CN110536293A - Method, device and system for accessing a closed access group - Google Patents


Info

Publication number: CN110536293A
Authority: CN (China)
Prior art keywords: cag, terminal, access, list, amf
Legal status: Pending
Application number: CN201910754388.7A
Other languages: Chinese (zh)
Inventors: 彭锦, 游世林, 林兆骥, 余万涛
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201910754388.7A
Publication of CN110536293A
Priority to PCT/CN2020/109116 (WO2021027916A1)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration


Abstract

The application proposes a method, device and system for accessing a closed access group. One method for accessing a closed access group comprises: encrypting the requested CAG ID to obtain an encrypted requested CAG ID; and sending a registration request message that includes the encrypted requested CAG ID and the SUCI of the terminal.

Description

Method, device and system for accessing a closed access group
Technical field
This application relates to wireless communication networks, for example to a method, device and system for accessing a closed access group.
Background art
The 3rd Generation Partnership Project (3GPP) has formulated specifications for various mobile networks. To support private networks over public networks, 3GPP defined the closed access group (Closed Access Group, CAG) mechanism.
A closed access group comprises a group of users who can access one or more CAG cells. Each closed access group has a closed access group identity (Closed Access Group Identity, CAG ID). The closed access group mechanism can be used to control terminal access to a private network.
The current private network access control scheme is as follows. The CAG IDs that the terminal is allowed to access are configured in the terminal, and the network carries the list of CAG IDs supported by the cell in the broadcast system message. After receiving the broadcast message, the terminal selects a matching CAG ID as the requested CAG ID. The terminal carries the requested CAG ID in the registration request message it sends to the network and completes the registration procedure.
However, the CAG ID in the registration request message is carried in plaintext and sent over the air interface, so it is easily intercepted and leaked, which may affect the security of the private network.
Summary of the invention
The application provides a method, device and system for accessing a closed access group, for improving the security of the closed access group.
An embodiment of the application provides a method for accessing a closed access group, comprising:
encrypting the requested CAG ID to obtain an encrypted requested CAG ID;
sending a registration request message, where the registration request message includes the encrypted requested CAG ID and the SUCI of the terminal.
An embodiment of the application provides a method for accessing a closed access group, comprising:
receiving a registration request message sent by a terminal, where the registration request message includes the encrypted requested CAG ID and the SUCI of the terminal;
resolving the SUCI of the terminal into the SUPI of the terminal, and decrypting the encrypted requested CAG ID into the requested CAG ID;
obtaining a first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
judging whether the requested CAG ID matches the first CAG ID list, and if it matches, sending a registration accept message to the terminal.
An embodiment of the application provides a method for accessing a closed access group, comprising:
encrypting the requested CAG ID to obtain a first encrypted requested CAG ID;
sending a registration request message, where the registration request message includes the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
An embodiment of the application provides a method for accessing a closed access group, comprising:
receiving a registration request message sent by a terminal, where the registration request message includes the first encrypted requested CAG ID and the 5G-GUTI of the terminal;
judging, according to the 5G-GUTI of the terminal, whether the current AMF is a former AMF that once served the terminal;
if the current AMF is a former AMF that once served the terminal and the SUPI of the terminal is stored in the current AMF, obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypting the first encrypted requested CAG ID into the requested CAG ID;
judging whether the requested CAG ID matches the first CAG ID list, and if it matches, sending a registration accept message to the terminal.
An embodiment of the application provides a device for accessing a closed access group, comprising:
an encryption module, configured to encrypt the requested CAG ID to obtain an encrypted requested CAG ID;
a sending module, configured to send a registration request message, where the registration request message includes the encrypted requested CAG ID and the SUCI of the terminal.
An embodiment of the application provides a device for accessing a closed access group, comprising:
a receiving module, configured to receive a registration request message sent by a terminal, where the registration request message includes the encrypted requested CAG ID and the SUCI of the terminal;
a decryption module, configured to resolve the SUCI of the terminal into the SUPI of the terminal, and to decrypt the encrypted requested CAG ID into the requested CAG ID;
an obtaining module, configured to obtain a first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
a judgment module, configured to judge whether the requested CAG ID matches the first CAG ID list, and if it matches, to send a registration accept message to the terminal.
An embodiment of the application provides a device for accessing a closed access group, comprising:
an encryption module, configured to encrypt the requested CAG ID to obtain a first encrypted requested CAG ID;
a sending module, configured to send a registration request message, where the registration request message includes the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
An embodiment of the application provides a device for accessing a closed access group, comprising:
a receiving module, configured to receive a registration request message sent by a terminal, where the registration request message includes the first encrypted requested CAG ID and the 5G-GUTI of the terminal;
a decryption module, configured to judge, according to the 5G-GUTI of the terminal, whether the current AMF is a former AMF that once served the terminal;
an obtaining module, configured to, if the current AMF is a former AMF that once served the terminal and the SUPI of the terminal is stored in the current AMF, obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypt the first encrypted requested CAG ID into the requested CAG ID;
a judgment module, configured to judge whether the requested CAG ID matches the first CAG ID list, and if it matches, to send a registration accept message to the terminal.
An embodiment of the application provides a system for accessing a closed access group, including a terminal and a network device;
the terminal includes the device for accessing a closed access group shown in the Fig. 11 embodiment;
the network device includes the device for accessing a closed access group shown in the Fig. 12 embodiment.
An embodiment of the application provides a system for accessing a closed access group, including a terminal and a network device;
the terminal includes the device for accessing a closed access group shown in the Fig. 13 embodiment;
the network device includes the device for accessing a closed access group shown in the Fig. 14 embodiment.
Brief description of the drawings
Fig. 1 is a schematic flowchart of private network access control provided by an embodiment of the application;
Fig. 2 is a flowchart of a method for accessing a closed access group provided by an embodiment;
Fig. 3 is a flowchart of another method for accessing a closed access group provided by an embodiment;
Fig. 4 is a flowchart of another method for accessing a closed access group provided by an embodiment;
Fig. 5 is a flowchart of another method for accessing a closed access group provided by an embodiment;
Fig. 6 is a flowchart of another method for accessing a closed access group provided by an embodiment;
Fig. 7 is a flowchart of another method for accessing a closed access group provided by an embodiment;
Fig. 8 is a flowchart of another method for accessing a closed access group provided by an embodiment;
Fig. 9 is an interaction diagram of a method for accessing a closed access group provided by an embodiment;
Fig. 10 is an interaction diagram of another method for accessing a closed access group provided by an embodiment;
Fig. 11 is a structural schematic diagram of a device for accessing a closed access group provided by an embodiment;
Fig. 12 is a structural schematic diagram of another device for accessing a closed access group provided by an embodiment;
Fig. 13 is a structural schematic diagram of another device for accessing a closed access group provided by an embodiment;
Fig. 14 is a structural schematic diagram of another device for accessing a closed access group provided by an embodiment;
Fig. 15 is a structural schematic diagram of a terminal provided by an embodiment.
Detailed description
Embodiments of the application are described in detail below with reference to the drawings.
Fig. 1 is a schematic flowchart of private network access control provided by an embodiment of the application. As shown in Fig. 1, in conventional private network access, authentication and security verification of the mobile terminal (terminal for short) are mainly completed by the Access and Mobility Management Function (AMF), the Unified Data Management (UDM) or Subscription Identifier De-concealing Function (SIDF), and the AUthentication Server Function (AUSF) in the network. The AMF, UDM or SIDF, and AUSF are the network elements that implement authentication and security verification in the network. They may be physical devices deployed in the network, or functional modules deployed in any one or more physical network elements.
As shown in Fig. 1, first, in step S1010, the list of CAG IDs allowed to be accessed is configured on the terminal. This list indicates that the terminal can only access the private networks corresponding to the CAG IDs in the list; here, for example, the allowed CAG ID list is {2, 3, 4, 5}.
Then, in step S1020, the base station in the network carries the list of CAG IDs supported by the cell in the broadcast system message. The cell-supported CAG ID list indicates the private networks that terminals in the cell are allowed to access. A terminal that accesses the network through the base station can receive the broadcast system message and thereby obtain the cell-supported CAG ID list, which is, for example, {1, 2, 3}.
In step S1030, when the terminal receives the broadcast system message, it compares its own configured allowed CAG ID list with the received cell-supported CAG ID list and selects one of the matching CAG IDs as the requested CAG ID. Here, for example, the matching CAG IDs after comparison are {2, 3}, from which {2} is selected as the requested CAG ID.
In step S1040, after determining the requested CAG ID, the terminal can start the access procedure in the private network corresponding to the requested CAG ID. The terminal sends a registration request message to the network. The registration request message carries the requested CAG ID in plaintext and also carries the terminal's Subscription Concealed Identifier (SUbscription Concealed Identifier, SUCI). After receiving the registration request message sent by the terminal, the base station sends it to the AMF, so that authentication and security verification of the terminal's access to the private network can be carried out.
In step S1050, the network elements that implement authentication and security verification of the terminal (AMF, AUSF, UDM or SIDF) carry out the authentication and security verification procedure for the terminal. The UDM or SIDF resolves the SUCI of the terminal into the terminal's Subscription Permanent Identifier (SUbscription Permanent Identifier, SUPI) and returns the SUPI of the terminal to the AMF.
In step S1060, the AMF sends a request message, which includes the SUPI of the terminal, to the home network of the terminal to obtain the allowed CAG ID list held in the home network. The home network returns the allowed CAG ID list to the AMF; here it is, for example, {2, 3, 4, 5}.
In step S1070, the AMF judges whether the terminal is allowed to access the requested CAG, that is, whether the requested CAG ID in the registration request message is included in the allowed CAG ID list obtained from the home network. If so, access is allowed; otherwise, access is not allowed. Here, the requested CAG ID is {2}, which is included in the allowed CAG ID list {2, 3, 4, 5} obtained from the home network, so the terminal is allowed to access the private network.
In step S1080, the AMF returns a registration accept message to the terminal, that is, the terminal is allowed to access the private network.
If the AMF judges in step S1070 that the terminal is not allowed to access the requested CAG, then in step S1090 the AMF sends a registration reject message to the terminal.
As can be seen from the embodiment shown in Fig. 1, when the terminal requests access to a private network, the requested CAG ID is carried in plaintext in the registration request message, and the registration request message is sent over the air interface. This can leak the CAG ID and may in turn affect the security of the private network.
Fig. 2 is a flowchart of a method for accessing a closed access group provided by an embodiment. As shown in Fig. 2, the method provided by this embodiment includes the following steps.
Step S2010: encrypt the requested CAG ID to obtain an encrypted requested CAG ID.
The method for accessing a closed access group provided by this embodiment is applied to a terminal device in a mobile communication system, referred to as a terminal. When a terminal needs to access a private network, that is, a closed access group, it needs to send the requested CAG ID to the authentication and security verification devices in the network. Because the CAG ID is sent in plaintext and the registration request message carrying it is sent over the air interface, the CAG ID is easily leaked, which in turn affects the security of the closed access group.
To solve this problem, in this embodiment, when the terminal needs to access a closed access group, after determining the requested CAG ID it first encrypts the requested CAG ID to obtain an encrypted requested CAG ID. Any existing encryption method may be used to encrypt the CAG ID, provided that it corresponds to the decryption method in the network elements that perform authentication and security verification on the terminal. The key used to encrypt the CAG ID may likewise take one or more possible forms, and corresponds to the key in the network elements that perform authentication and security verification on the terminal.
Step S2020: send a registration request message, where the registration request message includes the encrypted requested CAG ID and the SUCI of the terminal.
After obtaining the encrypted requested CAG ID, the terminal can send the registration request message, which includes the encrypted requested CAG ID and the SUCI of the terminal. The terminal sends the registration request message over the air interface, and the base station the terminal accesses, or the serving base station of the cell in which the terminal is located, receives it. The base station that receives the registration request message can send it to the network elements that perform authentication and security verification on the terminal, including the AMF, AUSF, UDM/SIDF and so on. These network elements can determine the home network of the terminal according to the SUCI of the terminal and, after decrypting the encrypted requested CAG ID, obtain the CAG ID of the terminal. They can then perform authentication and security verification on the terminal according to steps S1050 to S1090 of the embodiment shown in Fig. 1, and thereby determine whether the terminal can access the CAG corresponding to the requested CAG ID. If the terminal is allowed to access the CAG corresponding to the requested CAG ID, the terminal receives a registration accept message; if the terminal is not allowed to access that CAG, the terminal receives a registration reject message.
In the method for accessing a closed access group provided by this embodiment, the requested CAG ID is encrypted to obtain an encrypted requested CAG ID, and a registration request message is then sent that includes the encrypted requested CAG ID and the SUCI of the terminal. This provides a closed access group access method that protects the closed access group: because the requested CAG ID is encrypted, leakage of the CAG ID through a registration request message sent over the air interface is avoided, which improves the security of accessing the CAG.
In one embodiment, the requested CAG ID may be encrypted using the public key of the terminal's home network to obtain the encrypted requested CAG ID. After the terminal sends the registration request message, because the message includes both the encrypted requested CAG ID and the SUCI of the terminal, the network element that receives the message and performs authentication and security verification on the terminal can learn the terminal's home network from the SUCI of the terminal. That network element can then obtain the public key of the terminal's home network, and can therefore use the obtained public key to decrypt the encrypted requested CAG ID and obtain the requested CAG ID.
In one embodiment, the requested CAG ID may be encrypted by using the public key of the home network to encrypt the requested CAG ID and the SUCI of the terminal together, obtaining an extended SUCI of the terminal. After the terminal sends the registration request message, the network element that receives the message and performs authentication and security verification on the terminal can learn the terminal's home network from information related to the terminal. That network element can then obtain the public key of the terminal's home network, and can therefore use the obtained public key to decrypt the extended SUCI and obtain the requested CAG ID and the SUCI of the terminal.
Fig. 3 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in Fig. 3, the method provided by this embodiment includes the following steps.
Step S3010: receive a system broadcast message carrying the first CAG ID list.
When the terminal needs to access a CAG, it first needs to determine the CAGs that the terminal is allowed to access. The base station broadcasts a system broadcast message carrying the first CAG ID list, and terminals that access the base station or are within its coverage receive this system broadcast message. The first CAG ID list includes the ID of at least one CAG that terminals are allowed to access.
Step S3020: match the second CAG ID list configured on the terminal against the first CAG ID list to determine the CAG ID that the terminal requests to access.
A CAG ID list is also configured on the terminal, referred to as the second CAG ID list, which includes the ID of at least one CAG that the terminal is allowed to access. The second CAG ID list is set in the terminal in advance; it may be preconfigured in the terminal, or configured for the terminal by a network device when the terminal registers in the network. The terminal matches the first CAG ID list against the second CAG ID list to determine the CAG ID that the terminal requests to access.
Matching the second CAG ID list configured on the terminal against the first CAG ID list may consist of determining that a CAG ID present in both the second CAG ID list and the first CAG ID list is the requested CAG ID. The first and second CAG ID lists may have one or more CAG IDs in common, or none. If the two lists have no CAG ID in common, the terminal is not allowed to access a CAG, so it cannot determine a requested CAG ID and does not carry out the subsequent procedure. If the two lists have exactly one CAG ID in common, that CAG ID can be used as the requested CAG ID. If the two lists have two or more CAG IDs in common, any one of them can be chosen as the requested CAG ID, or one can be selected according to a default rule.
In addition, before the system broadcast message carrying the first CAG ID list is received, the second CAG ID list may be configured in the terminal; the second CAG ID list includes at least one CAG ID that is allowed to be accessed.
Step S3030: encrypt the requested CAG ID to obtain an encrypted requested CAG ID.
Step S3040: send a registration request message, where the registration request message includes the encrypted requested CAG ID and the SUCI of the terminal.
Steps S3030 and S3040 are similar to steps S2010 and S2020 and are not described again here.
Fig. 4 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in Fig. 4, the method provided by this embodiment includes the following steps.
Step S4010: receive a registration request message sent by a terminal, where the registration request message includes the encrypted requested CAG ID and the SUCI of the terminal.
The method for accessing a closed access group provided by this embodiment is applied to network devices in a mobile communication system. These network devices are the network elements that perform authentication and security verification on the terminal, including but not limited to one or more of the AMF, AUSF and UDM/SIDF. When a terminal needs to access a private network, that is, a closed access group, it needs to send the requested CAG ID to the authentication and security verification devices in the network. Because the CAG ID is sent in plaintext and the registration request message carrying it is sent over the air interface, the CAG ID is easily leaked, which in turn affects the security of the closed access group.
To solve this problem, in this embodiment, the network element that performs authentication and security verification on the terminal receives a registration request message sent by the terminal that includes the encrypted requested CAG ID and the SUCI of the terminal. The SUPI of the terminal can be obtained by resolving the SUCI of the terminal, which reveals the terminal's home network, and the requested CAG ID can be obtained by decrypting the encrypted requested CAG ID. The network element that performs authentication and security verification on the terminal can then use the SUPI of the terminal and the requested CAG ID to authenticate and verify the terminal and judge whether the terminal can access the CAG corresponding to the requested CAG ID. The terminal may use any existing encryption method for the encrypted requested CAG ID, provided that it corresponds to the decryption method in the network elements that perform authentication and security verification on the terminal. The key the terminal uses to encrypt the CAG ID may likewise take one or more possible forms, and corresponds to the key in the network elements that perform authentication and security verification on the terminal.
Step S4020: resolve the SUCI of the terminal into the SUPI of the terminal, and decrypt the encrypted requested CAG ID into the requested CAG ID.
After receiving the SUCI of the terminal and the encrypted CAG ID, the network element that performs authentication and security verification on the terminal decrypts the encrypted requested CAG ID into the requested CAG ID and resolves the SUCI of the terminal. For example, the UDM/SIDF resolves the SUCI of the terminal into the SUPI of the terminal and decrypts the encrypted requested CAG ID into the requested CAG ID, and then sends the SUPI of the terminal and the requested CAG ID to the AMF.
In one embodiment, the terminal may encrypt the requested CAG ID using the public key of the terminal's home network to obtain the encrypted requested CAG ID. The UDM or SIDF that receives the registration request message resolves the SUCI of the terminal into the SUPI of the terminal. Once the SUPI of the terminal is obtained, the home network can be determined, so the public key of the terminal's home network can be used to decrypt the encrypted requested CAG ID into the requested CAG ID.
Step S4030: obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal.
After obtaining the SUPI of the terminal, the network element that performs authentication and security verification on the terminal can determine the terminal's home network according to the SUPI, and can then obtain the first CAG ID list from the terminal's home network according to the SUPI. The first CAG ID list includes the ID of at least one CAG that the terminal is allowed to access. For example, the AMF that has received the SUPI of the terminal and the requested CAG ID from the UDM/SIDF obtains the first CAG ID list from the terminal's home network according to the SUPI of the terminal.
In one embodiment, obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal comprises: sending a CAG ID list request message, which includes the SUPI, to the home network of the terminal; and receiving the first CAG ID list sent by the home network of the terminal.
Step S4040: judge whether the requested CAG ID matches the first CAG ID list, and if it matches, send a registration accept message to the terminal.
The network element that performs authentication and security verification on the terminal then judges whether the requested CAG ID matches the first CAG ID list. If it matches, the terminal can access the CAG corresponding to the requested CAG ID, so a registration accept message can be sent to the terminal. For example, the AMF judges whether the requested CAG ID matches the first CAG ID list and, if it matches, sends a registration accept message to the terminal.
In one embodiment, judging whether the requested CAG ID matches the first CAG ID list may consist of judging whether the requested CAG ID is identical to any CAG ID in the first CAG ID list. If it is, the requested CAG ID is determined to match the first CAG ID list. If the requested CAG ID differs from every CAG ID in the first CAG ID list, the requested CAG ID is determined not to match the first CAG ID list.
In one embodiment, if the requested CAG ID is judged not to match the first CAG ID list, a registration reject message is sent to the terminal.
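The terminal-side steps of Fig. 3 (S3020 to S3040) and the network-side steps of Fig. 4 (S4010 to S4040) can be exercised end to end. The following Python sketch is an added example, not code from the patent. It assumes a 4-byte CAG ID encoding, a "first common entry" selection rule, a dictionary lookup standing in for UDM/SIDF de-concealment of the SUCI, and a toy Diffie-Hellman hybrid cipher standing in for whichever public-key scheme is provisioned (the patent leaves the cipher open), with the network side holding the private key that matches the home-network public key.

```python
import hashlib
import hmac
import secrets

# Toy finite-field Diffie-Hellman group: an assumption for this demo only,
# standing in for the operator's real public-key scheme.
P = 2**255 - 19
G = 2
CAG_ID_BYTES = 4  # assumed fixed-width encoding of a CAG ID


def keygen():
    """Return a (private, public) key pair in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def _derive_keys(shared, eph_pub):
    # Separate encryption and integrity keys from the shared secret.
    seed = shared.to_bytes(32, "big") + eph_pub.to_bytes(32, "big")
    return (hashlib.sha256(b"enc" + seed).digest(),
            hashlib.sha256(b"mac" + seed).digest())


def encrypt_cag_id(cag_id, hn_pub):
    """Terminal side (S3030): encrypt under the home-network public key.

    A fresh ephemeral key is drawn per message, so the same CAG ID never
    yields the same ciphertext twice. This matters because the candidate
    CAG IDs are broadcast in the cell and the public key is not secret.
    """
    eph_priv, eph_pub = keygen()
    enc_key, mac_key = _derive_keys(pow(hn_pub, eph_priv, P), eph_pub)
    plain = cag_id.to_bytes(CAG_ID_BYTES, "big")
    cipher = bytes(a ^ b for a, b in zip(plain, enc_key))
    tag = hmac.new(mac_key, cipher, hashlib.sha256).digest()[:8]
    return {"eph_pub": eph_pub, "cipher": cipher, "tag": tag}


def decrypt_cag_id(blob, hn_priv):
    """Network side (S4020): return the CAG ID, or None if the blob is invalid."""
    if not 1 < blob["eph_pub"] < P - 1 or len(blob["cipher"]) != CAG_ID_BYTES:
        return None
    enc_key, mac_key = _derive_keys(pow(blob["eph_pub"], hn_priv, P),
                                    blob["eph_pub"])
    expected = hmac.new(mac_key, blob["cipher"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # modified in transit or encrypted for another key
    return int.from_bytes(
        bytes(a ^ b for a, b in zip(blob["cipher"], enc_key)), "big")


def select_cag_id(configured, broadcast):
    """S3020: pick the first broadcast CAG ID that is also configured.

    "First common entry" is a hypothetical default rule; None means the
    lists share no CAG ID and the terminal does not proceed.
    """
    for cag_id in broadcast:
        if cag_id in configured:
            return cag_id
    return None


def build_registration_request(configured, broadcast, suci, hn_pub):
    """S3020 to S3040: build the registration request, or None if no match."""
    cag_id = select_cag_id(configured, broadcast)
    if cag_id is None:
        return None
    return {"suci": suci, "encrypted_cag_id": encrypt_cag_id(cag_id, hn_pub)}


def handle_registration_request(msg, hn_priv, suci_to_supi, allowed_by_supi):
    """S4010 to S4040: de-conceal, decrypt, fetch the allowed list, decide."""
    supi = suci_to_supi.get(msg["suci"])  # stand-in for UDM/SIDF
    cag_id = decrypt_cag_id(msg["encrypted_cag_id"], hn_priv)
    if supi is None or cag_id is None:
        return "REGISTRATION_REJECT"
    first_list = allowed_by_supi.get(supi, [])  # list held by the home network
    return "REGISTRATION_ACCEPT" if cag_id in first_list else "REGISTRATION_REJECT"


if __name__ == "__main__":
    # Constructed sample values, using the lists from the Fig. 1 walk-through.
    hn_priv, hn_pub = keygen()
    request = build_registration_request(
        [2, 3, 4, 5], [1, 2, 3], "suci-constructed-001", hn_pub)
    print(handle_registration_request(
        request, hn_priv,
        {"suci-constructed-001": "supi-constructed-001"},
        {"supi-constructed-001": [2, 3, 4, 5]}))
```
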
Fig. 5 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in Fig. 5, the method provided by this embodiment includes the following steps.
Step S5010: receive a registration request message sent by a terminal, where the registration request message includes the extended SUCI of the terminal. The extended SUCI of the terminal is obtained by encrypting the requested CAG ID and the SUCI of the terminal together using the public key of the terminal's home network.
In the embodiment shown in Fig. 4, the registration request message received from the terminal includes the encrypted requested CAG ID and the SUCI of the terminal. In this embodiment, the registration request message received from the terminal includes the extended SUCI of the terminal. The extended SUCI of the terminal is obtained by encrypting the requested CAG ID and the SUCI of the terminal together using the public key of the terminal's home network.
Step S5020: the UDM or SIDF uses the public key of the terminal's home network to decrypt the extended SUCI of the terminal into the requested CAG ID and the SUCI of the terminal, and resolves the SUCI of the terminal into the SUPI of the terminal.
After receiving the extended SUCI, the UDM or SIDF can learn the terminal's home network from information related to the terminal. The UDM or SIDF can then obtain the public key of the terminal's home network, and can therefore use the obtained public key to decrypt the extended SUCI and obtain the requested CAG ID and the SUCI of the terminal. The UDM or SIDF can then also resolve the SUCI of the terminal into the SUPI of the terminal.
Step S5030: the UDM or SIDF sends the SUPI of the terminal and the requested CAG ID to the AMF.
Step S5040: the AMF obtains the first CAG ID list from the home network of the terminal according to the SUPI of the terminal.
Step S5050: the AMF judges whether the requested CAG ID matches the first CAG ID list, and if it matches, sends a registration accept message to the terminal.
Steps S5030 to S5050 are similar to the authentication and security verification process in the embodiment shown in Fig. 1 and are not described again here.
Fig. 6 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in Fig. 6, the method provided by this embodiment includes the following steps.
Step S6010: encrypt the requested CAG ID to obtain the first encrypted requested CAG ID.
The method for accessing a closed access group provided by this embodiment is applied to a terminal device in a mobile communication system, referred to as the terminal. When the terminal needs to access a private network, that is, a closed access group, it must send the requested CAG ID to the authentication and security verification equipment in the network. Because the CAG ID is sent in plaintext and the registration request message carrying it is sent over the air interface, the CAG ID is easily leaked, which affects the security of the closed access group.
To solve this problem, in this embodiment, when the terminal needs to access a closed access group, after the requested CAG ID has been determined, the terminal first encrypts it to obtain the first encrypted requested CAG ID. The encryption method used for the CAG ID may be any existing encryption method, and it corresponds to the decryption method in the network element that performs authentication and security verification on the terminal. The key used to encrypt the CAG ID may likewise take one or more possible forms, and it corresponds to the key in the network element that performs authentication and security verification on the terminal.
Step S6020: send a registration request message that includes the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
After obtaining the first encrypted requested CAG ID, the terminal can send the registration request message, which includes the first encrypted requested CAG ID and the terminal's 5G Globally Unique Temporary UE Identity (5G-GUTI). The terminal sends the registration request message over the air interface, and the base station the terminal accesses, or the serving base station of the cell where the terminal is located, receives it. The base station that receives the registration request message can forward it to the network elements that perform authentication and security verification on the terminal, including the AMF, AUSF, UDM/SIDF and so on. Each of these network elements can determine from the terminal's 5G-GUTI whether it has previously served the terminal. If so, because a network element that has served the terminal holds various information related to the terminal, it can directly use that information to determine the terminal's home network, the key the terminal used to produce the first encrypted requested CAG ID, and other related information, decrypt the first encrypted requested CAG ID to obtain the requested CAG ID, and obtain the first CAG ID list that the terminal is allowed to access. It then determines whether the terminal can access the CAG corresponding to the requested CAG ID. If the terminal is allowed to access the CAG corresponding to the requested CAG ID, the terminal receives a registration accept message; if the terminal is not allowed to access that CAG, the terminal receives a registration reject message.
In the method for accessing a closed access group provided by this embodiment, the requested CAG ID is encrypted to obtain the first encrypted requested CAG ID, and a registration request message is then sent that includes the first encrypted requested CAG ID and the 5G-GUTI of the terminal. This provides a closed access group access method that protects the closed access group: because the requested CAG ID is encrypted, the CAG ID is not leaked through the registration request message sent over the air interface, which improves the security of accessing the CAG.
In one embodiment, encrypting the requested CAG ID to obtain the first encrypted requested CAG ID includes: encrypting the requested CAG ID with the encryption key in the security context corresponding to the terminal's 5G-GUTI, to obtain the first encrypted requested CAG ID. After the terminal sends the registration request message, because the message includes both the first encrypted requested CAG ID and the 5G-GUTI of the terminal, the network element that receives it and performs authentication and security verification on the terminal can determine from the 5G-GUTI whether it has previously served the terminal. If so, because a network element that has served the terminal holds various information related to the terminal, including the encryption key in the security context corresponding to the terminal's 5G-GUTI, that network element can directly use this encryption key to decrypt the first encrypted requested CAG ID and obtain the requested CAG ID.
Fig. 7 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in Fig. 7, the method provided by this embodiment includes the following steps.
Step S7010: encrypt the requested CAG ID to obtain the first encrypted requested CAG ID.
Step S7020: send a registration request message that includes the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
Steps S7010 and S7020 are identical to steps S6010 and S6020 and are not described again here.
Step S7030: receive the identity request message sent by the AMF.
After the terminal has sent the registration request message, if the network element that receives it has previously served the terminal, it may hold information related to the terminal and can therefore decrypt the first encrypted requested CAG ID. If the network element that receives the registration request message has not served the terminal, or has served the terminal but has not saved the terminal's information, it cannot decrypt the first encrypted requested CAG ID. In that case the terminal receives the identity request message sent by the AMF. The identity request message is received after the first encrypted requested CAG ID could not be decrypted by means of the terminal's 5G-GUTI.
Step S7040: encrypt the requested CAG ID with the public key of the home network to obtain the second encrypted requested CAG ID.
After receiving the identity request message, the terminal can encrypt the requested CAG ID with the public key of the home network to obtain the second encrypted requested CAG ID.
Step S7050: send an identity response message to the AMF; the identity response message includes the second encrypted requested CAG ID and the SUCI of the terminal.
The terminal then sends an identity response message to the AMF, which includes the second encrypted requested CAG ID and the SUCI of the terminal. Because the identity response message includes both, the AMF that receives it can identify the terminal's home network from the SUCI of the terminal and can therefore obtain the public key of that home network, so it can use the obtained public key to decrypt the second encrypted requested CAG ID and obtain the requested CAG ID. The AMF can also obtain, according to the SUCI of the terminal, the first CAG ID list that the terminal is allowed to access. It then determines whether the terminal can access the CAG corresponding to the requested CAG ID. If the terminal is allowed to access the CAG corresponding to the requested CAG ID, the terminal receives a registration accept message; if the terminal is not allowed to access that CAG, the terminal receives a registration reject message.
In one embodiment, after receiving the identity request message sent by the AMF, the terminal may also use the public key of the home network to jointly encrypt the requested CAG ID and the SUCI of the terminal, obtaining the extended SUCI of the terminal; the terminal then sends an identity response message to the AMF that includes the extended SUCI of the terminal. After the terminal sends the identity request message, the AMF that receives the identity request message can identify the terminal's home network from information about the terminal and can therefore obtain the public key of that home network, so it can use the obtained public key to decrypt the extended SUCI and obtain the requested CAG ID and the SUCI of the terminal. The AMF can also obtain, according to the SUCI of the terminal, the first CAG ID list that the terminal is allowed to access. It then determines whether the terminal can access the CAG corresponding to the requested CAG ID. If the terminal is allowed to access the CAG corresponding to the requested CAG ID, the terminal receives a registration accept message; if the terminal is not allowed to access that CAG, the terminal receives a registration reject message.
In one embodiment, before the requested CAG ID is encrypted to obtain the first encrypted requested CAG ID, the method further includes: receiving a system broadcast message carrying the first CAG ID list; and matching the terminal's own configured second CAG ID list against the first CAG ID list to determine the requested CAG ID. The first CAG ID list includes the ID of at least one CAG that the terminal is allowed to access.
In one embodiment, matching the terminal's own configured second CAG ID list against the first CAG ID list to determine the requested CAG ID includes: matching the two lists and determining that one CAG ID that appears in both the second CAG ID list and the first CAG ID list is the requested CAG ID. The first CAG ID list and the second CAG ID list may have one or more CAG IDs in common, or may have no CAG ID in common. If the first CAG ID list and the second CAG ID list have no CAG ID in common, the terminal is not allowed to access a CAG, so the terminal cannot determine a requested CAG ID and does not carry out the subsequent procedure. If the two lists have exactly one CAG ID in common, that CAG ID can be used as the requested CAG ID. If the two lists have two or more CAG IDs in common, any one of them may be chosen as the requested CAG ID, or one may be selected from them according to a preset rule.
In addition, before the system broadcast message carrying the first CAG ID list is received, the second CAG ID list may be configured in the terminal; the second CAG ID list includes at least one CAG ID that is allowed to be accessed.
Fig. 8 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in Fig. 8, the method provided by this embodiment includes the following steps.
Step S8010: receive the registration request message sent by the terminal; the registration request message includes the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
The method for accessing a closed access group provided by this embodiment is applied to network devices in a mobile communication system. These network devices are the network elements that perform authentication and security verification on the terminal, including but not limited to one or more of the AMF, AUSF and UDM/SIDF. When the terminal needs to access a private network, that is, a closed access group, it must send the requested CAG ID to the authentication and security verification equipment in the network. Because the CAG ID is sent in plaintext and the registration request message carrying it is sent over the air interface, the CAG ID is easily leaked, which affects the security of the closed access group.
To solve this problem, in this embodiment, the network element that performs authentication and security verification on the terminal receives the registration request message sent by the terminal, which includes the encrypted requested CAG ID and the 5G-GUTI of the terminal. The network element that performs authentication and security verification on the terminal can determine from the terminal's 5G-GUTI whether it has previously served the terminal. The encryption method the terminal uses to produce the first encrypted requested CAG ID may be any existing encryption method, and it corresponds to the decryption method in the network element that performs authentication and security verification on the terminal. The key the terminal uses to encrypt the CAG ID may likewise take one or more possible forms, and it corresponds to the key in the network element that performs authentication and security verification on the terminal.
Step S8020: judge, according to the 5G-GUTI of the terminal, whether the current AMF is a historical AMF that once served the terminal.
After receiving the terminal's 5G-GUTI and the first encrypted CAG ID, the network element that performs authentication and security verification on the terminal first judges, according to the 5G-GUTI, whether the current AMF is a historical AMF that once served the terminal. Because a historical AMF that once served the terminal holds information related to the terminal, the 5G-GUTI of the terminal can be used to judge whether the current AMF is such a historical AMF.
Step S8030: if the current AMF is a historical AMF that once served the terminal and the SUPI of the terminal is stored in the current AMF, obtain the first CAG ID list from the terminal's home network according to the SUPI of the terminal, and decrypt the first encrypted requested CAG ID into the requested CAG ID.
If the current AMF is a historical AMF that once served the terminal, it may or may not hold the SUPI of the terminal. If the current AMF is a historical AMF that once served the terminal and stores the SUPI of the terminal, the current AMF can obtain the first CAG ID list from the terminal's home network according to the SUPI and decrypt the first encrypted requested CAG ID into the requested CAG ID. The key and encryption method that the current AMF uses to decrypt the first encrypted requested CAG ID may be preset in the terminal and the AMF, or may have been saved when the current AMF previously served the terminal. For example, the current AMF stores the terminal's security context, which includes an encryption key; the terminal can then use the encryption key in the security context to encrypt the requested CAG ID, obtaining the first encrypted requested CAG ID, and the current AMF can likewise use the encryption key in the stored security context of the terminal to decrypt the first encrypted requested CAG ID into the requested CAG ID.
Step S8040: judge whether the requested CAG ID matches the first CAG ID list and, if so, send a registration accept message to the terminal.
This step is identical to step S4040 and is not described again here.
Step S8050: if the current AMF is a historical AMF that once served the terminal and the SUPI of the terminal is not stored in the current AMF, the current AMF sends an identity request message to the terminal.
If the current AMF is a historical AMF that once served the terminal but does not hold the SUPI of the terminal, the current AMF cannot decrypt the first encrypted requested CAG ID sent by the terminal. The current AMF therefore sends an identity request message to the terminal, requesting the terminal to send the requested CAG ID again.
Step S8060: receive the identity response message sent by the terminal; the identity response message includes the second encrypted requested CAG ID, which the terminal encrypted with the public key of the home network, and the SUCI of the terminal.
After receiving the identity request message, in order to protect the CAG ID, the terminal may encrypt the requested CAG ID with the public key of the home network to obtain the second encrypted requested CAG ID. The current AMF then receives the identity response message sent by the terminal, which includes the second encrypted requested CAG ID, encrypted by the terminal with the public key of the home network, and the SUCI of the terminal.
Step S8070: the UDM or SIDF resolves the SUCI of the terminal into the SUPI of the terminal, and uses the public key of the terminal's home network to decrypt the second encrypted requested CAG ID into the requested CAG ID.
Step S8080: obtain the first CAG ID list from the terminal's home network according to the SUPI of the terminal.
Step S8090: judge whether the requested CAG ID matches the first CAG ID list and, if so, send a registration accept message to the terminal.
Steps S8070 to S8090 are similar to steps S5020 to S5050 in the embodiment shown in Fig. 4 and are not described again here.
In one embodiment, the identity response message includes the extended SUCI that the terminal obtains by jointly encrypting the CAG ID it requests to access and the SUCI of the terminal with the public key of the home network. The extended SUCI of the terminal is obtained by jointly encrypting the requested CAG ID and the SUCI of the terminal with the public key of the terminal's home network. The UDM or SIDF then uses the public key of the terminal's home network to decrypt the extended SUCI of the terminal into the requested CAG ID and the SUCI of the terminal, and resolves the SUCI of the terminal into the SUPI of the terminal. The UDM or SIDF resolves the SUCI of the terminal into the SUPI of the terminal, and the first CAG ID list is obtained from the terminal's home network according to the SUPI of the terminal. Whether the requested CAG ID matches the first CAG ID list is then judged and, if it matches, a registration accept message is sent to the terminal.
Step S8100: if the current AMF has not served the terminal, the current AMF determines, according to the 5G-GUTI of the terminal, the historical AMF that once served the terminal and sends a terminal context transfer request message to the historical AMF; the terminal context transfer request message includes the 5G-GUTI of the terminal.
If the current AMF has not served the terminal, it stores no information related to the terminal. However, because the current AMF has also received the terminal's 5G-GUTI, it can determine from the 5G-GUTI the historical AMF that once served the terminal. The current AMF then sends a terminal context transfer request message, which includes the 5G-GUTI of the terminal, to the historical AMF.
Step S8110: the current AMF receives the context transfer response message sent by the historical AMF; the context transfer response message includes the security context of the terminal and the first CAG ID list.
After receiving the context transfer response message sent by the historical AMF, the current AMF knows the security context of the terminal and can obtain the first CAG ID list.
Step S8120: the current AMF uses the private key in the security context of the terminal to decrypt the first encrypted requested CAG ID into the requested CAG ID.
Step S8130: judge whether the requested CAG ID matches the first CAG ID list and, if so, send a registration accept message to the terminal.
If the historical AMF that served the terminal stores the terminal's security context, the current AMF can receive the security context sent by the historical AMF and can directly use the key in the received security context to decrypt the first encrypted requested CAG ID. If the historical AMF that served the terminal does not store information about the terminal either, the current AMF has to proceed by other means.
Step S8140: if the current AMF does not receive the terminal's context transfer response message from the historical AMF, the current AMF sends an identity request message to the terminal.
If the current AMF does not receive the terminal's context transfer response message from the historical AMF, the current AMF sends an identity request message to the terminal, requesting the terminal to resend the CAG ID in a form that the current AMF can decrypt.
Step S8150: receive the identity response message sent by the terminal; the identity response message includes the second encrypted requested CAG ID, which the terminal encrypted with the public key of the home network, and the SUCI of the terminal.
Step S8160: the UDM or SIDF resolves the SUCI of the terminal into the SUPI of the terminal, and uses the public key of the terminal's home network to decrypt the second encrypted requested CAG ID into the requested CAG ID.
Step S8170: obtain the first CAG ID list from the terminal's home network according to the SUPI of the terminal.
Step S8180: judge whether the requested CAG ID matches the first CAG ID list and, if so, send a registration accept message to the terminal.
Steps S8150 to S8180 are identical to steps S8060 to S8090 and are not described again here.
In one embodiment, the identity response message includes the extended SUCI that the terminal obtains by jointly encrypting the CAG ID it requests to access and the SUCI of the terminal with the public key of the home network. The extended SUCI of the terminal is obtained by jointly encrypting the requested CAG ID and the SUCI of the terminal with the public key of the terminal's home network. The UDM or SIDF then uses the public key of the terminal's home network to decrypt the extended SUCI of the terminal into the requested CAG ID and the SUCI of the terminal, and resolves the SUCI of the terminal into the SUPI of the terminal. The UDM or SIDF resolves the SUCI of the terminal into the SUPI of the terminal, and the first CAG ID list is obtained from the terminal's home network according to the SUPI of the terminal. Whether the requested CAG ID matches the first CAG ID list is then judged and, if it matches, a registration accept message is sent to the terminal.
In one embodiment, judging whether the requested CAG ID matches the first CAG ID list includes: judging whether the requested CAG ID is identical to any CAG ID in the first CAG ID list and, if so, determining that the requested CAG ID matches the first CAG ID list.
In one embodiment, after judging whether the requested CAG ID matches the first CAG ID list, the method further includes: sending a registration reject message to the terminal if they do not match.
Fig. 9 is an interaction diagram of a method for accessing a closed access group provided by an embodiment. As shown in Fig. 9, the method provided by this embodiment includes the following steps.
Step S9010: the list of CAG IDs allowed to be accessed is configured on the mobile terminal, for example {2,3,4,5}.
Step S9020: the network carries the list of CAG IDs supported by the cell in the broadcast system message, for example {1,2,3}.
Step S9030: after receiving the message, the terminal compares the two lists and selects one of the matching CAG IDs as the requested CAG ID, for example selecting 2 from {2,3}.
Step S9040: the terminal encrypts the requested CAG ID with the public key of the home network to obtain the encrypted requested CAG ID; the terminal may also encrypt the requested CAG ID and the SUPI together with the public key of the home network to obtain the extended SUCI. The terminal sends a registration request message to the network that carries the encrypted requested CAG ID, and the request message also carries the SUCI; in the case of joint encryption, the request message carries the extended SUCI (2).
Step S9050: authentication and security procedure, in which the UDM/SIDF resolves the SUCI into the SUPI and also resolves the encrypted requested CAG ID into the requested CAG ID; the UDM/SIDF returns the SUPI and the requested CAG ID to the AMF.
Step S9060: the AMF obtains the list of CAG IDs allowed to be accessed, for example {2,3,4,5}, from the home network; the request message carries the SUPI parameter.
Step S9070 (access control): the AMF judges whether the terminal is allowed to access the CAG. Specifically, the AMF judges whether the CAG ID received in the registration message is included in the list of CAG IDs allowed to be accessed that was obtained from the home network. If so, access is allowed; if not, access is not allowed. For example, 2 is in {2,3,4,5}, so access is allowed.
Step S9080: if access is allowed, the AMF returns a registration accept message to the terminal.
Step S9090: if access is not allowed, the AMF returns a registration reject message to the terminal.
Figure 10 is the interaction diagrams of the method for another access closure access group that an embodiment provides, such as Figure 10 institute Show, method provided in this embodiment includes the following steps.
Step S10010: configuration allows the CAG ID list accessed, such as { 2,3,4,5 } on mobile terminals.
Step S10020: network carried in the system message of broadcast cell support CAG ID list, such as 1,2, 3}。
Step S10030: after terminal receives the message, compare two lists, select one in matched CAG ID CAG ID selects 2 as the CAG ID requested access to, such as from { 2,3 }.
Step S10040: if on the interim subscriber identity 5G-GUTI and safety of the visited network that terminal has request to register Hereafter, then terminal encrypts the CAG ID requested access to the encryption key in the safe context, and what is encrypted asks Seek the CAG ID of access;Terminal sends login request message to network, wherein the CAG ID of encryption requested access to is carried, request 5G-GUTI is also carried in message.
Step S10050: If the current AMF (new AMF) that receives the registration message is the history AMF (old AMF) that last served the terminal, and it still holds the terminal's SUPI and security context, it uses the encryption key in that security context to decrypt the encrypted requested CAG ID and obtain the requested CAG ID. If the new AMF is not the old AMF that last served the terminal, the new AMF sends a terminal context transfer request message, carrying the 5G-GUTI, to the old AMF.
Step S10060: The old AMF returns the terminal's SUPI and security context to the new AMF, and the new AMF can use the encryption key in that security context to decrypt the encrypted requested CAG ID and obtain the requested CAG ID. The returned message also includes the list of CAG IDs allowed to be accessed, for example {2, 3, 4, 5}.
Step S10070: If the old AMF has not stored the terminal's SUPI and context, the new AMF sends an identity request message to the terminal.
Step S10080: The terminal encrypts the requested CAG ID with the public key of its home network to obtain the encrypted requested CAG ID; the terminal may also encrypt the requested CAG ID and the SUPI together with the public key of the home network to obtain an extended SUCI. The terminal returns an identity response message to the new AMF; the message carries the encrypted requested CAG ID and also carries the SUCI, or, in case (2), joint encryption, the message carries the extended SUCI.
Step S10090: Authentication and security procedure. If step S10060 successfully returned the SUPI, this procedure need not include SUCI resolution and CAG ID resolution. If step S10060 was unsuccessful, then during this step the UDM/SIDF resolves the SUCI to the SUPI and also resolves the encrypted requested CAG ID to the requested CAG ID; the UDM/SIDF returns the SUPI and the requested CAG ID to the AMF.
Step S10100: If step S10060 was unsuccessful, the AMF obtains the list of CAG IDs allowed to be accessed, for example {2, 3, 4, 5}, from the home network; the request message carries the SUPI parameter.
Step S10110 (access control): The AMF determines whether the terminal is allowed to access the CAG. Specifically, the AMF determines whether the CAG ID received in the registration message is included in the list of allowed CAG IDs obtained from the home network; if it is, access is allowed, and if it is not, access is not allowed. For example, 2 is in {2, 3, 4, 5}, so access is allowed.
Step S10120: If access is allowed, the AMF returns a registration accept message to the terminal.
Step S10130: If access is not allowed, the AMF returns a registration reject message to the terminal.
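As an added illustration (not part of the patent text), the following Python example walks the AMF-side logic of steps S10050 to S10130: the three ways the AMF recovers the requested CAG ID, then the access-control check, rejecting whenever decryption fails. The patent names no cipher, so the HMAC-SHA256 seal and the toy Diffie-Hellman public-key wrapper are stand-in assumptions, as are all class and function names and the constructed SUPI and 5G-GUTI values; here the home network decrypts with the private half of its key pair.

```python
import hashlib
import hmac
import secrets

# Stand-in ciphers (assumption): the patent names no algorithm.
P, G = 2**255 - 19, 2  # toy Diffie-Hellman parameters, not a vetted group


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, data):
    """Symmetric encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, b"enc" + nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if len(blob) < 44 or not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, b"enc" + nonce, len(ct))))


def pk_seal(pub, data):
    """Encrypt to the home-network public key: ephemeral DH, then seal()."""
    eph = secrets.randbelow(P - 3) + 2
    key = hashlib.sha256(pow(pub, eph, P).to_bytes(32, "big")).digest()
    return pow(G, eph, P).to_bytes(32, "big") + seal(key, data)


def pk_unseal(priv, blob):
    shared = pow(int.from_bytes(blob[:32], "big"), priv, P)
    return unseal(hashlib.sha256(shared.to_bytes(32, "big")).digest(), blob[32:])


class HomeNetwork:
    """UDM/SIDF role: holds the private key and the allowed CAG ID lists."""

    def __init__(self, allowed_by_supi):
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)
        self.allowed_by_supi = allowed_by_supi

    def deconceal(self, suci, enc_cag):  # step S10090
        supi = pk_unseal(self.priv, suci).decode()
        return supi, int.from_bytes(pk_unseal(self.priv, enc_cag), "big")

    def allowed_cags(self, supi):  # step S10100
        return set(self.allowed_by_supi.get(supi, ()))


class AMF:
    def __init__(self, home):
        self.home = home
        self.contexts = {}  # 5G-GUTI -> (SUPI, context key, allowed CAG IDs)

    def register(self, guti, enc_cag, old_amf=None, identity_request=None):
        try:
            if guti in self.contexts:  # S10050: this AMF is the old AMF
                supi, key, _ = self.contexts[guti]
                allowed = self.home.allowed_cags(supi)
                cag = int.from_bytes(unseal(key, enc_cag), "big")
            elif old_amf is not None and guti in old_amf.contexts:  # S10060
                supi, key, allowed = old_amf.contexts[guti]
                cag = int.from_bytes(unseal(key, enc_cag), "big")
            elif identity_request is not None:  # S10070 to S10100
                supi, cag = self.home.deconceal(*identity_request())
                allowed = self.home.allowed_cags(supi)
            else:
                return "reject"
        except ValueError:
            return "reject"  # undecryptable or tampered input fails closed
        return "accept" if cag in allowed else "reject"  # S10110 to S10130


def run_scenarios():
    supi, guti = "imsi-001010000000001", "guti-0001"  # constructed sample values
    home, key = HomeNetwork({supi: {2, 3, 4, 5}}), secrets.token_bytes(32)
    old, new, amnesiac = AMF(home), AMF(home), AMF(home)
    old.contexts[guti] = (supi, key, {2, 3, 4, 5})
    req = lambda cag: seal(key, cag.to_bytes(4, "big"))  # terminal, registration
    ident = lambda: (pk_seal(home.pub, supi.encode()),   # terminal, step S10080
                     pk_seal(home.pub, (2).to_bytes(4, "big")))
    tampered = bytes(b ^ 1 for b in req(2))  # flip one bit in every byte
    return {
        "same_amf": old.register(guti, req(2)),
        "context_transfer": new.register(guti, req(2), old_amf=old),
        "identity_fallback": new.register(guti, req(2), amnesiac, ident),
        "cag_not_allowed": old.register(guti, req(7)),
        "tampered": old.register(guti, tampered),
    }
```

The first three scenarios request CAG ID 2 against the allowed list {2, 3, 4, 5} used in the steps above; the last two show a CAG ID outside the list and a modified ciphertext both ending in a registration reject.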
Figure 11 is a schematic structural diagram of an apparatus for accessing a closed access group provided by an embodiment. As shown in Figure 11, the apparatus for accessing a closed access group provided in this embodiment includes: an encryption module 111, configured to encrypt the requested CAG ID to obtain an encrypted requested CAG ID; and a sending module 112, configured to send a registration request message, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal.
The apparatus for accessing a closed access group provided in this embodiment is used to implement the method for accessing a closed access group of the embodiment shown in Figure 2; its implementation principle and technical effect are similar and are not repeated here.
Figure 12 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment. As shown in Figure 12, the apparatus for accessing a closed access group provided in this embodiment includes: a receiving module 121, configured to receive a registration request message sent by a terminal, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal; a decryption module 122, configured to resolve the SUCI of the terminal to the SUPI of the terminal, and to decrypt the encrypted requested CAG ID into the requested CAG ID; an obtaining module 123, configured to obtain a first CAG ID list from the home network of the terminal according to the SUPI of the terminal; and a judgment module 124, configured to determine whether the requested CAG ID matches the first CAG ID list, and to send a registration accept message to the terminal if they match.
The apparatus for accessing a closed access group provided in this embodiment is used to implement the method for accessing a closed access group of the embodiment shown in Figure 4; its implementation principle and technical effect are similar and are not repeated here.
Figure 13 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment. As shown in Figure 13, the apparatus for accessing a closed access group provided in this embodiment includes: an encryption module 131, configured to encrypt the requested CAG ID to obtain a first encrypted requested CAG ID; and a sending module 132, configured to send a registration request message, the registration request message including the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
The apparatus for accessing a closed access group provided in this embodiment is used to implement the method for accessing a closed access group of the embodiment shown in Figure 6; its implementation principle and technical effect are similar and are not repeated here.
Figure 14 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment. As shown in Figure 14, the apparatus for accessing a closed access group provided in this embodiment includes: a receiving module 141, configured to receive a registration request message sent by a terminal, the registration request message including the first encrypted requested CAG ID and the 5G-GUTI of the terminal; a decryption module 142, configured to determine, according to the 5G-GUTI of the terminal, whether the current AMF is a history AMF that once served the terminal; an obtaining module 143, configured to, if the current AMF is a history AMF that once served the terminal and the SUPI of the terminal is stored in the current AMF, obtain a first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypt the first encrypted requested CAG ID into the requested CAG ID; and a judgment module 144, configured to determine whether the requested CAG ID matches the first CAG ID list, and to send a registration accept message to the terminal if they match.
The apparatus for accessing a closed access group provided in this embodiment is used to implement the method for accessing a closed access group of the embodiment shown in Figure 8; its implementation principle and technical effect are similar and are not repeated here.
An embodiment of this application also provides a system for accessing a closed access group, including a terminal and a network device, where the terminal includes the apparatus for accessing a closed access group of the embodiment shown in Figure 11, and the network device includes the apparatus for accessing a closed access group of the embodiment shown in Figure 12.
An embodiment of this application also provides a system for accessing a closed access group, including a terminal and a network device, where the terminal includes the apparatus for accessing a closed access group of the embodiment shown in Figure 13, and the network device includes the apparatus for accessing a closed access group of the embodiment shown in Figure 14.
Figure 15 is a schematic structural diagram of a terminal provided by an embodiment. As shown in Figure 15, the terminal includes a processor 151, a memory 152, a transmitter 153 and a receiver 154. The terminal may have one or more processors 151; Figure 15 takes one processor 151 as an example. The processor 151, memory 152, transmitter 153 and receiver 154 in the terminal may be connected by a bus or in other ways; Figure 15 takes connection by a bus as an example.
The memory 152, as a computer-readable storage medium, may be configured to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the method for accessing a closed access group in the embodiments of Figures 2 to 3 or Figures 6 to 7 of this application (for example, the encryption module 111 and sending module 112 in the apparatus for accessing a closed access group, or the encryption module 131 and sending module 132 in the apparatus for accessing a closed access group). By running the software programs, instructions and modules stored in the memory 152, the processor 151 performs at least one functional application and data processing of the terminal, that is, implements the method for accessing a closed access group of Figures 2 to 3 or Figures 6 to 7.
The memory 152 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required by at least one function, and the data storage area may store data created through use of the terminal, and so on. In addition, the memory 152 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or another non-volatile solid-state storage device.
The transmitter 153 is a module or combination of devices capable of emitting radio-frequency signals into space, for example a combination of a radio-frequency transmitter, an antenna and other devices. The receiver 154 is a module or combination of devices capable of receiving radio-frequency signals from space, for example a combination of a radio-frequency receiver, an antenna and other devices.
An embodiment of this application also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, are used to perform a method for accessing a closed access group, the method comprising: encrypting the requested CAG ID to obtain an encrypted requested CAG ID; and sending a registration request message, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal.
An embodiment of this application also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, are used to perform a method for accessing a closed access group, the method comprising: receiving a registration request message sent by a terminal, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal; resolving the SUCI of the terminal to the SUPI of the terminal, and decrypting the encrypted requested CAG ID into the requested CAG ID; obtaining a first CAG ID list from the home network of the terminal according to the SUPI of the terminal; and determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match.
An embodiment of this application also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, are used to perform a method for accessing a closed access group, the method comprising: encrypting the requested CAG ID to obtain a first encrypted requested CAG ID; and sending a registration request message, the registration request message including the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
An embodiment of this application also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, are used to perform a method for accessing a closed access group, the method comprising: receiving a registration request message sent by a terminal, the registration request message including the first encrypted requested CAG ID and the 5G-GUTI of the terminal; determining, according to the 5G-GUTI of the terminal, whether the current AMF is a history AMF that once served the terminal; if the current AMF is a history AMF that once served the terminal and the SUPI of the terminal is stored in the current AMF, obtaining a first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypting the first encrypted requested CAG ID into the requested CAG ID; and determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match.
Those skilled in the art should understand that the term user terminal covers any suitable type of wireless user equipment, such as a mobile phone, a portable data processing device, a portable web browser or a vehicle-mounted mobile station.
In general, the various embodiments of this application may be implemented in hardware or special-purpose circuits, software, logic, or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software executable by a controller, microprocessor or other computing device, although this application is not limited thereto.
Embodiments of this application may be implemented by a data processor of a mobile device executing computer program instructions, for example in a processor entity, or by hardware, or by a combination of software and hardware. The computer program instructions may be assembly instructions, instruction set architecture (Instruction Set Architecture, ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages.
The block diagram of any logic flow in the drawings of this application may represent program steps, or may represent interconnected logic circuits, modules and functions, or may represent a combination of program steps and logic circuits, modules and functions. The computer program may be stored in a memory. The memory may be of any type suitable for the local technical environment and may be implemented using any suitable data storage technology, such as, but not limited to, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), and optical memory devices and systems (digital video disc (Digital Video Disc, DVD) or compact disc (Compact Disc, CD)). Computer-readable media may include non-transitory storage media. The data processor may be of any type suitable for the local technical environment, such as, but not limited to, a general-purpose computer, a special-purpose computer, a microprocessor, a digital signal processor (Digital Signal Processing, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic device (Field-Programmable Gate Array, FPGA), and a processor based on a multi-core processor architecture.

Claims (34)

1. A method for accessing a closed access group, characterized by comprising:
encrypting a requested closed access group identifier (CAG ID) to obtain an encrypted requested CAG ID;
sending a registration request message, the registration request message including the encrypted requested CAG ID and a subscription concealed identifier (SUCI) of a terminal.
2. The method according to claim 1, characterized in that encrypting the requested CAG ID to obtain the encrypted requested CAG ID comprises:
encrypting the requested CAG ID using the public key of the home network to obtain the encrypted requested CAG ID.
3. The method according to claim 1, characterized in that encrypting the requested CAG ID to obtain the encrypted requested CAG ID comprises:
encrypting the requested CAG ID and the SUCI of the terminal jointly using the public key of the home network to obtain an extended SUCI of the terminal;
and sending the registration request message, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal, comprises:
sending a registration request message, the registration request message including the extended SUCI of the terminal.
4. The method according to any one of claims 1 to 3, characterized in that, before encrypting the CAG ID that the terminal requests to access, the method further comprises:
receiving a system broadcast message carrying a first CAG ID list;
matching a second CAG ID list configured on the terminal itself against the first CAG ID list to determine the CAG ID that the terminal requests to access.
5. The method according to claim 4, characterized in that matching the second CAG ID list configured on the terminal itself against the first CAG ID list to determine the requested CAG ID comprises:
matching the second CAG ID list configured on the terminal itself against the first CAG ID list, and determining that one CAG ID that is the same in the second CAG ID list and the first CAG ID list is the requested CAG ID.
6. The method according to claim 4, characterized in that, before receiving the system broadcast message carrying the first CAG ID list, the method further comprises:
configuring the second CAG ID list, the second CAG ID list including at least one CAG ID that is allowed to be accessed.
7. A method for accessing a closed access group, characterized by comprising:
receiving a registration request message sent by a terminal, the registration request message including an encrypted requested closed access group identifier (CAG ID) and a subscription concealed identifier (SUCI) of the terminal;
resolving the SUCI of the terminal to a subscription permanent identifier (SUPI) of the terminal, and decrypting the encrypted requested CAG ID into the requested CAG ID;
obtaining a first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match.
8. The method according to claim 7, characterized in that resolving the SUCI to the SUPI and decrypting the encrypted requested CAG ID into the requested CAG ID comprises:
a unified data management (UDM) or subscription identifier de-concealing function (SIDF) resolving the SUCI of the terminal to the SUPI of the terminal, and decrypting the encrypted requested CAG ID into the requested CAG ID;
the UDM or SIDF sending the SUPI of the terminal and the requested CAG ID to a mobility management function (AMF);
obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal comprises:
the AMF obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match, comprises:
the AMF determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match.
9. The method according to claim 8, characterized in that the UDM or SIDF resolving the SUCI of the terminal to the SUPI of the terminal and decrypting the encrypted requested CAG ID into the requested CAG ID comprises:
the UDM or SIDF resolving the SUCI of the terminal to the SUPI of the terminal, and using the public key of the terminal's home network to decrypt the encrypted requested CAG ID into the requested CAG ID.
10. The method according to claim 8, characterized in that receiving the registration request message sent by the terminal, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal, comprises:
receiving a registration request message sent by the terminal, the registration request message including an extended SUCI of the terminal, the extended SUCI of the terminal being obtained by jointly encrypting the requested CAG ID and the SUCI of the terminal using the public key of the terminal's home network;
the UDM or SIDF resolving the SUCI of the terminal to the SUPI of the terminal and decrypting the encrypted requested CAG ID into the requested CAG ID comprises:
the UDM or SIDF using the public key of the terminal's home network to decrypt the extended SUCI of the terminal into the requested CAG ID and the SUCI of the terminal, and resolving the SUCI of the terminal to the SUPI of the terminal.
11. The method according to any one of claims 7 to 10, characterized in that determining whether the requested CAG ID matches the first CAG ID list comprises:
determining whether the requested CAG ID is the same as any CAG ID in the first CAG ID list, and if so, determining that the requested CAG ID matches the first CAG ID list.
12. The method according to any one of claims 7 to 10, characterized in that obtaining the first CAG ID list from the home network of the terminal according to the SUPI comprises:
sending a CAG ID list request message to the home network of the terminal, the CAG ID list request message including the SUPI;
receiving the first CAG ID list sent by the home network of the terminal.
13. The method according to any one of claims 7 to 10, characterized in that, after determining whether the requested CAG ID matches the first CAG ID list, the method further comprises:
sending a registration reject message to the terminal if they do not match.
14. A method for accessing a closed access group, characterized by comprising:
encrypting a requested closed access group identifier (CAG ID) to obtain a first encrypted requested CAG ID;
sending a registration request message, the registration request message including the first encrypted requested CAG ID and the 5G globally unique temporary UE identity (5G-GUTI) of the terminal.
15. The method according to claim 14, characterized in that encrypting the requested CAG ID to obtain the first encrypted requested CAG ID comprises:
encrypting the requested CAG ID using the encryption key in the security context corresponding to the 5G-GUTI of the terminal to obtain the first encrypted requested CAG ID.
16. The method according to claim 14, characterized in that, after sending the registration request message, the method further comprises:
receiving an identity request message sent by a mobility management function (AMF);
encrypting the requested CAG ID using the public key of the home network to obtain a second encrypted requested CAG ID;
sending an identity response message to the AMF, the identity response message including the second encrypted requested CAG ID and a subscription concealed identifier (SUCI) of the terminal.
17. The method according to claim 14, characterized in that, after sending the registration request message, the method further comprises:
receiving an identity request message sent by an AMF;
encrypting the requested CAG ID and the SUCI of the terminal jointly using the public key of the home network to obtain an extended SUCI of the terminal;
sending an identity response message to the AMF, the identity response message including the extended SUCI of the terminal.
18. The method according to any one of claims 14 to 17, characterized in that, before encrypting the requested CAG ID to obtain the first encrypted requested CAG ID, the method further comprises:
receiving a system broadcast message carrying a first CAG ID list;
matching a second CAG ID list configured on the terminal itself against the first CAG ID list to determine the requested CAG ID.
19. The method according to any one of claims 14 to 17, characterized in that matching the second CAG ID list configured on the terminal itself against the first CAG ID list to determine the requested CAG ID comprises:
matching the second CAG ID list configured on the terminal itself against the first CAG ID list, and determining that one CAG ID that is the same in the second CAG ID list and the first CAG ID list is the requested CAG ID.
20. The method according to any one of claims 14 to 19, characterized in that, before receiving the system broadcast message carrying the first CAG ID list, the method further comprises:
configuring the second CAG ID list, the second CAG ID list including at least one CAG ID that is allowed to be accessed.
21. A method for accessing a closed access group, characterized by comprising:
receiving a registration request message sent by a terminal, the registration request message including a first encrypted requested closed access group identifier (CAG ID) and the 5G globally unique temporary UE identity (5G-GUTI) of the terminal;
determining, according to the 5G-GUTI of the terminal, whether the current mobility management function (AMF) is a history AMF that once served the terminal;
if the current AMF is a history AMF that once served the terminal, and the subscription permanent identifier (SUPI) of the terminal is stored in the current AMF, obtaining a first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypting the first encrypted requested CAG ID into the requested CAG ID;
determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match.
22. The method according to claim 21, characterized in that, after determining according to the 5G-GUTI of the terminal whether the current AMF is an AMF that once served the terminal, the method further comprises:
if the current AMF is a history AMF that once served the terminal, and the SUPI of the terminal is not stored in the current AMF, the current AMF sending an identity request message to the terminal;
receiving an identity response message sent by the terminal, the identity response message including a second encrypted requested CAG ID, encrypted by the terminal using the public key of the home network, and the subscription concealed identifier (SUCI) of the terminal;
a UDM or SIDF resolving the SUCI of the terminal to the SUPI of the terminal, and using the public key of the terminal's home network to decrypt the second encrypted requested CAG ID into the requested CAG ID;
obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match.
23. The method according to claim 21, characterized in that, after determining according to the 5G-GUTI of the terminal whether the current AMF is an AMF that once served the terminal, the method further comprises:
if the current AMF is a history AMF that once served the terminal, and the SUPI of the terminal is not stored in the current AMF, the current AMF sending an identity request message to the terminal;
receiving an identity response message sent by the terminal, the identity response message including an extended SUCI obtained by the terminal jointly encrypting the CAG ID that the terminal requests to access and the SUCI of the terminal using the public key of the home network;
the UDM or SIDF using the public key of the terminal's home network to decrypt the extended SUCI of the terminal into the requested CAG ID and the SUCI of the terminal, and resolving the SUCI of the terminal to the SUPI of the terminal;
the UDM or SIDF resolving the SUCI of the terminal to the SUPI of the terminal, and obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match.
24. The method according to claim 21, characterized in that, after determining according to the 5G-GUTI of the terminal whether the current AMF is an AMF that once served the terminal, the method further comprises:
if the current AMF has not served the terminal, the current AMF determining, according to the 5G-GUTI of the terminal, the history AMF that once served the terminal, and sending a context transfer request message for the terminal to the history AMF, the context transfer request message for the terminal including the 5G-GUTI of the terminal;
the current AMF receiving a context transfer response message sent by the history AMF, the context transfer response message including the security context of the terminal and the first CAG ID list;
the current AMF using the private key in the security context of the terminal to decrypt the first encrypted requested CAG ID into the requested CAG ID;
determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match.
25. The method according to claim 24, characterized in that, after the current AMF, if it has not served the terminal, determines according to the 5G-GUTI of the terminal the history AMF that once served the terminal and sends the context transfer request message for the terminal to the history AMF, the method further comprises:
if the current AMF does not receive the context transfer response message for the terminal sent by the history AMF, the current AMF sending an identity request message to the terminal;
receiving an identity response message sent by the terminal, the identity response message including a second encrypted requested CAG ID, encrypted by the terminal using the public key of the home network, and the SUCI of the terminal;
a UDM or SIDF resolving the SUCI of the terminal to the SUPI of the terminal, and using the public key of the terminal's home network to decrypt the second encrypted requested CAG ID into the requested CAG ID;
obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match.
26. The method according to claim 24, characterized in that, after the current AMF, if it has not served the terminal, determines according to the 5G-GUTI of the terminal the history AMF that once served the terminal and sends the context transfer request message for the terminal to the history AMF, the method further comprises:
if the current AMF does not receive the context transfer response message for the terminal sent by the history AMF, the current AMF sending an identity request message to the terminal;
receiving an identity response message sent by the terminal, the identity response message including an extended SUCI obtained by the terminal jointly encrypting the CAG ID that the terminal requests to access and the SUCI of the terminal using the public key of the home network;
the UDM or SIDF using the public key of the terminal's home network to decrypt the extended SUCI of the terminal into the requested CAG ID and the SUCI of the terminal, and resolving the SUCI of the terminal to the SUPI of the terminal;
obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
determining whether the requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if they match.
27. The method according to any one of claims 21 to 26, characterized in that determining whether the requested CAG ID matches the first CAG ID list comprises:
determining whether the requested CAG ID is the same as any CAG ID in the first CAG ID list, and if so, determining that the requested CAG ID matches the first CAG ID list.
28. The method according to any one of claims 21 to 26, characterized in that, after determining whether the requested CAG ID matches the first CAG ID list, the method further comprises:
sending a registration reject message to the terminal if they do not match.
29. a kind of device of access closure access group characterized by comprising
Encrypting module is set as encrypting the closure access group mark CAG ID requested access to, and the request encrypted is visited The CAG ID asked;
Sending module is set as sending login request message, includes requesting access to for the encryption in the login request message CAG ID and terminal user's hidden identification SUCI.
30. A device for accessing a closed access group, characterized by comprising:
a receiving module, configured to receive a registration request message sent by a terminal, the registration request message including an encrypted closed access group identifier (CAG ID) requested for access and the subscription concealed identifier (SUCI) of the terminal;
a deciphering module, configured to resolve the SUCI of the terminal to the subscription permanent identifier (SUPI) of the terminal, and to decrypt the encrypted CAG ID requested for access into the CAG ID requested for access;
an obtaining module, configured to obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
a judgment module, configured to determine whether the CAG ID requested for access matches the first CAG ID list, and if they match, to send a registration accept message to the terminal.
31. A device for accessing a closed access group, characterized by comprising:
an encrypting module, configured to encrypt the closed access group identifier (CAG ID) requested for access, to obtain a first-encrypted CAG ID requested for access;
a sending module, configured to send a registration request message, the registration request message including the first-encrypted CAG ID requested for access and the 5G globally unique temporary UE identity (5G-GUTI) of the terminal.
32. A device for accessing a closed access group, characterized by comprising:
a receiving module, configured to receive a registration request message sent by a terminal, the registration request message including a first-encrypted closed access group identifier (CAG ID) requested for access and the 5G globally unique temporary UE identity (5G-GUTI) of the terminal;
a deciphering module, configured to determine, according to the 5G-GUTI of the terminal, whether the current mobility management function (AMF) is a history AMF that once served the terminal;
an obtaining module, configured to, if the current AMF is a history AMF that once served the terminal and the subscription permanent identifier (SUPI) of the terminal is stored in the current AMF, obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypt the first-encrypted CAG ID requested for access into the CAG ID requested for access;
a judgment module, configured to determine whether the CAG ID requested for access matches the first CAG ID list, and if they match, to send a registration accept message to the terminal.
33. A system for accessing a closed access group, characterized by comprising a terminal and a network device;
the terminal includes the device for accessing a closed access group according to claim 29;
the network device includes the device for accessing a closed access group according to claim 30.
34. A system for accessing a closed access group, characterized by comprising a terminal and a network device;
the terminal includes the device for accessing a closed access group according to claim 31;
the network device includes the device for accessing a closed access group according to claim 32.
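The terminal-side encryption of claim 31 and the network-side handling of claims 32, 27 and 28, as an added Python example that is not part of the patent. The claims here do not name a cipher, so the HMAC-SHA-256 construction, the key shared between the terminal and the history AMF, the 4-byte CAG ID encoding, the message-name strings and the sample identifiers are all assumptions made for illustration.

```python
import hashlib, hmac, os

def _keys(k):
    # Separate encryption and MAC keys derived from the shared key (assumed scheme).
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())

def _pad(ke, nonce):
    # 4-byte keystream from SHA-256; a stand-in for a real cipher.
    return hashlib.sha256(ke + nonce).digest()[:4]

def _tag(km, data):
    return hmac.new(km, data, hashlib.sha256).digest()[:16]

def encrypt_cag_id(k, cag_id):
    """Terminal side (claim 31): first-encrypt the requested CAG ID."""
    ke, km = _keys(k)
    nonce = os.urandom(12)  # fresh per request, so ciphertexts do not repeat
    ct = bytes(a ^ b for a, b in zip(cag_id.to_bytes(4, "big"), _pad(ke, nonce)))
    return nonce + ct + _tag(km, nonce + ct)

def decrypt_cag_id(k, blob):
    ke, km = _keys(k)
    nonce, ct, tag = blob[:12], blob[12:16], blob[16:]
    if not hmac.compare_digest(tag, _tag(km, nonce + ct)):
        raise ValueError("CAG ID ciphertext failed integrity check")
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, _pad(ke, nonce))), "big")

class Amf:
    def __init__(self, contexts, home_network):
        self.contexts = contexts          # 5G-GUTI -> (SUPI, shared key) kept by a history AMF
        self.home_network = home_network  # SUPI -> first CAG ID list

    def handle_registration(self, guti, enc_cag_id):
        """Network side (claim 32) with the match and reject steps of claims 27 and 28."""
        ctx = self.contexts.get(guti)
        if ctx is None:                   # not a history AMF, or no SUPI stored
            return "IDENTITY_REQUEST"     # fall back to the identification exchange
        supi, key = ctx
        allowed = self.home_network.get(supi, [])
        try:
            requested = decrypt_cag_id(key, enc_cag_id)
        except ValueError:
            return "REGISTRATION_REJECT"  # tampered or wrong-key ciphertext fails closed
        return "REGISTRATION_ACCEPT" if requested in allowed else "REGISTRATION_REJECT"

# Constructed sample data: one stored context and its subscribed CAG IDs.
KEY = bytes(range(32))
AMF = Amf({"guti-0001": ("supi-0001", KEY)}, {"supi-0001": [0x0A0B0C01, 0x0A0B0C02]})
```

The CAG ID never appears in clear in the request, and every path other than an exact match against the subscribed list ends in a reject or a fresh identification exchange.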
CN201910754388.7A 2019-08-15 2019-08-15 The methods, devices and systems of access closure access group Pending CN110536293A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910754388.7A CN110536293A (en) 2019-08-15 2019-08-15 The methods, devices and systems of access closure access group
PCT/CN2020/109116 WO2021027916A1 (en) 2019-08-15 2020-08-14 Method, device and system for accessing closed access group

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910754388.7A CN110536293A (en) 2019-08-15 2019-08-15 The methods, devices and systems of access closure access group

Publications (1)

Publication Number Publication Date
CN110536293A true CN110536293A (en) 2019-12-03

Family

ID=68663523

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910754388.7A Pending CN110536293A (en) 2019-08-15 2019-08-15 The methods, devices and systems of access closure access group

Country Status (2)

Country Link
CN (1) CN110536293A (en)
WO (1) WO2021027916A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140018081A1 (en) * 2011-01-21 2014-01-16 Ubiquisys Limited Femtocell network
US20160105410A1 (en) * 2013-04-23 2016-04-14 Zte Corporation OMA DM Based Terminal Authentication Method, Terminal and Server
WO2019088599A1 (en) * 2017-10-31 2019-05-09 엘지전자 주식회사 Method for protecting data encrypted by home network key in wireless communication system and device therefor
CN110035433A (en) * 2018-01-11 2019-07-19 华为技术有限公司 Using the verification method and device of shared key, public key and private key

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3535996B1 (en) * 2016-11-07 2020-12-23 Apple Inc. Apparatus and machine readable storage medium for handling stickiness of ue-specific ran-cn association
CN109842880B (en) * 2018-08-23 2020-04-03 华为技术有限公司 Routing method, device and system
CN110536293A (en) * 2019-08-15 2019-12-03 中兴通讯股份有限公司 The methods, devices and systems of access closure access group

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on security for 5GS enhanced support of Vertical and LAN Services; (Release 16)", 3GPP TR 33.819 V1.1.0, 9 July 2019 (2019-07-09), pages 5 *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on enhancement of 5G System (5GS) for vertical and Local Area Network (LAN) services (Release 16)", 3GPP TR 23.734 V16.2.0, 11 June 2019 (2019-06-11), pages 6 *
ZTE CORPORATION, INTERDIGITAL: "S3-192343 Security threats and requirements on CAG ID privacy", 3GPP TSG_SA\WG3_SECURITY, no. 3, 28 June 2019 (2019-06-28) *

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11968533B2 (en) 2019-03-29 2024-04-23 Interdigital Patent Holdings, Inc. Methods and apparatus for secure access control in wireless communications
WO2020248624A1 (en) * 2019-06-13 2020-12-17 华为技术有限公司 Communication method, network device, user equipment and access network device
WO2021027916A1 (en) * 2019-08-15 2021-02-18 中兴通讯股份有限公司 Method, device and system for accessing closed access group
WO2021082528A1 (en) * 2019-10-30 2021-05-06 中国电信股份有限公司 Communication method, system, base station, and terminal
EP3866552A1 (en) * 2020-02-17 2021-08-18 NTT DoCoMo, Inc. Communication terminal, method for configuring a communication terminal, access management component and method for access management of a non-public network
WO2021165243A1 (en) * 2020-02-17 2021-08-26 Ntt Docomo, Inc. Communication terminal, method for configuring a communication terminal, access management component and method for access management of a non-public network
JP7186879B2 (en) 2020-02-17 2022-12-09 株式会社Nttドコモ Communication terminal, method of configuring communication terminal, access control component and method for access control of non-public network
JP2022524902A (en) * 2020-02-17 2022-05-11 株式会社Nttドコモ Communication terminals, how to configure communication terminals, access control components, and methods for access control of non-public networks
CN111405557B (en) * 2020-03-19 2022-03-15 中国电子科技集团公司第三十研究所 Method and system for enabling 5G network to flexibly support multiple main authentication algorithms
CN111405557A (en) * 2020-03-19 2020-07-10 中国电子科技集团公司第三十研究所 Method and system for enabling 5G network to flexibly support multiple main authentication algorithms
CN113453311A (en) * 2020-03-27 2021-09-28 华为技术有限公司 Method and device for processing information of closed access group
WO2021190217A1 (en) * 2020-03-27 2021-09-30 华为技术有限公司 Method and device for processing closed access group information
CN113453311B (en) * 2020-03-27 2022-12-13 华为技术有限公司 Method and device for processing information of closed access group
CN113543127B (en) * 2020-03-31 2023-02-17 大唐移动通信设备有限公司 Key generation method, device, equipment and computer readable storage medium
CN113543127A (en) * 2020-03-31 2021-10-22 大唐移动通信设备有限公司 Key generation method, device, equipment and computer readable storage medium
CN113498028A (en) * 2020-04-08 2021-10-12 维沃移动通信有限公司 CAG processing method and related equipment
CN113498028B (en) * 2020-04-08 2022-11-08 维沃移动通信有限公司 CAG processing method and related equipment
CN113518316A (en) * 2020-04-09 2021-10-19 维沃移动通信有限公司 CAG information processing method and device and communication equipment
WO2021208592A1 (en) * 2020-04-15 2021-10-21 华为技术有限公司 Communication method and apparatus
CN113573370B (en) * 2020-04-29 2022-09-13 中国移动通信有限公司研究院 Information processing method, network equipment, terminal and storage medium
WO2021218831A1 (en) * 2020-04-29 2021-11-04 中国移动通信有限公司研究院 Information processing method, network device, terminal, and storage medium
CN113573370A (en) * 2020-04-29 2021-10-29 中国移动通信有限公司研究院 Information processing method, network equipment, terminal and storage medium
WO2021235875A1 (en) * 2020-05-21 2021-11-25 Samsung Electronics Co., Ltd. Method and system for handling ue with cag subscription in wireless network
CN113973344A (en) * 2020-07-22 2022-01-25 中国电信股份有限公司 Non-public network access control method, base station and communication system
CN114071648A (en) * 2020-08-04 2022-02-18 中移(成都)信息通信科技有限公司 Information configuration method, device, equipment and medium
CN114071648B (en) * 2020-08-04 2023-04-07 中移(成都)信息通信科技有限公司 Information configuration method, device, equipment and medium

Also Published As

Publication number Publication date
WO2021027916A1 (en) 2021-02-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination