CN112087724A - Communication method, network equipment, user equipment and access network equipment - Google Patents


Publication number: CN112087724A
Authority: CN (China)
Prior art keywords: group list, group, access, list, message
Legal status: Pending
Application number: CN201910511766.9A
Other languages: Chinese (zh)
Inventor: 张博
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Events:
Application filed by Huawei Technologies Co Ltd
Priority to CN201910511766.9A (CN112087724A)
Priority to PCT/CN2020/076975 (WO2020248624A1)
Publication of CN112087724A

Classifications

    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/08 Access security
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
    • H04W 4/08 User group management
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/11 Allocation or use of connection identifiers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a communication method comprising the following steps: a first network device receives an encrypted first group list sent by a User Equipment (UE), where the first group list comprises identifiers of one or more groups that the UE requests to access; the first network device decrypts the encrypted first group list to obtain a first closed access service identifier group; the first network device determines a subscription group list stored by Unified Data Management (UDM); the first network device determines a second group list according to the first group list and the subscription group list, where the second group list comprises an identifier of a group that the UE is allowed to access; and when the second group list exists, the first network device sends the second group list to the access network device. Because the first network device receives the list of groups that the UE requests to access in encrypted form and decrypts it itself, data leakage is avoided and the privacy of the UE is protected.

Description

Communication method, network equipment, user equipment and access network equipment
Technical Field
The present application relates to the field of communications, and in particular, to a communication method, a user equipment, an access network device, and a network device.
Background
A group allows a set of subscribers to access one or more particular cells. Access to a group requires support from the User Equipment (UE), the access network equipment and the core network. When the UE accesses a group, the core network and the UE exchange information to complete the check. During this information exchange, the signalling that carries data between the core network equipment and the UE must be reliable and effective, no data may leak, and the privacy of the UE must be protected.
Disclosure of Invention
The application provides a communication method, network equipment, user equipment and access network equipment that can avoid data leakage and protect the privacy of the UE.
In a first aspect, a communication method is provided, including: a first network device receives an encrypted first group list sent by a User Equipment (UE), where the first group list comprises identifiers of one or more groups that the UE requests to access; the first network device decrypts the encrypted first group list to obtain a first closed access service identifier group; the first network device determines a subscription group list stored by Unified Data Management (UDM); the first network device determines a second group list according to the first group list and the subscription group list, where the second group list comprises an identifier of a group that the UE is allowed to access; and when the second group list exists, the first network device sends the second group list to the access network device.
The first network device receives the list of groups that the UE requests to access in encrypted form and decrypts it, so that data leakage is avoided and the privacy of the UE is protected. The first network device sends the identifiers of the groups that the UE is allowed to access to the access network device, so that the access network device can prepare for data transmission once the UE has accessed the group.
With reference to the first aspect, in some possible implementations, the receiving, by the first network device, of the encrypted first group list sent by the UE includes: the first network device receives the encrypted first group list sent by the UE in a non-access stratum (NAS) Security Mode (SM) Complete message; or, the first network device receives the encrypted first group list sent by the UE in an uplink NAS message protected by the NAS security context.
By carrying the encrypted first group list in the NAS SM Complete message or in an uplink NAS message protected by the NAS security context, the first group list is transmitted encrypted without adding an extra procedure. Receiving the encrypted first group list in the NAS SM Complete message in particular reduces the signalling exchanged between the UE and the first network device, and thus the impact on the system.
With reference to the first aspect, in some possible implementations, the method further includes: when the second group list does not exist, the first network device calculates a message authentication code according to a shared key between the UE and the first network device; and the first network device sends a registration rejection message to the access network device, where the message authentication code is used by the UE to verify the registration rejection message.
The UE can verify the registration rejection message by means of the message authentication code sent by the first network device, which prevents a forged or modified registration rejection message from causing the UE to be unable to access the group.
With reference to the first aspect, in some possible implementations, the method includes: the first network device receives a third group list sent by the access network device, where the third group list includes identifiers of the groups supported by the access network device; and the determining, by the first network device, of the second group list according to the first group list and the subscription group list includes: the first network device determines the second group list according to the first group list, the third group list and the subscription group list.
The first network device checks the group list supported by the access network device, the group list that the UE requests to access and the subscription group list together, which ensures that the groups the UE is allowed to access are determined accurately.
With reference to the first aspect, in some possible implementations, the method includes: the first network device receives access group request information sent by the access network device, where the access group request information indicates that the UE requests access to a group.
In a second aspect, a communication method is provided, including: a User Equipment (UE) encrypts a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, where the first group list comprises identifiers of one or more groups that the UE requests to access; and the UE sends the encrypted first group list.
The UE sends the list of groups it requests to access in encrypted form, so that data leakage is avoided and the privacy of the UE is protected.
With reference to the second aspect, in some possible implementations, the sending, by the UE, of the encrypted first group list includes: the UE sends the encrypted first group list to the first network device in a NAS Security Mode (SM) Complete message; or, the UE sends the encrypted first group list in an uplink NAS message protected by the NAS security context.
The UE sends the encrypted first group list in the NAS SM Complete message or in an uplink NAS message protected by the NAS security context, so that the first group list is transmitted encrypted without adding an extra procedure. When the UE sends the encrypted first group list in the NAS SM Complete message, the signalling exchanged between the UE and the first network device is reduced, and so is the impact on the system.
With reference to the second aspect, in some possible implementations, the method further includes: the UE receives a registration rejection message sent by the first network device, where the registration rejection message includes a message authentication code, and the UE verifies the registration rejection message according to the message authentication code.
Because the UE verifies the registration rejection message according to the message authentication code, a forged or modified registration rejection message cannot cause the UE to be unable to access the group.
With reference to the second aspect, in some possible implementations, the method includes: the UE sends access group request information to the access network device, where the access group request information indicates that the UE requests access to the group.
In a third aspect, a communication method is provided, including: the access network device receives an encrypted first group list sent by a User Equipment (UE), where the first closed access service identifier group comprises identifiers of one or more group services that the UE requests to access; the access network device sends the encrypted first group list; the access network device receives a second group list sent by the first network device, where the second group list comprises identifiers of one or more groups that the UE is allowed to access; and the access network device sends the quality of service (QoS) of the one or more groups to the UE.
With reference to the third aspect, in some possible implementations, the method includes: the access network device receives access group request information sent by the UE, where the access group request information indicates that the UE requests access to a group.
During the UE's access to the group, the access network device receives from the network device the identifiers of the groups that the UE is allowed to access and prepares for the subsequent access of the UE to the group, so that system latency can be reduced.
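The exchange of the first three aspects, as an added example that is not the patent's own code: the UE ciphers its requested group list inside the NAS SM Complete message, the first network device decrypts it and intersects it with the UDM subscription list and the third group list supported by the access network, and when the result is empty it returns a registration rejection carrying a MAC under the shared key, which the UE checks before acting on it. It assumes a stand-in NAS security context built from HMAC-SHA256 (a COUNT-bound keystream plus an integrity tag) in place of the 3GPP NEA/NIA algorithms, and constructed keys and group identifiers.

```python
import hashlib
import hmac
import json

# Constructed keys standing in for the NAS ciphering and integrity keys of the
# UE/AMF security context (assumption; not derived as in 3GPP TS 33.501).
K_NAS_ENC = b"constructed-nas-ciphering-key"
K_NAS_INT = b"constructed-nas-integrity-key"


def _keystream(key: bytes, count: int, length: int) -> bytes:
    """Keystream bound to the NAS COUNT (HMAC-SHA256 in counter mode, a stand-in for NEA)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, count.to_bytes(4, "big") + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _tag(count: int, ciphertext: bytes) -> str:
    """Integrity tag over COUNT || ciphertext (stand-in for the NIA MAC)."""
    return hmac.new(K_NAS_INT, count.to_bytes(4, "big") + ciphertext, hashlib.sha256).hexdigest()


def nas_protect(count: int, plaintext: bytes) -> dict:
    """Cipher the payload, then integrity-protect it (encrypt-then-MAC)."""
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(K_NAS_ENC, count, len(plaintext))))
    return {"count": count, "ciphertext": ciphertext.hex(), "mac": _tag(count, ciphertext)}


def nas_unprotect(protected: dict) -> bytes:
    """Check the tag before deciphering; a modified message is rejected, not decrypted."""
    ciphertext = bytes.fromhex(protected["ciphertext"])
    if not hmac.compare_digest(_tag(protected["count"], ciphertext), protected["mac"]):
        raise ValueError("NAS integrity check failed")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(K_NAS_ENC, protected["count"], len(ciphertext))))


def ue_build_sm_complete(count: int, requested_groups: list) -> dict:
    """UE side: the first group list travels ciphered inside the NAS SM Complete message."""
    first_group_list = json.dumps(sorted(requested_groups)).encode()
    return {"msg_type": "NAS_SECURITY_MODE_COMPLETE", "protected": nas_protect(count, first_group_list)}


def _reject_mac(reject: dict) -> str:
    """MAC over the reject body under the shared integrity key (assumed construction)."""
    body = json.dumps({k: v for k, v in reject.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.new(K_NAS_INT, body, hashlib.sha256).hexdigest()


def amf_handle_sm_complete(msg: dict, subscription_groups: list, ran_supported_groups: list) -> dict:
    """First network device side: decrypt, then intersect with the UDM subscription list
    and the third group list supported by the access network; an empty result yields a MAC'd reject."""
    first_group_list = json.loads(nas_unprotect(msg["protected"]))
    second_group_list = sorted(set(first_group_list) & set(subscription_groups) & set(ran_supported_groups))
    if second_group_list:
        return {"msg_type": "ALLOWED_GROUP_LIST", "to": "access_network", "groups": second_group_list}
    reject = {"msg_type": "REGISTRATION_REJECT", "count": msg["protected"]["count"] + 1,
              "cause": "no allowed group"}
    reject["mac"] = _reject_mac(reject)
    return reject


def ue_verify_reject(reject: dict) -> bool:
    """UE side: act on the reject only if the MAC under the shared key verifies."""
    return hmac.compare_digest(_reject_mac(reject), reject.get("mac", ""))


if __name__ == "__main__":
    msg = ue_build_sm_complete(7, ["cag-b", "cag-a"])
    print(amf_handle_sm_complete(msg, ["cag-a", "cag-z"], ["cag-a", "cag-b"]))   # groups: ["cag-a"]
    rej = amf_handle_sm_complete(msg, ["cag-z"], ["cag-a"])
    print(rej["msg_type"], ue_verify_reject(rej))   # REGISTRATION_REJECT True
```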
In a fourth aspect, a network device is provided, comprising a transceiver module, a decryption module and a determining module. The transceiver module is configured to receive an encrypted first group list sent by a user equipment (UE), where the first group list includes identifiers of one or more groups that the UE requests to access; the decryption module is configured to decrypt the encrypted first group list to obtain a first closed access service identifier group; the determining module is configured to determine a subscription group list determined and stored by the unified data management (UDM) network element; the determining module is further configured to determine a second group list according to the first group list and the subscription group list, where the second group list includes an identifier of a group that the UE is allowed to access; and the transceiver module is further configured to send the second group list to the access network device when the second group list exists.
With reference to the fourth aspect, in some possible implementations, the transceiver module is configured to receive the encrypted first group list sent by the UE in a non-access stratum (NAS) Security Mode (SM) Complete message.
With reference to the fourth aspect, in some possible implementations, the network device further includes a calculating module, configured to calculate, when the second group list does not exist, a message authentication code according to a shared key between the UE and the first network device; the transceiver module is further configured to send a registration rejection message to the access network device, where the message authentication code is used by the UE to verify the registration rejection message.
With reference to the fourth aspect, in some possible implementations, the transceiver module is further configured to receive a third group list sent by the access network device, where the third group list includes identifiers of the groups supported by the access network device, and the determining module is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
In a fifth aspect, a user equipment is provided, comprising an encryption module and a transceiver module. The encryption module is configured to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, where the first group list includes identifiers of one or more groups that the UE requests to access; the transceiver module is configured to send the encrypted first group list.
With reference to the fifth aspect, in some possible implementations, the transceiver module is configured to send the encrypted first group list to the first network device in a NAS Security Mode (SM) Complete message; or the transceiver module is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
With reference to the fifth aspect, in some possible implementations, the transceiver module is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message authentication code; the user equipment further comprises a verification module configured to verify the registration rejection message according to the message authentication code.
In a sixth aspect, an access network device is provided, comprising a transceiver module and a generating module. The transceiver module is configured to receive an encrypted first group list sent by a user equipment (UE), where the first closed access service identifier group comprises identifiers of one or more group services that the UE requests to access; the transceiver module is further configured to send the encrypted first group list; the transceiver module is further configured to receive a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access; the generating module is configured to generate quality of service (QoS) information of the one or more groups according to the identifiers of the one or more groups; and the transceiver module is further configured to send the QoS information to the UE.
In a seventh aspect, a network device is provided, comprising a processor and a communication interface. The communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), where the first group list includes identifiers of one or more groups that the UE requests to access; the processor is configured to decrypt the encrypted first group list to obtain a first closed access service identifier group; the processor is further configured to determine a subscription group list determined and stored by the unified data management (UDM) network element; the processor is further configured to determine a second group list according to the first group list and the subscription group list, where the second group list includes an identifier of a group that the UE is allowed to access; and the communication interface is further configured to send the second group list to the access network device when the second group list exists.
With reference to the seventh aspect, in some possible implementations, the communication interface is configured to receive the encrypted first group list sent by the UE in a non-access stratum (NAS) Security Mode (SM) Complete message.
With reference to the seventh aspect, in some possible implementations, when the second group list does not exist, the processor is further configured to calculate a message authentication code according to a shared key between the UE and the first network device; the communication interface is further configured to send a registration rejection message to the access network device, where the message authentication code is used by the UE to verify the registration rejection message.
With reference to the seventh aspect, in some possible implementations, the communication interface is further configured to receive a third group list sent by the access network device, where the third group list includes identifiers of the groups supported by the access network device, and the processor is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
In an eighth aspect, a user equipment is provided, comprising a processor and a communication interface. The processor is configured to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, where the first group list includes identifiers of one or more groups that the UE requests to access; the communication interface is configured to send the encrypted first group list.
With reference to the eighth aspect, in some possible implementations, the communication interface is configured to send the encrypted first group list to the first network device in a NAS Security Mode (SM) Complete message; or the communication interface is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
With reference to the eighth aspect, in some possible implementations, the communication interface is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message authentication code, and the message authentication code is used by the UE to verify the registration rejection message.
In a ninth aspect, an access network device is provided, comprising a processor and a communication interface. The communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), where the first closed access service identifier group includes identifiers of one or more group services that the UE requests to access; the communication interface is further configured to send the encrypted first group list; the communication interface is further configured to receive a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access; and the communication interface is further configured to send the quality of service (QoS) of the one or more groups to the UE.
A tenth aspect provides a communication system comprising an access network device, a network device and a user equipment as described above.
In an eleventh aspect, a computer program storage medium is provided that holds program instructions which, when executed, cause the method described above to be performed.
In a twelfth aspect, a chip is provided, the chip comprising at least one processor, where program instructions executed by the at least one processor cause the method described above to be performed.
Drawings
Fig. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application.
Fig. 2 is a schematic flow chart of a method for a terminal device to access a group.
Fig. 3 is a schematic flow chart of a communication method according to an embodiment of the present application.
Fig. 4 is a schematic flow diagram of an access stratum security mode establishment.
Fig. 5 is a schematic flow diagram of a non-access stratum security mode establishment.
Fig. 6 is a schematic flow diagram of authentication and authorization.
Fig. 7 is a schematic flow chart of a communication method according to another embodiment of the present application.
Fig. 8 is a schematic flow chart of a communication method according to another embodiment of the present application.
Fig. 9 is a schematic flow chart of a communication method according to another embodiment of the present application.
Fig. 10 is a schematic flow chart of a communication method according to another embodiment of the present application.
Fig. 11 is a schematic flow chart of a communication method according to another embodiment of the present application.
Fig. 12 is a schematic flow chart of a communication method according to another embodiment of the present application.
Fig. 13 is a schematic structural diagram of a user equipment according to an embodiment of the present application.
Fig. 14 is a schematic structural diagram of a network device according to an embodiment of the present application.
Fig. 15 is a schematic structural diagram of an access network device according to an embodiment of the present application.
Fig. 16 is a schematic structural diagram of a user equipment according to another embodiment of the present application.
Fig. 17 is a schematic structural diagram of a network device according to another embodiment of the present application.
Fig. 18 is a schematic structural diagram of an access network device according to another embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
The technical solution of the embodiments of the present application can be applied to various communication systems, for example: Global System for Mobile communications (GSM) systems, Code Division Multiple Access (CDMA) systems, Wideband Code Division Multiple Access (WCDMA) systems, General Packet Radio Service (GPRS), Long Term Evolution (LTE) systems, LTE Frequency Division Duplex (FDD) systems, LTE Time Division Duplex (TDD) systems, the Universal Mobile Telecommunications System (UMTS), Worldwide Interoperability for Microwave Access (WiMAX) communication systems, future fifth generation (5G) or New Radio (NR) systems, and so on.
It should be understood that, in the embodiments of the present application, the specific structure of the entity that executes the method is not particularly limited, as long as that entity can communicate according to the method by running a program that records the code of the method. For example, the entity executing the method may be a terminal or a network device, or a functional module in a UE or a network device that is capable of calling and executing a program.
For the understanding of the embodiments of the present application, an application scenario of the embodiments of the present application will be described in detail with reference to fig. 1.
Fig. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application. The network architecture shown in fig. 1 may specifically include the following network elements:
1. user Equipment (UE): may be referred to as a terminal device, terminal, access terminal, subscriber unit, subscriber station, mobile, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user equipment. The UE may also be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a future 5G network or a terminal device in a future evolved Public Land Mobile Network (PLMN), etc., and may also be an end device, a logic entity, an intelligent device, a terminal device such as a mobile phone, an intelligent terminal, etc., or a communication device such as a server, a gateway, a base station, a controller, etc., or an Internet of things (IoT) device such as a sensor, an electric meter, a water meter, etc. The UE may also be a wired device such as a computer, laptop, etc. The embodiments of the present application do not limit this.
2. Access Network (AN): provides a network access function for authorized users in a specific area, and can use transmission tunnels of different quality according to the level of the user, the requirements of the service, and so on. The access network may employ different access technologies. There are currently two types of radio access technology: 3rd Generation Partnership Project (3GPP) access technologies, such as the radio access technologies used in 3G, 4G or 5G systems, and non-3GPP access technologies. A 3GPP access technology is one that meets the 3GPP standard specifications; an access network that uses a 3GPP access technology is called a Radio Access Network (RAN), and the access network device in a 5G system is called a next generation base station (gNB). A non-3GPP access technology is one that does not conform to the 3GPP standard specifications, for example the air interface technology represented by an Access Point (AP) in Wi-Fi.
An access network that implements access network functionality based on wired communication technology may be referred to as a wired access network.
An access network that implements an access network function based on a wireless communication technology may be referred to as a Radio Access Network (RAN). The radio access network can manage radio resources, provide access service for the terminal, and further complete the forwarding of control signals and user data between the terminal and the core network.
The radio access network device may be, for example, a base station (NodeB), an evolved NodeB (eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, or an AP in a Wi-Fi system; it may also be a wireless controller in a Cloud Radio Access Network (CRAN) scenario, or a relay station, an access point, a vehicle-mounted device, a wearable device, a network device in a future 5G network or a network device in a future evolved PLMN. The embodiments of the present application do not limit the specific technologies and the specific device forms adopted by the radio access network device.
3. Access and mobility management function (AMF) entity: the method is mainly used for mobility management, access management, and the like, and can be used for implementing functions other than session management in Mobility Management Entity (MME) functions, such as functions of lawful interception, or access authorization (or authentication), and the like. In the embodiment of the present application, the method and the device can be used for implementing the functions of the access and mobility management network element.
4. Session Management Function (SMF) entity: the method is mainly used for session management, Internet Protocol (IP) address allocation and management of the UE, selection of a termination point of an interface capable of managing a user plane function, policy control or charging function, downlink data notification, and the like. In the embodiment of the present application, the method and the device can be used for implementing the function of the session management network element.
5. User Plane Function (UPF) entity: i.e. a data plane gateway. The method can be used for packet routing and forwarding, or quality of service (QoS) processing of user plane data, and the like. The user data can be accessed to a Data Network (DN) through the network element. In the embodiment of the application, the method can be used for realizing the function of the user plane gateway.
6. Data Network (DN): for providing a network for transmitting data. Such as a network of carrier services, an Internet network, a third party's service network, etc.
7. Authentication service function (AUSF) entity: the method is mainly used for user authentication and the like.
8. Network open function (NEF) entity: for securely opening services and capabilities, etc. provided by the 3GPP network functions to the outside.
9. The network storage function (NF) entity is used to store the network function entity and the description information of the service provided by the network function entity, and support service discovery, network element entity discovery, etc.
10. Policy Control Function (PCF) entity: the unified policy framework is used for guiding network behaviors, providing policy rule information for control plane function network elements (such as AMF and SMF network elements) and the like.
11. Unified Data Management (UDM) entity: for handling subscriber identification, access authentication, registration, or mobility management, etc.
12. Application Function (AF) entity: used for application-influenced traffic routing, accessing the network exposure function network element, or performing policy control by interacting with the policy framework, and the like.
In this network architecture, the N1 interface is the reference point between the terminal and the AMF entity; the N2 interface is the reference point between the (R)AN and the AMF entity and is used to send non-access stratum (NAS) messages and the like; the N3 interface is the reference point between the (R)AN and the UPF entity, used to transmit user plane data and the like; the N4 interface is the reference point between the SMF entity and the UPF entity, used to transmit information such as the tunnel identification information of the N3 connection, data caching indication information, and downlink data notification messages; the N6 interface is the reference point between the UPF entity and the DN, used to transmit user plane data and the like.
The name of the interface between each network element in fig. 1 is only an example, and the name of the interface in the specific implementation may be other names, which is not specifically limited in this application. In addition, the name of the transmitted message (or signaling) between the network elements is only an example, and the function of the message itself is not limited in any way.
It should be understood that the network architecture applied to the embodiments of the present application is only an exemplary network architecture described in terms of a conventional point-to-point architecture and a service architecture, and the network architecture to which the embodiments of the present application are applied is not limited thereto, and any network architecture capable of implementing the functions of the network elements described above is applicable to the embodiments of the present application.
It should also be understood that the AMF network element, SMF network element, UPF network element, NSSF network element, NEF network element, AUSF network element, NRF network element, PCF network element, and UDM network element shown in fig. 1 may all be understood as network elements in the core network for implementing different functions, for example, may be combined into a network slice as needed. The core network elements may be independent devices, or may be integrated in the same device to implement different functions, which is not limited in this application. The device performing the function of a core network element may also be referred to as a core network device or a network device.
The above nomenclature is only used for distinguishing different functions, and does not mean that the network elements are separate physical devices, and the present application does not limit the specific form of the above network elements, for example, the network elements may be integrated in the same physical device, or may be different physical devices. Furthermore, the above nomenclature is only used to distinguish between different functions, and should not be construed as limiting the application in any way, and this application does not exclude the possibility of other nomenclature being used in 5G networks and other networks in the future. For example, in a 6G network, some or all of the above network elements may follow the terminology in 5G, and may also adopt other names, etc. The description is unified here, and will not be repeated below.
For ease of understanding, before describing embodiments of the present application, a brief description of several terms referred to herein will be provided.
1. Authentication and Key Agreement (AKA): the UE performs an AKA procedure with the network during the registration procedure initiated at power-on. Mutual authentication between the terminal and the network side is achieved through the AKA procedure, so that the terminal and the network side hold consistent keys and secure communication between them can be ensured.
2. Key KSEAF: a key sent by the AUSF to the SEAF during the UE registration procedure; the SEAF derives KAMF from it and sends KAMF to the AMF. The SEAF and the AMF may be deployed independently or jointly.
3. Key KAMF: the UE and the AMF each obtain the key KAMF during the UE registration procedure. The key KAMF is determined from the key KSEAF. In 5G, KAMF is associated with a key set identifier (KSI), which in 5G is the ngKSI. For example, the UE and the AMF may each pre-store a one-to-one correspondence between at least one KAMF and at least one ngKSI, so that each ngKSI uniquely indicates one KAMF. KAMF can be used for the subsequent generation of the key KgNB.
4. Key KgNB: a key derived from the key KAMF, i.e. a key that can be determined from KAMF. For example, the key KgNB may be generated from KAMF using a Key Derivation Function (KDF) or a similar algorithm.
It should also be understood that the names of the intermediate keys and the root keys listed above are named only for convenience of distinction, and should not be construed as limiting the application, and the application does not exclude the possibility of replacing the intermediate keys or the root keys with other names to achieve the same or similar functions.
5. Encryption key: a parameter input when the sending end encrypts plaintext according to an encryption algorithm to generate ciphertext. If a symmetric encryption method is used, the encryption key and the decryption key are the same. The receiving end can decrypt the ciphertext according to the same encryption algorithm and the same encryption key. In other words, the sending end and the receiving end can encrypt and decrypt based on the same key.
6. Integrity protection key: a parameter input when the sending end applies integrity protection to plaintext or ciphertext according to an integrity protection algorithm. The receiving end can verify the integrity of the integrity-protected data according to the same integrity protection algorithm and the same integrity protection key.
7. Security capability: includes, but is not limited to, security algorithms, security parameters, keys, and the like. In the embodiments of this application, the security capability may include, for example, the security capability of the UE and the security capability of the user plane gateway.
8. Security algorithm: an algorithm used to protect data. Examples include encryption/decryption algorithms, integrity protection algorithms, and the like.
9. Security context: information that may be used to implement data encryption/decryption and/or integrity protection. The security context may include, for example: encryption/decryption keys, integrity protection keys, freshness parameters (such as NAS Count), ngKSI, and security algorithms.
A normal cell may allow access to all legitimate subscribers (and roaming users) of the operator. A group, by contrast, allows only a particular set of subscribers to access one or more particular cells. That is, the users that can access a group are limited and conditional. The same user may belong to multiple groups, i.e. may access multiple groups. Each group corresponds to a group identifier. Access to a group requires support from the UE, the access network device, and the core network.
The embodiment of the application is suitable for a scenario in which the UE needs to access a group, and the group may be, for example, a Closed Access Group (CAG) or a Closed Subscriber Group (CSG). The following description will be made by taking CAG as an example.
Fig. 2 is a schematic flow chart of a method for a UE to access a group.
A Subscriber Identity Decryption Function (SIDF) network element may be configured in a unified data management (UDM) network element, or may be deployed independently. That is, the UDM network element may provide the subscriber identity decryption function through an SIDF it deploys itself, or by calling the SIDF.
The UE is configured with list 1, which may be referred to as an allowed CAG Identification (ID) list (allowed CAG ID list). List 1 includes the identities of CAGs that the UE can access.
In step 101, the access network device sends list 2 to the UE, where list 2 is a list of CAG IDs supported by the cell, and list 2 includes IDs of CAG supported by the cell.
The access network device sends the list 2 by means of broadcasting. The broadcasted content may not be protected by encryption, i.e. all devices within the coverage area of the access network device may obtain the information broadcasted by the access network device. Thus, devices within the coverage area of the access network device can all obtain list 2.
The access network device may also send list 2 in a unicast manner. The unicast content may not be protected by encryption, i.e. all devices within the coverage of the access network device may obtain the information unicast by the access network device. Thus, devices within the coverage area of the access network device can all obtain list 2.
In step 102, the UE matches list 1 against list 2 and obtains the CAG IDs included in both list 1 and list 2, that is, the matched CAG IDs (selected matching CAG IDs). The UE thus obtains a first matching group, which includes one or more matched CAG IDs. List 1 includes the CAG IDs in the first matching group and list 2 includes the CAG IDs in the first matching group; in other words, both list 1 and list 2 include the first matching group.
In step 103, the UE sends a Registration Request (RR) message and the first matching group to the access network device.
The RR message includes a subscription concealed identifier (SUCI). The SUCI is obtained by encrypting the subscription permanent identifier (SUPI) with the public key corresponding to a home network public key identifier. The home network public key identifier indicates the public and/or private key employed for SUPI encryption and SUCI decryption. That is, the UE generates the SUCI using a protection scheme with the original public key (i.e., the home network public key).
The UDM maintains a private key corresponding to the home network public key identifier. The algorithm for user privacy should be executed in the secure environment of UDM.
The SIDF is used to decrypt the SUCI to obtain the SUPI. When the home network public key is used to encrypt the SUPI, the SIDF decrypts the SUCI using the home network private key securely stored in the home operator network. Decryption should be performed in the UDM. Access rights to the SIDF should be defined so that only network elements of the home network are allowed to request the SIDF.
The first matching group is transmitted through a Radio Resource Control (RRC) layer.
In step 104, the access network device sends the RR information and the second matching group to an access and mobility management function (AMF) network element.
The second matching group may be the same as the first matching group.
Optionally, before step 104, the access network device may match the first matching group against list 2 to obtain the second matching group. The second matching group includes one or more CAG IDs; both the first matching group and list 2 include the second matching group. Matching at the access network device reduces the probability that the UE registers with a wrong CAG.
The RR information and the second matching group are sent through an N2 interface between the access network device and the AMF network element.
Before step 105, the AMF sends an authentication request message carrying the SUCI to the authentication server function (AUSF) network element, and the AUSF network element sends a get request carrying the SUCI to the unified data management (UDM)/Subscriber Identity Decryption Function (SIDF) network element.
The UDM/SIDF network element determines the SUPI of the UE from the SUCI.
In step 105, the authentication procedure and the security procedure are performed.
For the authentication procedure and the security procedure, refer to 3GPP Technical Specification (TS) 33.501 V15.4.0 (2019-03). During the authentication procedure, the UDM/SIDF network element generates an authentication vector and sends it to the AUSF network element.
In the authentication procedure, after authentication among the AUSF network element, the SEAF network element, and the UE, the AUSF network element sends the key KSEAF to the SEAF network element. The SEAF network element generates the key KAMF from the key KSEAF and sends KAMF to the AMF network element. The SEAF network element may also be deployed in the device in which the AMF network element is located. The SEAF network element sends a Key Set Identifier (KSI) to the UE; in 5G the KSI may be the 5G key set identifier ngKSI. The UE determines the key KAMF from the KSI. In this way, the UE and the AMF network element share the key KAMF. The above is one implementation of authentication and does not exclude further evolution of the authentication method or other mutual authentication mechanisms, which are not described again here.
After the authentication procedure, a non-access stratum (NAS) Security Mode Command (SMC) and an Access Stratum (AS) Security Mode Command (SMC) may be performed.
Prior to step 106, the UDM/SIDF network element determines subscription data for the UE from the SUPI. The subscription data may also be referred to as subscription information. The subscription data of the UE includes list 3, where list 3 includes CAG IDs that the network side allows the UE to access. List 3 includes one or more CAG IDs.
In step 106, the AMF network element receives the list 3 sent by the UDM/SIDF network element.
In step 107, the AMF network element matches the second matching group against list 3. The AMF checks whether the second matching group and list 3 include at least one identical CAG ID. The at least one identical CAG ID is used as the target CAG ID.
If the target CAG ID exists, step 108a is performed.
In step 108a, the AMF sends registration acceptance information to the UE.
If the target CAG ID does not exist, step 108b is performed.
In step 108b, the AMF sends registration rejection information to the UE.
After step 108b, the UE deletes the CAG IDs of the first matching group from list 1.
By the method, the UE can perform the corresponding CAG service.
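The decision chain of Fig. 2 (steps 102, 104, 107 and 108a/108b) is three set intersections followed by an accept/reject decision. The following Go program is an added illustration of that chain and is not code from the patent; the CAG ID values and the three sample lists are constructed for the example, and the list names (list1, list2, list3) follow the text above. Note that the first match is the value that step 103 puts on the air interface in the clear, which is the exposure the later embodiments address.

```go
package main

import (
	"fmt"
	"sort"
)

// CAGList is a list of CAG IDs (modelled as uint32). All lists below are
// constructed sample data for this example, not values from the patent.
type CAGList []uint32

// Equal reports whether two lists hold the same IDs in the same order.
func (l CAGList) Equal(o CAGList) bool {
	if len(l) != len(o) {
		return false
	}
	for i := range l {
		if l[i] != o[i] {
			return false
		}
	}
	return true
}

// intersect returns the IDs present in both lists, de-duplicated and sorted.
// Every matching step in Fig. 2 (steps 102, 104 and 107) is this operation.
func intersect(a, b CAGList) CAGList {
	inA := make(map[uint32]bool, len(a))
	for _, id := range a {
		inA[id] = true
	}
	out := CAGList{}
	for _, id := range b {
		if inA[id] {
			out = append(out, id)
			inA[id] = false // take each ID once
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// without returns list with every ID of drop removed (the step 108b pruning of list 1).
func without(list, drop CAGList) CAGList {
	dropped := make(map[uint32]bool, len(drop))
	for _, id := range drop {
		dropped[id] = true
	}
	out := CAGList{}
	for _, id := range list {
		if !dropped[id] {
			out = append(out, id)
		}
	}
	return out
}

// Outcome records each stage of one registration attempt.
type Outcome struct {
	FirstMatch  CAGList // step 102: list 1 ∩ list 2, chosen by the UE
	SecondMatch CAGList // before step 104: first match re-checked by the RAN against list 2
	Target      CAGList // step 107: second match ∩ list 3, the IDs the AMF accepts
	Accepted    bool    // true for step 108a, false for step 108b
	AllowedList CAGList // list 1 after the attempt (pruned only on rejection)
}

// Register runs the Fig. 2 decision chain. list1 is the UE's allowed CAG ID list,
// list2 the cell's supported CAG IDs, list3 the CAG IDs in the UE's subscription.
func Register(list1, list2, list3 CAGList) Outcome {
	first := intersect(list1, list2)   // UE side; this value is sent over the air in step 103
	second := intersect(first, list2)  // RAN side; a re-check that can only shrink the set
	target := intersect(second, list3) // AMF side, against subscription data
	out := Outcome{first, second, target, len(target) > 0, list1}
	if !out.Accepted {
		out.AllowedList = without(list1, first)
	}
	return out
}

func main() {
	r := Register(CAGList{10, 20, 30}, CAGList{20, 30, 40}, CAGList{30, 50})
	fmt.Printf("first=%v second=%v target=%v accepted=%v list1=%v\n",
		r.FirstMatch, r.SecondMatch, r.Target, r.Accepted, r.AllowedList)
}
```

Because the RAN re-check in step 104 intersects with the same list 2 the UE already used, it can only remove IDs a misbehaving UE added; it cannot admit anything the cell does not support. The subscription check in step 107 is the only step that consults data the UE does not control.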
The CAG service that the UE wishes to perform is related to the type of UE, and each CAG service can be accessed and used only by specific UEs. Therefore, the CAG service the UE wishes to perform involves privacy. When the UE sends the first matching group to the access network device, an attacker can obtain the CAG IDs that the UE requests to access by eavesdropping on the air interface, and privacy is leaked.
To solve the above problem, an embodiment of this application provides a communication method in which the CAG ID that the UE requests to access is sent in encrypted form. In this way, the possibility of privacy leakage can be reduced.
Fig. 3 is a schematic flow chart of a communication method provided in an embodiment of the present application.
In step 201, the UE generates an encrypted first group list.
The group list may also be referred to as a group identity set. The first group list includes an identification of one or more groups that the UE requests access to. The group may be, for example, CAG, CSG, etc.
The identifications of the one or more groups that the UE requests to access may be all or part of the identifications in the second group list configured for the UE.
In step 202, the UE transmits the encrypted first group list.
The UE may send the encrypted first group list to an AMF network element.
In some embodiments, the UE may establish a NAS security context, i.e., establish a NAS security mode, with the AMF network element. The establishment of the NAS security context can be seen in fig. 4.
The UE may send the first group list to the AMF network element via the NAS SM complete message in the NAS security context setup procedure. The UE may also send the encrypted first group list to the AMF network element after the NAS security context is established, that is, through a NAS message protected by the NAS security context.
The UE may authenticate with the AMF network element to obtain the shared secret key. Authentication of the UE can be seen in fig. 6. The UE may establish an NAS security context with the AMF network element based on the shared secret key. The establishment of the NAS security context can be seen in fig. 4.
The AMF may decrypt the encrypted first group list transmitted by the UE. The AMF may decrypt the encrypted first group list with a confidentiality algorithm.
In other embodiments, the UE may encrypt the first group list via the AMF public key. The UE may send the encrypted first group list to an AMF network element. The AMF public key may be sent by the AMF to the UE or may be pre-configured by the UE.
The AMF network element is configured with an AMF private key corresponding to the AMF public key, and may decrypt the encrypted first group list with the AMF private key.
The UE may send the encrypted first group list to a UDM network element.
The UE may encrypt the first group list according to the home network key to obtain an encrypted first group list.
The UE may send the encrypted first group list and the home network public key identifier to a UDM network element. The home network public key identifier is used to indicate the home network key.
The UDM network element receives the encrypted first group list and the home network public key identifier. The UDM network element may determine the home network private key from the home network public key identifier. The UDM network element may decrypt the encrypted first group list according to the home network private key.
The UE may send the encrypted first group list to the access network device.
In some embodiments, the UE may establish an AS security context, i.e., establish an AS security mode, with the access network device. The establishment of the AS security context can be seen in fig. 5.
The UE may send the first group list to the access network device via the AS SM complete message during the AS security context establishment procedure. The UE may also send the encrypted first group list to the access network device after the AS security context is established, that is, through an AS message protected by the AS security context.
The AMF distributes KgNB to the access network device, and the UE generates KgNB from KAMF. The UE and the access network device may then establish the access stratum (AS) security mode (SM).
The access network device may decrypt the encrypted first group list sent by the UE, using a confidentiality algorithm.
In other embodiments, the UE may encrypt the first group list with the access network device public key and send the encrypted first group list to the access network device. The access network device public key may be sent by the access network device to the UE, or may be pre-configured on the UE. The access network device is configured with an access network device private key corresponding to the access network device public key, and may decrypt the encrypted first group list with that private key.
Optionally, the UE may receive a registration reject message sent by the AMF network element. The registration reject message includes a message authentication code used by the UE to authenticate the registration reject message. The registration reject message may also include a reject code, which may indicate that UE registration is rejected or the reason for the rejection. The reason may be an AMF network element verification failure, a UE authentication failure, or the like. Failure of the AMF network element verification means that the AMF network element determines that the second group list does not exist, where the second group list includes the identifiers of the groups that appear in both the subscription group list maintained by the UDM and the first group list.
Optionally, the UE may send access group request information to the access network device, where the access group request information is used to indicate that the UE requests to access a group.
Through steps 201-202, the UE sends the first group list in encrypted form, so that privacy leakage is avoided.
FIG. 4 is a schematic flow diagram of establishing a NAS security context.
In step 301a, the AMF network element initiates integrity protection.
In step 301b, the AMF network element sends a NAS SM command message to the UE. The NAS SM command message includes an integrity algorithm, a ciphering algorithm, a NAS Message Authentication Code (MAC), the UE security capability, the KSI, and the like. The NAS MAC may be used to verify the integrity of the NAS SM command message.
In step 301c, the AMF network element initiates uplink deciphering.
In step 302a, the UE verifies the integrity of the NAS SM command message. If the verification succeeds, the UE starts uplink ciphering, downlink deciphering, and integrity protection.
In step 302b, the UE sends a NAS security mode complete message to the AMF network element. The NAS security mode complete message includes a NAS MAC, which may be used to verify the integrity of the NAS SM complete message.
In step 301d, the AMF network element initiates downlink ciphering.
The AMF network element triggers the NAS SMC procedure and sends the NAS security mode command to the UE; the UE replies with the NAS security mode complete message. In step 301b, the NAS SM command message sent by the AMF network element is integrity protected only. In step 302b, the NAS security mode complete message sent by the UE is both confidentiality and integrity protected. The UE then shares the NAS security context with the AMF. The UE and the AMF network element can protect the messages they send with the NAS security context, and a NAS message protected by the NAS security context has both integrity and confidentiality protection. Through steps 301a-302d, the NAS security context is established.
It should be noted that, for convenience of understanding, fig. 4 only briefly describes the processing flow of the NAS SMC, and specifically, other processing procedures and/or parameters may be added or some of the processing procedures and/or parameters may be reduced in the application.
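The following Go program is an added illustration of steps 201-202 of Fig. 3 carried over the NAS SMC exchange of Fig. 4 (the AS variant of Fig. 5 has the same shape with KgNB in place of KAMF). It is not code from the patent: the KAMF value, the key-derivation labels, the algorithm identifiers in the SM command and the counter-block layout are constructed for the example, and HMAC-SHA256 truncated to 32 bits plus AES-128 in counter mode stand in for the 5G integrity and confidentiality algorithms. The SM command carries only a MAC (step 301b); the SM complete message carries the first group list ciphered and then integrity protected (step 302b), and the AMF checks the MAC before it deciphers anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed KAMF shared by UE and AMF after authentication (Fig. 6); sample value only.
var kAMF = []byte("constructed-KAMF-example-key-32B")

const (
	dirUplink   byte = 0
	dirDownlink byte = 1
)

// deriveKey stands in for the 3GPP KDF: HMAC-SHA256(parent, label) truncated to
// 128 bits. The real KDF input (FC value, algorithm type and identity) is omitted.
func deriveKey(parent []byte, label string) []byte {
	m := hmac.New(sha256.New, parent)
	m.Write([]byte(label))
	return m.Sum(nil)[:16]
}

// nasMAC is a 32-bit NAS MAC over COUNT || DIRECTION || message: the job of the
// integrity protection key once the SMC has activated it.
func nasMAC(kInt []byte, count uint32, dir byte, msg []byte) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], count)
	m := hmac.New(sha256.New, kInt)
	m.Write(c[:])
	m.Write([]byte{dir})
	m.Write(msg)
	return m.Sum(nil)[:4]
}

// nasCipher applies AES-128-CTR under the encryption key. COUNT and DIRECTION go
// into the counter block so uplink and downlink never reuse keystream (the exact
// 3GPP layout is simplified). The same call encrypts and decrypts.
func nasCipher(kEnc []byte, count uint32, dir byte, data []byte) []byte {
	block, err := aes.NewCipher(kEnc)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv, count)
	iv[4] = dir
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// SMCommand is the step 301b message (algorithm selection), integrity protected only.
type SMCommand struct {
	IntAlg, EncAlg, KSI byte
	MAC                 []byte
}

func (c SMCommand) body() []byte { return []byte{c.IntAlg, c.EncAlg, c.KSI} }

// SMComplete is the step 302b message carrying the ciphered first group list.
type SMComplete struct {
	Count      uint32
	Ciphertext []byte
	MAC        []byte
}

func amfSendCommand(kInt []byte, dlCount uint32) SMCommand {
	cmd := SMCommand{IntAlg: 2, EncAlg: 2, KSI: 1} // sample identifiers
	cmd.MAC = nasMAC(kInt, dlCount, dirDownlink, cmd.body())
	return cmd
}

// ueSendComplete verifies the command (step 302a), then ciphers and integrity
// protects the first group list (step 302b).
func ueSendComplete(kEnc, kInt []byte, cmd SMCommand, dlCount, ulCount uint32, groupList []uint32) (SMComplete, error) {
	if !hmac.Equal(cmd.MAC, nasMAC(kInt, dlCount, dirDownlink, cmd.body())) {
		return SMComplete{}, errors.New("NAS SM command failed integrity check")
	}
	plain := make([]byte, 4*len(groupList))
	for i, id := range groupList {
		binary.BigEndian.PutUint32(plain[4*i:], id)
	}
	ct := nasCipher(kEnc, ulCount, dirUplink, plain)
	return SMComplete{Count: ulCount, Ciphertext: ct, MAC: nasMAC(kInt, ulCount, dirUplink, ct)}, nil
}

// amfReceiveComplete checks the MAC first; an unauthenticated ciphertext is never deciphered.
func amfReceiveComplete(kEnc, kInt []byte, msg SMComplete) ([]uint32, error) {
	if !hmac.Equal(msg.MAC, nasMAC(kInt, msg.Count, dirUplink, msg.Ciphertext)) {
		return nil, errors.New("NAS SM complete failed integrity check")
	}
	plain := nasCipher(kEnc, msg.Count, dirUplink, msg.Ciphertext)
	ids := make([]uint32, len(plain)/4)
	for i := range ids {
		ids[i] = binary.BigEndian.Uint32(plain[4*i:])
	}
	return ids, nil
}

// RunNASSMC drives the exchange and returns the list the AMF recovered plus the on-air message.
func RunNASSMC(groupList []uint32) ([]uint32, SMComplete, error) {
	kEnc, kInt := deriveKey(kAMF, "NAS-enc"), deriveKey(kAMF, "NAS-int")
	done, err := ueSendComplete(kEnc, kInt, amfSendCommand(kInt, 0), 0, 0, groupList)
	if err != nil {
		return nil, done, err
	}
	ids, err := amfReceiveComplete(kEnc, kInt, done)
	return ids, done, err
}

func main() {
	ids, msg, err := RunNASSMC([]uint32{20, 30})
	fmt.Printf("AMF recovered %v (err=%v); bytes on the air: %x\n", ids, err, msg.Ciphertext)
}
```

An observer of the air interface sees only the ciphertext and the MAC, so the CAG IDs are not exposed, and any modification of the ciphertext is caught by the MAC check before deciphering. A party that does not hold KAMF cannot produce a command the UE accepts, which is why the integrity-only SM command of step 301b is sufficient to bootstrap the context.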
Fig. 5 is a schematic flow diagram of establishing an AS security context.
Before step 401a, the RAN receives the key KgNB, which the AMF network element determines from the key KAMF: the AMF generates the key KgNB and sends it to the RAN.
In step 401a, the RAN initiates RRC integrity protection.
In step 401b, the RAN sends an AS SM command message to the UE. The AS SM command message includes an integrity algorithm, a ciphering algorithm, and a MAC-I, where the MAC-I is determined from the key KgNB.
In step 401c, the RAN initiates RRC downlink ciphering.
In step 402a, the UE verifies the integrity of the AS SM command message according to the MAC-I. If the verification succeeds, the UE initiates RRC integrity protection and RRC downlink deciphering, deciphering the RRC downlink according to the ciphering algorithm indicated in the AS SMC message.
In step 402b, the UE sends an AS SM complete message to the RAN. The AS SM complete message includes a MAC-I determined from the key KgNB. The RAN may decipher the AS SM complete message and verify its integrity according to the MAC-I.
In step 402c, the UE initiates RRC uplink ciphering.
In step 401d, the RAN initiates RRC uplink deciphering.
The RAN triggers the AS SMC procedure and sends the AS security mode command message to the UE, and the UE sends the AS security mode complete message to the RAN. The message in step 401b is integrity protected only, while the message in step 402b is both confidentiality and integrity protected. The integrity and confidentiality of messages transmitted between the UE and the RAN in the AS security mode are protected according to the key KgNB. Thereafter, the UE and the access network device share the AS security context, can send AS messages under its protection, and an AS message protected by the AS security context has both integrity and confidentiality protection. Through steps 401a-402d, the AS security context is established.
It should be noted that, for convenience of understanding, fig. 5 only briefly describes the process flow of the AS security context establishment, and other processes and/or parameters may be added or some of the processes and/or parameters may be reduced in an application.
Fig. 6 is a schematic flow diagram of a method of authentication and authorization. Authentication may also be referred to as identity authentication.
In a communication network, when a UE requests access to a service provided by a service provider, it is checked whether the UE has access rights. The procedure for authentication can be seen in
In step 501, the UDM/ARPF network element generates an authentication vector.
In step 502, the UDM/ARPF network element sends a first authentication reply message, which may be a Nudm_UEAuthentication_Get Response message, to the AUSF network element. The first authentication reply message includes the authentication vector.
In step 503, the UE performs bidirectional authentication with the AUSF network element.
In step 504 the AUSF generates and sends the key KSEAF to the SEAF network element.
In step 505, the SEAF network element generates a key KAMF from the key KSEAF and sends KSI to the UE, where KSI is used to indicate the key KAMF.
The SEAF network element may be deployed independently from the AMF network element, or may be deployed jointly with it. The SEAF network element may send KAMF to the AMF network element.
Fig. 6 shows only one authentication method; other authentication methods are also possible, such as 5G authentication and key agreement (5G AKA). The authentication may also include authentication between the UE and the AMF, between the UE and the AUSF, and the like, which is not limited in the embodiments of this application.
Fig. 7 is a schematic flow chart of a communication method provided in an embodiment of the present application.
The first network device includes an AMF network element. It may also include other network elements with network functions (NFs), such as an SMF network element, an AUSF network element, a SEAF network element, and a UDM network element.
In step 1101, the UE encrypts the first group list with the NAS security context to obtain an encrypted first group list. The first group list includes an identification of one or more groups that the UE requests access to.
The first group list may include all or part of the identities in the UE group list configured for the UE.
The UE may treat the UE group list as a first group list.
Before step 1101, the UE receives an access network group list sent by an access network device, where the access network group list includes an identification of a group supported by the access network device. The UE may determine a first group list according to the access network group list and the UE group list, where the first group list includes an identifier of a same group in the access network group list and the UE group list.
In step 1102, the UE transmits the encrypted first group list.
Prior to step 1102, the UE may establish a NAS security context with the AMF. The UE may send the encrypted first group list via NAS security context protected NAS messages.
Or, in the NAS security context establishment process between the UE and the AMF, after the UE establishes the NAS security context, the UE sends the encrypted first group list to the first network device through a NAS SM completion message.
The first network device receives an encrypted first group list. The first network device decrypts the encrypted first group list.
In step 1103, the first network device performs a check: the AMF determines a second group list from the first group list and the subscription group list. The second group list includes the identifiers of the groups that appear in both the first group list and the subscription group list, i.e. the identifiers of the groups that the UE requested and is allowed to access.
Before step 1103, the first network device obtains the subscription group list maintained by the UDM network element. That is, if the first network device does not include the UDM network element, it may receive the subscription group list sent by the UDM network element; if the first network device includes the UDM network element, it may read the subscription group list stored by the UDM network element.
When there is a second group list, step 1104 is performed.
In step 1104, the first network device sends the second group list to the access network device. The access network device receives the second group list and thereby obtains the identifiers of the groups that the UE is allowed to access.
Optionally, after step 1104, step 1105 may be performed.
In step 1105, the access network device sends to the UE the radio resource allocation information and/or quality of service (QoS) information, etc., of the group corresponding to each identifier in the second group list.
When the second group list does not exist, proceed to step 1106.
In step 1106, the first network device sends a registration reject message to the UE. To prevent an attacker from modifying or forging the registration reject message, the AMF may send it in the following manner.
The first network device may send the registration reject message to the UE as a NAS message. Before step 1106, the AMF and the UE may have performed NAS security context establishment, which is not limited in the embodiments of this application. When the NAS security context has been established, the first network device may send the registration reject message under the protection of the NAS security context, i.e. the registration reject message may be a NAS message protected by the NAS security context.
Referring to fig. 11, the first network device may compute a message authentication code from the key shared between the UE and the AMF, and send a registration reject message that includes the message authentication code. The UE uses the message authentication code to authenticate the registration reject message.
Referring to fig. 12, the first network device may also compute a digital signature with the AMF private key and send a registration reject message that includes the digital signature. The UE verifies (decrypts) the digital signature with the AMF public key.
Optionally, the UE may send access group request information to the access network device, where the access group request information is used to indicate that the UE requests to access a group.
Through steps 1101 to 1106, the UE sends the identifiers of the groups it requests to access in an encrypted manner, so that disclosure of UE privacy can be avoided.
The group may be, for example, CAG, CSG, etc. The following description takes the UE requesting access to the CAG as an example.
Fig. 8 is a schematic flow chart of a communication method provided in an embodiment of the present application.
The UE may send the first matched group to the AMF network element via an encrypted NAS message.
The UE maintains a list 1, which may be referred to as an allowed CAG list (allowed CAG ID list). List 1 includes the identifiers of the CAGs configured for the UE, i.e. list 1 indicates the CAGs the UE supports accessing. How a particular UE obtains list 1 is not limited here. For example, list 1 may include CAG IDs that the UE obtains from an operator, CAG IDs configured by a network administrator, CAG IDs configured in the UE at the factory, and the like.
In step 601, the access network device broadcasts system information, where the system information includes list 2, and list 2 is the list of CAG IDs supported by the cell in which the UE is located, among the one or more cells covered by the access network device. The broadcast content may not be protected by encryption, and every device within the coverage area of the access network device can obtain the information the access network device broadcasts.
Optionally, in step 601, the access network device unicast-transmits system information, where the system information includes list 2, and list 2 includes CAG IDs supported by the cell. The unicast content may not be protected by encryption, and all devices within the coverage of the access network device can obtain the unicast information of the access network device.
In step 602, the UE matches list 1 and list 2, i.e. the UE checks whether there is a first matching group, the first matching group comprising at least one CAG ID. The CAG IDs in the first matched set belong to both list 1 and list 2. The CAG IDs in the first matching group can be referred to as matching CAG IDs (selected matching CAG IDs).
In step 603, the UE transmits a Registration Request (RR) message to the access network device, the registration request message including the SUCI. The registration request message may be a control plane message.
Prior to step 603, the UE computes the SUCI, which is an encapsulation for the permanent identity SUPI, so that an attacker cannot obtain SUPI through eavesdropping over the air interface. SUPI is a permanent identity of the UE. That is, the UE encrypts SUPI to get SUCI.
The SUCI may include one or more of a SUPI type, a routing indicator, a protection scheme identifier, a home network public key identifier, etc. The routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier indicates the protection scheme adopted by the SUCI described above, i.e., the scheme used to encrypt the SUPI. The routing indicator may be used to indicate the UDM network elements capable of serving the UE.
Optionally, the UE sends the first indication information to the access network device. The first indication information is used for indicating the UE to request to access the CAG.
The first indication information that the UE may send to the access network device indicates that the UE requests to access the CAG. Since the information related to UE registration in the RR message is sent by the UE to the AMF network element, the access network device only forwards that information and cannot read it. Therefore, the UE sends the first indication information to the access network device, so as to instruct the access network device to perform the procedure corresponding to a UE requesting to access the CAG.
Optionally, the first indication information is carried in a registration request message or other message. For example, the first indication information may be transmitted through a Radio Resource Control (RRC) message. The first indication information may take various forms, for example, the first indication information may include list 2 received by the UE, or the first indication information may occupy a certain field of the registration request message.
The access network equipment forwards the registration request message to the AMF network element at step 604. The registration request message includes the SUCI. The forwarded registration request message may be sent over an N2 interface between the access network device and the AMF network element, i.e. the forwarded registration request message may be an N2 message.
Optionally, the access network device may send the second indication information to the AMF network element. For example, if the access network device receives the first indication information, the access network device sends second indication information to the AMF network element. And the second indication information indicates that the UE requests to access the CAG service.
The second indication information sent by the access network device may instruct the AMF to perform a procedure corresponding to the UE requesting to access the CAG.
The second indication information may be carried in the forwarded registration request message. The second indication information may also be carried in other messages.
Alternatively, the access network device may send the list 2 to the AMF network element. The second indication information may include list 2. For example, if the access network device receives the first indication information, the access network device sends the list 2 to the AMF network element.
In step 605, the AMF network element sends the SUCI to the AUSF. The SUCI may be carried in the first authentication request message. The first authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
Optionally, the AMF may receive the second indication information and/or the list 2.
In step 606, the AUSF network element sends the SUCI to the UDM/SIDF network element. The SUCI may be carried in a second authentication request message. The second authentication request message may be a Nudm_UEAuthentication_Get Request message.
In step 607, the UDM/SIDF network element decrypts the SUCI to obtain SUPI and performs authentication algorithm selection, generating an authentication vector according to the selected authentication algorithm.
Step 608 is an authentication procedure for identity authentication of the UE.
Specifically, the UDM/SIDF network element sends an authentication vector to the AUSF network element. The authentication vector may be carried in an authentication reply message. The authentication reply message may be a Nudm_UEAuthentication_Get Response message.
The UE and the AUSF network element perform mutual authentication. The AUSF generates the key KSEAF and sends it to the SEAF network element. The SEAF network element derives the key KAMF from KSEAF and sends a KSI to the UE, where the KSI indicates the key KAMF; the UE can determine KAMF from the KSI. The SEAF sends KAMF to the AMF. The SEAF may be co-located with the AMF or deployed independently of it. The embodiment of the present application does not limit the specific details and procedure of the authentication between the UE and the AUSF network element.
Through the steps, the AMF network element and the UE share the key KAMF.
In steps 609 and 610, the UE and the AMF network element perform the NAS security mode command (SMC) procedure.
From the key KAMF, the UE and the AMF network element may derive an integrity key and a confidentiality key between them, so as to apply integrity protection and confidentiality protection to the messages exchanged between the UE and the AMF network element. Confidentiality protection means that the sending end encrypts the information and the receiving end decrypts it.
In step 609, the AMF network element sends a NAS security mode command message to the UE. The NAS security mode command message is integrity protected. The integrity protection is prior art and is not described in detail here.
In step 610, the UE sends a NAS security mode complete message to the AMF network element.
Optionally, the NAS security mode complete message may include the first matched group. The NAS security mode complete message is confidentiality and integrity protected. Thus, the first matching group is sent to the AMF network element in an encrypted manner. At this time, step 611 may not be performed.
In the process of the UE accessing the CAG, a NAS security context is established anyway. Sending the first matching group in the NAS SMC complete message, or in a NAS message protected by the NAS security context, lets the first matching group be encrypted without adding any extra processing procedure.
Through steps 609 and 610, the NAS security mode is established. With the NAS security mode in place, messages between the AMF network element and the UE may have integrity protection and confidentiality protection.
In case the NAS security mode complete message does not include the first matched group, step 611 may be performed. Step 611 is performed after the UE and the AMF network element establish the security context through the NAS SMC procedure.
In step 611, the UE sends the first matched group to the AMF through an Uplink (UL) NAS message. That is, the first matched group is transmitted through NAS security protection.
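As an added illustration (not part of the patent's own disclosure), the following Python models the two protections described above: step 611, in which the UE sends the first matching group inside a NAS message that is confidentiality and integrity protected with keys derived from KAMF, and step 1106 / fig. 11, in which the AMF's registration reject message carries a message authentication code computed from the key shared with the UE. The KAMF value, the label-based key derivation, the HMAC-SHA256 counter-mode keystream standing in for the NAS ciphering algorithm, the JSON message layout and the sample CAG IDs are all assumptions made for this example; the 3GPP KDF and NAS algorithms differ.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the key KAMF that UE and AMF share after step 608.
# Placeholder value; a real KAMF comes out of the authentication run.
K_AMF = bytes.fromhex("0f" * 32)

MAC_LEN = 4  # a NAS MAC is 32 bits


def derive_nas_keys(k_amf):
    """Derive an integrity key and a confidentiality key from KAMF.

    Assumed simplified derivation (HMAC with a label); the 3GPP KDF differs."""
    k_int = hmac.new(k_amf, b"NAS-integrity", hashlib.sha256).digest()
    k_enc = hmac.new(k_amf, b"NAS-confidentiality", hashlib.sha256).digest()
    return k_int, k_enc


def _keystream(k_enc, count, length):
    """HMAC-SHA256 in counter mode, standing in for the NAS ciphering algorithm."""
    out = b""
    block = 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(k_enc, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def _mac(k_int, count, header_bytes, ciphertext):
    """Integrity tag over the NAS COUNT, the cleartext header and the ciphertext."""
    data = count.to_bytes(4, "big") + header_bytes + ciphertext
    return hmac.new(k_int, data, hashlib.sha256).digest()[:MAC_LEN]


def protect(k_int, k_enc, count, header, payload):
    """Sender side: encrypt the payload, then MAC the whole message."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    ks = _keystream(k_enc, count, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header_bytes = json.dumps(header, sort_keys=True).encode()
    return {
        "count": count,
        "header": header,
        "ciphertext": ciphertext.hex(),
        "mac": _mac(k_int, count, header_bytes, ciphertext).hex(),
    }


def unprotect(k_int, k_enc, msg):
    """Receiver side: verify the MAC before decrypting; None means modified or forged."""
    ciphertext = bytes.fromhex(msg["ciphertext"])
    header_bytes = json.dumps(msg["header"], sort_keys=True).encode()
    expected = _mac(k_int, msg["count"], header_bytes, ciphertext)
    if not hmac.compare_digest(expected, bytes.fromhex(msg["mac"])):
        return None
    ks = _keystream(k_enc, msg["count"], len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)))


def demo():
    """Step 611 (UE -> AMF, protected first matching group) and the MAC-protected
    registration reject of step 1106 / fig. 11 (AMF -> UE)."""
    k_int, k_enc = derive_nas_keys(K_AMF)
    first_matching_group = ["cag-202", "cag-303"]  # constructed sample

    ul = protect(k_int, k_enc, 1, {"type": "UL NAS TRANSPORT"},
                 {"first_matching_group": first_matching_group})
    received = unprotect(k_int, k_enc, ul)

    # Someone without KAMF can only alter ciphertext bits; the AMF's MAC check then fails.
    modified = dict(ul)
    ct = bytearray(bytes.fromhex(ul["ciphertext"]))
    ct[0] ^= 0x01
    modified["ciphertext"] = ct.hex()
    tampered = unprotect(k_int, k_enc, modified)

    reject = protect(k_int, k_enc, 2, {"type": "REGISTRATION REJECT"},
                     {"cause": "CAG ID check failed"})
    # A reject built without the shared key carries a MAC the UE will not accept
    # (here: the genuine MAC with one bit flipped).
    forged = dict(reject)
    forged["mac"] = format(int(reject["mac"], 16) ^ 1, "08x")

    return {
        "received_group": received["first_matching_group"] if received else None,
        "tampered_rejected": tampered is None,
        "reject_accepted": unprotect(k_int, k_enc, reject) == {"cause": "CAG ID check failed"},
        "forged_reject_rejected": unprotect(k_int, k_enc, forged) is None,
    }
```

The receiver checks the MAC before it touches the ciphertext, which is the property the patent relies on in step 1106: a registration reject that was modified or forged on the air interface is dropped rather than acted upon, and the first matching group never appears in cleartext where the access network or an eavesdropper could read it.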
In step 612, the AMF network element receives the list 3 sent by the UDM network element. List 3 includes CAG IDs that the network side allows the UE to access. The AMF network element may receive subscription data sent by the UDM network element, where the subscription data includes a list 3.
Prior to step 612, the AMF network element may send a request message to the UDM network element to obtain subscription data corresponding to the SUPI from the UDM. Optionally, the request message includes SUPI. The subscription data includes list 3, where list 3 includes CAG IDs that the network side allows the UE to access.
In step 613, the AMF matches list 3 with the first matching group to determine whether a second matching group exists. A CAG ID belongs to the second matching group only if it is in both list 3 and the first matching group. That is, the AMF takes the CAG IDs that list 3 and the first matching group have in common as the CAG IDs of the second matching group.
Optionally, the AMF matches list 2, list 3 and the first matching group to determine whether a second matching group exists. A CAG ID belongs to the second matching group only if it is in list 2, in list 3 and in the first matching group. That is, the AMF takes the CAG IDs that list 2, list 3 and the first matching group have in common as the CAG IDs of the second matching group.
Step 601 and step 602 may not be performed for the case where the AMF matches the list 2, the list 3, and the first matching group. The UE may treat list 1 as the first matched group.
Since the first matching group is sent to the AMF network element through the NAS message, the access network device cannot check and verify the first matching group sent by the UE, and it cannot be ensured that the matching result of the UE, that is, the CAG IDs in the first matching group are all the CAG IDs in the list 2. Thus, the AMF network element may generate the second matching group according to list 2.
Optionally, the AMF network element is preconfigured with CAG IDs supported by the access network device, i.e. the AMF is preconfigured with list 2. At this time, in step 604, the access network device may not send the list 2 to the AMF network element. Or the list 2 is used as second indication information to indicate that the UE requests to access the CAG service.
Since the first matching group is obtained by matching the UE already, the AMF may not match the list 2 any more in order to reduce the amount of calculation. I.e., the AMF may further match the first matched set with list 3. At this time, the list 2 sent by the access network device to the AMF network element may be used as second indication information, where the second indication information is used to indicate that the UE requests to access the CAG service.
And if the second matching group exists, allowing the UE to access the CAG service corresponding to the CAG ID in the second matching group.
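As an added example, not code from the patent, the following Python carries steps 602 and 613 through on constructed sample lists: the UE forms the first matching group from list 1 and list 2, and the AMF forms the second matching group from the first matching group and list 3, either trusting the UE's claim (the reduced-computation option) or re-checking it against list 2, since the access network device cannot inspect the NAS-protected first matching group and the AMF therefore cannot assume it is limited to what the cell broadcasts. The sample CAG IDs, the function names and the accept/reject message shapes are assumptions made for this example.

```python
# Constructed sample lists (not taken from the patent text)
LIST1_UE_CONFIGURED = {"cag-101", "cag-202", "cag-303"}    # list 1: CAG IDs configured on the UE
LIST2_CELL_BROADCAST = {"cag-202", "cag-303", "cag-404"}   # list 2: CAG IDs in system information
LIST3_SUBSCRIPTION = {"cag-303", "cag-404", "cag-505"}     # list 3: CAG IDs in UDM subscription data


def ue_first_matching_group(list1, list2):
    """Step 602 on the UE: CAG IDs present in both list 1 and list 2."""
    return frozenset(list1) & frozenset(list2)


def amf_second_matching_group(first_group, list3, list2=None):
    """Step 613 on the AMF.

    The first matching group arrives in a NAS message that the access network
    device cannot inspect, so the AMF cannot assume it is a subset of list 2.
    Passing list 2 re-checks the UE's claim; passing None trusts it to save
    computation, as the text allows."""
    second = frozenset(first_group) & frozenset(list3)
    if list2 is not None:
        second &= frozenset(list2)
    return second


def amf_registration_decision(first_group, list3, list2=None):
    """Steps 614/615: accept with the allowed CAG IDs, or reject with a cause."""
    second = amf_second_matching_group(first_group, list3, list2)
    if second:
        return {"message": "REGISTRATION ACCEPT", "allowed_cag_ids": sorted(second)}
    return {"message": "REGISTRATION REJECT", "cause": "CAG ID check failed"}


def demo():
    """Compare an honest UE with a UE whose claim exceeds what the cell broadcasts."""
    honest = ue_first_matching_group(LIST1_UE_CONFIGURED, LIST2_CELL_BROADCAST)
    # A UE with a stale list 1 or faulty software might claim a CAG ID that this
    # cell does not broadcast (constructed case).
    claimed = frozenset({"cag-303", "cag-505"})
    return {
        "honest_first_group": sorted(honest),
        "honest_decision": amf_registration_decision(
            honest, LIST3_SUBSCRIPTION, LIST2_CELL_BROADCAST),
        "claim_trusted": amf_registration_decision(claimed, LIST3_SUBSCRIPTION),
        "claim_rechecked": amf_registration_decision(
            claimed, LIST3_SUBSCRIPTION, LIST2_CELL_BROADCAST),
        "no_match": amf_registration_decision(
            frozenset({"cag-101"}), LIST3_SUBSCRIPTION, LIST2_CELL_BROADCAST),
    }
```

In the rechecked case the AMF drops "cag-505" even though the subscription allows it, because the serving cell does not support it; in the trusted case it would be granted. That is the trade-off the text describes between skipping the list 2 match to save computation and keeping it so that the second matching group is always something the access network device can actually serve.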
If the UE is allowed access, the AMF may send the second matching group to the access network device in step 614. The second matching group may be sent via an N2 message. The second matching group includes the identifiers of the CAGs that the UE is allowed to access, and the access network device receives it to learn the CAG IDs the UE may access. Optionally, after receiving the second matching group, the access network device performs operations such as radio resource management corresponding to the CAG IDs in the second matching group, for example sending the UE the resource configuration information of the CAG corresponding to each CAG ID in the second matching group. Optionally, the access network device sends the UE policy information corresponding to the CAG IDs in the second matching group, for example the QoS information of each CAG; the policy information indicates the parameters for data transmission after the UE accesses the CAG. The embodiment of the present application does not limit the specific operation the access network device performs for the CAG IDs in the second matching group.
In step 615, the AMF network element sends a registration response message to the UE. The registration response message may be a registration accept message or a registration reject message.
And if the UE is allowed to access, the AMF network element sends a registration acceptance message to the UE. Optionally, the AMF network element sends the second matching group, that is, the CAG ID allowing the UE to access to the UE.
And if the UE is not allowed to access, the AMF network element sends a registration rejection message to the UE. Optionally, the registration rejection message includes verification failure indication information. The check failure indication information may be used to indicate the reason for registration rejection, such as the CAG ID check failing or the UE identity authentication failing.
Optionally, the AMF sends the UE information on whether the UE is allowed to access the CAG through other downlink NAS messages.
Optionally, before step 610, or even before step 603, the UE may receive protection indication information, which instructs the UE to send the first matching group in encrypted form. That is, the protection indication information instructs the UE to encrypt the first matching group and send it in an encrypted manner. For example, before step 603, the UE performs a registration procedure, and the registration accept message of that registration procedure includes the protection indication information. In the subsequent CAG access procedure of the UE, the registration rejection message is protected in the manner described above.
Through steps 601 and 615, the UE sends the first matching group in an encrypted manner, so as to avoid information leakage.
In some embodiments, the UE may send the first indication information to the AMF network element through a NAS message other than the RR message. And the AMF determines the process that the UE requests to access the CAG through the first indication information.
In some embodiments, the base station may not broadcast list 2, or the UE may not match the broadcast list 2 with list 1; in that case the UE sends the encrypted list 1 to the AMF through a NAS message. The subsequent operation is the same as the procedure described above, except that list 1 takes the place of the first matching group.
In some embodiments, the UE may encrypt the first matching group with the public key of the AMF to obtain a ciphertext of the first matching group, and send that ciphertext to the AMF through a NAS message, for example together with the SUCI in the RR message, or through another NAS message. The AMF decrypts the ciphertext with its private key to obtain the first matching group. The subsequent determination flow is the same as in the embodiment above. The UE may obtain the AMF public key by preconfiguration, or the AMF may distribute it to the UE in a previous registration procedure; this is not limited here.
Fig. 9 is a schematic flow chart of a communication method provided in an embodiment of the present application.
The UE may encrypt the first matching group according to the home network key, and send the encrypted first matching group to the UDM network element, and the UDM network element decrypts the encrypted first matching group and sends the decrypted first matching group to the AMF.
The UE maintains a list 1, which may be referred to as an allowed CAG list (allowed CAG ID list). List 1 includes the identifiers of the CAGs configured for the UE, i.e. list 1 indicates the CAGs the UE supports accessing. How a particular UE obtains list 1 is not limited here. For example, list 1 may include CAG IDs that the UE obtains from an operator, CAG IDs configured by a network administrator, CAG IDs configured in the UE at the factory, and the like.
In step 601, the access network device broadcasts system information, where the system information includes list 2, and list 2 is a list of CAG IDs supported by cells covered by the access network device. The broadcast content is not protected by encryption, and all devices within the coverage of the access network device can acquire the information broadcast by the access network device.
Optionally, in step 601, the access network device unicast-transmits system information, where the system information includes list 2, and list 2 is a list of CAG IDs supported by the cell. The unicast content may not be protected by encryption, and all devices within the coverage of the access network device can obtain the unicast information of the access network device.
In step 602, the UE matches list 1 and list 2, i.e. the UE checks whether there is a first matching group, the first matching group comprising at least one CAG ID. The CAG IDs in the first matched set belong to both list 1 and list 2. The CAG IDs in the first matching group can be referred to as matching CAG IDs (selected matching CAG IDs).
In step 703, the UE sends a registration request message to the access network device, where the registration request message includes the SUCI. The registration request message may be a control plane message.
The registration request message further includes the encrypted first matched set.
Prior to step 703, the UE computes a SUCI, which is an encapsulation for the permanent identity SUPI, so that an attacker cannot obtain SUPI through eavesdropping over the air interface. SUPI is a permanent identity of the UE. That is, the UE encrypts SUPI to get SUCI.
The SUCI may include one or more of a SUPI type, a routing indicator, a protection scheme identifier, a home network public key identifier, etc. Wherein the routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier is used to indicate a protection scheme adopted by the SUCI described above, i.e., a scheme for encrypting SUPI. The routing indicator may be used to indicate UDM network elements capable of serving the UE.
Before step 703, the UE encrypts the first matching group according to the home network public key to obtain an encrypted first matching group. The UE encrypts the first matching group according to the public key of the home network, which may also be referred to as the UE encapsulating the first matching group.
The UE may encrypt the first matched group in the same encryption manner as the SUCI. The UE may encrypt the SUPI and the first matched set together and encapsulate them in one message. That is, the SUCI and the encrypted first matched set may be carried in the same message. Alternatively, the UE may encrypt the SUPI and the first matching group, respectively. Optionally, the encrypted first matching group includes one or more of a routing indicator, a protection scheme identifier, a home network public key identifier, and the like. The SUCI and the encrypted first matched set may be carried in the same or different messages.
The UE may also encrypt the first matching group using a different encryption scheme from the one used for the SUCI. For example, the SUCI and the encrypted first matching group may correspond to different home network keys, i.e. to different home network public key identifiers. The encrypted first matching group includes one or more of a routing indicator, a protection scheme identifier, a home network public key identifier, etc. The SUCI and the encrypted first matching group may be carried in the same message or in different messages. The home network key includes a home network public key and a home network private key. The UE holds the correspondence between the home network public key identifier and the home network public key, and the UDM network element holds the correspondence between the home network public key identifier and the home network private key.
Optionally, the UE sends the first indication information to the access network device. The first indication information is used for indicating the UE to request to access the CAG service.
Optionally, the first indication information is carried in a registration request message or other message. For example, the first indication information may be transmitted through a Radio Resource Control (RRC) message. The first indication information may take various forms, for example, the first indication information may include list 2 received by the UE, or the first indication information may occupy a certain field of the registration request message.
In step 704, the access network equipment sends a registration request message to the AMF network element. The registration request message includes the SUCI and the encrypted first matched set. The registration request message may be sent over an N2 interface between the access network device and the AMF network element, i.e. the registration request message may be an N2 message.
Optionally, the access network device may send the second indication information to the AMF network element. For example, if the access network device receives the first indication information, the access network device sends second indication information to the AMF network element. And the second indication information indicates that the UE requests to access the CAG service.
The second indication information may be carried in the registration request message. The second indication information may also be carried in other messages.
Alternatively, the access network device may send the list 2 to the AMF network element. The second indication information may include list 2.
In step 705, the AMF network element sends the encrypted first matching group and the SUCI to the AUSF. The SUCI may be carried in the first authentication request message. The encrypted first matching group may be carried in the first authentication request message or in another message. The first authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
Optionally, the AMF may receive the second indication information and/or the list 2.
In step 706, the AUSF network element sends the encrypted first matching group and the SUCI to the UDM/SIDF network element. The SUCI may be carried in the second authentication request message. The encrypted first matching group may be carried in the second authentication request message or in another message. The second authentication request message may be a Nudm_UEAuthentication_Get Request message.
In step 707, the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group according to the home network private key corresponding to the home network public key identifier.
The UDM/SIDF network element decrypts the SUCI to obtain the SUPI and performs authentication algorithm selection, generating an authentication vector according to the selected authentication algorithm. And the UDM/SIDF network element decrypts the encrypted first matching group to obtain the first matching group.
Or the UDM/SIDF network element decrypts the information corresponding to the SUPI and the first matching group to obtain the SUPI and the first matching group.
And the UDM/SIDF network element determines the subscription data of the UE according to the SUPI. The subscription data of the UE includes list 3, where list 3 includes CAG IDs that the network side allows the UE to access.
And the UDM/SIDF network element matches the first matching group with the list 3 to obtain a third matching group. The third matching group includes the same CAG ID as in the first matching group and list 3.
If the UDM/SIDF network element determines that the third matching group does not exist, the UE authentication procedure and step 614 are not performed. When the third matching group does not exist, the check has failed and the subsequent UE authentication procedure is unnecessary, which saves signaling overhead for the system.
The UDM/SIDF network element may reject the registration of the UE. The UDM may send rejection indication information to the AMF network element, either directly or forwarded by the AUSF network element.
Before step 615, the UDM network element may send the first rejection indication information to the AMF network element, with or without the AUSF network element. The first rejection indication information may include a reason for registration rejection. That is, the first reject indication information may be used to indicate that there is no third matching group, i.e., the check fails, and there is no CAG allowing the UE to access.
And the AMF network element receives rejection indication information sent by the UDM network element and determines that the second matching group does not exist, namely CAG allowing the UE to access does not exist.
In step 615, the AMF network element sends a registration reject message to the UE.
If the UDM/SIDF network element determines that the third matching group exists, proceed to steps 709 and 710. Steps 709 and 710 are steps of the authentication procedure, which is used for identity authentication of the UE.
Specifically, the UDM/SIDF network element sends an authentication vector to the AUSF network element in step 709. The authentication vector may be carried in the first authentication reply message. The first authentication reply message may be a Nudm_UEAuthentication_Get Response message.
In step 710, the AUSF network element sends the authentication vector to the AMF network element. The authentication vector may be carried in the second authentication reply message. The second authentication reply message may be a Nudm_UEAuthentication_Get Response message.
The UDM/SIDF network element may send the third matching group to the AMF network element.
The UDM/SIDF network element may send the third matching group to the AUSF network element. And the AUSF network element sends the third matching group to the AMF network element. That is, the third matching group may be forwarded by the AUSF network element and sent to the AMF network element. The third matched set may be carried in the first authentication reply message or other message. The third matched set may be carried in a second authentication reply message or other message.
The UDM/SIDF may also send the third matching group to the AMF network element via other messages, without forwarding via other network elements.
The UE and the AUSF network element perform mutual authentication. After successful authentication, the AUSF generates the key KSEAF and sends it to the SEAF network element. The SEAF network element derives the key KAMF from KSEAF and sends a KSI to the UE, where the KSI indicates the key KAMF; the UE can determine KAMF from the KSI. The SEAF sends KAMF to the AMF. The SEAF may be co-located with the AMF or deployed independently of it. The embodiment of the present application does not limit the specific details and procedure of the authentication between the UE and the AUSF network element.
Through the steps, the AMF network element and the UE share the key KAMF.
After the authentication procedure, based on the key KAMF, the UE and the AMF may establish a NAS security context, and the UE and the access network device may establish an AS security context.
Before step 614, the AMF network element receives the third matching group sent by the UDM network element. And the AMF network element determines a second matching group according to the third matching group.
The AMF network element may use the third matching group as the second matching group.
The AMF network element may match the third matching group with the list 2 to determine the second matching group. The second matching group includes the same CAG ID as in list 2 for the third matching group.
Since the first matching group is sent to the UDM network element in an encrypted manner, the access network device cannot check and verify the first matching group sent by the UE, and it cannot be ensured that the matching result of the UE, i.e., the CAG IDs in the first matching group, are all the CAG IDs in the list 2. Thus, the AMF network element may generate the second matching group according to list 2.
Optionally, the AMF network element is preconfigured with CAG IDs supported by the access network device, i.e. the AMF is preconfigured with list 2. At this time, in step 704, the access network device may not send list 2 to the AMF network element. Or the list 2 sent by the access network device to the AMF network element may serve as the second indication information to indicate that the UE requests to access the CAG service.
Since the first matching group is obtained by matching the UE already, the AMF may not match the list 2 any more in order to reduce the amount of calculation. I.e., the AMF may further match the first matched set with list 3. At this time, the list 2 sent by the access network device to the AMF network element may be used as second indication information, where the second indication information is used to indicate that the UE requests to access the CAG service.
If a second matched set exists, proceed to step 614.
In step 614, the AMF network element may send the second matching group to the access network device. The second matched set may be sent via an N2 message. The second matching group includes an identification of the CAG to which the UE is allowed to access. And the access network equipment acquires the CAG ID allowing the UE to access. Optionally, after receiving the second matching group to which the UE is allowed to access, the access network device executes operations such as radio resource management corresponding to the CAG ID in the second matching group. The embodiment of the present application does not limit the specific operation of the access network device.
In step 615, the AMF network element sends a registration reply message to the UE. The registration reply message may be a registration accept message or a registration reject message.
If the AMF network element determines that the second matching group exists and the UE is allowed to access, the AMF network element sends a registration accept message to the UE. Optionally, the AMF network element sends the second matching group, that is, the CAG IDs that the UE is allowed to access, to the UE.
If the UE is not allowed to access, the AMF network element sends a registration reject message to the UE. Optionally, the registration reject message includes second rejection indication information, where the second rejection indication information is used to indicate the reason for the registration failure, for example, that the CAG ID check fails or that authentication fails.
Optionally, the registration reply message may be a downlink NAS message.
Through the steps, the UE sends the first matching group in an encrypted mode, and information leakage can be avoided.
Before the authentication process of the UE is performed, the UDM/SIDF network element checks whether the UE can access the CAG, that is, the first matching group and the list 3 are matched.
In some embodiments, the first matching group and list 3 may be matched by the AMF and checked.
In step 707, the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group according to the home network private key corresponding to the home network public key identifier.
The UDM/SIDF network element decrypts the SUCI to obtain the SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm. The UDM/SIDF network element also decrypts the encrypted first matching group to obtain the first matching group.
Alternatively, the UDM/SIDF network element decrypts the information corresponding to the SUPI and the first matching group to obtain the SUPI and the first matching group.
The UDM/SIDF network element determines the subscription data of the UE according to the SUPI. The subscription data of the UE includes list 3, where list 3 includes the CAG IDs that the network side allows the UE to access.
After step 707, an authentication procedure for identity authentication of the UE is performed.
The UDM/SIDF network element sends the first matching group and the list 3 to the AMF network element.
The UDM/SIDF network element may send the first matching group and the list 3 to the AMF network element. The first matched set and/or list 3 may be carried in a first authentication reply message or other message.
The UDM/SIDF network element may send the first matching group and list 3 to the AUSF network element. And the AUSF network element sends the first matching group and the list 3 to the AMF network element. That is, the first matching group and the list 3 may be forwarded by the AUSF network element to the AMF network element. The first matched set and/or list 3 may be carried in a second authentication reply message or other message.
Before step 614, the AMF network element performs matching based on the first matching group and list 3 to determine a second matching group. The second matching group includes the CAG IDs that are the same in the first matching group and list 3.
The AMF may use the CAG IDs that are the same in list 3 and the first matching group as the CAG IDs in the second matching group. The AMF may also use the CAG IDs that are the same in list 2, list 3 and the first matching group as the CAG IDs in the second matching group.
If the UE is allowed access, the AMF may send a second matching group to the access network device in step 614.
In step 615, the AMF network element sends a registration reply message to the UE. The registration reply message may be a registration accept message or a registration reject message.
In some embodiments, the UE may not match list 2 with list 1, or the base station may not broadcast list 2. The UE sends the encrypted list 1 to the AMF network element via a NAS message. The subsequent operations are the same as in the above-described flow. This scheme differs from the above-described flow in that the first matching group is list 1 in this case. That is, step 601 and step 602 may not be performed for the case where the AMF matches the third matching group with list 2. The UE may treat list 1 as the first matching group.
Fig. 10 is a schematic flow chart of a communication method provided in an embodiment of the present application.
The UE may send the first matching group to the network element of the access network device through the encrypted AS message.
The UE is configured with list 1. List 1 includes CAG IDs for which the UE supports access.
In step 601, the access network device sends list 2 to the UE. List 2 includes CAG IDs supported by cells covered by the access network equipment. The cell is a cell in which the UE is located in one or more cells covered by the access network device. The broadcasted content may not be protected by encryption, and all devices within the coverage area of the access network device can obtain the information broadcasted by the access network device.
Optionally, in step 601, the access network device unicast-transmits system information, where the system information includes list 2, and list 2 includes CAG IDs supported by the cell. The unicast content may not be protected by encryption, and all devices within the coverage of the access network device can obtain the unicast information of the access network device.
In step 602, the UE matches list 1 and list 2 to obtain a first matching group. The first matching group includes the same CAG IDs in list 1 and list 2. The UE matches list 1 and list 2, i.e. the UE determines a first matching group, the first matching group comprising at least one CAG ID. The CAG IDs in the first matched set belong to both list 1 and list 2. The CAG IDs in the first matching group can be referred to as matching CAG IDs (selected matching CAG IDs).
In step 603, the UE sends a registration request message to the access network device, the registration request message including the SUCI.
Prior to step 603, the UE computes the SUCI, which is an encapsulation for the permanent identity SUPI, so that an attacker cannot obtain SUPI through eavesdropping over the air interface. SUPI is a permanent identity of the UE. That is, the UE encrypts SUPI to get SUCI.
The SUCI may include one or more of a SUPI type, a routing indicator, a protection scheme identifier, a home network public key identifier, etc., where the routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier is used to indicate the protection scheme adopted by the SUCI, i.e. the scheme for encrypting the SUPI. The routing indicator may be used to indicate the UDM network elements capable of serving the UE.
Optionally, the UE sends the first indication information to the access network device. The first indication information is used for indicating the UE to request to access the CAG.
The UE may send the first indication information to the access network device to indicate that the UE requests to access the CAG. Since the information related to UE registration in the RR message is sent by the UE to the AMF network element, the access network device only forwards that information and cannot interpret it. Therefore, the UE sends the first indication information to the access network device, so as to instruct the access network device to perform the procedure corresponding to the UE requesting to access the CAG.
Optionally, the first indication information is carried in a registration request message or other message. For example, the first indication information may be transmitted through a Radio Resource Control (RRC) message. The first indication information may take various forms, for example, the first indication information may include list 2 received by the UE, or the first indication information may occupy a certain field of the registration request message.
In step 604, the access network equipment sends a registration request message to the AMF network element. The registration request message includes the SUCI. The registration request message may be sent over an N2 interface between the access network device and the AMF network element, i.e. the registration request message may be an N2 message.
Optionally, the access network device may send the second indication information to the AMF network element. For example, if the access network device receives the first indication information, the access network device sends second indication information to the AMF network element. And the second indication information indicates that the UE requests to access the CAG service.
The second indication information may be carried in the registration request message. The second indication information may also be carried in other messages.
Alternatively, the access network device may send the list 2 to the AMF network element. The second indication information may include list 2.
In step 605, the AMF network element sends the SUCI to the AUSF. The SUCI may be carried in a first authentication request message. The first authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
Optionally, the AMF may receive the second indication information and/or the list 2.
In step 606, the AUSF network element sends the SUCI to the UDM/SIDF network element. The SUCI may be carried in a second identity authentication request message. The second authentication request message may be a Nudm_UEAuthentication_Get Request message.
In step 607, the UDM/SIDF network element decrypts the SUCI to obtain SUPI and performs authentication algorithm selection, generating an authentication vector according to the selected authentication algorithm.
Step 608 is an authentication procedure for identity authentication of the UE.
Specifically, the UDM/SIDF network element sends an authentication vector to the AUSF network element. The authentication vector may be carried in an identity authentication reply message. The authentication reply message may be a Nudm_UEAuthentication_Get Response message.
The UE and the AUSF network element perform mutual authentication. The AUSF generates the key KSEAF and sends it to the SEAF network element. The SEAF network element generates the key KAMF according to the key KSEAF and sends the KSI to the UE, where the KSI is used to indicate the key KAMF; the UE may determine the key KAMF from the KSI. The SEAF sends KAMF to the AMF. The SEAF may be co-located with the AMF or deployed separately. The embodiment of the present application does not limit the specific details and procedures of the authentication between the UE and the AUSF network element.
Through the steps, the AMF network element and the UE share the key KAMF.
In steps 809-.
Before step 809, the AMF calculates the key KgNB and sends it to the access network device. The key KgNB is determined from the key KAMF. According to the key KgNB, the UE and the access network device can determine an integrity key and a confidentiality key between the UE and the access network device, so that integrity protection and confidentiality protection are applied to the messages between the UE and the access network device. Confidentiality protection means that the sending end encrypts the message and the receiving end decrypts it.
In step 809, the access network device sends an AS security mode command message to the UE. The AS security mode command message has integrity protection.
In step 810a, the UE sends an AS security mode complete message to the access network device. The AS security mode complete message has confidentiality and integrity protection.
Optionally, the AS security mode complete message may include the first matched group. Thus, the first matching group is sent to the access network device in an encrypted manner. At this time, step 611 may not be performed.
Through steps 809 and 810a, the UE and the network element of the access network device establish a security context through the AS SMC process, and the message between the access network device and the UE can be transmitted in an encrypted manner. Through the AS security mode, messages between the AMF network element and the UE can have integrity protection and confidentiality protection.
It is also possible that the transmission of the first matched set is performed through step 810b when the AS security mode complete message does not include the first matched set. Step 810b is performed after the UE and the access network device establish the AS security context through the AS SMC procedure.
In step 810b, the UE sends the first matching group to the AMF via an uplink (UL) AS message. That is, the first matching group is sent with the protection of the AS security context.
Before step 814, the access network device decrypts the first matching group received via the AS security mode complete message or via the uplink AS message protected by the AS security context. The access network device decrypts it according to the AS security context to obtain the decrypted first matching group.
In some embodiments, the access network device may check the first matching group before step 814.
Optionally, the access network device may match the first matching group with the list 2. The access network device may remove CAG IDs outside of list 2 in the first matching group to obtain a new first matching group.
Optionally, the access network device receives the first matching group sent by the UE. The access network device determines whether the CAG IDs in the first matching group are in list 2, the CAG IDs supported by the access network device. If the first matching group belongs to list 2, that is, all of its CAG IDs are in list 2, the access network device sends the first matching group to the AMF network element. Otherwise, the access network device does not send the first matching group; optionally, the access network device denies access to the UE.
In other embodiments, the matching of the first matching group to the list 2 may be performed by the AMF network element.
The AMF network element may pre-configure list 2. Alternatively, the AMF network element may receive the list 2 sent by the access network device. For example, in step 604, the access network device sends list 2 to the AMF network element. The AMF network element may match the list 2, the list 3, and the first matching group. I.e. the AMF network element may determine a second matching group comprising the same CAG IDs in list 2, list 3, the first matching group.
Alternatively, the access network device and the AMF may not match the first matching group and the list 2.
In step 814, the UE sends the decrypted first matching group to the AMF network element. The decrypted first matched set may be a verified first matched set. The second matched set may be sent via an N2 message. The second matching group includes an identification of the CAG to which the UE is allowed to access.
In step 612, the AMF network element receives list 3 sent by the UDM network element. List 3 includes the CAG IDs that the network side allows the UE to access. The AMF network element can receive the subscription data sent by the UDM network element, and the subscription data includes list 3.
The embodiment of the present application does not limit the sequence of step 814 and step 612.
Optionally, before step 612, the AMF network element may send a subscription data request to the UDM network element, and obtain subscription data corresponding to the UE from the UDM network element. The subscription data includes list 3, where list 3 includes CAG IDs that the network side allows the UE to access.
In step 613, the AMF matches list 3 with the first matching group to determine whether a second matching group exists. List 3 includes the CAG IDs in the second matching group, and the first matching group includes the CAG IDs in the second matching group. That is, the AMF takes the CAG IDs that are the same in list 3 and the first matching group as the CAG IDs in the second matching group.
If the second matching group exists, the UE is allowed to access the CAG services corresponding to the CAG IDs in the second matching group.
In step 615, the AMF network element sends a registration reply message to the UE. The registration reply message may be a registration accept message or a registration reject message.
If the UE is allowed to access, the AMF network element sends a registration accept message to the UE. Optionally, the AMF network element sends the second matching group, that is, the CAG IDs that the UE is allowed to access, to the UE.
If the UE is not allowed to access, the AMF network element sends a registration reject message to the UE. Optionally, the registration reject message includes check failure indication information, where the check failure indication information is used to indicate that the CAG ID check fails. The check failure indication information may indicate the reason for the registration rejection, i.e. that the CAG ID check fails.
Alternatively, the registration reply message may be a downlink NAS message sent by the AMF to the UE.
In other embodiments, the access network device may encrypt the first matching group according to another public key of the access network device. The UE may pre-configure the public key of the access network device, the UE may receive the public key sent by the access network device, for example, the access network device may broadcast the public key of the access network device, and so on.
Optionally, before step 810a, the UE may receive protection indication information for instructing the UE to send the encrypted first matching group.
When the UE sends the encrypted first matching group under the AS SM, or sends the encrypted first matching group through the AS SMC complete message, information leakage can be avoided to a certain extent. Meanwhile, the influence on the flow of the UE accessing the CAG is small.
Fig. 11 is a schematic flow chart of a communication method provided in an embodiment of the present application.
In the process that the UE accesses the CAG, after the UE receives the registration rejection message, the CAG ID in the first matching group is deleted from the list 1. If an attacker can forge the registration reject message, the attacker may cause the UE to empty list 1 by forging multiple reject messages. After list 1 is empty, the UE cannot use CAG service.
If the check by the AMF network element or the UDM network element fails, that is, no CAG ID that the UE is allowed to access exists, the AMF needs to send a registration reject message to the UE.
When the AMF network element determines that no CAG ID that the UE is allowed to access exists, the AMF network element sends a registration reject message to the UE.
When the UDM network element determines that no CAG ID that the UE is allowed to access exists, it sends check failure information to the AMF network element, and the AMF network element sends a registration reject message to the UE according to the check failure information.
After the identity authentication of the UE is completed, the UE and the AMF network element share the key KAMF.
After the NAS SM procedure is completed, a security context between the UE and the AMF network element, namely the NAS protection context, is established. The AMF network element may send the registration reject message to the UE via a NAS message protected by the NAS security context. A message protected by the NAS security context has confidentiality protection, which can prevent attacks by attackers. Alternatively, the AMF network element may send the registration reject message to the UE through steps 901 and 902.
In addition, regardless of whether the NAS security context is established, the AMF network element may further send a registration rejection message to the UE through steps 901 and 902.
Before step 901, UE identity authentication is performed. The UE shares the key KAMF with the AMF network element.
In step 901, the AMF network element determines that the check fails, and calculates the MAC.
Before step 901, the AMF network element may receive a check failure message sent by the UDM. The AMF network element may determine that the check fails according to the check failure message. Alternatively, the AMF network element may perform the check itself and determine that the check fails. For the check performed by the AMF, see fig. 2, fig. 7 and fig. 9.
The AMF network element computes the MAC based on the key KAMF.
The MAC, also called a message authentication code, is a small piece of information generated by a specific algorithm to check the integrity of a certain piece of information. The MAC can be verified, and it can be used to check whether the content was altered during message transmission. Meanwhile, the MAC can be used for authenticating the source of a message, so as to confirm where the message came from.
The AMF network element calculates the MAC according to a message authentication code function.
The input parameters of the message authentication code function include the key KAMF, and may further include at least one of the following parameters: rejection indication information, ngKSI, the NAS uplink counter, the NAS downlink counter, the first matching group, the anti-bidding down between architectures parameter (ABBA), the AMF ID, the AMF set identifier (AMF set ID), the SUCI, the SUPI, a fresh parameter randomly selected by the AMF, the serving network identifier, etc. The fresh parameter randomly selected by the AMF may be, for example, a random number used only once (a nonce). The serving network identifier identifies the serving network in which the AMF is located. The first matching group comprises the CAG IDs which the UE requests to access. The rejection indication information is used to indicate the reason for the registration rejection, for example, that the identity check of the CAG to which the UE requests access fails, or that the registration request of the UE is rejected. The reason for the registration rejection may also be another check failure, an authentication failure, etc.
In step 902, the AMF network element sends a registration reject message to the UE.
The registration reject message includes the MAC.
The registration rejection message may also include rejection indication information.
The registration reject message may also include ngKSI, which is used to indicate KAMF.
The registration reject message may further include at least one of the input parameters of the message authentication code function other than KAMF. For example, the registration reject message may include at least one of the following parameters: the NAS uplink counter, the NAS downlink counter, the first matching group, the anti-bidding down between architectures parameter (ABBA), the AMF ID, the AMF set identifier (AMF set ID), the SUCI, the SUPI, the fresh parameter randomly selected by the AMF, the serving network identifier, etc. The first matching group is determined by the UE according to the CAG ID list 1 configured for the UE and the CAG ID list 2 supported by the access network device, and the first matching group comprises the CAG IDs that are the same in list 1 and list 2.
The AMF network element may also send the input parameters of the message authentication code function to the UE through other messages. For example, in the identity authentication process, the AMF network element sends ngKSI to the UE.
The UE may also store input parameters of the message authentication code function. After the UE determines the first matching group, it saves the first matching group. The UE may also keep the SUCI, the SUPI, etc. The AMF may send to the UE those input parameters of the message authentication code function which the UE has not saved.
After step 902, the UE verifies the MAC. The UE calculates the MAC according to the message authentication code function and the input parameters of the message authentication code function.
The UE determines whether the check passes by comparing the calculated MAC with the MAC in the registration reject message.
If the UE determines that the calculated MAC is the same as the MAC in the registration reject message, the check passes. The UE may then delete the first matching group from the CAG ID list 1 configured for the UE.
If the UE determines that the calculated MAC differs from the MAC in the registration reject message, the check fails. The UE determines that the registration reject message is a forged message.
Through the steps 901 and 902, the AMF network element sends the MAC, and the UE can determine the authenticity of the registration rejection message through the MAC, thereby preventing an attacker from modifying and forging the registration rejection message.
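As an added example that is not part of the patent, the following Python models the reject protection of steps 901 and 902 together with the list matching of steps 602 and 613: the AMF computes a MAC over the reject parameters with KAMF, and the UE removes the first matching group from list 1 only when the MAC verifies, so a forged, modified or replayed reject cannot empty list 1. The message encoding, HMAC-SHA256 as the message authentication code function, the field names and all sample values are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

ABBA = b"\x00\x00"  # 3GPP ABBA value for the initial security feature set

def first_matching_group(list1: List[int], list2: List[int]) -> List[int]:
    """Step 602: CAG IDs present in both the UE's list 1 and the cell's list 2."""
    supported = set(list2)
    return [cag for cag in list1 if cag in supported]

def second_matching_group(first: List[int], list3: List[int],
                          list2: Optional[List[int]] = None) -> List[int]:
    """Step 613: CAG IDs in both the first matching group and the subscribed
    list 3 (also restricted to list 2 when the AMF holds list 2)."""
    allowed = set(list3) if list2 is None else set(list3) & set(list2)
    return [cag for cag in first if cag in allowed]

@dataclass
class RegistrationReject:
    reject_indication: str           # reason, e.g. the CAG ID check failed
    ngksi: int                       # tells the UE which KAMF the MAC uses
    nas_dl_count: int                # NAS downlink counter
    first_matching_group: List[int]  # CAG IDs the UE requested
    abba: bytes
    nonce: bytes                     # fresh parameter randomly selected by the AMF
    serving_network: str
    mac: bytes = b""

def encode_mac_input(msg: RegistrationReject) -> bytes:
    """Assumed canonical encoding: each field is length-prefixed, so two
    different parameter sets never map to the same byte string."""
    parts = [
        msg.reject_indication.encode(),
        msg.ngksi.to_bytes(1, "big"),
        msg.nas_dl_count.to_bytes(4, "big"),
        b"".join(cag.to_bytes(4, "big") for cag in msg.first_matching_group),
        msg.abba, msg.nonce, msg.serving_network.encode(),
    ]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def compute_mac(k_amf: bytes, msg: RegistrationReject) -> bytes:
    """Message authentication code function, assumed to be HMAC-SHA256 keyed
    with KAMF and truncated to 128 bits (the page leaves the function open)."""
    return hmac.new(k_amf, encode_mac_input(msg), hashlib.sha256).digest()[:16]

def amf_registration_reply(k_amf: bytes, first: List[int], list3: List[int],
                           ngksi: int, nas_dl_count: int, serving_network: str,
                           list2: Optional[List[int]] = None) -> Tuple[str, object]:
    """Steps 613, 615, 901, 902: accept when a second matching group exists,
    otherwise build a registration reject that carries a MAC under KAMF."""
    second = second_matching_group(first, list3, list2)
    if second:
        return "REGISTRATION_ACCEPT", second
    msg = RegistrationReject("CAG_ID_CHECK_FAILED", ngksi, nas_dl_count,
                             list(first), ABBA, os.urandom(16), serving_network)
    msg.mac = compute_mac(k_amf, msg)
    return "REGISTRATION_REJECT", msg

@dataclass
class UEState:
    k_amf: bytes
    ngksi: int
    list1: List[int]
    first_matching_group: List[int]  # stored by the UE after step 602
    nas_dl_count: int = 0            # lowest downlink count still accepted

def ue_handle_reject(ue: UEState, msg: RegistrationReject) -> bool:
    """UE side after step 902: recompute the MAC over the UE's own stored
    parameters, compare in constant time, and only then delete the first
    matching group from list 1. Returns False (list 1 untouched) for a reject
    that is forged, modified, computed under another key, or replayed."""
    if msg.ngksi != ue.ngksi:
        return False
    expected_input = RegistrationReject(msg.reject_indication, msg.ngksi,
                                        msg.nas_dl_count, ue.first_matching_group,
                                        msg.abba, msg.nonce, msg.serving_network)
    if not hmac.compare_digest(compute_mac(ue.k_amf, expected_input), msg.mac):
        return False
    if msg.nas_dl_count < ue.nas_dl_count:
        return False  # stale counter: replay (added check, usual NAS COUNT handling)
    ue.nas_dl_count = msg.nas_dl_count + 1
    removed = set(ue.first_matching_group)
    ue.list1 = [cag for cag in ue.list1 if cag not in removed]
    return True

if __name__ == "__main__":
    # Constructed sample: list 3 allows only CAG 9, so the AMF rejects with a MAC.
    k_amf = bytes(range(32))
    first = first_matching_group([1, 2, 3, 4], [2, 4, 5])
    kind, reply = amf_registration_reply(k_amf, first, [9], 1, 0, "SN-1")
    ue = UEState(k_amf, 1, [1, 2, 3, 4], first)
    print(kind, ue_handle_reject(ue, reply), ue.list1)  # REGISTRATION_REJECT True [1, 3]
```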
Fig. 12 is a schematic flow chart of a communication method provided in an embodiment of the present application.
In the process that the UE accesses the CAG, after the UE receives the registration rejection message, the CAG ID in the first matching group is deleted from the list 1. If an attacker can forge the registration reject message, the attacker may cause the UE to empty list 1 by forging multiple reject messages. After list 1 is empty, the UE cannot use CAG service.
When the AMF/UDM network element determines that the check fails, steps 1001 to 1003 are performed.
In step 1001, the AMF/UDM network element computes a digital signature.
In step 1002, the AMF/UDM network element sends the digital signature to the UE.
For the case where the UDM performs the check and the check fails, the digital signature may be computed based on the home network private key and the rejection indication information. For the check performed by the UDM, see fig. 9.
Optionally, the UDM computes the digital signature according to a digital signature function. The input parameters of the digital signature function include the home network private key, and may further include at least one of the first matching group, the SUCI, the SUPI, a fresh parameter (nonce, random number, etc.) randomly selected by the UDM, a serving network identifier (the serving network where the AMF is located), a home network identifier, and rejection indication information. The first matching group comprises the CAG IDs which the UE requests to access. The rejection indication information is used to indicate the reason for the registration rejection, for example, that the identity check of the CAG to which the UE requests access fails, or that authentication fails.
The UDM network element sends the digital signature to the UE. The digital signature can be forwarded by the AMF network element and/or the AUSF network element, etc.
Optionally, the UDM network element may send rejection indication information to the AMF network element to indicate that the check fails. The AMF then sends a registration reject message to the UE, where the registration reject message carries the digital signature sent by the UDM.
The UE receives the registration reject message. The UE may verify the digital signature according to the rejection indication information corresponding to the possible rejection reason, i.e. verify the correctness of the digital signature. Alternatively, the UE may verify the digital signature based on the received rejection indication information.
Optionally, the UDM network element may further send the key identifier for signature to the UE through the AMF and/or the AUSF. Optionally, the UDM network element may further send a public key identifier, so that the UE may determine, according to the public key identifier, a public key used for digital signature calculation.
Optionally, the UDM network element may further send an algorithm indication, and the UE may determine an algorithm used for the digital signature calculation according to the algorithm indication.
Optionally, the parameters sent by the UDM network element may further include at least one of the following: the SUCI, the SUPI, a fresh parameter (nonce, random number, etc.) randomly selected by the UDM, a serving network identifier (the serving network where the AMF is located), a home network identifier, rejection indication information, etc. The UDM and/or AMF network element may also send other parameters that the UE has not stored, so that the UE can correctly check the MAC.
For the case where the AMF network element performs the check and the check fails, the digital signature may be calculated over the rejection indication information based on the private key of the AMF.
For the check performed by the AMF network element, see fig. 2, fig. 8 and fig. 10. When the AMF check fails, the AMF may compute a digital signature based on the private key of the AMF and the rejection indication information.
Optionally, the AMF calculates the digital signature according to a digital signature function. The input parameters of the digital signature function include the private key held by the AMF, and may further include at least one of the first matching group, the SUCI, the SUPI, a fresh parameter (nonce, random number, etc.) randomly selected by the AMF, a serving network identifier (the serving network where the AMF is located), an AMF public key identifier, and rejection indication information.
In step 1002, the AMF network element sends a registration reject message to the UE.
The registration rejection message includes a digital signature.
The registration rejection message may also include rejection indication information.
The registration rejection message may further include a key identifier used for calculating the digital signature, and the UE may determine, according to the key identifier, the AMF public key corresponding to the key identifier, so as to verify the digital signature.
The registration rejection message may further include at least one of a plurality of input parameters of the digital signature function other than the AMF public key. For example, the registration rejection message may include at least one of the following parameters: the first matched group, SUCI, SUPI, fresh parameters (nonce, random number, etc.) randomly selected by UDM, fresh parameters (nonce, random number, etc.) randomly selected by AMF, service network identification (service network where AMF is located), AMF public key identification, and rejection indication information.
In step 1003, the UE checks the correctness of the digital signature.
The UE receives the digital signature and verifies it. If the verification passes, the UE determines that it is not allowed to access the CAGs corresponding to the CAG IDs in the first matching group.
The UE holds the public key of the home network. The specific way of obtaining the public key of the home network is not limited.
If the verification is passed, the UE may delete the first matching group from the CAG ID list 1 configured for the UE.
If the verification does not pass, the UE determines that the registration reject message is a forged message.
Through steps 1001 to 1003, the AMF/UDM network element sends the digital signature, and the UE can determine the authenticity of the registration reject message through the digital signature, which prevents an attacker from modifying or forging the registration reject message and protects the rejection indication information.
Method embodiments of the present application are described above in conjunction with fig. 1-12, and apparatus embodiments of the present application are described below in conjunction with fig. 13-18. It is to be understood that the description of the method embodiments corresponds to the description of the apparatus embodiments, and therefore reference may be made to the preceding method embodiments for parts not described in detail.
Fig. 13 is a schematic structural diagram of a user equipment according to an embodiment of the present application. The user equipment 1300 includes: an encryption module 1310 and a transceiver module 1320.
The encryption module 1310 is configured to encrypt the first group list using the non-access stratum, NAS, security context to obtain an encrypted first group list, the first group list including an identification of one or more groups that the UE requests access to.
The transceiver module 1320 is configured to send the encrypted first group list.
Optionally, the transceiver module 1320 is configured to send the encrypted first group list to the first network device through a NAS security mode (SM) complete message.
Optionally, the transceiver module 1320 is configured to send the encrypted first group list through an uplink NAS message protected by the NAS security context.
Optionally, the transceiver module 1320 is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message authentication code.
The user equipment 1300 then further includes a verification module configured to verify the registration rejection message according to the message authentication code.
Fig. 14 is a schematic structural diagram of a network device according to an embodiment of the present application. Network device 1400, comprising: a transceiving module 1410, a decryption module 1420, and a determination module 1430.
The transceiver module 1410 is configured to receive an encrypted first group list sent by the user equipment (UE), where the first group list includes identifiers of one or more groups that the UE requests to access.
The decryption module 1420 is configured to decrypt the encrypted first group list to obtain the first group list (the list of closed access group, CAG, identifiers requested by the UE).
The determining module 1430 is configured to determine the subscribed group list stored by the unified data management (UDM) network element.
The determining module 1430 is further configured to determine a second group list according to the first group list and the subscribed group list, where the second group list includes identifiers of the groups that the UE is allowed to access.
The transceiver module 1410 is further configured to send the second group list to the access network device when the second group list exists.
Optionally, the transceiver module 1410 is configured to receive the encrypted first group list sent by the UE through a non-access stratum (NAS) security mode (SM) complete message.
Optionally, the network device 1400 further includes a calculating module configured to calculate, when the second group list does not exist, a message authentication code according to a shared key between the UE and the first network device.
The transceiver module 1410 is then further configured to send a registration rejection message to the access network device, where the message authentication code is used by the UE to verify the registration rejection message.
Optionally, the transceiver module 1410 is further configured to receive a third group list sent by the access network device, where the third group list includes identifiers of the groups supported by the access network device.
The determining module 1430 is then configured to determine the second group list according to the first group list, the third group list, and the subscribed group list.
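The following Python program is an added worked example; it is not code from the patent or from Huawei. It models the decision described for the network device of Fig. 14 (and in claims 1 to 4) together with the rejection protection of steps 1001 to 1003 above: the first network device intersects the UE's requested group list with the subscribed group list from the UDM and with the groups the access network supports; when nothing remains, it returns a registration rejection whose indication, refused groups, UE identity, serving network and fresh AMF nonce are bound by a message authentication code, and the UE deletes the refused groups from its configured CAG ID list only after that code verifies. HMAC-SHA256 is assumed in place of the MAC or digital-signature function the text leaves open (the claims specify a MAC over a key shared between the UE and the first network device; the signature variant differs only in the primitive), the shared key is a constructed constant standing in for a key derived from the NAS security context, and every CAG ID, the SUPI, the serving network name, the cause value and the message field names are made up. NAS ciphering of the first group list is not modelled.

```python
"""Added example (not from the patent): second-group-list determination at the
first network device and a MAC-protected registration rejection verified by the UE.
Assumptions: HMAC-SHA256 stands in for the unspecified MAC / signature function; the
shared key is a constructed stand-in for a key derived from the NAS security context;
CAG IDs, SUPI, serving network name, cause value and field names are made up."""
import hashlib
import hmac
import secrets

# Constructed stand-in for the key shared between the UE and the first network device.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

# Fields covered by the MAC, in fixed order; the "mac" field itself is excluded.
MAC_FIELDS = ("type", "reject_indication", "first_matching_group",
              "supi", "serving_network", "amf_nonce")

def determine_second_group_list(first_group_list, subscribed_group_list, third_group_list=None):
    """Groups the UE requested (first list) that are also subscribed (UDM list) and,
    when the access network reported what it supports (third list), also supported
    there. An empty result is the "second group list does not exist" case."""
    allowed = set(first_group_list) & set(subscribed_group_list)
    if third_group_list is not None:
        allowed &= set(third_group_list)
    return [g for g in first_group_list if g in allowed]  # keep the request order

def _canonical(msg):
    """Length-prefixed encoding of the MAC inputs: plain concatenation would let an
    attacker shift bytes between fields (e.g. from a CAG ID into the SUPI) without
    changing the MAC; an item count plus a length per item rules that out."""
    out = bytearray()
    for name in MAC_FIELDS:
        items = msg[name] if isinstance(msg[name], list) else [msg[name]]
        out += len(items).to_bytes(4, "big")
        for item in items:
            data = item.encode("utf-8")
            out += len(data).to_bytes(4, "big") + data
    return bytes(out)

def compute_reject_mac(key, msg):
    return hmac.new(key, _canonical(msg), hashlib.sha256).digest()

def build_registration_reject(key, first_matching_group, supi, serving_network):
    """First network device side: no group is allowed, so reject and bind the
    rejection indication, refused groups, UE identity, serving network and a fresh
    AMF nonce (the text's 'fresh parameter randomly selected by AMF') to the MAC."""
    msg = {
        "type": "REGISTRATION_REJECT",
        "reject_indication": "CAG_NOT_ALLOWED",  # assumed cause value
        "first_matching_group": list(first_matching_group),
        "supi": supi,
        "serving_network": serving_network,
        "amf_nonce": secrets.token_hex(16),
    }
    msg["mac"] = compute_reject_mac(key, msg).hex()
    return msg

class UE:
    def __init__(self, supi, key, cag_id_list):
        self.supi = supi
        self.key = key
        self.cag_id_list = list(cag_id_list)  # "CAG ID list 1" configured in the UE
        self.seen_nonces = set()

    def handle_registration_reject(self, msg):
        """True (and refused groups dropped from the configured list) when the
        rejection verifies; False, list untouched, when it targets another UE,
        replays a nonce already seen, or fails the MAC (modified or forged)."""
        if msg.get("type") != "REGISTRATION_REJECT" or msg.get("supi") != self.supi:
            return False
        if msg.get("amf_nonce") in self.seen_nonces:
            return False
        try:
            expected, received = compute_reject_mac(self.key, msg), bytes.fromhex(msg["mac"])
        except (KeyError, ValueError, AttributeError):
            return False
        if not hmac.compare_digest(expected, received):
            return False
        self.seen_nonces.add(msg["amf_nonce"])
        refused = set(msg["first_matching_group"])
        self.cag_id_list = [g for g in self.cag_id_list if g not in refused]
        return True

def demo():
    """Constructed flow: two CAGs requested, none allowed once subscription and RAN support count."""
    requested = ["cag-1001", "cag-2002"]
    subscribed = ["cag-1001", "cag-3003"]  # subscribed group list held by the UDM
    supported = ["cag-2002", "cag-3003"]   # third group list from the access network
    ue = UE("imsi-460001234567890", SHARED_KEY, requested)
    allowed = determine_second_group_list(requested, subscribed, supported)
    if not allowed:
        reject = build_registration_reject(SHARED_KEY, requested, ue.supi,
                                           "5G:mnc000.mcc460.3gppnetwork.org")
        ue.handle_registration_reject(reject)
    return allowed, ue.cag_id_list

if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from it: the MAC inputs are length-prefixed rather than concatenated, so moving bytes between the CAG ID and SUPI fields cannot produce a second message with the same MAC; and the UE keeps the nonces of rejections it has accepted, so a captured rejection cannot be replayed later to strip a group that has since become allowed. A UE-chosen nonce among the inputs would give stronger freshness than the network-chosen nonces the parameter list above contains; the example does not add one because the text does not describe it.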
Fig. 15 is a schematic structural diagram of an access network device according to an embodiment of the present application. The access network apparatus 1500 includes: a transceiver module 1510, and a generation module 1520.
The transceiver module 1510 is configured to receive an encrypted first group list sent by the user equipment (UE), where the first group list includes identifiers of one or more groups that the UE requests to access.
The transceiver module 1510 is further configured to send the encrypted first group list.
The transceiver module 1510 is further configured to receive a second group list sent by the first network device, where the second group list includes an identification of one or more groups that the UE is allowed to access.
The generating module 1520 is configured to generate quality of service, QoS, information for the one or more groups based on the identification of the one or more groups.
The transceiving module 1510 is further configured to send quality of service QoS information to the UE.
Fig. 16 is a schematic structural diagram of a network device according to an embodiment of the present application. Network device 1600, comprising: a processor 1610 and a communication interface 1620.
The communication interface 1620 is configured to receive an encrypted first group list sent by a UE, where the first group list includes an identifier of one or more groups requested to be accessed by the UE.
The processor 1610 is configured to decrypt the encrypted first group list to obtain the first group list (the list of CAG identifiers requested by the UE).
The processor 1610 is further configured to determine the subscribed group list stored by the UDM network element.
The processor 1610 is further configured to determine a second group list according to the first group list and the subscribed group list, where the second group list includes identifiers of the groups that the UE is allowed to access.
The communication interface 1620 is further configured to send the second group list to the access network device when the second group list exists.
Optionally, the communication interface 1620 is configured to receive the encrypted first group list sent by the UE through a non-access stratum (NAS) security mode (SM) complete message.
Optionally, the processor 1610 is further configured to calculate a message authentication code according to a shared key between the UE and the first network device when the second group list does not exist.
The communication interface 1620 is then further configured to send a registration rejection message to the access network device, where the message authentication code is used by the UE to verify the registration rejection message.
Optionally, the communication interface 1620 is further configured to receive a third group list sent by the access network device, where the third group list includes identifiers of the groups supported by the access network device.
The processor 1610 is then configured to determine the second group list according to the first group list, the third group list, and the subscribed group list.
Fig. 17 is a schematic structural diagram of a user equipment according to an embodiment of the present application. The user equipment 1700 includes a processor 1710 and a communication interface 1720.
The processor 1710 is configured to encrypt the first group list with a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including identifiers of one or more groups that the UE requests to access.
The communication interface 1720 is configured to send the encrypted first group list.
Optionally, the communication interface 1720 is configured to send the encrypted first group list to the first network device through a NAS security mode (SM) complete message.
Optionally, the communication interface 1720 is configured to send the encrypted first group list through an uplink NAS message protected by the NAS security context.
Optionally, the communication interface 1720 is further configured to receive a registration rejection message sent by the first network device, the registration rejection message including a message authentication code.
The processor 1710 is then further configured to verify the registration rejection message according to the message authentication code.
Fig. 18 is a schematic structural diagram of an access network device according to an embodiment of the present application. The access network device 1800 includes a communication interface 1810.
The communication interface 1810 is configured to receive an encrypted first group list sent by the UE, where the first group list includes identifiers of one or more groups that the UE requests to access.
The communication interface 1810 is further configured to send the encrypted first group list.
The communication interface 1810 is further configured to receive a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access.
The communication interface 1810 is further configured to send quality of service (QoS) information for the one or more groups to the UE.
Optionally, the access network device 1800 comprises a processor configured to generate the quality of service, QoS, information for the one or more groups from the second group list.
An embodiment of the present application provides a computer program storage medium having program instructions, which when executed, enable the functions of any one of the first network device, the access network device and the user equipment in the foregoing methods to be implemented.
An embodiment of the present application provides a chip, where the chip includes at least one processor, and when the program instructions are executed in the at least one processor, the functions of any one of the first network device, the access network device, and the user equipment in the foregoing methods are implemented.
An embodiment of the present application provides a communication system, which includes the first network device, the user equipment, and the access network device in the foregoing.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (20)

1. A method of communication, comprising:
a first network device receives an encrypted first group list sent by a User Equipment (UE), wherein the first group list comprises identifiers of one or more groups requested to be accessed by the UE;
the first network device decrypts the encrypted first group list to obtain the first group list, the first group list being a list of closed access group (CAG) identifiers;
the first network device determines a subscribed group list stored by a Unified Data Management (UDM) network element;
the first network device determines a second group list according to the first group list and the subscribed group list, wherein the second group list comprises identifiers of groups that the UE is allowed to access;
when the second group list exists, the first network device sends the second group list to the access network device.
2. The method of claim 1, wherein the first network device receives the encrypted first group list sent by the UE, and wherein the method comprises:
the first network equipment receives the encrypted first group list sent by the UE through a non-access stratum (NAS) Security Mode (SM) completion message; or, the first network device receives the encrypted first group list sent by the UE through an uplink NAS message protected by NAS security context.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
when the second group list does not exist, the first network device calculates a message authentication code according to a shared key between the UE and the first network device;
and the first network device sends a registration rejection message to the access network device, wherein the message authentication code is used by the UE to verify the registration rejection message.
4. A method according to any one of claims 1-3, characterized in that the method comprises:
the first network equipment receives a third group list sent by the access network equipment, wherein the third group list comprises the identification of the group supported by the access network equipment;
the determining, by the first network device, of the second group list according to the first group list and the subscribed group list comprises: the first network device determining the second group list according to the first group list, the third group list and the subscribed group list.
5. A method of communication, comprising:
encrypting a first group list by User Equipment (UE) by using a non-access stratum (NAS) security context to obtain an encrypted first group list, wherein the first group list comprises identifications of one or more groups which the UE requests to access;
the UE sends the encrypted first group list.
6. The method of claim 5,
the UE sending the encrypted first group list, comprising: the UE sends the encrypted first group list to the first network equipment through an NAS Security Mode (SM) completion message; or, the UE sends the encrypted first group list through an uplink NAS message protected by NAS security context.
7. The method according to claim 5 or 6, characterized in that it comprises:
the UE receives a registration rejection message sent by a first network device, the registration rejection message including a message authentication code,
and the UE verifies the registration rejection message according to the message authentication code.
8. A method of communication, comprising:
an access network device receives an encrypted first group list sent by a User Equipment (UE), wherein the first group list comprises identifiers of one or more groups that the UE requests to access;
the access network equipment sends the encrypted first group list;
the access network equipment receives a second group list sent by the first network equipment, wherein the second group list comprises identification of one or more groups allowing the UE to access;
the access network equipment sends the QoS (quality of service) information of the one or more groups to the UE.
9. A network device, comprising: a processor and a communication interface;
the communication interface is configured to receive an encrypted first group list sent by a user equipment UE, where the first group list includes identifiers of one or more groups to which the UE requests access;
the processor is configured to decrypt the encrypted first group list to obtain the first group list, the first group list being a list of closed access group (CAG) identifiers;
the processor is further configured to determine a subscribed group list stored by a unified data management (UDM) network element;
the processor is further configured to determine a second group list according to the first group list and the subscribed group list, where the second group list includes an identifier of a group to which the UE is allowed to access;
the communication interface is further configured to send the second group list to the access network device when the second group list exists.
10. The network device of claim 9, wherein the communication interface is configured to receive the encrypted first group list sent by the UE via a non-access stratum, NAS, security mode, SM, complete message.
11. The network device according to claim 9 or 10, wherein
the processor is further configured to, when the second group list does not exist, calculate a message authentication code according to a shared key between the UE and the first network device;
the communication interface is further configured to send a registration rejection message to the access network device, where the message authentication code is used for the UE to authenticate the registration rejection message.
12. The network device of any one of claims 9-11,
the communication interface is further configured to receive a third group list sent by the access network device, where the third group list includes an identifier of a group supported by the access network device;
the processor is configured to determine the second group list according to the first group list, the third group list, and the subscription group list.
13. A user device, comprising: a processor and a communication interface;
the processor is configured to encrypt a first group list using a non-access stratum, NAS, security context to obtain an encrypted first group list, the first group list including an identification of one or more groups to which the UE requests access;
the communication interface is configured to send the encrypted first group list.
14. The user equipment of claim 13,
the communication interface is configured to send the encrypted first group list to the first network device through an NAS security mode SM complete message; or the communication interface is configured to send the encrypted first group list via an upstream NAS message protected by NAS security context.
15. The user equipment according to claim 13 or 14,
the communication interface is further configured to receive a registration rejection message sent by the first network device, the registration rejection message including a message authentication code,
the processor is further configured to validate the registration rejection message based on the message authentication code.
16. An access network device, comprising: a processor and a communication interface;
the communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), wherein the first group list includes identifiers of one or more groups that the UE requests to access;
the communication interface is further configured to send the encrypted first group list;
the communication interface is further configured to receive a second group list sent by the first network device, where the second group list includes an identification of one or more groups to which the UE is allowed to access;
the communications interface is further configured to send quality of service, QoS, information for the one or more groups to the UE.
17. A communication device comprising means for performing the method of any of claims 1 to 8.
18. A computer program storage medium having program instructions which, when executed, cause the method of any one of claims 1 to 8 to be performed.
19. A chip, characterized in that the chip comprises at least one processor, which when program instructions are executed in the at least one processor causes the method according to any one of claims 1 to 8 to be performed.
20. A communication system comprising a network device according to any of claims 9-12, a user equipment according to any of claims 13-15, and an access network device according to claim 16.
CN201910511766.9A 2019-06-13 2019-06-13 Communication method, network equipment, user equipment and access network equipment Pending CN112087724A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910511766.9A CN112087724A (en) 2019-06-13 2019-06-13 Communication method, network equipment, user equipment and access network equipment
PCT/CN2020/076975 WO2020248624A1 (en) 2019-06-13 2020-02-27 Communication method, network device, user equipment and access network device

Publications (1)

Publication Number Publication Date
CN112087724A true CN112087724A (en) 2020-12-15

Family

ID=73733715

Country Status (2)

Country Link
CN (1) CN112087724A (en)
WO (1) WO2020248624A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022147803A1 (en) * 2021-01-08 2022-07-14 华为技术有限公司 Secure communication method and device
CN114785544A (en) * 2022-03-12 2022-07-22 海南电网有限责任公司 Method for improving management plane system safety access service plane system in network system
WO2022174729A1 (en) * 2021-02-20 2022-08-25 华为技术有限公司 Method for protecting identity identification privacy, and communication apparatus
WO2022193220A1 (en) * 2021-03-18 2022-09-22 Zte Corporation Method, device, and system for core network device re-allocation in wireless network
CN115314841A (en) * 2021-05-06 2022-11-08 华为技术有限公司 Communication method and communication device
WO2023040728A1 (en) * 2021-09-14 2023-03-23 华为技术有限公司 Network element selection method, communication apparatus, and communication system
WO2023216961A1 (en) * 2022-05-07 2023-11-16 维沃移动通信有限公司 Privacy protection information processing method and apparatus, and communication device
CN117221884A (en) * 2023-11-08 2023-12-12 深圳简谱技术有限公司 Base station system information management method and system
CN117295138A (en) * 2023-10-17 2023-12-26 泸州卓远液压有限公司 Control method and device for hydraulic equipment cluster
CN114785544B (en) * 2022-03-12 2024-07-02 海南电网有限责任公司 Method for improving safety access service surface system of management surface system in network system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101945390A (en) * 2009-07-08 2011-01-12 华为技术有限公司 Admission control method and device
CN102045648A (en) * 2009-10-15 2011-05-04 中兴通讯股份有限公司 Closed subscriber group white list transmitting method, device and system
CN102056109A (en) * 2010-12-28 2011-05-11 北京握奇数据系统有限公司 Methods for group sending and returning short message services (SMSs) and telecom smart card
US8072953B2 (en) * 2007-04-24 2011-12-06 Interdigital Technology Corporation Wireless communication method and apparatus for performing home Node-B identification and access restriction
US8082000B2 (en) * 2009-05-12 2011-12-20 Motorola Mobility, Inc. Method of selecting a private cell for providing communication to a communication device and a communication device
US9986420B2 (en) * 2014-07-08 2018-05-29 Alcatel-Lucent Usa Inc. Validating cell access mode
CN109716809A (en) * 2016-09-23 2019-05-03 高通股份有限公司 Access stratum safety for efficient packet transaction
CN109788474A (en) * 2017-11-14 2019-05-21 华为技术有限公司 A kind of method and device of message protection

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008152611A1 (en) * 2007-06-15 2008-12-18 Nokia Corporation Apparatus, method and computer program product providing transparent container
CN104469977B (en) * 2014-09-10 2019-01-25 北京佰才邦技术有限公司 Method of mobile communication, device and system
CN110536293A (en) * 2019-08-15 2019-12-03 中兴通讯股份有限公司 The methods, devices and systems of access closure access group

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
3GPP: "3rd Generation Partnership Project;Technical Specification Group Services and System Aspects;Study on security for 5GS enhanced support of Vertical and LAN Services(Release 16)", 《3GPP TR 33.819 V1.0.0》 *
VODAFONE GROUP PLC: "Comments on S3-160007 CR to 33.401 to add NB-IoT keys and processes", 《3GPP TSG-SA3 MEETING #82,S3-160223》 *

Also Published As

Publication number Publication date
WO2020248624A1 (en) 2020-12-17

Similar Documents

Publication Publication Date Title
US20230353379A1 (en) Authentication Mechanism for 5G Technologies
CN108781366B (en) Authentication mechanism for 5G technology
US11856402B2 (en) Identity-based message integrity protection and verification for wireless communication
WO2020248624A1 (en) Communication method, network device, user equipment and access network device
CN110830991B (en) Secure session method and device
US11122428B2 (en) Transmission data protection system, method, and apparatus
CN107018676B (en) Mutual authentication between user equipment and evolved packet core
KR101554396B1 (en) Method and apparatus for binding subscriber authentication and device authentication in communication systems
US9240881B2 (en) Secure communications for computing devices utilizing proximity services
KR101508576B1 (en) Home node-b apparatus and security protocols
JP5480890B2 (en) Control signal encryption method
US11228908B2 (en) Data transmission method and related device and system
JP2023539174A (en) Privacy of relay selection in sliced cellular networks
US11082843B2 (en) Communication method and communications apparatus
CN113518312B (en) Communication method, device and system
CN114245372B (en) Authentication method, device and system
KR20100053407A (en) Method of sharing security information

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20201215)