WO2022148469A1 - Security protection method, apparatus and system - Google Patents

Info

Publication number: WO2022148469A1
Authority: WO (WIPO (PCT))
Application number: PCT/CN2022/071229
Prior art keywords: amf, user, target, target amf, security context
Other languages: French (fr), Chinese (zh)
Inventors: 郭龙华, 吴�荣
Original Assignee: 华为技术有限公司
Priority claimed from: CN202210021323.3A (CN114765827A)

Classifications

    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W36/00 Hand-off or reselection arrangements
    • H04W8/00 Network data management
    • H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/04 Registration at HLR or HSS [Home Subscriber Server]

Definitions

  • the present application relates to the field of communications, and in particular, to a security protection method, device, and system.
  • the terminal may perform access and mobility management function (AMF) redirection during the process of registering with the network.
  • other core network elements may also perform redirection or handover, and the redirection or handover process likewise has the problems of high signaling overhead and prolonged network access.
  • the embodiments of the present application provide a security protection method, device, and system, which can reduce signaling interaction in the process of core network element redirection or handover, reduce signaling overhead, and shorten network access delay.
  • the embodiments of the present application provide a security protection method, including:
  • the target network element receives the first request of the terminal from the initial network element, the security context of the terminal, and the user permanent identifier of the terminal;
  • the target network element responds to the above-mentioned first request.
  • the first request may be a registration request of the terminal.
  • the above network element may be a mobility management network function, such as AMF; the above network element may also be a network element that undergoes redirection or handover and needs to acquire the security context of the terminal or establish a secure connection with the terminal.
  • the initial network element is the first network element that processes the first request
  • the target network element is the network element that provides services for the terminal after redirection or handover occurs.
  • the initial network element and the target network element may be the same type of network element, or may be different types of network elements capable of providing the same type of service for the terminal.
  • the first request includes the user temporary identifier of the terminal.
  • the response of the target network element to the first request can be understood as determining the user permanent identifier and the security context corresponding to the user temporary identifier of the terminal; that is, it can be understood as determining that the user permanent identifier corresponding to the user temporary identifier of the terminal is the above-mentioned user permanent identifier received by the target network element, and that the security context corresponding to the user temporary identifier is the above-mentioned security context received by the target network element.
  • the target network element receiving the first request of the terminal from the initial network element, the security context of the terminal, and the user permanent identifier of the terminal includes: the target network element receives, from the initial network element through a direct interface, the first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal.
  • the target network element receiving the first request of the terminal from the initial network element, the security context of the terminal, and the user permanent identifier of the terminal includes: the target network element receives the first request of the terminal from the access network device; the target network element receives the user temporary identifier of the terminal, the security context of the terminal, and the user permanent identifier of the terminal from the core network element.
  • the target network element receiving the first request of the terminal from the initial network element, the security context of the terminal, and the user permanent identifier of the terminal includes: the target network element receives the first request of the terminal from the access network device, the first request having been forwarded by the initial network element; in response to the first request, the target network element sends an acquisition request to the NF, where the acquisition request is used to request from the NF the security context and the user permanent identifier corresponding to the terminal, and the acquisition request includes the user temporary identifier of the terminal; the target network element receives the user temporary identifier of the terminal, the security context of the terminal, and the user permanent identifier of the terminal from the core network element.
  • the target network element responding to the first request includes: in response to the security context of the terminal and the permanent identifier of the terminal, the target network element uses the security context and the permanent user identifier.
  • the method further includes: the target network element does not initiate an authentication process.
  • the target network element may determine not to initiate the authentication process according to the local policy.
  • the method further includes: the target network element does not send a request for acquiring the context.
  • the target network element may determine not to send the request for obtaining the context according to the local policy. Not sending the request for acquiring the context may be not sending the request for acquiring the context to the original network element.
  • the context includes the security context.
  • the target network element responding to the first request includes: in response to the security context of the terminal and the permanent identifier of the terminal, the target network element does not send a request for acquiring the security context.
  • the target network element responding to the first request includes: in response to the security context of the terminal and the permanent identifier of the terminal, the target network element does not initiate an authentication process.
  • the response of the target network element to the above-mentioned first request includes: the target network element determines whether to use or trust the above-mentioned security context and/or the above-mentioned user permanent identifier according to a local policy.
  • the response of the target network element to the above-mentioned first request includes: the target network element determines to use the above-mentioned security context and/or user permanent identifier according to a local policy.
  • the method further includes: the target network element does not initiate an authentication process.
  • the method further includes: the target network element does not send a request for acquiring the context.
  • the response of the target network element to the first request includes: the target network element determines whether to initiate an authentication process according to a local policy.
  • the response of the target network element to the above-mentioned first request includes: the target network element determines not to initiate an authentication process according to a local policy.
  • the response of the target network element to the above-mentioned first request includes: the target network element determines whether to send a request for acquiring the context according to a local policy.
  • the response of the target network element to the above-mentioned first request includes: the target network element determines not to send the request for acquiring the context according to a local policy. Not sending the request for acquiring the context may be not sending the request for acquiring the context to the original network element.
  • the context includes the security context.
  • the target network element can trust the above information from the initial network element and can directly use it to respond to the first request, without needing to initiate an authentication process to obtain the security context or the user permanent identifier; similarly, it does not need to send a request for acquiring the context. This effectively reduces the signaling of the target network element after it receives the first request, and effectively shortens the delay required for the terminal and the target network element to establish or update a secure connection.
  • the target network element acquires and uses the security context and the user permanent identifier from the initial network element, so as to avoid acquiring the security context and the user permanent identifier from the original network element. This avoids the problem that after the security context between the initial network element and the terminal is updated, the target network element obtains the security context before the update from the original network element, resulting in failure to successfully establish communication with the terminal based on the security context.
  • the response of the target network element to the above-mentioned first request includes: the target network element determines not to use the security context or the user permanent identifier according to a local policy.
  • the method further includes: the target network element initiates an authentication process.
  • the target network element determines to initiate an authentication process according to a local policy.
  • the target network element does not need to initiate the authentication process after receiving any first request, but only needs to initiate the authentication process when the target network element determines that the authentication process needs to be initiated according to the local policy. While reducing the signaling overhead caused by unnecessary authentication procedures, the security of the communication connection is guaranteed.
  • the method further includes: the target network element receives the first indication information.
  • the first indication information is used to indicate that the first request is forwarded through the initial network element.
  • the response of the target network element to the first request includes: the target network element determines, according to the first indication information, to respond to the security context of the terminal and the permanent identifier of the terminal.
  • the response of the target network element to the above-mentioned first request includes: the target network element determines, according to the first indication information, to make the judgment according to the local policy.
  • the first indication information is generated by the initial network element and forwarded to the target network element through the access network device; or, the first indication information is generated by the access network device and sent to the target network element.
  • the target network element extracts the user temporary identifier from the first request.
  • the target network element uses the temporary user identifier of the terminal to index the security context of the terminal and the permanent user identifier of the terminal in the acquired security context and user permanent identifier.
  • the method further includes: after the target network element acquires the permanent user identifier of the terminal, the target network element deletes the temporary user identifier of the terminal.
  • the embodiments of the present application provide a security protection method, including:
  • the initial access management function network element receives a first request of the terminal, where the first request includes a user temporary identifier of the terminal;
  • the initial network element obtains the context of the terminal and the permanent user identifier of the terminal corresponding to the above-mentioned temporary user identifier;
  • the initial network element sends the above-mentioned first request to the target network element through the access network device;
  • the initial network element sends the user temporary identifier of the terminal, the permanent user identifier of the terminal, and the security context of the terminal to the first network element.
  • the method further includes: the initial network element sends first indication information to the access network device, where the first indication information is used to indicate that the above-mentioned first request is forwarded by the initial network element.
  • the method further includes: the initial network element extracts the user temporary identifier in the first request.
  • the embodiments of the present application provide a security protection method, including:
  • the first network element obtains the temporary user identifier of the terminal, the permanent user identifier of the terminal, and the security context of the terminal;
  • the first network element sends the above-mentioned user temporary identifier, user permanent identifier, and security context to the target access management function network element.
  • the method further includes: the first network element receives an acquisition request from the target network element, where the acquisition request includes the above-mentioned temporary user identifier;
  • the first network element sending the user temporary identifier, the user permanent identifier, and the security context to the target access management function network element includes: in response to the acquisition request, the first network element sends to the target network element the user temporary identifier together with the user permanent identifier and the security context corresponding to that user temporary identifier.
  • an embodiment of the present application provides a communication device, including a processor and a memory, where the memory is used for storing computer-executable instructions, and the processor is used for executing the computer-executable instructions stored in the memory, so that the device performs the corresponding method described in the first aspect.
  • an embodiment of the present application provides a communication device, including a processor and a memory, where the memory is used for storing computer-executable instructions, and the processor is used for executing the computer-executable instructions stored in the memory, so that the device performs the corresponding method described in the second aspect.
  • an embodiment of the present application provides a communication device, including a processor and a memory, where the memory is used for storing computer-executable instructions, and the processor is used for executing the computer-executable instructions stored in the memory, so that the device performs the corresponding method described in the third aspect.
  • an embodiment of the present application provides a communication apparatus for implementing the method of the first aspect.
  • the communication device can implement the function of the target network element in the first aspect.
  • the communication device includes corresponding modules, units, or means (means) for implementing the above method, and the modules, units, or means may be implemented by hardware, software, or hardware executing corresponding software.
  • the hardware or software includes one or more modules or units corresponding to the above functions.
  • an embodiment of the present application provides a communication device for implementing the method of the second aspect.
  • the communication apparatus can implement the function of the initial network element in the second aspect.
  • the communication device includes corresponding modules, units, or means (means) for implementing the above method, and the modules, units, or means may be implemented by hardware, software, or hardware executing corresponding software.
  • the hardware or software includes one or more modules or units corresponding to the above functions.
  • an embodiment of the present application provides a communication apparatus for implementing the method of the third aspect.
  • the communication apparatus may implement the function of the first network element in the second aspect.
  • the communication device includes corresponding modules, units, or means (means) for implementing the above method, and the modules, units, or means may be implemented by hardware, software, or hardware executing corresponding software.
  • the hardware or software includes one or more modules or units corresponding to the above functions.
  • an embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium is used to store instructions, and when the instructions are executed, the method according to any one of the first to third aspects is implemented.
  • an embodiment of the present application provides a computer program product, where the computer program product includes instructions, and when the instructions are executed, the method according to any one of the first to third aspects is implemented.
  • an embodiment of the present application provides a communication system, including the device described in the fourth aspect or the seventh aspect, and the device described in the fifth aspect or the eighth aspect.
  • the communication system further includes the apparatus described in the sixth aspect or the ninth aspect.
  • the technical effects of the second to twelfth aspects may refer to the beneficial effects of the first aspect.
  • FIG. 1 is a schematic diagram of a communication system provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a security protection method provided by an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a registration method provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of another security protection method provided by an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of another security protection method provided by an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of a further security protection method provided by an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of still another communication apparatus provided by an embodiment of the present application.
  • FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of the present application, and each part involved in FIG. 1 is as follows:
  • a terminal device may also be called a user equipment (user equipment, UE), a terminal, and the like.
  • a terminal device is a device with a wireless transceiver function that can communicate with one or more core networks (CN) through the access network device in the (radio) access network ((R)AN). It can be deployed on land, indoors or outdoors, as a handheld, wearable, or vehicle-mounted device; it can also be deployed on water, such as on ships; and it can also be deployed in the air, such as on airplanes, balloons, or satellites.
  • the terminal device can be a mobile phone, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical care, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
  • the (radio) access network ((R)AN) is used to provide network access functions for authorized user equipment in a specific area, and can use transmission tunnels of different quality according to the level of the user equipment, the service requirements, and so on.
  • (R)AN can manage radio resources, provide access services for user equipment, and then complete the forwarding of control information and/or data information between user equipment and a core network (core network, CN).
  • the access network device in the embodiment of the present application is a device that provides a wireless communication function for a terminal device, and may also be referred to as a network device.
  • the access network equipment may include: a next generation node base station (gNB) in a 5G system, an evolved node B (eNB) in long term evolution (LTE), a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved node B or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), small base station equipment (pico), a mobile switching center, or network equipment in a future network, etc.
  • the data network (DN) network function is used to provide a network for transmitting data.
  • the access and mobility management function (AMF) network function can be used to implement the functions of a mobility management entity (MME) other than session management, such as lawful interception and access authorization/authentication.
  • the AMF network function is hereinafter referred to as AMF.
  • the AMF may include an initial AMF (initial AMF), an old AMF (old AMF), and a target AMF (target AMF).
  • the initial AMF can be understood as the first AMF to process the UE registration request in this registration.
  • the initial AMF is selected by the (R)AN, but the initial AMF may not be able to serve the UE.
  • the original AMF can be understood as the UE
  • the target AMF can be understood as the AMF that serves the UE after the UE is redirected.
  • for example, the UE carries network slice selection information in the registration request message; if, after the UE's registration request reaches the initial AMF, the initial AMF cannot serve that network slice, the UE needs to be redirected to a target AMF that serves the UE.
  • network storage network functions, such as the network repository function (NRF), can be used to maintain real-time information on all network function services in the network.
  • the authentication server function (AUSF) is used to authenticate services, generate keys to realize two-way authentication of user equipment, and support a unified authentication framework.
  • the unified data management (UDM) network function can be used to handle user equipment identification, access authentication, registration, and mobility management. The UDM network function is hereinafter referred to as UDM.
  • the mobility management network function in the embodiment of the present application may be the AMF network function shown in FIG. 1 , or may be other network functions having the above-mentioned AMF network function in the future communication system.
  • the mobility management network function in this application may also be a mobility management entity (mobility management entity, MME) in long term evolution (long term evolution, LTE), or the like.
  • in the following description, the mobility management network function is described taking an AMF network function as an example.
  • the AMF network function is referred to as AMF for short
  • the terminal device is referred to as UE or terminal; that is, the AMF described later in the embodiments of the present application can be replaced by the mobility management network function, and the UE or terminal can be replaced by a terminal device.
  • the embodiments of the present application take the redirection of the mobility management network function as an example to introduce the security protection method proposed by the present application.
  • the security protection method of the present application can also be applied to the handover of the mobility management network function. It can be understood that when other core network elements are redirected or handed over and the core network element and the terminal need to establish a secure connection, the actions performed by the mobility management network function in the following methods can instead be performed by that core network element.
  • the above-mentioned network functions or functions can be either network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (eg, a cloud platform).
  • FIG. 2 is a schematic flowchart of a security protection method, which specifically includes:
  • the target AMF receives, from the initial AMF, the first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal.
  • the above-mentioned first request includes the user temporary identifier of the terminal.
  • the user temporary identity may be a temporary identity generated by the terminal, such as SUCI.
  • the user temporary identity may also be a temporary identity generated by the core network for the terminal, such as a GUTI, and the terminal obtains the temporary identity from the core network.
  • the first request is used to request to establish a secure connection between the terminal and the core network, or the first request is used to request to establish a secure connection between the terminal and the AMF that receives the first request.
  • Establishing a secure connection includes establishing a security context. The above establishment can also be replaced by an update.
  • the first request may be a registration request of the terminal, where the registration request is used for requesting to register the terminal with the core network, or the request is used for requesting to register the terminal with an AMF capable of serving the terminal.
  • the first request may also be other requests of the terminal, such as a handover request.
  • the security context is used to describe the information required for security protection of the communication between the core network and the terminal.
  • the security context includes one or more of the following information: AMF key, AMF key identifier, security capability of the terminal, encryption protection algorithm, integrity protection algorithm, and NAS COUNT.
  • the security context of the terminal is the security context of the terminal that has been acquired by the initial AMF.
  • the above-mentioned initial AMF receives the above-mentioned first request from the terminal, initiates a main authentication process for the terminal, and the initial AMF obtains the security context of the terminal through the main authentication process.
  • the initial AMF can encrypt and protect information such as signaling sent to the terminal according to the security context.
  • the first request of the terminal, the security context of the terminal, and the permanent user identifier of the terminal are carried in a message. It can be understood that, by acquiring the message, the target AMF can learn that the security context and the permanent user identifier carried in the message correspond to the temporary user identifier in the first request.
  • the initial AMF sends the message to the target AMF through the direct interface.
  • the above-mentioned first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal are carried in different messages respectively.
  • the security context or the user permanent identifier and the terminal identifier are carried in one message, so that the target AMF can know the received security context and the user permanent identifier corresponding to the terminal.
  • the terminal identifier may be the above-mentioned temporary user identifier, and the terminal identifier may be other information that enables the target AMF to identify the terminal, such as session information or tunnel identifier information corresponding to the terminal.
  • the initial AMF may send the temporary user identifier of the terminal, the security context of the terminal, and the permanent user identifier of the terminal to the target AMF through the core network element.
  • the initial AMF sends the first request of the terminal to the target AMF through the access network device.
  • the target AMF may extract the user temporary identity from the first request.
  • the target AMF may use the user temporary identity of the terminal to index or obtain the security context of the terminal and the user permanent identity of the terminal.
  • the target AMF may use the user temporary identifier to request the NF to obtain the security context of the terminal and the permanent user identifier of the terminal.
  • the above-mentioned core network elements may be UDM, NSSF, or other core network elements capable of storing and forwarding the above-mentioned information.
  • the core network element is hereinafter referred to as a network function NF.
  • after acquiring the temporary user identifier of the terminal, the security context of the terminal, and the permanent user identifier of the terminal, the NF sends the acquired information to the target AMF. That is, the NF directly pushes the information to the target AMF after obtaining the above information.
  • the NF acquires the security context of the terminal and the permanent user identifier of the terminal, and sends the acquired information to the target AMF when receiving an acquisition request from the target AMF.
  • the acquisition request includes the user temporary identifier, and the user temporary identifier is used to request the security context and user permanent identifier corresponding to the terminal from the NF.
  • the target AMF receives the above-mentioned first request; in response to the above-mentioned first request, the target AMF sends the acquisition request to the NF; the target AMF receives the terminal's security context and the terminal's user permanent identity from the NF.
  • S220 The target AMF responds to the first request.
  • the response manner includes triggering the authentication process or not triggering the authentication process.
  • the target AMF can send an authentication request to the AUSF.
  • the target AMF responds to the above-mentioned first request in any of the following ways:
  • Manner 1: In response to the security context of the terminal and the permanent identity of the terminal, the target AMF uses the security context and the permanent identity of the user.
  • Using the security context can be understood as performing security protection on signaling according to the information in the security context, such as performing encryption protection or performing integrity protection.
  • the use of the security context can also be understood as sending signaling to the terminal for security protection according to the information in the security context.
  • Using the user permanent identifier can be understood as using it as the user's unique permanent identifier in the core network, as charging according to the user permanent identifier, or as obtaining or implementing other services of the terminal according to the user permanent identifier.
  • the target AMF may not trigger the authentication process and not send the request for acquiring the context. For example, when the target AMF receives the RR message carried in the first request, and the message carries SUCI, the target AMF may choose not to trigger the authentication process.
  • the first manner further includes: the target AMF does not initiate an authentication process. It can be understood that, after the target AMF acquires the above-mentioned security context and user permanent identifier, it no longer needs to acquire the security context and user permanent identifier of the terminal by initiating an authentication process.
  • the first manner further includes: the target AMF does not send a request for acquiring the security context.
  • once the target AMF obtains the above-mentioned security context and user permanent identity, it is no longer necessary to send a request for obtaining the security context to the original AMF.
  • the original AMF is the AMF that previously served the terminal; the security context of the terminal was established on the original AMF, and the permanent user identifier of the terminal is stored there.
  • the target AMF determines whether to use the above-mentioned security context or the above-mentioned user permanent identifier according to the local policy.
  • Another way of expressing mode 4 may be: the target AMF judges whether to trust the security context and user permanent identity received from the initial AMF according to a local policy.
  • the local policy is the policy information locally configured by the target AMF or received from other core network elements.
  • Exemplary local policies may include:
  • the target AMF trusts the initial AMF; or, the target AMF and the initial AMF are in the same security domain; or,
  • the security requirement of the network slice in which the target AMF serves the terminal is that the authentication process is not to be initiated again; or,
  • the security requirement of the above network slice is that no context acquisition request is to be sent to the original AMF; or,
  • the target AMF does not initiate the authentication process after acquiring the security context; or,
  • the target AMF does not send an acquire context request to the original AMF after acquiring the security context.
  • Mode 4 may be replaced with the target AMF determining to use the security context or the user permanent identifier according to the local policy.
  • the target AMF does not initiate an authentication process.
  • the method further includes: the target AMF does not send a request for acquiring the context.
  • Mode 5 The target AMF determines whether to initiate an authentication process according to a local policy.
  • Mode 5 can be replaced with the target AMF determining not to initiate the authentication process according to the local policy.
  • Manner 5 further includes: the target AMF judges whether to send the request for acquiring the context according to the local policy.
  • Mode 6 The target AMF determines whether to send a request for obtaining the context according to the local policy.
  • Mode 6 can be replaced with the target AMF determining not to send a request for acquiring the security context according to the local policy.
  • Manner 6 further includes: the target AMF determines whether to initiate an authentication process according to a local policy.
  • the target AMF can trust the above-mentioned information from the initial AMF and can directly use it to handle the first request. It does not need to initiate an authentication process to obtain the security context or user permanent identity, and likewise does not need to send a request to obtain the context, which effectively reduces the signaling of the target AMF after receiving the first request and effectively shortens the delay required for the terminal to establish or update the connection with the target AMF.
  • otherwise, after obtaining the user temporary identifier, the target AMF first needs to obtain the user permanent identifier corresponding to the user temporary identifier, and only then can it use the user permanent identifier to obtain the corresponding security context from the NF.
  • in this application, the security context of the terminal can be understood as being indexed by the user temporary identifier of the terminal, so that the target AMF can directly use the user temporary identifier to obtain the corresponding security context, which simplifies the process for the target AMF to obtain the security context.
  • the target AMF obtains and uses the security context and the user permanent identity from the initial AMF, so that obtaining the security context and the user permanent identity from the original AMF can be avoided.
  • the security context between the initial AMF and the terminal may have been updated; if the target AMF obtained the security context from the original AMF, it would obtain the security context before the update and could not successfully establish communication with the terminal based on that security context.
  • the target AMF obtains the security context from the initial AMF to ensure that the obtained security context is the updated security context of the initial AMF, avoiding the problem that the target AMF and the terminal cannot successfully establish communication.
  • the target AMF can also avoid receiving the security context from multiple channels such as the original AMF and the initial AMF, so as to avoid judging and selecting multiple security contexts.
  • the processing logic for determining the security context of the terminal by the target AMF is simplified.
  • the target AMF may delete the temporary user identifier of the terminal after acquiring the permanent user identifier of the terminal.
  • the target AMF can provide services for the terminal based on the user's permanent identity of the terminal.
  • Mode 4 of S220, in which the target AMF judges whether to use the above-mentioned security context or user permanent identifier according to the local policy, further includes:
  • Mode 4 may be replaced with the target AMF determining not to use the security context or the user permanent identifier according to the local policy.
  • Exemplary local policies at this time may include:
  • the target AMF does not trust the initial AMF; or,
  • the initial AMF should not know the AMF key used by the target AMF; or,
  • the target AMF needs to use the authentication process to obtain its own AMF key; or,
  • the target AMF and the initial AMF are in different security domains; or,
  • the security requirement of the network slice in which the target AMF serves the terminal is that the authentication process needs to be initiated again; or,
  • the security requirement of the above network slice is that a context acquisition request needs to be sent to the original AMF; or,
  • the target AMF needs to initiate an authentication process after obtaining the security context; or,
  • the target AMF needs to send a context acquisition request to the original AMF after acquiring the security context.
  • the target AMF initiates an authentication process.
  • the target AMF sends an authentication request to the AUSF, and the message carries SUCI.
  • in that message, it is also possible to carry the user permanent identifier instead of SUCI, which saves the UDM the computational cost of de-concealing SUCI.
  • Mode 5 of S220, in which the target AMF judges whether to initiate the authentication process according to the local policy, further includes:
  • Mode 5 can be replaced with the target AMF determining to initiate the authentication process according to the local policy.
  • the target AMF does not need to initiate an authentication process after receiving any first request, but only needs to initiate an authentication process when the target AMF determines that it needs to initiate an authentication process according to a local policy. While reducing the signaling overhead caused by unnecessary authentication procedures, the security of the communication connection is guaranteed.
  • S210 further includes:
  • the target AMF receives indication information #1. The indication information #1 is used to indicate that the first request is forwarded by the initial AMF; or to indicate that the security context of the terminal and the user permanent identifier of the terminal received from the initial AMF were obtained by the initial AMF through the authentication process; or to indicate redirection; or to indicate that the security context of the terminal has been generated; or to instruct the target AMF to obtain the security context from the NF; or to instruct the target AMF to skip the authentication process; or to instruct the target AMF to skip requesting the context from the original AMF; or to indicate that the initial AMF and the terminal have performed secure interaction of NAS messages; or to indicate that the initial AMF and the terminal have established a security context; or to indicate that primary authentication between the initial AMF and the UE succeeded.
  • the indication information #1 may be carried in a message with the above-mentioned first request. After receiving the message, the target AMF learns that the indication information #1 acts on the first request.
  • the indication information #1 and the above-mentioned first request are respectively carried in different messages, and the indication information #1 and the above-mentioned terminal identifier are sent to the target AMF together.
  • the indication information #1 may be exemplarily embodied in the following manner:
  • Explicit indication, for example: a parameter #1, the value of a specific field in a parameter, or an information element (IE) structure used to represent the indication information.
  • Implicit indication, for example: the combination of the complete registration request message, the terminal's mobility management context, the terminal's security context, and the terminal's user permanent identity can be understood as indication information #1; or, the information provided by the NSSF and carried in the message, indicating that a NAS reroute due to slicing has occurred.
  • the target AMF receives the routing information of the NF from the initial AMF, or the information obtained by the initial AMF from the NSSF, and the routing information or the information obtained from the NSSF can be understood as the indication information #1.
  • the above S220 further includes: the target AMF determines, according to the indication information #1, to respond to the security context of the terminal and the permanent identifier of the terminal.
  • the above S220 further includes: the target AMF determines to judge according to the local policy according to the indication information #1.
  • in each of the above modes, "the target AMF determines according to the local policy" may be replaced with "the target AMF determines according to the indication information #1".
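  • The following is an added example, not code from the patent, modelling the S220 decision of the target AMF in Python. The data-class field names (`trust_initial_amf`, `slice_requires_reauth`, `indication1`, and so on) are assumptions made for this example; the policy inputs mirror the exemplary local policies listed above, and the indication #1 / security-context / SUPI inputs are the items the target AMF receives in S210. The "use" branch corresponds to Mode 1 and the "use" outcome of Mode 4 (no authentication, no context request to the original AMF); the other branch corresponds to the "do not use" outcome, where authentication is initiated and, as the text notes, the SUPI can be carried instead of the SUCI.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ForwardedRequest:
    """What the target AMF receives in S210; field names are assumed for this example."""
    rr_message: dict                         # e.g. {"suci": "<placeholder>", "requested_nssai": [...]}
    security_context: Optional[dict] = None  # NAS security context established by the initial AMF
    supi: Optional[str] = None               # user permanent identifier obtained by the initial AMF
    indication1: Optional[str] = None        # indication information #1, e.g. "NAS_REROUTE"; None = absent


@dataclass
class LocalPolicy:
    """Exemplary local-policy inputs listed in the text (field names are assumed)."""
    trust_initial_amf: bool = True
    same_security_domain: bool = True
    slice_requires_reauth: bool = False                # slice requires the authentication process again
    slice_requires_original_amf_context: bool = False  # slice requires a context request to the original AMF


@dataclass
class Decision:
    use_forwarded_context: bool
    initiate_authentication: bool
    request_context_from_original_amf: bool
    auth_identity: Optional[str] = None  # identity carried in the request to the AUSF, if any
    extra_procedures: int = 0            # signalling procedures run before the UE can be served


def respond_to_first_request(req: ForwardedRequest, policy: LocalPolicy) -> Decision:
    """S220: decide how to respond to a first request that carries a forwarded context."""
    have_forwarded = req.security_context is not None and req.supi is not None
    # Indication #1 tells the target AMF that the request was forwarded by the initial
    # AMF and that the accompanying context and SUPI came from its authentication run.
    forwarded = req.indication1 is not None
    trusted = policy.trust_initial_amf or policy.same_security_domain
    no_slice_demands = not (policy.slice_requires_reauth
                            or policy.slice_requires_original_amf_context)
    if have_forwarded and forwarded and trusted and no_slice_demands:
        # Mode 1 / Mode 4 "use" branch: adopt the context, skip authentication
        # and skip the context request to the original AMF.
        return Decision(True, False, False, None, 0)
    # Mode 4 "do not use" branch, or no usable forwarded context: run authentication.
    # Carrying the SUPI instead of the SUCI spares the UDM the SUCI de-concealment.
    identity = req.supi or req.rr_message.get("suci")
    fetch_original = policy.slice_requires_original_amf_context
    return Decision(False, True, fetch_original, identity, 1 + int(fetch_original))
```

  • With a forwarded request carrying context, SUPI and indication #1 and a default (trusting) policy, the function returns a decision with no authentication and no context fetch; flipping `slice_requires_reauth` yields an authentication with the SUPI as identity, and a request that lacks indication #1 or the forwarded context falls back to authentication with the SUCI from the RR message.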
  • FIG. 3 is a schematic flowchart of a terminal registering with the core network, which specifically includes:
  • S301 The UE sends a registration request (registration request, RR) message to an initial AMF (initial AMF), where the RR message includes a subscriber concealed identifier (SUCI).
  • the RR message includes SUCI and plaintext IEs.
  • the plaintext IEs do not include the network slice selection assistance information requested by the UE (requested network slice selection assistance information, requested NSSAI).
  • in the embodiments of the present application, the UE sending the RR message to the initial AMF means that the UE sends the RR message to the (R)AN and the (R)AN sends the RR message to the initial AMF; because the (R)AN plays the role of transparent transmission in this step, for brevity of description this may be directly described as the UE sending the RR message to the initial AMF in the embodiments of the present application and/or in the drawings.
  • S302 The initial AMF initiates a primary authentication process for primary authentication.
  • the initial AMF initiates the main authentication process to perform authentication and key negotiation, and obtain the NAS security context of the UE and the user permanent identifier (SUPI) of the UE.
  • the initial AMF sends a non-access stratum security mode command (NAS SMC) message to the UE; the NAS SMC message can be used to establish a NAS security context between the UE and the initial AMF, and the NAS SMC message is integrity protected.
  • the NAS SMC message may include indication information for instructing the UE to send a complete initial NAS message.
  • if the UE receives, in the NAS SMC message, the indication information instructing the UE to send the complete initial NAS message, the UE carries the complete initial NAS message (that is, the RR message) in the non-access stratum security mode complete (NAS SMP) message, and the complete RR message includes the requested NSSAI.
  • NAS security context is established between the UE and the initial AMF.
  • S305 The initial AMF determines to perform NAS redirection (or called NAS reroute).
  • NAS redirection, NAS reroute and AMF redirection represent the same process.
  • the initial AMF calls the service operation #1 provided by the NSSF (for example, called the Nnssf_NSSelection_Get service operation).
  • the NSSF returns a response in response to service operation #1 (for example, called Nnssf_NSSelection_Get Response), and the response carries the AMF set (AMF set) or AMF address list that can serve the requested NSSAI.
  • the initial AMF calls the service operation #2 of the NRF (for example, the service operation called Nnrf_NFDiscovery_Request), and the Nnrf_NFDiscovery_Request service operation is used to obtain the address of the target AMF.
  • the NRF sends the response of the service operation #2, which includes the address of the target AMF.
  • calling a certain service operation provided by a certain network function can also be understood as requesting the certain service operation provided by the network function.
  • Receiving the invocation of the certain service operation can also be understood as receiving the request of the certain service operation.
  • Figure 4 shows a method for establishing a NAS security connection between a target AMF and a terminal, which specifically includes:
  • the initial AMF invokes the service operation #3 provided by the target AMF (such as the Namf_Communication_N1MessageNotify service operation), and the service operation #3 carries the above-mentioned RR message, the above-mentioned NAS security context, and the above-mentioned SUPI.
  • the target AMF responds to the RR message.
  • Figure 5 shows another method for establishing a NAS security connection between the target AMF and the terminal, which specifically includes:
  • the initial AMF sends a redirect NAS message (reroute NAS message) to the (R)AN.
  • the redirect NAS message includes the above-mentioned RR message.
  • the redirected NAS message further includes indication information #1.
  • the redirected NAS message includes the AMF set or the AMF address list obtained by the initial AMF from the NSSF in S305, and the AMF set or the AMF address list may be understood as the indication information #1.
  • the initial AMF sends SUCI, NAS security context, and SUPI to the NF.
  • the SUCI, the NAS security context, and the SUPI are carried in the same message.
  • the NAS security context and the SUPI are respectively carried in different messages.
  • in that case, the NAS security context and the SUPI each need to be carried in the same message as the SUCI.
  • the NF determines that the above-mentioned terminal identity, NAS security context, and SUPI are associated with each other.
  • a service on UDM can be defined.
  • the service name is UDM UE context update service
  • the input includes: SUCI, NAS security context, SUPI, and target AMF routing information.
  • Output None.
  • the above target AMF routing information is used to address the target AMF.
  • the target AMF routing information can be obtained from the initial AMF.
  • the timing relationship between S501 and S502 is not limited.
  • the indication information #1 may be received from the initial AMF in S501, or may be generated by the (R)AN.
  • S504 The NF sends SUCI, NAS security context, and SUPI to the target AMF.
  • the timing relationship between S503 and S504 is not limited.
  • S505 The target AMF responds to the RR message.
  • the service name is UDM_AMF UE context update service
  • the input includes: SUCI, NAS security context, SUPI, target AMF routing information.
  • Output None. It can be understood that the service is aimed at UDM and AMF, and the service exemplarily provided in S502 is aimed at UDM and UE.
  • Figure 6 shows yet another method for establishing a NAS security connection between the target AMF and the terminal, which specifically includes:
  • the initial AMF sends a redirect NAS message (reroute NAS message) to the (R)AN.
  • the initial AMF sends SUCI, NAS security context, and SUPI to the NF.
  • the timing relationship between S601 and S602 is not limited.
  • the (R)AN sends the above-mentioned RR message and indication information #1 to the target AMF.
  • the request #1 is used to request the NF to obtain the above-mentioned NAS security context and user permanent identity.
  • the request #1 includes SUCI.
  • the target AMF extracts SUCI from the above registration request message.
  • S605 The NF sends the NAS security context and SUPI to the target AMF.
  • the NF can query the NAS security context and SUPI corresponding to the SUCI according to the SUCI carried in request #1.
  • the NF sends SUCI, NAS security context, and SUPI to the target AMF.
  • the NF can carry the NAS security context and SUPI in the response message to the above request #1, so that the target AMF knows that the NAS security context and SUPI correspond to the above-mentioned SUCI.
  • S606 The target AMF responds to the RR message.
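  • The following is an added example, not code from the patent, modelling in Python the NF-side "UE context update" service of Figures 5 and 6: the initial AMF stores SUCI, NAS security context, SUPI and (optionally) target AMF routing information at the NF; the NF either pushes the association to the target AMF once it is addressable (S504) or answers the target AMF's request #1 keyed by the SUCI extracted from the RR message (S604/S605). Class and method names are assumptions; the merge-by-SUCI handling illustrates why, when the NAS security context and the SUPI travel in separate messages, each message must carry the SUCI, and the sample SUCI/SUPI strings in the usage are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UeContextRecord:
    """Record kept by the NF (e.g. UDM), indexed by the terminal identifier (SUCI here)."""
    nas_security_context: Optional[dict] = None
    supi: Optional[str] = None
    target_amf_routing_info: Optional[str] = None
    pushed: bool = False

    def complete(self) -> bool:
        # Only a record holding both items is a usable association for the target AMF.
        return self.nas_security_context is not None and self.supi is not None


class ContextNF:
    """Plays the NF role for the 'UE context update' service (input: SUCI, NAS
    security context, SUPI, target AMF routing information; output: none)."""

    def __init__(self) -> None:
        self._records: Dict[str, UeContextRecord] = {}
        self.pushes: List[Tuple[str, str, UeContextRecord]] = []  # S504-style pushes

    def ue_context_update(self, suci: str, nas_security_context: Optional[dict] = None,
                          supi: Optional[str] = None,
                          target_amf_routing_info: Optional[str] = None) -> None:
        if not suci:
            raise ValueError("SUCI is required to associate the context with the terminal")
        # Items arriving in different messages are merged by SUCI (S502/S602).
        rec = self._records.setdefault(suci, UeContextRecord())
        if nas_security_context is not None:
            rec.nas_security_context = nas_security_context
        if supi is not None:
            rec.supi = supi
        if target_amf_routing_info is not None:
            rec.target_amf_routing_info = target_amf_routing_info
        # Push variant (S504): once complete and addressable, forward to the target AMF.
        if rec.complete() and rec.target_amf_routing_info and not rec.pushed:
            rec.pushed = True
            self.pushes.append((rec.target_amf_routing_info, suci, rec))

    def ue_context_get(self, suci: str) -> Optional[Tuple[dict, str]]:
        """Pull variant (request #1, S604/S605): answer only a complete association."""
        rec = self._records.get(suci)
        if rec is None or not rec.complete():
            return None
        return rec.nas_security_context, rec.supi


def target_amf_on_rr(nf: ContextNF, rr_message: dict) -> dict:
    """Target AMF side of Figure 6: extract the SUCI from the RR, fetch the context."""
    suci = rr_message.get("suci")
    fetched = nf.ue_context_get(suci) if suci else None
    if fetched is None:
        # No association at the NF: fall back to the authentication process.
        return {"action": "INITIATE_AUTHENTICATION", "identity": suci}
    nas_ctx, supi = fetched
    # With the SUPI in hand the target AMF serves the UE by SUPI; the SUCI is no longer kept.
    return {"action": "USE_FORWARDED_CONTEXT", "identity": supi, "ngksi": nas_ctx.get("ngksi")}
```

  • A lookup against a record that has received only the SUPI returns nothing until the NAS security context arrives under the same SUCI; once both are present the target AMF's lookup succeeds, and supplying the target AMF routing information in the update triggers exactly one push.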
  • the RR message in S310 may include 5G-GUTI, plaintext IEs and a NAS container.
  • the requested NSSAI may be included in the NAS container.
  • the UE performs integrity protection on the RR message based on the existing NAS security context.
  • between S301 and S302, the method further includes:
  • the initial AMF invokes the first service operation provided by the original AMF (old AMF) (for example, the Namf_Communication_UEContextTransfer service operation), and the Namf_Communication_UEContextTransfer service operation can be used to request the context of the UE.
  • the Namf_Communication_UEContextTransfer includes the RR message received by the initial AMF.
  • the original AMF responds to the service operation, and verifies the integrity of the RR message included in the received service operation request.
  • if the original AMF successfully verifies the integrity of the RR message, it sends a Namf_Communication_UEContextTransfer Response (that is, the response to the first service operation) to the initial AMF, which carries the UE context, and the UE context includes the UE's security context.
  • the security context of the UE includes any one or more of the following:
  • the AMF key KAMF;
  • the key set identifier ngKSI;
  • the security algorithms, including an integrity protection algorithm and an encryption algorithm, which are selected by the original AMF and used between the UE and the AMF;
  • UE security capabilities that is, the identifier set of the encryption algorithm and the integrity protection algorithm implemented on the UE;
  • a horizontal KAMF derivation indication (KeyAMFHDerivationInd indication), which can be transmitted as information outside the security context; the KeyAMFHDerivationInd indication is used to indicate that the KAMF is generated through horizontal KAMF derivation.
  • the initial AMF may determine whether to perform horizontal KAMF derivation according to a local policy. If the initial AMF performs horizontal KAMF derivation according to the local policy, the new KAMF is different from the KAMF received from the original AMF. Similarly, the initial AMF may update other parameters in the above security context according to local policies.
  • SUCI can be replaced with 5G-GUTI.
  • the security context obtained from the initial AMF refers to the security context after the initial AMF is updated.
  • the target AMF responds to the first request according to the content introduced in S220 above. For example, whether or not the target AMF receives the horizontal KAMF derivation indication, the target AMF uses the security context received from the initial AMF instead of requesting and obtaining the security context from the original AMF.
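  • The following is an added example, not code from the patent, that works through the failure mode described above in Python: the initial AMF performs horizontal KAMF derivation and establishes the resulting key with the UE over NAS SMC, so a target AMF that took the pre-derivation KAMF from the original AMF cannot verify the UE's next integrity-protected NAS message, while the context forwarded by the initial AMF verifies. The KDF is the generic HMAC-SHA-256 construction of TS 33.220 Annex B; the FC, DIRECTION and algorithm-type-distinguisher values are given as recalled from TS 33.501 Annex A and should be treated as assumptions, and the NAS-MAC is a labelled HMAC stand-in rather than a NIA algorithm. None of those details affect the point shown: a stale key fails, the updated key succeeds. All key material and NAS COUNT values are constructed for the example.

```python
import hashlib
import hmac

# Constants as recalled from TS 33.501 Annex A (assumptions for this example).
FC_HORIZONTAL_KAMF = 0x72   # KAMF -> K'AMF derivation in mobility
FC_NAS_ALG_KEY = 0x69       # NAS algorithm key derivation
NAS_INT_ALG_TYPE = b"\x02"  # algorithm type distinguisher for the NAS integrity key
DIRECTION_HORIZONTAL = b"\x01"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC||P0||L0||P1||L1...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def horizontal_kamf_derivation(kamf: bytes, ul_nas_count: int) -> bytes:
    """K'AMF = KDF(KAMF, FC, DIRECTION, uplink NAS COUNT); a different key from KAMF."""
    return kdf(kamf, FC_HORIZONTAL_KAMF, DIRECTION_HORIZONTAL, ul_nas_count.to_bytes(4, "big"))


def derive_knas_int(kamf: bytes, alg_id: int) -> bytes:
    """KNASint: the 128 least significant bits of KDF(KAMF, FC, alg type, alg id)."""
    return kdf(kamf, FC_NAS_ALG_KEY, NAS_INT_ALG_TYPE, bytes([alg_id]))[16:]


def nas_mac(knas_int: bytes, count: int, message: bytes) -> bytes:
    """Stand-in for a NIA algorithm: HMAC-SHA-256 over COUNT||message, truncated to
    32 bits (real NIA2 is AES-CMAC; key-mismatch behaviour is identical)."""
    return hmac.new(knas_int, count.to_bytes(4, "big") + message, hashlib.sha256).digest()[:4]


def protect(ctx: dict, count: int, message: bytes) -> tuple:
    """UE side: integrity-protect a NAS message with the key of its current context."""
    mac = nas_mac(derive_knas_int(ctx["kamf"], ctx["int_alg"]), count, message)
    return (count, message, mac)


def verify(ctx: dict, protected: tuple) -> bool:
    """AMF side: check the NAS-MAC with the key of the context the AMF holds."""
    count, message, mac = protected
    expected = nas_mac(derive_knas_int(ctx["kamf"], ctx["int_alg"]), count, message)
    return hmac.compare_digest(mac, expected)


def scenario() -> dict:
    # Constructed sample: KAMF held by the original AMF, integrity algorithm id 2.
    kamf_old = bytes(range(32))
    original_amf_ctx = {"kamf": kamf_old, "int_alg": 2, "ngksi": 1}
    # The initial AMF decides by local policy to derive horizontally and runs NAS SMC,
    # so the UE and the initial AMF now share K'AMF (the updated security context).
    kamf_new = horizontal_kamf_derivation(kamf_old, ul_nas_count=5)
    initial_amf_ctx = {"kamf": kamf_new, "int_alg": 2, "ngksi": 1}
    ue_ctx = dict(initial_amf_ctx)
    # The UE's next uplink NAS message is protected with the updated key.
    protected_rr = protect(ue_ctx, count=6, message=b"RegistrationRequest(requested NSSAI)")
    return {
        "derivation_changed_key": kamf_new != kamf_old,
        "verify_with_initial_amf_context": verify(initial_amf_ctx, protected_rr),
        "verify_with_original_amf_context": verify(original_amf_ctx, protected_rr),
    }
```

  • Running `scenario()` shows the derived key differing from the original one, verification succeeding with the context forwarded by the initial AMF and failing with the context the original AMF would have returned; this is the concrete reason the text gives for the target AMF taking the context from the initial AMF rather than the original AMF.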
  • each network element or network function such as the initial AMF, the target AMF, and the original AMF, etc., in order to realize the above functions, includes corresponding hardware structures and/or software modules for executing each function.
  • the present application can be implemented in hardware or a combination of hardware and computer software. Whether a function is performed by hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.
  • each network element or network function may be divided into functional modules according to the foregoing method examples.
  • each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
  • the above-mentioned integrated modules can be implemented in the form of hardware, or can be implemented in the form of software function modules.
  • FIG. 7 shows a communication apparatus 70 provided by an embodiment of the present application.
  • the communication device 70 can be a mobility management network function; as an example, the communication device 70 can also be an access network device; as an example, the communication device 70 can also be an NF. That is, the communication device may be a related device involved in implementing the security protection methods shown in FIGS. 2-6 .
  • the device may also be a chip system. In this embodiment of the present application, the chip system may be composed of chips, or may include chips and other discrete devices.
  • the apparatus 70 includes at least one processor 720, configured to implement the functions of the relevant network elements or network functions in the methods provided in the embodiments of the present application.
  • the apparatus 70 may also include a transceiver 710 . In this embodiment of the present application, the transceiver may be used to communicate with other devices through a transmission medium.
  • the apparatus 70 may further include at least one memory 730 for storing program instructions and/or data.
  • Memory 730 is coupled to processor 720 .
  • the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, which may be in electrical, mechanical or other forms, and is used for information exchange between devices, units or modules.
  • Processor 720 may cooperate with memory 730 .
  • Processor 720 may execute program instructions stored in memory 730 . At least one of the at least one memory may be included in the processor.
  • the specific connection medium between the transceiver 710, the processor 720, and the memory 730 is not limited in the embodiments of the present application.
  • the memory 730, the processor 720, and the transceiver 710 are connected through a bus 740 in FIG. 7.
  • the bus is represented by a thick line in FIG. 7; the connection between other components is only for schematic illustration and is not limited.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of presentation, only one thick line is used in FIG. 7, but it does not mean that there is only one bus or one type of bus.
  • the processor may include a baseband processor and a central processing unit (CPU); the baseband processor is mainly used for processing communication protocols and communication data, and the CPU is mainly used to control the entire device, execute software programs, and process data of software programs.
  • the processor may also be a network processor (network processor, NP) or a combination of CPU and NP.
  • the processor may further include a hardware chip.
  • the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general-purpose array logic (generic array logic, GAL) or any combination thereof.
  • Memory may include volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
  • Volatile memory may be random access memory (RAM), which acts as an external cache.
  • by way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
  • Embodiments of the present application further provide a computer storage medium, wherein the computer storage medium may store a program, and when the program is executed, the program includes part or all of the steps of any of the registration methods described in the above method embodiments.
  • FIG. 8 shows a communication apparatus 80 provided by an embodiment of the present application.
  • the communication device 80 can be a mobility management network function; as an example, the communication device 80 can also be an access network device; as an example, the communication device 80 can also be an NF. That is, the communication device may be a related device involved in implementing the security protection method shown in FIG. 2 to FIG. 6 .
  • the device may also be a chip system. In this embodiment of the present application, the chip system may be composed of chips, or may include chips and other discrete devices.
  • the device 80 divides the communication device into functional units in the above method embodiments. For example, each functional unit may be divided corresponding to each function, or two or more units may be integrated into one processing module.
  • the above-mentioned integrated units can be implemented in the form of hardware, or can be implemented in the form of software function modules. It should be noted that the division of units in the embodiments of the present application is schematic, and is only a logical function division, and other division methods may be used in actual implementation.
  • the communication device 80 may include a processing unit 801 and a transceiver unit 802 .
  • the processing unit 801 is specifically used for the function of responding to the first request in S220, S402, S505, and S606.
  • the transceiver unit 802 is specifically used for the functions of sending and receiving information involved in FIG. 2 to FIG. 6 .
  • the functions/implementation process of the transceiver unit 802 and the processing unit 801 in FIG. 8 may be implemented by the processor 710 in the communication device 70 shown in FIG. 7 calling the computer execution instructions stored in the memory 730 .
  • the function/implementation process of the processing unit 801 in FIG. 8 may be implemented by the processor 710 in the communication device 70 shown in FIG. 7 calling the computer-executed instructions stored in the memory 730, and the function/implementation process of the transceiver unit 802 in FIG. 8 may be implemented by the transceiver 710 in the communication device 70 shown in FIG. 7.
  • the disclosed apparatus may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative; for example, the division of the units is only a logical function division, and there may be other division methods in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical or other forms.
  • the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.
  • the integrated unit if implemented as a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable memory.
  • the technical solution of the present application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, and that computer software product is stored in a memory.
  • a computer device which may be a personal computer, a server, or a network device, etc.
  • the aforementioned memory includes: U disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), mobile hard disk, magnetic disk or optical disk and other media that can store program codes.
  • "Plural” means two or more. "And/or”, which describes the association relationship of the associated objects, means that there can be three kinds of relationships, for example, A and/or B, which can mean that A exists alone, A and B exist at the same time, and B exists alone. The character “/" generally indicates that the associated objects are an "or" relationship.

Abstract

A security protection method, apparatus and system. The method comprises: a target AMF receiving, from an initial AMF, a first request of a terminal, a security context of the terminal and a subscription permanent identifier of the terminal (S210); and the target AMF responding to the first request (S220). Since an initial AMF acquires a security context of a terminal and a subscription permanent identifier of the terminal by means of an authentication process, a target AMF can trust the above-mentioned information from the initial AMF; and the target AMF can directly respond to a first request by using the information received from the initial AMF and does not need to initiate the authentication process to acquire the security context or the subscription permanent identifier, and similarly, also does not need to send a request for acquiring a context, thereby effectively reducing a signaling process after the target AMF receives the first request, and effectively shortening a time delay required for establishing or updating a connection between the terminal and the target AMF.

Description

A security protection method, device and system
Technical field
The present application relates to the field of communications, and in particular to a security protection method, device and system.
Background
A terminal may undergo access and mobility management function (AMF) redirection while registering with the network. When the initial AMF that receives the terminal's registration request cannot serve that terminal, the initial AMF may perform a NAS reroute: it obtains the information of a target AMF that can serve the user equipment and sends the registration request message received from the terminal to that target AMF.
However, the current AMF redirection procedure carries a large signaling overhead and prolongs network access time.
Similarly, other core network elements that need to obtain the terminal's security context may undergo redirection or handover, and that redirection or handover procedure likewise suffers from large signaling overhead and prolonged network access time.
Summary of the invention
Embodiments of the present application provide a security protection method, apparatus and system that can reduce the signaling interaction during redirection or handover of a core network element, lowering the signaling overhead and shortening the network access delay.
In a first aspect, embodiments of the present application provide a security protection method, including:
a target network element receiving, from an initial network element, a first request of a terminal, the security context of the terminal and the user permanent identifier of the terminal;
the target network element responding to the first request.
The first request may be a registration request of the terminal.
The network element may be a mobility management network function, such as an AMF; it may also be any network element that undergoes redirection or handover and that needs to obtain the terminal's security context or to establish a secure connection with the terminal. The initial network element is the first network element to process the first request; the target network element is the network element that serves the terminal after the redirection or handover. The initial network element and the target network element may be network elements of the same type, or network elements of different types that can provide the same type of service to the terminal.
In a possible implementation, the first request includes the user temporary identifier of the terminal.
The target network element responding to the first request may be understood as determining the user permanent identifier corresponding to the terminal's user temporary identifier and the security context corresponding to that user temporary identifier; it may also be understood as determining that the user permanent identifier corresponding to the terminal's user temporary identifier is the user permanent identifier received by the target network element, and that the security context corresponding to that user temporary identifier is the security context received by the target network element.
In a possible implementation, the target network element receiving the first request of the terminal, the security context of the terminal and the user permanent identifier of the terminal from the initial network element includes: the target network element receiving the first request of the terminal, the security context of the terminal and the user permanent identifier of the terminal from the initial network element over a direct interface.
In a possible implementation, the target network element receiving the first request of the terminal, the security context of the terminal and the user permanent identifier of the terminal from the initial network element includes: the target network element receiving the first request of the terminal from an access network device; and the target network element receiving the user temporary identifier of the terminal, the security context of the terminal and the user permanent identifier of the terminal from a core network element.
In a possible implementation, the target network element receiving the first request of the terminal, the security context of the terminal and the user permanent identifier of the terminal from the initial network element includes: the target network element receiving the first request of the terminal from an access network device; the target network element receiving the first request of the terminal from the initial network element; in response to the first request, the target network element sending an acquisition request to an NF, the acquisition request requesting from the NF the security context and user permanent identifier corresponding to the terminal and including the user temporary identifier of the terminal; and the target network element receiving the user temporary identifier of the terminal, the security context of the terminal and the user permanent identifier of the terminal from the core network element.
In a possible implementation, the target network element responding to the first request includes: in response to the security context of the terminal and the permanent identifier of the terminal, the target network element using that security context and user permanent identifier.
In a possible implementation, the method further includes: the target network element not initiating an authentication procedure. The target network element may decide, according to a local policy, not to initiate the authentication procedure.
In a possible implementation, the method further includes: the target network element not sending a request to obtain a context. The target network element may decide, according to a local policy, not to send the request to obtain a context. Not sending the request to obtain a context may mean not sending the request to obtain a context to the original network element. The context includes the security context.
In a possible implementation, the target network element responding to the first request includes: in response to the security context of the terminal and the permanent identifier of the terminal, the target network element not sending a request to obtain the security context.
In a possible implementation, the target network element responding to the first request includes: in response to the security context of the terminal and the permanent identifier of the terminal, the target network element not initiating an authentication procedure.
In a possible implementation, the target network element responding to the first request includes: the target network element determining, according to a local policy, whether to use or trust the security context and/or the user permanent identifier.
In a possible implementation, the target network element responding to the first request includes: the target network element deciding, according to a local policy, to use the security context and/or the user permanent identifier.
In a possible implementation, the method further includes: the target network element not initiating an authentication procedure.
In a possible implementation, the method further includes: the target network element not sending a request to obtain a context.
In a possible implementation, the target network element responding to the first request includes: the target network element determining, according to a local policy, whether to initiate an authentication procedure.
In a possible implementation, the target network element responding to the first request includes: the target network element deciding, according to a local policy, not to initiate an authentication procedure.
In a possible implementation, the target network element responding to the first request includes: the target network element determining, according to a local policy, whether to send a request to obtain a context.
In a possible implementation, the target network element responding to the first request includes: the target network element deciding, according to a local policy, not to send a request to obtain a context. Not sending the request to obtain a context may mean not sending the request to obtain a context to the original network element. The context includes the security context.
Because the initial network element obtained the terminal's security context and user permanent identifier through an authentication procedure, the target network element can trust this information from the initial network element. The target network element can respond to the first request directly with this information, without initiating an authentication procedure to obtain the security context or the user permanent identifier and, likewise, without sending a request to obtain the context. This effectively reduces the signaling after the target network element receives the first request and shortens the delay needed for the terminal and the target network element to establish or update a secure connection.
By obtaining and using the security context and user permanent identifier from the initial network element, the target network element avoids having to fetch the security context and user permanent identifier from the original network element. This avoids the problem that arises when the security context between the initial network element and the terminal has been updated but the target network element fetches the pre-update security context from the original network element, and consequently cannot establish communication with the terminal on the basis of that security context.
In a possible implementation, the target network element responding to the first request includes: the target network element deciding, according to a local policy, not to use the security context or the user permanent identifier.
In a possible implementation, the method further includes: the target network element initiating an authentication procedure.
In a possible implementation, the target network element decides, according to a local policy, to initiate an authentication procedure.
In this way, the target network element does not need to initiate an authentication procedure after every first request it receives; it initiates one only when its local policy determines that an authentication procedure is needed. This reduces the signaling overhead caused by unnecessary authentication procedures while still safeguarding the security of the communication connection.
In a possible implementation, the method further includes: the target network element receiving first indication information. The first indication information indicates that the first request was forwarded by the initial network element.
The target network element responding to the first request includes: the target network element determining, according to the first indication information, to respond to the security context of the terminal and the permanent identifier of the terminal.
The target network element responding to the first request includes: the target network element determining, according to the first indication information, to make the determination according to the local policy.
In a possible implementation, the first indication information is generated by the initial network element and forwarded to the target network element through the access network device; or the first indication information is generated by the access network device and sent to the target network element.
In a possible implementation, the target network element extracts the user temporary identifier from the first request.
In a possible implementation, the target network element uses the terminal's user temporary identifier as an index into the obtained security contexts and user permanent identifiers to find that terminal's security context and user permanent identifier.
In a possible implementation, the method further includes: after obtaining the user permanent identifier of the terminal, the target network element deleting the user temporary identifier of the terminal.
In a second aspect, embodiments of the present application provide a security protection method, including:
an initial access management function network element receiving a first request of a terminal, the first request including the user temporary identifier of the terminal;
the initial network element obtaining the context of the terminal and the user permanent identifier of the terminal corresponding to that user temporary identifier;
the initial network element sending the first request to a target network element through an access network device;
the initial network element sending the user temporary identifier of the terminal, the user permanent identifier of the terminal and the security context of the terminal to a first network element.
In a possible implementation, the method further includes: the initial network element sending first indication information to the access network device, the first indication information indicating that the first request was forwarded by the initial network element.
In a possible implementation, the method further includes: the initial network element extracting the user temporary identifier from the first request.
In a third aspect, embodiments of the present application provide a security protection method, including:
a first network element obtaining the user temporary identifier of a terminal, the user permanent identifier of the terminal and the security context of the terminal;
the first network element sending the user temporary identifier, the user permanent identifier and the security context to a target access management function network element.
In a possible implementation, the method further includes: the first network element receiving an acquisition request from the target network element, the acquisition request including the user temporary identifier;
and the first network element sending the user temporary identifier, the user permanent identifier and the security context to the target access management function network element includes: in response to the acquisition request, the first network element sending to the target network element the user temporary identifier together with the user permanent identifier and the security context corresponding to that user temporary identifier.
In a fourth aspect, embodiments of the present application provide a communication apparatus including a processor and a memory, the memory storing computer-executable instructions and the processor executing the computer-executable instructions stored in the memory, so that the apparatus performs the corresponding method of the first aspect.
In a fifth aspect, embodiments of the present application provide a communication apparatus including a processor and a memory, the memory storing computer-executable instructions and the processor executing the computer-executable instructions stored in the memory, so that the apparatus performs the corresponding method of the second aspect.
In a sixth aspect, embodiments of the present application provide a communication apparatus including a processor and a memory, the memory storing computer-executable instructions and the processor executing the computer-executable instructions stored in the memory, so that the apparatus performs the corresponding method of the third aspect.
In a seventh aspect, embodiments of the present application provide a communication apparatus for implementing the method of the first aspect. The communication apparatus can implement the functions of the target network element in the first aspect. It includes the modules, units or means corresponding to the method above, which may be implemented in hardware, in software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions above.
In an eighth aspect, embodiments of the present application provide a communication apparatus for implementing the method of the second aspect. The communication apparatus can implement the functions of the initial network element in the second aspect. It includes the modules, units or means corresponding to the method above, which may be implemented in hardware, in software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions above.
In a ninth aspect, embodiments of the present application provide a communication apparatus for implementing the method of the third aspect. The communication apparatus can implement the functions of the first network element in the second aspect. It includes the modules, units or means corresponding to the method above, which may be implemented in hardware, in software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions above.
In a tenth aspect, embodiments of the present application provide a computer-readable storage medium storing instructions which, when executed, cause the method of any one of the first to third aspects to be implemented.
In an eleventh aspect, embodiments of the present application provide a computer program product including instructions which, when executed, cause the method of any one of the first to third aspects to be implemented.
In a twelfth aspect, embodiments of the present application provide a communication system including the apparatus of the fourth or seventh aspect and the apparatus of the fifth or eighth aspect.
Optionally, the communication system further includes the apparatus of the sixth or ninth aspect.
For the technical effects of the second to twelfth aspects, refer to the beneficial effects of the first aspect.
附图说明Description of drawings
图1为本申请实施例提供的一种通信***的示意图;FIG. 1 is a schematic diagram of a communication system provided by an embodiment of the present application;
图2为本申请实施例提供的一种安全保护方法的流程示意图;2 is a schematic flowchart of a security protection method provided by an embodiment of the present application;
图3为本申请实施例提供的一种注册方法的流程示意图;3 is a schematic flowchart of a registration method provided by an embodiment of the present application;
图4为本申请实施例提供的另种安全保护方法的流程示意图;4 is a schematic flowchart of another security protection method provided by an embodiment of the present application;
图5为本申请实施例提供的又种安全保护方法的流程示意图;5 is a schematic flowchart of another security protection method provided by an embodiment of the present application;
图6为本申请实施例提供的再种安全保护方法的流程示意图;6 is a schematic flowchart of a further security protection method provided by an embodiment of the present application;
图7为本申请实施例提供的一种通信装置的结构示意图。FIG. 7 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application.
图8为本申请实施例提供的又一种通信装置的结构示意图。FIG. 8 is a schematic structural diagram of still another communication apparatus provided by an embodiment of the present application.
具体实施方式Detailed ways
图1是本申请实施例提供的一种网络架构示意图,图1中所涉及的各个部分如下所示:FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of the present application, and each part involved in FIG. 1 is as follows:
终端设备,也可称为用户设备(user equipment,UE)、终端等。终端设备是一种具有无线收发功能的设备,可以经(无线)接入网络((radio)access network,(R)AN)中的接入网设备与一个或多个核心网(core network,CN)进行通信。可以部署在陆地上,包括室内或室外、手持、穿戴或车载;也可以部署在水面上,如轮船上等;还可以部署在空中,例如部署在飞机、气球或卫星上等。终端设备可以是手机(mobile phone)、平板电脑(Pad)、带无线收发功能的电脑、虚拟现实(virtual reality,VR)终端设备、增强现实(augmented reality,AR)终端设备、工业控制(industrial control)中的无线终端、无人驾驶(self driving)中的无线终端、远程医疗(remote medical)中的无线终端、智能电网(smart grid)中的无线终端、运输安全(transportation safety)中的无线终端、智慧城市(smart city)中的无线终端、智慧家庭(smart home)中的无线终端等等。A terminal device may also be called a user equipment (user equipment, UE), a terminal, and the like. A terminal device is a device with wireless transceiver function, which can communicate with one or more core networks (core network, CN) through the access network device in the (radio) access network ((R)AN). ) to communicate. It can be deployed on land, including indoor or outdoor, handheld, wearable or vehicle-mounted; it can also be deployed on water, such as ships; it can also be deployed in the air, such as on airplanes, balloons, or satellites. The terminal device can be a mobile phone (mobile phone), a tablet computer (Pad), a computer with wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, an industrial control (industrial control) wireless terminals in ), wireless terminals in self-driving, wireless terminals in remote medical, wireless terminals in smart grid, wireless terminals in transportation safety , wireless terminals in smart cities, wireless terminals in smart homes, and so on.
(无线)接入网络((radio)access network,(R)AN),用于为特定区域的授权用户设备提供入网功能,并能够根据用户设备的级别,业务的需求等使用不同质量的传输隧道。如(R)AN可管理无线资源,为用户设备提供接入服务,进而完成控制信息和/或数据信息在用户设备和核心网(core network,CN)之间的转发。本申请实施例中的接入网设备是一种为终端设备提供无线通信功能的设备,也可称为网络设备。如该接入网设备可以包括:5G***中的下一代基站节点(next generation node basestation,gNB)、长期演进(long term evolution,LTE)中的演进型节点B(evolved node B,eNB)、无线网络控制器(radio network controller,RNC)、节点B(node B,NB)、基站控制器(base station controller,BSC)、基站收发台(base transceiver station,BTS)、家庭基站(例如,home evolved nodeB,或home node B,HNB)、基带单元(base band unit,BBU)、传输点(transmitting and receiving point,TRP)、发射点(transmitting point,TP)、小基站设备(pico)、移动交换中心,或者未来网络中的网络设备等。可理解,本申请实施例对接入网设备的具体类型不作限定。在不同无线接入技术的***中,具备接入网设备功能的设备的名称可能会有所不同。The (radio) access network ((R)AN) is used to provide network access functions for authorized user equipment in a specific area, and can use different quality transmission tunnels according to the level of user equipment, service requirements, etc. . For example, (R)AN can manage radio resources, provide access services for user equipment, and then complete the forwarding of control information and/or data information between user equipment and a core network (core network, CN). The access network device in the embodiment of the present application is a device that provides a wireless communication function for a terminal device, and may also be referred to as a network device. 
For example, the access network equipment may include: next generation node basestation (gNB) in 5G system, evolved node B (evolved node B, eNB) in long term evolution (LTE), wireless Network controller (radio network controller, RNC), node B (node B, NB), base station controller (base station controller, BSC), base transceiver station (base transceiver station, BTS), home base station (for example, home evolved nodeB , or home node B, HNB), base band unit (BBU), transmission point (transmitting and receiving point, TRP), transmitting point (transmitting point, TP), small base station equipment (pico), mobile switching center, Or network equipment in the future network, etc. It is understandable that the embodiment of the present application does not limit the specific type of the access network device. In systems with different wireless access technologies, the names of devices with access network device functions may be different.
The user plane function (UPF) network function performs packet routing and forwarding and quality of service (QoS) handling for user plane data.
The data network (DN) network function provides the network over which data is transmitted.
The access and mobility management function (AMF) network function is mainly used for mobility management and access management. It can implement the functions of the mobility management entity (MME) other than session management, for example lawful interception and access authorization/authentication. Hereinafter the AMF network function is simply called the AMF. In the embodiments of this application the AMF may be an initial AMF, an old AMF, or a target AMF. The initial AMF is the first AMF that handles the UE's registration request in the current registration; it is selected by the (R)AN, but it is not necessarily able to serve the UE. The old AMF is the AMF that served the UE the last time the UE registered with the network. The target AMF is the AMF that serves the UE after the UE has been redirected. For example, the UE carries network slice selection information in its registration request message; after the UE has completed the registration request at the initial AMF, the initial AMF turns out to be unable to serve that network slice, so the UE has to be redirected to a target AMF that can serve it.
The network slice selection function (NSSF) can be used to determine network slice instances, select an AMF network function, and so on.
The network repository network function, for example the network repository function (NRF), can be used to maintain real-time information about all network function services in the network.
The authentication server function (AUSF) provides authentication services, generates keys to achieve mutual authentication with the user equipment, and supports a unified authentication framework.
The unified data management (UDM) network function can be used to handle user equipment identifiers, access authentication, registration, mobility management, and so on. Hereinafter the UDM network function is simply called the UDM.
The mobility management network function in the embodiments of this application may be the AMF network function shown in Figure 1, or another network function in a future communication system that has the AMF functions described above. Alternatively, the mobility management network function in this application may be a mobility management entity (MME) in long term evolution (LTE), or the like.
For ease of description, the embodiments of this application take the mobility management network function being the AMF network function as an example. Further, the AMF network function is abbreviated to AMF, and the terminal device is referred to as the UE or the terminal; that is, wherever the embodiments below say AMF, this may be replaced by the mobility management network function, and wherever they say UE or terminal, this may be replaced by terminal device.
The embodiments of this application introduce the proposed security protection method using redirection of the mobility management network function as the example. The security protection method of this application also applies to handover of the mobility management network function. It can be understood that when another core network element is redirected or handed over and that core network element needs to establish a secure connection with the terminal, the actions performed by the mobility management network function in the methods below may instead be performed by that core network element.
It can be understood that the terms introduced above may have different names in different fields or different standards, so the names given above should not be construed as limiting the embodiments of this application. The network functions described above may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform).
Figure 2 is a schematic flowchart of a security protection method. It includes the following steps.
S210: The target AMF receives, from the initial AMF, a first request of a terminal, the security context of the terminal, and the permanent user identifier of the terminal.
The first request includes the temporary user identifier of the terminal. The temporary user identifier may be a temporary identifier generated by the terminal, such as a SUCI. It may also be a temporary identifier generated by the core network for the terminal, such as a GUTI, which the terminal obtained from the core network.
The first request is used to request establishment of a secure connection between the terminal and the core network, or between the terminal and the AMF that receives the first request. Establishing a secure connection includes establishing a security context. "Establishing" here may equally be read as "updating".
The first request may be a registration request of the terminal, which requests that the terminal be registered with the core network, or with an AMF that is able to serve the terminal. The first request may also be some other request of the terminal, for example a handover request.
The security context describes the information needed to protect the communication between the core network and the terminal. Optionally, the security context includes one or more of: the AMF key, the AMF key identifier, the security capabilities of the terminal, the ciphering (encryption protection) algorithm, the integrity protection algorithm, and the NAS COUNT.
The security context of the terminal referred to above is the one the initial AMF has already obtained. The initial AMF receives the first request from the terminal, initiates the primary authentication procedure for the terminal, and obtains the terminal's security context through that procedure. The initial AMF can then use the security context to protect (for example, to encrypt) signaling and other information sent to the terminal.
In a first possible implementation, the first request, the security context, and the permanent user identifier of the terminal are carried in a single message. By receiving that message, the target AMF learns that the security context and permanent user identifier it carries correspond to the temporary user identifier in the first request. Optionally, the initial AMF sends this message to the target AMF over a direct interface.
In a second possible implementation, the first request, the security context, and the permanent user identifier of the terminal are carried in separate messages. Optionally, the security context or the permanent user identifier is carried together with a terminal identifier in one message, so that the target AMF can tell which terminal the received security context and permanent user identifier belong to. The terminal identifier may be the temporary user identifier mentioned above, or any other information that allows the target AMF to identify the terminal, such as the terminal's session information or tunnel identifier.
In the second implementation, the initial AMF may send the temporary user identifier, the security context, and the permanent user identifier of the terminal to the target AMF via a core network element. Optionally, the initial AMF sends the terminal's first request to the target AMF via the access network device.
The target AMF can extract the temporary user identifier from the first request. Using the temporary user identifier as an index, it can look up (or obtain) the terminal's security context and permanent user identifier among the security contexts and permanent identifiers it has received. Alternatively, the target AMF can use the temporary user identifier to request the terminal's security context and permanent user identifier from the NF.
The core network element mentioned above may be the UDM, the NSSF, or any other core network element able to store and forward this information. For ease of description, that core network element is referred to below as the network function NF.
Optionally, after the NF obtains the terminal's temporary user identifier, security context, and permanent user identifier, it sends them to the target AMF; that is, the NF pushes the information to the target AMF directly once it has it.
Optionally, the NF obtains the terminal's security context and permanent user identifier and sends them to the target AMF only when it receives a retrieval request from the target AMF. That retrieval request carries the temporary user identifier, which is used to request from the NF the security context and permanent user identifier corresponding to the terminal. From the target AMF's side: the target AMF receives the first request; in response to it, the target AMF sends the retrieval request to the NF; and the target AMF receives the terminal's security context and permanent user identifier from the NF.
S220: The target AMF responds to the first request.
For example, the response may or may not trigger an authentication procedure. When the authentication procedure is triggered, the target AMF can send an authentication request to the AUSF.
The target AMF may respond to the first request in any of the following manners:
Manner 1: In response to the terminal's security context and the terminal's permanent identifier, the target AMF uses that security context and permanent user identifier.
Using the security context means protecting signaling according to the information in the security context, for example ciphering it or integrity-protecting it. It can also mean sending the terminal signaling that has been protected according to the information in the security context.
Using the permanent user identifier means treating it as the user's unique permanent identifier in the core network; it can also mean charging according to that identifier, or obtaining or providing other services for the terminal according to that identifier.
Using the security context and the permanent user identifier in this way amounts to trusting the security context and permanent user identifier received from the initial AMF. The target AMF therefore need not trigger the authentication procedure and need not send a context retrieval request. For example, when the first request received by the target AMF is an RR message carrying a SUCI, the target AMF may choose not to trigger the authentication procedure.
Optionally, manner 1 further includes: the target AMF does not initiate the authentication procedure. Once the target AMF has obtained the security context and permanent user identifier above, it no longer needs to obtain them by initiating an authentication procedure.
Optionally, manner 1 further includes: the target AMF does not send a request for the security context. For example, once the target AMF has obtained the security context and permanent user identifier above, it no longer needs to send a security context request to the old AMF. The old AMF is the AMF that previously served the terminal; it holds an established security context for the terminal and stores the terminal's permanent user identifier.
Manner 2: In response to the terminal's security context and the terminal's permanent identifier, the target AMF does not initiate the authentication procedure.
Manner 3: In response to the terminal's security context and the terminal's permanent identifier, the target AMF does not send a request for the security context.
Manner 4: The target AMF decides according to its local policy whether to use the security context or the permanent user identifier above.
Manner 4 can equivalently be stated as: the target AMF decides according to its local policy whether to trust the security context and permanent user identifier received from the initial AMF.
The local policy is policy information configured locally on the target AMF or received from another core network element. Examples of local policy include:
the target AMF trusts the initial AMF; or the target AMF and the initial AMF are in the same security domain; or
the security requirement of the network slice in which the target AMF serves the terminal is that the authentication procedure is not run again; or
the security requirement of that network slice is that no context retrieval request is sent to the old AMF; or
the target AMF does not initiate the authentication procedure after obtaining a security context; or
the target AMF does not send a context retrieval request to the old AMF after obtaining a security context.
If the decision is yes: manner 4 can be restated as the target AMF determining, according to its local policy, to use the security context or the permanent user identifier.
If the decision is yes, the method further includes: the target AMF does not initiate the authentication procedure.
If the decision is yes, the method further includes: the target AMF does not send a context retrieval request.
Manner 5: The target AMF decides according to its local policy whether to initiate the authentication procedure.
If the decision is no: manner 5 can be restated as the target AMF determining, according to its local policy, not to initiate the authentication procedure.
Manner 5 further includes: the target AMF decides according to its local policy whether to send a context retrieval request.
Manner 6: The target AMF decides according to its local policy whether to send a context retrieval request.
If the decision is no: manner 6 can be restated as the target AMF determining, according to its local policy, not to send a security context retrieval request.
Manner 6 further includes: the target AMF decides according to its local policy whether to initiate the authentication procedure.
With the method of Figure 2, since the initial AMF obtained the terminal's security context and permanent user identifier through the authentication procedure, the target AMF can trust that information from the initial AMF and use it directly to respond to the first request. It need not initiate an authentication procedure to obtain the security context or the permanent user identifier, and likewise need not send a context retrieval request. This reduces the signaling the target AMF performs after receiving the first request and shortens the delay for the terminal to establish or update its connection with the target AMF.
Note that when the terminal's security context is indexed by the terminal's permanent user identifier, the target AMF, having obtained the temporary user identifier, must first obtain the corresponding permanent user identifier before it can use that permanent identifier to fetch the matching security context from the NF. With the method of Figure 2, the terminal's security context can be regarded as indexed by the terminal's temporary user identifier, so the target AMF can fetch the corresponding security context directly with the temporary user identifier. This simplifies how the target AMF obtains the security context.
Because the target AMF obtains and uses the security context and permanent user identifier from the initial AMF, it need not fetch them from the old AMF. After the initial AMF receives the first request, the security context between the initial AMF and the terminal may be updated; what the target AMF would obtain from the old AMF is the pre-update security context, on which it cannot successfully establish communication with the terminal. With the method of Figure 2, obtaining the security context from the initial AMF guarantees that the target AMF gets the context as updated by the initial AMF, avoiding that failure. It also spares the target AMF from receiving security contexts over several paths (the old AMF, the initial AMF, and so on) and then having to compare and choose between them, which simplifies the logic by which the target AMF determines the terminal's security context.
In the method of Figure 2, the target AMF may delete the terminal's temporary user identifier once it has obtained the terminal's permanent user identifier, and may then serve the terminal on the basis of the permanent user identifier.
In the method of Figure 2, manner 4 of S220 (the target AMF decides according to its local policy whether to use the security context or the permanent user identifier above) further includes:
If the decision is no: manner 4 can be restated as the target AMF determining, according to its local policy, not to use the security context or the permanent user identifier.
Examples of local policy in this case include:
the target AMF does not trust the initial AMF; or
the initial AMF must not learn the AMF key used by the target AMF; or
the target AMF must obtain its AMF key through the authentication procedure; or
the target AMF and the initial AMF are in different security domains; or
the security requirement of the network slice in which the target AMF serves the terminal is that the authentication procedure must be run again; or
the security requirement of that network slice is that a context retrieval request must be sent to the old AMF; or
the target AMF must initiate the authentication procedure after obtaining a security context; or
the target AMF must send a context retrieval request to the old AMF after obtaining a security context.
If the decision is no, the method further includes: the target AMF initiates the authentication procedure. The target AMF sends an authentication request to the AUSF carrying the SUCI. The message may alternatively carry the permanent user identifier instead of the SUCI, which saves the UDM the computational cost of de-concealing the SUCI.
Manner 5 of S220 (the target AMF decides according to its local policy whether to initiate the authentication procedure) further includes:
If the decision is yes: manner 5 can be restated as the target AMF determining, according to its local policy, to initiate the authentication procedure.
In this way the target AMF does not have to initiate an authentication procedure after every first request it receives; it initiates one only when its local policy says it must. This reduces the signaling overhead of unnecessary authentication procedures while still securing the communication connection.
In the method of Figure 2, S210 further includes:
The target AMF receives indication information #1. Indication information #1 may indicate that the first request was forwarded by the initial AMF; or that the terminal's security context and permanent user identifier received from the initial AMF were obtained by the initial AMF through the authentication procedure; or that a redirection has taken place; or that a security context has already been generated for the terminal; or that the target AMF should obtain the security context from the NF; or that the target AMF should skip the authentication procedure; or that the target AMF should skip requesting the context from the old AMF; or that the initial AMF and the terminal exchanged security-protected NAS messages; or that the initial AMF and the terminal established a security context; or that primary authentication between the initial AMF and the UE succeeded.
Optionally, indication information #1 is carried in the same message as the first request; on receiving the message, the target AMF knows that indication information #1 applies to that first request. Optionally, indication information #1 and the first request are carried in different messages, in which case indication information #1 is sent to the target AMF together with the terminal identifier mentioned above.
Optionally, indication information #1 may be represented as follows:
a) Explicit indication: for example a parameter #1, the value of a particular field in a parameter, or an information element structure representing the indication.
b) Implicit indication: for example, the combination of the complete registration request message, the terminal's mobility management context, the terminal's security context, and the terminal's permanent user identifier can be understood as indication information #1; or the information provided by the NSSF that is carried in the message indicates that a NAS reroute due to slicing has occurred. The target AMF receives from the initial AMF the routing information of the NF, or the information the initial AMF obtained from the NSSF; that routing information or NSSF-provided information can be understood as indication information #1.
Optionally, S220 further includes: the target AMF determines, according to indication information #1, to respond to the terminal's security context and the terminal's permanent identifier.
Optionally, S220 further includes: the target AMF determines, according to indication information #1, that the decision is to be made according to the local policy.
Optionally, in manners 4 to 6 of S220, "the target AMF decides according to its local policy" may be replaced by "the target AMF decides according to indication information #1", and "the target AMF determines according to its local policy" may be replaced by "the target AMF determines according to indication information #1".
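The target AMF behaviour described in S210 and S220 above, as a worked model: both ways the context can reach the target AMF (carried in the redirect message, or pulled from the NF by temporary user identifier), manner 1 versus the "no" branch of manner 4, the local policy examples, indication information #1 standing in for the policy, and the choice of SUPI over SUCI when authentication is re-run. This is an added example and not the patent's code or any 3GPP implementation: the message layout, the policy attributes, the NF store and all identifiers are assumptions constructed to make the decision points explicit.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SecurityContext:
    """The optional members of the security context listed in the text."""
    amf_key: bytes
    amf_key_id: int
    ue_security_capability: Tuple[str, ...]
    ciphering_alg: str
    integrity_alg: str
    nas_count: int


@dataclass(frozen=True)
class FirstRequest:
    temp_id: str                  # temporary user identifier carried in the request (SUCI or GUTI)
    kind: str = "registration"    # or "handover"


@dataclass(frozen=True)
class RedirectMessage:
    """Assumed layout of what the target AMF receives. First implementation: context and SUPI ride
    along with the request. Second implementation: they are absent here and sit in the NF."""
    request: FirstRequest
    initial_amf: str
    security_context: Optional[SecurityContext] = None
    supi: Optional[str] = None
    indication_1: bool = False    # explicit form of indication information #1


class NFStore:
    """Assumed core network element (the text names UDM or NSSF) keeping context and SUPI by temp id."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[SecurityContext, str]] = {}

    def put(self, temp_id: str, ctx: SecurityContext, supi: str) -> None:
        self._rows[temp_id] = (ctx, supi)

    def get(self, temp_id: str) -> Optional[Tuple[SecurityContext, str]]:
        return self._rows.get(temp_id)


@dataclass(frozen=True)
class LocalPolicy:
    """Assumed encoding of the local policy examples given in the text."""
    trusted_initial_amfs: frozenset = frozenset()   # trusted, or in the same security domain
    slice_requires_reauth: bool = False             # slice requires the authentication to be run again
    slice_requires_old_amf_context: bool = False    # slice requires the context request to the old AMF
    indication_1_replaces_policy: bool = True       # manners 4 to 6 decided by indication #1 instead


@dataclass(frozen=True)
class Decision:
    use_received_context: bool
    initiate_authentication: bool
    request_context_from_old_amf: bool
    auth_identity: Optional[str]   # SUPI when known (spares the UDM a SUCI de-concealment), else the temp id


class TargetAMF:
    def __init__(self, policy: LocalPolicy, nf: NFStore) -> None:
        self.policy = policy
        self.nf = nf
        self.ue_contexts: Dict[str, SecurityContext] = {}   # keyed by SUPI; the temp id is dropped once known

    def _obtain(self, msg: RedirectMessage):
        if msg.security_context is not None and msg.supi is not None:
            return msg.security_context, msg.supi             # first implementation: one message
        row = self.nf.get(msg.request.temp_id)                # second implementation: pull from NF by temp id
        return row if row is not None else (None, None)

    def _trusted(self, msg: RedirectMessage) -> bool:
        if self.policy.indication_1_replaces_policy and msg.indication_1:
            return True
        return (msg.initial_amf in self.policy.trusted_initial_amfs
                and not self.policy.slice_requires_reauth)

    def handle(self, msg: RedirectMessage) -> Decision:
        ctx, supi = self._obtain(msg)
        if ctx is None:
            # Nothing usable reached us: only a full authentication with the temp id is left.
            return Decision(False, True, False, msg.request.temp_id)
        if self._trusted(msg):
            self.ue_contexts[supi] = ctx                      # manner 1: use the received context and SUPI
            return Decision(True, False, self.policy.slice_requires_old_amf_context, None)
        # Manner 4 decided "no": authenticate again, carrying the SUPI rather than the SUCI.
        return Decision(False, True, self.policy.slice_requires_old_amf_context, supi)


if __name__ == "__main__":
    ctx = SecurityContext(b"\x01" * 32, 1, ("NEA2", "NIA2"), "NEA2", "NIA2", 0)   # constructed
    req = FirstRequest("suci-0-001-01-0-0-0-0123456789")                           # constructed
    amf = TargetAMF(LocalPolicy(trusted_initial_amfs=frozenset({"amf-initial-1"})), NFStore())
    print(amf.handle(RedirectMessage(req, "amf-initial-1", ctx, "imsi-001010123456789")))
    print(TargetAMF(LocalPolicy(), NFStore()).handle(RedirectMessage(req, "amf-initial-1", ctx, "imsi-001010123456789")))
```

The two policy lists in the text (the "yes" list before manner 5 and the "no" list under manner 4) collapse to the same three knobs here: whether the initial AMF is trusted or in the same security domain, whether the slice demands a fresh authentication, and whether the slice demands the context request to the old AMF. A deployment that wants the stricter "the initial AMF must not learn the target AMF's key" behaviour simply leaves the initial AMF out of the trusted set, which forces the authentication path regardless of what arrived.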
Below, based on the network architecture shown in Figure 1, the specific procedure for implementing the method of Figure 2 is described.
Figure 3 is a schematic flowchart of a terminal registering with the core network. It includes the following steps.
S301: The UE sends a registration request (RR) message to the initial AMF; the RR message includes a subscription concealed identifier (SUCI).
For example, if the UE has no non-access stratum (NAS) security context, the RR message includes the SUCI and cleartext IEs. The cleartext IEs do not include the requested network slice selection assistance information (requested NSSAI).
It should be understood that in the embodiments of this application, "the UE sends an RR message to the initial AMF" means that the UE sends the RR message to the (R)AN, which then forwards it to the initial AMF. Since the (R)AN only relays the message transparently in this step, for brevity the embodiments and/or the figures describe this directly as the UE sending the RR message to the initial AMF.
S302: The initial AMF initiates the primary authentication procedure.
The initial AMF initiates primary authentication to perform authentication and key agreement and to obtain the UE's NAS security context and the UE's permanent user identifier (subscription permanent identifier, SUPI).
S303: The initial AMF sends a non-access stratum security mode command (NAS SMC) message to the UE. The NAS SMC message is used to establish the NAS security context between the UE and the initial AMF, and it is integrity protected.
Optionally, the NAS SMC message includes an indication instructing the UE to send the complete initial NAS message.
S304: The UE receives the NAS SMC message and verifies its integrity. If verification succeeds, the UE sends a non-access stratum security mode complete (NAS SMP) message to the initial AMF, which receives it.
If the NAS SMC message carried the indication instructing the UE to send the complete initial NAS message, the UE includes the complete initial NAS message (that is, the RR message) in the NAS SMP message; the complete RR message includes the requested NSSAI.
After the UE and the initial AMF have successfully completed the NAS security mode control procedure (S303 and S304), a NAS security context exists between the UE and the initial AMF.
S305:初始AMF确定进行NAS重定向(或称之为NAS reroute)。S305: The initial AMF determines to perform NAS redirection (or called NAS reroute).
应理解,在本申请中,NAS重定向、AMF重定向、和NAS重转、NAS reroute表示相同的流程。It should be understood that, in this application, NAS redirection, AMF redirection, and NAS re-direction and NAS reroute represent the same process.
可选的,当初始AMF不能服务requested NSSAI中某些或者全部S-NSSAI(s)的情况下,初始AMF调用NSSF提供的服务操作#1,(如称为Nnssf_NSSelection_Get服 务操作)。NSSF返回响应服务操作#1的响应(如称为Nnssf_NSSelection_Get Response),并在该响应中携带可服务requested NSSAI的AMF集(AMF set)或者AMF的地址列表。Optionally, when the initial AMF cannot serve some or all of the S-NSSAI(s) in the requested NSSAI, the initial AMF calls the service operation #1 provided by the NSSF (for example, called the Nnssf_NSSelection_Get service operation). The NSSF returns a response in response to service operation #1 (for example, called Nnssf_NSSelection_Get Response), and the response carries the AMF set (AMF set) or AMF address list that can serve the requested NSSAI.
初始AMF没有目标AMF的地址的情况下,初始AMF调用NRF的服务操作#2(如称为Nnrf_NFDiscovery_Request服务操作),该Nnrf_NFDiscovery_Request服务操作用于获取目标AMF的地址。该NRF发送该服务操作#2的响应,其中包括目标AMF的地址。If the initial AMF does not have the address of the target AMF, the initial AMF calls the service operation #2 of the NRF (for example, the service operation called Nnrf_NFDiscovery_Request), and the Nnrf_NFDiscovery_Request service operation is used to obtain the address of the target AMF. The NRF sends the response of the service operation #2, which includes the address of the target AMF.
本申请实施例中,调用某个网络功能提供的某个服务操作,也可以理解为请求该网络功能提供的该某个服务操作。接收到该某个服务操作的调用,也可以理解为接收到该某个服务操作的请求。In this embodiment of the present application, calling a certain service operation provided by a certain network function can also be understood as requesting the certain service operation provided by the network function. Receiving the invocation of the certain service operation can also be understood as receiving the request of the certain service operation.
Based on the registration procedure shown in FIG. 3, several methods for establishing a NAS security connection between the target AMF and the UE are introduced below.
FIG. 4 shows a method for establishing a NAS security connection between the target AMF and the terminal. It specifically includes:
S401: The initial AMF invokes service operation #3 provided by the target AMF (for example, called the Namf_Communication_N1MessageNotify service operation); service operation #3 carries the above RR message, the above NAS security context, and the above SUPI.
S402: The target AMF responds to the RR message.
For details, refer to S220; they are not repeated here.
FIG. 5 shows another method for establishing a NAS security connection between the target AMF and the terminal. It specifically includes:
S501: The initial AMF sends a reroute NAS message to the (R)AN.
The reroute NAS message includes the above RR message.
Optionally, the reroute NAS message further includes indication information #1.
For indication information #1, refer to indication information #1 in the method shown in FIG. 2. Optionally, the reroute NAS message includes the AMF set or the AMF address list that the initial AMF obtained from the NSSF in S305; that AMF set or AMF address list may be understood as indication information #1.
S502: The initial AMF sends the SUCI, the NAS security context, and the SUPI to the NF.
It can be understood that the SUCI, the NAS security context, and the SUPI are associated with one another.
Optionally, the SUCI, the NAS security context, and the SUPI are carried in the same message.
Optionally, the NAS security context and the SUPI are carried in different messages. In that case the NAS security context and the SUPI each need to be carried in the same message as the SUCI.
The NF determines that the above terminal identifier, NAS security context, and SUPI are associated with one another.
Taking the NF being the UDM as an example, a service on the UDM may be defined, for example named UDM UE context update service, whose inputs include the SUCI, the NAS security context, the SUPI, and target AMF routing information, and which has no output.
Optionally, the target AMF routing information is used to address the target AMF. The target AMF routing information may be obtained from the initial AMF.
The order of S501 and S502 is not limited.
S503: The (R)AN sends the above RR message and indication information #1 to the target AMF.
Indication information #1 may have been received from the initial AMF in S501, or may be generated by the (R)AN.
S504: The NF sends the SUCI, the NAS security context, and the SUPI to the target AMF. The order of S503 and S504 is not limited.
S505: The target AMF responds to the RR message.
Taking the NF being the UDM as an example, a service on the UDM may be defined, for example named UDM_AMF UE context update service, whose inputs include the SUCI, the NAS security context, the SUPI, and target AMF routing information, and which has no output. It can be understood that this service is between the UDM and the AMF, whereas the service given as an example in S502 is between the UDM and the UE.
For details, refer to S220; they are not repeated here.
FIG. 6 shows yet another method for establishing a NAS security connection between the target AMF and the terminal. It specifically includes:
S601: The initial AMF sends a reroute NAS message to the (R)AN.
For details, refer to S501; they are not repeated here.
S602: The initial AMF sends the SUCI, the NAS security context, and the SUPI to the NF.
For details, refer to S502; they are not repeated here.
The order of S601 and S602 is not limited.
S603: The (R)AN sends the above RR message and indication information #1 to the target AMF.
For details, refer to S503; they are not repeated here.
S604: In response to the above RR message, the target AMF sends request #1 to the NF.
Request #1 is used to request the above NAS security context and the subscription permanent identifier from the NF.
Request #1 includes the SUCI.
Optionally, the target AMF extracts the SUCI from the above registration request message.
S605: The NF sends the NAS security context and the SUPI to the target AMF.
The NF may look up the NAS security context and the SUPI corresponding to the SUCI according to the SUCI in the received request #1.
Optionally, the NF sends the SUCI, the NAS security context, and the SUPI to the target AMF.
It can be understood that, when the information sent by the NF to the target AMF does not include the SUCI, the NF may carry the NAS security context and the SUPI in the response message to request #1, so that the target AMF knows that this NAS security context and SUPI correspond to the above SUCI.
S606: The target AMF responds to the RR message.
For details, refer to S220; they are not repeated here.
Optionally, in the registration procedure shown in FIG. 3, when the UE has already registered with the network and has established a NAS security context with the old AMF, the RR message in S310 may include the 5G-GUTI, cleartext IEs, and a NAS container. The NAS container may include the requested NSSAI. The UE integrity-protects the RR message based on the existing NAS security context.
When the initial AMF receives an RR message that includes a 5G-GUTI, the following steps are further included between S301 and S302:
S301a: The initial AMF invokes the first service operation provided by the old AMF (for example, called the Namf_Communication_UEContextTransfer service operation); the Namf_Communication_UEContextTransfer service operation may be used to request the context of the UE. The Namf_Communication_UEContextTransfer request includes the RR message received by the initial AMF.
S301b: The old AMF responds to the service operation by verifying the integrity of the RR message included in the received service operation request. If integrity verification of the RR message succeeds, the old AMF sends a Namf_Communication_UEContextTransfer Response (for example, called the response to the first service operation) to the initial AMF; the response carries the UE context, which includes the security context of the UE.
Optionally, the security context of the UE includes any one or more of the following:
the AMF key (KAMF) and the 5G key set identifier (ngKSI);
the downlink NAS count and the uplink NAS count;
the security algorithms, comprising an integrity protection algorithm and a ciphering algorithm, namely those selected by the old AMF for use with the UE;
the UE security capabilities, that is, the set of identifiers of the ciphering algorithms and integrity protection algorithms implemented on the UE;
a horizontal KAMF derivation indication (KeyAMFHDerivationInd), which may be transmitted as information outside the security context; the KeyAMFHDerivationInd indication indicates that the KAMF was generated by horizontal KAMF derivation.
Optionally, the initial AMF may determine according to a local policy whether to perform horizontal KAMF derivation. If the initial AMF performs horizontal KAMF derivation according to the local policy, the new KAMF differs from the KAMF received from the old AMF. Similarly, the initial AMF may update other parameters of the above security context according to the local policy.
Based on S301a and S301b, in the methods shown in FIG. 4 to FIG. 6 the SUCI may be replaced with the 5G-GUTI. Moreover, it can be understood that if the initial AMF updates the security context of the UE in S301b, then in the methods shown in FIG. 4 to FIG. 6 the security context obtained from the initial AMF refers to the security context as updated by the initial AMF.
It can be understood that, regardless of whether the initial AMF or the NF sends a horizontal KAMF derivation indication, or other indication information indicating that the security context has changed, to the target AMF, the target AMF may respond to the received first request according to what is described in S220 above. For example, whether or not the target AMF receives the horizontal KAMF derivation indication, the target AMF uses the security context received from the initial AMF, rather than requesting and obtaining the security context from the old AMF.
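The following is an added model of the flows of FIG. 4 to FIG. 6 (push of the SUCI/NAS security context/SUPI triple to the target AMF, or pull by the target AMF via request #1, with the temporary identifier as the index, and the 5G-GUTI substitution of S301a/S301b); it is illustrative code written for this page, not code from the patent or any 3GPP implementation. The class and method names, the `None` result for an unknown temporary identifier, and all identifiers and key values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class NasSecurityContext:
    """UE security context with the fields the text lists for S301b (constructed values)."""
    k_amf: bytes
    ng_ksi: int
    dl_nas_count: int
    ul_nas_count: int
    integrity_alg: str
    ciphering_alg: str
    ue_security_capabilities: Tuple[str, ...]


@dataclass(frozen=True)
class RegistrationRequest:
    """The RR carried in the reroute NAS message; temp_id is a SUCI or a 5G-GUTI."""
    temp_id: str
    requested_nssai: Tuple[str, ...] = ()


class NetworkFunction:
    """Model of the NF (the UDM in the text) that stores the associated triple."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[NasSecurityContext, str]] = {}

    def ue_context_update(self, temp_id: str, ctx: NasSecurityContext,
                          supi: str, target_amf_route: str) -> None:
        """S502/S602: the initial AMF stores (temp id, NAS context, SUPI); no output.
        Routing information is accepted here but only the association is kept."""
        self._store[temp_id] = (ctx, supi)

    def push_to_target(self, temp_id: str, target: "TargetAmf") -> None:
        """S504 (FIG. 5): the NF forwards the stored triple to the target AMF."""
        ctx, supi = self._store[temp_id]
        target.receive_first_information(temp_id, ctx, supi)

    def handle_request_1(self, temp_id: str, echo_temp_id: bool) -> Optional[dict]:
        """S604/S605 (FIG. 6): request #1 carries the SUCI; the response carries
        the NAS context and SUPI and, only optionally, the SUCI itself."""
        entry = self._store.get(temp_id)
        if entry is None:
            return None  # no association stored for this temporary identifier
        ctx, supi = entry
        reply = {"nas_security_context": ctx, "supi": supi}
        if echo_temp_id:
            reply["temp_id"] = temp_id
        return reply


class TargetAmf:
    """Target AMF: indexes the received first information by temp id (claim 2)."""

    def __init__(self) -> None:
        self._first_info: Dict[str, Tuple[NasSecurityContext, str]] = {}

    def receive_first_information(self, temp_id: str, ctx: NasSecurityContext,
                                  supi: str) -> None:
        """S401 (pushed by the initial AMF) or S504 (pushed by the NF)."""
        self._first_info[temp_id] = (ctx, supi)

    def respond_to_rr(self, rr: RegistrationRequest,
                      nf: Optional[NetworkFunction] = None,
                      nf_echoes_temp_id: bool = True) -> Optional[dict]:
        """S402/S505/S606: resolve SUPI and NAS context for the RR's temp id.
        Returns None when no association is available (assumed behaviour)."""
        temp_id = rr.temp_id  # S604 option: take the SUCI/5G-GUTI from the RR
        if temp_id not in self._first_info and nf is not None:
            # FIG. 6 pull: send request #1 and remember which temp id it was
            # for, so a response that omits the SUCI is still associated with it.
            reply = nf.handle_request_1(temp_id, nf_echoes_temp_id)
            if reply is None:
                return None
            key = reply.get("temp_id", temp_id)
            self._first_info[key] = (reply["nas_security_context"], reply["supi"])
        entry = self._first_info.get(temp_id)
        if entry is None:
            return None
        ctx, supi = entry
        # As the text states, the context received from the initial AMF or NF is
        # used as-is, without any request towards the old AMF, whether or not a
        # horizontal KAMF derivation indication accompanied it.
        return {"supi": supi, "nas_security_context": ctx}


# Constructed sample values; not real subscriber data or key material.
SAMPLE_CTX = NasSecurityContext(
    k_amf=bytes(32), ng_ksi=3, dl_nas_count=1, ul_nas_count=1,
    integrity_alg="NIA2", ciphering_alg="NEA2",
    ue_security_capabilities=("NEA0", "NEA2", "NIA2"),
)


def demo_fig6(echo_temp_id: bool = False) -> Optional[dict]:
    """Run the FIG. 6 flow end to end on the constructed sample."""
    nf = NetworkFunction()
    nf.ue_context_update("suci-constructed-1", SAMPLE_CTX,
                         "supi-constructed-1", "target-amf-route-1")
    target = TargetAmf()
    rr = RegistrationRequest("suci-constructed-1", ("s-nssai-constructed-1",))
    return target.respond_to_rr(rr, nf=nf, nf_echoes_temp_id=echo_temp_id)
```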
It can be understood that, in order to implement the above functions, each network element or network function, such as the initial AMF, the target AMF, and the old AMF, includes the corresponding hardware structures and/or software modules for executing each function. Those skilled in the art should be aware that the units and method steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of this application.
In the embodiments of this application, each network element or network function may be divided into functional modules according to the above method examples. For example, one functional module may be defined for each function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module.
FIG. 7 shows a communication apparatus 70 provided by an embodiment of this application. As examples, the communication apparatus 70 may be a mobility management network function, an access network device, or an NF. That is, the communication apparatus may be any of the related apparatuses involved in implementing the security protection methods shown in FIG. 2 to FIG. 6. Optionally, the apparatus may also be a chip system. In the embodiments of this application, a chip system may consist of chips, or may include chips and other discrete devices. The apparatus 70 includes at least one processor 720, configured to implement the functions of the relevant network element or network function in the methods provided by the embodiments of this application. As an example, the apparatus 70 may further include a transceiver 710. In the embodiments of this application, the transceiver may be used to communicate with other devices through a transmission medium.
Optionally, the apparatus 70 may further include at least one memory 730 for storing program instructions and/or data. The memory 730 is coupled to the processor 720. Coupling in the embodiments of this application is an indirect coupling or communication connection between apparatuses, units or modules, which may be electrical, mechanical or of another form, and is used for information exchange between the apparatuses, units or modules. The processor 720 may operate in cooperation with the memory 730 and may execute the program instructions stored in the memory 730. At least one of the at least one memory may be included in the processor.
It can be understood that some network elements or network function entities may not include a memory, so the embodiments of this application do not limit whether the apparatus used for registration includes a memory.
The specific connection medium between the transceiver 710, the processor 720 and the memory 730 is not limited in the embodiments of this application. In FIG. 7, the memory 730, the processor 720 and the transceiver 710 are connected by a bus 740, which is drawn as a thick line; the connections between other components are only schematic and are not limiting. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is used in FIG. 7, but this does not mean that there is only one bus or one type of bus.
Optionally, when the communication apparatus 70 is an access network device, the processor may include a baseband processor and a central processing unit (CPU). The baseband processor is mainly used to process communication protocols and communication data, and the CPU is mainly used to control the entire apparatus, execute software programs, and process the data of software programs.
Optionally, when the communication apparatus 70 is a mobility management network function or an NF, the processor may also be a network processor (NP) or a combination of a CPU and an NP.
The processor may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof. The memory may include volatile memory, non-volatile memory, or both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
An embodiment of this application further provides a computer storage medium that may store a program which, when executed, performs some or all of the steps of any of the registration methods described in the above method embodiments.
FIG. 8 shows a communication apparatus 80 provided by an embodiment of this application. As examples, the communication apparatus 80 may be a mobility management network function, an access network device, or an NF. That is, the communication apparatus may be any of the related apparatuses involved in implementing the security protection methods shown in FIG. 2 to FIG. 6. Optionally, the apparatus may also be a chip system. In the embodiments of this application, a chip system may consist of chips, or may include chips and other discrete devices. In the above method embodiments the communication apparatus 80 is divided into functional units; for example, one functional unit may be defined for each function, or two or more units may be integrated into one processing module. The integrated unit may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of units in the embodiments of this application is schematic and is only a logical function division; other divisions are possible in actual implementation.
The communication apparatus 80 may include a processing unit 801 and a transceiver unit 802.
Optionally, the processing unit 801 is specifically configured to perform the function of responding to the first request in S220, S402, S505 and S606.
Optionally, the transceiver unit 802 is specifically configured to perform the functions of sending and receiving information involved in FIG. 2 to FIG. 6.
Specifically, the functions and implementation of the transceiver unit 802 and the processing unit 801 in FIG. 8 may be realized by the processor 710 of the communication device 70 shown in FIG. 7 invoking the computer-executable instructions stored in the memory 730. Alternatively, the functions and implementation of the processing unit 801 in FIG. 8 may be realized by the processor 710 of the communication device 70 shown in FIG. 7 invoking the computer-executable instructions stored in the memory 730, and the functions and implementation of the transceiver unit 802 in FIG. 8 may be realized by the transceiver 710 of the communication device 70 shown in FIG. 7.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative; the division of units is only a logical function division, and other divisions are possible in actual implementation. For instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, may each exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as a stand-alone product, it may be stored in a computer-readable memory. Based on this understanding, the technical solution of this application in essence, the part of it that contributes to the prior art, or all or part of the technical solution may be embodied in the form of a software product. The computer software product is stored in a memory and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the embodiments of this application. The aforementioned memory includes media that can store program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
Those of ordinary skill in the art can understand that all or part of the steps of the methods in the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable memory, which may include a flash drive, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc, and so on.
The terms "first", "second", "third" and "fourth" in the description, claims and drawings of this application are used to distinguish different objects, not to describe a specific order. Furthermore, the terms "comprising" and "having", and any variations of them, are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device comprising a series of steps or units is not limited to the listed steps or units, but optionally also includes unlisted steps or units, or optionally also includes other steps or units inherent to such a process, method, product or device.
Reference herein to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of this application. The appearances of this phrase in various places in the specification do not necessarily all refer to the same embodiment, nor to a separate or alternative embodiment that is mutually exclusive of other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.
"Plural" means two or more. "And/or" describes an association between objects and means that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist at the same time, or that B exists alone. The character "/" generally indicates an "or" relationship between the associated objects.

Claims (45)

  1. A security protection method, characterized in that:
    a target access management function (AMF) receives a registration request from an initial AMF, where the registration request includes a first user temporary identity;
    the target AMF receives, through a first network element, first information from the initial AMF, where the first information includes a user temporary identity, a user permanent identity corresponding to the user temporary identity, and a security context corresponding to the user temporary identity; and
    the target AMF determines, according to the first information, a first user permanent identity corresponding to the first user temporary identity and a first security context corresponding to the first user temporary identity.
  2. The method according to claim 1, wherein the target AMF determining, according to the first information, the first user permanent identity corresponding to the first user temporary identity and the first security context corresponding to the first user temporary identity comprises:
    the target AMF using the first user temporary identity to index the first permanent identity and the first security context in the first information.
  3. The method according to claim 2, further comprising:
    the target AMF obtaining the first user temporary identity from the registration request.
  4. The method according to any one of claims 1-3, further comprising: the target AMF receiving first indication information, where the first indication information is used to indicate that the registration request has been forwarded by the initial AMF.
  5. The method according to claim 4, wherein the target AMF determining, according to the first information, the first user permanent identity corresponding to the first user temporary identity and the first security context corresponding to the first user temporary identity comprises:
    in response to the first indication information, the target AMF determining the first user permanent identity and the first security context according to the first information.
  6. The method according to claim 4 or 5, wherein the first indication information is generated by the initial AMF and sent to the target AMF through an access network device; or, the first indication information is generated by the access network device and sent to the target AMF.
  7. The method according to any one of claims 1-6, wherein the target access management function (AMF) receiving the registration request comprises:
    the target AMF receiving the registration request message from the initial AMF through an access network device.
  8. The method according to any one of claims 1-7, further comprising:
    in response to the registration request, the target AMF sending a request message to the first network element, where the request message includes the first user temporary identity and is used to request the first security context and the first user permanent identity.
  9. The method according to any one of claims 1-8, further comprising:
    the target AMF determining, according to a local policy, not to initiate an authentication procedure for the terminal.
  10. The method according to any one of claims 1-9, further comprising:
    the target AMF determining, according to a local policy, not to send a context acquisition request to the original AMF.
  11. The method according to claim 9 or 10, wherein the local policy comprises:
    the target AMF trusts the initial AMF; or,
    the target AMF and the initial AMF are located in the same security domain; or,
    the security requirement of a first network slice is that the authentication procedure is not initiated repeatedly, where the target AMF serves the terminal in the first network slice; or,
    the security requirement of the first network slice is that no context acquisition request is sent to the original AMF; or,
    the target AMF does not initiate an authentication procedure after acquiring the security context; or,
    the target AMF does not send a context acquisition request to the original AMF after acquiring the security context.
  12. The method according to any one of claims 1-11, further comprising, after the target AMF determines the first user permanent identity:
    the target AMF deleting the first user temporary identity.
  13. The method according to any one of claims 1-12, wherein the user temporary identity comprises a subscription concealed identifier (SUCI) or a globally unique temporary identifier (GUTI).
  14. The method according to any one of claims 1-13, wherein the first network element is a unified data management (UDM) or a network slice selection function (NSSF).
  15. A security protection method, characterized in that:
    a target access management function (AMF) receives a registration request, where the registration request includes a user temporary identity;
    in response to the registration request, the target AMF sends an acquisition request to a first network element, where the acquisition request includes the user temporary identity and is used to request the user permanent identity corresponding to the user temporary identity and the security context corresponding to the user temporary identity;
    the target AMF receives, through the first network element, the user permanent identity and the security context from an initial AMF; and
    the target AMF determines, according to the first information, the user permanent identity corresponding to the user temporary identity and the security context corresponding to the user temporary identity.
  16. The method according to claim 15, wherein the target access management function (AMF) receiving the registration request comprises:
    the target AMF receiving the registration request from the initial AMF through an access network device.
  17. The method according to claim 15 or 16, further comprising: the target AMF receiving first indication information, where the first indication information is used to indicate that the registration request has been forwarded by the initial AMF.
  18. The method according to claim 17, wherein the first indication information is generated by the initial AMF and sent to the access network device.
  19. The method according to claim 17 or 18, wherein the target AMF determining, according to the first information, the user permanent identity corresponding to the user temporary identity and the security context corresponding to the user temporary identity comprises:
    in response to the first indication information, the target AMF determining the user permanent identity and the security context according to the first information.
  20. The method according to any one of claims 15-19, further comprising:
    the target AMF obtaining the user temporary identity from the registration request.
  21. The method according to any one of claims 15-20, further comprising:
    the target AMF determining, according to a local policy, not to initiate an authentication procedure for the terminal.
  22. The method according to any one of claims 15-21, further comprising:
    the target AMF determining, according to a local policy, not to send a context acquisition request to the original AMF.
  23. The method according to claim 21 or 22, wherein the local policy comprises:
    the target AMF trusts the initial AMF; or,
    the target AMF and the initial AMF are located in the same security domain; or,
    the security requirement of a first network slice is that the authentication procedure is not initiated repeatedly, where the target AMF serves the terminal in the first network slice; or,
    the security requirement of the first network slice is that no context acquisition request is sent to the original AMF; or,
    the target AMF does not initiate an authentication procedure after acquiring the security context; or,
    the target AMF does not send a context acquisition request to the original AMF after acquiring the security context.
  24. The method according to any one of claims 15-23, further comprising, after the target AMF determines the user permanent identity:
    the target AMF deleting the user temporary identity.
  25. The method according to any one of claims 15-24, wherein the user temporary identity comprises a subscription concealed identifier (SUCI) or a globally unique temporary identifier (GUTI).
  26. The method according to claims 15-25, wherein the first network element is a unified data management (UDM) or a network slice selection function (NSSF).
  27. A security protection method, characterized in that:
    a target access management function (AMF) receives first information from an initial AMF, where the first information includes a registration request, a user permanent identity and a security context, and the registration request includes a user temporary identity; and
    in response to the first information, the target AMF determines, according to a local policy, whether to initiate an authentication procedure.
  28. The method according to claim 27, wherein the target access management function (AMF) receiving the first information comprises:
    the target AMF receiving the first information from the initial AMF through a direct interface.
  29. The method according to claim 27 or 28, wherein the target AMF determining, according to the local policy, whether to initiate the authentication procedure comprises:
    the target AMF determining, according to the local policy, not to initiate an authentication procedure for the terminal.
  30. The method according to any one of claims 27-29, further comprising:
    the target AMF determining, according to the local policy, not to send a context acquisition request to the original AMF.
  31. The method according to claim 29 or 30, wherein the local policy comprises:
    the target AMF trusts the initial AMF; or,
    the target AMF and the initial AMF are located in the same security domain; or,
    the security requirement of a first network slice is that the authentication procedure is not initiated repeatedly, where the target AMF serves the terminal in the first network slice; or,
    the security requirement of the first network slice is that no context acquisition request is sent to the original AMF; or,
    the target AMF does not initiate an authentication procedure after acquiring the security context; or,
    the target AMF does not send a context acquisition request to the original AMF after acquiring the security context.
  32. The method according to any one of claims 27-31, further comprising, after the target AMF determines the user permanent identity:
    the target AMF deleting the user temporary identity.
  33. The method according to any one of claims 27-32, wherein the user temporary identity comprises a subscription concealed identifier (SUCI) or a globally unique temporary identifier (GUTI).
  34. A security protection method, characterized in that:
    an initial access management function (AMF) receives a registration request from a terminal, where the registration request includes a user temporary identity;
    the initial AMF acquires the security context and the user permanent identity of the terminal corresponding to the user temporary identity;
    the initial AMF sends the registration request to a target AMF through an access network device; and
    the initial AMF sends the user temporary identity, the user permanent identity and the security context of the terminal to a first network element.
  35. The method according to claim 34, further comprising: the initial AMF sending first indication information to the access network device, where the first indication information is used to indicate that the registration request has been forwarded by the initial AMF.
  36. The method according to claim 33 or 34, further comprising, after the initial AMF acquires the user permanent identity:
    the initial AMF extracting the user temporary identity from the registration request.
  37. A security protection method, characterized in that:
    a first network element obtains a user temporary identity, a user permanent identity corresponding to the user temporary identity, and a security context corresponding to the user temporary identity; and
    the first network element sends the user temporary identity, the user permanent identity and the security context to a target access management function (AMF).
  38. The method according to claim 1, further comprising:
    the first network element receiving a request message from the target AMF, where the request message includes the user temporary identity;
    and the first network element sending the user temporary identity, the user permanent identity and the security context to the target access management function (AMF) comprises:
    in response to the request message, the first network element sending to the target AMF the user temporary identity, together with the user permanent identity and the security context corresponding to the user temporary identity.
  39. A communication apparatus, comprising a processor and a memory, where the memory is configured to store computer-executable instructions, and the processor is configured to execute the computer-executable instructions stored in the memory so that the apparatus performs the method according to any one of claims 1-14.
  40. A communication apparatus, comprising a processor and a memory, where the memory is configured to store computer-executable instructions, and the processor is configured to execute the computer-executable instructions stored in the memory so that the apparatus performs the method according to any one of claims 15-26.
  41. A communication apparatus, comprising a processor and a memory, where the memory is configured to store computer-executable instructions, and the processor is configured to execute the computer-executable instructions stored in the memory so that the apparatus performs the method according to any one of claims 27-33.
  42. A communication apparatus, comprising a processor and a memory, where the memory is configured to store computer-executable instructions, and the processor is configured to execute the computer-executable instructions stored in the memory so that the apparatus performs the method according to any one of claims 34-36.
  43. A communication apparatus, comprising a processor and a memory, where the memory is configured to store computer-executable instructions, and the processor is configured to execute the computer-executable instructions stored in the memory so that the apparatus performs the method according to claim 37 or 38.
  44. A communication system, characterized by comprising the communication apparatus according to claim 41 or 42, the communication apparatus according to claim 42, and the communication apparatus according to claim 43.
  45. A communication system, characterized by comprising the communication apparatus according to claim 43 and the communication apparatus according to claim 42.
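The flow claimed above, from the target AMF's side (claims 1-14) with the first network element's side (claims 37-38) and the initial AMF's push (claim 34) folded in, as an added runnable model that is not code from the patent or from any network product. Class and message names, the LocalPolicy fields, the placeholder key material and the sample SUCI/SUPI values are all constructed for illustration; the "first network element" is modelled as a UDM-like store keyed by the user temporary identity.

```python
"""Model of the AMF re-allocation flow in claims 1-14, 34 and 37-38.

Added example, not code from the patent or from any network product. Class
and message names, the policy fields and the sample identities are
constructed for illustration; the 'first network element' is modelled as a
UDM-like store keyed by the user temporary identity (SUCI or GUTI).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SecurityContext:
    """Stand-in for a NAS security context; the key field is a constructed placeholder."""
    ksi: int
    kamf_placeholder: str
    ciphering_alg: str
    integrity_alg: str


@dataclass
class RegistrationRequest:
    user_temp_id: str                       # SUCI or GUTI (claim 13)
    forwarded_by_initial_amf: bool = False  # "first indication information" (claim 4)


class FirstNetworkElement:
    """UDM/NSSF-like element (claim 14) holding what the initial AMF pushed (claim 34)."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[str, SecurityContext]] = {}

    def receive_from_initial_amf(self, temp_id: str, perm_id: str, ctx: SecurityContext) -> None:
        # claim 37: obtain temp id, permanent id and the matching security context
        self._store[temp_id] = (perm_id, ctx)

    def handle_request(self, temp_id: str) -> Dict[str, Tuple[str, SecurityContext]]:
        # claim 38: answer the target AMF's request with the entry for that temp id
        return {temp_id: self._store[temp_id]} if temp_id in self._store else {}


@dataclass
class LocalPolicy:
    """Claim 11 alternatives; any true field lets the target AMF skip re-authentication."""
    trust_initial_amf: bool = False
    same_security_domain: bool = False
    slice_forbids_reauth: bool = False

    def skip_authentication(self) -> bool:
        return self.trust_initial_amf or self.same_security_domain or self.slice_forbids_reauth


class TargetAMF:
    def __init__(self, first_ne: FirstNetworkElement, policy: LocalPolicy) -> None:
        self.first_ne = first_ne
        self.policy = policy
        self.contexts: Dict[str, SecurityContext] = {}   # keyed by permanent identity
        self.pending_temp_ids: Set[str] = set()
        self.actions: List[str] = []

    def handle_registration(self, req: RegistrationRequest) -> Optional[str]:
        """Return the permanent identity resolved for req, or None if it was not resolved."""
        self.pending_temp_ids.add(req.user_temp_id)                   # claim 3
        if not req.forwarded_by_initial_amf:
            # no forwarding indication: an ordinary registration, outside this flow
            self.actions.append("ordinary_registration")
            return None
        first_info = self.first_ne.handle_request(req.user_temp_id)  # claim 8
        entry = first_info.get(req.user_temp_id)                      # claim 2: index by temp id
        if entry is None:
            # the element has nothing for this temp id: fall back to asking the old AMF
            self.actions.append("fetch_context_from_old_amf")
            return None
        perm_id, ctx = entry
        self.contexts[perm_id] = ctx
        self.pending_temp_ids.discard(req.user_temp_id)               # claim 12: temp id no longer needed
        if self.policy.skip_authentication():                         # claims 9-11
            self.actions.append("skip_authentication")
        else:
            self.actions.append("initiate_authentication")
        return perm_id


def simulate(policy: LocalPolicy, known: bool = True) -> Tuple[Optional[str], List[str]]:
    """Run one re-allocation with constructed identities; returns (permanent id, actions)."""
    first_ne = FirstNetworkElement()
    ctx = SecurityContext(ksi=3, kamf_placeholder="KAMF-PLACEHOLDER",
                          ciphering_alg="NEA2", integrity_alg="NIA2")
    temp_id = "suci-0-001-01-0000-0-0-1234567890"   # constructed sample SUCI
    if known:
        first_ne.receive_from_initial_amf(temp_id, "imsi-001011234567890", ctx)  # constructed SUPI
    target = TargetAMF(first_ne, policy)
    perm_id = target.handle_registration(RegistrationRequest(temp_id, forwarded_by_initial_amf=True))
    return perm_id, target.actions


if __name__ == "__main__":
    print(simulate(LocalPolicy(trust_initial_amf=True)))
    print(simulate(LocalPolicy()))
    print(simulate(LocalPolicy(trust_initial_amf=True), known=False))
```

The three runs in the `__main__` guard cover the cases the claims distinguish: a trusted initial AMF (context adopted, authentication skipped per claims 9-11), an untrusted one (context adopted, authentication still initiated), and a temporary identity the first network element does not hold (the target AMF has to fall back to fetching the context from the old AMF). The policy object is the part a reviewer should scrutinise: each field is one of the claim 11 alternatives, and any of them alone is enough to bypass re-authentication, so the conditions under which they are set deserve the same care as the authentication procedure they replace.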
PCT/CN2022/071229 2021-01-11 2022-01-11 Security protection method, apparatus and system WO2022148469A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202110033323 2021-01-11
CN202110033323.0 2021-01-11
CN202210021323.3A CN114765827A (en) 2021-01-11 2022-01-10 Safety protection method, device and system
CN202210021323.3 2022-01-10

Publications (1)

Publication Number Publication Date
WO2022148469A1 true WO2022148469A1 (en) 2022-07-14

Family

ID=82357980

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/071229 WO2022148469A1 (en) 2021-01-11 2022-01-11 Security protection method, apparatus and system

Country Status (1)

Country Link
WO (1) WO2022148469A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115996357A (en) * 2023-03-23 2023-04-21 南昌龙旗智能科技有限公司 Virtual position processing method and virtual device
CN115996357B (en) * 2023-03-23 2023-10-31 南昌龙旗智能科技有限公司 Virtual position processing method and virtual device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101420691A (en) * 2008-11-24 2009-04-29 华为技术有限公司 Authentication method, system and apparatus for communication
CN101594608A (en) * 2008-05-30 2009-12-02 华为技术有限公司 Method, mobile management network element and the mobile communication system of safe context are provided
CN110167025A (en) * 2018-02-13 2019-08-23 华为技术有限公司 A kind of communication means and communication device
CN110446233A (en) * 2018-05-04 2019-11-12 华为技术有限公司 Switching method, equipment and system
CN110881184A (en) * 2018-09-05 2020-03-13 华为技术有限公司 Communication method and device
CN111866974A (en) * 2019-04-29 2020-10-30 华为技术有限公司 Method and apparatus for mobile registration

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22736630

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22736630

Country of ref document: EP

Kind code of ref document: A1