WO2016065985A1

WO2016065985A1 - Key issuing method, method for implementing authorization checking on ue, and related devices

Info

Publication number: WO2016065985A1
Application number: PCT/CN2015/088741
Authority: WO
Inventors: 张丽佳; 李志明; 曹龙雨
Original assignee: 华为技术有限公司
Priority date: 2014-10-31
Filing date: 2015-09-01
Publication date: 2016-05-06
Also published as: CN104348627B; CN104348627A

Abstract

Embodiments of the present invention provide a key issuing method, a method for implementing authorization checking on a UE, and related devices. The key issuing method comprises: generating a multimedia broadcast multicast service key (MSK); establishing or acquiring, from a broadcast multicast service center (BM-SC), a mapping between the MSK and a group identifier and/or a service identifier of each group communication service enabler (GCSE) group; and sending the generated MSK to a user equipment (UE) in the corresponding GCSE group according to the mapping between the MSK and the group identifier and/or the service identifier of each GCSE group. According to the embodiments of the present invention, in the precondition that the BM-SC is invisible to the GCSE group, it is ensured that the service authorization checking on the UE is realized by the BM-SC in a scenario where an MBMS security mechanism is completely reused, and the MSK can be issued by a GCS AS in a scenario where the MBMS security mechanism is partially reused, so that the communication security can be guaranteed by means of the MBMS security mechanism.

Description

Key issuing method, method for authorizing authentication of UE, and related device

This application claims priority to the Chinese Patent Application filed on October 31, 2014, the Chinese Patent Application No. 201410608570.9, the invention entitled "Key Issuance Method, Method for Authorizing Inspection of the UE and Related Equipment", which The entire contents are incorporated herein by reference.

Technical field

The embodiments of the present invention relate to the field of communications technologies, and in particular, to a method for issuing a key, a method for performing an authorization check on a UE, and related devices.

Background technique

The Multimedia Broadcast Multicast Service (MBMS) is a multimedia broadcast multicast function defined in The 3rd Generation Partnership Project (3GPP) R6.

MBMS supports two modes: multimedia broadcast service and multicast service. It can broadcast multimedia video information directly to all users or to a group of paid subscription users. It can help operators to carry out multimedia advertisements, free and paid TV channels. , MMS group and other commercial applications. Operators can launch mobile TV services at a lower network deployment cost.

The main changes to the existing communication network of MBMS are: increase the Broadcast Multicast Service Center (BM-SC), and upgrade the MBMS function of the existing packet switching (PS) domain related network elements to support MBMS-specific interface features (such as Gmb), unique channels, unique physical layer procedures, and unique business processes such as subscriptions.

BM-SC can provide and manage MBMS services. For the content provider, the BM-SC is the entry of the MBMS service content; for the bearer network, the BM-SC is responsible for authorizing, initiating the MBMS service, and scheduling and transmitting the MBMS service content. As the core functional entity of MBMS, BM-SC includes 5 parts of functions:

1) Membership function: Responsible for saving the subscription information of the user, authorizing the user equipment (User Equipment, UE) to join the MBMS service, and generating the charging record.

2) Session and transmission function: responsible for initiating and terminating the MBMS session, authorizing the external content provider, and receiving and transmitting the MBMS service data.

3) Proxy and forwarding function: On the control plane, BM-SC is a common grouping of internal functions and gateways. A proxy for signaling interaction between the Gateway General Packet Radio Service Support Node (GGSN) is a bridge between the session and the transmission function to transmit MBMS service data to the GGSN on the user plane.

4) Service declaration function: It is responsible for providing MBMS service information to the UE, including media description (such as video type, voice coding) and session description (such as service identification, address, and play time).

5) Security function: Provide integrity and privacy protection for MBMS service data, and provide keys to UEs that have been authorized by MBMS.

The BM-SC implements control of the MBMS service through two control plane interfaces (Gmb interface, Mz interface). The Gmb interface supports the signaling interaction between the GGSN and the BM-SC, which is the edge of the MBMS bearer service; the Mz interface supports signaling interaction between different BM-SCs, and provides the capability of roaming across the BM-SC for the MBMS service. . The signaling that is exchanged on the two interfaces includes: MBMS bearer related (eg, MBMS session start and stop) and MBMS user related (eg, authorization, MBMS service activation). In addition, the BM-SC transmits MBMS service data through the Gi interface.

The Group Communication Service Enabler over Long Term Evolution (GCSE_LTE) is a cluster communication based on the LTE network, and can be implemented by using a unicast bearer or a multicast bearer. The multicast bearer can be established through MBMS. At present, the SA2 determines that the Group Communication Service Enabler Application Server (GCS AS) performs Group Communication Service Enabler (GCSE) group management, and the group management is implemented by application layer signaling. In this case, when the multicast bearer is selected, the BM-SC is not visible to the GCSE group. The content transmitted in different GCSE groups may be different, and different service identifiers need to be assigned to different group communications (eg one police station staff member as a GCSE group, one fire brigade staff member as a GCSE group, police station and The fire brigade group communication content is different, and different service identifiers are required to implement multicast/multicast services within the group. The GCSE group members access the corresponding service identifiers to receive data.

That is, in the cluster communication based on the LTE network, the GCSE group management is performed by the GCS AS, and the BM-SC is invisible to the GCSE group. If the MBMS mechanism is completely reused (the BM-SC performs the entire process of providing the MBMS service), the BM-SC cannot perform the authorization check on the UE requesting the service; if the partial MBMS mechanism is reused (the BM-SC performs part of the process of providing the MBMS service, The GCS AS performs another part of the process of providing the MBMS service. The function of the BM-SC to deliver the MSK will be placed on the GCS AS. How the GCS AS implements the MSK is an urgent problem to be solved.

Summary of the invention

In view of this, the embodiment of the present invention provides a method for issuing a key, a method for performing an authorization check on a UE, and related devices, which can ensure complete reuse of the MBMS security mechanism on the premise that the BM-SC is invisible to the GCSE group. In the scenario, the BM-SC implements the service authorization check for the UE, and the GCS AS performs the MSK delivery in the scenario of partially reusing the MBMS security mechanism, so that the MBMS security mechanism can be used to ensure communication security.

In a first aspect, the group communication service application server GCS AS provided by the embodiment of the present invention includes:

An MSK generating unit, configured to generate a multimedia broadcast multicast service key MSK;

a processing unit, configured to establish or obtain, from the broadcast multicast service center BM-SC, a mapping relationship between the MSK and the group identifier and/or the service identifier of each group communication service GCSE group;

And a sending unit, configured to send the generated MSK to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

With reference to the first aspect, in a first implementation manner of the first aspect, the sending unit is further configured to: before the MSK generating unit generates an MSK, send a request message to the BM-SC, where the request message is And including the requested number of group identifiers and/or the number of groups and/or the number of requested services, where the request message is used to request the BM-SC to allocate a service identifier and/or a group identifier;

The GCS AS also includes:

a first receiving unit, configured to receive a response message sent by the BM-SC, where the response message includes a service identifier and/or a group identifier allocated by the BM-SC;

The sending unit is further configured to: after the processing unit establishes a mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group, send the MSK to the BM-SC.

With reference to the first aspect, in a second implementation manner of the first aspect, the sending unit is further configured to: after the MSK generating unit generates an MSK, send a request message to the BM-SC, where the request message is Include the number of the requested group identifiers and the MSK, the request message is used to request the BM-SC to allocate a group identifier and/or a service identifier, and establish a mapping relationship between each group identifier and/or each service identifier and each MSK;

The processing unit is configured to receive a response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and/or each service identifier and each MSK.

In conjunction with the first aspect, in a third implementation manner of the first aspect, the GCS AS further includes:

a mapping establishing unit, configured to establish an MSK and after the MSK generating unit generates the MSK Mapping relationship of group identifiers of each GCSE group;

The sending unit is further configured to send a request message to the BM-SC, where the request message includes a mapping relationship between each MSK and a group identifier of each GCSE group, where the request message is used to request the BM-SC allocation. The service identifier is used to establish a mapping relationship between each service identifier and each group identifier.

The processing unit is configured to receive a response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and each service identifier.

In conjunction with the first aspect, in a fourth implementation manner of the first aspect, the GCS AS further includes:

a second receiving unit, configured to receive a key request message sent by the BM-SC before the MSK generating unit generates an MSK, where the key request message includes a service identifier and a requested number of MSKs;

With reference to the first embodiment of the first aspect, or the second embodiment of the first aspect, or the third embodiment of the first aspect, or the fourth embodiment of the first aspect, in the first aspect In the fifth implementation manner, the MSK generating unit is further configured to generate an MSK identifier and a key validity period for each MSK;

The sending unit is further configured to: when the MSK is sent to the BM-SC, or after sending the MSK to the UE in the corresponding GCSE group, the MSK identifier and the key validity period of each MSK, and each MSK. The group identifier and/or service identifier of the corresponding GCSE group is sent to the UE in the BM-SC and the corresponding GCSE group.

With reference to the first embodiment of the first aspect, or the second embodiment of the first aspect, or the third embodiment of the first aspect, or the fourth embodiment of the first aspect, in the first aspect In the six implementation manners, the GCS AS further includes:

a third receiving unit, configured to: before the sending unit sends the generated MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group, receiving the BM-SC sending The MSK identifier and the key validity period of each MSK, and the MSK identifier and key validity period of each MSK are generated by the BM-SC;

The sending unit is further configured to: when the MSK is sent to the BM-SC, or after sending the MSK to the UE in the corresponding GCSE group, the group identifier and/or service of the GCSE group corresponding to each MSK. The identifier is sent to the BM-SC; the MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the corresponding UEs within the GCSE group.

With reference to the first aspect, or the first embodiment of the first aspect, or the second embodiment of the first aspect, or the third embodiment of the first aspect, or the fourth embodiment of the first aspect, In a seventh implementation manner of the first aspect, the GCS AS further includes:

a determining unit, configured to determine, according to a preset rule, whether the MSK needs to be updated;

The MSK generating unit is further configured to: when the determining result of the determining unit is yes, generate a new MSK;

The sending unit is further configured to send a first key update message to the BM-SC, and send a second key update message to the UE in the corresponding GCSE group, so that the BM-SC and the corresponding GCSE group The UE updates the key, and the new MSK is included in the first key update message and the second key update message.

With reference to the seventh implementation manner of the first aspect, in the eighth implementation manner of the first aspect, the preset rule includes the joining and/or leaving of the UE in the GCSE group, or the MSK to the validity period.

With reference to the seventh embodiment of the first aspect, in a ninth implementation manner of the first aspect, the MSK generating unit is further configured to: send, by the sending unit, a first key update message to the BM-SC Before generating the MSK identifier and the key validity period of the new MSK;

The first key update message and the second key update message further include: an MSK identifier of the new MSK and a key validity period, and a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK. .

With reference to the seventh embodiment of the first aspect, in a tenth implementation manner of the first aspect, the GCS AS further includes:

a fourth receiving unit, configured to receive an MSK identifier and a key validity period of the new MSK sent by the BM-SC before the sending unit sends the first key update message to the BM-SC;

The first key update message further includes: a group identifier and/or a service identifier of the GCSE corresponding to the new MSK; and the second key update message includes: the MSK identifier and the secret of the new MSK Key validity period, the group identifier and/or service identifier of the GCSE corresponding to the new MSK.

With reference to the first aspect, or the first embodiment of the first aspect, or the second embodiment of the first aspect, or the third embodiment of the first aspect, or the fourth embodiment of the first aspect, In an eleventh implementation manner of the first aspect, the GCS AS further includes:

a fifth receiving unit, configured to receive a key update trigger message sent by the BM-SC, where the secret is The key update trigger message includes a group identifier and/or a service identifier of the GCSE group and/or an MSK identifier of the MSK that needs to be updated;

The MSK generating unit is further configured to generate a new MSK;

The sending unit is further configured to send a third key update message to the BM-SC, and send a fourth key update message to the UE in the corresponding GCSE group, so that the BM-SC and the corresponding GCSE group The UE updates the key, and the third key update message and the fourth key update message include the new MSK.

With reference to the eleventh embodiment of the first aspect, in a twelfth implementation manner of the first aspect, the MSK generating unit is further configured to: send, by the sending unit, a third key to the BM-SC Before updating the message, generating an MSK identifier and a key validity period of the new MSK;

The third key update message and the fourth key update message further include: an MSK identifier of the new MSK and a key validity period, a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK .

With reference to the eleventh embodiment of the first aspect, in the thirteenth implementation manner of the first aspect, the GCS AS further includes:

a sixth receiving unit, configured to receive, after the sending unit sends a third key update message to the BM-SC, an MSK identifier and a key validity period of the new MSK sent by the BM-SC;

The third key update message further includes: a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK; and the fourth key update message further includes: the MSK identifier of the new MSK And a key validity period, a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK.

In a second aspect, the GCS AS provided by the embodiment of the present invention includes:

An obtaining unit, configured to acquire a multimedia broadcast multicast service key MSK from a broadcast multicast service center BM-SC;

a mapping establishing unit, configured to establish a mapping relationship between the MSK and the group identifier and/or the service identifier of each group communication service GCSE group;

With reference to the second aspect, in a first implementation manner of the second aspect, the sending unit is further configured to: before the acquiring unit acquires the MSK from the BM-SC, send a request message to the BM-SC, The request message includes the number of requested group identifiers and/or the number of groups and/or the number of requested services, The request message is used to request the BM-SC to allocate an MSK and a service identifier and/or a group identifier;

The acquiring unit is configured to receive a response message sent by the BM-SC, where the response message includes an MSK and a service identifier and/or a group identifier that are allocated by the BM-SC.

With reference to the first implementation manner of the second aspect, in the second implementation manner of the second aspect, the request message is further used to request the BM-SC to generate an MSK identifier and a key validity period for each MSK;

The response message further includes an MSK identifier and a key validity period of each MSK;

The sending unit is further configured to: when sending the MSK to the UE in the corresponding GCSE group, send the identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the corresponding UEs within the GCSE group.

In a third aspect, the broadcast multicast service center BM-SC provided by the embodiment of the present invention includes:

a list establishing unit, configured to establish, according to the authorized UE list establishment request sent by the group communication service application server GCS AS, an authorized UE list corresponding to the service identifier;

a receiving unit, configured to receive a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

An authorization checking unit, configured to check whether the identifier of the UE is in an authorized UE list corresponding to the service identifier of the service that the UE wants to activate, if yes, the authorization check for the UE is successful, if not, then The authorization check of the UE fails.

With reference to the third aspect, in a first implementation manner of the third aspect, the receiving unit is further configured to: before the list establishing unit establishes an authorized UE list corresponding to the service identifier, receive the request message sent by the GCS AS The request message includes the number of requested group identifiers and/or the number of groups and/or the number of requested services;

The BM-SC also includes:

a first generating unit, configured to generate a service identifier;

a sending unit, configured to send a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS allocates a service identifier to each group communication service GCSE group;

The GCS AS sends the authorized UE list establishment request according to the UE included in each GCSE group, where the authorized UE list establishment request includes the service identifier of the GCSE group and the identifier of the corresponding authorized UE.

With reference to the third aspect, in a second implementation manner of the third aspect, the receiving unit is further configured to: before the list establishing unit establishes an authorized UE list corresponding to the service identifier, receive the GCS a request message sent by the AS, where the request message includes a group identifier of a GCSE group;

The BM-SC also includes:

a second generating unit, configured to generate a service identifier and establish a mapping relationship between the group identifier and the service identifier;

The GCS AS sends the authorized UE list establishment request according to the UE included in each GCSE group, where the authorized UE list establishment request includes the group identifier of the GCSE group and the identifier of the corresponding authorized UE.

The list establishing unit is specifically configured to:

And determining, according to the mapping relationship, a service identifier corresponding to the group identifier included in the authorized UE list establishment request, and establishing an authorized UE list corresponding to the service identifier.

With the first implementation of the third aspect, in a third implementation manner of the third aspect, the receiving unit is further configured to receive an authorized UE list update request sent by the GCS AS, where the authorized UE list is updated. The request includes a service identifier, an identifier of the UE, a deletion, and/or an addition indication.

The BM-SC also includes:

And a first update unit, configured to update the corresponding authorized UE list according to the authorized UE list update request.

With the second implementation of the third aspect, in a fourth implementation manner of the third aspect, the receiving unit is further configured to receive an authorized UE list update request sent by the GCS AS, where the authorized UE list is updated. The request includes a group identifier and/or a service identifier, an identifier of the UE, a deletion, and/or an addition indication.

The BM-SC also includes:

And a second updating unit, configured to update the corresponding authorized UE list according to the authorized UE list update request.

In a fourth aspect, the BM-SC provided by the embodiment of the present invention includes:

a sending unit, configured to send an authorization check request to the group communication service application server GCS AS, to request the GCS AS to check whether the identifier of the UE is a group communication service GCSE group corresponding to a service identifier of a service that the UE wants to activate If yes, the authorization check for the UE is successful, and if not, the authorization check for the UE fails.

With reference to the fourth aspect, in a first implementation manner of the fourth aspect, the receiving unit is further configured to: Before receiving the service activation request sent by the UE, receiving a request message sent by the GCS AS, where the request message includes the requested number of group identifiers and/or the number of groups and/or the number of requested services;

The BM-SC also includes:

a first generating unit, configured to generate a service identifier;

The sending unit is further configured to send a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS assigns a service identifier to each GCSE group;

The authorization check request includes an identifier of the UE and a service identifier of a service that the UE wants to activate.

With reference to the fourth aspect, in a second implementation manner of the fourth aspect, the receiving unit is further configured to: before receiving a service activation request sent by the UE, receive a request message sent by the GCS AS, where the request message is a group identifier containing the GCSE group;

The BM-SC also includes:

a searching unit, configured to search for a group identifier corresponding to the service identifier included in the service activation request, before the sending unit sends an authorization check request to the GCS AS;

The authorization check request includes the identifier of the UE and a group identifier corresponding to the service identifier of the service that the UE wants to activate.

The fifth aspect, the method for issuing a key provided by the embodiment of the present invention includes:

Generating a multimedia broadcast multicast service key MSK;

Establishing or obtaining a mapping relationship between the MSK and the group identifier and/or service identifier of each group communication service GCSE group from the broadcast multicast service center BM-SC;

The generated MSK is sent to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identity and/or the service identifier of each GCSE group.

With reference to the fifth aspect, in a first implementation manner of the fifth aspect, before the generating the MSK, the method further includes:

Sending a request message to the BM-SC, where the request message includes the requested number of group identifiers and/or the number of groups and/or the number of requested services, and the request message is used to request the BM-SC allocation Business identification and/or group identification;

Receiving a response message sent by the BM-SC, where the response message includes a service identifier and/or a group identifier allocated by the BM-SC;

After the mapping between the MSK and the group identity and/or the service identifier of each GCSE group is established, the method further includes:

The MSK is sent to the BM-SC.

With reference to the fifth aspect, in a second implementation manner of the fifth aspect, after the generating the MSK, the method further includes:

Sending a request message to the BM-SC, where the request message includes the requested group identifier number and the MSK, where the request message is used to request the BM-SC to allocate a group identifier and/or a service identifier and establish each group identifier. And/or mapping relationship between each service identifier and each MSK;

The mapping relationship between the MSK and the group identifier and/or service identifier of each GCSE group obtained from the BM-SC includes:

And receiving, by the BM-SC, a response message, where the response message includes a mapping relationship between each group identifier and/or each service identifier and each MSK.

With reference to the fifth aspect, in a third implementation manner of the fifth aspect, after the generating the MSK, the method further includes:

Establish a mapping relationship between the MSK and the group identifier of each GCSE group;

Sending a request message to the BM-SC, where the request message includes a mapping relationship between the MSK and a group identifier of each GCSE group, where the request message is used to request the BM-SC to allocate a service identifier and establish each service identifier and each Mapping relationship of group identifiers;

Receiving a response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and each service identifier.

With reference to the fifth aspect, in a fourth implementation manner of the fifth aspect, before the generating the MSK, the method further includes:

Receiving a key request message sent by the BM-SC, where the key request message includes a service identifier and a requested number of MSKs;

The MSK is sent to the BM-SC.

Combining the first embodiment of the fifth aspect, or the second embodiment of the fifth aspect, or the fifth A third implementation manner of the aspect, or the fourth implementation manner of the fifth aspect, in the fifth implementation manner of the fifth aspect, the mapping relationship between the group identifier and/or the service identifier according to the MSK and each GCSE group Before the generated MSK is sent to the UEs in the corresponding GCSE group, it also includes:

Generate an MSK identifier and a key validity period for each MSK;

When the MSK is sent to the BM-SC, or after the MSK is sent to the UE in the corresponding GCSE group, the method further includes:

The MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the BM-SC and the UE in the corresponding GCSE group.

With reference to the first embodiment of the fifth aspect, or the second embodiment of the fifth aspect, or the third embodiment of the fifth aspect, or the fourth embodiment of the fifth aspect, the fifth aspect In the foregoing implementation manner, before the sending the generated MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identity and/or the service identifier of each GCSE group, the method further includes:

Receiving an MSK identifier and a key validity period of each MSK sent by the BM-SC, and an MSK identifier and a key validity period of each MSK are generated by the BM-SC;

Sending the group identifier and/or the service identifier of the GCSE group corresponding to each MSK to the BM-SC; sending the MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK. Give the UEs in the corresponding GCSE group.

With reference to the fifth aspect, or the first embodiment of the fifth aspect, or the second embodiment of the fifth aspect, or the third embodiment of the fifth aspect, or the fourth embodiment of the fifth aspect, In a seventh implementation manner of the fifth aspect, the method further includes:

Determine whether the MSK needs to be updated according to a preset rule;

If yes, generate a new MSK;

Sending a first key update message to the BM-SC, and sending a second key update message to the UE in the corresponding GCSE group, so that the BM-SC and the UE in the corresponding GCSE group update the key, where the The new MSK is included in a key update message and the second key update message.

With reference to the seventh implementation manner of the fifth aspect, in the eighth implementation manner of the fifth aspect, the preset rule includes the joining and/or leaving of the UE in the GCSE group, or the MSK to the validity period.

In conjunction with the seventh embodiment of the fifth aspect, in the ninth embodiment of the fifth aspect, Before the BM-SC sends the first key update message, the method further includes:

Generating an MSK identifier and a key validity period of the new MSK;

With reference to the seventh implementation manner of the fifth aspect, in a tenth implementation manner of the fifth aspect, before the sending the first key update message to the BM-SC, the method further includes:

Receiving an MSK identifier and a key validity period of the new MSK sent by the BM-SC;

With reference to the fifth aspect, or the first embodiment of the fifth aspect, or the second embodiment of the fifth aspect, or the third embodiment of the fifth aspect, or the fourth embodiment of the fifth aspect, In an eleventh implementation manner of the fifth aspect, the method further includes:

Receiving a key update trigger message sent by the BM-SC, where the key update trigger message includes a group identifier and/or a service identifier of the GCSE group and/or an MSK identifier of the MSK that needs to be updated;

Generate a new MSK;

Sending a third key update message to the BM-SC, and sending a fourth key update message to the UE in the corresponding GCSE group, so that the BM-SC and the UE in the corresponding GCSE group update the key, where the The new MSK is included in the three key update message and the fourth key update message.

With reference to the eleventh embodiment of the fifth aspect, in a twelfth implementation manner of the fifth aspect, before the third key update message is sent to the BM-SC, the method further includes:

Generating an MSK identifier and a key validity period of the new MSK;

With reference to the eleventh embodiment of the fifth aspect, in the thirteenth implementation manner of the fifth aspect, before the third key update message is sent to the BM-SC, the method further includes:

The third key update message further includes: a group label of the GCSE group corresponding to the new MSK The fourth key update message further includes: an MSK identifier of the new MSK and a key validity period, a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK.

The sixth aspect, the method for issuing a key according to the embodiment of the present invention includes:

Obtaining a multimedia broadcast multicast service key MSK from the broadcast multicast service center BM-SC;

Establish a mapping relationship between the MSK and the group identifier and/or service identifier of each group communication service GCSE group;

With reference to the sixth aspect, in a first implementation manner of the sixth aspect, before acquiring the MSK from the BM-SC, the method further includes:

Sending a request message to the BM-SC, where the request message includes the requested number of group identifiers and/or the number of groups and/or the number of requested services, and the request message is used to request the BM-SC allocation MSK and business identification and/or group identification;

The obtaining the MSK from the BM-SC includes:

Receiving a response message sent by the BM-SC, where the response message includes an MSK and a service identifier and/or a group identifier allocated by the BM-SC.

With reference to the first implementation manner of the sixth aspect, in a second implementation manner of the sixth aspect, the request message is further used to request the BM-SC to generate an MSK identifier and a key validity period for each MSK;

When the MSK is sent to the UE in the corresponding GCSE group, the method further includes:

The identifiers of the respective MSKs and the key validity period, and the group identifiers and/or service identifiers of the GCSE groups corresponding to the respective MSKs are sent to the UEs in the corresponding GCSE group.

In a seventh aspect, a method for performing an authorization check on a user equipment UE according to an embodiment of the present invention includes:

And establishing, according to the authorized UE list establishment request sent by the group communication service application server GCS AS, the authorized UE list corresponding to the service identifier;

Receiving a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

Checking whether the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate, if yes, the authorization check for the UE is successful, if not, the The authorization check of the UE failed.

With reference to the seventh aspect, in a first implementation manner of the seventh aspect, before the establishing the authorized UE list corresponding to the service identifier, the method further includes:

Receiving a request message sent by the GCS AS, where the request message includes the number of requested group identifiers and/or the number of groups and/or the number of requested services;

Generate a business identifier;

Sending a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS allocates a service identifier to each group communication service GCSE group;

With reference to the seventh aspect, in the second implementation manner of the seventh aspect, before the establishing the authorized UE list corresponding to the service identifier, the method further includes:

Receiving a request message sent by the GCS AS, where the request message includes a group identifier of a GCSE group;

Generate a service identifier and establish a mapping relationship between the group identifier and the service identifier.

The GCS AS sends the authorized UE list establishment request according to the UEs included in the respective GCSE groups, where the authorized UE list establishment request includes the group identifier of the GCSE group and the identifier of the corresponding authorized UE, according to the GCS AS The authorized UE list establishment request to send the authorized UE corresponding to the service identifier includes:

With reference to the first embodiment of the seventh aspect, in a third implementation manner of the seventh aspect, the method further includes:

Receiving an authorized UE list update request sent by the GCS AS, where the authorized UE list update request includes a service identifier, an identifier of the UE, and a deletion and/or an addition indication;

Updating the corresponding authorized UE list according to the authorized UE list update request.

With reference to the second implementation manner of the seventh aspect, in a fourth implementation manner of the seventh aspect, the method further includes:

Receiving an authorized UE list update request sent by the GCS AS, the authorized UE list update The request includes a group identifier and/or a service identifier, an identifier of the UE, a deletion, and/or an addition indication.

In an eighth aspect, a method for performing an authorization check on a user equipment UE according to an embodiment of the present invention includes:

Sending an authorization check request to the group communication service application server GCS AS to request the GCS AS to check whether the identifier of the UE is in a group communication service GCSE group corresponding to the service identifier of the service that the UE wants to activate, if The authorization check for the UE is successful, and if not, the authorization check for the UE fails.

With reference to the eighth aspect, in a first implementation manner of the eighth aspect, before receiving the service activation request sent by the UE, the method further includes:

Generate a business identifier;

Sending a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS assigns a service identifier to each GCSE group;

With reference to the eighth aspect, in a second implementation manner of the eighth aspect, before receiving the service activation request sent by the UE, the method further includes:

Before sending an authorization check request to the GCS AS, it also includes:

Finding a group identifier corresponding to the service identifier included in the service activation request;

It can be seen from the above technical solutions that the embodiments of the present invention have the following advantages:

In the embodiment of the present invention, the GCS AS may generate or acquire an MSK from the BM-SC, establish or The BM-SC obtains the mapping relationship between the MSK and the group identity and/or the service identifier of each GCSE group, and then sends the MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group. That is, the GCS AS completes the delivery of the MSK in the scenario of partially reusing the MBMS security mechanism.

In addition, the BM-SC may establish an authorized UE list according to the authorized UE list establishment request sent by the GCS AS, so that after receiving the service activation request sent by the UE, the authorization check of the UE may be implemented according to the authorized UE list established by the UE; Or, after receiving the service activation request sent by the UE, the BM-SC may send an authorization check request to the GCS AS to request the GCS AS to perform an authorization check on the UE, so that when the BM-SC is invisible to the GCSE group, The service authorization check of the BM-SC to the UE in the scenario of completely reusing the MBMS security mechanism.

DRAWINGS

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below. Obviously, the drawings in the following description are only It is a certain embodiment of the present invention, and other drawings can be obtained from those skilled in the art without any creative work.

1 is a schematic diagram of an embodiment of a GCS AS according to the present invention;

2 is a schematic diagram of another embodiment of a GCS AS according to the present invention;

3 is a schematic diagram of another embodiment of a GCS AS according to the present invention;

4 is a schematic diagram of another embodiment of a GCS AS according to the present invention;

FIG. 5 is a schematic diagram of another embodiment of a GCS AS according to the present invention; FIG.

6 is a schematic diagram of another embodiment of a GCS AS according to the present invention;

7 is a schematic diagram of another embodiment of a GCS AS according to the present invention;

8 is a schematic diagram of another embodiment of a GCS AS according to the present invention;

FIG. 9 is a schematic diagram of an embodiment of a BM-SC according to the present invention; FIG.

FIG. 10 is a schematic diagram of another embodiment of a BM-SC according to the present invention; FIG.

11 is a schematic diagram of another embodiment of a BM-SC according to the present invention;

12 is a schematic diagram of another embodiment of a BM-SC according to the present invention;

13 is a schematic diagram of another embodiment of a BM-SC according to the present invention;

Figure 14 is a schematic view showing another embodiment of the BM-SC of the present invention;

15 is a schematic diagram of an embodiment of a method for issuing a key according to the present invention;

FIG. 16 is a schematic diagram of another embodiment of a method for issuing a key according to the present invention; FIG.

17 is a schematic diagram of another embodiment of a method for issuing a key according to the present invention;

FIG. 18 is a schematic diagram of another embodiment of a method for issuing a key according to the present invention; FIG.

19 is a schematic diagram of another embodiment of a method for issuing a key according to the present invention;

20 is a schematic diagram of an embodiment of a key update method according to the present invention;

21 is a schematic diagram of another embodiment of a method for updating a key according to the present invention;

FIG. 22 is a schematic diagram of another embodiment of a method for issuing a key according to the present invention; FIG.

FIG. 23 is a schematic diagram of another embodiment of a method for issuing a key according to the present invention; FIG.

24 is a schematic diagram of an embodiment of a method for performing an authorization check on a UE according to the present invention;

25 is a schematic diagram of another embodiment of a method for performing an authorization check on a UE according to the present invention;

26 is a schematic diagram of another embodiment of a method for performing an authorization check on a UE according to the present invention;

FIG. 27 is a schematic diagram of another embodiment of a method for performing an authorization check on a UE according to the present invention;

28 is a schematic diagram of another embodiment of a method for performing an authorization check on a UE according to the present invention;

FIG. 29 is a schematic diagram of another embodiment of a method for performing an authorization check on a UE according to the present invention.

detailed description

The technical solutions in the embodiments of the present invention will be clearly described with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention are within the scope of the present invention.

Since the BM-SC is invisible to the GCSE group in the LTE network-based trunking communication, the GCS AS is responsible for the management of the UEs in the GCSE group, that is, the GCSE knows which UE belongs to which GCSE group, but each GCSE group has no service identifier, and There may be no group ID. The GCSE group can be established by the GCS AS at the time of UE registration, although the GCSE group can also be pre-established. For example, the UE is registered with the GCS AS, and the registration information carries the identifier of the UE. The GCS AS establishes a GCSE group for the registered UE. The number of registered UEs may be one or more, and the number of established GCSE groups may also be one or more. It is not limited here; or, the GCSE group is established in advance, and the UE directly carries the group identifier and the identifier of the UE when registering with the GCS AS. When it is determined that the UE adopts the multicast bearer and implements the establishment of the multicast bearer by reusing part of the MBMS mechanism, it is necessary to consider how the GCS AS implements the MSK delivery problem; When the UE adopts the multicast bearer and implements the establishment of the multicast bearer by completely reusing the MBMS mechanism, it is necessary to consider how the BM-SC performs an authorization check on the UE requesting the service. The multicast mentioned in the embodiment of the present invention may be multicast or broadcast. The following description is respectively made by different embodiments.

Device embodiment 1:

Referring to FIG. 1 , FIG. 1 is a schematic diagram of an embodiment of a GCS AS according to the present invention. The GCS AS 10 in this embodiment is used to implement the sending of the MSK. The GCS AS in this embodiment includes:

The MSK generating unit 11 is configured to generate an MSK;

The processing unit 12 is configured to establish or obtain, from the BM-SC, a mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group;

In a specific implementation, the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group is established or obtained from the BM-SC, including: establishing or mapping the mapping between the MSK and the group identifier of each GCSE group from the BM-SC, establishing or The mapping relationship between the MSK and the service identifiers of the respective GCSE groups is obtained from the BM-SC, and the mapping relationship between the MSK, the group identifier of each GCSE group, and the service identifier of each GCSE group is established or obtained from the BM-SC.

The group identifier may be a fixed group identifier that the GCS AS allocates for the GCSE group or the GCSE group itself, or may be a temporary mobile group identifier generated by the BM-SC according to the request of the GCS AS, for example, TMGI (Temporary Mobile Group Identity). .

There may be multiple MSKs generated. Each GCSE group can establish a mapping relationship with one MSK or a plurality of MSKs. That is, each GCSE group can have only one MSK or multiple MSKs. For ease of description, the following embodiments will be described in the case where there is only one MSK per GCSE group, and each GCSE group has only one group identifier and/or service identifier.

The sending unit 13 is configured to send the generated MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

Device embodiment 2:

This embodiment is a specific description of the GCS AS of the present invention. Referring to FIG. 2, the GCS AS 20 of this embodiment includes:

The sending unit 21 is configured to send a request message to the BM-SC, where the request message includes the requested number of group identifiers and/or the number of groups and/or the number of requested services;

a first receiving unit 22, configured to receive a response message sent by the BM-SC, where the response message includes a service identifier and/or a group identifier allocated by the BM-SC;

An MSK generating unit 23, configured to generate an MSK;

The processing unit 24 is configured to establish a mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

The sending unit 21 is further configured to send the MSK to the BM-SC, and send the generated MSK to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

In this embodiment, it can be understood that the group identifier of the GCSE group is the temporary mobility group identifier generated by the BM-SC.

In a specific implementation, when it is determined that the UE adopts a multicast bearer, the sending unit 21 sends a request message to the BM-SC, where the request message is used to request the BM-SC to allocate a service identifier and/or a group identifier, where the request message includes a request. The number of groups identified and/or the number of groups and/or the number of services requested. The number of group identifiers and/or the number of groups and/or the number of requested services may be determined by the number of groups of GCSE groups managed by the GCS AS, that is, the GCS AS manages several GCSE groups, and subsequently requests several group identifiers and / or several business identifiers.

In this embodiment, it can be understood that the GCS AS itself knows which UE belongs to which GCSE group, but each GCSE group does not have a group identifier and a service identifier, and needs to request BM-SC generation.

After generating the group identifier and/or the service identifier, the BM-SC sends a response message to the GCS AS, where the response message includes the group identifier and/or the service identifier generated by the BM-SC, and the first receiving unit 22 receives the response message.

Next, the MSK generating unit 23 generates an MSK, the processing unit 24 establishes a mapping relationship between the MSK and the group identifier and/or the service identifier, and the transmitting unit 21 transmits the MSK to the BM-SC and maps according to the MSK and the group identifier and/or the service identifier. The relationship sends the MSK to the UE within the corresponding GCSE group. The following examples are given:

For example, the GCS AS manages two GCSE groups, the first GCSE group includes UE1 and UE2, and the second GCSE group includes UE3 and UE4. After the MSK is generated by the GCS AS and the group identifier and the service identifier are obtained from the BM-SC, a one-to-one mapping relationship between the MSK, the group identifier (temporary mobile group identifier), and the service identifier is established (for example, MSK1, group identifier 1, and service identifier are set). As a group and assigned to the first GCSE group, the MSK2, the group identifier 2 and the service identifier 2 are grouped and assigned to the second GCSE group, and the subsequent GCS AS directly sends the generated MSK to the BM-SC. And sending the MSK to the UE in the corresponding GCSE group according to the established mapping relationship, in this example, sending the MSK1 to the first The UEs in the GCSE group send MSK2 to the UEs in the second GCSE group.

In addition, each MSK should also have an MSK identity and a key validity period. The MSK ID and key validity period of each MSK can be generated by the GCS AS or generated by the BM-SC and sent to the GCS AS.

When the MSK identifier and the key validity period of each MSK are generated by the GCS AS, the sending unit 21 needs to send the MSK to the BM-SC and the UE in the corresponding GCSE group, and also needs to validate the MSK identifier and the key of each MSK. And the group identifier and/or service identifier of the GCSE group corresponding to each MSK is sent to the BM-SC and the UE in the corresponding GCSE group.

When the MSK identity and key validity period of each MSK is generated by the BM-SC and then transmitted to the GCS AS, the MSK identity and key validity period of each MSK generated and transmitted by the BM-SC needs to be received by the third receiving unit 25. In this case, the sending unit 21 sends the MSK to the BM-SC and the corresponding UE in the GCSE group, and also needs to send the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the BM-SC; The MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the UEs in the corresponding GCSE group.

Device embodiment three:

This embodiment is another specific description of the GCS AS of the present invention. Referring to FIG. 3, the GCS AS 30 of this embodiment includes:

An MSK generating unit 31, configured to generate an MSK;

The sending unit 32 is configured to send a request message to the BM-SC, where the request message includes the requested group identifier number and the MSK;

The processing unit 33 is configured to receive a response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and/or each service identifier and each MSK.

The sending unit 32 is further configured to send the generated MSK to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

In a specific implementation, the MSK generating unit 31 generates an MSK according to the number of GCSE groups managed by the GCS AS, and the number of generated MSKs may be the same as the number of GCSE groups managed by the GCS AS. After the MSK generating unit 31 generates the MSK, the sending unit 32 sends a request message to the BM-SC, which invites The request message includes the number of requested group identifiers and the MSK, and the request message is used to request the BM-SC to allocate a group identifier and/or a service identifier and establish a mapping relationship between each group identifier and/or each service identifier and each MSK.

The BM-SC allocates a group identifier and/or a service identifier according to the request message sent by the sending unit 32, and establishes a mapping relationship between each group identifier and/or each service identifier and each MSK, and then sends a response message to the GCS AS. The processing unit 33 receives the response message sent by the BM-SC, where the response message includes the mapping relationship between each group identifier and/or each service identifier and each MSK.

When the MSK identifier and the key validity period of each MSK are generated by the GCS AS, the sending unit 32 needs to transmit the MSK identifier of each MSK after transmitting the MSK to the BM-SC and transmitting the MSK to the UE in the corresponding GCSE group. And the key validity period, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the BM-SC and the UE in the corresponding GCSE group.

When the MSK identity and key validity period of each MSK is generated by the BM-SC and then transmitted to the GCS AS, the MSK identity and key validity period of each MSK generated and transmitted by the BM-SC needs to be received by the third receiving unit 25. In this case, after the sending unit 21 sends the MSK to the BM-SC and sends the MSK to the UE in the corresponding GCSE group, the group identifier and/or the service identifier of the GCSE group corresponding to each MSK need to be sent to The BM-SC sends the MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the UE in the corresponding GCSE group.

The device embodiment 2 and the device embodiment 3 describe the implementation of the GCS AS delivered by the MSK when the group identification of the GCSE group is the temporary mobility group identifier generated by the BM-SC. The following two device embodiments will introduce the group of the GCSE group. When the ID is a fixed group ID, the GCS AS delivered by the MSK is implemented.

Device Embodiment 4:

Referring to FIG. 4, the GCS AS 40 of this embodiment includes:

An MSK generating unit 41, configured to generate an MSK;

The mapping establishing unit 42 is configured to establish a mapping relationship between the MSK and the group identifier of each GCSE group;

The sending unit 43 is configured to send a request message to the BM-SC, where the request message includes a mapping relationship between each MSK and a group identifier of each GCSE group;

The processing unit 44 is configured to receive a response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and each service identifier.

In a specific implementation, the MSK generating unit 41 generates an MSK according to the number of GCSE groups managed by the GCS AS, and the number of generated MSKs may be the same as the number of GCSE groups managed by the GCS AS. After the MSK generating unit 41 generates the MSK, the mapping establishing unit 42 establishes a mapping relationship between the MSK and the group identifiers of the respective GCSE groups, and then the transmitting unit 43 sends a request message to the BM-SC, where the request message includes each MSK and each GCSE group. The mapping relationship of the group identifier is used to request the BM-SC to allocate a service identifier and establish a mapping relationship between each service identifier and each group identifier. The BM-SC generates the service identifier, and the number of the generated service identifiers is the same as the number of the MSK and/or the group identifier. After the service identifier is generated, the BM-SC establishes a mapping relationship between the group identifier and the service identifier and sends a response message to the GCS AS. . The processing unit 44 receives the response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and each service identifier.

In this embodiment, the GCS AS establishes and stores the mapping relationship between the group identifier and the MSK of the GCSE group. After obtaining the mapping relationship between the service identifier and the group identifier from the BM-SC, the GCS AS has the MSK, the group identifier, and the service. The mapping relationship between the three parties is identified. According to the mapping relationship between the three, the GCS AS can send the MSK to the UE in the corresponding GCSE group. The following examples are given:

For example, the GCS AS manages two GCSE groups. The group ID of the first GCSE group is group ID 1 (fixed group ID), the first GCSE group contains UE1 and UE2, and the group ID of the second GCSE group is group ID 2 (fixed group identification), the second GCSE group contains UE3 and UE4. After the MSK is generated by the GCS AS, the mapping relationship between the MSK and the group identifier is established (for example, the group identifier 1 and the MSK1 are a group, and the group identifier 2 and the MSK2 are a group). After the GCS AS obtains the mapping relationship between the group identifier and the service identifier from the BM-SC (for example, the group identifier 1 and the service identifier 1 are a group, and the group identifier 2 and the service identifier 2 are a group), the GCS AS has the MSK and the group. A one-to-one mapping relationship between the identifier and the service identifier (ie, MSK1, group identifier 1, and service identifier 1 as a group corresponding to the first GCSE group, MSK2, group identifier 2, and service identifier 2 as a group corresponding to the second The GCSE group), the subsequent GCS AS sends the MSK to the UE in the corresponding GCSE group according to the acquired mapping relationship. In this example, the MSK1 is sent to the UE in the first GCSE group, and the MSK2 is sent to the second GCSE. UE within the group.

In addition, each MSK should also have an MSK identity and a key validity period. The MSK ID and key validity period of each MSK can be generated by the GCS AS or generated by the BM-SC and sent to the GCS. AS.

When the MSK identity and key validity period of each MSK is generated by the GCS AS, the transmitting unit 43 needs to send the MSK of each MSK after transmitting the MSK to the BM-SC and transmitting the MSK to the UEs in the corresponding GCSE group. The identifier and the key validity period, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the BM-SC and the UE in the corresponding GCSE group.

When the MSK identity and key validity period of each MSK is generated by the BM-SC and then transmitted to the GCS AS, the third receiving unit 45 needs to receive the MSK identity and key validity period of each MSK generated and transmitted by the BM-SC. In this case, the transmitting unit 43 sends the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the UE after transmitting the MSK to the BM-SC and the MSK to the UE in the corresponding GCSE group. The BM-SC sends the MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the UE in the corresponding GCSE group.

Device Embodiment 5:

Referring to FIG. 5, the GCS AS 50 of this embodiment includes:

a second receiving unit 51, configured to receive a key request message sent by the BM-SC, where the key request message includes a service identifier and a requested number of MSKs;

MSK generating unit 52, configured to generate an MSK;

The processing unit 53 is configured to establish a mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

The sending unit 55 is configured to send the MSK to the BM-SC, and send the MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

In a specific implementation, the GCS AS may send a request message including the number of groups and/or the number of services to the BM-SC according to the number of the GCSE groups managed by the GCS AS, and the number of groups and/or the number of groups sent by the BM-SC according to the GCS AS. The service number sends a key request message, where the key request message includes the service identifier and the requested number of MSKs, the second receiving unit 51 receives the key request message, and the MSK generating unit 52 generates the MSK according to the key request message. . The processing unit 53 establishes a mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group, and the sending unit 55 sends the MSK to the BM-SC according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group. The MSK is sent to the UEs in the corresponding GCSE group.

In addition, each MSK should also have an MSK identity and a key validity period. MSK per MSK The ID and key validity period can be generated by the GCS AS or generated by the BM-SC and delivered to the GCS AS.

When the MSK identifier and the key validity period of each MSK are generated by the GCS AS, the sending unit 55 needs to send the MSK to the BM-SC and the UE in the corresponding GCSE group, and also needs to validate the MSK identifier and the key of each MSK. And the group identifier and/or service identifier of the GCSE group corresponding to each MSK is sent to the BM-SC and the UE in the corresponding GCSE group.

When the MSK identity and key validity period of each MSK is generated by the BM-SC and then transmitted to the GCS AS, the third receiving unit 54 needs to receive the MSK identity and key validity period of each MSK generated and transmitted by the BM-SC. In this case, the sending unit 55 sends the MSK to the BM-SC and the corresponding UE in the GCSE group, and also sends the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the BM-SC; The MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the UEs in the corresponding GCSE group.

The above several device embodiments describe the implementation of the GCS AS delivered by the MSK. The following device embodiments will describe the GCS AS that implements the MSK update.

Device Embodiment 6:

Referring to FIG. 6, the GCS AS 60 of this embodiment includes:

The determining unit 61 is configured to determine, according to a preset rule, whether the MSK needs to be updated;

The preset rule includes joining and/or leaving of the UE in the GCSE group, or MSK to the validity period.

The MSK generating unit 62 is configured to generate a new MSK when the determination result of the determining unit 61 is YES;

The sending unit 64 is configured to send a first key update message to the BM-SC, and send a second key update message to the UE in the corresponding GCSE group, so that the BM-SC and the UE in the corresponding GCSE group update the key. The new MSK is included in the first key update message and the second key update message.

The new MSK should also have an MSK identity and a key validity period. The MSK identifier and the key validity period of the new MSK may be generated by the GCS AS or generated by the BM-SC and sent to the GCS AS.

When the MSK identifier and the key validity period of the new MSK are generated by the GCS AS, the MSK generating unit 62 is further configured to generate the new MSK before the sending unit 64 sends the first key update message to the BM-SC. MSK identification and key validity period. The first key update message and the second key update message further include: an MSK identifier of the new MSK and a key validity period, the new The MSK corresponds to the GCSE group's group ID and/or service identifier.

When the MSK identifier and the key validity period of the new MSK are generated by the BM-SC and sent to the GCS AS, the fourth receiving unit 63 receives the BM before the sending unit 64 sends the first key update message to the BM-SC. - The MSK identity and key validity period of the new MSK sent by the SC. The first key update message further includes: a group identifier and/or a service identifier of the GCSE corresponding to the new MSK; and the second key update message includes: the MSK identifier and the secret of the new MSK Key validity period, the group identifier and/or service identifier of the GCSE corresponding to the new MSK.

The device embodiment 6 describes a GCS AS that performs MSK update by itself, and the device embodiment 7 will describe a GCS AS triggered by the BM-SC for MSK update.

Device Embodiment 7:

Referring to FIG. 7, the GCS AS 70 of this embodiment includes:

The fifth receiving unit 71 is configured to receive a key update trigger message sent by the BM-SC, where the key update trigger message includes a group identifier and/or a service identifier of the GCSE group and/or an MSK identifier of the MSK that needs to be updated. ;

In a specific implementation, the BM-SC may determine whether the MSK needs to be updated, and the criterion for determining is, for example, a key to an expiration date. If the MSK needs to be updated, the BM-SC sends a key update trigger message to the GCS AS.

MSK generating unit 72, configured to generate a new MSK;

The sending unit 74 is configured to send a third key update message to the BM-SC, and send a fourth key update message to the UE in the corresponding GCSE group, so that the BM-SC and the UE in the corresponding GCSE group update the key. The new MSK is included in the third key update message and the fourth key update message.

When the MSK identifier and the key validity period of the new MSK are generated by the GCS AS, the MSK generating unit 72 is further configured to generate the new MSK before the sending unit 74 sends the third key update message to the BM-SC. MSK identification and key validity period. The third key update message and the fourth key update message further include: an MSK identifier of the new MSK and a key validity period, a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK .

When the MSK identifier and the key validity period of the new MSK are generated by the BM-SC and sent to the GCS In the AS, the sixth receiving unit 73 needs to receive the MSK identifier and the key validity period of the new MSK sent by the BM-SC before the sending unit 74 sends the third key update message to the BM-SC. The third key update message further includes: a group identifier and/or a service identifier of the GCSE corresponding to the new MSK; and the fourth key update message includes: the MSK identifier and the secret of the new MSK Key validity period, the group identifier and/or service identifier of the GCSE corresponding to the new MSK.

The above seven device embodiments describe the GCS AS that is sent by the MSK when the MSK is generated by the GCS AS. The following device embodiment will describe the GCS AS delivered by the MSK when the MSK is generated by the BM-SC.

Device Embodiment 8:

Referring to FIG. 8, the GCS AS 80 of this embodiment includes:

An obtaining unit 81, configured to acquire an MSK from the BM-SC;

The mapping establishing unit 82 is configured to establish a mapping relationship between the MSK and the group identifier and/or the service identifier of each group communication service GCSE group;

The sending unit 83 is configured to send the generated MSK to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

In a specific embodiment, the sending unit 83 may send a request message to the BM-SC according to the number of GCSE groups managed by the GCS AS, where the request message includes the requested group identifier number and/or the number of groups and/or Or the number of requested services, the request message is used to request the BM-SC to allocate the MSK and the service identifier and/or the group identifier. The number of group identifiers and/or groups requested in the request message and/or the number of requested services may be the same as the number of GCSE groups managed by the GCS AS.

The BM-SC allocates the MSK and the service identity and/or group identity to the GCSE and sends a response message to the GCS AS. The obtaining unit 81 receives the response message sent by the BM-SC, where the response message includes the MSK and the service identifier and/or the group identifier allocated by the BM-SC. In addition, the request message is further used to request the BM-SC to generate an MSK identifier and a key validity period for each MSK; the response message further includes an MSK identifier and a key validity period of each MSK.

The mapping establishing unit 82 establishes a mapping relationship between the MSK and the group identifier and/or the service identifier of each group communication service GCSE group, and the sending unit 83 generates the MSK according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group. The identifiers and key validity periods of the respective MSKs, and the group identifiers and/or service identifiers of the GCSE groups corresponding to the respective MSKs are sent to the UEs in the corresponding GCSE group.

In a specific embodiment: the GCS AS can include a processor and a transmitter, wherein:

The processor is configured to: generate an MSK, establish or obtain, from the BM-SC, a mapping relationship between the MSK and a group identifier and/or a service identifier of each group communication service GCSE group;

The transmitter is configured to send the generated MSK to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

or

The processor is configured to acquire an MSK from the BM-SC, and establish a mapping relationship between the MSK and a group identifier and/or a service identifier of each group communication service GCSE group;

It should be noted that, in the various embodiments described above for the GCS AS, it can be understood that among the various mapping relationships that the BM-SC sends to the GCS AS, the mapping relationship itself utilizes the MSK, the group identifier, and the service identifier itself. Therefore, the mapping relationship includes both the MSK, the group identifier, the service identifier itself, and the mapping relationship between the three. Of course, in other embodiments, the mapping relationship may also be represented by the identifier of the MSK, the group identifier, and other information of the service identifier. When the BM-SC sends various mapping relationships to the GCS AS, the mapping relationship should also be The MSK, group identification and service identifier involved are sent to the GCS AS.

In addition, in the various embodiments described above for the GCS AS, the various mapping relationships established by the GCS AS can be understood as the GCS AS establishing a mapping relationship by using the MSK, the group identifier, and the service identifier itself, or can be understood as GCS AS. The mapping relationship is established by using the information of the MSK identifier, the group identifier, and the service identifier. This is not specifically limited.

The BM-SC in the embodiment of the present invention is described below. The BM-SC in the embodiment of the present invention is used to implement authorization check on the UE.

Device Example 9:

Referring to FIG. 9, the BM-SC 90 of this embodiment includes:

The list establishing unit 91 is configured to establish, according to the authorized UE list establishment request sent by the GCS AS, an authorized UE list corresponding to the service identifier;

The receiving unit 92 is configured to receive a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

The authorization checking unit 93 is configured to check whether the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate, and if yes, the authorization check on the UE is successful, If not, the authorization check for the UE fails.

Device Example 10:

This embodiment is a detailed introduction of the BM-SC of the present invention. Referring to FIG. 10, the BM-SC of this embodiment includes:

The receiving unit 101 receives a request message sent by the GCS AS, where the request message includes the requested number of group identifiers and/or the number of groups and/or the number of requested services;

The first generating unit 102 is configured to generate a service identifier.

The sending unit 103 is configured to send a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS allocates the service identifier to each GCSE group;

The receiving unit 101 is further configured to receive an authorized UE list establishment request sent by the GCS AS and a service activation request sent by the UE;

The BM-SC also includes:

The list establishing unit 104 is configured to establish, according to the authorized UE list establishment request sent by the GCS AS, an authorized UE list corresponding to the service identifier;

The authorization checking unit 105 is configured to check whether the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate, if yes, the authorization check for the UE is successful, if not, the UE is The authorization check failed.

In other embodiments, the BM-SC may further include a first update unit 106, configured to update the corresponding authorized UE list according to the authorized UE list update request received by the receiving unit 101.

In a specific embodiment, the GCS AS sends a request message to the BM-SC according to the number of GCSE groups managed by itself, where the request message includes the requested number of group identifiers and/or the number of groups and/or the requested The number of services, the number of group identifiers and/or the number of groups of the request, and/or the number of requested services may be the same as the number of GCSE groups managed by the GCS AS. The receiving unit 101 receives the request message sent by the GCS AS.

In this embodiment, it can be understood that the GCS AS itself knows which UE belongs to which GCSE group, but each GCSE group does not have a group identifier and a service identifier, and therefore needs to request BM-SC generation.

The first generating unit 102 generates a service identifier according to the request message. The sending unit 103 sends a response message to the GCS AS according to the service identifier generated by the first generating unit 102, where the response message includes a service identifier, so that the GCS AS allocates the service identifier to each group communication service GCSE group. After the GCS AS assigns the service identifier to each GCSE group, it sends the location according to the UEs included in each GCSE group. The authorized UE list establishment request includes the service identifier of the GCSE group and the identifier of the corresponding authorized UE.

The list establishing unit 104 establishes an authorized UE list corresponding to the service identifier according to the authorized UE list establishment request sent by the GCS AS, and the authorized UE list corresponding to each service identifier includes the identifier of the corresponding UE. After the receiving unit 101 receives the service activation request sent by the UE, the authorization checking unit 105 checks whether the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate, and if so, The authorization check of the UE is successful, and if not, the authorization check of the UE fails. The service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate.

In addition, the first generating unit 102 may generate a group identifier according to the request message, and may also generate a group identifier, and send the group identifier to the GCS AS, so that the GCS AS also assigns the group identifier to each GCSE group. The group identification here can be understood as a mobile temporary group identification. The following examples are given:

For example, the GCS AS manages two GCSE groups, the first GCSE group includes UE1 and UE2, and the second GCSE group includes UE3 and UE4. After the BM-SC sends the generated group identifier and the service identifier to the GCS AS, the GCS AS assigns the group identifier (temporary mobile group identifier) and the service identifier to each GCSE group (for example, group ID 1 and service identifier 1 are grouped together). And assigned to the first GCSE group, group ID 2 and service identifier 2 are grouped and assigned to the second GCSE group, and the subsequent GCS AS sends an authorized UE list establishment request to the BM-SC, where the request includes the GCSE group. The service identifier and the identifier of the corresponding authorized UE (such as the service identifier 1 and the identifiers of the UE1 and the UE2, the service identifier 2, and the identifiers of the UE3 and the UE4). The BM-SC establishes an authorized UE list corresponding to the service identifier (that is, the authorized UE list corresponding to the service identifier 1 includes the UE1 and the UE2, and the authorized UE list corresponding to the service identifier 2 includes the UE3 and the UE4). When the BM-SC receives the service activation request sent by the UE, it can find and determine whether the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate, and if so, The authorization check of the UE is successful. If not, the authorization check of the UE fails.

When the GCS AS finds that the authorized UE list needs to be updated, the authorized UE list update request may be sent to the BM-SC, and the receiving unit 101 receives the authorized UE list update request, where the authorized UE list update request includes the service identifier and the UE. Identifying, deleting, and/or adding an indication; the first update unit 106 updates the corresponding authorized UE list according to the authorized UE list update request.

Device Example 11:

In the tenth embodiment of the device, the GCSE group may be configured as a temporary mobile group identifier generated by the BM-SC, or the group identification is a temporary mobile group identifier generated by the BM-SC. In this embodiment, the BM- SC, referring to FIG. 11, the BM-SC 110 of this embodiment includes:

The receiving unit 111 is configured to receive a request message sent by the GCS AS, where the request message includes a group identifier of the GCSE group;

The second generating unit 112 is configured to generate a service identifier and establish a mapping relationship between the group identifier and the service identifier.

The receiving unit 111 is further configured to: receive an authorized UE list establishment request sent by the GCS AS, and a service activation request sent by the UE, where the authorized UE list establishment request includes a group identifier of the GCSE group and an identifier of the corresponding authorized UE;

The BM-SC also includes:

The list establishing unit 113 is configured to search, according to the mapping relationship, a service identifier corresponding to the group identifier included in the authorized UE list establishment request, and establish an authorized UE list corresponding to the service identifier;

The authorization checking unit 114 is configured to check whether the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate, and if yes, the authorization check for the UE is successful, if not, The authorization check for the UE failed.

In other embodiments, the BM-SC may further include a second update unit 115, configured to update the corresponding authorized UE list according to the authorized UE list update request received by the receiving unit 111.

In a specific embodiment, the GCS AS sends a request message to the BM-SC according to the number of GCSE groups that it manages. The request message includes the group identifier of the GCSE group, the number of group identifiers, and the GCSE managed by the GCS AS. The number of groups is the same, and the receiving unit 111 receives the request message. The second generating unit 112 generates a service identifier according to the request message and establishes a mapping relationship between the group identifier and the service identifier.

The GCS AS sends an authorized UE list establishment request according to the UE included in each GCSE group, where the authorized UE list establishment request includes the group identifier of the GCSE group and the identifier of the corresponding authorized UE. The receiving unit 111 receives the authorized UE list establishment request, and the list establishing unit 113 searches for the service identifier corresponding to the group identifier included in the authorized UE list establishment request according to the mapping relationship between the established group identifier and the service identifier, and establishes a search identifier. The service identifier corresponds to the list of authorized UEs. The authorized UE list contains the identifier of the corresponding UE.

After the receiving unit 111 receives the service activation request sent by the UE, the authorization checking unit 114, If the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate, if yes, the authorization check for the UE is successful, and if not, the UE is Authorization check failed.

When the GCS AS finds that the authorized UE list needs to be updated, the authorized UE list update request may be sent to the BM-SC, and the receiving unit 111 receives the authorized UE list update request, where the authorized UE list update request includes the service identifier and/or The group identifier, the identifier of the UE, the deletion, and/or the addition indication; the second update unit 115 updates the corresponding authorized UE list according to the authorized UE list update request.

In a specific embodiment, the BM-SC may further include a processor and a receiver, where

The processor is configured to: establish, according to the authorized UE list establishment request sent by the GCS AS, a list of authorized UEs corresponding to the service identifier;

The receiver is configured to receive a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

The processor is further configured to: check whether the identifier of the UE is in an authorized UE list corresponding to a service identifier of a service that the UE wants to activate, if yes, the authorization check for the UE is successful, if not, Then the authorization check for the UE fails.

The device embodiments 10 and 11 describe the BM-SC in which the authorized UE list is established to implement the authorization check for the UE. The following embodiment will describe the BM that does not establish the authorized UE list but needs to perform the authorization check on the UE. -SC.

Device Example 12:

Referring to FIG. 12, the BM-SC 120 of this embodiment includes:

The receiving unit 121 is configured to receive a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

The sending unit 122 is configured to send an authorization check request to the GCS AS, to request the GCS AS to check whether the identifier of the UE is in a group communication service GCSE group corresponding to the service identifier of the service that the UE wants to activate, if The authorization check for the UE is successful, and if not, the authorization check for the UE fails.

Device Example 13:

This embodiment is a detailed description of the BM-SC of the present invention. Referring to FIG. 13, the BM-SC 130 of this embodiment includes:

The receiving unit 131 is configured to receive a request message sent by the GCS AS, where the request message includes the requested number of group identifiers and/or the number of groups and/or the number of requested services;

The first generating unit 132 is configured to generate a service identifier.

The sending unit 133 is configured to send a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS assigns the service identifier to each GCSE group;

The receiving unit 131 is further configured to: receive an authorization check request sent by the UE, where the authorization check request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

The sending unit 133 is further configured to send an authorization check request to the GCS AS, to request the GCS AS to check whether the identifier of the UE is in a group communication service GCSE group corresponding to the service identifier of the service that the UE wants to activate, The authorization check for the UE is successful, and if not, the authorization check for the UE fails.

In a specific embodiment, the GCS AS sends a request message to the BM-SC according to the number of GCSE groups managed by itself, where the request message includes the requested number of group identifiers and/or the number of groups and/or the requested The number of services, the number of group identifiers and/or the number of groups of the request, and/or the number of requested services may be the same as the number of GCSE groups managed by the GCS AS. The receiving unit 131 receives the request message sent by the GCS AS.

The first generating unit 132 generates a service identifier according to the request message. The sending unit 133 sends a response message to the GCS AS according to the service identifier generated by the first generating unit 132, where the response message includes a service identifier, so that the GCS AS allocates the service identifier to each group communication service GCSE group, which is equivalent to the GCS AS. There is a list of authorized UEs corresponding to the service identifier.

After the receiving unit 131 receives the service activation request sent by the UE, the sending unit 133 sends an authorization check request to the GCS AS to request the GCS AS to check whether the identifier of the UE is corresponding to the service identifier of the service that the UE wants to activate. In the group communication service GCSE group, if yes, the authorization check for the UE is successful, and if not, the authorization check for the UE fails. The authorization check request includes an identifier of the UE and a service identifier of a service that the UE wants to activate. After the GCS AS performs an authorization check on the UE, the authorization check result can be sent to the BM-SC.

In addition, the first generating unit 132 may generate a group identifier according to the request message, and may also generate a group identifier, and send the group identifier to the GCS AS, so that the GCS AS also assigns the group identifier to each GCSE group. The group identification here can be understood as a mobile temporary group identification. The following examples are given:

For example, the GCS AS manages two GCSE groups, and the first GCSE group includes UE1 and UE2. UE3 and UE4 are included in the second GCSE group. After the BM-SC sends the generated group identifier and the service identifier to the GCS AS, the GCS AS assigns the group identifier (temporary mobile group identifier) and the service identifier to each GCSE group (for example, group ID 1 and service identifier 1 are grouped together). And assigned to the first GCSE group, group ID 2 and service identifier 2 are grouped and assigned to the second GCSE group), and when the BM-SC receives the service activation request sent by a certain UE, the BM-SC can The GCS AS sends an authorization check request to request the GCS AS to check whether the identity of the UE is in the GCSE group corresponding to the service identifier of the service that the UE wants to activate. If yes, the authorization check for the UE is successful, if not, then The authorization check for the UE failed.

Device Example 14:

In the thirteenth embodiment of the device, the GCSE group is not required to be a group identifier, or the group identifier is a temporary mobility group identifier generated by the BM-SC. In this embodiment, the BM that performs the authorization check on the UE when the group identifier of the GCSE is the fixed group identifier is introduced. -SC, referring to FIG. 14, the BM-SC 140 of this embodiment includes:

The receiving unit 141 is configured to receive a request message sent by the GCS AS, where the request message includes a group identifier of a GCSE group;

The second generating unit 142 is configured to generate a service identifier and establish a mapping relationship between the group identifier and the service identifier.

The receiving unit 141 is further configured to receive a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

The BM-SC also includes:

The searching unit 143 is configured to search for a group identifier corresponding to the service identifier included in the service activation request.

The sending unit 144 is configured to send an authorization check request to the GCS AS, where the authorization check request includes the identifier of the UE and a group identifier corresponding to the service identifier of the service that the UE wants to activate, to request the GCS AS checkpoint. Whether the identifier of the UE is in the GCSE group corresponding to the group identifier corresponding to the service identifier of the service that the UE wants to activate.

In a specific embodiment, the GCS AS sends a request message to the BM-SC according to the number of GCSE groups managed by itself, and the request message includes a group identifier of the GCSE group, in this case, the GCS AS itself has a group. The corresponding authorized UE list is identified, and the receiving unit 141 receives the request message. The second generating unit 142 generates a service identifier according to the request message and establishes a mapping relationship between the group identifier and the service identifier.

After the receiving unit 141 receives the service activation request sent by the UE, the searching unit 143 searches for the group identifier corresponding to the service identifier included in the service activation request, where the service activation request includes the identifier of the UE and the UE. The business identifier of the business you want to activate. The sending unit 144 sends an authorization check request to the GCS AS, where the authorization check request includes the identifier of the UE and the group identifier corresponding to the service identifier of the service that the UE wants to activate, to request the GCS AS to check whether the identifier of the UE is The GCSE group corresponding to the found group identifier is successful. If yes, the authorization check for the UE is successful. Otherwise, the authorization check for the UE fails. After the GCS AS performs an authorization check on the UE, the authorization check result can be sent to the BM-SC.

In a specific embodiment, the BM-SC may further include a receiver and a transmitter, where

The transmitter is configured to send an authorization check request to the group communication service application server GCS AS to request the GCS AS to check whether the identifier of the UE is in a group communication service GCSE group corresponding to the service identifier of the service that the UE wants to activate. If yes, the authorization check for the UE is successful, and if not, the authorization check for the UE fails.

The method for issuing a key provided by the present invention is described below.

Method embodiment one:

Referring to FIG. 15, FIG. 15 is an embodiment of a method for issuing a key. The method in this embodiment includes:

S11, GCS AS generates MSK;

S12. The GCS AS establishes or obtains, from the BM-SC, a mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

The group identifier may be a fixed group identifier that is allocated by the GCS AS for the GCSE group or the GCSE group itself, or may be a temporary mobile group identifier generated by the BM-SC according to the request of the GCS AS, for example, TMGI.

There may be multiple MSKs generated, and each GCSE group can establish a mapping relationship with an MSK. It is also possible to establish a mapping relationship with multiple MSKs, that is, each GCSE group may have only one MSK or multiple MSKs. For ease of description, the following embodiments will be described in the case where there is only one MSK per GCSE group, and each GCSE group has only one group identifier and/or service identifier.

S13. The GCS AS sends the generated MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

In this embodiment, the GCS AS may generate an MSK, and obtain or obtain a mapping relationship between the MSK and the group identity and/or service identifier of each GCSE group from the BM-SC, and then according to the group identity and/or service of the MSK and each GCSE group. The mapping relationship of the identity is sent to the UE in the corresponding GCSE group, that is, the GCS AS completes the delivery of the MSK in the scenario of partially reusing the MBMS security mechanism.

Method Embodiment 2:

This embodiment is a specific description of the method for issuing a key according to the present invention. Referring to FIG. 16, the method in this embodiment includes:

S21. The GCS AS sends a request message to the BM-SC, where the request message includes the requested number of group identifiers and/or the number of groups and/or the number of requested services.

In a specific implementation, when it is determined that the UE adopts a multicast bearer, the GCS AS sends a request message to the BM-SC, where the request message is used to request the BM-SC to allocate a service identifier and/or a group identifier, where the request message includes the requested The group identifies the number and/or number of groups and/or the number of services requested. The number of group identifiers and/or the number of groups and/or the number of requested services may be determined by the number of groups of GCSE groups managed by the GCS AS, that is, the GCS AS manages several GCSE groups, and subsequently requests several group identifiers and / or several business identifiers.

S22. The GCS AS receives the response message sent by the BM-SC, where the response message includes the service identifier and/or the group identifier allocated by the BM-SC.

The BM-SC generates a group identifier and/or a service identifier, and sends a response message to the GCS AS, where the response message includes a group identifier and/or a service identifier generated by the BM-SC, and the GCS AS receives the response message.

S23, GCS AS generates MSK;

S24. The GCS AS establishes a mapping between the MSK and the group identifier and/or service identifier of each GCSE group. relationship;

S25. The GCS AS sends the MSK to the BM-SC, and sends the generated MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group. The following examples are given:

For example, the GCS AS manages two GCSE groups, the first GCSE group includes UE1 and UE2, and the second GCSE group includes UE3 and UE4. After the MSK is generated by the GCS AS and the group identifier and the service identifier are obtained from the BM-SC, a one-to-one mapping relationship between the MSK, the group identifier (temporary mobile group identifier), and the service identifier is established (for example, MSK1, group identifier 1, and service identifier are set). As a group and assigned to the first GCSE group, the MSK2, the group identifier 2 and the service identifier 2 are grouped and assigned to the second GCSE group, and the subsequent GCS AS directly sends the generated MSK to the BM-SC. And sending the MSK to the UE in the corresponding GCSE group according to the established mapping relationship. In this example, the MSK1 is sent to the UE in the first GCSE group, and the MSK2 is sent to the UE in the second GCSE group.

When the MSK identifier and the key validity period of each MSK are generated by the GCS AS, the GCS AS needs to send the MSK to the BM-SC and the UE in the corresponding GCSE group, and also needs to validate the MSK identifier and the key validity period of each MSK. And the group identifier and/or service identifier of the GCSE group corresponding to each MSK is sent to the BM-SC and the UE in the corresponding GCSE group.

When the MSK identifier and key validity period of each MSK is generated by the BM-SC and then transmitted to the GCS AS, the GCS AS also receives the MSK identifier and key of each MSK generated and transmitted by the BM-SC before step S25. Validity period. In this case, the GCS AS sends the MSK to the BM-SC and the corresponding UE in the GCSE group, and also needs to send the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the BM-SC; The MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the UEs in the corresponding GCSE group.

Method embodiment three:

This embodiment is a specific description of the method for issuing a key according to the present invention. Referring to FIG. 17, the method in this embodiment includes:

S31, GCS AS generates MSK;

In a specific implementation, the GCS AS generates an MSK according to the number of GCSE groups managed by itself, and the number of generated MSKs may be the same as the number of GCSE groups managed by the GCS AS.

S32, the GCS AS sends a request message to the BM-SC, where the request message includes the requested group identifier number and the MSK;

The request message is used to request the BM-SC to allocate a group identifier and/or a service identifier and establish a mapping relationship between each group identifier and/or each service identifier and each MSK.

S33. The GCS AS receives a response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and/or each service identifier and each MSK.

S34. The GCS AS sends the generated MSK to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identity and/or the service identifier of each GCSE group.

When the MSK identifier and the key validity period of each MSK are generated by the GCS AS, the GCS AS needs to send the MSK identifier of each MSK after transmitting the MSK to the BM-SC and sending the MSK to the UE in the corresponding GCSE group. The key validity period, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the BM-SC and the UE in the corresponding GCSE group.

When the MSK identity and key validity period of each MSK is generated by the BM-SC and then sent to the GCS AS, the GCS AS also needs to receive the MSK identifier and key of each MSK generated and transmitted by the BM-SC before step S34. Validity period. In this case, after the MSC is sent to the BM-SC and the MSK is sent to the UE in the corresponding GCSE group, the GCS AS needs to send the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the BM. -SC; Send the MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the UE in the corresponding GCSE group.

Method Embodiment 2 and Method Embodiment 3 describes a method for implementing MSK delivery when the group identifier of the GCSE group is the temporary mobility group identifier generated by the BM-SC. The following two method embodiments will introduce the group identifier of the GCSE group. The method for sending the MSK is implemented when the group ID is fixed.

Method Embodiment 4:

Referring to FIG. 18, the method of this embodiment includes:

S41, GCS AS generates MSK;

The GCS AS can generate the MSK according to the number of GCSE groups managed by itself, and the number of generated MSKs can be the same as the number of GCSE groups managed by the GCS AS.

S42. The GCS AS establishes a mapping relationship between the MSK and the group identifier of each GCSE group.

S43. The GCS AS sends a request message to the BM-SC, where the request message includes a mapping relationship between each MSK and a group identifier of each GCSE group.

S44. The GCS AS receives a response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and each service identifier.

S45. The GCS AS sends the MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

When the MSK identity and key validity period of each MSK is generated by the GCS AS, the GCS AS needs to send the MSK identifier of each MSK after transmitting the MSK to the BM-SC and sending the MSK to the UEs in the corresponding GCSE group. And the key validity period, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the BM-SC and the UE in the corresponding GCSE group.

When the MSK identity and key validity period of each MSK is generated by the BM-SC and then sent to the GCS AS, before the step S45, the GCS AS also needs to receive the MSK identifier and key of each MSK generated and transmitted by the BM-SC. Validity period. In this case, after transmitting the MSK to the BM-SC and sending the MSK to the UEs in the corresponding GCSE group, the GCS AS also sends the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the BM. -SC; Send the MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the UE in the corresponding GCSE group.

Method Embodiment 5:

Referring to FIG. 19, the method for issuing a key in this embodiment includes:

S51. The GCS AS receives a key request message sent by the BM-SC, where the key request message includes a service identifier and a requested number of MSKs.

The GCS AS may send a request message including the number of groups and/or the number of services to the BM-SC according to the number of GCSE groups managed by the GCS AS, and the BM-SC sends the number of groups and/or the number of services sent by the GCS AS according to the number of groups and/or the number of services sent by the GCS AS. A key request message, where the key request message includes a service identifier and a number of MSKs requested, and the GCS AS receives the key request message.

S52. The GCS AS generates an MSK.

S53. The GCS AS establishes a mapping relationship between the MSK and the group identifier and/or service identifier of each GCSE group.

S54. The GCS AS sends the MSK to the BM-SC, and sends the MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

When the MSK identifier and the key validity period of each MSK are generated by the GCS AS, the GCS AS needs to send the MSK to the BM-SC and the UE in the corresponding GCSE group, and also needs to validate the MSK identifier and the key validity period of each MSK. And the group identification and/or industry of the GCSE group corresponding to each MSK. The service identifier is sent to the BM-SC and the UE within the corresponding GCSE group.

When the MSK identity and key validity period of each MSK is generated by the BM-SC and then sent to the GCS AS, before the step S54, the GCS AS also needs to receive the MSK identifier and key of each MSK generated and transmitted by the BM-SC. Validity period. In this case, the sending unit 55 sends the MSK to the BM-SC and the corresponding UE in the GCSE group, and also sends the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the BM-SC; The MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the UEs in the corresponding GCSE group.

The foregoing method embodiments describe the MSK delivery method. The following method embodiments will describe a method for updating the MSK after the MSK is delivered.

Method Embodiment 6:

Referring to FIG. 20, the MSK update method in this embodiment includes:

S61: The GCS AS determines, according to the preset rule, whether the MSK needs to be updated; if yes, step S62 is performed; otherwise, step S64 is performed to end the processing;

S62, GCS AS generates a new MSK;

S63. The GCS AS sends a first key update message to the BM-SC, and sends a second key update message to the UE in the corresponding GCSE group, so that the BM-SC and the UE in the corresponding GCSE group update the key. The new MSK is included in the first key update message and the second key update message.

When the MSK identifier and the key validity period of the new MSK are generated by the GCS AS, the GCS AS also generates an MSK identifier and a key validity period of the new MSK before transmitting the first key update message. The first key update message and the second key update message further include: an MSK identifier of the new MSK and a key validity period, and a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK. .

When the MSK identifier and the key validity period of the new MSK are generated by the BM-SC and sent to the GCS AS, the GCS AS also receives the BM-SC before sending the first key update message to the BM-SC. The MSK identification and key validity period of the new MSK sent. The first key update message further includes: a group identifier and/or a service identifier of the GCSE corresponding to the new MSK; and the second key update message includes: the MSK identifier and the secret of the new MSK Key validity period, the group identifier and/or service identifier of the GCSE corresponding to the new MSK.

Method Embodiment 6 describes a method for the GCS AS to perform MSK update by itself. The method embodiment 7 will describe a method for triggering the GCS AS for MSK update by the BM-SC.

Method Embodiment 7:

Referring to FIG. 21, the MSK update method in this embodiment includes:

S71. The GCS AS receives a key update trigger message sent by the BM-SC, where the key update trigger message includes a group identifier and/or a service identifier of the GCSE group and/or an MSK identifier of the MSK that needs to be updated.

S72. Generate a new MSK.

S73. Send a third key update message to the BM-SC, and send a fourth key update message to the UE in the corresponding GCSE group, so that the BM-SC and the UE in the corresponding GCSE group update the key, the third secret. The new MSK is included in the key update message and the fourth key update message.

When the MSK identifier and the key validity period of the new MSK are generated by the GCS AS, the GCS AS also generates the MSK identifier and the key validity period of the new MSK before transmitting the third key update message to the BM-SC. The third key update message and the fourth key update message further include: an MSK identifier of the new MSK and a key validity period, a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK .

When the MSK identifier and the key validity period of the new MSK are generated by the BM-SC and sent to the GCS AS, the GCS AS also receives the BM-SC transmission before sending the third key update message to the BM-SC. The MSK identity and key validity period of the new MSK. The third key update message further includes: a group identifier and/or a service identifier of the GCSE corresponding to the new MSK; the fourth key is further The new message includes: an MSK identifier of the new MSK and a key validity period, and a group identifier and/or a service identifier of the GCSE corresponding to the new MSK.

The above seven method embodiments describe the method for the MSK to be sent by the GCS AS when the MSK is generated by the GCS AS. The following method embodiment describes the method for the GCS AS to implement the MSK when the MSK is generated by the BM-SC.

Method Embodiment 8:

Referring to FIG. 22, the method of this embodiment includes:

S81, the GCS AS acquires the MSK from the BM-SC;

S82. The GCS AS establishes a mapping relationship between the MSK and the group identifier and/or the service identifier of each group communication service GCSE group.

S83. The GCS AS sends the generated MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

In this embodiment, the GCS AS may obtain the MSK from the BM-SC, establish a mapping relationship between the MSK and the group identifiers and/or service identifiers of the respective GCSE groups, and then map according to the group identifier and/or service identifier of the MSK group and each GCSE group. The relationship is sent to the UE in the corresponding GCSE group, that is, the GCS AS completes the delivery of the MSK in the scenario of partially reusing the MBMS security mechanism.

Method Example 9:

Referring to FIG. 23, when the MSK is generated by the BM-SC, a specific embodiment of the method for the GCS AS to implement the MSK delivery includes:

S91. The GCS AS sends a request message to the BM-SC, where the request message includes the requested number of group identifiers and/or the number of groups and/or the number of requested services.

The GCS AS may send a request message to the BM-SC according to the number of GCSE groups managed by itself, and the number of group identifiers and/or the number of groups requested in the request message and/or the number of requested services may be managed by the GCS AS. The number of GCSE groups is the same.

The request message is used to request the BM-SC to allocate the MSK and the service identifier and/or the group identifier. In addition, the request message is further used to request the BM-SC to generate an MSK identifier and a key validity period for each MSK.

S92. The GCS AS receives the response message sent by the BM-SC, where the response message includes the MSK and the service identifier and/or the group identifier allocated by the BM-SC.

In addition, the response message further includes an MSK identifier and a key validity period of each MSK.

S93. The GCS AS establishes a group identity and/or service of the MSK and each group communication service GCSE group. The mapping relationship of the identifier;

S94. The GCS AS sends the generated MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.

In addition, the GCS AS also sends the identifiers and key validity periods of the respective MSKs, and the group identifiers and/or service identifiers of the GCSE groups corresponding to the respective MSKs to the UEs in the corresponding GCSE group.

It should be noted that, in various embodiments in which the method for issuing a key is described above, it can be understood that among the various mapping relationships sent by the BM-SC to the GCS AS, the mapping relationship itself utilizes the MSK, the group identifier, and The service identifier itself is represented. Therefore, the mapping relationship includes the MSK, the group identifier, the service identifier itself, and the mapping relationship between the three. Of course, in other embodiments, the mapping relationship may also be represented by the identifier of the MSK, the group identifier, and other information of the service identifier. When the BM-SC sends various mapping relationships to the GCS AS, the mapping relationship should also be The MSK, group identification and service identifier involved are sent to the GCS AS.

In addition, in the various embodiments in which the method for issuing a key is described above, the various mapping relationships established by the GCS AS can be understood as that the GCS AS establishes a mapping relationship by using the MSK, the group identifier, and the service identifier itself, and can also understand The GCS AS establishes a mapping relationship by using the information of the MSK identifier, the group identifier, and the service identifier, and is not specifically limited herein.

The method for performing authorization check on the UE provided by the present invention is introduced below.

Method Embodiment 10:

Referring to FIG. 24, the method of this embodiment includes:

S101. The BM-SC establishes a list of authorized UEs corresponding to the service identifier according to the authorized UE list establishment request sent by the GCS AS.

S102. The BM-SC receives a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate.

S103: The BM-SC checks whether the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate, and if yes, the authorization check for the UE is successful, if not, the The authorization check of the UE failed.

In this embodiment, the BM-SC may establish an authorized UE list according to the authorized UE list establishment request sent by the GCS AS, so that after receiving the service activation request sent by the UE, the MME may directly implement the UE according to the authorized UE list established by the UE. Authorization check, which realizes the service authorization of the BM-SC to the UE in the scenario of completely reusing the MBMS security mechanism when the BM-SC is invisible to the GCSE group. an examination.

Method Embodiment 11:

This embodiment is a detailed description of the method for performing the authorization check on the UE in the present invention. Referring to FIG. 25, the method in this embodiment includes:

S111. The BM-SC receives a request message sent by the GCS AS, where the request message includes the number of requested group identifiers and/or the number of groups and/or the number of requested services.

The GCS AS sends a request message to the BM-SC according to the number of GCSE groups managed by itself, and the number of group identifiers and/or the number of groups and/or the number of requested services of the request may be related to the GCSE group managed by the GCS AS. The number is the same.

S112. The BM-SC generates a service identifier.

S113. The BM-SC sends a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS allocates the service identifier to each GCSE group.

In addition, the BM-SC may generate a group identifier according to the request message, and may also generate a group identifier, and send the group identifier to the GCS AS, so that the GCS AS also assigns the group identifier to each GCSE group. The group identification here can be understood as a mobile temporary group identification.

S114. The BM-SC establishes a list of authorized UEs corresponding to the service identifier according to the authorized UE list establishment request sent by the GCS AS.

After the GCS AS allocates the service identifier to each GCSE group, the authorized UE list establishment request is sent according to the UE included in each GCSE group, where the authorized UE list establishment request includes the service identifier of the GCSE group and the identifier of the corresponding authorized UE. . The authorized UE list corresponding to each service identifier includes the identifier of the corresponding UE.

S115. The BM-SC receives a service activation request sent by the GCS AS.

The service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate.

S116. The BM-SC checks whether the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate. If yes, the authorization check for the UE is successful. If not, the authorization for the UE is performed. The check failed;

S117. The BM-SC receives an authorized UE list update request sent by the GCS AS.

S118. The BM-SC updates the corresponding authorized UE list.

The BM-SC may send the authorized UE list update request to the BM-SC, where the MME-SC receives the authorized UE list update request, and the authorized UE list update request includes the service identifier and the UE. Identifying, deleting, and/or adding an indication; the BM-SC updates the corresponding authorized UE list according to the authorized UE list update request. The following examples are given:

Method Embodiment 12:

In the embodiment of the method, the GCSE group does not need the group identifier, or the group identifier is the temporary mobile group identifier generated by the BM-SC. In this embodiment, the BM-SC authorizes the UE when the group identifier of the GCSE is the fixed group identifier. For the method of checking, please refer to FIG. 26, the method of this embodiment includes:

S121. The BM-SC receives a request message sent by the GCS AS, where the request message includes a group identifier of the GCSE group.

The GCS AS sends a request message to the BM-SC according to the number of GCSE groups that it manages. The request message includes the group identifier of the GCSE group, and the number of group identifiers is the same as the number of GCSE groups managed by the GCS AS.

S122. The BM-SC generates a service identifier and establishes a mapping relationship between the group identifier and the service identifier.

S123. The BM-SC establishes an authorized UE list according to the authorized UE list establishment request sent by the GCS AS, where the authorized UE list establishment request includes the group identifier of the GCSE group and the corresponding authorized UE. Identification

The GCS AS sends an authorized UE list establishment request according to the UE included in each GCSE group, where the authorized UE list establishment request includes the group identifier of the GCSE group and the identifier of the corresponding authorized UE. The BM-SC searches for the service identifier corresponding to the group identifier included in the authorized UE list establishment request according to the mapping relationship between the group identifier and the service identifier, and establishes the list of authorized UEs corresponding to the found service identifier. The authorized UE list contains the identifier of the corresponding UE.

S124. The BM-SC receives a service activation request sent by the UE.

The service activation request includes the identifier of the UE and the service identifier of the service that the UE wants to activate.

S125. The BM-SC checks whether the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate. If yes, the authorization check for the UE succeeds. If not, the MME-SC The authorization check of the UE fails.

S126. An authorized UE list update request received by the BM-SC.

S127. The BM-SC updates the corresponding authorized UE list.

When the GCS AS finds that the authorized UE list needs to be updated, the BM-SC may send an authorized UE list update request, and the BM-SC receives the authorized UE list update request, where the authorized UE list update request includes the service identifier and/or The group identifier, the identifier of the UE, the deletion, and/or the addition indication; the BM-SC updates the corresponding authorized UE list according to the authorized UE list update request.

Method Embodiments 11 and 12 describe a method in which the BM-SC itself establishes an authorized UE list, thereby implementing an authorization check on the UE. The following embodiment will describe that the BM-SC itself does not establish an authorized UE list, but needs to be a UE. The method of performing an authorization check.

Method Embodiment 13:

Referring to FIG. 27, the method of this embodiment includes:

S131. The BM-SC receives a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate.

S132. Send an authorization check request to the GCS AS, to request the GCS AS to check whether the identifier of the UE is in a group communication service GCSE group corresponding to the service identifier of the service that the UE wants to activate, and if yes, The authorization check of the UE is successful. If not, the authorization check of the UE fails.

In this embodiment, after receiving the service activation request sent by the UE, the BM-SC sends an authorization check request to the GCS AS to request the GCS AS to perform an authorization check on the UE, so that the BM-SC implements the authorization check. When the BM-SC is invisible to the GCSE group, the BM-SC checks the service authorization of the UE in the scenario of completely reusing the MBMS security mechanism.

Method Embodiment 14:

This embodiment is a detailed description of a method in which the BM-SC does not establish an authorized UE list, but needs to perform an authorization check on the UE. Referring to FIG. 28, the method in this embodiment includes:

S141. The BM-SC receives the request message sent by the GCS AS, where the request message includes the requested number of group identifiers and/or the number of groups and/or the number of requested services.

The GCS AS sends a request message to the BM-SC according to the number of GCSE groups that it manages, where the request message includes the number of requested group identifiers and/or the number of groups and/or the number of requested services, the requested The number of group identifiers and/or the number of groups and/or the number of requested services may be the same as the number of GCSE groups managed by the GCS AS, and the BM-SC receives the request message sent by the GCS AS.

S142. The BM-SC generates a service identifier.

S143. The BM-SC sends a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS assigns the service identifier to each GCSE group.

At this time, the GCS AS is equivalent to having a list of authorized UEs corresponding to the service identifier.

S144. The BM-SC receives an authorization check request sent by the UE, where the authorization check request includes an identifier of the UE and a service identifier of a service that the UE wants to activate.

S145. The BM-SC sends an authorization check request to the GCS AS to request the GCS AS to check whether the identifier of the UE is in a group communication service GCSE group corresponding to the service identifier of the service that the UE wants to activate. The authorization check for the UE is successful, and if not, the authorization check for the UE fails.

After the GCS AS performs an authorization check on the UE, the authorization check result can be sent to the BM-SC.

The following examples are given:

For example, the GCS AS manages two GCSE groups, the first GCSE group includes UE1 and UE2, and the second GCSE group includes UE3 and UE4. After the BM-SC sends the generated group identifier and the service identifier to the GCS AS, the GCS AS assigns the group identifier (temporary mobile group identifier) and the service identifier to each GCSE group (for example, group ID 1 and service identifier 1 are grouped together). And assigned to the first GCSE group, The group identifier 2 and the service identifier 2 are grouped and assigned to the second GCSE group. When the BM-SC receives the service activation request sent by a certain UE, the BM-SC may send an authorization check request to the GCS AS to request The GCS AS checks whether the identity of the UE is in the GCSE group corresponding to the service identifier of the service that the UE wants to activate. If yes, the authorization check for the UE is successful. If not, the authorization check for the UE fails.

Method Example 15:

In the fourteenth method, the GCSE group is not required to be the group identifier, or the group identifier is the temporary mobility group identifier generated by the BM-SC. In this embodiment, the method for performing the authorization check on the UE when the group identifier of the GCSE is the fixed group identifier is introduced. Referring to FIG. 29, the method of this embodiment includes:

S151. The BM-SC receives a request message sent by the GCS AS, where the request message includes a group identifier of the GCSE group.

In a specific implementation, the GCS AS may send a request message to the BM-SC according to the number of the GCSE groups that it manages, where the request message includes the group identifier of the GCSE group. In this case, the GCS AS itself has a group identifier corresponding to the group. Authorize the list of UEs.

S152. Generate a service identifier and establish a mapping relationship between the group identifier and the service identifier.

S153. Receive a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate.

S154. Search for a group identifier corresponding to the service identifier included in the service activation request.

S155. The device sends an authorization check request to the GCS AS, where the authorization check request includes the identifier of the UE and a group identifier corresponding to the service identifier of the service that the UE wants to activate, to request the GCS AS to check the UE. Whether the identifier is in the GCSE group corresponding to the group identifier corresponding to the service identifier of the service that the UE wants to activate.

In the several embodiments provided herein, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the device embodiments described above are merely illustrative. For example, the division of the unit is only a logical function division. In actual implementation, there may be another division manner, for example, multiple units or components may be combined or may be Integrate into another system, or some features can be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical or otherwise.

The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, which is essential or contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium. A number of instructions are included to cause a computer device (which may be a personal computer, server or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention. The foregoing storage medium includes: a U disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, and the like. .

The above embodiments are only used to illustrate the technical solutions of the present invention, and are not intended to be limiting; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that The technical solutions described in the embodiments are modified, or some of the technical features are replaced by equivalents; and the modifications or substitutions do not deviate from the scope of the technical solutions of the embodiments of the present invention.

Claims

A group communication service application server GCS AS, comprising:

An MSK generating unit, configured to generate a multimedia broadcast multicast service key MSK;

a processing unit, configured to establish or obtain, from the broadcast multicast service center BM-SC, a mapping relationship between the MSK and the group identifier and/or the service identifier of each group communication service GCSE group;

And a sending unit, configured to send the generated MSK to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.
The GCS AS of claim 1 wherein:

The sending unit is further configured to: before the MSK generating unit generates the MSK, send a request message to the BM-SC, where the request message includes the requested group identifier number and/or the number of groups and/or the request The number of services, the request message is used to request the BM-SC to allocate a service identifier and/or a group identifier;

The GCS AS also includes:

a first receiving unit, configured to receive a response message sent by the BM-SC, where the response message includes a service identifier and/or a group identifier allocated by the BM-SC;

The sending unit is further configured to: after the processing unit establishes a mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group, send the MSK to the BM-SC.
The GCS AS of claim 1 wherein:

The sending unit is further configured to: after the MSK generating unit generates the MSK, send a request message to the BM-SC, where the request message includes the requested group identifier number and the MSK, where the request message is used for the request The BM-SC allocates a group identifier and/or a service identifier and establishes a mapping relationship between each group identifier and/or each service identifier and each MSK;

The processing unit is configured to receive a response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and/or each service identifier and each MSK.
The GCS AS according to claim 1, wherein the GCS AS further comprises:

a mapping establishing unit, configured to establish, after the MSK generating unit generates the MSK, a mapping relationship between the MSK and the group identifier of each GCSE group;

The sending unit is further configured to send a request message to the BM-SC, where the request message includes a mapping relationship between each MSK and a group identifier of each GCSE group, where the request message is used to request a location The BM-SC allocates a service identifier and establishes a mapping relationship between each service identifier and each group identifier.

The processing unit is configured to receive a response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and each service identifier.
The GCS AS according to claim 1, wherein the GCS AS further comprises:

a second receiving unit, configured to receive a key request message sent by the BM-SC before the MSK generating unit generates an MSK, where the key request message includes a service identifier and a requested number of MSKs;

The sending unit is further configured to: after the processing unit establishes a mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group, send the MSK to the BM-SC.
The GCS AS according to any one of claims 2 to 5, wherein the MSK generating unit is further configured to generate an MSK identifier and a key validity period for each MSK;

The sending unit is further configured to: when the MSK is sent to the BM-SC, or after sending the MSK to the UE in the corresponding GCSE group, the MSK identifier and the key validity period of each MSK, and each MSK. The group identifier and/or service identifier of the corresponding GCSE group is sent to the UE in the BM-SC and the corresponding GCSE group.
The GCS AS according to any one of claims 2 to 5, wherein the GCS AS further comprises:

a third receiving unit, configured to: before the sending unit sends the generated MSK to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group, receiving the BM-SC sending The MSK identifier and the key validity period of each MSK, and the MSK identifier and key validity period of each MSK are generated by the BM-SC;

The sending unit is further configured to: when the MSK is sent to the BM-SC, or after sending the MSK to the UE in the corresponding GCSE group, the group identifier and/or service of the GCSE group corresponding to each MSK. The identifier is sent to the BM-SC; the MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the UE in the corresponding GCSE group.
The GCS AS according to any one of claims 1 to 5, wherein the GCS AS further comprises:

a determining unit, configured to determine, according to a preset rule, whether the MSK needs to be updated;

The MSK generating unit is further configured to: when the determining result of the determining unit is yes, generate a new MSK;

The sending unit is further configured to send a first key update message to the BM-SC, and send a second key update message to the UE in the corresponding GCSE group, so that the BM-SC and the corresponding GCSE group The UE updates the key, and the new MSK is included in the first key update message and the second key update message.
The GCS AS of claim 8, wherein the predetermined rule comprises joining and/or leaving of the UE within the GCSE group, or MSK to an expiration date.
The GCS AS of claim 8 wherein:

The MSK generating unit is further configured to: before the sending unit sends the first key update message to the BM-SC, generate an MSK identifier and a key validity period of the new MSK;

The first key update message and the second key update message further include: an MSK identifier of the new MSK and a key validity period, and a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK. .
The GCS AS of claim 8, wherein the GCS AS further comprises:

a fourth receiving unit, configured to receive an MSK identifier and a key validity period of the new MSK sent by the BM-SC before the sending unit sends the first key update message to the BM-SC;

The first key update message further includes: a group identifier and/or a service identifier of the GCSE corresponding to the new MSK; and the second key update message includes: the MSK identifier and the secret of the new MSK Key validity period, the group identifier and/or service identifier of the GCSE corresponding to the new MSK.
The GCS AS according to any one of claims 1 to 5, wherein the GCS AS further comprises:

a fifth receiving unit, configured to receive a key update trigger message sent by the BM-SC, where the key update trigger message includes a group identifier and/or a service identifier of the GCSE group and/or an MSK of the MSK that needs to be updated. Identification

The MSK generating unit is further configured to generate a new MSK;

The sending unit is further configured to send a third key update message to the BM-SC, and send a fourth key update message to the UE in the corresponding GCSE group, so that the BM-SC and the corresponding GCSE group The UE updates the key, and the third key update message and the fourth key update message include the new MSK.
The GCS AS of claim 12, wherein

The MSK generating unit is further configured to send a third secret to the BM-SC at the sending unit. Generating the MSK identifier and the key validity period of the new MSK before the key update message;

The third key update message and the fourth key update message further include: an MSK identifier of the new MSK and a key validity period, a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK .
The GCS AS of claim 12, wherein the GCS AS further comprises:

a sixth receiving unit, configured to receive, after the sending unit sends a third key update message to the BM-SC, an MSK identifier and a key validity period of the new MSK sent by the BM-SC;

The third key update message further includes: a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK; and the fourth key update message further includes: the MSK identifier of the new MSK And a key validity period, a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK.
A group communication service application server GCS AS, comprising:

An obtaining unit, configured to acquire a multimedia broadcast multicast service key MSK from a broadcast multicast service center BM-SC;

a mapping establishing unit, configured to establish a mapping relationship between the MSK and the group identifier and/or the service identifier of each group communication service GCSE group;

And a sending unit, configured to send the generated MSK to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group.
The GCS AS of claim 15 wherein:

The sending unit is further configured to: before the acquiring unit acquires the MSK from the BM-SC, send a request message to the BM-SC, where the request message includes the requested group identifier number and/or group Number and/or number of requested services, the request message is used to request the BM-SC to allocate an MSK and a service identifier and/or a group identifier;

The acquiring unit is configured to receive a response message sent by the BM-SC, where the response message includes an MSK and a service identifier and/or a group identifier that are allocated by the BM-SC.
The GCS AS according to claim 16, wherein the request message is further used to request the BM-SC to generate an MSK identifier and a key validity period for each MSK;

The response message further includes an MSK identifier and a key validity period of each MSK;

The sending unit is further configured to: when sending the MSK to the UE in the corresponding GCSE group, send the identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK to the corresponding UEs within the GCSE group.
A broadcast multicast service center BM-SC, which is characterized by comprising:

a list establishing unit, configured to establish, according to the authorized UE list establishment request sent by the group communication service application server GCS AS, an authorized UE list corresponding to the service identifier;

a receiving unit, configured to receive a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

An authorization checking unit, configured to check whether the identifier of the UE is in an authorized UE list corresponding to the service identifier of the service that the UE wants to activate, if yes, the authorization check for the UE is successful, if not, then The authorization check of the UE fails.
The BM-SC according to claim 18, characterized in that

The receiving unit is further configured to: before the list establishing unit establishes the authorized UE list corresponding to the service identifier, receive a request message sent by the GCS AS, where the request message includes the requested group identifier number and/or group Number and/or number of services requested;

The BM-SC also includes:

a first generating unit, configured to generate a service identifier;

a sending unit, configured to send a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS allocates a service identifier to each group communication service GCSE group;

The GCS AS sends the authorized UE list establishment request according to the UE included in each GCSE group, where the authorized UE list establishment request includes the service identifier of the GCSE group and the identifier of the corresponding authorized UE.
The BM-SC according to claim 18, characterized in that

The receiving unit is further configured to: before the list establishing unit establishes the authorized UE list corresponding to the service identifier, receive the request message sent by the GCS AS, where the request message includes a group identifier of the GCSE group;

The BM-SC also includes:

a second generating unit, configured to generate a service identifier and establish a mapping relationship between the group identifier and the service identifier;

The GCS AS sends the authorized UE list establishment request according to the UE included in each GCSE group, where the authorized UE list establishment request includes the group identifier of the GCSE group and the identifier of the corresponding authorized UE.

The list establishing unit is specifically configured to:

Finding, according to the mapping relationship, a group identifier corresponding to the group identifier included in the authorized UE list establishment request The service identifier is a list of authorized UEs corresponding to the service identifier.
The BM-SC according to claim 19, characterized in that

The receiving unit is further configured to: receive an authorized UE list update request sent by the GCS AS, where the authorized UE list update request includes a service identifier, an identifier of the UE, and a deletion and/or an addition indication;

The BM-SC also includes:

And a first update unit, configured to update the corresponding authorized UE list according to the authorized UE list update request.
The BM-SC according to claim 20, characterized in that

The receiving unit is further configured to: receive an authorized UE list update request sent by the GCS AS, where the authorized UE list update request includes a group identifier and/or a service identifier, an identifier, a deletion, and/or an addition indication of the UE;

The BM-SC also includes:

And a second updating unit, configured to update the corresponding authorized UE list according to the authorized UE list update request.
A broadcast multicast service center BM-SC, which is characterized by comprising:

a receiving unit, configured to receive a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

a sending unit, configured to send an authorization check request to the group communication service application server GCS AS, to request the GCS AS to check whether the identifier of the UE is a group communication service GCSE group corresponding to a service identifier of a service that the UE wants to activate If yes, the authorization check for the UE is successful, and if not, the authorization check for the UE fails.
The BM-SC according to claim 23, characterized in that

The receiving unit is further configured to: before receiving the service activation request sent by the UE, receive a request message sent by the GCS AS, where the request message includes the requested group identifier number and/or the number of groups and/or the request Number of businesses;

The BM-SC also includes:

a first generating unit, configured to generate a service identifier;

The sending unit is further configured to send a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS assigns a service identifier to each GCSE group;

The authorization check request includes an identifier of the UE and a service of the service that the UE wants to activate. Service identification.
The BM-SC according to claim 23, characterized in that

The receiving unit is further configured to: before receiving the service activation request sent by the UE, receive a request message sent by the GCS AS, where the request message includes a group identifier of a GCSE group;

The BM-SC also includes:

a second generating unit, configured to generate a service identifier and establish a mapping relationship between the group identifier and the service identifier;

a searching unit, configured to search for a group identifier corresponding to the service identifier included in the service activation request, before the sending unit sends an authorization check request to the GCS AS;

The authorization check request includes the identifier of the UE and a group identifier corresponding to the service identifier of the service that the UE wants to activate.
A method for issuing a key, comprising:

Generating a multimedia broadcast multicast service key MSK;

Establishing or obtaining a mapping relationship between the MSK and the group identifier and/or service identifier of each group communication service GCSE group from the broadcast multicast service center BM-SC;

The generated MSK is sent to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identity and/or the service identifier of each GCSE group.
The method of claim 26, wherein before the generating the MSK, the method further comprises:

Sending a request message to the BM-SC, where the request message includes the requested number of group identifiers and/or the number of groups and/or the number of requested services, and the request message is used to request the BM-SC allocation Business identification and/or group identification;

Receiving a response message sent by the BM-SC, where the response message includes a service identifier and/or a group identifier allocated by the BM-SC;

After the mapping between the MSK and the group identity and/or the service identifier of each GCSE group is established, the method further includes:

The MSK is sent to the BM-SC.
The method of claim 26, wherein after the generating the MSK, the method further comprises:

Sending a request message to the BM-SC, where the request message includes the requested group identifier number and the MSK, where the request message is used to request the BM-SC to allocate a group identifier and/or a service identifier and establish each Group identification and/or mapping relationship between each service identifier and each MSK;

The mapping relationship between the MSK and the group identifier and/or service identifier of each GCSE group obtained from the BM-SC includes:

And receiving, by the BM-SC, a response message, where the response message includes a mapping relationship between each group identifier and/or each service identifier and each MSK.
The method of claim 26, wherein after the generating the MSK, the method further comprises:

Establish a mapping relationship between the MSK and the group identifier of each GCSE group;

Sending a request message to the BM-SC, where the request message includes a mapping relationship between the MSK and a group identifier of each GCSE group, where the request message is used to request the BM-SC to allocate a service identifier and establish each service identifier and each Mapping relationship of group identifiers;

The mapping relationship between the MSK and the group identifier and/or service identifier of each GCSE group obtained from the BM-SC includes:

Receiving a response message sent by the BM-SC, where the response message includes a mapping relationship between each group identifier and each service identifier.
The method of claim 26, wherein before the generating the MSK, the method further comprises:

Receiving a key request message sent by the BM-SC, where the key request message includes a service identifier and a requested number of MSKs;

After the mapping between the MSK and the group identity and/or the service identifier of each GCSE group is established, the method further includes:

The MSK is sent to the BM-SC.
The method according to any one of claims 27 to 30, wherein before the generated MSK is transmitted to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group, Also includes:

Generate an MSK identifier and a key validity period for each MSK;

When the MSK is sent to the BM-SC, or after the MSK is sent to the UE in the corresponding GCSE group, the method further includes:

The MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK are sent to the BM-SC and the UE in the corresponding GCSE group.
The method according to any one of claims 27 to 30, wherein the MSK is sent to the UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identifier and/or the service identifier of each GCSE group. ,Also includes:

Receiving an MSK identifier and a key validity period of each MSK sent by the BM-SC, and an MSK identifier and a key validity period of each MSK are generated by the BM-SC;

When the MSK is sent to the BM-SC, or after the MSK is sent to the UE in the corresponding GCSE group, the method further includes:

Sending the group identifier and/or the service identifier of the GCSE group corresponding to each MSK to the BM-SC; sending the MSK identifier and the key validity period of each MSK, and the group identifier and/or service identifier of the GCSE group corresponding to each MSK. Give the UEs in the corresponding GCSE group.
The method of any of claims 26 to 30, wherein the method further comprises:

Determine whether the MSK needs to be updated according to a preset rule;

If yes, generate a new MSK;

Sending a first key update message to the BM-SC, and sending a second key update message to the UE in the corresponding GCSE group, so that the BM-SC and the UE in the corresponding GCSE group update the key, where the The new MSK is included in a key update message and the second key update message.
The method of claim 33, wherein the preset rule comprises joining and/or leaving of the UE within the GCSE group, or MSK to an expiration date.
The method of claim 33, further comprising: before sending the first key update message to the BM-SC,

Generating an MSK identifier and a key validity period of the new MSK;

The first key update message and the second key update message further include: an MSK identifier of the new MSK and a key validity period, and a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK. .
The method of claim 33, further comprising: before sending the first key update message to the BM-SC,

Receiving an MSK identifier and a key validity period of the new MSK sent by the BM-SC;

The first key update message further includes: a group identifier and/or a service identifier of the GCSE corresponding to the new MSK; and the second key update message includes: the MSK identifier of the new MSK And a key validity period, a group identifier and/or a service identifier of the GCSE corresponding to the new MSK.
The method of any of claims 26 to 30, wherein the method further comprises:

Receiving a key update trigger message sent by the BM-SC, where the key update trigger message includes a group identifier and/or a service identifier of the GCSE group and/or an MSK identifier of the MSK that needs to be updated;

Generate a new MSK;

Sending a third key update message to the BM-SC, and sending a fourth key update message to the UE in the corresponding GCSE group, so that the BM-SC and the UE in the corresponding GCSE group update the key, where the The new MSK is included in the three key update message and the fourth key update message.
The method according to claim 37, further comprising: before transmitting the third key update message to the BM-SC;

Generating an MSK identifier and a key validity period of the new MSK;

The third key update message and the fourth key update message further include: an MSK identifier of the new MSK and a key validity period, a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK .
The method of claim 37, further comprising: before transmitting the third key update message to the BM-SC,

Receiving an MSK identifier and a key validity period of the new MSK sent by the BM-SC;

The third key update message further includes: a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK; and the fourth key update message further includes: the MSK identifier of the new MSK And a key validity period, a group identifier and/or a service identifier of the GCSE group corresponding to the new MSK.
A method for issuing a key, comprising:

Obtaining a multimedia broadcast multicast service key MSK from the broadcast multicast service center BM-SC;

Establish a mapping relationship between the MSK and the group identifier and/or service identifier of each group communication service GCSE group;

The generated MSK is sent to the user equipment UE in the corresponding GCSE group according to the mapping relationship between the MSK and the group identity and/or the service identifier of each GCSE group.
The method of claim 40, wherein before the obtaining the MSK from the BM-SC, the method further comprises:

Sending a request message to the BM-SC, where the request message includes the number of requested group identifiers and/or Or the number of groups and/or the number of services requested, the request message is used to request the BM-SC to allocate an MSK and a service identifier and/or a group identifier;

The obtaining the MSK from the BM-SC includes:

Receiving a response message sent by the BM-SC, where the response message includes an MSK and a service identifier and/or a group identifier allocated by the BM-SC.
The method according to claim 41, wherein the request message is further configured to request the BM-SC to generate an MSK identifier and a key validity period for each MSK;

The response message further includes an MSK identifier and a key validity period of each MSK;

When the MSK is sent to the UE in the corresponding GCSE group, the method further includes:

The identifiers of the respective MSKs and the key validity period, and the group identifiers and/or service identifiers of the GCSE groups corresponding to the respective MSKs are sent to the UEs in the corresponding GCSE group.
A method for performing authorization check on a user equipment UE, which is characterized by:

And establishing, according to the authorized UE list establishment request sent by the group communication service application server GCS AS, the authorized UE list corresponding to the service identifier;

Receiving a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

Checking whether the identifier of the UE is in the authorized UE list corresponding to the service identifier of the service that the UE wants to activate, if yes, the authorization check for the UE is successful, and if not, the authorization check for the UE failure.
The method according to claim 43, wherein before the establishing the list of authorized UEs corresponding to the service identifier, the method further comprises:

Receiving a request message sent by the GCS AS, where the request message includes the number of requested group identifiers and/or the number of groups and/or the number of requested services;

Generate a business identifier;

Sending a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS allocates a service identifier to each group communication service GCSE group;

The GCS AS sends the authorized UE list establishment request according to the UE included in each GCSE group, where the authorized UE list establishment request includes the service identifier of the GCSE group and the identifier of the corresponding authorized UE.
The method of claim 43 wherein the establishing of the service identifier corresponds to the grant Before the right UE list, it also includes:

Receiving a request message sent by the GCS AS, where the request message includes a group identifier of a GCSE group;

Generate a service identifier and establish a mapping relationship between the group identifier and the service identifier.

The GCS AS sends the authorized UE list establishment request according to the UEs included in the respective GCSE groups, where the authorized UE list establishment request includes the group identifier of the GCSE group and the identifier of the corresponding authorized UE, according to the GCS AS The authorized UE list establishment request to send the authorized UE corresponding to the service identifier includes:

And determining, according to the mapping relationship, a service identifier corresponding to the group identifier included in the authorized UE list establishment request, and establishing an authorized UE list corresponding to the service identifier.
The method of claim 44, wherein the method further comprises:

Receiving an authorized UE list update request sent by the GCS AS, where the authorized UE list update request includes a service identifier, an identifier of the UE, and a deletion and/or an addition indication;

Updating the corresponding authorized UE list according to the authorized UE list update request.
The method of claim 45, wherein the method further comprises:

Receiving an authorized UE list update request sent by the GCS AS, where the authorized UE list update request includes a group identifier and/or a service identifier, an identifier, a deletion, and/or an addition indication of the UE;

Updating the corresponding authorized UE list according to the authorized UE list update request.
A method for performing authorization check on a user equipment UE, which is characterized by:

Receiving a service activation request sent by the UE, where the service activation request includes an identifier of the UE and a service identifier of a service that the UE wants to activate;

Sending an authorization check request to the group communication service application server GCS AS to request the GCSAS to check whether the identifier of the UE is in a group communication service GCSE group corresponding to the service identifier of the service that the UE wants to activate, if yes, The authorization check for the UE is successful, and if not, the authorization check for the UE fails.
The method of claim 48, wherein the method further comprises: before receiving the service activation request sent by the UE, the method further comprising:

Receiving a request message sent by the GCS AS, where the request message includes the number of requested group identifiers and/or the number of groups and/or the number of requested services;

Generate a business identifier;

Sending a response message to the GCS AS, where the response message includes a service identifier, so that the GCS AS assigns a service identifier to each GCSE group;

The authorization check request includes an identifier of the UE and a service identifier of a service that the UE wants to activate.
The method of claim 48, wherein the method further comprises: before receiving the service activation request sent by the UE, the method further comprising:

Receiving a request message sent by the GCS AS, where the request message includes a group identifier of a GCSE group;

Generate a service identifier and establish a mapping relationship between the group identifier and the service identifier.

Before sending an authorization check request to the GCS AS, it also includes:

Finding a group identifier corresponding to the service identifier included in the service activation request;

The authorization check request includes the identifier of the UE and a group identifier corresponding to the service identifier of the service that the UE wants to activate.