WO2016062000A1 - Method, device and system for broadcasting and monitoring device-to-device limiting discovery service - Google Patents


Publication number
WO2016062000A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
prose
discovery
request message
prose server
Prior art date
Application number
PCT/CN2015/074909
Other languages
French (fr)
Chinese (zh)
Inventor
游世林
蔡继燕
彭锦
李阳
林兆骥
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2016062000A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks

Definitions

  • the present invention relates to the field of communications, and in particular to a method, apparatus, and system for broadcasting and monitoring a device-to-device limiting discovery service.
  • the Standards Working Group of the 3GPP (3rd Generation Partnership Project) is working on the Evolved Packet System (EPS).
  • the entire EPS includes an E-UTRAN (Evolved Universal Terrestrial Radio Access Network) and an Evolved Packet Core Networking (EPC), where the EPC includes a Home Subscriber Server (HSS), mobility.
  • MME Mobility Management Entity
  • SGSN Serving GPRS Support Node
  • PCRF Policy and Charging Rule Function
  • S-GW Serving Gateway
  • PDN Gateway Packet Data Network
  • PDN Packet Data Network
  • D2D device-to-device
  • the D2D service is also called the distance-based service (ProSe, Proximity-based Services).
  • with the D2D service, when two UEs are relatively close, they can communicate directly, and the connected data path can bypass the core network.
  • on the one hand, data routing can be reduced, and on the other hand, the network data load can be reduced. Therefore, D2D services have received the attention of many operators.
  • FIG. 1 is a structural block diagram of a communication architecture of the D2D discovery service in the prior art. As shown in FIG. 1 , two UEs accessed by the D2D can only access the EPC through the E-UTRAN.
  • the two UEs may belong to one Public Land Mobile Network (PLMN) or to two PLMNs; for one UE, the PLMN may be the home PLMN (HPLMN, Home PLMN) or, when the UE accesses from another PLMN, the visited PLMN (VPLMN, Visited PLMN).
  • the PLMN in which the UE is currently located may be collectively referred to as the local public land mobile network (LPLMN, Local PLMN), regardless of whether the local PLMN is the HPLMN or the VPLMN.
  • LPLMN local public land mobile network
  • for the D2D discovery service, the operator side can deploy not only the EPS but also a ProSe application server for the D2D discovery service.
  • the ProSe application server can be provided by the service provider that operates the D2D service, or can be provided by the network operator that operates the EPS.
  • a ProSe functional entity (ProSe Function) is also deployed in the different PLMNs. Of the two UEs of the ProSe service, one UE obtains the service identifier from the ProSe functional entity and then obtains the broadcastable service code from the ProSe functional entity. This UE is called an Announcing UE (A-UE). The other UE receives the broadcast of the A-UE and then performs matching with the ProSe functional entity of that UE. If the matching is successful, the ProSe service is performed with the A-UE. This non-broadcasting UE is called a monitoring UE (M-UE).
  • A-UE Announcing UE
  • M-UE monitoring UE
  • the interface between the UE and the ProSe application server is the PC1 interface, which provides related authentication functions.
  • the interface between the UE and the UE is the PC5, which is used for direct mutual discovery and communication between the UEs, and the interface between the UE and the ProSe functional entity is the PC3, which is used for discovery and authentication through the network.
  • the interface between the ProSe functional entity and the existing EPC is PC4, which includes a user plane interface with the P-GW and a control plane interface with the HSS for D2D discovery service discovery authentication.
  • the interface between the ProSe functional entity and the ProSe application server is PC2, which is used for application implementation of the D2D discovery service.
  • ProSe functional entities are connected to each other by the PC6 and PC7 interfaces, which cover the UE's non-roaming and roaming situations respectively.
  • when the UE roams, it is the PC7 interface, and when the UE is not roaming, it is the PC6 interface.
  • when the UE performs the D2D discovery service, the information interaction between the two ProSe functional entities is performed over these interfaces.
  • the Generic Bootstrapping Architecture (GBA) is an authentication mechanism that guarantees the establishment of a secure connection between the terminal and the network service node.
  • Figure 2 is a block diagram of the general authentication mechanism in the prior art.
  • the bootstrapping server function (Bootstrapping Server Function, abbreviated as BSF) is in the user's home network.
  • the BSF can obtain the GBA user security vector from the HSS; the BSF and the UE perform mutual authentication using the Authentication and Key Agreement (AKA) protocol and establish a session key, which will be applied between the UE and the network application function (NAF).
  • AKA Authentication and Key Agreement
  • NAF Network application function
  • BSF can pass the key and user security settings to NAF.
  • the UE and the NAF can run some application-related protocols. In these protocols, the authentication of the messages is based on the session key generated in the mutual authentication process between the UE and the BSF. There was no previous security association between the UE and the NAF before the bootstrap process.
  • the NAF obtains the shared key between the UE and the BSF from the BSF, and the NAF should be able to locate and be able to communicate securely with the BSF of the user's home network.
  • the NAF can set the local validity of the shared key according to the local policy, detect the lifetime of the shared key, and take measures with the UE to ensure the refresh of the key in the GBA.
  • the HSS saves the user's security variables.
  • the Subscriber Locator Function (SLF) is used to query the user's HSS. It is not a mandatory functional unit. The UE must support the GBA authentication function.
  • FIG. 3 is a schematic flowchart of a method for limiting discovery service in the prior art. As shown in FIG. 3, the method includes:
  • Step S300 The A-UE obtains the configuration parameter from the ProSe server, and obtains the restriction discovery service permission, where the configuration parameter includes the restriction service ProSe application identifier.
  • Step S301 After the A-UE and the ProSe functional entity under the HPLMN establish a secure connection, the A-UE sends a discovery service request message to the ProSe functional entity in the HPLMN, where the message includes the restricted service ProSe application identifier, the discovery service type, and the user identifier, and the discovery service type is the broadcast service (Announce);
  • Step S302 If the ProSe functional entity has no associated UE context, the ProSe functional entity performs service authentication with the HSS and establishes a new UE context, where the UE context includes the subscription parameters of the UE. If the discovery request is authenticated, the ProSe functional entity sends a broadcast authentication request to the ProSe functional entity of the VPLMN. The message carries the restricted service ProSe application identifier, the user identifier, and the discovery service code allocated by the ProSe functional entity under the HPLMN of the A-UE; the ProSe service code is the broadcast code for the A-UE;
  • Step S303 After the ProSe functional entity of the VPLMN of the A-UE authenticates the broadcast request, it sends a broadcast authentication request response message to the ProSe functional entity in the HPLMN of the A-UE.
  • Step S304 The ProSe functional entity of the HPLMN sends a discovery service request response message to the A-UE.
  • the message carries the discovery service code, the discovery key, the current time, and the maximum duration.
  • the ProSe service code is the broadcast service code allocated by the ProSe functional entity of the HPLMN of the A-UE to the A-UE, and the discovery key is 128 bits in total.
  • the current time is Greenwich Mean Time, that is, the world unified clock. The A-UE sets its ProSe time according to the current time, that is, it synchronizes its time with the network. The maximum duration and the current time together constitute the discovery time slot of the current discovery, that is, the life cycle of the discovery service code, which becomes invalid once the maximum duration is exceeded;
  • Step S305 The A-UE broadcasts to the air through a broadcast channel, and the broadcast message carries the discovery service code.
  • Step S306 The M-UE obtains configuration parameters from the ProSe server, and obtains a restriction discovery service permission, where the configuration parameter includes a list of restricted service ProSe application identifiers.
  • Step S307 When the M-UE is interested in monitoring at least one restricted service ProSe application identifier, and after it has established a secure connection with the ProSe functional entity under the HPLMN of the M-UE, the M-UE sends a discovery service request message to the ProSe functional entity under the HPLMN.
  • the message includes a list of restricted service ProSe application identifiers, the discovery service type, and a user identifier, where the discovery service type is the monitoring service (Monitor).
  • Step S308 If the ProSe functional entity under the HPLMN of the M-UE has no associated UE context, the ProSe functional entity performs service authentication with the HSS and establishes a new UE context, where the UE context contains the subscription parameters of the UE. If the discovery request is authenticated, the ProSe functional entity under the HPLMN of the M-UE sends a monitoring authentication request to the ProSe functional entity of the other PLMN, and the message carries the restricted service ProSe application identifier list and the user identifier;
  • the ProSe functional entity of the other PLMN also includes the ProSe functional entity under the HPLMN corresponding to the A-UE. Therefore, the restricted service ProSe application identifier list further includes at least one A-UE restricted service ProSe application identifier.
  • Step S309 the ProSe functional entity of the other PLMN obtains the authentication permission from the ProSe server;
  • Step S310 If the ProSe functional entity of the other PLMN has saved the discovery service code corresponding to the restricted service ProSe application identifier, then after authenticating the monitoring authentication request message it sends a monitoring authentication request response message back to the ProSe functional entity of the HPLMN of the M-UE.
  • the message carries the mask corresponding to the discovery service code and the life cycle corresponding to the discovery service code, that is, the current time of the ProSe functional entity of the other PLMN and the maximum duration;
  • Step S311 The ProSe functional entity of the HPLMN of the M-UE composes the discovery template from the ProSe service code according to the mask in the monitoring authentication request response message, and sends a discovery service request response message to the M-UE.
  • the message carries the discovery template, the current time, and the maximum duration;
  • if the time of the ProSe functional entity of the HPLMN of the M-UE has been synchronized with the ProSe functional entity of the other PLMN, the current time is the current time of the ProSe functional entity of the HPLMN of the M-UE; otherwise it is the current time carried by the monitoring authentication request response message.
  • the maximum duration is the maximum duration carried by the monitoring authentication request response message.
  • the M-UE sets the ProSe clock according to the current time;
  • Step S312 The M-UE receives the broadcast information of the A-UE, where the broadcast information includes the discovery service code.
  • Step S313 If the M-UE finds that the discovery service code broadcast by the A-UE exists in the discovery template, and the discovery service code is within the life cycle of the discovery template, it sends a matching report message to the ProSe functional entity of the HPLMN of the M-UE. The message carries the discovery service code, and the message also carries the ProSe time corresponding to the UE;
  • Step S314 The ProSe functional entity of the HPLMN of the M-UE forwards the matching report message to the ProSe functional entity of the HPLMN of the A-UE.
  • Step S315 According to the parameters carried in the matching report, namely the ProSe time and the received discovery service code, the ProSe functional entity of the HPLMN of the A-UE checks whether the service code passes the integrity check; otherwise the check fails, that is, the M-UE discovery service code does not.
  • Step S316 After the ProSe functional entity integrity check of the HPLMN of the A-UE is successful, the matching report response message is sent back to the ProSe functional entity of the HPLMN of the M-UE;
  • Step S317 The ProSe function entity of the HPLMN of the M-UE sends a matching report response message to the M-UE, where the message carries the current time of the ProSe functional entity of the HPLMN of the M-UE, and the M-UE sets the ProSe time. After the matching is successful, the M-UE discovers the A-UE.
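The M-UE side of steps S311 to S313 (mask match inside the life cycle) and a network-side check of the matching report in step S315, as an added example that is not code from the patent. All names and values are constructed; the page does not give the integrity algorithm that uses the discovery key, so none is modelled, and `max_skew_s` is an assumption of this example.

```python
"""M-UE discovery-template matching and a network-side match-report check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    code: int           # masked discovery service code
    mask: int           # bits of a received code that must equal `code`
    valid_until: float  # ProSe time at which the filter's life cycle ends


class ProSeClock:
    """ProSe time: the network's 'current time' advanced by local elapsed time."""

    def __init__(self, network_now: float, local_now: float):
        self.offset = network_now - local_now

    def now(self, local_now: float) -> float:
        return local_now + self.offset


def build_template(entries, network_now: float):
    """entries: iterable of (code, mask, max_duration_s) from the response message."""
    return [Filter(code & mask, mask, network_now + dur) for code, mask, dur in entries]


def match(template, received_code: int, prose_time: float):
    """Return a match report for the first live filter that matches, else None."""
    for f in template:
        if prose_time >= f.valid_until:
            continue  # life cycle over: an expired filter must never match
        if (received_code & f.mask) == f.code:
            return {"code": received_code, "prose_time": prose_time}
    return None


def verify_report(allocations, report, server_now: float, max_skew_s: float = 30.0) -> bool:
    """Network-side check of a match report (step S315).

    allocations maps an allocated code to (issued_at, max_duration_s).
    max_skew_s is an assumption of this example, not a value from the page.
    """
    entry = allocations.get(report["code"])
    if entry is None:
        return False  # code was never allocated by this ProSe function
    issued_at, max_duration = entry
    t = report["prose_time"]
    if not (issued_at <= t < issued_at + max_duration):
        return False  # code was observed outside its life cycle
    return abs(server_now - t) <= max_skew_s  # stale report: possible replay


# Constructed sample values (not from the page).
NETWORK_NOW = 1_000_000.0
TEMPLATE = build_template([(0xA1B2C300, 0xFFFFFF00, 600)], NETWORK_NOW)
CLOCK = ProSeClock(NETWORK_NOW, local_now=50.0)
ALLOCATIONS = {0xA1B2C37F: (999_990.0, 600)}

if __name__ == "__main__":
    report = match(TEMPLATE, 0xA1B2C37F, CLOCK.now(60.0))
    print(report, verify_report(ALLOCATIONS, report, server_now=1_000_012.0))
```

The same report presented long after its ProSe time is rejected, which is why the M-UE must keep its ProSe clock set from the network's current time.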
  • the restricted discovery service must have the service permission of the ProSe server. Therefore, in both the M-UE monitoring process and the A-UE broadcast process, the UE needs to obtain configuration information and permission from the ProSe server in advance, and in the M-UE monitoring process the permission of the ProSe server is requested again during the service, which makes the D2D discovery service implementation process cumbersome.
  • the main purpose of the present invention is to provide a device-to-device restriction discovery service broadcast, monitoring method, device, and system, so as to solve the problem that the D2D discovery service implementation process is complicated in the prior art.
  • the present invention provides a device-to-device D2D limiting discovery service broadcast method, including: a broadcast terminal A-UE sending a service request message to a distance-based service ProSe server; the A-UE receiving a discovery service code obtained by the ProSe server after the ProSe server authenticates the service request message; and the A-UE broadcasting the discovery service code.
  • a device-to-device D2D method for monitoring a discovery service, including: a listening terminal M-UE sending a service request message to a distance-based service ProSe server; the M-UE receiving a discovery template, consisting of the mask corresponding to the discovery service code, obtained by the ProSe server after the ProSe server authenticates the service request message; and the M-UE monitoring the broadcast channel according to the mask corresponding to the discovery service code in the discovery template.
  • a device-to-device D2D limiting discovery service broadcast device, comprising: a first sending module, configured to send a service request message to a distance-based service ProSe server; a first receiving module, configured to receive a discovery service code obtained by the ProSe server after the ProSe server authenticates the service request message; and a broadcast module, configured to broadcast the discovery service code.
  • a device-to-device D2D monitoring device for limiting discovery service, the device being located in the monitoring terminal, comprising: a second sending module, configured to send a service request message to the distance-based service ProSe server; a second receiving module, configured to receive a discovery template, consisting of a mask corresponding to the discovery service code, obtained by the ProSe server after the ProSe server authenticates the service request message; and a monitoring module, configured to listen to the broadcast channel according to the mask corresponding to the discovery service code in the discovery template.
  • a processing system for device-to-device D2D restriction discovery service, comprising a broadcast terminal located at a broadcast terminal side, a listening terminal located at a listening terminal side, and a distance-based service ProSe server.
  • the broadcast terminal includes: a first sending module, configured to send a service request message to the ProSe server; a first receiving module, configured to receive the discovery service code obtained by the ProSe server after the ProSe server authenticates the service request message; and a broadcast module, configured to broadcast the discovery service code;
  • the monitoring device includes: a second sending module, configured to send a service request message to the ProSe server; a second receiving module, configured to receive a discovery template, consisting of a mask corresponding to the discovery service code, obtained by the ProSe server after the ProSe server authenticates the service request message; and a monitoring module, configured to listen to the broadcast channel according to the mask corresponding to the discovery service code in the discovery template; wherein the service request message is encrypted.
  • in the present invention, the broadcast terminal A-UE sends a service request message to the distance-based service ProSe server; the A-UE receives the discovery service code obtained by the ProSe server after authenticating the service request message; and the A-UE broadcasts the discovery service code. This solves the problem in the prior art that the restricted discovery service must have the service permission of the ProSe server, which makes the D2D discovery service implementation process cumbersome, so that the A-UE can obtain the broadcast or authentication permission directly from the ProSe server without passing through the ProSe functional entity, which simplifies the process steps of the discovery service.
  • FIG. 1 is a structural block diagram of a communication architecture of a D2D discovery service in the prior art
  • FIG. 2 is a structural block diagram of a general authentication mechanism in the prior art
  • FIG. 3 is a schematic flowchart of a method for limiting discovery service in the prior art
  • FIG. 4 is a flowchart of a method for broadcasting a device-to-device D2D restriction discovery service according to a preferred embodiment of the present invention
  • FIG. 5 is a GBA authentication process of a universal authentication mechanism according to an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a device-to-device D2D method for monitoring a discovery service according to an embodiment of the present invention
  • FIG. 7 is a structural block diagram of a broadcast apparatus for limiting a discovery service from a device to a device D2D according to an embodiment of the present invention
  • FIG. 8 is a structural block diagram of a device to device D2D limiting discovery service monitoring device according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of a broadcast process for limiting discovery service A-UE according to a preferred embodiment of the present invention.
  • FIG. 10 is a schematic flowchart of a method for monitoring a discovery service M-UE according to a preferred embodiment of the present invention.
  • FIG. 4 is a flowchart of a device-to-device D2D restriction discovery service broadcast method according to a preferred embodiment of the present invention. As shown in FIG. 4, the method includes:
  • Step S402 The broadcast terminal A-UE sends a service request message to the distance-based service ProSe server.
  • Step S404 The A-UE receives the discovery service code acquired by the ProSe server after the service request message is authenticated and passed.
  • Step S406 The A-UE broadcasts the discovery service code.
  • in this embodiment, the broadcast terminal A-UE sends a service request message to the distance-based service ProSe server; the A-UE receives the discovery service code obtained by the ProSe server after authenticating the service request message; and the A-UE broadcasts the discovery service code. This solves the problem in the prior art that the restricted discovery service requires the service permission of the ProSe server, which makes the D2D discovery service implementation process cumbersome, so that the A-UE can obtain the broadcast or authentication permission directly from the ProSe server without passing through the ProSe functional entity, which simplifies the process steps of the discovery service.
  • in the embodiment of the present invention, the A-UE can also receive the valid service life of the discovery service code obtained by the ProSe server.
  • the server sends information that is responsive to the service request information, where the information carries the A-UE pre-signed restricted service ProSe application identifier.
  • the service request message in the embodiment of the present invention is an encrypted service request message, and the service request message carries, but is not limited to, the following information: the restricted discovery service request type and the service application type information, where the restricted discovery service request type is broadcast, and the service application type information is the restricted service ProSe application identifier of the A-UE.
  • when the A-UE sends the service request message to the ProSe server, the method further includes: the A-UE sends the B-TID and the key period of the B-TID to the ProSe server.
  • the ProSe server authenticates the service request message by: the ProSe server sends the B-TID, the ID of the service platform NAF to the A-UE home domain ProSe function requesting entity, and the ProSe server receives the A-UE attribution.
  • the ProSe server authenticates the decrypted restricted service ProSe application identifier.
  • the ProSe server obtains the discovery service code and the effective service life of the discovery service code.
  • after the ProSe server authenticates the service request message, the ProSe server sends a broadcast request message to the A-UE home domain ProSe functional entity.
  • the broadcast request message carries the restricted service ProSe application identifier; the ProSe server receives the broadcast request response message in response to the broadcast request message, and the broadcast request response message carries the A-UE home domain ProSe functional entity as the restricted service ProSe application identifier.
  • the A-UE receiving the obtained discovery service code includes: the A-UE receives the encrypted service request response message sent by the ProSe server, where the service request response message carries the restricted service ProSe application identifier, the discovery service code of the restricted service ProSe application identifier, and the effective service life of the discovery service code.
  • before the A-UE sends the service request message to the ProSe server, the method includes: the A-UE performs authentication and key agreement (AKA) authentication with the A-UE home domain ProSe functional entity to obtain the B-TID and the key period of the B-TID.
  • FIG. 5 is a GBA authentication process of a universal authentication mechanism according to an embodiment of the present invention.
  • the AKA authentication of the A-UE is implemented by this process, in which steps S501-S506 are the bootstrapping AKA authentication process and steps S507-S510 are the service authentication process. As shown in Figure 5, the process includes:
  • Step S501 The UE sends an initialization request to the BSF.
  • RAND is a random number
  • AUTN is an Authentication Token (AUTN)
  • Step S503 encryption key CK, integrity protection key IK;
  • the BSF obtains an HSS address for storing user information by querying the SLF;
  • Step S504 The BSF sends the RAND and the AUTN to the UE through the 401 message, and saves (CK, IK, XRES), and requests the UE to authenticate the BSF.
  • the UE verifies the AUTN by the authentication algorithm and confirms that the message is from the authorized network, and the UE calculates CK, IK, and RES (authorization result parameter), so that both the BSF and the UE hold the session keys IK and CK;
  • Step S505 The UE sends an authorization request message to the BSF, where the message carries an authorization result parameter RES;
  • Step S506 The BSF sends a 200 OK (Success Message) message containing the B-TID to the UE indicating that the authentication is successful, and in the 200 OK message, the BSF provides the lifetime of the Ks;
  • a 200 OK Success Message
  • KDF is a key generation algorithm
  • IMPI is the IMS identifier of the terminal.
  • the NAF_ID is the ID of the service platform NAF, and the UE sends a B-TID (Bootstrapping Transaction Identifier) to the NAF, and requests to negotiate a key with the NAF;
  • the message also contains the content of the service message, and the message is encrypted with the service key using the encryption algorithm.
  • Step S508 The NAF sends the B-TID and the NAF_ID to the BSF to obtain the service key of the user.
  • Step S509 The BSF derives the Ks_NAF from the Ks by using the same method as the UE, and sends the Ks_NAF to the NAF through the secure channel, and includes information such as the key lifetime of its Ks_NAF;
  • the NAF can decrypt the content in the service message by using the same algorithm as the UE by using the obtained Ks_NAF;
  • Step S510 After the NAF saves the Ks_NAF and the validity period information, the NAF returns a 200 OK response to the UE, and the key Ks_NAF is shared between the UE and the NAF, and can be used for operations such as authentication and message encryption.
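Steps S507 to S510 as an added example, not code from the patent: the UE and the BSF derive Ks_NAF independently, and the NAF (the ProSe server in this embodiment) fetches it by B-TID and checks the service message. The KDF input layout and `Ks = CK || IK` follow 3GPP TS 33.220 rather than this page; an HMAC tag stands in for the message encryption because the Python standard library has no AEAD cipher; all identifiers and key values are constructed.

```python
"""GBA key usage: UE and BSF derive Ks_NAF; the NAF fetches it by B-TID."""
import hashlib
import hmac
import time


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (TS 33.220 Annex B)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ck: bytes, ik: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Ks = CK || IK; Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_ID)."""
    return kdf(ck + ik, 0x01, b"gba-me", rand, impi.encode("utf-8"), naf_id)


class BSF:
    """Holds the sessions bootstrapped by AKA (steps S501-S506)."""

    def __init__(self):
        self._sessions = {}

    def bootstrap(self, b_tid, ck, ik, rand, impi, lifetime_s, now=None):
        now = time.time() if now is None else now
        self._sessions[b_tid] = (ck, ik, rand, impi, now + lifetime_s)

    def get_ks_naf(self, b_tid, naf_id, now=None):
        """Steps S508-S509: return (Ks_NAF, expiry) or raise if unknown/expired."""
        now = time.time() if now is None else now
        if b_tid not in self._sessions:
            raise KeyError("unknown B-TID")
        ck, ik, rand, impi, expiry = self._sessions[b_tid]
        if now >= expiry:
            raise PermissionError("Ks lifetime expired; the UE must re-bootstrap")
        return derive_ks_naf(ck, ik, rand, impi, naf_id), expiry


def ue_protect(ks_naf: bytes, payload: bytes) -> bytes:
    """UE side of step S507: tag the service message with Ks_NAF."""
    return hmac.new(ks_naf, payload, hashlib.sha256).digest()


class NAF:
    def __init__(self, naf_id: bytes, bsf: BSF):
        self.naf_id, self.bsf = naf_id, bsf

    def accept(self, b_tid, payload: bytes, tag: bytes, now=None) -> bool:
        """Step S510: accept only if the tag verifies under a live Ks_NAF."""
        try:
            ks_naf, _expiry = self.bsf.get_ks_naf(b_tid, self.naf_id, now)
        except (KeyError, PermissionError):
            return False
        expected = hmac.new(ks_naf, payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


# Constructed sample values (not from the page).
CK, IK, RAND = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
IMPI = "user@example.org"
NAF_ID = b"prose.example.org" + bytes([1, 0, 0, 0, 2])  # FQDN || protocol id
B_TID = "constructed-b-tid@bsf.example.org"

if __name__ == "__main__":
    bsf = BSF()
    bsf.bootstrap(B_TID, CK, IK, RAND, IMPI, lifetime_s=3600)
    msg = b"announce:restricted-app-id"
    tag = ue_protect(derive_ks_naf(CK, IK, RAND, IMPI, NAF_ID), msg)
    print(NAF(NAF_ID, bsf).accept(B_TID, msg, tag))
```

Because NAF_ID is an input to the derivation, a key fetched by a different NAF does not verify messages protected for this one.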
  • FIG. 6 is a schematic flowchart of a device-to-device D2D method for monitoring a discovery service according to an embodiment of the present invention. The method includes:
  • Step S602 The monitoring terminal M-UE sends a service request message to the distance-based service ProSe server.
  • Step S604 The M-UE receives a mask corresponding to the discovery service code acquired by the ProSe server after the service request message is authenticated and passed.
  • Step S606 The M-UE listens to the broadcast channel according to the mask corresponding to the discovery service code.
  • the M-UE receives the discovery service code that is obtained by the ProSe server after the service request message is authenticated, and the method further includes: the M-UE receiving the effective use period of the discovery service code obtained by the ProSe server.
  • the service request message is the encrypted service request information, and the service request message carries the following information: the type of the discovery service request and the service application type information.
  • the restricted discovery service request type is monitoring, and the service application type information is the restricted service ProSe application identifier of the M-UE.
  • when the A-UE sends the service request message to the ProSe server, the method further includes: the M-UE sends the B-TID and the key period of the B-TID to the ProSe server.
  • the ProSe server authenticates the service request message by: the ProSe server sends the B-TID, the ID of the service platform NAF to the M-UE home domain ProSe function requesting entity, and the ProSe server receives the M-UE attribution.
  • the ProSe server authenticates the decrypted restricted service ProSe application identifier.
  • the ProSe server obtains the discovery service code and the effective service life of the discovery service code.
  • after the ProSe server authenticates the service request message, the ProSe server sends a monitoring authentication request message to the M-UE home domain ProSe functional entity.
  • the monitoring authentication request message carries the restricted service ProSe application identifier; the ProSe server receives the broadcast request response message in response to the broadcast request message, where the broadcast request response message carries the M-UE home domain ProSe functional entity as the restricted service ProSe application.
  • the M-UE receiving the mask corresponding to the discovery service code after the ProSe server authenticates the service request message includes: the M-UE receives the encrypted service request response message sent by the ProSe server, where the service request response message carries the restricted service ProSe application identifier, the mask corresponding to the discovery service code of the restricted service ProSe application identifier, and the valid use period of the mask.
  • before the M-UE sends the service request message to the ProSe server, the M-UE performs authentication and key agreement (AKA) authentication with the M-UE home domain ProSe functional entity to obtain the B-TID and the key period of the B-TID.
  • FIG. 7 is a structural block diagram of a broadcast device for the device-to-device D2D restriction discovery service according to an embodiment of the present invention, where the broadcast device is located in a broadcast terminal. As shown in FIG. 7, the apparatus includes: a first sending module 72, configured to send a service request message to the distance-based service ProSe server; a first receiving module 74, coupled to the first sending module 72 and configured to receive the discovery service code obtained by the ProSe server after the service request message is authenticated; and a broadcast module 76, coupled to the first receiving module 74 and configured to broadcast the discovery service code.
  • the service request message is an encrypted service request message.
  • the first receiving module is further configured to receive the encrypted service request response message sent by the ProSe server, where the service request response message carries the restricted service ProSe application identifier, the discovery service code of the restricted service ProSe application identifier, and the effective use period of the discovery service code.
  • FIG. 8 is a structural block diagram of a device-to-device D2D-restricted discovery service monitoring device according to an embodiment of the present invention.
  • the monitoring device is located in the monitoring terminal.
  • the device includes: a second sending module 82, configured to send a service request message to the distance-based service ProSe server; a second receiving module 84, coupled to the second sending module 82 and configured to receive the discovery template, consisting of the mask corresponding to the discovery service code, that the ProSe server obtains after authenticating the service request message; and a monitoring module 86, coupled to the second receiving module 84 and configured to listen to the broadcast channel according to the discovery template composed of the mask corresponding to the discovery service code.
  • the service request message is an encrypted service request message.
  • the second receiving module is further configured to receive the encrypted service request response message sent by the ProSe server, where the service request response message carries the restricted service ProSe application identifier, a discovery template consisting of a mask corresponding to the discovery service code of the restricted service ProSe application identifier, and an effective use period of the mask.
  • the modules and units involved in the embodiments of the present invention may be implemented by software or by hardware.
  • the described modules and units in this embodiment may also be disposed in a processor.
  • a processor includes a second sending module and a second receiving module.
  • the names of these modules do not constitute a limitation on the module itself in some cases.
  • the second sending module may also be described as “set to send a service request message to the distance-based service ProSe server”.
  • the present invention also provides a device-to-device D2D-restricted discovery service processing system, which includes a broadcast terminal located on the broadcast terminal side, a listening terminal located on the monitoring terminal side, and a ProSe server;
  • the broadcast terminal includes: a first sending module 72, configured to send a service request message to the distance-based service ProSe server; a first receiving module 74, coupled to the first sending module 72 and configured to receive the discovery service code that the ProSe server obtains after authenticating the service request message; and a broadcast module 76, coupled to the first receiving module 74 and configured to broadcast the discovery service code;
  • the monitoring device includes: a second sending module 82, configured to send a service request message to the distance-based service ProSe server; a second receiving module 84, coupled to the second sending module 82 and configured to receive the mask corresponding to the discovery service code that the ProSe server obtains after authenticating the service request message; and a monitoring module 86, coupled to the second receiving module 84 and configured to listen to the broadcast channel according to the mask corresponding to the discovery service code;
  • a preferred embodiment of the present invention provides a broadcast terminal A-UE, which initiates a discovery request to a ProSe server; the ProSe server acquires a shared key from the ProSe functional entity, authenticates the discovery request, acquires the discovery service code from the ProSe functional entity, and then sends it to the A-UE in encrypted form.
  • the preferred embodiment of the present invention further provides a listening terminal M-UE.
  • the M-UE initiates a discovery request to the ProSe server; the ProSe server acquires a shared key from the ProSe functional entity, authenticates the discovery request, acquires the discovery service code template from the ProSe functional entity, and then sends it to the M-UE in encrypted form.
  • the D2D restriction discovery service flow of the preferred embodiment of the present invention will be described below in conjunction with the broadcast terminal A-UE and the listening terminal M-UE.
  • the main inventive idea for the restricted discovery service A-UE is: the A-UE initiates a discovery request to the ProSe server; the ProSe server acquires the shared key from the ProSe functional entity, authenticates the discovery request, obtains the discovery service code from the ProSe functional entity, and then sends it to the A-UE in encrypted form.
  • FIG. 9 is a schematic diagram of a broadcast process for limiting a discovery service A-UE according to a preferred embodiment of the present invention. As shown in FIG. 9, the method includes:
  • Step S901 The A-UE and the A-UE home domain ProSe functional entity perform the steps 501-506 AKA authentication in FIG. 5 to obtain the B-TID and the key period;
  • Step S902 The A-UE initiates a service request to the ProSe server. The service request carries the B-TID and the encrypted service request message, where the encrypted message includes a restriction discovery request; the restriction discovery request carries the discovery type, which is broadcast (announce), and either the service application type or a restricted service ProSe application identifier already held by the A-UE. The restricted service ProSe application identifier is pre-signed by the A-UE or obtained through step 306;
  • Step S903 The ProSe server sends a B-TID and a NAF_ID to the A-UE home domain ProSe function to obtain a service key of the user.
  • Step S904 The A-UE home domain ProSe functional entity derives the Ks_NAF from the Ks by using the same method as the A-UE, and sends the Ks_NAF to the ProSe server through the secure channel, and includes information such as the key lifetime of its Ks_NAF;
  • Step S905 The ProSe server uses the obtained Ks_NAF to decrypt the service request message, authenticates the service request and the restricted service ProSe application identifier, or allocates a restricted service ProSe application identifier according to the service application type, and sends a broadcast request message to the A-UE home domain ProSe functional entity; the broadcast request message carries the restricted service ProSe application identifier;
  • Step S906 The A-UE home domain ProSe functional entity allocates a discovery service code and a corresponding validity period for the restricted service ProSe application identifier, and sends a broadcast request response message to the ProSe server, where the message carries the discovery service code and the corresponding validity period;
  • Step S907 The ProSe server sends a service request response message to the A-UE, where the message carries the encrypted service response message, and the service response message carries the restricted service ProSe application identifier, the service code, and the corresponding validity period;
  • Step S908 The A-UE decrypts the response message, saves the restricted service ProSe application identifier, the discovery service code and the corresponding validity period, allocates radio resources, and broadcasts the discovery service code on the broadcast channel for discovery by the M-UE.
  • FIG. 10 is a schematic flowchart of a method for monitoring a discovery service M-UE according to a preferred embodiment of the present invention. As shown in FIG. 10, the method includes:
  • Step S1001 The M-UE and the M-UE home domain ProSe functional entity perform the step 101-106 AKA authentication in FIG. 3 to obtain the B-TID and the key period;
  • Step S1002 The M-UE initiates a service request to the ProSe server. The service request carries the B-TID and the encrypted service request message, where the encrypted message includes a restriction discovery request; the restriction discovery request carries the discovery type, which is monitoring (monitor), and either the service application type or a restricted service ProSe application identifier already held by the M-UE. The restricted service ProSe application identifier is pre-signed by the M-UE or obtained through step 408;
  • Step S1003 The ProSe server sends a B-TID and a NAF_ID to the M-UE home domain ProSe function to obtain a service key of the user.
  • Step S1004 The M-UE home domain ProSe functional entity derives the Ks_NAF from the Ks by using the same method as the M-UE, and sends the Ks_NAF to the ProSe server through the secure channel, and includes information such as the key lifetime of the Ks_NAF.
  • Step S1005 The ProSe server uses the obtained Ks_NAF to decrypt the service request message, authenticates the service request and the restricted service ProSe application identifier, or allocates a restricted service ProSe application identifier or a restricted service ProSe application identifier list according to the service request type, and sends a monitoring authentication request message to the M-UE home domain ProSe functional entity; the monitoring authentication request message carries the restricted service ProSe application identifier or the restricted service ProSe application identifier list;
  • Step S1006 The M-UE home domain ProSe functional entity sends a listening request to the ProSe functional entity of the other PLMN, and the message carries the restricted service ProSe application identifier or the restricted service ProSe application identifier list.
  • the ProSe functional entity of the other PLMN also includes the ProSe functional entity under the HPLMN corresponding to the A-UE, so the restricted service ProSe application identifier list also includes at least one A-UE restricted service ProSe application identifier;
  • Step S1007 If the ProSe functional entity of the other PLMN holds the discovery service code corresponding to the restricted service ProSe application identifier, it authenticates the listening request message and returns a listening request response message to the ProSe functional entity of the HPLMN of the M-UE; the message carries the mask corresponding to the discovery service code and the validity period, that is, the current time and maximum duration of the ProSe functional entities of other PLMNs;
  • Step S1008 The ProSe functional entity of the HPLMN of the M-UE forms a discovery template from the masks corresponding to the ProSe service codes in the listening request response message, and sends a monitoring authentication request response message to the ProSe server, where the message carries the mask corresponding to the discovery service code and the validity period, that is, the current time and maximum duration of the ProSe functional entities of other PLMNs;
  • Step S1009 The ProSe server sends a service request response message to the M-UE, where the message carries the encrypted service response message; the service response message carries the restricted service ProSe application identifier, the mask corresponding to the service code, and the validity period, that is, the current time and maximum duration of the ProSe functional entities of other PLMNs;
  • Step S1010 The M-UE decrypts the response message, saves the restricted service ProSe application identifier, the mask corresponding to the discovery service code and the validity period, allocates radio resources, and listens for the A-UE broadcast on the broadcast channel. The matching process is then initiated; after the matching succeeds, the A-UE is discovered.
  • the UE to the ProSe server is guaranteed, and the UE can directly obtain the broadcast or authentication permission from the ProSe server without having to go through the ProSe functional entity, thereby saving messages.
  • the broadcast terminal A-UE sends a service request message to the distance-based service ProSe server; the A-UE receives the discovery service code that the ProSe server obtains after authenticating the service request message; and the A-UE broadcasts the discovery service code. This solves the prior-art problem that the restricted discovery service must require the service permission of the ProSe server, which makes the implementation of the D2D discovery service cumbersome.
  • the A-UE can directly obtain a broadcast or authentication permission from the ProSe server without having to go through the ProSe functional entity, which simplifies the process steps of the discovery service.


Abstract

The present invention provides a method, device and system for broadcasting and monitoring a device-to-device (D2D) limiting discovery service. The broadcasting method comprises: a broadcasting terminal (A-UE) sends a service request message to a distance-based service (ProSe) server (S402); the A-UE receives a discovery service code that is acquired after the ProSe server successfully authenticates the service request message (S404); and the A-UE broadcasts the discovery service code (S406). The present invention solves the problem in the prior art of a complex process of implementing a D2D discovery service due to the fact that a limiting discovery service must require service permission of a ProSe server, so that an A-UE can directly acquire broadcast or authentication permission from the ProSe server instead of using a ProSe functional entity, thereby simplifying the process steps of the discovery service.

Description

Device-to-device restricted discovery service broadcasting and monitoring method, apparatus and system

Technical field
The present invention relates to the field of communications, and in particular to a device-to-device restricted discovery service broadcasting and monitoring method, apparatus and system.
Background
To keep the third-generation mobile communication system competitive in the communications field, to provide users with faster, lower-latency and more personalized mobile communication services, and to reduce operators' operating costs, the standards working group of the 3rd Generation Partnership Project (3GPP) is studying the Evolved Packet System (EPS). The EPS as a whole comprises the radio access network (E-UTRAN, Evolved Universal Terrestrial Radio Access Network) and the mobile core network (EPC, Evolved Packet Core Networking), where the EPC contains the Home Subscriber Server (HSS), the Mobility Management Entity (MME), the Serving GPRS Support Node (SGSN), the Policy and Charging Rule Function (PCRF), the Serving Gateway (S-GW), the PDN Gateway (P-GW) and the Packet Data Network (PDN).
When two user equipments (UE, User Equipment) communicate through the EPS, each UE needs to establish a bearer with the EPS. However, given the rapid development of UEs and of mobile Internet services, many services want to discover nearby UEs and communicate with them, which has given rise to the device-to-device (D2D, Device to Device) service, also called the distance-based service (ProSe, Proximity-based Services). In the D2D service, when two UEs are close to each other they can communicate directly, and the data path connecting them need not loop back through the core network. This reduces detours in data routing on the one hand and reduces the network data load on the other. D2D services have therefore attracted the attention of many operators.
At present, a commonly used D2D service is the D2D discovery service. FIG. 1 is a structural block diagram of the communication architecture of the D2D discovery service in the prior art. As shown in FIG. 1, the two UEs of a D2D access can only access the EPC through the E-UTRAN. The two UEs may both belong to one Public Land Mobile Network (PLMN) or belong to two different PLMNs. For a UE, the PLMN may be either the home PLMN (HPLMN, Home PLMN) or, when the UE accesses from another PLMN, the visited PLMN (VPLMN, Visited PLMN); the PLMN of the area where the UE is currently located is collectively called the local PLMN (LPLMN, Local PLMN), whether that PLMN is the HPLMN or the VPLMN. To implement the D2D discovery service, the operator side deploys not only the EPS but also a ProSe application server (ProSe Application Server) for the D2D discovery service; the ProSe application server may be provided by the service provider operating the D2D service or by the network operator operating the EPS. ProSe functional entities (ProSe Function) are also deployed in the different PLMNs. Of the two UEs of a ProSe service, one UE obtains a service identifier from the ProSe functional entity and then obtains from the ProSe functional entity a service code that it can broadcast; this UE is called the broadcast UE (Announcing UE, A-UE). The other UE receives the A-UE's broadcast and then performs matching with its own ProSe functional entity; if the matching succeeds, it carries out the ProSe service with the A-UE. This non-broadcasting UE is called the monitoring UE (Monitoring UE, M-UE).
In the D2D discovery service communication architecture, the UE provides the relevant ProSe application (APP, Application), and its interface with the ProSe application server is the PC1 interface, which provides the related authentication function. The interface between UEs is PC5, used for direct mutual discovery and communication between UEs, and the interface between the UE and the ProSe functional entity is PC3, used for discovery authentication through the network. The interface between the ProSe functional entity and the existing EPC is PC4, which comprises a user-plane interface with the P-GW and a control-plane interface with the HSS and is used for discovery authentication of the D2D discovery service. The interface between the ProSe functional entity and the ProSe application server is PC2, used for the application implementation of the D2D discovery service. ProSe functional entities are connected to each other by the PC6 and PC7 interfaces, which cover the two cases of the UE roaming and not roaming: PC7 when the UE is roaming and PC6 when the UE is not roaming. These two interfaces carry the information exchange between two ProSe functional entities when the UE performs the D2D discovery service.
In addition, in a mobile network a terminal usually needs to establish a secure connection with a service node in the network. The general authentication mechanism (General Bootstrapping Architecture, GBA) is the authentication mechanism that ensures a secure connection is established between the terminal and the network service node. FIG. 2 is a structural block diagram of the general authentication mechanism in the prior art. As shown in FIG. 2, the bootstrapping server function (BSF) resides in the user's home network. The BSF can obtain the user's GBA security vector from the HSS, performs mutual authentication with the UE using the Authentication and Key Agreement (AKA) protocol, and establishes a session key that will be used between the UE and the network application function (NAF); the BSF can pass this key and the user security settings to the NAF. After bootstrapping has completed, the UE and the NAF can run application-specific protocols in which message authentication is based on the session key generated during the mutual authentication between the UE and the BSF. Before the bootstrapping procedure there is no prior security association between the UE and the NAF. The NAF obtains from the BSF the shared key agreed between the UE and the BSF; the NAF should be able to locate the BSF of the user's home network and communicate with it securely. The NAF can also set the local validity of the shared key according to local policy, check the lifetime of the shared key, and take measures together with the UE to ensure that the key is refreshed in GBA. The HSS stores the user's security variables. The Subscriber Locator Function (SLF) is used to look up the user's HSS and is not a mandatory functional unit. The UE must support the GBA authentication function.
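The bootstrapping relationship described above, as an added Python example (not code from the patent): the UE and the BSF each derive the NAF-specific key from Ks, and the NAF fetches it by B-TID, refuses it once the key period has ended, and authenticates a request with it. The HMAC-SHA-256 input layout is the GBA_ME derivation of 3GPP TS 33.220, brought in as an assumption because the page does not spell it out; the class names, the HMAC tag used as message protection and every sample value are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


def kdf_param(value: bytes) -> bytes:
    """One KDF input: the value followed by its length as 2 big-endian bytes."""
    return value + len(value).to_bytes(2, "big")


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Ks_NAF = HMAC-SHA-256(Ks, 0x01 || "gba-me" || RAND || IMPI || NAF_ID).

    Layout assumed from 3GPP TS 33.220 (GBA_ME); the page only says both
    sides derive Ks_NAF from Ks "by using the same method".
    """
    s = (b"\x01" + kdf_param(b"gba-me") + kdf_param(rand)
         + kdf_param(impi.encode("utf-8")) + kdf_param(naf_id))
    return hmac.new(ks, s, hashlib.sha256).digest()


def tag_request(ks_naf: bytes, message: bytes) -> bytes:
    """UE side: authenticate a request under Ks_NAF (an HMAC tag is this
    example's stand-in for the message protection, which the page leaves open)."""
    return hmac.new(ks_naf, message, hashlib.sha256).digest()


@dataclass
class BootstrapSession:
    ks: bytes        # session key agreed during AKA
    rand: bytes      # AKA challenge of that run
    impi: str        # subscriber's private identity
    expires_at: int  # end of the key period, in seconds


class BootstrapServer:
    """BSF role: remembers Ks per B-TID and answers NAF key requests."""

    def __init__(self):
        self._sessions = {}

    def register(self, b_tid: str, session: BootstrapSession) -> None:
        self._sessions[b_tid] = session

    def key_for_naf(self, b_tid: str, naf_id: bytes, now: int):
        session = self._sessions.get(b_tid)
        if session is None:
            raise KeyError("unknown B-TID")
        if now >= session.expires_at:
            # Drop the stale session so the B-TID cannot be reused later.
            del self._sessions[b_tid]
            raise PermissionError("key period expired, UE must re-run AKA")
        key = derive_ks_naf(session.ks, session.rand, session.impi, naf_id)
        return key, session.expires_at


class ProSeServer:
    """NAF role: has no key of its own and asks the BSF for each B-TID."""

    def __init__(self, naf_id: bytes, bsf: BootstrapServer):
        self.naf_id = naf_id
        self.bsf = bsf

    def authenticate(self, b_tid: str, message: bytes, tag: bytes, now: int) -> bool:
        try:
            ks_naf, _expires_at = self.bsf.key_for_naf(b_tid, self.naf_id, now)
        except (KeyError, PermissionError):
            return False  # fail closed on unknown or expired bootstrapping
        expected = hmac.new(ks_naf, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


# Constructed sample values (not taken from the page or from any network).
KS = bytes(range(32))
RAND = bytes(range(16))
IMPI = "a-ue@example.org"
B_TID = "constructed-btid@bsf.example.org"
NAF_ID = b"prose.example.org" + b"\x01\x00\x00\x00\x02"
REQUEST = b"discovery-type=announce;app-type=constructed"

if __name__ == "__main__":
    bsf = BootstrapServer()
    bsf.register(B_TID, BootstrapSession(KS, RAND, IMPI, expires_at=2000))
    server = ProSeServer(NAF_ID, bsf)
    tag = tag_request(derive_ks_naf(KS, RAND, IMPI, NAF_ID), REQUEST)
    print("inside key period:", server.authenticate(B_TID, REQUEST, tag, now=1000))
    print("after key period: ", server.authenticate(B_TID, REQUEST, tag, now=2000))
```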
FIG. 3 is a schematic flowchart of a prior-art method for implementing the restricted discovery service. As shown in FIG. 3, the method includes:
Step S300: The A-UE obtains configuration parameters from the ProSe server and obtains the restricted discovery service permission; the configuration parameters include the restricted service ProSe application identifier;
Step S301: After the A-UE has established a secure connection with the ProSe functional entity under the HPLMN, the A-UE sends a discovery service request message to the ProSe functional entity under the HPLMN. The message contains the restricted service ProSe application identifier, the discovery service type and the user identifier; the discovery service type is the broadcast service (Announce);
Step S302: If the ProSe functional entity has no associated UE context, the ProSe functional entity performs discovery service authentication and authorization with the HSS and establishes a new UE context, which contains the UE's subscription parameters. If the discovery request is authenticated, the ProSe functional entity sends a broadcast authentication request to the ProSe functional entity of the VPLMN. The message carries the restricted service ProSe application identifier, the user identifier, and the discovery service code allocated by the ProSe functional entity under the A-UE's HPLMN; the ProSe service code is the A-UE's broadcast code;
Step S303: After the ProSe functional entity of the A-UE's VPLMN has authenticated the broadcast request, it returns a broadcast authentication request response message to the ProSe functional entity under the A-UE's HPLMN;
Step S304: The ProSe functional entity of the HPLMN returns a discovery service request response message to the A-UE. The message carries the discovery service code, the discovery key, the current time and the maximum duration.
Here, the ProSe service code is the broadcast service code that the ProSe functional entity of the A-UE's HPLMN allocates to the A-UE, and the discovery key is 128 bits in total. The current time is Greenwich Mean Time, that is, the world unified clock; the A-UE sets its ProSe time according to the current time, that is, synchronizes its time with the network. The maximum duration together with the current time forms the discovery time slot of this discovery, that is, the lifetime of the discovery service code, which is invalid once the maximum duration is exceeded;
Step S305: The A-UE broadcasts over the air on the broadcast channel; the broadcast message carries the discovery service code;
Step S306: The M-UE obtains configuration parameters from the ProSe server and obtains the restricted discovery service permission; the configuration parameters include a list of restricted service ProSe application identifiers;
Step S307: When the M-UE is interested in monitoring at least one restricted service ProSe application identifier, and after it has established a secure connection with the ProSe functional entity under the M-UE's HPLMN, the M-UE sends a discovery service request message to the ProSe functional entity under the HPLMN. The message contains the list of restricted service ProSe application identifiers, the discovery service type, which is the monitoring service (monitor), and the user identifier;
Step S308: If the ProSe functional entity under the M-UE's HPLMN has no associated UE context, the ProSe functional entity performs discovery service authentication and authorization with the HSS and establishes a new UE context, which contains the UE's subscription parameters. If the discovery request is authenticated, the ProSe functional entity under the M-UE's HPLMN sends a monitoring authentication request to the ProSe functional entities of other PLMNs; the message carries the list of restricted service ProSe application identifiers and the user identifier;
Here, the ProSe functional entities of the other PLMNs also include the ProSe functional entity under the HPLMN corresponding to the A-UE, so the list of restricted service ProSe application identifiers also contains at least one restricted service ProSe application identifier of the A-UE;
Step S309: The ProSe functional entity of the other PLMN obtains the authentication permission from the ProSe server;
Step S310: If the ProSe functional entity of the other PLMN holds the discovery service code corresponding to the restricted service ProSe application identifier, it authenticates the monitoring authentication request message and returns a monitoring authentication request response message to the ProSe functional entity under the M-UE's HPLMN. The message carries the mask corresponding to the discovery service code and the lifetime corresponding to the discovery service code, that is, the current time and maximum duration of the ProSe functional entity of the other PLMN;
Step S311: The ProSe functional entity of the M-UE's HPLMN forms the discovery template from the ProSe service code masks in the monitoring authentication request response message, and returns a discovery service request response message to the M-UE. The message carries the discovery template, the current time and the maximum duration;
Here, if the time of the ProSe functional entity of the M-UE's HPLMN is already synchronized with the time of the ProSe functional entities of the other PLMNs, the current time is the current time of the ProSe functional entity of the M-UE's HPLMN; otherwise it is the current time carried in the monitoring authentication request response. The maximum duration is the maximum duration carried in the monitoring authentication request response. The M-UE sets its ProSe clock according to the current time;
Step S312: The M-UE receives the A-UE's broadcast information, which includes the discovery service code;
Step S313: If the M-UE finds that the discovery service code broadcast by the A-UE is present in the discovery template, and the discovery service code is within the lifetime of the discovery template, it sends a match report message to the ProSe functional entity of the M-UE's HPLMN. The message carries the discovery service code and also the ProSe time of the UE;
Step S314: The ProSe functional entity of the M-UE's HPLMN forwards the match report message to the ProSe functional entity of the A-UE's HPLMN.
Step S315: The ProSe functional entity of the A-UE's HPLMN uses the parameters carried in the match report, namely the ProSe time and the discovery service code received from the broadcast, to check whether the discovery service code passes the integrity check; otherwise the check fails, meaning the M-UE's discovery service code is not intact;
Step S316: After the integrity check succeeds, the ProSe functional entity of the A-UE's HPLMN returns a match report response message to the ProSe functional entity of the M-UE's HPLMN;
Step S317: The ProSe functional entity of the M-UE's HPLMN returns the match report response message to the M-UE. The message carries the current time of the ProSe functional entity of the M-UE's HPLMN, and the M-UE sets its ProSe time. After the matching succeeds, the M-UE has discovered the A-UE.
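The check the M-UE makes in step S313 before it reports a match, as an added Python example (not code from the patent): a broadcast code counts only if it agrees with a template entry on the masked bits and the entry is still inside its lifetime, taken as current time plus maximum duration. The bitwise-AND reading of the mask, the 32-bit code width, the class and function names and the sample template are assumptions constructed for illustration.

```python
from dataclasses import dataclass

CODE_BITS = 32  # assumed width; the page does not state the code length


@dataclass(frozen=True)
class TemplateEntry:
    app_id: str        # restricted service ProSe application identifier
    code: int          # discovery service code the entry stands for
    mask: int          # bits of the code that must agree
    issued_at: int     # "current time" delivered with the template (seconds)
    max_duration: int  # "maximum duration" delivered with the template (seconds)

    def __post_init__(self):
        limit = 1 << CODE_BITS
        if not 0 <= self.code < limit:
            raise ValueError("code out of range")
        # An all-zero mask would accept every broadcast code, so reject it.
        if not 0 < self.mask < limit:
            raise ValueError("mask must select at least one bit")
        if self.max_duration <= 0:
            raise ValueError("max_duration must be positive")

    def valid_at(self, now: int) -> bool:
        """True while the entry is inside its lifetime."""
        return self.issued_at <= now < self.issued_at + self.max_duration

    def matches(self, received: int) -> bool:
        """Compare only the bits the mask selects."""
        return (received & self.mask) == (self.code & self.mask)


def match_broadcast(template, received: int, now: int):
    """Return the application identifiers whose unexpired entries match."""
    if not 0 <= received < (1 << CODE_BITS):
        return []  # malformed code on the air: ignore it rather than truncate
    return [e.app_id for e in template if e.valid_at(now) and e.matches(received)]


def prune(template, now: int):
    """Drop entries whose lifetime has ended so they can never match again."""
    return [e for e in template if now < e.issued_at + e.max_duration]


# Constructed discovery template: one exact entry, one prefix entry that
# expires sooner.
TEMPLATE = [
    TemplateEntry("app-exact", 0xA1B2C3D4, 0xFFFFFFFF, issued_at=1000, max_duration=600),
    TemplateEntry("app-prefix", 0xA1B20000, 0xFFFF0000, issued_at=1000, max_duration=60),
]

if __name__ == "__main__":
    for code, now in [(0xA1B2C3D4, 1030), (0xA1B2FFFF, 1030),
                      (0xA1B2C3D4, 1100), (0xA1B2C3D4, 1600)]:
        print(hex(code), now, match_broadcast(TEMPLATE, code, now))
```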
In the prior art, the restricted discovery service requires a service permission from the ProSe server. Both the M-UE's monitoring procedure and the A-UE's broadcast procedure therefore require the UE to obtain configuration information and permission from the ProSe server in advance, and the M-UE monitoring service must go to the ProSe server for permission a second time. This makes the implementation of the D2D discovery service cumbersome.
No effective solution has yet been proposed for the problem that, in the prior art, the restricted discovery service requires a service permission from the ProSe server and the implementation of the D2D discovery service is consequently cumbersome.
Summary of the invention
The main purpose of the present invention is to provide a broadcast method, a monitoring method, an apparatus and a system for the device-to-device restricted discovery service, so as to solve the problem that, in the prior art, the restricted discovery service requires a service permission from the ProSe server and the implementation of the D2D discovery service is consequently cumbersome.
To achieve the above purpose, the present invention provides a broadcast method for the device-to-device (D2D) restricted discovery service, including: a broadcasting terminal (A-UE) sends a service request message to a proximity-based service ProSe server; the A-UE receives the discovery service code that the ProSe server obtains after the service request message passes authentication; and the A-UE broadcasts the discovery service code.
According to another embodiment of the present invention, a monitoring method for the device-to-device (D2D) restricted discovery service is provided, including: a monitoring terminal (M-UE) sends a service request message to a proximity-based service ProSe server; the M-UE receives the discovery template, composed of the masks corresponding to discovery service codes, that the ProSe server obtains after the service request message passes authentication; and the M-UE monitors the broadcast channel according to the mask corresponding to the discovery service code in the discovery template.
According to another embodiment of the present invention, a broadcast apparatus for the device-to-device (D2D) restricted discovery service is also provided. The broadcast apparatus is located in a broadcasting terminal and includes: a first sending module, configured to send a service request message to a proximity-based service ProSe server; a first receiving module, configured to receive the discovery service code that the ProSe server obtains after the service request message passes authentication; and a broadcast module, configured to broadcast the discovery service code.
According to another embodiment of the present invention, a monitoring apparatus for the device-to-device (D2D) restricted discovery service is also provided. The apparatus is located in a monitoring terminal and includes: a second sending module, configured to send a service request message to a proximity-based service ProSe server; a second receiving module, configured to receive the discovery template, composed of the masks corresponding to discovery service codes, that the ProSe server obtains after the service request message passes authentication; and a monitoring module, configured to monitor the broadcast channel according to the mask corresponding to the discovery service code in the discovery template.
According to another embodiment of the present invention, a processing system for the device-to-device (D2D) restricted discovery service is also provided. The system includes a broadcasting terminal on the broadcasting terminal side, a monitoring terminal on the monitoring terminal side, and a proximity-based service ProSe server. The broadcasting terminal includes: a first sending module, configured to send a service request message to the ProSe server; a first receiving module, configured to receive the discovery service code that the ProSe server obtains after the service request message passes authentication; and a broadcast module, configured to broadcast the discovery service code.
The monitoring apparatus includes: a second sending module, configured to send a service request message to the ProSe server; a second receiving module, configured to receive the discovery template, composed of the masks corresponding to discovery service codes, that the ProSe server obtains after the service request message passes authentication; and a monitoring module, configured to monitor the broadcast channel according to the mask corresponding to the discovery service code in the discovery template. The service request message is encrypted.
With the present invention, the broadcasting terminal A-UE sends a service request message to the proximity-based service ProSe server; the A-UE receives the discovery service code that the ProSe server obtains after the service request message passes authentication; and the A-UE broadcasts the discovery service code. This solves the problem that, in the prior art, the restricted discovery service requires a service permission from the ProSe server and the implementation of the D2D discovery service is consequently cumbersome. The A-UE can obtain broadcast or authentication permission directly from the ProSe server without going through the ProSe functional entity, which simplifies the discovery service procedure.
Description of the drawings
The drawings described here provide a further understanding of the invention and form part of this application. The exemplary embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Figure 1 is a structural block diagram of the communication architecture of the D2D discovery service in the prior art;
Figure 2 is a structural block diagram of the general authentication mechanism in the prior art;
Figure 3 is a schematic flowchart of a prior-art method for implementing the restricted discovery service;
Figure 4 is a flowchart of a broadcast method for the device-to-device (D2D) restricted discovery service according to a preferred embodiment of the present invention;
Figure 5 shows the general authentication mechanism (GBA) authentication procedure according to an embodiment of the present invention;
Figure 6 is a schematic flowchart of a monitoring method for the device-to-device (D2D) restricted discovery service according to an embodiment of the present invention;
Figure 7 is a structural block diagram of a broadcast apparatus for the device-to-device (D2D) restricted discovery service according to an embodiment of the present invention;
Figure 8 is a structural block diagram of a monitoring apparatus for the device-to-device (D2D) restricted discovery service according to an embodiment of the present invention;
Figure 9 is a schematic flowchart of the A-UE broadcast procedure for the restricted discovery service according to a preferred embodiment of the present invention;
Figure 10 is a schematic flowchart of the M-UE monitoring method for the restricted discovery service according to a preferred embodiment of the present invention.
Detailed description
It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments may be combined with each other. The invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
The steps shown in the flowcharts of the drawings may be executed in a computer system, for example as a set of computer-executable instructions. Although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in a different order.
An embodiment of the present invention provides a broadcast method for the device-to-device (D2D) restricted discovery service. Figure 4 is a flowchart of this broadcast method according to a preferred embodiment of the present invention. As shown in Figure 4, the method includes:
Step S402: The broadcasting terminal A-UE sends a service request message to the proximity-based service ProSe server.
Step S404: The A-UE receives the discovery service code that the ProSe server obtains after the service request message passes authentication.
Step S406: The A-UE broadcasts the discovery service code.
In this embodiment, the broadcasting terminal A-UE sends a service request message to the proximity-based service ProSe server; the A-UE receives the discovery service code that the ProSe server obtains after the service request message passes authentication; and the A-UE broadcasts the discovery service code. This solves the problem that, in the prior art, the restricted discovery service requires a service permission from the ProSe server and the implementation of the D2D discovery service is consequently cumbersome. The A-UE can obtain broadcast or authentication permission directly from the ProSe server without going through the ProSe functional entity, which simplifies the discovery service procedure.
In this embodiment, when the A-UE receives the discovery service code that the ProSe server obtains after the service request message passes authentication, the A-UE may also receive the validity period of the discovery service code obtained by the ProSe server.
In this embodiment, the server sends information in response to the service request message; this information carries the restricted-service ProSe application identifier pre-subscribed by the A-UE.
It should be noted that the service request message in this embodiment is an encrypted service request message and carries, without limitation, the following information: the type of the restricted discovery service request and the service application type information. The type of the restricted discovery service request is broadcast, and the service application type information is the A-UE's restricted-service ProSe application identifier.
In this embodiment, when the A-UE sends the service request message to the ProSe server, the A-UE also sends the B-TID and the key period of the B-TID to the ProSe server.
In this embodiment, the ProSe server authenticates the service request message as follows: the ProSe server sends the B-TID and the ID of the service platform NAF to the ProSe function request entity of the A-UE's home domain; the ProSe server receives the service key sent by that entity, which obtains the service key from the B-TID and the ID of the service platform NAF; the ProSe server decrypts the service request message with the service key; and the ProSe server authenticates the decrypted restricted-service ProSe application identifier.
In this embodiment, the ProSe server obtains the discovery service code and its validity period as follows: after authenticating the service request message, the ProSe server sends a broadcast request message, carrying the restricted-service ProSe application identifier, to the ProSe functional entity of the A-UE's home domain; the ProSe server then receives a broadcast request response message in response to the broadcast request message. The response carries the discovery service code that the ProSe functional entity of the A-UE's home domain has allocated for the restricted-service ProSe application identifier, together with the validity period of the discovery service code.
In this embodiment, the A-UE receiving the discovery service code that the ProSe server obtains after the service request message passes authentication includes: the A-UE receives an encrypted service request response message sent by the ProSe server, where the service request response message carries the restricted-service ProSe application identifier, the discovery service code of that identifier, and the validity period of the discovery service code.
In this embodiment, before the A-UE sends the service request message to the ProSe server, the A-UE performs authentication and key agreement (AKA) authentication with the ProSe functional entity of the A-UE's home domain and obtains the B-TID and the key period of the B-TID.
Figure 5 shows the general authentication mechanism (GBA) authentication procedure according to an embodiment of the present invention, through which the AKA authentication of the A-UE is carried out. Steps 501-506 are the bootstrapping AKA authentication procedure, and steps 507-510 are the service authentication procedure. As shown in Figure 5, the procedure includes:
Step S501: The UE sends an initialization request to the BSF.
Step S502: The BSF retrieves the user's security configuration information and an authentication vector AV from the HSS (AV = RAND || AUTN || XRES || CK || IK);
where RAND is a random number and AUTN is the authentication token (Authentication Token, AUTN).
Step S503: encryption key CK, integrity protection key IK;
where, in a multi-HSS environment, the BSF queries the SLF to obtain the address of the HSS that stores the user's information.
Step S504: The BSF sends RAND and AUTN to the UE in a 401 message, stores (CK, IK, XRES), and requires the UE to authenticate the BSF.
The UE verifies AUTN with the authentication algorithm to confirm that the message comes from an authorised network, and computes CK, IK and RES (the authorisation result parameter), so that both the BSF and the UE hold the session keys IK and CK.
Step S505: The UE sends an authorisation request message carrying the authorisation result parameter RES to the BSF.
The BSF uses the stored (CK, IK, XRES) to verify that RES is correct. If it is, the BSF computes the root key Ks = CK || IK and generates the value of the B-TID.
Step S506: The BSF sends a 200 OK (success) message containing the B-TID to the UE to indicate that authentication succeeded. In the 200 OK message the BSF also provides the lifetime of Ks.
After receiving the 200 OK message, the UE likewise computes Ks = CK || IK. Ks is the GBA root key and is used to derive the service key for the application platform NAF.
Step S507: The UE and the BSF use Ks to derive the service key Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_ID), where KDF is the key generation algorithm, IMPI is the terminal's IMS identity and NAF_ID is the ID of the service platform NAF. The UE sends the B-TID (Bootstrapping Transaction Identifier) to the NAF and requests key negotiation with the NAF.
The message also contains the service message content, which is encrypted with the service key using an encryption algorithm.
Step S508: The NAF sends the B-TID and NAF_ID to the BSF to request the user's service key.
Step S509: The BSF derives Ks_NAF from Ks with the same method as the UE and sends Ks_NAF to the NAF over a secure channel, together with information such as the key lifetime of Ks_NAF.
With the Ks_NAF it obtains, the NAF can decrypt the content of the service message using the same algorithm as the UE.
Step S510: After storing Ks_NAF and the validity information, the NAF returns a 200 OK response to the UE. The UE and the NAF now share the key Ks_NAF, which can be used for authentication, message encryption and similar operations.
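The key flow of steps S505-S510, with the ProSe server in the NAF role as in the authentication paragraph earlier, is shown below as an added example that is not code from the patent. The KDF is assumed to be HMAC-SHA-256 over a tagged, length-suffixed parameter string in the style of the GBA key derivation in 3GPP TS 33.220; the page does not name the message cipher, so an encrypt-then-MAC stand-in built from the standard library is used, and the B-TID format, host names and application identifier are constructed.

```python
import hashlib
import hmac
import json
import os


def _p(value: bytes) -> bytes:
    """Encode one KDF input as value || 2-byte length (assumed encoding)."""
    return value + len(value).to_bytes(2, "big")


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Step S507: Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_ID)."""
    s = b"\x01" + _p(b"gba-me") + _p(rand) + _p(impi.encode()) + _p(naf_id)
    return hmac.new(ks, s, hashlib.sha256).digest()


def _subkeys(ks_naf: bytes):
    # Separate encryption and MAC keys derived from the shared service key.
    return (hmac.new(ks_naf, b"enc", hashlib.sha256).digest(),
            hmac.new(ks_naf, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(ks_naf: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the unspecified cipher: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(ks_naf)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(ks_naf: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or altered bytes fail here."""
    if len(blob) < 48:
        raise ValueError("service message too short")
    enc_key, mac_key = _subkeys(ks_naf)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("service message failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class BSF:
    """Holds Ks per B-TID (steps S505/S506) and serves Ks_NAF (S508/S509)."""

    def __init__(self):
        self._sessions = {}  # B-TID -> (Ks, RAND, IMPI, expiry time)

    def bootstrap(self, impi, ck, ik, rand, lifetime, now):
        b_tid = rand.hex() + "@bsf.example"  # constructed B-TID format
        self._sessions[b_tid] = (ck + ik, rand, impi, now + lifetime)  # Ks = CK || IK
        return b_tid

    def ks_naf_for(self, b_tid, naf_id, now):
        ks, rand, impi, expiry = self._sessions[b_tid]  # KeyError: unknown B-TID
        if now >= expiry:
            raise PermissionError("Ks lifetime expired, UE must bootstrap again")
        return derive_ks_naf(ks, rand, impi, naf_id)


class ProSeServer:
    """NAF role: fetch Ks_NAF by B-TID, decrypt, then check the application ID."""

    def __init__(self, naf_id, bsf, subscribed_app_ids):
        self.naf_id, self.bsf, self.subscribed = naf_id, bsf, set(subscribed_app_ids)

    def handle(self, b_tid, sealed, now):
        ks_naf = self.bsf.ks_naf_for(b_tid, self.naf_id, now)
        request = json.loads(unseal(ks_naf, sealed))
        if request["app_id"] not in self.subscribed:
            raise PermissionError("ProSe application identifier not authorised")
        return request


def _outcome(call):
    try:
        call()
        return "accepted"
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__


def demo():
    # Constructed AKA outputs; a real UE and HSS compute these from the USIM secret.
    ck, ik, rand = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
    impi, app = "a-ue@ims.example", "restricted-app-1"
    bsf = BSF()
    b_tid = bsf.bootstrap(impi, ck, ik, rand, lifetime=3600, now=0)
    server = ProSeServer(b"prose.example", bsf, {app})
    other = ProSeServer(b"other.example", bsf, {app})
    ue_key = derive_ks_naf(ck + ik, rand, impi, b"prose.example")  # UE side of S507
    sealed = seal(ue_key, json.dumps({"type": "announce", "app_id": app}).encode())
    altered = sealed[:20] + bytes([sealed[20] ^ 1]) + sealed[21:]
    return {
        "accepted": server.handle(b_tid, sealed, now=10),
        "other_naf": _outcome(lambda: other.handle(b_tid, sealed, now=10)),
        "altered": _outcome(lambda: server.handle(b_tid, altered, now=10)),
        "expired": _outcome(lambda: server.handle(b_tid, sealed, now=3600)),
    }
```

Because NAF_ID is an input to the derivation, a request sealed for one ProSe server cannot be opened with the key a different NAF would receive for the same B-TID, and the server-side lifetime check is what enforces the Ks lifetime announced in step S506.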
A preferred embodiment of the present invention also provides a monitoring method for the device-to-device (D2D) restricted discovery service. Figure 6 is a schematic flowchart of this monitoring method according to an embodiment of the present invention. The method includes:
Step S602: The monitoring terminal M-UE sends a service request message to the proximity-based service ProSe server.
Step S604: The M-UE receives the mask corresponding to the discovery service code that the ProSe server obtains after the service request message passes authentication.
Step S606: The M-UE monitors the broadcast channel according to the mask corresponding to the discovery service code.
In this embodiment, when the M-UE receives the discovery service code that the ProSe server obtains after the service request message passes authentication, the method further includes: the M-UE receives the validity period of the discovery service code obtained by the ProSe server.
In this embodiment, the service request message is an encrypted service request message and carries the following information: the type of the restricted discovery service request and the service application type information.
In this embodiment, the type of the restricted discovery service request is monitoring, and the service application type information is the M-UE's restricted-service ProSe application identifier.
In this embodiment, when the A-UE sends the service request message to the ProSe server, the method further includes: the M-UE sends the B-TID and the key period of the B-TID to the ProSe server.
In this embodiment, the ProSe server authenticates the service request message as follows: the ProSe server sends the B-TID and the ID of the service platform NAF to the ProSe function request entity of the M-UE's home domain; the ProSe server receives the service key sent by that entity, which obtains the service key from the B-TID and the ID of the service platform NAF; the ProSe server decrypts the service request message with the service key; and the ProSe server authenticates the decrypted restricted-service ProSe application identifier.
In this embodiment, the ProSe server obtains the discovery service code and its validity period as follows: after authenticating the service request message, the ProSe server sends a monitoring authentication request message, carrying the restricted-service ProSe application identifier, to the ProSe functional entity of the M-UE's home domain; the ProSe server then receives a broadcast request response message in response to the broadcast request message. The response carries the mask corresponding to the discovery service code that the ProSe functional entity of the M-UE's home domain has allocated for the restricted-service ProSe application identifier, together with the validity period of the mask.
In this embodiment, the M-UE receiving the mask corresponding to the discovery service code that the ProSe server obtains after the service request message passes authentication includes: the M-UE receives an encrypted service request response message sent by the ProSe server, where the service request response message carries the restricted-service ProSe application identifier, the mask corresponding to the discovery service code of that identifier, and the validity period of the mask.
In this embodiment, before the M-UE sends the service request message to the ProSe server, the M-UE performs authentication and key agreement (AKA) authentication with the ProSe functional entity of the M-UE's home domain and obtains the B-TID and the key period of the B-TID.
An embodiment of the present invention also provides a broadcast apparatus for the device-to-device (D2D) restricted discovery service. Figure 7 is a structural block diagram of this broadcast apparatus according to an embodiment of the present invention. The broadcast apparatus is located in a broadcasting terminal. As shown in Figure 7, the apparatus includes: a first sending module 72, configured to send a service request message to the proximity-based service ProSe server; a first receiving module 74, coupled to the first sending module 72 and configured to receive the discovery service code that the ProSe server obtains after the service request message passes authentication; and a broadcast module 76, coupled to the first receiving module 74 and used to broadcast the discovery service code.
In this embodiment, the service request message is an encrypted service request message.
In this embodiment, the first receiving module is further configured to receive the encrypted service request response message sent by the ProSe server, where the service request response message carries the restricted-service ProSe application identifier, the discovery service code of that identifier, and the validity period of the discovery service code.
An embodiment of the present invention also provides a monitoring apparatus for the device-to-device (D2D) restricted discovery service. Figure 8 is a structural block diagram of this monitoring apparatus according to an embodiment of the present invention. The monitoring apparatus is located in a monitoring terminal. As shown in Figure 8, the apparatus includes: a second sending module 82, configured to send a service request message to the proximity-based service ProSe server; a second receiving module 84, coupled to the second sending module 82 and configured to receive the discovery template, composed of the masks corresponding to discovery service codes, that the ProSe server obtains after the service request message passes authentication; and a monitoring module 86, coupled to the second receiving module 84 and configured to monitor the broadcast channel according to the discovery template composed of the masks corresponding to discovery service codes.
In this embodiment, the service request message is an encrypted service request message.
In this embodiment, the second receiving module is further configured to receive the encrypted service request response message sent by the ProSe server, where the service request response message carries the restricted-service ProSe application identifier, the discovery template composed of the masks corresponding to the discovery service code of that identifier, and the validity period of the mask.
The modules and units involved in the embodiments of the present invention may be implemented in software or in hardware. The modules and units described in this embodiment may also be placed in a processor; for example, it may be described as: a processor includes a second sending module and a second receiving module. The names of these modules do not, in some cases, limit the modules themselves; for example, the second sending module may also be described as "configured to send a service request message to the proximity-based service ProSe server".
The present invention also provides a processing system for the device-to-device (D2D) restricted discovery service. The system includes a broadcasting terminal on the broadcasting terminal side, a monitoring terminal on the monitoring terminal side, and a ProSe server.
The broadcasting terminal includes: a first sending module 72, configured to send a service request message to the proximity-based service ProSe server; a first receiving module 74, coupled to the first sending module 72 and configured to receive the discovery service code that the ProSe server obtains after the service request message passes authentication; and a broadcast module 76, coupled to the first receiving module 74 and configured to broadcast the discovery service code.
The monitoring apparatus includes: a second sending module 82, configured to send a service request message to the proximity-based service ProSe server; a second receiving module 84, coupled to the second sending module 82 and configured to receive the mask corresponding to the discovery service code that the ProSe server obtains after the service request message passes authentication; and a monitoring module 86, coupled to the second receiving module 84 and configured to monitor the broadcast channel according to the mask corresponding to the discovery service code.
It should be noted that the service request message in this system is encrypted.
下面结合本发明优选实施例对本发明进行详细的说明; The invention will now be described in detail in conjunction with the preferred embodiments of the invention;
本发明优选实施例提供一种广播终端A-UE,该A-UE向ProSe服务器发起发现请求,ProSe服务器向ProSe功能实体获取共享密钥,ProSe服务器认证发现请求,向ProSe功能实体获取发现业务码,然后通过加密方式发送给A-UE。A preferred embodiment of the present invention provides a broadcast terminal A-UE, which initiates a discovery request to a ProSe server, the ProSe server acquires a shared key from the ProSe functional entity, and the ProSe server authenticates the discovery request, and acquires the discovery service code from the ProSe functional entity. And then sent to the A-UE by encryption.
本发明优选实施例还提供一种监听终端M-UE,M-UE向ProSe服务器发起发现请求,ProSe服务器向ProSe功能实体获取共享密钥,ProSe服务器认证发现请求,向ProSe功能实体获取发现业务码模板,然后通过加密方式发送给M-UE。The preferred embodiment of the present invention further provides a listening terminal M-UE. The M-UE initiates a discovery request to the ProSe server, the ProSe server acquires a shared key from the ProSe functional entity, and the ProSe server authenticates the discovery request, and acquires the discovery service code from the ProSe functional entity. The template is then sent to the M-UE by encryption.
下面结合广播终端A-UE和监听终端M-UE对本发明优选实施例的D2D限制发现业务流程进行说明。The D2D restriction discovery service flow of the preferred embodiment of the present invention will be described below in conjunction with the broadcast terminal A-UE and the interception terminal M-UE.
In the broadcast procedure of the restricted discovery service A-UE in the preferred embodiment, the main inventive idea is as follows: the A-UE initiates a discovery request to the ProSe server; the ProSe server obtains a shared key from the ProSe function entity, authenticates the discovery request, obtains a discovery service code from the ProSe function entity, and then sends it to the A-UE in encrypted form. FIG. 9 is a schematic flowchart of the broadcast procedure of the restricted discovery service A-UE according to the preferred embodiment. As shown in FIG. 9, the method includes:
Step S901: The A-UE and the ProSe function entity of the A-UE's home domain perform the AKA authentication of steps 501-506 in FIG. 5, and the A-UE obtains the B-TID and the key period;
Step S902: The A-UE initiates a service request to the ProSe server. The service request carries the B-TID and an encrypted service request message. The encrypted message includes a restricted discovery request, which carries the discovery type "announce" (broadcast) and either a service application type or a restricted-service ProSe application identifier already present in the A-UE. The restricted-service ProSe application identifier is either pre-subscribed by the A-UE or obtained through step 306;
Step S903: The ProSe server sends the B-TID and NAF_ID to the ProSe function of the A-UE's home domain to request the user's service key;
Step S904: The ProSe function entity of the A-UE's home domain derives Ks_NAF from Ks using the same method as the A-UE and sends Ks_NAF to the ProSe server over a secure channel, together with information such as the key lifetime of Ks_NAF;
Step S905: The ProSe server uses the obtained Ks_NAF to decrypt the service request message and authenticates the service request and the restricted-service ProSe application identifier, or allocates a restricted-service ProSe application identifier according to the service application type. It then sends a broadcast request message to the ProSe function entity of the A-UE's home domain; the broadcast request message carries the restricted-service ProSe application identifier;
Step S906: The ProSe function entity of the A-UE's home domain allocates a discovery service code and a corresponding validity period for the restricted-service ProSe application identifier, and returns a broadcast request response message to the ProSe server; the message carries the discovery service code and the corresponding validity period;
Step S907: The ProSe server returns a service request response message to the A-UE. The message carries an encrypted service response message, which carries the restricted-service ProSe application identifier, the discovery service code, and the corresponding validity period;
Step S908: The A-UE decrypts the response message, stores the restricted-service ProSe application identifier, the discovery service code, and the corresponding validity period, allocates radio resources, and broadcasts the discovery service code on the broadcast channel so that M-UEs can discover it.
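The key handling in steps S903-S905 (and the identical steps S1003-S1005 of the monitoring procedure), as an added example that is not part of the patent text. It assumes the derivation follows the GBA key derivation function of 3GPP TS 33.220 (HMAC-SHA-256 over a length-encoded parameter string), and because the page names no cipher, an HMAC tag keyed with Ks_NAF stands in for the encrypted request body; all class, function and sample names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass


def kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (each Li is a 2-byte length)."""
    s = b"\x01"  # FC octet; assumed to be the GBA value from TS 33.220
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Run with the same inputs by the UE and by its home-domain ProSe function."""
    return kdf(ks, b"gba-me", rand, impi.encode(), naf_id)


@dataclass
class Bootstrap:
    ks: bytes
    rand: bytes
    impi: str
    expires_at: int  # end of the key period agreed during AKA (S901)


class ProSeFunction:
    """Home-domain ProSe function: keeps Ks, releases only NAF-specific keys."""

    def __init__(self):
        self._sessions = {}

    def bootstrap(self, b_tid, ks, rand, impi, now, key_period):
        self._sessions[b_tid] = Bootstrap(ks, rand, impi, now + key_period)

    def service_key(self, b_tid, naf_id, now):
        """S903/S904: look up Ks by B-TID and return (Ks_NAF, expiry)."""
        session = self._sessions.get(b_tid)
        if session is None:
            raise LookupError("unknown B-TID")
        if now >= session.expires_at:
            del self._sessions[b_tid]
            raise LookupError("key period expired, UE must re-run AKA")
        ks_naf = derive_ks_naf(session.ks, session.rand, session.impi, naf_id)
        return ks_naf, session.expires_at


class ProSeServer:
    """Acts as the NAF: never sees Ks, only the key bound to its own NAF_ID."""

    def __init__(self, naf_id, home_function):
        self.naf_id = naf_id
        self.home_function = home_function

    def authenticate(self, b_tid, body, tag, now):
        """S905 stand-in: accept the request only if it was keyed with Ks_NAF."""
        try:
            ks_naf, _ = self.home_function.service_key(b_tid, self.naf_id, now)
        except LookupError:
            return False
        expected = hmac.new(ks_naf, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def ue_request(ks, rand, impi, naf_id, body):
    """S902 stand-in: the UE protects its request with its own copy of Ks_NAF."""
    ks_naf = derive_ks_naf(ks, rand, impi, naf_id)
    return body, hmac.new(ks_naf, body, hashlib.sha256).digest()


# Constructed sample values, not taken from the page.
KS = bytes(range(32))
RAND = bytes(range(16))
IMPI = "a-ue@home.example"
B_TID = "constructed-b-tid@prose-function.home.example"
PROTO_ID = b"\x01\x00\x00\x00\x00"  # constructed 5-octet protocol identifier
NAF_ID = b"prose-server.example" + PROTO_ID

if __name__ == "__main__":
    function = ProSeFunction()
    function.bootstrap(B_TID, KS, RAND, IMPI, now=1000, key_period=3600)
    server = ProSeServer(NAF_ID, function)
    body, tag = ue_request(KS, RAND, IMPI, NAF_ID, b'{"discovery_type":"announce"}')
    print("accepted inside key period:", server.authenticate(B_TID, body, tag, now=1500))
    print("accepted after key period: ", server.authenticate(B_TID, body, tag, now=4600))
```

Because NAF_ID is an input to the derivation, a key released to one ProSe server is useless at another, and the server has to enforce the key lifetime that accompanies Ks_NAF.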
The core idea of the monitoring procedure of the restricted discovery service M-UE is as follows: the M-UE initiates a discovery request to the ProSe server; the ProSe server obtains a shared key from the ProSe function entity, authenticates the discovery request, obtains a discovery service code template from the ProSe function entity, and then sends it to the M-UE in encrypted form. FIG. 10 is a schematic flowchart of the monitoring method of the restricted discovery service M-UE according to the preferred embodiment. As shown in FIG. 10, the method includes:
Step S1001: The M-UE and the ProSe function entity of the M-UE's home domain perform the AKA authentication of steps 101-106 in FIG. 3, and the M-UE obtains the B-TID and the key period;
Step S1002: The M-UE initiates a service request to the ProSe server. The service request carries the B-TID and an encrypted service request message. The encrypted message includes a restricted discovery request, which carries the discovery type "monitor" and either a service application type or a restricted-service ProSe application identifier already present in the M-UE. The restricted-service ProSe application identifier is either pre-subscribed by the M-UE or obtained through step 408;
Step S1003: The ProSe server sends the B-TID and NAF_ID to the ProSe function of the M-UE's home domain to request the user's service key;
Step S1004: The ProSe function entity of the M-UE's home domain derives Ks_NAF from Ks using the same method as the M-UE and sends Ks_NAF to the ProSe server over a secure channel, together with information such as the key lifetime of Ks_NAF;
Step S1005: The ProSe server uses the obtained Ks_NAF to decrypt the service request message and authenticates the service request and the restricted-service ProSe application identifier, or allocates a restricted-service ProSe application identifier or a list of restricted-service ProSe application identifiers according to the service application type. It then sends a monitoring authentication request message to the ProSe function entity of the M-UE's home domain; the monitoring authentication request message carries the restricted-service ProSe application identifier or the list of restricted-service ProSe application identifiers;
Step S1006: The ProSe function entity of the M-UE's home domain sends a monitoring request to the ProSe function entities of other PLMNs; the message carries the restricted-service ProSe application identifier or the list of restricted-service ProSe application identifiers. The ProSe function entities of the other PLMNs include the ProSe function entity of the HPLMN corresponding to the A-UE, so the list of restricted-service ProSe application identifiers contains at least one restricted-service ProSe application identifier of the A-UE;
Step S1007: If a ProSe function entity of another PLMN holds the discovery service code corresponding to the restricted-service ProSe application identifier, it authenticates the monitoring request message and returns a monitoring request response message to the ProSe function entity of the M-UE's HPLMN. The message carries the mask corresponding to the discovery service code and the validity period, that is, the current time of the other PLMN's ProSe function entity and the maximum duration;
Step S1008: The ProSe function entity of the M-UE's HPLMN uses the masks in the monitoring request response message to form ProSe service codes and compose the discovery template, and returns a monitoring authentication request response message to the ProSe server. The message carries the mask corresponding to the discovery service code and the validity period, that is, the current time of the other PLMN's ProSe function entity and the maximum duration;
Step S1009: The ProSe server returns a service request response message to the M-UE. The message carries an encrypted service response message, which carries the restricted-service ProSe application identifier, the mask corresponding to the discovery service code, and the validity period, that is, the current time of the other PLMN's ProSe function entity and the maximum duration;
Step S1010: The M-UE decrypts the response message, stores the restricted-service ProSe application identifier, the mask corresponding to the discovery service code, and the validity period, allocates radio resources, and listens for A-UE broadcasts on the broadcast channel. When the M-UE receives a broadcast discovery service code, it initiates the matching procedure; once the match succeeds, the A-UE is discovered.
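The matching performed by the M-UE in step S1010, as an added example that is not part of the patent text. The template layout (an expected code value plus a mask per application identifier), the 32-bit code width and every name and sample value are assumptions made for illustration; the validity check uses the issuer's current time and maximum duration as described in steps S1007-S1009.

```python
from dataclasses import dataclass

CODE_BITS = 32  # constructed width; the page does not state the code length


@dataclass(frozen=True)
class Filter:
    app_id: str  # restricted-service ProSe application identifier
    code: int    # expected code value (assumed to travel with the mask)
    mask: int    # bits of a broadcast code that must agree with `code`

    def __post_init__(self):
        limit = 1 << CODE_BITS
        # An all-zero mask would match every broadcast, so refuse it outright.
        if not 0 < self.mask < limit or not 0 <= self.code < limit:
            raise ValueError("mask must select at least one bit within the code width")

    def matches(self, broadcast_code: int) -> bool:
        return (broadcast_code & self.mask) == (self.code & self.mask)


@dataclass(frozen=True)
class DiscoveryTemplate:
    filters: tuple
    issuer_time: int   # current time of the issuing ProSe function entity
    max_duration: int  # maximum duration, counted from issuer_time
    received_at: int   # M-UE local clock when the template was stored

    def valid(self, local_now: int) -> bool:
        # Convert the local clock to the issuer's clock so that a skewed
        # terminal clock neither shortens nor extends the validity period.
        issuer_now = local_now + (self.issuer_time - self.received_at)
        return self.issuer_time <= issuer_now < self.issuer_time + self.max_duration


def monitor(template: DiscoveryTemplate, broadcasts, local_now: int):
    """Return (app_id, code) for every received code that matches a filter."""
    if not template.valid(local_now):
        return []  # expired template: the M-UE must request a new one
    hits = []
    for code in broadcasts:
        if not 0 <= code < (1 << CODE_BITS):
            continue  # malformed code, ignore
        for flt in template.filters:
            if flt.matches(code):
                hits.append((flt.app_id, code))
    return hits


# Constructed sample data, not taken from the page.
SAMPLE_FILTER = Filter("constructed.restricted.app", 0xA1B20000, 0xFFFF0000)
SAMPLE_TEMPLATE = DiscoveryTemplate(
    (SAMPLE_FILTER,), issuer_time=50_000, max_duration=600, received_at=10_000
)
SAMPLE_BROADCASTS = [0xA1B20007, 0xA1B30007, 0xA1B2FFFF]

if __name__ == "__main__":
    for app_id, code in monitor(SAMPLE_TEMPLATE, SAMPLE_BROADCASTS, local_now=10_100):
        print(f"discovered {app_id} via code {code:#010x}")
```

The mask decides how much of the code the M-UE is entitled to recognise: a wide mask pins one announcer, a narrow one admits a whole group, which is why an empty mask is rejected.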
With the preferred embodiment of the present invention, the communication between the UE and the ProSe server is assured, and the UE can obtain broadcast or authentication permission directly from the ProSe server without going through the ProSe function entity, which saves messages.
The above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and changes to the present invention. Any modification, equivalent substitution, improvement, or the like made within the spirit and principles of the present invention shall fall within its scope of protection.
Industrial Applicability
Based on the above technical solution provided by the embodiments of the present invention, the broadcast terminal A-UE sends a service request message to the proximity-based service (ProSe) server; the A-UE receives the discovery service code obtained by the ProSe server after it successfully authenticates the service request message; and the A-UE broadcasts the discovery service code. This solves the problem in the prior art that the restricted discovery service must require the service permission of the ProSe server, which makes the D2D discovery service cumbersome to implement. The A-UE can thus obtain broadcast or authentication permission directly from the ProSe server without going through the ProSe function entity, which simplifies the steps of the discovery service procedure.

Claims (26)

  1. A broadcast method for a device-to-device (D2D) restricted discovery service, comprising:
    a broadcast terminal A-UE sending a service request message to a proximity-based service (ProSe) server;
    the A-UE receiving a discovery service code obtained by the ProSe server after the ProSe server successfully authenticates the service request message;
    the A-UE broadcasting the discovery service code.
  2. The method according to claim 1, wherein, when the A-UE receives the discovery service code obtained by the ProSe server after successful authentication of the service request message, the method further comprises:
    the A-UE receiving the validity period of the discovery service code obtained by the ProSe server.
  3. The method according to claim 1, wherein the server sends information in response to the service request information, the information carrying the restricted-service ProSe application identifier pre-subscribed by the A-UE.
  4. The method according to claim 1, wherein the service request message is encrypted service request information, and the service request message carries the following information: the type of the restricted discovery service request and service application type information.
  5. The method according to claim 4, wherein the type of the restricted discovery service request is broadcast, and the service application type information is the restricted-service ProSe application identifier of the A-UE.
  6. The method according to claim 5, wherein, when the A-UE sends the service request message to the ProSe server, the method further comprises:
    the A-UE sending to the ProSe server a B-TID and the key period of the bootstrapping transaction identifier B-TID.
  7. The method according to claim 6, wherein the ProSe server authenticates the service request message in the following manner:
    the ProSe server sends the B-TID and the ID of the service platform NAF to the A-UE home domain ProSe function requesting entity;
    the ProSe server receives the service key sent by the A-UE home domain ProSe function requesting entity, wherein the A-UE home domain ProSe function requesting entity obtains the service key according to the B-TID and the ID of the service platform NAF;
    the ProSe server decrypts the service request message according to the service key;
    the ProSe server authenticates the decrypted restricted-service ProSe application identifier.
  8. The method according to claim 7, wherein the ProSe server obtains the discovery service code and the validity period of the discovery service code in the following manner:
    after the ProSe server authenticates the service request message, the ProSe server sends a broadcast request message to the A-UE home domain ProSe function entity, wherein the broadcast request message carries the restricted-service ProSe application identifier;
    the ProSe server receives a broadcast request response message in response to the broadcast request message, the broadcast request response message carrying the discovery service code allocated by the A-UE home domain ProSe function entity for the restricted-service ProSe application identifier, and the validity period of the discovery service code.
  9. The method according to claim 8, wherein the A-UE receiving the discovery service code obtained by the ProSe server after successful authentication of the service request message comprises:
    the A-UE receiving an encrypted service request response message sent by the ProSe server, wherein the service request response message carries the restricted-service ProSe application identifier, the discovery service code of the restricted-service ProSe application identifier, and the validity period of the discovery service code.
  10. The method according to claim 6, wherein, before the A-UE sends the service request message to the ProSe server, the method comprises:
    the A-UE obtaining the B-TID and the key period of the B-TID by performing authentication and key agreement (AKA) authentication with the A-UE home domain ProSe function entity.
  11. A monitoring method for a device-to-device (D2D) restricted discovery service, comprising:
    a monitoring terminal M-UE sending a service request message to a proximity-based service (ProSe) server;
    the M-UE receiving a discovery template, composed of the mask corresponding to a discovery service code, obtained by the ProSe server after the ProSe server successfully authenticates the service request message;
    the M-UE monitoring a broadcast channel according to the mask corresponding to the discovery service code in the discovery template.
  12. The method according to claim 11, wherein, when the M-UE receives the discovery service code obtained by the ProSe server after successful authentication of the service request message, the method further comprises:
    the M-UE receiving the validity period of the discovery service code obtained by the ProSe server.
  13. The method according to claim 12, wherein the service request message is encrypted service request information, and the service request message carries the following information: the type of the restricted discovery service request and service application type information.
  14. The method according to claim 13, wherein the type of the restricted discovery service request is monitoring, and the service application type information is the restricted-service ProSe application identifier of the M-UE.
  15. The method according to claim 14, wherein, when the A-UE sends the service request message to the ProSe server, the method further comprises:
    the M-UE sending to the ProSe server a B-TID and the key period of the B-TID.
  16. The method according to claim 15, wherein the ProSe server authenticates the service request message in the following manner:
    the ProSe server sends the B-TID and the ID of the service platform NAF to the M-UE home domain ProSe function requesting entity;
    the ProSe server receives the service key sent by the M-UE home domain ProSe function requesting entity, wherein the M-UE home domain ProSe function requesting entity obtains the service key according to the B-TID and the ID of the service platform NAF;
    the ProSe server decrypts the service request message according to the service key;
    the ProSe server authenticates the decrypted restricted-service ProSe application identifier.
  17. The method according to claim 16, wherein the ProSe server obtains the discovery service code and the validity period of the discovery service code in the following manner:
    after the ProSe server authenticates the service request message, the ProSe server sends a monitoring authentication request message to the M-UE home domain ProSe function entity, wherein the monitoring authentication request message carries the restricted-service ProSe application identifier;
    the ProSe server receives a broadcast request response message in response to the broadcast request message, the broadcast request response message carrying the mask corresponding to the discovery service code allocated by the M-UE home domain ProSe function entity for the restricted-service ProSe application identifier, and the validity period of the mask.
  18. The method according to claim 17, wherein the M-UE receiving the mask corresponding to the discovery service code obtained by the ProSe server after successful authentication of the service request message comprises:
    the M-UE receiving an encrypted service request response message sent by the ProSe server, wherein the service request response message carries the restricted-service ProSe application identifier, the mask corresponding to the discovery service code of the restricted-service ProSe application identifier, and the validity period of the mask.
  19. The method according to claim 15, wherein, before the M-UE sends the service request message to the ProSe server, the method comprises:
    the M-UE obtaining the B-TID and the key period of the B-TID by performing authentication and key agreement (AKA) authentication with the M-UE home domain ProSe function entity.
  20. A broadcast apparatus for a device-to-device (D2D) restricted discovery service, the broadcast apparatus being located in a broadcast terminal and comprising:
    a first sending module, configured to send a service request message to a proximity-based service (ProSe) server;
    a first receiving module, configured to receive a discovery service code obtained by the ProSe server after the ProSe server successfully authenticates the service request message;
    a broadcast module, configured to broadcast the discovery service code.
  21. The apparatus according to claim 20, wherein the service request message is an encrypted service request message.
  22. The apparatus according to claim 20, wherein the first receiving module is further configured to receive an encrypted service request response message sent by the ProSe server, wherein the service request response message carries the restricted-service ProSe application identifier, the discovery service code of the restricted-service ProSe application identifier, and the validity period of the discovery service code.
  23. A monitoring apparatus for a device-to-device (D2D) restricted discovery service, the apparatus being located in a monitoring terminal and comprising:
    a second sending module, configured to send a service request message to a proximity-based service (ProSe) server;
    a second receiving module, configured to receive a discovery template, composed of the mask corresponding to a discovery service code, obtained by the ProSe server after the ProSe server successfully authenticates the service request message;
    a monitoring module, configured to monitor a broadcast channel according to the mask corresponding to the discovery service code in the discovery template.
  24. The apparatus according to claim 23, wherein the service request message is an encrypted service request message.
  25. The apparatus according to claim 23, wherein the second receiving module is further configured to receive an encrypted service request response message sent by the ProSe server, wherein the service request response message carries the restricted-service ProSe application identifier, a discovery template composed of the mask corresponding to the discovery service code of the restricted-service ProSe application identifier, and the validity period of the mask.
  26. A processing system for a device-to-device (D2D) restricted discovery service, the system comprising a broadcast terminal located on the broadcast terminal side, a monitoring terminal located on the monitoring terminal side, and a proximity-based service (ProSe) server;
    the broadcast terminal comprises:
    a first sending module, configured to send a service request message to the ProSe server;
    a first receiving module, configured to receive a discovery service code obtained by the ProSe server after the ProSe server successfully authenticates the service request message;
    a broadcast module, configured to broadcast the discovery service code;
    the monitoring apparatus comprises:
    a second sending module, configured to send a service request message to the ProSe server;
    a second receiving module, configured to receive a discovery template, composed of the mask corresponding to the discovery service code, obtained by the ProSe server after the ProSe server successfully authenticates the service request message;
    a monitoring module, configured to monitor a broadcast channel according to the mask corresponding to the discovery service code in the discovery template;
    wherein the service request message is encrypted.
PCT/CN2015/074909 2014-10-20 2015-03-23 Method, device and system for broadcasting and monitoring device-to-device limiting discovery service WO2016062000A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410559781.8A CN105592433B (en) 2014-10-20 2014-10-20 method, device and system for broadcasting and monitoring device-to-device restriction discovery service
CN201410559781.8 2014-10-20

Publications (1)

Publication Number Publication Date
WO2016062000A1 true WO2016062000A1 (en) 2016-04-28

Family

ID=55760167

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/074909 WO2016062000A1 (en) 2014-10-20 2015-03-23 Method, device and system for broadcasting and monitoring device-to-device limiting discovery service

Country Status (2)

Country Link
CN (1) CN105592433B (en)
WO (1) WO2016062000A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019051776A1 (en) * 2017-09-15 2019-03-21 华为技术有限公司 Key transmission method and device
CN110366130B (en) * 2018-04-09 2021-01-29 华为技术有限公司 V2X service authorization method, device and equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103209412A (en) * 2012-01-17 2013-07-17 华为技术有限公司 Method, device and system for establishing device-to-device connection
US20140211705A1 (en) * 2013-01-28 2014-07-31 Electronics & Telecommunications Research Institute Method for device-to-device communication based on wireless local area network and apparatus for the same
CN104066070A (en) * 2013-03-20 2014-09-24 中兴通讯股份有限公司 Terminal registration method, terminal finding method, terminal and devices

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2663051A1 (en) * 2012-05-07 2013-11-13 Industrial Technology Research Institute Authentication system for device-to-device communication and authentication method therefore
CN103686676A (en) * 2012-08-31 2014-03-26 中兴通讯股份有限公司 Communication method and device of device-to-device communication system and system
US20140094212A1 (en) * 2012-09-28 2014-04-03 Electronics And Telecommunications Research Institute Method of device to device discovery and apparatus thereof
US9674649B2 (en) * 2013-01-14 2017-06-06 Qualcomm Incorporated Methods and apparatus for providing location information with private expressions

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ETRI.: "R2-132589: Discussion on Discovery for D2D Proximity Services", 3GPP TSG-RAN WG2 MEETING #83, 23 August 2013 (2013-08-23), XP050718249 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697945A (en) * 2022-04-02 2022-07-01 中国电信股份有限公司 Method and device for generating discovery response message and method for processing discovery message
CN114697945B (en) * 2022-04-02 2023-10-24 中国电信股份有限公司 Method and device for generating discovery response message and method for processing discovery message

Also Published As

Publication number Publication date
CN105592433B (en) 2019-12-17
CN105592433A (en) 2016-05-18

Similar Documents

Publication Publication Date Title
KR102398221B1 (en) Method and apparatus to identity verification using asymmetric keys in wireless direct communication network
US20220029975A1 (en) Authentication and authorization in proximity based service communication using a group key
JP5996784B2 (en) Secure communication for computing devices using proximity services
US10349271B2 (en) Methods and apparatus for direct communication key establishment
US9973925B2 (en) Method and apparatus for direct communication key establishment
KR102094216B1 (en) Security supporting method and system for proximity based service device to device discovery and communication in mobile telecommunication system environment
KR102100159B1 (en) Security supporting method and system for service discovery and group communication in mobile telecommunication system environment
US20170055149A1 (en) Method and Apparatus for Direct Communication Key Establishment
US10897707B2 (en) Methods and apparatus for direct communication key establishment
JP7470671B2 (en) NON-3GPP DEVICE ACCESS TO CORE NETWORK
JP2023162296A (en) Non-3GPP device access to core network
WO2023046457A1 (en) Restricting onboard traffic
CN116746182A (en) Secure communication method and apparatus
CN115989689A (en) User equipment authentication and authorization procedures for edge data networks
WO2016112674A1 (en) Communication method, terminal, system and computer storage medium
JP2024522056A (en) Method and apparatus for provisioning, authentication, authorization, and user equipment (UE) key generation and distribution in on-demand networks
WO2016062000A1 (en) Method, device and system for broadcasting and monitoring device-to-device limiting discovery service
KR102209289B1 (en) Security and information supporting method and system for proximity based service in mobile telecommunication system environment
WO2017009714A1 (en) Establishing a temporary subscription with isolated e-utran network
EP3454583B1 (en) Network connection method, and secure node determination method and device
WO2023159603A1 (en) Security implementation method and apparatus, terminal device, and network elements
WO2023055342A1 (en) Enabling distributed non-access stratum terminations
CN115843447A (en) Network authentication of user equipment access to edge data networks

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 15852491; Country of ref document: EP; Kind code of ref document: A1)

NENP Non-entry into the national phase (Ref country code: DE)

122 EP: PCT application non-entry in European phase (Ref document number: 15852491; Country of ref document: EP; Kind code of ref document: A1)