CN111464324A - Secure communication method, device and system - Google Patents


Info

Publication number
CN111464324A
Authority
CN
China
Prior art keywords
network
message
entity
user equipment
network slice
Prior art date
Legal status
Pending
Application number
CN201910049372.6A
Other languages
Chinese (zh)
Inventor
余万涛
谢振华
游世林
彭锦
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN201910049372.6A
Priority to PCT/CN2019/124073 (WO2020147457A1)
Publication of CN111464324A

Classifications

    • H04L 9/40 Network security protocols (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 12/06 Answer-back mechanisms or circuits (under H04L 12/00 Data switching networks; H04L 12/02 Details)
    • H04L 1/18 Automatic repetition systems, e.g. Van Duuren systems (under H04L 1/00 Arrangements for detecting or preventing errors in the information received; H04L 1/12 by using a return channel; H04L 1/16 in which the return channel carries supervisory signals, e.g. repetition request signals)
    • H04L 63/08 Network architectures or network communication protocols for network security, for authentication of entities (under H04L 63/00)

Abstract

The embodiments of the invention disclose a secure communication method, device and system. The secure communication method comprises: sending a first message to a first network slice entity, with which the user equipment wants to register and access, through a first network entity of the network where that network slice entity is located; and receiving a fourth message from the first network slice entity. Because the embodiments do not need to carry out a complete authentication process again, they reduce the time taken to register and access and reduce the waste of network resources.

Description

Secure communication method, device and system
Technical Field
Embodiments of the present invention relate to, but not limited to, mobile communication security technologies, and in particular, to a method, an apparatus, and a system for secure communication.
Background
The 5G network architecture introduces new Information Technology (IT) techniques such as Network Function Virtualization (NFV). In 3G and 4G networks, the protection of functional network elements relies heavily on the secure isolation of physical devices. In a 5G network, because NFV is deployed, some functional network elements are deployed on cloud infrastructure as virtual functional network elements. A virtual core network constructed according to network service requirements is called a network slice; one network slice constitutes one virtual core network and provides mobile network access service to a specific group of user terminals (UEs). A typical network slice includes a set of virtualized core network functions: a slice control plane unit, mainly responsible for slice mobility, session management and authentication-related functions; a slice user plane unit, which mainly provides slice user resources to users; a slice policy control unit, responsible for user policy functions; and a slice charging unit, responsible for charging users. The functionality of a network slice is determined by the operator according to requirements and operator policy. For example, some network slices may include a dedicated forwarding plane in addition to control plane functionality, while others may include only some basic control plane functions and share the remaining core network functions with other network slices. Network slices may be created, modified or deleted on demand, and one UE may receive services from different network slices at the same time.
In a 5G network, to meet the service requirements of different types of users, there are multiple different network slices, and users access the network and are authenticated by it. A user who wants to use a service provided by the network needs to access one or more network slices and be authenticated by those slices. An Access Management Function (AMF) and/or a Security Anchor Function (SEAF) is provided in each network slice to manage the slice's security-related processes, such as managing security context. Different network slices are isolated from each other, so the communication of one slice cannot affect the service provided by other slices.
Since a user equipment (UE) may access one or more network slices after accessing the 5G network, the UE may hold several security contexts, one for the network and one for each of those network slices. In the current 5G system, when a UE that already holds one or more security contexts registers to access a new serving network or a new network slice, a new security context must be established and the old security context previously used on the network side is discarded. Because the new registration procedure makes no use of the old security context, this wastes network resources and also lengthens the time the UE needs to register for access. How an old security context can be reused when the UE registers to access a new network slice, so as to shorten registration time and avoid wasting network resources, is therefore a problem to be solved.
Disclosure of Invention
The embodiment of the invention provides a secure communication method, a device and a system, which can reduce the time for registering and accessing and reduce the waste of network resources.
The embodiment of the invention provides a secure communication method, which comprises the following steps:
sending a first message to a first network slice entity to be registered and accessed, through a registered and accessed first network entity of the network where the first network slice entity is located;
receiving a fourth message from the first network slice entity.
The embodiment of the invention provides a secure communication method, which comprises the following steps:
receiving a first message of user equipment; wherein the first message comprises: an identifier of a first network slice entity to be registered and accessed; forwarding the first message to the first network slice entity according to the identity of the first network slice entity.
The embodiment of the invention provides a secure communication method, which comprises the following steps:
receiving a first message sent to a first network slice entity by user equipment through the first network entity of a network where the first network slice entity to be registered and accessed is located;
and acquiring a first network slice security context established by the user equipment and the first network slice entity, and sending a fourth message to the user equipment.
The embodiment of the invention provides a secure communication method, which comprises the following steps:
receiving a seventh message of the first network slice entity to be registered and accessed; wherein the seventh message comprises a fifth message or a second message;
sending an eighth message to the first network slice entity; wherein the eighth message comprises a sixth message or a third message, and the eighth message comprises a second network slice security context established by the user equipment and a second network slice entity which is registered and accessed.
The embodiment of the invention provides a secure communication method, which comprises the following steps:
receiving a second message of a first network entity of a network where a first network slice entity to be registered and accessed is located; wherein the second message comprises an identification of the first network slice entity;
sending a third message to the first network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment.
The embodiment of the invention provides a secure communication method, which comprises the following steps:
sending a first message to a second network entity to be registered and accessed; wherein the first message comprises: temporary identity information of the user equipment in a registered and accessed first network slice entity, temporary identity information of the user equipment in the registered and accessed first network entity, and a message authentication code (MAC) calculated based on the first network slice security context currently in the activated state;
and acquiring a second network security context established with the second network entity, and receiving a fourth message of the second network entity.
The embodiment of the invention provides a secure communication method, which comprises the following steps:
receiving a first message of user equipment; wherein the first message comprises: temporary identity information of the user equipment in a registered and accessed second network slice entity, temporary identity information of the user equipment in the registered and accessed first network entity, and a message authentication code (MAC) calculated based on the first network slice security context currently in the activated state;
acquiring verification indication information or authentication indication information of user equipment, and acquiring a first network security context established between the user equipment and the first network entity;
and acquiring a second network security context established with the user equipment, and sending a fourth message to the user equipment.
The embodiment of the invention provides a secure communication method, which comprises the following steps:
receiving a second message of a second network entity to be registered and accessed;
sending a third message to the second network entity; wherein the third message includes verification indication information or authentication indication information of the user equipment; and revoking the registration of the user equipment on the registered and accessed first network slice entity.
The embodiment of the invention provides a secure communication method, which comprises the following steps:
receiving a fifth message of a second network entity to be registered and accessed; wherein the fifth message includes verification indication information or authentication indication information of the user equipment;
sending a sixth message to the second network entity; wherein the sixth message comprises the established first network security context of the user equipment and the registered and accessed first network entity.
An embodiment of the present invention provides a secure communication apparatus, including a processor and a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed by the processor, any one of the secure communication methods is implemented.
Embodiments of the present invention provide a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of any one of the above-mentioned secure communication methods.
The embodiment of the invention comprises the following steps: sending a first message to a first network slice entity to be registered and accessed through a registered and accessed first network entity; receiving a fourth message of the first network slice entity. The embodiment of the invention does not need to carry out a complete authentication process again, reduces the time for registering and accessing and reduces the waste of network resources.
The embodiment of the invention provides a secure communication system, which comprises:
the user equipment is used for sending a first message to a first network slice entity through the first network entity of the network where the first network slice entity to be registered and accessed is located; receiving a fourth message of the first network slice entity;
a first network entity, configured to receive a first message of a user equipment; wherein the first message comprises: an identifier of a first network slice entity to be registered and accessed; forwarding the first message to the first network slice entity according to the identity of the first network slice entity;
the first network slice entity is used for receiving a first message sent by the user equipment through the first network entity; and acquiring a first network slice security context established by the user equipment and the first network slice entity, and sending a fourth message to the user equipment.
The embodiment of the invention provides a secure communication system, which comprises:
the user equipment is used for sending a first message to a second network entity to be registered and accessed; wherein the first message comprises: temporary identity information of the user equipment in a registered and accessed first network slice entity, temporary identity information of the user equipment in the registered and accessed first network entity, and a message authentication code (MAC) calculated based on the first network slice security context currently in the activated state; acquiring a second network security context established with the second network entity, and receiving a fourth message of the second network entity;
the second network entity is used for receiving a first message of the user equipment; acquiring verification indication information of user equipment, and acquiring a first network security context established between the user equipment and the first network entity; and acquiring a second network security context established with the user equipment, and sending a fourth message to the user equipment.
Additional features and advantages of embodiments of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of embodiments of the invention. The objectives and other advantages of the embodiments of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the examples of the invention serve to explain the principles of the embodiments of the invention and not to limit the embodiments of the invention.
Fig. 1 is a flowchart of a secure communication method according to an embodiment of the present invention;
fig. 2 is a flowchart of a secure communication method according to another embodiment of the present invention;
fig. 3 is a flowchart of a secure communication method according to another embodiment of the present invention;
fig. 4 is a flowchart of a secure communication method according to another embodiment of the present invention;
fig. 5 is a flowchart of a secure communication method according to another embodiment of the present invention;
fig. 6 is a flowchart of a secure communication method according to another embodiment of the present invention;
fig. 7 is a flowchart of a secure communication method according to another embodiment of the present invention;
fig. 8 is a flowchart of a secure communication method according to another embodiment of the present invention;
fig. 9 is a flowchart of a secure communication method according to another embodiment of the present invention;
fig. 10 is a flowchart of a secure communication method proposed by example 1 of an embodiment of the present invention;
fig. 11 is a flowchart of a secure communication method proposed by example 2 of an embodiment of the present invention;
fig. 12 is a flowchart of a secure communication method proposed by example 3 of an embodiment of the present invention;
fig. 13 is a flowchart of a secure communication method proposed in example 4 of an embodiment of the present invention;
fig. 14 is a flowchart of a secure communication method proposed by example 5 of an embodiment of the present invention;
fig. 15 is a flowchart of a secure communication method proposed by example 6 of an embodiment of the present invention;
fig. 16 is a flowchart of a secure communication method proposed in example 7 of an embodiment of the present invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments of the present invention may be arbitrarily combined with each other without conflict.
The steps illustrated in the flowcharts of the figures may be performed in a computer system, for example as a set of computer-executable instructions. Also, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that shown here.
In embodiments of the present invention, a user equipment may support one or more security contexts, corresponding to one or more networks and/or network slices, respectively.
In embodiments of the present invention, only one security context is allowed to be active at a time.
Referring to fig. 1, an embodiment of the present invention provides a secure communication method, including:
step 100, a first message is sent to a first network slice entity through a first network entity of a network where the first network slice entity to be registered and accessed is located.
In this embodiment of the present invention, sending the first message includes any one of:
directly sending the first message;
sending the first message, verification indication information of the user equipment and a message authentication code MAC calculated based on a first network security context or a second network slice security context in an activated state;
and sending the first message and the verification indication information of the user equipment.
In this embodiment of the present invention, the first message includes any one of:
the temporary identity information of the user equipment in the first network entity, the identifier of the first network slice entity and a Message Authentication Code (MAC) calculated based on the first network security context currently in an activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on a first network security context in an activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the security context of the second network slice currently in an activated state;
the temporary identity information of the user equipment in the registered and accessed second network slice entity, the identification of the first network slice entity and the message authentication code MAC calculated based on the first network security context in the activated state.
The temporary identity information is a 5G Globally Unique Temporary UE Identity (5G-GUTI), and the identity of the first network slice entity includes Network Slice Selection Assistance Information (NSSAI).
Step 101, receiving a fourth message of the first network slice entity.
In another embodiment of the present invention, between step 100 and step 101, further comprising:
step 102, obtaining a first network slice security context established with the first network slice entity.
Specifically, step 102 includes any one of:
performing authentication and Non-Access Stratum Security Mode Command (NAS SMC) procedures with the first network slice entity, and establishing a first network slice security context with the first network slice entity;
and horizontally dispersing (deriving) the key in the second network slice security context, established with the registered and accessed second network slice entity, to obtain the first network slice security context.
In this embodiment of the present invention, the first message is a registration request message, and the fourth message is a registration confirmation message.
In the embodiment of the invention, the first network entity, the first network slice entity and the second network slice entity belong to the same network;
or the first network entity and the first network slice entity belong to the same network, and the first network slice entity and the second network slice entity belong to different networks.
Referring to fig. 2, another embodiment of the present invention provides a secure communication method, including:
step 200, receiving a first message of user equipment; wherein the first message comprises: an identifier of a first network slice entity to be registered and accessed; forwarding the first message to the first network slice entity according to the identity of the first network slice entity.
In this embodiment of the present invention, forwarding the first message to the first network slice entity according to the identifier of the first network slice entity includes any one of:
forwarding the first message directly to the first network slice entity according to the identity of the first network slice entity;
acquiring verification indication information or authentication indication information of user equipment, and sending the first message, the verification indication information or the authentication indication information of the user equipment and a message authentication code MAC obtained by calculation based on a first network security context or a second network slice security context in an activated state to a first network slice entity according to an identifier of the first network slice entity;
when the first message does not contain the temporary identity information of the user equipment in the second network entity, performing authentication and NAS SMC procedures with the user equipment, and establishing a first network security context with the user equipment; and transmitting the first message and the authentication indication information of the user equipment to the first network slice entity.
In this embodiment of the present invention, the first message further includes any one of:
the temporary identity information of the user equipment in the first network entity and a message authentication code MAC calculated based on the first network security context in the activated state at present;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity and a message authentication code MAC calculated based on the first network security context currently in the activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity and a message authentication code MAC calculated based on the security context of the second network slice in the activated state;
the temporary identity information of the user equipment in the registered and accessed second network slice entity and a message authentication code MAC calculated based on the first network security context in the activated state.
In another embodiment of the present invention, the method further comprises:
step 201, receiving a second message from the first network slice entity, and sending a third message to the first network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment; and deregistering the user equipment in the first network entity.
In this embodiment of the present invention, the first message is a registration request message, the second message is a security context migration request message, and the third message is a security context migration response message.
Referring to fig. 3, another embodiment of the present invention provides a secure communication method, including:
step 300, receiving a first message sent to a first network slice entity by a user equipment through the first network entity of a network where the first network slice entity to be registered and accessed is located.
In the embodiment of the present invention, receiving the first message includes any one of:
directly receiving a first message;
receiving a first message, verification indication information or authentication indication information of user equipment, and a MAC calculated based on a first network security context or a second network slice security context which is in an activated state at present;
and receiving the first message and the authentication indication information of the user equipment.
In this embodiment of the present invention, the first message includes any one of:
the temporary identity information of the user equipment in the first network entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the first network security context in the activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on a first network security context in an activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the security context of the second network slice currently in an activated state;
the identity temporary information of the user equipment in the registered and accessed second network slice entity, the identification of the first network slice entity and the message authentication code MAC calculated based on the first network security context in the activated state.
Step 301, obtaining a first network slice security context established by the user equipment and the first network slice entity, and sending a fourth message to the user equipment.
In an embodiment of the present invention, acquiring a first network slice security context established by a user equipment and a first network slice entity includes at least one of:
performing authentication and NAS SMC procedures with the user equipment, and establishing a first network slice security context with the user equipment;
acquiring a second network slice security context established by the user equipment and a registered and accessed second network slice entity; when the verification indication information of the user equipment indicates that the user equipment is not verified, or the authentication indication information of the user equipment indicates that the user equipment is not authenticated, performing authentication and NAS SMC procedures with the user equipment, and establishing a first network slice security context with the user equipment;
acquiring a second network slice security context established by the user equipment and a registered and accessed second network slice entity; and when the verification indication information of the user equipment indicates that the user equipment passes the verification, or the authentication indication information of the user equipment indicates that the user equipment passes the authentication, performing horizontal dispersion (derivation) on the key in the second network slice security context to obtain a first network slice security context of the user equipment.
Wherein, the obtaining of the second network slice security context established by the user equipment and the registered and accessed second network slice entity includes any one of:
sending a second message to the second network slice entity; receiving a third message of the second network slice entity; wherein the third message comprises a second network slice security context established by the user equipment with the second network slice entity;
sending a fifth message, an identifier of the first network slice entity and verification indication information or authentication indication information of the user equipment to the second network slice entity; receiving a sixth message of the second network slice entity; wherein the sixth message comprises a second network slice security context established by the user equipment with the second network slice entity.
The fifth message is a security context migration request message, and the sixth message is a security context migration response message.
In another embodiment of the present invention, after receiving a first message sent by a user equipment through a first network entity which is registered and accessed, the method further includes:
and acquiring verification indication information or authentication indication information of the user equipment.
Wherein, the obtaining of the verification indication information or the authentication indication information of the user equipment includes any one of:
sending a second message to the first network entity; receiving a third message of the first network entity; wherein the third message includes verification indication information or authentication indication information of the user equipment;
sending a second message to the second network slice entity; receiving a third message of the second network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment;
sending a fifth message to the second network slice entity; receiving a sixth message of the second network slice entity; wherein the sixth message comprises verification indication information or authentication indication information of the user equipment;
sending a fifth message to the first network entity; receiving a sixth message of the first network entity; wherein the sixth message includes authentication indication information of the user equipment.
In the embodiment of the present invention, the first message is a registration request message, and the fourth message is a registration confirmation message.
Referring to fig. 4, another embodiment of the present invention provides a secure communication method, including:
step 400, receiving a seventh message of the first network slice entity to be registered and accessed; wherein the seventh message comprises a fifth message or a second message.
In this embodiment of the present invention, receiving the seventh message of the first network slice entity to be registered and accessed includes any one of the following:
receiving a seventh message of the first network slice entity to be registered and accessed;
and receiving a seventh message of a first network slice entity to be registered and accessed, the identification of the first network slice entity and verification indication information or authentication indication information of the user equipment.
In this embodiment of the present invention, the fifth message is a security context migration request message.
Step 401, sending an eighth message to the first network slice entity; wherein the eighth message comprises a sixth message or a third message, and the eighth message comprises a second network slice security context established by the user equipment and a second network slice entity which is registered and accessed.
In this embodiment of the present invention, the sixth message is a security context migration response message.
In another embodiment of the present invention, the eighth message further includes verification indication information or authentication indication information of the user equipment.
In another embodiment of the present invention, the method further comprises:
deregistering the user device with the second network slice entity.
Referring to fig. 5, another embodiment of the present invention provides a secure communication method, including:
step 500, receiving a second message of a first network entity of a network where a first network slice entity to be registered and accessed is located; wherein the second message comprises an identification of the first network slice entity.
Step 501, sending a third message to the first network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment.
In another embodiment of the present invention, the method further comprises: deregistering the user equipment locally, that is, revoking the registration of the user equipment on the entity performing the method.
Referring to fig. 6, another embodiment of the present invention provides a secure communication method, including:
step 600, sending a first message to a second network entity to be registered and accessed; wherein the first message comprises: temporary identity information of the user equipment in a registered and accessed first network slice entity, temporary identity information of the user equipment in a registered and accessed first network entity, and a message authentication code MAC calculated based on the first network slice security context in an activated state.
Step 601, obtaining a second network security context established with the second network entity, and receiving a fourth message of the second network entity.
In this embodiment of the present invention, acquiring the second network security context established with the second network entity includes:
performing authentication and NAS SMC procedures with the second network entity, and establishing the second network security context with the second network entity.
Referring to fig. 7, another embodiment of the present invention provides a secure communication method, including:
step 700, receiving a first message of the user equipment; wherein the first message comprises: temporary identity information of the user equipment in a registered and accessed second network slice entity, temporary identity information of the user equipment in a registered and accessed first network entity, and a message authentication code MAC calculated based on the first network slice security context in an activated state.
Step 701, obtaining verification indication information or authentication indication information of the user equipment, and obtaining a first network security context established between the user equipment and the first network entity.
In the embodiment of the present invention, acquiring the verification indication information or the authentication indication information of the user equipment includes:
sending a second message to the second network slice entity;
receiving a third message of the second network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment.
In this embodiment of the present invention, acquiring the first network security context established by the user equipment and the first network entity includes:
sending a fifth message to the first network entity; wherein the fifth message includes verification indication information or authentication indication information of the user equipment;
receiving a sixth message of the first network entity; wherein the sixth message includes the first network security context.
Step 702, obtaining a second network security context established with the user equipment, and sending a fourth message to the user equipment.
In an embodiment of the present invention, acquiring the second network security context established with the user equipment includes at least one of:
when the verification indication information of the user equipment indicates that the user equipment passes verification, or the authentication indication information of the user equipment indicates that the user equipment passes authentication, performing horizontal dispersion (horizontal key derivation) on the key of the first network security context to obtain a second network security context;
and when the verification indication information of the user equipment indicates that the user equipment is not verified, or the authentication indication information of the user equipment indicates that the user equipment is not authenticated, performing authentication and NAS SMC (Non-Access Stratum Security Mode Command) procedures with the user equipment, and establishing the second network security context with the user equipment.
Referring to fig. 8, another embodiment of the present invention provides a secure communication method, including:
step 800, a second message of a second network entity to be registered and accessed is received.
Step 801, sending a third message to the second network entity; wherein the third message includes verification indication information or authentication indication information of the user equipment; and revoking the registration of the user equipment on the registered and accessed first network slice entity.
Referring to fig. 9, another embodiment of the present invention provides a secure communication method, including:
step 900, receiving a fifth message of the second network entity to be registered and accessed; wherein the fifth message includes verification indication information or authentication indication information of the user equipment.
Step 901, sending a sixth message to the second network entity; wherein the sixth message comprises the established first network security context of the user equipment and the registered and accessed first network entity.
The following describes the implementation process of the method according to the embodiment of the present invention by using specific examples, and the examples listed are not intended to limit the scope of the embodiment of the present invention.
Example 1
User Equipment (UE) has registered and accessed to the first Network, for example, the UE has registered in a Network AMF1 (i.e., a first Network entity) of the first Network, and at this time, the UE and the Network AMF1 of the first Network establish a first Network security context. Fig. 10 is a flowchart of a secure communication method provided in example 1 of an embodiment of the present invention when a UE is ready to register and access a first network slice in a first network, the method including:
step 1001, the UE sends a registration request message to the Network AMF1 of the first Network, where the registration request message may include the 5G-GUTI of the Network AMF1 of the first Network, the NSSAI of the Slice AMF1 of the first Network Slice (i.e., the first Network Slice entity), and a message authentication code MAC calculated based on the first Network security context currently in an active state;
step 1002, the Network AMF1 further sends a registration request message to a Slice AMF1 of the first Network Slice in the first Network according to NSSAI;
step 1003, the Slice AMF1 sends a security context migration Request (Context Transfer Request) message to the Network AMF1;
step 1004, the Network AMF1 sends a security context migration Response (Context Transfer Response) message to the Slice AMF1. The security context migration response message may include authentication indication information of the UE.
Step 1005, the Network AMF1 cancels the registration of the UE on the Network AMF 1;
at step 1006, the Slice AMF1 performs authentication and NAS SMC procedures with the UE. Upon completion of the authentication and NAS SMC procedures, Slice AMF1 and the UE establish a first network Slice security context.
Step 1007, Slice AMF1 sends Registration acknowledgement message Registration Accept to UE;
after the UE completes registration in the Slice AMF1 of the first Network Slice in the first Network, if the UE attempts to access the first Network and attaches to the Network AMF1 of the first Network, the Network AMF1 will deny the UE access.
Example 2
The UE has already registered in the first Network and the first Network Slice of the first Network, for example, the UE has already registered in the Network AMF1 in the first Network, at which time, the UE and the Network AMF1 in the first Network establish a first Network security context, and in addition, the UE has also already registered in the first Network Slice Slice AMF1 in the first Network, at which time, the UE and the Slice AMF1 in the first Network Slice establish a first Network Slice security context. When the first network security context of the UE is in an active state and the UE is ready to register and access a second network slice in the first network, fig. 11 is a flowchart of a secure communication method provided by example 2 of the embodiment of the present invention, where the method includes:
step 1101, the UE sends a registration request message to the Network AMF1 of the first Network, where the registration request message may include the 5G-GUTI of the Network AMF1 of the first Network, the 5G-GUTI of the Slice AMF1 of the first Network Slice, the NSSAI of the Slice AMF2 of the second Network Slice (i.e., the second Network Slice entity), and a message authentication code MAC calculated based on the first Network security context;
step 1102, the Network AMF1 further sends a registration request message to a Slice AMF2 of the second Network Slice in the first Network according to NSSAI;
step 1103, the Slice AMF2 sends a security context migration Request (Context Transfer Request) message to the Network AMF1;
step 1104, the Network AMF1 sends a security context migration Response (Context Transfer Response) message to the Slice AMF2. The security context migration response message contains authentication indication information of the UE;
step 1105, the Network AMF1 deregisters the UE from the Network AMF1.
step 1106, the Slice AMF2 sends a security context migration Request (Context Transfer Request) message, the NSSAI of the Slice AMF2 of the second network Slice, and the authentication indication information of the UE to the Slice AMF1;
step 1107, the Slice AMF1 sends a security context migration Response (Context Transfer Response) message to the Slice AMF2. The security context migration response message contains the first network slice security context of the UE;
step 1108, when the verification indication information of the UE indicates that the UE is verified, the Slice AMF2 and/or the UE may update the first network slice security context of the UE by performing horizontal dispersion (horizontal key derivation) on the KAMF (key) in the received first network slice security context to form a second network slice security context of the UE; when the verification indication information of the UE indicates that the UE is not verified, the Slice AMF2 may perform authentication and NAS SMC procedures with the UE. Upon completion of the authentication and NAS SMC procedures, the Slice AMF2 and the UE establish a second network slice security context.
step 1109, the Slice AMF2 sends a Registration acknowledgement message (Registration Accept) to the UE;
after the UE completes registration in the Slice AMF2 of the second Network Slice in the first Network, if the UE attempts to access the first Network and attach to the Network AMF1 in the first Network, the Network AMF1 will reject the attachment of the UE.
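The exchange of Example 2 (steps 1101 to 1109), together with the verified/unverified branch that Examples 1 to 7 all share, as an added example in Python that is not part of the patent or of any ZTE implementation. Everything in it is an assumption made for illustration: the HMAC-SHA256 `kdf` stands in for the 3GPP key derivation function, the 4-byte `nas_mac` over the uplink NAS COUNT and the request fields stands in for the NAS integrity algorithm, the 5G-GUTI and NSSAI strings are constructed, and "authentication and NAS SMC" is modelled as both sides agreeing a fresh random KAMF. What it adds to the text: the source Network AMF1 produces the verification indication by checking the MAC and the COUNT against the context it holds, the source Slice AMF1 releases the slice context only for a verified UE, both sources deregister the UE so that a later attach under the old 5G-GUTI is rejected, and a request whose MAC does not verify falls through to full authentication rather than to key derivation.

```python
# Added illustrative model of the Example 2 flow (steps 1101-1109); not patent or ZTE code.
# The KDF, MAC, COUNT rule and message fields are assumptions standing in for TS 33.501.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Illustrative KDF: HMAC-SHA256 over label || params (3GPP uses its own FC/P/L encoding)."""
    return hmac.new(key, label + b"".join(params), hashlib.sha256).digest()


def nas_mac(k_amf: bytes, count: int, payload: bytes) -> bytes:
    """Truncated MAC over COUNT || request fields, keyed by an integrity key derived from KAMF."""
    return hmac.new(kdf(k_amf, b"nas-int"), count.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:4]


def horizontal_derive(k_amf: bytes, count: int) -> bytes:
    """'Horizontal dispersion': KAMF' from KAMF with no new authentication; UE and AMF both run it."""
    return kdf(k_amf, b"horizontal", count.to_bytes(4, "big"))


@dataclass
class Context:
    k_amf: bytes
    ul_count: int = 0  # highest uplink NAS COUNT accepted under this context


@dataclass
class NetworkAMF:
    """Network AMF1: holds the first network security context and produces the verification indication."""
    contexts: dict = field(default_factory=dict)  # 5G-GUTI -> Context

    def context_transfer(self, guti: str, count: int, payload: bytes, mac: bytes) -> bool:
        ctx = self.contexts.pop(guti, None)  # step 1105: deregister the UE whatever the outcome
        if ctx is None or count <= ctx.ul_count:  # unknown GUTI or replayed COUNT is never 'verified'
            return False
        return hmac.compare_digest(nas_mac(ctx.k_amf, count, payload), mac)


@dataclass
class SliceAMF:
    contexts: dict = field(default_factory=dict)  # 5G-GUTI -> Context

    def context_transfer(self, guti: str, verified: bool):
        """Source Slice AMF1 (steps 1106-1107): release the slice context only for a verified UE, then deregister."""
        ctx = self.contexts.pop(guti, None)
        return ctx if verified else None

    def register(self, req: dict, net_amf: NetworkAMF, src: "SliceAMF", ue: "UE") -> dict:
        """Target Slice AMF2 (steps 1103-1109); calls on `ue` model the over-the-air procedures."""
        verified = net_amf.context_transfer(req["net_guti"], req["count"], req["payload"], req["mac"])
        old = src.context_transfer(req["slice_guti"], verified)
        if verified and old is not None:  # step 1108, verified branch: derive, do not re-authenticate
            k_new = horizontal_derive(old.k_amf, req["count"])
            ue.horizontal_update(req["count"])
            how = "horizontal"
        else:  # step 1108, unverified branch: full authentication + NAS SMC
            k_new = ue.authenticate_and_smc()
            how = "authentication"
        new_guti = "slice2-" + secrets.token_hex(4)
        self.contexts[new_guti] = Context(k_new, req["count"])
        return {"msg": "Registration Accept", "guti": new_guti, "how": how}  # step 1109


@dataclass
class UE:
    net_guti: str
    slice_guti: str
    k_net: bytes    # first network security context (the active one in Example 2)
    k_slice: bytes  # first network slice security context
    count: int = 0

    def registration_request(self, nssai: str) -> dict:
        """Step 1101: both 5G-GUTIs, the target NSSAI, and a MAC under the active (network) context."""
        self.count += 1
        payload = f"{self.net_guti}|{self.slice_guti}|{nssai}".encode()
        return {"net_guti": self.net_guti, "slice_guti": self.slice_guti, "nssai": nssai,
                "count": self.count, "payload": payload, "mac": nas_mac(self.k_net, self.count, payload)}

    def horizontal_update(self, count: int) -> None:
        self.k_slice = horizontal_derive(self.k_slice, count)

    def authenticate_and_smc(self) -> bytes:
        self.k_slice = secrets.token_bytes(32)  # stands in for the key agreed in authentication + NAS SMC
        return self.k_slice


def run_example2(tamper: bool = False) -> dict:
    """Constructed scenario: a UE registered with Network AMF1 and Slice AMF1 registers with Slice AMF2."""
    k_net, k_slice = secrets.token_bytes(32), secrets.token_bytes(32)
    net1, slice1 = NetworkAMF({"net1-guti": Context(k_net)}), SliceAMF({"slice1-guti": Context(k_slice)})
    slice2 = SliceAMF()
    ue = UE("net1-guti", "slice1-guti", k_net, k_slice)
    req = ue.registration_request("nssai-slice2")
    if tamper:
        req["mac"] = bytes(4)  # altered MAC: must fall through to authentication, never to key derivation
    accept = slice2.register(req, net1, slice1, ue)  # Network AMF1 forwards to Slice AMF2 by NSSAI (step 1102)
    return {"how": accept["how"],
            "keys_match": slice2.contexts[accept["guti"]].k_amf == ue.k_slice,
            "old_attach": "accept" if "net1-guti" in net1.contexts else "reject",  # Example 2 closing check
            "source_still_holds_ue": "slice1-guti" in slice1.contexts}
```

Two design points worth noting. The source pops the UE's context before it even decides the indication, which is what makes the closing sentence of each example hold (a second attach under the old 5G-GUTI finds no context and is rejected) and prevents two live contexts for one UE. And the MAC covers the target NSSAI as well as both GUTIs, so a verified indication binds the request to the slice the UE actually asked for. Horizontal derivation gives the new slice a key that differs from the old one, but it provides no freshness if the old KAMF has leaked; that is why the unverified branch must run authentication and NAS SMC rather than derive. In Example 3 the MAC is computed under the slice context and Slice AMF1 both verifies and transfers, so the two `context_transfer` roles above collapse into one entity; the same helpers apply.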
Example 3
The UE has already registered in the first Network and the first Network Slice of the first Network, for example, the UE has already registered in the Network AMF1 in the first Network, at which time, the UE and the Network AMF1 in the first Network establish a first Network security context, and in addition, the UE has also already registered in the first Network Slice Slice AMF1 in the first Network, at which time, the UE and the Slice AMF1 in the first Network Slice establish a first Network Slice security context. Fig. 12 is a flowchart of a secure communication method provided in example 3 of the embodiment of the present invention when a first network slice security context of a UE is in an active state and the UE is ready to register and access a second network slice in a first network, the method including:
step 1201, the UE sends a registration request message to the Network AMF1 of the first Network, where the registration request message may include the 5G-GUTI of the Network AMF1 of the first Network, the 5G-GUTI of the Slice AMF1 of the first Network Slice, the NSSAI of the Slice AMF2 of the second Network Slice, and a message authentication code MAC calculated based on the first network slice security context;
step 1202, the Network AMF1 forwards the registration request message of the UE to the Slice AMF2 according to the NSSAI.
step 1203, the Slice AMF2 sends a security context migration Request (Context Transfer Request) message to the Slice AMF1;
step 1204, the Slice AMF1 sends a security context migration Response (Context Transfer Response) message to the Slice AMF2. The security context migration response message includes the verification indication information of the UE and the first network slice security context of the UE;
step 1205, the Slice AMF1 deregisters the UE from the Slice AMF1.
step 1206, when the verification indication information of the UE indicates that the UE fails verification, the Slice AMF2 and the UE may perform authentication and NAS SMC procedures. After the authentication and NAS SMC procedures are finished, the Slice AMF2 and the UE establish a second network slice security context. When the verification indication information of the UE indicates that the UE is verified, the Slice AMF2 may skip authenticating the UE to save time and network resources; in this case, the Slice AMF2 and/or the UE may form a second network slice security context for the UE by horizontally deriving a new key from the KAMF in the received first network slice security context, thereby updating the first network slice security context of the UE.
Step 1207, the Slice AMF2 sends a Registration acknowledgement message Registration Accept to the UE;
after the UE completes registration with the Slice AMF2 of the second network Slice in the first network, the Slice AMF1 will reject the attachment of the UE if the UE attempts to access the first network Slice in the first network and attach to the Slice AMF1 of the first network Slice in the first network.
Example 4
The UE has already registered in the first Network and the first Network Slice of the first Network, for example, the UE has already registered in the Network AMF1 in the first Network, at which time, the UE and the Network AMF1 in the first Network establish a first Network security context, and in addition, the UE has also already registered in the first Network Slice Slice AMF1 in the first Network, at which time, the UE and the Slice AMF1 in the first Network Slice establish a first Network Slice security context. When the first network slice security context of the UE is in an active state and the UE is ready to register and access the second network, fig. 13 is a flowchart of a secure communication method provided by example 4 of the embodiment of the present invention, where the method includes:
step 1301, the UE sends a registration request message to the Network AMF2 of the second Network, where the registration request message may include the 5G-GUTI of the Slice AMF1 of the first Network Slice, the 5G-GUTI of the Network AMF1 of the first Network, and a message authentication code MAC calculated based on the first network slice security context currently in an active state;
step 1302, the Network AMF2 sends a security context migration Request (Context Transfer Request) message to the Slice AMF1;
step 1303, the Slice AMF1 sends a security context migration Response (Context Transfer Response) message to the Network AMF2. The security context migration response message may include authentication indication information of the UE;
step 1304, the Slice AMF1 deregisters the UE from the Slice AMF1.
step 1305, the Network AMF2 sends a security context migration Request (Context Transfer Request) message to the Network AMF1, where the security context migration request message may include the authentication indication information of the UE;
step 1306, the Network AMF1 sends a security context migration Response (Context Transfer Response) message to the Network AMF2. The security context migration response message contains the first network security context of the UE;
step 1307, when the verification indication information of the UE indicates that the UE passes verification, the Network AMF2 may update the first network security context of the UE by performing horizontal dispersion (horizontal key derivation) on the KAMF in the first network security context to form a second network security context of the UE; when the verification indication information of the UE indicates that the UE is not verified, the Network AMF2 may perform authentication and NAS SMC procedures with the UE. After the authentication and NAS SMC procedures are completed, the Network AMF2 and the UE establish a second network security context.
step 1308, the Network AMF2 sends a Registration acknowledgement message (Registration Accept) to the UE;
after the UE completes registration in the Network AMF2 of the second Network, if the UE attempts to access the first Network Slice in the first Network and attach to the Slice AMF1 of the first Network Slice in the first Network, the Slice AMF1 will reject the access of the UE.
Example 5
The UE has already registered in the first Network and the first Network Slice of the first Network, for example, the UE has already registered in the Network AMF1 in the first Network, at which time, the UE and the Network AMF1 in the first Network establish a first Network security context, and in addition, the UE has also already registered in the first Network Slice Slice AMF1 in the first Network, at which time, the UE and the Slice AMF1 in the first Network Slice establish a first Network Slice security context. When the first network slice security context of the UE is in an active state and the UE is ready to register and access a third network slice in the second network, fig. 14 is a flowchart of a secure communication method provided by example 5 of an embodiment of the present invention, the method including:
step 1401, the UE sends a registration request message to the Network AMF2 of the second Network, where the registration request message may include the 5G-GUTI of the Network AMF1 of the first Network, the 5G-GUTI of the Slice AMF1 of the first Network Slice, the NSSAI of the Slice AMF3 of the third Network Slice, and a message authentication code MAC calculated based on the security context of the first Network Slice;
at step 1402, the Network AMF2 forwards the registration request message for the UE to the Slice AMF3 according to the NSSAI of the Slice AMF3 of the third Network Slice.
step 1403, the Slice AMF3 sends a security context migration Request (Context Transfer Request) message to the Slice AMF1;
step 1404, the Slice AMF1 sends a security context migration Response (Context Transfer Response) message to the Slice AMF3. The security context migration response message contains the first network slice security context of the UE and the verification indication information of the UE;
step 1405, the Slice AMF1 deregisters the UE from the Slice AMF1.
step 1406, when the verification indication information of the UE indicates that the UE fails verification, the Slice AMF3 and the UE may perform authentication and NAS SMC procedures. After the authentication and NAS SMC procedures are complete, the Slice AMF3 and the UE establish a third network slice security context.
When the verification indication information of the UE indicates that the UE is verified, the Slice AMF3 may skip authenticating the UE to save time and network resources. In this case, the Slice AMF3 may form a third network slice security context for the UE by horizontally deriving a new key from the KAMF in the received first network slice security context, thereby updating the first network slice security context of the UE.
Step 1407, the Slice AMF3 sends a Registration acknowledgement message Registration Accept to the UE;
after the UE completes registration with the Slice AMF3 of the third network Slice in the second network, the Slice AMF1 will deny the UE access if the UE attempts to access the first network Slice in the first network and attaches to the Slice AMF1 of the first network Slice in the first network.
Example 6
The UE has already registered in the first Network and the first Network Slice of the first Network, for example, the UE has already registered in the Network AMF1 in the first Network, at which time, the UE and the Network AMF1 in the first Network establish a first Network security context, and in addition, the UE has also already registered in the first Network Slice Slice AMF1 in the first Network, at which time, the UE and the Slice AMF1 in the first Network Slice establish a first Network Slice security context. When the first network security context of the UE is in an active state and the UE is ready to register and access a third network slice in the second network, fig. 15 is a flowchart of a secure communication method provided by example 6 of the embodiment of the present invention, where the method includes:
step 1501, the UE sends a registration request message to the Network AMF2 of the second Network, where the registration request message may include the 5G-GUTI of the Slice AMF1 of the first Network Slice, the 5G-GUTI of the Network AMF1 of the first Network, the NSSAI of the Slice AMF3 of the third Network Slice, and a message authentication code MAC calculated based on the first network security context;
step 1502, the Network AMF2 sends a security context migration Request (Context Transfer Request) message to the Network AMF1, where the security context migration request message may include the NSSAI of the Slice AMF3 of the third network slice;
step 1503, the Network AMF1 sends a security context migration Response (Context Transfer Response) message to the Network AMF2. The security context migration response message may include authentication indication information of the UE;
step 1504, the Network AMF1 deregisters the UE from the Network AMF1.
step 1505, the Network AMF2 forwards the registration request message of the UE, the authentication indication information of the UE, and the MAC to the Slice AMF3.
step 1506, the Slice AMF3 determines, according to the 5G-GUTI of the Slice AMF1, to send a security context migration Request (Context Transfer Request) message, the NSSAI, and the authentication indication information of the UE to the Slice AMF1;
step 1507, the Slice AMF1 sends a security context migration Response (Context Transfer Response) message to the Slice AMF3. The security context migration response message contains the first network slice security context of the UE;
step 1508, when the verification indication information of the UE indicates that the UE fails verification, the Slice AMF3 may perform authentication and NAS SMC procedures with the UE. After the authentication and NAS SMC procedures are finished, the Slice AMF3 and the UE establish a third network slice security context. When the verification indication information of the UE indicates that the UE is verified, the Slice AMF3 may skip authenticating the UE to save time and network resources. In this case, the Slice AMF3 and the UE may form a third network slice security context for the UE by horizontally deriving a new key from the KAMF in the received first network slice security context, thereby updating the first network slice security context of the UE.
Step 1509, the Network AMF2 sends a Registration acknowledgement message Registration Accept to the UE;
after the UE completes registration in the Slice AMF3 of the third Network Slice in the second Network, if the UE attempts to access the first Network and attaches to the Network AMF1 of the first Network, the Network AMF1 will reject the access of the UE.
Example 7
The UE has already registered in the first Network and the first Network Slice of the first Network, for example, the UE has already registered in the Network AMF1 in the first Network, at which time, the UE and the Network AMF1 in the first Network establish a first Network security context, and in addition, the UE has also already registered in the first Network Slice Slice AMF1 in the first Network, at which time, the UE and the Slice AMF1 in the first Network Slice establish a first Network Slice security context. When the first network security context of the UE is in an active state and the UE is ready to register and access a third network slice in the second network, fig. 16 is a flowchart of a secure communication method provided by example 7 of the embodiment of the present invention, where the method includes:
step 1601, the UE sends a registration request message to a Network AMF2 of the second Network, where the registration request message may include a 5G-GUTI of a Slice AMF1 of the first Network Slice, an NSSAI of a Slice AMF3 of the third Network Slice, and a message authentication code MAC calculated based on the first Network security context;
step 1602, after receiving the registration request message, the Network AMF2 checks whether the registration request message includes the 5G-GUTI of the Network AMF1. If it does not, the Network AMF2 performs network authentication and NAS SMC (Non-Access Stratum Security Mode Command) procedures with the UE. After the authentication and NAS SMC procedures are completed, the Network AMF2 and the UE establish a second network security context.
step 1603, the Network AMF2 forwards the registration request message of the UE and the authentication indication information of the UE to the Slice AMF3.
step 1604, the Slice AMF3 determines, according to the 5G-GUTI of the Slice AMF1, to send a security context migration Request (Context Transfer Request) message, the NSSAI of the Slice AMF3 of the third network Slice, and the authentication indication information of the UE to the Slice AMF1;
step 1605, the Slice AMF1 sends a security context migration Response (Context Transfer Response) message to the Slice AMF3. The security context migration response message contains the first network slice security context of the UE;
step 1606, when the verification indication information of the UE indicates that the UE fails verification, the Slice AMF3 may perform authentication and NAS SMC procedures with the UE. After the authentication and NAS SMC procedures are finished, the Slice AMF3 and the UE establish a third network slice security context. When the verification indication information of the UE indicates that the UE is verified, the Slice AMF3 may skip authenticating the UE to save time and network resources. In this case, the Slice AMF3 and the UE may form a third network slice security context for the UE by horizontally deriving a new key from the KAMF in the received first network slice security context, thereby updating the first network slice security context of the UE.
step 1607, the Slice AMF3 sends a Registration acknowledgement message (Registration Accept) to the UE;
after the UE completes registration in the Slice AMF3 of the third Network Slice in the second Network, if the UE attempts to access the first Network and attaches to the Network AMF1 of the first Network, the Network AMF1 will reject the access of the UE.
Another embodiment of the present invention provides a secure communication apparatus, including:
the first sending module is used for sending a first message to a first network slice entity through a first network entity of a network where the first network slice entity to be registered and accessed is located;
a first receiving module, configured to receive a fourth message of the first network slice entity.
In another embodiment of the present invention, the apparatus further comprises:
a first obtaining module, configured to obtain a first network slice security context established with the first network slice entity.
In this embodiment of the present invention, the first obtaining module is specifically configured to execute any one of the following:
performing authentication and NAS SMC processes with the first network slice entity, and establishing a first network slice security context with the first network slice entity;
and horizontally dispersing the key in the second network slice security context established with the registered and accessed second network slice entity to obtain the first network slice security context.
In this embodiment of the present invention, the first sending module is specifically configured to execute any one of the following:
directly sending the first message;
sending the first message, verification indication information of the user equipment and a message authentication code MAC calculated based on a first network security context or a second network slice security context in an activated state;
and sending the first message and the verification indication information of the user equipment.
In this embodiment of the present invention, the first message includes any one of:
the temporary identity information of the user equipment in the first network entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the first network security context in the activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on a first network security context in an activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the security context of the second network slice currently in an activated state;
the temporary identity information of the user equipment in the registered and accessed second network slice entity, the identification of the first network slice entity and the message authentication code MAC calculated based on the first network security context in the activated state.
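The message authentication code on the first message, as an added example that is not part of the patent text: the UE computes a MAC over the temporary identity information and the slice identifier under the integrity key of the security context currently in the activated state, and the receiving entity checks it before acting on the registration request. HMAC-SHA-256 truncated to 32 bits stands in for a 5G NIA integrity algorithm, the key and the 5G-GUTI/NSSAI values are constructed placeholders, and binding a NAS COUNT into the MAC so that replays are rejected is my choice for the example; the patent does not specify it.

```python
import copy
import hashlib
import hmac
import json

# Integrity key of the security context currently in the activated state.
# Constructed sample value; a real UE would use K_NASint derived from K_AMF.
K_NAS_INT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed placeholder identifiers (not from the patent). 5G-GUTI and NSSAI
# are treated as opaque strings here instead of their encoded IEs.
UE_GUTI_FIRST_NETWORK_ENTITY = "5G-GUTI:placeholder-amf1"
UE_GUTI_SECOND_SLICE_ENTITY = "5G-GUTI:placeholder-slice-amf2"
FIRST_SLICE_NSSAI = "NSSAI:sst=1,sd=000001"


def encode_first_message(fields: dict) -> bytes:
    """Canonical byte encoding of the fields covered by the MAC; sorted keys
    guarantee that sender and receiver serialise identically."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def compute_mac(key: bytes, fields: dict) -> bytes:
    """32-bit MAC over the first message. HMAC-SHA-256 truncated to 4 bytes
    stands in for the 5G NIA algorithm (assumption made for this example)."""
    return hmac.new(key, encode_first_message(fields), hashlib.sha256).digest()[:4]


def build_first_message(temp_ids: dict, slice_id: str, key: bytes, nas_count: int) -> dict:
    """UE side: temporary identity information + slice identifier + NAS COUNT, then MAC."""
    fields = dict(temp_ids)
    fields["first_slice_id"] = slice_id
    fields["nas_count"] = nas_count  # bound into the MAC for replay protection
    return {"fields": fields, "mac": compute_mac(key, fields).hex()}


def verify_first_message(message: dict, key: bytes, last_seen_count: int) -> bool:
    """Receiving entity: reject a stale COUNT first, then compare the MAC in constant time."""
    fields = message["fields"]
    if fields["nas_count"] <= last_seen_count:
        return False  # replayed or out-of-order message
    expected = compute_mac(key, fields)
    return hmac.compare_digest(expected, bytes.fromhex(message["mac"]))


def demo() -> tuple:
    """Accept a genuine message; reject a tampered slice id, a replay and a wrong key."""
    msg = build_first_message(
        {"guti_first_network_entity": UE_GUTI_FIRST_NETWORK_ENTITY,
         "guti_second_slice_entity": UE_GUTI_SECOND_SLICE_ENTITY},
        FIRST_SLICE_NSSAI, K_NAS_INT, nas_count=7)
    accepted = verify_first_message(msg, K_NAS_INT, last_seen_count=6)
    tampered = copy.deepcopy(msg)
    tampered["fields"]["first_slice_id"] = "NSSAI:sst=2,sd=000002"
    tampered_accepted = verify_first_message(tampered, K_NAS_INT, last_seen_count=6)
    replayed_accepted = verify_first_message(msg, K_NAS_INT, last_seen_count=7)
    wrong_key_accepted = verify_first_message(msg, bytes(16), last_seen_count=6)
    return accepted, tampered_accepted, replayed_accepted, wrong_key_accepted


if __name__ == "__main__":
    print(demo())
```

The receiving entity only needs the integrity key of whichever context the message names as active (first network security context or second network slice security context); the COUNT check runs before the MAC comparison so that a replayed message is dropped without spending a MAC computation.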
In this embodiment of the present invention, the first message is a registration request message, and the fourth message is a registration confirmation message.
In this embodiment of the present invention, the temporary identity information is 5G-GUTI, and the identifier of the first network slice entity includes NSSAI.
The specific implementation of the above secure communication apparatus is the same as that of the secure communication method in the foregoing embodiment and is not described here again.
Another embodiment of the present invention provides a secure communication apparatus, including:
the second receiving module is used for receiving a first message of the user equipment; wherein the first message comprises: an identifier of a first network slice entity to be registered and accessed;
a second sending module, configured to forward the first message to the first network slice entity according to the identifier of the first network slice entity.
In this embodiment of the present invention, the second receiving module is further configured to:
receiving a second message of the first network slice entity;
the second sending module is further configured to: send a third message to the first network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment;
further comprising: a first revocation module for revoking the registration of the user equipment in the first network entity.
In this embodiment of the present invention, the second sending module is specifically configured to forward the first message to the first network slice entity according to the identifier of the first network slice entity by using any one of the following manners:
forwarding the first message directly to the first network slice entity according to the identity of the first network slice entity;
acquiring verification indication information or authentication indication information of user equipment, and sending the first message, the verification indication information or the authentication indication information of the user equipment and a message authentication code MAC obtained by calculation based on a first network security context or a second network slice security context in an activated state to a first network slice entity according to an identifier of the first network slice entity;
when the first message does not contain the temporary identity information of the user equipment in the second network entity, performing authentication and NAS SMC (Non-Access Stratum Security Mode Command) procedures with the user equipment, and establishing a first network security context with the user equipment; then transmitting the first message and the authentication indication information of the user equipment to the first network slice entity.
In this embodiment of the present invention, the first message further includes any one of:
the temporary identity information of the user equipment in the first network entity and a message authentication code MAC calculated based on the first network security context in the activated state at present;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity and a message authentication code MAC calculated based on a first network security context currently in an activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity and a message authentication code MAC calculated based on the security context of the second network slice in the activated state;
the temporary identity information of the user equipment in the registered and accessed second network slice entity and a message authentication code MAC calculated based on the first network security context in the activated state.
The specific implementation of the above secure communication apparatus is the same as that of the secure communication method in the foregoing embodiment and is not described here again.
Another embodiment of the present invention provides a secure communication apparatus, including:
the third receiving module is used for receiving a first message sent to a first network slice entity by user equipment through the first network entity of a network where the first network slice entity to be registered and accessed is located;
the second acquisition module is used for acquiring a first network slice security context established by the user equipment and the first network slice entity;
and the third sending module is used for sending a fourth message to the user equipment.
In this embodiment of the present invention, the second obtaining module is further configured to:
and acquiring verification indication information or authentication indication information of the user equipment.
In this embodiment of the present invention, the second obtaining module is specifically configured to implement the obtaining of the verification indication information or the authentication indication information of the user equipment by using any one of the following manners:
sending a second message to the first network entity; receiving a third message of the first network entity; wherein the third message includes verification indication information or authentication indication information of the user equipment;
sending a second message to the second network slice entity; receiving a third message of the second network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment;
sending a fifth message to the second network slice entity; receiving a sixth message of the second network slice entity; wherein the sixth message comprises verification indication information or authentication indication information of the user equipment;
sending a fifth message to the first network entity; receiving a sixth message of the first network entity; wherein the sixth message includes authentication indication information of the user equipment.
In the embodiment of the present invention, receiving the first message includes any one of:
directly receiving a first message;
receiving a first message, verification indication information or authentication indication information of user equipment, and a MAC calculated based on a first network security context or a second network slice security context which is in an activated state at present;
and receiving the first message and the authentication indication information of the user equipment.
In this embodiment of the present invention, the second obtaining module is specifically configured to implement, by using at least one of the following manners, obtaining the first network slice security context established by the user equipment and the first network slice entity:
performing authentication and NAS SMC (Non-Access Stratum Security Mode Command) procedures with the user equipment, and establishing a first network slice security context with the user equipment;
acquiring a second network slice security context established between the user equipment and a registered and accessed second network slice entity; when the verification indication information of the user equipment indicates that the user equipment is not verified or the authentication indication information of the user equipment indicates that the user equipment is not authenticated, performing authentication and NAS SMC procedures with the user equipment, and establishing a first network slice security context with the user equipment;
acquiring a second network slice security context established between the user equipment and a registered and accessed second network slice entity; and when the verification indication information of the user equipment indicates that the user equipment passes the verification or the authentication indication information of the user equipment indicates that the user equipment passes the authentication, performing horizontal derivation of the key in the second network slice security context to obtain a first network slice security context of the user equipment.
In this embodiment of the present invention, the second obtaining module is specifically configured to obtain the second network slice security context established between the user equipment and the registered and accessed second network slice entity in any one of the following manners:
sending a second message to the second network slice entity; receiving a third message of the second network slice entity; wherein the third message comprises a second network slice security context established by the user equipment with the second network slice entity;
sending a fifth message, an identifier of the first network slice entity and verification indication information or authentication indication information of the user equipment to the second network slice entity; receiving a sixth message of the second network slice entity; wherein the sixth message comprises a second network slice security context established by the user equipment with the second network slice entity.
In this embodiment of the present invention, the fifth message is a security context migration request message, and the sixth message is a security context migration response message.
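The two steps just described, the security context migration exchange between the slice entities and the first slice entity's choice between horizontal key derivation and a fresh authentication run, as one added example that is not the patent's or ZTE's code. The context structure, the `SecondSliceEntity` stand-in and the fresh K_AMF that models a completed authentication plus NAS SMC run are constructed for the example; the KDF parameters for K_AMF horizontal derivation (FC 0x72, DIRECTION 0x01, downlink NAS COUNT) are those of TS 33.501 Annex A.13 to the best of my knowledge and are an assumption here, since the patent text does not name them.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SliceSecurityContext:
    """Minimal NAS security context shared between the UE and one slice AMF (constructed)."""
    kamf: bytes
    ngksi: int          # key set identifier, 0..6 (7 means "no key available")
    dl_nas_count: int   # downlink NAS COUNT, the input to horizontal derivation
    ul_nas_count: int


def kdf_33501(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.220 Annex B as used by TS 33.501:
    HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), each Ln a 2-byte big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def horizontal_derive_kamf(kamf: bytes, dl_nas_count: int) -> bytes:
    """K_AMF' = KDF(K_AMF, FC=0x72, DIRECTION=0x01, downlink NAS COUNT).
    Parameter values per TS 33.501 Annex A.13 as I recall them (assumption)."""
    return kdf_33501(kamf, 0x72, b"\x01", dl_nas_count.to_bytes(4, "big"))


class SecondSliceEntity:
    """Slice AMF where the UE is currently registered (constructed stand-in)."""

    def __init__(self) -> None:
        self.registrations: Dict[str, SliceSecurityContext] = {}

    def register(self, ue_guti: str, ctx: SliceSecurityContext) -> None:
        self.registrations[ue_guti] = ctx

    def handle_migration_request(self, ue_guti: str, first_slice_id: str,
                                 ue_verified: bool) -> Optional[dict]:
        """Fifth message in, sixth message out: hand over the UE's context together
        with the verification indication and revoke the UE's registration here."""
        ctx = self.registrations.pop(ue_guti, None)
        if ctx is None:
            return None  # unknown UE: nothing to migrate
        return {"target_slice": first_slice_id, "context": ctx, "ue_verified": ue_verified}


def establish_first_slice_context(migration_response: Optional[dict],
                                  fresh_kamf: Optional[bytes] = None
                                  ) -> Tuple[SliceSecurityContext, str]:
    """First slice AMF decision: derive horizontally from the migrated context when the
    UE is verified; otherwise require a fresh K_AMF from authentication + NAS SMC."""
    if migration_response is not None and migration_response["ue_verified"]:
        prev = migration_response["context"]
        new = replace(prev, kamf=horizontal_derive_kamf(prev.kamf, prev.dl_nas_count),
                      dl_nas_count=0, ul_nas_count=0)  # counts restart with the new key
        return new, "horizontal-derivation"
    if fresh_kamf is None:
        raise ValueError("UE not verified: full authentication and NAS SMC required")
    prev = migration_response["context"] if migration_response else None
    ngksi = (prev.ngksi + 1) % 7 if prev else 0  # new key set; 7 is reserved
    return SliceSecurityContext(fresh_kamf, ngksi, 0, 0), "authentication+nas-smc"


if __name__ == "__main__":
    old = SliceSecurityContext(bytes(range(32)), ngksi=3, dl_nas_count=17, ul_nas_count=4)
    second = SecondSliceEntity()
    second.register("5G-GUTI:placeholder", old)
    sixth = second.handle_migration_request("5G-GUTI:placeholder", "NSSAI:placeholder", True)
    ctx, how = establish_first_slice_context(sixth)
    print(how, ctx.kamf.hex())
```

Because the derivation is one-way, the second slice entity cannot recover the new K_AMF' from the context it handed over, and the registration it popped cannot be reused; the unverified branch refuses to fabricate a context and forces the caller to supply the result of a real authentication run.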
In this embodiment of the present invention, the first message includes any one of:
the temporary identity information of the user equipment in the first network entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the first network security context in the activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on a first network security context in an activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the security context of the second network slice currently in an activated state;
the temporary identity information of the user equipment in the registered and accessed second network slice entity, the identification of the first network slice entity and the message authentication code MAC calculated based on the first network security context in the activated state.
The specific implementation of the above secure communication apparatus is the same as that of the secure communication method in the foregoing embodiment and is not described here again.
Another embodiment of the present invention provides a secure communication apparatus, including:
a fourth receiving module, configured to receive a seventh message of the first network slice entity to be registered and accessed; wherein the seventh message comprises a fifth message or a second message;
a fourth sending module, configured to send an eighth message to the first network slice entity; wherein the eighth message comprises a sixth message or a third message, and the eighth message comprises a second network slice security context established by the user equipment and a second network slice entity which is registered and accessed.
In the embodiment of the present invention, the apparatus further includes:
a second revocation module for revoking the registration of the user equipment with the second network slice entity.
In this embodiment of the present invention, the eighth message further includes verification indication information or authentication indication information of the user equipment.
In this embodiment of the present invention, the fourth receiving module is specifically configured to receive the seventh message of the first network slice entity to be registered and accessed in any one of the following manners:
receiving a seventh message of the first network slice entity to be registered and accessed;
and receiving a seventh message of a first network slice entity to be registered and accessed, the identification of the first network slice entity and verification indication information or authentication indication information of the user equipment.
The specific implementation of the above secure communication apparatus is the same as that of the secure communication method in the foregoing embodiment and is not described here again.
Another embodiment of the present invention provides a secure communication apparatus, including:
a fifth receiving module, configured to receive a second message of the first network entity of the network in which the first network slice entity to be registered and accessed is located; wherein the second message comprises an identification of the first network slice entity;
a fifth sending module, configured to send a third message to the first network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment.
In the embodiment of the present invention, the apparatus further includes: a third revocation module, configured to revoke the registration of the user equipment in the entity to which the apparatus belongs.
The specific implementation of the above secure communication apparatus is the same as that of the secure communication method in the foregoing embodiment and is not described here again.
Another embodiment of the present invention provides a secure communication apparatus, including:
a sixth sending module, configured to send a first message to a second network entity to be registered and accessed; wherein the first message comprises: temporary identity information of the user equipment in a registered and accessed first network slice entity, temporary identity information of the user equipment in a registered and accessed first network entity, and a message authentication code MAC calculated based on a first network slice security context currently in an activated state;
a third obtaining module, configured to obtain a second network security context established with the second network entity;
a sixth receiving module, configured to receive the fourth message of the second network entity.
In this embodiment of the present invention, the third obtaining module is specifically configured to implement the obtaining of the second network security context established with the second network entity in the following manner:
performing authentication and NAS SMC procedures with the second network entity, and establishing the second network security context with the second network entity.
The specific implementation of the above secure communication apparatus is the same as that of the secure communication method in the foregoing embodiment and is not described here again.
Another embodiment of the present invention provides a secure communication apparatus, including:
a seventh receiving module, configured to receive a first message of a user equipment; wherein the first message comprises: temporary identity information of the user equipment in a registered and accessed second network slice entity, temporary identity information of the user equipment in a registered and accessed first network entity, and a message authentication code MAC calculated based on a first network slice security context currently in an activated state;
a fourth obtaining module, configured to obtain verification indication information or authentication indication information of the user equipment, obtain a first network security context established between the user equipment and the first network entity, and obtain a second network security context established with the user equipment;
and a seventh sending module, configured to send a fourth message to the user equipment.
In this embodiment of the present invention, the fourth obtaining module is specifically configured to implement the obtaining of the verification indication information or the authentication indication information of the user equipment in the following manner:
sending a second message to the second network slice entity;
receiving a third message of the second network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment.
In this embodiment of the present invention, the fourth obtaining module is specifically configured to obtain the first network security context established between the user equipment and the first network entity in the following manner:
sending a fifth message to the first network entity; wherein the fifth message includes verification indication information or authentication indication information of the user equipment;
receiving a sixth message of the first network entity; wherein the sixth message includes the first network security context.
In this embodiment of the present invention, the fourth obtaining module is specifically configured to implement the obtaining of the second network security context established with the user equipment by using at least one of the following manners:
when the verification indication information of the user equipment indicates that the user equipment passes verification or the authentication indication information of the user equipment indicates that the user equipment passes authentication, performing horizontal derivation of the key of the first network security context to obtain the second network security context;
and when the verification indication information of the user equipment indicates that the user equipment is not verified or the authentication indication information of the user equipment indicates that the user equipment is not authenticated, performing authentication and NAS SMC (Non-Access Stratum Security Mode Command) procedures with the user equipment, and establishing the second network security context with the user equipment.
The specific implementation of the above secure communication apparatus is the same as that of the secure communication method in the foregoing embodiment and is not described here again.
Another embodiment of the present invention provides a secure communication apparatus, including:
an eighth receiving module, configured to receive a second message of a second network entity to be registered and accessed;
an eighth sending module, configured to send a third message to the second network entity, wherein the third message includes verification indication information or authentication indication information of the user equipment, and to revoke the registration of the user equipment in the registered and accessed first network slice entity.
The specific implementation of the above secure communication apparatus is the same as that of the secure communication method in the foregoing embodiment and is not described here again.
Another embodiment of the present invention provides a secure communication apparatus, including:
a ninth receiving module, configured to receive a fifth message of the second network entity to be registered and accessed; wherein the fifth message includes verification indication information or authentication indication information of the user equipment;
a ninth sending module, configured to send a sixth message to the second network entity; wherein the sixth message comprises the first network security context established between the user equipment and the registered and accessed first network entity.
The specific implementation of the above secure communication apparatus is the same as that of the secure communication method in the foregoing embodiment and is not described here again.
Another embodiment of the present invention provides a secure communication apparatus, including a processor and a computer-readable storage medium, wherein the computer-readable storage medium stores instructions, and when the instructions are executed by the processor, the secure communication apparatus implements any one of the secure communication methods described above.
Another embodiment of the invention proposes a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of any of the above-mentioned secure communication methods.
Another embodiment of the present invention provides a secure communication system, including:
the user equipment is used for sending a first message to a first network slice entity through the first network entity of the network where the first network slice entity to be registered and accessed is located; receiving a fourth message of the first network slice entity;
a first network entity, configured to receive a first message of a user equipment; wherein the first message comprises: an identifier of a first network slice entity to be registered and accessed; forwarding the first message to the first network slice entity according to the identity of the first network slice entity;
the first network slice entity is used for receiving a first message sent by the user equipment through the first network entity; and acquiring a first network slice security context established by the user equipment and the first network slice entity, and sending a fourth message to the user equipment.
In this embodiment of the present invention, the user equipment is further configured to:
obtain a first network slice security context established with the first network slice entity.
In this embodiment of the present invention, the user equipment is specifically configured to obtain the first network slice security context established with the first network slice entity in any one of the following manners:
performing authentication and NAS SMC processes with the first network slice entity, and establishing a first network slice security context with the first network slice entity;
and performing horizontal derivation of the key in the second network slice security context established with the registered and accessed second network slice entity to obtain the first network slice security context.
In this embodiment of the present invention, the user equipment is specifically configured to send the first message in any one of the following manners:
directly sending the first message;
sending the first message, verification indication information of the user equipment and a message authentication code MAC calculated based on a first network security context or a second network slice security context in an activated state;
and sending the first message and the verification indication information of the user equipment.
In this embodiment of the present invention, the first message includes any one of:
the temporary identity information of the user equipment in the first network entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the first network security context in the activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on a first network security context in an activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the security context of the second network slice currently in an activated state;
the temporary identity information of the user equipment in the registered and accessed second network slice entity, the identification of the first network slice entity and the message authentication code MAC calculated based on the first network security context in the activated state.
In this embodiment of the present invention, the first message is a registration request message, and the fourth message is a registration confirmation message.
In this embodiment of the present invention, the temporary identity information is 5G-GUTI, and the identifier of the first network slice entity includes NSSAI.
In an embodiment of the present invention, the first network entity is further configured to:
receiving a second message of the first network slice entity and sending a third message to the first network slice entity, wherein the third message includes verification indication information or authentication indication information of the user equipment; and revoking the registration of the user equipment in the first network entity.
In this embodiment of the present invention, the first network entity is specifically configured to forward the first message to the first network slice entity according to the identifier of the first network slice entity by using any one of the following manners:
forwarding the first message directly to the first network slice entity according to the identity of the first network slice entity;
acquiring verification indication information or authentication indication information of user equipment, and sending the first message, the verification indication information or the authentication indication information of the user equipment and a message authentication code MAC obtained by calculation based on a first network security context or a second network slice security context in an activated state to a first network slice entity according to an identifier of the first network slice entity;
when the first message does not contain the temporary identity information of the user equipment in the second network entity, performing authentication and NAS SMC (Non-Access Stratum Security Mode Command) procedures with the user equipment, and establishing a first network security context with the user equipment; then transmitting the first message and the authentication indication information of the user equipment to the first network slice entity.
In this embodiment of the present invention, the first network slice entity is further configured to obtain verification indication information or authentication indication information of the user equipment.
In this embodiment of the present invention, the first network slice entity is specifically configured to implement obtaining verification indication information or authentication indication information of the user equipment by using any one of the following manners:
sending a second message to the first network entity; receiving a third message of the first network entity; wherein the third message includes verification indication information or authentication indication information of the user equipment;
sending a second message to the second network slice entity; receiving a third message of the second network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment;
sending a fifth message to the second network slice entity; receiving a sixth message of the second network slice entity; wherein the sixth message comprises verification indication information or authentication indication information of the user equipment;
sending a fifth message to the first network entity; receiving a sixth message of the first network entity; wherein the sixth message includes authentication indication information of the user equipment.
In this embodiment of the present invention, the first network slice entity is specifically configured to implement receiving the first message by using any one of the following manners:
directly receiving a first message;
receiving a first message, verification indication information or authentication indication information of user equipment, and a MAC calculated based on a first network security context or a second network slice security context which is in an activated state at present;
and receiving the first message and the authentication indication information of the user equipment.
In this embodiment of the present invention, the first network slice entity is specifically configured to implement obtaining of the first network slice security context established by the user equipment and the first network slice entity in at least one of the following manners:
performing authentication and NAS SMC (Non-Access Stratum Security Mode Command) procedures with the user equipment, and establishing a first network slice security context with the user equipment;
acquiring a second network slice security context established between the user equipment and a registered and accessed second network slice entity; when the verification indication information of the user equipment indicates that the user equipment is not verified or the authentication indication information of the user equipment indicates that the user equipment is not authenticated, performing authentication and NAS SMC procedures with the user equipment, and establishing a first network slice security context with the user equipment;
acquiring a second network slice security context established between the user equipment and a registered and accessed second network slice entity; and when the verification indication information of the user equipment indicates that the user equipment passes the verification or the authentication indication information of the user equipment indicates that the user equipment passes the authentication, performing horizontal derivation of the key in the second network slice security context to obtain a first network slice security context of the user equipment.
In this embodiment of the present invention, the first network slice entity is specifically configured to acquire the second network slice security context established between the user equipment and the registered and accessed second network slice entity in any one of the following manners:
sending a second message to the second network slice entity; receiving a third message of the second network slice entity; wherein the third message comprises a second network slice security context established by the user equipment with the second network slice entity;
sending a fifth message, an identifier of the first network slice entity and verification indication information or authentication indication information of the user equipment to the second network slice entity; receiving a sixth message of the second network slice entity; wherein the sixth message comprises a second network slice security context established by the user equipment with the second network slice entity.
The system further comprises: the second network slice entity, configured to receive a seventh message of the first network slice entity to be registered and accessed; wherein the seventh message comprises a fifth message or a second message;
sending an eighth message to the first network slice entity; wherein the eighth message comprises a sixth message or a third message, and the eighth message comprises a second network slice security context established by the user equipment and a second network slice entity which is registered and accessed.
In an embodiment of the present invention, the second network slice entity is further configured to: deregister the user equipment from the second network slice entity.
Wherein the eighth message further includes verification indication information or authentication indication information of the user equipment.
The second network slice entity is specifically configured to receive the seventh message of the first network slice entity to be registered and accessed in any one of the following manners:
receiving a seventh message of the first network slice entity to be registered and accessed;
and receiving a seventh message of a first network slice entity to be registered and accessed, the identification of the first network slice entity and verification indication information or authentication indication information of the user equipment.
In another embodiment of the present invention, the system further comprises:
the second network entity of the network where the second network slice entity is located, configured to receive a second message of the first network entity of the network where the first network slice entity to be registered and accessed is located; wherein the second message comprises an identification of the first network slice entity; and to send a third message to the first network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment.
Wherein the second network entity is further configured to: revoke the registration of the user equipment on the second network entity itself.
The above-mentioned secure communication system is the same as the specific implementation process of the secure communication method in the foregoing embodiment, and is not described here again.
Another embodiment of the present invention provides a secure communication system, including:
the user equipment, configured to send a first message to a second network entity to be registered and accessed; wherein the first message comprises: temporary identity information of the user equipment in the registered and accessed first network slice entity, temporary identity information of the user equipment in the registered and accessed first network entity, and a message authentication code MAC calculated based on the first network slice security context currently in an activated state; to acquire a second network security context established with the second network entity; and to receive a fourth message of the second network entity;
the second network entity is used for receiving a first message of the user equipment; acquiring verification indication information or authentication indication information of user equipment, and acquiring a first network security context established between the user equipment and the first network entity; and acquiring a second network security context established with the user equipment, and sending a fourth message to the user equipment.
In this embodiment of the present invention, the second network entity is specifically configured to obtain the second network security context established with the user equipment by using at least one of the following manners:
when the verification indication information of the user equipment indicates that the user equipment passes the verification, performing horizontal dispersion on the key of the first network security context to obtain a second network security context;
and when the verification indication information of the user equipment indicates that the user equipment is not verified, performing authentication and NAS SMC (non-access stratum security mode command) procedures with the user equipment, and establishing the second network security context with the user equipment.
The user equipment is specifically configured to obtain a second network security context established with the second network entity in the following manner:
performing authentication and NAS SMC procedures with the second network entity, and establishing the second network security context with the second network entity.
In this embodiment of the present invention, the second network entity is specifically configured to implement obtaining the verification indication information or the authentication indication information of the user equipment by using the following manner:
sending a second message to the second network slice entity; receiving a third message of the second network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment;
the system further comprises:
the second network slice entity is used for receiving a second message of the second network entity to be registered and accessed;
sending a third message to the second network entity; wherein the third message includes verification indication information or authentication indication information of the user equipment; and revoking the registration of the user equipment on the registered and accessed first network slice entity.
In this embodiment of the present invention, the second network entity is specifically configured to implement obtaining the first network security context established by the user equipment and the first network entity in the following manner:
sending a fifth message to the first network entity; wherein the fifth message includes verification indication information or authentication indication information of the user equipment; receiving a sixth message of the first network entity; wherein the sixth message comprises the first network security context;
the system further comprises:
the first network entity is used for receiving a fifth message of the second network entity to be registered and accessed; wherein the fifth message includes verification indication information or authentication indication information of the user equipment; sending a sixth message to the second network entity; wherein the sixth message comprises the established first network security context of the user equipment and the registered and accessed first network entity.
The above-mentioned secure communication system is the same as the specific implementation process of the secure communication method in the foregoing embodiment, and is not described here again.
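Added example, not code from the patent or from ZTE: a small Python model of the slice-change registration described in the first system embodiment above (first message forwarded by the first network entity, seventh/eighth security-context migration between the two slice entities, fourth message back to the user equipment). It shows the decision the text turns on: the new slice entity derives its context by horizontal dispersion only when the verification indication reports that the MAC checked out under the currently active context; otherwise it falls back to authentication and NAS SMC, and the old slice entity revokes the registration either way, so a failed MAC never lets an existing key be carried into the new slice. The second embodiment (user equipment moving to a new network entity) follows the same pattern with the verifier and the context source swapped, so this one block serves both passages. Assumptions made here: the MAC is a truncated HMAC-SHA256 over a NAS-COUNT-like counter and the message fields; horizontal dispersion is modelled as an HMAC-based one-way derivation rather than the patent's own KDF; authentication plus NAS SMC is a stand-in that leaves both sides with a fresh random key; the identifiers are constructed placeholders; the replay check on the counter is added here and is not in the patent text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed placeholder identifiers; a real deployment carries a 5G-GUTI and NSSAI here.
UE_GUTI = b"5G-GUTI:constructed-0001"           # UE's temporary identity in the first network entity
UE_TMP_ID_A = b"tmp-id-in-slice-A:constructed"  # UE's temporary identity in the registered slice A
UE_TMP_ID_B = b"tmp-id-in-slice-B:constructed"  # identity slice B assigns on success
SLICE_A, SLICE_B = b"NSSAI:slice-A", b"NSSAI:slice-B"

@dataclass
class SecurityContext:
    key: bytes      # stand-in for the integrity key of a slice or network security context
    count: int = 0  # stand-in for NAS COUNT: freshens each MAC and lets the verifier reject replays

def compute_mac(ctx: SecurityContext, first: dict) -> bytes:
    """MAC over COUNT || GUTI || slice temp id || target slice under ctx (stand-in for the 5G NAS MAC)."""
    payload = ctx.count.to_bytes(4, "big") + b"|".join([first["guti"], first["tmp_id"], first["target"]])
    return hmac.new(ctx.key, payload, hashlib.sha256).digest()[:16]

def horizontal_dispersion(ctx: SecurityContext, target_slice: bytes) -> SecurityContext:
    """One-way derivation of the target slice key from the active key (assumed HMAC-based KDF, not the
    patent's own). The target slice receives only the derived key, never the key it came from."""
    return SecurityContext(hmac.new(ctx.key, b"horizontal-dispersion|" + target_slice, hashlib.sha256).digest())

class UserEquipment:
    def __init__(self, slice_a_ctx: SecurityContext):
        self.contexts = {SLICE_A: slice_a_ctx}

    def build_first_message(self, target: bytes, forged: bool = False) -> dict:
        """Registration request protected under the currently active slice-A context."""
        ctx = self.contexts[SLICE_A]
        ctx.count += 1
        first = {"guti": UE_GUTI, "tmp_id": UE_TMP_ID_A, "target": target, "count": ctx.count}
        first["mac"] = compute_mac(ctx, first)
        if forged:  # simulate a request not produced under the genuine active context
            first["mac"] = bytes(b ^ 0x01 for b in first["mac"])
        return first

    def handle_fourth_message(self, fourth: dict) -> None:
        """Mirror the network's choice so both sides hold the same slice-B context."""
        if fourth["path"] == "horizontal_dispersion":
            self.contexts[SLICE_B] = horizontal_dispersion(self.contexts[SLICE_A], SLICE_B)
        # on the authentication path the stand-in below has already installed the fresh context
        del self.contexts[SLICE_A]  # slice A has revoked the registration; drop the old context

def authentication_and_nas_smc(ue: UserEquipment) -> SecurityContext:
    """Stand-in for a full authentication run plus NAS SMC (not modelled): both sides end with a
    fresh shared key that is independent of every earlier context."""
    fresh = os.urandom(32)
    ue.contexts[SLICE_B] = SecurityContext(fresh)
    return SecurityContext(fresh)

class SliceEntity:
    def __init__(self, slice_id: bytes):
        self.slice_id, self.contexts = slice_id, {}  # contexts: tmp_id -> SecurityContext

    def handle_seventh_message(self, first: dict) -> dict:
        """Old slice: verify the UE's MAC under the context it holds, return that context with a
        verification indication (eighth message), and deregister the UE from this slice either way."""
        ctx = self.contexts.pop(first["tmp_id"], None)
        verified = False
        if ctx is not None and first["count"] > ctx.count:  # stale COUNT means a replay: never verified
            probe = SecurityContext(ctx.key, first["count"])
            verified = hmac.compare_digest(compute_mac(probe, first), first["mac"])
        return {"verification_indication": verified, "context": ctx if verified else None}

    def handle_first_message(self, first: dict, old_slice: "SliceEntity", ue: UserEquipment) -> dict:
        """New slice: fetch the old context (fifth/sixth exchange), derive from it only if the UE is
        verified, otherwise force fresh authentication; answer the UE with the fourth message."""
        eighth = old_slice.handle_seventh_message(first)
        if eighth["verification_indication"]:
            self.contexts[UE_TMP_ID_B] = horizontal_dispersion(eighth["context"], self.slice_id)
            return {"path": "horizontal_dispersion", "tmp_id": UE_TMP_ID_B}
        self.contexts[UE_TMP_ID_B] = authentication_and_nas_smc(ue)
        return {"path": "authentication_and_nas_smc", "tmp_id": UE_TMP_ID_B}

def forward_first_message(first: dict, slices: dict, registered_in: dict, ue: UserEquipment) -> dict:
    """First network entity: forward the request to the slice entity it names (claim 10, first option)."""
    old_slice = slices[registered_in[first["guti"]]]
    return slices[first["target"]].handle_first_message(first, old_slice, ue)

def run_registration(forged: bool = False) -> dict:
    """One slice change; reports the path taken and whether both sides end in a consistent state."""
    shared = os.urandom(32)
    ue = UserEquipment(SecurityContext(shared))
    slice_a, slice_b = SliceEntity(SLICE_A), SliceEntity(SLICE_B)
    slice_a.contexts[UE_TMP_ID_A] = SecurityContext(shared)  # same key as the UE's slice-A context
    slices, registered_in = {SLICE_A: slice_a, SLICE_B: slice_b}, {UE_GUTI: SLICE_A}
    fourth = forward_first_message(ue.build_first_message(SLICE_B, forged), slices, registered_in, ue)
    ue.handle_fourth_message(fourth)
    net_ctx = slice_b.contexts[fourth["tmp_id"]]
    return {"path": fourth["path"],
            "keys_match": ue.contexts[SLICE_B].key == net_ctx.key,
            "old_registration_revoked": UE_TMP_ID_A not in slice_a.contexts,
            "new_key_differs_from_old": net_ctx.key != shared}
```

Calling `run_registration()` takes the horizontal-dispersion path and `run_registration(forged=True)` the authentication path; in both cases the user equipment and the new slice entity end with the same key, that key differs from the slice-A key, and slice A no longer holds a context for the user equipment. The old slice entity pops the context before verifying, so a second copy of the same first message (a replay) cannot be verified even if the first copy was.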
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Although the embodiments of the present invention have been described above, the descriptions are only used for understanding the embodiments of the present invention, and are not intended to limit the embodiments of the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the embodiments of the invention as defined by the appended claims.

Claims (37)

1. A secure communication method, comprising:
sending a first message to a first network slice entity through a first network entity of a network where the first network slice entity to be registered and accessed is located;
receiving a fourth message of the first network slice entity.
2. The secure communication method of claim 1, wherein prior to receiving the fourth message of the first network slice entity, the method further comprises:
a first network slice security context established with the first network slice entity is obtained.
3. The secure communication method of claim 2, wherein the obtaining the first network slice security context established with the first network slice entity comprises any one of:
performing authentication and non-access stratum security mode (NAS SMC) procedures with the first network slice entity, and establishing the first network slice security context with the first network slice entity;
and horizontally dispersing the key in the second network slice security context established with the registered and accessed second network slice entity to obtain the first network slice security context.
4. The secure communication method according to claim 1 or 2, wherein the sending the first message comprises any one of:
directly sending the first message;
sending the first message, verification indication information of the user equipment and a message authentication code MAC calculated based on a first network security context or a second network slice security context in an activated state;
and sending the first message and the verification indication information of the user equipment.
5. The secure communication method according to claim 1 or 2, wherein the first message includes any one of:
the temporary identity information of the user equipment in the first network entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the first network security context in the activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on a first network security context in an activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the security context of the second network slice currently in an activated state;
the identity temporary information of the user equipment in the registered and accessed second network slice entity, the identification of the first network slice entity and the message authentication code MAC calculated based on the first network security context in the activated state.
6. The secure communication method according to claim 1 or 2, wherein the first message is a registration request message and the fourth message is a registration confirmation message.
7. The secure communication method according to claim 1 or 2, wherein the temporary identity information is a 5G globally unique temporary user equipment identity 5G-GUTI, and the identity of the first network slice entity comprises network slice selection assistance information NSSAI.
8. A secure communication method, comprising:
receiving a first message of user equipment; wherein the first message comprises: an identifier of a first network slice entity to be registered and accessed; forwarding the first message to the first network slice entity according to the identity of the first network slice entity.
9. The secure communications method of claim 8, further comprising:
receiving a second message of the first network slice entity, and sending a third message to the first network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment; and deregistering the user equipment in the first network entity.
10. The secure communication method according to claim 8 or 9, wherein the forwarding the first message to the first network slice entity according to the identity of the first network slice entity comprises any one of:
forwarding the first message directly to the first network slice entity according to the identity of the first network slice entity;
acquiring verification indication information or authentication indication information of user equipment, and sending the first message, the verification indication information or the authentication indication information of the user equipment and a message authentication code MAC obtained by calculation based on a first network security context or a second network slice security context in an activated state to a first network slice entity according to an identifier of the first network slice entity;
when the first message does not contain the temporary identity information of the user equipment in a second network entity, performing authentication and non-access stratum security mode (NAS SMC) procedures with the user equipment, and establishing a first network security context with the user equipment; and transmitting the first message and the authentication indication information of the user equipment to the first network slice entity.
11. The secure communication method according to claim 8 or 9, wherein the first message further comprises any one of:
the temporary identity information of the user equipment in the first network entity and a message authentication code MAC calculated based on the first network security context in the activated state at present;
the temporary identity information of the user equipment in the first network entity, the identity temporary information of the user equipment in a registered and accessed second network slice entity and a message authentication code MAC calculated based on a first network security context in an activated state at present;
the temporary identity information of the user equipment in the first network entity, the identity temporary information of the user equipment in a registered and accessed second network slice entity and a message authentication code MAC calculated based on the security context of the second network slice in the activated state;
identity temporary information of the user equipment in the registered and accessed second network slice entity and a message authentication code MAC calculated based on the first network security context in the activated state.
12. A secure communication method, comprising:
receiving a first message sent to a first network slice entity by user equipment through the first network entity of a network where the first network slice entity to be registered and accessed is located;
and acquiring a first network slice security context established by the user equipment and the first network slice entity, and sending a fourth message to the user equipment.
13. The secure communication method according to claim 12, wherein after receiving the first message sent by the user equipment through the registered and accessed first network entity, the method further comprises:
and acquiring verification indication information or authentication indication information of the user equipment.
14. The secure communication method according to claim 13, wherein the obtaining of the verification indication information or the authentication indication information of the user equipment includes any one of:
sending a second message to the first network entity; receiving a third message of the first network entity; wherein the third message includes verification indication information or authentication indication information of the user equipment;
sending a second message to the second network slice entity; receiving a third message of the second network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment;
sending a fifth message to the second network slice entity; receiving a sixth message of the second network slice entity; wherein the sixth message comprises verification indication information or authentication indication information of the user equipment;
sending a fifth message to the first network entity; receiving a sixth message of the first network entity; wherein the sixth message includes authentication indication information of the user equipment.
15. The secure communications method of claim 12, wherein receiving the first message comprises any one of:
directly receiving a first message;
receiving a first message, verification indication information or authentication indication information of user equipment, and a MAC calculated based on a first network security context or a second network slice security context which is in an activated state at present;
and receiving the first message and the authentication indication information of the user equipment.
16. The method of claim 12, wherein obtaining the first network slice security context established by the user equipment and the first network slice entity comprises at least one of:
performing authentication and non-access stratum security mode (NAS SMC) procedures with the user equipment, and establishing a first network slice security context with the user equipment;
acquiring a second network slice security context established by the user equipment and a registered and accessed second network slice entity; when the verification indication information of the user equipment indicates that the user equipment is not verified or the authentication indication information of the user equipment indicates that the user equipment is not authenticated, performing authentication and NAS SMC procedures with the user equipment, and establishing a first network slice security context with the user equipment;
acquiring a second network slice security context established by the user equipment and a registered and accessed second network slice entity; and when the verification indication information of the user equipment indicates that the user equipment passes the verification or the authentication indication information of the user equipment indicates that the user equipment passes the authentication, performing horizontal dispersion on the key in the second network slice security context to obtain a first network slice security context of the user equipment.
17. The method of claim 16, wherein obtaining the second network slice security context established by the user equipment and the registered and accessed second network slice entity comprises any one of:
sending a second message to the second network slice entity; receiving a third message of the second network slice entity; wherein the third message comprises a second network slice security context established by the user equipment with the second network slice entity;
sending a fifth message, an identifier of the first network slice entity and verification indication information or authentication indication information of the user equipment to the second network slice entity; receiving a sixth message of the second network slice entity; wherein the sixth message comprises a second network slice security context established by the user equipment with the second network slice entity.
18. The secure communications method according to claim 17, wherein the fifth message is a security context migration request message, and the sixth message is a security context migration response message.
19. The secure communications method of claim 12, wherein the first message comprises any one of:
the temporary identity information of the user equipment in the first network entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the first network security context in the activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on a first network security context in an activated state;
the temporary identity information of the user equipment in the first network entity, the temporary identity information of the user equipment in a registered and accessed second network slice entity, the identification of the first network slice entity and a message authentication code MAC calculated based on the security context of the second network slice currently in an activated state;
the identity temporary information of the user equipment in the registered and accessed second network slice entity, the identification of the first network slice entity and the message authentication code MAC calculated based on the first network security context in the activated state.
20. A secure communication method, comprising:
receiving a seventh message of the first network slice entity to be registered and accessed; wherein the seventh message comprises a fifth message or a second message;
sending an eighth message to the first network slice entity; wherein the eighth message comprises a sixth message or a third message, and the eighth message comprises a second network slice security context established by the user equipment and a second network slice entity which is registered and accessed.
21. The secure communications method of claim 20, further comprising:
deregistering the user equipment from the second network slice entity.
22. The secure communication method according to claim 20 or 21, wherein the eighth message further includes verification indication information or authentication indication information of the user equipment.
23. The secure communication method according to claim 20 or 21, wherein the receiving the seventh message of the first network slice entity to be registered and accessed comprises any one of the following:
receiving a seventh message of the first network slice entity to be registered and accessed;
and receiving a seventh message of a first network slice entity to be registered and accessed, the identification of the first network slice entity and verification indication information or authentication indication information of the user equipment.
24. A secure communication method, comprising:
receiving a second message of a first network entity of a network where a first network slice entity to be registered and accessed is located; wherein the second message comprises an identification of the first network slice entity;
sending a third message to the first network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment.
25. The secure communications method of claim 24, further comprising: revoking the registration of the user equipment on the second network entity itself.
26. A secure communication method, comprising:
sending a first message to a second network entity to be registered and accessed; wherein the first message comprises: temporary identity information of the user equipment in the registered and accessed first network slice entity, temporary identity information of the user equipment in the registered and accessed first network entity, and a message authentication code MAC calculated based on the first network slice security context currently in an activated state;
and acquiring a second network security context established with the second network entity, and receiving a fourth message of the second network entity.
27. The secure communications method of claim 26, wherein obtaining the second network security context established with the second network entity comprises:
performing authentication and non-access stratum security mode (NAS SMC) procedures with the second network entity, and establishing the second network security context with the second network entity.
28. A secure communication method, comprising:
receiving a first message of user equipment; wherein the first message comprises: temporary identity information of the user equipment in a registered and accessed second network slice entity, temporary identity information of the user equipment in a registered and accessed first network entity, and a message authentication code MAC calculated based on the first network slice security context currently in an activated state;
acquiring verification indication information or authentication indication information of user equipment, and acquiring a first network security context established between the user equipment and the first network entity;
and acquiring a second network security context established with the user equipment, and sending a fourth message to the user equipment.
29. The secure communication method according to claim 28, wherein the obtaining the verification indication information or the authentication indication information of the user equipment comprises:
sending a second message to the second network slice entity;
receiving a third message of the second network slice entity; wherein the third message includes verification indication information or authentication indication information of the user equipment.
30. The secure communications method of claim 28, wherein the obtaining the first network security context established by the user equipment and the first network entity comprises:
sending a fifth message to the first network entity; wherein the fifth message includes verification indication information or authentication indication information of the user equipment;
receiving a sixth message of the first network entity; wherein the sixth message includes the first network security context.
31. The secure communications method of claim 28, wherein the obtaining the second network security context established with the user equipment comprises at least one of:
when the verification indication information of the user equipment indicates that the user equipment passes verification or the authentication indication information of the user equipment indicates that the user equipment passes authentication, performing horizontal dispersion on the key of the first network security context to obtain a second network security context;
and when the verification indication information of the user equipment indicates that the user equipment is not verified or the authentication indication information of the user equipment indicates that the user equipment is not authenticated, performing authentication and NAS SMC (non-access stratum security mode command) procedures with the user equipment, and establishing the second network security context with the user equipment.
32. A secure communication method, comprising:
receiving a second message of a second network entity to be registered and accessed;
sending a third message to the second network entity; wherein the third message includes verification indication information or authentication indication information of the user equipment; and revoking the registration of the user equipment on the registered and accessed first network slice entity.
33. A secure communication method, comprising:
receiving a fifth message of a second network entity to be registered and accessed; wherein the fifth message includes verification indication information or authentication indication information of the user equipment;
sending a sixth message to the second network entity; wherein the sixth message comprises the established first network security context of the user equipment and the registered and accessed first network entity.
34. A secure communications apparatus comprising a processor and a computer readable storage medium having instructions stored thereon, wherein the instructions, when executed by the processor, implement a secure communications method as claimed in any one of claims 1 to 33.
35. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the secure communication method according to any one of claims 1 to 33.
36. A secure communication system, comprising:
the user equipment is used for sending a first message to a first network slice entity through the first network entity of the network where the first network slice entity to be registered and accessed is located; receiving a fourth message of the first network slice entity;
a first network entity, configured to receive a first message of a user equipment; wherein the first message comprises: an identifier of a first network slice entity to be registered and accessed; forwarding the first message to the first network slice entity according to the identity of the first network slice entity;
the first network slice entity is used for receiving a first message sent by the user equipment through the first network entity; and acquiring a first network slice security context established by the user equipment and the first network slice entity, and sending a fourth message to the user equipment.
37. A secure communication system, comprising:
the user equipment is used for sending a first message to a second network entity to be registered and accessed; wherein the first message comprises: temporary identity information of the user equipment in a registered and accessed first network slice entity, temporary identity information of the user equipment in the registered and accessed first network entity, and a message authentication code MAC calculated based on the first network slice security context that is currently in an activated state; acquiring a second network security context established with the second network entity, and receiving a fourth message of the second network entity;
the second network entity is used for receiving a first message of the user equipment; acquiring verification indication information of user equipment, and acquiring a first network security context established between the user equipment and the first network entity; and acquiring a second network security context established with the user equipment, and sending a fourth message to the user equipment.
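The following is an added worked example, not code from the patent or from ZTE, that models the first message of claim 37: the user equipment sends its two temporary identities together with a MAC computed from the currently active slice security context, and the receiving network entity checks that MAC before using the identities to locate the security contexts. The claims do not specify the MAC algorithm, the key, or the exact bytes covered, so this example assumes HMAC-SHA256 keyed with a 32-byte integrity key taken from the slice context, a length-prefixed encoding of the two identities as MAC input, and a lookup of the slice context by the slice temporary identity; all names (`SliceSecurityContext`, `FirstMessage`, `SecondNetworkEntity`) and sample values are constructed for the illustration.

```python
"""Added example (not from the patent): toy model of the claim-37 first message.

Assumptions not stated in the claims: MAC = HMAC-SHA256 over the two temporary
identities, keyed with a 32-byte integrity key from the active slice security
context; the verifying network entity finds that context by slice temp identity.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SliceSecurityContext:
    """Hypothetical shape of the 'first network slice security context'."""
    slice_id: str
    k_int: bytes          # integrity key (assumption: 32 bytes)
    active: bool = True   # only a context 'in an activated state' may be used


@dataclass(frozen=True)
class FirstMessage:
    tmp_id_slice: str     # UE temporary identity in the registered slice entity
    tmp_id_net: str       # UE temporary identity in the registered network entity
    mac: bytes            # MAC computed over both identities


def mac_input(tmp_id_slice: str, tmp_id_net: str) -> bytes:
    """Length-prefix each field so ("ab","c") and ("a","bc") cannot collide."""
    out = b""
    for field in (tmp_id_slice, tmp_id_net):
        data = field.encode()
        out += len(data).to_bytes(2, "big") + data
    return out


def compute_mac(ctx: SliceSecurityContext, tmp_id_slice: str, tmp_id_net: str) -> bytes:
    """UE side: MAC 'calculated based on' the active slice security context."""
    if not ctx.active:
        raise ValueError("slice security context is not in an activated state")
    return hmac.new(ctx.k_int, mac_input(tmp_id_slice, tmp_id_net), hashlib.sha256).digest()


def ue_build_first_message(ctx: SliceSecurityContext,
                           tmp_id_slice: str, tmp_id_net: str) -> FirstMessage:
    return FirstMessage(tmp_id_slice, tmp_id_net, compute_mac(ctx, tmp_id_slice, tmp_id_net))


class SecondNetworkEntity:
    """Verifier side: the slice contexts it can reach, keyed by slice temp identity."""

    def __init__(self, contexts: dict):
        self._contexts = contexts  # tmp_id_slice -> SliceSecurityContext

    def verify_first_message(self, msg: FirstMessage) -> bool:
        ctx = self._contexts.get(msg.tmp_id_slice)
        if ctx is None or not ctx.active:
            return False  # unknown identity or context no longer active
        expected = compute_mac(ctx, msg.tmp_id_slice, msg.tmp_id_net)
        # Constant-time comparison so the check leaks nothing about the MAC.
        return hmac.compare_digest(expected, msg.mac)


def run_demo() -> dict:
    """Constructed sample run: one genuine message and three that must be rejected."""
    k_int = hashlib.sha256(b"constructed-demo-slice-key").digest()       # constructed
    ctx = SliceSecurityContext("slice-A", k_int)
    stale = SliceSecurityContext("slice-B", hashlib.sha256(b"old-key").digest(), active=False)
    nw2 = SecondNetworkEntity({"tmp-slice-0001": ctx, "tmp-slice-0002": stale})

    msg = ue_build_first_message(ctx, "tmp-slice-0001", "tmp-net-77")
    tampered = FirstMessage("tmp-slice-0001", "tmp-net-78", msg.mac)   # identity altered in transit
    unknown = FirstMessage("tmp-slice-9999", "tmp-net-77", msg.mac)    # no such slice context
    stale_msg = FirstMessage("tmp-slice-0002", "tmp-net-77", msg.mac)  # context not activated
    return {
        "valid": nw2.verify_first_message(msg),
        "tampered_net_id": nw2.verify_first_message(tampered),
        "unknown_slice_id": nw2.verify_first_message(unknown),
        "stale_context": nw2.verify_first_message(stale_msg),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the example makes about claim 37 is that the second network entity can only trust the temporary identities in the first message after checking the MAC against a context that is still active; a message whose network-side identity was altered, whose slice identity is unknown, or whose context has been deactivated fails the check and no second network security context is derived for it.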
CN201910049372.6A 2019-01-18 2019-01-18 Secure communication method, device and system Pending CN111464324A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910049372.6A CN111464324A (en) 2019-01-18 2019-01-18 Secure communication method, device and system
PCT/CN2019/124073 WO2020147457A1 (en) 2019-01-18 2019-12-09 Method and device for determining harq-ack codebook and harq-ack information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910049372.6A CN111464324A (en) 2019-01-18 2019-01-18 Secure communication method, device and system

Publications (1)

Publication Number Publication Date
CN111464324A true CN111464324A (en) 2020-07-28

Family

ID=71614313

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910049372.6A Pending CN111464324A (en) 2019-01-18 2019-01-18 Secure communication method, device and system

Country Status (2)

Country Link
CN (1) CN111464324A (en)
WO (1) WO2020147457A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113449286A (en) * 2021-07-08 2021-09-28 深圳职业技术学院 Method, system and equipment for safely checking S-NSSAI (S-NSSAI) sent by UE (user Equipment)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104079390A (en) * 2013-03-25 2014-10-01 北京三星通信技术研究有限公司 Method and equipment for transmitting HARQ-ACK (Hybrid Automatic Repeat-Request Acknowledgement) feedback information in inter-eNB carrier aggregation system
US9800387B2 (en) * 2014-11-06 2017-10-24 Intel IP Corporation Computing apparatus with cross-subframe scheduling
WO2018232046A1 (en) * 2017-06-15 2018-12-20 Sharp Laboratories Of America, Inc. Downlink control signaling to enable preemption and cbg-based (re)transmission

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113449286A (en) * 2021-07-08 2021-09-28 深圳职业技术学院 Method, system and equipment for safely checking S-NSSAI (S-NSSAI) sent by UE (user Equipment)
CN113449286B (en) * 2021-07-08 2024-03-26 深圳职业技术学院 Method, system and equipment for safety check of S-NSSAI (S-NSSAI) sent by UE (user equipment)

Also Published As

Publication number Publication date
WO2020147457A1 (en) 2020-07-23

Similar Documents

Publication Publication Date Title
US20220360980A1 (en) Security Context Handling in 5G During Connected Mode
JP7455580B2 (en) Enhanced registration procedures on mobile systems that support network slicing
KR102046159B1 (en) Security and information supporting method and system for using policy control in re-subscription or adding subscription to mobile network operator in mobile telecommunication system environment
CN110896538B (en) Mode switching in a wireless device using multiple security credentials
CN112105021B (en) Authentication method, device and system
WO2019206286A1 (en) Method, apparatus and system for accessing network slice
CN111818516B (en) Authentication method, device and equipment
EP2466759B1 (en) Method and system for changing a selected home operator of a machine to machine equipment
US11751130B2 (en) Apparatus, method and computer program
WO2018045983A1 (en) Information processing method and device, and network system
WO2021197489A1 (en) Communication system, method and apparatus
US20230232228A1 (en) Method and apparatus for establishing secure communication
CN112956253B (en) Method and apparatus for attaching user equipment to network slice
AU2021247219B2 (en) Terminal parameter updating protection method and communication device
EP3883280A1 (en) Communication method and related product
WO2019196963A1 (en) Method and device for accessing network slice, storage medium, electronic device
CN111464324A (en) Secure communication method, device and system
GB2589154A (en) Method and system for accessing private network services
CN113286300B (en) Block chain-based network fragment authentication method, system, network element and storage medium
WO2019220002A1 (en) Authentication in public land mobile networks comprising tenant slices
CN111866872B (en) Communication method and device
WO2016188022A1 (en) Roaming method, roaming server, mobile terminal and system
CN112333784B (en) Security context processing method, first network element, terminal device and medium
CN113498059B (en) Authentication and authorization result notification and processing method, equipment, device and medium thereof
KR20240064005A (en) State authentication methods and devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination