WO2021212491A1 - Multimedia broadcast/multicast service authentication method and apparatus, and device and storage medium - Google Patents


Publication number: WO2021212491A1
Authority: WIPO (PCT)
Prior art keywords: network element, control plane, key, terminal device, key information
Application number: PCT/CN2020/086771
Other languages: French (fr), Chinese (zh)
Inventors: 许阳, 曹进, 卜绪萌, 于璞, 李晖
Original Assignee: Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to CN202080099194.9A (CN115336377A)
Priority to PCT/CN2020/086771 (WO2021212491A1)
Publication of WO2021212491A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W76/00: Connection management
    • H04W76/10: Connection setup

Definitions

  • This application relates to the field of wireless communication, and in particular to a method, device, equipment, and storage medium for authenticating multimedia broadcast and multicast services.
  • the Broadcast Multicast Service Center (BM-SC) network element serves as the Multimedia Broadcast/Multicast Service (MBMS)
  • BM-SC Broadcast Multicast Service Center
  • MBMS Multimedia Broadcast/Multicast Service
  • the embodiments of the present application provide a method, device, equipment, and storage medium for authenticating a multimedia broadcast multicast service.
  • the technical solution is as follows.
  • a method for authentication of multimedia broadcast and multicast services is provided, which is applied to terminal equipment;
  • the terminal device interacts via NAS messages between the mobile network control plane and the first network element control plane, and the interaction is used to complete at least one of the following processes: a service registration process, a request authentication process, and a key distribution process;
  • At least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
  • a multimedia broadcast multicast service authentication method which is applied to a communication system, the communication system including a mobile network control plane, a first network element control plane, and a first network element user plane;
  • the first network element control plane interacts with the terminal device through NAS messages through the mobile network control plane, and the interaction is used to complete at least one of the following processes: a service registration process, a request authentication process, and a key distribution process;
  • At least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
  • a multimedia broadcast multicast service authentication device comprising: a transceiver module;
  • the transceiver module is configured to interact with the first network element control plane through the mobile network control plane via NAS messages, and the interaction is used to complete at least one of the following processes: a service registration process, a request authentication process, and a key distribution process;
  • At least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
  • a multimedia broadcast multicast service authentication device includes a mobile network control plane module, a first network element control plane module, and a first network element user plane module;
  • the first network element control plane module interacts with the terminal device through the mobile network control plane module via NAS messages, and the interaction is used to complete at least one of the following processes: a service registration process, a request authentication process, and a key distribution process;
  • At least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
  • a terminal device comprising: a processor; a transceiver connected to the processor; and a memory for storing executable instructions of the processor; the processor is configured to load and execute the executable instructions to implement the multimedia broadcast multicast service authentication method described in the above aspect.
  • a communication system including:
  • the code in the memory run by the processor is provided to at least one network element in network function virtualization, and the at least one network element is used to execute the multimedia broadcast multicast service authentication method as described in the foregoing aspect.
  • a computer-readable storage medium is provided, in which executable instructions are stored; the executable instructions are loaded and executed by a processor to implement the multimedia broadcast multicast service authentication method described in the foregoing aspects.
  • the terminal device interacts with the first network element control plane through NAS messages via the mobile network control plane; that is, the function of the BM-SC is realized by separating the user plane and the control plane, so MBMS services can be provided without changing the communication equipment of the 3GPP standard and can be applied to networks in all 5G scenarios.
  • Fig. 1 is a block diagram of a communication system provided by an exemplary embodiment of the present application
  • Fig. 2 is a schematic diagram of a multimedia broadcast multicast service authentication method provided by an exemplary embodiment of the present application
  • Fig. 3 is a flowchart of a method for authenticating a multimedia broadcast multicast service provided by an exemplary embodiment of the present application
  • Fig. 4 is a method flowchart of a service registration process provided by an exemplary embodiment of the present application.
  • Fig. 5 is a method flowchart of a service registration process provided by an exemplary embodiment of the present application.
  • Fig. 6 is a method flowchart of a service registration process provided by an exemplary embodiment of the present application.
  • Fig. 7 is a flowchart of a method for requesting an authentication process provided by an exemplary embodiment of the present application.
  • Fig. 8 is a flowchart of a method for requesting an authentication process provided by an exemplary embodiment of the present application.
  • Fig. 9 is a flowchart of a method for requesting an authentication process provided by an exemplary embodiment of the present application.
  • Fig. 10 is a method flowchart of a key distribution process provided by an exemplary embodiment of the present application.
  • Fig. 11 is a method flowchart of a key distribution process provided by an exemplary embodiment of the present application.
  • Fig. 12 is a network deployment diagram with a multicast service function provided by an exemplary embodiment of the present application.
  • Fig. 13 is a system architecture diagram with a multicast service function provided by an exemplary embodiment of the present application.
  • Fig. 14 is a structural block diagram of a multimedia broadcast multicast service authentication device provided by an exemplary embodiment of the present application.
  • Fig. 15 is a structural block diagram of a multimedia broadcast multicast service authentication device provided by an exemplary embodiment of the present application.
  • Fig. 16 is a schematic structural diagram of a terminal device provided by an exemplary embodiment of the present application.
  • GBA General Bootstrapping Architecture, a general authentication mechanism
  • MBS Multicast Broadcast Service
  • MRK MBMS Request Key
  • MSK MBMS Service Key
  • MTK MBMS Traffic Key
  • MUK MBMS User Key
  • MBSF Multimedia Broadcast Service Function
  • MBSU Multimedia Broadcast Service User plane
  • SUPI Subscriber Permanent Identifier, the user's real identity
  • Fig. 1 shows a block diagram of a communication system provided by an exemplary embodiment of the present application.
  • the communication system includes: an access network 12, a terminal device 14, a core network 16, and a non-core network 18.
  • the access network 12 includes several network devices 120.
  • the network device 120 may be a base station, which is a device deployed in an access network to provide a wireless communication function for a terminal.
  • the base station may include various forms of macro base stations, micro base stations, relay stations, access points, and so on.
  • the names of devices with base station functions may differ between systems. For example, in LTE systems they are called eNodeB or eNB; in 5G NR-U systems they are called gNodeB or gNB.
  • the terminal device 14 may include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to a wireless modem, as well as various forms of user equipment, mobile stations (Mobile Station, MS), terminals (terminal devices), and so on.
  • the network device 120 and the terminal device 14 communicate with each other through a certain air interface technology, such as a Uu interface.
  • the terminal device 14 accesses the core network 16 and the non-core network 18 through the access network 12.
  • the core network 16 includes at least one of: User Plane Function (UPF), Authentication Server Function (AUSF), Unified Data Management (UDM), Network Exposure Function (NEF), Access and Mobility Management Function (AMF), SEcurity Anchor Function (SEAF), Session Management Function (SMF), and Policy Control Function (PCF).
  • UPF User Plane Function
  • AUSF Authentication Server Function
  • UDM Unified Data Management
  • NEF Network Exposure Function
  • AMF Access and Mobility Management Function
  • SEAF Security Anchor Function
  • SMF Session Management Function
  • PCF Policy Control Function
  • the non-core network 18 is divided into a control plane and a user plane for carrying MBS services.
  • the non-core network 18 includes MBSU and MBSF.
  • GSM Global System for Mobile Communications
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • GPRS General Packet Radio Service
  • LTE Long Term Evolution
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • LTE-A Long Term Evolution-Advanced
  • NR New Radio
  • UMTS Universal Mobile Telecommunications System
  • WiMAX Worldwide Interoperability for Microwave Access
  • WLAN Wireless Local Area Network
  • WiFi Wireless Fidelity
  • D2D Device to Device
  • M2M Machine to Machine
  • MTC Machine Type Communication
  • V2V Vehicle to Vehicle
  • V2X Vehicle to Everything (vehicle networking)
  • Fig. 2 shows a schematic diagram of a multimedia broadcast multicast service authentication method provided by an exemplary embodiment of the present application.
  • the terminal device interacts with the first network element control plane through the mobile network control plane through NAS messages, and the interaction is used to complete at least one of the following processes: service registration process, request authentication process, and key distribution process;
  • At least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
  • the registration authentication process is used to register the terminal device on the control plane of the mobile network, so that the subsequent terminal device and the control plane of the first network element execute the MBMS service.
  • the request authentication process is used for the terminal device to request the first network element control plane to issue a key, so that the terminal device communicates through the key in the subsequent process.
  • the key distribution process is used to distribute the key to the terminal device after the first network element control plane verification request is passed, so that the terminal device communicates with the received key.
  • Multimedia Broadcast/Multicast Service (MBMS) is a service type proposed by the 3rd Generation Partnership Project (3GPP), which mainly provides two transmission methods: broadcast and multicast. Both broadcast and multicast transmit from one point to many points; SMS, pictures, audio, video, applications, etc. can all be transmitted in this way to save mobile bandwidth resources.
  • 3GPP 3rd Generation Partnership Project
  • the mobile network control plane is a network element in the core network.
  • the first network element is a network element in a non-core network.
  • the control plane of the first network element is used to process the signaling part of the control plane, and carries functions such as key request, key distribution, and member management.
  • the Non-Access Stratum (NAS) exists in the wireless communication protocol stack of the Universal Mobile Telecommunications System (UMTS) as a functional layer between the core network and the terminal equipment.
  • a NAS message is a message transmitted in the non-access stratum; signaling and data transmission between the terminal device and the first network element control plane are realized through NAS messages.
  • the above-mentioned interaction of the terminal device with the first network element control plane through non-access stratum (NAS) messages via the mobile network control plane includes: the content exchanged between the terminal device and the first network element control plane is added to a container, and the container is transmitted through the mobile network control plane.
  • the information interaction between the terminal device and the first network element control plane can be transparently transmitted: the relevant information is placed in a container, the container is placed in a NAS message, and the mobile network control plane transparently transmits it to the peer, that is, to the terminal device or to the first network element control plane. Transparent transmission here means that the mobile network control plane passes the container through unchanged.
  • the terminal device interacts with the first network element control plane through NAS messages via the mobile network control plane; that is, the function of the BM-SC is realized by separating the user plane and the control plane, so MBMS services can be implemented without changing the communication equipment of the 3GPP standard and can be applied to networks in all 5G scenarios.
  • Fig. 3 shows a flowchart of a method for authenticating a multimedia broadcast multicast service provided by an exemplary embodiment of the present application. The method includes the following steps:
  • Step 310 The terminal device sends a service registration request to the mobile network control plane.
  • the service registration request is used to register the terminal device.
  • Step 320 The mobile network control plane sends the service registration request to the first network element control plane.
  • after receiving the service registration request sent by the terminal device, the mobile network control plane forwards it to the first network element control plane.
  • when the terminal device needs to use the MBMS service, it must register first; the MBMS service can be activated only after registration succeeds.
  • the service registration request includes (or does not include) fifth key information.
  • the fifth key information is a shared key formed between the terminal device and the network side based on the GBA mechanism.
  • Step 330 The first network element control plane feeds back a first verification success message to the terminal device.
  • the first verification success message is used to indicate that the service registration process corresponding to the service registration request is successful.
  • the terminal device can determine that the service registration process corresponding to the service registration request is successful according to the received first verification success message.
  • if the terminal device does not receive the first verification success message, it can determine that the service registration process corresponding to the service registration request has failed, and the service registration request needs to be re-sent to perform service registration again.
  • Step 340 The terminal device sends a first verification request to the mobile network control plane.
  • the first verification request is used to request to obtain the first key.
  • the first key is used to encrypt the second key in the process of requesting the key by the terminal device.
  • Step 350 The mobile network control plane sends the first verification request to the first network element control plane.
  • after receiving the first verification request sent by the terminal device, the mobile network control plane forwards it to the first network element control plane.
  • the first verification request includes (or does not include) eighth key information.
  • the first verification request may be an MSK request, which is used to request to obtain an MSK key.
  • Step 360 The first network element control plane feeds back a second verification success message to the terminal device.
  • the second verification success message is used to indicate that the verification of the first verification request is successful.
  • the terminal device can determine that the request authentication process corresponding to the first verification request is successful.
  • if the terminal device does not receive the second verification success message, it can determine that the request authentication process corresponding to the first verification request has failed, and the request authentication needs to be performed again.
  • Step 370 The first network element control plane sends the first key and the second key to the terminal device.
  • the first key is used to protect the second key.
  • the second key is used for data transmission between the terminal device and the user plane of the first network element.
  • the control plane of the first network element may issue multiple second keys.
  • Step 380 The first network element control plane sends the first key and the second key to the first network element user plane.
  • after successfully sending the first key (or second key) to the terminal device, the first network element control plane sends the first key (or second key) to the first network element user plane.
  • the control plane of the first network element may issue multiple second keys.
  • the mobile network control plane includes but is not limited to: at least one of AMF network elements, SMF network elements, AUSF network elements, and SEAF network elements;
  • the first network element control plane includes but is not limited to: MBSF network elements;
  • the first network element user plane includes but is not limited to: MBSU network elements.
  • step 310 to step 330 correspond to the service registration process
  • step 340 to step 360 correspond to the request authentication process
  • step 370 to step 380 correspond to the key distribution process.
  • the terminal device interacts with the first network element control plane through NAS messages to complete at least one of the registration authentication process, the request authentication process, and the key distribution process; each of these processes is used for the MBMS service, which provides a method of delivering the MBMS service.
  • because the service registration process, the MSK request verification process, and the key distribution process are placed in the first network element control plane, the normal operation of the MBMS service is ensured.
  • FIG. 4 shows a flowchart of a method of a service registration process provided by an exemplary embodiment of the present application, and the method includes:
  • Step 410 The terminal device sends a service registration request to the mobile network control plane.
  • the service registration request is used to register the terminal device.
  • Step 420 The mobile network control plane sends the service registration request to the first network element control plane.
  • after receiving the service registration request sent by the terminal device, the mobile network control plane forwards it to the first network element control plane.
  • the service registration request forwarded by the mobile network control plane and received by the first network element control plane either does not include fifth key information, where the fifth key information is used to derive third key information, or it does include the fifth key information.
  • Step 430 The first network element control plane sends the first network element identifier and the first random number to the mobile network control plane.
  • the first network element identifier is used to uniquely identify the first network element.
  • the first random number is a 16-octet random number generated at the control plane of the first network element.
  • Step 440 The mobile network control plane sends the first network element identifier and the first random number to the terminal device.
  • after receiving the first network element identifier and the first random number from the first network element control plane, the mobile network control plane forwards them to the terminal device.
  • Step 450 The terminal device determines the first summary information.
  • the first summary information is verification information generated by the terminal device according to the received first random number.
  • after receiving the first network element identifier and the first random number, the terminal device first confirms the identity of the first network element according to the first network element identifier, and determines whether the first network element is the server from which it requires the MBS service.
  • the process by which the terminal determines the first digest information includes: determining third key information according to the first network element identifier and the first random number, determining fourth key information according to the third key information, and determining the first digest information according to the fourth key information and the first random number.
  • Step 460 The terminal device sends the first summary information and the second random number to the control plane of the first network element.
  • the second random number is a 16-octet random number generated at the terminal device.
  • Step 470 The control plane of the first network element verifies the first summary information.
  • the control plane of the first network element verifies the first digest information according to the fourth key information.
  • the process by which the first network element control plane verifies the first summary information includes: the first network element control plane calculates the fourth key information according to the third key information, and verifies the first digest information according to the first random number and the fourth key information.
  • the above-mentioned third key information is a shared key between the terminal device and the first network element control plane; it is derived from the fifth key information and is in turn used to derive the fourth key information.
  • the fourth key information is likewise a shared key between the terminal device and the first network element control plane.
  • when the service registration request received by the first network element control plane does not include the fifth key information, the mobile network control plane calculates the third key information and sends it to the first network element control plane, which receives it.
  • when the service registration request forwarded by the mobile network control plane and received by the first network element control plane includes the fifth key information, the first network element control plane calculates the third key information itself according to the fifth key information.
  • Step 480 The control plane of the first network element sends the second summary information and the first verification success message.
  • the second summary information is generated by the control plane of the first network element according to the second random number.
  • if the first network element control plane successfully verifies the first summary information, it sends the second summary information and the first verification success message to the terminal device.
  • Step 490 The terminal device verifies the second summary information.
  • the terminal device receives the second summary information fed back by the control plane of the first network element.
  • the terminal device verifies the second summary information according to the second random number, and if the verification is successful, the service registration process of the terminal device is completed.
  • in the following, the case where the mobile network control plane includes an AMF and the first network element control plane includes an MBSF is used to exemplify the service registration process.
  • after the terminal device initiates a service registration request and it is transmitted through the network, if the service registration request received by the MBSF does not contain the key Ks, the MBSF first sends a request containing MBSF_ID and the random number nonce1 to the GBA server AMF, as shown in Fig. 5. At this point the holders of the important parameter Ks in Ks_xx_NAF are the terminal device and the AMF, so the terminal device and the AMF negotiate Ks_xx_NAF during the service registration and key request process. To ensure that the service registration process proceeds smoothly, the AMF needs to send Ks_xx_NAF to the MBMS server. The service registration process is completed through the coordination of the terminal device, the GBA server AMF, and the MBS server MBSF. After authentication succeeds, the terminal device and the MBSF negotiate to obtain the MRK and MUK.
  • Fig. 5 shows a method flowchart of a service registration process provided by an exemplary embodiment of the present application.
  • the service registration request does not include Ks (that is, the fifth key information), and the method includes:
  • Step 510 The terminal device sends a service registration request to the AMF.
  • the service registration request includes B-TID and MBS Service ID, where B-TID represents the identity information generated by the terminal device through the GBA mechanism, and MBS Service ID is the MBS service ID.
  • Step 520 AMF sends a service registration request to MBSF.
  • after the AMF receives the service registration request from the terminal device, it first checks the validity period of the B-TID. When it determines that the B-TID is within its validity period and that the key corresponding to the B-TID is also within its validity period, it forwards the service registration request to the MBSF.
  • the forwarded service registration request includes B-TID and MBS Service ID.
  • B-TID represents the identity information generated by the terminal device through the GBA mechanism
  • the MBS Service ID is the MBS service ID.
  • Step 530 MBSF sends MBSF_ID and nonce1 to AMF.
  • after receiving the service registration request forwarded by the AMF, the MBSF sends MBSF_ID (that is, the first network element identifier) and nonce1 (that is, the first random number) to the AMF, where MBSF_ID is the identity information of the MBSF and nonce1 is a random number.
  • Step 540 AMF calculates Ks_xx_NAF.
  • the AMF calculates the key Ks_xx_NAF (that is, the third key information) according to the random number nonce1.
  • Ks_xx_NAF = KDF(KAMF, "gba_xx_NAF", nonce1, SUPI, MBSF_ID), where:
  • KAMF is the shared key between the terminal device and the AMF
  • "gba_xx_NAF" is the GBA process parameter
  • SUPI is the user's real identity
  • nonce1 is a random number
  • MBSF_ID is the identity information of MBSF.
  • the AMF also calculates the user key file, the bootstrap time and the key period.
  • Step 550 The AMF forwards the received MBSF_ID and nonce1 to the terminal device.
  • Step 560 the terminal device calculates MRK and MUK.
  • after receiving the message forwarded by the AMF, the terminal device first checks MBSF_ID to verify whether the MBSF is the server from which it needs to receive the multicast message. If the verification succeeds, it calculates the MRK (that is, the fourth key information) and the MUK according to Ks_xx_NAF.
  • Step 570 The AMF sends the calculated Ks_xx_NAF to the MBSF.
  • AMF also sends the calculated user key file, bootstrap time and key period to MBSF.
  • Step 580 The terminal device calculates and sends the digest RES and the random number nonce2.
  • RES = f2(MRK, nonce1, B-TID) is the first summary information, and nonce2 is the second random number.
  • Step 590 MBSF calculates MRK, MUK and verifies the digest.
  • MBSF calculates MRK and MUK according to the Ks_xx_NAF received from AMF, and then verifies whether the digest RES of the terminal device is legal through the calculated MRK and MUK.
  • Step 5100 MBSF calculates and sends the digest RES*.
  • RES* is the second digest information.
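The Fig. 5 registration exchange (steps 510 to 5100) worked through as an added Python simulation of the terminal, AMF and MBSF roles; this is not code from the patent or from OPPO. The KDF and f2 are HMAC-SHA256 stand-ins, the MRK/MUK derivation labels and the RES* formula are assumptions, and the B-TID bootstrapping table is constructed.

```python
import hashlib, hmac, os, time

def kdf(key, *parts):
    # Stand-in for the 3GPP KDF (assumption): HMAC-SHA256 over length-prefixed parts.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

def f2(key, *parts):
    # Stand-in for the digest function f2 (assumption): HMAC-SHA256 truncated to 16 octets.
    return kdf(key, *parts)[:16]

def derive_ks_xx_naf(k_amf, nonce1, supi, mbsf_id):
    # Step 540: Ks_xx_NAF = KDF(KAMF, "gba_xx_NAF", nonce1, SUPI, MBSF_ID).
    return kdf(k_amf, b"gba_xx_NAF", nonce1, supi, mbsf_id)

def derive_mrk_muk(ks_xx_naf):
    # MRK (fourth key information) and MUK from Ks_xx_NAF; the derivation labels are assumptions.
    return kdf(ks_xx_naf, b"MRK"), kdf(ks_xx_naf, b"MUK")

def bootstrap_entry(supi, k_amf, ttl_seconds):
    # Constructed GBA bootstrapping state held by the AMF: (SUPI, KAMF, expiry time).
    return (supi, k_amf, time.time() + ttl_seconds)

class Terminal:
    def __init__(self, supi, k_amf, b_tid, expected_mbsf_id):
        self.supi, self.k_amf, self.b_tid = supi, k_amf, b_tid
        self.expected_mbsf_id = expected_mbsf_id
        self.mrk = self.muk = self.nonce2 = None

    def registration_request(self, service_id):
        # Step 510: B-TID and MBS Service ID (carried in the NAS container).
        return {"b_tid": self.b_tid, "service_id": service_id}

    def answer_challenge(self, mbsf_id, nonce1):
        # Step 560: confirm the MBSF identity before deriving any key.
        if mbsf_id != self.expected_mbsf_id:
            return None
        ks = derive_ks_xx_naf(self.k_amf, nonce1, self.supi, mbsf_id)
        self.mrk, self.muk = derive_mrk_muk(ks)
        self.nonce2 = os.urandom(16)
        # Step 580: RES = f2(MRK, nonce1, B-TID), sent together with nonce2.
        return f2(self.mrk, nonce1, self.b_tid), self.nonce2

    def verify_res_star(self, res_star):
        # Steps 5100/490: check the network digest over nonce2 (RES* formula assumed).
        expected = f2(self.mrk, self.nonce2, self.b_tid)
        return hmac.compare_digest(expected, res_star)

class AMF:
    def __init__(self, bootstrapped):
        self.bootstrapped = bootstrapped  # B-TID -> bootstrap_entry(...)

    def forward_registration(self, req):
        # Step 520: forward only while the B-TID and its key are within validity.
        entry = self.bootstrapped.get(req["b_tid"])
        return entry is not None and entry[2] > time.time()

    def on_challenge(self, b_tid, mbsf_id, nonce1):
        # Step 540: derive Ks_xx_NAF; steps 550/570 forward the challenge and the key.
        supi, k_amf, _ = self.bootstrapped[b_tid]
        return derive_ks_xx_naf(k_amf, nonce1, supi, mbsf_id)

class MBSF:
    def __init__(self, mbsf_id):
        self.mbsf_id, self.sessions = mbsf_id, {}

    def challenge(self, b_tid):
        # Step 530: a fresh 16-octet nonce1 for each registration attempt.
        self.sessions[b_tid] = {"nonce1": os.urandom(16)}
        return self.mbsf_id, self.sessions[b_tid]["nonce1"]

    def receive_ks(self, b_tid, ks_xx_naf):
        # Step 570: Ks_xx_NAF pushed by the AMF.
        self.sessions[b_tid]["ks"] = ks_xx_naf

    def verify(self, b_tid, res, nonce2):
        # Step 590: recompute MRK/MUK and check RES; step 5100: return RES* or None.
        s = self.sessions[b_tid]
        mrk, _muk = derive_mrk_muk(s["ks"])
        if not hmac.compare_digest(f2(mrk, s["nonce1"], b_tid), res):
            return None
        return f2(mrk, nonce2, b_tid)

def run_registration(term, amf, mbsf, service_id=b"mbs-service-1"):
    # Drive the Fig. 5 exchange end to end; True only if both digests verify.
    req = term.registration_request(service_id)
    if not amf.forward_registration(req):
        return False
    mbsf_id, nonce1 = mbsf.challenge(req["b_tid"])
    mbsf.receive_ks(req["b_tid"], amf.on_challenge(req["b_tid"], mbsf_id, nonce1))
    answer = term.answer_challenge(mbsf_id, nonce1)
    if answer is None:
        return False
    res, nonce2 = answer
    res_star = mbsf.verify(req["b_tid"], res, nonce2)
    return res_star is not None and term.verify_res_star(res_star)
```

Registration succeeds only when the terminal and AMF share KAMF, the B-TID is still valid at the AMF, and the terminal accepts the MBSF_ID it is offered; any mismatch fails at the corresponding step without a digest ever being accepted.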
  • Fig. 6 shows a method flowchart of a service registration process provided by an exemplary embodiment of the present application.
  • the service registration request includes Ks (that is, the fifth key information), and the method includes:
  • Step 610 The terminal device sends a service registration request to the AMF.
  • the service registration request includes the B-TID and the MBS Service ID, where the B-TID represents the identity information generated by the terminal device through the GBA mechanism, and the MBS Service ID is the MBS service ID.
  • Step 620 AMF sends a service registration request to MBSF.
  • After the AMF receives the service registration request from the terminal device, it first checks the validity period of the B-TID. When it determines that the B-TID is within its validity period and that the key corresponding to the B-TID is also within its validity period, it forwards the service registration request to the MBSF.
  • the forwarded service registration request includes B-TID, MBS Service ID, and Ks.
  • B-TID represents the identity information generated by the terminal device through the GBA mechanism
  • MBS Service ID is the MBS service ID
  • Ks is the shared key formed between the terminal device and the network side based on the GBA mechanism.
  • Step 630 MBSF sends MBSF_ID and nonce1 to AMF.
  • After receiving the service registration request forwarded by the AMF, the MBSF sends MBSF_ID (that is, the first network element identifier) and nonce1 (that is, the first random number) to the AMF.
  • MBSF_ID is the identity information of MBSF
  • nonce1 is a random number.
  • Step 640 The AMF forwards the received MBSF_ID and nonce1 to the terminal device.
  • MBSF_ID is the identity information of MBSF
  • nonce1 is a random number.
  • Step 650 The terminal device calculates MRK and MUK.
  • After the terminal device receives the message forwarded by the AMF, it first checks the MBSF_ID to verify that the MBSF is the server from which it needs to receive the multicast message. If the verification succeeds, it calculates the MRK (that is, the fourth key information) and MUK according to Ks_xx_NAF (that is, the third key information).
  • Ks_xx_NAF includes one of Ks_ext_NAF and Ks_int_NAF.
  • Ks_ext_NAF = KDF(Ks, "gba-me", nonce1, SUPI, MBSF_ID)
  • Ks_int_NAF = KDF(Ks, "gba-u", nonce1, SUPI, MBSF_ID).
  • Ks is the shared key formed based on the GBA mechanism between the terminal device and the network side
  • "gba-me" and "gba-u" are GBA process parameters
  • nonce1 is a random number
  • SUPI is the user's real identity
  • MBSF_ID is the identity information of MBSF.
  • Step 660 The terminal device calculates and sends the digest RES and the random number nonce2.
  • RES = f2(MRK, nonce1, B-TID) (that is, the first digest information), and nonce2 is the second random number.
  • Step 670 MBSF calculates MRK, MUK and verifies the digest.
  • MBSF first calculates Ks_xx_NAF, then calculates MRK and MUK according to Ks_xx_NAF, and then verifies whether the digest RES of the terminal device is legal through the calculated MRK and MUK.
  • Step 680 The MBSF calculates and sends the digest RES*.
  • RES* is the second digest information.
  • FIG. 7 shows a flowchart of a method for the request authentication process provided by an exemplary embodiment of the present application, and the method includes:
  • Step 710 The terminal device sends a first verification request to the mobile network control plane.
  • the first verification request is used to request to obtain the first key.
  • Step 720 The mobile network control plane sends the first verification request to the control plane of the first network element.
  • After receiving the first verification request sent by the terminal device, the mobile network control plane forwards the first verification request to the first network element control plane.
  • the first verification request forwarded by the mobile network control plane and received by the control plane of the first network element either does not include the eighth key information, where the eighth key information is used to derive the sixth key information, or does include the eighth key information.
  • After receiving the first verification request, the first network element control plane verifies it. If the first verification request is verified successfully, skip to step 7100; if the verification fails, skip to step 730 and perform steps 730 to 790.
  • Step 730 The first network element control plane sends the first network element identifier and the third random number to the mobile network control plane.
  • the first network element identifier is used to uniquely identify the first network element.
  • the third random number is a 16-octet random number generated at the control plane of the first network element.
  • Step 740 The mobile network control plane sends the first network element identifier and the third random number to the terminal device.
  • After receiving the first network element identifier and the third random number sent by the first network element control plane, the mobile network control plane forwards them to the terminal device.
  • Step 750 The terminal device determines the third summary information.
  • the third summary information is verification information generated by the terminal device according to the received third random number.
  • after receiving the first network element identifier and the third random number, the terminal device first confirms the identity of the first network element according to the first network element identifier, and determines that the first network element is the server from which it requires the MBS service.
  • the process by which the terminal determines the third digest information includes: determining the sixth key information according to the first network element identifier and the third random number, determining the seventh key information according to the sixth key information, and determining the third digest information according to the seventh key information and the third random number.
  • Step 760 The terminal device sends the third summary information and the fourth random number to the control plane of the first network element.
  • the fourth random number is a 16-octet random number generated at the terminal device.
  • Step 770 The control plane of the first network element verifies the third summary information.
  • the control plane of the first network element verifies the third digest information according to the seventh key information.
  • the process by which the control plane of the first network element verifies the third digest information includes: the control plane of the first network element calculates the seventh key information according to the sixth key information, and then verifies the third digest information according to the third random number and the seventh key information.
  • the above-mentioned sixth key information is a shared key between the terminal device and the control plane of the first network element; it is derived from the eighth key information and is itself used to derive the seventh key information.
  • in one case, the mobile network control plane calculates the sixth key information and sends it to the control plane of the first network element; the control plane of the first network element receives the sixth key information.
  • in the other case, the service registration request forwarded by the mobile network control plane and received by the control plane of the first network element includes the eighth key information, and the control plane of the first network element calculates the sixth key information according to the eighth key information.
  • Step 780 The control plane of the first network element sends fourth summary information.
  • the fourth summary information is generated by the control plane of the first network element according to the fourth random number.
  • the control plane of the first network element sends the fourth digest information to the terminal device.
  • the control plane of the first network element also sends a second verification success message.
  • Step 790 The terminal device verifies the fourth summary information.
  • the terminal device receives the fourth summary information fed back from the control plane of the first network element.
  • the terminal device verifies the fourth summary information according to the fourth random number, and if the verification is successful, the service registration process of the terminal device is completed.
  • Step 7100 The control plane of the first network element sends a second verification success message.
  • the second verification success message is used to indicate that the first verification request is successfully verified.
  • the mobile network control plane includes AMF
  • the first network element control plane includes MBSF to exemplify the above request authentication process.
  • After the service registration is completed, if the terminal device wants to join a certain MBS session, it sends an MSK request to the MBSF. Depending on whether Ks is included in the request message received by the MBSF, one of two request authentication processes for the service key MSK is triggered.
  • Fig. 8 shows a flowchart of a method for the request authentication process provided by an exemplary embodiment of the present application.
  • the first verification request does not include Ks (that is, eighth key information), and the method includes:
  • Step 810 The terminal device sends a first verification request to the AMF.
  • the first verification request includes B-TID and MSK ID, where B-TID represents the identity information generated by the terminal device through the GBA mechanism, and MSK ID is the MSK key ID.
  • Step 820 AMF sends a first verification request to MBSF.
  • After the AMF receives the first verification request from the terminal device, it first checks the validity period of the B-TID. When it determines that the B-TID is within its validity period and that the key corresponding to the B-TID is also within its validity period, it forwards the first verification request to the MBSF.
  • the forwarded first verification request includes B-TID and MSK ID.
  • B-TID represents the identity information generated by the terminal equipment through the GBA mechanism
  • MSK ID is the MSK key ID.
  • After receiving the first verification request, the MBSF checks whether Ks_xx_NAF has expired. If it has not expired, skip to step 8110; if it has expired, skip to step 830 and execute steps 830 to 8100.
  • Step 830 MBSF sends MBSF_ID and nonce1 to AMF.
  • After receiving the service authentication request forwarded by the AMF, the MBSF sends MBSF_ID (that is, the first network element identifier) and nonce1 (that is, the third random number) to the AMF.
  • MBSF_ID is the identity information of MBSF
  • nonce1 is a random number.
  • Step 840 AMF calculates Ks_xx_NAF.
  • the AMF calculates the key Ks_xx_NAF (that is, the sixth key information) according to the random number nonce1.
  • Ks_xx_NAF = KDF(KAMF, "gba_xx_NAF", nonce1, SUPI, MBSF_ID).
  • KAMF is the shared key between the terminal device and AMF
  • "gba_xx_NAF" is the GBA process parameter
  • SUPI is the user's real identity
  • nonce1 is a random number
  • MBSF_ID is the identity information of MBSF.
  • the AMF also calculates the user key file, the bootstrap time and the key period.
  • Step 850 The AMF forwards the received MBSF_ID and nonce1 to the terminal device.
  • MBSF_ID is the identity information of MBSF
  • nonce1 is a random number.
  • Step 860 The terminal device calculates MRK and MUK.
  • After the terminal device receives the message forwarded by the AMF, it first checks the MBSF_ID to verify that the MBSF is the server from which it needs to receive the multicast message. If the verification succeeds, it calculates the MRK (that is, the seventh key information) and MUK according to Ks_xx_NAF.
  • Step 870 The AMF sends the calculated Ks_xx_NAF to the MBSF.
  • AMF also sends the calculated user key file, bootstrap time and key period to MBSF.
  • Step 880 The terminal device calculates and sends the digest RES and the random number nonce2.
  • RES = f2(MRK, nonce1, B-TID) (that is, the third digest information), and nonce2 is the fourth random number.
  • Step 890 MBSF calculates MRK, MUK and verifies the digest.
  • MBSF calculates MRK and MUK according to the Ks_xx_NAF received from AMF, and then verifies whether the digest RES of the terminal device is legal through the calculated MRK and MUK.
  • Step 8100 MBSF calculates and sends the digest RES*.
  • Step 8110 The MBSF sends a verification success identifier to the terminal device.
  • Fig. 9 shows a flowchart of a method for the request authentication process provided by an exemplary embodiment of the present application.
  • the first verification request includes Ks (that is, eighth key information), and the method includes:
  • Step 910 The terminal device sends a first verification request to the AMF.
  • the first verification request includes B-TID and MSK ID, where B-TID represents the identity information generated by the terminal device through the GBA mechanism, and MSK ID is the MSK key ID.
  • Step 920 AMF sends a first verification request to MBSF.
  • After the AMF receives the first verification request from the terminal device, it first checks the validity period of the B-TID. When it determines that the B-TID is within its validity period and that the key corresponding to the B-TID is also within its validity period, it forwards the first verification request to the MBSF.
  • the forwarded first verification request includes B-TID, MSK ID, and Ks.
  • B-TID represents the identity information generated by the terminal device after the GBA mechanism
  • MSK ID is the MSK key ID
  • Ks is the shared key formed between the terminal device and the network side based on the GBA mechanism.
  • After receiving the first verification request, the MBSF checks whether Ks_xx_NAF has expired. If it has not expired, skip to step 990; if it has expired, skip to step 930 and execute steps 930 to 980.
  • Step 930 MBSF sends MBSF_ID and nonce1 to AMF.
  • After receiving the first verification request forwarded by the AMF, the MBSF sends MBSF_ID (that is, the first network element identifier) and nonce1 (that is, the third random number) to the AMF.
  • MBSF_ID is the identity information of MBSF
  • nonce1 is a random number.
  • Step 940 The AMF forwards the received MBSF_ID and nonce1 to the terminal device.
  • MBSF_ID is the identity information of MBSF, and nonce1 is a random number.
  • Step 950 the terminal device calculates MRK and MUK.
  • After the terminal device receives the message forwarded by the AMF, it first checks the MBSF_ID to verify that the MBSF is the server from which it needs to receive the multicast message. If the verification succeeds, it calculates the MRK (that is, the seventh key information) and MUK according to Ks_xx_NAF (that is, the sixth key information).
  • Ks_xx_NAF includes one of Ks_ext_NAF and Ks_int_NAF.
  • Ks_ext_NAF = KDF(Ks, "gba-me", nonce1, SUPI, MBSF_ID)
  • Ks_int_NAF = KDF(Ks, "gba-u", nonce1, SUPI, MBSF_ID).
  • Ks is a shared key formed based on the GBA mechanism between the terminal device and the network side
  • "gba-me" and "gba-u" are GBA process parameters
  • nonce1 is a random number
  • SUPI is the user's real identity
  • MBSF_ID is the identity information of MBSF.
  • Step 960 The terminal device calculates and sends the digest RES and the random number nonce2.
  • RES = f2(MRK, nonce1, B-TID) (that is, the third digest information), and nonce2 is the fourth random number.
  • Step 970 MBSF calculates MRK, MUK and verifies the digest.
  • MBSF first calculates Ks_xx_NAF, then calculates MRK and MUK according to Ks_xx_NAF, and then verifies whether the digest RES of the terminal device is legal through the calculated MRK and MUK.
  • Step 980 The MBSF calculates and sends the digest RES*.
  • Step 990 The MBSF sends a verification success identifier to the terminal device.
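The mutual-authentication handshake described for Figs. 5/6 (service registration) and Figs. 8/9 (MSK request authentication), as a runnable simulation added here; this is illustrative code, not code from the patent. The patent names KDF, f2 and the MRK/MUK derivation without specifying them, so HMAC-SHA256 with constructed labels is assumed for all three, the AMF's forwarding is left implicit, and the key-period check at steps 820/920 is modelled by `ks_xx_naf_expired`.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Assumed KDF (the patent names KDF but does not fix it): HMAC-SHA256 over length-prefixed inputs."""
    msg = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_ks_xx_naf(root_key: bytes, label: str, nonce1: bytes, supi: str, mbsf_id: str) -> bytes:
    """Ks_xx_NAF = KDF(root, label, nonce1, SUPI, MBSF_ID).

    Fig. 5/8: root = KAMF, label = "gba_xx_NAF" (computed by the AMF, step 540/840).
    Fig. 6/9: root = Ks,   label = "gba-me" (Ks_ext_NAF) or "gba-u" (Ks_int_NAF), computed by the MBSF.
    """
    return kdf(root_key, label.encode(), nonce1, supi.encode(), mbsf_id.encode())


def derive_mrk_muk(ks_xx_naf: bytes) -> Tuple[bytes, bytes]:
    """MRK (request key) and MUK (user key) from Ks_xx_NAF; the domain-separation labels are assumed."""
    return kdf(ks_xx_naf, b"MRK"), kdf(ks_xx_naf, b"MUK")


def f2(mrk: bytes, nonce: bytes, btid: str) -> bytes:
    """RES = f2(MRK, nonce1, B-TID); RES* is the same function over nonce2. f2 is assumed to be HMAC-SHA256."""
    return kdf(mrk, nonce, btid.encode())


def ks_xx_naf_expired(bootstrap_time: int, key_period: int, now: int) -> bool:
    """MBSF check at step 820/920: a still-valid Ks_xx_NAF skips straight to the verification success identifier."""
    return now >= bootstrap_time + key_period


class Terminal:
    """Terminal side of steps 560/580 (Fig. 5) or 650/660 (Fig. 6)."""

    def __init__(self, supi: str, btid: str, root_key: bytes, label: str, expected_mbsf_id: str):
        self.supi, self.btid, self.root_key, self.label = supi, btid, root_key, label
        self.expected_mbsf_id = expected_mbsf_id  # the MBSF this terminal wants to receive multicast from
        self.mrk = self.muk = self.nonce2 = None

    def on_mbsf_id_and_nonce1(self, mbsf_id: str, nonce1: bytes) -> Optional[Tuple[bytes, bytes]]:
        # Step 560: check MBSF_ID before deriving anything; None means the terminal aborts.
        if not hmac.compare_digest(mbsf_id.encode(), self.expected_mbsf_id.encode()):
            return None
        ks_xx_naf = derive_ks_xx_naf(self.root_key, self.label, nonce1, self.supi, mbsf_id)
        self.mrk, self.muk = derive_mrk_muk(ks_xx_naf)
        self.nonce2 = os.urandom(16)  # 16-octet random number generated at the terminal device
        return f2(self.mrk, nonce1, self.btid), self.nonce2  # Step 580: RES and nonce2

    def verify_res_star(self, res_star: bytes) -> bool:
        # Terminal side of step 5100: RES* must be f2 over the terminal's own nonce2.
        return self.mrk is not None and hmac.compare_digest(f2(self.mrk, self.nonce2, self.btid), res_star)


class Mbsf:
    """MBSF side of steps 530/590/5100 (Fig. 5) or 630/670/680 (Fig. 6)."""

    def __init__(self, mbsf_id: str):
        self.mbsf_id = mbsf_id
        self.nonce1 = self.mrk = self.muk = None

    def start(self) -> Tuple[str, bytes]:
        self.nonce1 = os.urandom(16)  # fresh per run, so a recorded RES is useless later
        return self.mbsf_id, self.nonce1

    def install_ks_xx_naf(self, ks_xx_naf: bytes) -> None:
        # Step 570 (Ks_xx_NAF received from the AMF) or step 670 (computed locally from Ks).
        self.mrk, self.muk = derive_mrk_muk(ks_xx_naf)

    def verify_res(self, res: bytes, nonce2: bytes, btid: str) -> Optional[bytes]:
        # Step 590: verify RES; only on success answer with RES* over nonce2 (step 5100).
        if self.mrk is None or not hmac.compare_digest(f2(self.mrk, self.nonce1, btid), res):
            return None
        return f2(self.mrk, nonce2, btid)


def run_registration(terminal: Terminal, mbsf: Mbsf, net_root_key: bytes, net_supi: str) -> Tuple[bool, bool]:
    """Whole exchange with AMF forwarding left implicit. net_* is the network side's view of this UE.

    Returns (mbsf_accepted_terminal, terminal_accepted_mbsf).
    """
    mbsf_id, nonce1 = mbsf.start()
    # Network side derives Ks_xx_NAF from its own copy of the root key (AMF in Fig. 5/8, MBSF in Fig. 6/9).
    mbsf.install_ks_xx_naf(derive_ks_xx_naf(net_root_key, terminal.label, nonce1, net_supi, mbsf_id))
    reply = terminal.on_mbsf_id_and_nonce1(mbsf_id, nonce1)
    if reply is None:
        return False, False  # terminal refused: MBSF_ID was not the expected server
    res, nonce2 = reply
    res_star = mbsf.verify_res(res, nonce2, terminal.btid)
    if res_star is None:
        return False, False  # digest mismatch at the MBSF (wrong root key, SUPI or B-TID)
    return True, terminal.verify_res_star(res_star)
```

Because MBSF_ID and nonce1 enter the derivation of Ks_xx_NAF, a terminal that expects a different MBSF, or a network side holding a different root key or SUPI for the UE, ends the exchange with a rejected digest rather than a shared key.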
  • Fig. 10 shows a method flowchart of a key distribution process provided by an exemplary embodiment of the present application, and the method includes:
  • Step 1010 The control plane of the first network element sends the first key to the terminal device.
  • the first key is used to encrypt the second key.
  • Step 1020 The terminal device sends a first confirmation message to the control plane of the first network element.
  • the first confirmation message is used to indicate that the terminal device successfully receives the first key.
  • Step 1030 The control plane of the first network element sends the first key to the user plane of the first network element.
  • Step 1040 The control plane of the first network element sends the second key to the terminal device.
  • the second key is used to encrypt MBS service data transmission.
  • Step 1050 The terminal device sends a second confirmation message to the control plane of the first network element.
  • the second confirmation message is used to indicate that the terminal device successfully receives the second key.
  • Step 1060 The control plane of the first network element sends the second key to the user plane of the first network element.
  • the user plane of the first network element uses the second key to encrypt data and sends the data to the terminal device.
  • the above key distribution process is exemplified by assuming that the control plane of the first network element includes MBSF and the user plane of the first network element includes MBSU.
  • After the MBSF and the terminal device have authenticated each other successfully, the MBSF stores the terminal device information to record that the terminal device is successfully authenticated. It then executes the MSK and MTK distribution processes in turn, as shown in Fig. 11. After distribution is complete, the MBSU uses the traffic key MTK to encrypt the multicast data, which is forwarded by the multimedia multicast user plane function MB-UPF.
  • FIG. 11 shows a flowchart of a method for key distribution process provided by an exemplary embodiment of the present application.
  • Step 1110 MBSF generates the MSK for the MSK_ID of the successfully authenticated MSK request.
  • After the MBSF successfully authenticates the MSK request (that is, the first verification request) of the terminal device, the MBSF generates the service key MSK for the MSK_ID of that request.
  • Step 1120 MBSF issues MSK to the terminal device.
  • MSK is encrypted and protected by MUK.
  • Step 1130 When the terminal device successfully receives the MSK, the terminal device returns an ACK to the MBSF.
  • when the terminal device does not successfully receive the MSK, it returns a NACK to the MBSF, and the MBSF needs to re-issue the MSK to the terminal device.
  • Step 1140 MBSF issues MSK to MBSU.
  • the issued MSK includes MSK and the corresponding MSK_ID.
  • Step 1150 MBSF generates MTK_ID and the corresponding MTK.
  • MTK is used to encrypt multicast data.
  • Step 1160 MBSF issues MTK to the terminal device.
  • MTK is protected by MSK.
  • Step 1170 When the terminal device successfully receives the MTK, the terminal device returns an ACK to the MBSF.
  • when the terminal device does not successfully receive the MTK, it returns a NACK to the MBSF, and the MBSF needs to re-issue the MTK to the terminal device.
  • Step 1180 MBSF issues MTK to MBSU.
  • MBSF instructs the MBSU to use the delivered traffic key MTK to encrypt the multicast data, which completes the delivery process of MSK and MTK.
  • Fig. 12 shows a network deployment diagram with a multicast service function provided by an exemplary embodiment of the present application.
  • Terminal equipment is connected to the 5G-RAN through the Uu interface; the 5G-RAN and UPF are connected through the N3 interface; the 5G-RAN and AMF are connected through the N2 interface; the UPF and MBSU are connected through the N6 interface; the AMF and MBSF are connected through the N6mb-c interface; the MBSU connects to the MBSF through the Ny interface.
  • FIG. 13 shows a system architecture diagram with a multicast service function provided by an exemplary embodiment of the present application.
  • the UE is the entity that applies for registration of the MBS service in the 5G network, issues the MSK request, and is the target of key distribution.
  • 5G-RAN serves as a 5G access network, connecting terminal equipment with the network side.
  • AMF is the access and mobility management function in the 5G core network, and is deployed in a unified manner with SEAF. It is mainly responsible for the GBA server function and initiates the authentication of the MBS server or forwards the authentication request during the MBS service process.
  • MBSF is a multicast broadcast service function.
  • MBSF is the MBS server in this architecture: a new network function that processes the control plane signalling part so as to meet the service layer functions in transport-only mode and full service mode. It is mainly responsible for performing mutual authentication with the UE during the MBS service registration process and the MSK request authentication process. In the key distribution process, it is responsible for generating the service key MSK and the traffic key MTK for a UE that successfully applies for the service key MSK.
  • MBSU is the user plane of the multicast broadcast service: a new network function entity that handles the payload part to serve the service layer functions. It is mainly responsible for encrypting the multicast data with the traffic key MTK and forwarding it via the multimedia multicast user plane function MB-UPF.
  • MSK ID is the MSK key ID, used to identify the MSK.
  • MRK is the request key, mainly used to authenticate the UE during the process of the UE requesting a key.
  • MUK is the user key, mainly used to encrypt the MSK.
  • MTK is the traffic key, mainly used to encrypt MBS service data transmission.
  • MTK ID is the MTK key ID, used to identify the MTK.
  • FIG. 14 shows a structural block diagram of a multimedia broadcast multicast service authentication device provided by an exemplary embodiment of the present application.
  • the device includes: a transceiver module 1410;
  • the transceiver module 1410 is configured to interact with the control plane of the first network element through the mobile network control plane through NAS messages, and the interaction is used to complete at least one of the following processes: service registration process, request authentication process, and key distribution process;
  • At least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
  • the transceiver module 1410 includes a sending sub-module 1411, a receiving sub-module 1412, a determining sub-module 1413, and a verification sub-module 1414.
  • the sending submodule 1411 is configured to add content interacted with the control plane of the first network element to the container, and transmit the container through the mobile network control plane.
  • the sending submodule 1411 is configured to send a service registration request to the mobile network control plane, and the service registration request is used to register the terminal device;
  • the receiving submodule 1412 is configured to receive, after the first network element control plane has received the service registration request forwarded by the mobile network control plane, the first verification success message sent by the first network element control plane, where the first verification success message is used to indicate that the service registration process corresponding to the service registration request is successful.
  • the sending submodule 1411 is configured to send a first verification request to the mobile network control plane, where the first verification request is used to request to obtain the first key; the receiving submodule 1412 is configured to receive, after the first network element control plane has received the first verification request forwarded by the mobile network control plane, a second verification success message sent by the first network element control plane, where the second verification success message is used to indicate that the first verification request is successfully verified.
  • the receiving submodule 1412 is configured to receive the first key and the second key sent by the control plane of the first network element; the first key is used to protect the second key, and the second key is used for data transmission between the terminal device and the user plane of the first network element.
  • the receiving submodule 1412 is configured to receive the first network element identifier and the first random number forwarded by the mobile network control plane from the first network element control plane; the determining submodule 1413 is configured to determine, based on the first network element identifier, that the first network element is a server requiring MBS services; the determining submodule 1413 is configured to determine the third key information according to the first network element identifier and the first random number, determine the fourth key information according to the third key information, and determine the first digest information according to the fourth key information and the first random number; the sending submodule 1411 is configured to send the first digest information and the second random number to the control plane of the first network element.
  • the receiving submodule 1412 is configured to receive second summary information fed back by the control plane of the first network element, where the second summary information is generated by the control plane of the first network element according to the second random number;
  • the verification submodule 1414 is configured to verify the second summary information and complete the service registration process of the terminal device.
  • the service registration request forwarded by the mobile network control plane and received by the first network element control plane either does not include the fifth key information, where the fifth key information is used to derive the third key information, or does include the fifth key information.
  • the receiving sub-module 1412 is configured to receive a second verification success message sent by the control plane of the first network element when the first verification request is successfully verified.
  • the receiving submodule 1412 is configured to receive, in the case that the first verification request fails to be verified, the first network element identifier and the third random number forwarded by the mobile network control plane from the first network element control plane.
  • the determining sub-module 1413 is configured to determine that the first network element is a server that needs the MBS service according to the first network element identifier; the determining sub-module 1413 is configured to determine the sixth key information according to the first network element identifier and the third random number, determine the seventh key information according to the sixth key information, and determine the third digest information according to the seventh key information and the third random number; the sending submodule 1411 is configured to send the third digest information and the fourth random number to the first network element control plane.
  • the receiving submodule 1412 is configured to receive fourth digest information fed back by the control plane of the first network element, where the fourth digest information is generated by the control plane of the first network element according to the fourth random number;
  • the verification submodule 1414 is configured to verify the fourth digest information and, on success, complete the verification process of the first verification request of the terminal device.
  • the first verification request forwarded by the mobile network control plane and received by the first network element control plane either does not include the eighth key information, where the eighth key information is used to derive the sixth key information, or does include the eighth key information.
  • the sending submodule 1411 is configured to feed back a first confirmation message to the control plane of the first network element, where the first confirmation message is used to indicate that the terminal device successfully receives the first key; the sending submodule 1411 is configured to feed back a second confirmation message to the control plane of the first network element, where the second confirmation message is used to indicate that the terminal device successfully receives the second key.
  • the mobile network control plane includes at least one of AMF network elements, SMF network elements, AUSF network elements, and SEAF network elements; the first network element control plane includes MBSF network elements.
  • the device includes a mobile network control plane module 1501, a first network element control plane module 1502, and a first network element user plane module 1503;
  • the first network element control plane module 1502 interacts with the terminal device through NAS messages through the mobile network control plane module 1501, and the interaction is used to complete at least one of the following processes: service registration process, request authentication process, and key distribution process;
  • At least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
  • the first network element control plane module 1502 adds the content of interaction with the terminal device to the container, and transmits the container through the mobile network control plane module 1501.
  • the mobile network control plane module 1501 is configured to receive a service registration request sent by a terminal device, where the service registration request is used to register the terminal device; the mobile network control plane module 1501 is configured to forward the service registration request to the first network element control plane module 1502; the first network element control plane module 1502 is configured to send a first verification success message to the terminal device, where the first verification success message is used to indicate that the registration process corresponding to the service registration request succeeded.
  • the mobile network control plane module 1501 is configured to receive a first verification request sent by a terminal device, where the first verification request is used to request the first key; the mobile network control plane module 1501 is configured to forward the first verification request to the first network element control plane module 1502; the first network element control plane module 1502 is configured to send a second verification success message to the terminal device, where the second verification success message is used to indicate that the first verification request was verified successfully.
  • the first network element control plane module 1502 is configured to send the first key and the second key to the terminal device and to the first network element user plane module 1503, where the first key is used to protect the second key, and the second key is used for data transmission between the terminal device and the first network element user plane module 1503.
  • the first network element control plane module 1502 is configured to send the first network element identifier and the first random number to the mobile network control plane module 1501; the mobile network control plane module 1501 is configured to forward the first network element identifier and the first random number to the terminal device; the first network element control plane module 1502 is configured to receive the first digest information and the second random number sent by the terminal device, where the first digest information is generated by the terminal device according to the first random number; the first network element control plane module 1502 is configured to verify the first digest information according to the fourth key information.
  • when the first digest information is verified successfully, the first network element control plane module 1502 is configured to feed back the first verification success message and the second digest information to the terminal device, where the second digest information is generated by the first network element control plane module 1502 according to the second random number.
  • the first network element control plane module 1502 is configured to calculate the fourth key information according to the third key information; the first network element control plane module 1502 is configured to verify the first digest information according to the first random number and the fourth key information.
  • the service registration request forwarded by the mobile network control plane module 1501 received by the first network element control plane module 1502 does not include the fifth key information, and the fifth key information is used to derive the third key.
  • the service registration request forwarded by the mobile network control plane module 1501 received by the first network element control plane module 1502 includes fifth key information; the first network element control plane module 1502 is configured to Calculate the third key information according to the fifth key information.
  • the first network element control plane module 1502 is configured to verify the first verification request, and if the first verification request is successfully verified, feed back a second verification success message to the terminal device.
  • the first network element control plane module 1502 is configured to verify the first verification request, and if the verification of the first verification request fails, it sends the first verification request to the mobile network control plane module 1501.
  • the mobile network control plane module 1501 is configured to forward the first network element identifier and the third random number to the terminal device;
  • the first network element control plane module 1502 is configured to receive the third digest information and the fourth random number sent by the terminal device, where the third digest information is generated by the terminal device according to the third random number;
  • the first network element control plane module 1502 is configured to verify the third digest information according to the seventh key information; if the third digest information is verified successfully, the first network element control plane module 1502 is configured to feed back the fourth digest information to the terminal device, where the fourth digest information is generated according to the fourth random number.
  • the first network element control plane module 1502 is configured to calculate the seventh key information according to the sixth key information; the first network element control plane module 1502 is configured to verify the third digest information according to the third random number and the seventh key information.
  • the first verification request forwarded by the mobile network control plane received by the first network element control plane does not include the eighth key information, and the eighth key information is used to derive the sixth key information;
  • the mobile network control plane module 1501 is configured to calculate the sixth key information; the mobile network control plane module 1501 is configured to send the sixth key information to the first network element control plane; the first network element control plane module 1502 is configured to receive the sixth key information.
  • the first verification request forwarded by the mobile network control plane received by the first network element control plane includes eighth key information, and the eighth key information is used to derive sixth key information;
  • the first network element control plane module 1502 is configured to calculate the sixth key information according to the eighth key information.
  • the first network element control plane module 1502 is configured to generate a first key and deliver the first key to the terminal device; the first network element control plane module 1502 is configured to receive the first confirmation message fed back by the terminal device, where the first confirmation message is used to indicate that the terminal device successfully received the first key; the first network element control plane module 1502 is configured to deliver the first key to the first network element user plane module 1503; the first network element control plane generates the second key; the first network element control plane module 1502 is configured to deliver the second key to the terminal device; the first network element control plane module 1502 is configured to receive the second confirmation message fed back by the terminal device, where the second confirmation message is used to indicate that the terminal device successfully received the second key; the first network element control plane module 1502 is configured to deliver the second key to the first network element user plane module 1503.
  • the first network element user plane module 1503 is configured to use the second key to encrypt data and send the data to the terminal device.
  • the mobile network control plane module 1501 includes at least one of an AMF network element module, an SMF network element module, an AUSF network element module, and a SEAF network element module;
  • the first network element control plane module 1502 includes an MBSF network element module;
  • the first network element user plane module 1503 includes an MBSU network element module.
  • FIG. 16 shows a schematic structural diagram of a terminal device provided by an exemplary embodiment of the present application.
  • the terminal device includes: a processor 101, a receiver 102, a transmitter 103, a memory 104, and a bus 105.
  • the processor 101 includes one or more processing cores, and the processor 101 executes various functional applications and information processing by running software programs and modules.
  • the receiver 102 and the transmitter 103 may be implemented as a communication component, and the communication component may be a communication chip.
  • the memory 104 is connected to the processor 101 through a bus 105.
  • the memory 104 may be used to store at least one instruction, and the processor 101 is used to execute the at least one instruction to implement each step in the foregoing method embodiment.
  • the memory 104 can be implemented by any type of volatile or non-volatile storage device or a combination thereof.
  • the volatile or non-volatile storage device includes, but is not limited to: magnetic disks or optical disks, Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Static Random Access Memory (SRAM), Read-Only Memory (ROM), magnetic memory, flash memory, and Programmable Read-Only Memory (PROM).
  • a computer-readable storage medium stores at least one instruction, at least one program, code set, or instruction set, and the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor to implement the multimedia broadcast multicast service authentication method executed by the terminal device provided by the foregoing method embodiments.
  • the program can be stored in a computer-readable storage medium.
  • the storage medium mentioned can be a read-only memory, a magnetic disk or an optical disk, etc.
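
As an added example that is not part of the patent, the following Python simulation walks the service registration challenge-response listed above (first network element identifier and first random number sent down, first digest verified with the fourth key derived from the fifth key via the third, second random number answered with the second digest) and the two-step key distribution with its confirmation messages, while the mobile network control plane relays the container without reading it. All algorithms are assumptions, since the patent names no KDF, digest or cipher: HMAC-SHA256 stands in for all of them, the first key is assumed to travel wrapped under the fourth key, and the class and message names are hypothetical.

```python
import hashlib
import hmac
import os

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the KDF and the digest the patent leaves unnamed."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(prf(key, nonce, i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def protect(key: bytes, plaintext: bytes) -> bytes:
    """Assumed transport protection (stand-in for a real AEAD): nonce || body || tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + body + prf(key, nonce, body)

def unprotect(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(prf(key, nonce, body), tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(body, keystream(key, nonce, len(body))))

class MobileNetworkControlPlane:
    """AMF/SEAF stand-in: carries the container inside a NAS message without reading it."""
    terminal = mbsf = None
    def to_mbsf(self, container: dict) -> dict:
        return self.mbsf.handle(container)          # transparent transport, no parsing

    def to_terminal(self, container: dict) -> dict:
        return self.terminal.handle(container)

class MBSFControlPlane:
    """First network element control plane (MBSF)."""
    def __init__(self, ne_id: bytes, fifth_key: bytes):
        self.ne_id, self.rand1, self.registered = ne_id, None, False
        self.fourth_key = prf(prf(fifth_key, b"third"), b"fourth")   # fifth -> third -> fourth

    def handle(self, c: dict) -> dict:
        if c["msg"] == "ServiceRegistrationRequest":
            self.rand1 = os.urandom(16)                               # first random number
            return {"msg": "Challenge", "ne_id": self.ne_id, "rand1": self.rand1}
        if c["msg"] == "ChallengeResponse":                           # first digest, second random number
            if not hmac.compare_digest(prf(self.fourth_key, self.ne_id, self.rand1), c["digest1"]):
                return {"msg": "VerificationFailure"}
            self.registered = True
            return {"msg": "FirstVerificationSuccess", "digest2": prf(self.fourth_key, c["rand2"])}
        raise ValueError("unexpected container")

    def distribute_keys(self, amf, user_plane) -> bool:
        if not self.registered:
            return False
        first_key, second_key = os.urandom(32), os.urandom(32)
        # Assumption: the first key itself travels wrapped under the fourth key.
        reply = amf.to_terminal({"msg": "FirstKey", "wrapped": protect(self.fourth_key, first_key)})
        if reply["msg"] != "FirstConfirmation":
            return False
        user_plane.first_key = first_key        # handed to the user plane only after confirmation
        reply = amf.to_terminal({"msg": "SecondKey", "wrapped": protect(first_key, second_key)})
        if reply["msg"] != "SecondConfirmation":
            return False
        user_plane.second_key = second_key
        return True

class MBSUUserPlane:  # first network element user plane: protects data with the second key
    first_key = second_key = None

    def send(self, data: bytes) -> bytes:
        return protect(self.second_key, data)

class TerminalDevice:
    def __init__(self, fifth_key: bytes):
        self.fourth_key = prf(prf(fifth_key, b"third"), b"fourth")
        self.first_key = self.second_key = None

    def register(self, amf) -> bool:
        reply = amf.to_mbsf({"msg": "ServiceRegistrationRequest"})
        rand2 = os.urandom(16)                                        # second random number
        reply = amf.to_mbsf({"msg": "ChallengeResponse", "rand2": rand2,
                             "digest1": prf(self.fourth_key, reply["ne_id"], reply["rand1"])})
        if reply["msg"] != "FirstVerificationSuccess":
            return False
        return hmac.compare_digest(prf(self.fourth_key, rand2), reply["digest2"])  # authenticates MBSF

    def handle(self, c: dict) -> dict:
        if c["msg"] == "FirstKey":
            self.first_key = unprotect(self.fourth_key, c["wrapped"])
            return {"msg": "FirstConfirmation"}
        self.second_key = unprotect(self.first_key, c["wrapped"])      # "SecondKey"
        return {"msg": "SecondConfirmation"}

def run_scenario(mbsf_fifth_key: bytes, terminal_fifth_key: bytes) -> dict:
    """Registration, key distribution and one protected user-plane message."""
    amf, mbsu = MobileNetworkControlPlane(), MBSUUserPlane()
    amf.mbsf = MBSFControlPlane(b"mbsf-1", mbsf_fifth_key)
    amf.terminal = TerminalDevice(terminal_fifth_key)
    registered = amf.terminal.register(amf)
    keys_ok = amf.mbsf.distribute_keys(amf, mbsu)
    delivered = unprotect(amf.terminal.second_key, mbsu.send(b"multicast payload")) if keys_ok else None
    return {"registered": registered, "keys_ok": keys_ok, "delivered": delivered}
```

Running `run_scenario` with matching fifth keys completes registration, both key deliveries and one protected payload; with mismatching keys the first digest fails at the MBSF, no key is distributed and no user-plane data flows.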

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to the field of wireless communications. Disclosed are a multimedia broadcast/multicast service authentication method and apparatus, and a device and a storage medium. The method comprises: a terminal device interacts with a first network element control plane via a mobile network control plane by means of a NAS message, the interaction being used for completing at least one of the following processes: a service registration process, a request authentication process, and a key distribution process, at least one of the service registration process, the request authentication process, and the key distribution process being used for an MBMS service.

Description

Multimedia broadcast multicast service authentication method, device, equipment and storage medium
Technical field
This application relates to the field of wireless communication, and in particular to a method, device, equipment, and storage medium for authenticating multimedia broadcast and multicast services.
Background
In the 4th Generation Mobile Communication System (4G), the Broadcast Multicast Service Center (BM-SC) network element, as the main node of the Multimedia Broadcast/Multicast Service (MBMS), creates and maintains MBMS services and generates and delivers the data streams.
However, the 5th Generation Wireless Communication System (5G) architecture will no longer support the BM-SC network element, so how to implement MBMS services has become a problem to be solved.
Summary of the invention
The embodiments of the present application provide a method, device, equipment, and storage medium for authenticating a multimedia broadcast multicast service. The technical solution is as follows.
According to one aspect of this application, a multimedia broadcast multicast service authentication method is provided, which is applied to a terminal device;
the terminal device interacts with the first network element control plane via NAS messages through the mobile network control plane, and the interaction is used to complete at least one of the following processes: a service registration process, a request authentication process, and a key distribution process;
at least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
According to one aspect of the present application, a multimedia broadcast multicast service authentication method is provided, which is applied to a communication system, the communication system including a mobile network control plane, a first network element control plane, and a first network element user plane;
the first network element control plane interacts with the terminal device via NAS messages through the mobile network control plane, and the interaction is used to complete at least one of the following processes: a service registration process, a request authentication process, and a key distribution process;
at least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
According to one aspect of the present application, a multimedia broadcast multicast service authentication device is provided, the device comprising a transceiver module;
the transceiver module is configured to interact with the first network element control plane via NAS messages through the mobile network control plane, and the interaction is used to complete at least one of the following processes: a service registration process, a request authentication process, and a key distribution process;
at least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
According to one aspect of the present application, a multimedia broadcast multicast service authentication device is provided, the device including a mobile network control plane module, a first network element control plane module, and a first network element user plane module;
the first network element control plane module interacts with the terminal device via NAS messages through the mobile network control plane module, and the interaction is used to complete at least one of the following processes: a service registration process, a request authentication process, and a key distribution process;
at least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
According to one aspect of the present application, a terminal device is provided, the terminal device comprising: a processor; a transceiver connected to the processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to load and execute the executable instructions to implement the multimedia broadcast multicast service authentication method as described in the above aspect.
According to one aspect of the present application, a communication system is provided, the communication system including:
a processor and a memory;
wherein the code in the memory, executed by the processor, is provided to at least one network element in network function virtualization, and the at least one network element is used to execute the multimedia broadcast multicast service authentication method as described in the foregoing aspect.
According to one aspect of the present application, a computer-readable storage medium is provided, the readable storage medium storing executable instructions, and the executable instructions are loaded and executed by the processor to implement the multimedia broadcast multicast service authentication method as described in the above aspects.
The technical solutions provided by the embodiments of the present application include at least the following beneficial effects:
the terminal device interacts with the first network element control plane via NAS messages through the mobile network control plane; that is, the functions of the BM-SC are realized by separating the user plane from the control plane, so the MBMS service can be implemented without changing the communication equipment in the 3GPP standard and can be applied to networks in all 5G scenarios.
Description of the drawings
In order to describe the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application; for those of ordinary skill in the art, other drawings can be obtained from these drawings without creative work.
Fig. 1 is a block diagram of a communication system provided by an exemplary embodiment of the present application;
Fig. 2 is a schematic diagram of a multimedia broadcast multicast service authentication method provided by an exemplary embodiment of the present application;
Fig. 3 is a flowchart of a multimedia broadcast multicast service authentication method provided by an exemplary embodiment of the present application;
Fig. 4 is a method flowchart of a service registration process provided by an exemplary embodiment of the present application;
Fig. 5 is a method flowchart of a service registration process provided by an exemplary embodiment of the present application;
Fig. 6 is a method flowchart of a service registration process provided by an exemplary embodiment of the present application;
Fig. 7 is a method flowchart of a request authentication process provided by an exemplary embodiment of the present application;
Fig. 8 is a method flowchart of a request authentication process provided by an exemplary embodiment of the present application;
Fig. 9 is a method flowchart of a request authentication process provided by an exemplary embodiment of the present application;
Fig. 10 is a method flowchart of a key distribution process provided by an exemplary embodiment of the present application;
Fig. 11 is a method flowchart of a key distribution process provided by an exemplary embodiment of the present application;
Fig. 12 is a network deployment diagram with a multicast service function provided by an exemplary embodiment of the present application;
Fig. 13 is a system architecture diagram with a multicast service function provided by an exemplary embodiment of the present application;
Fig. 14 is a structural block diagram of a multimedia broadcast multicast service authentication device provided by an exemplary embodiment of the present application;
Fig. 15 is a structural block diagram of a multimedia broadcast multicast service authentication device provided by an exemplary embodiment of the present application;
Fig. 16 is a schematic structural diagram of a terminal device provided by an exemplary embodiment of the present application.
Detailed description
In order to make the purpose, technical solutions, and advantages of the present application clearer, the embodiments of the present application are described in further detail below in conjunction with the accompanying drawings.
First, a brief introduction to the terms involved in this application:
GBA: General Bootstrapping Architecture (generic authentication mechanism);
MBS: Multicast Broadcast Service;
MRK: MBMS Request Key;
MSK: MBMS Service Key;
MTK: MBMS Traffic Key;
MUK: MBMS User Key;
MBSF: Multimedia Broadcast Service Function;
MBSU: Multimedia Broadcast Service User plane;
SUPI: Subscriber Permanent Identifier (the user's permanent identity).
Fig. 1 shows a block diagram of a communication system provided by an exemplary embodiment of the present application. The communication system includes: an access network 12, a terminal device 14, a core network 16, and a non-core network 18.
The access network 12 includes several network devices 120. The network device 120 may be a base station, which is a device deployed in an access network to provide a wireless communication function for a terminal. The base station may include various forms of macro base stations, micro base stations, relay stations, access points, and so on. In systems using different radio access technologies, the names of devices with base station functions may differ; for example, in LTE systems they are called eNodeB or eNB, and in 5G NR-U systems they are called gNodeB or gNB.
The terminal device 14 may include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to a wireless modem, as well as various forms of user equipment, mobile stations (Mobile Station, MS), terminals (terminal device) and so on. For ease of description, the devices mentioned above are collectively referred to as terminal devices. The network device 120 and the terminal device 14 communicate with each other through an air interface technology, such as the Uu interface.
The terminal device 14 accesses the core network 16 and the non-core network 18 through the access network 12.
Optionally, the core network 16 includes at least one of: a User Plane Function (UPF), an Authentication Server Function (AUSF), a Unified Data Management (UDM) function, a Network Exposure Function (NEF), an Access and Mobility Management Function (AMF), a SEcurity Anchor Function (SEAF), a Session Management Function (SMF), and a Policy Control Function (PCF). One or more network elements in the core network 16 are used to carry the GBA mechanism.
Optionally, the non-core network 18 is divided into a control plane and a user plane for carrying MBS services. The non-core network 18 includes the MBSU and the MBSF.
The technical solutions of the embodiments of this application can be applied to various communication systems, such as: the Global System of Mobile Communication (GSM) system, Code Division Multiple Access (CDMA) system, Wideband Code Division Multiple Access (WCDMA) system, General Packet Radio Service (GPRS), Long Term Evolution (LTE) system, LTE Frequency Division Duplex (FDD) system, LTE Time Division Duplex (TDD) system, Advanced Long Term Evolution (LTE-A) system, New Radio (NR) system, evolutions of the NR system, LTE on unlicensed spectrum (LTE-based access to Unlicensed spectrum, LTE-U) system, NR-U system, Universal Mobile Telecommunication System (UMTS), Worldwide Interoperability for Microwave Access (WiMAX) communication system, Wireless Local Area Networks (WLAN), Wireless Fidelity (WiFi), next-generation communication systems, or other communication systems.
Generally speaking, traditional communication systems support a limited number of connections and are easy to implement. However, with the development of communication technology, mobile communication systems will support not only traditional communication but also, for example, Device to Device (D2D) communication, Machine to Machine (M2M) communication, Machine Type Communication (MTC), Vehicle to Vehicle (V2V) communication, and Vehicle to Everything (V2X) systems. The embodiments of the present application can also be applied to these communication systems.
Fig. 2 shows a schematic diagram of a multimedia broadcast multicast service authentication method provided by an exemplary embodiment of the present application.
The terminal device interacts with the first network element control plane via NAS messages through the mobile network control plane, and the interaction is used to complete at least one of the following processes: a service registration process, a request authentication process, and a key distribution process;
at least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
Among them, the registration authentication process is used to register the terminal device on the mobile network control plane, so that the terminal device and the first network element control plane can subsequently carry out the MBMS service.
The request authentication process is used for the terminal device to request that the first network element control plane issue a key, so that the terminal device communicates using the key in the subsequent process.
The key distribution process is used to distribute the key to the terminal device after the first network element control plane has verified the request, so that the terminal device communicates using the received key.
The Multimedia Broadcast/Multicast Service (MBMS) is a service type proposed by the 3rd Generation Partnership Project (3GPP), which mainly provides two transmission modes: broadcast and multicast. Both broadcast and multicast deliver from one point to many points; SMS, pictures, audio, video, applications and so on can all be transmitted in this way, saving mobile bandwidth resources.
Optionally, the mobile network control plane is a network element in the core network.
Optionally, the first network element is a network element in the non-core network. The first network element control plane handles the control plane signalling and carries functions such as key request, key distribution, and member management.
Optionally, the Non-Access Stratum (NAS) exists in the wireless communication protocol stack of the Universal Mobile Telecommunications System (UMTS) as a functional layer between the core network and the terminal device. A NAS message is a message transmitted in the non-access stratum, and signalling and data transmission between the terminal device and the first network element control plane are realized through NAS messages.
In an optional embodiment, the terminal device interacting with the first network element control plane via non-access stratum (NAS) messages through the mobile network control plane includes: the terminal device adds the content to be exchanged with the first network element control plane to a container, and the container is transmitted through the mobile network control plane.
The information exchange between the terminal device and the first network element control plane can use transparent transmission: the relevant information is placed in a container (Container), the container is placed in a NAS message, and the mobile network control plane transparently forwards it to the peer.
Transparent transmission means that, for the mobile network control plane, it serves only as a channel for information transfer and does not process the information. After the terminal device (or the first network element control plane) receives the transparently transmitted message, the terminal device (or the first network element control plane) processes the information.
In summary, in the method provided in this embodiment, the terminal device interacts with the first network element control plane via NAS messages through the mobile network control plane; that is, the functions of the BM-SC are realized by separating the user plane from the control plane, so the MBMS service can be implemented without changing the communication equipment in the 3GPP standard and can be applied to networks in all 5G scenarios.
Fig. 3 shows a flowchart of a multimedia broadcast multicast service authentication method provided by an exemplary embodiment of the present application. The method includes the following steps:
Step 310: the terminal device sends a service registration request to the mobile network control plane.
The service registration request is used to register the terminal device.
Step 320: the mobile network control plane sends the service registration request to the control plane of the first network element.
After receiving the service registration request from the terminal device, the mobile network control plane forwards it to the control plane of the first network element. When the terminal device needs the MBMS service, it must first register; the MBMS service can be activated only after registration succeeds.
Optionally, the service registration request includes (or does not include) fifth key information. The fifth key information is a shared key formed between the terminal device and the network side based on the GBA mechanism.
Step 330: the control plane of the first network element returns a first verification success message to the terminal device.
The first verification success message indicates that the service registration process corresponding to the service registration request has succeeded.
From the received first verification success message, the terminal device can determine that the service registration process corresponding to the service registration request has succeeded.
Optionally, if the terminal device does not receive the first verification success message, it can determine that the service registration process corresponding to the service registration request has failed, and it must re-send the service registration request to register.
Step 340: the terminal device sends a first verification request to the mobile network control plane.
The first verification request is used to request the first key. Optionally, the first key is used to encrypt the second key during the terminal device's key request.
Step 350: the mobile network control plane sends the first verification request to the control plane of the first network element.
After receiving the first verification request from the terminal device, the mobile network control plane forwards it to the control plane of the first network element.
Optionally, the first verification request includes (or does not include) eighth key information.
Optionally, the first verification request may be an MSK request, used to request the MSK key.
Step 360: the control plane of the first network element returns a second verification success message to the terminal device.
The second verification success message indicates that the first verification request has been verified successfully. From the received second verification success message, the terminal device can determine that the request authentication process corresponding to the first verification request has succeeded.
Optionally, if the terminal device does not receive the second verification success message, it can determine that the request authentication process corresponding to the service registration request has failed, and it must perform the request authentication again.
Step 370: the control plane of the first network element sends the first key and the second key to the terminal device.
The first key is used to protect the second key, and the second key is used for data transmission between the terminal device and the user plane of the first network element.
Optionally, one first key corresponds to one or more second keys. After sending the first key to the terminal device, the control plane of the first network element may deliver multiple second keys.
Step 380: the control plane of the first network element sends the first key and the second key to the user plane of the first network element.
Optionally, in steps 370 and 380, the control plane of the first network element sends the first key (or second key) to the user plane of the first network element only after it has successfully sent the first key (or second key) to the terminal device.
Optionally, one first key corresponds to one or more second keys. After sending the first key to the user plane of the first network element, the control plane of the first network element may deliver multiple second keys.
Optionally, the mobile network control plane includes but is not limited to at least one of an AMF network element, an SMF network element, an AUSF network element and a SEAF network element; the control plane of the first network element includes but is not limited to an MBSF network element; the user plane of the first network element includes but is not limited to an MBSU network element.
Note that steps 310 to 330 correspond to the service registration process, steps 340 to 360 to the request authentication process, and steps 370 to 380 to the key distribution process.
In summary, in the method provided by the embodiments of the present application, the terminal device and the control plane of the first network element interact through NAS to complete at least one of the registration authentication process, the request authentication process and the key distribution process, each of which serves the MBMS service. This provides a method of MBMS service in which the service registration process, the MSK request verification process and the key delivery process are placed in the control plane of the first network element, ensuring normal operation of the MBMS service.
The three processes are further described below.
Service registration process
In an optional embodiment based on Fig. 3, Fig. 4 shows a flowchart of the service registration process provided by an exemplary embodiment of the present application. The method includes:
Step 410: the terminal device sends a service registration request to the mobile network control plane.
The service registration request is used to register the terminal device.
Step 420: the mobile network control plane sends the service registration request to the control plane of the first network element.
After receiving the service registration request from the terminal device, the mobile network control plane forwards it to the control plane of the first network element.
Optionally, the service registration request forwarded by the mobile network control plane and received by the control plane of the first network element does not include fifth key information, the fifth key information being used to derive third key information; or, the forwarded service registration request received by the control plane of the first network element includes the fifth key information.
Step 430: the control plane of the first network element sends a first network element identifier and a first random number to the mobile network control plane.
Optionally, the first network element identifier uniquely identifies the first network element. The first random number is a 16-octet random number generated at the control plane of the first network element.
Step 440: the mobile network control plane sends the first network element identifier and the first random number to the terminal device.
After receiving the first network element identifier and the first random number from the control plane of the first network element, the mobile network control plane forwards them to the terminal device.
Step 450: the terminal device determines first digest information.
The first digest information is verification information generated by the terminal device from the received first random number.
Optionally, after receiving the first network element identifier and the first random number, the terminal device first confirms the identity of the first network element from the first network element identifier and determines that the first network element is the server required for the MBS service.
Optionally, the terminal determines the first digest information as follows: determine third key information from the first network element identifier and the first random number, determine fourth key information from the third key information, and determine the first digest information from the fourth key information and the first random number.
Step 460: the terminal device sends the first digest information and a second random number to the control plane of the first network element.
Optionally, the second random number is a 16-octet random number generated at the terminal device.
Step 470: the control plane of the first network element verifies the first digest information.
The control plane of the first network element verifies the first digest information using the fourth key information.
Optionally, the verification includes: the control plane of the first network element computes the fourth key information from the third key information, and then verifies the first digest information using the first random number and the fourth key information.
Optionally, the third key information is a shared key between the terminal device and the control plane of the first network element; it is derived from the fifth key information and is used to derive the fourth key information.
In one implementation, if the service registration request forwarded by the mobile network control plane and received by the control plane of the first network element does not include the fifth key information, the mobile network control plane computes the third key information and sends it to the control plane of the first network element, which receives it. In another implementation, if the forwarded service registration request includes the fifth key information, the control plane of the first network element computes the third key information from the fifth key information.
Step 480: the control plane of the first network element sends second digest information and the first verification success message.
The second digest information is generated by the control plane of the first network element from the second random number.
When the control plane of the first network element verifies the first digest information successfully, it sends the second digest information and the first verification success message to the terminal device.
Step 490: the terminal device verifies the second digest information.
The terminal device receives the second digest information returned by the control plane of the first network element and verifies it using the second random number; if verification succeeds, the service registration process of the terminal device is complete.
In the following, the service registration process is illustrated with the mobile network control plane including an AMF and the control plane of the first network element including an MBSF.
After the terminal device initiates a service registration request and it passes through the network, if the service registration request received by the MBSF does not contain the key Ks, the MBSF first sends a request containing MBSF_ID and the random number nonce1 to the GBA server AMF, as shown in Fig. 5. At this point the holders of Ks, the key parameter in Ks_xx_NAF, are the terminal device and the AMF, so Ks_xx_NAF is negotiated between the terminal device and the AMF during service registration and key request. To allow the service registration process to proceed, the AMF must send Ks_xx_NAF to the MBMS server. The service registration process is completed jointly by the terminal device, the GBA server AMF and the MBS server MBSF; after successful authentication, the terminal device and the MBSF negotiate MRK and MUK.
With reference to Fig. 5, which shows a flowchart of a service registration process provided by an exemplary embodiment of the present application: in this embodiment the service registration request does not include Ks (the fifth key information), and the method includes:
Step 510: the terminal device sends a service registration request to the AMF.
The service registration request contains a B-TID and an MBS Service ID, where the B-TID is the identity generated for the terminal device by the GBA mechanism and the MBS Service ID is the ID of the MBS service.
Step 520: the AMF sends the service registration request to the MBSF.
After receiving the service registration request from the terminal device, the AMF first checks the validity period of the B-TID. When the B-TID is within its validity period and the key corresponding to the B-TID is also within its validity period, the AMF forwards the service registration request to the MBSF. The forwarded request contains the B-TID and the MBS Service ID, where the B-TID is the identity generated for the terminal device by the GBA mechanism and the MBS Service ID is the ID of the MBS service.
Step 530: the MBSF sends MBSF_ID and nonce1 to the AMF.
After receiving the service registration request forwarded by the AMF, the MBSF sends MBSF_ID (the first network element identifier) and nonce1 (the first random number) to the AMF, where MBSF_ID is the identity of the MBSF and nonce1 is a random number.
Step 540: the AMF computes Ks_xx_NAF.
After receiving the above message, the AMF computes the key Ks_xx_NAF (the third key information) from the random number nonce1.
Optionally, Ks_xx_NAF = KDF(KAMF, "gba_xx_NAF", nonce1, SUPI, MBSF_ID), where KAMF is the shared key between the terminal device and the AMF, "gba_xx_NAF" is a GBA procedure parameter, SUPI is the user's real identity identifier, nonce1 is the random number and MBSF_ID is the identity of the MBSF.
Optionally, the AMF also computes the user key file, the bootstrapping time and the key lifetime.
Step 550: the AMF forwards the received MBSF_ID and nonce1 to the terminal device.
MBSF_ID is the identity of the MBSF, and nonce1 is the random number.
Step 560: the terminal device computes MRK and MUK.
After receiving the message forwarded by the AMF, the terminal device first checks MBSF_ID to verify that this MBSF is the server from which it needs to receive multicast messages; if the check succeeds, it computes MRK (the fourth key information) and MUK from Ks_xx_NAF.
Step 570: the AMF sends the computed Ks_xx_NAF to the MBSF.
Optionally, the AMF also sends the computed user key file, bootstrapping time and key lifetime to the MBSF.
Step 580: the terminal device computes and sends the digest RES and the random number nonce2.
Optionally, RES = f2(MRK, nonce1, B-TID) (this is the first digest information), and nonce2 is the second random number.
Step 590: the MBSF computes MRK and MUK and verifies the digest.
The MBSF computes MRK and MUK from the Ks_xx_NAF received from the AMF, and then uses the computed MRK and MUK to verify whether the terminal device's digest RES is valid.
Step 5100: the MBSF computes and sends the digest RES*.
If verification succeeds, the MBSF sends a verification success indication to the terminal device, computes the digest RES* = f2(MRK, nonce2, B-TID), and sends RES* (the second digest information) to the terminal device in response to the terminal device's challenge. This completes the service registration process of the terminal device.
With reference to Fig. 6, which shows a flowchart of a service registration process provided by an exemplary embodiment of the present application: in this embodiment the service registration request includes Ks (the fifth key information), and the method includes:
Step 610: the terminal device sends a service registration request to the AMF.
The service registration request contains a B-TID and an MBS Service ID, where the B-TID is the identity generated for the terminal device by the GBA mechanism and the MBS Service ID is the ID of the MBS service.
Step 620: the AMF sends the service registration request to the MBSF.
After receiving the service registration request from the terminal device, the AMF first checks the validity period of the B-TID. When the B-TID is within its validity period and the key corresponding to the B-TID is also within its validity period, the AMF forwards the service registration request to the MBSF. The forwarded request contains the B-TID, the MBS Service ID and Ks, where the B-TID is the identity generated for the terminal device by the GBA mechanism, the MBS Service ID is the ID of the MBS service, and Ks is the shared key formed between the terminal device and the network side based on the GBA mechanism.
Step 630: the MBSF sends MBSF_ID and nonce1 to the AMF.
After receiving the service registration request forwarded by the AMF, the MBSF sends MBSF_ID (the first network element identifier) and nonce1 (the first random number) to the AMF, where MBSF_ID is the identity of the MBSF and nonce1 is a random number.
Step 640: the AMF forwards the received MBSF_ID and nonce1 to the terminal device.
MBSF_ID is the identity of the MBSF, and nonce1 is the random number.
Step 650: the terminal device computes MRK and MUK.
After receiving the message forwarded by the AMF, the terminal device first checks MBSF_ID to verify that this MBSF is the server from which it needs to receive multicast messages; if the check succeeds, it computes MRK (the fourth key information) and MUK from Ks_xx_NAF (the third key information).
Optionally, Ks_xx_NAF is one of Ks_ext_NAF and Ks_int_NAF. Specifically, Ks_ext_NAF = KDF(Ks, "gba-me", nonce1, SUPI, MBSF_ID) and Ks_int_NAF = KDF(Ks, "gba-u", nonce1, SUPI, MBSF_ID), where Ks is the shared key formed between the terminal device and the network side based on the GBA mechanism, "gba-me" and "gba-u" are GBA procedure parameters, nonce1 is the random number, SUPI is the user's real identity identifier and MBSF_ID is the identity of the MBSF.
Step 660: the terminal device computes and sends the digest RES and the random number nonce2.
Optionally, RES = f2(MRK, nonce1, B-TID) (this is the first digest information), and nonce2 is the second random number.
Step 670: the MBSF computes MRK and MUK and verifies the digest.
The MBSF first computes Ks_xx_NAF, then computes MRK and MUK from Ks_xx_NAF, and then uses the computed MRK and MUK to verify whether the terminal device's digest RES is valid.
Step 680: the MBSF computes and sends the digest RES*.
If verification succeeds, the MBSF sends a verification success indication to the terminal device, computes the digest RES* = f2(MRK, nonce2, B-TID), and sends RES* (the second digest information) to the terminal device in response to the terminal device's challenge. This completes the service registration process of the terminal device.
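The two registration exchanges above (Fig. 5, no Ks in the request, and Fig. 6, Ks in the request) as an added Python example that is not part of the patent: the AMF checks B-TID validity before forwarding, the terminal checks MBSF_ID before deriving anything from nonce1, and both RES and RES* are compared in constant time. HMAC-SHA256 stands in for the page's KDF and f2, the MRK/MUK derivation labels, the MBSF's knowledge of SUPI, and all identities and keys are assumptions; the user key file, bootstrapping time and key lifetime are omitted.

```python
import hashlib
import hmac
import secrets

# Constructed sample identities and long-term keys (not from the page).
SUPI, B_TID, MBSF_ID = b"imsi-001010123456789", b"b-tid-0001", b"mbsf.example"
K_AMF, KS = bytes(range(16)), bytes(range(16, 32))


def kdf(key, *params):
    # Stand-in for the page's KDF and f2 (assumption): HMAC-SHA256 over length-prefixed inputs.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()

def derive_ks_xx_naf(k_amf, nonce1, mbsf_id):  # Fig. 5: no Ks in request, AMF derives from KAMF
    return kdf(k_amf, b"gba_xx_NAF", nonce1, SUPI, mbsf_id)

def derive_ks_ext_naf(ks, nonce1, mbsf_id):  # Fig. 6: Ks in request, MBSF derives it itself
    return kdf(ks, b"gba-me", nonce1, SUPI, mbsf_id)

def derive_mrk_muk(ks_xx_naf):  # page only says MRK/MUK come from Ks_xx_NAF; labels assumed
    return kdf(ks_xx_naf, b"MRK"), kdf(ks_xx_naf, b"MUK")

def f2(mrk, nonce, b_tid):
    return kdf(mrk, b"f2", nonce, b_tid)


class Terminal:
    def __init__(self, trusted_mbsf_ids):
        self.trusted = set(trusted_mbsf_ids)

    def registration_request(self, service_id, include_ks):
        # Step 510/610: B-TID, MBS Service ID and, in the Fig. 6 variant, Ks.
        return {"B-TID": B_TID, "MBS Service ID": service_id, "Ks": KS if include_ks else None}

    def on_challenge(self, mbsf_id, nonce1, include_ks):
        # Step 560/650: check MBSF_ID first, then derive keys and answer with RES and nonce2.
        if mbsf_id not in self.trusted:
            return None
        if include_ks:
            ks_naf = derive_ks_ext_naf(KS, nonce1, mbsf_id)
        else:
            ks_naf = derive_ks_xx_naf(K_AMF, nonce1, mbsf_id)
        self.mrk, self.muk = derive_mrk_muk(ks_naf)
        self.nonce2 = secrets.token_bytes(16)  # 16-octet second random number
        return f2(self.mrk, nonce1, B_TID), self.nonce2

    def on_res_star(self, res_star):
        # Step 5100/680: check the MBSF's answer to the terminal's own challenge nonce2.
        return hmac.compare_digest(res_star, f2(self.mrk, self.nonce2, B_TID))


class Amf:
    def __init__(self, b_tid_valid=True):
        self.b_tid_valid = b_tid_valid

    def forward_request(self, req):
        # Step 520/620: forward only while the B-TID and its key are within validity.
        return dict(req) if req["B-TID"] == B_TID and self.b_tid_valid else None


class Mbsf:
    def on_request(self, req):
        # Step 530/630: remember B-TID and Ks (if any), issue a fresh 16-octet nonce1.
        self.b_tid, self.ks, self.ks_naf = req["B-TID"], req["Ks"], None
        self.nonce1 = secrets.token_bytes(16)
        return MBSF_ID, self.nonce1

    def verify_res(self, res, nonce2):
        # Step 590/670: derive MRK/MUK, verify RES in constant time, answer with RES* or None.
        if self.ks is not None:
            self.ks_naf = derive_ks_ext_naf(self.ks, self.nonce1, MBSF_ID)
        self.mrk, self.muk = derive_mrk_muk(self.ks_naf)
        if not hmac.compare_digest(res, f2(self.mrk, self.nonce1, self.b_tid)):
            return None
        return f2(self.mrk, nonce2, self.b_tid)


def run_registration(include_ks, b_tid_valid=True, trusted=(MBSF_ID,), tamper=False):
    # Drive one exchange; True only if both sides authenticated and share the same MUK.
    ue, amf, mbsf = Terminal(trusted), Amf(b_tid_valid), Mbsf()
    req = amf.forward_request(ue.registration_request(b"svc-42", include_ks))
    if req is None:
        return False
    mbsf_id, nonce1 = mbsf.on_request(req)
    if not include_ks:
        mbsf.ks_naf = derive_ks_xx_naf(K_AMF, nonce1, mbsf_id)  # steps 540/570 at the AMF
    challenge = ue.on_challenge(mbsf_id, nonce1, include_ks)
    if challenge is None:
        return False
    res, nonce2 = challenge
    if tamper:  # a RES altered in transit must be rejected by the MBSF
        res = bytes([res[0] ^ 0x01]) + res[1:]
    res_star = mbsf.verify_res(res, nonce2)
    return res_star is not None and ue.on_res_star(res_star) and ue.muk == mbsf.muk
```

The request authentication process of Fig. 7 that follows has the same challenge-response shape, with the sixth and seventh key information in place of the third and fourth.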
Request authentication process
Fig. 7 shows a flowchart of a request authentication process provided by an exemplary embodiment of the present application. The method includes:
Step 710: the terminal device sends a first verification request to the mobile network control plane.
The first verification request is used to request the first key.
Step 720: the mobile network control plane sends the first verification request to the control plane of the first network element.
After receiving the first verification request from the terminal device, the mobile network control plane forwards it to the control plane of the first network element.
Optionally, the first verification request forwarded by the mobile network control plane and received by the control plane of the first network element does not include eighth key information, the eighth key information being used to derive sixth key information; or, the forwarded first verification request received by the control plane of the first network element includes the eighth key information.
After receiving the first verification request, the control plane of the first network element verifies it. If the verification succeeds, the procedure jumps to step 7100; if it fails, the procedure goes to step 730 and performs steps 730 to 790.
Step 730: the control plane of the first network element sends the first network element identifier and a third random number to the mobile network control plane.
Optionally, the first network element identifier uniquely identifies the first network element. The third random number is a 16-octet random number generated at the control plane of the first network element.
Step 740: the mobile network control plane sends the first network element identifier and the third random number to the terminal device.
After receiving the first network element identifier and the third random number from the control plane of the first network element, the mobile network control plane forwards them to the terminal device.
Step 750: the terminal device determines third digest information.
The third digest information is verification information generated by the terminal device from the received third random number.
Optionally, after receiving the first network element identifier and the third random number, the terminal device first confirms the identity of the first network element from the first network element identifier and determines that the first network element is the server required for the MBS service.
Optionally, the terminal determines the third digest information as follows: determine sixth key information from the first network element identifier and the third random number, determine seventh key information from the sixth key information, and determine the third digest information from the seventh key information and the third random number.
Step 760: the terminal device sends the third digest information and a fourth random number to the control plane of the first network element.
Optionally, the fourth random number is a 16-octet random number generated at the terminal device.
Step 770: the control plane of the first network element verifies the third digest information.
The control plane of the first network element verifies the third digest information using the seventh key information.
Optionally, the verification includes: the control plane of the first network element computes the seventh key information from the sixth key information, and then verifies the third digest information using the third random number and the seventh key information.
Optionally, the sixth key information is a shared key between the terminal device and the control plane of the first network element; it is derived from the eighth key information and is used to derive the seventh key information.
In one implementation, if the service registration request forwarded by the mobile network control plane and received by the control plane of the first network element does not include the eighth key information, the mobile network control plane computes the sixth key information and sends it to the control plane of the first network element, which receives it. In another implementation, if the forwarded service registration request includes the eighth key information, the control plane of the first network element computes the sixth key information from the eighth key information.
Step 780: the control plane of the first network element sends fourth digest information.
The fourth digest information is generated by the control plane of the first network element from the fourth random number.
When the first network element verifies the third digest information successfully, the control plane of the first network element sends the fourth digest information to the terminal device. Optionally, the control plane of the first network element also sends the second verification success message.
步骤790,终端设备验证第四摘要信息。Step 790: The terminal device verifies the fourth summary information.
终端设备接收第一网元控制面反馈的第四摘要信息。终端设备根据第四随机数,对第四摘要信息进行验证,若验证成功,则完成终端设备的服务注册流程。The terminal device receives the fourth summary information fed back from the control plane of the first network element. The terminal device verifies the fourth summary information according to the fourth random number, and if the verification is successful, the service registration process of the terminal device is completed.
步骤7100,第一网元控制面发送第二验证成功消息。Step 7100: The control plane of the first network element sends a second verification success message.
第二验证成功消息用于指示第一验证请求验证成功。The second verification success message is used to indicate that the first verification request is successfully verified.
In the following, the above request authentication process is described by way of example with the mobile network control plane including the AMF and the first network element control plane including the MBSF.
After service registration is completed, if the terminal device wishes to join an MBS session, the terminal device sends an MSK request to the MBSF. Specifically, depending on whether the request message received by the MBSF contains Ks, two different cases trigger the request authentication process for the service key MSK.
With reference to Fig. 8, Fig. 8 shows a flowchart of a method for the request authentication process provided by an exemplary embodiment of the present application. In this embodiment, the first verification request does not include Ks (that is, the eighth key information), and the method includes:
Step 810: The terminal device sends a first verification request to the AMF.
The first verification request contains B-TID and MSK ID, where B-TID represents the identity information generated by the terminal device through the GBA mechanism, and MSK ID is the MSK key ID.
Step 820: The AMF sends the first verification request to the MBSF.
After receiving the first verification request from the terminal device, the AMF first checks the validity period of the B-TID; when it determines that the B-TID is within its validity period and that the key corresponding to the B-TID is also within its validity period, it forwards the first verification request to the MBSF. The forwarded first verification request contains B-TID and MSK ID, where B-TID represents the identity information generated by the terminal device through the GBA mechanism, and MSK ID is the MSK key ID.
After receiving the first verification request, the MBSF checks whether Ks_xx_NAF has expired. If it has not expired, the flow jumps to step 8110; if it has expired, the flow jumps to step 830 and executes steps 830 to 8100.
Step 830: The MBSF sends MBSF_ID and nonce1 to the AMF.
After receiving the service authentication request forwarded by the AMF, the MBSF sends MBSF_ID (that is, the first network element identifier) and nonce1 (that is, the third random number) to the AMF, where MBSF_ID is the identity information of the MBSF and nonce1 is a random number.
Step 840: The AMF calculates Ks_xx_NAF.
After receiving the above message, the AMF calculates the key Ks_xx_NAF (that is, the sixth key information) according to the random number nonce1.
Optionally, Ks_xx_NAF=KDF(KAMF,"gba_xx_NAF",nonce1,SUPI,MBSF_ID), where KAMF is the shared key between the terminal device and the AMF, "gba_xx_NAF" is a GBA process parameter, SUPI is the user's real identity, nonce1 is a random number, and MBSF_ID is the identity information of the MBSF.
Optionally, the AMF also calculates the user key file, the bootstrapping time and the key period.
Step 850: The AMF forwards the received MBSF_ID and nonce1 to the terminal device.
MBSF_ID is the identity information of the MBSF, and nonce1 is a random number.
Step 860: The terminal device calculates MRK and MUK.
After receiving the message forwarded by the AMF, the terminal device first checks MBSF_ID to verify whether this MBSF is the server from which it needs to receive multicast messages. If the verification succeeds, the terminal device calculates MRK (that is, the seventh key information) and MUK according to Ks_xx_NAF.
Step 870: The AMF sends the calculated Ks_xx_NAF to the MBSF.
Optionally, the AMF also sends the calculated user key file, bootstrapping time and key period to the MBSF.
Step 880: The terminal device calculates and sends the digest RES and the random number nonce2.
Optionally, RES=f2(MRK,nonce1,B-TID) (that is, the third digest information), and nonce2 is the fourth random number.
Step 890: The MBSF calculates MRK and MUK and verifies the digest.
The MBSF calculates MRK and MUK according to the Ks_xx_NAF received from the AMF, and then uses the calculated MRK and MUK to verify whether the digest RES of the terminal device is valid.
Step 8100: The MBSF calculates and sends the digest RES*.
If the RES verification succeeds, the MBSF sends a verification success indication to the terminal device, calculates the digest RES*=f2(MRK,nonce2,B-TID), and sends RES* (that is, the fourth digest information) to the terminal device in response to the terminal device's challenge. This completes the request authentication process of the terminal device.
Step 8110: The MBSF sends a verification success indication to the terminal device.
With reference to Fig. 9, Fig. 9 shows a flowchart of a method for the request authentication process provided by an exemplary embodiment of the present application. In this embodiment, the first verification request includes Ks (that is, the eighth key information), and the method includes:
Step 910: The terminal device sends a first verification request to the AMF.
The first verification request contains B-TID and MSK ID, where B-TID represents the identity information generated by the terminal device through the GBA mechanism, and MSK ID is the MSK key ID.
Step 920: The AMF sends the first verification request to the MBSF.
After receiving the first verification request from the terminal device, the AMF first checks the validity period of the B-TID; when it determines that the B-TID is within its validity period and that the key corresponding to the B-TID is also within its validity period, it forwards the first verification request to the MBSF. The forwarded first verification request contains B-TID, MSK ID and Ks, where B-TID represents the identity information generated by the terminal device through the GBA mechanism, MSK ID is the MSK key ID, and Ks is the shared key formed between the terminal device and the network side on the basis of the GBA mechanism.
After receiving the first verification request, the MBSF checks whether Ks_xx_NAF has expired. If it has not expired, the flow jumps to step 990; if it has expired, the flow jumps to step 930 and executes steps 930 to 980.
Step 930: The MBSF sends MBSF_ID and nonce1 to the AMF.
After receiving the first verification request forwarded by the AMF, the MBSF sends MBSF_ID (that is, the first network element identifier) and nonce1 (that is, the third random number) to the AMF, where MBSF_ID is the identity information of the MBSF and nonce1 is a random number.
Step 940: The AMF forwards the received MBSF_ID and nonce1 to the terminal device.
MBSF_ID is the identity information of the MBSF, and nonce1 is a random number.
Step 950: The terminal device calculates MRK and MUK.
After receiving the message forwarded by the AMF, the terminal device first checks MBSF_ID to verify whether this MBSF is the server from which it needs to receive multicast messages. If the verification succeeds, the terminal device calculates MRK (that is, the seventh key information) and MUK according to Ks_xx_NAF (that is, the sixth key information).
Optionally, Ks_xx_NAF is one of Ks_ext_NAF and Ks_int_NAF. Specifically, Ks_ext_NAF=KDF(Ks,"gba-me",nonce1,SUPI,MBSF_ID) and Ks_int_NAF=KDF(Ks,"gba-u",nonce1,SUPI,MBSF_ID), where Ks is the shared key formed between the terminal device and the network side on the basis of the GBA mechanism, "gba-me" and "gba-u" are GBA process parameters, nonce1 is a random number, SUPI is the user's real identity, and MBSF_ID is the identity information of the MBSF.
Step 960: The terminal device calculates and sends the digest RES and the random number nonce2.
Optionally, RES=f2(MRK,nonce1,B-TID) (that is, the third digest information), and nonce2 is the fourth random number.
Step 970: The MBSF calculates MRK and MUK and verifies the digest.
The MBSF first calculates Ks_xx_NAF, then calculates MRK and MUK according to Ks_xx_NAF, and then uses the calculated MRK and MUK to verify whether the digest RES of the terminal device is valid.
Step 980: The MBSF calculates and sends the digest RES*.
If the verification succeeds, the MBSF sends a verification success indication to the terminal device, calculates the digest RES*=f2(MRK,nonce2,B-TID), and sends RES* (that is, the fourth digest information) to the terminal device in response to the terminal device's challenge. This completes the request authentication process of the terminal device.
Step 990: The MBSF sends a verification success indication to the terminal device.
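As an added worked example (it is not part of the patent and not the applicant's code), the following Python simulation runs the MSK request authentication of Fig. 9 through all three parties: the AMF's B-TID validity check, the terminal's MBSF_ID check, the derivation of Ks_ext_NAF and MRK/MUK, and the RES/RES* challenge-response in both directions. KDF and f2 are instantiated as HMAC-SHA256, and the MRK/MUK labels, the forwarding of SUPI alongside the request, and all sample values are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def kdf(key, *args):
    # Assumption: KDF is HMAC-SHA256 over length-prefixed arguments (the page leaves KDF abstract)
    parts = [a.encode() if isinstance(a, str) else a for a in args]
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def f2(mrk, nonce, b_tid):
    # Assumption: the digest function f2 is instantiated the same way
    return kdf(mrk, "f2", nonce, b_tid)

def derive_mrk_muk(ks_xx_naf):
    # Assumption: MRK and MUK are derived from Ks_xx_NAF with distinct labels
    return kdf(ks_xx_naf, "MRK"), kdf(ks_xx_naf, "MUK")

@dataclass
class Terminal:
    supi: str
    b_tid: str
    ks: bytes                 # GBA shared key Ks
    expected_mbsf_id: str     # the multicast server this UE intends to use
    nonce2: bytes = b""
    mrk: bytes = b""
    muk: bytes = b""

    def msk_request(self, msk_id):                 # step 910
        return {"B-TID": self.b_tid, "MSK ID": msk_id}

    def challenge_response(self, mbsf_id, nonce1):  # steps 950 and 960
        if mbsf_id != self.expected_mbsf_id:
            raise ValueError("MBSF_ID is not the expected multicast server")
        ks_ext_naf = kdf(self.ks, "gba-me", nonce1, self.supi, mbsf_id)
        self.mrk, self.muk = derive_mrk_muk(ks_ext_naf)
        self.nonce2 = os.urandom(16)               # fourth random number
        return f2(self.mrk, nonce1, self.b_tid), self.nonce2   # RES, nonce2

    def verify_res_star(self, res_star):           # UE side of step 980
        return hmac.compare_digest(res_star, f2(self.mrk, self.nonce2, self.b_tid))

@dataclass
class AMF:
    bootstrap: dict   # constructed GBA table: B-TID -> {"ks", "supi", "valid"}

    def forward_request(self, req):                # step 920
        entry = self.bootstrap.get(req["B-TID"])
        if entry is None or not entry["valid"]:
            raise PermissionError("B-TID or its key is outside the validity period")
        # Assumption: SUPI travels with the request, since the KDF input needs it
        return {**req, "Ks": entry["ks"], "SUPI": entry["supi"]}

@dataclass
class MBSF:
    mbsf_id: str
    naf_keys: dict = field(default_factory=dict)   # B-TID -> {"key", "expired"}
    pending: dict = field(default_factory=dict)    # B-TID -> (request, nonce1)

    def handle_request(self, req):                 # receive side of step 920
        cached = self.naf_keys.get(req["B-TID"])
        if cached is not None and not cached["expired"]:
            return "success", None                 # step 990: no new challenge
        nonce1 = os.urandom(16)                    # third random number
        self.pending[req["B-TID"]] = (req, nonce1)
        return "challenge", (self.mbsf_id, nonce1)  # step 930

    def verify_res(self, b_tid, res, nonce2):      # steps 970 and 980
        req, nonce1 = self.pending.pop(b_tid)
        ks_ext_naf = kdf(req["Ks"], "gba-me", nonce1, req["SUPI"], self.mbsf_id)
        mrk, _ = derive_mrk_muk(ks_ext_naf)
        if not hmac.compare_digest(res, f2(mrk, nonce1, b_tid)):
            return None                            # RES rejected: no RES* is issued
        self.naf_keys[b_tid] = {"key": ks_ext_naf, "expired": False}
        return f2(mrk, nonce2, b_tid)              # RES*

def run_authentication(ue, amf, mbsf, msk_id="MSK-1"):
    """Drives one MSK request through AMF and MBSF and returns the outcome."""
    kind, payload = mbsf.handle_request(amf.forward_request(ue.msk_request(msk_id)))
    if kind == "success":
        return "cached"                            # Ks_xx_NAF still valid
    mbsf_id, nonce1 = payload                      # forwarded unchanged (step 940)
    try:
        res, nonce2 = ue.challenge_response(mbsf_id, nonce1)
    except ValueError:
        mbsf.pending.pop(ue.b_tid, None)
        return "mbsf-id-rejected"
    res_star = mbsf.verify_res(ue.b_tid, res, nonce2)
    if res_star is None:
        return "ue-rejected"
    return "mutual" if ue.verify_res_star(res_star) else "mbsf-rejected"
```

A second request with an unexpired Ks_xx_NAF takes the step 990 shortcut, while a terminal holding the wrong Ks, a terminal that does not recognise MBSF_ID, or a B-TID outside its validity period is stopped at the corresponding check.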
Key delivery process
Fig. 10 shows a flowchart of a method for the key distribution process provided by an exemplary embodiment of the present application. The method includes:
Step 1010: The control plane of the first network element sends the first key to the terminal device.
Optionally, the first key is used to encrypt the second key.
Step 1020: The terminal device sends a first confirmation message to the control plane of the first network element.
The first confirmation message is used to indicate that the terminal device has received the first key successfully.
Step 1030: The control plane of the first network element sends the first key to the user plane of the first network element.
Step 1040: The control plane of the first network element sends the second key to the terminal device.
Optionally, the second key is used to encrypt MBS service data transmission.
Step 1050: The terminal device sends a second confirmation message to the control plane of the first network element.
The second confirmation message is used to indicate that the terminal device has received the second key successfully.
Step 1060: The control plane of the first network element sends the second key to the user plane of the first network element.
Optionally, after receiving the delivered second key, the user plane of the first network element encrypts data with the second key and sends the data to the terminal device.
In the following, the above key delivery process is described by way of example with the first network element control plane including the MBSF and the first network element user plane including the MBSU.
After the MBSF and the terminal device have authenticated each other successfully, the MBSF stores the terminal device information to indicate that the terminal device has been authenticated. The MSK and MTK distribution processes are then executed in turn, as shown in Fig. 11. After delivery is complete, the MBSU encrypts the multicast data with the traffic key MTK, and the data is forwarded by the multimedia multicast user plane function MB-UPF.
With reference to Fig. 11, Fig. 11 shows a flowchart of a method for the key distribution process provided by an exemplary embodiment of the present application.
Step 1110: The MBSF generates an MSK for the MSK_ID of the successful MSK request.
After the MBSF has successfully authenticated the MSK request (that is, the first verification request) of the terminal device, the MBSF generates the service key MSK for the MSK_ID of the successful MSK request.
Step 1120: The MBSF delivers the MSK to the terminal device.
The MSK is encrypted and protected by the MUK.
Step 1130: When the terminal device receives the MSK successfully, the terminal device returns an ACK to the MBSF.
Optionally, when the terminal device does not receive the MSK successfully, the terminal device returns a NACK to the MBSF, and the MBSF needs to deliver the MSK to the terminal device again.
Step 1140: The MBSF delivers the MSK to the MBSU.
The delivered MSK includes the MSK and the corresponding MSK_ID.
Step 1150: The MBSF generates an MTK_ID and the corresponding MTK.
The MTK is used to encrypt multicast data.
Step 1160: The MBSF delivers the MTK to the terminal device.
The MTK is protected by the MSK.
Step 1170: When the terminal device receives the MTK successfully, the terminal device returns an ACK to the MBSF.
Optionally, when the terminal device does not receive the MTK successfully, the terminal device returns a NACK to the MBSF, and the MBSF needs to deliver the MTK to the terminal device again.
Step 1180: The MBSF delivers the MTK to the MBSU.
Optionally, the MBSF instructs the MBSU to encrypt the multicast data with the delivered traffic key MTK, which completes the delivery process of the MSK and the MTK.
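The MSK and MTK delivery of Fig. 11, as an added example that is not part of the patent: the MBSF delivers the MSK under the MUK and the MTK under the MSK, resends on NACK, hands each key to the MBSU only after the terminal's ACK, and the MBSU then encrypts multicast data under the MTK so that only a terminal holding that MTK can decrypt it. The encrypt-then-MAC construction standing in for the unspecified protection function, the retry bound and the sample values are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _keystream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode. The page names no cipher for
    # protecting MSK, MTK or multicast data, so this stand-in is an assumption.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def protect(key, label, plaintext):
    # Encrypt-then-MAC under `key`; returns (nonce, ciphertext, tag)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce, ct, hmac.new(key, label + nonce + ct, hashlib.sha256).digest()

def unprotect(key, label, blob):
    # Returns the plaintext, or None when the tag does not verify under `key`
    nonce, ct, tag = blob
    if not hmac.compare_digest(tag, hmac.new(key, label + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class UE:
    muk: bytes                  # user key obtained during request authentication
    nacks_left: int = 0         # constructed: NACK this many deliveries (simulated loss)
    msk: dict = field(default_factory=dict)
    mtk: dict = field(default_factory=dict)

    def receive_msk(self, msk_id, blob):            # step 1130
        if self.nacks_left:
            self.nacks_left -= 1
            return "NACK"
        key = unprotect(self.muk, b"MSK", blob)     # MSK is protected by MUK
        if key is None:
            return "NACK"
        self.msk[msk_id] = key
        return "ACK"

    def receive_mtk(self, msk_id, mtk_id, blob):    # step 1170
        msk = self.msk.get(msk_id)
        key = unprotect(msk, b"MTK", blob) if msk else None   # MTK is protected by MSK
        if key is None:
            return "NACK"
        self.mtk[mtk_id] = key
        return "ACK"

    def decrypt_multicast(self, mtk_id, blob):
        return unprotect(self.mtk[mtk_id], b"DATA", blob) if mtk_id in self.mtk else None

@dataclass
class MBSU:
    msk: dict = field(default_factory=dict)
    mtk: dict = field(default_factory=dict)

    def encrypt_multicast(self, mtk_id, data):      # MBSU encrypts with the traffic key
        return protect(self.mtk[mtk_id], b"DATA", data)

@dataclass
class MBSF:
    authenticated: dict         # ue_id -> MUK, for UEs whose MSK request succeeded
    msk: dict = field(default_factory=dict)
    mtk: dict = field(default_factory=dict)
    deliveries: int = 0         # counts every delivery attempt, including resends

    def _deliver(self, receive, max_attempts=3):
        # Resend on NACK; the page sets no retry bound, so 3 attempts is an assumption
        for _ in range(max_attempts):
            self.deliveries += 1
            if receive() == "ACK":
                return True
        return False

    def distribute(self, ue_id, ue, mbsu, msk_id):
        muk = self.authenticated.get(ue_id)
        if muk is None:
            return "not-authenticated"
        self.msk[msk_id] = os.urandom(32)                       # step 1110
        if not self._deliver(lambda: ue.receive_msk(            # steps 1120, 1130
                msk_id, protect(muk, b"MSK", self.msk[msk_id]))):
            return "msk-failed"
        mbsu.msk[msk_id] = self.msk[msk_id]                     # step 1140
        mtk_id = f"{msk_id}/MTK-{len(self.mtk) + 1}"
        self.mtk[mtk_id] = os.urandom(32)                       # step 1150
        if not self._deliver(lambda: ue.receive_mtk(            # steps 1160, 1170
                msk_id, mtk_id, protect(self.msk[msk_id], b"MTK", self.mtk[mtk_id]))):
            return "mtk-failed"
        mbsu.mtk[mtk_id] = self.mtk[mtk_id]                     # step 1180
        return mtk_id
```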
Fig. 12 shows a network deployment diagram including a multicast service function provided by an exemplary embodiment of the present application.
The terminal device is connected to the 5G-RAN through the Uu interface; the 5G-RAN is connected to the UPF through the N3 interface; the 5G-RAN is connected to the AMF through the N2 interface; the UPF is connected to the MBSU through the N6 interface; the AMF is connected to the MBSF through the N6mb-c interface; and the MBSU is connected to the MBSF through the Ny interface.
Under the network deployment shown in Fig. 12, Fig. 13 shows a system architecture diagram including a multicast service function provided by an exemplary embodiment of the present application.
The UE, as the user equipment, applies for registration of the MBS service in the 5G network, requests the MSK, and is the object of key distribution.
The 5G-RAN, as the 5G access network, connects the terminal device with the network side.
The AMF is the access and mobility management function in the 5G core network and is deployed together with the SEAF. It is mainly responsible for the GBA server function and, in the MBS service flow, for initiating authentication of the MBS server or forwarding authentication requests.
The MBSF is the multicast broadcast service function and serves as the MBS server in this architecture. It is a new network function that handles the control plane signalling part in order to support the service layer functions in transport-only mode and full-service mode. It is mainly responsible for mutual authentication with the UE in the MBS service registration process and the MSK request authentication process and, in the key distribution process, for generating the service key MSK and the traffic key MTK for a UE that has successfully applied for the service key MSK.
The MBSU is the multicast broadcast service user plane, a new entity and new network function that handles the payload part to support the service layer functions. It is mainly responsible for encrypting the multicast data with the traffic key MTK; the data is then forwarded by the multimedia multicast user plane function MB-UPF.
In the following, under the network deployment shown in Fig. 12, the parameters and network elements involved in each process of the above embodiments are described.
Service registration process
Table 1-1: Meaning of the service registration process parameters
[Table 1-1 is provided in the original as image PCTCN2020086771-appb-000001 and is not reproduced as text.]
Table 1-2: Functions of each network element in the service registration process
[Table 1-2 is provided in the original as image PCTCN2020086771-appb-000002 and is not reproduced as text.]
Request authentication process
Table 2-1: Meaning of the request authentication process parameters
[Table 2-1 is provided in the original as images PCTCN2020086771-appb-000003 and PCTCN2020086771-appb-000004 and is not reproduced as text.]
Table 2-2: Functions of each network element in the request authentication process
[Table 2-2 is provided in the original as image PCTCN2020086771-appb-000005 and is not reproduced as text.]
Key distribution process
Table 3-1: Meaning of the key distribution process parameters
Parameter name    Parameter meaning
MSK               Service key, mainly used to encrypt the MTK.
MSK ID            MSK key ID, used to identify the MSK.
MRK               Request key, mainly used to authenticate the UE when the UE requests a key.
MUK               User key, mainly used to encrypt the MSK.
MTK               Traffic key, mainly used to encrypt MBS service data transmission.
MTK ID            MTK key ID, used to identify the MTK.
Table 3-2: Functions of each network element in the key distribution process
[Table 3-2 is provided in the original as image PCTCN2020086771-appb-000006 and is not reproduced as text.]
图14示出了本申请一个示例性实施例提供的多媒体广播组播服务认证装置的结构框图,装置包括:收发模块1410;FIG. 14 shows a structural block diagram of a multimedia broadcast multicast service authentication device provided by an exemplary embodiment of the present application. The device includes: a transceiver module 1410;
收发模块1410,被配置为通过移动网络控制面与第一网元控制面之间通过NAS消息进行交互,交互用于完成以下至少一个流程:服务注册流程、请求认证流程、密钥分发流程;The transceiver module 1410 is configured to interact with the control plane of the first network element through the mobile network control plane through NAS messages, and the interaction is used to complete at least one of the following processes: service registration process, request authentication process, and key distribution process;
服务注册流程、请求认证流程、密钥分发流程中的至少一项用于MBMS业务。At least one of the service registration process, the request authentication process, and the key distribution process is used for the MBMS service.
可选地,收发模块1410包括发送子模块1411、接收子模块1412、确定子模块1413和验证子模块1414。Optionally, the transceiver module 1410 includes a sending sub-module 1411, a receiving sub-module 1412, a determining sub-module 1413, and a verification sub-module 1414.
在一个可选的实施例中,发送子模块1411,被配置为将与第一网元控制面之间交互的内容添加到容器中,通过移动网络控制面传送容器。In an optional embodiment, the sending submodule 1411 is configured to add content interacted with the control plane of the first network element to the container, and transmit the container through the mobile network control plane.
在一个可选的实施例中,发送子模块1411,被配置为向移动网络控制面发送服务注册请求,服务注册请求用于对终端设备进行注册;接收子模块1412,被配置为在第一网元控制面接收到移动网络控制面转发的服务注册请求后,接收第一网元控制面发送的第一验证成功消息,第一验证成功消息用于指示服务注册请求对应的服务注册流程成功。In an optional embodiment, the sending submodule 1411 is configured to send a service registration request to the mobile network control plane, and the service registration request is used to register the terminal device; the receiving submodule 1412 is configured to be on the first network After receiving the service registration request forwarded by the mobile network control plane, the meta control plane receives the first verification success message sent by the first network element control plane, where the first verification success message is used to indicate that the service registration process corresponding to the service registration request is successful.
在一个可选的实施例中,发送子模块1411,被配置为向移动网络控制面发送第一验证请求,第一验证请求用于请求获取第一密钥;接收子模块1412,被配置为在第一网元控制面接收到移动网络控制面转发的第一验证请求后,接收第一网元控制面发送的第二验证成功消息,第二验证成功消息用于指示第一验证请求验证成功。In an optional embodiment, the sending submodule 1411 is configured to send a first verification request to the mobile network control plane, the first verification request is used to request to obtain the first key; the receiving submodule 1412 is configured to After receiving the first verification request forwarded by the mobile network control plane, the first network element control plane receives a second verification success message sent by the first network element control plane, where the second verification success message is used to indicate that the first verification request is successfully verified.
在一个可选的实施例中,接收子模块1412,被配置为接收第一网元控制面发送的第一密钥和第二密钥;第一密钥用于保护第二密钥,第二密钥用于终端设备和第一网元用户面之间的数据传输。In an optional embodiment, the receiving submodule 1412 is configured to receive the first key and the second key sent by the control plane of the first network element; the first key is used to protect the second key, and the second key is used to protect the second key. The key is used for data transmission between the terminal device and the user plane of the first network element.
在一个可选的实施例中,接收子模块1412,被配置为接收移动网络控制面从第一网元控制面处转发的第一网元标识和第一随机数;确定子模块1413,被配置为根据第一网元标识,确定第一网元是需要MBS服务的服务器;确定子模块1413,被配置为根据第一网元标识和第一随机数,确定第三密钥信息,根据第三密钥信息确定第四密钥信息,根据第四密钥信息和第一随机数确定第一摘要信息;发送子模块1411,被配置为向第一网元控制面发送第一摘要信息和第二随机数。In an optional embodiment, the receiving submodule 1412 is configured to receive the first network element identifier and the first random number forwarded by the mobile network control plane from the first network element control plane; the determining submodule 1413 is configured In order to determine that the first network element is a server requiring MBS services based on the first network element identifier; the determining submodule 1413 is configured to determine the third key information according to the first network element identifier and the first random number, and according to the third The key information determines the fourth key information, and the first digest information is determined according to the fourth key information and the first random number; the sending submodule 1411 is configured to send the first digest information and the second digest information to the control plane of the first network element. random number.
在一个可选的实施例中,接收子模块1412,被配置为接收第一网元控制面反馈的第二摘要信息,第二摘要信息是第一网元控制面根据第二随机数生成的;验证子模块1414,被配置为对第二摘要信息进行验证,完成终端设备的服务注册流程。In an optional embodiment, the receiving submodule 1412 is configured to receive second summary information fed back by the control plane of the first network element, where the second summary information is generated by the control plane of the first network element according to the second random number; The verification submodule 1414 is configured to verify the second summary information and complete the service registration process of the terminal device.
在一个可选的实施例中,第一网元控制面接收到的移动网络控制面转发的服务注册请求未包括第五密钥信息,第五密钥信息用于派生第三密钥信息;或,第一网元控制面接收到的移动网络控制面转发的服务注册请求包括第五密钥信息。In an optional embodiment, the service registration request forwarded by the mobile network control plane received by the first network element control plane does not include the fifth key information, and the fifth key information is used to derive the third key information; or , The service registration request forwarded by the mobile network control plane received by the control plane of the first network element includes the fifth key information.
在一个可选的实施例中,接收子模块1412,被配置为在第一验证请求验证成功的情况下,接收第一网元控制面发送的第二验证成功消息。In an optional embodiment, the receiving sub-module 1412 is configured to receive a second verification success message sent by the control plane of the first network element when the first verification request is successfully verified.
In an optional embodiment, the receiving submodule 1412 is configured to, when verification of the first verification request fails, receive the first network element identifier and a third random number forwarded by the mobile network control plane from the first network element control plane; the determining submodule 1413 is configured to determine, from the first network element identifier, that the first network element is a server that requires the MBS service; the determining submodule 1413 is configured to determine sixth key information from the first network element identifier and the third random number, determine seventh key information from the sixth key information, and determine third digest information from the seventh key information and the third random number; the sending submodule 1411 is configured to send the third digest information and a fourth random number to the first network element control plane.
In an optional embodiment, the receiving submodule 1412 is configured to receive fourth digest information fed back by the first network element control plane, the fourth digest information being generated by the first network element control plane from the fourth random number; the verification submodule 1414 is configured to verify the fourth digest information successfully, completing the verification process of the first verification request of the terminal device.
In an optional embodiment, the first verification request forwarded by the mobile network control plane and received by the first network element control plane does not include eighth key information, the eighth key information being used to derive the sixth key information; or, the first verification request forwarded by the mobile network control plane and received by the first network element control plane includes the eighth key information.
In an optional embodiment, the sending submodule 1411 is configured to feed back a first confirmation message to the first network element control plane, the first confirmation message indicating that the terminal device received the first key successfully; the sending submodule 1411 is configured to feed back a second confirmation message to the first network element control plane, the second confirmation message indicating that the terminal device received the second key successfully.
In an optional embodiment, the mobile network control plane includes at least one of an AMF network element, an SMF network element, an AUSF network element and a SEAF network element; the first network element control plane includes an MBSF network element.
FIG. 15 shows a structural block diagram of a multimedia broadcast multicast service authentication apparatus provided by an exemplary embodiment of the present application. The apparatus includes a mobile network control plane module 1501, a first network element control plane module 1502 and a first network element user plane module 1503;
the first network element control plane module 1502 interacts with the terminal device by means of NAS messages via the mobile network control plane module 1501, the interaction being used to complete at least one of the following procedures: a service registration procedure, a request authentication procedure and a key distribution procedure;
at least one of the service registration procedure, the request authentication procedure and the key distribution procedure is used for the MBMS service.
In an optional embodiment, the first network element control plane module 1502 adds the content exchanged with the terminal device to a container and transmits the container through the mobile network control plane module 1501.
In an optional embodiment, the mobile network control plane module 1501 is configured to receive a service registration request sent by the terminal device, the service registration request being used to register the terminal device; the mobile network control plane module 1501 is configured to forward the service registration request to the first network element control plane module 1502; the first network element control plane module 1502 is configured to send a first verification success message to the terminal device, the first verification success message indicating that the registration procedure corresponding to the service registration request succeeded.
In an optional embodiment, the mobile network control plane module 1501 is configured to receive a first verification request sent by the terminal device, the first verification request being used to request the first key; the mobile network control plane module 1501 is configured to forward the first verification request to the first network element control plane module 1502; the first network element control plane module 1502 is configured to send a second verification success message to the terminal device, the second verification success message indicating that the first verification request was verified successfully.
In an optional embodiment, the first network element control plane module 1502 is configured to send the first key and the second key to the terminal device and to the first network element user plane module 1503; the first key is used to protect the second key, and the second key is used for data transmission between the terminal device and the first network element user plane module 1503.
In an optional embodiment, the first network element control plane module 1502 is configured to send the first network element identifier and a first random number to the mobile network control plane module 1501; the mobile network control plane module 1501 is configured to forward the first network element identifier and the first random number to the terminal device; the first network element control plane module 1502 is configured to receive first digest information and a second random number sent by the terminal device, the first digest information being generated by the terminal device from the first random number; the first network element control plane module 1502 is configured to verify the first digest information using fourth key information.
In an optional embodiment, when verification of the first digest succeeds, the first network element control plane module 1502 is configured to feed back the first verification success message and second digest information to the terminal device, the second digest information being generated by the first network element control plane module 1502 from the second random number.
In an optional embodiment, the first network element control plane module 1502 is configured to compute the fourth key information from third key information; the first network element control plane module 1502 is configured to verify the first digest information using the first random number and the fourth key information.
In an optional embodiment, the service registration request forwarded by the mobile network control plane module 1501 and received by the first network element control plane module 1502 does not include fifth key information, the fifth key information being used to derive the third key information; the mobile network control plane module 1501 is configured to compute the third key information; the mobile network control plane module 1501 is configured to send the third key information to the first network element control plane module 1502; the first network element control plane module 1502 is configured to receive the third key information.
In an optional embodiment, the service registration request forwarded by the mobile network control plane module 1501 and received by the first network element control plane module 1502 includes fifth key information; the first network element control plane module 1502 is configured to compute the third key information from the fifth key information.
In an optional embodiment, the first network element control plane module 1502 is configured to verify the first verification request and, when the first verification request is verified successfully, feed back the second verification success message to the terminal device.
In an optional embodiment, the first network element control plane module 1502 is configured to verify the first verification request and, when verification of the first verification request fails, send the first network element identifier and a third random number to the mobile network control plane module 1501; the mobile network control plane module 1501 is configured to forward the first network element identifier and the third random number to the terminal device; the first network element control plane module 1502 is configured to receive third digest information and a fourth random number sent by the terminal device, the third digest information being generated by the terminal device from the third random number; the first network element control plane module 1502 is configured to verify the third digest information using seventh key information; when verification of the third digest information succeeds, the first network element control plane module 1502 is configured to feed back fourth digest information to the terminal device, the fourth digest information being generated from the fourth random number.
In an optional embodiment, the first network element control plane module 1502 is configured to compute the seventh key information from sixth key information; the first network element control plane module 1502 is configured to verify the third digest information using the third random number and the seventh key information.
In an optional embodiment, the first verification request forwarded by the mobile network control plane and received by the first network element control plane does not include eighth key information, the eighth key information being used to derive the sixth key information; the mobile network control plane module 1501 is configured to compute the sixth key information; the mobile network control plane module 1501 is configured to send the sixth key information to the first network element control plane; the first network element control plane module 1502 is configured to receive the sixth key information.
In an optional embodiment, the first verification request forwarded by the mobile network control plane and received by the first network element control plane includes eighth key information, the eighth key information being used to derive the sixth key information; the first network element control plane module 1502 is configured to compute the sixth key information from the eighth key information.
In an optional embodiment, the first network element control plane module 1502 is configured to generate the first key and deliver the first key to the terminal device; the first network element control plane module 1502 is configured to receive a first confirmation message fed back by the terminal device, the first confirmation message indicating that the terminal device received the first key successfully; the first network element control plane module 1502 is configured to deliver the first key to the first network element user plane module 1503; the first network element control plane generates the second key; the first network element control plane module 1502 is configured to deliver the second key to the terminal device; the first network element control plane module 1502 is configured to receive a second confirmation message fed back by the terminal device, the second confirmation message indicating that the terminal device received the second key successfully; the first network element control plane module 1502 is configured to deliver the second key to the first network element user plane module 1503.
In an optional embodiment, the first network element user plane module 1503 is configured to encrypt data with the second key and send the data to the terminal device.
In an optional embodiment, the mobile network control plane module 1501 includes at least one of an AMF network element module, an SMF network element module, an AUSF network element module and a SEAF network element module; the first network element control plane module 1502 includes an MBSF network element module; the first network element user plane module 1503 includes an MBSU network element module.
FIG. 16 shows a schematic structural diagram of a terminal device provided by an exemplary embodiment of the present application. The terminal device includes a processor 101, a receiver 102, a transmitter 103, a memory 104 and a bus 105.
The processor 101 includes one or more processing cores; by running software programs and modules, the processor 101 executes various functional applications and information processing.
The receiver 102 and the transmitter 103 may be implemented as one communication component, which may be a communication chip.
The memory 104 is connected to the processor 101 through the bus 105.
The memory 104 may be used to store at least one instruction, and the processor 101 is used to execute the at least one instruction to implement the steps of the foregoing method embodiments.
In addition, the memory 104 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, including but not limited to: a magnetic disk or optical disc, electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), static random access memory (SRAM), read-only memory (ROM), magnetic memory, flash memory, and programmable read-only memory (PROM).
In an exemplary embodiment, a computer-readable storage medium is further provided. The computer-readable storage medium stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by a processor to implement the multimedia broadcast multicast service authentication method executed by the terminal device as provided by the foregoing method embodiments.
A person of ordinary skill in the art can understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium may be a read-only memory, a magnetic disk, an optical disc, or the like.
The above are only optional embodiments of the present application and are not intended to limit it. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present application shall fall within the scope of protection of the present application.

Claims (67)

  1. A multimedia broadcast multicast service authentication method, characterized in that it is applied to a terminal device, the method comprising:
    the terminal device interacting with a first network element control plane through a mobile network control plane by means of non-access stratum (NAS) messages, the interaction being used to complete at least one of the following procedures: a service registration procedure, a request authentication procedure and a key distribution procedure;
    wherein at least one of the service registration procedure, the request authentication procedure and the key distribution procedure is used for a multimedia broadcast multicast service (MBMS) service.
  2. The method according to claim 1, characterized in that the terminal device interacting with the first network element control plane through the mobile network control plane by means of NAS messages comprises:
    the terminal device adding the content exchanged with the first network element control plane to a container and transmitting the container through the mobile network control plane.
  3. The method according to claim 1, characterized in that the service registration procedure comprises:
    sending a service registration request to the mobile network control plane, the service registration request being used to register the terminal device;
    after the first network element control plane receives the service registration request forwarded by the mobile network control plane, receiving a first verification success message sent by the first network element control plane, the first verification success message indicating that the service registration procedure corresponding to the service registration request succeeded.
  4. The method according to claim 1, characterized in that the request authentication procedure comprises:
    sending a first verification request to the mobile network control plane, the first verification request being used to request a first key;
    after the first network element control plane receives the first verification request forwarded by the mobile network control plane, receiving a second verification success message sent by the first network element control plane, the second verification success message indicating that the first verification request was verified successfully.
  5. The method according to claim 1, characterized in that the key distribution procedure comprises:
    receiving a first key and a second key sent by the first network element control plane;
    wherein the first key is used to protect the second key, and the second key is used for data transmission between the terminal device and a first network element user plane.
  6. The method according to claim 3, characterized in that the method further comprises:
    receiving a first network element identifier and a first random number forwarded by the mobile network control plane from the first network element control plane;
    determining, from the first network element identifier, that the first network element is a server that requires a multicast broadcast service (MBS) service;
    determining third key information from the first network element identifier and the first random number, determining fourth key information from the third key information, and determining first digest information from the fourth key information and the first random number;
    sending the first digest information and a second random number to the first network element control plane.
  7. The method according to claim 3, characterized in that the method further comprises:
    receiving second digest information fed back by the first network element control plane, the second digest information being generated by the first network element control plane from the second random number;
    verifying the second digest information, completing the service registration procedure of the terminal device.
  8. The method according to claim 6, characterized in that:
    the service registration request does not include fifth key information, the fifth key information being used to derive the third key information;
    or, the service registration request includes the fifth key information.
  9. The method according to claim 4, characterized in that receiving the second verification success message sent by the first network element control plane comprises:
    when the first verification request is verified successfully, receiving the second verification success message sent by the first network element control plane.
  10. The method according to claim 4, characterized in that the method further comprises:
    when verification of the first verification request fails, receiving a first network element identifier and a third random number forwarded by the mobile network control plane from the first network element control plane;
    determining, from the first network element identifier, that the first network element is a server that requires the MBS service;
    determining sixth key information from the first network element identifier and the third random number, determining seventh key information from the sixth key information, and determining third digest information from the seventh key information and the third random number;
    sending the third digest information and a fourth random number to the first network element control plane.
  11. The method according to claim 10, characterized in that the method further comprises:
    receiving fourth digest information fed back by the first network element control plane, the fourth digest information being generated by the first network element control plane from the fourth random number;
    verifying the fourth digest information successfully, completing the verification process of the first verification request of the terminal device.
  12. The method according to claim 10, characterized in that:
    the first verification request does not include eighth key information, the eighth key information being used to derive the sixth key information;
    or, the first verification request includes the eighth key information.
  13. The method according to claim 5, characterized in that the method further comprises:
    feeding back a first confirmation message to the first network element control plane, the first confirmation message indicating that the terminal device received the first key successfully;
    feeding back a second confirmation message to the first network element control plane, the second confirmation message indicating that the terminal device received the second key successfully.
  14. The method according to any one of claims 1 to 13, characterized in that:
    the mobile network control plane includes at least one of an access and mobility management function (AMF) network element, a session management function (SMF) network element, an authentication server function (AUSF) network element and a security anchor function (SEAF) network element;
    the first network element control plane includes a multimedia broadcast service function (MBSF) network element.
  15. 一种多媒体广播组播服务认证方法,其特征在于,应用于通信***中,所述通信***包括移动网络控制面、第一网元控制面和第一网元用户面,所述方法包括:A multimedia broadcast multicast service authentication method, characterized in that it is applied to a communication system, the communication system includes a mobile network control plane, a first network element control plane, and a first network element user plane, and the method includes:
    所述第一网元控制面通过所述移动网络控制面与终端设备之间,通过非接入层NAS消息进行交互,所述交互用于完成以下至少一个流程:服务注册流程、请求认证流程、密钥分发流程;The control plane of the first network element interacts with the terminal device through a non-access stratum NAS message through the control plane of the mobile network, and the interaction is used to complete at least one of the following processes: service registration process, request authentication process, Key distribution process;
    其中,所述服务注册流程、所述请求认证流程、所述密钥分发流程中的至少一项用于多媒体广播组播服务MBMS业务。Wherein, at least one of the service registration process, the request authentication process, and the key distribution process is used for the multimedia broadcast multicast service MBMS service.
  16. 根据权利要求15所述的方法,其特征在于,所述第一网元控制面通过移动网络控制面与终端设备之间通过非接入层NAS消息进行交互,包括:The method according to claim 15, wherein the interaction between the control plane of the first network element and the terminal device through a non-access stratum NAS message through the control plane of the mobile network comprises:
    所述第一网元控制面将与所述终端设备之间交互的内容添加到容器中,通过所述移动网络控制面传送所述容器。The first network element control plane adds content interacted with the terminal device to the container, and transmits the container through the mobile network control plane.
  17. 根据权利要求15所述的方法,其特征在于,所述服务注册流程包括:The method according to claim 15, wherein the service registration process comprises:
    所述移动网络控制面接收所述终端设备发送的所述服务注册请求,所述服务注册请求用于对所述终端设备进行注册;The mobile network control plane receives the service registration request sent by the terminal device, where the service registration request is used to register the terminal device;
    所述移动网络控制面向所述第一网元控制面转发所述服务注册请求;The mobile network control forwards the service registration request to the control plane of the first network element;
    所述第一网元控制面向所述终端设备发送第一验证成功消息,所述第一验证成功消息用于指示所述服务注册请求对应的服务注册流程成功。The first network element controls to send a first verification success message to the terminal device, where the first verification success message is used to indicate that the service registration process corresponding to the service registration request is successful.
  18. 根据权利要求15所述的方法,其特征在于,所述请求认证流程,包括:The method according to claim 15, wherein the request authentication process comprises:
    所述移动网络控制面接收所述终端设备发送的第一验证请求,所述第一验证请求用于请求获取第一密钥;The mobile network control plane receives a first verification request sent by the terminal device, where the first verification request is used to request to obtain a first key;
    所述移动网络控制面向所述第一网元控制面转发所述第一验证请求;The mobile network control forwards the first verification request to the control plane of the first network element;
    所述第一网元控制面向所述终端设备发送第二验证成功消息,所述第二验证成功消息用于指示所述第一验证请求验证成功。The first network element controls to send a second verification success message to the terminal device, where the second verification success message is used to indicate that the first verification request is successfully verified.
  19. 根据权利要求15所述的方法,其特征在于,所述密钥分发流程,包括:The method according to claim 15, wherein the key distribution process comprises:
    所述第一网元控制面向所述终端设备和所述第一网元用户面分别发送第一密钥和第二密钥,所述第一密钥用于保护所述第二密钥,所述第二密钥用于所述终端设备和所述第一网元用户面之间的数据传输。The first network element controls to send a first key and a second key to the terminal device and the user plane of the first network element, respectively, the first key is used to protect the second key, so The second key is used for data transmission between the terminal device and the user plane of the first network element.
  20. 根据权利要求17所述的方法,其特征在于,所述方法还包括:The method according to claim 17, wherein the method further comprises:
    所述第一网元控制面向所述移动网络控制面发送第一网元标识和第一随机数;The first network element control sends a first network element identifier and a first random number to the mobile network control plane;
    所述移动网络控制面向所述终端设备转发所述第一网元标识和所述第一随机数;The mobile network control forwards the first network element identifier and the first random number to the terminal device;
    所述第一网元控制面接收所述终端设备发送的第一摘要信息和第二随机数,所述第一摘要信息是所述终端设备根据所述第一随机数生成的;Receiving, by the first network element control plane, first summary information and a second random number sent by the terminal device, where the first summary information is generated by the terminal device according to the first random number;
    The first network element control plane verifies the first digest information according to fourth key information.
  21. The method according to claim 20, wherein the first network element control plane sending a first verification success message to the terminal device comprises:
    in the case that the first digest information is verified successfully, the first network element control plane feeding back the first verification success message and second digest information to the terminal device, the second digest information being generated by the first network element control plane according to the second random number.
  22. The method according to claim 20, wherein the first network element control plane verifying the first digest information according to the fourth key information comprises:
    the first network element control plane calculating the fourth key information according to third key information;
    the first network element control plane verifying the first digest information according to the first random number and the fourth key information.
  23. The method according to claim 22, wherein the service registration request does not include fifth key information, the fifth key information being used to derive the third key information, and the method further comprises:
    the mobile network control plane calculating the third key information;
    the mobile network control plane sending the third key information to the first network element control plane;
    the first network element control plane receiving the third key information.
  24. The method according to claim 22, wherein the service registration request includes fifth key information, the fifth key information being used to derive the third key information, and the method further comprises:
    the first network element control plane calculating the third key information according to the fifth key information.
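The exchange in claims 20 to 24, with the terminal side of claims 38 to 40, amounts to a two-way challenge-response: the network element sends its identifier and a first random number, the terminal derives third and fourth key information from them and answers with a digest over the first random number plus a second random number of its own, and the network element control plane proves itself by returning a digest over that second random number. The following is an added example written for this page, not code from the patent or its applicant. It assumes HMAC-SHA256 as both the key-derivation function and the digest (the claims name no primitive), a constructed shared root secret from which the third key information is derived on both sides, and a constructed allowlist standing in for the terminal's check that the network element is an MBS server; the names `derive_k3`, `derive_k4`, `make_digest`, `terminal_respond`, `mbsf_verify` and `run_registration` are the example's own.

```python
import hashlib
import hmac
import os

# Constructed allowlist of network element identifiers the terminal accepts as
# MBS servers (stands in for the check in claim 38 that the first network
# element is a server requiring MBS service; the claims do not say where this
# knowledge comes from).
KNOWN_MBS_SERVERS = {b"MBSF-001"}


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 used as the key-derivation function (an assumption; the
    claims leave the primitive open)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def derive_k3(root_key: bytes, ne_id: bytes, rn1: bytes) -> bytes:
    """Third key information, bound to the NE identifier and first random number."""
    return kdf(root_key, b"K3", ne_id, rn1)


def derive_k4(k3: bytes) -> bytes:
    """Fourth key information, derived from the third key information (claim 22)."""
    return kdf(k3, b"K4")


def make_digest(k4: bytes, rn: bytes) -> bytes:
    """Digest over a random number under the fourth key information."""
    return hmac.new(k4, rn, hashlib.sha256).digest()


def terminal_respond(root_key: bytes, ne_id: bytes, rn1: bytes):
    """Terminal side (claim 38): check the NE identifier, derive K3 -> K4 and
    produce the first digest over RN1. Returns (digest1, k4), or None when the
    NE is not a known MBS server and no key material is derived for it."""
    if ne_id not in KNOWN_MBS_SERVERS:
        return None
    k4 = derive_k4(derive_k3(root_key, ne_id, rn1))
    return make_digest(k4, rn1), k4


def mbsf_verify(k3: bytes, rn1: bytes, rn2: bytes, digest1: bytes):
    """First NE control plane side (claims 20-22): recompute K4 from K3, verify
    digest1 in constant time and answer with the second digest over RN2.
    Returns digest2, or None when verification fails."""
    k4 = derive_k4(k3)
    if not hmac.compare_digest(make_digest(k4, rn1), digest1):
        return None
    return make_digest(k4, rn2)


def run_registration(terminal_root: bytes, network_root: bytes,
                     ne_id: bytes = b"MBSF-001", rn1=None, rn2=None):
    """Drive the whole exchange. Returns (network_verified, terminal_verified)."""
    rn1 = rn1 if rn1 is not None else os.urandom(16)  # chosen by the MBSF
    rn2 = rn2 if rn2 is not None else os.urandom(16)  # chosen by the terminal
    # Claim 23 path: the mobile network control plane computes K3 from the root
    # secret and hands it to the MBSF, which never sees the root secret itself.
    k3 = derive_k3(network_root, ne_id, rn1)
    resp = terminal_respond(terminal_root, ne_id, rn1)
    if resp is None:
        return (False, False)
    digest1, k4_terminal = resp
    digest2 = mbsf_verify(k3, rn1, rn2, digest1)
    if digest2 is None:
        return (False, False)          # no success message, no second digest
    terminal_ok = hmac.compare_digest(make_digest(k4_terminal, rn2), digest2)
    return (True, terminal_ok)


if __name__ == "__main__":
    root = bytes(32)  # constructed shared root secret for the demo
    print(run_registration(root, root))
```

Because the third key information is bound to the first random number, a first digest captured from one run does not verify against a fresh random number in a later run, and the terminal only accepts the network element once the second digest over its own random number checks out.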
  25. The method according to claim 18, wherein the first network element control plane sending a second verification success message to the terminal device comprises:
    the first network element control plane verifying the first verification request and, in the case that the first verification request is verified successfully, feeding back the second verification success message to the terminal device.
  26. The method according to claim 18, wherein the method further comprises:
    the first network element control plane verifying the first verification request and, in the case that verification of the first verification request fails, sending a first network element identifier and a third random number to the mobile network control plane;
    the mobile network control plane forwarding the first network element identifier and the third random number to the terminal device;
    the first network element control plane receiving third digest information and a fourth random number sent by the terminal device, the third digest information being generated by the terminal device according to the third random number;
    the first network element control plane verifying the third digest information according to seventh key information;
    in the case that the third digest information is verified successfully, the first network element control plane feeding back fourth digest information to the terminal device, the fourth digest information being generated according to the fourth random number.
  27. The method according to claim 26, wherein the first network element control plane verifying the third digest information according to the seventh key information comprises:
    the first network element control plane calculating the seventh key information according to sixth key information;
    the first network element control plane verifying the third digest information according to the third random number and the seventh key information.
  28. The method according to claim 27, wherein the first verification request does not include eighth key information, the eighth key information being used to derive the sixth key information, and the method further comprises:
    the mobile network control plane calculating the sixth key information;
    the mobile network control plane sending the sixth key information to the first network element control plane;
    the first network element control plane receiving the sixth key information.
  29. The method according to claim 27, wherein the first verification request includes eighth key information, the eighth key information being used to derive the sixth key information, and the method further comprises:
    the first network element control plane calculating the sixth key information according to the eighth key information.
  30. The method according to claim 19, wherein the first network element control plane sending a first key and a second key to the terminal device and the first network element user plane respectively comprises:
    the first network element control plane generating the first key and delivering the first key to the terminal device;
    the first network element control plane receiving a first confirmation message fed back by the terminal device, the first confirmation message being used to indicate that the terminal device has received the first key successfully;
    the first network element control plane delivering the first key to the first network element user plane;
    the first network element control plane generating the second key and delivering the second key to the terminal device;
    the first network element control plane receiving a second confirmation message fed back by the terminal device, the second confirmation message being used to indicate that the terminal device has received the second key successfully;
    the first network element control plane delivering the second key to the first network element user plane.
  31. The method according to claim 30, wherein the method further comprises:
    the first network element user plane encrypting data using the second key and sending the data to the terminal device.
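Claims 30 and 31 (and claim 37 on the terminal side) describe a two-level key distribution: the first key protects the second key, the second key protects the user-plane data, and the control plane hands each key to the user plane only after the terminal has confirmed receiving it. The following is an added example written for this page, not code from the patent or its applicant. It assumes an encrypt-then-MAC construction built from HMAC-SHA256 (the claims name no cipher; a real deployment would use an AEAD cipher), treats the delivery of the first key to the terminal as happening over the control path, and uses constructed confirmation messages `ACK1` and `ACK2`; the names `seal`, `unseal`, `Terminal`, `UserPlane` and `run_key_distribution` are the example's own.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag length


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as KDF (assumption: the claims do not name a primitive)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC under separate sub-keys; returns ciphertext || tag."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(key: bytes, nonce: bytes, blob: bytes, aad: bytes = b""):
    """Check the tag before decrypting; None on a wrong key or tampering."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Terminal:
    """Terminal device: holds the first and second key once delivered."""

    def __init__(self):
        self.k1 = None
        self.k2 = None

    def receive_k1(self, k1: bytes) -> bytes:
        self.k1 = k1
        return b"ACK1"  # first confirmation message (constructed)

    def receive_wrapped_k2(self, nonce: bytes, blob: bytes):
        """The second key arrives protected by the first key (claim 37)."""
        if self.k1 is None:
            return None
        k2 = unseal(self.k1, nonce, blob, aad=b"K2")
        if k2 is None:
            return None  # not wrapped under our first key: no confirmation
        self.k2 = k2
        return b"ACK2"  # second confirmation message (constructed)

    def receive_data(self, nonce: bytes, blob: bytes):
        return None if self.k2 is None else unseal(self.k2, nonce, blob, aad=b"MBS-DATA")


class UserPlane:
    """First NE user plane: gets keys from the control plane, encrypts data (claim 31)."""

    def __init__(self):
        self.k1 = None
        self.k2 = None

    def send_data(self, nonce: bytes, data: bytes) -> bytes:
        return seal(self.k2, nonce, data, aad=b"MBS-DATA")


def run_key_distribution(terminal: Terminal, user_plane: UserPlane) -> bool:
    """Control plane procedure of claim 30: each key reaches the user plane only
    after the terminal has confirmed it, so both ends hold the same keys."""
    k1 = os.urandom(32)
    if terminal.receive_k1(k1) != b"ACK1":
        return False
    user_plane.k1 = k1
    k2 = os.urandom(32)
    nonce = os.urandom(12)
    if terminal.receive_wrapped_k2(nonce, seal(k1, nonce, k2, aad=b"K2")) != b"ACK2":
        return False
    user_plane.k2 = k2
    return True
```

Ordering the user-plane delivery after each confirmation is what keeps the control plane from enabling encrypted traffic with a second key the terminal never received; a terminal holding a different first key gets no usable second key and returns no confirmation.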
  32. The method according to any one of claims 15 to 31, wherein:
    the mobile network control plane includes at least one of an Access and Mobility Management Function (AMF) network element, a Session Management Function (SMF) network element, an Authentication Server Function (AUSF) network element, and a Security Anchor Function (SEAF) network element;
    the first network element control plane includes a Multimedia Broadcast Service Function (MBSF) network element;
    the first network element user plane includes a Multimedia Broadcast Service User plane (MBSU) network element.
  33. A multimedia broadcast multicast service authentication apparatus, characterized in that the apparatus includes a transceiver module;
    the transceiver module is configured to interact with a first network element control plane through a mobile network control plane by means of Non-Access Stratum (NAS) messages, the interaction being used to complete at least one of the following procedures: a service registration procedure, a request authentication procedure, and a key distribution procedure;
    wherein at least one of the service registration procedure, the request authentication procedure and the key distribution procedure is used for a Multimedia Broadcast Multicast Service (MBMS) service.
  34. The apparatus according to claim 33, wherein the transceiver module includes a sending sub-module;
    the sending sub-module is configured to add the content exchanged with the first network element control plane to a container and transmit the container through the mobile network control plane.
  35. The apparatus according to claim 33, wherein the transceiver module includes a sending sub-module and a receiving sub-module;
    the sending sub-module is configured to send a service registration request to the mobile network control plane, the service registration request being used to register the terminal device;
    the receiving sub-module is configured to receive, after the first network element control plane has received the service registration request forwarded by the mobile network control plane, a first verification success message sent by the first network element control plane, the first verification success message being used to indicate that the service registration procedure corresponding to the service registration request has succeeded.
  36. The apparatus according to claim 33, wherein the transceiver module includes a sending sub-module and a receiving sub-module; the sending sub-module is configured to send a first verification request to the mobile network control plane, the first verification request being used to request acquisition of a first key;
    the receiving sub-module is configured to receive, after the first network element control plane has received the first verification request forwarded by the mobile network control plane, a second verification success message sent by the first network element control plane, the second verification success message being used to indicate that the first verification request has been verified successfully.
  37. The apparatus according to claim 33, wherein the transceiver module includes a receiving sub-module; the receiving sub-module is configured to receive a first key and a second key sent by the first network element control plane;
    wherein the first key is used to protect the second key, and the second key is used for data transmission between the terminal device and a first network element user plane.
  38. The apparatus according to claim 35, wherein the transceiver module further includes a determining sub-module;
    the receiving sub-module is configured to receive a first network element identifier and a first random number forwarded by the mobile network control plane from the first network element control plane;
    the determining sub-module is configured to determine, according to the first network element identifier, that the first network element is a server requiring a Multicast Broadcast Service (MBS) service;
    the determining sub-module is configured to determine third key information according to the first network element identifier and the first random number, determine fourth key information according to the third key information, and determine first digest information according to the fourth key information and the first random number;
    the sending sub-module is configured to send the first digest information and a second random number to the first network element control plane.
  39. The apparatus according to claim 35, wherein the transceiver module further includes a verification sub-module;
    the receiving sub-module is configured to receive second digest information fed back by the first network element control plane, the second digest information being generated by the first network element control plane according to the second random number;
    the verification sub-module is configured to verify the second digest information and complete the service registration procedure of the terminal device.
  40. The apparatus according to claim 38, wherein:
    the service registration request does not include fifth key information, the fifth key information being used to derive the third key information;
    or, the service registration request includes the fifth key information.
  41. The apparatus according to claim 36, wherein:
    the receiving sub-module is configured to receive the second verification success message sent by the first network element control plane in the case that the first verification request is verified successfully.
  42. The apparatus according to claim 36, wherein the transceiver module further includes a determining sub-module;
    the receiving sub-module is configured to receive, in the case that verification of the first verification request fails, a first network element identifier and a third random number forwarded by the mobile network control plane from the first network element control plane;
    the determining sub-module is configured to determine, according to the first network element identifier, that the first network element is a server requiring the MBS service;
    the determining sub-module is configured to determine sixth key information according to the first network element identifier and the third random number, determine seventh key information according to the sixth key information, and determine third digest information according to the seventh key information and the third random number;
    the sending sub-module is configured to send the third digest information and a fourth random number to the first network element control plane.
  43. The apparatus according to claim 42, wherein the transceiver module further includes a verification sub-module;
    the receiving sub-module is configured to receive fourth digest information fed back by the first network element control plane, the fourth digest information being generated by the first network element control plane according to the fourth random number;
    the verification sub-module is configured to verify the fourth digest information successfully and complete the verification procedure of the first verification request of the terminal device.
  44. The apparatus according to claim 42, wherein:
    the first verification request does not include eighth key information, the eighth key information being used to derive the sixth key information;
    or, the first verification request includes the eighth key information.
  45. The apparatus according to claim 37, wherein the transceiver module includes a sending sub-module;
    the sending sub-module is configured to feed back a first confirmation message to the first network element control plane, the first confirmation message being used to indicate that the terminal device has received the first key successfully;
    the sending sub-module is configured to feed back a second confirmation message to the first network element control plane, the second confirmation message being used to indicate that the terminal device has received the second key successfully.
  46. The apparatus according to any one of claims 33 to 44, characterized in that:
    the mobile network control plane includes at least one of an Access and Mobility Management Function (AMF) network element, a Session Management Function (SMF) network element, an Authentication Server Function (AUSF) network element, and a Security Anchor Function (SEAF) network element;
    the first network element control plane includes a Multimedia Broadcast Service Function (MBSF) network element.
  47. A multimedia broadcast multicast service authentication apparatus, characterized in that the apparatus includes a mobile network control plane module, a first network element control plane module and a first network element user plane module;
    the first network element control plane module interacts with a terminal device through the mobile network control plane module by means of Non-Access Stratum (NAS) messages, the interaction being used to complete at least one of the following procedures: a service registration procedure, a request authentication procedure, and a key distribution procedure;
    wherein at least one of the service registration procedure, the request authentication procedure and the key distribution procedure is used for a Multimedia Broadcast Multicast Service (MBMS) service.
  48. The apparatus according to claim 47, wherein:
    the first network element control plane module adds the content exchanged with the terminal device to a container and transmits the container through the mobile network control plane module.
  49. The apparatus according to claim 47, wherein:
    the mobile network control plane module is configured to receive the service registration request sent by the terminal device, the service registration request being used to register the terminal device;
    the mobile network control plane module is configured to forward the service registration request to the first network element control plane module;
    the first network element control plane module is configured to send a first verification success message to the terminal device, the first verification success message being used to indicate that the service registration procedure corresponding to the service registration request has succeeded.
  50. The apparatus according to claim 47, wherein:
    the mobile network control plane module is configured to receive a first verification request sent by the terminal device, the first verification request being used to request acquisition of a first key;
    the mobile network control plane module is configured to forward the first verification request to the first network element control plane module;
    the first network element control plane module is configured to send a second verification success message to the terminal device, the second verification success message being used to indicate that the first verification request has been verified successfully.
  51. The apparatus according to claim 47, wherein:
    the first network element control plane module is configured to send a first key and a second key to the terminal device and the first network element user plane module respectively, the first key being used to protect the second key, and the second key being used for data transmission between the terminal device and the first network element user plane module.
  52. The apparatus according to claim 49, wherein:
    the first network element control plane module is configured to send a first network element identifier and a first random number to the mobile network control plane module;
    the mobile network control plane module is configured to forward the first network element identifier and the first random number to the terminal device;
    the first network element control plane module is configured to receive first digest information and a second random number sent by the terminal device, the first digest information being generated by the terminal device according to the first random number;
    the first network element control plane module is configured to verify the first digest information according to fourth key information.
  53. The apparatus according to claim 52, wherein:
    in the case that the first digest information is verified successfully, the first network element control plane module is configured to feed back the first verification success message and second digest information to the terminal device, the second digest information being generated by the first network element control plane module according to the second random number.
  54. The apparatus according to claim 52, wherein:
    the first network element control plane module is configured to calculate the fourth key information according to third key information;
    the first network element control plane module is configured to verify the first digest information according to the first random number and the fourth key information.
  55. The apparatus according to claim 54, wherein the service registration request does not include fifth key information, the fifth key information being used to derive the third key information;
    the mobile network control plane module is configured to calculate the third key information;
    the mobile network control plane module is configured to send the third key information to the first network element control plane module;
    the first network element control plane module is configured to receive the third key information.
  56. The apparatus according to claim 54, wherein the service registration request includes fifth key information, the fifth key information being used to derive the third key information;
    the first network element control plane module is configured to calculate the third key information according to the fifth key information.
  57. The apparatus according to claim 50, wherein:
    the first network element control plane module is configured to verify the first verification request and, in the case that the first verification request is verified successfully, feed back the second verification success message to the terminal device.
  58. The apparatus according to claim 50, wherein:
    the first network element control plane module is configured to verify the first verification request and, in the case that verification of the first verification request fails, send a first network element identifier and a third random number to the mobile network control plane module;
    the mobile network control plane module is configured to forward the first network element identifier and the third random number to the terminal device;
    the first network element control plane module is configured to receive third digest information and a fourth random number sent by the terminal device, the third digest information being generated by the terminal device according to the third random number;
    the first network element control plane module is configured to verify the third digest information according to seventh key information;
    in the case that the third digest information is verified successfully, the first network element control plane module is configured to feed back fourth digest information to the terminal device, the fourth digest information being generated according to the fourth random number.
  59. The apparatus according to claim 58, wherein:
    the first network element control plane module is configured to calculate the seventh key information according to sixth key information;
    the first network element control plane module is configured to verify the third digest information according to the third random number and the seventh key information.
  60. The apparatus according to claim 59, wherein the first verification request does not include eighth key information, the eighth key information being used to derive the sixth key information;
    the mobile network control plane module is configured to calculate the sixth key information;
    the mobile network control plane module is configured to send the sixth key information to the first network element control plane;
    the first network element control plane module is configured to receive the sixth key information.
  61. The apparatus according to claim 59, wherein the first verification request includes eighth key information, the eighth key information being used to derive the sixth key information;
    the first network element control plane module is configured to calculate the sixth key information according to the eighth key information.
  62. The apparatus according to claim 51, wherein:
    the first network element control plane module is configured to generate the first key and deliver the first key to the terminal device;
    the first network element control plane module is configured to receive a first confirmation message fed back by the terminal device, the first confirmation message being used to indicate that the terminal device has received the first key successfully;
    the first network element control plane module is configured to deliver the first key to the first network element user plane module;
    the first network element control plane is configured to generate the second key and deliver the second key to the terminal device;
    the first network element control plane module is configured to receive a second confirmation message fed back by the terminal device, the second confirmation message being used to indicate that the terminal device has received the second key successfully;
    the first network element control plane module is configured to deliver the second key to the first network element user plane module.
  63. The apparatus according to claim 62, wherein:
    the first network element user plane module is configured to encrypt data using the second key and send the data to the terminal device.
  64. The apparatus according to any one of claims 47 to 63, wherein:
    the mobile network control plane module includes at least one of an Access and Mobility Management Function (AMF) network element module, a Session Management Function (SMF) network element module, an Authentication Server Function (AUSF) network element module, and a Security Anchor Function (SEAF) network element module;
    the first network element control plane module includes a Multimedia Broadcast Service Function (MBSF) network element module;
    the first network element user plane module includes a Multimedia Broadcast Service User plane (MBSU) network element module.
  65. A terminal device, characterized in that the terminal device includes:
    a processor;
    a transceiver connected to the processor;
    a memory for storing executable instructions of the processor;
    wherein the processor is configured to load and execute the executable instructions to implement the multimedia broadcast multicast service authentication method according to any one of claims 1 to 14.
  66. A communication system, characterized in that the communication system includes:
    a processor and a memory;
    wherein code in the memory run by the processor is provided to at least one network element in network function virtualization, the at least one network element being used to execute the multimedia broadcast multicast service authentication method according to any one of claims 15 to 32.
  67. A computer-readable storage medium, characterized in that the readable storage medium stores executable instructions, and the executable instructions are loaded and executed by a processor to implement the multimedia broadcast multicast service authentication method according to any one of claims 1 to 32.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080099194.9A CN115336377A (en) 2020-04-24 2020-04-24 Multimedia broadcast multicast service authentication method, device, equipment and storage medium
PCT/CN2020/086771 WO2021212491A1 (en) 2020-04-24 2020-04-24 Multimedia broadcast/multicast service authentication method and apparatus, and device and storage medium

Publications (1)

Publication Number Publication Date
WO2021212491A1 true WO2021212491A1 (en) 2021-10-28

Family

ID=78270848

Country Status (2)

Country Link
CN (1) CN115336377A (en)
WO (1) WO2021212491A1 (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355720A (en) * 2007-07-26 2009-01-28 华为技术有限公司 Network bearer architecture, method and adapter for implementing broadcast/multicast service
CN110663284A (en) * 2017-06-21 2020-01-07 Lg电子株式会社 Method and apparatus for performing service request procedure in wireless communication system
CN109699013A (en) * 2017-10-24 2019-04-30 华为技术有限公司 Communication system, communication method and device thereof
CN109769150A (en) * 2017-11-09 2019-05-17 华为技术有限公司 Method and apparatus for transmitting multicast service
CN110167190A (en) * 2018-02-14 2019-08-23 华为技术有限公司 Session establishment method and device

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
3GPP TR 23.757 V0.3.0, "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on architectural enhancements for 5G multicast-broadcast services (Release 17)", 3GPP SA WG2, 29 January 2020, pages 1-37, XP051860857 *
ERICSSON, LG ELECTRONICS, ZTE, SAMSUNG: "5MBS Architecture", 3GPP draft S2-2001381, SA WG2 meeting, Incheon, KR, 13-17 January 2020, submitted 16 January 2020, XP051844123 *
OPPO: "Solution for Broadcast Session Start", 3GPP draft S2-2001707, SA WG2 meeting, Incheon, Korea, 13-17 January 2020, submitted 27 January 2020, XP051845605 *
VIVO: "Solution for multicast session management", 3GPP draft S2-2001706, SA WG2 meeting, Seoul, Korea, 13-17 January 2020, submitted 27 January 2020, XP051845604 *

Also Published As

Publication number Publication date
CN115336377A (en) 2022-11-11


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20931906
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 20931906
    Country of ref document: EP
    Kind code of ref document: A1