, that is, it is obtained by encrypting the SUPI. SUCI = <SUPI type><home network ID><Routing indicator><Protection Scheme ID><Home Network Public key id><Scheme Output>.
SUPI type gives the type of the SUPI: 0 for an international mobile subscriber identity (IMSI), 1 for a network-specific identifier. <home network ID> is the home network identifier and plays the same role as <MCC><MNC>. <Routing indicator> is routing information that selects the AUSF and UDM instances serving the UE's subscriber identity module (SIM) card. <Protection Scheme ID> identifies the protection scheme, <Home Network Public key id> identifies the home network public key, and <Scheme Output> is the ciphertext produced by encrypting the SUPI.
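The identity formats above, and the AMF-side decision of the fifth aspect (detecting from the message type and the format of the identity that no 5G-TMSI is present, then selecting the decryption network element from the concealed identity), as an added worked example; this is illustrative code written for this page, not code from the application or from 3GPP. Field widths are taken from 3GPP TS 23.003 and the 5G-S-TMSI is built in its 48-bit TS 23.003 form; the hyphenated SUCI text form, the routing table `DECRYPTION_NE`, the `ue_contexts` store and the PLMN 460/00 sample values are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, Union

# Bit widths from 3GPP TS 23.003: AMF Region ID 8, AMF Set ID 10, AMF Pointer 6, 5G-TMSI 32.
REGION_BITS, SET_BITS, PTR_BITS, TMSI_BITS = 8, 10, 6, 32


@dataclass(frozen=True)
class Guti5G:
    """5G-GUTI = <GUAMI><5G-TMSI>, GUAMI = <MCC><MNC><AMF Region ID><AMF Set ID><AMF Pointer>."""
    mcc: str
    mnc: str
    region_id: int
    set_id: int
    pointer: int
    tmsi: int

    def __post_init__(self):
        for value, bits in ((self.region_id, REGION_BITS), (self.set_id, SET_BITS),
                            (self.pointer, PTR_BITS), (self.tmsi, TMSI_BITS)):
            if not 0 <= value < (1 << bits):
                raise ValueError("5G-GUTI field out of range")

    def amf_id(self) -> int:
        """24-bit AMF identifier: <AMF Region ID><AMF Set ID><AMF Pointer>."""
        return (self.region_id << (SET_BITS + PTR_BITS)) | (self.set_id << PTR_BITS) | self.pointer

    def s_tmsi(self) -> int:
        """48-bit 5G-S-TMSI as in TS 23.003: <AMF Set ID><AMF Pointer><5G-TMSI>."""
        return ((self.set_id << PTR_BITS | self.pointer) << TMSI_BITS) | self.tmsi


def tmsi_from_s_tmsi(s_tmsi: int) -> int:
    """What a listener on the paging channel recovers: the low 32 bits are the 5G-TMSI."""
    return s_tmsi & ((1 << TMSI_BITS) - 1)


def linkable(paging_s_tmsi: int, service_request_guti: Guti5G) -> bool:
    """A paging message and a later service request can be linked by an eavesdropper
    exactly when they carry the same 5G-TMSI; this is the tracking exposure described."""
    return tmsi_from_s_tmsi(paging_s_tmsi) == service_request_guti.tmsi


@dataclass(frozen=True)
class Suci:
    supi_type: int
    home_network_id: str     # <MCC><MNC>
    routing_indicator: str
    scheme_id: int
    hn_key_id: int
    scheme_output: str       # ciphertext of the SUPI; opaque to the AMF


def parse_suci(text: str) -> Suci:
    """Assumed text form: suci-<type>-<mcc>-<mnc>-<routing ind>-<scheme id>-<key id>-<output>.
    Only SUPI type 0 (IMSI) is handled here."""
    p = text.split("-")
    if len(p) != 8 or p[0] != "suci" or p[1] != "0":
        raise ValueError(f"unsupported SUCI: {text!r}")
    return Suci(int(p[1]), p[2] + p[3], p[4], int(p[5]), int(p[6]), p[7])


# Assumed routing table: (home network id, routing indicator) -> decryption NE (a UDM instance).
DECRYPTION_NE = {("46000", "0"): "udm-default", ("46000", "12"): "udm-12"}
FIRST_MESSAGE_TYPES = ("service_request", "periodic_registration", "mobility_registration")


def amf_on_first_message(msg_type: str, identity: Union[Guti5G, str],
                         ue_contexts: Dict[int, str]) -> dict:
    """AMF side of the fifth aspect: from the message type and the format of the identity
    decide whether a 5G-TMSI is present; if not, pick the decryption NE from the SUCI."""
    if msg_type not in FIRST_MESSAGE_TYPES:
        return {"action": "reject", "reason": "unexpected message type"}
    if isinstance(identity, Guti5G):          # 5G-TMSI present: ordinary context lookup
        supi = ue_contexts.get(identity.tmsi)
        if supi is None:
            return {"action": "reject", "reason": "unknown 5G-TMSI"}
        return {"action": "use_context", "supi": supi}
    suci = parse_suci(identity)               # no 5G-TMSI: forward ciphertext for decryption
    ne = DECRYPTION_NE.get((suci.home_network_id, suci.routing_indicator))
    if ne is None:
        return {"action": "reject", "reason": "no decryption NE for routing indicator"}
    return {"action": "deconceal", "decryption_ne": ne, "ciphertext": suci.scheme_output}
```

The AMF never needs to decrypt anything itself: it only needs the home network identifier and routing indicator, which are sent in the clear, to forward the scheme output to the right decryption network element, while the 5G-TMSI stays off the air.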
According to its registration with the network, a UE is either in the registered state or the deregistered state. In the deregistered state the UE is not connected to the network; the AMF holds no valid location or routing information for it and so cannot reach it. In the registered state the UE is registered with the network and can receive services that require registration.
In the deregistered state the UE attempts to register with the selected public land mobile network (PLMN) through the initial registration procedure, using the SUCI as its identity. The UE sends a registration message carrying the SUCI to the AMF; the AMF selects the UDM that handles the UE according to the routing indicator in the SUCI. The UDM computes the authentication vector from the stored UE root key and decrypts the concealed identity in the SUCI to obtain the UE's SUPI. The UE and the network then authenticate each other, and after successful authentication the AMF obtains the SUPI from the UDM. To prevent tracking, the SUCI the UE sends is different each time.
Within the registered state the UE is further either idle or connected. In the idle state there is no NAS signalling connection between the UE and the AMF; in the connected state a NAS signalling connection to the AMF has been established. Within the connected state there is also an inactive state, in which the UE retains the access stratum security context; in the idle state the UE does not retain the access stratum security context. From the idle state the UE enters the connected state through the service request procedure.
In the prior art, the UE risks being tracked: the UE may expose its identity, and an attacker who knows both the identity and the location of the UE can track it. For example, if the 5G-TMSI used by the UE is intercepted, the attacker can identify the UE from the 5G-TMSI and, combined with the UE's location, track it.
To prevent tracking, the existing standards require that the 5G-TMSI used by the UE be refreshed frequently. For example, during the UE's mobility registration or periodic registration procedure the AMF may send the UE a new 5G-TMSI; likewise, the AMF may send a new 5G-TMSI during or after a service request procedure initiated by the UE.
However, even though the AMF attempts to send a new 5G-TMSI in these procedures, an attacker can still track the UE. The attacker's method is described below with reference to Fig. 2.
Fig. 2 is a schematic flowchart of an attacker tracking a UE through a man-in-the-middle in the prior art. The man-in-the-middle here is a device that performs a man-in-the-middle attack, such as a false base station. The UE accesses the RAN device through the man-in-the-middle (that is, the man-in-the-middle attaches itself to the UE) and then connects to the AMF of the core network. Initially the UE accesses the core network through the initial registration procedure, during which the AMF allocates the UE a 5G-GUTI (called the first 5G-GUTI in the embodiments of this application) containing a 5G-TMSI (called the first 5G-TMSI). When the UE is idle and the AMF wants to establish a signalling connection with it or activate a user plane connection to transfer user plane data, the AMF sends a paging message to the RAN device, and the paging message contains the first 5G-TMSI.
The embodiment corresponding to FIG. 2 is described below and includes the following steps:
Step 201: The RAN device sends a paging message carrying the first 5G-TMSI to the idle UE.
The paging message is a broadcast message, so every UE, and the man-in-the-middle, can obtain the first 5G-TMSI.
Step 202: After the UE receives the paging message, a service request procedure is performed between the UE and the AMF. The service request procedure consists of an uplink service request message and a downlink service response message; see section 4.2.3 of TS 23.502 for details.
The service request message carries the first 5G-TMSI.
The service response message is either a service accept message or a service reject message.
Step 203: The AMF sends a configuration update request message to the UE, carrying the second 5G-TMSI.
Under existing standards, to prevent the UE from being tracked, the AMF must send a new 5G-TMSI to the UE (referred to in the embodiments of this application as the second 5G-TMSI).
Note that in practice the configuration update request message may carry a new 5G-GUTI (which may be referred to as the second 5G-GUTI), and that 5G-GUTI carries the second 5G-TMSI.
In the scheme above, the AMF sends the second 5G-TMSI to the UE in the configuration update procedure. Specifically, the configuration update procedure consists of a downlink configuration update request message sent by the AMF to the UE and an uplink configuration update complete message returned by the UE to the AMF. The configuration update procedure may take place within the service request procedure or after it ends. The second 5G-TMSI is carried in the configuration update request message and must be sent before the current NAS connection is released, that NAS connection being the one established in the service request procedure.
The configuration update request message is a downlink NAS message, forwarded through the RAN device and the man-in-the-middle. Although the configuration update request message is protected by NAS security, the information elements it carries are either mandatory or optional, and the optional ones are absent in most scenarios, so an attacker can judge from the message length whether a downlink NAS message is a configuration update request message carrying the second 5G-TMSI. That is, the attacker can identify and intercept the configuration update request message sent by the AMF to the UE.
Step 204: The man-in-the-middle discards the configuration update request message.
Note that because the configuration update request message is a security-protected NAS message, the man-in-the-middle cannot obtain the second 5G-TMSI from it. Consequently, once the UE receives the configuration update request message and updates its 5G-TMSI, that is, replaces the 5G-TMSI it uses with the second 5G-TMSI, the attacker can no longer track the UE.
To prevent the UE from updating its 5G-TMSI, the man-in-the-middle, after intercepting the configuration update request message of step 203, deliberately discards it. That is, the man-in-the-middle does not forward the configuration update request message to the UE, so the UE never receives it, cannot obtain the second 5G-TMSI, and therefore cannot update its 5G-TMSI. In other words, the 5G-TMSI used by the UE remains the first 5G-TMSI.
Furthermore, because the configuration update complete message of the configuration update procedure is also protected by NAS security, an attacker cannot forge it. Since the UE did not receive the configuration update request message, it naturally does not send a configuration update complete message to the AMF. According to the existing standard TS 24.501, after the AMF sends a configuration update request message it waits for the configuration update complete message and starts timer T3555. If the timer expires, the AMF retransmits the configuration update request message to the UE. After 4 retransmissions, on the 5th expiry, the AMF abandons the configuration update procedure. That is, after the AMF has sent the configuration update request message 5 times without receiving a configuration update complete message, it stops sending the configuration update request message and therefore stops sending the second 5G-TMSI.
Through steps 201 to 204 above, although the AMF attempts to send the updated 5G-TMSI (the second 5G-TMSI) to the UE when paging it, the man-in-the-middle can intercept and discard the configuration update request message that carries the second 5G-TMSI, so the UE cannot update its 5G-TMSI. Because the UE's 5G-TMSI is not updated, the UE is at risk of being tracked.
The way the man-in-the-middle then tracks the UE is described below; it mainly includes steps 205 to 206.
Step 205: If the man-in-the-middle wants to actively track the UE's location, it broadcasts a paging message carrying the first 5G-TMSI to all UEs.
This step is optional: step 205 is performed when the man-in-the-middle wants to actively track the UE; otherwise it need not be performed.
The first 5G-TMSI held by the man-in-the-middle is the one obtained in step 201 above.
Step 206: The UE initiates a service request procedure and carries the first 5G-TMSI in the service request message.
Because the first 5G-TMSI is not protected by encryption, the man-in-the-middle can recognize the first 5G-TMSI carried in the service request message and thereby identify the UE; combined with the UE's current location, this achieves tracking of the UE.
Through steps 205 and 206 above, or through step 206 alone, the man-in-the-middle can track the UE.
Note that the man-in-the-middle can also track the UE repeatedly or in real time. Specifically, after sending the service request message the UE starts timer T3517 and waits for a downlink NAS message (the service response message). When the timer expires, the UE resends the service request message and increments by 1 the counter that records the number of service request retransmissions. If the counter exceeds 5, the UE stops sending service request messages for a period of time. The man-in-the-middle can therefore track the UE's location in real time for as long as the UE is retransmitting the service request message. Hence, to keep tracking the UE's location over a period of time, the man-in-the-middle discards the service request message carrying the first 5G-TMSI after intercepting it, causing the UE to retransmit it and enabling continuous tracking.
Further, if the UE sends the service request message because it received a paging message, the number of service request retransmissions is not limited. In other words, as long as the man-in-the-middle actively pages the UE (step 205 above), the UE will retransmit the service request message without limit, and the period during which the UE can be tracked keeps growing.
From the above it can be seen that, although the AMF attempts to send the updated 5G-TMSI (the second 5G-TMSI) to the UE when paging it, the man-in-the-middle can intercept and discard the configuration update request message carrying the second 5G-TMSI, so the UE cannot update its 5G-TMSI. Because the 5G-TMSI is not updated, the UE is at risk of being tracked; moreover, the man-in-the-middle can track the UE continuously, so the UE is at risk of being exposed.
Note that the UE can also be tracked in another scenario. For example, after completing initial registration the UE obtains the first 5G-TMSI described above, and then steps 201 to 204 occur, so the UE's 5G-TMSI update fails and the UE continues to store the first 5G-TMSI. When the UE later initiates a periodic registration request message or a mobility registration request message, it carries the first 5G-TMSI; because the first 5G-TMSI is not encrypted, the man-in-the-middle can recognize it in that message, identify the UE and, combined with the UE's current location, track the UE.
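The prior-art flow above leaves a network-side trace: the AMF sends the configuration update request, T3555 expires, the request is retransmitted, and after the 5th expiry the update is abandoned without a configuration update complete ever arriving. The following is an added example, not code from the patent, showing how an operator could surface that pattern from AMF event records; the event names, log layout and subscriber labels are constructed for the illustration, and alerting on abandoned identity updates is an editorial suggestion rather than a mechanism the patent claims.

```python
"""Flag UEs whose 5G-TMSI update was abandoned after the retransmission budget.

Added example, not from the patent. Log format and event names are constructed;
a real AMF emits different records.
"""
import re
from collections import defaultdict

# From the page: initial send plus 4 retransmissions, abandoned on the 5th T3555 expiry.
MAX_ATTEMPTS = 5

LINE_RE = re.compile(
    r"t=(?P<t>\d+) ue=(?P<ue>\S+) evt=(?P<evt>\S+)(?: attempt=(?P<attempt>\d+))?"
)

# Constructed sample records:
#   sub-A: update never completes and is abandoned (the FIG. 2 pattern)
#   sub-B: completes on the first attempt
#   sub-C: still inside its retransmission budget (no alert yet)
SAMPLE_LOG = """\
t=100 ue=sub-A evt=CONFIG_UPDATE_REQ attempt=1
t=106 ue=sub-A evt=T3555_EXPIRED
t=106 ue=sub-A evt=CONFIG_UPDATE_REQ attempt=2
t=112 ue=sub-A evt=T3555_EXPIRED
t=112 ue=sub-A evt=CONFIG_UPDATE_REQ attempt=3
t=118 ue=sub-A evt=T3555_EXPIRED
t=118 ue=sub-A evt=CONFIG_UPDATE_REQ attempt=4
t=124 ue=sub-A evt=T3555_EXPIRED
t=124 ue=sub-A evt=CONFIG_UPDATE_REQ attempt=5
t=130 ue=sub-A evt=T3555_EXPIRED
t=130 ue=sub-A evt=CONFIG_UPDATE_ABANDONED
t=101 ue=sub-B evt=CONFIG_UPDATE_REQ attempt=1
t=102 ue=sub-B evt=CONFIG_UPDATE_COMPLETE
t=140 ue=sub-C evt=CONFIG_UPDATE_REQ attempt=1
t=146 ue=sub-C evt=T3555_EXPIRED
t=146 ue=sub-C evt=CONFIG_UPDATE_REQ attempt=2
"""


def summarize(log_text):
    """Per-UE counters: how many configuration update requests were sent,
    whether a configuration update complete was ever seen, and whether the
    AMF gave up. Malformed lines are skipped."""
    stats = defaultdict(
        lambda: {"attempts": 0, "completed": False, "abandoned": False, "last_t": 0}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ue"]]
        s["last_t"] = max(s["last_t"], int(m["t"]))
        if m["evt"] == "CONFIG_UPDATE_REQ":
            s["attempts"] += 1
        elif m["evt"] == "CONFIG_UPDATE_COMPLETE":
            s["completed"] = True
        elif m["evt"] == "CONFIG_UPDATE_ABANDONED":
            s["abandoned"] = True
    return dict(stats)


def find_stalled_identity_updates(log_text, max_attempts=MAX_ATTEMPTS):
    """UEs that exhausted the retransmission budget (or were explicitly
    abandoned) without the update ever completing; maps UE -> attempts.
    Such a UE keeps using its old 5G-TMSI, which is the precondition for the
    tracking described above."""
    return {
        ue: s["attempts"]
        for ue, s in summarize(log_text).items()
        if not s["completed"] and (s["abandoned"] or s["attempts"] >= max_attempts)
    }


if __name__ == "__main__":
    for ue, attempts in find_stalled_identity_updates(SAMPLE_LOG).items():
        print(f"identity update stalled for {ue} after {attempts} attempts")
```

A single stalled update can be a coverage hole or a crashed UE; the signal worth escalating is the same subscriber stalling repeatedly, or many subscribers stalling under one cell, which is what one would correlate next.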
To solve the above problems, the embodiments of this application provide several different methods by which the UE can complete the update of its identity; because the man-in-the-middle cannot obtain the updated temporary identity, the UE is prevented from being tracked.
Note that in the embodiments of this application the temporary identity the UE needs to update may be the 5G-TMSI described above or some other identity. For example, in future communication systems the temporary identity the UE wants to update is not limited to the 5G-TMSI and may be another identity.
For ease of description, the embodiments corresponding to FIG. 3A to FIG. 5 below take the case in which the temporary identity to be updated is the 5G-TMSI as an example.
As shown in FIG. 3A, an embodiment of this application provides a communication method. In this embodiment, the 5G-GUTI (comprising GUAMI and 5G-TMSI) that the UE sends in the prior art is replaced by the GUAMI and an encrypted permanent identity: the GUAMI serves as the routing identifier of the AMF and the encrypted permanent identity serves as the identifier of the UE, so that an attacker cannot obtain the UE's identity and therefore cannot track the UE, protecting the user's privacy. This embodiment applies to a service request procedure initiated by the UE from the registered state (for example the idle or inactive state), or to a periodic registration or mobility registration procedure performed by the UE in the registered state.
On the UE side, the method may be performed by the UE or by a component of the UE (such as a chip or circuit); on the network side, by the AMF or by a component of the AMF (such as a chip or circuit). For ease of description, the following takes the UE and the AMF as the executing entities.
The method includes the following steps:
Step 301a: The UE, in the registered state, determines whether the temporary identity allocated to it by the network side has expired.
Step 302a: If it determines that the temporary identity has expired, the UE sends a first message to the AMF through the access device, and the AMF receives the first message accordingly.
The first message contains the routing identifier of the AMF and an encrypted permanent identity. The routing identifier of the AMF is used by the access device to determine the AMF serving the UE; for example, it may be the GUAMI, which identifies the AMF.
In one implementation, the encrypted permanent identity is the SUCI, which is the identity obtained by encrypting the SUPI.
As introduced earlier, the <home network ID> in the SUCI represents the home network identifier and plays the same role as the <MCC><MNC> in the GUAMI. To save overhead, in another implementation the encrypted permanent identity may therefore be the remainder of the SUCI after removing the <home network ID>; that is, in this implementation the encrypted permanent identity may be <SUPI type><Routing indicator><Protection Scheme ID><Home Network Public key id><Scheme Output>.
In yet another implementation, the encrypted permanent identity may be obtained by encrypting the UE's temporary identity (such as the 5G-TMSI); that is, the encrypted permanent identity is an encrypted 5G-TMSI.
Note that because the first message carries an encrypted permanent identity, even an attacker who intercepts the first message cannot decrypt that identity, cannot identify the UE, and therefore cannot track the UE's location, which reduces the security risk.
Step 303a: The AMF sends a request message containing the encrypted permanent identity to the decryption network element (the figure takes the UDM as the decryption network element by way of example).
After receiving the first message, the AMF obtains from it the routing identifier of the AMF and the encrypted permanent identity. The AMF judges, from the type of the first message and/or the format of its content, whether the first message carries a 5G-TMSI. If it does, the AMF looks up the SUPI corresponding to the 5G-TMSI within the AMF. If it does not, the AMF uses the routing indicator in the encrypted permanent identity to find a decryption network element capable of decrypting the encrypted permanent identity (which may be the UDM or another network element) and sends it a request message containing the encrypted permanent identity, so that the decryption network element decrypts it.
Taking as an example a first message that is a service request message carrying <GUAMI><SUCI>: after receiving the first message, the AMF judges from the format of its content that the first message does not contain a 5G-TMSI, and then uses the routing indicator in the SUCI to find the decryption network element capable of decrypting the encrypted permanent identity. When the decryption network element is the UDM, the request message may be a Nudm_UEAuthentication_Get request message or another message.
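The AMF-side branch of steps 302a and 303a, together with the overhead-saving SUCI variant above, is shown in the following added example. It is not code from the patent or from any 3GPP implementation: the dataclasses, the routing table, the sample PLMN (test MCC 001 / MNC 01) and the scheme-output bytes are constructed, the identity field is modelled as either a 32-bit integer (5G-TMSI) or a structured SUCI rather than as the binary NAS information element, and the AMF restoring <home network ID> from the GUAMI before forwarding the SUCI is this editor's reading of the page, not a step the patent spells out.

```python
"""AMF handling of the first message: 5G-TMSI resolved locally, otherwise the
encrypted permanent identity is routed to the decryption network element by
its routing indicator. Added example; all values are constructed."""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Optional, Union


@dataclass(frozen=True)
class Guami:
    mcc: str
    mnc: str
    amf_region_id: int
    amf_set_id: int
    amf_pointer: int


@dataclass(frozen=True)
class Suci:
    """Field order follows the page: <SUPI type><Home Network ID><Routing indicator>
    <Protection Scheme ID><Home Network Public key id><Scheme Output>."""
    supi_type: int
    home_network_id: Optional[str]      # None in the stripped, overhead-saving variant
    routing_indicator: str
    protection_scheme_id: int
    home_network_public_key_id: int
    scheme_output: bytes                # opaque ciphertext; constructed placeholder below


@dataclass(frozen=True)
class FirstMessage:
    msg_type: str                       # "SERVICE_REQUEST" or "REGISTRATION_REQUEST"
    guami: Guami
    identity: Union[int, Suci]          # int: 32-bit 5G-TMSI; Suci: encrypted permanent identity


def strip_home_network_id(suci: Suci) -> Suci:
    """UE side: drop <home network ID>, which duplicates the GUAMI's <MCC><MNC>."""
    return replace(suci, home_network_id=None)


def restore_home_network_id(suci: Suci, guami: Guami) -> Suci:
    """AMF side (editor's assumption): rebuild the full SUCI from the GUAMI
    before forwarding it to the decryption network element."""
    if suci.home_network_id is not None:
        return suci
    return replace(suci, home_network_id=guami.mcc + guami.mnc)


@dataclass
class Amf:
    tmsi_to_supi: dict                  # 5G-TMSI (int) -> SUPI, held locally by the AMF
    udm_by_routing_indicator: dict      # routing indicator -> UDM instance name

    @staticmethod
    def carries_tmsi(msg: FirstMessage) -> bool:
        """The format-based check from the page: an integer identity field is a
        5G-TMSI; a structured SUCI is an encrypted permanent identity."""
        return isinstance(msg.identity, int)

    def handle(self, msg: FirstMessage) -> dict:
        if self.carries_tmsi(msg):
            tmsi = msg.identity
            if not 0 <= tmsi <= 0xFFFFFFFF:
                raise ValueError("5G-TMSI must fit in 32 bits")
            supi = self.tmsi_to_supi.get(tmsi)
            if supi is None:
                return {"action": "identity-unknown", "tmsi": tmsi}
            return {"action": "resolved-locally", "supi": supi}
        # Encrypted permanent identity: pick the decryption NF by routing indicator.
        suci = restore_home_network_id(msg.identity, msg.guami)
        udm = self.udm_by_routing_indicator.get(suci.routing_indicator)
        if udm is None:
            return {"action": "reject", "reason": "no decryption NF for routing indicator"}
        return {"action": "decrypt-request", "nf": udm,
                "service": "Nudm_UEAuthentication_Get", "suci": suci}


# Constructed sample data.
SAMPLE_GUAMI = Guami(mcc="001", mnc="01", amf_region_id=1, amf_set_id=1, amf_pointer=0)
SAMPLE_SUCI = Suci(supi_type=0, home_network_id="00101", routing_indicator="1234",
                   protection_scheme_id=1, home_network_public_key_id=3,
                   scheme_output=bytes(range(33)))   # placeholder, not real ECIES output


def build_sample_amf() -> Amf:
    return Amf(tmsi_to_supi={0x1234ABCD: "imsi-001010000000001"},
               udm_by_routing_indicator={"1234": "udm-instance-1"})


def demo_tmsi_message() -> dict:
    """Prior-art style message: <GUAMI><5G-TMSI>."""
    return build_sample_amf().handle(FirstMessage("SERVICE_REQUEST", SAMPLE_GUAMI, 0x1234ABCD))


def demo_stripped_suci_message() -> dict:
    """First message of the embodiment: <GUAMI> plus the SUCI without <home network ID>."""
    msg = FirstMessage("SERVICE_REQUEST", SAMPLE_GUAMI, strip_home_network_id(SAMPLE_SUCI))
    return build_sample_amf().handle(msg)
```

The type check on the identity field stands in for what a real AMF does with the NAS mobile identity IE, where the type-of-identity bits distinguish a 5G-GUTI from a SUCI.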
Step 304a: The UDM sends a response message carrying the decrypted identity to the AMF.
The decrypted identity may be the SUPI or the 5G-TMSI.
Optionally, the response message may be a Nudm_UEAuthentication_Get response message.
Note that the above decrypts the encrypted permanent identity in the UDM, but the embodiments of this application do not limit the decryption method.
Based on the above embodiment, to prevent tracking the UE uses the encrypted permanent identity in place of the original 5G-TMSI. Compared with the prior art, in the embodiments of this application the UE's 5G-TMSI remains unchanged, but the UE does not use the 5G-TMSI directly; it uses the encrypted permanent identity instead, so that an attacker cannot obtain the UE's identity information and therefore cannot track the UE's location.
The first message may be a service request message or a registration message (such as a mobility registration message or a periodic registration message); the two cases are described separately below.
Case 1: The first message is a service request message
In one implementation, the embodiment corresponding to FIG. 3A is performed within the service request procedure, in which case the first message is a service request message.
Optionally, when the first message is a service request message, the method by which the UE determines in step 301a whether the temporary identity allocated to it by the network side has expired may be any of the following:
Method 1: The UE determines that the first timer has expired and therefore determines that the temporary identity allocated to it by the network side has expired.
Before step 301a, the UE starts the first timer after sending the service request message in the service request procedure or after receiving the service response message. The timer's duration is the maximum time the UE waits in the service request procedure to receive an updated temporary identity.
The stop condition of the first timer is: the first timer expires, or the UE receives an updated 5G-TMSI sent by the AMF (the embodiments of this application call the UE's 5G-TMSI before the update the first 5G-TMSI and the updated 5G-TMSI the second 5G-TMSI).
When the first timer expires, the updated 5G-TMSI (the second 5G-TMSI) has not been received within the set time, so the UE judges that it may be being tracked, and this triggers the UE to encrypt its temporary identity.
Method 2: The UE determines that the number of times it has sent a service request message without receiving a reply has reached the first threshold, and therefore determines that the temporary identity allocated to it by the network side has expired. For example, the UE may maintain a counter initialized to 0. Before step 301a, after the first service request message is sent, the counter is incremented by 1 and the second timer is started. If the second timer expires, the UE restarts the second timer, resends the service request message and increments the counter by 1 again. When the number of service request retransmissions reaches the first threshold, the counter likewise reaches the first threshold, and the UE determines that the temporary identity allocated to it by the network side has expired. In other words, whenever the UE receives no reply (such as a service response message) after sending a service request message, it resends the service request message.
The stop condition of the second timer is: the UE receives the service response message sent by the AMF, or the second timer expires. The stop condition of the counter is: the preset first threshold is reached, or the service response message is received. That is, the counter counts the number of service request retransmissions and limits the maximum number to the preset first threshold, and the second timer controls how long the UE waits for a service response message after each service request message is sent.
When the counter reaches the first threshold, the UE has sent the service request message several times without receiving a service response message from the AMF; the UE judges that a tracking situation like the one described for FIG. 2 may be occurring, and this triggers the UE to encrypt its temporary identity.
Method 3: The UE did not update its temporary identity during the last NAS connection.
The last NAS connection may be the NAS connection established in the last service request procedure.
Taking the temporary identity to be the 5G-TMSI: because the 5G-TMSI was not updated during the last NAS connection, the 5G-TMSI currently used by the UE carries a security risk and may be tracked, so the UE is triggered to encrypt its identity.
Method 4: The UE requested that the AMF update the temporary identity but did not receive an updated temporary identity.
That is, the UE requested an update of the temporary identity but did not receive the updated temporary identity, so the update of the temporary identity failed.
Taking the temporary identity to be the 5G-TMSI: because the 5G-TMSI was not updated successfully, the 5G-TMSI currently used by the UE carries a security risk and may be tracked, so the UE is triggered to encrypt its identity.
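The four expiry tests of step 301a and the resulting identity choice of step 302a can be written as one small UE-side state machine. The following is an added example, not code from the patent: the timer lengths (FIRST_TIMER_S, SECOND_TIMER_S) and FIRST_THRESHOLD are assumed values since the page only names the timers, the counter and the threshold; time is passed in explicitly instead of using real timers; the first timer is started on receipt of the service response (the page allows either that or the moment of sending); and the encrypted permanent identity is taken as an opaque string supplied by the caller, because its construction (ECIES-based SUCI or an encrypted 5G-TMSI) is not the point here.

```python
"""UE-side expiry decision (methods 1-4) and first-message identity choice.
Added example; timer values and threshold are assumptions, not from the page."""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional

FIRST_TIMER_S = 10.0    # assumed: max wait for the updated 5G-TMSI in a service request procedure
SECOND_TIMER_S = 15.0   # assumed: wait for a service response before retransmitting
FIRST_THRESHOLD = 5     # assumed: unanswered service requests that count as "expired"


@dataclass
class FirstMessageIdentity:
    guami: str          # AMF routing identifier, present in both cases
    kind: str           # "5G-TMSI" (prior art) or "encrypted-permanent-id" (this embodiment)
    value: str


@dataclass
class UeIdentityState:
    guami: str
    tmsi: str                                       # the first 5G-TMSI currently held
    first_timer_deadline: Optional[float] = None    # method 1
    second_timer_deadline: Optional[float] = None   # method 2
    unanswered_requests: int = 0                    # method 2 counter
    updated_in_current_connection: bool = False     # method 3 bookkeeping
    updated_in_last_connection: bool = True         # method 3
    update_requested: bool = False                  # method 4 bookkeeping
    update_failed: bool = False                     # method 4

    # ---- events ----------------------------------------------------------
    def on_service_request_sent(self, now: float) -> None:
        """Count the request and (re)start the second timer."""
        self.unanswered_requests += 1
        self.second_timer_deadline = now + SECOND_TIMER_S

    def on_service_response(self, now: float) -> None:
        """Service accept/reject received: stop the second timer and counter,
        start the first timer that waits for the updated 5G-TMSI."""
        self.second_timer_deadline = None
        self.unanswered_requests = 0
        self.first_timer_deadline = now + FIRST_TIMER_S

    def tick(self, now: float) -> Optional[str]:
        """Second timer expired and retransmission budget not exhausted: the
        caller should resend the service request."""
        if (self.second_timer_deadline is not None
                and now >= self.second_timer_deadline
                and self.unanswered_requests < FIRST_THRESHOLD):
            return "RESEND_SERVICE_REQUEST"
        return None

    def on_update_requested(self) -> None:
        self.update_requested = True

    def on_tmsi_updated(self, new_tmsi: str) -> None:
        """Configuration update request carrying the second 5G-TMSI arrived."""
        self.tmsi = new_tmsi
        self.first_timer_deadline = None
        self.updated_in_current_connection = True
        self.update_requested = False
        self.update_failed = False

    def on_nas_connection_released(self) -> None:
        self.updated_in_last_connection = self.updated_in_current_connection
        self.update_failed = self.update_requested and not self.updated_in_current_connection
        self.updated_in_current_connection = False
        self.update_requested = False
        self.first_timer_deadline = None

    # ---- step 301a --------------------------------------------------------
    def expiry_reasons(self, now: float) -> List[str]:
        reasons = []
        if self.first_timer_deadline is not None and now >= self.first_timer_deadline:
            reasons.append("method1:first-timer-expired")
        if self.unanswered_requests >= FIRST_THRESHOLD:
            reasons.append("method2:unanswered-requests-threshold")
        if not self.updated_in_last_connection:
            reasons.append("method3:not-updated-in-last-nas-connection")
        if self.update_failed:
            reasons.append("method4:requested-update-not-received")
        return reasons

    # ---- step 302a --------------------------------------------------------
    def identity_for_first_message(self, now: float, encrypted_permanent_id: str) -> FirstMessageIdentity:
        if self.expiry_reasons(now):
            return FirstMessageIdentity(self.guami, "encrypted-permanent-id", encrypted_permanent_id)
        return FirstMessageIdentity(self.guami, "5G-TMSI", self.tmsi)


# ---- constructed scenarios ---------------------------------------------------
def scenario_no_service_response() -> List[str]:
    """Every service request goes unanswered (the retransmission pattern of FIG. 2)."""
    ue = UeIdentityState(guami="guami-A", tmsi="tmsi-1")
    now = 0.0
    ue.on_service_request_sent(now)
    while True:
        now = ue.second_timer_deadline          # jump to the next expiry
        if ue.tick(now) != "RESEND_SERVICE_REQUEST":
            break
        ue.on_service_request_sent(now)
    return ue.expiry_reasons(now)


def scenario_no_identity_update() -> List[str]:
    """Service accepted, but no updated 5G-TMSI within the first timer."""
    ue = UeIdentityState(guami="guami-A", tmsi="tmsi-1")
    ue.on_service_request_sent(0.0)
    ue.on_service_response(1.0)
    return ue.expiry_reasons(1.0 + FIRST_TIMER_S)


def scenario_release_without_update(request_update: bool) -> UeIdentityState:
    """NAS connection released with the 5G-TMSI unchanged (methods 3 and 4)."""
    ue = UeIdentityState(guami="guami-A", tmsi="tmsi-1")
    ue.on_service_request_sent(0.0)
    ue.on_service_response(1.0)
    if request_update:
        ue.on_update_requested()
    ue.on_nas_connection_released()
    return ue
```

Once any reason fires, the next service request or registration message carries the GUAMI plus the encrypted permanent identity rather than the stale 5G-TMSI, which is exactly the substitution described for step 302a.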
Optionally, when the first message is a service request message, the method further includes, before step 301: the RAN device (also called the access device) sends a paging message carrying the first 5G-TMSI (the 5G-TMSI before the update) to the UE. The paging message is a broadcast message, so every UE, and the man-in-the-middle, can obtain the first 5G-TMSI.
Note that in the prior art the service request message sent by the UE carries <GUAMI><5G-TMSI>; because the 5G-TMSI is not protected by security measures such as encryption, the UE may be tracked by an attacker. With the scheme of the above embodiment, the service request message instead carries the GUAMI and an encrypted permanent identity, that is, the unprotected 5G-TMSI is replaced by the encrypted permanent identity, so an attacker cannot recover the identity from it and the UE cannot be tracked.
Case 2: The first message is a registration message (such as a mobility registration message or a periodic registration message)
In another implementation, the embodiment corresponding to FIG. 3A is performed within the registration procedure, in which case the first message is a registration message. Optionally, when the first message is a registration message, the method by which the UE determines in step 301a whether the temporary identity allocated to it by the network side has expired may be method 3 or method 4 of case 1 above.
Note that in the prior art the mobility registration message or periodic registration message sent by the UE carries <GUAMI><5G-TMSI>; because the 5G-TMSI is not protected by security measures such as encryption, the UE may be tracked by an attacker. With the scheme of the above embodiment, the mobility registration message or periodic registration message instead carries the GUAMI and an encrypted permanent identity, that is, the unprotected 5G-TMSI is replaced by the encrypted permanent identity, so an attacker cannot recover the identity from it and the UE cannot be tracked.
Furthermore, the UE's initial registration message carries the SUCI, which is already an encrypted permanent identity, so the operations of the above embodiment need not be performed for the initial registration message. However, the content carried by the first message of the embodiments of this application differs from that of the prior-art initial registration message: the prior-art initial registration message carries the SUCI, whereas the first message of the embodiments, when it is a mobility registration message or a periodic registration message, carries the GUAMI and an encrypted permanent identity, which may be the SUCI, an encrypted 5G-TMSI, or the remainder of the SUCI after removing the <home network ID>.
As shown in FIG. 3B, an embodiment of this application provides yet another communication method. In this embodiment the UE initiates a deregistration procedure, then initiates the registration procedure again and obtains a 5G-TMSI during that registration procedure; because the attacker cannot obtain this 5G-TMSI, the UE cannot be tracked, and the user's privacy is protected.
On the UE side, the method may be performed by the UE or by a component of the UE (such as a chip or circuit); on the network side, by the AMF or by a component of the AMF (such as a chip or circuit). For ease of description, the following takes the UE and the AMF as the executing entities.
The method includes the following steps:
Step 301b: The UE, in the registered state, determines whether the temporary identity allocated to it by the network side has expired.
Step 302b: If it determines that the temporary identity has expired, the UE initiates a deregistration procedure and then initiates an initial registration procedure using the encrypted permanent identity, so as to obtain an updated temporary identity from the network side.
The UE may determine whether the temporary identity allocated to it by the network side has expired using any of the four methods described for the embodiment corresponding to FIG. 3A; see the description above.
Based on this scheme, when the UE determines that its temporary identity has expired, it initiates the deregistration procedure and then uses the encrypted permanent identity to initiate the initial registration procedure, obtaining an updated temporary identity from the network side and thereby completing the update of the temporary identity. Because the updated temporary identity the UE obtains in the initial registration procedure is security-protected and cannot be obtained by an attacker, the UE is prevented from being tracked and the user's privacy is protected.
可选的,加密的永久身份标识为SUCI。Optionally, the encrypted permanent identity is SUCI.
可选的,UE进入去注册态后,可以执行以下一项或多项操作:删除UE上的临时身份标识(如5G-TMSI也称为第一5G-TMSI)、删除UE上的跟踪区标识列表、删除UE上的安全上下文。Optionally, after the UE enters the de-registration state, one or more of the following operations can be performed: delete the temporary identity on the UE (for example, 5G-TMSI is also called the first 5G-TMSI), delete the tracking area identity on the UE List and delete the security context on the UE.
As shown in FIG. 4, an embodiment of this application provides yet another communication method. On the UE side, the method may be performed by the UE or by a component for the UE (such as a chip or circuit); on the network side, it may be performed by the AMF or by a component for the AMF (such as a chip or circuit). For ease of description, the following uses the UE and the AMF performing the method as an example.
In the existing mechanism, the service request procedure and the configuration update procedure are independent of each other. The configuration update procedure may be performed during the service request procedure or after it. When the configuration update procedure is performed after the service request procedure, the following may occur: the UE may release the NAS connection after the service request procedure ends, so that the UE does not receive the configuration update request message and therefore cannot receive the updated 5G-TMSI.
In the embodiment corresponding to FIG. 4, decision logic is configured on the UE: when the UE has not received the updated 5G-TMSI, the UE keeps the NAS connection, and the UE may also actively request the updated 5G-TMSI from the AMF, so that the UE is prevented from using the same identity multiple times. Furthermore, when the UE cannot obtain the updated 5G-TMSI, the UE may enter the de-registered state, re-initiate the registration procedure, and obtain a new 5G-TMSI in the registration procedure. Because the 5G-TMSI in the registration procedure is security-protected and cannot be obtained by an attacker, the UE is prevented from being tracked by an attacker, which protects user privacy and security.
The method includes the following steps:
Step 401: A UE in the connected state sends a service request message carrying the first 5G-TMSI to the AMF. Correspondingly, the AMF receives the service request message.
The first 5G-TMSI is the 5G-TMSI currently used by the UE.
Step 402: The AMF sends a service response message to the UE. Correspondingly, the UE receives the service response message.
Before the service response message is sent, the AMF may not yet have performed the configuration update procedure, that is, the UE has not yet obtained the updated 5G-TMSI (called the second 5G-TMSI in this embodiment). Optionally, the AMF may carry first indication information in the service response message, the first indication information being used to instruct the UE to keep the NAS connection.
It should be noted that if, before the service response message is sent, the AMF has not yet performed the configuration update procedure, that is, the UE has not yet obtained the updated 5G-TMSI (the second 5G-TMSI), the AMF may also omit the first indication information from the service response message, and the UE itself determines that it has not obtained the updated 5G-TMSI and keeps the NAS connection. That is, after receiving the service response message and before preparing to release the NAS connection, the UE determines whether it has obtained the updated 5G-TMSI; if not, the UE keeps the NAS connection for a period of time.
Step 403: The UE starts a first timer and keeps the NAS connection until the first timer expires.
In one implementation, if the first indication information is carried in step 402, the UE starts the first timer according to the first indication information and keeps the NAS connection until the first timer expires.
In another implementation, if the first indication information is not carried in step 402, then after receiving the service response message the UE determines that it is about to release the NAS connection of the service request procedure between the UE and the AMF; at this point the UE determines whether it has obtained the updated 5G-TMSI, and if it determines that it has not, the UE starts the first timer and keeps the NAS connection until the first timer expires.
The first timer is stopped when the timer expires or when the UE receives a configuration update request message carrying the second 5G-TMSI from the AMF.
In one implementation, the duration of the first timer may be set by the UE vendor.
In another implementation, the duration of the first timer may be determined according to the retransmission interval with which the AMF sends the configuration update request message. For example, if the interval between two transmissions of the configuration update request message by the AMF is T and the AMF sends the configuration update request message at most 5 times, the first timer may be set to 5*T.
Step 404: The UE sends a NAS message to the AMF. Correspondingly, the AMF receives the NAS message.
The NAS message is used to instruct the AMF to send the updated 5G-TMSI.
In one implementation, the NAS message may be a standalone NAS message, and the name of the NAS message itself may be used to instruct the AMF to send the updated 5G-TMSI.
In another implementation, the NAS message may be an existing NAS message carrying second indication information, the second indication information being used to request the AMF to send the updated 5G-TMSI.
Step 404 is optional; that is, the UE may refrain from actively requesting the updated 5G-TMSI from the AMF and instead keep the NAS connection and wait for the AMF to send the updated 5G-TMSI.
Step 405: Before the UE releases the NAS connection, the AMF sends a configuration update request message carrying the second 5G-TMSI.
It should be noted that step 405 may be triggered by step 404, or may be sent on the AMF's own initiative when step 404 is not performed.
Step 406: After receiving the second 5G-TMSI, the UE sends a configuration update complete message to the AMF. Correspondingly, the AMF receives the configuration update complete message.
It should be noted that steps 405 and 406 are optional. For example, in a scenario where an attacker is tracking the UE, with reference to the description of the embodiment corresponding to FIG. 2, a man-in-the-middle intercepts the configuration update request message of step 405, so that the UE cannot obtain the configuration update request message and consequently does not send a configuration update complete message to the AMF.
Step 407: When a first condition is met, the UE enters the de-registered state, re-initiates the registration procedure, and obtains the second 5G-TMSI in the registration procedure.
This step is optional: if steps 404 to 406, or steps 405 to 406, are performed before the first timer expires, step 407 need not be performed.
The first condition here includes one or more of the following:
Condition 1: The first timer of step 403 expires.
Under condition 1, expiry of the first timer means that the UE has not received the updated 5G-TMSI (the second 5G-TMSI) and the period for keeping the NAS connection has elapsed; the UE will release the NAS connection and therefore will not receive the second 5G-TMSI, so the UE triggers entry into the de-registered state in order to re-initiate the registration procedure and obtain the updated 5G-TMSI in the registration procedure.
Condition 2: A second timer expires.
Here, on the premise that step 404 is performed, the UE starts the second timer after sending the NAS message, and the configuration update request message carrying the second 5G-TMSI is not received before the second timer expires. That is, expiry of the second timer means that the second 5G-TMSI is not received within a set period after the UE sends the NAS message.
Under condition 2, the UE actively requested the AMF to send the updated 5G-TMSI but did not receive the configuration update request message carrying the second 5G-TMSI; either the UE is being tracked and a man-in-the-middle discarded the configuration update request message, or network congestion caused the configuration update request message to be lost. In either case, the UE may trigger entry into the de-registered state in order to re-initiate the registration procedure and obtain the updated 5G-TMSI in the registration procedure.
Condition 3: A counter reaches a preset maximum count threshold.
On the premise that step 404 is performed, after sending the NAS message the UE starts a third timer and a counter (initially 0) and increments the counter by 1. If the configuration update request message carrying the second 5G-TMSI is not received before the third timer expires, step 404 is performed again, the third timer is restarted, and the counter is incremented by 1 again. If the counter reaches the preset maximum count threshold and the UE still has not received the second 5G-TMSI, this indicates that the UE will not receive the configuration update request message carrying the second 5G-TMSI. The counter reaching the preset maximum count threshold means the following: the UE does not receive the second 5G-TMSI after sending the NAS message, so the UE retransmits the NAS message; when the maximum number of retransmissions is reached and the UE still has not received the second 5G-TMSI, the UE stops sending the NAS message and determines that reception of the second 5G-TMSI has failed.
Under condition 3, the UE actively requested the AMF to send the updated 5G-TMSI but did not receive the configuration update request message carrying the second 5G-TMSI; either the UE is being tracked and a man-in-the-middle discarded the configuration update request message, or network congestion caused the configuration update request message to be lost. In either case, the UE may trigger entry into the de-registered state in order to re-initiate the registration procedure and obtain the updated 5G-TMSI in the registration procedure.
Optionally, when the UE enters the de-registered state, it may perform one or more of the following operations: delete the 5G-TMSI (the first 5G-TMSI) on the UE, delete the tracking area identity list on the UE, and delete the security context on the UE.
It should be noted that because the 5G-TMSI in the registration procedure is security-protected and cannot be obtained by an attacker, the UE is prevented from being tracked by an attacker, which protects user privacy and security. Optionally, the UE re-initiates the registration procedure with registration type "initial registration", carrying the SUCI as its identity.
Optionally, in the embodiments of this application, it may be stipulated that the UE configuration update procedure must be performed within the service request procedure, so as to ensure as far as possible that the UE receives the configuration update request message before the NAS connection of the service request procedure is released, thereby updating the 5G-TMSI.
Optionally, in the embodiments of this application, the second 5G-TMSI may be carried in the service response message of step 402. In that case, steps 403 to 407 need not be performed, and the service response message need not carry the first indication information. This approach saves signaling overhead and increases the probability that the UE receives the updated 5G-TMSI.
In another implementation, the first timer may instead be started after the UE sends the service request message, that is, step 403 is performed after step 401 and before step 402. The first timer is stopped when it expires or when the UE receives a configuration update request message carrying the updated 5G-TMSI. The duration of the first timer may be set according to the time normally taken from sending the service request message to receiving the configuration update request message. In this implementation, the service response message of step 402 need not carry the first indication information.
Based on the above embodiment, decision logic is added to the UE so that the UE does not release the NAS connection for a certain period and may actively request, or wait for, the configuration update procedure; in addition, considering that an abnormality may occur on the network side, the UE may return to the de-registered state and re-initiate the registration procedure to ensure that the 5G-TMSI update is completed, thereby preventing the UE from being tracked by an attacker and protecting user privacy and security.
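The UE-side decision logic of steps 401 to 407, including the three conditions that trigger step 407 and the de-registration and SUCI re-registration path that the FIG. 3B embodiment also uses, as an added example that is not code from the patent. Time is modelled in units of the AMF retransmission interval T, and every class, field and message name is an assumption.

```python
"""Added example (not code from the patent): a discrete-time model of the UE-side
decision logic of the FIG. 4 embodiment, steps 401 to 407. Time is counted in units
of the AMF's configuration update retransmission interval T; every class, field and
message name below is an assumption, and all identity values are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Ue:
    tmsi: Optional[str]              # 5G-TMSI currently in use (the first 5G-TMSI)
    suci: str                        # encrypted permanent identity for initial registration
    tai_list: List[str] = field(default_factory=lambda: ["TAI-1"])  # constructed
    security_context: Optional[str] = "NAS-ctx-1"                   # constructed
    registered: bool = True
    nas_connected: bool = False
    events: List[str] = field(default_factory=list)


class Amf:
    """Constructed AMF model. `drops` holds the 1-based configuration update request
    transmissions that never reach the UE (man-in-the-middle discard or congestion)."""

    def __init__(self, drops: set):
        self.drops = drops
        self.attempts = 0

    def service_response(self) -> dict:
        # Step 402: no configuration update has happened yet, so the response carries
        # the first indication information asking the UE to keep the NAS connection.
        return {"type": "SERVICE_RESPONSE", "keep_nas": True}

    def configuration_update(self) -> Optional[dict]:
        """Step 405: one (re)transmission of the request, or None if it was lost."""
        self.attempts += 1
        if self.attempts in self.drops:
            return None
        return {"type": "CONFIGURATION_UPDATE_REQUEST", "tmsi": "5G-TMSI-2"}

    def initial_registration(self, suci: str) -> str:
        # The 5G-TMSI allocated during registration is NAS-protected and cannot be
        # observed or dropped by the attacker in this model, so it is always delivered.
        return "5G-TMSI-3"


def service_request_procedure(ue: Ue, amf: Amf, max_retx: int = 5,
                              max_requests: int = 0) -> str:
    """Runs steps 401 to 407 and returns how the 5G-TMSI was finally updated.

    max_retx     -> first timer = max_retx * T (the embodiment's 5*T example)
    max_requests -> 0: step 404 not performed, the UE only waits (condition 1);
                    1: one request guarded by the second timer (condition 2);
                    >1: repeated requests with the counter of condition 3.
    """
    ue.nas_connected = True
    ue.events.append(f"401 SERVICE_REQUEST tmsi={ue.tmsi}")
    rsp = amf.service_response()
    ue.events.append(f"402 {rsp['type']} keep_nas={rsp['keep_nas']}")
    first_timer = max_retx           # step 403, measured in units of T
    elapsed = counter = 0
    new_tmsi = None
    while elapsed < first_timer:     # keep the NAS connection until the first timer expires
        if max_requests:
            if counter >= max_requests:
                ue.events.append("condition 2: second timer expired" if max_requests == 1
                                 else "condition 3: counter reached maximum")
                break
            counter += 1             # step 404: ask the AMF for the updated 5G-TMSI
            ue.events.append(f"404 NAS_REQUEST #{counter}")
        msg = amf.configuration_update()
        if msg is not None:
            new_tmsi = msg["tmsi"]
            break
        elapsed += 1                 # one interval T passed with nothing received
    if new_tmsi is not None:
        ue.tmsi = new_tmsi
        ue.events.append("406 CONFIGURATION_UPDATE_COMPLETE")
        ue.nas_connected = False
        return "configuration_update"
    if elapsed >= first_timer:
        ue.events.append("condition 1: first timer expired")
    # Step 407: enter the de-registered state, delete local state, re-register with SUCI.
    ue.nas_connected = False
    ue.registered = False
    ue.tmsi, ue.tai_list, ue.security_context = None, [], None
    ue.events.append("407 de-registered: deleted 5G-TMSI, TAI list, security context")
    ue.tmsi = amf.initial_registration(ue.suci)   # initial registration carrying SUCI
    ue.registered = True             # other state set up by registration is not modelled
    return "re_registration"
```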
As shown in FIG. 5, an embodiment of this application provides yet another communication method. On the UE side, the method may be performed by the UE or by a component for the UE (such as a chip or circuit); on the network side, it may be performed by the AMF or by a component for the AMF (such as a chip or circuit). For ease of description, the following uses the UE and the AMF performing the method as an example.
In this embodiment, in a dual-NAS-connection scenario, when the UE and the AMF fail to transmit a message over a first access type (corresponding to a first NAS connection), they may attempt transmission over a second access type (corresponding to a second NAS connection). The first access type is 3GPP access and the second access type is non-3GPP access; or the first access type is non-3GPP access and the second access type is 3GPP access. When the UE accesses the same AMF over both access types, both access types use the same NAS security context.
The method includes the following steps:
Step 501: The UE registers with the network over the first access type. At this point the UE is in the registered state on the first access type and in the de-registered state on the second access type.
Step 502: The UE registers with the network over the second access type. At this point the UE is in the registered state on both the first access type and the second access type.
During registration with the network over the first access type or the second access type, the UE obtains a temporary identity (for example, the first 5G-TMSI) from the AMF.
Step 503: The AMF determines that the number of retransmissions of a first NAS message to the UE over the first NAS connection has reached the maximum number and that no acknowledgement message has been received, where the first NAS message is used to update the temporary identity of the UE.
In this embodiment, the first NAS message is not successfully received by the UE, and every retransmission of the first NAS message by the AMF fails. The repeated retransmission failures may be because the first access type is under attack: the attacker intercepts the first NAS message and discards it, so the UE does not receive the NAS message and therefore does not send an acknowledgement message (also called a response message) to the AMF; when the AMF receives no acknowledgement message, it determines that transmission of the first NAS message has failed and retransmits the first NAS message. Alternatively, link congestion may prevent the first NAS message from being received by the UE.
Optionally, the maximum number of retransmissions of the first NAS message may be preset, for example to 5.
Step 504: The AMF sends a second NAS message to the UE over the second NAS connection, the second NAS message carrying the updated temporary identity of the UE (for example, the second 5G-TMSI).
Step 505: The UE obtains its updated temporary identity from the second NAS message.
Taking the first access type being 3GPP access, the second access type being non-3GPP access, and the temporary identity being the 5G-TMSI as an example: when the UE and the AMF fail to update the 5G-TMSI over the 3GPP access type, the AMF sends the second NAS message to the UE over the non-3GPP access type, the second NAS message carrying the updated 5G-TMSI (also called the second 5G-TMSI). After obtaining the second 5G-TMSI from the second NAS message, the UE passes the second 5G-TMSI to the lower layers on the 3GPP access side and replaces the first 5G-TMSI with the second 5G-TMSI, thereby updating the 5G-TMSI.
In one implementation, the first NAS message is a configuration update request message and the second NAS message is a configuration update request message.
In yet another implementation, the first NAS message is a NAS session management transport message and the second NAS message is a NAS session management transport message.
Based on the above embodiment, when transmission of the UE's temporary identity over the first access type fails, the UE and the core network may transmit the UE's temporary identity over the second access type, so that the UE can update its temporary identity, thereby preventing the UE from being tracked by an attacker and protecting user privacy and security.
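The AMF-side fallback of steps 503 to 505, as an added example that is not code from the patent: the AMF retransmits the first NAS message over the first NAS connection up to the maximum, then delivers the updated identity over the second NAS connection, and the UE replaces the first 5G-TMSI on both access sides. The link model, the shared security context check and every class, field and message name are assumptions.

```python
"""Added example (not code from the patent): AMF-side logic of the FIG. 5 embodiment.
The AMF retransmits the first NAS message over the first NAS connection up to a
maximum, and when no acknowledgement arrives it sends the updated temporary identity
over the second NAS connection. The link model, the shared security context check
and every class, field and message name are assumptions; identity values are constructed."""
from typing import Callable, Dict, List, Optional

MAX_RETX = 5               # maximum number of transmissions, the value the embodiment gives
SHARED_CTX = "NAS-ctx-A"   # both access types use the same NAS security context (constructed)


class Ue:
    def __init__(self, tmsi: str, ctx: str = SHARED_CTX):
        self.tmsi = tmsi                                      # first 5G-TMSI
        self.ctx = ctx
        self.registered = {"3GPP": True, "non-3GPP": True}    # steps 501 and 502 done
        self.lower_layers = {"3GPP": tmsi, "non-3GPP": tmsi}  # identity held per access side

    def receive(self, msg: dict, access_type: str) -> Optional[dict]:
        """Step 505: accept the message only if it is protected with the shared context,
        then pass the new 5G-TMSI to the lower layers of every access side."""
        if msg["ctx"] != self.ctx or msg["type"] != "CONFIGURATION_UPDATE_REQUEST":
            return None
        self.tmsi = msg["tmsi"]
        for side in self.lower_layers:
            self.lower_layers[side] = msg["tmsi"]
        return {"type": "CONFIGURATION_UPDATE_COMPLETE", "via": access_type}


class NasConnection:
    """Constructed link: `channel(msg)` returns the UE's acknowledgement, or None when
    the message is lost (an attacker discarding it, or congestion)."""

    def __init__(self, access_type: str, channel: Callable[[dict], Optional[dict]]):
        self.access_type = access_type
        self.channel = channel
        self.sent: List[dict] = []

    def send(self, msg: dict) -> Optional[dict]:
        self.sent.append(msg)
        return self.channel(msg)


def update_temporary_identity(first: NasConnection, second: NasConnection,
                              new_tmsi: str, max_retx: int = MAX_RETX) -> Dict[str, object]:
    """Steps 503 and 504: try the first connection up to max_retx times, then fall back."""
    msg = {"type": "CONFIGURATION_UPDATE_REQUEST", "tmsi": new_tmsi, "ctx": SHARED_CTX}
    for attempt in range(1, max_retx + 1):
        if first.send(msg) is not None:
            return {"delivered_via": first.access_type, "attempts": attempt}
    # Step 503: maximum reached with no acknowledgement -> step 504 on the second connection.
    attempts = max_retx + 1
    if second.send(msg) is not None:
        return {"delivered_via": second.access_type, "attempts": attempts}
    return {"delivered_via": None, "attempts": attempts}   # both access types failed


def run_attacked_3gpp_scenario():
    """Constructed scenario: every message on the 3GPP link is discarded, the non-3GPP
    link works. Returns (ue, result, first_connection, second_connection)."""
    ue = Ue("5G-TMSI-1")
    three_gpp = NasConnection("3GPP", lambda msg: None)
    non_3gpp = NasConnection("non-3GPP", lambda msg: ue.receive(msg, "non-3GPP"))
    result = update_temporary_identity(three_gpp, non_3gpp, "5G-TMSI-2")
    return ue, result, three_gpp, non_3gpp
```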
The foregoing mainly describes the solution provided in this application from the perspective of interaction between the network elements. It can be understood that, to implement the foregoing functions, each network element described above includes a corresponding hardware structure and/or software module for performing each function. A person skilled in the art will readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such implementation should not be considered to go beyond the scope of the present invention.
It can be understood that, in each of the foregoing method embodiments, the steps or operations implemented by the terminal device may also be implemented by a component (for example, a chip or circuit) configured in the terminal device, and the steps or operations implemented by the mobility management network element may also be implemented by a component (for example, a chip or circuit) configured in the mobility management network element.
The embodiments of this application further provide an apparatus for implementing any of the above methods; for example, an apparatus is provided that includes units (or means) for implementing each step performed by the terminal device in any of the above methods. As another example, another apparatus is provided that includes units (or means) for implementing each step performed by the mobility management network element in any of the above methods.
Refer to FIG. 6, which is a schematic diagram of a communication apparatus provided by an embodiment of this application. The apparatus is configured to implement the steps performed by the corresponding terminal device in the foregoing method embodiments. As shown in FIG. 6, the apparatus 600 includes a processing unit 610 and a transceiver unit 620.
In a first embodiment:
The processing unit 610 is configured to determine whether the temporary identity allocated to the apparatus by the network side has expired; the transceiver unit 620 is configured to, when it is determined that the temporary identity has expired, send a first message to the mobility management network element via an access device, the first message including a routing identifier of the mobility management network element and the encrypted permanent identity, where the routing identifier is used by the access device to determine the mobility management network element serving the communication apparatus.
In a possible implementation, the processing unit 610 determining that the temporary identity allocated by the network side has expired specifically includes one or more of the following: determining that a timer has expired, where the duration of the timer is used to determine the maximum time the communication apparatus waits to receive an updated temporary identity in a service request procedure; or determining that the number of times no reply is received after sending a service request message reaches a first threshold; or the temporary identity of the communication apparatus was not updated during the communication apparatus's last non-access stratum (NAS) connection; or, when the transceiver unit 620 has requested the mobility management network element to update the temporary identity, no updated temporary identity is received. In a possible implementation, the encrypted permanent identity is the SUCI of the terminal device; or the encrypted permanent identity is obtained by encrypting the temporary identity of the terminal device, the temporary identity of the terminal device being the 5G-TMSI; or the encrypted permanent identity is the remaining part of the SUCI of the terminal device after the home network identifier is removed.
In a possible implementation, the first message is a service request message, a periodic registration message, or a mobility registration message.
In a second embodiment:
The transceiver unit 620 is configured to send a service request message to the mobility management network element, the service request message including a first identity; the processing unit 610 is configured to start a timer when the NAS connection of the service request procedure between the terminal device and the mobility management network element needs to be released, the duration of the timer being the maximum time for which the NAS connection is kept; and the transceiver unit 620 is configured to receive a configuration update request message from the mobility management network element before the timer expires, the configuration update request message including a second identity.
In a possible implementation, the NAS connection of the service request procedure between the terminal device and the mobility management network element needing to be released includes: when the terminal device receives a service response message from the mobility management network element, the NAS connection of the service request procedure between the terminal device and the mobility management network element needs to be released.
In a possible implementation, the transceiver unit 620 is further configured to receive first indication information from the mobility management network element before the processing unit 610 starts the timer, the first indication information being used to instruct the terminal device to keep the NAS connection; or the processing unit 610 is further configured to determine that no updated temporary identity has been received.
In a possible implementation, the transceiver unit 620 is further configured to send a NAS message to the mobility management network element before receiving the configuration update request message from the mobility management network element, the NAS message being used to request the mobility management network element to send an updated temporary identity.
In a possible implementation, the NAS message includes second indication information, the second indication information being used to request the mobility management network element to send an updated temporary identity.
In a possible implementation, the duration of the timer is determined according to the retransmission interval with which the mobility management network element sends the configuration update request message; or the duration of the timer is preconfigured by the vendor of the terminal device.
In a third embodiment:
The processing unit 610 is configured to determine whether the temporary identity allocated to the apparatus by the network side has expired; the transceiver unit 620 is configured to, when it is determined that the temporary identity has expired, initiate a de-registration procedure and initiate an initial registration procedure using an encrypted permanent identity, so as to obtain an updated temporary identity from the network side.
在一种可能的实现方法中,处理单元610,具体用于确定网络侧给自身分配的临时身份标识过期包括以下一项或多项:确定定时器超时,其中所述定时器的时长用于确定在服务请求流程中通信装置等待接收更新的临时身份标识的最大时长;或者,确定发送服务请求消息后未收到回复的次数达到第一阈值;或者,通信装置在上次非接入层NAS连接过程中未更新通信装置的临时身份标识;或者,在收发单元620向所述移动性管理网元请求更新临时身份标识的情况下,未接收到更新的临时身份标识。In a possible implementation method, the processing unit 610, specifically configured to determine that the temporary identity assigned to itself by the network side expires, includes one or more of the following: determining that a timer expires, wherein the duration of the timer is used to determine In the service request process, the maximum length of time that the communication device waits to receive the updated temporary identity identifier; or, it is determined that the number of times that the service request message is not received after sending the service request message reaches the first threshold; or, the communication device connects to the NAS in the last non-access layer During the process, the temporary identity of the communication device is not updated; or, when the transceiver unit 620 requests the mobility management network element to update the temporary identity, the updated temporary identity is not received.
在一种可能的实现方法中,所述加密的永久身份标识为所述终端设备的签约隐藏标识SUCI;或者,所述加密的永久身份标识是对所述临时身份标识进行加密得到的,所述临时身份标识为第五代临时移动用户识别码5G-TMSI;或者,所述加密的永久身份标识为所述终端设备的SUCI除去归属网络标识后的剩余部分。In a possible implementation method, the encrypted permanent identity is the contract hidden identity SUCI of the terminal device; or, the encrypted permanent identity is obtained by encrypting the temporary identity, and The temporary identity is the fifth-generation temporary mobile user identification code 5G-TMSI; or, the encrypted permanent identity is the remaining part of the SUCI of the terminal device excluding the home network identity.
在第四个实施例中:In the fourth embodiment:
收发单元620,用于通过第二NAS连接从移动性管理网元接收第二NAS消息,所述第二NAS消息是所述移动性管理网元通过第一NAS连接向终端设备重传第一NAS消息的次数达到最大次数且未收到确认消息后发送的,所述第一NAS消息和所述第二NAS消息包含终端设备的更新的临时身份标识;处理单元610,用于从所述第二NAS消息获取所述更新的临时身份标识。The transceiving unit 620 is configured to receive a second NAS message from the mobility management network element through the second NAS connection, where the second NAS message is the mobility management network element retransmitting the first NAS to the terminal device through the first NAS connection The first NAS message and the second NAS message include the updated temporary identity identifier of the terminal device when the number of messages reaches the maximum number of times and the confirmation message is not received; the processing unit 610 is configured to send from the second The NAS message obtains the updated temporary identity.
在一种可能的实现方法中,所述第一NAS连接对应第一接入方式,所述第二NAS连接对应第二接入方式,所述第一接入方式为3GPP接入和非3GPP接入中的一个,所述第二接入方式为3GPP接入和非3GPP接入中的另一个。In a possible implementation method, the first NAS connection corresponds to a first access mode, the second NAS connection corresponds to a second access mode, and the first access mode is 3GPP access and non-3GPP access. In one of the access modes, the second access mode is the other of 3GPP access and non-3GPP access.
在一种可能的实现方法中,所述第一NAS消息为配置更新请求消息,所述第二NAS消息为配置更新请求消息;或者,所述第一NAS消息为NAS会话管理传输消息,所述第 二NAS消息为NAS会话管理传输消息。In a possible implementation method, the first NAS message is a configuration update request message, and the second NAS message is a configuration update request message; or, the first NAS message is a NAS session management transmission message, and the The second NAS message is a NAS session management transmission message.
可以理解的是,上述各个单元也可以称为模块或者电路等,并且上述各个单元可以独立设置,也可以全部或者部分集成。It can be understood that each of the above-mentioned units may also be referred to as a module or a circuit, etc., and each of the above-mentioned units may be provided independently, or may be fully or partially integrated.
可选的,上述通信装置600还可以包括存储单元,该存储单元用于存储数据或者指令(也可以称为代码或者程序),上述各个单元可以和存储单元交互或者耦合,以实现对应的方法或者功能。例如,处理单元可以读取存储单元中的数据或者指令,使得通信装置实现上述实施例中的方法。Optionally, the aforementioned communication device 600 may further include a storage unit for storing data or instructions (also referred to as codes or programs), and each of the aforementioned units may interact or couple with the storage unit to implement corresponding methods or Function. For example, the processing unit may read data or instructions in the storage unit, so that the communication device implements the method in the foregoing embodiment.
FIG. 7 is a schematic diagram of a communication apparatus provided by an embodiment of this application. The apparatus is configured to implement the steps performed by the mobility management network element in the above method embodiments. As shown in FIG. 7, the apparatus 700 includes a processing unit 710 and a transceiver unit 720.
In the first embodiment:
The transceiver unit 720 is configured to receive a first message from a terminal device in the registered state, the first message including the encrypted permanent identity of the terminal device and the routing identifier of the mobility management network element; send the encrypted permanent identity to a decryption network element; and receive the decrypted identity from the decryption network element.
In a possible implementation, the encrypted permanent identity is the SUCI of the terminal device; or the encrypted permanent identity is obtained by encrypting the temporary identity of the terminal device, where the temporary identity of the terminal device is the 5G-TMSI; or the encrypted permanent identity is the part of the SUCI of the terminal device that remains after the home network identifier is removed.
In a possible implementation, the processing unit 710 is configured to determine, based on the type of the first message and/or the format of the content of the first message, that the first message does not carry a 5G-TMSI, and then to determine the decryption network element based on the encrypted permanent identity.
In a possible implementation, the first message is a service request message, a periodic registration message, or a mobility registration message.
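The identity-selection logic of the first embodiments on both sides (the terminal deciding that its 5G-TMSI has expired and sending a SUCI plus the routing identifier instead, and the mobility management network element determining from message type and content that no 5G-TMSI is present and choosing the decryption network element by routing indicator), as an added Python example that is not part of the application. The message layout, the XOR concealment standing in for the real SUCI protection scheme, the threshold value and the routing-indicator table are all constructed here.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Suci:
    """Subscription concealed identifier (simplified layout, constructed here):
    only the home network can recover the subscriber's MSIN from it."""
    home_network_id: str     # MCC+MNC, sent in the clear
    routing_indicator: str   # selects the home-network decryption element
    scheme_output: bytes     # concealed MSIN, opaque to the serving network


def conceal_msin(msin: str, home_key: bytes, home_network_id: str,
                 routing_indicator: str) -> Suci:
    """Toy concealment (XOR with a home-network key) that stands in for the
    real SUCI protection scheme so the round trip can be shown end to end."""
    data = msin.encode()
    out = bytes(b ^ home_key[i % len(home_key)] for i, b in enumerate(data))
    return Suci(home_network_id, routing_indicator, out)


# ---------------- terminal device side ----------------

@dataclass
class UeIdentityState:
    """Bookkeeping the terminal keeps to judge whether its 5G-TMSI is usable."""
    tmsi: Optional[int]                          # None: never assigned
    timer_expired: bool = False                  # wait-for-updated-TMSI timer ran out
    unanswered_service_requests: int = 0         # service requests sent, no reply
    updated_in_last_nas_connection: bool = True  # network refreshed the TMSI last time
    update_requested: bool = False               # terminal asked the AMF for a new TMSI
    update_received: bool = False                # ... and actually got one


FIRST_THRESHOLD = 3   # constructed value for the "first threshold"
FIRST_MESSAGE_TYPES = ("SERVICE_REQUEST", "PERIODIC_REGISTRATION",
                       "MOBILITY_REGISTRATION")


def temp_identity_expired(st: UeIdentityState,
                          threshold: int = FIRST_THRESHOLD) -> bool:
    """Any one of the listed conditions is enough to treat the TMSI as expired."""
    if st.tmsi is None:
        return True
    return (st.timer_expired
            or st.unanswered_service_requests >= threshold
            or not st.updated_in_last_nas_connection
            or (st.update_requested and not st.update_received))


def build_first_message(msg_type: str, st: UeIdentityState, suci: Suci,
                        amf_routing_id: str) -> dict:
    """A registered terminal sends its 5G-TMSI while valid; once expired it
    falls back to SUCI plus the AMF routing identifier, never a plain SUPI."""
    if msg_type not in FIRST_MESSAGE_TYPES:
        raise ValueError(f"not a first message: {msg_type}")
    if temp_identity_expired(st):
        return {"type": msg_type, "id_type": "SUCI", "identity": suci,
                "amf_routing_id": amf_routing_id}
    return {"type": msg_type, "id_type": "5G-TMSI", "identity": st.tmsi}


# ---------------- mobility management network element side ----------------

# Home-network decryption elements keyed by routing indicator (constructed).
DECRYPTION_ELEMENTS: Dict[str, bytes] = {"0001": b"home-key-A",
                                         "0002": b"home-key-B"}


def carries_tmsi(msg: dict) -> bool:
    """Decide from message type and content format whether a 5G-TMSI is present."""
    if msg["type"] not in FIRST_MESSAGE_TYPES:
        raise ValueError(f"unexpected message type: {msg['type']}")
    return msg["id_type"] == "5G-TMSI" and isinstance(msg["identity"], int)


def decrypt_at_home_network(suci: Suci) -> str:
    """What the selected decryption element returns: the plain MSIN."""
    key = DECRYPTION_ELEMENTS[suci.routing_indicator]
    return bytes(b ^ key[i % len(key)]
                 for i, b in enumerate(suci.scheme_output)).decode()


def resolve_identity(msg: dict, tmsi_contexts: Dict[int, str]) -> dict:
    """AMF handling of a first message: look the TMSI up locally, or hand the
    SUCI to the decryption element chosen by its routing indicator."""
    if carries_tmsi(msg):
        subscriber = tmsi_contexts.get(msg["identity"])
        return {"path": "5G-TMSI", "subscriber": subscriber,
                "known": subscriber is not None}
    suci = msg["identity"]
    if suci.routing_indicator not in DECRYPTION_ELEMENTS:
        return {"path": "SUCI", "subscriber": None, "known": False}
    supi = suci.home_network_id + decrypt_at_home_network(suci)
    return {"path": "SUCI", "subscriber": supi, "known": True}
```

The serving-network code never holds the home-network key: the SUCI path only selects which decryption element to ask, which is the point of sending SUCI rather than SUPI once the temporary identity is stale.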
In the second embodiment:
The transceiver unit 720 is configured to receive a service request message from a terminal device, the service request message including a first identity; send first indication information to the terminal device, the first indication information instructing the terminal device to keep the NAS connection; and send a configuration update request message to the terminal device, the configuration update request message including a second identity.
In a possible implementation, the transceiver unit 720 sending the first indication information to the terminal device specifically includes: sending a service response message to the terminal device, the service response message including the first indication information.
In a possible implementation, the transceiver unit 720 is configured to receive a NAS message from the terminal device before sending the configuration update request message to it, the NAS message requesting that the mobility management network element send an updated temporary identity.
In a possible implementation, the NAS message includes second indication information, and the second indication information requests that the mobility management network element send an updated temporary identity.
In the third embodiment:
The processing unit 710 is configured to determine that the number of retransmissions of a first NAS message to a terminal device over a first NAS connection has reached the maximum number without an acknowledgement message being received, where the first NAS message is used to update the temporary identity of the terminal device; the transceiver unit 720 is configured to send a second NAS message to the terminal device over a second NAS connection, the second NAS message including the updated temporary identity of the terminal device.
In a possible implementation, the first access type is 3GPP access and the second access type is non-3GPP access; or the first access type is non-3GPP access and the second access type is 3GPP access.
In a possible implementation, the first NAS message is a configuration update request message and the second NAS message is a configuration update request message; or the first NAS message is a NAS session management transport message and the second NAS message is a NAS session management transport message.
In a possible implementation, the maximum number is 5.
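The retransmission and fallback of the third embodiment above (and the matching fourth embodiment on the terminal side), simulated as an added Python example that is not the application's own code: the mobility management network element retransmits the message carrying the updated temporary identity up to 5 times over the first NAS connection and, with no acknowledgement, sends it over the other access type's NAS connection. The reachability flags, the 6-second retransmission interval and the formula deriving the terminal's timer from that interval are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

MAX_RETRANSMISSIONS = 5      # the "maximum number" named in the embodiment
ACCESS_TYPES = ("3GPP", "non-3GPP")
UPDATE_MESSAGE_TYPES = ("CONFIGURATION_UPDATE_REQUEST", "NAS_SM_TRANSPORT")


def other_access(access_type: str) -> str:
    """The second NAS connection uses whichever access type the first did not."""
    if access_type not in ACCESS_TYPES:
        raise ValueError(f"unknown access type: {access_type}")
    return "non-3GPP" if access_type == "3GPP" else "3GPP"


@dataclass
class Ue:
    """Terminal side: holds the 5G-TMSI; reachability per access is constructed."""
    tmsi: int
    reachable: Dict[str, bool]
    received: List[dict] = field(default_factory=list)

    def on_nas_message(self, msg: dict) -> bool:
        """Adopt the updated TMSI from either NAS connection; True = acknowledged."""
        if msg["type"] not in UPDATE_MESSAGE_TYPES or "tmsi" not in msg:
            return False
        self.received.append(msg)
        self.tmsi = msg["tmsi"]
        return True


@dataclass
class NasConnection:
    """One NAS connection between the AMF and the terminal over one access type."""
    access_type: str
    ue: Ue
    sent: List[dict] = field(default_factory=list)

    def send(self, msg: dict) -> bool:
        """Deliver over this access; an unreachable access yields no acknowledgement."""
        self.sent.append(msg)
        if not self.ue.reachable.get(self.access_type, False):
            return False
        return self.ue.on_nas_message(msg)


class MobilityManagementElement:
    def __init__(self, connections: Dict[str, NasConnection],
                 retx_interval_s: float = 6.0,
                 max_retx: int = MAX_RETRANSMISSIONS):
        self.connections = connections
        self.retx_interval_s = retx_interval_s   # constructed interval
        self.max_retx = max_retx

    def ue_timer_duration(self) -> float:
        """Timer the terminal keeps the NAS connection for, derived from the
        retransmission interval (assumed formula: the whole retransmission schedule)."""
        return self.retx_interval_s * (self.max_retx + 1)

    def push_updated_tmsi(self, first_access: str, new_tmsi: int,
                          msg_type: str = "CONFIGURATION_UPDATE_REQUEST") -> dict:
        """Send the updated TMSI over the first NAS connection, retransmitting
        up to max_retx times; if still unacknowledged, use the second one."""
        msg = {"type": msg_type, "tmsi": new_tmsi}
        first = self.connections[first_access]
        retransmissions = 0
        while True:
            if first.send(msg):
                return {"delivered_via": first_access,
                        "retransmissions": retransmissions}
            if retransmissions == self.max_retx:
                break            # maximum reached with no acknowledgement
            retransmissions += 1
        second = self.connections.get(other_access(first_access))
        if second is not None and second.send(msg):
            return {"delivered_via": second.access_type,
                    "retransmissions": retransmissions}
        return {"delivered_via": None, "retransmissions": retransmissions}
```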
It can be understood that each of the above units may also be referred to as a module, a circuit or the like, and that the above units may be provided independently or may be fully or partially integrated.
Optionally, the communication apparatus 700 may further include a storage unit for storing data or instructions (also referred to as code or a program), and each of the above units may interact or be coupled with the storage unit to implement the corresponding method or function. For example, the processing unit may read the data or instructions in the storage unit so that the communication apparatus implements the method in the above embodiments.
It should be understood that the division of the units in the above apparatus is merely a division by logical function; in actual implementation they may be fully or partially integrated into one physical entity, or may be physically separate. The units in the apparatus may all be implemented in the form of software invoked by a processing element, may all be implemented in hardware, or some units may be implemented as software invoked by a processing element and others in hardware. For example, each unit may be a separately provided processing element, or may be integrated into a chip of the apparatus; alternatively, a unit may be stored in a memory in the form of a program that a processing element of the apparatus invokes to execute the function of the unit. Furthermore, all or some of these units may be integrated together or implemented independently. The processing element described here may also be called a processor and may be an integrated circuit with signal processing capability. During implementation, the steps of the above methods or the above units may be implemented by integrated logic circuits of hardware in a processor element, or in the form of software invoked by a processing element.
In an example, the units in any of the above apparatuses may be one or more integrated circuits configured to implement the above methods, for example one or more application-specific integrated circuits (ASICs), one or more microprocessors (digital signal processors, DSPs), one or more field-programmable gate arrays (FPGAs), or a combination of at least two of these forms of integrated circuit. As another example, when the units in the apparatus are implemented in the form of a processing element scheduling a program, the processing element may be a general-purpose processor, such as a central processing unit (CPU) or another processor capable of invoking a program. As yet another example, these units may be integrated together and implemented in the form of a system-on-a-chip (SOC).
A unit for receiving (for example, a receiving unit) described above is an interface circuit of the apparatus for receiving signals from other apparatuses. For example, when the apparatus is implemented as a chip, the receiving unit is the interface circuit the chip uses to receive signals from other chips or apparatuses. A unit for sending (for example, a sending unit) described above is an interface circuit of the apparatus for sending signals to other apparatuses. For example, when the apparatus is implemented as a chip, the sending unit is the interface circuit the chip uses to send signals to other chips or apparatuses.
FIG. 8 is a schematic structural diagram of a terminal device provided by an embodiment of this application. The terminal device is configured to implement the operations of the terminal device in the above embodiments. As shown in FIG. 8, the terminal device includes an antenna 810, a radio frequency apparatus 820 and a signal processing part 830. The antenna 810 is connected to the radio frequency apparatus 820. In the downlink direction, the radio frequency apparatus 820 receives information sent by a network device through the antenna 810 and passes it to the signal processing part 830 for processing. In the uplink direction, the signal processing part 830 processes the terminal device's information and passes it to the radio frequency apparatus 820, which processes it and sends it to the network device through the antenna 810.
The signal processing part 830 is configured to implement the processing of data at each communication protocol layer. The signal processing part 830 may be a subsystem of the terminal device, in which case the terminal device may also include other subsystems, for example a central processing subsystem for processing the terminal device's operating system and application layer, or a peripheral subsystem for connecting to other devices. The signal processing part 830 may be a separately provided chip. Optionally, the above apparatus may be located in the signal processing part 830.
The signal processing part 830 may include one or more processing elements 831, for example a main control CPU and other integrated circuits, and an interface circuit 833. The signal processing part 830 may further include a storage element 832. The storage element 832 stores data and programs; the program for executing the method performed by the terminal device in the above methods may or may not be stored in the storage element 832. For example, it may be stored in a memory outside the signal processing part 830, and when it is used the signal processing part 830 loads it into a cache. The interface circuit 833 is used for communicating with the apparatus. The above apparatus may be located in the signal processing part 830, which may be implemented by a chip including at least one processing element and an interface circuit, where the processing element executes the steps of any of the methods performed by the terminal device above and the interface circuit communicates with other apparatuses. In one implementation, the units implementing the steps of the above methods may be implemented in the form of a processing element scheduling a program; for example, the apparatus includes a processing element and a storage element, and the processing element invokes the program stored in the storage element to execute the method performed by the terminal device in the above method embodiments. The storage element may be a storage element on the same chip as the processing element, that is, an on-chip storage element.
In another implementation, the program for executing the method performed by the terminal device in the above methods may reside in a storage element on a chip different from that of the processing element, that is, an off-chip storage element. In that case, the processing element invokes or loads the program from the off-chip storage element onto the on-chip storage element in order to invoke and execute the method performed by the terminal device in the above method embodiments.
In yet another implementation, the units by which the terminal device implements the steps of the above methods may be configured as one or more processing elements provided on the signal processing part 830, where the processing elements may be integrated circuits, for example one or more ASICs, one or more DSPs, one or more FPGAs, or a combination of these types of integrated circuit. These integrated circuits may be integrated together to form a chip.
The units implementing the steps of the above methods may be integrated together and implemented in the form of an SOC, the SOC chip being used to implement the above methods. The chip may integrate at least one processing element and a storage element, with the processing element invoking the program stored in the storage element to implement the method performed by the terminal device above; or the chip may integrate at least one integrated circuit for implementing the method performed by the terminal device above; or the above implementations may be combined, with the functions of some units implemented by a processing element invoking a program and the functions of other units implemented by integrated circuits.
It can be seen that the above apparatus may include at least one processing element and an interface circuit, where the at least one processing element is configured to execute any of the methods performed by the terminal device provided in the above method embodiments. The processing element may execute some or all of the steps performed by the terminal device in a first manner, namely by invoking a program stored in a storage element, or in a second manner, namely through integrated logic circuits of hardware in the processor element combined with instructions; of course, the first and second manners may also be combined to execute some or all of the steps performed by the terminal device.
The processing element here, as described above, may be a general-purpose processor such as a CPU, or one or more integrated circuits configured to implement the above methods, for example one or more ASICs, one or more microprocessors (DSPs), one or more FPGAs, or a combination of at least two of these forms of integrated circuit. The storage element may be a single memory or a collective term for multiple storage elements.
FIG. 9 is a schematic structural diagram of a mobility management network element provided by an embodiment of this application, configured to implement the operations of the mobility management network element in the above embodiments. As shown in FIG. 9, the mobility management network element includes a processor 910 and an interface 930, and optionally a memory 920. The interface 930 is used for communicating with other devices.
The method performed by the mobility management network element in the above embodiments may be implemented by the processor 910 invoking a program stored in a memory (which may be the memory 920 in the mobility management network element or an external memory). That is, the apparatus for the mobility management network element may include a processor 910 that invokes a program in a memory to execute the method performed by the mobility management network element in the above method embodiments. The processor here may be an integrated circuit with signal processing capability, such as a CPU. The apparatus for the mobility management network element may be implemented by one or more integrated circuits configured to implement the above methods, for example one or more ASICs, one or more microprocessors (DSPs), one or more FPGAs, or a combination of at least two of these forms of integrated circuit; or the above implementations may be combined.
本领域普通技术人员可以理解:本申请中涉及的第一、第二、第三、第四等各种数字编号仅为描述方便进行的区分,并不用来限制本申请实施例的范围,也表示先后顺序。“和/或”,描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。字符“/”一般表示前后关联对象是一种“或”的关系。“至少一个”是指一个或者多个。至少两个是指两个或者多个。“至少一个”、“任意一个”或其类似表达,是指的这些项中的任意组合,包括单项(个)或复数项(个)的任意组合。例如,a,b,或c中的至少一项(个、种),可以表示:a,b,c,a-b,a-c,b-c,或a-b-c,其中a,b,c可以是单个,也可以是多个。“多个”是指两个或两个以上,其它量词与之类似。A person of ordinary skill in the art can understand that the various digital numbers involved in this application, such as the first, second, third, and fourth, are only for the convenience of description and are not used to limit the scope of the embodiments of the present application, but also represent Priority. "And/or" describes the association relationship of the associated objects, indicating that there can be three types of relationships, for example, A and/or B, which can mean: A alone exists, A and B exist at the same time, and B exists alone. The character "/" generally indicates that the associated objects before and after are in an "or" relationship. "At least one" means one or more. At least two refers to two or more. "At least one", "any one" or similar expressions refer to any combination of these items, including any combination of a single item (a) or a plurality of items (a). For example, at least one (piece, species) of a, b, or c can represent: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or Multiple. "Multiple" refers to two or more than two, and other quantifiers are similar.
应理解,在本申请的各种实施例中,上述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本发明实施例的实施过程构成任何限定。It should be understood that in the various embodiments of the present application, the size of the sequence numbers of the above-mentioned processes does not mean the order of execution. The execution order of the processes should be determined by their functions and internal logic, and should not be used in the embodiments of the present invention. The implementation process constitutes any limitation.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的***、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and conciseness of the description, the specific working process of the system, device and unit described above can refer to the corresponding process in the foregoing method embodiment, which is not repeated here.
在本申请所提供的几个实施例中,应该理解到,所揭露的***、装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个***,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed system, device, and method can be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or It can be integrated into another system, or some features can be ignored or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。In addition, the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center by wired means (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
The various illustrative logic units and circuits described in the embodiments of this application may be implemented by, or may perform the described functions by means of, a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of the above. The general-purpose processor may be a microprocessor; alternatively, it may be any conventional processor, controller, microcontroller, or state machine. The processor may also be implemented as a combination of computing devices, for example a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors together with a digital signal processor core, or any other similar configuration.
The steps of the method or algorithm described in the embodiments of this application may be embedded directly in hardware, in a software unit executed by a processor, or in a combination of the two. The software unit may be stored in random access memory (RAM), flash memory, read-only memory (ROM), EPROM, EEPROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, the storage medium may be coupled to the processor so that the processor can read information from, and write information to, the storage medium. Optionally, the storage medium may be integrated into the processor. The processor and the storage medium may be located in an ASIC.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operation steps is performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In one or more exemplary designs, the functions described in this application may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, these functions may be stored on, or transmitted as one or more instructions or code over, a computer-readable medium. Computer-readable media include computer storage media and communication media that facilitate transfer of a computer program from one place to another. A storage medium may be any available medium accessible to a general-purpose or special-purpose computer. By way of example, such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures and that can be read by a general-purpose or special-purpose computer, or by a general-purpose or special-purpose processor. In addition, any connection may properly be termed a computer-readable medium; for example, if the software is transmitted from a website, server, or other remote source over a coaxial cable, optical fiber cable, twisted pair, or digital subscriber line (DSL), or wirelessly by means such as infrared, radio, and microwave, then these are also included in the definition of computer-readable medium. Disk and disc, as used here, include compact disc, laser disc, optical disc, digital versatile disc (DVD), floppy disk, and Blu-ray disc; disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within computer-readable media.
Those skilled in the art should appreciate that, in one or more of the above examples, the functions described in this application may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium accessible to a general-purpose or special-purpose computer.
The specific embodiments described above further describe in detail the objectives, technical solutions, and beneficial effects of this application. It should be understood that the foregoing are merely specific embodiments of this application and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement, and the like made on the basis of the technical solutions of this application shall fall within the scope of protection of this application. The above description of this specification enables any person skilled in the art to use or implement the content of this application; any modification based on the disclosed content should be regarded as obvious in the art, and the basic principles described in this application may be applied to other variations without departing from the essence and scope of the invention. Therefore, the content disclosed in this application is not limited to the described embodiments and designs, but extends to the widest scope consistent with the principles and novel features disclosed herein.
Although this application has been described with reference to specific features and embodiments, it is evident that various modifications and combinations may be made without departing from the spirit and scope of the application. Accordingly, the specification and drawings are merely exemplary descriptions of the application as defined by the appended claims, and are deemed to cover any and all modifications, variations, combinations, or equivalents within the scope of the application. Obviously, those skilled in the art can make various changes and modifications to this application without departing from its scope. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.

Claims (23)

  1. A communication method, characterized in that it comprises:
    a terminal device in the registered state determining whether a temporary identity allocated to it by the network side has expired;
    when it is determined that the temporary identity has expired, the terminal device sending a first message to a mobility management network element via an access device, the first message comprising a routing indicator and an encrypted permanent identity, wherein the routing indicator is used by the access device to determine the mobility management network element serving the terminal device.
  2. The method according to claim 1, characterized in that the terminal device determining that the temporary identity allocated to it by the network side has expired comprises one or more of the following:
    the terminal device determining that a timer has expired, where the duration of the timer is used to determine the maximum time the terminal device waits to receive an updated temporary identity in a service request procedure; or
    the terminal device determining that the number of times no reply has been received after sending a service request message has reached a first threshold; or
    the terminal device not having updated its temporary identity during the last non-access stratum (NAS) connection; or
    the terminal device not having received an updated temporary identity after requesting the mobility management network element to update the temporary identity.
  3. The method according to claim 1 or 2, characterized in that the encrypted permanent identity is the subscription concealed identifier (SUCI) of the terminal device; or
    the encrypted permanent identity is obtained by encrypting the temporary identity, the temporary identity being a 5G temporary mobile subscriber identity (5G-TMSI); or the encrypted permanent identity is the part of the SUCI of the terminal device that remains after the home network identifier is removed.
  4. The method according to any one of claims 1 to 3, characterized in that the first message is a service request message, a periodic registration message, or a mobility registration message.
  5. A communication method, characterized in that it comprises:
    a mobility management network element receiving a first message from a terminal device in the registered state, the first message comprising an encrypted permanent identity of the terminal device and a routing indicator of the mobility management network element;
    the mobility management network element sending the encrypted permanent identity to a decryption network element;
    the mobility management network element receiving a decrypted identity from the decryption network element.
  6. The method according to claim 5, characterized in that the encrypted permanent identity is the SUCI of the terminal device; or
    the encrypted permanent identity is obtained by encrypting the temporary identity, the temporary identity being a 5G-TMSI; or
    the encrypted permanent identity is the part of the SUCI of the terminal device that remains after the home network identifier is removed.
  7. The method according to claim 5 or 6, characterized in that the first message is a service request message, a periodic registration message, or a mobility registration message.
  8. The method according to any one of claims 5 to 7, characterized by further comprising:
    the mobility management network element determining, according to the type of the first message and/or the format of the content of the first message, that the first message does not carry a 5G-TMSI, and then determining the decryption network element according to the encrypted permanent identity.
  9. A communication method, characterized in that it comprises:
    a terminal device in the registered state determining whether a temporary identity allocated to it by the network side has expired;
    when it is determined that the temporary identity has expired, the terminal device initiating a de-registration procedure and then initiating an initial registration procedure using an encrypted permanent identity, so as to obtain an updated temporary identity from the network side.
  10. The method according to claim 9, characterized in that the terminal device determining that the temporary identity allocated to it by the network side has expired comprises one or more of the following:
    the terminal device determining that a timer has expired, where the duration of the timer is used to determine the maximum time the terminal device waits to receive an updated temporary identity in a service request procedure; or
    the terminal device determining that the number of times no reply has been received after sending a service request message has reached a first threshold; or
    the terminal device not having updated its temporary identity during the last non-access stratum (NAS) connection; or
    the terminal device not having received an updated temporary identity after requesting the mobility management network element to update the temporary identity.
  11. The method according to claim 9 or 10, characterized in that the encrypted permanent identity is the subscription concealed identifier (SUCI) of the terminal device; or
    the encrypted permanent identity is obtained by encrypting the temporary identity, the temporary identity being a 5G temporary mobile subscriber identity (5G-TMSI); or the encrypted permanent identity is the part of the SUCI of the terminal device that remains after the home network identifier is removed.
  12. A communication method, applied to a mobility management network element, where a first NAS connection is established between the mobility management network element and a terminal device via a first access type and a second NAS connection is established via a second access type, characterized in that the method comprises:
    the mobility management network element determining that the number of retransmissions of a first NAS message to the terminal device over the first NAS connection has reached a maximum number and no acknowledgement message has been received, the first NAS message being used to update the temporary identity of the terminal device;
    the mobility management network element sending a second NAS message to the terminal device over the second NAS connection, the second NAS message comprising the updated temporary identity of the terminal device.
  13. The method according to claim 12, characterized in that the first access type is 3GPP access and the second access type is non-3GPP access; or
    the first access type is non-3GPP access and the second access type is 3GPP access.
  14. The method according to claim 12 or 13, characterized in that the first NAS message is a configuration update request message and the second NAS message is a configuration update request message; or
    the first NAS message is a NAS session management transport message and the second NAS message is a NAS session management transport message.
  15. The method according to any one of claims 12 to 14, characterized in that the maximum number is 5.
  16. A communication apparatus, characterized by comprising a processor and a memory, the memory being configured to store computer-executable instructions, and the processor, when the communication apparatus runs, executing the computer-executable instructions stored in the memory so as to cause the communication apparatus to perform the method according to any one of claims 1 to 8 or 9 to 11.
  17. A communication apparatus, characterized by comprising a processor and a memory, the memory being configured to store computer-executable instructions, and the processor, when the communication apparatus runs, executing the computer-executable instructions stored in the memory so as to cause the communication apparatus to perform the method according to any one of claims 12 to 15.
  18. A communication apparatus, characterized by comprising a processor and a communication interface,
    the communication interface being configured to receive code instructions and transmit them to the processor, and the processor being configured to run the code instructions to perform the method according to any one of claims 1 to 8 or 9 to 11.
  19. A communication apparatus, characterized by comprising a processor and a communication interface,
    the communication interface being configured to receive code instructions and transmit them to the processor, and the processor being configured to run the code instructions to perform the method according to any one of claims 12 to 15.
  20. A chip system, characterized by comprising:
    a memory configured to store a computer program;
    a processor configured to call and run the computer program from the memory, so that a device in which the chip system is installed performs the method according to any one of claims 1 to 8 or 9 to 11.
  21. A chip system, characterized by comprising:
    a memory configured to store a computer program;
    a processor configured to call and run the computer program from the memory, so that a device in which the chip system is installed performs the method according to any one of claims 12 to 15.
  22. A computer-readable storage medium, characterized by comprising a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 15.
  23. A computer program product, characterized in that the computer program product comprises a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 15.
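As an added example that is not part of the patent, the following Python model traces the claimed behaviour end to end: the four expiry conditions of claim 2, the SUCI-bearing first message of claim 1 (the permanent identity leaves the terminal only in concealed form), the AMF's type/format check and decryption-element selection of claims 5 to 8, and the dual-NAS-connection retransmission of claims 12 to 15. Message field names, the threshold value, the routing table, the `send` callback and the XOR stand-in for SUCI concealment are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_RETRANSMISSIONS = 5   # claim 15
FIRST_THRESHOLD = 3       # claim 2: the value is an assumption, the claims give none
HOME_KEY = b"demo-home-network-key"  # constructed; stands in for the home network key
# Message types of claims 4 and 7 (assumed spellings)
SERVICE_MESSAGES = {"service_request", "periodic_registration", "mobility_registration"}


def _xor(data: bytes, key: bytes) -> bytes:
    """Toy reversible stand-in for SUCI concealment (real 5G uses ECIES)."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


@dataclass
class UeState:
    """Terminal device in the registered state (claims 1, 2, 9 and 10)."""
    home_network_id: str   # MCC+MNC part of the SUPI, sent in clear inside the SUCI
    msin: str              # subscriber part of the SUPI, never sent in clear
    routing_indicator: str
    tmsi: Optional[str] = None
    timer_expired: bool = False                   # claim 2, first condition
    unanswered_service_requests: int = 0          # claim 2, second condition
    updated_in_last_nas_connection: bool = True   # claim 2, third condition
    update_requested: bool = False                # claim 2, fourth condition
    update_received: bool = True


def tmsi_expired(ue: UeState) -> bool:
    """Claims 2 and 10: any one of the four conditions marks the 5G-TMSI as stale."""
    return (ue.timer_expired
            or ue.unanswered_service_requests >= FIRST_THRESHOLD
            or not ue.updated_in_last_nas_connection
            or (ue.update_requested and not ue.update_received))


def build_first_message(ue: UeState, msg_type: str) -> Dict:
    """Claim 1: with a stale 5G-TMSI the UE sends routing indicator plus SUCI;
    the plaintext SUPI never appears in the message."""
    assert msg_type in SERVICE_MESSAGES, "claim 4 message types only"
    if ue.tmsi is not None and not tmsi_expired(ue):
        return {"type": msg_type, "identity": {"kind": "5G-TMSI", "value": ue.tmsi}}
    suci = {"kind": "SUCI",
            "home_network_id": ue.home_network_id,
            "routing_indicator": ue.routing_indicator,
            "scheme_output": _xor(ue.msin.encode(), HOME_KEY).hex()}
    return {"type": msg_type, "identity": suci}


def carries_5g_tmsi(msg: Dict) -> bool:
    """Claim 8: the AMF decides from message type and identity format alone."""
    return msg["type"] in SERVICE_MESSAGES and msg["identity"]["kind"] == "5G-TMSI"


def decryption_ne_deconceal(suci: Dict) -> str:
    """Simulated decryption network element of claim 5: returns the SUPI."""
    msin = _xor(bytes.fromhex(suci["scheme_output"]), HOME_KEY).decode()
    return suci["home_network_id"] + msin


# Constructed table: home network id -> decryption network element (claim 8)
DECRYPTION_NES: Dict[str, Callable[[Dict], str]] = {"46000": decryption_ne_deconceal}


def amf_handle_first_message(msg: Dict, contexts: Dict[str, str]) -> str:
    """Claims 5 to 8: a 5G-TMSI is looked up in local contexts; only an
    encrypted identity is forwarded to the decryption network element."""
    if carries_5g_tmsi(msg):
        return contexts[msg["identity"]["value"]]
    suci = msg["identity"]
    decryption_ne = DECRYPTION_NES[suci["home_network_id"]]
    return decryption_ne(suci)


def deliver_updated_tmsi(new_tmsi: str, connections: List[str],
                         send: Callable[[str, Dict], bool]) -> str:
    """Claims 12 to 15: retransmit over the first NAS connection up to the maximum;
    with no acknowledgement, deliver over the second connection instead.
    send(connection, msg) returns True when the UE acknowledged (assumed API)."""
    first, second = connections   # e.g. ["3gpp", "non-3gpp"] (claim 13)
    msg = {"type": "configuration_update_request", "new_tmsi": new_tmsi}  # claim 14
    for _ in range(1 + MAX_RETRANSMISSIONS):   # initial send plus 5 retransmissions
        if send(first, msg):
            return first
    send(second, msg)
    return second
```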

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/076855 WO2021168713A1 (en) 2020-02-26 2020-02-26 Communication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/076855 WO2021168713A1 (en) 2020-02-26 2020-02-26 Communication method and apparatus

Publications (1)

Publication Number Publication Date
WO2021168713A1 true WO2021168713A1 (en) 2021-09-02

Family

ID=77490573

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/076855 WO2021168713A1 (en) 2020-02-26 2020-02-26 Communication method and apparatus

Country Status (1)

Country Link
WO (1) WO2021168713A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023083153A1 (en) * 2021-11-11 2023-05-19 华为技术有限公司 Method for obtaining security classification result and communication apparatus

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080268842A1 (en) * 2007-04-30 2008-10-30 Christian Herrero-Veron System and method for utilizing a temporary user identity in a telecommunications system
CN105228134A (en) * 2015-08-24 2016-01-06 小米科技有限责任公司 A kind of method and apparatus upgrading temporary mobile subscriber identity
CN109511115A (en) * 2017-09-14 2019-03-22 华为技术有限公司 A kind of authorization method and network element
WO2019187483A1 (en) * 2018-03-28 2019-10-03 Nec Corporation Handling of temporary non access stratum parameters during registration procedure for the ue supporting registration to the network using 3gpp network access and non-3gpp network access

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NEC: "Updating NG-RAN with new temporary identity after new 5G-GUTI allocation", 3GPP DRAFT; S2-1903439, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Xian, China; 20190408 - 20190412, 2 April 2019 (2019-04-02), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051719597 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20921549; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20921549; Country of ref document: EP; Kind code of ref document: A1)