CN115915126A - Method and apparatus for secure communication - Google Patents
- Publication number: CN115915126A
- Application number: CN202111073980.4A
- Authority: CN (China)
- Prior art keywords: indication information, authentication, network, access, nswo
- Legal status: Pending
Abstract
The application provides a method for secure communication in a scenario in which a terminal device accesses a network by non-seamless WLAN offload (NSWO). The method comprises: a unified data management (UDM) entity receives indication information from an authentication service function (AUSF) entity; according to the indication information, the UDM entity selects extensible authentication protocol-authentication and key agreement (EAP-AKA') from at least two authentication methods and authenticates with the terminal device. By indicating to the UDM that it should select the EAP-AKA' method, the authentication procedure between the UE and the 5GC in the NSWO scenario is completed.
Description
The present application claims priority of the Chinese patent application entitled "method and apparatus for secure communication", filed with the Chinese Intellectual Property Office on 8/6/2021 under application number 202110904250.8, which is incorporated herein by reference in its entirety.
Technical Field
The present application relates to the field of communications, and more particularly, to a method and apparatus for secure communications.
Background
User equipment (UE) can access a network by means of non-seamless WLAN offload (NSWO), so that the UE reaches the network over a non-3rd Generation Partnership Project (non-3GPP) access technology. At present this access mode is limited to fourth generation (4G) systems. How to extend the range of application of the NSWO access mode is therefore a problem that needs to be solved.
Disclosure of Invention
The application provides a method and an apparatus for secure communication. The NSWO scenario is applied to the fifth generation (5G) system, which extends the range of application of the NSWO access mode, and the authentication flow between the UE and the fifth generation core network (5GC) in the NSWO scenario is completed by indicating to the UDM that it should select the EAP-AKA' authentication method.
In a first aspect, a method for secure communication is provided that applies to a scenario in which a terminal device accesses a network by non-seamless WLAN offload (NSWO). The method includes: the unified data management entity receives indication information from the authentication service function entity; according to the indication information, the unified data management entity selects extensible authentication protocol-authentication and key agreement (EAP-AKA') from at least two authentication methods and authenticates with the terminal device.
With this scheme the NSWO scenario is applied to the 5G system, which extends the range of the NSWO access mode, and the authentication flow between the UE and the 5GC in the NSWO scenario is completed by indicating to the UDM that it should select the EAP-AKA' authentication method. In addition, in the NSWO scenario the terminal device can access the 5GC through a non-3GPP access technology without passing through the AMF, which reduces the load on the AMF and saves the cost of deploying the architecture in which the UE accesses the 5GC through non-3GPP technology.
With reference to the first aspect, in certain implementations of the first aspect, the indication information is a subscription concealed identifier (SUCI) in network access identifier (NAI) format, or a field within the SUCI.
With reference to the first aspect, in certain implementations of the first aspect, the indication information includes any one or more of: an identifier of the authentication service function entity, an identifier of the network in which the terminal device is located, access type indication information, or access method indication information, where the access type indication information indicates the type of the access network and the access method indication information indicates the characteristics of the access technology used by the terminal device.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the unified data management entity stores information identifying that the terminal device accessed the network by means of non-seamless WLAN offload (NSWO); or, the unified data management entity stores information identifying that the terminal device accessed the network through NSWO together with an identifier of the authentication service function entity.
With this scheme, when the UDM records a successful authentication it may record only that authentication succeeded through NSWO, without the ID of the authentication service function entity; this keeps the UDM simple to maintain, changes few network elements and is easy to deploy. Alternatively, the NSWO authentication success state may be bound to the ID of the authentication service function entity, so that the entry recorded by the UDM is more precise.
With reference to the first aspect, in certain implementations of the first aspect, the information that the terminal device accessed the network by means of non-seamless WLAN offload (NSWO) is used in an extensible authentication protocol (EAP) re-authentication procedure.
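The selection step of the first aspect, together with the storage of the NSWO authentication state and its use in EAP re-authentication, as an added Python illustration that is not code from the patent. The SUCI field layout is modelled on the NAI-format SUCI of TS 23.003 with illustrative values; the "nswo" realm label, the indication field names, the set of NSWO-dedicated AUSF identifiers and the subscription table are assumptions made here, not details the patent states.

```python
"""Added illustration, not code from the patent: a UDM-side selector that reads
the NSWO indication from a NAI-format SUCI or from the explicit indication
fields an AUSF forwards, chooses EAP-AKA' over 5G-AKA, and records the result
for a later EAP re-authentication. Field names and realm labels are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional

EAP_AKA_PRIME = "EAP-AKA'"
FIVE_G_AKA = "5G-AKA"
# Username labels of a NAI-format SUCI (layout modelled on TS 23.003; assumed here).
SUCI_LABELS = ("type", "rid", "schid", "hnkey", "ecckey", "cip", "mac", "userid")


def parse_nai_suci(suci: str) -> Dict[str, str]:
    """Split 'type0.rid678.schid0.userid0123456789@realm' into labelled parts.
    Malformed input is rejected rather than guessed at, because the UDM is
    about to make an authentication decision on it."""
    if suci.count("@") != 1:
        raise ValueError("NAI-format SUCI must contain exactly one '@'")
    username, realm = suci.split("@")
    parts: Dict[str, str] = {"realm": realm.lower()}
    for token in username.split("."):
        label = next((l for l in SUCI_LABELS if token.startswith(l)), None)
        if label is None or label in parts:
            raise ValueError(f"unexpected or repeated SUCI field: {token!r}")
        parts[label] = token[len(label):]
    for required in ("type", "rid", "schid"):
        if required not in parts:
            raise ValueError(f"SUCI is missing the '{required}' field")
    return parts


def supi_from_null_scheme(parts: Dict[str, str]) -> str:
    """Only the null protection scheme (schid0) carries the MSIN in clear; other
    schemes need ECIES deconcealment with the home network key (not shown).
    MNC zero-padding handling is omitted here (simplification)."""
    if parts["schid"] != "0":
        raise NotImplementedError("deconcealment of a protected SUCI is not shown")
    if parts["type"] != "0":
        raise NotImplementedError("only IMSI-type SUPI is shown")
    labels = parts["realm"].split(".")
    mcc = next((l[3:] for l in labels if l.startswith("mcc")), None)
    mnc = next((l[3:] for l in labels if l.startswith("mnc")), None)
    if mcc is None or mnc is None:
        raise ValueError("realm does not carry mcc/mnc labels")
    return f"imsi-{mcc}{mnc}{parts['userid']}"


@dataclass
class Indication:
    """Indication information the AUSF forwards to the UDM (first/third aspect).
    Any one of the optional fields may carry the NSWO signal."""
    suci: str
    ausf_id: Optional[str] = None
    serving_network: Optional[str] = None
    access_type: Optional[str] = None     # e.g. "non-3gpp"
    access_method: Optional[str] = None   # e.g. "nswo"


class Udm:
    def __init__(self, subscriptions: Dict[str, str], nswo_ausf_ids=()):
        self.subscriptions = subscriptions        # SUPI -> subscribed method
        self.nswo_ausf_ids = set(nswo_ausf_ids)   # AUSFs deployed for NSWO (assumed config)
        self.auth_state: Dict[str, Dict[str, Optional[str]]] = {}

    def is_nswo(self, ind: Indication) -> bool:
        """NSWO is signalled by a realm label in the SUCI, by the access method
        field, or by the AUSF being one that only serves NSWO access."""
        parts = parse_nai_suci(ind.suci)
        if "nswo" in parts["realm"].split("."):
            return True
        if (ind.access_method or "").lower() == "nswo":
            return True
        return ind.ausf_id in self.nswo_ausf_ids

    def select_method(self, ind: Indication) -> str:
        """NSWO bypasses the AMF/SEAF, so 5G-AKA cannot complete: force EAP-AKA'.
        Otherwise use the method recorded in the subscription."""
        if self.is_nswo(ind):
            return EAP_AKA_PRIME
        supi = supi_from_null_scheme(parse_nai_suci(ind.suci))
        return self.subscriptions.get(supi, FIVE_G_AKA)

    def record_success(self, ind: Indication, bind_ausf: bool = False) -> None:
        """Store 'authenticated through NSWO', optionally bound to the AUSF ID
        (the two storage variants of the first aspect)."""
        supi = supi_from_null_scheme(parse_nai_suci(ind.suci))
        self.auth_state[supi] = {"nswo": True, "ausf_id": ind.ausf_id if bind_ausf else None}

    def allows_reauth(self, supi: str, ausf_id: str) -> bool:
        """EAP re-authentication is accepted only for a SUPI with a recorded NSWO
        success and, when the record is bound, only from the same AUSF."""
        state = self.auth_state.get(supi)
        if not state or not state["nswo"]:
            return False
        return state["ausf_id"] is None or state["ausf_id"] == ausf_id


if __name__ == "__main__":
    # Constructed inputs: null-scheme SUCIs, one with the assumed "nswo" realm label.
    udm = Udm({"imsi-2340150123456789": FIVE_G_AKA}, nswo_ausf_ids={"ausf-wlan-1"})
    nswo = Indication("type0.rid678.schid0.userid0123456789@nai.5gc.nswo.mnc015.mcc234.3gppnetwork.org")
    plain = Indication("type0.rid678.schid0.userid0123456789@nai.5gc.mnc015.mcc234.3gppnetwork.org")
    print(udm.select_method(nswo), udm.select_method(plain))
```

The selector fails closed on a malformed SUCI and refuses to deconceal anything but the null scheme, so the decision is never made on a guessed identity; the AUSF-ID rule only works if the set of NSWO-dedicated AUSFs is provisioned in the UDM, which is a deployment assumption.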
In a second aspect, a method for secure communication is provided, including: the terminal device receives a message from a wireless access point; the terminal device generates indication information according to the message, where the indication information indicates that the terminal device is in a non-seamless WLAN offload (NSWO) scenario; the terminal device sends the indication information.
With this scheme the NSWO scenario is applied to the 5G system, which extends the range of the NSWO access mode, and the authentication flow between the UE and the 5GC in the NSWO scenario is completed by indicating to the UDM that it should select the EAP-AKA' authentication method. In addition, in the NSWO scenario the terminal device can access the 5GC through a non-3GPP access technology without passing through the AMF, which reduces the load on the AMF and saves the cost of deploying the architecture in which the UE accesses the 5GC through non-3GPP technology.
With reference to the second aspect, in certain implementations of the second aspect, the method further includes: the terminal device determines, according to the message, to access the network by way of NSWO.
With reference to the second aspect, in some implementations of the second aspect, the indication information includes a subscription concealed identifier (SUCI), where the SUCI is in network access identifier (NAI) format, or is generated by the terminal device from a subscription permanent identifier (SUPI) of international mobile subscriber identity (IMSI) type, or is generated by the terminal device in NAI format and includes a first field indicating that EAP-AKA' is to be selected for authentication with the terminal device.
With reference to the second aspect, in certain implementations of the second aspect, the method further includes: the terminal device generates a master session key, where the master session key is the root key from which the keys for communication between the terminal device and the network are derived, and the network is the one the terminal device accesses by way of NSWO.
With this scheme the root key from which the keys for communication between the terminal device and the network are derived is generated after successful authentication, which enables subsequent secure communication between the terminal device and the network in the NSWO scenario and completes the authentication and key distribution procedure for that scenario.
With reference to the second aspect, in some implementations of the second aspect, the sending, by the terminal device, the indication information includes:
the terminal equipment sends the indication information to a unified data management entity or an authentication service function entity or the wireless access point.
In a third aspect, a method for secure communication is provided, including: the authentication service function entity receives a message from a wireless access point; the authentication service function entity generates indication information according to the message, where the indication information instructs the unified data management entity to select extensible authentication protocol-authentication and key agreement (EAP-AKA') for authentication with the terminal device; the authentication service function entity sends the indication information to the unified data management entity.
With this scheme the NSWO scenario is applied to the 5G system, which extends the range of the NSWO access mode, and the authentication flow between the UE and the 5GC in the NSWO scenario is completed by indicating to the UDM that it should select the EAP-AKA' authentication method. In addition, in the NSWO scenario the terminal device can access the 5GC through a non-3GPP access technology without passing through the AMF, which reduces the load on the AMF and saves the cost of deploying the architecture in which the UE accesses the 5GC through non-3GPP technology.
With reference to the third aspect, in certain implementations of the third aspect, the indication information includes any one or more of: an identifier of the authentication service function entity, an identifier of the network in which the terminal device is located, access type indication information, or access method indication information, where the access type indication information indicates the type of the access network and the access method indication information indicates the characteristics of the access technology used by the terminal device.
With reference to the third aspect, in certain implementations of the third aspect, the method further includes: the authentication service function entity determines, according to the message, that the terminal device accesses the network by way of NSWO.
With reference to the third aspect, in certain implementations of the third aspect, the method further includes: the authentication service function entity generates a master session key, wherein the master session key is used for generating a key for the terminal equipment to communicate with the network; the authentication service function entity sends the master session key to the wireless access point.
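As an added example that is not part of the patent, the following Python code carries out the EAP-AKA' key derivation (RFC 5448, with the CK'/IK' derivation of 3GPP TS 33.402 Annex A.2) that produces the master session key described for the second and third aspects; the AUSF would hand the resulting MSK to the WLAN access point. The CK, IK, SQN xor AK and identity values are constructed sample inputs, and the network name "5G:NSWO" is an assumption made here for the NSWO case, not something the patent states.

```python
"""Added example (not the patent's own code): EAP-AKA' key derivation that
yields the MSK the AUSF sends to the WLAN AP, per RFC 5448 and TS 33.402 A.2.
Sample CK/IK/SQN xor AK/identity are constructed; "5G:NSWO" is an assumed
network name for the NSWO access."""
import hashlib
import hmac
from typing import Dict, Tuple


def derive_ck_ik_prime(ck: bytes, ik: bytes, network_name: bytes, sqn_xor_ak: bytes) -> Tuple[bytes, bytes]:
    """CK' || IK' = HMAC-SHA-256(CK || IK, FC || P0 || L0 || P1 || L1) with
    FC = 0x20, P0 = network name, P1 = SQN xor AK (TS 33.402 Annex A.2).
    Binding the network name into the keys is what stops an MSK obtained over
    one access network from being reused on another."""
    if len(ck) != 16 or len(ik) != 16 or len(sqn_xor_ak) != 6:
        raise ValueError("CK and IK are 128-bit, SQN xor AK is 48-bit")
    s = (b"\x20" + network_name + len(network_name).to_bytes(2, "big")
         + sqn_xor_ak + b"\x00\x06")
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]


def prf_prime(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5448 section 3.4.1: T1 = HMAC-SHA-256(K, S | 0x01),
    Tn = HMAC-SHA-256(K, T(n-1) | S | n); output is T1 | T2 | ... truncated."""
    out = b""
    prev = b""
    counter = 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:length]


def eap_aka_prime_keys(ck_prime: bytes, ik_prime: bytes, identity: bytes) -> Dict[str, bytes]:
    """MK = PRF'(IK' | CK', "EAP-AKA'" | identity), split as in RFC 5448 3.3.
    Note the IK'-before-CK' order of the PRF' key."""
    mk = prf_prime(ik_prime + ck_prime, b"EAP-AKA'" + identity, 208)
    return {
        "k_encr": mk[0:16],     # 128 bits: protects AT_ENCR_DATA
        "k_aut": mk[16:48],     # 256 bits: AT_MAC key
        "k_re": mk[48:80],      # 256 bits: re-authentication key
        "msk": mk[80:144],      # 512 bits: handed to the authenticator (WLAN AP)
        "emsk": mk[144:208],    # 512 bits: never leaves the server
    }


def nswo_msk(ck: bytes, ik: bytes, sqn_xor_ak: bytes, identity: bytes,
             network_name: bytes = b"5G:NSWO") -> bytes:
    """AUSF-side computation of the MSK to send to the WLAN AP for an NSWO UE."""
    ck_p, ik_p = derive_ck_ik_prime(ck, ik, network_name, sqn_xor_ak)
    return eap_aka_prime_keys(ck_p, ik_p, identity)["msk"]


if __name__ == "__main__":
    # Constructed sample inputs; a real AUSF gets CK/IK and SQN xor AK from the UDM/ARPF.
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    sqn_xor_ak = bytes.fromhex("000102030405")
    identity = b"0123456789@nai.5gc.mnc015.mcc234.3gppnetwork.org"
    print(nswo_msk(ck, ik, sqn_xor_ak, identity).hex())
```

Only the MSK goes to the access point; the EMSK and K_aut stay with the AUSF, which is why the derivation is done on the network side and the AP receives a single 64-byte value.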
With this scheme, when the UDM records a successful authentication it may record only that authentication succeeded through NSWO, without the ID of the authentication service function entity; this keeps the UDM simple to maintain, changes few network elements and is easy to deploy. Alternatively, the NSWO authentication success state may be bound to the ID of the authentication service function entity, so that the entry recorded by the UDM is more precise.
In a fourth aspect, an apparatus for secure communication is provided, comprising: a transceiver module configured to receive a message from a wireless access point; and a processing module configured to generate indication information according to the message, where the indication information indicates that the terminal device is in a non-seamless WLAN offload (NSWO) scenario; the transceiver module is further configured to send the indication information.
With this scheme the NSWO scenario is applied to the 5G system, which extends the range of the NSWO access mode, and the authentication flow between the UE and the 5GC in the NSWO scenario is completed by indicating to the UDM that it should select the EAP-AKA' authentication method. In addition, in the NSWO scenario the terminal device can access the 5GC through a non-3GPP access technology without passing through the AMF, which reduces the load on the AMF and saves the cost of deploying the architecture in which the UE accesses the 5GC through non-3GPP technology.
With reference to the fourth aspect, in some implementations of the fourth aspect, the processing module is further configured to determine to access the network using the NSWO manner according to the message.
With reference to the fourth aspect, in some implementations of the fourth aspect, the indication information is a subscription concealed identifier (SUCI) in network access identifier (NAI) format, or a field within the SUCI.
With reference to the fourth aspect, in some implementations of the fourth aspect, the processing module is further configured to generate a master session key, where the master session key is used to generate a key for the terminal device to communicate with a network, and the network is a network accessed by the terminal device through the NSWO.
With reference to the fourth aspect, in some implementations of the fourth aspect, the transceiver module is further specifically configured to send the indication information to a unified data management entity or an authentication service function entity or the radio access point.
In a fifth aspect, an apparatus for secure communication is provided that applies to a scenario in which a terminal device accesses a network by non-seamless WLAN offload (NSWO), comprising: a transceiver module configured to receive indication information from the authentication service function entity; and a processing module configured to select, according to the indication information, extensible authentication protocol-authentication and key agreement (EAP-AKA') from at least two authentication methods and to authenticate with the terminal device.
With this scheme the NSWO scenario is applied to the 5G system, which extends the range of the NSWO access mode, and the authentication flow between the UE and the 5GC in the NSWO scenario is completed by indicating to the UDM that it should select the EAP-AKA' authentication method. In addition, in the NSWO scenario the terminal device can access the 5GC through a non-3GPP access technology without passing through the AMF, which reduces the load on the AMF and saves the cost of deploying the architecture in which the UE accesses the 5GC through non-3GPP technology.
With reference to the fifth aspect, in some implementations of the fifth aspect, the indication information is a subscription concealed identifier (SUCI) in network access identifier (NAI) format, or a field within the SUCI.
With reference to the fifth aspect, in certain implementations of the fifth aspect, the indication information includes any one or more of: an identifier of the authentication service function entity, an identifier of the network in which the terminal device is located, access type indication information, or access method indication information, where the access type indication information indicates the type of the access network and the access method indication information indicates the characteristics of the access technology used by the terminal device.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing module is further configured to store information identifying that the terminal device accessed the network by means of non-seamless WLAN offload (NSWO); or, the processing module is further configured to store information identifying that the terminal device accessed the network through NSWO together with an identifier of the authentication service function entity.
With reference to the fifth aspect, in some implementations of the fifth aspect, the information that the terminal device accessed the network by means of non-seamless WLAN offload (NSWO) is used in an extensible authentication protocol (EAP) re-authentication procedure.
In a sixth aspect, an apparatus for secure communication is provided, comprising: the receiving and sending module is used for receiving the message from the wireless access point; the processing module is used for generating indication information according to the message, wherein the indication information is used for indicating the unified data management entity to select extensible authentication protocol-authentication and key agreement EAP-AKA' for authentication with the terminal equipment; the transceiver module is further configured to send the indication information to the unified data management entity.
With this scheme the NSWO scenario is applied to the 5G system, which extends the range of the NSWO access mode, and the authentication flow between the UE and the 5GC in the NSWO scenario is completed by indicating to the UDM that it should select the EAP-AKA' authentication method. In addition, in the NSWO scenario the terminal device can access the 5GC through a non-3GPP access technology without passing through the AMF, which reduces the load on the AMF and saves the cost of deploying the architecture in which the UE accesses the 5GC through non-3GPP technology.
With reference to the sixth aspect, in some implementations of the sixth aspect, the indication information includes any one or more of: an identifier of the authentication service function entity, an identifier of the network in which the terminal device is located, access type indication information, or access method indication information, where the access type indication information indicates the type of the access network and the access method indication information indicates the characteristics of the access technology used by the terminal device.
With reference to the sixth aspect, in some implementations of the sixth aspect, the processing module is further configured to determine, according to the message, that the terminal device accesses the network by way of NSWO.
With reference to the sixth aspect, in some implementations of the sixth aspect, the processing module is further configured to generate a master session key, where the master session key is used to generate a key for the terminal device to communicate with the network; the transceiver module is further configured to send the master session key to the wireless access point.
In a seventh aspect, a communication apparatus is provided, and includes: a processor and a memory; the memory for storing a computer program; the processor is configured to execute the computer program stored in the memory to enable the communication apparatus to perform the communication method according to any one of the first aspect to the third aspect.
In an eighth aspect, there is provided a computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when the computer program runs on a computer, the computer is caused to execute the communication method according to any one of the first to third aspects.
In a ninth aspect, a chip system is provided, which includes: a processor configured to call and run the computer program from the memory, so that the communication device with the system on chip installed therein executes the communication method according to any one of the first to third aspects.
In a tenth aspect, a system for secure communication is provided, comprising: a terminal device configured to receive a message from a wireless access point; the terminal device is further configured to generate first indication information according to the message, where the first indication information indicates that the terminal device is in a non-seamless WLAN offload (NSWO) scenario; the terminal device is further configured to send the first indication information to an authentication service function entity; the authentication service function entity is configured to receive the first indication information; the authentication service function entity is further configured to send second indication information to a unified data management entity, where the second indication information indicates that EAP-AKA' is to be selected for authentication with the terminal device; and the unified data management entity is configured to select EAP-AKA' from at least two authentication methods according to the second indication information and to authenticate with the terminal device.
In an eleventh aspect, a system for secure communication is provided, comprising: an authentication service function entity configured to receive a message; the authentication service function entity is further configured to generate indication information according to the message, where the indication information instructs a unified data management entity to select extensible authentication protocol-authentication and key agreement (EAP-AKA') for authentication with the terminal device; the authentication service function entity is further configured to send the indication information to the unified data management entity; and the unified data management entity is configured to select EAP-AKA' from at least two authentication methods according to the indication information and to authenticate with the terminal device.
Drawings
Fig. 1 provides a schematic diagram of a non-3GPP access architecture in 4G.
Fig. 2 shows the current 5G network architecture.
Fig. 3 shows the structure of the SUCI.
Fig. 4 shows a schematic interaction diagram of a method 100 of secure communication as provided herein.
Fig. 5 shows a schematic interaction diagram of a method 200 of secure communication as provided by the present application.
Fig. 6 shows a schematic interaction diagram of a method 300 of secure communication provided herein.
Fig. 7 shows a schematic interaction diagram of a method 400 of secure communication provided by the present application.
Fig. 8 shows a key architecture for generating an MSK according to the present application.
Fig. 9 shows a schematic interaction diagram of a method 500 of secure communication provided herein.
Fig. 10 shows a schematic interaction diagram of a method 600 of secure communication provided herein.
Fig. 11 shows a schematic interaction diagram of a method 700 of secure communication provided by the present application.
Fig. 12 is a schematic block diagram of a communication device for secure communication according to an embodiment of the present application.
Fig. 13 is a schematic diagram of an apparatus 20 for secure communication according to an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
The technical solution provided by the embodiments of the application can be applied to various communication systems, such as a Long Term Evolution (LTE) system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a Universal Mobile Telecommunications System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a fifth generation (5G) system, a New Radio (NR) system, or a future 3GPP system.
Generally, a conventional communication system supports a limited number of connection types and is easy to implement; however, as communication technology develops, mobile communication systems will support not only conventional communication but also, for example, device-to-device (D2D) communication, machine-to-machine (M2M) communication, machine type communication (MTC), and vehicle-to-everything (V2X) communication (also called vehicle network communication), such as vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), vehicle-to-pedestrian (V2P) and vehicle-to-network (V2N) communication.
Fig. 1 provides a schematic diagram of a non-3GPP access architecture in 4G. The following describes each network element that may be involved in the embodiment of the present application with reference to fig. 1.
Non-3GPP access means that the UE accesses the operator network through a non-3GPP access technology and uses the operator's network resources. Non-3GPP access technologies include WLAN, CDMA and similar access technologies.
1. User equipment (UE): may also be referred to as a terminal device, terminal, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user equipment. The UE may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, a terminal device in a future evolved public land mobile network (PLMN) or a non-terrestrial network (NTN), an end device, a logical entity, a smart device such as a mobile phone or smart terminal, a communication device such as a server, gateway, base station or controller, or an Internet of Things (IoT) device such as a sensor, electricity meter or water meter. It may also be an unmanned aerial vehicle (UAV) with communication capability. The embodiments of the present application do not limit this.
2. A Home Subscriber Server (HSS) is a server used for storing user subscription information in an Evolved Packet System (EPS), and is mainly responsible for managing subscription data of a user and location information of a mobile user.
3. A Policy and Charging Rules Function (PCRF) is a policy and charging control policy decision point for traffic data flow and Internet Protocol (IP) bearer resources, and selects and provides available policy and charging control decisions for a policy and charging execution function.
4. Public data network (PDN) gateway: provides session management and bearer control, data forwarding, IP address allocation and non-3GPP user access for the user. It is the anchor point for both 3GPP and non-3GPP access to the public data network (PDN).
5. Authentication, authorization and accounting (AAA) server: the server program can process the user access request, provides authentication authorization and account service, and mainly aims to manage the user access to the network server and provide service for the user with access right. The AAA server typically works in conjunction with network access control, gateway servers, databases, and user information directories.
6. Evolved packet data gateway (ePDG): terminates the IPsec tunnels from UEs on untrusted non-3GPP access networks and connects them to the PDN gateway, so that such UEs can reach the evolved packet core.
7. IP Multimedia Subsystem (IMS): a new form of multimedia service delivery that meets end customers' demand for more novel and diverse multimedia services.
As can be seen from fig. 1, when the UE accesses the network through the non-3GPP, the UE passes through network elements such as an HSS and an AAA server, but does not pass through a core network element such as a Mobility Management Entity (MME). For example, when the UE accesses the network through a non-seamless WLAN offload (NSWO) mode, the UE may access the network through a WLAN access point (Wi-Fi AP) without passing through the MME.
In 5G networks, it has been standardised that UEs can access a 5G core network via non-3GPP access technologies. However, the standardized protocol of the 5G network does not consider the application of the NSWO access method, that is, a scenario that the UE does not access the 5GC through an access and mobility management function (AMF) is not considered.
Fig. 2 shows the current 5G network architecture. The following describes each network element that may be involved in the embodiment of the present application with reference to fig. 2.
1. UE: with particular reference to the corresponding description of fig. 1.
2. Access Network (AN): provides the network access function for authorised users in a specific area and can use transmission tunnels of different quality according to the user's level, the service requirements and so on. The access network may use different access technologies. There are currently two types of radio access technology: 3GPP access technologies (for example the radio access technologies used in 3G, 4G or 5G systems and future 3GPP radio access technologies) and non-3GPP (non-third generation partnership project) access technologies. A 3GPP access technology is one that meets 3GPP standard specifications; an access network using a 3GPP access technology is referred to as a Radio Access Network (RAN), and the access network device in a 5G system is referred to as a next generation Node B (gNB). A non-3GPP access technology is one that does not conform to 3GPP specifications, for example the air interface technology represented by the Access Point (AP) in Wi-Fi.
An access network that implements an access network function based on a wireless communication technology may be referred to as a Radio Access Network (RAN). The radio access network can manage radio resources, provide access service for the terminal, and further complete the forwarding of control signals and user data between the terminal and the core network.
The radio access network device may be, for example, a base station (NodeB), an evolved NodeB (eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, an AP in a Wi-Fi system, a wireless controller in a Cloud Radio Access Network (CRAN) scenario, a relay station, an access point, an in-vehicle device, a wearable device, a network device in a future 5G network or in a future-evolved PLMN, and the like. The embodiments of the present application do not limit the specific technology or device form used by the radio access network device.
3. Access and mobility management function (AMF) entity: mainly used for mobility management, access management and the like; it can implement the functions of the Mobility Management Entity (MME) other than session management, such as lawful interception or access authorisation (or authentication).
4. Authentication service function (AUSF) entity: mainly used for user authentication and the like.
5. Unified Data Management (UDM) entity: handles subscriber identification, access authentication, registration, mobility management and the like.
In the network architecture shown in fig. 2, the N1 interface is the reference point between the terminal and the AMF entity; the N2 interface is the reference point between the AN entity and the AMF entity and is used, among other things, to carry non-access stratum (NAS) messages; the N3 interface is the reference point between the (R)AN and the User Plane Function (UPF) entity and is used to carry user-plane data; the N4 interface is the reference point between the Session Management Function (SMF) entity and the UPF entity and is used to carry information such as the tunnel identification of the N3 connection, data buffering indication information and downlink data notification messages; the N6 interface is the reference point between the UPF entity and the Data Network (DN) and is used to carry user-plane data.
It should be understood that the network architecture shown in fig. 2 may be applied to the embodiment of the present application, and the network architecture to which the embodiment of the present application is applied is not limited thereto, and any network architecture capable of implementing the functions of the network elements described above is applied to the embodiment of the present application.
It should be further understood that the AMF entity, the SMF entity, the UPF entity, the network exposure function (NEF) entity, the AUSF entity, the network repository function (NRF) entity, the Policy Control Function (PCF) entity and the UDM entity shown in fig. 2 may be understood as network elements of the core network that implement different functions, and may for example be combined into a network slice as needed. The core network elements may be independent devices, or may be integrated in the same device to implement different functions, which is not limited in this application. It should be noted that a "network element" may also be referred to as an entity, a device, an apparatus, a module or the like, and the present application is not particularly limited in this respect.
It should also be understood that the above-mentioned names are only used for distinguishing different functions, and do not represent that these network elements are respectively independent physical devices, and the present application does not limit the specific form of the above-mentioned network elements, for example, the network elements may be integrated into the same physical device, or may be different physical devices. Furthermore, the above nomenclature is used only to distinguish between different functions and should not be construed as limiting the application in any way, and the application does not preclude the possibility of other nomenclature being used in 5G networks and other networks in the future. For example, in a 6G network, some or all of the above network elements may follow the terminology in 5G, and may also adopt other names, etc. The description is unified here, and will not be described below.
It should also be understood that the various network elements in fig. 2 communicate with each other based on a service interface, for example, information interaction or service invocation is performed between the various network elements by using the service interface. The name of the interface between each network element in fig. 2 is only an example, and the name of the interface in the specific implementation may be other names, which is not specifically limited in this application. In addition, the name of the transmitted message (or signaling) between the network elements is only an example, and the function of the message itself is not limited in any way.
In this network architecture, the RAN supports two access technologies, 3GPP access and non-3GPP access. As can be seen from fig. 2, when the UE accesses the 5GC through a non-3GPP technology it must go through the AMF. In fact, under 3GPP/non-3GPP convergence, the UE must go through the AMF both to access the 5GC and to perform authentication over either access technology. In this case, even if the UE could complete its user-plane data exchange over non-3GPP access, it still has to access the 5GC, which places a heavy processing and signalling load on the AMF and affects the communication efficiency of the network. In addition, the architecture in which the UE accesses the 5GC through a non-3GPP technology has not actually been deployed, and deploying it would be very costly.
In view of the fact that in the NSWO mode of the 4G system the UE can access the network through a WLAN access point without passing through a core network element (such as the AMF), that the architecture for UE access in NSWO mode is already widely deployed, and that there is currently no scheme for the UE to access the 5GC in NSWO mode, the present application provides a method and an apparatus for secure communication so that the UE can access the 5GC in NSWO mode without passing through the AMF, thereby reducing the load on the AMF, improving the communication efficiency of the network and saving the cost of deploying the network architecture. When the UE accesses the 5GC in NSWO mode, the UDM in the 5G system supports two authentication methods, EAP-AKA' and 5G-AKA, but only EAP-AKA' can be used in the NSWO scenario; how the UDM selects the authentication method therefore becomes a problem to be solved.
In order to better understand the technical solutions of the embodiments of the present application, some related concepts are described below.
The subscription permanent identifier (SUPI) consists of a SUPI type and a value. There are four SUPI types: IMSI, NSI (Network Specific Identifier), Global Line Identifier (GLI) and Global Cable Identifier (GCI). The value of the SUPI has two formats: IMSI and NAI. The NAI format is a general format of the form username@realm.
So that the SUPI is not exposed over the air interface, the part of the SUPI other than the SUPI type and the home network identifier is passed through a concealment computation, and the result forms part of the subscription concealed identifier (SUCI).
Fig. 3 shows the structure of the SUCI. As shown in fig. 3, SUCI mainly includes the following:
The SUPI type: 0 represents IMSI; 1 represents NSI; 2 represents GLI; 3 represents GCI; 4 to 7 are not yet defined.
The home network identifier is used to identify the home network of the UE.
When the SUPI type is IMSI, the home network identifier is the Mobile Country Code (MCC) and the Mobile Network Code (MNC). When the SUPI type is NSI, the home network identifier is the realm part of the NAI (username@realm). When the SUPI type is GCI, the home network identifier has the format 5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org.
In order to facilitate understanding of the embodiments of the present application, a description will be given below of some concepts related to the present application.
1. In the present application, the UE may access the network in a 3GPP or a non-3GPP manner; non-3GPP access is further divided into access through NSWO and access through non-NSWO.
2. Non-seamless WLAN offload (NSWO) means that the UE uses its operator network credentials, the operator network performs the authentication procedure, and the UE then sends data directly to the external network through the local AP. In other words, NSWO is a way of carrying user data that does not require the 3GPP system to provide services to the UE once the UE's identity has been confirmed with 3GPP credentials, for example the UE accesses a Wi-Fi AP and its user data is not carried through the 3GPP core network.
The expressions "NSWO mode", "NSWO technique", "NSWO access mode", and the like referred to in the present application all represent the above.
It should be noted that the NSWO scenario and the method for secure communication in the NSWO scenario in this application are not limited to be implemented in a 4G system, and may be applied in a 5G or NR system, or a future 6G or 7G system.
3. The non-NSWO mode refers to an access mode in which the UE accesses the 5G core network through a non-3GPP access technology. This access mode requires the operator to provide a trust status and the corresponding authentication procedure, and also requires network elements such as the access and mobility management function (AMF) and the session management function (SMF) to create for the UE the context it uses in the 3GPP network. This is the access procedure standardised by 3GPP in Release 15.
The terms "non-NSWO mode", "non-NSWO technique", "non-NSWO access mode", and the like in the present application all mean the above.
4. In this application, a wireless access point (Wi-Fi AP), which may also be called a WLAN AP, may be a pure access node or an access node that includes a control function. Where the embodiments of the application describe a Wi-Fi AP transmitting a message, any of the following modes applies:
Mode 1: the Wi-Fi AP, acting as an access node, transmits the message directly to the receiver.
Mode 2: the Wi-Fi AP first passes the message to an internal Access Controller (AC).
Mode 3: the Wi-Fi AP passes the message to an external AC, which then sends it to the receiver.
The method 100 for secure communication provided by the present application is described in detail below with reference to fig. 4. Fig. 4 is a schematic interaction diagram of the method 100 of the present application. The method 100 may specifically be implemented by two schemes.
The first scheme is as follows:
S101a, the wireless access point sends a message 01 to the terminal device; correspondingly, the terminal device receives message 01 from the wireless access point.
It should be understood that message 01 may be a message received from the wireless access point while the connection between the terminal device and the wireless access point is being established. Specifically, the information exchange during connection establishment between the terminal device and the wireless access point may follow the relevant steps of the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard. The terminal device can determine from message 01 that it will access the network in NSWO mode.
For how the terminal device determines from message 01 that it will access the network in NSWO mode, reference may be made to the relevant content of S201.
S102a, the terminal device generates indication information 01 according to message 01. Indication information 01 indicates that the terminal device is in an NSWO scenario, or is used to instruct the unified data management entity to select EAP-AKA' for authentication with the terminal device.
The receiver of indication information 01 can determine from it that the unified data management entity needs to be instructed to select EAP-AKA' for authentication with the terminal device. When the receiver is the unified data management entity, the unified data management entity determines from indication information 01 to select EAP-AKA' for authentication with the terminal device.
Specifically, indication information 01 may be a SUCI, may be indication information carried in a SUCI, or may be separate indication information; this application does not limit this.
Illustratively, indication information 01 may be a SUCI in NAI format.
It is to be understood that an NAI-format SUCI may be generated from different types of SUPI, such as an IMSI-type SUPI. Since the SUCI generated from an IMSI-type SUPI is normally in IMSI format, an NAI-format SUCI generated from an IMSI-type SUPI is distinguishable from it and can therefore be used to implicitly indicate use of the EAP-AKA' authentication method. See S203 of method 200 for a specific implementation.
Illustratively, indication information 01 may be carried in the SUCI, and may be a field, a character string or a number in the SUCI; this application does not limit its position in the SUCI. For example, indication information 01 may be the character string "NSWO", indicating that the UE accesses through NSWO. See S203 of method 200 for a specific implementation.
Illustratively, indication information 01 may be separate indication information indicating that the UE accesses the network in NSWO mode, or indicating use of the EAP-AKA' authentication method.
For the description of instructing the unified data management entity to select EAP-AKA' for authentication with the terminal device, reference may be made to the description above.
The receiver of indication information 01 can determine from it that the UE accesses the network in NSWO mode. When the receiver is the unified data management entity, the unified data management entity determines from indication information 01 to select EAP-AKA' for authentication with the terminal device.
S103, the terminal device sends indication information 01. Specifically, the terminal device sends indication information 01 to the wireless access point, the authentication service function entity or the unified data management entity. Correspondingly, when the receiver is the wireless access point, the wireless access point receives indication information 01 and forwards it to the authentication service function entity; when the receiver is the authentication service function entity, it receives indication information 01 and forwards it to the unified data management entity; and when the receiver is the unified data management entity, it receives indication information 01 from the terminal device.
And S104, the authentication service functional entity sends the indication information 02 to the unified data management entity according to the indication information 01, and correspondingly, the unified data management entity receives the indication information 02 from the authentication service functional entity.
It should be understood that the content included in the indication information 02 may be the same as or different from the content included in the indication information 01.
Illustratively, the indication information 02 includes the same content as the indication information 01. The authentication service function entity forwards the content in the indication information 01. Reference may be made specifically to the description relating to method 200.
Illustratively, the content of indication information 02 differs from that of indication information 01, which is understood to mean that indication information 02 includes other indication information in addition to indication information 01. The authentication service function entity adds information it generates itself to indication information 01; for convenience this information is referred to below as indication information 03. For example, the authentication service function entity determines that the UE accesses the network through NSWO from the source of the message carrying indication information 01 (for example, that it came from the Wi-Fi AP) and generates indication information 03 accordingly. Indication information 02 then comprises indication information 01 and indication information 03.
Indication information 03 may indicate that the terminal device is in a non-seamless WLAN offload (NSWO) scenario, and is used to instruct the unified data management entity to select extensible authentication protocol-authentication and key agreement (EAP-AKA') for authentication with the terminal device. Indication information 03 may be carried in the serving network name (SN name), or may be independent indication information. See in particular S306 of method 300.
S105, the unified data management entity selects extensible authentication protocol-authentication and key agreement EAP-AKA' to authenticate with the terminal equipment in at least two authentication modes according to the indication information 02.
It should be noted that, when the terminal device uses EAP-AKA' to authenticate with the network, it does not need to go through the core network element AMF.
Corresponding to the indication information 02 in S104, the unified data management entity selects EAP-AKA' to authenticate the terminal device according to the indication of the indication information 02.
Illustratively, if indication information 02 has the same content as indication information 01, see S209 of method 200; if indication information 02 comprises indication information 01 and indication information 03, see the descriptions corresponding to S209 of method 200 and S309 of method 300 (for example, the UDM selects EAP-AKA' according to the SUCI or indication information 05, and according to the SN name or indication information 06).
In the embodiment of the application, the NSWO scene is applied to the 5G system, the application range of the NSWO access mode is expanded, and the authentication flow of the UE and the 5GC under the NSWO scene can be perfected by indicating the UDM to select the EAP-AKA' authentication method. In addition, in the NSWO scenario, the terminal device may access the 5GC through the non-3GPP access technology without passing through the AMF, which reduces the burden of the AMF and also saves the overhead of deploying the architecture in which the UE accesses the 5GC through the non-3GPP technology. Furthermore, the UE generates SUCI or indicates UDM to select EAP-AKA' authentication method through indication information, thereby perfecting the authentication process in NSWO scene.
Scheme II:
S101b, the wireless access point sends a message 02 to the authentication service function entity; correspondingly, the authentication service function entity receives message 02 from the wireless access point.
Illustratively, the authentication service function entity may determine that the terminal device accesses the network through NSWO from the source or the name of message 02: for example, it determines that message 02 came from the wireless access point, or it determines that message 02 is an EAP-Response/Identity message.
Optionally, the authentication service function entity may also determine that the terminal device accesses the network through the NSWO by using the indication information in the message 02. For example, indication information 01 may also be included in the message 02, and the description of the scheme 1 may specifically refer to the indication information 01.
And S102b, the authentication service functional entity generates indication information 03 according to the message 02.
For example, indication information 03 generated by the authentication service function entity may indicate that the terminal device is in a non-seamless WLAN offload (NSWO) scenario, or may instruct the unified data management entity to select extensible authentication protocol-authentication and key agreement (EAP-AKA') for authentication with the terminal device. Indication information 03 may be carried in the SN name, or may be independent indication information.
The receiver of indication information 03 can determine from it that the unified data management entity needs to be instructed to select EAP-AKA' for authentication with the terminal device. When the receiver is the unified data management entity, the unified data management entity determines from indication information 03 to select EAP-AKA' for authentication with the terminal device.
The receiver of indication information 03 can determine from it that the UE accesses the network in NSWO mode, where the indication states that the terminal device is in a non-seamless WLAN offload (NSWO) scenario (or is used to indicate that the UE accesses the network in NSWO mode). When the receiver is the unified data management entity, the unified data management entity determines from indication information 03 to select EAP-AKA' for authentication with the terminal device.
Illustratively, the indication information 03 may include any one or more of the following: the identifier of the authentication service function entity, or the identifier of the network where the terminal device is located, or the access technology type indication information, or the access method indication information, where the access type indication information is used to indicate the type of the access network, and the access method indication information is used to indicate the characteristics of the access technology used by the terminal device.
It should be understood that the identification of the network in which the terminal device is located herein may include identification information of the serving network and identification information of the access network.
See S306 in method 300.
And S104, the authentication service functional entity sends indication information 02 to the unified data management entity.
It should be understood that the content included in the indication information 02 may or may not be identical to the content included in the indication information 03.
As an example, the indication information 01 is not included in the message 02, and the content included in the indication information 02 may be the same as the content included in the indication information 03.
As another example, indication information 01 is included in the message 02, and the indication information 02 may include indication information 01 and indication information 03.
S105, the unified data management entity selects EAP-AKA' to authenticate with the terminal equipment in at least two authentication modes according to the indication information 02.
Corresponding to the indication information 02 in S104, the unified data management entity selects EAP-AKA' to authenticate the terminal device according to the indication of the indication information 02.
Illustratively, if indication information 02 has the same content as indication information 03, see S309 of method 300; if indication information 02 comprises indication information 01 and indication information 03, see the descriptions corresponding to S209 of method 200 and S309 of method 300 (for example, the UDM selects EAP-AKA' according to the SUCI or indication information 05, and according to the SN name or indication information 06).
In the embodiment of the application, the NSWO scene is applied to the 5G system, the application range of the NSWO access mode is expanded, and the authentication flow of the UE and the 5GC under the NSWO scene can be perfected by indicating the UDM to select the EAP-AKA' authentication method. In addition, in the NSWO scenario, the terminal device may access the 5GC through the non-3GPP access technology without passing through the AMF, which reduces the burden of the AMF and also saves the overhead of deploying the architecture in which the UE accesses the 5GC through the non-3GPP technology.
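The following Python example, added here and not part of the patent, puts the two indication paths of schemes I and II (the UE-generated NAI-format SUCI of S102a/S203, the explicit "NSWO" string carried in the SUCI, and the AUSF-generated indication carried in the SN name of S102b) beside the UDM-side selection of S105. The NAI-format SUCI layout with the null protection scheme (scheme id 0) follows 3GPP TS 23.003; the placement of the "NSWO" label as a leading username label, the serving network name string "5G:NSWO", the plain-digit stand-in for the binary IMSI-format SUCI and all sample identifiers are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# SUPI type values carried in the SUCI (Fig. 3): 0 IMSI, 1 NSI, 2 GLI, 3 GCI.
SUPI_TYPE_IMSI, SUPI_TYPE_NSI = 0, 1

# Assumed SN name the AUSF uses to carry indication information 03 for NSWO
# access; the page does not fix the string.
NSWO_SN_NAME = "5G:NSWO"

# NAI-format SUCI with the null scheme, per TS 23.003 clause 28.7.3:
#   type<T>.rid<RID>.schid0.userid<X>@<home network realm>
# The optional leading "nswo" label is our assumed placement of the explicit
# "NSWO" string (indication information 01 carried in the SUCI).
_NAI_SUCI = re.compile(
    r"^(?:(?P<nswo>nswo)\.)?type(?P<type>[0-7])\.rid(?P<rid>\d{1,4})"
    r"\.schid0\.userid(?P<userid>[^@]+)@(?P<realm>[A-Za-z0-9.-]+)$"
)


@dataclass(frozen=True)
class NaiSuci:
    supi_type: int
    routing_indicator: str
    userid: str        # MSIN (IMSI type) or username (NSI type); clear under null scheme
    realm: str         # home network identifier
    explicit_nswo: bool


def home_network_realm(mcc: str, mnc: str) -> str:
    """Realm of an IMSI-based home network identifier; MNC zero-padded to 3 digits."""
    return f"5gc.mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


def build_nai_suci(supi_type: int, userid: str, realm: str,
                   routing_indicator: str = "0", explicit_nswo: bool = False) -> str:
    user = f"type{supi_type}.rid{routing_indicator}.schid0.userid{userid}"
    if explicit_nswo:
        user = "nswo." + user
    return f"{user}@{realm}"


def build_nswo_suci_from_imsi(imsi: str, mnc_len: int = 2,
                              routing_indicator: str = "0",
                              explicit_nswo: bool = False) -> str:
    """UE side (S203): NAI-format SUCI from an IMSI-type SUPI, ignoring any 5G-GUTI."""
    if not imsi.isdigit() or len(imsi) > 15 or mnc_len not in (2, 3):
        raise ValueError("malformed IMSI")
    mcc, mnc, msin = imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]
    return build_nai_suci(SUPI_TYPE_IMSI, msin, home_network_realm(mcc, mnc),
                          routing_indicator, explicit_nswo)


def parse_nai_suci(suci: str) -> NaiSuci:
    m = _NAI_SUCI.match(suci)
    if m is None:
        raise ValueError("not a null-scheme NAI-format SUCI")
    return NaiSuci(int(m["type"]), m["rid"], m["userid"], m["realm"], m["nswo"] is not None)


def select_authentication_method(suci: str, sn_name: str, subscribed_method: str) -> str:
    """UDM side (S105): choose EAP-AKA' whenever an NSWO indication is present,
    otherwise fall back to the method recorded in the subscription.

    `suci` is either an NAI-format string or, as a stand-in for the binary
    IMSI-format SUCI, a plain digit string (assumption for this example).
    """
    if subscribed_method not in ("5G-AKA", "EAP-AKA'"):
        raise ValueError("unknown subscribed authentication method")
    nswo = sn_name == NSWO_SN_NAME                 # indication 03 from the AUSF (scheme II)
    if "@" in suci:                                 # indication 01 from the UE (scheme I)
        parsed = parse_nai_suci(suci)
        # An IMSI-type SUPI normally yields an IMSI-format SUCI, so NAI format from
        # an IMSI-type SUPI is the implicit NSWO signal of S102a. An NSI-type SUPI
        # is NAI-format anyway and signals nothing on its own.
        nswo = nswo or parsed.explicit_nswo or parsed.supi_type == SUPI_TYPE_IMSI
    elif not suci.isdigit():
        raise ValueError("unrecognised SUCI encoding")
    return "EAP-AKA'" if nswo else subscribed_method


if __name__ == "__main__":
    suci = build_nswo_suci_from_imsi("001010123456789")          # constructed test IMSI
    print(suci, "->", select_authentication_method(suci, "5G:mnc001.mcc001.3gppnetwork.org", "5G-AKA"))
```

Note that the NAI-format check alone is not a sufficient signal for an NSI-type subscriber, which is why the explicit label or the SN name indication is still needed in that case; a UDM that treated every NAI-format SUCI as NSWO would wrongly steer such subscribers to EAP-AKA'.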
Optionally, the method 100 further comprises:
The unified data management entity records that the terminal device accessed the network by means of NSWO; see specifically mode 1 in S216 or mode 1 in S416.
Alternatively, the unified data management entity records the identifier of the authentication service function entity together with the fact that the terminal device accessed the network by means of NSWO; see specifically mode 2 in S216 or mode 2 in S416.
In the embodiment of the application, when the UDM records the successful authentication state it may record only that authentication succeeded through NSWO, without the ID of the authentication service function entity, so that the UDM is simple to maintain, fewer network elements need to be changed, and commercial deployment is quick and convenient; alternatively, the successful-authentication state through NSWO may be bound to the ID of the authentication service function entity, so that the UDM's record entry is clearer.
Optionally, the method 100 further comprises:
The authentication service function entity generates a master session key and, correspondingly, the terminal device generates the same master session key. The master session key is the root key from which the key for communication between the terminal device and the network is derived, the network being the one the terminal device accesses in NSWO mode.
The authentication service function entity sends the master session key to the wireless access point; correspondingly, the wireless access point receives the master session key from the authentication service function entity.
See S418 of method 400 for details of how the master session key is generated.
In the embodiment of the application, the root key used to derive the key for communication between the terminal device and the network is generated after authentication succeeds, which facilitates subsequent secure communication between the terminal device and the network in the NSWO scenario and further completes the authentication and key distribution procedure in that scenario.
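S418 of method 400 is not reproduced on this page, so the following Python example does not show the patent's own derivation. It is added here to show how the master session key (MSK) that both the AUSF and the UE compute, and that the AUSF hands to the Wi-Fi AP, is obtained in standard EAP-AKA': CK'/IK' from CK/IK, the serving network name and SQN xor AK per 3GPP TS 33.402 Annex A.2, then the key hierarchy per RFC 5448 section 3.3 with the PRF' of section 3.4.1. The CK, IK, SQN xor AK values, the identity string and the serving network name "5G:NSWO" are constructed assumptions; the 32-byte PMK cut from the MSK follows IEEE 802.11 usage at the AP and is not described by the page.

```python
import hmac
import hashlib


def derive_ck_ik_prime(ck: bytes, ik: bytes, sn_name: str, sqn_xor_ak: bytes) -> tuple:
    """CK'/IK' per TS 33.402 Annex A.2: HMAC-SHA-256 keyed with CK||IK over
    S = FC(0x20) || P0 || L0 || P1 || L1, P0 = serving network name, P1 = SQN xor AK.
    CK' is the first 128 bits of the output, IK' the last 128 bits."""
    if len(ck) != 16 or len(ik) != 16 or len(sqn_xor_ak) != 6:
        raise ValueError("CK and IK must be 16 bytes, SQN xor AK 6 bytes")
    p0 = sn_name.encode("ascii")
    s = (b"\x20" + p0 + len(p0).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]


def prf_prime(key: bytes, seed: bytes, length: int) -> bytes:
    """PRF' of RFC 5448 section 3.4.1: T_i = HMAC-SHA-256(K, T_{i-1} | S | i), T_0 empty."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def eap_aka_prime_keys(ck: bytes, ik: bytes, sn_name: str, sqn_xor_ak: bytes, identity: str) -> dict:
    """Full EAP-AKA' key hierarchy (RFC 5448 section 3.3). The same function runs on
    the UE and on the AUSF; both hold CK/IK after a successful AKA challenge."""
    ck_p, ik_p = derive_ck_ik_prime(ck, ik, sn_name, sqn_xor_ak)
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity.encode("utf-8"), 208)
    return {
        "K_encr": mk[0:16],    # protects AT_ENCR_DATA
        "K_aut": mk[16:48],    # keys AT_MAC
        "K_re": mk[48:80],     # re-authentication key
        "MSK": mk[80:144],     # the master session key the AUSF sends to the AP
        "EMSK": mk[144:208],
    }


def pmk_for_access_point(msk: bytes) -> bytes:
    """IEEE 802.11 uses the first 256 bits of the MSK as the PMK for the 4-way handshake."""
    if len(msk) != 64:
        raise ValueError("MSK must be 64 bytes")
    return msk[:32]


# Constructed sample values (not real vectors): CK, IK and SQN xor AK as the USIM
# and the UDM/AUSF would hold them after a successful AKA challenge.
CK = bytes.fromhex("0123456789abcdef0123456789abcdef")
IK = bytes.fromhex("fedcba9876543210fedcba9876543210")
SQN_XOR_AK = bytes.fromhex("000102030405")
IDENTITY = "type0.rid0.schid0.userid0123456789@5gc.mnc001.mcc001.3gppnetwork.org"  # assumed SUCI identity


def nswo_msk_agreement(sn_name_ue: str, sn_name_net: str) -> bool:
    """True when UE and AUSF end up with the same MSK. The serving network name is
    a KDF input, so an AP/AUSF presenting a different name than the UE expects
    yields a different MSK and the 802.11 handshake with the AP fails."""
    ue = eap_aka_prime_keys(CK, IK, sn_name_ue, SQN_XOR_AK, IDENTITY)["MSK"]
    net = eap_aka_prime_keys(CK, IK, sn_name_net, SQN_XOR_AK, IDENTITY)["MSK"]
    return hmac.compare_digest(ue, net)


if __name__ == "__main__":
    keys = eap_aka_prime_keys(CK, IK, "5G:NSWO", SQN_XOR_AK, IDENTITY)
    print("MSK:", keys["MSK"].hex())
    print("PMK handed to the AP:", pmk_for_access_point(keys["MSK"]).hex())
    print("SN name mismatch agrees:", nswo_msk_agreement("5G:NSWO", "5G:mnc001.mcc001.3gppnetwork.org"))
```

The binding of CK'/IK' to the serving network name is what makes the NSWO-specific SN name of scheme II more than a routing hint: the AP only obtains a usable PMK when the name the AUSF fed into the derivation is the one the UE used, and the identity fed into PRF' must be the exact string the UE sent in EAP-Response/Identity or AT_IDENTITY.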
The method 200 for secure communication provided by the present application is described in detail below with reference to fig. 5. Fig. 5 is a schematic interaction diagram of method 200 of the present application. In method 200, selection of the EAP-AKA' authentication method is indicated to the UDM through the SUCI generated by the UE or through indication information.
S201, the UE establishes connection with the non-3GPP access network element.
Illustratively, the non-3GPP access technology used by the UE herein may be WLAN. If the non-3GPP access technology is WLAN, the non-3GPP access network element is a Wi-Fi AP. The Wi-Fi AP is used as the example below.
It should be understood that the Wi-Fi AP network accessed by the UE may support only the NSWO mode, only the non-NSWO mode, or both; therefore, when the UE receives a message from the Wi-Fi AP, it first needs to determine whether to access using the non-NSWO mode or the NSWO mode. The message is one sent by the Wi-Fi AP to the UE during establishment of the connection between the UE and the Wi-Fi AP, and the information interaction during that connection establishment can follow the related information interaction in IEEE 802.11. As an example, the information interaction in IEEE 802.11 may be carried over directly, and a message sent by the Wi-Fi AP to the UE is used as the trigger condition for the UE to determine whether it accesses the network in the non-NSWO mode or the NSWO mode. Or, as another example, on the basis of the related information interaction in IEEE 802.11, indication information instructing the UE to determine whether to use the non-NSWO mode or the NSWO mode may be added to the message sent by the Wi-Fi AP to the UE.
The UE determines whether to access the network using the non-NSWO mode or the NSWO mode; it may select the access mode by, for example, a locally stored list, a local policy, or a manual selection by the user of the UE.
As an example, the UE locally maintains a list of Wi-Fi APs, Service Set Identifiers (SSIDs), or WLAN network names, and preferentially uses non-NSWO access or NSWO access when the network matches the list. The operator may configure the list on the UE in various manners, for example over the air (OTA), or deliver it to the UE through NAS messages, such as a UE Parameters Update (UPU) procedure, or configure it in other manners, which is not limited in this application.
As another example, the local policy may be a network selection logic or a logic for selecting an access method, which may take one or more policy forms, such as a white list, a black list, access method prioritization, and the like. The local policy may be delivered by the operator to the UE via OTA or NAS messaging, such as a UE routing policy (URSP), which may indicate whether to preferentially use non-NSWO access or NSWO access when the UE accesses a Wi-Fi AP. The local policy may also instruct the UE to preferentially use non-NSWO access and, if that is unsuccessful, to select the NSWO access method. There are many ways to configure the local policy; their aim is to make the UE access the network according to a certain network access logic. The user of the UE can select a network through the mobile phone screen, and when the network can be accessed using both non-NSWO and NSWO, the user can select the desired access mode in a pop-up box on the screen.
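The selection logic of S201 described above, written out as an added example (this is not code from the patent). It models the three inputs the text names: an operator-configured SSID list delivered over OTA or UPU, a local policy with a priority order and fall-back after a failed attempt, and a manual choice from the on-screen pop-up. The data layout, function names and sample SSIDs are assumptions.

```python
"""UE-side choice between NSWO and non-NSWO access to a Wi-Fi AP.

Added example, not the patent's code. Policy layout and SSIDs are assumptions.
"""
from dataclasses import dataclass, field

NSWO = "NSWO"
NON_NSWO = "non-NSWO"


@dataclass
class LocalPolicy:
    # Preference order, e.g. try non-NSWO first, fall back to NSWO.
    priority: tuple = (NON_NSWO, NSWO)
    # Operator-delivered list (e.g. via OTA or UPU): SSID -> preferred mode.
    ssid_preference: dict = field(default_factory=dict)
    # Black list: SSIDs on which NSWO must never be used.
    nswo_blocklist: set = field(default_factory=set)


def select_access_mode(ssid, ap_modes, policy, user_choice=None, failed=()):
    """Return the access mode the UE should try next for this AP, or None.

    ap_modes   : modes the AP supports, {NSWO}, {NON_NSWO} or both.
    user_choice: mode picked in the on-screen pop-up, if any.
    failed     : modes already tried and rejected (drives policy fall-back).
    """
    candidates = [m for m in ap_modes if m not in failed]
    if ssid in policy.nswo_blocklist:
        candidates = [m for m in candidates if m != NSWO]
    if not candidates:
        return None
    # 1. Manual selection wins when the AP actually offers that mode.
    if user_choice in candidates:
        return user_choice
    # 2. Operator-configured list: preferred mode for a matching SSID.
    preferred = policy.ssid_preference.get(ssid)
    if preferred in candidates:
        return preferred
    # 3. Otherwise walk the local policy's priority order.
    for mode in policy.priority:
        if mode in candidates:
            return mode
    return None
```

The `failed` argument is what makes the "prefer non-NSWO, select NSWO after it fails" policy in the text work: the UE calls the function again with the rejected mode listed, and the priority walk returns the next one.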
S202, the Wi-Fi AP sends an EAP-Request/Identity message to the UE to trigger EAP authentication.
Alternatively, the message may also be an EAP-Request/AKA'-Identity message.
S203, the UE ignores parameters such as a locally stored security context and the 5G globally unique temporary identifier (5G-GUTI), and generates the SUCI using the IMSI.
When the UE has accessed the network through 3GPP access or non-NSWO access, the UE may locally hold a valid 5G-GUTI and NAS security context. In that scenario, if the UE is using 3GPP access, the UE locally holds not only the valid 5G-GUTI and NAS security context but also the Access Stratum (AS) security context. When the UE determines to use NSWO mode access, the UE does not use the locally saved 5G-GUTI and the valid security context, but needs to generate the SUCI from the SUPI. This is because the SUPI corresponding to the 5G-GUTI is stored in the AMF and the NSWO access path does not pass through the AMF; if the 5G-GUTI were sent, the UDM would have to forward it to the corresponding AMF and receive the SUPI back from that AMF. In order to instruct the UDM to select the EAP-AKA' authentication method, the UE may use the following two indication modes: through the SUCI itself, or through indication information other than the SUCI, indicate that the UDM should select the EAP-AKA' authentication method or that the UE is in the NSWO scenario.
The indication is used to instruct the unified data management entity to select EAP-AKA' for authentication with the terminal device. Taking the SUCI as an example, this means that the receiver of the SUCI can learn from the SUCI that the unified data management entity needs to be instructed to select EAP-AKA' for authentication with the terminal device. When the receiver is the unified data management entity, the unified data management entity determines, according to the SUCI, to select EAP-AKA' for authentication with the terminal device.
Taking indication information other than the SUCI as an example, the receiver of the indication information can learn from it that the UE accesses the network in the NSWO mode. When the receiver is the unified data management entity, the unified data management entity determines, according to the indication information, to select EAP-AKA' for authentication with the terminal device.
The first indication mode is to instruct the UDM to select the EAP-AKA' authentication method through the SUCI.
The UE may generate the SUCI in various ways; two implementations are given below as examples.
In the first implementation, the current access method is indicated to the UDM by the SUCI, so that the UDM can select EAP-AKA'.
As an example, if the SUPI of the UE is of IMSI type, the UE generates a SUCI in NAI format, structured as <username containing the security protection result>@nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org. That is, in the NAI format, the username part carries the security protection result. For example: the IMSI is 2341509999999, with MCC = 234, MNC = 15 and MSIN = 099999999999; the routing identifier is 678 and the home network public key identifier is 27. The SUCI in NAI format may then be constructed as follows:
type0.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip<encryption of 0999999999>.mac<MAC tag value>@nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
wherein type0.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip<encryption of 099999999999>.mac<MAC tag value> is the username part, and the security protection part is cip<encryption of 099999999999>.mac<MAC tag value>.
It should be understood that for the SUCI in FIG. 3, if the SUPI type is 0, i.e., IMSI, the format of the current SUCI is the IMSI format rather than the NAI format.
Correspondingly, in the subsequent step, if the UDM sees a SUCI in NAI format, it selects the EAP-AKA' authentication method.
As another example, if the SUPI of the UE is of a non-IMSI type, the UDM may be configured to select the EAP-AKA' authentication method for any SUCI in NAI format. In that case, whenever the UDM sees that the SUCI is in NAI format, the UDM selects the EAP-AKA' authentication method. Generally, in a 5G system, the UDM selects the authentication method based on the SUPI, whereas in the present application the UDM selects it based on the format of the SUCI.
To sum up, in the first implementation, if the SUPI format is IMSI, the UDM may be instructed to select the EAP-AKA' authentication method by generating the SUCI in NAI format, and if the SUPI is of non-IMSI type, the UDM may be configured to select the EAP-AKA' authentication method for a SUCI in NAI format.
In the second implementation, indication information 04 is added to the SUCI, where the indication information 04 is used to indicate that the EAP-AKA' authentication method needs to be used, or to indicate a certain access mode, where the access mode is not 3GPP or non-NSWO access and may be the NSWO access mode. That is, the indication information 04 may be added to a SUCI in NAI format, or to a SUCI in non-NAI format.
It should be noted that the added indication information 04 may be placed in the username part of the NAI format, or in the realm part (after the @) of the NAI format. This is not limited in this application.
Illustratively, the added indication information 04 is used to indicate that the UDM needs to select a suitable access technology according to the access scenario, or to indicate the primary authentication method intended to be used. In this embodiment, the indication information 04 indicates to the UDM that the access method is NSWO, or that the EAP authentication method needs to be used, and the UDM then selects the EAP-AKA' authentication method according to the indication information. For example, the indication information 04 may be a character string such as "NSWO" or "non-3GPP", where "NSWO" indicates access using the NSWO method and "non-3GPP" indicates access using the non-NSWO method. For example, the indication information 04 "NSWO" is added in front of the SUCI, and the SUCI is configured as "NSWO"username@nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org; the added indication information may also be other content, which is not limited in the present application. For another example, the indication information 04 may be a number such as 0 or 1; in the present embodiment the SUCI may be configured as 6username@nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org. Or the indication information 04 may be method0, method1 or method2 added to the username part, indicating that 5G-AKA, EAP-AKA', or another authentication method respectively needs to be used. In this embodiment, the SUCI may be constituted as method1.username@instance.com, where method1 indicates that the EAP-AKA' authentication method needs to be used. For another example, the indication information may be bit indication information, for example 2 bits, where the indication information 00 indicates that the EAP-AKA' authentication method needs to be used, or indicates a certain access mode, where the access mode is not 3GPP or non-NSWO access.
In the second indication mode, indication information 05 is carried in the message, where the indication information 05 is used to indicate the access method or the authentication method intended to be used; for example, the indication information 05 instructs the UDM to select the EAP-AKA' authentication method, or alternatively indicates a certain access scheme, for example the NSWO access scheme.
Illustratively, the SUCI is generated in the current manner, and the generated indication information 05 is added to the EAP-Response/Identity message carrying the SUCI in S204. It should be noted that the indication information 05 may be placed inside the EAP message or outside the EAP message, which is not limited in this application.
In one possible implementation, after the UE determines that NSWO mode access is to be used, the UE selects the RID used by the NSWO mode from the locally stored Routing ID (RID). The RID is an essential component of the SUCI. Its value may be a default value or a value configured by the operator. In the prior art, the RID is used to discover and select the AUSF and UDM. After NSWO is introduced into 5G, the operator may use an AUSF and a UDM that specifically handle NSWO authentication, since the UE only needs the primary authentication function provided by the operator. The advantage is that this not only minimizes the impact on the existing network architecture, but also keeps the keys used by the UE when accessing the network through the NSWO mode and the non-NSWO mode at the same time from affecting each other, i.e., the two modes of the UE do not affect each other as implemented on the network side. This can be achieved by introducing an AUSF and a UDM that specifically handle NSWO authentication. For example, the operator may configure the RID used in NSWO mode and the RID used in non-NSWO mode on the UE separately. The RID used in NSWO mode is used to discover the AUSF and UDM that specifically handle NSWO authentication, while the RID used in non-NSWO mode is used to find an AUSF and UDM that serve legacy access. Therefore, if the UE locally stores one RID for the NSWO mode and one RID for the non-NSWO mode, the UE may select the RID corresponding to the NSWO mode when accessing the network in NSWO mode, and construct the SUCI using that RID. It is understood that the RID used in NSWO mode in this manner may itself be indication information indicating that the terminal device is in an NSWO scenario, or indicating that the EAP-AKA' authentication method is to be selected, in the embodiment of the present application.
S204, the UE replies with an EAP-Response/Identity message to the Wi-Fi AP, and the Wi-Fi AP forwards the message to the authentication service function entity.
It should be understood that the authentication service function entity may be one network element or a plurality of network elements. For example, it may comprise at least one of a 3GPP AAA server and an AUSF.
Exemplarily, corresponding to the first indication mode in S203, the UE sends the SUCI in NAI format to the authentication service function entity through this message; or, corresponding to the second indication mode in S203, the UE sends the indication information 05 to the authentication service function entity through this message.
S205, the authentication service function entity selects the UDM based on the RID in the SUCI.
S206, the authentication service function entity generates the SN name.
The SN name may take the form 5G:<serving network ID>, or other forms. Reference may be made in particular to methods 400 to 700.
Optionally, when the authentication service function entity comprises one or more functions, or one or more network elements, the generation of the SN name and the selection of the UDM may take place in different functions or network elements; for the specific implementation, reference may be made to methods 400 to 700.
S207, the authentication service function entity sends a UE authentication get request (Nudm_UEAuthentication_Get Request) message to the UDM. The message carries the SUCI and the SN name, or, for the second indication mode in step S203, the SUCI, the indication information 05 and the SN name.
S208, the UDM decrypts the SUCI to obtain the SUPI.
S209, the UDM determines to select the EAP-AKA' authentication method according to the SUCI, or according to the indication information 05 of the second indication mode in step S203.
Corresponding to the first implementation of the first indication mode in S203: since a SUPI of IMSI type generally only generates a SUCI in non-NAI format, if the UDM receives a SUCI in NAI format whose SUPI type is IMSI, the UDM may select the EAP-AKA' authentication method on that basis. Or, the UDM determines to select the EAP-AKA' authentication method according to the SUCI being in NAI format.
Or, corresponding to the second implementation of the first indication mode in S203, when the UDM receives a SUCI carrying the indication information 04, the UDM may select the EAP-AKA' authentication method according to the indication information 04 in the SUCI.
Or, corresponding to the second indication mode in S203, when the UDM receives the separate indication information 05, it selects the EAP-AKA' authentication method according to the indication information 05.
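An added example (not code from the patent or from 3GPP) that ties together the UE-side SUCI construction of S203, the RID extraction the authentication service function entity uses in S205, and the UDM decision of S209. It covers both implementations of the first indication mode (NAI-format SUCI with an IMSI-type SUPI; indication information 04 prefixed to the username) and the second indication mode (separate indication information 05). The ecckey/cip/mac labels are placeholders standing in for the ECIES scheme output, nothing is actually encrypted; the textual layout of the non-NAI SUCI, the "NSWO" and "methodN" label values and all function names are assumptions.

```python
"""SUCI in NAI format carrying the NSWO indication, and the UDM-side selection.

Added example, not the patent's code. Placeholders stand in for ECIES output.
"""
import re

IND04_METHODS = {"method0": "5G-AKA", "method1": "EAP-AKA'", "method2": "other"}
NAI_REALM_RE = re.compile(
    r"^nai\.5gc\.mnc(?P<mnc>\d{2,3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$")


def build_nai_suci(mcc, mnc, msin, rid, hn_key_id, supi_type=0, ind04=None):
    """UE side, S203: SUCI in NAI form; ind04 is indication information 04
    prefixed to the username part (e.g. 'NSWO' or 'method1')."""
    username = (f"type{supi_type}.rid{rid}.schid1.hnkey{hn_key_id}"
                f".ecckey<EPHEMERAL_PUB>.cip<ENC_{msin}>.mac<TAG>")  # placeholders
    if ind04:
        username = f"{ind04}.{username}"
    return f"{username}@nai.5gc.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


def build_imsi_suci(mcc, mnc, msin, rid, hn_key_id):
    """UE side: assumed textual form of the non-NAI (IMSI type) SUCI."""
    return f"0-{mcc}-{mnc}-{rid}-1-{hn_key_id}-<ENC_{msin}>"


def routing_indicator(suci):
    """S205 helper: the RID the authentication service function entity
    uses to discover and select the UDM."""
    if "@" in suci:
        for label in suci.split("@", 1)[0].split("."):
            if label.startswith("rid"):
                return label[3:]
        return None
    parts = suci.split("-")
    return parts[3] if len(parts) > 3 else None


def udm_select_auth_method(suci, indication_05=None, nai_always_eap=False):
    """UDM side, S209: return the authentication method the text says the
    UDM selects, or None to fall back to the usual SUPI-based selection."""
    # Second indication mode: separate indication information 05.
    if indication_05 in ("NSWO", "EAP-AKA'"):
        return "EAP-AKA'"
    if "@" not in suci:
        return None  # non-NAI SUCI without indication: normal selection
    username, realm = suci.split("@", 1)
    labels = username.split(".")
    # First indication mode, second implementation: indication info 04 prefix.
    if labels[0] == "NSWO":
        return "EAP-AKA'"
    if labels[0] in IND04_METHODS:
        return IND04_METHODS[labels[0]]
    # Operator configured the UDM to treat any NAI-format SUCI as EAP-AKA'.
    if nai_always_eap:
        return "EAP-AKA'"
    # First implementation: NAI format with SUPI type 0 (IMSI) is unusual and
    # signals NSWO; type1 (NAI-type SUPI) decides nothing by itself.
    if NAI_REALM_RE.match(realm) and "type0" in labels:
        return "EAP-AKA'"
    return None
```

The `nai_always_eap` switch corresponds to the configuration the text describes for non-IMSI SUPIs: without it, a NAI-format SUCI with SUPI type 1 is the normal case and carries no NSWO meaning.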
Optionally, before the UDM selects the EAP-AKA' authentication method, the UDM verifies whether the UE is authorized to use the NSWO mode. For example, the UDM performs the authorization check based on the subscription data of the UE: if the subscription data recorded in the UDM indicates that the UE may use the NSWO mode, the authorization verification succeeds; otherwise, it fails. If the authorization verification of the UE succeeds, step S210 is performed. If it fails, the UDM sends a rejection message carrying a rejection cause value to the authentication server.
S210, the UDM replies with a UE authentication get response (Nudm_UEAuthentication_Get Response) message to the authentication service function entity, which carries the AV and the SUPI.
S211, the authentication service function entity retains the SUPI, determines to use the EAP authentication method, and sends an EAP-Request/AKA'-Challenge message to the UE.
S212, the UE verifies the authenticity of the network side. After the verification succeeds, the UE generates the MSK and then proceeds to the next step.
Illustratively, before the UE verifies the authenticity of the network side, the UE first obtains the same SN name as the network side. The UE may generate the SN name itself or obtain it in step S211.
Optionally, when the authentication service function entity is an AUSF, or is a plurality of network elements including an AUSF, the UE further generates Kausf before proceeding to the next step.
Whether and how the UE generates Kausf may follow one of the following methods:
The first method: the UE generates Kausf during the authentication procedure and saves it upon receiving EAP-Success.
Specifically, after generating Kausf, the UE first stores it in a cache area. In the embodiment of the present application, the cache area in which the terminal device stores the intermediate key Kausf is referred to as the first storage space. After receiving the EAP-Success message, Kausf is saved. Saving Kausf means replacing the previously saved Kausf with the newly generated one: specifically, the UE replaces the previously saved Kausf in the second storage space with the newly generated Kausf from the first storage space. The UE subsequently uses the Kausf in the second storage space (long-term storage space) for authentication and communication in the SoR or UPU procedure. In another case, if the NSWO scenario supports the EAP re-authentication protocol (ERP) procedure, the UE needs to save Kausf or save a key for ERP authentication.
The second method: the UE generates Kausf during authentication but does not save it.
Specifically, the UE determines, according to the current NSWO mode, that Kausf does not need to be saved. The UE may generate Kausf without saving it, or may not generate Kausf at all. Not saving Kausf may mean deleting it immediately after generation, or deleting it after a period of time has elapsed since generation, for example after the EAP-Success message is received.
The third method: the UE generates the EMSK (Extended Master Session Key) during the authentication procedure, but does not use the EMSK as Kausf.
Specifically, the UE determines that it is in the NSWO flow and does not use the most significant 256 bits of the EMSK as Kausf. Further, the EMSK is optionally used according to the EAP flow itself, for example as the root key of an ERP procedure.
The fourth method: if the authentication server on the network side is not an AUSF, Kausf is not generated.
Alternatively, MSK and Kausf may be generated in step S221.
S213, the UE sends an EAP-Response/AKA'-Challenge message to the authentication service function entity.
S214, the authentication service function entity verifies the authenticity of the UE, generates the MSK, and optionally also generates and stores Kausf.
Exemplarily, when the authentication service function entity is an AUSF, generating Kausf is the approach that changes the AUSF the least. If minimal change is not pursued, the AUSF may not generate Kausf, or may generate Kausf but not store it. Not storing may mean deleting Kausf immediately after generation, or after a certain period of time has elapsed. In short, the AUSF assumes that the UE does not store Kausf after successful authentication.
Specifically, whether the AUSF generates Kausf can be determined by one of the following methods:
The first method: the AUSF generates Kausf but does not keep it. For example, if the AUSF determines that Kausf was generated in an NSWO flow, the AUSF does not store it.
The second method: Kausf may be saved if the AUSF needs to use it later. For example, if the AUSF supports the SoR and UPU procedures, the AUSF stores Kausf.
The third method: the AUSF does not generate Kausf. For example, when the AUSF determines that the access is NSWO access, Kausf is not generated. Specifically, the AUSF may generate the EMSK, but the first 256 bits of the EMSK are not used as Kausf. Further, the EMSK is optionally used according to the EAP flow itself, for example as the root key for an ERP procedure.
Exemplarily, if the NSWO scenario supports the EAP re-authentication protocol (ERP) flow and the authentication service function entity is an AUSF, Kausf, or the EMSK from which Kausf is generated, needs to be saved.
Illustratively, when the authentication service function entity is a 3GPP AAA, Kausf may not be generated.
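The Kausf handling of S212 (UE side, methods one to four) and S214 (AUSF side, methods one to three), as an added example that is not the patent's code. The key expansion follows RFC 5448 (PRF' built on HMAC-SHA-256, and the layout MK = K_encr | K_aut | K_re | MSK | EMSK), so both ends can be shown deriving the same EMSK; CK', IK' and the identity are constructed sample values, not real vectors. Kausf is taken as the most significant 256 bits of the EMSK, as the text states. The method labels, the two-storage-space model and the helper names are assumptions.

```python
"""Kausf derivation from the EMSK and the save/don't-save decisions of S212/S214.

Added example, not the patent's code. RFC 5448 key layout; sample CK'/IK'.
"""
import hashlib
import hmac


def prf_prime(key, seed, nbytes):
    """RFC 5448 PRF': T1 = HMAC(K, S|0x01), Tn = HMAC(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < nbytes:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:nbytes]


def eap_aka_prime_keys(ck_p, ik_p, identity):
    """MK = PRF'(IK'|CK', "EAP-AKA'"|Identity), sliced per RFC 5448."""
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity, 16 + 32 + 32 + 64 + 64)
    return {"K_encr": mk[:16], "K_aut": mk[16:48], "K_re": mk[48:80],
            "MSK": mk[80:144], "EMSK": mk[144:208]}


def kausf_from_emsk(emsk):
    """Kausf = most significant (first) 256 bits of the EMSK."""
    return emsk[:32]


class KausfHandling:
    """UE-side methods 1-4; the same switches model the AUSF-side methods."""
    GENERATE_AND_SAVE = "generate_and_save"   # UE method 1 / AUSF method 2
    GENERATE_NOT_SAVE = "generate_not_save"   # UE method 2 / AUSF method 1
    NO_KAUSF = "no_kausf"                     # UE method 3 / AUSF method 3

    def __init__(self, method):
        self.method = method
        self.first_storage = None    # cache written during authentication
        self.second_storage = None   # long-term Kausf used by SoR/UPU
        self.emsk = None             # kept for an ERP root key if needed

    def on_challenge_verified(self, keys, server_is_ausf=True):
        """After the AKA'-Challenge is verified: returns Kausf if generated."""
        self.emsk = keys["EMSK"]
        if not server_is_ausf:           # method 4: server is not an AUSF
            return None
        if self.method == self.NO_KAUSF:  # EMSK exists but is not Kausf
            return None
        kausf = kausf_from_emsk(keys["EMSK"])
        if self.method == self.GENERATE_AND_SAVE:
            self.first_storage = kausf   # cached until EAP-Success
        return kausf                     # GENERATE_NOT_SAVE: caller drops it

    def on_eap_success(self):
        """EAP-Success: promote the cached Kausf to long-term storage."""
        if self.method == self.GENERATE_AND_SAVE and self.first_storage is not None:
            self.second_storage = self.first_storage   # replaces the old Kausf
            self.first_storage = None
        return self.second_storage


# Constructed sample inputs (not real CK'/IK' values).
SAMPLE_CK_P = bytes(range(16))
SAMPLE_IK_P = bytes(range(16, 32))
SAMPLE_IDENTITY = b"sample-identity@nai.5gc.mnc015.mcc234.3gppnetwork.org"


def run_ue(method, server_is_ausf=True):
    """Drive one UE through S212 and S221; return the long-term Kausf."""
    keys = eap_aka_prime_keys(SAMPLE_CK_P, SAMPLE_IK_P, SAMPLE_IDENTITY)
    ue = KausfHandling(method)
    ue.on_challenge_verified(keys, server_is_ausf)
    return ue.on_eap_success()
```

Running the same derivation on the AUSF side with the same CK'/IK' gives the same MSK (handed to the Wi-Fi AP in S219) and the same EMSK, which is why an AUSF that chooses the first or third method can still let the UE keep or discard Kausf independently.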
Optionally, S215, the authentication service function entity sends a UE authentication result confirmation request (Nudm_UEAuthentication_ResultConfirmation Request) message to the UDM.
It should be understood that step S215 is executed when the standard or the scenario requires Kausf to be saved, or when the network side needs to record the authentication result of the UE. Accordingly, in one possible implementation, if the authentication function entity determines that the UE is using NSWO mode access, the authentication function entity does not need to initiate the S215 to S217 procedure after the UE is successfully authenticated. Note that this step must occur where Kausf needs to be preserved.
Specifically, whether the network side needs to record the authentication result of the UE is determined according to operator requirements or standard specifications.
Optionally, S216, the UDM stores the authentication success status of the current UE through non-3GPP access. More specifically, the UDM stores the authentication success status of the current UE accessed through WLAN, or through NSWO.
This step is performed if step S215 is performed; if step S215 is not performed, this step is not performed either.
The storage method of the UDM is described in detail below by taking two possible modes as examples.
In the first mode, the UDM maintains a single piece of authentication success state information; that is, the UDM reuses the entry created when authentication occurs in a non-NSWO access scheme. After the UDM determines that the initial authentication in the NSWO access mode is successful, the UDM updates the entry. There are two possible ways for the UDM to update it: the first is to add a record of successful authentication in NSWO mode and to add the ID of the authentication service function entity used this time (for example, where the UE has not previously accessed through 3GPP or non-NSWO access, i.e., no authentication has yet occurred) or replace the original authentication service function entity ID; the second is to add, within the existing entry, information identifying the successful authentication state as NSWO mode, without replacing the existing authentication service function entity ID or adding a new one. In that case, the information related to the authentication success status does not include the ID of the authentication service function entity used in the NSWO access mode.
It should be understood that the ID of the authentication function entity serving NSWO is not stored because a UE authenticated through NSWO does not require the network side to maintain its state. The UE may re-perform the authentication procedure each time it uses the NSWO service, so the UDM also does not need to maintain state information related to the UE authentication, such as whether the authentication succeeded.
In the second mode, the UDM may maintain two pieces of authentication state information: one for the primary authentication flow initiated in the 3GPP access and non-NSWO access flows, and the other for the primary authentication flow generated in NSWO access. Both pieces of authentication success status information comprise the ID of the authentication service function entity and indication information. The indication information in one piece records the authentication result of the current UE initiated through the NSWO access method, or indicates that the UE initiated the authentication in NSWO mode; the indication information in the other piece may indicate the result of the authentication of the current UE initiated by the 5GC (or more specifically, the AMF), or indicate the result of the authentication initiated through 3GPP access or non-NSWO access.
It should be understood that storing the ID of the authentication service function entity allows the UDM to find the authentication service function entity that authenticated the UE in the NSWO scenario, and to use the key stored by that authentication service function entity.
In the third mode, the UDM only receives the message and does not perform any processing.
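The three UDM storage modes of S216, written out as an added example (not the patent's code) so the difference in what survives in the UDM entry is visible: the first mode reuses the existing entry and either replaces the AUSF ID (labelled "1a" here) or only flags NSWO success without touching the ID ("1b"); the second mode keeps a separate NSWO record with its own AUSF ID; the third mode stores nothing. The entry layout, mode labels and sample identifiers are assumptions.

```python
"""UDM storage of the NSWO authentication success status (S216 modes).

Added example, not the patent's code. Entry layout and labels are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthStatus:
    success: bool = False
    via: Optional[str] = None        # "5GC" (3GPP / non-NSWO via AMF) or "NSWO"
    ausf_id: Optional[str] = None    # ID of the authentication service function


class UdmAuthRecords:
    def __init__(self, mode):
        self.mode = mode   # "1a", "1b", "2" or "3"
        self.single = {}   # modes 1a/1b: one entry per SUPI, reused for NSWO
        self.dual = {}     # mode 2: {supi: {"5GC": AuthStatus, "NSWO": AuthStatus}}

    def record_5gc_success(self, supi, ausf_id):
        """Existing behaviour: primary authentication initiated via the AMF."""
        if self.mode == "2":
            self.dual.setdefault(supi, {})["5GC"] = AuthStatus(True, "5GC", ausf_id)
        elif self.mode != "3":
            self.single[supi] = AuthStatus(True, "5GC", ausf_id)

    def record_nswo_success(self, supi, ausf_id):
        """S216: what the UDM keeps after a successful NSWO authentication."""
        if self.mode == "3":
            return None                    # message received, no processing
        if self.mode == "2":
            entry = self.dual.setdefault(supi, {})
            entry["NSWO"] = AuthStatus(True, "NSWO", ausf_id)   # separate record
            return entry["NSWO"]
        entry = self.single.setdefault(supi, AuthStatus())
        entry.success, entry.via = True, "NSWO"
        if self.mode == "1a":              # add or replace the AUSF ID
            entry.ausf_id = ausf_id
        # mode 1b: flag NSWO success but keep whatever AUSF ID was already there
        return entry

    def ausf_for_nswo(self, supi):
        """Which AUSF authenticated the UE over NSWO, if the UDM can tell."""
        if self.mode == "2":
            st = self.dual.get(supi, {}).get("NSWO")
            return st.ausf_id if st else None
        st = self.single.get(supi)
        if st and st.via == "NSWO" and self.mode == "1a":
            return st.ausf_id
        return None
```

`ausf_for_nswo` shows the trade-off the text describes: only modes 1a and 2 let the UDM later locate the AUSF (and any key it stored) for the NSWO authentication; mode 1b deliberately gives that up for a simpler entry.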
S217, the UDM replies to the authentication service function entity with a UE authentication result confirmation response (Nudm_UEAuthentication_ResultConfirmation Response) message.
S218, the authentication service function entity optionally performs multiple rounds of EAP interaction with the UE.
It should be noted that the numbering of S215 and S218 does not constrain their execution order; that is, S218 may be executed before or after S215. S217 and S218 need not be associated.
S219 to S220, the authentication service function entity sends an EAP-Success message to the UE through the Wi-Fi AP. In step S219, the authentication service function entity also sends the generated MSK to the Wi-Fi AP.
S221, the UE verifies the authenticity of the authentication service function entity.
Optionally, the UE generates Kausf. If the authentication service function entity is or includes an AUSF and Kausf was not generated in step S212, it is generated in this step. For the specific generation manner, refer to the corresponding description in S212.
S222, the UE completes security establishment with the Wi-Fi AP.
Illustratively, the UE generates Kwlan based on the MSK and performs security establishment based on Kwlan. Kwlan may be the key for subsequent communication between the UE and the network side, or the UE and the network side may further derive a communication key from Kwlan.
In the embodiment of the application, the NSWO scenario is applied to the 5G system, which expands the applicable range of the NSWO access mode, and the authentication procedure between the UE and the 5GC in the NSWO scenario is completed by instructing the UDM to select the EAP-AKA' authentication method. In addition, in the NSWO scenario the terminal device may access the 5GC through the non-3GPP access technology without passing through the AMF, which reduces the burden on the AMF and also saves the overhead of deploying the architecture in which the UE accesses the 5GC through non-3GPP technology. Meanwhile, when recording the authentication success status, the UDM can record the success through NSWO without recording the ID of the authentication service function entity, so that the UDM is simple to maintain, fewer network elements need to be changed, and commercial deployment is convenient and quick; alternatively, the authentication success status through NSWO may be bound to the ID of the authentication service function entity, so that the entry recorded by the UDM is clearer.
The method 300 for secure communication provided by the present application is described in detail below with reference to FIG. 6. FIG. 6 is a schematic interaction diagram of the method 300 of the present application. In the method 300, the selection of the EAP-AKA' authentication method is indicated to the UDM by the SN name, or by indication information generated by the authentication service function entity.
S301 may refer to the related description in S201, and S302 may refer to the related description in S202.
S303, the UE generates the SUCI; the specific implementation may refer to the current method by which the UE generates the SUCI.
S304 may refer to the relevant description in S204, and S305 may refer to the relevant description in S205.
S306, the authentication service functional entity generates SN name.
In order to instruct the UDM to select the EAP-AKA' authentication method, the authentication service function entity may use the following two indication modes, respectively, to indicate the access method or the authentication method through the SN name indication or through the indication information other than the SN name.
In the first indication mode, the authentication service functional entity generates an SN name or acquires all or part of the information of the SN name from the received message.
The SN name generated by the authentication service function entity may include at least one of: identification of the authentication service function entity, or identification of the network where the terminal device is located, or access technology type indication information, or access method indication information, etc.
Wherein, (1) the identifier of the network in which the terminal device is located includes an identifier of a serving network or an identifier of an access network. The identification of the access network here can be understood as the identification of the network where the Wi-Fi AP is located. In general, the identity of the serving network is understood as an identity of a network where the AMF is located, and since the embodiments of the present application do not pass through the AMF, the identity of the serving network here may be understood as an identity of a proxy (if the UE accesses the network architecture, the proxy is included), or may be understood as an identity of an access network (if the UE accesses the network architecture, the proxy is not included). (2) The technology type indication information is used to indicate the type of the access technology used by the UE, for example, the access technology may be a 3GPP access technology, a non-3GPP access technology, a WLAN access technology, a bluetooth access technology, a microwave access technology, or the like. (3) The access method indication information is used to indicate a method of an access network that the UE plans to use, such as using an NSWO method, a non-NSWO access method, a 3GPP access method, and a microwave access method. Whether the technology type indication information or the access method indication information, the purpose of the method is to provide the network with information for the network to obtain the current characteristics of the UE so as to influence the decision of the network on the authentication method of the UE.
It should be understood that the access type indication information or the access method indication information may be generated by the authentication service function entity itself or may be obtained in the received message. For example, the access type indication information or the access method indication information may be added by the Wi-Fi AP, and then the Wi-Fi AP may forward the message to the authentication service function entity to deliver the EAP message and simultaneously carry the access type indication information or the access method indication information in the message in step S204. For another example, the access type indication information or the access method indication information may be added by the UE, and then the UE sends the EAP message to the authentication service function entity in step S204.
It should be noted that, in the embodiment of the present application, the technology type indication information and the access method indication information are used to indicate that the UE currently uses the NSWO access method, and the final purpose is to let the UDM refer to the indication information and finally select the EAP-AKA' authentication method.
On one hand, the authentication service functional entity can determine the access method according to the message source or the cell carried in the message, and generate the SN name. For example, when the authentication service function entity receives a message that the UE needs to be authenticated from the AMF, the authentication service function entity may determine that the UE is a 3GPP access method or a non-NSWO access method. For another example, if the cell may carry the network function type, the authentication service function entity may determine, according to the network function type, whether the message sender is an AMF, a Wi-Fi-AP, or a Proxy.
Illustratively, when the authentication service function entity receives a message that the UE needs to be authenticated from the Wi-Fi AP or the non-AMF function entity, the authentication service function entity determines that the UE is NSWO access or determines that the UE is not non-NSWO access. Then, the authentication service function entity identifies a specific access method by using an identifier having a differentiated access method, such as an access network identifier (access network identity) or an access network type (access network type), and generates an SN name according to the identifier.
On the other hand, the access network identity (access network identity), or the access network type (access network type) may also be obtained by the authentication service function entity from the UE or the Wi-Fi AP. For example, the UE sends the access network identity or the access network type to the authentication service function entity along with the EAP message in step S204, or the Wi-Fi AP may add the access network identity or the access network type in the EAP response/AKA' identity authentication message sent to the authentication service function entity in step S204.
In an example, after determining the access method according to the message source or the indication information, the authentication service function entity obtains or generates an access network identity and an access network type. For example, the access network identity may be the ID of the network where the Wi-Fi AP is located, the ID of the Wi-Fi AP itself, a Bluetooth ID, or any ID that the UDM can recognize and distinguish from the current serving network name. It should be understood that the current serving network may be the serving network or operator serving network where the AMF is located; in this application the serving network name (SN name) is distinguished from the current serving network name, so that the UDM can determine, from the ID in the SN name, which serving network and access network type the UE accesses from. The SN name may also indicate an access network type, where the access network type indicates a specific wireless air interface technology, such as "WLAN", "WLAN access network", "NSWO", "Bluetooth", "microwave", reactive non-3GPP access network type I, or reactive non-3GPP access network type II. In order to keep the same format as the existing SN name, "5G:" may still be prefixed to the SN name, for example 5G:access network identity or 5G:access network type; other examples are 5G:WLAN and 5G:Wi-Fi AP. Alternatively, it is also possible not to keep the same format as the existing SN name, for example passing only the received or generated access network identity, or only the received or generated access network type. The embodiment of the present application does not limit the specific format.
Therefore, in the embodiment of the present application, the SN name generated by the authentication service function entity is distinguished from the SN name used in the case of 3GPP access and non-NSWO access, so as to have an indicating function.
In the second indication mode, the authentication service function entity obtains or generates indication information 06, where the indication information 06 is used to instruct the UDM to select the EAP-AKA' authentication method.
Alternatively, the indication information 06 may also be used to indicate that the UE accesses in an NSWO scenario, or the UE accesses in an NSWO manner, so that the UDM selects an EAP-AKA' authentication method according to the indication information 06.
In certain scenarios, there may be indication information 05 and indication information 06 delivered in combination. For example, the indication information 05 and the indication information 06 may be merged together and then transmitted through an Information Element (IE) corresponding to the SN name, which may reduce changes caused by newly introducing a function.
As an example, the SN name may be 5g. As another example, the SN name may also be 5g. Alternatively, the SN name may also be in other formats, and the embodiment of the present application does not limit the specific format.
Illustratively, the indication information 06 may be generated by the authentication service function entity according to the message source, or generated according to part or all of the received SN name, or obtained by the authentication service function entity from a message delivered by the Wi-Fi AP. The indication information 06 may be sent to the UDM through a UE authentication get request message, which may be a Nudm_UEAuthentication_Get Request message.
S307 may refer to the related description in S207, and S308 may refer to the related description in S208.
S309, UDM selects EAP-AKA' authentication method according to SN name or indication information 06.
Corresponding to the first indication mode in S306, if the UDM determines that the specific content in the SN name is, for example, the access network type or the access network identification information, the UDM selects an EAP-AKA' authentication method.
Exemplarily, the UDM determines that the terminal device accesses the network in the NSWO scenario according to the SN name, thereby selecting EAP-AKA' for authentication with the terminal device.
Corresponding to the second indication mode in S306, the UDM receives the SN name together with the indication information 06, which indicates the access mode to the UDM or indicates that the UDM needs to select the EAP-AKA' authentication method, and the UDM determines to select the EAP-AKA' authentication method.
Optionally, before the UDM selects the EAP-AKA' authentication method, the UDM verifies whether the UE has the right to use the NSWO mode. For example, the UDM verifies that the UE has the right to use the serving network indicated by the SN name. As another example, the UDM verifies the UE based on the subscription data of the UE. For another example, the UDM first verifies the UE according to its subscription data and, after that verification succeeds, verifies whether the UE has the right to use the serving network indicated by the SN name. If the authorization verification of the UE succeeds, step S310 is performed. If the authorization verification of the UE fails, a rejection message carrying a rejection cause value is sent to the authentication server.
After the UDM selects the EAP-AKA' authentication method, it generates the EAP-AKA' related authentication vector AV. In case the SN name includes the indication information 05 and the indication information 06, the UDM may directly use the SN name including the indication information 05 and the indication information 06 to obtain the EAP-AKA' related authentication vector, or the UDM may use only the portion related to the indication information 05 as the SN name. For example, when the SN name is 5g, nswo. Mnc015.Mcc 234.3gppnework.org.nswo indicator, UDM uses either 5g.
S310-S322 may refer to the associated descriptions in S210-S222, respectively.
It should be additionally noted that, in step S312, the UE may obtain the SN name by itself, or may obtain the SN name through step S311. The type of the SN name obtained by the UE may refer to the relevant description in step S306. The method for using the SN name by the UE in EAP-AKA' can refer to the relevant description in step S309.
In the embodiment of the application, the NSWO scene is applied to the 5G system, the application range of the NSWO access mode is expanded, and the authentication process of the UE and the 5GC in the NSWO scene can be perfected by indicating the UDM to select the EAP-AKA' authentication method. In addition, in the NSWO scenario, the terminal device may access the 5GC through the non-3GPP access technology without passing through the AMF, which reduces the burden of the AMF and also saves the overhead of deploying the architecture in which the UE accesses the 5GC through the non-3GPP technology. Meanwhile, compared with the authentication state stored in the existing UDM, the authentication state can be recorded only without recording the ID of the authentication service functional entity, so that the maintenance is simple, the number of network elements needing to be changed is small, and the method is convenient and quick to use; or, the indication information of whether the authentication is initiated in the NSWO mode can be added on the basis of the binding of the authentication success state and the authentication service functional entity, so that the entry recorded by the UDM is clearer.
Optionally, in S306, the authentication service function entity may have other implementation manners besides indicating to select the EAP-AKA' authentication method to the UDM through the SN name or the indication information 06. Exemplarily, the access method indicated by the authentication service function entity to the UDM may be NSWO access or non-NSWO access, and the authentication method may be 5G-AKA or EAP-AKA'. Accordingly, when the authentication service function entity indicates an access method to the UDM, the UDM may further decide the authentication method to be selected according to the access method. For example, if NSWO access is indicated, the UDM selects an EAP authentication method. If 3GPP or non-NSWO access is indicated, the UDM selects an authentication method based on SUPI. When the authentication service function entity indicates an authentication method to the UDM, the UDM may directly determine the authentication method.
Optionally, if in S307 the SN name received by the UDM is not the SN name of S306 and the indication information 06 of S306 is not received, the UDM may determine the authentication method according to the method by which the UDM selects the authentication mode in the current 5G network, that is, select the authentication method according to the SUPI. Alternatively, the UDM may determine that the serving network is a 3GPP access or a non-NSWO access according to the SN name of the serving network in which the AMF is located, and then select the authentication method according to the SUPI. In this case, the UDM may select the appropriate authentication method according to the different SN names.
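The selection logic of S306, S307 and S309, written out as an added example (this is not the patent's own code, and the page contains none). The SN name layouts, the NSWO indicator suffix, the rejection cause value and the subscription records are constructed assumptions based on the examples given in the text: a Wi-Fi AP or Proxy as sender yields an access-type SN name such as 5G:WLAN, an AMF as sender yields the ordinary serving-network SN name, and the UDM falls back to SUPI-based selection when neither the SN name nor indication information 06 signals NSWO access.

```python
"""UDM selection of the authentication method from the SN name and the
indication information 06, with the optional NSWO authorization check.
Added example; SN name layouts, the ".nswo" suffix, cause values and the
subscription records are constructed assumptions, not the patent's own."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: indication mode one encodes the access network type (or identity)
# after the "5G:" prefix, e.g. "5G:WLAN"; a serving-network SN name keeps the
# usual "5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org" layout.
NSWO_ACCESS_TYPES = {"WLAN", "WLAN ACCESS NETWORK", "NSWO", "BLUETOOTH", "MICROWAVE"}
NSWO_INDICATOR_SUFFIX = ".nswo"   # constructed token for the merged 05+06 form of S306


@dataclass
class Subscription:
    """Constructed subscription data held by the UDM for one SUPI."""
    supi: str
    nswo_allowed: bool        # right to use the NSWO access mode
    supi_based_method: str    # method chosen per SUPI for 3GPP / non-NSWO access


def generate_sn_name(sender_nf_type: str, serving_network: str,
                     access_network_type: Optional[str] = None) -> str:
    """Authentication service function entity side (S306, indication mode one).

    A message from the AMF means 3GPP / non-NSWO access, so the ordinary
    serving-network SN name is used; any other sender (Wi-Fi AP, Proxy) is
    treated as NSWO access and the SN name carries the access network type.
    """
    if sender_nf_type.upper() == "AMF":
        return f"5G:{serving_network}"
    return f"5G:{access_network_type or 'NSWO'}"


def is_nswo_sn_name(sn_name: str) -> bool:
    """True when the SN name itself indicates NSWO access (indication mode one)."""
    if not sn_name.upper().startswith("5G:"):
        return False
    body = sn_name[3:].strip()
    if body.upper() in NSWO_ACCESS_TYPES:
        return True
    # Merged form of S306: serving network name followed by an NSWO indicator.
    return body.lower().endswith(NSWO_INDICATOR_SUFFIX)


def serving_network_of(sn_name: str) -> str:
    """Portion of the SN name related to indication information 05 only, i.e.
    the SN name with any NSWO indicator stripped, for use in the AV derivation."""
    body = sn_name[3:] if sn_name.upper().startswith("5G:") else sn_name
    if body.lower().endswith(NSWO_INDICATOR_SUFFIX):
        body = body[: -len(NSWO_INDICATOR_SUFFIX)]
    return "5G:" + body


def select_authentication_method(sn_name: str, indication_06: bool,
                                 sub: Subscription) -> Tuple[Optional[str], Optional[str]]:
    """UDM side (S309 / S307).  Returns (method, None) on success or
    (None, rejection_cause) when the NSWO authorization check fails."""
    nswo_access = indication_06 or is_nswo_sn_name(sn_name)
    if not nswo_access:
        # S307: ordinary SN name and no indication 06 -> current 5G behaviour,
        # select the authentication method according to the SUPI.
        return sub.supi_based_method, None
    # Optional authorization of S309 before EAP-AKA' is chosen.
    if not sub.nswo_allowed:
        return None, "NSWO_NOT_AUTHORIZED"   # constructed cause value
    return "EAP-AKA'", None
```

The authorization check runs before the method is chosen, so a subscriber without NSWO rights is rejected with a cause value rather than being issued an EAP-AKA' authentication vector; `serving_network_of` is the "use only the portion related to indication information 05" option of S309.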
It should be noted that the manner of instructing the UDM to select the EAP-AKA' authentication method may be used alone, for example, the method 200 or the method 300, or may be used in combination, for example, the S303 in the method 300 is replaced by a part or all of the scheme of S203 in the method 200, and the scheme corresponding to the scheme of S203 in S209 in the method 200 is added to S309 in the method 300, or may also be used in combination in other manners, which is not limited in this application.
The method 400 for secure communication provided by the present application is described in detail below with reference to fig. 7. Fig. 7 is a schematic interaction diagram of a method 400 of the present application.
As shown in fig. 7, in the method 400, the authentication service function entity is composed of 2 network elements: a proxy and an AUSF.
S401 specifically refers to the description of S201 above, and S402 specifically refers to the description of S202 above.
S403, generating the SUCI from the SUPI, or generating the indication information 02.
For a first possible implementation, reference may be specifically made to the description in S203.
For a second possible implementation, reference may be specifically made to the description in S303.
S404 is described with particular reference to S204 above.
S405, the Wi-Fi AP forwards the message received from the UE in S404 to a proxy (proxy).
Specifically, the Wi-Fi AP finds the Proxy according to preconfigured information or according to the Home Network Identifier in the SUCI, and sends the EAP-Response/Identity message to the Proxy. The Proxy acts as the previous hop of the next network element: whichever network element the Proxy forwards the message to, the Proxy is the proxy of that network element.
It is understood that in method 400, the purpose or effect of adding proxy may include the following:
(1) To find the AUSF corresponding to the UE: in method 400 the next hop of the Proxy is the AUSF, so the Proxy may be referred to as an AUSF Proxy, or alternatively as AUSF-P.
(2) To reduce the exposed surface of the next-hop network element, or to relay the message when the Wi-Fi AP cannot directly find the next-hop network element. The AUSF of method 400 is explained below as an example. Since the AUSF is a network element that processes authentication, it needs to store the key Kausf of the UE, and if the AUSF were controlled by an attacker, the attacker could obtain the keys of many UEs. Therefore the AUSF should minimize the possibility of being directly reachable by non-core network elements. Since the Wi-Fi AP is an Internet Protocol (IP) network element that may not be trusted by the operator, a direct connection from the Wi-Fi AP to the AUSF poses a serious threat to the security of the AUSF. Therefore, in this case, a Proxy is required to receive the message from the Wi-Fi AP first.
(3) Proxy may also have some security functions, such as intercepting tampered packets addressed to the AUSF.
(4) To convert between service-based messages and non-service-based messages.
It should be noted that, in a specific implementation, the Proxy may be a separate network element, or may be co-located with a non-3GPP interworking function (N3IWF), an evolved packet data gateway (ePDG), a Trusted WLAN Interworking Function (TWIF), a 3GPP AAA server, or another network element. That is, the N3IWF, ePDG, TWIF, or 3GPP AAA server itself has the function of the Proxy.
S406, generating an SN name, or receiving a partial parameter for generating the SN name or constituting the SN name, or generating indication information 03.
Specifically, the authentication service function entity in the method 200 and the method 300 is composed of a proxy and an AUSF in the method 400, and thus S406 may also be performed by the proxy or the AUSF. There may be various ways in the S406 implementation, such as S406a or S406b below.
S406a, the proxy generates an SN name, or receives from the Wi-Fi AP partial parameters for generating or composing the SN name, or generates indication information 03.
Alternatively, the proxy may also send the partial parameters for generating or composing the SN name to the AUSF.
In particular, the generation of the SN name or the indication information 03 by the proxy can be accomplished in a variety of implementations.
Corresponding to the first possible implementation manner in S403, the description of the authentication service function entity in S206 may be specifically referred to as S406 a.
It should be understood that the SUCI or the indication information 05 in S203 is generated in S403, then the SN name is generated as usual in S406a with reference to S206, and then the authentication method is indicated to the UDM through the UE-generated SUCI or the indication information 05 in S411 with reference to S209.
A second possible implementation manner corresponds to the second possible implementation manner in S403, and reference may be specifically made to the description about the authentication service function entity in S306 for S406 a.
It should be understood that the SUCI is generated as in the general case in S403, the SN name or the indication information 06 is generated with reference to S306 in S406a, and then the authentication method is indicated to the UDM by the SN name or the indication information 06 generated by the proxy, with reference to S309, in S411.
A third possible implementation manner corresponds to the first possible implementation manner in S403, and reference may be specifically made to the description about the authentication service function entity in S306 for S406 a.
It should be understood that the SUCI or the indication information 05 of S203 is generated in S403, and the SN name or the indication information 06 is generated in S306 a; then the authentication method is indicated to the UDM through the UE-generated SUCI or indication information 05 and the proxy-generated SN name or indication information 06 in S411, with reference to S209 and S309.
Illustratively, the proxy generates the SN name from its network ID. For another example, the proxy generates the SN name according to the parameters composing the SN name that it received from the UE.
Further, the proxy may optionally select an AUSF supporting the NSWO authentication function, either locally or through the NRF, depending on the value of the RID (Routing Indicator).
S406b, the AUSF generates an SN name, or receives from the proxy partial parameters for generating or composing the SN name, or generates the indication information 03.
In particular, generating the SN name and the indication 03 with respect to the AUSF may be implemented in a variety of ways.
The first possible implementation manner corresponds to the first possible implementation manner in S403, and reference may be specifically made to the description about the authentication service function entity in S206 for S406b.
It should be understood that the SUCI or the indication information 05 in S203 is generated in S403, then the SN name is generated as usual in S406a with reference to S206, and then the authentication method is indicated to the UDM through the UE-generated SUCI or the indication information 05 in S411 with reference to S209.
A second possible implementation manner corresponds to the second possible implementation manner in S403, and reference may be specifically made to the description about the authentication service function entity in S306 for S406b.
It should be understood that the SUCI is generated as a general case in S403, the SN name or the indication information 06 is generated with reference to S306 in S406a, and then the authentication method is indicated to the UDM through the SN name or the indication information 06 generated by the AUSF with reference to S309 in S411.
A third possible implementation manner corresponds to the first possible implementation manner in S403, and reference may be specifically made to the description about the authentication service function entity in S306 for S406b.
It should be understood that the SUCI or indication 05 in S203 is generated in S403, and the SN name or indication 06 is generated in S306 a in S406, then the authentication method is indicated to the UDM by the UE-generated SUCI or indication 05, and the AUSF-generated SN name or indication 06 in S411, in reference to S209 and S309.
Illustratively, the AUSF receives the network ID of the proxy from the proxy and generates the SN name from that network ID. For another example, the parameters received by the AUSF from the proxy may be the partial parameters that the proxy received from the UE or the Wi-Fi AP for composing or generating the SN name, and the AUSF generates the SN name according to the access network identity (access network identity) or the access network type (access network type) received from the proxy.
S407, the proxy sends a UE authentication request (Nausf_UEAuthentication_Authenticate Request) message to the AUSF. The SUCI is carried in the message. Optionally, if S406 is implemented as S406a, the SN name generated by the proxy is also included in the message.
S408, the AUSF selects the UDM based on the SUCI.
Optionally, if the message received by the AUSF in S407 does not carry the SN name, S406 is implemented according to S406b.
S409 is described in detail with reference to S207, and S410 is described in detail with reference to S208.
S411, the UDM selects EAP-AKA' as the authentication method.
Corresponding to the first possible implementation manner in S406, reference may be specifically made to the description about the authentication service function entity in S209 in S411.
It should be understood that the SUCI or the indication information 05 in S203 is generated in S403, then the SN name is generated as a general case with reference to S206 in S406a, and then the authentication method is indicated to the UDM through the UE-generated SUCI or the indication information 05 with reference to S209 in S411.
A second possible implementation manner corresponds to the second possible implementation manner in S406, and reference may be specifically made to the description about the authentication service function entity in S309 in S411.
It should be understood that the SUCI is generated as a general case in S403, the SN name or the indication information 06 is generated with reference to S306 in S406a, and then the authentication method is indicated to the UDM through the SN name or the indication information 06 generated by the AUSF or the agent with reference to S309 in S411.
A third possible implementation manner, which corresponds to the third possible implementation manner in S406, specifically, reference may be made to the description about the authentication service function entity in S209 and S309 in S411.
It should be understood that the SUCI or indication 05 in S203 is generated in S403, and the SN name or indication 06 is generated in S306 a in S406a, then the authentication method is indicated to the UDM by the UE generated SUCI or indication 05, and the AUSF or proxy generated SN name or indication 06 in S411, in reference to S209 and S309.
S412, the UDM replies to the AUSF with a Nudm_UEAuthentication_Get Response message. The message carries the authentication vector AV and the SUPI.
S413, the AUSF replies with a UE authentication response (Nausf_UEAuthentication_Authenticate Response) message to the Proxy.
S414, the proxy forwards the AV and the generated SN name to the UE through an EAP Request (EAP Request) message. Alternatively, the EAP Request here may also be an AKA'-Challenge message.
S415 refers specifically to the description of S212.
S416, the UE sends an EAP Response (EAP Response) message to the proxy. Alternatively, the EAP Response here may also be an AKA'-Challenge message.
S417, the proxy sends a UE authentication request (Nausf_UEAuthentication_Authenticate Request) message to the AUSF.
S418, the AUSF verifies the authenticity of the UE and generates an MSK.
As shown in fig. 8, the AUSF may generate the MSK through a variety of methods using the following key architectures.
In the key architecture shown in fig. 8 (a), on the network side, the UDM generates CK and IK from K and sends CK' and IK' (derived from CK and IK) to the AUSF; after receiving CK' and IK', the AUSF generates the MSK and the EMSK. The high 256 bits of the EMSK are referred to as Kausf. The AUSF sends the MSK to the Wi-Fi AP, and the Wi-Fi AP generates Kwlan from the MSK. Similarly, on the UE side, the same steps as on the network side are performed by the Universal Subscriber Identity Module (USIM) and the Mobile Equipment (ME).
In the first method, after CK 'and IK' are received by AUSF, MSK and EMSK are generated. Wherein the high 256 bits of EMSK will be referred to as Kausf. Because the MSK is not currently used, the AUSF sends the MSK directly to the Wi-Fi AP.
If the UDM saves the entry in step S426 in the first manner, Kausf may not be saved, or Kausf may be saved and overwrite the Kausf of the previous authentication process. If Kausf is not stored, confusion of Kausf in the non-NSWO scenario can be avoided, because the SoR, UPU and other flows occur only in the non-NSWO scenario and not in the NSWO scenario. If Kausf is stored and overwrites the Kausf of the previous authentication process, the method is compatible with the current AUSF behaviour of storing the entry of a successfully authenticated UE, namely, Kausf must be stored whenever it is generated, regardless of the scenario. In another possibility, if the NSWO scenario supports ERP authentication, Kausf needs to be generated and saved.
If the UDM uses mode two in saving the entry, the AUSF may save Kausf.
Fig. 8 (b) shows another key architecture, which is different from the first key architecture in that MSK is further generated by Kausf.
In the second method, the MSK is further generated from Kausf. The MSK may be generated from Kausf in various ways. For example, the MSK is generated using the SN name as an input parameter, or using "WLAN" as an input parameter, or using the SUPI as an input parameter. Further, a discriminator may be introduced, with different values distinguishing different access scenarios, such as MSK = KDF(Kausf, discriminator length, SUPI length). The use of the discriminator can reduce the Kausf keys required, adapts to future development logic, reduces development workload and accelerates commercial deployment.
In addition, for preservation of Kausf, refer to the description in the first method.
The key architecture shown in fig. 8 (c) differs from the key architecture shown in fig. 8 (a) in that the low 256 bits of the EMSK are used as a base key, either directly as the MSK or as a root key from which a new MSK is generated.
In the third method, the low 256 bits of the EMSK are used as a base key, and the base key is either used directly as the MSK or used as a root key to generate a new MSK. The method for generating the new MSK can refer to the description of the second method. For the preservation of Kausf, refer to the description of the first method. The benefit of using the low 256 bits as the base key is to prevent key confusion: the high 256-bit key of the EMSK is used as the root key for authentication via the AMF, and the low 256-bit key is used as the root key for other authentication.
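The three MSK variants of fig. 8 (a) to (c), carried through in code as an added example (not the patent's own code, and not any vendor's implementation). The EAP-AKA' part follows RFC 5448: MK = PRF'(IK'|CK', "EAP-AKA'"|Identity) with PRF' an iterated HMAC-SHA-256, split into K_encr, K_aut, K_re, MSK and EMSK, with Kausf taken as the high 256 bits of the EMSK. CK', IK', the EAP identity, the SUPI and the discriminator are constructed sample values; the KDF input layout for the second method (FC byte, then each parameter followed by its 2-byte length, as in the TS 33.220 KDF) and the FC value are assumptions, as is expanding that KDF to the 64-octet MSK that EAP requires by running the same PRF' over it.

```python
"""EAP-AKA' key derivation (RFC 5448 PRF') and the three MSK variants of
fig. 8.  Added example, not the patent's code.  Sample keys, identity, SUPI
and discriminator are constructed; the method-two KDF layout, its FC byte
and the 64-octet expansion are assumptions."""
import hashlib
import hmac

MSK_LEN = 64   # EAP requires a 64-octet MSK (RFC 3748)


def prf_prime(key: bytes, s: bytes, out_len: int) -> bytes:
    """RFC 5448 PRF': T1 = HMAC-SHA-256(K, S|0x01),
    Tn = HMAC-SHA-256(K, T(n-1)|S|n); the output is T1|T2|... truncated."""
    out, t, n = b"", b"", 1
    while len(out) < out_len:
        t = hmac.new(key, t + s + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:out_len]


def eap_aka_prime_keys(ck_p: bytes, ik_p: bytes, identity: bytes) -> dict:
    """Fig. 8 (a), after CK'/IK' are received: MK = PRF'(IK'|CK',
    "EAP-AKA'"|Identity), split into K_encr(16) K_aut(32) K_re(32) MSK(64) EMSK(64)."""
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity, 16 + 32 + 32 + 64 + 64)
    return {"K_encr": mk[0:16], "K_aut": mk[16:48], "K_re": mk[48:80],
            "MSK": mk[80:144], "EMSK": mk[144:208]}


def kausf_from_emsk(emsk: bytes) -> bytes:
    """Kausf is the high (most significant) 256 bits of the EMSK."""
    return emsk[:32]


def low_half_emsk(emsk: bytes) -> bytes:
    """Base key of the third method: the low 256 bits of the EMSK."""
    return emsk[32:]


def kdf_input(fc: int, *params: bytes) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 ..., each Li a 2-byte big-endian length
    (TS 33.220 layout; the FC value passed below is a placeholder)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def msk_method_one(keys: dict) -> bytes:
    """First method: the MSK from the EAP-AKA' derivation is sent as is."""
    return keys["MSK"]


def msk_from_root(root_key: bytes, discriminator: bytes, supi: bytes) -> bytes:
    """MSK = KDF(root, discriminator, length, SUPI, length).  Different
    discriminator values keep different access scenarios apart under one root."""
    return prf_prime(root_key, kdf_input(0xFF, discriminator, supi), MSK_LEN)


def msk_method_two(keys: dict, discriminator: bytes, supi: bytes) -> bytes:
    """Second method (fig. 8 (b)): the MSK is derived from Kausf."""
    return msk_from_root(kausf_from_emsk(keys["EMSK"]), discriminator, supi)


def msk_method_three(keys: dict, discriminator: bytes, supi: bytes,
                     derive: bool = True) -> bytes:
    """Third method (fig. 8 (c)): the low 256 bits of the EMSK are the base
    key, used directly as the MSK or as the root of a new MSK."""
    base = low_half_emsk(keys["EMSK"])
    return msk_from_root(base, discriminator, supi) if derive else base


# Constructed sample input shared by the UE side and the network side.
SAMPLE_CK_P = bytes(range(16))
SAMPLE_IK_P = bytes(range(16, 32))
SAMPLE_IDENTITY = b"0234150999999999@nai.5gc.mnc015.mcc234.3gppnetwork.org"
SAMPLE_SUPI = b"imsi-234150999999999"

if __name__ == "__main__":
    keys = eap_aka_prime_keys(SAMPLE_CK_P, SAMPLE_IK_P, SAMPLE_IDENTITY)
    print("Kausf   :", kausf_from_emsk(keys["EMSK"]).hex())
    print("MSK (2) :", msk_method_two(keys, b"WLAN", SAMPLE_SUPI).hex())
    print("MSK (3) :", msk_method_three(keys, b"WLAN", SAMPLE_SUPI).hex())
```

The separation the third method relies on is visible in the code: `kausf_from_emsk` and `low_half_emsk` never overlap, so the AMF-side root (high half) and the NSWO-side root (low half) cannot be confused even when both are derived in one EAP-AKA' run.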
S419 refers specifically to the description in S218.
S420, the AUSF sends a UE authentication response (Nausf_UEAuthentication_Authenticate Response) message to the proxy. The SUPI of the UE is not carried in this message.
It is to be appreciated that in this scenario the Wi-Fi AP cannot perceive the SUPI of the UE, nor does any other network element need to perceive the SUPI of the UE, so the AUSF does not carry the SUPI of the UE in this message.
When the UE is authenticated via the AMF, if the AUSF receives a SUCI, this step must carry the SUPI, since the SUPI is sent to the AMF.
S421-S424 can be seen in S219 to S222.
In S423, the UE generates the same MSK as in step S418. The description of step S418 may be referred to for both the MSK generation method and the Kausf storage.
S425 may refer to the description of S215. The network element acting as the authentication function entity is the AUSF. Similarly to S215, in one possible implementation, if the authentication function entity determines that the UE accesses using the NSWO mode, the AUSF does not need to initiate the S425-S427 procedure after the UE is successfully authenticated.
S426, the UDM saves the authentication status of the UE accessed through non-3GPP access.
The UDM may record the state of the UE successfully authenticated, and may record in the following two possible ways.
In a first way, the UDM maintains only one entry for the UE.
In possible case one, if the UE has been authenticated with an AUSF before, the UDM overwrites the AUSF ID stored after that successful authentication with the AUSF ID used in the current authentication. In this case, both the AUSF and the UE need to generate and store Kausf. The AUSF ID used for NSWO authentication may or may not overwrite that of a previous non-NSWO authentication, if any. If NSWO authentication may overwrite the AUSF ID, the current general practice is followed, that is, the UDM only needs to store the Kausf corresponding to the last authenticating AUSF.
Illustratively, the entries maintained by the UDM are shown in Table 1.
TABLE 1
In possible case two, the UDM only records the AUSF ID used in non-NSWO authentication. In this case, neither the AUSF nor the UE needs to generate Kausf, or they generate Kausf but do not need to store it. This can also be understood as follows: if NSWO authentication does not overwrite the AUSF ID, then UPU and SoR may still be needed after authentication via the AMF, because the UPU and steering of roaming (SoR) flows can only occur through the AMF. In other words, NSWO authentication has no relation to UPU and SoR because it does not pass through the AMF. Under this understanding, the AUSF ID used by NSWO authentication and the generated Kausf are not required subsequently.
Exemplarily, the entry maintained by the UDM is shown in table 2, the combination of the second column and the fourth column indicates that the UE successfully authenticates through NSWO, the combination of the third column and the fourth column identifies that the UE successfully authenticates through non-NSWO, and the AUSF ID in the fifth column is the AUSF ID recorded when the non-NSWO successfully authenticates.
TABLE 2
UE ID=SUPI | NSWO authentication | non-NSWO authentication | Successful | AUSF ID |
And in the second mode, the UDM maintains 2 items of successful authentication for the UE.
Wherein, one entry of the UDM record is marked as WLAN authentication or NSWO authentication for distinguishing the context generated by UE through AMF and AUSF authentication. If the UE has been authenticated with the AUSF before accessing through the WLAN and generates a security context Kausf, the AUSF also records another entry and marks the entry as being authenticated through the AMF. At this time, when the UDM initiates a SoR flow or a UE Parameter Update (UPU) flow, the UDM needs to protect parameters that need to be protected by the SoR and UPU flows by using Kausf generated through AMF authentication. When the UDM initiates re-authentication of the ERP in the NSWO scenario, kausf in the authentication process in the NSWO access scenario is used. That is, at this point Kausf may be used for the ERP flow.
Exemplarily, table 3 shows 2 entries of successful authentication of the same UE maintained by the AUSF. The second column, "NSWO authentication" and "non-NSWO authentication" are used to distinguish whether or not AMF access AUSF is used for authentication, and the fourth column AUSF ID is used to indicate which AUSF is storing Kausf, so the two schemes mainly aim at making the UDM to specify which AUSF should be used for communication with the UE through non-3GPP, so as to determine which key is used for protection. At this time, when the UDM initiates the SoR flow or the UPU flow, the UDM needs to use Kausf stored in the AUSF corresponding to the AUSF ID in the non-NSWO authentication entry in table 3 to protect parameters that need to be protected by the SoR and UPU flows. When the UDM initiates re-authentication of the ERP in the NSWO scenario, kausf in the authentication process in the NSWO access scenario is used. And the UDM uses Kausf or EMSK stored in AUSF corresponding to the AUSF ID in the NSWO authentication entry to perform re-authentication process.
TABLE 3
It should be noted that, in the embodiment of the present application, the AUSF executes the authentication function as an example for description, so that the IDs of the authentication service functional entities recorded by the UDM are all AUSF IDs, and if the authentication service functional entity is another network element, the ID of the authentication service functional entity recorded by the UDM is an ID of another network element, which is not limited in the present application. Illustratively, the authentication service function entity is an AAA server, and the ID recorded by the authentication service function entity is an AAA ID.
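The two UDM record-keeping modes of S426, and the rule for which stored AUSF (and therefore which Kausf) protects later SoR/UPU and ERP flows, as an added example; it is not the patent's own code, and the UDM storage is modelled by in-memory classes. Mode one keeps a single table-2-shaped entry per UE, with a switch between case one (NSWO may overwrite the stored AUSF ID) and case two (only the non-NSWO AUSF ID is recorded); mode two keeps one entry per UE for NSWO and one for authentication via the AMF, as in table 3. SUPIs and AUSF IDs are constructed sample values.

```python
"""UDM authentication-state records for NSWO and non-NSWO authentication
(S426) and the choice of AUSF for later SoR/UPU and ERP flows.  Added
example, not the patent's own code; identifiers are constructed samples."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SingleEntry:
    """Mode one: one entry per UE, with the columns of table 2."""
    nswo_authenticated: bool = False
    non_nswo_authenticated: bool = False
    successful: bool = False
    ausf_id: Optional[str] = None   # an AAA ID instead, if the entity is an AAA server


@dataclass
class ScenarioEntry:
    """Mode two: one entry per (UE, scenario), marked NSWO or via-AMF."""
    successful: bool
    ausf_id: str


class UdmAuthState:
    def __init__(self, mode: int, nswo_overwrites_ausf_id: bool = False):
        if mode not in (1, 2):
            raise ValueError("mode must be 1 (single entry) or 2 (two entries)")
        self.mode = mode
        # Mode one only: case one (True) lets NSWO authentication overwrite the
        # stored AUSF ID; case two (False) records only the non-NSWO AUSF ID.
        self.nswo_overwrites_ausf_id = nswo_overwrites_ausf_id
        self.single: Dict[str, SingleEntry] = {}
        self.per_scenario: Dict[Tuple[str, bool], ScenarioEntry] = {}

    def record_success(self, supi: str, via_nswo: bool, ausf_id: str) -> None:
        """Store a successful authentication of `supi` performed by `ausf_id`."""
        if self.mode == 1:
            e = self.single.setdefault(supi, SingleEntry())
            e.successful = True
            if via_nswo:
                e.nswo_authenticated = True
                if self.nswo_overwrites_ausf_id:
                    e.ausf_id = ausf_id
            else:
                e.non_nswo_authenticated = True
                e.ausf_id = ausf_id
        else:
            self.per_scenario[(supi, via_nswo)] = ScenarioEntry(True, ausf_id)

    def ausf_for_sor_upu(self, supi: str) -> Optional[str]:
        """SoR and UPU run through the AMF, so they are protected with the
        Kausf held by the AUSF recorded for non-NSWO (AMF) authentication."""
        if self.mode == 1:
            e = self.single.get(supi)
            return e.ausf_id if e else None
        e = self.per_scenario.get((supi, False))
        return e.ausf_id if e else None

    def ausf_for_erp(self, supi: str) -> Optional[str]:
        """ERP re-authentication in the NSWO scenario reuses the Kausf/EMSK of
        the AUSF recorded for NSWO authentication."""
        if self.mode == 1:
            e = self.single.get(supi)
            # Case two keeps no NSWO AUSF ID or Kausf, so ERP has nothing to reuse.
            if e is None or not e.nswo_authenticated or not self.nswo_overwrites_ausf_id:
                return None
            return e.ausf_id
        e = self.per_scenario.get((supi, True))
        return e.ausf_id if e else None
```

In mode one the same single AUSF ID has to serve both flows, which is exactly the ambiguity mode two removes: with separate NSWO and via-AMF entries, a NSWO authentication by a different AUSF can never redirect the SoR/UPU protection key.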
S427 can be referred to the description of S217.
In the embodiment of the application, the NSWO scenario is applied to the 5G system, the application range of the NSWO access mode is expanded, and the authentication process between the UE and the 5GC in the NSWO scenario can be perfected by indicating to the UDM to select the EAP-AKA' authentication method. In addition, in the NSWO scenario, the terminal device may access the 5GC through the non-3GPP access technology without passing through the AMF, which reduces the burden on the AMF and also saves the overhead of deploying the architecture in which the UE accesses the 5GC through the non-3GPP technology. Meanwhile, compared with the authentication state stored in the current UDM, the authentication method can record the successful authentication state without recording the ID of the authentication service function entity, which is simple to maintain, requires fewer network elements to be changed, and is convenient, quick and ready for commercial use; or, indication information of whether the authentication was initiated in the NSWO mode can be added on the basis of binding the successful authentication state to the authentication service function entity, so that the entry recorded by the UDM is clearer. In addition, an authentication service function entity is formed by the proxy and the AUSF, so that the exposed surface of the AUSF is reduced and security is further improved; the root key of the key used for communication between the UE and the network side is generated in a way compatible with the current key architecture, so that the authentication and key distribution mechanism is perfected, the development workload is reduced, and commercial deployment is accelerated.
The method 500 for secure communication provided by the present application is described in detail below with reference to fig. 9. Fig. 9 is a schematic interaction diagram of a method 500 of the present application.
Method 500 differs from method 400 in the following respects:
(1) The AUSF in method 400 is replaced with an AAA server, so the key structure of method 400 also needs to change accordingly. Because the AAA server does not need to generate Kausf, the AAA server directly generates the MSK and EMSK at step 18 without taking the upper 256 bits of the EMSK as Kausf. The AAA server then sends the MSK to the Wi-Fi AP.
(2) In S526, if the UDM records an entry indicating that the UE was successfully authenticated in mode two, the entry needs to contain the identity of the AAA server, i.e., the AAA ID, through which the UE was successfully authenticated.
On the basis of the beneficial effects of method 400, this embodiment of the application allows authentication to go through the AAA server in the NSWO scenario and through the AUSF in the non-NSWO scenario; the two are naturally separated by the difference in network elements, so the two authentication modes are more independent and clearer.
For the steps of method 500 other than the differences described above, refer to the corresponding steps of method 400.
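As an added illustration of the key-structure difference between method 400 and method 500 (this is example code written for this page, not code from the patent or from any 3GPP implementation), the EAP-AKA' key derivation of RFC 5448 is carried through in Python: the Master Key MK is expanded with PRF' from IK', CK' and the peer identity and split into K_encr, K_aut, K_re, MSK and EMSK. The two server roles then differ only in whether the upper 256 bits of the EMSK are retained as Kausf (the rule TS 33.501 uses for EAP-AKA'); the AAA server of method 500 hands the MSK to the Wi-Fi AP and keeps no Kausf. CK', IK' and the identity below are constructed sample values, and the derivation of CK'/IK' from CK/IK and the network name is not shown.

```python
import hmac
import hashlib

# Constructed sample inputs (not test vectors from RFC 5448 or 3GPP).
CK_PRIME = bytes(range(16))
IK_PRIME = bytes(range(16, 32))
IDENTITY = b"0234150999999999@nai.example.org"  # constructed NAI-format identity


def prf_prime(key: bytes, seed: bytes, out_len: int) -> bytes:
    """PRF' of RFC 5448 section 3.4.1 (HMAC-SHA-256 based):
    T1 = HMAC(K, S | 0x01), Tn = HMAC(K, T(n-1) | S | n); output = T1 | T2 | ..."""
    out = b""
    prev = b""
    counter = 1
    while len(out) < out_len:
        prev = hmac.new(key, prev + seed + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:out_len]


def eap_aka_prime_keys(ck_prime: bytes, ik_prime: bytes, identity: bytes) -> dict:
    """MK = PRF'(IK' | CK', "EAP-AKA'" | Identity), 1664 bits, split per RFC 5448 section 3.3."""
    mk = prf_prime(ik_prime + ck_prime, b"EAP-AKA'" + identity, 208)
    return {
        "K_encr": mk[0:16],   # 128-bit encryption key for AT_ENCR_DATA
        "K_aut": mk[16:48],   # 256-bit key for AT_MAC
        "K_re": mk[48:80],    # 256-bit re-authentication key
        "MSK": mk[80:144],    # 512-bit Master Session Key, exported to the authenticator
        "EMSK": mk[144:208],  # 512-bit Extended MSK, never leaves the server
    }


def kausf_from_emsk(emsk: bytes) -> bytes:
    """Method 400 behaviour: the most significant 256 bits of EMSK become Kausf,
    the root of the 5G key hierarchy for this UE."""
    return emsk[:32]


def ausf_outputs(ck_prime: bytes, ik_prime: bytes, identity: bytes) -> dict:
    """AUSF role (method 400): MSK goes to the Wi-Fi AP, Kausf is retained."""
    keys = eap_aka_prime_keys(ck_prime, ik_prime, identity)
    return {"to_ap": keys["MSK"], "retained_kausf": kausf_from_emsk(keys["EMSK"])}


def aaa_server_outputs(ck_prime: bytes, ik_prime: bytes, identity: bytes) -> dict:
    """AAA server role (method 500): MSK goes to the Wi-Fi AP; EMSK is derived as part of
    the EAP-AKA' key block but no Kausf is cut from it."""
    keys = eap_aka_prime_keys(ck_prime, ik_prime, identity)
    return {"to_ap": keys["MSK"], "retained_kausf": None}


if __name__ == "__main__":
    print("MSK for AP :", ausf_outputs(CK_PRIME, IK_PRIME, IDENTITY)["to_ap"].hex())
    print("Kausf (AUSF):", ausf_outputs(CK_PRIME, IK_PRIME, IDENTITY)["retained_kausf"].hex())
    print("Kausf (AAA) :", aaa_server_outputs(CK_PRIME, IK_PRIME, IDENTITY)["retained_kausf"])
```

The MSK handed to the Wi-Fi AP is identical in both roles, so the WLAN side of the procedure is unaffected by which entity performs authentication; only the network side differs in whether a 5G root key exists for this UE afterwards.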
The method 600 for secure communication provided by the present application is described in detail below with reference to fig. 10. Fig. 10 is a schematic interaction diagram of a method 600 of the present application.
Method 600 differs from method 500 in that:
(1) The proxy in method 500 is replaced by an AAA server, and the AUSF in method 500 is replaced by a network element that converts between the AAA protocol and the service-based protocol, namely a non-seamless WLAN offload authentication and authorization function (NSWOAAF). The NSWOAAF specifically handles the authentication procedure in the NSWO scenario and is an authentication service function entity. The authentication procedure and the key generation procedure in method 600 may be delegated to the AAA server; for details, refer to the corresponding descriptions in method 500. During the authentication procedure, the NSWOAAF is used for protocol conversion. The NSWOAAF may be a separate function, network element or entity, or may be part of the AUSF.
(2) The message name in S607 may differ from that in S507 while the message content is the same; for example, the message name in S607 may be "request AKA authentication" (request AKA vector).
(3) The message name in S613 may differ from that in S513 while the message content is the same; for example, the message name in S613 may be "return AKA authentication" (return AKA vector).
In this embodiment of the application, the NSWO scenario is applied to the 5G system, the application range of the NSWO access mode is expanded, and the authentication procedure between the UE and the 5GC in the NSWO scenario can be completed by indicating to the UDM that it should select the EAP-AKA' authentication method. In addition, in the NSWO scenario the terminal device may access the 5GC through a non-3GPP access technology without passing through the AMF, which reduces the load on the AMF and also saves the overhead of deploying the architecture in which the UE accesses the 5GC through non-3GPP technology.
The method 700 for secure communication provided by the present application is described in detail below with reference to fig. 11. Fig. 11 is a schematic interaction diagram of a method 700 of the present application.
Method 700 differs from method 400 in that:
The proxy in method 400 is replaced with an AAA server, which is responsible for conversion between the AAA protocol and the service-based protocol; an AAA proxy is added to the architecture, which is responsible for locating a 3GPP AAA server when the Wi-Fi AP cannot reach the AAA server directly; and the AUSF is responsible for authentication and key derivation.
For the information exchange in method 700, refer to the similar steps in method 400, with the interaction steps between the AAA proxy and the AAA server as shown in fig. 11.
In this embodiment of the application, the NSWO scenario is applied to the 5G system, the application range of the NSWO access mode is expanded, and the authentication procedure between the UE and the 5GC in the NSWO scenario can be completed by indicating to the UDM that it should select the EAP-AKA' authentication method. In addition, in the NSWO scenario the terminal device may access the 5GC through a non-3GPP access technology without passing through the AMF, which reduces the load on the AMF and also saves the overhead of deploying the architecture in which the UE accesses the 5GC through non-3GPP technology.
The method provided by the embodiment of the present application is described in detail above with reference to fig. 1 to 11. Hereinafter, the apparatus provided in the embodiment of the present application will be described in detail with reference to fig. 12 to 13.
Fig. 12 is a schematic block diagram of a communication device for secure communication according to an embodiment of the present application. As shown in fig. 12, the communication device 10 may include a transceiver module 11 and a processing module 12.
The transceiver module 11 may be configured to receive information sent by other apparatuses, and may also be configured to send information to other apparatuses, for example receiving a first message or sending first indication information. The processing module 12 may be configured to perform the content processing of the device, for example generating the first indication information according to the first message.
In one possible design, the communication device 10 may correspond to a terminal device in the above-described method embodiment.
Specifically, the communication apparatus 10 may correspond to a terminal device or a UE in any one of the methods 100 to 700 according to the embodiment of the present application, the communication apparatus 10 may include a module for performing an operation performed by the terminal device in the corresponding method, and each unit in the communication apparatus 10 is respectively configured to implement the operation performed by the terminal device in the corresponding method.
Illustratively, when the communication device 10 corresponds to the terminal device in the method 100, the transceiver module 11 is configured to execute steps S101 and S103, and the processing module 12 is configured to execute step S102.
Illustratively, when the communication device 10 corresponds to the UE in the method 200, the transceiver module 11 is configured to execute steps S201, S202, S204, S211, S213, S218, S220, and S222, and the processing module 12 is configured to execute steps S203, S212, and S221.
Illustratively, when the communication device 10 corresponds to the UE in the method 300, the transceiver module 11 is configured to execute steps S301, S302, S304, S311, S313, S318, S320, and S322, and the processing module 12 is configured to execute steps S303, S312, and S321.
Illustratively, when the communication device 10 corresponds to the UE in the method 400, the transceiver module 11 is configured to execute steps S401, S402, S404, S414, S416, S419, S422, and S424, and the processing module 12 is configured to execute steps S403, S415, and S423.
Illustratively, when the communication device 10 corresponds to the UE in the method 500, the transceiver module 11 is configured to execute steps S501, S502, S504, S514, S516, S519, S522, and S524, and the processing module 12 is configured to execute steps S503, S515, and S523.
Illustratively, when the communication device 10 corresponds to the UE in the method 600, the transceiver module 11 is configured to execute steps S601, S602, S604, S614, S616, S619, S622, and S624, and the processing module 12 is configured to execute steps S603, S615, and S623.
Illustratively, when the communication device 10 corresponds to the UE in the method 700, the transceiver module 11 is configured to execute steps S701, S702, S704, S714, S716, S719, S722, and S724, and the processing module 12 is configured to execute steps S703, S715, and S723.
In particular, in a possible embodiment, the transceiver module 11 is configured to receive a message from a wireless access point; the processing module 12 is configured to generate indication information according to the message, where the indication information indicates that the terminal device is in a non-seamless wireless local area network offload (NSWO) scenario; and the transceiver module 11 is further configured to send the indication information.
The processing module 12 is further configured to determine, according to the message, to access the network using the NSWO mode.
The indication information is a subscription concealed identifier (SUCI) in network access identifier (NAI) format, or a field in the SUCI.
The processing module 12 is further configured to generate a master session key, where the master session key is used to generate a key for the terminal device to communicate with a network, and the network is the network that the terminal device accesses in the NSWO mode.
The transceiver module 11 is further specifically configured to send the indication information to a unified data management entity, an authentication service function entity, or the wireless access point.
In another possible design, the communication device 10 may correspond to a unified data management entity or UDM in the above-described method embodiment.
In particular, the communication device 10 may correspond to the unified data management entity or the UDM in any of the methods 100 to 700 according to the embodiments of the present application, the communication device 10 may include a module for performing operations performed by the unified data management entity or the UDM in the respective method, and each unit in the communication device 10 is for implementing the operations performed by the unified data management entity or the UDM in the respective method, respectively.
Illustratively, when the communication device 10 corresponds to the unified data management entity in the method 100, the transceiver module 11 is configured to execute step S106, and the processing module 12 is configured to execute step S107.
Illustratively, when the communication device 10 corresponds to the UDM of the method 200, the transceiver module 11 is configured to perform steps S207, S210, S215, S217, and the processing module 12 is configured to perform steps S208, S209, S216.
Illustratively, when the communication device 10 corresponds to the UDM of the method 300, the transceiver module 11 is configured to perform steps S307, S310, S315, S317, and the processing module 12 is configured to perform steps S308, S309, S316.
Illustratively, when the communication device 10 corresponds to the UDM in the method 400, the transceiver module 11 is configured to execute steps S409, S412, S425, and S427, and the processing module 12 is configured to execute steps S410, S411, and S426.
Illustratively, when the communication device 10 corresponds to the UDM of the method 500, the transceiver module 11 is configured to perform steps S509, S512, S525, S527, and the processing module 12 is configured to perform steps S510, S511, S526.
Illustratively, when the communication device 10 corresponds to the UDM in the method 600, the transceiver module 11 is configured to perform steps S609, S612, S624, S626, and the processing module 12 is configured to perform steps S610, S611, S625.
Illustratively, when the communication device 10 corresponds to the UDM in the method 700, the transceiver module 11 is configured to execute steps S709, S712, S725, S727, and the processing module 12 is configured to execute steps S710, S711, S726.
Specifically, in a possible embodiment, the transceiver module 11 is configured to receive indication information from an authentication service function entity; and the processing module 12 is configured to select, according to the indication information, extensible authentication protocol-authentication and key agreement (EAP-AKA') from among at least two authentication methods for authentication with the terminal device.
The indication information is a subscription concealed identifier (SUCI) in network access identifier (NAI) format, or a field in the SUCI.
The indication information comprises any one or more of the following: the identifier of the authentication service function entity, the identifier of the network where the terminal device is located, access technology type indication information, or access method indication information, where the access technology type indication information is used to indicate the type of the access network, and the access method indication information is used to indicate the characteristics of the access technology used by the terminal device.
The processing module 12 is further configured to store information identifying that the terminal device accesses the network by non-seamless wireless local area network offload (NSWO); or, the processing module 12 is further configured to store information identifying that the terminal device accesses the network by NSWO together with an identifier of the authentication service function entity.
The information that the terminal device accesses the network by non-seamless wireless local area network offload (NSWO) is used in the extensible authentication protocol (EAP) re-authentication procedure.
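The UDM-side logic described in this design, as an added worked example (written for this page, not code from the patent or from any UDM implementation): the UDM parses the NAI-format SUCI or the other indication fields, selects EAP-AKA' whenever NSWO is indicated, and stores the successful-authentication entry in either of the two recording modes the description gives (state only, or state bound to the authentication service entity ID). The assumption that NSWO is signalled by a dedicated label in the realm of the NAI-format SUCI, the realm shape used in the sample values, the field names of the indication structure and the re-authentication check are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption for this example: NSWO access is marked by a dedicated label in the
# realm part of the NAI-format SUCI. Only realm labels are inspected.
NSWO_REALM_LABEL = "nswo"
KNOWN_METHODS = {"5G-AKA", "EAP-AKA'"}


@dataclass
class Indication:
    """Indication information as received by the UDM (field names are assumed)."""
    suci_nai: Optional[str] = None
    auth_entity_id: Optional[str] = None   # AUSF ID or AAA ID
    network_id: Optional[str] = None
    access_type: Optional[str] = None      # e.g. "non-3gpp"
    access_method: Optional[str] = None    # e.g. "nswo"


def suci_indicates_nswo(suci_nai: str) -> bool:
    """True when the realm of the NAI-format SUCI carries the NSWO label.
    A username that merely contains 'nswo' does not count."""
    if "@" not in suci_nai:
        return False
    realm = suci_nai.rsplit("@", 1)[1].lower()
    return NSWO_REALM_LABEL in realm.split(".")


def select_auth_method(ind: Indication, subscribed_default: str) -> str:
    """Pick EAP-AKA' when NSWO is indicated, else fall back to the subscribed method."""
    if subscribed_default not in KNOWN_METHODS:
        raise ValueError(f"unknown default authentication method: {subscribed_default}")
    if ind.suci_nai and suci_indicates_nswo(ind.suci_nai):
        return "EAP-AKA'"
    if (ind.access_method or "").lower() == "nswo":
        return "EAP-AKA'"
    return subscribed_default


@dataclass
class AuthEntry:
    nswo: bool
    auth_entity_id: Optional[str] = None


class UdmAuthStatus:
    """Successful-authentication store.
    Mode one: record only the NSWO state. Mode two: also bind the entity ID."""

    def __init__(self, bind_entity_id: bool):
        self.bind_entity_id = bind_entity_id
        self._entries: Dict[str, AuthEntry] = {}

    def record_success(self, supi: str, nswo: bool,
                       auth_entity_id: Optional[str] = None) -> AuthEntry:
        if self.bind_entity_id and auth_entity_id is None:
            raise ValueError("mode two requires the authentication service entity ID")
        entry = AuthEntry(nswo=nswo,
                          auth_entity_id=auth_entity_id if self.bind_entity_id else None)
        self._entries[supi] = entry
        return entry

    def nswo_reauth_allowed(self, supi: str, auth_entity_id: Optional[str] = None) -> bool:
        """Assumed check for EAP re-authentication: the subscriber must hold a successful
        NSWO entry and, in mode two, the requesting entity must be the one that is bound."""
        entry = self._entries.get(supi)
        if entry is None or not entry.nswo:
            return False
        if self.bind_entity_id and entry.auth_entity_id != auth_entity_id:
            return False
        return True


# Constructed sample SUCI values in NAI format (the realm layout is assumed).
SUCI_NSWO = "type0.rid678.schid0.userid0123456789@nai.5gc.nswo.mnc015.mcc234.3gppnetwork.org"
SUCI_PLAIN = "type0.rid678.schid0.userid0123456789@nai.5gc.mnc015.mcc234.3gppnetwork.org"

if __name__ == "__main__":
    print(select_auth_method(Indication(suci_nai=SUCI_NSWO), "5G-AKA"))
    store = UdmAuthStatus(bind_entity_id=True)
    store.record_success("supi-1", nswo=True, auth_entity_id="aaa-1")
    print(store.nswo_reauth_allowed("supi-1", "aaa-1"))
```

Keeping the NSWO decision keyed on realm labels rather than on a substring match matters because the username part of the SUCI is subscriber-controlled in format; the mode-two store additionally rejects a re-authentication request arriving from an entity other than the one recorded, which is the property the bound entity ID buys over the state-only record.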
In another possible design, the communication device 10 may correspond to an authentication service entity or AUSF or proxy or AAA server or NSWOAAF in the above-described method embodiment.
Specifically, the communication device 10 may correspond to the authentication service entity or the AUSF or proxy or the AAA server or the NSWOAAF in any one of the methods 100 to 700 according to the embodiments of the present application, the communication device 10 may include a module for performing an operation performed by the authentication service entity or the AUSF or proxy or the AAA server or the NSWOAAF in the corresponding method, and each unit in the communication device 10 is configured to implement the operation performed by the authentication service entity or the AUSF or proxy or the AAA server or the NSWOAAF in the corresponding method, respectively.
Illustratively, when the communication device 10 corresponds to the authentication service function entity in the method 100, the transceiver module 11 is configured to execute steps S103, S104, and S106, and the processing module 12 is configured to execute step S105.
Illustratively, when the communication device 10 corresponds to the authentication service function entity in the method 200, the transceiver module 11 is configured to execute steps S204, S207, S210, S211, S213, S215, S217, S218, and S219, and the processing module 12 is configured to execute steps S205, S206, and S214.
Illustratively, when the communication device 10 corresponds to the authentication service function entity in the method 300, the transceiver module 11 is configured to perform steps S304, S307, S310, S311, S313, S315, S317, S318, and S319, and the processing module 12 is configured to perform steps S305, S306, and S314.
Illustratively, when the communication device 10 corresponds to the AUSF of the method 400, the transceiver module 11 is configured to execute steps S407, S409, S4122, S413, S417, S418, S420, S425, and S427, and the processing module 12 is configured to execute steps S408, S406b, and S418.
Illustratively, when the communication device 10 corresponds to the AAA server in the method 500, the transceiver module 11 is configured to execute steps S507, S509, S512, S513, S517, S520, S525 and S527, and the processing module 12 is configured to execute steps S508, S506b and S518.
Illustratively, when the communication device 10 corresponds to the AAA server in the method 600, the transceiver module 11 is configured to execute steps S502 and S504, and the processing module 12 is configured to execute steps S606 and S617.
Illustratively, when the communication device 10 corresponds to the AUSF in the method 700, the transceiver module 11 is configured to execute steps S707, S709, S701, S713, S717, S720, S725, and S727, and the processing module 12 is configured to execute steps S708, S706b, and S718.
In particular, in a possible embodiment, the transceiver module 11 is configured to receive a message from a wireless access point; the processing module 12 is configured to generate indication information according to the message, where the indication information is used to indicate to the unified data management entity that it should select extensible authentication protocol-authentication and key agreement (EAP-AKA') for authentication with the terminal device; and the transceiver module 11 is further configured to send the indication information to the unified data management entity.
The indication information comprises any one or more of the following: the identifier of the authentication service function entity, the identifier of the network where the terminal device is located, access technology type indication information, or access method indication information, where the access technology type indication information is used to indicate the type of the access network, and the access method indication information is used to indicate the characteristics of the access technology used by the terminal device.
The processing module 12 is further configured to determine, according to the message, that the terminal device accesses the network in the NSWO mode.
The processing module 12 is further configured to generate a master session key, where the master session key is used to generate a key for the terminal device to communicate with the network; the transceiver module 11 is further configured to send the master session key to the wireless access point.
Fig. 13 is a schematic diagram of an apparatus 20 for secure communication according to an embodiment of the present application.
In one possible design, the apparatus 20 may be a unified data management entity, or may be a chip or a system of chips located on the unified data management entity.
In a possible design, the apparatus 20 may be an authentication service function entity, and may also be a chip or a chip system located on the authentication service function entity.
In one possible design, the apparatus 20 may be a terminal device including various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to a wireless modem, and various forms of terminals, mobile stations, terminals, user equipment, soft terminals, etc., and may also be a chip or a system of chips located on the terminal device, etc.
The apparatus 20 may include a processor 21 (i.e., an example of a processing module) and a memory 22. The memory 22 is used for storing instructions and the processor 21 is used for executing the instructions stored by the memory 22 to make the apparatus 20 implement the steps performed by the devices in the various possible designs as described above in the corresponding methods in fig. 4 to 11.
Further, the apparatus 20 may further include an input port 23 (i.e., one example of a transceiver module) and an output port 24 (i.e., another example of a transceiver module). Further, the processor 21, memory 22, input port 23 and output port 24 may communicate with each other via internal connection paths, passing control and/or data signals. The memory 22 is used for storing a computer program, and the processor 21 may be used for calling and running the computer program from the memory 22 to control the input port 23 to receive a signal and the output port 24 to send a signal, so as to complete the steps of the method described above for the terminal device, the radio access network device, the UE, or the base station. The memory 22 may be integrated in the processor 21 or may be provided separately from the processor 21.
Alternatively, if the apparatus 20 is a communication device, the input port 23 is a receiver and the output port 24 is a transmitter. The receiver and the transmitter may be the same physical entity or different physical entities; when they are the same physical entity, they may be collectively referred to as a transceiver.
Alternatively, if the apparatus 20 is a chip or a circuit, the input port 23 is an input interface and the output port 24 is an output interface.
As one implementation, the functions of the input port 23 and the output port 24 may be realized by a transceiver circuit or a dedicated chip for transceiving. The processor 21 may be implemented by a dedicated processing chip, processing circuitry, a processor, or a general-purpose chip.
As another implementation manner, a device provided in this embodiment of the present application may be considered to be implemented by using a general-purpose computer. Program code that implements the functions of the processor 21, the input ports 23 and the output ports 24 is stored in the memory 22, and a general-purpose processor implements the functions of the processor 21, the input ports 23 and the output ports 24 by executing the code in the memory 22.
Each module or unit in the apparatus 20 may be configured to execute each action or processing procedure executed by a device (e.g., a terminal device) performing random access in the foregoing method, and a detailed description thereof is omitted here to avoid redundancy.
For the concepts, explanations, details and other steps related to the technical solutions provided in the embodiments of the present application related to the apparatus 20, please refer to the descriptions of the foregoing methods or other embodiments, which are not repeated herein.
It should be understood that, in the embodiments of the present application, the processor may be a central processing unit (CPU), and the processor may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The embodiment of the present application further provides a computer-readable storage medium, on which computer instructions for implementing the method executed by the authentication service function entity or the unified data management entity or the terminal device in the above method embodiments are stored.
For example, when being executed by a computer, the computer program enables the computer to implement the method performed by the authentication service function entity or the unified data management entity or the terminal device in the above method embodiments.
It will also be appreciated that the memory in the embodiments of the present application can be either volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the above embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or the computer program are loaded or executed on a computer, the procedures or functions according to the embodiments of the present application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center in a wired or wireless manner (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that contains one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" herein merely describes an association relationship between associated objects and means that three relationships may exist; for example, A and/or B may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. In addition, the character "/" herein generally indicates that the former and latter associated objects are in an "or" relationship.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (33)
1. A method for secure communication suitable for a scenario in which a terminal device accesses a network by non-seamless wireless local area network offload (NSWO), the method comprising:
the unified data management entity receives indication information from the authentication service function entity;
and the unified data management entity selects, according to the indication information, extensible authentication protocol-authentication and key agreement EAP-AKA' from at least two authentication methods for authentication with the terminal device.
2. The method of claim 1,
wherein the indication information is a subscription concealed identifier SUCI in network access identifier (NAI) format, or a field in the subscription concealed identifier SUCI.
3. The method of claim 1, wherein the indication information comprises any one or more of: the identifier of the authentication service function entity, the identifier of the network where the terminal device is located, access technology type indication information, or access method indication information, where the access technology type indication information is used to indicate the type of the access network, and the access method indication information is used to indicate the characteristics of the access technology used by the terminal device.
4. The method according to any one of claims 1 to 3, further comprising:
the unified data management entity stores information identifying that the terminal device accesses the network by non-seamless wireless local area network offload NSWO;
or, the unified data management entity stores information identifying that the terminal device accesses the network by NSWO, and an identifier of the authentication service function entity.
5. The method according to claim 4, characterized in that the information that the terminal device accesses the network by non-seamless wireless local area network offload NSWO is used in the extensible authentication protocol EAP re-authentication procedure.
6. A method for secure communication, comprising:
a terminal device receives a message from a wireless access point;
the terminal device generates indication information according to the message, where the indication information indicates that the terminal device is in a non-seamless wireless local area network offload (NSWO) scenario; and
the terminal device sends the indication information.
7. The method according to claim 6, further comprising:
the terminal device determines, according to the message, to access the network in the NSWO manner.
8. The method according to claim 6 or 7, wherein
the indication information is a subscription concealed identifier (SUCI) in Network Access Identifier (NAI) format, or a field in the SUCI.
9. The method according to any one of claims 6 to 8, further comprising:
the terminal device generates a master session key, where the master session key is used to generate a key for communication between the terminal device and a network, the network being one that the terminal device accesses in the NSWO manner.
10. The method according to any one of claims 6 to 9, wherein the terminal device sending the indication information comprises:
the terminal device sends the indication information to a unified data management entity, an authentication service function entity, or the wireless access point.
11. A method for secure communication, applicable to a scenario in which a terminal device accesses a network by using non-seamless wireless local area network offload (NSWO), the method comprising:
an authentication service function entity receives a message from a wireless access point;
the authentication service function entity generates indication information according to the message, where the indication information is used to instruct a unified data management entity to select extensible authentication protocol-authentication and key agreement (EAP-AKA') to authenticate with the terminal device; and
the authentication service function entity sends the indication information to the unified data management entity.
12. The method according to claim 11, wherein
the indication information comprises any one or more of: an identifier of the authentication service function entity, an identifier of the network in which the terminal device is located, access type indication information, or access method indication information, where the access type indication information indicates the type of the access network, and the access method indication information indicates the characteristics of the access technology used by the terminal device.
13. The method according to claim 11 or 12, further comprising:
the authentication service function entity determines, according to the message, that the terminal device accesses the network in the NSWO manner.
14. The method according to any one of claims 11 to 13, further comprising:
the authentication service function entity generates a master session key, where the master session key is used to generate a key for communication between the terminal device and the network; and
the authentication service function entity sends the master session key to the wireless access point.
15. An apparatus for secure communication, applicable to a scenario in which a terminal device accesses a network by using non-seamless wireless local area network offload (NSWO), the apparatus comprising:
a transceiver module, configured to receive indication information from an authentication service function entity; and
a processing module, configured to select, according to the indication information, extensible authentication protocol-authentication and key agreement (EAP-AKA') from at least two authentication methods to authenticate with the terminal device.
16. The apparatus according to claim 15, wherein
the indication information is a subscription concealed identifier (SUCI) in Network Access Identifier (NAI) format, or a field in the SUCI.
17. The apparatus according to claim 15, wherein the indication information comprises any one or more of: an identifier of the authentication service function entity, an identifier of the network in which the terminal device is located, access type indication information, or access method indication information, where the access type indication information indicates the type of the access network, and the access method indication information indicates the characteristics of the access technology used by the terminal device.
18. The apparatus according to any one of claims 15 to 17, wherein
the processing module is further configured to store information identifying that the terminal device accesses the network by means of non-seamless wireless local area network offload (NSWO);
or, the processing module is further configured to store information identifying that the terminal device accesses the network in the NSWO manner, together with an identifier of the authentication service function entity.
19. The apparatus according to claim 18, wherein the information identifying that the terminal device accesses the network by means of non-seamless wireless local area network offload (NSWO) is used in an extensible authentication protocol (EAP) re-authentication procedure.
20. An apparatus for secure communication, comprising:
a transceiver module, configured to receive a message from a wireless access point; and
a processing module, configured to generate indication information according to the message, where the indication information indicates that the terminal device is in a non-seamless wireless local area network offload (NSWO) scenario;
the transceiver module is further configured to send the indication information.
21. The apparatus according to claim 20, wherein
the processing module is further configured to determine, according to the message, to access a network in the NSWO manner.
22. The apparatus according to claim 20 or 21, wherein
the indication information is a subscription concealed identifier (SUCI) in Network Access Identifier (NAI) format, or a field in the SUCI.
23. The apparatus according to any one of claims 20 to 22, wherein
the processing module is further configured to generate a master session key, where the master session key is used to generate a key for communication between the terminal device and a network, the network being one that the terminal device accesses in the NSWO manner.
24. The apparatus according to any one of claims 21 to 23, wherein
the transceiver module is specifically configured to send the indication information to a unified data management entity, an authentication service function entity, or the wireless access point.
25. An apparatus for secure communication, applicable to a scenario in which a terminal device accesses a network by using non-seamless wireless local area network offload (NSWO), the apparatus comprising:
a transceiver module, configured to receive a message from a wireless access point; and
a processing module, configured to generate indication information according to the message, where the indication information is used to instruct a unified data management entity to select extensible authentication protocol-authentication and key agreement (EAP-AKA') to authenticate with the terminal device;
the transceiver module is further configured to send the indication information to the unified data management entity.
26. The apparatus according to claim 25, wherein
the indication information comprises any one or more of: an identifier of the authentication service function entity, an identifier of the network in which the terminal device is located, access type indication information, or access method indication information, where the access type indication information indicates the type of the access network, and the access method indication information indicates the characteristics of the access technology used by the terminal device.
27. The apparatus according to claim 25 or 26, wherein
the processing module is further configured to determine, according to the message, that the terminal device accesses the network in the NSWO manner.
28. The apparatus according to any one of claims 25 to 27, wherein
the processing module is further configured to generate a master session key, where the master session key is used to generate a key for communication between the terminal device and the network; and
the transceiver module is further configured to send the master session key to the wireless access point.
29. A communication apparatus, comprising:
a processor and a memory;
the memory is configured to store a computer program; and
the processor is configured to execute the computer program stored in the memory, so that the communication apparatus performs the communication method of any one of claims 1 to 5, or the communication method of any one of claims 6 to 10, or the communication method of any one of claims 11 to 14.
30. A computer-readable storage medium, having stored thereon a computer program which, when run on a computer, causes the computer to perform the communication method of any one of claims 1 to 5, or the communication method of any one of claims 6 to 10, or the communication method of any one of claims 11 to 14.
31. A chip system, comprising: a processor configured to call and run a computer program from a memory, so that a communication device on which the chip system is installed performs the communication method of any one of claims 1 to 5, or the communication method of any one of claims 6 to 10, or the communication method of any one of claims 11 to 14.
32. A system for secure communication, comprising any of:
a terminal device, configured to receive a message 01 from a wireless access point; the terminal device is further configured to generate indication information 01 according to the message 01, where the indication information 01 indicates that the terminal device is in a non-seamless wireless local area network offload (NSWO) scenario; and the terminal device is further configured to send the indication information 01 to an authentication service function entity;
the authentication service function entity, configured to receive the indication information 01; the authentication service function entity is further configured to send indication information 02 to a unified data management entity, where the indication information 02 is used to instruct the selection of EAP-AKA' for authentication with the terminal device; and
the unified data management entity, configured to select, according to the indication information 02, EAP-AKA' from at least two authentication methods to authenticate with the terminal device.
33. A system for secure communication, comprising:
an authentication service function entity, configured to receive a message 02; the authentication service function entity is further configured to generate indication information 02 according to the message 02, where the indication information 02 is used to instruct a unified data management entity to select extensible authentication protocol-authentication and key agreement (EAP-AKA') for authentication with the terminal device; and the authentication service function entity is further configured to send the indication information 02 to the unified data management entity; and
the unified data management entity, configured to select, according to the indication information 02, EAP-AKA' from at least two authentication methods to authenticate with the terminal device.
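The claims describe the UDM-side decision in words only: the UDM receives indication information from the AUSF (an NAI-format SUCI or one of its fields, an AUSF identifier, an access type or access method indicator), and when that information marks the access as NSWO it selects EAP-AKA' out of at least two candidate methods, optionally recording the NSWO access and the AUSF identifier for later EAP re-authentication (claims 1 to 5, 11 to 12). The following Python model is an added illustration and is not code from the patent, from the applicant, or from any 3GPP specification. The NAI-format SUCI shape (`type…rid…schid…@realm`) follows the general layout of TS 23.003, but the realm label `nswo`, the AUSF identifiers `ausf-nswo-*`, the access-method value `nswo`, and the sample SUCIs are all constructed assumptions; a real deployment would take these from the operator's configuration and the relevant specifications.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

EAP_AKA_PRIME = "EAP-AKA'"
FIVE_G_AKA = "5G-AKA"

# ASSUMPTION: realm label that marks NSWO access. The claims only say the NAI-format SUCI
# (or a field of it) may serve as the indication; the concrete label is constructed here.
NSWO_REALM_LABEL = "nswo"

# ASSUMPTION: AUSF instances dedicated to NSWO, so their identifier alone is an indication.
NSWO_AUSF_IDS = {"ausf-nswo-1", "ausf-nswo-2"}

# NAI-format SUCI layout (type.rid.schid... @ realm); only the parts needed here are captured.
NAI_SUCI_RE = re.compile(
    r"^type(?P<supi_type>\d)\.rid(?P<rid>\d+)\.schid(?P<schid>\d)\.(?P<rest>[^@]+)@(?P<realm>[^@\s]+)$"
)

# Constructed sample SUCIs (hnkey/ecckey/cip/mac values are placeholders, not real ciphertext).
NSWO_SUCI = "type0.rid678.schid1.hnkey27.ecckey0A.cip1F.macAB@nswo.mnc015.mcc234.3gppnetwork.org"
PLAIN_SUCI = "type0.rid678.schid1.hnkey27.ecckey0A.cip1F.macAB@5gc.mnc015.mcc234.3gppnetwork.org"


@dataclass(frozen=True)
class Indication:
    """Indication information the UDM receives from the AUSF (claims 1, 3, 11, 12)."""
    suci: Optional[str] = None            # SUCI in NAI format (claim 2)
    ausf_id: Optional[str] = None         # identifier of the AUSF (claim 3)
    serving_network: Optional[str] = None # identifier of the network the device is in (claim 3)
    access_type: Optional[str] = None     # type of the access network (claim 3)
    access_method: Optional[str] = None   # characteristics of the access technology (claim 3)


def parse_nai_suci(suci: str) -> Optional[Dict[str, str]]:
    """Split an NAI-format SUCI into its labelled fields; None if the shape does not match."""
    m = NAI_SUCI_RE.match(suci)
    return m.groupdict() if m else None


def realm_indicates_nswo(realm: str) -> bool:
    # Match on whole dot-separated labels so "nswo" inside another label does not count.
    return NSWO_REALM_LABEL in realm.lower().split(".")


def is_nswo(ind: Indication) -> bool:
    """True when any carried field marks the access as NSWO (the alternatives of claim 3)."""
    if ind.access_method and ind.access_method.lower() == "nswo":
        return True
    if ind.ausf_id in NSWO_AUSF_IDS:
        return True
    if ind.suci:
        parsed = parse_nai_suci(ind.suci)
        if parsed and realm_indicates_nswo(parsed["realm"]):
            return True
    return False


def select_auth_method(ind: Indication, candidate_methods: Sequence[str], default: str) -> str:
    """UDM-side selection: EAP-AKA' whenever NSWO is indicated, else the subscription default.

    Selection is only meaningful among at least two methods (claim 1), and an NSWO access
    for which EAP-AKA' is not available is rejected rather than silently downgraded.
    """
    if len(candidate_methods) < 2:
        raise ValueError("selection needs at least two authentication methods")
    if is_nswo(ind):
        if EAP_AKA_PRIME not in candidate_methods:
            raise ValueError("NSWO access requires EAP-AKA' but it is not available")
        return EAP_AKA_PRIME
    if default not in candidate_methods:
        raise ValueError("default method not among candidates")
    return default


class NswoAccessStore:
    """Per-subscriber record of NSWO access plus the serving AUSF (claims 4 and 5)."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bool, Optional[str]]] = {}

    def record(self, subscriber_key: str, ind: Indication) -> None:
        self._records[subscriber_key] = (is_nswo(ind), ind.ausf_id)

    def reauth_context(self, subscriber_key: str) -> Optional[Tuple[bool, Optional[str]]]:
        """What an EAP re-authentication would consult: (accessed via NSWO?, AUSF identifier)."""
        return self._records.get(subscriber_key)


if __name__ == "__main__":
    methods = [FIVE_G_AKA, EAP_AKA_PRIME]
    for ind in (Indication(suci=NSWO_SUCI), Indication(suci=PLAIN_SUCI), Indication(ausf_id="ausf-nswo-2")):
        print(ind, "->", select_auth_method(ind, methods, FIVE_G_AKA))
```

The model keeps the three kinds of indication independent, so a UDM that receives only an AUSF identifier, only an access-method flag, or only the SUCI reaches the same decision; the store separates "was this an NSWO access" from "which AUSF served it" because claim 4 allows either record alone or both together.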
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP22852363.5A EP4369760A1 (en) | 2021-08-06 | 2022-08-05 | Secure communication method and apparatus |
MX2024001658A MX2024001658A (en) | 2021-08-06 | 2022-08-05 | Secure communication method and apparatus. |
CA3228224A CA3228224A1 (en) | 2021-08-06 | 2022-08-05 | Secure communication method and apparatus |
PCT/CN2022/110663 WO2023011652A1 (en) | 2021-08-06 | 2022-08-05 | Secure communication method and apparatus |
KR1020247007038A KR20240036111A (en) | 2021-08-06 | 2022-08-05 | Secure communication methods and devices |
US18/431,440 US20240179525A1 (en) | 2021-08-06 | 2024-02-02 | Secure communication method and apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110904250 | 2021-08-06 | ||
CN2021109042508 | 2021-08-06 |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115915126A (en) | 2023-04-04 |
Family
ID=86492031
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111073980.4A Pending CN115915126A (en) | 2021-08-06 | 2021-09-14 | Method and apparatus for secure communication |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115915126A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |