CN117597963A - Relay communication method, communication device and communication equipment - Google Patents


Info

Publication number
CN117597963A
Authority
CN
China
Prior art keywords
relay
terminal
long
direct communication
remote terminal
Prior art date
Legal status
Pending
Application number
CN202280002242.7A
Other languages
Chinese (zh)
Inventor
商正仪
陆伟
Current Assignee
Beijing Xiaomi Mobile Software Co Ltd
Original Assignee
Beijing Xiaomi Mobile Software Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Abstract

The embodiments of the disclosure provide a relay communication method, a communication device and communication equipment. The communication method can be applied to 5G terminal-to-terminal relay (UE-to-UE Relay) technology. The method may include: the relay terminal receives a first direct communication request message sent by a first remote terminal; the relay terminal establishes a secure first direct communication link with the first remote terminal according to a first long-term credential, the first long-term credential being sent to the relay terminal by the network device when authentication of the relay terminal passes; the first direct communication link is used for transmitting transmission information between the first remote terminal and the second remote terminal. In the present disclosure, the relay UE establishes a secure layer 3 (L3) U2U link between UE1 and UE2 by establishing secure direct communication links with each peer UE respectively, so as to implement 5G ProSe U2U Relay.

Description

Relay communication method, communication device and communication equipment
Technical Field
The disclosure relates to the technical field of wireless communication, and in particular relates to a relay communication method, a communication device and communication equipment.
Background
In fifth generation mobile network (5th generation mobile networks, 5G) technology, proximity services (proximity based services, ProSe) enable peer terminals to communicate with each other through terminal-to-terminal relay. This technique may be referred to as terminal-to-terminal Relay (5G ProSe UE-to-UE Relay). This means that if the source terminal cannot reach the target terminal directly, the source terminal will try to discover a relay terminal to reach the target terminal, which may also trigger the relay to discover the target terminal. In practice, a relay terminal is an untrusted node and may be compromised, thereby compromising the security (i.e., integrity and confidentiality) of information exchanged between the peer terminals.
How to provide terminal-to-terminal secure relay communication is a technical problem to be solved.
Disclosure of Invention
The present disclosure provides a relay communication method, a communication apparatus, and a communication device to provide secure relay communication from terminal to terminal.
According to a first aspect of the present disclosure, there is provided a relay communication method, which can be applied to a relay terminal in a communication system. The method may include: the relay terminal receives a first direct communication request message sent by a first remote terminal; the relay terminal establishes a secure first direct communication link with the first remote terminal according to a first long-term credential, the first long-term credential being sent to the relay terminal by the network device when authentication of the relay terminal passes; the first direct communication link is used for transmitting transmission information between the first remote terminal and the second remote terminal.
In some possible implementations, the first remote terminal and the second remote terminal are peer terminals configured with first long-term credentials.
In some possible implementations, the first direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the first direct communication request message further includes at least one of the following: the security capability information of the first remote terminal is used for indicating a security algorithm supported by the first remote terminal; a relay service code; a neighbor service code; a first random number.
In some possible embodiments, the method further comprises: the relay terminal sends a first request message to the network equipment, wherein the first request message carries a first long-term credential identifier; the relay terminal receives a first response message from the network device, the first response message carrying the first long-term credential.
In some possible embodiments, the first direct communication request message carries an identifier of the first shared key; the method further comprises: the relay terminal determines the first shared key according to the first shared key identifier, wherein the first shared key is used for secure communication between the relay terminal and the first remote terminal.
In some possible embodiments, the method comprises: the relay terminal determines that the first shared key is valid.
In some possible embodiments, the method further comprises: the relay terminal sends a second direct communication request message to a second remote terminal; the relay terminal establishes a secure second direct communication link with the second remote terminal according to the first long-term credential; the second direct communication link is used for transmitting transmission information.
In some possible implementations, the second direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the second direct communication request message carries security capability information of the relay terminal, where the security capability information of the relay terminal is used to indicate a security algorithm supported by the relay terminal.
In some possible embodiments, the second direct communication request message further includes at least one of the following: a relay service code; a neighbor service code; and a second random number.
In some possible embodiments, the method further comprises: the relay terminal determines that a second shared key exists, wherein the second shared key is used for secure communication between the relay terminal and the second remote terminal; and the relay terminal carries a second shared key identifier in the second direct communication request message when sending it, wherein the second shared key identifier is used for identifying the second shared key.
In some possible implementations, the relay terminal determining that the second shared key exists includes: the relay terminal determines that a valid second shared key exists.
In some possible embodiments, the method further comprises: the relay terminal receives a second direct communication accept message from the second remote terminal; the relay terminal sends a first direct communication accept message to the first remote terminal.
In some possible implementations, the identity of the relay terminal is one of: a neighbor service application identifier of the relay terminal; terminal identification of the relay terminal.
According to a second aspect of the present disclosure there is provided a relay communication method, the method being applicable to a first remote terminal in a communication system. The method comprises the following steps: the first remote terminal sends a first direct communication request message to a relay terminal, the relay terminal being provided with a first long-term credential, the first long-term credential being sent to the relay terminal by the network device when authentication of the relay terminal passes; the first remote terminal establishes a secure first direct communication link with the relay terminal, the first direct communication link being used for transmitting transmission information between the first remote terminal and the second remote terminal.
In some possible implementations, the first remote terminal and the second remote terminal are peer terminals configured with first long-term credentials.
In some possible embodiments, the method further comprises: the first remote terminal discovers the second remote terminal and selects a relay terminal.
In some possible implementations, the first direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the first direct communication request message further includes at least one of the following: the security capability information of the first remote terminal is used for indicating a security algorithm supported by the first remote terminal; a relay service code; a neighbor service code; a first random number.
In some possible embodiments, the method further comprises: the first remote terminal determines that a first shared key exists, wherein the first shared key is used for secure communication between the relay terminal and the first remote terminal; the first remote terminal carries a first shared key identifier in the first direct communication request message when sending it, the first shared key identifier being used for identifying the first shared key.
In some possible implementations, the first remote terminal determining that the first shared key exists includes: the first remote terminal determines that a valid first shared key exists.
In some possible embodiments, the method further comprises: the first remote terminal receives a first direct communication acceptance message sent by the relay terminal.
According to a third aspect of the present disclosure there is provided a relay communication method, which may be applied to a second remote terminal in a communication system. The method comprises the following steps: the second remote terminal receives a second direct communication request message sent by the relay terminal, the relay terminal being provided with a first long-term credential, the first long-term credential being sent to the relay terminal by the network device when authentication of the relay terminal passes; the second remote terminal establishes a secure second direct communication link with the relay terminal, the second direct communication link being used for transmitting transmission information between the second remote terminal and the first remote terminal.
In some possible implementations, the first remote terminal and the second remote terminal are peer terminals configured with first long-term credentials.
In some possible embodiments, the method further comprises: the second remote terminal discovers the first remote terminal and selects a relay terminal.
In some possible implementations, the second direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the second direct communication request message carries security capability information of the relay terminal, where the security capability information of the relay terminal is used to indicate a security algorithm supported by the relay terminal.
In some possible embodiments, the second direct communication request message further includes at least one of the following: a relay service code; a neighbor service code; and a second random number.
In some possible embodiments, the second direct communication request message carries an identifier of a second shared key; the method further comprises: the second remote terminal determines the second shared key according to the second shared key identifier, wherein the second shared key is used for secure communication between the second remote terminal and the relay terminal.
In some possible embodiments, the method further comprises: the second remote terminal determines that the second shared key is valid.
In some possible embodiments, the method further comprises: the second remote terminal sends a second direct communication acceptance message to the relay terminal.
According to a fourth aspect of the present disclosure there is provided a relay communication method, which may be applied to a network device in a communication system. The method comprises the following steps: the network device receives a first request message, wherein the first request message is used for requesting a first long-term credential; the network device authenticates the relay terminal; if the authentication passes, the network device sends the first long-term credential to the relay terminal; the first long-term credential is used for establishing secure direct communication links between the relay terminal and the peer first remote terminal and second remote terminal, and the direct communication links are used for relaying transmission information between the first remote terminal and the second remote terminal.
In some possible embodiments, the method further comprises: the network device configures the first long-term credential for the first remote terminal and the second remote terminal; the network device sends a first long-term credential identifier and the first long-term credential to the first remote terminal and the second remote terminal, respectively, the first long-term credential identifier being used to identify the first long-term credential.
In some possible embodiments, the network device authenticates the relay terminal, including: the network device determines whether the relay terminal is authorized to provide a relay service based on the neighbor service subscription data.
In some possible implementations, the network device determining whether the relay terminal is authorized to provide a relay service based on neighbor service subscription data includes: the network device requests subscription information of the relay terminal from a unified data management (unified data management, UDM) entity of the relay terminal, the subscription information being used to indicate whether the relay terminal is authorized to provide the relay service; the network device receives the subscription information sent by the UDM entity; and the network device determines whether the relay terminal is authorized to provide the relay service according to the subscription information.
In some possible implementations, the network device determining whether the relay terminal is authorized to provide a relay service based on neighbor service subscription data includes: the network device determines whether the authorization information of the relay terminal is locally stored, and the authorization information is used for indicating that the relay terminal is authorized to provide the relay service.
In some possible embodiments, the method further comprises: the network device obtains the first long-term credential from the neighbor service application server, or the network device obtains a locally stored first long-term credential.
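The following is an added, simplified model of the first to fourth aspects above, written as illustration and not code from the patent or from 3GPP: a network device that releases the long-term credential only to a relay whose (constructed) subscription data authorizes it, and the request/accept exchange by which each peer and the relay derive or reuse a shared key. The HMAC-SHA256 derivation, the key lifetime, the algorithm names and all identifiers are assumptions standing in for the key hierarchy of Fig. 2.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

ALGS = ("NEA2", "NEA3", "NEA1")   # assumption: preference order used to pick a common algorithm
KEY_LIFETIME = 3600.0             # assumption: seconds for which a shared key stays valid


def kdf(credential: bytes, *parts: bytes) -> bytes:
    """Assumed stand-in for the key hierarchy of Fig. 2: HMAC-SHA256 over labelled inputs."""
    return hmac.new(credential, b"|".join(parts), hashlib.sha256).digest()


@dataclass
class SharedKey:
    key: bytes
    expires_at: float


@dataclass
class NetworkDevice:
    """Fourth aspect: authorizes the relay from ProSe subscription data, then releases the credential."""
    subscriptions: dict   # relay ue_id -> authorized to provide the relay service (constructed UDM data)
    credentials: dict     # long-term credential id -> long-term credential

    def first_request(self, relay_id: str, cred_id: str) -> Optional[bytes]:
        if not self.subscriptions.get(relay_id, False):
            return None   # authentication fails: the credential never leaves the network
        return self.credentials.get(cred_id)


@dataclass
class Terminal:
    ue_id: str
    cred_id: str
    credential: Optional[bytes] = None        # remote UEs are configured with it; the relay must fetch it
    sec_caps: tuple = ALGS
    keys: dict = field(default_factory=dict)  # peer ue_id -> (shared key id, SharedKey)

    def valid_key(self, peer: str, now: float):
        entry = self.keys.get(peer)
        return entry if entry and entry[1].expires_at > now else None


def establish_link(initiator: Terminal, responder: Terminal, net: NetworkDevice, now: float) -> str:
    """One direct communication request/accept exchange; returns the shared key id both sides hold."""
    # Request: credential id, security capabilities, codes, nonce, plus a shared key id if one is valid
    reuse = initiator.valid_key(responder.ue_id, now)
    request = {"cred_id": initiator.cred_id, "caps": initiator.sec_caps, "nonce": os.urandom(16),
               "relay_service_code": "RSC-constructed", "prose_code": "PC-constructed",
               "shared_key_id": reuse[0] if reuse else None}
    # A responder without the credential (the relay) sends the first request message to the network
    if responder.credential is None:
        responder.credential = net.first_request(responder.ue_id, request["cred_id"])
        if responder.credential is None:
            raise PermissionError(f"{responder.ue_id} is not authorized to relay; credential refused")
    if request["cred_id"] != responder.cred_id or initiator.credential is None:
        raise ValueError("long-term credential id mismatch or initiator not provisioned")
    held = responder.valid_key(initiator.ue_id, now)
    if request["shared_key_id"] and held and held[0] == request["shared_key_id"]:
        return held[0]   # both sides still hold the same valid shared key: reuse it, no new derivation
    common = [a for a in responder.sec_caps if a in request["caps"]]
    if not common:
        raise ValueError("no common security algorithm")
    alg, nonce2 = common[0], os.urandom(16)
    key = kdf(responder.credential, request["cred_id"].encode(), request["nonce"], nonce2, alg.encode())
    key_id = hashlib.sha256(key).hexdigest()[:8]
    accept = {"nonce": nonce2, "alg": alg, "key_id": key_id}   # direct communication accept message
    responder.keys[initiator.ue_id] = (key_id, SharedKey(key, now + KEY_LIFETIME))
    # The initiator derives the same key from its own copy of the long-term credential
    key_i = kdf(initiator.credential, request["cred_id"].encode(), request["nonce"],
                accept["nonce"], accept["alg"].encode())
    initiator.keys[responder.ue_id] = (accept["key_id"], SharedKey(key_i, now + KEY_LIFETIME))
    return key_id


def relay_u2u(ue1: Terminal, relay: Terminal, ue2: Terminal, net: NetworkDevice, now: float):
    """First to third aspects end to end: UE1 -> relay link, then relay -> UE2 link.
    The ordering of the two accept messages is collapsed into the two calls."""
    return establish_link(ue1, relay, net, now), establish_link(relay, ue2, net, now)


def make_scenario(relay_authorized: bool = True):
    """Constructed scenario: one credential id shared by the peers, a relay that starts without it."""
    cred = os.urandom(32)
    net = NetworkDevice({"relay": relay_authorized}, {"LTC-1": cred})
    return net, Terminal("ue1", "LTC-1", cred), Terminal("relay", "LTC-1"), Terminal("ue2", "LTC-1", cred)


if __name__ == "__main__":
    net, ue1, relay, ue2 = make_scenario()
    print("shared key ids:", relay_u2u(ue1, relay, ue2, net, 0.0))
```

The two hop keys differ, so the relay re-protects traffic on each link; what the model cannot show is the end-to-end secrecy question the background raises, since the authorized relay holds both keys.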
According to a fifth aspect of the present disclosure, there is provided a communication device, which may be a relay terminal in a communication system or a chip or a system on chip of the relay terminal, and may be a functional module in the relay terminal for implementing the method described in the foregoing embodiments. The communication device may implement the functions performed by the relay terminal in the above embodiments, and these functions may be implemented by hardware executing corresponding software. Such hardware or software includes one or more modules corresponding to the functions described above. The apparatus may include: a receiving module configured to receive a first direct communication request message sent from a first remote terminal; a processing module configured to establish a secure first direct communication link with the first remote terminal based on a first long-term credential sent by the network device to the relay terminal when authentication of the relay terminal passes; the first direct communication link is used for transmitting transmission information between the first remote terminal and the second remote terminal.
In some possible implementations, the first remote terminal and the second remote terminal are peer terminals configured with first long-term credentials.
In some possible implementations, the first direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the first direct communication request message further includes at least one of the following: the security capability information of the first remote terminal is used for indicating a security algorithm supported by the first remote terminal; a relay service code; a neighbor service code; a first random number.
In some possible embodiments, the apparatus further comprises: a sending module configured to send a first request message to the network device, wherein the first request message carries a first long-term credential identifier; and a receiving module configured to receive a first response message from the network device, the first response message carrying the first long-term credential.
In some possible embodiments, the first direct communication request message carries an identifier of the first shared key; and the processing module is configured to determine the first shared key according to the first shared key identifier, wherein the first shared key is used for secure communication between the relay terminal and the first remote terminal.
In some possible implementations, the processing module is configured to determine that the first shared key is valid.
In some possible embodiments, the apparatus further comprises: a sending module configured to send a second direct communication request message to a second remote terminal; a processing module configured to establish a secure second direct communication link with a second remote terminal based on the first long-term credential; the second direct communication link is used for transmitting transmission information.
In some possible implementations, the second direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the second direct communication request message carries security capability information of the relay terminal, where the security capability information of the relay terminal is used to indicate a security algorithm supported by the relay terminal.
In some possible embodiments, the second direct communication request message further includes at least one of the following: a relay service code; a neighbor service code; and a second random number.
In some possible implementations, the processing module is configured to determine that a second shared key is present, the second shared key being used for secure communication between the relay terminal and the second remote terminal; and the sending module is configured to carry a second shared key identifier on the second direct communication request message for sending, and the second shared key identifier is used for identifying the second shared key.
In some possible implementations, the processing module is configured to determine that a valid second shared key is present.
In some possible embodiments, the apparatus further comprises: a receiving module configured to receive a second direct communication accept message from the second remote terminal; and a transmitting module configured to transmit a first direct communication accept message to the first remote terminal.
In some possible implementations, the identity of the relay terminal is one of: a neighbor service application identifier of the relay terminal; terminal identification of the relay terminal.
According to a sixth aspect of the present disclosure, there is provided a communication device, which may be a first remote terminal in a communication system or a chip or a system on chip of the first remote terminal, and may also be a functional module in the first remote terminal for implementing the method described in the foregoing embodiments. The communication device may implement the functions performed by the first remote terminal in the above embodiments, and these functions may be implemented by hardware executing corresponding software. Such hardware or software includes one or more modules corresponding to the functions described above. The apparatus may include: a sending module configured to send a first direct communication request message to the relay terminal, the relay terminal having a first long-term credential, the first long-term credential being sent to the relay terminal by the network device when authentication of the relay terminal passes; and a processing module configured to establish a secure first direct communication link with the relay terminal, wherein the first direct communication link is used for transmitting transmission information between the first remote terminal and the second remote terminal.
In some possible implementations, the first remote terminal and the second remote terminal are peer terminals configured with first long-term credentials.
In some possible implementations, the processing module is further configured to discover a second remote terminal and select a relay terminal.
In some possible implementations, the first direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the first direct communication request message further includes at least one of the following: the security capability information of the first remote terminal is used for indicating a security algorithm supported by the first remote terminal; a relay service code; a neighbor service code; a first random number.
In some possible embodiments, the apparatus further comprises: a processing module configured to determine that a first shared key is present, the first shared key being used for secure communications between the relay terminal and the first remote terminal; and the sending module is configured to carry a first shared key identifier on the first direct communication request message for sending, wherein the first shared key identifier is used for identifying the first shared key.
In some possible implementations, the processing module is configured to determine that a valid first shared key is present.
In some possible embodiments, the apparatus further comprises: and the receiving module is configured to receive a first direct communication acceptance message sent by the relay terminal.
According to a seventh aspect of the present disclosure, there is provided a communication device, which may be a second remote terminal in a communication system or a chip or a system on chip of the second remote terminal, and may be a functional module in the second remote terminal for implementing the method described in the foregoing embodiments. The communication device may implement the functions performed by the second remote terminal in the above embodiments, and these functions may be implemented by hardware executing corresponding software. Such hardware or software includes one or more modules corresponding to the functions described above. The apparatus may include: a receiving module configured to receive the second direct communication request message sent by the relay terminal, the relay terminal being provided with a first long-term credential, the first long-term credential being sent to the relay terminal by the network device when authentication of the relay terminal passes; and a processing module configured to establish a secure second direct communication link with the relay terminal, the second direct communication link being used for transmitting transmission information between the second remote terminal and the first remote terminal.
In some possible implementations, the first remote terminal and the second remote terminal are peer terminals configured with first long-term credentials.
In some possible implementations, the processing module is further configured to discover the first remote terminal and select the relay terminal.
In some possible implementations, the second direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the second direct communication request message carries security capability information of the relay terminal, where the security capability information of the relay terminal is used to indicate a security algorithm supported by the relay terminal.
In some possible embodiments, the second direct communication request message further includes at least one of the following: a relay service code; a neighbor service code; and a second random number.
In some possible embodiments, the second direct communication request message carries an identifier of a second shared key; the processing module is further configured to determine the second shared key based on the second shared key identifier, the second shared key being used for secure communication between the second remote terminal and the relay terminal.
In some possible implementations, the processing module is further configured to determine that the second shared key is valid.
In some possible embodiments, the apparatus further comprises: and the sending module is configured to send a second direct communication acceptance message to the relay terminal.
According to an eighth aspect of the present disclosure, there is provided a communication apparatus, which may be a network device in a communication system or a chip or a system on chip of the network device, and may also be a functional module in the network device for implementing the method described in the foregoing embodiments. The communication device may implement the functions performed by the network device in the above embodiments, and these functions may be implemented by hardware executing corresponding software. Such hardware or software includes one or more modules corresponding to the functions described above. The apparatus may include: a receiving module configured to receive a first request message for requesting a first long-term credential; a processing module configured to authenticate the relay terminal; and a transmitting module configured to transmit the first long-term credential to the relay terminal in case the authentication passes; the first long-term credential is used for establishing secure direct communication links between the relay terminal and the peer first remote terminal and second remote terminal, and the direct communication links are used for relaying transmission information between the first remote terminal and the second remote terminal.
In some possible implementations, the processing module is configured to set the first long-term credentials for the first remote terminal and the second remote terminal; and a transmitting module configured to transmit a first long-term credential identification and a first long-term credential to the first remote terminal and the second remote terminal, respectively, the first long-term credential identification being used to identify the first long-term credential.
In some possible implementations, the processing module is configured to determine whether the relay terminal is authorized to provide the relay service based on the neighbor service subscription data.
In some possible embodiments, the sending module is configured to request subscription information of the relay terminal from a UDM entity of the relay terminal, where the subscription information is used to indicate whether the relay terminal is authorized to provide the relay service; the receiving module is configured to receive subscription information sent by the UDM entity; and the processing module is configured to determine whether the relay terminal is authorized to provide the relay service according to the subscription information.
In some possible embodiments, the processing module is configured to determine whether authorization information of the relay terminal is stored locally, where the authorization information is used to indicate that the relay terminal is authorized to provide the relay service.
In some possible implementations, the processing module is configured to obtain the first long-term credential from the neighbor service application server, or to obtain a locally stored first long-term credential.
According to a ninth aspect of the present disclosure there is provided a communication device, such as a relay terminal, comprising: a memory and a processor; the processor is connected to the memory and configured to execute computer-executable instructions stored on the memory to implement the relay communication method as described in the first aspect and any possible implementation manner thereof.
According to a tenth aspect of the present disclosure there is provided a communication device, such as a first remote terminal, comprising: a memory and a processor; the processor is connected to the memory and is configured to implement the relay communication method according to the second aspect and any possible implementation manner thereof, by executing computer executable instructions stored on the memory.
According to an eleventh aspect of the present disclosure there is provided a communication device, such as a second remote terminal, comprising: a memory and a processor; the processor is connected to the memory and configured to execute computer-executable instructions stored on the memory to implement the relay communication method as described in the third aspect and any possible implementation thereof.
According to a twelfth aspect of the present disclosure there is provided a communication device, such as a network device, comprising: a memory and a processor; the processor is connected to the memory and configured to execute computer-executable instructions stored on the memory to implement the relay communication method according to the fourth aspect and any possible implementation thereof.
According to a thirteenth aspect of the present disclosure there is provided a computer readable storage medium having instructions stored therein; when the instructions are run on a computer, they cause the computer to perform the relay communication method as described in the first to fourth aspects and any possible implementation thereof.
According to a fourteenth aspect of the present disclosure there is provided a computer program or computer program product which, when executed on a computer, causes the computer to implement a relay communication method as described in the first to fourth aspects and any possible implementation thereof.
In the present disclosure, relay UEs establish a secure layer 3 (L3) U2U link between UE1 and UE2 by establishing secure direct communication links with peer UEs, respectively, to implement 5G ProSe U2U Relay.
It should be understood that, the fifth to fourteenth aspects of the present disclosure are consistent with the technical solutions of the first to fourth aspects of the present disclosure, and the advantages obtained by each aspect and the corresponding possible embodiments are similar, and are not repeated.
Drawings
Fig. 1 is a schematic diagram of a communication system in an embodiment of the present disclosure;
Fig. 2 is a schematic diagram of a key hierarchy of a direct unicast link in an embodiment of the present disclosure;
Fig. 3 is a schematic flow chart of an implementation of a first relay communication method in an embodiment of the disclosure;
Fig. 4 is a schematic flow chart of an implementation of establishing a secure direct communication link between a relay UE and UE1 in an embodiment of the disclosure;
Fig. 5 is a schematic flow chart of an implementation of establishing a secure direct communication link between a relay UE and UE2 in an embodiment of the disclosure;
Fig. 6 is a schematic flow chart of an implementation of a relay UE requesting long-term credentials from a network device in an embodiment of the disclosure;
Fig. 7 is a schematic flow chart of an implementation of a second relay communication method in an embodiment of the disclosure;
Fig. 8 is a schematic flow chart of an implementation of a relay communication method at the relay UE side in an embodiment of the disclosure;
Fig. 9 is a schematic flow chart of an implementation of a relay communication method at the UE1 side in an embodiment of the disclosure;
Fig. 10 is a schematic flow chart of an implementation of a relay communication method at the UE2 side in an embodiment of the disclosure;
Fig. 11 is a schematic flow chart of an implementation of a relay communication method at the network device side in an embodiment of the disclosure;
Fig. 12 is a schematic structural diagram of a communication device according to an embodiment of the disclosure;
Fig. 13 is a schematic structural diagram of a communication device in an embodiment of the disclosure;
Fig. 14 is a schematic structural diagram of a terminal device in an embodiment of the disclosure;
Fig. 15 is a schematic structural diagram of a network device in an embodiment of the disclosure.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the embodiments of the present disclosure. Rather, they are merely examples of apparatus and methods consistent with aspects of embodiments of the present disclosure as detailed in the accompanying claims.
The terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to limit the embodiments of the disclosure. As used in the embodiments of this disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein merely describes an association relationship between objects, meaning that three relationships may exist. For example, "A and/or B" may represent: A exists alone, A and B exist together, or B exists alone. In addition, in the description of the present disclosure, "a plurality" means two or more.
It should be understood that although the terms "first," "second," "third," etc. may be used in embodiments of the present disclosure to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the "first information" may also be referred to as "second information", and similarly, the "second information" may also be referred to as "first information", without departing from the scope of the embodiments of the present disclosure. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
A 5G (fifth generation mobile communication technology) network defines a 5G ProSe terminal-to-terminal Relay (5G ProSe U2U Relay) technology, in which a Relay terminal provides a Relay function to support a connection between 5G ProSe remote terminals.
In the embodiment of the disclosure, the remote terminal is a peer terminal, and the network configures the peer terminal with the same long-term credentials and long-term credential identification.
The disclosed embodiments provide a communication system. The communication system may be a communication system based on cellular mobile communication technology, such as a 5G (fifth generation mobile communication technology) system. Fig. 1 is a schematic diagram of a communication system in an embodiment of the disclosure, referring to fig. 1, the communication system 100 may include: a first remote terminal 101, a terminal-to-terminal Relay (UE-to-UE Relay, abbreviated as U2U Relay) 102, a second remote terminal 103. Here, a terminal-to-terminal Relay (UE-to-UE Relay) 102 may be implemented using a Relay (Relay) terminal. Optionally, a PC5 interface exists between the first remote terminal 101, the UE-to-UE Relay 102, and the second remote terminal 103.
The remote UE and the relay UE may be terminals with a wireless communication function, and may be deployed on land, including indoor or outdoor, handheld, wearable or vehicle-mounted; they may also be deployed on the water surface (such as on ships); or they may be deployed in the air (e.g., on aircraft, balloons, satellites, etc.). The terminal may be a mobile phone, a tablet (Pad), a computer with a wireless transceiving function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned driving (self-driving), a wireless terminal in remote medical care, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, or the like. The terminal may also be a handheld device, an in-vehicle device, a wearable device, a computing device, or another processing device connected to a wireless modem with wireless communication capabilities. Terminal devices in different networks may be called different names, for example: a terminal device, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent or user device, a cellular telephone, a cordless telephone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a terminal in a 5G network or a future evolved network, and the like. In the embodiments of the present disclosure, a terminal may be referred to as a User Equipment (UE).
Further, the communication system may further include a network device 104, where the network device 104 may perform security configuration, such as configuring keys, for the remote UE and the relay UE. Here, the network device 104 may be one of: a policy control function (PCF) entity, a 5G direct discovery name management function (DDNMF) entity, a 5G ProSe key management function (PKMF) entity, or a ProSe application server. It is understood that the network device 104 may be disposed in a 5G core network (5GC). Of course, the network device 104 may also include various evolved versions of the above functional entities, and other functional entities capable of implementing the above functions, which are not specifically limited by the embodiments of the present disclosure.
It should be noted that the functions and interfaces of the communication devices described above are merely exemplary, and not all the functions of the respective network devices are necessary when applied to the embodiments of the present disclosure. All or part of the devices of the core network may be physical devices or virtualized devices, and are not limited herein. Of course, the communication system in the embodiment of the present disclosure may further include other devices not shown in fig. 1, which is not limited herein.
Currently, in the above communication system, proSe enables peer terminals (i.e., peer UEs) to communicate with each other through 5G ProSe UE-to-UE Relay. This means that if the source terminal (i.e. source UE) cannot reach the target terminal (i.e. target UE) directly, the source UE will attempt to discover one relay terminal (relay UE) to reach the target UE, which also triggers the relay UE to discover the target UE. However, a relay UE that is an untrusted node may be compromised, thereby compromising the security (i.e., integrity and confidentiality) of information between peer UEs. How to provide a secure 5G ProSe UE-to-UE Relay is a technical problem to be solved.
In order to solve the above-described problems, the embodiments of the present disclosure provide a relay communication method that can be applied to the above-described communication system.
In the embodiment of the disclosure, the first remote terminal and the second remote terminal are peer UEs, which may be denoted as UE1 and UE2, where UE1 is the source UE and UE2 is the target UE. The network device may be a PKMF entity of the relay UE, UE1 or UE2, a 5G DDNMF entity, or the like. The 5G DDNMF entity may include a DDNMF entity of the relay UE, a DDNMF entity of UE1, or a DDNMF entity of UE2.
In some possible implementations, a network device (e.g., a 5G DDNMF entity or a PKMF entity) may pre-configure the peer UE1 and UE2 with the same long-term credential (long term credential) and the same long-term credential identifier (long term credential ID) representing that long-term credential. The long-term credential is the root key from which UE1 and UE2 generate the subsequent keys of the secure communication mechanism. For example, the DDNMF entity of UE1 configures a long-term credential identifier a and the corresponding long-term credential A for UE1, and likewise the DDNMF entity of UE2 configures the long-term credential identifier a and the corresponding long-term credential A for UE2. Here, "long-term credential" may also be described as "long-term certificate", "long-term key", or the like.
In other possible embodiments, UE1 and UE2 may preset the same long-term credentials and long-term credential identification at the factory.
Fig. 2 is a schematic key hierarchy diagram of a direct unicast link in an embodiment of the present disclosure. Referring to fig. 2, the levels of the key hierarchy are as follows:
The long-term credentials are root credentials provided to the UE and form the basis of the direct unicast link secure communication mechanism. A long-term credential may be a symmetric key or a public/private key pair. Authentication signalling is exchanged between the UEs to derive K_NRP.
K_NRP is a 256-bit root key (also referred to as a shared key, direct key, etc.) shared between two entities (e.g., peer UEs) communicating over a direct unicast link. K_NRP can be updated by re-running the authentication signalling using the long-term credentials. Random numbers are exchanged between the UEs and, together with K_NRP, are used to generate K_NRP-sess (i.e., the next-layer key). K_NRP may be retained even when there is no active unicast communication session between the UEs. K_NRP has a 32-bit identifier (K_NRP ID), i.e., the K_NRP ID is used to identify K_NRP.
K_NRP-sess is a 256-bit key derived by the UE from K_NRP, also referred to as a session key, and is used to protect data transmission between the UEs. K_NRP-sess is derived per unicast link. During an active unicast communication session between the UEs, K_NRP-sess may be updated by running a key update procedure. The actual keys used in the confidentiality and integrity algorithms are derived directly from K_NRP-sess. K_NRP-sess has a 16-bit identifier (K_NRP-sess ID), i.e., the K_NRP-sess ID is used to identify K_NRP-sess.
NRPEK and NRPIK are the encryption key (NRPEK) and the integrity key (NRPIK) for direct unicast communication, used in the selected confidentiality and integrity algorithms to protect PC5-S signalling, PC5 radio resource control (RRC) signalling, PC5 user plane data, etc. NRPEK and NRPIK are derived from K_NRP-sess; each time K_NRP-sess changes, both NRPEK and NRPIK are automatically refreshed.
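As an added illustration of this key hierarchy (not code from the patent or from 3GPP), the following Python walks one direct unicast link through the four levels with a stand-in HMAC-SHA256 KDF and a symmetric long-term credential. The label strings, nonces, the constructed credential and the assumption that each side contributes half of each key identifier are mine, not from any specification.

```python
import hashlib
import hmac


def kdf(key: bytes, label: str, *parts: bytes) -> bytes:
    """Stand-in 256-bit KDF (HMAC-SHA256); the real derivation is specified in 3GPP TS 33.536."""
    data = label.encode() + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_k_nrp(long_term_credential: bytes, nonce_a: bytes, nonce_b: bytes,
                 id_half_a: bytes, id_half_b: bytes) -> tuple:
    """Authentication signalling: 256-bit K_NRP plus its 32-bit K_NRP ID.
    Assumption: each side contributes a nonce and 16 bits of the identifier."""
    k_nrp = kdf(long_term_credential, "K_NRP", nonce_a, nonce_b)
    return k_nrp, id_half_a + id_half_b


def derive_k_nrp_sess(k_nrp: bytes, nonce_1: bytes, nonce_2: bytes,
                      id_half_1: bytes, id_half_2: bytes) -> tuple:
    """Per-link 256-bit session key K_NRP-sess and its 16-bit K_NRP-sess ID (8 bits per side)."""
    return kdf(k_nrp, "K_NRP-sess", nonce_1, nonce_2), id_half_1 + id_half_2


def derive_nrpek_nrpik(k_nrp_sess: bytes, chosen_algs: str) -> tuple:
    """Encryption and integrity keys come directly from K_NRP-sess and the selected algorithms."""
    return (kdf(k_nrp_sess, "NRPEK", chosen_algs.encode()),
            kdf(k_nrp_sess, "NRPIK", chosen_algs.encode()))


def key_hierarchy_demo() -> dict:
    ltc_a = b"\xa5" * 32  # constructed long-term credential A (symmetric form), not a real key
    # Both peers compute K_NRP from the same exchanged authentication signalling values.
    k_nrp_ue1, k_nrp_id = derive_k_nrp(ltc_a, b"auth-ue1", b"auth-relay", b"\x12\x34", b"\xab\xcd")
    k_nrp_relay, _ = derive_k_nrp(ltc_a, b"auth-ue1", b"auth-relay", b"\x12\x34", b"\xab\xcd")
    # First unicast session: fresh nonces with K_NRP give K_NRP-sess, then NRPEK / NRPIK.
    sess_1, sess_id_1 = derive_k_nrp_sess(k_nrp_ue1, b"nonce1", b"nonce2", b"\x01", b"\x02")
    ek_1, ik_1 = derive_nrpek_nrpik(sess_1, "NIA2+NEA2")   # constructed algorithm labels
    # Key update: only the K_NRP-sess step is rerun; K_NRP is retained, both lower keys change.
    sess_2, sess_id_2 = derive_k_nrp_sess(k_nrp_ue1, b"nonce1b", b"nonce2b", b"\x03", b"\x04")
    ek_2, ik_2 = derive_nrpek_nrpik(sess_2, "NIA2+NEA2")
    return {"peers_agree": k_nrp_ue1 == k_nrp_relay,
            "k_nrp_bits": len(k_nrp_ue1) * 8, "k_nrp_id_bits": len(k_nrp_id) * 8,
            "k_nrp_sess_bits": len(sess_1) * 8, "k_nrp_sess_id_bits": len(sess_id_1) * 8,
            "sess_id_changed": sess_id_1 != sess_id_2, "sess_changed": sess_1 != sess_2,
            "nrpek_refreshed": ek_1 != ek_2, "nrpik_refreshed": ik_1 != ik_2,
            "ek_ik_distinct": ek_1 != ik_1}


if __name__ == "__main__":
    print(key_hierarchy_demo())
```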
The relay communication method provided by the embodiment of the present disclosure is described below with reference to the above communication system.
It should be noted that UE1, UE2 and the relay UE first perform the discovery and relay selection processes using the discovery parameters and the discovery security materials, and then perform the process of establishing a direct communication link. Suppose that UE1 and UE2 have discovered each other and selected the same U2U Relay after the discovery and relay selection procedure, i.e., UE1 and UE2 select the same relay UE. Then, a U2U Relay link is established between UE1 and UE2.
Fig. 3 is a schematic flow chart of an implementation of a first relay communication method in an embodiment of the disclosure, referring to a solid line in fig. 3, the communication method may include:
S301, UE1 sends a first direct communication request message (e.g. Direct Connection Request 1) to the relay UE.
The first direct communication request message may carry a first long-term credential identifier (e.g., a long-term credential identifier a), where the long-term credential identifier a is used to identify the long-term credential A, and the long-term credential A can provide the relay UE, UE1 and UE2 with a shared key for secure communication, such as K_NRP.
It should be appreciated that when UE1 needs to send transmission information to UE2, UE1 may send a first direct communication request message to the relay UE to request a direct communication link with the relay UE, thereby triggering direct communication with UE2.
In some possible embodiments, the first direct communication request message may further include at least one of: the security capability information (security capabilities) of UE1, a relay service code (RSC), a ProSe code, and a random number 1 (i.e., a first random number, which may be denoted as nonce 1). The security capability information of UE1 indicates the security algorithms supported by UE1. The relay UE can determine a selected security algorithm according to the security capability information of UE1 and its own security policy, so as to verify the integrity and/or confidentiality of the signalling between the relay UE and UE1.
S302, the relay UE establishes a secure direct communication link with UE1 according to the long-term credential A.
It should be appreciated that the relay UE may obtain the long-term credential a after receiving the long-term credential identity a through S301. Then, the relay UE establishes a secure direct communication link (i.e., a first direct communication link, which may be referred to as a direct communication link a) with the UE1 according to the long-term credential a, and establishes a secure direct communication link (i.e., a second direct communication link, which may be referred to as a direct communication link B) with the UE2 according to the long-term credential a.
In an embodiment, referring to the dashed line in fig. 3, after S302, the method further includes S303 to S304.
S303, the relay UE sends a second direct communication request message (e.g. Direct Connection Request 2) to UE2.
It should be appreciated that, similar to the first direct communication request message, the second direct communication request message may carry the long-term credential identifier a.
In an embodiment, the second direct communication request message may further include at least one of the following: the security capability information of the relay UE, the RSC, the ProSe code, and a random number 3 (i.e., the second random number, which may be denoted as nonce 3). The security capability information of the relay UE indicates the security algorithms supported by the relay UE. UE2 can determine a selected security algorithm according to the security capability information of the relay UE and its own security policy, for subsequent verification of the integrity and/or confidentiality of the signalling between the relay UE and UE2.
S304, UE2 establishes a secure direct communication link with the relay UE according to the long-term credential A.
It should be appreciated that after establishing the direct communication link A with UE1, the relay UE sends the second direct communication request message to UE2 to trigger the process of establishing the direct communication link B between the relay UE and UE2. UE2 obtains the long-term credential A according to the long-term credential identifier a, and then establishes the secure direct communication link B with the relay UE.
In some possible embodiments, the long-term credential A may be sent to the relay UE when the relay UE is authenticated by a network device (e.g., the DDNMF or PKMF of the relay UE). For example, if the relay UE established a direct communication link of the same service type before S301, using the same long-term credential A as in S301, then during that earlier link establishment the relay UE may have obtained and saved the long-term credential A sent by the network device after the relay UE passed authentication. After S301, the relay UE can then establish secure direct communication links with UE1 and UE2, respectively, according to the long-term credential A. Alternatively, after S301 the relay UE requests the long-term credential A from the network device and obtains the long-term credential A that the network device sends after the relay UE passes authentication. The relay UE then establishes secure direct communication links with UE1 and UE2, respectively, according to the long-term credential A.
In S302 and S304 above, the relay UE, UE1 and UE2 use the shared keys K (i.e., the first shared key) and K' (i.e., the second shared key), both derived from the long-term credential A, for secure communication. The shared key K is used for secure communication between UE1 and the relay UE, and the shared key K' is used for secure communication between UE2 and the relay UE. For example, the shared key K may be K_NRP and the shared key K' may be K'_NRP. In an embodiment, the relay UE and UE1 may further derive K_NRP-sess, NRPEK and NRPIK from K_NRP, and the relay UE and UE2 may further derive K'_NRP-sess, NRPEK' and NRPIK' from K'_NRP.
The shared key K may be the same as or different from the shared key K' due to factors such as different security capabilities of the UE1 and the UE2 and different supported security policies.
In some possible implementations, fig. 4 is a schematic flowchart of an implementation of establishing a secure direct communication link between a relay UE and a UE1 in an embodiment of the disclosure, and referring to fig. 4, S302 may include S401 to S403.
S401, the relay UE sends a first direct security mode command message to UE1 (e.g. Direct Security Mode Command message 1).
The first direct security mode command message carries a selected security algorithm (chosen_algs) and a random number 2 (which may be denoted nonce 2). Here, chosen_algs are determined by the relay UE according to the security capability of UE1 and the direct communication link security policy of the relay UE.
Here, the direct communication link security policy may be one of the following: the control plane confidentiality security policy of the direct communication link, the control plane integrity security policy of the direct communication link, the user plane confidentiality security policy of the direct communication link or the user plane integrity security policy of the direct communication link.
In one embodiment, the security policies may be divided into three types: required (required), not required (non-required), and preferred (preferred). "Required" means the protection must be activated, "not required" means the protection must not be activated, and "preferred" (also called optional) means activation is preferred but the protection may or may not be activated; these meanings apply uniformly below and are not repeated.
Illustratively, taking the control plane confidentiality security policy of the direct communication link as an example, the control plane confidentiality security policy of the direct communication link includes: the control plane confidentiality protection of the direct communication link is on (required), the control plane confidentiality protection of the direct communication link is not on (non-required), or the control plane confidentiality protection of the direct communication link is optional (preferred). Examples of the control plane integrity security policy of the direct communication link, the user plane confidentiality security policy of the direct communication link, and the user plane integrity security policy of the direct communication link may refer to examples of the control plane confidentiality protection policy of the direct communication link, and are not described herein.
S402, the UE1 performs integrity verification on the first direct security mode command message based on the selected security policy.
It should be understood that the UE1 performs integrity verification of the first direct security mode command message according to the selected security algorithm (chosen_algs) and the random number 2 in response to the first direct security mode command message, and performs S403 if the verification passes.
S403, UE1 sends a first direct security mode complete message (e.g. Direct Security Mode Complete message 1) to the relay UE.
After S403, the relay UE does not send a response message to the first direct communication request message, such as the first direct communication accept message, to UE1, but directly initiates the process of establishing the direct communication link B with UE2.
In some possible implementations, similar to S401 to S403 described above, fig. 5 is a schematic flow chart of implementation of establishing a secure direct communication link between a relay UE and a UE2 in an embodiment of the disclosure, and referring to fig. 5, S304 may include S501 to S503.
S501, UE2 sends a second direct security mode command message (e.g. Direct Security Mode Command message 2) to the relay UE.
The second direct security mode command message carries a selected security algorithm (chosen_algs') and a random number 4 (which may be denoted nonce 4). Here, chosen_algs' is determined by UE2 according to the security capability of the relay UE and the direct communication link security policy of UE2.
S502, the relay UE performs integrity verification on the second direct connection security mode command message based on the selected security policy.
It should be understood that the UE2 performs integrity verification of the second direct security mode command message according to the selected security algorithm (chosen_algs') and the random number 4 in response to the second direct security mode command message, and performs S503 in case that the verification is passed.
S503, the relay UE sends a second direct security mode complete message (e.g. Direct Security Mode Complete message 2) to UE2.
It should be noted that the process of establishing the direct communication links A and B in S302 and S304 above may refer to the content described in 3GPP TS 33.536, and is not described again here.
In some possible embodiments, after S503, UE2 may send a first direct communication accept message (e.g., Direct Communication Accept message 1) to the relay UE to indicate to the relay UE that establishment of the direct communication link B is complete; then, in response to the first direct communication accept message, the relay UE sends a second direct communication accept message (e.g., Direct Communication Accept message 2) to UE1 to indicate to UE1 that establishment of the direct communication link A is complete.
Through the above steps, the direct communication link between UE1 and UE2 is established, and UE1 and UE2 can perform 5G ProSe U2U Relay communication.
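The two link establishments (S301 to S304, with S401 to S403 and S501 to S503) as an added, simulated exchange with both sides' messages; this is illustrative code, not the patent's or 3GPP's. The algorithm names, nonces, credential and message encodings are constructed, and the KDF and 32-bit integrity tag stand in for the real TS 33.536 derivation and PC5-S protection.

```python
import hashlib
import hmac
from dataclasses import dataclass


def kdf(key: bytes, label: str, *parts: bytes) -> bytes:
    """Stand-in 256-bit KDF (HMAC-SHA256); the real derivation is specified in 3GPP TS 33.536."""
    data = label.encode() + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_link_keys(ltc: bytes, nonce_req: bytes, nonce_cmd: bytes, algs: str) -> dict:
    """Long-term credential -> K_NRP -> K_NRP-sess -> NRPEK / NRPIK for one direct link."""
    k_nrp = kdf(ltc, "K_NRP", nonce_req, nonce_cmd)
    k_sess = kdf(k_nrp, "K_NRP-sess", nonce_req, nonce_cmd)
    return {"K_NRP": k_nrp, "K_NRP-sess": k_sess,
            "NRPEK": kdf(k_sess, "NRPEK", algs.encode()),
            "NRPIK": kdf(k_sess, "NRPIK", algs.encode())}


def mac_i(nrpik: bytes, body: bytes) -> bytes:
    """Constructed 32-bit integrity tag over a PC5-S message body, keyed with NRPIK."""
    return hmac.new(nrpik, body, hashlib.sha256).digest()[:4]


def choose_algs(peer_caps: list, own_caps: list, policy: str) -> str:
    """chosen_algs: one integrity (NIA*) and one ciphering (NEA*) algorithm, selected from the
    peer's security capability and the responder's own link security policy."""
    chosen = []
    for prefix, null_alg in (("NIA", "NIA0"), ("NEA", "NEA0")):
        common = [a for a in own_caps if a.startswith(prefix) and a in peer_caps]
        real = [a for a in common if a != null_alg]
        if real:
            chosen.append(real[0])       # first common non-null algorithm in own preference order
        elif policy != "required" and null_alg in common:
            chosen.append(null_alg)      # protection may stay off only when policy is not "required"
        else:
            raise ValueError(f"no acceptable {prefix} algorithm under policy '{policy}'")
    return "+".join(chosen)


@dataclass
class Ue:
    name: str
    caps: list          # supported algorithms in own preference order (constructed names)
    policy: str         # direct communication link security policy: required / preferred / not required
    credentials: dict   # long-term credential identifier -> long-term credential


def direct_communication_request(sender: Ue, ltc_id: str, nonce: bytes) -> dict:
    """Carries the long-term credential identifier, the sender's security capability and a nonce."""
    return {"msg": "Direct Communication Request", "ltc_id": ltc_id, "caps": sender.caps, "nonce": nonce}


def direct_security_mode_command(responder: Ue, dcr: dict, nonce: bytes) -> tuple:
    """Responder selects chosen_algs, derives the link keys from the credential named in the
    request and integrity-protects the command with the new NRPIK. Returns (message, keys)."""
    algs = choose_algs(dcr["caps"], responder.caps, responder.policy)
    keys = derive_link_keys(responder.credentials[dcr["ltc_id"]], dcr["nonce"], nonce, algs)
    msg = {"msg": "Direct Security Mode Command", "chosen_algs": algs, "nonce": nonce}
    msg["mac"] = mac_i(keys["NRPIK"], algs.encode() + nonce)
    return msg, keys


def verify_and_complete(initiator: Ue, dcr: dict, dsmc: dict) -> tuple:
    """Initiator derives the same keys and verifies the command's integrity before completing."""
    keys = derive_link_keys(initiator.credentials[dcr["ltc_id"]], dcr["nonce"], dsmc["nonce"],
                            dsmc["chosen_algs"])
    expected = mac_i(keys["NRPIK"], dsmc["chosen_algs"].encode() + dsmc["nonce"])
    if not hmac.compare_digest(expected, dsmc["mac"]):
        raise ValueError(f"{initiator.name}: integrity verification of the security mode command failed")
    return {"msg": "Direct Security Mode Complete"}, keys


def establish_u2u_relay(ue1: Ue, relay: Ue, ue2: Ue, ltc_id: str) -> dict:
    """S301-S304: link A (UE1 <-> relay, S401-S403) and then link B (relay <-> UE2, S501-S503)."""
    dcr1 = direct_communication_request(ue1, ltc_id, b"nonce1")              # S301
    dsmc1, relay_a = direct_security_mode_command(relay, dcr1, b"nonce2")    # S401
    _, ue1_a = verify_and_complete(ue1, dcr1, dsmc1)                         # S402, S403
    # No accept message to UE1 yet: the relay immediately triggers link B towards UE2.
    dcr2 = direct_communication_request(relay, ltc_id, b"nonce3")            # S303
    dsmc2, ue2_b = direct_security_mode_command(ue2, dcr2, b"nonce4")        # S501
    _, relay_b = verify_and_complete(relay, dcr2, dsmc2)                     # S502, S503
    # Accept messages then travel back: UE2 -> relay on link B, relay -> UE1 on link A.
    return {"chosen_algs_a": dsmc1["chosen_algs"], "chosen_algs_b": dsmc2["chosen_algs"],
            "K": relay_a["K_NRP"], "K_prime": relay_b["K_NRP"],
            "link_a_agreed": ue1_a == relay_a, "link_b_agreed": ue2_b == relay_b}


# Constructed sample: all three UEs hold long-term credential A under identifier "a".
LTC_A = bytes(range(32))
UE1 = Ue("UE1", ["NIA2", "NEA2", "NIA0", "NEA0"], "required", {"a": LTC_A})
RELAY = Ue("relay UE", ["NIA2", "NIA1", "NEA2", "NEA1", "NIA0", "NEA0"], "required", {"a": LTC_A})
UE2 = Ue("UE2", ["NIA1", "NEA0", "NIA0"], "preferred", {"a": LTC_A})

if __name__ == "__main__":
    print(establish_u2u_relay(UE1, RELAY, UE2, "a"))
```

Because UE2's capability and policy differ from UE1's, the two links end up with different chosen algorithms and different shared keys K and K', and a security mode command whose chosen_algs field is altered in transit fails the integrity check at S402.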
In a possible embodiment, still referring to the dashed line in fig. 3, after S304, the relay UE may further perform S305.
S305, the relay UE relays the transmission information between UE1 and UE2 through the direct communication link A and the direct communication link B.
It should be appreciated that after establishing the direct communication link A and the direct communication link B through S302 and S304, the relay UE may provide U2U Relay service for UE1 and UE2 to relay transmission information (which may also be referred to as traffic, or described as transmission traffic) between UE1 and UE2. For example, UE1 may first send the transmission information destined for UE2 to the relay UE, which relays it to UE2; similarly, UE2 may first send the transmission information destined for UE1 to the relay UE, which relays it to UE1.
Thus, 5G ProSe U2U Relay communication between UE1 and UE2 is realized.
In some possible embodiments, if UE1 already has a shared key K with the relay UE (i.e., an existing K_NRP), the first direct communication request message may also carry a shared key identifier k (i.e., a first shared key identifier). In this way, the relay UE can directly determine the corresponding shared key K from the shared key identifier k and generate K_NRP-sess from it, without generating K_NRP from the long-term credential A.
Alternatively, before UE1 sends the first direct communication request message in S301, it may first confirm that a shared key K with the relay UE exists. UE1 then sends the shared key identifier k to the relay UE in the first direct communication request message, so that the relay UE can determine the shared key K according to the shared key identifier k.
Correspondingly, if the relay UE already has a shared key K' with UE2 (i.e., an existing K'_NRP), the second direct communication request message may further carry a shared key identifier k' (i.e., a second shared key identifier). In this way, UE2 can directly determine the corresponding shared key K' from the shared key identifier k' and generate K'_NRP-sess from it, without generating K'_NRP from the long-term credential A.
Alternatively, before sending the second direct communication request message in S303, the relay UE may first confirm that a shared key K' with UE2 exists. The relay UE then sends the shared key identifier k' to UE2 in the second direct communication request message, so that UE2 can determine the shared key K' according to the shared key identifier k'.
It should be noted that the sender of a shared key identifier needs to confirm that the shared key is valid before sending the shared key identifier to the receiver. Alternatively, after receiving the shared key identifier, the receiver needs to confirm whether the corresponding shared key is valid, and uses the shared key only if it is valid. Here, a shared key being valid may also be described as the shared key being within its validity period and its use being allowed by the security policy.
In some possible embodiments, where the long-term credential A is sent to the relay UE upon successful authentication by the network device, the method may further include, after S301, the relay UE requesting the long-term credential A from the network device. After the relay UE has requested the long-term credential A, S302 to S305 may be performed.
Fig. 6 is a schematic flow chart of an implementation of a relay UE requesting a long-term credential from a network device in an embodiment of the disclosure. Referring to fig. 6, after S301 and before S302, the method may further include S601 to S603.
S601, the relay UE sends a first request message (e.g. ProSe key request) to a network device (e.g. a 5G DDNMF entity of the relay UE).
Wherein the first request message is for requesting the long-term credential a from the network device.
In practical applications, the first request message may also be described as a key request message (key request), a long-term key request message (long term key request), a long-term credential request message (long term credential request), etc.
In some possible embodiments, the first request message may carry at least one of the following: relay UE identity (e.g., relay UE ID), long term credential identity a, RSC, or ProSe code.
By way of example, the relay UE identity may be set to a U2U Relay ProSe application identity (application ID), the subscription concealed identifier (SUCI) of the relay UE, etc.
S602, the network device authenticates the relay UE.
It should be appreciated that upon receipt of the request from the relay UE, the network device determines, based on the relay UE identity, the long-term credential identifier a, the RSC, or the ProSe code, whether the relay UE is authorized to provide ProSe relay service for that service type. Here, "the relay UE is authorized to provide ProSe relay service under the service type" may also be described as "the relay UE is authorized, based on its ProSe subscription data, to provide ProSe relay service under the service type".
In some possible embodiments, the network device may first look up, according to the relay UE identity, the long-term credential identifier a, the RSC, or the ProSe code, whether authorization information of the relay UE is stored locally, in order to determine whether the relay UE is authorized to provide ProSe relay service under the service type. If it is, the relay UE is authorized to provide the ProSe relay service under the service type; if not, the relay UE is not authorized to provide the ProSe relay service under the service type.
In some possible implementations, the network device may request the subscription information of the relay UE from the unified data management (UDM) entity of the relay UE. If the subscription information of the relay UE is stored in the UDM, the UDM returns the subscription information of the relay UE to the network device. If the subscription information returned by the UDM entity contains ProSe authorization information for the service type, the relay UE is authorized to provide the ProSe relay service under the service type; otherwise, the relay UE is not authorized to provide the ProSe relay service under the service type.
In some possible implementations, the network device may also first check whether there is authorization information of the relay UE locally. If the network equipment does not store the authorization information of the relay UE locally, the network equipment requests the subscription information of the relay UE from the UDM entity of the relay UE.
Of course, the network device may also authenticate the relay UE in other manners, which are not specifically limited by the embodiments of the present disclosure.
S603, the network device sends a first response message (e.g. ProSe key response) to the relay UE.
The first response message may carry the long-term credential a and the long-term credential identifier a.
In practical applications, the first response message may also be described as a key response message (key response), a long-term key response message (long term key response), a long-term credential response message (long term credential response), etc.
In some possible embodiments, in S601 to S603 described above, if the network device stores the long-term credential a locally, the network device may obtain the long-term credential a locally and provide it to the relay UE. Alternatively, if the long-term credential a is stored in a neighbor service application (ProSe Application) server, the network device may obtain the long-term credential a from the ProSe Application server and provide it to the relay UE. Of course, the network device may also obtain the long-term credential a in other ways, which the embodiments of the present disclosure do not specifically limit.
Thus, a 5G UE-to-UE Relay is implemented.
The relay communication method described above is illustrated below with a specific example.
Suppose the communication system includes a relay UE, UE1, UE2, and 5G DDNMF entities. The 5G DDNMF entities may include a DDNMF entity of the relay UE, a DDNMF entity of UE1, and a DDNMF entity of UE2.
Fig. 7 is a schematic flow chart of an implementation of a second relay communication method in an embodiment of the disclosure, and referring to fig. 7, the relay communication process may include:
S701, the 5G DDNMF entity provides discovery and relay security material, such as long-term credential identity a and long-term credential a, to UE1 and UE2, respectively.
S702, UE1 and UE2 perform discovery and relay selection procedures using the discovery parameters and the discovery security material, and UE1 and UE2 select the same relay UE.
S703, UE1 transmits Direct Connection Request 1 to the relay UE.
Direct Connection Request 1 may include the long-term credential identity a and a shared key identity k. Further, Direct Connection Request 1 may also include: security capability information of UE1, the RSC, the ProSe code, and nonce 1.
S704, the relay UE sends ProSe key request to the 5G DDNMF entity.
The ProSe key request includes: the relay UE identity, the long-term credential identity a, and the RSC or ProSe code.
S705, the 5G DDNMF entity determines that the relay UE is authorized to provide ProSe relay service under the service type.
S706, the 5G DDNMF entity sends ProSe key response to the relay UE.
The ProSe key response carries the long-term credential identity a and the long-term credential a.
S707, the relay UE transmits Direct Security Mode Command message 1 to UE 1.
Direct Security Mode Command message 1 carries chosen_algs and nonce 2.
S708, UE1 sends Direct Security Mode Complete message 1 to the relay UE.
S709, the relay UE transmits Direct Connection Request 2 to UE 2.
Direct Connection Request 2 may include the long-term credential identity a and a shared key identity k'. Further, Direct Connection Request 2 may also include: security capability information of the relay UE, the RSC, the ProSe code, and nonce 4.
S710, UE2 sends Direct Security Mode Command message 2 to the relay UE.
Direct Security Mode Command message 2 carries chosen_algs' and nonce 2.
S711, the relay UE transmits Direct Security Mode Complete message 2 to UE 2.
S712, UE2 sends Direct Connection Request 2 to the relay UE.
S713, the relay UE transmits Direct Connection Request 1 to UE 1.
S714, the relay UE relays transmission information (traffic) between UE1 and UE 2.
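The fig. 7 flow together with the S602 authorization check, as an added simulation in Python (not the patent's or the applicant's code): the DDNMF consults its local authorization information and then the relay's UDM subscription before releasing credential a, the relay secures link 1 as responder and link 2 as initiator, and relayed traffic is verified and re-protected hop by hop. The key derivation, the MAC that proves possession of the long-term credential, and all identifiers (relay-1, ltc-a-1, rsc-1, NEA1/NEA2 as algorithm names) are assumptions of this simulation, since the page does not specify them.

```python
"""Simulation of the fig. 7 U2U relay flow. Constructed example, not the patent's code.
Assumed, since the page does not specify them: credential A is a symmetric secret shared by
UE1, UE2 and the network; per-link keys come from HMAC-SHA256 over A and the two nonces; the
MAC in the Direct Security Mode Command proves possession of A; UDM data is a plain dict."""
import hashlib, hmac, os
from dataclasses import dataclass, field

def kdf(secret, *parts):  # hypothetical KDF: HMAC-SHA256 of the concatenated parts under secret
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()

class DDNMF:
    """Network device of S601-S603 / S704-S706: authenticates the relay and releases A."""
    def __init__(self, udm, credentials):
        self.udm = udm                  # stands in for the UDM entity: relay id -> set of RSCs
        self.credentials = credentials  # ltc identity -> credential A (local store)
        self.local_auth = {}            # locally stored authorization info per relay identity

    def authorized(self, relay_id, rsc):
        """S602: check local authorization info first, then the relay's UDM subscription."""
        allowed = self.local_auth.get(relay_id)
        if allowed is None:
            allowed = self.udm.get(relay_id)
            if allowed is not None:
                self.local_auth[relay_id] = allowed
        return allowed is not None and rsc in allowed

    def prose_key_request(self, relay_id, ltc_id, rsc):
        """S704 -> S706: ProSe key response, or None when authentication fails."""
        if not self.authorized(relay_id, rsc) or ltc_id not in self.credentials:
            return None
        return {"ltc_id": ltc_id, "ltc": self.credentials[ltc_id]}

@dataclass
class UE:
    name: str
    algs: list                                       # security capability information
    credentials: dict = field(default_factory=dict)  # ltc identity -> credential A
    links: dict = field(default_factory=dict)        # peer name -> per-link key

    def direct_connection_request(self, ltc_id, rsc):  # S703 / S709
        return {"from": self.name, "ltc_id": ltc_id, "rsc": rsc,
                "algs": self.algs, "nonce": os.urandom(16)}

    def security_mode_command(self, req):
        """Responder (S707 / S710): pick chosen_algs and nonce 2, prove possession of A."""
        ltc = self.credentials.get(req["ltc_id"])
        common = [a for a in self.algs if a in req["algs"]]
        if ltc is None or not common: return None
        nonce2 = os.urandom(16)
        key = kdf(ltc, req["nonce"], nonce2)
        self.links[req["from"]] = key
        return {"from": self.name, "chosen_alg": common[0], "nonce2": nonce2,
                "mac": kdf(key, b"DSMC", common[0].encode())}

    def security_mode_complete(self, req, cmd):
        """Initiator (S708 / S711): accept only if the peer proved that it holds A."""
        key = kdf(self.credentials[req["ltc_id"]], req["nonce"], cmd["nonce2"])
        if not hmac.compare_digest(kdf(key, b"DSMC", cmd["chosen_alg"].encode()), cmd["mac"]):
            return False  # peer lacks A: rejected as an attacker posing as a relay
        self.links[cmd["from"]] = key
        return True

class RelayUE(UE):
    def handle_remote_request(self, req, ddnmf):
        """S703-S707: obtain A from the DDNMF if not yet held, then answer UE1."""
        if req["ltc_id"] not in self.credentials:
            resp = ddnmf.prose_key_request(self.name, req["ltc_id"], req["rsc"])
            if resp is None: return None  # relay not authorized for this RSC: link 1 not secured
            self.credentials[resp["ltc_id"]] = resp["ltc"]
        return self.security_mode_command(req)

def run_flow(ddnmf, ue1, ue2, relay, ltc_id, rsc):
    """S703-S713: returns the relay's two per-link keys, or None if either link fails."""
    req1 = ue1.direct_connection_request(ltc_id, rsc)
    cmd1 = relay.handle_remote_request(req1, ddnmf)
    if cmd1 is None or not ue1.security_mode_complete(req1, cmd1): return None
    req2 = relay.direct_connection_request(ltc_id, rsc)
    cmd2 = ue2.security_mode_command(req2)
    if cmd2 is None or not relay.security_mode_complete(req2, cmd2): return None
    return relay.links[ue1.name], relay.links[ue2.name]

def protect(key, payload):  # per-hop integrity protection: payload || tag
    return payload + kdf(key, payload)

def unprotect(key, msg):  # payload, or None if the tag does not verify under this link key
    return msg[:-32] if hmac.compare_digest(kdf(key, msg[:-32]), msg[-32:]) else None

def relay_traffic(relay, src, dst, msg):  # S714: verify on link 1, re-protect for link 2
    payload = unprotect(relay.links[src], msg)
    return None if payload is None else protect(relay.links[dst], payload)

def build_demo():
    """Constructed deployment: relay-1 subscribed for rsc-1, A provisioned to UE1 and UE2."""
    ddnmf = DDNMF({"relay-1": {"rsc-1"}}, {"ltc-a-1": os.urandom(32)})
    ue1, ue2 = UE("UE1", ["NEA2", "NEA1"]), UE("UE2", ["NEA1", "NEA2"])
    for ue in (ue1, ue2):  # S701: discovery and relay security material from the 5G DDNMF
        ue.credentials["ltc-a-1"] = ddnmf.credentials["ltc-a-1"]
    return ddnmf, ue1, ue2, RelayUE("relay-1", ["NEA2"])
```

Note that the relay holds a distinct key for each hop and sees the payload in between, which is what per-link protection means here; a relay that is not in the UDM subscription, or asks for an RSC it is not subscribed for, never receives credential a and cannot complete link 1.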
In the embodiments of the disclosure, the relay UE establishes a secure L3 U2U link between UE1 and UE2 by establishing a secure direct communication link with each peer UE, thereby implementing 5G ProSe U2U Relay. Further, the integrity and confidentiality of the transmission information over the 5G ProSe U2U Relay are ensured by the security protection of the direct communication links between the relay UE and UE1 and between the relay UE and UE2. Further, the long-term credentials ensure that a remote UE can identify a malicious attacker acting as a relay UE. Further, the 5G PKMF can securely provide security parameters to both the remote UEs and the U2U relay UE.
In some possible implementations, the embodiments of the present disclosure further provide a relay communication method, which may be applied to a relay UE side in a communication system.
Fig. 8 is a schematic implementation flow diagram of a relay communication method at the relay UE side in an embodiment of the disclosure; referring to the solid lines in fig. 8, the method may include:
S801, the relay UE receives a first direct communication request message sent by UE1;
S802, the relay UE establishes a secure first direct communication link with UE1 according to a first long-term credential, where the first long-term credential is sent to the relay UE when authentication of the relay UE by the network device passes; the first direct communication link is used for transmitting transmission information between UE1 and UE2.
In some possible embodiments, referring to the dashed lines in fig. 8, the method further includes:
S803, the relay UE sends a second direct communication request message to UE2;
S804, the relay UE establishes a secure second direct communication link with UE2 according to the first long-term credential; the second direct communication link is used for transmitting transmission information.
In some possible implementations, UE1 and UE2 are peer terminals configured with first long-term credentials.
In some possible implementations, the first direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the first direct communication request message further includes at least one of the following: security capability information of UE1, where the security capability information of UE1 is used to indicate a security algorithm supported by UE 1; RSC; proSe Code; a first random number.
In some possible embodiments, the above method further comprises: the relay UE sends a first request message to the network equipment, wherein the first request message carries a first long-term credential identifier; the relay UE receives a first response message from the network device, the first response message carrying a first long-term credential.
In some possible embodiments, the first direct communication request message carries an identifier for the first shared key; the method further comprises the steps of: the relay UE determines a first shared key according to the first shared key identifier, where the first shared key is used for secure communication between the relay UE and the UE 1.
In some possible embodiments, the above method further comprises: the relay UE determines that the first shared key is valid.
In some possible implementations, the second direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the second direct communication request message carries security capability information of the relay UE, where the security capability information of the relay UE is used to indicate a security algorithm supported by the relay UE.
In some possible embodiments, the second direct communication request message further includes at least one of the following: RSC; proSe Code; and a second random number.
In some possible embodiments, the above method further comprises: the relay UE determines that a second shared key exists, where the second shared key is used for secure communication between the relay UE and UE2; and the relay UE carries a second shared key identifier in the second direct communication request message, where the second shared key identifier is used to identify the second shared key.
In some possible implementations, the relay UE determining that the second shared key is present includes: the relay UE determines that a valid second shared key exists.
In some possible embodiments, the above method further comprises: the relay UE receives a second direct communication acceptance message of the UE 2; the relay UE sends a first direct communication accept message to UE 1.
In some possible implementations, the identity of the relay UE is one of: a neighbor service application identifier of the relay UE; a terminal identifier of the relay UE.
In some possible implementations, the embodiments of the present disclosure further provide a relay communication method, which may be applied to the UE1 side in a communication system.
It should be noted that the implementation of S801 to S804 may refer to the specific description of the relay UE side in the embodiments of fig. 3 to 7, and is not repeated here for brevity.
Fig. 9 is a schematic implementation flow diagram of a relay communication method at the UE1 side in an embodiment of the disclosure, and referring to fig. 9, the method may include:
S901, UE1 sends a first direct communication request message to a relay UE, where the relay UE has a first long-term credential, and the first long-term credential is sent to the relay UE when authentication of the relay UE by the network device passes;
S902, UE1 establishes a secure first direct communication link with the relay UE, where the first direct communication link is used to transmit transmission information between UE1 and UE2.
In some possible implementations, UE1 and UE2 are peer terminals configured with first long-term credentials.
In some possible embodiments, the above method further comprises: UE1 discovers UE2 and selects a relay UE.
In some possible implementations, the first direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the first direct communication request message further includes at least one of the following: security capability information of UE1, where the security capability information of UE1 is used to indicate a security algorithm supported by UE 1; RSC; proSe Code; a first random number.
In some possible embodiments, the above method further comprises: UE1 determines that a first shared key exists, where the first shared key is used for secure communication between the relay UE and UE1; and UE1 carries a first shared key identifier in the first direct communication request message, where the first shared key identifier is used to identify the first shared key.
In some possible implementations, UE1 determining that the first shared key exists includes: UE1 determines that a valid first shared key exists.
In some possible embodiments, the above method further comprises: the UE1 receives a first direct communication accept message sent by the relay UE.
In some possible implementations, the embodiments of the present disclosure further provide a relay communication method, which may be applied to the UE2 side in a communication system.
It should be noted that the implementation of S901 to S902 may refer to the specific description of the UE1 side in the embodiments of fig. 3 to 7, and is not repeated here for brevity.
Fig. 10 is a schematic flow chart of an implementation of a relay communication method at the UE2 side in an embodiment of the disclosure, referring to fig. 10, the method may include:
S1001, UE2 receives a second direct communication request message sent by a relay UE, where the relay UE has a first long-term credential, and the first long-term credential is sent to the relay UE when authentication of the relay UE by the network device passes;
S1002, UE2 establishes a secure second direct communication link with the relay UE, where the second direct communication link is used to transmit transmission information between UE2 and UE1.
In some possible implementations, UE1 and UE2 are peer terminals configured with first long-term credentials.
In some possible embodiments, the above method further comprises: UE2 discovers UE1 and selects a relay UE.
In some possible implementations, the second direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the second direct communication request message carries security capability information of the relay UE, where the security capability information of the relay UE is used to indicate a security algorithm supported by the relay UE.
In some possible embodiments, the second direct communication request message further includes at least one of the following: RSC; proSe Code; and a second random number.
In some possible embodiments, the second direct communication request message carries an identifier for a second shared key; the method further comprises the steps of: the UE2 determines a second shared key according to the second shared key identifier, where the second shared key is used for secure communication between the UE2 and the relay UE.
In some possible embodiments, the above method further comprises: UE2 determines that the second shared key is valid.
In some possible embodiments, the above method further comprises: UE2 sends a second direct communication accept message to the relay UE.
In some possible implementations, the embodiments of the disclosure further provide a relay communication method, which can be applied to the network device side in a communication system.
It should be noted that the implementation of S1001 to S1002 may refer to the specific description of the UE2 side in the embodiments of fig. 3 to 7, and is not repeated here for brevity.
Fig. 11 is a schematic implementation flow diagram of a relay communication method at the network device side in an embodiment of the disclosure; referring to fig. 11, the method may include:
S1101, the network device receives a first request message, where the first request message is used to request a first long-term credential;
S1102, the network device authenticates the relay UE;
S1103, if the authentication passes, the network device sends the first long-term credential to the relay UE; the first long-term credential is used for establishing secure direct communication links between the relay UE and the peer UEs UE1 and UE2, and the direct communication links are used for relaying transmission information between UE1 and UE2.
In some possible embodiments, the above method further comprises: the network equipment sets a first long-term credential for UE1 and UE 2; the network device sends a first long-term credential identification and a first long-term credential to UE1 and UE2, respectively, the first long-term credential identification being used to identify the first long-term credential.
In some possible implementations, the network device authenticates the relay UE, including: the network device determines whether the relay UE is authorized to provide relay services based on the neighbor service subscription data.
In some possible implementations, the network device determining whether the relay UE is authorized to provide relay services based on neighbor service subscription data includes: the network equipment requests the subscription information of the relay UE from the UDM entity of the relay UE, wherein the subscription information is used for indicating whether the relay UE is authorized to provide the relay service; the network equipment receives subscription information sent by a UDM entity; the network device determines whether the relay UE is authorized to provide the relay service according to the subscription information.
In some possible implementations, the network device determining whether the relay UE is authorized to provide relay services based on neighbor service subscription data includes: the network device determines whether authorization information of the relay UE is stored locally, the authorization information indicating that the relay UE is authorized to provide the relay service.
In some possible embodiments, the above method further comprises: the network device obtains the first long-term credential by the neighbor service application server, or the network device obtains the locally stored first long-term credential.
It should be noted that the implementation of S1101 to S1103 may refer to the specific description of the network device side in the embodiments of fig. 3 to 7, and is not repeated here for brevity.
Based on the same inventive concept, the embodiments of the present disclosure provide a communication device, fig. 12 is a schematic structural diagram of a communication device in the embodiments of the present disclosure, and referring to fig. 12, the communication device 1200 may include: a processing module 1201, a receiving module 1202 and a transmitting module 1203.
In some possible embodiments, the communication device may be a relay terminal in a communication system or a chip or a system on chip of the relay terminal, and may also be a functional module in the relay terminal for implementing the method described in the foregoing embodiments. The communication device may implement the functions performed by the relay terminal in the above embodiments, and these functions may be implemented by hardware executing corresponding software. Such hardware or software includes one or more modules corresponding to the functions described above.
Accordingly, the receiving module 1202 is configured to receive a first direct communication request message sent by a first remote terminal; the processing module 1201 is configured to establish a secure first direct communication link with the first remote terminal based on a first long-term credential, which is sent by the network device to the relay terminal when authentication of the relay terminal passes; the first direct communication link is used for transmitting transmission information between the first remote terminal and the second remote terminal.
In some possible implementations, the first remote terminal and the second remote terminal are peer terminals configured with first long-term credentials.
In some possible implementations, the first direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the first direct communication request message further includes at least one of the following: the security capability information of the first remote terminal is used for indicating a security algorithm supported by the first remote terminal; a relay service code; a neighbor service code; a first random number.
In some possible embodiments, the apparatus further comprises: the sending module 1203, configured to send a first request message to the network device, where the first request message carries a first long-term credential identifier; and the receiving module 1202, configured to receive a first response message from the network device, where the first response message carries the first long-term credential.
In some possible embodiments, the first direct communication request message carries an identifier for the first shared key; a processing module 1201 is configured to determine a first shared key based on the first shared key identification, the first shared key being used for secure communication between the relay terminal and the first remote terminal.
In some possible implementations, the processing module 1201 is configured to determine that the first shared key is valid.
In some possible embodiments, the apparatus further comprises: a sending module 1203 configured to send a second direct communication request message to a second remote terminal; a processing module 1201 configured to establish a secure second direct communication link with a second remote terminal based on the first long-term credential; the second direct communication link is used for transmitting transmission information.
In some possible implementations, the second direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the second direct communication request message carries security capability information of the relay terminal, where the security capability information of the relay terminal is used to indicate a security algorithm supported by the relay terminal.
In some possible embodiments, the second direct communication request message further includes at least one of the following: a relay service code; a neighbor service code; and a second random number.
In some possible implementations, the processing module 1201 is configured to determine that a second shared key is present, the second shared key being used for secure communication between the relay terminal and the second remote terminal; the sending module 1203 is configured to carry a second shared key identifier on the second direct communication request message for sending, where the second shared key identifier is used to identify the second shared key.
In some possible implementations, the processing module 1201 is configured to determine that a valid second shared key is present.
In some possible embodiments, the apparatus further comprises: the receiving module 1202, configured to receive a second direct communication accept message from the second remote terminal; and the sending module 1203, configured to send a first direct communication accept message to the first remote terminal.
In some possible implementations, the identity of the relay terminal is one of: a neighbor service application identifier of the relay terminal; terminal identification of the relay terminal.
In some possible embodiments, the communication device may be a first remote terminal in a communication system or a chip or a system on chip of the first remote terminal, and may also be a functional module in the first remote terminal for implementing the method described in the foregoing embodiments. The communication device may implement the functions performed by the first remote terminal in the above embodiments, and these functions may be implemented by hardware executing corresponding software. Such hardware or software includes one or more modules corresponding to the functions described above.
Correspondingly, the sending module 1203 is configured to send a first direct communication request message to the relay terminal, where the relay terminal has a first long-term credential, and the first long-term credential is sent to the relay terminal by the network device when authentication of the relay terminal passes; the processing module 1201 is configured to establish a secure first direct communication link with the relay terminal, where the first direct communication link is used for transmitting transmission information between the first remote terminal and the second remote terminal.
In some possible implementations, the first remote terminal and the second remote terminal are peer terminals configured with first long-term credentials.
In some possible implementations, the processing module 1201 is further configured to discover a second remote terminal and select a relay terminal.
In some possible implementations, the first direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the first direct communication request message further includes at least one of the following: the security capability information of the first remote terminal is used for indicating a security algorithm supported by the first remote terminal; a relay service code; a neighbor service code; a first random number.
In some possible embodiments, the apparatus further comprises: a processing module 1201 configured to determine that a first shared key is present, the first shared key being used for secure communication between the relay terminal and the first remote terminal; the sending module 1203 is configured to carry a first shared key identifier on the first direct communication request message for sending, where the first shared key identifier is used to identify the first shared key.
In some possible implementations, the processing module 1201 is configured to determine that a valid first shared key is present.
In some possible embodiments, the apparatus further comprises: the receiving module 1202, configured to receive the first direct communication accept message sent by the relay terminal.
In some possible embodiments, the communication device may be a second remote terminal in the communication system or a chip or a system on chip of the second remote terminal, and may also be a functional module in the second remote terminal for implementing the method described in the foregoing embodiments. The communication device may implement the functions performed by the second remote terminal in the above embodiments, and these functions may be implemented by hardware executing corresponding software. Such hardware or software includes one or more modules corresponding to the functions described above.
Correspondingly, the receiving module 1202 is configured to receive the second direct communication request message sent by the relay terminal, where the relay terminal has a first long-term credential, and the first long-term credential is sent to the relay terminal by the network device when authentication of the relay terminal passes; the processing module 1201 is configured to establish a secure second direct communication link with the relay terminal, where the second direct communication link is used for transmitting transmission information between the second remote terminal and the first remote terminal.
In some possible implementations, the first remote terminal and the second remote terminal are peer terminals configured with first long-term credentials.
In some possible implementations, the processing module 1201 is further configured to discover the first remote terminal and select the relay terminal.
In some possible implementations, the second direct communication request message carries a first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
In some possible embodiments, the second direct communication request message carries security capability information of the relay terminal, where the security capability information of the relay terminal is used to indicate a security algorithm supported by the relay terminal.
In some possible embodiments, the second direct communication request message further includes at least one of the following: a relay service code; a neighbor service code; and a second random number.
In some possible embodiments, the second direct communication request message carries an identifier for a second shared key; the processing module 1201 is further configured to determine a second shared key based on the second shared key identification, the second shared key being used for secure communication between the second remote terminal and the relay terminal.
In some possible implementations, the processing module 1201 is further configured to determine that the second shared key is valid.
In some possible embodiments, the apparatus further comprises: the sending module 1203 is configured to send a second direct communication accept message to the relay terminal.
In some possible implementations, the communication apparatus may be a network device in a communication system or a chip or a system on a chip of the network device, and may also be a functional module in the network device for implementing the method described in the foregoing embodiments. The communication device may implement the functions performed by the network device in the above embodiments, and these functions may be implemented by hardware executing corresponding software. Such hardware or software includes one or more modules corresponding to the functions described above.
Accordingly, the receiving module 1202 is configured to receive a first request message for requesting the first long-term credential; the processing module 1201 is configured to authenticate the relay terminal; the sending module 1203 is configured to send, if the authentication passes, the first long-term credential to the relay terminal; the first long-term credential is used for establishing secure direct communication links between the relay terminal and the peer first and second remote terminals, and the direct communication links are used for relaying transmission information between the first remote terminal and the second remote terminal.
In some possible implementations, the processing module 1201 is configured to set a first long-term credential for the first remote terminal and the second remote terminal; the sending module 1203 is configured to send a first long-term credential identity and a first long-term credential to the first remote terminal and the second remote terminal, respectively, the first long-term credential identity being used to identify the first long-term credential.
In some possible implementations, the processing module 1201 is configured to determine whether the relay terminal is authorized to provide a relay service based on the neighbor service subscription data.
In some possible embodiments, the sending module 1203 is configured to request subscription information of the relay terminal from the UDM entity of the relay terminal, where the subscription information is used to indicate whether the relay terminal is authorized to provide the relay service; the receiving module 1202 is configured to receive the subscription information sent by the UDM entity; and the processing module 1201 is configured to determine, according to the subscription information, whether the relay terminal is authorized to provide the relay service.
In some possible embodiments, the processing module 1201 is configured to determine whether authorization information of the relay terminal is stored locally, where the authorization information is used to indicate that the relay terminal is authorized to provide the relay service.
In some possible implementations, the processing module 1201 is configured to obtain the first long-term credential by the neighbor service application server, or obtain a locally stored first long-term credential.
It should be noted that, the specific implementation procedures of the processing module 1201, the receiving module 1202 and the sending module 1203 may refer to the detailed descriptions of the embodiments of fig. 3 to 7, and are not repeated herein for brevity of description.
The receiving module 1202 mentioned in the embodiments of the present disclosure may be a receiving interface, a receiving circuit, a receiver, or the like; the sending module 1203 may be a sending interface, a sending circuit, a sender, or the like; the processing module 1201 may be one or more processors.
Based on the same inventive concept, the embodiments of the present disclosure provide a communication device, which may be the relay terminal, the first remote terminal, the second remote terminal, or the network device described in one or more of the embodiments above. Fig. 13 is a schematic structural diagram of a communication device according to an embodiment of the present disclosure. Referring to fig. 13, a communication device 1300 is built on general-purpose computer hardware and includes a processor 1301, a memory 1302, a bus 1303, an input device 1304, and an output device 1305.
In some possible implementations, the memory 1302 may include computer storage media in the form of volatile and/or nonvolatile memory such as read only memory and/or random access memory. Memory 1302 may store an operating system, application programs, other program modules, executable code, program data, user data, and the like.
The input device 1304 may be used to input commands and information to the communication device, and may be a keyboard or a pointing device such as a mouse, trackball, touch pad, microphone, joystick, game pad, satellite dish, scanner, or the like. These input devices may be connected to the processor 1301 through the bus 1303.
The output device 1305 may be configured to output information from the communication device. In addition to a monitor, the output device 1305 may include other peripheral output devices, such as speakers and/or printing devices, which may also be connected to the processor 1301 via the bus 1303.
The communication device may be connected to a network, for example a local area network (LAN), via an antenna 1306. In a networked environment, the computer-executable instructions of the communication device may be stored in a remote memory storage device and are not limited to being stored locally.
When the processor 1301 in the communication device executes the executable code or the application program stored in the memory 1302, the communication device executes the relay communication method on the UE side or the network device side in the above embodiments; for the specific execution process, refer to the above embodiments, which are not repeated herein.
Further, the memory 1302 stores computer-executable instructions for realizing the functions of the processing module 1201, the receiving module 1202, and the transmitting module 1203 in fig. 12. The functions/implementation procedures of the processing module 1201, the receiving module 1202, and the transmitting module 1203 in fig. 12 may be implemented by the processor 1301 in fig. 13 calling computer-executable instructions stored in the memory 1302, and the specific implementation procedure and function refer to the above-mentioned related embodiments.
Based on the same inventive concept, embodiments of the present disclosure provide a terminal device, such as a relay terminal, a first remote terminal, or a second remote terminal, consistent with the relay UE, UE1, and UE2 in one or more of the above embodiments. Alternatively, the terminal device may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, an exercise device, a personal digital assistant, or the like.
Fig. 14 is a schematic structural diagram of a terminal device in an embodiment of the disclosure, and referring to fig. 14, a terminal device 1400 may include one or more of the following components: processing component 1401, memory 1402, power component 1403, multimedia component 1404, audio component 1405, input/output (I/O) interface 1406, sensor component 1407, and communication component 1408.
The processing component 1401 generally controls overall operation of the terminal device 1400, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing component 1401 may include one or more processors 910 to execute instructions to perform all or part of the steps of the methods described above. Further, the processing component 1401 may include one or more modules that facilitate interactions between the processing component 1401 and other components. For example, processing component 1401 may include a multimedia module to facilitate interaction between multimedia component 1404 and processing component 1401.
Memory 1402 is configured to store various types of data to support operation at terminal device 1400. Examples of such data include instructions for any application or method operating on terminal device 1400, contact data, phonebook data, messages, pictures, videos, and the like. Memory 1402 may be implemented by any type of volatile or nonvolatile memory device or combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, or a magnetic or optical disk.
Power component 1403 provides power to the various components of terminal device 1400. Power component 1403 can include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for terminal device 1400.
The multimedia component 1404 includes a screen that provides an output interface between the terminal device 1400 and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or sliding action, but also the duration and pressure associated with the touch or sliding operation. In some embodiments, multimedia component 1404 includes a front-facing camera and/or a rear-facing camera. The front camera and/or the rear camera may receive external multimedia data when the terminal device 1400 is in an operation mode, such as a photographing mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capabilities.
The audio component 1405 is configured to output and/or input audio signals. For example, audio component 1405 includes a Microphone (MIC) configured to receive external audio signals when terminal device 1400 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signals may be further stored in memory 1402 or transmitted via communications component 1408. In some embodiments, audio component 1405 further includes a speaker for outputting audio signals.
The I/O interface 1406 provides an interface between the processing component 1401 and a peripheral interface module, which may be a keyboard, click wheel, button, etc. These buttons may include, but are not limited to: homepage button, volume button, start button, and lock button.
The sensor assembly 1407 includes one or more sensors for providing status assessment of various aspects of the terminal device 1400. For example, the sensor assembly 1407 may detect an on/off state of the terminal device 1400 and the relative positioning of components such as the display and keypad of the terminal device 1400. The sensor assembly 1407 may also detect a change in position of the terminal device 1400 or one of its components, the presence or absence of a user's contact with the terminal device 1400, the orientation or acceleration/deceleration of the terminal device 1400, and a change in temperature of the terminal device 1400. The sensor assembly 1407 may include a proximity sensor configured to detect the presence of nearby objects in the absence of any physical contact. The sensor assembly 1407 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 1407 can further include an acceleration sensor, a gyroscopic sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communications component 1408 is configured to facilitate wired or wireless communications between the terminal device 1400 and other devices. Terminal device 1400 may access a wireless network based on a communication standard, such as Wi-Fi, 2G, or 3G, or a combination thereof. In one exemplary embodiment, the communication component 1408 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 1408 further includes a near field communication (NFC) module to facilitate short range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, infrared data association (IrDA) technology, ultra wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the terminal device 1400 may be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic elements for executing the methods described above.
Based on the same inventive concept, embodiments of the present disclosure provide a network device, such as a 5G DDNMF entity, a PKMF entity, etc., consistent with the network device in one or more of the embodiments described above.
Fig. 15 is a schematic diagram of a network device in an embodiment of the disclosure, and referring to fig. 15, a network device 1500 may include a processing component 1501 further including one or more processors and memory resources represented by a memory 1502 for storing instructions, such as applications, executable by the processing component 1501. An application program stored in the memory 1502 may include one or more modules each corresponding to a set of instructions. Further, the processing component 1501 is configured to execute instructions to perform any of the methods described above as applied to the network device.
The network device 1500 may also include a power component 1503 configured to perform power management of the network device 1500, a wired or wireless network interface 1504 configured to connect the network device 1500 to a network, and an input/output (I/O) interface 1505. The network device 1500 may operate based on an operating system stored in the memory 1502, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
Based on the same inventive concept, the embodiments of the present disclosure also provide a computer-readable storage medium having instructions stored therein; when the instructions are executed on a computer, the method is used for executing the relay communication method at the terminal equipment side or the network equipment side in one or more embodiments.
Based on the same inventive concept, the embodiments of the present disclosure also provide a computer program or a computer program product, which when executed on a computer, causes the computer to implement the relay communication method at the terminal device side or at the network device side in one or more of the embodiments described above.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It is to be understood that the invention is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (41)

  1. A relay communication method, comprising:
    the relay terminal receives a first direct communication request message sent by a first remote terminal;
    and the relay terminal establishes a secure first direct communication link with the first remote terminal according to a first long-term credential, wherein the first long-term credential is sent to the relay terminal by the network device when the network device's authentication of the relay terminal passes.
  2. The method of claim 1, wherein the first direct communication request message carries the first long-term credential identification, the first long-term credential identification identifying the first long-term credential.
  3. The method of claim 2, wherein the first direct communication request message further comprises at least one of:
    the security capability information of the first remote terminal is used for indicating a security algorithm supported by the first remote terminal;
    a relay service code;
    a neighbor service code;
    a first random number.
  4. The method of claim 1, wherein the method further comprises:
    the relay terminal sends a first request message to network equipment, wherein the first request message carries the first long-term credential identifier;
    the relay terminal receives a first response message from the network device, wherein the first response message carries the first long-term credential.
  5. The method of claim 1, wherein the first direct communication request message carries a first shared key identifier;
    the method further comprises the steps of:
    and the relay terminal determines a first shared key according to the first shared key identifier, wherein the first shared key is used for secure communication between the relay terminal and the first remote terminal.
  6. The method according to claim 5, wherein the method further comprises:
    the relay terminal determines that the first shared key is valid.
  7. The method of claim 1, wherein the method further comprises:
    the relay terminal sends a second direct communication request message to a second remote terminal;
    the relay terminal establishes a secure second direct communication link with the second remote terminal according to the first long-term certificate;
    wherein the first direct communication link and the second direct communication link are used for transmitting transmission information between the first remote terminal and the second remote terminal.
  8. The method of claim 7, wherein the first remote terminal and the second remote terminal are peer terminals configured with the first long-term credentials.
  9. The method of claim 7, wherein the second direct communication request message carries a first long-term credential identification identifying the first long-term credential.
  10. The method of claim 7, wherein the second direct communication request message carries security capability information of the relay terminal, where the security capability information of the relay terminal is used to indicate a security algorithm supported by the relay terminal.
  11. The method of claim 9, wherein the second direct communication request message further comprises at least one of:
    a relay service code;
    a neighbor service code;
    and a second random number.
  12. The method of claim 7, wherein the method further comprises:
    the relay terminal determining that a second shared key exists, the second shared key being used for secure communication between the relay terminal and the second remote terminal;
    and the relay terminal loads a second shared key identifier on the second direct communication request message to send, wherein the second shared key identifier is used for identifying the second shared key.
  13. The method of claim 12, wherein the relay terminal determining that a second shared key is present comprises:
    the relay terminal determines that a valid second shared key exists.
  14. The method of claim 1, wherein the method further comprises:
    the relay terminal receives a second direct communication receiving message of a second remote terminal;
    the relay terminal sends a first direct communication acceptance message to the first remote terminal.
  15. The method of claim 1, wherein the identity of the relay terminal is one of:
    a neighbor service application identifier of the relay terminal;
    terminal identification of the relay terminal.
  16. A relay communication method, comprising:
    a first remote terminal sends a first direct communication request message to a relay terminal, wherein the relay terminal is provided with a first long-term credential, and the first long-term credential is sent to the relay terminal by a network device when the network device's authentication of the relay terminal passes;
    and the first remote terminal establishes a secure first direct communication link with the relay terminal.
  17. The method of claim 16, wherein the first remote terminal is a peer terminal of a second remote terminal, the first remote terminal and the second remote terminal being peer terminals configured with first long-term credentials.
  18. The method of claim 16, wherein the method further comprises:
    the first remote terminal discovers a second remote terminal and selects the relay terminal.
  19. The method of claim 16, wherein the first direct communication request message carries a first long-term credential identification identifying the first long-term credential.
  20. The method of claim 19, wherein the first direct communication request message further comprises at least one of:
    the security capability information of the first remote terminal is used for indicating a security algorithm supported by the first remote terminal;
    a relay service code;
    a neighbor service code;
    a first random number.
  21. The method of claim 16, wherein the method further comprises:
    the first remote terminal determining that a first shared key exists, the first shared key being used for secure communication between the relay terminal and the first remote terminal;
    and the relay terminal loads a first shared key identifier on the first direct communication request message to send, wherein the first shared key identifier is used for identifying the first shared key.
  22. The method of claim 21, wherein the first remote terminal determining that a first shared key is present comprises:
    the relay terminal determines that a valid first shared key exists.
  23. The method of claim 16, wherein the method further comprises:
    and the first remote terminal receives a first direct communication acceptance message sent by the relay terminal.
  24. A relay communication method, comprising:
    a second remote terminal receives a second direct communication request message sent by a relay terminal, wherein the relay terminal is provided with a first long-term credential, and the first long-term credential is sent to the relay terminal by a network device when the network device's authentication of the relay terminal passes;
    and the second remote terminal establishes a secure second direct communication link with the relay terminal, wherein the second direct communication link is used for transmitting transmission information between the second remote terminal and the first remote terminal.
  25. The method of claim 24, wherein the first remote terminal and the second remote terminal are peer terminals configured with first long-term credentials.
  26. The method of claim 24, wherein the method further comprises:
    the second remote terminal discovers the first remote terminal and selects the relay terminal.
  27. The method of claim 24, wherein the second direct communication request message carries a first long-term credential identification identifying the first long-term credential.
  28. The method of claim 27, wherein the second direct communication request message carries security capability information of the relay terminal, where the security capability information of the relay terminal is used to indicate a security algorithm supported by the relay terminal.
  29. The method of claim 27, wherein the second direct communication request message further comprises at least one of:
    a relay service code;
    a neighbor service code;
    and a second random number.
  30. The method of claim 24, wherein the second direct communication request message carries a second shared key identifier;
    the method further comprises the steps of:
    and the second remote terminal determines a second shared key according to the second shared key identifier, wherein the second shared key is used for secure communication between the second remote terminal and the relay terminal.
  31. The method of claim 30, wherein the method further comprises:
    the second remote terminal determines that the second shared key is valid.
  32. The method of claim 24, wherein the method further comprises:
    and the second remote terminal sends a second direct communication acceptance message to the relay terminal.
  33. A relay communication method, comprising:
    the network device receives a first request message, wherein the first request message is used for requesting a first long-term credential;
    the network equipment authenticates the relay terminal;
    in case of passing the authentication, the network device sends a first long-term credential to the relay terminal;
    the first long-term credential is used for establishing a secure direct communication link between the relay terminal and a first remote terminal and a second remote terminal which are in peer-to-peer connection, and the direct communication link is used for relaying transmission information between the first remote terminal and the second remote terminal.
  34. The method of claim 33, wherein the method further comprises:
    the network device setting the first long-term credentials for the first remote terminal and the second remote terminal;
    the network device sends a first long-term credential identification and the first long-term credential to the first remote terminal and the second remote terminal, respectively, the first long-term credential identification being used to identify the first long-term credential.
  35. The method of claim 33, wherein the network device authenticates the relay terminal, comprising:
    the network device determines whether the relay terminal is authorized to provide relay services based on neighbor service subscription data.
  36. The method of claim 35, wherein the network device determining whether the relay terminal is authorized to provide relay services based on neighbor service subscription data comprises:
    the network device requests subscription information of the relay terminal to a Unified Data Management (UDM) entity of the relay terminal, wherein the subscription information is used for indicating whether the relay terminal is authorized to provide the relay service;
    the network equipment receives the subscription information sent by the UDM entity;
    and the network equipment determines whether the relay terminal is authorized to provide the relay service according to the subscription information.
  37. The method of claim 35, wherein the network device determining whether the relay terminal is authorized to provide relay services based on neighbor service subscription data comprises:
    the network device determines whether authorization information of the relay terminal is locally stored, wherein the authorization information is used for indicating that the relay terminal is authorized to provide the relay service.
  38. The method of claim 33, wherein the method further comprises:
    the network device obtains the first long-term credential by a neighbor service application server, or
    the network device obtains a locally stored first long-term credential.
  39. A relay communication device, comprising:
    a receiving module configured to receive a first direct communication request message sent from a first remote terminal;
    and a processing module configured to establish a secure first direct communication link with the first remote terminal according to a first long-term credential, wherein the first long-term credential is sent to the relay terminal by the network device when the network device's authentication of the relay terminal passes.
  40. A communication device, comprising: a memory and a processor; the processor is connected to the memory and configured to implement the relay communication method of any of claims 1 to 38 by executing computer executable instructions stored on the memory.
  41. A computer storage medium storing computer executable instructions which, when executed by a processor, enable the relay communication method according to any one of claims 1 to 38.
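The credential issuance and two-leg link setup that claims 1 to 38 describe, as an added Python simulation that is not part of the patent or its applicant's code. The key derivation (HMAC-SHA256 over the credential, relay service code and nonces), the in-memory UDM table, the identifiers such as "relay-A" and "cred-1", and the message field names are all assumptions, since the page specifies none of them:

```python
"""Constructed simulation of the claimed UE-to-UE relay flow (added example, not the
patent's code). Assumed, not from the page: the link key is HMAC-SHA256 over the
long-term credential, relay service code and nonces; the UDM is an in-memory dict."""
import hashlib
import hmac
import os


def derive_link_key(credential, rsc, nonce_a, nonce_b):
    # Assumed KDF; the patent only says the long-term credential secures the link.
    return hmac.new(credential, rsc.encode() + nonce_a + nonce_b, hashlib.sha256).digest()


class NetworkDevice:  # network side (claims 33-38)
    def __init__(self, udm_subscriptions):
        self.udm = udm_subscriptions   # constructed stand-in for the UDM entity
        self.credentials = {}          # credential id -> long-term credential
        self.local_auth = set()        # locally stored relay authorization info
        self.requests_served = 0

    def provision_peers(self, cred_id, ue_a, ue_b):
        # Claim 34: one long-term credential, sent with its id to both peers.
        cred = os.urandom(32)
        self.credentials[cred_id] = cred
        ue_a.long_term[cred_id] = cred
        ue_b.long_term[cred_id] = cred

    def relay_authorized(self, relay_id):
        # Claims 35-37: local authorization info first, otherwise ask the UDM.
        if relay_id in self.local_auth:
            return True
        if self.udm.get(relay_id, {}).get("u2u_relay_authorized"):
            self.local_auth.add(relay_id)
            return True
        return False

    def handle_credential_request(self, relay_id, cred_id):
        # Claim 33: the credential is released only if relay authentication passes.
        self.requests_served += 1
        cred = self.credentials.get(cred_id)
        if not self.relay_authorized(relay_id) or cred is None:
            return {"status": "rejected"}
        return {"status": "ok", "credential": cred}


class RemoteUE:  # UE1 / UE2 side (claims 16-32)
    def __init__(self, name):
        self.name = name
        self.long_term = {}     # credential id -> credential (claim 34)
        self.shared_keys = {}   # shared key id -> valid key with a relay

    def key_id(self, relay_id):
        return f"{self.name}|{relay_id}"

    def finish_link(self, relay_id, dcr):
        # Claims 5, 30: reuse an identified valid shared key; otherwise the peer's
        # own copy of the credential yields the same key the relay derived.
        kid = self.key_id(relay_id)
        if dcr.get("shared_key_id") == kid and kid in self.shared_keys:
            return self.shared_keys[kid]
        self.shared_keys[kid] = derive_link_key(self.long_term[dcr["cred_id"]],
                                                dcr["rsc"], dcr["nonce_a"], dcr["nonce_b"])
        return self.shared_keys[kid]


class RelayUE:  # relay side (claims 1-15)
    def __init__(self, relay_id, net):
        self.relay_id, self.net = relay_id, net
        self.long_term, self.shared_keys = {}, {}

    def fetch_credential(self, cred_id):
        # Claim 4: first request / first response exchange with the network device.
        if cred_id not in self.long_term:
            resp = self.net.handle_credential_request(self.relay_id, cred_id)
            if resp["status"] != "ok":
                raise PermissionError(f"credential refused: {resp['status']}")
            self.long_term[cred_id] = resp["credential"]
        return self.long_term[cred_id]

    def setup_link(self, remote, cred_id, rsc):
        # Direct communication request (claims 2, 3, 9-11): credential id, security
        # capability, relay service code, a nonce per side; a valid shared key
        # already held is carried by id and reused (claims 5, 6, 12, 13).
        kid = remote.key_id(self.relay_id)
        dcr = {"cred_id": cred_id, "sec_cap": ["alg-A"], "rsc": rsc,
               "nonce_a": os.urandom(16), "nonce_b": os.urandom(16)}
        if kid in self.shared_keys:
            dcr["shared_key_id"] = kid
        else:
            cred = self.fetch_credential(cred_id)
            self.shared_keys[kid] = derive_link_key(cred, rsc, dcr["nonce_a"], dcr["nonce_b"])
        return self.shared_keys[kid], remote.finish_link(self.relay_id, dcr)


def run_u2u_relay(relay, ue1, ue2, cred_id, rsc):
    # Claims 1, 7, 14: link 1 (UE1-relay), then link 2 (relay-UE2). UE1 and UE2
    # each share a key only with the relay, never with each other.
    k1_relay, k1_ue1 = relay.setup_link(ue1, cred_id, rsc)
    k2_relay, k2_ue2 = relay.setup_link(ue2, cred_id, rsc)
    return {"link1_ok": k1_relay == k1_ue1, "link2_ok": k2_relay == k2_ue2,
            "links_distinct": k1_relay != k2_relay}
```

A relay whose subscription does not authorize relaying never receives the credential, so neither link can be established through it; an authorized relay fetches the credential once and later setups reuse the identified shared keys without a second request.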
CN202280002242.7A 2022-06-16 2022-06-16 Relay communication method, communication device and communication equipment Pending CN117597963A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/099287 WO2023240575A1 (en) 2022-06-16 2022-06-16 Relay communication method, communication apparatus, and communication device

Publications (1)

Publication Number Publication Date
CN117597963A true CN117597963A (en) 2024-02-23

Family

ID=89192816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202280002242.7A Pending CN117597963A (en) 2022-06-16 2022-06-16 Relay communication method, communication device and communication equipment

Country Status (2)

Country Link
CN (1) CN117597963A (en)
WO (1) WO2023240575A1 (en)


Also Published As

Publication number Publication date
WO2023240575A1 (en) 2023-12-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination