CN110830997B - Key determination method and device, storage medium and electronic device - Google Patents


Info

Publication number: CN110830997B
Authority: CN (China)
Prior art keywords: key, core network, access stratum, change indication, terminal
Legal status: Active
Application number: CN201810910259.8A
Other languages: Chinese (zh)
Other versions: CN110830997A (en)
Inventor: 谢振华
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Events: application filed by ZTE Corp; priority to CN201810910259.8A; publication of CN110830997A; application granted; publication of CN110830997B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • H04W 36/12 Reselecting a serving backbone network switching or routing node

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a key determination method and apparatus, a storage medium and an electronic device. The method comprises: sending a second core network key and a key change indication to a target access management function (AMF), so as to instruct the target AMF to notify a terminal to determine a key according to the key change indication; wherein the key change indication comprises at least one of a first access stratum (AS) key change indication and a first non-access stratum (NAS) key change indication; the second core network key is used to generate the key, and the key comprises at least one of an access stratum AS key and a non-access stratum NAS key. This solves the problem in the related art that the key held by the terminal does not match the key held by the network, so that normal communication cannot be carried out.

Description

Key determination method and device, storage medium and electronic device
Technical Field
The present invention relates to the field of communications, and in particular, to a method and an apparatus for determining a secret key, a storage medium, and an electronic apparatus.
Background
The 3rd Generation Partnership Project (3GPP) proposes a scheme for synchronizing the Access Stratum (AS) key and the Non-Access Stratum (NAS) key at handover, but in the prior art the key held by the terminal does not match the key held by the network, so that normal communication cannot be carried out.
No effective solution to the above technical problem has yet been proposed in the related art.
Disclosure of Invention
The embodiments of the invention provide a key determination method and apparatus, a storage medium and an electronic device, so as to at least solve the problem in the related art that the key held by the terminal does not match the key held by the network, so that normal communication cannot be carried out.
According to an embodiment of the present invention, a key determination method is provided, comprising: sending a second core network key and a key change indication to a target access management function (AMF), so as to instruct the target AMF to notify a terminal to determine a key according to the key change indication; wherein the key change indication comprises at least one of a first access stratum (AS) key change indication and a first non-access stratum (NAS) key change indication; the second core network key is used to generate the key; and the key comprises at least one of an access stratum AS key and a non-access stratum NAS key.
According to another embodiment of the present invention, a key determination method is provided, comprising: receiving a second core network key and a key change indication sent by a source AMF, wherein the second core network key is used to generate the key and the key change indication comprises at least one of a first access stratum (AS) key change indication and a first non-access stratum (NAS) key change indication; and notifying the terminal to determine the key according to the key change indication.
According to another embodiment of the present invention, a key determination apparatus is provided, comprising: a sending module configured to send a second core network key and a key change indication to a target access management function AMF, so as to instruct the target AMF to notify a terminal to determine a key according to the key change indication; wherein the key change indication comprises at least one of a first access stratum (AS) key change indication and a first non-access stratum (NAS) key change indication; the second core network key is used to generate the key; and the key comprises at least one of an access stratum AS key and a non-access stratum NAS key.
According to another embodiment of the present invention, a key determination apparatus is provided, comprising: a receiving module configured to receive a second core network key and a key change indication sent by a source AMF, where the key change indication comprises at least one of a first access stratum (AS) key change indication and a first non-access stratum (NAS) key change indication; and a determining module configured to determine a first radio access key according to the key change indication, where the second core network key is used to generate the key and the key comprises at least one of an access stratum AS key and a non-access stratum NAS key.
According to a further embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, comprising a memory in which a computer program is stored and a processor configured to run the computer program to perform the steps of any of the method embodiments described above.
In the invention, the source AMF sends the second core network key and the key change indication to the target AMF so as to instruct the target AMF to notify the terminal of the key change indication; this solves the problem that normal communication cannot be carried out because the keys held by the terminal and by the network do not match, and achieves effective key synchronization between the terminal and the network.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention and do not constitute a limitation of the invention. In the drawings:
Fig. 1 is a block diagram of the hardware structure of a mobile terminal running the key determination method according to an embodiment of the present invention;
Fig. 2 is a flowchart (one) of a key determination method according to an embodiment of the present invention;
Fig. 3 is a flowchart (two) of a key determination method according to an embodiment of the present invention;
Fig. 4 is a key synchronization flowchart (one) in the related art;
Fig. 5 is a key synchronization flowchart (two) in the related art;
Fig. 6 is a flowchart (one) of key synchronization between the AS layer and the NAS layer during handover according to this embodiment;
Fig. 7 is a flowchart (two) of key synchronization between the AS layer and the NAS layer during handover according to this embodiment;
Fig. 8 is a scheme of key synchronization between the AS layer and the NAS layer in multi-access mobility update according to this embodiment;
Fig. 9 is a scheme of key synchronization between the AS layer and the NAS layer in multi-access mobility update according to this embodiment;
Fig. 10 is a block diagram (one) of the configuration of a key determination apparatus according to an embodiment of the present invention;
Fig. 11 is a block diagram (two) of the configuration of a key determination apparatus according to an embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking the operation on the mobile terminal as an example, fig. 1 is a hardware structure block diagram of the mobile terminal of a method for determining a secret key according to an embodiment of the present invention. As shown in fig. 1, the mobile terminal 10 may include one or more (only one shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally may also include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those of ordinary skill in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the mobile terminal. For example, the mobile terminal 10 may include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as computer programs corresponding to the key determination method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, so as to implement the above-mentioned method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the mobile terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In this embodiment, a key determination method is provided. Fig. 2 is a flowchart (one) of a key determination method according to an embodiment of the present invention; as shown in Fig. 2, the flow comprises the following steps:
step S202: sending a second core network key and a key change indication to a target access management function AMF, so as to instruct the target AMF to notify a terminal to determine the key according to the key change indication;
wherein the key change indication comprises at least one of a first access stratum (AS) key change indication and a first non-access stratum (NAS) key change indication; the second core network key is used to generate the key, and the key comprises at least one of an access stratum AS key and a non-access stratum NAS key.
Through these steps, the source AMF sends the second core network key and the key change indication to the target AMF so as to instruct the target AMF to notify the terminal of the key change indication; this solves the problem that normal communication cannot be carried out because the keys held by the terminal and by the network do not match, and achieves effective key synchronization between the terminal and the network.
Alternatively, the execution subject of the above steps may be the source AMF or the like, but is not limited thereto.
Preferably, the key change indication comprises one of: a first AS key change indication; a first access stratum AS key change indication together with a first NAS key change indication; or a key synchronization indication, where the key synchronization indication has the same function as the first access stratum AS key change indication.
It should be noted that, before the source AMF sends the key change indication to the target AMF, the terminal UE has established a data connection with the source AMF through the source base station eNB, so that the terminal and the source AMF can communicate.
In an alternative embodiment, the source AMF may send a first Security Mode Command message to the terminal, to activate the second core network key, before sending the key change indication to the target AMF.
It should be noted that when no first core network key exists, the second core network key is generated for the first time; when a first core network key exists, the second core network key is derived from the first core network key.
Optionally, the first security mode command message carries a first derivation parameter (for example the uplink NAS signaling COUNT value, UL NAS COUNT). The source AMF receives a first security mode complete message from the terminal, which the terminal sends after deriving the NAS signaling protection key based on the first derivation parameter; the source AMF derives the second core network key from the first derivation parameter and the first core network key in use, and activates the NAS signaling protection key derived from the second core network key. Once the NAS signaling protection key has been activated in this way, no NAS key change indication needs to be sent to the target AMF, since that would cause the key to be activated a second time. For example: the terminal UE receives a first Security Mode Command message carrying the first derivation parameter, derives a new core network key Kamf (the second core network key) from the Kamf in use and the first derivation parameter, derives the NAS signaling protection key from the new Kamf, and sends a Security Mode Complete message to the source AMF; the source AMF receives that message and likewise derives the NAS signaling protection key from the new Kamf, which completes activation of the new NAS signaling protection key.
In an alternative embodiment, in a handover scenario the security mode command procedure does not necessarily take place, and in that case both a NAS key change indication and an AS key change indication are needed. The key change indication is then sent to the target AMF as follows: the source AMF receives a first handover request from a first radio network element (for example the source base station), requesting that the terminal be handed over to a new base station and requesting a handover key; based on the first handover request, the source AMF sends a first create terminal context request message to the target AMF. This message carries the key change indication and comprises the second core network key, the terminal context, a key synchronization indication and a first AS key change indication; it may further carry a radio key, generated from the second core network key, that is the access stratum AS key or is used to generate the access stratum AS key.
For example: the source AMF sends a first create terminal context request message (such as a Create UE Context Request message) to the target AMF carrying a new core network key Kamf (the second core network key) derived by the source AMF from the Kamf in use, and the UE context also carries a key synchronization indication. The key synchronization indication may be expressed by a dedicated field keySyncInd, or implicitly by the first create terminal context request message carrying no key change indication while the Next Chain Count (NCC) value in the UE context is 0; if instead the source AMF places the Kamf it is currently using in the first create terminal context request message, no key synchronization indication is carried (NCC > 0 in that case).
Optionally, on receiving the key synchronization indication the target AMF derives a new radio access key Kgnb from the new core network key Kamf and then sends a Handover Request message to the target base station carrying the new Kgnb and an AS key derivation change indication (such as NSCI). If the target AMF does not receive the key synchronization indication, it derives Kgnb from the NH in the UE context and does not carry the AS key derivation change indication in the Handover Request sent to the target gNB.
Optionally, the target base station derives the radio connection protection key from Kgnb and sends a Handover Response message to the target AMF; because the target base station received the AS key derivation change indication, the handover response also carries an AS key derivation change indication (for example keyChangeIndicator).
In an optional embodiment, in a registration update scenario, the source AMF receives a first terminal context transfer request sent by the target AMF and then sends a first terminal context transfer response message to the target AMF; this response carries the key change indication and comprises the second core network key, and may further carry a radio key generated from the second core network key that is the access stratum AS key or is used to generate it. A Handover Command message is sent to the terminal through the source base station, containing a first AS key change indication (for example an AS key derivation change indicator) that instructs the terminal to determine the key accordingly. On receiving the first AS key change indication, the UE does not derive the new radio access key Kgnb from the existing radio key information but from the new Kamf, derives the radio connection protection key from Kgnb, and sends a Handover Complete message to the target base station.
In an optional embodiment, when the key change indication includes a first access stratum AS key change indication, the first access stratum AS key change indication is used to instruct the target AMF to notify the terminal to determine an access stratum AS key according to the core network key; when the key change indication comprises a first non-access stratum (NAS) key change indication, the first NAS key change indication is used for indicating a target AMF to inform a terminal to determine a non-access stratum (NAS) key according to a core network key.
Alternatively, if the UE does not receive the AS key derivation change indication, Kgnb will be derived based on the existing radio key information (i.e. NH in the UE context).
Optionally, the target base station will enable a new Kgnb-based AS security with the terminal UE, so that both NAS security and AS security are Kamf-based derivation for synchronization.
Optionally, the target base station sends a Handover Notification (e.g., Handover Notification message) to the target AMF.
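The handover flow described above (the source AMF sends the second Kamf with a key synchronization indication, the target AMF derives Kgnb from it, and the AS key change indication is relayed to the UE in the Handover Command) can be checked in a small model. The following Python is an added illustration, not code from the patent or from ZTE; it uses HMAC-SHA256 as a stand-in for the 3GPP key derivation function, and all key values, COUNT values and message field names (`keySyncInd`, `as_key_change_ind`, `nas_key_change_ind`, `derivation_parameter`) are constructed assumptions. It runs the three cases the description distinguishes: the AS key change indication reaches the UE (keys match), the indication is lost (AS keys diverge), and a NAS key change indication is sent again after the Security Mode Command already activated the second Kamf (NAS and AS keys both diverge).

```python
"""Toy model of AS/NAS key synchronization across an AMF change (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass


def kdf(key: bytes, label: str, ctx: bytes = b"") -> bytes:
    """Stand-in key derivation (HMAC-SHA256); an assumption for this illustration,
    not the 3GPP KDF."""
    return hmac.new(key, label.encode() + b"|" + ctx, hashlib.sha256).digest()


@dataclass
class Context:
    kamf: bytes  # core network key (Kamf) in use
    nh: bytes    # Next Hop value of the existing AS key chain
    ncc: int     # chaining counter that belongs to nh


def security_mode_command(ctx: Context, ul_nas_count: int) -> Context:
    """Security Mode Command run by UE and source AMF: derive the second core network
    key from the first one and the first derivation parameter (UL NAS COUNT)."""
    second_kamf = kdf(ctx.kamf, "Kamf", ul_nas_count.to_bytes(4, "big"))
    return Context(kamf=second_kamf, nh=ctx.nh, ncc=ctx.ncc)


def nas_key(kamf: bytes) -> bytes:
    return kdf(kamf, "NAS-signalling")


def kgnb_from_kamf(kamf: bytes) -> bytes:
    return kdf(kamf, "Kgnb")


def kgnb_from_nh(nh: bytes) -> bytes:
    return kdf(nh, "Kgnb-from-NH")


def as_key(kgnb: bytes) -> bytes:
    return kdf(kgnb, "RRC-protection")


def create_ue_context_request(net: Context, kamf_is_new: bool) -> dict:
    """Source AMF -> target AMF: Kamf, the UE context and, when Kamf is a newly
    derived key, the key synchronization indication (keySyncInd)."""
    return {"kamf": net.kamf, "ue_context": net, "keySyncInd": kamf_is_new}


def handover_request(req: dict) -> dict:
    """Target AMF -> target base station: with keySyncInd, derive Kgnb from the received
    Kamf and flag the AS key derivation change; otherwise derive Kgnb from NH."""
    if req["keySyncInd"]:
        return {"kgnb": kgnb_from_kamf(req["kamf"]), "as_key_change_ind": True}
    return {"kgnb": kgnb_from_nh(req["ue_context"].nh), "as_key_change_ind": False}


def ue_handover_command(ue: Context, cmd: dict) -> tuple:
    """UE side: a NAS key change indication re-derives Kamf with the carried parameter;
    an AS key change indication derives Kgnb from Kamf instead of from NH."""
    kamf = ue.kamf
    if cmd.get("nas_key_change_ind"):
        kamf = kdf(kamf, "Kamf", cmd["derivation_parameter"].to_bytes(4, "big"))
    kgnb = kgnb_from_kamf(kamf) if cmd.get("as_key_change_ind") else kgnb_from_nh(ue.nh)
    return nas_key(kamf), as_key(kgnb)


def handover_after_smc(forward_as_ind: bool, send_nas_ind: bool) -> dict:
    """Scenario: SMC already activated the second Kamf on both sides, then the UE is
    handed over to a target base station behind a target AMF."""
    initial = Context(kamf=b"\x11" * 32, nh=b"\x22" * 32, ncc=1)  # constructed values
    ue = security_mode_command(initial, ul_nas_count=7)
    net = security_mode_command(initial, ul_nas_count=7)

    req = create_ue_context_request(net, kamf_is_new=True)
    hreq = handover_request(req)
    gnb_as_key = as_key(hreq["kgnb"])   # AS key held by the target base station
    amf_nas_key = nas_key(req["kamf"])  # NAS key held by the target AMF

    # Handover Command content relayed to the UE via the source AMF and source base station
    cmd = {"as_key_change_ind": hreq["as_key_change_ind"] and forward_as_ind}
    if send_nas_ind:  # repeating the NAS indication after SMC is the error case
        cmd.update(nas_key_change_ind=True, derivation_parameter=3)
    ue_nas_key, ue_as_key = ue_handover_command(ue, cmd)
    return {"as_match": ue_as_key == gnb_as_key, "nas_match": ue_nas_key == amf_nas_key}


if __name__ == "__main__":
    print("AS indication forwarded, no NAS indication:", handover_after_smc(True, False))
    print("AS indication lost:", handover_after_smc(False, False))
    print("NAS indication repeated after SMC:", handover_after_smc(True, True))
```

The third case is the one the description warns about: after the Security Mode Command has already activated the second Kamf, sending a NAS key change indication again makes the UE derive Kamf one more time than the network did, and because Kgnb is derived from Kamf the AS key diverges as well.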
In this embodiment, a key determination method is provided. Fig. 3 is a flowchart (two) of a key determination method according to an embodiment of the present invention; as shown in Fig. 3, the flow comprises the following steps:
step S302: receiving a second core network key and a key change indication sent by the source AMF, where the key change indication comprises at least one of a first access stratum (AS) key change indication and a first non-access stratum (NAS) key change indication;
step S304: notifying the terminal to determine a key according to the key change indication, where the second core network key is used to generate the key and the key comprises at least one of an access stratum AS key and a non-access stratum NAS key.
Through the steps, the target AMF informs the terminal of the key change instruction, so that the terminal can determine the key based on the key change instruction to realize key synchronization, the problem that normal communication cannot be carried out due to the fact that the key of the terminal is not matched with the key of the network can be solved, and the effect of effectively synchronizing the key between the terminal and the network is achieved.
Alternatively, the execution subject of the above steps may be the target AMF or the like, but is not limited thereto.
Preferably, the key change indication comprises one of: a first AS key change indication; a first access stratum AS key change indication together with a first NAS key change indication; or a key synchronization indication.
It should be noted that, before the source AMF sends the key change indication to the target AMF, the terminal UE has established a data connection with the source AMF through the source base station eNB, so that the terminal and the source AMF can communicate.
In an alternative embodiment, the target AMF receives the key change indication sent by the source AMF as follows: it receives a first create terminal context request message sent by the source AMF, where the message carries the key change indication and comprises the second core network key, which the source AMF determined from a first derivation parameter and the first core network key in use; the target AMF then derives a first radio access key from the second core network key. Optionally, the first create terminal context request message further carries a radio key that is generated from the second core network key and is the access stratum AS key, and the target AMF passes the radio key to a second radio network element to instruct it to generate the access stratum AS key from the radio key. For example: the source AMF sends a first create terminal context request message (such as a Create UE Context Request message) to the target AMF carrying a new core network key Kamf (the second core network key) derived by the source AMF from the Kamf in use, and the UE context also carries a key synchronization indication. The key synchronization indication may be expressed by a dedicated field keySyncInd, or implicitly by the message carrying no key change indication while the Next Chain Count (NCC) value in the UE context is 0; if instead the source AMF places the Kamf it is currently using in the message, no key synchronization indication is carried (NCC > 0 in that case).
In an alternative embodiment, before receiving the key change indication sent by the source AMF, sending a first terminal context transfer request message to the source AMF; and receiving a first terminal context transmission response message sent by the source AMF, wherein the first terminal context transmission response message carries a key change instruction, and the first terminal context transmission response message comprises a second core network key. Optionally, the first terminal context transfer response message carries a radio key, where the radio key is an access stratum AS key, and is generated based on a second core network key, and the target AMF transfers the radio key to a second radio network element (e.g., a target base station) to instruct the second radio network element to generate the access stratum AS key based on the radio key.
In an alternative embodiment, the related information is transmitted transparently: it is placed in a container, the container is carried in a message, and the key change indication is thereby delivered to the terminal. In a target base station handover scenario or an N3IWF registration update scenario, when the received key change indication comprises a first access stratum (AS) key change indication, a second access stratum (AS) key change indication is sent to a third radio network element (such as the target base station), and the second AS key change indication instructs the third radio network element to notify the terminal to determine the AS key according to the core network key;
and in a target base station handover scenario or a source base station registration update scenario, when the received key change indication comprises a first non-access stratum (NAS) key change indication, a second NAS key change indication is sent to the terminal through the third radio network element, and the second NAS key change indication instructs the terminal to determine the NAS key according to the core network key.
Optionally, the target AMF sends a second create terminal context response message (for example a Create UE Context Response message) to the source AMF; this message carries an AS key derivation change indication (key change indicator) and a derivation parameter, and may also carry a first NAS key change indication.
Optionally, on receiving the NAS key change indication or the derivation parameter, the UE derives a new core network key Kamf from the core network key Kamf currently in use and the received derivation parameter, then derives the NAS signaling protection key from the new Kamf; on receiving the AS key derivation change indication, the UE does not derive the new radio access key Kgnb from the existing radio key information but from the new Kamf, then derives the radio connection protection key from Kgnb and sends a Handover Complete message to the target base station. The target base station and the AMF thereby enable new Kgnb-based AS security and Kamf-based NAS security with the terminal UE; since Kgnb is itself derived from Kamf, both NAS security and AS security are derived from Kamf and are therefore synchronized.
Optionally, the target base station sends a Handover Notification message to the target AMF.
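The rules above for how the target AMF recognises the key synchronization indication (an explicit keySyncInd field, or its implicit form of no key change indication with NCC equal to 0, and no indication at all when the Kamf in use is sent with NCC > 0) and for how the resulting indications reach the UE inside a container are summarised in the following Python. It is an added illustration, not code from the patent or from ZTE; the message and field representations (`CreateUeContextRequest`, `keyChangeIndicator`, `nas_key_change_ind`, `derivation_parameter`) are constructed assumptions, and the block only tracks which root each side would derive its keys from rather than performing the derivation.

```python
"""Decoding the key synchronization indication at the target AMF and relaying the
resulting indications to the UE in a transparent container (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CreateUeContextRequest:
    ncc: int                             # NCC value in the UE context
    key_sync_ind: Optional[bool] = None  # explicit keySyncInd field, or absent
    key_change_ind: bool = False         # key change indication present in the request


def key_sync_indicated(req: CreateUeContextRequest) -> bool:
    """Explicit keySyncInd takes precedence; otherwise the indication is implied by
    the absence of a key change indication together with NCC == 0."""
    if req.key_sync_ind is not None:
        return req.key_sync_ind
    return (not req.key_change_ind) and req.ncc == 0


def target_amf_plan(req: CreateUeContextRequest) -> dict:
    """Target AMF: pick the Kgnb derivation root and the AS key derivation change
    indication to place in the Handover Request."""
    if key_sync_indicated(req):
        return {"kgnb_root": "Kamf", "as_key_derivation_change": True}
    return {"kgnb_root": "NH", "as_key_derivation_change": False}


def create_ue_context_response(plan: dict, nas_key_change: bool,
                               derivation_parameter: Optional[int]) -> dict:
    """Container content the target AMF returns to the source AMF; the source AMF and
    source base station forward it unchanged inside the Handover Command."""
    if nas_key_change and derivation_parameter is None:
        raise ValueError("NAS key change indication requires a derivation parameter")
    container = {"keyChangeIndicator": plan["as_key_derivation_change"]}
    if nas_key_change:
        container["nas_key_change_ind"] = True
        container["derivation_parameter"] = derivation_parameter
    return container


def ue_decisions(container: dict) -> dict:
    """UE: re-derive Kamf only when a NAS key change indication is present; derive
    Kgnb from Kamf on keyChangeIndicator, otherwise continue the NH chain."""
    return {
        "rederive_kamf": bool(container.get("nas_key_change_ind")),
        "kgnb_root": "Kamf" if container.get("keyChangeIndicator") else "NH",
    }


def run(req: CreateUeContextRequest, nas_key_change: bool = False,
        derivation_parameter: Optional[int] = None) -> dict:
    """End-to-end: target AMF decision, container, UE decision, and whether both
    ends agree on the Kgnb root."""
    plan = target_amf_plan(req)
    container = create_ue_context_response(plan, nas_key_change, derivation_parameter)
    ue = ue_decisions(container)
    return {"network_root": plan["kgnb_root"], "ue_root": ue["kgnb_root"],
            "rederive_kamf": ue["rederive_kamf"],
            "in_sync": plan["kgnb_root"] == ue["kgnb_root"]}


if __name__ == "__main__":
    print("explicit keySyncInd:", run(CreateUeContextRequest(ncc=0, key_sync_ind=True)))
    print("implicit (no change ind, NCC=0):", run(CreateUeContextRequest(ncc=0)))
    print("Kamf in use, NCC>0:", run(CreateUeContextRequest(ncc=2)))
    print("handover without SMC:", run(CreateUeContextRequest(ncc=2, key_change_ind=True),
                                       nas_key_change=True, derivation_parameter=5))
```

The implicit encoding is the subtle part: a target AMF that only looked for the explicit field would miss the NCC == 0 case and fall back to the NH chain while the UE, told via keyChangeIndicator, derives from Kamf; `key_sync_indicated` is written so both encodings lead to the same decision.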
For a better understanding of the present invention, the following detailed description of the invention is directed to specific examples:
Fig. 4 is a key synchronization flowchart (i) in the related art; as shown in Fig. 4, it specifically includes the following:
S401: the terminal UE establishes a data connection with the source AMF through the source base station;
S402: the source base station sends a handover requirement to the source AMF, such as a Handover Required message;
S403: the source AMF sends a request for creating a terminal context to the target AMF, for example a Create UE Context Request message. The source AMF may carry the core network key Kamf in use and the UE context in the request, in which case the request does not carry a key change indication. In this embodiment, the source AMF carries a core network key Kamf (new key) derived by the source AMF based on the core network key Kamf in use, together with the UE context, and the request also carries a key change indication, such as keyAmfChangeInd;
S404: the target AMF receives the key change indication, learns that the received core network key is a new key, derives the NAS signaling protection key and a new radio access key Kgnb based on the new core network key Kamf, and then sends a handover request to the target gNB, such as a Handover Request message, carrying the new radio access key Kgnb, an NAS key change indication (such as K_AMF_change_flag) and an AS key derivation change indication (such as NSCI); based on the handover procedure, the target AMF determines that the derivation parameter of Kamf is the downlink NAS signaling COUNT value (DL NAS COUNT), and therefore also carries DL NAS COUNT in the UE context;
If the target AMF does not receive the key change indication, it does not derive a new NAS signaling protection key and derives the new radio access key Kgnb from the Next Hop (NH) rather than from the received core network key, and the handover request sent to the target gNB carries only Kgnb.
S405: the target base station derives the radio connection protection key based on Kgnb and sends a handover response to the target AMF, such as a Handover Response message, carrying the core network key derivation parameter (DL NAS COUNT), the NAS key change indication (K_AMF_change_flag) and the AS key derivation change indication (e.g. keyChangeIndicator);
S406: the target AMF sends a response for creating the terminal context to the source AMF, for example a Create UE Context Response message, carrying the core network key derivation parameter (DL NAS COUNT), the NAS key change indication (K_AMF_change_flag) and the AS key derivation change indication (keyChangeIndicator);
S407: the source AMF sends a handover command to the UE through the source base station, such as a Handover Command message, carrying the core network key derivation parameter DL NAS COUNT, the NAS key change indication K_AMF_change_flag and the AS key derivation change indication keyChangeIndicator;
S408: the UE receives the NAS key change indication, derives a new core network key Kamf from the core network key Kamf in use according to the core network key derivation parameter, and then derives the NAS signaling protection key based on Kamf; the UE receives the AS key derivation change indication, does not derive a new radio access key Kgnb based on the existing radio key information but derives a new radio access key Kgnb based on the new Kamf, then derives the radio connection protection key based on Kgnb, and sends a handover complete, such as a Handover Complete message, to the target base station;
S409: the target base station sends a handover notification, such as a Handover Notification message, to the target AMF.
At this point, the UE completes handover and uses a new key to protect communication with the target base station and the target AMF.
Fig. 5 is a key synchronization flowchart (ii) in the related art; as shown in Fig. 5, it specifically includes the following:
S501: the terminal UE establishes a data connection with the source AMF through the source base station;
S502: the source AMF decides to activate a new key set (including the NAS key and the AS key). Based on a new key Kamf derived from the core network key Kamf in use, the source AMF first activates a new NAS signaling protection key, that is, it sends a security mode command to the terminal UE, for example a Security Mode Command message, which carries a derivation parameter such as the uplink NAS signaling COUNT value (UL NAS COUNT);
S503: the terminal UE receives the Security Mode Command message carrying the derivation parameter, derives a new core network key Kamf from the core network key Kamf in use according to the derivation parameter, and then derives the NAS signaling protection key based on Kamf; the terminal UE sends a security mode complete, such as a Security Mode Complete message; the source AMF receives the security mode complete and also derives the NAS signaling protection key based on Kamf, so that activation of the new NAS signaling protection key is completed, but the source AMF has not yet triggered activation of the new AS protection key when it receives a subsequent handover request from the source gNB;
S504 to S511: the same as S402 to S409 in Fig. 4.
As can be seen from the above, if a handover occurs while the AMF is performing a key update, the UE first derives a new core network key from the Kamf in use (S503); then, because the subsequent handover command carries the NAS key change indication, the UE derives yet another core network key from that new key and DL NAS COUNT, and derives its NAS key and AS key from this second key. In the network, however, the NAS key of the target AMF and the radio key of the target gNB are both derived from the first new key, so the keys of the UE and the network do not match and normal communication cannot proceed.
To solve the problems in the related art, the present embodiments provide a method and an apparatus for synchronizing an access stratum key and a non-access stratum key, so that NAS keys and AS keys of a UE and a network can be synchronized normally in a handover process.
Fig. 6 is a flowchart (i) of key synchronization between the AS layer and the NAS layer during handover according to this embodiment; as shown in Fig. 6, the method includes the following steps:
S601 to S604: the same as steps S501 to S504 in Fig. 5;
in this embodiment, steps S603 to S604 do not necessarily carry a derivation parameter, for example when an authentication procedure is performed before step S603.
S605: the source AMF sends a request for creating a terminal context to the target AMF, for example a Create UE Context Request message, carrying the new core network key Kamf of the source AMF (which may be derived based on the core network key Kamf in use or regenerated in an authentication procedure) and the UE context; the request also carries a key synchronization indication, for example indicated by a specific field keySyncInd, or indicated by the absence of a key change indication in the message together with a Next Link Count (NCC) value of 0 in the UE context;
optionally, the source AMF may also calculate a new radio key, such as NH, based on Kamf, and send it to the target AMF in this message.
If the source AMF carries the core network key Kamf it is currently using in the request, no key synchronization indication is carried in the request (NCC > 0 in this scenario).
S606: the target AMF receives the key synchronization indication, derives a new radio key Kgnb based on the new core network key Kamf, and then sends a handover request to the target gNB, such as a Handover Request message, carrying the new radio access key Kgnb and an AS key derivation change indication (such as NSCI);
alternatively, the target AMF does not calculate Kgnb but directly sends the radio key received from the source AMF as Kgnb to the target gNB in the handover request. The target AMF may decide to update the non-access stratum key based on other conditions, for example when it decides to change the ciphering or integrity protection algorithm; that decision is unrelated to the key synchronization indication, unlike the prior art, where the indication requires the target AMF to update the access stratum key and the non-access stratum key simultaneously.
If the target AMF does not receive the key synchronization indication, it derives Kgnb from the NH in the UE context and does not carry the AS key derivation change indication in the handover request sent to the target gNB.
S607: in this embodiment, the target gNB receives the AS key derivation change indication, so the Handover Response also carries the AS key derivation change indication (such as keyChangeIndicator);
S608: the target AMF sends a response for creating the terminal context to the source AMF, for example a Create UE Context Response message, carrying the received AS key derivation change indicator;
S609: the source AMF sends a handover command to the UE through the source base station, for example a Handover Command message, carrying the received AS key derivation change indicator;
S610: the UE receives the AS key change indication, no longer derives a new radio key Kgnb based on the existing radio key information but derives a new radio key Kgnb based on the new Kamf, then derives the access stratum AS key based on Kgnb, and sends a handover complete, such as a Handover Complete message, to the target base station;
if the UE does not receive the AS key derivation change indication, Kgnb is derived based on the existing radio key information (i.e. the NH in the UE context).
At this point the target base station and the terminal UE enable new Kgnb-based AS security, so that both the NAS security and the AS security are derived from Kamf and are synchronized.
S611: the target base station sends a handover notification, such as a Handover Notification message, to the target AMF.
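The mismatch of Fig. 5 and the repair of Fig. 6 can be traced by simulating the derivation chain on both sides. The following is an added example, not code from the patent or from ZTE: the KDF is a constructed HMAC-SHA256 stand-in (not the 3GPP parameter layout), the key values and COUNT values are constructed, and only the dependency between keys and the handling of the indications (K_AMF_change_flag, NSCI, keySyncInd, NCC) is modelled.

```python
import hashlib
import hmac

# Constructed stand-in KDF for this example: HMAC-SHA256 over a label and
# length-prefixed parameters. It is NOT the 3GPP KDF parameter layout; only the
# dependency chain between keys matters here.
def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    mac = hmac.new(key, label.encode(), hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()

def derive_kamf(kamf: bytes, nas_count: int) -> bytes:
    """New core network key from the Kamf in use and a NAS COUNT (derivation parameter)."""
    return kdf(kamf, "Kamf", nas_count.to_bytes(4, "big"))

def derive_nas_keys(kamf: bytes) -> bytes:
    """NAS signaling protection key material derived from Kamf."""
    return kdf(kamf, "NAS")

def derive_kgnb(kamf: bytes) -> bytes:
    """Radio access key Kgnb derived directly from Kamf."""
    return kdf(kamf, "Kgnb")

def derive_nh(kamf: bytes, prev: bytes) -> bytes:
    """Next Hop (NH) chained from Kamf and the previous radio key."""
    return kdf(kamf, "NH", prev)

KAMF0 = b"\x11" * 32   # constructed Kamf shared by UE and source AMF before S502
UL_NAS_COUNT = 7       # constructed derivation parameter carried in the Security Mode Command
DL_NAS_COUNT = 3       # constructed derivation parameter the related-art target AMF uses

def security_mode_command():
    """S502/S503: source AMF activates a new Kamf; the UE derives the same key."""
    return derive_kamf(KAMF0, UL_NAS_COUNT), derive_kamf(KAMF0, UL_NAS_COUNT)

def ue_handover_command(kamf_ue: bytes, nh_ue, cmd: dict):
    """UE side of S408/S510/S610: honour the indications in the Handover Command."""
    if cmd.get("K_AMF_change_flag"):            # NAS key change: derive Kamf again
        kamf_ue = derive_kamf(kamf_ue, cmd["DL_NAS_COUNT"])
    nas_ue = derive_nas_keys(kamf_ue)
    # AS key derivation change indication: Kgnb from the (new) Kamf, otherwise from NH
    kgnb_ue = derive_kgnb(kamf_ue) if cmd.get("NSCI") else nh_ue
    return nas_ue, kgnb_ue

def handover_related_art() -> dict:
    """Fig. 5: handover right after the SMC, with keyAmfChangeInd forwarded (S505)."""
    kamf_net, kamf_ue = security_mode_command()
    # S506: target AMF treats the received Kamf as new, derives NAS key and Kgnb
    # from it, and signals DL NAS COUNT, K_AMF_change_flag and NSCI toward the UE.
    nas_net = derive_nas_keys(kamf_net)
    kgnb_net = derive_kgnb(kamf_net)
    cmd = {"K_AMF_change_flag": True, "DL_NAS_COUNT": DL_NAS_COUNT, "NSCI": True}
    # S510: the UE derives Kamf a second time, so every key it ends up with differs.
    nas_ue, kgnb_ue = ue_handover_command(kamf_ue, None, cmd)
    return {"nas_match": nas_net == nas_ue, "as_match": kgnb_net == kgnb_ue}

def handover_embodiment(new_kamf_activated: bool) -> dict:
    """Fig. 6: keySyncInd (NCC = 0) instead of a key change indication, or no
    indication at all (NCC > 0) when the Kamf in use is forwarded unchanged."""
    if new_kamf_activated:
        kamf_net, kamf_ue = security_mode_command()
        ctx = {"Kamf": kamf_net, "keySyncInd": True, "NCC": 0, "NH": None}
        nh_ue = None
    else:
        kamf_net = kamf_ue = KAMF0
        nh_net = derive_nh(KAMF0, derive_kgnb(KAMF0))  # existing radio key info (network)
        nh_ue = derive_nh(KAMF0, derive_kgnb(KAMF0))   # existing radio key info (UE context)
        ctx = {"Kamf": kamf_net, "keySyncInd": False, "NCC": 1, "NH": nh_net}
    nas_net = derive_nas_keys(kamf_net)  # S606: no NAS key re-derivation is triggered
    if ctx["keySyncInd"]:
        kgnb_net = derive_kgnb(ctx["Kamf"])           # S606: Kgnb from the new Kamf
        cmd = {"K_AMF_change_flag": False, "NSCI": True}
    else:
        kgnb_net = ctx["NH"]                          # S606 alternative: Kgnb from NH
        cmd = {"K_AMF_change_flag": False, "NSCI": False}
    nas_ue, kgnb_ue = ue_handover_command(kamf_ue, nh_ue, cmd)
    return {"nas_match": nas_net == nas_ue, "as_match": kgnb_net == kgnb_ue}

if __name__ == "__main__":
    print("related art:", handover_related_art())          # both False
    print("embodiment, new Kamf:", handover_embodiment(True))      # both True
    print("embodiment, Kamf unchanged:", handover_embodiment(False))  # both True
```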
Fig. 7 is a flowchart (ii) of key synchronization between the AS layer and the NAS layer during handover according to this embodiment; as shown in Fig. 7, the method includes the following steps:
S701 to S702: the same as steps S501 to S502 in Fig. 5;
S703: the source AMF sends a request for creating a terminal context to the target AMF, for example a Create UE Context Request message. In this embodiment the request carries a new core network key Kamf derived by the source AMF based on the core network key Kamf in use, the UE context, and also an NAS key change indication, for example keyAmfChangeInd (its role differs from the prior art, where it indicates both the NAS key change and the AS key change), and an AS key change indication, for example indicated by a specific field keyASChangeInd, or by a Next Link Count (NCC) value of 0 in the UE context;
optionally, the source AMF may also calculate a new radio key, such as NH, based on Kamf, and send it to the target AMF in this message.
S704: the target AMF receives the NAS key change indication and derives the non-access stratum NAS key based on the new core network key Kamf; it receives the AS key change indication and derives a new radio key Kgnb based on the new core network key Kamf rather than from the radio key information (namely NH) in the UE context; it then sends a handover request to the target gNB, for example a Handover Request message, carrying the new radio key Kgnb and an AS key change indication (for example NSCI). Based on the handover procedure, the target AMF determines that the derivation parameter of Kamf is the downlink NAS signaling COUNT value (DL NAS COUNT) and therefore also carries DL NAS COUNT in the UE context (the DL NAS COUNT can serve as the NAS key change indication); the target AMF may also carry an NAS key change indication (for example K_AMF_change_flag) in the handover request;
alternatively, the target AMF does not calculate Kgnb but directly sends the radio key received from the source AMF as Kgnb to the target gNB in the handover request.
S705: the target base station derives the access stratum AS key based on Kgnb and sends a handover response to the target AMF, such as a Handover Response message, carrying an AS key change indication (such as keyChangeIndicator) and the derivation parameter DL NAS COUNT (which can also serve as the NAS key change indication), and optionally an NAS key change indication;
S706: the target AMF sends a response for creating the terminal context to the source AMF, such as a Create UE Context Response message, carrying the AS key derivation change indicator and the derivation parameter, and optionally the NAS key change indicator;
S707: the source AMF sends a handover command to the UE through the source base station, such as a Handover Command message, carrying the AS key change indicator and the derivation parameter, and optionally the NAS key change indicator;
S708: the UE receives the NAS key change indication or the derivation parameter, derives a new core network key Kamf from the core network key Kamf in use and the derivation parameter, and then derives the non-access stratum NAS key based on Kamf; the UE receives the AS key derivation change indication, does not derive a new radio key Kgnb based on the existing radio key information but derives a new radio key Kgnb based on the new Kamf, derives the access stratum AS key based on Kgnb, and sends a handover complete, such as a Handover Complete message, to the target base station;
at this point the target base station and the AMF enable new Kgnb-based AS security and Kamf-based NAS security with the terminal UE, and since Kgnb is itself derived from Kamf, both the NAS security and the AS security are derived from Kamf and are synchronized.
S709: the target base station sends a handover notification, such as a Handover Notification message, to the target AMF.
Fig. 8 is a scheme of key synchronization between the AS layer and the NAS layer in multi-access mobility update according to this embodiment, and the method includes the following steps:
S801: the terminal UE establishes a data connection with the source AMF through wireless WIFI and a Non-3GPP Interworking Function (N3IWF), and may also establish a data connection with the source AMF through a source base station (not shown in the figure);
S802: the terminal UE moves into the coverage of the target gNB and then sends a Registration Request, such as a Registration Request message, to the target AMF through the target gNB;
S803: the target AMF sends a context transfer request to the source AMF, such as a Transfer UE Context Request message;
S804: the source AMF sends a context transfer response to the target AMF, such as a Transfer UE Context Response message. In this embodiment the message carries a new core network key Kamf derived by the source AMF based on the core network key Kamf in use, the UE context, an NAS key change indication, such as keyAmfChangeInd, and an AS key change indication, such as indicated by a specific field keyASChangeInd, which may also be indicated by a Next Link Count (NCC) value of 0 in the UE context;
optionally, the source AMF may also calculate a new radio key, such as NH, based on Kamf, and send it to the target AMF in this message.
S805: the target AMF receives the NAS key change indication, derives the non-access stratum NAS key based on the new core network key Kamf, and sends a security mode command to the terminal UE to activate the new NAS signaling protection key, for example a Security Mode Command message. Based on the context transfer procedure, the target AMF determines that the derivation parameter of Kamf is the uplink NAS signaling COUNT value (UL NAS COUNT), so the security mode command also carries the UL NAS COUNT in the UE context (the command can serve as the NAS key change indication);
S806: the UE receives the security mode command carrying the derivation parameter, derives a new core network key Kamf from the core network key Kamf in use and the derivation parameter, then derives the non-access stratum (NAS) key based on Kamf, and sends a security mode complete, such as a Security Mode Complete message, to the target AMF;
S807: the target AMF optionally sends a base station security activation to the target base station, for example an Initial UE Context message, which carries a radio key Kgnb derived based on the received core network key (Kamf in this embodiment); this step is independent of the AS key change indication.
Alternatively, the target AMF does not calculate Kgnb but directly transmits the radio key received from the source AMF as Kgnb to the target base station in the base station security activation.
S808: the target AMF receives the AS key change indication, derives a new N3IWF key Kn3IWF (namely the access stratum AS key) based on the received core network key Kamf, and then sends an N3IWF security activation (this message can serve as the AS key change indication) to the N3IWF, for example an Initial UE Context message carrying the new Kn3IWF; the N3IWF interacts with the terminal UE to enable new AS security based on Kn3IWF (the message sent by the N3IWF to the UE during this interaction can serve as the AS key change indication), so that the NAS security and the AS security are both derived from Kamf and are synchronized;
this step is not performed if the target AMF does not receive the AS key change indication.
S809: the target AMF sends a Registration Accept, such as a Registration Accept message, to the terminal UE through the target base station.
Fig. 9 is a scheme of key synchronization between the AS layer and the NAS layer in multi-access mobility update according to this embodiment, which includes the following steps:
S901: the terminal UE establishes a data connection with the source AMF through wireless WIFI and a Non-3GPP Interworking Function (N3IWF), and may also establish a data connection with the source AMF through a source base station;
S902: the source AMF decides to activate a new key and then sends a security mode command to the terminal UE through the N3IWF, for example a Security Mode Command message, which may carry a derivation parameter;
in this embodiment, step S902 does not necessarily carry the derivation parameter, for example when an authentication procedure is performed before step S902.
S903: the UE receives the security mode command carrying the derivation parameter. In one embodiment, if the UE has no new Kamf, it derives a new core network key Kamf from the core network key Kamf currently in use and the received derivation parameter. In another embodiment the UE already has a new Kamf, for example because an authentication procedure was performed before, and no derivation is performed. The UE then derives the non-access stratum (NAS) key based on Kamf and sends a security mode complete, such as a Security Mode Complete message, to the target AMF;
S904: the terminal UE moves into the coverage of the target gNB and then sends a Registration Request, such as a Registration Request message, to the target AMF through the target gNB;
S905: the target AMF sends a context transfer request to the source AMF, such as a Transfer UE Context Request message;
S906: the source AMF sends a context transfer response to the target AMF, for example a Transfer UE Context Response message, which carries the new core network key Kamf of the source AMF and the UE context, and also a key synchronization indication, for example indicated by a specific field keySyncInd, or indicated by the absence of a key change indication in the message (whose role is the same as keyAmfChangeInd in the prior art) together with a Next Link Count (NCC) value of 0 in the UE context;
optionally, the context transfer response carries an AS key change indication, such as indicated by a specific field keyASChangeInd, which may also be indicated by a Next Link Count (NCC) value of 0 in the UE context;
optionally, the source AMF may also calculate a new radio key, such as NH, based on Kamf, and send it to the target AMF in this message.
S907: the target AMF receives neither an NAS key change indication nor a key change indication and therefore does not send a security mode command; the target AMF optionally sends a base station security activation to the target base station, for example an Initial UE Context message, which carries the radio key Kgnb derived based on the received core network key (Kamf in this embodiment);
this step is independent of the AS key change indication. The target AMF may decide to update the non-access stratum key based on other conditions, such as deciding to change the ciphering or integrity protection algorithm, unlike the prior art, where the target AMF must update the access stratum key and the non-access stratum key simultaneously based on the indication.
Alternatively, the target AMF does not calculate Kgnb but directly transmits the radio key received from the source AMF as Kgnb to the target base station in the base station security activation.
S908: the target AMF receives the AS key change indication, derives a new N3IWF key Kn3IWF (namely the access stratum AS key) based on the received core network key Kamf, and then sends an N3IWF security activation (this message can serve as the AS key change indication) to the N3IWF, for example an Initial UE Context message carrying the new Kn3IWF; the N3IWF interacts with the terminal UE to enable new Kn3IWF-based AS security (the message sent by the N3IWF to the UE during this interaction can serve as the AS key change indication), so that the NAS security and the AS security are both derived from Kamf and are synchronized;
this step is not performed if the target AMF does not receive the AS key change indication.
S909: the target AMF sends a Registration Accept, such as a Registration Accept message, to the terminal UE through the target base station.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method according to the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
In this embodiment, a device for determining a key is further provided, where the device is used to implement the foregoing embodiments and preferred embodiments, and details are not repeated for what has been described. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware or a combination of software and hardware is also possible and contemplated.
Fig. 10 is a block diagram (a) of a key determining apparatus according to an embodiment of the present invention, and as shown in fig. 10, the apparatus includes: the sending module 1002, which will be described in detail below:
a sending module 1002, configured to send a second core network key and a key change instruction to a target access management function AMF, so as to instruct the target AMF to notify a terminal to determine a key according to the key change instruction;
wherein the key change indication comprises at least one of: a first Access Stratum (AS) key change instruction and a first non-access stratum (NAS) key change instruction; the second core network key is used for generating the key, and the key comprises at least one of the following keys: access stratum AS key, non-access stratum NAS key.
In an optional embodiment, before sending the key change indication to the target AMF, the apparatus is further configured to: sending a first security mode command message to the terminal to activate a second core network key; and receiving a first safety mode completion message sent by the terminal.
In an alternative embodiment, the second core network key is derived based on the first core network key, wherein the first core network key is generated prior to the second core network key.
In an alternative embodiment, the key change indication is sent to the target AMF by: receiving a first switching request sent by a first wireless network element; and sending a first creation terminal context request message to the target AMF, wherein the first creation terminal context request message carries a key change instruction, and the first creation terminal context request message comprises a second core network key.
In an optional embodiment, the first create terminal context request message carries a radio key, where the radio key is generated based on a second core network key, and the radio key is an access stratum AS key or is used to generate the access stratum AS key.
In an alternative embodiment, the key change indication is sent to the target AMF by: receiving a first terminal context transmission request sent by a target AMF; and sending a first terminal context transmission response message to the target AMF, wherein the first terminal context transmission response message carries the key change indication, and the first terminal context transmission response message comprises a second core network key.
In an optional embodiment, the first terminal context transfer response message carries a radio key, where the radio key is generated based on the second core network key, and the radio key is an access stratum AS key or is used to generate the access stratum AS key.
In an optional embodiment, when the key change indication includes a first access stratum AS key change indication, the first access stratum AS key change indication is used to instruct the target AMF to notify the terminal to determine an access stratum AS key according to the core network key; when the key change indication comprises a first non-access stratum (NAS) key change indication, the first NAS key change indication is used for indicating a target AMF to inform a terminal to determine a non-access stratum (NAS) key according to a core network key.
Fig. 11 is a block diagram (ii) of the structure of a key determination apparatus according to an embodiment of the present invention, and as shown in fig. 11, the apparatus includes: a receiving module 1102 and a determining module 1104, the apparatus is described in detail below:
a receiving module 1102, configured to receive a second core network key and a key change indication sent by a source AMF, where the key change indication includes at least one of the following: a first Access Stratum (AS) key change indication, a first non-access stratum (NAS) key change indication;
a determining module 1104, connected to the receiving module 1102 in the above, configured to notify the terminal to determine a key according to the key change indication, where the second core network key is used to generate a key, and the key includes at least one of: access stratum AS key, non-access stratum NAS key.
In an alternative embodiment, the key change indication sent by the source AMF is received by: and receiving a first creation terminal context request message sent by a source AMF, wherein the first creation terminal context request message carries a key change instruction, and the first creation terminal context request message comprises a second core network key.
In an optional embodiment, the first create terminal context request message carries a radio key, where the radio key is an access stratum AS key and is generated based on the second core network key; the target AMF passes the radio key to the second radio network element to instruct the second radio network element to generate the access stratum AS key based on the radio key.
In an optional embodiment, before receiving the key change indication sent by the source AMF, the apparatus further includes: a transmission module, configured to send a first terminal context transmission request message to a source AMF; the first processing module is configured to receive a first terminal context transmission response message sent by the source AMF, where the first terminal context transmission response message carries a key change indication, and includes a second core network key.
In an optional embodiment, the first terminal context transfer response message carries a radio key, the radio key is generated based on the second core network key, the radio key is an access stratum AS key, and the target AMF transmits the radio key to the second radio network element to instruct the second radio network element to generate the access stratum AS key based on the radio key.
In an optional embodiment, the apparatus further comprises one of: the second processing module is used for receiving the first access stratum AS key change instruction and sending a second access stratum AS key change instruction to the third wireless network element, wherein the second access stratum AS key change instruction is used for indicating the third wireless network element to inform the terminal to determine the access stratum AS key according to the core network key; and the third processing module is configured to receive the first non-access stratum NAS key change instruction, send a second non-access stratum NAS key change instruction to the terminal through a third radio network element, where the second non-access stratum NAS key change instruction is used to instruct the terminal to determine a non-access stratum NAS key according to the core network key.
It should be noted that the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in different processors in any combination.
An embodiment of the present invention further provides a storage medium having a computer program stored therein, wherein the computer program is configured to perform the steps in any of the method embodiments described above when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1: sending the second core network key and the key change indication to the target access management function AMF, so as to instruct the target AMF to notify the terminal to determine the key according to the key change indication.
Optionally, the storage medium is further arranged to store a computer program for performing the steps of:
S1: receiving a second core network key and a key change indication sent by the source AMF, where the key change indication includes at least one of: a first Access Stratum (AS) key change indication, a first non-access stratum (NAS) key change indication;
S2: notifying the terminal to determine a key according to the key change indication, where the second core network key is used to generate the key, and the key includes at least one of the following: access stratum AS key, non-access stratum NAS key.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention further provide an electronic device, comprising a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1: sending the second core network key and the key change indication to the target access management function AMF, so as to instruct the target AMF to notify the terminal to determine the key according to the key change indication.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1: receiving a second core network key and a key change indication sent by the source AMF, where the key change indication includes at least one of: a first Access Stratum (AS) key change indication, a first non-access stratum (NAS) key change indication;
S2: notifying the terminal to determine a key according to the key change indication, where the second core network key is used to generate the key, and the key includes at least one of the following: access stratum AS key, non-access stratum NAS key.
Optionally, for a specific example in this embodiment, reference may be made to the examples described in the above embodiment and optional implementation, and this embodiment is not described herein again.
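The exchange described in the steps above (the source AMF forwarding the second core network key together with the key change indication, the target AMF handing a radio key to the serving wireless network element and having the terminal determine its keys from the indication) as a runnable model. This is an added example, not code from the patent or from any 3GPP implementation. It covers both transport paths the claims describe: the terminal context transfer response used when the target AMF pulls the context (claims 1 and 8) and the create terminal context request used on handover (claims 4 and 9). HMAC-SHA256 with made-up labels stands in for the 3GPP key derivation function, the message and field names (`ContextMessage`, `run_mobility`, the `"horizontal"` label) are invented for illustration, and the keys are constructed test values. `run_mobility` reports whether the terminal's AS key matches the target RAN node's and its NAS key matches the target AMF's, which is the consistency the indication exists to preserve.

```python
"""Toy model of the AMF-to-AMF key change signalling described above.
Added example: not code from the patent or from any 3GPP implementation.
Assumed: HMAC-SHA256 with made-up labels stands in for the 3GPP KDF, the
message and field names are invented, and the keys are constructed test values."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def kdf(parent: bytes, label: str) -> bytes:
    """Assumed key derivation: HMAC-SHA256 keyed by the parent key over a label."""
    return hmac.new(parent, label.encode(), hashlib.sha256).digest()

@dataclass
class KeyChangeIndication:
    as_key_change: bool = False   # first AS key change indication
    nas_key_change: bool = False  # first NAS key change indication

@dataclass
class ContextMessage:
    """Context transfer response (registration) or create context request (handover)."""
    kind: str
    core_key: bytes               # the second core network key
    indication: KeyChangeIndication
    radio_key: Optional[bytes] = None

class Terminal:
    def __init__(self, first_core_key: bytes):
        # The second core network key is derived from the first (claim 3), so the
        # terminal can compute it locally once told to use it.
        self.second_core_key = kdf(first_core_key, "horizontal")
        self.nas_key = kdf(first_core_key, "NAS")
        self.as_key = kdf(first_core_key, "AS")

    def security_mode_command(self, second_core_key: bytes) -> str:
        """Activates the second core network key for NAS before mobility (claim 2)."""
        assert second_core_key == self.second_core_key
        self.nas_key = kdf(second_core_key, "NAS")
        return "security_mode_complete"

    def apply_indication(self, ind: KeyChangeIndication) -> None:
        """Re-derive only the layers the indication flags, from the second key."""
        if ind.as_key_change:
            self.as_key = kdf(self.second_core_key, "AS")
        if ind.nas_key_change:
            self.nas_key = kdf(self.second_core_key, "NAS")

class RanNode:
    """Wireless network element serving the terminal after mobility."""
    def __init__(self, as_key: bytes):
        self.as_key = as_key  # assumed: keeps the old AS key unless given a radio key

    def install_radio_key(self, radio_key: bytes) -> None:
        self.as_key = radio_key  # claims 5/10: radio key used directly as the AS key

    def relay_indication(self, ue: Terminal, ind: KeyChangeIndication) -> None:
        ue.apply_indication(ind)  # second AS/NAS key change indication (claim 12)

class SourceAmf:
    def __init__(self, first_core_key: bytes):
        self.second_core_key = kdf(first_core_key, "horizontal")

    def build_context(self, kind: str, ind: KeyChangeIndication) -> ContextMessage:
        """Claims 1/4: second key and indication travel together, plus a radio key."""
        radio_key = kdf(self.second_core_key, "AS") if ind.as_key_change else None
        return ContextMessage(kind, self.second_core_key, ind, radio_key)

class TargetAmf:
    def __init__(self, ran: RanNode):
        self.ran = ran
        self.nas_key: Optional[bytes] = None

    def receive(self, msg: ContextMessage, ue: Terminal) -> None:
        """Claims 8-12: adopt the second key, pass radio key and indication on."""
        self.nas_key = kdf(msg.core_key, "NAS")
        if msg.radio_key is not None:
            self.ran.install_radio_key(msg.radio_key)
        self.ran.relay_indication(ue, msg.indication)

def run_mobility(kind: str, ind: KeyChangeIndication, smc_before: bool) -> dict:
    """Run one mobility event and report whether the keys stayed consistent."""
    k1 = b"\x11" * 32  # constructed first core network key
    ue, source = Terminal(k1), SourceAmf(k1)
    if smc_before:  # optional security mode command from the source AMF
        assert ue.security_mode_command(source.second_core_key) == "security_mode_complete"
    target = TargetAmf(RanNode(kdf(k1, "AS")))
    if kind == "handover":   # source pushes a create context request (claim 4)
        msg = source.build_context("create_context_request", ind)
    else:                    # target pulls a context transfer response (claim 8)
        msg = source.build_context("context_transfer_response", ind)
    target.receive(msg, ue)
    return {"as_in_sync": ue.as_key == target.ran.as_key,
            "nas_in_sync": ue.nas_key == target.nas_key,
            "as_rotated": ue.as_key != kdf(k1, "AS")}
```

Calling `run_mobility("handover", KeyChangeIndication(), False)` returns `nas_in_sync` as `False`: the target AMF already derives NAS keys from the second core network key while the terminal, never told to switch, still uses the first. With `KeyChangeIndication(True, True)` both layers rotate and stay consistent, and when the security mode command has already activated the second key at the terminal, an AS-only indication is enough to rotate the radio key without touching NAS.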
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general-purpose computing device. They may be centralized in a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by a computing device, so that they can be stored in a memory device and executed by a computing device; in some cases the steps shown or described may be executed in an order different from the one given, or implemented separately as individual integrated circuit modules, or multiple modules or steps may be implemented as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the principle of the present invention should be included in the protection scope of the present invention.

Claims (16)

1. A method for determining a key, comprising:
sending a second core network key and a key change indication to a target Access Management Function (AMF) to instruct the target AMF to inform a terminal to determine a key according to the key change indication;
wherein the key change indication comprises at least one of: a first Access Stratum (AS) key change indication and a first non-access stratum (NAS) key change indication;
the second core network key is used for generating the key;
the key includes at least one of: an Access Stratum (AS) key and a non-access stratum (NAS) key;
wherein sending the key change indication to the target AMF comprises: receiving a first terminal context transmission request sent by the target AMF; and sending a first terminal context transmission response message to the target AMF, wherein the first terminal context transmission response message carries the key change indication, and the first terminal context transmission response message comprises the second core network key.
2. The method of claim 1, wherein prior to sending the key change indication to the target AMF, the method further comprises:
sending a first security mode command message to the terminal to activate the second core network key;
and receiving a first security mode completion message sent by the terminal.
3. The method of claim 2, wherein the second core network key is derived based on a first core network key, wherein the first core network key is generated prior to the second core network key.
4. The method of any of claims 1-3, wherein sending the key change indication to the target AMF comprises:
receiving a first switching request sent by a first wireless network element;
and sending a first creation terminal context request message to the target AMF, wherein the first creation terminal context request message carries the key change indication, and the first creation terminal context request message comprises the second core network key.
5. The method of claim 4, wherein the first create terminal context request message carries a radio key, wherein the radio key is generated based on the second core network key, and wherein the radio key is an Access Stratum (AS) key or is used for generating an AS key.
6. The method of claim 1, wherein the first terminal context transfer response message carries a radio key, and wherein the radio key is generated based on the second core network key, and wherein the radio key is an Access Stratum (AS) key or is used for generating an AS key.
7. The method of claim 1,
when the key change indication comprises a first Access Stratum (AS) key change indication, the first AS key change indication is used for indicating the target AMF to inform the terminal to determine an AS key according to a core network key;
when the key change indication comprises a first non-access stratum (NAS) key change indication, the first NAS key change indication is used for indicating the target AMF to inform the terminal to determine a non-access stratum (NAS) key according to a core network key.
8. A method for determining a key, comprising:
receiving a second core network key and a key change indication sent by a source AMF, wherein the key change indication comprises at least one of the following: a first Access Stratum (AS) key change indication, a first non-access stratum (NAS) key change indication;
notifying a terminal to determine a key according to the key change indication, wherein the second core network key is used for generating the key, and the key comprises at least one of the following: an Access Stratum (AS) key and a non-access stratum (NAS) key;
wherein, prior to receiving the key change indication sent by the source AMF, the method further comprises:
sending a first terminal context transmission request message to the source AMF;
and receiving a first terminal context transmission response message sent by the source AMF, wherein the first terminal context transmission response message carries the key change indication, and the first terminal context transmission response message comprises the second core network key.
9. The method of claim 8, wherein receiving the key change indication sent by the source AMF comprises:
and receiving a first creation terminal context request message sent by the source AMF, wherein the first creation terminal context request message carries the key change indication, and the first creation terminal context request message comprises the second core network key.
10. The method of claim 9,
the first creation terminal context request message carries a radio key, wherein the radio key is generated based on the second core network key;
and transmitting the radio key to a second wireless network element to indicate the second wireless network element to use the radio key as an Access Stratum (AS) key, or to generate the AS key based on the radio key.
11. The method of claim 8,
the first terminal context transmission response message carries a radio key, wherein the radio key is generated based on the second core network key;
and transmitting the radio key to a second wireless network element to indicate the second wireless network element to use the radio key as an Access Stratum (AS) key, or to generate the AS key based on the radio key.
12. The method of claim 8, further comprising one of:
when the received key change indication comprises a first Access Stratum (AS) key change indication, sending a second AS key change indication to a third wireless network element, wherein the second AS key change indication is used for indicating the third wireless network element to inform the terminal to determine an AS key according to a core network key;
and when the received key change indication comprises a first non-access stratum (NAS) key change indication, sending a second NAS key change indication to the terminal through a third wireless network element, wherein the second NAS key change indication is used for indicating the terminal to determine a NAS key according to a core network key.
13. An apparatus for determining a key, comprising:
a sending module, configured to send a second core network key and a key change indication to a target access management function (AMF), so as to instruct the target AMF to notify a terminal to determine a key according to the key change indication;
wherein the key change indication comprises at least one of: a first Access Stratum (AS) key change indication, a first non-access stratum (NAS) key change indication;
the second core network key is used for generating the key;
the key includes at least one of: an Access Stratum (AS) key and a non-access stratum (NAS) key;
the sending module is further configured to receive a first terminal context transmission request sent by the target AMF; and sending a first terminal context transmission response message to the target AMF, wherein the first terminal context transmission response message carries the key change indication, and the first terminal context transmission response message comprises the second core network key.
14. An apparatus for determining a key, comprising:
a receiving module, configured to receive a second core network key and a key change indication sent by a source AMF, where the key change indication includes at least one of the following: a first Access Stratum (AS) key change indication, a first non-access stratum (NAS) key change indication;
a determining module, configured to notify a terminal to determine a key according to the key change indication, where the second core network key is used to generate the key, and the key includes at least one of: an Access Stratum (AS) key and a non-access stratum (NAS) key;
the receiving module is further configured to send a first terminal context transmission request message to the source AMF; and receiving a first terminal context transmission response message sent by the source AMF, wherein the first terminal context transmission response message carries the key change indication, and the first terminal context transmission response message comprises the second core network key.
15. A computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to carry out the method of any one of claims 1 to 7 when executed, or wherein the computer program is configured to carry out the method of any one of claims 8 to 12 when executed.
16. An electronic apparatus comprising a memory and a processor, wherein the memory has a computer program stored therein, and the processor is configured to run the computer program to perform the method of any one of claims 1 to 7, or the processor is configured to run the computer program to perform the method of any one of claims 8 to 12.
CN201810910259.8A 2018-08-10 2018-08-10 Key determination method and device, storage medium and electronic device Active CN110830997B (en)

Publications (2)

Publication Number Publication Date
CN110830997A CN110830997A (en) 2020-02-21
CN110830997B true CN110830997B (en) 2022-08-19

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3910873A1 (en) 2020-05-15 2021-11-17 Kamstrup A/S Key-management for advanced metering infrastructure

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016140403A1 (en) * 2015-03-05 2016-09-09 엘지전자(주) Method and device for rrc connection of terminal in wireless communication system
CN106134231A (en) * 2015-02-28 2016-11-16 华为技术有限公司 Key generation method, equipment and system
WO2018138347A1 (en) * 2017-01-30 2018-08-02 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5g during connected mode

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Security configuration in intra-system handover; HTC, Google Inc.; 3GPP TSG-RAN2 Meeting NR Adhoc 1807; 2018-07-06; Sections 2-3 of the main text *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant