CN111770488A - EHPLMN updating method, related equipment and storage medium - Google Patents

Info

Publication number
CN111770488A
Authority
CN
China
Prior art keywords
information
ehplmn
terminal
encrypted
network equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010635877.3A
Other languages
Chinese (zh)
Other versions
CN111770488B (en)
Inventor
刘君
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Oppo Mobile Telecommunications Corp Ltd
Original Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd
Application filed by Guangdong Oppo Mobile Telecommunications Corp Ltd
Priority to CN202010635877.3A
Publication of CN111770488A
Application granted
Publication of CN111770488B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/22 Processing or transfer of terminal data, e.g. status or physical capabilities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/08 Mobility data transfer
    • H04W8/082 Mobility data transfer for traffic bypassing of mobility servers, e.g. location registers, home PLMNs or home agents
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/22 Processing or transfer of terminal data, e.g. status or physical capabilities
    • H04W8/24 Transfer of terminal data
    • H04W8/245 Transfer of terminal data from a network towards a terminal

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses an EHPLMN updating method, a chip, a communication device and a storage medium. The method comprises the following steps: a terminal receives first information sent by network equipment, where the first information comprises at least one piece of EHPLMN information, namely EHPLMN information updated with respect to the EHPLMN information preset in the terminal; the terminal saves the first information and uses the first information together with the EHPLMN information preset in the terminal as the updated EHPLMN information.

Description

EHPLMN updating method, related equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to an Equivalent Home Public Land Mobile Network (EHPLMN) update method, a related device, and a storage medium.
Background
EHPLMN plays an important role in terminals from Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS), Long Term Evolution (LTE) System to the current fifth Generation Mobile communication technology (5G, 5th Generation) System.
However, in the related art, the method for updating EHPLMN needs to be optimized.
Disclosure of Invention
In order to solve the related technical problem, embodiments of the present application provide an EHPLMN updating method, related devices, and a storage medium.
The technical scheme of the embodiment of the application is realized as follows:
an embodiment of the present application provides an EHPLMN updating method, including:
a terminal receives first information sent by network equipment; the first information comprises at least one EHPLMN information; the first information includes EHPLMN information updated with respect to EHPLMN information preset in the terminal;
the terminal saves the first information; and using the first information and EHPLMN information preset in the terminal as updated EHPLMN information together.
In the above scheme, the receiving, by the terminal, the first information sent by the network device includes:
the terminal receives first information sent by the network equipment through Non-access Stratum (NAS) signaling.
In the above scheme, the receiving, by the terminal, the first information sent by the network device includes:
the terminal receives encrypted first information sent by the network equipment;
the saving the first information includes:
the terminal decrypts the encrypted first information to obtain decrypted first information;
and storing the decrypted first information.
In the foregoing solution, the decrypting the encrypted first information includes:
the terminal decrypts the encrypted first information by using the second information as a secret key; the second information includes EHPLMN information preset in the terminal.
In the foregoing solution, the decrypting, by the terminal, the encrypted first information includes:
the terminal carries out integrity check on the encrypted first information;
and after the integrity check of the encrypted first information passes, the terminal decrypts the encrypted first information.
In the foregoing solution, the performing integrity check on the encrypted first information includes:
the terminal carries out integrity check on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identification represents a version corresponding to the first information.
In the foregoing solution, when receiving the first information, the method further includes:
the terminal receives a first identifier sent by the network equipment; the first identification represents a version corresponding to the first information;
the saving the first information includes:
under the condition that the version of the first identification representation is higher than that of the second identification representation, the terminal updates locally stored third information by using the first information; the second identifier represents a version corresponding to the third information locally stored by the terminal; the third information comprises EHPLMN information updated by the terminal based on information sent by network equipment history.
An embodiment of the present application further provides an EHPLMN updating method, including:
the network equipment detects an event for updating the EHPLMN information;
the network equipment generates first information according to the detected event for updating the EHPLMN information; the first information comprises at least one EHPLMN information; the first information includes EHPLMN information updated with respect to EHPLMN information preset in the terminal.
And the network equipment sends the generated first information to the terminal.
In the foregoing solution, the generating first information according to the detected event for updating EHPLMN information includes:
the network equipment determines fourth information according to the detected event for updating the EHPLMN information; the fourth information includes all EHPLMN information after the operation corresponding to the event of updating EHPLMN information is performed;
and the network equipment removes the EHPLMN information preset by the terminal in the fourth information to obtain the first information.
In the foregoing solution, the sending the generated first information to the terminal includes:
and the network equipment sends the first information to the terminal through NAS signaling.
In the foregoing solution, the sending the generated first information to the terminal includes:
the network equipment encrypts the first information to obtain encrypted first information;
and sending the encrypted first information to the terminal.
In the foregoing solution, the encrypting the first information includes:
the network equipment uses second information as a key to encrypt the first information; the second information includes EHPLMN information preset in the terminal.
In the foregoing solution, the sending the encrypted first information to the terminal includes:
the network equipment performs integrity protection on the encrypted first information;
and sending the encrypted first information subjected to integrity protection to the terminal.
In the foregoing solution, the integrity protection of the encrypted first information includes:
the network equipment performs integrity protection on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identification represents a version corresponding to the first information.
In the foregoing solution, when the generated first information is sent to a terminal, the method further includes:
the network equipment sends a first identifier to the terminal; the first identification represents a version corresponding to the first information.
An embodiment of the present application further provides a chip, including: a processor and an interface; wherein,
the processor is configured to execute the steps of any one of the methods on the terminal side or execute the steps of any one of the methods on the network device side when running the computer program.
An embodiment of the present application further provides a communication device, including: a processor and a memory for storing a computer program capable of running on the processor; wherein,
the processor is configured to execute the steps of any one of the methods on the terminal side or execute the steps of any one of the methods on the network device side when the computer program is executed.
An embodiment of the present application further provides a storage medium, where a computer program is stored, and when the computer program is executed by a processor, the steps of any method on the terminal side are implemented, or the steps of any method on the network device side are implemented.
According to the EHPLMN updating method, the EHPLMN updating device, the related equipment and the storage medium, network equipment detects an event for updating EHPLMN information; generating first information according to the detected event for updating the EHPLMN information; sending the generated first information to a terminal; the terminal stores the first information, and the first information and the EHPLMN information preset in the terminal are jointly used as updated EHPLMN information, wherein the first information comprises EHPLMN information updated relative to the EHPLMN information preset in the terminal; according to the scheme of the embodiment of the application, the terminal uses at least one piece of EHPLMN information sent by the network equipment and the EHPLMN information preset by the terminal as the updated EHPLMN information together, so that the terminal does not need to actively collect the EHPLMN information updated by the corresponding operator, but the network equipment of the corresponding operator sends the updated EHPLMN information to the terminal, and therefore the terminal can accurately update the EHPLMN information in real time.
Drawings
FIG. 1 is a flowchart illustrating an EHPLMN updating method applied to a network device according to an embodiment of the present application;
FIG. 2 is a flowchart illustrating an EHPLMN updating method applied to a terminal according to an embodiment of the present application;
FIG. 3 is a timing diagram illustrating an EHPLMN update method according to an embodiment of the present application;
FIG. 4 is a flowchart illustrating a process of encrypting an Additional EHPLMN List according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating a process of decrypting the encrypted Additional EHPLMN List according to an embodiment of the present application;
FIG. 6 is a first schematic structural diagram of an EHPLMN updating apparatus according to an embodiment of the present application;
FIG. 7 is a second schematic structural diagram of an EHPLMN updating apparatus according to an embodiment of the present application;
FIG. 8 is a diagram illustrating a chip structure according to an embodiment of the present disclosure;
FIG. 9 is a schematic diagram of a hardware structure of a communication device according to an embodiment of the present application.
Detailed Description
The technical solution of the present application is further described in detail below with reference to the drawings and examples of the specification.
In the related art, the Elementary File (EF) EF_EHPLMN in the Universal Subscriber Identity Module (USIM) of a terminal stores EHPLMN information, which may be embodied in the form of an EHPLMN List; the terminal may determine whether the currently registered PLMN is a roaming PLMN according to the EHPLMN List and, if it is, start to periodically search for a network in order to correctly return to the Home Public Land Mobile Network (HPLMN, Home PLMN) designated by the corresponding operator.
In recent years, due to the rapid development of wireless technologies and the proliferation of terminal users caused by the popularization of smartphones, some large operators have gradually expanded and/or upgraded their wireless networks, so that the EHPLMN List preset in the USIM of a terminal may no longer meet the requirements of the corresponding operator. In the process of expanding and/or upgrading the wireless network, an operator may add new EHPLMN information on the basis of the EHPLMN List preset in the USIM. The new EHPLMN information may also be embodied as a list; to distinguish it from the EHPLMN List, the list of EHPLMN information added by the operator may be referred to as an Additional EHPLMN List. After the corresponding operator adds the Additional EHPLMN List on the basis of the EHPLMN List, the Additional EHPLMN List needs to be synchronized to the terminal so that the terminal can correctly identify a roaming PLMN.
Generally, in order to synchronize the Additional EHPLMN List extended by the corresponding operator, the terminal needs to actively collect that list and then store it in a Non-Volatile Memory (NVM). Because there are numerous large operators worldwide, it is very difficult to cover accurate information for all of them, that is, it is very difficult for the terminal to collect an accurate Additional EHPLMN List extended by the corresponding operator. Moreover, the corresponding operator may expand and/or upgrade the wireless network multiple times, and the terminal cannot obtain the Additional EHPLMN List in time (i.e., in real time) after each extension. Therefore, with this method the terminal cannot accurately synchronize the Additional EHPLMN List extended by the corresponding operator in real time.
Based on this, in various embodiments of the present application, at least one EHPLMN information (i.e., the Additional EHPLMN List) is sent to the terminal through the network device, so that the terminal uses the at least one EHPLMN information sent by the network device and the EHPLMN information preset by the terminal (i.e., the EHPLMN List) together as the updated EHPLMN information; the terminal does not need to actively collect the EHPLMN information updated by the corresponding operator, but the network equipment of the corresponding operator sends the updated EHPLMN information to the terminal, so that the terminal can accurately update the EHPLMN information in real time.
An embodiment of the present application provides an EHPLMN updating method, which is applied to a network device, and as shown in fig. 1, the method includes the following steps:
step 101: the network equipment detects an event for updating the EHPLMN information;
step 102: the network equipment generates first information according to the detected event for updating the EHPLMN information;
here, the first information includes at least one EHPLMN information; the first information does not include second information; the second information comprises EHPLMN information preset in the terminal; that is, the first information includes EHPLMN information updated with respect to EHPLMN information preset in the terminal;
step 103: and the network equipment sends the generated first information to the terminal.
Here, the first information and the second information may be EHPLMN information that can be used by the terminal, for example, may be used by the terminal to determine whether a currently registered PLMN is a roaming PLMN.
The first information does not include the second information, that is, the first information includes EHPLMN information completely different from EHPLMN information included in the second information.
Here, the second information is the EHPLMN List, and the first information is the above-mentioned Additional EHPLMN List.
Here, it should be noted that the terminal is any terminal registered in a network corresponding to the network device.
In step 101, in actual application, the event for updating EHPLMN information may be an event in various forms, for example, the event for updating EHPLMN information may be an operation of adding EHPLMN information in a visual management page corresponding to the network device by an administrator of a corresponding operator; for another example, the event for updating EHPLMN information may be that the network device receives an instruction sent by an administrator of a corresponding operator to add EHPLMN information.
In practical application, an event for updating EHPLMN information may occur during a network upgrade process and/or a network capacity expansion process of a corresponding operator.
In step 102, in actual application, after detecting an event of updating EHPLMN information, the network device may determine, according to the event of updating EHPLMN information, all EHPLMN information after performing an operation corresponding to the event of updating EHPLMN information by the network device (which may be referred to as fourth information in the following description); the network equipment stores the second information in advance, and all events for updating the EHPLMN information are updating events aiming at the second information; therefore, the fourth information includes the second information, and the network device may obtain an Additional EHPLMN List by removing the second information in the fourth information, that is, obtain the first information.
Based on this, in an embodiment, the generating the first information according to the detected event of updating the EHPLMN information may include:
the network equipment determines fourth information according to the detected event for updating the EHPLMN information; the fourth information includes all EHPLMN information after the operation corresponding to the event of updating EHPLMN information is performed; that is, the fourth information includes the second information;
the network device removes the second information (namely EHPLMN information preset in the terminal) in the fourth information to obtain the first information.
In practical application, in order to reduce modification costs for the network device and the terminal, when the network device sends the first information to the terminal, the first information may be transmitted by using signaling in an existing signaling interaction flow between a network side and a terminal side, for example, a NAS Transport (Transport) flow.
Based on this, in an embodiment, in step 103, the sending the generated first information to the terminal may include:
and the network equipment sends the first information to the terminal through NAS signaling.
Here, in various embodiments of the present application, all information interacted between the network device and the terminal may be transmitted through NAS signaling.
In actual application, the first information may be set in a payload container (payload container) field of the NAS signaling; accordingly, after receiving the NAS signaling, the terminal may obtain the first information from a Payload Container domain in the NAS signaling.
In practical application, in order to enable the terminal to distinguish the NAS signaling carrying the first information from other NAS signaling, the network device may set an identifier (which may be referred to as a third identifier in the following description) in the NAS signaling carrying the first information, where the third identifier may be a value that is not used or defined in any related technology and has no special meaning; when the terminal detects the third identifier from NAS signaling, the terminal may determine to receive NAS signaling carrying the first information, that is, receive the first information sent by the network device. Here, the third identifier may be set in a Payload Container Type (Payload Container Type) field of the NAS signaling (e.g., the Payload Container Type field is set to 9); therefore, the efficiency of the terminal for determining whether the current NAS signaling carries the first information can be improved.
Based on this, in step 103, when the network device sends the generated first information to the terminal in actual application, the method may further include: the network equipment sends a third identifier to the terminal; the third identifier is used for the terminal to determine to receive the first information sent by the network device.
In practical applications, the network device may include at least two network elements on the network side, such as a Unified Data Management (UDM) network element and an Access and Mobility Management Function (AMF) network element. Specifically, the UDM network element may detect an event that updates EHPLMN information; when such an event is detected, the UDM network element may determine the fourth information according to the event, remove the second information from the fourth information to generate the first information, and send the first information to the AMF network element through a subscription data notification (Nudm_SDM_Notification) message; the first information is then sent to the terminal through a Downlink NAS Transport message.
In practical application, the terminal needs to determine whether the first information is an Additional EHPLMN List that it requires, that is, whether the version corresponding to the first information is higher than the version of the EHPLMN information stored in the terminal. When the terminal determines that the version corresponding to the first information is higher than the version of the EHPLMN information stored in the terminal, the terminal stores the first information; when the terminal determines that the version corresponding to the first information is lower than or equal to the version of the EHPLMN information stored in the terminal, the terminal discards the first information. To enable this, when the network device sends the generated first information to the terminal, it may also send identification information representing the version corresponding to the first information (referred to as a first identifier in the following description); in this way, the terminal may determine from the first identifier whether the first information needs to be saved.
Based on this, in an embodiment, when the generated first information is sent to the terminal, the method may further include:
the network equipment sends a first identifier to the terminal; the first identification represents a version corresponding to the first information.
Specifically, the network device may send the first identifier to the terminal through NAS signaling.
In practical application, the first information is very important: if it is erroneously or maliciously tampered with during data transmission, the terminal may be on a Visited Public Land Mobile Network (VPLMN) while mistakenly assuming that the VPLMN is the HPLMN. The terminal and the network device therefore need to transmit the first information securely; for example, the first information is encrypted, or the first information is transmitted through a secure tunnel established between the terminal and the network device.
Based on this, in an embodiment, the sending the generated first information to the terminal may include:
the network equipment encrypts the first information to obtain encrypted first information;
and sending the encrypted first information to the terminal.
In practical application, the network device and the terminal may set an encryption key locally in advance for encrypting and decrypting the first information. Here, since both the terminal and the network device store second information, only the terminal and the network device can know the content of the second information; therefore, in order to save the storage space of the terminal and the network device and further improve the security of transmitting the first information, the second information may be directly set as an encryption key stream, that is, the second information is used as a key; the network device uses the second information as a key to encrypt the first information to obtain encrypted first information; and after receiving the encrypted first information, the terminal can decrypt the encrypted first information by using the second information to obtain decrypted first information.
In actual application, the network device and the terminal can encrypt and decrypt the first information by using any encryption method; for example, when the network device encrypts the first information, an exclusive or operation may be performed on the first information and an encryption key stream (e.g., the second information), and an obtained result of the exclusive or operation is the encrypted first information; accordingly, when the terminal decrypts the encrypted first information, an exclusive or operation may be performed on the encrypted first information and a decryption key stream (corresponding to the encryption key stream, that is, the second information), and an obtained result of the exclusive or operation is the decrypted first information.
In practical application, when the network device is composed of a UDM network element and an AMF network element, the UDM network element may encrypt the first information after generating it to obtain the encrypted first information, and send the encrypted first information to the AMF network element through a Nudm_SDM_Notification message; the encrypted first information is then sent to the terminal through a Downlink NAS Transport message.
In practical application, in order to ensure the integrity of the encrypted first information received by the terminal, the network device may further perform integrity protection on the encrypted first information, and send the encrypted first information subjected to integrity protection to the terminal.
Based on this, in an embodiment, the sending the encrypted first information to the terminal may include:
the network equipment performs integrity protection on the encrypted first information;
and sending the encrypted first information subjected to integrity protection to the terminal.
Here, when the network device sends the encrypted first information subjected to integrity protection to the terminal, it is further required to send first integrity verification information at the same time, where the first integrity verification information is generated after the network device performs integrity protection on the encrypted first information, and the first integrity verification information is used for the terminal to perform integrity check on the encrypted first information after receiving the encrypted first information.
In practical applications, the first integrity verification information may include a Message Authentication Code (MAC).
In actual application, the network device may also send, to the terminal, first integrity verification information corresponding to the encrypted first information subjected to integrity protection through a Downlink NAS Transport message; therefore, the sending the encrypted first information subjected to integrity protection to the terminal may include: and the network equipment sends the encrypted first information and first integrity verification information corresponding to the encrypted first information to the terminal.
In practical application, parameters required for integrity protection of the encrypted first information and parameters required for integrity check of the encrypted first information (the parameters required for integrity protection of the encrypted first information are the same as the parameters required for integrity check of the encrypted first information) may be set as needed, for example, the length of the encrypted first information, the first identifier, the length of the first identifier, and the like.
Based on this, in an embodiment, the integrity protecting the encrypted first information may include:
and the network equipment performs integrity protection on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier.
In practical application, the network device and the terminal may use any data integrity protection algorithm to perform integrity protection on the encrypted first information and to perform the integrity check on it, such as the MD5 Message-Digest Algorithm (MD5) or a Key Derivation Function (KDF). Meanwhile, the network device may further include an Authentication Server Function (AUSF) network element, and the AUSF network element performs integrity protection on the encrypted first information.
For example, when the network device is composed of a UDM network element, an AUSF network element, and an AMF network element, the integrity protection of the encrypted first information by the network device using the KDF may be specifically implemented as follows: after the UDM network element generates the first information, the UDM network element encrypts the first information to obtain the encrypted first information, and sends an integrity protection request (which may be denoted as Nausf_AddEHPLMN_Protection) message carrying the encrypted first information to the AUSF network element to request the AUSF network element to perform integrity protection on the encrypted first information. After receiving the Nausf_AddEHPLMN_Protection message, the AUSF network element may generate a counter (which may be denoted as Counter_EHPLMN) whose initial value is a first value (the first value may be any value that is not used or not defined with a special meaning in the related art, e.g. 0x00 0x01); Counter_EHPLMN may characterize the version corresponding to the at least one EHPLMN information included in the first information (i.e., it is the first identifier). The AUSF network element then uses a preset first FC value (the first FC value may be any value that is not used or not defined with a special meaning in the related art, such as 0x80; the FC value is a KDF instance identifier used to identify different KDF instances, i.e. to distinguish KDF instances used for different calculation purposes), the encrypted first information, the length of the encrypted first information, Counter_EHPLMN (i.e., the first identifier) and the length of Counter_EHPLMN (i.e., the length of the first identifier) as input parameters of the KDF, and runs the KDF with the AUSF key (K_AUSF), negotiated by the terminal and the AUSF network element in the process of registering the terminal to the network corresponding to the network device, as the specified key of the KDF; the AUSF network element may determine the low 128 bits of the result output after the KDF is run as the MAC (which may be denoted as EHPLMN-MAC-I_AUSF) obtained after integrity protection is performed on the encrypted first information. After obtaining EHPLMN-MAC-I_AUSF, the AUSF network element may return to the UDM network element an integrity protection request response (which may be denoted as Nausf_AddEHPLMN_Protection_Rsp) message carrying EHPLMN-MAC-I_AUSF and Counter_EHPLMN; after the Nausf_AddEHPLMN_Protection_Rsp message is returned by the AUSF network element, Counter_EHPLMN may be incremented by 1, i.e. Counter_EHPLMN is updated with the result of adding 1, for the AUSF network element to use the next time it calculates EHPLMN-MAC-I_AUSF. After receiving the Nausf_AddEHPLMN_Protection_Rsp message, the UDM network element may send the encrypted first information, EHPLMN-MAC-I_AUSF and Counter_EHPLMN to the AMF network element through a Nudm_SDM_Notification message, and the AMF network element sends the encrypted first information, EHPLMN-MAC-I_AUSF (i.e., the first integrity verification information) and Counter_EHPLMN (i.e. the first identifier) to the terminal through a Downlink NAS Transport message.
Here, the encrypted first information, EHPLMN-MAC-I_AUSF and Counter_EHPLMN may be set in the Payload Container field of the Downlink NAS Transport message, and the Payload Container Type field of the Downlink NAS Transport message may be set as the third identifier (the third identifier may be any value that is not used or not defined with a special meaning in the related art, for example, 9).
Correspondingly, for the above process of integrity protection of the encrypted first information, the integrity check of the encrypted first information by the terminal using the KDF may be specifically implemented as follows: the terminal receives a Downlink NAS Transport message from the network device, and when detecting that the Payload Container Type field of the Downlink NAS Transport message is the first identifier, the terminal determines that it has received the encrypted first information, namely determines that the Payload Container field of the Downlink NAS Transport message contains the encrypted first information; at this time, the terminal needs to perform a security check on the Payload Container field of the Downlink NAS Transport message, where the security check means that the terminal performs an integrity check on the encrypted first information by using the other information contained in the Payload Container field of the Downlink NAS Transport message, and decrypts the encrypted first information after the integrity check of the encrypted first information passes. Specifically, the terminal obtains the encrypted first information, EHPLMN-MAC-I_AUSF and Counter_EHPLMN from the Payload Container field of the Downlink NAS Transport message, uses the preset first FC value, the encrypted first information, the length of the encrypted first information, Counter_EHPLMN and the length of Counter_EHPLMN as input parameters of the KDF, and runs the KDF with K_AUSF as the specified key of the KDF; the terminal may determine the low 128 bits of the result output after the KDF is run as the MAC (which may be denoted as EHPLMN-XMAC-I_AUSF) obtained by performing the integrity check on the encrypted first information. After obtaining EHPLMN-XMAC-I_AUSF, the terminal can compare EHPLMN-XMAC-I_AUSF with EHPLMN-MAC-I_AUSF; if EHPLMN-XMAC-I_AUSF and EHPLMN-MAC-I_AUSF are equal, the terminal can determine that the integrity check of the encrypted first information passes; at this time, the terminal may decrypt the encrypted first information to obtain the decrypted first information, and store the decrypted first information. Here, the terminal calculates EHPLMN-XMAC-I_AUSF in the same way as the AUSF network element calculates EHPLMN-MAC-I_AUSF, that is, the parameters the terminal needs to calculate EHPLMN-XMAC-I_AUSF are the same as the parameters the AUSF network element needs to calculate EHPLMN-MAC-I_AUSF.
In actual application, in order to enable the network device to determine that the terminal completes EHPLMN update, the Downlink NAS Transport message (i.e., NAS signaling) may further include a reception confirmation indication (which may be denoted as acknowledgement) information; the ACK Indication information is used for indicating the terminal to send receiving confirmation information to the network equipment after the first information is saved; of course, in order to ensure the integrity of information transmission, the receiving confirmation information may be integrity protected; after receiving the reception confirmation information, the network device may perform integrity check on the reception confirmation information, and after the integrity check of the reception confirmation information passes, the network device may determine that the terminal completes EHPLMN update. When the integrity check of the reception confirmation information fails, the network device may resend the first information to the terminal, or may not perform processing, and may specifically perform setting according to a requirement of an operator. Therefore, when the generated first information is sent to the terminal, the method may further include: the network equipment sends receiving confirmation indication information (which can be sent through NAS signaling) to the terminal; and the receiving confirmation indication information is used for indicating the terminal to send receiving confirmation information to the network equipment after the first information is stored. 
Here, when the receiving confirmation information is integrity-protected, and the network device receives the receiving confirmation information sent by the terminal, it also receives second integrity verification information sent by the terminal, and performs integrity check on the receiving confirmation information by using the second integrity verification information; the second integrity verification information is generated when the terminal performs integrity protection on the reception confirmation information.
Specifically, when the network device is composed of a UDM network element and an AUSF network element, and the terminal and the network device use a KDF to perform integrity protection on the reception confirmation information and to perform the integrity check on it, then when the UDM network element sends the Nausf_AddEHPLMN_Protection message carrying the encrypted first information to the AUSF network element, the Nausf_AddEHPLMN_Protection message also needs to carry ACK Indication information, where the ACK Indication information is used to instruct the AUSF network element to calculate the MAC of the terminal (which may be denoted as EHPLMN-XMAC-I_UE); EHPLMN-XMAC-I_UE is used by the UDM network element to perform the integrity check on the reception confirmation information returned by the terminal after the first information is stored. After the AUSF network element receives the Nausf_AddEHPLMN_Protection message and obtains Counter_EHPLMN and EHPLMN-MAC-I_AUSF, it uses a preset second FC value (the second FC value may be any value that is not used or not defined with a special meaning in the related art, such as 0x81), a preset first character string (the first character string may be set as required, such as "0x01 (Additional EHPLMN List)" or the like), the length of the first character string, Counter_EHPLMN and the length of Counter_EHPLMN as input parameters of the KDF, and runs the KDF with K_AUSF as the specified key of the KDF; the AUSF network element can determine the low 128 bits of the result output after the KDF is run as EHPLMN-XMAC-I_UE, and returns to the UDM network element a Nausf_AddEHPLMN_Protection_Rsp message carrying EHPLMN-MAC-I_AUSF, EHPLMN-XMAC-I_UE and Counter_EHPLMN.
After the UDM network element receives the Nausf_AddEHPLMN_Protection_Rsp message, the UDM network element may store EHPLMN-XMAC-I_UE locally, and may send the encrypted first information, EHPLMN-MAC-I_AUSF and Counter_EHPLMN to the AMF network element through a Nudm_SDM_Notification message; the AMF network element sends the encrypted first information, EHPLMN-MAC-I_AUSF, the ACK Indication information and Counter_EHPLMN to the terminal through a Downlink NAS Transport message. The terminal may receive the Downlink NAS Transport message from the network device, perform the integrity check on the encrypted first information, decrypt the encrypted first information to obtain the decrypted first information, and store the decrypted first information; the terminal may then use the second FC value, the first character string, the length of the first character string, Counter_EHPLMN and the length of Counter_EHPLMN as input parameters of the KDF, and run the KDF with K_AUSF as the specified key of the KDF; the terminal may determine the low 128 bits of the result output after the KDF is run as the MAC (which may be denoted as EHPLMN-MAC-I_UE, i.e., the second integrity verification information) obtained after integrity protection is performed on the reception confirmation information, and send EHPLMN-MAC-I_UE to the AMF network element, carried in an uplink NAS signaling (Uplink NAS Transport) message responding to the Downlink NAS Transport message; the AMF network element sends EHPLMN-MAC-I_UE to the UDM network element through a Nudm_SDM_Info message responding to the Nudm_SDM_Notification message; the UDM network element can compare EHPLMN-MAC-I_UE with the locally stored EHPLMN-XMAC-I_UE, and when EHPLMN-MAC-I_UE and EHPLMN-XMAC-I_UE are equal, the UDM network element may determine that the integrity check of the reception confirmation information passes and that the terminal has completed the EHPLMN update. Here, the terminal calculates EHPLMN-MAC-I_UE in the same way as the AUSF network element calculates EHPLMN-XMAC-I_UE, that is, the parameters the terminal needs to calculate EHPLMN-MAC-I_UE are the same as the parameters the AUSF network element needs to calculate EHPLMN-XMAC-I_UE.
Correspondingly, an embodiment of the present application further provides an EHPLMN updating method, which is applied to a terminal, and as shown in fig. 2, the method includes the following steps:
Step 201: a terminal receives first information sent by network equipment;
here, the first information includes at least one EHPLMN information; the first information does not include second information; the second information comprises EHPLMN information preset in the terminal; that is, the first information includes EHPLMN information updated with respect to EHPLMN information preset in the terminal;
Step 202: the terminal saves the first information; and using the first information and EHPLMN information preset in the terminal (i.e. preset in the terminal by an operator) together as updated EHPLMN information.
Here, the first information and the second information are used together as EHPLMN information that can be used by the terminal, and may be used by the terminal to determine whether a currently registered PLMN is a roaming PLMN, for example.
Wherein the second information is the EHPLMN List; the first information is the above-mentioned Additional EHPLMN List.
Here, it should be noted that the terminal is any terminal registered in a network corresponding to the network device.
In step 201, in actual application, the first information sent by the network device may be received by the mobility management module of the terminal.
In step 202, during actual application, the mobile management module of the terminal may store the first information in the NVM of the terminal, and determine whether the currently registered PLMN is a roaming PLMN by using the first information and the second information; in the case where it is determined that the currently registered PLMN is a roaming PLMN, the mobility management module may instruct the network searching module of the terminal to leave the current roaming PLMN and to return to the HPLMN.
In step 201, during actual application, when the terminal receives the first information sent by the network device, the terminal may also receive a third identifier sent by the network device. Specifically, the terminal may determine whether the information received from the network device carries the third identifier, and in a case that it is determined that the information received from the network device carries the third identifier, the terminal may determine to receive the first information sent by the network device. Of course, the terminal may discard the corresponding information received from the network device or may not process the information received from the network device when determining that the information received from the network device does not carry the third identifier.
In an embodiment, the receiving, by the terminal, the first information sent by the network device may include:
and the terminal receives the first information sent by the network equipment through NAS signaling.
Here, in various embodiments of the present application, all information interacted between the network device and the terminal may be transmitted through NAS signaling.
In actual application, after receiving the NAS signaling, the terminal may determine whether a Payload Container Type field of the NAS signaling carries the third identifier, determine that the NAS signaling carries the first information under the condition that it is determined that the NAS signaling carries the third identifier, and may obtain the first information from the Payload Container field in the NAS signaling.
In an embodiment, the receiving, by the terminal, the first information sent by the network device may include:
the terminal receives encrypted first information sent by the network equipment;
accordingly, the saving the first information may include:
the terminal decrypts the encrypted first information to obtain decrypted first information;
and storing the decrypted first information.
In practical application, the terminal may preset an encryption key that is the same as the encryption key of the network device locally, for example, the second information is set as an encryption key stream, that is, the second information is used as a key; the network equipment encrypts the first information by using the second information to obtain encrypted first information; and the terminal decrypts the encrypted first information by using the second information as a secret key to obtain decrypted first information.
In an embodiment, integrity protection is performed on the encrypted first information, and the decrypting, by the terminal, the encrypted first information may include:
the terminal carries out integrity check on the encrypted first information;
and after the integrity check of the encrypted first information passes, the terminal decrypts the encrypted first information.
In actual application, in order to perform integrity check on the encrypted first information, when the terminal receives the first information sent by the network device, the terminal may also receive first integrity verification information sent by the network device; the first integrity verification information is generated after the network device performs integrity protection on the encrypted first information, and the first integrity verification information is used for the terminal to perform integrity check on the encrypted first information after receiving the encrypted first information. Therefore, the receiving the first information sent by the network device may include: and the terminal receives the encrypted first information sent by the network equipment and first integrity verification information corresponding to the encrypted first information.
In an embodiment, the integrity checking the encrypted first information may include:
the terminal carries out integrity check on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identification represents a version corresponding to the first information.
In actual application, if the integrity check of the encrypted first information does not pass, the terminal may take no action and wait for the network device to resend the first information; of course, the terminal may also send an EHPLMN update request message to the network device in order to receive the first information again.
In an embodiment, when receiving the first information, the method may further include:
the terminal receives the first identifier sent by the network equipment;
accordingly, the saving the first information may include:
under the condition that the version represented by the first identifier is higher than the version represented by the second identifier, the terminal updates locally stored third information by using the first information; the second identifier represents a version corresponding to the third information locally stored by the terminal; the third information comprises EHPLMN information that the terminal has updated based on information historically sent by the network equipment.
In actual application, the first identifier and the first information may be received by the terminal through the same NAS signaling, that is, the Downlink NAS Transport message; the first identifier is Counter_EHPLMN.
Specifically, after receiving the first information, in order to verify whether the first information is wrong information (for example, at least one EHPLMN information included in the first information is EHPLMN information that the terminal has already updated), the terminal may determine whether the version represented by the first identifier is higher than the version represented by the second identifier, and update the third information with the first information if the version represented by the first identifier is higher than the version represented by the second identifier; and meanwhile, update the second identifier by using the first identifier. Of course, the terminal may discard the first information in case the version represented by the first identifier is lower than or equal to the version represented by the second identifier.
In actual application, when the terminal receives first information sent by network equipment, the terminal can also receive receiving confirmation indication information sent by the network equipment; and the receiving confirmation indication information is used for indicating the terminal to send receiving confirmation information to the network equipment after the first information is stored. Therefore, in response to the reception confirmation indication information, the terminal may generate reception confirmation information after saving the first information, and send the generated reception confirmation information to the network device, so that the network device confirms that the terminal completes EHPLMN update. Certainly, in order to ensure the integrity of information transmission, the terminal may perform integrity protection on the reception confirmation information, generate second integrity verification information corresponding to the reception confirmation information subjected to integrity protection, and send the second integrity verification information and the reception confirmation information subjected to integrity protection to the network device together, so that the network device uses the second integrity verification information to perform integrity verification on the reception confirmation information.
In the EHPLMN updating method provided in the embodiment of the present application, the network device detects an event for updating EHPLMN information; generating first information according to the detected event for updating the EHPLMN information; sending the generated first information to a terminal; the terminal stores the first information, and uses the first information and the EHPLMN information preset in the terminal together as the updated EHPLMN information, and the first information contains the EHPLMN information updated relative to the EHPLMN information preset in the terminal, so that the terminal does not need to actively collect the EHPLMN information updated by the corresponding operator, but the network equipment of the corresponding operator sends the updated EHPLMN information to the terminal, and thus, the terminal can accurately update the EHPLMN information in real time.
The present application will be described in further detail with reference to the following application examples.
The embodiment of the present application provides a mechanism, actively initiated by the network side (i.e., the network device), for dynamically updating an Additional EHPLMN List (i.e., the first information) to a terminal. The network side uses the security architecture of the existing 5G network and the existing 5G NAS Transport procedure to update the Additional EHPLMN List, and makes full use of the security network element functions of the current 5G network, protecting the Additional EHPLMN List through cooperation of a UDM network element and an AUSF network element. Specifically, after a terminal registers on a New Radio (NR) network, when a UDM network element detects that the EHPLMN List (i.e., the second information) pre-stored in the terminal needs to be extended, that is, when the UDM network element determines, from an event in which an administrator of the corresponding operator updates the EHPLMN List, that an Additional EHPLMN List needs to be provided for the terminal, the UDM network element encrypts the Additional EHPLMN List, the AUSF network element performs integrity protection on the encrypted Additional EHPLMN List, and finally the encrypted Additional EHPLMN List is issued to the terminal through a DL NAS Transport flow. A mobile management module of the terminal receives the DL NAS Transport message, performs the integrity check on and decrypts the Additional EHPLMN List information, and stores the decrypted Additional EHPLMN List in an NVM of the terminal; the Additional EHPLMN List and the EHPLMN List in the USIM card jointly form the EHPLMN List that the mobile management module uses to direct the network searching module of the terminal to leave the current roaming PLMN and return to the HPLMN.
As shown in fig. 3, the EHPLMN updating method provided in this embodiment may specifically include the following steps:
Step 301: the terminal is registered on the NR network; step 302 is then performed.
Step 302: the UDM network element detects that the current EHPLMN List is insufficient, the EHPLMN needs to be updated, and an Additional EHPLMN List is generated; step 303 is then performed.
Specifically, the UDM network element detects an event of updating the EHPLMN List, determines that an Additional EHPLMN List needs to be sent to the terminal, and generates the Additional EHPLMN List according to the event of updating the EHPLMN List.
Step 303: the UDM network element and the AUSF network element perform security protection on the Additional EHPLMN List; step 304 is then performed.
Here, the performing security protection on the Additional EHPLMN List may include encrypting the Additional EHPLMN List and performing integrity protection on the Additional EHPLMN List; specifically, the process of performing step 303 may include the steps of:
Step 3031: the UDM network element encrypts an Additional EHPLMN List; step 3032 is then performed.
Specifically, consider that the content of EF_EHPLMN of the USIM card of the terminal (i.e. the EHPLMN List) is known only to the terminal and the UDM network element. Therefore, the EHPLMN List can be designed as an encryption key stream, and the UDM network element completes simple encryption of the Additional EHPLMN List through the process shown in fig. 4, namely performing an exclusive OR operation on the EHPLMN List and the plaintext of the Additional EHPLMN List (namely the unencrypted Additional EHPLMN List), wherein the content obtained by the exclusive OR operation is the encrypted Additional EHPLMN List.
Step 3032: after the UDM network element finishes information encryption, sending a Nausf _ AddEHPLMN _ Protection message to an AUSF network element, and requesting the AUSF network element to perform information integrity Protection on the encrypted Additional EHPLMN List; step 3033 is then performed.
Here, the Nausf_AddEHPLMN_Protection message includes the encrypted Additional EHPLMN List and an ACK Indication indicating that the AUSF network element is required to calculate EHPLMN-XMAC-I_UE; EHPLMN-XMAC-I_UE is stored locally by the UDM network element and used to perform the integrity check on the acknowledgement message (Acknowledgement) sent by the terminal when it is subsequently received.
Step 3033: the AUSF network element returns a Nausf _ AddEHPLMN _ Protection _ Rsp message to the UDM network element after finishing integrity Protection on the encrypted Additional EHPLMN List; step 304 is then performed.
Here, the Nausf_AddEHPLMN_Protection_Rsp message includes EHPLMN-MAC-I_AUSF, EHPLMN-XMAC-I_UE and Counter_EHPLMN.
Specifically, the process of integrity protection of the encrypted Additional EHPLMN List by the AUSF network element may include the following two steps:
Step 1: the AUSF network element generates Counter_EHPLMN (i.e., the first identifier) for integrity protection; the initial value of Counter_EHPLMN may be 0x00 0x01, and each time generation of a Nausf_AddEHPLMN_Protection_Rsp message is completed, the value of Counter_EHPLMN may be increased by 1.
Step 2: the AUSF network element takes 0x80 (i.e. the first FC value) as input parameter FC of the KDF, the encrypted Additional EHPLMN List as input parameter P0 of the KDF, the length of the encrypted Additional EHPLMN List as input parameter L0 of the KDF, Counter_EHPLMN as input parameter P1 of the KDF, and the length of Counter_EHPLMN as input parameter L1 of the KDF, and executes the KDF with K_AUSF as the specified key of the KDF; the lower 128 bits of the output result after executing the KDF are the EHPLMN-MAC-I_AUSF obtained after integrity protection is carried out on the encrypted Additional EHPLMN List.
Meanwhile, the AUSF network element uses 0x81 (i.e., the second FC value) as input parameter FC of the KDF, the character string "0x01 (Additional EHPLMN List acquisition)" (i.e., the first character string) as input parameter P0 of the KDF, the length of the character string as input parameter L0 of the KDF, Counter_EHPLMN as input parameter P1 of the KDF, and the length of Counter_EHPLMN as input parameter L1 of the KDF, and executes the KDF with K_AUSF as the specified key of the KDF; the low 128 bits of the output result after executing the KDF are EHPLMN-XMAC-I_UE.
Step 304: the UDM network element sends a Nudm _ SDM _ Notification message to the AMF network element; step 305 is then performed.
Here, the Nudm_SDM_Notification message includes the encrypted Additional EHPLMN List, EHPLMN-MAC-I_AUSF and Counter_EHPLMN.
Step 305: after receiving the Nudm _ SDM _ Notification message sent by the UDM network element, the AMF network element sends a DL NAS Transport message to the terminal; step 306 is then performed.
Here, the Payload Container Type field of the DL NAS Transport message may be set to 9 (i.e., the third identifier described above); the Payload Container field of the DL NAS Transport message may contain the encrypted Additional EHPLMN List, the ACK Indication (i.e., the above-mentioned reception acknowledgement indication information), EHPLMN-MAC-I_AUSF (i.e., the first integrity verification information) and Counter_EHPLMN (i.e., the first identifier described above).
Step 306: after receiving a DL NAS Transport message from an AMF network element, a mobile management module of the terminal indicates a security module of the terminal to perform security check on an encrypted Additional EHPLMN List in a Payload Container domain when detecting that the Payload Container Type domain of the DL NAS Transport message is 9; step 307 is then performed.
Here, the performing security check on the encrypted Additional EHPLMN List may include performing integrity check on the encrypted Additional EHPLMN List and decrypting the encrypted Additional EHPLMN List; specifically, the process of performing step 306 may include the steps of:
Step 3061: the terminal carries out integrity check on the encrypted Additional EHPLMN List; step 3062 is then performed.
Here, the terminal calculates the EHPLMN-XMAC-I_AUSF value in the same manner as the AUSF network element calculates EHPLMN-MAC-I_AUSF, and compares EHPLMN-MAC-I_AUSF with EHPLMN-XMAC-I_AUSF; if the two are equal, the integrity check is passed. That is, the terminal calculates the EHPLMN-XMAC-I_AUSF value using the same KDF input parameters FC, P0, L0, P1, L1 and the same key that the AUSF network element uses to calculate EHPLMN-MAC-I_AUSF. Specifically, the terminal uses 0x80 as input parameter FC of the KDF, the encrypted Additional EHPLMN List included in the Payload Container field of the DL NAS Transport message as input parameter P0 of the KDF, the length of the encrypted Additional EHPLMN List as input parameter L0 of the KDF, the Counter_EHPLMN included in the Payload Container field of the DL NAS Transport message as input parameter P1 of the KDF, and the length of Counter_EHPLMN as input parameter L1 of the KDF, and executes the KDF with K_AUSF as the specified key of the KDF; the lower 128 bits of the output result after executing the KDF are the EHPLMN-XMAC-I_AUSF obtained after the integrity check is carried out on the encrypted Additional EHPLMN List.
Step 3062: after the integrity check of the encrypted Additional EHPLMN List is passed, the terminal decrypts the encrypted Additional EHPLMN List in the same manner as that of the UDM network element for encrypting the Additional EHPLMN List, and obtains an Additional EHPLMN List plaintext (i.e., the decrypted first information) after decryption; step 307 is then performed.
Specifically, the terminal regards the EHPLMN List as a key stream, and performs an exclusive or operation on the EHPLMN List and the encrypted Additional EHPLMN List through the process shown in fig. 5, where the content obtained by the exclusive or operation is the content of the Additional EHPLMN List in the plaintext.
Step 307: After the encrypted Additional EHPLMN List passes the security check performed by the security module of the terminal, the terminal calculates EHPLMN-MAC-I_UE and sends EHPLMN-MAC-I_UE to the AMF network element in a UL NAS Transport message; step 308 is then performed.
Here, the UL NAS Transport message is the Acknowledgement of the DL NAS Transport message. Specifically, after obtaining the plaintext of the Additional EHPLMN List, in order to respond to the previously received DL NAS Transport message, the terminal computes EHPLMN-MAC-I_UE using the same KDF input parameters FC, P0, L0, P1, L1 and the same key that the AUSF network element uses to calculate EHPLMN-XMAC-I_UE.
Step 308: The AMF network element sends the EHPLMN-MAC-I_UE (i.e., the second integrity verification information) received in the DL NAS Transport message from the terminal to the UDM network element via a Nudm_SDM_Info message; step 309 is then performed.
Step 309: The UDM network element compares EHPLMN-MAC-I_UE with the previously saved EHPLMN-XMAC-I_UE to determine whether they are the same, that is, it performs an integrity check on the Acknowledgement of the terminal; if EHPLMN-MAC-I_UE and EHPLMN-XMAC-I_UE are the same, the integrity check of the Acknowledgement of the terminal passes.
Here, a specific implementation process of the EHPLMN updating method provided in this embodiment is the same as the specific implementation processes of the EHPLMN updating method shown in fig. 1 and the EHPLMN updating method shown in fig. 2, and is not repeated here.
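The terminal-side handling in steps 3061 and 3062, together with the version comparison on the first identifier (Counter_EHPLMN), is sketched below as an added example that is not code from the patent; the network-side helper exists only to build a sample message. Assumptions: the KDF is the generic 3GPP HMAC-SHA-256 construction (TS 33.220 Annex B.2), Counter_EHPLMN is a 2-octet big-endian value, a key stream shorter than the list repeats cyclically, and all keys and PLMN bytes are constructed sample values.

```python
import hashlib
import hmac
from itertools import cycle

FC_EHPLMN = 0x80  # FC value stated in the text

# Constructed sample values (not real keys or operator data).
K_AUSF = bytes(range(32))
PRESET_EHPLMN = bytes.fromhex("64f00064f020")            # EHPLMN List preset in the terminal
ADDITIONAL_EHPLMN = bytes.fromhex("64f04064f08064f011")  # Additional EHPLMN List plaintext


class IntegrityError(Exception):
    """Raised when the computed EHPLMN-XMAC-I_AUSF differs from the received MAC."""


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # Li is the 2-octet length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()


def ehplmn_mac(k_ausf: bytes, enc_list: bytes, counter: bytes) -> bytes:
    """Lower 128 bits of KDF(K_AUSF; FC=0x80, P0=encrypted list, P1=Counter_EHPLMN)."""
    return kdf(k_ausf, FC_EHPLMN, enc_list, counter)[-16:]


def xor_with_keystream(data: bytes, keystream: bytes) -> bytes:
    """XOR data with the preset EHPLMN List used as key stream.

    Assumption: a key stream shorter than the data is repeated cyclically.
    """
    if not keystream:
        raise ValueError("empty key stream")
    return bytes(d ^ k for d, k in zip(data, cycle(keystream)))


def network_protect(k_ausf: bytes, preset_list: bytes,
                    additional_list: bytes, counter: bytes):
    """Network side (sample-message builder): encrypt, then integrity-protect."""
    enc_list = xor_with_keystream(additional_list, preset_list)
    return enc_list, counter, ehplmn_mac(k_ausf, enc_list, counter)


def terminal_process(k_ausf: bytes, preset_list: bytes, stored_version: int,
                     enc_list: bytes, counter: bytes, mac_ausf: bytes):
    """Terminal side: verify the MAC, compare versions, then decrypt.

    Returns the Additional EHPLMN List plaintext, or None when the received
    version is not higher than the locally stored one.
    """
    # Step 3061: recompute XMAC over the ciphertext and compare in constant time.
    xmac = ehplmn_mac(k_ausf, enc_list, counter)
    if not hmac.compare_digest(xmac, mac_ausf):
        raise IntegrityError("EHPLMN-MAC-I_AUSF mismatch")
    # Version check: the counter is trusted only after the MAC has verified.
    if int.from_bytes(counter, "big") <= stored_version:
        return None
    # Step 3062: decrypt only after the integrity check has passed.
    return xor_with_keystream(enc_list, preset_list)


if __name__ == "__main__":
    msg = network_protect(K_AUSF, PRESET_EHPLMN, ADDITIONAL_EHPLMN, (5).to_bytes(2, "big"))
    print(terminal_process(K_AUSF, PRESET_EHPLMN, 4, *msg).hex())
```

Authenticity of the update rests on the MAC keyed with K_AUSF. The XOR step reuses the same preset EHPLMN List as key stream for every update, so it should not be relied on for confidentiality on its own.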
When an operator upgrades or reconfigures its network, an Additional EHPLMN List needs to be added on top of the EHPLMN List of the current USIM card of the corresponding terminal. If the terminal collects the Additional EHPLMN List itself, collection is difficult; moreover, since the collected Additional EHPLMN List may be inaccurate, it is difficult for the terminal to keep the Additional EHPLMN List synchronized with the operator. With the EHPLMN updating method provided by the embodiment of the present application, the network side initiates the update of the Additional EHPLMN List and makes full use of the 5G security architecture and signaling flow to ensure the security and integrity of the Additional EHPLMN List during transmission, so that the Additional EHPLMN List can be securely updated to the terminal side in real time.
Therefore, the EHPLMN updating method provided by the embodiment of the present application has the following advantages:
Firstly, the EHPLMN update is real-time and accurate. Since the operator's network side can provide the most accurate Additional EHPLMN List, an EHPLMN update initiated by the network side is the most timely and accurate. This solves the problems that the terminal has difficulty collecting the Additional EHPLMN List and that the EHPLMN is not updated in time (for example, the EHPLMN update is delayed), and the Additional EHPLMN List obtained by the terminal is always the latest EHPLMN information of the corresponding operator (namely the serving operator of the terminal).
Secondly, the existing security architecture and signaling flow of the current 5G network are fully utilized, and on the premise that the changes of the existing 5G network equipment and the terminal are minimized as much as possible (namely on the premise of controlling cost), the integrity and confidentiality (namely security) of the Additional EHPLMN List are ensured in the information transmission process, and finally the Additional EHPLMN List is safely updated to the terminal side in real time.
In order to implement the method on the terminal side in the embodiment of the present application, an embodiment of the present application further provides an EHPLMN updating apparatus, which is disposed on a terminal, and as shown in fig. 6, the EHPLMN updating apparatus includes: a receiving unit 61 and a first processing unit 62; wherein,
the receiving unit 61 is configured to receive first information sent by a network device; the first information comprises at least one EHPLMN information; the first information includes EHPLMN information updated with respect to EHPLMN information preset in the terminal;
the first processing unit 62 is configured to store the first information, and to use the first information together with the EHPLMN information preset in the terminal as the updated EHPLMN information.
In an embodiment, the receiving unit 61 is specifically configured to receive the first information sent by the network device through NAS signaling.
In an embodiment, the receiving unit 61 is further configured to:
receiving encrypted first information sent by the network equipment;
correspondingly, the first processing unit 62 is further configured to:
decrypting the encrypted first information to obtain decrypted first information;
and storing the decrypted first information.
In an embodiment, the first processing unit 62 is further configured to:
decrypting the encrypted first information by using the second information as a key; the second information includes EHPLMN information preset in the terminal.
In an embodiment, the first processing unit 62 is further configured to:
carrying out integrity check on the encrypted first information;
and after the integrity check of the encrypted first information passes, decrypting the encrypted first information.
In an embodiment, the first processing unit 62 is further configured to:
carrying out integrity check on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identification represents a version corresponding to the first information.
In an embodiment, the receiving unit 61 is further configured to receive a first identifier sent by the network device; the first identification represents a version corresponding to the first information;
the first processing unit 62 is further configured to:
when the version represented by the first identifier is higher than the version represented by the second identifier, the terminal updates the locally stored third information by using the first information; the second identifier represents the version corresponding to the third information locally stored by the terminal; the third information comprises EHPLMN information updated by the terminal based on information historically sent by the network device.
Here, the functions of the receiving unit 61 and the first processing unit 62 may be equivalent to the functions of a mobile management module and a security module of a terminal in an embodiment of the present application.
In practical applications, the receiving unit 61 may be implemented by a communication interface in the EHPLMN updating apparatus; the first processing unit 62 may be implemented by a processor in the EHPLMN updating apparatus.
It should be noted that: the EHPLMN updating apparatus provided in the above embodiment is only illustrated by dividing the above program modules when updating the EHPLMN, and in practical applications, the above processing allocation may be completed by different program modules according to needs, that is, the internal structure of the EHPLMN updating apparatus is divided into different program modules to complete all or part of the above described processing. In addition, the EHPLMN updating apparatus provided in the above embodiments and the EHPLMN updating method embodiment at the terminal side belong to the same concept, and specific implementation processes thereof are detailed in the method embodiment and are not described herein again.
In order to implement the method on the network device side in the embodiment of the present application, an embodiment of the present application further provides an EHPLMN updating apparatus, which is disposed on a network device, and as shown in fig. 7, the EHPLMN updating apparatus includes: a detection unit 71, a second processing unit 72, and a transmission unit 73; wherein,
the detecting unit 71 is configured to detect an event of updating EHPLMN information;
the second processing unit 72 is configured to generate first information according to the detected event for updating EHPLMN information; the first information comprises at least one EHPLMN information; the first information comprises EHPLMN information updated relative to EHPLMN information preset in the terminal;
the sending unit 73 is configured to send the generated first information to the terminal.
In an embodiment, the second processing unit 72 is specifically configured to:
determining fourth information according to the detected event for updating the EHPLMN information; the fourth information includes all EHPLMN information after the operation corresponding to the event of updating EHPLMN information is performed; the fourth information includes the second information, and the second information includes EHPLMN information preset in the terminal;
and removing the second information in the fourth information to obtain the first information.
In an embodiment, the sending unit 73 is specifically configured to send the first information to the terminal through NAS signaling.
In an embodiment, the second processing unit 72 is further configured to perform encryption processing on the first information to obtain encrypted first information;
the sending unit 73 is further configured to send the encrypted first information to the terminal.
In an embodiment, the second processing unit 72 is further configured to:
and performing encryption processing on the first information by using the second information as a key.
In an embodiment, the second processing unit 72 is further configured to perform integrity protection on the encrypted first information;
the sending unit 73 is further configured to send the encrypted first information subjected to integrity protection to the terminal.
In an embodiment, the second processing unit 72 is further configured to:
integrity protection is carried out on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identification represents a version corresponding to the first information.
In an embodiment, when the generated first information is sent to a terminal, the sending unit 73 is further configured to:
sending a first identifier to the terminal; the first identification represents a version corresponding to the first information.
In practice, the detecting unit 71 and the second processing unit 72 may be implemented by a processor in the EHPLMN updating apparatus; the sending unit 73 may be implemented by a communication interface in the EHPLMN updating apparatus.
It should be noted that: the EHPLMN updating apparatus provided in the above embodiment is only illustrated by dividing the above program modules when updating the EHPLMN, and in practical applications, the above processing allocation may be completed by different program modules according to needs, that is, the internal structure of the EHPLMN updating apparatus is divided into different program modules to complete all or part of the above described processing. In addition, the EHPLMN updating apparatus provided in the foregoing embodiment and the EHPLMN updating method embodiment on the network device side belong to the same concept, and specific implementation processes thereof are detailed in the method embodiment and are not described herein again.
In order to implement the method on the terminal side or the network device side in the embodiment of the present application, an embodiment of the present application further provides a chip, and as shown in fig. 8, the chip 80 includes:
an interface 81 for information interaction with the memory;
and the processor 82 is connected with the interface 81 to realize information interaction with the memory, and is used for reading the computer program stored in the memory through the interface 81 and executing the method provided by one or more technical schemes on the terminal side or the network equipment side when the computer program is run.
In practical applications, as shown in fig. 8, the chip 80 may further include a memory 83, and the memory 83 is used for storing various types of data to support the operation of the chip 80. Examples of such data include: any computer program for operating on chip 80.
Of course, the developer may also store a computer program capable of running on the processor 82 by a memory of a communication device (such as a terminal or a network device) where the chip 80 is located, without providing a memory in the chip 80 according to the chip design requirement.
Specifically, when the chip 80 is used to implement the method on the terminal side in the embodiment of the present application, the processor 82 is configured to perform the following operations:
receiving first information sent by network equipment; the first information comprises at least one EHPLMN information; the first information includes EHPLMN information updated with respect to EHPLMN information preset in the terminal;
saving the first information; and using the first information and EHPLMN information preset in the terminal as updated EHPLMN information together.
In an embodiment, the processor 82 is further configured to receive, through NAS signaling, the first information sent by the network device.
In one embodiment, the processor 82 is further configured to:
receiving encrypted first information sent by the network equipment;
decrypting the encrypted first information to obtain decrypted first information;
and storing the decrypted first information.
In one embodiment, the processor 82 is further configured to:
decrypting the encrypted first information by using the second information as a key; the second information includes EHPLMN information preset in the terminal.
In one embodiment, the processor 82 is further configured to:
carrying out integrity check on the encrypted first information;
and after the integrity check of the encrypted first information passes, decrypting the encrypted first information.
In one embodiment, the processor 82 is further configured to:
carrying out integrity check on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identification represents a version corresponding to the first information.
In an embodiment, when receiving the first information, the processor 82 is further configured to:
receiving a first identifier sent by the network equipment; the first identification represents a version corresponding to the first information;
when the version represented by the first identifier is higher than the version represented by the second identifier, the terminal updates the locally stored third information by using the first information; the second identifier represents the version corresponding to the third information locally stored by the terminal; the third information comprises EHPLMN information updated by the terminal based on information historically sent by the network device.
When the chip 80 is used to implement the method on the network device side in the embodiment of the present application, the processor 82 is specifically configured to perform the following operations:
detecting an event that updates EHPLMN information;
generating first information according to the detected event for updating the EHPLMN information; the first information comprises at least one EHPLMN information; the first information comprises EHPLMN information updated relative to EHPLMN information preset in the terminal;
and sending the generated first information to the terminal.
In one embodiment, the processor 82 is further configured to:
determining fourth information according to the detected event for updating the EHPLMN information; the fourth information includes all EHPLMN information after the operation corresponding to the event of updating EHPLMN information is performed;
and removing the EHPLMN information preset by the terminal in the fourth information to obtain the first information.
In one embodiment, the processor 82 is further configured to:
and sending the first information to the terminal through NAS signaling.
In one embodiment, the processor 82 is further configured to:
encrypting the first information to obtain encrypted first information;
and sending the encrypted first information to the terminal.
In one embodiment, the processor 82 is further configured to:
encrypting the first information by using second information as a key; the second information includes EHPLMN information preset in the terminal.
In one embodiment, the processor 82 is further configured to:
integrity protection is carried out on the encrypted first information;
and sending the encrypted first information subjected to integrity protection to the terminal.
In one embodiment, the processor 82 is further configured to:
integrity protection is carried out on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identification represents a version corresponding to the first information.
In one embodiment, the processor 82 is further configured to:
sending a first identifier to the terminal; the first identification represents a version corresponding to the first information.
It should be noted that: the process of the processor 82 specifically executing the above operations is detailed in the method embodiment of the terminal side and the method embodiment of the network device side in this application, and details are not described here again.
Based on the hardware implementation of the program module, and in order to implement the method on the terminal side or the network device side in the embodiment of the present application, an embodiment of the present application further provides a communication device, where the communication device may be a terminal or a network device, as shown in fig. 9, the communication device 90 includes:
a communication interface 91 capable of performing information interaction with other communication devices;
the processor 92 is connected with the communication interface 91 to realize information interaction with other communication devices, and is used for executing the method provided by one or more technical schemes on the terminal side or the network device side when running a computer program;
a memory 93 for storing a computer program capable of running on the processor 92.
Here, when the communication device 90 is a terminal, the other communication device may be a network device; when the communication device 90 is a network device, the other communication device may be a terminal.
Specifically, when the communication device 90 is used to implement the method on the terminal side in the embodiment of the present application, the processor 92 is configured to perform the following operations:
receiving first information sent by network equipment; the first information comprises at least one EHPLMN information; the first information includes EHPLMN information updated with respect to EHPLMN information preset in the terminal;
saving the first information; and using the first information and EHPLMN information preset in the terminal as updated EHPLMN information together.
In an embodiment, the processor 92 is further configured to receive, through NAS signaling, the first information sent by the network device.
In one embodiment, the processor 92 is further configured to:
receiving encrypted first information sent by the network equipment;
decrypting the encrypted first information to obtain decrypted first information;
and storing the decrypted first information.
In one embodiment, the processor 92 is further configured to:
decrypting the encrypted first information by using the second information as a key; the second information includes EHPLMN information preset in the terminal.
In one embodiment, the processor 92 is further configured to:
carrying out integrity check on the encrypted first information;
and after the integrity check of the encrypted first information passes, decrypting the encrypted first information.
In one embodiment, the processor 92 is further configured to:
carrying out integrity check on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identification represents a version corresponding to the first information.
In an embodiment, when receiving the first information, the processor 92 is further configured to:
receiving a first identifier sent by the network equipment; the first identification represents a version corresponding to the first information;
when the version represented by the first identifier is higher than the version represented by the second identifier, the terminal updates the locally stored third information by using the first information; the second identifier represents the version corresponding to the third information locally stored by the terminal; the third information comprises EHPLMN information updated by the terminal based on information historically sent by the network device.
When the communication device 90 is used to implement the method on the network device side in the embodiment of the present application, the processor 92 is configured to perform the following operations:
detecting an event that updates EHPLMN information;
generating first information according to the detected event for updating the EHPLMN information; the first information comprises at least one EHPLMN information; the first information comprises EHPLMN information updated relative to EHPLMN information preset in the terminal;
and sending the generated first information to the terminal.
In one embodiment, the processor 92 is further configured to:
determining fourth information according to the detected event for updating the EHPLMN information; the fourth information includes all EHPLMN information after the operation corresponding to the event of updating EHPLMN information is performed;
and removing the EHPLMN information preset by the terminal in the fourth information to obtain the first information.
In one embodiment, the processor 92 is further configured to:
and sending the first information to the terminal through NAS signaling.
In one embodiment, the processor 92 is further configured to:
encrypting the first information to obtain encrypted first information;
and sending the encrypted first information to the terminal.
In one embodiment, the processor 92 is further configured to:
encrypting the first information by using second information as a key; the second information includes EHPLMN information preset in the terminal.
In one embodiment, the processor 92 is further configured to:
integrity protection is carried out on the encrypted first information;
and sending the encrypted first information subjected to integrity protection to the terminal.
In one embodiment, the processor 92 is further configured to:
integrity protection is carried out on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identification represents a version corresponding to the first information.
In one embodiment, the processor 92 is further configured to:
sending a first identifier to the terminal; the first identification represents a version corresponding to the first information.
It should be noted that: the process of the processor 92 specifically executing the above operations is detailed in the method embodiment of the terminal side and the method embodiment of the network device side in this application, and details are not described here again.
Of course, in practice, the various components of the communication device 90 may be coupled together by a bus system 94. It will be appreciated that the bus system 94 is used to enable communications among the components. The bus system 94 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 94 in fig. 9.
The method disclosed in the above embodiments of the method on the terminal side or the network device side may be applied to the processor 92, or may be implemented by the processor 92. The processor 92 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by instructions in the form of hardware, integrated logic circuits, or software in the processor 92. The processor 92 may be a general purpose processor, a Digital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. Processor 92 may implement or perform the methods, steps, and logic blocks disclosed in the method embodiments of the present application on the terminal side or the network device side. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the method on the terminal side or the network device side of the present application may be directly implemented as the execution of a hardware decoding processor, or implemented by the combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 93, and the processor 92 reads the information in said memory 93 and in combination with its hardware performs the steps of the aforementioned method.
In an exemplary embodiment, the communication Device 90 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, Micro Controllers (MCUs), microprocessors (microprocessors), or other electronic components for performing the aforementioned method on the terminal side or the network Device side.
It will be appreciated that the memory of embodiments of the present application (e.g., memory 83 in chip 80 or memory 93 in communication device 90) may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, the present application further provides a storage medium, that is, a computer storage medium, specifically, a computer readable storage medium, such as a memory 83 in the chip 80 for storing a computer program, where the computer program stored in the memory 83 is executable by the processor 82 in the chip 80 to perform the steps of the foregoing terminal-side or network-side method. As another example, the memory 93 stores a computer program, and the computer program stored in the memory 93 can be executed by the processor 92 in the communication device 90 to perform the steps of the aforementioned terminal-side or network-side method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed method and intelligent device may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
It should be noted that: "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict.
The above description covers only specific embodiments of the present application, but the scope of the present application is not limited thereto; any changes or substitutions that a person skilled in the art can easily conceive of within the technical scope of the present application shall be covered by the scope of the present application.

Claims (18)

1. An Equivalent Home Public Land Mobile Network (EHPLMN) updating method, comprising:
a terminal receives first information sent by network equipment; the first information comprises at least one EHPLMN information; the first information includes EHPLMN information updated with respect to EHPLMN information preset in the terminal;
the terminal saves the first information, and uses the first information together with the EHPLMN information preset in the terminal as the updated EHPLMN information.
2. The method of claim 1, wherein the terminal receiving the first information sent by the network equipment comprises:
the terminal receives the first information sent by the network equipment through non-access stratum (NAS) signaling.
3. The method according to claim 1 or 2, wherein the terminal receiving the first information sent by the network equipment comprises:
the terminal receives encrypted first information sent by the network equipment;
the saving the first information includes:
the terminal decrypts the encrypted first information to obtain decrypted first information;
and storing the decrypted first information.
4. The method according to claim 3, wherein said decrypting the encrypted first information comprises:
the terminal decrypts the encrypted first information by using the second information as a secret key; the second information includes EHPLMN information preset in the terminal.
5. The method according to claim 3, wherein the terminal decrypting the encrypted first information comprises:
the terminal carries out integrity check on the encrypted first information;
and after the integrity check of the encrypted first information passes, the terminal decrypts the encrypted first information.
6. The method of claim 5, wherein the integrity checking the encrypted first information comprises:
the terminal carries out an integrity check on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identifier represents a version corresponding to the first information.
7. The method of claim 1 or 2, wherein, when receiving the first information, the method further comprises:
the terminal receives a first identifier sent by the network equipment; the first identifier represents a version corresponding to the first information;
the saving the first information includes:
when the version represented by the first identifier is higher than the version represented by the second identifier, the terminal updates locally stored third information by using the first information; the second identifier represents a version corresponding to the third information locally stored by the terminal; the third information comprises EHPLMN information that the terminal updated based on information historically sent by the network equipment.
8. An EHPLMN update method, comprising:
the network equipment detects an event for updating the EHPLMN information;
the network equipment generates first information according to the detected event for updating the EHPLMN information; the first information comprises at least one EHPLMN information; the first information includes EHPLMN information updated with respect to EHPLMN information preset in the terminal;
and the network equipment sends the generated first information to the terminal.
9. The method of claim 8, wherein generating the first information based on the detected event that updates the EHPLMN information comprises:
the network equipment determines fourth information according to the detected event for updating the EHPLMN information; the fourth information includes all EHPLMN information after the operation corresponding to the event of updating EHPLMN information is performed;
and the network equipment removes, from the fourth information, the EHPLMN information preset in the terminal to obtain the first information.
10. The method of claim 8, wherein the sending the generated first information to a terminal comprises:
the network equipment sends the first information to the terminal through NAS signaling.
11. The method according to any one of claims 8 to 10, wherein the sending the generated first information to the terminal comprises:
the network equipment encrypts the first information to obtain encrypted first information;
and sending the encrypted first information to the terminal.
12. The method of claim 11, wherein the encrypting the first information comprises:
the network equipment uses second information as a key to encrypt the first information; the second information includes EHPLMN information preset in the terminal.
13. The method of claim 11, wherein the sending the encrypted first information to the terminal comprises:
the network equipment performs integrity protection on the encrypted first information;
and sending the encrypted first information subjected to integrity protection to the terminal.
14. The method of claim 13, wherein integrity protecting the encrypted first information comprises:
the network equipment performs integrity protection on the encrypted first information by using the length of the encrypted first information, the first identifier and the length of the first identifier; the first identifier represents a version corresponding to the first information.
15. The method according to any one of claims 8 to 10, wherein when sending the generated first information to a terminal, the method further comprises:
the network equipment sends a first identifier to the terminal; the first identifier represents a version corresponding to the first information.
16. A chip, comprising: a processor and an interface; wherein,
the processor is configured to, when executing a computer program, perform the steps of the method of any one of claims 1 to 7 or perform the steps of the method of any one of claims 8 to 15.
17. A communication device, comprising: a processor and a memory for storing a computer program capable of running on the processor; wherein,
the processor is adapted to perform the steps of the method of any one of claims 1 to 7 or the steps of the method of any one of claims 8 to 15 when running the computer program.
18. A storage medium storing a computer program, characterized in that the computer program, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7 or carries out the steps of the method of any one of claims 8 to 15.
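The exchange in claims 1, 3 to 7 and 11 to 15 (integrity check before decryption, version comparison before update, merge with the preset list), as an added example that is not code from the patent. The claims name no algorithms, so HMAC-SHA-256, the SHA-256 keystream used as a stand-in cipher, the key derivation, the byte layout, the `state` dictionary, all function names and the sample PLMN values are assumptions.

```python
import hashlib
import hmac
import struct

PRESET = ["46000", "46002"]  # constructed "second information" (preset EHPLMN list)


def derive(label, preset=PRESET):
    # Assumption: keys are SHA-256 over a purpose label and the preset list.
    return hashlib.sha256(label + ",".join(preset).encode()).digest()


def stream_xor(key, data):
    # Stand-in cipher (SHA-256 counter keystream); the claims name no algorithm.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def tag_for(version, ciphertext):
    # Claims 6 and 14: cover the ciphertext length, the version identifier and the
    # identifier length; fixed-width prefixes keep the field boundaries unambiguous.
    msg = struct.pack(">HI", len(version), len(ciphertext)) + version + ciphertext
    return hmac.new(derive(b"mac"), msg, hashlib.sha256).digest()


def network_send(version, first_info):
    # Claims 11 and 13: encrypt, then integrity-protect the encrypted data.
    ciphertext = stream_xor(derive(b"enc"), ",".join(first_info).encode())
    return version, ciphertext, tag_for(version, ciphertext)


def terminal_receive(state, version, ciphertext, tag):
    if not hmac.compare_digest(tag_for(version, ciphertext), tag):
        return "integrity-fail"  # claim 5: nothing is decrypted before the check passes
    if int.from_bytes(version, "big") <= state["version"]:
        return "stale"  # claim 7: only a higher version replaces the stored data
    state["third_info"] = stream_xor(derive(b"enc"), ciphertext).decode().split(",")
    state["version"] = int.from_bytes(version, "big")
    return "updated"


def effective_ehplmn(state):
    # Claim 1: preset entries and received entries together form the updated list.
    return PRESET + [p for p in state["third_info"] if p not in PRESET]
```

A replayed older message still carries a valid tag, so it is the version comparison that rejects it; a changed version identifier or ciphertext fails the tag check because both fields and their lengths are covered.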
CN202010635877.3A 2020-07-03 2020-07-03 EHPLMN updating method, related equipment and storage medium Active CN111770488B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010635877.3A CN111770488B (en) 2020-07-03 2020-07-03 EHPLMN updating method, related equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010635877.3A CN111770488B (en) 2020-07-03 2020-07-03 EHPLMN updating method, related equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111770488A true CN111770488A (en) 2020-10-13
CN111770488B CN111770488B (en) 2023-03-21

Family

ID=72724628

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010635877.3A Active CN111770488B (en) 2020-07-03 2020-07-03 EHPLMN updating method, related equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111770488B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102905344A (en) * 2011-07-26 2013-01-30 中兴通讯股份有限公司 Method and system for access barring, network element on network side and UE (user equipment)
CN105764047A (en) * 2014-12-15 2016-07-13 中兴通讯股份有限公司 Method and device for updating mobile network information, and method and device for realizing network selection
WO2016202264A1 (en) * 2015-06-19 2016-12-22 广东欧珀移动通信有限公司 Network access method and mobile communication terminal
US20170127371A1 (en) * 2014-05-12 2017-05-04 Huawei Technologies Co., Ltd. Method for Updating RPLMN Information and User Equipment
CN108966260A (en) * 2018-07-31 2018-12-07 Oppo广东移动通信有限公司 A kind of data-updating method and device, terminal device
US20220086072A1 (en) * 2018-12-19 2022-03-17 Apple Inc. Configuration management, performance management, and fault management to support edge computing

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598465A (en) * 2022-03-08 2022-06-07 潍柴动力股份有限公司 Data updating method and controller
CN114598465B (en) * 2022-03-08 2024-05-17 潍柴动力股份有限公司 Data updating method and controller

Also Published As

Publication number Publication date
CN111770488B (en) 2023-03-21

Similar Documents

Publication Publication Date Title
CN115515122A (en) Method and system for detecting anti-steering of roaming activity in a wireless communication network
CN101772021B (en) Method of handling security configuration in wireless communications system and related communication device
US11368841B2 (en) Network access authentication method and device
US11381964B2 (en) Cellular network authentication control
CN110519753B (en) Access method, device, terminal and readable storage medium
CN109729524B (en) RRC (radio resource control) connection recovery method and device
CN109922474B (en) Method for triggering network authentication and related equipment
CN108605225B (en) Safety processing method and related equipment
CN111355684B (en) Internet of things data transmission method, device and system, electronic equipment and medium
WO2018010480A1 (en) Network locking method for esim card, terminal, and network locking authentication server
CN110621016B (en) User identity protection method, user terminal and base station
JP2022529837A (en) Parameter transmission method and equipment
CN110730447B (en) User identity protection method, user terminal and core network
CN114189343A (en) Mutual authentication method and device
CN111031475B (en) Method for collecting terminal position information, terminal, position collecting terminal and storage medium
CN114223233A (en) Data security for network slice management
CN111770488B (en) EHPLMN updating method, related equipment and storage medium
CN115868189A (en) Method, vehicle, terminal and system for establishing vehicle safety communication
CN111132149B (en) Registration method of 5G user terminal, user terminal equipment and medium
CN111836260B (en) Authentication information processing method, terminal and network equipment
US20230140461A1 (en) Systems and methods for cryptocurrency administration
CN110891270B (en) Selection method and device of authentication algorithm
CN113439449A (en) Privacy enhancement method for linking ESIM profiles
CN111107550A (en) Dual-channel access registration method and device for 5G terminal equipment and storage medium
US20220174490A1 (en) System, method, storage medium and equipment for mobile network access

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant