CN112087297A - Method, system and equipment for obtaining security context - Google Patents

Info

Publication number
CN112087297A
Application number
CN201910518066.2A
Authority
CN (China)
Prior art keywords
security context, request message, mme, indication information, key set
Legal status
Granted; currently active
Other languages
Chinese (zh)
Other versions
CN112087297B (en)
Inventors
赵绪文
陈霞云
Current assignee
Huawei Technologies Co Ltd
Original assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201910518066.2A
Publication of CN112087297A
Application granted
Publication of CN112087297B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L 5/00 Arrangements affording multiple use of the transmission path
    • H04L 5/003 Arrangements for allocating sub-channels of the transmission path
    • H04L 5/0053 Allocation of signaling, i.e. of overhead other than pilot signals
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Abstract

The embodiment of the application provides a method for acquiring a security context, which comprises the following steps: a Mobility Management Entity (MME) sends a first request message to an Access and Mobility Management Function (AMF), wherein the first request message comprises a key set identifier, the key set identifier is used for indicating the AMF to generate a first security context, and the first security context is a mapping type security context; the MME receives a first response message sent by the AMF, wherein the first response message comprises first indication information and the first security context, and the first indication information is used for indicating that the first security context is a mapping type security context. The same type of key set identifier can thus be used by the UE and the MME, so that the UE can normally access the network to acquire service when moving from the 5G network to the 4G network.

Description

Method, system and equipment for obtaining security context
Technical Field
The present application relates to the field of wireless communications, and in particular, to a method, system, and device for obtaining a security context.
Background
In the early days of 5G network deployment, there are scenarios where end users move from a 5G network to a 4G network. However, in the current 3rd Generation Partnership Project (3GPP) standard flow, when the UE moves from the 5G network to the 4G network, the Core Access and Mobility Management Function (AMF) sends an identity response (Identity Response) message or a context response (Context Response) message to the Mobility Management Entity (MME), and when the UE moves between 4G networks, the old MME sends an identity response message or a context response message to the new MME. The same type of message with the same data structure is used in both cases, and the UE Mobility Management Context (UE MM Context) information element in these messages carries only the value part of the Key Set Identifier in E-UTRAN (eKSI), so the MME generates the eKSI from the message type alone and the type of the eKSI it generates is the native type (Native). The User Equipment (UE), however, sets the type of the eKSI to the mapped type (Mapped) when generating the eKSI, because it is in the scenario of moving from the 5G network to the 4G network. In the subsequent Security Mode Command (SMC) procedure, the UE and the MME look up security contexts using eKSIs of different types, so the security contexts they use are inconsistent; this causes the SMC procedure to fail, the attach procedure or Tracking Area Update (TAU) procedure to be terminated, and the UE cannot normally access the network to obtain service.
Disclosure of Invention
The application provides a method, a system and equipment for acquiring a security context.
In a first aspect, a method for obtaining a security context is provided, including: a Mobility Management Entity (MME) sends a first request message to an Access and Mobility Management Function (AMF), wherein the first request message comprises a key set identifier, the key set identifier is used for indicating the AMF to generate a first security context, and the first security context is a mapping type security context; the MME receives a first response message sent by the AMF, wherein the first response message comprises first indication information and a first security context, and the first indication information is used for indicating that the first security context is a mapping type security context.
With the solution of this embodiment of the application, in a scenario where the UE moves from the 5G network to the 4G network, the AMF may send the first indication information to the MME after receiving the first request message, and the MME uses the first indication information received from the AMF to generate a key set identifier of the mapping type, so that the UE and the MME use the same type of key set identifier.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the MME generates a key set identifier of a mapping type according to the first indication information and/or the first security context, wherein the key set identifier of the mapping type is used for identifying the first security context; the MME sends a key set identifier of the mapping type to the user equipment UE.
With the solution of this embodiment of the application, the MME may generate, according to the first indication information and/or the first security context, a key set identifier of the mapping type, which enables the UE to normally access the network to acquire services when the UE moves from the 5G network to the 4G network.
With reference to the first aspect, in some implementations of the first aspect, the first indication information includes at least one of the following information elements: a second indication information element; a radio access type information element; a mobility management context information element including third indication information.
With reference to the first aspect, in certain implementations of the first aspect, the first request message is an identity request message or a context request message.
With the solution of this embodiment of the application, the first request message may be an existing message, so no additional burden is placed on the system.
With reference to the first aspect, in certain implementations of the first aspect, the first response message is an identification response message or a context response message.
With the solution of this embodiment of the application, the first indication information can be carried in an existing message, so no additional burden is placed on the system.
In a second aspect, a method for obtaining a security context is provided, including: the MME receives a second request message sent by the UE, wherein the second request message comprises fourth indication information and a key set identifier; the MME stores fourth indication information; the MME sends a first request message to the AMF, wherein the first request message comprises a key set identifier which is used for indicating the AMF to generate a first security context, and the first security context is a mapping type security context; the MME receives a first response message sent by the AMF, the first response message comprises a first security context, and the fourth indication information is used for indicating that the first security context is a mapping type security context.
With reference to the second aspect, in certain implementations of the second aspect, the method further includes: the MME generates a key set identifier of a mapping type according to the fourth indication information and/or the first security context, wherein the key set identifier of the mapping type is used for identifying the first security context; the MME sends a key set identifier of the mapping type to the UE.
With reference to the second aspect, in some implementations of the second aspect, the fourth indication information includes at least one of the following information elements: a fifth indication information element; a user status information element.
With reference to the second aspect, in some implementations of the second aspect, the second request message is an attach request message or a tracking area update request message.
With reference to the second aspect, in some implementations of the second aspect, the first request message is an identity request message or a context request message.
With reference to the second aspect, in some implementations of the second aspect, the first response message is an identification response message or a context response message.
In a third aspect, a method for obtaining a security context is provided, including: the AMF receives a first request message sent by the MME, wherein the first request message comprises a key set identifier; the AMF generates a first security context according to the key set identifier, wherein the first security context is a mapping type security context; the AMF sends a first response message to the MME, wherein the first response message comprises first indication information and a first security context, and the first indication information is used for indicating that the first security context is a mapping type security context. The MME receives first indication information, and the first indication information is used for the MME to generate a key set identifier of a mapping type; and the MME generates a key set identifier of the mapping type according to the first indication information.
With reference to the third aspect, in certain implementations of the third aspect, the first indication information and/or the first security context is used to instruct the MME to generate a mapping type key set identifier, and the mapping type key set identifier is used to identify the first security context.
With reference to the third aspect, in some implementations of the third aspect, the first indication information includes at least one of the following information elements: a second indication information element; a radio access type information element; a mobility management context information element including third indication information.
With reference to the third aspect, in some implementations of the third aspect, the first request message is an identity request message or a context request message.
With reference to the third aspect, in some implementations of the third aspect, the first response message is an identification response message or a context response message.
In a fourth aspect, a method for obtaining a security context is provided, including: the UE sends a second request message to the MME, wherein the second request message comprises fourth indication information, and the fourth indication information is used for indicating that the first security context received by the MME is a security context of the mapping type.
With reference to the fourth aspect, in some implementations of the fourth aspect, the method further includes: the fourth indication information and/or the first security context is used for indicating the MME to generate a key set identifier of the mapping type, and the key set identifier of the mapping type is used for identifying the first security context; the UE receives the key set identifier of the mapping type sent by the MME.
With reference to the fourth aspect, in some implementations of the fourth aspect, the fourth indication information includes at least one of the following information elements: a fifth indication information element; a user status information element.
With reference to the fourth aspect, in some implementations of the fourth aspect, the second request message is an attach request message or a tracking area update request message.
In a fifth aspect, a system for obtaining a security context is provided, including: the MME sends a first request message to the AMF, wherein the first request message comprises a key set identifier which is used for indicating the AMF to generate a first security context; the AMF generates a first security context, wherein the first security context is a mapping type security context; the AMF sends a first response message to the MME, wherein the first response message comprises first indication information and a first security context, and the first indication information is used for indicating that the first security context is a mapping type security context.
With reference to the fifth aspect, in certain implementations of the fifth aspect, the method further includes: the MME generates a key set identifier of a mapping type according to the first indication information and/or the first security context, wherein the key set identifier of the mapping type is used for identifying the first security context; the MME sends a key set identifier of the mapping type to the user equipment UE.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first indication information includes at least one of the following information elements: a second indication information element; a radio access type information element; a mobility management context information element including third indication information.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first request message is an identity request message or a context request message.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first response message is an identification response message or a context response message.
In a sixth aspect, a system for obtaining a security context is provided, including: the UE sends a second request message to the MME, wherein the second request message comprises fourth indication information and a key set identifier; the MME receives the second request message and stores fourth indication information; the MME sends a first request message to the AMF, wherein the first request message comprises a key set identifier which is used for indicating the AMF to generate a first security context; the AMF sends a first response message to the MME, wherein the first response message comprises a first security context, and the first security context is a mapping type security context; the MME receives the first response message, and the fourth indication information is used for indicating that the first security context received by the MME is the security context of the mapping type.
With reference to the sixth aspect, in certain implementations of the sixth aspect, the system further includes: the MME generates a key set identifier of the mapping type according to the fourth indication information and/or the first security context, wherein the key set identifier of the mapping type is used for identifying the first security context; the MME sends the key set identifier of the mapping type to the UE.
With reference to the sixth aspect, in some implementations of the sixth aspect, the fourth indication information includes at least one of the following information elements: a fifth indication information element; a user status information element.
With reference to the sixth aspect, in some implementations of the sixth aspect, the second request message is an attach request message or a tracking area update request message.
With reference to the sixth aspect, in some implementations of the sixth aspect, the first request message is an identity request message or a context request message.
With reference to the sixth aspect, in some implementations of the sixth aspect, the first response message is an identification response message or a context response message.
In a seventh aspect, a network device is provided, which may perform the method of the first and second aspects or any implementation manner thereof.
In an eighth aspect, a network device is provided, which may perform the method of the third aspect or any implementation manner thereof.
In a ninth aspect, a user equipment is provided, which may perform the method of the fourth aspect or any implementation manner thereof.
Drawings
Fig. 1 is a schematic architecture diagram of a communication system suitable for use in embodiments of the present application.
Fig. 2 is a schematic flow chart of a method for acquiring a security context according to an embodiment of the present application.
Fig. 3 is a schematic interaction diagram of a system for acquiring a security context according to an embodiment of the present application.
Fig. 4 is a schematic interaction diagram of one method of obtaining a security context in the system shown in Fig. 3.
Fig. 5 is a schematic interaction diagram of another method of obtaining a security context in the system shown in Fig. 3.
Fig. 6 is a schematic flow chart of a method for acquiring a security context according to an embodiment of the present application.
Fig. 7 is a schematic interaction diagram of one of the methods of obtaining a security context shown in Fig. 6.
Fig. 8 is a schematic interaction diagram of another of the methods of obtaining a security context shown in Fig. 6.
Fig. 9 is a schematic structural diagram of an MME according to an embodiment of the present application.
Fig. 10 is a schematic structural diagram of an AMF according to an embodiment of the present application.
Fig. 11 is a schematic structural diagram of a user equipment according to an embodiment of the present application.
Fig. 12 is a schematic diagram of a user equipment provided in an embodiment of the present application.
Fig. 13 is a schematic diagram of a network device according to an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic architecture diagram of a mobile communication system suitable for use in the embodiments of the present application.
As shown in Fig. 1, the mobile communication system 100 may include at least one MME 101, at least one AMF 103, and at least one UE 102. Fig. 1 is a schematic diagram, and other network devices, such as a wireless relay device and a wireless backhaul device, may also be included in the communication system, which are not shown in Fig. 1. The embodiments of the present application do not limit the number and specific types of network devices and UEs included in the mobile communication system.
The UE 102 in the embodiments of the present application may refer to an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user equipment. The terminal device may also be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a future 5G network or a terminal device in a future evolved Public Land Mobile Network (PLMN), and the like, which are not limited in this embodiment.
Fig. 2 is a schematic flow diagram of a method of obtaining a security context. The method of Fig. 2 may be performed by the MME 101 of Fig. 1.
S201, the MME sends a first request message to the AMF, where the first request message includes a key set identifier, and the key set identifier may be used to instruct the AMF to generate a first security context, where the first security context is a mapping type security context.
Alternatively, the first request message may be an identification request message or a context request message.
S202, the MME may receive a first response message sent by the AMF, where the first response message may include the first indication information and the first security context.
Wherein the first indication information may be used to indicate that the first security context is a mapping type security context.
Alternatively, the first response message may be an identification response message or a context response message.
Optionally, S203, the MME may generate, after receiving the first response message, a key set identifier of a mapping type according to the first indication information and/or the first security context carried in the first response message, where the key set identifier of the mapping type may be used to identify the first security context.
Optionally, S204, the MME may send the key set identifier of the mapping type to the UE.
Fig. 3 is a schematic flow diagram of a system for obtaining a security context. The system shown in Fig. 3 may be composed of at least one MME 101 and at least one AMF 103 in Fig. 1.
S201, the MME sends a first request message to the AMF, where the first request message may include a key set identifier, and the key set identifier may be of a local type.
Alternatively, the Key Set Identifier may be eKSI or a new generation Key Set Identifier (ngKSI).
It should be understood that the first request message may be one of various messages communicated between the MME and the AMF, for example, the first request message may be an identification request message or a context request message, and the application is not particularly limited.
S202, the AMF receives the first request message, may obtain a second security context corresponding to the key set identifier of the local type according to the first request message, and may generate a first security context according to the second security context, where the first security context is a mapping type security context.
S203, the AMF may send a first response message to the MME, where the first response message includes first indication information and a first security context, and where the first indication information may be used to indicate that the first security context is a mapping type security context.
It should be understood that the first response message may be one of various messages communicated between the MME and the AMF; for example, the first response message may be an identification response message or a context response message, and the application is not particularly limited.
Optionally, in S204, after receiving the first response message, the MME may further generate a key set identifier of the mapping type according to the first indication information and/or the first security context.
Optionally, the system may further include at least one UE, and after the step S204 is completed, the MME may further send a Non-Access Stratum (NAS) Security Mode Command (SMC) message to the UE, where the NAS SMC message may include a key set identifier of the mapping type.
When a UE moves from a 5G network to a 4G network, there are two different scenarios. First, the UE has previously deregistered from the 5G network, and the UE may initiate an Initial Attach procedure after moving to the 4G network. Second, the UE was previously registered in the 5G network and is in an idle state, and after moving to the 4G network, the UE may initiate a Tracking Area Update (TAU) procedure.
It should be understood that the technical solution of the present application may also be applied to future scenarios in which the user equipment moves to a lower-generation network, for example, from a 6G network to a 5G network.
Fig. 4 is a schematic interaction diagram of a method for acquiring a security context in the system shown in Fig. 3, which occurs in a scenario where a UE has previously deregistered from a 5G network and initiates an initial attach procedure after moving to a 4G network. The method of Fig. 4 may be performed by MME 101, AMF 103, and UE 102 in Fig. 1.
S301, the UE sends an Attach Request message to the MME, which may include a local type key set identifier, whose value part may indicate a second security context stored on the UE, where a security context refers to a type of set of permissions and rights that define what a certain process is allowed to do.
S302, the MME may send a first request message to the AMF according to the received attach request message, and the first request message may include the complete attach request message.
The first request message may be an Identification Request message.
S303, the AMF queries a second security context according to the value part of the key set identifier carried in the identity request message sent by the MME, and may generate a first security context according to the second security context, where the first security context may be a mapping type security context.
The second security context may be a 5G security context, and the first security context may be an Evolved Packet System (EPS) security context of a mapping type, that is, the first security context may be a 4G security context of a mapping type.
The AMF may reply to the MME with a first response message, which may be an Identification Response message, and which may include the first indication information and the first security context of the mapping type.
Optionally, the first response message may include a UE MM Context information element that contains the value part of the key set identifier identifying the first security context carried in the first response message.
Optionally, the first indication information may be used to indicate that the first security context carried in the first response message is a mapping-type security context.
Optionally, the first indication information may also indicate that the MME should generate a key set identifier of a mapping type, or the information is used to indicate a scenario that the UE currently moves from 5G to 4G, or the information is used to indicate that the UE is previously registered in a 5G network, and the like.
Possible ways of carrying the first indication information in the first response message include, but are not limited to, the following:
a. the AMF adds an independent second indication information element to the first response message, where the second indication information element is used to indicate that the first security context carried in the first response message is a mapping type security context, or to indicate that the MME should generate a key set identifier of the mapping type, or to indicate that the UE is in a scenario of moving from 5G to 4G, or to indicate that the UE was previously registered in a 5G network, and the like;
b. the AMF adds a Radio Access Technology type (RAT-type) information element to the first response message, where the value of the information element may indicate that the network type previously accessed by the UE is a 5G network; for example, a RAT-type value of New Radio (NR), or another newly defined value, may be used to indicate that the first security context carried in the first response message is a mapping type security context, or to indicate that the MME should generate a key set identifier of the mapping type, or to indicate that the UE is in a scenario of moving from 5G to 4G, or to indicate that the UE was previously registered in a 5G network, and so on;
c. the AMF extends the UE MM Context information element in the first response message by adding third indication information to the element, or adds the third indication information in a reserved bit, where the indication information may be used to indicate that the first security context is a mapping type security context, or to indicate that the MME should generate a key set identifier of the mapping type, or to indicate that the UE is in a scenario of moving from 5G to 4G, or to indicate that the UE was previously registered in a 5G network, and the like.
It should be understood that the first indication information may be included in the first response message, or may be included in other messages returned by the AMF to the MME, for indicating that the first security context carried in the first response message is a mapping type security context.
S304, the MME receives the first response message returned by the AMF, where the first response message may carry the first indication information, which may include but is not limited to:
a. a second indication information element;
b. a RAT-type information element;
c. a UE MM Context information element including third indication information.
The above three types of first indication information may be used to indicate that the first security context carried in the first response message is a mapping type security context, or may also be used to indicate that the MME should generate a key set identifier of the mapping type, or to indicate that the UE is in a scenario of moving from 5G to 4G, or to indicate that the UE was previously registered in a 5G network.
S305, the UE generates a third security context of the mapping type according to the local second security context, and generates a key set identifier of the mapping type, wherein the key set identifier corresponds to the third security context.
S306, the MME may perform the following processing according to the first indication information carried in the first response message returned by the AMF:
a. if the first indication information carried by the first response message is the second indication information element, the MME generates a key set identifier of the mapping type (the structure of which may be mapped || Value);
b. if the first indication information carried by the first response message is a RAT-type information element, the MME generates a key set identifier of the mapping type (the structure of which may be mapped || Value);
c. if the first indication information carried by the first response message is the UE MM Context information element including the third indication information, the MME generates a key set identifier of the mapping type (the structure of which may be mapped || Value).
Alternatively, the MME may generate a key set identifier of the mapping type (whose structure may be mapped || Value) according to the first security context of the mapping type.
S307, the MME sends a NAS SMC message to the UE, which may include a key set identifier of the mapping type generated by the MME.
The UE and the MME can perform the following operations:
The UE obtains the third security context according to the mapping type key set identifier generated by the MME and contained in the NAS SMC message.
Optionally, the UE may also perform security protection (e.g., integrity protection and ciphering) on other messages (e.g., NAS messages) sent to the MME using the third security context, and the MME performs security verification (e.g., integrity check and deciphering) on the NAS messages sent by the UE according to the second security context identified by the key set identifier of the mapping type.
In a scenario in which the UE moves from a 5G network to a 4G network, the UE initiates an Attach procedure, the AMF carries first indication information in the first response message, and the MME receives the identification response message sent by the AMF and generates a key set identifier of the mapping type according to the first indication information, so that the types of the key set identifiers generated by the UE and the MME are the same, the security contexts used by the UE and the MME are the same, and subsequent procedures can be executed normally.
Fig. 5 is a schematic interaction diagram of a method for acquiring a security context in the system shown in fig. 3, which occurs in a scenario that a UE is registered in a 5G network and in an idle state before the UE moves to a 4G network, and the UE may initiate a tracking area update procedure.
The method of fig. 5 may be performed by MME101, AMF103, and UE102 in fig. 1.
S501, the UE sends a tracking area update request (TAU Request) message to the MME, which may include a key set identifier of the native type, where the value part of the key set identifier may indicate a second security context stored on the UE.
S502, the MME may send a first request message to the AMF according to the received tracking area update request message, where the first request message may include a complete tracking area update request message.
The first Request message may be a Context Request (Context Request) message.
S503, the AMF queries a second security context according to a value part of the key set identifier carried in the tracking area update request message sent by the MME, and may generate a first security context according to the second security context, where the first security context may be a mapping type security context.
Wherein the second security context may be a 5G security context and the first security context may be an EPS security context of a mapped type, i.e. the first security context may be a 4G security context of a mapped type.
The AMF may reply to the MME with a first Response message, which may be a Context Response (Context Response) message, and may include the first indication information and the first security Context of the mapping type.
Optionally, the first response message may include a UE MM Context information element including a numeric portion of a key set identifier indicating the first security Context in the first response message.
Optionally, the first indication information may be used to indicate that the first security context carried in the first response message is a mapping-type security context.
Optionally, the first indication information may also indicate that the MME should generate a key set identifier of a mapping type, or the information is used to indicate a scenario that the UE currently moves from 5G to 4G, or the information is used to indicate that the UE is previously registered in a 5G network, and the like.
In the UE-initiated TAU procedure, the first response message may carry a RAT-type information element, which may also be one of the first indication information, and the information element may be used to indicate that the network type that the UE has previously accessed is a 5G network, for example, the value of RAT-type is NR or other newly defined values.
Possible ways of carrying the first indication information in the first response message include, but are not limited to, the following ways:
a. The AMF adds an independent second indication information element in the first response message, where the independent second indication information element is used to indicate that the first security context carried in the first response message is a security context of the mapping type, or to indicate that the MME should generate a key set identifier of the mapping type, or to indicate that the UE is in a scenario of moving from 5G to 4G, or to indicate that the UE was previously registered in a 5G network, and the like.
b. The AMF expands the UE MM Context information element in the first response message and adds third indication information in the element, or adds the third indication information in a reserved bit, where the indication information may be used to indicate that the first security context is a security context of the mapping type, or to indicate that the MME should generate a key set identifier of the mapping type, or to indicate that the UE is in a scenario of moving from 5G to 4G, or to indicate that the UE was previously registered in a 5G network, and the like.
c. The AMF carries a Radio Access Technology type (RAT-type) information element in the first response message, where the value of the information element may be used to indicate that the network type previously accessed by the UE is a 5G network (for example, the value of RAT-type is New Radio (NR) or another newly defined value); it may be used to indicate that the first security context carried in the first response message is a security context of the mapping type, or to indicate that the MME should generate a key set identifier of the mapping type, or to indicate that the UE is in a scenario of moving from 5G to 4G, or to indicate that the UE was previously registered in a 5G network, and so on.
It should be understood that the first indication information may be included in the first response message, or may be included in other messages returned by the AMF to the MME, for indicating that the first security context carried in the first response message is a mapping type security context.
S504, the MME receives a first response message returned by the AMF, where the first response message may carry first indication information, which may include but is not limited to:
a. a second indication information element;
b. a UE MM Context information element comprising third indication information;
c. a RAT-type information element.
The above three types of first indication information may be used to indicate that the first security context carried in the first response message is a mapping type security context, or may be used to indicate that the MME should generate a mapping type key set identifier, or indicate that the UE is currently moving from 5G to 4G, or indicate that the UE is previously registered in a 5G network.
S505, the UE generates a third security context of the mapping type according to the local second security context, and generates a key set identifier of the mapping type, wherein the key set identifier corresponds to the third security context.
S506, the MME may perform the following processing according to the first indication information carried in the first response message returned by the AMF:
a. if the first indication information carried by the first response message is the second indication information element, the MME generates a key set identifier of the mapping type (the structure of which may be mapped || Value);
b. if the first indication information carried by the first response message is a RAT-type information element, the MME generates a key set identifier of the mapping type (the structure of which may be mapped || Value);
c. if the first indication information carried by the first response message is the UE MM Context information element including the third indication information, the MME generates a key set identifier of the mapping type (whose structure may be mapped || Value).
Alternatively, the MME may generate a key set identifier of the mapping type (whose structure may be mapped || Value) according to the first security context of the mapping type.
S507, the MME sends a NAS SMC message to the UE, where the NAS SMC message may include a key set identifier of the mapping type generated by the MME.
The UE and the MME can perform the following operations:
The UE obtains the third security context according to the mapping type key set identifier generated by the MME and contained in the NAS SMC message.
Optionally, the UE may also perform security protection (e.g., integrity protection and ciphering) on other messages (e.g., NAS messages) sent to the MME using the third security context, and the MME performs security verification (e.g., integrity check and deciphering) on the NAS messages sent by the UE according to the second security context identified by the key set identifier of the mapping type.
In a scenario that the UE moves from a 5G network to a 4G network, the UE initiates a TAU process, the AMF carries first indication information in a first response message, the MME receives the context response message sent by the AMF, and generates a key set identifier of a mapping type according to the first indication information, so that the types of the key set identifiers generated by the UE and the MME are the same, the security contexts used by the UE and the MME are the same, and subsequent processes can be normally executed.
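The S504-S507 decision (the Fig. 4 steps S304-S307 are the same decision in the Attach case) and the UE side of it, as an added example that is not part of the patent or of any 3GPP implementation. The message field names, the one-type-bit plus three-bit-value encoding of "mapped || Value", and the sample values are assumptions; the second run shows what goes wrong when no first indication reaches the MME.

```python
"""Added model of S504-S507: the MME reads the first indication information
in the AMF's response and sets the type of the key set identifier accordingly,
while the UE derives the mapped-type identifier on its own.
Constructed example, not code from the patent."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed encoding: the patent only gives the structure "mapped || Value".
# Here it is one type bit (0 = native, 1 = mapped) followed by a 3-bit value,
# which mirrors the NAS key set identifier layout of 3GPP TS 24.301.
TSC_NATIVE = 0
TSC_MAPPED = 1


def encode_ksi(tsc: int, value: int) -> int:
    """Pack the type bit and the 3-bit value into one integer (type || value)."""
    if tsc not in (TSC_NATIVE, TSC_MAPPED) or not 0 <= value <= 0b111:
        raise ValueError("invalid key set identifier components")
    return (tsc << 3) | value


def decode_ksi(ksi: int) -> tuple[int, int]:
    """Inverse of encode_ksi: returns (type bit, value)."""
    return (ksi >> 3) & 1, ksi & 0b111


@dataclass
class ContextResponse:
    """First response message from the AMF (field names are assumptions)."""
    security_context: bytes            # first security context (mapped EPS context)
    ksi_value: int                     # value part carried in the UE MM Context IE
    second_indication: bool = False    # a. standalone second indication IE
    rat_type: Optional[str] = None     # b. RAT-type IE, e.g. "NR"
    mm_context_reserved_bit: int = 0   # c. third indication in a reserved bit


def first_indication_present(rsp: ContextResponse) -> bool:
    """Any of the three carriers listed in S504 counts as first indication."""
    return (rsp.second_indication
            or rsp.rat_type == "NR"
            or rsp.mm_context_reserved_bit == 1)


def mme_generate_ksi(rsp: ContextResponse) -> int:
    """S506: mapped-type identifier when first indication is present, native otherwise."""
    tsc = TSC_MAPPED if first_indication_present(rsp) else TSC_NATIVE
    return encode_ksi(tsc, rsp.ksi_value)


@dataclass
class UE:
    """UE holding a local 5G (second) security context identified by a value."""
    ngksi_value: int
    contexts: dict[int, str] = field(default_factory=dict)

    def generate_mapped_context(self) -> int:
        """S505: derive the third (mapped) context and its mapped-type identifier."""
        ksi = encode_ksi(TSC_MAPPED, self.ngksi_value)
        self.contexts[ksi] = "mapped EPS context derived from 5G context"
        return ksi

    def on_nas_smc(self, ksi: int) -> Optional[str]:
        """S507: find the context that the identifier in the NAS SMC refers to."""
        return self.contexts.get(ksi)


def run_tau(amf_sends_indication: bool) -> tuple[int, int, Optional[str]]:
    """Whole exchange; returns (UE identifier, MME identifier, context found by UE)."""
    ue = UE(ngksi_value=2)
    ue_ksi = ue.generate_mapped_context()
    # Constructed AMF response; 32 zero bytes stand in for the mapped context.
    rsp = ContextResponse(security_context=bytes(32), ksi_value=2,
                          rat_type="NR" if amf_sends_indication else None)
    mme_ksi = mme_generate_ksi(rsp)
    return ue_ksi, mme_ksi, ue.on_nas_smc(mme_ksi)


if __name__ == "__main__":
    print("with indication:   ", run_tau(True))    # types agree, UE finds the context
    print("without indication:", run_tau(False))   # MME picks native type, UE finds nothing
```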
FIG. 6 is a schematic flow chart diagram of another method of obtaining a security context. The method illustrated in fig. 6 may be performed by the MME101 in fig. 1.
S610, the MME receives a second request message sent by the UE, where the second request message may include fourth indication information and a key set identifier.
Alternatively, the second request message may be an attach request message or a tracking area update request message.
S620, the MME receives the second request message and stores the fourth indication information.
S630, the MME sends a first request message to the AMF, where the first request message includes a key set identifier, and the key set identifier may be used to instruct the AMF to generate the first security context.
Alternatively, the first request message may be an identification request message or a context request message.
S640, the MME may receive a first response message sent by the AMF, where the first response message may include the first security context, and the fourth indication information may be used to indicate that the first security context is a mapping type security context.
Alternatively, the first response message may be an identification response message or a context response message.
Optionally, S650, the MME may generate, after receiving the first response message, a mapping-type key set identifier according to the fourth indication information and/or the mapping-type first security context, where the mapping-type key set identifier may be used to identify the mapping-type first security context.
Optionally, S660, the MME sends the key set identifier of the mapping type to the UE.
Fig. 7 is a schematic interaction diagram of one of the methods of fig. 6 for obtaining a security context, which occurs in a scenario where a UE previously de-registers from a 5G network and initiates an initial attach procedure after moving to a 4G network. The method of fig. 7 may be performed by MME101, AMF103, and UE102 in fig. 1.
According to the method for acquiring the security context, the mode that the MME stores the fourth indication information in advance is adopted, and when the MME receives the key set identifier to be processed, the MME can generate the key set identifier of the mapping type according to the fourth indication information.
S601, the UE sends a second request message to the MME, where the second request message may be an attach request message, which may include a key set identifier, and a numerical portion of the key set identifier may be used to identify a second security context stored on the UE.
Optionally, the second request message may further carry fourth indication information, where the fourth indication information may be used to indicate that the first security context received by the MME is a mapping type security context, and may also be used to indicate that the MME generates a mapping type key set identifier. Since there are various types of fourth indication information, only a few examples are given here:
The fourth indication information may be a user status (UE Status) information element carried in the attach request message, where the information element indicates whether the state of the UE when it was previously registered in 5G is a registration state or a de-registration state;
The fourth indication information may also be fifth indication information carried in the attach request message, where the information is used to indicate that the first security context carried in the first response message is a mapping-type security context, or is used to indicate that the MME should generate a key set identifier of the mapping type, or is used to indicate a scenario in which the UE currently moves from 5G to 4G, or is used to indicate that the UE was previously registered in a 5G network, and the like.
It should be understood that the fourth indication information may be included in the attach request message, or may be included in another message sent by the UE to the MME, and is used to indicate that the first security context carried in the first response message is a security context of a mapping type, or indicate that the MME should generate a key set identifier of a mapping type, or the information is used to indicate a scenario that the UE currently moves from 5G to 4G, or the information is used to indicate that the UE is previously registered in a 5G network, and so on.
S602, the MME receives the second request message, and stores fourth indication information contained in the second request message, where the fourth indication information may be a user status information element and/or fifth indication information.
S603, the MME sends a first request message to the AMF, where the first request message may be an identification request message, and the first request message may include a complete second request message.
S604, the AMF queries a second security context according to a value part of the key set identifier carried in the first request message sent by the MME, and may generate a first security context according to the second security context, where the first security context may be a mapping type security context.
Wherein the second security context may be a 5G security context and the first security context may be an EPS security context of a mapped type, i.e. the first security context may be a 4G security context of a mapped type.
The AMF may reply to the MME with a first response message, which may be an identity response message, which may include the first security context of the mapping type.
Optionally, the first response message may include a UE MM Context information element including a numeric portion of a key set identifier indicating the first security Context in the first response message.
S605, the MME receives a first response message returned by the AMF, where the first response message includes a value part of the key set identifier and the first security context.
S606, the UE generates a third security context of the mapping type according to the local second security context, and generates a key set identifier of the mapping type, wherein the key set identifier corresponds to the third security context.
S607, the MME obtains the value part of the key set identifier according to the first response message returned by the AMF, and may determine that the first security context is the mapping type security context according to the stored fourth indication information.
Optionally, the MME may generate a key set identifier of the mapping type (whose structure may be mapped || Value) according to the fourth indication information and/or the first security context.
S608, the MME sends a NAS SMC message to the UE, which may include a key set identifier of the MME-generated mapping type.
The UE and the MME can perform the following operations:
The UE obtains the third security context according to the mapping type key set identifier generated by the MME and contained in the NAS SMC message.
Optionally, the UE may also perform security protection (e.g., integrity protection and ciphering) on other messages (e.g., NAS messages) sent to the MME using the third security context, and the MME performs security verification (e.g., integrity check and deciphering) on the NAS messages sent by the UE according to the second security context identified by the key set identifier of the mapping type.
Compared with the communication method shown in fig. 4, the communication method proposed in this embodiment does not involve modification of the AMF, nor does it modify the protocol of the N26 interface between the MME and the AMF. And the MME generates a key set identifier of a mapping type according to the user state information element or the fifth indication information sent by the UE, so that the types of the key set identifiers generated by the UE and the MME are the same, the security context used by the UE and the MME is the same, and the subsequent process can be normally executed.
Fig. 8 is a schematic interaction diagram of another method for acquiring a security context in the method shown in fig. 6, which occurs in a scenario that a UE is registered in a 5G network and in an idle state before the UE moves to a 4G network, and then the UE initiates a tracking area update procedure. The method of fig. 8 may be performed by MME101, AMF103, and UE102 in fig. 1.
In this method for acquiring the security context, the MME stores the fourth indication information in advance, and when the MME receives the key set identifier to be processed, the MME can generate the key set identifier of the mapping type according to the fourth indication information.
S701, the UE sends a second request message to the MME, where the second request message may be a tracking area update request message, which may include a local type key set identifier, and a numerical portion of the key set identifier may be used to identify a second security context stored on the UE.
Optionally, the second request message may further carry fourth indication information, where the fourth indication information may be used to indicate that the first security context received by the MME is a mapping type security context, and may also be used to indicate that the MME generates a mapping type key set identifier. Since there are various types of fourth indication information, only a few examples are given here:
the fourth indication information may be a user status information element carried in the tracking area update request message, which indicates that the status of the UE when previously registered in the 5G is a registration status or a de-registration status.
The fourth indication information may also be fifth indication information carried in the tracking area update request message, where the fifth indication information is used to indicate that the first security context carried in the first response message is a mapping-type security context, or is used to indicate that the MME should generate a key set identifier of the mapping type, or is used to indicate a scenario in which the UE currently moves from 5G to 4G, or is used to indicate that the UE is previously registered in a 5G network, and so on.
It should be understood that the fourth indication information may be included in the tracking area update request message, or may be included in another message sent by the UE to the MME, to indicate that the first security context carried in the first response message is a security context of a mapping type, or indicate that the MME should generate a key set identifier of a mapping type, or indicate that the UE is currently moving from 5G to 4G, or indicate that the UE is previously registered in a 5G network, and so on.
S702, the MME receives the second request message, and stores fourth indication information contained in the second request message, wherein the fourth indication information can be a user state information element and/or fifth indication information.
S703, the MME sends a first request message to the AMF, where the first request message may be a context request message, and the first request message may include a complete second request message.
S704, the AMF queries a second security context according to the value part of the key set identifier carried in the first request message sent by the MME, and may generate a first security context according to the second security context, where the first security context may be a mapping type security context.
Wherein the second security context may be a 5G security context and the first security context may be an EPS security context of a mapped type, i.e. the first security context may be a 4G security context of a mapped type.
The AMF may reply to the MME with a first response message, which may be a context response message, which may include a first security context of the mapping type.
Optionally, the first response message may include a UE MM Context information element including a value part of the key set identifier, the value part of the key set identifier indicating the first security context in the first response message.
S705, the MME receives a first response message returned by the AMF, where the first response message includes a value part of the key set identifier and the first security context.
S706, the UE generates a third security context of the mapping type according to the local second security context, and generates a key set identifier of the mapping type, where the key set identifier corresponds to the third security context.
S707, the MME obtains the value part of the key set identifier according to the first response message returned by the AMF, and determines that the first security context is a security context of the mapping type according to the fourth indication information.
Optionally, the MME may generate a key set identifier of the mapping type (whose structure may be mapped || Value) according to the fourth indication information and/or the first security context.
S708, the MME sends a NAS SMC message to the UE, which may include a key set identifier of the MME-generated mapping type.
The UE and the MME can perform the following operations:
The UE obtains the third security context according to the mapping type key set identifier generated by the MME and contained in the NAS SMC message.
Optionally, the UE may also perform security protection (e.g., integrity protection and ciphering) on other messages (e.g., NAS messages) sent to the MME using the third security context, and the MME performs security verification (e.g., integrity check and deciphering) on the NAS messages sent by the UE according to the second security context identified by the key set identifier of the mapping type.
Compared with the communication method shown in fig. 5, the communication method proposed in this embodiment does not involve modification of the AMF, nor does it modify the protocol of the N26 interface between the MME and the AMF. And the MME generates a key set identifier of a mapping type according to the user state information element or the fifth indication information sent by the UE, so that the types of the key set identifiers generated by the UE and the MME are the same, the security context used by the UE and the MME is the same, and the subsequent process can be normally executed.
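The S701-S708 flow (S601-S608 is the same flow with an Attach Request), as an added example that is not part of the patent or of any MME implementation: the MME keeps the fourth indication information from the UE's request and consults it when the AMF's response arrives, which carries no indication because N26 is left unchanged. Field names, the type-bit encoding of "mapped || Value", the treatment of either UE Status value as an indication, and the per-UE storage with removal after use are assumptions.

```python
"""Added model of S701-S708: the MME stores the fourth indication information
carried by the UE's request and uses it when the AMF's response arrives, so
nothing new is needed over the N26 interface.
Constructed example, not code from the patent."""
from dataclasses import dataclass
from typing import Optional

TSC_NATIVE, TSC_MAPPED = 0, 1   # assumed type bit values of "mapped || Value"


def encode_ksi(tsc: int, value: int) -> int:
    """type bit || 3-bit value (assumed encoding, mirroring TS 24.301)."""
    return (tsc << 3) | (value & 0b111)


@dataclass
class SecondRequest:
    """Attach/TAU request from the UE (field names are assumptions)."""
    ue_id: str
    ksi_value: int
    ue_status: Optional[str] = None   # UE Status IE: "registered" or "deregistered" in 5G
    fifth_indication: bool = False    # explicit fifth indication information


@dataclass
class FirstRequest:
    """Identification/Context Request sent by the MME to the AMF."""
    ue_id: str
    ksi_value: int


@dataclass
class FirstResponse:
    """Identification/Context Response from the AMF; carries no indication."""
    ue_id: str
    ksi_value: int
    security_context: bytes


class MME:
    def __init__(self) -> None:
        # Fourth indication per UE, kept only between S702 and S707 (design assumption).
        self._fourth_indication: dict[str, bool] = {}

    def on_second_request(self, req: SecondRequest) -> FirstRequest:
        """S702: store the indication; S703: build the first request for the AMF."""
        # Either value of the UE Status IE shows the UE was registered in 5G
        # before, so the presence of the IE is treated as the indication.
        indicated = req.ue_status is not None or req.fifth_indication
        self._fourth_indication[req.ue_id] = indicated
        return FirstRequest(ue_id=req.ue_id, ksi_value=req.ksi_value)

    def on_first_response(self, rsp: FirstResponse) -> int:
        """S707: the response says nothing about the type, so consult the stored
        indication, and drop it so it cannot leak into a later procedure."""
        indicated = self._fourth_indication.pop(rsp.ue_id, False)
        return encode_ksi(TSC_MAPPED if indicated else TSC_NATIVE, rsp.ksi_value)


def run_procedure(mme: MME, ue_id: str, ue_status: Optional[str],
                  fifth_indication: bool = False) -> int:
    """One request/response round for one UE; returns the KSI sent in the NAS SMC."""
    req = SecondRequest(ue_id, ksi_value=5, ue_status=ue_status,
                        fifth_indication=fifth_indication)
    first_req = mme.on_second_request(req)
    # Constructed AMF reply echoing the value; 32 zero bytes stand in for the context.
    rsp = FirstResponse(first_req.ue_id, first_req.ksi_value, bytes(32))
    return mme.on_first_response(rsp)


if __name__ == "__main__":
    mme = MME()
    print(run_procedure(mme, "ue-A", "deregistered"))  # 13: mapped type, value 5
    print(run_procedure(mme, "ue-B", None))            # 5: no indication, native type
    print(run_procedure(mme, "ue-C", None, True))      # 13: fifth indication alone suffices
```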
Fig. 9 to 11 are schematic diagrams of a communication device in a method for acquiring a security context.
As shown in fig. 9, the MME800 may include a first transmitting module 801, a first processing module 802, and a first receiving module 803.
The first sending module 801 may send a first request message to the AMF, where the first request message may include a key set identifier, and the key set identifier is used to instruct the AMF to generate the first security context.
Wherein the first request message may be an identification request message or a context request message.
Optionally, the first sending module 801 may further send a NAS SMC message to the UE, where the NAS SMC message includes a key set identifier of the mapping type.
The first receiving module 803 may receive a first response message sent by the AMF, and the first response message may include the first indication information and the first security context.
Wherein the first response message may be an identification response message or a context response message.
Optionally, the first receiving module 803 may also receive a second request message sent by the UE, where the second request message may include fourth indication information, and the MME may further include a storing module, where the storing module may be configured to store the fourth indication information sent by the UE.
The first processing module 802 generates a key set identifier of a mapping type according to the first indication information and/or the first security context, wherein the key set identifier of the mapping type is used for identifying the first security context.
Optionally, the first processing module 802 may also generate a mapping type key set identifier according to the fourth indication information and/or the first security context stored by the storage module, where the mapping type key set identifier is used to identify the first security context.
As shown in fig. 10, the AMF900 may include a second transmitting module 901, a second processing module 902, and a second receiving module 903.
The second receiving module 903 may receive a first request message sent by the MME, where the first request message may include a key set identifier.
The second processing module 902 may obtain a second security context corresponding to the key set identifier from the first request message and generate a first security context from the second security context.
The second sending module 901 may send a first response message to the MME, where the first response message may include first indication information and a first security context, and the first indication information is used to indicate that the first security context received by the MME is a mapping-type security context.
Wherein the first response message may be an identification response message or a context response message.
As shown in fig. 11, the UE1000 may include a third receiving module 1001, a third processing module 1002 and a protection module 1003.
The third receiving module 1001 may receive a NAS SMC message.
The third processing module 1002 may obtain a third security context corresponding to the key set identifier of the mapping type.
The protection module 1003 may secure the NAS SMC message using the third security context.
Optionally, the UE may further include a third sending module, where the third sending module may send a second request message to the MME, and the second request message may include fourth indication information, where the fourth indication information may be used to indicate that the first security context received by the MME is a mapping-type security context.
It should be understood that the system for acquiring a security context provided in the embodiment of the present application may be constituted by the apparatuses shown in fig. 9 to 11.
Fig. 12 shows a schematic structural diagram of a user equipment provided in an embodiment of the present application. It may be the user equipment in the above embodiment, for implementing the operation of the user equipment in the above embodiment.
As shown in fig. 12, the user equipment includes: an antenna 810, a radio frequency device 820 and a baseband device 830. The antenna 810 is connected to the radio frequency device 820. In the downlink direction, the radio frequency device 820 receives information transmitted by the network device through the antenna 810 and passes it to the baseband device 830 for processing. In the uplink direction, the baseband device 830 processes the information of the terminal device and sends it to the radio frequency device 820, and the radio frequency device 820 processes it and sends it to the network device through the antenna 810.
The baseband apparatus 830 may include a modem subsystem for implementing processing of various communication protocol layers of data; the system also comprises a central processing subsystem used for realizing the processing of a terminal operating system and an application layer; in addition, other subsystems, such as a multimedia subsystem for controlling a camera, a screen display, etc. of the terminal device, a peripheral subsystem for connecting with other devices, etc. may be included. The modem subsystem may be a separate chip. Alternatively, the above means for the user equipment may be located at the modem subsystem.
The modem subsystem may include one or more processing elements 831, for example a host CPU and other integrated circuits. The modem subsystem may also include a storage element 832 and an interface circuit 833. The storage element 832 is used to store data and programs; however, the programs for performing the methods performed by the terminal device in the above methods may be stored not in the storage element 832 but in a memory outside the modem subsystem. The interface circuit 833 is used to communicate with other subsystems. The above apparatus for the terminal device may be located in the modem subsystem, which may be implemented by a chip comprising at least one processing element, for performing the steps of any of the methods performed by the above terminal device, and an interface circuit for communicating with other apparatus. In one implementation, the unit by which the terminal device implements each step of the above method may be implemented in the form of a processing element calling a program; for example, an apparatus for the terminal device includes a processing element and a storage element, and the processing element calls a program stored in the storage element to execute the method executed by the terminal in the above method embodiment. The storage element may be a storage element on the same chip as the processing element, i.e. an on-chip storage element.
Fig. 13 is a schematic structural diagram of a network device according to an embodiment of the present application. Such a network device may be MME101 or AMF103 in fig. 1.
As shown in fig. 13, the network device includes: antenna 901, radio frequency device 902, baseband device 903. The antenna 901 is connected to a radio frequency device 902. In the uplink direction, the rf apparatus 902 receives information transmitted by the terminal through the antenna 901, and transmits the information transmitted by the terminal equipment to the baseband apparatus 903 for processing. In the downlink direction, the baseband device 903 processes the information of the terminal and sends the information to the radio frequency device 902, and the radio frequency device 902 processes the information of the terminal device and sends the information to the terminal through the antenna 901.
The baseband device 903 may include one or more processing elements 9031, including, for example, a host CPU and other integrated circuits. In addition, the baseband device 903 may further include a storage element 9032 and an interface 9033, where the storage element 9032 is configured to store programs and data, and the interface 9033 is used for exchanging information with the radio frequency device 902 and is, for example, a Common Public Radio Interface (CPRI). The above apparatus for a network device may be located in the baseband device 903; for example, it may be a chip on the baseband device 903, the chip including at least one processing element and an interface circuit, wherein the processing element is configured to perform each step of any one of the methods performed by the above network device, and the interface circuit is configured to communicate with other devices. In one implementation, the units by which the network device implements the steps of the above method may be realized by a processing element invoking a program: for example, an apparatus for the network device includes a processing element and a storage element, and the processing element calls a program stored in the storage element to execute the method performed by the network device in the above method embodiment. The storage element may be on the same chip as the processing element, i.e. an on-chip storage element, or on a different chip from the processing element, i.e. an off-chip storage element.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
Those skilled in the art will understand that, for the specific working processes of the systems, apparatuses and units described above, reference may be made to the corresponding processes in the foregoing method embodiments; for brevity, they are not described again here.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (34)

1. A method for obtaining a security context, comprising:
a Mobility Management Entity (MME) sends a first request message to an Access and Mobility Management Function (AMF), wherein the first request message comprises a key set identifier, the key set identifier is used for indicating the AMF to generate a first security context, and the first security context is a mapping type security context;
the MME receives a first response message sent by the AMF, wherein the first response message comprises first indication information and the first security context, and the first indication information is used for indicating that the first security context is a mapping type security context.
2. The method of claim 1, further comprising: the MME generates a key set identifier of a mapping type according to the first indication information and/or the first security context, wherein the key set identifier of the mapping type is used for identifying the first security context;
the MME sends a key set identifier of the mapping type to User Equipment (UE).
3. The method of claim 1, wherein the first indication information comprises at least one of the following information elements:
a second indication information element;
a radio access type information element;
a mobility management context information element including third indication information.
4. A method according to any one of claims 1 to 3, wherein the first request message is an identity request message or a context request message.
5. The method of claim 4, wherein the first response message is an identity response message or a context response message.
6. A method for obtaining a security context, comprising:
the MME receives a second request message sent by the UE, wherein the second request message comprises fourth indication information and a key set identifier;
the MME stores the fourth indication information;
the MME sends a first request message to the AMF, wherein the first request message comprises the key set identifier, the key set identifier is used for indicating the AMF to generate a first security context, and the first security context is a mapping type security context;
the MME receives the first response message sent by the AMF, where the first response message includes the first security context, and the fourth indication information is used to indicate that the first security context is a mapping type security context.
7. The method of claim 6, further comprising:
the MME generates a key set identifier of a mapping type according to the fourth indication information and/or the first security context, wherein the key set identifier of the mapping type is used for identifying the first security context;
the MME sends a key set identifier of the mapping type to the UE.
8. The method of claim 6, wherein the fourth indication information comprises at least one of the following information elements:
a fifth indication information element;
a user status information element.
9. The method according to any of claims 6 to 8, wherein the second request message is an attach request message or a tracking area update request message.
10. The method according to any of claims 6 to 9, wherein the first request message is an identity request message or a context request message.
11. The method of claim 10, wherein the first response message is an identity response message or a context response message.
12. A method for obtaining a security context, comprising:
the AMF receives a first request message sent by an MME, wherein the first request message comprises a key set identifier;
the AMF generates a first security context according to the key set identifier, wherein the first security context is a mapping type security context;
the AMF sends a first response message to the MME, wherein the first response message comprises first indication information and a first security context, and the first indication information is used for indicating that the first security context is a mapping type security context.
13. The method according to claim 12, wherein the first indication information and/or the first security context is used to indicate the MME to generate a mapping type key set identifier, and wherein the mapping type key set identifier is used to identify the first security context.
14. The method of claim 12, wherein the first indication information comprises at least one of the following information elements:
a second indication information element;
a radio access type information element;
a mobility management context information element including third indication information.
15. The method according to any of claims 12 to 14, wherein the first request message is an identity request message or a context request message.
16. The method of claim 15, wherein the first response message is an identity response message or a context response message.
17. A method for obtaining a security context, comprising:
the UE sends a second request message to the MME, wherein the second request message comprises fourth indication information, and the fourth indication information is used for indicating that the first security context received by the MME is a mapping type security context.
18. The method of claim 17, further comprising:
the fourth indication information and/or the first security context is used to instruct the MME to generate a key set identifier of a mapping type, the key set identifier of the mapping type being used to identify the first security context;
the UE receives a key set identifier of the mapping type sent by the MME.
19. The method of claim 17, wherein the fourth indication information comprises at least one of the following information elements:
a fifth indication information element;
a user status information element.
20. The method according to any of claims 17 to 19, wherein the second request message is an attach request message or a tracking area update request message.
21. A system for obtaining a security context, comprising:
an MME sends a first request message to an AMF, wherein the first request message comprises a key set identifier used for indicating the AMF to generate a first security context; the AMF generates a first security context, wherein the first security context is a mapping type security context;
the AMF sends a first response message to the MME, wherein the first response message comprises first indication information and the first security context, and the first indication information is used for indicating that the first security context is a mapping type security context.
22. The system of claim 21, further comprising:
the MME generates a key set identifier of a mapping type according to the first indication information and/or the first security context, wherein the key set identifier of the mapping type is used for identifying the first security context;
the MME sends a key set identifier of the mapping type to User Equipment (UE).
23. The system of claim 22, wherein the first indication information comprises at least one of the following information elements:
a second indication information element;
a radio access type information element;
a mobility management context information element including third indication information.
24. The system according to claim 22 or 23, wherein said first request message is an identity request message or a context request message.
25. The system of claim 24, wherein the first response message is an identity response message or a context response message.
26. A system for obtaining a security context, comprising:
the UE sends a second request message to the MME, wherein the second request message comprises fourth indication information and a key set identifier;
the MME receives the second request message and stores the fourth indication information;
the MME sending a first request message to the AMF, the first request message including the key set identifier, the key set identifier being used to instruct the AMF to generate a first security context;
the AMF sends the first response message to the MME, wherein the first response message comprises the first security context, and the first security context is a mapping type security context;
the MME receives the first response message, and the fourth indication information is used for indicating that the first security context received by the MME is a mapping type security context.
27. The system of claim 26, further comprising:
the MME generates a key set identifier of a mapping type according to the fourth indication information and/or the first security context, wherein the key set identifier of the mapping type is used for identifying the first security context;
the MME sends a key set identifier of the mapping type to the UE.
28. The system of claim 26, wherein the fourth indication information comprises at least one of the following information elements:
a fifth indication information element;
a user status information element.
29. The system according to any of claims 26 to 28, wherein said second request message is an attach request message or a tracking area update request message.
30. The system according to any of claims 26 to 29, wherein said first request message is an identity request message or a context request message.
31. The system of claim 30, wherein the first response message is an identity response message or a context response message.
32. A network device configured to perform the method of any one of claims 1 to 11.
33. A network device configured to perform the method of any one of claims 12 to 16.
34. A user equipment, characterized in that the user equipment is configured to perform the method of any of claims 17 to 20.
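The message flow of claims 1-2, 6-7, 12 and 17-18, as an added simulation that is not code from the patent or from Huawei. It models the MME, AMF and UE in Python with constructed key material: `derive_mapped_key` is an HMAC-SHA256 stand-in for the 3GPP key derivation, and every class, field and function name here (`ContextRequest`, `ContextResponse`, `run_flow`, the `carrier` selector, and the rule that an NR radio access type marks a 5G-derived context) is this example's own assumption. It covers both ways the claims supply the type indication, in the AMF's response (claims 1, 3 and 12) or stored by the MME from the UE's attach or tracking area update request (claims 6, 8 and 17), and shows the security-relevant outcome: the MME sets the key set identifier's type to "mapped" only when an indication says so, and the UE verifies that the identifier it receives names the mapped context it derived itself.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample values; a real K_AMF comes from 5G primary authentication.
K_AMF = b"constructed-sample-K_AMF-not-a-real-key"
NGKSI_VALUE = 3  # 3-bit KSI value under which the UE holds its 5G context

@dataclass
class SecurityContext:
    kind: str        # "native" or "mapped"
    key: bytes       # toy key material
    ksi_value: int   # KSI value that identifies this context

@dataclass
class KeySetIdentifier:
    value: int       # 0..6; 7 means "no key is available"
    tsc: str         # type of security context: "native" or "mapped"

@dataclass
class UeRequest:  # "second request message" (attach or tracking area update request)
    key_set_identifier: int
    mapped_indication: Optional[bool] = None   # "fourth indication information" IE

@dataclass
class ContextRequest:  # "first request message" (identity or context request)
    key_set_identifier: int

@dataclass
class ContextResponse:  # "first response message" (identity or context response)
    security_context: SecurityContext
    mapped_indication: Optional[bool] = None   # "second indication information" IE
    rat_type: Optional[str] = None             # "radio access type" IE
    mm_context_mapped: Optional[bool] = None   # "third indication" inside the MM-context IE

def derive_mapped_key(k_amf: bytes) -> bytes:
    """Stand-in KDF (HMAC-SHA256, not the 3GPP KDF): UE and AMF both derive the mapped key."""
    return hmac.new(k_amf, b"mapped-eps-security-context", hashlib.sha256).digest()

# Which response IE carries the "this context is mapped" indication (claims 3 and 14).
INDICATION_CARRIERS = {
    "indication": {"mapped_indication": True},
    "rat": {"rat_type": "NR"},
    "mm_context": {"mm_context_mapped": True},
    "none": {},  # the AMF sends no indication; the MME relies on the UE's (claim 6)
}

class AMF:
    def __init__(self, k_amf: bytes, ngksi_value: int):
        self.k_amf, self.ngksi_value = k_amf, ngksi_value

    def handle_request(self, req: ContextRequest, carrier: str) -> ContextResponse:
        """Generate the mapped context and flag it through the selected IE."""
        if req.key_set_identifier != self.ngksi_value:
            raise ValueError("no 5G security context for KSI %d" % req.key_set_identifier)
        ctx = SecurityContext("mapped", derive_mapped_key(self.k_amf), req.key_set_identifier)
        return ContextResponse(ctx, **INDICATION_CARRIERS[carrier])

class MME:
    def __init__(self):
        self.stored_ue_indication: Optional[bool] = None  # "fourth indication information"

    def on_ue_request(self, req: UeRequest) -> ContextRequest:
        self.stored_ue_indication = req.mapped_indication  # stored before asking the AMF
        return ContextRequest(req.key_set_identifier)

    def on_context_response(self, resp: ContextResponse) -> Optional[KeySetIdentifier]:
        """Build the KSI for the UE; its TSC bit comes from the AMF's or the UE's indication."""
        indicated: Optional[bool] = None
        if resp.mapped_indication is not None:
            indicated = resp.mapped_indication
        elif resp.mm_context_mapped is not None:
            indicated = resp.mm_context_mapped
        elif resp.rat_type is not None:
            indicated = resp.rat_type == "NR"  # assumption: an NR RAT type means a 5G-derived context
        if indicated is None:
            indicated = self.stored_ue_indication
        if indicated is None:
            # Defensive choice of this example: with no indication the MME does not guess,
            # because a wrong TSC bit makes UE and network select different keys.
            return None
        return KeySetIdentifier(resp.security_context.ksi_value, "mapped" if indicated else "native")

class UE:
    def __init__(self, k_amf: bytes, ngksi_value: int):
        self.mapped_key, self.ngksi_value = derive_mapped_key(k_amf), ngksi_value

    def accept(self, ksi: KeySetIdentifier, ctx_key: bytes) -> bool:
        """UE-side check: the KSI must name the mapped context and the key must match ours."""
        return ksi.tsc == "mapped" and ksi.value == self.ngksi_value and ctx_key == self.mapped_key

def run_flow(carrier: str, ue_indicates: bool) -> Optional[KeySetIdentifier]:
    """UE -> MME -> AMF -> MME -> UE; returns the KSI the UE accepted, or None if undecidable."""
    ue, mme, amf = UE(K_AMF, NGKSI_VALUE), MME(), AMF(K_AMF, NGKSI_VALUE)
    ue_req = UeRequest(ue.ngksi_value, True if ue_indicates else None)
    resp = amf.handle_request(mme.on_ue_request(ue_req), carrier)
    ksi = mme.on_context_response(resp)
    if ksi is None or not ue.accept(ksi, resp.security_context.key):
        return None
    return ksi
```

`run_flow("indication", False)` (the AMF flags the context, claims 1 and 12) and `run_flow("none", True)` (the UE flagged it in its request, claims 6 and 17) both return a key set identifier of type "mapped" with value 3, while `run_flow("none", False)` returns None because neither side supplied an indication. The point of that refusal is the failure the indication exists to prevent: a key set identifier with the wrong type bit would lead the UE and the MME to select different keys, so the MME is made to stop rather than guess.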
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910518066.2A CN112087297B (en) 2019-06-14 2019-06-14 Method, system and equipment for obtaining security context

Publications (2)

Publication Number Publication Date
CN112087297A true CN112087297A (en) 2020-12-15
CN112087297B CN112087297B (en) 2022-05-24

Family

ID=73734151

Country Status (1)

Country Link
CN (1) CN112087297B (en)

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355809A (en) * 2008-09-12 2009-01-28 中兴通讯股份有限公司 Method and system for negotiating and initiating security context
KR20110045796A (en) * 2009-10-27 2011-05-04 삼성전자주식회사 Method and system for managing security in mobile communication system
CN104067648A (en) * 2012-01-30 2014-09-24 瑞典爱立信有限公司 Call handover between cellular communication system nodes that support different security contexts
CN105532026A (en) * 2013-10-28 2016-04-27 华为技术有限公司 Method and device for providing and acquiring security context
CN109076079A (en) * 2016-04-27 2018-12-21 高通股份有限公司 Enhanced non-access stratum security
US20170353505A1 (en) * 2016-06-07 2017-12-07 Verizon Patent And Licensing Inc. Recovery from a potential proxy call session control function (p-cscf) failure during call origination
CN109691154A (en) * 2016-09-16 2019-04-26 高通股份有限公司 On-demand network function re-authentication based on key freshness
CN107872770A (en) * 2016-09-22 2018-04-03 联发科技(新加坡)私人有限公司 Message processing method and user equipment thereof
WO2018137853A1 (en) * 2017-01-30 2018-08-02 Telefonaktiebolaget Lm Ericsson (Publ) Management of security contexts at idle mode mobility between different wireless communication systems
US20180331830A1 (en) * 2017-05-12 2018-11-15 Alcatel-Lucent Usa Inc. Indicator for determination of key for processing message in communication system
WO2019020193A1 (en) * 2017-07-28 2019-01-31 Telefonaktiebolaget Lm Ericsson (Publ) Methods providing non-3gpp access using access network keys and related wireless terminals and network nodes
US20190104447A1 (en) * 2017-09-29 2019-04-04 Nokia Technologies Oy Security in intersystem mobility
CN109587688A (en) * 2017-09-29 2019-04-05 诺基亚技术有限公司 Security in intersystem mobility

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
3GPP Working Group: "33501-f10", 3GPP SPECS\33_SERIES *
LIMING CHEN et al.: "Security Analysis and Access Protection of Power Distribution Wireless Private TD-LTE Network", 2016 CHINA INTERNATIONAL CONFERENCE ON ELECTRICITY DISTRIBUTION (CICED 2016) *
MOBILE COMPETENCE CENTRE: "23.502: Way forward for NGC-EPC interworking", 3GPP *
薄瑜, 王立娟, 何丹丹: "Security strategy for a message transmission algorithm based on context information matching", Computing Technology and Automation *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112738881A (en) * 2020-12-30 2021-04-30 展讯通信(上海)有限公司 Network registration method and device
CN112738881B (en) * 2020-12-30 2022-09-30 展讯通信(上海)有限公司 Network registration method and device

Also Published As

Publication number Publication date
CN112087297B (en) 2022-05-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant