CN113285805A - Communication method and device - Google Patents

Info

Publication number
CN113285805A
Authority
CN
China
Prior art keywords
auts
indication information
terminal equipment
network element
algorithm
Prior art date
Legal status
Granted
Application number
CN202010103830.2A
Other languages
Chinese (zh)
Other versions
CN113285805B (en)
Inventor
赵绪文
张博
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN202010103830.2A (published as CN113285805B)
Priority to PCT/CN2020/122866 (published as WO2021164291A1)
Publication of CN113285805A
Application granted
Publication of CN113285805B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the invention disclose a communication method and device. In the method, after receiving a resynchronization authentication token (AUTS), the unified data management network element obtains indication information corresponding to the terminal device, identifies from that indication information the AUTS algorithm the terminal device used when calculating the AUTS, and then verifies the AUTS with the same AUTS algorithm the terminal device used.

Description

Communication method and device
Technical Field
The present application relates to the field of wireless communication technologies, and in particular, to a communication method and apparatus.
Background
In the current authentication procedure, after receiving an authentication request message from the access and mobility management function (AMF), the terminal device checks the sequence number (SQN) carried in the message. If the SQN is not within the correct range, the terminal device additionally calculates a resynchronization authentication token (AUTS) and returns the AUTS to the unified data management (UDM) network element. After receiving the AUTS, the UDM verifies it and, if the verification passes, executes the resynchronization procedure.
However, in the prior art there may be more than one algorithm by which the terminal device can calculate the AUTS, and the UDM cannot identify which AUTS algorithm a given terminal device actually used. When the AUTS algorithm used by the terminal device differs from the one the UDM applies, the UDM's verification of the AUTS fails, and the resynchronization fails with it.
Disclosure of Invention
The embodiments of the application provide a communication method and device for identifying the AUTS algorithm adopted by the terminal device, so that the AUTS is verified with the correct AUTS algorithm and the authentication of the terminal device proceeds efficiently.
In a first aspect, an embodiment of the present application provides a communication method that may be performed by a unified data management network element (UDM). The method includes: the unified data management network element receives an authentication service request that includes a resynchronization authentication token AUTS; the unified data management network element obtains indication information corresponding to the terminal device, where the indication information indicates the first AUTS algorithm used by the terminal device to calculate the AUTS; and the unified data management network element verifies the AUTS with the first AUTS algorithm.
In the embodiment of the application, the unified data management network element can identify the AUTS algorithm adopted by the terminal equipment when the AUTS is calculated according to the indication information corresponding to the terminal equipment, and then the AUTS algorithm consistent with the terminal equipment is adopted to check the AUTS calculated by the terminal equipment, so that the problem of resynchronization failure caused by inconsistency of the AUTS algorithms adopted by the unified data management network element and the terminal equipment can be effectively avoided, and the resynchronization flow and the subsequent authentication flow of the terminal equipment can be normally carried out.
In a possible design of the first aspect, the obtaining, by the unified data management network element, the indication information corresponding to the terminal device may be obtained by the unified data management network element from a local configuration, or obtained from a unified data storage network element. That is to say, the indication information corresponding to the terminal device may be pre-configured locally in the unified data management network element, or may be configured in the unified data storage network element, so that the applicability of the technical solution in the embodiment of the present application may be enhanced.
In a possible design of the first aspect, the indication information of the terminal device may be included in subscription data of the terminal device, and the subscription data of the terminal device may be stored in the unified data management network element or stored in the unified data storage network element.
In a possible design of the first aspect, determining, by the unified data management network element, the first AUTS algorithm according to the indication information corresponding to the terminal device may include: and the unified data management network element determines a first AUTS algorithm according to the identification of the terminal equipment in the authentication service request and the indication information corresponding to the terminal equipment.
In a second aspect, an embodiment of the present application provides a communication method that may be performed by a unified data storage network element (UDR). The method includes: the unified data storage network element receives a service invocation request from a unified data management network element, the request asking for indication information corresponding to a terminal device, where the indication information indicates the first AUTS algorithm used by the terminal device to calculate the AUTS; and the unified data storage network element sends a service response message, containing the indication information corresponding to the terminal device, to the unified data management network element.
In this embodiment of the application, the indication information corresponding to the terminal device may be pre-configured in the unified data storage network element. When the unified data management network element needs that indication information, the unified data storage network element returns it in response to the service invocation request, so that the unified data management network element can verify the AUTS with the AUTS algorithm the indication information names, and the resynchronization procedure can proceed normally.
In a third aspect, an embodiment of the present application provides another communication method that may be performed by a unified data management network element (UDM). The method includes: the unified data management network element receives an authentication service request that includes an encrypted resynchronization authentication token AUTS; the unified data management network element decrypts it to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, where the indication information indicates the first AUTS algorithm used by the terminal device to calculate the AUTS; and the unified data management network element verifies the AUTS according to the first AUTS algorithm.
In this embodiment, the unified data management network element decrypts the received encrypted resynchronization authentication token to obtain both the indication information corresponding to the terminal device and the AUTS generated by the terminal device. It can therefore determine the AUTS algorithm the terminal device used from the indication information and verify the AUTS the terminal device sent with that same algorithm. This avoids the resynchronization failure caused by the unified data management network element and the terminal device using different AUTS algorithms, lets the resynchronization procedure and the subsequent authentication procedure of the terminal device proceed normally, and at the same time improves the security of the authentication procedure, since the indication information travels encrypted.
In a possible design of the third aspect, the determining, by the unified data management network element, the first AUTS algorithm according to the indication information corresponding to the terminal device may include: and the unified data management network element determines a first AUTS algorithm according to the identification of the terminal equipment in the authentication service request and the indication information corresponding to the terminal equipment.
In a fourth aspect, an embodiment of the present application provides another communication method that may be performed by a terminal device. The method includes: the terminal device calculates a resynchronization authentication token AUTS and encrypts the AUTS together with the indication information corresponding to the terminal device to obtain an encrypted resynchronization authentication token, where the indication information indicates the first AUTS algorithm used by the terminal device to calculate the AUTS; and the terminal device sends the encrypted AUTS to the access management network element.
In this embodiment, the terminal device may perform encryption protection on the corresponding indication information and the generated AUTS together, and send the encrypted indication information and the generated AUTS to the unified data management network element. Therefore, the unified data management network element can determine the AUTS algorithm adopted by the terminal equipment according to the indication information sent by the terminal equipment, and verify the AUTS sent by the terminal equipment by adopting the AUTS algorithm consistent with the terminal equipment, so that the problem of resynchronization failure caused by inconsistency of the AUTS algorithm adopted by the unified data management network element and the terminal equipment is avoided, the resynchronization flow and the subsequent authentication flow of the terminal equipment can be normally carried out, and meanwhile, the security of the authentication process can be improved.
In one possible design of the fourth aspect, the method further includes: the terminal device generates the indication information corresponding to the terminal device according to the first AUTS algorithm it used to calculate the AUTS.
In a fifth aspect, an embodiment of the present application provides another communication method that may be performed by a unified data management network element (UDM). The method includes: the unified data management network element receives an authentication service request that includes a resynchronization authentication token AUTS; the unified data management network element obtains the indication information corresponding to the terminal device from the AUTS itself, where the indication information indicates the first AUTS algorithm used by the terminal device to calculate the AUTS; and the unified data management network element verifies the AUTS according to the first AUTS algorithm.
In this embodiment of the application, the indication information corresponding to the terminal device may also be carried directly in the AUTS and integrity-protected. The unified data management network element can therefore read the indication information from the received AUTS, determine the AUTS algorithm the terminal device used from it, and verify the AUTS with that same algorithm. This avoids the resynchronization failure caused by the unified data management network element and the terminal device using different AUTS algorithms, lets the resynchronization procedure and the subsequent authentication procedure of the terminal device proceed normally, and at the same time improves the security of the authentication procedure, since the indication is covered by the integrity protection.
In a possible design of the fifth aspect, verifying the AUTS according to the first AUTS algorithm may include: the unified data management network element obtains the mobile station sequence number SQN_MS from the AUTS according to the first AUTS algorithm, calculates a MAC from SQN_MS, and, if the calculated MAC matches the MAC-S obtained from the AUTS, determines that the AUTS check succeeded.
In a sixth aspect, an embodiment of the present application provides another communication method that may be performed by a terminal device. The method includes: the terminal device calculates a resynchronization authentication token AUTS according to the indication information corresponding to the terminal device, where the indication information indicates the first AUTS algorithm used by the terminal device to calculate the AUTS; and the terminal device sends the AUTS to the access management network element.
In the embodiment of the application, the terminal device may carry corresponding indication information when calculating the AUTS, and then send the AUTS to the unified data management network element after performing integrity protection on the AUTS. Therefore, the unified data management network element can obtain the indication information corresponding to the terminal equipment from the received AUTS, then the AUTS algorithm adopted by the terminal equipment is determined according to the indication information sent by the terminal equipment, and the AUTS algorithm consistent with the terminal equipment is adopted to check the AUTS sent by the terminal equipment, so that the problem of resynchronization failure caused by inconsistency between the AUTS algorithms adopted by the unified data management network element and the terminal equipment is avoided, the resynchronization process and the subsequent authentication process of the terminal equipment can be normally carried out, and meanwhile, the security of the authentication process is improved.
In a possible design of the sixth aspect, the AUTS includes indication information corresponding to the terminal device and/or a MAC-S calculated according to the indication information.
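The following Python model is an added example and is not code from the patent or from Huawei. It ties together the background (a UDM that assumes the wrong AUTS algorithm fails to verify the token), the first aspect (the UDM reading the indication from the subscriber's record, whether held locally or fetched from the UDR) and the fifth and sixth aspects (the indication carried inside the AUTS and covered by MAC-S). Assumptions not taken from the page: the 3GPP TS 33.102 layout AUTS = (SQN_MS xor AK) || MAC-S with MAC-S = f1*(K, SQN_MS || RAND || AMF*); the two "AUTS algorithms" are modelled as two different derivations of the anonymity key AK (f5 versus f5*); f1*, f5 and f5* are replaced by truncated HMAC-SHA256 rather than Milenage or TUAK; the indication is a single byte; and K, RAND, SQN_MS, the SUPI and the subscription record are all constructed for the example. The encrypted variant of the third and fourth aspects is not modelled.

```python
import hashlib
import hmac

SQN_LEN = 6                # SQN_MS is 48 bits
MAC_LEN = 8                # MAC-S is 64 bits
AMF_RESYNC = b"\x00\x00"   # AMF* used for resynchronisation (all zeros in 3GPP)


def _kdf(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for the USIM authentication functions: truncated HMAC-SHA256
    keyed with the long-term key K (assumption; real networks use Milenage/TUAK)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def f1_star(k, sqn, rand, amf, extra=b""):
    """Resynchronisation MAC: MAC-S = f1*(K, SQN_MS || RAND || AMF* [|| indication])."""
    return _kdf(k, b"f1*", sqn + rand + amf + extra, MAC_LEN)


def f5(k, rand):
    return _kdf(k, b"f5", rand, SQN_LEN)


def f5_star(k, rand):
    return _kdf(k, b"f5*", rand, SQN_LEN)


# Indication value -> function deriving the anonymity key AK that conceals SQN_MS.
# Two hypothetical "AUTS algorithms" (assumption): AK from f5 or AK from f5*.
AUTS_ALGS = {b"\x00": f5, b"\x01": f5_star}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ue_compute_auts(k, sqn_ms, rand, alg_ind, embed_ind=False):
    """Terminal side: AUTS = Conc(SQN_MS) || MAC-S with Conc(SQN_MS) = SQN_MS xor AK.
    With embed_ind=True the indication is prepended to the AUTS and fed into MAC-S,
    so the UDM can read it and it is integrity-protected (fifth/sixth aspect)."""
    ak = AUTS_ALGS[alg_ind](k, rand)
    extra = alg_ind if embed_ind else b""
    mac_s = f1_star(k, sqn_ms, rand, AMF_RESYNC, extra)
    return extra + _xor(sqn_ms, ak) + mac_s


def udm_verify_auts(k, rand, auts, alg_ind):
    """UDM side when the algorithm is known out of band. Recovers SQN_MS with the
    indicated AK function, recomputes MAC-S and compares in constant time.
    Returns SQN_MS on success, None on failure."""
    if alg_ind not in AUTS_ALGS or len(auts) != SQN_LEN + MAC_LEN:
        return None
    conc, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    sqn_ms = _xor(conc, AUTS_ALGS[alg_ind](k, rand))
    expected = f1_star(k, sqn_ms, rand, AMF_RESYNC)
    return sqn_ms if hmac.compare_digest(expected, mac_s) else None


def udm_verify_from_subscription(k, rand, auts, supi, subscription_data):
    """First aspect: the indication is read from the subscriber's record (held locally
    in the UDM or fetched from the UDR) and selects the verification algorithm."""
    alg_ind = subscription_data.get(supi, {}).get("auts_alg")
    return None if alg_ind is None else udm_verify_auts(k, rand, auts, alg_ind)


def udm_verify_self_describing(k, rand, auts):
    """Fifth aspect: the indication is the first byte of the AUTS. Because it is part of
    the MAC-S input, flipping it to force the other algorithm breaks the MAC check."""
    if len(auts) != 1 + SQN_LEN + MAC_LEN or auts[:1] not in AUTS_ALGS:
        return None
    ind, conc, mac_s = auts[:1], auts[1:1 + SQN_LEN], auts[1 + SQN_LEN:]
    sqn_ms = _xor(conc, AUTS_ALGS[ind](k, rand))
    expected = f1_star(k, sqn_ms, rand, AMF_RESYNC, ind)
    return sqn_ms if hmac.compare_digest(expected, mac_s) else None


def demo():
    """Constructed inputs; returns the outcome of each scenario for inspection."""
    k = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")     # constructed K
    rand = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")  # constructed RAND
    sqn_ms = bytes.fromhex("ff9bb4d0b607")                    # constructed SQN_MS
    supi = "imsi-001010123456789"                             # constructed SUPI
    subscription_data = {supi: {"auts_alg": b"\x01"}}         # constructed UDR record

    auts = ue_compute_auts(k, sqn_ms, rand, b"\x01")
    results = {
        # Background: the UDM assumes the other algorithm and verification fails.
        "mismatched_algorithm": udm_verify_auts(k, rand, auts, b"\x00"),
        # First aspect: the indication in subscription data picks the right algorithm.
        "from_subscription": udm_verify_from_subscription(k, rand, auts, supi, subscription_data),
    }
    auts_sd = ue_compute_auts(k, sqn_ms, rand, b"\x00", embed_ind=True)
    results["self_describing"] = udm_verify_self_describing(k, rand, auts_sd)
    # An on-path attacker rewrites the indication byte: MAC-S no longer verifies.
    results["tampered_indication"] = udm_verify_self_describing(k, rand, b"\x01" + auts_sd[1:])
    return results


if __name__ == "__main__":
    for name, sqn in demo().items():
        print(f"{name:22s} -> {'SQN_MS=' + sqn.hex() if sqn else 'verification failed'}")
```

Two points carry over to a real deployment. The recovered SQN_MS is only trustworthy once MAC-S has verified, so the UDM must not update its stored SQN before the comparison succeeds. And in the self-describing variant the indication must be inside the MAC-S input, as here; an indication merely prepended to the token could be rewritten on the path to steer the UDM onto a different algorithm, which is exactly the mismatch the page sets out to avoid.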
In a seventh aspect, an embodiment of the present application provides another communication method that may be performed by a terminal device. The method includes: the terminal device receives a resynchronization authentication token AUTS and the configuration information of a USIM card from that USIM card; the terminal device determines indication information from the configuration information of the USIM card, where the indication information indicates the first AUTS algorithm used by the USIM card to calculate the AUTS; the terminal device encrypts the AUTS together with the indication information to obtain an encrypted resynchronization authentication token; and the terminal device sends the encrypted AUTS to the access management network element.
In the embodiment of the application, the terminal equipment can determine the AUTS algorithm adopted by the USIM card according to the configuration information of the USIM card, further encrypt the indication information used for indicating the AUTS algorithm adopted by the USIM card and the AUTS obtained by calculation of the USIM card together, and send the encrypted indication information and the AUTS to the unified data management network element, so that the resynchronization process can be normally carried out, and the problem that the indication information cannot be generated or encrypted due to limitation or improper configuration of the USIM card can be avoided, thereby enhancing the applicability of the method.
In one possible design of the seventh aspect, the configuration information includes one or more of the following: AUTS algorithm supported by USIM card, whether USIM card supports AUTS algorithm of specific type, type information of USIM card and version information of USIM card.
In an eighth aspect, an embodiment of the present application provides another communication method, which may be performed by a USIM card, which may be installed in a terminal device, and the method includes: and the USIM card calculates a resynchronization authentication token AUTS, and sends the calculated AUTS and the configuration information of the USIM card to the terminal equipment.
In the embodiment of the application, the USIM card can send the calculated AUTS and the configuration information of the USIM card to the terminal equipment, the terminal equipment generates the indication information for indicating the AUTS algorithm according to the configuration information of the USIM card by itself, and encrypts the indication information and the AUTS calculated by the USIM card together and sends the encrypted indication information and the AUTS to the unified data management network element, so that the resynchronization process can be normally carried out, and the problem that the indication information cannot be generated or encrypted due to limitation or improper configuration of the USIM card is avoided, thereby enhancing the applicability of the method.
In one possible design of the eighth aspect, the configuration information includes one or more of the following information: AUTS algorithm supported by USIM card, whether USIM card supports AUTS algorithm of specific type, type information of USIM card and version information of USIM card.
In a ninth aspect, an embodiment of the present application provides a communication apparatus, where the apparatus has a function of implementing a unified data management network element in any one of the possible designs of the first aspect or the first aspect, or may also have a function of implementing a unified data management network element in any one of the possible designs of the third aspect or the third aspect, or may also have a function of implementing a unified data management network element in any one of the possible designs of the fifth aspect or the fifth aspect, or may also have a function of implementing a unified data storage network element in any one of the possible designs of the second aspect or the second aspect. The device may be a network device, or may be a device included in a network device, such as a chip.
The apparatus may also have the functionality of the terminal device in any one of the possible designs of the fourth aspect or the fourth aspect described above, or the functionality of the terminal device in any one of the possible designs of the sixth aspect or the sixth aspect described above, or the functionality of the terminal device in any one of the possible designs of the seventh aspect or the seventh aspect described above. The device may be a terminal device, such as a handheld terminal device, a vehicle-mounted terminal device, a vehicle user device, a road side unit, or the like, or may be a device included in a terminal device, such as a chip, or may be a device including a terminal device, such as a vehicle or the like.
The device may also have a function of implementing a USIM card in any one of the possible designs of the above-described eighth aspect or eighth aspect, and the USIM card may be a device included in the terminal equipment, such as a chip.
The functions of the communication device may be realized by hardware, or by hardware executing corresponding software, where the hardware or software includes one or more modules corresponding to those functions.
In a possible design, the apparatus structurally includes a processing module and a transceiver module, where the processing module is configured to support the apparatus to perform a function corresponding to the unified data management network element in any one of the designs of the first aspect or the first aspect, or perform a function corresponding to the unified data storage network element in any one of the designs of the second aspect or the second aspect, or perform a function corresponding to the unified data management network element in any one of the designs of the third aspect or the third aspect, or perform a function corresponding to the terminal device in any one of the designs of the fourth aspect or the fourth aspect, or perform a function corresponding to the unified data management network element in any one of the designs of the fifth aspect or the fifth aspect, or perform a function corresponding to the terminal device in any one of the designs of the sixth aspect or the sixth aspect, or perform a function corresponding to the terminal device in any one of the designs of the seventh aspect or the seventh aspect, or perform the corresponding function of the USIM card in any one of the designs of the above-mentioned eighth aspect or eighth aspect. The transceiver module is configured to support communication between the apparatus and other communication devices, for example, when the apparatus is a unified data management network element, the transceiver module obtains indication information corresponding to the terminal device from a unified data storage network element. The communication device may also include a memory module, coupled to the processing module, that retains the necessary program instructions and data for the device. 
As an example, the processing module may be a processor, the transceiver module may be a transceiver, and the storage module may be a memory, where the memory may be integrated with the processor or arranged separately from it; this application does not limit which.
In another possible design, the apparatus may be configured to include a processor and may also include a memory. The processor is coupled with the memory and is operable to execute the computer program instructions stored in the memory to cause the apparatus to perform the method in the first aspect or any of the possible designs of the first aspect, or the second aspect or any of the designs of the second aspect, or the third aspect, or any of the designs of the fourth aspect or the fourth aspect, or the fifth aspect or any of the designs of the fifth aspect, or any of the designs of the sixth aspect, or any of the seventh aspect, or any of the designs of the eighth aspect. Optionally, the apparatus further comprises a communication interface, the processor being coupled to the communication interface. When the apparatus is a network device or a terminal device, the communication interface may be a transceiver or an input/output interface; when the apparatus is a chip included in a network device or a terminal device, the communication interface may be an input/output interface of the chip. Alternatively, the transceiver may be a transceiver circuit and the input/output interface may be an input/output circuit.
In a tenth aspect, an embodiment of the present application provides a chip system, including: a processor coupled with a memory for storing programs or instructions, which when executed by said processor, cause the system-on-chip to carry out the method of the first aspect described above or any one of the possible designs of the first aspect, or in any one of the possible designs of the second aspect or the second aspect described above, or in any one of the possible designs of the third aspect or the third aspect described above, or a method in any one of the possible designs of the fourth aspect or the fourth aspect described above, or a method in any one of the possible designs of the fifth aspect or the fifth aspect described above, or implementing a method in any one of the possible designs of the sixth aspect or the sixth aspect described above, or implementing a method in any one of the possible designs of the seventh aspect or the seventh aspect described above, or implementing a method in any one of the possible designs of the eighth aspect or the eighth aspect described above.
Optionally, the chip system further comprises an interface circuit, and the interface circuit is used for interacting the code instructions to the processor.
Optionally, the number of the processors in the chip system may be one or more, and the processors may be implemented by hardware or software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory.
Optionally, the chip system may include one or more memories. A memory may be integrated with the processor or separate from it, which this application does not limit. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), integrated with the processor on the same chip or placed on a different chip; neither the type of memory nor its arrangement relative to the processor is limited in this application.
In an eleventh aspect, embodiments of the present application provide a computer-readable storage medium, on which a computer program or instructions are stored, which when executed, cause a computer to perform the method of the first aspect described above or any one of the possible designs of the first aspect, or performing the method in any one of the possible designs of the second aspect or the second aspect described above, or performing the method in any one of the possible designs of the third aspect or the third aspect described above, or performing the method of any one of the possible designs of the fourth aspect or the fourth aspect described above, or performing the method of any one of the possible designs of the fifth aspect or the fifth aspect described above, or performing the method in any one of the possible designs of the sixth aspect or the sixth aspect described above, or performing the method in any one of the possible designs of the seventh aspect or the seventh aspect described above, or performing the method in any one of the possible designs of the eighth aspect or the eighth aspect described above.
In a twelfth aspect, the embodiments of the present application provide a computer program product, which, when read and executed by a computer, causes the computer to perform the method of the first aspect described above or any one of the possible designs of the first aspect, or performing the method in any one of the possible designs of the second aspect or the second aspect described above, or performing the method in any one of the possible designs of the third aspect or the third aspect described above, or performing the method of any one of the possible designs of the fourth aspect or the fourth aspect described above, or performing the method of any one of the possible designs of the fifth aspect or the fifth aspect described above, or performing the method in any one of the possible designs of the sixth aspect or the sixth aspect described above, or performing the method in any one of the possible designs of the seventh aspect or the seventh aspect described above, or performing the method in any one of the possible designs of the eighth aspect or the eighth aspect described above.
In a thirteenth aspect, an embodiment of the present application provides a communication system, where the communication system includes a unified data management network element and a terminal device. Optionally, a USIM card is provided in the terminal device. Optionally, the communication system may further include one or more of an access network device, an access management network element, an authentication service function network element, and a unified data storage network element.
Drawings
Fig. 1 is a schematic network architecture of a communication system according to an embodiment of the present application;
fig. 2 is a flowchart illustrating a communication method according to an embodiment of the present application;
fig. 3 is a schematic diagram of checking an AUTN provided in an embodiment of the present application;
fig. 4a and 4b are schematic diagrams of an AUTS algorithm provided in an embodiment of the present application;
fig. 5 is a specific example of a communication method provided in an embodiment of the present application;
fig. 6 is a flowchart illustrating another communication method according to an embodiment of the present application;
fig. 7 is a flowchart illustrating another communication method according to an embodiment of the present application;
fig. 8 is another specific example of a communication method provided in an embodiment of the present application;
fig. 9 is a flowchart illustrating another communication method according to an embodiment of the present application;
fig. 10 is a further specific example of the communication method provided in the embodiment of the present application;
fig. 11 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 12 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of another communication device according to an embodiment of the present application;
fig. 14 is another schematic structural diagram of another communication device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
The technical scheme of the embodiments of the application can be applied to various communication systems, for example: global system for mobile communications (GSM) systems, Code Division Multiple Access (CDMA) systems, Wideband Code Division Multiple Access (WCDMA) systems, General Packet Radio Service (GPRS), Long Term Evolution (LTE) systems, LTE Frequency Division Duplex (FDD) systems, LTE Time Division Duplex (TDD) systems, universal mobile telecommunications system (UMTS), Worldwide Interoperability for Microwave Access (WIMAX) communication systems, fifth generation (5G) or new radio (NR) systems, etc., or other similar communication systems applied to future communications.
Please refer to fig. 1, which is a schematic diagram of a network architecture of a communication system applicable to an embodiment of the present application, where the network architecture includes a terminal device, an access network device, an access management network element, a session management network element, a user plane network element, a policy control network element, a network slice selection network element, a network warehouse function network element, a network data analysis network element, a unified data management network element, a unified data storage network element, an authentication service function network element, a network capability opening network element, an application function network element, and a Data Network (DN) connected to an operator network. The terminal equipment can send service data to the data network through the access network equipment and the user plane network element, and receive the service data from the data network.
The terminal equipment has a wireless transceiving function and can be deployed on land, including indoor or outdoor, handheld, wearable or vehicle-mounted terminals; it can also be deployed on the water surface (such as on a ship). The terminal device may be a mobile phone, a tablet (Pad), a computer with wireless transceiving function, a Mobile Internet Device (MID), a wearable device, a Virtual Reality (VR) terminal device, an Augmented Reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation security, a wireless terminal in smart city, a wireless terminal in the home application field, etc. The terminal device may also be referred to as a User Equipment (UE), a mobile station, a remote station, and the like, and the embodiments of the present application do not limit the specific technology, the device form, and the name adopted by the terminal device.
An access network device is a device in a network for accessing a terminal device to a wireless network. The access network device may be a node in a radio access network, which may also be referred to as a base station, and may also be referred to as a Radio Access Network (RAN) node (or device). The network device may include an evolved Node B (NodeB or eNB or e-NodeB) in a Long Term Evolution (LTE) system or an evolved LTE system (LTE-Advanced, LTE-A), such as a conventional macro base station eNB and a micro base station eNB in a heterogeneous network scenario, or may also include a next generation Node B (gNB) in a fifth generation mobile communication technology (5G) New Radio (NR) system, or may also include a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a Transmission Reception Point (TRP), a home base station (e.g., a home base station, base station B, base station unit, HNB, BBU), a baseband pool BBU port, or a WiFi Access Point (AP), and may further include a Centralized Unit (CU) and a Distributed Unit (DU) in a cloud radio access network (CloudRAN) system, which is not limited in the embodiments of the present application. In a scenario of separate deployment of an access network device including a CU and a DU, the CU supports Radio Resource Control (RRC), Packet Data Convergence Protocol (PDCP), Service Data Adaptation Protocol (SDAP), and other protocols; the DU mainly supports Radio Link Control (RLC), Medium Access Control (MAC) and physical layer protocols.
An access management network element, which is mainly used for the attachment of a terminal in a mobile network, mobility management, and tracking area update processes, terminates a Non Access Stratum (NAS) message, completes registration management, connection management, reachability management, tracking area list (list) allocation, mobility management, and the like, and transparently routes a Session Management (SM) message to the session management network element. In a fifth generation (5G) communication system, the access management network element may be an access and mobility management function (AMF), and in a future communication system (e.g. a 6G communication system), the mobility management network element may still be an AMF network element, or may also have other names, which is not limited in this application.
The session management network element is mainly used for session management in a mobile network, such as session establishment, modification and release. The specific functions include allocating an Internet Protocol (IP) address to the terminal, selecting a user plane network element providing a message forwarding function, and the like. In the 5G communication system, the session management network element may be a Session Management Function (SMF), and in a future communication system (e.g. a 6G communication system), the session management network element may still be an SMF network element, or may also have another name, which is not limited in this application.
The user plane network element is mainly used for processing user messages, such as forwarding, charging, legal monitoring and the like. The user plane network element may also be referred to as a Protocol Data Unit (PDU) session anchor (PSA). In a 5G communication system, the user plane network element may be a User Plane Function (UPF), and in a future communication system (e.g., a 6G communication system), the user plane network element may still be a UPF network element, or may also have other names, which is not limited in this application.
The policy control network element includes a user subscription data management function, a policy control function, a charging policy control function, quality of service (QoS) control, and the like. In a 5G communication system, the policy control network element may be a Policy Control Function (PCF), and in a future communication system (e.g. a 6G communication system), the policy control network element may still be a PCF network element, or may also have other names, which is not limited in this application.
And the authentication service function network element is mainly used for carrying out security authentication on the terminal equipment. In the 5G communication system, the authentication service function network element may be an authentication server function (AUSF), and in a future communication system (e.g., a 6G communication system), the authentication service function network element may still be an AUSF network element, or may also have other names, which is not limited in this application.
And the unified data management network element is mainly used for managing the subscription information of the terminal equipment. For example, in the authentication process, calculation of an authentication vector, key deduction, user identification decryption, and the like are performed, and in the resynchronization process, the AUTS is verified according to a corresponding algorithm, and a re-authentication process is initiated. In the 5G communication system, the unified data management network element may be a Unified Data Management (UDM), and in a future communication system (e.g. a 6G communication system), the unified data management network element may still be a UDM network element, or may also have other names, which is not limited in this application.
The unified data storage network element is mainly used for storing structured data information, wherein the structured data information comprises subscription information, strategy information and network data or service data defined by a standard format. In the 5G communication system, the unified data storage network element may be a unified data storage (UDR), and in a future communication system (e.g. a 6G communication system), the unified data storage network element may still be a UDR network element, or may also have other names, which is not limited in this application.
The network slice selection functional network element is mainly used for selecting a proper network slice for the service of the terminal equipment. In the 5G communication system, the network slice selection network element may be a Network Slice Selection Function (NSSF) network element, and in a future communication system (e.g., a 6G communication system), the network slice selection network element may still be an NSSF network element, or may also have other names, which is not limited in this application.
The network warehouse function network element is mainly used for providing registration and discovery functions of the network element or services provided by the network element. In the 5G communication system, the network warehouse function network element may be a network warehouse function (NRF), and in a future communication system (e.g. 6G communication system), the network warehouse function network element may still be an NRF network element, or may also have other names, which is not limited in this application.
The network data analysis network element may collect data from various Network Functions (NF), such as a policy control network element, a session management network element, a user plane network element, an access management network element, and an application function network element (through a network capability open function network element), and perform analysis and prediction. In the 5G communication system, the network data analysis network element may be a network data analysis function (NWDAF), and in a future communication system (e.g. a 6G communication system), the network data analysis network element may still be an NWDAF network element, or may also have other names, which is not limited in this application.
The network capability opening network element is used to expose part of the functions of the network to applications in a controlled manner. In the 5G communication system, the network capability opening network element may be a network exposure function (NEF), and in a future communication system (e.g., a 6G communication system), the network capability opening network element may still be an NEF network element, or may also have another name, which is not limited in this application.
The application function network element may provide service data of various applications to a control plane network element of a communication network of an operator, or obtain data information and control information of the network from the control plane network element of the communication network. In the 5G communication system, the application function network element may be an Application Function (AF), and in a future communication system (e.g. a 6G communication system), the application function network element may still be an AF network element, or may also have other names, which is not limited in this application.
And the data network is mainly used for providing data transmission service for the terminal equipment. The data network may be a private network, such as a local area network, a Public Data Network (PDN) network, such as the Internet (Internet), or a private network co-deployed by an operator, such as an IP multimedia network subsystem (IMS) service.
It should be understood that the above network elements or functions may be network elements in a hardware device, or may be software functions running on dedicated hardware, or virtualization functions instantiated on a platform (e.g., a cloud platform).
For convenience of description, in the following description, a unified data management network element is an UDM network element, an authentication service function network element is an AUSF network element, and an access management network element is an AMF network element, which is taken as an example for description. Further, the UDM network element is abbreviated as UDM, the AUSF network element is abbreviated as AUSF, and the AMF network element is abbreviated as AMF. That is, UDMs described later in this application may be replaced with unified data management network elements, AUSFs may be replaced with authentication service function network elements, and AMFs may be replaced with access management network elements.
It should be noted that the terms "system" and "network" in the embodiments of the present application may be used interchangeably. The "plurality" means two or more, and in view of this, the "plurality" may also be understood as "at least two" in the embodiments of the present application. "at least one" is to be understood as meaning one or more, for example one, two or more. For example, the inclusion of at least one means that one, two or more are included, and does not limit which is included. For example, at least one of A, B and C is included, then inclusion can be A, B, C, A and B, A and C, B and C, or A and B and C. Similarly, the understanding of the description of "at least one" and the like is similar. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" generally indicates that the preceding and following related objects are in an "or" relationship, unless otherwise specified.
Unless stated to the contrary, the embodiments of the present application refer to the ordinal numbers "first", "second", etc., for distinguishing between a plurality of objects, and do not define the order, sequence, priority, or importance of the plurality of objects, and the descriptions of "first", "second", etc., do not define that the objects are necessarily different.
Example one
Please refer to fig. 2, which is a flowchart illustrating a communication method according to an embodiment of the present application, where the method specifically includes the following steps:
step S201, the UDM receives an authentication service request;
optionally, the authentication service request includes a resynchronization authentication token AUTS, where the AUTS indicates that the terminal device has determined that the sequence number SQN in the authentication token (AUTN) is not within the correct range.
In an embodiment of the present application, the UDM may receive the authentication service request from the AMF or the AUSF. That is, the AMF may directly send the authentication service request to the UDM, or may send the authentication service request to the AUSF, and then the AUSF forwards the authentication service request to the terminal device.
Optionally, the UDM may also receive an authentication service request from another network function NF, which is not limited in this application.
Further, the embodiments of the present application can be applied to the authentication process of the terminal device; the terminal device determining that the sequence number SQN in the authentication token AUTN is not in the correct range may mean that the terminal device determines that the sequence number in the authentication token AUTN is less than or equal to the sequence number SQN_MS stored in the terminal device.
Specifically, before step S201 is performed, the terminal device may receive an authentication request message from the AMF, where the authentication request message includes a random number RAND and an authentication token AUTN, and the authentication token AUTN further includes parameters such as a sequence number SQN, an anonymity key (AK), an authentication management field (AMF; here the field inside AUTN, not the access and mobility management function that shares the abbreviation), and a message authentication code (MAC). The terminal device may verify the authentication token AUTN included in the authentication request message; if the terminal device finds that the sequence number SQN in the authentication token AUTN is not within the correct range, the terminal device may generate a resynchronization authentication token AUTS and send an authentication failure message to the AMF, where the authentication failure message carries the calculated resynchronization authentication token AUTS, and the AUTS indicates that the terminal device has determined that the sequence number SQN in the authentication token AUTN is not within the correct range. Subsequently, after receiving the authentication failure message from the terminal device, the AMF may send an authentication service request to the UDM or AUSF, where the authentication service request includes the resynchronization authentication token AUTS calculated by the terminal device.
Optionally, a Universal Subscriber Identity Module (USIM) card may be installed in the terminal device, where the USIM card is a phone card sent by an operator to a user, and a root key K and a series of subscription configuration information that are consistent with a home network side are stored in the USIM card. After receiving the authentication request message from the AMF, the terminal equipment may send the random number RAND and the authentication token AUTN therein to a USIM card in the terminal equipment, and the USIM card verifies the authentication token AUTN.
As shown in fig. 3, the USIM card may first calculate an expected message authentication code (XMAC) from the authentication token AUTN, the random number RAND, and the root key K, and then compare the resulting XMAC with the MAC in the authentication token AUTN. If XMAC is inconsistent with MAC, it indicates that the MAC check fails, the terminal device may send an authentication failure message to the AMF, and indicate that the specific failure reason in the authentication failure message is MAC failure (MAC failure), and then the AMF initiates a re-authentication process according to the authentication failure message.
If XMAC is consistent with MAC, the MAC verification succeeds, and the USIM card may further verify the sequence number SQN in the authentication token AUTN. The USIM card can compare the sequence number SQN in the authentication token AUTN with the sequence number SQN_MS stored in the USIM card; if the SQN in the authentication token AUTN is outside the correct range, that is, the sequence number SQN in the authentication token AUTN is less than or equal to the sequence number SQN_MS stored in the USIM card, the SQN check is considered failed, the USIM card may calculate the AUTS, and the terminal device may then send an authentication failure message to the AMF, where the authentication failure message indicates that the specific failure reason is synchronization failure (synch failure) and further includes the resynchronization authentication token AUTS calculated by the USIM card after the SQN check failed; the AUTS indicates that the USIM card has determined that the sequence number SQN in the AUTN is not in the correct range. Optionally, the authentication failure message may further include the random number RAND.
In this embodiment of the present application, a terminal device (or USIM card) may employ multiple possible AUTS algorithms to calculate an AUTS. Please refer to fig. 4a, which is a schematic diagram of an AUTS algorithm provided in this embodiment of the present application, where the AUTS satisfies the following relationship (formula one):
AUTS = (SQN_MS ⊕ AK) || MAC-S
As can be seen from formula one, AUTS equals SQN_MS exclusive-or'd with AK, concatenated with MAC-S. Here SQN_MS is the terminal device sequence number, i.e. the highest sequence number accepted by the USIM card; ⊕ (or xor) represents exclusive or; AK is the anonymity key, AK = f5(RAND, K), where f5() is a function, RAND and K are its parameters, RAND is a random number and K is the root key; || represents concatenation; and MAC-S is a message authentication code calculated by the USIM card to integrity-protect SQN_MS, MAC-S = f1*(SQN_MS, K, RAND, AMF), where f1*() is another function and AMF is the authentication management field.
Please refer to fig. 4b, which is a schematic diagram of another AUTS algorithm provided in the embodiment of the present application, in which the AUTS also satisfies the relationship in formula one:
AUTS = (SQN_MS ⊕ AK) || MAC-S
It should be noted, however, that the AUTS algorithm shown in fig. 4b differs from the AUTS algorithm shown in fig. 4a in that the calculation of the anonymity key AK also takes the MAC-S as input, i.e. AK = f5(RAND, K, MAC-S), corresponding to the dashed connection shown in fig. 4b; because the anonymity key now depends on MAC-S as well, this AUTS algorithm can effectively prevent guessing attacks against SQN.
Step S202, the UDM obtains indication information corresponding to the terminal equipment, and the indication information corresponding to the terminal equipment is used for indicating the terminal equipment to calculate a first AUTS algorithm adopted by the AUTS.
In this embodiment of the application, the indication information may be associated with an identifier of the terminal device or an identifier of the USIM card or a subscriber identifier (for example, a subscription permanent identifier (SUPI), an International Mobile Subscriber Identity (IMSI), a General Public Subscription Identifier (GPSI), or the like), and is used to directly or indirectly indicate the first AUTS algorithm used by the terminal device (or the USIM card) to calculate the resynchronization authentication token AUTS. For example, the indication information may be an identifier of a first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or the indication information may include an identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or there is a certain mapping relationship between the indication information and the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or the indication information may also be used to indicate whether the terminal device (or USIM card) supports a new AUTS algorithm, or the indication information may also be used to indicate whether the USIM card is a new card, or the indication information may also be information such as a type, a batch, or a version (release) of the USIM card. It should be understood that the first AUTS algorithm may be one of the two AUTS algorithms described above, or may be another AUTS algorithm, and the application is not limited thereto.
In one possible design, the indication information corresponding to the terminal device may be configured in the UDM in advance. In this way, after receiving the authentication failure message, the UDM may obtain or query the indication information corresponding to the terminal device from the local configuration according to the identifier of the terminal device or the identifier of the USIM card or the user identifier, for example, SUPI, and then determine, according to the indication information, that the terminal device (or USIM card) calculates the first AUTS algorithm used by the AUTS.
Optionally, the indication information corresponding to the terminal device may be included in subscription data of the terminal device, and the subscription data may also be referred to as user subscription data. That is, the UDM stores the user subscription data of the terminal device, and the operator may set the indication information in the user subscription data of the terminal device in advance, so as to directly or indirectly indicate the first AUTS algorithm adopted by the terminal device (or USIM card) to calculate the AUTS.
Optionally, a subscription feature list at user granularity may also be maintained in the UDM, for indicating which features are supported or not supported by the terminal equipment (or USIM card), for example, whether a new AUTS algorithm is supported, or type, batch, or version information of the USIM card, etc. The UDM may also determine, according to the features supported by the terminal device listed in the subscription feature list corresponding to the terminal device, a first AUTS algorithm that is adopted when the terminal device (or USIM card) calculates an AUTS. That is, the subscription characteristic list corresponding to the terminal device may also be understood as a specific embodiment of the above indication information.
In another possible design, the indication information corresponding to the terminal device may also be configured in the UDR, and after receiving the authentication service request, the UDM may obtain the indication information corresponding to the terminal device from the UDR.
For example, the UDR may store user subscription data of the terminal device, and the operator may set the indication information in the user subscription data of the terminal device in advance. Thus, after receiving the authentication service request, the UDM may send a service invocation request to the UDR according to the identifier of the terminal device or the identifier of the USIM card or the user identifier, where the service invocation request is used to request the user subscription data of the terminal device. Optionally, the service invocation request may include an identifier of a terminal device, an identifier of a USIM card, or a user identifier, and the service invocation request may also be referred to as a service request, a service request message, a service invocation request message, or the like, which is not limited in this application.
The UDR may receive the service invocation request, and send a service response to the UDM, where the service response is in response to the service invocation request sent by the UDM, and the service response includes indication information corresponding to the terminal device, and the indication information may be included in the user subscription data of the terminal device in the service response, or may be included in other cells or a newly added cell of the service response message, which is not limited in this application. Optionally, the service response may further include a subscription characteristic list corresponding to the terminal device.
It should be understood that the indication information corresponding to the terminal device may also be configured in the UDR independently, and is not included in the user subscription data of the terminal device. Therefore, the service call request sent by the UDM to the UDR may be used to request the indication information corresponding to the terminal device, and correspondingly, the service response returned by the UDR to the UDM may include the indication information corresponding to the terminal device, but does not include the user subscription data of the terminal device. Optionally, the service response may further include a subscription characteristic list corresponding to the terminal device.
Step S203, the UDM checks the AUTS according to the first AUTS algorithm.
Optionally, the UDM may determine the first AUTS algorithm according to the identifier of the terminal device included in the authentication service request and the indication information corresponding to the terminal device acquired in step S202.
Specifically, the UDM checking the AUTS by using the first AUTS algorithm may include: obtaining the mobile terminal sequence number SQN_MS from the AUTS by using the first AUTS algorithm, then calculating the MAC, and if the calculated MAC is consistent with the MAC-S included in the AUTS, the AUTS is verified successfully.
If the AUTS is successfully verified, the UDM can resynchronize the SQN stored at the network side, and then the resynchronized SQN is used for reinitiating the authentication process aiming at the terminal equipment.
Therefore, by setting the indication information corresponding to the terminal equipment in the UDM or the UDR, the UDM can identify the AUTS algorithm adopted when the terminal equipment (or USIM card) calculates the AUTS, and verify the AUTS calculated by the terminal equipment by adopting the AUTS algorithm consistent with the terminal equipment (or USIM card), so as to avoid the problem of resynchronization failure caused by inconsistency between the UDM and the AUTS algorithm adopted by the terminal equipment, and enable the resynchronization flow and the subsequent authentication flow of the terminal equipment to be performed normally.
Referring to fig. 5, a specific example of a communication method provided in the first embodiment of the present application is shown, where the specific example includes the following steps:

Step S5001, configuring indication information in the user subscription data of the terminal device stored in the UDM, where the indication information is used to indicate the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS. For example, the indication information may be an identifier of the first AUTS algorithm used by the terminal device (or USIM card), or the indication information may include an identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or there is a mapping relationship between the indication information and the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or the indication information may be information indicating whether the terminal device (or USIM card) supports a new AUTS algorithm, or information indicating whether the USIM card is a new card, or information such as the type, batch, or version of the USIM card, or a subscription characteristic list of the terminal device (or USIM card). It should be understood that this step S5001 corresponds to one specific implementation manner in the first embodiment, namely that the indication information corresponding to the terminal device is configured in the UDM.
Step S5002, configuring the indication information in the user subscription data of the terminal device stored in the UDR, or configuring the indication information in other information in the UDR, or configuring the indication information in the UDR independently. Here too, the indication information is used to indicate the first AUTS algorithm employed by the terminal device (or USIM card). For the specific forms the indication information may take, refer to the description in step S5001.
Step S501, the UDM obtains user subscription data of the terminal device from the UDR, where the user subscription data includes indication information corresponding to the terminal device. This step S501 may further specifically include the steps of sending, by the UDM, a service invocation request to the UDR, and sending, by the UDR, a service response message to the UDM in response to the service invocation request, which will not be described in detail herein. The term "obtaining" may also be understood as a querying, invoking, receiving, or the like action.
It should be understood that steps S5002 and S501 correspond to another specific implementation manner in the first embodiment, that is, indication information of the terminal device is configured in the UDR. As can be seen, the methods shown in step S5001, step S5002 and step S501 are two parallel embodiments, and in practical applications, one of the two paths may be executed.
Step S502, an authentication procedure (authentication procedure) between the terminal device and the UDM is performed. Which comprises the following steps: the AMF sends an authentication request message to the terminal equipment, wherein the authentication request message comprises a random number RAND and an authentication token AUTN.
Step S503, the terminal device verifies the sequence number SQN in the authentication token AUTN, and if the verification SQN is not within the correct range, the terminal device calculates the resynchronization authentication token AUTS and initiates a resynchronization procedure. Optionally, the terminal device may further check a message authentication code MAC in the authentication token AUTN, and the check of the message authentication code MAC may be performed before the check of the sequence number SQN. Optionally, the actions of checking the message authentication code MAC and the sequence number SQN and calculating the resynchronization authentication token AUTS may also be performed by a USIM card in the terminal device.
In step S504, the terminal device sends an authentication failure message (authentication failure) to the AMF, where the authentication failure message includes a resynchronization authentication token AUTS and a random number RAND.
In step S505, the AMF sends an authentication service request to the AUSF, where the authentication service request includes the resynchronization authentication token AUTS and the random number RAND. Optionally, the authentication service request may further include an identifier of the terminal device, an identifier of the USIM card, or a user identifier such as the SUPI. It should be understood that the authentication service request described in this step is a service invocation message between network elements, and may also be referred to as a service request message or a service invocation request message, or may have another name, such as Nausf_UEAuthentication_Authenticate request, which is not limited in this application.
In step S506, the AUSF sends an authentication service request to the UDM, where the authentication service request includes the resynchronization authentication token AUTS and the random number RAND. Optionally, the authentication service request may further include an identifier of the terminal device, an identifier of the USIM card, or a user identifier such as the SUPI. It should be understood that the authentication service request described in this step is also a service invocation message between network elements, and may also be referred to as a service request message or a service invocation request message, or may have another name, such as Nudm_UEAuthentication_Get, which is not limited in this application. The form and content of the authentication service requests mentioned in step S505 and step S506 may be the same or different, and the present application is not limited thereto.
Step S507, the UDM receives the authentication service request, queries the user subscription data according to the identifier of the terminal device or the identifier of the USIM card or the user identifier, for example, SUPI, determines the indication information corresponding to the terminal device, and further determines the first AUTS algorithm used by the terminal device (or the USIM card) to calculate the AUTS according to the indication information.
And step S508, the UDM verifies the AUTS according to the first AUTS algorithm, and the SQN is resynchronized after the AUTS is successfully verified.
In step S509, the authentication process between the terminal device and the UDM is re-executed.
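The first embodiment as an added, runnable illustration (example code written for this page, not the patent's own): the USIM computes AUTS under one of two AUTS algorithm variants, and the UDM selects the verification algorithm from the indication information held in the subscription record before checking MAC-S. The f1*/f5* functions are HMAC-SHA256 stand-ins, the variant names "A" and "B", the placeholder SUPI and all byte values are constructed assumptions; variant "B" binds AK to MAC-S in the AK = f5*(RAND, K, MAC-S) form the description of formula three mentions later.

```python
import hashlib
import hmac

# Constructed sample values (not from the patent): 128-bit root key K, 128-bit RAND,
# 16-bit AMF field and the 48-bit SQN_MS held by the USIM.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
RAND = bytes.fromhex("1f2e3d4c5b6a79880f1e2d3c4b5a6978")
AMF = bytes.fromhex("0000")
SQN_MS = bytes.fromhex("000000000123")

# Indication information as configured in the UDM (or fetched from the UDR) in the
# first embodiment: a constructed subscription record keyed by a placeholder SUPI,
# holding the identifier of the AUTS algorithm this USIM uses ("A"/"B" are assumed names).
SUBSCRIPTION_DATA = {
    "supi-example-001": {"auts_algorithm": "B"},
}


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 stand-in for the f1*/f5* functions (assumption; MILENAGE is not reproduced).
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def f1_star(k: bytes, amf: bytes, rand: bytes, sqn_ms: bytes) -> bytes:
    """Resynchronisation MAC, MAC-S = f1*(AMF, RAND, K, SQN_MS), truncated to 64 bits."""
    return _prf(k, b"f1*", amf, rand, sqn_ms)[:8]


def f5_star(k: bytes, rand: bytes, mac_s: bytes = b"") -> bytes:
    """Anonymity key AK (48 bits). With mac_s given this is the AK = f5*(RAND, K, MAC-S) variant."""
    return _prf(k, b"f5*", rand, mac_s)[:6]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def compute_auts(k: bytes, amf: bytes, rand: bytes, sqn_ms: bytes, algo: str) -> bytes:
    """USIM side: AUTS = (SQN_MS xor AK) || MAC-S, with AK derived by the algorithm variant."""
    mac_s = f1_star(k, amf, rand, sqn_ms)
    ak = f5_star(k, rand) if algo == "A" else f5_star(k, rand, mac_s)
    return _xor(sqn_ms, ak) + mac_s


def verify_auts(k: bytes, amf: bytes, rand: bytes, auts: bytes, algo: str):
    """UDM side of step S203/S508: recover SQN_MS using the named variant, recompute MAC-S
    and compare it with the MAC-S carried in AUTS. Returns SQN_MS, or None on failure."""
    conc, mac_s = auts[:6], auts[6:]
    ak = f5_star(k, rand) if algo == "A" else f5_star(k, rand, mac_s)
    sqn_ms = _xor(conc, ak)
    if hmac.compare_digest(f1_star(k, amf, rand, sqn_ms), mac_s):
        return sqn_ms
    return None


def udm_resynchronise(supi: str, k: bytes, amf: bytes, rand: bytes, auts: bytes):
    """Steps S202-S203: read the indication information for this subscriber, pick the
    matching AUTS algorithm, verify AUTS, and return the SQN the network side should
    resynchronise to (None means the resynchronisation fails)."""
    algo = SUBSCRIPTION_DATA[supi]["auts_algorithm"]
    return verify_auts(k, amf, rand, auts, algo)


if __name__ == "__main__":
    auts = compute_auts(K, AMF, RAND, SQN_MS, "B")          # the USIM uses algorithm "B"
    print("with indication:", udm_resynchronise("supi-example-001", K, AMF, RAND, auts))
    print("wrong algorithm:", verify_auts(K, AMF, RAND, auts, "A"))   # None: resync fails
```

Verifying the same AUTS with the other variant returns None, which is the resynchronization failure the indication information is meant to prevent.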
Example two
Please refer to fig. 6, which is a flowchart illustrating another communication method according to an embodiment of the present application, where the method specifically includes the following steps:
step S601, the terminal device determines that the sequence number SQN in the authentication token AUTN is not in the correct range.
In this embodiment of the application, before step S601 is executed, the terminal device may receive an authentication request message from the AMF, where the authentication request message includes a random number RAND and an authentication token AUTN, and the authentication token AUTN may specifically include parameters such as a sequence number SQN, an anonymity key AK, an authentication management field AMF, and a message authentication code MAC. In this way, the terminal device (or the USIM card in the terminal device) may verify the authentication token AUTN in the authentication request message, and if the sequence number SQN in the authentication token AUTN is not in the correct range, for example, if the sequence number SQN in the authentication token AUTN is smaller than or equal to the sequence number SQN_MS stored in the terminal device (or the USIM card), then the SQN check may be deemed to have failed.
Optionally, the terminal device (or USIM card) may check the MAC in the authentication token AUTN first, and check the sequence number SQN in the authentication token AUTN after the MAC fails to be checked. Here, checking the MAC in the authentication token AUTN means that XMAC is calculated from the authentication token AUTN, the random number RAND, and the root key K, and then the obtained XMAC is compared with the MAC in the authentication token AUTN, and if the XMAC and the MAC are consistent, the check is considered to be successful, and if the XMAC and the MAC are not consistent, the check is considered to be failed. Of course, other MAC verification methods may be used, and the present application is not limited thereto.
Step S602, the terminal device calculates a resynchronization authentication token AUTS, and encrypts the AUTS and the indication information corresponding to the terminal device to obtain an encrypted resynchronization authentication token AUTS.
In step S602, the AUTS is used to indicate that the terminal device has determined that the sequence number SQN in the authentication token AUTN is not within the correct range; the terminal device may use an algorithm as shown in fig. 4a or fig. 4b to calculate the AUTS, or may use another algorithm to calculate the AUTS, which is not limited in this application.
In addition, the terminal device may further generate indication information corresponding to the terminal device according to the first AUTS algorithm adopted for calculating the AUTS, where the indication information is associated with an identity of the terminal device, an identity of the USIM card, or a user identity (e.g., SUPI) and is used for indicating the AUTS algorithm adopted by the terminal device to calculate the AUTS. For example, the terminal device may generate the indication information according to an identifier of the first AUTS algorithm used for calculating the AUTS, where the indication information may be, may include, or may have a mapping relationship with the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS. For another example, the indication information may be a flag bit indicating whether the terminal device (or USIM card) supports a new AUTS algorithm, or whether the USIM card is a new card, where, for example, the flag bit indicates support when set to 1 and non-support when set to 0. For another example, the indication information may be information such as the type, batch, or version of the USIM card, where there is an association between such information and the AUTS algorithm used by the terminal device. For another example, the indication information may be a subscription characteristic list of the terminal device (or USIM card), where there is likewise an association between the subscription characteristics supported by the terminal device and the first AUTS algorithm adopted by the terminal device.
Further, the terminal device encrypts the AUTS together with the indication information corresponding to the terminal device, which may be expressed as:

AUTS* = Enc(K, AUTS, indication)   (formula two)

where K is an encryption key, AUTS* denotes the encrypted resynchronization authentication token (written with an asterisk here only to distinguish it from the plaintext AUTS), Enc() represents an encryption function, AUTS is the resynchronization authentication token, and indication is the indication information corresponding to the terminal device.
It can be understood that by encrypting the indication information corresponding to the AUTS and the terminal device and sending the encrypted AUTS to the UDM, the indication information corresponding to the AUTS and the terminal device can be protected, thereby facilitating the normal operation of the resynchronization process and improving the security of the authentication process.
It should be noted that, in this embodiment of the application, the terminal device may encrypt the resynchronization authentication token AUTS and the indication information corresponding to the terminal device by using the root key K, or by using a public key of the home network, or in the same manner in which the subscription concealed identifier (SUCI) is obtained by encrypting the SUPI, which is not limited in this application. That is, the encryption key K in formula two may be the root key K or the public key of the home network. Of course, the terminal device may also use other encryption algorithms, and the present application is not limited thereto.
Alternatively, the steps S601 and S602 may be specifically executed by a USIM card in the terminal equipment.
Step S603, the terminal device sends an authentication failure message to the AMF, where the authentication failure message includes an encrypted resynchronization authentication token AUTS.
Step S604, the AMF sends an authentication service request to the UDM, or the AMF sends an authentication service request to the AUSF, and then the AUSF sends the received authentication service request to the UDM, where the authentication service request includes an encrypted resynchronization authentication token AUTS.
Step S605, the UDM receives an authentication service request from the AMF or the AUSF, where the authentication service request includes the encrypted resynchronization authentication token AUTS, and the AUTS is used to indicate that the terminal device has determined that the sequence number SQN in the authentication token AUTN is not within the correct range.
Step S606, the UDM decrypts the encrypted resynchronization authentication token AUTS to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS.
In step S606, the UDM may decrypt the encrypted resynchronization authentication token AUTS using the root key K, or the UDM may decrypt the encrypted resynchronization authentication token AUTS using a private key of the home network, or the UDM may decrypt the encrypted resynchronization authentication token AUTS in a manner that SUPI is obtained based on SUCI decryption. Of course, the UDM may also use other decryption algorithms for decryption, and the present application is not limited thereto.
It should be noted that the decryption algorithm employed by the UDM must match the encryption algorithm employed by the terminal device (or USIM card). Specifically, when the terminal device encrypts the resynchronization authentication token AUTS and the corresponding indication information by using the root key K, the UDM decrypts the encrypted resynchronization authentication token AUTS by using the root key K; when the terminal device encrypts them by using the public key of the home network, the UDM correspondingly decrypts the encrypted resynchronization authentication token AUTS by using the private key of the home network; and when the terminal device encrypts them in the manner in which the SUCI is obtained from the SUPI, the UDM correspondingly decrypts the encrypted resynchronization authentication token AUTS in the manner in which the SUPI is recovered from the SUCI.
And step S607, the UDM checks the AUTS according to the first AUTS algorithm.
Optionally, the UDM may determine the first AUTS algorithm according to the identifier of the terminal device and the indication information corresponding to the terminal device included in the authentication service request.
In the embodiment of the application, after the UDM decrypts to obtain the resynchronization authentication token AUTS, it can check the integrity of the resynchronization authentication token AUTS. Specifically, the UDM may obtain the SQN_MS of the terminal device (i.e. the highest sequence number SQN_MS accepted by the USIM card) from the AUTS according to the first AUTS algorithm, then calculate a message authentication code MAC according to the SQN_MS; and if the calculated MAC is consistent with the MAC-S acquired from the resynchronization authentication token AUTS, the integrity check of the AUTS is determined to be successful.
If the AUTS is successfully verified, the UDM can resynchronize the SQN stored at the network side, and then the resynchronized SQN is used for reinitiating the authentication process aiming at the terminal equipment.
Therefore, by adopting the technical scheme, the terminal equipment can carry out encryption protection on the corresponding indication information and the generated AUTS and send the AUTS to the UDM. Therefore, the UDM can determine the AUTS algorithm adopted by the terminal equipment according to the indication information sent by the terminal equipment, and then verify the AUTS sent by the terminal equipment by adopting the AUTS algorithm consistent with the AUTS algorithm adopted by the terminal equipment (or USIM card), so that the problem of resynchronization failure caused by inconsistency between the UDM and the AUTS algorithm adopted by the terminal equipment is avoided, the resynchronization flow and the subsequent authentication flow of the terminal equipment can be normally carried out, and meanwhile, the security of the authentication process can be improved.
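An added example (not the patent's own code) of the Enc(K, AUTS, indication) step of formula two and the matching decryption of step S606. Enc() is left unspecified on the page, so it is modelled here as an encrypt-then-MAC construction over a length-prefixed indication || AUTS under subkeys derived from K; the nonce, the byte values, the one-byte indication encoding and the indication-to-algorithm map are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values (not from the patent): root key K, a 14-byte AUTS
# (6-byte SQN_MS xor AK followed by an 8-byte MAC-S) and a one-byte indication.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
AUTS = bytes.fromhex("9a8b7c6d5e4f" "0011223344556677")
INDICATION = b"\x02"
NONCE = bytes.fromhex("0000000000000001")   # must be fresh for every encryption (assumption)
NONCE_LEN, TAG_LEN = 8, 16

# Constructed mapping from indication information to the AUTS algorithm the UDM
# verifies with (step S607); the algorithm identifiers are placeholders.
ALGORITHM_BY_INDICATION = {b"\x01": "auts-algorithm-1", b"\x02": "auts-algorithm-2"}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(k: bytes):
    # Separate encryption and MAC keys derived from K (constructed key separation).
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in for a real cipher, not a standard one.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def enc(k: bytes, auts: bytes, indication: bytes, nonce: bytes) -> bytes:
    """Stand-in for Enc(K, AUTS, indication) of formula two: the plaintext is
    len(indication) || indication || AUTS, encrypted and then authenticated."""
    k_enc, k_mac = _subkeys(k)
    plaintext = bytes([len(indication)]) + indication + auts
    ciphertext = _xor(plaintext, _keystream(k_enc, nonce, len(plaintext)))
    tag = hmac.new(k_mac, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


def dec(k: bytes, blob: bytes):
    """UDM side of step S606: check the tag first, then recover (AUTS, indication).
    Returns None when the key does not match the one the USIM used, i.e. when the
    encryption and decryption methods are inconsistent."""
    if len(blob) < NONCE_LEN + 1 + TAG_LEN:
        return None
    k_enc, k_mac = _subkeys(k)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = _xor(ciphertext, _keystream(k_enc, nonce, len(ciphertext)))
    n = plaintext[0]
    return plaintext[1 + n:], plaintext[1:1 + n]


def udm_select_algorithm(k: bytes, blob: bytes):
    """Steps S606-S607: decrypt, read the indication information and map it to the AUTS
    algorithm the UDM must use; None if decryption fails or the indication is unknown."""
    result = dec(k, blob)
    if result is None:
        return None
    auts, indication = result
    algorithm = ALGORITHM_BY_INDICATION.get(indication)
    return None if algorithm is None else (auts, algorithm)


if __name__ == "__main__":
    blob = enc(K, AUTS, INDICATION, NONCE)
    print(udm_select_algorithm(K, blob))
    print(udm_select_algorithm(bytes(16), blob))   # wrong key: None
```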
Example three
Please refer to fig. 7, which is a flowchart illustrating another communication method according to an embodiment of the present application, where the method specifically includes the following steps:
step S701, the terminal device determines that the sequence number SQN in the authentication token AUTN is not within the correct range.
The detailed implementation of step S701 may refer to the description in step S201 in the first embodiment or step S601 in the second embodiment, and is not repeated herein.
Step S702, the terminal device calculates a resynchronization authentication token AUTS according to the indication information corresponding to the terminal device.
In the embodiment of the present application, the indication information is used to directly or indirectly indicate the first AUTS algorithm adopted by the terminal device to calculate the AUTS, and the indication information is associated with an identity of the terminal device, an identity of the USIM card, or a user identity (e.g., SUPI). For example, the indication information may be an identifier of the first AUTS algorithm used by the terminal device (or USIM card), or the indication information may include an identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or there is a mapping relationship between the indication information and the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or the indication information may be information indicating whether the terminal device (or USIM card) supports a new AUTS algorithm, or information indicating whether the USIM card is a new card, or information such as the type, batch, or version of the USIM card, or a subscription characteristic list of the terminal device (or USIM card).
Specifically, in step S702, the terminal device may calculate the resynchronization authentication token AUTS in the following manner:

[formula three: the expression appears only as an image in the source and is not reproduced here]

where AUTS is the resynchronization authentication token, which can be used to indicate that the terminal device has determined that the sequence number SQN in the authentication token AUTN is not in the correct range; SQN_MS is the sequence number of the terminal device, i.e. the highest sequence number accepted in the USIM card; AK is an anonymity key, with AK = f5*(RAND, K) or AK = f5*(RAND, K, MAC-S'), where f5*() represents a function; RAND is a random number; K is the root key; indication is the indication information corresponding to the terminal device; MAC-S' is a message authentication code calculated from parameters in the AUTN, with MAC-S' = f1*(AMF, RAND, K, SQN_MS, indication), used for the protection of SQN_MS, where f1*() represents another function; AMF is the authentication management field; ⊕ represents exclusive or and || represents concatenation.
Note that the AUTS calculated by the above formula three is different from the AUTS calculated in the foregoing first and second embodiments, and for the sake of difference, the AUTS in the third embodiment may also be referred to as an AUTS'. Similarly, MAC-S may also be referred to as MAC-S'.
As can be seen from formula three, in the third embodiment the terminal device may carry the indication information corresponding to the terminal device when calculating the AUTS', and then integrity-protect the AUTS' by using the MAC-S'. Therefore, the AUTS' and the corresponding indication information sent to the UDM by the terminal device are protected and cannot be tampered with, which facilitates the normal operation of the resynchronization flow and at the same time improves the security of the authentication process. Note that carrying the indication information corresponding to the terminal device when calculating the AUTS' may also be understood as embedding the indication information into the AUTS', or as using the indication information as a newly added input parameter of the AUTS algorithm; that is, the method shown in formula three may also be understood as a new AUTS algorithm.
Alternatively, the steps S701 and S702 may also be specifically executed by a USIM card in the terminal equipment.
Step S703, the terminal device sends an authentication failure message to the AMF, where the authentication failure message includes the resynchronization authentication token AUTS'.
Step S704, the AMF sends an authentication service request to the UDM, or the AMF sends an authentication service request to the AUSF, and then the AUSF sends an authentication service request to the UDM, where the authentication service request includes a resynchronization authentication token AUTS'.
Step S705, the UDM receives an authentication service request from the AMF or the AUSF, where the authentication service request includes the resynchronization authentication token AUTS', which indicates that the terminal device has determined that the sequence number SQN in the authentication token AUTN is not within the correct range.
Step S706, the UDM obtains the indication information corresponding to the terminal device from the resynchronization authentication token AUTS', where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS.
Here, since the indication information corresponding to the terminal device is directly spliced into the AUTS', the UDM can read the indication information corresponding to the terminal device directly out of the AUTS'.
And step S707, the UDM checks the AUTS' according to the first AUTS algorithm.
In this embodiment, after obtaining the resynchronization authentication token AUTS', the UDM may verify the integrity of the resynchronization authentication token AUTS'. Specifically, the UDM determines the first AUTS algorithm according to the indication information corresponding to the terminal device obtained from the AUTS', calculates AK according to that algorithm, and then restores SQN_MS; it then calculates a message authentication code MAC' from the AMF, RAND, K, SQN_MS and indication parameters, and if the calculated MAC' is consistent with the MAC-S' acquired from the resynchronization authentication token AUTS', the integrity check of the AUTS' is determined to be successful.
If AUTS' is successfully verified, the UDM can resynchronize the SQN stored at the network side, and then the resynchronized SQN is used for reinitiating the authentication process aiming at the terminal equipment.
Therefore, by adopting the technical scheme, the terminal equipment can carry the corresponding indication information when calculating the AUTS ', and then sends the AUTS' to the UDM after integrity protection. Therefore, the UDM can obtain the indication information corresponding to the terminal equipment from the received AUTS ', then the AUTS algorithm adopted by the terminal equipment is determined according to the indication information sent by the terminal equipment, and the AUTS algorithm consistent with the terminal equipment (or USIM card) is adopted to verify the AUTS' sent by the terminal equipment, so that the problem of resynchronization failure caused by inconsistency between the AUTS algorithm adopted by the UDM and the AUTS algorithm adopted by the terminal equipment is avoided, the resynchronization flow and the subsequent authentication flow of the terminal equipment can be normally carried out, and meanwhile, the safety of the authentication process is improved.
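The AUTS' construction of the third embodiment and the UDM check of steps S706 and S707, as an added, runnable example (not from the patent): AUTS' = (SQN_MS ⊕ AK) || indication || MAC-S' with MAC-S' = f1*(AMF, RAND, K, SQN_MS, indication). The field layout, the one-byte indication encoding (0x01 selects AK = f5*(RAND, K), 0x02 selects AK = f5*(RAND, K, MAC-S')), the HMAC-SHA256 stand-ins for f1*/f5* and all byte values are assumptions.

```python
import hashlib
import hmac

# Constructed sample values (not from the patent).
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
RAND = bytes.fromhex("1f2e3d4c5b6a79880f1e2d3c4b5a6978")
AMF = bytes.fromhex("0000")
SQN_MS = bytes.fromhex("000000000123")

# One-byte indication information spliced into AUTS' (constructed encoding):
# 0x01 -> AK = f5*(RAND, K); 0x02 -> AK = f5*(RAND, K, MAC-S'), the two AK forms
# listed in the description of formula three.
IND_LEN = 1
AK_PLAIN, AK_BOUND = b"\x01", b"\x02"


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 stand-in for f1*/f5* (assumption; MILENAGE is not reproduced).
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def f1_star_prime(k: bytes, amf: bytes, rand: bytes, sqn_ms: bytes, indication: bytes) -> bytes:
    """MAC-S' = f1*(AMF, RAND, K, SQN_MS, indication), truncated to 64 bits."""
    return _prf(k, b"f1*", amf, rand, sqn_ms, indication)[:8]


def f5_star(k: bytes, rand: bytes, mac_s: bytes = b"") -> bytes:
    """AK (48 bits); with mac_s given this is the AK = f5*(RAND, K, MAC-S') form."""
    return _prf(k, b"f5*", rand, mac_s)[:6]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _ak_for(indication: bytes, k: bytes, rand: bytes, mac_s: bytes) -> bytes:
    """Derive AK with the algorithm the indication names (the 'first AUTS algorithm')."""
    if indication == AK_PLAIN:
        return f5_star(k, rand)
    if indication == AK_BOUND:
        return f5_star(k, rand, mac_s)
    raise ValueError("unknown AUTS algorithm indication")


def compute_auts_prime(k: bytes, amf: bytes, rand: bytes, sqn_ms: bytes, indication: bytes) -> bytes:
    """USIM side, step S702: AUTS' = (SQN_MS xor AK) || indication || MAC-S' (layout assumed)."""
    mac_s = f1_star_prime(k, amf, rand, sqn_ms, indication)
    ak = _ak_for(indication, k, rand, mac_s)
    return _xor(sqn_ms, ak) + indication + mac_s


def udm_check_auts_prime(k: bytes, amf: bytes, rand: bytes, auts_prime: bytes):
    """UDM side, steps S706-S707: read the indication straight out of AUTS', derive AK with
    the algorithm it names, restore SQN_MS, recompute MAC-S' and compare.
    Returns (indication, SQN_MS) on success, None if the check fails."""
    if len(auts_prime) != 6 + IND_LEN + 8:
        return None
    conc = auts_prime[:6]
    indication = auts_prime[6:6 + IND_LEN]
    mac_s = auts_prime[6 + IND_LEN:]
    try:
        ak = _ak_for(indication, k, rand, mac_s)
    except ValueError:
        return None
    sqn_ms = _xor(conc, ak)
    if not hmac.compare_digest(f1_star_prime(k, amf, rand, sqn_ms, indication), mac_s):
        return None
    return indication, sqn_ms


if __name__ == "__main__":
    auts_prime = compute_auts_prime(K, AMF, RAND, SQN_MS, AK_BOUND)
    print("valid:", udm_check_auts_prime(K, AMF, RAND, auts_prime))
    # Flipping the indication field to the other algorithm breaks MAC-S': the UDM rejects it.
    tampered = auts_prime[:6] + AK_PLAIN + auts_prime[7:]
    print("tampered:", udm_check_auts_prime(K, AMF, RAND, tampered))
```

Because the indication is an input to MAC-S', changing it in transit changes the expected MAC-S' and the UDM rejects the token instead of verifying it under the wrong algorithm.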
Referring to fig. 8, a specific example of the communication method provided in the second and third embodiments of the present application is shown, which specifically includes the following steps:
step S801, an authentication procedure (authentication procedure) between the terminal device and the UDM is executed. The authentication process may include: the AMF sends an authentication request message to the terminal equipment, wherein the authentication request message comprises a random number RAND and an authentication token AUTN.
Step S802, the terminal equipment checks a sequence number SQN in the authentication token AUTN, and if the SQN is not checked to be in a correct range, the terminal equipment calculates a resynchronization authentication token AUTS and starts a resynchronization flow. Optionally, the terminal device may further check a message authentication code MAC in the authentication token AUTN, and the check of the message authentication code MAC may be before the check of the sequence number SQN.
Corresponding to the second embodiment, in an implementation manner of step S802, the terminal device may further generate indication information, and encrypt the indication information and the calculated resynchronization authentication token AUTS to obtain an encrypted AUTS. The specific encryption manner can refer to the description in step S602, and is not repeated here.
Corresponding to the third embodiment, in another implementation manner of step S802, the terminal device may further generate indication information, and when calculating the resynchronization authentication token AUTS, further use the indication information as one of input parameters for calculating the AUTS, that is, calculate the AUTS according to the indication information corresponding to the terminal device. The specific manner of calculating the AUTS may refer to the description in step S702, and is not repeated here.
In step S803, the terminal device sends an authentication failure message (authentication failure) to the AMF, where the authentication failure message includes either the encrypted resynchronization authentication token AUTS or the resynchronization authentication token AUTS', together with the random number RAND.
Corresponding to the second embodiment, in an implementation manner of step S803, the authentication failure message includes an encrypted resynchronization authentication token AUTS, where the AUTS is obtained by encrypting, by the terminal device, the calculated AUTS and the corresponding indication information.
Corresponding to the third embodiment, in another implementation manner of step S803, the authentication failure message includes the resynchronization authentication token AUTS', where the AUTS' is generated by the terminal device according to the indication information corresponding to the terminal device, that is, when the terminal device calculates the AUTS', the corresponding indication information is also used as one of the input parameters.
Step S804, the AMF sends an authentication service request to the AUSF, where the authentication service request includes either the encrypted resynchronization authentication token AUTS or the resynchronization authentication token AUTS', together with the random number RAND.
Optionally, the authentication service request may further include an identifier of the terminal device or an identifier of the USIM card or a user identifier, such as SUPI.
In step S805, the AUSF sends the received authentication service request to the UDM, where the authentication service request includes either the encrypted resynchronization authentication token AUTS or the resynchronization authentication token AUTS', together with the random number RAND.
Optionally, the authentication service request may further include an identifier of the terminal device or an identifier of the USIM card or a user identifier, such as SUPI.
Step S806, the UDM receives the authentication service request, and determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
Corresponding to the second embodiment, in an implementation manner of step S806, the UDM decrypts the encrypted resynchronization authentication token AUTS in the received authentication service request to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, and then determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
Corresponding to the third embodiment, in an implementation manner of step S806, the UDM obtains the indication information corresponding to the terminal device from the resynchronization authentication token AUTS in the received authentication service request, checks the integrity of the AUTS according to the MAC-S', and then determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
And step S807, the UDM verifies the AUTS according to the first AUTS algorithm, resynchronizes the SQN after the verification is successful, and then initiates an authentication process again according to the synchronized SQN.
The specific process of checking the AUTS may refer to the description in step S607 or S707, and is not repeated here.
Step S808, re-executing the authentication process between the terminal device and the UDM.
Example four
The fourth embodiment is similar to the second embodiment. The difference is that in the second embodiment the actions performed by the terminal device and by the USIM card installed in it are not clearly distinguished, and some actions attributed to the terminal device may in fact be performed by the USIM card: for example, the USIM card may check the authentication token AUTN received by the terminal device, calculate the resynchronization authentication token AUTS after finding that the sequence number SQN in the AUTN is not within the correct range, and encrypt the AUTS together with the indication information to obtain the encrypted AUTS, which the terminal device then sends to the UDM via the AMF.
In the fourth embodiment, the actions performed by the terminal device and by the USIM card installed in it are described separately: the USIM card checks the authentication token AUTN received by the terminal device, calculates the resynchronization authentication token AUTS after finding that the sequence number SQN in the AUTN is not within the correct range, and sends the AUTS to the terminal device; the terminal device determines the corresponding indication information according to the configuration information of the USIM card, encrypts the indication information together with the AUTS received from the USIM card, and finally sends the result to the UDM via the AMF.
Please refer to fig. 9, which is a flowchart illustrating another communication method according to an embodiment of the present application, where the method specifically includes the following steps:
step S901, the USIM card determines that the sequence number SQN in the authentication token AUTN is not in the correct range.
In this embodiment, before performing step S901, the terminal device may receive the authentication request message from the AMF, send parameters, such as the authentication token AUTN and the random number RAND, included in the authentication request message to the USIM card installed in the terminal device, and verify the authentication token AUTN by the USIM card. For the specific checking process, reference may be made to the description in the foregoing embodiments, and details are not described herein again.
Similarly, the fact that the sequence number SQN in the authentication token AUTN is not within the correct range may mean that the USIM card determines that the sequence number in the authentication token AUTN is smaller than or equal to the sequence number SQN held in the USIM card.
Step S902, the USIM card calculates the resynchronization authentication token AUTS.
In step S902, the USIM card may calculate the resynchronization authentication token AUTS by using the algorithm shown in fig. 4a or 4b, or may calculate the resynchronization authentication token AUTS by using another algorithm, which is not limited in this application.
Step S903, the USIM card sends the resynchronization authentication token AUTS and the configuration information of the USIM card to the terminal equipment.
The configuration information may include information indicating the AUTS algorithm employed by the USIM card when calculating the AUTS, for example one or more of the following: the identifier of the first AUTS algorithm adopted by the USIM card, information indicating whether the USIM card supports a new AUTS algorithm, information indicating whether the USIM card is a new card, and information such as the type, batch or version (release) of the USIM card. Alternatively, the configuration information may include other information that can be used to distinguish the AUTS algorithm, which is not limited in this application.
Optionally, the USIM may also send the random number RAND to the terminal device.
Step S904, the terminal apparatus receives the resynchronization authentication token AUTS and the configuration information of the USIM card from the USIM card.
It should be noted that the terminal apparatus receiving the configuration information of the USIM card from the USIM card may also be understood as the terminal apparatus reading the configuration information of the USIM card, or the terminal apparatus acquiring the configuration information of the USIM card, or the like.
Step S905, the terminal equipment determines indication information according to the configuration information of the USIM card, where the indication information is used to indicate the first AUTS algorithm adopted by the USIM card to calculate the AUTS.
The indication information is associated with an identity of the terminal apparatus, or an identity of the USIM card or a subscriber identity (e.g., SUPI). For example, the indication information may be an identifier of a first AUTS algorithm used by the terminal equipment (USIM card), or the indication information may include an identifier of a first AUTS algorithm used by the terminal equipment (or USIM card) to calculate the AUTS, or there is a mapping relationship between the indication information and an identifier of a first AUTS algorithm used by the terminal equipment (or USIM card) to calculate the AUTS, or the indication information may also be information used to indicate whether the terminal equipment (or USIM card) supports a new AUTS algorithm, or the indication information may also be information used to indicate whether the USIM card is a new card, or the indication information may also be information such as a type, a batch, or a version of the USIM card, or the indication information may also be a subscription characteristic list of the terminal equipment (or USIM card).
It should be understood that the indication information may be part or all of the configuration information of the USIM card, or may be information derived and calculated according to the configuration information of the USIM card, and the application is not limited thereto.
Step S906, the terminal device encrypts the resynchronization authentication token AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS.
The detailed implementation of step S906 can refer to the description of step S602 in example two, and is not repeated here.
Step S907, the terminal device sends an authentication failure message to the AMF, where the authentication failure message includes the encrypted resynchronization authentication token AUTS; the encrypted AUTS may be used to indicate that the terminal device or the USIM card has determined that the sequence number SQN in the authentication token AUTN is not within the correct range. The authentication failure message is used to trigger the UDM to resynchronize the SQN.
Step S908, the AMF sends an authentication service request to the UDM, or the AMF sends an authentication service request to the AUSF, and then the AUSF sends the received authentication service request to the UDM, where the authentication service request includes an encrypted resynchronization authentication token AUTS.
In step S909, the UDM receives the authentication service request from the AMF or AUSF, and obtains the encrypted resynchronization authentication token AUTS in the authentication service request.
Step S910, the UDM decrypts the encrypted resynchronization authentication token AUTS to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device.
And step S911, the UDM checks the AUTS according to the first AUTS algorithm.
The detailed implementation of the steps S907 to S911 can refer to the steps S604 to S607 in the second embodiment, which are not repeated here.
Therefore, with this technical solution the terminal equipment can determine the AUTS algorithm adopted by the USIM card from the configuration information of the USIM card, encrypt the indication information for that algorithm together with the AUTS calculated by the USIM card, and send the result to the UDM, so that the resynchronization process proceeds normally even when the USIM card itself cannot generate or encrypt the indication information because of its limitations or improper configuration, which enhances the applicability of the method.
Referring to fig. 10, a further specific example of the communication method provided in the fourth embodiment of the present application is shown, where the example specifically includes the following steps:
step S1001, an authentication procedure (authentication procedure) between the terminal device and the UDM is executed. The authentication process may include: the AMF sends an authentication request message to the terminal equipment, wherein the authentication request message comprises a random number RAND and an authentication token AUTN.
In this step, the terminal apparatus may transmit the random number RAND and the authentication token AUTN included in the authentication request message to the USIM card installed in the terminal apparatus.
Step S1002, the USIM card in the terminal device checks the SQN in the authentication token AUTN, and if it finds that the SQN is not within the correct range, the USIM card may calculate the resynchronization authentication token AUTS. Optionally, the terminal device may further check the message authentication code MAC in the authentication token AUTN, and this check may precede the check of the sequence number SQN.
In this step, the USIM card may calculate the AUTS by using the algorithm shown in fig. 4a or fig. 4b, or may calculate the AUTS by using another algorithm, which is not limited in this application.
In step S1003, the USIM card may transmit the calculated resynchronization authentication token AUTS and the configuration information of the USIM card to the terminal device.
Specific embodiments of the configuration information of the USIM card may refer to the description in step S903 and will not be repeated here.
Step S1004, the terminal device generates indication information according to the received USIM card configuration information, and then encrypts the received resynchronization authentication token AUTS and the generated indication information to obtain an encrypted resynchronization authentication token AUTS.
The specific encryption manner can refer to the description in step S602, and is not repeated here.
In step S1005, the terminal device sends an authentication failure message (authentication failure) to the AMF, where the authentication failure message includes the encrypted resynchronization authentication token AUTS and the random number RAND.
In step S1006, the AMF sends an authentication service request to the AUSF, where the authentication service request includes an encrypted resynchronization authentication token AUTS and a random number RAND.
Optionally, the authentication service request may further include an identifier of the terminal device or an identifier of the USIM card or a user identifier, such as SUPI.
Step S1007, the AUSF sends the received authentication service request to the UDM, where the authentication service request includes the encrypted resynchronization authentication token AUTS and the random number RAND.
Optionally, the authentication service request may further include an identifier of the terminal device or an identifier of the USIM card or a user identifier, such as SUPI.
Step S1008, the UDM receives the authentication service request, decrypts the encrypted resynchronization authentication token AUTS in the received authentication service request, and obtains the resynchronization authentication token AUTS and the indication information corresponding to the terminal device.
Thus, the UDM determines a first AUTS algorithm according to the indication information corresponding to the terminal equipment.
Step S1009, the UDM checks the AUTS according to the first AUTS algorithm, resynchronizes the SQN after the checking is successful, and then initiates the authentication process again according to the synchronized SQN.
The specific process of checking the AUTS may refer to the description in step S607 or S707, and is not repeated here.
Step S1010, re-executing the authentication process between the terminal device and the UDM.
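The resynchronization flow of steps S901 to S911 and S1001 to S1010, together with the UDM-side check described later for the processing module 1120 (recover SQN_MS from the AUTS, recompute MAC-S, compare), as an added Python model that is not code from the patent or from any 3GPP implementation. It assumes HMAC-SHA256 stand-ins for f1*/f5* rather than Milenage or TUAK, two constructed AUTS algorithm variants in place of the algorithms of fig. 4a/4b, a constructed encrypt-then-MAC scheme in place of the page's unspecified encryption, and constructed keys and values throughout; it also shows that a UDM verifying with the wrong variant fails, which is why the indication information is carried.

```python
import hmac
import hashlib
import secrets

# --- Constructed demo parameters (not from the patent) ---
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")    # constructed long-term key K
RAND = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")  # constructed challenge RAND
AMF_STAR = b"\x00\x00"                                     # AMF* used when computing MAC-S
TK = hashlib.sha256(b"constructed transport key").digest() # stand-in for the key that
                                                           # protects AUTS towards the UDM

# Two AUTS algorithm variants. 0x01 is a plain Conc(SQN_MS)||MAC-S construction;
# 0x02 (constructed stand-in for the "new" algorithm) also binds the algorithm
# identifier into MAC-S. f1*/f5* below are HMAC-SHA256 stand-ins, not Milenage.
def f5_star(k, rand):
    return hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()[:6]   # AK*, 48 bit

def f1_star(k, sqn, rand, amf, alg_id):
    msg = b"f1*" + sqn + rand + amf
    if alg_id == 0x02:
        msg += bytes([alg_id])          # new variant: MAC-S covers the algorithm id
    return hmac.new(k, msg, hashlib.sha256).digest()[:8]             # MAC-S, 64 bit

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def usim_compute_auts(k, sqn_ms, rand, alg_id):
    """USIM side (steps S902 / S1002): AUTS = Conc(SQN_MS) || MAC-S."""
    conc = xor(sqn_ms, f5_star(k, rand))                  # SQN_MS xor AK*
    mac_s = f1_star(k, sqn_ms, rand, AMF_STAR, alg_id)
    return conc + mac_s                                   # 6 + 8 = 14 bytes

def terminal_build_indication(config):
    """Terminal side (step S905): derive indication info from the USIM configuration."""
    return bytes([config["auts_algorithm_id"]])

def encrypt_auts(tk, indication, auts):
    """Terminal side (step S906): encrypt indication||AUTS. Encrypt-then-MAC with an
    HMAC-derived keystream; a constructed stand-in for the page's unspecified scheme."""
    nonce = secrets.token_bytes(12)
    plain = indication + auts
    ks = hmac.new(tk, b"ks" + nonce, hashlib.sha256).digest()[:len(plain)]
    ct = xor(plain, ks)
    tag = hmac.new(tk, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def udm_decrypt_auts(tk, blob):
    """UDM side (steps S910 / S1008): check the tag, decrypt, split indication and AUTS.
    Returns (alg_id, auts) or None if the blob fails authentication."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(tk, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    ks = hmac.new(tk, b"ks" + nonce, hashlib.sha256).digest()[:len(ct)]
    plain = xor(ct, ks)
    return plain[0], plain[1:]

def udm_verify_auts(k, auts, rand, alg_id):
    """UDM side (steps S911 / S1009): recover SQN_MS, recompute MAC-S with the
    indicated algorithm and compare. Returns SQN_MS on success, else None."""
    conc, mac_s = auts[:6], auts[6:]
    sqn_ms = xor(conc, f5_star(k, rand))
    if not hmac.compare_digest(mac_s, f1_star(k, sqn_ms, rand, AMF_STAR, alg_id)):
        return None
    return sqn_ms                                         # UDM resynchronizes to this SQN

def resync_flow(config, sqn_ms, udm_guess=None):
    """End to end. udm_guess=None means the UDM uses the received indication;
    a value forces the UDM to assume that algorithm, as a UDM without the
    indication would have to. Returns the resynchronized SQN or None."""
    alg_id = config["auts_algorithm_id"]
    auts = usim_compute_auts(K, sqn_ms, RAND, alg_id)
    blob = encrypt_auts(TK, terminal_build_indication(config), auts)
    decrypted = udm_decrypt_auts(TK, blob)
    if decrypted is None:
        return None
    indication, auts_rx = decrypted
    chosen = indication if udm_guess is None else udm_guess
    return udm_verify_auts(K, auts_rx, RAND, chosen)

if __name__ == "__main__":
    cfg = {"auts_algorithm_id": 0x02, "release": "constructed"}   # constructed USIM config
    sqn = bytes.fromhex("000000000101")                            # constructed SQN_MS
    print("with indication:", resync_flow(cfg, sqn).hex())
    print("UDM assumes old algorithm:", resync_flow(cfg, sqn, udm_guess=0x01))
```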
Fig. 11 is a schematic structural diagram of a communication device according to an embodiment of the present application, where the communication device 1100 includes: a transceiver module 1110 and a processing module 1120. The communication device may be configured to implement the functions related to the unified data management network element in any of the above method embodiments, or to implement the functions related to the unified data storage network element in any of the above method embodiments. For example, the communication device may be a UDM network element or a UDR network element in the core network, and the network element or the network function may be a network element in a hardware device, a software function running on dedicated hardware, or a virtualization function instantiated on a platform (e.g., a cloud platform). As another example, the communication device may be a network device or a chip included in a network device.
When the communication apparatus is used as a unified data management network element to execute the method embodiment shown in fig. 2, the transceiver module 1110 is configured to receive an authentication service request, where the authentication service request includes a resynchronization authentication token AUTS; the processing module 1120 is configured to obtain indication information corresponding to the terminal device, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm adopted by the terminal device to calculate the AUTS; the processing module 1120 is further configured to verify the AUTS according to the first AUTS algorithm.
In one possible design, the processing module 1120 is specifically configured to obtain the indication information from a local configuration or obtain the indication information from a unified data storage network element.
In one possible design, the indication information corresponding to the terminal device is included in the subscription data of the terminal device.
When the communication apparatus is used as a unified data storage network element to execute the method embodiment shown in fig. 5, the transceiver module 1110 is configured to receive a service invocation request from the unified data management network element, where the service invocation request is used to request indication information corresponding to a terminal device, and the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm adopted by the terminal device to calculate the AUTS; the processing module 1120 is configured to send a service response message to the unified data management network element through the transceiver module 1110, where the service response message includes the indication information corresponding to the terminal device.
When the communication apparatus is used as a unified data management network element to execute the method embodiment shown in fig. 6, the transceiver module 1110 is configured to receive an authentication service request, where the authentication service request includes an encrypted resynchronization authentication token AUTS; the processing module 1120 is configured to decrypt the encrypted AUTS to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm adopted by the terminal device to calculate the AUTS; the processing module 1120 is further configured to verify the AUTS according to the first AUTS algorithm.
When the communication apparatus is used as a unified data management network element to execute the method embodiment shown in fig. 7, the transceiver module 1110 is configured to receive an authentication service request, where the authentication service request includes a resynchronization authentication token AUTS; the processing module 1120 is configured to obtain indication information corresponding to the terminal device from the AUTS, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm adopted by the terminal device to calculate the AUTS; the processing module 1120 is further configured to verify the AUTS according to the first AUTS algorithm.
In one possible design, the processing module 1120 is specifically configured to obtain the SQN_MS (the sequence number held by the mobile terminal) from the AUTS according to the first AUTS algorithm, calculate a MAC according to the SQN_MS, and, if the calculated MAC is consistent with the MAC-S obtained from the AUTS, determine that the AUTS is verified successfully.
It is to be understood that the processing module 1120 involved in the communication apparatus may be implemented by a processor or processor-related circuit components, and the transceiver module 1110 may be implemented by a transceiver or transceiver-related circuit components. The operations and/or functions of the modules in the communication apparatus are respectively for implementing the corresponding flows of the methods shown in fig. 2, fig. 5, fig. 6, or fig. 7, and are not described herein again for brevity.
Please refer to fig. 12, which is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication device 1200 may be used to implement the methods described in the above method embodiments. The communication apparatus 1200 may be a chip or a network device.
The communication apparatus 1200 includes one or more processors 1201, and the one or more processors 1201 may support the communication apparatus 1200 to implement the method of the unified data management network element or the unified data storage network element in fig. 2, fig. 5, fig. 6, or fig. 7. The processor 1201 may be a general purpose processor or a special purpose processor. For example, the processor 1201 may be a Central Processing Unit (CPU) or a baseband processor. The baseband processor may be used to process communication data, and the CPU may be used to control a communication apparatus (e.g., a network device, a terminal device, or a chip), execute a software program, and process data of the software program. The communication apparatus 1200 may further include a transceiving unit 1205 to enable input (reception) and output (transmission) of signals.
For example, the communication apparatus 1200 may be a chip, and the transceiver unit 1205 may be an input and/or output circuit of the chip, or the transceiver unit 1205 may be a communication interface of the chip, and the chip may be a component of a terminal device or a network device or other wireless communication device.
The communication device 1200 may include one or more memories 1202, on which programs 1204 are stored, and the programs 1204 may be executed by the processor 1201, and generate instructions 1203, so that the processor 1201 executes the method described in the above method embodiment according to the instructions 1203. Optionally, data may also be stored in the memory 1202. Alternatively, the processor 1201 may also read data stored in the memory 1202, the data may be stored at the same memory address as the program 1204, or the data may be stored at a different memory address from the program 1204.
The processor 1201 and the memory 1202 may be provided separately or integrated together, for example, on a single board or a System On Chip (SOC).
The communication device 1200 may also include a transceiving unit 1205, and an antenna 1206. Transceiver unit 1205 may be referred to as a transceiver, transceiver circuit, or transceiver for performing transceiver functions of the communication device via antenna 1206.
It should be understood that the steps of the above-described method embodiments may be performed by logic circuits in the form of hardware or instructions in the form of software in the processor 1201. The processor 1201 may be a CPU, Digital Signal Processor (DSP), Application Specific Integrated Circuit (ASIC), Field Programmable Gate Array (FPGA), or other programmable logic device, such as a discrete gate, transistor logic, or discrete hardware components.
Referring to fig. 13, a schematic structural diagram of another communication device provided in the embodiment of the present application is shown, where the communication device 1300 includes: a transceiver module 1310 and a processing module 1320. The communication device can be used for realizing the functions related to the terminal equipment in any of the above method embodiments. For example, the communication device may be a terminal device, such as a handheld terminal device or a vehicle-mounted terminal device; the communication device may also be a chip included in the terminal apparatus, such as a USIM card mounted in the terminal apparatus, or a device including the terminal apparatus, such as various types of vehicles and the like.
When the communication apparatus is used as a terminal device to execute the method embodiment shown in fig. 6, the processing module 1320 is configured to calculate a resynchronization authentication token AUTS and to encrypt the AUTS together with indication information corresponding to the communication apparatus to obtain an encrypted resynchronization authentication token AUTS, where the indication information corresponding to the communication apparatus is used to indicate the first AUTS algorithm adopted by the communication apparatus to calculate the AUTS; the transceiver module 1310 is configured to send the AUTS to an access management network element.
In a possible design, the processing module 1320 is further configured to generate indication information corresponding to the apparatus according to a first AUTS algorithm used for calculating the AUTS.
When the communication apparatus is used as a terminal device to execute the method embodiment shown in fig. 7, the processing module 1320 is configured to calculate a resynchronization authentication token AUTS according to indication information corresponding to the communication apparatus, where the indication information corresponding to the communication apparatus is used to indicate the first AUTS algorithm adopted by the communication apparatus to calculate the AUTS; the transceiver module 1310 is configured to send the AUTS to an access management network element.
In one possible design, the indication information corresponding to the communication device and/or the MAC-S calculated according to the indication information corresponding to the communication device are included in the AUTS.
When the communication apparatus is used as a terminal device to execute the method embodiment shown in fig. 9, the transceiver module 1310 is configured to receive a resynchronization authentication token AUTS and configuration information of a USIM card from the universal subscriber identity module (USIM) card; the processing module 1320 is configured to determine indication information according to the configuration information of the USIM card, where the indication information is used to indicate the first AUTS algorithm adopted by the USIM card to calculate the AUTS; the processing module 1320 is further configured to encrypt the AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS; the transceiver module 1310 is further configured to send the AUTS to the access management network element.
In one possible design, the configuration information includes one or more of the following:
AUTS algorithm supported by USIM card, whether USIM card supports AUTS algorithm of specific type, type information of USIM card and version information of USIM card.
When the communication apparatus executes the method embodiment shown in fig. 9 as a USIM card installed in a terminal device, the processing module 1320 is configured to calculate a resynchronization authentication token AUTS; the transceiving module 1310 is configured to send the AUTS and the configuration information of the USIM card to the terminal device.
In one possible design, the configuration information includes one or more of the following:
AUTS algorithm supported by USIM card, whether USIM card supports AUTS algorithm of specific type, type information of USIM card and version information of USIM card.
The processing module 1320 involved in the communication apparatus may be implemented by a processor or a processor-related circuit component, and the transceiver module 1310 may be implemented by a transceiver or a transceiver-related circuit component. The operations and/or functions of the modules in the communication apparatus are respectively for implementing the corresponding flows of the methods shown in fig. 6 to fig. 10, and are not described herein again for brevity.
Please refer to fig. 14, which is a schematic structural diagram of another communication device provided in the embodiment of the present application. The communication device may specifically be a terminal device. For ease of understanding and illustration, in fig. 14, the terminal device is exemplified by a mobile phone. As shown in fig. 14, the terminal device includes a processor and may further include a memory, and of course, may also include a radio frequency circuit, an antenna, an input/output device, and the like. The processor is mainly used for processing communication protocols and communication data, controlling the terminal equipment, executing software programs, processing data of the software programs and the like. The memory is used primarily for storing software programs and data. The radio frequency circuit is mainly used for converting baseband signals and radio frequency signals and processing the radio frequency signals. The antenna is mainly used for receiving and transmitting radio frequency signals in the form of electromagnetic waves. Input and output devices, such as touch screens, display screens, keyboards, etc., are used primarily for receiving data input by a user and for outputting data to the user. It should be noted that some kinds of terminal devices may not have input/output devices.
When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs baseband signals to the radio frequency circuit, and the radio frequency circuit performs radio frequency processing on the baseband signals and sends the radio frequency signals to the outside in the form of electromagnetic waves through the antenna. When data is sent to the terminal equipment, the radio frequency circuit receives radio frequency signals through the antenna, converts the radio frequency signals into baseband signals and outputs the baseband signals to the processor, and the processor converts the baseband signals into the data and processes the data. For ease of illustration, only one memory and processor are shown in FIG. 14. In an actual end device product, there may be one or more processors and one or more memories. The memory may also be referred to as a storage medium or a storage device, etc. The memory may be provided independently of the processor, or may be integrated with the processor, which is not limited in this embodiment.
In the embodiment of the present application, the antenna and the radio frequency circuit having the transceiving function may be regarded as a transceiving unit of the terminal device, and the processor having the processing function may be regarded as a processing unit of the terminal device. As shown in fig. 14, the terminal device includes a transceiving unit 1410 and a processing unit 1420. A transceiver unit may also be referred to as a transceiver, a transceiving device, etc. A processing unit may also be referred to as a processor, a processing board, a processing module, a processing device, or the like. Alternatively, a device for implementing a receiving function in the transceiving unit 1410 may be regarded as a receiving unit, and a device for implementing a transmitting function in the transceiving unit 1410 may be regarded as a transmitting unit, that is, the transceiving unit 1410 includes a receiving unit and a transmitting unit. A transceiver unit may also sometimes be referred to as a transceiver, transceiving circuitry, or the like. A receiving unit may also be referred to as a receiver, a receiving circuit, or the like. A transmitting unit may also sometimes be referred to as a transmitter, or a transmitting circuit, etc. It should be understood that the transceiving unit 1410 is configured to perform the transmitting operation and the receiving operation on the terminal device side in the above method embodiments, and the processing unit 1420 is configured to perform other operations on the terminal device in the above method embodiments besides the transceiving operation.
An embodiment of the present application further provides a chip system, including: a processor coupled to a memory for storing a program or instructions that, when executed by the processor, cause the system-on-chip to implement the method of any of the above method embodiments.
Optionally, the system on a chip may have one or more processors. The processor may be implemented by hardware or by software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory.
Optionally, the system-on-chip may also have one or more memories. The memory may be integrated with the processor or may be separate from the processor, which is not limited in this application. For example, the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or disposed separately on different chips; the type of the memory and the arrangement of the memory and the processor are not particularly limited in this application.
The system-on-chip may be, for example, a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), a system on chip (SoC), a Central Processing Unit (CPU), a Network Processor (NP), a digital signal processing circuit (DSP), a Microcontroller (MCU), a Programmable Logic Device (PLD), or other integrated chips.
It will be appreciated that the steps of the above described method embodiments may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
The embodiment of the present application further provides a computer-readable storage medium, where computer-readable instructions are stored in the computer-readable storage medium, and when the computer-readable instructions are read and executed by a computer, the computer is enabled to execute the method in any of the above method embodiments.
The embodiments of the present application further provide a computer program product, which when read and executed by a computer, causes the computer to execute the method in any of the above method embodiments.
The embodiment of the present application further provides a communication system, where the communication system includes a unified data management network element and a terminal device. Optionally, a USIM card is provided in the terminal device. Optionally, the communication system may further include one or more of an access network device, an access management network element, an authentication service function network element, and a unified data storage network element.
It should be understood that the processor mentioned in the embodiments of the present application may be a Central Processing Unit (CPU), and may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will also be appreciated that the memory referred to in the embodiments of the application may be a volatile memory or a non-volatile memory, or may include both a volatile memory and a non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example but not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, the memory (memory module) is integrated in the processor.
It should be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above processes do not imply an execution order; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (34)

1. A communication method, comprising:
receiving, by a unified data management network element, an authentication service request, wherein the authentication service request comprises a resynchronization authentication token AUTS;
obtaining, by the unified data management network element, indication information corresponding to a terminal device, wherein the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS; and
verifying, by the unified data management network element, the AUTS according to the first AUTS algorithm.
2. The method according to claim 1, wherein the obtaining, by the unified data management network element, of the indication information corresponding to the terminal device comprises:
obtaining, by the unified data management network element, the indication information from local configuration, or obtaining the indication information from a unified data storage network element.
3. The method according to claim 1 or 2, wherein the indication information is included in subscription data of the terminal device.
4. A communication method, comprising:
receiving, by a unified data storage network element, a service invocation request from a unified data management network element, wherein the service invocation request is used to request indication information corresponding to a terminal device, and the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate an AUTS; and
sending, by the unified data storage network element, a service response message to the unified data management network element, wherein the service response message comprises the indication information corresponding to the terminal device.
5. A communication method, comprising:
receiving, by a unified data management network element, an authentication service request, wherein the authentication service request comprises an encrypted resynchronization authentication token AUTS;
decrypting, by the unified data management network element, the encrypted AUTS to obtain a resynchronization authentication token AUTS and indication information corresponding to a terminal device, wherein the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS; and
verifying, by the unified data management network element, the AUTS according to the first AUTS algorithm.
6. A communication method, comprising:
calculating, by a terminal device, a resynchronization authentication token AUTS, and encrypting the AUTS and indication information corresponding to the terminal device to obtain an encrypted resynchronization authentication token AUTS, wherein the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS; and
sending, by the terminal device, the encrypted AUTS to an access management network element.
7. The method according to claim 6, further comprising:
generating, by the terminal device, the indication information corresponding to the terminal device according to the first AUTS algorithm used to calculate the AUTS.
8. A communication method, comprising:
receiving, by a unified data management network element, an authentication service request, wherein the authentication service request comprises a resynchronization authentication token AUTS;
obtaining, by the unified data management network element, indication information corresponding to a terminal device from the AUTS, wherein the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS; and
verifying, by the unified data management network element, the AUTS according to the first AUTS algorithm.
9. The method according to claim 8, wherein the verifying, by the unified data management network element, of the AUTS according to the first AUTS algorithm comprises:
obtaining, by the unified data management network element, a mobile station sequence number SQN_MS from the AUTS according to the first AUTS algorithm; and
calculating a MAC according to the SQN_MS, and if the MAC is consistent with the MAC-S obtained from the AUTS, determining, by the unified data management network element, that the AUTS is verified successfully.
10. A communication method, comprising:
calculating, by a terminal device, a resynchronization authentication token AUTS according to indication information corresponding to the terminal device, wherein the indication information is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS; and
sending, by the terminal device, the AUTS to an access management network element.
11. The method according to claim 10, wherein the AUTS comprises the indication information corresponding to the terminal device and/or a MAC-S calculated according to the indication information.
12. A communication method, comprising:
receiving, by a terminal device, a resynchronization authentication token AUTS and configuration information of a USIM card from the USIM card;
determining, by the terminal device, indication information according to the configuration information of the USIM card, wherein the indication information is used to indicate a first AUTS algorithm used by the USIM card to calculate the AUTS;
encrypting, by the terminal device, the AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS; and
sending, by the terminal device, the encrypted AUTS.
13. The method according to claim 12, wherein the configuration information comprises one or more of the following:
the AUTS algorithms supported by the USIM card, whether the USIM card supports an AUTS algorithm of a specific type, type information of the USIM card, and version information of the USIM card.
14. A communication method, comprising:
calculating, by a universal subscriber identity module (USIM) card, a resynchronization authentication token AUTS; and
sending, by the USIM card, the AUTS and configuration information of the USIM card to a terminal device.
15. The method according to claim 14, wherein the configuration information comprises one or more of the following:
the AUTS algorithms supported by the USIM card, whether the USIM card supports an AUTS algorithm of a specific type, type information of the USIM card, and version information of the USIM card.
16. A communication apparatus, comprising:
a transceiver module, configured to receive an authentication service request, wherein the authentication service request comprises a resynchronization authentication token AUTS; and
a processing module, configured to obtain indication information corresponding to a terminal device, wherein the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS;
wherein the processing module is further configured to verify the AUTS according to the first AUTS algorithm.
17. The apparatus according to claim 16, wherein the processing module is specifically configured to:
obtain the indication information from local configuration, or obtain the indication information from a unified data storage network element.
18. The apparatus according to claim 16 or 17, wherein the indication information is included in subscription data of the terminal device.
19. A communication apparatus, comprising:
a transceiver module, configured to receive a service invocation request from a unified data management network element, wherein the service invocation request is used to request indication information corresponding to a terminal device, and the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate an AUTS; and
a processing module, configured to send a service response message to the unified data management network element through the transceiver module, wherein the service response message comprises the indication information corresponding to the terminal device.
20. A communication apparatus, comprising:
a transceiver module, configured to receive an authentication service request, wherein the authentication service request comprises an encrypted resynchronization authentication token AUTS; and
a processing module, configured to decrypt the encrypted AUTS to obtain a resynchronization authentication token AUTS and indication information corresponding to a terminal device, wherein the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS;
wherein the processing module is further configured to verify the AUTS according to the first AUTS algorithm.
21. A communication apparatus, comprising:
a processing module, configured to calculate a resynchronization authentication token AUTS, and to encrypt the AUTS and indication information corresponding to the apparatus to obtain an encrypted resynchronization authentication token AUTS, wherein the indication information corresponding to the apparatus is used to indicate a first AUTS algorithm used by the apparatus to calculate the AUTS; and
a transceiver module, configured to send the encrypted AUTS to an access management network element.
22. The apparatus according to claim 21, wherein the processing module is further configured to:
generate the indication information corresponding to the apparatus according to the first AUTS algorithm used to calculate the AUTS.
23. A communication apparatus, comprising:
a transceiver module, configured to receive an authentication service request, wherein the authentication service request comprises a resynchronization authentication token AUTS; and
a processing module, configured to obtain indication information corresponding to a terminal device from the AUTS, wherein the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS;
wherein the processing module is further configured to verify the AUTS according to the first AUTS algorithm.
24. The apparatus according to claim 23, wherein the processing module is specifically configured to:
obtain a mobile station sequence number SQN_MS from the AUTS according to the first AUTS algorithm, and calculate a MAC according to the SQN_MS; and
if the MAC is consistent with the MAC-S obtained from the AUTS, determine that the AUTS is verified successfully.
25. A communication apparatus, comprising:
a processing module, configured to calculate a resynchronization authentication token AUTS according to indication information corresponding to the apparatus, wherein the indication information is used to indicate a first AUTS algorithm used by the apparatus to calculate the AUTS; and
a transceiver module, configured to send the AUTS to an access management network element.
26. The apparatus according to claim 25, wherein the AUTS comprises the indication information corresponding to the apparatus and/or a MAC-S calculated according to the indication information.
27. A communication apparatus, comprising:
a transceiver module, configured to receive a resynchronization authentication token AUTS and configuration information of a universal subscriber identity module (USIM) card from the USIM card; and
a processing module, configured to determine indication information according to the configuration information of the USIM card, wherein the indication information is used to indicate a first AUTS algorithm used by the USIM card to calculate the AUTS;
wherein the processing module is further configured to encrypt the AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS; and
the transceiver module is further configured to send the encrypted AUTS to an access management network element.
28. The apparatus according to claim 27, wherein the configuration information comprises one or more of the following:
the AUTS algorithms supported by the USIM card, whether the USIM card supports an AUTS algorithm of a specific type, type information of the USIM card, and version information of the USIM card.
29. A communication apparatus, comprising:
a processing module, configured to calculate a resynchronization authentication token AUTS; and
a transceiver module, configured to send the AUTS and configuration information of the apparatus to a terminal device.
30. The apparatus according to claim 29, wherein the configuration information comprises one or more of the following:
the AUTS algorithms supported by the apparatus, whether the apparatus supports an AUTS algorithm of a specific type, type information of the apparatus, and version information of the apparatus.
31. A communication apparatus, comprising at least one processor coupled to at least one memory, wherein:
the at least one processor is configured to execute a computer program or instructions stored in the at least one memory, to cause the apparatus to perform the method according to any one of claims 1 to 3, or to cause the apparatus to perform the method according to claim 4, or to cause the apparatus to perform the method according to claim 5, or to cause the apparatus to perform the method according to any one of claims 6 to 7, or to cause the apparatus to perform the method according to any one of claims 8 to 9, or to cause the apparatus to perform the method according to any one of claims 10 to 11, or to cause the apparatus to perform the method according to any one of claims 12 to 13, or to cause the apparatus to perform the method according to any one of claims 14 to 15.
32. A computer-readable storage medium storing instructions that, when executed, cause the method according to any one of claims 1 to 3 to be implemented, or cause the method according to claim 4 to be implemented, or cause the method according to claim 5 to be implemented, or cause the method according to any one of claims 6 to 7 to be implemented, or cause the method according to any one of claims 8 to 9 to be implemented, or cause the method according to any one of claims 10 to 11 to be implemented, or cause the method according to any one of claims 12 to 13 to be implemented, or cause the method according to any one of claims 14 to 15 to be implemented.
33. A communication apparatus, comprising a processor and an interface circuit, wherein:
the interface circuit is configured to transfer code instructions to the processor; and
the processor is configured to execute the code instructions to perform the method according to any one of claims 1 to 3, or the processor is configured to execute the code instructions to perform the method according to claim 4, or the processor is configured to execute the code instructions to perform the method according to claim 5, or the processor is configured to execute the code instructions to perform the method according to any one of claims 6 to 7, or the processor is configured to execute the code instructions to perform the method according to any one of claims 8 to 9, or the processor is configured to execute the code instructions to perform the method according to any one of claims 10 to 11, or the processor is configured to execute the code instructions to perform the method according to any one of claims 12 to 13, or the processor is configured to execute the code instructions to perform the method according to any one of claims 14 to 15.
34. A computer program product, which, when read and executed by a computer, causes the computer to perform the method of any one of claims 1 to 3, or to perform the method of claim 4, or to perform the method of claim 5, or to perform the method of any one of claims 6 to 7, or to perform the method of any one of claims 8 to 9, or to perform the method of any one of claims 10 to 11, or to perform the method of any one of claims 12 to 13, or to perform the method of any one of claims 14 to 15.
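The exchange that claims 1, 2 and 8 to 11 describe, as an added worked example that is not part of the patent and not code from any 3GPP implementation: a USIM computes the AUTS with one of two registered AUTS algorithms, the terminal carries the indication information (here a one-byte algorithm identifier) with the token, and the UDM selects its verification routine from that indication, falling back to the subscription data (local configuration or a UDR lookup, as in claim 2) when the request carries none. Algorithm 0 follows the TS 33.102 layout, AUTS = Conc(SQN_MS) || MAC-S with Conc(SQN_MS) = SQN_MS XOR f5*(K, RAND) and AMF* set to all zeros; algorithm 1 is a hypothetical variant invented for this example, not a construction taken from the patent or from TR 33.846. The f1*/f5* functions are stood in by HMAC-SHA256 so the block runs without a Milenage implementation, the key, RAND and SQN_MS values are constructed test data, and the names `terminal_resync_request`, `udm_check_auts`, `AUTS_ALGORITHMS` and the request field `auts_alg` are assumptions of this example.

```python
import hashlib
import hmac

SQN_LEN, MAC_LEN = 6, 8
AMF_RESYNC = b"\x00\x00"   # AMF* is all zeros in the resynchronization token (TS 33.102)


def _prf(k: bytes, label: bytes, *parts: bytes) -> bytes:
    """ASSUMPTION: HMAC-SHA256 stands in for the USIM's keyed functions (Milenage/TUAK)."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def f1_star(k, sqn, rand, amf):
    return _prf(k, b"f1*", sqn, rand, amf)[:MAC_LEN]        # MAC-S


def f5_star(k, *parts):
    return _prf(k, b"f5*", *parts)[:SQN_LEN]                # AK*, the anonymity key


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# AUTS algorithm 0: the TS 33.102 construction.
#   AUTS = (SQN_MS xor f5*(K, RAND)) || MAC-S,   MAC-S = f1*(K, SQN_MS || RAND || AMF*)
def alg0_build(k, sqn_ms, rand):
    mac_s = f1_star(k, sqn_ms, rand, AMF_RESYNC)
    return _xor(sqn_ms, f5_star(k, rand)) + mac_s


def alg0_verify(k, rand, auts):
    conc, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    sqn_ms = _xor(conc, f5_star(k, rand))
    return hmac.compare_digest(mac_s, f1_star(k, sqn_ms, rand, AMF_RESYNC)), sqn_ms


# AUTS algorithm 1: a HYPOTHETICAL variant made up for this example (not from the
# patent). The concealment key is also bound to MAC-S, so the UDM must read MAC-S
# first and derive a different AK* than algorithm 0 would.
def alg1_build(k, sqn_ms, rand):
    mac_s = f1_star(k, sqn_ms, rand, AMF_RESYNC)
    return _xor(sqn_ms, f5_star(k, rand, mac_s)) + mac_s


def alg1_verify(k, rand, auts):
    conc, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    sqn_ms = _xor(conc, f5_star(k, rand, mac_s))
    return hmac.compare_digest(mac_s, f1_star(k, sqn_ms, rand, AMF_RESYNC)), sqn_ms


# Registry keyed by the indication information (assumed here to be a small integer id).
AUTS_ALGORITHMS = {0: (alg0_build, alg0_verify), 1: (alg1_build, alg1_verify)}


def terminal_resync_request(usim, supi, rand):
    """USIM side: compute AUTS with the configured algorithm; the terminal attaches the
    indication information (the algorithm id) to the request sent towards the network."""
    build, _ = AUTS_ALGORITHMS[usim["auts_alg"]]
    return {"supi": supi, "rand": rand,
            "auts": build(usim["k"], usim["sqn_ms"], rand),
            "auts_alg": usim["auts_alg"]}


def udm_check_auts(request, subscription):
    """UDM side: choose the verification routine from the indication in the request,
    falling back to the subscription data. Returns (verified, SQN_MS); an unknown
    algorithm id is treated as a verification failure, never as 'use the default'."""
    alg_id = request.get("auts_alg", subscription.get("auts_alg"))
    if alg_id not in AUTS_ALGORITHMS:
        return False, None
    _, verify = AUTS_ALGORITHMS[alg_id]
    return verify(subscription["k"], request["rand"], request["auts"])


def demo():
    # Constructed test vectors: long-term key K, the USIM's SQN_MS and a network RAND.
    k = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
    rand = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")
    sqn_ms = bytes.fromhex("000000000021")
    usim = {"k": k, "sqn_ms": sqn_ms, "auts_alg": 1}       # USIM that uses the variant
    subscription = {"k": k, "auts_alg": 1}                  # what the UDM holds for the SUPI

    req = terminal_resync_request(usim, "imsi-001010123456789", rand)
    ok_with_indication, recovered_sqn = udm_check_auts(req, subscription)

    # Failure mode the indication prevents: a UDM that assumes algorithm 0 rejects
    # a genuine token, and the resynchronization never completes.
    ok_wrong_algorithm, _ = alg0_verify(k, rand, req["auts"])
    return ok_with_indication, recovered_sqn, ok_wrong_algorithm


if __name__ == "__main__":
    print(demo())   # (True, b'\x00\x00\x00\x00\x00!', False)
```

Running the block verifies the token under the indicated algorithm and recovers SQN_MS, and shows why the UDM needs the indication at all: the same token fails MAC-S verification under the wrong algorithm, so a UDM that silently assumes one construction leaves the subscriber unable to resynchronize. An indication carried in the clear is only a selector: an on-path change to it makes the MAC-S check fail (a denial of resynchronization) but does not let anyone forge a token, since MAC-S is still computed under K. Binding the indication into MAC-S (claim 11) or encrypting it together with the AUTS (claims 5 to 7 and 12) is what stops the selector itself from being altered without detection.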

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010103830.2A CN113285805B (en) 2020-02-20 2020-02-20 Communication method and device
PCT/CN2020/122866 WO2021164291A1 (en) 2020-02-20 2020-10-22 Communication method and apparatus

Publications (2)

Publication Number Publication Date
CN113285805A true CN113285805A (en) 2021-08-20
CN113285805B CN113285805B (en) 2022-08-26

Family

ID=77274991

Country Status (2)

Country Link
CN (1) CN113285805B (en)
WO (1) WO2021164291A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101123778A (en) * 2007-09-29 2008-02-13 大唐微电子技术有限公司 Network access authentication method and its USIM card
US20090267730A1 (en) * 2002-10-11 2009-10-29 Verizon Laboratories Inc. Robust Authentication and Key Agreement Protocol for Net-Generation Wireless networks
JP2014112813A (en) * 2012-10-31 2014-06-19 Ntt Docomo Inc Status change notification method, subscriber authentication device, status change detection device and mobile communication system

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
CN101448263B (en) * 2008-12-16 2011-04-06 华为技术有限公司 Method for implementing authentication resynchronization and network device
US9451455B2 (en) * 2012-06-11 2016-09-20 Blackberry Limited Enabling multiple authentication applications

Non-Patent Citations (2)

Title
N1-042049, "Corrections and clarifications to clause 4 and example flows", 3GPP TSG_CN\WG1_MM-CC-SM *
3GPP TR 33.846 V0.5.0, "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on authentication enhancements in 5G System (Release 16)", 3GPP *

Also Published As

Publication number Publication date
WO2021164291A1 (en) 2021-08-26
CN113285805B (en) 2022-08-26

Similar Documents

Publication Publication Date Title
US10986083B2 (en) Hardware identification-based security authentication service for IoT devices
US11909870B2 (en) ECDHE key exchange for mutual authentication using a key server
CN113225176B (en) Key obtaining method and device
US9706408B2 (en) Authentication in secure user plane location (SUPL) systems
CN109413645B (en) Method and device for access authentication
EP3668042B1 (en) Registration method and apparatus based on service-oriented architecture
CN114268943B (en) Authorization method and device
CN109788480B (en) Communication method and device
CN112994873B (en) Certificate application method and equipment
WO2018205148A1 (en) Data packet checking method and device
US20210377051A1 (en) Method of establishing a future 2-way authentication between a client application and an application server
CN111836260B (en) Authentication information processing method, terminal and network equipment
EP3471365A1 (en) Key acquisition method and apparatus
CN113285805B (en) Communication method and device
CN115942305A (en) Session establishment method and related device
WO2016176902A1 (en) Terminal authentication method, management terminal and application terminal
US20220256349A1 (en) Provision of Application Level Identity
KR101960583B1 (en) Method for issuing a certificate
CN111465007A (en) Authentication method, device and system
US11974131B2 (en) Systems and methods for seamless cross-application authentication
WO2024137758A1 (en) System and method for secure ranging service
CN116419229A (en) Communication method integrating trusted metrics
CN118540697A (en) Communication method and communication device
WO2023223118A1 (en) Subscription identification in networks
JP2023527534A (en) Key acquisition method and related equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant