WO2022067803A1 - Communication method and apparatus - Google Patents

Communication method and apparatus Download PDF

Info

Publication number
WO2022067803A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
key
counter
value
set identifier
Prior art date
Application number
PCT/CN2020/119728
Other languages
French (fr)
Chinese (zh)
Inventor
杨林平
张博
陈军
强鹂
李�赫
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2020/119728
Priority to CN202080105654.4A (published as CN116391376A)
Publication of WO2022067803A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a communication method and device.
  • the mobile communication network defined by the 3rd generation partnership project (3rd generation partnership project, 3GPP) introduces a security protection mechanism to ensure the security of mobile communication (for example, confidentiality and integrity of communication).
  • the network side (for example, the unified data management network element) and the terminal device may each store the same intermediate key (for example, K AUSF).
  • the information sent by the network side to the terminal device can be protected by the intermediate key; correspondingly, the terminal device can use the intermediate key to perform security verification on the information after the security protection by the network side to verify the security of the information.
  • the terminal device does not store a valid intermediate key.
  • the network side cannot know whether the terminal device stores a valid intermediate key. Therefore, the network side still uses the intermediate key to perform security protection on the information to be sent to the terminal device according to the normal process, but since the terminal device does not store the intermediate key, it cannot perform security verification on the security-protected information. In this way, the normal communication between the network side and the terminal device is affected.
  • the present application provides a communication method for ensuring normal communication between a network side and a terminal device.
  • a communication method is provided, the method is applied to a terminal device configured with a (U)SIM card, and a key set identifier is stored in the (U)SIM card, the method comprising: when the terminal device needs to initiate an initial registration process, the terminal device determines whether there is a valid intermediate key; if there is no valid intermediate key, the terminal device deletes the key set identifier; the terminal device sends an initial registration request message to the mobility management network element, and the initial registration request message does not carry the key set identifier, so as to trigger the authentication process for the terminal device; the terminal device obtains authentication key information in the authentication process, and the authentication key information includes a valid intermediate key.
  • when the terminal device needs to initiate an initial registration process, the terminal device first checks whether there is a valid intermediate key. If there is no valid intermediate key, the terminal device deletes the key set identifier in the (U)SIM card, so that the initial registration request message sent by the terminal device does not carry the key set identifier. Since the initial registration request message does not carry the key set identifier, the mobility management network element will initiate an authentication process with the terminal device. In the authentication process, the terminal device and the network side obtain the same intermediate key synchronously.
  • the network side can use the intermediate key to protect the information sent to the terminal device; correspondingly, the terminal device can use the same intermediate key to perform security verification on the security-protected information. Therefore, the embodiments of the present application can ensure secure communication between the terminal device and the network side.
  • the key set identifier is the key set identifier generated when the terminal device accesses the network through the first access technology; the terminal device sending an initial registration request message to the mobility management network element includes: the terminal device sends the initial registration request message to the mobility management network element using the first access technology.
  • deleting the key set identifier by the terminal device includes: the terminal device sets the value of the key set identifier to a first value, where the first value is used to indicate "no key available".
  • the initial registration request message does not carry the key set identifier, including: the initial registration request message includes first indication information, and the first indication information is used to indicate that there is no available key.
  • the terminal device is further configured with a non-volatile memory; the terminal device determining whether there is a valid intermediate key includes: the terminal device determines whether the terminal identity in the non-volatile memory is consistent with the terminal identity in the (U)SIM card; if the terminal identity in the non-volatile memory is consistent with the terminal identity in the (U)SIM card, the terminal device determines whether there is a valid intermediate key in the non-volatile memory and the (U)SIM card; or, if the terminal identity in the non-volatile memory is inconsistent with the terminal identity in the (U)SIM card, the terminal device determines whether there is a valid intermediate key in the (U)SIM card.
  • the authentication key information also includes: the value of the steering of roaming (SOR) counter, and/or the value of the UE parameters update (UPU) counter.
  • valid intermediate keys include Kausf.
  • the key set identifier is the next generation network key set identifier (key set identifier for next generation radio access network, ngKSI).
  • a communication method comprising: a terminal device determines whether the value of a first counter in the authentication key information is greater than or equal to a preset value; when the value of the first counter is greater than or equal to the preset value, the terminal device deletes the key set identifier; the terminal device sends a registration request message to the mobility management network element, and the registration request message does not carry the key set identifier, so as to trigger the authentication process for the terminal device; the terminal device obtains updated authentication key information in the authentication process, and the updated authentication key information includes the updated intermediate key and a first counter whose value is 0.
  • the terminal device deletes the key set identifier so that the registration request message sent by the terminal device does not carry the key set identifier. Since the registration request message does not carry the key set identifier, the mobility management network element will initiate an authentication process with the terminal device.
  • the terminal device and the network side can obtain updated authentication key information synchronously, and the updated authentication key information includes the updated intermediate key and a counter with a value of 0.
  • the embodiments of the present application can ensure normal communication between the terminal device and the network side.
  • the key set identifier is a key set identifier generated when the terminal device accesses the network through the first access technology; the terminal device sending a registration request message to the mobility management network element includes: the terminal device sends the registration request message to the mobility management network element using the first access technology.
  • deleting the key set identifier by the terminal device includes: the terminal device sets the value of the key set identifier to a first value, where the first value is used to indicate "no key is available".
  • the terminal device deleting the key set identifier includes: when the terminal device is in the connected state, the terminal device releases the connection with the network device; after releasing the connection with the network device, the terminal device deletes the key set identifier.
  • the registration request message does not carry the key set identifier, including: the registration request message includes first indication information, and the first indication information is used to indicate that there is no available key.
  • the method further includes: the terminal device receives first information, where the first information includes data, the value of a second counter, and a message authentication code (MAC); the terminal device compares whether the value of the second counter is greater than the value of the first counter; when the value of the second counter is greater than the value of the first counter, the terminal device verifies the MAC according to the data in the first information and the value of the second counter; when the MAC verification passes, the terminal device updates the value of the first counter with the value of the second counter.
  • the terminal device determining whether the value of the first counter in the authentication key information is greater than or equal to a preset value includes: the terminal device determines whether the updated value of the first counter is greater than or equal to the preset value.
  • the first counter includes: an SOR counter, and/or a UPU counter.
  • the intermediate key includes Kausf.
  • the keyset identifier is ngKSI.
  • a communication method comprising: when a unified data management network element needs to send data to a terminal device, it determines that the intermediate key generated during the authentication process of the terminal device cannot be used to perform security protection on the data; based on the determination result, the unified data management network element triggers an authentication process for the terminal device.
  • the unified data management network element triggers the authentication process, so that the terminal device and the network side synchronously update the intermediate key and related parameters (e.g. the SOR counter and/or the UPU counter). Therefore, the data sent by the unified data management network element to the terminal device can be protected by a valid intermediate key, and the terminal device can also perform the corresponding security verification on the security-protected data. In this way, normal communication between the unified data management network element and the terminal device is guaranteed.
  • determining that the intermediate key generated in the authentication process of the terminal device cannot be used to protect the data includes: the unified data management network element cannot obtain the identification of the authentication service network element involved in the authentication process of the terminal device.
  • the unified data management network element sends a request message to the authentication service network element involved in the authentication process of the terminal device, where the request message includes the data; the unified data management network element receives a response message from the authentication service network element, and the response message is used to indicate the failure of data security protection.
  • the response message includes second indication information, where the second indication information is used to indicate the reason for the failure of data security protection.
  • the reasons for data security failure include missing intermediate keys or a rollover of a data security counter.
  • the counters include SOR counters or UPU counters.
  • the method further includes: the unified data management network element obtains the identification of the authentication service network element according to the identification of the terminal device.
  • determining that the intermediate key generated in the authentication process of the terminal device cannot be used to protect the data includes: the unified data management network element sends a request message to the authentication service network element involved in the authentication process of the terminal device, where the request message includes the data; the unified data management network element receives a response message from the authentication service network element, and the response message includes a first MAC and the value of a first counter; the unified data management network element sends first information to the terminal device, where the first information includes the data, the first MAC and the value of the first counter; if a confirmation message from the terminal device is not received within a preset time, the unified data management network element determines that the intermediate key generated in the authentication process of the terminal device cannot be used to perform security protection on the data.
  • the unified data management network element sends a request message to the authentication service network element involved in the authentication process of the terminal device, where the request message includes the data; the unified data management network element receives a response message from the authentication service network element, and the response message includes the first MAC and the value of the first counter; the unified data management network element sends the first information to the terminal device, where the first information includes the data, the first MAC and the value of the first counter; if the unified data management network element receives the confirmation message and fails to verify the confirmation message, it determines that the intermediate key generated during the authentication process of the terminal device cannot be used to secure the data.
  • the unified data management network element sends a request message to the authentication service network element involved in the authentication process of the terminal device, where the request message includes the data; the unified data management network element receives a response message from the authentication service network element, and the response message includes the first MAC and the value of the first counter; the unified data management network element sends the first information to the terminal device, where the first information includes the data, the first MAC and the value of the first counter; the unified data management network element receives the confirmation message, and the confirmation message includes third indication information, where the third indication information is used to indicate the reason for the failure of security verification of the data; the unified data management network element determines, according to the third indication information, that the intermediate key generated during the authentication process of the terminal device cannot be used to secure the data.
  • the reason for the failure of the security check on the data includes the missing of the intermediate key or the rollover of the counter for the security protection of the data.
  • the unified data management network element triggering the authentication process for the terminal device includes: the unified data management network element sends fourth indication information to the mobility management network element that provides services for the terminal device, where the fourth indication information is used to trigger the authentication process of the terminal device.
  • the unified data management network element sending fourth indication information to the mobility management network element that provides services for the terminal device includes: the unified data management network element sends a de-registration request message to the mobility management network element, where the de-registration request message is used to request de-registration of the terminal device.
  • the unified data management network element triggering the authentication process for the terminal device includes: the unified data management network element sends fifth indication information to the authentication service network element, where the fifth indication information is used to instruct the authentication service network element to trigger the mobility management network element to initiate an authentication process for the terminal device.
  • the above data is SOR data, UPU data, subscription data of the terminal device, routing data of the terminal device, or routing identifier.
  • the intermediate key includes K AUSF .
  • a communication method comprising: a mobility management network element receives a registration request message sent by a terminal device for switching from a 4G network to a 5G network, the registration request message including a key set identifier, and the key set identifier includes a security context type parameter; when the security context type indicated by the security context type parameter is not native, the mobility management network element initiates an authentication process with the terminal device.
  • the mobility management network element determines whether there is a native security context on the terminal device according to the security context type parameter. For example, if the registration request message includes ngKSI, the type in ngKSI is mapped, and the information element "Non-current native NAS key set identifier" is not carried in the registration request, the mobility management network element determines that there is no native security context locally, which triggers the authentication process of the terminal.
  • the mobility management network element can determine that the terminal device has not gone through the authentication process of the 5G network, so the unified data management network element does not store the identification of the authentication service network element involved in the terminal device authentication process. Therefore, the mobility management network element initiates the authentication process of the terminal device, so that the unified data management network element can store, during the authentication process, the identification of the authentication service network element involved in the authentication process of the terminal device, thereby ensuring normal communication between the unified data management network element and the terminal device.
  • the keyset identifier is ngKSI.
  • a communication device including a processing module and a communication module.
  • the processing module is configured to determine whether there is a valid intermediate key when an initial registration process needs to be initiated; if there is no valid intermediate key, delete the key set identifier stored in the (U)SIM card.
  • the communication module is configured to send an initial registration request message to the mobility management network element, where the initial registration request message does not carry a key set identifier to trigger an authentication process between the mobility management network element and the communication device.
  • the processing module is used for obtaining authentication key information in the authentication process, where the authentication key information includes a valid intermediate key.
  • the key set identifier is a key set identifier generated when the communication device accesses the network through the first access technology; the communication module is specifically configured to send the initial registration request message to the mobility management network element using the first access technology.
  • the processing module is specifically configured to set the value of the key set identifier to a first value, where the first value is used to indicate "no key available".
  • the initial registration request message does not carry the key set identifier, including: the initial registration request message includes first indication information, and the first indication information is used to indicate that there is no available key.
  • the communication device also includes a storage module; the processing module is specifically configured to determine whether the terminal identification in the storage module is consistent with the terminal identification in the (U)SIM card; if the terminal identification in the storage module is consistent with the terminal identification in the (U)SIM card, determine whether there is a valid intermediate key in the storage module and the (U)SIM card; or, if the terminal identification in the storage module is inconsistent with the terminal identification in the (U)SIM card, determine whether there is a valid intermediate key in the (U)SIM card.
  • the authentication key information further includes: the value of the counter of the SOR, and/or the value of the counter of the UPU.
  • valid intermediate keys include Kausf.
  • the keyset identifier is ngKSI.
  • a communication device including a processing module and a communication module.
  • the processing module is configured to determine whether the value of the first counter in the authentication key information is greater than or equal to the preset value; when the value of the first counter is greater than or equal to the preset value, delete the key set identifier.
  • the communication module is configured to send a registration request message to the mobility management network element, where the registration request message does not carry a key set identifier to trigger an authentication process for the communication device.
  • the processing module is further configured to obtain updated authentication key information in the authentication process, where the updated authentication key information includes an updated intermediate key and a first counter with a value of 0.
  • the key set identifier is the key set identifier generated when the communication device accesses the network through the first access technology; the communication module is specifically configured to send the registration request message to the mobility management network element using the first access technology.
  • the processing module is specifically configured to set the value of the key set identifier to a first value, where the first value is used to indicate "no key available".
  • the processing module is specifically configured to release the connection with the network device when the communication device is in the connection state; after releasing the connection with the network device, delete the key set identifier.
  • the registration request message does not carry the key set identifier, including: the registration request message includes first indication information, and the first indication information is used to indicate that there is no available key.
  • the communication module is further configured to receive first information, where the first information includes data, the value of the second counter, and the MAC.
  • the processing module is also used to compare whether the value of the second counter is greater than the value of the first counter; when the value of the second counter is greater than the value of the first counter, verify the MAC according to the data in the first information and the value of the second counter; when the MAC verification passes, update the value of the first counter with the value of the second counter.
  • the processing module is specifically configured to determine whether the updated value of the first counter is greater than or equal to a preset value.
  • the first counter includes: an SOR counter, and/or a UPU counter.
  • the intermediate key includes Kausf.
  • the keyset identifier is ngKSI.
  • a communication device including a processing module and a communication module.
  • the processing module is configured to determine that the intermediate key generated in the authentication process of the terminal device cannot be used to perform security protection on the data when the data needs to be sent to the terminal device.
  • the communication module is used for triggering the authentication process of the terminal device in response to the determination result.
  • the processing module is specifically configured to determine that the intermediate key generated in the terminal device authentication process cannot be used to perform security protection on the data when the identification of the authentication service network element involved in the terminal device authentication process cannot be obtained.
  • the communication module is further configured to send a request message to the authentication service network element involved in the authentication process of the terminal device, where the request message includes data; and receive a response message from the authentication service network element, where the response message is used to indicate a failure of data security protection.
  • the processing module is specifically configured to determine, according to the response message, that the intermediate key generated in the authentication process of the terminal device cannot be used to perform security protection on the data.
  • the response message includes second indication information, where the second indication information is used to indicate the reason for the failure of data security protection.
  • the reasons for data security failure include missing intermediate keys or a rollover of a data security counter.
  • the counters include SOR counters or UPU counters.
  • the processing module is further configured to obtain the identification of the authentication service network element according to the identification of the terminal device.
  • the communication module is further configured to send a request message to the authentication service network element involved in the authentication process of the terminal device, where the request message includes data; receive a response message from the authentication service network element, where the response message includes the first MAC and the value of the first counter; and send first information to the terminal device, where the first information includes the data, the first MAC, and the value of the first counter.
  • the processing module is specifically configured to determine that the intermediate key generated in the authentication process of the terminal device cannot be used to perform security protection on the data if the confirmation message from the terminal device is not received within a preset time.
  • the communication module is further configured to send a request message to the authentication service network element involved in the authentication process of the terminal device, where the request message includes data; receive a response message from the authentication service network element, where the response message includes the first MAC and the value of the first counter; send the first information to the terminal device, the first information including the data, the first MAC and the value of the first counter; and receive the confirmation message.
  • the processing module is configured to determine that the intermediate key generated in the authentication process of the terminal device cannot be used to perform security protection on the data when the verification of the confirmation message fails.
  • the communication module is further configured to send a request message to the authentication service network element involved in the authentication process of the terminal device, where the request message includes data; receive a response message from the authentication service network element, where the response message includes the first MAC and the value of the first counter; send the first information to the terminal device, the first information including the data, the first MAC and the value of the first counter; and receive the confirmation message, where the confirmation message includes third indication information, and the third indication information is used to indicate the reason for the failure to perform security verification on the data.
  • the processing module is specifically configured to determine, according to the third indication information, that it is impossible to use the intermediate key generated in the authentication process of the terminal device to perform security protection on the data.
  • the reason for the failure of the security check on the data includes the missing of the intermediate key or the rollover of the counter for the security protection of the data.
  • the communication module is configured to send fourth indication information to a mobility management network element that provides services for the terminal device, where the fourth indication information is used to trigger an authentication process for the terminal device.
  • the communication module is configured to send a de-registration request message to the mobility management network element, and the de-registration request message is used to request de-registration of the terminal device.
  • the communication module is configured to send fifth indication information to the authentication service network element, where the fifth indication information is used to instruct the authentication service network element to trigger the mobility management network element to initiate an authentication process for the terminal device.
  • the data is SOR data, UPU data, subscription data of the terminal device, routing data of the terminal device, or routing ID.
  • the intermediate key includes K AUSF .
  • a communication device including a processing module and a communication module.
  • the communication module is configured to receive a registration request message sent by the terminal device for switching from the 4G network to the 5G network, where the registration request message includes a key set identifier, and the key set identifier includes a security context type parameter.
  • the processing module is configured to initiate an authentication process for the terminal device when the security context type indicated by the security context type parameter is not native.
  • the keyset identifier is ngKSI.
  • a ninth aspect provides a communication device, comprising a processor and a communication interface, where the processor is configured to execute computer program instructions, so that the communication device implements the communication method involved in any one of the designs of the first to fourth aspects.
  • a tenth aspect provides a computer-readable storage medium, where the computer-readable storage medium stores instructions, and when the instructions are executed on a computer, the computer is made to implement the communication method involved in any one of the designs of the first to fourth aspects.
  • an eleventh aspect provides a computer program product comprising computer instructions, which, when the computer program product is run on a computer, enables the computer to implement the communication method involved in any one of the designs of the first to fourth aspects.
  • a twelfth aspect provides a chip, the chip includes a processor, and when the processor executes computer program instructions, it implements the communication method involved in any of the designs provided in any one of the first to fourth aspects.
  • FIG. 1 is a schematic diagram of the architecture of a 5G network provided by an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a hardware structure of a mobile device in a terminal device provided by an embodiment of the present application;
  • FIG. 4 is a schematic diagram of a sending end calculating a MAC.
  • FIG. 5 is a schematic diagram of a receiving end calculating a MAC.
  • FIG. 6 is a schematic diagram of a registration process in the related art
  • FIG. 7 is a schematic diagram of the EAP-AKA' process in the related art.
  • FIG. 9 is a schematic diagram of the SOR process in the related art.
  • FIG. 10 is a schematic diagram of the UPU process in the related art.
  • FIG. 11 is a schematic diagram of the reasons why a terminal device does not store a valid K AUSF in the related art.
  • FIG. 16 is a flowchart of another communication method provided by an embodiment of the present application.
  • FIG. 17 is a flowchart of another communication method provided by an embodiment of the present application.
  • FIG. 18 is a flowchart of another communication method provided by an embodiment of the present application.
  • FIG. 19 is a flowchart of another communication method provided by an embodiment of the present application.
  • FIG. 21 is a flowchart of another communication method provided by an embodiment of the present application.
  • FIG. 22 is a schematic structural diagram of a communication device according to an embodiment of the present application.
  • FIG. 23 is a schematic diagram of a hardware structure of a communication device according to an embodiment of the present application.
  • the technical solutions provided in the embodiments of the present application can be applied to various communication systems, for example, a communication system using a fifth generation (5th generation, 5G) communication technology, a future evolution system, or a variety of communication fusion systems, and so on.
  • the technical solutions provided in this application can be applied to various application scenarios, such as machine to machine (M2M), macro-micro communication, enhanced mobile broadband (eMBB), ultra-reliable and low latency communication (ultra-reliable & low latency communication, uRLLC), massive machine type communication (mMTC), and other scenarios.
  • the 5G network may include: terminal equipment, a radio access network (RAN) or an access network (AN) (hereinafter, RAN and AN are collectively referred to as (R)AN), a core network, and a data network (data network, DN).
  • the core network includes multiple core network network elements (also called network function network elements), such as an access and mobility management function (AMF) network element, a session management function (SMF) network element, a policy control function (PCF) network element, a user plane function (UPF) network element, an application layer function (application function) network element, an authentication server function (AUSF) network element, and a unified data management (UDM) network element.
  • the core network may also include other network elements that are not shown, such as a security anchor function (SEAF) network element and an authentication credential repository and processing function (ARPF) network element, which are not repeated in the embodiments of this application.
  • the terminal device communicates with the AMF through the next generation (N) 1 interface (N1 for short), the RAN device communicates with the AMF through the N2 interface (N2 for short), and the RAN device communicates with the UPF through the N3 interface (N3 for short).
  • the UPF communicates with the DN through the N6 interface (N6 for short).
  • Control plane network elements such as the AMF, SMF, UDM, AUSF, or PCF can also interact through service interfaces. For example, the service interface provided externally by the AMF can be Namf, that of the SMF can be Nsmf, that of the UDM can be Nudm, that of the PCF can be Npcf, and that of the AUSF can be Nausf; they are not described one by one here.
  • an AMF network element may also be abbreviated as AMF
  • a UPF network element may also be abbreviated as UPF, and so on.
  • the AMF network element is mainly responsible for the mobility management processing part, such as: access control, mobility management, attachment and detachment, and SMF selection and other functions.
  • when the AMF network element provides services for a session in the terminal device, it provides control plane storage resources for the session to store the session ID, the SMF ID associated with the session ID, and the like.
  • UDM network elements are mainly used to manage user subscription data and authentication data, and to perform authentication credential processing, user identification processing, access authorization, registration/mobility management, subscription management, and short message management.
  • the AUSF network element is used to provide the AMF with an authentication service for the terminal device, and to perform security protection on the data sent by some network elements (such as UDM) to the terminal device.
  • the SEAF network element is used to participate in the authentication process of the terminal equipment, and is responsible for transmitting the corresponding authentication information.
  • the (R)AN may consist of (R)AN devices.
  • the (R)AN device can be various forms of base stations, such as a macro base station, a micro base station (also called a "small cell"), a distributed unit-control unit (DU-CU), and the like, where a DU-CU is a device deployed in a radio access network that can communicate wirelessly with a terminal device.
  • the above-mentioned base station may also be a wireless controller in a cloud radio access network (CRAN) scenario, a relay station, an access point, a vehicle-mounted device, a wearable device, or a device in a future evolved public land mobile network (public land mobile network, PLMN).
  • the (R)AN device may also be a broadband network gateway (BNG), an aggregation switch, a non-3rd generation partnership project (non-3GPP) access device, and the like.
  • (R)AN equipment is mainly responsible for radio resource management on the air interface side, uplink and downlink data classification, quality of service (QoS) management, data compression and encryption, signaling processing with control plane network elements, and data forwarding with user plane function network elements.
  • the embodiments of the present application do not limit the specific form and structure of the (R)AN device.
  • the names of devices with base station functions may be different.
  • in LTE, the base station may be an evolved NodeB (evolutional NodeB, eNB or e-NodeB) in the evolved universal terrestrial radio access network (E-UTRAN); in the 5G system, the base station may be a gNB in the next generation radio access network (NG-RAN).
  • the terminal device may be a device with wireless transceiving function.
  • the terminal equipment may have different names, such as user equipment (UE), access terminal, terminal unit, terminal station, mobile station, remote station, remote terminal, mobile device, wireless communication device, terminal agent, or terminal device.
  • Terminals can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water (such as on ships) or in the air (such as on aircraft, balloons, and satellites).
  • Terminal devices include handheld devices, vehicle-mounted devices, wearable devices or computing devices with wireless communication functions.
  • the terminal device may be a mobile phone (mobile phone), a tablet computer or a computer with a wireless transceiver function.
  • the terminal device can also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in telemedicine, a wireless terminal in a smart grid, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
  • the terminal device may refer to an apparatus for implementing the function of the terminal device, such as a chip system.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the technical solutions provided by the embodiments of the present application are described by taking the device for realizing the function of the terminal device as a terminal as an example.
  • FIG. 2 shows a schematic structural diagram of a terminal device provided by an embodiment of the present application.
  • the terminal device at least includes a universal integrated circuit card (universal integrated circuit card, UICC) and a mobile equipment (mobile equipment, ME).
  • UICC is mainly used to store and calculate user information, authentication keys, payment methods, and other information.
  • UICC is a kind of removable smart card. A user only needs to take the UICC card out of one terminal and insert it into another terminal, and the information stored in the UICC is conveniently transferred from one terminal to the other.
  • UICC may include one or more logical modules, such as a subscriber identity module (SIM), a USIM, an IP multimedia service identity module (ISIM), and non-telecommunication applications such as electronic signature authentication and an electronic wallet.
  • the ME may include the following components: radio frequency (RF) circuit 110, memory 120, other input devices 130, display screen 140, sensor 150, audio circuit 160, I/O subsystem 170, processor 180, and components such as power supply 190.
  • the ME structure shown in FIG. 3 does not constitute a limitation to the ME, and the ME may include more or fewer components than shown in the figure, combine some components, split some components, or use a different arrangement of components.
  • the RF circuit 110 can be used for receiving and sending signals during the transmission and reception of information or during a call. In particular, after downlink information from the base station is received, it is processed by the processor 180; in addition, the designed uplink data is sent to the base station.
  • the RF circuit includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, an LNA (low noise amplifier), a duplexer, and the like.
  • the RF circuitry 110 may also communicate with networks and other devices via wireless communication.
  • the wireless communication can use any communication standard or protocol, including but not limited to global system for mobile communication (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), long term evolution (LTE), email, short messaging service (SMS), and the like.
  • the memory 120 may be used to store software programs and modules, and the processor 180 executes various functional applications and data processing of the ME by running the software programs and modules stored in the memory 120 .
  • the memory 120 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function (such as a sound playback function or an image playback function), and the like; the data storage area may store data (such as audio data or a phone book) created according to the use of the ME, and the like.
  • the memory 120 may include high-speed random access memory, and may also include non-volatile memory (NVM), such as at least one disk storage device, flash memory device, or other volatile solid-state storage device.
  • Other input devices 130 may be used to receive input numerical or character information, and to generate key signal input related to user settings and function control of the ME.
  • other input devices 130 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and switch keys), a trackball, a mouse, a joystick, an optical mouse (an optical mouse is a touch-sensitive surface that does not display visual output, or an extension of the touch-sensitive surface formed by a touch screen), and the like.
  • the other input devices 130 are connected to the other input device controller 171 of the I/O subsystem 170, and exchange signals with the processor 180 under the control of the other input device controller 171.
  • the display screen 140 may be used to display information input by or provided to the user and various menus of the ME, and may also accept user input.
  • the specific display screen 140 may include a display panel 141 and a touch panel 142 .
  • the display panel 141 may be configured in the form of a liquid crystal display (Liquid Crystal Display, LCD), an organic light-emitting diode (Organic Light-Emitting Diode, OLED), or the like.
  • the touch panel 142, also known as a touch screen or touch-sensitive screen, can collect the user's contact or non-contact operations on or near it (such as operations performed by the user on or near the touch panel 142 with a finger, a stylus, or any other suitable object or attachment, which may also include somatosensory operations; the operations include operation types such as single-point control operations and multi-point control operations), and drive the corresponding connection device according to a preset program.
  • the touch panel 142 may include two parts, a touch detection device and a touch controller.
  • the touch detection device detects the user's touch orientation and posture, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into information that the processor can process, and then sends it to the processor 180; it can also receive and execute commands sent by the processor 180.
  • the touch panel 142 can be realized by various types of resistive, capacitive, infrared, and surface acoustic waves, and any technology developed in the future can also be used to realize the touch panel 142 .
  • the touch panel 142 can cover the display panel 141, and the user can perform an operation on or near the touch panel 142 covering the display panel 141 according to the content displayed on the display panel 141 (the displayed content includes, but is not limited to, a soft keyboard, a virtual mouse, virtual keys, icons, and the like).
  • after the touch panel 142 detects the operation on or near it, the operation is transmitted to the processor 180 through the I/O subsystem 170 to determine the user input, and the processor 180 then provides corresponding visual output on the display panel 141 through the I/O subsystem 170 according to the user input.
  • the touch panel 142 and the display panel 141 are used as two independent components to realize the input and output functions of the ME, but in some embodiments the touch panel 142 and the display panel 141 may be integrated to realize the input and output functions of the ME.
  • the ME may also include at least one sensor 150, such as light sensors, motion sensors, and other sensors.
  • the light sensors may include ambient light sensors and proximity sensors.
  • ME can also configure other sensors such as gyroscope, barometer, hygrometer, thermometer, infrared sensor, etc., which will not be described here.
  • the I/O subsystem 170 is used to control the input and output of external devices, which may include other device input controllers 171 , sensor controllers 172 , and display controllers 173 .
  • one or more other input control device controllers 171 receive signals from and/or send signals to other input devices 130, which may include physical buttons (push buttons, rocker buttons, etc.), a dial pad, a slide switch, a joystick, or a click wheel. It should be noted that the other input control device controllers 171 may be connected to any one or more of the above-mentioned devices.
  • the display controller 173 in the I/O subsystem 170 receives signals from and/or sends signals to the display screen 140 .
  • the display controller 173 converts the detected user input into interaction with the user interface objects displayed on the display screen 140, that is, to realize human-computer interaction.
  • Sensor controller 172 may receive signals from and/or send signals to one or more sensors 150 .
  • the processor 180 is the control center of the ME, connects various parts of the entire ME using various interfaces and lines, and executes various functions of the ME and processes data by running or executing the software programs and/or modules stored in the memory 120 and calling the data stored in the memory 120.
  • the processor 180 may include one or more processing units; preferably, the processor 180 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, and application programs, and the modem processor mainly handles wireless communication. It can be understood that the above-mentioned modem processor may also not be integrated into the processor 180.
  • the ME also includes a power supply 190 (such as a battery) for supplying power to various components.
  • the power supply can be logically connected to the processor 180 through a power management system, so as to manage charging, discharging, and power consumption functions through the power management system.
  • the ME may also include a camera, a Bluetooth module, and the like, which will not be repeated here.
  • the (U)SIM card is a general term for a SIM card and a USIM card. That is, the (U)SIM card may represent a SIM card or a USIM card.
  • the (U)SIM card can be used as an identifier of a mobile user's network identity.
  • the (U)SIM card is used to store user data and complete user identity authentication.
  • One (U)SIM card corresponds to one mobile user. It should be noted that the (U)SIM card can store the terminal identity corresponding to the mobile user.
  • (U)SIM cards are implemented in the form of physical cards, including but not limited to: standard SIM cards, Mini-SIM cards, Micro SIM cards, and Nano SIM cards.
  • the (U)SIM card may be implemented in the form of a chip, such as an embedded subscriber identity module (embedded-SIM, eSIM) card.
  • Security protection refers to data encryption/decryption, and/or integrity protection/verification, etc., to avoid risks such as data leakage or data tampering.
  • Encryption/decryption protects the confidentiality of data in transit (hence it can also be referred to as confidentiality protection), which means that the real content cannot be directly seen. Encryption protection can generally be achieved by encrypting data using a key and an encryption algorithm. For the specific method of encryption protection, please refer to the standard description in section 8.2 of 3GPP TS 33.401 f50 or section 6.4.4 of 3GPP TS 33.501 f50, which will not be repeated here.
  • Integrity protection/checking is used to judge whether the content of a message has been changed during delivery, and it can also be used as authentication to confirm the source of the message. Integrity checking and protection require the use of a message authentication code (MAC).
  • the MAC can be used to check whether the content of the message has been altered during delivery; and the message authentication code can be used as authentication to confirm the source of the message.
  • the sending end inputs parameters such as the key (key), counter (count), length (length), bearer (bearer), message (message), and direction (direction) into the evolved packet system integrity algorithm (evolved packet system integrity algorithm, EIA) to obtain the MAC.
  • the receiving end inputs the integrity protection key, count, length, bearer, message, direction, and other parameters into the EIA, and can obtain the expected integrity message authentication code (expected message authentication code for integrity, XMAC-I) or the expected non-access stratum message authentication code (expected non-access stratum message authentication code, XNAS-MAC).
  • the receiving end can compare the received MAC-I with the XMAC-I generated by itself to verify whether the message is complete. If the MAC-I is the same as the XMAC-I, the receiving end determines that the received MAC-I has passed the verification, and can therefore determine that the message sent by the sending end is complete; if the MAC-I and XMAC-I are different, the receiving end determines that the received MAC-I has not passed the verification, and can therefore determine that the message sent by the sending end is incomplete.
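The sending-end / receiving-end MAC-I check described above, as an added Python model that is not part of the patent: HMAC-SHA256 stands in for the EIA algorithm (an assumption; the real 3GPP algorithms are not on this page), the packing order of count, bearer, direction and length is my own choice, and the replay check on the count is an added illustration of why the counter is an input.

```python
import hashlib
import hmac
import struct

# Direction values fed into the integrity algorithm (uplink = 0, downlink = 1).
UPLINK, DOWNLINK = 0, 1
MAC_LEN = 4  # a 32-bit MAC-I / XMAC-I


def eia_mac(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Stand-in for the EIA integrity algorithm. Takes the inputs the text lists
    (key, count, length, bearer, message, direction) and returns a 32-bit MAC.
    HMAC-SHA256 is an assumption here; it is not the 3GPP EIA/NIA algorithm."""
    if not 0 <= count < 2**32:
        raise ValueError("count must fit in 32 bits")
    if not 0 <= bearer < 32:
        raise ValueError("bearer must fit in 5 bits")
    if direction not in (UPLINK, DOWNLINK):
        raise ValueError("direction must be 0 (uplink) or 1 (downlink)")
    length_bits = len(message) * 8
    # Binding count, bearer, direction and length into the MAC means the same
    # message is not accepted on another bearer, in the other direction, or
    # with a different count.
    header = struct.pack(">IBBI", count, bearer, direction, length_bits)
    return hmac.new(key, header + message, hashlib.sha256).digest()[:MAC_LEN]


def sender_protect(key: bytes, count: int, bearer: int, direction: int, message: bytes):
    """Sending end: returns (message, MAC-I) for transmission."""
    return message, eia_mac(key, count, bearer, direction, message)


class Receiver:
    """Receiving end: recomputes XMAC-I and compares it with the received MAC-I.
    The last accepted count is tracked so a replay (same count) is rejected."""

    def __init__(self, key: bytes, bearer: int, direction: int):
        self.key = key
        self.bearer = bearer
        self.direction = direction
        self.last_count = -1

    def verify(self, count: int, message: bytes, received_mac_i: bytes) -> bool:
        if count <= self.last_count:
            return False  # replayed or out-of-order count
        xmac_i = eia_mac(self.key, count, self.bearer, self.direction, message)
        # Constant-time comparison so timing does not reveal how many bytes matched.
        if not hmac.compare_digest(xmac_i, received_mac_i):
            return False
        self.last_count = count
        return True


# Constructed sample key (not a real key).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def run_exchange() -> dict:
    """Runs the exchange once and returns the outcome of each receiver check."""
    rx = Receiver(SAMPLE_KEY, bearer=1, direction=UPLINK)
    msg, mac_i = sender_protect(SAMPLE_KEY, 7, 1, UPLINK, b"Registration Request")
    # Tampered message with the original MAC-I: XMAC-I differs, so it fails.
    ok_tampered = rx.verify(7, b"Registration Reqvest", mac_i)
    # The genuine message passes.
    ok_original = rx.verify(7, msg, mac_i)
    # Replaying the accepted message with its old count fails.
    ok_replay = rx.verify(7, msg, mac_i)
    # Same message, but the MAC-I was computed for the downlink direction.
    _, mac_dl = sender_protect(SAMPLE_KEY, 9, 1, DOWNLINK, msg)
    ok_direction = rx.verify(9, msg, mac_dl)
    return {"original": ok_original, "tampered": ok_tampered,
            "replay": ok_replay, "wrong_direction": ok_direction}


if __name__ == "__main__":
    print(run_exchange())
```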
  • the registration process is used to establish a connection between the terminal device and the network side, so that the terminal device can access the network.
  • the registration process can be divided into:
  • Initial registration process: the first registration process initiated by the terminal device for some reason (such as power-on).
  • Periodic registration process: a registration process initiated by the terminal device according to a preset time interval. It should be understood that the periodic registration process is similar to a heartbeat mechanism, so that the network side can know that the terminal is still in the service area.
  • the registration process can include the following steps:
  • the terminal device sends a registration request to the access network device.
  • the access network device executes the AMF selection process.
  • the access network device sends a registration request to the first AMF.
  • the first AMF determines the second AMF according to the registration request, and sends a context transmission request to the second AMF.
  • the first AMF is the AMF that currently provides services for the terminal device.
  • the second AMF is the AMF that previously served the terminal device.
  • the second AMF sends a response message of the context transmission request to the first AMF.
  • the first AMF sends an identity request (eg, Identity Request) to the terminal device.
  • the terminal device sends a response message (Identity Response) of the identity request to the first AMF.
  • the first AMF performs an authentication server function (authentication server function, AUSF) selection process.
  • the mobility management network element shall perform the following step S9.
  • the first AMF sends a registration completion notification to the second AMF.
  • the first AMF initiates an identity acquisition process to the UE.
  • the first AMF performs an equipment identity check with an equipment identity register (equipment identity register, EIR).
  • the first AMF executes the UDM selection process.
  • the first AMF and the UDM perform registration and subscription acquisition processes.
  • the first AMF executes the PCF selection process.
  • if the first AMF determines that the PCF information provided by the second AMF is available, and the PCF indicated by the PCF information is the PCF used by the second AMF, the first AMF sends a control policy acquisition request to the PCF.
  • the first AMF sends an event opening notification message to the SMF.
  • the first AMF sends an N2 request to a non-3GPP interworking function (non-3GPP interworking function, N3IWF).
  • the N3IWF returns a response message to the N2 request to the first AMF.
  • the first AMF sends a registration accept message (for example, Registration Accept) to the terminal device.
  • the registration accept message is used to indicate that the network side accepts the registration of the terminal device.
  • the terminal device sends a registration complete message (for example, Registration complete) to the first AMF.
  • the registration complete message is used to indicate the completion of the registration process.
  • steps S4-S19 and S21 are optional steps, which can be selected to be executed or not executed according to the actual situation.
  • the above are some introductions to the various steps in the registration process.
  • the registration process may also include other steps, and the embodiments of the present application are not limited thereto.
  • the authentication process is used for the network side to negotiate with the terminal for information (such as keys, counters, etc.) for security protection.
  • the authentication process can be divided into two types: one is the extensible authentication protocol (EAP)-AKA' process, and the other is the 5G-AKA process.
  • the EAP-AKA' process includes the following steps:
  • the UDM generates an authentication vector (authentication vector, AV).
  • when creating a 5G HE AV, the UDM sets the separation bit of the authentication management field to "1". The UDM also calculates CK' and IK' and replaces CK and IK with CK' and IK'. Thus, the UDM generates AV'.
  • AV' is the authentication data composed of RAND, AUTN, XRES, CK', IK', which is used to authenticate the terminal device in the EAP-AKA' process.
  • the UDM sends a Nudm_UEAuthentication_Get Response message to the AUSF.
  • the Nudm_UEAuthentication_Get Response message includes AV'.
  • the corresponding Nudm_Authentication_Get Response message also includes SUPI.
  • the AUSF sends a Nausf_UEAuthentication_Authenticate Response message to the SEAF.
  • the Nausf_UEAuthentication_Authenticate Response message includes EAP Request/AKA'-Challenge.
  • the SEAF sends an Authentication Request message to the terminal device.
  • the Authentication Request message includes EAP Request/AKA'-Challenge.
  • the Authentication Request message also includes ngKSI.
  • after receiving the Authentication Request message, the ME in the terminal device sends the ngKSI, RAND, and AUTN in the EAP Request/AKA'-Challenge to the USIM card.
  • the terminal device calculates an authentication response.
  • the USIM card in the terminal device verifies the freshness of the 5G AV after receiving the RAND and AUTN. After passing these verifications, the USIM calculates the RES. After that, the USIM card sends RES, CK and IK to ME.
  • the terminal device sends an Authentication Response message to the SEAF.
  • the Authentication Response message includes EAP-Response/AKA'-Challenge.
  • the SEAF sends a Nausf_UEAuthentication_Authenticate Request message to the AUSF.
  • the Nausf_UEAuthentication_Authenticate Request message includes EAP-Response/AKA'-Challenge.
  • the AUSF verifies the authentication response.
  • AUSF verifies the EAP-Response/AKA'-Challenge. If the authentication fails, the AUSF shall return an authentication failure message to the SEAF.
  • the AUSF shall notify the UDM of the authentication result.
  • the AUSF sends a Nausf_UEAuthentication_Authenticate Response message to the SEAF.
  • the Nausf_UEAuthentication_Authenticate Response message includes the EAP Success
  • AUSF deduces EMSK from CK' and IK', and uses the most significant 256 bits of EMSK as K AUSF . And, AUSF derives K SEAF from K AUSF .
  • the SEAF sends an N1 message to the terminal device.
  • the N1 message includes the EAP Success message and the ngKSI.
  • after the terminal device receives the EAP Success message, the terminal device derives the EMSK from CK' and IK', and uses the most significant 256 bits of the EMSK as K AUSF . And, the terminal device derives K SEAF from K AUSF .
  • the 5G-AKA process includes the following steps:
  • the UDM generates an authentication vector.
  • for each Nudm_Authenticate_Get Request message received by the UDM, the UDM/ARPF creates a 5G home environment (HE) AV.
  • when creating a 5G HE AV, the UDM sets the separation bit of the authentication management field to "1". The UDM then derives K AUSF according to TS 33.501 Appendix A.2, and the expected response (XRES*) according to TS 33.501 Appendix A.4. Thus, the UDM creates the 5G HE AV.
  • 5G HE AV is authentication data composed of RAND, AUTN, XRES*, and K AUSF , which is used to authenticate terminal equipment in the 5G-AKA process.
  • the UDM sends a Nudm_Authentication_Get Response message to the AUSF.
  • the Nudm_Authentication_Get Response message includes: 5G HE AV.
  • the corresponding Nudm_Authentication_Get Response message also includes SUPI.
  • the AUSF temporarily stores XRES* together with the received SUCI or SUPI.
  • the AUSF calculates a hash expected response (hash expected response, HXRES*).
  • AUSF calculates HXRES* from XRES* and K SEAF from K AUSF .
  • the AUSF sends a Nausf_UEAuthentication_Authenticate Response message to the SEAF.
  • the Nausf_UEAuthentication_Authenticate Response message includes 5G SE AV.
  • 5G SE AV includes RAND, AUTN, and HXRES*.
  • the SEAF sends an Authentication Request message to the terminal device.
  • the Authentication Request message includes RAND and AUTN.
  • the Authentication Request message further includes ngKSI. It should be noted that the terminal device and the AMF use the ngKSI to identify the KAMF and the partial native security context (partial native security context) created in the case of successful authentication.
  • the ME in the terminal device forwards the random value (RAND) and authentication credential (authentication token, AUTN) in the Authentication Request message to the USIM card.
  • the terminal device calculates an authentication response (response, RES*).
  • after receiving RAND and AUTN, the USIM card in the terminal device verifies AUTN to check the freshness of the 5G AV. If this verification passes, the USIM calculates the RES.
  • the USIM card will also return RES, CK, and IK to the ME.
  • ME derives RES* from RES.
  • ME also calculates K AUSF and K SEAF .
  • the terminal device sends an Authentication Response message to the SEAF.
  • the Authentication Response message includes RES*.
  • the SEAF calculates HRES* and compares whether HRES* and HXRES* are consistent.
  • HRES* is derived from RES*.
  • the SEAF sends a Nausf_UEAuthentication_Authenticate Request message to the AUSF.
  • the Nausf_UEAuthentication_Authenticate Request message includes RES*.
  • the AUSF verifies the received RES*.
  • the AUSF can verify whether the AV has expired. If the AV has expired, the AUSF considers the authentication unsuccessful from the perspective of the home network. If the AV has not expired, the AUSF compares the received RES* with the stored XRES*. If RES* and XRES* are equal, the AUSF considers the authentication successful from the perspective of the home network. The AUSF then notifies the UDM of the authentication result.
  • the AUSF stores K AUSF .
  • the AUSF sends a Nausf_UEAuthentication_Authenticate Response message to the SEAF.
  • the Nausf_UEAuthentication_Authenticate Response message is used to indicate the authentication result of this authentication by the home network. That is, the Nausf_UEAuthentication_Authenticate Response message is used to inform SEAF whether the authentication is successful from the perspective of the home network.
  • the Nausf_UEAuthentication_Authenticate Response message includes K SEAF and SUPI.
  • the SEAF calculates K AMF according to parameters such as K SEAF . After that, the SEAF provides the ngKSI and K AMF to the AMF.
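  • The following is an added worked example, written for this page and not code from the patent or from 3GPP: a runnable Python model of the 5G-AKA steps above, with the UDM/ARPF creating the 5G HE AV, the AUSF deriving HXRES* and K SEAF for the 5G SE AV, the USIM checking AUTN and the ME deriving RES*, the SEAF comparing HRES* with HXRES*, and the AUSF comparing RES* with XRES*. The FC values and parameter layouts (K AUSF : FC 0x6A; RES*: FC 0x6B; HXRES*/HRES*: SHA-256 over RAND||RES*; K SEAF : FC 0x6C) follow TS 33.501 Annex A and the generic KDF follows TS 33.220 Annex B as I recall them, so check them against the release you target; the f1-f5 functions are HMAC stand-ins for Milenage/TUAK, and the serving network name, long-term key and SQN values are constructed samples.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.220 Annex B.2: HMAC-SHA-256(Key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def lsb128(b: bytes) -> bytes:
    """RES*, XRES*, HRES* and HXRES* are the 128 least significant bits of a 256-bit output."""
    return b[16:]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


SN_NAME = b"5G:mnc001.mcc001.3gppnetwork.org"  # serving network name (constructed sample)
AMF_SEP_BIT = bytes([0x80, 0x00])               # authentication management field with separation bit = 1


class AkaFunctions:
    """f1-f5 of the USIM/ARPF keyed with the long-term key K. Assumption: HMAC stand-ins,
    not Milenage or TUAK; only the protocol shape matters here."""

    def __init__(self, k: bytes):
        self.k = k

    def _f(self, tag: bytes, data: bytes, n: int) -> bytes:
        return hmac.new(self.k, tag + data, hashlib.sha256).digest()[:n]

    def f1(self, rand: bytes, sqn: bytes, amf: bytes) -> bytes:   # MAC-A (8 bytes)
        return self._f(b"f1", rand + sqn + amf, 8)

    def f2345(self, rand: bytes):                                  # RES, CK, IK, AK
        return (self._f(b"f2", rand, 8), self._f(b"f3", rand, 16),
                self._f(b"f4", rand, 16), self._f(b"f5", rand, 6))


def udm_create_5g_he_av(arpf: AkaFunctions, sqn: int, sn_name: bytes) -> dict:
    """UDM/ARPF builds the 5G HE AV = (RAND, AUTN, XRES*, K_AUSF)."""
    rand = secrets.token_bytes(16)
    sqn_b = sqn.to_bytes(6, "big")
    res, ck, ik, ak = arpf.f2345(rand)
    sqn_xor_ak = xor(sqn_b, ak)
    autn = sqn_xor_ak + AMF_SEP_BIT + arpf.f1(rand, sqn_b, AMF_SEP_BIT)  # AUTN = SQN^AK || AMF || MAC-A
    k_ausf = kdf(ck + ik, 0x6A, sn_name, sqn_xor_ak)                     # Annex A.2
    xres_star = lsb128(kdf(ck + ik, 0x6B, sn_name, rand, res))           # Annex A.4
    return {"RAND": rand, "AUTN": autn, "XRES*": xres_star, "K_AUSF": k_ausf}


def ausf_create_5g_se_av(he_av: dict, sn_name: bytes):
    """AUSF keeps XRES* and K_AUSF, derives K_SEAF, and gives the SEAF the 5G SE AV = (RAND, AUTN, HXRES*)."""
    hxres_star = lsb128(hashlib.sha256(he_av["RAND"] + he_av["XRES*"]).digest())  # Annex A.5
    k_seaf = kdf(he_av["K_AUSF"], 0x6C, sn_name)                                   # Annex A.6
    return {"RAND": he_av["RAND"], "AUTN": he_av["AUTN"], "HXRES*": hxres_star}, k_seaf


def ue_authenticate(usim: AkaFunctions, sqn_ms: int, rand: bytes, autn: bytes, sn_name: bytes) -> dict:
    """USIM checks AUTN (MAC-A, then SQN freshness) and returns RES/CK/IK; the ME derives RES*, K_AUSF, K_SEAF."""
    res, ck, ik, ak = usim.f2345(rand)
    sqn_xor_ak, amf, mac_a = autn[:6], autn[6:8], autn[8:]
    sqn_b = xor(sqn_xor_ak, ak)
    if not hmac.compare_digest(mac_a, usim.f1(rand, sqn_b, amf)):
        raise ValueError("AUTN MAC failure")
    if int.from_bytes(sqn_b, "big") <= sqn_ms:
        raise ValueError("synchronisation failure: SQN is not fresh")
    k_ausf = kdf(ck + ik, 0x6A, sn_name, sqn_xor_ak)
    return {"RES*": lsb128(kdf(ck + ik, 0x6B, sn_name, rand, res)),
            "K_AUSF": k_ausf, "K_SEAF": kdf(k_ausf, 0x6C, sn_name)}


def seaf_check(rand: bytes, res_star: bytes, hxres_star: bytes) -> bool:
    """Serving network: HRES* = 128 LSB of SHA-256(RAND || RES*), compared with HXRES* from the SE AV."""
    return hmac.compare_digest(lsb128(hashlib.sha256(rand + res_star).digest()), hxres_star)


def ausf_check(res_star: bytes, xres_star: bytes) -> bool:
    """Home network: the AUSF compares the RES* forwarded by the SEAF with the stored XRES*."""
    return hmac.compare_digest(res_star, xres_star)


def run_5g_aka(k: bytes, sqn_he: int = 10, sqn_ms: int = 9) -> dict:
    """Whole exchange; both sides end with the same K_AUSF / K_SEAF only when both checks pass."""
    he_av = udm_create_5g_he_av(AkaFunctions(k), sqn_he, SN_NAME)
    se_av, k_seaf_net = ausf_create_5g_se_av(he_av, SN_NAME)
    ue = ue_authenticate(AkaFunctions(k), sqn_ms, se_av["RAND"], se_av["AUTN"], SN_NAME)
    return {"serving_ok": seaf_check(se_av["RAND"], ue["RES*"], se_av["HXRES*"]),
            "home_ok": ausf_check(ue["RES*"], he_av["XRES*"]),
            "k_ausf_match": ue["K_AUSF"] == he_av["K_AUSF"],
            "k_seaf_match": ue["K_SEAF"] == k_seaf_net}
```

  • Note that the SEAF never sees XRES* or K AUSF : it can only check the hash HXRES*, while the home network keeps the final say by comparing RES* with XRES* itself. The SQN check on the USIM is what makes a captured (RAND, AUTN) pair useless for replay.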
  • the ngKSI is used to identify the 5G non-access stratum (NAS) security context and indicate the type of the 5G NAS security context.
  • ngKSI consists of an identity value and a security context type parameter. Among them, the identification value is used to uniquely correspond to a 5G NAS security context.
  • the security context type parameter is used to indicate whether the 5G NAS security context is a native 5G NAS security context or a mapped 5G NAS security context.
  • for a native 5G NAS security context, the value of the security context type parameter is KSI AMF .
  • for a mapped 5G NAS security context, the value of the security context type parameter is KSI ASME .
  • the ngKSI is generated by the AMF in the authentication process and sent to the terminal device.
  • the ngKSI is deduced separately by the end device and the AMF during inter-system handover.
  • the native 5G NAS security context is generated through the authentication process between the terminal device accessing the 5G network and the 5G core network element.
  • the mapped 5G NAS security context is obtained by mapping the evolved packet system (EPS) security context generated in the authentication process of the terminal device in the 4G network.
  • the 5G NAS security context refers to information that can be used to implement security protection (eg, encryption/decryption, and/or integrity protection/verification) of data transmitted between the terminal and the core network.
  • the security context may include one or more of the following: a root key, an encryption key, an integrity protection key, specific parameters (such as the NAS Count), a security algorithm, and security indications (for example, whether to enable encryption, whether to enable integrity protection, an indication of the key usage period, or the key length).
  • the encryption key is a parameter input when the sender encrypts the plaintext according to the encryption algorithm to generate the ciphertext. If symmetric encryption is used, the encryption key and decryption key are the same.
  • the receiver can decrypt the ciphertext according to the same encryption algorithm and encryption key. In other words, the sender and receiver can encrypt and decrypt based on the same key.
  • the integrity protection key is a parameter input by the sender when the plaintext or ciphertext is integrity protected according to the integrity protection algorithm.
  • the receiving end can perform integrity verification on the integrity-protected data according to the same integrity-protection algorithm and integrity-protection key.
  • the specific parameter (such as NAS Count) is the parameter input by the sender when the plaintext or ciphertext is protected against replay according to the anti-replay protection algorithm.
  • the receiving end can perform anti-replay verification on the anti-replay-protected data according to the same anti-replay protection algorithm.
  • the security algorithm is the algorithm used for data security protection. For example, encryption algorithm, decryption algorithm, integrity protection algorithm, etc.
  • steering of roaming (SoR) enables the home public land mobile network (HPLMN) to steer a terminal device in automatic network selection mode to search for a specific visited public land mobile network (VPLMN).
  • the SOR process can include the following steps:
  • the HPLMN UDM determines to notify the terminal device that the steering information list (steering information list) is updated.
  • the HPLMN UDM sends a Nausf_SoRProtection message to the HPLMN AUSF.
  • the Nausf_SoRProtection message includes the SUPI, the steering information list, and the SOR header.
  • if the HPLMN decides that the terminal device should confirm that the received steering information list has passed the security check, the UDM sets the SOR header accordingly, and the Nausf_SoRProtection message also includes an ACK Indication.
  • the HPLMN AUSF sends a Nausf_SoRProtection Response message to the HPLMN UDM.
  • the Nausf_SoRProtection Response message includes: SoR-MAC-I AUSF and SOR counter.
  • the Nausf_SoRProtection Response message also includes SoR-XMAC-I UE .
  • the SoR-MAC-I AUSF is calculated according to the steering information list, the SOR header, the SOR counter, and K AUSF .
  • the SoR-XMAC-I UE is calculated according to the SOR success confirmation message, the SOR counter and the K AUSF .
  • the HPLMN UDM sends a Nudm_SDM_Notification message to the VPLMN AMF.
  • the Nudm_SDM_Notification message includes: the steering information list, the SOR header, SoR-MAC-I AUSF and the SOR counter.
  • the VPLMN AMF sends a DL NAS Transport message to the terminal device.
  • the DL NAS Transport message includes: the steering information list, the SOR header, SoR-MAC-I AUSF and the SOR counter.
  • the terminal device verifies the SoR-MAC-I AUSF .
  • the terminal device calculates SoR-MAC-I AUSF in the same way as the AUSF according to the received steering information list, SOR header and SOR counter, and checks whether the calculated SoR-MAC-I AUSF is the same as the received SoR-MAC-I AUSF . If they are the same, the received SoR-MAC-I AUSF passes the verification.
  • when the UDM has requested the terminal device to confirm that the security check of the received steering information list is successful, the terminal device should also perform the following step S407 after successfully verifying the SoR-MAC-I AUSF .
  • the terminal device sends a UL NAS Transport message to the VPLMN AMF.
  • the UL NAS Transport message includes a transparent container, and the transparent container includes SOR-MAC-I UE .
  • the VPLMN AMF sends a Nudm_SDM_Info request message to the HPLMN UDM.
  • the Nudm_SDM_Info request message includes a transparent container, and the transparent container includes SOR-MAC-I UE .
  • the HPLMN UDM compares whether the received SOR-MAC-I UE is consistent with the stored SOR-XMAC-I UE .
  • SOR counter can also be recorded as Counter SOR .
  • the AUSF and the terminal device associate the SOR counter with K AUSF .
  • the SOR counter is generally a 16-bit counter. The SOR counter is used to avoid replay attacks.
  • when the terminal device derives K AUSF , the terminal device sets the SOR counter to 0.
  • when the AUSF derives K AUSF , the AUSF sets the SOR counter to 1.
  • the UPU process can enable the network side to update the relevant parameters of the terminal device.
  • the UPU process can include the following steps:
  • the UDM decides to execute the UPU.
  • the UDM sends a Nausf_UPUProtection message to the AUSF.
  • the Nausf_UPUProtection message includes the SUPI and the UPU data.
  • the Nausf_UPUProtection message may further include an acknowledgment indication (ACK indication) to indicate that the UDM requests the terminal device to confirm that the received UPU data has been successfully checked for security.
  • the AUSF sends a Nausf_UPUProtection response message to the UDM.
  • the Nausf_UPUProtection response message includes: the UPU counter and UPU-MAC-I AUSF .
  • UPU-MAC-I AUSF is a MAC generated after integrity protection of UPU data.
  • UPU counter is a counter used in the process of integrity protection of UPU data.
  • the Nausf_UPUProtection response message also includes UPU-XMAC-I UE .
  • UPU-MAC-I AUSF is calculated according to the UPU data, the UPU counter and the K AUSF .
  • UPU-XMAC-I UE is calculated according to ACK indication, UPU counter and K AUSF .
  • the UDM sends a Nudm_SDM_Notification message to the AMF.
  • the Nudm_SDM_Notification message includes: UPU data, UPU counter and UPU-MAC-I AUSF .
  • the AMF sends a DL NAS Transport message to the terminal device.
  • the DL NAS Transport message includes UPU data, UPU counter and UPU-MAC-I AUSF .
  • the terminal device verifies the UPU-MAC-I AUSF .
  • the terminal device calculates UPU-MAC-I AUSF in the same way as the AUSF according to the received UPU data and UPU counter, and checks whether the calculated UPU-MAC-I AUSF is the same as the received UPU-MAC-I AUSF .
  • if they are the same, the verification is successful and the terminal device applies the UPU data.
  • the ME in the terminal device sends the parameters protected by the secure packet to the USIM card in the terminal device.
  • the ME in the terminal device updates the parameters stored in the terminal device according to the parameters in the UPU data.
  • when the UDM has requested the terminal device to confirm that the security check of the received UPU data is successful, the terminal device should perform the following step S507 after successfully verifying the UPU-MAC-I AUSF and updating the parameters according to the UPU data.
  • the terminal device sends a UL NAS Transport message to the AMF.
  • the UL NAS Transport message includes a transparent container, and the transparent container includes UPU-MAC-I UE .
  • the UPU-MAC-I UE is calculated according to the UPU acknowledgement (Acknowledgement), the UPU counter and the K AUSF .
  • the AMF sends a Nudm_SDM_Info request message to the UDM.
  • the Nudm_SDM_Info request message includes a transparent container, and the transparent container includes UPU-MAC-I UE .
  • the UDM compares whether the received UPU-MAC-I UE is consistent with the stored UPU-XMAC-I UE .
  • UPU counter can also be recorded as Counter UPU .
  • the AUSF and the terminal device associate the UPU counter with K AUSF .
  • the UPU counter is generally a 16-bit counter.
  • the UPU counter is used to avoid replay attacks.
  • when the terminal device derives K AUSF , the terminal device sets the UPU counter to 0.
  • when the AUSF derives K AUSF , the AUSF sets the UPU counter to 1.
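  • The following is an added worked example covering both the SOR process and the UPU process above; it is written for this page and is not code from the patent or from 3GPP. It shows the AUSF computing SoR-MAC-I AUSF / UPU-MAC-I AUSF and the expected UE acknowledgement MAC over (data, counter) with K AUSF , the counters initialised to 1 on the AUSF and 0 on the terminal device, the terminal device rejecting a replayed counter before it even checks the MAC, and the UDM comparing the returned UE MAC with its stored XMAC. The FC values (0x77, 0x78, 0x7B, 0x7C), the placement of the SOR header in P0 and the 0x01 acknowledgement byte are assumptions based on TS 33.501 Annex A.17-A.20; the K AUSF value, the steering list bytes and the UPU data are constructed samples.

```python
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.220 Annex B.2: HMAC-SHA-256(Key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# Assumed from TS 33.501 Annex A.17-A.20: (network-side MAC FC, UE acknowledgement MAC FC).
FC = {"SOR": (0x77, 0x78), "UPU": (0x7B, 0x7C)}
ACK = b"\x01"          # acknowledgement value carried as P0 of the UE-side MAC (assumption)
COUNTER_MAX = 0xFFFF   # CounterSoR / CounterUPU are 16-bit


def mac_i(k_ausf: bytes, fc: int, payload: bytes, counter: int) -> bytes:
    """*-MAC-I: the 128 least significant bits of KDF(K_AUSF, FC, P0 = payload, P1 = counter)."""
    return kdf(k_ausf, fc, payload, counter.to_bytes(2, "big"))[16:]


class Ausf:
    """Home-network side: holds K_AUSF and per-procedure counters initialised to 1 on key derivation."""

    def __init__(self, k_ausf: bytes):
        self.k_ausf = k_ausf
        self.counter = {"SOR": 1, "UPU": 1}

    def protect(self, proc: str, payload: bytes, ack_requested: bool):
        """Nausf_SoRProtection / Nausf_UPUProtection: returns the protected message for the
        terminal device and the expected UE acknowledgement MAC (XMAC) that the UDM stores."""
        ctr = self.counter[proc]
        if ctr >= COUNTER_MAX:
            raise OverflowError(f"{proc} counter exhausted; a fresh K_AUSF (re-authentication) is needed")
        fc_net, fc_ue = FC[proc]
        msg = {"payload": payload, "counter": ctr, "mac": mac_i(self.k_ausf, fc_net, payload, ctr)}
        xmac_ue = mac_i(self.k_ausf, fc_ue, ACK, ctr) if ack_requested else None
        self.counter[proc] = ctr + 1   # monotonically increased after every MAC computed
        return msg, xmac_ue


class Ue:
    """Terminal side: same K_AUSF, counters initialised to 0 on key derivation."""

    def __init__(self, k_ausf: bytes):
        self.k_ausf = k_ausf
        self.counter = {"SOR": 0, "UPU": 0}

    def receive(self, proc: str, msg: dict, ack_requested: bool):
        """DL NAS Transport handling: replay check on the counter first, then the MAC.
        Returns None when the message is discarded, else the UE MAC (b"" if no ack was requested)."""
        fc_net, fc_ue = FC[proc]
        if msg["counter"] <= self.counter[proc]:       # replayed or stale counter: discard
            return None
        expected = mac_i(self.k_ausf, fc_net, msg["payload"], msg["counter"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return None
        self.counter[proc] = msg["counter"]            # advance only after the MAC verified
        return mac_i(self.k_ausf, fc_ue, ACK, msg["counter"]) if ack_requested else b""


def udm_check_ack(xmac_ue: bytes, mac_ue: bytes) -> bool:
    """Nudm_SDM_Info: the UDM compares the UE's MAC with the XMAC stored from the AUSF response."""
    return hmac.compare_digest(xmac_ue, mac_ue)


def run_scenario(k_ausf: bytes) -> dict:
    """One SoR delivery with acknowledgement, its replay, a tampered copy, then one UPU delivery."""
    ausf, ue = Ausf(k_ausf), Ue(k_ausf)
    sor_payload = b"\x01" + b"\x00\xf1\x10\x00\x00\x80"     # constructed: SOR header byte + one list entry
    msg, xmac = ausf.protect("SOR", sor_payload, ack_requested=True)
    mac_ue = ue.receive("SOR", msg, ack_requested=True)
    replay = ue.receive("SOR", msg, ack_requested=True)
    msg2, _ = ausf.protect("SOR", sor_payload, ack_requested=False)
    tampered = dict(msg2, payload=b"\x01" + b"\x02\xf2\x20\x00\x00\x80")  # attacker swaps the list
    upu_msg, _ = ausf.protect("UPU", b"routing-indicator=0042", ack_requested=False)  # constructed UPU data
    return {
        "sor_ack_ok": mac_ue is not None and udm_check_ack(xmac, mac_ue),
        "replay_discarded": replay is None,
        "tamper_discarded": ue.receive("SOR", tampered, False) is None,
        "upu_ok": ue.receive("UPU", upu_msg, False) == b"",
        "ue_counters": dict(ue.counter),
        "ausf_counters": dict(ausf.counter),
    }
```

  • The terminal device advances its stored counter only after the MAC verifies, so a message with a fresh counter but a bad MAC is dropped without consuming that counter value and the legitimate message can still be accepted later. The AUSF side refuses to issue a MAC once its counter reaches the 16-bit maximum, which is the condition the later embodiments avoid by triggering re-authentication before rollover.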
  • the terminal device and the AUSF can store and maintain the same key K AUSF .
  • the terminal device may not store a valid K AUSF .
  • the reason why the terminal device does not store the valid K AUSF is illustrated by taking FIG. 11 as an example.
  • the 5G NAS security context can be stored in the EF 5GS3GPPNSC card file.
  • 5G authentication key information can be stored in the EF 5GAUTHKEYS card file.
  • the 5G authentication key information includes K AUSF and the like.
  • ME1 stores 5G authentication key information
  • the USIM card 1 is removed from ME1 and inserted into ME2.
  • the ME2 into which the USIM card 1 is inserted does not store the 5G authentication key information.
  • the ME2 into which the USIM card 1 is inserted therefore cannot perform security verification on information sent by some network elements (eg UDM) on the network side, so it can only discard that information.
  • the HPLMN UDM determines to notify the ME2 into which the USIM card 1 is inserted that the steering information list is updated.
  • the HPLMN UDM sends a Nausf_SoRProtection message to the HPLMN AUSF.
  • the Nausf_SoRProtection message includes the SUPI, the steering information list, and the SOR header.
  • the HPLMN AUSF sends a Nausf_SoRProtection Response message to the HPLMN UDM.
  • the Nausf_SoRProtection Response message includes: SoR-MAC-I AUSF and SOR counter.
  • the HPLMN UDM sends a Nudm_SDM_Notification message to the VPLMN AMF.
  • the Nudm_SDM_Notification message includes: the steering information list, the SOR header, SoR-MAC-I AUSF and the SOR counter.
  • the VPLMN AMF sends a DL NAS Transport message to the ME2 inserted into the USIM card 1.
  • the DL NAS Transport message includes: the steering information list, the SOR header, SoR-MAC-I AUSF and the SOR counter.
  • after receiving the DL NAS Transport message, the ME2 into which the USIM card 1 is inserted cannot perform security verification on the SoR-MAC-I AUSF , because it does not store the 5G authentication key information.
  • the terminal device may also fail to store a valid K AUSF due to other factors, such as a storage failure of the terminal device or abnormal operation of the software of the terminal device, which are not limited here.
  • in the case where the terminal device does not store a valid K AUSF but does store an ngKSI, the terminal device sends an initial registration request message carrying the ngKSI in the initial registration process after it is powered on, so that the network side activates the corresponding 5G NAS security context.
  • the network side does not know that the terminal device does not store a valid K AUSF , so the network side uses K AUSF to perform security protection on the information sent to the terminal device according to the security protection steps of the normal process (such as the SOR process and the UPU process).
  • since the terminal device does not store a valid K AUSF , it cannot perform security verification on the security-protected information and can only discard it. In this way, the related network elements (eg UDM) on the network side are prevented from communicating securely with the terminal device as intended.
  • the communication method includes the following steps:
  • the terminal device is configured with a (U)SIM card, and the (U)SIM card stores a key set identifier.
  • the key set identifier may be ngKSI, or a key set identifier used to identify the security context in the future network.
  • the intermediate key may include K AUSF , K SEAF for 3gpp access, and K SEAF for non-3gpp access.
  • the scenario where the terminal device needs to initiate the initial registration process may be: when the terminal device is just powered on.
  • the terminal device is powered on in response to a user operation and is ready to initiate an initial registration process with the inserted (U)SIM card.
  • step S701 may include the following sub-steps: S7011-S7013.
  • S7011: the terminal device determines whether the terminal identity in its non-volatile memory is consistent with the terminal identity in the (U)SIM card.
  • when a (U)SIM card is removed from the terminal device, the non-volatile memory of the terminal device keeps the terminal identity stored in that (U)SIM card. Afterwards, if a (U)SIM card is inserted into the terminal device again, the terminal device compares whether the terminal identity in the newly inserted (U)SIM card is consistent with the terminal identity in the non-volatile memory.
  • if the two are consistent, the terminal device should perform the following step S7012.
  • if the two are not consistent, the card files (such as the EF 5GAUTHKEYS card file) stored in the non-volatile memory of the terminal device are invalid for the newly inserted (U)SIM card, so the terminal device does not need to search the non-volatile memory for a valid intermediate key and should perform the following step S7013.
  • S7012: the terminal device determines whether there is a valid intermediate key in the non-volatile memory or the (U)SIM card.
  • S7013: the terminal device determines whether there is a valid intermediate key in the (U)SIM card.
  • the terminal identity identifier is used to uniquely identify the terminal device in the network.
  • the terminal identity can be: international mobile subscriber identification number (international mobile subscriber identification number, IMSI).
  • the terminal identity can be: subscription permanent identifier (SUPI), subscription concealed identifier (SUCI), or 5G globally unique temporary identity (5G-GUTI) .
  • SUPI is used to characterize the real identity of terminal equipment, and its function is similar to IMSI in LTE.
  • SUCI is generated by SUPI encrypted with the public key.
  • the SUCI is transmitted between the network device and the terminal device, which avoids the problem of a SUPI transmitted in plaintext being stolen by an attacker. It can be understood that the SUCI can be decrypted using the private key paired with the public key to obtain the SUPI.
  • the terminal device deletes the key set identifier.
  • that the terminal device deletes the key set identifier may be specifically implemented as follows: the terminal device sets the value of the ngKSI to a first value, where the first value is used to indicate "no key is available".
  • S703 The terminal device sends an initial registration request message to the mobility management network element.
  • the terminal device can send the initial registration request message to the mobility management network element using a first access technology.
  • the first access technology may be a 3GPP access technology or a non-3GPP access technology.
  • the initial registration request message does not carry the key set identifier, so the mobility management network element will trigger the authentication process with the terminal device.
  • that the initial registration request message does not carry the key set identifier may be specifically implemented as follows: the initial registration request message includes first indication information, where the first indication information is used to indicate that there is no available key.
  • the first indication information may be specifically implemented as: the key set identifier information element in the initial registration request message is set to "no key is available".
  • the terminal device obtains the authentication key information in the authentication process.
  • the authentication key information includes a valid intermediate key.
  • the authentication key information further includes: the value of the SOR counter and/or the value of the UPU counter.
  • the terminal device when the terminal device needs to initiate an initial registration process, the terminal device first checks whether there is a valid intermediate key. In the case where there is no valid intermediate key, the terminal device deletes the key set identifier in the (U)SIM card, so that the initial registration request message sent by the terminal device does not carry the key set identifier. Since the initial registration request message does not carry the key set identifier, the mobility management network element will initiate an authentication process with the terminal device. In the authentication process, the terminal device and the network side can obtain the same intermediate key synchronously.
  • the network side can use the intermediate key to protect the information sent to the terminal device; correspondingly, the terminal device can use the same intermediate key to perform the security check on the protected information. Therefore, the embodiments of the present application can ensure secure communication between the terminal device and the network side.
  • after the authentication process, the terminal device stores the SOR counter and the UPU counter set to 0. Afterwards, in the relevant process (such as the UPU process or the SOR process), the terminal device updates the SOR counter or UPU counter stored by itself according to the SOR counter or UPU counter sent by the network side, so the value of the SOR counter or UPU counter stored by the terminal device keeps increasing. If the SOR counter (or UPU counter) stored by the terminal device were allowed to roll over, a network attacker could replay information previously sent to the terminal device by the network side, affecting the normal communication between the network side and the terminal device. The prior art does not provide a corresponding solution for this.
  • the communication method includes the following steps:
  • the terminal device determines whether the value of the first counter in the authentication key information is greater than or equal to a preset value.
  • the first counter in the authentication key information may be an SOR counter and/or a UPU counter.
  • Counter rollover refers to the process in which the counter starts counting from 0 again after exceeding the maximum counting range.
  • the count range of the counter is 0-65535.
  • the value of the counter is 65535, if the value of the counter is increased by 1, it will cause the counter to roll over, making the counter 0.
  • the preset value may be pre-configured when the terminal device leaves the factory, or configured by the terminal device according to its own usage, or indicated by the network device to the terminal device.
  • the preset value may be 65500.
  • the trigger condition for the terminal device to perform step S801 may be any one of the following conditions:
  • Condition 1 The terminal device has just updated the value of the first counter in the authentication key information.
  • the terminal device is ready to initiate a registration process.
  • Condition 1 to Condition 3 are only illustrative and do not constitute a specific limitation.
  • the terminal device deletes the key set identifier stored by itself.
  • the key set identifier may be ngKSI, or a key set identifier used to identify the security context in the future network.
  • the terminal device may store the key set identifier in the (U)SIM card configured by the terminal device.
  • the specific implementation of deleting the key set identifier by the terminal device is as follows: the terminal device sets the key set identifier to a first value, and the first value is used to indicate "no key is available".
  • the terminal device sends a registration request message to the mobility management network element.
  • the terminal device can send the registration request message to the mobility management network element using a first access technology.
  • the first access technology may be a 3GPP access technology or a non-3GPP access technology.
  • the registration request message does not carry the key set identifier. Therefore, when the mobility management network element receives a registration request message that does not carry the key set identifier, it will trigger the authentication process with the terminal device.
  • that the registration request message does not carry the key set identifier may be specifically implemented as follows: the registration request message includes first indication information, where the first indication information is used to indicate that there is no available key.
  • the first indication information may be specifically implemented as: the ngKSI information element in the registration request message is set to "no key is available".
  • the above registration request message may be an initial registration request message or a registration request message in other registration processes.
  • the terminal device obtains the updated authentication key information in the authentication process.
  • the updated authentication key information includes the updated intermediate key and a first counter whose value is 0.
  • Intermediate keys include K AUSF , K SEAF for 3gpp access, and K SEAF for non-3gpp access.
  • the first counter in the authentication key information is associated with the updated intermediate key.
  • the terminal device deletes the key set identifier so that the registration request message sent by the terminal device does not carry the key set identifier. Since the registration request message does not carry the key set identifier, the mobility management network element will initiate an authentication process with the terminal device. In the authentication process, the terminal device and the network side can obtain updated authentication key information synchronously, and the updated authentication key information includes the updated intermediate key and a counter with a value of 0.
  • the embodiments of the present application can ensure normal communication between the terminal device and the network side.
  • step S801 is condition 1.
  • the communication method further includes steps S901-S904 before step S801.
  • step S801 may be specifically implemented as step S905.
  • a terminal device receives first information.
  • the first information includes data, the value of the second counter, and the MAC.
  • the data in the first information may be the steering information list and the SOR header
  • the second counter in the first information may be the SOR counter
  • the MAC in the first information may be SoR-MAC- I AUSF .
  • the data in the first information may be UPU data
  • the second counter in the first information may be a UPU counter
  • the MAC in the first information may be UPU-MAC-I AUSF .
  • the first information may also be a message in other processes, which is not limited in this embodiment of the present application.
  • the terminal device compares whether the value of the second counter in the first information is greater than the value of the first counter in the authentication key information.
  • if the value of the second counter in the first information is not greater than the value of the first counter in the authentication key information, the terminal device may discard the first information. Otherwise, the terminal device executes the following step S903.
  • the terminal device verifies the MAC in the first information according to the data in the first information and the value of the second counter.
  • the terminal device generates the expected MAC according to the data in the first information, the value of the second counter, and the intermediate key included in the authentication key information.
  • the terminal device compares whether the expected MAC is consistent with the MAC in the first information. If they are consistent, the MAC in the first information passes the verification; otherwise, the MAC in the first information fails the verification.
  • the terminal device generates SoR-MAC-I AUSF according to the data in the first information, the value of the second counter, and the intermediate key included in the authentication key information. Afterwards, the terminal device compares whether the SoR-MAC-I AUSF generated by itself is consistent with the SoR-MAC-I AUSF in the first information. If they are consistent, it means that the SoR-MAC-I AUSF in the first information has passed the verification. On the contrary, it means that the SoR-MAC-I AUSF fails the verification.
  • the terminal device generates UPU-MAC-I AUSF according to the data in the first information, the value of the second counter, and the intermediate key included in the authentication key information. Afterwards, the terminal device compares whether the UPU-MAC-I AUSF generated by itself is consistent with the UPU-MAC-I AUSF in the first information. If they are consistent, it means that the UPU-MAC-I AUSF in the first information has passed the verification. On the contrary, it means that the UPU-MAC-I AUSF fails the verification.
  • the terminal device updates the value of the first counter in the authentication key information with the value of the second counter in the first information.
  • the terminal device updates the value of the SOR counter in the authentication key information with the value of the SOR counter in the first information.
  • for example, if the value of the SOR counter in the first information is 20, the terminal device updates the value of the SOR counter in the authentication key information to 20.
  • the terminal device updates the value of the UPU counter in the authentication key information with the value of the UPU counter in the first information.
  • the terminal device determines whether the updated value of the first counter in the authentication key information is greater than or equal to a preset value.
  • the terminal device checks in time whether the updated value of the first counter is greater than or equal to the preset value.
  • the terminal device can trigger the network side to initiate an authentication process by sending a registration request message that does not carry the key set identifier, and thereby obtain updated authentication key information. It can be seen that the embodiment shown in FIG. 14 can reduce the occurrence of the situation where the counter is close to rolling over but this is not detected, thereby reducing the situation in which the network side cannot use the corresponding process (such as the SOR process or the UPU process) because the counter is close to rolling over.
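  • The following is an added worked example, written for this page and not code from the patent, that puts the terminal-side logic of FIG. 12 (steps S701-S704: identity check between the non-volatile memory and the (U)SIM card, search for a valid intermediate key, deletion of the key set identifier) and of FIG. 13 and FIG. 14 (steps S801-S804 and S901-S905: counter check, MAC check, counter update, preset-value check) into one Python class. The MAC is a plain HMAC stand-in for SoR-MAC-I AUSF / UPU-MAC-I AUSF (an assumption; the real MACs are KDF-based, but the checks around them are the same), the ngKSI value 7 (binary 111) is the "no key is available" value of the NAS key set identifier in TS 24.501, and the identities, keys, counters and payloads are constructed samples.

```python
import hashlib
import hmac
from typing import Optional

NO_KEY_AVAILABLE = 0b111   # ngKSI "KSI value" 111 = "no key is available" (TS 24.501 NAS key set identifier IE)
COUNTER_MAX = 0xFFFF       # CounterSoR / CounterUPU are 16-bit
PRESET = 65500             # preset value from the text; may be factory-set, self-configured or network-indicated


def stand_in_mac(k_ausf: bytes, proc: str, data: bytes, counter: int) -> bytes:
    """Stand-in for SoR-MAC-I_AUSF / UPU-MAC-I_AUSF: keyed MAC over (procedure, counter, data). Assumption."""
    return hmac.new(k_ausf, proc.encode() + counter.to_bytes(2, "big") + data, hashlib.sha256).digest()[:16]


def network_protect(k_ausf: bytes, proc: str, data: bytes, counter: int) -> dict:
    """What the UDM/AUSF hand to the AMF for the DL NAS Transport message (the 'first information')."""
    return {"proc": proc, "data": data, "counter": counter, "mac": stand_in_mac(k_ausf, proc, data, counter)}


def new_auth_key_info(k_ausf: bytes) -> dict:
    """Authentication key information written after a successful authentication: counters start at 0."""
    return {"k_ausf": k_ausf, "SOR": 0, "UPU": 0}


class TerminalDevice:
    """ME plus (U)SIM. `sim` models the card (identity, ngKSI, optional key record); `nvm` models the ME's
    non-volatile copy of the card files, tagged with the identity of the card it was written from."""

    def __init__(self, sim: dict, nvm: Optional[dict] = None, preset: int = PRESET):
        self.sim = sim
        self.nvm = nvm if nvm is not None else {"identity": None, "aki": None}
        self.preset = preset

    def valid_auth_key_info(self) -> Optional[dict]:
        """S7011-S7013: the NVM record is consulted only when it belongs to the inserted card."""
        candidates = [self.sim.get("aki")]
        if self.nvm.get("identity") == self.sim.get("identity"):
            candidates.append(self.nvm.get("aki"))
        return next((a for a in candidates if a and a.get("k_ausf")), None)

    def registration_request(self) -> dict:
        """S701-S703 / S801-S803: carry the ngKSI only if a valid intermediate key exists and no counter has
        reached the preset value; otherwise delete the key set identifier so the AMF triggers authentication."""
        aki = self.valid_auth_key_info()
        if aki is None or max(aki["SOR"], aki["UPU"]) >= self.preset:
            self.sim["ngksi"] = NO_KEY_AVAILABLE
        return {"ngKSI": self.sim["ngksi"]}

    def on_authentication_success(self, k_ausf: bytes, ngksi: int) -> None:
        """S704 / S804: fresh intermediate key, counters reset to 0, ngKSI assigned in the authentication."""
        self.sim["ngksi"] = ngksi
        self.nvm = {"identity": self.sim["identity"], "aki": new_auth_key_info(k_ausf)}

    def on_protected_dl(self, msg: dict) -> str:
        """S901-S905: counter strictly greater than the stored one, then MAC, then update, then preset check."""
        aki = self.valid_auth_key_info()
        if aki is None:
            return "discard: no valid K_AUSF"
        if msg["counter"] <= aki[msg["proc"]]:
            return "discard: counter not greater than stored value"
        expected = stand_in_mac(aki["k_ausf"], msg["proc"], msg["data"], msg["counter"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "discard: MAC verification failed"
        aki[msg["proc"]] = msg["counter"]
        if aki[msg["proc"]] >= self.preset:
            self.sim["ngksi"] = NO_KEY_AVAILABLE   # next registration request omits the ngKSI (S802)
            return "accepted, key set identifier deleted"
        return "accepted"


def scenario() -> dict:
    """Card moved between MEs, replay, forgery and a counter reaching the preset value."""
    k1, k2 = b"\xaa" * 32, b"\xbb" * 32                           # constructed K_AUSF values
    card1 = {"identity": "imsi-001010123456789", "ngksi": None, "aki": None}
    me1 = TerminalDevice(dict(card1))
    me1.on_authentication_success(k1, ngksi=3)                    # ME1's NVM now holds card 1's key record
    me1_reg = me1.registration_request()                          # same card, valid key: ngKSI is carried
    other = TerminalDevice({"identity": "imsi-001010999999999", "ngksi": 3, "aki": None}, nvm=me1.nvm)
    other_reg = other.registration_request()                      # different card in ME1: NVM record not trusted
    me2 = TerminalDevice(dict(card1, ngksi=3))                    # card 1 moved into ME2 with an empty NVM
    me2_reg = me2.registration_request()                          # no valid K_AUSF: ngKSI deleted
    me2.on_authentication_success(k2, ngksi=5)
    first = me2.on_protected_dl(network_protect(k2, "SOR", b"list-v1", 1))
    replay = me2.on_protected_dl(network_protect(k2, "SOR", b"list-v1", 1))
    forged = me2.on_protected_dl(network_protect(b"\xcc" * 32, "SOR", b"list-v2", 2))
    near = me2.on_protected_dl(network_protect(k2, "UPU", b"upu-v1", PRESET))
    return {"me1_reg_ngksi": me1_reg["ngKSI"], "other_card_ngksi": other_reg["ngKSI"],
            "me2_reg_ngksi": me2_reg["ngKSI"], "first": first, "replay": replay, "forged": forged,
            "near_rollover": near, "me2_next_reg_ngksi": me2.registration_request()["ngKSI"]}
```

  • scenario() walks through the cases the text describes: ME1 keeps its ngKSI while the same card is present; a different card inserted into ME1 is not matched against ME1's stored record; card 1 moved into ME2 yields a registration request with the ngKSI set to "no key is available", which makes the AMF authenticate and reset the counters to 0; and once the UPU counter reaches the preset value the next registration request again omits the ngKSI, so the key is refreshed before the 16-bit counter can roll over.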
  • the data delivered by the UDM to the terminal device needs to be protected by the intermediate key generated during the authentication process of the terminal device.
  • in some cases, the data delivered by the UDM to the terminal device cannot be properly protected. The following describes some application scenarios.
  • the terminal device and the AUSF involved in the authentication process store the same K AUSF , so that the UDM can request the AUSF involved in the authentication process of the terminal device to use K AUSF to apply appropriate security protection to the data sent to the terminal device.
  • the UDM may not store the identifier of the AUSF involved in the authentication process of the terminal device, so that the UDM cannot determine which AUSF to request for corresponding security protection of the data to be sent to the terminal device.
  • the reason why the UDM does not store the identifier of the AUSF involved in the authentication process of the terminal device is: the terminal device first registers in the 4G network to generate the EPS security context; based on the EPS security context, a mapped 5G NAS security context is deduced, and the mapped 5G NAS security context is enabled. In this process, since there is no AUSF in the 4G network, it is impossible for the UDM to store the identity of the AUSF involved in the authentication process of the terminal device.
  • the communication method includes the following steps:
  • when the unified data management network element needs to send data to the terminal device, it determines that the intermediate key generated in the terminal device authentication process cannot be used to perform security protection on the data.
  • the intermediate key includes K AUSF .
  • the source of K AUSF can refer to the description in the authentication process shown in FIG. 7 or FIG. 8 , which will not be repeated here.
  • the unified data management network element may be a UDM in a 5G network, or a network element in a future network that is responsible for managing subscription data, authentication data, and the like.
  • a unified description is provided, and details are not repeated below.
  • the data to be sent to the terminal device by the above-mentioned unified data management network element may be SOR data, UPU data, subscription data of the terminal device, routing data of the terminal device, or routing identifier, etc., which is not limited in this embodiment of the present application.
  • the unified data management network element triggers an authentication process for the terminal device.
  • the determination result is: it is determined that the intermediate key generated in the terminal device authentication process cannot be used to perform security protection on the data.
  • the unified data management network element may first set a timer for the terminal device, and after the timer expires, trigger the authentication process for the terminal device.
  • the unified data management network element triggers the authentication process for the terminal device, which can be implemented in any one of the following ways:
  • Implementation mode 1: The unified data management network element sends fourth indication information to the mobility management network element that provides services for the terminal device. Wherein, the fourth indication information is used to trigger the authentication process of the terminal device.
  • the fourth indication information may be carried in the Nudm_SDM_Notification message.
  • the unified data management network element sends the fourth indication information to the mobility management network element that provides services for the terminal device, which may be specifically implemented as: the unified data management network element sends a deregistration request message to the mobility management network element.
  • the de-registration request message is used to request de-registration of the terminal device.
  • the mobility management network element can perform an authentication process with the terminal device.
  • Implementation mode 2: The unified data management network element sends fifth indication information to the authentication service network element.
  • the fifth indication information is used to instruct the authentication service network element to trigger the mobility management network element to initiate an authentication process for the terminal device.
  • the authentication service network element can send the sixth indication information to the mobility management network element, so as to trigger the mobility management network element to initiate an authentication process for the terminal device.
  • the same intermediate key is obtained between the network side and the terminal device, so that the unified data management network element can send data according to a normal process (eg, SOR process or UPU process).
  • the unified data management network element triggers the authentication process, thereby enabling the terminal device and the network side to synchronously update the intermediate key and related parameters (eg SOR counter and/or UPU counter). Therefore, the data sent by the unified data management network element to the terminal device can be protected by an effective intermediate key, and the terminal device can also perform corresponding security verification on the security-protected data. In this way, normal communication between the unified data management network element and the terminal device is guaranteed.
  • step S1001 in FIG. 15 may be embodied as step S1101 in FIG. 16
  • step S1002 shown in FIG. 15 may be embodied as step S1102 in FIG. 16 .
  • the unified data management network element cannot obtain the identifier of the authentication service network element involved in the authentication process of the terminal device.
  • the unified data management network element may establish and store the correspondence between the terminal identification of the terminal device and the identification of the authentication service network element involved in the authentication process of the terminal device.
  • the corresponding relationship may be stored in the format shown in Table 1.
  • the unified data management network element will update the corresponding relationship between the terminal identification of the terminal device and the identification of the authentication service network element every time the authentication process of the terminal device is passed to ensure the validity of the corresponding relationship.
  • when the unified data management network element prepares to send data to the terminal device, the unified data management network element can search for the identification of the corresponding authentication service network element according to the terminal identification of the terminal device. If the unified data management network element does not find the identification of the corresponding authentication service network element, the unified data management network element determines that the identification of the authentication service network element involved in the terminal device authentication process cannot be obtained.
  • the unified data management network element triggers an authentication process for the terminal device.
  • the authentication process is triggered in time to ensure normal communication between the unified data management network element and the terminal device in the subsequent process.
  • FIG. 16 can solve the problem existing in the first scenario.
  • step S1001 in FIG. 15 may be embodied as steps S1201-S1202 in FIG. 17
  • step S1002 in FIG. 15 may be embodied as step S1203 in FIG. 17 .
  • the unified data management network element sends a request message to the authentication service network element involved in the terminal device authentication process.
  • the request message includes the data.
  • the request message may be a Nausf_SoRProtection message.
  • the data in the request message may be a guide information list and a SOR header.
  • the request message may be a Nausf_UPUProtection message, and the data in the request message may be UPU data.
  • the request message may further include confirmation indication information, where the confirmation indication information is used to instruct the terminal device to return a confirmation message after successful security verification of the data.
  • the unified data management network element can find the identification of the authentication service network element involved in the authentication process of the terminal device according to the terminal identification of the terminal device.
  • the unified data management network element receives the response message sent by the authentication service network element.
  • the response message is used to indicate that the data security protection fails.
  • the response message may be a Nausf_SoRProtection Response message.
  • the response message may be a Nausf_UPUProtection Response message.
  • the response message includes second indication information, where the second indication information is used to indicate the reason for the failure of the security protection.
  • the reasons for the failure of the security protection may include: the intermediate key is missing, or the counter for security protection of the data is about to roll over.
  • the above-mentioned counter for data security protection is the SOR counter.
  • the above-mentioned counter for data security protection is the UPU counter.
  • the unified data management network element triggers an authentication process for the terminal device according to the response message.
  • the unified data management network element can trigger the authentication process in time according to the security protection failure reason returned by the authentication service network element, so as to ensure normal communication between the unified data management network element and the terminal device in the subsequent process.
  • FIG. 17 can solve the problem existing in the above-mentioned second scenario.
  • step S1001 in FIG. 15 may be embodied as steps S1301-S1304 in FIG. 18
  • step S1002 in FIG. 15 may be embodied as step S1305 in FIG. 18 .
  • the unified data management network element sends a request message to the authentication service network element involved in the terminal device authentication process.
  • the request message includes the data.
  • the request message may further include confirmation indication information, where the confirmation indication information is used to instruct the terminal device to return a confirmation message after successful security verification of the data.
  • the request message may be a Nausf_SoRProtection message
  • the data in the request message may be a guide information list and a SOR header.
  • the request message may be a Nausf_UPUProtection message, and the data in the request message may be UPU data.
  • the unified data management network element receives the response message sent by the authentication service network element.
  • the response message includes the first MAC and the value of the first counter.
  • the response message further includes the second desired MAC.
  • the first MAC is SoR-MAC-I AUSF .
  • the first counter is the SOR counter.
  • the second desired MAC is SoR-XMAC-I UE .
  • the first MAC is UPU-MAC-I AUSF .
  • the first counter is the UPU counter.
  • the second expected MAC is UPU-XMAC-I UE .
  • the unified data management network element sends the first information to the terminal device.
  • the first information includes: data, the first MAC, and the value of the first counter.
  • the unified data management network element first sends the first information to the mobility management network element that provides services for the terminal device. After that, the mobility management network element sends the first information to the terminal device.
  • step S1303 may be specifically implemented as steps S404-S405 in FIG. 9 .
  • step S1303 may be specifically implemented as steps S504-S505 in FIG. 10 .
  • the unified data management network element determines that the data cannot be securely protected by using the intermediate key generated during the authentication process of the terminal device.
  • the duration of the above-mentioned preset time may be configured by the unified data management network element according to the instruction of an operation administration and maintenance (OAM) system, or may be configured by the unified data management network element according to the actual situation, which is not limited in this embodiment of the present application.
  • the unified data management network element sets a timer for the terminal device after sending the first information.
  • when the timer expires, if the unified data management network element has not received the confirmation message from the terminal device, the unified data management network element determines that the data cannot be security protected using the intermediate key generated during the authentication process of the terminal device.
  • the timing duration of the timer is the duration of the preset time above.
  • the unified data management network element triggers an authentication process for the terminal device.
  • the unified data management network element can learn that the terminal device cannot successfully perform security verification on the first information, so that the unified data management network element can learn that the terminal device may not store a valid intermediate key.
  • the unified data management network element triggers the authentication process in time to ensure normal communication between the unified data management network element and the terminal device in the subsequent process.
  • step S1001 in FIG. 15 may be embodied as steps S1401-S1405 in FIG. 19
  • step S1002 in FIG. 15 may be embodied as step S1406 in FIG. 19 .
  • S1401-S1403 are similar to steps S1301-S1403, and the specific details thereof may refer to the embodiment shown in FIG. 18, which will not be repeated here.
  • the unified data management network element receives the confirmation message from the terminal device.
  • the confirmation message includes the second MAC.
  • the second MAC is SoR-MAC-I UE .
  • the second MAC is UPU-MAC-I UE .
  • step S1304 may be specifically implemented as steps S407-S408 in FIG. 9 .
  • step S1304 may be specifically implemented as steps S507-S508 in FIG. 9 .
  • after receiving the confirmation message, the unified data management network element can verify the confirmation message.
  • the unified data management network element checks the confirmation message, which may be specifically implemented as follows: the unified data management network element compares whether the received second MAC and the stored second expected MAC are consistent. If the second MAC is consistent with the second expected MAC, the verification of the confirmation message is successful. Otherwise, the verification of the acknowledgment message fails.
  • the unified data management network element determines that the data cannot be securely protected by using the intermediate key generated in the authentication process of the terminal device.
  • the unified data management network element triggers an authentication process for the terminal device.
  • the unified data management network element can learn that the terminal device cannot successfully perform security verification on the first information, and then the unified data management network element can learn that the terminal device may not store a valid intermediate key. In this case, the unified data management network element triggers the authentication process in time to ensure normal communication between the unified data management network element and the terminal device in the subsequent process.
  • FIG. 19 can solve the problems existing in the above-mentioned third scenario.
  • step S1001 in FIG. 15 may be embodied as steps S1501-S1505 in FIG. 20
  • step S1002 in FIG. 15 may be embodied as step S1506 in FIG. 20 .
  • S1501-S1503 are similar to steps S1301-S1304, and the specific details thereof can refer to the embodiment shown in FIG. 18, which will not be repeated here.
  • the unified data management network element receives the confirmation message from the terminal device.
  • the confirmation message includes the second MAC.
  • the second MAC is SoR-MAC-I UE .
  • the second MAC is UPU-MAC-I UE .
  • step S1304 may be specifically implemented as steps S407-S408 in FIG. 9 .
  • step S1304 may be specifically implemented as steps S507-S508 in FIG. 9 .
  • after receiving the confirmation message, the unified data management network element can verify the confirmation message.
  • the unified data management network element checks the confirmation message, which may be specifically implemented as follows: the unified data management network element compares whether the received second MAC and the stored second expected MAC are consistent. If the second MAC is consistent with the second expected MAC, the verification of the confirmation message is successful. Otherwise, the verification of the acknowledgment message fails.
  • the unified data management network element may perform the following step S1505.
  • the confirmation message includes third indication information.
  • the third indication information is used to indicate the reason for the failure of the security verification.
  • the reasons for the failure of the security check may include: the intermediate key is missing, or the counter for security protection of the data is about to roll over.
  • the above-mentioned counter for security protection of data is the SOR counter.
  • the above-mentioned counter for data security protection is the UPU counter.
  • the unified data management network element determines, according to the third indication information, that the data cannot be securely protected by using the intermediate key generated in the authentication process of the terminal device.
  • the unified data management network element triggers an authentication process for the terminal device.
  • the unified data management network element can trigger the authentication process in time according to the security verification failure reason returned by the terminal device, so as to ensure normal communication between the unified data management network element and the terminal device in the subsequent process.
  • FIG. 20 can solve the problem existing in the above-mentioned third scenario.
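The decision logic of the unified data management network element across the scenarios of FIG. 17 to FIG. 20 (a protection failure reported by the authentication service network element, no confirmation before the timer expires, a second MAC that does not match the stored second expected MAC, and a confirmation carrying a failure reason), as an added Python model that is not part of the patent or of any 3GPP implementation. The message and field names, the counter limit at which the AUSF side refuses to protect data, and the HMAC-SHA-256 stand-in for the MAC derivation are assumptions; the real SoR/UPU MAC inputs of TS 33.501 are not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

COUNTER_LIMIT = 0xFFFF - 16            # assumed: counter value from which the AUSF refuses to protect
REASON_KEY_MISSING = "intermediate_key_missing"
REASON_COUNTER_ROLLOVER = "counter_about_to_roll_over"


@dataclass
class AusfResponse:
    """Response from the authentication service network element (FIG. 17 / FIG. 18)."""
    ok: bool
    mac_ausf: Optional[bytes] = None      # first MAC (SoR-MAC-I_AUSF / UPU-MAC-I_AUSF)
    counter: Optional[int] = None         # value of the first counter
    xmac_ue: Optional[bytes] = None       # second expected MAC (SoR-XMAC-I_UE / UPU-XMAC-I_UE)
    failure_reason: Optional[str] = None  # second indication information


@dataclass
class UeConfirmation:
    """Confirmation message from the terminal device (FIG. 19 / FIG. 20)."""
    mac_ue: Optional[bytes] = None        # second MAC (SoR-MAC-I_UE / UPU-MAC-I_UE)
    failure_reason: Optional[str] = None  # third indication information


def _mac(key: bytes, label: bytes, counter: int, data: bytes) -> bytes:
    # Simplified stand-in for the TS 33.501 MAC derivation (assumption: HMAC-SHA-256);
    # the label separates the AUSF-side MAC from the UE acknowledgement MAC.
    return hmac.new(key, label + counter.to_bytes(2, "big") + data, hashlib.sha256).digest()


def ausf_protect(k_ausf: Optional[bytes], counter: int, data: bytes) -> AusfResponse:
    """AUSF side: protect the data, or report why it cannot (second indication information)."""
    if k_ausf is None:
        return AusfResponse(ok=False, failure_reason=REASON_KEY_MISSING)
    if counter >= COUNTER_LIMIT:
        return AusfResponse(ok=False, failure_reason=REASON_COUNTER_ROLLOVER)
    return AusfResponse(ok=True, counter=counter,
                        mac_ausf=_mac(k_ausf, b"AUSF", counter, data),
                        xmac_ue=_mac(k_ausf, b"UE", counter, b""))


def ue_confirm(k_ausf_ue: Optional[bytes], counter: int) -> UeConfirmation:
    """Terminal side: acknowledgement MAC over the received counter, with the UE's own key."""
    if k_ausf_ue is None:
        return UeConfirmation(failure_reason=REASON_KEY_MISSING)
    return UeConfirmation(mac_ue=_mac(k_ausf_ue, b"UE", counter, b""))


class UdmSession:
    """Per-terminal state the unified data management network element keeps for one delivery."""

    def __init__(self) -> None:
        self.xmac_ue: Optional[bytes] = None
        self.awaiting_confirmation = False

    def handle_ausf_response(self, resp: AusfResponse) -> Optional[str]:
        """FIG. 17: a failed protection request triggers authentication at once."""
        if not resp.ok:
            return f"trigger_authentication:{resp.failure_reason}"
        self.xmac_ue = resp.xmac_ue            # stored for checking the confirmation later
        self.awaiting_confirmation = True      # the timer for the confirmation starts here
        return None

    def handle_confirmation(self, confirmation: Optional[UeConfirmation]) -> str:
        """FIG. 18/19/20: decide after the timer expires or a confirmation arrives."""
        self.awaiting_confirmation = False
        if confirmation is None:
            return "trigger_authentication:timeout"      # FIG. 18: no confirmation in time
        if confirmation.failure_reason is not None:
            return f"trigger_authentication:{confirmation.failure_reason}"  # FIG. 20
        if (confirmation.mac_ue is None or self.xmac_ue is None
                or not hmac.compare_digest(confirmation.mac_ue, self.xmac_ue)):
            return "trigger_authentication:mac_mismatch"  # FIG. 19: second MAC != expected
        return "ok"
```

A terminal holding a stale intermediate key produces a second MAC that fails the constant-time comparison against the stored second expected MAC, which is exactly the condition under which the network element re-authenticates rather than retrying delivery with the same key.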
  • the terminal device first registers in the 4G network to generate the evolved packet system (EPS) security context; after that, the terminal device switches from the 4G network to the 5G network, and the 5G network deduces a mapped 5G NAS security context based on the EPS security context and enables the mapped 5G NAS security context.
  • the communication method includes the following steps:
  • the mobility management network element receives a registration request message from a terminal device.
  • the registration request message is used to switch from the 4G network to the 5G network.
  • switching from the 4G network to the 5G network can be expressed as: switching from the S1 interface to the N1 interface.
  • the mobility management network element may be an AMF in a 5G network.
  • the mobility management network element can learn that the terminal device switches from the 4G network to the 5G network.
  • the seventh indication information is used to indicate that the network accessed by the terminal device last time is a 4G network.
  • if the EMM state in the user equipment status (UE status) information element in the registration request message is set to EMM-REGISTERED, this means that the registration request message carries the seventh indication information.
  • the registration request message includes a key set identifier that includes a security context type parameter.
  • the security context type parameter is used to indicate the type of security context.
  • the type of security context includes native or mapped.
  • the above security context is a 5G NAS security context.
  • the mobility management network element initiates an authentication process of the terminal device.
  • the mobility management network element determines whether there is a native security context on the terminal device according to the security context type parameter. For example, if the registration request message includes ngKSI, the type in ngKSI is mapped, and the information element "Non-current native NAS key set identifier" is not carried in the registration request, the mobility management network element determines that there is no native security context locally, which triggers the authentication process of the terminal.
  • the mobility management network element can determine that the terminal device has not gone through the authentication process on the 5G network, so the unified data management network element does not store the identifier of the authentication service network element involved in the terminal device authentication process. Therefore, the mobility management network element initiates the authentication process of the terminal device, so that the unified data management network element can store the identification of the authentication service network element involved in the authentication process of the terminal device during the authentication process, thereby ensuring normal communication between the unified data management network element and the terminal device.
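The mobility-management-side decision described in the bullets above (absent key set identifier, ngKSI of type mapped with no "Non-current native NAS key set identifier" IE, and the seventh indication from the UE status IE), as an added Python model that is not part of the patent or of any 3GPP implementation. The 4-bit layout of the key set identifier (one type-of-security-context bit plus a 3-bit KSI, with 111 meaning no key available) is assumed from the 5G NAS IE definition; the request fields and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

TSC_NATIVE = 0          # security context type parameter: native 5G NAS security context
TSC_MAPPED = 1          # mapped from an EPS security context after an S1 -> N1 change
KSI_NO_KEY = 0b111      # KSI value meaning "no key is available"


@dataclass
class KeySetIdentifier:
    tsc: int   # type of security context (native / mapped)
    ksi: int   # 3-bit key set identifier value


def parse_ngksi(nibble: int) -> KeySetIdentifier:
    """Decode the 4-bit NAS key set identifier IE: bit 4 = TSC, bits 1-3 = KSI.

    The bit layout is assumed from the 5G NAS IE definition; only the low nibble is used.
    """
    if not 0 <= nibble <= 0xF:
        raise ValueError("ngKSI is a 4-bit value")
    return KeySetIdentifier(tsc=(nibble >> 3) & 0x1, ksi=nibble & 0x7)


@dataclass
class RegistrationRequest:
    """Fields of the registration request that matter for the decision (hypothetical model)."""
    ngksi: Optional[int]                             # None when the IE is absent
    non_current_native_ngksi: Optional[int] = None   # "Non-current native NAS key set identifier" IE
    ue_status_emm_registered: bool = False           # EMM state in the UE status IE (seventh indication)


def amf_should_authenticate(req: RegistrationRequest) -> Tuple[bool, str]:
    """Mobility management side: decide whether to initiate authentication of the terminal."""
    if req.ngksi is None:
        return True, "registration request carries no key set identifier"
    current = parse_ngksi(req.ngksi)
    if current.ksi == KSI_NO_KEY:
        return True, "ngKSI indicates that no key is available"
    if current.tsc == TSC_NATIVE:
        return False, "native 5G NAS security context present"
    # Mapped context: the terminal came from the 4G network (the UE status IE with
    # EMM-REGISTERED confirms this), so no AUSF took part and the UDM may lack its identity.
    origin = "last network was 4G" if req.ue_status_emm_registered else "mapped context"
    if req.non_current_native_ngksi is None:
        return True, f"{origin}, no native 5G NAS security context: authenticate"
    native = parse_ngksi(req.non_current_native_ngksi)
    if native.tsc != TSC_NATIVE or native.ksi == KSI_NO_KEY:
        return True, f"{origin}, non-current native ngKSI unusable: authenticate"
    return False, f"{origin}, non-current native context {native.ksi} available"
```

Running the authentication in the mapped-only case is what gives the unified data management network element an authentication service network element identifier to store, so later SOR or UPU deliveries have a K AUSF holder to request protection from.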
  • the terminal includes corresponding hardware structures and/or software modules for executing each function.
  • the present application can be implemented in hardware or in the form of a combination of hardware and computer software, in conjunction with the algorithm steps of the examples described in the embodiments disclosed herein. Whether a function is performed by hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.
  • the terminal device, the mobility management network element, and the unified data management network element may be divided into functional modules according to the foregoing method examples.
  • each functional module may be divided corresponding to each function, or two or more of the above functions may be integrated in one processing module.
  • the above-mentioned integrated modules can be implemented in the form of hardware, and can also be implemented in the form of software function modules.
  • the division of modules in the embodiments of the present application is schematic, and is only a logical function division, and there may be other division manners in actual implementation. The following is an example of dividing each function module corresponding to each function to illustrate:
  • a communication device provided by an embodiment of the present application includes: a processing module 201 and a communication module 202 .
  • the communication apparatus is a terminal device, or a chip applied in the terminal device.
  • the processing module 201 is configured to support the terminal device to perform steps S701, S702 and S704 in FIG. 12 , steps S801 , S802 and S804 in FIG. 13 , and steps S902 to S905 in FIG. 14 .
  • the communication module 202 is used to support the terminal device to perform step S702 in FIG. 12 , step S803 in FIG. 13 , and step S901 in FIG. 14 .
  • the communication device is a unified data management network element, or a chip applied in the unified data management network element.
  • the processing module 201 is configured to support the unified data management network element to perform step S1001 in FIG. 15 , step S1101 in FIG. 16 , step S1304 in FIG. 18 , step S1405 in FIG. 19 , and step S1505 in FIG. 20 .
  • the communication module 202 is used to support the unified data management network element to perform step S1002 in FIG. 15 , steps S1201-S1202 in FIG. 17 , steps S1301-S1303 in FIG. 18 , steps S1401-S1404 in FIG. 19 , and steps S1501-S1504 in FIG. 20 .
  • the communication device is a mobility management network element, or a chip applied in the mobility management network element.
  • the processing module 201 is configured to support the mobility management network element to perform step S1602 in FIG. 21 .
  • the communication module 202 is configured to support the mobility management network element to perform step S1601 in FIG. 21 .
  • the communication device may further include a storage module 203 for storing program codes and data of the communication device, and the data may include but not limited to original data or intermediate data and the like.
  • the processing module 201 may be a processor or a controller, for example, a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA, or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with this disclosure.
  • a processor may also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the communication module 202 may be a communication interface, a transceiver or a transceiver circuit, etc., where the communication interface is a general term, and in a specific implementation, the communication interface may include multiple interfaces, for example, an interface between a base station and a terminal device and/or other interfaces.
  • the storage module 203 may be a memory.
  • the processing module 201 is a processor
  • the communication module 202 is a communication interface
  • the storage module 203 is a memory
  • the communication device involved in the embodiment of the present application may be as shown in FIG. 23 .
  • the communication device includes: a processor 301 , a communication interface 302 , and a memory 303 .
  • the communication device may further include a bus 304 .
  • the communication interface 302, the processor 301 and the memory 303 can be connected to each other through a bus 304;
  • the bus 304 can be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus etc.
  • the bus 304 can be divided into an address bus, a data bus, a control bus, and the like. For ease of presentation, only one thick line is shown in FIG. 23, but it does not mean that there is only one bus or one type of bus.
  • an embodiment of the present application further provides a computer-readable storage medium, on which an instruction is stored, and when the instruction is executed, the method in the foregoing method embodiment is performed.
  • an embodiment of the present application further provides a computer program product including an instruction, when the instruction is executed, the method in the foregoing method embodiment is performed.
  • an embodiment of the present application further provides a chip, where the chip includes a processor for implementing the technical method of the embodiment of the present application.
  • the chip further includes a memory for storing necessary program instructions and/or data of the communication device according to the embodiment of the present application.
  • the chip also includes memory for the processor to invoke application code stored in the memory.
  • the chip may be composed of one or more chips, or may include chips and other discrete devices, which are not specifically limited in this embodiment of the present application.
  • the steps of the methods or algorithms described in conjunction with the disclosure of the present application may be implemented in a hardware manner, or may be implemented in a manner in which a processor executes software instructions.
  • Software instructions can be composed of corresponding software modules, and software modules can be stored in RAM, flash memory, ROM, erasable programmable read-only memory (erasable programmable read-only memory, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM), registers, hard disk, removable hard disk, compact disk read only (CD-ROM), or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor, such that the processor can read information from, and write information to, the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and storage medium may reside in an ASIC.
  • the ASIC may be located in the core network interface device.
  • the processor and the storage medium may also exist in the core network interface device as discrete components.
  • the memory may be coupled to the processor, eg, the memory may exist independently and be connected to the processor through a bus.
  • the memory can also be integrated with the processor.
  • the memory may be used to store application code for executing the technical solutions provided by the embodiments of the present application, and the execution is controlled by the processor.
  • the processor is configured to execute the application program code stored in the memory, thereby implementing the technical solutions provided by the embodiments of the present application.
  • the disclosed apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of the modules or units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another device, or some features may be omitted or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and components shown as units may be one physical unit or multiple physical units, that is, they may be located in one place, or may be distributed to multiple different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a readable storage medium.
  • the technical solutions of the embodiments of the present application can be embodied in the form of software products in essence, or the parts that contribute to the prior art, or all or part of the technical solutions, which are stored in a storage medium, including several instructions to make a device (which may be a single chip microcomputer, a chip, etc.) or a processor execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes: a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk and other mediums that can store program codes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A communication method and apparatus, which relate to the technical field of communications and are used for ensuring normal communication between a network side and a terminal device. The communication method is applied to a terminal device configured with a (U)SIM card, which stores a key set identifier. The method comprises: when needing to initiate an initial registration process, a terminal device determining whether there is a valid intermediate key; if there is no valid intermediate key, the terminal device deleting a key set identifier; the terminal device sending an initial registration request message to a mobility management network element, wherein the initial registration request message does not carry a key set identifier so as to trigger an authentication process for the terminal device; and the terminal device obtaining authentication key information during the authentication process, wherein the authentication key information comprises the valid intermediate key.

Description

Communication method and device
Technical field
The present application relates to the field of communication technologies, and in particular to a communication method and device.
Background
The mobile communication network defined by the 3rd Generation Partnership Project (3GPP) introduces a security protection mechanism to ensure the security of mobile communication (for example, the confidentiality and integrity of communication). Exemplarily, after an authentication procedure, the network side (for example, the unified data management network element) and the terminal device may each store the same intermediate key (for example, K_AUSF). Information sent by the network side to the terminal device may be security-protected using the intermediate key; correspondingly, the terminal device may use the intermediate key to perform a security check on the information protected by the network side, so as to verify the security of the information.
However, in some scenarios (for example, the universal subscriber identity module (USIM) card currently inserted in the terminal device was removed from another terminal device), the terminal device does not store a valid intermediate key. The network side, however, cannot know whether the terminal device stores a valid intermediate key. Consequently, the network side still follows the normal procedure and uses the intermediate key to security-protect the information to be sent to the terminal device, but the terminal device, not storing the intermediate key, cannot perform the security check on the protected information. This affects normal communication between the network side and the terminal device.
Summary of the invention
The present application provides a communication method for ensuring normal communication between a network side and a terminal device.
In a first aspect, a communication method is provided. The method is applied to a terminal device configured with a (U)SIM card, the (U)SIM card storing a key set identifier, and the method includes: when the terminal device needs to initiate an initial registration procedure, determining, by the terminal device, whether a valid intermediate key exists; if no valid intermediate key exists, deleting, by the terminal device, the key set identifier; sending, by the terminal device, an initial registration request message to a mobility management network element, where the initial registration request message does not carry a key set identifier, so as to trigger an authentication procedure for the terminal device; and obtaining, by the terminal device, authentication key information in the authentication procedure, where the authentication key information includes a valid intermediate key.
Based on the above technical solution, when the terminal device needs to initiate an initial registration procedure, it first checks whether a valid intermediate key exists. If none exists, the terminal device deletes the key set identifier on the (U)SIM card, so that the initial registration request message it sends does not carry a key set identifier. Because the initial registration request message carries no key set identifier, the mobility management network element initiates an authentication procedure with the terminal device. In the authentication procedure, the terminal device and the network side obtain the same intermediate key in synchrony. Consequently, in subsequent procedures (for example, an SOR procedure or a UPU procedure), the network side can use the intermediate key to security-protect the information sent to the terminal device, and the terminal device can use the same intermediate key to perform the security check on the protected information. The embodiments of the present application therefore ensure secure communication between the terminal device and the network side.
In a possible design, the key set identifier is a key set identifier generated when the terminal device accesses the network through a first access technology, and sending, by the terminal device, the initial registration request message to the mobility management network element includes: sending, by the terminal device, the initial registration request message to the mobility management network element using the first access technology.
In a possible design, deleting, by the terminal device, the key set identifier includes: setting, by the terminal device, the value of the key set identifier to a first value, where the first value indicates "no key is available".
In a possible design, that the initial registration request message does not carry a key set identifier includes: the initial registration request message includes first indication information, and the first indication information indicates that no key is available.
In a possible design, the terminal device is further configured with a non-volatile memory, and determining, by the terminal device, whether a valid intermediate key exists includes: determining, by the terminal device, whether the terminal identity in the non-volatile memory and the terminal identity on the (U)SIM card are consistent; when they are consistent, determining, by the terminal device, whether a valid intermediate key exists in the non-volatile memory or on the (U)SIM card; or, when they are inconsistent, determining, by the terminal device, whether a valid intermediate key exists on the (U)SIM card.
In a possible design, the authentication key information further includes a value of a steering of roaming (SOR) counter and/or a value of a UE parameters update (UPU) counter.
In a possible design, the valid intermediate key includes K_AUSF.
In a possible design, the key set identifier is a key set identifier for next generation radio access network (ngKSI).
In a second aspect, a communication method is provided. The method includes: determining, by a terminal device, whether the value of a first counter in authentication key information is greater than or equal to a preset value; when the value of the first counter is greater than or equal to the preset value, deleting, by the terminal device, the key set identifier; sending, by the terminal device, a registration request message to a mobility management network element, where the registration request message does not carry a key set identifier, so as to trigger an authentication procedure for the terminal device; and obtaining, by the terminal device, updated authentication key information in the authentication procedure, where the updated authentication key information includes an updated intermediate key and a first counter whose value is 0.
Based on the above technical solution, when a counter in the authentication key information is greater than or equal to the preset value (that is, the counter is about to wrap around), the terminal device deletes the key set identifier so that the registration request message it sends carries no key set identifier. Because the registration request message carries no key set identifier, the mobility management network element initiates an authentication procedure with the terminal device. In the authentication procedure, the terminal device and the network side obtain updated authentication key information in synchrony, including an updated intermediate key and a counter whose value is 0. Since the information that the network side sent to the terminal device before the authentication procedure was not protected with the updated intermediate key, an attacker who replays such information cannot pass the terminal device's security check, so a replay attack on the terminal device is not possible. The embodiments of the present application can therefore ensure normal communication between the terminal device and the network side.
In a possible design, the key set identifier is a key set identifier generated when the terminal device accesses the network through a first access technology, and sending, by the terminal device, the registration request message to the mobility management network element includes: sending, by the terminal device, the registration request message to the mobility management network element using the first access technology.
In a possible design, deleting, by the terminal device, the key set identifier includes: setting, by the terminal device, the value of the key set identifier to a first value, where the first value indicates "no key is available".
In a possible design, deleting, by the terminal device, the key set identifier includes: when the terminal device is in connected state, releasing, by the terminal device, the connection with the network device; and, after releasing the connection with the network device, deleting the key set identifier.
In a possible design, that the registration request message does not carry a key set identifier includes: the registration request message includes first indication information, and the first indication information indicates that no key is available.
In a possible design, the method further includes: receiving, by the terminal device, first information, where the first information includes data, a value of a second counter, and a message authentication code (MAC); comparing, by the terminal device, whether the value of the second counter is greater than the value of the first counter; when the value of the second counter is greater than the value of the first counter, verifying, by the terminal device, the MAC based on the data in the first information and the value of the second counter; and, when the MAC passes verification, updating, by the terminal device, the value of the first counter with the value of the second counter.
In a possible design, determining, by the terminal device, whether the value of the first counter in the authentication key information is greater than or equal to the preset value includes: determining, by the terminal device, whether the updated value of the first counter is greater than or equal to the preset value.
In a possible design, the first counter includes an SOR counter and/or a UPU counter.
In a possible design, the intermediate key includes K_AUSF.
In a possible design, the key set identifier is ngKSI.
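As an added example (not code from the patent and not from any 3GPP implementation), the following Python models the terminal-side logic of the first and second aspects above: selecting the intermediate key between the non-volatile memory and the (U)SIM card, sending ngKSI as "no key available" when no valid K_AUSF exists or an SOR/UPU counter has reached the preset value, the mobility management network element's decision to authenticate, and the counter-then-MAC check applied to the first information. The ngKSI value 7 (binary 111) for "no key is available" is the encoding of the NAS key set identifier information element; the 16-bit counter width, the preset value, the message layout and the use of HMAC-SHA256 keyed with K_AUSF in place of the 3GPP key derivation function are assumptions of this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# ngKSI value "111" (7) in the NAS key set identifier IE means "no key is available";
# setting it is how the terminal "deletes" the key set identifier in the text above.
NO_KEY_AVAILABLE = 0b111
# Assumed: 16-bit SOR/UPU counters; the preset value at which the terminal
# re-authenticates is the last value the counter can take before wrapping.
COUNTER_BITS = 16
COUNTER_PRESET = (1 << COUNTER_BITS) - 1


@dataclass
class KeyStore:
    """One storage location (non-volatile memory or (U)SIM) holding a terminal identity and maybe K_AUSF."""
    identity: str
    k_ausf: Optional[bytes] = None


@dataclass
class UeSecurityState:
    ngksi: int = NO_KEY_AVAILABLE
    k_ausf: Optional[bytes] = None
    sor_counter: int = 0
    upu_counter: int = 0


def is_valid_key(k: Optional[bytes]) -> bool:
    return k is not None and len(k) == 32  # K_AUSF is 256 bits


def select_intermediate_key(nvm: KeyStore, usim: KeyStore) -> Optional[bytes]:
    """Design from the first aspect: if the identities in NVM and on the (U)SIM match,
    either store may supply K_AUSF; if they differ (card moved from another device),
    only the (U)SIM is consulted."""
    candidates = (nvm, usim) if nvm.identity == usim.identity else (usim,)
    for store in candidates:
        if is_valid_key(store.k_ausf):
            return store.k_ausf
    return None


def compute_mac(k_ausf: bytes, data: bytes, counter: int) -> bytes:
    """Stand-in for the 3GPP KDF-based SOR/UPU MAC: HMAC-SHA256 over counter || data (assumed layout)."""
    return hmac.new(k_ausf, struct.pack(">H", counter) + data, hashlib.sha256).digest()[:16]


def prepare_registration(state: UeSecurityState) -> dict:
    """First aspect: no valid K_AUSF -> send ngKSI = "no key available".
    Second aspect: a counter at the preset value -> same, to force fresh keys and counters."""
    counter_near_wrap = max(state.sor_counter, state.upu_counter) >= COUNTER_PRESET
    if not is_valid_key(state.k_ausf) or counter_near_wrap:
        state.ngksi = NO_KEY_AVAILABLE
    return {"ngksi": state.ngksi}


def amf_needs_authentication(registration_request: dict) -> bool:
    """Mobility management side: a request carrying no usable key set identifier triggers authentication."""
    return registration_request["ngksi"] == NO_KEY_AVAILABLE


def complete_authentication(state: UeSecurityState, new_k_ausf: bytes, new_ngksi: int) -> None:
    """Result of the authentication procedure: fresh K_AUSF and ngKSI, counters reset to 0."""
    state.k_ausf = new_k_ausf
    state.ngksi = new_ngksi
    state.sor_counter = 0
    state.upu_counter = 0


def verify_protected_message(state: UeSecurityState, data: bytes, counter: int,
                             mac: bytes, kind: str = "sor") -> bool:
    """Receiving first information (data, counter, MAC): accept only if the received counter
    exceeds the stored one and the MAC verifies, then advance the stored counter."""
    if not is_valid_key(state.k_ausf):
        return False
    stored = state.sor_counter if kind == "sor" else state.upu_counter
    if counter <= stored:
        return False  # replayed or stale message
    if not hmac.compare_digest(compute_mac(state.k_ausf, data, counter), mac):
        return False
    if kind == "sor":
        state.sor_counter = counter
    else:
        state.upu_counter = counter
    return True
```

The replay argument of the second aspect falls out of the order of the two checks: after re-authentication the stored counter is 0 again, so an old message's counter would pass the comparison, but its MAC was computed under the previous K_AUSF and fails the second check.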
In a third aspect, a communication method is provided. The method includes: when a unified data management network element needs to send data to a terminal device, determining, by the unified data management network element, that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device; and, in response to the determination, triggering, by the unified data management network element, an authentication procedure for the terminal device.
Based on the above technical solution, when the data that the unified data management network element sends to the terminal device cannot be security-protected with the intermediate key, the unified data management network element triggers an authentication procedure, so that the terminal device and the network side update the intermediate key and the related parameters (for example, the SOR counter and/or the UPU counter) in synchrony. The data sent by the unified data management network element to the terminal device can then be security-protected with a valid intermediate key, and the terminal device can perform the corresponding security check on the protected data. This ensures normal communication between the unified data management network element and the terminal device.
In a possible design, determining that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device includes: the unified data management network element cannot obtain an identifier of the authentication service network element involved in the authentication procedure of the terminal device.
In a possible design, determining that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device includes: sending, by the unified data management network element, a request message to the authentication service network element involved in the authentication procedure of the terminal device, where the request message includes the data; and receiving, by the unified data management network element, a response message from the authentication service network element, where the response message indicates that security protection of the data failed.
In a possible design, the response message includes second indication information, and the second indication information indicates the reason why security protection of the data failed.
In a possible design, the reason why security protection of the data failed includes: the intermediate key is missing, or the counter used to security-protect the data is about to wrap around.
In a possible design, the counter includes an SOR counter or a UPU counter.
In a possible design, before the unified data management network element sends the request message to the authentication service network element involved in the authentication procedure of the terminal device, the method further includes: obtaining, by the unified data management network element, the identifier of the authentication service network element according to the identifier of the terminal device.
In a possible design, determining that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device includes: sending, by the unified data management network element, a request message to the authentication service network element involved in the authentication procedure of the terminal device, where the request message includes the data; receiving, by the unified data management network element, a response message from the authentication service network element, where the response message includes a first MAC and a value of a first counter; sending, by the unified data management network element, first information to the terminal device, where the first information includes the data, the first MAC and the value of the first counter; and, if no acknowledgement message is received from the terminal device within a preset time, determining, by the unified data management network element, that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device.
In a possible design, determining that the data cannot be security-protected using the intermediate key generated in the primary authentication procedure of the terminal device includes: sending, by the unified data management network element, a request message to the authentication service network element involved in the authentication procedure of the terminal device, where the request message includes the data; receiving, by the unified data management network element, a response message from the authentication service network element, where the response message includes a first MAC and a value of a first counter; sending, by the unified data management network element, first information to the terminal device, where the first information includes the data, the first MAC and the value of the first counter; and, if the unified data management network element receives an acknowledgement message but verification of the acknowledgement message fails, determining that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device.
In a possible design, determining that the data cannot be security-protected using the intermediate key generated in the primary authentication procedure of the terminal device includes: sending, by the unified data management network element, a request message to the authentication service network element involved in the authentication procedure of the terminal device, where the request message includes the data; receiving, by the unified data management network element, a response message from the authentication service network element, where the response message includes a first MAC and a value of a first counter; sending, by the unified data management network element, first information to the terminal device, where the first information includes the data, the first MAC and the value of the first counter; receiving, by the unified data management network element, an acknowledgement message, where the acknowledgement message includes third indication information indicating the reason why the security check of the data failed; and determining, by the unified data management network element according to the third indication information, that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device.
In a possible design, the reason why the security check of the data failed includes: the intermediate key is missing, or the counter used to security-protect the data is about to wrap around.
In a possible design, triggering, by the unified data management network element, the authentication procedure for the terminal device includes: sending, by the unified data management network element, fourth indication information to the mobility management network element serving the terminal device, where the fourth indication information triggers the authentication procedure for the terminal device.
In a possible design, sending, by the unified data management network element, the fourth indication information to the mobility management network element serving the terminal device includes: sending, by the unified data management network element, a deregistration request message to the mobility management network element, where the deregistration request message requests deregistration of the terminal device.
In a possible design, triggering, by the unified data management network element, the authentication procedure for the terminal device includes: sending, by the unified data management network element, fifth indication information to the authentication service network element, where the fifth indication information instructs the authentication service network element to trigger the mobility management network element to initiate the authentication procedure for the terminal device.
In a possible design, the data is SOR data, UPU data, subscription data of the terminal device, routing data of the terminal device, or a routing indicator.
In a possible design, the intermediate key includes K_AUSF.
In a fourth aspect, a communication method is provided. The method includes: receiving, by a mobility management network element, a registration request message sent by a terminal device for moving from a 4G network to a 5G network, where the registration request message includes a key set identifier and the key set identifier includes a security context type parameter; and, when the type of security context indicated by the security context type parameter is not native, initiating, by the mobility management network element, an authentication procedure with the terminal device.
Specifically, the mobility management network element determines, according to the security context type parameter, whether a native security context exists on the terminal device. For example, if the registration request message includes an ngKSI whose type is mapped, and the registration request does not carry the "Non-current native NAS key set identifier" information element, the mobility management network element determines that the terminal device has no native security context locally, and so triggers the authentication procedure for the terminal.
Based on the above technical solution, in the scenario in which the terminal device moves from a 4G network to a 5G network, when the type of security context indicated by the security context type parameter is not native, the mobility management network element can determine that the terminal device has not gone through an authentication procedure in the 5G network, and therefore that the unified data management network element has not stored the identifier of the authentication service network element involved in the authentication procedure of the terminal device. The mobility management network element therefore initiates the authentication procedure for the terminal device, so that the unified data management network element can store, during the authentication procedure, the identifier of the authentication service network element involved, thereby ensuring normal communication between the unified data management network element and the terminal device.
In a possible design, the key set identifier is ngKSI.
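As an added example (not code from the patent and not from any 3GPP implementation), the following Python models the network-side logic of the third and fourth aspects above. The unified data management network element asks the authentication service network element to protect SOR data; the authentication service network element answers with a failure cause when it holds no K_AUSF for the subscriber or the counter is about to wrap around; the unified data management network element then triggers re-authentication through the serving mobility management network element, which it also does when it has no stored authentication service network element identifier at all. The mobility management network element additionally re-authenticates a terminal arriving from 4G whose ngKSI is of type mapped and which carries no non-current native ngKSI. The message names, cause values, counter width and the use of HMAC-SHA256 keyed with K_AUSF in place of the 3GPP key derivation function are assumptions of this example; the TSC bit (0 native, 1 mapped) is the encoding of the NAS key set identifier information element.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

COUNTER_BITS = 16                               # assumed SOR counter width
COUNTER_MAX = (1 << COUNTER_BITS) - 1
CAUSE_KEY_MISSING = "intermediate_key_missing"  # assumed second indication information values
CAUSE_COUNTER_WRAP = "counter_about_to_wrap"
NATIVE, MAPPED = 0, 1                           # TSC bit of the NAS key set identifier IE


@dataclass
class NgKsi:
    tsc: int    # type of security context: NATIVE or MAPPED
    value: int  # 3-bit key set identifier value


@dataclass
class AusfContext:
    k_ausf: Optional[bytes]
    sor_counter: int = 0


class Ausf:
    """Authentication service network element: holds K_AUSF per subscriber and computes the SOR MAC."""

    def __init__(self) -> None:
        self.contexts: Dict[str, AusfContext] = {}

    def protect(self, supi: str, data: bytes) -> dict:
        ctx = self.contexts.get(supi)
        if ctx is None or ctx.k_ausf is None:
            return {"status": "failure", "cause": CAUSE_KEY_MISSING}
        if ctx.sor_counter >= COUNTER_MAX:
            return {"status": "failure", "cause": CAUSE_COUNTER_WRAP}
        ctx.sor_counter += 1
        msg = struct.pack(">H", ctx.sor_counter) + data  # assumed layout: counter || data
        mac = hmac.new(ctx.k_ausf, msg, hashlib.sha256).digest()[:16]
        return {"status": "success", "mac": mac, "counter": ctx.sor_counter}


class Amf:
    """Serving mobility management network element."""

    def __init__(self) -> None:
        self.auth_triggered: List[str] = []

    def deregister_and_reauthenticate(self, supi: str) -> None:
        # Fourth indication information of the text, realised as a deregistration request
        self.auth_triggered.append(supi)

    def handle_registration_from_4g(self, supi: str, ngksi: NgKsi,
                                    non_current_native_ngksi: Optional[NgKsi] = None) -> str:
        """Fourth aspect: a mapped security context with no non-current native ngKSI means the
        terminal never authenticated in 5G, so the UDM holds no AUSF identifier for it."""
        if ngksi.tsc != NATIVE and non_current_native_ngksi is None:
            self.auth_triggered.append(supi)
            return "authenticate"
        return "reuse_native_context"


class Udm:
    """Unified data management network element."""

    def __init__(self, ausf: Ausf, amf: Amf) -> None:
        self.ausf = ausf
        self.amf = amf
        self.ausf_instance_of: Dict[str, str] = {}  # AUSF identifier stored at authentication

    def record_authentication(self, supi: str, ausf_id: str, k_ausf: bytes) -> None:
        """What the authentication procedure leaves behind on the network side."""
        self.ausf_instance_of[supi] = ausf_id
        self.ausf.contexts[supi] = AusfContext(k_ausf)

    def send_protected(self, supi: str, data: bytes) -> str:
        """Third aspect: if the data cannot be protected with the terminal's K_AUSF, trigger re-authentication."""
        if supi not in self.ausf_instance_of:
            self.amf.deregister_and_reauthenticate(supi)
            return "reauth_triggered:no_ausf_id"
        resp = self.ausf.protect(supi, data)
        if resp["status"] != "success":
            self.amf.deregister_and_reauthenticate(supi)
            return "reauth_triggered:" + resp["cause"]
        # (data, resp["mac"], resp["counter"]) would now be delivered to the terminal via the AMF
        return "sent"
```

The two failure causes are distinguished because they call for the same remedy but mean different things to an operator: a missing key after a 4G-to-5G move is expected, whereas a counter at its maximum on a subscriber that authenticated recently would be worth investigating.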
第五方面,提供一种通信装置,包括处理模块和通信模块。处理模块,用于在需要发起初始注册流程时,确定是否存在有效的中间密钥;如果不存在有效的中间密钥,则删除(U)SIM卡中存储的密钥集标识符。通信模块,用于向移动管理网元发送初始注册请求消息,初始注册请求消息不携带密钥集标识符以触发移动管理网元与通信装置之间的鉴权流程。处理模块,用于在鉴权流程中得到鉴权密钥信息,鉴权密钥信息包括有效的中间密钥。In a fifth aspect, a communication device is provided, including a processing module and a communication module. The processing module is configured to determine whether there is a valid intermediate key when an initial registration process needs to be initiated; if there is no valid intermediate key, delete the key set identifier stored in the (U)SIM card. The communication module is configured to send an initial registration request message to the mobility management network element, where the initial registration request message does not carry a key set identifier to trigger an authentication process between the mobility management network element and the communication device. The processing module is used for obtaining authentication key information in the authentication process, where the authentication key information includes a valid intermediate key.
一种可能的设计中,密钥集标识符为通信装置通过第一接入技术接入网络时生成的密钥集标识符;通信模块,具体用于使用第一接入技术向移动管理网元发送初始注册请求消息。In a possible design, the key set identifier is a key set identifier generated when the communication device accesses the network through the first access technology; the communication module is specifically configured to use the first access technology to send the mobile management network element Send initial registration request message.
一种可能的设计中,处理模块,具体用于将密钥集标识符的值设置为第一值,第一值用于指示“没有可用的密钥”。In a possible design, the processing module is specifically configured to set the value of the key set identifier to a first value, where the first value is used to indicate "no key available".
一种可能的设计中,初始注册请求消息不携带密钥集标识符,包括:初始注册请求消息包括第一指示信息,第一指示信息用于指示没有可用的密钥。In a possible design, the initial registration request message does not carry the key set identifier, including: the initial registration request message includes first indication information, and the first indication information is used to indicate that there is no available key.
一种可能的设计中,通信装置还包括存储模块;处理模块,具体用于确定存储模块中的终端身份标识和(U)SIM卡中的终端身份标识是否一致;在存储模块中的终端身份标识和(U)SIM卡中的终端身份标识一致的情况下,确定存储模块和(U)SIM卡中是否存在有效的中间密钥;或者,在存储模块中的终端身份标识和(U)SIM卡中的终端身份标识不一致的情况下,确定(U)SIM卡中是否存在有效的中间密钥。In a possible design, the communication device also includes a storage module; a processing module is specifically used to determine whether the terminal identification in the storage module is consistent with the terminal identification in the (U)SIM card; the terminal identification in the storage module In the case of being consistent with the terminal identification in the (U)SIM card, determine whether there is a valid intermediate key in the storage module and the (U)SIM card; Or, the terminal identification in the storage module and the (U)SIM card In the case of inconsistent terminal identifications in the (U)SIM card, determine whether there is a valid intermediate key in the (U)SIM card.
一种可能的设计中,鉴权密钥信息还包括:SOR的计数器的取值,和/或UPU的计数器的取值。In a possible design, the authentication key information further includes: the value of the counter of the SOR, and/or the value of the counter of the UPU.
一种可能的设计中,有效的中间密钥包括Kausf。In one possible design, valid intermediate keys include Kausf.
一种可能的设计中,密钥集标识符为ngKSI。In one possible design, the keyset identifier is ngKSI.
In a sixth aspect, a communication apparatus is provided, including a processing module and a communication module. The processing module is configured to determine whether the value of a first counter in the authentication key information is greater than or equal to a preset value and, when it is, to delete the key set identifier. The communication module is configured to send a registration request message to the mobility management network element; the registration request message does not carry the key set identifier, which triggers an authentication procedure for the communication apparatus. The processing module is further configured to obtain updated authentication key information from that authentication procedure, the updated authentication key information including an updated intermediate key and a first counter whose value is 0.
In a possible design, the key set identifier is the one generated when the communication apparatus accessed the network over a first access technology, and the communication module sends the registration request message to the mobility management network element over that same first access technology.
In a possible design, the processing module is specifically configured to set the value of the key set identifier to a first value, the first value indicating "no key available".
In a possible design, the processing module is specifically configured to release the connection with the network device when the communication apparatus is in connected state, and to delete the key set identifier only after that connection has been released.
In a possible design, "the registration request message does not carry the key set identifier" includes the case where the registration request message carries first indication information indicating that no key is available.
In a possible design, the communication module is further configured to receive first information that includes data, the value of a second counter, and a MAC. The processing module is further configured to compare the value of the second counter with the value of the first counter; when the value of the second counter is greater than the value of the first counter, to verify the MAC using the data in the first information and the value of the second counter; and, when the MAC is verified, to update the value of the first counter to the value of the second counter.
In a possible design, the processing module is specifically configured to determine whether the updated value of the first counter is greater than or equal to the preset value.
In a possible design, the first counter includes an SOR counter and/or a UPU counter.
In a possible design, the intermediate key includes K_AUSF.
In a possible design, the key set identifier is ngKSI.
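The following Python sketch is an added illustration of the terminal-side logic of the sixth aspect above; it is not code from the patent or from any 3GPP implementation. It models the replay check (second counter must exceed the stored first counter), MAC verification before the counter is updated, and, once the stored counter reaches the preset value, releasing the connection and setting ngKSI to the "no key available" value so that the next registration request forces re-authentication and a fresh K_AUSF with the counter reset to 0. The HMAC-SHA256 MAC, the 16-bit counter width, the preset value, and all class and function names are assumptions; the real SOR/UPU MAC derivation from K_AUSF in TS 33.501 is not reproduced. The ngKSI layout (value in bits 1-3, type-of-security-context flag in bit 4, value 0b111 meaning "no key is available") follows the NAS key set identifier IE of TS 24.501.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# ngKSI value that tells the AMF no usable 5G NAS security context exists.
NGKSI_NO_KEY = 0b111
COUNTER_MAX = 0xFFFF            # assumed 16-bit SOR/UPU counter


def compute_mac(k_ausf: bytes, counter: int, data: bytes) -> bytes:
    """Illustrative MAC: HMAC-SHA256 over counter||data, truncated to 16 bytes.
    Stands in for the KDF-based SOR/UPU MAC of TS 33.501 (assumption)."""
    msg = counter.to_bytes(2, "big") + data
    return hmac.new(k_ausf, msg, hashlib.sha256).digest()[:16]


@dataclass
class UeSecurityContext:
    """Terminal-side authentication key information (assumed layout)."""
    k_ausf: Optional[bytes]                 # intermediate key, None if none stored
    ngksi: int                              # key set identifier value (0..6)
    first_counter: int = 0                  # highest counter value accepted so far
    preset_value: int = COUNTER_MAX - 16    # re-authenticate before wrap (assumed)
    connected: bool = False
    log: List[str] = field(default_factory=list)

    def receive_first_information(self, data: bytes, second_counter: int, mac: bytes) -> bool:
        """Replay check, then MAC check, then counter update."""
        if self.k_ausf is None:
            self.log.append("no valid intermediate key; cannot verify")
            return False
        if not 0 <= second_counter <= COUNTER_MAX:
            self.log.append(f"counter {second_counter} out of range")
            return False
        if second_counter <= self.first_counter:
            self.log.append(f"replay: {second_counter} <= stored {self.first_counter}")
            return False
        if not hmac.compare_digest(compute_mac(self.k_ausf, second_counter, data), mac):
            self.log.append("MAC verification failed")
            return False
        self.first_counter = second_counter   # only after the MAC is verified
        return True

    def build_registration_request(self) -> dict:
        """If the counter has reached the preset value, release any connection and
        delete the key set identifier so the request carries no usable ngKSI."""
        if self.first_counter >= self.preset_value:
            if self.connected:
                self.connected = False      # release the connection first
                self.log.append("released connection before deleting ngKSI")
            self.ngksi = NGKSI_NO_KEY
        return {"ngksi": self.ngksi, "no_key_available": self.ngksi == NGKSI_NO_KEY}

    def on_authentication_complete(self, new_k_ausf: bytes, new_ngksi: int) -> None:
        """Updated authentication key information: new K_AUSF, counter reset to 0."""
        self.k_ausf = new_k_ausf
        self.ngksi = new_ngksi
        self.first_counter = 0


if __name__ == "__main__":
    # Constructed sample: one subscriber key and one SOR container.
    k = bytes(32)
    ue = UeSecurityContext(k_ausf=k, ngksi=2, connected=True)
    payload = b"SOR container"
    print(ue.receive_first_information(payload, 1, compute_mac(k, 1, payload)))
    print(ue.receive_first_information(payload, 1, compute_mac(k, 1, payload)))  # replay
    print(ue.build_registration_request())
```

The order of checks matters: the counter comparison rejects replays cheaply before any key use, but the stored counter is advanced only after the MAC verifies, so an attacker cannot exhaust the counter with unauthenticated messages and push the terminal into re-authentication on demand.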
In a seventh aspect, a communication apparatus is provided, including a processing module and a communication module. The processing module is configured to determine, when data needs to be sent to a terminal device, that the intermediate key generated during the terminal device's authentication procedure cannot be used to protect the data. The communication module is configured to trigger an authentication procedure for the terminal device in response to that determination.
In a possible design, the processing module is specifically configured to determine that the intermediate key generated during the terminal device's authentication procedure cannot be used to protect the data when the identifier of the authentication server network element involved in that authentication procedure cannot be obtained.
In a possible design, the communication module is further configured to send a request message containing the data to the authentication server network element involved in the terminal device's authentication procedure, and to receive from that network element a response message indicating that protecting the data failed. The processing module is specifically configured to determine from the response message that the intermediate key generated during the terminal device's authentication procedure cannot be used to protect the data.
In a possible design, the response message includes second indication information indicating the reason the data could not be protected.
In a possible design, the reasons the data could not be protected include the intermediate key being missing, or the counter used to protect the data being about to wrap around.
In a possible design, the counter includes an SOR counter or a UPU counter.
In a possible design, the processing module is further configured to obtain the identifier of the authentication server network element from the identifier of the terminal device.
In a possible design, the communication module is further configured to send a request message containing the data to the authentication server network element involved in the terminal device's authentication procedure; to receive from that network element a response message containing a first MAC and the value of a first counter; and to send first information to the terminal device containing the data, the first MAC and the value of the first counter. The processing module is specifically configured to determine that the intermediate key generated during the terminal device's authentication procedure cannot be used to protect the data if no acknowledgement message is received from the terminal device within a preset time.
In a possible design, the communication module is further configured to send a request message containing the data to the authentication server network element involved in the terminal device's authentication procedure; to receive from that network element a response message containing a first MAC and the value of a first counter; to send first information to the terminal device containing the data, the first MAC and the value of the first counter; and to receive an acknowledgement message. The processing module is configured to determine that the intermediate key generated during the terminal device's authentication procedure cannot be used to protect the data when verification of the acknowledgement message fails.
In a possible design, the communication module is further configured to send a request message containing the data to the authentication server network element involved in the terminal device's authentication procedure; to receive from that network element a response message containing a first MAC and the value of a first counter; to send first information to the terminal device containing the data, the first MAC and the value of the first counter; and to receive an acknowledgement message that includes third indication information indicating the reason the security check on the data failed. The processing module is specifically configured to determine from the third indication information that the intermediate key generated during the terminal device's authentication procedure cannot be used to protect the data.
In a possible design, the reasons the security check on the data failed include the intermediate key being missing, or the counter used to protect the data being about to wrap around.
In a possible design, the communication module is configured to send fourth indication information to the mobility management network element serving the terminal device, the fourth indication information being used to trigger an authentication procedure for the terminal device.
In a possible design, the communication module is configured to send a deregistration request message to the mobility management network element, requesting that the terminal device be deregistered.
In a possible design, the communication module is configured to send fifth indication information to the authentication server network element, instructing the authentication server network element to have the mobility management network element initiate an authentication procedure for the terminal device.
In a possible design, the data is SOR data, UPU data, the terminal device's subscription data, the terminal device's routing data, or a routing identifier (routing ID).
In a possible design, the intermediate key includes K_AUSF.
In an eighth aspect, a communication apparatus is provided, including a processing module and a communication module. The communication module is configured to receive a registration request message sent by a terminal device to move from a 4G network to a 5G network, the registration request message including a key set identifier, and the key set identifier including a security context type parameter. The processing module is configured to initiate an authentication procedure for the terminal device when the security context type indicated by that parameter is not native.
In a possible design, the key set identifier is ngKSI.
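The following Python sketch is an added illustration of the network-side decisions in the seventh and eighth aspects above; it is not code from the patent or from any 3GPP implementation. For the seventh aspect it models the authentication server network element refusing a protection request when K_AUSF is missing or the counter would wrap, returning that cause as the second indication information, and the unified data management network element then triggering re-authentication instead of sending unprotected data. For the eighth aspect it models the mobility management network element reading the type-of-security-context (TSC) bit of the ngKSI carried in a 4G-to-5G registration request and authenticating when the context is not native. The HMAC-SHA256 MAC, the 16-bit counter, the cause strings, and all class and function names are assumptions; the ngKSI layout (value in bits 1-3, TSC in bit 4 with 0 meaning native and 1 meaning mapped, value 0b111 meaning "no key is available") follows the NAS key set identifier IE of TS 24.501.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple, Union

COUNTER_MAX = 0xFFFF      # assumed 16-bit SOR/UPU counter
TSC_NATIVE = 0            # ngKSI bit 4: 0 = native 5G security context, 1 = mapped
NGKSI_NO_KEY = 0b111


def compute_mac(k_ausf: bytes, counter: int, data: bytes) -> bytes:
    """Illustrative HMAC-SHA256 MAC over counter||data (assumed, not the TS 33.501 KDF)."""
    return hmac.new(k_ausf, counter.to_bytes(2, "big") + data, hashlib.sha256).digest()[:16]


@dataclass
class AusfContext:
    """Authentication server side state for one subscriber (assumed layout):
    the intermediate key and the last counter value already used with it."""
    k_ausf: Optional[bytes]
    first_counter: int = 0

    def protect(self, data: bytes) -> Tuple[bool, Union[Tuple[int, bytes], str]]:
        """Answer a protection request: (True, (counter, MAC)) on success, or
        (False, cause) where cause is the second indication information."""
        if self.k_ausf is None:
            return False, "intermediate_key_missing"
        if self.first_counter >= COUNTER_MAX:
            # Refuse rather than reuse a counter value under the same key.
            return False, "counter_about_to_wrap"
        self.first_counter += 1
        mac = compute_mac(self.k_ausf, self.first_counter, data)
        return True, (self.first_counter, mac)


def udm_deliver(ausf: Optional[AusfContext], data: bytes) -> Tuple[str, Optional[str]]:
    """Decision of the seventh aspect. Returns (action, cause). `ausf` is None when
    the identifier of the authentication server network element cannot be obtained."""
    if ausf is None:
        return "trigger_authentication", "ausf_identifier_unavailable"
    ok, result = ausf.protect(data)
    if not ok:
        return "trigger_authentication", result
    counter, mac = result
    # First information to the terminal would carry (data, counter, mac).
    return "send_first_information", None


def amf_on_registration_from_4g(ngksi_ie: int) -> str:
    """Decision of the eighth aspect: a 4G-to-5G registration request whose ngKSI
    identifies a non-native (mapped) context, or no key at all, is authenticated."""
    tsc = (ngksi_ie >> 3) & 0x1
    value = ngksi_ie & 0x7
    if tsc != TSC_NATIVE or value == NGKSI_NO_KEY:
        return "initiate_authentication"
    return "reuse_native_context"


if __name__ == "__main__":
    # Constructed samples: one subscriber with a key, one whose key is gone.
    print(udm_deliver(AusfContext(k_ausf=bytes(32)), b"UPU container"))
    print(udm_deliver(AusfContext(k_ausf=None), b"UPU container"))
    print(amf_on_registration_from_4g(0b1011))   # mapped context, value 3
```

Checking the counter before incrementing it keeps the AUSF from ever producing two MACs under one K_AUSF with the same counter value, which is the property the terminal-side replay check depends on; the wrap case is reported as a cause rather than silently resetting the counter, so the UDM can choose to refresh the key instead.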
In a ninth aspect, a communication apparatus is provided, including a processor and a communication interface; the processor executes computer program instructions so that the communication apparatus implements the communication method of any design of any of the first to fourth aspects.
In a tenth aspect, a computer-readable storage medium is provided, storing instructions which, when run on a computer, cause the computer to implement the communication method of any design of any of the first to fourth aspects.
In an eleventh aspect, a computer program product containing computer instructions is provided which, when run on a computer, causes the computer to implement the communication method of any design of any of the first to fourth aspects.
In a twelfth aspect, a chip is provided that includes a processor; when the processor executes computer program instructions, it implements the communication method of any design of any of the first to fourth aspects.
For the technical effects of any design of the fifth to twelfth aspects, refer to the beneficial effects of the corresponding methods described above; they are not repeated here.
Description of drawings
FIG. 1 is a schematic diagram of the architecture of a 5G network provided by an embodiment of this application;
FIG. 2 is a schematic structural diagram of a terminal device provided by an embodiment of this application;
FIG. 3 is a schematic diagram of the hardware structure of the mobile equipment within a terminal device provided by an embodiment of this application;
FIG. 4 is a schematic diagram of the sender computing a MAC;
FIG. 5 is a schematic diagram of the receiver computing a MAC;
FIG. 6 is a schematic diagram of the registration procedure in the related art;
FIG. 7 is a schematic diagram of the EAP-AKA' procedure in the related art;
FIG. 8 is a schematic diagram of the 5G-AKA procedure in the related art;
FIG. 9 is a schematic diagram of the SOR procedure in the related art;
FIG. 10 is a schematic diagram of the UPU procedure in the related art;
FIG. 11 is a schematic diagram of the reasons why, in the related art, a terminal device does not store a valid K_AUSF;
FIG. 12 is a flowchart of a communication method provided by an embodiment of this application;
FIG. 13 is a flowchart of another communication method provided by an embodiment of this application;
FIG. 14 is a flowchart of another communication method provided by an embodiment of this application;
FIG. 15 is a flowchart of another communication method provided by an embodiment of this application;
FIG. 16 is a flowchart of another communication method provided by an embodiment of this application;
FIG. 17 is a flowchart of another communication method provided by an embodiment of this application;
FIG. 18 is a flowchart of another communication method provided by an embodiment of this application;
FIG. 19 is a flowchart of another communication method provided by an embodiment of this application;
FIG. 20 is a flowchart of another communication method provided by an embodiment of this application;
FIG. 21 is a flowchart of another communication method provided by an embodiment of this application;
FIG. 22 is a schematic structural diagram of a communication apparatus provided by an embodiment of this application;
FIG. 23 is a schematic diagram of the hardware structure of a communication apparatus provided by an embodiment of this application.
Detailed description of embodiments
In the description of this application, unless otherwise stated, "/" means "or"; for example, A/B may mean A or B. "And/or" herein merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean A alone, both A and B, or B alone. Further, "at least one" means one or more, and "a plurality of" means two or more. The terms "first" and "second" do not limit quantity or order of execution, nor do they require that the items so labelled be different.
It should be noted that in this application words such as "exemplary" or "for example" are used to present an example, illustration or explanation. Any embodiment or design described in this application as "exemplary" or "for example" should not be construed as preferred or more advantageous than other embodiments or designs. Rather, the use of such words is intended to present the related concepts in a concrete manner.
The technical solutions provided in the embodiments of this application may be applied to various communication systems, for example a communication system using fifth generation (5G) communication technology, a future evolved system, or a system that converges multiple communication technologies. They may be applied in various scenarios, such as machine-to-machine (M2M) communication, macro-micro communication, enhanced mobile broadband (eMBB), ultra-reliable low-latency communication (uRLLC) and massive machine type communication (mMTC).
It should be understood that the network architecture and service scenarios described in the embodiments of this application are intended to illustrate the technical solutions more clearly and do not limit them. A person of ordinary skill in the art will recognize that, as network architectures evolve and new service scenarios emerge, the technical solutions provided in the embodiments of this application apply equally to similar technical problems.
By way of example, FIG. 1 shows the architecture of a 5G network to which the technical solutions provided in the embodiments of this application apply. The 5G network may include a terminal device, a radio access network (RAN) or access network (AN) (hereinafter collectively "(R)AN"), a core network, and a data network (DN). The core network includes multiple core network elements (also called network function elements), for example an access and mobility management function (AMF) network element, a session management function (SMF) network element, a policy control function (PCF) network element, a user plane function (UPF) network element, an application function (AF) network element, an authentication server function (AUSF) network element, and a unified data management (UDM) network element. The core network may further include other network elements not shown, such as a security anchor function (SEAF) network element and an authentication credential repository and processing function (ARPF); these are not described further here.
The terminal device communicates with the AMF over the next generation (N) 1 interface (N1 for short), the RAN device communicates with the AMF over the N2 interface (N2) and with the UPF over the N3 interface (N3), and the UPF communicates with the DN over the N6 interface (N6).
Control plane network elements such as the AMF, SMF, UDM, AUSF or PCF may also interact through service-based interfaces. For example, as shown in FIG. 1, the service-based interface exposed by the AMF may be Namf; by the SMF, Nsmf; by the UDM, Nudm; by the PCF, Npcf; and by the AUSF, Nausf. These are not described one by one here.
It should be noted that the above core network elements may have other names; the embodiments of this application are not limited in this respect. For example, the AMF network element may be referred to simply as the AMF, the UPF network element as the UPF, and so on.
The AMF network element is mainly responsible for mobility management, for example access control, mobility management, attach and detach, and SMF selection. When the AMF network element serves a session of the terminal device, it provides control plane storage resources for that session to store the session identifier, the SMF identifier associated with the session identifier, and so on.
The UDM network element is mainly used to manage subscriber subscription data and authentication data, and to perform authentication credential processing, user identity handling, access authorization, registration/mobility management, subscription management, short message management, and so on.
The AUSF network element provides the AMF with authentication services for the terminal device and applies security protection to data that some network elements (for example the UDM) send to the terminal device.
The SEAF network element participates in the authentication procedure for the terminal device and is responsible for relaying the corresponding authentication information.
The (R)AN may consist of (R)AN devices. An (R)AN device may be a base station of any form, for example a macro base station, a micro base station (also called a "small cell"), or a distributed unit-control unit (DU-CU), where the DU-CU is a device deployed in the radio access network that can communicate wirelessly with the terminal device. The base station may also be a radio controller in a cloud radio access network (CRAN) scenario, or a relay station, an access point, a vehicle-mounted device, a wearable device, or a network device in a future evolved public land mobile network (PLMN). The (R)AN device may also be a broadband network gateway (BNG), an aggregation switch, a non-3rd generation partnership project (3GPP) access device, and so on. The (R)AN device is mainly responsible for radio resource management on the air interface side, classification of uplink and downlink data, quality of service (QoS) management, data compression and encryption, signalling processing with control plane network elements, and data forwarding with user plane function network elements. The embodiments of this application do not limit the specific form or structure of the (R)AN device. By way of example, in systems using different radio access technologies, devices with base station functions may have different names. For example, the base station may be an evolved universal terrestrial radio access network (E-UTRAN) device in LTE, such as an evolved NodeB (eNB or e-NodeB), or a next generation radio access network (NG-RAN) device in a 5G system, such as a gNB.
The terminal device may be a device with wireless transceiving capability. It may go by different names, such as user equipment (UE), access terminal, terminal unit, terminal station, mobile station, mobile, remote station, remote terminal, mobile device, wireless communication device, terminal agent or terminal apparatus. The terminal may be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; on water (for example on ships); or in the air (for example on aircraft, balloons and satellites). Terminal devices include handheld devices, vehicle-mounted devices, wearable devices and computing devices with wireless communication capability. By way of example, the terminal device may be a mobile phone, a tablet computer or a computer with a wireless transceiver. It may also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in autonomous driving, a wireless terminal in telemedicine, a wireless terminal in a smart grid, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on. In the embodiments of this application, "terminal device" may also refer to an apparatus that implements the functions of a terminal device, such as a chip system. In the embodiments of this application, a chip system may consist of chips alone, or of chips together with other discrete components. The embodiments of this application describe the technical solutions taking the case where the apparatus implementing the functions of the terminal device is the terminal itself as an example.
By way of example, FIG. 2 shows the structure of a terminal device provided by an embodiment of this application. As shown in FIG. 2, the terminal device includes at least a universal integrated circuit card (UICC) and a mobile equipment (ME).
The UICC is mainly used to store and compute subscriber information, authentication keys, payment information and the like. The UICC is a removable smart card: a user only needs to remove it from one terminal and insert it into another to transfer the information stored on it from one terminal to the other. The UICC may contain one or more logical modules, such as a subscriber identity module (SIM), a USIM, an IP multimedia service identity module (ISIM), and non-telecommunication modules such as electronic signature authentication and an electronic wallet.
Referring to FIG. 3, the ME may include the following components: a radio frequency (RF) circuit 110, a memory 120, other input devices 130, a display screen 140, a sensor 150, an audio circuit 160, an I/O subsystem 170, a processor 180, and a power supply 190. Those skilled in the art will understand that the ME structure shown in FIG. 3 does not limit the ME; the ME may include more or fewer components than shown, combine some components, split some components, or arrange the components differently.
The RF circuit 110 may be used to receive and transmit signals while receiving or sending information or during a call; in particular, it receives downlink information from the base station and passes it to the processor 180 for processing, and sends uplink data to the base station. The RF circuit typically includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and the like. The RF circuit 110 may also communicate with networks and other devices by wireless communication, using any communication standard or protocol, including but not limited to the global system for mobile communications (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), long term evolution (LTE), e-mail, and the short message service (SMS).
The memory 120 may be used to store software programs and modules; the processor 180 executes the various functional applications and data processing of the ME by running the software programs and modules stored in the memory 120. The memory 120 may mainly include a program storage area and a data storage area. The program storage area may store an operating system and the application programs required for at least one function (such as an audio playback function or an image playback function); the data storage area may store data created through use of the ME (such as audio data or a phone book). In addition, the memory 120 may include high-speed random access memory and may also include non-volatile memory (NVM), for example at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The other input devices 130 may be used to receive input digits or character information and to generate key signal inputs related to user settings and function control of the ME. Specifically, the other input devices 130 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and power keys), a trackball, a mouse, a joystick, and an optical mouse (a touch-sensitive surface that does not display visual output, or an extension of the touch-sensitive surface formed by a touch screen). The other input devices 130 are connected to the other input device controller 171 of the I/O subsystem 170 and exchange signals with the processor 180 under the control of the other input device controller 171.
The display 140 may be used to display information input by the user or provided to the user, as well as the various menus of the ME; it may also accept user input. Specifically, the display 140 may include a display panel 141 and a touch panel 142. The display panel 141 may be configured as a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or the like. The touch panel 142, also called a touch screen or touch-sensitive screen, can collect contact or non-contact operations by the user on or near it (for example, operations performed by the user with a finger, a stylus, or any other suitable object or accessory on or near the touch panel 142; these may also include motion-sensing operations, and include operation types such as single-point control and multi-point control), and drive the corresponding connected device according to a preset program. Optionally, the touch panel 142 may include two parts: a touch detection device and a touch controller. The touch detection device detects the position and gesture of the user's touch, detects the signal produced by the touch operation, and passes the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into information the processor can handle, sends it to the processor 180, and can receive and execute commands sent by the processor 180. In addition, the touch panel 142 may be implemented using resistive, capacitive, infrared, surface acoustic wave, or other types of technology, or using any technology developed in the future. Further, the touch panel 142 may cover the display panel 141; the user may operate on or near the touch panel 142 covering the display panel 141 according to the content displayed on the display panel 141 (including but not limited to a soft keyboard, a virtual mouse, virtual keys, and icons). After the touch panel 142 detects an operation on or near it, it passes the operation to the processor 180 through the I/O subsystem 170 to determine the user input, and the processor 180 then provides the corresponding visual output on the display panel 141 through the I/O subsystem 170 according to the user input. Although in FIG. 3 the touch panel 142 and the display panel 141 are two separate components implementing the input and output functions of the ME, in some embodiments the touch panel 142 and the display panel 141 may be integrated to implement the input and output functions of the ME.
The ME may further include at least one sensor 150, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor. The ME may also be configured with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which are not described here.
The I/O subsystem 170 controls external input and output devices and may include an other input device controller 171, a sensor controller 172, and a display controller 173. Optionally, one or more other input device controllers 171 receive signals from and/or send signals to the other input devices 130, which may include physical buttons (push buttons, rocker buttons, and so on), a dial, a slide switch, a joystick, and a click wheel. Note that the other input device controller 171 may be connected to any one or more of the above devices. The display controller 173 in the I/O subsystem 170 receives signals from and/or sends signals to the display 140. After the display 140 detects user input, the display controller 173 converts the detected user input into interaction with the user interface objects displayed on the display 140, that is, it implements human-computer interaction. The sensor controller 172 may receive signals from and/or send signals to one or more sensors 150.
The processor 180 is the control center of the ME. It connects the various parts of the ME through various interfaces and lines, and performs the various functions of the ME and processes data by running or executing the software programs and/or modules stored in the memory 120 and calling the data stored in the memory 120, thereby monitoring the ME as a whole. Optionally, the processor 180 may include one or more processing units; preferably, the processor 180 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, and application programs, and the modem processor mainly handles wireless communication. It can be understood that the modem processor may also be left out of the processor 180.
The ME further includes a power supply 190 (such as a battery) that powers the components. Preferably, the power supply may be logically connected to the processor 180 through a power management system, so that charging, discharging, and power consumption are managed through the power management system.
Although not shown, the ME may further include a camera, a Bluetooth module, and the like, which are not described here.
To facilitate understanding of the technical solutions of this application, the terms involved in this application are briefly introduced first.
1. (U)SIM card
In the embodiments of this application, (U)SIM card is a collective term for a SIM card and a USIM card. That is, a (U)SIM card may be a SIM card or a USIM card.
In a mobile communication system, the (U)SIM card serves as the identifier of a mobile subscriber's network identity. The (U)SIM card is used to store subscriber data and to complete subscriber identity authentication. One (U)SIM card corresponds to one mobile subscriber. Note that the (U)SIM card may store the terminal identity corresponding to the mobile subscriber.
A (U)SIM card may be implemented as a physical card, including but not limited to a standard SIM card, a Mini-SIM card, a Micro-SIM card, and a Nano-SIM card.
Alternatively, a (U)SIM card may be implemented in the form of a chip, for example an embedded subscriber identity module (eSIM).
2. Security protection
Security protection refers to processing such as encryption/decryption and/or integrity protection/verification of data, to avoid risks such as data leakage or data tampering.
1) Encryption/decryption
Encryption/decryption protects the confidentiality of data during transmission (and is therefore also called confidentiality protection); confidentiality means that the real content cannot be read directly. Encryption protection is generally implemented by encrypting the data with a key and an encryption algorithm. For the specific method, refer to section 8.2 of 3GPP TS 33.401 f50 or section 6.4.4 of TS 33.501 f50, which is not repeated here.
2) Integrity protection/verification
Integrity protection/verification is used to determine whether the content of a message has been altered in transit, and can also serve as authentication to confirm the origin of the message. Integrity verification and protection require a message authentication code (MAC). For the specific method, refer to section 8.1 of 3GPP TS 33.401 f50 or section 6.4.3 of TS 33.501 f50, which is not repeated here.
The MAC therefore serves two purposes: it can be used to check whether the content of a message was altered in transit, and it can be used as authentication to confirm the origin of the message.
As shown in FIG. 4, the sender inputs the key (KEY), counter (COUNT), length (LENGTH), bearer (BEARER), message (MESSAGE), direction (DIRECTION), and other parameters into the evolved packet system integrity algorithm (EIA) to obtain the message authentication code for integrity (MAC-I) or the NAS-MAC.
As shown in FIG. 5, the receiver inputs the integrity protection key, COUNT, LENGTH, BEARER, MESSAGE, DIRECTION, and other parameters into the EIA to obtain the expected message authentication code for integrity (XMAC-I) or the expected non-access stratum message authentication code (XNAS-MAC).
The receiver compares the received MAC-I with the XMAC-I it generated itself to verify the integrity of the message. If MAC-I equals XMAC-I, the receiver determines that the received MAC-I passes verification and therefore that the message sent by the sender is intact; if MAC-I and XMAC-I differ, the receiver determines that the received MAC-I fails verification and therefore that the message sent by the sender is not intact.
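The sender/receiver computation of FIGS. 4 and 5, as an added example that is not code from the patent or from 3GPP. The input layout (COUNT: 32 bits, BEARER: 5 bits, DIRECTION: 1 bit, 26 zero bits, then MESSAGE) follows TS 33.401 Annex B.2; the 5G NIA algorithms in TS 33.501 use the same layout. Assumptions: the real 128-EIA2 / 128-NIA2 core (AES-CMAC) is replaced by HMAC-SHA-256 from the standard library so the example runs offline; the key, bearer and message values are constructed. The `NasReceiver` class goes beyond the figures by also tracking the last accepted COUNT, so that a replayed message with a valid MAC-I is still rejected.

```python
"""Integrity protection in the 3GPP EIA/NIA style: build the COUNT || BEARER ||
DIRECTION || MESSAGE input, derive a 32-bit MAC-I at the sender, recompute
XMAC-I at the receiver and compare.

Added example, not code from the patent or from 3GPP. The input layout follows
TS 33.401 Annex B.2. ASSUMPTION: HMAC-SHA-256 stands in for the AES-CMAC core
of 128-EIA2 / 128-NIA2 so the script runs with the standard library only.
"""
import hashlib
import hmac
import struct

MAC_LEN = 4      # MAC-I / NAS-MAC / XMAC-I are 32 bits
KEY_LEN = 16     # integrity keys (K_NASint, K_RRCint) are 128 bits


def integrity_input(count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Return COUNT[32] || BEARER[5] || DIRECTION[1] || 0^26 || MESSAGE."""
    if not 0 <= count < 2 ** 32:
        raise ValueError("COUNT is a 32-bit value")
    if not 0 <= bearer < 32:
        raise ValueError("BEARER is a 5-bit value")
    if direction not in (0, 1):
        raise ValueError("DIRECTION is 0 (uplink) or 1 (downlink)")
    # second 32-bit word: BEARER in bits 31..27, DIRECTION in bit 26, rest zero
    header = struct.pack(">II", count, (bearer << 27) | (direction << 26))
    return header + message


def compute_mac(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Sender side (FIG. 4): MAC-I is the leftmost 32 bits of the algorithm output."""
    if len(key) != KEY_LEN:
        raise ValueError("integrity key must be 128 bits")
    data = integrity_input(count, bearer, direction, message)
    tag = hmac.new(key, data, hashlib.sha256).digest()   # stand-in for AES-CMAC
    return tag[:MAC_LEN]


def verify_mac(key: bytes, count: int, bearer: int, direction: int,
               message: bytes, received_mac: bytes) -> bool:
    """Receiver side (FIG. 5): recompute XMAC-I and compare in constant time."""
    if len(received_mac) != MAC_LEN:
        return False
    xmac = compute_mac(key, count, bearer, direction, message)
    return hmac.compare_digest(xmac, received_mac)


class NasReceiver:
    """Receiver state beyond the figures: remembers the last accepted COUNT so a
    replayed (same COUNT) or out-of-order message is rejected even though its
    MAC-I would verify correctly."""

    def __init__(self, key: bytes, bearer: int, direction: int):
        self.key, self.bearer, self.direction = key, bearer, direction
        self.last_count = -1

    def receive(self, count: int, message: bytes, mac_i: bytes) -> bool:
        if count <= self.last_count:
            return False      # replay or stale COUNT
        if not verify_mac(self.key, count, self.bearer, self.direction, message, mac_i):
            return False      # XMAC-I != MAC-I: tampered message or wrong key
        self.last_count = count
        return True


if __name__ == "__main__":
    key = bytes(range(16))                      # constructed 128-bit integrity key
    msg = b"Registration Request"               # constructed NAS payload
    mac = compute_mac(key, count=7, bearer=1, direction=0, message=msg)
    rx = NasReceiver(key, bearer=1, direction=0)
    print("fresh   :", rx.receive(7, msg, mac))
    print("replay  :", rx.receive(7, msg, mac))
    print("tampered:", rx.receive(8, msg + b"x", mac))
```

The constant-time comparison matters on the receiver: comparing MAC-I and XMAC-I byte by byte with an early exit leaks how many leading bytes matched, which is exactly the side channel a forger needs.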
3. Registration procedure
The registration procedure establishes the connection between the terminal device and the network side so that the terminal device can access the network. Registration procedures can be divided into:
1) Initial registration: the first registration procedure initiated by the terminal device for some reason (for example, power-on).
2) Mobility registration update: a registration procedure initiated when the terminal device moves out of its previous service area.
3) Periodic registration: a registration procedure initiated by the terminal device at a preset interval. It should be understood that periodic registration resembles a heartbeat mechanism: it lets the network side know that the terminal is still within the service area.
As shown in FIG. 6, the registration procedure may include the following steps:
S1. The terminal device sends a registration request to the access network device.
S2. The access network device performs AMF selection.
S3. The access network device sends the registration request to the first AMF.
S4. The first AMF determines the second AMF according to the registration request and sends a context transfer request to the second AMF.
Here, the first AMF is the AMF currently serving the terminal device, and the second AMF is the AMF that previously served the terminal device.
S5. The second AMF sends a context transfer response to the first AMF.
S6. The first AMF sends an identity request (for example, Identity Request) to the terminal device.
S7. The terminal device sends an identity response (Identity Response) to the first AMF.
S8. The first AMF performs authentication server function (AUSF) selection.
If the first AMF cannot find a security context locally or from the second AMF, or if integrity verification of the information sent by the terminal device fails at the first AMF, the mobility management network element (the first AMF) shall perform step S9 below.
S9. Authentication and security procedures are performed between the terminal device and the network side.
S10. The first AMF sends a registration complete notification to the second AMF.
S11. The first AMF initiates an identity acquisition procedure toward the UE.
S12. The first AMF performs an equipment identity check with the equipment identity register (EIR).
S13. The first AMF performs UDM selection.
S14. The first AMF performs registration and subscription retrieval with the UDM.
S15. If the first AMF determines that the PCF information provided by the second AMF is unavailable, the first AMF performs PCF selection.
S16. If the first AMF determines that the PCF information provided by the second AMF is available and the PCF indicated by that information is the PCF used by the second AMF, the first AMF sends a control policy request to that PCF.
S17. The first AMF sends an event exposure notification to the SMF.
S18. The first AMF sends an N2 request to the non-3GPP interworking function (N3IWF).
S19. The N3IWF returns an N2 response to the first AMF.
S20. The first AMF sends a registration accept message (for example, Registration Accept) to the terminal device.
The registration accept message indicates that the network side accepts the registration of the terminal device.
S21. The terminal device sends a registration complete message (for example, Registration Complete) to the first AMF.
It can be understood that the registration complete message indicates that the registration procedure is complete.
Steps S4 to S19 and S21 are optional and may or may not be performed depending on the actual situation.
The above introduces the steps of the registration procedure; the registration procedure may also include other steps, and the embodiments of this application are not limited in this respect.
4. Authentication procedure
The authentication procedure is used by the network side and the terminal to negotiate the information used for security protection (for example, keys and counters). In a 5G network there are two authentication procedures: the extensible authentication protocol (EAP)-AKA' procedure and the 5G-AKA procedure.
1) EAP-AKA' procedure
As shown in FIG. 7, the EAP-AKA' procedure includes the following steps:
S201. The UDM generates an authentication vector (AV).
As a possible implementation, when creating the 5G HE AV, the UDM sets the "separation bit" of the authentication management field to 1. The UDM then computes CK' and IK' and replaces CK and IK with CK' and IK', thereby generating AV'.
AV' is the authentication data consisting of RAND, AUTN, XRES, CK', and IK', and is used to authenticate the terminal device in the EAP-AKA' procedure.
S202. The UDM sends a Nudm_UEAuthentication_Get Response message to the AUSF.
The Nudm_UEAuthentication_Get Response message includes AV'.
Optionally, if the Nudm_UEAuthentication_Get Request message previously received by the UDM included a SUCI, the corresponding Nudm_UEAuthentication_Get Response message also includes the SUPI.
S203. The AUSF sends a Nausf_UEAuthentication_Authenticate Response message to the SEAF.
The Nausf_UEAuthentication_Authenticate Response message includes EAP Request/AKA'-Challenge.
S204. The SEAF sends an Authentication Request message to the terminal device.
The Authentication Request message includes EAP Request/AKA'-Challenge.
The Authentication Request message also includes the ngKSI.
After receiving the Authentication Request message, the ME in the terminal device passes the ngKSI and the RAND and AUTN from the EAP Request/AKA'-Challenge to the USIM card.
S205. The terminal device computes the authentication response.
As a possible implementation, after receiving RAND and AUTN, the USIM card in the terminal device verifies the freshness of the 5G AV. After these checks pass, the USIM card computes RES and then sends RES, CK, and IK to the ME.
S206. The terminal device sends an Authentication Response message to the SEAF.
The Authentication Response message includes EAP-Response/AKA'-Challenge.
S207. The SEAF sends a Nausf_UEAuthentication_Authenticate Request message to the AUSF.
In the embodiments of this application, the Nausf_UEAuthentication_Authenticate Request message includes EAP-Response/AKA'-Challenge.
S208. The AUSF verifies the authentication response.
As a possible implementation, the AUSF verifies the EAP-Response/AKA'-Challenge. If authentication fails, the AUSF shall return an authentication failure message to the SEAF.
In addition, the AUSF shall notify the UDM of the authentication result.
S209 (optional). Further EAP messages are exchanged between the terminal device and the AUSF.
S210. The AUSF sends a Nausf_UEAuthentication_Authenticate Response message to the SEAF.
If authentication succeeds, the Nausf_UEAuthentication_Authenticate Response message includes EAP Success || Anchor Key.
If authentication succeeds, the AUSF derives the EMSK from CK' and IK' and uses the most significant 256 bits of the EMSK as K_AUSF. The AUSF then derives K_SEAF from K_AUSF.
S211. The SEAF sends an N1 message to the terminal device.
The N1 message includes the EAP Success message and the ngKSI.
After receiving the EAP Success message, the terminal device derives the EMSK from CK' and IK', uses the most significant 256 bits of the EMSK as K_AUSF, and derives K_SEAF from K_AUSF.
The above introduces the EAP-AKA' procedure; for the specific details, refer to the existing technology, which is not repeated here.
2) 5G-AKA procedure
As shown in FIG. 8, the 5G-AKA procedure includes the following steps:
S301. The UDM generates an authentication vector.
For each Nudm_UEAuthentication_Get Request message it receives, the UDM/ARPF creates a 5G home environment (HE) AV.
As a possible implementation, when creating the 5G HE AV, the UDM sets the separation bit of the authentication management field to 1. The UDM then derives K_AUSF according to TS 33.501 Annex A.2 and the expected response (XRES*) according to TS 33.501 Annex A.4, thereby creating the 5G HE AV.
The 5G HE AV is the authentication data consisting of RAND, AUTN, XRES*, and K_AUSF, and is used to authenticate the terminal device in the 5G-AKA procedure.
S302. The UDM sends a Nudm_UEAuthentication_Get Response message to the AUSF.
The Nudm_UEAuthentication_Get Response message includes the 5G HE AV.
Optionally, if the Nudm_UEAuthentication_Get Request message received by the UDM included a SUCI, the corresponding Nudm_UEAuthentication_Get Response message also includes the SUPI.
S303. The AUSF stores XRES*.
As a possible implementation, the AUSF temporarily stores XRES* together with the received SUCI or SUPI.
S304. The AUSF computes the hash expected response (HXRES*).
As a possible implementation, the AUSF computes HXRES* from XRES* and K_SEAF from K_AUSF.
S305. The AUSF sends a Nausf_UEAuthentication_Authenticate Response message to the SEAF.
The Nausf_UEAuthentication_Authenticate Response message includes the 5G SE AV, which consists of RAND, AUTN, and HXRES*.
S306. The SEAF sends an Authentication Request message to the terminal device.
The Authentication Request message includes RAND and AUTN.
The Authentication Request message also includes the ngKSI. Note that the terminal device and the AMF use this ngKSI to identify K_AMF and the partial native security context created if authentication succeeds.
The ME in the terminal device forwards the random value (RAND) and authentication token (AUTN) from the Authentication Request message to the USIM card.
S307. The terminal device computes the authentication response (RES*).
As a possible implementation, after receiving RAND and AUTN, the USIM card in the terminal device verifies the freshness of the 5G AV. After these checks pass, the USIM card computes RES.
The USIM card also returns RES, CK, and IK to the ME. The ME derives RES* from RES, and also computes K_AUSF and K_SEAF.
S308. The terminal device sends an Authentication Response message to the SEAF.
The Authentication Response message includes RES*.
S309. The SEAF computes HRES* and compares it with HXRES*.
HRES* is derived from RES*.
It should be understood that when HRES* matches HXRES*, the SEAF considers authentication successful from the perspective of the serving network.
If HRES* matches HXRES*, the SEAF performs step S310 below.
S310. The SEAF sends a Nausf_UEAuthentication_Authenticate Request message to the AUSF.
The Nausf_UEAuthentication_Authenticate Request message includes RES*.
S311. The AUSF verifies the received RES*.
As a possible implementation, when the AUSF receives the Nausf_UEAuthentication_Authenticate Request message carrying RES* as the authentication confirmation, the AUSF may check whether the AV has expired. If the AV has expired, the AUSF considers authentication unsuccessful from the perspective of the home network. If the AV has not expired, the AUSF compares the received RES* with the stored XRES*. If RES* equals XRES*, the AUSF considers authentication successful from the perspective of the home network. The AUSF then notifies the UDM of the authentication result.
If authentication succeeds, the AUSF stores K_AUSF.
S312. The AUSF sends a Nausf_UEAuthentication_Authenticate Response message to the SEAF.
The Nausf_UEAuthentication_Authenticate Response message indicates the home network's result for this authentication; that is, it informs the SEAF whether authentication succeeded from the perspective of the home network.
If authentication succeeds, the Nausf_UEAuthentication_Authenticate Response message includes K_SEAF and the SUPI.
If authentication succeeds, the SEAF computes K_AMF from K_SEAF and other parameters, and then provides the ngKSI and K_AMF to the AMF.
The above introduces the 5G-AKA procedure; for the specific details, refer to the existing technology, which is not repeated here.
5. ngKSI
The ngKSI identifies a 5G non-access stratum (NAS) security context and indicates the type of that context. An ngKSI consists of an identifier value and a security context type parameter. The identifier value corresponds uniquely to one 5G NAS security context. The security context type parameter indicates whether the 5G NAS security context is a native 5G NAS security context or a mapped 5G NAS security context.
For example, when the type of the 5G NAS security context is native, the value of the security context type parameter is KSIAMF; when the type is mapped, the value is KSIASME.
It should be understood that for a native security context, the ngKSI is generated by the AMF during the authentication procedure and sent to the terminal device, whereas for a mapped 5G NAS security context, the ngKSI is derived separately by the terminal device and the AMF during inter-system handover.
A native 5G NAS security context is generated through the authentication procedure between a terminal device accessing the 5G network and a 5G core network element.
A mapped 5G NAS security context is obtained by mapping the evolved packet system (EPS) security context that was generated during the terminal device's authentication procedure in the 4G network.
6. 5G NAS security context
The 5G NAS security context is the information used to apply security protection (for example, encryption/decryption and/or integrity protection/verification) to data transmitted between the terminal and the core network.
The security context may include one or more of the following: a root key, an encryption key, an integrity protection key, specific parameters (such as NAS Count), security algorithms, and security indications (for example, whether encryption is enabled, whether integrity protection is enabled, the key lifetime, and the key length).
The encryption key is the parameter the sender inputs when encrypting plaintext into ciphertext with the encryption algorithm. With symmetric encryption, the encryption key and the decryption key are the same, so the receiver can decrypt the ciphertext with the same encryption algorithm and key; in other words, the sender and the receiver encrypt and decrypt with one shared key.
The integrity protection key is the parameter the sender inputs when applying integrity protection to plaintext or ciphertext with the integrity protection algorithm. The receiver verifies the integrity of the protected data with the same integrity protection algorithm and integrity protection key.
The specific parameters (such as NAS Count) are the parameters the sender inputs when applying replay protection to plaintext or ciphertext with the anti-replay protection algorithm. The receiver performs replay verification on the protected data with the same anti-replay protection algorithm.
The security algorithms are the algorithms used to protect data, for example the encryption algorithm, the decryption algorithm and the integrity protection algorithm.
7. SOR
Steering of roaming enables the home public land mobile network (HPLMN) to direct a terminal device that is in automatic network selection mode to search for a specific visited public land mobile network (VPLMN).
As shown in Figure 9, the SOR procedure may include the following steps:
S401. The HPLMN UDM decides to notify the terminal device that the steering information list has been updated.
S402. The HPLMN UDM sends a Nausf_SoRProtection message to the HPLMN AUSF.
The Nausf_SoRProtection message includes the SUPI, the steering information list, and the SOR header.
Optionally, if the HPLMN decides that the terminal device shall acknowledge a successful security check of the received steering information list, the UDM sets the SOR header accordingly, and the Nausf_SoRProtection message also includes an ACK Indication.
S403. The HPLMN AUSF sends a Nausf_SoRProtection Response message to the HPLMN UDM.
The Nausf_SoRProtection Response message includes SoR-MAC-I_AUSF and the SOR counter.
Optionally, if the Nausf_SoRProtection message included an ACK Indication, the Nausf_SoRProtection Response message also includes SoR-XMAC-I_UE.
In the embodiments of this application, SoR-MAC-I_AUSF is computed from the steering information list, the SOR header, the SOR counter and K_AUSF. SoR-XMAC-I_UE is computed from the SOR acknowledgement message, the SOR counter and K_AUSF.
S404. The HPLMN UDM sends a Nudm_SDM_Notification message to the VPLMN AMF.
The Nudm_SDM_Notification message includes the steering information list, the SOR header, SoR-MAC-I_AUSF and the SOR counter.
S405. The VPLMN AMF sends a DL NAS Transport message to the terminal device.
The DL NAS Transport message includes the steering information list, the SOR header, SoR-MAC-I_AUSF and the SOR counter.
S406. The terminal device verifies SoR-MAC-I_AUSF.
As one possible implementation, the terminal device computes SoR-MAC-I_AUSF from the received steering information list, SOR header and SOR counter in the same way as the AUSF, and checks whether the computed SoR-MAC-I_AUSF equals the received SoR-MAC-I_AUSF. If the two are equal, the received SoR-MAC-I_AUSF passes verification.
If the UDM has requested the terminal device to acknowledge a successful security check of the received steering information list, the terminal device also performs step S407 below after it has successfully verified SoR-MAC-I_AUSF.
S407. The terminal device sends a UL NAS Transport message to the VPLMN AMF.
The UL NAS Transport message includes a transparent container, and the transparent container includes SoR-MAC-I_UE.
S408. The VPLMN AMF sends a Nudm_SDM_Info request message to the HPLMN UDM.
The Nudm_SDM_Info request message includes the transparent container, which includes SoR-MAC-I_UE.
S409. The HPLMN UDM compares the received SoR-MAC-I_UE with the stored SoR-XMAC-I_UE.
It should be understood that if the received SoR-MAC-I_UE does not match the stored SoR-XMAC-I_UE, there is a security risk in the network.
The above is a brief introduction to the SOR procedure; for details, refer to the prior art, which is not repeated here.
8. SOR counter
The SOR counter may also be denoted Counter_SOR.
The AUSF and the terminal device associate the SOR counter with K_AUSF. The SOR counter is generally a 16-bit counter and is used to prevent replay attacks.
When the terminal device derives K_AUSF, it sets the SOR counter to 0.
When the AUSF derives K_AUSF, it sets the SOR counter to 1.
9. UE parameters update (UPU)
The UPU procedure enables the network side to update the relevant parameters of the terminal device.
As shown in Figure 10, the UPU procedure may include the following steps:
S501. The UDM decides to perform UPU.
S502. The UDM sends a Nausf_UPUProtection message to the AUSF.
The Nausf_UPUProtection message includes the SUPI and the UPU data.
Optionally, the Nausf_UPUProtection message may also include an acknowledgement indication (ACK indication), indicating that the UDM requests the terminal device to acknowledge a successful security check of the received UPU data.
S503. The AUSF sends a Nausf_UPUProtection response message to the UDM.
The Nausf_UPUProtection response message includes the UPU counter and UPU-MAC-I_AUSF. UPU-MAC-I_AUSF is the MAC produced by integrity-protecting the UPU data, and the UPU counter is the counter used during that integrity protection.
Optionally, if the Nausf_UPUProtection message included an ACK indication, the Nausf_UPUProtection response message also includes UPU-XMAC-I_UE.
Note that UPU-MAC-I_AUSF is computed from the UPU data, the UPU counter and K_AUSF, and UPU-XMAC-I_UE is computed from the ACK indication, the UPU counter and K_AUSF.
S504. The UDM sends a Nudm_SDM_Notification message to the AMF.
The Nudm_SDM_Notification message includes the UPU data, the UPU counter and UPU-MAC-I_AUSF.
S505. The AMF sends a DL NAS Transport message to the terminal device.
The DL NAS Transport message includes the UPU data, the UPU counter and UPU-MAC-I_AUSF.
S506. The terminal device verifies UPU-MAC-I_AUSF.
As one possible implementation, the terminal device computes UPU-MAC-I_AUSF from the received UPU data and UPU counter in the same way as the AUSF, and checks whether the computed UPU-MAC-I_AUSF equals the received UPU-MAC-I_AUSF. If the two are equal, verification succeeds.
If verification succeeds and the UPU data contains parameters protected by a secured packet, the ME in the terminal device forwards the secured-packet-protected parameters to the USIM card in the terminal device.
If verification succeeds and the UPU data does not contain parameters protected by a secured packet, the ME in the terminal device updates its stored parameters according to the parameters in the UPU data.
If the UDM has requested the terminal device to acknowledge a successful security check of the received UPU data, the terminal device performs step S507 below after it has successfully verified UPU-MAC-I_AUSF and updated its parameters according to the UPU data.
S507. The terminal device sends a UL NAS Transport message to the AMF.
The UL NAS Transport message includes a transparent container, and the transparent container includes UPU-MAC-I_UE.
Note that UPU-MAC-I_UE is computed from the UPU acknowledgement, the UPU counter and K_AUSF.
S508. The AMF sends a Nudm_SDM_Info request message to the UDM.
The Nudm_SDM_Info request message includes the transparent container, which includes UPU-MAC-I_UE.
S509. The UDM compares the received UPU-MAC-I_UE with the stored UPU-XMAC-I_UE.
It should be understood that if the received UPU-MAC-I_UE does not match the stored UPU-XMAC-I_UE, there is a security risk in the network.
The above is a brief introduction to the UPU procedure; for details, refer to the prior art, which is not repeated here.
10. UPU counter
The UPU counter may also be denoted Counter_UPU.
The AUSF and the terminal device associate the UPU counter with K_AUSF. The UPU counter is generally a 16-bit counter and is used to prevent replay attacks.
When the terminal device derives K_AUSF, it sets the UPU counter to 0.
When the AUSF derives K_AUSF, it sets the UPU counter to 1.
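The SOR and UPU procedures above (sections 7 to 10) share one pattern: the AUSF binds a counter into a MAC keyed with K_AUSF, the terminal accepts a message only if the counter advanced and the MAC verifies, and a terminal without K_AUSF can only discard it. The following Python model, added here and not part of the patent, walks through that exchange for both procedures; HMAC-SHA256 with a domain label stands in for the 3GPP key derivation function, and the labels, the acknowledgement payload and the key bytes are constructed for the example.

```python
# Added example (not from the patent): simplified model of the SoR / UPU
# protection exchange between the AUSF and the terminal device.
import hashlib
import hmac

COUNTER_BITS = 16                      # SOR / UPU counters are 16-bit counters
COUNTER_MAX = (1 << COUNTER_BITS) - 1
ACK_PAYLOAD = b"\x01"                  # constructed stand-in for the SoR/UPU acknowledgement


def mac_i(k_ausf: bytes, kind: str, side: str, payload: bytes, counter: int) -> bytes:
    """128-bit MAC over (label, counter, payload) under K_AUSF.

    kind is "SOR" or "UPU"; side is "AUSF" (network-to-terminal MAC) or "UE"
    (the acknowledgement MAC).  HMAC-SHA256 stands in for the 3GPP KDF here.
    Binding the counter into the MAC ties each message to one counter value.
    """
    if not 0 <= counter <= COUNTER_MAX:
        raise ValueError("counter outside 16-bit range")
    label = f"{kind}-MAC-I-{side}".encode()
    msg = label + counter.to_bytes(2, "big") + payload
    return hmac.new(k_ausf, msg, hashlib.sha256).digest()[:16]


class Ausf:
    """Network side: holds K_AUSF and the SOR/UPU counters, which start at 1."""

    def __init__(self, k_ausf: bytes):
        self.k_ausf = k_ausf
        self.counters = {"SOR": 1, "UPU": 1}

    def protect(self, kind: str, payload: bytes, want_ack: bool):
        """Return (counter, MAC-I_AUSF, XMAC-I_UE or None) for one message."""
        counter = self.counters[kind]
        self.counters[kind] += 1       # every protected message consumes one value
        mac_ausf = mac_i(self.k_ausf, kind, "AUSF", payload, counter)
        xmac_ue = mac_i(self.k_ausf, kind, "UE", ACK_PAYLOAD, counter) if want_ack else None
        return counter, mac_ausf, xmac_ue


class TerminalDevice:
    """Terminal side: k_ausf=None models a device without a valid K_AUSF."""

    def __init__(self, k_ausf, rollover_preset: int = COUNTER_MAX - 1):
        self.k_ausf = k_ausf
        self.counters = {"SOR": 0, "UPU": 0}   # set to 0 when K_AUSF is derived
        self.rollover_preset = rollover_preset  # threshold for "counter near rollover"

    def verify(self, kind: str, payload: bytes, counter: int, mac_ausf: bytes):
        """Return (status, MAC-I_UE); status is ok / discard / replay / bad_mac."""
        if self.k_ausf is None:
            return "discard", None      # cannot check the MAC, so the message is dropped
        if counter <= self.counters[kind]:
            return "replay", None       # counter did not advance: replayed or stale
        expected = mac_i(self.k_ausf, kind, "AUSF", payload, counter)
        if not hmac.compare_digest(expected, mac_ausf):
            return "bad_mac", None
        self.counters[kind] = counter   # accept and move the stored counter forward
        return "ok", mac_i(self.k_ausf, kind, "UE", ACK_PAYLOAD, counter)

    def counter_near_rollover(self, kind: str) -> bool:
        """True once the stored counter reaches the preset value (about to wrap)."""
        return self.counters[kind] >= self.rollover_preset


def run_exchange(kind: str, payload: bytes, ausf: Ausf, ue: TerminalDevice):
    """One protected delivery plus acknowledgement; returns (status, ack_matches)."""
    counter, mac_ausf, xmac_ue = ausf.protect(kind, payload, want_ack=True)
    status, mac_ue = ue.verify(kind, payload, counter, mac_ausf)
    # the UDM-side comparison of the returned MAC-I_UE with the stored XMAC-I_UE
    ack_ok = status == "ok" and hmac.compare_digest(mac_ue, xmac_ue)
    return status, ack_ok
```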
The above introduces the terms involved in the embodiments of this application; they are described once here and not repeated below.
Currently, after the authentication procedure between a terminal device and the AUSF, the terminal device and the AUSF can store and maintain the same key K_AUSF. For various reasons, however, the terminal device may not hold a valid K_AUSF.
Figure 11 is used as an example to explain why a terminal device may not hold a valid K_AUSF.
S601. ME1, with USIM card 1 inserted, registers in the 5G network and generates a 5G NAS security context with ngKSI=0 together with 5G authentication key information.
It should be understood that ngKSI=0 is only an example.
The 5G NAS security context may be stored in the EF_5GS3GPPNSC card file, and the 5G authentication key information in the EF_5GAUTHKEYS card file. The 5G authentication key information includes K_AUSF and other keys.
S602. ME1 stores the 5G authentication key information, and USIM card 1 stores the 5G NAS security context with ngKSI=0.
Afterwards, when ME1 with USIM card 1 inserted deregisters, the network side still retains the 5G NAS security context with ngKSI=0.
S603. USIM card 1 is removed from ME1 and inserted into ME2.
At this point, USIM card 1 still stores the 5G NAS security context with ngKSI=0, but ME2 does not store the corresponding 5G authentication key information.
S604. After ME2, with USIM card 1 inserted, is powered on, it sends an initial registration request message.
Because USIM card 1 stores the 5G NAS security context with ngKSI=0, the initial registration request message carries ngKSI=0.
S605. The AMF activates the 5G NAS security context with ngKSI=0.
ME2 with USIM card 1 inserted registers successfully in the 5G network.
It should be understood that, after steps S601-S605, ME2 with USIM card 1 inserted holds no 5G authentication key information. As a result, ME2 cannot perform security verification on information from some network elements on the network side (for example, the UDM) and can only discard that information. The SOR procedure is used below as an example.
S606. The HPLMN UDM decides to notify ME2, with USIM card 1 inserted, that the steering information list has been updated.
S607. The HPLMN UDM sends a Nausf_SoRProtection message to the HPLMN AUSF.
The Nausf_SoRProtection message includes the SUPI, the steering information list, and the SOR header.
S608. The HPLMN AUSF sends a Nausf_SoRProtection Response message to the HPLMN UDM.
The Nausf_SoRProtection Response message includes SoR-MAC-I_AUSF and the SOR counter.
S609. The HPLMN UDM sends a Nudm_SDM_Notification message to the VPLMN AMF.
The Nudm_SDM_Notification message includes the steering information list, the SOR header, SoR-MAC-I_AUSF and the SOR counter.
S610. The VPLMN AMF sends a DL NAS Transport message to ME2 with USIM card 1 inserted.
The DL NAS Transport message includes the steering information list, the SOR header, SoR-MAC-I_AUSF and the SOR counter.
After receiving the DL NAS Transport message, ME2 with USIM card 1 inserted cannot perform a security check on SoR-MAC-I_AUSF, because it does not store the 5G authentication key information.
S611. ME2 with USIM card 1 inserted discards the DL NAS Transport message because it cannot verify SoR-MAC-I_AUSF.
It should be understood that, besides the cause shown in Figure 11, a terminal device may lack a valid K_AUSF for other reasons, for example a storage fault in the terminal device or abnormal operation of its software; this is not limited here.
It can be seen that, currently, when a terminal device does not store a valid K_AUSF but does store an ngKSI, it sends an initial registration request message carrying that ngKSI in the initial registration procedure after power-on, so that the network side activates the corresponding 5G NAS security context. The network side does not know that the terminal device lacks a valid K_AUSF, so it follows the security protection steps of the normal procedures (for example the SOR procedure and the UPU procedure) and uses K_AUSF to protect the information it sends to the terminal device. Because the terminal device holds no valid K_AUSF, it cannot verify the protected information and can only discard it. This prevents the relevant network elements on the network side (for example the UDM) from communicating securely with the terminal device as intended.
To solve this technical problem, an embodiment of this application provides a communication method. As shown in Figure 12, the communication method includes the following steps:
S701. When the terminal device needs to initiate an initial registration procedure, it determines whether a valid intermediate key exists.
The terminal device is provided with a (U)SIM card, and the (U)SIM card stores a key set identifier.
For example, the key set identifier may be the ngKSI, or a key set identifier used to identify a security context in a future network.
In the embodiments of this application, the intermediate key may include K_AUSF, K_SEAF for 3GPP access, and K_SEAF for non-3GPP access.
Optionally, the scenario in which the terminal device needs to initiate an initial registration procedure may be that the terminal device has just been powered on.
For example, after a new (U)SIM card is inserted into the terminal device, the terminal device is powered on in response to a user operation and prepares to initiate an initial registration procedure with the inserted (U)SIM card.
Optionally, step S701 may include the following sub-steps S7011-S7013.
S7011. If the terminal device is also provided with a non-volatile memory, the terminal device determines whether the terminal identity in the non-volatile memory is consistent with the terminal identity in the (U)SIM card.
It should be understood that when the terminal device is provided with a non-volatile memory, the non-volatile memory stores the terminal identity of a (U)SIM card when that card is removed from the terminal device. If a (U)SIM card is later inserted, the terminal device compares the terminal identity in the newly inserted (U)SIM card with the terminal identity in the non-volatile memory.
If they are consistent, the newly inserted (U)SIM card is the same card that was previously removed, so the card files stored in the terminal device's non-volatile memory (for example the EF_5GAUTHKEYS card file) are valid for the newly inserted (U)SIM card, and the terminal device performs step S7012 below.
If they are inconsistent, the newly inserted (U)SIM card is not the card that was previously removed, so the card files stored in the terminal device's non-volatile memory (for example the EF_5GAUTHKEYS card file) are invalid for the newly inserted (U)SIM card; the terminal device therefore need not search the non-volatile memory for a valid intermediate key, and performs step S7013 below.
S7012. If the terminal identity in the non-volatile memory is consistent with the terminal identity in the (U)SIM card, the terminal device determines whether a valid intermediate key exists in the non-volatile memory or the (U)SIM card.
S7013. If the terminal identity in the non-volatile memory is inconsistent with the terminal identity in the (U)SIM card, the terminal device determines whether a valid intermediate key exists in the (U)SIM card.
The terminal identity uniquely identifies the terminal device in the network.
In a 4G network, the terminal identity may be the international mobile subscriber identity (IMSI).
In a 5G network, the terminal identity may be the subscription permanent identifier (SUPI), the subscription concealed identifier (SUCI), or the 5G globally unique temporary identity (5G-GUTI). Note that the SUPI represents the real identity of the terminal device and is similar in function to the IMSI in LTE. The SUCI is generated by encrypting the SUPI with a public key; transmitting the SUCI rather than the plaintext SUPI between the network device and the terminal device prevents the SUPI from being captured by an attacker. The SUCI can be decrypted with the private key paired with that public key to recover the SUPI.
S702. If no valid intermediate key exists, the terminal device deletes the key set identifier.
In the embodiments of this application, deleting the key set identifier may be implemented as the terminal device setting the value of the ngKSI to a first value, where the first value indicates "no key is available".
S703. The terminal device sends an initial registration request message to the mobility management network element.
As one possible implementation, if the key set identifier previously stored in the (U)SIM card was generated when the terminal device accessed the network through a first access technology, the terminal device may send the initial registration request message to the mobility management network element using that first access technology.
The first access technology may be a 3GPP access technology or a non-3GPP access technology.
It should be understood that because the terminal device has deleted the key set identifier, the initial registration request message does not carry a key set identifier; on receiving an initial registration request message without a key set identifier, the mobility management network element triggers an authentication procedure with the terminal device.
In the embodiments of this application, "the initial registration request message does not carry the key set identifier" may be implemented as the initial registration request message containing first indication information, where the first indication information indicates that no key is available.
For example, the first indication information may be implemented by setting the key set identifier information element in the initial registration request message to "no key is available".
S704. The terminal device obtains authentication key information in the authentication procedure.
The authentication key information includes a valid intermediate key.
Optionally, the authentication key information also includes the value of the SOR counter and/or the value of the UPU counter.
For details of the authentication procedure, refer to the description of the procedure shown in Figure 7 or Figure 8 above, which is not repeated here.
Based on the embodiment shown in Figure 12, when the terminal device needs to initiate an initial registration procedure, it first checks whether a valid intermediate key exists. If no valid intermediate key exists, the terminal device deletes the key set identifier in the (U)SIM card, so that the initial registration request message it sends carries no key set identifier. Because the initial registration request message carries no key set identifier, the mobility management network element initiates an authentication procedure with the terminal device, in which the terminal device and the network side obtain the same intermediate key. In subsequent procedures (for example the SOR procedure or the UPU procedure), the network side can then use the intermediate key to protect the information it sends to the terminal device, and the terminal device can use the same intermediate key to verify the protected information. The embodiments of this application thus ensure secure communication between the terminal device and the network side.
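The terminal-side decision in steps S701-S703, together with the network-side reaction, as an added Python model that is not part of the patent. The data layout, the identity values and the helper names are constructed for the example; the value 7 used for "no key is available" is the reserved value of the NAS key set identifier, kept here as a named constant.

```python
# Added example (not from the patent): terminal-side logic for S701-S703
# (sub-steps S7011-S7013), the AMF's reaction, and the S704 key/counter reset.
from dataclasses import dataclass, field
from typing import Dict, Optional

NGKSI_NO_KEY = 7            # key set identifier IE value meaning "no key is available"
INTERMEDIATE_KEYS = ("K_AUSF", "K_SEAF_3gpp", "K_SEAF_non3gpp")


@dataclass
class UsimCard:
    terminal_id: str                                   # SUPI on the card (constructed)
    ngksi: int                                         # from the stored 5G NAS security context
    auth_keys: Dict[str, bytes] = field(default_factory=dict)  # EF_5GAUTHKEYS contents


@dataclass
class NonVolatileMemory:
    terminal_id: Optional[str] = None                  # identity of the card last removed
    auth_keys: Dict[str, bytes] = field(default_factory=dict)


def has_valid_intermediate_key(keys: Dict[str, bytes]) -> bool:
    # Assumption for this model: a key is valid when present and non-empty.
    return any(keys.get(name) for name in INTERMEDIATE_KEYS)


def intermediate_key_available(card: UsimCard, nvm: Optional[NonVolatileMemory]) -> bool:
    """S7011-S7013: decide where a valid intermediate key may be found."""
    if nvm is not None and nvm.terminal_id == card.terminal_id:
        # S7012: same card as before, so the NVM card files still apply to it
        return has_valid_intermediate_key(nvm.auth_keys) or has_valid_intermediate_key(card.auth_keys)
    # S7013: a different card (or no NVM at all), so NVM contents do not apply
    return has_valid_intermediate_key(card.auth_keys)


def build_initial_registration_request(card: UsimCard, nvm: Optional[NonVolatileMemory]) -> dict:
    """S701-S703: delete the key set identifier when no valid key exists."""
    if not intermediate_key_available(card, nvm):
        card.ngksi = NGKSI_NO_KEY            # S702, realised as the "no key is available" value
    return {"ngKSI": card.ngksi}             # S703: key set identifier IE of the request


def amf_on_initial_registration(request: dict, stored_contexts: Dict[int, bytes]) -> str:
    """Network side: reuse a stored context only if the UE still claims a usable key."""
    ngksi = request["ngKSI"]
    if ngksi == NGKSI_NO_KEY or ngksi not in stored_contexts:
        return "authenticate"                # runs authentication; both sides get a fresh K_AUSF
    return "reuse_context"


def on_authentication_success(card: UsimCard, nvm: Optional[NonVolatileMemory],
                              k_ausf: bytes, ngksi: int) -> dict:
    """S704: store the fresh key material and start the replay counters at 0."""
    card.auth_keys["K_AUSF"] = k_ausf
    card.ngksi = ngksi
    if nvm is not None:
        nvm.terminal_id = card.terminal_id
        nvm.auth_keys["K_AUSF"] = k_ausf
    return {"SOR_counter": 0, "UPU_counter": 0}
```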
当前,终端设备在鉴权流程之后,会存储设置为0的SOR counter和UPU counter。之后,在相关流程(例如UPU流程或者SOR流程)中,终端设备会根据网络侧下发的SOR counter或者UPU counter,更新自身存储的SOR counter或者UPU counter。从而,终端设备存储的SOR counter或者UPU counter的数值不断增大。若允许终端设备存储的SOR counter(或者UPU counter)发生翻转,则网络攻击者可以使用之前网络侧发送给终端设备的信息进行重播攻击,影响网络侧与终端设备之间的正常通信。对此,现有技术并未给出相应的解决方案。Currently, the terminal device will store the SOR counter and UPU counter set to 0 after the authentication process. After that, in the relevant process (such as the UPU process or the SOR process), the terminal device will update the SOR counter or UPU counter stored by itself according to the SOR counter or UPU counter sent by the network side. Therefore, the value of the SOR counter or UPU counter stored by the terminal device keeps increasing. If the SOR counter (or UPU counter) stored by the terminal device is allowed to be reversed, the network attacker can use the information previously sent to the terminal device by the network side to replay the attack, affecting the normal communication between the network side and the terminal device. In this regard, the prior art does not provide a corresponding solution.
To solve this technical problem, an embodiment of the present application provides a communication method. As shown in FIG. 13, the communication method includes the following steps:
S801. The terminal device determines whether the value of the first counter in the authentication key information is greater than or equal to a preset value.
The first counter in the authentication key information may be the SOR counter and/or the UPU counter.
It should be understood that a counter greater than or equal to the preset value indicates that the counter is about to roll over.
Counter rollover refers to the process in which a counter starts counting again from 0 after exceeding its maximum counting range.
For example, for a 16-bit counter the counting range is 0 to 65535. When the value of the counter is 65535, adding 1 to the counter causes it to roll over, so that the counter becomes 0.
In this embodiment of the present application, the preset value may be preconfigured when the terminal device leaves the factory, configured by the terminal device according to its own usage, or indicated to the terminal device by a network device. For example, taking a counter with a counting range of 0 to 65535, the preset value may be 65500.
Optionally, the trigger condition for the terminal device to perform step S801 may be any one of the following conditions:
Condition 1. The terminal device has just updated the value of the first counter in the authentication key information.
Condition 2. The terminal device has just been powered on.
Condition 3. The terminal device is about to initiate a registration process.
Conditions 1 to 3 above are merely illustrative and do not constitute a specific limitation.
S802. When the first counter is greater than or equal to the preset value, the terminal device deletes the key set identifier stored by itself.
For example, the key set identifier may be the ngKSI, or a key set identifier used to identify a security context in a future network.
It should be understood that the terminal device may store the key set identifier in the (U)SIM card configured in the terminal device.
In this embodiment of the present application, deleting the key set identifier by the terminal device may be specifically implemented as follows: the terminal device sets the key set identifier to a first value, where the first value is used to indicate "no key is available".
S803. The terminal device sends a registration request message to the mobility management network element.
As a possible implementation, if the key set identifier previously stored in the (U)SIM card is the key set identifier generated when the terminal device accessed the network through a first access technology, the terminal device may send the registration request message to the mobility management network element using the first access technology.
The first access technology may be a 3GPP access technology or a non-3GPP access technology.
It should be understood that, because the terminal device has deleted the key set identifier, the registration request message does not carry the key set identifier; therefore, upon receiving a registration request message that does not carry the key set identifier, the mobility management network element triggers an authentication process with the terminal device.
In this embodiment of the present application, the registration request message not carrying the key set identifier may be specifically implemented as follows: the registration request message includes first indication information, and the first indication information is used to indicate that no key is available.
For example, the first indication information may be specifically implemented as the ngKSI information element in the registration request message being set to "no key is available".
The above registration request message may be an initial registration request message or a registration request message in another registration process.
S804. The terminal device obtains updated authentication key information in the authentication process.
The updated authentication key information includes the updated intermediate key and the first counter with a value of 0. The intermediate key includes K_AUSF, K_SEAF for 3GPP access, and K_SEAF for non-3GPP access.
It should be understood that after the authentication process, the first counter in the authentication key information is associated with the updated intermediate key.
For the specific details of the authentication process, reference may be made to the description of the process shown in FIG. 7 or FIG. 8 above, which is not repeated here.
Based on the embodiment shown in FIG. 13, when the counter in the authentication key information is greater than or equal to the preset value (that is, the counter is about to roll over), the terminal device deletes the key set identifier so that the registration request message sent by the terminal device does not carry the key set identifier. Because the registration request message does not carry the key set identifier, the mobility management network element initiates an authentication process with the terminal device. In the authentication process, the terminal device and the network side obtain the updated authentication key information synchronously; the updated authentication key information includes the updated intermediate key and a counter with a value of 0. In this way, because the information sent by the network side to the terminal device before the authentication process was not protected using the updated intermediate key, even if a network attacker replays information sent by the network side to the terminal device before the authentication process, that information cannot pass the security check of the terminal device, so a replay attack on the terminal device cannot succeed. It can be seen that the embodiments of the present application can ensure normal communication between the terminal device and the network side.
The embodiment shown in FIG. 13 is described below with reference to specific application scenarios. The following scenarios mainly address the case where the trigger condition of step S801 is Condition 1.
Based on the embodiment shown in FIG. 13, as shown in FIG. 14, the communication method further includes steps S901 to S904 before step S801. Correspondingly, step S801 may be specifically implemented as step S905.
S901. The terminal device receives first information.
The first information includes data, the value of a second counter, and a MAC.
For example, taking the SOR process, the data in the first information may be a steering information list and an SOR header, the second counter in the first information may be the SOR counter, and the MAC in the first information may be SoR-MAC-I_AUSF.
For example, taking the UPU process, the data in the first information may be UPU data, the second counter in the first information may be the UPU counter, and the MAC in the first information may be UPU-MAC-I_AUSF.
It should be understood that the first information may also be a message in another process, which is not limited in this embodiment of the present application.
S902. The terminal device compares whether the value of the second counter in the first information is greater than the value of the first counter in the authentication key information.
When the value of the second counter in the first information is less than or equal to the value of the first counter in the authentication key information, the terminal device may discard the first information. Otherwise, the terminal device performs the following step S903.
S903. When the value of the second counter in the first information is greater than the value of the first counter in the authentication key information, the terminal device verifies the MAC in the first information according to the data in the first information and the value of the second counter.
As a possible implementation, the terminal device generates an expected MAC according to the data in the first information, the value of the second counter, and the intermediate key included in the authentication key information. The terminal device compares whether the expected MAC is consistent with the MAC in the first information. When the MAC in the first information is consistent with the expected MAC, the MAC in the first information passes verification. Otherwise, the MAC in the first information fails verification.
For example, taking the SOR process, the terminal device generates SoR-MAC-I_AUSF according to the data in the first information, the value of the second counter, and the intermediate key included in the authentication key information. The terminal device then compares whether the SoR-MAC-I_AUSF it generated is consistent with the SoR-MAC-I_AUSF in the first information. If they are consistent, the SoR-MAC-I_AUSF in the first information passes verification. Otherwise, the SoR-MAC-I_AUSF fails verification.
For example, taking the UPU process, the terminal device generates UPU-MAC-I_AUSF according to the data in the first information, the value of the second counter, and the intermediate key included in the authentication key information. The terminal device then compares whether the UPU-MAC-I_AUSF it generated is consistent with the UPU-MAC-I_AUSF in the first information. If they are consistent, the UPU-MAC-I_AUSF in the first information passes verification. Otherwise, the UPU-MAC-I_AUSF fails verification.
S904. When the MAC in the first information passes verification, the terminal device updates the value of the first counter in the authentication key information with the value of the second counter in the first information.
Taking the SOR process as an example, the terminal device updates the value of the SOR counter in the authentication key information with the value of the SOR counter in the first information. For example, assuming that the value of the SOR counter in the first information is 20 and the value of the SOR counter in the authentication key information is 4, the terminal device may update the value of the SOR counter in the authentication key information to 20.
Taking the UPU process as an example, the terminal device updates the value of the UPU counter in the authentication key information with the value of the UPU counter in the first information.
S905. The terminal device determines whether the updated value of the first counter in the authentication key information is greater than or equal to the preset value.
Based on the embodiment shown in FIG. 14, after each update of the value of the first counter in the authentication key information, the terminal device promptly checks whether the updated value of the first counter is greater than or equal to the preset value. When the updated value of the first counter is greater than or equal to the preset value, the terminal device can trigger the network side to initiate an authentication process by sending a registration request message that does not carry the key set identifier, and thereby obtain updated authentication key information. It can be seen that the embodiment shown in FIG. 14 reduces the occurrence of situations in which a counter is about to roll over without this being detected, and thereby reduces situations in which the network side cannot use the corresponding process (such as the SOR process or the UPU process) because a counter is about to roll over.
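The terminal-side procedure of FIG. 14 (S901 to S905) combined with the near-rollover trigger of FIG. 13 (S801 to S804), as an added example that is not code from the patent or from any 3GPP implementation. It assumes the MAC (SoR-MAC-I_AUSF / UPU-MAC-I_AUSF) is HMAC-SHA-256 over counter || data under the stored K_AUSF rather than the real 3GPP KDF, and the key bytes, message contents, ngKSI values and 16-bit counter width are constructed for illustration.

```python
"""Terminal-side handling of counter-protected SOR/UPU information (S901 to S905)
plus the near-rollover trigger (S801 to S804). Added illustration; assumptions as
in the lead-in: HMAC-SHA-256 stands in for the 3GPP MAC, all values constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

PRESET_VALUE = 65500      # threshold from the page for a 16-bit counter (0..65535)
NO_KEY_AVAILABLE = 7      # ngKSI value "no key is available" (reserved value 111 in 3GPP TS 24.501)


@dataclass
class AuthKeyInfo:
    """Authentication key information: intermediate key plus SOR/UPU counters (0 after authentication)."""
    k_ausf: bytes
    counters: dict = field(default_factory=lambda: {"SOR": 0, "UPU": 0})


@dataclass
class FirstInformation:
    """The 'first information' of S901: data, the second counter and the MAC."""
    kind: str        # "SOR" or "UPU"
    data: bytes      # steering information list + SOR header, or UPU data
    counter: int     # second counter as carried in the message
    mac: bytes       # SoR-MAC-I_AUSF or UPU-MAC-I_AUSF


def compute_mac(k_ausf: bytes, counter: int, data: bytes) -> bytes:
    """Stand-in for the AUSF-side MAC computation (assumption: HMAC-SHA-256 over counter || data)."""
    return hmac.new(k_ausf, counter.to_bytes(2, "big") + data, hashlib.sha256).digest()


@dataclass
class TerminalDevice:
    keys: Optional[AuthKeyInfo]
    ngksi: int = 2                                        # constructed valid key set identifier
    registration_requests: List[dict] = field(default_factory=list)

    def receive_first_information(self, info: FirstInformation) -> str:
        """Steps S901 to S905; returns what the terminal did with the message."""
        if self.keys is None:
            return "discarded: no valid intermediate key"
        # S902: the received counter must be strictly greater than the stored one;
        # anything else is a replay (or out of order) and is dropped.
        if info.counter <= self.keys.counters[info.kind]:
            return "discarded: counter not greater than stored counter"
        # S903: recompute the expected MAC from data, received counter and K_AUSF.
        expected = compute_mac(self.keys.k_ausf, info.counter, info.data)
        if not hmac.compare_digest(expected, info.mac):
            return "discarded: MAC verification failed"
        # S904: MAC verified, adopt the received counter value.
        self.keys.counters[info.kind] = info.counter
        # S905 (S801 under trigger condition 1): is the updated counter near rollover?
        if info.counter >= PRESET_VALUE:
            self.trigger_reauthentication()
            return "accepted; counter near rollover, re-authentication requested"
        return "accepted"

    def trigger_reauthentication(self) -> None:
        # S802: delete the key set identifier by setting it to "no key is available".
        self.ngksi = NO_KEY_AVAILABLE
        # S803: a registration request whose ngKSI IE says "no key is available"
        # makes the mobility management network element start authentication.
        self.registration_requests.append({"ngKSI": self.ngksi})

    def complete_authentication(self, new_k_ausf: bytes, new_ngksi: int) -> None:
        # S804: updated intermediate key; SOR and UPU counters start again at 0.
        self.keys = AuthKeyInfo(k_ausf=new_k_ausf)
        self.ngksi = new_ngksi


def run_scenario() -> List[str]:
    """Constructed walk-through: fresh message, replay, near-rollover message, re-auth, stale replay."""
    old_key = b"\x11" * 32                        # constructed K_AUSF from the previous authentication
    ue = TerminalDevice(keys=AuthKeyInfo(k_ausf=old_key))
    results = []

    sor_list = b"steering-info-list|SOR-header"   # constructed SOR payload
    msg20 = FirstInformation("SOR", sor_list, 20, compute_mac(old_key, 20, sor_list))
    results.append(ue.receive_first_information(msg20))          # accepted; stored counter 0 -> 20
    results.append(ue.receive_first_information(msg20))          # same message again: replay, dropped

    near = FirstInformation("SOR", sor_list, PRESET_VALUE, compute_mac(old_key, PRESET_VALUE, sor_list))
    results.append(ue.receive_first_information(near))           # counter 65500 -> ngKSI deleted
    results.append(f"ngKSI={ue.ngksi}, registrations={len(ue.registration_requests)}")

    # The network authenticates the UE again: new K_AUSF, counters back to 0, new ngKSI.
    ue.complete_authentication(new_k_ausf=b"\x22" * 32, new_ngksi=3)
    # A message captured before re-authentication is replayed: the counter check
    # passes (65500 > 0) but its MAC was computed under the old key, so it fails.
    results.append(ue.receive_first_information(near))
    return results


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```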
Currently, to ensure data security, data delivered by the UDM to the terminal device must be protected using the intermediate key generated in the terminal device's authentication process. Currently, in some scenarios, data delivered by the UDM to the terminal device cannot be protected accordingly. This is described below with reference to some application scenarios.
Scenario 1. After the authentication process, the terminal device and the AUSF involved in the authentication process store the same K_AUSF, so the UDM can request the AUSF involved in the terminal device's authentication process to protect the data to be sent to the terminal device using K_AUSF. However, in some cases the UDM may not have stored the identifier of the AUSF involved in the terminal device's authentication process, so the UDM cannot determine which AUSF to request to protect the data to be sent to the terminal device.
For example, the reason why the UDM has not stored the identifier of the AUSF involved in the terminal device's authentication process may be as follows: the terminal device first registers in a 4G network and generates an EPS security context; afterwards, the terminal device hands over from the 4G network to a 5G network, and the 5G network derives a mapped 5G NAS security context based on the EPS security context and activates that mapped 5G NAS security context. In this process, because there is no AUSF in the 4G network, the UDM cannot have stored the identifier of an AUSF involved in the terminal device's authentication process.
Scenario 2. Because of some factors (for example, the AUSF has not stored K_AUSF, or the counter stored by the AUSF for protecting data is about to roll over), the AUSF cannot normally protect the data that the UDM is to send to the terminal device.
Scenario 3. Because of some factors (for example, the terminal device has not stored K_AUSF, or the counter stored by the terminal device for protecting data is about to roll over), the terminal device cannot normally perform a security check on the data sent by the UDM to the terminal device. For the reasons why the terminal device has not stored K_AUSF, reference may be made to the description above, which is not repeated here.
When the data delivered by the UDM to the terminal device cannot be protected accordingly, the terminal device and the UDM cannot communicate normally. The industry urgently needs a solution to this technical problem.
To solve the above technical problem, an embodiment of the present application provides a communication method. As shown in FIG. 15, the communication method includes the following steps:
S1001. When the unified data management network element needs to send data to the terminal device, it determines that the intermediate key generated in the terminal device's authentication process cannot be used to protect the data.
The intermediate key includes K_AUSF. For the source of K_AUSF, reference may be made to the description of the authentication process shown in FIG. 7 or FIG. 8, which is not repeated here.
In this embodiment of the present application, the unified data management network element may be the UDM in a 5G network, or a network element responsible for managing subscription data, authentication data and the like in a future network. This is stated here once and is not repeated below.
The data to be sent to the terminal device by the unified data management network element may be SOR data, UPU data, subscription data of the terminal device, routing data of the terminal device, a routing identifier, or the like, which is not limited in this embodiment of the present application.
S1002. In response to the determination result, the unified data management network element triggers an authentication process for the terminal device.
The determination result is the determination that the intermediate key generated in the terminal device's authentication process cannot be used to protect the data.
Optionally, in response to the determination result, the unified data management network element may first set a timer for the terminal device and trigger the authentication process for the terminal device after the timer expires.
Optionally, the unified data management network element may trigger the authentication process for the terminal device in any one of the following implementation modes:
Implementation mode 1. The unified data management network element sends fourth indication information to the mobility management network element serving the terminal device. The fourth indication information is used to trigger the authentication process for the terminal device.
It should be understood that the fourth indication information may be carried in existing signaling or in newly added signaling.
For example, the fourth indication information may be carried in a Nudm_SDM_Notification message.
For example, sending the fourth indication information by the unified data management network element to the mobility management network element serving the terminal device may be specifically implemented as follows: the unified data management network element sends a deregistration request message to the mobility management network element, where the deregistration request message is used to request deregistration of the terminal device. In this way, when the terminal device re-registers with the network, the mobility management network element can perform an authentication process with the terminal device.
Implementation mode 2. The unified data management network element sends fifth indication information to the authentication service network element. The fifth indication information is used to instruct the authentication service network element to trigger the mobility management network element to initiate an authentication process for the terminal device.
In this way, after receiving the fifth indication information, the authentication service network element can send sixth indication information to the mobility management network element to trigger the mobility management network element to initiate an authentication process for the terminal device.
It should be understood that the fifth indication information or the sixth indication information may be carried in existing signaling or in newly added signaling.
It should be understood that after the authentication process, the network side and the terminal device obtain the same intermediate key, so the unified data management network element can send data according to the normal process (such as the SOR process or the UPU process).
Based on the embodiment shown in FIG. 15, when data sent by the unified data management network element to the terminal device cannot be protected using the intermediate key, the unified data management network element triggers an authentication process, so that the terminal device and the network side synchronously update the intermediate key and related parameters (such as the SOR counter and/or the UPU counter). Consequently, the data sent by the unified data management network element to the terminal device can be protected using a valid intermediate key, and the terminal device can also perform a corresponding security check on the protected data. In this way, normal communication between the unified data management network element and the terminal device is ensured.
Specific implementations of the embodiment shown in FIG. 15 are described below by way of example.
Implementation 1
As shown in FIG. 16, step S1001 in FIG. 15 may be specifically implemented as step S1101 in FIG. 16, and step S1002 in FIG. 15 may be specifically implemented as step S1102 in FIG. 16.
S1101. The unified data management network element cannot obtain the identifier of the authentication service network element involved in the terminal device's authentication process.
Optionally, in the authentication process, the unified data management network element may establish and store a correspondence between the terminal identity of the terminal device and the identifier of the authentication service network element involved in the terminal device's authentication process. For example, the correspondence may be stored in the format shown in Table 1.
Table 1
Terminal identity of the terminal device | Identifier of the authentication service network element
... | ...
It should be understood that each time the terminal device goes through an authentication process, the unified data management network element updates the correspondence between the terminal identity of the terminal device and the identifier of the authentication service network element, to ensure that the correspondence is valid.
Thus, when the unified data management network element prepares to send data to the terminal device, it can look up the identifier of the corresponding authentication service network element according to the terminal identity of the terminal device. If the unified data management network element does not find the identifier of the corresponding authentication service network element, it determines that the identifier of the authentication service network element involved in the terminal device's authentication process cannot be obtained.
S1102. The unified data management network element triggers an authentication process for the terminal device.
Based on the embodiment shown in FIG. 16, when the unified data management network element cannot obtain the identifier of the authentication service network element involved in the terminal device's authentication process, it promptly triggers an authentication process to ensure normal communication between the unified data management network element and the terminal device in the subsequent process.
It should be understood that the embodiment shown in FIG. 16 can solve the problem of Scenario 1 above.
Implementation 2
As shown in FIG. 17, step S1001 in FIG. 15 may be specifically implemented as steps S1201 to S1202 in FIG. 17, and step S1002 in FIG. 15 may be specifically implemented as step S1203 in FIG. 17.
S1201. The unified data management network element sends a request message to the authentication service network element involved in the terminal device's authentication process.
The request message includes the data.
For example, taking the SOR process, the request message may be a Nausf_SoRProtection message, and the data in the request message may be a steering information list and an SOR header.
For example, taking the UPU process, the request message may be a Nausf_UPUProtection message, and the data in the request message may be UPU data.
Optionally, the request message may further include acknowledgement indication information, which is used to instruct the terminal device to return an acknowledgement message after the security check of the data succeeds.
It should be understood that, before step S1201 is performed, the unified data management network element is able to find the identifier of the authentication service network element involved in the terminal device's authentication process according to the terminal identity of the terminal device.
S1202. The unified data management network element receives a response message sent by the authentication service network element.
The response message is used to indicate that protection of the data has failed.
Taking the SOR process as an example, the response message may be a Nausf_SoRProtection Response message.
Taking the UPU process as an example, the response message may be a Nausf_UPUProtection Response message.
In a possible design, the response message includes second indication information, which is used to indicate the reason for the protection failure.
For example, the reason for the protection failure may include: the intermediate key is missing, or the counter used to protect the data is about to roll over.
It should be understood that in the SOR process the counter used to protect the data is the SOR counter, and in the UPU process it is the UPU counter.
S1203. The unified data management network element triggers an authentication process for the terminal device according to the response message.
Based on the embodiment shown in FIG. 17, the unified data management network element can promptly trigger an authentication process according to the protection failure reason returned by the authentication service network element, to ensure normal communication between the unified data management network element and the terminal device in the subsequent process.
应理解,图17所示的实施例能够解决上述场景二所存在的问题。It should be understood that the embodiment shown in FIG. 17 can solve the problem existing in the above-mentioned second scenario.
Implementation manner three:
As shown in FIG. 18, step S1001 in FIG. 15 may be implemented as steps S1301 to S1304 in FIG. 18, and step S1002 in FIG. 15 may be implemented as step S1305 in FIG. 18.
S1301. The unified data management network element sends a request message to the authentication service network element involved in the authentication procedure of the terminal device.
The request message includes the data.
Optionally, the request message may further include confirmation indication information, which instructs the terminal device to return a confirmation message after it has successfully security-verified the data.
For example, in the SoR procedure the request message may be a Nausf_SoRProtection message, and the data in the request message may be the steering information list and the SoR header.
For example, in the UPU procedure the request message may be a Nausf_UPUProtection message, and the data in the request message may be UPU data.
S1302. The unified data management network element receives a response message sent by the authentication service network element.
The response message includes a first MAC and the value of a first counter.
Optionally, when the request message also includes the confirmation indication information, the response message further includes a second expected MAC.
For example, in the SoR procedure the first MAC is SoR-MAC-I_AUSF, the first counter is the SoR counter, and the second expected MAC is SoR-XMAC-I_UE. For how these three parameters are determined, refer to the description of the SoR procedure shown in FIG. 9; the details are not repeated here.
For example, in the UPU procedure the first MAC is UPU-MAC-I_AUSF, the first counter is the UPU counter, and the second expected MAC is UPU-XMAC-I_UE. For how these three parameters are determined, refer to the description of the UPU procedure shown in FIG. 10; the details are not repeated here.
S1303. The unified data management network element sends first information to the terminal device.
The first information includes the data, the first MAC, and the value of the first counter.
As one possible implementation, the unified data management network element first sends the first information to the mobility management network element serving the terminal device, and that mobility management network element then sends the first information to the terminal device.
For example, in the SoR procedure, step S1303 may be implemented as steps S404 to S405 in FIG. 9.
For example, in the UPU procedure, step S1303 may be implemented as steps S504 to S505 in FIG. 10.
S1304. If the unified data management network element does not receive a confirmation message from the terminal device within a preset time, the unified data management network element determines that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device.
The duration of the preset time may be configured by the unified data management network element according to an indication from an operation, administration and maintenance (OAM) system, or configured by the unified data management network element according to the actual situation; this is not limited in the embodiments of this application.
As one possible implementation, after sending the first information, the unified data management network element starts a timer for the terminal device. If the timer expires and the unified data management network element has still not received a confirmation message from the terminal device, it determines that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device.
It should be understood that the duration of the timer is the duration of the preset time described above.
S1305. In response to the determination result, the unified data management network element triggers an authentication procedure for the terminal device.
Based on the embodiment shown in FIG. 18, if the unified data management network element receives no confirmation message from the terminal device within the preset time, it can learn that the terminal device could not successfully security-verify the first information, and hence that the terminal device may not hold a valid intermediate key. In that case, the unified data management network element triggers the authentication procedure in time, ensuring normal communication between the unified data management network element and the terminal device in subsequent procedures.
It should be understood that the embodiment shown in FIG. 18 can solve the problem present in the third scenario described above.
Implementation manner four:
As shown in FIG. 19, step S1001 in FIG. 15 may be implemented as steps S1401 to S1405 in FIG. 19, and step S1002 in FIG. 15 may be implemented as step S1406 in FIG. 19.
S1401 to S1403 are similar to steps S1301 to S1303; for the details, refer to the embodiment shown in FIG. 18, which are not repeated here.
S1404. The unified data management network element receives a confirmation message from the terminal device.
The confirmation message includes a second MAC.
In the SoR procedure, the second MAC is SoR-MAC-I_UE; in the UPU procedure, the second MAC is UPU-MAC-I_UE.
For example, in the SoR procedure, step S1304 may be implemented as steps S407 to S408 in FIG. 9.
For example, in the UPU procedure, step S1304 may be implemented as steps S507 to S508 in FIG. 9.
After receiving the confirmation message, the unified data management network element may verify the confirmation message.
For example, verifying the confirmation message may be implemented as follows: the unified data management network element compares the received second MAC with the stored second expected MAC. If the second MAC matches the second expected MAC, verification of the confirmation message succeeds; otherwise, verification of the confirmation message fails.
S1405. If verification of the confirmation message fails, the unified data management network element determines that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device.
S1406. In response to the determination result, the unified data management network element triggers an authentication procedure for the terminal device.
Based on the embodiment shown in FIG. 19, when security verification of the confirmation message from the terminal device fails, the unified data management network element can learn that the terminal device could not successfully security-verify the first information, and hence that the terminal device may not hold a valid intermediate key. In that case, the unified data management network element triggers the authentication procedure in time, ensuring normal communication between the unified data management network element and the terminal device in subsequent procedures.
It should be understood that the embodiment shown in FIG. 19 can solve the problem present in the third scenario described above.
Implementation manner five:
As shown in FIG. 20, step S1001 in FIG. 15 may be implemented as steps S1501 to S1505 in FIG. 20, and step S1002 in FIG. 15 may be implemented as step S1506 in FIG. 20.
S1501 to S1503 are similar to steps S1301 to S1304; for the details, refer to the embodiment shown in FIG. 18, which are not repeated here.
S1504. The unified data management network element receives a confirmation message from the terminal device.
The confirmation message includes a second MAC.
In the SoR procedure, the second MAC is SoR-MAC-I_UE; in the UPU procedure, the second MAC is UPU-MAC-I_UE.
For example, in the SoR procedure, step S1304 may be implemented as steps S407 to S408 in FIG. 9.
For example, in the UPU procedure, step S1304 may be implemented as steps S507 to S508 in FIG. 9.
After receiving the confirmation message, the unified data management network element may verify the confirmation message.
For example, verifying the confirmation message may be implemented as follows: the unified data management network element compares the received second MAC with the stored second expected MAC. If the second MAC matches the second expected MAC, verification of the confirmation message succeeds; otherwise, verification of the confirmation message fails.
Optionally, if verification of the confirmation message succeeds, the unified data management network element may perform step S1505 below.
In this embodiment of this application, the confirmation message includes third indication information, which indicates the reason why security verification failed.
For example, the reason for the security verification failure may be that the intermediate key is missing, or that the counter used to security-protect the data is about to wrap around.
It should be understood that in the SoR procedure the counter used to security-protect the data is the SoR counter, and in the UPU procedure it is the UPU counter.
S1505. The unified data management network element determines, according to the third indication information, that the data cannot be security-protected using the intermediate key generated in the authentication procedure of the terminal device.
S1506. In response to the determination result, the unified data management network element triggers an authentication procedure for the terminal device.
Based on the embodiment shown in FIG. 20, the unified data management network element can trigger the authentication procedure in time according to the security verification failure reason returned by the terminal device, so as to ensure normal communication between the unified data management network element and the terminal device in subsequent procedures.
It should be understood that the embodiment shown in FIG. 20 can solve the problem present in the third scenario described above.
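The following simulation is an added example and is not code from the patent or from any 3GPP implementation. It drives the four UDM-side decision paths described in implementation manners two to five (AUSF reports a failure reason; no confirmation before the timer expires; the confirmation MAC does not match the stored expected MAC; the confirmation carries a failure reason) and returns the UDM's decision to trigger re-authentication. The KDF that produces the SoR/UPU MACs is replaced by a labelled HMAC-SHA256 stand-in, the 16-bit counter width, the 5-second preset time, the ack payload and the "security verification failed" reason text are all assumptions, and the keys are constructed toy values.

```python
import hashlib
import hmac
import struct
from enum import Enum
from typing import Optional, Tuple


class FailureReason(Enum):
    """Failure causes the page names for the second/third indication information."""
    KEY_MISSING = "intermediate key missing"
    COUNTER_ABOUT_TO_WRAP = "protection counter about to wrap"


COUNTER_MAX = 0xFFFF     # assumed 16-bit SoR/UPU counter width
ACK_TIMEOUT_S = 5.0      # assumed preset time; in practice configured via OAM


def protection_mac(key: bytes, counter: int, payload: bytes) -> bytes:
    """Toy stand-in (assumption) for the 3GPP KDF behind SoR/UPU-MAC-I values:
    HMAC-SHA256 over counter || payload, truncated to 128 bits."""
    return hmac.new(key, struct.pack(">H", counter) + payload, hashlib.sha256).digest()[:16]


class Ausf:
    """Holds the intermediate key and the protection counter for one UE."""

    def __init__(self, key: Optional[bytes], counter: int = 0) -> None:
        self.key, self.counter = key, counter

    def protect(self, data: bytes) -> dict:
        # Response message: either a failure reason, or MAC + counter + expected UE ack MAC
        if self.key is None:
            return {"ok": False, "reason": FailureReason.KEY_MISSING}
        if self.counter >= COUNTER_MAX:
            return {"ok": False, "reason": FailureReason.COUNTER_ABOUT_TO_WRAP}
        self.counter += 1
        return {"ok": True, "counter": self.counter,
                "mac": protection_mac(self.key, self.counter, data),
                "xmac_ue": protection_mac(self.key, self.counter, b"ACK")}


class Ue:
    """Terminal device: verifies the first information and builds the confirmation message."""

    def __init__(self, key: Optional[bytes], reports_reason: bool = True) -> None:
        self.key, self.reports_reason = key, reports_reason

    def receive(self, data: bytes, mac: bytes, counter: int):
        if self.key is None:                       # no key: cannot verify, sends nothing
            return None, FailureReason.KEY_MISSING
        if hmac.compare_digest(protection_mac(self.key, counter, data), mac):
            return protection_mac(self.key, counter, b"ACK"), None
        if self.reports_reason:                    # manner five: ack carries the failure reason
            return None, "security verification failed"   # constructed reason text
        return protection_mac(self.key, counter, b"ACK"), None   # assumed: acks with its own key


class Udm:
    """UDM decision logic for implementation manners two to five."""

    def __init__(self, ausf: Ausf) -> None:
        self.ausf, self.pending = ausf, None

    def send_data(self, data: bytes, now: float):
        resp = self.ausf.protect(data)
        if not resp["ok"]:                         # manner two: AUSF reports why protection failed
            return "REAUTH", resp["reason"]
        self.pending = {"xmac": resp["xmac_ue"], "deadline": now + ACK_TIMEOUT_S}
        return "SENT", (data, resp["mac"], resp["counter"])   # the first information

    def on_timer(self, now: float) -> str:
        # manner three: no confirmation within the preset time
        if self.pending is not None and now >= self.pending["deadline"]:
            self.pending = None
            return "REAUTH"
        return "WAIT"

    def on_ack(self, mac_ue: Optional[bytes], reason=None) -> str:
        if self.pending is None:
            return "IGNORE"
        expected, self.pending = self.pending["xmac"], None
        if reason is not None:                     # manner five
            return "REAUTH"
        # manner four: constant-time compare of second MAC with stored second expected MAC
        return "OK" if hmac.compare_digest(mac_ue, expected) else "REAUTH"


def run_scenario(ausf_key, ue_key, ausf_counter=0, ue_reports_reason=True) -> Tuple[str, object]:
    """Drives one SoR/UPU delivery end to end and returns the UDM's final decision."""
    ausf = Ausf(ausf_key, ausf_counter)
    udm, ue = Udm(ausf), Ue(ue_key, ue_reports_reason)
    status, info = udm.send_data(b"steering-list||sor-header", now=0.0)   # constructed data
    if status == "REAUTH":
        return "REAUTH", info
    data, mac, counter = info
    ack_mac, reason = ue.receive(data, mac, counter)
    if ack_mac is None and reason is FailureReason.KEY_MISSING:
        return udm.on_timer(now=ACK_TIMEOUT_S + 1.0), "timeout"   # nothing arrives; timer fires
    return udm.on_ack(ack_mac, reason), reason


# Constructed toy keys, not real K_AUSF material
K_SHARED = hashlib.sha256(b"constructed-toy-k-ausf").digest()
K_STALE = hashlib.sha256(b"constructed-stale-key").digest()

if __name__ == "__main__":
    print(run_scenario(K_SHARED, K_SHARED))
    print(run_scenario(K_SHARED, None))
    print(run_scenario(K_SHARED, K_STALE, ue_reports_reason=False))
```

Two details matter on the UDM side: the stored expected MAC is compared in constant time and is discarded as soon as a confirmation or the timer consumes it, so a late or duplicated confirmation cannot be matched against stale state; and the re-authentication decision is taken from the failure reason alone, so the UDM never needs the UE's key material to reach it.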
At present, a terminal device first registers in a 4G network and generates an evolved packet system (EPS) security context; the terminal device then moves from the 4G network to a 5G network, and the 5G network derives a mapped 5G NAS security context from the EPS security context and takes that mapped 5G NAS security context into use. In this process, because there is no AUSF in the 4G network, the UDM cannot have stored the identifier of the AUSF involved in the authentication procedure of the terminal device. As a result, when the UDM needs to send data to the terminal device, the UDM cannot determine which AUSF it should ask to security-protect the data to be sent, which affects normal communication between the UDM and the terminal device.
To address this technical problem, an embodiment of this application provides a communication method. As shown in FIG. 21, the communication method includes the following steps:
S1601. The mobility management network element receives a registration request message from the terminal device.
The registration request message is used for switching from the 4G network to the 5G network.
Optionally, switching from the 4G network to the 5G network may be expressed as switching from the S1 interface to the N1 interface.
In this embodiment of this application, the mobility management network element may be the AMF in the 5G network.
It should be understood that when the registration request message includes seventh indication information, the mobility management network element can learn that the terminal device has switched from the 4G network to the 5G network. The seventh indication information indicates that the network the terminal device last accessed was a 4G network.
Optionally, when the EMM state in the user equipment status (UE status) information element of the registration request message is set to EMM-REGISTERED, this means that the registration request message carries the seventh indication information.
The registration request message includes a key set identifier, and the key set identifier includes a security context type parameter.
The security context type parameter indicates the type of the security context.
Optionally, the type of the security context is native or mapped.
For example, the security context is a 5G NAS security context.
S1602. When the type of security context indicated by the security context type parameter is not native, the mobility management network element initiates an authentication procedure for the terminal device.
Specifically, the mobility management network element determines from the security context type parameter whether a native security context exists on the terminal device. For example, if the registration request message includes an ngKSI whose type is mapped, and the registration request does not carry the "Non-current native NAS key set identifier" information element, the mobility management network element determines that the terminal device holds no native security context locally, and therefore triggers the authentication procedure for the terminal.
Based on the embodiment shown in FIG. 21, in the scenario where the terminal device switches from the 4G network to the 5G network, when the type of security context indicated by the security context type parameter is not native, the mobility management network element can determine that the terminal device has not gone through an authentication procedure in the 5G network, and therefore that the unified data management network element has not stored the identifier of the authentication service network element involved in the authentication procedure of the terminal device. The mobility management network element therefore initiates the authentication procedure for the terminal device, so that the unified data management network element can store, during that procedure, the identifier of the authentication service network element involved, thereby ensuring normal communication between the unified data management network element and the terminal device.
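The AMF-side check of step S1602, written out as an added example that is not code from the patent or from any AMF implementation. It decodes the ngKSI half-octet as laid out in the NAS key set identifier information element (bit 4 is the type of security context, native = 0 or mapped = 1; bits 1 to 3 are the KSI value, where 111 means no key is available) and applies the decision the page describes: a mapped current context with no "Non-current native NAS key set identifier" information element means the UE holds no native 5G context and authentication must run. The `RegistrationRequest` view, the boolean modelling of the UE status information element, and the rule that a usable non-current native context suppresses authentication are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

TSC_NATIVE, TSC_MAPPED = 0, 1   # type of security context values carried in the ngKSI
KSI_NO_KEY = 0b111               # KSI value meaning "no key is available"


@dataclass(frozen=True)
class NgKsi:
    tsc: int   # type of security context: 0 = native, 1 = mapped
    ksi: int   # 3-bit key set identifier

    @classmethod
    def from_half_octet(cls, nibble: int) -> "NgKsi":
        # NAS key set identifier IE value part: bit 4 = TSC, bits 1..3 = KSI
        return cls(tsc=(nibble >> 3) & 0x1, ksi=nibble & 0x7)

    def to_half_octet(self) -> int:
        return ((self.tsc & 0x1) << 3) | (self.ksi & 0x7)


@dataclass
class RegistrationRequest:
    """Constructed minimal view of the IEs the AMF needs for this check (assumption)."""
    ngksi: NgKsi
    ue_status_s1_registered: bool                       # UE status IE: S1 mode state is EMM-REGISTERED
    non_current_native_ngksi: Optional[NgKsi] = None    # "Non-current native NAS key set identifier" IE


def amf_needs_authentication(req: RegistrationRequest) -> Tuple[bool, str]:
    """Decide whether the AMF must run authentication so the UDM learns the AUSF identity."""
    if req.ngksi.tsc == TSC_NATIVE and req.ngksi.ksi != KSI_NO_KEY:
        return False, "current context is native; UE was authenticated in 5G"
    nc = req.non_current_native_ngksi
    if nc is not None and nc.ksi != KSI_NO_KEY:
        # Assumed rule: a usable non-current native context implies a prior 5G authentication
        return False, "UE holds a non-current native context"
    if req.ue_status_s1_registered:
        return True, "mapped context only after S1-to-N1 move; UDM has no AUSF identity for this UE"
    return True, "no native security context available"


def decide_from_octets(ngksi_nibble: int, s1_registered: bool,
                       nc_nibble: Optional[int] = None) -> Tuple[bool, str]:
    """Builds the request view from raw half-octets and returns the AMF decision."""
    req = RegistrationRequest(
        NgKsi.from_half_octet(ngksi_nibble), s1_registered,
        NgKsi.from_half_octet(nc_nibble) if nc_nibble is not None else None)
    return amf_needs_authentication(req)


if __name__ == "__main__":
    # Constructed inputs: mapped ngKSI with KSI 2 after an S1-to-N1 move, no non-current native IE
    print(decide_from_octets(0b1010, True))
    print(decide_from_octets(0b0011, True))   # native KSI 3: no authentication needed
```

The decision is made purely from the registration request, before any NAS security context is taken into use, which is why the example keeps the decoder free of side effects and returns the reason alongside the boolean: an operator can log why authentication was forced for a UE arriving from 4G.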
The solutions provided by the embodiments of this application have been described above mainly from the perspective of the methods. It can be understood that, to implement the above functions, the terminal includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily recognize that the algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by hardware or by a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementations should not be considered beyond the scope of this application.
In the embodiments of this application, the terminal device, the mobility management network element, and the unified data management network element may be divided into functional modules according to the foregoing method examples. For example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiments of this application is illustrative and is only a division by logical function; there may be other division manners in actual implementation. The following description takes the case where each functional module corresponds to one function as an example:
As shown in FIG. 22, a communication apparatus provided by an embodiment of this application includes a processing module 201 and a communication module 202.
In one example, the communication apparatus is a terminal device, or a chip applied in a terminal device. The processing module 201 is configured to support the terminal device in performing steps S701, S702 and S704 in FIG. 12, steps S801, S802 and S804 in FIG. 13, and steps S902 to S905 in FIG. 14. The communication module 202 is configured to support the terminal device in performing step S702 in FIG. 12, step S803 in FIG. 13, and step S901 in FIG. 14.
In another example, the communication apparatus is a unified data management network element, or a chip applied in a unified data management network element. The processing module 201 is configured to support the unified data management network element in performing step S1001 in FIG. 15, step S1101 in FIG. 16, step S1304 in FIG. 18, step S1405 in FIG. 19, and step S1505 in FIG. 20. The communication module 202 is configured to support the unified data management network element in performing step S1002 in FIG. 15, steps S1201 to S1202 in FIG. 17, steps S1301 to S1303 in FIG. 18, steps S1401 to S1404 in FIG. 19, and steps S1501 to S1504 in FIG. 20.
In another example, the communication apparatus is a mobility management network element, or a chip applied in a mobility management network element. The processing module 201 is configured to support the mobility management network element in performing step S1602 in FIG. 21. The communication module 202 is configured to support the mobility management network element in performing step S1601 in FIG. 21.
Optionally, the communication apparatus may further include a storage module 203 for storing program code and data of the communication apparatus; the data may include, but is not limited to, raw data, intermediate data, and the like.
The processing module 201 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules, and circuits described in connection with the disclosure of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The communication module 202 may be a communication interface, a transceiver, a transceiver circuit, or the like. The communication interface is a general term; in a specific implementation it may include multiple interfaces, for example an interface between a base station and a terminal device and/or other interfaces.
The storage module 203 may be a memory.
When the processing module 201 is a processor, the communication module 202 is a communication interface, and the storage module 203 is a memory, the communication apparatus involved in the embodiments of this application may be as shown in FIG. 23.
Referring to FIG. 23, the communication apparatus includes a processor 301, a communication interface 302, and a memory 303. Optionally, the communication apparatus may further include a bus 304. The communication interface 302, the processor 301, and the memory 303 may be connected to one another through the bus 304; the bus 304 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus 304 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 23, but this does not mean that there is only one bus or only one type of bus.
Optionally, an embodiment of this application further provides a computer-readable storage medium storing instructions which, when executed, perform the method in the foregoing method embodiments.
Optionally, an embodiment of this application further provides a computer program product including instructions which, when executed, perform the method in the foregoing method embodiments.
Optionally, an embodiment of this application further provides a chip, which includes a processor configured to implement the technical method of the embodiments of this application. In one possible design, the chip further includes a memory for storing the program instructions and/or data needed by the communication device of the embodiments of this application. In one possible design, the chip further includes a memory from which the processor invokes stored application program code. The chip may consist of one or more chips, or may include a chip together with other discrete devices; this is not specifically limited in the embodiments of this application.
The steps of the methods or algorithms described in connection with the disclosure of this application may be implemented in hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in RAM, flash memory, ROM, erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), registers, a hard disk, a removable hard disk, a compact disc read-only memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. The storage medium may of course also be an integral part of the processor. The processor and the storage medium may reside in an ASIC, and the ASIC may reside in a core network interface device. The processor and the storage medium may also exist as discrete components in a core network interface device. Alternatively, the memory may be coupled to the processor; for example, the memory may exist independently and be connected to the processor through a bus, or the memory may be integrated with the processor. The memory may be used to store application program code for carrying out the technical solutions provided by the embodiments of this application, with execution controlled by the processor. The processor is configured to execute the application program code stored in the memory, thereby implementing the technical solutions provided by the embodiments of this application.
From the description of the above embodiments, those skilled in the art can clearly understand that, for convenience and brevity of description, the division into the functional modules above is given only as an example; in practical applications, the functions above may be allocated to different functional modules as required, that is, the internal structure of the apparatus is divided into different functional modules to complete all or part of the functions described above.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for example, the division into modules or units is only a division by logical function, and in actual implementation there may be other ways of division, for example multiple units or components may be combined or integrated into another apparatus, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and components shown as units may be one physical unit or multiple physical units, that is, they may be located in one place or distributed over multiple different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a readable storage medium. Based on such understanding, the technical solutions of the embodiments of this application in essence, or the part contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a device (which may be a single-chip microcomputer, a chip, or the like) or a processor to execute all or part of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disc, or any other medium that can store program code.
The above are merely specific embodiments of this application, but the protection scope of this application is not limited thereto; any change or substitution within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (38)

  1. A communication method, characterized in that the method is applied to a terminal device configured with a (Universal) Subscriber Identity Module (U)SIM card, the (U)SIM card storing a key set identifier, and the method comprises:
    when the terminal device needs to initiate an initial registration procedure, determining, by the terminal device, whether a valid intermediate key exists;
    if the valid intermediate key does not exist, deleting, by the terminal device, the key set identifier;
    sending, by the terminal device, an initial registration request message to a mobility management network element, the initial registration request message not carrying the key set identifier so as to trigger an authentication procedure for the terminal device;
    obtaining, by the terminal device, authentication key information in the authentication procedure, the authentication key information comprising the valid intermediate key.
  2. The method according to claim 1, characterized in that the key set identifier is a key set identifier generated when the terminal device accesses a network through a first access technology;
    the sending, by the terminal device, an initial registration request message to a mobility management network element comprises:
    sending, by the terminal device, the initial registration request message to the mobility management network element using the first access technology.
  3. The method according to claim 1 or 2, characterized in that the deleting, by the terminal device, the key set identifier comprises:
    setting, by the terminal device, the value of the key set identifier to a first value, the first value indicating "no key available".
  4. The method according to any one of claims 1 to 3, characterized in that the initial registration request message not carrying the key set identifier comprises:
    the initial registration request message including first indication information, the first indication information indicating that no key is available.
  5. The method according to any one of claims 1 to 4, characterized in that the terminal device is further configured with a non-volatile memory;
    the determining, by the terminal device, whether a valid intermediate key exists comprises:
    determining, by the terminal device, whether the terminal identity in the non-volatile memory and the terminal identity in the (U)SIM card are consistent;
    when the terminal identity in the non-volatile memory and the terminal identity in the (U)SIM card are consistent, determining, by the terminal device, whether the valid intermediate key exists in the non-volatile memory and the (U)SIM card; or,
    when the terminal identity in the non-volatile memory and the terminal identity in the (U)SIM card are inconsistent, determining, by the terminal device, whether the valid intermediate key exists in the (U)SIM card.
  6. The method according to any one of claims 1 to 5, characterized in that the authentication key information further comprises: a value of a steering of roaming SOR counter, and/or a value of a UE parameters update UPU counter.
  7. The method according to any one of claims 1 to 6, characterized in that the valid intermediate key comprises Kausf.
  8. The method according to any one of claims 1 to 7, characterized in that the key set identifier is a next generation key set identifier ngKSI.
  9. A communication method, characterized in that the method comprises:
    determining, by a terminal device, whether the value of a first counter in authentication key information is greater than or equal to a preset value;
    when the value of the first counter is greater than or equal to the preset value, deleting, by the terminal device, a key set identifier;
    sending, by the terminal device, a registration request message to a mobility management network element, the registration request message not carrying the key set identifier so as to trigger an authentication procedure for the terminal device;
    obtaining, by the terminal device, updated authentication key information in the authentication procedure, the updated authentication key information comprising an updated intermediate key and the first counter with a value of 0.
  10. The method according to claim 9, characterized in that the key set identifier is a key set identifier generated when the terminal device accesses a network through a first access technology;
    the sending, by the terminal device, a registration request message to a mobility management network element comprises:
    sending, by the terminal device, the registration request message to the mobility management network element using the first access technology.
  11. The method according to claim 9 or 10, characterized in that the deleting, by the terminal device, the key set identifier comprises:
    setting, by the terminal device, the value of the key set identifier to a first value, the first value indicating "no key available".
  12. The method according to any one of claims 9 to 11, characterized in that the deleting, by the terminal device, the key set identifier comprises:
    when the terminal device is in the connected state, releasing, by the terminal device, the connection with a network device;
    after releasing the connection with the network device, deleting, by the terminal device, the key set identifier.
  13. The method according to any one of claims 9 to 12, characterized in that the registration request message not carrying the key set identifier comprises:
    the registration request message including first indication information, the first indication information indicating that no key is available.
  14. The method according to any one of claims 9 to 13, characterized in that the method further comprises:
    receiving, by the terminal device, first information, the first information comprising data, a value of a second counter, and a message authentication code MAC;
    comparing, by the terminal device, whether the value of the second counter is greater than the value of the first counter;
    when the value of the second counter is greater than the value of the first counter, verifying, by the terminal device, the MAC according to the data in the first information and the value of the second counter;
    when the MAC passes verification, updating, by the terminal device, the value of the first counter with the value of the second counter.
  15. The method according to claim 14, characterized in that the determining, by the terminal device, whether the value of the first counter in the authentication key information is greater than or equal to a preset value comprises:
    determining, by the terminal device, whether the updated value of the first counter is greater than or equal to the preset value.
  16. The method according to any one of claims 9 to 15, characterized in that the first counter comprises: a steering of roaming SOR counter, and/or a UE parameters update UPU counter.
  17. The method according to any one of claims 9 to 16, characterized in that the intermediate key comprises Kausf.
  18. The method according to any one of claims 9 to 17, characterized in that the key set identifier is a next generation key set identifier ngKSI.
  19. A communication apparatus, characterized by comprising:
    a processing module, configured to determine, when an initial registration procedure needs to be initiated, whether a valid intermediate key exists, and, if the valid intermediate key does not exist, to delete the key set identifier stored in a (Universal) Subscriber Identity Module (U)SIM card;
    a communication module, configured to send an initial registration request message to a mobility management network element, the initial registration request message not carrying the key set identifier so as to trigger an authentication procedure for the communication apparatus;
    the processing module being further configured to obtain authentication key information in the authentication procedure, the authentication key information comprising the valid intermediate key.
  20. The communication apparatus according to claim 19, characterized in that the key set identifier is a key set identifier generated when the communication apparatus accesses a network through a first access technology;
    the communication module is specifically configured to send the initial registration request message to the mobility management network element using the first access technology.
  21. The communication apparatus according to claim 19 or 20, characterized in that
    the processing module is specifically configured to set the value of the key set identifier to a first value, the first value indicating "no key available".
  22. The communication apparatus according to any one of claims 19 to 21, characterized in that the initial registration request message not carrying the key set identifier comprises:
    the initial registration request message including first indication information, the first indication information indicating that no key is available.
  23. The communication apparatus according to any one of claims 19 to 22, characterized in that the communication apparatus further comprises a storage module;
    the processing module is specifically configured to determine whether the terminal identity in the storage module and the terminal identity in the (U)SIM card are consistent; when the terminal identity in the storage module and the terminal identity in the (U)SIM card are consistent, to determine whether the valid intermediate key exists in the storage module and the (U)SIM card; or, when the terminal identity in the storage module and the terminal identity in the (U)SIM card are inconsistent, to determine whether the valid intermediate key exists in the (U)SIM card.
  24. The communication apparatus according to any one of claims 19 to 23, characterized in that the authentication key information further comprises: a value of a steering of roaming SOR counter, and/or a value of a UE parameters update UPU counter.
  25. The communication apparatus according to any one of claims 19 to 24, characterized in that the valid intermediate key comprises Kausf.
  26. The communication apparatus according to any one of claims 19 to 25, characterized in that the key set identifier is a next generation key set identifier ngKSI.
  27. A communication apparatus, characterized by comprising:
    a processing module, configured to determine whether the value of a first counter in authentication key information is greater than or equal to a preset value, and, when the value of the first counter is greater than or equal to the preset value, to delete a key set identifier;
    a communication module, configured to send a registration request message to a mobility management network element, the registration request message not carrying the key set identifier so as to trigger an authentication procedure for the communication apparatus;
    the processing module being further configured to obtain updated authentication key information in the authentication procedure, the updated authentication key information comprising an updated intermediate key and the first counter with a value of 0.
  28. The communication apparatus according to claim 27, characterized in that the key set identifier is a key set identifier generated when the communication apparatus accesses a network through a first access technology;
    the communication module is specifically configured to send the registration request message to the mobility management network element using the first access technology.
  29. The communication apparatus according to claim 27 or 28, characterized in that
    the processing module is specifically configured to set the value of the key set identifier to a first value, the first value indicating "no key available".
  30. The communication apparatus according to any one of claims 27 to 29, characterized in that
    the processing module is specifically configured to release the connection with a network device when the communication apparatus is in the connected state, and to delete the key set identifier after releasing the connection with the network device.
  31. The communication apparatus according to any one of claims 27 to 30, characterized in that the registration request message not carrying the key set identifier comprises:
    the registration request message including first indication information, the first indication information indicating that no key is available.
  32. The communication apparatus according to any one of claims 27 to 31, characterized in that
    the communication module is further configured to receive first information, the first information comprising data, a value of a second counter, and a message authentication code MAC;
    the processing module is further configured to compare whether the value of the second counter is greater than the value of the first counter; when the value of the second counter is greater than the value of the first counter, to verify the MAC according to the data in the first information and the value of the second counter; and when the MAC passes verification, to update the value of the first counter with the value of the second counter.
  33. The communication apparatus according to claim 32, characterized in that
    the processing module is specifically configured to determine whether the updated value of the first counter is greater than or equal to the preset value.
  34. The communication apparatus according to any one of claims 27 to 33, characterized in that the first counter comprises: a steering of roaming SOR counter, and/or a UE parameters update UPU counter.
  35. The communication apparatus according to any one of claims 27 to 34, characterized in that the intermediate key comprises Kausf.
  36. The communication apparatus according to any one of claims 27 to 35, characterized in that the key set identifier is a next generation key set identifier ngKSI.
  37. A chip, characterized by comprising a processor and a communication interface, the processor being configured to execute computer program instructions so that the communication apparatus implements the communication method according to any one of claims 1 to 18.
  38. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the communication method according to any one of claims 1 to 18.
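The terminal-side logic of claims 1, 9 and 14 (checking for a valid Kausf, setting ngKSI to "no key available" so that registration triggers authentication, forcing re-authentication at a counter threshold, and counter-gated MAC verification), as an added Python simulation that is not part of the patent. The network stand-in, the 0xFFFF preset value and the HMAC-SHA256 MAC are constructed assumptions, not the 3GPP procedures or key derivations.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

NGKSI_NO_KEY_AVAILABLE = 7   # ngKSI value '111' is reserved for "no key is available"
COUNTER_PRESET = 0xFFFF      # constructed preset value: a 16-bit counter about to wrap


def mac_over(kausf: bytes, data: bytes, counter: int) -> bytes:
    """Stand-in for the SoR/UPU MAC (assumption: HMAC-SHA256 truncated to 128 bits;
    the real MAC is derived with the 3GPP KDF keyed by K_AUSF)."""
    return hmac.new(kausf, data + counter.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Terminal:
    usim_ngksi: int           # key set identifier stored on the (U)SIM
    kausf: Optional[bytes]    # intermediate key; None when lost or never derived
    counter_sor: int = 0      # the "first counter" of the authentication key information


class NetworkSim:
    """Constructed AMF/AUSF stand-in: it authenticates only when no ngKSI is carried."""

    def __init__(self) -> None:
        self.contexts = {}    # ngKSI -> K_AUSF held by the network
        self.auth_runs = 0

    def handle_registration(self, request: dict) -> dict:
        if request["ngksi"] is None:
            self.auth_runs += 1
            kausf = hashlib.sha256(b"constructed-kausf-%d" % self.auth_runs).digest()
            ngksi = self.auth_runs % 7    # 0..6 are usable identifiers, 7 is reserved
            self.contexts[ngksi] = kausf
            return {"authenticated": True, "ngksi": ngksi, "kausf": kausf, "counter_sor": 0}
        # ngKSI carried: the network reuses the stored context and skips authentication
        return {"authenticated": False, "ngksi": request["ngksi"],
                "kausf": self.contexts.get(request["ngksi"])}


def delete_key_set_identifier(ue: Terminal) -> None:
    """Claims 3 and 11: deletion means setting ngKSI to the "no key available" value."""
    ue.usim_ngksi = NGKSI_NO_KEY_AVAILABLE


def build_registration_request(ue: Terminal) -> dict:
    """Claims 4 and 13: without a key the request carries only a "no key" indication."""
    if ue.usim_ngksi == NGKSI_NO_KEY_AVAILABLE:
        return {"ngksi": None, "no_key_available": True}
    return {"ngksi": ue.usim_ngksi, "no_key_available": False}


def apply_auth_result(ue: Terminal, resp: dict) -> None:
    """Store the fresh key, identifier and zeroed counter after a successful run."""
    if resp["authenticated"]:
        ue.kausf, ue.usim_ngksi = resp["kausf"], resp["ngksi"]
        ue.counter_sor = resp["counter_sor"]


def initial_registration(ue: Terminal, net: NetworkSim, check_key: bool = True) -> dict:
    """Claim 1. check_key=False simulates the problem case: a stale ngKSI is sent
    although K_AUSF is gone, so the network reuses its context and skips authentication."""
    if check_key and ue.kausf is None:
        delete_key_set_identifier(ue)
    resp = net.handle_registration(build_registration_request(ue))
    apply_auth_result(ue, resp)
    return resp


def counter_guard(ue: Terminal, net: NetworkSim) -> bool:
    """Claim 9: at the preset value, drop ngKSI to force re-authentication, which
    yields a fresh K_AUSF and a counter of 0. Returns True when it was triggered."""
    if ue.counter_sor < COUNTER_PRESET:
        return False
    delete_key_set_identifier(ue)
    apply_auth_result(ue, net.handle_registration(build_registration_request(ue)))
    return True


def receive_protected(ue: Terminal, data: bytes, counter2: int, mac: bytes) -> bool:
    """Claim 14: the counter must exceed the stored one (replay check), then the MAC is
    verified over data and counter, and only then is the stored counter advanced."""
    if ue.kausf is None or counter2 <= ue.counter_sor:
        return False
    if not hmac.compare_digest(mac_over(ue.kausf, data, counter2), mac):
        return False
    ue.counter_sor = counter2
    return True
```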

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/119728 WO2022067803A1 (en) 2020-09-30 2020-09-30 Communication method and apparatus
CN202080105654.4A CN116391376A (en) 2020-09-30 2020-09-30 Communication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/119728 WO2022067803A1 (en) 2020-09-30 2020-09-30 Communication method and apparatus

Publications (1)

Publication Number Publication Date
WO2022067803A1 true WO2022067803A1 (en) 2022-04-07

Family

ID=80949438

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/119728 WO2022067803A1 (en) 2020-09-30 2020-09-30 Communication method and apparatus

Country Status (2)

Country Link
CN (1) CN116391376A (en)
WO (1) WO2022067803A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024031724A1 (en) * 2022-08-12 2024-02-15 北京小米移动软件有限公司 Terminal device capability indication method and apparatus

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610506A (en) * 2008-06-16 2009-12-23 上海华为技术有限公司 Prevent the method and apparatus of network security step-out
CN103476028A (en) * 2013-08-30 2013-12-25 大唐移动通信设备有限公司 NAS (Non Access Stratum) message treatment method and device during rollover of NAS COUNT
US20200221281A1 (en) * 2017-07-18 2020-07-09 Samsung Electronics Co., Ltd. Method and system to detect anti-steering of roaming activity in wireless communication network
CN111328112A (en) * 2018-12-14 2020-06-23 华为技术有限公司 Method, device and system for isolating security context

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAWEI ET AL.: "Handling of 5G security context for interworking with E-UTRAN connected to EPC", 3GPP TSG-CT WG1 MEETING #109 C1-181679, 2 March 2018 (2018-03-02), XP051393182 *

Also Published As

Publication number Publication date
CN116391376A (en) 2023-07-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20955823

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20955823

Country of ref document: EP

Kind code of ref document: A1