CN116996882A - Method for protecting 5G network roaming user identity - Google Patents


Info

Publication number
CN116996882A
Authority
CN
China
Prior art keywords
supi
temporary
user
domain
home domain
Prior art date
2023-08-28
Legal status
Pending
Application number
CN202311090874.6A
Other languages
Chinese (zh)
Inventor
华岳
Current Assignee
Xi'an Chenyang Communication Technology Co ltd
Original Assignee
Xi'an Chenyang Communication Technology Co ltd
Priority date
2023-08-28
Filing date
2023-08-28
Publication date
2023-11-03
Application filed by Xi'an Chenyang Communication Technology Co ltd
Priority to CN202311090874.6A
Publication of CN116996882A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04W 12/75 Temporary identity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for protecting the identity of a 5G network roaming user. A roaming-dedicated temporary SUPI pool is first established. When a roaming user registers, the home domain SEPP randomly selects a temporary SUPI that is not currently in use from the pool, provides that temporary SUPI to the visited domain, and records the mapping between the user's real SUPI and the temporary SUPI. While the user uses network services, the home domain SEPP uses the recorded mapping to convert the temporary SUPI in signaling from the visited domain into the real SUPI before passing the signaling to the home domain, and to convert the real SUPI in signaling from the home domain into the temporary SUPI before passing the signaling to the visited domain. After the roaming user deregisters in the visited domain, the home domain SEPP releases the temporary SUPI allocated to the user and returns it to the roaming-dedicated temporary SUPI pool. The method provides higher security for 5G network roaming users and enhances the security capability of the SEPP.

Description

Method for protecting 5G network roaming user identity
Technical Field
The invention relates to the technical field of mobile communication, in particular to a method for protecting the identity of a roaming user of a 5G network.
Background
SUCI (SUbscription Concealed Identifier) is a security feature newly added in the fifth generation mobile communication network (5G network) compared with the fourth generation mobile communication network (4G network). The SUCI replaces the user's SUPI (SUbscription Permanent Identifier, typically the IMSI, International Mobile Subscriber Identity), which was previously transmitted in plain text over the air, and thereby prevents serious security problems such as tracking of the user. The SUCI encrypts and integrity-protects the SUPI, and it can be updated through OTA (Over the Air) procedures.
However, while the user is roaming, the user's SUPI is still transferred to network functions of the visited domain such as the AMF (Access and Mobility Management Function) and SMF (Session Management Function). If the security protection of the visited domain is insufficient, the user's SUPI may be compromised and the user faces the threat of being tracked.
Security in 5G network roaming scenarios is mainly provided by the SEPP (Security Edge Protection Proxy). The security mechanisms provided by the SEPP include message filtering and topology hiding, but not hiding of the user's SUPI.
Therefore, there is a need in the art for a technical solution capable of protecting user identity in a 5G roaming scenario.
Disclosure of Invention
The invention aims to provide a technical scheme for preventing SUPI of a 5G network roaming user from being leaked.
In order to achieve the above object, the present invention provides the following solutions:
a method of protecting the identity of a roaming user of a 5G network, comprising:
the home domain of the 5G network user prepares a batch of temporary SUPI special for roaming in advance, and establishes a temporary SUPI pool special for roaming in the home domain SEPP;
when a 5G network roaming user registers in a visited domain and the home domain, having successfully authenticated the UE in the home domain AUSF according to standard requirements, provides the user's real SUPI to the visited domain, the home domain SEPP randomly selects a temporary SUPI that is not currently in use from the roaming-dedicated temporary SUPI pool and provides that temporary SUPI to the visited domain, while recording the mapping between the user's real SUPI and the temporary SUPI;
while the 5G network roaming user uses network services, for signaling from the visited domain that carries the user's temporary SUPI, the home domain SEPP converts the temporary SUPI in the signaling into the real SUPI according to the mapping it recorded, and then transfers the signaling to the home domain; for signaling from the home domain that carries the user's real SUPI, the home domain SEPP converts the real SUPI in the signaling into the temporary SUPI according to the same recorded mapping, and then transfers the signaling to the visited domain;
after the 5G network roaming user deregisters in the visited domain, the home domain SEPP releases the temporary SUPI allocated to the user and returns it to the roaming-dedicated temporary SUPI pool.
Optionally, for records such as call tickets and tracking tickets of the 5G network roaming user's use of 5G network services, records in the visited domain are identified by the user's temporary SUPI and records in the home domain by the user's real SUPI, and the SEPP provides a function for querying the association history between the user's real SUPI and temporary SUPIs so that the home domain can correctly associate the call tickets and tracking tickets of the visited domain with those of the home domain.
Compared with the prior art, the invention has the following beneficial effects:
(1) The invention provides higher security for the 5G network roaming user.
(2) The invention enhances the security capability of the SEPP.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the drawings that are needed in the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of the user-SUPI hiding function provided by the hSEPP when a 5G network roaming user registers, according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of the user-SUPI hiding function provided by the hSEPP when a 5G network roaming user uses a network service, according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of the user-SUPI hiding function provided by the hSEPP when a 5G network roaming user deregisters, according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention aims to provide a method capable of preventing SUPI of a 5G network roaming user from being leaked.
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
Example 1:
This embodiment provides a method for protecting the identity of a roaming user of a 5G network; the specific steps are as follows:
the home domain of the 5G network user prepares a batch of roaming-dedicated temporary SUPIs in advance and establishes a roaming-dedicated temporary SUPI pool in the hSEPP (home domain SEPP).
As shown in Fig. 1, when a 5G network roaming user registers in a visited domain, after the home domain AUSF has successfully authenticated the UE according to standard requirements, the Nausf_UEAuthentication_Authenticate Response message it sends to the visited domain AMF carries the user's real SUPI. When this message reaches the hSEPP, before it is forwarded to the vSEPP (visited domain SEPP), the hSEPP randomly selects one currently unused temporary SUPI from the roaming-dedicated temporary SUPI pool, replaces the user's real SUPI in the message with the temporary SUPI allocated to the user, and then sends the message to the vSEPP. At the same time, the hSEPP records the mapping between the user's real SUPI and the temporary SUPI.
While the 5G network roaming user uses network services, signaling is exchanged between the visited domain and the home domain, for example in the PDU session creation procedure shown in Fig. 2. For signaling from the visited domain that carries the user's temporary SUPI, the hSEPP converts the temporary SUPI in the signaling into the real SUPI according to the mapping it recorded, and then transfers the signaling to the home domain. Conversely, for signaling from the home domain that carries the user's real SUPI, the hSEPP converts the real SUPI in the signaling into the temporary SUPI according to the same recorded mapping, and then transfers the signaling to the visited domain.
As shown in Fig. 3, after the 5G network roaming user deregisters from the visited domain, the visited domain initiates a Purge procedure towards the home domain. The hSEPP replaces the user's temporary SUPI in the signaling sent from the visited domain to the home domain with the real SUPI; after receiving the Nudm_UECM_Deregistration request message, it releases the temporary SUPI allocated to the user and returns it to the roaming-dedicated temporary SUPI pool.
For records such as call tickets and tracking tickets of the 5G network roaming user's use of 5G network services, the visited domain marks its records with the user's temporary SUPI and the home domain marks its records with the user's real SUPI. So that the call tickets and tracking tickets of the visited domain and the home domain can be correctly associated, the hSEPP provides a function for querying the association history between the user's real SUPI and temporary SUPIs, and can return the association in force at a given point in time or during a given period. Such a query can only be made from the home domain; the association history between the user's real SUPI and temporary SUPIs must not be leaked to the visited domain.
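As an added illustration that is not code from the patent or its assignee, the following Python model implements the hSEPP behaviour described in the three steps above together with the home-domain-only association-history query: a roaming-dedicated pool of temporary SUPIs, random allocation of an unused entry when the Nausf_UEAuthentication_Authenticate Response leaves the home domain, rewriting of the SUPI in both directions, release back to the pool on Nudm_UECM_Deregistration, and a lookup of which temporary SUPI a user carried at a given time. The class and method names, the message representation (a dict with an `op` and a `supi` field), the SUPI values, the logical clock and the rule that a re-registration reuses an existing mapping are all assumptions made for the example.

```python
"""Model of the home-domain SEPP (hSEPP) temporary-SUPI mapping. Example code,
not the patent's implementation; names, message format and SUPI values are assumed."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Association:
    """One allocation of a temporary SUPI to a real SUPI (history record)."""
    real_supi: str
    temp_supi: str
    allocated_at: int                  # logical clock tick at allocation
    released_at: Optional[int] = None  # None while the allocation is active


class HomeSEPP:
    """Hypothetical hSEPP holding the roaming-dedicated temporary SUPI pool."""

    # Service operations named on the page; they trigger allocate / release.
    AUTH_RESPONSE = "Nausf_UEAuthentication_Authenticate Response"
    DEREGISTRATION = "Nudm_UECM_Deregistration"

    def __init__(self, temp_pool):
        self._free: Set[str] = set(temp_pool)   # temporary SUPIs not currently in use
        self._real_to_temp: Dict[str, str] = {}
        self._temp_to_real: Dict[str, str] = {}
        self._history: List[Association] = []   # kept in the home domain only
        self._clock = 0

    def free_count(self) -> int:
        return len(self._free)

    def _tick(self) -> int:
        self._clock += 1
        return self._clock

    def _allocate(self, real_supi: str) -> str:
        if real_supi in self._real_to_temp:        # assumption: re-registration reuses mapping
            return self._real_to_temp[real_supi]
        if not self._free:
            raise RuntimeError("roaming temporary SUPI pool exhausted")
        temp = secrets.choice(sorted(self._free))  # random pick among unused entries
        self._free.remove(temp)
        self._real_to_temp[real_supi] = temp
        self._temp_to_real[temp] = real_supi
        self._history.append(Association(real_supi, temp, self._tick()))
        return temp

    def _release(self, real_supi: str) -> None:
        temp = self._real_to_temp.pop(real_supi, None)
        if temp is None:
            return
        del self._temp_to_real[temp]
        self._free.add(temp)                       # back into the pool
        for a in reversed(self._history):
            if a.temp_supi == temp and a.released_at is None:
                a.released_at = self._tick()
                break

    def to_visited(self, msg: dict) -> dict:
        """Home -> visited: replace the real SUPI with the temporary one."""
        out = dict(msg)
        if "supi" not in out:
            return out
        if out.get("op") == self.AUTH_RESPONSE:
            out["supi"] = self._allocate(out["supi"])
        elif out["supi"] in self._real_to_temp:
            out["supi"] = self._real_to_temp[out["supi"]]
        else:
            # Fail closed: never forward an unmapped real SUPI to the visited domain.
            raise KeyError("no temporary SUPI mapped for this user")
        return out

    def to_home(self, msg: dict) -> dict:
        """Visited -> home: replace the temporary SUPI with the real one."""
        out = dict(msg)
        if "supi" not in out:
            return out
        real = self._temp_to_real.get(out["supi"])
        if real is None:
            raise KeyError("unknown temporary SUPI")
        out["supi"] = real
        if out.get("op") == self.DEREGISTRATION:
            self._release(real)                    # Purge done: return entry to the pool
        return out

    def association_at(self, real_supi: str, tick: int, caller_domain: str = "home") -> Optional[str]:
        """History query: the temporary SUPI the user carried at `tick`, or None."""
        if caller_domain != "home":
            raise PermissionError("association history is available to the home domain only")
        for a in self._history:
            active = a.allocated_at <= tick and (a.released_at is None or tick < a.released_at)
            if a.real_supi == real_supi and active:
                return a.temp_supi
        return None


if __name__ == "__main__":
    # Constructed sample values; the SUPI format mirrors the NAI-style "imsi-..." form.
    h = HomeSEPP(["tmp-000000000000001", "tmp-000000000000002"])
    auth = h.to_visited({"op": HomeSEPP.AUTH_RESPONSE, "supi": "imsi-460001234567890"})
    print("visited domain sees:", auth["supi"])
    print("home domain sees:", h.to_home({"op": "Nsmf_PDUSession_Create", "supi": auth["supi"]})["supi"])
```

The two rewrite paths fail closed: a message whose SUPI has no mapping is rejected rather than forwarded unchanged, so a real SUPI cannot slip through to the visited domain by accident, and a temporary SUPI that was already released cannot be replayed into the home domain. The history query takes the caller's domain so that the home-domain-only restriction stated above is enforced in code rather than by convention.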
In the present specification, each embodiment is described in a progressive manner, focusing mainly on its differences from the other embodiments; identical and similar parts between the embodiments may refer to each other. For the system disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively brief, and the relevant points refer to the description of the method.
The principles and embodiments of the present invention have been described herein with reference to specific examples, the description of which is intended only to assist in understanding the methods of the present invention and the core ideas thereof; also, it is within the scope of the present invention to be modified by those of ordinary skill in the art in light of the present teachings. In view of the foregoing, this description should not be construed as limiting the invention.

Claims (2)

1. A method for protecting the identity of a roaming user in a 5G network, comprising:
the home domain of the 5G network user prepares a batch of temporary SUPI special for roaming in advance, and establishes a temporary SUPI pool special for roaming in the home domain SEPP;
when a 5G network roaming user registers in a visiting domain, when a home domain successfully authenticates UE in a home domain AUSF according to standard requirements and provides a user real SUPI for the visiting domain, the home domain SEPP randomly selects a temporary SUPI which is not currently used from a roaming special temporary SUPI pool and provides the temporary SUPI for the visiting domain, and meanwhile, the home domain SEPP records the mapping relation between the user real SUPI and the temporary SUPI;
while the 5G network roaming user uses network services, for signaling from the visited domain that carries the user's temporary SUPI, the home domain SEPP converts the temporary SUPI in the signaling into the real SUPI according to the mapping it recorded, and then transfers the signaling to the home domain; for signaling from the home domain that carries the user's real SUPI, the home domain SEPP converts the real SUPI in the signaling into the temporary SUPI according to the same recorded mapping, and then transfers the signaling to the visited domain;
after the 5G network roaming user logs off in the visiting domain, the home domain SEPP releases the temporary SUPI allocated to the user, and returns the temporary SUPI to the roaming special temporary SUPI pool.
2. The method of claim 1, wherein, for the call tickets and tracking tickets of the 5G network roaming user, records in the visited domain are identified by the user's temporary SUPI and records in the home domain by the user's real SUPI, and the SEPP provides a function for querying the association history between the user's real SUPI and temporary SUPIs so that the home domain correctly associates the call tickets and tracking tickets of the visited domain with those of the home domain.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311090874.6A CN116996882A (en) 2023-08-28 2023-08-28 Method for protecting 5G network roaming user identity

Publications (1)

Publication Number Publication Date
CN116996882A true CN116996882A (en) 2023-11-03

Family

ID=88528360

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination