CN112738881B - Network registration method and device - Google Patents

Network registration method and device

Info

Publication number
CN112738881B
Authority
CN
China
Prior art keywords
access network
network device
message
security context
security
Legal status
Active
Application number
CN202011642923.9A
Other languages
Chinese (zh)
Other versions
CN112738881A (en)
Inventor
贾彬
金逸
Current Assignee
Spreadtrum Communications Shanghai Co Ltd
Original Assignee
Spreadtrum Communications Shanghai Co Ltd
Priority and publication events
    • Priority to CN202211342819.7A (published as CN116033541A)
    • Priority to CN202011642923.9A (published as CN112738881B)
    • Publication of CN112738881A
    • Application granted
    • Publication of CN112738881B
    • Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 60/00 Affiliation to network, e.g. registration; terminating affiliation with the network, e.g. de-registration
    • H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a network registration method applied to a terminal device. The terminal device establishes a communication connection with a first access network device, and the first access network device holds a first security context established between the terminal device and a second access network device. The method comprises the following steps: sending a registration request message to the first access network device, wherein the registration request message comprises an Evolved Packet System (EPS) sequence number used to indicate that a target parameter P0, the mapping key, is a first parameter value; receiving a security mode command message sent by the first access network device, wherein the security mode command message is processed by the first access network device according to a second security context, and the second security context is obtained by the first access network device mapping the first security context according to P0; and if the integrity check on the security mode command message succeeds, sending a security mode complete message to the first access network device. The method can improve the registration success rate of the terminal device on the communication network.

Description

Network registration method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a network registration method and apparatus.
Background
If a 5G multimode terminal registers successfully in a 4G network, a security context is established between the terminal and the 4G network. As the terminal moves, it may leave the 4G network and camp on a 5G network. When the terminal then registers in the 5G network, if the 5G network chooses to use the security context that the terminal established in the 4G network, the terminal and the 5G network map the 4G security context to a 5G security context and use that.
It should be noted that the 5G multimode terminal and the 5G network are independent of each other, and the 4G security context is mapped to the 5G security context by the 5G network. The mapping requires that the information used for mapping is the same in the terminal and in the 5G network; if it differs, the terminal's mapping result is inconsistent with the network's mapping result, and this inconsistency in turn causes the terminal's registration in the 5G network to fail.
Disclosure of Invention
The application discloses a network registration method and a network registration device, which can improve the registration success rate of terminal equipment on a communication network.
In a first aspect, an embodiment of the present application provides a network registration method, which is applied to a terminal device, where the terminal device establishes a communication connection with a first access network device, and the first access network device includes a first security context established by the terminal device and a second access network device, and the method includes:
sending a registration request message to the first access network device, where the registration request message includes an Evolved Packet System (EPS) sequence number, and the EPS sequence number is used to indicate that the mapping key P0 is a first parameter value;
receiving a security mode command message sent by the first access network device, wherein the security mode command message is processed by the first access network device according to a second security context, and the second security context is obtained by mapping the first security context by the first access network device according to P0;
and if the integrity check on the security mode command message succeeds, sending a security mode complete message to the first access network device.
In an embodiment, the value of the target field is set to the lower 8 bits of P0, where P0 is a NAS Uplink Count Value; the registration request message sent to the first access network device includes the target field whose lower 8 bits indicate P0.
In one embodiment, before sending the registration request message to the first access network device, the terminal device registers with the second access network device and establishes the first security context with it; it sends a non-access stratum (NAS) message containing P0 to the second access network device; and if it cannot determine that the NAS message was successfully delivered to the second access network device, enters an idle state, and detects a switch from the second access network device to the first access network device, it is triggered to send the registration request message to the first access network device.
In an embodiment, if the integrity check on the security mode command message is successful, after sending a security mode complete message to the first access network device, receiving a registration accept message sent by the first access network device, where the registration accept message is used to indicate that the terminal device successfully registers in the first access network device.
In a second aspect, an embodiment of the present application provides a network registration method, which is applied to a first access network device, where the first access network device establishes a communication connection with a terminal device, the first access network device includes a first security context and a mapping key P0, which are established by the terminal device and a second access network device, and P0 is a second parameter value, and the method includes:
receiving a registration request message sent by the terminal device, wherein the registration request message comprises an Evolved Packet System (EPS) sequence number used to indicate that P0 is a first parameter value, and P0 is a non-access stratum Uplink Count Value (NAS Uplink Count Value);
changing the P0 from the second parameter value to the first parameter value according to the EPS sequence number;
mapping the first security context according to the modified P0 to obtain a second security context;
processing according to the second security context to obtain a security mode command message;
and sending a security mode command message to the terminal equipment.
In one embodiment, after sending a security mode command message to a terminal device, receiving a security mode completion message sent by the terminal device; and sending a registration acceptance message to the terminal equipment, wherein the registration acceptance message is used for indicating that the terminal equipment is successfully registered on the first access network equipment.
In a third aspect, an embodiment of the present application provides a network registration method, which is applied to a terminal device, where the terminal device establishes a communication connection with a first access network device, the first access network device includes a first security context and a mapping key P0 that are established by the terminal device and a second access network device, and P0 is a second parameter value, and the method includes:
receiving a security mode command message sent by the first access network device, wherein the security mode command message is obtained by the first access network device according to a third security context, and the third security context is obtained by the first access network device mapping the first security context according to P0;
if the integrity check on the security mode command message fails, sending a security mode reject message to the first access network device, wherein the security mode reject message comprises integrity check failure information used to indicate that a fourth security context is to be obtained;
and receiving a registration acceptance message sent by the first access network equipment, wherein the registration acceptance message is generated by the first access network equipment based on the fourth security context.
In one embodiment, if the integrity check on the security mode command message fails, after sending a security mode reject message to the first access network device, receiving an authorization request message sent by the first access network device; and sending an authorization response message to the first access network equipment, wherein the authorization response message is used for indicating the generation of the fourth security context.
In an embodiment, the fourth security context is a local security context of the terminal device maintained by the first access network device.
In a fourth aspect, an embodiment of the present application provides a network registration method, which is applied to a first access network device, where the first access network device establishes a communication connection with a terminal device, and the first access network device includes a first security context established by the terminal device and a second access network device, and the method includes:
receiving a security mode rejection message sent by terminal equipment;
if the security mode reject message comprises an integrity check failure field, sending an authorization request message to the terminal device;
receiving authorization response information sent by the terminal equipment, and generating a fourth security context, wherein the fourth security context is different from the first security context;
sending a security mode command message to the terminal device, wherein the security mode command message is obtained according to the fourth security context;
receiving a security mode complete message sent by the terminal device;
and if the integrity check of the security mode complete message succeeds, sending a registration accept message to the terminal device.
In one embodiment, after receiving a security mode reject message sent by the terminal device, if the security mode reject message includes an integrity check failure field and the first access network device holds a local security context, the first access network device processes a registration accept message using the local security context, where the local security context is different from both the first security context and the fourth security context, and sends the processed registration accept message to the terminal device.
In a fifth aspect, an embodiment of the present application provides a network registration apparatus, which is applied to a terminal device, where the terminal device establishes a communication connection with a first access network device, and the first access network device includes a first security context established by the terminal device and a second access network device, and the apparatus includes:
a transceiver unit, configured to send a registration request message to the first access network device, where the registration request message includes an Evolved Packet System (EPS) sequence number used to indicate that the mapping key P0 is a first parameter value;
the transceiver unit is further configured to receive a security mode command message sent by the first access network device, where the security mode command message is processed by the first access network device according to a second security context, and the second security context is obtained by the first access network device mapping the first security context according to P0;
the transceiver unit is further configured to send a security mode complete message to the first access network device if the processing unit of the apparatus successfully performs the integrity check on the security mode command message.
In a sixth aspect, an embodiment of the present application provides a network registration apparatus, including a processor, a memory, and a communication interface, where the processor, the memory, and the communication interface are connected to each other, where the memory is used to store a computer program, the computer program includes program instructions, and the processor is configured to call the program instructions to perform the network registration method described in the first, second, third, and fourth aspects.
In a seventh aspect, an embodiment of the present application provides a computer-readable storage medium, where one or more instructions are stored, and the one or more instructions are adapted to be loaded by a processor and execute the network registration method described in the first, second, third, and fourth aspects.
In an eighth aspect, an embodiment of the present application provides a chip, where the chip includes a processor and a data interface, and the processor reads instructions stored on a memory through the data interface to perform the network registration method as described in the first, second, third, and fourth aspects.
In a ninth aspect, an embodiment of the present application provides a chip module, which includes the chip of the eighth aspect.
In this embodiment, the terminal device may send a registration request message to the first access network device, where the registration request message includes an Evolved Packet System (EPS) sequence number used to indicate that a target parameter P0, the mapping key, is a first parameter value; receive a security mode command message sent by the first access network device, where the security mode command message is processed by the first access network device according to a second security context, and the second security context is obtained by the first access network device mapping the first security context according to P0; and, if the integrity check on the security mode command message succeeds, send a security mode complete message to the first access network device. The method can improve the registration success rate of the terminal device on the communication network.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a diagram of a mobile communication network architecture according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a network registration method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of another network registration method according to an embodiment of the present application;
fig. 4 is a flowchart illustrating another network registration method according to an embodiment of the present application;
fig. 5 is a flowchart illustrating another network registration method according to an embodiment of the present application;
fig. 6 is a flowchart illustrating another network registration method according to an embodiment of the present application;
fig. 7 is a flowchart illustrating another network registration method according to an embodiment of the present application;
Fig. 8 is a schematic diagram illustrating elements of a network registration apparatus according to an embodiment of the present application;
fig. 9 is a simplified schematic diagram of an entity structure of a network registration apparatus according to an embodiment of the present application;
fig. 10 is a simplified chip diagram of a network registration apparatus according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention.
In order to better understand the embodiments of the present application, the following terms refer to the embodiments of the present application:
Non-access stratum (NAS): a functional layer in the radio communication protocol stack of the Universal Mobile Telecommunications System (UMTS) that sits between the core network and the user equipment. This layer supports signaling and data transfer between the two.
Evolved Packet System (EPS): a concept introduced by the 3GPP standards committee for 4th-generation mobile communications. The EPS may be regarded as the User Equipment (UE) plus the 4G access network part (LTE) plus the Evolved Packet Core (EPC).
In order to better understand the embodiments of the present application, a network architecture to which the embodiments of the present application are applicable is described below.
Referring to fig. 1, fig. 1 is a diagram illustrating a mobile communication network architecture according to an embodiment of the present application. As shown in fig. 1, the network architecture includes a first access network device, a second access network device, and a terminal device. A first network is deployed on the first access network device, and the first network may be a 5G network; a second network is deployed on the second access network device, and the second network may be a 4G network. The terminal device may be a multimode terminal, that is, it supports connection to different networks, for example a 4G network, a 5G network, a 6G network, and the like. The terminal device is in an IDLE state in the second network, moves from the second network to the first network while in the IDLE state, and camps on the first network. While in the second network, the terminal device may establish a security context with the second network. When the terminal device moves to the first network, the security context established in the second network can be mapped to a security context matching the first network, so that the terminal device can register on the first network. The embodiments of the present application take a terminal device moving from the second network to the first network as an example.
The access network device in the embodiments of the present application is an entity on the network side that transmits or receives signals. It may convert between received air-interface frames and Internet Protocol (IP) packets and act as a router between the terminal device and the rest of the access network, where the rest of the access network may include an IP network and the like. The access network device may also coordinate the management of air-interface attributes. For example, the access network device may be an eNB in LTE, a New Radio Controller (NR Controller), a gNB in a 5G system, a Centralized Unit, a New Radio base station, a radio remote module, a micro base station, a Relay, a Distributed Unit, a Transmission Reception Point (TRP) or Transmission Point (TP), a G node in an in-vehicle short-distance communication system, or any other wireless access device; the embodiments of the present invention are not limited thereto.
The terminal device in the embodiments of the present application is an entity on the user side that receives or transmits signals. It may be a device providing voice and/or data connectivity to a user, for example a handheld or vehicle-mounted device with wireless connection capability, or another processing device connected to a wireless modem. The terminal device may communicate with a Radio Access Network (RAN). It may also be referred to as a wireless terminal, Subscriber Unit, Subscriber Station, Mobile Station, Remote Station, Access Point, Remote Terminal, Access Terminal, User Terminal, User Agent, User Device, or User Equipment (UE). The terminal device may be a mobile terminal such as a mobile telephone (or "cellular" telephone) or a computer with a mobile terminal, for example a portable, pocket, hand-held, computer-integrated or car-mounted mobile device, which exchanges voice and/or data with the radio access network. For example, the terminal device may be a Personal Communication Service (PCS) phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), or the like. Common terminal devices include a mobile phone, a tablet computer, a laptop computer, a palmtop computer, a Mobile Internet Device (MID), a vehicle, a roadside device, an aircraft, a T node, and a wearable device such as a smart watch, a smart bracelet or a pedometer; the embodiments of the present application are not limited thereto. The communication method and the related device provided by the present application are described in detail below.
The terminal device may further include a vehicle terminal, a roadside unit (RSU), an application server, a base station or a handheld terminal. For example, vehicle terminals communicate with each other (V2V), with a roadside unit (V2I, RSU), with a pedestrian's handheld terminal (V2P), and with an application server (V2N) over a wireless network. The wireless network may be a 4G network, a 5G network, a 6G network, a DSRC network, a WiFi network, or the like.
In order to improve the success rate of registration of a terminal device on a communication network, embodiments of the present application provide a network registration method and apparatus, and the network registration method and apparatus provided in embodiments of the present application are further described in detail below.
Referring to fig. 2, fig. 2 is a schematic flowchart illustrating a network registration method according to an embodiment of the present disclosure. The network registration method includes the following operations 210 to 230. The main body for executing the method shown in fig. 2 may be a terminal device, or the main body may be a chip in the terminal device. It should be noted that this part of the operation corresponds to the operation shown in fig. 3, fig. 2 is the operation on the terminal device side, and fig. 3 is the operation on the first access network device side. Fig. 2 illustrates, by taking a terminal device as an example of an execution subject of the method, where the terminal device establishes a communication connection with a first access network device, and the first access network device includes a first security context established by the terminal device and a second access network device. Wherein:
210. sending a registration request message to the first access network device, the registration request message including an Evolved Packet System (EPS) sequence number indicating that the mapping key P0 is a first parameter value.
The EPS Sequence Number may be a target field in the Registration Request message, a field dedicated to carrying the EPS sequence number. The terminal device may set the value of the target field to the lower 8 bits of P0 to indicate that P0 is the first parameter value. P0 may be a NAS Uplink Count Value, which is determined according to the relevant protocol specification. The terminal device may send a registration request message to the first access network device in which the target field is set to the lower 8 bits indicating P0. In the embodiments of the present application, P0 and the NAS Uplink Count Value are equivalent; for ease of understanding, the term NAS Uplink Count Value is used for both in the following.
In one possible implementation, the terminal device may register to access the second access network device before sending the registration request message to the first access network device. The second access network device may have a 4G network distributed thereon. The terminal device establishes the first security context with the second access network device. The terminal device and the second access network device may each maintain a set of NAS Uplink Count Value.
The NAS Uplink Count Value may be included in a NAS message. When the terminal device sends a NAS message carrying its latest NAS Uplink Count Value to the second access network device, the second access network device, upon receiving the message, updates its own NAS Uplink Count Value to the value sent by the terminal device. When the terminal device sends another NAS message, it increments its currently maintained NAS Uplink Count Value by 1 and sends the incremented value to the second access network device, which likewise increments the value it maintains by 1. In this way, the NAS Uplink Count Value maintained by the terminal device and the one maintained by the second access network device stay consistent. If the terminal device enters an idle state in the network of the second access network device and then camps on the network of the first access network device, the first access network device may obtain the NAS Uplink Count Value that the second access network device associates with the terminal device. According to this NAS Uplink Count Value, the first access network device may map the security context established between the terminal device and the second access network device to a security context matching the first access network device, so that the terminal device can register in the network of the first access network device.
And if the terminal device does not determine that the NAS message sent to the second access network device is successfully sent to the second access network device, the terminal device enters an idle state, and detects that the terminal device is switched from the second access network device to the first access network device, the terminal device sends the registration request message to the first access network device. This is because, the terminal device cannot determine whether the NAS Uplink Count Value maintained by the terminal device is consistent with the NAS Uplink Count Value maintained by the second access network device without determining that the NAS message is successfully sent to the second access network device. If the two are not consistent, the first access network device performs mapping of the security context according to the NAS Uplink Count Value inconsistent with the terminal device, which may cause the terminal device to fail to register on the first access network device. Therefore, the terminal device needs to send the registration request message, and the EPS sequence number in the registration request message indicates the first access network device to modify the NAS Uplink Count Value acquired by the first access network device.
It should be noted that the NAS Uplink Count Value may be a 32-bit parameter. When the value maintained by the terminal device and the value maintained by the access network device differ, the difference is small, so the high-order bits of the two values are very likely identical. To save transmission resources, the registration request message may therefore indicate only the low 8 bits of the NAS Uplink Count Value, from which the first access network device can still recover the exact value.
220. And receiving a security mode command message sent by the first access network device, wherein the security mode command message is processed by the first access network device according to a second security context, and the second security context is obtained by mapping the first security context by the first access network device according to P0.
Here, the security mode command message is security-processed by the first access network device, where the security processing may be ciphering and integrity protection of the security mode command.
230. And if the integrity check on the security mode command message succeeds, sending a security mode complete message to the first access network device.
The terminal device may map the first security context established with the second access network device to a security context matching the first access network device according to the NAS Uplink Count Value it stores. Since the NAS Uplink Count Value in the first access network device is now consistent with that of the terminal device, the security context mapped by the terminal device matches or is identical to the second security context. Therefore, the terminal device can use its mapped security context to perform the integrity check on the security mode command message that the first access network device security-processed according to the second security context. If the integrity check succeeds, the second security context matches or is identical to the security context mapped by the terminal device, and the terminal device may send a Security Mode Complete message to the first access network device. After the first access network device receives the security mode complete message, the terminal device can receive a Registration Accept message sent by the first access network device, which indicates that the terminal device is successfully registered on the first access network device. The terminal device thus completes registration with the first access network device.
By the embodiment of the application, the terminal device can send the registration request message to the first access network device under the condition that the NAS message is not sent to the second access network device successfully, the terminal device enters an idle state, and the terminal device resides in the network of the first access network device. The NAS message includes a value of the mapping key P0, and the registration request message includes an EPS sequence number, which may indicate that a value of P0 in the terminal device is a first parameter value. Thus, the value of P0 maintained by the first access network device can be kept consistent with the value of P0 in the terminal device, so that the two values respectively map the security contexts established by the terminal device and the second access network device, and the obtained security contexts are also kept consistent or matched with each other. In the event that the security context of the terminal device by the first access network device is consistent or matched, the terminal device may be successfully registered in the first access network device. By the method, the registration success rate of the terminal equipment on the first access network equipment can be improved.
Referring to fig. 3, fig. 3 is a flowchart illustrating another network registration method according to an embodiment of the present application. The network registration method includes operations 310 to 350 as follows. The body executing the method shown in fig. 3 may be the first access network device, or a chip in the first access network device. Note that these operations correspond to the operations shown in fig. 2: fig. 2 is the operation on the terminal device side, and fig. 3 is the operation on the first access network device side. Fig. 3 takes the first access network device as the example executing body, where the first access network device establishes a communication connection with a terminal device, the first access network device holds a first security context and a mapping key P0 that were established by the terminal device and a second access network device, and P0 is a second parameter value. Wherein:
310. Receiving a registration request message sent by a terminal device, where the registration request message includes an Evolved Packet System (EPS) sequence number, the EPS sequence number is used to indicate that P0 is a first parameter value, and P0 is the non-access stratum uplink count value (NAS Uplink Count Value).
The first access network device may obtain, from the second access network device, the first security context and P0, that is, the NAS Uplink Count Value, established by the terminal device and the second access network device. The NAS Uplink Count Value obtained by the first access network device may be a second parameter value, and the second parameter value may differ from the first parameter value indicated by the EPS sequence number. This is because a network problem may prevent the second access network device from successfully receiving the NAS message sent by the terminal device, so that the NAS Uplink Count Value in the second access network device differs from the NAS Uplink Count Value in the terminal device.
320. Modifying P0 from the second parameter value to the first parameter value according to the EPS sequence number.
Since the terminal device cannot determine whether the second access network device received the NAS message, the NAS Uplink Count Value in the terminal device may differ from the NAS Uplink Count Value acquired by the first access network device. Therefore, the first access network device may modify the NAS Uplink Count Value from the second parameter value to the first parameter value according to the EPS sequence number.
Optionally, even when the second parameter value happens to equal the first parameter value, the first access network device may still perform this step.
330. Mapping the first security context according to the modified P0 to obtain a second security context.
340. Processing according to the second security context to obtain a security mode command message.
The first access network device may perform security processing on a security mode command (Security mode command) message according to the second security context, where the security processing may consist of encrypting and integrity-protecting the security mode command message according to the second security context.
350. Sending the security mode command message to the terminal device.
Because the security mode command message has been encrypted and integrity-protected, only a terminal device holding a security context that is the same as or matches the second security context can successfully perform the integrity check on it. If the terminal device successfully performs the integrity check on the security mode command message, the first access network device may receive a security mode complete (Security mode complete) message sent by the terminal device. The first access network device may then send a registration accept (Registration Accept) message to the terminal device, where the registration accept message indicates that the terminal device has successfully registered with the first access network device.
According to the embodiment of the application, the first access network device modifies its NAS Uplink Count Value according to the EPS sequence number in the registration request message sent by the terminal device, so that it is the same as the NAS Uplink Count Value in the terminal device. Thus, the second security context obtained by the first access network device mapping the first security context according to the modified NAS Uplink Count Value is the same as or matches the security context obtained by the terminal device's mapping. In this way, the terminal device can register successfully on the first access network device. By this method, the registration success rate of the terminal device on the first access network device can be improved.
Referring to fig. 4, fig. 4 is a flowchart illustrating another network registration method according to an embodiment of the present application. The network registration method includes the following operations 410 to 4110. The method shown in fig. 4 may be executed by the terminal device and the first access network device, or by chips in the terminal device and the first access network device. Wherein:
410. The terminal device registers with the second access network device.
The second access network device may be deployed in a 4G network.
420. The terminal device cannot determine that the NAS message was successfully sent to the second access network device, and enters an idle state.
430. The terminal device disconnects from the second access network device and camps on the network of the first access network device.
Wherein the network of the first access network device may be a 5G network.
440. The first access network device obtains the first security context and the mapping key P0, whose value is the second parameter value.
The first access network device may obtain the first security context and the mapping key P0, whose value is the second parameter value, from the second access network device.
450. The terminal device sends a registration request message to the first access network device, wherein the registration request message comprises an EPS sequence number, and the EPS sequence number is used for indicating that the value of P0 in the terminal device is a first parameter value.
460. The first access network device modifies the value of P0 from the second parameter value to the first parameter value according to the EPS sequence number, and maps the first security context to a second security context according to the modified P0.
470. The first access network device performs security processing on the security mode command message according to the second security context.
The security processing may be encryption and integrity protection of the security mode command message.
480. The first access network device sends a security mode command message to the terminal device.
490. The terminal device successfully performs the integrity check on the security mode command message.
4100. The terminal device sends a security mode complete message to the first access network device.
4110. The first access network device sends a registration acceptance message to the terminal device.
Through the embodiment of the application, the first access network device modifies the maintained value of P0 to be consistent with the value of P0 in the terminal device, so that the security contexts mapped by the first access network device and the terminal device are the same or matched, and the terminal device can successfully register on the first access network device.
Referring to fig. 5, fig. 5 is a flowchart illustrating another network registration method according to an embodiment of the present application. The network registration method includes operations 510 to 530 as follows. The body executing the method shown in fig. 5 may be a terminal device, or a chip in the terminal device. Note that these operations correspond to the operations shown in fig. 6: fig. 5 is the operation on the terminal device side, and fig. 6 is the operation on the first access network device side. Fig. 5 takes the terminal device as the example executing body, where the terminal device establishes a communication connection with a first access network device, the first access network device holds a first security context and a mapping key P0 that were established by the terminal device and a second access network device, and P0 is a second parameter value. Wherein:
510. Receiving a security mode command message sent by the first access network device, wherein the security mode command message is obtained by the first access network device according to a third security context, and the third security context is obtained by the first access network device mapping the first security context according to P0.
In a possible implementation, the terminal device registers with the second access network device before receiving the security mode command message from the first access network device. The second access network device may belong to a 4G network, and the first access network device may belong to a 5G network. The terminal device establishes the first security context on the second access network device. The terminal device and the second access network device each maintain the value of the mapping key P0, that is, the NAS Uplink Count Value. When the terminal device sends a NAS message including the NAS Uplink Count Value to the second access network device, determines that the sending failed (that is, the NAS message was not successfully sent to the second access network device), then enters an idle state and switches from the network of the second access network device to the network of the first access network device, the terminal device may send a registration request message to the first access network device. The registration request message requests registration of the terminal device in the first access network device. The first access network device may further obtain the first security context established by the terminal device and the second access network device, together with the NAS Uplink Count Value in the second access network device, and map the first security context to the third security context according to that NAS Uplink Count Value. The first access network device then performs security processing on the security mode command message according to the third security context and sends the security mode command message to the terminal device.
520. If the integrity check on the security mode command message fails, sending a security mode reject message to the first access network device, wherein the security mode reject message includes integrity check failure information, and the integrity check failure information indicates that a fourth security context is to be acquired.
The terminal device maps the first security context, which it established with the second access network device, to a security context for the first access network device according to the NAS Uplink Count Value it stores, and performs the integrity check on the received security mode command message using that mapped security context. Since the terminal device has determined that sending the NAS message to the second access network device failed, the NAS Uplink Count Value in the terminal device differs from the NAS Uplink Count Value of the first access network device, and the integrity check the terminal device performs on the security mode command message will fail. The terminal device then cannot register successfully with the first access network device, and may send a security mode reject (Security mode reject) message to the first access network device. The security mode reject message may include a 5G mobility management (5GMM) cause value, where the 5GMM cause value is Integrity check failure. The integrity check failure indicates to the first access network device that it should acquire a fourth security context.
530. Receiving a registration accept message sent by the first access network device, wherein the registration accept message is generated by the first access network device based on the fourth security context.
In one possible implementation, the fourth security context may be a new security context re-established by the first access network device and the terminal device. Specifically, after the terminal device sends the security mode reject message to the first access network device, the terminal device may receive an authorization request (Authorization Request) message sent by the first access network device, which may be used to request the establishment of a new security context with the terminal device. The first access network device may use the new security context as the fourth security context. The terminal device may send an authorization response (Authorization Response) message to the first access network device in response to the authorization request message, where the authorization response message may instruct the first access network device to generate the new security context, that is, the fourth security context. The first access network device sends to the terminal device a security mode command message encrypted and integrity-protected with the fourth security context, and the security mode command message may instruct the terminal device to perform the integrity check using the fourth security context. If the terminal device's integrity check succeeds, it may send to the first access network device a security mode complete message encrypted and integrity-protected with the fourth security context. The first access network device may perform the integrity check on the security mode complete message using the fourth security context and, if it succeeds, send a registration accept message to the terminal device. In this way, the terminal device can register successfully on the first access network device.
In a possible implementation, if the terminal device has previously registered in the first access network device, a local (Native) security context matching the terminal device is saved in the first access network device, and that local security context may serve as the fourth security context. The first access network device may encrypt and integrity-protect the registration accept message using the fourth security context, and after receiving the registration accept message, the terminal device has successfully registered on the first access network device if its integrity check succeeds.
By the embodiment of the application, when the terminal device receives the security mode command message and its integrity check on the message fails, the terminal device can send the security mode reject message to the first access network device. The security mode reject message may include a 5GMM cause whose value is Integrity check failure. The first access network device may then obtain a fourth security context. The fourth security context may be a new security context re-established by the first access network device and the terminal device; alternatively, if the terminal device has previously registered in the first access network device, the first access network device may hold a local (Native) security context matching the terminal device, and that local security context may be used as the fourth security context. In this way, the security contexts of the first access network device and the terminal device can be matched, and the terminal device can register successfully with the first access network device. By this method, the registration success rate of the terminal device on the communication network can be improved.
Referring to fig. 6, fig. 6 is a flowchart illustrating another network registration method according to an embodiment of the present application. The network registration method includes the following operations 610 to 660. The method shown in fig. 6 may be executed by the first access network device, or by a chip in the first access network device. Note that these operations correspond to the operations shown in fig. 5: fig. 5 is the operation on the terminal device side, and fig. 6 is the operation on the first access network device side. Fig. 6 takes the first access network device as the example executing body, where the first access network device establishes a communication connection with a terminal device, and the first access network device holds a first security context established by the terminal device and a second access network device. Wherein:
610. Receiving a security mode reject message sent by the terminal device.
620. If the security mode reject message includes an integrity check failure field, sending an authorization request message to the terminal device.
If the first access network device detects that the security mode reject message includes a 5GMM cause value, and the 5GMM cause value is Integrity check failure, the first access network device may send an authorization request (Authorization Request) message to the terminal device. The integrity check failure indicates to the first access network device that it should acquire a fourth security context, and the authorization request message may be used to request authorization of the terminal device, so that the first access network device and the terminal device establish a new security context.
630. Receiving an authorization response message sent by the terminal device, and generating a fourth security context that differs from the first security context.
640. Sending a security mode command message to the terminal device, wherein the security mode command message is obtained by processing according to the fourth security context.
The first access network device may encrypt and integrity-protect the security mode command message using the fourth security context.
650. Receiving a security mode complete message sent by the terminal device.
If the terminal device successfully performs the integrity check on the security mode command message, it may send to the first access network device a security mode complete message encrypted and integrity-protected with the fourth security context.
660. If the integrity check on the security mode complete message succeeds, sending a registration accept message to the terminal device.
The registration accept message indicates that the terminal device has successfully registered on the first access network device.
By this method, after receiving a security mode reject message from the terminal device whose 5GMM cause value is Integrity check failure, the first access network device can choose to re-establish a new security context with the terminal device as the fourth security context; where the first access network device holds a local security context for the terminal device, that local security context may be used as the fourth security context. Therefore, the security contexts of the first access network device and the terminal device can be matched, and the terminal device can register successfully on the first access network device. By this method, the registration success rate of the terminal device on the communication network can be improved.
Referring to fig. 7, fig. 7 is a flowchart illustrating another network registration method according to an embodiment of the present application. The network registration method includes the following operations 710 to 7120. The method shown in fig. 7 may be executed by the terminal device and the first access network device, or by chips in the terminal device and the first access network device. Wherein:
710. The terminal device registers with the second access network device.
The second access network device may be deployed in a 4G network.
720. The terminal device cannot determine that the NAS message was successfully sent to the second access network device, and enters an idle state.
730. The terminal device disconnects from the second access network device and camps on the network of the first access network device.
Wherein the network of the first access network device may be a 5G network.
740. The first access network device obtains the first security context and the mapping key P0, whose value is the second parameter value.
The first access network device may obtain the first security context and the mapping key P0, whose value is the second parameter value, from the second access network device.
750. The terminal equipment sends a registration request message to the first access network equipment.
760. The first access network device maps the first security context to a third security context according to P0.
770. The first access network device performs security processing on the security mode command message according to the third security context.
The security processing may include encryption and integrity protection.
780. The first access network device sends a security mode command message to the terminal device.
790. The terminal device fails to perform integrity check on the security mode command message.
The integrity check fails because P0 in the terminal device and P0 in the first access network device are not consistent, so the third security context does not match the security context mapped by the terminal device.
7100. The terminal equipment sends a security mode rejection message to the first access network equipment, wherein the security mode rejection message comprises 5GMM cause, and the 5GMM cause is Integrity check failure.
7110. The terminal device establishes a new security context with the first access network device to serve as the fourth security context.
7120. If the first access network device holds a previously stored local security context for the terminal device, that local security context is used as the fourth security context.
It should be noted that step 7110 and step 7120 are alternatives: if the terminal device and the first access network device execute step 7110, step 7120 is not executed; similarly, if they execute step 7120, step 7110 is not executed.
According to the embodiment of the application, when the respective security contexts of the terminal device and the first access network device do not match, the terminal device can send a security mode reject message to the first access network device, and by setting the 5GMM cause value in the security mode reject message to Integrity check failure, instruct the first access network device to acquire the fourth security context. The fourth security context may be a re-established security context or a previously saved local security context. Once the security context of the terminal device matches that of the first access network device, the terminal device can register successfully on the first access network device. By this method, the registration success rate of the terminal device on the communication network can be improved.
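Worked model of the two recovery paths described for figs. 2 to 4 and figs. 5 to 7 above, added here as an example that is not part of the patent: the first path corrects P0 from the 8-bit EPS sequence number before mapping, the second falls back to a fourth security context after a security mode reject with 5GMM cause Integrity check failure. The key derivation (HMAC-SHA256 over the 32-bit count), the 32-bit integrity tag, the dataclasses and every key and count value are constructed stand-ins chosen for this example, and the low-byte wrap handling in `correct_p0` is the example's own generalisation of the "high bits are likely identical" argument.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Optional

MASK32 = 0xFFFFFFFF
SMC_BODY = b"SECURITY MODE COMMAND"


def map_context(k_first: bytes, p0: int) -> bytes:
    """Map the first security context to a context key using P0 (NAS uplink COUNT).
    Assumed KDF: HMAC-SHA256 over the big-endian count (stand-in for the 3GPP KDF)."""
    return hmac.new(k_first, struct.pack(">I", p0 & MASK32), hashlib.sha256).digest()


def nas_mac(key: bytes, message: bytes) -> bytes:
    """32-bit integrity tag over a NAS message (stand-in for NAS-MAC)."""
    return hmac.new(key, message, hashlib.sha256).digest()[:4]


def eps_sequence_number(p0: int) -> int:
    """The registration request carries only the low 8 bits of P0."""
    return p0 & 0xFF


def correct_p0(network_p0: int, eps_seq: int) -> int:
    """Steps 320/460: replace the low 8 bits of the network's P0 with the indicated value.

    The terminal's count is never behind the network's here (the gap comes from a NAS
    message the network did not receive), so if the replaced value would go backwards
    the low byte has wrapped and the carry goes into the high bits. This wrap handling
    is an assumption of the example, not a step stated in the text.
    """
    candidate = (network_p0 & ~0xFF & MASK32) | (eps_seq & 0xFF)
    if candidate < network_p0:
        candidate = (candidate + 0x100) & MASK32
    return candidate


@dataclass
class Terminal:
    k_first: bytes                      # first security context (from the 4G side)
    p0: int                             # NAS uplink COUNT maintained by the terminal
    native_ctx: Optional[bytes] = None  # context saved from an earlier 5G registration


@dataclass
class FirstAccessNetwork:
    k_first: bytes                      # first security context obtained from the 4G side
    p0: int                             # NAS uplink COUNT obtained from the 4G side (may be stale)
    native_ctx: Optional[bytes] = None  # native context for this terminal, if previously registered
    log: List[str] = field(default_factory=list)


def ue_checks_smc(ue_ctx: bytes, smc: bytes) -> bool:
    """Integrity check of a SECURITY MODE COMMAND with the terminal's mapped context."""
    return hmac.compare_digest(nas_mac(ue_ctx, smc[:-4]), smc[-4:])


def register_with_eps_seq(ue: Terminal, amf: FirstAccessNetwork) -> str:
    """Fig. 4 flow: the EPS sequence number lets the network correct P0 before mapping."""
    amf.p0 = correct_p0(amf.p0, eps_sequence_number(ue.p0))       # steps 450/460
    second_ctx = map_context(amf.k_first, amf.p0)                   # step 460
    smc = SMC_BODY + nas_mac(second_ctx, SMC_BODY)                  # steps 470/480
    if not ue_checks_smc(map_context(ue.k_first, ue.p0), smc):      # step 490
        amf.log.append("SECURITY MODE REJECT")
        return "REGISTRATION FAILED"
    amf.log.append("SECURITY MODE COMPLETE")                        # step 4100
    return "REGISTRATION ACCEPT"                                    # step 4110


def register_with_reject(ue: Terminal, amf: FirstAccessNetwork) -> str:
    """Fig. 7 flow: the network maps with the P0 it holds; on integrity failure the
    terminal rejects with cause Integrity check failure and a fourth context (native if
    both sides hold it, otherwise newly established) protects the rest of the procedure."""
    third_ctx = map_context(amf.k_first, amf.p0)                    # step 760
    smc = SMC_BODY + nas_mac(third_ctx, SMC_BODY)                   # steps 770/780
    if ue_checks_smc(map_context(ue.k_first, ue.p0), smc):          # counts happened to agree
        amf.log.append("SECURITY MODE COMPLETE")
        return "REGISTRATION ACCEPT"
    amf.log.append("SECURITY MODE REJECT: Integrity check failure") # steps 790/7100
    if amf.native_ctx is not None and ue.native_ctx == amf.native_ctx:
        amf_fourth, ue_fourth = amf.native_ctx, ue.native_ctx       # step 7120
        amf.log.append("fourth context: native")
    else:
        # Step 7110: re-authentication modelled as both sides deriving one constructed key.
        amf_fourth = ue_fourth = hashlib.sha256(b"constructed fresh 5G context").digest()
        amf.log.append("fourth context: newly established")
    accept = b"REGISTRATION ACCEPT"
    accept_msg = accept + nas_mac(amf_fourth, accept)               # step 530 / 660
    if hmac.compare_digest(nas_mac(ue_fourth, accept), accept_msg[-4:]):
        return "REGISTRATION ACCEPT"
    return "REGISTRATION FAILED"


if __name__ == "__main__":
    K = hashlib.sha256(b"constructed first security context").digest()
    # The terminal incremented P0 for a NAS message the 4G side never received.
    ue, amf = Terminal(K, 0x00000105), FirstAccessNetwork(K, 0x00000104)
    print(register_with_eps_seq(ue, amf), amf.log)   # REGISTRATION ACCEPT
    ue, amf = Terminal(K, 0x00000105), FirstAccessNetwork(K, 0x00000104)
    print(register_with_reject(ue, amf), amf.log)    # REGISTRATION ACCEPT via fourth context
```

Running the module prints both outcomes; `register_with_eps_seq` returns "REGISTRATION FAILED" when the two counts differ by more than 255, which is exactly the case the 8-bit indication cannot repair.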
Referring to fig. 8, fig. 8 is a schematic diagram of the units of a network registration apparatus according to an embodiment of the present disclosure. The network registration apparatus shown in fig. 8 may be used to perform some or all of the functions in the method embodiments described above with reference to figs. 2, 3, 4, 5, 6 and 7. The apparatus may be a terminal device or a first access network device, an apparatus within the terminal device or the first access network device, or an apparatus that can be used in cooperation with the terminal device or the first access network device.
The logical structure of the apparatus may include a transceiving unit 810 and a processing unit 820. When the apparatus is applied to a terminal device, the terminal device establishes a communication connection with a first access network device, and the first access network device holds a first security context established by the terminal device and a second access network device, wherein:
a transceiving unit 810, configured to send a registration request message to a first access network device, where the registration request message includes an evolved packet system EPS sequence number, and the EPS sequence number is used to indicate that a mapping key P0 is a first parameter value;
the transceiver unit 810 is further configured to receive a security mode command message sent by the first access network device, where the security mode command message is processed by the first access network device according to a second security context, and the second security context is obtained by mapping the first security context by the first access network device according to P0;
the transceiving unit 810 is further configured to send a security mode complete message to the first access network device if the processing unit 820 successfully performs integrity check on the security mode command message.
In a possible implementation manner, the processing unit 820 is further configured to set the value of a target field to the lower 8 bits of P0, where P0 is the non-access stratum uplink count value (NAS Uplink Count Value); the transceiving unit 810 is further configured to send the registration request message, in which the target field indicating the lower 8 bits of P0 is set, to the first access network device.
In a possible implementation manner, before the registration request message is sent to the first access network device, the processing unit 820 is further configured to register with the second access network device and establish the first security context with the second access network device; the transceiving unit 810 is further configured to send a non-access stratum (NAS) message including P0 to the second access network device; and if it is not determined that the NAS message was successfully sent to the second access network device, the terminal device enters an idle state, and a switch from the second access network device to the first access network device is detected, the sending of the registration request message to the first access network device is triggered.
In a possible implementation manner, if the integrity check on the security mode command message is successful, after sending a security mode complete message to the first access network device, the transceiver 810 is further configured to receive a registration accept message sent by the first access network device, where the registration accept message is used to indicate that the terminal device successfully registers on the first access network device.
When the apparatus is applied to a first access network device, the first access network device establishes a communication connection with a terminal device, the first access network device includes a first security context and a mapping key P0, which are established by the terminal device and a second access network device, and P0 is a second parameter value, where:
a transceiving unit 810, configured to receive a registration request message sent by a terminal device, where the registration request message includes an evolved packet system (EPS) sequence number, the EPS sequence number is used to indicate that P0 is a first parameter value, and P0 is the non-access stratum uplink count value (NAS Uplink Count Value);
a processing unit 820, configured to modify P0 from the second parameter value to the first parameter value according to the EPS sequence number;
the processing unit 820 is further configured to map the first security context according to the modified P0 to obtain a second security context;
the processing unit 820 is further configured to obtain a security mode command message according to the second security context;
the transceiver unit 810 is further configured to send the security mode command message to the terminal device.
In a possible implementation manner, after sending the security mode command message to the terminal device, the transceiver unit 810 is further configured to receive a security mode complete message sent by the terminal device, and to send a registration accept message to the terminal device, where the registration accept message is used to indicate that the terminal device has successfully registered on the first access network device.
When the apparatus is applied to a terminal device, the terminal device establishes a communication connection with a first access network device, and the first access network device includes a first security context and a mapping key P0 that were established by the terminal device and a second access network device, where P0 is a second parameter value. In this case:
a transceiver unit 810, configured to receive a security mode command message sent by the first access network device, where the security mode command message is obtained by the first access network device by processing according to a third security context, and the third security context is obtained by the first access network device by mapping the first security context according to P0;
the transceiver unit 810 is further configured to send a security mode reject message to the first access network device if the integrity check on the security mode command message fails, where the security mode reject message includes integrity check failure information used to indicate that a fourth security context is to be obtained;
the transceiver unit 810 is further configured to receive a registration accept message sent by the first access network device, where the registration accept message is generated by the first access network device based on the fourth security context.
In a possible implementation manner, if the integrity check on the security mode command message fails, after sending the security mode reject message to the first access network device, the transceiver unit 810 is further configured to receive an authorization request message sent by the first access network device, and to send an authorization response message to the first access network device, where the authorization response message is used to indicate generation of the fourth security context.
In a possible implementation manner, the fourth security context is a local security context of the terminal device that is maintained by the first access network device.
When the apparatus is applied to a first access network device, the first access network device establishes a communication connection with a terminal device, and the first access network device includes a first security context established by the terminal device and a second access network device. In this case:
a transceiver unit 810, configured to receive a security mode reject message sent by the terminal device;
if the security mode reject message includes an integrity check failure field, the transceiver unit 810 is further configured to send an authorization request message to the terminal device;
the transceiver unit 810 is further configured to receive authorization response information sent by the terminal device and to generate a fourth security context, where the fourth security context is different from the first security context;
the transceiver unit 810 is further configured to send a security mode command message to the terminal device, where the security mode command message is obtained according to the fourth security context;
the transceiver unit 810 is further configured to receive a security mode complete message sent by the terminal device;
the transceiver unit 810 is further configured to send a registration accept message to the terminal device if the integrity check on the security mode complete message is successful.
In a possible implementation manner, after receiving the security mode reject message sent by the terminal device, if the security mode reject message includes an integrity check failure field and the first access network device holds a local security context, the processing unit 820 is configured to process the registration accept message using the local security context, where the local security context is different from the first security context or the fourth security context; the transceiver unit 810 is further configured to send the processed registration accept message to the terminal device.
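The two procedures above (the network reconciling P0 from the EPS sequence number before mapping the first security context, and the fallback in which an integrity check failure on the security mode command leads to a security mode reject and a fresh fourth security context) can be exercised in a small simulation. The following is an added example, not code from the patent or from Spreadtrum: HMAC-SHA-256 stands in for the 3GPP key derivation function and the NAS integrity algorithm, the message dictionaries and key values are constructed for this example, the authorization request/response exchange is reduced to a shared nonce, and the rule that the network's stored count is never ahead of the terminal's is an assumption of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample values for this example; a real long-term key lives in
# the USIM and the home network and is never held in application code.
ROOT_KEY = bytes.fromhex("00" * 16 + "11" * 16)
AUTH_NONCE = bytes.fromhex("0f" * 16)   # stands in for the authorization exchange
SMC_BODY = b"SECURITY MODE COMMAND"      # constructed message body


@dataclass
class SecurityContext:
    key: bytes      # context key (stand-in for the NAS integrity key)
    ul_count: int   # NAS Uplink COUNT, the patent's P0


def kdf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 stand-in for the 3GPP key derivation function (assumption)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def nas_mac(key: bytes, body: bytes) -> bytes:
    """32-bit NAS-style message authentication code (stand-in)."""
    return hmac.new(key, body, hashlib.sha256).digest()[:4]


def map_context(first: SecurityContext, p0: int) -> SecurityContext:
    """Map the first security context to a new one, using P0 as KDF input."""
    return SecurityContext(kdf(first.key, b"map", p0.to_bytes(4, "big")), 0)


def reconcile_count(network_count: int, reported_low8: int) -> int:
    """Modify the network's stored P0 so that its low 8 bits equal the value the
    terminal carried in the registration request (claim 2 style). Assumes the
    terminal's count is never behind the network's, so a smaller low byte means
    the terminal's counter wrapped past a 256 boundary."""
    candidate = (network_count & ~0xFF) | (reported_low8 & 0xFF)
    if candidate < network_count:
        candidate += 0x100
    return candidate


def fresh_context(nonce: bytes) -> SecurityContext:
    """Fourth security context from the re-authentication stand-in: both sides
    derive it from the root key and the nonce exchanged in the authorization
    request/response, so it is independent of the first context's P0."""
    return SecurityContext(kdf(ROOT_KEY, b"fresh", nonce), 0)


def build_smc(ctx: SecurityContext) -> dict:
    """Network side: security mode command protected under the given context."""
    return {"type": "SMC", "body": SMC_BODY, "mac": nas_mac(ctx.key, SMC_BODY)}


def ue_check_smc(ctx: SecurityContext, smc: dict) -> bool:
    """Terminal side: integrity check of the security mode command."""
    return hmac.compare_digest(nas_mac(ctx.key, smc["body"]), smc["mac"])


def amf_on_reject(reject: dict) -> Optional[SecurityContext]:
    """Network side: only a reject carrying the integrity check failure field
    triggers the authorization exchange and a fourth security context."""
    if not reject.get("integrity_check_failure"):
        return None
    return fresh_context(AUTH_NONCE)


def run_registration(ue_count: int, amf_count: int, report_count: bool) -> str:
    """Simulate one registration; returns which path led to registration accept."""
    first_key = kdf(ROOT_KEY, b"first", b"")
    ue_first = SecurityContext(first_key, ue_count)
    amf_first = SecurityContext(first_key, amf_count)

    # Terminal: registration request, optionally carrying the EPS sequence
    # number field set to the lower 8 bits of its own P0.
    request = {"type": "REGISTRATION REQUEST"}
    if report_count:
        request["eps_seq"] = ue_first.ul_count & 0xFF

    # Network: modify P0 if the field is present, then map the first context.
    p0 = amf_first.ul_count
    if "eps_seq" in request:
        p0 = reconcile_count(p0, request["eps_seq"])
    smc = build_smc(map_context(amf_first, p0))

    # Terminal: map with its own P0 and integrity-check the command.
    ue_ctx = map_context(ue_first, ue_first.ul_count)
    if ue_check_smc(ue_ctx, smc):
        return "accepted_mapped"   # security mode complete, accept under 2nd context

    # Integrity check failed: security mode reject with the failure field, the
    # network runs authorization request/response, both sides hold a fourth
    # context, and the security mode command is repeated under it.
    amf_ctx = amf_on_reject({"type": "SECURITY MODE REJECT", "integrity_check_failure": True})
    if amf_ctx is not None and ue_check_smc(fresh_context(AUTH_NONCE), build_smc(amf_ctx)):
        return "accepted_fresh"
    return "failed"


if __name__ == "__main__":
    print(run_registration(0x0105, 0x0105, report_count=False))  # counts in sync
    print(run_registration(0x0107, 0x0105, report_count=False))  # desynced, fallback
    print(run_registration(0x0107, 0x0105, report_count=True))   # desynced, resynced
    print(run_registration(0x0201, 0x01FE, report_count=True))   # low byte wrapped
```

The second call models the situation the description addresses: the terminal's uplink count advanced past the network's (for example after a NAS message whose delivery was never confirmed), so the two sides map different keys and the security mode command fails its integrity check; carrying the lower 8 bits of P0 in the registration request lets the network repair its copy of the count before mapping, and the reject path provides a fresh context when that is not possible.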
Referring to fig. 9, fig. 9 is a simplified schematic diagram of the entity structure of a network registration apparatus according to an embodiment of the present disclosure. The apparatus includes a processor 910, a memory 920, and a communication interface 930, and the processor 910, the memory 920, and the communication interface 930 are connected by one or more communication buses. The network registration apparatus may be a chip, a chip module, or the like.
The processor 910 is configured to support the network registration apparatus in performing the functions corresponding to the methods in fig. 2, fig. 3, fig. 4, fig. 5, fig. 6, and fig. 7. It should be understood that, in the embodiment of the present application, the processor 910 may be a Central Processing Unit (CPU), and the processor may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a discrete hardware component, or another programmable logic device, discrete gate, or transistor logic device. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 920 is used to store program code and the like. The memory 920 in embodiments of the present application may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. The volatile memory may be Random Access Memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
Communication interface 930 is used for transceiving data, information, messages, etc., and may also be described as a transceiver, transceiving circuitry, etc.
In the embodiment of the present application, when the network registration apparatus is applied to a relay device, the relay device establishes a communication connection with an access network device and establishes a communication connection with a remote device through a preset interface, and the processor 910 invokes the program code stored in the memory 920 to perform the following operations:
When the apparatus is applied to a terminal device, the terminal device establishes a communication connection with a first access network device, and the first access network device includes a first security context established by the terminal device and a second access network device. In this case:
the communication interface 930 is controlled to send a registration request message to the first access network device, where the registration request message includes an EPS sequence number, and the EPS sequence number is used to indicate that the mapping key P0 is a first parameter value;
the communication interface 930 is controlled to receive a security mode command message sent by the first access network device, where the security mode command message is processed by the first access network device according to a second security context, and the second security context is obtained by the first access network device by mapping the first security context according to P0;
if the processor 910, invoking the program code stored in the memory 920, successfully performs the integrity check on the security mode command message, the communication interface 930 is controlled to send a security mode complete message to the first access network device.
In a possible implementation manner, the processor 910 invokes the program code stored in the memory 920 to set the value of the target field to the lower 8 bits of P0, where P0 is a non-access stratum (NAS) Uplink Count Value; the communication interface 930 is controlled to send to the first access network device a registration request message that includes the target field, which is set to indicate the lower 8 bits of P0.
In a possible implementation manner, before sending the registration request message to the first access network device, the processor 910 invokes the program code stored in the memory 920 to register with and access the second access network device, and establishes a first security context with the second access network device; the communication interface 930 is controlled to send a non-access stratum (NAS) message to the second access network device, the NAS message including P0; and if it is not determined that the NAS message was successfully sent to the second access network device, the second access network device enters an idle state, and a switch from the second access network device to the first access network device is detected, sending the registration request message to the first access network device is triggered.
In a possible implementation manner, if the integrity check on the security mode command message is successful, after sending the security mode complete message to the first access network device, the communication interface 930 is controlled to receive a registration accept message sent by the first access network device, where the registration accept message is used to indicate that the terminal device has successfully registered on the first access network device.
When the apparatus is applied to a first access network device, the first access network device establishes a communication connection with a terminal device, and the first access network device includes a first security context and a mapping key P0 that were established by the terminal device and a second access network device, where P0 is a second parameter value. In this case:
the communication interface 930 is controlled to receive a registration request message sent by the terminal device, where the registration request message includes an EPS sequence number, the EPS sequence number is used to indicate that P0 is a first parameter value, and P0 is a non-access stratum (NAS) Uplink Count Value;
the processor 910 invokes the program code stored in the memory 920 to modify P0 from the second parameter value to the first parameter value according to the EPS sequence number;
the processor 910 invokes the program code stored in the memory 920 to map the first security context according to the modified P0 to obtain a second security context;
the processor 910 invokes the program code stored in the memory 920 to process according to the second security context to obtain a security mode command message;
the communication interface 930 is controlled to send the security mode command message to the terminal device.
In a possible implementation manner, after sending the security mode command message to the terminal device, the communication interface 930 is controlled to receive a security mode complete message sent by the terminal device, and to send a registration accept message to the terminal device, where the registration accept message is used to indicate that the terminal device has successfully registered on the first access network device.
When the apparatus is applied to a terminal device, the terminal device establishes a communication connection with a first access network device, and the first access network device includes a first security context and a mapping key P0 that were established by the terminal device and a second access network device, where P0 is a second parameter value. In this case:
the communication interface 930 is controlled to receive a security mode command message sent by the first access network device, where the security mode command message is obtained by the first access network device by processing according to a third security context, and the third security context is obtained by the first access network device by mapping the first security context according to P0;
if the integrity check on the security mode command message fails, the communication interface 930 is controlled to send a security mode reject message to the first access network device, where the security mode reject message includes integrity check failure information, and the integrity check failure information is used to indicate that a fourth security context is to be obtained;
the communication interface 930 is controlled to receive a registration accept message sent by the first access network device, where the registration accept message is generated by the first access network device based on the fourth security context.
In a possible implementation manner, if the integrity check on the security mode command message fails, after sending the security mode reject message to the first access network device, the communication interface 930 is controlled to receive an authorization request message sent by the first access network device, and to send an authorization response message to the first access network device, where the authorization response message is used to indicate generation of the fourth security context.
In a possible implementation manner, the fourth security context is a local security context of the terminal device that is maintained by the first access network device.
When the apparatus is applied to a first access network device, the first access network device establishes a communication connection with a terminal device, and the first access network device includes a first security context established by the terminal device and a second access network device. In this case:
the communication interface 930 is controlled to receive a security mode reject message sent by the terminal device;
if the security mode reject message includes the integrity check failure field, the communication interface 930 is controlled to send an authorization request message to the terminal device;
the communication interface 930 is controlled to receive the authorization response information sent by the terminal device, and a fourth security context is generated, where the fourth security context is different from the first security context;
the communication interface 930 is controlled to send a security mode command message to the terminal device, where the security mode command message is processed according to the fourth security context;
the communication interface 930 is controlled to receive a security mode complete message sent by the terminal device;
the communication interface 930 is controlled to send a registration accept message to the terminal device if the integrity check on the security mode complete message is successful.
In a possible implementation manner, after receiving the security mode reject message sent by the terminal device, if the security mode reject message includes the integrity check failure field and the first access network device holds a local security context, the processor 910 invokes the program code stored in the memory 920 to process the registration accept message using the local security context, where the local security context is different from the first security context or the fourth security context; the communication interface 930 is controlled to send the processed registration accept message to the terminal device.
The modules/units included in the apparatuses and products described in the above embodiments may be software modules/units, hardware modules/units, or partly software modules/units and partly hardware modules/units. For example:
For each apparatus or product applied to or integrated into a chip, each module/unit it includes may be implemented by hardware such as a circuit; or at least a part of the modules/units may be implemented by a software program running on a processor integrated within the chip, with the remaining modules/units (if any) implemented by hardware such as a circuit.
For each apparatus or product applied to or integrated into a chip module, each module/unit it includes may be implemented by hardware such as a circuit, and different modules/units may be located in the same component (e.g., a chip or a circuit module) or in different components of the chip module; or at least some of the modules/units may be implemented by a software program running on a processor integrated within the chip module, with the remaining modules/units (if any) implemented by hardware such as a circuit.
For each apparatus or product applied to or integrated into a terminal, each module/unit it includes may be implemented by hardware such as a circuit, and different modules/units may be located in the same component (e.g., a chip or a circuit module) or in different components of the terminal; or at least part of the modules/units may be implemented by a software program running on a processor integrated in the terminal, with the remaining modules/units (if any) implemented by hardware such as a circuit.
Referring to fig. 10, fig. 10 is a simplified schematic diagram of a chip of a network registration apparatus according to an embodiment of the present disclosure, where the chip includes a processor 1010 and a data interface 1020. The chip can be used to perform the corresponding functions of the methods in fig. 2, 3, 4, 5, 6, and 7. The chip may be included in the network registration apparatus shown in fig. 9. The chip may also be included in a chip module.
It should be noted that, in the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to relevant descriptions of other embodiments for parts that are not described in detail in a certain embodiment.
The steps in the methods of the embodiments of the invention may be reordered, combined, or deleted according to actual needs.
The units in the processing devices of the embodiments of the invention may be merged, divided, or deleted according to actual needs.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (11)

1. A network registration method is applied to a terminal device, wherein the terminal device establishes a communication connection with a first access network device, the first access network device includes a first security context established by the terminal device and a second access network device, and the method includes:
sending a registration request message to the first access network device, where the registration request message includes an Evolved Packet System (EPS) sequence number, and the EPS sequence number is used to indicate that a mapping key P0 is a first parameter value;
receiving a security mode command message sent by the first access network device, where the security mode command message is processed by the first access network device according to a second security context, and the second security context is obtained by mapping the first security context by the first access network device according to the P0;
and if the integrity check on the security mode command message is successful, sending a security mode complete message to the first access network device.
2. The method of claim 1, wherein the registration request message includes a target field, the sending the registration request message to the first access network device comprising:
setting the value of the target field to the lower 8 bits of the P0, wherein the P0 is a non-access stratum (NAS) Uplink Count Value;
sending, to the first access network device, the registration request message including the target field set to indicate the lower 8 bits of the P0.
3. The method of claim 2, wherein prior to sending the registration request message to the first access network device, the method further comprises:
registering to access a second access network device, and establishing the first security context with the second access network device;
sending a non-access stratum (NAS) message to the second access network device, the NAS message including the P0;
and if it is not determined that the NAS message was successfully sent to the second access network device, the second access network device enters an idle state, and a switch from the second access network device to the first access network device is detected, triggering the sending of the registration request message to the first access network device.
4. The method of claim 1, wherein after sending the security mode complete message to the first access network device if the integrity check on the security mode command message is successful, the method further comprises:
receiving a registration accept message sent by the first access network device, where the registration accept message is used to indicate that the terminal device has successfully registered on the first access network device.
5. A network registration method, applied to a first access network device, wherein the first access network device establishes a communication connection with a terminal device, the first access network device includes a first security context and a mapping key P0 that were established by the terminal device and a second access network device, and P0 is a second parameter value, the method comprising:
receiving a registration request message sent by the terminal device, where the registration request message includes an Evolved Packet System (EPS) sequence number, the EPS sequence number is used to indicate that the P0 is a first parameter value, and the P0 is a non-access stratum (NAS) Uplink Count Value;
modifying the P0 from the second parameter value to the first parameter value according to the EPS sequence number;
mapping the first security context according to the modified P0 to obtain a second security context;
processing according to the second security context to obtain a security mode command message;
and sending the security mode command message to the terminal device.
6. The method of claim 5, wherein after sending the security mode command message to the terminal device, the method further comprises:
receiving a security mode complete message sent by the terminal device;
and sending a registration accept message to the terminal device, where the registration accept message is used to indicate that the terminal device has successfully registered on the first access network device.
7. A network registration apparatus, applied to a terminal device, where the terminal device establishes a communication connection with a first access network device, and the first access network device includes a first security context established by the terminal device and a second access network device, the apparatus comprising:
a transceiving unit, configured to send a registration request message to the first access network device, where the registration request message includes an evolved packet system EPS sequence number, and the EPS sequence number is used to indicate that a mapping key P0 is a first parameter value;
the transceiver unit is further configured to receive a security mode command message sent by the first access network device, where the security mode command message is processed by the first access network device according to a second security context, and the second security context is obtained by mapping, by the first access network device, the first security context according to the P0;
the transceiver unit is further configured to send a security mode complete message to the first access network device if the processing unit successfully performs the integrity check on the security mode command message.
8. A network registration apparatus comprising a processor, a memory and a communication interface, the processor, the memory and the communication interface being interconnected, wherein the memory is configured to store a computer program comprising program instructions, and the processor is configured to invoke the program instructions, to perform the network registration method of any of claims 1 to 4, or to perform the network registration method of any of claims 5 to 6.
9. A computer-readable storage medium, wherein the computer-readable storage medium stores one or more instructions adapted to be loaded by a processor and to perform the network registration method of any of claims 1 to 4, or the network registration method of any of claims 5 to 6.
10. A chip, characterized in that the chip comprises a processor and a data interface, the processor reads instructions stored on a memory through the data interface to execute the network registration method according to any one of claims 1 to 4, or the network registration method according to any one of claims 5 to 6.
11. A chip module, characterized in that it comprises a chip as claimed in claim 10.
CN202011642923.9A 2020-12-30 2020-12-30 Network registration method and device Active CN112738881B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202211342819.7A CN116033541A (en) 2020-12-30 2020-12-30 Network registration method and device
CN202011642923.9A CN112738881B (en) 2020-12-30 2020-12-30 Network registration method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011642923.9A CN112738881B (en) 2020-12-30 2020-12-30 Network registration method and device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202211342819.7A Division CN116033541A (en) 2020-12-30 2020-12-30 Network registration method and device

Publications (2)

Publication Number Publication Date
CN112738881A CN112738881A (en) 2021-04-30
CN112738881B true CN112738881B (en) 2022-09-30

Family

ID=75609180

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202211342819.7A Pending CN116033541A (en) 2020-12-30 2020-12-30 Network registration method and device
CN202011642923.9A Active CN112738881B (en) 2020-12-30 2020-12-30 Network registration method and device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202211342819.7A Pending CN116033541A (en) 2020-12-30 2020-12-30 Network registration method and device

Country Status (1)

Country Link
CN (2) CN116033541A (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115885540A (en) * 2021-07-29 2023-03-31 Huawei Technologies Co., Ltd. Communication method, device and equipment
CN116074828A (en) * 2021-10-30 2023-05-05 Huawei Technologies Co., Ltd. Method and device for managing security context
CN114697963A (en) * 2022-03-29 2022-07-01 China Southern Power Grid Co., Ltd. Terminal identity authentication method and device, computer equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112087297A (en) * 2019-06-14 2020-12-15 Huawei Technologies Co., Ltd. Method, system and equipment for obtaining security context

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101224230B1 (en) * 2008-06-13 2013-01-21 Nokia Corporation Methods, apparatuses, and computer program products for providing fresh security context during intersystem mobility

Also Published As

Publication number Publication date
CN116033541A (en) 2023-04-28
CN112738881A (en) 2021-04-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant