CN114071452A - Method and device for acquiring user subscription data - Google Patents


Info

Publication number: CN114071452A
Authority: CN (China)
Prior art keywords: network, subscription data, user subscription, user, identifier
Legal status: Granted (active)
Application number: CN202010790909.7A
Other languages: Chinese (zh)
Other versions: CN114071452B (granted publication)
Inventors: 李飞, 何承东
Assignee (original and current): Huawei Technologies Co Ltd
Related application: PCT/CN2021/108022, published as WO2022028259A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W 8/183 Processing at user equipment or user record carrier
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/06 Authentication
    • H04W 60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Abstract

A method and a device for acquiring user subscription data are provided. The terminal device generates a public key pk1 and a private key sk1 and sends a registration request including pk1 to a first network; a first network element in the first network sends an authentication request for the terminal device to a second network element in a second network, the authentication request including pk1, and the second network element sends an identifier of a private network to the first network; the first network element acquires first user subscription data from a third network according to the identifier of the private network, where the first user subscription data is obtained by encrypting second user subscription data with pk1; the terminal device decrypts the first user subscription data with sk1 to obtain the second user subscription data. With this scheme, the acquisition of the user subscription data is protected, the user subscription data is prevented from being stolen, and communication security is improved; in addition, because the first network element obtains the identifier of the private network from the second network element, it can acquire the correct user subscription data from the proper PS.

Description

Method and device for acquiring user subscription data
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for acquiring user subscription data.
Background
The current fifth generation (5G) mobile communication technology proposes a new application scenario, the enhanced non-public network (eNPN). An eNPN can provide end-to-end resource isolation, give a vertical industry an exclusive access network, and ensure that client resources in that industry are shared only within it. At the same time, an eNPN can support Local Area Network (LAN) services and meet the need of enterprises, residences, schools, and similar users for reliable and stable private networks. eNPNs are further divided into completely independently deployed networks, i.e., stand-alone non-public networks (SNPN), and non-public networks integrated into a public network (PNI-NPN), e.g., a non-public network carried by a Public Land Mobile Network (PLMN).
Fig. 1 shows an architecture diagram of an eNPN network, which includes a User Equipment (UE), an online stand-alone non-public network (O-SNPN), a Default Certificate Server (DCS), a Provisioning Server (PS), and an SNPN. The eNPN includes an online service, meaning that the UE goes online through the eNPN so that the eNPN can acquire the UE's user subscription data for the SNPN from the PS and deliver it to the UE, after which the UE can access the SNPN. When an SNPN buys devices (e.g., UEs) from a manufacturer, it can use this uniform configuration procedure instead of configuring each UE one by one. Specifically, as shown in the online process of fig. 1, the UE first accesses the O-SNPN network and then connects to the PS. The PS either stores the user subscription data of the SNPN or acquires it from the SNPN, and sends it to the UE. The UE can then access the SNPN network with its new identity according to the user subscription data.
However, the SNPN network, as a private network, has a high requirement on the security of the online of the UE, so how to protect the acquisition of the user subscription data and avoid the user subscription data from being stolen is a problem to be solved.
Disclosure of Invention
The application provides a method and a device for acquiring user subscription data, which are used for protecting the acquisition of the user subscription data.
In a first aspect, a method for acquiring user subscription data is provided, including: generating a first public key and a first private key; sending a registration request to a first network, the registration request including the first public key; receiving first user subscription data, where the first user subscription data is obtained by encrypting second user subscription data with the first public key; and decrypting the first user subscription data with the first private key to obtain the second user subscription data. In this aspect, the encrypted first user subscription data returned by the third network is received and decrypted with the first private key generated by the terminal device to obtain the second user subscription data, so that the acquisition of the user subscription data is protected, the user subscription data is prevented from being stolen, and communication security is improved; in addition, the first network element can acquire the correct user subscription data from the proper PS by obtaining the identifier of the private network from the second network element.
With reference to the first aspect, in a possible implementation, the registration request further includes an online indication, where the online indication is used to indicate that the type of the registration request is an online service. In the implementation, the registration request carries the online indication, so that the second network element in the second network determines the first authentication server in the first network, and the first authentication server requests the second network to authenticate the terminal device requesting to be online.
With reference to the first aspect, in yet another possible implementation, the registration request further includes a hidden user identifier, where the hidden user identifier includes the first public key. In this implementation, the user hidden identifier is calculated by using the first public key, so that the first public key can be carried in the user hidden identifier, and the transfer of the first public key is implemented.
In a second aspect, a method for acquiring user subscription data is provided, including: receiving an authentication request from a first network for a terminal device, the authentication request comprising a first public key; saving the first public key; sending an identity of a private network to the first network; and sending the first public key to a third network. In the aspect, the terminal device is authenticated, and the identifier of the private network accessible to the terminal device is sent to the first network element in the first network, so that the first network element can acquire the first user subscription data from the third network according to the identifier of the private network, and the first user subscription data is encrypted data, thereby protecting the acquisition of the user subscription data, avoiding the user subscription data from being stolen, and improving the security of communication; and the first network element can acquire correct user subscription data from a proper PS by acquiring the identification of the private network from the second network element.
With reference to the second aspect, in a possible implementation, the authentication request further includes a hidden user identifier, where the hidden user identifier includes the first public key.
With reference to the second aspect, in yet another possible implementation, the authentication request further includes an online indication, where the online indication is used to indicate that the type of the authentication request is an online service; the saving the first public key comprises: and saving the first public key according to the online indication. In this aspect, when it is determined that the type of the authentication request is an online service, the first public key is saved so that the first public key can be subsequently sent to the PS.
In a third aspect, a method for acquiring user subscription data is provided, including: a first network element in a first network receives an identification of a private network from a second network; the first network element sends a user subscription data acquisition request of the terminal equipment to a third network according to the identification of the private network; the first network element receives a user subscription data acquisition response returned by the third network, wherein the user subscription data acquisition response comprises first user subscription data of the terminal equipment in the private network; and the first network element sends the first user subscription data to the terminal equipment. In this aspect, a proper PS may be selected to obtain correct user subscription data according to the identity of the private network received from the second network; furthermore, the received first public key can be used for encrypting the second user subscription data to obtain the first user subscription data, and the first user subscription data is sent, so that the acquisition of the user subscription data can be protected, the user subscription data is prevented from being stolen, and the communication safety is improved.
With reference to the third aspect, in a possible implementation, before the first network element receives the identifier of the private network from the second network, the method further includes: the first network element receives a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type, and a slice identifier; the first network element determines a first authentication server in the first network according to the registration request; and the first network element sends an authentication request for the terminal device to the second network through the first authentication server. Determining the first authentication server according to the registration request includes one of the following: the user hidden identifier includes an identifier of the second network, and the first authentication server is determined according to the identifier of the second network; or the user hidden identifier includes a routing indication, and the first authentication server is determined according to the routing indication; or the first authentication server is determined according to the online indication, where the online indication indicates that the type of the registration request is an online service; or the first authentication server is determined according to the registration type, where the registration type is an online service; or the first authentication server is determined according to the slice identifier. In the existing registration process, when the first network element receives the registration request of the terminal device, it generally sends the request to the authentication server of its own network for subsequent processing.
However, in this implementation, the first network element determines that the online service is performed according to the received registration request, and then determines the first authentication server of the network, and the first authentication server submits an authentication request to the second network performing authentication management on the online service, so as to perform authentication and authorization on the UE.
With reference to the third aspect, in yet another possible implementation, the registration request includes the first public key, and before the first network element receives the identifier of the private network from the second network, the method further includes: sending the first public key to the second network, where the first user subscription data is obtained by encrypting second user subscription data with the first public key.
With reference to the third aspect, in yet another possible implementation, the registration request includes a hidden user identifier, and the hidden user identifier includes the first public key.
In a fourth aspect, a method for acquiring user subscription data is provided, which is applied to a communication system, where the communication system includes a first network element in a first network and a second network element in a second network, and includes: the first network element sends an authentication request aiming at the terminal equipment to the second network element, wherein the authentication request comprises a first public key; the second network element saves the first public key; the second network element sends the identification of the private network to the first network element; the second network element sends the first public key to a third network; the first network element sends a user subscription data acquisition request of the terminal equipment to the third network according to the identifier of the private network; the first network element receives a user subscription data acquisition response returned by the third network, wherein the user subscription data acquisition response comprises first user subscription data of the terminal equipment in the private network; and the first network element sends the first user subscription data to the terminal equipment.
For a specific interaction process related to the terminal device, the first network element, the second network element, and the third network, reference may be made to any implementation manner of the foregoing first aspect to the third aspect, which is not described herein again.
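As an added example (not the patent's or Huawei's code), the following Python simulation walks the four-party exchange of the first to fourth aspects: the UE embeds pk1 in its user hidden identifier (SUCI), the first network element selects the authentication path from that identifier and relays the encrypted data without being able to read it, the DCS saves pk1 and pushes it to the PS of the UE's private network, and the PS returns the subscription data encrypted under pk1. The hybrid encryption over a toy DH group, the HMAC-based key derivation, and all identifiers and sample subscription records are constructed for illustration and are not from the patent.

```python
"""Added example (not the patent's code): simulation of the online
(onboarding) flow the patent describes, UE -> first network element (AMF)
-> second network element (DCS) -> provisioning server (PS), with the
subscription data encrypted under the UE's pk1.  Public-key encryption is
DHIES-style over a toy group (p = 2**127 - 1) with HMAC-SHA256; constructed
for illustration only, not a production cipher."""
import hashlib
import hmac
import secrets

P, G = 2**127 - 1, 3   # toy DH group (constructed; far too small for real use)

def keygen():
    """(public, private): the UE's (pk1, sk1) or the PS's ephemeral pair."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def _kdf(shared, label, n):
    """HMAC-based expand of the DH shared secret into n bytes."""
    out, prev, ctr = b"", b"", 0
    while len(out) < n:
        ctr += 1
        prev = hmac.new(shared.to_bytes(16, "big"), prev + label + bytes([ctr]),
                        hashlib.sha256).digest()
        out += prev
    return out[:n]

def pk_encrypt(pk, plaintext):
    """PS side: second user subscription data -> first user subscription data."""
    eph_pk, eph_sk = keygen()
    shared = pow(pk, eph_sk, P)
    ct = bytes(a ^ b for a, b in zip(plaintext, _kdf(shared, b"enc", len(plaintext))))
    tag = hmac.new(_kdf(shared, b"mac", 32), eph_pk.to_bytes(16, "big") + ct,
                   hashlib.sha256).digest()
    return {"eph_pk": eph_pk, "ct": ct, "tag": tag}

def pk_decrypt(sk, first):
    """UE side: verify the tag, then recover the second user subscription data."""
    shared = pow(first["eph_pk"], sk, P)
    expect = hmac.new(_kdf(shared, b"mac", 32), first["eph_pk"].to_bytes(16, "big")
                      + first["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, first["tag"]):
        raise ValueError("first user subscription data was altered in transit")
    ks = _kdf(shared, b"enc", len(first["ct"]))
    return bytes(a ^ b for a, b in zip(first["ct"], ks))

class ProvisioningServer:
    """Third network: subscription data of one private network (SNPN)."""
    def __init__(self, subscriptions):
        self.subs, self.pk1_by_ue = subscriptions, {}
    def receive_pk1(self, ue_id, pk1):       # pushed by the DCS
        self.pk1_by_ue[ue_id] = pk1
    def get_subscription(self, ue_id):       # user subscription data acquisition response
        return pk_encrypt(self.pk1_by_ue[ue_id], self.subs[ue_id])

class DefaultCredentialServer:
    """Second network element: authenticates the UE, returns its SNPN id."""
    def __init__(self, ue_to_snpn, ps_by_snpn):
        self.ue_to_snpn, self.ps_by_snpn, self.saved_pk1 = ue_to_snpn, ps_by_snpn, {}
    def authenticate(self, auth_req):
        ue_id = auth_req["ue_id"]
        if not auth_req.get("online") or ue_id not in self.ue_to_snpn:
            raise PermissionError("UE not authorised for the online service")
        pk1 = auth_req["suci"]["pk1"]
        self.saved_pk1[ue_id] = pk1                       # save pk1 per online indication
        snpn_id = self.ue_to_snpn[ue_id]
        self.ps_by_snpn[snpn_id].receive_pk1(ue_id, pk1)  # send pk1 to the third network
        return {"snpn_id": snpn_id}                       # identifier of the private network

class FirstNetworkElement:
    """First network element (e.g. AMF of the O-SNPN): relays, never decrypts."""
    def __init__(self, dcs_by_home_network, ps_by_snpn):
        self.dcs_by_home_network, self.ps_by_snpn = dcs_by_home_network, ps_by_snpn
    def register(self, reg):
        if not reg.get("online"):
            raise ValueError("not an online-service registration")
        # pick the authentication path from the network id carried in the SUCI
        dcs = self.dcs_by_home_network[reg["suci"]["home_network"]]
        auth_resp = dcs.authenticate({"ue_id": reg["ue_id"], "online": True,
                                      "suci": reg["suci"]})
        ps = self.ps_by_snpn[auth_resp["snpn_id"]]   # the proper PS for that SNPN
        return ps.get_subscription(reg["ue_id"])     # first (encrypted) data, relayed as-is

def ue_onboard(ue_id, amf, home_network):
    """UE side of the first aspect: generate pk1/sk1, register, decrypt."""
    pk1, sk1 = keygen()
    reg = {"ue_id": ue_id, "online": True,
           "suci": {"home_network": home_network, "pk1": pk1}}  # pk1 inside the SUCI
    return pk_decrypt(sk1, amf.register(reg))

def build_demo():
    """Constructed topology: two SNPNs, one DCS, one onboarding AMF."""
    ps = {"snpn-a": ProvisioningServer({"ue-1": b"SUPI=snpn-a:0001;K=constructed-key-a"}),
          "snpn-b": ProvisioningServer({"ue-2": b"SUPI=snpn-b:0002;K=constructed-key-b"})}
    dcs = DefaultCredentialServer({"ue-1": "snpn-a", "ue-2": "snpn-b"}, ps)
    return FirstNetworkElement({"dcs.example": dcs}, ps), dcs

def run_demo():
    amf, _ = build_demo()
    return ue_onboard("ue-1", amf, "dcs.example"), ue_onboard("ue-2", amf, "dcs.example")
```

Because the AMF only ever holds pk1 and the ciphertext, a compromised or curious first network cannot read the subscription data, and any modification in transit is caught by the UE's tag check before decryption.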
In a fifth aspect, an apparatus for acquiring user subscription data is provided to perform the method in the first aspect or any possible implementation of the first aspect. The apparatus for acquiring user subscription data may be the terminal device in the first aspect or any possible implementation of the first aspect, or a module, such as a chip or a chip system, applied in the terminal device. The apparatus includes modules, units, or means corresponding to the method, and these modules, units, or means can be implemented by hardware, by software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
With reference to the fifth aspect, in a possible implementation, the apparatus for acquiring user subscription data includes: a generating unit, a transmitting unit, a receiving unit and a decrypting unit; the generating unit is used for generating a first public key and a first private key; a sending unit, configured to send a registration request to a first network, where the registration request includes the first public key; a receiving unit, configured to receive first user subscription data, where the first user subscription data is obtained by encrypting second user subscription data by using the first public key; and the decryption unit is used for decrypting the first user subscription data by using the first private key to obtain the second user subscription data.
With reference to the fifth aspect, in yet another possible implementation, the apparatus for acquiring user subscription data includes: the device comprises an input interface, an output interface and a processing circuit; the processing circuit is used for generating a first public key and a first private key; an output interface for sending a registration request to a first network, the registration request including the first public key; the input interface is used for receiving first user subscription data, and the first user subscription data is obtained by encrypting second user subscription data by adopting the first public key; and the processing circuit is used for decrypting the first user subscription data by using the first private key to obtain the second user subscription data.
The apparatus for acquiring user subscription data may further include a memory coupled with the at least one processor, and the at least one processor is configured to execute program instructions stored in the memory, so as to cause the apparatus for acquiring user subscription data to perform the method of the first aspect or any possible implementation of the first aspect.
In one possible implementation, the memory is used to store program instructions and data. The memory is coupled to the at least one processor, and the at least one processor may call and execute program instructions stored in the memory to cause the apparatus for acquiring subscriber subscription data to perform the method of the first aspect or any possible implementation of the first aspect.
The acquiring device of the user subscription data further illustratively comprises a communication interface, and the communication interface is used for the acquiring device of the user subscription data to communicate with other devices. When the device for acquiring the user subscription data is a terminal device, the communication interface is a transceiver, an input/output interface, or a circuit.
In one possible design, the obtaining device of the user subscription data includes: at least one processor and a communication interface for performing the method of the first aspect or any possible implementation of the first aspect, in particular comprising: the at least one processor communicates with the outside using the communication interface; the at least one processor is configured to execute a computer program to cause the obtaining means of the user subscription data to perform the method of the first aspect or any possible implementation of the first aspect. It will be appreciated that the external portion may be an object other than the processor, or an object other than the acquisition device of the user subscription data.
In another possible design, the device for acquiring the user subscription data is a chip or a chip system. The communication interface may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit, etc. on the chip or system of chips. The processor may also be embodied as a processing circuit or a logic circuit.
The technical effects brought by any one of the design manners in the fifth aspect can be referred to the technical effects brought by the different design manners in the first aspect, and are not described herein again.
In a sixth aspect, there is provided a communications apparatus for performing the method of the second aspect or any possible implementation of the second aspect. The communication device may be a second network element in the second network in any possible implementation of the second aspect or the second aspect, or a module, such as a chip or a system of chips, applied to the second network element. The communication device comprises modules, units or means corresponding to the implementation of the method, and the modules, units or means can be implemented by hardware, software or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
With reference to the sixth aspect, in one possible implementation, a communication device includes a receiving unit, a processing unit, and a sending unit, where the receiving unit is configured to receive, from a first network, an authentication request for the terminal device, the authentication request including a first public key; the processing unit is configured to save the first public key; the sending unit is configured to send an identifier of a private network to the first network; and the sending unit is further configured to send the first public key to a third network.
Optionally, the authentication request further includes an online indication, where the online indication is used to indicate that the type of the authentication request is an online service; and the processing unit is used for storing the first public key according to the online indication.
With reference to the sixth aspect, in yet another possible implementation, a communication apparatus includes an input interface, an output interface, and a processing circuit, where the input interface is configured to receive, from a first network, an authentication request for the terminal device, the authentication request including a first public key; the processing circuit is configured to save the first public key; the output interface is configured to send an identifier of a private network to the first network; and the output interface is further configured to send the first public key to a third network.
Optionally, the authentication request further includes an online indication, where the online indication is used to indicate that the type of the authentication request is an online service; and the processing circuit is used for saving the first public key according to the online indication.
The communication device further illustratively includes a memory coupled with the at least one processor, the at least one processor being configured to execute program instructions stored in the memory to cause the communication device to perform the method of the second aspect or any possible implementation of the second aspect.
In one possible implementation, the memory is used to store program instructions and data. The memory is coupled to the at least one processor, which may invoke and execute program instructions stored in the memory to cause the communication device to perform a method according to the second aspect or any possible implementation of the second aspect.
Illustratively, the communication device further comprises a communication interface for the communication device to communicate with other devices. When the communication device is a second network element, the communication interface is a transceiver, an input/output interface, or a circuit, etc.
In one possible design, the communication device includes: at least one processor and a communication interface for performing the method of the second aspect or any possible implementation of the second aspect, in particular comprising: the at least one processor communicates with the outside using the communication interface; the at least one processor is configured to execute the computer program to cause the communication apparatus to perform the method of the second aspect or any possible implementation of the second aspect. It will be appreciated that the external may be an object other than a processor, or an object other than the communication device.
In another possible design, the communication device is a chip or a system of chips. The communication interface may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit, etc. on the chip or system of chips. The processor may also be embodied as a processing circuit or a logic circuit.
The technical effects brought by any one of the design manners in the sixth aspect can be referred to the technical effects brought by the different design manners in the second aspect, and are not described herein again.
In a seventh aspect, a communication device is provided for performing the method in the third aspect or any possible implementation of the third aspect. The communication device may be a first network element in the first network in any possible implementation of the third aspect or the third aspect, or a module, such as a chip or a system of chips, applied to the first network element. The communication device comprises modules, units or means corresponding to the implementation of the method, and the modules, units or means can be implemented by hardware, software or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
With reference to the seventh aspect, in one possible implementation, a communication apparatus includes a receiving unit, a processing unit, and a sending unit, where the receiving unit is configured to receive the identifier of the private network from the second network; the processing unit is configured to determine a user subscription data acquisition request of the terminal device according to the identifier of the private network; the sending unit is configured to send the user subscription data acquisition request to a third network; the receiving unit is further configured to receive a user subscription data acquisition response returned by the third network, where the user subscription data acquisition response includes first user subscription data of the terminal device in the private network; and the sending unit is further configured to send the first user subscription data to the terminal device.
Optionally, the receiving unit is further configured to receive a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type, and a slice identifier; the processing unit is further configured to determine a first authentication server in the first network according to the registration request; the sending unit is further configured to send an authentication request for the terminal device to the second network through the first authentication server; and the processing unit is specifically configured to determine the first authentication server according to an identifier of the second network included in the user hidden identifier; or according to a routing indication included in the user hidden identifier; or according to the online indication, where the online indication indicates that the type of the registration request is an online service; or according to the registration type, where the registration type is an online service; or according to the slice identifier.
With reference to the seventh aspect, in yet another possible implementation, a communication apparatus includes: the device comprises an input interface, an output interface and a processing circuit; wherein the input interface is configured to receive an identification of the private network from the second network; an output interface, configured to send a user subscription data acquisition request of a terminal device to a third network according to the identifier of the private network; the input interface is further configured to receive a user subscription data acquisition response returned by the third network, where the user subscription data acquisition response includes first user subscription data of the terminal device in the private network; and the output interface is further configured to send the first user subscription data to the terminal device.
Optionally, the input interface is further configured to receive a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type, and a slice identifier; the processing circuit is configured to determine a first authentication server in the first network according to the registration request; the output interface is further configured to send an authentication request for the terminal device to the second network through the first authentication server; and the processing circuit is specifically configured to determine the first authentication server according to an identifier of the second network included in the user hidden identifier; or according to a routing indication included in the user hidden identifier; or according to the online indication, where the online indication indicates that the type of the registration request is an online service; or according to the registration type, where the registration type is an online service; or according to the slice identifier.
The communication device illustratively further comprises a memory coupled with the at least one processor, the at least one processor being configured to execute program instructions stored in the memory to cause the communication device to perform the method of the third aspect or any possible implementation of the third aspect.
In one possible implementation, the memory is used to store program instructions and data. The memory is coupled to the at least one processor, and the at least one processor may invoke and execute program instructions stored in the memory to cause the communication device to perform the method of the third aspect or any possible implementation of the third aspect.
Illustratively, the communication device further comprises a communication interface for the communication device to communicate with other devices. When the communication device is a first network element, the communication interface is a transceiver, an input/output interface, or a circuit, etc.
In one possible design, the communication device includes: at least one processor and a communication interface for performing the method of the third aspect or any possible implementation of the third aspect, in particular comprising: the at least one processor communicates with the outside using the communication interface; the at least one processor is configured to execute the computer program to cause the communication apparatus to perform the method of the third aspect or any possible implementation of the third aspect. It will be appreciated that the external may be an object other than a processor, or an object other than the communication device.
In another possible design, the communication device is a chip or a system of chips. The communication interface may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit, etc. on the chip or system of chips. The processor may also be embodied as a processing circuit or a logic circuit.
The technical effects brought by any one of the design manners in the seventh aspect may be referred to the technical effects brought by the different design manners in the third aspect, and are not described herein again.
In an eighth aspect, a communication system is provided, where the communication system includes a first network element in a first network and a second network element in a second network, where the first network element is configured to send an authentication request for a terminal device to the second network element, and the authentication request includes a first public key; the second network element is used for storing the first public key; the second network element is further configured to send an identifier of a private network to the first network element; the second network element is further configured to send the first public key to a third network; the first network element is further configured to send a user subscription data acquisition request of the terminal device to the third network according to the identifier of the private network; the first network element is further configured to receive a user subscription data acquisition response returned by the third network, where the user subscription data acquisition response includes first user subscription data of the terminal device in the private network; and the first network element is further configured to send the first user subscription data to the terminal device.
With reference to the eighth aspect, in a possible implementation, the authentication request further includes a user hidden identifier, where the user hidden identifier includes the first public key.
With reference to the eighth aspect, in yet another possible implementation, the authentication request further includes an online indication, where the online indication is used to indicate that the type of the authentication request is an online service, and the second network element is further configured to store the first public key according to the online indication.
With reference to the eighth aspect, in yet another possible implementation, the first network element is further configured to receive a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type and a slice identifier; the first network element is further configured to determine a first authentication server in the first network according to the registration request; the first network element is further configured to send an authentication request of the terminal device to the second network through the first authentication server; the first network element is specifically configured to determine the first authentication server according to an identifier of the second network, where the user hidden identifier includes the identifier of the second network; or the first network element is specifically configured to determine the first authentication server according to a routing indication included in the user hidden identifier; or the first network element is specifically configured to determine the first authentication server according to the online indication, where the online indication is used to indicate that the type of the registration request is an online service; or the first network element is specifically configured to determine the first authentication server according to the registration type, where the registration type is an online service; or the first network element is specifically configured to determine the first authentication server according to the slice identifier.
With reference to the eighth aspect, in yet another possible implementation, the registration request includes a first public key, the first network element is further configured to send the first public key to the second network element, and the first user subscription data is obtained by encrypting second user subscription data with the first public key.
With reference to the eighth aspect, in yet another possible implementation, the registration request includes a hidden user identifier, and the hidden user identifier includes the first public key.
In a ninth aspect, a computer-readable storage medium is provided, storing a computer program which, when run on a computer, causes the method described in any of the above aspects or their implementations to be performed.
In a tenth aspect, a computer program product is provided which, when run on a computer, causes the method described in any of the above aspects or their implementations to be performed.
In an eleventh aspect, a computer program is provided which, when run on a computer, causes the method described in any of the above aspects or their implementations to be performed.
Drawings
Fig. 1 is a schematic diagram of an eNPN network architecture;
fig. 2 is a schematic architecture diagram of a communication system 100 according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a method for acquiring user subscription data according to an embodiment of the present application;
fig. 4 is a schematic flowchart of another method for acquiring user subscription data according to an embodiment of the present application;
fig. 5 is a schematic flowchart of another method for acquiring user subscription data according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a communication device 200 according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of an apparatus 300 for acquiring user subscription data according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a communication device 400 according to an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of a communication device 500 according to an embodiment of the present disclosure.
Detailed Description
The embodiments of the present application will be described below with reference to the drawings.
The technical solution of the embodiments of this application can be applied to various communication systems, for example a Long Term Evolution (LTE) system, a fifth generation (5G) system or a New Radio (NR) system; the 5G mobile communication system referred to in this application includes a non-standalone (NSA) 5G mobile communication system or a standalone (SA) 5G mobile communication system. The technical solution provided in this application can also be applied to future communication systems, such as a sixth generation mobile communication system. The communication system may also be a Public Land Mobile Network (PLMN), a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, an internet of things (IoT) communication system, or another communication system.
Fig. 2 is a schematic architecture diagram of a communication system 100 according to an embodiment of this application. As shown in fig. 2, the communication system 100 includes a first network, a second network and a third network. The first network may be an online network (the onboarding network of 3GPP eNPN terminology), the second network may be the network where a DCS (default credential server) or Unified Data Management (UDM) is located, and the third network may be the network where a PS (provisioning server) is located. In the embodiments of this application the PS is generally deployed separately from the private network, that is, the third network is generally a different network from the private network. The UE initiates a registration request in the first network; the first network requests the second network to authenticate the UE; after the UE passes authentication, the second network returns the identifier of a private network to the first network; the first network requests the user subscription data from the third network according to the identifier of the private network; and the third network encrypts the user subscription data and delivers it to the UE through the first network.
The first network includes a first network element 11, the second network includes a second network element 12, and the third network includes PS 13. The first network element 11 may be a mobility management network element and the second network element 12 may be a unified data management network element or a DCS. The network element or entity corresponding to the mobility management network element may be an access and mobility management function (AMF) entity in the 5G mobile communication system, and the network element or entity corresponding to the unified data management network element may be a UDM functional entity in the 5G mobile communication system, which is not specifically limited in this embodiment of the present application. The above network elements may communicate directly with each other, or may communicate through forwarding of other network elements, which is not specifically limited in this embodiment of the present application. Although not shown, the communication system may further include other network elements, which is not specifically limited in this embodiment of the application.
The embodiments of this application provide a method and an apparatus for acquiring user subscription data. After receiving a registration request from the UE, a first network element in the first network requests authentication and authorization of the UE; a second network element in the second network authenticates the UE, sends the identifier of the private network that the UE may access to the first network element, and sends pk1 to the third network; the first network element requests the first user subscription data from the third network according to the identifier of the private network, and the third network encrypts the second user subscription data with pk1 to obtain the first user subscription data; the third network then sends the first user subscription data to the UE through the control plane or the user plane of the first network. In this way the acquisition of the user subscription data is protected, the data cannot be stolen in transit, and communication security is improved; moreover, by obtaining the identifier of the private network from the second network element, the first network element can fetch the correct user subscription data from the appropriate PS.
Specifically, the scheme applies to the communication system described above and comprises the following steps: the first network element sends an authentication request for the terminal device to the second network element, where the authentication request includes a first public key pk1; the second network element stores pk1; the second network element sends the identifier of the private network to the first network element; the second network element sends pk1 to the third network; the first network element sends a user subscription data acquisition request for the terminal device to the third network according to the identifier of the private network; the first network element receives a user subscription data acquisition response returned by the third network, where the response includes first user subscription data of the terminal device in the private network; and the first network element sends the first user subscription data to the terminal device.
In one possible implementation, the authentication request further includes a user hidden identifier, and the user hidden identifier includes pk1.
In another possible implementation, the authentication request further includes an online indication used to indicate that the type of the authentication request is an online service, and the second network element stores pk1 according to the online indication.
In yet another possible implementation, before the second network element sends the identifier of the private network to the first network element, the method further includes: the first network element receives a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type and a slice identifier; the first network element determines a first authentication server in the first network according to the registration request; and the first network element sends the authentication request of the terminal device to the second network through the first authentication server. Determining the first authentication server according to the registration request comprises one of the following: the user hidden identifier includes an identifier of the second network, and the first authentication server is determined according to that identifier; or the user hidden identifier includes a routing indication, and the first authentication server is determined according to the routing indication; or the first authentication server is determined according to the online indication, which indicates that the type of the registration request is an online service; or the first authentication server is determined according to the registration type, where the registration type is an online service; or the first authentication server is determined according to the slice identifier.
In yet another possible implementation, the registration request includes the first public key pk1, and before the second network element sends the identifier of the private network to the first network element the method further includes: the first network element sends pk1 to the second network element; and the first user subscription data is obtained by encrypting second user subscription data with pk1.
In yet another possible implementation, the registration request includes a user hidden identifier that includes pk1.
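The authentication-server selection described in the implementations above, written out as an added example; this is not code from the patent or from Huawei. A first network element picks the authentication server (AUSF) from the registration request using the alternatives the text lists. The user hidden identifier is parsed as an IMSI-based SUCI in the 3GPP TS 23.003 form "suci-0-<MCC>-<MNC>-<routing indicator>-<scheme id>-<key id>-<output>", where MCC and MNC identify the home (second) network; the lookup tables, the precedence among the alternatives, the registration-type values and the slice-identifier format are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RegistrationRequest carries the fields of the text's registration request that the first
// network element may use to select an authentication server; all but the SUCI are optional.
type RegistrationRequest struct {
	SUCI             string
	OnlineIndication bool   // "online indication": the registration is an onboarding request
	RegistrationType string // e.g. "initial" or "onboarding" (values assumed for this example)
	SliceID          string // slice identifier, e.g. "sst=1,sd=000001" (format assumed)
}

// suciParts is what selection needs from an IMSI-based SUCI in the 3GPP TS 23.003 form
// "suci-0-<MCC>-<MNC>-<routing indicator>-<scheme id>-<home key id>-<scheme output>".
type suciParts struct{ homeNetwork, routingIndicator string }

func parseSUCI(s string) (suciParts, error) {
	f := strings.Split(s, "-")
	if len(f) != 8 || f[0] != "suci" || f[1] != "0" {
		return suciParts{}, errors.New("unsupported or malformed SUCI")
	}
	return suciParts{homeNetwork: f[2] + "-" + f[3], routingIndicator: f[4]}, nil
}

// AUSFSelector holds the lookup tables the first network is configured with (constructed here).
type AUSFSelector struct {
	ByHomeNetwork map[string]string // identifier of the second network ("MCC-MNC") -> AUSF
	ByRoutingInd  map[string]string // routing indicator -> AUSF
	BySlice       map[string]string // slice identifier -> AUSF
	Onboarding    string            // AUSF used for online (onboarding) registrations
}

// Select applies the text's alternatives in the order listed and returns the first match:
// second-network identifier in the SUCI, routing indicator, online indication, registration
// type, slice identifier. Only configured table entries are ever returned, so UE-supplied
// SUCI fields can choose among known servers but never name an arbitrary one.
func (a AUSFSelector) Select(r RegistrationRequest) (string, error) {
	p, err := parseSUCI(r.SUCI)
	if err != nil {
		return "", err
	}
	if ausf, ok := a.ByHomeNetwork[p.homeNetwork]; ok {
		return ausf, nil
	}
	// Routing indicator "0" means none was provisioned (TS 23.003), so it selects nothing.
	if ausf, ok := a.ByRoutingInd[p.routingIndicator]; ok && p.routingIndicator != "0" {
		return ausf, nil
	}
	if (r.OnlineIndication || r.RegistrationType == "onboarding") && a.Onboarding != "" {
		return a.Onboarding, nil
	}
	if ausf, ok := a.BySlice[r.SliceID]; ok {
		return ausf, nil
	}
	return "", fmt.Errorf("no authentication server configured for %q", r.SUCI)
}
```

The point worth keeping from this shape is that every branch resolves through a table the first network owns: the MCC, MNC and routing indicator arrive in the clear and are chosen by the UE, so they may select among the AUSFs the operator has configured, but a request that matches no table entry is rejected rather than routed somewhere derived from UE input.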
AMF entity: mainly responsible for signaling processing, such as access control, mobility management, attach and detach, and gateway selection. When the AMF entity serves a session of a terminal, it provides control-plane storage resources for the session, in which it stores a session identifier, an identifier of the Session Management Function (SMF) entity associated with the session identifier, and the like.
UDM entity: the method is mainly used for managing the subscription information of the user.
The DCS holds information that can be used to verify the terminal device. For example, if the terminal device holds only a manufacturer certificate, the DCS holds the information that can verify that certificate, that is, the corresponding root certificate. The DCS may pass the information needed for verification to an authentication server function (AUSF) entity, or may perform the authentication itself.
PS: and the entity is used for providing the SNPN identity, and can acquire the user subscription data of the SNPN from the SNPN and send the identification of the SNPN to the terminal equipment.
It should be noted that the above functional entity is only a name, and the name itself does not limit the entity. For example, it is also possible that the mobility management function entity is replaced with a "mobility management function" or other name. Furthermore, the mobility management function entity may correspond to an entity including other functions in addition to the mobility management function. It is also possible that the unified data management function entity is replaced by a "unified data management function" or other name, and that the unified data management function entity may correspond to an entity that includes other functions in addition to the unified data management function. The description is unified here, and will not be repeated below.
A terminal device accesses a network through a radio access network (RAN) device or an access network (AN) device. The RAN device is mainly a wireless network device in a 3GPP network, and the AN device may be an access network device defined outside 3GPP (non-3GPP access).
Alternatively, the terminal device in the embodiments of this application may refer to an access terminal, a subscriber unit, a subscriber station, a mobile station, a relay station, a remote terminal, a mobile device, a user terminal, a user equipment (UE), a terminal, a wireless communication device, a user agent, a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with a wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a future 5G network, a terminal device in a future evolved public land mobile network (PLMN), a terminal device in a future internet of vehicles, and the like; the embodiments of this application do not limit this.
By way of example and not limitation, in the embodiment of the present application, the terminal device may be a mobile phone, a tablet computer, a computer with a wireless transceiving function, a virtual reality terminal device, an augmented reality terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in tele-surgery, a wireless terminal in smart grid, a wireless terminal in transportation security, a wireless terminal in smart city, a wireless terminal in smart home, and the like.
By way of example and not limitation, in the embodiments of this application a wearable device may also be called a wearable smart device, a general term for everyday wearable items such as glasses, gloves, watches, clothing and shoes that have been intelligently designed and developed with wearable technology. A wearable device is a portable device worn directly on the body or integrated into the user's clothing or accessories. It is not only a piece of hardware: it also realises powerful functions through software support, data interaction and cloud interaction. Broadly, wearable smart devices include devices that are fully functional and relatively large, which can implement all or part of their functions without relying on a smartphone, such as smart watches or smart glasses; and devices that concentrate on one type of application function and must be used together with another device such as a smartphone, such as smart bracelets for monitoring physical signs and smart jewellery.
In addition, in the embodiments of this application the terminal device may also be a terminal device in an internet of things (IoT) system. IoT is an important part of the future development of information technology; its main technical feature is to connect things to a network through communication technology, so as to form an intelligent network with human-machine and thing-thing interconnection. In the embodiments of this application, IoT technology may achieve massive connectivity, deep coverage and power saving for terminals through, for example, narrowband (NB) technology.
In addition, in the embodiments of this application the terminal device may further include sensors, such as those in smart printers, train detectors and gas stations; its main functions include collecting data (for some terminal devices), receiving control information and downlink data from the access network device, and transmitting uplink data to the access network device by sending electromagnetic waves.
Optionally, the access network device in this embodiment may be any communication device with a wireless transceiving function, which is used for communicating with the terminal device. The access network devices include, but are not limited to: an evolved node B (eNB), a baseband unit (BBU), an Access Point (AP) in a wireless fidelity (WIFI) system, a wireless relay node, a wireless backhaul node, a Transmission Point (TP), or a TRP. The access network device may also be a gNB or a TRP or a TP in a 5G system, or one or a group (including multiple antenna panels) of antenna panels of a base station in a 5G system. In addition, the access network device may also be a network node forming a gNB or TP, such as a BBU, a Distributed Unit (DU), or the like.
In some deployments, the gNB may include a Centralized Unit (CU) and a DU. Furthermore, the gNB may also include an Active Antenna Unit (AAU). The CU implements part of the function of the gNB and the DU implements part of the function of the gNB. For example, the CU is responsible for processing non-real-time protocols and services, and implementing functions of a Radio Resource Control (RRC) layer and a Packet Data Convergence Protocol (PDCP) layer. The DU is responsible for processing a physical layer protocol and a real-time service, and implements functions of a Radio Link Control (RLC) layer, a Medium Access Control (MAC) layer, and a Physical (PHY) layer. The AAU implements part of the physical layer processing functions, radio frequency processing and active antenna related functions. Since the information of the RRC layer eventually becomes or is converted from the information of the PHY layer, the higher layer signaling, such as the RRC layer signaling, may also be considered to be transmitted by the DU or transmitted by the DU and the AAU under this architecture. It is to be understood that the access network device may be a device comprising one or more of a CU node, a DU node, an AAU node.
Optionally, in the embodiments of this application the access network device and the terminal device may communicate over licensed spectrum, over unlicensed spectrum, or over both at the same time. They may communicate over spectrum below 6 gigahertz (GHz), over spectrum above 6 GHz, or over both. The embodiments of this application do not limit the spectrum resources used between the access network device and the terminal device.
Optionally, the terminal device and the network device in the embodiment of the present application may be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; can also be deployed on the water surface; it may also be deployed on airborne airplanes, balloons and satellite vehicles. The embodiment of the application does not limit the application scenes of the terminal equipment and the network equipment.
Optionally, in this embodiment of the present application, the terminal device or the network device includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer. The hardware layer includes hardware such as a Central Processing Unit (CPU), a Memory Management Unit (MMU), and a memory (also referred to as a main memory). The operating system may be any one or more computer operating systems that implement business processing through processes (processes), such as a Linux operating system, a Unix operating system, an Android operating system, an iOS operating system, or a windows operating system. The application layer comprises applications such as a browser, an address list, word processing software, instant messaging software and the like. Furthermore, the embodiment of the present application does not particularly limit the specific structure of the execution main body of the method provided by the embodiment of the present application, as long as the communication can be performed according to the method provided by the embodiment of the present application by running the program recorded with the code of the method provided by the embodiment of the present application, for example, the execution main body of the method provided by the embodiment of the present application may be a terminal device or a network device, or a functional module capable of calling the program and executing the program in the terminal device or the network device.
In other words, the functions related to the terminal device, the first network element, and the second network element in the embodiment of the present application may be implemented by one device, may also be implemented by multiple devices together, and may also be implemented by one or more functional modules in one device, which is not limited in this embodiment of the present application. It is understood that the above functions may be network elements in a hardware device, or software functions running on dedicated hardware, or a combination of hardware and software, or virtualization functions instantiated on a platform (e.g., a cloud platform).
The following describes a method for acquiring user subscription data according to an embodiment of the present application with reference to fig. 1 to 5.
It should be noted that, in the following embodiments of the present application, names of messages between network elements or names of parameters in messages are only an example, and other names may also be used in a specific implementation, which is not specifically limited in this embodiment of the present application.
As shown in fig. 3, a schematic flow chart of a method for acquiring user subscription data according to an embodiment of the present application is shown. The method may comprise the steps of:
S100: the UE generates a first public key pk1 and a first private key sk1.
The UE generates the key pair (pk1, sk1); data encrypted with pk1 can be decrypted with sk1.
Specifically, the UE may generate the key pair (pk1, sk1) in either of the following ways:
In one implementation, the UE generates (pk1, sk1) as the ephemeral key pair used to compute the user hidden identifier (the subscription concealed identifier, SUCI). In the ECIES-based SUCI scheme the UE uses sk1, together with the home network public key, to conceal its subscription permanent identifier (SUPI), and pk1 is carried in the SUCI; a network element that receives the SUCI therefore also obtains pk1.
In another implementation, the UE generates (pk1, sk1) independently and solely for this purpose, rather than reusing the key pair generated when computing the SUCI.
S101: the UE sends a registration request to the first network element in the first network, where the registration request includes pk1. Correspondingly, the first network element receives the registration request.
In this embodiment the first network is the online network, the second network is the network where the DCS/UDM is located, and the third network is the network where the PS is located. The registration request is for requesting registration in the online network. The UE performs an online (onboarding) service through the first network: it requests that its user subscription data be delivered to it through the first network, so that it can subsequently access the private network.
Specifically, the UE sends the registration request to a first network element in the first network; the first network element may be, for example, an AMF. The registration request includes pk1.
S102: the first network element sends an authentication request for the UE to a second network element in the second network, where the authentication request includes pk1. Correspondingly, the second network element receives the authentication request for the UE from the first network.
After receiving the registration request, the first network element knows that it is a request to register in the online network in order to access a private network, and that the second network performs authentication and authorization of UEs accessing the private network. Therefore, the first network element sends an authentication request for the UE to the second network element in the second network. The authentication request is used to request authentication and authorization of the UE, and it carries pk1 so that pk1 is conveyed to the second network element.
S103: the second network element stores pk1.
The second network element receives the authentication request sent by the first network element, recognises from it that the request belongs to an online service, and stores the pk1 carried in the authentication request.
S104, the second network element sends the private network identification to the first network element. Accordingly, the first network element receives an identification of the private network.
And the second network element performs authentication and authorization on the UE, and sends the identifier of the private network to the first network element after the authentication is passed. The identity of the private network is used to uniquely identify the private network.
The online network can serve a plurality of private networks and can also be in butt joint with PS corresponding to the private networks, so that the first network element can select a proper PS to acquire the user subscription data by acquiring the identifier of the private network.
S105: the second network element sends pk1 to the PS in the third network. Correspondingly, the PS receives pk1.
Having received pk1 in the authentication request, the second network element passes it on to the PS in the third network.
It can be understood that there is no execution sequence between steps S104 and S105, that is, S104 may be executed first, and then S105 may be executed; or executing S105 first and then executing S104; or S104 and S105 are performed simultaneously.
Alternatively, pk1 may also be sent by the first network element to the PS in the third network in step S106 described below, or after step S106 the PS actively requests the key, i.e. pk1, from the AMF.
S106, the first network element sends a user subscription data acquisition request of the UE to the PS in the third network according to the private network identifier. Accordingly, the PS receives the user subscription data acquisition request.
After obtaining the identifier of the private network, the first network element may request the user subscription data of the UE from the PS in the third network according to the identifier of the private network. The first network element requests to acquire user subscription data of the UE, so that the UE can access to the private network.
S107, the PS returns a user subscription data acquisition response to the first network element; the user subscription data acquisition response includes first user subscription data of the UE in the private network. Correspondingly, the first network element receives the user subscription data acquisition response and parses it to obtain the first user subscription data carried in it.
Because the second network element has authenticated the UE, the PS can accept the user subscription data acquisition request. The PS obtains the second user subscription data of the UE. Since the PS also holds the public key pk1 of the UE, it can encrypt the second user subscription data with pk1 to obtain the first user subscription data, thereby protecting the second user subscription data, preventing the user subscription data from being stolen, and improving communication security.
S108, the first network element sends the first user subscription data to the UE. Accordingly, the UE receives the first user subscription data.
The first network element sends first user subscription data to the UE, wherein the first user subscription data is encrypted, so that the first user subscription data can be protected.
S109, the UE decrypts the first user subscription data by using the sk1 to obtain the second user subscription data.
After receiving the first user subscription data, the UE decrypts it using the sk1 corresponding to pk1 to obtain the second user subscription data. The UE can then access the private network based on the second user subscription data, and the online procedure of the UE is complete.
According to the method for acquiring the user subscription data provided by the embodiment of the application, the second network element in the second network authenticates the UE and sends the identifier of the private network accessible to the UE to the first network element in the first network, so that the first network element can acquire the first user subscription data from the third network according to the identifier of the private network, and the first user subscription data is encrypted subscription data, thereby protecting the acquisition of the user subscription data, avoiding the stealing of the user subscription data and improving the communication security; and the first network element can acquire correct user subscription data from a proper PS by acquiring the identification of the private network from the second network element.
Fig. 4 is a schematic flow chart of another method for acquiring user subscription data according to the embodiment of the present application. The method may comprise the steps of:
S200a, the UE presets the PS public key pk2.
The UE may be factory-preset with the public key pk2 for encrypted communication with the PS. Alternatively, the UE may be preset with a PS certificate that contains the PS public key pk2.
S200b, the PS of the third network presets the public key pk2 and the private key sk2.
The PS may likewise be preset with the public and private key pair (pk2, sk2).
S201, the UE generates the public and private key pair pk1 and sk1.
Specifically, the UE generating the public and private key pair pk1 and sk1 may have the following implementations:
In one implementation, the UE generates the public-private key pair pk1 and sk1 when computing the SUCI. The UE encrypts the SUPI with sk1 to obtain the SUCI.
In another implementation, the UE may also generate the public-private key pair pk1 and sk1 separately on its own, rather than generating pk1 and sk1 when computing the SUCI.
S202, the UE sends a registration request to an AMF in the online network. Accordingly, the AMF receives the registration request.
The registration request is for requesting registration with the online network. The registration request includes a SUCI, and may further include at least one of: an online indication, a registration type, and a slice identifier.
The online indication is used to indicate that the type of the registration request is an online service.
The SUCI includes pk1 described above.
The registration type is an online service.
The slice identity is used to indicate the identity of the network slice in which the private network the UE requests registration is located.
S203, the AMF determines a first authentication server (AUSF1) in the first network according to the registration request.
In the existing registration process, the AMF receives a registration request of the UE, and generally sends the registration request to the AUSF of the network where the AMF is located for subsequent processing. However, in this embodiment, the AMF determines that the online service is performed according to the received registration request, determines the first authentication server of the network, and submits an authentication request to the second network performing authentication management on the online service through the first authentication server, so as to perform authentication and authorization on the UE.
Specifically, the AMF determines the first authentication server in the first network according to the registration request, and may have the following implementation manners:
In one implementation, the SUCI includes an identifier of the second network, and the first authentication server is determined based on the identifier of the second network. The identifier of the second network may be a DCS ID, an ID of the network in which the DCS is located, or a DCS administrator ID (e.g., a vendor ID). That is, the AMF determines from the identifier of the second network that the second network is required to perform authentication and authorization for the UE, and then determines a first authentication server (AUSF1) of its own network, or selects an AUSF (AUSF1) dedicated to the online service.
In another implementation, a Routing Indicator (RI) is included in the SUCI, and the first authentication server is determined according to the routing indicator. The routing indicator is used to indicate a route to the SNPN. The AMF determines from the routing indicator that the service is an online service, determines that the second network is required to authenticate the UE, and determines a first authentication server (AUSF1) of its own network or selects an AUSF (AUSF1) dedicated to the online service.
In yet another implementation, the first authentication server is determined according to an online indication, where the online indication is used to indicate that the type of the registration request is an online service. The AMF determines from the online indication that an online service is being performed, determines that the second network is required to perform authentication and authorization on the UE, and determines a first authentication server (AUSF1) of its own network or selects an AUSF (AUSF1) dedicated to the online service.
In yet another implementation, the first authentication server is determined according to a registration type, and the registration type is an online service. The existing registration types of the UE include: initial registration, mobility registration, and periodic registration. The present embodiment proposes a new registration type: online service. The AMF determines from the registration type that an online service is being performed, determines that the second network is required to perform authentication and authorization for the UE, and determines a first authentication server (AUSF1) of its own network or selects an AUSF (AUSF1) dedicated to the online service.
In yet another implementation, the first authentication server is determined based on the slice identifier. The AMF determines from the slice identifier carried in the registration request, which indicates the identifier of the network slice in which the private network the UE requests to register with is located, that the UE is performing an online service, determines that the UE needs to be authenticated and authorized by the second network, and then determines a first authentication server (AUSF1) of its own network or selects an AUSF (AUSF1) dedicated to the online service.
S204, after determining the first authentication server, the AMF sends an authentication request for the UE to the first authentication server. The authentication request is used to request authentication and authorization of the UE. The authentication request includes the SUCI and may also include an online indication. Accordingly, the first authentication server receives the authentication request. The SUCI includes pk1 described above.
S205, the first authentication server determines to forward the authentication request to the second network according to the authentication request.
The first authentication server determines from the authentication request that an online service is being performed, and therefore determines to forward the authentication request to the second network.
S206, the first authentication server forwards the authentication request to the AUSF2 of the second network. The authentication request is used to request authentication and authorization of the UE. The authentication request includes the SUCI and may also include an online indication. Accordingly, after receiving the authentication request, the AUSF2 forwards the authentication request to the UDM/DCS of the second network. The UDM/DCS of the second network receives the authentication request.
S207, the UDM/DCS of the second network decrypts the SUPI from the SUCI, extracts pk1 from the SUCI and stores pk1.
The UDM/DCS of the second network obtains the SUCI carried in the authentication request and can decrypt the SUPI from it.
When the UDM/DCS of the second network receives the authentication request, since the authentication request further includes an online indication, which indicates that the type of the authentication request is an online service, the UDM/DCS stores pk1 according to the online indication.
The AMF obtains the SUPI of the UE upon completion of the authentication. Subsequent SUPI-based signaling between the first network and the second network can then be performed for the UE.
S208, the UDM/DCS of the second network sends pk1 to the PS of the third network. Accordingly, the PS receives pk1.
After the UDM/DCS of the second network authenticates the UE, it may send pk1 to the PS in the third network so that the PS can subsequently use this pk1 to encrypt data. When the UDM/DCS pushes the key, it may also carry the Generic Public Subscription Identifier (GPSI) together with pk1. Further, a serving network name may also be carried. The GPSI corresponds to the SUPI.
The above describes the UDM/DCS of the second network actively pushing pk1 to the PS in the third network. Alternatively, in step S212 described below, pk1 may be carried when the AMF in the first network requests the user subscription data from the PS in the third network. Alternatively, after step S212, when the PS in the third network receives the user subscription data acquisition request, the PS in the third network requests the key from the UDM/DCS in the second network, and the UDM/DCS in the second network then sends pk1 to the PS in the third network.
S209, the AMF in the first network sends a first acquisition request to the UDM/DCS of the second network, wherein the first acquisition request comprises SUPI and can also comprise an online indication. Accordingly, the UDM/DCS of the second network receives the first acquisition request.
The online network can serve multiple private networks and can be interfaced with the PSs corresponding to those private networks, so the AMF in the first network sends a first acquisition request to the UDM/DCS of the second network to acquire the identifier of the private network, allowing the first network element to select the appropriate PS from which to acquire the user subscription data. After the UDM/DCS of the second network authenticates the UE, it may send the AMF the identifier of the private network that the UE can access.
S210, the UDM/DCS of the second network acquires the identification of the private network according to the online indication or the local configuration.
The UDM/DCS searches for the identity of a private network to which the UE can access, based on the SUPI, and obtains the identity of the private network (i.e., SNPN ID) based on an online indication or a local configuration. The SNPN network is identified by using a PLMN ID and a Network Identifier (NID), and the SNPN ID includes a Public Land Mobile Network (PLMN) ID and an NID. The PLMN ID may be an inherent value reserved by a third-party operator, or may be a specific value of a PLMN operator deploying the SNPN.
Specifically, the UDM/DCS searches for the identities of a plurality of private networks to which the UE can access, according to the SUPI, determines a private network to which the UE requests to perform an online service, and acquires the identity of the private network. The identity of the private network is one or more of the identities of the private networks.
Or, the UDM/DCS searches the identities of a plurality of private networks which can be accessed by the UE according to the SUPI and determines the identity of the private network which is allowed to be accessed by the UE according to the local configuration, thereby acquiring the identity of the private network which is allowed to be accessed by the UE.
S211, the UDM/DCS of the second network sends a first acquisition response to the AMF, where the first acquisition response includes the SUPI, the identifier of the private network, and pk1. Accordingly, the AMF receives the first acquisition response.
S212, the AMF in the first network sends a user subscription data acquisition request of the UE to the PS in the third network according to the identifier of the private network. Accordingly, the PS in the third network receives the user subscription data acquisition request.
After obtaining the identifier of the private network, the AMF may request the user subscription data of the UE from the PS in the third network according to the identifier of the private network.
The user subscription data acquisition request includes the GPSI. It may further include pk1, an online indication, and a serving network name.
S213, the PS in the third network encrypts the second user subscription data with pk1 to obtain the first user subscription data, and signs the first user subscription data with sk2.
After receiving the user subscription data acquisition request, the PS looks up the second user subscription data of the UE according to the GPSI. It then encrypts the second user subscription data with the pk1 obtained for this UE to obtain the first user subscription data, so that the second user subscription data is protected from being stolen. Further, the sk2 preset in the PS in step S200b may be used to sign the first user subscription data, so as to protect the first user subscription data from being tampered with.
S214, the PS in the third network sends a user subscription data acquisition response to the AMF in the first network. The user subscription data acquisition response includes the signed first user subscription data. Accordingly, the AMF in the first network receives the subscriber subscription data acquisition response.
In this embodiment, the PS issues the signed first user subscription data through the control plane. Specifically, the PS sends a user subscription data acquisition response to the UE through the AMF in the first network. The user subscription data acquisition response includes the signed first user subscription data.
S215, the AMF in the first network delivers the signed first user subscription data through a UE configuration update (UCU) procedure. Accordingly, the UE receives the signed first user subscription data.
S216, the UE verifies the signature with pk2, and after the signature verification passes, decrypts the first user subscription data with sk1 to obtain the second user subscription data.
After receiving the user subscription data acquisition response, the UE extracts the signed first user subscription data carried in it, verifies the signature with the pk2 preset in the UE in step S200a, and, after the signature verification passes, decrypts the first user subscription data with sk1 to obtain the second user subscription data.
S217, the UE sends a UCU response to the AMF in the first network. Accordingly, the AMF receives the UCU response.
The UCU response is used to indicate that the UE successfully received the user subscription data acquisition response.
According to the method for acquiring the user subscription data provided by the embodiment of the application, the second network element in the second network authenticates the UE and sends the identifier of the private network accessible to the UE to the first network element in the first network, so that the first network element can acquire the first user subscription data from the third network according to the identifier of the private network and sends the first user subscription data to the UE through the control plane, wherein the first user subscription data is encrypted subscription data, thereby protecting the acquisition of the user subscription data, avoiding the stealing and tampering of the user subscription data, and improving the communication security; and the first network element can acquire correct user subscription data from a proper PS by acquiring the identification of the private network from the second network element.
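As an added worked example (not code from the patent), the following Go program models the protection applied in steps S107/S109 of Fig. 3 and S213/S216 of Fig. 4: the PS encrypts the second user subscription data under the UE's pk1 and signs the result with sk2, and the UE verifies with its preset pk2 before decrypting with sk1. The algorithms and wire format are assumptions, since the patent fixes none: P-256 ECDH with an ECIES-style AES-256-GCM wrapper for pk1/sk1, P-256 ECDSA for pk2/sk2, and SHA-256 of the shared secret as the KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Assumed wire format (the patent fixes no algorithm): first user subscription data =
// ephemeral ECDH public key (65 bytes) || 12-byte nonce || AES-256-GCM ciphertext of the
// second user subscription data, with pk1 bound as associated data.
const ephPubLen, nonceLen = 65, 12
type UEKeys struct{ sk1 *ecdh.PrivateKey }  // UE key pair from step S201
type PSKeys struct{ sk2 *ecdsa.PrivateKey } // PS signing key preset in step S200b

func NewUEKeys() (*UEKeys, error) {
	sk, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &UEKeys{sk1: sk}, nil
}

func NewPSKeys() (*PSKeys, error) {
	sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PSKeys{sk2: sk}, nil
}

func (u *UEKeys) PK1() []byte           { return u.sk1.PublicKey().Bytes() } // carried in the SUCI
func (p *PSKeys) PK2() *ecdsa.PublicKey { return &p.sk2.PublicKey }         // preset in the UE (S200a)
// aeadFor derives AES-256-GCM from an ECDH shared secret. Assumption: SHA-256 of the
// secret serves as the KDF here; a deployment would use HKDF with context binding.
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAndSign is step S213: encrypt the second user subscription data with pk1 to
// obtain the first user subscription data, then sign that ciphertext with sk2.
func (p *PSKeys) EncryptAndSign(pk1, second []byte) (first, sig []byte, err error) {
	uePub, err := ecdh.P256().NewPublicKey(pk1)
	if err != nil {
		return nil, nil, err
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader) // fresh per message
	if err != nil {
		return nil, nil, err
	}
	gcm, err := aeadFor(eph, uePub)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	first = append(eph.PublicKey().Bytes(), nonce...)
	first = gcm.Seal(first, nonce, second, pk1)
	digest := sha256.Sum256(first)
	sig, err = ecdsa.SignASN1(rand.Reader, p.sk2, digest[:])
	return first, sig, err
}

// VerifyAndDecrypt is step S216: the UE checks the signature with pk2 first and only
// then decrypts with sk1, so tampered or mis-addressed data is rejected before use.
func (u *UEKeys) VerifyAndDecrypt(pk2 *ecdsa.PublicKey, first, sig []byte) ([]byte, error) {
	digest := sha256.Sum256(first)
	if !ecdsa.VerifyASN1(pk2, digest[:], sig) {
		return nil, errors.New("signature check failed: data tampered or not from the PS")
	}
	if len(first) < ephPubLen+nonceLen {
		return nil, errors.New("first user subscription data too short")
	}
	eph, err := ecdh.P256().NewPublicKey(first[:ephPubLen])
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(u.sk1, eph)
	if err != nil {
		return nil, err
	}
	nonce, ct := first[ephPubLen:ephPubLen+nonceLen], first[ephPubLen+nonceLen:]
	return gcm.Open(nil, nonce, ct, u.PK1()) // fails unless sk1 matches the pk1 used
}
```

Because the signature is checked before any decryption, a modified first user subscription data is rejected without the ciphertext ever being processed, which is the tampering protection the embodiment attributes to sk2/pk2; a different UE's sk1 fails at the GCM tag instead.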
Fig. 5 is a schematic flow chart of another method for acquiring user subscription data according to the embodiment of the present application. The method may comprise the steps of:
S300a, the UE presets the PS public key pk2.
The specific implementation of this step can refer to step S200a in the embodiment shown in fig. 4.
S300b, the PS of the third network presets the public key pk2 and the private key sk2.
The specific implementation of this step can refer to step S200b in the embodiment shown in fig. 4.
S301, the UE generates the public and private key pair pk1 and sk1.
The specific implementation of this step can refer to step S201 of the embodiment shown in fig. 4.
S302, the UE sends a registration request to an AMF in the online network, where the registration request includes a SUCI and may also include an online indication. Accordingly, the AMF receives the registration request.
The specific implementation of this step can refer to step S202 in the embodiment shown in fig. 4.
S303, the AMF determines a first authentication server (AUSF1) in the first network according to the registration request.
The specific implementation of this step can refer to step S203 of the embodiment shown in fig. 4.
S304, the AMF sends an authentication request for the UE to the first authentication server. The authentication request includes the SUCI and may also include an online indication. Accordingly, the first authentication server receives the authentication request.
The specific implementation of this step can refer to step S204 in the embodiment shown in fig. 4.
S305, the first authentication server determines to forward the authentication request to the second network according to the authentication request.
The specific implementation of this step can refer to step S205 of the embodiment shown in fig. 4.
S306, the first authentication server forwards the authentication request to the AUSF2 of the second network. The authentication request includes the SUCI and may also include an online indication. Accordingly, after receiving the authentication request, the AUSF2 forwards the authentication request to the UDM/DCS of the second network. The UDM/DCS of the second network receives the authentication request.
The specific implementation of this step can refer to step S206 in the embodiment shown in fig. 4.
S307, the UDM/DCS of the second network decrypts the SUPI from the SUCI, extracts pk1 from the SUCI and stores pk1.
The specific implementation of this step can refer to step S207 of the embodiment shown in fig. 4.
The AMF obtains the SUPI of the UE upon completion of the authentication.
S308, the AMF sends a second acquisition request to the UDM/DCS of the second network, wherein the second acquisition request comprises SUPI and can also comprise an online indication. Accordingly, the UDM/DCS of the second network receives the second acquisition request. The second acquisition request is used for acquiring the identity of the private network which can be accessed by the UE.
The specific implementation of this step can refer to step S209 of the embodiment shown in fig. 4.
S309, the UDM/DCS of the second network acquires the identification of the private network according to the online indication or the local configuration.
The specific implementation of this step can refer to step S210 in the embodiment shown in fig. 4.
Steps S308 and S309 are optional steps, and are indicated by dotted lines in the figure. In this embodiment, the user subscription data is issued through the user plane, and therefore, the SMF also obtains the identifier of the private network from the UDM/DCS of the second network, which is specifically described in steps S314 and S315.
S310, the UDM/DCS of the second network sends a second acquisition response to the AMF, where the second acquisition response includes the SUPI, the identifier of the private network, and pk1. Accordingly, the AMF receives the second acquisition response.
The specific implementation of this step can refer to step S211 of the embodiment shown in fig. 4.
S311, the AMF of the first network sends a registration response to the UE. Accordingly, the UE receives the registration response.
The registration response is used to indicate a success or failure of the registration.
After the UE completes registration in the third network, a Protocol Data Unit (PDU) session may be established with the third network.
S312, the UE sends a PDU session establishment request to the AMF of the first network. Accordingly, the AMF of the first network receives the PDU session setup request.
S313, the AMF of the first network sends a PDU session establishment request to the SMF of the second network. The PDU session establishment request includes the SUPI/GPSI and may also include the identifier of the private network and pk1. Accordingly, the SMF of the second network receives the PDU session establishment request and establishes the PDU session.
S314, the SMF of the second network sends a third acquisition request to the UDM/DCS of the second network, where the third acquisition request includes the SUPI and may also include an online indication. Accordingly, the UDM/DCS of the second network receives the third acquisition request. The third acquisition request is used to request the identifier of the private network accessible to the UE.
The UDM/DCS of the second network looks up the identifier of the private network accessible to the UE and pk1 according to the SUPI, and carries the identifier of the private network and pk1 in the third acquisition response sent to the SMF.
S315, the UDM/DCS of the second network sends a third acquisition response to the SMF of the second network, where the third acquisition response includes the SUPI, the identifier of the private network, and pk1.
At this point, the PDU session setup is completed.
S316, the SMF of the second network sends pk1 to the PS of the third network. Accordingly, the PS of the third network receives pk1.
Unlike the embodiment shown in fig. 4, pk1 may be pushed by the SMF of the second network to the PS of the third network when setting up the session.
Specifically, if the SMF of the second network obtains pk1 in the first user subscription data obtaining response, the SMF of the second network may push pk1 to the PS of the third network. The key push carries the GPSI, pk1, and may also include the service network name.
Alternatively, after the session establishment described below is completed, the SMF of the second network sends a key acquisition response to the PS of the third network upon receiving a key acquisition request from the PS of the third network. The key acquisition request includes the GPSI, and may further include a serving network name, an online indication, and the like. The key acquisition response includes the GPSI and pk1.
S317, the PS encrypts the second user subscription data with pk1 to obtain the first user subscription data, and signs the first user subscription data with sk2.
The specific implementation of this step can refer to step S213 in the embodiment shown in fig. 4.
S318, when the PS receives the pk1 sent by the SMF, the PS is triggered to send a user subscription data acquisition response to the UE. The user subscription data acquisition response includes the signed first user subscription data. Accordingly, the UE receives the user subscription data acquisition response.
In this embodiment, the PS sends the user subscription data acquisition response to the UE through the established session channel, that is, through the user plane.
S319, the UE verifies the signature with pk2, and after the signature verification passes, decrypts the first user subscription data with sk1 to obtain the second user subscription data.
The specific implementation of this step can refer to step S216 in the embodiment shown in fig. 4.
According to the method for acquiring the user subscription data provided by the embodiment of the application, the second network element in the second network authenticates the UE and sends the identifier of the private network accessible to the UE to the first network element in the first network, so that the first network element can acquire the first user subscription data from the third network according to the identifier of the private network and issue the first user subscription data to the UE through the user plane, wherein the first user subscription data is encrypted subscription data, thereby protecting the acquisition of the user subscription data, avoiding the stealing and tampering of the user subscription data, and improving the communication security; and the first network element can acquire correct user subscription data from a proper PS by acquiring the identification of the private network from the second network element.
It is to be understood that, in the above embodiments, the method and/or the steps implemented by the terminal device may also be implemented by a component (e.g., a chip or a circuit) that can be used for the terminal device; the methods and/or steps implemented by the first network element may also be implemented by components (e.g., chips or circuits) that may be used in the first network element; the methods and/or steps implemented by the second network element may also be implemented by components (e.g. chips or circuits) that may be used in the second network element.
The above-mentioned scheme provided by the embodiment of the present application is introduced mainly from the perspective of interaction between network elements. Correspondingly, the embodiment of the application also provides a device, and the device is used for realizing the various methods. The apparatus may be the terminal device, the first network element, and the second network element in the foregoing method embodiment. It is understood that the apparatus comprises corresponding hardware structures and/or software modules for performing the respective functions in order to realize the above-mentioned functions. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, functional modules of the apparatus may be divided according to the method embodiment, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
The related functions of the communication apparatus in the embodiment of the present application can be realized by the communication apparatus 200 in fig. 6. Fig. 6 is a schematic structural diagram of a communication device 200 according to an embodiment of the present disclosure. The communication device 200 includes one or more processors 21, a communication line 22, and at least one communication interface (which is only exemplary in fig. 6 to include a communication interface 24 and one processor 21 for illustration), and optionally may further include a memory 23.
The processor 21 may be a CPU, a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of programs in accordance with the teachings of the present application.
The communication link 22 may include a path for connecting between the various components.
The communication interface 24, which may be a transceiver module, is used for communicating with other devices or communication networks, such as ethernet, RAN, Wireless Local Area Networks (WLAN), etc. For example, the transceiver module may be a transceiver, or the like. Optionally, the communication interface 24 may also be a transceiver circuit located in the processor 21, so as to realize signal input and signal output of the processor.
The memory 23 may be a device having a memory function. Such as, but not limited to, read-only memory (ROM) or other types of static storage devices that may store static information and instructions, Random Access Memory (RAM) or other types of dynamic storage devices that may store information and instructions, electrically erasable programmable read-only memory (EEPROM), compact disk read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be separate and coupled to the processor via a communication line 22. The memory may also be integral to the processor.
The memory 23 is used for storing computer-executable instructions for executing the scheme of the application, and is controlled by the processor 21 to execute. The processor 21 is configured to execute computer-executable instructions stored in the memory 23, so as to implement the method for acquiring the user subscription data provided in the embodiment of the present application.
Optionally, in this embodiment of the present application, the processor 21 may execute the processing-related functions of the method for acquiring user subscription data provided in the following embodiments, while the communication interface 24 is responsible for communicating with other devices or a communication network; this is not specifically limited in this embodiment of the present application.
The computer-executable instructions in the embodiments of the present application may also be referred to as application program codes, which are not specifically limited in the embodiments of the present application.
In a particular implementation, the processor 21 may include one or more CPUs, for example CPU0 and CPU1 in fig. 6.
In particular implementations, communication apparatus 200 may include a plurality of processors, such as processor 21 and processor 27 in FIG. 6, as one embodiment. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In one implementation, the communications apparatus 200 may further include an output device 25 and an input device 26. An output device 25 is in communication with the processor 21 and may display information in a variety of ways.
The communication device 200 may be a general-purpose device or a special-purpose device. For example, the communication apparatus 200 may be a desktop computer, a portable computer, a web server, a Personal Digital Assistant (PDA), a mobile phone, a tablet computer, a wireless user equipment, an embedded device, or a device having a similar structure as in fig. 6. The embodiment of the present application does not limit the type of the communication apparatus 200.
Fig. 7 is a schematic structural diagram of another apparatus for acquiring user subscription data according to an embodiment of the present application, where the apparatus for acquiring user subscription data may be a terminal device in the foregoing embodiment. The apparatus 300 for acquiring user subscription data includes: a processing unit 31, a transmitting unit 32, and a receiving unit 33; wherein:
a processing unit 31 for generating a first public key pk1 and a first private key sk1;
a sending unit 32, configured to send a registration request to a first network, where the registration request includes the pk1;
a receiving unit 33, configured to receive first user subscription data, where the first user subscription data is obtained by encrypting second user subscription data by using the pk1;
the processing unit 31 is further configured to decrypt the first user subscription data using the sk1 to obtain the second user subscription data.
The specific implementation of the processing unit 31, the sending unit 32 and the receiving unit 33 can refer to the related description of the UE in the embodiments shown in fig. 3 to fig. 5.
With the device for acquiring user subscription data provided by this embodiment, the device receives the encrypted first user subscription data returned by the third network and decrypts it with the first private key that the device itself generated to obtain the second user subscription data, so that the acquisition of the user subscription data is protected, the user subscription data is prevented from being stolen, and communication security is improved; in addition, the first network element can acquire the correct user subscription data from the proper PS because it obtains the identifier of the private network from the second network element.
Fig. 8 is a schematic structural diagram of a communication device according to an embodiment of the present application, where the communication device may be a second network element in a second network in the foregoing embodiments. The communication apparatus 400 includes: a receiving unit 41, a processing unit 42, and a transmitting unit 43; wherein:
a receiving unit 41, configured to receive an authentication request for a terminal device from a first network, where the authentication request includes a first public key pk1;
a processing unit 42 for saving the pk1;
a sending unit 43, configured to send an identifier of a private network to the first network;
the sending unit 43 is further configured to send the pk1 to a third network.
In a possible implementation, the authentication request further includes an online indication, where the online indication is used to indicate that the type of the authentication request is an online service; and the processing unit 42 is configured to save the pk1 according to the online indication.
The relevant description of the receiving unit 41, the processing unit 42 and the sending unit 43 can refer to the relevant description of the second network element in the embodiments shown in fig. 3 to 5.
According to the communication device provided by the embodiment of the application, the device authenticates the terminal equipment and sends the identifier of the private network accessible to the terminal equipment to the first network element in the first network, so that the first network element can acquire the first user subscription data from the third network according to the identifier of the private network, and the first user subscription data is encrypted data, thereby protecting the acquisition of the user subscription data, avoiding the user subscription data from being stolen, and improving the communication security; and the first network element can acquire correct user subscription data from a proper PS by acquiring the identification of the private network from the second network element.
Fig. 9 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application, where the communication apparatus may be a first network element in a first network in the foregoing embodiments. The communication device 500 includes: a receiving unit 51, a processing unit 52, and a transmitting unit 53; wherein:
a receiving unit 51 for receiving an identifier of a private network from a second network;
a processing unit 52, configured to determine, according to the identifier of the private network, a user subscription data acquisition request of the terminal device;
a sending unit 53, configured to send the user subscription data acquisition request to a third network;
the receiving unit 51 is further configured to receive a user subscription data acquisition response returned by the third network, where the user subscription data acquisition response includes first user subscription data of the terminal device in the private network;
the sending unit 53 is further configured to send the first user subscription data to the terminal device.
In a possible implementation, the receiving unit 51 is further configured to receive a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type, and a slice identifier;
the processing unit 52 is further configured to determine a first authentication server in the first network according to the registration request;
the sending unit 53 is further configured to send an authentication request of the terminal device to the second network through the first authentication server;
the processing unit 52 is specifically configured to determine the first authentication server according to an identifier of the second network included in the hidden identifier of the user; or
the processing unit 52 is specifically configured to determine the first authentication server according to a routing indication included in the hidden identifier of the user; or
the processing unit 52 is specifically configured to determine the first authentication server according to the online indication, where the online indication is used to indicate that the type of the registration request is an online service; or
The processing unit 52 is specifically configured to determine the first authentication server according to the registration type, where the registration type is an online service; or
The processing unit 52 is specifically configured to determine the first authentication server according to the slice identifier.
The specific implementation of the receiving unit 51, the processing unit 52 and the sending unit 53 can refer to the description of the first network element in the embodiments shown in fig. 3 to 5.
According to the communication device provided by the embodiment of the application, the device can select a proper PS to acquire correct user subscription data according to the private network identifier received from the second network; furthermore, the device can encrypt the second user subscription data by adopting the received first public key to obtain the first user subscription data and send the first user subscription data, so that the acquisition of the user subscription data can be protected, the user subscription data is prevented from being stolen, and the communication security is improved.
Optionally, an embodiment of the present application further provides a chip system including at least one processor and an interface, where the at least one processor is coupled to a memory through the interface and, when it executes the computer program or instructions in the memory, causes the method of any of the above method embodiments to be performed. Optionally, the chip system may consist of a single chip, or may include a chip together with other discrete devices; this is not specifically limited in this embodiment of the present application.
It should be understood that in the description of the present application, unless otherwise indicated, "/" indicates an "or" relationship between the objects before and after it, e.g., A/B may indicate A or B, where A and B can be singular or plural. Also, in the description of the present application, "a plurality" means two or more unless otherwise specified. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, c may be single or multiple. In addition, to describe the technical solutions of the embodiments of the present application clearly, terms such as "first" and "second" are used in the embodiments to distinguish the same items or similar items having substantially the same functions and actions. Those skilled in the art will appreciate that the terms "first," "second," etc. do not denote any order, quantity or importance. Also, in the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as an example, instance or illustration. Any embodiment or design described herein as "exemplary" or "for example" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the words "exemplary" or "such as" is intended to present relevant concepts in a concrete fashion for ease of understanding.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented using software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions described in accordance with the embodiments of the present application are generated in whole or in part when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more such media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., Digital Versatile Disk (DVD)), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
While the present application has been described in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a review of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the word "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Although the present application has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the application. Accordingly, the specification and figures are merely exemplary of the present application as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the present application. It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (20)

1. A method for acquiring user subscription data is characterized by comprising the following steps:
generating a first public key and a first private key;
sending a registration request to a first network, the registration request including the first public key;
receiving first user subscription data, wherein the first user subscription data is obtained by encrypting second user subscription data by adopting the first public key;
and decrypting the first user subscription data by using the first private key to obtain the second user subscription data.
2. The method of claim 1, wherein the registration request further comprises an online indication, and wherein the online indication is used to indicate that the type of the registration request is an online service.
3. The method according to claim 1 or 2, wherein the registration request further comprises a hidden identifier of the user, wherein the first public key is included in the hidden identifier of the user.
4. A method for acquiring user subscription data is characterized by comprising the following steps:
receiving an authentication request from a first network for a terminal device, the authentication request comprising a first public key;
saving the first public key;
sending an identity of a private network to the first network;
and sending the first public key to a third network.
5. The method of claim 4, wherein the authentication request further comprises a hidden user identifier, and wherein the hidden user identifier comprises the first public key.
6. The method according to claim 4 or 5, wherein the authentication request further comprises an online indication, and the online indication is used for indicating that the type of the authentication request is an online service;
the saving the first public key comprises:
and saving the first public key according to the online indication.
7. A method for acquiring user subscription data is characterized by comprising the following steps:
a first network element in a first network receives an identification of a private network from a second network;
the first network element sends a user subscription data acquisition request of the terminal equipment to a third network according to the identification of the private network;
the first network element receives a user subscription data acquisition response returned by the third network, wherein the user subscription data acquisition response comprises first user subscription data of the terminal equipment in the private network;
and the first network element sends the first user subscription data to the terminal equipment.
8. The method of claim 7, wherein prior to the first network element receiving the identity of the private network from the second network, further comprising:
the first network element receives a registration request from the terminal equipment, wherein the registration request carries at least one of the following items: a user hidden identifier, an online indication, a registration type and a slice identifier;
the first network element determines a first authentication server in the first network according to the registration request;
the first network element sends an authentication request of the terminal equipment to the second network through the first authentication server;
wherein determining the first authentication server according to the registration request comprises:
the user hidden identifier comprises an identifier of the second network, and the first authentication server is determined according to the identifier of the second network; or
The user hidden identifier comprises a routing indication, and the first authentication server is determined according to the routing indication; or
Determining the first authentication server according to the online indication, wherein the online indication is used for indicating that the type of the registration request is an online service; or
Determining the first authentication server according to the registration type, wherein the registration type is an online service; or
And determining the first authentication server according to the slice identifier.
9. The method of claim 8, wherein the registration request includes a first public key, and wherein, prior to the first network element receiving the identity of the private network from the second network, further comprising:
and sending the first public key to the second network, wherein the first user subscription data is obtained by encrypting second user subscription data by adopting the first public key.
10. The method according to claim 8 or 9, wherein the registration request comprises a hidden identifier of the user, wherein the first public key is included in the hidden identifier of the user.
11. An apparatus for acquiring user subscription data, comprising:
the processing unit is used for generating a first public key and a first private key;
a sending unit, configured to send a registration request to a first network, where the registration request includes the first public key;
a receiving unit, configured to receive first user subscription data, where the first user subscription data is obtained by encrypting second user subscription data by using the first public key;
the processing unit is further configured to decrypt the first user subscription data using the first private key to obtain the second user subscription data.
12. The apparatus according to claim 11, wherein the registration request further includes an online indication, and the online indication is used to indicate that the type of the registration request is an online service.
13. The apparatus according to claim 11 or 12, wherein the registration request further comprises a hidden identifier of the user, the hidden identifier of the user comprising the first public key.
14. A communications apparatus, comprising:
a receiving unit, configured to receive an authentication request for a terminal device from a first network, where the authentication request includes a first public key;
the processing unit is used for saving the first public key;
a sending unit, configured to send an identifier of a private network to the first network;
the sending unit is further configured to send the first public key to a third network.
15. The apparatus of claim 14, wherein the authentication request further comprises a hidden user identifier, and wherein the hidden user identifier comprises the first public key.
16. The apparatus according to claim 14 or 15, wherein the authentication request further includes an online indication, and the online indication is used to indicate that the type of the authentication request is an online service;
and the processing unit is used for storing the first public key according to the online indication.
17. A communications apparatus, comprising:
a receiving unit configured to receive an identification of a private network from a second network;
the processing unit is used for determining a user subscription data acquisition request of the terminal equipment according to the identification of the private network;
a sending unit, configured to send the user subscription data acquisition request to a third network;
the receiving unit is further configured to receive a user subscription data acquisition response returned by the third network, where the user subscription data acquisition response includes first user subscription data of the terminal device in the private network;
the sending unit is further configured to send the first user subscription data to the terminal device.
18. The apparatus of claim 17, wherein:
the receiving unit is further configured to receive a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type and a slice identifier;
the processing unit is further configured to determine a first authentication server in the first network according to the registration request;
the sending unit is further configured to send an authentication request of the terminal device to the second network through the first authentication server;
the processing unit is specifically configured to determine, according to the identifier of the second network, the first authentication server, where the hidden identifier of the user includes an identifier of the second network; or
The processing unit is specifically configured to determine, according to a routing indication included in the hidden identifier of the user, the first authentication server; or
The processing unit is specifically configured to determine the first authentication server according to the online indication, where the online indication is used to indicate that the type of the registration request is an online service; or
The processing unit is specifically configured to determine the first authentication server according to the registration type, where the registration type is an online service; or
The processing unit is specifically configured to determine the first authentication server according to the slice identifier.
19. The apparatus of claim 18, wherein the registration request comprises a first public key, and the sending unit is further configured to send the first public key to the second network, and the first user subscription data is obtained by encrypting second user subscription data with the first public key.
20. The apparatus according to claim 18 or 19, wherein the registration request comprises a hidden identifier of the user, the hidden identifier of the user comprising the first public key.
CN202010790909.7A 2020-08-07 2020-08-07 Method and device for acquiring user subscription data Active CN114071452B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010790909.7A CN114071452B (en) 2020-08-07 2020-08-07 Method and device for acquiring user subscription data
PCT/CN2021/108022 WO2022028259A1 (en) 2020-08-07 2021-07-23 User subscription data obtaining method and apparatus


Publications (2)

Publication Number Publication Date
CN114071452A true CN114071452A (en) 2022-02-18
CN114071452B CN114071452B (en) 2023-04-04


Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant