CN110121196A - A kind of security identifier management method and device - Google Patents


Info

Publication number: CN110121196A
Authority: CN (China)
Prior art keywords: nas, security identifier, terminal, 3gpp
Legal status: Granted (currently active)
Application number: CN201810114251.0A
Other languages: Chinese (zh)
Other versions: CN110121196B (en)
Inventors: 毕晓宇, 侯云静
Current assignee: Datang Mobile Communications Equipment Co Ltd
Original assignee: Telecommunications Science and Technology Research Institute Co Ltd
Application filed by Telecommunications Science and Technology Research Institute Co Ltd
Priority to CN201810114251.0A
Publication of CN110121196A
Application granted
Publication of CN110121196B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This application discloses a security identifier management method and device. A network function entity assigns a Non-Access Stratum (NAS) security identifier to a terminal; the NAS security identifier identifies a NAS security context, and the NAS security context is used to protect the security of an established NAS connection. The network function entity sends the NAS security identifier to the terminal. The NAS security identifier comprises a 3GPP NAS security identifier, which identifies the NAS security context corresponding to the NAS connection that the terminal establishes over 3GPP access, and a non-3GPP NAS security identifier, which identifies the NAS security context corresponding to the NAS connection that the terminal establishes over non-3GPP access.

Description

Security identifier management method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a security identifier management method and device.
Background art
A 5G system is a service-oriented emerging system with a wider range of application scenarios than a long term evolution (LTE) system. For example, a 5G system supports ultra-reliable, low-latency communication for applications including industrial automation (remote) control systems, and can also support large numbers of efficient, high-cost, high-density Internet of Things devices. A 5G system includes a 5G access network (5G-AN) and a 5G core network (5GC).
In order to implement the security policy of a 5G system, security identifier management needs to be carried out in the 5G system.
At present, there is no security identifier management solution for 5G systems.
Summary of the invention
Embodiments of the present application provide a security identifier management method and device.
In a first aspect, a security identifier management method is provided, comprising:
a network function entity assigning a Non-Access Stratum (NAS) security identifier to a terminal, the NAS security identifier identifying a NAS security context, and the NAS security context being used to protect the security of an established NAS connection; and
the network function entity sending the NAS security identifier to the terminal.
Optionally, the NAS security context identified by the 3GPP NAS security identifier comprises a NAS key derived from a shared key, a NAS COUNT value and a NAS connection identifier;
and the NAS security context identified by the non-3GPP NAS security identifier comprises a NAS key derived from a shared key, a NAS COUNT value and a NAS connection identifier.
Optionally, the NAS security identifier comprises:
a 3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over 3GPP access; and a non-3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over non-3GPP access.
Optionally, the NAS key included in the NAS security context identified by the 3GPP NAS security identifier is derived from a first shared key, and the NAS key included in the NAS security context identified by the non-3GPP NAS security identifier is derived from a second shared key, the second shared key being derived from the first shared key;
and the 3GPP NAS security identifier and the non-3GPP NAS security identifier have different values.
Optionally, the NAS key included in the NAS security context identified by the 3GPP NAS security identifier is derived from the first shared key, and the NAS key included in the NAS security context identified by the non-3GPP NAS security identifier is also derived from the first shared key;
and the 3GPP NAS security identifier and the non-3GPP NAS security identifier have the same value.
Optionally, the network function entity sending the NAS security identifier to the terminal comprises:
the network function entity sending a NAS message to the terminal, the NAS message carrying the NAS security identifier.
Optionally, the NAS security identifier comprises: a 3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over 3GPP access; and a non-3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over non-3GPP access;
and the network function entity sending a NAS message to the terminal, the NAS message carrying the NAS security identifier, comprises:
after the network function entity authenticates the 3GPP access initiated by the terminal, sending a first NAS Security Mode Command to the terminal, the first NAS Security Mode Command carrying the 3GPP NAS security identifier; and
after the terminal initiates non-3GPP access, the network function entity sending a second NAS Security Mode Command to the terminal, the second NAS Security Mode Command carrying the non-3GPP NAS security identifier.
Optionally, the NAS security identifier comprises: a 3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over 3GPP access; and a non-3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over non-3GPP access;
and the network function entity sending a NAS message to the terminal, the NAS message carrying the NAS security identifier, comprises:
after the network function entity authenticates the non-3GPP access initiated by the terminal, sending a first NAS Security Mode Command to the terminal, the first NAS Security Mode Command carrying the non-3GPP NAS security identifier; and
after the terminal initiates 3GPP access, the network function entity sending a second NAS Security Mode Command to the terminal, the second NAS Security Mode Command carrying the 3GPP NAS security identifier.
Optionally, sending the NAS security identifier to the terminal comprises:
the network function entity sending an authentication request message to the terminal, the authentication request message carrying the NAS security identifier.
Optionally, the NAS security identifier comprises:
an identifier value information field, for carrying the value of the NAS security identifier; and
a security context type information field, for carrying indication information of the security context type.
Optionally, the network function entity is an AMF.
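The first aspect above combines three pieces: one NAS security identifier per access type, each identifying a context of NAS key, NAS COUNT and NAS connection identifier; two key-derivation alternatives (a second shared key derived from the first, with distinct identifier values, or both NAS keys from the first shared key, with the same identifier value); and delivery in a first and second NAS Security Mode Command after the respective access is authenticated. The Python model below is an added example and is not code from the patent or from any 3GPP implementation. Everything in it beyond the page's wording is an assumption: the HMAC-SHA256 stand-in for the 3GPP KDF and its labels, the type values 0 and 1, the two-byte encoding of the identifier value and type fields, and the `Amf`/`Terminal` classes and message dictionaries.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict

# Constructed values for the security context type field (the page only says the
# identifier carries an identifier value field and a security context type field).
TYPE_3GPP = 0
TYPE_NON_3GPP = 1


def kdf(key: bytes, label: str) -> bytes:
    """Constructed key derivation (HMAC-SHA256); stands in for the 3GPP KDF,
    which the page does not specify."""
    return hmac.new(key, label.encode(), hashlib.sha256).digest()


def derive_nas_key(first_shared_key: bytes, ctx_type: int, separate_keys: bool) -> bytes:
    """NAS key for one access type, computed identically on both sides.
    separate_keys=True: non-3GPP NAS key from a second shared key derived from the
    first (page's first alternative). False: both NAS keys from the first shared key
    (second alternative). The labels are assumptions."""
    if ctx_type == TYPE_NON_3GPP and separate_keys:
        second_shared_key = kdf(first_shared_key, "second shared key")
        return kdf(second_shared_key, "NAS key")
    return kdf(first_shared_key, f"NAS key access type {ctx_type}")


@dataclass
class NasSecurityContext:
    nas_key: bytes
    nas_count: int           # NAS COUNT value
    nas_connection_id: int   # NAS connection identifier


@dataclass(frozen=True)
class NasSecurityIdentifier:
    value: int      # identifier value information field
    ctx_type: int   # security context type information field

    def encode(self) -> bytes:
        """Constructed 2-byte wire form: identifier value, then context type."""
        return bytes([self.value & 0xFF, self.ctx_type & 0xFF])

    @classmethod
    def decode(cls, raw: bytes) -> "NasSecurityIdentifier":
        # Reject malformed identifiers instead of silently creating a bogus context.
        if len(raw) != 2 or raw[1] not in (TYPE_3GPP, TYPE_NON_3GPP):
            raise ValueError("malformed NAS security identifier")
        return cls(raw[0], raw[1])


class Amf:
    """Network function entity that assigns identifiers and keeps their contexts."""

    def __init__(self, first_shared_key: bytes, separate_keys: bool):
        self.k1 = first_shared_key
        self.separate_keys = separate_keys
        self.contexts: Dict[NasSecurityIdentifier, NasSecurityContext] = {}
        self._next_value = 1
        self._next_conn = 1

    def assign(self, ctx_type: int) -> NasSecurityIdentifier:
        """Called once the access of the given type has been authenticated."""
        other = [i for i in self.contexts if i.ctx_type != ctx_type]
        if other and not self.separate_keys:
            value = other[0].value       # same value; the type field tells them apart
        else:
            value = self._next_value     # distinct values
            self._next_value += 1
        ident = NasSecurityIdentifier(value, ctx_type)
        key = derive_nas_key(self.k1, ctx_type, self.separate_keys)
        self.contexts[ident] = NasSecurityContext(key, 0, self._next_conn)
        self._next_conn += 1
        return ident

    def security_mode_command(self, ident: NasSecurityIdentifier) -> dict:
        """Constructed NAS Security Mode Command carrying the identifier."""
        return {"message": "NAS Security Mode Command",
                "nas_security_identifier": ident.encode()}


class Terminal:
    """Terminal side: rebuilds the same context and stores it under the identifier."""

    def __init__(self, first_shared_key: bytes, separate_keys: bool):
        self.k1 = first_shared_key
        self.separate_keys = separate_keys
        self.contexts: Dict[NasSecurityIdentifier, NasSecurityContext] = {}

    def receive_smc(self, smc: dict) -> NasSecurityIdentifier:
        ident = NasSecurityIdentifier.decode(smc["nas_security_identifier"])
        key = derive_nas_key(self.k1, ident.ctx_type, self.separate_keys)
        self.contexts[ident] = NasSecurityContext(key, 0, len(self.contexts) + 1)
        return ident


def run_scenario(separate_keys: bool):
    """3GPP access authenticated first, then non-3GPP access: first and second NAS
    Security Mode Commands. Returns (amf, terminal, ident_3gpp, ident_non3gpp)."""
    k1 = b"constructed first shared key K1"   # sample value, not a real key
    amf, ue = Amf(k1, separate_keys), Terminal(k1, separate_keys)
    id_3gpp = amf.assign(TYPE_3GPP)
    ue.receive_smc(amf.security_mode_command(id_3gpp))
    id_non3gpp = amf.assign(TYPE_NON_3GPP)
    ue.receive_smc(amf.security_mode_command(id_non3gpp))
    return amf, ue, id_3gpp, id_non3gpp
```

Running `run_scenario(True)` gives two identifiers with different values and different NAS keys; `run_scenario(False)` gives the same value for both, so only the security context type field distinguishes the two contexts. In both cases the terminal ends up with the same NAS key per identifier as the AMF, which is the property the identifier exists to guarantee when both access types are active at once.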
In a second aspect, a network function entity is provided, comprising:
an assignment module, for assigning a Non-Access Stratum (NAS) security identifier to a terminal, the NAS security identifier identifying a NAS security context, and the NAS security context being used to protect the security of an established NAS connection; and
a sending module, for sending the NAS security identifier to the terminal.
In a third aspect, a network function entity is provided, comprising a processor, a memory and a transceiver, the processor, the memory and the transceiver being connected by a bus; the processor is configured to read the program in the memory and execute:
assigning a Non-Access Stratum (NAS) security identifier to a terminal, the NAS security identifier identifying a NAS security context, and the NAS security context being used to protect the security of an established NAS connection; and
sending the NAS security identifier to the terminal through the transceiver.
Optionally, the NAS security context identified by the 3GPP NAS security identifier comprises a NAS key derived from a shared key, a NAS COUNT value and a NAS connection identifier;
and the NAS security context identified by the non-3GPP NAS security identifier comprises a NAS key derived from a shared key, a NAS COUNT value and a NAS connection identifier.
Optionally, the NAS security identifier comprises:
a 3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over 3GPP access; and a non-3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over non-3GPP access.
Optionally, the NAS key included in the NAS security context identified by the 3GPP NAS security identifier is derived from a first shared key, and the NAS key included in the NAS security context identified by the non-3GPP NAS security identifier is derived from a second shared key, the second shared key being derived from the first shared key;
and the 3GPP NAS security identifier and the non-3GPP NAS security identifier have different values.
Optionally, the NAS key included in the NAS security context identified by the 3GPP NAS security identifier is derived from the first shared key, and the NAS key included in the NAS security context identified by the non-3GPP NAS security identifier is also derived from the first shared key;
and the 3GPP NAS security identifier and the non-3GPP NAS security identifier have the same value.
Optionally, the processor is specifically configured to:
send a NAS message to the terminal through the transceiver, the NAS message carrying the NAS security identifier.
Optionally, the NAS security identifier comprises: a 3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over 3GPP access; and a non-3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over non-3GPP access;
and the processor is specifically configured to:
after authenticating the 3GPP access initiated by the terminal, send a first NAS Security Mode Command to the terminal through the transceiver, the first NAS Security Mode Command carrying the 3GPP NAS security identifier; and
after the terminal initiates non-3GPP access, send a second NAS Security Mode Command to the terminal through the transceiver, the second NAS Security Mode Command carrying the non-3GPP NAS security identifier.
Optionally, the NAS security identifier comprises: a 3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over 3GPP access; and a non-3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over non-3GPP access;
and the processor is specifically configured to:
after authenticating the non-3GPP access initiated by the terminal, send a first NAS Security Mode Command to the terminal through the transceiver, the first NAS Security Mode Command carrying the non-3GPP NAS security identifier; and
after the terminal initiates 3GPP access, send a second NAS Security Mode Command to the terminal through the transceiver, the second NAS Security Mode Command carrying the 3GPP NAS security identifier.
Optionally, the processor is specifically configured to:
send an authentication request message to the terminal through the transceiver, the authentication request message carrying the NAS security identifier.
Optionally, the NAS security identifier comprises:
an identifier value information field, for carrying the value of the NAS security identifier; and
a security context type information field, for carrying indication information of the security context type.
Optionally, the network function entity is an AMF.
In a fourth aspect, a computer-readable storage medium is provided, the computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to cause a computer to perform the method of any one of the above first aspect.
In a fifth aspect, a computer product is provided which, when run by a computer, causes the computer to perform the functions performed by the authentication server in any possible design of the method of any one of the above first aspect.
In a sixth aspect, a security identifier management method is also provided, comprising:
a network function entity assigning a security identifier to a terminal, the security identifier identifying the key shared between the terminal and the network side and the Non-Access Stratum (NAS) security context derived from that key; and
the network function entity sending the security identifier to the terminal.
The network-side entities may belong to different PLMNs, in which case the terminal stores a first security identifier and a second security identifier at the same time. The first security identifier identifies the key shared over 3GPP access and the NAS security context derived from that key; the second security identifier identifies the key shared over non-3GPP access and the NAS security context derived from that key.
Optionally, the network function entity is an AUSF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over 3GPP access;
the network function entity assigning a security identifier to the terminal comprises:
the AUSF obtaining the ciphering key of the terminal and generating the security identifier for the terminal; and
the network function entity sending the security identifier to the terminal comprises:
the AUSF sending an authentication initiation response message to the SEAF, the authentication initiation response message carrying the security identifier and being used to trigger the SEAF to send an authentication request message to the terminal, the authentication request message carrying the security identifier.
Optionally, the network function entity is an AMF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over 3GPP access;
the network function entity assigning a security identifier to the terminal comprises:
the AMF receiving the shared key sent by the SEAF and generating a security identifier for the shared key, the shared key being the key shared between the terminal and the AMF; and
the network function entity sending the security identifier to the terminal comprises:
the AMF sending the security identifier to the UE in a NAS message, the type of the NAS message being an attach request response, a registration response, a periodic update message response or a NAS Security Mode Command message.
Optionally, the network function entity is an AUSF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over non-3GPP access;
the network function entity sending the security identifier to the terminal comprises:
the AUSF sending an AAA message to the SEAF, the AAA message carrying the security identifier and being used to trigger the SEAF to send an authentication request message to the terminal through the N3IWF, the authentication request message carrying the security identifier.
Optionally, the network function entity is an AMF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over non-3GPP access;
the network function entity sending the security identifier to the terminal comprises:
the AMF receiving the shared key sent by the SEAF, generating a security identifier for the terminal, and sending the security identifier to the N3IWF so as to trigger the N3IWF to send an authentication success message to the terminal, the authentication request message carrying the security identifier.
Optionally, the network function entity is an N3IWF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over non-3GPP access;
the network function entity sending the security identifier to the terminal comprises:
the N3IWF receiving the shared key sent by the AUSF, generating a security identifier for the terminal, and sending the security identifier to the UE in an authentication success message.
Optionally, the security identifier is carried in a newly defined information element following the EAP-AKA' protocol.
Optionally, the method further comprises:
the target AMF to which the terminal is handed over assigning a security identifier to the terminal, and sending a handover request message to the target base station of the terminal, the handover request message carrying the currently assigned security identifier.
Optionally, the security identifier comprises:
an identifier value information field, for carrying the value of the security identifier; and
a security context type information field, for carrying indication information of the security context type.
In a seventh aspect, a network function entity is also provided, comprising:
an assignment module, for assigning a security identifier to a terminal, the security identifier identifying the NAS security identifier shared between the terminal and the network side and the Non-Access Stratum (NAS) security context derived from the NAS security identifier; and
a sending module, for sending the security identifier to the terminal.
In an eighth aspect, a network function entity is also provided, comprising a processor, a memory and a transceiver, the processor, the memory and the transceiver being connected by a bus; the processor is configured to read the program in the memory and execute:
assigning a security identifier to a terminal, the security identifier identifying the NAS security identifier shared between the terminal and the network side and the Non-Access Stratum (NAS) security context derived from the NAS security identifier; and
sending the security identifier to the terminal through the transceiver.
The security identifier is used for key identification in the 5G system.
Optionally, the network function entity is an AUSF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over 3GPP access;
the processor is specifically configured to:
obtain the ciphering key of the terminal and generate the security identifier for the terminal; and
send an authentication initiation response message to the SEAF through the transceiver, the authentication initiation response message carrying the security identifier and being used to trigger the SEAF to send an authentication request message to the terminal, the authentication request message carrying the security identifier.
Optionally, the network function entity is an AMF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over 3GPP access;
the processor is specifically configured to: receive the shared key sent by the SEAF and generate a security identifier for the shared key, the shared key being the key shared between the terminal and the AMF;
and the AMF sends the security identifier to the UE through the transceiver in a NAS message, the type of the NAS message being an attach request response, a registration response, a periodic update message response or a NAS Security Mode Command message.
Optionally, the network function entity is an AUSF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over non-3GPP access;
the AUSF sends an AAA message to the SEAF through the transceiver, the AAA message carrying the security identifier and being used to trigger the SEAF to send an authentication request message to the terminal through the N3IWF, the authentication request message carrying the security identifier.
Optionally, the network function entity is an AMF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over non-3GPP access;
the processor is specifically configured to send the security identifier to the terminal through the transceiver, comprising:
the AMF receiving the shared key sent by the SEAF, generating a security identifier for the terminal, and sending the security identifier to the N3IWF so as to trigger the N3IWF to send an authentication success message to the terminal, the authentication request message carrying the security identifier.
Optionally, the network function entity is an N3IWF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over non-3GPP access;
the N3IWF receives, through the transceiver, the shared key sent by the AUSF, generates a security identifier for the terminal, and sends the security identifier to the UE in an authentication success message.
Optionally, the security identifier is carried in a newly defined information element following the EAP-AKA' protocol.
Optionally, the processor is further configured to:
as the target AMF to which the terminal is handed over, assign a security identifier to the terminal and send a handover request message to the target base station of the terminal, the handover request message carrying the currently assigned security identifier.
Optionally, the security identifier comprises:
an identifier value information field, for carrying the value of the security identifier; and
a security context type information field, for carrying indication information of the security context type.
In a ninth aspect, a computer-readable storage medium is provided, the computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to cause a computer to perform the method of any one of the above sixth aspect.
In a tenth aspect, a computer product is provided which, when run by a computer, causes the computer to perform the functions performed by the authentication server in any possible design of the method of any one of the above sixth aspect.
In the above embodiments of the present application, a network function entity assigns a NAS security identifier to a terminal and sends the NAS security identifier to the terminal. The NAS security identifier identifies a NAS security context, and the NAS security context is used to protect the security of an established NAS connection. The NAS security identifier comprises a 3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over 3GPP access, and a non-3GPP NAS security identifier, identifying the NAS security context corresponding to the NAS connection that the terminal establishes over non-3GPP access. The network function entity can therefore assign a NAS security identifier to the terminal, thereby achieving management of security identifiers.
Brief description of the drawings
Fig. 1 is a schematic diagram of a 5G system architecture to which embodiments of the present application are applicable;
Fig. 2 is a schematic diagram of a UE accessing the 5G core network through both a 3GPP access network and a non-3GPP access network, provided by an embodiment of the present application;
Fig. 3 is a schematic diagram of the key hierarchy in a 5G system, provided by an embodiment of the present application;
Fig. 4 is a schematic diagram of a security identifier management procedure provided by an embodiment of the present application;
Fig. 5 is a schematic diagram of a security identifier management procedure provided by an embodiment of the present application;
Fig. 6 is a schematic diagram of a security identifier management procedure provided by an embodiment of the present application;
Fig. 7 is a schematic diagram of a security identifier management procedure provided by an embodiment of the present application;
Fig. 8 is a schematic diagram of one format of a NAS security identifier provided by an embodiment of the present application;
Fig. 9 is a schematic diagram of another format of a NAS security identifier provided by an embodiment of the present application;
Fig. 10 is a schematic diagram of a security identifier management procedure provided by an embodiment of the present application;
Fig. 11 is a schematic diagram of a security identifier management procedure provided by an embodiment of the present application;
Fig. 12 is a schematic diagram of a security identifier management procedure provided by an embodiment of the present application;
Fig. 13 is a schematic diagram provided by an embodiment of the present application;
Fig. 14 is a schematic diagram of a security identifier management procedure provided by an embodiment of the present application;
Fig. 15 is a schematic diagram of a security identifier management procedure provided by an embodiment of the present application;
Fig. 16 is a schematic diagram of a device provided by an embodiment of the present application;
Fig. 17 is a schematic diagram of a device provided by an embodiment of the present application;
Fig. 18 is a schematic structural diagram of a network function entity provided by an embodiment of the present application;
Fig. 19 is a schematic structural diagram of a network function entity provided by an embodiment of the present application.
Detailed description of embodiments
In the following, some terms used in the embodiments of the present application are explained to facilitate understanding by those skilled in the art.
(1) In the embodiments of the present application, the nouns "network" and "system" are often used interchangeably, but those skilled in the art can understand their meaning.
(2) In the embodiments of the present application, the nouns "network device", "network element" and "network function entity" may be used interchangeably. For example, the access and mobility management function (AMF) may be called an AMF entity or an AMF network element, or simply an AMF; for another example, the authentication server function (AUSF) may be called an AUSF entity or an AUSF network element, or simply an AUSF. The AMF and the AUSF may be collectively referred to as network devices.
(3) In the embodiments of the present application, the term "multiple" means two or more; other quantifiers are similar.
(4) "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
The embodiments of the present application are described in detail below with reference to the accompanying drawings.
The embodiments of the present application provide a security identifier management method and device, which are applicable to a 5G system or its evolved system and are also applicable to other communication systems.
Refer to Fig. 1, which is a schematic diagram of a 5G system architecture provided by an embodiment of the present application. The system architecture may include the following network elements:
authentication server function (AUSF);
access and mobility management function (AMF);
data network (DN), such as operator services, Internet access or third-party services;
network slice selection function (NSSF);
policy control function (PCF);
session management function (SMF);
unified data management (UDM);
unified data repository (UDR);
user plane function (UPF);
application function (AF);
(radio) access network ((R)AN) node;
security anchor function (SEAF).
Each of the above network elements is an independent logical functional entity, and some network elements may also be co-located; for example, the SEAF and the AMF may be co-located.
The above system architecture also includes a terminal. A terminal, also called user equipment (UE), mobile station (MS), mobile terminal (MT) and so on, is a device that provides voice and/or data connectivity to a user, for example a handheld device or vehicle-mounted device with wireless connection capability. Some current examples of terminals are: mobile phones, tablet computers, laptops, palmtop computers, mobile internet devices (MID), wearable devices, virtual reality (VR) devices, augmented reality (AR) devices, wireless terminals in industrial control, wireless terminals in self driving, wireless terminals in remote medical surgery, wireless terminals in smart grids, wireless terminals in transportation safety, wireless terminals in smart cities, wireless terminals in smart homes, and so on.
As shown in Fig. 1, N1 denotes the reference point between the UE and the AMF, N2 the reference point between the (R)AN node and the AMF, N3 the reference point between the (R)AN node and the UPF, N4 the reference point between the UPF and the SMF, N5 the reference point between the PCF and the AF, N6 the reference point between the UPF and the DN, N7 the reference point between the SMF and the PCF, N8 the reference point between the AMF and the UDM, N9 the reference point between two core UPFs, N10 the reference point between the UDM and the SMF, N11 the reference point between the AMF and the SMF, N12 the reference point between the AUSF and the AMF, N13 the reference point between the AUSF and the UDM, N14 the reference point between two AMFs, N15 the reference point between the AMF and the PCF, and N22 the reference point between the NSSF and the AMF.
The network architecture described in the embodiments of the present application is intended to illustrate the technical solutions of the embodiments more clearly and does not constitute a limitation on them; those of ordinary skill in the art will appreciate that, as the network architecture evolves, the technical solutions provided by the embodiments of the present application remain equally applicable to similar technical problems.
In the 5G system, a UE may access the 5G core network through a 3GPP access network and/or a non-3GPP access network.
Fig. 2 shows a UE accessing the 5G core network through both a 3GPP access network and a non-3GPP access network. Secure tunnels are established between the UE and the non-3GPP interworking function (N3IWF); these tunnels carry the control-plane and user-plane information exchanged between the UE and the 5G core network over the non-3GPP access.
When a UE accesses the 5G core network through a 3GPP access network and a standalone non-3GPP access network, there are multiple NAS connections between the UE and the AMF. Further, when the UE is connected over both accesses to the 5G core network of the same public land mobile network (PLMN) and the selected N3IWF and AMF are in the same PLMN, the UE is served by the same AMF. In other words, the UE has two independent NAS connections, one over the non-3GPP access and one over the 3GPP access.
To guarantee the security of transmission in the 5G system, a NAS security context may be allocated to each NAS connection and used to protect transmissions over that connection. Different NAS connections may use different NAS security contexts. A NAS security context may include the shared key generated by authentication, the NAS ciphering and integrity algorithms, the uplink and downlink NAS counter values (NAS COUNT) and other parameters that identify the NAS connection; it may also include the NAS keys derived from the shared key. NAS keys may in turn be derived from other keys. Fig. 3 shows a key hierarchy of the 5G system.
Fig. 3 is a schematic diagram of the key hierarchy in the 5G system provided by the embodiments of this application.
The key hierarchy includes the following keys:
(1) Keys shared between the UE and the authentication credential repository and processing function (ARPF)
K: the permanent key stored in the universal subscriber identity module (USIM) and in the ARPF;
CK/IK: the key pair generated by the ARPF and the USIM during authentication.
(2) Key shared between the mobile equipment (ME) and the AUSF
K_AUSF: the key derived by the UE and the AUSF from CK/IK.
(3) Key shared between the ME and the SEAF
K_SEAF: the key derived by the UE and the SEAF from K_AUSF.
(4) Key shared between the ME and the AMF
K_AMF: the key derived by the UE and the AMF from K_SEAF.
(5) NAS keys
K_NASint: the NAS key for integrity protection, derived from K_AMF by the UE and the core network element;
K_NASenc: the NAS key for the ciphering algorithm, derived from K_AMF by the UE and the core network element.
When a UE is connected simultaneously over a 3GPP access network and a standalone non-3GPP access network, the UE has multiple NAS connections, for example one NAS connection over the 5G-RAN and one over the non-3GPP access network. For the purpose of security isolation, two different sets of NAS security contexts (each of which may include NAS keys) are usually established to protect the different NAS connections. In addition, the 5G system has inter-system interaction scenarios: handover between the 5G system and the 4G system, handover between the evolved packet system (EPS) of the 4G system and the N3IWF of the 5G core network, and handover between the evolved packet data gateway (ePDG) of the 4G system and the 5G system. Multiple security contexts may therefore exist for these reasons as well.
In the embodiments of this application, a security context is uniquely identified by a security identifier. Through the security identifier, the UE and the core network element can recognise the corresponding security context, and in a subsequent connection the corresponding security context can be reused without running the authentication procedure again.
The key management method of the LTE system cannot be used in the 5G system for the following reason. As described above, when there are multiple NAS connections between the UE and the network, different NAS connections need to be protected with different security contexts. For example, the NAS connection established when the UE accesses over the 3GPP access network needs NAS keys allocated for that connection, and the NAS connection established when the UE accesses over the non-3GPP access network needs other NAS keys. The key management method of the LTE system has no multi-NAS-connection scenario and so cannot provide corresponding security identifiers for the security contexts of different NAS connections; it therefore cannot be used in the 5G system.
In the embodiments of this application, a NAS security identifier is introduced, denoted ngKSI_NAS for ease of description. ngKSI_NAS identifies a NAS security context, which may include NAS keys (K_NASint and/or K_NASenc). When there are multiple NAS connections between the UE and the network side (for example the AMF), different NAS connections use different NAS security contexts, and different NAS security contexts are assigned different values of ngKSI_NAS.
In the embodiments of this application, optionally, another security context identifier is also introduced, referred to as ngKSI for ease of description. The security context identified by ngKSI may include the shared key K_AMF (from which the NAS keys can be derived). This security identifier may be stored together with K_AMF and is sent to the UE by the network side during the authentication procedure or the handover procedure.
The security identifier management procedures provided by the embodiments of this application are described below with reference to Fig. 4 to Fig. 7.
Fig. 4 is a schematic diagram of a security identifier management procedure provided by the embodiments of this application. The procedure may include:
S401: A network functional entity allocates a NAS security identifier ngKSI_NAS to a terminal.
ngKSI_NAS identifies a NAS security context. The NAS security context protects the security of an established NAS connection.
The NAS security context may include NAS keys, and ngKSI_NAS is associated with those NAS keys. Optionally, the NAS keys are derived from the key K_AMF shared between the terminal and the AMF.
ngKSI_NAS may comprise a 3GPP NAS security identifier and a non-3GPP NAS security identifier. The 3GPP NAS security identifier identifies the NAS security context corresponding to the NAS connection the terminal establishes over the 3GPP access (that NAS security context may include the NAS key K_NASint for integrity protection and/or the NAS key K_NASenc for the ciphering algorithm, together with parameters such as the NAS integrity and ciphering algorithms and the NAS COUNT). The non-3GPP NAS security identifier identifies the NAS security context corresponding to the NAS connection the terminal establishes over the non-3GPP access (that NAS security context may include the NAS key K'_NASint for integrity protection and/or the NAS key K'_NASenc for the ciphering algorithm, together with parameters such as the NAS integrity and ciphering algorithms and the NAS COUNT).
Optionally, the NAS keys in the NAS security context identified by the 3GPP NAS security identifier (such as K_NASint and/or K_NASenc) and the NAS keys in the NAS security context identified by the non-3GPP NAS security identifier (such as K'_NASint and/or K'_NASenc) may be derived from the same shared key K_AMF, with the 3GPP NAS security identifier and the non-3GPP NAS security identifier taking different values.
Optionally, the NAS keys in the NAS context identified by the 3GPP NAS security identifier (such as K_NASint and/or K_NASenc) are derived from a first shared key K_AMF, the NAS keys in the NAS context identified by the non-3GPP NAS security identifier (such as K'_NASint and/or K'_NASenc) are derived from a second shared key K'_AMF, and the second shared key K'_AMF is derived from the first shared key K_AMF. The 3GPP NAS security identifier and the non-3GPP NAS security identifier take different values.
Optionally, the NAS keys in the NAS security context identified by the 3GPP NAS security identifier (such as K_NASint and/or K_NASenc) and the NAS keys in the NAS security context identified by the non-3GPP NAS security identifier (such as K'_NASint and/or K'_NASenc) may be derived from the same shared key K_AMF, with the 3GPP NAS security identifier and the non-3GPP NAS security identifier taking the same value.
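The following is an added example written for this page; it is not code from the patent or from any 3GPP implementation. It walks the key hierarchy of Fig. 3 (CK/IK to K_AUSF to K_SEAF to K_AMF to K_NASint and K_NASenc) and then builds the two NAS security contexts tagged by ngKSI_NAS for the 3GPP and non-3GPP NAS connections under each of the three options just described. The KDF shape (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...) mirrors the 3GPP KDF, but the FC and algorithm-type-distinguisher constants, the hypothetical FC for K'_AMF, the ABBA value, the SUPI and serving-network strings and the CK/IK bytes are all assumptions or constructed sample inputs.

```python
import hashlib
import hmac

# Added example (not code from the patent). It follows the page's Fig. 3 key
# hierarchy: CK/IK -> K_AUSF -> K_SEAF -> K_AMF -> K_NASint / K_NASenc, then
# builds the separate 3GPP and non-3GPP NAS security contexts described for
# ngKSI_NAS. The KDF shape (HMAC-SHA-256 over FC || P0 || L0 || ...) mirrors
# the 3GPP KDF; the FC and algorithm-distinguisher constants are this
# example's assumptions, not values stated on the page.
FC_KAUSF = 0x6A
FC_KSEAF = 0x6C
FC_KAMF = 0x6D
FC_ALG_KEY = 0x69
FC_KAMF_PRIME = 0x7F      # hypothetical FC for K'_AMF; the page names no value
ALG_TYPE_NAS_ENC = 0x01   # algorithm type distinguisher for NAS ciphering (assumed)
ALG_TYPE_NAS_INT = 0x02   # algorithm type distinguisher for NAS integrity (assumed)


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 KDF: S = FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_anchor_keys(ck: bytes, ik: bytes, serving_network: str,
                       supi: str, sqn_xor_ak: bytes) -> dict:
    """K_AUSF, K_SEAF and K_AMF for one successful primary authentication."""
    k_ausf = kdf(ck + ik, FC_KAUSF, serving_network.encode(), sqn_xor_ak)
    k_seaf = kdf(k_ausf, FC_KSEAF, serving_network.encode())
    k_amf = kdf(k_seaf, FC_KAMF, supi.encode(), b"\x00\x00")  # ABBA = 0x0000 (assumed)
    return {"K_AUSF": k_ausf, "K_SEAF": k_seaf, "K_AMF": k_amf}


def derive_nas_keys(k_amf: bytes, enc_alg_id: int, int_alg_id: int) -> dict:
    """NAS keys from K_AMF; 128-bit keys are the low 128 bits of the KDF output."""
    k_enc = kdf(k_amf, FC_ALG_KEY, bytes([ALG_TYPE_NAS_ENC]), bytes([enc_alg_id]))[16:]
    k_int = kdf(k_amf, FC_ALG_KEY, bytes([ALG_TYPE_NAS_INT]), bytes([int_alg_id]))[16:]
    return {"K_NASenc": k_enc, "K_NASint": k_int}


def build_nas_contexts(k_amf: bytes, option: int, enc_alg_id: int = 1,
                       int_alg_id: int = 1) -> list:
    """One NAS security context per access, tagged with its ngKSI_NAS.

    option 1: both contexts derived from the same K_AMF, different ngKSI_NAS
    option 2: non-3GPP context derived from K'_AMF = KDF(K_AMF), different ngKSI_NAS
    option 3: same K_AMF and the same ngKSI_NAS value for both contexts
    """
    if option not in (1, 2, 3):
        raise ValueError("unknown option")
    k_amf_non3gpp = kdf(k_amf, FC_KAMF_PRIME, b"non-3gpp") if option == 2 else k_amf
    ids = (0, 0) if option == 3 else (0, 1)
    contexts = []
    for access, key, ksi in (("3gpp", k_amf, ids[0]), ("non-3gpp", k_amf_non3gpp, ids[1])):
        ctx = {"access": access, "ngKSI_NAS": ksi, "enc_alg": enc_alg_id,
               "int_alg": int_alg_id, "ul_nas_count": 0, "dl_nas_count": 0}
        ctx.update(derive_nas_keys(key, enc_alg_id, int_alg_id))
        contexts.append(ctx)
    return contexts


def select_context(contexts: list, ngksi_nas: int, access: str) -> dict:
    """What the UE does on a NAS connection: pick the context the identifier names."""
    matches = [c for c in contexts if c["ngKSI_NAS"] == ngksi_nas]
    if len(matches) > 1:        # option 3: the value alone is ambiguous, use the access
        matches = [c for c in matches if c["access"] == access]
    if len(matches) != 1:
        raise LookupError(f"no unique NAS context for ngKSI_NAS={ngksi_nas}")
    return matches[0]


if __name__ == "__main__":
    # Constructed sample inputs: CK/IK would come from the USIM/ARPF run of AKA.
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    keys = derive_anchor_keys(ck, ik, "5G:mnc001.mcc001.3gppnetwork.org",
                              "imsi-001010123456789", bytes(6))
    for opt in (1, 2, 3):
        ctxs = build_nas_contexts(keys["K_AMF"], opt)
        print(opt, [(c["access"], c["ngKSI_NAS"], c["K_NASint"].hex()[:8]) for c in ctxs])
```

Running the three options side by side makes the practical difference visible: under the first and third options the two NAS connections end up with byte-identical NAS keys whenever they negotiate the same algorithms, so isolation between them rests entirely on the separate NAS COUNT values and the identifier; only the K'_AMF option gives each connection distinct key material. Under the third option the identifier value alone cannot tell the contexts apart, which is why select_context falls back on the access type.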
S402: The network functional entity sends the NAS security identifier to the terminal.
Optionally, the network functional entity sends a NAS message to the terminal, and the NAS message carries the NAS security identifier ngKSI_NAS.
Optionally, before S401, the method further includes: the network functional entity allocates a security identifier ngKSI to the terminal and sends it to the terminal. The security identifier ngKSI may identify the key K_AMF shared between the UE and the AMF.
Optionally, the network functional entity may send the security identifier ngKSI to the terminal in an authentication request message.
When the UE initially accesses the 5G core network, the NAS security identifier ngKSI_NAS may be allocated and sent according to the procedure of Fig. 4.
After the UE has initially accessed the 5G core network, if a network handover takes place, the procedure of Fig. 4 may also be used to allocate a NAS security identifier ngKSI_NAS and notify it to the UE. Specifically, the target AMF to which the UE is handed over allocates a NAS security identifier ngKSI_NAS to the UE and sends a handover request message to the UE's target base station; the handover request message carries the currently allocated NAS security identifier ngKSI_NAS, and the target base station sends it to the UE.
In the procedure of Fig. 4, the network functional entity may be a network element of the 5G core network, for example the AMF. If the UE is connected to the same 5G core network over 3GPP access and non-3GPP access simultaneously, and the selected N3IWF is in the same PLMN as the 3GPP access, the UE is served by one AMF, and that AMF can allocate the NAS keys corresponding to the different NAS connections to the terminal.
Based on the procedure of Fig. 4, in one possible implementation of S402, after the network functional entity authenticates the 3GPP access initiated by the terminal, it sends a first NAS security mode command to the terminal carrying the 3GPP NAS security identifier; after the terminal initiates non-3GPP access, the network functional entity sends a second NAS security mode command to the terminal carrying the non-3GPP NAS security identifier.
This method applies to the scenario in which the UE uses the 5G authentication and key agreement (AKA) authentication method and performs 3GPP access first, then non-3GPP access.
AKA uses a challenge-response mechanism to complete mutual authentication between the user and the network, and negotiates the ciphering keys for the communication on the basis of that authentication. Authentication and cryptography together prevent attacks and protect the resources of the mobile communication network.
As shown in Fig. 5, the procedure may include:
Step 1: The SEAF sends an authentication data request message to the AUSF. The SEAF and the AMF may be co-located.
Step 2: The AUSF sends an authentication information request (Auth-Info Req) message to the UDM/ARPF.
UDM/ARPF denotes the UDM and the ARPF co-located in one device.
Step 3: The UDM/ARPF sends an authentication information response (Auth-Info Resp) message to the AUSF carrying the UE's authentication vector.
Step 4: The AUSF sends a 5G authentication initiation answer (5G-AIA) message to the SEAF.
Step 5: The SEAF sends a user authentication request message to the UE carrying the random parameter RAND, the authentication parameter AUTN and the security context identifier ngKSI. The security context identified by ngKSI may include the shared key K_AMF.
The security identifier ngKSI may be allocated by the SEAF. It may also be allocated by the AUSF, in which case the 5G authentication initiation answer message sent by the AUSF in step 4 carries it. It may also be allocated by the AMF, in which case the AMF carries it in the message it sends to the SEAF after obtaining the shared key resulting from authentication.
Step 6: The UE sends a user authentication response message to the SEAF carrying the authentication parameter RES.
Step 7: The SEAF compares the received RES with the expected response XRES it holds and authenticates the UE according to the result.
Step 8: The SEAF sends a 5G-AC message to the AUSF to notify it of the authentication result.
Step 9: The AMF sends a 5G NAS security mode command to the UE carrying the NAS security identifier KSI_NAS corresponding to the NAS connection established over the 3GPP access. KSI_NAS identifies the NAS security context corresponding to that connection, which may include the NAS key K_NASint for integrity protection and/or the NAS key K_NASenc for the ciphering algorithm.
The NAS security identifier KSI_NAS may be allocated by the AMF.
Step 10: The UE sends a 5G NAS security mode complete message to the AMF. Optionally, this message may carry the NAS security identifier KSI_NAS.
Step 11: The UE performs network access over the non-3GPP access network, and authentication is performed between the SEAF and the AUSF in a procedure similar to steps 1 to 8 above. In this procedure the AUSF allocates a NAS security identifier KSI'_NAS to the terminal. KSI'_NAS identifies the NAS security context corresponding to the NAS connection established over the non-3GPP access, which may include the NAS key K'_NASint for integrity protection and/or the NAS key K'_NASenc for the ciphering algorithm.
Step 12: The AMF sends a 5G NAS security mode command to the UE carrying the NAS security identifier KSI'_NAS corresponding to the NAS connection established over the non-3GPP access.
The NAS security identifier KSI'_NAS may be allocated by the AMF.
Step 13: The UE sends a 5G NAS security mode complete message to the AMF. Optionally, this message may carry the NAS security identifier KSI'_NAS.
Note that the authentication in step 11, performed when the UE accesses over the non-3GPP access network, may be omitted.
Based on the procedure of Fig. 4, in one possible implementation of S402, after the network functional entity authenticates the 3GPP access initiated by the terminal, it sends a first NAS security mode command to the terminal carrying the 3GPP NAS security identifier; after the terminal initiates non-3GPP access, the network functional entity sends a second NAS security mode command to the terminal carrying the non-3GPP NAS security identifier.
This method applies to the scenario in which the UE uses the EAP-AKA' authentication method and performs 3GPP access first, then non-3GPP access.
The extensible authentication protocol (EAP) is a framework for a family of authentication methods; it is designed to meet the authentication needs of any link layer and supports multiple link-layer authentication methods.
As shown in Fig. 6, the procedure may include:
Step 1: The SEAF sends an authentication data request message to the AUSF.
The SEAF and the AMF may be co-located.
Step 2: The AUSF sends an authentication information request (Auth-Info Req) message to the UDM/ARPF.
Step 3: The UDM/ARPF sends an authentication information response (Auth-Info Resp) message to the AUSF carrying the UE's authentication vector.
UDM/ARPF denotes the UDM and the ARPF co-located in one device.
Step 4: The AUSF sends a 5G authentication initiation answer (5G-AIA) message to the SEAF carrying the EAP-Request/AKA'-Challenge message and the root security identifier ngKSI; ngKSI identifies the shared key K_AMF.
The security identifier ngKSI may be allocated by the SEAF. It may also be allocated by the AUSF, in which case the 5G authentication initiation answer message sent by the AUSF in step 4 carries it. It may also be allocated by the AMF, in which case the AMF carries it in the message it sends to the SEAF after obtaining the shared key resulting from authentication.
Step 5: The SEAF sends a user authentication request message to the UE carrying the EAP-Request/AKA'-Challenge message and the root security identifier ngKSI. The security context identified by ngKSI may include the shared key K_AMF.
Step 6: The UE sends a user authentication response message to the SEAF carrying the authentication parameter RES.
Step 7: The SEAF compares the received RES with the expected response XRES it holds and authenticates the UE according to the result.
Step 8: The SEAF sends a 5G-AC message to the AUSF, and the authentication result is notified to the AMF.
Step 9: The AMF sends a 5G NAS security mode command to the UE carrying the NAS security identifier KSI_NAS corresponding to the NAS connection established over the 3GPP access. KSI_NAS identifies the NAS security context corresponding to that connection, which may include the NAS key K_NASint for integrity protection and/or the NAS key K_NASenc for the ciphering algorithm.
The NAS security identifier KSI_NAS may be allocated by the AMF.
Step 10: The UE sends a 5G NAS security mode complete message to the AMF. Optionally, this message may carry the NAS security identifier KSI_NAS.
Step 11: The UE performs network access over the non-3GPP access network, and authentication is performed between the SEAF and the AUSF in a procedure similar to steps 1 to 8 above. In this procedure the AUSF allocates a NAS security identifier KSI'_NAS to the terminal. KSI'_NAS identifies the NAS security context corresponding to the NAS connection established over the non-3GPP access, which may include the NAS key K'_NASint for integrity protection and/or the NAS key K'_NASenc for the ciphering algorithm.
Step 12: The AMF sends a 5G NAS security mode command to the UE carrying the NAS security identifier KSI'_NAS corresponding to the NAS connection established over the non-3GPP access.
The NAS security identifier KSI'_NAS may be allocated by the AMF.
Step 13: The UE sends a 5G NAS security mode complete message to the AMF. Optionally, this message may carry the NAS security identifier KSI'_NAS.
Note that the authentication in step 11, performed when the UE accesses over the non-3GPP access network, may be omitted.
Based on the procedure of Fig. 4, in one possible implementation of S402, after the network functional entity authenticates the non-3GPP access initiated by the terminal, it sends a first NAS security mode command to the terminal carrying the non-3GPP NAS security identifier; after the terminal initiates 3GPP access, the network functional entity sends a second NAS security mode command to the terminal carrying the 3GPP NAS security identifier.
This method applies to the scenario in which the UE uses the EAP-AKA' authentication method and performs non-3GPP access first, then 3GPP access, in the order shown in Fig. 7.
As shown in Fig. 7, the procedure may include:
Step 1a to step 1b: The UE connects to an untrusted non-3GPP access network, selects an N3IWF and obtains an IP address.
Step 2 to step 8a: The UE and the network side perform the authentication procedure.
Step 8b: The AUSF sends an AAA (authentication, authorization, accounting) message to the AMF, and the AMF sends a message to the N3IWF carrying the security identifier ngKSI. The security context identified by ngKSI may include the shared key K_AMF.
The security identifier ngKSI may be allocated by the AMF.
Step 8c: The AMF sends an N2 message to the N3IWF carrying an authentication request (Auth.Request) message, the EAP-Req-AKA'/challenge message and the security identifier ngKSI.
Step 8d: The N3IWF sends an authentication response (IKE_AUTH Res) message to the UE carrying the EAP-Req message, the 5G-NAS message, the NAS-PDU, the Auth.Request message, the EAP/AKA-Challenge message and the security identifier ngKSI.
Step 8e to step 9b: The UE initiates the authentication request procedure.
In step 9a, the AMF sends an N2 message to the N3IWF carrying the N3IWF key, the SMC request message, the EAP-Success message and the security identifier ngKSI. In step 9b, the N3IWF sends an IKE_AUTH Res message to the UE carrying the EAP-Req message, the 5G-NAS message, the NAS-PDU, the SMC request message, the EAP-Success message and the security identifier ngKSI.
Step 10a to step 11: The UE and the N3IWF interact and complete authentication.
Step 12: The AMF sends a 5G NAS security mode command to the UE carrying the NAS security identifier KSI'_NAS. KSI'_NAS identifies the NAS security context corresponding to the NAS connection established over the non-3GPP access, which may include the NAS key K'_NASint for integrity protection and/or the NAS key K'_NASenc for the ciphering algorithm.
The NAS security identifier KSI'_NAS may be allocated by the AMF.
Step 13: The UE sends a 5G NAS security mode complete message to the AMF. Optionally, this message may carry the NAS security identifier KSI'_NAS.
Step 14: The UE performs network access over the 3GPP access network, and the AMF allocates a NAS security identifier KSI_NAS to the terminal. KSI_NAS identifies the NAS security context corresponding to the NAS connection established over the 3GPP access, which may include the NAS key K_NASint for integrity protection and/or the NAS key K_NASenc for the ciphering algorithm.
Step 15: The AMF sends a 5G NAS security mode command to the UE carrying the NAS security identifier KSI_NAS corresponding to the NAS connection established over the 3GPP access.
The NAS security identifier KSI_NAS may be allocated by the AMF.
Step 16: The UE sends a 5G NAS security mode complete message to the AMF. Optionally, this message may carry the NAS security identifier KSI_NAS.
Optionally, in the embodiments of this application, the security identifier ngKSI may include:
an identifier value field, carrying the value of the security identifier;
a security context type field, carrying an indication of the security context type. The indication may identify a key mapped from the 4G network or a key generated by the 5G primary authentication method.
For example, the format of the security identifier ngKSI may be as shown in Fig. 8. ngKSI is one byte long: bit 1 to bit 3 form the identifier value field, whose value is the value of ngKSI; bit 4 is the security context type field; bit 5 to bit 8 carry the information related to the information element.
Optionally, in the embodiments of this application, the NAS security identifier ngKSI_NAS may include:
an identifier value field, carrying the value of the NAS security identifier;
a security context type field, carrying an indication of the security context type. The indication may identify a key mapped from the 4G network or a key generated by the 5G primary authentication method.
For example, the format of the NAS key identifier ngKSI_NAS may be as shown in Fig. 9. ngKSI_NAS is one byte long: bit 1 to bit 3 form the identifier value field, whose value is the value of ngKSI_NAS; bit 4 is the security context type field; bit 5 to bit 8 carry the information related to the information element.
Schematic diagrams of the security identifier management procedures provided by other embodiments of this application are described below with reference to Fig. 10 to Fig. 15.
Fig. 10 is a schematic diagram of a security identifier management procedure provided by the embodiments of this application. The procedure may include:
S1001: A network functional entity allocates a security identifier ngKSI to a terminal.
The security identifier ngKSI is the key identifier used in the 5G system. ngKSI identifies the key shared between the terminal and the network side and the NAS security context derived from that key. ngKSI is associated with the shared key.
The network functional entity that allocates the security identifier ngKSI to the terminal may be the AUSF, the AMF or the N3IWF.
The format of the security identifier ngKSI may be as shown in Fig. 8.
S1002: The network functional entity sends the security identifier ngKSI to the terminal.
Based on the procedure of Fig. 10, this method applies to the scenario in which the UE uses the 5G AKA authentication method and performs 3GPP access.
In one possible implementation, the network functional entity that allocates the security identifier ngKSI is the AUSF, and the NAS security context identified by ngKSI is the NAS security context corresponding to the NAS connection established over the 3GPP access. As shown in Fig. 11, the procedure may include:
Step 1 to 2: The AUSF sends an authentication information request (Auth-Info Req) message to the UDM/ARPF, and the UDM/ARPF returns an authentication information response (Auth-Info Resp) message to the AUSF carrying the UE's authentication vector.
UDM/ARPF denotes the UDM and the ARPF co-located in one device.
Step 3: The AUSF sends an authentication initiation answer (5G-AIA) message to the SEAF carrying the security identifier ngKSI.
The security identifier ngKSI is generated by the AUSF.
Step 4: The SEAF sends an authentication request (Auth-Req) message to the UE carrying the security identifier ngKSI.
Step 5 to 6: The UE sends an authentication response (Auth-Resp) message to the SEAF, and the SEAF returns a response message to the AUSF. This procedure is optional.
If the network entities belong to different PLMNs, the UE stores two values of ngKSI and two security contexts: one identifying the key shared over the 3GPP access and the non-access stratum (NAS) security context derived from that key, and one identifying the key shared over the non-3GPP access and the NAS security context derived from that key.
Based on above-mentioned process shown in Fig. 10, in one possible implementation, this method is suitable for UE and uses EAP- In the case where AKA ' authentication mode, the scene of 3GPP access is executed.
In one possible implementation, the network functional entity for distributing security identifier ngKSI is AUSF, security identifier The NAS safe context that ngKSI is identified is the corresponding NAS safe context of the NAS connection based on 3GPP access foundation.Such as Shown in Figure 12, the process can include:
Step 1~2:AUSF to UDM/ARPF send authentication information request (Auth-info Req) message, UDM/ARPF to AUSF return authentication information response (Auth-info Resp) message, wherein carrying the Ciphering Key of UE.
Wherein, UDM/ARPF indicates that UDM and ARPF conjunction is set within one device.
Step 3:AUSF sends N12 message (message is 5G-AIA) to SEAF, wherein carrying EAP-Pequest message/ AKA '-Chanllenge parameter.
Wherein, security identifier ngKSI is generated by AUSF.
Step 4:SEAF sends certification request (Auth-Req) message to UE, which is N1 message, wherein safe to carry NgKSI is identified, EAP-Pequest message/AKA '-Chanllenge parameter can be also carried.
Step 5~6:UE sends authentication response (Auth-Resp) message to SEAF, which is N1 message, wherein carrying EAP-Response message/AKA '-Chanllenge parameter, SEAF is to AUSF returning response message.The process is optional.
The notification message provisory that exchanges is carried out between step 7:UE and AUSF to transmit.
Step 8:AUSF sends N12 message to SEAF, wherein EAP-success parameter or anchor key ginseng can be carried Number.
Step 9:SEAF sends N1 message to UE, wherein EAP-success parameter can be carried.
If the network entities belong to different PLMNs, the UE saves two ngKSIs and two security contexts: one identifies the key shared via 3GPP access and the NAS security context deduced from that key; the other identifies the key shared via non-3GPP access and the NAS security context deduced from that key.
In one possible implementation, a new attribute AT_ngKSI may be defined by extending the EAP-AKA' protocol; its format is shown in Figure 13. The attribute type AT_ngKSI may be set to a specified value according to the EAP-AKA' attribute parameters, Length is the length of the attribute, and the ngKSI value occupies one byte, of which 4 to 5 bits are significant and the remaining bits are reserved for other purposes. The attribute is delivered to the UE carried in the EAP-Request/AKA'-Challenge message.
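The following is an added example, not code from the patent or from any 3GPP or IETF specification, showing how the AT_ngKSI attribute described above would be carried inside an EAP-Request/AKA'-Challenge and recovered by the UE. It uses the RFC 4187 attribute framing (Type, Length in 4-octet units, padded value) and the RFC 5448 EAP-AKA' method type; the attribute number 200, the bit layout of the ngKSI octet (3-bit identifier value plus a 1-bit security-context type flag, the remaining bits reserved) and the RAND/AUTN values are assumptions made for this example, since the page does not fix them.

```python
import struct

# --- Constructed constants for this illustration ---------------------------
# AT_RAND and AT_AUTN are the RFC 4187 attribute numbers.  AT_ngKSI does not
# exist in the RFCs, so 200 is an ASSUMED number from the skippable range
# (>= 128), chosen only so that this example can be run.
AT_RAND = 1
AT_AUTN = 2
AT_NGKSI = 200             # assumption: not an IANA-assigned attribute number

EAP_REQUEST = 1            # EAP Code (RFC 3748)
EAP_TYPE_AKA_PRIME = 50    # EAP method type for EAP-AKA' (RFC 5448)
SUBTYPE_AKA_CHALLENGE = 1  # AKA-Challenge subtype (RFC 4187)


def encode_ngksi(value: int, ctx_type: int) -> int:
    """Pack the identifier value field and the security-context type field
    into the single octet the attribute carries.  The layout is an assumption:
    bits 0-2 = value (0..7), bit 3 = type (0 = 3GPP NAS context,
    1 = non-3GPP NAS context), bits 4-7 reserved and transmitted as zero."""
    if not 0 <= value <= 7 or ctx_type not in (0, 1):
        raise ValueError("ngKSI value must be 0..7 and type must be 0 or 1")
    return (ctx_type << 3) | value


def decode_ngksi(octet: int):
    """Inverse of encode_ngksi; a strict receiver rejects set reserved bits."""
    if octet & 0xF0:
        raise ValueError("reserved ngKSI bits set")
    return octet & 0x07, (octet >> 3) & 0x01


def encode_attribute(atype: int, value: bytes) -> bytes:
    """RFC 4187 attribute TLV: Type (1 octet), Length (1 octet, in 4-octet
    units and counting the 2-octet header), then the value padded with zero
    octets up to a 4-octet boundary."""
    padded = value + b"\x00" * ((-(2 + len(value))) % 4)
    return bytes([atype, (2 + len(padded)) // 4]) + padded


def parse_attributes(data: bytes) -> dict:
    """Walk an attribute list and return {type: value-with-padding}.  A zero
    length or one running past the buffer is rejected so that a malformed
    packet can neither spin the loop nor read out of bounds."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, units = data[pos], data[pos + 1]
        total = units * 4
        if units == 0 or pos + total > len(data):
            raise ValueError("bad length for attribute %d" % atype)
        attrs[atype] = data[pos + 2:pos + total]
        pos += total
    return attrs


def build_aka_prime_challenge(identifier: int, rand: bytes, autn: bytes,
                              ngksi_octet: int) -> bytes:
    """Network side: EAP-Request/AKA'-Challenge carrying AT_RAND, AT_AUTN and
    the new AT_ngKSI.  A real message also carries AT_KDF, AT_KDF_INPUT and an
    AT_MAC over the whole packet; they are left out because the point here is
    the ngKSI attribute, not the EAP-AKA' key derivation."""
    if len(rand) != 16 or len(autn) != 16:
        raise ValueError("RAND and AUTN are 16 octets each")
    attrs = (encode_attribute(AT_RAND, b"\x00\x00" + rand)      # 2 reserved octets
             + encode_attribute(AT_AUTN, b"\x00\x00" + autn)
             + encode_attribute(AT_NGKSI, bytes([ngksi_octet])))  # 1 octet + pad
    body = bytes([EAP_TYPE_AKA_PRIME, SUBTYPE_AKA_CHALLENGE, 0, 0]) + attrs
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(body)) + body


def ue_extract_ngksi(packet: bytes):
    """UE side: validate the EAP framing, then return (value, type) from
    AT_ngKSI, or None when the network sent a challenge without it (a peer
    that predates the attribute).  In a deployment the UE must verify AT_MAC
    before acting on any attribute, otherwise an on-path attacker could point
    the UE at a different key set; that check is outside this example."""
    if len(packet) < 8:
        raise ValueError("packet too short for an EAP-AKA' header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_REQUEST or length != len(packet):
        raise ValueError("EAP code/length mismatch")
    if packet[4] != EAP_TYPE_AKA_PRIME or packet[5] != SUBTYPE_AKA_CHALLENGE:
        raise ValueError("not an EAP-AKA' AKA-Challenge")
    attrs = parse_attributes(packet[8:])
    if AT_NGKSI not in attrs:
        return None
    return decode_ngksi(attrs[AT_NGKSI][0])


if __name__ == "__main__":
    # Constructed RAND/AUTN; real values come from the authentication vector.
    pkt = build_aka_prime_challenge(7, bytes(range(16)), bytes(16), encode_ngksi(5, 0))
    print(pkt.hex())
    print(ue_extract_ngksi(pkt))   # (5, 0): ngKSI value 5, 3GPP NAS context
```

The attribute is deliberately placed in the skippable range so that a UE that does not understand AT_ngKSI ignores it instead of failing the exchange, which matches the "legacy peer returns None" branch above; whether an operator wants that fallback or a hard failure is a deployment decision.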
Based on the flow shown in Fig. 10, in one possible implementation, the network functional entity that allocates the security identifier ngKSI is the AUSF, and the NAS security context identified by ngKSI is the NAS security context corresponding to the NAS connection established over non-3GPP access. The method applies to the scenario in which the UE performs non-3GPP access using the 5G AKA' authentication method; the signalling flow may be as shown in Figure 14.
As shown in Figure 14, the UE and the N3IWF establish an IPsec tunnel. If the security identifier ngKSI is delivered to the UE in a NAS message and an N2 message, it passes through step 8b (if generated by the AUSF) or step 8c (if generated by the AMF), and then step 8d, in which the N3IWF carries ngKSI in the Auth-Req message to the UE. The flow may include:
Steps 1a-1b: the UE connects to an untrusted non-3GPP access network, selects an N3IWF and obtains an IP address.
Steps 2-8a: the UE and the network side perform the authentication procedure.
Step 8b: the AUSF generates the security identifier ngKSI and sends an AAA message to the SEAF/AMF carrying the authentication vector (AV) and the security identifier ngKSI.
Here, SEAF/AMF denotes that the SEAF and the AMF are co-located in one device.
Step 8c: the SEAF/AMF sends an N2 message to the N3IWF carrying the authentication request message (Auth-Req) and the security identifier ngKSI.
Step 8d: the N3IWF sends an IKE_AUTH request message to the UE carrying an EAP Request message, a 5G-NAS message, a NAS-PDU message, the authentication request message (Auth-Req) and the security identifier ngKSI.
Steps 8e-8f: the UE initiates the authentication request procedure.
If the network entities belong to different PLMNs, the UE saves two ngKSIs and two security contexts: one identifies the key shared via 3GPP access and the NAS security context deduced from that key; the other identifies the key shared via non-3GPP access and the NAS security context deduced from that key.
Based on the flow shown in Fig. 10, in one possible implementation, the network functional entity that allocates the security identifier ngKSI is the AMF, and the NAS security context identified by ngKSI is the NAS security context corresponding to the NAS connection established over non-3GPP access. This method applies to the scenario in which the UE performs non-3GPP access using the EAP-AKA' authentication method; the signalling flow may be as shown in Figure 15.
As shown in Figure 15, in one possible implementation, the security identifier ngKSI may be generated by the AUSF or by the AMF; if ngKSI is generated by the AMF, it may be sent to the UE in an EAP-Req-AKA'/Challenge message. The format of the added AT_ngKSI attribute is as shown in Figure 13. The flow may include:
Steps 1a-1b: the UE connects to an untrusted non-3GPP access network, selects an N3IWF and obtains an IP address.
Steps 2-8a: the UE and the network side perform the authentication procedure.
Step 8b: the AUSF sends an AAA message to the AMF carrying an EAP-Req-AKA'/Challenge message.
Step 8c: the AMF sends an N2 message to the N3IWF carrying an authentication request (Auth-Request) message, which in turn carries the EAP-Req-AKA'/Challenge message.
Step 8d: the N3IWF sends an IKE_AUTH request message to the UE carrying an EAP Request message, a 5G-NAS message, a NAS-PDU message, the authentication request message (Auth-Request) and the EAP-Req-AKA'/Challenge message.
Step 8e: the UE sends an IKE_AUTH response message to the N3IWF carrying an EAP Response message, a 5G-NAS message, a NAS-PDU message, the authentication response message (Auth-Response) and the EAP-Resp-AKA'/Challenge message.
Step 8f: the N3IWF sends an N2 message to the AMF carrying the authentication response (Auth-Response) message and the EAP-Resp-AKA'/Challenge message.
Steps 8g-9b: the UE initiates the authentication request procedure.
Steps 10a-11: the UE and the N3IWF interact to complete authentication.
Step 12: the UE sends subsequent NAS messages to the AMF through the IPsec SA.
If the network entities belong to different PLMNs, the UE saves two ngKSIs and two security contexts: one identifies the key shared via 3GPP access and the NAS security context deduced from that key; the other identifies the key shared via non-3GPP access and the NAS security context deduced from that key.
In one possible implementation, the network functional entity that allocates the security identifier ngKSI is the AMF, and the NAS security context identified by ngKSI is the NAS security context corresponding to the NAS connection established over 3GPP access. In this implementation, the SEAF sends K_AMF to the AMF; after receiving K_AMF, the AMF generates the security identifier ngKSI and sends it to the UE in an attach request response or registration response, a periodic update message response, or a NAS Security Mode Command message.
In one possible implementation, the network functional entity that allocates the security identifier ngKSI is the N3IWF, and the NAS security context identified by ngKSI is the NAS security context corresponding to the NAS connection established over non-3GPP access. In this implementation, the AUSF sends K_N3IWF to the N3IWF; after receiving K_N3IWF, the N3IWF generates the security identifier ngKSI and sends it to the UE in an authentication success message.
It should be noted that if the SEAF and the AMF are not co-located, the security identifier ngKSI may be delivered to the UE in other, newly defined NAS messages.
In the inter-system handover scenario, the AMF, which is responsible for mobility management, needs to compute the deduced key for the target AMF and sends the allocated ngKSI to the target base station in a Handover Request message. The ngKSI on the UE side is allocated by the UE itself.
Based on the same technical idea, an embodiment of the present application further provides a network functional entity that can implement the security identifier management method provided in the above embodiments.
Referring to Figure 16, a schematic structural diagram of the network functional entity, the network functional entity may include an allocation module 1601 and a sending module 1602.
The allocation module 1601 is configured to allocate a Non-Access Stratum (NAS) security identifier to a terminal; the NAS security identifier identifies a NAS security context, and the NAS security context is used to protect the security of an established NAS connection.
The sending module 1602 is configured to send the NAS security identifier to the terminal.
Optionally, the NAS security context identified by the 3GPP NAS security identifier includes a NAS key deduced from a shared key, a NAS COUNT value and a NAS connection identifier; the NAS security context identified by the non-3GPP NAS security identifier includes a NAS key deduced from a shared key, a NAS COUNT value and a NAS connection identifier.
Optionally, the NAS security identifier includes: a 3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over 3GPP access; and a non-3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over non-3GPP access.
Optionally, the NAS key included in the NAS security context identified by the 3GPP NAS security identifier is deduced from a first shared key, the NAS key included in the NAS security context identified by the non-3GPP NAS security identifier is deduced from a second shared key, and the second shared key is deduced from the first shared key; the 3GPP NAS security identifier and the non-3GPP NAS security identifier have different values.
Optionally, the NAS key included in the NAS security context identified by the 3GPP NAS security identifier is deduced from the first shared key, and the NAS key included in the NAS security context identified by the non-3GPP NAS security identifier is also deduced from the first shared key; the 3GPP NAS security identifier and the non-3GPP NAS security identifier have the same value.
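The two alternatives above (a second shared key deduced from the first with distinct identifiers, or both NAS keys deduced from the first shared key with identical identifiers) are modelled in the following added example of a UE-side context store. It is not code from the patent; the KDF has the shape of the generic 3GPP KDF (HMAC-SHA-256 over FC || P0 || L0 || ...), but the two FC values, the KDF input strings and the shared key are assumptions made for this example, and the NAS connection identifiers 0 and 1 are arbitrary labels for the 3GPP and non-3GPP connections.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

ACCESS_3GPP = "3gpp"
ACCESS_NON3GPP = "non-3gpp"

# The FC octet selects the derivation purpose in the 3GPP KDF.  Both values
# below are ASSUMED for this illustration, not the numbers TS 33.501 assigns.
FC_SECOND_SHARED_KEY = 0xF0
FC_NAS_KEY = 0xF1


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF shape (TS 33.220 Annex B): HMAC-SHA-256 keyed with
    `key` over S = FC || P0 || L0 || P1 || L1 ..., Li = 2-octet length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


@dataclass
class NasSecurityContext:
    ngksi: int          # identifies this context and the key it came from
    nas_key: bytes      # NAS key deduced from the shared key
    conn_id: int        # NAS connection identifier (which access it runs over)
    ul_count: int = 0   # NAS COUNT kept per context, so the two accesses
    dl_count: int = 0   # never reuse a (key, COUNT) pair against each other


class UeSecurityStore:
    """UE-side store of one NAS security context per access type, each
    tagged with the ngKSI the network allocated for it."""

    def __init__(self) -> None:
        self.contexts: Dict[str, NasSecurityContext] = {}

    def install(self, access: str, ngksi: int, shared_key: bytes, conn_id: int) -> None:
        nas_key = kdf(shared_key, FC_NAS_KEY, b"NAS")   # input string is an assumption
        self.contexts[access] = NasSecurityContext(ngksi, nas_key, conn_id)

    def holds(self, access: str, ngksi: int) -> bool:
        ctx = self.contexts.get(access)
        return ctx is not None and ctx.ngksi == ngksi

    def select(self, access: str, ngksi: int) -> NasSecurityContext:
        """Resolve the context a protected NAS message refers to.  An ngKSI
        the UE does not hold for that access means the peer is using a key
        that was never agreed, so the message must not be accepted."""
        if not self.holds(access, ngksi):
            raise LookupError("no NAS context for %s with ngKSI %d" % (access, ngksi))
        return self.contexts[access]


def provision_ue(first_shared_key: bytes, ngksi: int, separate_non3gpp_key: bool,
                 ngksi_non3gpp: Optional[int] = None) -> UeSecurityStore:
    """Build the UE's two contexts under either alternative:
      separate_non3gpp_key=False: both NAS keys are deduced from the first
        shared key and both contexts carry the SAME ngKSI value;
      separate_non3gpp_key=True:  the non-3GPP NAS key is deduced from a
        second shared key that is itself deduced from the first, and the two
        ngKSI values DIFFER (the network allocates ngksi_non3gpp for it)."""
    store = UeSecurityStore()
    store.install(ACCESS_3GPP, ngksi, first_shared_key, conn_id=0)
    if separate_non3gpp_key:
        if ngksi_non3gpp is None or ngksi_non3gpp == ngksi:
            raise ValueError("the non-3GPP context needs its own, distinct ngKSI")
        second_key = kdf(first_shared_key, FC_SECOND_SHARED_KEY, b"non-3gpp")
        store.install(ACCESS_NON3GPP, ngksi_non3gpp, second_key, conn_id=1)
    else:
        store.install(ACCESS_NON3GPP, ngksi, first_shared_key, conn_id=1)
    return store


if __name__ == "__main__":
    k_first = bytes(range(32))                      # constructed shared key
    same = provision_ue(k_first, 3, separate_non3gpp_key=False)
    print(same.select(ACCESS_3GPP, 3).ngksi, same.select(ACCESS_NON3GPP, 3).ngksi)  # 3 3
    split = provision_ue(k_first, 3, separate_non3gpp_key=True, ngksi_non3gpp=4)
    print(split.holds(ACCESS_NON3GPP, 3), split.holds(ACCESS_NON3GPP, 4))         # False True
```

In the same-identifier alternative the two NAS keys come out equal, because the page deduces both from the first shared key; what keeps the two connections apart is the NAS connection identifier and the per-context NAS COUNT. In the distinct-identifier alternative the non-3GPP key is one derivation step further from the first shared key, so a lookup with the 3GPP ngKSI on the non-3GPP access is refused.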
Optionally, the network functional entity sending the NAS security identifier to the terminal includes: the network functional entity sends a NAS message to the terminal, the NAS message carrying the NAS security identifier.
Optionally, the NAS security identifier includes: a 3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over 3GPP access; and a non-3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over non-3GPP access.
Optionally, the network functional entity sending a NAS message carrying the NAS security identifier to the terminal includes: after authenticating the 3GPP access initiated by the terminal, the network functional entity sends a first NAS Security Mode Command to the terminal, the first NAS Security Mode Command carrying the 3GPP NAS security identifier; after the terminal initiates non-3GPP access, the network functional entity sends a second NAS Security Mode Command to the terminal, the second NAS Security Mode Command carrying the non-3GPP NAS security identifier.
Optionally, the NAS security identifier includes: a 3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over 3GPP access; and a non-3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over non-3GPP access.
Optionally, the network functional entity sending a NAS message carrying the NAS security identifier to the terminal includes: after authenticating the non-3GPP access initiated by the terminal, the network functional entity sends a first NAS Security Mode Command to the terminal, the first NAS Security Mode Command carrying the non-3GPP NAS security identifier.
Optionally, after the terminal initiates 3GPP access, the network functional entity sends a second NAS Security Mode Command to the terminal, the second NAS Security Mode Command carrying the 3GPP NAS security identifier.
Optionally, sending the root key identifier to the terminal includes: the network functional entity sends an authentication request message to the terminal, the authentication request message carrying the root key identifier.
Optionally, the NAS security identifier includes:
an identifier value information field, for carrying the value of the NAS security identifier; and
a security context type information field, for carrying indication information of the security context type.
Optionally, the network functional entity is an AMF.
Based on the same technical idea, an embodiment of the present application further provides a network functional entity that can implement the security identifier management method provided in the above embodiments.
Referring to Figure 17, a schematic structural diagram of the network functional entity, the network functional entity may include an allocation module 1701 and a sending module 1702.
The allocation module 1701 is configured to allocate a security identifier to a terminal; the security identifier identifies the key shared between the terminal and the network side and the Non-Access Stratum (NAS) security context deduced from that key.
The sending module 1702 is configured to send the security identifier to the terminal.
The network-side entities may belong to different PLMNs, in which case the terminal saves a first security identifier and a second security identifier at the same time. The first security identifier identifies the key shared via 3GPP access and the NAS security context deduced from that key; the second security identifier identifies the key shared via non-3GPP access and the NAS security context deduced from that key.
Optionally, the security identifier is the key identifier used in the 5G system.
Optionally, the network functional entity is an AUSF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over 3GPP access.
Optionally, the network functional entity allocating a security identifier to the terminal includes: the AUSF obtains the authentication vector of the terminal and generates the security identifier for the terminal.
Optionally, the network functional entity sending the security identifier to the terminal includes: the AUSF sends an authentication initiation response message to the SEAF, the authentication initiation response message carrying the security identifier; the authentication initiation response message triggers the SEAF to send an authentication request message to the terminal, the authentication request message carrying the security identifier.
Optionally, the network functional entity is an AMF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over 3GPP access.
Optionally, the network functional entity allocating a security identifier to the terminal includes: the AMF receives the shared key sent by the SEAF and generates a security identifier for the shared key, the shared key being the key shared between the terminal and the AMF.
Optionally, the network functional entity sending the security identifier to the terminal includes: the AMF sends the security identifier to the UE in a NAS message, the type of the NAS message being an attach request response or registration response, a periodic update message response, or a NAS Security Mode Command message.
Optionally, the network functional entity is an AUSF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over non-3GPP access.
Optionally, the network functional entity sending the security identifier to the terminal includes: the AUSF sends an AAA message to the SEAF, the AAA message carrying the security identifier; the AAA message triggers the SEAF to send, through the N3IWF, an authentication request message to the terminal, the authentication request message carrying the security identifier.
Optionally, the network functional entity is an AMF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over non-3GPP access.
Optionally, the network functional entity sending the security identifier to the terminal includes: the AMF receives the shared key sent by the SEAF, generates a security identifier for the terminal, and sends the security identifier to the N3IWF to trigger the N3IWF to send an authentication success message to the terminal, the authentication success message carrying the security identifier.
Optionally, the network functional entity is an N3IWF, and the NAS security context identified by the security identifier is the NAS security context corresponding to the NAS connection established over non-3GPP access.
Optionally, the network functional entity sending the security identifier to the terminal includes: the N3IWF receives the shared key sent by the AUSF, generates a security identifier for the terminal, and sends the security identifier to the UE in an authentication success message.
Optionally, the security identifier is carried in a newly defined information element that follows the EAP-AKA' protocol.
Optionally, the method further includes: the AMF allocates the security identifier to the terminal and sends a handover request message to the target base station of the terminal, the handover request message carrying the currently allocated security identifier.
Optionally, the security identifier includes:
an identifier value information field, for carrying the value of the security identifier; and
a security context type information field, for carrying indication information of the security context type.
Referring to Figure 18, a schematic structural diagram of a network functional entity provided by an embodiment of the present application: as shown in Figure 18, the network functional entity may include a processor 1801, a memory 1802, a transceiver 1803 and a bus interface.
The processor 1801 is responsible for managing the bus architecture and general processing, the memory 1802 may store data used by the processor 1801 when performing operations, and the transceiver 1803 sends and receives data under the control of the processor 1801.
The bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 1801 and memory represented by the memory 1802. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further here. The bus interface provides an interface.
The flows disclosed in the embodiments of the present invention may be applied in, or implemented by, the processor 1801. During implementation, each step of the signal processing flow may be completed by integrated logic circuits of hardware in the processor 1801 or by instructions in software form. The processor 1801 may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present invention may be executed directly by a hardware processor or by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 1802; the processor 1801 reads the information in the memory 1802 and completes the steps of the signal processing flow in combination with its hardware.
Specifically, the processor 1801 is configured to read the program in the memory 1802 and execute the network-functional-entity-side flow of the security identifier management method described above.
Referring to Figure 19, a schematic structural diagram of a terminal provided by an embodiment of the present application: as shown in Figure 19, the terminal may include a processor 1901, a memory 1902, a transceiver 1903 and a bus interface.
The processor 1901 is responsible for managing the bus architecture and general processing, the memory 1902 may store data used by the processor 1901 when performing operations, and the transceiver 1903 sends and receives data under the control of the processor 1901.
The bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 1901 and memory represented by the memory 1902. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further here. The bus interface provides an interface.
The flows disclosed in the embodiments of the present invention may be applied in, or implemented by, the processor 1901. During implementation, each step of the signal processing flow may be completed by integrated logic circuits of hardware in the processor 1901 or by instructions in software form. The processor 1901 may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present invention may be executed directly by a hardware processor or by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 1902; the processor 1901 reads the information in the memory 1902 and completes the steps of the signal processing flow in combination with its hardware.
Specifically, the processor 1901 is configured to read the program in the memory 1902 and execute the terminal-side flow of the security identifier management method described above.

Claims (25)

1. A security identifier management method, wherein the method comprises:
a network functional entity allocating a Non-Access Stratum (NAS) security identifier to a terminal, the NAS security identifier identifying a NAS security context, the NAS security context being used to protect the security of an established NAS connection; and
the network functional entity sending the NAS security identifier to the terminal.
2. The method according to claim 1, wherein the NAS security context identified by the 3GPP NAS security identifier comprises a NAS key deduced from a shared key, a NAS COUNT value and a NAS connection identifier; and
the NAS security context identified by the non-3GPP NAS security identifier comprises a NAS key deduced from a shared key, a NAS COUNT value and a NAS connection identifier.
3. The method according to claim 1, wherein the NAS security identifier comprises:
a 3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over 3GPP access; and
a non-3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over non-3GPP access.
4. The method according to claim 3, wherein the NAS key comprised in the NAS security context identified by the 3GPP NAS security identifier is deduced from a first shared key, the NAS key comprised in the NAS security context identified by the non-3GPP NAS security identifier is deduced from a second shared key, and the second shared key is deduced from the first shared key; and
the 3GPP NAS security identifier and the non-3GPP NAS security identifier have different values.
5. The method according to claim 3, wherein the NAS key comprised in the NAS security context identified by the 3GPP NAS security identifier is deduced from a first shared key, and the NAS key comprised in the NAS security context identified by the non-3GPP NAS security identifier is deduced from the first shared key; and
the 3GPP NAS security identifier and the non-3GPP NAS security identifier have the same value.
6. The method according to claim 1, wherein the network functional entity sending the NAS security identifier to the terminal comprises:
the network functional entity sending a NAS message to the terminal, the NAS message carrying the NAS security identifier.
7. The method according to claim 6, wherein the NAS security identifier comprises: a 3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over 3GPP access; and a non-3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over non-3GPP access;
the network functional entity sending a NAS message to the terminal, the NAS message carrying the NAS security identifier, comprises:
after authenticating the 3GPP access initiated by the terminal, the network functional entity sending a first NAS Security Mode Command to the terminal, the first NAS Security Mode Command carrying the 3GPP NAS security identifier; and
after the terminal initiates non-3GPP access, the network functional entity sending a second NAS Security Mode Command to the terminal, the second NAS Security Mode Command carrying the non-3GPP NAS security identifier.
8. The method according to claim 6, wherein the NAS security identifier comprises: a 3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over 3GPP access; and a non-3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over non-3GPP access;
the network functional entity sending a NAS message to the terminal, the NAS message carrying the NAS security identifier, comprises:
after authenticating the non-3GPP access initiated by the terminal, the network functional entity sending a first NAS Security Mode Command to the terminal, the first NAS Security Mode Command carrying the non-3GPP NAS security identifier; and
after the terminal initiates 3GPP access, the network functional entity sending a second NAS Security Mode Command to the terminal, the second NAS Security Mode Command carrying the 3GPP NAS security identifier.
9. The method according to claim 1, wherein sending the NAS security identifier to the terminal comprises:
the network functional entity sending an authentication request message to the terminal, the authentication request message carrying the NAS security identifier.
10. The method according to claim 1, wherein the NAS security identifier comprises:
an identifier value information field, for carrying the value of the NAS security identifier; and
a security context type information field, for carrying indication information of the security context type.
11. The method according to claim 1, wherein the network functional entity is an AMF.
12. A network functional entity, comprising:
an allocation module, configured to allocate a Non-Access Stratum (NAS) security identifier to a terminal, the NAS security identifier identifying a NAS security context, the NAS security context being used to protect the security of an established NAS connection; and
a sending module, configured to send the NAS security identifier to the terminal.
13. A network functional entity, comprising a processor, a memory and a transceiver, the processor, the memory and the transceiver being connected by a bus; the processor being configured to read a program in the memory and execute:
allocating a Non-Access Stratum (NAS) security identifier to a terminal, the NAS security identifier identifying a NAS security context, the NAS security context being used to protect the security of an established NAS connection; and
sending the NAS security identifier to the terminal through the transceiver.
14. The network functional entity according to claim 13, wherein the NAS security context identified by the 3GPP NAS security identifier comprises a NAS key deduced from a shared key, a NAS COUNT value and a NAS connection identifier; and
the NAS security context identified by the non-3GPP NAS security identifier comprises a NAS key deduced from a shared key, a NAS COUNT value and a NAS connection identifier.
15. The network functional entity according to claim 13, wherein the NAS security identifier comprises:
a 3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over 3GPP access; and
a non-3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection established by the terminal over non-3GPP access.
16. The network functional entity according to claim 15, wherein the NAS key comprised in the NAS security context identified by the 3GPP NAS security identifier is deduced from a first shared key, the NAS key comprised in the NAS security context identified by the non-3GPP NAS security identifier is deduced from a second shared key, and the second shared key is deduced from the first shared key; and
the 3GPP NAS security identifier and the non-3GPP NAS security identifier have different values.
17. The network functional entity according to claim 15, wherein the NAS key comprised in the NAS security context identified by the 3GPP NAS security identifier is deduced from a first shared key, and the NAS key comprised in the NAS security context identified by the non-3GPP NAS security identifier is deduced from the first shared key; and
the 3GPP NAS security identifier and the non-3GPP NAS security identifier have the same value.
18. The network functional entity according to claim 13, wherein the processor is specifically configured to:
send a NAS message to the terminal through the transceiver, the NAS message carrying the NAS security identifier.
19. The network functional entity as claimed in claim 18, characterized in that the NAS security identifier comprises: a 3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection that the terminal establishes based on 3GPP access; and a non-3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection that the terminal establishes based on non-3GPP access;
the processor is specifically configured to:
after authenticating the 3GPP access initiated by the terminal, send a first NAS security mode command to the terminal through the transceiver, the first NAS security mode command carrying the 3GPP NAS security identifier;
after the terminal initiates non-3GPP access, send a second NAS security mode command to the terminal through the transceiver, the second NAS security mode command carrying the non-3GPP NAS security identifier.
20. The network functional entity as claimed in claim 18, characterized in that the NAS security identifier comprises: a 3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection that the terminal establishes based on 3GPP access; and a non-3GPP NAS security identifier, for identifying the NAS security context corresponding to the NAS connection that the terminal establishes based on non-3GPP access;
the processor is specifically configured to:
after authenticating the non-3GPP access initiated by the terminal, send a first NAS security mode command to the terminal through the transceiver, the first NAS security mode command carrying the non-3GPP NAS security identifier;
after the terminal initiates 3GPP access, send a second NAS security mode command to the terminal through the transceiver, the second NAS security mode command carrying the 3GPP NAS security identifier.
21. The network functional entity as claimed in claim 13, characterized in that the processor is specifically configured to:
send an authentication request message to the terminal through the transceiver, the authentication request message carrying the NAS security identifier.
22. The network functional entity as claimed in claim 13, characterized in that the NAS security identifier comprises:
an identifier value information field, for carrying the value of the NAS security identifier;
a security context type information field, for carrying indication information of the security context type.
23. The network functional entity as claimed in claim 13, characterized in that the network functional entity is an AMF.
24. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer-executable instructions, the computer-executable instructions being configured to cause a computer to execute the method as claimed in any one of claims 1 to 11.
25. A computer product, characterized in that, when the computer product is run by a computer, it causes the computer to perform the functions performed by the authentication server in any one possible design of the method as claimed in any one of claims 1 to 11.
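The identifier structure of claim 22 and the two key-derivation variants of claims 16 and 17, as an added Python model that is not part of the patent or any 3GPP implementation. HMAC-SHA256 stands in for the 3GPP key derivation function, and the two-octet wire layout, the context-type codes and the Amf class are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Codes for the security-context-type field; constructed, the patent fixes no values.
CTX_3GPP, CTX_NON_3GPP = 0, 1

def derive_key(shared_key: bytes, label: bytes) -> bytes:
    """Stand-in KDF (HMAC-SHA256), an assumption rather than the 3GPP KDF."""
    return hmac.new(shared_key, label, hashlib.sha256).digest()

@dataclass(frozen=True)
class NasSecurityIdentifier:
    value: int      # identifier value information field (claim 22)
    ctx_type: int   # security context type information field (claim 22)

    def encode(self) -> bytes:
        # Constructed two-octet layout: octet 0 = value, octet 1 = context type.
        return bytes([self.value & 0xFF, self.ctx_type & 0xFF])
    @staticmethod
    def decode(raw: bytes) -> "NasSecurityIdentifier":
        return NasSecurityIdentifier(raw[0], raw[1])

class Amf:
    """Hypothetical AMF model keeping one terminal's NAS security contexts (claim 23)."""
    def __init__(self) -> None:
        self.contexts = {}      # NasSecurityIdentifier -> NAS key
        self._next_value = 1

    def _store(self, ctx_type: int, nas_key: bytes, value: int = -1) -> NasSecurityIdentifier:
        if value < 0:           # allocate a fresh identifier value
            value, self._next_value = self._next_value, self._next_value + 1
        ident = NasSecurityIdentifier(value, ctx_type)
        self.contexts[ident] = nas_key
        return ident

    def establish(self, first_shared_key: bytes, separate_keys: bool):
        """(3GPP, non-3GPP) identifiers of one terminal. separate_keys=True is the
        claim 16 variant (second key derived from first, values differ); False is claim 17."""
        k_3gpp = derive_key(first_shared_key, b"nas-3gpp")
        id_3gpp = self._store(CTX_3GPP, k_3gpp)
        if separate_keys:
            second_shared_key = derive_key(first_shared_key, b"second-shared-key")
            k_non = derive_key(second_shared_key, b"nas-non-3gpp")
            return id_3gpp, self._store(CTX_NON_3GPP, k_non)
        return id_3gpp, self._store(CTX_NON_3GPP, k_3gpp, value=id_3gpp.value)

    def lookup(self, raw: bytes) -> bytes:
        """Resolve the NAS key from the identifier carried in a NAS message (claim 18)."""
        return self.contexts[NasSecurityIdentifier.decode(raw)]
```

In the claim 17 variant the two identifiers share a value and are told apart only by the context-type field, which is why that field is part of the identifier.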
Priority Applications (1)

Application Number   Priority Date   Filing Date   Title   Status
CN201810114251.0A (granted as CN110121196B)   2018-02-05   2018-02-05   Security identifier management method and device   Active

Publications (2)

Publication Number Publication Date
CN110121196A (en), this document   2019-08-13
CN110121196B (en)   2021-11-02

Family

ID=67519795

Family Applications (1)

Application Number   Publication   Priority Date   Filing Date   Title   Status
CN201810114251.0A   CN110121196B (en)   2018-02-05   2018-02-05   Security identifier management method and device   Active

Country Status (1)

Country Link
CN (1) CN110121196B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022029714A1 (en) * 2020-08-06 2022-02-10 Lenovo (Singapore) Pte. Ltd. Uas authentication and security establishment
CN114258096A (en) * 2020-09-23 2022-03-29 华为技术有限公司 Method and device for processing non-access stratum context
CN115065998A (en) * 2021-12-22 2022-09-16 荣耀终端有限公司 Call processing method and device
US11689920B2 (en) 2018-09-24 2023-06-27 Nokia Technologies Oy System and method for security protection of NAS messages
CN116528234A (en) * 2023-06-29 2023-08-01 内江师范学院 Virtual machine security and credibility verification method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102769848A (en) * 2010-12-21 2012-11-07 特克特朗尼克公司 Evolved packet system non access stratum deciphering using real-time LTE monitoring
CN103491511A (en) * 2013-09-22 2014-01-01 大唐移动通信设备有限公司 Information sending method and device
US20150334597A1 (en) * 2013-01-07 2015-11-19 Telefonaktiebolaget L M Ericsson (Publ) Method and Apparatus for Non-Access Stratum Signaling

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "《On the need for multiple NAS SMC procedures》", 《3GPP TSG SA WG3 (SECURITY) MEETING #90 S3-180290》 *
HUAWEI, HISILICON, NOKIA, ERICSSON, ZTE, CATT: "《Key identification》", 《3GPP TSG SA WG3 (SECURITY) MEETING #90 S3-180430》 *
HUAWEI, HISILICON: "《Security》", 《3GPP TSG-CT WG1 MEETING #107 C1-175150》 *
ZTE: "《TS23.502 Registration procedure》", 《SA WG2 MEETING #122BIS S2-176075》 *

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
TA01   Transfer of patent application right
       Effective date of registration: 20210526
       Applicant after: DATANG MOBILE COMMUNICATIONS EQUIPMENT Co.,Ltd. (100085 1st floor, building 1, yard 5, Shangdi East Road, Haidian District, Beijing)
       Applicant before: Telecommunications Science and Technology Research Institute Co.,Ltd. (100191 No. 40, Xueyuan Road, Haidian District, Beijing)
GR01   Patent grant