Disclosure of Invention
The embodiment of the application provides a signaling operation method, a signaling operation indication method, corresponding devices, and a computer storage medium, which are used to realize an encryption protection scheme for the SUPI and so improve the security of SUPI usage.
The signaling operation method provided by the embodiment of the application comprises the following steps:
receiving key-related signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
and carrying out corresponding operation according to the signaling.
In the embodiment of the application, the UE side receives the key-related signaling, the key being a key corresponding to the Subscription Permanent Identifier (SUPI) of a subscriber, and performs the corresponding operation according to the signaling, thereby realizing the encryption protection scheme for the SUPI and improving the security of SUPI usage.
Optionally, the signaling is non-access stratum NAS signaling.
Optionally, the signaling carries a subscription identifier hiding instruction SICI.
Optionally, performing the corresponding operation according to the signaling specifically includes:
parsing the SICI to obtain a request instruction for an operation to be executed;
and performing the corresponding operation according to the request instruction.
Optionally, performing the corresponding operation according to the request instruction specifically includes:
operating on the subscription identifier hiding configuration file and/or the subscription identifier encryption key list according to the request instruction.
Optionally, performing the corresponding operation according to the signaling further includes:
generating a response instruction according to the result of the operation, and encapsulating the response instruction in the SICI.
Optionally, the SICI is a security protected SICI.
Optionally, the subscription identifier hiding profile is for storing a SUPI protection scheme; the subscription identifier encryption key list is used to store encryption keys applied in the SUPI protection scheme.
Optionally, performing the corresponding operation according to the signaling specifically includes:
determining the SUPI protection scheme currently to be adopted and the key, applied in that scheme, for encrypting the SUPI;
encrypting the SUPI with that key according to the SUPI protection scheme currently to be adopted.
Correspondingly, on the network side, a signaling operation indication method provided in the embodiment of the present application includes:
generating key-dependent signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
and sending the signaling.
Optionally, the signaling is non-access stratum NAS signaling.
Optionally, the signaling carries a subscription identifier hiding instruction SICI.
Optionally, generating the key-related signaling specifically includes:
generating a request instruction for an operation that the User Equipment (UE) is required to execute;
and encapsulating the request instruction in the SICI.
Optionally, the SICI is a security protected SICI.
Optionally, before generating the request instruction, the method further includes:
generating a key pair for SUPI encryption and decryption and identifying the key pair;
providing the SUPI decryption key to a Subscription Identifier Decryption Function (SIDF) entity and providing the SUPI encryption key to the SIEKPF entity.
Optionally, the operations that the UE needs to perform include: operating on a subscription identifier hiding profile and/or a subscription identifier encryption key list.
Optionally, the subscription identifier hiding profile is for storing a SUPI protection scheme; the subscription identifier encryption key list is used to store encryption keys applied in the SUPI protection scheme.
An embodiment of the present application provides a signaling operation apparatus, including:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing according to the obtained program:
receiving, by a transceiver, key-related signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
and carrying out corresponding operation according to the signaling.
Optionally, the signaling is non-access stratum NAS signaling.
Optionally, the signaling carries a subscription identifier hiding instruction SICI.
Optionally, the processor performing the corresponding operation according to the signaling specifically includes:
parsing the SICI to obtain a request instruction for an operation to be executed;
and performing the corresponding operation according to the request instruction.
Optionally, the processor performing the corresponding operation according to the request instruction specifically includes:
operating on the subscription identifier hiding configuration file and/or the subscription identifier encryption key list according to the request instruction.
Optionally, the processor performing the corresponding operation according to the signaling further includes:
generating a response instruction according to the result of the operation, and encapsulating the response instruction in the SICI.
Optionally, the SICI is a security protected SICI.
Optionally, the subscription identifier hiding profile is for storing a SUPI protection scheme; the subscription identifier encryption key list is used to store encryption keys applied in the SUPI protection scheme.
Optionally, the processor performing the corresponding operation according to the signaling specifically includes:
determining the SUPI protection scheme currently to be adopted and the key, applied in that scheme, for encrypting the SUPI;
encrypting the SUPI with that key according to the SUPI protection scheme currently to be adopted.
An embodiment of the present application provides a signaling operation indicating device, including:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing according to the obtained program:
generating key-dependent signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
and sending the signaling through a transceiver.
Optionally, the signaling is non-access stratum NAS signaling.
Optionally, the signaling carries a subscription identifier hiding instruction SICI.
Optionally, the generating, by the processor, of the key-related signaling specifically includes:
generating a request instruction for an operation that the User Equipment (UE) is required to execute;
and encapsulating the request instruction in the SICI.
Optionally, the SICI is a security protected SICI.
Optionally, before generating the request instruction, the processor is further configured to:
generate a key pair for SUPI encryption and decryption and identify the key pair;
provide the SUPI decryption key to a Subscription Identifier Decryption Function (SIDF) entity and provide the SUPI encryption key to the SIEKPF entity.
Optionally, the operations that the UE needs to perform include: operating on a subscription identifier hiding profile and/or a subscription identifier encryption key list.
Optionally, the subscription identifier hiding profile is for storing a SUPI protection scheme; the subscription identifier encryption key list is used to store encryption keys applied in the SUPI protection scheme.
Another signaling operation apparatus provided in an embodiment of the present application includes:
a receiving unit, configured to receive a key-related signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
and the operation unit is used for carrying out corresponding operation according to the signaling.
Another signaling operation indication apparatus provided in an embodiment of the present application includes:
a generating unit for generating a key-dependent signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
a sending unit, configured to send the signaling.
Another embodiment of the present application provides a computer storage medium having stored thereon computer-executable instructions for causing a computer to perform any one of the methods described above.
Detailed Description
The embodiment of the application provides a signaling operation method, a signaling operation indication method, corresponding devices, and a computer storage medium, which are used to realize an encryption protection scheme for the SUPI and so improve the security of SUPI usage.
In the embodiment of the present application, a Subscription Identifier Hiding Configuration File (SICCF) and a Subscription Identifier Encryption Key List (SIEKL) are set in the User Equipment (UE). Whether the UE uses the SUPI is controlled through the configuration and modification of these two files, so as to protect the privacy of the UE. To configure and modify these two files in the UE, a new parameter, the Subscription Identifier Hiding Instruction (SICI), transmitted in a Non-Access Stratum (NAS) message, is designed. The Core Network (CN) uses the SICI parameter to transmit various privacy-protection-related control instructions to the UE through a Privacy Key Provisioning Function.
Note that the SUPI in the embodiment of the present application may also be simply referred to as a subscription identifier.
The following is a description of terms or functional entities involved in the embodiments of the present application:
Subscription Identifier Hiding Instruction (SICI): encapsulates the request and response information, exchanged between the UE and the CN, relating to the configuration of the subscription identifier hiding function, for transmission through NAS signaling.
The UE Subscription Identifier Hiding System performs functions related to Subscription Permanent Identifier (SUPI) hiding and includes the following functions or functional entities:
Subscription Identifier Hiding Management Function (SICMF): responsible for maintaining the Subscription Identifier Hiding Configuration File (SICCF) and the Subscription Identifier Encryption Key List (SIEKL), generating and parsing the Subscription Identifier Hiding Instruction (SICI), and calling the corresponding security function to provide confidentiality or integrity protection for the SICI when needed.
Subscription Identifier Hiding Function (SICF): encrypts the SUPI, or part of the information in the SUPI, with a key given in the Subscription Identifier Encryption Key List (SIEKL) according to the information provided by the Subscription Identifier Hiding Configuration File (SICCF).
Subscription Identifier Hiding Configuration File (SICCF): stores which encryption scheme is used to protect the SUPI. Here, the null scheme is a special encryption scheme meaning that no SUPI protection scheme is used. When any scheme other than the null scheme is selected, a certain SUPI protection scheme is used. From the information in this file the system determines whether to protect the SUPI and with which scheme.
Subscription Identifier Encryption Key List (SIEKL): stores the list of keys used to encrypt the SUPI. The contents of the list are shown in Table 1 below. The parameters are described as follows:
Key Identity (key identifier): a unique identification of the key.
Key: the key value.
Scheme (encryption scheme): identifies the encryption scheme. (optional)
Expiration Time: the time at which the key becomes invalid. (optional)
In Use (use designation): whether the key is currently available. (optional)
Key Identity | Key | Scheme | Expiration Time | In Use
... | ... | ... | ... | ...
... | ... | ... | ... | ...
... | ... | ... | ... | ...
Table 1
The CN Subscription Identifier Hiding System performs functions related to Subscription Permanent Identifier (SUPI) hiding and includes the following functions or functional entities:
Subscription Identifier Key Generation Function (SIKGF): responsible for generating encryption key and decryption key pairs; an Encryption Key List is provided to the Subscription Identifier Encryption Key Provisioning Function (SIEKPF), and a Decryption Key List is provided to the Subscription Identifier Decryption Function (SIDF) entity. The key identifier of an encryption key is identical to that of the corresponding decryption key. It should be noted that, in the embodiment of the present application, the encryption key may be, for example, a public key, and the corresponding decryption key may be, for example, a private key. Of course, other encryption schemes are possible, such as the encryption key and the decryption key being the same.
Subscription Identifier Encryption Key Provisioning Function (SIEKPF) entity: 1) provides the key list for SUPI encryption to the UE; 2) sets which encryption scheme and which encryption key to use; 3) queries the configuration state of the subscription identifier hiding system in the UE; 4) generates and parses the subscription identifier hiding instruction (SICI), and calls the corresponding security function when needed to provide confidentiality or integrity protection for the SICI.
Subscription Identifier Decryption Function (SIDF) entity: a decryption key corresponding to the encryption key is selected and the encrypted content is decrypted according to the encryption scheme used.
The following illustrates the basic operation processes provided by the embodiments of the present application:
A typical subscription identifier encryption key provisioning and configuration flow is shown in fig. 1, and specifically includes:
Step 1, a Subscription Identifier Key Generation Function (SIKGF) entity generates a key pair for SUPI encryption and decryption, identifies the generated key pair, i.e. identifies the encryption key and the decryption key respectively, and establishes the correspondence between the encryption key and the decryption key. The generated encryption and decryption keys may be based on an asymmetric cryptographic algorithm, in which case the public key is the encryption key and the private key is the decryption key. The generated encryption and decryption keys may also be based on a symmetric cryptographic algorithm, in which case the encryption and decryption keys are the same.
Step 2.1, the SIKGF provides the SUPI decryption key to the Subscription Identifier Decryption Function (SIDF);
Step 2.2, the SIKGF provides the SUPI encryption key to the Subscription Identifier Encryption Key Provisioning Function (SIEKPF).
Step 3, the Subscription Identifier Encryption Key Provisioning Function (SIEKPF) entity generates a request instruction for operations that the subscription identifier hiding management function (SICMF) in the UE needs to perform, such as key update, protection scheme setting, configuration state query, etc.; if the system requires confidentiality or integrity protection for the transmitted instruction, the SIEKPF calls the related security function to complete the confidentiality or integrity protection of the instruction; the SIEKPF encapsulates the generated operation request instruction in a subscription identifier hiding instruction (SICI).
Step 4, the SIEKPF entity provides the generated SICI to the Access and Mobility Management Function (AMF). The AMF is a network element defined in 5G and belongs to the CN side.
Step 5, the AMF entity puts the SICI in suitable NAS signaling as an optional parameter of that NAS signaling and sends it to the UE.
Step 6, the subscription identifier hiding management function (SICMF) entity in the UE acquires the SICI from the NAS signaling; the SICMF entity parses the received SICI and, if the SICI is confidentiality or integrity protected, calls the related security function to complete decryption or integrity verification, thereby obtaining the operation request sent by the SIEKPF entity.
Step 7, the SICMF entity performs the required operation on the subscription identifier hiding configuration file (SICCF) and/or the Subscription Identifier Encryption Key List (SIEKL) according to the content of the instruction.
Step 8, the SICMF entity generates an operation request response instruction according to the operation result; if the system requires confidentiality or integrity protection for the transmitted response instruction, the SICMF entity calls the related security function to complete the confidentiality or integrity protection of the response instruction; the SICMF entity encapsulates the generated instruction in a subscription identifier hiding instruction (SICI).
Step 9, the UE (specifically, an existing functional entity in the UE, or the SICMF entity) puts the SICI in suitable NAS signaling as an optional parameter of that NAS signaling, and sends the NAS signaling to the AMF entity.
Step 10, the AMF entity provides SICI in the NAS signaling to the SIEKPF entity.
Step 11, the SIEKPF entity analyzes the received SICI; if the SICI is protected by confidentiality or integrity, the SICMF entity calls a related security function to finish decryption or integrity verification, and further obtains an operation response sent by the UE.
It should be noted that the keys described in the embodiments of the present application are keys for SUPI.
A typical subscription identifier encryption and decryption process is shown in fig. 2, and specifically includes:
Step 21.1, the subscription identifier hiding function (SICF) entity in the UE queries the subscription identifier hiding configuration file (SICCF) and obtains the information on which SUPI protection scheme should be used;
Step 21.2, for example, the SICF entity obtains a scheme identifier and uses this identifier to look up the available keys in the SIEKL table.
If the query result requires that a certain non-null scheme be used, the UE queries the Subscription Identifier Encryption Key List (SIEKL) to obtain an available encryption key: specifically, it first finds the scheme identifier, and then finds an available encryption key in the SIEKL according to the scheme identifier. The selection rule should be that the key is applicable to the specified protection scheme and that the key is not expired and/or is in an available state. If the subscription identifier encryption key list SIEKL does not have any of the optional fields (e.g. scheme, expiration time, in use), the key at the head of the SIEKL may be selected as the SUPI encryption key.
Step 22, the subscription identifier hiding function SICF entity in the UE encrypts the SUPI with the encryption key according to the specified protection scheme, so as to obtain the concealed subscription identifier (SUCI), i.e. it generates the SUCI (Generating SUCI). The SUCI contains the identifier of the encryption key.
Step 23, the UE (specifically, an existing functional entity in the UE) sends the SUCI to the CN.
Step 24, the AMF entity in the CN provides the SUCI to the Subscription Identifier Decryption Function (SIDF) entity.
Step 25, the SIDF entity uses the key identifier in the SUCI to find the decryption key corresponding to the encryption key, at the same time obtaining the SUPI protection scheme used, and then decrypts the SUCI, i.e. de-conceals the SUCI (De-concealing SUCI), thereby obtaining the SUPI.
Step 26, the SIDF entity provides the SUPI to the AMF entity.
In the above, the request sent by the Subscription Identifier Encryption Key Provisioning Function (SIEKPF) to the subscription identifier hiding management function (SICMF) entity in the UE (i.e. the request in step 3 of the flow shown in fig. 1) may include one or a combination of the following instructions (not limited to these):
Status report request: for requesting the reporting of the content of the configuration file (SICCF) and of the key identifiers in the Subscription Identifier Encryption Key List (SIEKL).
Privacy protection scheme setup request: for requesting that the identifier of the privacy protection scheme currently to be used be written into the configuration file (SICCF).
Privacy protection key write request: for requesting the writing of a privacy preserving encryption key and related information in a Subscription Identifier Encryption Key List (SIEKL).
Privacy protection key deletion request: for requesting deletion of all or part of records in a Subscription Identifier Encryption Key List (SIEKL).
Accordingly, the response sent by the subscription identifier hiding management function (SICMF) in the UE to the Subscription Identifier Encryption Key Provisioning Function (SIEKPF) may contain one or a combination of the following instructions (not limited to these):
Status report response: for reporting the content of the configuration file (SICCF) and the key identifiers in the subscription identifier encryption key list.
Privacy protection scheme setup response: for returning the result, e.g. success or failure, of writing the identifier of the privacy protection scheme currently to be used into the configuration file.
Privacy protection key write response: for returning the result, e.g., success or failure, of writing the privacy-preserving encryption key and related information into the subscription-identifier encryption key list.
Privacy protection key deletion response: for returning the result of deleting some records in the subscription identifier encryption key list, e.g. success or failure.
When the subscription privacy hiding protection scheme in the UE is set to a non-null scheme and there is no available key, the UE may also actively send a "status report response". That is, the profile (SICCF) requires the UE to perform SUPI encryption, i.e. to use the SUCI, but the UE has no encryption key available at all, so the UE actively reports its current state to the CN in order for the CN to provide it with the required encryption key.
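The key selection rule of step 21.2, SUCI generation and de-concealment (steps 22 to 25) and the status report response of the preceding paragraph, as an added Python model that is not part of the application. The scheme identifier `SYM-HMAC-CTR`, the HMAC-SHA256 counter-mode stream behind it, the sample keys and the SUPI value are all constructed here, since the application fixes no cipher; the symmetric case of step 1 is used, so encryption and decryption keys are identical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

NULL_SCHEME = "null"         # SICCF value meaning "do not protect the SUPI"
SYM_SCHEME = "SYM-HMAC-CTR"  # constructed scheme identifier (not from the application)

@dataclass
class SIEKLEntry:
    """One row of Table 1; the last three columns are the optional ones."""
    key_id: str
    key: bytes
    scheme: Optional[str] = None
    expiration: Optional[int] = None  # epoch seconds at which the key fails
    in_use: Optional[bool] = None

@dataclass
class SUCI:
    key_id: str  # Step 22: the SUCI carries the identifier of the encryption key
    nonce: bytes
    ciphertext: bytes

@dataclass
class StatusReportResponse:
    """Status report carried in a SICI: SICCF content plus the SIEKL key identifiers."""
    siccf_scheme: str
    key_ids: List[str]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream XORed onto data; the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def select_encryption_key(siekl: List[SIEKLEntry], scheme: str, now: int) -> Optional[SIEKLEntry]:
    """Step 21.2 rule: applicable to the scheme, not expired and/or available;
    the head of the list when no entry carries any optional column."""
    if not any(e.scheme is not None or e.expiration is not None or e.in_use is not None
               for e in siekl):
        return siekl[0] if siekl else None
    for e in siekl:
        if e.scheme is not None and e.scheme != scheme:
            continue  # not applicable to this protection scheme
        if e.expiration is not None and e.expiration <= now:
            continue  # expired
        if e.in_use is False:
            continue  # marked unavailable
        return e      # assumption: an entry without a Scheme column is applicable
    return None

def ue_conceal(supi: str, siccf_scheme: str, siekl: List[SIEKLEntry], now: int,
               nonce: Optional[bytes] = None) -> Union[str, SUCI, StatusReportResponse]:
    """Steps 21.1 to 22. Null scheme: the SUPI is used as is. Non-null scheme
    with no usable key: the UE actively sends a status report response instead."""
    if siccf_scheme == NULL_SCHEME:
        return supi
    entry = select_encryption_key(siekl, siccf_scheme, now)
    if entry is None:
        return StatusReportResponse(siccf_scheme, [e.key_id for e in siekl])
    nonce = nonce if nonce is not None else os.urandom(12)
    return SUCI(entry.key_id, nonce, _keystream_xor(entry.key, nonce, supi.encode()))

def sidf_deconceal(suci: SUCI, decryption_keys: Dict[str, SIEKLEntry]) -> str:
    """Step 25: the key identifier in the SUCI selects the decryption key and,
    through that entry, the protection scheme that was used."""
    entry = decryption_keys.get(suci.key_id)
    if entry is None:
        raise KeyError(f"no decryption key for key identifier {suci.key_id!r}")
    if entry.scheme != SYM_SCHEME:
        raise ValueError(f"unsupported scheme {entry.scheme!r}")
    return _keystream_xor(entry.key, suci.nonce, suci.ciphertext).decode()

# Constructed sample data: SIKGF output in the symmetric case (one key per id);
# the UE's first key has expired and its second is marked not in use.
K1, K2, K3 = bytes(range(32)), bytes(range(1, 33)), bytes(range(2, 34))
SIDF_KEYS = {f"kid-{i}": SIEKLEntry(f"kid-{i}", k, SYM_SCHEME) for i, k in enumerate((K1, K2, K3), 1)}
UE_SIEKL = [
    SIEKLEntry("kid-1", K1, SYM_SCHEME, expiration=1_600_000_000, in_use=True),
    SIEKLEntry("kid-2", K2, SYM_SCHEME, expiration=1_900_000_000, in_use=False),
    SIEKLEntry("kid-3", K3, SYM_SCHEME, expiration=1_900_000_000, in_use=True),
]
NOW = 1_700_000_000
SAMPLE_SUPI = "imsi-460001234567890"  # constructed value

def demo() -> dict:
    """Runs the null-scheme, normal and no-key cases and returns the results."""
    suci = ue_conceal(SAMPLE_SUPI, SYM_SCHEME, UE_SIEKL, NOW, nonce=b"\x00" * 12)  # fixed nonce for reproducibility
    return {
        "null_scheme": ue_conceal(SAMPLE_SUPI, NULL_SCHEME, UE_SIEKL, NOW),
        "chosen_key_id": suci.key_id,
        "recovered": sidf_deconceal(suci, SIDF_KEYS),
        "no_key": ue_conceal(SAMPLE_SUPI, SYM_SCHEME, [], NOW),
    }
```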
The actual deployment of the system is mainly related to the deployment of the Subscription Identifier Encryption Key Provisioning Function (SIEKPF).
For example: a scenario in which the Subscription Identifier Encryption Key Provisioning Function (SIEKPF) is physically located with an Authentication Server Function (AUSF) in the 5G security architecture (in one Server, or without standardizing the interface). In this scenario, the interaction between the UE and the CN related to the subscription identifier hiding configuration may be performed in the UE authentication procedure. An implementation manner in this scenario is shown in fig. 3, and specifically includes:
Step 31, the UE sends a registration request to the network side, and the request is routed to the access and mobility management function AMF entity.
Step 32, the access and mobility management function AMF entity sends an authentication vector or authentication request to the authentication server function AUSF entity.
Step 33, the SIEKPF entity, together with the authentication server function AUSF entity, provides the SICI to the AMF in an authentication vector response or other message. The parameter may be conveyed through a variety of NAS signaling.
Step 34, the UE and the CN complete the bidirectional authentication and establish the NAS secure connection.
Step 35, the AMF sends a registration accept message to the UE, and the registration accept message carries the SICI parameter.
Step 36, the UE sends an authentication complete message to the CN, and the authentication complete message carries the SICI parameter. In the embodiment of the application, both the UE and the AMF transmit the SICI parameter through NAS signaling.
Step 37, the AMF provides the SICI to the SIEKPF entity.
For another example, for a scenario in which a Subscription Identifier Encryption Key Provisioning Function (SIEKPF) entity is separately connected to the AMF, the interaction between the UE and the CN related to the subscription identifier hiding configuration in this scenario may be completed through NAS signaling after the NAS secure connection is established. One implementation of this scenario is shown in fig. 4. This embodiment also assumes that the UE does not have a valid SUPI encryption key. Then, the specific processing flow includes:
Step 41, the UE sends a registration request to the network, which is routed to the AMF. Since it is assumed that the UE does not have a key for encrypting the SUPI, the UE carries in the registration request a SICI indicating the subscription identifier hiding configuration state. That is, the operator requires encryption of the SUPI but the UE has no key, and the UE informs the CN of this in this way.
Step 42, the UE and the CN complete the bidirectional authentication and establish the NAS secure connection.
Step 43, the AMF entity provides the received SICI to the SIEKPF entity.
Step 44, the SIEKPF entity encapsulates the SUPI encryption key in a SICI and provides the SICI to the AMF entity.
Step 45, the AMF entity sends NAS signaling carrying the SICI parameter to the UE.
Step 46, the UE writes the SUPI encryption key carried in the SICI into the Subscription Identifier Encryption Key List (SIEKL), encapsulates the information that the write succeeded in a SICI, and then sends NAS signaling carrying the SICI parameter to the AMF entity.
Step 47, the AMF entity provides the SICI to the SIEKPF entity.
In summary, referring to fig. 5, on the UE side, a signaling operation method provided in the embodiment of the present application includes:
S501, receiving key-related signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
S502, performing the corresponding operation according to the signaling.
In the embodiment of the application, the UE side receives the key-related signaling, the key being a key corresponding to the Subscription Permanent Identifier (SUPI) of a subscriber, and performs the corresponding operation according to the signaling, thereby realizing the encryption protection scheme for the SUPI and improving the security of SUPI usage.
Optionally, the signaling is non-access stratum NAS signaling.
Optionally, the signaling carries a subscription identifier hiding instruction SICI.
Optionally, performing the corresponding operation according to the signaling specifically includes:
parsing the SICI to obtain a request instruction for an operation to be executed;
and performing the corresponding operation according to the request instruction.
For example, the SICMF entity may parse the SICI to obtain the request instruction for the operation to be performed, and perform the corresponding operation according to the request instruction.
Of course, the execution subject performing the corresponding operation according to the signaling may also be another functional entity in the UE.
Optionally, performing the corresponding operation according to the request instruction specifically includes:
operating on the subscription identifier hiding configuration file and/or the subscription identifier encryption key list according to the request instruction.
Optionally, performing the corresponding operation according to the signaling further includes:
generating a response instruction according to the result of the operation, and encapsulating the response instruction in the SICI.
For example, the SICMF entity operates on the subscription identifier hiding profile SICCF and/or the subscription identifier encryption key list SIEKL according to the request instruction.
Optionally, the SICI is a security protected SICI.
Optionally, the subscription identifier hiding profile is for storing a SUPI protection scheme; the subscription identifier encryption key list is used to store encryption keys applied in the SUPI protection scheme.
Optionally, performing the corresponding operation according to the signaling specifically includes:
determining the SUPI protection scheme currently to be adopted and the key, applied in that scheme, for encrypting the SUPI;
encrypting the SUPI with that key according to the SUPI protection scheme currently to be adopted.
For example, the subscription identifier hiding function SICF entity performs encryption protection on SUPI according to the SUPI protection scheme provided by SICCF by using a key given by SIEKL.
Correspondingly, on a network side, for example, a core network side, see fig. 6, a signaling operation indication method provided in an embodiment of the present application includes:
S601, generating key-related signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
S602, sending the signaling.
Optionally, the signaling is non-access stratum NAS signaling.
Optionally, the signaling carries a subscription identifier hiding instruction SICI.
Optionally, generating the key-related signaling specifically includes:
generating a request instruction for an operation that the User Equipment (UE) is required to execute;
and encapsulating the request instruction in the SICI.
For example:
the subscription identifier encryption key provisioning function SIEKPF entity generates a request instruction for operations to be executed by the subscription identifier hiding management function SICMF entity in the user equipment UE;
the SIEKPF entity encapsulates the request instruction in the SICI.
Optionally, the SICI is a security protected SICI.
Optionally, before generating the request instruction, the method further includes:
generating a key pair for SUPI encryption and decryption and identifying the key pair;
providing the SUPI decryption key to a Subscription Identifier Decryption Function (SIDF) entity and providing the SUPI encryption key to the SIEKPF entity.
For example: a Subscription Identifier Key Generation Function (SIKGF) entity generates a key pair for SUPI encryption and decryption and identifies the key pair;
the SIKGF entity provides the SUPI decryption key to a Subscription Identifier Decryption Function (SIDF) entity and provides the SUPI encryption key to the SIEKPF entity.
Optionally, the operations that the UE needs to perform include: operating on a subscription identifier hiding profile and/or a subscription identifier encryption key list.
Optionally, the subscription identifier hiding profile is for storing a SUPI protection scheme; the subscription identifier encryption key list is used to store encryption keys applied in the SUPI protection scheme.
Corresponding to the above signaling operation method, referring to fig. 7, on the terminal side, a signaling operation apparatus provided in an embodiment of the present application includes:
a memory 620 for storing program instructions;
a processor 600, configured to call the program instructions stored in the memory, and execute, according to the obtained program:
receiving key-related signaling through transceiver 610; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
and carrying out corresponding operation according to the signaling.
Optionally, the signaling is non-access stratum NAS signaling.
Optionally, the signaling carries a subscription identifier hiding instruction SICI.
Optionally, the processor performs corresponding operations according to the signaling, specifically including:
analyzing the SICI to obtain a request instruction of an operation to be executed;
and performing corresponding operation according to the request instruction.
Optionally, the processor performs corresponding operations according to the request instruction, specifically including:
and operating on the subscription identifier hiding profile and/or the subscription identifier encryption key list according to the request instruction.
Optionally, the processor performs corresponding operations according to the signaling, and further includes:
and generating a response instruction according to the operation result of the operation, and packaging the response instruction in the SICI.
Optionally, the SICI is a security protected SICI.
Optionally, the subscription identifier hiding profile is for storing a SUPI protection scheme; the subscription identifier encryption key list is used to store encryption keys applied in the SUPI protection scheme.
Optionally, the processor performs corresponding operations according to the signaling, specifically including:
determining the SUPI protection scheme currently to be adopted and the SUPI encryption key applied in that scheme;
and performing encryption protection on the SUPI according to the currently adopted SUPI protection scheme, using the SUPI encryption key applied in that scheme.
A transceiver 610 for receiving and transmitting data under the control of the processor 600.
Where in fig. 7 the bus architecture may include any number of interconnected buses and bridges, with various circuits being linked together, particularly one or more processors represented by processor 600 and memory represented by memory 620. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 610 may be a number of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium. For different user devices, the user interface 630 may also be an interface capable of interfacing with a desired device externally, including but not limited to a keypad, display, speaker, microphone, joystick, etc.
The processor 600 is responsible for managing the bus architecture and general processing, and the memory 620 may store data used by the processor 600 in performing operations.
Alternatively, the processor 600 may be a CPU (central processing unit), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or a CPLD (Complex Programmable Logic Device).
Referring to fig. 8, on the network side, corresponding to the signaling operation indication method, the signaling operation indication apparatus provided in the embodiment of the present application includes:
a memory 520 for storing program instructions;
a processor 500 for calling the program instructions stored in the memory, and executing, according to the obtained program:
generating key-related signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
and sending the signaling through the transceiver 510.
Optionally, the signaling is non-access stratum NAS signaling.
Optionally, the signaling carries a subscription identifier hiding instruction SICI.
Optionally, the processor generating key-related signaling specifically includes:
generating a request instruction for an operation to be executed by the user equipment (UE);
and encapsulating the request instruction in a SICI.
Optionally, the SICI is a security protected SICI.
Optionally, before generating the request instruction, the processor is further configured to:
generating a key pair for SUPI encryption and decryption and assigning an identifier to the key pair;
providing the SUPI decryption key to a subscription identifier decryption function (SIDF) entity and providing the SUPI encryption key to the SIEKPF entity.
Optionally, the operations that the UE needs to perform include operating on a subscription identifier hiding profile and/or a subscription identifier encryption key list.
Optionally, the subscription identifier hiding profile is for storing a SUPI protection scheme; the subscription identifier encryption key list is used to store encryption keys applied in the SUPI protection scheme.
A transceiver 510 for receiving and transmitting data under the control of the processor 500.
Where in fig. 8, the bus architecture may include any number of interconnected buses and bridges, with various circuits being linked together, particularly one or more processors represented by processor 500 and memory represented by memory 520. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 510 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 500 is responsible for managing the bus architecture and general processing, and the memory 520 may store data used by the processor 500 in performing operations.
The processor 500 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or a Complex Programmable Logic Device (CPLD).
On the UE side, referring to fig. 9, another signaling operation apparatus provided in an embodiment of the present application includes:
a receiving unit 91, configured to receive key-related signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
and an operation unit 92, configured to perform corresponding operations according to the signaling.
On the CN side, referring to fig. 10, another signaling operation indication apparatus provided in the embodiment of the present application includes:
a generating unit 101, configured to generate a key-related signaling; the key is a key corresponding to a permanent identifier (SUPI) of a subscriber;
a sending unit 102, configured to send the signaling.
The signaling operation method provided in the foregoing embodiment of the present application may be applied to a terminal device, which may also be referred to as user equipment (UE), a mobile station (MS), a mobile terminal, and the like. Optionally, the terminal may have the capability of communicating with one or more core networks through a radio access network (RAN); for example, the terminal may be a mobile phone (or "cellular" phone) or a computer with mobile capability, such as a portable, pocket-sized, hand-held, computer-embedded, or vehicle-mounted mobile device.
Another embodiment of the present application provides a computer storage medium having stored thereon computer-executable instructions for causing a computer to perform any one of the methods described above.
The computer storage media may be any available media or data storage device that can be accessed by a computer, including, but not limited to, magnetic memory (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical memory (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor memory (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs)), etc.
To sum up, the technical solution provided in the embodiment of the present application includes the following entities: a subscription identifier key generation function (SIKGF), a subscription identifier encryption key provisioning function (SIEKPF), a subscription identifier hiding management function (SICMF), a subscription identifier hiding function (SICF), a subscription identifier hiding profile (SICCF), and a subscription identifier encryption key list (SIEKL).
The technical solution provided in the embodiment of the application also defines a NAS parameter named Subscription Identifier Hiding Instruction (SICI), which is used to carry the instructions or messages related to the configuration of the subscription identifier hiding function that are passed between the UE and the CN.
The SIEKPF on the CN side is responsible for: sending the keys used in the subscription identifier hiding scheme to the UE; deleting keys that are no longer used; setting which subscription identifier hiding scheme is used; querying the subscription identifier hiding configuration information held in the UE; encapsulating the transmitted instructions in a SICI; and, when confidentiality or integrity protection needs to be provided for the content of the SICI, calling the corresponding security function to complete the security protection of the SICI.
The SICCF on the UE side stores which subscription identifier protection scheme is adopted; the SIEKL on the UE side stores the encryption keys applied in the subscription identifier protection scheme.
The SICMF on the UE side is responsible for: receiving and processing the operation instruction sent by the CN and encapsulated in the SICI, and updating the SICCF and the SIEKL as that instruction directs. The SICMF is also responsible for encapsulating the information sent to the CN in a SICI and, if confidentiality or integrity protection needs to be provided for the content of the SICI, for calling the corresponding security function to complete the security protection of the SICI.
The SICF on the UE side is responsible for cryptographically protecting the subscription identifier (SUPI) according to the indication (the subscription identifier protection scheme) given by the SICCF, using the key given by the SIEKL.
The SIKGF on the CN side is responsible for generating a key pair for subscription identifier encryption and decryption, assigning an identifier to the generated key pair, and then providing the encryption key to the SIEKPF.
At present, public-key encryption of the SUPI is explicitly adopted in the 3GPP SA3 5G security TS to protect user privacy, and the embodiments of the present application provide specific solutions for how keys and key-related information are provided to UEs and how these keys are managed.
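The key-pair generation by the SIKGF, the SICF's scheme and key selection, and the SIDF's decryption, carried through end to end as one added example (illustration code, not the patent's implementation). The X25519 + SHA-256 + AES-256-GCM construction and its scheme identifier, the function names SIKGFGenerate, SICFConceal and SIDFDeconceal, the key identifier and the SUPI value are assumptions of this example; the 3GPP ECIES profiles use a different curve set and KDF and are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SchemeX25519 is the constructed SICCF identifier for this simplified ECIES-style scheme.
const SchemeX25519 = "x25519-aesgcm"

// KeyPair is what the SIKGF generates and labels with an identifier.
type KeyPair struct {
	ID   string
	Priv *ecdh.PrivateKey // SUPI decryption key, provided to the SIDF
	Pub  []byte           // SUPI encryption key, provided to the SIEKPF for the UE's SIEKL
}

func SIKGFGenerate(id string) (KeyPair, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return KeyPair{}, err
	}
	return KeyPair{ID: id, Priv: priv, Pub: priv.PublicKey().Bytes()}, nil
}

// Concealed is the protected SUPI sent over the air; KeyID selects the SIDF's key and is bound as AAD.
type Concealed struct {
	Scheme, KeyID                string
	Ephemeral, Nonce, Ciphertext []byte
}

// deriveAEAD runs ECDH against peer and derives an AES-256-GCM key bound to both public keys
// (simplified KDF, not the 3GPP ECIES profile KDF).
func deriveAEAD(priv *ecdh.PrivateKey, peer, eph, home []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(bytes.Join([][]byte{shared, eph, home}, nil))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always valid and selects AES-256
	return cipher.NewGCM(block)
}

// SICFConceal is the SICF step: take the scheme and key id the SICCF points at, fetch the key from the SIEKL, protect the SUPI.
func SICFConceal(scheme, keyID string, siekl map[string][]byte, supi string) (Concealed, error) {
	c := Concealed{Scheme: scheme, KeyID: keyID}
	if scheme != SchemeX25519 {
		return c, fmt.Errorf("SICCF selects unsupported scheme %q", scheme)
	}
	home, ok := siekl[keyID]
	if !ok {
		return c, errors.New("SIEKL has no key " + keyID)
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh per concealment: unlinkable outputs
	if err != nil {
		return c, err
	}
	c.Ephemeral = eph.PublicKey().Bytes()
	g, err := deriveAEAD(eph, home, c.Ephemeral, home)
	if err != nil {
		return c, err
	}
	c.Nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(c.Nonce); err != nil {
		return c, err
	}
	c.Ciphertext = g.Seal(nil, c.Nonce, []byte(supi), []byte(keyID))
	return c, nil
}

// SIDFDeconceal is the SIDF step, using the decryption key the SIKGF provided to it.
func SIDFDeconceal(kp KeyPair, c Concealed) (string, error) {
	if c.Scheme != SchemeX25519 || c.KeyID != kp.ID {
		return "", errors.New("no matching scheme or decryption key for " + c.KeyID)
	}
	g, err := deriveAEAD(kp.Priv, c.Ephemeral, c.Ephemeral, kp.Pub)
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, c.Nonce, c.Ciphertext, []byte(c.KeyID)) // fails on wrong key or tampering
	return string(pt), err
}

func main() {
	kp, _ := SIKGFGenerate("hn-key-1")
	siekl := map[string][]byte{kp.ID: kp.Pub} // as provisioned into the UE by the SIEKPF
	c, _ := SICFConceal(SchemeX25519, kp.ID, siekl, "imsi-001010123456789") // constructed SUPI
	fmt.Println(SIDFDeconceal(kp, c))
}
```

The key identifier travels with the concealed SUPI so the SIDF can pick the matching decryption key, and it is also bound into the AEAD as associated data, so deconcealment under a different key or of a modified ciphertext fails at Open instead of yielding garbage; the fresh ephemeral key per concealment keeps two concealments of the same SUPI unlinkable.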
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.