CN114286339A - Method and system for determining security policy - Google Patents

Publication number
CN114286339A
Authority
CN
China
Prior art keywords
security policy
network element
target
identifier
base station
Prior art date
Legal status
Pending
Application number
CN202111570062.2A
Other languages
Chinese (zh)
Inventor
黄铖斌
方燕萍
王锦华
李金慧
张越
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Abstract

The disclosure provides a method and a system for determining a security policy, and belongs to the technical field of communication. The method comprises the following steps: when an identity authentication request of a UE is received, a UDM network element obtains the user identifier of the UE; the UDM network element acquires, according to the user identifier of the UE, the security policy corresponding to the target number segment in which the user identifier of the UE is located as the target security policy; the UDM network element sends a first message to an AMF network element, where the first message comprises the identifier of the target security policy; and a target network element determines the security policy corresponding to the UE based on the identifier of the target security policy, where the target network element is the AMF network element or the base station. The method for determining the security policy provided by the embodiment of the disclosure can solve the problem that the selection of the security policy is not flexible enough.

Description

Method and system for determining security policy
Technical Field
The disclosure belongs to the technical field of communication, and particularly relates to a method and a system for determining a security policy.
Background
At present, the access security protection of a 5G network may include multiple different security policies, and encryption and integrity protection may be performed on data transmission protection between a UE (User Equipment) side and a network side through the security policies.
Generally, the selection priorities of the security policies are configured in the gNB (5G base station) or in the AMF (Access and Mobility Management Function) network element of the core network, and when a UE accesses the network, the gNB or the AMF network element determines the security policy for the UE according to the pre-configured priority order. For example, if the priority order in gNB 1 is policy 0, policy 1, policy 2, policy 3, and the priority order in gNB 2 is policy 3, policy 2, policy 1, policy 0, then, assuming the UE supports all four policies, every UE accessing gNB 1 is assigned policy 0 and every UE accessing gNB 2 is assigned policy 3.
However, the above-mentioned determination method of the security policy mainly depends on the priority order of the configuration of the gNB or AMF network element, and the selection of the security policy is not flexible enough, and may not be able to adapt to the personalized requirements of different UEs.
Disclosure of Invention
The embodiment of the disclosure aims to provide a method and a system for determining a security policy, which can solve the problem that the selection of the security policy is not flexible enough.
In order to solve the technical problem, the present disclosure is implemented as follows:
in a first aspect, an embodiment of the present disclosure provides a method for determining a security policy, where the method includes: under the condition of receiving an identity authentication request of UE, a UDM (Unified Data Management) network element acquires a user identifier of the UE; the UDM network element acquires a security policy corresponding to a target number segment where the user identifier of the UE is located as a target security policy according to the user identifier of the UE, and one number segment corresponds to a service requirement of one security policy; the UDM network element sends a first message to an AMF network element, wherein the first message comprises the identifier of the target security policy; and the target network element determines the security policy corresponding to the UE based on the identifier of the target security policy, wherein the target network element is the AMF network element or the base station.
Optionally, before the target network element determines the security policy corresponding to the UE based on the identifier of the target security policy, the method further includes: the target network element updates the priority sequence of the security policies in the target network element based on the identification of the target security policies; the determining, by the target network element, the security policy corresponding to the UE based on the identifier of the target security policy includes: and the target network element determines the security policy corresponding to the UE based on the updated priority order of the security policy.
Optionally, the determining, by the target network element, the security policy corresponding to the UE based on the identifier of the target security policy includes: and the target network element determines the target security policy as the security policy of the UE.
Optionally, the determining, by the target network element, the target security policy as the security policy of the UE includes: if the UE is determined to support the target security policy, the target network element determines that the security policy corresponding to the UE is the target security policy; and if the UE is determined not to support the target security policy, the target network element determines the security policy corresponding to the UE according to the priority order of the security policies configured in the target network element.
Optionally, after the UDM network element acquires the user identity of the UE, the method further includes: if the target number segment where the user identifier of the UE is located does not have the corresponding security policy, the UDM network element sends indication information to the AMF network element; wherein the indication information indicates that the target network element determines the security policy for the UE according to the priority order of the security policies configured in the target network element.
Optionally, the target network element is a base station; before the target network element determines the security policy corresponding to the UE based on the identifier of the target security policy, the method further includes: the AMF network element sends second information to the base station, wherein the second information comprises an identifier of the target security policy; the determining, by the target network element, the security policy corresponding to the UE based on the identifier of the target security policy includes: and the base station determines the security policy corresponding to the UE based on the identifier of the target security policy in the second information.
Optionally, after the AMF network element sends the second information to the base station, the method further includes: and the base station updates the priority sequence of the security policy in the base station based on the identifier of the target security policy in the second information.
Optionally, the determining, by the target network element, the security policy corresponding to the UE based on the identifier of the target security policy includes: when the target network element is an AMF network element, the AMF network element determines a security policy of a non-access stratum corresponding to the UE based on the identifier of the target security policy; or, when the target network element is a base station, the base station determines a security policy of an access stratum corresponding to the UE based on the identifier of the target security policy.
Optionally, the method further includes configuring, by the UDM network element, a security policy corresponding to the target number segment according to a service requirement, where the security policy includes at least one of a confidentiality policy and an integrity policy.
In a second aspect, an embodiment of the present disclosure provides a system for determining a security policy, where the system for determining a security policy includes: the AMF network element, the UDM network element and the base station are connected with the AMF network element; the UDM network element is used for acquiring a security policy corresponding to a target number segment where a user identifier of the UE is located as a target security policy under the condition of receiving an identity authentication request of the UE, and sending a first message to the AMF network element, wherein one number segment corresponds to a service requirement of one security policy, and the first message comprises the identifier of the target security policy; and the target network element is used for determining the security policy corresponding to the UE based on the identifier of the target security policy, and the target network element is the AMF network element or the base station.
In the embodiment of the present disclosure, while identity authentication of the UE is being performed, the UDM network element may determine, based on the user identifier of the UE, the security policy corresponding to the number segment of that user identifier, and return the identifier of that security policy to the target network element that selects the security policy for the UE. The target network element then selects the security policy finally used for the UE in combination with the policy indicated by the UDM network element. Because the security policy corresponding to a number segment is one adapted to the service requirement of the UE, when UEs with different service requirements access the same base station, the UDM network element may determine, from each UE's number segment, a security policy corresponding to that UE's service requirement, and the final security policy for the UE is selected on the basis of that policy. This avoids the problem in the related art that selection is inflexible because it follows only a fixed order configured in the base station or the AMF network element. According to the technical scheme, more diverse protection capabilities are provided for users, the security policies corresponding to different service requirements of each UE can differ, and the individualized requirements of different UEs can be met.
Drawings
Fig. 1 is a schematic diagram of a security policy determination system provided in an embodiment of the present disclosure;
fig. 2 is a schematic diagram of a communication architecture provided by an embodiment of the present disclosure;
fig. 3 is a flowchart illustrating a method for determining a security policy according to an embodiment of the present disclosure;
fig. 4 is a second schematic flowchart of a method for determining a security policy according to an embodiment of the present disclosure;
fig. 5 is a third schematic flowchart of a method for determining a security policy according to an embodiment of the present disclosure;
fig. 6 is a fourth schematic flowchart of a method for determining a security policy according to an embodiment of the present disclosure;
fig. 7 is a fifth flowchart illustrating a method for determining a security policy according to an embodiment of the present disclosure;
fig. 8 is a sixth schematic flowchart of a method for determining a security policy according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The terms first, second and the like in the description and in the claims of the present disclosure are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that embodiments of the disclosure may be practiced other than those illustrated or described herein, and that the objects identified as "first," "second," etc. are generally a class of objects and do not limit the number of objects, e.g., a first object may be one or more. In addition, "and/or" in the specification and claims means at least one of connected objects, a character "/" generally means that a preceding and succeeding related objects are in an "or" relationship.
It is noted that the techniques described in the embodiments of the present disclosure are not limited to LTE (Long Term Evolution)/LTE-A (LTE-Advanced) systems, but may also be used in other wireless communication systems, such as CDMA (Code Division Multiple Access), TDMA (Time Division Multiple Access), FDMA (Frequency Division Multiple Access), OFDMA (Orthogonal Frequency Division Multiple Access), SC-FDMA (Single-carrier Frequency-Division Multiple Access), and other systems. The terms "system" and "network" in the embodiments of the present application are often used interchangeably, and the described techniques can be used for both the above-mentioned systems and radio technologies, as well as for other systems and radio technologies. However, the following description describes the NR system for purposes of example, and NR terminology is used in much of the description below, although the techniques may also be applied to applications other than NR system applications, such as 6G (6th Generation) communication systems.
The following describes in detail a method for determining a security policy provided by the embodiments of the present disclosure with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a security policy determination system according to an embodiment of the present disclosure, and as shown in fig. 1, the security policy determination system 100 includes: the system comprises an AMF network element 101, a UDM network element 102 and a base station 103, wherein the UDM network element 102 is connected with the AMF network element 101; the UDM network element 102 is configured to, in a case that an identity authentication request of the UE is received, acquire a security policy corresponding to a target number segment where a user identifier of the UE is located as a target security policy, and send a first message to the AMF network element 101, where the first message includes an identifier of the target security policy; and the target network element is used for determining the security policy corresponding to the UE based on the identifier of the target security policy, and the target network element is the AMF network element 101 or the base station 103.
In the system for determining a security policy provided by the embodiment of the present disclosure, during the identity authentication of a UE, the UDM network element may determine, based on the user identifier of the UE, the security policy corresponding to the number segment of that user identifier, and return the identifier of that security policy to the target network element that selects the security policy for the UE. The target network element selects the security policy finally used for the UE in combination with the policy indicated by the UDM network element. Because the security policy corresponding to a number segment is one adapted to the service requirement of the UE, when UEs with different service requirements access the same base station, the UDM network element may determine, from each UE's number segment, a security policy corresponding to that UE's service requirement, and the final security policy for the UE is selected on the basis of that policy. This avoids the problem in the related art that selection is inflexible because it follows only a fixed order configured in the base station or the AMF network element.
Fig. 2 is a schematic diagram of a communication architecture according to an embodiment of the present disclosure. As shown in fig. 2, the communication system includes: at least one UE (e.g., UE 200 and UE 201), a base station 202, an AMF network element 203, an AUSF network element 204, and a UDM network element 205; wherein the UDM network element 205 is configured with a corresponding relationship between number segments and security policies. The UE may access the base station 202, and in the access process, the UE may send an identity authentication request to the base station 202, the base station 202 sends the identity authentication request to the AMF network element 203, and the AMF network element 203 forwards the identity authentication request to the UDM network element 205 through the AUSF (Authentication Server Function) network element 204 to perform identity authentication of the UE. The UDM network element 205 may provide an authentication key and credentials, and perform identity authentication of the UE in cooperation with the AMF network element 203 and the AUSF network element 204. In the process of authenticating each UE, the UDM network element may determine a security policy preferentially selected for the UE by using the method for determining a security policy provided by the embodiment of the present disclosure, so that the AMF network element 203 and the base station 202 determine a corresponding security policy for each UE.
For convenience of description, in the embodiment of the present disclosure the communication between the AMF network element and the UDM network element, which passes through the AUSF network element, is described in simplified form as direct communication, and the AUSF network element is not mentioned further below.
Fig. 3 is a schematic flowchart of a method for determining a security policy according to an embodiment of the present disclosure. As shown in fig. 3, the method includes the following steps S301 to S304:
S301, under the condition of receiving the identity authentication request of the UE, the UDM network element acquires the user identifier of the UE.
The identity authentication request comprises a user identification of the UE requesting authentication.
Generally, when the UE performs identity authentication, the UE first sends an identity authentication request to a base station in the access network, the base station in the access network sends the identity authentication request to an AMF network element in the core network, and the AMF network element may forward the identity authentication request to a UDM network element in the core network through an AUSF network element in the core network to perform identity authentication.
Illustratively, the user identity of the UE may be a cell phone number.
S302, the UDM network element acquires a security policy corresponding to a target number segment where the user identifier of the UE is located as a target security policy according to the user identifier of the UE.
Wherein one number segment corresponds to a service requirement of a security policy.
It should be noted that, the UDM network element is configured with a corresponding relationship between the number segment and the security policy.
For example, in the embodiment of the present disclosure, the security policy is described by taking the confidentiality policy and the integrity policy of a 5G system as an example. Table 1 lists the 5G confidentiality (encryption) algorithms, four in total; Table 2 lists the 5G integrity algorithms, also four in total.
TABLE 1
Algorithm ID (4 bit)   Algorithm name   Remarks
0000 (binary)          NEA0             Null algorithm (no encryption)
0001 (binary)          128-NEA1         128-bit SNOW 3G based encryption algorithm
0010 (binary)          128-NEA2         128-bit AES based encryption algorithm
0011 (binary)          128-NEA3         128-bit ZUC based encryption algorithm
TABLE 2
Algorithm ID (4 bit)   Algorithm name   Remarks
0000 (binary)          NIA0             Null algorithm (no integrity protection)
0001 (binary)          128-NIA1         128-bit SNOW 3G based integrity algorithm
0010 (binary)          128-NIA2         128-bit AES based integrity algorithm
0011 (binary)          128-NIA3         128-bit ZUC based integrity algorithm
It should be noted that a security policy may include at least one of a confidentiality algorithm and an integrity algorithm, and if the security policy includes both a confidentiality algorithm and an integrity algorithm, the one confidentiality algorithm in a security policy may be combined with any one of the plurality of integrity algorithms.
For example, 128-NEA1 may form a security policy with any one of the integrity algorithms in Table 2 (NIA0, 128-NIA1, 128-NIA2 or 128-NIA3).
It should be noted that, in the embodiment of the present disclosure, the algorithm corresponding to the security policy in the table is only an exemplary illustration, and in practical applications, the security policy may also include a security policy in an existing system other than the 5G system, and may also be a security policy added in a future communication system, which is not specifically limited in this embodiment of the present disclosure.
S303, the UDM network element sends a first message to the AMF network element.
Wherein the first message includes an identification of the target security policy.
Illustratively, every confidentiality algorithm and integrity algorithm can be configured in the AMF network element and in the base station. If a security policy includes an integrity algorithm and a confidentiality algorithm, the identifier of the security policy may indicate the algorithm identifier of each algorithm in that set of algorithms.
S304, the target network element determines the security policy corresponding to the UE based on the identifier of the target security policy.
The target network element is an AMF network element or a base station.
It should be noted that, the AMF network element and the base station may respectively select security policies of different hierarchies for the UE.
It should be noted that, after the target network element determines the Security policy corresponding to the UE, the target network element may notify the UE of the determined Security policy through an SMC (Security Mode Command).
In the method for determining a security policy provided in the embodiment of the present disclosure, while identity authentication of a UE is being performed, the UDM network element may determine, based on the user identifier of the UE, the security policy corresponding to the number segment of that user identifier, and return the identifier of that security policy to the target network element that selects the security policy for the UE. The target network element selects the security policy finally used for the UE in combination with the policy indicated by the UDM network element. Because the security policy corresponding to a number segment is one adapted to the service requirement of the UE, when UEs with different service requirements access the same base station, the UDM network element may determine, from each UE's number segment, a security policy corresponding to that UE's service requirement, and the final security policy for the UE is selected on the basis of that policy. This avoids the problem in the related art that selection is inflexible because it follows only a fixed order configured in the base station or the AMF network element. According to the technical scheme, more diverse protection capabilities are provided for users, the security policies corresponding to different service requirements of each UE can differ, and the individualized requirements of different UEs can be met.
Optionally, in the method for determining a security policy provided in the embodiment of the present disclosure, when the target network element is a base station, before the step S304, the following step S305 may further be included:
S305, the AMF network element sends the second information to the base station.
Wherein the second information comprises an identification of the target security policy.
Further, S304 described above can be specifically executed by S34c described below:
S34c, the base station determines the security policy corresponding to the UE based on the identifier of the target security policy in the second information.
Based on the scheme, after receiving the identifier of the target security policy returned by the UDM network element, the AMF network element may forward the identifier of the target security policy to the base station, so that the base station may determine the security policy corresponding to the UE based on the target security policy indicated by the AMF network element.
Optionally, with reference to fig. 3, as shown in fig. 4, in the method for determining a security policy provided in the embodiment of the present disclosure, before the above S304, the following S306 may further be included:
S306, the target network element updates the priority order of the security policies configured in the target network element based on the identifier of the target security policy.
It should be noted that, the target network element is configured with a priority order of the security policies in a fixed order corresponding to the target network element, and when one UE performs identity authentication, the target network element may adjust, for the UE, the priority order of the security policies according to the security policy of the number segment where the UE is located through the UDM network element, for example, may adjust the selection priority of the target security policy to the highest priority.
Optionally, the UDM network element may also store a correspondence between a number segment and a security policy that is excluded for that segment; in that case the target security policy is a security policy that is not to be used by the number segment, and the target network element may adjust the selection priority of the target security policy to the lowest priority. For convenience of description, in the embodiment of the present disclosure, the target security policy acquired by the UDM network element is taken to be the security policy preferentially used by the UE.
Further, S304 described above can be executed by S34a described below:
S34a, the target network element determines the security policy corresponding to the UE based on the updated priority order of the security policies.
In the scheme, the target network element sequentially matches security policies that can be supported in the UE according to the adjusted priority order, and determines the matched security policy with the highest priority as the security policy corresponding to the UE.
Generally, in the process of security policy negotiation, each UE may report an identifier of a security policy supported by the UE.
It can be understood that, in practical applications, there may be UEs that can support each security policy, or there may be UEs that only support a part of the security policies, and this is not specifically limited by the embodiment of the present disclosure.
Illustratively, assume that the original priority order of the security policies in the target network element is 0, 1, 2, 3 and that each UE supports policies 0, 1, 2 and 3. In the conventional selection mode, the target network element selects the security policy corresponding to 0 for every UE accessing the base station corresponding to the target network element. According to the policy selection method of the present disclosure, if the updated priority order in the target network element for UE 1 is 2, 0, 1, 3, the target network element checks, following the updated order, whether UE 1 supports the security policy corresponding to 2, and if UE 1 is determined to support 2, the security policy corresponding to 2 may be determined as the security policy of UE 1. If the updated priority order in the target network element for UE 2 is 3, 2, 0, 1, the target network element checks, following the updated order, whether UE 2 supports the security policy corresponding to 3, and if UE 2 is determined to support 3, the security policy corresponding to 3 may be determined as the security policy of UE 2.
Based on the scheme, after the UDM network element determines the target security policy for the UE, the target network element may adjust the selection priority order of the security policies configured in the target network element in combination with the target security policy determined by the UDM network element, and sequentially match the security policies supported by the UE based on the adjusted priority order, and use the first matched security policy as the security policy corresponding to the UE.
Optionally, in the method for determining a security policy provided by the embodiment of the present disclosure, after the above S305, the above S306 may be executed by the following S36:
S36, the base station updates the priority order of the security policies in the base station based on the identifier of the target security policy in the second information.
Exemplarily, after the UDM network element determines the identifier of the target security policy for one UE, the UDM network element may send update indication information (i.e., the first message) to the AMF network element, where the update indication information may include a security policy update flag bit and security policy identifier bits: the security policy update flag bit may be set to 1, and the value of the security policy identifier bits may be the identifier of the target security policy. After receiving the update indication information, the AMF network element may update the priority order of the security policies in the AMF network element for the UE according to the update indication information, and forward the update indication information to the base station, so that the base station updates the priority order of the security policies in the base station for the UE according to the update indication information (i.e., the second information).
Based on the scheme, after receiving second information returned by the AMF network element, the base station can update the priority order of the security policies in the base station according to the identification of the target security policy indicated in the second information, so that the base station determines the corresponding security policy for the UE according to the priority order of the updated security policy.
Optionally, with reference to FIG. 3, as shown in FIG. 5, in the method for determining a security policy provided in the embodiment of the present disclosure, step S304 may alternatively be performed as the following step S34b:
S34b: the target network element determines the target security policy as the security policy of the UE.
For example, assuming that the security policies selected by the UDM network element for the UE are 128-NEA1 (confidentiality) and 128-NIA3 (integrity), the target network element may directly determine 128-NEA1 and 128-NIA3 as the security policies corresponding to the UE.
Example 1: after receiving the first information sent by the UDM network element, the AMF network element may directly determine the target security policy as the security policy of the UE according to the identifier of the target security policy in the first information.
Example 2: after the base station receives the second information sent by the AMF network element, the target security policy may be determined as the security policy of the UE directly according to the identifier of the target security policy in the second information.
Based on the scheme, after receiving the identifier of the target security policy indicated by the UDM network element, the target network element can directly determine the indicated target security policy as the security policy of the UE. Because the target security policy is determined by the UDM network element according to the number segment where the user identifier of the UE is located, and is therefore adapted to the user's service, the finally selected security policy better conforms to the service requirement of the user.
Optionally, with reference to FIG. 5, as shown in FIG. 6, in the method for determining a security policy provided in the embodiment of the present disclosure, step S34b may be specifically performed as the following B1 or B2:
B1: if it is determined that the UE supports the target security policy, the target network element determines that the security policy corresponding to the UE is the target security policy.
B2: if it is determined that the UE does not support the target security policy, the target network element determines the security policy corresponding to the UE according to the priority order of the security policies configured in the target network element.
It can be understood that, after receiving the identifier of the target security policy returned by the UDM network element, the target network element may directly use the target security policy as the security policy corresponding to the UE in the case that the UE supports the target security policy, and if the UE does not support the target security policy, the target network element may determine the corresponding security policy for the UE according to the original priority order of the security policies configured in the target network element and in a conventional manner.
Based on the scheme, in the scenario where the target network element directly uses the target security policy as the security policy of the UE, the target network element needs to determine, from the information on supported security policies reported by the UE, whether the UE supports the target security policy: if it does, the target security policy is used directly as the security policy of the UE; if it does not, a security policy is determined for the UE in the conventional manner.
Optionally, in the method for determining a security policy provided by the embodiment of the present disclosure, after the above S301, the following S307 may be further included:
S307: if no corresponding security policy exists for the target number segment where the user identifier of the UE is located, the UDM network element sends indication information to the AMF network element.
The indication information indicates the target network element to determine the security policy for the UE according to the priority order of the security policies configured in the target network element.
For example, the indication information may include a security policy update flag bit whose value is set to 0, indicating that there is no corresponding security policy for the target number segment where the user identifier is located.
Based on the scheme, if the target number segment has no corresponding security policy, the UDM network element can determine that no security policy is configured for that number segment, that is, no customised requirement applies to the selection of the security policy, so the UDM network element may instruct the target network element to select the security policy according to the priority order configured in the target network element.
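The following added example (written for this page, not code from the patent or from any AMF or base station implementation) puts together the indication described in S307 and in the update indication above with the direct-adoption mode of B1/B2: the UDM encodes an update flag bit and, when the flag is 1, the target policy identifier; the AMF decides the non-access stratum policy and forwards the same identifier as the second information; the base station decides the access stratum policy. The two-byte wire layout, the 0xFF filler, the field names and the configured priority lists are assumptions made for the illustration; the patent fixes none of them.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Set

UPDATE_FLAG_NONE = 0   # S307: no security policy configured for the number segment
UPDATE_FLAG_SET = 1    # first information carries a target policy identifier


@dataclass(frozen=True)
class Indication:
    update_flag: int
    policy_id: Optional[int]

    def encode(self) -> bytes:
        # Assumed layout: one flag byte, then one identifier byte (0xFF = absent).
        if self.update_flag == UPDATE_FLAG_NONE:
            return bytes([UPDATE_FLAG_NONE, 0xFF])
        if self.policy_id is None or not 0 <= self.policy_id <= 0xFE:
            raise ValueError("update flag set but no encodable policy identifier")
        return bytes([UPDATE_FLAG_SET, self.policy_id])

    @staticmethod
    def decode(raw: bytes) -> "Indication":
        # Reject anything but the two defined shapes; a flag of 1 without an
        # identifier is malformed rather than silently treated as "no update".
        if len(raw) != 2 or raw[0] not in (UPDATE_FLAG_NONE, UPDATE_FLAG_SET):
            raise ValueError("malformed indication")
        if raw[0] == UPDATE_FLAG_NONE:
            return Indication(UPDATE_FLAG_NONE, None)
        if raw[1] == 0xFF:
            raise ValueError("update flag set but identifier missing")
        return Indication(UPDATE_FLAG_SET, raw[1])


def udm_indication(segment_policy: Optional[int]) -> Indication:
    """UDM side: no policy for the segment -> flag 0 (S307); else flag 1 + identifier."""
    if segment_policy is None:
        return Indication(UPDATE_FLAG_NONE, None)
    return Indication(UPDATE_FLAG_SET, segment_policy)


def conventional_select(configured: Sequence[int], ue_supported: Set[int]) -> Optional[int]:
    """Original behaviour: first policy in the configured order that the UE supports."""
    return next((p for p in configured if p in ue_supported), None)


def direct_select(configured: Sequence[int], ue_supported: Set[int],
                  ind: Indication) -> Optional[int]:
    """S34b with B1/B2: adopt the UDM target if the UE reported support for it,
    otherwise (or when the flag is 0) fall back to the configured order."""
    if ind.update_flag == UPDATE_FLAG_SET and ind.policy_id in ue_supported:
        return ind.policy_id
    return conventional_select(configured, ue_supported)


def run_flow(segment_policy: Optional[int], ue_supported: Set[int],
             amf_priority: Sequence[int], gnb_priority: Sequence[int]):
    """UDM -> AMF (first information) -> base station (second information).
    Returns (non-access stratum policy, access stratum policy)."""
    first_info = udm_indication(segment_policy).encode()
    nas_policy = direct_select(amf_priority, ue_supported, Indication.decode(first_info))
    second_info = first_info            # the AMF forwards the identifier unchanged
    as_policy = direct_select(gnb_priority, ue_supported, Indication.decode(second_info))
    return nas_policy, as_policy


if __name__ == "__main__":
    # Constructed values: AMF and base station orders differ, as the text allows.
    print(run_flow(2, {0, 1, 2, 3}, [0, 1, 2, 3], [1, 0, 3, 2]))   # (2, 2)
    print(run_flow(2, {0, 1}, [0, 1, 2, 3], [1, 0, 3, 2]))         # (0, 1): UE lacks 2
    print(run_flow(None, {0, 1, 2, 3}, [0, 1, 2, 3], [1, 0, 3, 2]))  # (0, 1): flag 0
```

The support check relies on the security capabilities the UE reported when it registered. In 3GPP 5G those capabilities are echoed back to the UE inside the integrity-protected NAS Security Mode Command so that a capability list altered in transit (a bidding-down attempt) is detected; the example models only the selection, not that echo.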
Optionally, in the method for determining a security policy provided by the embodiment of the present disclosure, the step S304 may be specifically executed through the following steps S341 and S342:
S341: in the case where the target network element is the AMF network element, the AMF network element determines the security policy of the non-access stratum corresponding to the UE based on the identifier of the target security policy.
For example, when the target security policy is directly used as the security policy of the UE, the AMF network element determines whether the UE supports the target security policy, and, when the UE supports it, determines the target security policy as the security policy of the non-access stratum corresponding to the UE. In the case where the priority order of the security policies in the AMF network element is first updated according to the target security policy, the AMF network element may determine the security policy of the non-access stratum corresponding to the UE based on the updated priority order.
Example: the AMF network element may directly determine 128-NEA1 and 128-NIA3 as the security policy of the non-access stratum corresponding to the UE, and the base station may directly determine 128-NEA1 and 128-NIA3 as the security policy of the access stratum corresponding to the UE.
S342: in the case where the target network element is the base station, the base station determines the security policy of the access stratum corresponding to the UE based on the identifier of the target security policy.
For example, when the target security policy is directly used as the security policy of the UE, the base station determines whether the UE supports the target security policy, and, when the UE supports it, determines the target security policy as the security policy of the access stratum corresponding to the UE. In the case where the priority order of the security policies in the base station is first updated according to the target security policy, the base station may determine the security policy of the access stratum corresponding to the UE based on the updated priority order.
It should be noted that, the priority order of the security policy configured in the AMF network element and the priority order of the security policy configured in the base station may be the same or different, and this is not specifically limited in this embodiment of the disclosure.
Optionally, the AMF network element and the base station may select the security policy for the UE in the same manner or in different manners. For example, while the base station directly adopts the target security policy as the access stratum security policy of the UE, the AMF network element may first update its priority order and determine the non-access stratum security policy of the UE according to that order, or it may likewise directly adopt the target security policy as the non-access stratum security policy of the UE.
Based on the scheme, the AMF network element can determine the non-access stratum security policy for the UE based on the target security policy selected by the UDM network element, and the base station can determine the access stratum security policy for the UE based on the same target security policy, so that for each of the two strata the selection is made based on the identifier of the target security policy corresponding to the number segment of the user identifier of the UE.
Optionally, in the method for determining a security policy provided by the embodiment of the present disclosure, before the foregoing S301, the following S300 may also be included:
S300: according to the service requirement, the UDM network element configures a security policy corresponding to the target number segment.
The security policy includes at least one of a confidentiality policy and an integrity policy.
For example, the UDM network element may be configured with a correspondence between security policies and number segments. It should be noted that, in the embodiment of the present disclosure, the security policy required by the users of each service may be configured in advance in the UDM network element according to the service requirement.
For example, if a user of an enterprise 1 needs to specify a security policy 1, a corresponding relationship between the specified security policy 1 and the number segment 1 may be configured for the number segment 1 occupied by the enterprise 1, and if a user of an enterprise 2 needs to specify a security policy 2, a corresponding relationship between the specified security policy 2 and the number segment 2 may be configured for the number segment 2 occupied by the enterprise 2.
Based on the scheme, the UDM network element can configure the corresponding relationship between the number segment of the user and the security policy according to the service requirement of the user, and in the process of identity authentication of the user accessing the network in the number segment, the UDM network element can quickly determine the security policy corresponding to the service requirement for the UE according to the number segment and indicate the security policy to the target network element, so that the target network element determines the corresponding security policy for the UE based on the security policy indicated by the UDM network element.
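The following added example (written for this page; not the patent's code nor a real UDM implementation) shows the S300 configuration and the lookup that follows it: a number segment, taken here to be a digit prefix of an IMSI-style user identifier, maps to a security policy consisting of a confidentiality part and an integrity part, and the longest configured prefix wins so that an enterprise sub-segment can override an enterprise-wide entry. The identifier format, the prefix-match rule, the sample segments and the algorithm names attached to them are assumptions; the policy identifiers and the 128-NEA1/128-NIA3 pair are the ones used in the text.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    policy_id: int
    confidentiality: Optional[str]   # e.g. "128-NEA1"; None = no confidentiality requirement
    integrity: Optional[str]         # e.g. "128-NIA3"; None = no integrity requirement


class UdmPolicyTable:
    """Correspondence between number segments and security policies (S300)."""

    def __init__(self) -> None:
        self._segments: Dict[str, SecurityPolicy] = {}

    def configure(self, segment: str, policy: SecurityPolicy) -> None:
        if not segment.isdigit():
            raise ValueError("a number segment must be a digit prefix (assumption)")
        if policy.confidentiality is None and policy.integrity is None:
            raise ValueError("a policy must carry a confidentiality or an integrity part")
        self._segments[segment] = policy

    def lookup(self, user_id: str) -> Optional[SecurityPolicy]:
        """Target policy for the segment containing `user_id`; the longest
        configured prefix wins. None means no segment is configured, which is
        the S307 case (the target network element uses its own priority order)."""
        if not user_id.isdigit():
            raise ValueError("user identifier must be a digit string (assumption)")
        best_segment, best_policy = "", None
        for segment, policy in self._segments.items():
            if user_id.startswith(segment) and len(segment) > len(best_segment):
                best_segment, best_policy = segment, policy
        return best_policy


def build_sample_table() -> UdmPolicyTable:
    # Constructed sample: enterprise 1 occupies segment 4600012 and requires
    # policy 1; a sub-segment 460001234 of it is assigned policy 2.
    table = UdmPolicyTable()
    table.configure("4600012", SecurityPolicy(1, "128-NEA2", "128-NIA2"))
    table.configure("460001234", SecurityPolicy(2, "128-NEA1", "128-NIA3"))
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for user in ("460001234567890", "460001299999999", "460009000000000"):
        print(user, "->", table.lookup(user))
```

The `configure` check refuses a policy with neither part so that a segment cannot be silently provisioned with no protection at all; what the number segment carries for the UE is still decided by the target network element against the capabilities the UE reported.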
Example one:
fig. 7 is a schematic diagram of a security policy determination process according to an embodiment of the present disclosure. As shown in fig. 7, the following steps 71 to 79 may be included:
71. The UE sends an identity authentication request to the base station.
72. The base station forwards the identity authentication request sent by the UE to the AMF network element.
73. The AMF network element sends the identity authentication request of the UE forwarded by the base station to the UDM network element.
74. The UDM network element acquires the user identifier of the UE according to the identity authentication request of the UE.
75. The UDM network element acquires, according to the user identifier of the UE, the security policy corresponding to the number segment where the user identifier of the UE is located as the target security policy.
76. The UDM network element sends the identifier of the target security policy to the AMF network element.
77. The AMF network element sends the identifier of the target security policy to the base station.
78. The base station determines the target security policy as the security policy of the access stratum corresponding to the UE.
79. The AMF network element determines the target security policy as the security policy of the non-access stratum corresponding to the UE.
Based on the scheme, the AMF network element and the base station can directly determine the target security policy determined by the UDM network element as the non-access stratum security policy and the access stratum security policy of the UE respectively; the security policy determination step is simple, and the service requirement of the UE is better adapted to.
Example two:
FIG. 8 is a schematic diagram of a security policy determination process according to an embodiment of the present disclosure. As shown in FIG. 8, the following steps 801 to 811 may be included:
Steps 801 to 807 correspond to steps 71 to 77 of FIG. 7 and are not described again here.
808. The base station updates the priority order of the security policies configured in the base station based on the identifier of the target security policy.
809. The base station determines the security policy of the access stratum corresponding to the UE according to the updated priority order.
810. The AMF network element updates the priority order of the security policies configured in the AMF network element based on the identifier of the target security policy.
811. The AMF network element determines the security policy of the non-access stratum corresponding to the UE according to the updated priority order.
Based on the scheme, the AMF network element and the base station can each update the priority order of the security policies configured in them according to the target security policy determined by the UDM network element, and then determine the non-access stratum and access stratum security policies corresponding to the UE based on their respective updated priority orders. This raises the probability that the security policy selected for the UE is the one matching its service requirement, and correspondingly lowers the probability that a policy unsuited to the UE's service is selected, so that the selected security policy is better adapted to the service of the UE.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Further, it is noted that the scope of the methods and apparatus in the embodiments of the present disclosure is not limited to performing functions in the order shown or discussed, but may include performing functions in a substantially simultaneous manner or in a reverse order based on the functions involved, e.g., the methods described may be performed in an order different than that described, and various steps may be added, omitted, or combined. In addition, features described with reference to certain examples may be combined in other examples.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present disclosure may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present disclosure.
While the present disclosure has been described with reference to the embodiments illustrated in the drawings, which are intended to be illustrative rather than restrictive, it will be apparent to those of ordinary skill in the art in light of the present disclosure that many more modifications may be made without departing from the spirit of the disclosure and the scope of the appended claims.

Claims (10)

1. A method for determining a security policy, the method comprising:
under the condition of receiving an identity authentication request of a UE, a unified data management (UDM) network element acquires a user identifier of the UE;
the UDM network element acquires a security policy corresponding to a target number segment where the user identifier of the UE is located as a target security policy according to the user identifier of the UE, and one number segment corresponds to a service requirement of one security policy;
the UDM network element sends a first message to an access and mobility management function (AMF) network element, wherein the first message comprises an identifier of the target security policy;
and the target network element determines the security policy corresponding to the UE based on the identifier of the target security policy, wherein the target network element is the AMF network element or the base station.
2. The method of claim 1, wherein before the target network element determines the security policy corresponding to the UE based on the identifier of the target security policy, the method further comprises:
the target network element updates the priority sequence of the security policies in the target network element based on the identification of the target security policies;
the determining, by the target network element, the security policy corresponding to the UE based on the identifier of the target security policy includes:
and the target network element determines the security policy corresponding to the UE based on the updated priority order of the security policy.
3. The method of claim 1, wherein the determining, by the target network element, the security policy corresponding to the UE based on the identifier of the target security policy comprises:
and the target network element determines the target security policy as the security policy of the UE.
4. The method of claim 1, wherein the determining, by the target network element, the target security policy as the security policy of the UE comprises:
if the UE is determined to support the target security policy, the target network element determines that the security policy corresponding to the UE is the target security policy;
and if the UE is determined not to support the target security policy, the target network element determines the security policy corresponding to the UE according to the priority order of the security policies configured in the target network element.
5. The method according to any of claims 1 to 4, wherein after the UDM network element obtains the user identity of the UE, the method further comprises:
if the target number segment where the user identifier of the UE is located does not have the corresponding security policy, the UDM network element sends indication information to the AMF network element;
wherein the indication information indicates that the target network element determines the security policy for the UE according to the priority order of the security policies configured in the target network element.
6. The method according to any of claims 1 to 4, wherein the target network element is a base station; before the target network element determines the security policy corresponding to the UE based on the identifier of the target security policy, the method further includes:
the AMF network element sends second information to the base station, wherein the second information comprises an identifier of the target security policy;
the determining, by the target network element, the security policy corresponding to the UE based on the identifier of the target security policy includes:
and the base station determines the security policy corresponding to the UE based on the identifier of the target security policy in the second information.
7. The method of claim 6, wherein after the AMF network element sends the second information to the base station, the method further comprises:
and the base station updates the priority sequence of the security policy in the base station based on the identifier of the target security policy in the second information.
8. The method of claim 1, wherein the determining, by the target network element, the security policy corresponding to the UE based on the identifier of the target security policy comprises:
when the target network element is the AMF network element, the AMF network element determines a security policy of a non-access stratum corresponding to the UE based on the identifier of the target security policy; or,
when the target network element is the base station, the base station determines a security policy of an access stratum corresponding to the UE based on the identifier of the target security policy.
9. The method of claim 1, further comprising:
and according to service requirements, the UDM network element configures a security policy corresponding to the target number segment, wherein the security policy comprises at least one of a confidentiality policy and an integrity policy.
10. A system for determining a security policy, the system comprising: an access and mobility management function (AMF) network element, a unified data management (UDM) network element and a base station, wherein the UDM network element is connected with the AMF network element;
the UDM network element is used for acquiring a security policy corresponding to a target number segment where a user identifier of the UE is located as a target security policy under the condition of receiving an identity authentication request of the UE, and sending a first message to the AMF network element, wherein one number segment corresponds to a service requirement of one security policy, and the first message comprises the identifier of the target security policy;
and the target network element is used for determining the security policy corresponding to the UE based on the identifier of the target security policy, and the target network element is the AMF network element or the base station.
CN202111570062.2A, priority date 2021-12-21, filing date 2021-12-21: Method and system for determining security policy, CN114286339A (en), pending.

Publications (1)

Publication Number Publication Date
CN114286339A (en) 2022-04-05


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination