CN114025352A - Authentication method and device for terminal equipment - Google Patents


Publication number
CN114025352A
Authority
CN
China
Prior art keywords
terminal device
response
authentication
key
network element
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010693625.6A
Other languages
Chinese (zh)
Inventor
郝金平
晋英豪
王艺
胡国杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the application discloses an authentication method and an authentication device for terminal equipment, which are used for enabling a network to authenticate a terminal device that has no access capability or does not access the network, and for ensuring the security of the air interface signaling exchanged between the terminal device and the network. The method in the embodiment of the application comprises the following steps: a first core network device receives a first message sent by a first terminal device, where the first message carries an identifier of a second terminal device, a random number RAND and a response RES, and the random number RAND and the response RES are generated by the second terminal device; the first core network device sends a first request message to an authentication server function (AUSF) network element, where the first request message is used to request that authentication be performed for the second terminal device and carries the identifier of the second terminal device, the random number RAND and the response RES; and the first core network device receives a first authentication response sent by the AUSF network element, where the first authentication response indicates that the authentication of the second terminal device has succeeded.

Description

Authentication method and device for terminal equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to an authentication method and an authentication device for a terminal device.
Background
At present, when a terminal device accesses a 5G network and registers for the first time, it needs to go through the access and authentication procedures. Once the terminal device has authenticated successfully and entered the connected state, it can communicate with the network; for example, it can feed back positioning information so that the network can determine its position.
However, a terminal device without access capability lacks the Radio Resource Control (RRC) protocol layer that normal network access requires, so it cannot complete the authentication procedure; and a terminal device that does not need to access the network, for example one that stays in the RRC idle state for a long time, likewise cannot complete the authentication procedure. How the network can authenticate a terminal device without access capability, or one that does not access the network, is therefore a problem that urgently needs solving.
Disclosure of Invention
The embodiment of the application provides an authentication method and an authentication device for terminal equipment, which are used for enabling a network to authenticate a second terminal device while the second terminal device does not access the network (including the case that the second terminal device has no access capability and the case that the second terminal device does not need to access the network).
A first aspect of an embodiment of the present application provides a communication method, where the method includes:
a first core network device receives a first message sent by a first terminal device, where the first message carries an identifier of a second terminal device, a random number (RAND), and a Response (RES), and the RAND and the response RES are generated by the second terminal device; then, the first core network device sends a first request message to an authentication service function (AUSF) network element, where the first request message is used to request to perform authentication for the second terminal device, and the first request message carries an identifier of the second terminal device, the random number RAND, and a response RES; and the first core network equipment receives a first authentication response sent by the AUSF network element, and the first authentication response is used for indicating that the authentication of the second terminal equipment is successful.
In this embodiment, an auxiliary terminal device (i.e., a first terminal device) obtains an identifier of a second terminal device and authentication information (for example, the authentication information includes a random number RAND and a response RES) of the second terminal device, and a first core network device receives the identifier of the second terminal device and the authentication information of the second terminal device, which are sent by the auxiliary terminal device, and sends the identifier of the second terminal device and the authentication information of the second terminal device to an AUSF network element, so as to implement authentication of the second terminal device by the AUSF network element. Therefore, according to the technical solution of this embodiment, the network authenticates the second terminal device when the second terminal device does not access the network (including the case that the second terminal device does not have access capability or the case that the second terminal device does not need to access the network).
In one possible implementation, the first message further includes at least one of: a key set identifier in 5G (ngKSI), an anti-bidding down between architectures (ABBA) parameter, an encryption algorithm, or an integrity algorithm; the encryption algorithm is the algorithm used for ciphering the data of the second terminal device, and the integrity algorithm is the algorithm used for integrity protection of that data.
In this embodiment, the first message further carries the parameters, so that after the authentication of the second terminal device is successful subsequently, the second terminal device and the radio access network device may negotiate an encryption algorithm and an integrity algorithm for encrypting data of the second terminal device, so as to ensure the security of an air interface signaling interacted between the second terminal device and the radio access network device.
In another possible implementation, the first authentication response carries a third key K_SEAF, and the method further comprises: the first core network device generating a fourth key K_AMF according to the third key K_SEAF.
In this possible implementation, when the authentication of the second terminal device succeeds, the AUSF network element sends the first authentication response to the first core network device, so that the first core network device can generate the fourth key K_AMF from the third key K_SEAF carried in the first authentication response, from which the signaling keys that the second terminal device subsequently needs for interaction with the radio access network device can be derived.
In another possible implementation, the first authentication response further carries a hash expected response (HXRES), and the first core network device generating the fourth key K_AMF according to the third key K_SEAF comprises: the first core network device calculating a hash response (HRES) according to the response RES and the random number RAND; the first core network device verifying the hash response HRES against the hash expected response HXRES; and, when the verification passes, the first core network device generating the fourth key K_AMF according to the third key K_SEAF.
In this possible implementation, before generating the fourth key K_AMF, the first core network device additionally checks the hash response HRES against the hash expected response HXRES, which improves the reliability and security of the authentication of the second terminal device.
In another possible implementation manner, the method further includes: and the first core network equipment sends the authentication result of the second terminal equipment to the first terminal equipment.
In this possible implementation manner, the first core network device feeds back the authentication result of the second terminal device to the first terminal device to notify the first terminal device of the authentication result of the second terminal device. For example, when the authentication of the second terminal device fails, the first terminal device may send the authentication result of the second terminal device to the first core network device again.
In another possible implementation, the method further comprises: the first core network device sending a location service request to a location management function (LMF) network element, where the location service request carries the identifier of the second terminal device, an encryption algorithm and a first key K_gNB; and the first core network device receiving a location service response sent by the LMF network element, where the location service response carries the positioning result of the second terminal device.
In this possible implementation, when initiating the location service through the LMF network element, the first core network device sends the identifier of the second terminal device, the encryption algorithm and the first key K_gNB to the LMF network element, so that the LMF network element can deliver the encryption algorithm and the first key K_gNB to the radio access network device in the measurement request message. This establishes the encryption algorithm and key shared between the second terminal device and the radio access network device, and so secures the air interface signaling exchanged between them.
In another possible implementation, the location service request further carries at least one of the following: the integrity algorithm, or the key set identifier ngKSI.
Authentication information of the terminal device to request the network to perform authentication again for the second terminal device.
A second aspect of the embodiments of the present application provides a communication method, including:
the first terminal equipment acquires the identification of the second terminal equipment, a random number RAND and a response RES, wherein the random number RAND and the response RES are generated by the second terminal equipment; then, the first terminal device sends a first message to the first core network device, where the first message carries the identifier of the second terminal device, the random number RAND, and the response RES.
In this embodiment, the auxiliary terminal device (i.e. the first terminal device) obtains the identifier of the second terminal device and the authentication information (e.g. the authentication information includes the random number RAND and the response RES) of the second terminal device. The auxiliary terminal device sends the identifier of the second terminal device and the authentication information of the second terminal device to the first core network device, so as to realize the authentication of the second terminal device by the network. Therefore, the authentication of the second terminal equipment by the network is realized under the condition that the second terminal equipment does not access the network (including the condition that the second terminal equipment does not have the access capability or the condition that the second terminal equipment does not need to access the network).
In one possible implementation, the first message further includes at least one of: the key set identifier ngKSI, the anti-bidding down between architectures (ABBA) parameter, an encryption algorithm or an integrity algorithm; the encryption algorithm is the algorithm used for ciphering the data of the second terminal device, and the integrity algorithm is the algorithm used for integrity protection of that data.
In this embodiment, the first message further carries the parameters, so that after the authentication of the second terminal device is successful subsequently, the second terminal device and the radio access network device may negotiate an encryption algorithm and an integrity algorithm for encrypting data of the second terminal device, so as to ensure the security of an air interface signaling interacted between the second terminal device and the radio access network device.
In another possible implementation manner, the method further includes: and the first terminal equipment receives the authentication result of the second terminal equipment sent by the first core network equipment.
In this possible implementation manner, the first terminal device receives the authentication result of the second terminal device fed back by the first core network device. Thus, when the authentication of the second terminal device fails, the first terminal device may send the authentication information of the first terminal device again to request the network to perform authentication for the second terminal device again.
A third aspect of the embodiments of the present application provides a communication method, including:
an AUSF network element receives a first request message sent by a first core network device, where the first request message carries an identifier of a second terminal device, a random number RAND and a response RES, and the random number RAND and the response RES are generated by the second terminal device; the AUSF network element then sends a second request message to a unified data management (UDM) network element, where the second request message requests the authentication parameters of the second terminal device and carries the identifier of the second terminal device and the random number RAND; the AUSF network element receives the authentication parameters sent by the UDM network element, which include an expected response XRES that the UDM network element generated from the random number RAND; and the AUSF network element verifies the response RES against the expected response XRES and, when the verification passes, sends a first authentication response to the first core network device indicating that the authentication of the second terminal device has succeeded.
In this embodiment, the AUSF network element receives the identifier of the second terminal device, the random number RAND, and the response RES, and then, the AUSF network element requests the UDM network element for an authentication parameter, so that the AUSF network element implements authentication on the second terminal device through the authentication parameter. Therefore, the authentication of the second terminal equipment by the network is realized under the condition that the second terminal equipment does not access the network (including the condition that the second terminal equipment does not have the access capability or the condition that the second terminal equipment does not need to access the network).
In one possible implementation, after the AUSF network element verifies the response RES and the expected response XRES, before the AUSF network element sends the first authentication response to the first core network device, the method further includes: the AUSF network element generates a Hash expected response HXRES according to the expected response XRES and the random number RAND; the AUSF network element sends a first authentication response to the first core network device, including: and the AUSF network element sends a first authentication response to the first core network device, wherein the first authentication response carries the hash expected response HXRES.
In this possible implementation manner, the AUSF network element generates a hash expected response HXRES through the expected response XRES and sends the hash expected response HXRES to the first core network device, so that the first core network device further authenticates the second terminal device, and the security and reliability of authentication of the second terminal device are improved.
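The first and third aspects above describe one authentication exchange seen from the first core network device and from the AUSF respectively. The following added example, which is not code from the patent or from Huawei, plays that exchange end to end in Python with every network function as an in-process function: the second terminal device generates RAND and RES, the first terminal device relays them unchanged, the UDM recomputes XRES from the same RAND, the AUSF compares RES with XRES and returns K_SEAF and HXRES, and the first core network device checks HRES against HXRES before deriving K_AMF. The long-term key, the identifier and the key labels are constructed; MILENAGE f2 and the 3GPP KDF are replaced by HMAC-SHA256 stand-ins; HXRES is built the way 5G AKA builds HXRES*, as the leftmost 128 bits of SHA-256(RAND || XRES). Because RAND is produced by the device rather than by the network, the example also refuses an (identifier, RAND) pair it has processed before; that check is added here and is not described on the page.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed long-term key shared by the second terminal device and the UDM
# (held in the USIM and the ARPF in a real network). Assumption for the example.
SUPI_UE2 = "imsi-460001234567890"
LONG_TERM_KEYS = {SUPI_UE2: bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")}

# (identifier, RAND) pairs the first core network device has already processed.
# Replay rejection is an addition of this example; the page does not specify it.
SEEN_RANDS: set = set()


def f2(key: bytes, rand: bytes) -> bytes:
    """Response function shared by the USIM and the UDM. MILENAGE f2 in a
    real network; HMAC-SHA256 truncated to 8 bytes stands in for it here."""
    return hmac.new(key, rand, hashlib.sha256).digest()[:8]


def kdf(key: bytes, label: bytes) -> bytes:
    """Stand-in for the 3GPP KDF: HMAC-SHA256 of a label under the parent key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def hxres(rand: bytes, xres: bytes) -> bytes:
    """HXRES = leftmost 128 bits of SHA-256(RAND || XRES), the construction
    5G AKA uses for HXRES* (TS 33.501 Annex A.5)."""
    return hashlib.sha256(rand + xres).digest()[:16]


# --- second terminal device: generates RAND and RES, never attaches itself ----
def ue2_build_auth_info(supi: str) -> dict:
    rand = secrets.token_bytes(16)
    return {"id": supi, "RAND": rand, "RES": f2(LONG_TERM_KEYS[supi], rand)}


# --- UDM: computes XRES from the device-supplied RAND ------------------------
def udm_get_auth_params(supi: str, rand: bytes) -> Optional[dict]:
    key = LONG_TERM_KEYS.get(supi)
    if key is None:
        return None
    return {"XRES": f2(key, rand), "K_AUSF": kdf(key, b"K_AUSF" + rand)}


# --- AUSF: verifies RES against XRES, returns K_SEAF and HXRES ----------------
def ausf_authenticate(first_request: dict) -> Optional[dict]:
    params = udm_get_auth_params(first_request["id"], first_request["RAND"])
    if params is None or not hmac.compare_digest(params["XRES"], first_request["RES"]):
        return None
    return {
        "K_SEAF": kdf(params["K_AUSF"], b"K_SEAF"),
        "HXRES": hxres(first_request["RAND"], params["XRES"]),
    }


# --- first core network device (AMF/SEAF): relays the first message to the
#     AUSF, checks HRES against HXRES, then derives K_AMF from K_SEAF ----------
def amf_handle_first_message(first_message: dict) -> dict:
    replay_key = (first_message["id"], first_message["RAND"])
    if replay_key in SEEN_RANDS:
        return {"result": "failure", "reason": "RAND already used"}
    SEEN_RANDS.add(replay_key)

    auth_resp = ausf_authenticate(first_message)
    if auth_resp is None:
        return {"result": "failure", "reason": "RES mismatch"}

    hres = hashlib.sha256(first_message["RAND"] + first_message["RES"]).digest()[:16]
    if not hmac.compare_digest(hres, auth_resp["HXRES"]):
        return {"result": "failure", "reason": "HRES mismatch"}

    k_amf = kdf(auth_resp["K_SEAF"], b"K_AMF" + first_message["id"].encode())
    return {"result": "success", "K_AMF": k_amf}


if __name__ == "__main__":
    # The first terminal device only relays what the second one produced.
    first_message = ue2_build_auth_info(SUPI_UE2)
    print(amf_handle_first_message(first_message)["result"])   # success
    print(amf_handle_first_message(first_message)["reason"])   # RAND already used
```

Running the file prints a success followed by the replay rejection. Both the RES/XRES and the HRES/HXRES comparisons go through hmac.compare_digest so that comparison time does not reveal how many leading bytes matched.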
A fourth aspect of the embodiments of the present application provides a communication method, including:
a radio access network device receives a measurement request message sent by an LMF network element, where the measurement request message carries an encryption algorithm and a first key K_gNB; the radio access network device calculates a second key according to the first key K_gNB; the radio access network device decrypts the data of the second terminal device according to the second key and the encryption algorithm; and the radio access network device sends a measurement response message to the LMF network element, where the measurement response message carries the positioning measurement quantity of the second terminal device.
In a possible implementation, the radio access network device may calculate the second key from the first key K_gNB, decrypt the data of the second terminal device with the second key and the encryption algorithm, and measure the sounding reference signal (SRS) sent by the second terminal device to obtain its positioning measurement quantity, which the LMF network element then uses to locate the second terminal device. Because the auxiliary terminal device has reported the encryption algorithm, the integrity algorithm and so on selected for the second terminal device, the radio access network device can correctly receive the encrypted data that the second terminal device sends, and the encrypted transmission secures the air interface signaling exchanged between the second terminal device and the radio access network device.
In a possible implementation manner, the measurement request message further carries at least one of the following: integrity algorithm, or, key set identification ngKSI; wherein, the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In this possible implementation, the measurement request message also carries an integrity algorithm or a key set identifier ngKSI, so that the radio access network device may determine an algorithm for integrity protection of the data of the second terminal device.
In another possible implementation, the method further comprises: the radio access network device calculating an integrity key according to the first key K_gNB; and then the radio access network device performing integrity verification on the data of the second terminal device according to the integrity key and the integrity algorithm.
In this possible implementation, the radio access network device further calculates an integrity key for integrity verification of data of the second terminal device.
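The fourth aspect has the radio access network device derive a second (ciphering) key and an integrity key from K_gNB and the algorithm identities delivered in the measurement request, then decipher and integrity-check the second terminal device's data. The added example below, again not the patent's or Huawei's code, shows that derivation together with the sending and receiving sides in Python. The derivation follows the shape of the 3GPP algorithm key derivation in TS 33.501 Annex A.8 (FC 0x69, an algorithm type distinguisher and the algorithm identity, keeping the 128 least significant bits of the output); the data is treated as user-plane data, which is an assumption. The NEA/NIA ciphers and MACs are not in the Python standard library, so an HMAC-SHA256 counter keystream and a 32-bit HMAC tag stand in for them, keyed with COUNT, BEARER and DIRECTION as the real algorithms are. How the second terminal device obtains the matching key from the broadcast public key of the sixth and seventh aspects is not spelled out on the page, so the example assumes both sides already hold the same K_gNB.

```python
import hashlib
import hmac
import struct
from typing import Optional

# FC value and algorithm type distinguishers of the 3GPP algorithm key
# derivation (TS 33.501 Annex A.8). User-plane distinguishers are used here
# because the example treats the protected data as user-plane data (assumption).
FC_ALG_KEY = 0x69
ALG_TYPE_UP_ENC = 0x05
ALG_TYPE_UP_INT = 0x06
UPLINK = 0


def kdf_3gpp(key: bytes, fc: int, params: list) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def algorithm_key(k_gnb: bytes, alg_type: int, alg_id: int) -> bytes:
    """Second key (ciphering) or integrity key: the 128 least significant bits
    of the KDF output, bound to both the algorithm type and its identity."""
    return kdf_3gpp(k_gnb, FC_ALG_KEY, [bytes([alg_type]), bytes([alg_id])])[-16:]


def keystream(key: bytes, count: int, bearer: int, direction: int, n: int) -> bytes:
    """Stand-in for NEA1/2/3 (SNOW 3G, AES-CTR, ZUC): an HMAC-SHA256 counter
    keystream seeded with COUNT, BEARER and DIRECTION like the real ciphers."""
    iv = struct.pack(">IBB", count, bearer, direction)
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def cipher(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call enciphers and deciphers."""
    ks = keystream(key, count, bearer, direction, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def mac_i(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Stand-in for NIA1/2/3: 32-bit MAC-I over COUNT, BEARER, DIRECTION and data."""
    header = struct.pack(">IBB", count, bearer, direction)
    return hmac.new(key, header + data, hashlib.sha256).digest()[:4]


def ue2_protect(k_gnb: bytes, enc_id: int, int_id: int, count: int,
                bearer: int, plaintext: bytes) -> bytes:
    """Second terminal device: compute MAC-I over the data, then cipher
    data || MAC-I, the order PDCP applies."""
    k_enc = algorithm_key(k_gnb, ALG_TYPE_UP_ENC, enc_id)
    k_int = algorithm_key(k_gnb, ALG_TYPE_UP_INT, int_id)
    tag = mac_i(k_int, count, bearer, UPLINK, plaintext)
    return cipher(k_enc, count, bearer, UPLINK, plaintext + tag)


def gnb_recover(k_gnb: bytes, enc_id: int, int_id: int, count: int,
                bearer: int, protected: bytes) -> Optional[bytes]:
    """Radio access network device: derive the same keys from K_gNB and the
    algorithm identities carried in the measurement request, decipher, then
    verify MAC-I. Returns None on any integrity failure."""
    if len(protected) < 4:
        return None
    k_enc = algorithm_key(k_gnb, ALG_TYPE_UP_ENC, enc_id)
    k_int = algorithm_key(k_gnb, ALG_TYPE_UP_INT, int_id)
    clear = cipher(k_enc, count, bearer, UPLINK, protected)
    data, tag = clear[:-4], clear[-4:]
    if not hmac.compare_digest(tag, mac_i(k_int, count, bearer, UPLINK, data)):
        return None
    return data


# Constructed K_gNB; in the patent's flow it reaches the gNB via the LMF.
K_GNB = hashlib.sha256(b"example K_gNB").digest()

if __name__ == "__main__":
    pdu = ue2_protect(K_GNB, 2, 2, 7, 1, b"SRS config report")
    print(gnb_recover(K_GNB, 2, 2, 7, 1, pdu))   # b'SRS config report'
    print(gnb_recover(K_GNB, 2, 1, 7, 1, pdu))   # None: wrong integrity algorithm
```

Calling gnb_recover with an integrity or ciphering algorithm identity other than the one the auxiliary terminal device reported, or with a different COUNT, returns None. That is the practical reason the measurement request has to carry the algorithm identities and ngKSI alongside K_gNB: the key alone does not tell the radio access network device which keys to derive.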
A fifth aspect of the embodiments of the present application provides a communication method, including:
an LMF network element receives a location service request sent by a first core network device, where the location service request carries an identifier of a second terminal device, a first key K_gNB and an encryption algorithm; the LMF network element then sends a measurement request message to a radio access network device, where the measurement request message carries the encryption algorithm and the first key K_gNB, the encryption algorithm being the algorithm the second terminal device uses to encrypt its data; the LMF network element receives a measurement response message sent by the radio access network device, where the measurement response message carries the positioning measurement quantity of the second terminal device; the LMF network element locates the second terminal device according to that positioning measurement quantity to obtain a positioning result; and the LMF network element then sends a location service response to the first core network device, where the location service response carries the positioning result of the second terminal device.
In this embodiment, during the positioning of the second terminal device, the LMF network element delivers the first key K_gNB and the encryption algorithm to the radio access network device, which establishes the encryption algorithm and key shared between the second terminal device and the radio access network device and secures the signaling exchanged between them.
In one possible implementation, the location service request further carries at least one of the following: integrity algorithm, or key set identification ngKSI; the measurement request message also carries at least one of: the integrity algorithm, or alternatively, the key set identification ngKSI; wherein, the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In this possible implementation manner, in the positioning process of the second terminal device, the integrity algorithm and the like are sent to the radio access network device through the LMF network element, so that the negotiation of the integrity algorithm between the second terminal device and the radio access network device is realized.
A sixth aspect of the embodiments of the present application provides a communication method, including:
and the wireless access network equipment sends a second message, wherein the second message carries a public key, the public key is used for calculating a second key, and the second key is used for decrypting the data of the second terminal equipment by the wireless access network equipment.
In this possible implementation manner, the radio access network device sends a public key or the like to the second terminal device in a broadcast or multicast manner, where the public key is used to calculate a second key, and the second key is used for the radio access network device to decrypt data of the second terminal device. In this way, the second terminal device may encrypt the data of the second terminal device by using the second key, and the radio access network device may decrypt the data of the second terminal device by using the second key, so as to ensure the security of the air interface signaling exchanged between the second terminal device and the radio access network device.
In one possible implementation, the second message further carries at least one of the following: the key set identification ngKSI, encryption algorithm, or integrity algorithm; the encryption algorithm is an algorithm for encrypting and protecting data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In this possible implementation, the radio access network device may further send the key set identifier ngKSI, the ciphering algorithm or the integrity algorithm to the second terminal device in a broadcast or multicast manner, so that the ciphering algorithm, the integrity algorithm and so on are agreed.
In another possible implementation manner, the method further includes: the wireless access network equipment receives at least one of the following information sent by an access and mobility management function (AMF) network element: a public key, a cryptographic algorithm, a key set identification ngKSI, or, an integrity algorithm.
In this possible implementation manner, the public key, the encryption algorithm, and the like carried in the second message sent by the radio access network device may be determined by the core network device, and the public key, the encryption algorithm, and the like are sent to the radio access network device through an AMF network element in the core network.
In another possible implementation manner, the method further includes: the method comprises the following steps that the radio access network equipment receives a measurement request message sent by an LMF network element, wherein the measurement request message carries at least one of the following items: a public key, a cryptographic algorithm, a key set identification ngKSI, or, an integrity algorithm.
In this possible implementation manner, the second message sent by the radio access network device may carry a public key, an encryption algorithm, and the like determined by the core network device, and the public key, the encryption algorithm, and the like are sent to the radio access network device through an LMF network element in the core network.
A seventh aspect of the embodiments of the present application provides a communication method, including:
the second terminal equipment receives a second message of the wireless access network equipment, wherein the second message carries a public key; then, the second terminal device calculates a second key according to the public key, wherein the second key is used for the second terminal device to encrypt data of the second terminal device.
In this embodiment, the second terminal device receives the public key sent by the radio access network device, so that the second terminal device may calculate the second key according to the public key. The second terminal device may encrypt the data of the second terminal device by using the second key, and the radio access network device may decrypt the data of the second terminal device by using the second key, so as to ensure the security of an air interface signaling interacted between the second terminal device and the radio access network device.
In one possible implementation, the second message further carries at least one of the following: the key set identification ngKSI, encryption algorithm, or integrity algorithm; the encryption algorithm is an algorithm for encrypting and protecting data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In this possible implementation, the radio access network device may further send the key set identifier ngKSI, the ciphering algorithm or the integrity algorithm to the second terminal device in a broadcast or multicast manner, so that the ciphering algorithm, the integrity algorithm and so on are agreed between the second terminal device and the radio access network device.
In another possible implementation manner, the method further includes: and the second terminal equipment calculates an integrity key according to the public key, wherein the integrity key is used for the second terminal equipment to perform integrity protection on the data of the second terminal equipment through an integrity algorithm.
In this possible implementation manner, the second terminal device obtains the integrity key through public key calculation, so that the second terminal device performs integrity protection on the data of the second terminal device, and the security of data transmission is improved.
An eighth aspect of the present application provides a communication method, including:
the LMF network element receives a positioning service request sent by the AMF network element, wherein the positioning service request carries an identifier of a second terminal device and a public key, the public key is used for calculating a second key, and the second key is used for the second terminal device to encrypt data of the second terminal device; then, the LMF network element sends a measurement request message to the radio access network equipment, wherein the measurement request message carries the public key.
In this embodiment, the core network determines the public key, and in the positioning process of the second terminal device, the AMF network element sends the public key to the LMF network element, so that the LMF network element sends the public key to the radio access network device, and thus the radio access network device may send the public key in a broadcast or multicast manner, so as to implement negotiation of the second terminal device and the radio access network device for the key, thereby ensuring the security of an air interface signaling interacted between the second terminal device and the radio access network device.
In one possible implementation, the location service request further carries at least one of the following: a ciphering algorithm, an integrity algorithm, or, a key set identification ngKSI; the measurement request message also carries at least one of: the ciphering algorithm, the integrity algorithm, or the key set identification ngKSI; the encryption algorithm is an algorithm for encrypting and protecting the data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In this possible implementation manner, the location service request further carries a key set identifier ngKSI, an encryption algorithm, or an integrity algorithm, so as to implement negotiation between the second terminal device and the radio access network device on the encryption algorithm, the integrity algorithm, and the like.
A ninth aspect of an embodiment of the present application provides a communication apparatus, including:
a transceiver module, configured to receive a first message sent by a first terminal device, where the first message carries an identifier of a second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device; send a first request message to the AUSF network element, where the first request message is used to request that authentication be performed for the second terminal device and carries the identifier of the second terminal device, the random number RAND and the response RES; and receive a first authentication response sent by the AUSF network element, where the first authentication response is used to indicate that the authentication of the second terminal device is successful.
In one possible implementation, the first message further includes at least one of the following: a key set identification ngKSI, an anti-bidding down between architectures (ABBA) parameter, an encryption algorithm, or an integrity algorithm; the encryption algorithm is an algorithm for encrypting and protecting data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In another possible implementation, the first authentication response carries a third key KSEAF; the communication apparatus further includes a processing module;
the processing module is configured to generate a fourth key KAMF according to the third key KSEAF.
In another possible implementation, the first authentication response also carries a hashed expected response HXRES; the processing module is specifically configured to:
calculate a hashed response HRES according to the response RES and the random number RAND; verify the HRES against the HXRES; and, when the verification passes, generate the fourth key KAMF according to the third key KSEAF.
In another possible implementation manner, the transceiver module is further configured to:
send the authentication result of the second terminal device to the first terminal device.
In another possible implementation manner, the transceiver module is further configured to:
send a location service request to an LMF network element, where the location service request carries the identifier of the second terminal device, the encryption algorithm and the first key KgNB; and receive a location service response sent by the LMF network element, where the location service response carries the positioning result of the second terminal device.
In another possible implementation manner, the location service request further carries at least one of the following: the integrity algorithm, or the key set identification ngKSI.
A tenth aspect of the embodiments of the present application provides a first terminal device, where the first terminal device includes:
a processing module, configured to obtain an identifier of a second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device;
a transceiving module, configured to send a first message to a first core network device, where the first message carries an identifier of a second terminal device, a random number RAND, and a response RES.
In one possible implementation, the first message further includes at least one of the following: the key set identification ngKSI, the anti-bidding down between architectures (ABBA) parameter, an encryption algorithm, or an integrity algorithm; the encryption algorithm is an algorithm for encrypting and protecting data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In another possible implementation manner, the transceiver module is further configured to:
receive the authentication result of the second terminal device sent by the first core network device.
An eleventh aspect of an embodiment of the present application provides a communication apparatus, including:
a transceiver module, configured to receive a first request message sent by a first core network device, where the first request message carries an identifier of a second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device;
a processing module, configured to send a second request message to a UDM network element, where the second request message is used to request an authentication parameter of a second terminal device, and the second request message carries an identifier of the second terminal device and a random number RAND;
the transceiver module is further configured to receive an authentication parameter sent by the UDM network element, where the authentication parameter includes an expected response XRES, and the expected response XRES is generated by the UDM network element according to the random number RAND;
the processing module is further configured to verify the response RES and the expected response XRES;
the transceiver module is further configured to send a first authentication response to the first core network device when the authentication is passed, where the first authentication response is used to indicate that the authentication of the second terminal device is successful.
In one possible implementation, the processing module is further configured to:
generate a hashed expected response HXRES from the expected response XRES and the random number RAND;
the transceiver module is specifically configured to:
send a first authentication response to the first core network device, where the first authentication response carries the hashed expected response HXRES.
A twelfth aspect of an embodiment of the present application provides a communication apparatus, including:
a transceiver module, configured to receive a measurement request message sent by an LMF network element, where the measurement request message carries an encryption algorithm and a first key KgNB;
a processing module, configured to calculate a second key according to the first key KgNB, and decrypt the data of the second terminal device according to the second key and the encryption algorithm;
the transceiver module is further configured to send a measurement response message to the LMF network element, where the measurement response message carries the positioning measurement quantity of the second terminal device.
In a possible implementation manner, the measurement request message further carries at least one of the following: integrity algorithm, or, key set identification ngKSI; wherein, the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In another possible implementation manner, the processing module is further configured to:
calculate an integrity key according to the first key KgNB;
and perform integrity verification on the data of the second terminal device according to the integrity key and the integrity algorithm.
A thirteenth aspect of embodiments of the present application provides a communication apparatus, including:
a transceiver module, configured to receive a location service request sent by a first core network device, where the location service request carries an identifier of a second terminal device, a first key KgNB and an encryption algorithm; and send a measurement request message to a radio access network device, where the measurement request message carries the encryption algorithm and the first key KgNB, and the encryption algorithm is an algorithm for the second terminal device to encrypt data of the second terminal device.
In one possible implementation, the location service request further carries at least one of the following: integrity algorithm, or key set identification ngKSI; the measurement request message also carries at least one of: the integrity algorithm, or alternatively, the key set identification ngKSI; wherein, the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
A fourteenth aspect of an embodiment of the present application provides a communication apparatus, including:
a transceiver module, configured to send a second message, where the second message carries a public key, the public key is used to calculate a second key, and the second key is used for the communication apparatus to decrypt data of a second terminal device; receiving a measurement response message sent by the wireless access network equipment, wherein the measurement response message carries the positioning measurement quantity of the second terminal equipment;
the processing module is used for positioning the second terminal equipment according to the positioning measurement quantity carried by the measurement response message to obtain a positioning result of the second terminal equipment;
the transceiver module is further configured to send a location service response to the first core network device, where the location service response carries the positioning result of the second terminal device.
In one possible implementation, the second message further carries at least one of the following: the key set identification ngKSI, encryption algorithm, or integrity algorithm; the encryption algorithm is an algorithm for encrypting and protecting data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In another possible implementation manner, the transceiver module is further configured to:
receive at least one of the following items of information sent by the AMF network element: a public key, an encryption algorithm, a key set identification ngKSI, or an integrity algorithm.
In another possible implementation manner, the transceiver module is further configured to:
receive a measurement request message sent by an LMF network element, where the measurement request message carries at least one of the following items: a public key, an encryption algorithm, a key set identification ngKSI, or an integrity algorithm.
A fifteenth aspect of an embodiment of the present application provides a second terminal device, where the second terminal device includes:
a transceiver module, configured to receive a second message from the radio access network device, where the second message carries a public key; the second terminal device then calculates a second key according to the public key, where the second key is used for the second terminal device to encrypt data of the second terminal device.
In one possible implementation, the second message further carries at least one of the following: the key set identification ngKSI, encryption algorithm, or integrity algorithm; the encryption algorithm is an algorithm for encrypting and protecting data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In another possible implementation manner, the second terminal device further includes a processing module;
the processing module is configured to calculate an integrity key according to the public key, where the integrity key is used for the second terminal device to perform integrity protection on the data of the second terminal device through an integrity algorithm.
In another possible implementation manner, the processing module is further configured to:
calculate an integrity key according to the public key, where the integrity key is used for the second terminal device to perform integrity protection on the data of the second terminal device through an integrity algorithm.
A sixteenth aspect of an embodiment of the present application provides a communication apparatus, including:
a transceiver module, configured to receive a location service request sent by an AMF network element, where the location service request carries an identifier of a second terminal device and a public key, the public key is used to calculate a second key, and the second key is used for the second terminal device to encrypt data of the second terminal device; and send a measurement request message to the radio access network device, where the measurement request message carries the public key.
In one possible implementation, the location service request further carries at least one of the following: an encryption algorithm, an integrity algorithm, or a key set identification ngKSI; the measurement request message also carries at least one of the following: the encryption algorithm, the integrity algorithm, or the key set identification ngKSI; the encryption algorithm is an algorithm for encrypting and protecting the data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
A seventeenth aspect of embodiments of the present application provides a communication apparatus, including: a processor, a memory, and a transceiver; the processor is configured to control the transceiver to send and receive signals; the memory stores a computer program; the processor is further configured to invoke and execute the computer program stored in the memory, so that the processor implements any one of the implementation manners of the first aspect.
An eighteenth aspect of embodiments of the present application provides a first terminal device, where the first terminal device includes: a processor, a memory, and a transceiver; the processor is configured to control the transceiver to send and receive signals; the memory stores a computer program; the processor is further configured to invoke and execute the computer program stored in the memory, so that the processor implements any one of the implementation manners of the second aspect.
A nineteenth aspect of embodiments of the present application provides a communication apparatus, including: a processor, a memory, and a transceiver; the processor is configured to control the transceiver to send and receive signals; the memory stores a computer program; the processor is further configured to invoke and execute the computer program stored in the memory, so that the processor implements any one of the implementation manners of the third aspect.
A twentieth aspect of embodiments of the present application provides a communication apparatus, including: a processor, a memory, and a transceiver; the processor is configured to control the transceiver to send and receive signals; the memory stores a computer program; the processor is further configured to invoke and execute the computer program stored in the memory, so that the processor implements any one of the implementation manners of the fourth aspect.
A twenty-first aspect of embodiments of the present application provides a communication apparatus, including: a processor, a memory, and a transceiver; the processor is configured to control the transceiver to send and receive signals; the memory stores a computer program; the processor is further configured to invoke and execute the computer program stored in the memory, so that the processor implements any one of the implementation manners of the fifth aspect.
A twenty-second aspect of embodiments of the present application provides a communication apparatus, including: a processor, a memory, and a transceiver; the processor is configured to control the transceiver to send and receive signals; the memory stores a computer program; the processor is further configured to invoke and execute the computer program stored in the memory, so that the processor implements any one of the implementation manners of the sixth aspect.
A twenty-third aspect of embodiments of the present application provides a second terminal device, where the second terminal device includes: a processor, a memory, and a transceiver; the processor is configured to control the transceiver to send and receive signals; the memory stores a computer program; the processor is further configured to invoke and execute the computer program stored in the memory, so that the processor implements any one of the implementation manners of the seventh aspect.
A twenty-fourth aspect of embodiments of the present application provides a communication apparatus, including: a processor, a memory, and a transceiver; the processor is configured to control the transceiver to send and receive signals; the memory stores a computer program; the processor is further configured to invoke and execute the computer program stored in the memory, so that the processor implements any one of the implementation manners of the eighth aspect.
A twenty-fifth aspect of embodiments of the present application provides a computer program product comprising instructions that, when run on a computer, cause the computer to perform the implementation manner as in any one of the first to eighth aspects.
A twenty-sixth aspect of embodiments of the present application provides a computer-readable storage medium, including computer instructions, which, when executed on a computer, cause the computer to perform any implementation manner as in any one of the first to eighth aspects.
A twenty-seventh aspect of embodiments of the present application provides a chip apparatus, including a processor, configured to connect to a memory and invoke a program stored in the memory, so as to enable the processor to execute any one of the implementation manners of any one of the first aspect to the eighth aspect.
A twenty-eighth aspect of embodiments of the present application provides a communication system including the communication apparatus according to the ninth aspect, the first terminal device according to the tenth aspect, and the communication apparatus according to the eleventh aspect.
Optionally, the communication system further comprises a communication device according to the twelfth aspect and a communication device according to the thirteenth aspect.
A twenty-ninth aspect of embodiments of the present application provides a communication system including the communication apparatus according to the fourteenth aspect and the second terminal device according to the fifteenth aspect.
Optionally, the communication system further comprises a communication device according to the sixteenth aspect.
According to the above technical solutions, the embodiments of the present application have the following advantages:
As can be seen from the above technical solution, a first core network device receives a first message sent by a first terminal device, where the first message carries an identifier of a second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device; then the first core network device sends a first request message to the AUSF network element, where the first request message is used to request that authentication be performed for the second terminal device and carries the identifier of the second terminal device, the random number RAND and the response RES; and the first core network device receives a first authentication response sent by the AUSF network element, where the first authentication response is used to indicate that the authentication of the second terminal device is successful. Thus, in the technical solution of the embodiment of the present application, the auxiliary terminal device obtains the identifier of the second terminal device and the authentication information of the second terminal device (for example, the authentication information includes the random number RAND and the response RES). The first core network device receives the identifier of the second terminal device and the authentication information of the second terminal device sent by the auxiliary terminal device, and sends them to the AUSF network element, so that the AUSF network element can authenticate the second terminal device.
Therefore, according to the technical solution of the embodiment of the application, the network authenticates the second terminal device even when the second terminal device has not accessed the network (including the case where the second terminal device has no access capability and the case where the second terminal device does not need to access the network).
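The relayed authentication exchange described above (the AMF-side ninth aspect, the AUSF-side eleventh aspect, and the summary just given), as an added Python simulation that is not part of the patent. The response function, the hashed response and the KSEAF/KAMF derivations are assumed HMAC/SHA-256 stand-ins because the page does not specify them, and the subscriber identifier and long-term key are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed subscription record held by the UDM: identifier of the second
# terminal device -> long-term key K. Both values are made up for this example.
UDM_SUBSCRIBERS = {
    "second-terminal-0001": bytes.fromhex("0f0e0d0c0b0a09080706050403020100"),
}


def f_res(k: bytes, rand: bytes) -> bytes:
    """RES (terminal side) / XRES (UDM side): response to RAND under K.
    HMAC-SHA256 is an assumed stand-in; the page does not name the function."""
    return hmac.new(k, b"RES" + rand, hashlib.sha256).digest()[:16]


def hashed_response(rand: bytes, res: bytes) -> bytes:
    """HRES (AMF, from RES) / HXRES (AUSF, from XRES): hash over RAND || response."""
    return hashlib.sha256(rand + res).digest()[:16]


def derive_kseaf(k: bytes, rand: bytes) -> bytes:
    """Third key KSEAF, derived from K and RAND (assumed HMAC-based derivation)."""
    return hmac.new(k, b"KSEAF" + rand, hashlib.sha256).digest()


def derive_kamf(kseaf: bytes, ident: str, abba: bytes) -> bytes:
    """Fourth key KAMF, derived by the AMF from KSEAF, the identifier and ABBA (assumed)."""
    return hmac.new(kseaf, b"KAMF" + ident.encode() + abba, hashlib.sha256).digest()


@dataclass
class FirstMessage:
    """First message: first terminal device -> first core network device (AMF)."""
    ident: str
    rand: bytes
    res: bytes
    abba: bytes = b"\x00\x00"  # anti-bidding down between architectures parameter


class SecondTerminal:
    """Terminal without network access; it generates RAND and RES itself."""

    def __init__(self, ident: str, k: bytes) -> None:
        self.ident, self.k = ident, k

    def auth_info(self, rand: Optional[bytes] = None) -> FirstMessage:
        rand = rand if rand is not None else os.urandom(16)
        return FirstMessage(self.ident, rand, f_res(self.k, rand))


class UDM:
    def auth_parameters(self, ident: str, rand: bytes) -> dict:
        """Second request message: AUSF -> UDM. XRES is computed from RAND and K."""
        k = UDM_SUBSCRIBERS[ident]  # unknown subscriber -> KeyError, flow aborted
        return {"XRES": f_res(k, rand), "KSEAF": derive_kseaf(k, rand)}


class AUSF:
    def __init__(self, udm: UDM) -> None:
        self.udm = udm

    def authenticate(self, ident: str, rand: bytes, res: bytes) -> Optional[dict]:
        """First request message: AMF -> AUSF. Returns the first authentication
        response (HXRES and KSEAF) on success, None when RES does not match XRES."""
        params = self.udm.auth_parameters(ident, rand)
        if not hmac.compare_digest(res, params["XRES"]):  # constant-time compare
            return None
        return {"HXRES": hashed_response(rand, params["XRES"]), "KSEAF": params["KSEAF"]}


class AMF:
    def __init__(self, ausf: AUSF) -> None:
        self.ausf = ausf

    def handle_first_message(self, msg: FirstMessage) -> Optional[dict]:
        """Forwards identifier, RAND and RES to the AUSF, then checks its own HRES
        against the returned HXRES before deriving KAMF. None means failure."""
        resp = self.ausf.authenticate(msg.ident, msg.rand, msg.res)
        if resp is None:
            return None
        hres = hashed_response(msg.rand, msg.res)
        if not hmac.compare_digest(hres, resp["HXRES"]):
            return None
        return {"ident": msg.ident, "KAMF": derive_kamf(resp["KSEAF"], msg.ident, msg.abba)}


def run_flow(terminal_k: bytes, rand: Optional[bytes] = None) -> Optional[dict]:
    """End-to-end exchange; the first terminal device only relays the first message."""
    second = SecondTerminal("second-terminal-0001", terminal_k)
    first_message = second.auth_info(rand)        # obtained by the first terminal device
    amf = AMF(AUSF(UDM()))
    return amf.handle_first_message(first_message)  # result is then sent to the first terminal


if __name__ == "__main__":
    print("genuine key:", "success" if run_flow(UDM_SUBSCRIBERS["second-terminal-0001"]) else "failure")
    print("wrong key:  ", "success" if run_flow(b"\x00" * 16) else "failure")
```

Running the block authenticates the terminal that holds the subscribed key and rejects one that does not, so the first terminal device never needs the second terminal's key: it only relays RAND and RES.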
Drawings
FIG. 1A is a block diagram of a communication system according to an embodiment of the present invention;
FIG. 1B is a schematic diagram of a network architecture according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an embodiment of a communication method according to an embodiment of the present application;
fig. 3 is a schematic diagram of another embodiment of a communication method according to an embodiment of the present application;
fig. 4 is a schematic diagram of another embodiment of a communication method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a first terminal device according to an embodiment of the present application;
fig. 7 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 8 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 9 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 10 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of a second terminal device according to an embodiment of the present application;
fig. 12 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 13 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 14 is another schematic structural diagram of the first terminal device according to the embodiment of the present application;
fig. 15 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 16 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 17 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 18 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 19 is another schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 20 is a schematic diagram of a communication system according to an embodiment of the present application;
fig. 21 is another schematic diagram of a communication system according to an embodiment of the present application.
Detailed Description
The embodiments of the present application provide an authentication method and apparatus for a terminal device, which are used to allow the network to authenticate a terminal device without access capability and to secure the air interface signaling exchanged between the terminal device and the network.
In order to make the objects, technical solutions and advantages of the present application more clear, the present application will be further described with reference to the accompanying drawings.
The terms "comprising" and "having," and any variations thereof, in the description, claims, and drawings of this application are intended to cover non-exclusive inclusions. Such as a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those skilled in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
In this application, "at least one" means one or more, "a plurality" means two or more, and "at least two" means two, three, or more than three. "And/or" describes an association relationship between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: only A, only B, or both A and B, where A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b, or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may be singular or plural.
A communication system to which the embodiments of the present application are applied will be described below.
The technical solution provided by the present application can be applied to various communication systems. In a communication system, the part operated by an operator may be referred to as a Public Land Mobile Network (PLMN) (also referred to as an operator network, etc.). A PLMN is a network established and operated by a government or an operator approved by it for the purpose of providing land mobile communication services to the public, and is mainly a public network in which a Mobile Network Operator (MNO) provides mobile broadband access services to users. The PLMN described in the present application may specifically be a network meeting the requirements of the third generation partnership project (3GPP) standard, referred to as a 3GPP network for short. A 3GPP network generally includes, but is not limited to, a fifth-generation mobile communication (5th-generation, 5G) network (referred to as a 5G network), a fourth-generation mobile communication (4th-generation, 4G) network (referred to as a 4G network), and the like.
For convenience of description, the communication system shown in fig. 1A will be described below by taking a PLMN as an example. Or, the technical solution provided in the present application may also be applied to a Long Term Evolution (LTE) system, a Frequency Division Duplex (FDD) system, a Time Division Duplex (TDD) system, a Universal Mobile Telecommunications System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a fifth generation (5th generation, 5G) communication system or a New Radio (NR) communication system, and other future communication systems such as 6G.
With the expansion of mobile bandwidth access services, mobile networks will also develop to better support diversified business models, and meet the demands of more diversified application services and more industries. For example, 5G networks have made network architecture adjustments relative to 4G networks in order to provide better and more sophisticated services to more industries. For example, the 5G network splits a Mobility Management Entity (MME) in the 4G network into a plurality of network functions including an access and mobility management function (AMF) and a Session Management Function (SMF).
Fig. 1A is a schematic structural diagram of a communication system according to an embodiment of the present application, which is taken as an example of a 5G network architecture based on a service architecture in a non-roaming scenario defined in a 3GPP standardization process. The network architecture may include three parts, a terminal equipment part, a PLMN, and a Data Network (DN).
The terminal equipment portion may include terminal equipment 110, and the terminal equipment 110 may also be referred to as User Equipment (UE). The terminal device 110 in this application is a device having a radio transceiving function, and may communicate with one or more Core Network (CN) devices (or may also be referred to as core devices) through a Radio Access Network (RAN) device (or may also be referred to as an access device) in a RAN 140.
Terminal device 110 may also be referred to as an access terminal, subscriber unit, subscriber station, mobile, remote station, remote terminal, mobile device, user terminal, user agent, or user equipment, etc. Terminal device 110 may be deployed on land, including indoors or outdoors, hand-held or vehicle-mounted; can also be deployed on the water surface (such as a ship and the like); and may also be deployed in the air (e.g., airplanes, balloons, satellites, etc.).
Alternatively, terminal device 110 may also include constrained devices, such as devices that consume less power, devices that have limited storage capability, or devices that have limited computing capability, for example information sensing devices such as bar codes, Radio Frequency Identification (RFID), sensors, Global Positioning Systems (GPS), laser scanners, and the like.
Alternatively, the terminal device 110 may be a cellular phone (cellular phone), a cordless phone, a Session Initiation Protocol (SIP) phone, a smart phone (smart phone), a mobile phone (mobile phone), a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), or the like. Alternatively, the terminal device 110 may also be a handheld device with wireless communication functionality, a computing device or other device connected to a wireless modem, an in-vehicle device, a wearable device, a drone device or internet of things, a terminal in an in-vehicle network, a terminal in any modality in a 5G network and future networks, a relay user equipment, a terminal in a PLMN for future evolution, or the like. The relay user equipment may be, for example, a 5G home gateway (RG). For example, the terminal device 110 may be a Virtual Reality (VR) terminal, an Augmented Reality (AR) terminal, a wireless terminal in industrial control (industrial control), a wireless terminal in self driving (self driving), a wireless terminal in remote medical (remote medical), a wireless terminal in smart grid, a wireless terminal in transportation safety (transportation safety), a wireless terminal in smart city (smart city), a wireless terminal in smart home (smart home), or the like. The embodiment of the present application does not limit the type or category of the terminal device.
The PLMN may include: a network exposure function (NEF) 131, a network repository function (NRF) 132, a Policy Control Function (PCF) 133, a Unified Data Management (UDM) 134, an Application Function (AF) 135, an authentication server function (AUSF) 136, an AMF 137, a Session Management Function (SMF) 138, a User Plane Function (UPF) 139, and a (radio) access network (R)AN 140, etc. In the above PLMN, the part other than the (radio) access network 140 may be referred to as the Core Network (CN) part or the core network part.
The Data Network (DN) 120, which may also be referred to as a Packet Data Network (PDN), is typically a network located outside the PLMN, such as a third party network. Illustratively, a PLMN may have access to a plurality of data network DNs 120, and a plurality of services may be deployed on the data network DNs 120 to provide services such as data and/or voice services for the terminal device 110. For example, the data network DN 120 may be a private network of an intelligent factory, a sensor installed in a workshop of the intelligent factory may be the terminal device 110, and a control server of the sensor is disposed in the data network DN 120, and the control server may provide a service for the sensor. The sensor can communicate with the control server, obtain the instruction of the control server, transmit the sensor data gathered to the control server, etc. according to the instruction. For another example, the data network DN 120 may be an internal office network of a company, and the mobile phone or computer of the employee of the company may be the terminal device 110, and the mobile phone or computer of the employee may access information, data resources, and the like on the internal office network of the company. Terminal device 110 may establish a connection with a PLMN through an interface provided by the PLMN (e.g., an N1 interface in fig. 1A, etc.), and use data and/or voice services provided by the PLMN. Terminal device 110 may also access data network DN 120 via the PLMN, using operator services deployed on data network DN 120, and/or services provided by third parties. The third party may be a service party other than the PLMN and the terminal device 110, and may provide services such as other data and/or voice for the terminal device 110. The specific expression form of the third party may be determined according to an actual application scenario, and is not limited herein.
By way of example, a brief description of network functions in a PLMN is provided below.
The (R)AN 140 is a sub-network of the PLMN. The terminal device 110 accesses the PLMN by first passing through the (R)AN 140 and then connecting to the service node in the PLMN through the (R)AN 140. The access network device in the embodiment of the present application is a device that provides a wireless communication function for the terminal device 110, and may also be referred to as an access device, (R)AN device, or a network device. Such access devices include but are not limited to: next generation base station (gNB) in 5G system, evolved node B (eNB) in LTE system, Radio Network Controller (RNC), Node B (NB), Base Station Controller (BSC), Base Transceiver Station (BTS), home base station (home evolved node B, or home node B, HNB), Base Band Unit (BBU), Transmission and Reception Point (TRP), Transmission Point (TP), small base station equipment (pico), mobile switching center, or network equipment in future network. It is understood that the present application is not limited to a particular type of radio access network device. In systems using different radio access technologies, the names of devices that function as radio access network devices may differ.
Optionally, in some deployments of the access device, the access device may include a Centralized Unit (CU), a Distributed Unit (DU), and the like. In other deployments of access devices, a CU may also be divided into a CU-Control Plane (CP), a CU-User Plane (UP), and so on. In some other deployments of the access device, the access device may also be an Open Radio Access Network (ORAN) architecture, and the application does not limit a specific deployment manner of the access device.
The network open function NEF (which may also be referred to as NEF network function or NEF network function entity) 131 is an operator provided control plane function. The NEF network function 131 opens the external interface of the PLMN to the third party in a secure manner. When SMF network function 138 needs to communicate with a network function of a third party, NEF network function 131 may act as a relay for SMF network function 138 to communicate with a network entity of the third party. When acting as a relay, NEF network function 131 may translate the subscriber's identification information as well as the identification information of the third party's network function. For example, when the NEF network function 131 sends a subscriber permanent identifier (SUPI) of a subscriber from a PLMN to a third party, the SUPI may be translated into its corresponding external Identity (ID). Conversely, when the NEF network function 131 sends an external ID (a network entity ID of a third party) to the PLMN, it may translate it into SUPI.
The network storage function NRF 132 may be used to maintain real-time information for all network function services in the network.
The policy control function PCF 133 is a control plane function provided by an operator and is used to provide a policy of a Protocol Data Unit (PDU) session to the session management function SMF 138. The policies may include charging related policies, QoS related policies, authorization related policies, and the like.
The unified data management UDM 134 is a control plane function provided by an operator, and is responsible for storing information such as a subscriber permanent identifier (SUPI), a security context (security context), and subscription data of a subscriber in a PLMN. The subscriber of the PLMN may be specifically a subscriber using services provided by the PLMN, for example, a subscriber using a core card of a terminal device in China Telecom, or a subscriber using a core card of a terminal device in China Mobile, and the like. For example, the SUPI of the subscriber may be a number of a core card of the terminal device, or the like. The security context may be data (cookie) or token (token) stored on the local terminal device (e.g. mobile phone), etc. The subscription data of the subscriber may be a service associated with the core card of the terminal device, such as a traffic package of the core card of the mobile phone.
The application function AF 135 is used to perform data routing for application influence, access to a network open function, perform policy control with a policy framework, and the like.
The authentication server function AUSF 136 is a control plane function provided by the operator and is typically used for a level one authentication, i.e. authentication between the terminal device 110 (subscriber) and the PLMN.
The access and mobility management function AMF137 is a control plane network function provided by the PLMN and is responsible for access control and mobility management of the access to the PLMN by the terminal device 110, including functions such as mobility state management, assigning temporary identities of users, authenticating and authorizing users, and the like.
The session management function SMF 138 is a control plane network function provided by the PLMN and is responsible for managing a Protocol Data Unit (PDU) session of the terminal device 110. A PDU session is a channel for transmitting PDUs, which the terminal device needs to transmit to each other with the DN 120 through the PDU session. The PDU session may be responsible for establishment, maintenance, deletion, etc. by the SMF 138. The SMF 138 includes session-related functions such as session establishment, modification, and release, including tunnel maintenance between the UPF 139 and the (R) AN 140, selection and control of the UPF 139, Service and Session Continuity (SSC) mode selection, roaming, and the like.
The user plane function UPF 139 is a gateway provided by the operator and is the gateway through which the PLMN communicates with the DN 120. The UPF 139 includes user plane related functions such as packet routing and transmission, packet detection, service usage reporting, quality of service (QoS) processing, lawful interception, uplink packet detection, downlink packet storage, and the like.
In fig. 1A, Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface serial numbers. For example, the meaning of the above interface sequence numbers can be referred to the meaning defined in the 3GPP standard protocol, and the application does not limit the meaning of the above interface sequence numbers. It should be noted that fig. 1A only illustrates the terminal device 110 as a UE, an interface name between each network function in fig. 1A is also only an example, and in a specific implementation, the interface name of the system architecture may be other names, which is not limited in this application.
The mobility management network function in this application may be the AMF137 shown in fig. 1A, or may be another network function having the access and mobility management function AMF137 in a future communication system. Alternatively, the mobility management network function in the present application may also be a Mobility Management Entity (MME) in the LTE system.
For convenience of description, in the embodiment of the present application, the access and mobility management function AMF137 is referred to as an AMF network element, the unified data management UDM134 is referred to as an UDM network element, and the authentication server function AUSF 136 is referred to as an AUSF network element. That is, in the embodiment of the present application, the AMF network elements described later may be replaced with an access and mobility management function, the UDM network elements may be replaced with a unified data management function, and the AUSF network elements may be replaced with an authentication server function.
Referring to fig. 1B, fig. 1B is a schematic diagram of a network architecture according to an embodiment of the present application. The network architecture includes a terminal device 101, a next Generation Node B (gNB) 102, a next Generation evolved Node B (ng-eNB) 103, an access and mobility management function (AMF) 104, and an LMF network element.
Therein, a terminal device 101 communicates with a serving base station (e.g., a gNB102 or a ng-eNB103 in fig. 1A) over a Uu interface. The ng-eNB103 is an evolved Long Term Evolution (LTE) base station connected to a 5G core network, and the gNB102 is a base station in a 5G communication system. In the network architecture, base stations communicate with each other through an Xn interface, and the base stations communicate with the AMF104 through an NG-C interface. The AMF104 communicates with the LMF105 via an NL1 interface, and the AMF104 corresponds to a router that communicates between base stations and the LMF 105. The LMF105 is used for position calculation and management of the location of the terminal equipment.
The above fig. 1B only shows an example of two base stations of the network architecture including the gNB102 and ng-eNB 103. In practical applications, the network architecture may further include more base stations, or the network architecture includes only one base station, and the present application is not limited thereto. The terminal device 101 in the network architecture is the terminal device 110 shown in fig. 1A, and the AMF104 is the AMF137 shown in fig. 1A. For the related descriptions of the terminal device 101 and the AMF104, refer to the related description in fig. 1A, and are not described herein again.
For convenience of description, in the embodiment of the present application, the LMF 105 is simply referred to as an LMF network element, that is, in the embodiment of the present application, LMF network elements described later may be replaced with location management function network elements.
At present, when a terminal device accesses a 5G network and the terminal device registers for the first time in the 5G network, the terminal device needs to go through the processes of access and authentication. When the terminal device successfully authenticates and enters a connected state, the terminal device can communicate with the network. For example, the terminal device feeds back positioning information to the network to realize the positioning of the network on the position of the terminal device.
However, for a terminal device without access capability or a terminal device without network access, the authentication process cannot be completed because the terminal device does not have access capability or does not have network access.
The access capability refers to a capability of the terminal device accessing the network and entering a radio resource control connected (RRC connected) state. The terminal device is embodied as having protocol layers such as a physical layer, a data link layer and an RRC layer required for accessing the network. For a terminal device without access capability, the terminal device may be a positioning tag device with ultra-low power consumption, and the terminal device does not have an RRC layer and cannot enter a connected state. A terminal device that does not need to access a network may refer to a terminal device that is in a radio resource control idle (RRC idle) state for a long time.
Based on the above problem, the communication method provided by the embodiment shown in fig. 2 provided in the embodiment of the present application implements authentication of a network to a terminal device without access capability or a terminal device without network access. Further, in order to ensure the security of the air interface signaling interacting between the terminal device without the access capability or the terminal device without the access network and the network, the communication method provided in the embodiment shown in fig. 3 or the embodiment shown in fig. 4 of the present application may be used to implement the security activation between the terminal device without the access capability or the terminal device without the access network and the network, so as to ensure the security of the air interface signaling interacting between the terminal device without the access capability or the terminal device without the access network and the network.
Referring to fig. 2, fig. 2 is a schematic diagram of an embodiment of a communication method according to an embodiment of the present application. In fig. 2, the method comprises:
201. the first terminal equipment acquires the authentication information of the second terminal equipment.
Wherein the authentication information of the second terminal device includes a random number RAND and a response RES. The random number RAND and the response RES are generated or provided by the second terminal device.
Specifically, the random number RAND is a random number generated by the second terminal device in an authentication process for the second terminal device. The random number RAND is a parameter for authentication of the second terminal device. The response RES is calculated by the second terminal device based on the root key of the second terminal device and the random number RAND. The root key of the second terminal device is a permanent key that is stored both by the UDM network element and by the second terminal device when the second terminal device subscribes. The response RES is used for comparison with an expected response (XRES) generated by the core network to enable authentication of the second terminal device. The expected response XRES is generated as described with respect to step 205.
The first terminal device is an auxiliary terminal device of the second terminal device, and the second terminal device is a terminal device without access capability or a terminal device without network access. For example, the second terminal device is an ultra-low power consumption positioning tag device. The first terminal device is a terminal device with access capability, and the first terminal device is used for acquiring the authentication information of the second terminal device and reporting the authentication information of the second terminal device to the network instead of the second terminal device.
Optionally, several possible implementation manners of the first terminal device obtaining the authentication information of the second terminal device are illustrated below. It should be noted that, in this embodiment, the obtaining method of the authentication information of the second terminal device obtained by the first terminal device is not limited, and the first terminal device may also obtain the authentication information of the second terminal device through other methods, which is not specifically limited in this application.
1. The authentication information of the second terminal device is manually input into the first terminal device.
2. The first terminal device acquires the authentication information of the second terminal device by scanning a two-dimensional code or bar code.
Optionally, the authentication information further includes at least one of the following:
key set identifier ngKSI, anti-bidding-down between architectures (ABBA), ciphering algorithm (cryptographic algorithm), integrity algorithm (integrity algorithm).
The ngKSI is an identifier of the key set used by the second terminal device, and is used for indicating that the network and the second terminal device use the same key set. The ABBA is used by the AMF network element to generate the fourth key KAMF. The encryption algorithm is an algorithm for protecting data of the second terminal device by encryption. The integrity algorithm is an algorithm for integrity protection of data of the second terminal device.
For example, when the second terminal device sends uplink data to the radio access network device, the second terminal device may encrypt the uplink data through the encryption algorithm, and the second terminal device may further perform integrity protection on the uplink data through the integrity algorithm.
202. The first terminal device sends a first message to the first core network device.
Wherein the first message carries the identity of the second terminal device, the random number RAND and the response RES. Optionally, the identifier of the second terminal device is a user equipment identifier (UE ID). For example, a subscription hidden identifier (SUCI) and a globally unique temporary user equipment identifier (GUTI) of the second terminal device.
Optionally, the first message further includes at least one of:
key set identifier ngKSI, anti-bidding-down between architectures (ABBA), encryption algorithm, integrity algorithm.
The key set identifier ngKSI is used by the second terminal device and the AMF network element to derive keys (e.g., the key KgNB). The ABBA is used by the second terminal device and the security anchor function (SEAF) network element to generate KAMF. The encryption algorithm is an algorithm for encrypting data of the second terminal device. The integrity algorithm is an algorithm for integrity protection of data of the second terminal device. The SEAF network element is used for providing an authentication function for the terminal device.
Please refer to the related description in step 201 for the related description of the authentication information of the second terminal device carried in the first message, which is not described herein again.
Optionally, in the communication system, when the SEAF network element and the AMF network element are co-deployed (and collectively referred to as an AMF network element), the first core network device is the AMF network element. When the SEAF network element and the AMF network element are separately deployed, the first core network device is the SEAF network element. The communication system shown in fig. 1A is described by taking the co-deployment of the SEAF network element and the AMF network element as an example; in practical application, the SEAF network element and the AMF network element may be separately deployed, and the present application is not specifically limited.
Optionally, the first message is a Non Access Stratum (NAS) message.
203. The first core network device sends a first request message to the AUSF network element.
The first request message is used for requesting to execute authentication for the second terminal device, and the first request message carries the identifier of the second terminal device, the random number RAND and the response RES.
Optionally, the first request message is an authentication request message (Nausf_UEAuthentication_Authenticate Request).
204. The AUSF network element sends a second request message to the UDM network element.
The second request message is used for requesting the authentication parameters of the second terminal device, and the second request message carries the identifier of the second terminal device and the random number RAND.
Optionally, the second request message is an authentication acquisition request message (Nudm_UEAuthentication_Get Request).
Specifically, the AUSF network element requests the UDM network element for an authentication vector through an authentication acquisition request message, where the authentication acquisition request message carries the identifier of the second terminal device and the random number RAND.
205. The UDM network element sends the authentication parameters to the AUSF network element.
Wherein the authentication parameter comprises an expected response XRES.
In particular, the expected response XRES is generated by the UDM network element from the random number RAND generated or provided by the second terminal device and the root key of the second terminal device stored in the UDM network element. The expected response XRES is used for comparison with the response RES generated or provided by the second terminal device to enable authentication of the second terminal device.
In a possible implementation manner, the UDM network element sends a response message to the AUSF network element, where the response message carries the authentication parameter. The response message to the second request message is an authentication acquisition response message (Nudm_UEAuthentication_Get Response).
Optionally, the response message includes an authentication vector, and the UDM network element generates the authentication vector, which includes the expected response XRES. Optionally, the authentication vector further includes the random number RAND. It should be noted that the authentication vector may further include other parameters, which may specifically refer to related descriptions of the authentication vector in the existing related communication protocol, which are not described herein.
206. The AUSF network element verifies the response RES and the expected response XRES.
Specifically, as shown in the foregoing step 201, the response RES is derived by the second terminal device according to the root key of the second terminal device and the random number RAND generated or provided by the second terminal device. As can be seen from step 205, the expected response XRES is generated by the UDM network element based on the random number RAND generated or provided by the second terminal device and the root key of the second terminal device stored in the UDM network element. Therefore, the AUSF network element may compare the response RES with the expected response XRES for consistency, and thereby authenticate the validity of the second terminal device: if the comparison is consistent, the authentication is passed, that is, the authentication of the second terminal device is successful, and step 209 is executed; if the comparison is not consistent, the authentication is not passed, that is, the authentication of the second terminal device fails, and step 207 is executed.
207. The AUSF network element sends a second authentication response (authentication response) to the first core network device.
And the second authentication response is used for indicating that the second terminal equipment fails in authentication.
After the AUSF network element performs step 207, the AUSF network element may further perform step 213 to notify the first terminal device of the authentication result of the second terminal device.
Optionally, when the AUSF successfully authenticates the second terminal device, the embodiment shown in fig. 2 further includes step 208, step 210, and step 211.
208. The AUSF network element calculates a hash expected response (HXRES) from the expected response XRES and the random number RAND.
The hash expected response HXRES is used for comparison with the hash response HRES to enable authentication of the second terminal device. Please refer to step 210 for the process of generating the hash response HRES.
209. The AUSF network element sends a first authentication response (authentication response) to the first core network device.
The first authentication response indicates that the authentication of the second terminal device is successful, and the first authentication response carries a third key KSEAF.
Specifically, when the AUSF network element performs consistency comparison between the response RES and the expected response XRES to determine that the authentication is successful, the AUSF network element may determine that the authentication of the second terminal device is successful, and then the AUSF network element indicates that the authentication of the second terminal device by the AUSF network element is successful through the first authentication response.
Optionally, if the AUSF network element performs step 208, the first authentication response also carries the hash expected response HXRES.
210. The first core network device calculates a hash response HRES from the response RES and the random number RAND.
211. The first core network device verifies the hash response HRES and the hash expected response HXRES.
As can be seen from the above step 208, the hashed expected response HXRES is generated by the AUSF network element from the expected response XRES and the random number RAND. As can be seen from the above step 210, the hash response HRES is generated by the first core network device according to the response RES and the random number RAND. Therefore, the first core network device may compare the hash response HRES with the hash expected response HXRES for consistency, and authenticate the validity of the second terminal device; if the comparison is consistent, the authentication is passed, that is, it can be understood that the authentication of the first core network device to the second terminal device is successful, then step 212 is executed. It should be understood that step 209 indicates that the authentication of the second terminal device by the AUSF network element is successful, and step 211 is used for the authentication of the second terminal device by the first core network device. In this embodiment, when the authentication of the second terminal device is successful by both the AUSF network element and the first core network device under the condition that the authentication of the first core network device is performed, it indicates that the authentication of the second terminal device by the network is successful.
It should be noted that, if the hash response HRES is not consistent with the hash expected response HXRES, the authentication is not passed, that is, it can be understood that the authentication of the second terminal device fails, and the first core network device does not perform step 212. Further, the first core network device may feed back, to the first terminal device, that the authentication of the second terminal device fails.
212. The first core network device generates a fourth key KAMF according to the third key KSEAF.
After the first core network device receives the first authentication response in step 209, the first core network device may generate the fourth key KAMF from the third key KSEAF carried in the first authentication response. The process of generating the fourth key KAMF is similar to the existing KAMF generation process; for details, refer to the description of the existing related communication protocol, which is not described here again.
Specifically, the first core network device may generate the fourth key KAMF from the third key KSEAF and the anti-bidding-down between architectures (ABBA) parameter. The process of generating the fourth key KAMF is similar to the existing KAMF generation process; for details, refer to the description of the existing related communication protocol, which is not described here again.
The following describes the manners in which the first core network device acquires the ABBA:
Mode 1: the ABBA is acquired by the first core network device from other devices in the core network, that is, the ABBA is generated or provided by the core network.
Mode 2: the ABBA is transmitted from the first terminal device to the first core network device, and is generated or provided by the second terminal device. In this manner, the first terminal device acquires the ABBA in step 201 of the above-described embodiment shown in fig. 2, and the first message carries the ABBA in step 202 of the above-described embodiment shown in fig. 2.
It should be noted that, when the SEAF network element and the AMF network element are deployed together, the first core network device only needs to execute step 212; when the SEAF network element and the AMF network element are separately deployed, the first core network device is the SEAF network element, and the SEAF network element generates the fourth key KAMF and then sends the fourth key KAMF to the AMF network element.
Optionally, the AMF network element generates the first key KgNB from the fourth key KAMF and the key set identifier ngKSI. The process is similar to the existing generation process of the first key KgNB; for details, refer to the description of the existing related communication protocol, which is not described here again. The first key KgNB is used for calculating a key for encrypting data of the second terminal device.
Optionally, this embodiment further includes step 213.
213. The first core network device sends the authentication result of the second terminal device to the first terminal device.
Optionally, after the authentication of the second terminal device is successful or failed in step 206, the first core network device may feed back the authentication result of the second terminal device to the first terminal device after receiving the authentication response.
In this embodiment of the present application, a first core network device receives a first message sent by a first terminal device, where the first message carries an identifier of a second terminal device, a random number RAND, and a response RES, and the random number RAND and the response RES are generated or provided by the second terminal device; then, the first core network device sends a first request message to the AUSF network element, where the first request message is used to request to perform authentication for the second terminal device, and the first request message carries an identifier of the second terminal device, a random number RAND, and a response RES. Therefore, in the technical solution of the embodiment of the present application, the identifier of the second terminal device and the authentication information of the second terminal device (for example, the authentication information includes the random number RAND and the response RES) are obtained by the auxiliary terminal device, and the identifier of the second terminal device and the authentication information of the second terminal device are sent to the AUSF network element, so as to implement authentication of the second terminal device by the AUSF network element. Therefore, according to the technical scheme of the embodiment of the application, the network performs authentication on the second terminal device under the condition that the second terminal device does not access the network (including the condition that the second terminal device does not have access capability or the condition that the second terminal device does not need to access the network).
Optionally, the embodiment shown in fig. 2 illustrates an implementation manner in which the AUSF network element verifies the response RES and the expected response XRES to authenticate the second terminal device. The first core network device may further implement an implementation manner of authenticating the second terminal device by verifying the hash response HRES and the hash expected response HXRES. In practical applications, the AUSF network element may not perform step 206 and step 207, and the first request message of step 203 is used for the first core network device to request the hash expected response HXRES from the AUSF network element. The first authentication response of step 209 is applied to the AUSF network element to send the hash expected response HXRES to the first core network device. Then, the first core network device executes step 210 and step 211 to implement authentication of the second terminal device, and when the first core network device determines that the hash response HRES is consistent with the hash expected response HXRES in step 211, the first core network device determines that the authentication of the second terminal device is successful; when the first core network device determines in step 211 that the hash response HRES is not consistent with the hash expected response HXRES, the first core network device determines that the authentication of the second terminal device fails.
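The fig. 2 flow as a runnable simulation, added here as an illustration and not code from the patent. It plays the second terminal device (tag), the first terminal device (proxy), the first core network device (co-deployed SEAF/AMF), the AUSF and the UDM as Python objects, and covers both the success path (steps 201 to 213 including the HRES/HXRES check and KAMF generation with an ABBA supplied by the tag, mode 2) and the failure path of step 207. Assumptions: the subscription values are constructed; HMAC-SHA-256 stands in for the MILENAGE f2 function that produces RES/XRES; HXRES/HRES and the KDF follow the public 3GPP formulas; KAUSF derivation is not described in the patent and is constructed here.

```python
import hashlib
import hmac
import os

# Constructed sample subscription (not from the patent): a positioning tag and the
# permanent root key shared between the tag and the UDM at subscription time.
TAG_UE_ID = b"imsi-460000000000001"
TAG_ROOT_KEY = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
SERVING_NETWORK_NAME = b"5G:mnc000.mcc460.3gppnetwork.org"


def response_from_root_key(root_key: bytes, rand: bytes) -> bytes:
    """RES on the tag (step 201) / XRES in the UDM (step 205). The patent only says
    both derive from the root key and RAND; a real USIM uses MILENAGE f2.
    Assumption: HMAC-SHA-256 truncated to 128 bits stands in for f2."""
    return hmac.new(root_key, b"f2" + rand, hashlib.sha256).digest()[:16]


def hashed_response(rand: bytes, res: bytes) -> bytes:
    """HXRES (step 208) and HRES (step 210). Assumption: as in 5G AKA, the 128 least
    significant bits of SHA-256(RAND || RES)."""
    return hashlib.sha256(rand + res).digest()[-16:]


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B.2): HMAC-SHA-256(key, FC||P0||L0||P1||L1...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kamf(kseaf: bytes, ue_id: bytes, abba: bytes) -> bytes:
    """Step 212: KAMF = KDF(KSEAF, FC 0x6D, SUPI, ABBA), the TS 33.501 Annex A.7 formula."""
    return kdf(kseaf, 0x6D, ue_id, abba)


class SecondTerminal:
    """Ultra-low-power tag: no RRC layer, so it never talks to the network itself."""

    def __init__(self, ue_id: bytes, root_key: bytes):
        self.ue_id, self.root_key = ue_id, root_key

    def authentication_info(self) -> dict:
        """Step 201: what the proxy reads from the tag (e.g. by scanning a code).
        The ABBA value is constructed and supplied by the tag (mode 2 of step 212)."""
        rand = os.urandom(16)
        return {"ue_id": self.ue_id, "rand": rand,
                "res": response_from_root_key(self.root_key, rand), "abba": b"\x00\x00"}


class Udm:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # ue_id -> root key stored at subscription

    def get_authentication_vector(self, ue_id: bytes, rand: bytes):
        """Steps 204/205: XRES from the stored root key and the tag-provided RAND."""
        k = self.subscribers.get(ue_id)
        if k is None:
            return None
        # Constructed KAUSF so the serving network gets a fresh KSEAF per run.
        kausf = hmac.new(k, b"kausf" + rand, hashlib.sha256).digest()
        return {"rand": rand, "xres": response_from_root_key(k, rand), "kausf": kausf}


class Ausf:
    def __init__(self, udm: Udm):
        self.udm = udm

    def authenticate(self, ue_id: bytes, rand: bytes, res: bytes) -> dict:
        """Steps 203 to 209: compare RES with XRES in constant time; on success return
        HXRES and KSEAF, otherwise the failure response of step 207."""
        av = self.udm.get_authentication_vector(ue_id, rand)
        if av is None or not hmac.compare_digest(av["xres"], res):
            return {"success": False}
        kseaf = kdf(av["kausf"], 0x6C, SERVING_NETWORK_NAME)  # TS 33.501 Annex A.6
        return {"success": True, "hxres": hashed_response(rand, av["xres"]), "kseaf": kseaf}


class FirstCoreNetworkDevice:
    """Co-deployed SEAF/AMF, i.e. the first core network device of fig. 2."""

    def __init__(self, ausf: Ausf):
        self.ausf = ausf
        self.kamf = {}  # ue_id -> KAMF of successfully authenticated tags

    def handle_first_message(self, msg: dict) -> str:
        """Step 202 onwards: authenticate the tag on behalf of the proxy and return the
        result that step 213 reports back to the first terminal device."""
        resp = self.ausf.authenticate(msg["ue_id"], msg["rand"], msg["res"])
        if not resp["success"]:
            return "failure"
        hres = hashed_response(msg["rand"], msg["res"])        # step 210
        if not hmac.compare_digest(hres, resp["hxres"]):        # step 211
            return "failure"
        self.kamf[msg["ue_id"]] = derive_kamf(resp["kseaf"], msg["ue_id"], msg["abba"])
        return "success"


def run_flow(tag_key: bytes = TAG_ROOT_KEY) -> str:
    """Full exchange: the proxy reads the tag's info (step 201) and forwards it (202).
    Passing a key other than the subscribed one exercises the failure path."""
    core = FirstCoreNetworkDevice(Ausf(Udm({TAG_UE_ID: TAG_ROOT_KEY})))
    tag = SecondTerminal(TAG_UE_ID, tag_key)
    return core.handle_first_message(tag.authentication_info())
```

Note that, exactly like the flow in the text, the network accepts whatever RAND the tag supplies; any per-tag freshness tracking would be a deployment-side addition the patent does not describe.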
Referring to fig. 3, fig. 3 is a schematic diagram of another embodiment of a communication method according to an embodiment of the present application. In fig. 3, the method comprises:
301. The AMF network element sends a location service request to the LMF network element.
The location service request is used to request that the second terminal device be located, and the location service request carries the identifier of the second terminal device, the first key KgNB, and an encryption algorithm.
Optionally, the location service request further carries at least one of the following:
an integrity algorithm, a key set identifier ngKSI, or the anti-bidding-down between architectures parameter ABBA.
Specifically, please refer to the related functional description in step 201 in the embodiment shown in fig. 2 for functional description of the parameters carried in the location service request, which is not described herein again.
Before step 301, the AMF network element generates the first key KgNB. For details, refer to step 212, where the first core network device generates the first key KgNB; the description is omitted here for brevity.
It should be noted that the ciphering algorithm, the integrity algorithm, the key set identifier ngKSI, and the anti-bidding-down between architectures parameter ABBA may be determined by the core network; in that case the AMF network element obtains them from other core network devices. Alternatively, they may be determined by the second terminal device; in that case the first message in step 202 above carries the ciphering algorithm, the integrity algorithm, the key set identifier ngKSI, and ABBA. When the SEAF network element and the AMF network element are co-deployed, the AMF network element is the first core network device of the embodiment shown in fig. 2, and the AMF network element obtains the ciphering algorithm, the integrity algorithm, the key set identifier ngKSI, and ABBA from the first message. When the SEAF network element and the AMF network element are separately deployed, that is, when the first core network device in the embodiment shown in fig. 2 is the SEAF network element, the AMF network element first receives the first message sent by the first terminal device, where the first message carries the ciphering algorithm, the integrity algorithm, the key set identifier ngKSI, and ABBA. The AMF network element obtains these parameters from the first message and then forwards the first message to the SEAF network element.
In this embodiment, the embodiment shown in fig. 3 may be executed based on the successful authentication of the second terminal device in the embodiment shown in fig. 2. The AMF network element obtains the authentication information of the second terminal device through the first message in step 202 in the embodiment shown in fig. 2. That is, in the embodiment of the present application, the second terminal device determines an encryption algorithm and an integrity algorithm for data exchanged between the second terminal device and the radio access network device.
It should be noted that, when the SEAF network element and the AMF network element are separately deployed, that is, the first core network device in the embodiment shown in fig. 2 is the SEAF network element, the AMF network element receives the identifier, the encryption algorithm, and the like of the second terminal device, and then the AMF network element sends the identifier, the encryption algorithm, and the like of the second terminal device to the SEAF network element. When the SEAF network element and the AMF network element are deployed together, and collectively referred to as an AMF network element, the first core network device is referred to as an AMF network element, and the AMF network element may obtain the identifier, the encryption algorithm, and the like of the second terminal device through the first message in the embodiment shown in fig. 2.
302. The LMF network element sends a measurement request (measurement request) message to the radio access network equipment.
The measurement request message carries the first key KgNB and an encryption algorithm.
Optionally, the measurement request message further carries at least one of the following:
an integrity algorithm, or a key set identifier ngKSI.
Specifically, the LMF network element requests the radio access network device to measure the positioning measurement quantity of the second terminal device through the measurement request message, and the measurement request message carries the encryption algorithm and the first key KgNB. For example, the radio access network device is a gNB shown in fig. 1B, and the LMF network element sends the measurement request message to the gNB through the AMF network element.
It should be noted that the LMF network element may also send the first key KgNB and the encryption algorithm to the radio access network device through other messages; the present application is not limited in this respect.
In this embodiment, when the LMF network element locates the second terminal device, the LMF network element selects one or more radio access network devices, which perform positioning measurement on the second terminal device. For ease of description, this embodiment only takes the case in which the LMF network element selects one radio access network device to perform positioning measurement on the second terminal device as an example; this is not a limitation on the technical solution of the embodiment of the present application.
303. The radio access network device generates a second key based on the first key KgNB.
The second key is used by the radio access network device to decrypt the data sent by the second terminal device.
Optionally, the radio access network device generates the second key from the first key KgNB and the key set identifier ngKSI. The second key is calculated in a way similar to the existing process of calculating a ciphering key for encrypting data of a terminal device; refer to the description in the existing communication protocols, which is not repeated here.
304. The second terminal device sends the data and the reference signal of the second terminal device to the radio access network device.
The data of the second terminal device comprises at least one of: the identifier of the second terminal device, or the battery level (electrical quantity) of the second terminal device. The reference signal is an SRS.
305. The radio access network device decrypts the data of the second terminal device according to the second key and the encryption algorithm.
Specifically, when the second terminal device sends its data, the data is encrypted with the second key and the encryption algorithm. Therefore, the radio access network device can decrypt the data of the second terminal device with the second key and the encryption algorithm to obtain the decrypted data. For example, from the identifier of the second terminal device, the radio access network device can determine that the SRS was transmitted by the second terminal device, and measure the SRS to obtain the positioning measurement quantity of the second terminal device.
The second terminal device generates the second key based on the first key KgNB. The process by which the second terminal device generates the first key KgNB is similar to the process by which the AMF network element generates the first key KgNB, as described above in step 212 of the embodiment shown in fig. 2. The parameters the second terminal device uses to generate the first key KgNB (the anti-bidding-down between architectures parameter ABBA and the key set identifier ngKSI) may be determined by the second terminal device or by the core network. If they are determined by the core network, the measurement request message in step 302 further includes ABBA and the key set identifier ngKSI, and the radio access network device then broadcasts ABBA and the key set identifier ngKSI so that the second terminal device receives them.
Optionally, the embodiment shown in fig. 3 further includes step 305a and step 305b.
Step 305a: The second terminal device generates an integrity key based on the first key KgNB.
Specifically, when the measurement request message also carries an integrity algorithm, the second terminal device generates an integrity key from the first key KgNB. Before step 305a, the second terminal device generates the first key KgNB; the process is similar to the process by which the AMF network element generates the first key KgNB, as described above in step 212 of the embodiment shown in fig. 2.
Optionally, the second terminal device calculates the integrity key from the first key KgNB and the key set identifier ngKSI. The calculation is similar to the existing integrity key calculation; refer to the related description of the existing communication protocols, which is not repeated here.
Step 305b: The second terminal device performs integrity verification on the data of the second terminal device according to the integrity key and the integrity algorithm.
306. The radio access network device sends a measurement response (measurement response) message to the LMF network element.
Wherein the measurement response message carries the positioning measurement quantity of the second terminal device.
Specifically, the LMF network element performs positioning calculation on the position of the second terminal device through the positioning measurement quantity of the second terminal device.
307. The LMF network element sends a location service response to the AMF network element.
Specifically, in the process of positioning the second terminal device, the LMF network element selects one or more radio access network devices to perform positioning measurement on the second terminal device, and receives the positioning measurement quantity of the second terminal device sent by the one or more radio access network devices; and then, the LMF positions the second terminal equipment according to the positioning measurement quantity of the second terminal equipment and a positioning algorithm to obtain a positioning result. And then, the LMF network element feeds back the positioning result of the second terminal equipment to the AMF network element through the positioning service response.
In the embodiment of the application, the AMF network element sends a location service request to the LMF network element, where the location service request carries an encryption algorithm and the first key KgNB; the LMF network element then sends a measurement request message to the radio access network device, where the measurement request message carries the encryption algorithm and the first key KgNB. The radio access network device can thus calculate a second key from the first key KgNB, decrypt the data of the second terminal device with the second key and the encryption algorithm, and measure the SRS sent by the second terminal device, so as to obtain the positioning measurement quantity of the second terminal device and allow the LMF network element to locate the second terminal device. Therefore, because the auxiliary terminal device reports the encryption algorithm, the integrity algorithm and the like determined by the second terminal device, the encrypted data sent by the second terminal device can be successfully received by the radio access network device. And, under this encrypted transmission mechanism, the security of the air interface signalling exchanged between the second terminal device and the radio access network device is ensured.
The embodiment shown in fig. 3 illustrates how, during the positioning procedure that the AMF network element runs for the second terminal device, the radio access network device is informed of the ciphering algorithm and the integrity algorithm determined by the second terminal device. In practical application, the AMF network element may also send the identifier, the encryption algorithm, the integrity algorithm, and the like of the second terminal device directly to the radio access network device; this application does not limit the specific approach.
Referring to fig. 4, fig. 4 is a schematic diagram of another embodiment of a communication method according to an embodiment of the present application. In fig. 4, the method includes:
401. The radio access network device sends the second message.
The second message carries a public key, the public key is used for calculating a second key, and the second key is used for the wireless access network equipment to decrypt the data of the second terminal equipment.
Optionally, the second message further carries at least one of the following:
the key set identifies ngKSI, ciphering algorithm, integrity algorithm. For the functional description of the key set identifier ngKSI, the ciphering algorithm and the integrity algorithm, please refer to the related description of step 201 in the embodiment shown in fig. 2, except that the key set identifier ngKSI, the ciphering algorithm and the integrity algorithm in this embodiment are determined by the access network, or determined by the core network and then sent to the access network.
In this embodiment, the embodiment shown in fig. 4 may be executed based on the successful authentication of the second terminal device in the embodiment shown in fig. 2.
In this embodiment, the second message is a broadcast message or a multicast message. For example, the radio access network device may broadcast the public key, the encryption algorithm, the integrity algorithm, and the like through a broadcast message when configuring the SRS for the second terminal device.
For the core network-dependent case, two possible implementations are shown below.
Implementation mode 1: the public key is sent by the AMF network element to the radio access network device.
Optionally, the AMF network element further sends at least one of the following information to the radio access network device:
the key set identifies ngKSI, ciphering algorithm, integrity algorithm.
Implementation mode 2: and sending a measurement request message to the wireless access network equipment by the LMF network element, wherein the measurement request message carries the public key. In this implementation 2, the embodiment shown in fig. 4 further includes step 401a and step 401 b.
Step 401 a: and the AMF network element sends a positioning service request to the LMF network element.
Wherein the location service request carries the public key.
Optionally, the location service request further carries at least one of the following:
ciphering algorithm, integrity algorithm, key set identification ngKSI.
In this implementation, the public key, the ciphering algorithm, the integrity algorithm, and the key set identifier ngKSI are determined by the AMF network element in the core network and are notified to the radio access network device in the location positioning process of the second terminal device. The radio access network device may then calculate a second key from the public key to decrypt the data of the second terminal device with the second key and the encryption algorithm.
Step 401 b: and the LMF network element sends a measurement request message to the radio access network equipment.
Wherein the measurement request message carries the public key.
Optionally, the measurement request message further carries at least one of the following:
a ciphering algorithm, an integrity algorithm, or a key set identifier ngKSI.
Specifically, the LMF network element requests the radio access network device to measure the positioning measurement quantity of the second terminal device through the measurement request message, and the measurement request message carries the public key, the encryption algorithm, the integrity algorithm, and the like. For example, the radio access network device is a gNB shown in fig. 1B, and the LMF network element sends the measurement request message to the gNB through the AMF network element.
It should be noted that the ciphering algorithm and/or the integrity algorithm may be pre-agreed by the communication protocol, or pre-configured in the second terminal device and the radio access network device, so that the ciphering algorithm and/or the integrity algorithm may not be carried in the second message sent by the radio access network device.
402. The second terminal device generates a second key from the public key.
The second key is used by the second terminal device to encrypt the data of the second terminal device.
Optionally, the second terminal device calculates the second key from the first key KgNB and the public key, or from the first key KgNB, the public key, and the key set identifier ngKSI. The first key KgNB may be sent by the AMF network element to the first terminal device.
Specifically, the second terminal device encrypts its data with the second key and the encryption algorithm. For example, the second terminal device may generate the second key and encrypt its data using the elliptic curve integrated encryption scheme (ECIES); for the specific process, refer to the related description of the existing communication protocols, which is not repeated here.
In a possible implementation manner, the embodiment shown in fig. 4 further includes step 403.
403. The second terminal device generates an integrity key from the public key.
Specifically, when the second message also carries an integrity algorithm, the second terminal device generates an integrity key according to the public key. The integrity key is used for the second terminal device to perform integrity protection on the data of the second terminal device according to the integrity algorithm.
Optionally, the second terminal device calculates the integrity key from the first key KgNB and the public key.
In step 401, the encryption algorithm issued by the radio access network device is used by the second terminal device to encrypt the data of the second terminal device through the second key. In step 401, the integrity algorithm issued by the radio access network device is used for the second terminal device to perform integrity protection on the data of the second terminal device through the integrity key.
In the embodiment shown in fig. 4, the radio access network device sends the public key, the encryption algorithm, the integrity algorithm, and the like to the second terminal device in a broadcast or multicast manner. On the basis of the embodiment shown in fig. 4, the location of the second terminal device can be implemented through an existing location procedure. During the position location process of the second terminal device, the radio access network device may implement decryption of the data of the second terminal device through the second key and the encryption algorithm, and integrity verification of the data of the second terminal device through the integrity key and the integrity algorithm. Optionally, the radio access network device may implement decryption of the data of the second terminal device through the ECIES, and for a specific decryption process, please refer to related descriptions of the existing related communication protocol, which is not described herein again.
In the embodiment of the application, the wireless access network equipment sends a second message, and the second message carries a public key; the second terminal device then generates the second key from the public key. In this way, the second terminal device may encrypt the data of the second terminal device by using the second key, and the radio access network device may decrypt the data of the second terminal device by using the second key, so as to ensure the security of the air interface signaling exchanged between the second terminal device and the radio access network device. For example, in the process of positioning the location of the second terminal device, the radio access network device decrypts the data of the second terminal device (for example, the identifier of the second terminal device) sent by the second terminal device, and measures the SRS sent by the second terminal device, so as to measure the positioning measurement quantity of the second terminal device, so that the LMF network element can position the location of the second terminal device. Therefore, the radio access network device broadcasts the public key, the encryption algorithm, the integrity algorithm and the like determined by the radio access network device or the core network to realize that the second terminal device encrypts the data of the second terminal device through the second key, so that the radio access network device can successfully receive the encrypted data of the second terminal device. And, under the encryption transmission mechanism, the safety of the air interface signaling interacted between the second terminal equipment and the wireless access network equipment is ensured.
The following describes a communication apparatus provided in an embodiment of the present application. Referring to fig. 5, fig. 5 is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication apparatus may be configured to perform the steps performed by the first core network device in the embodiment shown in fig. 2, and refer to the related description in the foregoing method embodiment.
The communication device includes a transceiver module 501. Optionally, the communication device further comprises a processing module 502.
The transceiver module 501 is configured to receive a first message sent by a first terminal device, where the first message carries an identifier of a second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device; sending a first request message to an AUSF network element, wherein the first request message is used for requesting to execute authentication for second terminal equipment, and the first request message carries an identifier of the second terminal equipment, the random number RAND and a response RES; and receiving a first authentication response sent by the AUSF network element, wherein the first authentication response is used for indicating that the authentication of the second terminal equipment is successful.
In one possible implementation, the first message further includes at least one of: a key set identifier ngKSI, the anti-bidding-down between architectures parameter ABBA, an encryption algorithm, or an integrity algorithm; the encryption algorithm is the algorithm used to encrypt and protect the data of the second terminal device, and the integrity algorithm is the algorithm used for integrity protection of the data of the second terminal device.
In another possible implementation, the first authentication response carries a third key KSEAF.
The processing module 502 is configured to generate a fourth key KAMF from the third key KSEAF.
In another possible implementation, the first authentication response further carries a hash expected response (HXRES); the processing module 502 is specifically configured to:
calculating a hash response HRES according to the response RES and the random number RAND; verifying the HRES against the HXRES; and, when the verification passes, generating a fourth key KAMF according to the third key KSEAF.
In another possible implementation manner, the transceiver module 501 is further configured to:
and sending the authentication result of the second terminal equipment to the first terminal equipment.
In another possible implementation manner, the transceiver module 501 is further configured to:
sending a location service request to an LMF network element, where the location service request carries the identifier of the second terminal device, the encryption algorithm, and the first key KgNB; and receiving a location service response sent by the LMF network element, where the location service response carries the positioning result of the second terminal device.
In another possible implementation, the location service request further carries at least one of the following: the integrity algorithm, or the key set identifier ngKSI.
In this embodiment of the present application, a transceiver module 501 receives a first message sent by a first terminal device, where the first message carries an identifier of a second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device; the transceiver module 501 sends a first request message to the AUSF network element, where the first request message is used to request to perform authentication for the second terminal device, and the first request message carries an identifier of the second terminal device, the random number RAND, and a response RES; the transceiver module 501 receives a first authentication response sent by the AUSF network element, where the first authentication response is used to indicate that the authentication of the second terminal device is successful, so as to implement the authentication of the second terminal device by the network under the condition that the second terminal device does not access the network (including the condition that the second terminal device does not have access capability or the condition that the second terminal device does not need to access the network).
The first terminal device provided in the embodiment of the present application is described below. Referring to fig. 6, fig. 6 is a schematic structural diagram of a first terminal device according to an embodiment of the present application. The first terminal device may be configured to perform the steps performed by the first terminal device in the embodiment shown in fig. 2, and reference may be made to the relevant description in the foregoing method embodiment.
The first terminal device comprises a processing module 601 and a transceiver module 602.
A processing module 601, configured to obtain an identifier of a second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device;
a transceiver module 602, configured to send a first message to a first core network device, where the first message carries an identifier of a second terminal device, a random number RAND, and a response RES.
In one possible implementation, the first message further includes at least one of: a key set identifier ngKSI, the anti-bidding-down between architectures parameter ABBA, an encryption algorithm, or an integrity algorithm.
In another possible implementation manner, the transceiver module 602 is further configured to:
and receiving the authentication result of the second terminal equipment sent by the first core network equipment.
In this embodiment, the processing module 601 obtains an identifier of the second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device; the transceiver module 602 sends a first message to the first core network device, where the first message carries the identifier of the second terminal device, the random number RAND, and the response RES. So as to realize the authentication of the second terminal equipment by the network. Therefore, the authentication of the second terminal equipment by the network is realized under the condition that the second terminal equipment does not access the network (including the condition that the second terminal equipment does not have the access capability or the condition that the second terminal equipment does not need to access the network).
The following describes a communication apparatus provided in an embodiment of the present application. Referring to fig. 7, fig. 7 is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication apparatus may be configured to perform the steps performed by the AUSF network element in the embodiment shown in fig. 2, and refer to the relevant description in the foregoing method embodiment.
The communication device includes a transceiver module 701 and a processing module 702.
The transceiver module 701 is configured to receive a first request message sent by a first core network device, where the first request message carries an identifier of a second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device;
the processing module 702 is configured to send a second request message to the UDM network element, where the second request message is used to request an authentication parameter of a second terminal device, and the second request message carries an identifier of the second terminal device and a random number RAND;
the transceiver module 701 is further configured to receive an authentication parameter sent by the UDM network element, where the authentication parameter includes an expected response XRES, and the expected response XRES is generated by the UDM network element according to the random number RAND;
the processing module 702 is further configured to verify the response RES and the expected response XRES;
the transceiver module 701 is further configured to send a first authentication response to the first core network device when the authentication is passed, where the first authentication response is used to indicate that the authentication of the second terminal device is successful.
In a possible implementation manner, the processing module 702 is further configured to:
generating a hashed expected response HXRES from the expected response XRES and the random number RAND;
the transceiver module 701 is specifically configured to:
and sending the first authentication response to the first core network device, wherein the first authentication response carries the hash expected response HXRES.
In this embodiment of the present application, the transceiver module 701 receives a first request message sent by a first core network device, where the first request message carries an identifier of a second terminal device, a random number RAND, and a response RES, and the random number RAND and the response RES are generated by the second terminal device; the processing module 702 sends a second request message to the UDM network element, where the second request message is used to request an authentication parameter of the second terminal device, and the second request message carries the identifier of the second terminal device and the random number RAND; the transceiver module 701 receives the authentication parameter sent by the UDM network element, where the authentication parameter includes an expected response XRES, and the expected response XRES is generated by the UDM network element according to the random number RAND; the processing module 702 verifies the response RES against the expected response XRES; when the verification passes, the transceiver module 701 sends a first authentication response to the first core network device, where the first authentication response is used to indicate that the authentication of the second terminal device is successful. Therefore, the network authenticates the second terminal device even though the second terminal device does not access the network (including the case in which the second terminal device has no access capability and the case in which the second terminal device does not need to access the network).
The following describes a communication apparatus provided in an embodiment of the present application. Referring to fig. 8, fig. 8 is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication device may be configured to perform the steps performed by the radio access network apparatus in the embodiment shown in fig. 3, and reference may be made to the relevant description in the foregoing method embodiment.
The communication device comprises a transceiver module 801 and a processing module 802.
A transceiver module 801, configured to receive a measurement request message sent by an LMF network element, where the measurement request message carries an encryption algorithm and a first key KgNB;
a processing module 802, configured to calculate a second key according to the first key KgNB, and to decrypt the data of the second terminal device according to the second key and the encryption algorithm;
the transceiver module 801 is further configured to send a measurement response message to the LMF network element, where the measurement response message carries the positioning measurement quantity of the second terminal device.
In a possible implementation manner, the measurement request message further carries at least one of the following: integrity algorithm, or, key set identification ngKSI; wherein, the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In another possible implementation manner, the processing module 802 is further configured to:
calculate an integrity key according to the first key KgNB;
perform integrity verification on the data of the second terminal device according to the integrity key and the integrity algorithm.
In the embodiment of the present application, the transceiver module 801 receives a measurement request message sent by an LMF network element, where the measurement request message carries an encryption algorithm and a first key KgNB; the processing module 802 calculates a second key according to the first key KgNB and decrypts the data of the second terminal device according to the second key and the encryption algorithm. The encrypted data sent by the second terminal device can therefore be received and recovered by the communication apparatus, and under this encrypted transmission mechanism the security of the air interface signaling exchanged between the second terminal device and the communication apparatus is ensured.
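The key derivation and verification at the radio access network described for fig. 8, as an added Python example that is not part of the patent. It assumes that the "second key" and the integrity key are derived from KgNB the way KRRCenc and KRRCint are in 3GPP TS 33.501 Annex A.8 (FC 0x69, algorithm type distinguisher, algorithm identity, low 128 bits), that the second terminal device holds the same KgNB and algorithm identifiers, and that PDCP ordering applies (MAC-I over the plaintext, then data and MAC-I ciphered). HMAC-SHA256 stands in for the NEA/NIA algorithms, which the Python standard library does not provide; the ngKSI, COUNT values and positioning data are constructed.

```python
"""Access-stratum keys at the radio access network from the KgNB in the LMF's
measurement request, then integrity check and decryption of the second terminal's
data.  Added example, not the patent's own code.  Assumptions: keys derived as
KRRCenc/KRRCint (TS 33.501 A.8); PDCP ordering (MAC-I on plaintext, then ciphering);
HMAC-SHA256 stand-ins for NEA2/NIA2; all inputs constructed.
"""
import hashlib
import hmac
from typing import Optional

FC_ALG_KEY = 0x69
RRC_ENC_ALG, RRC_INT_ALG = 0x03, 0x04   # algorithm type distinguishers (TS 33.501 A.8)
NEA2, NIA2 = 0x02, 0x02                 # algorithm identities carried in the request


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 B.2 KDF: HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def as_keys(kgnb: bytes, enc_alg: int, int_alg: int):
    """Second key (ciphering) and integrity key from KgNB: 128 LSBs of the KDF output."""
    k_enc = kdf(kgnb, FC_ALG_KEY, bytes([RRC_ENC_ALG]), bytes([enc_alg]))[16:]
    k_int = kdf(kgnb, FC_ALG_KEY, bytes([RRC_INT_ALG]), bytes([int_alg]))[16:]
    return k_enc, k_int


def keystream(k_enc: bytes, count: int, length: int) -> bytes:
    """Stand-in stream cipher keyed by k_enc and the PDCP COUNT (not NEA2)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, count.to_bytes(4, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def mac_i(k_int: bytes, count: int, data: bytes) -> bytes:
    """Stand-in 32-bit MAC-I bound to COUNT (not NIA2)."""
    return hmac.new(k_int, count.to_bytes(4, "big") + data, hashlib.sha256).digest()[:4]


def protect(k_enc: bytes, k_int: bytes, count: int, plaintext: bytes) -> bytes:
    """Second terminal side: MAC-I over the plaintext, then cipher data || MAC-I."""
    body = plaintext + mac_i(k_int, count, plaintext)
    return bytes(a ^ b for a, b in zip(body, keystream(k_enc, count, len(body))))


def unprotect(k_enc: bytes, k_int: bytes, count: int, pdu: bytes) -> Optional[bytes]:
    """RAN side: decipher, then verify MAC-I; None means the data must be discarded."""
    body = bytes(a ^ b for a, b in zip(pdu, keystream(k_enc, count, len(pdu))))
    data, tag = body[:-4], body[-4:]
    if not hmac.compare_digest(tag, mac_i(k_int, count, data)):
        return None
    return data


class RadioAccessNetwork:
    """Keeps one AS security context per ngKSI received from the LMF."""
    def __init__(self):
        self.contexts = {}

    def handle_measurement_request(self, ngksi: int, kgnb: bytes, enc_alg: int, int_alg: int):
        self.contexts[ngksi] = as_keys(kgnb, enc_alg, int_alg)

    def receive(self, ngksi: int, count: int, pdu: bytes) -> Optional[bytes]:
        k_enc, k_int = self.contexts[ngksi]
        return unprotect(k_enc, k_int, count, pdu)


def run():
    """Returns (recovered data, result for a tampered PDU) on constructed inputs."""
    kgnb = hashlib.sha256(b"constructed KgNB for the example").digest()
    ran = RadioAccessNetwork()
    ran.handle_measurement_request(ngksi=1, kgnb=kgnb, enc_alg=NEA2, int_alg=NIA2)
    # The second terminal derives the same keys from the same KgNB and identifiers.
    k_enc, k_int = as_keys(kgnb, NEA2, NIA2)
    data = b"PRS measurement: RSTD=-312ns TRP=17"   # constructed positioning data
    pdu = protect(k_enc, k_int, count=7, plaintext=data)
    tampered = bytes([pdu[0] ^ 0x80]) + pdu[1:]
    return ran.receive(1, 7, pdu), ran.receive(1, 7, tampered)


if __name__ == "__main__":
    good, bad = run()
    print("recovered:", good)
    print("tampered PDU ->", bad)
```

Because the ciphering key and the integrity key are bound to the algorithm identifiers in the KDF input, a change of algorithm on either side yields different keys and the MAC-I check fails; binding the MAC-I to COUNT likewise rejects a PDU replayed under a different COUNT.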
The following describes a communication apparatus provided in an embodiment of the present application. Referring to fig. 9, fig. 9 is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication apparatus may be configured to perform the steps performed by the LMF network element in the embodiment shown in fig. 3, and refer to the relevant description in the foregoing method embodiment.
The communication device includes a transceiver module 901 and a processing module 902.
A transceiver module 901, configured to receive a location service request sent by a first core network device, where the location service request carries an identifier of the second terminal device, a first key KgNB and an encryption algorithm; send a measurement request message to a radio access network device, where the measurement request message carries the encryption algorithm and the first key KgNB, and the encryption algorithm is the algorithm used by the second terminal device to encrypt its data; and receive a measurement response message sent by the radio access network device, where the measurement response message carries the positioning measurement quantity of the second terminal device;
the processing module 902 is configured to position the second terminal device according to the positioning measurement quantity carried in the measurement response message, so as to obtain a positioning result of the second terminal device;
the transceiver module 901 is further configured to send a location service response to the first core network device, where the location service response carries the positioning result of the second terminal device.
In one possible implementation, the location service request further carries at least one of the following: integrity algorithm, or key set identification ngKSI; the measurement request message also carries at least one of: the integrity algorithm, or alternatively, the key set identification ngKSI; wherein, the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In this embodiment, in the process of positioning the second terminal device, the transceiver module 901 sends the first key KgNB and the encryption algorithm to the radio access network device, so that the second terminal device and the radio access network device agree on the encryption algorithm and the key, which ensures the security of the signaling exchanged between them. Further, the transceiver module 901 receives a measurement response message sent by the radio access network device, where the measurement response message carries the positioning measurement quantity of the second terminal device; the processing module 902 then positions the second terminal device according to the positioning measurement quantity to obtain a positioning result, and sends a positioning service response to the first core network device through the transceiver module 901, where the positioning service response carries the positioning result of the second terminal device, thereby implementing the positioning of the second terminal device.
The following describes a communication apparatus provided in an embodiment of the present application. Referring to fig. 10, fig. 10 is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication device may be configured to perform the steps performed by the radio access network apparatus in the embodiment shown in fig. 4, and reference may be made to the relevant description in the foregoing method embodiment.
The communication device includes a transceiver module 1001.
The transceiving module 1001 is configured to send a second message, where the second message carries a public key, where the public key is used to calculate a second key, and the second key is used for the communication apparatus to decrypt data of the second terminal device.
In one possible implementation, the second message further carries at least one of the following: the key set identification ngKSI, encryption algorithm, or integrity algorithm; the encryption algorithm is an algorithm for encrypting and protecting data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In another possible implementation manner, the transceiver module 1001 is further configured to:
receiving at least one of the following information sent by the AMF network element: a public key, a cryptographic algorithm, a key set identification ngKSI, or, an integrity algorithm.
In another possible implementation manner, the transceiver module 1001 is further configured to:
receiving a measurement request message sent by an LMF network element, wherein the measurement request message carries at least one of the following items: a public key, a cryptographic algorithm, a key set identification ngKSI, or, an integrity algorithm.
In this embodiment, the transceiver module 1001 sends a second message, where the second message carries a public key, the public key is used to calculate a second key, and the second key is used for the communication apparatus to decrypt data of the second terminal device. In this way, the second terminal device may encrypt the data of the second terminal device by using the second key, and the communication apparatus may decrypt the data of the second terminal device by using the second key, so as to ensure the security of the air interface signaling exchanged between the second terminal device and the communication apparatus.
The second terminal device provided in the embodiment of the present application is described below. Referring to fig. 11, fig. 11 is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication apparatus may be configured to perform the steps performed by the second terminal device in the embodiment shown in fig. 4, and refer to the related description in the foregoing method embodiment.
The communication device comprises a transceiver module 1101 and a processing module 1102.
A transceiver module 1101, configured to receive a second message of the radio access network device, where the second message carries a public key;
a processing module 1102, configured to calculate a second key according to the public key, where the second key is used by the second terminal device to encrypt data of the second terminal device.
In one possible implementation, the second message further carries at least one of the following: the key set identification ngKSI, encryption algorithm, or integrity algorithm; the encryption algorithm is an algorithm for encrypting and protecting data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In another possible implementation manner, the processing module 1102 is configured to calculate an integrity key according to the public key, where the integrity key is used by the second terminal device to perform integrity protection on data of the second terminal device through an integrity algorithm.
In another possible implementation manner, the processing module 1102 is further configured to:
calculating an integrity key according to the public key, where the integrity key is used by the second terminal device to perform integrity protection on its data through the integrity algorithm.
In this embodiment of the present application, the transceiver module 1101 receives a second message of the radio access network device, where the second message carries a public key; the processing module 1102 calculates a second key according to the public key, where the second key is used for the second terminal device to encrypt data of the second terminal device. The second terminal device may encrypt the data of the second terminal device by using the second key, and the radio access network device may decrypt the data of the second terminal device by using the second key, so as to ensure the security of an air interface signaling interacted between the second terminal device and the radio access network device.
The following describes a communication apparatus provided in an embodiment of the present application. Referring to fig. 12, fig. 12 is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication device includes a transceiver module 1201.
A transceiver module 1201, configured to receive a location service request sent by an AMF network element, where the location service request carries an identifier of a second terminal device and a public key, the public key is used to calculate a second key, and the second key is used for the second terminal device to encrypt data of the second terminal device; and sending a measurement request message to the wireless access network equipment, wherein the measurement request message carries the public key.
In one possible implementation, the location service request further carries at least one of the following: a ciphering algorithm, an integrity algorithm, or, a key set identification ngKSI; the measurement request message also carries at least one of: the ciphering algorithm, the integrity algorithm, or the key set identification ngKSI; the encryption algorithm is an algorithm for encrypting and protecting the data of the second terminal device, and the integrity algorithm is an algorithm for integrity protection of the data of the second terminal device.
In this embodiment, the core network determines the public key, and in the positioning process of the second terminal device, the transceiver module 1201 sends the public key to the LMF network element, so that the LMF network element sends the public key to the radio access network device, and thus the radio access network device may send the public key in a broadcast or multicast manner, so as to implement negotiation of the second terminal device and the radio access network device for the key, thereby ensuring the security of an air interface signaling interacted between the second terminal device and the radio access network device.
Referring to fig. 13, another schematic structural diagram of the communication apparatus in the embodiment of the present application is also provided, and the communication apparatus may be configured to execute the steps executed by the first core network device in the embodiment shown in fig. 2, and refer to the related description in the foregoing method embodiment.
The communication device includes: a processor 1301, a memory 1302, and a transceiver 1303.
In one possible implementation, the processor 1301, the memory 1302, and the transceiver 1303 are connected via a bus, and the memory stores computer instructions.
The processing module 502 in the foregoing embodiment may be specifically the processor 1301 in this embodiment, and therefore, detailed implementation of the processor 1301 is not described again. The transceiver module 501 in the foregoing embodiment may be specifically the transceiver 1303 in this embodiment, and therefore details of the implementation of the transceiver 1303 are not described herein.
The embodiment of the present application further provides a first terminal device, where the first terminal device may be configured to execute the action performed by the first terminal device in the foregoing method embodiment.
Fig. 14 shows a simplified schematic diagram of a terminal device. For ease of understanding and illustration, in fig. 14, the terminal device is exemplified by a mobile phone. As shown in fig. 14, the first terminal device includes a processor, a memory, a radio frequency circuit, an antenna, and an input-output device. The processor is mainly used for processing a communication protocol and communication data, controlling the first terminal device, executing a software program, processing data of the software program, and the like. The memory is used primarily for storing software programs and data. The radio frequency circuit is mainly used for converting baseband signals and radio frequency signals and processing the radio frequency signals. The antenna is mainly used for receiving and transmitting radio frequency signals in the form of electromagnetic waves. Input and output devices, such as touch screens, display screens, keyboards, etc., are used primarily for receiving data input by a user and for outputting data to the user. It should be noted that some kinds of terminal devices may not have input/output devices.
When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs baseband signals to the radio frequency circuit, and the radio frequency circuit performs radio frequency processing on the baseband signals and sends the radio frequency signals to the outside in the form of electromagnetic waves through the antenna. When data is sent to the terminal equipment, the radio frequency circuit receives radio frequency signals through the antenna, converts the radio frequency signals into baseband signals and outputs the baseband signals to the processor, and the processor converts the baseband signals into the data and processes the data. For ease of illustration, only one memory and processor are shown in FIG. 14. In an actual end device product, there may be one or more processors and one or more memories. The memory may also be referred to as a storage medium or a storage device, etc. The memory may be provided independently of the processor, or may be integrated with the processor, which is not limited in this embodiment.
In the embodiment of the present application, the antenna and the radio frequency circuit with transceiving function may be regarded as a transceiving unit of the first terminal device, and the processor with processing function may be regarded as a processing unit of the first terminal device. As shown in fig. 14, the first terminal device includes a transceiving unit 1410 and a processing unit 1420. A transceiver unit may also be referred to as a transceiver, a transceiving device, etc. A processing unit may also be referred to as a processor, a processing board, a processing module, a processing device, or the like. Alternatively, a device for implementing a receiving function in the transceiving unit 1410 may be regarded as a receiving unit, and a device for implementing a transmitting function in the transceiving unit 1410 may be regarded as a transmitting unit, that is, the transceiving unit 1410 includes a receiving unit and a transmitting unit. A transceiver unit may also sometimes be referred to as a transceiver, transceiving circuitry, or the like. A receiving unit may also be referred to as a receiver, a receiving circuit, or the like. A transmitting unit may also sometimes be referred to as a transmitter, or a transmitting circuit, etc.
It should be understood that the transceiving unit 1410 is configured to perform the transmitting operation and the receiving operation on the first terminal device side in the above method embodiments, and the processing unit 1420 is configured to perform other operations besides the transceiving operation on the first terminal device in the above method embodiments.
For example, in a possible implementation manner, in a downlink positioning scenario, the transceiving unit 1410 is configured to perform the transceiving operations on the first terminal device side in step 202 and step 213 in fig. 2, and/or the transceiving unit 1410 is further configured to perform other transceiving steps of the first terminal device in this embodiment of the present application; the processing unit 1420 is configured to execute step 201 in fig. 2, and/or the processing unit 1420 is further configured to execute other processing steps on the terminal device side in the embodiment of the present application.
When the first terminal device is a chip, the chip includes a transceiver unit and a processing unit. The transceiver unit can be an input/output circuit and a communication interface; the processing unit is a processor or a microprocessor or an integrated circuit integrated on the chip.
Referring to fig. 15, another schematic structural diagram of a communication apparatus in this embodiment of the present application is also provided, and the communication apparatus may be configured to execute the steps executed by the AUSF network element in the embodiment shown in fig. 2, and refer to the related description in the foregoing method embodiment.
The communication device includes: a processor 1501, memory 1502, and a transceiver 1503.
In one possible implementation, the processor 1501, the memory 1502 and the transceiver 1503 are connected by a bus, respectively, and the memory stores computer instructions.
The processing module 702 in the foregoing embodiment may specifically be the processor 1501 in this embodiment, and therefore, a specific implementation of the processor 1501 is not described again. The transceiver module 701 in the foregoing embodiment may specifically be the transceiver 1503 in this embodiment, and therefore details of implementation of the transceiver 1503 are not described herein.
Referring to fig. 16, another structural schematic diagram of a communication apparatus in this embodiment of the present application is provided, where the communication apparatus may be configured to perform the steps performed by the radio access network device in the embodiment shown in fig. 3, and refer to the related description in the foregoing method embodiment.
The communication device includes: a processor 1601, a memory 1602, and a transceiver 1603.
In one possible implementation, the processor 1601, the memory 1602 and the transceiver 1603 are respectively connected via a bus, and the memory stores computer instructions.
The processing module 802 in the foregoing embodiment may be the processor 1601 in this embodiment, and therefore, a detailed implementation of the processor 1601 is not described herein. The transceiver module 801 in the foregoing embodiment may specifically be the transceiver 1603 in this embodiment, and therefore detailed implementation of the transceiver 1603 is not described again.
Referring to fig. 17, another schematic structural diagram of the communication apparatus in the embodiment of the present application, the communication apparatus may be configured to perform the steps performed by the LMF network element in the embodiment shown in fig. 3, and refer to the relevant description in the foregoing method embodiment.
The communication device includes: a processor 1701, a memory 1702, and a transceiver 1703.
In one possible implementation, the processor 1701, the memory 1702 and the transceiver 1703 are each coupled via a bus, and the memory has stored therein computer instructions.
The transceiver module 901 in the foregoing embodiment may specifically be the transceiver 1703 in this embodiment, and therefore detailed implementation of the transceiver 1703 is not described again.
Referring to fig. 18, another schematic structural diagram of a communication apparatus in an embodiment of the present application, the communication apparatus may be configured to perform the steps performed by the radio access network device in the embodiment shown in fig. 4, and refer to the related description in the foregoing method embodiment.
The communication device includes: a processor 1801, a memory 1802, and a transceiver 1803.
In one possible implementation, the processor 1801, the memory 1802, and the transceiver 1803 are each coupled via a bus, and the memory has computer instructions stored therein.
The transceiver module 1001 in the foregoing embodiment may be the transceiver 1803 in this embodiment, and therefore details of implementation of the transceiver 1803 are not described herein.
The embodiment of the present application further provides a second terminal device, where the second terminal device may be configured to execute the action performed by the second terminal device in the foregoing method embodiment. The structure of the second terminal device is similar to that of the first terminal device, and specific reference may be made to the related description of the first terminal device shown in fig. 14.
Referring to fig. 19, another schematic structural diagram of a communication device in an embodiment of the present application is provided.
The communication device includes: a processor 1901, a memory 1902, and a transceiver 1903.
In one possible implementation, the processor 1901, the memory 1902, and the transceiver 1903 are each coupled via a bus, and the memory stores computer instructions.
The transceiver module 1201 in the foregoing embodiment may be specifically the transceiver 1903 in this embodiment, and therefore details of the implementation of the transceiver 1903 are not described herein.
Referring to fig. 20, an embodiment of the present application further provides a communication system, where the communication system includes the communication apparatus shown in fig. 5, the first terminal device shown in fig. 6, and the communication apparatus shown in fig. 7. The communication apparatus shown in fig. 5 is configured to execute all or part of the steps executed by the first core network device in the embodiment shown in fig. 2, the first terminal device shown in fig. 6 is configured to execute all or part of the steps executed by the first terminal device in the embodiment shown in fig. 2, and the communication apparatus shown in fig. 7 is configured to execute all or part of the steps executed by the AUSF network element in the embodiment shown in fig. 2.
Optionally, the communication system further includes a communication device shown in fig. 8 and a communication device shown in fig. 9. The communication device shown in fig. 8 is configured to perform all or part of the steps performed by the radio access network equipment in the embodiment shown in fig. 3, and the communication device shown in fig. 9 is configured to perform all or part of the steps performed by the LMF network element in the embodiment shown in fig. 3.
Referring to fig. 21, an embodiment of the present application further provides a communication system, where the communication system includes the communication apparatus shown in fig. 10 and the second terminal device shown in fig. 11. The communication apparatus shown in fig. 10 is configured to perform all or part of the steps performed by the radio access network device in the embodiment shown in fig. 4, and the second terminal device shown in fig. 11 is configured to perform all or part of the steps performed by the second terminal device in the embodiment shown in fig. 4.
Optionally, the communication system further comprises a communication device as shown in fig. 12.
Embodiments of the present application also provide a computer program product including instructions, which when run on a computer, cause the computer to perform the communication method of the embodiments as shown in fig. 2, fig. 3 and fig. 4.
Embodiments of the present application also provide a computer-readable storage medium, which includes computer instructions, when the computer instructions are executed on a computer, the computer executes the communication method of the embodiments as shown in fig. 2, fig. 3 and fig. 4.
An embodiment of the present application further provides a chip apparatus, which includes a processor, configured to connect to a memory, and call a program stored in the memory, so that the processor executes the communication method according to the embodiments shown in fig. 2, fig. 3, and fig. 4.
The processor mentioned in any above may be a general-purpose central processing unit, a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the communication method according to the embodiment shown in fig. 2, fig. 3 and fig. 4. Any of the above mentioned memories may be read-only memories (ROMs) or other types of static storage devices that may store static information and instructions, Random Access Memories (RAMs), etc.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (25)

1. A method of communication, the method comprising:
a first core network device receives a first message sent by a first terminal device, wherein the first message carries an identifier of a second terminal device, a random number RAND and a response RES, and the random number RAND and the response RES are generated by the second terminal device;
the first core network device sends a first request message to an authentication service function (AUSF) network element, where the first request message is used to request authentication of the second terminal device, and the first request message carries an identifier of the second terminal device, the random number (RAND), and the Response (RES);
and the first core network equipment receives a first authentication response sent by the AUSF network element, and the first authentication response is used for indicating that the authentication of the second terminal equipment is successful.
2. The method of claim 1, wherein the first message further comprises at least one of:
key set identifier ngKSI, anti-bidding down between architectures parameter ABBA, encryption algorithm, integrity algorithm.
3. The method according to claim 1 or 2, wherein the first authentication response carries a third key KSEAF; the method further comprises:
the first core network device generates a fourth key KAMF according to the third key KSEAF.
4. The method according to claim 3, wherein the first authentication response further carries a hashed expected response HXRES; and the generating, by the first core network device, the fourth key KAMF according to the third key KSEAF comprises:
the first core network equipment calculates a hash response HRES according to the response RES and the random number RAND;
the first core network equipment verifies the HRES and the HXRES;
when the verification is passed, the first core network equipment is according to the third key KSEAFGenerating the fourth key KAMF
5. The method according to any one of claims 1 to 4, further comprising:
and the first core network device sends the authentication result of the second terminal device to the first terminal device.
6. The method of claim 2, further comprising:
the first core network device sends a location service request to a location management function (LMF) network element, wherein the location service request carries the identifier of the second terminal device, the encryption algorithm and a first key K_gNB;
and the first core network device receives a location service response sent by the LMF network element, wherein the location service response carries a positioning result of the second terminal device.
7. The method of claim 6, wherein the location service request further carries at least one of:
the integrity algorithm, or the key set identifier ngKSI.
8. A method of communication, the method comprising:
a first terminal device acquires an identifier of a second terminal device, a random number RAND and a response RES, wherein the random number RAND and the response RES are generated by the second terminal device;
and the first terminal device sends a first message to a first core network device, wherein the first message carries the identifier of the second terminal device, the random number RAND and the response RES.
9. The method of claim 8, wherein the first message further comprises at least one of:
the key set identifier ngKSI, the anti-bidding-down between architectures parameter ABBA, an encryption algorithm, or an integrity algorithm.
10. The method according to claim 8 or 9, characterized in that the method further comprises:
and the first terminal device receives the authentication result of the second terminal device sent by the first core network device.
11. A method of communication, the method comprising:
an AUSF network element receives a first request message sent by a first core network device, wherein the first request message carries an identifier of a second terminal device, a random number RAND and a response RES, and the random number RAND and the response RES are generated by the second terminal device;
the AUSF network element sends a second request message to a unified data management (UDM) network element, wherein the second request message is used to request authentication parameters of the second terminal device, and the second request message carries the identifier of the second terminal device and the random number RAND;
the AUSF network element receives the authentication parameters sent by the UDM network element, wherein the authentication parameters comprise an expected response XRES, and the expected response XRES is generated by the UDM network element according to the random number RAND;
the AUSF network element verifies the response RES against the expected response XRES;
and when the verification passes, the AUSF network element sends a first authentication response to the first core network device, wherein the first authentication response is used to indicate that the authentication of the second terminal device is successful.
12. The method of claim 11, wherein after the AUSF network element verifies the response RES and the expected response XRES, and before the AUSF network element sends a first authentication response to the first core network device, the method further comprises:
the AUSF network element generates a hashed expected response HXRES according to the expected response XRES and the random number RAND;
and the sending, by the AUSF network element, of the first authentication response to the first core network device comprises:
the AUSF network element sends the first authentication response to the first core network device, wherein the first authentication response carries the hashed expected response HXRES.
13. A communication apparatus, characterized in that the communication apparatus comprises:
a transceiver module, configured to receive a first message sent by a first terminal device, send a first request message to an authentication service function (AUSF) network element, and receive a first authentication response sent by the AUSF network element, wherein the first message carries an identifier of a second terminal device, a random number RAND and a response RES, the random number RAND and the response RES are generated by the second terminal device, the first request message is used to request authentication of the second terminal device, the first request message carries the identifier of the second terminal device, the random number RAND and the response RES, and the first authentication response is used to indicate that the authentication of the second terminal device is successful.
14. The communications apparatus of claim 13, wherein the first message further comprises at least one of:
a key set identifier ngKSI, an anti-bidding-down between architectures parameter ABBA, an encryption algorithm, or an integrity algorithm.
15. The communication apparatus according to claim 13 or 14, wherein the first authentication response carries a third key K_SEAF; the communication apparatus further comprises a processing module;
the processing module is configured to generate a fourth key K_AMF according to the third key K_SEAF.
16. The communications device of claim 15, wherein the first authentication response further carries a hashed expected response HXRES; the processing module is specifically configured to:
calculating a hash response HRES according to the response RES and the random number RAND;
verifying the hash response HRES and the hash expected response HXRES;
when the verification passes, generating the fourth key K_AMF according to the third key K_SEAF.
17. The communications device of any of claims 13-16, wherein the transceiver module is further configured to:
and send the authentication result of the second terminal device to the first terminal device.
18. The communications apparatus of claim 14, wherein the transceiver module is further configured to:
send a location service request to a location management function (LMF) network element, wherein the location service request carries the identifier of the second terminal device, the encryption algorithm and a first key K_gNB;
and receive a location service response sent by the LMF network element, wherein the location service response carries a positioning result of the second terminal device.
19. The communications apparatus as claimed in claim 18, wherein the location service request further carries at least one of:
the integrity algorithm, or the key set identifier ngKSI.
20. A first terminal device, characterized in that the first terminal device comprises:
a processing module, configured to obtain an identifier of a second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device;
a transceiver module, configured to send a first message to a first core network device, where the first message carries an identifier of the second terminal device, the random number RAND, and the response RES.
21. The first terminal device of claim 20, wherein the first message further comprises at least one of:
the key set identifier ngKSI, the anti-bidding-down between architectures parameter ABBA, an encryption algorithm, or an integrity algorithm.
22. The first terminal device according to claim 20 or 21, wherein the transceiver module is further configured to:
and receive the authentication result of the second terminal device sent by the first core network device.
23. A communication apparatus, characterized in that the communication apparatus comprises:
a transceiver module, configured to receive a first request message sent by a first core network device, send a second request message to a unified data management UDM network element, and receive an authentication parameter sent by the UDM network element, where the first request message carries an identifier of a second terminal device, a random number RAND, and a response RES, where the random number RAND and the response RES are generated by the second terminal device; the second request message is used to request an authentication parameter of the second terminal device, where the second request message carries an identifier of the second terminal device and the random number RAND, the authentication parameter includes an expected response XRES, and the expected response XRES is generated by the UDM network element according to the random number RAND;
a processing module for verifying the response RES and the expected response XRES;
the transceiver module is further configured to send a first authentication response to the first core network device, where the first authentication response is used to indicate that the authentication of the second terminal device is successful.
24. The communications apparatus of claim 23, wherein the processing module is further configured to:
generating a hashed expected response HXRES from the expected response XRES and the random number RAND;
the transceiver module is further configured to:
and send the first authentication response to the first core network device, wherein the first authentication response carries the hashed expected response HXRES.
25. A computer readable storage medium comprising computer instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 7, or cause the computer to perform the method of any one of claims 8 to 10, or cause the computer to perform the method of claim 11 or 12.
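The relayed authentication exchange of claims 1 to 12, modelled end to end as an added Python example (not code from the patent or from Huawei): the second terminal device produces RAND and RES, the first terminal device relays them, the AUSF checks RES against the XRES obtained from the UDM, and the first core network device re-checks HRES against HXRES before deriving K_AMF from K_SEAF. HMAC-SHA256 stands in for the AKA response function and the key derivations, and the key value, identifiers, ngKSI/ABBA values and truncation lengths are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed long-term key shared by the second terminal device and the UDM
# (hypothetical value; a real network holds it in the USIM and the UDM/ARPF).
UDM_KEYS = {"second-ue": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")}

def response_function(k, rand):
    """Stand-in for the AKA response function: RES/XRES from key and RAND (assumption)."""
    return hmac.new(k, rand, hashlib.sha256).digest()[:8]

def hashed_response(rand, res):
    """HXRES/HRES: binds an (expected) response to the RAND it was computed for."""
    return hashlib.sha256(rand + res).digest()[:16]

def second_terminal(ue_id, k, rand=None):
    """Claim 8: the second terminal device generates RAND and RES itself."""
    rand = rand or os.urandom(16)
    return {"id": ue_id, "RAND": rand, "RES": response_function(k, rand)}

def first_terminal_relay(msg, ngksi=1, abba=b"\x00\x00"):
    """Claims 8-9: the first terminal device forwards id, RAND and RES with ngKSI and ABBA."""
    return {**msg, "ngKSI": ngksi, "ABBA": abba}

def udm_authentication_parameters(ue_id, rand):
    """Claim 11: the UDM derives XRES (and here K_SEAF) from the stored key and RAND."""
    k = UDM_KEYS.get(ue_id)
    if k is None:
        return None
    k_seaf = hmac.new(k, b"K_SEAF" + rand, hashlib.sha256).digest()
    return {"XRES": response_function(k, rand), "K_SEAF": k_seaf}

def ausf_authenticate(req):
    """Claims 11-12: compare RES with XRES; on success return HXRES and K_SEAF."""
    params = udm_authentication_parameters(req["id"], req["RAND"])
    if params is None or not hmac.compare_digest(req["RES"], params["XRES"]):
        return {"result": "failure"}
    return {"result": "success",
            "HXRES": hashed_response(req["RAND"], params["XRES"]),
            "K_SEAF": params["K_SEAF"]}

def core_network_authenticate(first_message, ausf=ausf_authenticate):
    """Claims 1-4: relay to the AUSF, re-check HRES against HXRES, derive K_AMF; None on failure."""
    rand, res = first_message["RAND"], first_message["RES"]
    auth = ausf({"id": first_message["id"], "RAND": rand, "RES": res})
    if auth.get("result") != "success":
        return None
    # HRES is computed locally from the RES in the first message, so a success
    # response whose HXRES does not match that RAND/RES pair is rejected here.
    if not hmac.compare_digest(hashed_response(rand, res), auth["HXRES"]):
        return None
    k_amf = hmac.new(auth["K_SEAF"], b"K_AMF" + first_message["ABBA"], hashlib.sha256).digest()
    return {"authenticated": True, "K_AMF": k_amf}
```

Passing a different `ausf` callable into `core_network_authenticate` shows what the HXRES check in claim 4 buys: a success response whose HXRES does not match the relayed RAND/RES pair is refused before any K_AMF is derived.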
CN202010693625.6A 2020-07-17 2020-07-17 Authentication method and device for terminal equipment Pending CN114025352A (en)


Publications (1)

Publication Number Publication Date
CN114025352A true CN114025352A (en) 2022-02-08

Family

ID=80054144



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination