CN112654043A - Registration method and device - Google Patents

Publication number
CN112654043A
Authority
CN
China
Prior art keywords
amf
initial
target
nas
information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911097204.0A
Other languages
Chinese (zh)
Inventor
邓娟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to PCT/CN2020/117085 (WO2021073382A1)
Publication of CN112654043A
Legal status: Pending

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04W (Wireless communication networks)
    • H04W60/00: Affiliation to network, e.g. registration; terminating affiliation with the network, e.g. de-registration
    • H04W12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W12/08: Access security
    • H04W36/00: Hand-off or reselection arrangements
    • H04W36/0005: Control or signalling for completing the hand-off
    • H04W36/0011: Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0033: Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information

Abstract

The application discloses a registration method and device, comprising the following steps: an initial AMF sends first routing information to a target AMF through a RAN, and after the target AMF receives the first routing information, the target AMF can acquire the UE context, the UE security context, the NAS security context of the UE, and the like from the initial AMF through an SCP. The UE context includes the new NAS security context established between the UE and the initial AMF, so that the target AMF can acquire the new NAS security context; UE registration failure is thereby avoided and registration success is guaranteed.

Description

Registration method and device
Technical Field
The present application relates to the field of wireless communications technologies, and in particular, to a registration method and apparatus.
Background
The registration procedure of a User Equipment (UE) in a fifth-generation mobile communication technology (5th-generation, 5G) system is defined by the 3rd Generation Partnership Project (3GPP). Access and mobility management function (AMF) redirection may be performed during registration.
In general, the user equipment registration procedure may be as follows: the user equipment first sends a registration request to an initial AMF (initial AMF); the initial AMF authenticates the user equipment and obtains the context of the user equipment, including a security context if any; the initial AMF may then initiate a non-access stratum (NAS) security mode control procedure to establish a NAS security context between the user equipment and the initial AMF. If the initial AMF cannot serve the user equipment, the initial AMF may perform NAS redirection (NAS route), that is, the initial AMF obtains information about a target AMF (target AMF) that can serve the user equipment and sends the registration request message received from the user equipment to the target AMF. When the initial AMF cannot transmit the registration request message directly to the target AMF, it transmits the registration request message to the target AMF through the (Radio) Access Network ((R)AN), thereby completing AMF redirection.
However, with the above method, since the NAS security context is already established between the user equipment and the initial AMF, and the target AMF cannot acquire the NAS security context, the user equipment may fail to register and cannot access the network.
Disclosure of Invention
The embodiment of the application provides a registration method and a registration device, which can effectively avoid the situation that UE fails in registration and cannot access a network.
In a first aspect, an embodiment of the present application provides a registration method, including:
the initial AMF determines to perform NAS redirection through an access network device;
the initial AMF sends first routing information, wherein the first routing information is used for indicating a target AMF to acquire relevant information of terminal equipment from the initial AMF;
under the condition that the target AMF receives the first routing information, the initial AMF receives a first service request, and the first service request is used for requesting the relevant information of the terminal equipment;
and the initial AMF sends a response of the first service request, wherein the response of the first service request comprises the relevant information of the terminal equipment.
In a possible implementation manner, the relevant information of the terminal device includes any one or more of the following information: the context of the terminal device, the security context of the terminal device, the NAS security context of the terminal device, or the NAS security context established by the initial AMF and the terminal device.
In a possible implementation manner, the first routing information includes routing information of the initial AMF.
In a possible implementation manner, the first service request includes the first routing information and the identification information of the terminal device.
In one possible implementation manner, the sending, by the initial AMF, of the first routing information to the target AMF includes:
the initial AMF sends the first routing information to the target AMF when any one or more of the following conditions are met:
the initial AMF and the terminal equipment perform security-protected exchange of NAS messages;
the initial AMF and the terminal equipment successfully perform NAS security mode control flow;
the initial AMF and the terminal equipment successfully perform NAS SMC;
the initial AMF and the terminal equipment establish a new NAS security context;
the initial AMF and the terminal equipment successfully perform main authentication;
the initial AMF and the terminal equipment activate NAS security;
the initial AMF receives a horizontal K_AMF derivation indication;
the initial AMF selects a new security algorithm.
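As an added example (not part of the patent and not Huawei's code), the following Python simulation contrasts the failure described in the Background, where the target AMF lacks the new NAS security context after redirection through the (R)AN, with the first aspect's fix, where the rerouted registration carries first routing information naming the initial AMF and the target AMF uses it to fetch the UE's NAS security context through an SCP. The classes Scp, Amf and NasSecurityContext, the HMAC-based integrity tag, the constructed identifiers and the message layout are assumptions of this model; the real Namf service operations, NIA algorithms and key agreement are not reproduced.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class NasSecurityContext:
    """Toy NAS security context established at NAS SMC (assumption: one key
    stands in for K_AMF and the NAS integrity key derived from it)."""
    k_amf: bytes
    ngksi: int

    def mac(self, msg: bytes) -> bytes:
        # Simplified NAS integrity tag: HMAC-SHA256 truncated to 32 bits.
        # Real 5G NAS uses an NIA algorithm keyed with K_NASint.
        return hmac.new(self.k_amf, msg, hashlib.sha256).digest()[:4]


class Scp:
    """Service communication proxy: forwards the first service request to the
    AMF named in the first routing information (assumed field 'initial_amf')."""
    def __init__(self):
        self.amfs = {}

    def forward_context_request(self, routing_info: dict, ue_id: str):
        producer = self.amfs[routing_info["initial_amf"]]
        return producer.handle_context_request(ue_id)


class Amf:
    def __init__(self, name: str, scp: Scp):
        self.name = name
        self.scp = scp
        self.ue_contexts = {}          # ue_id -> NasSecurityContext
        scp.amfs[name] = self

    def nas_smc(self, ue_id: str) -> NasSecurityContext:
        """NAS security mode control: a new NAS security context between UE and
        initial AMF. The same object is returned to the UE because the key
        agreement itself is not modelled here."""
        ctx = NasSecurityContext(k_amf=os.urandom(32), ngksi=1)
        self.ue_contexts[ue_id] = ctx
        return ctx

    def handle_context_request(self, ue_id: str):
        """Response of the first service request: the UE's NAS security context."""
        return self.ue_contexts.get(ue_id)

    def receive_reroute(self, ue_id: str, protected_nas: bytes, routing_info):
        """Target AMF side. If first routing information arrived with the
        rerouted registration, fetch the context from the initial AMF via the
        SCP before checking the UE's integrity-protected NAS message."""
        if routing_info is not None:
            ctx = self.scp.forward_context_request(routing_info, ue_id)
            if ctx is not None:
                self.ue_contexts[ue_id] = ctx
        return self.verify_uplink_nas(ue_id, protected_nas)

    def verify_uplink_nas(self, ue_id: str, protected_nas: bytes) -> bool:
        ctx = self.ue_contexts.get(ue_id)
        if ctx is None:
            return False               # no NAS security context: cannot verify
        body, mac = protected_nas[:-4], protected_nas[-4:]
        return hmac.compare_digest(ctx.mac(body), mac)


def run_registration(send_routing_info: bool) -> bool:
    """True when the target AMF can verify the UE's protected NAS message after
    NAS redirection, False when the registration would fail."""
    scp = Scp()
    initial = Amf("initial-amf", scp)
    target = Amf("target-amf", scp)
    ran = {initial.name: initial, target.name: target}   # (R)AN reaches both AMFs
    ue_id = "ue-0001"                                     # constructed identifier

    ctx = initial.nas_smc(ue_id)                          # new NAS security context
    body = b"registration-request"                        # constructed NAS payload
    protected = body + ctx.mac(body)                      # UE integrity-protects it

    # The initial AMF cannot serve the UE and reroutes through the RAN,
    # attaching the first routing information (its own identity) only
    # when the fix from the first aspect is enabled.
    routing_info = {"initial_amf": initial.name} if send_routing_info else None
    return ran[target.name].receive_reroute(ue_id, protected, routing_info)


if __name__ == "__main__":
    print("without first routing information:", run_registration(False))
    print("with first routing information:   ", run_registration(True))
```

Without the routing information the target AMF has no context for the UE and the integrity check cannot even be attempted, which is the failure mode the Background describes; with it, the context retrieved through the SCP lets the target AMF verify the UE's next NAS message.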
In a second aspect, an embodiment of the present application provides a registration method, including:
under the condition that an initial Access Management Function (AMF) determines that non-access stratum (NAS) redirection is carried out through access network equipment, a target Access Management Function (AMF) receives first routing information, wherein the first routing information is used for indicating the target AMF to acquire relevant information of terminal equipment from the initial AMF;
the target AMF sends a first service request, wherein the first service request is used for requesting relevant information of the terminal equipment;
and the target AMF receives a response of the first service request, wherein the response of the first service request comprises the relevant information of the terminal equipment.
In a third aspect, an embodiment of the present application provides a registration method, including:
the initial AMF determines to perform NAS redirection through an access network device;
the initial AMF sends first information to a communication agent function, wherein the first information comprises relevant information of terminal equipment;
and the initial AMF sends second routing information to a target AMF, wherein the second routing information is used for indicating the target AMF to acquire the relevant information of the terminal equipment from a communication agent function.
In a fourth aspect, an embodiment of the present application provides a registration method, including:
under the condition that the initial AMF determines that non-access stratum (NAS) redirection is carried out through the access network equipment, the target AMF receives second routing information;
the target AMF sends a second service request to a communication agent function according to the second routing information, wherein the second service request is used for requesting the relevant information of the terminal equipment, and the relevant information of the terminal equipment is stored in the communication agent function;
and the target AMF receives a response to the second service request sent by the communication agent function, wherein the response to the second service request comprises the relevant information of the terminal equipment.
In a fifth aspect, an embodiment of the present application provides a registration method, including:
the initial AMF determines to perform NAS redirection through an access network device;
the initial AMF sends second information to a communication agent function, the second information comprises related information of terminal equipment and third routing information, the third routing information comprises routing information of a target AMF, and the second information is used for indicating the communication agent function to send the related information of the terminal equipment to the target AMF.
In a sixth aspect, an embodiment of the present application provides a registration method, including:
under the condition that the initial AMF determines that non-access stratum (NAS) redirection is carried out through the access network equipment, the target access and mobility management function (AMF) receives second information sent by the communication agent function, wherein the second information comprises the relevant information of the terminal equipment and third routing information, the third routing information comprises the routing information of the target AMF, and the second information is used for indicating the communication agent function to send the relevant information of the terminal equipment to the target AMF.
In a seventh aspect, an embodiment of the present application provides an apparatus for registration, including a processor coupled with a transceiver, the processor being configured to perform the corresponding method according to any one of the first to sixth aspects, and the transceiver being configured to perform the corresponding method according to any one of the first to sixth aspects.
In an eighth aspect, an embodiment of the present application provides an apparatus for registration, including a processor, a memory and a transceiver, where the memory is configured to store computer-executable instructions, and the processor is configured to execute the computer-executable instructions stored in the memory, so as to cause the apparatus to perform the corresponding method according to any one of the first aspect to the sixth aspect.
In a ninth aspect, the present application provides a computer-readable storage medium for storing instructions that, when executed, cause the method according to any one of the first to sixth aspects to be implemented.
In a tenth aspect, an embodiment of the present application provides a computer program product, which includes instructions that, when executed, cause the method according to any one of the first to sixth aspects to be implemented.
Drawings
Fig. 1 is a schematic diagram of a network architecture provided in an embodiment of the present application;
fig. 2 is a schematic flowchart of a registration method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a registration method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of a registration method according to an embodiment of the present application;
fig. 5 is a schematic flowchart of a registration method according to an embodiment of the present application;
fig. 6 is a schematic flowchart of a registration method according to an embodiment of the present application;
fig. 7 is a schematic flowchart of a registration method according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an apparatus for registration according to an embodiment of the present application.
Detailed Description
The terms "first," "second," "third," and "fourth," etc. in the description and claims of this application and in the accompanying drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
"plurality" means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The registration method provided by the present application may be applied to various communication systems, such as a Long Term Evolution (LTE) system, a fifth generation (5G) communication system, a mixed architecture system of LTE and 5G, a New Radio (NR) system of 5G, and a new communication system appearing in future communication development, such as a 6G system.
The terminology involved in the embodiments of the present application will be described below by way of example with reference to fig. 1.
Fig. 1 is a schematic diagram of a network architecture provided in an embodiment of the present application, where the respective parts involved in fig. 1 are as follows:
The terminal device 110 may also be referred to as a User Equipment (UE), a terminal, and the like. The terminal device is a device having a wireless transceiving function and can communicate with one or more Core Networks (CN) via an access network device in a (radio) access network (R)AN 120. It can be deployed on land, including indoors or outdoors, hand-held, worn, or vehicle-mounted; on the water surface, such as on a ship; or in the air, such as on an airplane, balloon, or satellite. The terminal device may be a mobile phone, a tablet computer (Pad), a computer with a wireless transceiving function, a Virtual Reality (VR) terminal device, an Augmented Reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, and so on.
A (radio) access network (R)AN 120 provides network access for authorized user equipment in a specific area and can use transmission tunnels of different quality according to the level of the user equipment, the service requirement, and the like. For example, the (R)AN may manage radio resources, provide access services for the user equipment, and forward control information and/or data information between the user equipment and the Core Network (CN). The access network device in the embodiment of the present application is a device that provides a wireless communication function for a terminal device and may also be referred to as a network device. The access network device may include: a next generation node B (gNB) in a 5G system, an evolved node B (eNB) in Long Term Evolution (LTE), a Radio Network Controller (RNC), a Node B (NB), a Base Station Controller (BSC), a Base Transceiver Station (BTS), a home base station (e.g., home evolved node B or home node B, HNB), a Base Band Unit (BBU), a transmission reception point (TRP), a transmission point (TP), small base station equipment (pico), a mobile switching center, or network equipment in a future network. It is understood that the embodiment of the present application does not limit the specific type of the access network device. In systems with different radio access technologies, the names of the devices that function as access network devices may differ.
A User Plane Function (UPF) network function 130, which is used for packet routing and forwarding, quality of service (QoS) processing of user plane data, and the like.
A Data Network (DN) network function 140 for providing a network for transmitting data.
An access and mobility management function (AMF) network function 150 is mainly used for mobility management, access management, and the like, and may also implement the functions of a Mobility Management Entity (MME) other than session management, such as lawful interception and access authorization/authentication. Hereinafter the AMF network function is referred to as the AMF. In the embodiment of the present application, the AMF may include an initial AMF (initial AMF), an original AMF (old AMF), and a target AMF (target AMF). For example, the initial AMF may be understood as the first AMF in the registration procedure to process the UE registration request; it is selected by the (R)AN but may not be able to serve the UE. The original AMF may be understood as the AMF that served the UE the last time the UE registered with the network, and the target AMF as the AMF that serves the UE after re-registration.
The Session Management Function (SMF) 160 is mainly used for session management, allocation and management of the Internet Protocol (IP) address of a user equipment, selection of a user plane function and of the termination point of the interface to the policy control and charging function, and downlink data notification.
The policy control network function 170, such as a Policy Control Function (PCF), provides a unified policy framework for guiding network behavior and provides policy rule information for control plane functions (e.g., the AMF and SMF network functions), and the like.
An authentication server function (AUSF) 180, configured to authenticate a service, generate a key, implement bidirectional authentication on a user equipment, and support a unified authentication framework.
The Unified Data Management (UDM) network function 190 may be configured to handle UE identities, access authentication, registration, mobility management, and the like. Hereinafter the UDM network function is referred to as the UDM.
An Application Function (AF) 1100 is configured to perform application-influenced data routing, access the network exposure function, perform policy control by interacting with the policy framework, and the like.
A Network Slice Selection Function (NSSF) may be used to determine a network slice instance, select an AMF network function, and so on.
Network storage network functions, such as the Network Repository Function (NRF), may be used to maintain real-time information about all network function services in the network.
The communication agent function is a network function or network entity that can communicate with all AMFs in a Public Land Mobile Network (PLMN). Specifically, the communication proxy function may be any network function defined in the 5G standard that can communicate with all AMFs in the PLMN, such as a service communication proxy (SCP or SeCoP), NSSF, NRF, UDSF, UDR, AUSF, UDM, or the like, or it may be an additional network function or network entity; the communication proxy function is not limited in this embodiment of the present application. For convenience of description, the SCP is taken as the example in the embodiments of the present application. The SCP may provide indirect communication, delegated discovery, message addressing and forwarding to a target network function/network service, communication security, and the like.
The mobility management network function in the embodiment of the present application may be the AMF network function 150 shown in fig. 1, or may be another network function having the AMF network function 150 in a future communication system. Alternatively, the mobility management network function in the present application may also be a Mobility Management Entity (MME) in Long Term Evolution (LTE), and the like.
For convenience of description, in the embodiment of the present application, the mobility management network function is taken as the AMF network function 150 as an example for description. Further, the AMF network function 150 is abbreviated as AMF, and the terminal device 110 is referred to as UE, that is, the AMF described later in this embodiment of the present application may be replaced by a mobility management network function, and the UE may be replaced by the terminal device.
A network architecture (for example, a 5G network architecture) shown in fig. 1 adopts a service-based architecture, a conventional network element function (or network function) is split into a plurality of network function service modules that are self-contained, self-managed, and reusable based on a Network Function Virtualization (NFV) technology, and a customized network function reconfiguration can be realized by flexibly defining a service module set, and a service flow is formed externally through a uniform service call interface. The network architecture diagram shown in fig. 1 can be understood as a service-based 5G network architecture diagram in a non-roaming scenario. For roaming scenarios, the embodiments of the present application are also applicable.
It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to be limiting. The network function or function may be a network element in a hardware device, a software function running on dedicated hardware, or a virtualization function instantiated on a platform (e.g., a cloud platform).
Fig. 2 is a flowchart illustrating a registration method according to an embodiment of the present application, where the registration method is applicable to the network architecture shown in fig. 1, and as shown in fig. 2, the registration method includes:
201. The UE sends a Registration Request (RR) message to an initial AMF (initial AMF), where the RR message includes a subscription concealed identifier (SUCI) or a 5G globally unique temporary identifier (5G-GUTI). The initial AMF receives the RR message.
For example, if there is no Non Access Stratum (NAS) security context in the UE, the RR message includes the SUCI and plaintext IEs. The plaintext IEs do not include the network slice selection assistance information requested by the UE (requested NSSAI).
For another example, if there is a NAS security context in the UE, the RR message may include the 5G-GUTI, plaintext IEs, and a NAS container. The NAS container includes the ciphered complete RR message, which includes the requested NSSAI. The UE integrity-protects the RR message.
It should be understood that the NAS security context is the NAS security context established between the UE and the original AMF the last time the UE was registered to the network.
It is understood that when 5G-GUTI is included in the RR message, the registration method further includes the operations shown in 202 and 203; when SUCI is included in the RR message, the registration method does not include the operations shown in 202 and 203.
202. The initial AMF calls or requests a first service operation (e.g., referred to as the Namf_Communication_UEContextTransfer service operation) provided by the original AMF (old AMF), which may be used to request the UE context. The Namf_Communication_UEContextTransfer request includes the RR message received by the initial AMF.
It should be understood that, in the embodiments of the present application, "the UE sends the RR message to the initial AMF" means that the UE sends the RR message to the (R)AN and the (R)AN then sends the RR message to the initial AMF. Since the (R)AN only transparently forwards the message in this step, the embodiments and/or the drawings may simply describe the UE as sending the RR message to the initial AMF.
In the embodiment of the present application, invoking a certain service operation provided by a certain network function may also be understood as requesting the certain service operation provided by the network function. Receiving a call of the certain service operation may also be understood as receiving a request of the certain service operation.
203. The original AMF receives the call or request for the service operation requesting the UE context and verifies the integrity of the RR message included in the received service operation request. If the integrity of the RR message is verified successfully, the original AMF sends a Namf_Communication_UEContextTransfer Response (i.e., the response to the first service operation) to the initial AMF, where the response carries the UE context, including the UE security context.
Optionally, the UE security context includes any one or more of the following:
the AMF key (K_AMF) and the 5G key set identifier (ngKSI);
a downlink NAS count (downlink NAS COUNT) and an uplink NAS count (uplink NAS COUNT);
the security algorithms, i.e., the integrity protection algorithm and the ciphering algorithm selected by the original AMF for use between the UE and the original AMF;
the UE security capabilities, i.e., the set of identifiers of the ciphering algorithms and integrity protection algorithms implemented on the UE;
a horizontal K_AMF derivation indication (KeyAMFHDerivationInd); the KeyAMFHDerivationInd indication is used to indicate that the K_AMF was generated through horizontal K_AMF derivation.
It should be understood that in the present application, the original AMF should determine, based on local policy, whether to perform horizontal K_AMF derivation. If the original AMF does not perform horizontal K_AMF derivation according to the local policy, the original AMF should include the K_AMF shared between the UE and the original AMF in the Namf_Communication_UEContextTransfer Response. In this application, the K_AMF used between the UE and the original AMF is called the old K_AMF. If the original AMF performs horizontal K_AMF derivation according to the local policy, the original AMF uses the old K_AMF as the input key and a parameter such as the NAS COUNT as an input parameter to generate a new K_AMF; the new key is referred to herein as the horizontally derived K_AMF. In that case the original AMF should include the horizontally derived K_AMF and the KeyAMFHDerivationInd in the Namf_Communication_UEContextTransfer Response.
204. The initial AMF initiates a primary authentication flow.
For example, if the SUCI is included in the RR message, the initial AMF initiates primary authentication (authentication and key agreement).
For another example, the RR message includes 5G-GUTI, and if the initial AMF fails to acquire the UE context from the original AMF, the initial AMF initiates the primary authentication. For another example, if 5G-GUTI is included in the RR message and the initial AMF succeeds in acquiring the UE context, the initial AMF may determine whether to perform primary authentication according to the local policy.
205. The initial AMF sends a non-access stratum security mode command (NAS SMC) message to the UE, wherein the NAS SMC message can be used for establishing NAS security context between the UE and the initial AMF, and the NAS SMC message has integrity protection.
Optionally, the case that the initial AMF sends the NAS SMC message includes:
a) the initial AMF receives the old K_AMF from the original AMF and decides, according to local policy, to use the received old K_AMF but not the received security algorithms, instead selecting security algorithms different from the received ones;
b) the initial AMF receives the horizontally derived K_AMF and a KeyAMFHDerivationInd from the original AMF, and decides, according to local policy, to use the horizontally derived K_AMF received from the original AMF;
c) The initial AMF and the UE are subjected to main authentication.
Optionally, the NAS SMC message may include indication information for instructing the UE to send a complete initial NAS message.
In the case that the initial AMF receives a horizontal K_AMF derivation indication (KeyAMFHDerivationInd) from the original AMF, the initial AMF may include a K_AMF_change_flag indication with its value set to 1 in the NAS SMC message.
206. And the UE receives the NAS SMC message and verifies the integrity of the NAS SMC message. And in case of successful verification, sending a non access stratum security mode complete (NAS SMP) message to the initial AMF. The initial AMF receives the NAS SMP message.
If the UE receives a K_AMF_change_flag with value 1 in the NAS SMC message, the UE first performs horizontal K_AMF derivation to generate the horizontally derived K_AMF and, from it, the NAS ciphering key and NAS integrity protection key (referred to as the NAS keys). The UE then verifies the integrity of the NAS SMC message using the generated NAS integrity protection key.
If the UE receives the indication information indicating that the UE sends the complete initial NAS message in the NAS SMC message, the UE carries the complete initial NAS message (i.e., RR message) in the NAS SMP message, and the complete RR message includes the requested NSSAI.
After the UE and the initial AMF successfully complete the NAS security mode control procedure (i.e. including 205 and 206), a NAS security context is established between the UE and the initial AMF, which is referred to as a new NAS security context in this application. This new NAS security context is not the same as the NAS security context established between the UE and the old AMF (referred to as the old NAS security context in this application).
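As an added illustration of steps 205 and 206 (this is not code from the patent), the following Python models the UE side of NAS SMC handling: if K_AMF_change_flag is 1 the UE first derives the horizontal K_AMF, then derives the NAS integrity key and only then verifies the message, and afterwards accepts only NAS messages protected with the new context. The KDF shape and the FC/P0 constants follow my reading of TS 33.501 Annex A; the page does not specify them, so treat them as the example's assumptions. The NAS-MAC is HMAC-SHA-256 truncated to 32 bits, a stand-in for a real NAS integrity algorithm, and all keys and counters are constructed sample values.

```python
"""UE-side handling of the NAS Security Mode Command (steps 205/206).

Added illustration, not code from the patent. KDF constants model TS 33.501
Annex A (assumption); the NAS-MAC is an HMAC-SHA-256 stand-in; keys and
counters are constructed sample values.
"""
import hashlib
import hmac
import struct


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def horizontal_kamf_derivation(k_amf: bytes, ul_nas_count: int) -> bytes:
    """K_AMF -> K_AMF' (modelled on Annex A.13: FC 0x72, P0 = 0x01, P1 = uplink NAS COUNT)."""
    return kdf(k_amf, 0x72, b"\x01", struct.pack(">I", ul_nas_count))


def nas_integrity_key(k_amf: bytes, alg_id: int) -> bytes:
    """NAS integrity key (modelled on Annex A.8: FC 0x69, P0 = 0x02, P1 = algorithm id); low 128 bits."""
    return kdf(k_amf, 0x69, b"\x02", bytes([alg_id]))[16:]


def nas_mac(k_int: bytes, nas_count: int, body: bytes) -> bytes:
    """Stand-in NAS-MAC over COUNT || body, truncated to 32 bits like a real NAS-MAC."""
    return hmac.new(k_int, struct.pack(">I", nas_count) + body, hashlib.sha256).digest()[:4]


def amf_build_nas_smc(k_amf: bytes, alg_id: int, k_amf_change_flag: int, dl_nas_count: int) -> dict:
    """Initial AMF side of step 205. k_amf is the key the initial AMF will use: the
    horizontally derived K_AMF received from the original AMF when the flag is 1."""
    body = bytes([alg_id, k_amf_change_flag])  # selected integrity algorithm, K_AMF_change_flag
    mac = nas_mac(nas_integrity_key(k_amf, alg_id), dl_nas_count, body)
    return {"body": body, "mac": mac, "count": dl_nas_count}


def ue_handle_nas_smc(smc: dict, k_amf_old: bytes, ul_nas_count: int):
    """UE side of step 206: derive K_AMF' first if K_AMF_change_flag == 1, then verify the MAC.
    Returns the K_AMF of the new NAS security context, or None when integrity verification
    fails (no NAS SMP is sent in that case)."""
    alg_id, flag = smc["body"][0], smc["body"][1]
    k = horizontal_kamf_derivation(k_amf_old, ul_nas_count) if flag == 1 else k_amf_old
    expected = nas_mac(nas_integrity_key(k, alg_id), smc["count"], smc["body"])
    if not hmac.compare_digest(expected, smc["mac"]):
        return None
    return k


def ue_verify_later_nas(msg: dict, k_amf_in_use: bytes, alg_id: int) -> bool:
    """After NAS SMC the UE accepts only messages protected with the new context."""
    expected = nas_mac(nas_integrity_key(k_amf_in_use, alg_id), msg["count"], msg["body"])
    return hmac.compare_digest(expected, msg["mac"])


# --- constructed sample run ----------------------------------------------
K_AMF_OLD = bytes(range(32))   # constructed: K_AMF of the old NAS security context
UL_NAS_COUNT = 7               # constructed uplink NAS COUNT used for the derivation
NIA = 2                        # selected NAS integrity algorithm identifier (sample)


def demo():
    # The original AMF derived K_AMF' horizontally and passed it with keyAmfHDerivationInd,
    # so the initial AMF sets K_AMF_change_flag = 1 in the NAS SMC.
    k_amf_new = horizontal_kamf_derivation(K_AMF_OLD, UL_NAS_COUNT)
    smc = amf_build_nas_smc(k_amf_new, NIA, 1, dl_nas_count=0)
    k_ue = ue_handle_nas_smc(smc, K_AMF_OLD, UL_NAS_COUNT)
    # A target AMF holding only the old context (obtained from the original AMF) cannot
    # produce a message the UE will accept: the registration failure the text describes.
    stale = {"body": b"\x01", "count": 1,
             "mac": nas_mac(nas_integrity_key(K_AMF_OLD, NIA), 1, b"\x01")}
    fresh = {"body": b"\x01", "count": 1,
             "mac": nas_mac(nas_integrity_key(k_amf_new, NIA), 1, b"\x01")}
    return (k_ue == k_amf_new,
            ue_verify_later_nas(stale, k_ue, NIA),
            ue_verify_later_nas(fresh, k_ue, NIA))


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The order inside ue_handle_nas_smc is the point: the UE cannot verify the NAS SMC with the old integrity key once the flag is set, so derivation has to precede verification, and from then on the old context (which is all a target AMF has if it only fetched the UE context from the original AMF) no longer produces acceptable messages.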
207. In the case that the initial AMF needs to determine, according to the subscription information of the UE, whether to perform NAS redirection (NAS reroute), and the original AMF did not provide the network slice selection subscription information of the UE, the initial AMF invokes a second service operation provided by the UDM (referred to as the Nudm_SDM_Get service operation) to request the network slice selection subscription data of the UE. The UDM sends a response to the second service operation (e.g., called Nudm_SDM_Get Response) in response to the invocation by the initial AMF.
It should be understood that NAS redirection, AMF redirection and NAS reroute denote the same flow in this application and may be used interchangeably.
208. In the event that the initial AMF is unable to serve some or all of the requested S-NSSAI(s), the initial AMF invokes a third service operation provided by the NSSF (e.g., referred to as the Nnssf_NSSelection_Get service operation). The NSSF returns a response (e.g., called Nnssf_NSSelection_Get Response) to the third service operation, carrying in the response an AMF set or a list of addresses of AMFs that can serve the requested S-NSSAI(s).
209. The initial AMF determines to perform NAS redirection (otherwise known as NAS reroute). The initial AMF calls a fourth service operation of the original AMF (called the Namf_Communication_RegistrationStatusUpdate service operation) to notify the original AMF that the registration of the UE at the initial AMF fails. The original AMF shall treat the service operation requesting the UE context, sent by the initial AMF in step 2, as never having been received.
210. In the case where the initial AMF determines to perform NAS redirection and the initial AMF does not have the address of the target AMF, the initial AMF calls a fifth service operation of the NRF (referred to as the Nnrf_NFDiscovery_Request service operation), which is used to obtain the address of the target AMF. The NRF sends a response to the fifth service operation that includes the address of the target AMF.
211. In the case that the initial AMF determines, according to the local policy and the subscription information, to redirect the NAS message to the target AMF through the (R)AN (i.e., NAS reroute via (R)AN), the initial AMF sends a reroute NAS message to the RAN. The reroute NAS message includes the complete RR message.
Optionally, the reroute NAS message may further include information provided by the NSSF. The RAN sends an initial UE message to the target AMF. The initial UE message includes the complete RR message and the information provided by the NSSF. The information provided by the NSSF may be used to indicate that a NAS reroute due to slicing has occurred.
Optionally, the initial AMF may instead determine, according to the local policy and the subscription information, to send the NAS message (i.e., the RR message) directly to the target AMF (i.e., direct NAS reroute). In that case the initial AMF invokes the N1 message notify service operation provided by the target AMF (Namf_Communication_N1MessageNotify) and carries the complete registration request message and the UE context in it, where the UE context includes the UE security context.
It is understood that the registration method described above is merely an example; in a specific implementation, other steps may be included, or each message or piece of information shown above may have other names, and the like.
In the flow diagram of the registration method shown in fig. 2, after the initial AMF determines that NAS redirection is initiated by the RAN, and before the NAS redirection, since security interaction of NAS messages is performed between the initial AMF and the UE (or NAS SMC flow is successfully performed between the initial AMF and the UE), that is, a new NAS security context is established between the UE and the initial AMF, the UE only receives NAS messages protected based on the new NAS security context. Further, after receiving the RR message in the initial UE message, the target AMF does not have the new NAS security context, so the NAS message sent by the target AMF to the UE is not protected by using the new NAS security context, which may eventually result in a registration failure.
It should be understood that, in the present application, the security interaction of the NAS message by the initial AMF and the UE, the NAS SMC flow successfully performed between the initial AMF and the UE, the NAS security activated by the initial AMF and the UE, the NAS security mode control flow successfully performed between the initial AMF and the UE, the ciphering and integrity protection activated by the initial AMF and the UE, the NAS security context established between the initial AMF and the UE, the new NAS security context established between the initial AMF and the UE, the NAS security activated by the UE, and the NAS ciphering and NAS integrity protection activated by the UE may indicate the same meaning and may be used interchangeably. The NAS security mode control flow may be the flow of step 205 and step 206 shown in fig. 2.
The embodiment of the application provides a registration method, which is used for solving the problem of registration failure. The following describes a registration method provided in an embodiment of the present application with reference to the drawings.
Fig. 3 is a schematic flowchart of a registration method provided in an embodiment of the present application, and as shown in fig. 3, the registration method includes:
It is understood that, for the specific implementation of 301 to 310 in fig. 3, reference may be made to the description of 201 to 210 in the foregoing embodiment (i.e., the registration method shown in fig. 2); details are not repeated here.
311. The initial AMF determines to redirect the NAS message to the target AMF (i.e. NAS route via (R) AN) through the (R) AN; the initial AMF sends the first routing information to the target AMF through the (R) AN, for example, the initial AMF sends the first routing information to the (R) AN, and the (R) AN receives the first routing information sent by the initial AMF.
In this embodiment of the application, the first routing information is used to instruct the target AMF to obtain the UE context or the security context of the UE or the NAS security context of the UE from the initial AMF or the NAS security context established by the initial AMF and the UE.
Optionally, the first routing information is further used to indicate any one or more of the following:
the target AMF acquires the UE context or the security context of the UE or the NAS security context established by the initial AMF and the UE from the initial AMF through a Service Communication Proxy (SCP);
the initial AMF and the UE perform the safety interaction of the NAS message;
the initial AMF and the UE successfully perform main authentication;
the initial AMF receives a horizontal K_AMF derivation indication (keyAmfHDerivationInd);
the initial AMF selects a security algorithm different from the security algorithm received from the original AMF;
as AN example, the initial AMF may determine to send the NAS message to the target AMF through the (R) AN according to the local policy and subscription information.
Illustratively, the initial AMF sends a reroute NAS message to the (R)AN, the reroute NAS message including the first routing information, and the (R)AN receives the reroute NAS message.
Optionally, the first routing information may include any one or more of the following: routing information of the initial AMF, routing information of the UE context, routing information of the UE security context, routing information of the UE NAS security context, routing information of a new NAS security context of the UE, routing information of a current security context, routing information of a service request for requesting the UE security context, routing information of a service request for requesting the UE NAS security context, routing information for requesting the current security context, routing information of a new NAS security context for requesting the UE. For example, the first routing information may include any one or more of: an end point address (end point address) of the initial AMF, an Internet Protocol (IP) address of the initial AMF, an instance Identifier (instance ID) of the initial AMF, an AMF set Identifier (AMF set ID) of the initial AMF, a Globally Unique AMF Identifier (GUAMI) of the initial AMF, a service instance Identifier (service instance ID) for UE context provided by the initial AMF, a service instance set Identifier (service ID) of the initial AMF, a first 5G-GUTI and the like. The first 5G-GUTI may be a 5G-GUTI allocated by the initial AMF for the UE. It is understood that the first routing information may also include other information that can be used to address the initial AMF, or the UE context, or the security context of the UE, or the NAS security context established by the initial AMF and the UE, or the current security context, which is not limited in this application.
Optionally, the initial AMF may determine whether to send the first routing information to the target AMF through the (R) AN by some conditions. For example, when the initial AMF determines that any one or more of the following conditions are satisfied, the initial AMF sends the first routing information to the target AMF through the (R) AN:
the initial AMF and the UE perform the safety interaction of the NAS message;
the initial AMF and the UE successfully perform the NAS security mode control flow;
the initial AMF and the UE successfully perform NAS SMC;
the initial AMF and the UE establish a new NAS security context;
the initial AMF and the UE successfully perform main authentication;
the initial AMF and the UE activate NAS security;
the initial AMF receives a horizontal K_AMF derivation indication (keyAmfHDerivationInd);
the initial AMF selects a new security algorithm.
Optionally, the initial AMF allocates a 5G-GUTI to the UE.
Optionally, the initial AMF sends the first 5G-GUTI to the target AMF through the (R)AN: if the initial AMF includes the first 5G-GUTI in the registration request message, the initial AMF sends a reroute NAS message to the (R)AN, where the reroute NAS message includes the registration request message carrying the first 5G-GUTI.
312. The (R) AN sends the received first routing information to a target AMF, and the target AMF receives the first routing information sent by the (R) AN.
For example, the (R)AN receives a reroute NAS message including the first routing information sent by the initial AMF, and the (R)AN sends an initial UE message including the first routing information to the target AMF. The target AMF receives the initial UE message.
For example, the (R)AN receives a reroute NAS message sent by the initial AMF, where the reroute NAS message includes a registration request message carrying the first 5G-GUTI, and the (R)AN sends an initial UE message to the target AMF, where the initial UE message includes the registration request message carrying the first 5G-GUTI.
313. The target AMF sends a first service request to a Service Communication Proxy (SCP) according to the first routing information, and the SCP receives the first service request sent by the target AMF.
It should be understood that in the present application, a network function a invoking a service operation of another network function B, a network function a requesting a service from another network function B, and a network function a requesting a service operation of another network function B all mean the same, and may be used interchangeably.
In this embodiment of the application, the first service request may be used to request a UE context or a security context of the UE or a NAS security context established by an initial AMF and the UE or a current UE context or a new NAS security context of the UE.
Optionally, the first service request may include the received first routing information and the identification information of the UE.
Optionally, the first service request may include the first 5G-GUTI carried in the received registration request.
Optionally, the first service request may include the first 5G-GUTI and the routing information of the initial AMF, which are carried in the received registration request. The routing information of the initial AMF is the routing information of the initial AMF determined by the target AMF according to the received first 5G-GUTI, such as including an AMF set identifier (AMF set ID) of the initial AMF or a globally Unique AMF identifier (GUAMI) of the initial AMF.
Since the route NAS message may include the RR message, the UE identification information included in the first service request may include the UE identification in the RR message received by the target AMF. The identity information of the UE may be SUPI, or 5G-GUTI, or SUCI.
Optionally, before step 313 and after step 312, the registration method shown in fig. 3 further includes:
317. The target AMF acquires the UE context, or the security context of the UE, or the NAS security context of the UE, or the security context established between the UE and the original AMF, from the original AMF. For example, the target AMF can request the UE context from the original AMF through Namf_Communication_UEContextTransfer, and the original AMF can send the UE context, or the security context of the UE, or the NAS security context of the UE, or the security context established between the UE and the original AMF, to the target AMF in the Namf_Communication_UEContextTransfer response.
In the case that the target AMF acquires the UE context, or the security context of the UE, or the NAS security context of the UE, or the security context established between the UE and the original AMF from the original AMF, the UE identification information included in the first service request may further include a UE identification contained in the UE context acquired by the target AMF from the original AMF. For example, the identity of the UE may be SUPI, or 5G-GUTI, or SUCI.
314. The SCP sends the first service request to an initial AMF, which receives the first service request sent by the SCP.
It should be understood that, in this embodiment of the present application, after receiving the first service request, the SCP may send the first service request to the initial AMF according to the first routing information included in the first service request. For example, the first routing information may include routing information of the initial AMF, so that the SCP can effectively know to which AMF to request UE context or security context of the UE or NAS security context of the UE.
For example, after the SCP receives the first service request, the SCP may find the initial AMF according to the received first routing information, and send the first service request to the initial AMF.
For example, after the SCP receives the first service request, the SCP may find the initial AMF according to the received first 5G-GUTI, and the first service request is sent to the initial AMF.
For example, after the SCP receives the first service request, the SCP may find the initial AMF according to the received routing information of the initial AMF, and the first service request is sent to the initial AMF.
315. The initial AMF sends a response of the first service request to the SCP, wherein the response of the first service request comprises UE context, UE security context, NAS security context of the UE, NAS security context established by the initial AMF and the UE, or current security context. The SCP receives a response to the first service request sent by the initial AMF.
For example, the initial AMF obtains, according to the received identification information of the UE, a UE context, or a UE security context, or a NAS security context of the UE, or a NAS security context established by the initial AMF and the UE, or a current security context corresponding to the identification information, and sends a response of the first service request to the SCP, where the response of the first service request includes the UE context, or the UE security context, or the NAS security context of the UE, or the NAS security context established by the initial AMF and the UE, or the current security context.
It can be appreciated that when the first service request is for requesting a UE context, the UE context may be included in a response of the first service request; when the first service request is used for requesting the security context of the UE, the response of the first service request may include the UE security context; when the first service request is used for requesting the NAS security context of the UE, the response of the first service request may include the NAS security context of the UE; when the first service request is used for requesting the NAS security context established between the initial AMF and the UE, the response of the first service request may include the NAS security context established between the initial AMF and the UE. When the first service request is used to request an initial current security context, the current security context may be included in a response of the first service request.
As a possible implementation, before the initial AMF sends the response of the first service request to the SCP, the initial AMF decides whether to perform horizontal K_AMF deduction. It will be appreciated that in the present application, horizontal K_AMF deduction and horizontal K_AMF derivation have the same meaning and may be used interchangeably.
If the initial AMF decides not to perform horizontal K_AMF deduction, the initial AMF sends the current security context, including the current K_AMF, to the target AMF or SCP. It should be understood that in the present application, the initial AMF sending the current security context to the target AMF means that the initial AMF sends the current security context to the target AMF through the SCP.
If the initial AMF decides to perform horizontal K_AMF deduction, the initial AMF generates a new K_AMF, or a new security context or new NAS security context, based on the current K_AMF; the initial AMF sends the new K_AMF, or the new security context or new NAS security context, to the target AMF or SCP, and the initial AMF sends a horizontal K_AMF deduction indication to the target AMF. The horizontal K_AMF deduction indication may be referred to as keyAmfHDerivationInd.
Optionally, the response to the first service request includes the current security context, or the new K_AMF or new security context together with the horizontal K_AMF deduction indication. Alternatively, the initial AMF may send the security context of the UE (the current security context, or the new K_AMF or new security context together with the horizontal K_AMF deduction indication) to the target AMF or SCP via a message other than the response of the first service request described above; the present application does not limit the specific manner in which the initial AMF sends the security context of the UE to the target AMF.
The initial AMF decides whether to perform horizontal K_AMF deduction in any one of three ways:
The first way: the initial AMF does not perform horizontal K_AMF deduction, i.e., the initial AMF sends the current security context to the target AMF;
The second way: the initial AMF determines according to a local policy whether to perform horizontal K_AMF deduction, i.e., the initial AMF performs horizontal K_AMF deduction according to the local policy determination, or the initial AMF does not perform horizontal K_AMF deduction according to the local policy determination;
The third way: the initial AMF determines according to a fourth preset condition whether to perform horizontal K_AMF deduction. If the initial AMF determines that the fourth preset condition is met, the initial AMF does not perform horizontal K_AMF deduction, i.e., the initial AMF sends the current security context to the target AMF; if the initial AMF determines that the fourth preset condition is not met, the initial AMF determines according to a local policy whether to perform horizontal K_AMF deduction, i.e., the initial AMF performs horizontal K_AMF deduction according to the local policy determination, or does not perform it according to the local policy determination. The fourth preset condition is any one or more of the following conditions:
security interaction of NAS messages is performed between the initial AMF and the UE; NAS SMC is successfully performed between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm different from the security algorithm selected by the original AMF; the initial AMF uses the horizontally derived K_AMF received from the original AMF; the initial AMF receives a horizontal K_AMF deduction indication from the original AMF and decides to use the K_AMF received from the original AMF.
316. The SCP sends the received UE context, or the security context of the UE, or the NAS security context established by the initial AMF and the UE, or the current security context to the target AMF, and the target AMF receives the UE context, or the UE security context, or the NAS security context established by the initial AMF and the UE, or the current security context sent by the SCP.
It can be understood that when the SCP sends the UE context to the target AMF, the target AMF may receive the UE context sent by the SCP; when the SCP sends the UE security context to the target AMF, the target AMF can receive the UE security context sent by the SCP; when the SCP sends the NAS security context of the UE to the target AMF, the target AMF can receive the NAS security context of the UE sent by the SCP; when the SCP sends the NAS security context established by the initial AMF and the UE to the target AMF, the target AMF can receive the NAS security context established by the initial AMF and the UE sent by the SCP. When the SCP sends the current security context to the target AMF, the target AMF may receive the current security context sent by the SCP.
For example, the SCP, after receiving the response of the first service request including the UE context, or the security context of the UE, or the NAS security context established by the initial AMF and the UE, or the current security context, may send the received UE context, or the UE security context, or the NAS security context of the UE, or the NAS security context established by the initial AMF and the UE, or the current context to the target AMF in the response of the first service request. That is, the SCP may send a response of the first service request to the target AMF, where the response of the first service request includes the UE context, or the security context of the UE, or the NAS security context established by the initial AMF and the UE, or the current security context.
Optionally, after receiving the first service request, the initial AMF may further determine, according to a local policy or local configuration, whether to initiate horizontal K_AMF derivation. If it determines to initiate horizontal K_AMF derivation, the initial AMF performs horizontal K_AMF derivation to form a new K_AMF, and sends the new K_AMF and a horizontal K_AMF derivation indication, such as keyAmfHDerivationInd, to the SCP. Further, the SCP sends the horizontal K_AMF derivation indication and the new K_AMF to the target AMF; after the target AMF receives the horizontal K_AMF derivation indication and the new K_AMF, the target AMF sends a NAS SMC message to the UE that includes a K_AMF_change_flag with value 1, instructing the UE to perform horizontal K_AMF derivation. Further, after the UE receives the NAS SMC message, it performs horizontal K_AMF derivation according to the K_AMF_change_flag with value 1 to obtain the new K_AMF, and may send a NAS SMP message to the target AMF.
After the target AMF receives the response of the first service request or the security context (i.e. after the target AMF receives the security context sent by the initial AMF through the SCP), or after the target AMF receives the UE context from the original AMF (and after 317 in the figure), the target AMF performs any one of the following options:
option one: the target AMF does not perform the master authentication, or the target AMF uses the received KAMFOr a security context.
Should understand the objectAMF does not perform primary authentication, or target AMF uses received KAMFOr the security context means that the target AMF skips the primary authentication and performs other processes in the registration process. The target AMF is based on the received KAMFOr the security context protects the third message and sends the third message to the UE. Specifically, the target AMF receives KAMFOr the security context generates the NAS encryption and decryption key and the NAS integrity key, and the generated NAS encryption and decryption key and/or the NAS integrity key are adopted to protect the third message. Under this option, the third message is any N1 message that does not include an authentication request.
In this embodiment, the target AMF does not perform the master authentication, i.e., the target AMF uses the received KAMFOr a security context.
And (5) option two: the target AMF protects the authentication request message and/or the target AMF sends a secured N1 message, including the authentication request message. That is, the target AMF protects the authentication request message, and the target AMF sends the security-protected authentication request message to the UE, wherein the target AMF sending the security-protected authentication request message to the UE may be understood as the target AMF sending the security-protected N1 message to the UE, and the N1 message includes the authentication request message.
It should be appreciated that the target AMF protects the authentication request message, i.e., the target AMF is based on the received KAMFOr a security context protection authentication request message, sending the authentication request message with security protection. Specifically, the target AMF receives KAMFOr the security context generates an NAS encryption and decryption key and an NAS integrity key, protects the authentication request message by adopting the generated NAS encryption and decryption key and/or the NAS integrity key, and sends the authentication request message with security protection.
It should be appreciated that the target AMF sends the authentication request message with security protection, i.e. the target AMF is based on the received KAMFOr a security context protection authentication request message, sending the authentication request message with security protection. Specifically, the target AMF receives KAMFOr security context generation NAS encryption and decryptionAnd the key and the NAS integrity key are adopted, the generated NAS encryption and decryption key and/or the NAS integrity key are/is adopted to protect the authentication request message, and the authentication request message with safety protection is sent.
It should be appreciated that the target AMF sends a secured N1 message, including an authentication request message, i.e., the target AMF is based on the received KAMFOr security context protection authentication N1 message, send with security protected N1 message. Specifically, the target AMF receives KAMFOr the security context generates a NAS encryption and decryption key and a NAS integrity key, the generated NAS encryption and decryption key and/or the NAS integrity key are adopted to protect the N1 message, and the message with the security protection is sent to the N1 message. The N1 message here includes an authentication request message.
And (4) selecting a third option: the target AMF sends an authentication request message without security protection or the target AMF initiates a NAS SMC.
And 4, selecting a fourth option: the target AMF does not perform main authentication; or the target AMF protects the authentication request message; or the target AMF sends a secured N1 message including an authentication request message.
It should be appreciated that in this embodiment, the target AMF does not perform primary authentication, i.e., the target AMF uses the received KAMFOr the security context means that the target AMF skips the primary authentication and performs other processes in the registration process. In this implementation, the target AMF is based on the received KAMFOr a security context protected third message; specifically, the target AMF receives KAMFOr the security context generates the NAS encryption and decryption key and the NAS integrity key, and the generated NAS encryption and decryption key and/or the NAS integrity key are adopted to protect the third message. Under this option, the third message is any N1 message that does not include an authentication request.
The target AMF protects the authentication request message, i.e. the target AMF is based on the received KAMFOr security context protection authentication request message and transmitting the authentication request message with security protection, and specifically, the target AMF protects the authentication request message with security protection according to the received KAMFOr the security context generates the NAS encryption and decryption key and the NAS integrity key, and adopts the generated NAS encryption and decryption key and/or the NASThe integrity key protects the authentication request message and sends the authentication request message with security protection.
As a possible implementation of option one: after the target AMF receives the response to the first service request, or after the target AMF receives the UE context from the original AMF (i.e. after 317 in the figure), the target AMF does not perform primary authentication, or the target AMF uses the received K_AMF or security context.
As another possible implementation of option one: after the target AMF receives the response to the first service request, or after the target AMF receives the UE context from the original AMF (i.e. after 317 in the figure), it determines whether AMF redirection or non-access stratum rerouting through the RAN (NAS reroute via RAN) has occurred. If AMF redirection or non-access stratum rerouting through the RAN has occurred, the target AMF does not perform primary authentication, or the target AMF uses the received K_AMF or security context. The target AMF determines that AMF redirection or non-access stratum rerouting through the RAN has occurred according to any one or more of the following conditions:
the target AMF receives a registration request message that is a complete registration request message without integrity protection; the target AMF receives a complete registration request message; the target AMF receives a registration request message without integrity protection; the initial UE message received by the target AMF includes a Source to Target AMF Information Reroute information element (Source to Target AMF Information Reroute IE); the initial UE message received by the target AMF includes network slice selection assistance information (NSSAI); the initial UE message received by the target AMF includes configured network slice selection assistance information (configured NSSAI) and/or rejected network slice selection assistance information (rejected NSSAI); and the target AMF receives the first routing information.
As another possible implementation of option one: if the target AMF receives a horizontal K_AMF derivation indication (i.e. the target AMF receives the horizontal K_AMF derivation indication sent by the initial AMF through the SCP, or the response to the first service request received by the target AMF includes the horizontal K_AMF derivation indication, or the target AMF receives the horizontal K_AMF derivation indication sent by the SCP), the target AMF, based on the horizontal K_AMF derivation indication, does not perform primary authentication, or uses the received K_AMF or security context.
Otherwise, if the target AMF does not receive the horizontal K_AMF derivation indication, the target AMF may perform any one of the following operations:
Operation one: the target AMF still does not perform primary authentication, or uses the received K_AMF or security context;
Operation two: if the target AMF performs primary authentication according to its local policy, the target AMF shall protect the authentication request message based on the received K_AMF or security context and send the security-protected authentication request message; if the target AMF does not perform primary authentication according to its local policy, the target AMF shall protect the N1 message based on the received K_AMF or security context and send the security-protected N1 message;
Operation three: the target AMF shall protect the N1 message, including the authentication request message, based on the received K_AMF or security context, and send the security-protected N1 message, including the security-protected authentication request message.
As a possible implementation of option one: if the target AMF receives the tenth indication information (i.e. the target AMF receives the tenth indication information sent by the initial AMF through the SCP, or the response to the first service request received by the target AMF includes the tenth indication information, or the target AMF receives the tenth indication information sent by the SCP), the target AMF, according to the tenth indication information, does not perform primary authentication, or uses the received K_AMF or security context. The tenth indication information is used to indicate that the target AMF does not perform primary authentication, or that the target AMF uses the received K_AMF or security context.
This implementation further includes that, at 315, before the initial AMF sends the response to the first service request, the initial AMF determines to send the tenth indication information to the target AMF or the SCP. Specifically, when the initial AMF determines that the tenth preset condition is met, the initial AMF sends the tenth indication information to the target AMF or the SCP. Accordingly, the target AMF receives the tenth indication information. Optionally, the initial AMF carries the tenth indication information in the response to the first service request. The tenth preset condition is any one or more of the following conditions:
security-protected NAS messages have been exchanged between the initial AMF and the UE; NAS SMC has been successfully performed between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the initial AMF has performed horizontal K_AMF derivation; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the original AMF; the initial AMF uses the K_AMF obtained by horizontal K_AMF derivation from the K_AMF received from the original AMF; the initial AMF has received the horizontal K_AMF derivation indication from the original AMF and has decided to use the K_AMF received from the original AMF.
When the tenth preset condition is not met, the initial AMF does not send the tenth indication information to the target AMF or the SCP, and the target AMF does not receive the tenth indication information. If the target AMF does not receive the tenth indication information, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall send an authentication request message without security protection, or the target AMF shall protect the authentication request message based on the received K_AMF or security context and send the security-protected authentication request message;
Operation two: if the target AMF decides not to perform primary authentication, the target AMF sends an N1 message without security protection, or the target AMF shall protect the N1 message based on the received K_AMF or security context and send the security-protected N1 message;
Operation three: the target AMF shall send an N1 message without security protection, including the authentication request message.
Operation four: the target AMF shall protect the N1 message based on the received K_AMF or security context and send the security-protected N1 message, including the authentication request message.
If the target AMF does not receive the tenth indication information, the target AMF may further perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication and the target AMF has not received the horizontal K_AMF derivation indication, the target AMF shall send an authentication request message without security protection; or the target AMF shall protect the authentication request message based on the received K_AMF or security context and send the security-protected authentication request message;
Operation two: if the target AMF receives the horizontal K_AMF derivation indication, the target AMF shall not perform primary authentication, or the target AMF uses the received K_AMF or security context, or the target AMF shall perform NAS SMC.
Operation three: if the target AMF decides to perform the primary authentication, the target AMF should send an authentication request message without security protection.
If the target AMF does not receive the tenth indication information, the target AMF may further perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication and the target AMF has not received the horizontal K_AMF derivation indication, the target AMF shall protect the authentication request message based on the received K_AMF or security context and send the security-protected authentication request message;
Operation two: if the target AMF decides to perform primary authentication and the target AMF has received the horizontal K_AMF derivation indication, the target AMF shall send an authentication request message without security protection.
the tenth indication may also be used to indicate any one or more of the following:
security-protected NAS messages have been exchanged between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the NAS SMC procedure has been successfully performed between the initial AMF and the UE; primary authentication has been performed between the initial AMF and the UE; the initial AMF has received the horizontal K_AMF derivation indication from the original AMF and has decided to use the K_AMF or security context received from the original AMF; the initial AMF has performed horizontal K_AMF derivation; the initial AMF has generated a new K_AMF; the initial AMF has selected a security algorithm different from the one selected by the original AMF; the target AMF does not perform the primary authentication procedure; the target AMF skips the primary authentication procedure and performs the other procedures of the registration; the target AMF uses the received K_AMF or security context.
As a possible implementation of option two: if the target AMF receives the ninth indication information (i.e. the target AMF receives the ninth indication information sent by the initial AMF through the SCP, or the target AMF receives the ninth indication information sent by the SCP, or the response to the first service request received by the target AMF includes the ninth indication information), then when the target AMF decides to perform primary authentication, the target AMF shall protect the authentication request message according to the ninth indication information; specifically, the target AMF shall protect the authentication request message based on the received K_AMF or security context and send the security-protected authentication request message, or the target AMF shall, according to the ninth indication information, send a security-protected N1 message including the authentication request message. The ninth indication information is used to indicate that the target AMF protects the authentication request message.
This implementation further includes that, at 315, before the initial AMF sends the response to the first service request, the initial AMF determines to send the ninth indication information to the target AMF or the SCP. Specifically, when the initial AMF determines that the ninth preset condition is met, the initial AMF sends the ninth indication information to the target AMF or the SCP. Accordingly, the target AMF or the SCP receives the ninth indication information. Optionally, the initial AMF includes the ninth indication information in the response to the first service request. The ninth preset condition is any one or more of the following conditions:
security-protected NAS messages have been exchanged between the initial AMF and the UE; NAS SMC has been successfully performed between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the original AMF; the initial AMF uses the K_AMF obtained by horizontal K_AMF derivation from the K_AMF received from the original AMF; the initial AMF has received the horizontal K_AMF derivation indication from the original AMF and has decided to use the K_AMF received from the original AMF.
In this application, the sending of the message, information, or indication, etc. from the initial AMF to the target AMF means that the initial AMF sends the message, information, or indication, etc. to the target AMF through the SCP.
When the ninth preset condition is not met, the initial AMF does not send the ninth indication information to the target AMF or the SCP, and the target AMF does not receive the ninth indication information. If the target AMF does not receive the ninth indication information, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall send an authentication request message without security protection;
Operation two: if the target AMF decides not to perform primary authentication, the target AMF sends an N1 message without security protection, or the target AMF shall protect the N1 message based on the received K_AMF or security context and send the security-protected N1 message;
Operation three: the target AMF shall send an N1 message without security protection, including the authentication request message.
Operation four: if the target AMF decides to perform primary authentication and the target AMF has not received the horizontal K_AMF derivation indication, the target AMF shall send an authentication request message without security protection, or the target AMF shall protect the authentication request message based on the received K_AMF or security context and send the security-protected authentication request message.
Operation five: if the target AMF decides to perform primary authentication and the target AMF has received the horizontal K_AMF derivation indication, the target AMF shall send an authentication request message without security protection.
The ninth indication information may also be used to indicate any one or more of the following:
the target AMF shall protect the authentication request message; the target AMF shall send a security-protected authentication request message; the target AMF shall send a security-protected N1 message, including the authentication request message.
Security-protected NAS messages have been exchanged between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the NAS SMC procedure has been successfully performed between the initial AMF and the UE; primary authentication has been performed between the initial AMF and the UE; the initial AMF has received the horizontal K_AMF derivation indication from the original AMF and has decided to use the K_AMF or security context received from the original AMF; the initial AMF has selected a security algorithm different from the one selected by the original AMF.
As a possible implementation of option two: after receiving the response to the first service request, the target AMF determines whether AMF redirection or non-access stratum rerouting through the RAN (also referred to as direct NAS reroute) has occurred. If AMF redirection or non-access stratum rerouting through the RAN has occurred, then when the target AMF decides to perform primary authentication it shall protect the authentication request message; in particular, it shall protect the authentication request message based on the received K_AMF or security context and send the security-protected authentication request message, or the target AMF shall send a security-protected N1 message including the authentication request message. The target AMF determines that AMF redirection or non-access stratum rerouting through the RAN has occurred according to any one or more of the following conditions:
the target AMF receives a registration request message that is a complete registration request message without integrity protection; the target AMF receives a complete registration request message; the target AMF receives a registration request message without integrity protection; the initial UE message received by the target AMF includes a Source to Target AMF Information Reroute information element (Source to Target AMF Information Reroute IE); the initial UE message received by the target AMF includes network slice selection assistance information (NSSAI); the initial UE message received by the target AMF includes configured network slice selection assistance information (configured NSSAI) and/or rejected network slice selection assistance information (rejected NSSAI); and the target AMF receives the first routing information.
As another possible implementation of option two: after the target AMF receives the response to the first service request, or after the target AMF receives the UE context from the original AMF (i.e. after 317 in the figure), if the target AMF decides to perform primary authentication, the target AMF shall protect the authentication request message, or the target AMF shall send a security-protected N1 message including the authentication request message. That the target AMF shall protect the authentication request message means that the target AMF protects the authentication request message based on the received K_AMF or security context and sends the security-protected authentication request message; that the target AMF shall send a security-protected N1 message means that the target AMF protects the N1 message based on the received K_AMF or security context and sends the security-protected N1 message.
As a possible implementation of option three: if the target AMF receives the eighth indication information (i.e. the target AMF receives the eighth indication information sent by the initial AMF through the SCP, or the target AMF receives the eighth indication information sent by the SCP, or the response to the first service request received by the target AMF includes the eighth indication information), then when the target AMF decides to perform primary authentication, the target AMF shall, according to the eighth indication information, send an authentication request message without security protection, or the target AMF shall initiate NAS SMC according to the eighth indication information. The eighth indication information is used to instruct the target AMF to send an authentication request message without security protection. The eighth indication information may be the horizontal K_AMF derivation indication.
This implementation further includes that, at 315, before the initial AMF returns the response to the first service request of the target AMF, the initial AMF determines to send the eighth indication information to the target AMF or the SCP. Specifically, when the initial AMF determines that the eighth preset condition is met, the initial AMF sends the eighth indication information to the target AMF or the SCP. Accordingly, the target AMF receives the eighth indication information. Optionally, the initial AMF carries the eighth indication information in the response to the first service request. The eighth preset condition is any one or more of the following conditions: the initial AMF has performed horizontal K_AMF derivation, or the initial AMF has generated a new K_AMF.
When the eighth preset condition is not met, the initial AMF does not send the eighth indication information to the target AMF or the SCP, and the target AMF does not receive the eighth indication information. If the target AMF does not receive the eighth indication information, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall protect the authentication request message based on the received K_AMF or security context and send the security-protected authentication request message.
Operation two: if the target AMF decides not to perform primary authentication, the target AMF shall protect the N1 message based on the received K_AMF or security context and send the security-protected N1 message;
Operation three: the target AMF shall protect the N1 message based on the received K_AMF or security context and send the security-protected N1 message, including the authentication request message.
The eighth indication information may also be used to indicate any one or more of the following:
the initial AMF has performed horizontal K_AMF derivation; the initial AMF has generated a new K_AMF; the target AMF shall send an authentication request message without security protection; the target AMF shall initiate NAS SMC.
As a possible implementation of option four: if the target AMF receives the horizontal K_AMF derivation indication, the target AMF shall not perform primary authentication, or the target AMF shall use the received K_AMF or security context, or the target AMF initiates NAS SMC. Otherwise, if the target AMF does not receive the horizontal K_AMF derivation indication but receives the seventh indication information, then:
if the target AMF decides to initiate primary authentication, the target AMF shall, according to the seventh indication information, send a security-protected authentication request message; or
the target AMF shall, according to the seventh indication information, send a security-protected N1 message including the authentication request message.
The seventh indication information is used to instruct the target AMF to send a security-protected authentication request message, or to instruct the target AMF to send a security-protected N1 message.
This implementation further includes that, at 315, before the initial AMF sends the response to the first service request, the initial AMF determines to send the seventh indication information to the target AMF or the SCP. Specifically, when the initial AMF determines that the seventh preset condition is met, the initial AMF sends the seventh indication information to the target AMF or the SCP. Accordingly, the target AMF receives the seventh indication information. Optionally, the initial AMF carries the seventh indication information in the response to the first service request. The seventh preset condition is any one or more of the following conditions:
security-protected NAS messages have been exchanged between the initial AMF and the UE; NAS SMC has been successfully performed between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the original AMF; the initial AMF uses the K_AMF obtained by horizontal K_AMF derivation from the K_AMF received from the original AMF; the initial AMF has received the horizontal K_AMF derivation indication from the original AMF and has decided to use the K_AMF or security context received from the original AMF.
When the seventh preset condition is not met, the initial AMF does not send the seventh indication information to the target AMF or the SCP, and the target AMF does not receive the seventh indication information. If the target AMF receives neither the seventh indication information nor the horizontal K_AMF derivation indication, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall protect the authentication request message based on the received K_AMF or security context and send the security-protected authentication request message, or the target AMF sends an authentication request message without security protection.
Operation two: if the target AMF decides not to perform primary authentication, the target AMF shall protect the N1 message based on the received K_AMF or security context and send the security-protected N1 message, or the target AMF shall send an N1 message without security protection.
Operation three: the target AMF shall protect the N1 message based on the received K_AMF or security context and send the security-protected N1 message, including the authentication request message.
Operation four: the target AMF shall send an N1 message without security protection, including the authentication request message.
The seventh indication information may also be used to indicate any one or more of the following:
security-protected NAS messages have been exchanged between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the NAS SMC procedure has been successfully performed between the initial AMF and the UE; primary authentication has been performed between the initial AMF and the UE; the initial AMF has received the horizontal K_AMF derivation indication from the original AMF and has decided to use the K_AMF or security context received from the original AMF; the initial AMF has selected a security algorithm different from the one selected by the original AMF; the target AMF shall send a security-protected authentication request message; the target AMF shall protect the authentication request message; the target AMF shall send a security-protected N1 message, including the authentication request message.
As another possible implementation of option four: if the target AMF receives the sixth indication information and the horizontal K_AMF derivation indication, the target AMF shall not perform primary authentication, or the target AMF shall use the received K_AMF or security context. Otherwise, if the target AMF does not receive the horizontal K_AMF derivation indication but receives the sixth indication information, then if the target AMF decides to initiate primary authentication, the target AMF shall, according to the sixth indication information, send a security-protected authentication request message; or
the target AMF shall, according to the sixth indication information, send a security-protected N1 message, the N1 message including the authentication request message.
The sixth indication information is used to instruct the target AMF to send an authentication request message with security protection.
This implementation further includes that, at 315, before the initial AMF sends the response to the first service request, the initial AMF determines to send the sixth indication information to the target AMF or the SCP. Specifically, when the initial AMF determines that the sixth preset condition is met, the initial AMF sends the sixth indication information to the target AMF or the SCP. Accordingly, the target AMF receives the sixth indication information. Optionally, the initial AMF carries the sixth indication information in the response to the first service request. The sixth preset condition is any one or more of the following conditions:
security-protected NAS messages have been exchanged between the initial AMF and the UE; NAS SMC has been successfully performed between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the original AMF; the initial AMF uses the K_AMF obtained by horizontal K_AMF derivation from the K_AMF received from the original AMF; the initial AMF has received the horizontal K_AMF derivation indication from the original AMF and has decided to use the K_AMF and security context received from the original AMF.
When the sixth preset condition is not met, the initial AMF does not send the sixth indication information to the target AMF or the SCP, and the target AMF does not receive the sixth indication information. If the target AMF does not receive the sixth indication information but receives the horizontal K_AMF derivation indication, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall send an authentication request message without security protection.
Operation two: if the target AMF decides not to perform primary authentication, the target AMF shall protect the N1 message based on the received K_AMF or security context and send the security-protected N1 message, or the target AMF shall send an N1 message without security protection, or the target AMF initiates NAS SMC;
operation three: the target AMF should send an N1 message without security protection, including an authentication request message.
If the target AMF receives neither the sixth indication information nor the horizontal K_AMF derivation indication, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall send an authentication request message without security protection, or the target AMF shall protect the authentication request message based on the received K_AMF or security context and send the security-protected authentication request message.
Operation two: if the target AMF decides not to perform primary authentication, the target AMF shall protect the N1 message based on the received K_AMF or security context and send the security-protected N1 message, or the target AMF shall send an N1 message without security protection;
operation three: the target AMF should send an N1 message without security protection, including an authentication request message.
And operation four: the target AMF should send a secured N1 message, including an authentication request message.
The sixth indication information may also be used to indicate any one or more of the following:
security-protected NAS messages have been exchanged between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the NAS SMC procedure has been successfully performed between the initial AMF and the UE; primary authentication has been performed between the initial AMF and the UE; the initial AMF has received the horizontal K_AMF derivation indication from the original AMF and has decided to use the received K_AMF or security context; the initial AMF has decided to use the K_AMF obtained by horizontal K_AMF derivation from the K_AMF received from the original AMF; the initial AMF has selected a security algorithm different from the one selected by the original AMF; the target AMF shall send a security-protected authentication request message; the target AMF shall protect the authentication request message; the target AMF shall send a security-protected N1 message, including the authentication request message.
In this embodiment, if the SCP receives the sixth indication information, and/or the seventh indication information, and/or the eighth indication information, and/or the ninth indication information, and/or the tenth indication information sent by the initial AMF, the SCP sends the received sixth, and/or seventh, and/or eighth, and/or ninth, and/or tenth indication information to the target AMF. Optionally, the SCP sends the sixth, and/or seventh, and/or eighth, and/or ninth, and/or tenth indication information in the response to the first service request.
In one possible implementation, the initial AMF sends the sixth indication information, and/or the seventh indication information, and/or the eighth indication information, and/or the ninth indication information, and/or the tenth indication information to the target AMF through the RAN. Specifically, the initial AMF sends the sixth, and/or seventh, and/or eighth, and/or ninth, and/or tenth indication information to the RAN in a reroute NAS message (Reroute NAS message); the RAN sends the received sixth, and/or seventh, and/or eighth, and/or ninth, and/or tenth indication information to the target AMF in an initial UE message (Initial UE message). Before sending the sixth, and/or seventh, and/or eighth, and/or ninth, and/or tenth indication information, the initial AMF needs to determine to send it; how the initial AMF determines to send the sixth, and/or seventh, and/or eighth, and/or ninth, and/or tenth indication information is described above and is not repeated here.
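The indication-driven decisions described for options one to four, as an added example that is not part of the patent: the initial AMF evaluates its preset conditions and chooses which indications to carry in the response to the first service request, and the target AMF then decides whether to run primary authentication and whether to protect its first NAS message with the received K_AMF, which the UE checks with the key it shares with the initial AMF. Names such as InitialAmfState and decide_target_amf, the merging of the four preset-condition lists into one check, and the HMAC-based stand-in for NAS key derivation are assumptions of this example, not the 3GPP KDF or the patent's own procedure.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class InitialAmfState:
    """What happened between the UE and the initial AMF (constructed sample state)."""
    nas_smc_succeeded: bool = False          # NAS SMC completed successfully
    new_nas_ctx_established: bool = False    # new NAS security context established
    primary_auth_run: bool = False           # primary authentication performed
    horizontal_kamf_derived: bool = False    # horizontal K_AMF derivation performed
    new_kamf_generated: bool = False         # a new K_AMF was generated
    algorithm_changed: bool = False          # algorithm differs from the original AMF's
    used_kamf_from_original: bool = False    # got the derivation indication, kept received K_AMF


def general_condition_met(s: InitialAmfState) -> bool:
    """Tenth/ninth/seventh/sixth preset conditions, merged into one check for brevity
    (assumption of this example): any listed event between UE and initial AMF occurred."""
    return any([s.nas_smc_succeeded, s.new_nas_ctx_established, s.primary_auth_run,
                s.horizontal_kamf_derived, s.algorithm_changed, s.used_kamf_from_original])


def eighth_condition_met(s: InitialAmfState) -> bool:
    """Eighth preset condition: horizontal K_AMF derivation or a new K_AMF."""
    return s.horizontal_kamf_derived or s.new_kamf_generated


def indications_to_send(s: InitialAmfState) -> Set[str]:
    """Indications the initial AMF carries in the response to the first service request;
    the SCP forwards them unchanged to the target AMF."""
    inds: Set[str] = set()
    if general_condition_met(s):
        inds |= {"tenth", "ninth", "seventh", "sixth"}
    if eighth_condition_met(s):
        inds.add("eighth")
    if s.horizontal_kamf_derived:
        inds.add("horizontal_kamf_derivation")
    return inds


@dataclass
class TargetDecision:
    run_primary_auth: bool                 # does the target AMF start primary authentication?
    protect_auth_request: Optional[bool]   # None when no authentication request is sent
    use_received_kamf: bool                # protect the first N1 message with received K_AMF?


def decide_target_amf(option: int, inds: Set[str], policy_wants_auth: bool) -> TargetDecision:
    """Target AMF behaviour for options one to four, given the received indications and
    whether local policy would run primary authentication. Where the text lists several
    permitted operations, the first alternative is taken."""
    derived = "horizontal_kamf_derivation" in inds

    def auth_flag(protect: bool) -> Optional[bool]:
        return protect if policy_wants_auth else None

    if option == 1:
        if "tenth" in inds or derived:       # skip primary auth, use received K_AMF
            return TargetDecision(False, None, True)
        return TargetDecision(policy_wants_auth, auth_flag(True), True)    # operation two
    if option == 2:
        if "ninth" in inds:                  # auth request must be protected
            return TargetDecision(policy_wants_auth, auth_flag(True), True)
        return TargetDecision(policy_wants_auth, auth_flag(False), False)  # operation one
    if option == 3:
        if "eighth" in inds:                 # auth request sent without protection
            return TargetDecision(policy_wants_auth, auth_flag(False), False)
        return TargetDecision(policy_wants_auth, auth_flag(True), True)    # operation one
    if option == 4:
        if derived:                          # no primary auth, use received K_AMF
            return TargetDecision(False, None, True)
        if "seventh" in inds:                # protected auth request if auth is run
            return TargetDecision(policy_wants_auth, auth_flag(True), True)
        return TargetDecision(policy_wants_auth, auth_flag(False), False)  # operation one
    raise ValueError("option must be 1..4")


def derive_nas_int_key(k_amf: bytes) -> bytes:
    """Stand-in for the NAS integrity key derived from K_AMF (HMAC label, not the 3GPP KDF)."""
    return hmac.new(k_amf, b"NAS-int-key", hashlib.sha256).digest()


def protect_nas(k_amf: bytes, msg: bytes) -> bytes:
    """Append a 16-byte NAS-MAC computed under the key derived from k_amf."""
    return msg + hmac.new(derive_nas_int_key(k_amf), msg, hashlib.sha256).digest()[:16]


def ue_verify_nas(k_amf: bytes, protected: bytes) -> bool:
    """UE side: accept only if the NAS-MAC verifies under the UE's current K_AMF."""
    msg, mac = protected[:-16], protected[-16:]
    expected = hmac.new(derive_nas_int_key(k_amf), msg, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(mac, expected)


def target_amf_first_message(d: TargetDecision, k_amf_received: bytes,
                             auth_request: bytes, other_n1: bytes) -> bytes:
    """First downlink NAS message the target AMF sends, protected or not per the decision."""
    if d.run_primary_auth:
        return protect_nas(k_amf_received, auth_request) if d.protect_auth_request else auth_request
    return protect_nas(k_amf_received, other_n1) if d.use_received_kamf else other_n1
```

The last assertion in the accompanying check is the point of the procedure: a message protected with the K_AMF the original AMF still holds fails at a UE that already ran NAS SMC with the initial AMF, which is why the target AMF must obtain and use the initial AMF's context.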
Optionally, when the registration method shown in fig. 3 includes step 317, the method shown in fig. 3 may further include:
318. The target AMF deletes the UE context, or the UE security context, or the NAS security context of the UE acquired from the original AMF.
It should be noted that whether the UE context, or the security context of the UE, or the NAS security context of the UE acquired by the target AMF from the original AMF is the same as that acquired from the SCP is not limited in this embodiment of the present application.
In the embodiment of the application, the initial AMF sends the first routing information to the target AMF through the RAN, and after receiving the first routing information, the target AMF may obtain, through the SCP, the UE context, or the UE security context, or the NAS security context of the UE from the initial AMF. Because the UE context carries the new NAS security context established between the UE and the initial AMF, the target AMF acquires that new NAS security context; UE registration failure is thereby avoided and successful UE registration is ensured.
Fig. 4 is a schematic flowchart of a registration method provided in an embodiment of the present application, and as shown in fig. 4, the registration method includes:
It is understood that the specific implementation of 401 to 410 in fig. 4 can be described with reference to 201 to 210 in fig. 2, and will not be described in detail here.
411. The initial AMF determines to redirect the NAS message to the target AMF (i.e. NAS reroute via (R) AN); the initial AMF sends first indication information (indicator1) to the (R) AN, and the (R) AN receives the first indication information sent by the initial AMF. The first indication information is used to instruct the target AMF to acquire, from the initial AMF, the UE context, or the security context of the UE, or the NAS security context of the UE, or the NAS security context established by the initial AMF and the UE, or the current security context.
Optionally, the initial AMF sends a redirect NAS message (route NAS message) to the (R) AN, where the route NAS message may include the first indication information. The (R) AN receives the route NAS message.
Specifically, the first indication information may also be used to indicate any one or more of the following:
the initial AMF and the UE perform the safety interaction of the NAS message;
the initial AMF and the UE successfully perform the NAS security mode control flow;
the initial AMF and the UE successfully perform NAS SMC;
the initial AMF and the UE establish a new NAS security context;
the initial AMF and the UE successfully perform main authentication;
the initial AMF and the UE activate NAS security;
the initial AMF receives a horizontal K_AMF derivation indication (indicated by keyAmfHDerivationInd);
the initial AMF selects a new security algorithm;
the (R) AN sends the routing information of the initial AMF to the target AMF;
the (R) AN sends indication information to the target AMF, where the indication information is used to instruct the target AMF to acquire the UE context from the initial AMF, or to instruct the target AMF to acquire the UE context from the initial AMF through the SCP.
Optionally, the initial AMF may also determine, based on certain conditions, whether to send the first indication information to the (R) AN. For example, when the initial AMF determines that one or more of the following conditions are satisfied, the initial AMF sends the first indication information to the (R) AN.
The initial AMF and the UE perform the safety interaction of the NAS message;
the initial AMF and the UE successfully perform the NAS security mode control flow;
the initial AMF and the UE successfully perform NAS SMC;
the initial AMF and the UE establish a new NAS security context;
the initial AMF and the UE successfully perform main authentication;
the initial AMF and the UE activate NAS security;
the initial AMF receives a horizontal K_AMF derivation indication (indicated by keyAmfHDerivationInd);
the initial AMF selects a new security algorithm.
412. The (R) AN sends fourth routing information to the target AMF, and the target AMF receives the fourth routing information sent by the (R) AN.
The fourth routing information may include routing information of the initial AMF, such as an end point address of the initial AMF, an Internet Protocol (IP) address of the initial AMF, an instance identifier (instance ID) of the initial AMF, an AMF set identifier (AMF set ID) of the initial AMF, a Globally Unique AMF Identifier (GUAMI) of the initial AMF, and the like. The fourth routing information may also include other information that can be used to route to the initial AMF, and the application is not limited thereto.
Optionally, the (R) AN may send an initial UE message to the target AMF, where the initial UE message includes the fourth routing information. The target AMF receives the initial UE message.
Optionally, the (R) AN determines whether to send the fourth routing information to the target AMF. For example, when the (R) AN receives the first indication information sent by the initial AMF, the (R) AN sends the fourth routing information to the target AMF.
413. The target AMF sends a third service request to a Service Communication Proxy (SCP) according to the fourth routing information, and the SCP receives the third service request sent by the target AMF.
Optionally, the third service request includes the fourth routing information received by the target AMF and the identity information of the UE.
Since the initial UE message may include the RR message, the UE identification information included in the third service request may include the UE identification in the RR message received by the target AMF. The identity information of the UE may be SUPI, or 5G-GUTI, or SUCI.
Optionally, before step 413 and after step 412, the registration method shown in fig. 4 further includes:
417. The target AMF acquires the UE context, or the security context of the UE, or the NAS security context of the UE, or the security context established between the UE and the original AMF from the original AMF. For example, the target AMF can request the UE context from the original AMF through Namf_Communication_UEContextTransfer, and the original AMF can send the UE context, or the security context of the UE, or the NAS security context of the UE, or the security context established between the UE and the original AMF to the target AMF through the Namf_Communication_UEContextTransfer response.
In a case that the target AMF acquires the UE context, or the security context of the UE, or the NAS security context of the UE, or the security context established between the UE and the original AMF from the original AMF, the UE identification information included in the first service request may further include an UE identification included in the UE context acquired by the target AMF from the original AMF. For example, the identity of the UE may be SUPI, or 5G-GUTI, or SUCI.
414. The SCP sends the third service request to the initial AMF, which receives the third service request sent by the SCP.
415. The initial AMF sends a response to the third service request to the SCP, where the response to the third service request includes the UE context, or the UE security context, or the NAS security context of the UE, or the NAS security context established by the initial AMF and the UE, or the current context. The SCP receives the response to the third service request sent by the initial AMF.
416. The SCP sends the received UE context, or the security context of the UE, or the NAS security context of the UE, or the NAS security context established by the initial AMF and the UE, or the current context to the target AMF, and the target AMF receives the UE context, or the UE security context, or the NAS security context of the UE, or the NAS security context established by the initial AMF and the UE, or the current context sent by the SCP.
417. Optionally, the target AMF obtains the UE context, or the security context of the UE, or the NAS security context of the UE, or the security context established between the UE and the original AMF from the original AMF. For example, the target AMF may request the UE context from the original AMF through Namf_Communication_UEContextTransfer, and the original AMF may send the UE context, or the security context of the UE, or the NAS security context of the UE, or the security context established between the UE and the original AMF to the target AMF through the Namf_Communication_UEContextTransfer response.
418. The target AMF deletes the UE context, or the UE security context, or the NAS security context of the UE acquired from the original AMF.
It should be noted that whether the UE context, or the security context of the UE, or the NAS security context of the UE acquired by the target AMF from the original AMF is the same as that acquired from the SCP is not limited in this embodiment of the present application.
Fig. 5 is a schematic flowchart of a registration method provided in an embodiment of the present application, and as shown in fig. 5, the registration method includes:
It is understood that the specific implementation of 501 to 510 in fig. 5 can refer to the registration method of 201 to 210 shown in fig. 2, and will not be described in detail here.
511. The initial AMF determines to redirect the NAS message to the target AMF through the (R) AN (i.e. NAS reroute via (R) AN); the initial AMF sends first information to the SCP; the SCP receives the first information sent by the initial AMF.
For example, the first information includes identification information of the UE and UE context, or
The first information comprises identification information of the UE and security context of the UE, or
The first information comprises identification information of the UE and NAS security context of the UE, or
The first information comprises identification information of the UE and NAS security context established by the initial AMF and the UE, or
The first information includes identification information of the UE and a current security context.
The identity information of the UE may be the SUCI, the SUPI, the 5G-GUTI, or the like of the UE.
Optionally, the identification information of the UE is the SUCI or the 5G-GUTI carried in the registration request message received by the initial AMF.
Optionally, the initial AMF may further determine, based on certain conditions, whether the first information needs to be sent to the SCP. If the initial AMF determines that one or more of the following conditions are met, the initial AMF sends the first information to the SCP.
The initial AMF and the UE perform the safety interaction of the NAS message;
the initial AMF and the UE successfully perform the NAS security mode control flow;
the initial AMF and the UE successfully perform NAS SMC;
the initial AMF and the UE establish a new NAS security context;
the initial AMF and the UE successfully perform main authentication;
the initial AMF and the UE activate NAS security;
the initial AMF receives a horizontal K_AMF derivation indication (indicated by keyAmfHDerivationInd);
the initial AMF selects a new security algorithm.
Optionally, before the initial AMF sends the first information to the SCP, the initial AMF may further determine, according to a local policy or a local configuration, whether to perform horizontal K_AMF derivation. If the initial AMF determines to perform horizontal K_AMF derivation, the initial AMF performs horizontal K_AMF derivation to form a new K_AMF. Further, the initial AMF may also send the new K_AMF and a horizontal K_AMF derivation indication, such as keyAmfHDerivationInd, to the SCP.
As a possible implementation, before the initial AMF sends the first information to the SCP, the initial AMF decides whether to perform horizontal K_AMF derivation.
If the initial AMF decides not to perform horizontal K_AMF derivation, the initial AMF sends the current security context, including the current K_AMF, to the target AMF or the SCP. It should be understood that, in the present application, the initial AMF sending the current security context to the target AMF means that the initial AMF sends the current security context to the target AMF through the SCP.
If the initial AMF decides to perform horizontal K_AMF derivation, the initial AMF generates a new K_AMF, or a new security context, or a new NAS security context based on the current K_AMF; the initial AMF sends the new K_AMF, or the new security context, or the new NAS security context to the target AMF or the SCP, and the initial AMF sends a horizontal K_AMF derivation indication to the target AMF. The horizontal K_AMF derivation indication may be referred to as keyAmfHDerivationInd.
Optionally, the initial AMF includes the current security context, or the new K_AMF, or the new security context, or the horizontal K_AMF derivation indication in the first information; alternatively, the initial AMF may send the security context of the UE, including the current security context, or the new K_AMF, or the new security context, or the horizontal K_AMF derivation indication, to the target AMF or the SCP through a message other than the first information described above. The specific manner in which the initial AMF sends the security context of the UE to the target AMF is not limited in this application.
The initial AMF may decide whether to perform horizontal K_AMF derivation in any one of the following three ways:
The first way: the initial AMF does not perform horizontal K_AMF derivation, that is, the initial AMF sends the current security context to the target AMF;
The second way: the initial AMF determines, according to a local policy, whether to perform horizontal K_AMF derivation, that is, the initial AMF performs horizontal K_AMF derivation according to the local policy, or the initial AMF does not perform horizontal K_AMF derivation according to the local policy;
The third way: the initial AMF determines whether to perform horizontal K_AMF derivation according to a fourth preset condition. That is, if the initial AMF determines that the fourth preset condition is met, the initial AMF does not perform horizontal K_AMF derivation, that is, the initial AMF sends the current security context to the target AMF; if the initial AMF determines that the fourth preset condition is not met, the initial AMF determines, according to a local policy, whether to perform horizontal K_AMF derivation, that is, the initial AMF performs horizontal K_AMF derivation according to the local policy, or does not perform horizontal K_AMF derivation according to the local policy. The fourth preset condition is any one or more of the following conditions:
secure interaction of NAS messages is performed between the initial AMF and the UE; NAS SMC is successfully performed between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm different from the one selected by the original AMF; the initial AMF uses the horizontally derived K_AMF received from the original AMF; the initial AMF receives a horizontal K_AMF derivation indication from the original AMF and decides to use the K_AMF received from the original AMF.
In this application, the current security context includes the current NAS security context. The current NAS security context includes the current K_AMF. The new K_AMF generated by the initial AMF based on the current K_AMF is also referred to as a derived K_AMF. The new security context generated by the initial AMF based on the current K_AMF is also referred to as a derived security context. The new NAS security context generated by the initial AMF based on the current K_AMF, which includes the derived K_AMF, is also referred to as a derived NAS security context. The new security context generated by the initial AMF based on the current K_AMF includes the new NAS security context generated by the initial AMF based on the current K_AMF. The horizontal K_AMF derivation indication is also referred to as a K_AMF horizontal derivation indication, and is used to indicate the generation of a new K_AMF, or horizontal K_AMF derivation.
In one possible implementation, before the initial AMF sends the first information, the initial AMF determines to send twentieth indication information to the target AMF or SCP. Specifically, when the initial AMF determines that the twentieth preset condition is satisfied, the initial AMF sends twentieth indication information to the target AMF or the SCP. Accordingly, the target AMF or SCP receives the twentieth indication information. Optionally, the initial AMF transmits twentieth indication information to the target AMF or SCP using the first information. The twentieth preset condition is any one or more of the following conditions:
secure interaction of NAS messages is performed between the initial AMF and the UE; NAS SMC is successfully performed between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; the initial AMF performs horizontal K_AMF derivation; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm different from the one selected by the original AMF; the initial AMF uses the horizontally derived K_AMF received from the original AMF; the initial AMF receives a horizontal K_AMF derivation indication from the original AMF and decides to use the K_AMF received from the original AMF.
In one possible implementation, before the initial AMF sends the first information, the initial AMF determines to send nineteenth indication information to the target AMF or the SCP. Specifically, when the initial AMF determines that the nineteenth preset condition is met, the initial AMF sends the nineteenth indication information to the target AMF or the SCP. Accordingly, the target AMF or the SCP receives the nineteenth indication information. Optionally, the initial AMF includes the nineteenth indication information in the first information. The nineteenth preset condition is any one or more of the following conditions:
secure interaction of NAS messages is performed between the initial AMF and the UE; NAS SMC is successfully performed between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm different from the one selected by the original AMF; the initial AMF uses the horizontally derived K_AMF received from the original AMF; the initial AMF receives a horizontal K_AMF derivation indication from the original AMF and decides to use the K_AMF received from the original AMF.
In one possible implementation, before the initial AMF sends the first information, the initial AMF determines to send eighteenth indication information to the target AMF or the SCP. Specifically, when the initial AMF determines that the eighteenth preset condition is met, the initial AMF sends the eighteenth indication information to the target AMF or the SCP. Accordingly, the target AMF receives the eighteenth indication information. Optionally, the initial AMF sends the eighteenth indication information to the target AMF or the SCP using the first information. The eighteenth preset condition is any one or more of the following conditions: the initial AMF performs horizontal K_AMF derivation, or the initial AMF generates a new K_AMF. The eighteenth indication information may be a horizontal K_AMF derivation indication.
In one possible implementation, before the initial AMF sends the first information, the initial AMF determines to send seventeenth indication information to the target AMF or the SCP. Specifically, when the initial AMF determines that the seventeenth preset condition is met, the initial AMF sends the seventeenth indication information to the target AMF or the SCP. Accordingly, the target AMF receives the seventeenth indication information. Optionally, the initial AMF sends the seventeenth indication information to the target AMF or the SCP using the first information. The seventeenth preset condition is any one or more of the following conditions:
secure interaction of NAS messages is performed between the initial AMF and the UE; NAS SMC is successfully performed between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm different from the one selected by the original AMF; the initial AMF uses the horizontally derived K_AMF received from the original AMF; the initial AMF receives a horizontal K_AMF derivation indication from the original AMF and decides to use the K_AMF or the security context received from the original AMF.
In one possible implementation, before the initial AMF sends the first information, the initial AMF determines to send sixteenth indication information to the target AMF or the SCP. Specifically, when the initial AMF determines that the sixteenth preset condition is met, the initial AMF sends the sixteenth indication information to the target AMF or the SCP. Accordingly, the target AMF receives the sixteenth indication information. Optionally, the initial AMF sends the sixteenth indication information to the target AMF or the SCP using the first information. The sixteenth preset condition is any one or more of the following conditions:
secure interaction of NAS messages is performed between the initial AMF and the UE; NAS SMC is successfully performed between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm different from the one selected by the original AMF; the initial AMF uses the horizontally derived K_AMF received from the original AMF; the initial AMF receives a horizontal K_AMF derivation indication from the original AMF and decides to use the K_AMF and the security context received from the original AMF.
The twentieth indication information is used to indicate any one or more of the following:
secure interaction of NAS messages is performed between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; the NAS SMC procedure is successfully performed between the initial AMF and the UE; the initial AMF and the UE perform primary authentication; the initial AMF receives a horizontal K_AMF derivation indication from the original AMF and decides to use the K_AMF or the security context received from the original AMF; the initial AMF has performed horizontal K_AMF derivation; the initial AMF generates a new K_AMF; the initial AMF selects a security algorithm different from the one selected by the original AMF; the target AMF does not perform the primary authentication procedure; the target AMF skips the primary authentication procedure and performs the other procedures in the registration; the target AMF uses the received K_AMF or security context.
The nineteenth indication information is used to indicate any one or more of the following:
the target AMF shall protect the authentication request message; the target AMF should send a security-protected authentication request message; the target AMF shall protect the authentication request message; the target AMF should send a secured N1 message including an authentication request message; secure interaction of NAS messages is performed between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; the NAS SMC procedure is successfully performed between the initial AMF and the UE; the initial AMF and the UE perform primary authentication; the initial AMF receives a horizontal K_AMF derivation indication from the original AMF and decides to use the K_AMF or the security context received from the original AMF; the initial AMF selects a security algorithm different from the one selected by the original AMF.
The eighteenth indication information is used to indicate any one or more of the following:
the initial AMF has performed horizontal K_AMF derivation; the initial AMF generates a new K_AMF; the target AMF should send an authentication request message without security protection; the target AMF should initiate NAS SMC.
The seventeenth indication information is used to indicate any one or more of the following:
secure interaction of NAS messages is performed between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; the NAS SMC procedure is successfully performed between the initial AMF and the UE; the initial AMF and the UE perform primary authentication; the initial AMF receives a horizontal K_AMF derivation indication from the original AMF and decides to use the K_AMF or the security context received from the original AMF; the initial AMF selects a security algorithm different from the one selected by the original AMF; the target AMF should send an authentication request message with security protection; the target AMF shall protect the authentication request message; the target AMF should send a secured N1 message including an authentication request message.
The sixteenth indication information is used to indicate any one or more of the following:
secure interaction of NAS messages is performed between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; the NAS SMC procedure is successfully performed between the initial AMF and the UE; the initial AMF and the UE perform primary authentication; the initial AMF receives a horizontal K_AMF derivation indication from the original AMF and decides to use the received K_AMF or security context; the initial AMF decides to use the K_AMF generated by horizontal K_AMF derivation received from the original AMF; the initial AMF selects a security algorithm different from the one selected by the original AMF; the target AMF should send an authentication request message with security protection; the target AMF shall protect the authentication request message; the target AMF should send a protected N1 message including an authentication request message.
It is understood that step 511 may be after step 507 and at any position before step 512, and the embodiment of the present application is not limited to which step 511 specifically precedes or succeeds.
As an example, the initial AMF may determine to send the NAS message to the target AMF through the (R) AN according to the local policy and subscription information.
512. The initial AMF sends the second routing information to the target AMF through the (R) AN, for example, the initial AMF sends the second routing information to the (R) AN, and the (R) AN receives the second routing information sent by the initial AMF.
In this embodiment of the application, the second routing information is used to instruct the target AMF to obtain, from the SCP, the UE context or the security context of the UE or the NAS security context established by the initial AMF and the UE or the current security context.
For example, the initial AMF sends the second routing information to the (R) AN, such as by sending a route NAS message to the (R) AN, where the route NAS message may include the second routing information. The (R) AN receives the route NAS message.
Optionally, the second routing information is further used to indicate any one or more of the following:
the target AMF acquires the UE context or the security context of the UE or the NAS security context established by the initial AMF and the UE or the current security context from a Service Communication Proxy (SCP);
the initial AMF and the UE perform the safety interaction of the NAS message;
the initial AMF and the UE successfully perform main authentication;
the initial AMF receives a horizontal K_AMF derivation indication (indicated by keyAmfHDerivationInd);
the initial AMF selects a new security algorithm;
the initial AMF sends the UE context or the security context of the UE or the NAS security context established by the initial AMF and the UE or the current security context to the SCP;
The second routing information may include any one or more of: routing information of the SCP, routing information of the UE context, routing information of the UE security context, routing information of the UE NAS security context, routing information of the current security context, routing information of a service request for requesting the UE security context, routing information of a service request for requesting the UE NAS security context, and routing information of a service request for requesting the current security context. For example, the second routing information may include any one or more of: an end point address of the SCP, an Internet Protocol (IP) address of the SCP, an instance identifier (instance ID) of the SCP, a set identifier (SCP set ID) of the SCP, a service instance identifier (service instance ID) of the SCP, a service instance set identifier (service set ID) of the SCP, and the like. It is understood that the second routing information may also include other information that may be used to address the SCP, or the UE context, or the UE security context, or the UE NAS security context, or the NAS security context established by the initial AMF and the UE, or the current security context, which is not limited in this application.
In this application, how the initial AMF obtains the end point address of the SCP, the Internet Protocol (IP) address of the SCP, the instance identifier (instance ID) of the SCP, the SCP set identifier (SCP set ID) of the SCP, the service instance identifier (service instance ID) of the SCP for requesting the UE context, the service instance identifier (service instance ID) of the SCP for requesting the UE security context, the service instance identifier (service instance ID) of the SCP for requesting the NAS security context of the UE, the service instance identifier (service instance ID) of the SCP for requesting the current UE security context, the service instance set identifier (service set ID) of the SCP, and the like is not limited.
Optionally, the initial AMF may decide, according to certain conditions, whether to send the second routing information to the target AMF through the (R)AN. For example, the initial AMF may send the second routing information to the target AMF through the (R)AN when any one or more of the following conditions are met:
the initial AMF and the UE have exchanged security-protected NAS messages;
the initial AMF and the UE have successfully performed the NAS security mode command procedure;
the initial AMF and the UE have successfully performed NAS SMC;
the initial AMF and the UE have established a new NAS security context;
the initial AMF and the UE have successfully performed primary authentication;
the initial AMF and the UE have activated NAS security;
the initial AMF has received a horizontal K_AMF derivation indication (for example, keyAmfHDerivationInd; rendered "level K_AMF derivation indication" in the machine translation);
the initial AMF has selected a new security algorithm;
the initial AMF has sent the UE context, the UE security context or the NAS security context of the UE to the SCP.
513. The (R)AN sends the second routing information to the target AMF, and the target AMF receives the second routing information.
Optionally, the (R)AN may also send an Initial UE message to the target AMF, where the Initial UE message includes the second routing information. The target AMF receives the Initial UE message.
514. The target AMF sends a second service request to the SCP according to the second routing information, and the SCP receives the second service request.
In this embodiment, the second service request may be used to request the UE context, the UE security context, the NAS security context of the UE, the NAS security context established between the initial AMF and the UE, or the current security context. The second service request may include identification information of the UE. Since the Initial UE message may carry the RR message, the identification information of the UE may be the identification information of the UE carried in the RR message of the Initial UE message received by the target AMF. The identification information of the UE may be a SUPI, a SUCI or a 5G-GUTI.
Optionally, after step 512 and before step 514, the registration method shown in fig. 5 further includes:
516. The target AMF acquires the UE context, the security context of the UE or the NAS security context of the UE from the original AMF. For example, the target AMF can request the UE context, the security context of the UE or the NAS security context of the UE from the original AMF through Namf_Communication_UEContextTransfer, and the original AMF can return it to the target AMF in the Namf_Communication_UEContextTransfer response.
In the case that the target AMF acquires the UE context, the security context of the UE or the NAS security context of the UE from the original AMF, the identification information of the UE included in the second service request may further include the UE identity carried in the UE context, the security context of the UE or the NAS security context of the UE acquired from the original AMF. For example, the identity of the UE may be a SUPI, a 5G-GUTI or a SUCI.
515. The SCP sends the UE context, the UE security context, the NAS security context of the UE, the NAS security context established between the initial AMF and the UE, or the current security context to the target AMF, and the target AMF receives it.
For example, the SCP finds the UE context, the UE security context, the NAS security context of the UE, the NAS security context established between the initial AMF and the UE, or the current security context according to the identification information of the UE included in the received second service request, and sends it to the target AMF.
Illustratively, the SCP sends a response to the second service request to the target AMF and includes in that response the UE context, the UE security context, the NAS security context of the UE, the NAS security context established between the initial AMF and the UE, the new NAS security context established between the initial AMF and the UE, or the current security context.
Optionally, if the initial AMF has sent the new K_AMF and the horizontal K_AMF derivation indication (for example, keyAmfHDerivationInd) to the SCP, the SCP may also send the horizontal K_AMF derivation indication and the new K_AMF to the target AMF. After receiving the horizontal K_AMF derivation indication and the new K_AMF, the target AMF sends a NAS SMC message to the UE that carries K_AMF_change_flag set to 1, which instructs the UE to perform the horizontal K_AMF derivation. After receiving the NAS SMC message, the UE performs the horizontal K_AMF derivation according to K_AMF_change_flag = 1 to produce the new K_AMF, and may then send a NAS Security Mode Complete message to the target AMF.
If the SCP receives the twentieth indication information, and/or the nineteenth indication information, and/or the eighteenth indication information, and/or the seventeenth indication information, and/or the sixteenth indication information sent by the initial AMF, the SCP sends the twentieth indication information, and/or the nineteenth indication information, and/or the eighteenth indication information, and/or the seventeenth indication information, and/or the sixteenth indication information to the target AMF. Optionally, the SCP sends the twentieth indication information, and/or the nineteenth indication information, and/or the eighteenth indication information, and/or the seventeenth indication information, and/or the sixteenth indication information to the target AMF through a response of the second service request.
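Steps 512 to 515 above, as a runnable model added here for illustration (this is not text or code from the patent, and the SCP instance IDs, UE identities, dictionary keys for the indications and the in-memory store are all constructed assumptions): the initial AMF stores the NAS security context it established with the UE at an SCP, hands the target AMF the second routing information through the (R)AN inside the Initial UE message, and the target AMF resolves that routing information and pulls the context back with a second service request keyed by the UE identity in the RR message. The second run shows the failure case the text leaves implicit: if the identity in the RR message does not match any identity the initial AMF stored, the SCP cannot find the context and the target AMF has to fall back to step 516.

```python
"""Steps 512-515 of the registration method as a runnable model.
Added illustration, not the patent's text; all identifiers are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NasSecurityContext:
    k_amf: bytes          # key shared by the UE and the initial AMF
    ngksi: int            # key set identifier
    int_alg: str          # selected NAS integrity algorithm
    enc_alg: str          # selected NAS ciphering algorithm


@dataclass
class FirstInformation:
    """What the initial AMF sends to the SCP: the context, the identities under which
    the UE may be looked up, and the indications to forward to the target AMF."""
    ctx: NasSecurityContext
    identities: tuple          # SUPI / 5G-GUTI / SUCI
    indications: dict          # e.g. {"k_amf_derivation_ind": True}


class Scp:
    """Service communication proxy; addressed by its instance ID (second routing information)."""
    registry: dict = {}

    def __init__(self, instance_id: str):
        self.instance_id = instance_id
        self._entries: dict = {}
        Scp.registry[instance_id] = self

    def store(self, info: FirstInformation) -> dict:
        for ident in info.identities:
            self._entries[ident] = info
        return {"scp_instance_id": self.instance_id}   # returned as second routing information

    def second_service_request(self, ue_identity: str) -> Optional[dict]:
        """Look the UE up by the identity carried in the RR message (step 515)."""
        info = self._entries.get(ue_identity)
        if info is None:
            return None
        return {"security_context": info.ctx, **info.indications}


# Conditions of step 512 under which the initial AMF sends the routing information (assumed keys).
SEND_ROUTING_TRIGGERS = (
    "nas_smc_success", "new_nas_security_context", "primary_auth_success",
    "nas_security_activated", "k_amf_derivation_ind", "new_algorithm_selected",
    "context_sent_to_scp",
)


def initial_amf_sends_second_routing_info(state: dict) -> bool:
    return any(state.get(trigger) for trigger in SEND_ROUTING_TRIGGERS)


def initial_amf_reroute(state: dict, scp: Scp, info: FirstInformation, rr_identity: str) -> dict:
    """Step 512: store the context at the SCP, then build what the (R)AN forwards unchanged
    to the target AMF in the Initial UE message (step 513)."""
    routing = scp.store(info)
    state["context_sent_to_scp"] = True
    initial_ue_message = {"rr": {"ue_identity": rr_identity}}
    if initial_amf_sends_second_routing_info(state):
        initial_ue_message["second_routing_information"] = routing
    return initial_ue_message


def target_amf_fetch_context(initial_ue_message: dict) -> dict:
    """Steps 513-515 from the target AMF's side."""
    routing = initial_ue_message.get("second_routing_information")
    if routing is None:
        return {"status": "no-routing-info"}   # fall back to Namf_Communication_UEContextTransfer (516)
    scp = Scp.registry.get(routing["scp_instance_id"])
    if scp is None:
        return {"status": "scp-unreachable"}
    response = scp.second_service_request(initial_ue_message["rr"]["ue_identity"])
    if response is None:
        return {"status": "unknown-ue"}        # RR identity does not match what the initial AMF stored
    return {"status": "ok", **response}


def run_example() -> dict:
    """Constructed end-to-end run; returns what the target AMF ends up holding."""
    Scp.registry.clear()
    scp = Scp("scp-instance-7")
    ctx = NasSecurityContext(k_amf=bytes.fromhex("00" * 31 + "01"), ngksi=3, int_alg="NIA2", enc_alg="NEA2")
    info = FirstInformation(ctx=ctx, identities=("imsi-001010123456789", "5g-guti-0001"),
                            indications={"k_amf_derivation_ind": True})
    state = {"nas_smc_success": True}
    msg = initial_amf_reroute(state, scp, info, rr_identity="5g-guti-0001")
    good = target_amf_fetch_context(msg)
    # a UE identified only by a SUCI that the initial AMF never stored cannot be resolved
    bad = target_amf_fetch_context({"rr": {"ue_identity": "suci-0-001-01-0000-0-0-0123456789"},
                                    "second_routing_information": msg["second_routing_information"]})
    return {"good": good, "bad": bad}
```

The lookup is deliberately keyed only on identities the initial AMF registered: whatever the second routing information addresses, the target AMF can only recover the context if the identity it reads from the RR message is one the initial AMF stored, which is why step 516 and the identity taken from the original AMF's context remain useful as a fallback.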
After the target AMF receives the response to the second service request, or after the target AMF receives the security context of the UE from the original AMF (516 in the figure), the target AMF performs any one of the following options:
Option one: the target AMF does not perform primary authentication, or the target AMF uses the received K_AMF or security context.
It should be understood that "the target AMF does not perform primary authentication, or the target AMF uses the received K_AMF or security context" means that the target AMF skips primary authentication and performs the other procedures of the registration process. The target AMF protects a third message according to the received K_AMF or security context and sends the third message to the UE. Specifically, the target AMF generates a NAS encryption/decryption key and a NAS integrity key from the received K_AMF or security context, and protects the third message with the generated NAS encryption/decryption key and/or NAS integrity key. Under this option the third message is any N1 message that does not include an Authentication Request.
In this embodiment, "the target AMF does not perform primary authentication" means that the target AMF uses the received K_AMF or security context.
Option two: the target AMF protects the Authentication Request message, and/or the target AMF sends a security-protected N1 message that includes the Authentication Request message. That is, the target AMF protects the Authentication Request message and sends the security-protected Authentication Request message to the UE; sending the security-protected Authentication Request message to the UE can be understood as sending a security-protected N1 message to the UE, where the N1 message includes the Authentication Request message.
It should be understood that "the target AMF protects the Authentication Request message" means that the target AMF protects the Authentication Request message according to the received K_AMF or security context and sends the security-protected Authentication Request message. Specifically, the target AMF generates a NAS encryption/decryption key and a NAS integrity key from the received K_AMF or security context, protects the Authentication Request message with the generated NAS encryption/decryption key and/or NAS integrity key, and sends the security-protected Authentication Request message.
It should be understood that "the target AMF sends the security-protected Authentication Request message" likewise means that the target AMF protects the Authentication Request message according to the received K_AMF or security context and sends the security-protected Authentication Request message. Specifically, the target AMF generates a NAS encryption/decryption key and a NAS integrity key from the received K_AMF or security context, protects the Authentication Request message with the generated NAS encryption/decryption key and/or NAS integrity key, and sends the security-protected Authentication Request message.
It should be understood that, in this embodiment, "the target AMF sends a security-protected N1 message that includes the Authentication Request message" means that the target AMF protects the N1 message according to the received K_AMF or security context and sends the security-protected N1 message. Specifically, the target AMF generates a NAS encryption/decryption key and a NAS integrity key from the received K_AMF or security context, protects the N1 message with the generated NAS encryption/decryption key and/or NAS integrity key, and sends the security-protected N1 message. The N1 message here includes the Authentication Request message.
Option three: the target AMF sends an Authentication Request message without security protection, or the target AMF initiates NAS SMC.
Option four: the target AMF does not perform primary authentication; or the target AMF protects the Authentication Request message; or the target AMF sends a security-protected N1 message that includes the Authentication Request message.
It should be understood that, in this embodiment, "the target AMF does not perform primary authentication" (that is, the target AMF uses the received K_AMF or security context) means that the target AMF skips primary authentication and performs the other procedures of the registration process. In this implementation the target AMF protects a third message according to the received K_AMF or security context; specifically, the target AMF generates a NAS encryption/decryption key and a NAS integrity key from the received K_AMF or security context and protects the third message with the generated NAS encryption/decryption key and/or NAS integrity key. Under this option the third message is any N1 message that does not include an Authentication Request.
"The target AMF protects the Authentication Request message" means that the target AMF protects the Authentication Request message according to the received K_AMF or security context and sends the security-protected Authentication Request message. Specifically, the target AMF generates a NAS encryption/decryption key and a NAS integrity key from the received K_AMF or security context, protects the Authentication Request message with the generated NAS encryption/decryption key and/or NAS integrity key, and sends the security-protected Authentication Request message.
As a possible implementation of option one: after the target AMF receives the response to the second service request, or after the target AMF receives the security context from the original AMF, the target AMF does not perform primary authentication, or the target AMF uses the received K_AMF or security context.
As another possible implementation of option one: after receiving the response to the second service request, the target AMF determines whether AMF redirection or NAS rerouting via the RAN (NAS reroute via RAN) has occurred. If AMF redirection or NAS rerouting via the RAN has occurred, the target AMF does not perform primary authentication, or the target AMF uses the received K_AMF or security context. The target AMF determines that AMF redirection or NAS rerouting via the RAN has occurred according to any one or more of the following conditions:
the target AMF receives a registration request message that is a complete registration request message without integrity protection; the target AMF receives a complete registration request message; the target AMF receives a registration request message without integrity protection; the Initial UE message received by the target AMF includes a Source to Target AMF Information Reroute information element (Source to Target AMF Information Reroute IE); the Initial UE message received by the target AMF includes network slice selection assistance information (NSSAI); the Initial UE message received by the target AMF includes configured NSSAI and/or rejected NSSAI; the target AMF receives the first routing information.
As another possible implementation of option one: if the target AMF receives a horizontal K_AMF derivation indication (that is, the target AMF receives the horizontal K_AMF derivation indication sent by the initial AMF via the SCP, or the response to the second service request received by the target AMF includes the horizontal K_AMF derivation indication, or the target AMF receives the horizontal K_AMF derivation indication sent by the SCP), the target AMF, according to that indication, does not perform primary authentication, or uses the received K_AMF or security context.
Otherwise, if the target AMF does not receive a horizontal K_AMF derivation indication, the target AMF may perform any one of the following operations:
Operation one: the target AMF still does not perform primary authentication, or uses the received K_AMF or security context;
Operation two: if the target AMF performs primary authentication according to its local policy, the target AMF shall protect the Authentication Request message according to the received K_AMF or security context and send the security-protected Authentication Request message; if the target AMF does not perform primary authentication according to its local policy, the target AMF shall protect the N1 message according to the received K_AMF or security context and send the security-protected N1 message;
Operation three: the target AMF shall protect an N1 message that includes the Authentication Request message according to the received K_AMF or security context, and send the security-protected N1 message, which includes the security-protected Authentication Request message.
As a possible implementation of option one: if the target AMF receives the twentieth indication information (that is, the target AMF receives the twentieth indication information sent by the initial AMF via the SCP, or the response to the second service request received by the target AMF includes the twentieth indication information, or the target AMF receives the twentieth indication information sent by the SCP), the target AMF, according to the twentieth indication information, does not perform primary authentication, or uses the received K_AMF or security context. The twentieth indication information is used to indicate that the target AMF does not perform primary authentication, or that the target AMF uses the received K_AMF or security context.
If the target AMF does not receive the twentieth indication information, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall send an Authentication Request message without security protection, or the target AMF shall protect the Authentication Request message according to the received K_AMF or security context and send the security-protected Authentication Request message;
Operation two: if the target AMF decides not to perform primary authentication, the target AMF sends an N1 message without security protection, or the target AMF shall protect the N1 message according to the received K_AMF or security context and send the security-protected N1 message;
Operation three: the target AMF shall send an N1 message without security protection that includes the Authentication Request message.
Operation four: the target AMF shall protect the N1 message according to the received K_AMF or security context and send the security-protected N1 message, which includes the Authentication Request message.
If the target AMF does not receive the twentieth indication information, the target AMF may alternatively perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication and the target AMF does not receive a horizontal K_AMF derivation indication, the target AMF shall send an Authentication Request message without security protection, or the target AMF shall protect the Authentication Request message according to the received K_AMF or security context and send the security-protected Authentication Request message;
Operation two: if the target AMF receives a horizontal K_AMF derivation indication, the target AMF shall not perform primary authentication, or the target AMF uses the received K_AMF or security context, or the target AMF shall perform NAS SMC.
Operation three: if the target AMF decides to perform primary authentication, the target AMF shall send an Authentication Request message without security protection.
If the target AMF does not receive the twentieth indication information, the target AMF may alternatively perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication and the target AMF does not receive a horizontal K_AMF derivation indication, the target AMF shall protect the Authentication Request message according to the received K_AMF or security context and send the security-protected Authentication Request message;
Operation two: if the target AMF decides to perform primary authentication and the target AMF receives a horizontal K_AMF derivation indication, the target AMF shall send an Authentication Request message without security protection.
As a possible implementation of option two: if the target AMF receives the nineteenth indication information (that is, the target AMF receives the nineteenth indication information sent by the initial AMF via the SCP, or the target AMF receives the nineteenth indication information sent by the SCP, or the response to the second service request received by the target AMF includes the nineteenth indication information), then when the target AMF decides to perform primary authentication, the target AMF shall protect the Authentication Request message according to the nineteenth indication information; specifically, the target AMF shall protect the Authentication Request message according to the received K_AMF or security context and send the security-protected Authentication Request message, or the target AMF shall send a security-protected N1 message that includes the Authentication Request message according to the nineteenth indication information. The nineteenth indication information is used to indicate that the target AMF protects the Authentication Request message.
The nineteenth indication information may also be used to indicate any one or more of the following: security-protected NAS messages have been exchanged between the initial AMF and the UE; NAS SMC has been successfully performed between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the original AMF; the initial AMF uses the K_AMF produced by the horizontal K_AMF derivation received from the original AMF; the initial AMF has received a horizontal K_AMF derivation indication from the original AMF and has decided to use the K_AMF received from the original AMF.
If the target AMF does not receive the nineteenth indication information, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall send an Authentication Request message without security protection;
Operation two: if the target AMF decides not to perform primary authentication, the target AMF sends an N1 message without security protection, or the target AMF shall protect the N1 message according to the received K_AMF or security context and send the security-protected N1 message;
Operation three: the target AMF shall send an N1 message without security protection that includes the Authentication Request message.
Operation four: if the target AMF decides to perform primary authentication and the target AMF does not receive a horizontal K_AMF derivation indication, the target AMF shall send an Authentication Request message without security protection, or the target AMF shall protect the Authentication Request message according to the received K_AMF or security context and send the security-protected Authentication Request message.
Operation five: if the target AMF decides to perform primary authentication and the target AMF receives a horizontal K_AMF derivation indication, the target AMF shall send an Authentication Request message without security protection.
As a possible implementation of option two: after receiving the response to the second service request, the target AMF determines whether AMF redirection or NAS rerouting via the RAN (also referred to as direct NAS reroute) has occurred. If AMF redirection or NAS rerouting via the RAN has occurred, then when the target AMF decides to perform primary authentication it shall protect the Authentication Request message; specifically, it shall protect the Authentication Request message according to the received K_AMF or security context and send the security-protected Authentication Request message, or the target AMF shall send a security-protected N1 message that includes the Authentication Request message. The target AMF determines that AMF redirection or NAS rerouting via the RAN has occurred according to any one or more of the following conditions:
the target AMF receives a registration request message that is a complete registration request message without integrity protection; the target AMF receives a complete registration request message; the target AMF receives a registration request message without integrity protection; the Initial UE message received by the target AMF includes a Source to Target AMF Information Reroute information element (Source to Target AMF Information Reroute IE); the Initial UE message received by the target AMF includes network slice selection assistance information (NSSAI); the Initial UE message received by the target AMF includes configured NSSAI and/or rejected NSSAI; the target AMF receives the first routing information.
As another possible implementation of option two: after the target AMF receives the response to the second service request, if the target AMF decides to perform primary authentication, the target AMF shall protect the Authentication Request message, or the target AMF shall send a security-protected N1 message that includes the Authentication Request message. "The target AMF shall protect the Authentication Request message" means that the target AMF protects the Authentication Request message according to the received K_AMF or security context and sends the security-protected Authentication Request message; "the target AMF shall send a security-protected N1 message" means that the target AMF protects the N1 message according to the received K_AMF or security context and sends the security-protected N1 message.
As a possible implementation of option three: if the target AMF receives the eighteenth indication information (that is, the target AMF receives the eighteenth indication information sent by the initial AMF via the SCP, or the target AMF receives the eighteenth indication information sent by the SCP, or the response to the second service request received by the target AMF includes the eighteenth indication information), then when the target AMF decides to perform primary authentication, the target AMF shall send an Authentication Request message without security protection according to the eighteenth indication information, or the target AMF shall initiate NAS SMC according to the eighteenth indication information. The eighteenth indication information is used to instruct the target AMF to send an Authentication Request message without security protection. The eighteenth indication information may be a horizontal K_AMF derivation indication.
If the target AMF does not receive the eighteenth indication information, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall protect the Authentication Request message according to the received K_AMF or security context and send the security-protected Authentication Request message.
Operation two: if the target AMF decides not to perform primary authentication, the target AMF shall protect the N1 message according to the received K_AMF or security context and send the security-protected N1 message;
Operation three: the target AMF shall protect the N1 message according to the received K_AMF or security context and send the security-protected N1 message, which includes the Authentication Request message.
The eighteenth indication information may also be used to indicate any one or more of the following:
the initial AMF has performed horizontal K_AMF derivation; the initial AMF has generated a new K_AMF; the target AMF shall send an Authentication Request message without security protection; the target AMF shall initiate NAS SMC.
As a possible implementation of option four: if the target AMF receives a horizontal K_AMF derivation indication, the target AMF shall not perform primary authentication, or the target AMF shall use the received K_AMF or security context, or the target AMF initiates NAS SMC. Otherwise, if the target AMF does not receive a horizontal K_AMF derivation indication but receives the seventeenth indication information, then:
if the target AMF decides to initiate primary authentication, the target AMF shall send a security-protected Authentication Request message according to the seventeenth indication information, or
the target AMF shall send a security-protected N1 message that includes the Authentication Request message according to the seventeenth indication information.
The seventeenth indication information is used to indicate that the target AMF sends a security-protected Authentication Request message, or that the target AMF sends a security-protected N1 message.
If the target AMF receives neither the seventeenth indication information nor a horizontal K_AMF derivation indication, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall protect the Authentication Request message according to the received K_AMF or security context and send the security-protected Authentication Request message, or the target AMF sends an Authentication Request message without security protection.
Operation two: if the target AMF decides not to perform primary authentication, the target AMF shall protect the N1 message according to the received K_AMF or security context and send the security-protected N1 message, or the target AMF shall send an N1 message without security protection.
Operation three: the target AMF shall protect the N1 message according to the received K_AMF or security context and send the security-protected N1 message, which includes the Authentication Request message.
Operation four: the target AMF shall send an N1 message without security protection that includes the Authentication Request message.
As another possible implementation of option four: if the target AMF receives both the sixteenth indication information and a horizontal K_AMF derivation indication, the target AMF shall not perform primary authentication, or the target AMF shall use the received K_AMF or security context. Otherwise, if the target AMF does not receive a horizontal K_AMF derivation indication but receives the sixteenth indication information, then if the target AMF decides to initiate primary authentication, the target AMF shall send a security-protected Authentication Request message according to the sixteenth indication information; or
the target AMF shall send a security-protected N1 message according to the sixteenth indication information, where the N1 message includes the Authentication Request message.
The sixteenth indication information is used to instruct the target AMF to send a security-protected Authentication Request message.
If the target AMF does not receive the sixteenth indication information but receives a horizontal K_AMF derivation indication, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall send an Authentication Request message without security protection.
Operation two: if the target AMF decides not to perform primary authentication, the target AMF shall protect the N1 message according to the received K_AMF or security context and send the security-protected N1 message, or the target AMF shall send an N1 message without security protection, or the target AMF initiates NAS SMC;
Operation three: the target AMF shall send an N1 message without security protection that includes the Authentication Request message.
If the target AMF receives neither the sixteenth indication information nor a horizontal K_AMF derivation indication, the target AMF may perform any one of the following operations:
Operation one: if the target AMF decides to perform primary authentication, the target AMF shall send an Authentication Request message without security protection, or the target AMF shall protect the Authentication Request message according to the received K_AMF or security context and send the security-protected Authentication Request message.
Operation two: if the target AMF decides not to perform primary authentication, the target AMF shall protect the N1 message according to the received K_AMF or security context and send the security-protected N1 message, or the target AMF shall send an N1 message without security protection;
Operation three: the target AMF shall send an N1 message without security protection that includes the Authentication Request message.
Operation four: the target AMF shall send a security-protected N1 message that includes the Authentication Request message.
The sixteenth indication information may also be used to indicate any one or more of the following:
security-protected NAS messages have been exchanged between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the NAS SMC procedure has been successfully performed between the initial AMF and the UE; primary authentication has been performed between the initial AMF and the UE; the initial AMF has received a horizontal K_AMF derivation indication from the original AMF and has decided to use the received K_AMF or security context; the initial AMF has decided to use the K_AMF produced by the horizontal K_AMF derivation received from the original AMF; the initial AMF has selected a security algorithm different from the one selected by the original AMF; the target AMF shall send a security-protected Authentication Request message; the target AMF shall protect the Authentication Request message; the target AMF shall send a protected N1 message that includes the Authentication Request message.
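The target AMF's choice between the options above, together with the NAS SMC exchange carrying K_AMF_change_flag described under step 515, as an added runnable illustration (not the patent's text or any vendor's code). The decision function is one consistent reading of the option one to four rules: an indication forwarded by the SCP overrides the target AMF's local policy, and with no indication local policy decides and any Authentication Request is sent protected with the received context. The key derivation and the NAS MAC are HMAC-SHA256 stand-ins and not the 3GPP KDF of TS 33.501 Annex A or NIA2; binding the horizontal derivation to the UL NAS COUNT of the RR is a placeholder choice; and the patent's indication names (sixteenth to twentieth, the horizontal K_AMF derivation indication) are used as constructed dictionary keys.

```python
"""Target AMF decision after steps 515/516, plus the NAS SMC / K_AMF_change_flag exchange.
Added illustration; KDF, MAC and parameter binding are stand-ins (see lead-in)."""
import hashlib
import hmac
from enum import Enum


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Stand-in key derivation (assumption): HMAC-SHA256(key, label || params)."""
    return hmac.new(key, label + b"".join(params), hashlib.sha256).digest()


def horizontal_k_amf(k_amf: bytes, ul_nas_count: int) -> bytes:
    """The patent's horizontal K_AMF derivation: a fresh K_AMF from the current one."""
    return kdf(k_amf, b"K_AMF-horizontal", ul_nas_count.to_bytes(4, "big"))


def nas_int_key(k_amf: bytes, int_alg: str) -> bytes:
    return kdf(k_amf, b"NAS-int", int_alg.encode())[:16]


def nas_mac(k_int: bytes, count: int, body: bytes) -> bytes:
    return hmac.new(k_int, count.to_bytes(4, "big") + body, hashlib.sha256).digest()[:4]


class Action(Enum):
    SKIP_PRIMARY_AUTH = "option one: no primary authentication, use received K_AMF / security context"
    PROTECTED_AUTH_REQUEST = "option two: security-protected Authentication Request"
    UNPROTECTED_AUTH_REQUEST = "option three: Authentication Request without security protection"
    NAS_SMC = "option three: initiate NAS SMC"


def target_amf_decide(ind: dict, wants_primary_auth: bool) -> Action:
    """Indications from the initial AMF (via the SCP) take precedence over local policy."""
    if ind.get("k_amf_derivation_ind") or ind.get("twentieth"):
        return Action.SKIP_PRIMARY_AUTH
    if ind.get("eighteenth"):
        return Action.UNPROTECTED_AUTH_REQUEST if wants_primary_auth else Action.NAS_SMC
    if wants_primary_auth:
        return Action.PROTECTED_AUTH_REQUEST   # also what the 16th/17th/19th indications require
    return Action.SKIP_PRIMARY_AUTH


def target_amf_build_nas_smc(received: dict) -> tuple:
    """Protect the NAS SMC with the K_AMF fetched from the SCP; K_AMF_change_flag=1 tells the
    UE to run the horizontal derivation so that both sides hold the same new K_AMF."""
    flag = 1 if received.get("k_amf_derivation_ind") else 0
    body = f"NAS-SMC;int_alg={received['int_alg']};K_AMF_change_flag={flag}".encode()
    k_int = nas_int_key(received["k_amf"], received["int_alg"])
    return {"body": body, "dl_nas_count": 0, "mac": nas_mac(k_int, 0, body)}, k_int


def ue_handle_nas_smc(ue: dict, msg: dict) -> dict:
    """UE side: derive the new K_AMF first when the flag is set, then verify the MAC."""
    fields = dict(f.split("=") for f in msg["body"].decode().split(";")[1:])
    k_amf = ue["k_amf"]
    if fields["K_AMF_change_flag"] == "1":
        k_amf = horizontal_k_amf(k_amf, ue["ul_nas_count_rr"])
    k_int = nas_int_key(k_amf, fields["int_alg"])
    if not hmac.compare_digest(nas_mac(k_int, msg["dl_nas_count"], msg["body"]), msg["mac"]):
        raise ValueError("NAS SMC integrity check failed")
    ue["k_amf"] = k_amf                          # take the new context into use
    body, count = b"NAS-Security-Mode-Complete", ue["ul_nas_count_rr"] + 1
    return {"body": body, "ul_nas_count": count, "mac": nas_mac(k_int, count, body)}


def run_example() -> dict:
    """Constructed run: the initial AMF derived a new K_AMF and stored it at the SCP with the
    derivation indication; the target AMF uses it and the UE catches up via the flag."""
    k_amf_original, ul_count_rr = bytes(range(32)), 5
    k_amf_new = horizontal_k_amf(k_amf_original, ul_count_rr)     # done by the initial AMF
    from_scp = {"k_amf": k_amf_new, "int_alg": "NIA2", "k_amf_derivation_ind": True}
    decision = target_amf_decide(from_scp, wants_primary_auth=True)
    smc, k_int_amf = target_amf_build_nas_smc(from_scp)
    ue = {"k_amf": k_amf_original, "ul_nas_count_rr": ul_count_rr}   # UE still holds the old key
    complete = ue_handle_nas_smc(ue, smc)
    verified = hmac.compare_digest(nas_mac(k_int_amf, complete["ul_nas_count"], complete["body"]), complete["mac"])
    # an on-path downgrade that clears the flag leaves the UE on the old K_AMF and fails the check
    stale_ue = {"k_amf": k_amf_original, "ul_nas_count_rr": ul_count_rr}
    stale_smc = dict(smc, body=smc["body"].replace(b"K_AMF_change_flag=1", b"K_AMF_change_flag=0"))
    try:
        ue_handle_nas_smc(stale_ue, stale_smc)
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return {"decision": decision, "ue_k_amf": ue["k_amf"], "target_k_amf": k_amf_new,
            "complete_verified": verified, "stale_rejected": stale_rejected}
```

The point the page makes in prose is visible in the run: because the target AMF received the already-derived K_AMF from the SCP, it skips primary authentication and the only thing the UE needs is the integrity-protected flag telling it to perform the same derivation; since the flag is under the MAC, stripping it does not let a stale key slip through.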
Optionally, when the registration method shown in fig. 5 includes step 516, the method shown in fig. 5 may further include:
517. the target AMF deletes the UE context or the UE security context or the NAS security context of the UE acquired from the original AMF.
It should be noted that whether the UE context, the security context of the UE, or the NAS security context of the UE acquired by the target AMF from the original AMF is the same as that acquired from the SCP is not limited in this embodiment of the present application.
In the embodiment of the present application, the initial AMF sends first information to the SCP, where the first information includes the UE context, the UE security context, the NAS security context of the UE, the NAS security context established by the initial AMF and the UE, or the current UE security context, so that after the initial AMF sends the second routing information to the target AMF through the (R)AN, the target AMF can obtain that context directly from the SCP. Because the NAS security context of the UE is the one established between the UE and the initial AMF, the target AMF is able to acquire it, which avoids a registration failure at the target AMF and ensures that registration at the target AMF succeeds.
Fig. 6 is a schematic flowchart of a registration method provided in an embodiment of the present application, and as shown in fig. 6, the registration method includes:
it is understood that the specific implementation of 601 to 610 in fig. 6 can refer to the registration method shown in 201-210 in fig. 2, and will not be described in detail here.
611. The initial AMF determines to redirect the NAS message to the target AMF through the (R)AN (i.e. NAS reroute via (R)AN); the initial AMF sends third information to the SCP; the SCP receives the third information sent by the initial AMF.
For example, the third information includes the identification information of the UE and the UE context, or
The third information includes identification information of the UE and security context of the UE, or
The third information comprises identification information of the UE and NAS security context of the UE, or
The third information includes identification information of the UE and NAS security context established by the initial AMF and the UE, or
The third information includes identification information of the UE and a current security context.
The identity information of the UE may be the SUCI, SUPI, 5G-GUTI, or the like of the UE.
Optionally, the identification information of the UE is the SUCI or 5G-GUTI carried in the registration request message received by the initial AMF.
Optionally, the initial AMF may further determine whether the third information needs to be sent to the SCP according to some conditions. If one or more of the following conditions are met, the initial AMF sends the third information to the SCP:
the initial AMF and the UE perform the safety interaction of the NAS message;
the initial AMF and the UE successfully perform the NAS security mode control flow;
the initial AMF and the UE successfully perform NAS SMC;
the initial AMF and the UE establish a new NAS security context;
the initial AMF and the UE successfully perform main authentication;
the initial AMF and the UE activate NAS security;
the initial AMF receives a horizontal KAMF derivation indication (the keyAMFHDerivationInd indication);
the initial AMF selects a new security algorithm.
Optionally, before the initial AMF sends the third information to the SCP, the initial AMF may further determine, according to a local policy or a local configuration, whether to perform horizontal KAMF derivation. In the case that the initial AMF determines to perform horizontal KAMF derivation, the initial AMF performs the horizontal KAMF derivation to produce a new KAMF. Further, the initial AMF may also send the new KAMF and a horizontal KAMF derivation indicator, such as keyAMFHDerivationInd, to the SCP.
It is understood that step 611 may be after step 607 and anywhere before step 612, and the embodiment of the present application is not limited to which step 611 specifically precedes or succeeds.
612. The initial AMF sends the second indication information to the target AMF through the (R) AN, namely the initial AMF sends the second indication information to the (R) AN, and the (R) AN receives the second indication information.
The second indication information may be used to instruct the target AMF to obtain the UE context or the security context of the UE or the NAS security context of the UE from the SCP, or the NAS security context established by the initial AMF and the UE or the current security context. Optionally, the second indication information may be further used to indicate one or more of the following:
the initial AMF and the UE perform the safety interaction of the NAS message;
the initial AMF and the UE successfully perform the NAS security mode control flow;
the initial AMF and the UE successfully perform NAS SMC;
the initial AMF and the UE establish a new NAS security context;
the initial AMF and the UE successfully perform main authentication;
the initial AMF and the UE activate NAS security;
the initial AMF receives a horizontal KAMF derivation indication (the keyAMFHDerivationInd indication);
the initial AMF selects a new security algorithm;
the initial AMF sends the UE context or the UE security context or the NAS security context of the UE or the NAS security context established by the initial AMF and the UE to the SCP.
Optionally, the initial AMF may further determine whether to send the second indication information to the target AMF through some conditions. For example, the initial AMF may send the second indication information to the target AMF when one or more of the following conditions are met.
The initial AMF and the UE perform the safety interaction of the NAS message;
the initial AMF and the UE successfully perform the NAS security mode control flow;
the initial AMF and the UE successfully perform NAS SMC;
the initial AMF and the UE establish a new NAS security context;
the initial AMF and the UE successfully perform main authentication;
the initial AMF and the UE activate NAS security;
the initial AMF receives a horizontal KAMF derivation indication (the keyAMFHDerivationInd indication);
the initial AMF selects a new security algorithm;
the initial AMF sends UE context or UE security context or UE NAS security context or NAS security context established by the initial AMF and the UE or current security context to the SCP.
Optionally, the initial AMF sends a route NAS message to the (R) AN, and includes the second indication information in the route NAS message. (R) the AN receives the route NAS message.
613. The RAN sends the second indication information to the target AMF, and the target AMF receives the second indication information.
Optionally, (R) the AN sends AN initial UE message to the target AMF, where the initial UE message includes the received second indication information. The target AMF receives the initial UE message.
614. And the target AMF sends a fifth service request to the SCP according to the second indication information, and the SCP receives the fifth service request.
In this embodiment, the fifth service request may be used to request a UE context or a security context of the UE or a NAS security context or a current security context established by the initial AMF and the UE. The fifth service request may include identification information of the UE. Since the RR message may be included in the received initial UE message, the identification information of the UE may include the identification information of the UE in the RR message included in the initial UE message received by the target AMF. The identity information of the UE may be SUPI, or SUCI, or 5G-GUTI.
Optionally, before step 613 and after step 612, the registration method shown in fig. 6 further includes:
616. The target AMF acquires the UE context, the security context of the UE, or the NAS security context of the UE from the original AMF. For example, the target AMF may request the UE context, the security context of the UE, or the NAS security context of the UE from the original AMF through Namf_Communication_UEContextTransfer, and the original AMF may send it to the target AMF through the Namf_Communication_UEContextTransfer response.
When the target AMF acquires the UE context, the security context of the UE, or the NAS security context of the UE from the original AMF, the UE identity information included in the fifth service request may further include the UE identity contained in the context acquired from the original AMF. For example, the identity of the UE may be the SUPI, 5G-GUTI, or SUCI.
Specifically, after receiving the second indication information, the target AMF may address the SCP that holds the UE context, the security context of the UE, the NAS security context of the UE, or the current security context, and send the fifth service request to that SCP. As an example, the target AMF may obtain routing information of the SCP according to the current policy and/or the current configuration information, or the target AMF may obtain information about the SCP from another network function or network entity (such as an NRF); how the target AMF finds the SCP is not limited in the embodiments of the present application.
615. The SCP acquires, according to the identification information of the UE, the UE context corresponding to the identification information, the security context of the UE, the NAS security context established by the initial AMF and the UE, or the current security context, and sends a fifth service request response to the target AMF, where the fifth service request response includes the UE context, the security context of the UE, or the NAS security context established by the initial AMF and the UE; the target AMF receives the fifth service request response.
Optionally, in the case that the initial AMF sends the new KAMF and a horizontal KAMF derivation indicator, such as keyAMFHDerivationInd, to the SCP, the SCP may also send the horizontal KAMF derivation indication and the new KAMF to the target AMF. After the target AMF receives the horizontal KAMF derivation indication and the new KAMF, the target AMF sends a NAS SMC message to the UE, where the NAS SMC message includes a K_AMF_change_flag with a value of 1, used to instruct the UE to perform horizontal KAMF derivation. Further, after the UE receives the NAS SMC message, the UE may send a NAS SMP message to the target AMF.
Optionally, when the registration method shown in fig. 6 includes step 616, the method shown in fig. 6 may further include:
617. the target AMF deletes the UE context or the UE security context or the NAS security context of the UE acquired from the original AMF.
It should be noted that, whether the UE context or the security context of the UE or the NAS security context of the UE acquired by the target AMF from the original AMF is the same as that acquired from the SCP, which is not limited in this embodiment of the present invention.
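The fig. 6 flow (steps 611 to 617) modelled as a small simulation, added here as an illustration and not code from the patent: the initial AMF checks the step 611 conditions, parks the NAS security context at the SCP when they hold, the second indication travels to the target AMF in the initial UE message, and the target AMF pulls the context with the fifth service request and drops the stale copy it may have fetched from the original AMF (step 617). Class names, message field names and the sample contexts are assumptions.

```python
"""Added example, not code from the patent: a toy model of the fig. 6 flow
(steps 611 to 617), NAS reroute via the (R)AN with the NAS security context
parked at the SCP.  Class names, message fields and sample values are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class NasSecurityContext:
    kamf: bytes      # K_AMF shared between the UE and the AMF that owns the context
    ngksi: int       # key set identifier
    int_alg: str     # selected NAS integrity algorithm
    enc_alg: str     # selected NAS ciphering algorithm


@dataclass
class UeState:
    """What the initial AMF knows about its interaction with the UE so far."""
    ue_id: str                                   # SUCI or 5G-GUTI from the registration request
    nas_smc_succeeded: bool = False
    new_nas_context: bool = False
    primary_auth_succeeded: bool = False
    nas_security_activated: bool = False
    horizontal_kamf_ind_received: bool = False   # keyAMFHDerivationInd
    new_algorithm_selected: bool = False


def must_send_third_information(st: UeState) -> bool:
    """Step 611 conditions: if any one holds, the SCP must receive the context,
    otherwise the target AMF cannot read the UE's protected NAS messages."""
    return any([st.nas_smc_succeeded, st.new_nas_context, st.primary_auth_succeeded,
                st.nas_security_activated, st.horizontal_kamf_ind_received,
                st.new_algorithm_selected])


class Scp:
    """Service Communication Proxy holding third information keyed by UE identity."""
    def __init__(self) -> None:
        self._contexts: Dict[str, NasSecurityContext] = {}

    def store_third_information(self, ue_id: str, ctx: NasSecurityContext) -> None:
        self._contexts[ue_id] = ctx

    def fifth_service_request(self, ue_id: str) -> Optional[NasSecurityContext]:
        # Step 615: look the context up by the identity carried in the request
        return self._contexts.get(ue_id)


class InitialAmf:
    def __init__(self, scp: Scp) -> None:
        self.scp = scp

    def reroute_via_ran(self, st: UeState, ctx: NasSecurityContext) -> dict:
        """Steps 611/612: park the context at the SCP when required, then build the
        second indication carried to the target AMF inside the reroute NAS message."""
        stored = must_send_third_information(st)
        if stored:
            self.scp.store_third_information(st.ue_id, ctx)
        second_indication = {"fetch_from_scp": stored,
                             "nas_smc_succeeded": st.nas_smc_succeeded,
                             "nas_security_activated": st.nas_security_activated}
        return {"ue_id": st.ue_id, "second_indication": second_indication}


class TargetAmf:
    def __init__(self, scp: Scp, ctx_from_original_amf: Optional[NasSecurityContext]) -> None:
        self.scp = scp
        # Step 616 (optional): copy obtained via Namf_Communication_UEContextTransfer
        self.ctx_from_original_amf = ctx_from_original_amf

    def on_initial_ue_message(self, msg: dict) -> dict:
        """Steps 613 to 617: act on the second indication delivered by the (R)AN."""
        ctx = None
        if msg["second_indication"]["fetch_from_scp"]:
            ctx = self.scp.fifth_service_request(msg["ue_id"])     # step 614
        deleted = False
        if ctx is not None and self.ctx_from_original_amf is not None:
            self.ctx_from_original_amf = None                      # step 617
            deleted = True
        if ctx is not None:
            return {"context_source": "SCP", "context": ctx, "original_copy_deleted": deleted}
        return {"context_source": "original AMF", "context": self.ctx_from_original_amf,
                "original_copy_deleted": deleted}


def run_fig6(conditions_met: bool) -> dict:
    """Drive one reroute on constructed sample contexts and report where the
    target AMF's working NAS security context came from."""
    scp = Scp()
    old_ctx = NasSecurityContext(b"\x11" * 32, 1, "NIA1", "NEA1")  # held by the original AMF
    new_ctx = NasSecurityContext(b"\x22" * 32, 2, "NIA2", "NEA2")  # set up by the initial AMF
    st = UeState("suci-0-001-01-0000-0-0-1234567890", nas_smc_succeeded=conditions_met)
    msg = InitialAmf(scp).reroute_via_ran(st, new_ctx)
    return TargetAmf(scp, old_ctx).on_initial_ue_message(msg)
```

With `run_fig6(True)` the target AMF ends up with the context the initial AMF established (ngKSI 2) and discards the original AMF's copy; with `run_fig6(False)` nothing was parked at the SCP and the target AMF keeps working with the context from the original AMF, which is exactly the registration-failure case the text says the SCP hand-off is meant to avoid.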
Fig. 7 is a schematic flowchart of a registration method provided in an embodiment of the present application, and as shown in fig. 7, the registration method includes:
it is understood that the specific implementation manners 701 to 710 in fig. 7 can be the registration method of 201-210 shown in fig. 2, and will not be described in detail here.
711. The initial AMF determines NAS redirection by SCP. And the initial AMF sends second information to the target AMF through the SCP, wherein the second information comprises complete registration request information, UE related information and third routing information. That is, the initial AMF sends the second information to the SCP, which receives the second information. The UE-related information comprises a UE context, or a UE security context, or a NAS security context of the UE, or a NAS security context established by the initial AMF and the UE or a current UE context.
In this embodiment, the third routing information may include routing information of the target AMF. For example, the third routing information may include any one or more of: an end point address (end point address) of the target AMF, an Internet Protocol (IP) address of the target AMF, an instance Identifier (instance ID) of the target AMF, an AMF set Identifier (AMF set ID) of the target AMF, a Globally Unique AMF Identifier (GUAMI) of the target AMF, a service instance Identifier (service instance ID) for a UE context provided by the target AMF, a service instance set Identifier (service ID) of the target AMF, and the like. It is understood that the third routing information may also include other information that may be used to address the target AMF, and the application is not limited thereto.
Optionally, before the initial AMF sends the second information to the SCP, the initial AMF may further determine, according to a local policy or a local configuration, whether to perform horizontal KAMF derivation. In the case that the initial AMF determines to perform horizontal KAMF derivation, the initial AMF performs the horizontal KAMF derivation to produce a new KAMF. Further, the initial AMF may also send the new KAMF and a horizontal KAMF derivation indication, such as the keyAMFHDerivationInd indication, to the SCP.
Optionally, the initial AMF determines to perform NAS redirection through the SCP according to the local policy and the subscription information.
Optionally, when the initial AMF determines that the NAS redirection through the (R) AN is not possible or determines that the NAS redirection through the (R) AN is required, and the initial AMF determines that one or more of the following conditions are satisfied, the initial AMF may determine that the NAS redirection through the SCP is performed:
the initial AMF and the UE perform the safety interaction of the NAS message;
the initial AMF and the UE successfully perform the NAS security mode control flow;
the initial AMF and the UE successfully perform NAS SMC;
the initial AMF and the UE establish a new NAS security context;
the initial AMF and the UE successfully perform main authentication;
the initial AMF and the UE activate NAS security;
the initial AMF receives a horizontal KAMF derivation indication (the keyAMFHDerivationInd indication);
the initial AMF selects a new security algorithm;
712. the SCP sends second information to the target AMF, and the target AMF receives the second information.
After receiving the complete RR message, UE related information and third routing information sent by the initial AMF, the SCP finds the target AMF according to the third routing information and sends the received complete RR message and UE related information to the target AMF.
Optionally, in the case that the initial AMF sends the new KAMF and a horizontal KAMF derivation indication, such as keyAMFHDerivationInd, to the SCP, the SCP may also send the horizontal KAMF derivation indication and the new KAMF to the target AMF. After the target AMF receives the horizontal KAMF derivation indication and the new KAMF, the target AMF sends a NAS SMC message to the UE, where the NAS SMC message includes a K_AMF_change_flag with a value of 1, used to instruct the UE to perform horizontal KAMF derivation. Further, after the UE receives the NAS SMC message, the UE may send a NAS SMP message to the target AMF.
The flow shown in fig. 7 also optionally includes steps 713 and 714.
713. The target AMF acquires the UE context, the security context of the UE, or the NAS security context of the UE from the original AMF. For example, the target AMF may request the UE context, the security context of the UE, or the NAS security context of the UE from the original AMF through Namf_Communication_UEContextTransfer, and the original AMF may send it to the target AMF through the Namf_Communication_UEContextTransfer response.
714. The target AMF deletes the UE context or the UE security context or the NAS security context of the UE acquired from the original AMF.
It should be noted that, whether the UE context or the security context of the UE or the NAS security context of the UE acquired by the target AMF from the original AMF is the same as that acquired from the initial AMF, which is not limited in this embodiment of the present application.
In the embodiment of the application, the initial AMF sends the second information to the SCP, where the second information may include complete registration request information, UE-related information, and third routing information, so that the target AMF may obtain, from the SCP, information such as a UE context, a UE security context, a NAS security context of the UE, or a NAS security context established by the initial AMF and the UE, thereby ensuring that the target AMF can successfully register.
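The fig. 7 flow (steps 711 and 712) as a small simulation, added here as an illustration and not code from the patent: the initial AMF optionally performs horizontal KAMF derivation, sends the second information (complete RR, UE-related information, third routing information, plus the new KAMF and the keyAMFHDerivationInd indication) to the SCP, the SCP resolves the target AMF from the third routing information and delivers it, and the target AMF answers the UE with a NAS SMC carrying K_AMF_change_flag=1 so that both sides end up on the same key. The same key-change handling covers the optional step described under fig. 6 step 615. Class names, message layouts and sample keys are assumptions; the derivation function follows the general shape of the TS 33.501 Annex A.13 KDF (FC 0x72, DIRECTION, NAS COUNT) but is an illustration, not a normative implementation.

```python
"""Added example, not code from the patent: a toy model of the fig. 7 flow
(steps 711/712), NAS reroute through the SCP with optional horizontal K_AMF
derivation.  Class names, message layouts and sample keys are assumptions; the
KDF below is modelled on TS 33.501 Annex A.13 for illustration only."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

FC_KAMF_HORIZONTAL = 0x72   # assumed FC value for K_AMF' derivation
DIRECTION_DOWNLINK = 0x01


def horizontal_kamf_derivation(kamf: bytes, nas_count: int) -> bytes:
    """K_AMF' = HMAC-SHA-256(K_AMF, FC || DIRECTION || L0 || COUNT || L1)."""
    s = bytes([FC_KAMF_HORIZONTAL, DIRECTION_DOWNLINK]) + (1).to_bytes(2, "big")
    s += nas_count.to_bytes(4, "big") + (4).to_bytes(2, "big")
    return hmac.new(kamf, s, hashlib.sha256).digest()


@dataclass
class SecondInformation:
    """Step 711 payload: complete RR, UE-related information, third routing information."""
    ue_id: str
    complete_rr: bytes
    ue_related_info: Dict[str, object]      # here: the NAS security context of the UE
    third_routing_info: Dict[str, str]      # e.g. the GUAMI of the target AMF
    new_kamf: Optional[bytes] = None        # present only after horizontal derivation
    key_amf_h_derivation_ind: bool = False  # keyAMFHDerivationInd


class TargetAmf:
    def __init__(self, guami: str) -> None:
        self.guami = guami
        self.kamf: Optional[bytes] = None

    def receive_second_information(self, info: SecondInformation) -> dict:
        """Step 712: adopt the context; if a horizontal derivation indication came
        with it, switch to the new K_AMF and tell the UE via K_AMF_change_flag=1."""
        ctx = info.ue_related_info
        self.kamf = ctx["kamf"]
        flag = 0
        if info.key_amf_h_derivation_ind and info.new_kamf is not None:
            self.kamf = info.new_kamf
            flag = 1
        # toy NAS SMC; the real message also carries algorithms, ngKSI and a MAC
        return {"msg": "NAS SMC", "K_AMF_change_flag": flag, "nas_count": ctx["nas_count"]}


class Scp:
    def __init__(self) -> None:
        self._amfs: Dict[str, TargetAmf] = {}

    def register_amf(self, amf: TargetAmf) -> None:
        self._amfs[amf.guami] = amf

    def forward_second_information(self, info: SecondInformation) -> dict:
        """Resolve the target AMF from the third routing information and deliver."""
        target = self._amfs[info.third_routing_info["guami"]]
        return target.receive_second_information(info)


class Ue:
    def __init__(self, kamf: bytes) -> None:
        self.kamf = kamf

    def receive_nas_smc(self, smc: dict) -> dict:
        # K_AMF_change_flag=1 instructs the UE to run the same horizontal derivation
        if smc["K_AMF_change_flag"] == 1:
            self.kamf = horizontal_kamf_derivation(self.kamf, smc["nas_count"])
        return {"msg": "NAS Security Mode Complete"}


class InitialAmf:
    def __init__(self, scp: Scp, derive_horizontally: bool) -> None:
        self.scp = scp
        self.derive_horizontally = derive_horizontally   # local policy / configuration

    def reroute_via_scp(self, ue_id: str, rr: bytes, ctx: dict, target_guami: str) -> dict:
        info = SecondInformation(ue_id, rr, ctx, {"guami": target_guami})
        if self.derive_horizontally:
            info.new_kamf = horizontal_kamf_derivation(ctx["kamf"], ctx["nas_count"])
            info.key_amf_h_derivation_ind = True
        return self.scp.forward_second_information(info)


def run_fig7(derive_horizontally: bool) -> dict:
    """Run one SCP-based reroute on constructed sample data and report whether the
    UE and the target AMF end up holding the same K_AMF."""
    kamf = b"\x33" * 32                                   # constructed sample key
    ctx = {"kamf": kamf, "nas_count": 7, "int_alg": "NIA2", "enc_alg": "NEA2"}
    scp = Scp()
    target = TargetAmf("guami-target")
    scp.register_amf(target)
    ue = Ue(kamf)
    smc = InitialAmf(scp, derive_horizontally).reroute_via_scp(
        "suci-0-001-01-0000-0-0-1234567890", b"\x41RR", ctx, "guami-target")
    ue.receive_nas_smc(smc)
    return {"K_AMF_change_flag": smc["K_AMF_change_flag"],
            "keys_match": ue.kamf == target.kamf,
            "target_kamf": target.kamf}
```

The point worth noticing is the pairing of the indication with the key: the SCP forwards keyAMFHDerivationInd together with the new KAMF, and the target AMF only sets K_AMF_change_flag when both arrived, so the UE never derives a key the network does not hold. The assertion `keys_match` holds in both branches, while the derived key differs from the original one only when the initial AMF's policy chose to derive.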
It should be noted that all embodiments in this application may also replace the SCP with another network function or network entity, such as NSSF.
In the embodiment of the present application, the letter case of the English names is not limited; for example, the name may be written as Namf_Communication_UEContextTransfer or with different capitalization.
It can be understood that the above embodiments are focused on, and the implementation manner not described in detail in one embodiment may refer to other embodiments, which are not described in detail here. Furthermore, the various embodiments described herein may be implemented as stand-alone solutions or combined in accordance with inherent logic and are intended to fall within the scope of the present application.
The above description mainly introduces the scheme provided by the embodiments of the present application from various interaction perspectives. It is to be understood that each network element or network function, such as the initial AMF, the target AMF, the original AMF, etc., includes a corresponding hardware structure and/or software module for performing each function in order to implement the above functions. Those of skill in the art would appreciate that the various illustrative components and method steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, functional modules may be divided for each network element or network function according to the above method example, for example, each functional module may be divided for each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a form of hardware or a form of a software functional module.
Fig. 8 shows an apparatus 80 for registering according to an embodiment of the present application, which is used to implement the foregoing method. As an example, the apparatus 80 for registering may be an initial AMF, a target AMF, or an original AMF; the apparatus 80 for registering may also be, by way of example, the (R)AN, i.e., a network device; as an example, the apparatus for registering may also be an SCP; the apparatus for registering may also be, by way of example, a terminal device or the like. That is, the apparatus for registering may be any device involved in implementing the registration methods shown in fig. 2 to 7. Optionally, the apparatus may also be a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices. The apparatus 80 includes at least one processor 820 configured to implement the functions of the relevant network elements or network functions in the methods provided in the embodiments of the present application. As an example, the apparatus 80 may also include a transceiver 810. In the embodiments of the present application, a transceiver may be used to communicate with other devices over a transmission medium.
Optionally, the apparatus 80 may also include at least one memory 830 for storing program instructions and/or data. The memory 830 is coupled with the processor 820. The coupling in the embodiments of the present application is an indirect coupling or a communication connection between devices, units or modules, and may be an electrical, mechanical or other form for information interaction between the devices, units or modules. The processor 820 may operate in conjunction with the memory 830. Processor 820 may execute program instructions stored in memory 830. At least one of the at least one memory may be included in the processor.
It is understood that, in different network elements or network functional entities, there may be no memory included, and therefore, the embodiment of the present application does not limit whether the apparatus for registering includes a memory or not.
The specific connection medium among the transceiver 810, the processor 820 and the memory 830 is not limited in the embodiments of the present application. In fig. 8, the memory 830, the processor 820 and the transceiver 810 are connected by a bus 840, the bus is represented by a thick line in fig. 8, and the connection manner among other components is only schematically illustrated and is not limited. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
Optionally, the processor may include a baseband processor and a Central Processing Unit (CPU), where the baseband processor is mainly used to process a communication protocol and communication data, and the CPU is mainly used to control the whole device, execute a software program, and process data of the software program. Alternatively, the processor may be a Network Processor (NP) or a combination of a CPU and an NP. The processor may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof. The memory may include volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an electrically Erasable EPROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of example, but not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), double data rate SDRAM, enhanced SDRAM, SLDRAM, Synchronous Link DRAM (SLDRAM), and direct rambus RAM (DR RAM), among others.
The embodiment of the present application further provides a computer storage medium, where the computer storage medium may store a program, and the program includes some or all of the steps of any one of the registration methods described in the above method embodiments when executed.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of some interfaces, devices or units, and may be an electric or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable memory. Based on such understanding, the technical solution of the present application may be substantially implemented or a part of or all or part of the technical solution contributing to the prior art may be embodied in the form of a software product stored in a memory, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned memory comprises: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable memory, which may include: flash Memory disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The foregoing detailed description of the embodiments of the present application has been presented to illustrate the principles and implementations of the present application, and the above description of the embodiments is only provided to help understand the method and the core concept of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in view of the above, the content of the present specification should not be construed as a limitation to the present application.

Claims (14)

1. A registration method, comprising:
an initial AMF determines to redirect NAS through an access network device;
the initial AMF sends first routing information, wherein the first routing information is used for indicating a target AMF to acquire relevant information of terminal equipment from the initial AMF;
under the condition that the target AMF receives the first routing information, the initial AMF receives a first service request, and the first service request is used for requesting the relevant information of the terminal equipment;
and the initial AMF sends a response of the first service request, wherein the response of the first service request comprises the relevant information of the terminal equipment.
2. The method according to claim 1, wherein the information related to the terminal device comprises any one or more of the following information: the context of the terminal device, the security context of the terminal device, the NAS security context of the terminal device, or the NAS security context established by the initial AMF and the terminal device.
3. The method according to claim 1 or 2, wherein the first routing information comprises routing information of the initial AMF.
4. A method according to any of claims 1-3, characterized in that said first service request comprises said first routing information and identification information of said terminal device.
5. The method according to any of claims 1-4, wherein the sending, by the initial AMF, the first routing information to the target AMF comprises:
the initial AMF sends first routing information to a target AMF under the condition that any one or more of the following conditions are met:
the initial AMF and the terminal equipment perform the safety interaction of NAS information;
the initial AMF and the terminal equipment successfully perform NAS security mode control flow;
the initial AMF and the terminal equipment successfully perform NAS SMC;
the initial AMF and the terminal equipment establish a new NAS security context;
the initial AMF and the terminal equipment successfully perform main authentication;
the initial AMF and the terminal equipment activate NAS security;
the initial AMF receives a horizontal KAMF derivation indication;
the initial AMF selects a new security algorithm.
6. A registration method, comprising:
under the condition that an initial Access Management Function (AMF) determines that non-access stratum (NAS) redirection is carried out through access network equipment, a target Access Management Function (AMF) receives first routing information, wherein the first routing information is used for indicating the target AMF to acquire relevant information of terminal equipment from the initial AMF;
the target AMF sends a first service request, wherein the first service request is used for requesting relevant information of the terminal equipment;
and the target AMF receives a response of the first service request, wherein the response of the first service request comprises the relevant information of the terminal equipment.
7. A registration method, comprising:
an initial AMF determines to redirect NAS through an access network device;
the initial AMF sends first information to a communication agent function, wherein the first information comprises relevant information of terminal equipment;
and the initial AMF sends second routing information to a target AMF, wherein the second routing information is used for indicating the target AMF to acquire the relevant information of the terminal equipment from a communication agent function.
8. A registration method, comprising:
under the condition that an initial AMF determines that non-access stratum (NAS) redirection is performed through access network equipment, a target AMF receives second routing information;
the target AMF sends a second service request to a communication agent function according to the second routing information, wherein the second service request is used for requesting the relevant information of the terminal equipment, and the relevant information of the terminal equipment is stored in the communication agent function;
and the target AMF receives a response of the second service request sent by the communication agent function, wherein the response of the second service request comprises the relevant information of the terminal equipment.
9. A registration method, comprising:
the initial AMF determines to perform NAS redirection through an access network device;
and the initial AMF sends second information to a communication agent function, wherein the second information comprises relevant information of terminal equipment and third routing information, the third routing information comprises routing information of a target AMF, and the second information is used for indicating the communication agent function to send the relevant information of the terminal equipment to the target AMF.
10. A registration method, comprising:
under the condition that an initial AMF determines that non-access stratum (NAS) redirection is performed through access network equipment, a target access management function (AMF) receives second information sent by a communication agent function, wherein the second information comprises relevant information of terminal equipment and third routing information, the third routing information comprises routing information of the target AMF, and the second information is used for indicating the communication agent function to send the relevant information of the terminal equipment to the target AMF.
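The following is an added illustration, not code from the patent or from Huawei: a small model of the three procedures in claims 5-10. The class names (InitialAmf, TargetAmf, ServiceProxy), the dictionary shapes used for the first, second and third routing information, and the method names are assumptions made for illustration; the UE identifier and context label are constructed sample values. The security-relevant point it shows is the gate in claim 5: each listed condition is an event that changes or activates the NAS security context between the UE and the initial AMF, so after a reroute via the access network the target AMF must obtain that current context from the initial AMF (claims 5-6) or via the communication proxy (claims 7-10) rather than work from state that predates those events. When none of the conditions holds, the initial AMF sends nothing.

```python
# Added illustration, not code from the patent: a model of the NAS-reroute-via-RAN registration
# procedure in claims 5-10. Class/message names are assumptions; UE ids and context labels are constructed.
from dataclasses import dataclass, asdict
from typing import Dict, Optional


@dataclass
class NasSecurityEvents:
    """Events between initial AMF and UE listed in claim 5; any one of them suffices."""
    nas_smc_succeeded: bool = False           # NAS security mode control completed
    primary_auth_succeeded: bool = False      # primary authentication completed
    new_nas_context: bool = False             # new NAS security context established
    nas_security_activated: bool = False      # NAS security activated
    horizontal_kamf_indication: bool = False  # horizontal K_AMF derivation indicated
    new_algorithm_selected: bool = False      # new NAS security algorithm selected

    def context_changed(self) -> bool:
        return any(asdict(self).values())

@dataclass
class UeContext:
    """The 'relevant information of the terminal equipment' held by the initial AMF."""
    ue_id: str
    nas_security_context: str  # opaque label; constructed, not real key material

class TargetAmf:
    def __init__(self, name: str) -> None:
        self.name, self.ctx = name, None

    def receive_routing_information(self, info: dict, initial: "InitialAmf",
                                    proxy: "ServiceProxy") -> UeContext:
        if info["kind"] == "first":     # claim 6: first service request to the initial AMF
            self.ctx = initial.serve_first_service_request(info["ue_id"])
        else:                           # claim 8: second service request to the proxy
            self.ctx = proxy.serve_second_service_request(info["ue_id"])
        return self.ctx

    def receive_second_information(self, ctx: UeContext) -> None:  # claim 10: pushed by the proxy
        self.ctx = ctx

class ServiceProxy:
    """Communication agent (proxy) function of claims 7-10: parks the UE context for a pull or forwards it on a push."""
    def __init__(self, amfs: Dict[str, TargetAmf]) -> None:
        self.store, self.amfs = {}, amfs

    def receive_first_information(self, ctx: UeContext) -> None:  # claim 7
        self.store[ctx.ue_id] = ctx

    def serve_second_service_request(self, ue_id: str) -> UeContext:  # claim 8
        return self.store[ue_id]

    def receive_second_information(self, ctx: UeContext, third_routing: dict) -> None:  # claim 9
        self.amfs[third_routing["target_amf"]].receive_second_information(ctx)

class InitialAmf:
    def __init__(self, name: str, ctx: UeContext, events: NasSecurityEvents) -> None:
        self.name, self.ctx, self.events = name, ctx, events

    def first_routing_information(self, reroute_via_ran: bool) -> Optional[dict]:
        """Claim 5: first routing information goes out only for a reroute via the RAN and
        only when one of the listed security events occurred; otherwise nothing is sent."""
        if not (reroute_via_ran and self.events.context_changed()):
            return None
        return {"kind": "first", "fetch_from": self.name, "ue_id": self.ctx.ue_id}

    def serve_first_service_request(self, ue_id: str) -> UeContext:  # claim 6 response
        assert ue_id == self.ctx.ue_id, "request for a UE this AMF does not hold"
        return self.ctx

    def reroute_via_proxy_pull(self, proxy: ServiceProxy) -> dict:  # claim 7
        proxy.receive_first_information(self.ctx)
        return {"kind": "second", "fetch_from": "proxy", "ue_id": self.ctx.ue_id}

    def reroute_via_proxy_push(self, proxy: ServiceProxy, target: str) -> None:  # claim 9
        proxy.receive_second_information(self.ctx, {"target_amf": target})

def _setup(nas_smc: bool):
    ctx = UeContext("ue-1", "nas-ctx-after-smc")  # constructed sample values
    initial = InitialAmf("amf-initial", ctx, NasSecurityEvents(nas_smc_succeeded=nas_smc))
    target = TargetAmf("amf-target")
    return initial, target, ServiceProxy({target.name: target})

def run_direct(reroute_via_ran: bool = True, nas_smc: bool = True) -> Optional[str]:
    """Claims 5-6: context label the target AMF obtains, or None if no routing information is sent."""
    initial, target, proxy = _setup(nas_smc)
    info = initial.first_routing_information(reroute_via_ran)
    return None if info is None else target.receive_routing_information(info, initial, proxy).nas_security_context

def run_proxy_pull() -> str:
    """Claims 7-8: context parked at the proxy, target AMF pulls it."""
    initial, target, proxy = _setup(nas_smc=True)
    return target.receive_routing_information(initial.reroute_via_proxy_pull(proxy), initial, proxy).nas_security_context

def run_proxy_push() -> str:
    """Claims 9-10: the proxy receives context plus target routing and pushes it to the target AMF."""
    initial, target, proxy = _setup(nas_smc=True)
    initial.reroute_via_proxy_push(proxy, target.name)
    return target.ctx.nas_security_context
```

`run_direct()` returns the context label because a NAS SMC ran; `run_direct(nas_smc=False)` and `run_direct(reroute_via_ran=False)` return None, which is the claim-5 gate doing its job: without a reroute via the RAN, or without any of the listed events, there is no first routing information and no context transfer is triggered by this path.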
11. An apparatus for registration, comprising a processor coupled with a transceiver, the processor configured to perform the corresponding method of any one of claims 1-10, and the transceiver configured to perform the corresponding method of any one of claims 1-10.
12. An apparatus for registration, comprising a processor, a memory, and a transceiver, the memory for storing computer-executable instructions, the processor for executing the computer-executable instructions stored by the memory to cause the apparatus to perform the respective method of any of claims 1-10.
13. A computer-readable storage medium for storing instructions that, when executed, cause the method of any one of claims 1-10 to be implemented.
14. A computer program product comprising instructions that, when executed, cause the method of any of claims 1-10 to be implemented.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/117085 WO2021073382A1 (en) 2019-10-13 2020-09-23 Registration method and apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2019109705246 2019-10-13
CN201910970524 2019-10-13

Publications (1)

Publication Number Publication Date
CN112654043A true CN112654043A (en) 2021-04-13

Family

ID=75343201

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911097204.0A Pending CN112654043A (en) 2019-10-13 2019-11-11 Registration method and device

Country Status (2)

Country Link
CN (1) CN112654043A (en)
WO (1) WO2021073382A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109429295A (en) * 2017-08-31 2019-03-05 中兴通讯股份有限公司 A kind of method, AMF, system and storage medium selecting AMF
CN110291837A (en) * 2017-02-06 2019-09-27 华为技术有限公司 Network registry and network slice selection system and method
US20190306754A1 (en) * 2018-06-20 2019-10-03 Intel Corporation Vehicle-to-everything (v2x) communication authorization in fifth generation (5g) systems

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
PT3952375T (en) * 2017-01-30 2022-12-21 Ericsson Telefon Ab L M Security context handling in 5g during connected mode
CN108809550A (en) * 2017-04-26 2018-11-13 华为技术有限公司 abnormal data transmission method, device and system
CN109548109B (en) * 2017-08-14 2021-03-09 电信科学技术研究院 Processing method and device for mismatching of UE and network state and storage medium
US10542428B2 (en) * 2017-11-20 2020-01-21 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during handover

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114051231A (en) * 2021-10-15 2022-02-15 中国联合网络通信集团有限公司 Service routing method, device and computer readable storage medium
CN114051231B (en) * 2021-10-15 2023-05-30 中国联合网络通信集团有限公司 Service routing method, device and computer readable storage medium

Also Published As

Publication number Publication date
WO2021073382A1 (en) 2021-04-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20210413)