CN116456451A

CN116456451A - Data acquisition method, system, related network element, edge node and storage medium

Info

Publication number: CN116456451A
Application number: CN202210009615.5A
Authority: CN
Inventors: 宋琪; 李铖阳; 童贞; 王震; 曾熙
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Chengdu ICT Co Ltd
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Chengdu ICT Co Ltd
Priority date: 2022-01-06
Filing date: 2022-01-06
Publication date: 2023-07-18

Abstract

The application discloses a data acquisition method, a system, a related network element and a storage medium, wherein the data acquisition method applied to an AMF network element of a private network comprises the following steps: under the condition that the communication between the private network and the public network is interrupted, acquiring authentication parameters from a set core network element of the private network; the set core network element is used for carrying out hot backup on authentication related information in the Unified Data Management (UDM) network element of the public network, and has the capability of authenticating terminal equipment.

Description

Data acquisition method, system, related network element, edge node and storage medium

Technical Field

The present disclosure relates to the field of communications technologies, and in particular, to a data acquisition method, a system, a related network element, and a storage medium.

Background

In the related art, in a fifth Generation mobile communication technology (5 th-Generation, 5G) public network (macro network) of an operator, a main core network element and a standby core network element are set, so that data stored in the main core network element is backed up through the standby core network element. However, when the 5G public network of the operator fails, since the main core network element and the standby core network element in the public network are unavailable, communication between the local 5G private network and the 5G public network is interrupted, so that the terminal equipment in the 5G private network cannot use the 5G network for communication.

Disclosure of Invention

In order to solve the related technical problems, embodiments of the present application provide a data acquisition method, a system, a related network element, an edge node, and a storage medium.

The technical scheme of the embodiment of the application is realized as follows:

the embodiment of the application provides a data acquisition method, which is applied to an AMF network element of a private network, and comprises the following steps:

under the condition that the communication between the private network and the public network is interrupted, acquiring authentication parameters from a set core network element of the private network; wherein,,

the set core network element is used for carrying out hot backup on authentication related information in the UDM network element of the public network, and has the capability of authenticating terminal equipment.

In the above scheme, the method further comprises:

and under the condition that the communication between the private network and the public network is interrupted, enabling the capability of the set core network element of the private network to authenticate the terminal equipment.

In the above scheme, the authentication parameter includes a 5G authentication vector; the obtaining the authentication parameter from the set core network element of the private network includes:

receiving a registration request sent by terminal equipment;

based on the registration request, a first authentication request is sent to a set core network element of the private network;

and receiving a 5G authentication vector about the first authentication request sent by a set core network element of the private network.

In the above scheme, the authentication parameter further includes SUPI; the method further comprises the steps of:

and under the condition that the communication between the private network and the public network is interrupted, receiving SUPI of the terminal equipment sent by a set core network element of the private network.

In the above solution, after the receiving the 5G authentication vector about the first authentication request sent by the set core network element of the private network, the method further includes:

generating a security context identifier corresponding to the terminal equipment;

transmitting the second authentication request to the terminal equipment based on the received 5G authentication vector; wherein,,

the second authentication request carries the security context identifier; the security context identifier is used for indicating that the AMF network element of the private network and the terminal equipment do not need re-authentication when data interaction is performed.

In the above scheme, the method further comprises:

under the condition that the communication between the private network and the public network is not interrupted, acquiring authentication parameters from the UDM network element of the public network through the AUSF network element of the public network.

The embodiment of the application also provides a data acquisition method applied to the setting core network element of the private network, which comprises the following steps:

under the condition that communication between the private network and the public network is not interrupted, carrying out hot backup on authentication related information in a UDM network element of the public network;

And feeding back authentication parameters to an AMF network element of the private network under the condition that communication between the private network and the public network is interrupted.

In the above scheme, the authentication parameter includes a 5G authentication vector; the feeding back authentication parameters to the AMF network element of the private network comprises the following steps:

based on a first authentication request sent by an AMF network element of the private network, sending a 5G authentication vector related to the first authentication request to the AMF network element of the private network; wherein,,

the first authentication request is sent in case of receiving a registration request sent by the terminal device.

In the above scheme, the setting core network element of the private network includes an authentication server function AUSF network element and a UDM network element; the sending, by the dedicated network based on the first authentication request sent by the AMF network element of the dedicated network, a 5G authentication vector related to the first authentication request to the AMF network element of the dedicated network includes:

the AUSF network element of the private network receives a first authentication request sent by the AMF network element of the private network, and sends an authentication parameter acquisition request to the UDM network element of the private network based on the first authentication request;

the UDM network element of the private network constructs a 5G attribution environment authentication vector based on the authentication parameter acquisition request, and sends a response message to the AUSF network element of the private network, wherein the response message carries the 5G attribution environment authentication vector;

And the AUSF network element of the private network constructs a 5G authentication vector based on the 5G home environment authentication vector carried by the response message, and sends the 5G authentication vector about the first authentication request to the AMF network element of the private network.

In the scheme, the 5G home environment authentication vector comprises a random number, an authentication token, expected response parameters and an intermediate key; the AUSF network element of the private network constructs a 5G authentication vector based on the 5G home environment authentication vector carried by the response message, which comprises the following steps:

the AUSF network element of the private network calculates a first hash value based on expected response parameters in the 5G home environment authentication vector, and calculates an anchor key based on an intermediate key in the 5G home environment authentication vector;

and the AUSF network element of the private network replaces the expected response parameter in the 5G home environment authentication vector with the calculated first hash value, and replaces the intermediate key in the 5G home environment authentication vector with the calculated anchor key to obtain the 5G authentication vector.

In the above scheme, the authentication parameter obtaining request carries a user hidden identifier sui of the terminal device, and the response message also carries the sui of the terminal device.

In the above scheme, the authentication parameter includes SUPI; the method further comprises the steps of:

And under the condition that the private network and the public network are interrupted in communication and the authentication of the attribution of the terminal equipment is successful, the AUSF network element of the private network sends the SUPI of the terminal equipment to the AMF network element of the private network.

In the above scheme, the method further comprises:

the AUSF network element of the private network stores expected response parameters in the 5G home environment authentication vector in association with at least one of:

the authentication parameter obtains the SUCI carried by the request;

SUPI carried by the response message;

the intermediate key in the 5G home environment authentication vector.

The embodiment of the application also provides a data acquisition system, which comprises:

the AMF network element of the private network is used for requesting to acquire authentication parameters from the UDM network element of the private network under the condition that the communication between the private network and the public network is interrupted;

and the setting core network element of the private network is used for carrying out hot backup on authentication related information in the UDM network element of the public network and providing authentication parameters for the AMF network element of the private network under the condition that communication between the private network and the public network is interrupted.

In the above solution, the AMF network element of the private network is further configured to: and under the condition that the communication between the private network and the public network is interrupted, enabling the authentication capability of the UDM network element of the private network to the terminal equipment.

In the above scheme, the AMF network element of the private network is specifically configured to send a first authentication request to a setting core network element of the private network based on a registration request sent by a terminal device, and receive a 5G authentication vector sent by the setting core network element of the private network with respect to the first authentication request;

the setting core network element of the private network is specifically configured to send a 5G authentication vector related to the first authentication request to an AMF network element of the private network.

In the above solution, the setting core network element of the private network includes:

an AUSF network element, configured to receive a first authentication request sent by an AMF network element of the private network, and send an authentication parameter acquisition request to a UDM network element of the private network based on the first authentication request; and under the condition of receiving a response message sent by the UDM network element of the private network, constructing a 5G authentication vector based on a 5G home environment authentication vector carried by the response message, and sending the 5G authentication vector about the first authentication request to an AMF network element of the private network;

and the UDM network element is used for constructing a 5G home environment authentication vector based on the authentication parameter acquisition request, and sending a response message to the AUSF network element of the private network, wherein the response message carries the 5G home environment authentication vector.

In the above solution, the AMF network element of the private network is further configured to:

sending a second authentication request to the terminal equipment based on the received 5G authentication vector; wherein,,

In the above scheme, the authentication parameter obtaining request carries the sui of the terminal device, and the response message also carries the sui of the terminal device;

the AUSF network element of the private network is further configured to: under the condition that the authentication of the attribution of the terminal equipment is successful, the SUPI of the terminal equipment is sent to an AMF network element of the private network;

the AMF network element of the private network is further configured to: and receiving the SUPI of the terminal equipment sent by the setting core network element of the private network.

In the above scheme, the system is deployed at an edge node and/or a central cloud.

In the above scheme, the system further comprises an SFM network element.

The embodiment of the application also provides an AMF network element of the private network, which comprises:

an obtaining unit, configured to obtain an authentication parameter from a set core network element of the private network in the case that communication between the private network and the public network is interrupted; the UDM network element of the private network is used for carrying out hot backup on authentication related information in the UDM network element of the public network, and has the capability of authenticating terminal equipment.

The embodiment of the application also provides a setting core network element of the private network, which comprises:

a backup unit, configured to perform a hot backup on authentication related information in a UDM network element of the public network under a condition that communication between the private network and the public network is not interrupted;

and the feedback unit is used for feeding back authentication parameters to the AMF network element of the private network under the condition that the communication between the private network and the public network is interrupted.

The embodiment of the application also provides an edge node, which comprises a processor and a communication interface, wherein,

the processor is configured to perform at least one of:

under the condition that the communication between the private network and the public network is interrupted, acquiring authentication parameters from a set core network element of the private network; the UDM network element of the private network is used for carrying out hot backup on authentication related information in the UDM network element of the public network, and has the capability of authenticating terminal equipment;

under the condition that communication between the private network and the public network is not interrupted, carrying out hot backup on authentication related information in a UDM network element of the public network; and feeding back authentication parameters to an AMF network element of the private network under the condition that communication between the private network and the public network is interrupted;

and under the condition that the communication between the private network and the public network is interrupted, feeding back authentication related data acquired from the UDM network element of the private network to the AMF network element of the private network.

The embodiments also provide an edge node comprising a processor and a memory for storing a computer program capable of running on the processor,

wherein the processor is configured to execute at least one of:

the step of the data acquisition method of the AMF network element side of the private network;

the step of the data acquisition method of the set core network element side of the private network.

The present embodiments also provide a storage medium having stored thereon a computer program which, when executed by a processor, performs at least one of:

the method for acquiring the data of the AMF network element side of the private network comprises the steps of;

In the embodiment of the application, under the condition that the communication between the private network and the public network is interrupted, the AMF network element of the private network acquires the authentication parameters from the set core network element of the private network. Therefore, under the condition that the communication between the private network and the public network is interrupted, the private network can realize the whole flow control of the user control plane and the user plane. Even if communication between the local 5G private network and the 5G public network is interrupted, when the terminal device needs to register to the core network, the terminal device can register in the private network 5GC through the AMF network element of the private network, so that the 5G network is used for communication, and the communication reliability can be improved.

Drawings

Fig. 1 is a schematic diagram of a communication system provided in an embodiment of the present application;

fig. 2 is a schematic diagram of a networking architecture of a communication system according to an embodiment of the present application;

fig. 3 is an interaction diagram of a data acquisition method provided in an embodiment of the present application;

FIG. 4 is an interaction diagram of a data acquisition method according to another embodiment of the present application;

FIG. 5 is an interaction diagram of a data acquisition method according to another embodiment of the present disclosure;

FIG. 6 is an interaction diagram of a data acquisition method according to another embodiment of the present application;

fig. 7 is an interaction diagram of a data acquisition method according to another embodiment of the present application;

fig. 8 is a schematic diagram of a network architecture according to an embodiment of the present application;

fig. 9 is a schematic implementation flow chart of preprocessing user subscription information according to an embodiment of the present application;

fig. 10 is a schematic implementation flow chart of a method for controlling the number of users accessing to a core network according to an embodiment of the present application;

fig. 11 is a schematic structural diagram of an AMF network element of a private network according to an embodiment of the present application;

fig. 12 is a schematic structural diagram of a set core network element of a private network according to an embodiment of the present application;

fig. 13 is a schematic diagram of a hardware composition structure of an edge node according to an embodiment of the present application.

Detailed Description

Currently, the number of government emergency management departments (including government affairs, earthquakes, water conservancy, traffic and the like) above the county level in China is 1800, and 5-10 satellite mobile communication terminals and 2 satellite mobile data terminals are allocated according to each department, so that about 1.4 ten thousand satellite mobile communication terminals and 3600 satellite mobile data terminals are required. Furthermore, there are 2800 county-level administrative units throughout the country, and 4 ten thousand rural administrative units. In general, the emergency field is about 4.5 thousands of user departments nationally, and nearly 10 ten thousand satellite mobile communication terminals and 9 ten thousand satellite mobile data terminals are needed. The whole emergency communication market scale is multiplied in equipment facilities such as system networking, emergency communication vehicles and the like and commercial markets by removing the requirements of terminals.

Under such a huge emergency management requirement, only relying on traditional emergency means and emergency equipment, there are the following bottlenecks and drawbacks:

1. in the emergency guarantee process, the traditional operators first rob transmission resources and lay optical cables, more professionals are needed, more resources are allocated, the time consumption is long, and the danger is high;

2. the emergency communication vehicle needs to enter a disaster area, and a professional engineer advices to rescue and open the life line from the base station to the transmission, so that the danger is high.

3. With satellite communication, bandwidth is limited and there is no possibility of a part of the human hand.

Based on this, the embodiment of the application provides a data acquisition method, where under the condition that communication between the private network and the public network is interrupted, an AMF network element of the private network acquires authentication parameters from a set core network element of the private network. Therefore, after the private network is out of connection with the operator network, the core network of the private network can still operate independently, authentication can be carried out on the terminal equipment, and communication smoothness in an area covered by the private network can be ensured on the premise of not changing cards and numbers.

In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.

Fig. 1 is a schematic diagram of a communication system according to an embodiment of the present application. The communication system as shown in fig. 1 comprises an operator 5G public network and a local 5G private network. The operator 5G public network comprises a public network 5G core network (5 GC), and the local 5G private network comprises a private network 5GC. Wherein,,

private networks refer to private networks established over the operator's public network.

The public network 5GC comprises at least a unified data management function (UDM, unified Data Management) network element and an authentication server function (AUSF, authentication Server Function) network element, and may further comprise at least one of the following: an access and mobility management function (AMF, access and Mobility Management Function) network element, a session management function (SMF, session Management Function) network element, a packet control function (PCF, packet Control Function) network element, a network opening function (NEF, network Exposure Function) network element, and a user plane function (UPF, user Plane Function) network element.

The private network 5GC at least includes a set core network element and an AMF network element, and may further include at least one of an SMF network element, a PCF network element, and a UPF network element.

A networking architecture diagram of a communication system composed of a terminal Equipment (UE), a public Network 5GC, a private Network 5GC, and a Data Network (DN) is shown in fig. 2. As shown in fig. 2, the AMF network element and the SMF network element of the private network are interconnected with the public network; the UPF network element is arranged below the local private network, so that the data transmission delay can be reduced.

It should be noted that, compared with the private network 5GC in the prior art, the private network 5GC in the embodiment of the present application has a new configuration core network element. Wherein, the set core network element integrates at least the functions of the UDM network element of the public network and the AUSF network element of the public network. The core network element is set for carrying out hot backup on authentication related information in the UDM network element of the public network, and the authentication capability of the terminal equipment is provided.

Under the condition that the communication between the private network and the public network is not interrupted, the capability of the core network element for authenticating the terminal equipment is set to be invalid, and the core network element is not set to be displayed externally. Under the condition that communication between the private network and the public network is interrupted, the capability of the set core network element for authenticating the terminal equipment is effective, and the set core network element is displayed outwards. That is, the setting core network element of the private network is dynamically effective, the existence of the setting core network element has no interference to the normal functions of the private network 5GC and the public network 5GC, and the terminal device has no perception to the setting core network element and does not need to change cards and numbers.

In the private network 5GC, the AMF network element of the private network is displayed to the outside no matter whether the communication between the private network and the public network is interrupted.

As shown in fig. 3, in the case where communication between the private network and the public network is not interrupted, when the terminal device needs to register to the core network, the terminal device registers in the public network 5GC through an AMF network element of the private network. And the AMF network element of the private network acquires authentication parameters from the UDM network element of the public network through the AUSF network element of the public network.

Under the condition that the communication between the private network and the public network is interrupted, namely the private network is disconnected from the operator network, the AMF network element of the private network cannot communicate with the AUSF network element of the public network and the UDM network element of the public network, and the control surface link between the private network and the public network fails. When the terminal equipment needs to be registered to the core network, the terminal equipment is registered in the private network 5GC through an AMF network element of the private network. The AMF network element of the private network acquires authentication parameters from the set core network element of the private network. Therefore, under the condition that the communication between the private network and the public network is interrupted, the private network can realize the whole flow control of the user control plane and the user plane, and the private network still has complete control plane capability. Even if communication between the local 5G private network and the 5G public network is interrupted, the terminal equipment can still register in the 5G private network, so that the 5G network is used for communication, and the communication reliability can be improved.

In addition, under the condition that the communication between the private network and the public network is interrupted, the private network still has complete control plane capability, and the private network can completely reserve the control plane data of the private network, so that the later network fault diagnosis of the private network fault is facilitated.

It should be noted that, in the process of acquiring the authentication parameter, the method mainly relates to a setting core network element of the private network, an AMF network element of the private network, an AUSF network element of the public network, and a UDM network element of the public network. The implementation process of acquiring the authentication parameters is described in detail below with reference to the accompanying drawings.

Fig. 4 is an interaction diagram of a data acquisition method according to another embodiment of the present application. As shown in fig. 4, the data acquisition method includes:

step 401: and under the condition that the communication between the private network and the public network is not interrupted, the set core network element of the private network carries out hot backup on authentication related information in the UDM network element of the public network.

Here, under the condition that the communication between the private network and the public network is not interrupted, the set core network element of the private network performs mirror image hot backup on the authentication related information in the UDM network element of the public network through the set communication interface. The authentication related information refers to information related to authentication, and the authentication related information may include user identification, user subscription information, authentication data, and the like. The authentication related information is used for authenticating the terminal device.

In some embodiments, the setting core network element of the private network performs mirror image hot backup on authentication related information in the UDM network element of the public network through the AMF network element of the private network and the AUSF network element of the public network. The different network elements communicate via standard communication interfaces.

Step 402: and under the condition that the communication between the private network and the public network is interrupted, the AMF network element of the private network acquires authentication parameters from the set core network element of the private network.

Here, under the condition that communication between the private network and the public network is interrupted and a registration request sent by the terminal equipment is received, the AMF network element of the private network requests to acquire authentication parameters from the set core network element of the private network.

In practical application, the AMF network element of the private network may send an authentication request to the set core network element of the private network to request to obtain the authentication parameter.

It should be noted that, under the condition that communication between the private network and the public network is not interrupted, the core network element of the private network may be set for the external display, or the core network element of the private network may not be set for the external display.

In order to save power consumption of the set core network element, in some embodiments, the method further comprises:

and enabling the setting core network element of the private network to authenticate the terminal equipment under the condition that the communication between the private network and the public network is interrupted by the AMF network element of the private network.

Here, under the condition that communication between the private network and the public network is interrupted, the capability of the setting core network element of the private network for authenticating the terminal equipment is enabled, and the setting core network element is displayed outwards. Namely, under the condition that the communication between the private network and the public network is interrupted, the capability of the set core network element of the private network for authenticating the terminal equipment is activated, and the capability of the set core network element of the private network for authenticating the terminal equipment is effective. Under the condition that the communication between the private network and the public network is not interrupted, the authentication capability of the set core network element of the private network to the terminal equipment is deactivated, and at this time, the authentication capability of the set core network element of the private network to the terminal equipment is disabled.

Step 403: and feeding back authentication parameters to the AMF network element of the private network by the set core network element of the private network under the condition that the communication between the private network and the public network is interrupted.

Here, under the condition that communication between the private network and the public network is interrupted, the setting core network element of the private network feeds back authentication parameters to the AMF network element of the private network based on the backup authentication related information under the condition that the authentication request sent by the AMF network element of the private network is received.

In the embodiment of the application, under the condition that the communication between the private network and the public network is not interrupted, the set core network element of the private network carries out hot backup on authentication related information in the UDM network element of the public network; under the condition that communication between the private network and the public network is interrupted, the AMF network element of the private network acquires authentication parameters from the setting core network element of the private network. Therefore, under the condition that the communication between the private network and the public network is interrupted, the private network can realize the whole flow control of the user control plane and the user plane. Even if communication between the local 5G private network and the 5G public network is interrupted, when the terminal device needs to register to the core network, the terminal device can register in the private network 5GC through the AMF network element of the private network, so that the 5G network is used for communication, and the communication reliability can be improved.

Under the condition that communication between the private network and the public network is not interrupted, when the terminal equipment needs to be registered to the core network, the terminal equipment registers in the public network 5GC through an AMF network element of the private network, so that the occupation of resources of the private network 5GC can be reduced, and the data processing efficiency of the private network 5GC is improved. In some embodiments, the method further comprises:

and under the condition that the communication between the private network and the public network is not interrupted, the AMF network element of the private network acquires authentication parameters from the UDM network element of the public network through the AUSF network element of the public network.

Here, in the case where communication between the private network and the public network is not interrupted, when the terminal device needs to register to the core network, the terminal device registers in the operator public network 5GC through an AMF network element of the private network. The terminal equipment sends a registration request to an AMF network element of the private network through the base station. Under the condition that the AMF network element of the private network receives the registration request sent by the terminal equipment, the authentication parameters are acquired from the UDM network element of the public network through the AUSF network element of the public network.

In some embodiments, the authentication parameters include at least a 5G authentication vector, and may also include a user permanent identifier (SUPI, subscription Permanent Identifier).

As shown in fig. 5, the implementation process of acquiring the authentication parameter from the UDM network element of the public network by the AMF network element of the private network through the AUSF network element of the public network is as follows:

1. The UE sends a registration request to an AMF network element of the private network.

The UE sends a registration request to an AMF network element of the private network through the base station.

2. And under the condition that the AMF network element of the private network receives the registration request sent by the UE, sending a Nausf_UEauthentication_ Authenticate Request message to the AUSF network element of the public network.

The AMF network element of the private network sends a nausf_ueauthentication_ Authenticate Request message to the AUSF network element of the public network based on the PUT method of the hypertext transfer protocol (HTTP, hyper Text Transfer Protocol).

3. Under the condition that the AUSF network element of the public network receives the Nausf_UEAuthorization_ Authenticate Request message sent by the UDM network element of the public network, the AUSF network element of the public network sends a Nudm_UEAuthorization_get Request message to the UDM network element of the public network.

The AUSF network element of the public network sends a Nudm_UEauthentication_Get Request message to the UDM network element of the public network based on the HTTP POST method.

4. Under the condition that the UDM network element of the public network receives the Nudm_UEauthentication_get Request message sent by the AUSF network element of the public network, a 5G home environment authentication vector (5G HE AV,5G Home Environment Authentication Vector) is constructed.

Wherein the 5G HE AV includes: RAND, AUTN, XRES and k_ausf; RAND characterizes a 128-bit random number, AUTN characterizes an authentication token, XRES characterizes expected response parameters, and k_ausf characterizes an intermediate key for storage in an AUSF network element of the public network.

The 5G HE AV may be expressed as (RAND, AUTN, XRES, k_ausf).

5. The UDM network element of the public network sends a Nudm_UEAuthority_get Response message to the AUSF network element of the public network, wherein the message at least carries 5G HE AV; in the case that the nudm_ue authentication_get Request message carries the user hidden identifier (sui, subscription Concealed Identifier) of the UE, the nudm_ue authentication_get Response message also carries the SUPI of the UE.

6. Under the condition that the AUSF network element of the public network receives the Nudm_UEauthentication_get Response message sent by the UDM network element of the public network, a 5G authentication vector (5G AV,5G Authentication Vector) is constructed based on the 5G HE AV.

Wherein, 5G AV includes RAND, AUTN, HXRES x and k_seaf.

According to TS33.501 Annex A.5, calculating HXRES in 5G HE AV by AUSF network element of public network; according to TS33.501 Annex A.6, K_SEAF is calculated from K_AUSF in 5G HEAV; replacing XRES in the 5G HE AV with the calculated HXRES; the calculated k_seaf replaces the k_ausf in the 5G HE AV to obtain a 5G AV (RAND, AUTN, HXRES, k_seaf).

7. Under the condition that the AUSF network element of the public network constructs the 5G AV, transmitting a Nausf_UEauthentication_ Authenticate Response message to the AMF network element of the private network based on the constructed 5G AV, wherein the message carries the 5G AV.

The AUSF network element of the public network may also store XRES and k_ausf in the 5G HE AV in association.

In practical application, the ausf_ueauthentication_ Authenticate Response message sent by the AUSF network element of the public network to the AMF network element of the private network may only carry RAND, AUTN and HXRES; RAND, AUTN and HXRES are used for visitor authentication. And under the condition that the authentication of the UE visit place is successful in the subsequent 12, the K_SEAF in the 5G AV is sent to the UE.

8. The AMF network element of the private network sends an authentication request message Authentication Request to the UE, which carries RAND and AUTN in 5G AV.

9. Under the condition that the UE receives Authentication Request sent by the AMF network element of the private network, RES is calculated, and an authentication response message Authentication Response sent to the AMF network element of the private network carries the calculated RES and features an authentication response parameter.

10. When receiving Authentication Response sent by UE, the AMF network element of the private network calculates HRES according to TS33.501 Annex a.5 based on RES carried by Authentication Response.

The AMF network element of the private network compares the calculated HRES with the HXRES in the constructed 5G AV, and if the comparison result represents that the two are the same, the authentication of the visiting place of the UE is successfully represented; and under the condition that the comparison result shows that the two are different, the authentication of the visiting place of the UE fails, and the authentication fails. Wherein, the authentication failure characterizes the UE registration failure.

11. The AMF network element of the private network sends a message from nausf_ueauthentication_ Authenticate Request to the AUSF network element of the public network.

In case that the authentication of the UE visited place is successful, the message carries RES sent by the UE; in case of authentication failure of the UE visited place, the message does not carry RES sent by the UE.

12. Under the condition that an AUSF network element of the public network receives a Nausf_UEAuthentication_ Authenticate Request message sent by an AMF network element of the private network, carrying out home authentication on the UE, and sending a Nausf_UEAuthentication_ Authenticate Response message to the AMF network element of the private network, wherein the message carries a home authentication result.

The AUSF network element of the public network judges whether the 5G AV and/or the 5G HE AV are expired, and if the 5G AV or the 5G HE AV are expired, the authentication failure of the home location is represented, and the authentication failure is transmitted to the AMF network element of the private network, wherein the Nausf_UEauthentication_ Authenticate Response message does not carry the SUPI of the UE.

Comparing RES with XRES in 5G HE AV when the 5G AV and 5G HE AV are not expired, and if RES is the same as XRES in 5G HE AV, characterizing that home authentication is successful, sending a naf_ue authentication_ Authenticate Response message to an AMF network element of the private network, where the SUPI message carries the SUPI of the UE, and may also carry k_seaf in 5G AV.

13. Under the condition that an AMF network element of the private network receives a Nausf_UEauthentication_ Authenticate Response message sent by an AUSF network element of the public network and the message carries the SUPI of the UE, a globally unique temporary UE identifier (GUTI, globally Unique Temporary UE Identity) is allocated to the UE, the GUTI and the SUPI are stored in a correlated manner, and an acceptance registration message Registration Accept carrying the GUTI is sent to the UE. At this time, the UE successfully registers with the operator network.

It should be noted that, in the case of failure in authentication of the UE, the AMF network element of the private network sends a rejection registration message to the UE.

The above description is made in detail with reference to fig. 4 and fig. 5, where the communication between the private network and the public network is not interrupted, and the AMF network element of the private network obtains the authentication parameter from the UDM network element of the public network through the AUSF network element of the public network; the following describes in detail the implementation procedure of acquiring the authentication parameter from the set core network element of the private network by the AMF network element of the private network in the case of the communication interruption between the private network and the public network with reference to fig. 6 to 7.

Fig. 6 is an interaction diagram of a data acquisition method according to another embodiment of the present application, where, as shown in fig. 6, communication between a private network and a public network is interrupted, the data acquisition method includes:

step 601: and under the condition that the communication between the private network and the public network is interrupted, the terminal equipment sends a registration request to an AMF network element of the private network.

Here, in the case where communication between the private network and the public network is interrupted, when the terminal device needs to register to the core network, the terminal device generates a registration request, and sends the registration request to the AMF network element of the private network through the base station.

Under the condition that the terminal equipment is registered for the first time, the registration request carries SUCI of the terminal equipment; in case of non-first registration, the registration request carries the GUTI of the terminal device.

Step 602: the AMF network element of the private network receives a registration request sent by the terminal equipment.

Step 603: and the AMF network element of the private network sends a first authentication request to a setting core network element of the private network based on the registration request.

Here, under the condition that the registration request carries the sui, the AMF network element of the private network decrypts the sui to obtain the corresponding sui, and sends a first authentication request to the set core network element of the private network.

Under the condition that the registration request carries the GUTI, the AMF network element of the private network determines the SUPI corresponding to the GUTI carried by the registration request based on the preset corresponding relation between the GUTI and the SUPI, and sends a first authentication request to the setting core network element of the private network. The first authentication request is for requesting authentication parameters.

In actual application, the first authentication request carries service network identification and resynchronization information, and may also carry sui or determined sui.

Step 604: and the setting core network element of the private network sends a 5G authentication vector related to the first authentication request to the AMF network element of the private network based on the first authentication request sent by the AMF network element of the private network.

Here, under the condition that the setting core network element of the private network receives the first authentication request sent by the AMF network element of the private network, a 5G authentication vector about the first authentication request is created based on the backup authentication related information, and the 5G authentication vector about the first authentication request is sent to the AMF network element of the private network.

In practical application, the setting core network element of the private network may send a response message about the registration request to the AMF network element of the private network, where the response message includes at least a 5G authentication vector about the first authentication request.

Step 605: and the AMF network element of the private network receives the 5G authentication vector about the first authentication request sent by the setting core network element of the private network.

In some embodiments, after step 605, on the basis that the authentication parameters further include SUPI, the method further comprises: and the AMF network element of the private network receives the SUPI of the terminal equipment sent by the setting core network element of the private network under the condition that the communication between the private network and the public network is interrupted.

Here, the setting core network element of the private network sends the SUPI of the terminal device to the AMF network element of the private network based on the first authentication request when receiving the first authentication request sent by the AMF network element of the private network.

In practical application, in the case that the setting core network element of the private network sends a response message about the registration request to the AMF network element of the private network, the response message may also carry the SUPI of the terminal device.

In this embodiment, under the condition that communication between the private network and the public network is interrupted, the AMF network element of the private network obtains the 5G authentication vector and the SUPI from the set core network element of the private network. Thus, in the case of interruption of communication between the private network and the public network, the private network 5GC may authenticate the terminal device, so as to determine whether to allow the terminal device to register with the private network 5GC according to the authentication result. Under the condition that the terminal equipment is successfully registered in the private network 5GC, the terminal equipment can use the 5G network to communicate, and the communication reliability can be improved.

In some embodiments, the set core network element of the private network includes an AUSF network element and a UDM network element; as shown in fig. 7, in the case where communication between the private network and the public network is interrupted, the data acquisition method includes:

step 701: and under the condition that the communication between the private network and the public network is interrupted, the terminal equipment sends a registration request to an AMF network element of the private network.

Step 701 to step 702 are the same as step 601 to step 602, and are not repeated here.

Step 702: the AMF network element of the private network receives a registration request sent by the terminal equipment.

Step 703: and the AMF network element of the private network sends a first authentication request to the AUSF network element of the private network based on the registration request.

Step 703 is similar to step 603, and the detailed implementation process is described with reference to step 603, which is not repeated here.

In practical applications, the first authentication request may be nausf_ueauthentication_ Authenticate Request.

In actual application, the AMF network element of the private network sends a first authentication request to the AUSF network element of the private network based on the POST method of HTTP.

Step 704: the AUSF network element of the private network receives a first authentication request sent by the AMF network element of the private network, and sends an authentication parameter acquisition request to the UDM network element of the private network based on the first authentication request.

Here, the authentication parameter acquisition Request may be a nudm_ueauthentication_get Request. The AUSF network element of the private network sends an authentication parameter acquisition request to the UDM network element of the private network based on the POST method of HTTP. The authentication parameter acquisition request at least carries the service network identifier and the resynchronization information, and may also carry the sui of the terminal device.

Step 705: the UDM network element of the private network constructs a 5G attribution environment authentication vector based on the authentication parameter acquisition request, and sends a response message to the AUSF network element of the private network, wherein the response message carries the 5G attribution environment authentication vector.

Here, each time the UDM network element of the private network receives an authentication parameter acquisition request, a corresponding 5G home environment authentication vector (5G HE AV) is constructed, and a response message carrying the 5G HE AV is sent to the AUSF network element of the private network. Wherein,,

when constructing 5G HEAV, the UDM network element of the private network calculates K_AUSF according to TS33.501 Annex A.2, calculates XRES according to TS33.501 Annex A.4, and constructs 5G HEAV (RAND, AUTN, XRES and K_AUSF) according to K_AUSF and XRES.

In practical application, the Response message may be nudm_ue authentication_get Response. The response message may also carry an authentication type authType.

In some embodiments, the authentication parameter acquisition request carries a sui of the terminal device, and the response message further carries a sui of the terminal device.

Here, in the case where the authentication parameter acquisition request carries the sui of the terminal device, the response message regarding the authentication parameter acquisition request also carries the sui of the terminal device.

In practical application, in the case that the nudm_ueauthentication_get Request carries the sui of the terminal device, the nudm_ueauthentication_get Response also carries the sui of the terminal device.

Step 706: and constructing a 5G authentication vector by the AUSF network element of the private network based on the 5G home environment authentication vector carried by the response message, and sending the 5G authentication vector related to the first authentication request to the AMF network element of the private network.

Here, under the condition that the AUSF network element of the private network receives the response message sent by the UDM network element of the private network, based on the 5G HE AV carried by the response message, a 5G AV (RAND, AUTN, HXRES x, k_seaf) is constructed, and a response message about the first authentication request is sent to the AMF network element of the private network, where the response message carries the 5G AV. In practice, the response message for the first authentication request may be nausf_ueauthentication_ Authenticate Response.

In some embodiments, the 5G home environment authentication vector includes a random number, an authentication token, expected response parameters, and an intermediate key; the AUSF network element of the private network constructs a 5G authentication vector based on the 5G home environment authentication vector carried by the response message, which comprises the following steps:

Here, the method for constructing the 5G AV based on the 5G HE AV (RAND, AUTN, XRES x, k_ausf) by the AUSF network element of the private network is as follows:

the AUSF network element of the private network calculates HXRES according to the XRES in the 5G HE AV according to TS33.501 Annex A.5, calculates K_SEAF according to the K_AUSF in the 5G HE AV according to TS33.501 Annex A.6, replaces the XRES in the 5G HE AV with the calculated HXRES, and replaces the K_AUSF in the 5G HE AV with the calculated K_SEAF to obtain the 5G AV (RAND, AUTN, HXRES and K_SEAF).

Wherein RAND characterizes a random number, AUTN characterizes an authentication token, XRES characterizes an expected response parameter, k_ausf characterizes an intermediate key for storing in a KUSF element of the private network.

To improve data query efficiency, in some embodiments, the method further comprises:

the authentication parameter obtains the SUCI carried by the request;

SUPI carried by the response message;

the intermediate key in the 5G home environment authentication vector.

Here, when receiving the 5G HE AV sent by the private network, the AUSF network element of the private network stores XRES in the 5G HE AV in association with sui or SUPI, and may also store k_ausf in the 5G HE AV in association.

Step 707: and the AMF network element of the private network receives the 5G authentication vector about the first authentication request sent by the AUSF network element of the private network.

To improve communication efficiency, in some embodiments, after step 707, the method further comprises steps 708 to 709:

step 708: the AMF network element of the private network generates a security context identifier corresponding to the terminal equipment;

step 709: the AMF network element of the private network sends the second authentication request to the terminal equipment based on the received 5G authentication vector; wherein,,

Here, the AMF network element of the private network generates a security context identifier corresponding to the terminal device. The security context identification is used to identify security context information. In actual application, the security context identification may be a keyset identifier ngKSI (NAS key set identifier) of the non-access stratum NAS.

After receiving the 5G authentication vector about the first authentication request sent by the setting core network element of the private network, the AMF network element of the private network sends a second authentication request to the terminal equipment based on the received 5G AV, thereby initiating an authentication flow to the terminal equipment. The second authentication request carries RAND, AUTN, and ngKSI in the received 5G AV.

In practical application, the second authentication request is Authentication Request.

In some embodiments, the authentication parameter comprises SUPI; the method further comprises the steps of:

The following describes the implementation procedure of the AUSF network element of the private network to send the SUPI of the terminal device to the AMF network element of the private network in conjunction with steps 710 to 714 in fig. 7:

step 710: under the condition that the terminal equipment receives a second authentication request sent by an AMF network element of the private network, RES is calculated, and an authentication response message related to the second authentication request is sent to the AMF network element of the private network, wherein the authentication response message carries the calculated RES.

Wherein the authentication response message may be Authentication Response.

Step 711: the AMF network element of the private network calculates HRES based on RES transmitted by the terminal device.

Here, when the AMF network element of the private network receives the authentication response message sent by the terminal device, HRES is calculated according to TS33.501 Annex a.5 based on RES carried by the authentication response message.

The AMF network element of the private network compares the calculated HRES with the HXRES in the constructed 5G AV, and if the comparison result represents that the two are the same, the visit area authentication of the terminal equipment is successfully represented; and under the condition that the comparison result shows that the visit place authentication of the terminal equipment fails and the authentication fails. The authentication failure characterizes the registration failure of the terminal equipment.

Step 712: and under the condition that the calculated HRES is the same as HXRES in the constructed 5G authentication vector, the AMF network element of the private network sends a third authentication request to the AUSF network element of the private network, wherein the third authentication request carries RES.

Wherein the third authentication request may be nausf_ueauthentication_ Authenticate Request.

It should be noted that, in the case that the authentication of the visiting place of the terminal device fails, the third authentication request does not carry RES sent by the terminal device.

Step 713: the AUSF network element of the private network sends an authentication response message to the AMF network element of the private network under the condition that the received RES is identical to the XRES in the 5G home environment authentication vector; the authentication response message carries SUPI.

Here, under the condition that the AUSF network element of the private network receives the third authentication request sent by the AMF network element of the private network, the AUSF network element of the private network judges whether the 5G AV and/or the 5G HE AV has expired; and comparing the received RES with XRES in the 5G HE AV if neither the 5G AV nor the 5G HE AV is expired, and characterizing that the home authentication is successful if the RES is the same as the XRES in the 5G HE AV, and sending an authentication response message about the third authentication request to an AMF network element of the private network, wherein the authentication response message at least carries the SUPI of the terminal device. The authentication response message may be nausf_ueauthentication_ Authenticate Response.

It should be noted that, in some embodiments, in step 706, the AUSF network element of the private network may send RAND, AUTN, and HXRES in the 5G AV to the AMF network element of the private network, and in step 713, in case that the authentication of the home location of the terminal device is successful, send the k_seaf in the 5GAV to the AMF network element of the private network. That is, the authentication response message sent by the AUSF network element of the private network to the AMF network element of the private network may also carry the k_seaf in the 5G AV.

It should be noted that, under the condition that the 5G AV or the 5G HE AV has expired, the home authentication fails, the authentication fails, and the AUSF network element of the private network determines to send an authentication response message related to the third authentication request to the AMF network element of the private network, where the authentication response message does not carry SUPI.

Step 714: the AMF network element of the private network sends an acceptance registration message to the terminal equipment; the accept registration message carries the GUTI.

Here, when the AMF network element of the private network receives an authentication response message about the third authentication request sent by the AUSF network element of the private network, and the authentication response message carries the SUPI, the GUTI is allocated to the terminal device, the GUTI and the SUPI are stored in association, and an accept registration message is sent to the UE, where the accept registration message carries the GUTI. At this time, the UE successfully registers in the private network 5GC.

It should be noted that, in the case that the authentication response message related to the third authentication request indicates that the authentication fails, the AMF network element of the private network sends a rejection registration message to the terminal device.

In this embodiment, under the condition that communication between the private network and the public network is interrupted, the AMF network element of the private network obtains the authentication parameter from the UDM network element of the private network through the AUSF network element of the private network. Thus, in the case of interruption of communication between the private network and the public network, the private network 5GC may authenticate the terminal device, so as to determine whether to allow the terminal device to register with the private network 5GC according to the authentication result. Under the condition that the terminal equipment is successfully registered in the private network 5GC, the terminal equipment can use the 5G network to communicate, and the communication reliability can be improved.

The embodiment of the application also provides a data acquisition system, which at least comprises an AMF network element of the private network and a setting core network element of the private network, and can also comprise an SMF network element of the private network. Wherein,,

the AMF network element of the private network is configured to perform the steps on the AMF network element side of the private network in fig. 4 to 7. The setting core network element of the private network is used to execute the steps of setting the core network element side of the private network in fig. 4 to 7, or the steps related to the implementation of the private network by the AUSF network element and the UDM network element of the private network.

The SMF network element of the private network is mainly responsible for interacting with separate data planes, creating, updating and deleting PDU sessions, and managing session context with the UPF.

In some embodiments, the data acquisition system is deployed at an edge node and/or a central cloud.

Here, in the case where the data acquisition system is deployed at an edge node, the edge node may be deployed near a machine room of the private network, or at a machine room local to the operator. The edge nodes may be interconnected with the public network 5GC via an operator-carrying network.

Under the condition that the data acquisition system is deployed in the central cloud, the data acquisition system can be backed up to the central cloud in real time, and the data acquisition system is supported to be downloaded and installed by one key, so that a client side can download and install the data acquisition system according to actual requirements, and the efficiency of deploying the data acquisition system is provided.

In consideration of the situation that the number of users in a certain area is increased rapidly under the condition of natural disasters, large-scale performance and the like, the existing cellular network system can cause excessive load of the cellular network system due to a large number of incoming registration requests, and normal service cannot be provided. In order to ensure that the core network side of the private network preferentially guarantees the registration requirements of resident users, in some embodiments, the data acquisition system may be connected to a private network management platform through a set interface, where the private network management platform has the capability of identifying resident users. The private network management platform can be correspondingly electronic equipment such as a server or a computer. Of course, the proprietary management platform may also be deployed on the data acquisition system.

On the basis that the authentication related information backed up in the setting core network element of the private network comprises user subscription information, the backed up user subscription information is stored in a UDM network element included in the setting core network element of the private network.

Fig. 8 is a schematic diagram of a network architecture provided in an embodiment of the present application, as shown in fig. 8, where a private network management platform reads user subscription information stored in a set core network element of a private network from a data acquisition system through a setting interface, and identifies a resident user based on the read user subscription information, so that a core network side of the private network preferentially guarantees registration requirements of the resident user.

The implementation process of identifying resident users and controlling the number of users accessing to the core network by the private network management platform is as follows:

1. the private network management platform preprocesses the read user subscription information to obtain preprocessed user subscription information. The preprocessing of the read user subscription information comprises the following steps:

based on the read user subscription information, determining a home domain, a resident region, a motion range and a motion frequency corresponding to the UE, and respectively distributing corresponding first identifiers for the home domain, the resident region, the motion range and the motion frequency corresponding to the UE; identifying a home domain user, a resident user and a low mobility user based on the first identification; and allocating a second identifier to each UE according to the principles of home domain user priority, resident user priority and low mobility user priority, wherein the second identifier is used for indicating the access priority.

In practical application, the subscriber subscription information is preprocessed according to fig. 9. It should be noted that, the private network management platform stores the identity of the UE in association with the first identifier and the second identifier corresponding to the UE.

2. Under the condition that the number of mobile phone users in a certain area is increased sharply and a large number of registration requests are in, the GC side of the private network 5 takes the access priority as a judgment condition under the assistance of a private network management platform, and the registration requests of resident users are preferentially ensured in a step-by-step open access mode. And under the condition that the access priority corresponding to the user is greater than or equal to the access priority of the allowed access private network, the AMF of the private network allows the user to register.

3. And rejecting the rest user access requests when the network access quantity is greater than or equal to the set load threshold.

Thus, it is possible to prevent the occurrence of a situation in which the cellular network communication system is paralyzed due to the inability to handle a large number of incoming registration requests in the case where a large number of users are in-rush.

In practical application, the number of users accessing the core network is controlled according to the flow chart shown in fig. 10. As shown in fig. 10:

in the case of flooding in a large number of registration requests, it is determined whether it is necessary to modify the access priority of the allowed access core network.

For example, if the registration request received in the set duration is greater than or equal to the first set threshold, the private network management platform increases the access priority of the allowed access core network; and under the condition that the received registration request within the set time period is smaller than or equal to a second set threshold value, the private network management platform reduces the access priority of the allowed access core network. The first set threshold is greater than the second set threshold.

The AMF network element of the private network forwards the received registration request to the private network management platform.

The private network management platform receives a registration request forwarded by an AMF network element of the private network, and determines a second identifier corresponding to the UE according to the identity identifier of the UE carried by the registration request; comparing the access priority indicated by the second identifier with the access priority of the allowed access core network to obtain a comparison result; and judging whether the UE is allowed to access the core network according to the comparison result, and obtaining a judgment result. And the private network management platform sends the judging result to an AMF network element of the private network.

And under the condition that the access priority indicated by the second identifier is smaller than the access priority of the allowed access core network, the corresponding UE is not allowed to access the core network, and the AMF network element of the private network refuses the UE registration.

And allowing the corresponding UE to access the core network under the condition that the access priority indicated by the second identifier is greater than or equal to the access priority of the allowed access core network, allowing the UE to register by an AMF network element of the private network, registering the UE according to a registration flow, and informing the private network management platform under the condition that the UE is successfully registered so as to update the total access number of the core network by the private network management platform.

The private network management platform calculates network load allowance of the core network based on the total number of accesses of the core network and a set load threshold corresponding to the core network. Wherein network load headroom = set load threshold-total number of accesses to the core network.

And rejecting the rest registration requests by the private network management platform under the condition that the network load allowance of the core network is smaller than or equal to zero.

It should be noted that, in some embodiments, the functions implemented by the private network management platform may be integrated into a private network AMF network element or a setting core network element.

In order to implement the data acquisition method applied to the AMF network element of the private network in the embodiment of the present application, the embodiment of the present application further provides an AMF network element of the private network, as shown in fig. 11, where the AMF network element of the private network includes:

An obtaining unit 111, configured to obtain an authentication parameter from a set core network element of the private network in a case where communication between the private network and the public network is interrupted; the UDM network element of the private network is used for carrying out hot backup on authentication related information in the UDM network element of the public network, and has the capability of authenticating terminal equipment.

In some embodiments, the AMF network element of the private network further comprises:

and the enabling unit is used for enabling the capability of the set core network element of the private network to authenticate the terminal equipment under the condition that the communication between the private network and the public network is interrupted.

In some embodiments, the authentication parameters include a 5G authentication vector; the acquisition unit 111 specifically is configured to:

receiving a registration request sent by terminal equipment;

In some embodiments, the authentication parameters further comprise SUPI; the acquisition unit 111 is further configured to: and under the condition that the communication between the private network and the public network is interrupted, receiving SUPI of the terminal equipment sent by a set core network element of the private network.

the generation unit is used for generating a security context identifier corresponding to the terminal equipment;

a sending unit, configured to send the second authentication request to the terminal device based on the received 5G authentication vector; wherein,,

In some embodiments, the acquisition unit 111 is further configured to:

In practical applications, the acquiring unit 111 and the generating unit may be implemented by a processor in an AMF network element of the private network, such as a central processing unit (CPU, central Processing Unit), a digital signal processor (DSP, digital Signal Processor), a micro control unit (MCU, microcontroller Unit), or a programmable gate array (FPGA, field-Programmable Gate Array), or implemented by a combination of a processor and a communication interface. The sending unit is implemented by a communication interface in an AMF network element of the private network.

It should be noted that: in the embodiment, when the AMF network element of the private network obtains the authentication parameters, only the division of each program module is used for illustration, and in practical application, the processing allocation may be completed by different program modules according to needs, that is, the internal structure of the device is divided into different program modules, so as to complete all or part of the processing described above. In addition, the embodiments of the method for acquiring data and the AMF network element of the private network provided in the foregoing embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments, which are not repeated herein.

In order to implement the method for obtaining data applied to the setting core network element of the private network in the embodiment of the present application, the embodiment of the present application further provides a setting core network element of the private network, as shown in fig. 12, where the setting core network element of the private network includes:

a backup unit 121, configured to perform a hot backup on authentication related information in a UDM network element of the public network in a case where communication between the private network and the public network is not interrupted;

and the feedback unit 122 is configured to feed back an authentication parameter to an AMF network element of the private network in case that communication between the private network and the public network is interrupted.

In some embodiments, the authentication parameters include a 5G authentication vector; the feedback unit 122 specifically is configured to:

In some embodiments, the set core network element of the private network includes an AUSF network element and a UDM network element; wherein,,

the AUSF network element of the private network is used for receiving a first authentication request sent by the AMF network element of the private network and sending an authentication parameter acquisition request to the UDM network element of the private network based on the first authentication request;

the UDM network element of the private network is used for constructing a 5G attribution environment authentication vector based on the authentication parameter acquisition request, and sending a response message to the AUSF network element of the private network, wherein the response message carries the 5G attribution environment authentication vector;

the AUSF network element of the private network is further configured to construct a 5G authentication vector based on the 5G home environment authentication vector carried by the response message, and send the 5G authentication vector related to the first authentication request to the AMF network element of the private network.

In some embodiments, the 5G home environment authentication vector includes a random number, an authentication token, expected response parameters, and an intermediate key;

The AUSF network element of the private network is specifically configured to calculate a first hash value based on an expected response parameter in the 5G home environment authentication vector, and calculate an anchor key based on an intermediate key in the 5G home environment authentication vector;

the AUSF network element of the private network is specifically configured to replace the expected response parameter in the 5G home environment authentication vector with the calculated first hash value, and replace the intermediate key in the 5G home environment authentication vector with the calculated anchor key, so as to obtain the 5G authentication vector.

In some embodiments, the authentication parameter acquisition request carries a user hidden identifier, sui, of the terminal device, and the response message also carries the SUPI of the terminal device.

In some embodiments, the authentication parameter includes SUPI, and the AUSF network element of the private network is further configured to:

and under the condition that the private network and the public network are interrupted in communication and the authentication of the attribution of the terminal equipment is successful, the SUPI of the terminal equipment is sent to an AMF network element of the private network.

In some embodiments, the AUSF network element of the private network is further configured to:

storing expected response parameters in the 5G home environment authentication vector in association with at least one of:

The authentication parameter obtains the SUCI carried by the request;

SUPI carried by the response message;

the intermediate key in the 5G home environment authentication vector.

In practical applications, the backup unit 121 and the feedback unit 122 may be implemented by a processor in a set core network element of the private network, such as a central processing unit (CPU, central Processing Unit), a digital signal processor (DSP, digital Signal Processor), a micro control unit (MCU, microcontroller Unit), or a programmable gate array (FPGA, field-Programmable Gate Array), or implemented by a combination of a processor and a communication interface. The sending unit is implemented by setting a communication interface in the core network element of the private network.

It should be noted that: the setting core network element of the private network provided in the above embodiment only uses the division of the program modules to illustrate when obtaining the authentication parameters, and in practical application, the processing allocation may be completed by different program modules according to needs, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above. In addition, the setting core network element and the data acquisition method embodiment of the private network provided in the foregoing embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiment, which is not described herein again.

Based on the hardware implementation of the program modules, and in order to implement the method of the embodiment of the application, the embodiment of the application also provides an edge node. Fig. 13 is a schematic diagram of a hardware composition structure of an edge node according to an embodiment of the present application, where, as shown in fig. 13, the edge node 13 includes:

a communication interface 131 capable of information interaction with other devices such as a network device and the like;

the processor 132 is connected to the communication interface 131 to implement information interaction with other devices, and is configured to execute a method provided by one or more technical solutions on the AMF side of the private network or execute a method provided by one or more technical solutions on the set core network element side of the private network when running a computer program. And the computer program is stored on the memory 133.

Of course, in practice, the various components in the edge node 13 are coupled together by a bus system 134. It is understood that the bus system 134 is used to enable connected communications between these components. The bus system 134 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration the various buses are labeled as bus system 134 in fig. 13.

The memory 133 in the present embodiment is used to store various types of data to support the operation of the edge node 13. Examples of such data include: any computer program for operating on the edge node 13.

It will be appreciated that the memory 133 may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. Wherein the nonvolatile Memory may be Read Only Memory (ROM), programmable Read Only Memory (PROM, programmable Read-Only Memory), erasable programmable Read Only Memory (EPROM, erasable Programmable Read-Only Memory), electrically erasable programmable Read Only Memory (EEPROM, electrically Erasable Programmable Read-Only Memory), magnetic random access Memory (FRAM, ferromagnetic random access Memory), flash Memory (Flash Memory), magnetic surface Memory, optical disk, or compact disk Read Only Memory (CD-ROM, compact Disc Read-Only Memory); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be random access memory (RAM, random Access Memory), which acts as external cache memory. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (SRAM, static Random Access Memory), synchronous static random access memory (SSRAM, synchronous Static Random Access Memory), dynamic random access memory (DRAM, dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (ddr SDRAM, double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, sync Link Dynamic Random Access Memory), direct memory bus random access memory (DRRAM, direct Rambus Random Access Memory). The memory 133 described in the embodiments herein is intended to comprise, without being limited to, these and any other suitable types of memory.

The methods disclosed in the embodiments of the present application may be applied to the processor 132 or implemented by the processor 132. The processor 132 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the methods described above may be performed by integrated logic circuitry in hardware in processor 132 or by instructions in software. The processor 132 may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 132 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly embodied in a hardware decoding processor or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 133. The processor 132 reads the programs in the memory 133 and in combination with its hardware performs the steps of the methods described above.

Optionally, when the processor 132 executes the program, a corresponding flow implemented by the terminal in each method of the embodiments of the present application is implemented, which is not described herein for brevity.

In an exemplary embodiment, the present application further provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example comprising a first memory 133 storing a computer program executable by the processor 132 of the terminal for performing the steps of the aforementioned method. The computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash Memory, magnetic surface Memory, optical disk, or CD-ROM.

In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other manners. The above described device embodiments are only illustrative, e.g. the division of the units is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.

The units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.

Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.

Alternatively, the integrated units described above may be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partly contributing to the prior art, and the computer software product may be stored in a storage medium, and include several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.

The technical solutions described in the embodiments of the present application may be arbitrarily combined without any conflict.

It should be noted that, the term "and/or" in the embodiment of the present invention is merely an association relationship describing the association object, and indicates that three relationships may exist, for example, a and/or B may indicate: a exists alone, A and B exist together, and B exists alone. In addition, the term "at least one" herein means any one of a plurality or any combination of at least two of a plurality, for example, including at least one of A, B, C, and may mean including any one or more elements selected from the group consisting of A, B and C.

In addition, in the examples of this application, "first," "second," etc. are used to distinguish similar objects and not necessarily to describe a particular order or sequence.

The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims

1. A data acquisition method, characterized in that it is applied to an AMF network element of a private network, the method comprising:

the set core network element is used for carrying out hot backup on authentication related information in the Unified Data Management (UDM) network element of the public network, and has the capability of authenticating terminal equipment.

2. The method according to claim 1, wherein the method further comprises:

3. The method according to claim 1 or 2, wherein the authentication parameters comprise a 5G authentication vector; the obtaining the authentication parameter from the set core network element of the private network includes:

receiving a registration request sent by terminal equipment;

4. A method according to claim 3, characterized in that the authentication parameters further comprise a user permanent identifier SUPI; the method further comprises the steps of:

5. A method according to claim 3, characterized in that after said receiving the 5G authentication vector for the first authentication request sent by the set core network element of the private network, the method further comprises:

6. The method according to claim 1, wherein the method further comprises:

under the condition that the communication between the private network and the public network is not interrupted, acquiring authentication parameters from the UDM network element of the public network through the AUSF network element of the identity verification server function of the public network.

7. A method for obtaining data, characterized in that the method is applied to a set core network element of a private network, the method comprising:

8. The method of claim 7, wherein the authentication parameters comprise a 5G authentication vector; the feeding back authentication parameters to the AMF network element of the private network comprises the following steps:

9. The method of claim 8, wherein the set core network elements of the private network comprise an AUSF network element and a UDM network element; the sending, by the dedicated network based on the first authentication request sent by the AMF network element of the dedicated network, a 5G authentication vector related to the first authentication request to the AMF network element of the dedicated network includes:

10. The method of claim 9, wherein the 5G home environment authentication vector comprises a random number, an authentication token, an expected response parameter, and an intermediate key; the AUSF network element of the private network constructs a 5G authentication vector based on the 5G home environment authentication vector carried by the response message, which comprises the following steps:

11. The method according to claim 9, wherein the authentication parameter acquisition request carries a user hidden identifier, sui, of the terminal device, and the response message also carries the SUPI of the terminal device.

12. The method of claim 11, wherein the authentication parameter comprises SUPI; the method further comprises the steps of:

13. The method of claim 11, wherein the method further comprises:

The authentication parameter obtains the SUCI carried by the request;

SUPI carried by the response message;

the intermediate key in the 5G home environment authentication vector.

14. A data acquisition system, comprising:

15. The system of claim 14, wherein the AMF network element of the private network is further configured to: and under the condition that the communication between the private network and the public network is interrupted, enabling the authentication capability of the UDM network element of the private network to the terminal equipment.

16. The system of claim 14 or 15, wherein the system comprises a plurality of sensors,

the AMF network element of the private network is specifically configured to send a first authentication request to a setting core network element of the private network based on a registration request sent by a terminal device, and receive a 5G authentication vector sent by the setting core network element of the private network and related to the first authentication request;

17. The system of claim 16, wherein the set core network element of the private network comprises:

18. The system of claim 16, wherein the AMF network element of the private network is further configured to:

19. The system of claim 17, wherein the authentication parameter acquisition request carries a sui of a terminal device, and the response message further carries a SUPI of the terminal device;

20. The system of any one of claims 14 to 19, wherein the system is deployed at an edge node and/or a central cloud.

21. The system according to any of the claims 14 to 19, characterized in that the system further comprises a session management function, SFM, network element.

22. An AMF network element for a private network, comprising:

23. A set core network element of a private network, comprising:

24. An edge node comprising a processor and a communication interface, wherein,

the processor is configured to perform at least one of:

25. An edge node comprising a processor and a memory for storing a computer program capable of running on the processor,

wherein the processor is configured to execute at least one of:

the method of any one of claims 1 to 6;

the method of any one of claims 7 to 13.

26. A storage medium having a computer program stored thereon, wherein the computer program when executed by a processor performs at least one of:

the method of any one of claims 1 to 6;

the method of any one of claims 7 to 13.