CN116097690A - Method and related device in generic bootstrapping architecture - Google Patents

Method and related device in generic bootstrapping architecture

Info

Publication number
CN116097690A
Authority
CN
China
Prior art keywords
identifier
network element
request message
terminal device
identity
Legal status
Pending
Application number
CN202080104200.5A
Other languages
Chinese (zh)
Inventor
邓娟
何承东
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Abstract

An embodiment of the application provides a method and a related device in a generic bootstrapping architecture. The method includes the following steps: a bootstrapping server function network element receives a first bootstrapping request message from a terminal device, where the first bootstrapping request message includes a first identifier of the terminal device, and the first identifier is generated from a second identifier of the terminal device and an identifier protection key IPK; the bootstrapping server function network element generates a first request message, where the first request message includes the first identifier or the second identifier; the bootstrapping server function network element sends the first request message to a home subscriber server network element; and the bootstrapping server function network element receives a first response message from the home subscriber server network element, where the first response message includes a first authentication vector of the terminal device. In this way, when the terminal device and the BSF in the network use GBA for authentication and key agreement, the privacy information of the terminal device is protected and communication security is improved.

Description

Method and related device in generic bootstrapping architecture
Technical Field
The present disclosure relates to the field of communications technologies, and in particular to a method and an apparatus in a generic bootstrapping architecture.
Background
The third generation partnership project (3rd Generation Partnership Project, 3GPP) provides a security mechanism by which a terminal device mutually authenticates with a bootstrapping server function (bootstrapping server function, BSF) in the network and generates keys for secure communication. The generic bootstrapping architecture (generic bootstrapping architecture, GBA) is the generic mechanism defined by 3GPP for mutual authentication and key agreement between the BSF in the network and the terminal device.
When the terminal device and the BSF in the network use GBA for authentication and key agreement, the privacy of the terminal device may be leaked. How to protect the privacy information of the terminal device and improve communication security in this case is therefore a technical problem to be solved by those skilled in the art.
Disclosure of Invention
An embodiment of the application discloses a method and a related device in a generic bootstrapping architecture, which can protect the privacy information of a terminal device.
A first aspect of the embodiments of the application discloses a method in a generic bootstrapping architecture, including the following steps:
a bootstrapping server function network element receives a first bootstrapping request message from a terminal device, where the first bootstrapping request message includes a first identifier of the terminal device, and the first identifier is generated from a second identifier of the terminal device and an identifier protection key IPK;
the bootstrapping server function network element generates a first request message, where the first request message includes the first identifier or the second identifier;
the bootstrapping server function network element sends the first request message to a home subscriber server network element;
the bootstrapping server function network element receives a first response message from the home subscriber server network element, where the first response message includes a first authentication vector of the terminal device.
In this method, the first bootstrapping request message that the bootstrapping server function network element receives from the terminal device carries the first identifier, which does not expose the privacy of the terminal device. In the prior art, by contrast, the first bootstrapping request message received by the bootstrapping server function network element carries the identifier information of the terminal device in plaintext, so the privacy information of the terminal device is leaked.
In a possible implementation, the first request message includes the second identifier, and before the bootstrapping server function network element generates the first request message, the method further includes: the bootstrapping server function network element decrypts the first identifier to obtain the second identifier.
In a possible implementation, the first response message includes the second identifier.
In a possible implementation, after the bootstrapping server function network element receives the first response message from the home subscriber server network element, the method further includes: the bootstrapping server function network element generates a fifth identifier of the terminal device from the second identifier, or from the second identifier and a character string identifying 5G.
In this method, the bootstrapping server function network element generates the fifth identifier and then sends it to the terminal device, so that when the terminal device initiates the bootstrapping request procedure again it can carry the fifth identifier instead of its plaintext identifier, which avoids privacy leakage and ensures communication security.
In a possible implementation, the method further includes: the bootstrapping server function network element sends the fifth identifier to the terminal device; and/or the bootstrapping server function network element receives a second bootstrapping request message from the terminal device, where the second bootstrapping request message includes the fifth identifier, and the bootstrapping server function network element determines the second identifier corresponding to the fifth identifier.
In this method, when the terminal device initiates the bootstrapping request procedure again, the bootstrapping server function network element receives the second bootstrapping request message carrying the fifth identifier and determines the second identifier from it. When the fifth identifier includes the character string identifying 5G, the bootstrapping server function network element can also quickly determine that the terminal device is a 5G terminal device, or quickly determine which GBA authentication and negotiation mechanism applies, which saves time.
In a possible implementation, the method further includes: the bootstrapping server function network element receives first indication information, where the first indication information instructs the bootstrapping server function network element to generate the fifth identifier. The bootstrapping server function network element receives the first indication information in one of the following ways: the bootstrapping server function network element receives the first response message from the home subscriber server network element, where the first response message includes the first indication information; or the bootstrapping server function network element receives the first bootstrapping request message from the terminal device, where the first bootstrapping request message includes the first indication information.
In this method, because the first indication information that instructs the bootstrapping server function network element to generate the fifth identifier is carried in the first response message or in the first bootstrapping request message, the fifth identifier is generated only when requested, and resources are used more reasonably.
In a possible implementation, the method further includes: the bootstrapping server function network element generates first bootstrapping transaction identification information from the character string identifying 5G, where the first bootstrapping transaction identification information identifies the bootstrapping transaction between the terminal device and the bootstrapping server function network element.
In a possible implementation, after the bootstrapping server function network element generates the first bootstrapping transaction identification information from the character string identifying 5G, the method further includes: the bootstrapping server function network element sends the first bootstrapping transaction identification information to the terminal device.
A second aspect of the embodiments of the application discloses a method in a generic bootstrapping architecture, including:
a home subscriber server network element receives a first request message from a bootstrapping server function network element, where the first request message includes a first identifier of a terminal device or a second identifier of the terminal device, and the first identifier is generated from the second identifier of the terminal device and an identifier protection key IPK;
the home subscriber server network element obtains a first authentication vector of the terminal device according to the first identifier or the second identifier;
the home subscriber server network element sends a first response message to the bootstrapping server function network element, where the first response message includes the first authentication vector.
In this method, the home subscriber server network element receives the first request message from the bootstrapping server function network element, where the first request message includes the first identifier or the second identifier of the terminal device. When the first request message includes the first identifier, the privacy of the terminal device is not leaked on this interface either, which improves communication security.
In a possible implementation, the home subscriber server network element obtaining the first authentication vector of the terminal device according to the first identifier or the second identifier includes: the home subscriber server network element sends a second request message to a unified data management network element, where the second request message includes the first identifier or the second identifier, so that the unified data management network element generates the first authentication vector of the terminal device according to the first identifier or the second identifier; and the home subscriber server network element receives a second response message from the unified data management network element, where the second response message includes the first authentication vector.
In a possible implementation, the second response message includes the second identifier.
In a possible implementation, the first request message includes the second identifier, and the home subscriber server network element obtaining the first authentication vector of the terminal device according to the second identifier includes: the home subscriber server network element generates the first authentication vector of the terminal device according to the second identifier.
In a possible implementation, the first request message includes the first identifier, and the home subscriber server network element obtaining the first authentication vector of the terminal device according to the first identifier includes: the home subscriber server network element decrypts the first identifier to obtain the second identifier, and generates the first authentication vector of the terminal device according to the second identifier.
In a possible implementation, the home subscriber server network element obtaining the first authentication vector of the terminal device according to the first identifier or the second identifier includes: the home subscriber server network element decrypts the first identifier to obtain the second identifier, and sends a second request message to the unified data management network element, where the second request message includes the second identifier, so that the unified data management network element generates the first authentication vector of the terminal device according to the second identifier.
In a possible implementation, the first response message includes the second identifier; and/or the first response message includes first indication information, where the first indication information instructs the bootstrapping server function network element to generate a fifth identifier of the terminal device, and the fifth identifier is generated from the second identifier, or from the second identifier and a character string identifying 5G.
In this method, the first response message carries the first indication information that instructs the bootstrapping server function network element to generate the fifth identifier, so the fifth identifier is generated only when requested and resources are used more reasonably.
A third aspect of the embodiments of the application discloses a method in a generic bootstrapping architecture, including:
a terminal device generates a first bootstrapping request message, where the first bootstrapping request message includes a first identifier of the terminal device, and the first identifier is generated from a second identifier of the terminal device and an identifier protection key IPK;
the terminal device sends the first bootstrapping request message to a bootstrapping server function network element;
the terminal device receives a bootstrapping response message from the bootstrapping server function network element, where the bootstrapping response message requests the terminal device to perform authentication;
the terminal device obtains first bootstrapping transaction identification information and/or a fifth identifier of the terminal device, where the first bootstrapping transaction identification information identifies the bootstrapping transaction between the terminal device and the bootstrapping server function network element, and the fifth identifier is generated from the second identifier, or from the second identifier and a character string identifying 5G.
In this method, the first bootstrapping request message that the terminal device sends to the bootstrapping server function network element carries the first identifier, which does not expose the privacy of the terminal device. In the prior art, by contrast, the first bootstrapping request message sent by the terminal device carries its identifier information in plaintext, so the privacy information of the terminal device is leaked.
In a possible implementation, the terminal device obtaining the first bootstrapping transaction identification information and/or the fifth identifier of the terminal device includes: the terminal device receives the first bootstrapping transaction identification information and/or the fifth identifier of the terminal device from the bootstrapping server function network element.
In a possible implementation, the terminal device obtaining the first bootstrapping transaction identification information and/or the fifth identifier of the terminal device includes: the terminal device generates the first bootstrapping transaction identification information and/or the fifth identifier of the terminal device from the character string identifying 5G.
In this method, the fifth identifier is generated by the terminal device itself. When the terminal device initiates the bootstrapping request procedure again, carrying the fifth identifier rather than its plaintext identifier information avoids privacy leakage and ensures communication security.
In a possible implementation, after the terminal device obtains the fifth identifier of the terminal device, the method further includes: the terminal device sends a second bootstrapping request message to the bootstrapping server function network element, where the second bootstrapping request message includes the fifth identifier.
In a possible implementation, the first bootstrapping request message includes first indication information, where the first indication information instructs the bootstrapping server function network element to generate the fifth identifier of the terminal device.
In this method, the first indication information that instructs the bootstrapping server function network element to generate the fifth identifier is carried in the first bootstrapping request message, so the fifth identifier is generated only when requested and resources are used more reasonably.
In a possible implementation, after the terminal device obtains the first bootstrapping transaction identification information, the method further includes: the terminal device sends an application request message to a network application function network element, where the application request message includes the first bootstrapping transaction identification information.
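The first, second and third aspects above describe one exchange from the BSF, HSS and terminal-device sides. The Python model below is an added example written for this page; it is not code from the patent, from Huawei or from any 3GPP implementation. Several points the text leaves open are assumptions here: the IPK is a symmetric key shared by the terminal device and the BSF (so the BSF, not the HSS, decrypts the first identifier, and the first request to the HSS carries the second identifier); the first identifier is built with an encrypt-then-MAC construction driven by HMAC-SHA256, standing in for whatever cipher a deployment would choose; the authentication vector is reduced to RAND and XRES; the fifth identifier is a keyed pseudonym prefixed with the string "5G" and refreshed at every bootstrapping; and the B-TID carries the same "5G" prefix. The SUPI value, the subscriber key K and the IPK are all constructed.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (a, b+c) and (a+b, c) never collide."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()

def keystream(ipk: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(prf(ipk, b"enc", nonce, i.to_bytes(4, "big")) for i in range(blocks))[:length]

def conceal(ipk: bytes, second_identifier: str) -> bytes:
    """First identifier = nonce || ciphertext || tag, computed from the second identifier and IPK."""
    plaintext = second_identifier.encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(ipk, nonce, len(plaintext))))
    return nonce + ciphertext + prf(ipk, b"mac", nonce, ciphertext)[:16]

def reveal(ipk: bytes, first_identifier: bytes) -> str:
    """Recover the second identifier; reject a first identifier whose tag does not verify."""
    nonce, ciphertext, tag = first_identifier[:16], first_identifier[16:-16], first_identifier[-16:]
    if len(first_identifier) < 32 or not hmac.compare_digest(tag, prf(ipk, b"mac", nonce, ciphertext)[:16]):
        raise ValueError("first identifier rejected: integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(ipk, nonce, len(ciphertext)))).decode()

class HSS:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # second identifier -> long-term key K (constructed)

    def first_request(self, second_identifier: str) -> dict:
        # First response: authentication vector (reduced to RAND/XRES), the second identifier,
        # and first indication information asking the BSF to issue a fifth identifier.
        rand = secrets.token_bytes(16)
        xres = prf(self.subscribers[second_identifier], b"res", rand)[:8]
        return {"second_identifier": second_identifier, "RAND": rand, "XRES": xres,
                "generate_fifth_identifier": True}

class BSF:
    def __init__(self, hss: HSS, ipk: bytes, domain: str = "bsf.example.net"):
        self.hss, self.ipk, self.domain = hss, ipk, domain
        self.pseudonym_key = secrets.token_bytes(32)  # assumption: BSF-local key for fifth identifiers
        self.pseudonyms = {}  # fifth identifier -> second identifier
        self.sessions = {}    # B-TID -> (second identifier, XRES)

    def bootstrapping_request(self, msg: dict) -> dict:
        ident = msg["identifier"]
        if ident in self.pseudonyms:  # second bootstrapping request: carries a fifth identifier
            second_identifier = self.pseudonyms[ident]
        else:                         # first bootstrapping request: carries the first identifier
            second_identifier = reveal(self.ipk, bytes.fromhex(ident))
        resp = self.hss.first_request(second_identifier)  # first request carries the second identifier
        rand = resp["RAND"]
        btid = f"5G-{rand.hex()}@{self.domain}"  # assumption: "5G" prefixed to the usual B-TID form
        fifth = None
        if msg.get("generate_fifth_identifier") or resp.get("generate_fifth_identifier"):
            fifth = "5G-" + prf(self.pseudonym_key, b"pseudonym", second_identifier.encode(), rand).hex()[:32]
            self.pseudonyms[fifth] = second_identifier
        self.sessions[btid] = (second_identifier, resp["XRES"])
        return {"RAND": rand, "B-TID": btid, "fifth_identifier": fifth}  # bootstrapping response

    def authenticate(self, btid: str, res: bytes) -> bool:
        return hmac.compare_digest(res, self.sessions[btid][1])

class UE:
    def __init__(self, second_identifier: str, k: bytes, ipk: bytes):
        self.second_identifier, self.k, self.ipk = second_identifier, k, ipk
        self.fifth_identifier = None

    def bootstrapping_request(self) -> dict:
        # Carry the fifth identifier if one was issued, otherwise conceal the second identifier.
        ident = self.fifth_identifier or conceal(self.ipk, self.second_identifier).hex()
        return {"identifier": ident, "generate_fifth_identifier": True}  # first indication information

    def respond(self, resp: dict) -> bytes:
        self.fifth_identifier = resp["fifth_identifier"] or self.fifth_identifier
        return prf(self.k, b"res", resp["RAND"])[:8]

SUPI = "imsi-460001234567890"  # constructed second identifier; must never appear on the wire

def run_flow(rounds: int = 2):
    ipk, k = secrets.token_bytes(32), secrets.token_bytes(16)
    ue, bsf = UE(SUPI, k, ipk), BSF(HSS({SUPI: k}), ipk)
    transcript, outcomes = [], []
    for _ in range(rounds):
        req = ue.bootstrapping_request()
        resp = bsf.bootstrapping_request(req)
        transcript += [req, resp]
        outcomes.append(bsf.authenticate(resp["B-TID"], ue.respond(resp)))
    return transcript, outcomes

def leaks_plaintext_identifier(transcript: list, second_identifier: str) -> bool:
    # True if any message between the terminal device and the BSF contains the plaintext identifier.
    return any(second_identifier in str(v) for msg in transcript for v in msg.values())
```

run_flow() executes two bootstrapping rounds: the first request carries the concealed first identifier, the second carries the fifth identifier handed out in round one, and leaks_plaintext_identifier() confirms that no message between the terminal device and the BSF ever contains the SUPI. Refreshing the pseudonym at every bootstrapping is a design choice the patent does not mandate; a fixed pseudonym would still hide the SUPI but would let an observer link a device's successive bootstrapping requests. The tag check in reveal() matters too: without it, a BSF would happily decrypt a bit-flipped first identifier into some other subscriber's identifier before asking the HSS for that subscriber's authentication vector.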
A fourth aspect of the embodiments of the application discloses an apparatus in a generic bootstrapping architecture, including:
a receiving unit, configured to receive a first bootstrapping request message from a terminal device, where the first bootstrapping request message includes a first identifier of the terminal device, and the first identifier is generated from a second identifier of the terminal device and an identifier protection key IPK;
a processing unit, configured to generate a first request message, where the first request message includes the first identifier or the second identifier;
a sending unit, configured to send the first request message to a home subscriber server network element;
where the receiving unit is further configured to receive a first response message from the home subscriber server network element, and the first response message includes a first authentication vector of the terminal device.
The receiving unit and the sending unit perform the receiving and sending operations of the first aspect, and the processing unit performs the other operations.
A fifth aspect of the embodiments of the application discloses an apparatus in a generic bootstrapping architecture, including:
a receiving unit, configured to receive a first request message from a bootstrapping server function network element, where the first request message includes a first identifier of a terminal device or a second identifier of the terminal device, and the first identifier is generated from the second identifier of the terminal device and an identifier protection key IPK;
a processing unit, configured to obtain a first authentication vector of the terminal device according to the first identifier or the second identifier; and
a sending unit, configured to send a first response message to the bootstrapping server function network element, where the first response message includes the first authentication vector.
The receiving unit and the sending unit perform the receiving and sending operations of the second aspect, and the processing unit performs the other operations.
A sixth aspect of the embodiments of the application discloses an apparatus in a generic bootstrapping architecture, including:
a processing unit, configured to generate a first bootstrapping request message, where the first bootstrapping request message includes a first identifier of the apparatus, and the first identifier is generated from a second identifier of the apparatus and an identifier protection key IPK;
a sending unit, configured to send the first bootstrapping request message to a bootstrapping server function network element;
a receiving unit, configured to receive a bootstrapping response message from the bootstrapping server function network element, where the bootstrapping response message requests the apparatus to perform authentication;
where the processing unit is further configured to obtain first bootstrapping transaction identification information and/or a fifth identifier of the apparatus, the first bootstrapping transaction identification information identifies the bootstrapping transaction between the apparatus and the bootstrapping server function network element, and the fifth identifier is generated from the second identifier, or from the second identifier and a character string identifying 5G.
The receiving unit and the sending unit perform the receiving and sending operations of the third aspect, and the processing unit performs the other operations.
A seventh aspect of the embodiments of the application discloses an apparatus in a generic bootstrapping architecture, including at least one processor, a memory and a transceiver, where the at least one processor is configured to communicate with other apparatuses through the transceiver, the memory is configured to store a computer program, and the processor is configured to invoke the computer program to perform the following operations:
receiving, through the transceiver, a first bootstrapping request message from a terminal device, where the first bootstrapping request message includes a first identifier of the terminal device, and the first identifier is generated from a second identifier of the terminal device and an identifier protection key IPK;
generating a first request message, where the first request message includes the first identifier or the second identifier;
sending the first request message to a home subscriber server network element through the transceiver; and
receiving, through the transceiver, a first response message from the home subscriber server network element, where the first response message includes a first authentication vector of the terminal device.
The transceiver performs the receiving and sending operations of the first aspect, and the processor performs the other operations.
An eighth aspect of the embodiments of the application discloses an apparatus in a generic bootstrapping architecture, including at least one processor, a memory and a transceiver, where the at least one processor is configured to communicate with other apparatuses through the transceiver, the memory is configured to store a computer program, and the processor is configured to invoke the computer program to perform the following operations:
receiving, through the transceiver, a first request message from a bootstrapping server function network element, where the first request message includes a first identifier of a terminal device or a second identifier of the terminal device, and the first identifier is generated from the second identifier of the terminal device and an identifier protection key IPK;
obtaining a first authentication vector of the terminal device according to the first identifier or the second identifier; and
sending a first response message to the bootstrapping server function network element through the transceiver, where the first response message includes the first authentication vector.
The transceiver performs the receiving and sending operations of the second aspect, and the processor performs the other operations.
A ninth aspect of the embodiments of the application discloses an apparatus in a generic bootstrapping architecture, including at least one processor, a memory and a transceiver, where the at least one processor is configured to communicate with other apparatuses through the transceiver, the memory is configured to store a computer program, and the processor is configured to invoke the computer program to perform the following operations:
generating a first bootstrapping request message, where the first bootstrapping request message includes a first identifier of the apparatus, and the first identifier is generated from a second identifier of the apparatus and an identifier protection key IPK;
sending the first bootstrapping request message to a bootstrapping server function network element through the transceiver;
receiving, through the transceiver, a bootstrapping response message from the bootstrapping server function network element, where the bootstrapping response message requests the apparatus to perform authentication; and
obtaining first bootstrapping transaction identification information and/or a fifth identifier of the apparatus, where the first bootstrapping transaction identification information identifies the bootstrapping transaction between the apparatus and the bootstrapping server function network element, and the fifth identifier is generated from the second identifier, or from the second identifier and a character string identifying 5G.
The transceiver performs the receiving and sending operations of the third aspect, and the processor performs the other operations.
With reference to any one of the foregoing aspects or any possible implementation of any of them, in a possible implementation the second identifier is one of a subscription permanent identifier (SUPI) of the terminal device, an IP multimedia private identity (IMPI) of the terminal device, an international mobile subscriber identity (IMSI) of the terminal device, and a generic public subscription identifier (GPSI) of the terminal device.
A tenth aspect of the embodiments of the present application discloses a chip, where the chip includes at least one processor and an interface circuit, and optionally, the chip further includes a memory, where the memory, the interface circuit, and the at least one processor are interconnected by a line, and where the at least one memory stores a computer program; the computer program, when executed by the processor, implements the method described in any aspect or alternative of any aspect.
An eleventh aspect of the embodiments of the present application discloses a computer-readable storage medium storing a computer program that, when executed by a processor, implements the method described in any aspect or an alternative of any aspect.
A twelfth aspect of the embodiments of the present application discloses a computer program product for implementing the method described in any aspect or an alternative of any aspect when the computer program product is run on a processor.
Drawings
Fig. 1 is a schematic diagram of a GBA provided in an embodiment of the present application;
Fig. 2 is a schematic flowchart of a bootstrapping request procedure provided in an embodiment of the present application;
Fig. 3 is a schematic diagram of authentication vector generation according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a service access procedure provided in an embodiment of the present application;
Fig. 5 is a flowchart of a method in a generic bootstrapping architecture provided in an embodiment of the present application;
Fig. 6 is a flowchart of another method in a generic bootstrapping architecture provided in an embodiment of the present application;
Fig. 7 is a flowchart of another method in a generic bootstrapping architecture provided in an embodiment of the present application;
Fig. 8 is a flowchart of another method in a generic bootstrapping architecture provided in an embodiment of the present application;
Fig. 9 is a flowchart of another method in a generic bootstrapping architecture provided in an embodiment of the present application;
Fig. 10 is a flowchart of another method in a generic bootstrapping architecture provided in an embodiment of the present application;
FIG. 11 is a schematic diagram of a device in a generic bootstrapping architecture according to an embodiment of the present application;
FIG. 12 is a schematic diagram of a device in a generic bootstrapping architecture according to an embodiment of the present application;
FIG. 13 is a schematic diagram of a device in a generic bootstrapping architecture according to an embodiment of the present application;
FIG. 14 is a schematic diagram of a device in a generic bootstrapping architecture according to an embodiment of the present application;
FIG. 15 is a schematic structural diagram of a device in a generic bootstrapping architecture according to an embodiment of the present application;
fig. 16 is a schematic structural diagram of a device in a generic bootstrapping architecture according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described below with reference to the accompanying drawings in the embodiments of the present application.
A security mechanism is provided in the third generation partnership project (3rd Generation Partnership Project,3GPP) for the terminal device to mutually authenticate with a bootstrapping server function (bootstrapping server function, BSF) in the network and to generate keys for secure communication. The generic bootstrapping architecture (generic bootstrapping architecture, GBA) is a generic mechanism defined by 3GPP for mutual authentication and key agreement established by the BSF in the network and the terminal device. As shown in fig. 1, fig. 1 shows a schematic view of GBA. The specific functions of each logical entity in the GBA architecture are as follows:
(1) Boot server function (bootstrapping server function, BSF): which may be referred to as a bootstrapping server function network element, the BSF functions as a bootstrapping service, at the home network of the user. The BSF obtains the user security settings and authentication vectors of the GBA from the home subscriber server (home subscriber server, HSS) and completes authentication of the terminal device, establishing a shared key (Ks). The BSF generates a NAF specific key (network application function specific key, NSK) from the Ks and provides the NSK to the network application function (network application function, NAF).
(2) Network application function (network application function, NAF), which may be referred to as a network application function network element: after the NAF receives the application request of the terminal equipment, it needs to obtain the NAF specific key NSK from the BSF. The BSF uses the NAF specific key NSK to secure communications with the terminal equipment.
(3) HSS, which may be referred to as an HSS network element: all user security settings, user keys, user subscription data, etc. are stored in the HSS, and the HSS supports returning authentication vectors to the BSF.
(4) Terminal equipment: the terminal device needs to support authentication and key agreement protocol (authentication and key agreement, AKA) and digest authentication protocol (digest authentication) of the third generation mobile communication network, and can perform mutual authentication with the bootstrapping service function, and generate a shared key Ks, so as to generate a specific key NSK according to the shared key Ks. The terminal device uses the specific key NSK to secure communication with the BSF.
(5) Subscriber location function (subscriber location function, SLF), which may be referred to as a subscriber location function network element: used to query the HSS of the subscriber; it is an optional functional unit.
The GBA procedure generally includes two steps: (1) executing the bootstrapping request procedure, in which mutual authentication between the BSF and the terminal equipment is achieved through the AKA protocol, and the terminal equipment and the BSF establish a shared key Ks after successful authentication; (2) executing the service access procedure, in which communication between the terminal equipment and the NAF is protected by the NSK. The bootstrapping request procedure is described in detail below, as shown in FIG. 2. When the terminal device wishes to interact with the NAF and determines that bootstrapping is required, the terminal device initiates the bootstrapping request procedure. Alternatively, the terminal device initiates the bootstrapping request procedure when it receives bootstrapping indication information sent by the NAF or when the key lifetime in the terminal device has expired. The bootstrapping request procedure is specifically as follows:
step 1: the terminal device sends a bootstrap request message (Bootstrapping Request) to the BSF. When there is a temporary internet protocol multimedia private identity (temporary internet protocol multimedia private identity, TMPI) in the terminal device, then the bootstrap request message carries the TMPI; if there is no TMPI in the terminal device, the bootstrap request message carries an Internet protocol multimedia private identity (internet protocol multimedia private identity, IMPI).
Step 2: after receiving the guiding request message (Bootstrapping Request) carrying the TMPI from the terminal device, the BSF queries the IMPI corresponding to the TMPI from the local database, and if the BSF cannot find the corresponding IMPI, the BSF sends an error message to the terminal device, and correspondingly, the terminal device resends the guiding request message (Bootstrapping Request) after receiving the error message, where the guiding request message carries the IMPI.
Step 3: the BSF sends an authentication vector request message to the HSS or home location register (home location register, HLR), which carries the IMPI or IMSI. Optionally, the authentication vector request message carries a GBA user security settings (user security setting, USS) timestamp.
Step 4: the HSS/HLR generates an authentication vector (authentication vector, AV). AV includes = rand|autn|xres|ck|ik, where RAND is a random number, AUTN is an authentication token (authentication token, AUTN), XRES is an eXpected response (expeted)response, XRES), CK is an intermediate encryption key, IK is an intermediate integrity key, ||denotes a concatenation operation. Where AV is generated as shown in fig. 3, CK, IK, and expected response XRES are all generated based on the long-term key K and random number RAND of the terminal device.
Figure PCTCN2020107992-APPB-000001
Wherein AMF is authentication management domain, SQN is serial number, terminal device and HSS both store SQN, AK is anonymous key, MAC is message authentication code,
Figure PCTCN2020107992-APPB-000002
representing an exclusive-or operation, wherein the MAC is generated based on the SQN, K and AMF and the random number RAND. The HSS/HLR sends the authentication vector AV to the BSF. If the HSS receives the GBA USS time stamp, the HSS compares the GBA USS time stamp with the locally stored time stamp, and if the two time stamps are different, the HSS sends the GBA USS to the BSF.
Step 5: the BSF sends the random number RAND and the authentication token AUTN to the terminal device.
Step 6: the terminal equipment calculates CK and IK according to the received RAND and the locally stored long-term key by adopting the same method as the HSS, and generates response RES by adopting the same method as the HSS for calculating XRES; the terminal device verifies the AUTN to determine that the received RAND and authentication token AUTN are from a genuine network.
Step 7: and the terminal equipment sends the response information of the abstract AKA generated based on the RES to the BSF.
Step 8: the BSF verifies the digest AKA response information using the XRES received from the HSS/HLR. BSF generation sharing key ks=ck||ik. The BSF generates a bootstrapping transaction identification (B-TID) based on the random number RAND and the server name of the BSF, and generates TMPI if a product token (3 gpp-gba-TMPI) is included in the user agent request header information (user agent request-header field) in the message of the terminal device received by the BSF. (the terminal device always carries the product token "3gpp-gba-tmpi" in the user agent request header information in the message sent to the BSF when communicating with the BSF.
Step 9: the BSF sends a 200OK message to the terminal device, which carries the bootstrapping transaction identification (B-TID). The 200OK message is used to indicate that BSF authentication is successful.
Step 10: the terminal device may generate TMPI. If the user agent in the BSF message received by the terminal device requests that the header information include the product token "3gpp-gba-TMPI", the terminal device generates TMPI. (the BSF should always include the product token "3gpp-gba-tmpi" in the user agent request header information in the message sent to the terminal device when communicating with the terminal device. The terminal device and the BSF generate TMPI using the same parameters and methods. Step 11: after the terminal equipment has the TMPI locally, if the terminal equipment initiates the guiding request flow again, and sends a second guiding request message to the BSF, the second guiding request message bears the TMPI.
GBA includes two mechanisms: the UICC-based enhanced generic bootstrapping architecture (GBA_U) and the mobile-equipment-based generic bootstrapping architecture (GBA_ME). Under GBA_ME, all GBA-related functions are performed by the mobile equipment (ME) and the universal integrated circuit card (universal integrated circuit card, UICC) is not involved. Under GBA_U, all GBA-related functions are shared between the ME and the UICC, and the bootstrapping procedure described above applies equally to GBA_U with the following modifications. In step 5, the BSF decides to employ the GBA_U mechanism according to the GBA USS. The BSF derives MAC* from the message authentication code MAC in the received authentication vector AV:
MAC* = MAC ⊕ Trunc(SHA-1(IK))
where Trunc represents a truncation operation and SHA-1 is secure hash algorithm 1, and AUTN* is determined from MAC*:
AUTN* = (SQN ⊕ AK) || AMF || MAC*
The BSF then sends the random number RAND and AUTN* to the terminal device. Other secure hash methods may also be used to compute MAC*. In step 6, the ME receives the random number RAND and AUTN* and forwards them to the UICC; the UICC calculates CK and IK from RAND and the long-term key stored in the terminal device using the same method as the network side, generates the response RES using the same method the HSS uses to generate the expected response XRES, generates MAC*, verifies AUTN*, and sends RES to the ME.
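As an added illustration of steps 4 to 8 and of the GBA_U modification above (this code is not part of the patent), the following Go program builds AV = RAND || AUTN || XRES || CK || IK on the HSS side, verifies AUTN and derives RES, CK, IK and Ks = CK || IK on the terminal side, and derives MAC* and AUTN* for GBA_U. It assumes the 3GPP field sizes (48-bit SQN, 16-bit AMF, 64-bit MAC and RES, 48-bit AK, 128-bit CK and IK), uses HMAC-SHA256 as a constructed stand-in for the Milenage f1 to f5 functions, and takes Trunc as keeping the first 64 bits of the SHA-1 digest.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AV is the authentication vector of step 4: RAND || AUTN || XRES || CK || IK.
type AV struct {
	RAND, AUTN, XRES, CK, IK []byte
}

// prf is a constructed stand-in for the Milenage f1..f5 functions (not the 3GPP algorithm):
// HMAC-SHA256 keyed with the long-term key K, domain-separated by label, truncated to n bytes.
func prf(k []byte, label string, n int, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, k)
	m.Write([]byte(label))
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)[:n]
}

// xor returns a xor b for two equal-length byte slices (the ⊕ operation of the text).
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// GenerateAV is the HSS/HLR side of step 4. AUTN = (SQN xor AK) || AMF || MAC, where the
// MAC is computed over SQN, RAND and AMF under K; XRES, CK, IK and AK are derived from K and RAND.
func GenerateAV(k, sqn, amf, rnd []byte) AV {
	mac := prf(k, "f1", 8, sqn, rnd, amf)
	xres := prf(k, "f2", 8, rnd)
	ck := prf(k, "f3", 16, rnd)
	ik := prf(k, "f4", 16, rnd)
	ak := prf(k, "f5", 6, rnd)
	autn := append(append(xor(sqn, ak), amf...), mac...)
	return AV{RAND: rnd, AUTN: autn, XRES: xres, CK: ck, IK: ik}
}

// TerminalAuthenticate is step 6: recover SQN from AUTN with AK, recompute the MAC with the
// locally stored K, reject a bad MAC (RAND/AUTN not from the genuine network) or a non-fresh
// SQN (replay), and otherwise return RES, CK and IK computed exactly as the HSS did.
func TerminalAuthenticate(k, rnd, autn, lastSQN []byte) (res, ck, ik []byte, err error) {
	if len(autn) != 16 {
		return nil, nil, nil, fmt.Errorf("AUTN must be 16 bytes, got %d", len(autn))
	}
	ak := prf(k, "f5", 6, rnd)
	sqn := xor(autn[:6], ak)
	amf := autn[6:8]
	if !hmac.Equal(prf(k, "f1", 8, sqn, rnd, amf), autn[8:]) {
		return nil, nil, nil, fmt.Errorf("MAC mismatch: RAND/AUTN not from the genuine network")
	}
	if bytes.Compare(sqn, lastSQN) <= 0 {
		return nil, nil, nil, fmt.Errorf("SQN not fresh: possible replay")
	}
	return prf(k, "f2", 8, rnd), prf(k, "f3", 16, rnd), prf(k, "f4", 16, rnd), nil
}

// SharedKey is step 8: Ks = CK || IK.
func SharedKey(ck, ik []byte) []byte { return append(append([]byte{}, ck...), ik...) }

// GBAUAuthn is the GBA_U modification of step 5: MAC* = MAC xor Trunc(SHA-1(IK)) with Trunc
// keeping the first 64 bits, and AUTN* = (SQN xor AK) || AMF || MAC*. Only the UICC, which
// holds IK, can recompute MAC* and verify AUTN*; the ME alone cannot.
func GBAUAuthn(av AV) []byte {
	h := sha1.Sum(av.IK)
	macStar := xor(av.AUTN[8:], h[:8])
	return append(append([]byte{}, av.AUTN[:8]...), macStar...)
}

func main() {
	// Constructed sample values; they do not belong to any real subscription.
	k, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	rnd, _ := hex.DecodeString("23553cbe9637a89d218ae64dae47bf35")
	sqn := []byte{0, 0, 0, 0, 0, 0x2a}
	amf := []byte{0x80, 0x00}
	av := GenerateAV(k, sqn, amf, rnd)
	res, ck, ik, err := TerminalAuthenticate(k, av.RAND, av.AUTN, []byte{0, 0, 0, 0, 0, 0})
	fmt.Println("network verified:", err == nil, " RES == XRES:", bytes.Equal(res, av.XRES))
	fmt.Printf("Ks    = %x\n", SharedKey(ck, ik))
	fmt.Printf("AUTN  = %x\nAUTN* = %x\n", av.AUTN, GBAUAuthn(av))
}
```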
When the terminal device wishes to communicate with the NAF and has negotiated with the NAF to use the GBA mechanism, the terminal device communicates using the security association established by the bootstrapping request procedure, as shown in FIG. 4, which shows the execution of the service access procedure. The procedure comprises the following steps:
Step 1: The terminal equipment generates the NSK from the shared key Ks established in the bootstrapping request procedure. The terminal device sends an application request (Application Request) message to the NAF, carrying the bootstrapping transaction identifier (B-TID). The application request message is secured with the specific key NSK.
Step 2: Based on the received bootstrapping transaction identifier (B-TID), the NAF sends an authentication request (Authentication Request) message to the BSF, carrying the bootstrapping transaction identifier (B-TID) and the identifier of the NAF (NAF Id).
Step 3: The BSF finds the corresponding shared key Ks from the bootstrapping transaction identifier (B-TID), generates the specific key NSK and sends it to the NAF.
Step 4: The NAF sends an application response message to the terminal device, secured with the specific key NSK. In this way secure communication between the NAF and the terminal device is possible based on the specific key NSK.
Some of the terms in this application are explained below to facilitate understanding by those skilled in the art.
(1) An international mobile subscriber identity (international mobile subscriber identity, IMSI), used to identify the terminal equipment. The IMSI consists of a mobile country code (mobile country code, MCC), a mobile network code (mobile network code, MNC) and a mobile subscriber identification number (mobile subscription identification number, MSIN). The MCC is 3 digits long, the MNC is 2 or 3 digits long as determined by the MCC value, and the MSIN value is allocated by the operator. For example, for the IMSI 310150123456789, MCC is 310, MNC is 150 and MSIN is 123456789.
(2) An internet protocol multimedia private identity (internet protocol multimedia private identity, IMPI), used to identify the terminal device. The IMPI is derived from the IMSI. The format of the IMPI is "<IMSI>@ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org". For example, if the IMSI of a terminal device is 234150999999999 (i.e. MCC=234, MNC=15, MSIN=0999999999), the IMPI of the terminal device is 234150999999999@ims.mnc015.mcc234.3gppnetwork.org.
(3) A temporary internet protocol multimedia private identity (temporary internet protocol multimedia private identity, TMPI), used to identify the terminal device. It is generated by the terminal device and by the BSF, respectively. The TMPI is TEMP@tmpi.bsf.3gppnetwork.org, where the parameters for generating TEMP include: the character "gba-me", the random number RAND, the IMPI and CK||IK.
(4) The NAF specific key NSK is used to secure communications between the terminal equipment and the NAF. The parameters for generating the specific key NSK include Ks (i.e., CK || IK), the character "gba_me" or "gba_u", the random number RAND, the IMPI and the identifier of the NAF (NAF-Id). When GBA_U is used, NSK is generated using the character "gba_u" and the character "gba_me" is not used.
(5) A generic public subscription identifier (generic public subscription identifier, GPSI), used to identify the terminal device. The GPSI includes a GPSI type and a GPSI value. The GPSI type is the mobile subscriber ISDN number (MSISDN) type or the external identifier (External Identifier) type. When the GPSI type is the MSISDN type, the GPSI value is the MSISDN; when the GPSI type is the External Identifier type, the GPSI value is the External Identifier. The MSISDN includes a country code (country code, CC), a national destination code (national destination code, NDC) and a subscriber number (subscriber number, SN). The External Identifier format is username@realm, where username is the user name and realm is the domain.
In the GBA bootstrapping request procedure, when the terminal device performs the procedure for the first time, it sends the IMPI to the BSF, where the IMPI is derived from the IMSI of the terminal device. If the BSF does not find the corresponding IMPI in its local database when it receives a bootstrapping request message carrying the TMPI from the terminal device, the BSF also requires the terminal device to resend the bootstrapping request message carrying the IMPI. The IMSI of the terminal device is privacy-sensitive information, so the IMPI contains privacy-sensitive information, and with the above method the privacy of the terminal device is exposed. To solve this problem, the present application proposes the following solutions.
Referring to fig. 5, fig. 5 is a method in a generic bootstrapping architecture according to an embodiment of the present application, including but not limited to the following steps:
Step S501: The terminal device generates a first bootstrap request message or a second bootstrap request message.
In one example, the first guidance request message includes a first identification of the terminal device, or the first identification of the terminal device and the first indication information. In the embodiment of the present application, the first identifier of the terminal device may also be referred to as a first identifier, and the second identifier of the terminal device may also be referred to as a second identifier. The first identity is generated from the second identity and the identity protection key IPK. The first identity does not relate to the privacy of the terminal device and the second identity relates to the privacy of the terminal device. The second identity comprises one of a subscription permanent identity (subscription permanent identifier, SUPI) of the terminal device, an internet protocol multimedia private identity, IMPI, of the terminal device, an international mobile subscriber identity, IMSI, of the terminal device, and a GPSI of the terminal device.
In one example, the first identifier is generated from the second identifier and an identity protection key (identity protection key, IPK); for example, the first identifier is generated by encrypting the second identifier using the IPK. That is, the first identifier may be an encrypted identifier of the terminal device and the second identifier may be the identifier of the terminal device in the clear. In the embodiment of the present application, one possibility is that the identity protection key IPK is the public key of the network side. The identity protection key is configured on the HSS, and/or UDM, and/or BSF. In one example, SUPI* is the subscription concealed identifier (subscription concealed identifier, SUCI) of the terminal device. Assuming that the first identifier is the SUCI and the second identifier is the SUPI, the first identifier SUCI is generated by encrypting the second identifier SUPI with the public key of the network side.
In the embodiment of the present application, when the second identifier is the SUPI of the terminal device, the first identifier is called SUPI*; when the second identifier is the IMPI of the terminal equipment, the first identifier is called IMPI*; when the second identifier is the IMSI of the terminal device, the first identifier is called IMSI*; and when the second identifier is the GPSI of the terminal device, the first identifier is called GPSI*.
In yet another example, the first guidance request message includes a third identification of the terminal device, or the third identification of the terminal device and the first indication information. In the embodiment of the present application, the third identifier of the terminal device may be referred to as a third identifier. The third identifier is a GPSI of the terminal device or a GPSI of a type External Identifier; when the third identifier is the GPSI of the terminal device, the first identifier is referred to as GPSI.
In yet another example, the first indication information is used to instruct the BSF to generate a fifth identifier (TMPI) of the terminal device, or to indicate that the terminal device supports 5G GBA, or to instruct the BSF to send the first request message, or to indicate that the terminal device is a 5G terminal device, or to indicate that authentication and key agreement of the 5G GBA is to be performed. In the embodiment of the present application, the fifth identifier of the terminal device may also be referred to as the fifth identifier.
In one possible implementation, the first indication information is a character in the user agent request header field of the first bootstrap request message that is used to identify 5G. Possibly, the character used to identify 5G is a character comprising "5" or "5G", such as "3gpp-5gba-tmpi" or "3gpp-gba-5tmpi" or "3gpp-5G-gba-tmpi" or "3gpp-gba-5gtmpi".
By including the first indication information in the first guidance request message, resources can be reasonably utilized.
In one possible implementation, if the terminal device holds the fifth identifier (TMPI) locally, the terminal device sends a second bootstrap request message to the BSF, where the second bootstrap request message includes the fifth identifier (TMPI), or the fifth identifier and the first indication information. The parameters used to generate the fifth identifier (TMPI) include TEMP and the BSF domain name; for example, the fifth identifier is TEMP@<BSF domain name>. The parameters used to generate TEMP include: the random number RAND, the 5G GBA key, the second identifier of the terminal device, the identifier of the BSF, and the character used to identify 5G. The 5G GBA key is generated based on CK and IK, and the character used to identify 5G may be a character containing "5" and/or "5G-GBA-me" and/or "5G-GBA-u" and/or "GBA" and/or "5GBA-me" and/or "5GBA-u" and/or "5GBA". The BSF domain name may include a character that identifies 5G.
In one possible implementation, before the terminal device sends the first bootstrap request message to the BSF, the terminal device generates the first identifier from the second identifier and the identity protection key (identity protection key, IPK); for example, the terminal device encrypts the second identifier with the identity protection key IPK to generate the first identifier.
In one possible implementation, the terminal device generates the fifth identity before the terminal device sends the second bootstrap request message to the BSF. The parameters employed to generate the fifth identification are as described above.
By including the first identifier in the first bootstrap request message, or the fifth identifier in the second bootstrap request message, instead of directly carrying the second identifier (the plaintext identifier of the terminal equipment) in the first bootstrap request message, leakage of the privacy information of the terminal equipment can be prevented and the security of communication is improved.
Step S502: the terminal device sends a first bootstrap request message or a second bootstrap request message to the bootstrap server function BSF.
Specifically, the first bootstrap request message includes any one of the following: the first identifier, or the first identifier and the first indication information, or the third identifier and the first indication information. The second bootstrap request message includes the fifth identifier, or the fifth identifier and the first indication information.
Step S503: the BSF receives a first or second bootstrap request message from the terminal device.
Specifically, the first bootstrap request message includes a first identifier or a third identifier, the first identifier being generated from the second identifier. The third identifier is the GPSI of the terminal device or a GPSI of type External Identifier. The second bootstrap request message includes a fifth identifier. Optionally, the first bootstrap request message or the second bootstrap request message further includes first indication information.
Step S504: the BSF generates a first request message.
Specifically, the first request message includes a first identifier, a second identifier, or a third identifier, and the first request message is used for acquiring a first authentication vector of the terminal device, or is used for calling a first authentication service of the HSS to acquire the first authentication vector of the terminal device.
Optionally, before the BSF generates the first request message, the BSF determines to generate the first request message or determines to send the first request message to the HSS. This determination may be made according to the received first identifier, third identifier, fifth identifier or first indication information of the terminal device.
Optionally, the BSF may further determine to generate a fifth identifier (TMPI), or determine that the terminal device supports 5G GBA, or determine that the terminal device is a 5G terminal device, or determine to perform authentication and key agreement of the 5G GBA, according to the first identifier, the third identifier, the fifth identifier or the first indication information.
In one possible implementation, if the BSF receives the first identifier, the BSF obtains the second identifier from the received first identifier and the IPK and includes the second identifier in the first request message. Obtaining the second identifier from the received first identifier and the IPK may consist of the BSF decrypting the first identifier with the IPK. For example, assuming that the first identifier is IMPI*, the BSF determines from the first identifier and the IPK that the second identifier is the IMPI.
In one possible implementation, if the BSF receives the first identification, the BSF includes the received first identification in the first request message; in one possible implementation, if the BSF receives the third identification, the BSF includes the received third identification in the first request message.
In one possible implementation, after receiving the first identifier, if the BSF cannot decrypt the first identifier to obtain the second identifier, the BSF sends an error message to the terminal device, where the error message is used to instruct the terminal device to resend the first bootstrap request message carrying the first identifier, or is used to indicate to the terminal device that the BSF failed to decrypt the first identifier to obtain the second identifier. Correspondingly, after receiving the error message, the terminal device resends the first bootstrap request message carrying the first identifier.
In one possible implementation, if the BSF receives the fifth identification, the BSF determines a second identification corresponding to the fifth identification and includes the second identification in the first request message.
Step S505: the BSF sends a first request message to a home subscriber server HSS device.
Specifically, the first request message includes a first identifier or a second identifier or a third identifier, and the first request message is used for acquiring a first authentication vector of the terminal device or is used for calling a first authentication service of the HSS to acquire the first authentication vector of the terminal device.
Step S506: the HSS receives a first request message from the BSF.
Specifically, the first request message includes the first identifier or the second identifier or the third identifier.
Step S507: the HSS acquires the first authentication vector of the terminal equipment according to the received first identification, the second identification or the third identification.
In one possible implementation, the first request message includes the second identifier or the third identifier, and the HSS generates the first authentication vector of the terminal device according to the second identifier or the third identifier. The HSS then proceeds directly to step S511. A possible implementation of the first authentication vector of the terminal device is described in S508.
In yet another possible implementation, the first request message includes a first identifier, the HSS obtains a second identifier according to the first identifier and the IPK, and the HSS generates a first authentication vector for the terminal device according to the second identifier. The HSS then directly performs step S511. The HSS obtains the second identifier according to the first identifier and the IPK, for example, the HSS decrypts the first identifier by using the IPK to obtain the second identifier.
In one possible implementation, the HSS sends the second request message to the unified data management (unified data management, UDM) according to the received first, or second, or third identity. Specifically, the second request message includes the first identifier, the second identifier, or the third identifier, and is used for requesting the UDM to generate the first authentication vector of the terminal device, or is used for calling the first authentication service of the UDM to obtain the first authentication vector of the terminal device.
In yet another possible implementation, the HSS obtains a second identifier according to the received first identifier and the IPK, and then the HSS sends a second request message to the UDM, where the second request message includes the obtained second identifier, so that the UDM generates the first authentication vector of the terminal device according to the second identifier.
Step S508: the UDM receives the second request message and generates a first authentication vector according to the first identifier or the second identifier or the third identifier in the second request message.
Specifically, the UDM generates the first authentication vector according to the first identifier, the second identifier or the third identifier, which may be any one of the following possible implementations.
In one possible implementation, the UDM receives the first identifier, obtains the second identifier from the first identifier and the IPK (e.g., by decrypting the first identifier with the IPK), and then generates the first authentication vector from the second identifier. Possibly, the second identifier obtained by the UDM from the first identifier and the IPK is the SUPI, and the UDM then generates the first authentication vector from the SUPI. For example, assuming that the first identifier is the SUCI, the UDM invokes the subscription identifier de-concealing function (subscription identifier de-concealing function, SIDF) to de-conceal the SUCI and obtain the SUPI, and generates the first authentication vector of the terminal device from the SUPI. Assuming that the first identifier is IMPI*, the UDM obtains the IMPI from IMPI* and the IPK, then obtains the SUPI from the IMPI and generates the first authentication vector of the terminal device from the SUPI. If the first identifier is IMSI*, the UDM obtains the IMSI from IMSI* and the IPK, generates the SUPI from the IMSI and generates the first authentication vector of the terminal device from the SUPI. If the first identifier is GPSI*, the UDM obtains the GPSI from GPSI* and the IPK, obtains the SUPI from the GPSI and generates the first authentication vector of the terminal device from the SUPI.
In one possible implementation, the UDM receives the second identification, and the UDM generates the first authentication vector based on the second identification. Possibly, assuming that the second identity is an IMSI, the UDM generates a SUPI from the IMSI and generates a first authentication vector for the terminal device from the SUPI. Assuming that the second identifier is an IMPI, the UDM generates a SUPI according to the IMPI and generates a first authentication vector of the terminal device according to the SUPI.
In one possible implementation, the UDM receives the third identification, and the UDM generates the first authentication vector according to the third identification. Possibly, assuming that the third identifier is GPSI, the UDM obtains a corresponding SUPI according to the GPSI, and the UDM generates a first authentication vector of the terminal device according to the SUPI.
The first authentication vector has any one of the following possible implementations. In one possible implementation, the first authentication vector is an authentication vector AV, where AV = RAND || AUTN || XRES || CK || IK, RAND is a random number, AUTN is an authentication token, XRES is an expected response, CK is an intermediate encryption key and IK is an intermediate integrity key; the details are as described above and are not repeated here. In another possible implementation, the first authentication vector is an EAP-AKA' authentication vector generated by the UDM using the improved extensible authentication protocol method for 3rd generation authentication and key agreement (EAP-AKA') for 5G authentication and key management. The EAP-AKA' authentication vector comprises a random number RAND, an authentication token AUTN, XRES, a first intermediate encryption key CK' and a first intermediate integrity key IK', where the parameters for generating CK' and IK' include the intermediate encryption key CK, the intermediate integrity key IK, the sequence number SQN, the anonymity key AK and the serving network name SN-Name generated by the UDM or sent by the HSS. The serving network name SN-Name comprises a service code and a serving network identifier SN-Id, the SN-Id comprising a mobile country code MCC and a mobile network code MNC, where in one example MCC=000 and MNC=00 or MNC=000, and in another example MCC=999 and MNC=99 or MNC=999. The service code is a string comprising "5g" and/or "gba".
Step S509: the UDM sends a second response message to the HSS.
Specifically, the second response message includes the first authentication vector, or, the first authentication vector and the second identification.
Step S510: the HSS receives a second response message from the UDM.
Specifically, the second response information includes the first authentication vector, or, the first authentication vector, and the second identification.
Step S511: the HSS sends a first response message to the BSF.
Specifically, the first response message includes the first authentication vector, or the first authentication vector and the second identifier. Optionally, the first response message includes first indication information, where the first indication information is used to instruct the BSF to generate a fifth identifier (TMPI) of the terminal device, or to indicate that the terminal device supports 5G GBA, or to indicate that the terminal device is a 5G terminal device, or to indicate that authentication and key agreement of the 5G GBA is to be performed.
Step S512: the BSF receives a first response message from the HSS.
Step S513: The BSF sends the received random number RAND and authentication token AUTN, or the received random number RAND and an AUTN* generated from the received authentication token AUTN, to the terminal device.
Specifically, if the BSF decides to use the GBA_U mechanism, the BSF sends the random number RAND and AUTN* to the terminal device.
Step S514: The terminal device receives the random number RAND and the authentication token AUTN, or the random number RAND and AUTN*, from the BSF. The terminal device verifies AUTN or AUTN* to determine that the message comes from an authorized network.
Step S515: the terminal device transmits authentication response information generated based on the RES to the BSF.
Step S516: the BSF verifies the authentication response information and sends the result of the verification to the terminal device.
In one possible implementation, before the BSF sends the result of verifying the authentication response information to the terminal device, the BSF generates the fifth identifier; or the BSF generates the fifth identifier (TMPI) according to the first indication information in the first response message or the first indication information in the first bootstrapping request message. The content of the fifth identifier is described in step S501 and is not repeated here. The BSF stores the correspondence between the fifth identifier and the second identifier. The correspondence is used to determine the second identifier corresponding to the fifth identifier when the BSF receives a second bootstrapping request message that includes the fifth identifier.
In one possible implementation, after the BSF generates the fifth identifier, the BSF sends the fifth identifier to the terminal device.
In yet another possible implementation, the BSF generates a first bootstrapping transaction identifier (B-TID) before the BSF sends the result of verifying the authentication response information to the terminal device. Specifically, the first bootstrapping transaction identifier (B-TID) is used to identify the bootstrapping transaction performed between the terminal device and the BSF. The parameters used to generate the B-TID include the random number RAND, the 5G GBA key, the second identifier, the identifier of the BSF and a character for identifying 5G. The 5G GBA key is generated based on CK and IK, and the character for identifying 5G may be a character string containing "5", "5G-GBA-me", "5G-GBA-u", "GBA", "5GBA-me", "5GBA-u" and/or "5GBA".
In yet another possible implementation, after the BSF generates the first bootstrapping transaction identifier (B-TID) according to the character for identifying 5G, the BSF sends the B-TID to the terminal device.
Step S517: the terminal device obtains the first bootstrapping transaction identifier (B-TID) and/or the fifth identifier (TMPI).
Specifically, the first bootstrapping transaction identifier (B-TID) and the fifth identifier (TMPI) are described above and are not repeated here.
In one possible implementation, the terminal device receives the first bootstrapping transaction identifier (B-TID) and/or the fifth identifier (TMPI) from the BSF.
In a further possible implementation, the terminal device itself generates the first bootstrapping transaction identifier (B-TID) and/or the fifth identifier (TMPI) of the terminal device. The parameters used to generate the B-TID and the TMPI are as described above and are not repeated here.
Step S518: optionally, the terminal device sends an application request message to the network application function NAF.
Specifically, the application request message includes the first bootstrapping transaction identifier (B-TID).
Step S519: the NAF receives the application request message from the terminal device.
Specifically, after receiving the application request message from the terminal device, the NAF may determine, according to the BSF domain name carried in the first bootstrapping transaction identifier (B-TID), the BSF that performed the bootstrapping procedure with the terminal device, and obtain from that BSF the key for secure communication with the terminal device.
Referring to FIG. 6, FIG. 6 shows a method in yet another generic bootstrapping architecture provided in an embodiment of the present application, which includes but is not limited to the following steps:
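The exchange of steps S513 to S519 run end to end, as an added example that is not code from the patent or from 3GPP. The f1..f5 functions are constructed HMAC-SHA-256 stand-ins for the AKA algorithms (real networks use MILENAGE or TUAK); the GBA_U rule MAC* = MAC xor Trunc(SHA-1(IK)) follows TS 33.220; the B-TID and TMPI formulas are this example's own assumptions that take the parameters the text lists (RAND, the 5G GBA key Ks, the second identifier, the BSF identifier and a character string identifying 5G). The subscriber key, identifiers and domain names are constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example, not code from the patent: UE, BSF and NAF as plain functions.
# f1..f5 are constructed stand-ins for the AKA algorithms, not MILENAGE/TUAK.
K_UE = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed long-term key
AMF = b"\x80\x00"
TAG_5G = b"5G-GBA"                                         # character string identifying 5G


def _f(k, label, *parts):
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf): return _f(k, b"f1", rand, sqn, amf)[:8]   # MAC
def f2(k, rand): return _f(k, b"f2", rand)[:8]                       # RES / XRES
def f3(k, rand): return _f(k, b"f3", rand)[:16]                      # CK
def f4(k, rand): return _f(k, b"f4", rand)[:16]                      # IK
def f5(k, rand): return _f(k, b"f5", rand)[:6]                       # AK

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def generate_av(k, sqn, rand=None):
    """HSS/UDM side (step S508): AV = RAND || AUTN || XRES || CK || IK."""
    rand = rand or os.urandom(16)
    autn = xor(sqn, f5(k, rand)) + AMF + f1(k, rand, sqn, AMF)
    return {"RAND": rand, "AUTN": autn, "XRES": f2(k, rand), "CK": f3(k, rand), "IK": f4(k, rand)}

def gba_u_autn_star(autn, ik):
    """GBA_U: the MAC in AUTN is replaced by MAC* = MAC xor Trunc(SHA-1(IK))."""
    return autn[:8] + xor(autn[8:], hashlib.sha1(ik).digest()[:8])

def ue_verify_autn(k, rand, autn, last_sqn, gba_u=False):
    """Step S514: recover SQN, check MAC (or MAC*) and freshness; return RES, CK, IK, SQN."""
    sqn, amf, mac = xor(autn[:6], f5(k, rand)), autn[6:8], autn[8:]
    ck, ik = f3(k, rand), f4(k, rand)
    expected = f1(k, rand, sqn, amf)
    if gba_u:
        expected = xor(expected, hashlib.sha1(ik).digest()[:8])
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC failure: AUTN was not produced by the home network")
    if int.from_bytes(sqn, "big") <= int.from_bytes(last_sqn, "big"):
        raise ValueError("synchronisation failure: SQN is not fresh")
    return f2(k, rand), ck, ik, sqn

def make_btid(ks, rand, impi, bsf_domain):
    """Assumed B-TID form: base64url(KDF(Ks, 5G tag, RAND, IMPI)) '@' BSF domain."""
    user = base64.urlsafe_b64encode(_f(ks, TAG_5G, rand, impi.encode())[:16]).decode().rstrip("=")
    return f"{user}@{bsf_domain}"

def make_tmpi(ks, impi, bsf_domain):
    """Assumed fifth identifier (TMPI) from Ks, the second identifier and the 5G tag."""
    user = base64.urlsafe_b64encode(_f(ks, TAG_5G + b"-tmpi", impi.encode())[:16]).decode().rstrip("=")
    return f"{user}@tmpi.{bsf_domain}"

def bsf_domain_from_btid(btid):
    """NAF side (step S519): the part after '@' names the BSF to fetch the key from."""
    return btid.rsplit("@", 1)[1]

class BSF:
    def __init__(self, domain):
        self.domain = domain
        self.pending = {}      # RAND -> (AV, IMPI) while a challenge is outstanding
        self.tmpi_table = {}   # fifth identifier -> second identifier
        self.sessions = {}     # B-TID -> Ks

    def challenge(self, impi, av, gba_u=False):
        """Step S513: RAND with AUTN (GBA_ME) or with AUTN* (GBA_U)."""
        self.pending[av["RAND"]] = (av, impi)
        return av["RAND"], (gba_u_autn_star(av["AUTN"], av["IK"]) if gba_u else av["AUTN"])

    def verify_response(self, rand, res):
        """Step S516: compare RES with XRES; on success derive Ks, B-TID and TMPI."""
        av, impi = self.pending.pop(rand)
        if not hmac.compare_digest(res, av["XRES"]):
            return None
        ks = av["CK"] + av["IK"]                     # 5G GBA key generated from CK and IK
        btid, tmpi = make_btid(ks, rand, impi, self.domain), make_tmpi(ks, impi, self.domain)
        self.sessions[btid] = ks
        self.tmpi_table[tmpi] = impi                  # used on the second bootstrapping request
        return btid, tmpi

def run_bootstrapping(impi, sqn, last_sqn, bsf, gba_u=False, rand=None):
    """Whole exchange; returns (B-TID, TMPI, Ks) or None if the BSF rejects RES."""
    av = generate_av(K_UE, sqn, rand)
    rand, autn = bsf.challenge(impi, av, gba_u)
    res, ck, ik, _ = ue_verify_autn(K_UE, rand, autn, last_sqn, gba_u)
    result = bsf.verify_response(rand, res)
    return None if result is None else (result[0], result[1], ck + ik)

if __name__ == "__main__":
    bsf = BSF("bsf.mnc000.mcc000.3gppnetwork.org")
    btid, tmpi, ks = run_bootstrapping("user@ims.example", b"\x00\x00\x00\x00\x00\x05", b"\x00" * 6, bsf)
    print(btid, tmpi, bsf.sessions[btid] == ks, bsf.tmpi_table[tmpi])
```

The UE checks the MAC before the sequence number, so a forged AUTN is rejected without leaking whether its SQN would have been accepted, and a replayed AUTN with a valid MAC is still refused on freshness. The B-TID carries no subscriber identity, and the TMPI stored at the BSF is what lets the next bootstrapping request avoid sending the permanent identifier again.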
Step S601 to step S606 may refer to step S501 to step S506, and will not be described here.
Step S607: the HSS sends a third request message to the authentication server function (authentication server function, AUSF).
Specifically, the third request message includes the first identifier, the second identifier or the third identifier. The third request message is used to request the first authentication vector of the terminal device, or to invoke the first authentication service of the AUSF to obtain the first authentication vector of the terminal device, or to cause the AUSF to send a fourth request message to the UDM so that the UDM generates the first authentication vector of the terminal device.
Step S608: the AUSF receives a third request message from the HSS.
Step S609: the AUSF sends a fourth request message to the UDM.
Specifically, the fourth request message includes the first identifier, the second identifier or the third identifier, and is used by the UDM to generate the first authentication vector of the terminal device, or to invoke the first authentication service of the UDM to generate the first authentication vector of the terminal device.
Step S610: the UDM receives the fourth request message and generates a first authentication vector according to the first identification or the second identification or the third identification.
Specifically, the UDM generates the first authentication vector according to the first identifier, the second identifier or the third identifier; the description in step S508 of how the UDM generates the first authentication vector from these identifiers applies here and is not repeated. The serving network name SN-Name required by the UDM to generate the first authentication vector may be generated by the UDM, or sent to the UDM by the HSS through the AUSF. If the SN-Name is sent by the HSS to the UDM via the AUSF, the HSS carries the SN-Name in the third request message and the AUSF carries the SN-Name in the fourth request message.
Step S611: the UDM sends a fourth response message to the AUSF.
Specifically, the fourth response message includes the first authentication vector, or the first authentication vector and the second identifier.
Step S612: the AUSF receives a fourth response message from the UDM.
Step S613: the AUSF sends a third response message to the HSS.
Specifically, the third response message includes the first authentication vector, or the first authentication vector and the second identifier.
Step S614: the HSS receives the third response message from the AUSF.
Specifically, the third response message includes the first authentication vector, or the first authentication vector and the second identifier.
Step S615 to step S623 may refer to step S511 to step S519 and are not described here.
Referring to FIG. 7, FIG. 7 shows a method in yet another generic bootstrapping architecture provided in an embodiment of the present application, which includes but is not limited to the following steps:
step S701 to step S703 may refer to step S501 to step S503, and will not be described here.
Step S704: the BSF generates a fifth request message.
Specifically, the fifth request message includes the first identifier, the second identifier or the third identifier. The fifth request message is used to obtain the first authentication vector of the terminal device, or to invoke the first authentication service of the UDM to obtain the first authentication vector of the terminal device.
Optionally, before generating the fifth request message, the BSF determines that the fifth request message is to be generated, or determines to send the fifth request message to the UDM. This determination may be made according to the received first identifier, third identifier or fifth identifier, or according to the first indication information.
Optionally, the BSF may further determine, according to the first identifier, the third identifier, the fifth identifier or the first indication information, to generate a fifth identifier (TMPI*), or determine that the terminal device supports 5G GBA, or determine that the terminal device is a 5G terminal device, or determine to perform authentication and key agreement of 5G GBA.
In one possible implementation, if the BSF receives the first identifier, the BSF obtains the second identifier according to the received first identifier and the IPK, and includes the second identifier in the fifth request message. The BSF obtaining the second identifier according to the received first identifier and the IPK may mean that the BSF decrypts the first identifier with the IPK. For example, assuming that the first identifier is IMPI* (the IMPI protected with the IPK), the BSF determines from IMPI* and the IPK that the second identifier is IMPI.
In one possible implementation, if the BSF receives the first identifier, the BSF includes the received first identifier in the fifth request message. In one possible implementation, if the BSF receives the third identifier, the BSF includes the received third identifier in the fifth request message.
In one possible implementation, if the BSF cannot decrypt the received first identifier to obtain the second identifier, the BSF sends an error message to the terminal device, where the error message is used to instruct the terminal device to resend the first bootstrapping request message carrying the first identifier, or to indicate to the terminal device that the BSF failed to decrypt the first identifier to obtain the second identifier. Correspondingly, after receiving the error message, the terminal device resends the first bootstrapping request message carrying the first identifier.
In one possible implementation, if the BSF receives the fifth identifier, the BSF determines the second identifier corresponding to the fifth identifier and includes the second identifier in the fifth request message.
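The BSF's handling of the identifier carried in the first bootstrapping request (step S704; the same branches are described for the sixth request message of FIG. 8 and the eighth request message of FIG. 9), as an added example that is not code from the patent. The patent does not say how the IPK protects the identifier, so the scheme here is a constructed stand-in: a keystream from HMAC-SHA-256 in counter mode followed by an HMAC tag, both keyed with the IPK. The treatment of an unknown fifth identifier as a retry with the first identifier is an assumption taken from TS 33.220 practice; the message field names, the IPK value and the identifiers are this example's own.

```python
import hashlib
import hmac
import os

# Added example, not code from the patent: identifier protection is a
# constructed encrypt-then-MAC stand-in under the IPK, not a 3GPP algorithm.
IPK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed identifier protection key
NONCE_LEN, TAG_LEN = 12, 16


def _keystream(ipk, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ipk, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(ipk, nonce, ciphertext):
    return hmac.new(ipk, b"tag" + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]

def protect_identifier(ipk, second_id):
    """Terminal side: first identifier = nonce || E_IPK(second identifier) || tag."""
    nonce = os.urandom(NONCE_LEN)
    plain = second_id.encode()
    ciphertext = bytes(a ^ b for a, b in zip(plain, _keystream(ipk, nonce, len(plain))))
    return nonce + ciphertext + _tag(ipk, nonce, ciphertext)

def unprotect_identifier(ipk, first_id):
    """BSF side: check the tag before decrypting; None means the first identifier
    cannot be decrypted (wrong IPK, tampering or truncation)."""
    if len(first_id) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = first_id[:NONCE_LEN], first_id[NONCE_LEN:-TAG_LEN], first_id[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(ipk, nonce, ciphertext)):
        return None
    plain = bytes(a ^ b for a, b in zip(ciphertext, _keystream(ipk, nonce, len(ciphertext))))
    return plain.decode()

def error_message(reason):
    """Error message to the terminal: always asks for a resend with the first identifier."""
    return {"type": "error", "reason": reason,
            "action": "resend the first bootstrapping request message with the first identifier"}

class BSF:
    def __init__(self, ipk):
        self.ipk = ipk
        self.tmpi_table = {}   # fifth identifier (TMPI) -> second identifier, filled at bootstrapping

    def build_fifth_request(self, bootstrap_request):
        """Return ("udm", fifth request message) or ("terminal", error message).

        first_id : protected second identifier, decrypted here with the IPK
        third_id : forwarded unchanged; the UDM resolves it to the SUPI
        fifth_id : TMPI from an earlier bootstrapping, mapped to the stored second identifier
        """
        if "first_id" in bootstrap_request:
            second_id = unprotect_identifier(self.ipk, bootstrap_request["first_id"])
            if second_id is None:
                return "terminal", error_message("first identifier could not be decrypted")
            return "udm", {"second_id": second_id}
        if "fifth_id" in bootstrap_request:
            second_id = self.tmpi_table.get(bootstrap_request["fifth_id"])
            if second_id is None:
                # Assumption: an unknown TMPI makes the terminal fall back to the first identifier.
                return "terminal", error_message("fifth identifier unknown")
            return "udm", {"second_id": second_id}
        if "third_id" in bootstrap_request:
            return "udm", {"third_id": bootstrap_request["third_id"]}
        return "terminal", error_message("no identifier in bootstrapping request")

if __name__ == "__main__":
    bsf = BSF(IPK)
    first_id = protect_identifier(IPK, "user@ims.mnc000.mcc000.3gppnetwork.org")
    print(bsf.build_fifth_request({"first_id": first_id}))
    print(bsf.build_fifth_request({"first_id": first_id[:-1] + b"\x00"}))
```

The tag is verified before any decryption, so a corrupted or forged first identifier never yields a partially decrypted value that could be sent to the UDM. The fresh nonce per request keeps two protected copies of the same second identifier unlinkable on the air interface, which is the point of sending the first identifier instead of the IMPI.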
Step S705: the BSF sends a fifth request message to the UDM.
Specifically, the fifth request message includes the first identifier or the second identifier or the third identifier.
Step S706: the UDM receives the fifth request message and generates a first authentication vector according to the first identification or the second identification or the third identification.
Specifically, the UDM generates the first authentication vector according to the first identifier, the second identifier or the third identifier; the description in step S508 of how the UDM generates the first authentication vector from these identifiers applies here and is not repeated. The SN-Name may be generated by the BSF and sent to the UDM, or generated by the UDM; when the BSF sends the SN-Name to the UDM, the SN-Name may be carried in the fifth request message. The content of the SN-Name is as described in step S508.
Step S707: the UDM sends a fifth response message to the BSF.
Specifically, the fifth response message includes the first authentication vector, or the first authentication vector and the second identification.
Step S708: the BSF receives a fifth response message from the UDM.
Specifically, the fifth response message includes the first authentication vector, or the first authentication vector and the second identification.
In one possible implementation, after the BSF receives the fifth response message from the UDM, the BSF generates a fifth identifier (TMPI*), or the BSF generates the fifth identifier (TMPI*) according to the first indication information. The content of the fifth identifier is described in step S512 and is not repeated here. The BSF stores the correspondence between the fifth identifier and the second identifier. The correspondence is used to determine the second identifier corresponding to the fifth identifier when the BSF receives a second bootstrapping request message that includes the fifth identifier.
In one possible implementation, after the BSF generates the fifth identifier (TMPI) of the terminal device, the BSF sends the fifth identifier to the terminal device.
In yet another possible implementation, the BSF generates the first bootstrapping transaction identifier (B-TID) after receiving the fifth response message from the UDM. Specifically, the first bootstrapping transaction identifier (B-TID) is used to identify the bootstrapping transaction performed between the terminal device and the BSF. The parameters used to generate the B-TID are described in step S512.
In yet another possible implementation, after the BSF generates the first bootstrapping transaction identifier (B-TID), the BSF sends the B-TID to the terminal device.
Step S709 to step S715 may refer to step S513 to step S519 and are not described here.
Referring to FIG. 8, FIG. 8 shows a method in yet another generic bootstrapping architecture provided in an embodiment of the present application, which includes but is not limited to the following steps:
step S801 to step S803 may refer to step S501 to step S503.
Step S804: the BSF generates a sixth request message.
Step S805: the BSF sends a sixth request message to the AUSF.
Specifically, the sixth request message includes the first identifier, the second identifier or the third identifier, and is used to request the first authentication vector of the terminal device, or to invoke the first authentication service of the AUSF to obtain the first authentication vector of the terminal device, or to cause the AUSF to send a seventh request message to the UDM so that the UDM generates the first authentication vector of the terminal device.
Optionally, before sending the sixth request message to the AUSF, the BSF determines to send the sixth request message to the AUSF. This determination may be made according to the received first identifier, third identifier or fifth identifier, or according to the first indication information.
Optionally, the BSF may further determine, according to the first identifier, the third identifier, the fifth identifier or the first indication information, to generate a fifth identifier (TMPI*), or determine that the terminal device supports 5G GBA, or determine that the terminal device is a 5G terminal device, or determine to perform authentication and key agreement of 5G GBA.
In one possible implementation, if the BSF receives the first identifier, the BSF obtains the second identifier according to the received first identifier and the IPK, and includes the second identifier in the sixth request message. The BSF obtaining the second identifier according to the received first identifier and the IPK may mean that the BSF decrypts the first identifier with the IPK. For example, assuming that the first identifier is IMPI* (the IMPI protected with the IPK), the BSF determines from IMPI* and the IPK that the second identifier is IMPI.
In one possible implementation, if the BSF receives the first identifier, the BSF includes the received first identifier in the sixth request message. In one possible implementation, if the BSF receives the third identifier, the BSF includes the received third identifier in the sixth request message.
In one possible implementation, if the BSF cannot decrypt the received first identifier to obtain the second identifier, the BSF sends an error message to the terminal device, where the error message is used to instruct the terminal device to resend the first bootstrapping request message carrying the first identifier, or to indicate to the terminal device that the BSF failed to decrypt the first identifier to obtain the second identifier. Correspondingly, after receiving the error message, the terminal device resends the first bootstrapping request message carrying the first identifier.
In one possible implementation, if the BSF receives the fifth identifier, the BSF determines the second identifier corresponding to the fifth identifier and includes the second identifier in the sixth request message.
Step S806: the AUSF receives a sixth request message of the BSF.
Step S807: the AUSF sends a seventh request message to the UDM.
Specifically, the seventh request message includes the first identifier, the second identifier or the third identifier, and is used to request the first authentication vector of the terminal device, or to invoke the first authentication service of the UDM to generate the first authentication vector of the terminal device.
Step S808: the UDM receives the seventh request message and generates the first authentication vector based on the first identity or the second identity or the third identity.
The generation of the first authentication vector by the UDM according to the first identifier, the second identifier or the third identifier may refer to the corresponding description in step S508 and is not repeated here. The serving network name SN-Name required by the UDM to generate the first authentication vector may be generated by the UDM, or generated by the AUSF and sent to the UDM, or generated by the BSF and sent to the UDM through the AUSF. The content of the SN-Name is as described in step S508. The BSF determines to generate the SN-Name according to the first identifier, the third identifier, the fifth identifier or the first indication information. The BSF sends the SN-Name to the AUSF, where it may be carried in the sixth request message; the AUSF sends the SN-Name to the UDM, where it may be carried in the seventh request message.
Step S809: the UDM sends a seventh response message to the AUSF.
Specifically, the seventh response message includes the first authentication vector of the terminal device, or the first authentication vector and the second identity.
Step S810: the AUSF receives a seventh response message from the UDM.
Step S811: the AUSF sends a sixth response message to the BSF.
Specifically, the sixth response message includes the first authentication vector of the terminal device, or the first authentication vector and the second identity.
Step S812: the BSF receives a sixth response message from the AUSF.
In one possible implementation, after the BSF receives the sixth response message from the AUSF, the BSF generates a fifth identifier, or the BSF generates the fifth identifier (TMPI) according to the first indication information. The content of the fifth identifier is described in step S512 and is not repeated here. The BSF stores the correspondence between the fifth identifier and the second identifier. The correspondence is used to determine the second identifier corresponding to the fifth identifier when the BSF receives a second bootstrapping request message that includes the fifth identifier.
In one possible implementation, after the BSF generates the fifth identifier (TMPI), the BSF sends the fifth identifier to the terminal device.
In yet another possible implementation, the BSF generates the first bootstrapping transaction identifier (B-TID) after receiving the sixth response message from the AUSF. Specifically, the first bootstrapping transaction identifier (B-TID) is used to identify the bootstrapping transaction performed between the terminal device and the BSF. The parameters used to generate the B-TID are described in step S512.
In yet another possible implementation, after the BSF generates the first bootstrapping transaction identifier (B-TID), the BSF sends the B-TID to the terminal device.
Step S813 to step S819 may refer to step S513 to step S519 and are not described here.
Referring to FIG. 9, FIG. 9 shows a method in yet another generic bootstrapping architecture provided in an embodiment of the present application, which includes but is not limited to the following steps:
step S901 to step S903 refer to step S501 to step S503, and are not described here.
Step S904: the BSF generates an eighth request message.
Specifically, the eighth request message includes the first identifier or the third identifier received by the BSF. The eighth request message is used to obtain the first authentication vector of the terminal device, or to invoke the first authentication service of the HSS to obtain the first authentication vector of the terminal device.
Optionally, before generating the eighth request message, the BSF determines that the eighth request message is to be generated, or determines to send the eighth request message to the HSS. This determination may be made according to the received first identifier, third identifier or fifth identifier of the terminal device, or according to the first indication information.
Optionally, the BSF may further determine, according to the first identifier, the third identifier, the fifth identifier or the first indication information, to generate a fifth identifier (TMPI*), or determine that the terminal device supports 5G GBA, or determine that the terminal device is a 5G terminal device, or determine to perform authentication and key agreement of 5G GBA.
In one possible implementation, if the BSF cannot decrypt the received first identifier to obtain the second identifier, the BSF sends an error message to the terminal device, where the error message is used to instruct the terminal device to resend the first bootstrapping request message carrying the first identifier, or to indicate to the terminal device that the BSF failed to decrypt the first identifier to obtain the second identifier. Correspondingly, after receiving the error message, the terminal device resends the first bootstrapping request message carrying the first identifier.
Step S905: the BSF sends an eighth request message to the HSS.
Specifically, the eighth request message includes the first identifier or the third identifier.
Step S906: the HSS receives the eighth request message from the BSF.
Specifically, the eighth request message includes the first identifier or the third identifier received by the BSF.
Step S907: the HSS sends a ninth request message to the UDM.
Specifically, the ninth request message includes the received first identifier or third identifier. The ninth request message is used to request the second identifier.
Step S908: the UDM receives the ninth request message from the HSS.
Specifically, the ninth request message includes the first identifier or the third identifier.
Specifically, after receiving the first identifier or the third identifier, the UDM obtains the second identifier. In one possible implementation, if the UDM receives the third identifier, the UDM looks up the SUPI corresponding to the third identifier. In one possible implementation, if the UDM receives the first identifier, the UDM obtains the second identifier based on the IPK and the first identifier, for example by decrypting the first identifier with the IPK.
Step S909: the UDM sends a ninth response message to the HSS.
Specifically, the ninth response message includes the second identifier, which is used by the HSS to generate the first authentication vector.
Step S910: the HSS receives the ninth response message and generates the first authentication vector according to the received second identifier.
A possible implementation of the first authentication vector is described in step S508 and is not repeated here.
Step S911 to step S919 may refer to step S511 to step S519 and are not described here.
In this embodiment, the communication between the HSS and the UDM may pass through the AUSF; this is not described further here.
Referring to FIG. 10, FIG. 10 shows a method in yet another generic bootstrapping architecture provided in an embodiment of the present application, which includes but is not limited to the following steps:
Step S1001 to step S1003 may refer to step S501 to step S503 and are not described here.
Step S1004: if the BSF receives the first identification or the third identification, the BSF generates a tenth request message.
Specifically, the tenth request message includes the first identifier or the third identifier, and is used to request the second identifier of the terminal device.
Step S1005: the BSF sends a tenth request message to the UDM.
Specifically, the tenth request message includes the first identifier or the third identifier.
Step S1006: the UDM receives a tenth request message from the BSF.
Specifically, the tenth request message includes the first identifier or the third identifier. After receiving the first identifier or the third identifier, the UDM obtains the second identifier; see the description in step S908 of how the UDM obtains the second identifier from the first identifier or the third identifier.
Step S1007: the UDM sends a tenth response message to the BSF.
Specifically, the tenth response message includes the second identification.
Step S1008: the BSF receives a tenth response message from the UDM.
Specifically, the tenth response message includes the second identification.
Step S1009: the BSF sends an eleventh request message to the HSS.
Specifically, the eleventh request message includes the second identifier, and is used to request the first authentication vector of the terminal device, or to invoke the first authentication service of the HSS to obtain the first authentication vector of the terminal device.
Step S1010: the HSS receives an eleventh request message from the BSF and generates a first authentication vector according to the second identity.
Specifically, a possible implementation of the first authentication vector is described in step S508 and is not repeated here.
Step S1011: the HSS sends an eleventh response message to the BSF.
Specifically, the eleventh response message includes the first authentication vector, or the first authentication vector and the second identifier.
Step S1012: the BSF receives an eleventh response message from the HSS.
In one possible implementation, after the BSF receives the eleventh response message from the HSS, the BSF generates the fifth identifier, or the BSF generates the fifth identifier (TMPI) according to the first indication information. The fifth identifier is described in step S512 and is not repeated here. The BSF stores the correspondence between the fifth identifier and the second identifier. The correspondence is used to determine the second identifier corresponding to the fifth identifier when the BSF receives a second bootstrapping request message that includes the fifth identifier. In one possible implementation, after the BSF generates the fifth identifier (TMPI), the BSF sends the fifth identifier to the terminal device.
In yet another possible implementation, the BSF generates the first bootstrapping transaction identifier (B-TID) after receiving the eleventh response message from the HSS. Specifically, the first bootstrapping transaction identifier (B-TID) is used to identify the bootstrapping transaction performed between the terminal device and the BSF. The parameters used to generate the B-TID are described in step S512 and are not repeated here.
Step S1013 to step S1019 may refer to step S513 to step S519 and are not described here.
In this embodiment, the communication between the BSF and the UDM may pass through the AUSF; this is not described further here.
The foregoing details the method of embodiments of the present application, and the apparatus of embodiments of the present application is provided below.
Referring to fig. 11, fig. 11 is a schematic structural diagram of an apparatus 1100 in a generic bootstrapping architecture provided in an embodiment of the present application, where the apparatus 1100 in the generic bootstrapping architecture may include a receiving unit 1101, a processing unit 1102, and a sending unit 1103, where the detailed descriptions of the respective units are as follows.
A receiving unit 1101, configured to receive a first bootstrap request message from a terminal device, where the first bootstrap request message includes a first identifier of the terminal device, where the first identifier is generated according to a second identifier of the terminal device and an identifier protection key IPK;
a processing unit 1102, configured to generate a first request message, where the first request message includes the first identifier or the second identifier;
a sending unit 1103, configured to send the first request message to a home subscriber server network element;
the receiving unit 1101 is further configured to receive a first response message from the home subscriber server network element, where the first response message includes a first authentication vector of the terminal device.
In a possible implementation manner, the processing unit 1102 is further configured to decrypt the first identifier to obtain the second identifier.
In one possible implementation, the first response message includes the second identification.
In a possible implementation manner, the processing unit 1102 is further configured to generate, after receiving the first response message from the home subscriber server network element, a fifth identifier of the terminal device according to the second identifier, or according to the second identifier and a character for identifying 5G.
In a possible implementation manner, the sending unit 1103 is further configured to send the fifth identifier to the terminal device; and/or
The receiving unit 1101 is further configured to receive a second bootstrap request message from the terminal device, where the second bootstrap request message includes the fifth identifier;
the processing unit is configured to determine the second identifier corresponding to the fifth identifier.
In a possible implementation manner, the receiving unit 1101 is further configured to receive first indication information, where the first indication information is used to instruct the bootstrapping server function network element to generate the fifth identifier;
the receiving unit 1101 is further configured to receive the first response message from the home subscriber server network element, where the first response message includes the first indication information; or
the receiving unit 1101 is further configured to receive the first bootstrapping request message from the terminal device, where the first bootstrapping request message includes the first indication information.
In a possible implementation manner, the processing unit 1102 is further configured to generate a first bootstrapping transaction identifier according to a character for identifying 5G, where the first bootstrapping transaction identifier is used to identify the bootstrapping transaction performed between the terminal device and the bootstrapping server function network element.
In a possible implementation manner, the sending unit 1103 is further configured to send the first bootstrapping transaction identifier to the terminal device after generating the first bootstrapping transaction identifier according to the character for identifying 5G.
Regarding the technical effects brought about by the fourth aspect or various alternative implementations, reference may be made to the description of the technical effects of the first aspect or corresponding embodiments.
It should be noted that the implementation and beneficial effects of each unit may also correspond to the corresponding description of the method embodiment shown in fig. 5.
Referring to fig. 12, fig. 12 is a schematic structural diagram of an apparatus 1200 in a generic bootstrapping architecture according to an embodiment of the present application, where the apparatus 1200 may include a receiving unit 1201, a processing unit 1202, and a sending unit 1203, where the details of the respective units are described below.
A receiving unit 1201, configured to receive a first request message from a bootstrapping server function network element, where the first request message includes a first identifier of a terminal device or a second identifier of the terminal device, where the first identifier is generated according to the second identifier of the terminal device and an identifier protection key IPK;
a processing unit 1202 is configured to obtain a first authentication vector of the terminal device according to the first identifier or the second identifier.
A sending unit 1203 configured to send a first response message to the bootstrapping server function network element, where the first response message includes the first authentication vector.
In a possible implementation manner, the sending unit 1203 is further configured to send a second request message to a unified data management network element, where the second request message includes the first identifier or the second identifier, so that the unified data management network element generates a first authentication vector of the terminal device according to the first identifier or the second identifier; the receiving unit 1201 is further configured to receive a second response message from the unified data management network element, where the second response message includes the first authentication vector.
In one possible implementation, the second response message includes the second identification.
In a possible implementation manner, the first request message includes the second identifier, and the processing unit 1202 is further configured to generate a first authentication vector of the terminal device according to the second identifier.
In a possible implementation manner, the first request message includes the first identifier, and the processing unit 1202 is further configured to decrypt the first identifier and obtain the second identifier; and generating a first authentication vector of the terminal equipment according to the second identifier.
In a possible implementation manner, the processing unit 1202 is further configured to decrypt the first identifier and obtain the second identifier; the sending unit 1203 is further configured to send a second request message to a unified data management network element, where the second request message includes the second identifier, so that the unified data management network element generates a first authentication vector of the terminal device according to the second identifier.
In one possible implementation, the first response message includes the second identifier; and/or the first response message includes first indication information, where the first indication information is used to instruct the bootstrapping server function network element to generate a fifth identifier of the terminal device, and the fifth identifier is an identifier generated according to the second identifier or according to the second identifier and a character for identifying 5G.
It should be noted that the implementation and beneficial effects of each unit may also correspond to the corresponding description of the method embodiment shown in fig. 5.
Referring to fig. 13, fig. 13 is a schematic structural diagram of an apparatus 1300 in a generic bootstrapping architecture according to an embodiment of the present application, where the apparatus 1300 may include a processing unit 1301, a sending unit 1302, and a receiving unit 1303, where the details of the respective units are described below.
A processing unit 1301 configured to generate a first bootstrapping request message, where the first bootstrapping request message includes a first identifier of the apparatus, where the first identifier is generated according to a second identifier of the apparatus and an identifier protection key IPK;
a sending unit 1302, configured to send the first bootstrapping request message to a bootstrapping server function network element;
a receiving unit 1303, configured to receive a bootstrapping response message from the bootstrapping server function network element, where the bootstrapping response message is used to request the apparatus to perform authentication;
a processing unit 1301, configured to obtain first bootstrapping transaction identification information and/or a fifth identifier of the apparatus, where the first bootstrapping transaction identification information is used to identify a bootstrapping transaction performed by the apparatus and the bootstrapping server function network element, and the fifth identifier is an identifier generated according to the second identifier, or according to the second identifier and a character for identifying 5G.
In a possible implementation manner, the receiving unit 1303 is further configured to receive the first bootstrapping transaction identification information and/or the fifth identifier of the apparatus from the bootstrapping server function network element.
In a possible implementation manner, the processing unit 1301 is further configured to generate the first bootstrapping transaction identification information and/or the fifth identifier of the apparatus according to a character used for identifying 5G.
In a possible implementation manner, the sending unit 1302 is further configured to send, after obtaining the fifth identifier of the device, a second bootstrap request message to the bootstrap server function network element, where the second bootstrap request message includes the fifth identifier.
In one possible implementation, the first bootstrap request message includes first indication information, where the first indication information is used to instruct the bootstrap server function network element to generate a fifth identifier of the device.
In a possible implementation manner, the sending unit 1302 is further configured to initiate an application request message to a network application function network element after obtaining the first bootstrapping transaction identification information, where the application request message includes the first bootstrapping transaction identification information.
It should be noted that the implementation and beneficial effects of each unit may also correspond to the corresponding description of the method embodiment shown in fig. 5.
Referring to fig. 14, fig. 14 is an apparatus 1400 in a generic bootstrapping architecture provided by an embodiment of the present invention, the apparatus 1400 includes at least one processor 1401 and a transceiver 1403. Optionally, a memory 1402 is further included, and the processor 1401, memory 1402 and transceiver 1403 are interconnected by a bus 1404.
Memory 1402 includes, but is not limited to, random access memory (random access memory, RAM), read-only memory (ROM), erasable programmable read-only memory (erasable programmable read only memory, EPROM), or portable read-only memory (compact disc read-only memory, CD-ROM), which memory 1402 is used for relevant instructions and data. The transceiver 1403 is used to receive and transmit data.
The processor 1401 may be one or more central processing units (central processing unit, CPU), and in the case where the processor 1401 is one CPU, the CPU may be a single-core CPU or a multi-core CPU.
The processor 1401 in the apparatus 1400 is configured to read the computer program stored in the memory 1402, and perform the following operations:
Receiving, by the transceiver 1403, a first bootstrap request message from a terminal device, the first bootstrap request message including a first identification of the terminal device, the first identification being generated from a second identification of the terminal device and an identification protection key IPK;
generating a first request message, wherein the first request message comprises the first identification or the second identification;
transmitting the first request message to a home subscriber server network element through the transceiver 1403;
a first response message from the home subscriber server network element is received by the transceiver 1403, the first response message comprising a first authentication vector of the terminal device.
In a possible implementation, the first request message includes the second identifier, and the processor 1401 is further configured to decrypt the first identifier and obtain the second identifier before generating the first request message.
In one possible implementation, the first response message includes the second identification.
In a possible implementation manner, the processor 1401 is further configured to generate, after receiving, by the transceiver 1403, the first response message from the home subscriber server network element, a fifth identifier of the terminal device according to the second identifier, or according to the second identifier and a character for identifying 5G.
In a possible implementation, the processor 1401 is further configured to send, through the transceiver 1403, the fifth identifier to the terminal device; and/or receiving a second bootstrap request message from the terminal device through the transceiver 1403, the second bootstrap request message including the fifth identification; and determining the second identifier corresponding to the fifth identifier.
In a possible implementation, the processor 1401 is further configured to receive, through the transceiver 1403, first indication information, where the first indication information is used to instruct the device to generate the fifth identifier;
the processor 1401 is further configured to receive, through the transceiver 1403, a first response message from the home subscriber server network element, where the first response message includes the first indication information; or
the processor 1401 is further configured to receive, through the transceiver 1403, a first bootstrapping request message from the terminal device, where the first bootstrapping request message includes the first indication information.
In a possible implementation, the processor 1401 is further configured to generate first bootstrapping transaction identification information according to a character for identifying 5G, where the first bootstrapping transaction identification information is used to identify a bootstrapping transaction performed by the terminal device and the apparatus.
In a possible implementation, the processor 1401 is further configured to send, through the transceiver 1403, the first bootstrapping transaction identification information to the terminal device after generating the first bootstrapping transaction identification information according to the character used to identify 5G.
It should be noted that the implementation and beneficial effects of each operation may correspond to the corresponding description of the method embodiment shown in fig. 5.
Referring to fig. 15, fig. 15 is an apparatus 1500 in a generic bootstrapping architecture according to an embodiment of the present invention, the apparatus 1500 includes at least one processor 1501 and a transceiver 1503. Optionally, a memory 1502 is further included, where the processor 1501, the memory 1502 and the transceiver 1503 are interconnected by a bus 1504.
Memory 1502 includes, but is not limited to, random access memory (random access memory, RAM), read-only memory (ROM), erasable programmable read-only memory (erasable programmable read only memory, EPROM), or portable read-only memory (compact disc read-only memory, CD-ROM), with memory 1502 for associated instructions and data. The transceiver 1503 is used to receive and transmit data.
The processor 1501 may be one or more central processing units (central processing unit, CPU), and in the case where the processor 1501 is one CPU, the CPU may be a single-core CPU or a multi-core CPU.
The processor 1501 in the apparatus 1500 is configured to read the computer program stored in the memory 1502, and perform the following operations:
receiving, by the transceiver 1503, a first request message from a bootstrapping server function network element, where the first request message includes a first identifier of a terminal device or a second identifier of the terminal device, where the first identifier is generated according to the second identifier of the terminal device and an identifier protection key IPK;
and acquiring a first authentication vector of the terminal equipment according to the first identifier or the second identifier.
A first response message is sent to the bootstrapping server function network element through the transceiver 1503, the first response message comprising the first authentication vector.
In a possible implementation manner, the processor 1501 is configured to send, through the transceiver 1503, a second request message to a unified data management network element, where the second request message includes the first identifier or the second identifier, so that the unified data management network element generates a first authentication vector of the terminal device according to the first identifier or the second identifier; and receiving a second response message from the unified data management network element, wherein the second response message comprises the first authentication vector.
In one possible implementation, the second response message includes the second identification.
In a possible implementation manner, the first request message includes the second identifier, and the processor 1501 is configured to generate a first authentication vector of the terminal device according to the second identifier.
In a possible implementation manner, the first request message includes the first identifier, and the processor 1501 is configured to decrypt the first identifier and obtain the second identifier; and generating a first authentication vector of the terminal equipment according to the second identifier.
In a possible implementation manner, the processor 1501 is configured to decrypt the first identifier and obtain the second identifier; and sending, by the transceiver 1503, a second request message to a unified data management network element, where the second request message includes the second identifier, so that the unified data management network element generates a first authentication vector of the terminal device according to the second identifier.
In one possible implementation, the first response message includes the second identifier; and/or the first response message includes first indication information, where the first indication information is used to instruct the bootstrapping server function network element to generate a fifth identifier of the terminal device, and the fifth identifier is an identifier generated according to the second identifier or according to the second identifier and a character for identifying 5G.
It should be noted that the implementation and beneficial effects of each operation may also correspond to the corresponding description of the method embodiment shown in fig. 5.
Referring to fig. 16, fig. 16 is a device 1600 in a generic bootstrapping architecture according to an embodiment of the present invention, the device 1600 includes at least one processor 1601 and a transceiver 1603. Optionally, a memory 1602 is also included, the processor 1601, memory 1602, and transceiver 1603 being interconnected by a bus 1604.
Memory 1602 includes, but is not limited to, random access memory (random access memory, RAM), read-only memory (ROM), erasable programmable read-only memory (erasable programmable read only memory, EPROM), or portable read-only memory (compact disc read-only memory, CD-ROM), with memory 1602 for associated instructions and data. The transceiver 1603 is used to receive and transmit data.
The processor 1601 may be one or more central processing units (central processing unit, CPU), and in the case where the processor 1601 is one CPU, the CPU may be a single-core CPU or a multi-core CPU.
The processor 1601 in the apparatus 1600 is configured to read the computer program stored in the memory 1602, and perform the following operations:
Generating a first bootstrap request message including a first identification of the device, the first identification being generated from a second identification of the device and an identification protection key IPK;
transmitting the first bootstrap request message to a bootstrap server function network element via the transceiver 1603;
receiving, through the transceiver 1603, a bootstrapping response message from the bootstrapping server function network element, where the bootstrapping response message is used to request the apparatus to perform authentication;
and obtaining first bootstrapping transaction identification information and/or a fifth identifier of the apparatus, where the first bootstrapping transaction identification information is used to identify a bootstrapping transaction performed by the apparatus and the bootstrapping server function network element, and the fifth identifier is an identifier generated according to the second identifier or according to the second identifier and a character for identifying 5G.
In one possible implementation, the processor 1601 is configured to receive, through the transceiver 1603, the first bootstrapping transaction identification information and/or the fifth identifier of the apparatus from the bootstrapping server function network element.
In one possible implementation, the processor 1601 is configured to generate the first bootstrapping transaction identification information and/or the fifth identifier of the apparatus according to a character used to identify 5G.
In a possible implementation, the processor 1601 is further configured to send, after obtaining a fifth identifier of the apparatus, a second bootstrap request message to the bootstrap server function network element through the transceiver 1603, where the second bootstrap request message includes the fifth identifier.
In one possible implementation, the first bootstrap request message includes first indication information, where the first indication information is used to instruct the bootstrap server function network element to generate a fifth identifier of the device.
In a possible implementation, the processor 1601 is further configured to initiate, after obtaining the first bootstrapping transaction identification information, an application request message to a network application function network element through the transceiver 1603, where the application request message includes the first bootstrapping transaction identification information.
It should be noted that the implementation and beneficial effects of each operation may also correspond to the corresponding description of the method embodiment shown in fig. 5.
With reference to any one of the foregoing aspects or any one of the possible implementation manners of any one of the foregoing aspects, in a possible implementation manner, the second identifier includes one of a subscription permanent identifier SUPI of the terminal device, an internet protocol multimedia private identifier IMPI of the terminal device, an international mobile subscriber identity IMSI of the terminal device, and a general public subscription identifier GPSI of the terminal device.
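The following is an added, constructed simulation of the exchange described for the bootstrapping server function, home subscriber server and terminal above; it is not code from the patent or from 3GPP. The IPK cipher (a SHA-256 counter-mode keystream), the fifth identifier and transaction identifier layouts, the message field names and the value `bsf.example` are all placeholders, and both variants are shown: the bootstrapping server function holding IPK and decrypting itself, or forwarding the first identifier for the home subscriber server to decrypt.

```python
"""Constructed simulation of the identifier-protected bootstrapping flow above.
Added example, not the patent's or 3GPP's code; the cipher, identifier formats
and message layouts are placeholders chosen for illustration."""
import hashlib
import hmac
import os

TAG_5G = "5G"  # the page's "character for identifying 5G" (value assumed)
NONCE_LEN = 8


def _keystream(ipk: bytes, nonce: bytes, length: int) -> bytes:
    # Placeholder keystream (SHA-256 in counter mode); the page does not fix
    # the IPK scheme and a real deployment would use a standardised cipher.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ipk + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def protect_identifier(second_id: str, ipk: bytes, nonce: bytes = None) -> str:
    """First identifier = hex(nonce || second_id XOR keystream(IPK, nonce))."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    plain = second_id.encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(ipk, nonce, len(plain))))
    return (nonce + ct).hex()


def unprotect_identifier(first_id: str, ipk: bytes) -> str:
    """Inverse of protect_identifier; run by whichever element holds IPK."""
    raw = bytes.fromhex(first_id)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(ipk, nonce, len(ct)))).decode()


def generate_btid() -> str:
    # Constructed transaction identifier layout: 5G tag, random part, BSF name (assumed).
    return f"{TAG_5G}-{os.urandom(8).hex()}@bsf.example"


class HSS:
    """Home subscriber server: holds IPK and each subscriber's long-term key."""

    def __init__(self, ipk: bytes, subscribers: dict):
        self.ipk = ipk
        self.subscribers = subscribers  # second identifier -> long-term key K

    def handle_first_request(self, req: dict) -> dict:
        # The first request carries either the clear second identifier or the
        # protected first identifier, which the HSS then decrypts itself.
        second_id = req.get("second_id") or unprotect_identifier(req["first_id"], self.ipk)
        rand = os.urandom(16)
        mac = hmac.new(self.subscribers[second_id], rand, hashlib.sha256).digest()[:8]
        # First response: authentication vector (constructed stand-in), the second
        # identifier, and the indication that the BSF should generate a fifth identifier.
        return {"av": {"rand": rand, "mac": mac}, "second_id": second_id, "indication": True}


class BSF:
    """Bootstrapping server function; may or may not hold IPK itself."""

    def __init__(self, hss: HSS, ipk: bytes = None):
        self.hss = hss
        self.ipk = ipk  # None: BSF forwards the first identifier undecrypted
        self.fifth_to_second = {}  # fifth identifier -> second identifier
        self.pseudonym_key = os.urandom(16)

    def generate_fifth_identifier(self, second_id: str) -> str:
        # Constructed pseudonym keyed by a BSF secret, so later bootstrapping
        # requests never carry the permanent identifier again.
        tag = hmac.new(self.pseudonym_key, second_id.encode(), hashlib.sha256).hexdigest()[:16]
        fifth_id = f"{TAG_5G}-{tag}"
        self.fifth_to_second[fifth_id] = second_id
        return fifth_id

    def handle_first_bootstrap_request(self, req: dict) -> dict:
        if self.ipk is not None:  # first request carries the second identifier
            first_req = {"second_id": unprotect_identifier(req["first_id"], self.ipk)}
        else:  # first request carries the first identifier; the HSS decrypts
            first_req = {"first_id": req["first_id"]}
        resp = self.hss.handle_first_request(first_req)
        fifth_id = None
        if resp.get("indication") or req.get("indication"):
            fifth_id = self.generate_fifth_identifier(resp["second_id"])
        return {"av": resp["av"], "btid": generate_btid(), "fifth_id": fifth_id}

    def handle_second_bootstrap_request(self, req: dict) -> str:
        """Second bootstrapping request: map the fifth identifier back."""
        return self.fifth_to_second[req["fifth_id"]]


def run_flow(bsf_holds_ipk: bool, second_id: str = "imsi-001010123456789") -> dict:
    """Drive one exchange (terminal side inlined) and return the observable results."""
    ipk = hashlib.sha256(b"constructed-ipk").digest()
    hss = HSS(ipk, {second_id: hashlib.sha256(b"constructed-K").digest()})
    bsf = BSF(hss, ipk if bsf_holds_ipk else None)
    first_id = protect_identifier(second_id, ipk)
    resp = bsf.handle_first_bootstrap_request({"first_id": first_id, "indication": True})
    resolved = bsf.handle_second_bootstrap_request({"fifth_id": resp["fifth_id"]})
    return {"first_id": first_id, "fifth_id": resp["fifth_id"], "btid": resp["btid"],
            "resolved_second_id": resolved, "av_rand_len": len(resp["av"]["rand"])}
```

The point to check on the returned dict is that neither the first identifier on the wire nor the fifth identifier reused in the second request reveals the permanent identifier, while the BSF still resolves the fifth identifier back to it.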
The embodiment of the application also provides a chip system, which comprises at least one processor, a memory and an interface circuit, wherein the memory, the transceiver and the at least one processor are interconnected through lines, and instructions are stored in the at least one memory; the method flow shown in fig. 5 is implemented when the instructions are executed by the processor.
The embodiment of the application further provides a computer readable storage medium, in which instructions are stored, and when the computer readable storage medium runs on a bootstrap server function network element/home subscriber server network element/terminal device, the method flow shown in fig. 5 is implemented.
The embodiment of the present application further provides a computer program product, where the method flow shown in fig. 5 is implemented when the computer program product runs on a bootstrap server function network element/home subscriber server network element/terminal device.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above-described method embodiments may be implemented by a computer program instructing related hardware; the program may be stored in a computer readable storage medium and, when executed, performs the steps of the above-described method embodiments. The aforementioned storage medium includes: a ROM, a random access memory RAM, a magnetic disk, an optical disk, and the like.

Claims (49)

  1. A method in a generic bootstrapping architecture, comprising:
    a bootstrapping server function network element receives a first bootstrapping request message from a terminal device, wherein the first bootstrapping request message comprises a first identifier of the terminal device, and the first identifier is generated according to a second identifier of the terminal device and an identifier protection key IPK;
    the bootstrapping server function network element generates a first request message, wherein the first request message comprises the first identifier or the second identifier;
    the bootstrapping server function network element sends the first request message to a home subscriber server network element;
    the bootstrapping server function network element receives a first response message from the home subscriber server network element, the first response message comprising a first authentication vector of the terminal device.
  2. The method according to claim 1, wherein the second identity comprises any one of a subscription permanent identity SUPI of the terminal device, an internet protocol multimedia private identity IMPI of the terminal device, an international mobile subscriber identity IMSI of the terminal device, a general public subscription identity GPSI of the terminal device.
  3. The method according to claim 1 or 2, wherein the first request message comprises the second identity, the method further comprising, before the bootstrapping server function network element generates the first request message:
    the bootstrapping server function network element decrypts the first identifier and acquires the second identifier.
  4. A method according to any one of claims 1 to 3, wherein
    the first response message includes the second identification.
  5. The method according to any of claims 1-4, wherein after the bootstrapping server function network element receives the first response message from the home subscriber server network element, the method further comprises:
    the bootstrapping server function network element generates a fifth identifier of the terminal device according to the second identifier or according to the second identifier and the character for identifying 5G.
  6. The method of claim 5, wherein the method further comprises:
    the bootstrapping server function network element sends the fifth identifier to the terminal device; and/or
    the bootstrapping server function network element receives a second bootstrapping request message from the terminal device, wherein the second bootstrapping request message comprises the fifth identifier;
    the bootstrapping server function network element determines the second identifier corresponding to the fifth identifier.
  7. The method according to claim 5 or 6, characterized in that the method further comprises:
    the bootstrapping server function network element receives first indication information, wherein the first indication information is used for instructing the bootstrapping server function network element to generate the fifth identifier;
    wherein the bootstrapping server function network element receiving the first indication information comprises:
    the bootstrapping server function network element receives a first response message from the home subscriber server network element, wherein the first response message comprises the first indication information; or
    the bootstrapping server function network element receives a first bootstrapping request message from the terminal device, wherein the first bootstrapping request message comprises the first indication information.
  8. The method according to any one of claims 1-7, further comprising:
    the bootstrapping server function network element generates first bootstrapping transaction identification information according to the character for identifying 5G, wherein the first bootstrapping transaction identification information is used for identifying a bootstrapping transaction performed by the terminal device and the bootstrapping server function network element.
  9. The method of claim 8, wherein after the bootstrapping server function network element generates the first bootstrapping transaction identification information according to the character used to identify 5G, the method further comprises:
    the bootstrapping server function network element sends the first bootstrapping transaction identification information to the terminal device.
  10. A method in a generic bootstrapping architecture, comprising:
    the home subscriber server network element receives a first request message from a guide server function network element, wherein the first request message comprises a first identifier of terminal equipment or a second identifier of the terminal equipment, and the first identifier is generated according to the second identifier of the terminal equipment and an identifier protection key IPK;
    the home subscriber server network element obtains a first authentication vector of the terminal equipment according to the first identifier or the second identifier;
    the home subscriber server network element sends a first response message to the bootstrapping server function network element, the first response message comprising the first authentication vector.
  11. The method according to claim 10, wherein the second identity comprises one of a subscription permanent identity SUPI of the terminal device, an internet protocol multimedia private identity IMPI of the terminal device, an international mobile subscriber identity IMSI of the terminal device, a general public subscription identity GPSI of the terminal device.
  12. The method according to claim 10 or 11, wherein the home subscriber server network element obtaining the first authentication vector of the terminal device according to the first identity or the second identity comprises:
    the home subscriber server network element sends a second request message to a unified data management network element, wherein the second request message comprises the first identifier or the second identifier, so that the unified data management network element generates a first authentication vector of the terminal equipment according to the first identifier or the second identifier;
    the home subscriber server network element receives a second response message from the unified data management network element, the second response message comprising the first authentication vector.
  13. The method according to claim 12, wherein
    the second response message includes the second identification.
  14. The method according to claim 10 or 11, wherein the first request message comprises the second identification,
    the home subscriber server network element obtains a first authentication vector of the terminal equipment according to the second identifier, and the method comprises the following steps:
    and the home subscriber server network element generates a first authentication vector of the terminal equipment according to the second identifier.
  15. The method according to claim 10 or 11, wherein the first request message comprises the first identity, and wherein the home subscriber server network element obtains a first authentication vector of the terminal device according to the first identity, comprising:
    the home subscriber server network element decrypts the first identifier to obtain the second identifier;
    and the home subscriber server network element generates a first authentication vector of the terminal equipment according to the second identifier.
  16. The method according to claim 10 or 11, wherein the home subscriber server network element obtaining the first authentication vector of the terminal device according to the first identity or the second identity comprises:
    the home subscriber server network element decrypts the first identifier to obtain the second identifier;
    the home subscriber server network element sends a second request message to the unified data management network element, wherein the second request message comprises the second identifier, so that the unified data management network element generates a first authentication vector of the terminal equipment according to the second identifier.
  17. The method according to any one of claims 10 to 16, wherein,
    The first response message includes the second identification; and/or
    The first response message includes first indication information, where the first indication information is used to instruct the bootstrap server function network element to generate a fifth identifier of the terminal device, where the fifth identifier is an identifier generated according to the second identifier, or according to the second identifier and a character used to identify 5G.
  18. A method in a generic bootstrapping architecture, comprising:
    a terminal device generates a first bootstrapping request message, wherein the first bootstrapping request message comprises a first identifier of the terminal device, and the first identifier is generated according to a second identifier of the terminal device and an identifier protection key IPK;
    the terminal device sends the first bootstrapping request message to a bootstrapping server function network element;
    the terminal device receives a bootstrapping response message from the bootstrapping server function network element, wherein the bootstrapping response message is used for requesting the terminal device to perform authentication;
    the terminal device acquires first bootstrapping transaction identification information and/or a fifth identifier of the terminal device, wherein the first bootstrapping transaction identification information is used for identifying a bootstrapping transaction performed by the terminal device and the bootstrapping server function network element, and the fifth identifier is an identifier generated according to the second identifier or according to the second identifier and a character for identifying 5G.
  19. The method of claim 18, wherein the second identity comprises one of a subscription permanent identity, SUPI, an internet protocol multimedia private identity, IMPI, of the terminal device, an international mobile subscriber identity, IMSI, of the terminal device, and a generic public subscription identity, GPSI, of the terminal device.
  20. Method according to claim 18 or 19, wherein the terminal device obtains first guided transaction identification information and/or a fifth identification of the terminal device, comprising:
    the terminal device receives the first guided transaction identification information and/or the fifth identification of the terminal device from the guiding server function network element.
  21. Method according to claim 18 or 19, wherein the terminal device obtains first guided transaction identification information and/or a fifth identification of the terminal device, comprising:
    the terminal equipment generates the first guide transaction identification information and/or a fifth identification of the terminal equipment according to the character for identifying 5G.
  22. The method according to claim 20 or 21, wherein after the terminal device obtains the fifth identification of the terminal device, the method further comprises:
    And the terminal equipment sends a second guiding request message to the guiding server function network element, wherein the second guiding request message comprises the fifth identifier.
  23. The method according to any one of claims 18 to 22, wherein,
    the first bootstrap request message includes first indication information, where the first indication information is used to instruct the bootstrap server functional network element to generate a fifth identifier of the terminal device.
  24. The method according to any of claims 18-23, wherein after the terminal device obtains the first guided transaction identification information, the method further comprises:
    the terminal equipment initiates an application request message to network application function equipment, wherein the application request message comprises the first guided transaction identification information.
  25. An apparatus in a generic bootstrapping architecture, comprising:
    a receiving unit, configured to receive a first bootstrapping request message from a terminal device, where the first bootstrapping request message includes a first identifier of the terminal device, and the first identifier is generated according to a second identifier of the terminal device and an identifier protection key (IPK);
    a processing unit, configured to generate a first request message, where the first request message includes the first identifier or the second identifier; and
    a sending unit, configured to send the first request message to a home subscriber server network element,
    where the receiving unit is further configured to receive a first response message from the home subscriber server network element, and the first response message includes a first authentication vector of the terminal device.
  26. The apparatus according to claim 25, wherein the second identifier is one of a subscription permanent identifier (SUPI) of the terminal device, an IP multimedia private identity (IMPI) of the terminal device, an international mobile subscriber identity (IMSI) of the terminal device, and a generic public subscription identifier (GPSI) of the terminal device.
  27. The apparatus according to claim 25 or 26, wherein
    the processing unit is further configured to decrypt the first identifier to obtain the second identifier.
  28. The apparatus according to any one of claims 25 to 27, wherein the first response message includes the second identifier.
  29. The apparatus according to any one of claims 25 to 28, wherein
    the processing unit is further configured to generate a fifth identifier of the terminal device according to the second identifier, or according to the second identifier and a character used to identify 5G.
  30. The apparatus according to any one of claims 25 to 29, wherein the sending unit is further configured to send the fifth identifier to the terminal device; and/or
    the receiving unit is further configured to receive a second bootstrapping request message from the terminal device, where the second bootstrapping request message includes the fifth identifier; and
    the processing unit is further configured to determine the second identifier corresponding to the fifth identifier.
  31. The apparatus according to claim 30, wherein the receiving unit is further configured to receive first indication information, where the first indication information is used to instruct the bootstrapping server function network element to generate the fifth identifier, and:
    the receiving unit is further configured to receive a first response message from the home subscriber server network element, where the first response message includes the first indication information; or
    the receiving unit is further configured to receive a first bootstrapping request message from the terminal device, where the first bootstrapping request message includes the first indication information.
  32. The apparatus according to any one of claims 25 to 31, wherein
    the processing unit is further configured to generate first bootstrapping transaction identification information according to the character used to identify 5G, where the first bootstrapping transaction identification information is used to identify a bootstrapping transaction performed between the terminal device and the bootstrapping server function network element.
  33. The apparatus according to claim 32, wherein
    the sending unit is further configured to send the first bootstrapping transaction identification information to the terminal device after the first bootstrapping transaction identification information is generated according to the character used to identify 5G.
  34. An apparatus in a generic bootstrapping architecture, comprising:
    a receiving unit, configured to receive a first request message from a bootstrapping server function network element, where the first request message includes a first identifier of a terminal device or a second identifier of the terminal device, and the first identifier is generated according to the second identifier of the terminal device and an identifier protection key (IPK);
    a processing unit, configured to obtain a first authentication vector of the terminal device according to the first identifier or the second identifier; and
    a sending unit, configured to send a first response message to the bootstrapping server function network element, where the first response message includes the first authentication vector.
  35. The apparatus according to claim 34, wherein the second identifier is one of a subscription permanent identifier (SUPI) of the terminal device, an IP multimedia private identity (IMPI) of the terminal device, an international mobile subscriber identity (IMSI) of the terminal device, and a generic public subscription identifier (GPSI) of the terminal device.
  36. The apparatus according to claim 34 or 35, wherein
    the sending unit is further configured to send a second request message to a unified data management network element, where the second request message includes the first identifier or the second identifier, so that the unified data management network element generates the first authentication vector of the terminal device according to the first identifier or the second identifier; and
    the receiving unit is further configured to receive a second response message from the unified data management network element, where the second response message includes the first authentication vector.
  37. The apparatus according to claim 36, wherein
    the second response message includes the second identifier.
  38. The apparatus according to claim 34 or 35, wherein the first request message includes the second identifier, and
    the processing unit is further configured to generate the first authentication vector of the terminal device according to the second identifier.
  39. The apparatus according to claim 34 or 35, wherein the first request message includes the first identifier, and
    the processing unit is further configured to decrypt the first identifier to obtain the second identifier, and to generate the first authentication vector of the terminal device according to the second identifier.
  40. The apparatus according to claim 34 or 35, wherein
    the processing unit is further configured to decrypt the first identifier to obtain the second identifier; and
    the sending unit is further configured to send a second request message to a unified data management network element, where the second request message includes the second identifier, so that the unified data management network element generates the first authentication vector of the terminal device according to the second identifier.
  41. The apparatus according to any one of claims 34 to 40, wherein
    the first response message includes the second identifier; and/or
    the first response message includes first indication information, where the first indication information is used to instruct the bootstrapping server function network element to generate a fifth identifier of the terminal device, and the fifth identifier is generated according to the second identifier, or according to the second identifier and a character used to identify 5G.
  42. An apparatus in a generic bootstrapping architecture, comprising:
    a processing unit, configured to generate a first bootstrapping request message, where the first bootstrapping request message includes a first identifier of the apparatus, and the first identifier is generated according to a second identifier of the apparatus and an identifier protection key (IPK);
    a sending unit, configured to send the first bootstrapping request message to a bootstrapping server function network element; and
    a receiving unit, configured to receive a bootstrapping response message from the bootstrapping server function network element, where the bootstrapping response message is used to request the apparatus to perform authentication,
    where the processing unit is further configured to obtain first bootstrapping transaction identification information and/or a fifth identifier of the apparatus, the first bootstrapping transaction identification information is used to identify a bootstrapping transaction performed between the apparatus and the bootstrapping server function network element, and the fifth identifier is generated according to the second identifier, or according to the second identifier and a character used to identify 5G.
  43. The apparatus according to claim 42, wherein
    the second identifier is one of a subscription permanent identifier (SUPI) of the apparatus, an IP multimedia private identity (IMPI) of the apparatus, an international mobile subscriber identity (IMSI) of the apparatus, and a generic public subscription identifier (GPSI) of the apparatus.
  44. The apparatus according to claim 42 or 43, wherein
    the receiving unit is further configured to receive the first bootstrapping transaction identification information and/or the fifth identifier of the apparatus from the bootstrapping server function network element.
  45. The apparatus according to claim 42 or 43, wherein
    the processing unit is further configured to generate the first bootstrapping transaction identification information and/or the fifth identifier of the apparatus according to the character used to identify 5G.
  46. The apparatus according to claim 44 or 45, wherein
    the sending unit is further configured to send a second bootstrapping request message to the bootstrapping server function network element after the fifth identifier of the apparatus is obtained, where the second bootstrapping request message includes the fifth identifier.
  47. The apparatus according to any one of claims 42 to 46, wherein
    the first bootstrapping request message includes first indication information, where the first indication information is used to instruct the bootstrapping server function network element to generate the fifth identifier of the apparatus.
  48. The apparatus according to any one of claims 42 to 47, wherein
    the sending unit is further configured to send an application request message to a network application function network element after the first bootstrapping transaction identification information is obtained, where the application request message includes the first bootstrapping transaction identification information.
  49. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when run, implements the method of any one of claims 1 to 24.
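The exchange that claims 18 to 48 describe, played out from all three sides (terminal device, BSF, HSS), as an added example that is not part of the patent and not 3GPP code: the terminal conceals its second identifier (here a SUPI) under the IPK to form the first identifier, the BSF forwards it to the HSS, the HSS decrypts it and returns the authentication vector together with the second identifier and the indication to generate a fifth identifier, the BSF derives the B-TID and the fifth identifier from the "character used to identify 5G" and challenges the terminal, and a second bootstrapping request then carries the fifth identifier, which the BSF maps back to the second identifier before querying the HSS. Everything concrete is an assumption: the HMAC-based encrypt-then-MAC standing in for whatever cipher the IPK really drives, the simplified authentication vector (an HMAC of RAND under the long-term key, not 5G AKA), the B-TID form base64(RAND)@5G.<BSF domain> (TS 33.220 specifies base64(RAND)@<BSF domain>; where the 5G tag goes is not fixed by the claims), the fifth-identifier form 5G-<SUPI>@<BSF domain>, the domain bsf.example.net, and the constructed SUPI and keys.

```python
"""Simulated run of the bootstrapping exchange in the claims (added example, stdlib only).
Roles: UE (terminal device), BSF and HSS. Keys and identifiers are constructed; the IPK
encryption, the authentication vector and the B-TID / fifth-identifier formats are
assumptions standing in for the operator's real choices, not 3GPP algorithms."""
import base64
import hashlib
import hmac
import secrets

FIVE_G_TAG = "5G"  # assumed value of the "character used to identify 5G"


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, used only because the stdlib ships no AES
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def conceal(ipk: bytes, second_id: str) -> str:
    """First identifier: encrypt-then-MAC of the second identifier under the IPK. The fresh
    nonce makes each run's value different, so Ub never carries a stable identifier."""
    nonce, pt = secrets.token_bytes(12), second_id.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ipk, nonce, len(pt))))
    tag = hmac.new(ipk, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def reveal(ipk: bytes, first_id: str) -> str:
    """HSS side: verify the tag before decrypting, so a forged or bit-flipped first
    identifier is rejected rather than resolved to some other subscriber."""
    raw = base64.urlsafe_b64decode(first_id)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expected = hmac.new(ipk, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("first identifier failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ipk, nonce, len(ct)))).decode()


class HSS:
    def __init__(self, ipk: bytes, subscribers: dict):
        self.ipk, self.subscribers = ipk, subscribers  # second identifier -> long-term key K

    def handle(self, first_id=None, second_id=None) -> dict:
        # first request message carries either identifier (claims 34, 38, 39); the response
        # carries the AV, the second identifier and the "generate fifth identifier" flag (41)
        if second_id is None:
            second_id = reveal(self.ipk, first_id)
        rand = secrets.token_bytes(16)
        xres = hmac.new(self.subscribers[second_id], b"RES" + rand, hashlib.sha256).digest()[:8]
        return {"rand": rand, "xres": xres, "second_id": second_id, "gen_fifth": True}


class BSF:
    def __init__(self, hss: HSS, domain: str):
        self.hss, self.domain = hss, domain
        self.fifth_to_second, self.pending = {}, {}  # claim 30 mapping; B-TID -> XRES

    def handle_bootstrap(self, req: dict) -> dict:
        if "fifth_id" in req:  # second bootstrapping request (claim 30)
            second_id = self.fifth_to_second.get(req["fifth_id"])
            if second_id is None:
                raise ValueError("unknown fifth identifier")
            resp = self.hss.handle(second_id=second_id)
        else:  # first bootstrapping request (claim 25)
            resp = self.hss.handle(first_id=req["first_id"])
        # assumed formats: B-TID = base64(RAND)@<5G tag>.<BSF domain> (TS 33.220 uses
        # base64(RAND)@<BSF domain>); fifth identifier = <5G tag>-<second id>@<BSF domain>
        b_tid = base64.b64encode(resp["rand"]).decode() + f"@{FIVE_G_TAG}.{self.domain}"
        fifth = f"{FIVE_G_TAG}-{resp['second_id']}@{self.domain}" if resp["gen_fifth"] else None
        if fifth:
            self.fifth_to_second[fifth] = resp["second_id"]
        self.pending[b_tid] = resp["xres"]
        return {"rand": resp["rand"], "b_tid": b_tid, "fifth_id": fifth}  # bootstrapping response

    def verify(self, b_tid: str, res: bytes) -> bool:
        return hmac.compare_digest(self.pending.pop(b_tid), res)


class UE:
    def __init__(self, second_id: str, k: bytes, ipk: bytes):
        self.second_id, self.k, self.ipk, self.fifth_id = second_id, k, ipk, None

    def bootstrap(self, bsf: BSF) -> str:
        # returns the B-TID the UE later puts in its application request to the NAF (claim 24)
        req = ({"fifth_id": self.fifth_id} if self.fifth_id
               else {"first_id": conceal(self.ipk, self.second_id)})
        resp = bsf.handle_bootstrap(req)
        res = hmac.new(self.k, b"RES" + resp["rand"], hashlib.sha256).digest()[:8]
        if not bsf.verify(resp["b_tid"], res):
            raise RuntimeError("authentication failed")
        self.fifth_id = resp["fifth_id"]
        return resp["b_tid"]


def run_demo() -> dict:
    ipk, k = secrets.token_bytes(32), secrets.token_bytes(16)
    supi = "imsi-460001234567890"  # constructed SUPI
    bsf = BSF(HSS(ipk, {supi: k}), "bsf.example.net")
    ue = UE(supi, k, ipk)
    first_ids = [conceal(ipk, supi) for _ in range(3)]
    b_tid1 = ue.bootstrap(bsf)  # first run: concealed identifier on Ub
    b_tid2 = ue.bootstrap(bsf)  # second run: fifth identifier on Ub
    return {"first_ids_distinct": len(set(first_ids)) == 3,
            "supi_in_clear": any(supi.encode() in base64.urlsafe_b64decode(f) for f in first_ids),
            "fifth_id": ue.fifth_id, "b_tid1": b_tid1, "b_tid2": b_tid2}
```

Two checks in the block are the ones a reviewer of such a scheme would want. The first identifier is randomised per run, so the same subscriber's repeated bootstrapping requests do not carry a stable value on Ub (run_demo reports three distinct first identifiers for one SUPI, none containing the SUPI bytes), and the HSS verifies the tag before decrypting, so a modified first identifier fails instead of resolving to another subscriber's record. The fifth identifier, being derived deterministically from the second identifier, is a stable per-subscriber pseudonym: it keeps the SUPI itself off the interface but does not prevent linking a subscriber's later runs, a trade-off the claims leave to the operator.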
CN202080104200.5A 2020-08-07 2020-08-07 Method and related device in universal guide architecture Pending CN116097690A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/107992 WO2022027674A1 (en) 2020-08-07 2020-08-07 Method for generic bootstrapping architecture and related apparatus

Publications (1)

Publication Number Publication Date
CN116097690A true CN116097690A (en) 2023-05-09

Family

ID=80118604

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080104200.5A Pending CN116097690A (en) 2020-08-07 2020-08-07 Method and related device in universal guide architecture

Country Status (2)

Country Link
CN (1) CN116097690A (en)
WO (1) WO2022027674A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116472731A (en) * 2023-02-19 2023-07-21 北京小米移动软件有限公司 Message verification method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039181B (en) * 2006-03-14 2010-09-08 华为技术有限公司 Method for preventing service function entity of general authentication framework from attack
US8661257B2 (en) * 2010-05-18 2014-02-25 Nokia Corporation Generic bootstrapping architecture usage with Web applications and Web pages
FR3077175A1 (en) * 2018-01-19 2019-07-26 Orange TECHNIQUE FOR DETERMINING A KEY FOR SECURING COMMUNICATION BETWEEN USER EQUIPMENT AND AN APPLICATION SERVER
CN110831002B (en) * 2018-08-10 2021-12-03 华为技术有限公司 Method and device for key deduction and computing storage medium
CN111147421B (en) * 2018-11-02 2023-06-16 中兴通讯股份有限公司 Authentication method based on general guide architecture GBA and related equipment

Also Published As

Publication number Publication date
WO2022027674A1 (en) 2022-02-10

Similar Documents

Publication Publication Date Title
CN110971415B (en) Space-ground integrated space information network anonymous access authentication method and system
JP6778843B2 (en) Subscription concealment identifier
US10284555B2 (en) User equipment credential system
EP2037621B1 (en) Method and device for deriving local interface key
EP3668042B1 (en) Registration method and apparatus based on service-oriented architecture
EP2416540B1 (en) Using a trusted-platform-based shared-secret derivation and WWAN infrastructure-based enrollment to establish a secure local channel
JP5579872B2 (en) Secure multiple UIM authentication and key exchange
KR100520116B1 (en) A method for discributing the key to mutual nodes to code a key on mobile ad-hoc network and network device using thereof
EP2248317B1 (en) Secure bootstrapping architecture method based on password-based digest authentication
CN111327583B (en) Identity authentication method, intelligent equipment and authentication server
KR101982237B1 (en) Method and system for data sharing using attribute-based encryption in cloud computing
BRPI0617286A2 (en) methods for establishing a security association between a service node and a client, for establishing a security association between first and second clients, and for protecting a node against replay attacks, service node, client endpoint, and code generation
KR102632519B1 (en) Method for determining keys to secure communication between user device and application server
CN108012266B (en) Data transmission method and related equipment
CN104756458A (en) Method and apparatus for securing a connection in a communications network
WO2020151581A1 (en) Method and apparatus for generating key
CN101087261A (en) Method, device and system for realizing push function based on general guiding architecture
CN116097690A (en) Method and related device in universal guide architecture
CN111836260A (en) Authentication information processing method, terminal and network equipment
EP4191904A1 (en) Algorithm negotiation method in generic bootstrapping architecture and related apparatus
CN112839329B (en) Verification method, device, equipment and computer readable storage medium
EP4270856A1 (en) Identity authentication method and apparatus, and device, chip, storage medium and program
WO2022178890A1 (en) Key transmission method and apparatus
CN114079924A (en) Message processing method and device, related equipment and storage medium
CN113556736A (en) Access method, server, terminal to be accessed, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination