WO2023131044A1 - Authentication and security method and device, and storage medium - Google Patents


Info

Publication number: WO2023131044A1
Authority: WO (WIPO, PCT)
Prior art keywords: authentication, key, supi, request message, network element
Application number: PCT/CN2022/143302
Other languages: French (fr), Chinese (zh)
Inventors: 周巍, 徐晖
Original assignee / applicant: 大唐移动通信设备有限公司 (Datang Mobile Communications Equipment Co., Ltd.)

Classifications

    • H04W 12/037: protecting confidentiality of the control plane, e.g. signalling traffic, by encryption (H Electricity; H04 Electric communication technique; H04W Wireless communication networks; H04W 12/00 Security arrangements, authentication, protecting privacy or anonymity; H04W 12/03 Protecting confidentiality, e.g. by encryption)
    • H04W 12/069: authentication using certificates or pre-shared keys (H04W 12/00 Security arrangements, authentication, protecting privacy or anonymity; H04W 12/06 Authentication)

Definitions

  • The present disclosure relates to the technical field of communications, and in particular to an authentication and security method, device and storage medium.
  • The 5th generation mobile communication (5G) system is used not only in ordinary commercial deployments but also as a dedicated system in fields with high security requirements, where dedicated security standards apply to system software and hardware.
  • In the existing solution, each network element handles key management and cryptographic operations itself.
  • The 5G core network is composed of many network elements (servers) that implement various functions, and all software and hardware in the core network must meet the corresponding security standards. Adopting the existing solution therefore greatly increases the complexity of system security, and with it the cost of the system.
  • Embodiments of the present disclosure provide an authentication and security method, device and storage medium to solve the technical problem of high system complexity in the prior art.
  • In a first aspect, an embodiment of the present disclosure provides an authentication and security method, applied to an authentication cryptographic system, including:
  • receiving a first request message sent by a unified data management (UDM) network element, where the first request message includes the subscription concealed identifier (SUCI) of the target terminal (UE) and requests the authentication cryptographic system to decrypt the SUCI;
  • receiving a second request message sent by the UDM network element, where the second request message includes the SUPI and the serving network name, and is sent after the UDM network element has checked the subscription information of the target UE using the SUPI;
  • a first authentication instance created in the authentication server function (AUSF) functional area for this UE authentication process, the first authentication instance including the authentication vector;
  • when the target UE passes the authentication, receiving a fourth request message sent by the AUSF network element, where the fourth request message includes the SUPI or the AuthID;
  • a second authentication instance created in the security anchor function (SEAF) functional area for this UE authentication process, the second authentication instance including the key Kseaf;
  • when the target UE passes the authentication, receiving a fifth request message sent by the SEAF network element, where the fifth request message includes the SUPI and the anti-bidding-down between architectures (ABBA) parameter;
  • a third authentication instance created in the access and mobility management function (AMF) functional area for this UE authentication process, the third authentication instance containing the key Kamf.
  • The second request message may further include an AuthID, a unique identifier generated by the UDM network element for this UE authentication process.
  • The first NAS security context includes the key KNASenc and the key KNASint.
  • The sixth request message may further include a 5G key set identifier (ngKSI), which identifies the first NAS security context.
  • The SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, which includes the SUPI, the ngKSI, the key KNASenc and the key KNASint.
  • When no ngKSI is carried, the SUPI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish the second NAS security context, which includes the SUPI, the key KNASenc and the key KNASint.
  • In a second aspect, an embodiment of the present disclosure provides a network device, including a memory, a transceiver and a processor;
  • the memory is used to store computer programs; the transceiver is used to send and receive data under the control of the processor; and the processor is used to read the computer programs in the memory and perform the operations of the authentication and security method of the first aspect, with the same request messages, the same authentication instances created in the AUSF, SEAF and AMF functional areas, the same keys Kseaf and Kamf, the same optional AuthID and ngKSI, and the same first and second NAS security contexts as described above.
  • In a third aspect, an embodiment of the present disclosure provides a communication device system, including an authentication cryptographic system and a communication cryptographic system;
  • the authentication cryptographic system sends the SUPI, the key KNASenc and the key KNASint to the communication cryptographic system;
  • the communication cryptographic system performs the NAS security process according to the SUPI, the key KNASenc and the key KNASint.
  • In a fourth aspect, an embodiment of the present disclosure provides an authentication and security device, including:
  • a first receiving module configured to receive a first request message sent by a unified data management (UDM) network element, where the first request message includes the subscription concealed identifier (SUCI) of the target terminal (UE) and requests the authentication cryptographic system to decrypt the SUCI;
  • a decryption module configured to decrypt the SUCI to obtain the subscription permanent identifier (SUPI);
  • a first sending module configured to send the SUPI to the UDM network element;
  • a second receiving module configured to receive a second request message sent by the UDM network element, where the second request message includes the SUPI and the serving network name, and is sent after the UDM network element has checked the subscription information of the target UE using the SUPI;
  • a first determining module configured to determine the authentication root key of the target UE according to the SUPI, generate an authentication vector from the authentication root key and the serving network name, and use a unique identifier AuthID to identify the authentication vector, this UE authentication process and a first authentication instance, where the first authentication instance is created in the authentication server function (AUSF) functional area for this UE authentication process and includes the authentication vector;
  • a second sending module configured to send the part of the authentication vector that needs to be provided to the target UE to the UDM network element;
  • a third receiving module configured to receive a third request message sent by an AUSF network element, where the third request message includes an authentication response RES* and the AuthID;
  • an authentication module configured to authenticate the target UE according to the RES* and the AuthID included in the third request message.
  • The device further includes a third sending module, a fourth receiving module, a second determining module and a fourth sending module:
  • the third sending module is used to send the authentication result to the AUSF network element;
  • the fourth receiving module is configured to receive a fourth request message sent by the AUSF network element, where the fourth request message includes the SUPI or the AuthID;
  • the second determining module is configured to locate the first authentication instance using the SUPI or the AuthID, calculate the key Kseaf from the key Kausf in the authentication vector and the serving network name, and use the SUPI to identify a second authentication instance, which is created in the security anchor function (SEAF) functional area for this UE authentication process and contains the key Kseaf;
  • the fourth sending module is configured to send the result of whether the key Kseaf was successfully generated to the AUSF network element.
  • The device further includes a fifth receiving module and a first searching module:
  • the fifth receiving module is configured to receive a fifth request message sent by a SEAF network element, where the fifth request message includes the SUPI and the anti-bidding-down between architectures (ABBA) parameter;
  • the first searching module is configured to use the SUPI to find the second authentication instance, and to calculate a key Kamf from the key Kseaf, the SUPI and the ABBA.
  • The device further includes an identification module configured to use the SUPI to identify a third authentication instance, which is created in the access and mobility management function (AMF) functional area for this UE authentication process and includes the key Kamf.
  • The device further includes a fifth sending module used to send the result of whether the key Kamf was successfully generated to the SEAF network element.
  • The device further includes a generating module used to generate an AuthID for this UE authentication process.
  • The second request message may further include an AuthID, a unique identifier generated by the UDM network element for this UE authentication process.
  • The device further includes a sixth receiving module, a second searching module and a sixth sending module:
  • the sixth receiving module is configured to receive a sixth request message sent by an AMF network element, where the sixth request message includes the SUPI and requests the establishment of a security context;
  • the second searching module is configured to use the SUPI to find the third authentication instance in the AMF functional area and to use the key Kamf to establish a first non-access stratum (NAS) security context, which contains the key KNASenc and the key KNASint;
  • the sixth sending module is configured to send the SUPI, the key KNASenc and the key KNASint to a communication cryptographic system.
  • The sixth request message may further include a 5G key set identifier (ngKSI), which identifies the first NAS security context.
  • The SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, which includes the SUPI, the ngKSI, the key KNASenc and the key KNASint.
  • When no ngKSI is carried, the SUPI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish the second NAS security context, which includes the SUPI, the key KNASenc and the key KNASint.
  • The device further includes a seventh receiving module configured to receive the result of establishing the second NAS security context sent by the communication cryptographic system, and a seventh sending module configured to send that result to the AMF network element.
  • In further aspects, embodiments of the present disclosure provide a processor-readable storage medium, a computer-readable storage medium, a communication device-readable storage medium and a chip product-readable storage medium, each storing a computer program that causes the processor, computer, communication device or chip product, respectively, to perform the steps of the authentication and security method of the first aspect.
  • The authentication and security method, device and storage medium provided by the embodiments of the present disclosure separate the security functions from the core network system and concentrate the security capabilities of the 5G core network in a limited computing system; network elements that require security services invoke them through the interface of the security system, which greatly reduces the number of software and hardware systems that must pass security-level certification.
  • Fig. 1 is a schematic diagram of a core network high security system architecture provided by an embodiment of the present disclosure;
  • Fig. 2 is a schematic flowchart of an authentication and security method provided by an embodiment of the present disclosure;
  • Fig. 3 is a schematic diagram of the signaling interaction of a UE authentication process provided by an embodiment of the present disclosure;
  • Fig. 4 is a schematic diagram of the signaling interaction of a NAS security process provided by an embodiment of the present disclosure;
  • Fig. 5 is a schematic structural diagram of a network device provided by an embodiment of the present disclosure;
  • Fig. 6 is a schematic structural diagram of an authentication and security device provided by an embodiment of the present disclosure.
  • Fig. 1 is a schematic diagram of the core network high security system architecture provided by the embodiment of the present disclosure.
  • The embodiment of the present disclosure provides a communication equipment system (a high-security cryptographic system) that includes an authentication cryptographic system and a communication cryptographic system.
  • The authentication cryptographic system sends the SUPI, the key KNASenc and the key KNASint to the communication cryptographic system.
  • The communication cryptographic system performs the NAS security process according to the SUPI, the key KNASenc and the key KNASint.
  • The authentication cryptographic system is a network element of the high-security cryptographic system that performs the cryptographic operations of user authentication.
  • These operations specifically include: storing the authentication keys of subscribers, performing the related cryptographic computations, storing the keys and related data generated during the authentication process, and providing the keys and related parameters generated during authentication to other cryptographic computing devices.
  • Other cryptographic computing devices include the communication cryptographic system.
  • The communication cryptographic system is also a network element of the high-security cryptographic system and is used to secure data transmission, for example by storing the keys used for data communication security and performing the related cryptographic operations that provide confidentiality and integrity protection of data communication.
  • The authentication cryptographic system and the communication cryptographic system are newly added network elements of high security level. They separate the cryptographic capabilities from the 5G core network elements, so that the entire core network does not have to become a high-level security network, which reduces the complexity and cost of the whole system.
  • The authentication cryptographic system consists of the following functional areas:
  • UDM functional area: unified data management (UDM) network elements in the 5G core network can access the functions and data in the UDM functional area of the authentication cryptographic system through the system's interface, but cannot access the functions and data in the other functional areas.
  • The UDM functional area can write the security information required by the authentication server function (AUSF) network element in the terminal/user equipment (UE) authentication process into the AUSF functional area.
  • AUSF functional area: AUSF network elements in the 5G core network can access the functions and data in the AUSF functional area of the authentication cryptographic system through the system's interface, but cannot access the functions and data in the other functional areas.
  • The AUSF functional area can write the security information required by the security anchor function (SEAF) network element in the UE authentication process into the SEAF functional area.
  • SEAF functional area: SEAF network elements in the 5G core network can access the functions and data in the SEAF functional area of the authentication cryptographic system through the system's interface, but cannot access the functions and data in the other functional areas.
  • The SEAF functional area can write the security information required by the access and mobility management function (AMF) network element in the UE authentication process into the AMF functional area.
  • AMF functional area: AMF network elements in the 5G core network can access the functions and data in the AMF functional area of the authentication cryptographic system through the system's interface, but cannot access the functions and data in the other functional areas.
  • The AMF functional area can provide the security information needed to secure UE data communication to the communication cryptographic system.
  • Fig. 2 is a schematic flow diagram of the authentication and security method provided by the embodiment of the present disclosure.
  • The embodiment of the disclosure provides an authentication and security method whose executing entity may be the authentication cryptographic system; the method includes:
  • Step 201: receive a first request message sent by the UDM network element, where the first request message includes the subscription concealed identifier (SUCI) of the target UE and requests the authentication cryptographic system to decrypt the SUCI;
  • Step 202: decrypt the SUCI to obtain the subscription permanent identifier (SUPI);
  • Step 203: send the SUPI to the UDM network element;
  • Step 204: receive a second request message sent by the UDM network element, where the second request message includes the SUPI and the serving network name (SN name), and is sent after the UDM network element has checked the subscription information of the target UE using the SUPI;
  • Step 205: determine the authentication root key of the target UE according to the SUPI, generate an authentication vector from the authentication root key and the serving network name, and use the unique identifier AuthID to identify the authentication vector, the current UE authentication process and a first authentication instance, where the first authentication instance is created in the AUSF functional area for this UE authentication process and includes the authentication vector;
  • Step 206: send the part of the authentication vector that needs to be provided to the target UE to the UDM network element;
  • Step 207: receive a third request message sent by the AUSF network element, where the third request message includes an authentication response (RES*) and the AuthID;
  • Step 208: authenticate the target UE according to the RES* and the AuthID contained in the third request message.
  • When the target UE passes the authentication, a fourth request message sent by the AUSF network element is received, which includes the SUPI or the AuthID; the first authentication instance is located by the SUPI or the AuthID, the key Kseaf is calculated from the key Kausf in the authentication vector and the serving network name, and a second authentication instance identified by the SUPI is created in the SEAF functional area for this UE authentication process, containing the key Kseaf.
  • When the target UE passes the authentication, a fifth request message sent by the SEAF network element is received, which includes the SUPI and the anti-bidding-down between architectures (ABBA) parameter; the SUPI is used to find the second authentication instance, and the key Kamf is calculated from the key Kseaf, the SUPI and the ABBA.
  • The SUPI is used to identify a third authentication instance, which is created in the AMF functional area for this UE authentication process and includes the key Kamf.
  • The second request message may further include an AuthID, a unique identifier generated by the UDM network element for this UE authentication process.
  • A sixth request message sent by the AMF network element is received, which includes the SUPI and requests the establishment of a security context; the SUPI is used to find the third authentication instance in the AMF functional area, and the key Kamf is used to establish a first non-access stratum (NAS) security context containing the key KNASenc and the key KNASint.
  • The SUPI, the key KNASenc and the key KNASint are sent to the communication cryptographic system.
  • The SUPI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, which includes the SUPI, the key KNASenc and the key KNASint.
  • The sixth request message may further include a 5G key set identifier (ngKSI), which identifies the first NAS security context.
  • In that case the SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish the second NAS security context, which includes the SUPI, the ngKSI, the key KNASenc and the key KNASint.
  • FIG. 3 is a schematic diagram of signaling interaction of the UE authentication process provided by the embodiment of the present disclosure.
  • the UE authentication process provided by the embodiment of the present disclosure includes the following steps:
  • the UE sends a registration request to the SEAF network element, and the request contains the UE's SUCI or 5G Globally Unique Temporary UE Identity (GUTI).
  • GUI Globally Unique Temporary UE Identity
  • the SEAF network element sends a UE authentication request to the AUSF network element, and the request includes the SUCI or SUPI of the UE and the serving network name (serving network name, SN name).
  • the AUSF network element sends a UE authentication request to the UDM network element, and the request includes the SUCI or SUPI of the UE, and the serving network name.
  • the UDM network element sends a SUCI decryption request (first request) to the authentication cryptographic system, and the request includes the SUCI of the UE.
  • the authentication cryptosystem decrypts the UE's SUCI to obtain the UE's SUPI.
  • the authentication password system returns the UE's SUPI to the UDM network element.
  • the UDM network element uses the SUPI of the UE to check the subscription information of the UE. If the UE is allowed to continue to authenticate, the UDM network element sends a request (second request) for generating the UE authentication vector to the authentication cryptographic system, and the request includes SUPI and serving network name.
  • the UDM network element may provide a unique identifier AuthID (Authentication ID) for this UE authentication process.
  • AuthID Authentication ID
  • the authentication password system may also provide a unique identifier AuthID for this UE authentication process.
  • the request should also include the AuthID.
  • the UDM network element and the AUSF network element use AuthID to interact with the authentication cryptosystem, so that the security capabilities distributed in different entities work as a whole.
  • the authentication cryptosystem stores the generated authentication vector, which uses the AuthID as the identifier.
  • the authentication cryptographic system determines the authentication root key of the UE according to the SUPI of the UE.
  • the authentication cryptographic system generates an authentication vector for authenticating the UE by using information such as the authentication root key of the UE and the serving network name.
  • the format of the 5G authentication vector is: (RAND, AUTN, XRES*, key Kausf).
  • RAND Random challenge
  • AUTN AUthentication TokeN
  • XRES* eXpected RESponse
  • the key Kausf is a key.
  • the authentication cryptosystem if the AuthID is provided by the authentication cryptosystem, the authentication cryptosystem generates an AuthID, otherwise, the UDM network element provides the AuthID.
  • the authentication cryptographic system uses the AuthID to identify the generated authentication vector and the current UE authentication process.
  • the authentication cryptographic system creates an authentication instance (the first authentication instance) in the AUSF functional area for the UE authentication process by using the UE's SUPI as the identifier, and the authentication instance includes the UE authentication vector using the AuthID as the identifier.
  • the authentication cryptographic system only returns the part of the authentication vector that needs to be provided to the UE to the UDM network element, that is, (RAND, AUTN). If the AuthID is provided by the authentication password system, the AuthID should also be returned to the UDM network element.
  • the UDM network element returns (RAND, AUTN) and AuthID to the AUSF network element.
  • the UDM network element When the AUSF network element provides the UE's SUCI to the UDM network element, the UDM network element also needs to return the SUPI.
  • the AUSF network element sends (RAND, AUTN) to the SEAF network element.
  • the SEAF network element generates the 5G key set identifier (Key Set Identifier in 5G, ngKSI), and then sends (RAND, AUTN), ngKSI and ABBA to the UE.
  • 5G key set identifier Key Set Identifier in 5G, ngKSI
  • the UE verifies the AUTN, confirms that the authentication vector is correct, and then uses the UE's authentication root key and RAND to calculate RES*.
  • the UE sends the RES* to the SEAF network element.
  • the SEAF network element sends the RES* to the AUSF network element.
  • the AUSF network element sends a UE authentication request (third request) to the authentication cryptographic system, the request includes AuthID and RES*, and may also include SUPI of the UE.
  • the authentication password system uses SUPI and AuthID to find the authentication vector in the AUSF functional area, and then verifies whether RES* is the same as XRES* in the authentication vector.
  • the authentication cryptographic system identifies in the UE authentication instance that the UE has passed the authentication, and stores the key Kausf.
  • the authentication password system returns the authentication result (success/failure) to the AUSF network element.
  • the AUSF network element requests the authentication cryptographic system to calculate the key Kseaf.
  • the request (the fourth request) includes: SUPI or AuthID, and the request may also include: serving network name.
  • the authentication cryptographic system uses SUPI to determine the UE's authentication instance, and then uses the key Kausf and SN to calculate the key Kseaf.
  • the authentication cryptographic system uses the UE's SUPI as an identifier to create an authentication instance (second authentication instance) in the SEAF functional area for this UE authentication process, and the authentication instance contains information: the key Kseaf.
  • the authentication cryptographic system returns the result (success/failure) of whether the key is successfully generated to the AUSF network element.
  • the AUSF network element returns the authentication result to the SEAF network element.
  • the AUSF network element should also send the SUPI to the SEAF network element.
  • the SEAF network element requests the authentication cryptographic system to generate a key Kamf, and the request (fifth request) includes: SUPI and ABBA.
  • the authentication cryptographic system uses the SUPI to find the UE authentication instance in the SEAF functional area, and then uses the key Kseaf and the related parameters (the SUPI and ABBA) to calculate the key Kamf.
  • the authentication cryptographic system uses the UE's SUPI as an identifier to create an authentication instance (the third authentication instance) in the AMF functional area for the UE authentication process.
  • the authentication instance contains information: the key Kamf.
  • the authentication cryptographic system returns the result (success/failure) of whether the key is successfully generated to the SEAF network element.
  • the SEAF network element returns the authentication result to the AMF network element.
  • the SEAF network element provides the ngKSI and SUPI to the AMF network element.
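The key path of the procedure above, as an added example that is not code from the patent or from the applicant: a minimal Python model of the authentication cryptographic system that keeps the AUSF, SEAF and AMF functional areas as dictionaries keyed by AuthID and SUPI, and derives Kseaf, Kamf, KNASenc and KNASint with the 3GPP KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1, TS 33.220 Annex B) using the FC values and parameter lists of TS 33.501 Annex A (0x6C for Kseaf, 0x6D for Kamf, 0x69 for the algorithm keys). The authentication vector (XRES*, Kausf), the SUPI, the serving network name and the ABBA value are constructed sample inputs; the Milenage and Kausf/XRES* computation that produce the vector are outside the page's scope and are not shown. The class and method names (AuthCryptoSystem, kdf and so on) are the example's own, not the patent's.

```python
import hashlib
import hmac
import secrets

# FC values from TS 33.501 Annex A; algorithm type distinguishers from A.8.
FC_KSEAF, FC_KAMF, FC_ALG_KEY = 0x6C, 0x6D, 0x69
ALG_TYPE_NAS_ENC, ALG_TYPE_NAS_INT = 0x01, 0x02


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    each Li being the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


class AuthCryptoSystem:
    """Example model of the authentication cryptographic system: all per-UE
    authentication state lives here; network elements only receive results."""

    def __init__(self) -> None:
        self.ausf_area = {}  # AuthID -> first authentication instance
        self.seaf_area = {}  # SUPI   -> second authentication instance (Kseaf)
        self.amf_area = {}   # SUPI   -> third authentication instance (Kamf)

    def create_auth_instance(self, supi: str, sn_name: bytes, xres_star: bytes, kausf: bytes) -> str:
        """Second request (UDM): index the authentication vector by a fresh AuthID."""
        auth_id = secrets.token_hex(8)  # unique per UE authentication process
        self.ausf_area[auth_id] = {"supi": supi, "sn_name": sn_name, "xres_star": xres_star,
                                   "kausf": kausf, "authenticated": False}
        return auth_id

    def _first_instance(self, ident: str):
        """The fourth request may carry SUPI or AuthID; accept either."""
        if ident in self.ausf_area:
            return self.ausf_area[ident]
        return next((i for i in self.ausf_area.values() if i["supi"] == ident), None)

    def authenticate(self, auth_id: str, res_star: bytes) -> bool:
        """Third request (AUSF): compare RES* with XRES* in constant time, record the outcome."""
        inst = self.ausf_area.get(auth_id)
        if inst is None:
            return False
        inst["authenticated"] = hmac.compare_digest(res_star, inst["xres_star"])
        return inst["authenticated"]

    def derive_kseaf(self, ident: str) -> bool:
        """Fourth request (AUSF): Kseaf = KDF(Kausf, 0x6C, serving network name)."""
        inst = self._first_instance(ident)
        if inst is None or not inst["authenticated"]:
            return False  # never derive keys for an unauthenticated instance
        self.seaf_area[inst["supi"]] = {"kseaf": kdf(inst["kausf"], FC_KSEAF, inst["sn_name"])}
        return True

    def derive_kamf(self, supi: str, abba: bytes) -> bool:
        """Fifth request (SEAF): Kamf = KDF(Kseaf, 0x6D, SUPI, ABBA)."""
        inst = self.seaf_area.get(supi)
        if inst is None:
            return False
        self.amf_area[supi] = {"kamf": kdf(inst["kseaf"], FC_KAMF, supi.encode(), abba)}
        return True

    def establish_nas_context(self, supi: str, enc_alg_id: int, int_alg_id: int):
        """Sixth request (AMF): the 128-bit NAS keys are the 128 least significant bits of
        KDF(Kamf, 0x69, algorithm type distinguisher, algorithm identity)."""
        inst = self.amf_area.get(supi)
        if inst is None:
            return None
        knasenc = kdf(inst["kamf"], FC_ALG_KEY, bytes([ALG_TYPE_NAS_ENC]), bytes([enc_alg_id]))[16:]
        knasint = kdf(inst["kamf"], FC_ALG_KEY, bytes([ALG_TYPE_NAS_INT]), bytes([int_alg_id]))[16:]
        # this is the material handed to the communication cryptographic system
        return {"supi": supi, "knasenc": knasenc, "knasint": knasint}


def run_example():
    """Walk one UE authentication with constructed inputs (not real subscriber data)."""
    acs = AuthCryptoSystem()
    supi = "460001234567890"                        # IMSI-format SUPI as its digit string
    sn_name = b"5G:mnc001.mcc460.3gppnetwork.org"   # serving network name
    xres_star, kausf = secrets.token_bytes(16), secrets.token_bytes(32)
    auth_id = acs.create_auth_instance(supi, sn_name, xres_star, kausf)
    assert acs.authenticate(auth_id, xres_star)     # the UE's RES* matched XRES*
    assert acs.derive_kseaf(auth_id)
    assert acs.derive_kamf(supi, b"\x00\x00")       # ABBA value 0x0000 (Release 15)
    return acs.establish_nas_context(supi, enc_alg_id=2, int_alg_id=2)  # 128-NEA2 / 128-NIA2 identities


if __name__ == "__main__":
    ctx = run_example()
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in ctx.items()})
```

The point of the split is visible in the code: Kausf, Kseaf and Kamf never leave the object, the AUSF/SEAF/AMF elements only receive success/failure, and key derivation is refused until the instance has been marked authenticated.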
  • FIG. 4 is a schematic diagram of signaling interaction of the NAS security process provided by the embodiment of the present disclosure.
  • the NAS security process provided by the embodiment of the present disclosure includes the following steps:
  • when the AMF network element has not yet established the NAS security context of the UE, the AMF network element sends a security context establishment request (sixth request) to the authentication cryptographic system.
  • the request includes: SUPI, and the request may also include: ngKSI.
  • the authentication cryptographic system uses SUPI to find the UE authentication security context in the AMF functional area, and then uses Kamf to establish the UE NAS security context (the first NAS security context).
  • the NAS security context has the keys to realize NAS security: KNASenc and KNASint.
  • when the above-mentioned security context request also includes the ngKSI, the authentication cryptographic system uses Kamf to establish the UE NAS security context and identifies it with the ngKSI in the UE security context; this NAS security context likewise has the keys to realize NAS security: KNASenc and KNASint.
  • the authentication cryptographic system sends the key material used to realize NAS security to the communication cryptographic system in a message, which includes: SUPI, key KNASenc, and key KNASint.
  • the message may also include: ngKSI.
  • the communication cryptographic system uses the SUPI as an identifier to establish a NAS security context (second NAS security context) of the UE, and the NAS security context includes: SUPI, a key KNASenc, and a key KNASint.
  • when the message also includes the ngKSI, the communication cryptographic system uses the SUPI and ngKSI together as the identifier to establish the NAS security context of the UE, and the NAS security context also includes: ngKSI.
  • the communication cryptographic system returns the result (Success/Failure) of establishing the UE NAS security context to the authentication cryptographic system.
  • the authentication cryptographic system returns the result (Success/Failure) of the establishment of the NAS security context by the communication cryptographic system to the AMF network element.
  • when the AMF network element needs to send a NAS message to the UE, the AMF network element generates the NAS plaintext message.
  • the AMF network element sends a NAS message cryptographic operation request to the communication cryptographic system.
  • the request includes: SUPI, message plaintext, and parameters required for secure calculation, such as algorithm identification, COUNT, BEARER, DIRECTION, and LENGTH.
  • the NAS message cryptographic operation request may also include ngKSI.
  • the communication cryptographic system uses the SUPI (and the ngKSI, if present) to obtain the security context of the UE, calculates the NAS ciphertext, and then returns the NAS ciphertext to the AMF network element.
  • the AMF network element sends a NAS message to the UE.
  • the UE sends a NAS message to the AMF network element.
  • the AMF network element sends a NAS message cryptographic operation request to the communication cryptographic system.
  • the request includes: SUPI, message ciphertext, and parameters required for secure calculation, such as algorithm identification, COUNT, BEARER, DIRECTION, and LENGTH.
  • the NAS message cryptographic operation request may also include ngKSI.
  • the communication cryptographic system verifies the integrity of the NAS ciphertext and decrypts it (integrity check before decryption), and then returns the message plaintext to the AMF network element.
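The NAS operation requests above, in both directions, as an added example that is not part of the patent or the applicant's code: a Python model of the communication cryptographic system that keeps the second NAS security context keyed by (SUPI, ngKSI), builds the 3GPP input block COUNT(32) || BEARER(5) || DIRECTION(1) || 26 zero bits that the 128-NEA2 IV and the 128-NIA2 MAC input share, computes integrity over the ciphered message as NAS does, and rejects a COUNT that is reused or rolled back for a given bearer and direction, since a repeated COUNT under a stream cipher reuses keystream. 128-NEA0 and 128-NIA0 (the null algorithms) are implemented exactly; because the Python standard library has no AES, the keyed algorithm is a clearly labelled HMAC-SHA-256 stand-in under a hypothetical algorithm id, not 128-NEA2/128-NIA2. Keys, identifiers and messages are constructed sample values; the class and function names are the example's own.

```python
import hashlib
import hmac

NEA0 = NIA0 = 0            # null ciphering / null integrity algorithms
STANDIN_ALG = 0xF          # hypothetical id for the HMAC-SHA-256 stand-in; NOT a 3GPP algorithm
UPLINK, DOWNLINK = 0, 1    # DIRECTION bit


def input_block(count: int, bearer: int, direction: int) -> bytes:
    """COUNT(32) || BEARER(5) || DIRECTION(1) || 26 zero bits (TS 33.401 Annex B layout).
    The 128-NEA2 IV is this block followed by 64 zero bits; 128-NIA2 MACs it followed by the message."""
    if not (0 <= count < 2**32 and 0 <= bearer < 32 and direction in (0, 1)):
        raise ValueError("COUNT, BEARER or DIRECTION out of range")
    return count.to_bytes(4, "big") + bytes([(bearer << 3) | (direction << 2)]) + bytes(3)


def _standin_keystream(knasenc: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """Stand-in keystream (NOT 128-NEA2): HMAC-SHA-256 in counter mode over the NEA2 IV layout."""
    iv = input_block(count, bearer, direction) + bytes(8)
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(knasenc, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]


def nea(alg: int, knasenc: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Ciphering: XOR with keystream, so the same call encrypts and decrypts."""
    if alg == NEA0:
        return bytes(data)
    if alg == STANDIN_ALG:
        ks = _standin_keystream(knasenc, count, bearer, direction, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))
    raise ValueError("unsupported ciphering algorithm %d" % alg)


def nia(alg: int, knasint: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Integrity: 32-bit MAC-I over the input block and the message."""
    if alg == NIA0:
        return bytes(4)
    if alg == STANDIN_ALG:
        return hmac.new(knasint, input_block(count, bearer, direction) + data, hashlib.sha256).digest()[:4]
    raise ValueError("unsupported integrity algorithm %d" % alg)


class CommCryptoSystem:
    """Example model of the communication cryptographic system."""

    def __init__(self) -> None:
        self.contexts = {}  # (SUPI, ngKSI) -> second NAS security context

    def establish_context(self, supi: str, ngksi: int, knasenc: bytes, knasint: bytes) -> bool:
        if len(knasenc) != 16 or len(knasint) != 16:
            return False
        self.contexts[(supi, ngksi)] = {"knasenc": knasenc, "knasint": knasint, "last_count": {}}
        return True

    def _context(self, supi: str, ngksi: int) -> dict:
        ctx = self.contexts.get((supi, ngksi))
        if ctx is None:
            raise KeyError("no NAS security context for %s / ngKSI %d" % (supi, ngksi))
        return ctx

    @staticmethod
    def _accept_count(ctx: dict, bearer: int, direction: int, count: int) -> None:
        """COUNT must strictly increase per (bearer, direction) under one key set."""
        last = ctx["last_count"].get((bearer, direction))
        if last is not None and count <= last:
            raise ValueError("NAS COUNT reuse or rollback rejected")
        ctx["last_count"][(bearer, direction)] = count

    def protect(self, supi, ngksi, plaintext, enc_alg, int_alg, count, bearer, direction):
        """AMF -> UE request: cipher the plaintext, then MAC the ciphered message."""
        ctx = self._context(supi, ngksi)
        self._accept_count(ctx, bearer, direction, count)
        ct = nea(enc_alg, ctx["knasenc"], count, bearer, direction, plaintext)
        return ct, nia(int_alg, ctx["knasint"], count, bearer, direction, ct)

    def unprotect(self, supi, ngksi, ciphertext, mac, enc_alg, int_alg, count, bearer, direction):
        """UE -> AMF request: verify MAC-I first; only then advance COUNT and decipher."""
        ctx = self._context(supi, ngksi)
        expected = nia(int_alg, ctx["knasint"], count, bearer, direction, ciphertext)
        if not hmac.compare_digest(expected, mac):
            raise ValueError("NAS MAC failure")
        self._accept_count(ctx, bearer, direction, count)
        return nea(enc_alg, ctx["knasenc"], count, bearer, direction, ciphertext)
```

Two details matter for a real deployment of this split: the AMF never sees KNASenc/KNASint, only the SUPI/ngKSI handle and the COUNT, BEARER and DIRECTION it supplies, so the system holding the keys is the one that must enforce COUNT freshness; and on the receive path the MAC is checked before the context's COUNT is advanced, so a forged message cannot move the replay window.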
  • the authentication and security method provided by the embodiments of the present disclosure separates the security functions out of the core network system and concentrates the security capabilities of the 5G core network in a limited set of computing systems; the network elements that need security services call the related security functions through the interface of the security system, thereby greatly reducing the number of software and hardware systems that need to pass security-level certification.
  • Fig. 5 is a schematic structural diagram of a network device provided by an embodiment of the present disclosure. As shown in Fig. 5, the network device includes a memory 520, a transceiver 500, and a processor 510, wherein:
  • the memory 520 is used to store computer programs; the transceiver 500 is used to send and receive data under the control of the processor 510; the processor 510 is used to read the computer programs in the memory 520 and perform the following operations:
  • the first request message includes the subscription concealed identifier SUCI of the target terminal UE, and the first request message is used to request the authentication cryptographic system to decrypt the SUCI;
  • the second request message includes the SUPI and the serving network name, and is sent by the UDM network element after it checks the subscription information of the target UE according to the SUPI;
  • the first authentication instance is created in the authentication server function AUSF functional area for this UE authentication process, and the first authentication instance includes the authentication vector;
  • the transceiver 500 is configured to receive and send data under the control of the processor 510 .
  • the bus architecture may include any number of interconnected buses and bridges, specifically one or more processors represented by the processor 510 and various circuits of the memory represented by the memory 520 are linked together.
  • the bus architecture can also link together various other circuits such as peripherals, voltage regulators, and power management circuits, etc., which are well known in the art and therefore will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 500 may be a plurality of elements, including a transmitter and a receiver, providing a unit for communicating with various other devices over transmission media, including wireless channels, wired channels, optical cables, and other transmission media.
  • the processor 510 is responsible for managing the bus architecture and general processing, and the memory 520 may store data used by the processor 510 when performing operations.
  • the processor 510 can be a central processing unit (CPU), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field-Programmable Gate Array, FPGA) or a complex programmable logic device (Complex Programmable Logic Device, CPLD), the processor can also adopt a multi-core architecture.
  • when the target UE passes the authentication, receive a fourth request message sent by the AUSF network element, where the fourth request message includes the SUPI or the AuthID;
  • the second authentication instance is created in the security anchor function SEAF functional area for this UE authentication process, and the second authentication instance includes the key Kseaf;
  • when the target UE passes the authentication, receive a fifth request message sent by the SEAF network element, where the fifth request message includes the SUPI and the anti-bidding down between architectures parameter ABBA;
  • the third authentication instance is created in the access and mobility management function AMF functional area for this UE authentication process, and the third authentication instance includes the key Kamf.
  • the second request message further includes AuthID
  • the AuthID is a unique identifier generated by the UDM network element for this UE authentication process.
  • the first NAS security context includes the key KNASenc and the key KNASint ;
  • the sixth request message further includes a 5G key set identifier ngKSI; the ngKSI is used to identify the first NAS security context.
  • when the sixth request message includes the ngKSI, the SUPI, the ngKSI, the key KNASenc, and the key KNASint are used by the communication cryptographic system to establish a second NAS security context;
  • the second NAS security context then includes the SUPI, the ngKSI, the key KNASenc and the key KNASint.
  • otherwise, the SUPI, the key KNASenc, and the key KNASint are used by the communication cryptographic system to establish the second NAS security context;
  • the second NAS security context then includes the SUPI, the key KNASenc and the key KNASint.
  • the above-mentioned network equipment provided by the embodiments of the present disclosure can implement all the method steps implemented by the above-mentioned method embodiment in which the execution subject is the authentication cryptographic system, and can achieve the same technical effect.
  • the same parts and beneficial effects as those of the method embodiments will not be described again here.
  • Fig. 6 is a schematic structural diagram of an authentication and security device provided by an embodiment of the present disclosure. As shown in Fig. 6, an embodiment of the present disclosure provides an authentication and security device, including:
  • the first receiving module 601 is configured to receive a first request message sent by a unified data management (UDM) network element, the first request message includes the subscription concealed identifier SUCI of the target terminal UE, and the first request message is used to request the authentication cryptographic system to decrypt the SUCI;
  • the decryption module 602 is used to decrypt the SUCI to obtain the SUPI;
  • the first sending module 603 is configured to send the SUPI to the UDM network element
  • the second receiving module 604 is configured to receive a second request message sent by the UDM network element, the second request message includes the SUPI and the serving network name, and the second request message is sent by the UDM network element after it checks the subscription information of the target UE according to the SUPI;
  • the first determination module 605 is configured to determine the authentication root key of the target UE according to the SUPI, generate an authentication vector according to the authentication root key and the serving network name, and use a unique identifier AuthID to identify the authentication vector, this UE authentication process and a first authentication instance, where the first authentication instance is created in the authentication server function AUSF functional area for this UE authentication process and the authentication vector is included in the first authentication instance;
  • the second sending module 606 is configured to send the part of the authentication vector that needs to be provided to the target UE to the UDM network element;
  • the third receiving module 607 is configured to receive a third request message sent by an AUSF network element, where the third request message includes an authentication response RES* and the AuthID;
  • the authentication module 608 is configured to authenticate the target UE according to the RES* and the AuthID included in the third request message.
  • it also includes a third sending module, a fourth receiving module, a second determining module and a fourth sending module;
  • the third sending module is used to send the authentication result to the AUSF network element
  • the fourth receiving module is configured to receive a fourth request message sent by the AUSF network element, where the fourth request message includes the SUPI or the AuthID;
  • the second determination module is configured to determine the first authentication instance by using the SUPI or the AuthID, and calculate the key Kseaf by using the key Kausf and the service network name in the authentication vector; and use the SUPI to identify A second authentication instance, the second authentication instance is created in the security anchor function SEAF functional area, the second authentication instance is created for this UE authentication process, and the second authentication instance contains the key Kseaf;
  • the fourth sending module is configured to send the result of whether the key Kseaf is successfully generated to the AUSF network element.
  • a fifth receiving module and a first searching module are also included;
  • the fifth receiving module is configured to receive a fifth request message sent by a SEAF network element, where the fifth request message includes the SUPI and the anti-bidding down between architectures parameter ABBA;
  • the first search module is configured to use the SUPI to find the second authentication instance, and use the key Kseaf, the SUPI and the ABBA to calculate a key Kamf.
  • an identification module is also included;
  • the identification module is configured to use the SUPI to identify a third authentication instance, the third authentication instance is created in the access and mobility management function AMF functional area, and the third authentication instance is created for this UE authentication process , the third authentication instance includes the key Kamf.
  • a fifth sending module is also included.
  • the fifth sending module is used to send the result of whether the key Kamf is successfully generated to the SEAF network element.
  • a generating module is also included;
  • the generating module is used to generate an AuthID for this UE authentication process.
  • the second request message further includes AuthID
  • the AuthID is a unique identifier generated by the UDM network element for this UE authentication process.
  • a sixth receiving module, a second searching module and a sixth sending module are also included;
  • the sixth receiving module is configured to receive a sixth request message sent by an AMF network element, the sixth request message includes the SUPI, and the sixth request message is used to request establishment of a security context;
  • the second search module is configured to use the SUPI to search for the third authentication instance in the AMF functional area, and use the key Kamf to establish a first non-access stratum NAS security context, in the first NAS security context Contains key KNASenc and key KNASint;
  • the sixth sending module is configured to send the SUPI, the key KNASenc and the key KNASint to a communication cryptographic system.
  • the sixth request message further includes a 5G key set identifier ngKSI; the ngKSI is used to identify the first NAS security context.
  • when the sixth request message includes the ngKSI, the SUPI, the ngKSI, the key KNASenc, and the key KNASint are used by the communication cryptographic system to establish a second NAS security context;
  • the second NAS security context then includes the SUPI, the ngKSI, the key KNASenc and the key KNASint.
  • otherwise, the SUPI, the key KNASenc, and the key KNASint are used by the communication cryptographic system to establish the second NAS security context;
  • the second NAS security context then includes the SUPI, the key KNASenc and the key KNASint.
  • a seventh receiving module and a seventh sending module are also included;
  • the seventh receiving module is configured to receive the result of establishing the second NAS security context sent by the communication encryption system
  • the seventh sending module is configured to send the result of establishing the second NAS security context to the AMF network element.
  • the above-mentioned authentication and security device provided by the embodiment of the present disclosure can realize all the method steps implemented by the above-mentioned method embodiment in which the execution subject is the authentication cryptographic system, and can achieve the same technical effect.
  • the same parts and beneficial effects as those of the method embodiments will not be described again here.
  • each functional unit in each embodiment of the present disclosure may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units can be implemented in the form of hardware or in the form of software functional units.
  • if the integrated unit is realized in the form of a software functional unit and sold or used as an independent product, it can be stored in a processor-readable storage medium.
  • based on this understanding, the technical solution of the present disclosure, in essence or in the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for making a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor execute all or part of the steps of the methods described in the various embodiments of the present disclosure.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or other media that can store program code.
  • a computer-readable storage medium stores a computer program, and the computer program is used to make a computer execute the steps of the authentication and security method provided by the above method embodiments .
  • the above-mentioned computer-readable storage medium provided by the embodiments of the present disclosure can realize all the method steps realized by the above-mentioned method embodiments, and can achieve the same technical effect.
  • the same parts and beneficial effects as those of the method embodiments will not be described again here.
  • the computer-readable storage medium can be any available medium or data storage device that can be accessed by the processor, including but not limited to magnetic storage (such as floppy disk, hard disk, magnetic tape, magneto-optical disk (MO), etc.), Optical memory (such as CD, DVD, BD, HVD, etc.), and semiconductor memory (such as ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH), solid-state hard disk (SSD)), etc.
  • the terms "first" and "second" in the embodiments of the present disclosure are used to distinguish similar objects, and are not used to describe a specific order or sequence. It is to be understood that the terms so used are interchangeable under appropriate circumstances, such that the embodiments of the present disclosure can be practised in sequences other than those illustrated or described herein; the objects distinguished by "first" and "second" are usually of one category, and the number of objects is not limited, for example, there may be one or more first objects.
  • the applicable system may be a global system for mobile communications (GSM) system, a code division multiple access (CDMA) system, a wideband code division multiple access (WCDMA) system, a general packet radio service (GPRS) system, a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a long term evolution advanced (LTE-A) system, a universal mobile telecommunications system (UMTS), a worldwide interoperability for microwave access (WiMAX) system, a 5G new radio (NR) system, etc.
  • the terminal device involved in the embodiments of the present disclosure may be a device that provides voice and/or data connectivity to users, a handheld device with a wireless connection function, or other processing devices connected to a wireless modem.
  • the name of the terminal equipment may be different.
  • the terminal equipment may be called User Equipment (User Equipment, UE).
  • the wireless terminal equipment can communicate with one or more core networks (CN) via the radio access network (RAN); the wireless terminal equipment can be a mobile terminal equipment, such as a mobile phone (also called a "cellular" phone) and a computer with mobile terminal equipment, for example a portable, pocket, hand-held, computer-built-in or vehicle-mounted mobile device, which exchanges voice and/or data with the radio access network.
  • PCS Personal Communication Service
  • SIP Session Initiated Protocol
  • WLL Wireless Local Loop
  • PDA Personal Digital Assistant
  • wireless terminal equipment can also be called a system, subscriber unit, subscriber station, mobile station, mobile, remote station, access point, remote terminal, access terminal, user terminal, user agent, or user device, which is not limited in the embodiments of the present disclosure.
  • the network device involved in the embodiments of the present disclosure may be a base station, and the base station may include multiple cells that provide services for terminals.
  • the base station can also be called an access point, or it can be a device in the access network that communicates with the wireless terminal device through one or more sectors on the air interface, or other names.
  • the network device can be used to interchange received over-the-air frames with Internet Protocol (IP) packets and act as a router between the wireless terminal device and the rest of the access network, which can include the Internet Protocol (IP) communication network.
  • Network devices may also coordinate attribute management for the air interface.
  • the network equipment involved in the embodiments of the present disclosure may be a base transceiver station (BTS) in a Global System for Mobile communications (GSM) or Code Division Multiple Access (CDMA) system, a NodeB in a Wideband Code Division Multiple Access (WCDMA) system, an evolved Node B (eNB or e-NodeB) in a long term evolution (LTE) system, a 5G base station (gNB) in the 5G network architecture (next generation system), a home evolved Node B (HeNB), a relay node, a home base station (femto), a pico base station (pico), etc., which is not limited in the embodiments of the present disclosure.
  • a network device may include a centralized unit (centralized unit, CU) node and a distributed unit (distributed unit, DU) node,
  • MIMO transmission can be Single User MIMO (Single User MIMO, SU-MIMO) or Multi-User MIMO (Multiple User MIMO, MU-MIMO).
  • MIMO transmission can be 2D-MIMO, 3D-MIMO, FD-MIMO, or massive-MIMO, or diversity transmission, precoding transmission, or beamforming transmission, etc.
  • the embodiments of the present disclosure may be provided as methods, systems, or computer program products. Accordingly, the present disclosure can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, optical storage, etc.) having computer-usable program code embodied therein.
  • the processor-executable instructions may also be stored in a processor-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the processor-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
  • the processor-executable instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present disclosure provide an authentication and security method and device, and a storage medium. The method comprises: determining an authentication root key of a UE according to a SUPI; generating an authentication vector according to the authentication root key and a service network name; and using a unique identifier AuthID to identify the authentication vector, the present UE authentication process and a first authentication instance. The first authentication instance is created in an authentication server function (AUSF) function area, the first authentication instance is created for the present UE authentication process, and the first authentication instance comprises the authentication vector. According to the authentication and security method and device and the storage medium provided by the embodiments of the present disclosure, the security function of the core network system is separated, the security capability of the 5G core network is concentrated in a limited computing system, and a network element in need of a security service calls the relevant security function through the interface of the security system, thereby significantly reducing the number of software and hardware systems to be subjected to security level authentication.

Description

Authentication and security method, device and storage medium
Cross References to Related Applications
This application claims the priority of the Chinese patent application with application number 2022100063448, filed on January 05, 2022 and entitled "Authentication and security method, device and storage medium", which is fully incorporated herein by reference.
Technical Field
The present disclosure relates to the technical field of communications, and in particular to an authentication and security method, device and storage medium.
Background
The 5th generation mobile communication (5G) system can not only be applied to ordinary commercial applications, but can also be used as a dedicated system in dedicated deployments with high security requirements. In the field of high-security applications, there are special security standards for both system software and hardware.
In the existing solution, key management and cryptographic operations are handled separately by each network element.
The 5G core network is composed of many network elements (servers) that implement various functions. When the system requires a high security level, all software and hardware in the core network must meet the corresponding security standards; adopting the existing solution greatly increases the complexity of the system and thus its cost.
Summary
Embodiments of the present disclosure provide an authentication and security method, device, and storage medium, to solve the technical problem of high system complexity in the prior art.
In a first aspect, an embodiment of the present disclosure provides an authentication and security method, applied to an authentication cryptographic system, including:
receiving a first request message sent by a unified data management (UDM) network element, where the first request message includes the subscription concealed identifier (SUCI) of the target terminal UE, and the first request message is used to request the authentication cryptographic system to decrypt the SUCI;
decrypting the SUCI to obtain the subscription permanent identifier (SUPI);
sending the SUPI to the UDM network element;
receiving a second request message sent by the UDM network element, where the second request message includes the SUPI and the serving network name, and the second request message is sent by the UDM network element after it checks the subscription information of the target UE according to the SUPI;
determining the authentication root key of the target UE according to the SUPI, generating an authentication vector according to the authentication root key and the serving network name, and using a unique identifier AuthID to identify the authentication vector, this UE authentication process and a first authentication instance, where the first authentication instance is created in the authentication server function (AUSF) functional area for this UE authentication process and includes the authentication vector;
sending to the UDM network element the part of the authentication vector that needs to be provided to the target UE;
receiving a third request message sent by the AUSF network element, where the third request message includes an authentication response RES* and the AuthID;
authenticating the target UE according to the RES* and the AuthID included in the third request message.
In some embodiments, the method further includes:
sending the authentication result to the AUSF network element;
when the target UE passes authentication, receiving a fourth request message sent by the AUSF network element, where the fourth request message contains the SUPI or the AuthID;
determining the first authentication instance by means of the SUPI or the AuthID, computing the key Kseaf from the key Kausf in the authentication vector and the serving network name, and using the SUPI to identify a second authentication instance, where the second authentication instance is created in the security anchor function (SEAF) functional area for the current UE authentication procedure and contains the key Kseaf;
sending to the AUSF network element the result indicating whether the key Kseaf was generated successfully.
In some embodiments, the method further includes:
when the target UE passes authentication, receiving a fifth request message sent by a SEAF network element, where the fifth request message contains the SUPI and the anti-bidding-down (ABBA) parameter;
finding the second authentication instance by means of the SUPI, and computing the key Kamf from the key Kseaf, the SUPI and the ABBA.
In some embodiments, the method further includes:
using the SUPI to identify a third authentication instance, where the third authentication instance is created in the access and mobility management function (AMF) functional area for the current UE authentication procedure and contains the key Kamf.
In some embodiments, the method further includes:
sending to the SEAF network element the result indicating whether the key Kamf was generated successfully.
In some embodiments, the method further includes:
generating an AuthID for the current UE authentication procedure.
In some embodiments, the second request message further contains an AuthID, the AuthID being a unique identifier generated by the UDM network element for the current UE authentication procedure.
In some embodiments, the method further includes:
receiving a sixth request message sent by an AMF network element, where the sixth request message contains the SUPI and is used to request the establishment of a security context;
looking up the third authentication instance in the AMF functional area by means of the SUPI, and establishing a first non-access stratum (NAS) security context using the key Kamf, where the first NAS security context contains the key KNASenc and the key KNASint;
sending the SUPI, the key KNASenc and the key KNASint to a communication cryptosystem.
In some embodiments, the sixth request message further contains a 5G key set identifier ngKSI; the ngKSI is used to identify the first NAS security context.
In some embodiments, the SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptosystem to establish a second NAS security context, and the second NAS security context contains the SUPI, the ngKSI, the key KNASenc and the key KNASint.
In some embodiments, the SUPI, the key KNASenc and the key KNASint are used by the communication cryptosystem to establish a second NAS security context, and the second NAS security context contains the SUPI, the key KNASenc and the key KNASint.
In some embodiments, the method further includes:
receiving the result of establishing the second NAS security context sent by the communication cryptosystem;
sending the result of establishing the second NAS security context to the AMF network element.
In a second aspect, an embodiment of the present disclosure provides a network device, including a memory, a transceiver and a processor;
the memory is configured to store a computer program; the transceiver is configured to send and receive data under the control of the processor; the processor is configured to read the computer program in the memory and perform the following operations:
receiving a first request message sent by a unified data management (UDM) network element, where the first request message contains the subscription concealed identifier (SUCI) of a target terminal (UE) and is used to request that an authentication cryptosystem decrypt the SUCI;
decrypting the SUCI to obtain the subscription permanent identifier (SUPI);
sending the SUPI to the UDM network element;
receiving a second request message sent by the UDM network element, where the second request message contains the SUPI and a serving network name, and is sent by the UDM network element after it has checked the subscription information of the target UE according to the SUPI;
determining the authentication root key of the target UE according to the SUPI, generating an authentication vector according to the authentication root key and the serving network name, and using a unique identifier AuthID to identify the authentication vector, the current UE authentication procedure and a first authentication instance, where the first authentication instance is created in the authentication server function (AUSF) functional area for the current UE authentication procedure and contains the authentication vector;
sending to the UDM network element the part of the authentication vector that needs to be provided to the target UE;
receiving a third request message sent by an AUSF network element, where the third request message contains an authentication response RES* and the AuthID;
authenticating the target UE according to the RES* and the AuthID contained in the third request message.
In some embodiments, the operations further include:
sending the authentication result to the AUSF network element;
when the target UE passes authentication, receiving a fourth request message sent by the AUSF network element, where the fourth request message contains the SUPI or the AuthID;
determining the first authentication instance by means of the SUPI or the AuthID, computing the key Kseaf from the key Kausf in the authentication vector and the serving network name, and using the SUPI to identify a second authentication instance, where the second authentication instance is created in the security anchor function (SEAF) functional area for the current UE authentication procedure and contains the key Kseaf;
sending to the AUSF network element the result indicating whether the key Kseaf was generated successfully.
In some embodiments, the operations further include:
when the target UE passes authentication, receiving a fifth request message sent by a SEAF network element, where the fifth request message contains the SUPI and the anti-bidding-down (ABBA) parameter;
finding the second authentication instance by means of the SUPI, and computing the key Kamf from the key Kseaf, the SUPI and the ABBA.
In some embodiments, the operations further include:
using the SUPI to identify a third authentication instance, where the third authentication instance is created in the access and mobility management function (AMF) functional area for the current UE authentication procedure and contains the key Kamf.
In some embodiments, the operations further include:
sending to the SEAF network element the result indicating whether the key Kamf was generated successfully.
In some embodiments, the operations further include:
generating an AuthID for the current UE authentication procedure.
In some embodiments, the second request message further contains an AuthID, the AuthID being a unique identifier generated by the UDM network element for the current UE authentication procedure.
In some embodiments, the operations further include:
receiving a sixth request message sent by an AMF network element, where the sixth request message contains the SUPI and is used to request the establishment of a security context;
looking up the third authentication instance in the AMF functional area by means of the SUPI, and establishing a first non-access stratum (NAS) security context using the key Kamf, where the first NAS security context contains the key KNASenc and the key KNASint;
sending the SUPI, the key KNASenc and the key KNASint to a communication cryptosystem.
In some embodiments, the sixth request message further contains a 5G key set identifier ngKSI; the ngKSI is used to identify the first NAS security context.
In some embodiments, the SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptosystem to establish a second NAS security context, and the second NAS security context contains the SUPI, the ngKSI, the key KNASenc and the key KNASint.
In some embodiments, the SUPI, the key KNASenc and the key KNASint are used by the communication cryptosystem to establish a second NAS security context, and the second NAS security context contains the SUPI, the key KNASenc and the key KNASint.
In some embodiments, the operations further include:
receiving the result of establishing the second NAS security context sent by the communication cryptosystem;
sending the result of establishing the second NAS security context to the AMF network element.
In a third aspect, an embodiment of the present disclosure provides a communication device system, including an authentication cryptosystem and a communication cryptosystem;
the authentication cryptosystem sends the SUPI, the key KNASenc and the key KNASint to the communication cryptosystem;
the communication cryptosystem performs the NAS security procedure according to the SUPI, the key KNASenc and the key KNASint.
In a fourth aspect, an embodiment of the present disclosure provides an authentication and security apparatus, including:
a first receiving module, configured to receive a first request message sent by a unified data management (UDM) network element, where the first request message contains the subscription concealed identifier (SUCI) of a target terminal (UE) and is used to request that the authentication cryptosystem decrypt the SUCI;
a decryption module, configured to decrypt the SUCI to obtain the subscription permanent identifier (SUPI);
a first sending module, configured to send the SUPI to the UDM network element;
a second receiving module, configured to receive a second request message sent by the UDM network element, where the second request message contains the SUPI and a serving network name, and is sent by the UDM network element after it has checked the subscription information of the target UE according to the SUPI;
a first determining module, configured to determine the authentication root key of the target UE according to the SUPI, generate an authentication vector according to the authentication root key and the serving network name, and use a unique identifier AuthID to identify the authentication vector, the current UE authentication procedure and a first authentication instance, where the first authentication instance is created in the authentication server function (AUSF) functional area for the current UE authentication procedure and contains the authentication vector;
a second sending module, configured to send to the UDM network element the part of the authentication vector that needs to be provided to the target UE;
a third receiving module, configured to receive a third request message sent by an AUSF network element, where the third request message contains an authentication response RES* and the AuthID;
an authentication module, configured to authenticate the target UE according to the RES* and the AuthID contained in the third request message.
In some embodiments, the apparatus further includes a third sending module, a fourth receiving module, a second determining module and a fourth sending module;
the third sending module is configured to send the authentication result to the AUSF network element;
when the target UE passes authentication, the fourth receiving module is configured to receive a fourth request message sent by the AUSF network element, where the fourth request message contains the SUPI or the AuthID;
the second determining module is configured to determine the first authentication instance by means of the SUPI or the AuthID, compute the key Kseaf from the key Kausf in the authentication vector and the serving network name, and use the SUPI to identify a second authentication instance, where the second authentication instance is created in the security anchor function (SEAF) functional area for the current UE authentication procedure and contains the key Kseaf;
the fourth sending module is configured to send to the AUSF network element the result indicating whether the key Kseaf was generated successfully.
In some embodiments, the apparatus further includes a fifth receiving module and a first lookup module;
when the target UE passes authentication, the fifth receiving module is configured to receive a fifth request message sent by a SEAF network element, where the fifth request message contains the SUPI and the anti-bidding-down (ABBA) parameter;
the first lookup module is configured to find the second authentication instance by means of the SUPI, and to compute the key Kamf from the key Kseaf, the SUPI and the ABBA.
In some embodiments, the apparatus further includes an identification module;
the identification module is configured to use the SUPI to identify a third authentication instance, where the third authentication instance is created in the access and mobility management function (AMF) functional area for the current UE authentication procedure and contains the key Kamf.
In some embodiments, the apparatus further includes a fifth sending module;
the fifth sending module is configured to send to the SEAF network element the result indicating whether the key Kamf was generated successfully.
In some embodiments, the apparatus further includes a generating module;
the generating module is configured to generate an AuthID for the current UE authentication procedure.
In some embodiments, the second request message further contains an AuthID, the AuthID being a unique identifier generated by the UDM network element for the current UE authentication procedure.
In some embodiments, the apparatus further includes a sixth receiving module, a second lookup module and a sixth sending module;
the sixth receiving module is configured to receive a sixth request message sent by an AMF network element, where the sixth request message contains the SUPI and is used to request the establishment of a security context;
the second lookup module is configured to look up the third authentication instance in the AMF functional area by means of the SUPI, and to establish a first non-access stratum (NAS) security context using the key Kamf, where the first NAS security context contains the key KNASenc and the key KNASint;
the sixth sending module is configured to send the SUPI, the key KNASenc and the key KNASint to a communication cryptosystem.
In some embodiments, the sixth request message further contains a 5G key set identifier ngKSI; the ngKSI is used to identify the first NAS security context.
In some embodiments, the SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptosystem to establish a second NAS security context, and the second NAS security context contains the SUPI, the ngKSI, the key KNASenc and the key KNASint.
In some embodiments, the SUPI, the key KNASenc and the key KNASint are used by the communication cryptosystem to establish a second NAS security context, and the second NAS security context contains the SUPI, the key KNASenc and the key KNASint.
In some embodiments, the apparatus further includes a seventh receiving module and a seventh sending module;
the seventh receiving module is configured to receive the result of establishing the second NAS security context sent by the communication cryptosystem;
the seventh sending module is configured to send the result of establishing the second NAS security context to the AMF network element.
In a fifth aspect, an embodiment of the present disclosure further provides a processor-readable storage medium storing a computer program, the computer program being used to cause the processor to perform the steps of the authentication and security method of the first aspect.
In a sixth aspect, an embodiment of the present disclosure further provides a computer-readable storage medium storing a computer program, the computer program being used to cause a computer to perform the steps of the authentication and security method of the first aspect.
In a seventh aspect, an embodiment of the present disclosure further provides a communication-device-readable storage medium storing a computer program, the computer program being used to cause a communication device to perform the steps of the authentication and security method of the first aspect.
In an eighth aspect, an embodiment of the present disclosure further provides a chip-product-readable storage medium storing a computer program, the computer program being used to cause a chip product to perform the steps of the authentication and security method of the first aspect.
The authentication and security method, apparatus and storage medium provided by the embodiments of the present disclosure separate the security functions of the core network system and concentrate the security capabilities of the 5G core network in a limited set of computing systems; network elements that need security services invoke the relevant security functions through the interface of the security system, which greatly reduces the number of software and hardware systems that must pass security level certification.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present disclosure or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show some embodiments of the present disclosure, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of the high-security core network system architecture provided by an embodiment of the present disclosure;
FIG. 2 is a schematic flowchart of the authentication and security method provided by an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of the signalling interaction of the UE authentication procedure provided by an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of the signalling interaction of the NAS security procedure provided by an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of a network device provided by an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of an authentication and security apparatus provided by an embodiment of the present disclosure.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions in the embodiments of the present disclosure are described clearly and completely below with reference to the drawings of the embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the present disclosure. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present disclosure without creative effort fall within the protection scope of the present disclosure.
FIG. 1 is a schematic diagram of the high-security core network system architecture provided by an embodiment of the present disclosure. As shown in FIG. 1, an embodiment of the present disclosure provides a communication device system (a high-security-level cryptosystem) that includes an authentication cryptosystem and a communication cryptosystem.
The authentication cryptosystem sends the SUPI, the key KNASenc and the key KNASint to the communication cryptosystem.
The communication cryptosystem performs the NAS security procedure according to the SUPI, the key KNASenc and the key KNASint.
Specifically, the authentication cryptosystem is a network element of the high-security-level cryptosystem that performs the operations related to cryptographic computation during user authentication.
The operations related to cryptographic computation specifically include: storing the authentication keys of subscribed users, performing the related cryptographic computations, storing the keys and related data generated during the authentication procedure, and providing the keys and related parameters generated during the authentication procedure to other cryptographic computing devices. The other cryptographic computing devices include the communication cryptosystem.
The communication cryptosystem is likewise a network element of the high-security-level cryptosystem and is used to secure data transmission, for example by storing the keys used to secure data communication and performing the related cryptographic computations that provide confidentiality and integrity protection of the data communication.
In the embodiments of the present disclosure, the authentication cryptosystem and the communication cryptosystem are newly added network elements of high security level, used to separate the capabilities related to cryptographic computation from the 5G core network elements. This avoids turning the entire core network into a high-security-level network and therefore reduces the complexity and cost of the whole system.
The authentication cryptosystem is made up of the following functional areas:
Unified Data Management (UDM) functional area: the UDM network element of the 5G core network can access the functions and data of the UDM functional area of the authentication cryptosystem through the interface of the authentication cryptosystem, but cannot access the functions and data of the other functional areas. The UDM functional area can write the security information that the Authentication Server Function (AUSF) network element needs during the terminal/User Equipment (UE) authentication procedure into the AUSF functional area.
AUSF functional area: the AUSF network element of the 5G core network can access the functions and data of the AUSF functional area of the authentication cryptosystem through the interface of the authentication cryptosystem, but cannot access the functions and data of the other functional areas. The AUSF functional area can write the security information that the SEcurity Anchor Function (SEAF) network element needs during the UE authentication procedure into the SEAF functional area.
SEAF functional area: the SEAF network element of the 5G core network can access the functions and data of the SEAF functional area of the authentication cryptosystem through the interface of the authentication cryptosystem, but cannot access the functions and data of the other functional areas. The SEAF functional area can write the security information that the Access and Mobility Management Function (AMF) network element needs during the UE authentication procedure into the AMF functional area.
AMF functional area: the AMF network element of the 5G core network can access the functions and data of the AMF functional area of the authentication cryptosystem through the interface of the authentication cryptosystem, but cannot access the functions and data of the other functional areas. The AMF functional area can provide the security information used to secure UE data communication to the communication cryptosystem.
Fig. 2 is a schematic flow diagram of the authentication and security method provided by an embodiment of the present disclosure. As shown in Fig. 2, the embodiment provides an authentication and security method whose execution subject may be the authentication cryptographic system; the method includes:
Step 201: receiving a first request message sent by the UDM network element, the first request message containing the Subscription Concealed Identifier (SUCI) of the target UE and requesting that the authentication cryptographic system decrypt the SUCI;
Step 202: decrypting the SUCI to obtain the Subscription Permanent Identifier (SUPI);
Step 203: sending the SUPI to the UDM network element;
Step 204: receiving a second request message sent by the UDM network element, the second request message containing the SUPI and the serving network name (SN name), the second request message being sent after the UDM network element has checked the subscription information of the target UE using the SUPI;
Step 205: determining the authentication root key of the target UE from the SUPI, generating an authentication vector from the authentication root key and the serving network name, and using a unique identifier AuthID to identify the authentication vector, the current UE authentication process and a first authentication instance, where the first authentication instance is created in the Authentication Server Function (AUSF) functional area for the current UE authentication process and contains the authentication vector;
Step 206: sending to the UDM network element the part of the authentication vector that needs to be provided to the target UE;
Step 207: receiving a third request message sent by the AUSF network element, the third request message containing the authentication response (RES*) and the AuthID;
Step 208: authenticating the target UE according to the RES* and the AuthID contained in the third request message.
In some embodiments, the method further includes:
sending the authentication result to the AUSF network element;
when the target UE has been authenticated successfully, receiving a fourth request message sent by the AUSF network element, the fourth request message containing the SUPI or the AuthID;
determining the first authentication instance using the SUPI or the AuthID, computing the key Kseaf from the key Kausf in the authentication vector and the serving network name, and using the SUPI to identify a second authentication instance, where the second authentication instance is created in the Security Anchor Function (SEAF) functional area for the current UE authentication process and contains the key Kseaf;
sending the result of whether the key Kseaf was generated successfully to the AUSF network element.
In some embodiments, the method further includes:
when the target UE has been authenticated successfully, receiving a fifth request message sent by the SEAF network element, the fifth request message containing the SUPI and the Anti-Bidding down Between Architectures (ABBA) parameter;
finding the second authentication instance using the SUPI, and computing the key Kamf from the key Kseaf, the SUPI and the ABBA parameter.
In some embodiments, the method further includes:
using the SUPI to identify a third authentication instance, where the third authentication instance is created in the AMF functional area for the current UE authentication process and contains the key Kamf.
In some embodiments, the method further includes:
sending the result of whether the key Kamf was generated successfully to the SEAF network element.
In some embodiments, the method further includes:
generating an AuthID for the current UE authentication process.
In some embodiments, the second request message further contains the AuthID, the AuthID being a unique identifier generated by the UDM network element for the current UE authentication process.
In some embodiments, the method further includes:
receiving a sixth request message sent by the AMF network element, the sixth request message containing the SUPI and requesting the establishment of a security context;
finding the third authentication instance in the AMF functional area using the SUPI, and establishing a first Non-Access Stratum (NAS) security context using the key Kamf, the first NAS security context containing the key KNASenc and the key KNASint;
sending the SUPI, the key KNASenc and the key KNASint to the communication cryptographic system.
In some embodiments, the SUPI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, the second NAS security context containing the SUPI, the key KNASenc and the key KNASint.
In some embodiments, the sixth request message further contains the 5G key set identifier ngKSI, the ngKSI identifying the first NAS security context.
In some embodiments, the SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, the second NAS security context containing the SUPI, the ngKSI, the key KNASenc and the key KNASint.
In some embodiments, the method further includes:
receiving the result of establishing the second NAS security context sent by the communication cryptographic system;
sending the result of establishing the second NAS security context to the AMF network element.
Specifically, Fig. 3 is a schematic diagram of the signalling interaction of the UE authentication procedure provided by an embodiment of the present disclosure. As shown in Fig. 3, the UE authentication procedure includes the following steps:
1. The UE sends a registration request to the SEAF network element; the request contains the UE's SUCI or its 5G Globally Unique Temporary UE Identity (GUTI).
2. The SEAF network element sends a UE authentication request to the AUSF network element; the request contains the UE's SUCI or SUPI and the serving network name (SN name).
3. The AUSF network element sends a UE authentication request to the UDM network element; the request contains the UE's SUCI or SUPI and the serving network name.
4. When the request contains the UE's SUCI, the UDM network element sends a SUCI decryption request (the first request) to the authentication cryptographic system; the request contains the UE's SUCI.
5. The authentication cryptographic system decrypts the UE's SUCI and obtains the UE's SUPI.
6. The authentication cryptographic system returns the UE's SUPI to the UDM network element.
7. The UDM network element uses the UE's SUPI to check the UE's subscription information. If authentication of the UE may proceed, the UDM network element sends a request to generate the UE authentication vector (the second request) to the authentication cryptographic system; the request contains the SUPI and the serving network name.
Optionally, the UDM network element may provide a unique identifier AuthID (Authentication ID) for this UE authentication process.
Optionally, the authentication cryptographic system may instead provide the unique identifier AuthID for this UE authentication process.
If the AuthID is provided by the UDM network element, the request also contains the AuthID.
Until the UE has actually been authenticated successfully, the UDM network element and the AUSF network element use the AuthID in their interactions with the authentication cryptographic system, so that the security capabilities distributed across different entities work as a whole. The authentication cryptographic system stores the generated authentication vector, identified by the AuthID.
8. The authentication cryptographic system determines the UE's authentication root key from the UE's SUPI, then uses the authentication root key, the serving network name and related information to generate an authentication vector for authenticating the UE. The 5G authentication vector has the format (RAND, AUTN, XRES*, Kausf), where RAND is the random challenge, AUTN is the authentication token, XRES* is the expected response and Kausf is a key.
Optionally, if the AuthID is provided by the authentication cryptographic system, the authentication cryptographic system generates an AuthID; otherwise it uses the AuthID provided by the UDM network element.
The authentication cryptographic system uses the AuthID to identify the generated authentication vector and this UE authentication process.
The authentication cryptographic system creates an authentication instance (the first authentication instance) in the AUSF functional area for this UE authentication process, using the UE's SUPI as its identifier; the authentication instance contains the UE authentication vector identified by the AuthID.
9. The authentication cryptographic system returns to the UDM network element only the part of the authentication vector that needs to be provided to the UE, namely (RAND, AUTN). If the AuthID was provided by the authentication cryptographic system, it also returns the AuthID to the UDM network element.
10. The UDM network element returns (RAND, AUTN) and the AuthID to the AUSF network element.
When the AUSF network element provided the UE's SUCI to the UDM network element, the UDM network element also needs to return the SUPI.
11. The AUSF network element sends (RAND, AUTN) to the SEAF network element.
12. The SEAF network element generates the 5G key set identifier (ngKSI) and then sends (RAND, AUTN), the ngKSI and the ABBA parameter to the UE.
13. The UE verifies the AUTN, confirms that the authentication vector is correct, and then computes RES* from the UE's authentication root key and RAND.
14. The UE sends RES* to the SEAF network element.
15. The SEAF network element sends RES* to the AUSF network element.
16. The AUSF network element sends a UE authentication request (the third request) to the authentication cryptographic system; the request contains the AuthID and RES*, and may also contain the UE's SUPI.
17. The authentication cryptographic system uses the SUPI and the AuthID to find the authentication vector in the AUSF functional area, and then verifies whether RES* is identical to the XRES* in the authentication vector.
If the authentication passes, the authentication cryptographic system marks the UE as authenticated in the UE's authentication instance and stores the key Kausf.
18. The authentication cryptographic system returns the authentication result (success/failure) to the AUSF network element.
19. If the UE has passed authentication, the AUSF network element requests the authentication cryptographic system to compute the key Kseaf; the request (the fourth request) contains the SUPI or the AuthID, and may also contain the serving network name.
20. The authentication cryptographic system uses the SUPI to determine the UE's authentication instance, and then computes the key Kseaf from the key Kausf and the serving network name.
The authentication cryptographic system creates an authentication instance (the second authentication instance) in the SEAF functional area for this UE authentication process, using the UE's SUPI as its identifier; the authentication instance contains the key Kseaf.
21. The authentication cryptographic system returns the result of the key generation (success/failure) to the AUSF network element.
22. The AUSF network element returns the authentication result to the SEAF network element.
If authentication succeeded and the authentication request sent by the SEAF network element contained a SUCI, the AUSF network element also sends the SUPI to the SEAF network element.
23. If authentication succeeded, the SEAF network element requests the authentication cryptographic system to generate the key Kamf; the request (the fifth request) contains the SUPI and the ABBA parameter.
24. The authentication cryptographic system uses the SUPI to find the UE's authentication instance in the SEAF functional area, and then computes the key Kamf from the key Kseaf and the related parameters.
The authentication cryptographic system creates an authentication instance (the third authentication instance) in the AMF functional area for this UE authentication process, using the UE's SUPI as its identifier; the authentication instance contains the key Kamf.
25. The authentication cryptographic system returns the result of the key generation (success/failure) to the SEAF network element.
26. The SEAF network element returns the authentication result to the AMF network element.
If authentication succeeded, the SEAF network element provides the ngKSI and the SUPI to the AMF network element.
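The following is an added example and not code from the patent or its applicant; it models, end to end, the Fig. 3 procedure above together with method steps 201 to 208 and the Kseaf/Kamf embodiments: a toy authentication cryptographic system that holds the home-network key and the subscribers' root keys, keeps the AuthID-indexed first authentication instance in an AUSF area and the SUPI-indexed second and third instances in separate SEAF and AMF areas, and returns only (RAND, AUTN) to the UDM. All cryptographic primitives are stand-ins: HMAC-SHA-256 replaces MILENAGE f1..f5 and the ECIES SUCI scheme, and the KDF construction and FC values (0x6A Kausf, 0x6B RES*/XRES*, 0x6C Kseaf, 0x6D Kamf) are taken from 3GPP TS 33.501 Annex A as I recall them, not from the patent, so verify them against the specification before reuse. The SUPI, serving network name, ABBA value and all keys are constructed for the example.

```python
# Added example (not the patent's code): toy model of the Fig. 3 flow, i.e.
# method steps 201-208 plus the Kseaf/Kamf embodiments. The authentication
# cryptographic system (ACS) keeps all long-term secrets and per-run state in
# three functional areas; NFs only receive what the text says leaves the system.
# Stand-ins: HMAC-SHA-256 replaces MILENAGE f1..f5 and ECIES SUCI protection; the
# KDF shape and FC values follow TS 33.501 Annex A as recalled, not the patent.
import hashlib, hmac, secrets
SN, ABBA = b"5G:mnc001.mcc001.3gppnetwork.org", b"\x00\x00"  # constructed SN name / ABBA

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

def f(k: bytes, tag: bytes, data: bytes, n: int = 16) -> bytes:  # stand-in for USIM f1..f5
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def conceal_supi(supi: str, hn_key: bytes) -> bytes:  # toy SUCI, stands in for ECIES
    nonce = secrets.token_bytes(16)
    return nonce + xor(supi.encode(), kdf(hn_key, 0x00, nonce))

class AuthCryptoSystem:
    """Each NF may call only its own area's methods; areas are separate dicts."""
    def __init__(self, hn_key: bytes, root_keys: dict):
        self._hn_key, self._root = hn_key, root_keys  # never returned to any NF
        self.ausf_area, self.seaf_area, self.amf_area = {}, {}, {}

    # UDM interface: steps 201-206 (Fig. 3 steps 4-9)
    def decrypt_suci(self, suci: bytes) -> str:
        return xor(suci[16:], kdf(self._hn_key, 0x00, suci[:16])).decode()

    def generate_av(self, supi: str, sn_name: bytes, auth_id=None):
        k, sqn = self._root[supi]
        rand, amf = secrets.token_bytes(16), b"\x80\x00"
        mac, xres = f(k, b"f1", sqn + amf + rand, 8), f(k, b"f2", rand, 8)
        ck, ik, ak = f(k, b"f3", rand), f(k, b"f4", rand), f(k, b"f5", rand, 6)
        autn = xor(sqn, ak) + amf + mac
        auth_id = auth_id or secrets.token_hex(8)  # ACS-generated unless the UDM supplied one
        self.ausf_area[auth_id] = {  # first authentication instance, keyed by AuthID
            "supi": supi, "sn": sn_name, "authenticated": False,
            "xres_star": kdf(ck + ik, 0x6B, sn_name, rand, xres)[16:],
            "kausf": kdf(ck + ik, 0x6A, sn_name, xor(sqn, ak))}
        self._root[supi] = (k, (int.from_bytes(sqn, "big") + 1).to_bytes(6, "big"))
        return rand, autn, auth_id  # XRES* and Kausf never leave the ACS

    # AUSF interface: steps 207-208 and the fourth request (Fig. 3 steps 16-21)
    def authenticate(self, auth_id: str, res_star: bytes) -> bool:
        inst = self.ausf_area[auth_id]
        inst["authenticated"] = hmac.compare_digest(inst["xres_star"], res_star)
        return inst["authenticated"]

    def derive_kseaf(self, auth_id: str) -> bool:
        inst = self.ausf_area[auth_id]
        if not inst["authenticated"]:
            return False
        self.seaf_area[inst["supi"]] = {"kseaf": kdf(inst["kausf"], 0x6C, inst["sn"])}
        return True  # second authentication instance, keyed by SUPI

    # SEAF interface: the fifth request (Fig. 3 steps 23-25)
    def derive_kamf(self, supi: str, abba: bytes) -> bool:
        inst = self.seaf_area.get(supi)
        if inst is None:
            return False
        self.amf_area[supi] = {"kamf": kdf(inst["kseaf"], 0x6D, supi.encode(), abba)}
        return True  # third authentication instance, keyed by SUPI

class UE:
    def __init__(self, supi: str, k: bytes):
        self.supi, self.k, self.sqn_seen = supi, k, -1

    def respond(self, rand: bytes, autn: bytes, sn_name: bytes, abba: bytes) -> bytes:
        """Fig. 3 step 13: verify AUTN (MAC and SQN freshness), derive RES* and keys."""
        sqn = xor(autn[:6], f(self.k, b"f5", rand, 6))
        if not hmac.compare_digest(autn[8:], f(self.k, b"f1", sqn + autn[6:8] + rand, 8)):
            raise ValueError("AUTN MAC failure")
        if int.from_bytes(sqn, "big") <= self.sqn_seen:
            raise ValueError("SQN not fresh: replayed authentication vector")
        self.sqn_seen = int.from_bytes(sqn, "big")
        ck, ik = f(self.k, b"f3", rand), f(self.k, b"f4", rand)
        kausf = kdf(ck + ik, 0x6A, sn_name, autn[:6])
        self.kamf = kdf(kdf(kausf, 0x6C, sn_name), 0x6D, self.supi.encode(), abba)
        return kdf(ck + ik, 0x6B, sn_name, rand, f(self.k, b"f2", rand, 8))[16:]

def run_flow() -> dict:  # one authentication run with constructed keys and identifiers
    hn_key, k, supi = secrets.token_bytes(32), secrets.token_bytes(16), "imsi-001010123456789"
    acs, ue = AuthCryptoSystem(hn_key, {supi: (k, bytes(6))}), UE(supi, k)
    supi_seen = acs.decrypt_suci(conceal_supi(supi, hn_key))  # UDM -> ACS, first request
    rand, autn, auth_id = acs.generate_av(supi_seen, SN)  # UDM -> ACS, second request
    res_star = ue.respond(rand, autn, SN, ABBA)  # only (RAND, AUTN) reached the UE
    ok = acs.authenticate(auth_id, res_star)  # AUSF -> ACS, third request
    kseaf_ok = acs.derive_kseaf(auth_id)  # AUSF -> ACS, fourth request
    kamf_match = acs.derive_kamf(supi_seen, ABBA) and hmac.compare_digest(  # SEAF -> ACS
        acs.amf_area[supi]["kamf"], ue.kamf)
    return {"supi_ok": supi_seen == supi, "authenticated": ok, "kseaf_ok": kseaf_ok,
            "kamf_match": kamf_match, "acs": acs, "ue": ue, "auth_id": auth_id,
            "rand": rand, "autn": autn}
```

Two details carry the security point of the text. First, the AUSF, SEAF and AMF never see XRES*, Kausf, Kseaf or Kamf: each network function only receives a result flag, and each area is looked up by the identifier the text assigns to it (AuthID for the first instance, SUPI for the second and third), so a caller holding the wrong identifier finds nothing. Second, the failure paths are explicit: a wrong RES* leaves the first instance unauthenticated, which blocks Kseaf derivation and, because no second instance exists, Kamf derivation too; and on the UE side a replayed (RAND, AUTN) fails the SQN freshness check even though its MAC is valid. The RES*/XRES* check uses a constant-time comparison, which the patent text does not mention but any implementation of step 17 should do.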
Specifically, Fig. 4 is a schematic diagram of the signalling interaction of the NAS security procedure provided by an embodiment of the present disclosure. As shown in Fig. 4, the NAS security procedure includes the following steps:
1. When the AMF network element has not yet established the UE's NAS security context, the AMF network element sends a security context establishment request (the sixth request) to the authentication cryptographic system; the request contains the SUPI and may also contain the ngKSI.
2. The authentication cryptographic system uses the SUPI to find the UE's authentication security context in the AMF functional area, and then uses Kamf to establish the UE's NAS security context (the first NAS security context); this NAS security context holds the keys that implement NAS security, KNASenc and KNASint.
When the above security context request also contains the ngKSI, the UE NAS security context is established with Kamf and identified by the ngKSI within the UE security context; this NAS security context holds the keys that implement NAS security, KNASenc and KNASint.
3. The authentication cryptographic system sends the key material used to implement NAS security to the communication cryptographic system in a message that contains the SUPI, the key KNASenc and the key KNASint.
When the above security context request also contains the ngKSI, this message may also contain the ngKSI.
4. The communication cryptographic system establishes the UE's NAS security context (the second NAS security context), identified by the SUPI; this NAS security context contains the SUPI, the key KNASenc and the key KNASint.
When the above security context request also contains the ngKSI, the communication cryptographic system establishes the UE's NAS security context identified by the SUPI and the ngKSI, and the NAS security context may also contain the ngKSI.
5. The communication cryptographic system returns the result of establishing the UE NAS security context (success/failure) to the authentication cryptographic system.
6. The authentication cryptographic system returns the communication cryptographic system's result of establishing the NAS security context (success/failure) to the AMF network element.
7. When the AMF network element needs to send a NAS message to the UE, the AMF network element generates the NAS plaintext message.
8. The AMF network element sends a NAS message cryptographic operation request to the communication cryptographic system; the request contains the SUPI, the message plaintext and the parameters required for the security computation, such as the algorithm identifier, COUNT, BEARER, DIRECTION and LENGTH.
When the above security context request also contains the ngKSI, the NAS message cryptographic operation request may also contain the ngKSI.
9. The communication cryptographic system uses the SUPI to obtain the UE's security context, computes the NAS ciphertext, and returns the NAS ciphertext to the AMF network element.
10. The AMF network element sends the NAS message to the UE.
11. The UE sends a NAS message to the AMF network element.
12. The AMF network element sends a NAS message cryptographic operation request to the communication cryptographic system; the request contains the SUPI, the message ciphertext and the parameters required for the security computation, such as the algorithm identifier, COUNT, BEARER, DIRECTION and LENGTH.
When the above security context request also contains the ngKSI, the NAS message cryptographic operation request may also contain the ngKSI.
13. The communication cryptographic system decrypts and verifies the NAS ciphertext, and then returns the message plaintext to the AMF network element.
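The following is an added example and not code from the patent or its applicant; it models the Fig. 4 procedure above and the sixth-request embodiments: the authentication cryptographic system derives KNASenc and KNASint from the Kamf held in its AMF area and pushes them to a communication cryptographic system that keeps the second NAS security context keyed by (SUPI, ngKSI), while the AMF only ever submits plaintext or ciphertext with COUNT, BEARER and DIRECTION and never holds a key. The NEA/NIA algorithms are replaced by HMAC-SHA-256 stand-ins (encrypt-then-MAC with a 32-bit MAC-I, the order and size NAS uses), and the KDF construction, FC 0x69 and the algorithm type distinguishers 0x01/0x02 are taken from 3GPP TS 33.501 Annex A as I recall them, not from the patent; the algorithm identities, SUPI, ngKSI, Kamf and NAS message are constructed for the example.

```python
# Added example (not the patent's code): toy model of the Fig. 4 NAS security
# flow and the sixth-request embodiments. The ACS derives KNASenc/KNASint from
# Kamf and hands them to the communication cryptographic system (CCS); the AMF
# only submits NAS plaintext or ciphertext with COUNT/BEARER/DIRECTION and never
# holds a key. NEA/NIA are replaced by HMAC-SHA-256 stand-ins (encrypt-then-MAC,
# 32-bit MAC-I); KDF shape, FC 0x69 and the algorithm type distinguishers follow
# TS 33.501 Annex A as recalled, not the patent. All inputs are constructed.
import hashlib, hmac, secrets

NEA_ID, NIA_ID = 2, 2  # constructed algorithm identities carried in the request

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

def nas_keys(kamf: bytes) -> tuple:
    """KNASenc/KNASint = 128 LSBs of KDF(Kamf, 0x69, alg type distinguisher, alg id)."""
    return (kdf(kamf, 0x69, b"\x01", bytes([NEA_ID]))[16:],  # 0x01 = N-NAS-enc-alg
            kdf(kamf, 0x69, b"\x02", bytes([NIA_ID]))[16:])  # 0x02 = N-NAS-int-alg

class AuthCryptoSystem:
    def __init__(self, amf_area: dict):
        self.amf_area = amf_area  # third authentication instances (SUPI -> Kamf), constructed

    # AMF interface: sixth request (Fig. 4 steps 1-3); only a result flag goes back to the AMF
    def establish_nas_context(self, supi: str, ngksi: int, ccs) -> bool:
        inst = self.amf_area.get(supi)
        if inst is None:
            return False
        knasenc, knasint = nas_keys(inst["kamf"])
        inst.setdefault("nas", {})[ngksi] = (knasenc, knasint)  # first NAS security context
        return ccs.establish_context(supi, ngksi, knasenc, knasint)  # Fig. 4 steps 3-5

class CommCryptoSystem:
    """Holds the second NAS security context, keyed by (SUPI, ngKSI)."""
    def __init__(self):
        self.ctx = {}

    def establish_context(self, supi: str, ngksi: int, knasenc: bytes, knasint: bytes) -> bool:
        self.ctx[(supi, ngksi)] = {"enc": knasenc, "int": knasint,
                                   "count_seen": {0: -1, 1: -1}}  # per-DIRECTION replay watermark
        return True

    @staticmethod
    def _keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
        iv = count.to_bytes(4, "big") + bytes([bearer, direction])
        blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((length + 31) // 32))
        return b"".join(blocks)[:length]

    @staticmethod
    def _mac(key: bytes, count: int, bearer: int, direction: int, msg: bytes) -> bytes:
        hdr = count.to_bytes(4, "big") + bytes([bearer, direction])
        return hmac.new(key, hdr + msg, hashlib.sha256).digest()[:4]

    def _check_count(self, c: dict, count: int, direction: int) -> None:
        if count <= c["count_seen"][direction]:
            raise ValueError("NAS COUNT reused or replayed")
        c["count_seen"][direction] = count

    # Fig. 4 steps 8-9: AMF sends SUPI, ngKSI, plaintext and parameters; gets the PDU back
    def protect(self, supi, ngksi, plain, count, bearer, direction) -> bytes:
        c = self.ctx[(supi, ngksi)]
        self._check_count(c, count, direction)
        ks = self._keystream(c["enc"], count, bearer, direction, len(plain))
        cipher = bytes(a ^ b for a, b in zip(plain, ks))
        return cipher + self._mac(c["int"], count, bearer, direction, cipher)

    # Fig. 4 steps 12-13: verify MAC-I first, then COUNT freshness, then decipher
    def unprotect(self, supi, ngksi, pdu, count, bearer, direction) -> bytes:
        c = self.ctx[(supi, ngksi)]
        cipher, mac = pdu[:-4], pdu[-4:]
        if not hmac.compare_digest(mac, self._mac(c["int"], count, bearer, direction, cipher)):
            raise ValueError("NAS MAC-I failure")
        self._check_count(c, count, direction)
        ks = self._keystream(c["enc"], count, bearer, direction, len(cipher))
        return bytes(a ^ b for a, b in zip(cipher, ks))

def run_nas(tamper: bool = False, replay: bool = False) -> dict:
    """One downlink NAS message (DIRECTION=1) from the AMF to the UE; constructed input."""
    supi, ngksi, kamf = "imsi-001010123456789", 3, secrets.token_bytes(32)
    acs, ccs, ue = AuthCryptoSystem({supi: {"kamf": kamf}}), CommCryptoSystem(), CommCryptoSystem()
    result = {"establish_ok": acs.establish_nas_context(supi, ngksi, ccs),
              "roundtrip": False, "rejected": None}
    ue.establish_context(supi, ngksi, *nas_keys(kamf))  # the UE derives the same keys from its Kamf
    plain = b"\x7e\x00\x42 registration accept (constructed NAS plaintext)"
    pdu = ccs.protect(supi, ngksi, plain, count=0, bearer=1, direction=1)
    if tamper:
        pdu = pdu[:-1] + bytes([pdu[-1] ^ 0x01])
    try:
        result["roundtrip"] = ue.unprotect(supi, ngksi, pdu, 0, 1, 1) == plain
        if replay:
            ue.unprotect(supi, ngksi, pdu, 0, 1, 1)
    except ValueError as e:
        result["rejected"] = str(e)
    return result
```

The uplink path (Fig. 4 steps 11 to 13) is the same call with DIRECTION=0 and the AMF passing ciphertext to unprotect. Two checks matter in practice and are easy to lose when the cryptographic operation is outsourced to a separate system as the text proposes: the MAC-I must be verified before anything is decrypted or the COUNT watermark is advanced, and COUNT must be tracked per direction inside the context so that a reused or replayed COUNT is refused even when its MAC-I is valid; because the keystream depends only on (key, COUNT, BEARER, DIRECTION), a COUNT reuse under the same key would otherwise disclose the XOR of two plaintexts.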
The authentication and security method provided by the embodiments of the present disclosure separates the security functions from the core network system and concentrates the security capabilities of the 5G core network in a limited number of computing systems; the network elements that need security services call the relevant security functions through the interfaces of the security systems, which greatly reduces the number of software and hardware systems that must pass security-level certification.
Fig. 5 is a schematic structural diagram of a network device provided by an embodiment of the present disclosure. As shown in Fig. 5, the network device includes a memory 520, a transceiver 500 and a processor 510, where:
the memory 520 is configured to store a computer program; the transceiver 500 is configured to send and receive data under the control of the processor 510; and the processor 510 is configured to read the computer program in the memory 520 and perform the following operations:
receiving a first request message sent by the Unified Data Management (UDM) network element, the first request message containing the Subscription Concealed Identifier (SUCI) of the target terminal (UE) and requesting that the authentication cryptographic system decrypt the SUCI;
decrypting the SUCI to obtain the Subscription Permanent Identifier (SUPI);
sending the SUPI to the UDM network element;
receiving a second request message sent by the UDM network element, the second request message containing the SUPI and the serving network name, the second request message being sent after the UDM network element has checked the subscription information of the target UE using the SUPI;
determining the authentication root key of the target UE from the SUPI, generating an authentication vector from the authentication root key and the serving network name, and using a unique identifier AuthID to identify the authentication vector, the current UE authentication process and a first authentication instance, where the first authentication instance is created in the Authentication Server Function (AUSF) functional area for the current UE authentication process and contains the authentication vector;
sending to the UDM network element the part of the authentication vector that needs to be provided to the target UE;
receiving a third request message sent by the AUSF network element, the third request message containing the authentication response RES* and the AuthID;
authenticating the target UE according to the RES* and the AuthID contained in the third request message.
Specifically, the transceiver 500 is configured to receive and send data under the control of the processor 510.
In Fig. 5, the bus architecture may include any number of interconnected buses and bridges, linking together one or more processors represented by the processor 510 and the memory represented by the memory 520. The bus architecture may also link together various other circuits, such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and are therefore not described further here. The bus interface provides the interface. The transceiver 500 may consist of several elements, namely a transmitter and a receiver, providing the means for communicating with various other apparatuses over transmission media such as wireless channels, wired channels and optical cables. The processor 510 is responsible for managing the bus architecture and general processing, and the memory 520 may store the data used by the processor 510 when performing its operations.
The processor 510 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or a complex programmable logic device (CPLD); the processor may also use a multi-core architecture.
In some embodiments, the operations further include:
sending the authentication result to the AUSF network element;
when the target UE has been authenticated successfully, receiving a fourth request message sent by the AUSF network element, the fourth request message containing the SUPI or the AuthID;
determining the first authentication instance using the SUPI or the AuthID, computing the key Kseaf from the key Kausf in the authentication vector and the serving network name, and using the SUPI to identify a second authentication instance, where the second authentication instance is created in the Security Anchor Function (SEAF) functional area for the current UE authentication process and contains the key Kseaf;
sending the result of whether the key Kseaf was generated successfully to the AUSF network element.
In some embodiments, the operations further include:
when the target UE has been authenticated successfully, receiving a fifth request message sent by the SEAF network element, the fifth request message containing the SUPI and the Anti-Bidding down Between Architectures (ABBA) parameter;
finding the second authentication instance using the SUPI, and computing the key Kamf from the key Kseaf, the SUPI and the ABBA parameter.
In some embodiments, the operations further include:
using the SUPI to identify a third authentication instance, where the third authentication instance is created in the Access and Mobility Management Function (AMF) functional area for the current UE authentication process and contains the key Kamf.
In some embodiments, the operations further include:
sending the result of whether the key Kamf was generated successfully to the SEAF network element.
In some embodiments, the operations further include:
generating an AuthID for the current UE authentication process.
In some embodiments, the second request message further contains the AuthID, the AuthID being a unique identifier generated by the UDM network element for the current UE authentication process.
In some embodiments, the operations further include:
receiving a sixth request message sent by the AMF network element, the sixth request message containing the SUPI and requesting the establishment of a security context;
finding the third authentication instance in the AMF functional area using the SUPI, and establishing a first Non-Access Stratum (NAS) security context using the key Kamf, the first NAS security context containing the key KNASenc and the key KNASint;
sending the SUPI, the key KNASenc and the key KNASint to the communication cryptographic system.
In some embodiments, the sixth request message further contains the 5G key set identifier ngKSI, the ngKSI identifying the first NAS security context.
In some embodiments, the SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, the second NAS security context containing the SUPI, the ngKSI, the key KNASenc and the key KNASint.
In some embodiments, the SUPI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, the second NAS security context containing the SUPI, the key KNASenc and the key KNASint.
In some embodiments, the operations further include:
receiving the result of establishing the second NAS security context sent by the communication cryptographic system;
sending the result of establishing the second NAS security context to the AMF network element.
Specifically, the network device provided by the embodiments of the present disclosure can implement all the method steps of the method embodiment above whose execution subject is the authentication cryptographic system, and can achieve the same technical effects; the parts and beneficial effects that are the same as in the method embodiment are not described again here.
Fig. 6 is a schematic structural diagram of an authentication and security apparatus provided by an embodiment of the present disclosure. As shown in Fig. 6, the embodiment provides an authentication and security apparatus including a first receiving module 601, a decryption module 602, a first sending module 603, a second receiving module 604, a first determining module 605, a second sending module 606, a third receiving module 607 and an authentication module 608, wherein:
the first receiving module 601 is configured to receive a first request message sent by a unified data management (UDM) network element, the first request message containing the subscription concealed identifier (SUCI) of a target terminal (UE) and requesting that the authentication cryptographic system decrypt the SUCI;
the decryption module 602 is configured to decrypt the SUCI to obtain the subscription permanent identifier (SUPI);
the first sending module 603 is configured to send the SUPI to the UDM network element;
the second receiving module 604 is configured to receive a second request message sent by the UDM network element, the second request message containing the SUPI and the serving network name and being sent after the UDM network element has checked the subscription information of the target UE according to the SUPI;
the first determining module 605 is configured to determine the authentication root key of the target UE according to the SUPI, generate an authentication vector from the authentication root key and the serving network name, and use a unique identifier AuthID to identify the authentication vector, the current UE authentication procedure and a first authentication instance, the first authentication instance being created in the authentication server function (AUSF) functional area for the current UE authentication procedure and containing the authentication vector;
the second sending module 606 is configured to send to the UDM network element the part of the authentication vector that is to be provided to the target UE;
the third receiving module 607 is configured to receive a third request message sent by an AUSF network element, the third request message containing an authentication response RES* and the AuthID;
the authentication module 608 is configured to authenticate the target UE according to the RES* and the AuthID contained in the third request message.
In some embodiments, the apparatus further includes a third sending module, a fourth receiving module, a second determining module and a fourth sending module;
the third sending module is configured to send the authentication result to the AUSF network element;
when the target UE passes authentication, the fourth receiving module is configured to receive a fourth request message sent by the AUSF network element, the fourth request message containing the SUPI or the AuthID;
the second determining module is configured to determine the first authentication instance using the SUPI or the AuthID, calculate the key Kseaf from the key Kausf in the authentication vector and the serving network name, and use the SUPI to identify a second authentication instance, the second authentication instance being created in the security anchor function (SEAF) functional area for the current UE authentication procedure and containing the key Kseaf;
the fourth sending module is configured to send to the AUSF network element the result indicating whether the key Kseaf was generated successfully.
In some embodiments, the apparatus further includes a fifth receiving module and a first lookup module;
when the target UE passes authentication, the fifth receiving module is configured to receive a fifth request message sent by a SEAF network element, the fifth request message containing the SUPI and the anti-bidding-down parameter ABBA;
the first lookup module is configured to find the second authentication instance using the SUPI, and calculate the key Kamf from the key Kseaf, the SUPI and the ABBA.
In some embodiments, the apparatus further includes an identification module;
the identification module is configured to use the SUPI to identify a third authentication instance, the third authentication instance being created in the access and mobility management function (AMF) functional area for the current UE authentication procedure and containing the key Kamf.
In some embodiments, the apparatus further includes a fifth sending module;
the fifth sending module is configured to send to the SEAF network element the result indicating whether the key Kamf was generated successfully.
In some embodiments, the apparatus further includes a generating module;
the generating module is configured to generate an AuthID for the current UE authentication procedure.
In some embodiments, the second request message further contains an AuthID, the AuthID being a unique identifier generated by the UDM network element for the current UE authentication procedure.
In some embodiments, the apparatus further includes a sixth receiving module, a second lookup module and a sixth sending module;
the sixth receiving module is configured to receive a sixth request message sent by an AMF network element, the sixth request message containing the SUPI and requesting the establishment of a security context;
the second lookup module is configured to look up the third authentication instance in the AMF functional area using the SUPI, and establish a first non-access stratum (NAS) security context using the key Kamf, the first NAS security context containing the key KNASenc and the key KNASint;
the sixth sending module is configured to send the SUPI, the key KNASenc and the key KNASint to a communication cryptographic system.
In some embodiments, the sixth request message further contains a 5G key set identifier ngKSI; the ngKSI is used to identify the first NAS security context.
In some embodiments, the SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, the second NAS security context containing the SUPI, the ngKSI, the key KNASenc and the key KNASint.
In some embodiments, the SUPI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, the second NAS security context containing the SUPI, the key KNASenc and the key KNASint.
In some embodiments, the apparatus further includes a seventh receiving module and a seventh sending module;
the seventh receiving module is configured to receive, from the communication cryptographic system, the result of establishing the second NAS security context;
the seventh sending module is configured to send the result of establishing the second NAS security context to the AMF network element.
Specifically, the authentication and security apparatus provided by the embodiments of the present disclosure can implement all the method steps of the method embodiments in which the executing entity is the authentication cryptographic system, and achieves the same technical effect; the parts of this embodiment that are the same as the method embodiments, and their beneficial effects, are not described again here.
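The module list above (and method claims 1 to 12 below, which restate the same steps) describe one message flow: the authentication cryptographic system recovers the SUPI from the SUCI, builds an authentication vector labelled with an AuthID, checks RES*, derives Kseaf and Kamf into per-procedure instances, and hands the NAS keys to the communication cryptographic system. The following is an added example, not code from the patent or the applicant, that models that flow end to end so the instance bookkeeping and the failure paths (unknown AuthID, missing instance, RES* computed for the wrong serving network) can be exercised. Everything in it is an assumption: the SUCI concealment is a toy keystream XOR rather than the 3GPP ECIES profiles, the KDF is HMAC-SHA-256 over length-prefixed inputs rather than the 3GPP KDF, RES*/XRES* are 32 bytes, and all function and field names are invented; the subscriber identity, serving network name and ABBA value are constructed sample data.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA-256 over length-prefixed inputs."""
    msg = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()


def conceal_supi(hn_key: bytes, supi: str) -> bytes:
    """Stand-in SUCI (assumption, not the 3GPP ECIES profiles): nonce || SUPI XOR keystream."""
    data, nonce = supi.encode(), secrets.token_bytes(16)
    stream = kdf(hn_key, b"SUCI", nonce)
    assert len(data) <= len(stream), "SUPI too long for this toy keystream"
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


class AuthCryptoSystem:
    """Authentication cryptographic system with its three instance areas (AUSF by AuthID, SEAF/AMF by SUPI)."""

    def __init__(self, hn_key: bytes, root_keys: dict[str, bytes]):
        self.hn_key = hn_key
        self.root_keys = root_keys            # SUPI -> authentication root key
        self.ausf_area: dict[str, dict] = {}  # AuthID -> first instance (authentication vector)
        self.seaf_area: dict[str, dict] = {}  # SUPI -> second instance (Kseaf)
        self.amf_area: dict[str, dict] = {}   # SUPI -> third instance (Kamf)

    def decrypt_suci(self, suci: bytes) -> str:
        """First request (from the UDM): recover the SUPI from the SUCI."""
        stream = kdf(self.hn_key, b"SUCI", suci[:16])
        return bytes(a ^ b for a, b in zip(suci[16:], stream)).decode()

    def generate_av(self, supi: str, sn_name: bytes) -> tuple[str, bytes]:
        """Second request: vector from root key + serving network name; first instance under AuthID."""
        k, rand, auth_id = self.root_keys[supi], secrets.token_bytes(16), secrets.token_hex(8)
        self.ausf_area[auth_id] = {"supi": supi, "sn_name": sn_name,
                                   "xres_star": kdf(k, b"RES*", rand, sn_name),
                                   "kausf": kdf(k, b"KAUSF", rand, sn_name)}
        return auth_id, rand  # only the UE-bound part (RAND) goes back to the UDM

    def authenticate(self, res_star: bytes, auth_id: str) -> bool:
        """Third request (from the AUSF): constant-time RES* vs XRES* comparison."""
        inst = self.ausf_area.get(auth_id)
        return inst is not None and hmac.compare_digest(inst["xres_star"], res_star)

    def derive_kseaf(self, supi: str | None = None, auth_id: str | None = None) -> bool:
        """Fourth request: locate the first instance by AuthID or SUPI, create the second instance."""
        inst = (self.ausf_area.get(auth_id) if auth_id is not None
                else next((i for i in self.ausf_area.values() if i["supi"] == supi), None))
        if inst is None:
            return False
        self.seaf_area[inst["supi"]] = {"kseaf": kdf(inst["kausf"], b"KSEAF", inst["sn_name"])}
        return True

    def derive_kamf(self, supi: str, abba: bytes) -> bool:
        """Fifth request (from the SEAF): Kamf from Kseaf, SUPI and ABBA; third instance."""
        inst = self.seaf_area.get(supi)
        if inst is None:
            return False
        self.amf_area[supi] = {"kamf": kdf(inst["kseaf"], b"KAMF", supi.encode(), abba)}
        return True

    def establish_nas_context(self, supi: str, ngksi: int) -> dict | None:
        """Sixth request (from the AMF): first NAS security context from Kamf."""
        inst = self.amf_area.get(supi)
        if inst is None:
            return None
        return {"supi": supi, "ngksi": ngksi, "knasenc": kdf(inst["kamf"], b"NAS-enc"),
                "knasint": kdf(inst["kamf"], b"NAS-int")}


def establish_second_context(store: dict, ctx: dict) -> bool:
    """Communication cryptographic system side: keep the second NAS context under (SUPI, ngKSI)."""
    store[(ctx["supi"], ctx["ngksi"])] = dict(ctx)
    return True


def run_flow(supi: str = "imsi-001010123456789",  # constructed sample subscriber
             sn_name: bytes = b"5G:mnc001.mcc001.3gppnetwork.org",
             abba: bytes = b"\x00\x00", ngksi: int = 3) -> dict:
    """Run the exchange once and report the outcome of each step."""
    hn_key, root_key = secrets.token_bytes(32), secrets.token_bytes(16)
    acs, second_contexts = AuthCryptoSystem(hn_key, {supi: root_key}), {}
    recovered = acs.decrypt_suci(conceal_supi(hn_key, supi))
    auth_id, rand = acs.generate_av(recovered, sn_name)
    # UE side of the stand-in: RES* uses the same derivation as XRES* in generate_av.
    ok = acs.authenticate(kdf(root_key, b"RES*", rand, sn_name), auth_id)
    # A RES* bound to a different serving network name must not verify.
    wrong = acs.authenticate(kdf(root_key, b"RES*", rand, b"other-network"), auth_id)
    kseaf_ok = ok and acs.derive_kseaf(auth_id=auth_id)
    kamf_ok = kseaf_ok and acs.derive_kamf(recovered, abba)
    ctx = acs.establish_nas_context(recovered, ngksi) if kamf_ok else None
    second_ok = ctx is not None and establish_second_context(second_contexts, ctx)
    return {"supi_recovered": recovered == supi, "authenticated": ok,
            "wrong_sn_rejected": not wrong, "kseaf": kseaf_ok, "kamf": kamf_ok,
            "second_context_ok": second_ok,
            "contexts_match": second_ok and second_contexts[(supi, ngksi)] == ctx}
```

`run_flow()` returns a dictionary in which every entry is `True` when the whole exchange succeeds. The point worth noticing is the keying: the first instance is reachable only through the AuthID issued for this procedure, while the second and third instances are keyed by SUPI, so a later step that arrives without the earlier one having run (for example `derive_kamf` with no Kseaf instance) fails closed rather than deriving a key from nothing.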
It should be noted that the division of units/modules in the above embodiments of the present disclosure is schematic and is only a division by logical function; other divisions are possible in actual implementation. In addition, the functional units in the embodiments of the present disclosure may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a processor-readable storage medium. On this understanding, the technical solution of the present disclosure in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the methods described in the embodiments of the present disclosure. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium capable of storing program code.
In some embodiments, a computer-readable storage medium is also provided, which stores a computer program for causing a computer to execute the steps of the authentication and security method provided by the above method embodiments.
Specifically, the computer-readable storage medium provided by the embodiments of the present disclosure can implement all the method steps of the above method embodiments, and achieves the same technical effect; the parts of this embodiment that are the same as the method embodiments, and their beneficial effects, are not described again here.
It should be noted that the computer-readable storage medium may be any available medium or data storage device accessible by the processor, including but not limited to magnetic storage (for example floppy disks, hard disks, magnetic tape and magneto-optical (MO) disks), optical storage (for example CD, DVD, BD and HVD) and semiconductor storage (for example ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH) and solid-state drives (SSD)).
It should further be noted that the terms "first", "second" and the like in the embodiments of the present disclosure are used to distinguish similar objects and do not describe a particular order or sequence. It should be understood that terms so used are interchangeable where appropriate, so that the embodiments of the present disclosure can be practised in orders other than those illustrated or described here; the objects distinguished by "first" and "second" are usually of one class, and their number is not limited, so that there may be one first object or several.
In the embodiments of the present disclosure, the term "and/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
In the embodiments of the present disclosure, the term "plurality" means two or more, and other quantifiers are similar.
The technical solutions provided by the embodiments of the present disclosure can be applied to a variety of systems, in particular 5G systems. Applicable systems include, for example, the global system for mobile communications (GSM), code division multiple access (CDMA), wideband code division multiple access (WCDMA), general packet radio service (GPRS), long term evolution (LTE), LTE frequency division duplex (FDD), LTE time division duplex (TDD), long term evolution advanced (LTE-A), universal mobile telecommunications system (UMTS), worldwide interoperability for microwave access (WiMAX) and 5G new radio (NR) systems. All of these systems include terminal devices and network devices. A system may also include a core network part, such as an evolved packet system (EPS) or a 5G system (5GS).
The terminal device involved in the embodiments of the present disclosure may be a device that provides voice and/or data connectivity to a user, a handheld device with a wireless connection function, or another processing device connected to a wireless modem. The name of the terminal device may differ between systems; in a 5G system, for example, it may be called user equipment (UE). A wireless terminal device may communicate with one or more core networks (CN) via a radio access network (RAN), and may be a mobile terminal device such as a mobile (or "cellular") telephone or a computer with a mobile terminal, for example a portable, pocket-sized, handheld, computer-built-in or vehicle-mounted mobile apparatus, which exchanges voice and/or data with the radio access network. Examples include personal communication service (PCS) telephones, cordless telephones, session initiation protocol (SIP) telephones, wireless local loop (WLL) stations and personal digital assistants (PDA). A wireless terminal device may also be referred to as a system, subscriber unit, subscriber station, mobile station, mobile, remote station, access point, remote terminal, access terminal, user terminal, user agent or user device; the embodiments of the present disclosure do not limit this.
The network device involved in the embodiments of the present disclosure may be a base station, which may include a plurality of cells serving terminals. Depending on the application, a base station may also be called an access point, or may be a device in the access network that communicates with wireless terminal devices over the air interface through one or more sectors, or may have another name. The network device can convert received air-interface frames to Internet Protocol (IP) packets and vice versa, acting as a router between the wireless terminal device and the rest of the access network, which may include an IP communication network. The network device may also coordinate attribute management for the air interface. For example, the network device involved in the embodiments of the present disclosure may be a base transceiver station (BTS) in GSM or CDMA, a NodeB in WCDMA, an evolved Node B (eNB or e-NodeB) in an LTE system, a 5G base station (gNB) in the 5G network architecture (next generation system), a home evolved Node B (HeNB), a relay node, a femto base station, a pico base station or the like; the embodiments of the present disclosure do not limit this. In some network structures the network device may include a centralized unit (CU) node and a distributed unit (DU) node, and the centralized unit and the distributed unit may also be deployed in geographically separate locations.
The network device and the terminal device may each use one or more antennas for multiple-input multiple-output (MIMO) transmission, which may be single-user MIMO (SU-MIMO) or multi-user MIMO (MU-MIMO). Depending on the form and number of antenna combinations, the MIMO transmission may be 2D-MIMO, 3D-MIMO, FD-MIMO or massive MIMO, or it may be diversity transmission, precoded transmission, beamforming transmission or the like.
Those skilled in the art will understand that the embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present disclosure. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer-executable instructions. These computer-executable instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These processor-executable instructions may also be stored in a processor-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the processor-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These processor-executable instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, those skilled in the art can make various changes and modifications to the present disclosure without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present disclosure and their technical equivalents, the present disclosure is intended to include them as well.

Claims (37)

  1. An authentication and security method, characterized in that it is applied to an authentication cryptographic system and comprises:
    receiving a first request message sent by a unified data management (UDM) network element, the first request message containing the subscription concealed identifier (SUCI) of a target terminal (UE) and requesting that the authentication cryptographic system decrypt the SUCI;
    decrypting the SUCI to obtain a subscription permanent identifier (SUPI);
    sending the SUPI to the UDM network element;
    receiving a second request message sent by the UDM network element, the second request message containing the SUPI and a serving network name and being sent after the UDM network element has checked the subscription information of the target UE according to the SUPI;
    determining the authentication root key of the target UE according to the SUPI, generating an authentication vector from the authentication root key and the serving network name, and using a unique identifier AuthID to identify the authentication vector, the current UE authentication procedure and a first authentication instance, the first authentication instance being created in the authentication server function (AUSF) functional area for the current UE authentication procedure and containing the authentication vector;
    sending to the UDM network element the part of the authentication vector that is to be provided to the target UE;
    receiving a third request message sent by an AUSF network element, the third request message containing an authentication response RES* and the AuthID;
    authenticating the target UE according to the RES* and the AuthID contained in the third request message.
  2. The authentication and security method according to claim 1, further comprising:
    sending the authentication result to the AUSF network element;
    when the target UE passes authentication, receiving a fourth request message sent by the AUSF network element, the fourth request message containing the SUPI or the AuthID;
    determining the first authentication instance using the SUPI or the AuthID, calculating a key Kseaf from the key Kausf in the authentication vector and the serving network name, and using the SUPI to identify a second authentication instance, the second authentication instance being created in the security anchor function (SEAF) functional area for the current UE authentication procedure and containing the key Kseaf;
    sending to the AUSF network element the result indicating whether the key Kseaf was generated successfully.
  3. The authentication and security method according to claim 2, further comprising:
    when the target UE passes authentication, receiving a fifth request message sent by a SEAF network element, the fifth request message containing the SUPI and the anti-bidding-down parameter ABBA;
    finding the second authentication instance using the SUPI, and calculating a key Kamf from the key Kseaf, the SUPI and the ABBA.
  4. The authentication and security method according to claim 3, further comprising:
    using the SUPI to identify a third authentication instance, the third authentication instance being created in the access and mobility management function (AMF) functional area for the current UE authentication procedure and containing the key Kamf.
  5. The authentication and security method according to claim 4, further comprising:
    sending to the SEAF network element the result indicating whether the key Kamf was generated successfully.
  6. The authentication and security method according to claim 1, further comprising:
    generating an AuthID for the current UE authentication procedure.
  7. The authentication and security method according to claim 1, characterized in that the second request message further contains an AuthID, the AuthID being a unique identifier generated by the UDM network element for the current UE authentication procedure.
  8. The authentication and security method according to claim 4, further comprising:
    receiving a sixth request message sent by an AMF network element, the sixth request message containing the SUPI and requesting the establishment of a security context;
    looking up the third authentication instance in the AMF functional area using the SUPI, and establishing a first non-access stratum (NAS) security context using the key Kamf, the first NAS security context containing a key KNASenc and a key KNASint;
    sending the SUPI, the key KNASenc and the key KNASint to a communication cryptographic system.
  9. The authentication and security method according to claim 8, characterized in that the sixth request message further contains a 5G key set identifier ngKSI, the ngKSI being used to identify the first NAS security context.
  10. The authentication and security method according to claim 9, characterized in that the SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, the second NAS security context containing the SUPI, the ngKSI, the key KNASenc and the key KNASint.
  11. The authentication and security method according to claim 8, characterized in that the SUPI, the key KNASenc and the key KNASint are used by the communication cryptographic system to establish a second NAS security context, the second NAS security context containing the SUPI, the key KNASenc and the key KNASint.
  12. The authentication and security method according to claim 11, further comprising:
    receiving, from the communication cryptographic system, the result of establishing the second NAS security context;
    sending the result of establishing the second NAS security context to the AMF network element.
  13. A network device, comprising a memory, a transceiver and a processor;
    the memory being used to store a computer program; the transceiver being used to send and receive data under the control of the processor; and the processor being used to read the computer program in the memory and perform the following operations:
    receiving a first request message sent by a unified data management (UDM) network element, the first request message including the subscription concealed identifier (SUCI) of a target terminal (UE) and being used to request an authentication cryptosystem to decrypt the SUCI;
    decrypting the SUCI to obtain the subscription permanent identifier (SUPI);
    sending the SUPI to the UDM network element;
    receiving a second request message sent by the UDM network element, the second request message including the SUPI and a serving network name, the second request message being sent by the UDM network element after it checks the subscription information of the target UE according to the SUPI;
    determining the authentication root key of the target UE according to the SUPI, generating an authentication vector according to the authentication root key and the serving network name, and using a unique identifier AuthID to identify the authentication vector, this UE authentication process and a first authentication instance, the first authentication instance being created in the authentication server function (AUSF) functional area for this UE authentication process and including the authentication vector;
    sending, to the UDM network element, the part of the authentication vector that is to be provided to the target UE;
    receiving a third request message sent by the AUSF network element, the third request message including an authentication response RES* and the AuthID;
    authenticating the target UE according to the RES* and the AuthID included in the third request message.
  14. The network device according to claim 13, further comprising:
    sending the authentication result to the AUSF network element;
    when the target UE passes authentication, receiving a fourth request message sent by the AUSF network element, the fourth request message including the SUPI or the AuthID;
    determining the first authentication instance using the SUPI or the AuthID, and computing the key Kseaf using the key Kausf in the authentication vector and the serving network name; and using the SUPI to identify a second authentication instance, the second authentication instance being created in the security anchor function (SEAF) functional area for this UE authentication process and including the key Kseaf;
    sending the result of whether the key Kseaf was generated successfully to the AUSF network element.
  15. The network device according to claim 14, further comprising:
    when the target UE passes authentication, receiving a fifth request message sent by the SEAF network element, the fifth request message including the SUPI and the anti-bidding-down parameter ABBA;
    finding the second authentication instance using the SUPI, and computing the key Kamf using the key Kseaf, the SUPI and the ABBA.
  16. The network device according to claim 15, further comprising:
    using the SUPI to identify a third authentication instance, the third authentication instance being created in the access and mobility management function (AMF) functional area for this UE authentication process and including the key Kamf.
  17. The network device according to claim 16, further comprising:
    sending the result of whether the key Kamf was generated successfully to the SEAF network element.
  18. The network device according to claim 13, further comprising:
    generating an AuthID for this UE authentication process.
  19. The network device according to claim 13, wherein the second request message further includes an AuthID, the AuthID being a unique identifier generated by the UDM network element for this UE authentication process.
  20. The network device according to claim 16, further comprising:
    receiving a sixth request message sent by the AMF network element, the sixth request message including the SUPI and being used to request establishment of a security context;
    searching for the third authentication instance in the AMF functional area using the SUPI, and establishing a first non-access stratum (NAS) security context using the key Kamf, the first NAS security context including the key KNASenc and the key KNASint;
    sending the SUPI, the key KNASenc and the key KNASint to a communication cryptosystem.
  21. The network device according to claim 20, wherein the sixth request message further includes a 5G key set identifier ngKSI, the ngKSI being used to identify the first NAS security context.
  22. The network device according to claim 21, wherein the SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptosystem to establish a second NAS security context, the second NAS security context including the SUPI, the ngKSI, the key KNASenc and the key KNASint.
  23. The network device according to claim 20, wherein the SUPI, the key KNASenc and the key KNASint are used by the communication cryptosystem to establish a second NAS security context, the second NAS security context including the SUPI, the key KNASenc and the key KNASint.
  24. The network device according to claim 23, further comprising:
    receiving, from the communication cryptosystem, the result of establishing the second NAS security context;
    sending the result of establishing the second NAS security context to the AMF network element.
  25. An authentication and security apparatus, comprising:
    a first receiving module, configured to receive a first request message sent by a unified data management (UDM) network element, the first request message including the subscription concealed identifier (SUCI) of a target terminal (UE) and being used to request the authentication cryptosystem to decrypt the SUCI;
    a decryption module, configured to decrypt the SUCI to obtain the subscription permanent identifier (SUPI);
    a first sending module, configured to send the SUPI to the UDM network element;
    a second receiving module, configured to receive a second request message sent by the UDM network element, the second request message including the SUPI and a serving network name, the second request message being sent by the UDM network element after it checks the subscription information of the target UE according to the SUPI;
    a first determining module, configured to determine the authentication root key of the target UE according to the SUPI, generate an authentication vector according to the authentication root key and the serving network name, and use a unique identifier AuthID to identify the authentication vector, this UE authentication process and a first authentication instance, the first authentication instance being created in the authentication server function (AUSF) functional area for this UE authentication process and including the authentication vector;
    a second sending module, configured to send, to the UDM network element, the part of the authentication vector that is to be provided to the target UE;
    a third receiving module, configured to receive a third request message sent by the AUSF network element, the third request message including an authentication response RES* and the AuthID;
    an authentication module, configured to authenticate the target UE according to the RES* and the AuthID included in the third request message.
  26. The authentication and security apparatus according to claim 25, further comprising a third sending module, a fourth receiving module, a second determining module and a fourth sending module;
    the third sending module being configured to send the authentication result to the AUSF network element;
    when the target UE passes authentication, the fourth receiving module being configured to receive a fourth request message sent by the AUSF network element, the fourth request message including the SUPI or the AuthID;
    the second determining module being configured to determine the first authentication instance using the SUPI or the AuthID, compute the key Kseaf using the key Kausf in the authentication vector and the serving network name, and use the SUPI to identify a second authentication instance, the second authentication instance being created in the security anchor function (SEAF) functional area for this UE authentication process and including the key Kseaf;
    the fourth sending module being configured to send the result of whether the key Kseaf was generated successfully to the AUSF network element.
  27. The authentication and security apparatus according to claim 26, further comprising a fifth receiving module and a first search module;
    when the target UE passes authentication, the fifth receiving module being configured to receive a fifth request message sent by the SEAF network element, the fifth request message including the SUPI and the anti-bidding-down parameter ABBA;
    the first search module being configured to find the second authentication instance using the SUPI, and compute the key Kamf using the key Kseaf, the SUPI and the ABBA.
  28. The authentication and security apparatus according to claim 27, further comprising an identification module;
    the identification module being configured to use the SUPI to identify a third authentication instance, the third authentication instance being created in the access and mobility management function (AMF) functional area for this UE authentication process and including the key Kamf.
  29. The authentication and security apparatus according to claim 28, further comprising a fifth sending module;
    the fifth sending module being configured to send the result of whether the key Kamf was generated successfully to the SEAF network element.
  30. The authentication and security apparatus according to claim 25, further comprising a generation module;
    the generation module being configured to generate an AuthID for this UE authentication process.
  31. The authentication and security apparatus according to claim 25, wherein the second request message further includes an AuthID, the AuthID being a unique identifier generated by the UDM network element for this UE authentication process.
  32. The authentication and security apparatus according to claim 28, further comprising a sixth receiving module, a second search module and a sixth sending module;
    the sixth receiving module being configured to receive a sixth request message sent by the AMF network element, the sixth request message including the SUPI and being used to request establishment of a security context;
    the second search module being configured to search for the third authentication instance in the AMF functional area using the SUPI, and establish a first non-access stratum (NAS) security context using the key Kamf, the first NAS security context including the key KNASenc and the key KNASint;
    the sixth sending module being configured to send the SUPI, the key KNASenc and the key KNASint to a communication cryptosystem.
  33. The authentication and security apparatus according to claim 32, wherein the sixth request message further includes a 5G key set identifier ngKSI, the ngKSI being used to identify the first NAS security context.
  34. The authentication and security apparatus according to claim 33, wherein the SUPI, the ngKSI, the key KNASenc and the key KNASint are used by the communication cryptosystem to establish a second NAS security context, the second NAS security context including the SUPI, the ngKSI, the key KNASenc and the key KNASint.
  35. The authentication and security apparatus according to claim 32, wherein the SUPI, the key KNASenc and the key KNASint are used by the communication cryptosystem to establish a second NAS security context, the second NAS security context including the SUPI, the key KNASenc and the key KNASint.
  36. The authentication and security apparatus according to claim 35, further comprising a seventh receiving module and a seventh sending module;
    the seventh receiving module being configured to receive, from the communication cryptosystem, the result of establishing the second NAS security context;
    the seventh sending module being configured to send the result of establishing the second NAS security context to the AMF network element.
  37. A computer-readable storage medium, storing a computer program, the computer program being used to cause a computer to execute the authentication and security method according to any one of claims 1 to 12.
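The security-relevant point of claims 13 to 24 is that the authentication cryptosystem keeps the root key, the authentication vector, Kausf, Kseaf and Kamf inside its own functional areas (indexed by AuthID in the AUSF area and by SUPI in the SEAF and AMF areas) and hands out only the UE-facing part of the vector, success/failure results, and the NAS keys. The following is an added illustration of that isolation, written for this page and not the applicant's code: it models the second to sixth requests in Python, skips SUCI de-concealment, replaces the USIM/Milenage functions with a constructed HMAC stand-in, and uses an HMAC-SHA256 KDF with FC codes (0x6A, 0x6B, 0x6C, 0x6D, 0x69) and algorithm identifiers taken from my reading of TS 33.501 Annex A, none of which appear on the page.

```python
import hashlib
import hmac
import secrets

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF (assumed shape): HMAC-SHA256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def toy_ck_ik_res(k: bytes, rand: bytes):
    """Constructed stand-in for the USIM/Milenage functions; not from the page."""
    return kdf(k, 0x00, rand), kdf(k, 0x01, rand)[:8]   # CK||IK (32 B), RES (8 B)

def res_star(ck_ik: bytes, sn_name: str, rand: bytes, res: bytes) -> bytes:
    """RES*/XRES*: the 128 low bits of KDF(CK||IK, 0x6B, SN name, RAND, RES)."""
    return kdf(ck_ik, 0x6B, sn_name.encode(), rand, res)[16:]

class AuthCryptoSystem:
    """Key material stays in three functional areas; only results, the UE-facing
    part of the AV and the NAS keys are ever returned to other network elements."""

    def __init__(self, root_keys: dict):
        self.root_keys = root_keys   # SUPI -> long-term root key K, never exported
        self.ausf = {}               # AuthID -> first authentication instance (AV)
        self.seaf = {}               # SUPI   -> second instance (holds Kseaf)
        self.amf = {}                # SUPI   -> third instance (holds Kamf)

    def generate_av(self, supi: str, sn_name: str, rand=None, auth_id=None):
        """Second request: AV from root key + serving network name, filed under AuthID."""
        rand = secrets.token_bytes(16) if rand is None else rand
        auth_id = secrets.token_hex(8) if auth_id is None else auth_id
        ck_ik, res = toy_ck_ik_res(self.root_keys[supi], rand)
        self.ausf[auth_id] = {
            "supi": supi, "sn_name": sn_name,
            "xres_star": res_star(ck_ik, sn_name, rand, res),
            "kausf": kdf(ck_ik, 0x6A, sn_name.encode()),   # toy: SQN xor AK omitted
        }
        return auth_id, rand             # only the UE-facing part leaves the area

    def authenticate(self, auth_id: str, res_star_from_ue: bytes) -> bool:
        """Third request: compare RES* with the XRES* of the instance named by AuthID."""
        inst = self.ausf.get(auth_id)
        return inst is not None and hmac.compare_digest(inst["xres_star"], res_star_from_ue)

    def derive_kseaf(self, auth_id=None, supi=None) -> bool:
        """Fourth request: find the first instance by AuthID or SUPI, create the second."""
        inst = self.ausf.get(auth_id) if auth_id else next(
            (i for i in self.ausf.values() if i["supi"] == supi), None)
        if inst is None:
            return False
        self.seaf[inst["supi"]] = {"kseaf": kdf(inst["kausf"], 0x6C, inst["sn_name"].encode())}
        return True

    def derive_kamf(self, supi: str, abba: bytes) -> bool:
        """Fifth request: Kamf = KDF(Kseaf, SUPI, ABBA), filed in the AMF area under SUPI."""
        if supi not in self.seaf:
            return False
        self.amf[supi] = {"kamf": kdf(self.seaf[supi]["kseaf"], 0x6D, supi.encode(), abba)}
        return True

    def establish_nas_context(self, supi: str, ngksi: int, enc_alg=1, int_alg=1):
        """Sixth request: first NAS context from Kamf; returns exactly what goes to the
        communication cryptosystem (SUPI, ngKSI, KNASenc, KNASint), never Kamf itself."""
        inst = self.amf.get(supi)
        if inst is None:
            return None
        kamf = inst["kamf"]
        return {"supi": supi, "ngksi": ngksi,
                "KNASenc": kdf(kamf, 0x69, b"\x01", bytes([enc_alg]))[16:],
                "KNASint": kdf(kamf, 0x69, b"\x02", bytes([int_alg]))[16:]}
```

Every lookup that fails (unknown AuthID, a SUPI with no Kseaf or Kamf yet) returns a negative result instead of raising, which mirrors the claims' "result of whether the key was generated successfully" messages.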
PCT/CN2022/143302 2022-01-05 2022-12-29 Authentication and security method and device, and storage medium WO2023131044A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210006344.8A CN116419218A (en) 2022-01-05 2022-01-05 Authentication and security method, device and storage medium
CN202210006344.8 2022-01-05

Publications (1)

Publication Number Publication Date
WO2023131044A1 true WO2023131044A1 (en) 2023-07-13

Family

ID=87050259

Country Status (2)

Country Link
CN (1) CN116419218A (en)
WO (1) WO2023131044A1 (en)

Also Published As

Publication number Publication date
CN116419218A (en) 2023-07-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 22918485; Country of ref document: EP; Kind code of ref document: A1