CN110536293A - Methods, devices and systems for accessing a closed access group - Google Patents
Methods, devices and systems for accessing a closed access group
- Publication number: CN110536293A (application CN201910754388.7A)
- Authority: CN (China)
- Prior art keywords: cag, terminal, access, list, amf
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04W12/00 — Security arrangements; Authentication; Protecting privacy or anonymity (H — Electricity; H04 — Electric communication technique; H04W — Wireless communication networks)
- H04W12/02 — Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H04W12/03 — Protecting confidentiality, e.g. by encryption
- H04W60/00 — Affiliation to network, e.g. registration; terminating affiliation with the network, e.g. de-registration
Abstract
The application proposes methods, devices and systems for accessing a closed access group (CAG). A method of accessing a closed access group comprises: encrypting the CAG ID that access is requested to, obtaining an encrypted requested CAG ID; and sending a Registration Request message that carries the encrypted requested CAG ID and the SUCI of the terminal.
Description
Technical field
This application relates to wireless communication networks, and in particular to methods, devices and systems for accessing a closed access group.
Background
The 3rd Generation Partnership Project (3GPP) has formulated specifications for various mobile networks. To support private networks served through the public network, 3GPP defines the Closed Access Group (CAG) mechanism.
A closed access group comprises a group of subscribers that may access one or more CAG cells, and is identified by a Closed Access Group Identity (CAG ID). With the CAG mechanism, access control can be applied to terminals accessing a private network.
In the current access control scheme for private networks, the CAG IDs the terminal is allowed to access are configured in the terminal, and the network carries the CAG ID list supported by the cell in the broadcast system information. After receiving the broadcast, the terminal selects a matching CAG ID as the CAG ID it requests access to, carries that CAG ID in the Registration Request message it sends to the network, and completes the registration procedure.
However, the CAG ID in the Registration Request message is carried in plaintext and sent over the air interface, so it is easily intercepted and leaked, which affects the security of the private network.
Summary of the invention
The application provides methods, devices and systems for accessing a closed access group, for improving the security of closed access groups.
An embodiment of the application provides a method of accessing a closed access group, comprising:
encrypting the requested CAG ID to obtain an encrypted requested CAG ID;
sending a Registration Request message, the Registration Request message carrying the encrypted requested CAG ID and the SUCI of the terminal.
An embodiment of the application provides a method of accessing a closed access group, comprising:
receiving a Registration Request message sent by a terminal, the Registration Request message carrying an encrypted requested CAG ID and the SUCI of the terminal;
resolving the SUCI of the terminal to the SUPI of the terminal, and decrypting the encrypted requested CAG ID to obtain the requested CAG ID;
obtaining a first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
judging whether the requested CAG ID matches the first CAG ID list, and sending a Registration Accept message to the terminal if it matches.
An embodiment of the application provides a method of accessing a closed access group, comprising:
encrypting the requested CAG ID to obtain a first encrypted requested CAG ID;
sending a Registration Request message, the Registration Request message carrying the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
An embodiment of the application provides a method of accessing a closed access group, comprising:
receiving a Registration Request message sent by a terminal, the Registration Request message carrying a first encrypted requested CAG ID and the 5G-GUTI of the terminal;
judging, according to the 5G-GUTI of the terminal, whether the current AMF is a historical AMF that previously served the terminal;
if the current AMF is a historical AMF that previously served the terminal and the SUPI of the terminal is stored in the current AMF, obtaining a first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypting the first encrypted requested CAG ID to obtain the requested CAG ID;
judging whether the requested CAG ID matches the first CAG ID list, and sending a Registration Accept message to the terminal if it matches.
An embodiment of the application provides a device for accessing a closed access group, comprising:
an encrypting module, configured to encrypt the requested CAG ID to obtain an encrypted requested CAG ID;
a sending module, configured to send a Registration Request message carrying the encrypted requested CAG ID and the SUCI of the terminal.
An embodiment of the application provides a device for accessing a closed access group, comprising:
a receiving module, configured to receive a Registration Request message sent by a terminal, the message carrying an encrypted requested CAG ID and the SUCI of the terminal;
a decrypting module, configured to resolve the SUCI of the terminal to the SUPI of the terminal and to decrypt the encrypted requested CAG ID to obtain the requested CAG ID;
an obtaining module, configured to obtain a first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
a judging module, configured to judge whether the requested CAG ID matches the first CAG ID list and, if it matches, to send a Registration Accept message to the terminal.
An embodiment of the application provides a device for accessing a closed access group, comprising:
an encrypting module, configured to encrypt the requested CAG ID to obtain a first encrypted requested CAG ID;
a sending module, configured to send a Registration Request message carrying the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
An embodiment of the application provides a device for accessing a closed access group, comprising:
a receiving module, configured to receive a Registration Request message sent by a terminal, the message carrying a first encrypted requested CAG ID and the 5G-GUTI of the terminal;
a decrypting module, configured to judge, according to the 5G-GUTI of the terminal, whether the current AMF is a historical AMF that previously served the terminal;
an obtaining module, configured to, if the current AMF is a historical AMF that previously served the terminal and the SUPI of the terminal is stored in the current AMF, obtain a first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypt the first encrypted requested CAG ID to obtain the requested CAG ID;
a judging module, configured to judge whether the requested CAG ID matches the first CAG ID list and, if it matches, to send a Registration Accept message to the terminal.
An embodiment of the application provides a system for accessing a closed access group, comprising a terminal and network equipment;
the terminal comprises the device for accessing a closed access group of the embodiment shown in Fig. 11;
the network equipment comprises the device for accessing a closed access group of the embodiment shown in Fig. 12.
An embodiment of the application provides a system for accessing a closed access group, comprising a terminal and network equipment;
the terminal comprises the device for accessing a closed access group of the embodiment shown in Fig. 13;
the network equipment comprises the device for accessing a closed access group of the embodiment shown in Fig. 14.
Brief description of the drawings
Fig. 1 is a flow diagram of private network access control provided by an embodiment of the application;
Fig. 2 is a flow chart of a method of accessing a closed access group provided by an embodiment;
Fig. 3 is a flow chart of another method of accessing a closed access group provided by an embodiment;
Fig. 4 is a flow chart of another method of accessing a closed access group provided by an embodiment;
Fig. 5 is a flow chart of another method of accessing a closed access group provided by an embodiment;
Fig. 6 is a flow chart of another method of accessing a closed access group provided by an embodiment;
Fig. 7 is a flow chart of another method of accessing a closed access group provided by an embodiment;
Fig. 8 is a flow chart of another method of accessing a closed access group provided by an embodiment;
Fig. 9 is an interaction diagram of a method of accessing a closed access group provided by an embodiment;
Fig. 10 is an interaction diagram of another method of accessing a closed access group provided by an embodiment;
Fig. 11 is a structural schematic diagram of a device for accessing a closed access group provided by an embodiment;
Fig. 12 is a structural schematic diagram of another device for accessing a closed access group provided by an embodiment;
Fig. 13 is a structural schematic diagram of another device for accessing a closed access group provided by an embodiment;
Fig. 14 is a structural schematic diagram of another device for accessing a closed access group provided by an embodiment;
Fig. 15 is a structural schematic diagram of a terminal provided by an embodiment.
Detailed description of embodiments
The embodiments of the application are described in detail below with reference to the drawings.
Fig. 1 is a flow diagram of private network access control provided by an embodiment of the application. As shown in Fig. 1, in conventional private network access, authentication and security verification of the mobile terminal (terminal for short) is completed in the network mainly by the Access and Mobility Management Function (AMF), the Unified Data Management (UDM) or Subscription Identifier De-concealing Function (SIDF), and the Authentication Server Function (AUSF). The AMF, UDM or SIDF and AUSF are the network elements that implement authentication and security verification in the network; each may be a physical device deployed in the network, or a functional module deployed in one or more physical network elements.
As shown in Fig. 1, first, in step S1010, the CAG ID list the terminal is allowed to access is configured in the terminal. This allowed list indicates that the terminal may only access the private networks corresponding to the CAG IDs in the list; here the allowed CAG ID list is, for example, {2, 3, 4, 5}.
Then, in step S1020, a base station in the network carries the CAG ID list supported by the cell in the broadcast system information; the cell's CAG ID list indicates the private networks that terminals in the cell are allowed to access. A terminal accessing the network through that base station receives the broadcast system information and so obtains the cell's CAG ID list, for example {1, 2, 3}.
In step S1030, when the terminal receives the broadcast system information, it compares the allowed CAG ID list configured in itself with the cell's CAG ID list it received, and selects one of the matching CAG IDs as the CAG ID it requests access to. Here the matching CAG IDs are {2, 3}, from which {2} is selected as the requested CAG ID.
In step S1040, having determined the requested CAG ID, the terminal starts the access procedure into the private network corresponding to that CAG ID. The terminal sends a Registration Request message to the network; the message carries the requested CAG ID and also the Subscription Concealed Identifier (SUCI) of the terminal. After receiving the Registration Request message from the terminal, the base station forwards it to the AMF so that authentication and security verification of the terminal's access to the private network can be performed.
In step S1050, the network elements that perform authentication and security verification of the terminal (AMF, AUSF, UDM or SIDF) run the authentication and security verification procedure with the terminal. As part of it, the UDM or SIDF resolves the SUCI of the terminal to the Subscription Permanent Identifier (SUPI) of the terminal and returns the SUPI to the AMF.
In step S1060, the AMF sends a request message to the home network of the terminal to obtain the allowed CAG ID list held in the home network; the request carries the SUPI of the terminal. The home network returns the allowed CAG ID list to the AMF, here {2, 3, 4, 5}.
In step S1070, the AMF judges whether the terminal is allowed to access the requested CAG, that is, whether the requested CAG ID in the Registration Request message is contained in the allowed CAG ID list obtained from the home network. If so, access is allowed; if not, access is refused. Here the requested CAG ID {2} is contained in the allowed CAG ID list {2, 3, 4, 5} obtained from the home network, so the terminal is allowed to access the private network.
In step S1080, the AMF returns a Registration Accept message to the terminal, that is, the terminal is allowed to access the private network.
If in step S1070 the AMF judges that the terminal is not allowed to access the requested CAG, then in step S1090 the AMF sends a Registration Reject message to the terminal.
As can be seen from the embodiment of Fig. 1, when the terminal requests access to a private network it carries the requested CAG ID in plaintext in the Registration Request message, and the Registration Request message is sent over the air interface. The CAG ID can therefore be leaked, which in turn may affect the security of the private network.
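The Fig. 1 flow written out end to end, as an added example that is not code from the application or its figures: the terminal selects a CAG ID from the intersection of its configured list and the cell broadcast, sends it in plaintext, and the AMF checks it against the list obtained from the home network by SUPI. The list values follow the walkthrough above; the SUCI and SUPI values, the message layout and the tie-break rule are constructed for this example.

```python
# Legacy CAG access of Fig. 1 (added example, not the application's code). List values
# follow the walkthrough above; SUCI/SUPI values, the message layout and the tie-break
# rule are constructed for this example.
TERMINAL_ALLOWED = [2, 3, 4, 5]                 # S1010: CAG IDs configured in the terminal
CELL_SUPPORTED = [1, 2, 3]                      # S1020: CAG IDs broadcast by the cell
SUCI_TO_SUPI = {"suci-001-01-0123456789": "imsi-001010123456789"}      # UDM/SIDF (S1050)
HOME_NETWORK_LISTS = {"imsi-001010123456789": [2, 3, 4, 5]}            # home network (S1060)


def select_cag_id(allowed, supported):
    """S1030: pick the requested CAG ID from the IDs common to both lists, or None if
    there is none. With several candidates the lowest ID is taken; the application
    leaves the rule open, so this is the example's choice."""
    common = sorted(set(allowed) & set(supported))
    return common[0] if common else None


def build_registration_request(suci, cag_id):
    """S1040: Registration Request with the requested CAG ID carried in plaintext."""
    return {"msg": "RegistrationRequest", "suci": suci, "cag_id": cag_id}


def air_interface_observer(msg):
    """Anyone capturing the air interface reads the CAG ID straight out of the message."""
    return msg["cag_id"]


def amf_decide(msg):
    """S1050-S1090: resolve SUCI to SUPI, fetch the allowed list from the home network
    by SUPI, and accept only if the requested CAG ID is in it."""
    supi = SUCI_TO_SUPI.get(msg["suci"])
    if supi is None:
        return "RegistrationReject"
    allowed = HOME_NETWORK_LISTS.get(supi, [])
    return "RegistrationAccept" if msg["cag_id"] in allowed else "RegistrationReject"


def run_legacy_flow(allowed=TERMINAL_ALLOWED, supported=CELL_SUPPORTED):
    """Terminal selection, plaintext request, what the eavesdropper learns, AMF verdict."""
    cag_id = select_cag_id(allowed, supported)
    if cag_id is None:
        return None, None, "no matching CAG, no Registration Request sent"
    req = build_registration_request("suci-001-01-0123456789", cag_id)
    return cag_id, air_interface_observer(req), amf_decide(req)


if __name__ == "__main__":
    print(run_legacy_flow())
```

The observer function is the whole point of the figure: the value the AMF later checks against the home network's list is the same value any receiver on the air interface obtains without any credential.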
Fig. 2 is a flow chart of a method of accessing a closed access group provided by an embodiment. As shown in Fig. 2, the method of this embodiment comprises the following steps.
Step S2010: encrypt the requested CAG ID to obtain an encrypted requested CAG ID.
The method of accessing a closed access group provided in this embodiment is applied to a terminal device in a mobile communication system, referred to as the terminal. When the terminal needs to access a private network, that is, a closed access group, it must send the requested CAG ID to the authentication and security verification devices in the network. Because the CAG ID is sent in plaintext and the Registration Request message carrying it is transmitted over the air interface, the CAG ID is easily leaked, which affects the security of the closed access group.
To solve this problem, in this embodiment, when the terminal needs to access a closed access group and has determined the requested CAG ID, it first encrypts the requested CAG ID, obtaining an encrypted requested CAG ID. Any existing encryption scheme may be used to encrypt the CAG ID, provided it corresponds to the decryption scheme in the network element that performs authentication and security verification of the terminal. The key used to encrypt the CAG ID may be obtained in one or more possible ways, and corresponds to the key held by the network element that performs authentication and security verification of the terminal.
Step S2020: send a Registration Request message, the Registration Request message carrying the encrypted requested CAG ID and the SUCI of the terminal.
After obtaining the encrypted requested CAG ID, the terminal can send the Registration Request message, which carries the encrypted requested CAG ID and the SUCI of the terminal. The terminal sends the Registration Request message over the air interface, and it is received by the base station the terminal accesses, that is, the serving base station of the cell in which the terminal is located. The base station that receives the Registration Request message forwards it to the network elements that perform authentication and security verification of the terminal, including the AMF, AUSF, UDM/SIDF and so on. These network elements can determine the home network of the terminal from the SUCI of the terminal and, after decrypting the encrypted requested CAG ID, obtain the CAG ID requested by the terminal. They can then perform authentication and security verification of the terminal according to steps S1050 to S1090 of the embodiment of Fig. 1, and so determine whether the terminal may access the CAG corresponding to the requested CAG ID. If the terminal is allowed to access that CAG, it receives a Registration Accept message; if it is not, it receives a Registration Reject message.
The method of accessing a closed access group provided in this embodiment encrypts the requested CAG ID and, having obtained the encrypted requested CAG ID, sends a Registration Request message carrying the encrypted requested CAG ID and the SUCI of the terminal. This provides a CAG access method that protects the closed access group: since the requested CAG ID is encrypted, leakage of the CAG ID through the Registration Request message sent over the air interface is avoided, and the security of CAG access is improved.
In one embodiment, the requested CAG ID is encrypted with the public key of the terminal's home network, obtaining the encrypted requested CAG ID. Since the Registration Request message sent by the terminal carries both the encrypted requested CAG ID and the SUCI of the terminal, the network element that performs authentication and security verification and receives the Registration Request message can identify the terminal's home network from the SUCI. The home network holds the private key corresponding to that public key and can therefore decrypt the encrypted requested CAG ID and obtain the requested CAG ID.
In one embodiment, encrypting with the public key of the home network may consist of encrypting the requested CAG ID and the SUCI of the terminal jointly, obtaining an extended SUCI of the terminal. After the terminal sends the Registration Request message, the network element that performs authentication and security verification and receives the message can identify the terminal's home network from related information of the terminal; the home network holds the private key corresponding to its public key and can therefore decrypt the extended SUCI, obtaining the requested CAG ID and the SUCI of the terminal.
Fig. 3 is a flow chart of another method of accessing a closed access group provided by an embodiment. As shown in Fig. 3, the method of this embodiment comprises the following steps.
Step S3010: receive a system broadcast message carrying a first CAG ID list.
When a terminal needs to access a CAG, it must first determine which CAGs it is allowed to access. The base station broadcasts a system message carrying the first CAG ID list, and terminals accessing that base station or within its coverage receive this system broadcast message. The first CAG ID list contains the IDs of at least one CAG that terminals are allowed to access.
Step S3020: match a second CAG ID list configured in the terminal against the first CAG ID list, and determine the CAG ID the terminal requests access to.
A CAG ID list is also configured in the terminal, referred to as the second CAG ID list; it contains the IDs of at least one CAG the terminal is allowed to access. The second CAG ID list is preset in the terminal: it may be preconfigured in the terminal, or configured for the terminal by the network equipment when the terminal registers in the network. The terminal matches the first CAG ID list against the second CAG ID list, and so determines the CAG ID it requests access to.
Matching the second CAG ID list configured in the terminal against the first CAG ID list may consist of determining a CAG ID present in both the second CAG ID list and the first CAG ID list as the requested CAG ID. The first and second CAG ID lists may have one identical CAG ID, more than one, or none. If the first and second CAG ID lists have no identical CAG ID, the terminal is not allowed to access any CAG; it cannot determine a requested CAG ID and therefore does not carry out the subsequent procedure. If the first and second CAG ID lists have exactly one identical CAG ID, that CAG ID is taken as the requested CAG ID. If the first and second CAG ID lists have two or more identical CAG IDs, any one of them may be chosen as the requested CAG ID, or one of them may be chosen as the requested CAG ID according to a preset rule.
In addition, before the system broadcast message carrying the first CAG ID list is received, the second CAG ID list may be configured in the terminal; the second CAG ID list contains at least one CAG ID that the terminal is allowed to access.
Step S3030: encrypt the requested CAG ID to obtain an encrypted requested CAG ID.
Step S3040: send a Registration Request message, the Registration Request message carrying the encrypted requested CAG ID and the SUCI of the terminal.
Steps S3030 and S3040 are similar to steps S2010 and S2020 and are not described again here.
Fig. 4 is a flow chart of another method of accessing a closed access group provided by an embodiment. As shown in Fig. 4, the method of this embodiment comprises the following steps.
Step S4010: receive a Registration Request message sent by a terminal, the Registration Request message carrying an encrypted requested CAG ID and the SUCI of the terminal.
The method of accessing a closed access group provided in this embodiment is applied to network equipment in a mobile communication system. This network equipment consists of the network elements that perform authentication and security verification of the terminal, including but not limited to one or more of the AMF, AUSF and UDM/SIDF. When the terminal needs to access a private network, that is, a closed access group, it must send the requested CAG ID to the authentication and security verification devices in the network. Because the CAG ID is sent in plaintext and the Registration Request message carrying it is transmitted over the air interface, the CAG ID is easily leaked, which affects the security of the closed access group.
To solve this problem, in this embodiment, the network element that performs authentication and security verification of the terminal receives the Registration Request message sent by the terminal, which carries the encrypted requested CAG ID and the SUCI of the terminal. The SUCI of the terminal can be resolved to obtain the SUPI of the terminal and thereby identify the terminal's home network, and the encrypted requested CAG ID can be decrypted to obtain the requested CAG ID. The network element that performs authentication and security verification can then use the SUPI of the terminal and the requested CAG ID to authenticate and verify the terminal and judge whether the terminal may access the CAG corresponding to the requested CAG ID. The encryption scheme the terminal uses for the encrypted requested CAG ID may be any existing scheme, corresponding to the decryption scheme in the network element that performs authentication and security verification; the key the terminal uses to encrypt the CAG ID may be obtained in one or more possible ways and corresponds to the key held by that network element.
Step S4020: resolve the SUCI of the terminal to the SUPI of the terminal, and decrypt the encrypted requested CAG ID to obtain the requested CAG ID.
After receiving the SUCI of the terminal and the encrypted CAG ID, the network element that performs authentication and security verification decrypts the encrypted requested CAG ID into the requested CAG ID and resolves the SUCI of the terminal. For example, the UDM/SIDF resolves the SUCI of the terminal to the SUPI of the terminal and decrypts the encrypted requested CAG ID into the requested CAG ID, and then sends the SUPI of the terminal and the requested CAG ID to the AMF.
In one embodiment, the terminal encrypts the requested CAG ID with the public key of the terminal's home network, obtaining the encrypted requested CAG ID. The UDM or SIDF that receives the Registration Request message resolves the SUCI of the terminal to the SUPI of the terminal; with the SUPI it can confirm the terminal's home network, and with the private key of the home network corresponding to that public key it decrypts the encrypted requested CAG ID into the requested CAG ID.
Step S4030: obtain a first CAG ID list from the home network of the terminal according to the SUPI of the terminal.
Having obtained the SUPI of the terminal, the network element that performs authentication and security verification can determine the terminal's home network from the SUPI, and can then obtain the first CAG ID list from the home network according to the SUPI. The first CAG ID list contains the IDs of at least one CAG that the terminal is allowed to access. For example, the AMF that receives the SUPI of the terminal and the requested CAG ID from the UDM/SIDF obtains the first CAG ID list from the home network of the terminal according to the SUPI.
In one embodiment, obtaining the first CAG ID list from the home network according to the SUPI comprises: sending a CAG ID list request message carrying the SUPI to the home network of the terminal, and receiving the first CAG ID list sent by the home network.
Step S4040: judge whether the requested CAG ID matches the first CAG ID list, and send a Registration Accept message to the terminal if it matches.
The network element that performs authentication and security verification then judges whether the requested CAG ID matches the first CAG ID list. If it matches, the terminal is determined to be able to access the CAG corresponding to the requested CAG ID, and a Registration Accept message can be sent to the terminal. For example, the AMF judges whether the requested CAG ID matches the first CAG ID list and, if it matches, sends a Registration Accept message to the terminal.
In one embodiment, judging whether the requested CAG ID matches the first CAG ID list consists of judging whether the requested CAG ID is identical to any CAG ID in the first CAG ID list. If it is, the requested CAG ID is determined to match the first CAG ID list; if the requested CAG ID is identical to none of the CAG IDs in the first CAG ID list, the requested CAG ID is determined not to match it.
In one embodiment, if the requested CAG ID is judged not to match the first CAG ID list, a Registration Reject message is sent to the terminal.
Fig. 5 is a flow chart of another method of accessing a closed access group provided by an embodiment. As shown in Fig. 5, the method provided by this embodiment includes the following steps.
Step S5010: receive the registration request message sent by the terminal, the registration request message including the terminal's extended SUCI; the extended SUCI is obtained by jointly encrypting the requested CAG ID and the terminal's SUCI with the public key of the terminal's home network.
In the embodiment shown in Fig. 4, the registration request message received from the terminal includes the encrypted requested CAG ID and the terminal's SUCI. In the present embodiment, the registration request message received from the terminal includes the terminal's extended SUCI, which is obtained by jointly encrypting the requested CAG ID and the terminal's SUCI with the public key of the terminal's home network.
Step S5020: the UDM or SIDF decrypts the terminal's extended SUCI with the public key of the terminal's home network into the requested CAG ID and the terminal's SUCI, and resolves the terminal's SUCI into the terminal's SUPI.
After the UDM or SIDF receives the extended SUCI, it can learn the terminal's home network from information related to the terminal and can therefore obtain the public key of the terminal's home network; it then uses that public key to decrypt the extended SUCI and obtain the requested CAG ID and the terminal's SUCI. The UDM or SIDF can further resolve the terminal's SUCI into the terminal's SUPI.
Step S5030: the UDM or SIDF sends the terminal's SUPI and the requested CAG ID to the AMF.
Step S5040: the AMF obtains the first CAG ID list from the terminal's home network according to the terminal's SUPI.
Step S5050: the AMF judges whether the requested CAG ID matches the first CAG ID list; if it matches, it sends a registration accept message to the terminal.
Steps S5030 to S5050 are similar to the authentication and security verification process of the embodiment shown in Fig. 1 and are not repeated here.
Fig. 6 is a flow chart of another method of accessing a closed access group provided by an embodiment. As shown in Fig. 6, the method provided by this embodiment includes the following steps.
Step S6010: encrypt the requested CAG ID to obtain a first encrypted requested CAG ID.
The method of accessing a closed access group provided by this embodiment applies to a terminal device in a mobile communication system, referred to as the terminal. When the terminal needs to access a private network, that is, a closed access group, it needs to send the requested CAG ID to the authentication and security verification device in the network. Since the CAG ID is sent in plaintext and the registration request message carrying it is transmitted over the air interface, the CAG ID is easily leaked, which in turn affects the security of the closed access group.
To solve this problem, in the present embodiment, when the terminal needs to access a closed access group and has determined the requested CAG ID, it first encrypts the requested CAG ID to obtain the first encrypted requested CAG ID. The encryption scheme used for the CAG ID can be any existing scheme, and corresponds to the decryption scheme in the network element that performs authentication and security verification on the terminal. The key used to encrypt the CAG ID may be of one or more possible kinds, and corresponds to the key held by the network element that performs authentication and security verification on the terminal.
Step S6020: send a registration request message that includes the first encrypted requested CAG ID and the terminal's 5G-GUTI.
After obtaining the first encrypted requested CAG ID, the terminal can send the registration request message, which includes the first encrypted requested CAG ID and the terminal's 5G Globally Unique Temporary UE Identity (5G-GUTI). The terminal sends the registration request message over the air interface, and the base station the terminal accesses, or the serving base station of the cell in which the terminal is located, receives it. The base station that receives the registration request message can forward it to the network elements that perform authentication and security verification on the terminal, including the AMF, AUSF, UDM/SIDF and so on. Each of these network elements can determine from the terminal's 5G-GUTI whether it previously served the terminal. If so, since a network element that once served the terminal retains various information related to the terminal, it can use that information directly to determine the terminal's home network and the key with which the terminal produced the first encrypted requested CAG ID, decrypt the first encrypted requested CAG ID to obtain the requested CAG ID, and obtain the first CAG ID list of CAGs the terminal is allowed to access. It then determines whether the terminal is able to access the CAG corresponding to the requested CAG ID. If the terminal is allowed to access that CAG, the terminal receives a registration accept message; if not, the terminal receives a registration reject message.
In the method of accessing a closed access group provided by this embodiment, the requested CAG ID is encrypted to obtain the first encrypted requested CAG ID, and a registration request message including the first encrypted requested CAG ID and the terminal's 5G-GUTI is then sent. This provides a method of accessing a closed access group that protects the closed access group: because the requested CAG ID is encrypted, leakage of the CAG ID through the registration request message sent over the air interface is avoided, and the security of CAG access is improved.
In one embodiment, encrypting the requested CAG ID to obtain the first encrypted requested CAG ID comprises: encrypting the requested CAG ID with the encryption key in the security context corresponding to the terminal's 5G-GUTI to obtain the first encrypted requested CAG ID. Because the registration request message sent by the terminal contains both the first encrypted requested CAG ID and the terminal's 5G-GUTI, the network element that performs authentication and security verification on the terminal and receives the registration request message can learn from the 5G-GUTI whether it previously served the terminal. If so, since a network element that once served the terminal retains various information related to the terminal, including the encryption key in the security context corresponding to the terminal's 5G-GUTI, it can directly decrypt the first encrypted requested CAG ID with that encryption key to obtain the requested CAG ID.
Fig. 7 is a flow chart of another method of accessing a closed access group provided by an embodiment. As shown in Fig. 7, the method provided by this embodiment includes the following steps.
Step S7010: encrypt the requested CAG ID to obtain the first encrypted requested CAG ID.
Step S7020: send a registration request message that includes the first encrypted requested CAG ID and the terminal's 5G-GUTI.
Steps S7010 and S7020 are identical to steps S6010 and S6020 and are not described again here.
Step S7030: receive an identity request message sent by the AMF.
After the terminal has sent the registration request message, if the network element that receives it once served the terminal, that network element may retain information related to the terminal and can therefore decrypt the first encrypted requested CAG ID. If, however, the receiving network element never served the terminal, or once served it but no longer retains the terminal's information, it cannot decrypt the first encrypted requested CAG ID. In that case the terminal receives an identity request message sent by the AMF. The identity request message is received because the first encrypted requested CAG ID could not be decrypted by way of the terminal's 5G-GUTI.
Step S7040: encrypt the requested CAG ID with the public key of the home network to obtain a second encrypted requested CAG ID.
After receiving the identity request message, the terminal can encrypt the requested CAG ID with the public key of its home network to obtain the second encrypted requested CAG ID.
Step S7050: send an identity response message to the AMF, the identity response message including the second encrypted requested CAG ID and the terminal's SUCI.
The terminal then sends an identity response message to the AMF that includes the second encrypted requested CAG ID and the terminal's SUCI. Because the identity response message contains both, the AMF that receives it can learn the terminal's home network from the SUCI, obtain the public key of the home network, and use that public key to decrypt the second encrypted requested CAG ID and obtain the requested CAG ID. The AMF can also obtain, according to the terminal's SUCI, the first CAG ID list of CAGs the terminal is allowed to access. It then determines whether the terminal is able to access the CAG corresponding to the requested CAG ID: if so, the terminal receives a registration accept message; if not, the terminal receives a registration reject message.
In one embodiment, after receiving the identity request message sent by the AMF, the terminal may instead jointly encrypt the requested CAG ID and its SUCI with the public key of the home network to obtain the terminal's extended SUCI, and then send an identity response message including the extended SUCI to the AMF. After the terminal sends the identity response message, the AMF that receives it can learn the terminal's home network from information related to the terminal, obtain the public key of the home network, and use that public key to decrypt the extended SUCI and obtain the requested CAG ID and the terminal's SUCI. The AMF can also obtain, according to the terminal's SUCI, the first CAG ID list of CAGs the terminal is allowed to access. It then determines whether the terminal is able to access the CAG corresponding to the requested CAG ID: if so, the terminal receives a registration accept message; if not, the terminal receives a registration reject message.
In one embodiment, before encrypting the requested CAG ID to obtain the first encrypted requested CAG ID, the method further includes: receiving a system broadcast message carrying the first CAG ID list; and matching the second CAG ID list configured on the terminal itself against the first CAG ID list to determine the requested CAG ID. The first CAG ID list includes the ID of at least one CAG that the terminal is allowed to access.
In one embodiment, matching the terminal's own configured second CAG ID list against the first CAG ID list to determine the requested CAG ID comprises: matching the second CAG ID list against the first CAG ID list and determining a CAG ID that appears in both lists to be the requested CAG ID. The two lists may have one or more CAG IDs in common, or none at all. If the first and second CAG ID lists have no CAG ID in common, the terminal is not allowed to access any CAG; it cannot determine a requested CAG ID and therefore does not continue with the subsequent procedure. If the lists have exactly one CAG ID in common, that CAG ID can be taken as the requested CAG ID. If the lists have two or more CAG IDs in common, any one of them may be chosen as the requested CAG ID, or one may be selected from them according to a default rule.
In addition, before the system broadcast message carrying the first CAG ID list is received, the second CAG ID list may be configured on the terminal; the second CAG ID list includes at least one CAG ID that the terminal is allowed to access.
Fig. 8 is a flow chart of another method of accessing a closed access group provided by an embodiment. As shown in Fig. 8, the method provided by this embodiment includes the following steps.
Step S8010: receive the registration request message sent by the terminal, the registration request message including the first encrypted requested CAG ID and the terminal's 5G-GUTI.
The method of accessing a closed access group provided by this embodiment applies to network devices in a mobile communication system, namely the network elements that perform authentication and security verification on the terminal, including but not limited to one or more of the AMF, AUSF and UDM/SIDF. When the terminal needs to access a private network, that is, a closed access group, it needs to send the requested CAG ID to the authentication and security verification device in the network. Since the CAG ID is sent in plaintext and the registration request message carrying it is transmitted over the air interface, the CAG ID is easily leaked, which in turn affects the security of the closed access group.
To solve this problem, in the present embodiment, the network element that performs authentication and security verification on the terminal receives the registration request message sent by the terminal, which includes the encrypted requested CAG ID and the terminal's 5G-GUTI. The network element can determine from the terminal's 5G-GUTI whether it previously served the terminal. The encryption scheme the terminal uses to produce the first encrypted requested CAG ID can be any existing scheme, and corresponds to the decryption scheme in the network element that performs authentication and security verification on the terminal; the key the terminal uses to encrypt the CAG ID may be of one or more possible kinds, and corresponds to the key held by that network element.
Step S8020: judge, according to the terminal's 5G-GUTI, whether the current AMF is a history AMF that once served the terminal.
After receiving the terminal's 5G-GUTI and the first encrypted requested CAG ID, the network element that performs authentication and security verification on the terminal first judges from the 5G-GUTI whether the current AMF is a history AMF that once served the terminal. Because a history AMF that once served the terminal retains information related to the terminal, whether the current AMF is such a history AMF can be judged from the terminal's 5G-GUTI.
Step S8030: if the current AMF is a history AMF that once served the terminal and the terminal's SUPI is stored in the current AMF, obtain the first CAG ID list from the terminal's home network according to the SUPI, and decrypt the first encrypted requested CAG ID into the requested CAG ID.
If the current AMF is a history AMF that once served the terminal, the terminal's SUPI may or may not still be stored in it. If the current AMF is such a history AMF and the terminal's SUPI is stored in it, the current AMF can obtain the first CAG ID list from the terminal's home network according to the SUPI and decrypt the first encrypted requested CAG ID into the requested CAG ID. The key and scheme the current AMF uses to decrypt the first encrypted requested CAG ID can be preconfigured in the terminal and the AMF, or can be what was saved for the terminal when the current AMF served it before. For example, the terminal's security context is stored in the current AMF and contains an encryption key; the terminal can then encrypt the requested CAG ID with the encryption key in the security context to obtain the first encrypted requested CAG ID, and the current AMF can decrypt the first encrypted requested CAG ID with the encryption key in the stored security context of the terminal.
Step S8040: judge whether the requested CAG ID matches the first CAG ID list; if it matches, send a registration accept message to the terminal.
This step is identical to step S4040 and is not described again here.
Step S8050: if the current AMF is a history AMF that once served the terminal but the terminal's SUPI is not stored in the current AMF, the current AMF sends an identity request message to the terminal.
If the current AMF is a history AMF that once served the terminal but no longer holds the terminal's SUPI, it cannot decrypt the first encrypted requested CAG ID sent by the terminal. The current AMF therefore sends an identity request message to the terminal, asking it to send the requested CAG ID again.
Step S8060: receive the identity response message sent by the terminal, the identity response message including the second encrypted requested CAG ID, which the terminal encrypted with the public key of the home network, and the terminal's SUCI.
After receiving the identity request message, the terminal, in order to keep the CAG ID secure, can encrypt the requested CAG ID with the public key of the home network to obtain the second encrypted requested CAG ID. The current AMF then receives the identity response message sent by the terminal, which includes the second encrypted requested CAG ID, encrypted by the terminal with the public key of the home network, and the terminal's SUCI.
Step S8070: the UDM or SIDF resolves the terminal's SUCI into the terminal's SUPI, and decrypts the second encrypted requested CAG ID into the requested CAG ID with the public key of the terminal's home network.
Step S8080: obtain the first CAG ID list from the terminal's home network according to the terminal's SUPI.
Step S8090: judge whether the requested CAG ID matches the first CAG ID list; if it matches, send a registration accept message to the terminal.
Steps S8070 to S8090 are similar to steps S5020 to S5050 of the embodiment shown in Fig. 4 and are not repeated here.
In one embodiment, the identity response message includes the terminal's extended SUCI, obtained by the terminal jointly encrypting the requested CAG ID and the terminal's SUCI with the public key of the home network. The UDM or SIDF then decrypts the terminal's extended SUCI with the public key of the terminal's home network into the requested CAG ID and the terminal's SUCI, and resolves the terminal's SUCI into the terminal's SUPI. Having resolved the SUCI into the SUPI, the UDM or SIDF obtains the first CAG ID list from the terminal's home network according to the SUPI. Whether the requested CAG ID matches the first CAG ID list is then judged, and if it matches, a registration accept message is sent to the terminal.
Step S8100: if the current AMF never served the terminal, the current AMF determines from the terminal's 5G-GUTI the history AMF that once served the terminal, and sends a context transfer request message for the terminal to the history AMF; the context transfer request message includes the terminal's 5G-GUTI.
If the current AMF never served the terminal, no information related to the terminal is stored in it. Since the current AMF has nevertheless received the terminal's 5G-GUTI, it can determine from the 5G-GUTI the history AMF that once served the terminal. The current AMF then sends a context transfer request message for the terminal, which includes the terminal's 5G-GUTI, to the history AMF.
Step S8110: the current AMF receives the context transfer response message sent by the history AMF, the context transfer response message including the terminal's security context and the first CAG ID list.
After receiving the context transfer response message sent by the history AMF, the current AMF knows the terminal's security context and can obtain the first CAG ID list.
Step S8120: the current AMF decrypts the first encrypted requested CAG ID into the requested CAG ID with the key in the terminal's security context.
Step S8130: judge whether the requested CAG ID matches the first CAG ID list; if it matches, send a registration accept message to the terminal.
If the history AMF that once served the terminal stores the terminal's security context, the current AMF can receive that security context from the history AMF and directly decrypt the first encrypted requested CAG ID with the key in the received security context. If the history AMF that once served the terminal no longer stores information related to the terminal, the current AMF must handle the situation in another way.
Step S8140: if the current AMF does not receive the context transfer response message for the terminal from the history AMF, the current AMF sends an identity request message to the terminal.
If the current AMF does not receive the context transfer response message for the terminal from the history AMF, it sends an identity request message to the terminal, asking the terminal to resend the CAG ID in a form the current AMF can decrypt.
Step S8150: receive the identity response message sent by the terminal, the identity response message including the second encrypted requested CAG ID, which the terminal encrypted with the public key of the home network, and the terminal's SUCI.
Step S8160: the UDM or SIDF resolves the terminal's SUCI into the terminal's SUPI, and decrypts the second encrypted requested CAG ID into the requested CAG ID with the public key of the terminal's home network.
Step S8170: obtain the first CAG ID list from the terminal's home network according to the terminal's SUPI.
Step S8180: judge whether the requested CAG ID matches the first CAG ID list; if it matches, send a registration accept message to the terminal.
Steps S8150 to S8180 are identical to steps S8060 to S8090 and are not described again here.
In one embodiment, the identity response message includes the terminal's extended SUCI, obtained by the terminal jointly encrypting the requested CAG ID and the terminal's SUCI with the public key of the home network. The UDM or SIDF then decrypts the terminal's extended SUCI with the public key of the terminal's home network into the requested CAG ID and the terminal's SUCI, and resolves the terminal's SUCI into the terminal's SUPI. Having resolved the SUCI into the SUPI, the UDM or SIDF obtains the first CAG ID list from the terminal's home network according to the SUPI. Whether the requested CAG ID matches the first CAG ID list is then judged, and if it matches, a registration accept message is sent to the terminal.
In one embodiment, judging whether the requested CAG ID matches the first CAG ID list comprises: judging whether the requested CAG ID is identical to any CAG ID in the first CAG ID list and, if so, determining that the requested CAG ID matches the first CAG ID list.
In one embodiment, after judging whether the requested CAG ID matches the first CAG ID list, the method further includes: sending a registration reject message to the terminal if they do not match.
Fig. 9 is an interaction diagram of a method of accessing a closed access group provided by an embodiment. As shown in Fig. 9, the method provided by this embodiment includes the following steps.
Step S9010: the mobile terminal is configured with the list of CAG IDs it is allowed to access, for example {2, 3, 4, 5}.
Step S9020: the network carries the list of CAG IDs supported by the cell, for example {1, 2, 3}, in the broadcast system message.
Step S9030: after receiving the message, the terminal compares the two lists and selects one of the matching CAG IDs as the requested CAG ID, for example 2 from {2, 3}.
Step S9040: the terminal encrypts the requested CAG ID with the public key of its home network to obtain the encrypted requested CAG ID; alternatively, the terminal jointly encrypts the requested CAG ID and the SUPI with the public key of the home network to obtain the extended SUCI. The terminal sends a registration request message to the network carrying the encrypted requested CAG ID, and the request message also carries the SUCI; in the joint-encryption case, the request message carries the extended SUCI (2) instead.
Step S9050: authentication and security procedure, in which the UDM/SIDF resolves the SUCI into the SUPI and also resolves the encrypted requested CAG ID into the requested CAG ID; the UDM/SIDF returns the SUPI and the requested CAG ID to the AMF.
Step S9060: the AMF obtains the list of allowed CAG IDs from the home network, carrying the SUPI parameter in the request message; the list is, for example, {2, 3, 4, 5}.
Step S9070 (access control): the AMF judges whether the terminal is allowed to access the CAG. Specifically, the AMF judges whether the CAG ID received in the registration message is contained in the list of allowed CAG IDs obtained from the home network; if so, access is allowed, otherwise it is not. For example, 2 is in {2, 3, 4, 5}, so access is allowed.
Step S9080: if access is allowed, the AMF returns a registration accept message to the terminal.
Step S9090: if access is not allowed, the AMF returns a registration reject message to the terminal.
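The terminal-side list matching of steps S9010 to S9030 (the second-list matching described for the embodiment of Fig. 7) and the AMF access control of steps S9070 to S9090, as an added Python example that is not part of the patent. The lists are the ones used in the steps above. The patent leaves the "default rule" for several matching CAG IDs open; choosing the lowest CAG ID is an assumption made here, as are the function names.

```python
"""Constructed example (not the patent's code): terminal-side CAG ID selection and
AMF access control. The default rule for several matches (lowest CAG ID) and the
function names are assumptions."""
from typing import Iterable, Optional


def select_cag_id(second_list: Iterable[int], first_list: Iterable[int],
                  default_rule=min) -> Optional[int]:
    """Terminal side: intersect the terminal's configured (second) CAG ID list with
    the broadcast (first) CAG ID list. None means nothing matched: the terminal
    cannot determine a requested CAG ID and does not send a registration request."""
    matched = set(second_list) & set(first_list)
    if not matched:
        return None
    if len(matched) == 1:
        return next(iter(matched))
    return default_rule(matched)  # assumed default rule when several CAG IDs match


def access_control(requested_cag: Optional[int], allowed: Iterable[int]) -> str:
    """AMF side (steps S4040 / S9070): the requested CAG ID must appear in the first
    CAG ID list the AMF fetched from the home network by SUPI; anything else,
    including a missing CAG ID, is a registration reject."""
    if requested_cag is not None and requested_cag in set(allowed):
        return "REGISTRATION_ACCEPT"
    return "REGISTRATION_REJECT"


def walk_through() -> dict:
    """Runs the numbers of steps S9010 to S9070 plus two failure cases."""
    configured = [2, 3, 4, 5]       # S9010: list configured on the terminal
    broadcast = [1, 2, 3]           # S9020: list in the cell's system broadcast
    requested = select_cag_id(configured, broadcast)   # S9030: {2, 3} -> 2
    home_allowed = [2, 3, 4, 5]     # S9060: list returned by the home network
    return {
        "requested": requested,
        "decision": access_control(requested, home_allowed),   # S9070: 2 is allowed
        "no_match": select_cag_id([6, 7], broadcast),          # nothing in common
        "not_allowed": access_control(9, home_allowed),        # 9 is not in the list
    }
```

The `None` return of `select_cag_id` is the case the Fig. 7 embodiment describes in words: with no CAG ID in common the terminal never starts the procedure, and `access_control` treats a missing CAG ID the same as one not in the list, so the AMF's default is to reject.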
Figure 10 is the interaction diagrams of the method for another access closure access group that an embodiment provides, such as Figure 10 institute
Show, method provided in this embodiment includes the following steps.
Step S10010: a list of CAG IDs that the terminal is allowed to access is configured on the mobile terminal, for example {2,3,4,5}.
Step S10020: the network carries the list of CAG IDs supported by the cell in a broadcast system message, for example {1,2,3}.
Step S10030: after receiving the message, the terminal compares the two lists and selects one of the matching CAG IDs as the CAG ID requested to be accessed, for example 2 from the matching set {2,3}.
Step S10040: if the terminal holds a temporary subscriber identity (5G-GUTI) and a security context for the visited network at which it requests registration, the terminal encrypts the requested CAG ID with the encryption key in that security context to obtain the encrypted requested CAG ID. The terminal then sends a registration request message to the network carrying the encrypted requested CAG ID; the 5G-GUTI is also carried in the request message.
Step S10050: if the current AMF that receives the registration message (the new AMF) is the AMF that last served the terminal (the old AMF) and still holds the SUPI and security context of the terminal, it decrypts the encrypted requested CAG ID with the encryption key in that security context. If the new AMF is not the old AMF that last served the terminal, the new AMF sends a terminal context transfer request message to the old AMF, carrying the 5G-GUTI.
Step S10060: the old AMF returns the SUPI and security context of the terminal to the new AMF, which can then decrypt the encrypted requested CAG ID with the encryption key in the security context. The returned message also includes the list of CAG IDs the terminal is allowed to access, for example {2,3,4,5}.
Step S10070: if the old AMF does not hold the SUPI and context of the terminal, the new AMF sends an identification request message to the terminal.
Step S10080: the terminal encrypts the requested CAG ID with the public key of its home network to obtain the encrypted requested CAG ID; alternatively, the terminal encrypts the requested CAG ID and the SUPI together with the home network public key to obtain an extended SUCI. The terminal returns an identification response message to the new AMF carrying the encrypted requested CAG ID, with the SUCI also carried in the response; in the joint-encryption case, the response message carries the extended SUCI instead.
Step S10090: authentication and security procedure. If step S10060 successfully returned the SUPI, no SUCI resolution or CAG ID decryption is needed in this step. If step S10060 was unsuccessful, the UDM/SIDF resolves the SUCI to the SUPI during this step and also decrypts the encrypted requested CAG ID to the requested CAG ID; the UDM/SIDF returns the SUPI and the requested CAG ID to the AMF.
Step S10100: if step S10060 was unsuccessful, the AMF obtains the list of allowed CAG IDs from the home network, the request message carrying the SUPI as parameter; for example {2,3,4,5}.
Step S10110 (access control): the AMF judges whether the terminal is allowed to access the CAG. Specifically, the AMF checks whether the CAG ID received in the registration message is included in the list of allowed CAG IDs obtained from the home network: if so, access is permitted; if not, access is refused. For example, 2 is in {2,3,4,5}, so access is permitted.
Step S10120: if access is permitted, the AMF returns a registration accept message to the terminal.
Step S10130: if access is refused, the AMF returns a registration reject message to the terminal.
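The security-context branch of the procedure above (Steps S10030 to S10060 and S10110 to S10130), as an added example that is not the patent's own code: the terminal picks a CAG ID from the intersection of its configured and broadcast lists and encrypts it under the encryption key of its security context; the new AMF either decrypts with its own stored context, fetches the context (with the SUPI and the allowed CAG ID list) from the old AMF, or reports that it must fall back to an identification request. The cipher (AES-GCM), the 32-bit CAG ID width, the 5G-GUTI strings and the subscription data are assumptions made for illustration; the patent does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"slices"
)

// CAGID is a closed access group identifier; the 32-bit width is an assumption.
type CAGID uint32

// selectCAG is Step S10030: the first configured CAG ID that the cell also broadcasts.
func selectCAG(configured, broadcast []CAGID) (CAGID, bool) {
	for _, c := range configured {
		if slices.Contains(broadcast, c) {
			return c, true
		}
	}
	return 0, false
}

// secCtx is what an AMF keeps per 5G-GUTI after an earlier registration: the
// encryption key of the security context, the SUPI and the allowed CAG ID list
// obtained from the home network (the old AMF returns all three in Step S10060).
type secCtx struct {
	key     []byte
	supi    string
	allowed []CAGID
}

// gcm wraps the security-context key in AES-GCM. The patent only says
// "encryption key in the security context"; AES-GCM is the assumed cipher.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptCAG is Step S10040 on the terminal: output is nonce || AES-GCM(CAG ID).
func encryptCAG(key []byte, id CAGID) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, binary.BigEndian.AppendUint32(nil, uint32(id)), nil), nil
}

// decryptCAG is the AMF side of Steps S10050/S10060; a wrong key or a modified
// ciphertext fails authentication instead of yielding a garbage CAG ID.
func decryptCAG(key, enc []byte) (CAGID, error) {
	g, err := gcm(key)
	if err != nil {
		return 0, err
	}
	if len(enc) < g.NonceSize() {
		return 0, errors.New("encrypted CAG ID too short")
	}
	pt, err := g.Open(nil, enc[:g.NonceSize()], enc[g.NonceSize():], nil)
	if err != nil || len(pt) != 4 {
		return 0, errors.New("encrypted CAG ID does not decrypt")
	}
	return CAGID(binary.BigEndian.Uint32(pt)), nil
}

// Outcomes of the new AMF's handling of a registration request carrying a 5G-GUTI.
const (
	Accept       = "registration accept"
	Reject       = "registration reject"
	NeedIdentity = "identification request" // Step S10070: fall back to SUCI
)

// handleRegistration is Steps S10050-S10070 and S10110-S10130 at the new AMF.
// newAMF and oldAMF map 5G-GUTI to stored context; a context found only at the
// old AMF is obtained through the context transfer exchange (Step S10060).
func handleRegistration(newAMF, oldAMF map[string]secCtx, guti string, encCAG []byte) string {
	c, ok := newAMF[guti]
	if !ok {
		if c, ok = oldAMF[guti]; !ok {
			return NeedIdentity
		}
		newAMF[guti] = c // context transfer response: key, SUPI, allowed list
	}
	id, err := decryptCAG(c.key, encCAG)
	if err != nil {
		return Reject // do not guess a CAG ID from an undecryptable field
	}
	if slices.Contains(c.allowed, id) {
		return Accept
	}
	return Reject
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit security-context key
	oldAMF := map[string]secCtx{"5g-guti-A": {key, "imsi-001010123456789", []CAGID{2, 3, 4, 5}}}
	newAMF := map[string]secCtx{}
	id, _ := selectCAG([]CAGID{2, 3, 4, 5}, []CAGID{1, 2, 3})
	enc, err := encryptCAG(key, id)
	if err != nil {
		panic(err)
	}
	fmt.Println("CAG ID", id, "->", handleRegistration(newAMF, oldAMF, "5g-guti-A", enc))
}
```

The rejection on a failed decryption is the point a practitioner should keep: because the CAG ID is protected with an authenticated cipher, a request whose encrypted CAG ID does not verify under the stored context is rejected outright rather than parsed, so an attacker who replays or alters the field cannot steer the access-control check.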
Figure 11 is a schematic structural diagram of a device for accessing a closed access group provided by an embodiment. As shown in Figure 11, the device for accessing a closed access group provided by this embodiment includes: an encrypting module 111, configured to encrypt the CAG ID requested to be accessed and obtain the encrypted requested CAG ID; and a sending module 112, configured to send a registration request message that includes the encrypted requested CAG ID and the SUCI of the terminal.
The device for accessing a closed access group provided by this embodiment is used to implement the method of accessing a closed access group of the embodiment shown in Figure 2; its implementation principle and technical effect are similar and are not repeated here.
Figure 12 is a schematic structural diagram of another device for accessing a closed access group provided by an embodiment. As shown in Figure 12, the device for accessing a closed access group provided by this embodiment includes: a receiving module 121, configured to receive a registration request message sent by the terminal, the registration request message including the encrypted CAG ID requested to be accessed and the SUCI of the terminal; a decrypting module 122, configured to resolve the SUCI of the terminal to the SUPI of the terminal and to decrypt the encrypted requested CAG ID to the requested CAG ID; an obtaining module 123, configured to obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal; and a judging module 124, configured to judge whether the requested CAG ID matches the first CAG ID list and, if it matches, to send a registration accept message to the terminal.
The device for accessing a closed access group provided by this embodiment is used to implement the method of accessing a closed access group of the embodiment shown in Figure 4; its implementation principle and technical effect are similar and are not repeated here.
Figure 13 is a schematic structural diagram of another device for accessing a closed access group provided by an embodiment. As shown in Figure 13, the device for accessing a closed access group provided by this embodiment includes: an encrypting module 131, configured to encrypt the CAG ID requested to be accessed and obtain the first encrypted requested CAG ID; and a sending module 132, configured to send a registration request message that includes the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
The device for accessing a closed access group provided by this embodiment is used to implement the method of accessing a closed access group of the embodiment shown in Figure 6; its implementation principle and technical effect are similar and are not repeated here.
Figure 14 is a schematic structural diagram of another device for accessing a closed access group provided by an embodiment. As shown in Figure 14, the device for accessing a closed access group provided by this embodiment includes: a receiving module 141, configured to receive a registration request message sent by the terminal, the registration request message including the first encrypted CAG ID requested to be accessed and the 5G-GUTI of the terminal; a decrypting module 142, configured to judge, according to the 5G-GUTI of the terminal, whether the current AMF is a history AMF that once served the terminal; an obtaining module 143, configured, if the current AMF is a history AMF that once served the terminal and the SUPI of the terminal is stored in the current AMF, to obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal and to decrypt the first encrypted requested CAG ID to the requested CAG ID; and a judging module 144, configured to judge whether the requested CAG ID matches the first CAG ID list and, if it matches, to send a registration accept message to the terminal.
The device for accessing a closed access group provided by this embodiment is used to implement the method of accessing a closed access group of the embodiment shown in Figure 8; its implementation principle and technical effect are similar and are not repeated here.
An embodiment of the application also provides a system for accessing a closed access group, including a terminal and a network device, wherein the terminal includes the device for accessing a closed access group of the embodiment shown in Figure 11 and the network device includes the device for accessing a closed access group of the embodiment shown in Figure 12.
An embodiment of the application also provides a system for accessing a closed access group, including a terminal and a network device, wherein the terminal includes the device for accessing a closed access group of the embodiment shown in Figure 13 and the network device includes the device for accessing a closed access group of the embodiment shown in Figure 14.
Figure 15 is a schematic structural diagram of a terminal provided by an embodiment. As shown in Figure 15, the terminal includes a processor 151, a memory 152, a transmitter 153 and a receiver 154. There may be one or more processors 151 in the terminal; Figure 15 takes one processor 151 as an example. The processor 151, memory 152, transmitter 153 and receiver 154 in the terminal may be connected by a bus or in other ways; Figure 15 takes connection by a bus as an example.
The memory 152, as a computer-readable storage medium, may be configured to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the method of accessing a closed access group in the embodiments of Figures 2 and 3 or Figures 6 and 7 of the application (for example, the encrypting module 111 and sending module 112 of the device for accessing a closed access group, or the encrypting module 131 and sending module 132 of the device for accessing a closed access group). By running the software programs, instructions and modules stored in the memory 152, the processor 151 performs at least one functional application and data processing of the terminal, that is, implements the method of accessing a closed access group of Figures 2 and 3 or Figures 6 and 7.
The memory 152 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system and the application programs required for at least one function, and the data storage area may store data created according to the use of the terminal, and the like. In addition, the memory 152 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device.
The transmitter 153 is a module or combination of devices capable of transmitting radio-frequency signals into space, for example a combination including a radio-frequency transmitter, an antenna and other devices. The receiver 154 is a module or combination of devices capable of receiving radio-frequency signals from space, for example a combination including a radio-frequency receiver, an antenna and other devices.
An embodiment of the application also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a method of accessing a closed access group, the method including: encrypting the CAG ID requested to be accessed to obtain the encrypted requested CAG ID; and sending a registration request message that includes the encrypted requested CAG ID and the SUCI of the terminal.
An embodiment of the application also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a method of accessing a closed access group, the method including: receiving a registration request message sent by the terminal, the registration request message including the encrypted CAG ID requested to be accessed and the SUCI of the terminal; resolving the SUCI of the terminal to the SUPI of the terminal and decrypting the encrypted requested CAG ID to the requested CAG ID; obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal; and judging whether the requested CAG ID matches the first CAG ID list and, if it matches, sending a registration accept message to the terminal.
An embodiment of the application also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a method of accessing a closed access group, the method including: encrypting the CAG ID requested to be accessed to obtain the first encrypted requested CAG ID; and sending a registration request message that includes the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
An embodiment of the application also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a method of accessing a closed access group, the method including: receiving a registration request message sent by the terminal, the registration request message including the first encrypted CAG ID requested to be accessed and the 5G-GUTI of the terminal; judging, according to the 5G-GUTI of the terminal, whether the current AMF is a history AMF that once served the terminal; if the current AMF is a history AMF that once served the terminal and the SUPI of the terminal is stored in the current AMF, obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal and decrypting the first encrypted requested CAG ID to the requested CAG ID; and judging whether the requested CAG ID matches the first CAG ID list and, if it matches, sending a registration accept message to the terminal.
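The extended SUCI used by the SUCI-based methods restated above (and in Steps S10080 to S10110 of Figure 10), as an added example that is not the patent's own code: the terminal encrypts its SUPI and the requested CAG ID together to the home network public key, the UDM/SIDF recovers both, and the AMF looks up the allowed CAG ID list by SUPI before the access-control check. The concrete scheme (ephemeral X25519, X9.63-style SHA-256 key derivation, AES-128-CTR with an HMAC-SHA-256 tag, modelled loosely on the ECIES profile that 5G SUCIs use), the 8-byte tag, the 32-bit CAG ID width and the subscription data are assumptions made for illustration; the patent specifies only "encryption with the public key of the home network".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"slices"
)

// CAGID is a closed access group identifier; the 32-bit width is an assumption.
type CAGID uint32

const tagLen = 8 // MAC tag length in bytes; assumed, the patent fixes none

// kdf derives a 16-byte AES-CTR key and a 32-byte HMAC key from the X25519
// shared secret and the ephemeral public key, X9.63 style (SHA-256 with a counter).
func kdf(shared, ephPub []byte) (encKey, macKey []byte) {
	var out []byte
	for ctr := uint32(1); len(out) < 48; ctr++ {
		h := sha256.New()
		h.Write(shared)
		h.Write(binary.BigEndian.AppendUint32(nil, ctr))
		h.Write(ephPub)
		out = h.Sum(out)
	}
	return out[:16], out[16:48]
}

// ctrXOR is AES-128-CTR with a zero IV, safe only because every extended SUCI
// uses a fresh ephemeral key pair and therefore a fresh key.
func ctrXOR(key, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, make([]byte, block.BlockSize())).XORKeyStream(out, in)
	return out, nil
}

// makeExtendedSUCI is the terminal side (Step S10080): SUPI and the requested
// CAG ID are encrypted jointly to the home network public key.
// Layout: ephemeral public key (32 bytes) || ciphertext || HMAC tag.
func makeExtendedSUCI(hnPub *ecdh.PublicKey, supi string, id CAGID) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(hnPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	encKey, macKey := kdf(shared, ephPub)
	ct, err := ctrXOR(encKey, append([]byte(supi), binary.BigEndian.AppendUint32(nil, uint32(id))...))
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return append(append(ephPub, ct...), mac.Sum(nil)[:tagLen]...), nil
}

// HomeNetwork stands in for UDM/SIDF: the home network private key and the
// per-SUPI allowed CAG ID lists (constructed subscription data).
type HomeNetwork struct {
	priv *ecdh.PrivateKey
	subs map[string][]CAGID
}

func newHomeNetwork(subs map[string][]CAGID) (*HomeNetwork, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HomeNetwork{priv, subs}, nil
}

// resolve is Step S10090 at UDM/SIDF: verify the tag first, then recover the
// SUPI and the requested CAG ID with the home network private key.
func (hn *HomeNetwork) resolve(ext []byte) (string, CAGID, error) {
	if len(ext) < 32+4+tagLen {
		return "", 0, errors.New("extended SUCI too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(ext[:32])
	if err != nil {
		return "", 0, err
	}
	shared, err := hn.priv.ECDH(ephPub)
	if err != nil {
		return "", 0, err
	}
	encKey, macKey := kdf(shared, ext[:32])
	ct, tag := ext[32:len(ext)-tagLen], ext[len(ext)-tagLen:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil)[:tagLen], tag) {
		return "", 0, errors.New("extended SUCI tag mismatch")
	}
	pt, err := ctrXOR(encKey, ct)
	if err != nil {
		return "", 0, err
	}
	return string(pt[:len(pt)-4]), CAGID(binary.BigEndian.Uint32(pt[len(pt)-4:])), nil
}

// registerWithSUCI is Steps S10080-S10110 end to end: true is registration
// accept, false is registration reject.
func registerWithSUCI(hn *HomeNetwork, supi string, id CAGID) (bool, error) {
	ext, err := makeExtendedSUCI(hn.priv.PublicKey(), supi, id) // terminal
	if err != nil {
		return false, err
	}
	gotSUPI, gotCAG, err := hn.resolve(ext) // UDM/SIDF
	if err != nil {
		return false, err
	}
	return slices.Contains(hn.subs[gotSUPI], gotCAG), nil // AMF, Steps S10100/S10110
}

func main() {
	hn, err := newHomeNetwork(map[string][]CAGID{"imsi-001010123456789": {2, 3, 4, 5}})
	if err != nil {
		panic(err)
	}
	for _, id := range []CAGID{2, 6} {
		ok, err := registerWithSUCI(hn, "imsi-001010123456789", id)
		fmt.Println("CAG ID", id, "accepted:", ok, err)
	}
}
```

Binding the CAG ID to the SUPI inside one authenticated ciphertext is what makes the joint-encryption variant attractive: the visited network never sees either value in clear, and a tampered or replayed field fails the tag check before any list lookup happens.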
Those skilled in the art will understand that the term user terminal covers wireless user equipment of any suitable type, such as a mobile phone, a portable data processing device, a portable web browser or a vehicle-mounted mobile platform.
In general, the various embodiments of the application may be implemented in hardware or special-purpose circuits, software, logic or any combination thereof. For example, some aspects may be implemented in hardware while other aspects may be implemented in firmware or software executable by a controller, microprocessor or other computing device, although the application is not limited thereto.
Embodiments of the application may be realized by a data processor of a mobile device executing computer program instructions, for example in a processor entity, or by hardware, or by a combination of software and hardware. The computer program instructions may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages.
The block diagram of any logic flow in the drawings may represent program steps, or interconnected logic circuits, modules and functions, or a combination of program steps and logic circuits, modules and functions. A computer program may be stored in a memory. The memory may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as, but not limited to, read-only memory (ROM), random access memory (RAM), and optical memory devices and systems (digital video disc (DVD) or compact disc (CD)). Computer-readable media may include non-transitory storage media. The data processor may be of any type suitable to the local technical environment, such as, but not limited to, a general-purpose computer, a special-purpose computer, a microprocessor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) and a processor based on a multi-core processor architecture.
Claims (34)
1. A method of accessing a closed access group, comprising:
encrypting a closed access group identifier (CAG ID) requested to be accessed, to obtain an encrypted requested CAG ID;
sending a registration request message, the registration request message including the encrypted requested CAG ID and a subscription concealed identifier (SUCI) of a terminal.
2. The method according to claim 1, wherein encrypting the requested CAG ID to obtain the encrypted requested CAG ID comprises:
encrypting the requested CAG ID with a public key of a home network, to obtain the encrypted requested CAG ID.
3. The method according to claim 1, wherein encrypting the requested CAG ID to obtain the encrypted requested CAG ID comprises:
encrypting the requested CAG ID and the SUCI of the terminal jointly with a public key of a home network, to obtain an extended SUCI of the terminal;
and sending the registration request message including the encrypted requested CAG ID and the SUCI of the terminal comprises:
sending a registration request message, the registration request message including the extended SUCI of the terminal.
4. The method according to any one of claims 1 to 3, wherein before the terminal encrypts the requested CAG ID, the method further comprises:
receiving a system broadcast message carrying a first CAG ID list;
matching a second CAG ID list configured on the terminal itself against the first CAG ID list, and determining the CAG ID that the terminal requests to access.
5. The method according to claim 4, wherein matching the second CAG ID list configured on the terminal itself against the first CAG ID list and determining the requested CAG ID comprises:
matching the second CAG ID list configured on the terminal itself against the first CAG ID list, and determining one CAG ID present in both the second CAG ID list and the first CAG ID list as the requested CAG ID.
6. The method according to claim 4, wherein before receiving the system broadcast message carrying the first CAG ID list, the method further comprises:
configuring the second CAG ID list, the second CAG ID list including at least one CAG ID that is allowed to be accessed.
7. A method of accessing a closed access group, comprising:
receiving a registration request message sent by a terminal, the registration request message including an encrypted closed access group identifier (CAG ID) requested to be accessed and a subscription concealed identifier (SUCI) of the terminal;
resolving the SUCI of the terminal to a subscription permanent identifier (SUPI) of the terminal, and decrypting the encrypted requested CAG ID to the requested CAG ID;
obtaining a first CAG ID list from a home network of the terminal according to the SUPI of the terminal;
judging whether the requested CAG ID matches the first CAG ID list, and if it matches, sending a registration accept message to the terminal.
8. The method according to claim 7, wherein resolving the SUCI to the SUPI and decrypting the encrypted requested CAG ID to the requested CAG ID comprises:
a unified data management (UDM) or subscription identifier de-concealing function (SIDF) resolving the SUCI of the terminal to the SUPI of the terminal, and decrypting the encrypted requested CAG ID to the requested CAG ID;
the UDM or SIDF sending the SUPI of the terminal and the requested CAG ID to an access and mobility management function (AMF);
obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal comprises:
the AMF obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
and judging whether the requested CAG ID matches the first CAG ID list and, if it matches, sending a registration accept message to the terminal comprises:
the AMF judging whether the requested CAG ID matches the first CAG ID list, and if it matches, sending a registration accept message to the terminal.
9. The method according to claim 8, wherein the UDM or SIDF resolving the SUCI of the terminal to the SUPI of the terminal and decrypting the encrypted requested CAG ID to the requested CAG ID comprises:
the UDM or SIDF resolving the SUCI of the terminal to the SUPI of the terminal, and decrypting the encrypted requested CAG ID to the requested CAG ID with the private key corresponding to the public key of the home network of the terminal.
10. The method according to claim 8, wherein receiving the registration request message sent by the terminal, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal, comprises:
receiving a registration request message sent by the terminal, the registration request message including an extended SUCI of the terminal, the extended SUCI of the terminal being obtained by encrypting the requested CAG ID and the SUCI of the terminal jointly with the public key of the home network of the terminal;
and the UDM or SIDF resolving the SUCI of the terminal to the SUPI of the terminal and decrypting the encrypted requested CAG ID to the requested CAG ID comprises:
the UDM or SIDF decrypting the extended SUCI of the terminal with the private key corresponding to the public key of the home network of the terminal, to obtain the requested CAG ID and the SUCI of the terminal, and resolving the SUCI of the terminal to the SUPI of the terminal.
11. The method according to any one of claims 7 to 10, wherein judging whether the requested CAG ID matches the first CAG ID list comprises:
judging whether the requested CAG ID is identical to any CAG ID in the first CAG ID list, and if it is identical, determining that the requested CAG ID matches the first CAG ID list.
12. The method according to any one of claims 7 to 10, wherein obtaining the first CAG ID list from the home network of the terminal according to the SUPI comprises:
sending a CAG ID list request message to the home network of the terminal, the CAG ID list request message including the SUPI;
receiving the first CAG ID list sent by the home network of the terminal.
13. The method according to any one of claims 7 to 10, wherein after judging whether the requested CAG ID matches the first CAG ID list, the method further comprises:
sending a registration reject message to the terminal if they do not match.
14. A method of accessing a closed access group, comprising:
encrypting a closed access group identifier (CAG ID) requested to be accessed, to obtain a first encrypted requested CAG ID;
sending a registration request message, the registration request message including the first encrypted requested CAG ID and a 5G globally unique temporary identifier (5G-GUTI) of the terminal.
15. The method according to claim 14, wherein encrypting the requested CAG ID to obtain the first encrypted requested CAG ID comprises:
encrypting the requested CAG ID with the encryption key in the security context corresponding to the 5G-GUTI of the terminal, to obtain the first encrypted requested CAG ID.
16. The method according to claim 14, wherein after sending the registration request message, the method further comprises:
receiving an identification request message sent by an access and mobility management function (AMF);
encrypting the requested CAG ID with a public key of a home network, to obtain a second encrypted requested CAG ID;
sending an identification response message to the AMF, the identification response message including the second encrypted requested CAG ID and a subscription concealed identifier (SUCI) of the terminal.
17. The method according to claim 14, wherein after sending the registration request message, the method further comprises:
receiving an identification request message sent by an AMF;
encrypting the requested CAG ID and the SUCI of the terminal jointly with the public key of the home network, to obtain an extended SUCI of the terminal;
sending an identification response message to the AMF, the identification response message including the extended SUCI of the terminal.
18. The method according to any one of claims 14 to 17, wherein before encrypting the requested CAG ID to obtain the first encrypted requested CAG ID, the method further comprises:
receiving a system broadcast message carrying a first CAG ID list;
matching a second CAG ID list configured on the terminal itself against the first CAG ID list, and determining the requested CAG ID.
19. The method according to any one of claims 14 to 17, wherein matching the second CAG ID list configured on the terminal itself against the first CAG ID list and determining the requested CAG ID comprises:
matching the second CAG ID list configured on the terminal itself against the first CAG ID list, and determining one CAG ID present in both the second CAG ID list and the first CAG ID list as the requested CAG ID.
20. The method according to any one of claims 14 to 19, wherein before receiving the system broadcast message carrying the first CAG ID list, the method further comprises:
configuring the second CAG ID list, the second CAG ID list including at least one CAG ID that is allowed to be accessed.
21. A method of accessing a closed access group, comprising:
receiving a registration request message sent by a terminal, the registration request message including a first encrypted closed access group identifier (CAG ID) requested to be accessed and a 5G globally unique temporary identifier (5G-GUTI) of the terminal;
judging, according to the 5G-GUTI of the terminal, whether the current access and mobility management function (AMF) is a history AMF that once served the terminal;
if the current AMF is a history AMF that once served the terminal and a subscription permanent identifier (SUPI) of the terminal is stored in the current AMF, obtaining a first CAG ID list from a home network of the terminal according to the SUPI of the terminal, and decrypting the first encrypted requested CAG ID to the requested CAG ID;
judging whether the requested CAG ID matches the first CAG ID list, and if it matches, sending a registration accept message to the terminal.
22. The method according to claim 21, wherein after judging, according to the 5G-GUTI of the terminal, whether the current AMF is an AMF that once served the terminal, the method further comprises:
if the current AMF is a history AMF that once served the terminal and the SUPI of the terminal is not stored in the current AMF, the current AMF sending an identification request message to the terminal;
receiving an identification response message sent by the terminal, the identification response message including a second encrypted requested CAG ID obtained by the terminal encrypting with a public key of the home network, and a subscription concealed identifier (SUCI) of the terminal;
a UDM or SIDF resolving the SUCI of the terminal to the SUPI of the terminal, and decrypting the second encrypted requested CAG ID to the requested CAG ID with the private key corresponding to the public key of the home network of the terminal;
obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
judging whether the requested CAG ID matches the first CAG ID list, and if it matches, sending a registration accept message to the terminal.
23. The method according to claim 21, wherein after judging, according to the 5G-GUTI of the terminal, whether the current AMF is an AMF that once served the terminal, the method further comprises:
if the current AMF is a history AMF that once served the terminal and the SUPI of the terminal is not stored in the current AMF, the current AMF sending an identification request message to the terminal;
receiving an identification response message sent by the terminal, the identification response message including an extended SUCI obtained by the terminal encrypting the requested CAG ID and the SUCI of the terminal jointly with the public key of the home network;
the UDM or SIDF decrypting the extended SUCI of the terminal with the private key corresponding to the public key of the home network of the terminal, to obtain the requested CAG ID and the SUCI of the terminal, and resolving the SUCI of the terminal to the SUPI of the terminal;
obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
judging whether the requested CAG ID matches the first CAG ID list, and if it matches, sending a registration accept message to the terminal.
24. The method according to claim 21, wherein after judging, according to the 5G-GUTI of the terminal, whether the current AMF is an AMF that once served the terminal, the method further comprises:
if the current AMF is not an AMF that served the terminal, the current AMF determining, according to the 5G-GUTI of the terminal, the history AMF that once served the terminal, and sending a context transfer request message for the terminal to the history AMF, the context transfer request message including the 5G-GUTI of the terminal;
the current AMF receiving a context transfer response message sent by the history AMF, the context transfer response message including the security context of the terminal and the first CAG ID list;
the current AMF decrypting the first encrypted requested CAG ID to the requested CAG ID with the encryption key in the security context of the terminal;
judging whether the requested CAG ID matches the first CAG ID list, and if it matches, sending a registration accept message to the terminal.
25. according to the method for claim 24, which is characterized in that if the current AMF be not the terminal service,
Current AMF determines the once history AMF for the terminal service according to the 5G-GUTI of the terminal, and sends out to the history AMF
After sending the context transfer request message of the terminal, further includes:
If current AMF does not receive the context transfer response message for the terminal that the history AMF is sent, current AMF
Identification request message is sent to the terminal;
The identification response message that the terminal is sent is received, includes that the terminal uses home network in the identification response message
Public key encrypted second encryption the CAG ID requested access to and the terminal SUCI;
The SUCI of the terminal is resolved to the SUPI of the terminal by UDM or SIDF, and uses the public affairs of the terminating home network
The CAG ID that key requests access to the CAG ID decryption of the second encryption requested access to;
The first CAG ID list is obtained from the home network of the terminal according to the SUPI of the terminal;
Whether the CAG ID and the first CAG ID list requested access to described in judgement matches, and sends out if matching to the terminal
Send registration received message.
26. according to the method for claim 24, which is characterized in that if the current AMF be not the terminal service,
Current AMF determines the once history AMF for the terminal service according to the 5G-GUTI of the terminal, and sends out to the history AMF
After sending the context transfer request message of the terminal, further includes:
If current AMF does not receive the context transfer response message for the terminal that the history AMF is sent, current AMF
Identification request message is sent to the terminal;
The identification response message that the terminal is sent is received, includes that the terminal uses home network in the identification response message
Public key the SUCI of the terminal request CAG ID accessed and the terminal encrypted jointly after obtained extension
SUCI;
The UDM or SIDF is visited the SUCI decryption of the extension of the terminal for request using the public key of the terminating home network
The SUCI of the CAG ID and the terminal that ask, and the SUCI of the terminal is resolved to the SUPI of the terminal.
The first CAG ID list is obtained from the home network of the terminal according to the SUPI of the terminal;
Whether the CAG ID and the first CAG ID list requested access to described in judgement matches, and sends out if matching to the terminal
Send registration received message.
27. The method of any one of claims 21 to 26, wherein determining whether the requested CAG ID matches the first CAG ID list comprises:
determining whether the requested CAG ID is identical to any CAG ID in the first CAG ID list, and if it is, determining that the requested CAG ID matches the first CAG ID list.
28. The method of any one of claims 21 to 26, further comprising, after determining whether the requested CAG ID matches the first CAG ID list:
sending a registration reject message to the terminal if they do not match.
29. A device for accessing a closed access group, comprising:
an encryption module configured to encrypt the closed access group identifier (CAG ID) requested for access, obtaining an encrypted requested CAG ID;
a sending module configured to send a registration request message, the registration request message containing the encrypted requested CAG ID and the subscription concealed identifier (SUCI) of the terminal.
30. A device for accessing a closed access group, comprising:
a receiving module configured to receive a registration request message sent by a terminal, the registration request message containing an encrypted closed access group identifier (CAG ID) requested for access and the subscription concealed identifier (SUCI) of the terminal;
a decryption module configured to resolve the SUCI of the terminal to the subscription permanent identifier (SUPI) of the terminal and to decrypt the encrypted requested CAG ID into the requested CAG ID;
an obtaining module configured to obtain a first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
a judgment module configured to determine whether the requested CAG ID matches the first CAG ID list and, if it does, to send a registration accept message to the terminal.
31. A device for accessing a closed access group, comprising:
an encryption module configured to encrypt the closed access group identifier (CAG ID) requested for access, obtaining a first encrypted requested CAG ID;
a sending module configured to send a registration request message, the registration request message containing the first encrypted requested CAG ID and the 5G globally unique temporary UE identity (5G-GUTI) of the terminal.
32. A device for accessing a closed access group, comprising:
a receiving module configured to receive a registration request message sent by a terminal, the registration request message containing a first encrypted closed access group identifier (CAG ID) requested for access and the 5G globally unique temporary UE identity (5G-GUTI) of the terminal;
a decryption module configured to determine, from the 5G-GUTI of the terminal, whether the current access and mobility management function (AMF) is a history AMF that once served the terminal;
an obtaining module configured, when the current AMF is a history AMF that once served the terminal and the current AMF holds the subscription permanent identifier (SUPI) of the terminal, to obtain a first CAG ID list from the home network of the terminal according to the SUPI of the terminal and to decrypt the first encrypted requested CAG ID into the requested CAG ID;
a judgment module configured to determine whether the requested CAG ID matches the first CAG ID list and, if it does, to send a registration accept message to the terminal.
33. A system for accessing a closed access group, comprising a terminal and a network device, wherein:
the terminal comprises the device for accessing a closed access group of claim 29;
the network device comprises the device for accessing a closed access group of claim 30.
34. A system for accessing a closed access group, comprising a terminal and a network device, wherein:
the terminal comprises the device for accessing a closed access group of claim 31;
the network device comprises the device for accessing a closed access group of claim 32.
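The registration exchange that claims 25 to 30 describe, and the joint "extended SUCI" of claim 26, as an added example that is not part of the patent and not ZTE's code: the terminal encrypts the requested CAG ID under the home network public key and sends it beside its SUCI, the home network side (UDM/SIDF) de-conceals both, the subscriber's allowed CAG ID list is fetched by SUPI, and the AMF accepts or rejects the registration. The hybrid encryption is a simplified Diffie-Hellman-plus-HMAC stand-in for the 3GPP ECIES SUCI profiles over a small prime field and is not secure; the `SUBSCRIBERS` table, the identifier strings and every function name are constructed for this example.

```python
"""Toy model of CAG-ID-protected 5G registration (added example, not the patent's code).

The asymmetric scheme below is a deliberately simplified DH + HMAC hybrid over a
small prime field; it stands in for the 3GPP ECIES SUCI profiles and is NOT secure.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy group modulus (a Mersenne prime); far too small for real use
G = 5            # toy generator
SEP = b"\x00"    # separator inside the extended SUCI; never appears in a CAG ID string


def keygen():
    """Home network key pair: private exponent sk and public value G^sk mod P."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def _kdf(shared: int, label: bytes, n: int) -> bytes:
    """Derive n bytes from the DH shared value, domain-separated by label."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + shared.to_bytes(16, "big") + bytes([counter])).digest()
        counter += 1
    return out[:n]


def hn_encrypt(pub: int, plaintext: bytes) -> bytes:
    """Encrypt to the home network public key: ephemeral DH, XOR keystream, HMAC tag.

    A fresh ephemeral key per call means two encryptions of the same CAG ID look
    unrelated to the serving network or to a passive listener on the air interface.
    """
    esk, epk = keygen()
    shared = pow(pub, esk, P)
    keystream = _kdf(shared, b"enc", len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream))
    header = epk.to_bytes(16, "big")
    tag = hmac.new(_kdf(shared, b"mac", 32), header + ct, hashlib.sha256).digest()
    return header + ct + tag


def hn_decrypt(sk: int, blob: bytes) -> bytes:
    """Decrypt with the home network private key; reject tampered ciphertext."""
    header, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    shared = pow(int.from_bytes(header, "big"), sk, P)
    expected = hmac.new(_kdf(shared, b"mac", 32), header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("CAG ID / SUCI ciphertext failed integrity check")
    keystream = _kdf(shared, b"enc", len(ct))
    return bytes(a ^ b for a, b in zip(ct, keystream))


# Constructed subscription data held by the home network (UDM): SUPI -> allowed CAG IDs.
SUBSCRIBERS = {
    "imsi-001010000000001": {"cag-1001", "cag-1002"},
    "imsi-001010000000002": set(),
}


def ue_registration_request(hn_pub: int, supi: str, cag_id: str) -> dict:
    """Terminal side (claim 29): SUCI plus a separately encrypted requested CAG ID."""
    return {
        "suci": hn_encrypt(hn_pub, supi.encode()),
        "enc_cag_id": hn_encrypt(hn_pub, cag_id.encode()),
    }


def ue_extended_suci(hn_pub: int, supi: str, cag_id: str) -> bytes:
    """Terminal side (claim 26 variant): CAG ID and SUCI encrypted jointly."""
    suci = hn_encrypt(hn_pub, supi.encode())
    return hn_encrypt(hn_pub, cag_id.encode() + SEP + suci)


def sidf_deconceal_extended(hn_sk: int, ext_suci: bytes) -> tuple:
    """UDM/SIDF (claim 26): open the extended SUCI, then resolve the inner SUCI to SUPI."""
    cag_id, _, suci = hn_decrypt(hn_sk, ext_suci).partition(SEP)
    supi = hn_decrypt(hn_sk, suci).decode()
    return supi, cag_id.decode()


def amf_handle_registration(hn_sk: int, request: dict) -> str:
    """Network side (claim 30): de-conceal, fetch the first CAG ID list by SUPI, compare."""
    supi = hn_decrypt(hn_sk, request["suci"]).decode()
    cag_id = hn_decrypt(hn_sk, request["enc_cag_id"]).decode()
    first_cag_id_list = SUBSCRIBERS.get(supi, set())   # unknown SUPI -> empty list
    if cag_id in first_cag_id_list:                     # claim 27: exact identifier match
        return "REGISTRATION_ACCEPT"
    return "REGISTRATION_REJECT"                        # claim 28


if __name__ == "__main__":
    hn_sk, hn_pub = keygen()
    req = ue_registration_request(hn_pub, "imsi-001010000000001", "cag-1001")
    # What the serving network sees: opaque blobs it can neither decrypt nor correlate.
    print("on the wire:", req["enc_cag_id"].hex()[:32], "...")
    print(amf_handle_registration(hn_sk, req))   # REGISTRATION_ACCEPT
    other = ue_registration_request(hn_pub, "imsi-001010000000002", "cag-1001")
    print(amf_handle_registration(hn_sk, other))   # REGISTRATION_REJECT
    ext = ue_extended_suci(hn_pub, "imsi-001010000000001", "cag-1002")
    print(sidf_deconceal_extended(hn_sk, ext))   # ('imsi-001010000000001', 'cag-1002')
```

The point the claims make is visible in `hn_encrypt`: because a fresh ephemeral key is drawn per message, a listener on the air interface (or a visited network that only relays the registration request) cannot tell which CAG a subscriber is asking for, nor link two requests for the same CAG, while the home network still gets an exact, integrity-checked CAG ID to compare against the subscription. An unknown SUPI falls through to an empty list and therefore to a reject, which is the behaviour to preserve if the lookup is replaced by a real UDM query.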
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910754388.7A CN110536293A (en) | 2019-08-15 | 2019-08-15 | The methods, devices and systems of access closure access group |
PCT/CN2020/109116 WO2021027916A1 (en) | 2019-08-15 | 2020-08-14 | Method, device and system for accessing closed access group |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910754388.7A CN110536293A (en) | 2019-08-15 | 2019-08-15 | The methods, devices and systems of access closure access group |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110536293A true CN110536293A (en) | 2019-12-03 |
Family
ID=68663523
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910754388.7A Pending CN110536293A (en) | 2019-08-15 | 2019-08-15 | The methods, devices and systems of access closure access group |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110536293A (en) |
WO (1) | WO2021027916A1 (en) |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111405557A (en) * | 2020-03-19 | 2020-07-10 | 中国电子科技集团公司第三十研究所 | Method and system for enabling 5G network to flexibly support multiple main authentication algorithms |
WO2020248624A1 (en) * | 2019-06-13 | 2020-12-17 | 华为技术有限公司 | Communication method, network device, user equipment and access network device |
WO2021027916A1 (en) * | 2019-08-15 | 2021-02-18 | 中兴通讯股份有限公司 | Method, device and system for accessing closed access group |
WO2021082528A1 (en) * | 2019-10-30 | 2021-05-06 | 中国电信股份有限公司 | Communication method, system, base station, and terminal |
EP3866552A1 (en) * | 2020-02-17 | 2021-08-18 | NTT DoCoMo, Inc. | Communication terminal, method for configuring a communication terminal, access management component and method for access management of a non-public network |
CN113453311A (en) * | 2020-03-27 | 2021-09-28 | 华为技术有限公司 | Method and device for processing information of closed access group |
CN113498028A (en) * | 2020-04-08 | 2021-10-12 | 维沃移动通信有限公司 | CAG processing method and related equipment |
CN113518316A (en) * | 2020-04-09 | 2021-10-19 | 维沃移动通信有限公司 | CAG information processing method and device and communication equipment |
WO2021208592A1 (en) * | 2020-04-15 | 2021-10-21 | 华为技术有限公司 | Communication method and apparatus |
CN113543127A (en) * | 2020-03-31 | 2021-10-22 | 大唐移动通信设备有限公司 | Key generation method, device, equipment and computer readable storage medium |
CN113573370A (en) * | 2020-04-29 | 2021-10-29 | 中国移动通信有限公司研究院 | Information processing method, network equipment, terminal and storage medium |
WO2021235875A1 (en) * | 2020-05-21 | 2021-11-25 | Samsung Electronics Co., Ltd. | Method and system for handling ue with cag subscription in wireless network |
CN113973344A (en) * | 2020-07-22 | 2022-01-25 | 中国电信股份有限公司 | Non-public network access control method, base station and communication system |
CN114071648A (en) * | 2020-08-04 | 2022-02-18 | 中移(成都)信息通信科技有限公司 | Information configuration method, device, equipment and medium |
US11968533B2 (en) | 2019-03-29 | 2024-04-23 | Interdigital Patent Holdings, Inc. | Methods and apparatus for secure access control in wireless communications |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140018081A1 (en) * | 2011-01-21 | 2014-01-16 | Ubiquisys Limited | Femtocell network |
US20160105410A1 (en) * | 2013-04-23 | 2016-04-14 | Zte Corporation | OMA DM Based Terminal Authentication Method, Terminal and Server |
WO2019088599A1 (en) * | 2017-10-31 | 2019-05-09 | 엘지전자 주식회사 | Method for protecting data encrypted by home network key in wireless communication system and device therefor |
CN110035433A (en) * | 2018-01-11 | 2019-07-19 | 华为技术有限公司 | Using the verification method and device of shared key, public key and private key |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3535996B1 (en) * | 2016-11-07 | 2020-12-23 | Apple Inc. | Apparatus and machine readable storage medium for handling stickiness of ue-specific ran-cn association |
CN109842880B (en) * | 2018-08-23 | 2020-04-03 | 华为技术有限公司 | Routing method, device and system |
CN110536293A (en) * | 2019-08-15 | 2019-12-03 | 中兴通讯股份有限公司 | The methods, devices and systems of access closure access group |
Date | Country | Application | Publication | Status |
---|---|---|---|---|
2019-08-15 | CN | CN201910754388.7A | CN110536293A | Pending |
2020-08-14 | WO | PCT/CN2020/109116 | WO2021027916A1 | Application Filing |
Non-Patent Citations (3)
Title |
---|
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on security for 5GS enhanced support of Vertical and LAN Services (Release 16)", 3GPP TR 33.819 V1.1.0, 9 July 2019, page 5 * |
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on enhancement of 5G System (5GS) for vertical and Local Area Network (LAN) services (Release 16)", 3GPP TR 23.734 V16.2.0, 11 June 2019, page 6 * |
ZTE CORPORATION, INTERDIGITAL: "S3-192343 Security threats and requirements on CAG ID privacy", 3GPP TSG SA WG3 (Security), no. 3, 28 June 2019 * |
Cited By (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11968533B2 (en) | 2019-03-29 | 2024-04-23 | Interdigital Patent Holdings, Inc. | Methods and apparatus for secure access control in wireless communications |
WO2020248624A1 (en) * | 2019-06-13 | 2020-12-17 | 华为技术有限公司 | Communication method, network device, user equipment and access network device |
WO2021027916A1 (en) * | 2019-08-15 | 2021-02-18 | 中兴通讯股份有限公司 | Method, device and system for accessing closed access group |
WO2021082528A1 (en) * | 2019-10-30 | 2021-05-06 | 中国电信股份有限公司 | Communication method, system, base station, and terminal |
EP3866552A1 (en) * | 2020-02-17 | 2021-08-18 | NTT DoCoMo, Inc. | Communication terminal, method for configuring a communication terminal, access management component and method for access management of a non-public network |
WO2021165243A1 (en) * | 2020-02-17 | 2021-08-26 | Ntt Docomo, Inc. | Communication terminal, method for configuring a communication terminal, access management component and method for access management of a non-public network |
JP7186879B2 (en) | 2020-02-17 | 2022-12-09 | 株式会社Nttドコモ | Communication terminal, method of configuring communication terminal, access control component and method for access control of non-public network |
JP2022524902A (en) * | 2020-02-17 | 2022-05-11 | 株式会社Nttドコモ | Communication terminals, how to configure communication terminals, access control components, and methods for access control of non-public networks |
CN111405557B (en) * | 2020-03-19 | 2022-03-15 | 中国电子科技集团公司第三十研究所 | Method and system for enabling 5G network to flexibly support multiple main authentication algorithms |
CN111405557A (en) * | 2020-03-19 | 2020-07-10 | 中国电子科技集团公司第三十研究所 | Method and system for enabling 5G network to flexibly support multiple main authentication algorithms |
CN113453311A (en) * | 2020-03-27 | 2021-09-28 | 华为技术有限公司 | Method and device for processing information of closed access group |
WO2021190217A1 (en) * | 2020-03-27 | 2021-09-30 | 华为技术有限公司 | Method and device for processing closed access group information |
CN113453311B (en) * | 2020-03-27 | 2022-12-13 | 华为技术有限公司 | Method and device for processing information of closed access group |
CN113543127B (en) * | 2020-03-31 | 2023-02-17 | 大唐移动通信设备有限公司 | Key generation method, device, equipment and computer readable storage medium |
CN113543127A (en) * | 2020-03-31 | 2021-10-22 | 大唐移动通信设备有限公司 | Key generation method, device, equipment and computer readable storage medium |
CN113498028A (en) * | 2020-04-08 | 2021-10-12 | 维沃移动通信有限公司 | CAG processing method and related equipment |
CN113498028B (en) * | 2020-04-08 | 2022-11-08 | 维沃移动通信有限公司 | CAG processing method and related equipment |
CN113518316A (en) * | 2020-04-09 | 2021-10-19 | 维沃移动通信有限公司 | CAG information processing method and device and communication equipment |
WO2021208592A1 (en) * | 2020-04-15 | 2021-10-21 | 华为技术有限公司 | Communication method and apparatus |
CN113573370B (en) * | 2020-04-29 | 2022-09-13 | 中国移动通信有限公司研究院 | Information processing method, network equipment, terminal and storage medium |
WO2021218831A1 (en) * | 2020-04-29 | 2021-11-04 | 中国移动通信有限公司研究院 | Information processing method, network device, terminal, and storage medium |
CN113573370A (en) * | 2020-04-29 | 2021-10-29 | 中国移动通信有限公司研究院 | Information processing method, network equipment, terminal and storage medium |
WO2021235875A1 (en) * | 2020-05-21 | 2021-11-25 | Samsung Electronics Co., Ltd. | Method and system for handling ue with cag subscription in wireless network |
CN113973344A (en) * | 2020-07-22 | 2022-01-25 | 中国电信股份有限公司 | Non-public network access control method, base station and communication system |
CN114071648A (en) * | 2020-08-04 | 2022-02-18 | 中移(成都)信息通信科技有限公司 | Information configuration method, device, equipment and medium |
CN114071648B (en) * | 2020-08-04 | 2023-04-07 | 中移(成都)信息通信科技有限公司 | Information configuration method, device, equipment and medium |
Also Published As
Publication number | Publication date |
---|---|
WO2021027916A1 (en) | 2021-02-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110536293A (en) | The methods, devices and systems of access closure access group | |
US8543814B2 (en) | Method and apparatus for using generic authentication architecture procedures in personal computers | |
JP5579938B2 (en) | Authentication of access terminal identification information in roaming networks | |
US8107623B2 (en) | Method for verifying a first identity and a second identity of an entity | |
US8347090B2 (en) | Encryption of identifiers in a communication system | |
CN101123811B (en) | Apparatus and method for managing stations associated with WPA-PSK wireless network | |
US9191814B2 (en) | Communications device authentication | |
EP3433994B1 (en) | Methods and apparatus for sim-based authentication of non-sim devices | |
EP2879421B1 (en) | Terminal identity verification and service authentication method, system, and terminal | |
US20060236116A1 (en) | Provisioning root keys | |
US20090253409A1 (en) | Method of Authenticating Home Operator for Over-the-Air Provisioning of a Wireless Device | |
JP5468623B2 (en) | Apparatus and method for protecting bootstrap messages in a network | |
US20110271330A1 (en) | Solutions for identifying legal user equipments in a communication network | |
JP2013529019A (en) | Wireless network authentication device and method | |
CN102143134A (en) | Method, device and system for distributed identity authentication | |
JP5276593B2 (en) | System and method for obtaining network credentials | |
WO2006051152A1 (en) | Determining a key derivation function | |
CN104660567B (en) | D2D terminal access authentications method, D2D terminals and server | |
US20230413060A1 (en) | Subscription onboarding using a verified digital identity | |
JP2021536687A (en) | Non-3GPP device access to the core network | |
CN104486460B (en) | Application server address acquisition methods, equipment and system | |
EP3547734A1 (en) | Authentication for a communication system | |
KR20220100886A (en) | A method for authenticating users on a network slice | |
RU2698424C1 (en) | Authorization control method | |
CN110226319A (en) | Method and apparatus for the parameter exchange during promptly accessing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||