CN117882413A - Terminal equipment capability indication method and device - Google Patents
- Publication number: CN117882413A (application number CN202280002831.5A)
- Authority: CN (China)
- Prior art keywords: information, indication information, terminal, capability, check code
- Legal status: Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/03—Protecting confidentiality, e.g. by encryption
        - H04W12/06—Authentication
Abstract
The embodiment of the application discloses a terminal device capability indication method and device. First information and/or an identifier of the terminal device is sent to a first core network device through an access network, where the first information comprises first indication information and security information, and the first indication information is used to indicate the capability of the terminal device. In this way the terminal device can resist sniffing, deletion or tampering by the access network of the information it sends, the capability information of the terminal device can be securely indicated to the home network, the security of the information interaction between the terminal device and the home network is protected, and the security of the system is improved.
Description
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for indicating a capability of a terminal device.
In 3GPP technical specification TS 22.261, it is specified that the HPLMN (Home Public Land Mobile Network) should be able to provide the UE (User Equipment) with priority information of the VPLMN (Visited Public Land Mobile Network) that can be used by the UE when registering a network slice, so as to support the active network slice service of the roaming UE.
In particular, in 3GPP technical report TR 23.700-41, the UE may need to indicate its UPU/SoR capabilities to the home network before the home network triggers the UPU (UE Parameters Update)/SoR (Steering of Roaming) procedure. However, the capability indication information may be tampered with or deleted by the VPLMN.
Disclosure of Invention
An embodiment of a first aspect of the present application proposes a method for indicating a capability of a terminal device, where the method is performed by the terminal device, and the method includes:
sending first information and/or an identifier of the terminal device to a first core network device through an access network;
the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
An embodiment of a second aspect of the present application proposes a method for indicating a capability of a terminal device, where the method is performed by a first core network device, and the method includes:
receiving first information sent by a terminal device through an access network and/or an identifier of the terminal device;
the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
An embodiment of a third aspect of the present application provides a method for indicating a capability of a terminal device, where the method is performed by a second core network device, and the method includes:
receiving first information and an identifier of a terminal device, wherein the first information and the identifier are sent by a first core network device;
the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
An embodiment of a fourth aspect of the present application provides a terminal device capability indicating apparatus, where the apparatus is applied to a terminal device, and the apparatus includes:
a transceiving unit, used for sending first information and/or an identifier of the terminal device to a first core network device through an access network;
the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
An embodiment of a fifth aspect of the present application proposes a terminal device capability indicating apparatus, where the apparatus is applied to a first core network device, and the apparatus includes:
a transceiving unit, used for receiving first information sent by a terminal device through an access network and/or an identifier of the terminal device;
the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
An embodiment of a sixth aspect of the present application proposes a terminal device capability indicating apparatus, where the apparatus is applied to a second core network device, and the apparatus includes:
a transceiving unit, used for receiving first information sent by a first core network device and an identifier of a terminal device;
the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
An embodiment of a seventh aspect of the present application proposes a communication apparatus, where the apparatus includes a processor and a memory, where the memory stores a computer program, and the processor executes the computer program stored in the memory, so that the apparatus executes the method for indicating a capability of a terminal device according to the embodiment of the first aspect.
An eighth aspect of the present application proposes a communication apparatus, the apparatus including a processor and a memory, the memory storing a computer program, the processor executing the computer program stored in the memory, to cause the apparatus to execute the terminal device capability indication method according to the second aspect of the present application, or execute the terminal device capability indication method according to the third aspect of the present application.
An embodiment of a ninth aspect of the present application proposes a communication device, the device comprising a processor and an interface circuit, the interface circuit being configured to receive code instructions and transmit the code instructions to the processor, the processor being configured to execute the code instructions to cause the device to perform the method for indicating a capability of a terminal device according to the embodiment of the first aspect.
An embodiment of a tenth aspect of the present application proposes a communication device, the device comprising a processor and an interface circuit, the interface circuit being configured to receive code instructions and transmit the code instructions to the processor, the processor being configured to execute the code instructions to cause the device to perform the method for indicating a capability of a terminal device according to the embodiment of the second aspect or to perform the method for indicating a capability of a terminal device according to the embodiment of the third aspect.
An embodiment of an eleventh aspect of the present application proposes a computer readable storage medium storing instructions that, when executed, cause the terminal device capability indication method described in the embodiment of the first aspect to be implemented.
An embodiment of a twelfth aspect of the present application proposes a computer readable storage medium storing instructions that, when executed, cause a terminal device capability indication method according to the embodiment of the second aspect described above to be implemented, or cause a terminal device capability indication method according to the embodiment of the third aspect described above to be implemented.
An embodiment of a thirteenth aspect of the present application proposes a computer program which, when run on a computer, causes the computer to perform the terminal device capability indication method of the embodiment of the first aspect.
An embodiment of a fourteenth aspect of the present application proposes a computer program, which when run on a computer, causes the computer to perform the terminal device capability indication method according to the embodiment of the second aspect, or to perform the terminal device capability indication method according to the embodiment of the third aspect described above.
According to the terminal device capability indication method and device, the first information and/or the identifier of the terminal device is sent to the first core network device through the access network, where the first information comprises the first indication information and the security information, and the first indication information is used to indicate the capability of the terminal device. In this way the terminal device can resist sniffing, deletion or tampering by the access network of the information it sends, the capability information of the terminal device can be securely indicated to the home network, the security of the information interaction between the terminal device and the home network is protected, and the security of the system is improved.
Additional aspects and advantages of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
In order to more clearly describe the technical solutions in the embodiments or the background of the present application, the following description will describe the drawings that are required to be used in the embodiments or the background of the present application.
Fig. 1 is a schematic architecture diagram of a communication system according to an embodiment of the present application;
fig. 2 is a flow chart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 3 is a flow chart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 4 is a flow chart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 5 is a flow chart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 6 is a flow chart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 7 is a flow chart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 8 is a flow chart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 9 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 10 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 11 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 12 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 13 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 14 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application;
fig. 15 is a schematic structural diagram of a terminal device capability indicating device provided in an embodiment of the present application;
fig. 16 is a schematic structural diagram of a terminal device capability indicating device provided in an embodiment of the present application;
fig. 17 is a schematic structural diagram of a terminal device capability indicating device provided in an embodiment of the present application;
fig. 18 is a schematic diagram of a communication system according to an embodiment of the present application;
fig. 19 is a schematic structural diagram of another terminal device capability indicating device provided in an embodiment of the present application;
fig. 20 is a schematic structural diagram of a chip according to an embodiment of the present application.
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the embodiments of the present application. Rather, they are merely examples of apparatus and methods consistent with aspects of embodiments of the present application as detailed in the accompanying claims.
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the embodiments of the application. As used in this application in the examples and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in embodiments of the present application to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of embodiments of the present application. The words "if" and "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to a determination", depending on the context.
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the like or similar elements throughout. The embodiments described below by referring to the drawings are exemplary and intended for the purpose of explaining the present application and are not to be construed as limiting the present application.
In order to better understand a method for indicating a capability of a terminal device disclosed in an embodiment of the present application, a communication system to which the embodiment of the present application is applicable is first described below.
Referring to fig. 1, fig. 1 is a schematic architecture diagram of a communication system according to an embodiment of the present application. The communication system may include, but is not limited to, one terminal device and one core network device, and the number and form of devices shown in fig. 1 are only for example and not limiting the embodiments of the present application, and may include two or more network devices and two or more terminal devices in practical applications. The communication system shown in fig. 1 is exemplified as comprising a terminal device 101, a first core network device 102 and a second core network device 103.
It should be noted that the technical solution of the embodiment of the present application may be applied to various communication systems. For example: a long term evolution (Long Term Evolution, LTE) system, a fifth generation mobile communication system, a 5G New Radio (NR) system, or other future mobile communication systems, etc.
The terminal device 101 in this embodiment of the present application is an entity on the user side for receiving or transmitting signals, such as a mobile phone. The terminal device may also be referred to as a terminal (Terminal), user equipment (User Equipment, UE), a mobile station (Mobile Station, MS), a mobile terminal (Mobile Terminal, MT), etc. The terminal device may be an automobile with a communication function, a smart car, a mobile phone, a wearable device, a tablet computer (Pad), a computer with a wireless transceiving function, a virtual reality (Virtual Reality, VR) terminal device, an augmented reality (Augmented Reality, AR) terminal device, a wireless terminal device in industrial control (Industrial Control), a wireless terminal device in self-driving (Self-Driving), a wireless terminal device in remote medical surgery (Remote Medical Surgery), a wireless terminal device in a smart grid (Smart Grid), a wireless terminal device in transportation safety (Transportation Safety), a wireless terminal device in a smart city (Smart City), a wireless terminal device in a smart home (Smart Home), or the like. The embodiment of the application does not limit the specific technology and the specific device form adopted by the terminal device.
In the embodiment of the present application, the first core network device 102 and the second core network device 103 are both core network devices in the home network HPLMN. The first core network device 102 may be a unified data management (Unified Data Management, UDM), and the second core network device 103 may be an authentication server function (Authentication Server Function, AUSF). It will be appreciated that other core network devices may also be present in the home network HPLMN, such as a steering of roaming application function (Steering of Roaming Application Function, SoR AF), etc.
In the embodiment of the present application, the terminal device 101 may not be under the coverage of the home network HPLMN, and the terminal device 101 may interact with the home network HPLMN through the visited network VPLMN. It will be appreciated that at least one core network device may also be present in the visited network VPLMN, such as an AMF, a user plane function (User Plane Function, UPF), a session management function (Session Management Function, SMF), etc.
In 3GPP technical specification TS 22.261, it is specified that the HPLMN (Home Public Land Mobile Network) should be able to provide the UE with priority information of the VPLMN (Visited Public Land Mobile Network) that can be used by the UE when registering a network slice, so as to support the active network slice service of the roaming UE.
In particular, in 3GPP technical report TR 23.700-41, the UE may need to indicate its UPU/SoR capabilities to the home network before the home network triggers the UPU (UE Parameters Update)/SoR (Steering of Roaming) procedure. However, the capability indication information may be tampered with or deleted by the VPLMN. Therefore, it is necessary to design a security mechanism so that the terminal device can securely indicate its UPU/SoR capability to the core network device in the home network. The capability indication procedure may be initiated by the terminal device itself.
It can be understood that in the embodiments of the present application, information interaction between the terminal device and each core network device is completed through transparent transmission of the access network device.
It may be understood that, the communication system described in the embodiments of the present application is for more clearly describing the technical solution of the embodiments of the present application, and is not limited to the technical solution provided in the embodiments of the present application, and those skilled in the art can know that, with the evolution of the system architecture and the appearance of a new service scenario, the technical solution provided in the embodiments of the present application is equally applicable to similar technical problems.
The method and the device for indicating the terminal equipment capability provided by the application are described in detail below with reference to the accompanying drawings.
Referring to fig. 2, fig. 2 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. It should be noted that, the method for indicating the capability of the terminal device in the embodiment of the present application is executed by the terminal device. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 2, the method may include the steps of:
step 201, sending first information and/or an identification of the terminal device to a first core network device through an access network.
In the embodiment of the application, the terminal device can send first information to the first core network device through the access network, and the first information can indicate the capability of the terminal device.
The first information comprises first indication information and an integrity check code, wherein the first indication information is used for indicating the capability of the terminal device.
Optionally, the identifier of the terminal device may be a subscription permanent identifier (Subscription Permanent Identifier, SUPI) or a subscription concealed identifier (Subscription Concealed Identifier, SUCI).
Optionally, the terminal device may not send the identifier of the terminal device to the first core network device, and the first core network device may obtain the SUPI of the terminal device through the session parameters.
In an embodiment of the present application, the first core network device may be the unified data management UDM in the home network HPLMN. The terminal device may send the first information to the UDM via an AMF in the visited network VPLMN.
Optionally, the capability of the terminal device is a UPU/SoR capability of the terminal device, where the UPU/SoR capability of the terminal device can indicate whether the terminal device supports slice-based SoR information.
In an embodiment of the present application, the first indication information includes at least one of the following information:
- UE parameter update (UPU)/steering of roaming (SoR) capability information of the terminal device;
- location information of the terminal device;
- the requested network slice selection assistance information (Requested Network Slice Selection Assistance Information, Requested NSSAI) of the terminal device.
In an embodiment of the present application, the security information includes at least one of the following:
- second indication information, used for indicating the security mechanism adopted for the first indication information;
- a terminal capability counter Counter_UC;
- an integrity check code.
The terminal capability counter Counter_UC is a counter generated by the terminal device; it can be used to protect the integrity and confidentiality of the first information and can also be used to verify the freshness of the first information.
In some embodiments, the terminal device adopts a security mechanism of integrity protection for the first indication information, and the first information includes the first indication information, the second indication information, the terminal capability counter Counter_UC and the integrity check code. The integrity check code is generated by the terminal device from the security key corresponding to the terminal device, the terminal capability counter Counter_UC, the second indication information and the first indication information. The second indication information is also used to indicate the integrity protection algorithm adopted to generate the integrity check code.
In some embodiments, the terminal device adopts a security mechanism of integrity protection for the first indication information, and the first information includes the first indication information, the terminal capability counter Counter_UC and the integrity check code. The integrity check code is generated by the terminal device from the security key corresponding to the terminal device, the terminal capability counter Counter_UC and the first indication information, using a preset integrity protection algorithm.
That is, if the terminal device does not include the second indication information in the first information sent to the core network device, the terminal device is considered to adopt the security mechanism of integrity protection with a preset integrity protection algorithm. The preset integrity protection algorithm may be specified by a protocol or indicated by the network side.
In some embodiments, the terminal device adopts a security mechanism of integrity and confidentiality protection for the first indication information, and the first information includes the encrypted first indication information, the second indication information, the terminal capability counter Counter_UC and the integrity check code. The encrypted first indication information is obtained by the terminal device encrypting the first indication information using the security key corresponding to the terminal device and the terminal capability counter Counter_UC. The integrity check code is generated by the terminal device from the security key, the terminal capability counter Counter_UC, the second indication information and the encrypted first indication information. The second indication information is also used to indicate the confidentiality protection algorithm adopted for the encrypted first indication information and the integrity protection algorithm adopted for the integrity check code.
In the embodiment of the application, the terminal device sets an initial value for the terminal capability counter Counter_UC, and if the security key of the terminal device is updated, the terminal device resets the terminal capability counter Counter_UC to the initial value.
Optionally, in embodiments of the present application, the terminal capability counter Counter_UC may be a 16-bit counter associated with the security key of the terminal device, and the terminal device resets the terminal capability counter Counter_UC to the initial value when the security key is updated.
Optionally, the initial value of the terminal capability counter Counter_UC may be 0x00 0x01.
Optionally, the terminal device may store the terminal capability counter Counter_UC in a universal subscriber identity module (Universal Subscriber Identity Module, USIM) that supports both parameter storage and parameter extension storage, or may store the terminal capability counter Counter_UC in a non-volatile memory of the mobile equipment (Mobile Equipment, ME).
In the embodiment of the application, each time after the integrity check code is generated based on the terminal capability counter Counter_UC, the terminal device updates the value of the terminal capability counter Counter_UC.
Optionally, each time after the integrity check code is generated based on the terminal capability counter Counter_UC, the value of the terminal capability counter Counter_UC is incremented.
Optionally, the initial value of the terminal capability counter Counter_UC may be 0x00 0x01; after the integrity check code is generated based on the terminal capability counter Counter_UC for the first time, the terminal device updates the value of the terminal capability counter Counter_UC to 0x00 0x02. The value 0x00 0x00 is not used to calculate the integrity check code.
In some embodiments, if the value of the terminal capability counter Counter_UC reaches its maximum value, the terminal device can cease indicating the capability of the terminal device to the first core network device.
In the embodiment of the application, the terminal capability counter Counter_UC is valid during the validity period of the security key corresponding to the terminal device.
In the embodiment of the present application, the first information sent by the terminal device to the first core network device may be forwarded to the second core network device for verification. The second core network device is an authentication service function AUSF.
It should be noted that, in the embodiments of the present application, the security key corresponds to the terminal device, and both the terminal device and the AUSF store the security key. Alternatively, the security key may be K_AUSF, the SUPI of the terminal device, or other information pre-agreed between the terminal device and the AUSF.
K_AUSF is generated by the AUSF in the home network of the terminal device when the terminal device initially registers; both the terminal device and the AUSF store K_AUSF, and K_AUSF corresponds to the terminal device.
It can be understood that in the embodiments of the present application, the information interaction between the terminal device and the core network device is completed through transparent transmission of the access network device.
In summary, the terminal device sends the first information and/or the identifier of the terminal device to the first core network device through the access network, so that the terminal device can resist sniffing, deletion or tampering by the access network of the information it sends, safely indicate its own capability information to the home network, protect the security of the information interaction between the terminal device and the home network, and improve the security of the system.
Referring to fig. 3, fig. 3 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. It should be noted that, the method for indicating the capability of the terminal device in the embodiment of the present application is executed by the terminal device. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 3, the method may include the steps of:
Step 301, generating an integrity check code according to the security key K_AUSF corresponding to the terminal device, the terminal capability counter, the second indication information and the first indication information.
In the embodiment of the application, the terminal device adopts a security mechanism of integrity protection. The terminal device can generate the integrity check code UC-MAC1-I_UE according to the security key K_AUSF corresponding to the terminal device, the terminal capability counter Counter_UC, the second indication information and the first indication information.
The first indication information is used for indicating the capability of the terminal device; the second indication information is used for indicating the security mechanism of integrity protection adopted for the first indication information and the integrity protection algorithm adopted for generating the integrity check code.
Optionally, the first indication information is used for indicating UPU/SoR capability of the terminal device, and indicating whether the terminal device supports slice-based SoR information.
In an embodiment of the present application, the first indication information includes at least one of the following information:
the UE parameter update (UPU)/steering of roaming (SoR) capability information of the terminal device;
position information of the terminal device;
the requested network slice selection assistance information (Requested NSSAI) of the terminal device.
The first indication is transparent to the visited network, i.e. the first indication is protected by the home network security information.
In some embodiments, a key derivation function (KDF) may be employed to generate the integrity check code UC-MAC1-I_UE.
Optionally, when generating the integrity check code UC-MAC1-I_UE, the key input parameter KEY of the key derivation function KDF is the security key K_AUSF. The input parameter S of the key derivation function KDF may include:
the code number FC of the key derivation function;
the parameter P0 is first indication information;
the parameter L0 is the length of the data included in the parameter P0, that is, the length of the data of the first indication information;
the parameter P1 is the terminal capability counter Counter_UC;
the parameter L1 is the length of the terminal capability counter Counter_UC;
the parameter P2 is second indication information;
the parameter L2 is the length of the data included in the parameter P2, that is, the length of the data of the second indication information.
In embodiments of the present application, the terminal device may set an initial value for the terminal capability counter Counter_UC, and if the security key K_AUSF of the terminal device is updated, the terminal device resets the terminal capability counter Counter_UC to the initial value.
Optionally, in various embodiments of the present application, the terminal capability counter Counter_UC may be a 16-bit counter associated with the security key K_AUSF of the terminal device; when the security key K_AUSF is updated, the terminal device may reset the terminal capability counter Counter_UC to the initial value.
Optionally, the initial value of the terminal capability counter Counter_UC may be 0x00 0x01.
Alternatively, the terminal device may store the terminal capability counter Counter_UC in the USIM (the USIM supports both parameter storage and parameter extension storage) or in a non-volatile memory of the mobile equipment.
In the embodiment of the application, each time an integrity check code is generated based on the terminal capability counter Counter_UC, the terminal device updates the value of the terminal capability counter Counter_UC.
Optionally, each time an integrity check code is generated based on the terminal capability counter Counter_UC, the value of the terminal capability counter Counter_UC is incremented.
Optionally, the initial value of the terminal capability counter Counter_UC may be 0x00 0x01; after the integrity check code has been generated based on the terminal capability counter Counter_UC for the first time, the terminal device updates the terminal capability counter Counter_UC to 0x00 0x02. The value 0x00 0x00 is not used to calculate the integrity check code.
In some embodiments, if the value of the terminal capability counter Counter_UC reaches the maximum value of the terminal capability counter Counter_UC, the terminal device may cease indicating the capability of the terminal device to the first core network device.
In the embodiment of the application, the terminal capability counter Counter_UC is valid within the validity period of the K_AUSF corresponding to the terminal device.
Step 302, sending, by the visited network, first information and/or an identifier of the terminal device to a first core network device of the home network, where the first information includes the first indication information, the second indication information, the terminal capability counter and the integrity check code.
In the embodiment of the application, after generating the integrity check code UC-MAC1-I_UE, the terminal device can send the first information to the first core network device through the access network, where the first information includes the first indication information, the second indication information, the terminal capability counter Counter_UC and the integrity check code UC-MAC1-I_UE generated in step 301.
In embodiments of the present application, the terminal device may initiate the capability indication procedure when performing an initial registration or when the terminal device considers that the home network needs to guide a change of the terminal device (e.g., a terminal device capability change or the terminal device requesting a new network slice).
In the embodiment of the present application, the first indication information may be included in a core network registration request of the terminal device. The first indication information may indicate that the terminal device requests the UDM of the home network to provide the terminal device with information related to the subscribed/requested NSSAI in the current visited network and in other visited networks where the terminal device is currently located.
In an embodiment of the present application, the first core network device may be the unified data management (UDM) in the home network HPLMN. The terminal device may send the first information to the UDM via an AMF in the visited network VPLMN.
In some embodiments, the terminal device may include the first information in a Registration Request sent to the AMF, and the AMF may include the first information in a Nudm_UECM_Reg request sent to the UDM. Meanwhile, the AMF may also transparently forward the identity of the terminal device to the UDM.
Alternatively, the identity of the terminal device may be a subscription permanent identifier (SUPI) or a subscription concealed identifier (SUCI).
In the embodiment of the present application, the first information sent by the terminal device to the first core network device UDM is forwarded to the second core network device for verification. The second core network device is an authentication service function AUSF.
In summary, an integrity check code is generated from the security key K_AUSF corresponding to the terminal device, the terminal capability counter, the second indication information and the first indication information, and the first information and/or the identifier of the terminal device are/is sent to the first core network device of the home network through the visited network, where the first information includes the first indication information, the second indication information, the terminal capability counter and the integrity check code. This enables the terminal device to resist sniffing, deletion or tampering by the visited network of the information it sends, safely indicate its own capability information to the home network, protect the security of the information interaction between the terminal device and the home network, and improve the security of the system.
Referring to fig. 4, fig. 4 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. It should be noted that, the method for indicating the capability of the terminal device in the embodiment of the present application is executed by the terminal device. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 4, the method may include the steps of:
Step 401, generating an integrity check code by adopting a preset integrity protection algorithm according to the security key K_AUSF corresponding to the terminal device, the terminal capability counter and the first indication information.
In the embodiment of the application, the terminal device adopts a security mechanism of integrity protection. The terminal device can generate the integrity check code UC-MAC1-I_UE by adopting a preset integrity protection algorithm according to the security key K_AUSF corresponding to the terminal device, the terminal capability counter Counter_UC and the first indication information.
The first indication information is used for indicating the capability of the terminal equipment. That is, if the terminal device does not include the second indication information in the first information sent to the core network device, the terminal device is considered to adopt the security mechanism of integrity protection and adopts a preset integrity protection algorithm. The preset integrity protection algorithm may be specified by a protocol or indicated by a network side.
Optionally, the first indication information is used for indicating UPU/SoR capability of the terminal device, and indicating whether the terminal device supports slice-based SoR information.
In an embodiment of the present application, the first indication information includes at least one of the following information:
the UE parameter update (UPU)/steering of roaming (SoR) capability information of the terminal device;
position information of the terminal device;
the requested network slice selection assistance information (Requested NSSAI) of the terminal device.
The first indication is transparent to the visited network, i.e. the first indication is protected by the home network security information.
In some embodiments, a key derivation function (KDF) may be employed to generate the integrity check code UC-MAC1-I_UE.
Optionally, when generating the integrity check code UC-MAC1-I_UE, the key input parameter KEY of the key derivation function KDF is the security key K_AUSF. The input parameter S of the key derivation function KDF may include:
the code number FC of the key derivation function;
the parameter P0 is first indication information;
the parameter L0 is the length of the data included in the parameter P0, that is, the length of the data of the first indication information;
the parameter P1 is the terminal capability counter Counter_UC;
the parameter L1 is the length of the terminal capability counter Counter_UC.
In the embodiment of the application, the related information of the terminal capability counter Counter_UC may be as described in any embodiment of the present application and is not described in detail here.
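The KDF-based integrity check code of steps 301 and 401 (with and without the second indication information as P2), together with the Counter_UC handling described above and the AUSF-side verification the later embodiments rely on, as an added worked example that is not the patent's own code. The patent does not fix the KDF instance, the FC value or the MAC length, so this example assumes the generic 3GPP KDF of TS 33.220 (HMAC-SHA-256 with 2-octet length fields), a placeholder FC and a 128-bit truncation; the sample indication values are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: generic 3GPP KDF, HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 [|| P2 || L2].
FC_UE_CAPABILITY = 0x7F   # placeholder FC, not taken from the patent
MAC_LEN = 16              # assumption: keep the 128 least significant bits

COUNTER_INITIAL = 0x0001  # 0x00 0x01 per the text; 0x00 0x00 is never used
COUNTER_MAX = 0xFFFF      # Counter_UC is a 16-bit counter


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256(KEY, FC || P0 || L0 || P1 || L1 ...), Li as 2-octet lengths."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def uc_mac1_iue(k_ausf: bytes, counter_uc: int, first_ind: bytes,
                second_ind: Optional[bytes]) -> bytes:
    """UC-MAC1-I_UE with P0 = first indication, P1 = Counter_UC and, when the
    terminal includes it (step 301), P2 = second indication; without P2 the
    input set is the one of step 401 (preset integrity algorithm)."""
    params = [first_ind, counter_uc.to_bytes(2, "big")]
    if second_ind is not None:
        params.append(second_ind)
    return kdf(k_ausf, FC_UE_CAPABILITY, *params)[-MAC_LEN:]


class TerminalDevice:
    """UE side: holds K_AUSF and Counter_UC and builds the first information."""

    def __init__(self, k_ausf: bytes) -> None:
        self.k_ausf = k_ausf
        self.counter_uc = COUNTER_INITIAL

    def rekey(self, new_k_ausf: bytes) -> None:
        # A refreshed K_AUSF resets Counter_UC to its initial value.
        self.k_ausf = new_k_ausf
        self.counter_uc = COUNTER_INITIAL

    def build_first_information(self, first_ind: bytes,
                                second_ind: Optional[bytes] = None) -> dict:
        if self.counter_uc >= COUNTER_MAX:
            # Counter reached its maximum: stop indicating until K_AUSF is refreshed.
            raise RuntimeError("Counter_UC exhausted; wait for a new K_AUSF")
        mac = uc_mac1_iue(self.k_ausf, self.counter_uc, first_ind, second_ind)
        info = {"first_indication": first_ind, "second_indication": second_ind,
                "counter_uc": self.counter_uc, "mac": mac}
        self.counter_uc += 1      # updated after every integrity check code
        return info


class Ausf:
    """Home-network AUSF: checks Counter_UC freshness and the integrity check code."""

    def __init__(self, k_ausf: bytes) -> None:
        self.k_ausf = k_ausf
        self.highest_seen = 0     # 0x0000 is never a valid Counter_UC

    def verify(self, info: dict) -> bool:
        ctr = info["counter_uc"]
        if not (self.highest_seen < ctr <= COUNTER_MAX):
            return False          # replayed, reordered or out-of-range counter
        expected = uc_mac1_iue(self.k_ausf, ctr, info["first_indication"],
                               info["second_indication"])
        if not hmac.compare_digest(expected, info["mac"]):
            return False          # modified in transit by the visited/access network
        self.highest_seen = ctr
        return True


def demo() -> dict:
    """Constructed run: tampered, genuine, replayed and step-401-style messages."""
    k_ausf = hashlib.sha256(b"constructed K_AUSF for this example").digest()
    ue, ausf = TerminalDevice(k_ausf), Ausf(k_ausf)
    first_ind = b"\x01"           # constructed: 'supports slice-based SoR'
    second_ind = b"\x01\x02"      # constructed: mechanism + integrity algorithm id

    genuine = ue.build_first_information(first_ind, second_ind)
    tampered = dict(genuine, first_indication=b"\x00")  # capability bit flipped
    ok_tampered = ausf.verify(tampered)                 # MAC mismatch -> False
    ok_genuine = ausf.verify(genuine)                   # -> True

    replayed = ue.build_first_information(first_ind, second_ind)
    ausf.verify(replayed)                               # accepted once ...
    ok_replay = ausf.verify(replayed)                   # ... rejected on replay

    no_p2 = ue.build_first_information(first_ind)       # no second indication
    ok_no_p2 = ausf.verify(no_p2)
    return {"genuine": ok_genuine, "tampered": ok_tampered, "replay": ok_replay,
            "no_second_indication": ok_no_p2, "next_counter": ue.counter_uc}
```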
Step 402, sending, by the visited network, first information and/or an identifier of the terminal device to a first core network device of the home network, where the first information includes the first indication information, the terminal capability counter and the integrity check code.
In the embodiment of the application, after generating the integrity check code UC-MAC1-I_UE, the terminal device can send the first information to the first core network device through the access network, where the first information includes the first indication information, the terminal capability counter Counter_UC and the integrity check code UC-MAC1-I_UE generated in step 401.
In embodiments of the present application, the terminal device may initiate the capability indication procedure when performing an initial registration or when the terminal device considers that the home network needs to guide a change of the terminal device (e.g., a terminal device capability change or the terminal device requesting a new network slice).
In the embodiment of the present application, the first indication information may be included in a core network registration request of the terminal device. The first indication information may indicate that the terminal device requests the UDM of the home network to provide the terminal device with information related to the subscribed/requested NSSAI in the current visited network and in other visited networks where the terminal device is currently located.
In an embodiment of the present application, the first core network device may be the unified data management (UDM) in the home network HPLMN. The terminal device may send the first information to the UDM via an AMF in the visited network VPLMN.
In some embodiments, the terminal device may include the first information in a Registration Request sent to the AMF, and the AMF may include the first information in a Nudm_UECM_Reg request sent to the UDM. Meanwhile, the AMF may also transparently forward the identity of the terminal device to the UDM.
Alternatively, the identity of the terminal device may be a subscription permanent identifier (SUPI) or a subscription concealed identifier (SUCI).
In the embodiment of the present application, the first information sent by the terminal device to the first core network device UDM is forwarded to the second core network device for verification. The second core network device is an authentication service function AUSF.
In summary, an integrity check code is generated with a preset integrity protection algorithm from the security key K_AUSF corresponding to the terminal device, the terminal capability counter and the first indication information, and the first information and/or the identifier of the terminal device are/is sent to the first core network device of the home network through the access network, where the first information includes the first indication information, the terminal capability counter and the integrity check code. This enables the terminal device to resist sniffing, deletion or tampering by the access network of the information it sends, safely indicate its own capability information to the home network, protect the security of the information interaction between the terminal device and the home network, and improve the security of the system.
Referring to fig. 5, fig. 5 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. It should be noted that, the method for indicating the capability of the terminal device in the embodiment of the present application is executed by the terminal device. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 5, the method may include the steps of:
Step 501, encrypting the first indication information with the security key K_AUSF corresponding to the terminal device and the terminal capability counter to obtain encrypted first indication information.
In the embodiment of the application, the terminal device adopts a security mechanism for integrity and confidentiality protection. The terminal device can encrypt the first indication information with the security key K_AUSF corresponding to the terminal device and the terminal capability counter Counter_UC to obtain the encrypted first indication information.
The first indication information is used for indicating the capability of the terminal equipment.
Optionally, the first indication information is used for indicating UPU/SoR capability of the terminal device, and indicating whether the terminal device supports slice-based SoR information.
In an embodiment of the present application, the first indication information includes at least one of the following information:
the UE parameter update (UPU)/steering of roaming (SoR) capability information of the terminal device;
position information of the terminal device;
the requested network slice selection assistance information (Requested NSSAI) of the terminal device.
The first indication is transparent to the visited network, i.e. the first indication is protected by the home network security information.
In the embodiment of the application, the terminal equipment can indicate the confidentiality protection algorithm adopted by the terminal equipment for encrypting the first indication information to the core network equipment through the second indication information. That is, the second indication information is used to indicate a security mechanism for integrity and confidentiality protection, and to indicate a confidentiality protection algorithm employed to encrypt the first indication information, and an integrity protection algorithm employed to generate an integrity check code.
In some embodiments, the input parameters of the confidentiality protection algorithm may be:
the parameter KEY is the security key K_AUSF;
the parameter COUNT is the terminal capability counter Counter_UC;
the parameter BEARER is 0x00;
the parameter DIRECTION is 0x00;
the parameter LENGTH is LEN(first indication information), where LEN(x) denotes the length of x in bits.
The confidentiality protection algorithm may be selectively determined by the terminal device according to its own security capability, and indicated to the AUSF by the second indication information.
It should be noted that, regarding the confidentiality protection algorithm used, reference may be made to Annex D.1 of 3GPP technical specification TS 33.501; for the use and mode of operation of the confidentiality protection algorithm, reference may be made to the provisions of Annex D.2 of 3GPP technical specification TS 33.501.
Step 502, generating an integrity check code based on the security key K_AUSF, the terminal capability counter, the second indication information and the encrypted first indication information.
In the embodiment of the application, the terminal device adopts a security mechanism for integrity and confidentiality protection. The terminal device can generate the integrity check code UC-MAC2-I_UE based on the security key K_AUSF, the terminal capability counter Counter_UC, the second indication information and the encrypted first indication information obtained in step 501.
The first indication information is used for indicating the capability of the terminal equipment. The second indication information is used for indicating a security mechanism adopting integrity and confidentiality protection, and is used for indicating a confidentiality protection algorithm adopted for encrypting the first indication information and an integrity protection algorithm adopted for generating the integrity check code.
In some embodiments, the integrity check code UC-MAC2-I_UE may be generated using a key derivation function KDF.
Optionally, when generating the integrity check code UC-MAC2-I_UE, the key input parameter KEY of the key derivation function KDF is the security key K_AUSF. The input parameter S of the key derivation function KDF may include:
the code number FC of the key derivation function;
the parameter P0 is the encrypted first indication information;
the parameter L0 is the length of the data included in the parameter P0, that is, the length of the data of the encrypted first indication information;
the parameter P1 is the terminal capability counter Counter_UC;
the parameter L1 is the length of the terminal capability counter Counter_UC;
the parameter P2 is second indication information;
the parameter L2 is the length of the data included in the parameter P2, that is, the length of the data of the second indication information.
In the embodiment of the application, the related information of the terminal capability counter Counter_UC may be as described in any embodiment of the present application and is not described in detail here.
Step 503, the first information and/or the identifier of the terminal device are/is sent to the first core network device of the home network through the visited network, where the first information includes the first indication information, the second indication information, the terminal capability counter and the integrity check code.
In the embodiment of the application, after generating the integrity check code UC-MAC2-I_UE, the terminal device can send the first information to the first core network device through the access network, where the first information includes the encrypted first indication information obtained in step 501, the second indication information, the terminal capability counter Counter_UC and the integrity check code UC-MAC2-I_UE generated in step 502.
In embodiments of the present application, the terminal device may initiate the capability indication procedure when performing an initial registration or when the terminal device considers that the home network needs to guide a change of the terminal device (e.g., a terminal device capability change or the terminal device requesting a new network slice).
In the embodiment of the present application, the first indication information may be included in a core network registration request of the terminal device. The first indication information may indicate that the terminal device requests the UDM of the home network to provide the terminal device with information related to the subscribed/requested NSSAI in the current visited network and in other visited networks where the terminal device is currently located.
In an embodiment of the present application, the first core network device may be the unified data management (UDM) in the home network HPLMN. The terminal device may send the first information to the UDM via an AMF in the visited network VPLMN.
In some embodiments, the terminal device may include the first information in a Registration Request sent to the AMF, and the AMF may include the first information in a Nudm_UECM_Reg request sent to the UDM. Meanwhile, the AMF may also transparently forward the identity of the terminal device to the UDM.
Alternatively, the identity of the terminal device may be a subscription permanent identifier (SUPI) or a subscription concealed identifier (SUCI).
In the embodiment of the present application, the first information sent by the terminal device to the first core network device UDM is forwarded to the second core network device for verification. The second core network device is an authentication service function AUSF.
In summary, the first indication information is encrypted with the security key K_AUSF corresponding to the terminal device and the terminal capability counter to obtain encrypted first indication information, an integrity check code is generated from the security key K_AUSF, the terminal capability counter, the second indication information and the encrypted first indication information, and the first information and/or the identifier of the terminal device are/is sent to the first core network device of the home network through the access network, where the first information includes the encrypted first indication information, the second indication information, the terminal capability counter and the integrity check code. This enables the terminal device to resist sniffing, deletion or tampering by the access network of the information it sends, safely indicate its own capability information to the home network, protect the security of the information interaction between the terminal device and the home network, and improve the security of the system.
Referring to fig. 6, fig. 6 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. It should be noted that, the method for indicating the capability of the terminal device in the embodiment of the present application is executed by the first core network device. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 6, the method may include the steps of:
step 601, receiving first information sent by a terminal device through an access network and/or an identification of the terminal device.
In the embodiment of the application, the first core network device of the home network can receive the first information and/or the identifier of the terminal device, which are sent by the terminal device through the access network, and the first information can indicate the capability of the terminal device.
The first information comprises first indication information and safety information, wherein the first indication information is used for indicating the capability of the terminal equipment.
Alternatively, the identity of the terminal device may be a subscription permanent identifier (SUPI) or a subscription concealed identifier (SUCI).
Alternatively, the first core network device may not receive the SUPI or the SUCI sent by the terminal device, but instead obtain the SUPI of the terminal device from the session parameters and send the SUPI or the SUCI to the second core network device.
In an embodiment of the present application, the first core network device may be the unified data management (UDM) in the home network HPLMN. The UDM may receive the first information sent by the terminal device via the AMF in the visited network VPLMN.
Optionally, the capability of the terminal device is a UPU/SoR capability of the terminal device, where the UPU/SoR capability of the terminal device can indicate whether the terminal device supports slice-based SoR information.
In an embodiment of the present application, the first indication information may include at least one of the following information:
the UE parameter update (UPU)/steering of roaming (SoR) capability information of the terminal device;
position information of the terminal device;
the requested network slice selection assistance information (Requested NSSAI) of the terminal device.
In an embodiment of the present application, the security information may include at least one of:
the second indication information is used for indicating a security mechanism adopted by the first indication information;
the terminal capability counter Counter_UC;
An integrity check code.
The terminal capability counter Counter_UC is a counter generated by the terminal device; it can be used to protect the integrity and confidentiality of the first information and can also be used to verify the freshness of the first information. In the embodiment of the application, the related information of the terminal capability counter Counter_UC may be as described in any embodiment of the present application and is not described in detail here.
In some embodiments, the terminal device employs a security mechanism of integrity protection for the first indication information, and the first information includes the first indication information, the second indication information, the terminal capability counter and the integrity check code. The integrity check code is generated by the terminal device based on the security key corresponding to the terminal device, the terminal capability counter Counter_UC, the second indication information and the first indication information. The second indication information is further used to indicate the integrity protection algorithm employed to generate the integrity check code.
In some embodiments, the terminal device employs a security mechanism of integrity protection for the first indication information, and the first information includes the first indication information, the terminal capability counter and the integrity check code. The integrity check code is generated by the terminal device with a preset integrity protection algorithm based on the security key corresponding to the terminal device, the terminal capability counter Counter_UC and the first indication information.
That is, if the terminal device does not include the second indication information in the first information sent to the core network device, the terminal device is considered to adopt the security mechanism of integrity protection with a preset integrity protection algorithm. The preset integrity protection algorithm may be specified by a protocol or indicated by the network side.
In some embodiments, the terminal device employs a security mechanism for integrity and confidentiality protection of the first indication information, and the first information includes the encrypted first indication information, the second indication information, the terminal capability counter Counter_UC and the integrity check code. The encrypted first indication information is obtained by the terminal device encrypting the first indication information with the security key corresponding to the terminal device and the terminal capability counter Counter_UC. The integrity check code is generated by the terminal device based on the security key, the terminal capability counter Counter_UC, the second indication information and the encrypted first indication information. The second indication information is further used for indicating the confidentiality protection algorithm adopted for encrypting the first indication information and the integrity protection algorithm adopted for generating the integrity check code.
It should be noted that, in the embodiments of the present application, the security key corresponds to the terminal device, and both the terminal device and the AUSF store the security key. Alternatively, the security key may be K_AUSF, the SUPI of the terminal device, or other information pre-agreed between the terminal device and the AUSF.
In the embodiment of the application, the first core network device can send the first information and the identifier of the terminal device to the second core network device, so that the second core network device verifies whether the first information is tampered according to the integrity check code in the first information. The second core network device may be an authentication service function AUSF.
Optionally, the identifier of the terminal device sent by the first core network device to the second core network device is the SUPI.
It can be understood that if the identifier of the terminal device acquired by the first core network device is a SUPI, the first core network device directly sends the SUPI of the terminal device to the second core network device, and if the identifier of the terminal device acquired by the first core network device is a SUCI, the first core network device decrypts the SUCI to obtain the SUPI of the terminal device, and sends the SUPI to the second core network device.
In the embodiment of the application, the first core network device can also receive the first indication information sent by the second core network device after verification, and can determine the capability of the terminal device according to the first indication information, and determine whether the terminal device supports slice-based SoR information.
It may be appreciated that, in the embodiment of the present application, after the first core network device acquires the capability of the terminal device, the first core network device may request SoR information based on the network slice from the SoR AF according to the capability of the terminal device, and so on.
In summary, by receiving the first information and/or the identifier of the terminal device sent by the terminal device through the access network, the terminal device can resist sniffing, deleting or tampering of the information sent by the terminal device by the access network, safely indicate own capability information to the home network, protect information interaction security between the terminal device and the home network, and improve the security of the system.
Referring to fig. 7, fig. 7 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. It should be noted that, the method for indicating the capability of the terminal device in the embodiment of the present application is executed by the first core network device. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 7, the method may include the steps of:
Step 701, receiving first information and/or an identifier of a terminal device, sent by the terminal device through an access network.
In the embodiment of the application, the first core network device of the home network can receive the first information and/or the identifier of the terminal device, which are sent by the terminal device through the access network, and the first information can indicate the capability of the terminal device.
The first information includes first indication information and security information, where the first indication information is used to indicate the capability of the terminal device.
Optionally, the identifier of the terminal device may be a user permanent identifier SUPI or a user concealed identifier SUCI.
Optionally, the first core network device may not receive the SUPI or the SUCI sent by the terminal device, but instead obtain the SUPI of the terminal device from the session parameters, and send the SUPI or the SUCI to the second core network device.
In an embodiment of the present application, the first core network device may be the unified data management UDM in the home network HPLMN. The UDM may receive the first information sent by the terminal device via the AMF in the visited network VPLMN.
In some embodiments, the terminal device may include the first information in a registration request Registration Request, send to the AMF, and the AMF may include the first information in a nudm_uecm_reg request, and send to the UDM. Meanwhile, the AMF may also transparently forward the identity of the terminal device to the UDM.
Optionally, the capability of the terminal device is a UPU/SoR capability of the terminal device, where the UPU/SoR capability of the terminal device can indicate whether the terminal device supports slice-based SoR information.
In an embodiment of the present application, the first indication information may include at least one of the following information:
UE parameter update UPU / steering of roaming SoR capability information of the terminal device;
location information of the terminal device;
network slice selection assistance information requested by the terminal device, Requested NSSAI.
In an embodiment of the present application, the security information may include at least one of:
the second indication information is used for indicating a security mechanism adopted by the first indication information;
a terminal capability Counter_UC;
an integrity check code.
The terminal capability Counter_UC is a counter generated by the terminal device; it can be used to protect the integrity and confidentiality of the first information and can also be used to verify the freshness of the first information. Details of the terminal capability Counter_UC are described in other embodiments of the present application and are not repeated here.
In some embodiments, the terminal device adopts a security mechanism of integrity protection for the first indication information, where the first information includes the first indication information, the second indication information, the terminal capability Counter_UC, and the integrity check code. The integrity check code is generated by the terminal device from the security key K_AUSF corresponding to the terminal device, the terminal capability Counter_UC, the second indication information, and the first indication information. The second indication information is also used to indicate the integrity protection algorithm employed to generate the integrity check code.
In some embodiments, the terminal device adopts a security mechanism of integrity protection for the first indication information, where the first information includes the first indication information, the terminal capability Counter_UC and the integrity check code. The integrity check code is generated by the terminal device from the security key K_AUSF corresponding to the terminal device, the terminal capability Counter_UC and the first indication information, using a preset integrity protection algorithm.
That is, if the terminal device does not include the second indication information in the first information sent to the core network device, the terminal device is considered to adopt the security mechanism of integrity protection with a preset integrity protection algorithm. The preset integrity protection algorithm may be specified by a protocol or indicated by the network side.
In some embodiments, the terminal device adopts a security mechanism of integrity and confidentiality protection for the first indication information, where the first information includes the encrypted first indication information, the second indication information, the terminal capability Counter_UC and the integrity check code. The encrypted first indication information is obtained by the terminal device encrypting the first indication information using the security key K_AUSF corresponding to the terminal device and the terminal capability Counter_UC. The integrity check code is generated by the terminal device from the security key K_AUSF, the terminal capability Counter_UC, the second indication information, and the encrypted first indication information. The second indication information is also used to indicate the confidentiality protection algorithm used to produce the encrypted first indication information and the integrity protection algorithm used to generate the integrity check code.
Step 702, sending the first information and the identifier of the terminal device to the second core network device.
The integrity check code in the first information is used by the second core network device to verify whether the first information has been tampered with. The identifier of the terminal device is used by the second core network device to identify the security key K_AUSF corresponding to the terminal device.
Optionally, the identifier of the terminal device is the SUPI.
It can be understood that if the identifier of the terminal device acquired by the first core network device is a SUPI, the first core network device directly sends the SUPI of the terminal device to the second core network device, and if the identifier of the terminal device acquired by the first core network device is a SUCI, the first core network device decrypts the SUCI to obtain the SUPI of the terminal device, and sends the SUPI to the second core network device.
In the embodiment of the application, the first core network device can also receive the first indication information sent by the second core network device after verification, and can determine the capability of the terminal device according to the first indication information, and determine whether the terminal device supports slice-based SoR information.
It may be appreciated that, in the embodiment of the present application, after the first core network device acquires the capability of the terminal device, the first core network device may request SoR information based on the network slice from the SoR AF according to the capability of the terminal device, and so on.
In summary, by receiving the first information and the identifier of the terminal device sent by the terminal device through the access network, and sending the first information and the identifier of the terminal device to the second core network device, the terminal device can resist sniffing, deleting or tampering of the information sent by the terminal device by the access network, safely indicate its own capability information to the home network, protect the security of information interaction between the terminal device and the home network, and improve the security of the system.
Referring to fig. 8, fig. 8 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. It should be noted that, the method for indicating the capability of the terminal device in the embodiment of the present application is executed by the second core network device. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 8, the method may include the steps of:
Step 801, receiving first information and an identifier of a terminal device sent by a first core network device.
The first information includes first indication information and security information, where the first indication information is used to indicate the capability of the terminal device.
In the embodiment of the application, the second core network device can receive the first information and the terminal device identifier sent by the first core network device, determine a security mechanism according to the security information included in the first information, and verify whether the first information is tampered.
In the embodiment of the present application, the first core network device may be a unified data management UDM in the home network HPLMN, and the second core network device may be an authentication service function AUSF in the HPLMN.
Optionally, the first indication information is used for indicating UPU/SoR capability of the terminal device, and indicating whether the terminal device supports slice-based SoR information.
In an embodiment of the present application, the first indication information may include at least one of the following information:
UE parameter update UPU / steering of roaming SoR capability information of the terminal device;
location information of the terminal device;
network slice selection assistance information requested by the terminal device, Requested NSSAI.
In an embodiment of the present application, the security information may include at least one of:
the second indication information is used for indicating a security mechanism adopted by the first indication information;
a terminal capability Counter_UC;
an integrity check code.
The terminal capability Counter_UC is a counter generated by the terminal device; it can be used to protect the integrity and confidentiality of the first information and can also be used to verify the freshness of the first information. Details of the terminal capability Counter_UC are described in other embodiments of the present application and are not repeated here.
In the embodiment of the present application, the second core network device receives the identifier of the terminal device sent by the first core network device, and can determine the security key corresponding to the terminal device that it stores according to the identifier of the terminal device.
Optionally, the identifier of the terminal device is SUPI.
In some embodiments, in response to the received first information including second indication information that indicates a security mechanism of integrity protection, the second core network device can determine, according to the identifier of the terminal device, the security key corresponding to the terminal device stored in the second core network device; then generate a new integrity check code from the security key, the terminal capability Counter_UC in the first information, the second indication information in the first information and the first indication information in the first information, using the integrity protection algorithm indicated by the second indication information; and judge whether the new integrity check code is consistent with the integrity check code in the first information.
If the new integrity check code is consistent with the integrity check code in the first information, the first indication information is sent to first core network equipment;
if the new integrity check code is inconsistent with the integrity check code in the first information, terminating the indicating process of the capability of the terminal device.
In some embodiments, in response to the received first information not including second indication information, the second core network device can determine, according to the identifier of the terminal device, the security key corresponding to the terminal device stored in the second core network device; then generate a new integrity check code from the security key, the terminal capability Counter_UC in the first information and the first indication information in the first information, using a preset integrity protection algorithm; and judge whether the new integrity check code is consistent with the integrity check code in the first information. The preset integrity protection algorithm may be specified by a protocol or indicated by the network side.
If the new integrity check code is consistent with the integrity check code in the first information, the first indication information is sent to first core network equipment;
if the new integrity check code is inconsistent with the integrity check code in the first information, terminating the indicating process of the capability of the terminal device.
In some embodiments, in response to the received first information including second indication information that indicates a security mechanism of integrity and confidentiality protection, the second core network device can determine, according to the identifier of the terminal device, the security key corresponding to the terminal device stored in the second core network device; then generate a new integrity check code from the security key, the terminal capability Counter_UC in the first information, the second indication information in the first information and the encrypted first indication information in the first information, using the integrity protection algorithm indicated by the second indication information; and judge whether the new integrity check code is consistent with the integrity check code in the first information.
If the new integrity check code is consistent with the integrity check code in the first information, the first indication information is sent to the first core network device, where the first indication information is obtained by decrypting the encrypted first indication information in the first information using the confidentiality protection algorithm indicated by the second indication information, based on the security key and the terminal capability Counter_UC;
if the new integrity check code is inconsistent with the integrity check code in the first information, terminating the indicating process of the capability of the terminal device.
In the embodiment of the present application, after receiving the first information, the second core network device can determine whether the value of the terminal capability Counter_UC in the first information is greater than the value of the terminal capability Counter_UC stored in the second core network device. Only when the received value of the terminal capability Counter_UC is greater than the stored value is the first information considered fresh, and only then does the second core network device generate the new integrity check code based on the received terminal capability Counter_UC.
In some embodiments, if the new integrity check code generated by the second core network device is consistent with the integrity check code in the received first information, the second core network device can store the value of the terminal capability Counter_UC in the first information.
In some embodiments, the initial value of the terminal capability Counter_UC set by the terminal device may be 0x00 0x01, and correspondingly the initial value of the terminal capability Counter_UC stored in the second core network device may be 0x00 0x00.
In some embodiments, if the second core network device does not support the confidentiality protection algorithm indicated by the second indication information, the second core network device can terminate the indication procedure of the capability of the terminal device.
In some embodiments, if the value of the terminal capability Counter_UC reaches its maximum value, the second core network device can also terminate the indication procedure of the capability of the terminal device.
In the embodiment of the present application, the terminal capability Counter_UC is valid within the validity period of the security key corresponding to the terminal device.
It should be noted that, in the embodiments of the present application, the security key corresponds to the terminal device, and both the terminal device and the AUSF store the security key. Alternatively, the security key may be K_AUSF, or the SUPI of the terminal device and other information pre-agreed by the terminal device and the AUSF.
In summary, by receiving the first information and the identifier of the terminal device sent by the first core network device, whether the first information is tampered or not can be verified through the security information in the first information, so that the terminal device can resist sniffing, deleting or tampering of the information sent by the terminal device by the access network, safely indicate own capability information to the home network, protect information interaction security between the terminal device and the home network, and improve the security of the system.
Referring to fig. 9, fig. 9 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. It should be noted that, the method for indicating the capability of the terminal device in the embodiment of the present application is executed by the second core network device. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 9, the method may include the steps of:
Step 901, receiving first information and an identifier of a terminal device, where the first information is sent by a first core network device, the first information includes second indication information, and the second indication information indicates a security mechanism of integrity protection.
In the embodiment of the application, the second core network device can receive the first information and the identifier of the terminal device, which are sent by the first core network device, where the first information includes second indication information, and the second indication information indicates a security mechanism adopting integrity protection. The second core network device can receive the first information and the terminal device identifier sent by the first core network device, determine a security mechanism according to security information included in the first information, and verify whether the first information is tampered.
Optionally, the identifier of the terminal device is SUPI.
In the embodiment of the present application, the first core network device may be a unified data management UDM in the home network HPLMN, and the second core network device may be an authentication service function AUSF in the HPLMN.
In the embodiments of the present application, the first information includes first indication information, second indication information, a terminal capability Counter_UC and an integrity check code.
The first indication information is used to indicate the capability of the terminal device. The second indication information is used to indicate that the security mechanism adopted for the first indication information is the security mechanism of integrity protection, and to indicate the integrity protection algorithm used to generate the integrity check code. The terminal capability Counter_UC is a counter generated by the terminal device; it can be used to protect the integrity and confidentiality of the first information and can also be used to verify the freshness of the first information. Details of the terminal capability Counter_UC are described in other embodiments of the present application and are not repeated here.
Optionally, the first indication information is used for indicating UPU/SoR capability of the terminal device, and indicating whether the terminal device supports slice-based SoR information.
In an embodiment of the present application, the first indication information may include at least one of the following information:
UE parameter update UPU / steering of roaming SoR capability information of the terminal device;
location information of the terminal device;
network slice selection assistance information requested by the terminal device, Requested NSSAI.
Step 902, determining the security key K_AUSF corresponding to the terminal device stored in the second core network device according to the identifier of the terminal device.
In the embodiment of the present application, the second core network device AUSF may determine, according to the identifier of the terminal device, the security key K_AUSF corresponding to the terminal device that is stored in the AUSF.
Optionally, the identifier of the terminal device is SUPI.
Step 903, generating a new integrity check code from the security key K_AUSF, the terminal capability counter in the first information, the second indication information in the first information and the first indication information in the first information, using the integrity protection algorithm indicated by the second indication information.
In the embodiment of the present application, the second core network device determines that the value of the terminal capability Counter_UC in the received first information is greater than the value of the terminal capability Counter_UC stored in the second core network device.
In the embodiment of the present application, the second core network device generates a new integrity check code UC-MAC1-I'_UE from the stored security key K_AUSF, the terminal capability counter in the first information, the second indication information in the first information and the first indication information in the first information, using the integrity protection algorithm indicated by the second indication information.
In some embodiments, the key derivation function KDF may be used to generate the new integrity check code UC-MAC1-I'_UE.
Optionally, the input parameter KEY of the key derivation function KDF used to generate the new integrity check code is the security key K_AUSF. The input parameter S of the key derivation function KDF may include:
the code number FC of the key derivation function;
the parameter P0, which is the first indication information;
the parameter L0, which is the length of the data included in the parameter P0, that is, the length of the data of the first indication information;
the parameter P1, which is the terminal capability Counter_UC;
the parameter L1, which is the length of the terminal capability Counter_UC;
the parameter P2, which is the second indication information;
the parameter L2, which is the length of the data included in the parameter P2, that is, the length of the data of the second indication information.
Step 904, determining the consistency of the new integrity check code and the integrity check code in the first information.
In this embodiment of the present application, after the second core network device generates the new integrity check code, it may be determined whether the new integrity check code generated by itself is consistent with the integrity check code in the received first information. If so, step 905 is performed, and if not, step 906 is performed.
Step 905, sending the first indication information to the first core network device in response to the new integrity check code being consistent with the integrity check code in the first information.
In the embodiment of the present application, if the new integrity check code UC-MAC1-I'_UE generated by the second core network device is consistent with the integrity check code UC-MAC1-I_UE in the received first information, the first information has not been tampered with and is secure. The second core network device can send the first indication information in the first information to the first core network device. The first core network device can acquire the capability of the terminal device according to the first indication information.
Step 906, terminating the indication procedure of the capability of the terminal device in response to the new integrity check code being inconsistent with the integrity check code in the first information.
In the embodiment of the present application, if the new integrity check code UC-MAC1-I'_UE generated by the second core network device is inconsistent with the integrity check code UC-MAC1-I_UE in the received first information, the first information may have been tampered with and is not secure. The second core network device can terminate the procedure of capability indication of the terminal device.
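The verification flow of steps 901 to 906, together with the Counter_UC freshness and maximum-value checks described for fig. 8 and the preset-algorithm case of step 1003, as an added example that is not part of the patent. It assumes the 3GPP TS 33.220 KDF construction (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 || P2 || L2), a 2-byte Counter_UC, a placeholder FC value, a constructed second indication information value and truncation of the KDF output to its 128 least significant bits, none of which the patent specifies.

```python
import hmac
import hashlib

# Constructed values for this example; the patent does not fix any of them.
FC_UC_MAC = 0x7F                  # placeholder FC code for the KDF
SECOND_IND_HMAC_SHA256 = b"\x01"  # constructed value: integrity algorithm = HMAC-SHA-256 KDF
COUNTER_UC_MAX = 0xFFFF           # 2-byte Counter_UC (initial values 0x00 0x01 / 0x00 0x00)
UE_INITIAL_COUNTER = 0x0001
AUSF_INITIAL_COUNTER = 0x0000


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """KDF in the 3GPP TS 33.220 style (assumed; the patent only names the inputs):
    HMAC-SHA-256(KEY, S) with S = FC || P0 || L0 || P1 || L1 || ..., where each
    Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def uc_mac1_i(k_ausf: bytes, first_ind: bytes, counter_uc: int, second_ind) -> bytes:
    """UC-MAC1-I_UE with the parameter order of step 903: P0 = first indication
    information, P1 = Counter_UC, P2 = second indication information. With no
    second indication information (preset algorithm, step 1003) P2 is omitted.
    Keeping the 128 least significant bits of the KDF output is an assumption."""
    params = [first_ind, counter_uc.to_bytes(2, "big")]
    if second_ind is not None:
        params.append(second_ind)
    return kdf(k_ausf, FC_UC_MAC, *params)[-16:]


def ue_build_first_information(k_ausf: bytes, first_ind: bytes, counter_uc: int,
                               second_ind=SECOND_IND_HMAC_SHA256) -> dict:
    """Terminal side: first information = first indication information, optional
    second indication information, Counter_UC and the integrity check code."""
    return {"first_ind": first_ind, "second_ind": second_ind, "counter_uc": counter_uc,
            "mac": uc_mac1_i(k_ausf, first_ind, counter_uc, second_ind)}


class Ausf:
    """Second core network device: stores K_AUSF and the accepted Counter_UC per SUPI."""

    def __init__(self):
        self.keys = {}      # SUPI -> K_AUSF
        self.counters = {}  # SUPI -> last accepted Counter_UC

    def provision(self, supi: str, k_ausf: bytes):
        self.keys[supi] = k_ausf
        self.counters[supi] = AUSF_INITIAL_COUNTER

    def verify(self, supi: str, info: dict):
        """Steps 902 to 906 plus the freshness and counter-limit checks.
        Returns ("ok", first indication information) or ("terminated", None)."""
        # Step 902: K_AUSF is looked up by the SUPI forwarded by the UDM.
        k_ausf = self.keys.get(supi)
        if k_ausf is None:
            return ("terminated", None)
        # No second indication information means the preset algorithm; otherwise
        # the indicated algorithm must be one the AUSF supports.
        second_ind = info["second_ind"]
        if second_ind is not None and second_ind != SECOND_IND_HMAC_SHA256:
            return ("terminated", None)
        # Freshness: the received Counter_UC must exceed the stored one, and the
        # procedure stops once the counter reaches its maximum value.
        counter = info["counter_uc"]
        if counter <= self.counters[supi] or counter >= COUNTER_UC_MAX:
            return ("terminated", None)
        # Step 903: recompute UC-MAC1-I'_UE over the received fields.
        expected = uc_mac1_i(k_ausf, info["first_ind"], counter, second_ind)
        # Step 904: constant-time comparison; step 906 on mismatch.
        if not hmac.compare_digest(expected, info["mac"]):
            return ("terminated", None)
        # Step 905: store the accepted Counter_UC and release the first
        # indication information to the UDM.
        self.counters[supi] = counter
        return ("ok", info["first_ind"])


def demo():
    # Constructed sample data: a 32-byte K_AUSF, a SUPI and a one-byte capability
    # indication (constructed encoding: bit 0 set = supports slice-based SoR).
    k_ausf = bytes(range(32))
    supi = "imsi-001010123456789"
    first_ind = b"\x01"
    ausf = Ausf()
    ausf.provision(supi, k_ausf)
    genuine = ue_build_first_information(k_ausf, first_ind, UE_INITIAL_COUNTER)
    accepted = ausf.verify(supi, genuine)        # ("ok", b"\x01")
    replayed = ausf.verify(supi, genuine)        # ("terminated", None): stale Counter_UC
    # The access network changes the capability and bumps the counter but has no K_AUSF.
    tampered = dict(genuine, counter_uc=UE_INITIAL_COUNTER + 1, first_ind=b"\x00")
    forged = ausf.verify(supi, tampered)         # ("terminated", None): MAC mismatch
    preset = ue_build_first_information(k_ausf, first_ind, UE_INITIAL_COUNTER + 1, None)
    accepted_preset = ausf.verify(supi, preset)  # ("ok", b"\x01")
    return accepted, replayed, forged, accepted_preset


if __name__ == "__main__":
    print(demo())
```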
In summary, by receiving first information and an identifier of a terminal device sent by a first core network device, where the first information includes second indication information indicating a security mechanism of integrity protection; determining, according to the identifier of the terminal device, the security key K_AUSF corresponding to the terminal device stored in the second core network device; generating a new integrity check code from the security key K_AUSF, the terminal capability counter in the first information, the second indication information in the first information and the first indication information in the first information, using the integrity protection algorithm indicated by the second indication information; judging whether the new integrity check code is consistent with the integrity check code in the first information; sending the first indication information to the first core network device in response to the new integrity check code being consistent with the integrity check code in the first information; and terminating the indication procedure of the capability of the terminal device in response to the new integrity check code being inconsistent with the integrity check code in the first information, the terminal device can resist sniffing, deleting or tampering of the information sent by the terminal device by the access network, safely indicate its own capability information to the home network, protect the security of information interaction between the terminal device and the home network, and improve the security of the system.
Referring to fig. 10, fig. 10 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. It should be noted that, the method for indicating the capability of the terminal device in the embodiment of the present application is executed by the second core network device. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 10, the method may include the steps of:
Step 1001, receiving first information sent by a first core network device and an identifier of a terminal device, where the first information does not include second indication information.
In the embodiment of the present application, the second core network device may receive first information sent by the first core network device and an identifier of the terminal device, where the first information does not include the second indication information. The second core network device determines a security mechanism employing integrity protection. The second core network device can receive the first information and the terminal device identifier sent by the first core network device, determine a security mechanism according to security information included in the first information, and verify whether the first information is tampered.
Optionally, the identifier of the terminal device is SUPI.
In the embodiment of the present application, the first core network device may be a unified data management UDM in the home network HPLMN, and the second core network device may be an authentication service function AUSF in the HPLMN.
In this embodiment of the present application, the first information includes first indication information, a terminal capability Counter_UC and an integrity check code.
The first indication information is used to indicate the capability of the terminal device. The terminal capability Counter_UC is a counter generated by the terminal device; it can be used to protect the integrity and confidentiality of the first information and can also be used to verify the freshness of the first information. Details of the terminal capability Counter_UC are described in other embodiments of the present application and are not repeated here.
Optionally, the first indication information is used for indicating UPU/SoR capability of the terminal device, and indicating whether the terminal device supports slice-based SoR information.
In an embodiment of the present application, the first indication information may include at least one of the following information:
the parameter of the terminal equipment updates UPU/roaming guidance SoR capability information;
position information of the terminal device;
the terminal device requests network slice selection assistance information request-NSSAI.
Step 1002, determining, according to the identifier of the terminal device, the security key K_AUSF corresponding to the terminal device that is stored in the second core network device.
In the embodiment of the present application, the second core network device (AUSF) may determine, according to the identifier of the terminal device, the security key K_AUSF that it stores for the terminal device.
Optionally, the identifier of the terminal device is SUPI.
Step 1003, generating a new integrity check code with a preset integrity protection algorithm, based on the security key K_AUSF, the terminal capability Counter_UC in the first information and the first indication information in the first information.
In the embodiment of the application, the second core network device first checks that the value of the terminal capability Counter_UC in the received first information is greater than the value of the terminal capability Counter_UC it has stored; a value that is not greater fails the freshness check.
In the embodiment of the present application, the second core network device uses the stored security key K_AUSF, the terminal capability Counter_UC in the first information and the first indication information in the first information to generate a new integrity check code UC-MAC1-I'_UE with the preset integrity protection algorithm.
In some embodiments, a key derivation function KDF may be employed to generate the new integrity check code UC-MAC1-I'_UE.
Optionally, the input parameter KEY of the key derivation function KDF used to generate the new integrity check code is the security key K_AUSF. The input string S of the key derivation function KDF may include:
the function code FC of the key derivation function;
the parameter P0, which is the first indication information;
the parameter L0, which is the length of the data in P0, that is, the length of the first indication information;
the parameter P1, which is the terminal capability Counter_UC;
the parameter L1, which is the length of the terminal capability Counter_UC.
In this embodiment of the present application, the preset integrity protection algorithm may be specified by a protocol, or may be indicated by a network side.
Step 1004, determining the consistency of the new integrity check code and the integrity check code in the first information.
In this embodiment of the present application, after the second core network device generates the new integrity check code, it may be determined whether the new integrity check code generated by itself is consistent with the integrity check code in the received first information. If so, step 1005 is performed, and if not, step 1006 is performed.
Step 1005, in response to the new integrity check code being consistent with the integrity check code in the first information, sending the first indication information to the first core network device.
In the embodiment of the application, if the new integrity check code UC-MAC1-I'_UE generated by the second core network device is consistent with the integrity check code UC-MAC1-I_UE in the received first information, the first information has not been tampered with and is secure. The second core network device can then send the first indication information in the first information to the first core network device, and the first core network device can learn the capability of the terminal device from the first indication information.
Step 1006, in response to the new integrity check code being inconsistent with the integrity check code in the first information, terminating the indication process of the capability of the terminal device.
In the embodiment of the application, if the new integrity check code UC-MAC1-I'_UE generated by the second core network device is inconsistent with the integrity check code UC-MAC1-I_UE in the received first information, the first information may have been tampered with and is not secure. The second core network device then terminates the capability indication procedure of the terminal device.
In summary, the second core network device receives the first information and the identifier of the terminal device sent by the first core network device, where the first information does not include second indication information; determines, according to the identifier of the terminal device, the security key K_AUSF it stores for the terminal device; generates a new integrity check code with a preset integrity protection algorithm from the security key K_AUSF, the terminal capability Counter_UC in the first information and the first indication information in the first information; compares the new integrity check code with the integrity check code in the first information; sends the first indication information to the first core network device if they are consistent; and terminates the capability indication process of the terminal device if they are inconsistent. In this way the information sent by the terminal device resists deletion or tampering by the access network, the terminal device can securely indicate its capability information to the home network, the information exchange between the terminal device and the home network is protected and the security of the system is improved. Integrity protection alone leaves the content of the container readable to the access network; the embodiments that apply the integrity and confidentiality mechanism also protect it against sniffing.
Referring to fig. 11, fig. 11 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. It should be noted that the method for indicating the capability of the terminal device in this embodiment is executed by the second core network device. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 11, the method may include the following steps:
Step 1101, receiving first information and an identifier of a terminal device sent by a first core network device, where the first information includes second indication information, and the second indication information indicates a security mechanism that employs integrity and confidentiality protection.
In the embodiment of the application, the second core network device can receive the first information and the identifier of the terminal device sent by the first core network device. Since the first information includes second indication information indicating a security mechanism that employs integrity and confidentiality protection, the second core network device determines the security mechanism and the algorithms to apply from that second indication information, and then verifies whether the first information has been tampered with.
Optionally, the identifier of the terminal device is SUPI.
In the embodiment of the present application, the first core network device may be a unified data management UDM in the home network HPLMN, and the second core network device may be an authentication service function AUSF in the HPLMN.
In this embodiment of the present application, the first information includes first indication information, second indication information, a terminal capability Counter_UC and an integrity check code.
The first indication information is used to indicate the capability of the terminal device. The second indication information indicates that the security mechanism applied to the first indication information is integrity and confidentiality protection, and indicates the confidentiality protection algorithm applied to the first indication information and the integrity protection algorithm used to generate the integrity check code. The terminal capability Counter_UC is a counter generated by the terminal device; it is an input to the integrity and confidentiality protection of the first information and is also used to verify the freshness of the first information. Information related to the terminal capability Counter_UC is described in the other embodiments of the present application and is not repeated here.
Optionally, the first indication information is used to indicate the UPU/SoR capability of the terminal device and whether the terminal device supports slice-based SoR information.
In an embodiment of the present application, the first indication information may include at least one of the following:
UE parameter update (UPU) / steering of roaming (SoR) capability information of the terminal device;
location information of the terminal device;
the network slice selection assistance information requested by the terminal device (Requested NSSAI).
Step 1102, determining, according to the identifier of the terminal device, the security key K_AUSF corresponding to the terminal device that is stored in the second core network device.
In the embodiment of the present application, the second core network device (AUSF) may determine, according to the identifier of the terminal device, the security key K_AUSF that it stores for the terminal device.
Optionally, the identifier of the terminal device is SUPI.
Step 1103, generating a new integrity check code with the integrity protection algorithm indicated by the second indication information, based on the security key K_AUSF, the terminal capability Counter_UC in the first information, the second indication information in the first information and the encrypted first indication information in the first information.
In the embodiment of the application, the second core network device first checks that the value of the terminal capability Counter_UC in the received first information is greater than the value of the terminal capability Counter_UC it has stored; a value that is not greater fails the freshness check.
In the embodiment of the present application, the second core network device uses the stored security key K_AUSF, the terminal capability Counter_UC in the first information, the second indication information in the first information and the encrypted first indication information in the first information to generate a new integrity check code UC-MAC2-I'_UE with the integrity protection algorithm indicated by the second indication information.
In some embodiments, a key derivation function KDF may be employed to generate the new integrity check code UC-MAC2-I'_UE.
Optionally, the input parameter KEY of the key derivation function KDF used to generate the new integrity check code is the security key K_AUSF. The input string S of the key derivation function KDF may include:
the function code FC of the key derivation function;
the parameter P0, which is the first indication information as carried in the first information (that is, in its encrypted form);
the parameter L0, which is the length of the data in P0;
the parameter P1, which is the terminal capability Counter_UC;
the parameter L1, which is the length of the terminal capability Counter_UC;
the parameter P2, which is the second indication information;
the parameter L2, which is the length of the data in P2, that is, the length of the second indication information.
Step 1104, determining the consistency of the new integrity check code and the integrity check code in the first information.
In this embodiment of the present application, after the second core network device generates the new integrity check code, it may be determined whether the new integrity check code generated by itself is consistent with the integrity check code in the received first information. If so, step 1105 is performed, and if not, step 1106 is performed.
Step 1105, in response to the new integrity check code being consistent with the integrity check code in the first information, sending the first indication information to the first core network device.
Here the first indication information is obtained by decrypting the encrypted first indication information in the first information with the confidentiality protection algorithm indicated by the second indication information, based on the security key K_AUSF and the terminal capability Counter_UC.
It should be noted that the confidentiality protection algorithm may be one of the algorithms described in Annex D.1 of 3GPP TS 33.501; for the use and mode of operation of the encryption algorithm, reference may be made to Annex D.2 of 3GPP TS 33.501.
In the embodiment of the application, if the new integrity check code UC-MAC2-I'_UE generated by the second core network device is consistent with the integrity check code UC-MAC2-I_UE in the received first information, the first information has not been tampered with and is secure. The second core network device can then decrypt the first indication information and send it to the first core network device, and the first core network device can learn the capability of the terminal device from the first indication information.
In some embodiments, the second core network device is able to terminate the indication procedure of the terminal device capability if the second core network device does not support the confidentiality protection algorithm indicated by the second indication information.
Step 1106, in response to the new integrity check code being inconsistent with the integrity check code in the first information, terminating the indication process of the capability of the terminal device.
In the embodiment of the application, if the new integrity check code UC-MAC2-I'_UE generated by the second core network device is inconsistent with the integrity check code UC-MAC2-I_UE in the received first information, the first information may have been tampered with and is not secure. The second core network device then terminates the capability indication procedure of the terminal device without decrypting the first indication information.
In summary, the second core network device receives the first information and the identifier of the terminal device sent by the first core network device, where the first information includes second indication information indicating a security mechanism that employs integrity and confidentiality protection; determines, according to the identifier of the terminal device, the security key K_AUSF it stores for the terminal device; generates a new integrity check code with the integrity protection algorithm indicated by the second indication information from the security key K_AUSF, the terminal capability Counter_UC in the first information, the second indication information in the first information and the encrypted first indication information in the first information; compares the new integrity check code with the integrity check code in the first information; sends the first indication information to the first core network device if they are consistent; and terminates the capability indication process of the terminal device if they are inconsistent. In this way the information sent by the terminal device resists sniffing, deletion or tampering by the access network, the terminal device can securely indicate its capability information to the home network, the information exchange between the terminal device and the home network is protected and the security of the system is improved.
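The following is an added example, not code from the patent or from 3GPP, that runs the terminal-side protection of fig. 10 and fig. 11 and the AUSF-side verification of steps 1001 to 1006 and 1101 to 1106 on constructed input; steps 1 and 4 of the fig. 12 to 14 flows describe the same operations. The KDF is the HMAC-SHA-256 construction of 3GPP TS 33.220 over S = FC || P0 || L0 || P1 || L1 (|| P2 || L2), with the parameter order given above. Everything the page does not fix is an assumption and is marked as such in the code: the FC value 0x80, truncation of the check code to 128 bits, a 16-bit Counter_UC, the one-byte encoding of the second indication information, that the AUSF stores the accepted counter value, and an HMAC-based keystream standing in for the TS 33.501 Annex D confidentiality algorithms.

```python
"""Protection and verification of the terminal capability container.

Added example, not the patent's own code. Assumptions are marked inline.
"""
import hashlib
import hmac
import struct

MAC_LEN = 16               # assumption: 128-bit check code, as for SoR-MAC-IAUSF
FC_UC = 0x80               # hypothetical FC code for the UC-MAC derivation
SECOND_IND_CONF = b"\x01"  # hypothetical encoding: integrity + confidentiality (fig. 11/14)


def kdf(key, fc, *params):
    """TS 33.220-style KDF: HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 || ..."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))      # each Pi followed by its 2-byte length Li
    return hmac.new(key, s, hashlib.sha256).digest()


def uc_mac(k_ausf, counter, container, second_ind):
    """UC-MAC1-I (second_ind is None) or UC-MAC2-I (second_ind present).

    Parameter order follows the page: P0 = container (the ciphertext when
    confidentiality applies), P1 = Counter_UC, P2 = second indication information.
    """
    params = [container, counter]
    if second_ind is not None:
        params.append(second_ind)
    return kdf(k_ausf, FC_UC, *params)[-MAC_LEN:]   # 128 least significant bits (assumption)


def keystream(k_ausf, counter, length):
    """Stand-in confidentiality algorithm keyed by K_AUSF and Counter_UC.

    HMAC-SHA-256 in counter mode; NOT a TS 33.501 Annex D algorithm. A repeated
    Counter_UC would repeat the keystream, one reason the AUSF insists on a
    strictly increasing counter.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(k_ausf, b"UC-ENC" + counter + struct.pack(">I", block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ue_protect(k_ausf, counter_value, first_indication, confidentiality=False):
    """Terminal side: build the protected container (first information).

    counter_value is the fresh Counter_UC (assumed 16-bit big-endian on the wire).
    """
    counter = struct.pack(">H", counter_value)
    if not confidentiality:                      # fig. 10 / fig. 13: integrity only
        mac = uc_mac(k_ausf, counter, first_indication, None)
        return {"container": first_indication, "counter": counter,
                "second_ind": None, "mac": mac}
    enc = xor_bytes(first_indication, keystream(k_ausf, counter, len(first_indication)))
    mac = uc_mac(k_ausf, counter, enc, SECOND_IND_CONF)   # MAC is computed over the ciphertext
    return {"container": enc, "counter": counter,
            "second_ind": SECOND_IND_CONF, "mac": mac}


def ausf_verify(k_ausf, stored_counter, first_info):
    """AUSF side: freshness check, MAC recomputation, then optional decryption.

    Returns (first_indication, counter_to_store) on success and
    (None, stored_counter) when the procedure is terminated (steps 1006/1106).
    """
    counter_value = struct.unpack(">H", first_info["counter"])[0]
    if counter_value <= stored_counter:          # replayed or stale Counter_UC
        return None, stored_counter
    second_ind = first_info["second_ind"]
    expected = uc_mac(k_ausf, first_info["counter"], first_info["container"], second_ind)
    if not hmac.compare_digest(expected, first_info["mac"]):
        return None, stored_counter              # tampered: terminate
    if second_ind is None:
        return first_info["container"], counter_value
    if second_ind != SECOND_IND_CONF:
        return None, stored_counter              # unsupported confidentiality algorithm
    plain = xor_bytes(first_info["container"],
                      keystream(k_ausf, first_info["counter"], len(first_info["container"])))
    return plain, counter_value


if __name__ == "__main__":
    k_ausf = bytes(range(32))                               # constructed 256-bit K_AUSF
    capability = b"UPU/SoR:slice-based;loc=TAC1234"        # constructed first indication information
    info = ue_protect(k_ausf, 5, capability, confidentiality=True)
    print(ausf_verify(k_ausf, 4, info))                     # (capability, 5)
    print(ausf_verify(k_ausf, 5, info))                     # (None, 5): counter not fresh
```

ausf_verify returns None both when the counter is not strictly greater than the stored value and when the recomputed check code differs, which is the termination branch of steps 1006 and 1106; because the second indication information is itself an input to the MAC, changing the indicated algorithm in transit also fails the check, and decryption is only reached after the check code has matched.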
Referring to fig. 12, fig. 12 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 12, the method may include the steps of:
1. When roaming, the terminal device includes a new transparent container (first indication information) in the core network registration request when it performs an initial registration or when it wishes the HPLMN to learn of a change at the terminal device (e.g., a capability change or a request for a new network slice). This new container (first indication information) indicates the capabilities of the terminal device and indicates that the terminal device wants the UDM to provide it with information related to the subscribed/requested NSSAI in the current VPLMN and in the other VPLMNs available where the terminal device is currently located.
The transparent container (first indication information) is protected transparently to the AMF, i.e. the container is protected with home network security material, and the container (first indication information) includes: UPU/SoR capability information of the terminal device, location information of the terminal device, the Requested NSSAI of the terminal device, and the like.
In this embodiment the terminal device provides integrity protection only for the transparent container.
The terminal device generates an integrity check code UC-MAC1-I_UE from the security key K_AUSF corresponding to the terminal device, the terminal capability Counter_UC, the second indication information and the transparent container (first indication information).
The transparent container (first indication information) indicates the capability of the terminal device, and the second indication information indicates that the security mechanism applied to the first indication information is integrity protection and indicates the integrity protection algorithm used to generate the integrity check code.
The transparent container, the terminal capability Counter_UC, the second indication information and the integrity check code UC-MAC1-I_UE together form the protected container (first information).
2. The AMF transparently forwards the first information received from the terminal device to the UDM in an Nudm_UECM_Registration request. The AMF also sends the identity of the terminal device (e.g., the SUPI, or the SUCI sent by the UE) to the UDM.
3. The UDM sends the protected container (first information) of the terminal device and the SUPI of the terminal device to the AUSF.
4. The AUSF uses the SUPI of the terminal device to identify the security key K_AUSF corresponding to the terminal device. The AUSF determines from the second indication information whether the transparent container (first indication information) is encrypted. The AUSF checks whether the received terminal capability Counter_UC is fresh: it accepts only a terminal capability Counter_UC whose value is greater than the stored terminal capability Counter_UC.
The AUSF generates a new integrity check code from the security key K_AUSF, the received terminal capability Counter_UC, the received second indication information and the received transparent container (first indication information), using the integrity protection algorithm indicated by the second indication information, and compares it with the integrity check code in the first information. If the two are consistent, the AUSF sends the transparent container (first indication information) to the first core network device (the UDM); if they are inconsistent, the AUSF terminates the capability indication process of the terminal device.
5. The UDM obtains the terminal device capabilities from the transparent container (first indication information) and uses them to check whether the terminal device is able to process the additional information. If the terminal device supports the additional information, the UDM initiates a request to the SoR AF and indicates the terminal device capabilities in that request.
6. The UDM sends an Nsoraf_SoR_Get request (VPLMN ID, SUPI of the terminal device, access type (see 3GPP TS 29.571), subscribed S-NSSAIs, location of the terminal device, capability of the terminal device to receive enhanced information) to the SoR AF. The UDM also transparently passes the information contained in the transparent container (first indication information) that is relevant to the SoR AF, for consideration by the SoR AF.
7. The SoR AF creates slice-based SoR information, taking into account the information provided by the UDM and the availability of the subscribed S-NSSAIs (Single Network Slice Selection Assistance Information) in the possible VPLMNs. To create slice-based SoR information, the SoR AF scans the list of possible VPLMNs and determines, for each, the degree to which the subscribed NSSAIs are supported. The SoR AF may then order the information, for example, as follows:
VPLMNs that support all subscribed NSSAIs, in any order preferred by the HPLMN;
VPLMNs that support a subset of the subscribed NSSAIs, in any order preferred by the HPLMN;
other networks, listed by support of the subscribed NSSAI or of the Requested NSSAI, as less preferred by the HPLMN.
8. The SoR AF sends the slice-based SoR information to the UDM in the Nsoraf_SoR_Get response.
9. The HPLMN (or credentials holder, CH) sends the SoR information to the AMF in the access and mobility subscription data; the AMF is transparent to the content of this data.
10. The AMF forwards the steering of roaming (SoR) information in the Registration Accept according to the current specification.
11. The terminal device uses the slice-based SoR information; if not all slices required by the terminal device are included in the allowed NSSAI, the terminal device scans for VPLMNs supporting the S-NSSAIs that are not in the allowed NSSAI and selects and registers accordingly.
In summary, the method for indicating the capability of the terminal device provided by this embodiment provides a protection mechanism (integrity protection) for the terminal capability indication process, so that the information sent by the terminal device resists deletion or tampering by the access network, the terminal device can securely indicate its capability information to the home network, the information exchange between the terminal device and the home network is protected and the security of the system is improved. Integrity protection alone leaves the content of the container readable to the access network; the embodiments that apply the integrity and confidentiality mechanism also protect it against sniffing.
Referring to fig. 13, fig. 13 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 13, the method may include the steps of:
1. When roaming, the terminal device includes a new transparent container (first indication information) in the core network registration request when it performs an initial registration or when it wishes the HPLMN to learn of a change at the terminal device (e.g., a capability change or a request for a new network slice). This new container (first indication information) indicates the capabilities of the terminal device and indicates that the terminal device wants the UDM to provide it with information related to the subscribed/requested NSSAI in the current VPLMN and in the other VPLMNs available where the terminal device is currently located.
The transparent container (first indication information) is protected transparently to the AMF, i.e. the container is protected with home network security material, and the container (first indication information) includes: UPU/SoR capability information of the terminal device, location information of the terminal device, the Requested NSSAI of the terminal device, and the like.
In this embodiment the terminal device provides integrity protection only for the transparent container.
The terminal device generates an integrity check code UC-MAC1-I_UE with a preset integrity protection algorithm from the security key K_AUSF corresponding to the terminal device, the terminal capability Counter_UC and the transparent container (first indication information).
Here the transparent container (first indication information) indicates the capabilities of the terminal device.
The transparent container, the terminal capability Counter_UC and the integrity check code UC-MAC1-I_UE together form the protected container (first information).
2. The AMF transparently forwards the first information received from the terminal device to the UDM in an Nudm_UECM_Registration request. The AMF also sends the identity of the terminal device (e.g., the SUPI, or the SUCI sent by the UE) to the UDM.
3. The UDM sends the protected container (first information) of the terminal device and the SUPI of the terminal device to the AUSF.
4. The AUSF identifies the security key K_AUSF corresponding to the terminal device using the SUPI of the terminal device. Since the first information carries no second indication information, the AUSF determines that the transparent container (first indication information) is not encrypted and that the preset integrity protection algorithm applies. The AUSF checks whether the received terminal capability Counter_UC is fresh: it accepts only a terminal capability Counter_UC whose value is greater than the stored terminal capability Counter_UC.
The AUSF generates a new integrity check code from the security key K_AUSF, the received terminal capability Counter_UC and the received transparent container (first indication information), using the preset integrity protection algorithm, and compares it with the integrity check code in the first information. If the two are consistent, the AUSF sends the transparent container (first indication information) to the first core network device (the UDM); if they are inconsistent, the AUSF terminates the capability indication process of the terminal device.
5. The UDM obtains the terminal device capabilities from the transparent container (first indication information) and uses them to check whether the terminal device is able to process the additional information. If the terminal device supports the additional information, the UDM initiates a request to the SoR AF and indicates the terminal device capabilities in that request.
6. The UDM sends an Nsoraf_SoR_Get request (VPLMN ID, SUPI of the terminal device, access type (see 3GPP TS 29.571), subscribed S-NSSAIs, location of the terminal device, capability of the terminal device to receive enhanced information) to the SoR AF. The UDM also transparently passes the information contained in the transparent container (first indication information) that is relevant to the SoR AF, for consideration by the SoR AF.
7. The SoR AF creates slice-based SoR information, taking into account the information provided by the UDM and the availability of the subscribed S-NSSAIs (Single Network Slice Selection Assistance Information) in the possible VPLMNs. To create slice-based SoR information, the SoR AF scans the list of possible VPLMNs and determines, for each, the degree to which the subscribed NSSAIs are supported. The SoR AF may then order the information, for example, as follows:
VPLMNs that support all subscribed NSSAIs, in any order preferred by the HPLMN;
VPLMNs that support a subset of the subscribed NSSAIs, in any order preferred by the HPLMN;
other networks, listed by support of the subscribed NSSAI or of the Requested NSSAI, as less preferred by the HPLMN.
8. The SoR AF sends the slice-based SoR information to the UDM in the Nsoraf_SoR_Get response.
9. The HPLMN (or credentials holder, CH) sends the SoR information to the AMF in the access and mobility subscription data; the AMF is transparent to the content of this data.
10. The AMF forwards the steering of roaming (SoR) information in the Registration Accept according to the current specification.
11. The terminal device uses the slice-based SoR information; if not all slices required by the terminal device are included in the allowed NSSAI, the terminal device scans for VPLMNs supporting the S-NSSAIs that are not in the allowed NSSAI and selects and registers accordingly.
In summary, the method for indicating the capability of the terminal device provided by this embodiment provides a protection mechanism (integrity protection) for the terminal capability indication process, so that the information sent by the terminal device resists deletion or tampering by the access network, the terminal device can securely indicate its capability information to the home network, the information exchange between the terminal device and the home network is protected and the security of the system is improved. Integrity protection alone leaves the content of the container readable to the access network; the embodiments that apply the integrity and confidentiality mechanism also protect it against sniffing.
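The ranking performed by the SoR AF in step 7 and the reselection performed by the terminal device in step 11, as they appear in both the fig. 12 and fig. 13 flows, as an added example that is not the patent's or 3GPP's own logic. S-NSSAIs are modelled as (SST, SD) tuples, the third tier is taken to be the VPLMNs supporting none of the subscribed S-NSSAIs, and the slice-based SoR information is assumed to let the terminal device see which S-NSSAIs each listed VPLMN supports; all three are assumptions, as are the PLMN names and slice values in the constructed input.

```python
"""Slice-based SoR ordering (step 7) and terminal reselection (step 11).

Added example, not the patent's or 3GPP's own logic. S-NSSAIs are (SST, SD)
tuples; a VPLMN's "support" is the set of such tuples it advertises.
"""


def classify_vplmns(subscribed, vplmn_support, hplmn_preference):
    """SoR AF, step 7: tier candidate VPLMNs by degree of support of the
    subscribed S-NSSAIs. Within each tier the HPLMN's preferred order is kept,
    so the tiers are built by walking hplmn_preference once.
    """
    subscribed = frozenset(subscribed)
    full, partial, other = [], [], []
    for plmn in hplmn_preference:
        supported = frozenset(vplmn_support.get(plmn, ()))
        overlap = subscribed & supported
        if overlap == subscribed:
            full.append(plmn)          # supports every subscribed S-NSSAI
        elif overlap:
            partial.append(plmn)       # supports a strict subset
        else:
            other.append(plmn)         # assumption: "other networks" = no overlap
    return {"full": full, "partial": partial, "other": other}


def slice_based_sor_list(tiers):
    """Flatten the three tiers into the ordered list carried in the SoR information."""
    return tiers["full"] + tiers["partial"] + tiers["other"]


def ue_select_vplmn(required, allowed, sor_list, vplmn_support, current_plmn):
    """Terminal device, step 11: if some required S-NSSAI is outside the allowed
    NSSAI, pick the first VPLMN in SoR order that supports every missing S-NSSAI;
    otherwise keep the current registration.
    Assumption: the slice-based SoR information exposes per-VPLMN support.
    """
    missing = frozenset(required) - frozenset(allowed)
    if not missing:
        return current_plmn
    for plmn in sor_list:
        if missing <= frozenset(vplmn_support.get(plmn, ())):
            return plmn
    return current_plmn   # no candidate covers the missing slices; stay put


if __name__ == "__main__":
    # constructed S-NSSAIs (SST, SD) and constructed per-VPLMN support
    EMBB, URLLC, MIOT = (1, None), (2, None), (3, "000001")
    SUPPORT = {"VPLMN-A": {EMBB, URLLC, MIOT}, "VPLMN-B": {EMBB}, "VPLMN-C": {(4, None)}}
    tiers = classify_vplmns({EMBB, URLLC}, SUPPORT, ["VPLMN-B", "VPLMN-A", "VPLMN-C"])
    sor = slice_based_sor_list(tiers)
    print(sor)                                                            # ['VPLMN-A', 'VPLMN-B', 'VPLMN-C']
    print(ue_select_vplmn({EMBB, URLLC}, {EMBB}, sor, SUPPORT, "VPLMN-B"))  # VPLMN-A
```

The HPLMN preference list is walked once and each VPLMN is placed in exactly one tier, so the HPLMN's order survives inside each tier while full support always ranks above partial support; a terminal whose allowed NSSAI already covers everything it needs, or that finds no listed VPLMN covering the missing slices, does not move.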
Referring to fig. 14, fig. 14 is a flowchart of a method for indicating capability of a terminal device according to an embodiment of the present application. The method may be performed independently or in combination with any of the other embodiments of the present application. As shown in fig. 14, the method may include the steps of:
1. at roaming, the terminal device includes a new transparent container (first indication information) in the core network registration request when the terminal device performs an initial registration or when the terminal device wishes the HPLMN to know about a terminal device change (e.g., a terminal device capability change or a terminal device requesting a new network slice). This new container (first indication information) can indicate the capabilities of the terminal device, indicating that the terminal device wants the UDM to provide the terminal device with information related to the NSSAI of subscriptions/requests in the current VPLMN and in other VPLMNs where the terminal device is currently located.
The transparent container (first indication information) is protected (transparent to the AMF, i.e. the container is protected by the home network security information), and the container (first indication information) includes: UPU/SoR capability information of the terminal equipment, position information of the terminal equipment, requested-NSSAI of the terminal equipment, and the like.
The terminal device may determine to provide integrity and confidentiality protection to the transparent container.
The terminal device encrypts the transparent container (first indication information) according to the security key K_AUSF corresponding to the terminal device and the terminal capability counter Counter_UC, obtaining the encrypted transparent container (encrypted first indication information).
The terminal device generates an integrity check code UC-MAC2-I_UE according to the security key K_AUSF, the terminal capability counter Counter_UC, the second indication information and the encrypted transparent container (first indication information).
Here the transparent container (first indication information) indicates the capability of the terminal device, and the second indication information indicates that the first indication information adopts a security mechanism of integrity and confidentiality protection; it also indicates the confidentiality protection algorithm used to encrypt the transparent container (first indication information) and the integrity protection algorithm used to generate the integrity check code.
The encrypted transparent container, the terminal capability counter Counter_UC, the second indication information and the integrity check code UC-MAC2-I_UE together form the protected container (first information).
2. The AMF transparently forwards the first information received from the terminal device to the UDM in a Nudm_UECM_Registration request. The AMF also sends the identifier of the terminal device (e.g. the SUPI or SUCI of the UE) provided by the terminal device to the UDM.
3. The UDM sends the protected container (first information) of the terminal device and the SUPI of the terminal device to the AUSF.
4. The AUSF uses the SUPI of the terminal device to identify the security key K_AUSF corresponding to the terminal device. The AUSF determines from the second indication information whether the transparent container (first indication information) is encrypted. The AUSF checks whether the received terminal capability counter Counter_UC is fresh: it accepts only a Counter_UC value that is greater than the stored Counter_UC value.
The AUSF generates a new integrity check code according to the security key K_AUSF, the received terminal capability counter Counter_UC, the received second indication information and the received encrypted transparent container (first indication information), using the integrity protection algorithm indicated by the second indication information, and compares the new integrity check code with the integrity check code in the first information. If the two are identical, the AUSF decrypts the encrypted transparent container (first indication information) according to the security key K_AUSF and the received terminal capability counter Counter_UC, using the confidentiality protection algorithm indicated by the second indication information, obtains the transparent container (first indication information) and sends it to the first core network device. If the new integrity check code does not match the integrity check code in the first information, the capability indication procedure of the terminal device is terminated.
5. The UDM obtains the terminal device capabilities from the transparent container (first indication information) and uses them to check whether the terminal device is able to process additional information. If the terminal device supports additional information, the UDM initiates a request to the SoR AF and indicates the terminal device capabilities in that request.
6. The UDM sends a Nsoraf_SoR_Get request (VPLMN ID, SUPI of the terminal device, access type (see 3GPP TS 29.571), subscribed S-NSSAIs, location of the terminal device, capability of the terminal device to receive enhanced information) to the SoR AF. The UDM also transparently passes on the information contained in the transparent container (first indication information) that is relevant to the SoR AF, for the SoR AF to take into account.
7. The SoR AF creates slice-based SoR information, taking into account the information provided by the UDM and the availability of the subscribed S-NSSAIs (Single Network Slice Selection Assistance Information) in the candidate VPLMNs. To create the slice-based SoR information, the SoR AF scans the list of candidate VPLMNs and determines, for each VPLMN, the degree to which the subscribed NSSAI is supported. The SoR AF may then sort the information, for example as follows:
VPLMNs that support all subscribed S-NSSAIs, in the order preferred by the HPLMN;
VPLMNs that support a subset of the subscribed S-NSSAIs, in the order preferred by the HPLMN;
other networks that support the subscribed NSSAI or the requested NSSAI and are less preferred by the HPLMN.
8. The SoR AF sends the slice-based SoR information to the UDM in the Nsoraf_SoR_Get response.
9. The HPLMN (or CH) sends the SoR information in the Access and Mobility Subscription data; the content of such data is transparent to the AMF.
10. The AMF forwards the steering of roaming (SoR) information in the Registration Accept message according to the current specification.
11. The terminal device uses the slice-based SoR information: if not all slices required by the terminal device are included in the allowed NSSAI, the terminal device scans for VPLMNs that support the S-NSSAIs missing from the allowed NSSAI, and selects and registers with one accordingly.
In summary, the method for indicating the capability of a terminal device provided by the embodiments of the present application provides a protection mechanism (integrity and confidentiality protection) for the terminal capability indication procedure, so that the information sent by the terminal device can resist sniffing, deletion or tampering by the visited network. The terminal device can securely indicate its own capability information to the home network, the security of the information exchange between the terminal device and the home network is protected, and the security of the system is improved.
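The following is an added example, not code from the patent or from any 3GPP implementation, of the protected-container exchange in steps 1 to 4 above: the terminal device encrypts the container under K_AUSF and Counter_UC, adds the second indication information and the integrity check code UC-MAC2-I, the AMF and UDM forward the result unchanged, and the AUSF checks counter freshness, recomputes the check code and only then decrypts. The patent does not fix the algorithms or the wire layout, so the following are assumptions of the example: HMAC-SHA256 stands in for the integrity protection algorithm, an HMAC-derived keystream XORed onto the container stands in for the confidentiality protection algorithm, the second indication information is three bytes (mechanism, integrity algorithm, confidentiality algorithm), and the first information is laid out as Counter_UC (2 bytes), second indication (3 bytes), UC-MAC2-I (16 bytes), payload. All sample data is constructed.

```python
import hashlib
import hmac
import struct

# Assumed encoding of the second indication information (not fixed by the patent).
MECH_INTEGRITY = 0x01        # integrity protection only
MECH_INTEGRITY_CONF = 0x02   # integrity and confidentiality protection
ALG_INT_HMAC_SHA256 = 0x01   # assumed integrity protection algorithm identifier
ALG_CONF_HMAC_CTR = 0x01     # assumed confidentiality protection algorithm identifier
MAC_LEN = 16
HDR_LEN = 2 + 3 + MAC_LEN    # Counter_UC | second indication | UC-MAC2-I


class CapabilityIndicationError(Exception):
    """Raised on the AUSF side when the indication procedure must be terminated."""


def _keystream(k_ausf: bytes, counter: int, length: int) -> bytes:
    # Counter-mode keystream: Counter_UC is the nonce, so the same value must
    # never be used twice under one K_AUSF (hence the freshness check at the AUSF).
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(k_ausf, b"UC-CONF" + struct.pack(">HI", counter, block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _integrity_code(k_ausf: bytes, counter: int, second_ind: bytes, payload: bytes) -> bytes:
    # UC-MAC2-I covers Counter_UC, the second indication and the (encrypted)
    # container, so neither the counter nor the algorithm choice can be changed in transit.
    msg = struct.pack(">H", counter) + second_ind + payload
    return hmac.new(k_ausf, b"UC-INT" + msg, hashlib.sha256).digest()[:MAC_LEN]


def ue_protect(k_ausf: bytes, counter: int, container: bytes, confidentiality: bool = True) -> bytes:
    """Terminal device side: build the protected container (first information)."""
    if confidentiality:
        second_ind = bytes([MECH_INTEGRITY_CONF, ALG_INT_HMAC_SHA256, ALG_CONF_HMAC_CTR])
        payload = _xor(container, _keystream(k_ausf, counter, len(container)))
    else:
        second_ind = bytes([MECH_INTEGRITY, ALG_INT_HMAC_SHA256, 0x00])
        payload = container
    tag = _integrity_code(k_ausf, counter, second_ind, payload)
    return struct.pack(">H", counter) + second_ind + tag + payload


class Ausf:
    """AUSF side: key lookup by SUPI, counter freshness, check code, then decryption."""

    def __init__(self):
        self.keys = {}       # SUPI -> K_AUSF
        self.counters = {}   # SUPI -> highest accepted Counter_UC

    def verify(self, supi: str, first_info: bytes) -> bytes:
        k_ausf = self.keys.get(supi)
        if k_ausf is None or len(first_info) < HDR_LEN:
            raise CapabilityIndicationError("unknown SUPI or malformed first information")
        counter = struct.unpack(">H", first_info[:2])[0]
        second_ind = first_info[2:5]
        tag = first_info[5:HDR_LEN]
        payload = first_info[HDR_LEN:]
        # Freshness first: a replayed container never reaches the MAC computation.
        if counter <= self.counters.get(supi, -1):
            raise CapabilityIndicationError("stale Counter_UC (replay)")
        mech, int_alg, conf_alg = second_ind
        if int_alg != ALG_INT_HMAC_SHA256:
            raise CapabilityIndicationError("unsupported integrity protection algorithm")
        if mech == MECH_INTEGRITY_CONF and conf_alg != ALG_CONF_HMAC_CTR:
            raise CapabilityIndicationError("unsupported confidentiality protection algorithm")
        expected = _integrity_code(k_ausf, counter, second_ind, payload)
        if not hmac.compare_digest(expected, tag):
            raise CapabilityIndicationError("integrity check failed; indication terminated")
        self.counters[supi] = counter   # stored only after a successful check
        if mech == MECH_INTEGRITY_CONF:
            return _xor(payload, _keystream(k_ausf, counter, len(payload)))
        return payload


def demo() -> dict:
    """Constructed trace: an honest exchange, a tampered copy, a replay, a fresh retry."""
    supi = "imsi-001010123456789"
    k_ausf = hashlib.sha256(b"constructed K_AUSF for the example").digest()
    ausf = Ausf()
    ausf.keys[supi] = k_ausf
    container = b"UPU/SoR-cap=1;loc=TAC-1234;requested-NSSAI=01-000001,02-000002"
    results = {"roundtrip": ausf.verify(supi, ue_protect(k_ausf, 1, container)) == container}
    fresh = ue_protect(k_ausf, 2, container)
    tampered = fresh[:HDR_LEN] + bytes([fresh[HDR_LEN] ^ 0x01]) + fresh[HDR_LEN + 1:]
    try:
        ausf.verify(supi, tampered)
        results["tamper_detected"] = False
    except CapabilityIndicationError:
        results["tamper_detected"] = True
    try:
        ausf.verify(supi, ue_protect(k_ausf, 1, container))   # Counter_UC = 1 again
        results["replay_rejected"] = False
    except CapabilityIndicationError:
        results["replay_rejected"] = True
    results["fresh_accepted"] = ausf.verify(supi, fresh) == container
    results["stored_counter"] = ausf.counters[supi]
    return results
```

Two points the trace makes visible: the AUSF does not advance its stored Counter_UC when the check code fails, so the tampered copy with Counter_UC = 2 does not block the terminal device's genuine container with the same value; and because the counter feeds the keystream, a terminal that reused a counter value under the same K_AUSF would expose the XOR of two plaintext containers, which is why the counter is reset only when the key is renewed.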
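The following is an added example, not part of the patent, of the slice-based SoR information the SoR AF builds in step 7 and of the terminal device's use of it in step 11. The patent only sketches the three categories, so the grouping rule, the "SST-SD" spelling of S-NSSAI values, the representation of HPLMN preference as an ordered list of PLMN identifiers and all sample inputs are constructed for the example.

```python
def build_slice_based_sor(subscribed: set, requested: set, vplmn_support: dict, hplmn_preference: list) -> dict:
    """Group candidate VPLMNs by how much of the subscribed NSSAI each one supports.

    subscribed, requested : sets of S-NSSAI strings ("SST-SD", assumed spelling)
    vplmn_support         : PLMN id -> set of S-NSSAIs that VPLMN supports
    hplmn_preference      : PLMN ids the HPLMN prefers, most preferred first
    Returns "full" and "partial" lists in HPLMN order, plus "other" for networks the
    HPLMN prefers less that still support some subscribed or requested S-NSSAI.
    """
    full, partial, other = [], [], []
    for plmn in hplmn_preference:                    # preferred networks, in HPLMN order
        if plmn not in vplmn_support:
            continue
        supported = subscribed & vplmn_support[plmn]
        if supported == subscribed:
            full.append(plmn)
        elif supported:
            partial.append(plmn)
        elif requested & vplmn_support[plmn]:
            other.append(plmn)
    for plmn in sorted(vplmn_support):               # networks outside the preference list
        if plmn not in hplmn_preference and vplmn_support[plmn] & (subscribed | requested):
            other.append(plmn)
    return {"full": full, "partial": partial, "other": other}


def ue_select_vplmn(required: set, allowed_nssai: set, sor_info: dict, vplmn_support: dict):
    """Step 11: if the allowed NSSAI lacks a required slice, pick the first VPLMN in
    SoR order that supports every missing S-NSSAI; None means stay where we are."""
    missing = set(required) - set(allowed_nssai)
    if not missing:
        return None
    for plmn in sor_info["full"] + sor_info["partial"] + sor_info["other"]:
        if missing <= vplmn_support[plmn]:
            return plmn
    return None


# Constructed sample data for the example.
SUBSCRIBED = {"1-000001", "1-000002", "2-000003"}
REQUESTED = {"1-000001", "3-000009"}
VPLMN_SUPPORT = {
    "26201": {"1-000001", "1-000002", "2-000003", "4-000010"},
    "26202": {"1-000001"},
    "26203": {"3-000009"},
    "20801": {"1-000002", "3-000009"},
}
HPLMN_PREFERENCE = ["26202", "26201", "26203"]


def demo() -> dict:
    sor = build_slice_based_sor(SUBSCRIBED, REQUESTED, VPLMN_SUPPORT, HPLMN_PREFERENCE)
    return {
        "sor": sor,
        # registered in 26202 with only 1-000001 allowed, but 1-000002 is needed too
        "need_more_slices": ue_select_vplmn({"1-000001", "1-000002"}, {"1-000001"}, sor, VPLMN_SUPPORT),
        # the only network offering 3-000009 is the less preferred 26203
        "need_requested": ue_select_vplmn({"1-000001", "3-000009"}, {"1-000001"}, sor, VPLMN_SUPPORT),
        "satisfied": ue_select_vplmn({"1-000001"}, {"1-000001"}, sor, VPLMN_SUPPORT),
    }
```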
Corresponding to the terminal device capability indication methods provided in the foregoing embodiments, the present application further provides a terminal device capability indication apparatus. Since the apparatus provided in the embodiments of the present application corresponds to the method provided in the foregoing embodiments, the implementation of the method also applies to the apparatus provided in the following embodiments and is not described again in detail.
Referring to fig. 15, fig. 15 is a schematic structural diagram of a device for indicating capability of a terminal device according to an embodiment of the present application.
As shown in fig. 15, the terminal device capability indicating apparatus 1500 includes a transceiver unit 1510, wherein:
the transceiver unit 1510 is configured to send, through the access network, first information and/or an identifier of the terminal device to the first core network device;
the first information includes first indication information, which indicates the capabilities of the terminal device, and security information.
Optionally, the security information includes at least one of: the second indication information is used for indicating a security mechanism adopted by the first indication information; a terminal capability counter; an integrity check code.
Optionally, when the first indication information adopts a security mechanism of integrity protection, the security information includes the second indication information, the terminal capability counter and the integrity check code; the apparatus further includes a processing unit (not shown in the figure) configured to generate the integrity check code according to the security key corresponding to the terminal device, the terminal capability counter, the second indication information and the first indication information. The second indication information also indicates the integrity protection algorithm used to generate the integrity check code.
Optionally, when the first indication information adopts a security mechanism of integrity protection, the security information includes the terminal capability counter and the integrity check code; the apparatus further includes a processing unit (not shown in the figure) configured to generate the integrity check code with a preset integrity protection algorithm according to the security key K_AUSF corresponding to the terminal device, the terminal capability counter and the first indication information.
Optionally, when the first indication information adopts a security mechanism of integrity and confidentiality protection, the first information includes the encrypted first indication information and the security information, and the security information includes the second indication information, the terminal capability counter and the integrity check code; the apparatus further includes a processing unit (not shown in the figure) configured to encrypt the first indication information with the security key corresponding to the terminal device and the terminal capability counter, obtaining the encrypted first indication information, and to generate the integrity check code according to the security key, the terminal capability counter, the second indication information and the encrypted first indication information. The second indication information also indicates the confidentiality protection algorithm used to obtain the encrypted first indication information and the integrity protection algorithm used for the integrity check code.
Optionally, the processing unit is further configured to: and resetting the terminal capability counter to an initial value in response to the security key update.
Optionally, after generating the integrity check code according to the terminal capability counter, the processing unit is further configured to: the value of the terminal capability counter is updated.
Optionally, the processing unit is further configured to: responsive to the value of the terminal capability counter reaching an upper limit of the counting capability of the terminal capability counter, the indication of the capability of the terminal device to the first core network device is stopped.
Optionally, the terminal capability counter is valid during a validity period of the security key corresponding to the terminal device.
Optionally, the first core network device is a unified data management UDM.
Optionally, the first indication information includes at least one of: the UE parameter update (UPU)/steering of roaming (SoR) capability information of the terminal device; the location information of the terminal device; the network slice selection assistance information requested by the terminal device (requested NSSAI).
Optionally, the security key is K_AUSF, and the identifier of the terminal device is the subscription permanent identifier (SUPI) of the terminal device.
The terminal device capability indicating apparatus of this embodiment sends the first information and/or the identifier of the terminal device to the first core network device through the access network, so that the information sent by the terminal device can resist sniffing, deletion or tampering by the access network; the terminal device can securely indicate its own capability information to the home network, the security of the information exchange between the terminal device and the home network is protected, and the security of the system is improved.
Referring to fig. 16, fig. 16 is a schematic structural diagram of a device for indicating capability of a terminal device according to an embodiment of the present application.
As shown in fig. 16, the terminal device capability indicating apparatus 1600 includes a transceiver unit 1610, wherein:
the transceiver unit 1610 is configured to receive first information and/or an identifier of the terminal device sent by the terminal device through the access network;
the first information includes first indication information, which indicates the capabilities of the terminal device, and security information.
Optionally, the security information includes at least one of: the second indication information is used for indicating a security mechanism adopted by the first indication information; a terminal capability counter; an integrity check code.
Optionally, when the first indication information adopts a security mechanism of integrity protection, the security information includes the second indication information, the terminal capability counter and the integrity check code; the integrity check code is generated according to the security key corresponding to the terminal device, the terminal capability counter, the second indication information and the first indication information; the second indication information also indicates the integrity protection algorithm used to generate the integrity check code.
Optionally, when the first indication information adopts a security mechanism of integrity protection, the security information includes the terminal capability counter and the integrity check code; the integrity check code is generated with a preset integrity protection algorithm according to the security key corresponding to the terminal device, the terminal capability counter and the first indication information.
Optionally, when the first indication information adopts a security mechanism of integrity and confidentiality protection, the first information includes the encrypted first indication information and the security information, and the security information includes the second indication information, the terminal capability counter and the integrity check code; the encrypted first indication information is obtained by encrypting the first indication information with the security key corresponding to the terminal device and the terminal capability counter; the integrity check code is generated according to the security key, the terminal capability counter, the second indication information and the encrypted first indication information; the second indication information also indicates the confidentiality protection algorithm used to obtain the encrypted first indication information and the integrity protection algorithm used for the integrity check code.
Optionally, the transceiver 1610 is further configured to: transmitting the first information and the identification of the terminal equipment to second core network equipment;
the integrity check code is used for verifying whether the first indication information is tampered or not by the second core network device.
Optionally, the transceiver 1610 is further configured to: and receiving the verified first indication information sent by the second core network equipment.
Optionally, the first core network device is a unified data management UDM, and the second core network device is an authentication service function AUSF.
Optionally, the first indication information includes at least one of: the UE parameter update (UPU)/steering of roaming (SoR) capability information of the terminal device; the location information of the terminal device; the network slice selection assistance information requested by the terminal device (requested NSSAI).
Optionally, the security key is K_AUSF, and the identifier of the terminal device is the subscription permanent identifier (SUPI) of the terminal device.
The terminal device capability indicating apparatus of this embodiment receives the first information and the identifier of the terminal device sent by the terminal device through the access network, so that the information sent by the terminal device can resist sniffing, deletion or tampering by the access network; the terminal device can securely indicate its own capability information to the home network, the security of the information exchange between the terminal device and the home network is protected, and the security of the system is improved.
Referring to fig. 17, fig. 17 is a schematic structural diagram of a device for indicating capability of a terminal device according to an embodiment of the present application.
As shown in fig. 17, the terminal device capability indicating apparatus 1700 includes a transceiver unit 1710, wherein:
the transceiver unit 1710 is configured to receive first information and an identifier of a terminal device sent by a first core network device;
the first information includes first indication information, which indicates the capabilities of the terminal device, and security information.
Optionally, the security information includes at least one of: the second indication information is used for indicating a security mechanism adopted by the first indication information; a terminal capability counter; an integrity check code.
Optionally, when the security information includes the second indication information and the second indication information indicates that the first indication information adopts a security mechanism of integrity protection, the apparatus further includes a processing unit (not shown in the figure) configured to: determine, according to the identifier of the terminal device, the security key corresponding to the terminal device stored in the second core network device; generate a new integrity check code with the integrity protection algorithm indicated by the second indication information, according to the security key, the terminal capability counter in the security information, the second indication information in the security information and the first indication information in the first information; and compare the new integrity check code with the integrity check code in the security information.
Optionally, the transceiver unit 1710 is further configured to: send the first indication information to the first core network device when the new integrity check code matches the integrity check code in the security information; and terminate the capability indication procedure of the terminal device when the new integrity check code does not match the integrity check code in the security information.
Optionally, when the security information does not include the second indication information, the apparatus further includes a processing unit (not shown in the figure) configured to: determine, according to the identifier of the terminal device, the security key corresponding to the terminal device stored in the second core network device; generate a new integrity check code with a preset integrity protection algorithm, according to the security key, the terminal capability counter in the security information and the first indication information in the first information; and compare the new integrity check code with the integrity check code in the security information.
Optionally, the transceiver unit 1710 is further configured to: send the first indication information to the first core network device when the new integrity check code matches the integrity check code in the security information; and terminate the capability indication procedure of the terminal device when the new integrity check code does not match the integrity check code in the security information.
Optionally, when the security information includes the second indication information and the second indication information indicates that the first indication information adopts a security mechanism of integrity and confidentiality protection, the apparatus further includes a processing unit (not shown in the figure) configured to: determine, according to the identifier of the terminal device, the security key corresponding to the terminal device stored in the second core network device; generate a new integrity check code with the integrity protection algorithm indicated by the second indication information, according to the security key, the terminal capability counter in the security information, the second indication information in the security information and the encrypted first indication information in the first information; and compare the new integrity check code with the integrity check code in the security information.
Optionally, the transceiver unit 1710 is further configured to: send the first indication information to the first core network device when the new integrity check code matches the integrity check code in the security information, the first indication information being obtained by decrypting the encrypted first indication information with the confidentiality protection algorithm indicated by the second indication information; and terminate the capability indication procedure of the terminal device when the new integrity check code does not match the integrity check code in the security information.
Optionally, the processing unit is further configured to generate the new integrity check code only when the value of the terminal capability counter in the first information is greater than the value of the terminal capability counter stored in the second core network device.
Optionally, when the new integrity check code matches the integrity check code in the first information, the processing unit is further configured to store the value of the terminal capability counter in the first information.
Optionally, the processing unit is further configured to terminate the capability indication procedure of the terminal device when the second core network device does not support the confidentiality protection algorithm indicated by the second indication information.
Optionally, the processing unit is further configured to stop the capability indication of the terminal device when the value of the terminal capability counter reaches the upper limit of the counting capability of the terminal capability counter.
Optionally, the terminal capability counter is valid during the validity period of the security key corresponding to the terminal device.
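The following is an added example, not code from the patent, of the terminal capability counter rules collected in the apparatus embodiments of fig. 15 and fig. 17: the terminal device consumes one Counter_UC value per integrity check code and then advances it, resets it to the initial value when the security key is renewed, and stops indicating when the counter is exhausted; the second core network device accepts only a value greater than the one it stored and stores the new value only after a successful check. One design choice is an assumption of the example rather than something the patent states: the AUSF keeps its stored counter together with a key-generation identifier, because the counter is only valid for the lifetime of K_AUSF and a legitimate reset to the initial value after re-authentication must not be mistaken for a replay. The 16-bit counter width and the sample trace are likewise constructed.

```python
COUNTER_INITIAL = 0
COUNTER_MAX = 0xFFFF   # assumed 16-bit Counter_UC


class UeCounter:
    """Terminal device side of Counter_UC: one value per protected container, reset on key update."""

    def __init__(self, key_generation: int, max_value: int = COUNTER_MAX):
        self.key_generation = key_generation   # identifies the current K_AUSF (assumed)
        self.max_value = max_value
        self.value = COUNTER_INITIAL

    def on_key_update(self, new_key_generation: int) -> None:
        # A renewed K_AUSF opens a fresh counter space, so the reset is safe.
        self.key_generation = new_key_generation
        self.value = COUNTER_INITIAL

    def next_indication(self):
        """(key generation, Counter_UC) for the next container, or None once exhausted.

        The value is consumed before it is advanced, and the terminal stops rather
        than wrapping: a wrapped counter would reuse a (K_AUSF, Counter_UC) pair.
        """
        if self.value > self.max_value:
            return None
        used = (self.key_generation, self.value)
        self.value += 1
        return used


class AusfCounterStore:
    """AUSF side: highest accepted Counter_UC per SUPI, bound to the key generation."""

    def __init__(self):
        self.stored = {}   # SUPI -> (key_generation, highest accepted counter or None)

    def on_key_update(self, supi: str, key_generation: int) -> None:
        # Assumption: the AUSF learns the new key generation when it derives the
        # new K_AUSF at (re)authentication and discards the old counter with it.
        self.stored[supi] = (key_generation, None)

    def accept(self, supi: str, key_generation: int, counter: int) -> bool:
        """Freshness decision made before the integrity check code is recomputed."""
        gen, last = self.stored.get(supi, (None, None))
        if gen != key_generation:
            return False   # protected under a K_AUSF the AUSF does not (or no longer) hold
        if last is not None and counter <= last:
            return False   # not fresh: replay or out-of-order delivery
        self.stored[supi] = (gen, counter)   # store only after acceptance
        return True


def demo() -> list:
    """Constructed trace: normal use, exhaustion, replay, key update, stale key."""
    supi = "imsi-001010123456789"
    ue = UeCounter(key_generation=1, max_value=3)   # tiny limit to show exhaustion
    ausf = AusfCounterStore()
    ausf.on_key_update(supi, 1)
    trace = []
    for _ in range(5):
        ind = ue.next_indication()
        if ind is None:
            trace.append("stopped")
            break
        trace.append(ausf.accept(supi, *ind))
    trace.append(ausf.accept(supi, 1, 0))      # replay of the first value
    ue.on_key_update(2)                         # re-authentication on both sides
    ausf.on_key_update(supi, 2)
    trace.append(ausf.accept(supi, *ue.next_indication()))   # reset to 0 is accepted
    trace.append(ausf.accept(supi, 1, 3))      # late container under the old key
    return trace
```

Binding the stored value to the key generation is what lets the AUSF tell a post-re-authentication reset (accepted) from a replay of an earlier container (rejected); without that binding the "greater than the stored value" rule alone would block every terminal after its first key renewal.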
Optionally, the first core network device is a unified data management UDM, and the second core network device is an authentication service function AUSF.
Optionally, the first indication information includes at least one of: the UE parameter update (UPU)/steering of roaming (SoR) capability information of the terminal device; the location information of the terminal device; the network slice selection assistance information requested by the terminal device (requested NSSAI).
Optionally, the security key is K_AUSF, and the identifier of the terminal device is the subscription permanent identifier (SUPI) of the terminal device.
The terminal device capability indicating apparatus of this embodiment receives the first information and the identifier of the terminal device sent by the first core network device and uses the security information in the first information to verify whether the first information has been tampered with, so that the information sent by the terminal device can resist sniffing, deletion or tampering by the access network; the terminal device can securely indicate its own capability information to the home network, the security of the information exchange between the terminal device and the home network is protected, and the security of the system is improved.
Referring to fig. 18, fig. 18 is a schematic diagram of a communication system according to an embodiment of the present application.
As shown in fig. 18, the communication system includes: a first core network device and a second core network device, wherein:
the first core network device is configured to receive first information and/or an identifier of the terminal device sent by the terminal device through the access network, and to send the first information and the identifier of the terminal device to the second core network device;
the second core network device is configured to receive the first information and the identifier of the terminal device, verify the first information, and send the first indication information in the verified first information to the first core network device.
Optionally, the first information includes first indication information and security information, the security information including at least one of: second indication information indicating the security mechanism adopted by the first indication information; a terminal capability counter; an integrity check code.
Optionally, the first indication information includes at least one of: the UE parameter update (UPU)/steering of roaming (SoR) capability information of the terminal device; the location information of the terminal device; the network slice selection assistance information requested by the terminal device (requested NSSAI).
In order to achieve the foregoing embodiments, embodiments of the present application further provide a communication device, including: a processor and a memory in which a computer program is stored, the processor executing the computer program stored in the memory to cause the apparatus to perform the method shown in the embodiments of fig. 2 to 5.
In order to achieve the foregoing embodiments, embodiments of the present application further provide a communication device, including: a processor and a memory, in which a computer program is stored, the processor executing the computer program stored in the memory to cause an apparatus to perform the method shown in the embodiments of fig. 6 to 7 or to perform the method shown in the embodiments of fig. 8 to 11.
In order to achieve the foregoing embodiments, embodiments of the present application further provide a communication device, including: a processor and interface circuitry for receiving code instructions and transmitting to the processor, the processor for executing the code instructions to perform the methods illustrated in the embodiments of fig. 2-5.
In order to achieve the foregoing embodiments, embodiments of the present application further provide a communication device, including: a processor and interface circuitry for receiving code instructions and transmitting to the processor, the processor for executing the code instructions to perform the methods illustrated in the embodiments of fig. 6-7 or to perform the methods illustrated in the embodiments of fig. 8-11.
Referring to fig. 19, fig. 19 is a schematic structural diagram of another capability indicating device of a terminal device according to an embodiment of the present application. The terminal device capability indicating apparatus 1900 may be a network device, a terminal device, a chip system, a processor or the like that supports the network device to implement the method, or a chip, a chip system, a processor or the like that supports the terminal device to implement the method. The device can be used for realizing the method described in the method embodiment, and can be particularly referred to the description in the method embodiment.
The terminal device capability indication apparatus 1900 may include one or more processors 1901. The processor 1901 may be a general purpose processor or a special purpose processor, etc. For example, a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data, and the central processor may be used to control terminal device capability indicating devices (e.g., base station, baseband chip, terminal device chip, DU or CU, etc.), execute computer programs, and process data of the computer programs.
Optionally, the terminal device capability indicating apparatus 1900 may further include one or more memories 1902, on which a computer program 1903 may be stored, and the processor 1901 executes the computer program 1903, so that the terminal device capability indicating apparatus 1900 performs the method described in the above method embodiments. The computer program 1903 may be solidified in the processor 1901, in which case the processor 1901 may be implemented by hardware.
Optionally, the memory 1902 may also have data stored therein. The terminal device capability indication apparatus 1900 and the memory 1902 may be provided separately or may be integrated.
Optionally, the terminal device capability indicating apparatus 1900 may further include a transceiver 1905 and an antenna 1906. The transceiver 1905 may be referred to as a transceiver unit, a transceiver circuit, or the like, for implementing a transceiver function. The transceiver 1905 may include a receiver, which may be referred to as a receiver or a receiving circuit, etc., for implementing a receiving function; the transmitter may be referred to as a transmitter or a transmitting circuit, etc., for implementing a transmitting function.
Optionally, one or more interface circuits 1907 may also be included in the terminal device capability indication apparatus 1900. The interface circuit 1907 is configured to receive code instructions and transmit the code instructions to the processor 1901. The processor 1901 executes code instructions to cause the terminal device capability indication apparatus 1900 to perform the method described in the method embodiments above.
In one implementation, a transceiver for implementing receive and transmit functions may be included in processor 1901. For example, the transceiver may be a transceiver circuit, or an interface circuit. The transceiver circuitry, interface or interface circuitry for implementing the receive and transmit functions may be separate or may be integrated. The transceiver circuit, interface or interface circuit may be used for reading and writing codes/data, or the transceiver circuit, interface or interface circuit may be used for transmitting or transferring signals.
In one implementation, the terminal device capability indication apparatus 1900 may include circuitry that may implement the functions of transmitting or receiving or communicating in the foregoing method embodiments. The processors and transceivers described herein may be implemented on integrated circuits (integrated circuit, ICs), analog ICs, radio frequency integrated circuits RFICs, mixed signal ICs, application specific integrated circuits (application specific integrated circuit, ASIC), printed circuit boards (printed circuit board, PCB), electronic devices, and the like. The processor and transceiver may also be fabricated using a variety of IC process technologies such as complementary metal oxide semiconductor (complementary metal oxide semiconductor, CMOS), N-type metal oxide semiconductor (NMOS), P-type metal oxide semiconductor (positive channel metal oxide semiconductor, PMOS), bipolar junction transistor (bipolar junction transistor, BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
The terminal device capability indicating apparatus in the above embodiment description may be a network device or a terminal device, but the scope of the terminal device capability indicating apparatus described in the present application is not limited thereto, and the structure of the terminal device capability indicating apparatus may not be limited by fig. 15 to 17. The terminal device capability indication means may be a stand alone device or may be part of a larger device. For example, the terminal device capability indication means may be:
(1) A stand-alone integrated circuit IC, or chip, or a system-on-a-chip or subsystem;
(2) A set of one or more ICs, optionally including storage means for storing data, a computer program;
(3) An ASIC, such as a Modem (Modem);
(4) Modules that may be embedded within other devices;
(5) A receiver, a terminal device, an intelligent terminal device, a cellular phone, a wireless device, a handset, a mobile unit, a vehicle-mounted device, a network device, a cloud device, an artificial intelligent device, and the like;
(6) Other devices, and so on.
For the case where the terminal device capability indication apparatus is a chip or a chip system, reference may be made to the schematic structural diagram of the chip shown in fig. 20. The chip shown in fig. 20 includes a processor 2001 and an interface 2002. The number of processors 2001 may be one or more, and the number of interfaces 2002 may be more than one.
For the case where the chip is used to implement the functions of the network device in the embodiments of the present application:
the interface 2002 is configured to receive code instructions and transmit them to the processor;
the processor 2001 is configured to execute the code instructions to perform the methods of figs. 6-7, or to perform the methods of figs. 8-11.
For the case where the chip is used to implement the functions of the terminal device in the embodiments of the present application:
the interface 2002 is configured to receive code instructions and transmit them to the processor;
the processor 2001 is configured to execute the code instructions to perform the methods of figs. 2-5.
Optionally, the chip further comprises a memory 2003, the memory 2003 being used for storing the necessary computer programs and data.
Those of skill would further appreciate that the various illustrative logical blocks and steps described in connection with the embodiments herein may be implemented as electronic hardware, computer software, or a combination of both. Whether such functionality is implemented as hardware or software depends upon the particular application and the design requirements of the overall system. Those skilled in the art may implement the functionality in a variety of ways for each particular application, but such implementation should not be regarded as going beyond the scope of the embodiments of the present application.
The embodiment of the application also provides a communication system, which comprises the terminal equipment capability indicating device as the terminal equipment in the embodiment of fig. 15-17, or comprises the terminal equipment capability indicating device as the terminal equipment in the embodiment of fig. 19.
The present application also provides a readable storage medium having instructions stored thereon which, when executed by a computer, perform the functions of any of the method embodiments described above.
The present application also provides a computer program product which, when executed by a computer, implements the functions of any of the method embodiments described above.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer programs. When the computer program is loaded and executed on a computer, the flows or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer program may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example from a website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) connection. A computer readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a high-density digital video disc (DVD)), a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
Those of ordinary skill in the art will appreciate that the numbers "first", "second", etc. referred to in this application are merely for convenience of description and are neither intended to limit the scope of the embodiments of the present application nor to indicate an order.
"At least one" in the present application may also be described as "one or more", and "a plurality" may be two, three, four or more; the present application is not limited thereto. In the embodiments of the present application, technical features of one kind are distinguished by "first", "second", "third", "A", "B", "C" and "D", and the technical features so described are in no particular order and in no order of magnitude.
The correspondence relationships shown in the tables in the present application may be configured or predefined. The values of the information in each table are merely examples and may be configured as other values, which is not limited in this application. When configuring the correspondence between information and parameters, it is not necessarily required to configure all the correspondences shown in each table. For example, the correspondence shown by some rows of a table in the present application may not be configured. For another example, appropriate adaptations such as splitting or merging may be made based on the tables described above. The names of the parameters indicated in the tables may be other names understood by the communication device, and the values or expressions of the parameters may be other values or expressions understood by the communication device. When the tables are implemented, other data structures may be used, for example an array, a queue, a container, a stack, a linear table, a pointer, a linked list, a tree, a graph, a structure, a class, a heap, or a hash table.
"Predefined" in this application may be understood as defined, predefined, stored, pre-negotiated, pre-configured, hard-coded, or burned in.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the embodiments of the present application may be performed in parallel, sequentially, or in a different order, so long as the desired result of the technical solution disclosed in the present application can be achieved, which is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Claims (45)
- A method of indicating the capability of a terminal device, the method being performed by the terminal device and comprising: sending first information and/or an identification of the terminal device to a first core network device through an access network; the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
- The method of claim 1, wherein the security information comprises at least one of: second indication information, used for indicating the security mechanism adopted for the first indication information; a terminal capability counter; an integrity check code.
- The method of claim 2, wherein, in response to the first indication information adopting a security mechanism of integrity protection, the security information includes the second indication information, the terminal capability counter and the integrity check code, and the method further comprises: generating the integrity check code according to the security key corresponding to the terminal device, the terminal capability counter, the second indication information and the first indication information; the second indication information is further used for indicating the integrity protection algorithm adopted for generating the integrity check code.
- The method of claim 2, wherein, in response to the first indication information adopting a security mechanism of integrity protection, the security information includes the terminal capability counter and the integrity check code, and the method further comprises: generating the integrity check code with an integrity protection algorithm according to the security key corresponding to the terminal device, the terminal capability counter and the first indication information.
- The method of claim 2, wherein, in response to the first indication information adopting a security mechanism of integrity and confidentiality protection, the first information includes the encrypted first indication information and the security information, the security information includes the second indication information, the terminal capability counter and the integrity check code, and the method further comprises: encrypting the first indication information with the security key corresponding to the terminal device and the terminal capability counter to obtain the encrypted first indication information; generating the integrity check code according to the security key, the terminal capability counter, the second indication information and the encrypted first indication information; the second indication information is further used for indicating the confidentiality protection algorithm adopted for the encrypted first indication information and the integrity protection algorithm adopted for the integrity check code.
- The method according to any one of claims 3-5, further comprising: resetting the terminal capability counter to an initial value in response to an update of the security key.
- The method according to any one of claims 3-5, wherein, after generating the integrity check code from the terminal capability counter, the method further comprises: updating the value of the terminal capability counter.
- The method of claim 7, further comprising: stopping indicating the capability of the terminal device to the first core network device in response to the value of the terminal capability counter reaching the upper limit of the counting capability of the terminal capability counter.
- The method according to any one of claims 6-8, wherein the terminal capability counter is valid during the validity period of the security key corresponding to the terminal device.
- The method according to any one of claims 1-9, wherein the first core network device is a unified data management, UDM.
- The method according to any one of claims 1-9, wherein the first indication information comprises at least one of: UE parameters update (UPU)/steering of roaming (SoR) capability information of the terminal device; location information of the terminal device; the network slice selection assistance information requested by the terminal device, requested NSSAI.
- The method according to any one of claims 1-9, wherein the security key is K_AUSF or the user permanent identifier SUPI of the terminal device.
- A method for indicating the capability of a terminal device, the method being performed by a first core network device and comprising: receiving first information and/or an identification of the terminal device, sent by the terminal device through an access network; the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
- The method of claim 13, wherein the security information comprises at least one of: second indication information, used for indicating the security mechanism adopted for the first indication information; a terminal capability counter; an integrity check code.
- The method of claim 14, wherein, in response to the first indication information adopting a security mechanism of integrity protection, the security information comprises the second indication information, the terminal capability counter and the integrity check code; the integrity check code is generated according to the security key corresponding to the terminal device, the terminal capability counter, the second indication information and the first indication information; the second indication information is further used for indicating the integrity protection algorithm adopted for generating the integrity check code.
- The method of claim 14, wherein, in response to the first indication information adopting a security mechanism of integrity protection, the security information comprises the terminal capability counter and the integrity check code; the integrity check code is generated with an integrity protection algorithm according to the security key corresponding to the terminal device, the terminal capability counter and the first indication information.
- The method of claim 14, wherein, in response to the first indication information adopting a security mechanism of integrity and confidentiality protection, the first information comprises the encrypted first indication information and the security information, and the security information comprises the second indication information, the terminal capability counter and the integrity check code; the encrypted first indication information is obtained by encrypting the first indication information with the security key K_AUSF corresponding to the terminal device and the terminal capability counter; the integrity check code is generated according to the security key, the terminal capability counter, the second indication information and the encrypted first indication information; the second indication information is further used for indicating the confidentiality protection algorithm adopted for the encrypted first indication information and the integrity protection algorithm adopted for the integrity check code.
- The method according to any one of claims 15-17, further comprising: transmitting the first information and the identification of the terminal device to a second core network device of the home network; the integrity check code is used by the second core network device to verify whether the first indication information has been tampered with.
- The method of claim 18, further comprising: receiving the verified first indication information sent by the second core network device.
- The method according to any one of claims 13-19, wherein the first core network device is a unified data management, UDM, and the second core network device is an authentication service function, AUSF.
- The method according to any one of claims 13-19, wherein the first indication information comprises at least one of: UE parameters update (UPU)/steering of roaming (SoR) capability information of the terminal device; location information of the terminal device; the network slice selection assistance information requested by the terminal device, requested NSSAI.
- The method according to any one of claims 13-19, wherein the security key is K_AUSF or the user permanent identifier SUPI of the terminal device.
- A method for indicating the capability of a terminal device, the method being performed by a second core network device and comprising: receiving first information and an identification of the terminal device, the first information and the identification being sent by a first core network device; the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
- The method of claim 23, wherein the security information comprises at least one of: second indication information, used for indicating the security mechanism adopted for the first indication information; a terminal capability counter; an integrity check code.
- The method of claim 24, wherein, in response to the security information including the second indication information and the second indication information indicating that the first indication information adopts a security mechanism of integrity protection, the method further comprises: determining, according to the identification of the terminal device, the security key corresponding to the terminal device stored in the second core network device; generating a new integrity check code with the integrity protection algorithm indicated by the second indication information, according to the security key, the terminal capability counter in the security information, the second indication information in the security information and the first indication information in the first information; determining whether the new integrity check code is consistent with the integrity check code in the first information.
- The method of claim 25, further comprising: transmitting the first indication information to the first core network device in response to the new integrity check code being consistent with the integrity check code in the first information; terminating the procedure for indicating the capability of the terminal device in response to the new integrity check code not being consistent with the integrity check code in the first information.
- The method of claim 24, wherein, in response to the second indication information not being included in the security information, the method further comprises: determining, according to the identification of the terminal device, the security key corresponding to the terminal device stored in the second core network device; generating a new integrity check code with an integrity protection algorithm according to the security key, the terminal capability counter in the security information and the first indication information in the first information; determining whether the new integrity check code is consistent with the integrity check code in the first information.
- The method of claim 27, further comprising: transmitting the first indication information to the first core network device in response to the new integrity check code being consistent with the integrity check code in the first information; terminating the procedure for indicating the capability of the terminal device in response to the new integrity check code not being consistent with the integrity check code in the first information.
- The method of claim 24, wherein, in response to the second indication information being included in the security information and the second indication information indicating that the first indication information adopts a security mechanism of integrity and confidentiality protection, the method further comprises: determining, according to the identification of the terminal device, the security key corresponding to the terminal device stored in the second core network device; generating a new integrity check code with the integrity protection algorithm indicated by the second indication information, according to the security key, the terminal capability counter in the security information, the second indication information in the security information and the encrypted first indication information in the first information; determining whether the new integrity check code is consistent with the integrity check code in the first information.
- The method of claim 29, further comprising: transmitting the first indication information to the first core network device in response to the new integrity check code being consistent with the integrity check code in the first information, the first indication information being obtained by decrypting the encrypted first indication information according to the confidentiality protection algorithm indicated by the second indication information; terminating the procedure for indicating the capability of the terminal device in response to the new integrity check code not being consistent with the integrity check code in the first information.
- The method of claim 25 or 27 or 29, further comprising: generating the new integrity check code in response to the value of the terminal capability counter in the security information being greater than the value of the terminal capability counter stored in the second core network device.
- The method of claim 26 or 28 or 30, wherein, in response to the new integrity check code being consistent with the integrity check code in the security information, the method further comprises: storing the value of the terminal capability counter in the security information.
- The method according to claim 29 or 30, further comprising: terminating the procedure for indicating the capability of the terminal device in response to the second core network device not supporting the confidentiality protection algorithm indicated by the second indication information.
- The method of claim 25 or 27 or 29, further comprising: stopping the capability indication of the terminal device in response to the value of the terminal capability counter reaching the upper limit of the counting capability of the terminal capability counter.
- The method of claim 34, wherein the terminal capability counter is valid during the validity period of the security key corresponding to the terminal device.
- The method according to any one of claims 23-35, wherein the first core network device is a unified data management, UDM, and the second core network device is an authentication service function, AUSF.
- The method according to any one of claims 23-35, wherein the first indication information comprises at least one of: UE parameters update (UPU)/steering of roaming (SoR) capability information of the terminal device; location information of the terminal device; the network slice selection assistance information requested by the terminal device, requested NSSAI.
- The method according to any one of claims 23-35, wherein the security key is K_AUSF or the user permanent identifier SUPI of the terminal device.
- A terminal capability indication apparatus, applied to a terminal device, the apparatus comprising: a transceiving unit configured to send first information and/or an identification of the terminal device to a first core network device of the home network through a visited network; the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
- A terminal capability indication apparatus, applied to a first core network device, the apparatus comprising: a transceiving unit configured to receive first information and/or an identification of the terminal device, sent by the terminal device through an access network; the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
- A terminal capability indication apparatus, applied to a second core network device, the apparatus comprising: a transceiving unit configured to receive first information and an identification of the terminal device, sent by a first core network device; the first information comprises first indication information and security information, wherein the first indication information is used for indicating the capability of the terminal device.
- A communication device comprising a processor and a memory, the memory storing a computer program, the processor executing the computer program stored in the memory to cause the device to perform the method of any one of claims 1 to 12, or the method of any one of claims 13 to 22, or the method of any one of claims 23 to 38.
- A communication device comprising a processor and an interface circuit; the interface circuit is configured to receive code instructions and transmit them to the processor; the processor is configured to execute the code instructions to perform the method of any one of claims 1 to 12, or the method of any one of claims 13 to 22, or the method of any one of claims 23 to 38.
- A communication system comprising: a first core network device, configured to receive first information and/or an identification of the terminal device sent by the terminal device through an access network, and to transmit the first information and the identification of the terminal device to a second core network device; the second core network device, configured to receive the first information and the identification of the terminal device, to verify the first information, and to send the first indication information in the verified first information to the first core network device.
- A computer readable storage medium storing instructions which, when executed, cause the method of any one of claims 1 to 12, the method of any one of claims 13 to 22, or the method of any one of claims 23 to 38 to be implemented.
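The protected capability indication of claims 3, 5 and 7 and its verification at the second core network device (claims 25, 29 and 31-35), as an added example that is not part of the patent. HMAC-SHA256 stands in for the unspecified integrity protection algorithm, an HMAC-derived XOR keystream stands in for the confidentiality algorithm, and the 16-bit counter limit, K_AUSF values and SUPIs are constructed; the variant without second indication information (claim 27) is not shown.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

COUNTER_MAX = 0xFFFF        # assumed counting capability of a 16-bit terminal capability counter
MECH_INTEGRITY = 1          # second indication information: integrity protection only (claim 3)
MECH_INTEGRITY_CONF = 2     # second indication information: integrity and confidentiality (claim 5)
ALG_INTEGRITY = "hmac-sha256"   # stand-in integrity protection algorithm identifier (assumption)
ALG_CONF = "hmac-ctr-xor"       # stand-in confidentiality algorithm identifier (assumption, not a 3GPP one)


def constructed_key(label: bytes) -> bytes:
    """Constructed 32-byte K_AUSF for the demo; a real K_AUSF comes from primary authentication."""
    return hashlib.sha256(b"constructed K_AUSF:" + label).digest()


def _counter_bytes(counter: int) -> bytes:
    return counter.to_bytes(2, "big")


def _mac(k_ausf: bytes, counter: int, second_ind: dict, payload: bytes) -> bytes:
    """Integrity check code over (counter, second indication information, payload); the payload is
    the plaintext first indication information (claim 3) or the encrypted one (claim 5)."""
    msg = _counter_bytes(counter) + json.dumps(second_ind, sort_keys=True).encode() + payload
    return hmac.new(k_ausf, msg, hashlib.sha256).digest()


def _keystream_xor(k_ausf: bytes, counter: int, data: bytes) -> bytes:
    """Confidentiality stand-in: XOR with an HMAC keystream bound to the counter, so a counter
    value never yields the same keystream twice. Symmetric, so the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k_ausf, b"conf" + _counter_bytes(counter) + i.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Terminal:
    """Terminal side (claims 1-9): builds the first information and maintains the counter."""
    supi: str
    k_ausf: bytes
    counter: int = 0

    def key_update(self, new_k_ausf: bytes) -> None:
        self.k_ausf = new_k_ausf
        self.counter = 0                 # claim 6: reset the counter when the security key is updated

    def build_first_information(self, capability: dict, mechanism: int) -> Optional[dict]:
        if self.counter >= COUNTER_MAX:  # claim 8: counter at its upper limit, stop indicating
            return None
        first_ind = json.dumps(capability, sort_keys=True).encode()
        second_ind = {"mechanism": mechanism, "integrity_alg": ALG_INTEGRITY}
        if mechanism == MECH_INTEGRITY_CONF:
            second_ind["conf_alg"] = ALG_CONF
            first_ind = _keystream_xor(self.k_ausf, self.counter, first_ind)  # claim 5: encrypt first
        mac = _mac(self.k_ausf, self.counter, second_ind, first_ind)
        message = {"supi": self.supi, "first_indication": first_ind,
                   "security": {"second_indication": second_ind, "counter": self.counter, "mac": mac}}
        self.counter += 1                # claim 7: update the counter after generating the check code
        return message


@dataclass
class Ausf:
    """Second core network device (claims 25-35): verifies what the first core network device forwards."""
    keys: Dict[str, bytes]                                   # SUPI -> stored K_AUSF
    counters: Dict[str, int] = field(default_factory=dict)   # SUPI -> last accepted counter value
    supported_conf_algs: tuple = (ALG_CONF,)

    def key_update(self, supi: str, new_k_ausf: bytes) -> None:
        self.keys[supi] = new_k_ausf
        self.counters.pop(supi, None)    # claim 35: the counter is only valid for the key's lifetime

    def verify(self, message: dict) -> Optional[dict]:
        """Return the verified (and, if needed, decrypted) first indication information, or None
        when the capability indication procedure is terminated."""
        supi, sec, payload = message["supi"], message["security"], message["first_indication"]
        k_ausf = self.keys.get(supi)     # claim 25: key looked up by the terminal identification
        if k_ausf is None:
            return None
        counter, second_ind = sec["counter"], sec["second_indication"]
        if counter >= COUNTER_MAX:       # claim 34: counter reached its upper limit
            return None
        if counter <= self.counters.get(supi, -1):   # claim 31: counter must have moved forward
            return None
        if (second_ind["mechanism"] == MECH_INTEGRITY_CONF
                and second_ind.get("conf_alg") not in self.supported_conf_algs):
            return None                  # claim 33: unsupported confidentiality algorithm
        if not hmac.compare_digest(_mac(k_ausf, counter, second_ind, payload), sec["mac"]):
            return None                  # claims 26/30: check codes differ, terminate
        self.counters[supi] = counter    # claim 32: store the accepted counter value
        if second_ind["mechanism"] == MECH_INTEGRITY_CONF:
            payload = _keystream_xor(k_ausf, counter, payload)   # claim 30: decrypt after verifying
        return json.loads(payload)
```

A replayed message fails at the counter comparison before any check code is recomputed, and a failed check leaves the stored counter untouched, so a forged message cannot advance it.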
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2022/112326 WO2024031724A1 (en) | 2022-08-12 | 2022-08-12 | Terminal device capability indication method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117882413A true CN117882413A (en) | 2024-04-12 |
Family
ID=89850420
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202280002831.5A Pending CN117882413A (en) | 2022-08-12 | 2022-08-12 | Terminal equipment capability indication method and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117882413A (en) |
WO (1) | WO2024031724A1 (en) |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11290882B2 (en) * | 2019-04-24 | 2022-03-29 | Apple Inc. | Re-authentication procedure for security key (KAUSF) generation and steering of roaming (SOR) data delivery |
CN112601222B (en) * | 2019-09-16 | 2022-04-22 | 华为技术有限公司 | Safety protection method and device for air interface information |
US20210105611A1 (en) * | 2019-10-04 | 2021-04-08 | Qualcomm Incorporated | User equipment radio capability protection |
CN113543121A (en) * | 2020-03-31 | 2021-10-22 | 华为技术有限公司 | Protection method for updating terminal parameter and communication device |
CN113766495A (en) * | 2020-05-30 | 2021-12-07 | 华为技术有限公司 | Information protection method, system and communication device |
CN116391376A (en) * | 2020-09-30 | 2023-07-04 | 华为技术有限公司 | Communication method and device |
EP4154675A4 (en) * | 2020-10-16 | 2023-12-06 | NEC Corporation | Method of communication terminal, communication terminal, method of core network apparatus, and core network apparatus |
CN113449286B (en) * | 2021-07-08 | 2024-03-26 | 深圳职业技术学院 | Method, system and equipment for safety check of S-NSSAI (S-NSSAI) sent by UE (user equipment) |
- 2022-08-12 WO PCT/CN2022/112326 patent/WO2024031724A1/en active Application Filing
- 2022-08-12 CN CN202280002831.5A patent/CN117882413A/en active Pending
Also Published As
Publication number | Publication date |
---|---|
WO2024031724A1 (en) | 2024-02-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2018340618B2 (en) | | Parameter protection method and device, and system |
CN115516891A (en) | | Positioning method/device/equipment and storage medium |
CN117882413A (en) | | Terminal equipment capability indication method and device |
WO2024031732A1 (en) | | Terminal device capability indication method and apparatus |
WO2024065335A1 (en) | | Sidelink positioning method and apparatus |
CN116472731B (en) | | Message verification method and device |
WO2024138581A1 (en) | | Authorization method and apparatus for network slices, devices, and storage medium |
WO2023225878A1 (en) | | Re-authentication authorization method/apparatus/device for AI network function, and storage medium |
WO2024065336A1 (en) | | Sidelink positioning method and apparatus |
WO2024065706A1 (en) | | Connection construction method and apparatus |
WO2023221000A1 (en) | | Authentication and authorization method and apparatus for AI function in core network |
WO2023245520A1 (en) | | Direct communication method and apparatus in localization service |
WO2024092826A1 (en) | | Identity verification method and apparatus |
WO2024000331A1 (en) | | Perception service obtaining method and apparatus |
WO2024065339A1 (en) | | Network satellite coverage data authorization method, device, and storage medium |
WO2024082143A1 (en) | | Device service role verification method and apparatus and device, and storage medium |
WO2023245686A1 (en) | | Method and apparatus for managing internet-of-things devices |
WO2024197474A1 (en) | | Key agreement method, apparatus, device and storage medium |
WO2024065564A1 (en) | | API invoking method, apparatus, device, and storage medium |
CN118120269A (en) | | Application function authorization method and device |
CN118614096A (en) | | Key acquisition method, device, equipment and chip system |
CN116830629A (en) | | Communication method and device based on network slicing |
CN118318414A (en) | | Key distribution method, device, equipment and storage medium |
CN118786692A (en) | | Network identification transmission method and device |
CN116458206A (en) | | Method and device for transmitting Radio Resource Control (RRC) reject message |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||