WO2018076298A1 - Security capability negotiation method and related device - Google Patents


Info

Publication number
WO2018076298A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
core network
network element
security capability
entity
Prior art date
Application number
PCT/CN2016/103839
Other languages
French (fr)
Chinese (zh)
Inventor
李�赫
陈璟
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority to PCT/CN2016/103839
Publication of WO2018076298A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H04W12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    • H04W12/80 Arrangements enabling lawful interception [LI]
    • H04W28/00 Network traffic management; Network resource management
    • H04W28/16 Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
    • H04W28/18 Negotiating wireless communication parameters

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a security capability negotiation method and related devices.
  • the Long Term Evolution (LTE) system architecture is shown in Figure 1.
  • the Mobility Management Entity (MME) is the network element responsible for security, mobility management, and session management at the core network side.
  • security: the user equipment (UE) needs to perform mutual authentication with the network when it initially enters the network.
  • after mutual authentication, the UE and the core network generate a key.
  • the UE and the MME perform algorithm negotiation, that is, security capability negotiation.
  • mobility management records the location information of the UE and selects a suitable user plane network element device for the UE according to that location information.
  • Session management is responsible for establishing the user plane link of the UE.
  • the Home Subscriber Server (HSS) is used to store the subscription information of the user.
  • HSS Home Subscriber Server
  • the MME is divided into three functions: NG Auth. Function (AUF), User Management (UMF), and Session Management (SM).
  • NG Auth. Function (AUF)
  • UMF User Management
  • SM Session Management
  • CP NF Control Plane Network Function
  • UP NF Packet Data Network Gateway
  • P-GW Packet Data Network Gateway
  • Common CP NF Common CP NF is a control plane function shared by several slices, including UMF and AUF.
  • the Slice Select Function is used to help the UE select a slice.
  • an Authentication Credential Repository and Processing Function (ARPF) is used to store the subscription data of a user in Unified Data Management (UDM).
  • AUF can be deployed independently or together with entities with UMF capabilities.
  • the AUF may be further divided into an entity such as a Security Anchor Function (SEAF), a security context management function, and a security policy management function, where the SEAF entity is used to interact with the UE and the authentication server, and receive the intermediate secret after the authentication process.
  • the security context management function (SCMF) entity is used to obtain the key from the SEAF entity and further derive other keys.
  • the UE initiates an attach process, which includes a security process.
  • the security process includes two processes: two-way authentication with key generation, and security capability negotiation.
  • Two-way authentication means that the UE and the core network authenticate each other. The effect that can be achieved after the end of authentication is that the UE considers the core network to be authentic, and the core network considers that the UE is authentic.
  • a key for protecting NAS messages is generated during or after authentication. After the key is generated, the security capability negotiation between the UE and the MME is started; the security capabilities negotiated are the encryption algorithm and the integrity protection algorithm used subsequently.
  • Step 1 The UE initiates an attach request (Attach Request);
  • Step 2 Perform mutual authentication between the UE and the SEAF entity.
  • Step 3 The UMF entity requests a security context from the SEAF entity.
  • Step 4 The UE and the UMF entity initiate a NAS MM SMC process, which is an MM algorithm negotiation process.
  • Step 5 The SSF entity forwards the Attach Request to the UMF entity.
  • the UE and the UMF entity complete the remaining attach process
  • Step 6 The UMF entity forwards the session management request to the SMF entity.
  • Step 7 The SMF entity obtains a security policy.
  • Step 8 The SMF entity obtains the user plane security context of the UE from the SEAF entity, and the content of the user plane security context has not been defined.
  • Step 9 The SMF entity initiates a user plane NAS UP SMC process
  • Step 10 Start other security processes.
  • the embodiments of the present invention provide a security capability negotiation method and related equipment, which are used to implement security capability negotiation between a UE and a core network in 5G.
  • the embodiment of the present invention provides a security capability negotiation method, including: a security function entity acquiring a security capability priority list of a core network element; the security function entity determining, according to the security capability priority list of the core network element and the security capability that the UE can use, the security capability of the UE selected for the core network element; and the security function entity notifying the core network element of the selected security capability of the UE.
  • the security function entity selects an appropriate security capability for the core network element, which achieves centralized control and relieves the core network element: the security capability can be handled centrally in one network element, the core network element's need to support security functions is weakened, and security increases.
  • before the security function entity obtains the security capability priority list of the core network element, the method further includes: the security function entity determining a security capability that the UE can use.
  • the security function entity determines the security capability that the terminal UE can use as follows: the security function entity acquires the security capability supported by the UE, as reported by the UE, and determines the security capability supported by the UE as the security capability that the UE can use. In this implementation manner the subscription-based security capability of the UE is not required, which further weakens the need for the entity storing the subscription information to support security capabilities.
  • alternatively, the security function entity acquires, from an authentication credential repository and processing function (ARPF) entity, the security capability that the UE is allowed to use, acquires the security capability supported by the UE from the UE, and determines the security capability that the UE can use according to the security capability allowed for the UE and the security capability supported by the UE.
  • UEs in different subscription states thus have different security level usage rights, so that the UE uses security capabilities according to its subscription.
  • the core network element is a user management function UMF entity or a session management function SMF entity or a user plane core network element allocated to the UE.
  • the security function entity acquires a security capability priority list of the UMF entity as follows: the security function entity receives a first request message sent by the UMF entity, where the first request message carries the security capability priority list of the UMF entity; the security function entity acquires the security capability priority list of the UMF entity carried in the first request message.
  • the UMF entity reports the security capability priority list to the security function entity, so that the security function entity can select an appropriate security capability for the UMF entity, and weaken the UMF entity's support for the security function.
  • the security function entity obtains a security capability priority list of a user plane core network element allocated to the UE as follows: the security function entity receives a second request message sent by the SMF entity.
  • the second request message carries the security capability priority list of the user plane core network element allocated to the UE; the security function entity acquires the security capability priority list of the user plane core network element allocated to the UE that is carried in the second request message.
  • the SMF entity reports the security capability priority list of the user plane core network element allocated to the UE to the security function entity, so that the security function entity can select an appropriate security capability for that user plane core network element, which weakens the need for the SMF entity and the user plane core network element to support security functions.
  • the second request message further includes a security capability priority list of the SMF entity, where the security function entity acquires a security capability priority list of the SMF entity, including: the security function entity Obtaining a security capability priority list of the SMF entity carried in the second request message.
  • the SMF entity reports the security capability priority list of the SMF entity to the security function entity, so that the security function entity can select an appropriate security capability for the SMF entity, and weaken the support of the SMF entity for the security function.
  • the security function entity notifies the core network element of the security capability of the UE selected for the UMF entity as follows: the security function entity returns a first response message to the UMF entity, where the first response message carries the security capability of the UE selected for the UMF entity and indication information of the security capability supported by the UE.
  • the indication information of the security capability supported by the UE is a hash value obtained by hashing the security capability supported by the UE with a related key, or information obtained by encrypting the security capability supported by the UE. This embodiment further reduces the number of times the security capabilities supported by the UE are exposed and improves security.
  • the security capability allowed for the UE obtained from the ARPF entity is the security capability that the UE is allowed to use under each slice that it can access.
  • the embodiment of the present invention provides a security capability negotiation method, including: a first core network element sends a request message to a security function entity, where the request message carries a security capability priority list of the first core network element and/or of a second core network element; the first core network element receives a response message returned by the security function entity, where the response message carries the security capability of the UE selected by the security function entity for the first core network element and/or for the second core network element. The security capability of the UE selected for the first core network element is determined by the security function entity according to the security capability priority list of the first core network element and the security capability that the UE can use; the security capability of the UE selected for the second core network element is determined by the security function entity according to the security capability priority list of the second core network element and the security capability that the UE can use.
  • the first core network element is a user management function UMF entity or a session management function SMF entity; or the first core network element is a session management function SMF entity, and the second core The network element is a user plane core network element allocated to the UE.
  • when the first core network element is a UMF entity, the request message carries a security capability priority list of the UMF entity, and the response message carries the security capability of the UE selected by the SEAF entity for the UMF entity, together with the indication information of the security capability supported by the UE.
  • when the first core network element is a session management function SMF entity and the second core network element is the user plane core network element allocated to the UE, the request message carries the security capability priority list of the user plane core network element allocated to the UE, and the response message carries the security capability of the UE selected by the security function entity for the user plane core network element allocated to the UE.
  • optionally, the request message further carries a security capability priority list of the SMF entity, and the response message further carries the security capability of the UE selected by the security function entity for the SMF entity.
  • the indication information of the security capability supported by the UE is a hash value obtained by hashing the security capability supported by the UE with a related key, or information obtained by encrypting the security capability supported by the UE.
  • an embodiment of the present invention provides a security capability negotiation method, including: a security function entity determining a security capability that a terminal UE can use; and the security function entity, according to a request of a first core network element, sending the security capability that the UE can use to the first core network element, so that the first core network element selects the security capability of the UE for itself according to the security capability that the UE can use and the security capability priority list of the first core network element, and/or selects the security capability of the UE for a second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element.
  • the security function entity controls the security capability that the UE can use, and provides the core network element with the security capability that the UE can use, achieves the effect of centralized control of the security capability, and increases security.
  • the security function entity determines the security capability that the terminal UE can use as follows: the security function entity acquires the security capability supported by the UE, as reported by the UE, and determines the security capability supported by the UE as the security capability that the UE can use. In this implementation manner the subscription-based security capability of the UE is not required, which further weakens the need for the entity storing the subscription information to support security capabilities.
  • alternatively, the security function entity obtains, from the authentication credential repository and processing function ARPF entity, the security capability that the UE is allowed to use, acquires the security capability supported by the UE from the UE, and determines the security capability that the UE can use according to the security capability allowed for the UE and the security capability supported by the UE.
  • UEs with different subscription status have different security level usage rights, which achieves the effect of the UE using security capabilities according to the contract.
  • the first core network element is a user management function UMF entity or a session management function SMF entity; or the first core network element is a session management function SMF entity, and the second core network The network element is a user plane core network element allocated to the UE.
  • the embodiment of the present invention provides a security capability negotiation method, including: a first core network element acquiring, from a security function entity, a security capability that a terminal UE can use; the first core network element selecting the security capability of the UE for itself according to the security capability that the UE can use and the security capability priority list of the first core network element, and/or selecting the security capability of the UE for a second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element.
  • the first core network element is a user management function UMF entity or a session management function SMF entity; or the first core network element is a session management function SMF entity, and the second core network element is a user plane core network element allocated to the UE.
  • an embodiment of the present invention provides a security capability negotiation device, where the security capability negotiation device has the function of implementing the security function entity in the method implementation of the foregoing first or third aspect. The function may be implemented by hardware, or by hardware executing corresponding software, the hardware or software including one or more modules corresponding to the above functions.
  • the embodiment of the present invention provides a core network element, where the core network element has the function of implementing the first core network element in the method implementation of the second aspect or the fourth aspect. The function may be implemented by hardware, or by hardware executing corresponding software, the hardware or software including one or more modules corresponding to the above functions.
  • an embodiment of the present invention provides a security capability negotiation device, including a processor, a memory, and a communication interface, where a preset program is stored in the memory, and the processor reads the program in the memory and executes the method of the first aspect or the third aspect described above according to the program.
  • an embodiment of the present invention provides a core network element, including a processor, a memory, and a communication interface, where a preset program is stored in the memory, and the processor reads the program in the memory and executes according to the program.
  • FIG. 1 is a schematic diagram of an LTE system architecture
  • FIG. 2 is a schematic diagram of a 5G architecture
  • Figure 3 is a schematic diagram of an existing 5G security process
  • FIG. 4 is a schematic structural diagram of a system in an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a process of security capability negotiation according to a first embodiment of the present invention.
  • FIG. 6 is a schematic diagram of a process of security capability negotiation in a second embodiment of the present invention.
  • FIG. 7 is a schematic diagram of a process of security capability negotiation in a first embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a process of security capability negotiation in a second embodiment of the present invention.
  • FIG. 9 is a schematic diagram of a process of security capability negotiation in a third embodiment of the present invention.
  • FIG. 10 is a schematic diagram of a process of security capability negotiation in a fourth embodiment of the present invention.
  • FIG. 11 is a schematic diagram of a process of security capability negotiation in a fifth embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of a security capability negotiation device according to a third embodiment of the present invention.
  • FIG. 13 is a schematic structural diagram of a core network element in a fourth embodiment of the present invention.
  • FIG. 14 is a schematic structural diagram of a security capability negotiation device according to a fifth embodiment of the present invention.
  • FIG. 15 is a schematic structural diagram of a core network element in a sixth embodiment of the present invention.
  • FIG. 16 is a schematic structural diagram of a security capability negotiation device according to a seventh embodiment of the present invention.
  • FIG. 17 is a schematic structural diagram of a core network element in an eighth embodiment of the present invention.
  • FIG. 18 is a schematic structural diagram of a security capability negotiation device according to a ninth embodiment of the present invention.
  • FIG. 19 is a schematic structural diagram of a core network element in a tenth embodiment of the present invention.
  • a security capability negotiation method is provided in the embodiment of the present invention.
  • the 5G system architecture based on the following embodiments is shown in Figure 4.
  • the control plane includes AUF, UMF, Session Management Function (SMF), Policy Control Function (PCF), SSF, UDM, and the Network Exposure Function.
  • the AUF may be further divided into an entity such as a Security Anchor Function (SEAF), a security context management function, and a Security Policy Control Function (SPCF), where the SEAF entity is used to interact with the UE and the authentication server.
  • SPCF Security Policy Control Function
  • AUF is used as the center of security capability negotiation: AUF, more specifically SEAF or SPCF, selects appropriate security capabilities for each core network element (such as an SMF entity, a UMF entity, a gateway, etc.); or, at the request of a core network element, AUF provides the security capability of the UE to that core network element, and the core network element selects an appropriate security capability itself.
  • the ARPF can provide the AUF with information on the security capability of the UE. This information may come from the subscription information, which may record the security capabilities the user can use; from the current state of the user; from the current state of the network, such as congestion and lawful interception requirements; or from the type of the UE, such as an Internet of Things UE or a Mobile BroadBand UE. Some or all of the above may also be combined to determine and provide the security capabilities that the UE can use.
  • the SEAF entity is used as a security function entity for controlling security capability negotiation.
  • the security function entity may also be implemented by another functional entity or logical function of the 5G network, and is not limited to the SEAF entity.
  • the process of negotiating the security capability with other functional entities or logical functions as the security function entity is the same as the process of negotiating the security capability with the SEAF entity.
  • the process of security capability negotiation in a 5G network is as follows:
  • Step 501 The first core network element sends a request message to the SEAF entity, where the request message carries a security capability priority list of the first core network element and/or the second core network element.
  • the first core network element is a UMF entity or an SMF entity; or the first core network element is an SMF entity, and the second core network element is a user plane core network element allocated to the UE.
  • if the first core network element is a UMF entity, the request message carries a security capability priority list of the UMF entity.
  • if the first core network element is an SMF entity and the second core network element is the user plane core network element allocated to the UE, the request message carries the security capability priority list of the user plane core network element allocated to the UE; optionally, the request message further carries a security capability priority list of the SMF entity.
  • Step 502 The SEAF entity acquires a security capability priority list of the first core network element and/or the second core network element.
  • in addition to obtaining the security capability priority list of the core network element, the SEAF entity needs to determine the security capability that the UE can use.
  • the SEAF entity determines the security capabilities that the UE can use, including but not limited to the following two specific implementation manners:
  • the SEAF entity obtains the security capability supported by the UE reported by the UE, and determines the security capability supported by the UE as the security capability that the UE can use.
  • the SEAF entity obtains the security capability allowed by the UE from the ARPF entity, and acquires the security capability supported by the UE from the UE, according to the security capability allowed by the UE and the security capability supported by the UE. Determining the security capabilities that the UE can use.
  • the security capability allowed for the UE obtained from the ARPF entity is the security capability that the UE is allowed to use under each slice that it can access.
  • if the first core network element is a UMF entity, the SEAF entity receives the first request message sent by the UMF entity, where the first request message carries a security capability priority list of the UMF entity, and the SEAF entity obtains the security capability priority list of the UMF entity carried in the first request message.
  • if the first core network element is an SMF entity, the SEAF entity receives the second request message sent by the SMF entity, where the second request message carries a security capability priority list of the user plane core network element allocated to the UE, and the SEAF entity obtains the security capability priority list of the user plane core network element allocated to the UE carried in the second request message.
  • the second request message may further include a security capability priority list of the SMF entity, where the SEAF entity obtains a security capability priority list of the SMF entity carried in the second request message.
  • Step 503 The SEAF entity determines, according to the security capability priority list of the first core network element and the security capability that the terminal UE can use, the security capability of the UE selected for the first core network element, and/or determines, according to the security capability priority list of the second core network element and the security capability that the terminal UE can use, the security capability of the UE selected for the second core network element.
  • Step 504 The SEAF entity returns a response message to the first core network element, where the response message carries the security capability of the UE selected for the first core network element and/or the security capability of the UE selected for the second core network element.
  • if the first core network element is a UMF entity, the SEAF entity returns a first response message to the UMF entity, where the first response message carries the security capability of the UE selected for the UMF entity and the indication information of the security capability supported by the UE.
  • the indication information of the security capability supported by the UE is a hash value obtained by hashing the security capability supported by the UE with a related key, or information obtained by encrypting the security capability supported by the UE with a related key.
  • if the first core network element is an SMF entity and the second core network element is the user plane core network element allocated to the UE, the SEAF entity returns a second response message to the SMF entity, where the second response message carries the security capability of the UE selected for the user plane core network element allocated to the UE; optionally, the second response message also carries the security capability of the UE selected for the SMF entity.
  • Step 505 The first core network element receives the response message returned by the SEAF entity.
  • Step 601 The SEAF entity determines the security capabilities that the UE can use.
  • the SEAF entity determines security capabilities that the UE can use, including but not limited to the following two specific implementation manners:
  • the SEAF entity obtains the security capability supported by the UE reported by the UE, and determines the security capability supported by the UE as the security capability that the UE can use.
  • the SEAF entity obtains the security capability allowed by the UE from the ARPF entity, and acquires the security capability supported by the UE from the UE, according to the security capability allowed by the UE and the security capability supported by the UE. Determining the security capabilities that the UE can use.
  • Step 602 The SEAF entity sends the security capability that the UE can use to the first core network element according to the request of the first core network element.
  • Step 603 The first core network element acquires the security capability that the UE can use from the SEAF entity.
  • Step 604 The first core network element selects the security capability of the UE for the first core network element according to the security capability that the UE can use and the security capability priority list of the first core network element. And/or, the first core network element selects the security capability of the UE for the second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element .
  • the first core network element is a UMF entity or an SMF entity; or, the first core network element is an SMF entity and the second core network element is a user plane core network element allocated to the UE.
  • Step 0 The UE stores the security capability of the UE.
  • the ARPF entity also stores the security capability of the UE, and can determine the security capability currently available to the UE according to the UE status.
  • the UE status may be understood as the result of the ARPF comprehensively considering the subscription information of the UE, and/or the current state information of the UE, and/or the current network condition of the UE, and/or the type of the UE; it is used by the ARPF to determine which security capabilities the UE can use. For example, the UE may subscribe to a general service or to a service that requires high security, and the subscription level of the UE determines which level of security capability it may use. In this specific embodiment, the security capabilities of the UE are classified by level, and UEs in different subscription states have different security level usage rights, so that the security capability of the UE is used according to its subscription situation.
  • the current state information of the UE may be that the UE is currently in an arrears state, that the UE is in an emergency call, that the UE temporarily improves its security capabilities, and the like.
  • the current network situation may be whether the telecommunications network currently permits encryption or decryption, the current requirements on encryption and decryption in the telecommunications network, the current congestion state of the network, and whether the network currently supports lawful interception.
  • the type of the UE can be classified into an IoT device or a general device, a device that requires power saving, or a normal device.
  • the ARPF entity determines, according to the state information of the UE, that the security capability that the UE can use is {B, C, D}. It should be noted that the ARPF determines the security capability that the UE can use as the result of comprehensive consideration of the state of the UE. For example, the ARPF entity first determines an algorithm in the security capabilities that the UE can use depending on the type to which the UE belongs (for example, an IoT UE or a UE that is making a normal call), and then determines an algorithm in the usable security capabilities based on the subscription information of the UE.
  • here the network side determines that algorithm D in the security capability can be used by the UE, but this UE does not support algorithm D: one UE may not support algorithm D while other UEs of the same type may support it.
  • Step 1 The UE initiates an attach request, which carries the identity information of the UE, but does not carry the security capability of the UE.
  • Step 2 After receiving the attach request of the UE, the slice selection function (SSF) entity initiates an authentication request to the SEAF entity, where the authentication request carries information such as the IMSI of the UE, the access network type, and the SSF ID.
  • Step 3 The SEAF entity sends an authentication request and a user data request message to the ARPF entity, where the authentication request and the user data request message carry the IMSI of the UE, the access network type, the SSF ID, the SEAF ID, and the network type; the network type is used to identify that the UE accesses from the 5G network.
  • Step 4 The ARPF entity determines the corresponding UE according to the received authentication request and user data request message, generates an authentication vector (AV) corresponding to the UE, and returns a response message to the SEAF entity, where the AV includes the data and the base key Kng (similar to Kasme) needed to authenticate the UE.
  • the response message carries the security capability {B, C, D} allowed for the current state of the UE.
  • the ARPF entity carries a security capability set in the response message, where the security capability set includes the security capabilities allowed for the current state of the UE under each slice, such as {slice1, {B, C, D}}, {slice2, {A, B}}, {slice3, {D, E, F}}.
  • Step 5 After receiving the response message returned by the ARPF entity, the SEAF entity stores the data and the base key needed to authenticate the UE, and generates a key identifier, where the key identifier is used to identify the base key.
  • the SEAF entity further stores the security capability {B, C, D} allowed for the current state of the UE.
  • Step 6 The UE and the SEAF entity initiate an authentication process.
  • the UE reports the supported security capabilities {A, B, C, E}.
  • the UE does not carry its security capability in the attach request.
  • in the 5G network, the attach process includes the mobility management process, the security process, and the session management process, and the session management process may not be included in the attach request.
  • the security capability of the UE is reported only in the authentication process, so that the number of procedures carrying the security capability of the UE, and hence the number of times it is exposed, is not increased; this improves security.
  • Step 7 The SEAF entity obtains the security capability that can be used by the current state of the UE by comparing the security capability allowed for the current state of the UE, provided by the ARPF entity, with the security capability supported by the UE, and stores the security capabilities {B, C} that the current state of the UE can use.
  • if the SEAF entity receives from the ARPF entity a set of security capabilities allowed for the current state of the UE under multiple slices, the security capabilities that the current state of the UE can use are selected separately for each slice.
  • Step 8 After receiving the authentication success message sent by the SEAF entity, the SSF entity forwards the attach request of the UE to the UMF entity.
  • Step 9 The UMF entity sends a security capability request message for the UE to the SEAF entity, where the request message carries the security capability priority list currently pre-configured by the UMF entity, which is {C, D, B, A, E, F}.
  • the security capability request message may be combined with other messages, such as a key request message, and the security capability request message may also be referred to as a UE security context request message.
  • when the UMF entity requests the security context of the UE from the SEAF entity, it reports its currently pre-configured security capability priority list, and also reports slice information according to the slice type supported by the UMF entity itself.
  • Step 10 If the security capability that can be used by the current state of the UE was obtained in step 7, the SEAF entity selects the security capability of the UE for the UMF entity, for example {C}, according to the security capability priority list reported by the UMF entity and the security capability that can be used by the current state of the UE obtained in step 7. If the ARPF entity did not provide the security capability allowed for the current state of the UE to the SEAF entity, the SEAF entity selects the security capability of the UE for the UMF entity according to the security capability priority list reported by the UMF entity and the supported security capability reported by the UE in step 6.
  • C contains both an integrity protection algorithm and an encryption algorithm; more precisely, in the security capability selected by the SEAF entity the encryption algorithm is C and the integrity protection algorithm is also C.
  • Step 11 The SEAF entity returns a security capability response message for the UE to the UMF entity, where the response message carries the security capability {C} of the UE selected by the SEAF entity for the UMF entity, the security capability {A, B, C, E} reported by the UE, and other required security parameters.
  • the security capability response message may be combined in other messages, such as a key request reply message, and the security capability response message may also be referred to as a UE security context reply message.
  • Step 12 The UMF entity generates the corresponding key according to the security capability of the UE selected by the SEAF entity for the UMF entity, and sends a NAS MM SMC message to the UE, where the NAS MM SMC message carries the security capability {A, B, C, E} reported by the UE and the security capability {C} of the UE selected for the UMF entity, and is integrity protected.
  • the algorithm used for integrity protection is the corresponding integrity protection algorithm in the selected security capability {C}.
  • Step 13 After generating the key and verifying the integrity protection, the UE replies to the NAS MM SMP message, and performs encryption protection and integrity protection on the message.
  • the algorithm used for integrity protection is the corresponding integrity protection algorithm in the selected security capability {C}; the algorithm used for encryption protection is the corresponding encryption algorithm in the received security capability {C}.
  • Step 14 The UE initiates a new session setup request message, where the message carries the identity information of the UE.
  • Step 15 The SSF entity forwards the session setup request message to the UMF entity.
  • Step 16 The UMF entity selects a corresponding SMF entity in the slice and forwards the session setup request message to the SMF entity.
  • Step 17 The SMF entity interacts with the gateway used by the UE for external communication and obtains the priority list {D, B, C, A} of the security capabilities supported by the gateway; or the SMF entity obtains the priority list {D, B, C, A} of the security capabilities supported by the gateway through other network elements.
  • Step 18 The SMF entity sends a security capability request for the UE to the SEAF entity, where the security capability request carries the priority list {D, B, C, A} of the security capabilities supported by the gateway; optionally, the security capability request also carries the priority list {E, C, A, B} of the security capabilities supported by the SMF entity.
  • the security capability request message can be combined with other messages, such as a key request message, and the security capability request message may also be referred to as a UE security context request message.
  • Step 19 If the security capability that can be used by the current state of the UE was obtained in step 7, the SEAF entity selects the security capability of the UE for the gateway according to the priority list {D, B, C, A} of the security capabilities supported by the gateway and the security capability that can be used by the current state of the UE obtained in step 7; if the ARPF entity did not provide the SEAF entity with the security capability allowed for the current state of the UE, the SEAF entity selects the security capability of the UE for the gateway according to the priority list {D, B, C, A} of the security capabilities supported by the gateway and the supported security capabilities reported by the UE in step 6.
  • if the security capability request sent by the SMF entity also carries the priority list of the security capabilities supported by the SMF entity, then: if the security capability that can be used by the current state of the UE was obtained in step 7, the SEAF entity selects the security capability of the UE for the SMF entity according to the priority list {E, C, A, B} of the security capabilities supported by the SMF entity and the security capability that can be used by the current state of the UE obtained in step 7; if the ARPF entity did not provide the security capability allowed for the current state of the UE to the SEAF entity, the SEAF entity selects the security capability of the UE for the SMF entity according to the priority list {E, C, A, B} of the security capabilities supported by the SMF entity and the supported security capabilities reported by the UE in step 6.
  • Step 20 The SEAF entity carries the security capability of the UE selected for the gateway and the security capability {A, B, C, E} supported by the UE in the response message returned to the SMF entity, and optionally also carries the security capability of the UE selected for the SMF entity. It should be noted that the security capability response message may be combined with other messages, such as a key request reply message, and the security capability response message may also be referred to as a UE security context reply message.
  • Step 21 The SMF entity sends an SM SMC message, where the SM SMC message carries the security capability of the UE selected for the gateway and the security capability {A, B, C, E} supported by the UE, and optionally also carries the security capability of the UE selected for the SMF entity. Each security capability carried in the SMC message has its own indication information, which is used to notify the UE of the network element to which that security capability applies. If the SMC message carries the security capability of the UE selected for the SMF entity, the key of the SMF entity is used for integrity protection; if the SMC message does not carry the security capability of the UE selected for the SMF entity, the key of the gateway is used for integrity protection.
  • Step 22 The UE replies to the SMF entity with an SMP message. If the SMC message carried the security capability of the UE selected for the SMF entity, the SMP message is encrypted and integrity protected with the key associated with the SMF entity; if the SMC message did not carry the security capability of the UE selected for the SMF entity, the key of the gateway is used for encryption and integrity protection.
  • the SEAF entity stores the security capability that can be used by the current state of the UE, or the security capability supported by the UE, and selects an appropriate security capability for each network element, which achieves centralized control and relieves the load on each network element; the security capability of the UE is therefore handled centrally in one network element.
  • each network element reports a pre-configured security capability priority list to the SEAF entity, which reduces the security functionality that each network element has to support; the subscribed security capability of the UE is known only to the SEAF entity and is not obtained by other network elements, which enhances security.
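The selection rule the first embodiment walks through in steps 4, 6, 7, 10 and 19 (intersect the ARPF-allowed set with the UE-reported set, then take the first usable entry of the requesting element's priority list, falling back to the UE-reported set when the ARPF supplied nothing) as an added worked example in Python; it is not code from the patent. The set literals are the page's own, the function names are this example's, and the same `select_capability` applies when the UMF, SMF or GW does the selection itself as in the fourth and fifth embodiments.

```python
"""Security-capability selection as described in the first embodiment.
Added example: the capability labels and priority lists come from the page,
the function names and the per-slice helper's shape are assumptions."""
from typing import Dict, List, Optional, Sequence, Set

# Values from the worked example on the page.
ARPF_ALLOWED: Set[str] = {"B", "C", "D"}                    # step 4: allowed for the UE's current state
UE_SUPPORTED: List[str] = ["A", "B", "C", "E"]              # step 6: reported by the UE at authentication
UMF_PRIORITY: List[str] = ["C", "D", "B", "A", "E", "F"]    # step 9
GW_PRIORITY: List[str] = ["D", "B", "C", "A"]               # step 17
SMF_PRIORITY: List[str] = ["E", "C", "A", "B"]              # step 18 (optional SMF list)


def usable_capabilities(supported: Sequence[str],
                        allowed: Optional[Set[str]]) -> List[str]:
    """Step 7: what the UE may actually use right now.
    When the ARPF supplied no allowed set, steps 10 and 19 say the SEAF
    falls back to the UE-reported set, so that case returns it unchanged."""
    if allowed is None:
        return list(supported)
    return [cap for cap in supported if cap in allowed]


def select_capability(priority_list: Sequence[str],
                      usable: Sequence[str]) -> Optional[str]:
    """First entry of the network element's priority list that the UE can use.
    Returns None when the lists have nothing in common; the page does not say
    what happens then, so the caller must treat it as a negotiation failure."""
    usable_set = set(usable)
    for cap in priority_list:
        if cap in usable_set:
            return cap
    return None


def seaf_select_all(supported: Sequence[str], allowed: Optional[Set[str]],
                    priority_lists: Dict[str, Sequence[str]]) -> Dict[str, Optional[str]]:
    """Centralised selection (steps 10 and 19): one result per requesting element,
    all derived from the single usable set the SEAF stored in step 7."""
    usable = usable_capabilities(supported, allowed)
    return {name: select_capability(plist, usable) for name, plist in priority_lists.items()}


def seaf_select_per_slice(supported: Sequence[str],
                          allowed_per_slice: Dict[str, Set[str]],
                          priority_list: Sequence[str]) -> Dict[str, Optional[str]]:
    """Per-slice variant: the ARPF sent {slice, allowed-set} pairs (step 4), so the
    usable set and the selection are computed separately for each slice (step 7)."""
    return {slice_id: select_capability(priority_list, usable_capabilities(supported, allowed))
            for slice_id, allowed in allowed_per_slice.items()}


if __name__ == "__main__":
    usable = usable_capabilities(UE_SUPPORTED, ARPF_ALLOWED)       # ['B', 'C']
    print("usable:", usable)
    print("with ARPF set:", seaf_select_all(UE_SUPPORTED, ARPF_ALLOWED,
          {"UMF": UMF_PRIORITY, "GW": GW_PRIORITY, "SMF": SMF_PRIORITY}))
    print("ARPF silent:  ", seaf_select_all(UE_SUPPORTED, None,
          {"UMF": UMF_PRIORITY, "GW": GW_PRIORITY, "SMF": SMF_PRIORITY}))
    print("per slice:", seaf_select_per_slice(UE_SUPPORTED,
          {"slice1": {"B", "C", "D"}, "slice2": {"A", "B"}, "slice3": {"D", "E", "F"}},
          UMF_PRIORITY))
```

Note that the fallback branch can select a capability the ARPF would have disallowed (here the UMF still gets C, but the GW's result depends only on what the UE claims), which is why the page's later embodiments protect the UE-reported list against modification.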
  • the process of the security capability negotiation between the UE and the core network is as shown in FIG. 8.
  • the specific implementation process of the second specific embodiment may refer to the description of the first specific embodiment, and differs from the first embodiment only in the following:
  • the SEAF entity does not directly transmit the security capability {A, B, C, E} reported by the UE to the UMF entity, but performs security processing on the security capability reported by the UE, represented as HMAC({A, B, C, E}, key): that is, the basic key Kng, or a related key further derived from the basic key Kng, is used as the key to hash the security capability reported by the UE to obtain a hash value, and the hash value is transmitted to the UMF entity, so that the security capability reported by the UE is not transmitted to the UMF entity in plain text, which improves security.
  • the related key is the intermediate key Kumf, Ksmf or Kup-GW that the UMF, SMF, UP-GW and the UE use to further derive the final key, or a separately generated key used to protect this message.
  • in step 12 the UMF entity sends the hash value obtained in step 11 to the UE; the UE hashes its supported security capabilities with the key to obtain a hash value, and compares the obtained hash value with the received hash value to determine whether the security capabilities supported by the UE have been changed.
  • likewise, the SEAF entity does not directly transmit the security capabilities {A, B, C, E} reported by the UE to the SMF entity, but performs security processing on the security capability reported by the UE, represented as HMAC({A, B, C, E}, key): that is, the basic key Kng, or a related key further derived from the basic key Kng, is used as the key to hash the security capability reported by the UE to obtain a hash value, and the hash value is passed to the SMF entity.
  • the related key is, as above, the intermediate key Kumf, Ksmf or Kup-GW that the UMF, SMF, UP-GW and the UE use to further derive the final key, or a separately generated key used to protect this message.
  • in step 21 the SMF entity sends the hash value obtained in step 20 to the UE; the UE hashes its supported security capabilities with the key to obtain a hash value, and compares the obtained hash value with the received hash value to determine whether the security capabilities supported by the UE have been changed.
  • the security capability supported by the UE is only exposed once during authentication, and is reduced from 3 exposures in LTE to 1 exposure, improving security.
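The second embodiment's HMAC protection of the UE-reported list, as an added example in Python that is not code from the patent: the SEAF computes HMAC(capabilities, key), the UMF or SMF forwards only the tag in its SMC message, and the UE recomputes the tag over the list it actually reported to detect any change in transit. The page names HMAC and Kng but neither the hash function nor the list encoding, so SHA-256 and a comma-joined encoding are assumptions here, and the key value is a constructed placeholder.

```python
"""HMAC commitment to the UE-reported security capabilities (second embodiment).
Added example; hash function, encoding and sample key are assumptions."""
import hashlib
import hmac
from typing import Sequence

# Constructed placeholder standing in for the basic key Kng (or a key derived
# from it); never a real key. Both the SEAF and the UE hold it after step 4/6.
KNG = bytes(range(32))
UE_CAPS = ["A", "B", "C", "E"]          # the list the UE reported in step 6


def encode_capabilities(caps: Sequence[str]) -> bytes:
    """Canonical byte encoding both sides must agree on.
    Assumption: comma-joined, in the order the UE reported them."""
    return ",".join(caps).encode("ascii")


def capability_mac(caps: Sequence[str], key: bytes) -> bytes:
    """HMAC({A, B, C, E}, key) as computed by the SEAF in step 11 / step 20."""
    return hmac.new(key, encode_capabilities(caps), hashlib.sha256).digest()


def ue_verify_capabilities(reported: Sequence[str], received_mac: bytes,
                           key: bytes) -> bool:
    """Step 12 / 21 at the UE: recompute over the list it stored (step 0/6) and
    compare in constant time. False means the list seen by the network differs
    from what the UE sent, i.e. the capabilities were changed on the way."""
    return hmac.compare_digest(capability_mac(reported, key), received_mac)


def demo() -> tuple:
    """Untampered round trip versus a list altered between the UE and the SEAF."""
    tag_from_seaf = capability_mac(UE_CAPS, KNG)
    genuine = ue_verify_capabilities(UE_CAPS, tag_from_seaf, KNG)
    # Constructed failure case: the network side saw a shortened list.
    tag_over_altered = capability_mac(["A"], KNG)
    altered = ue_verify_capabilities(UE_CAPS, tag_over_altered, KNG)
    return genuine, altered


if __name__ == "__main__":
    print("genuine accepted, altered rejected:", demo())   # (True, False)
```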
  • the process of the security capability negotiation between the UE and the core network is as shown in FIG. 9.
  • the specific implementation process of the third embodiment can refer to the description of the first embodiment; the difference from the first embodiment is that the SEAF entity encrypts the security capabilities supported by the UE before sending them to the UMF entity or the SMF entity.
  • the encryption key can be selected in the step 11, the step 12, the step 20, and the second step.
  • the basic key Kng, or another key agreed with the UE, may be used as the encryption key. This key may not be known to the UMF, SMF and UP-GW; Kng is only an example here.
  • after receiving the encrypted information, the UE decrypts the security capability supported by the UE sent by the SEAF entity, and compares the decrypted security capability with the saved security capability of the UE to determine whether the security capability supported by the UE has been changed.
  • the process of the security capability negotiation between the UE and the core network is as shown in FIG. 10.
  • the specific implementation process of the fourth embodiment may refer to the description of the first specific embodiment, and is specifically as follows:
  • Step 1 differs from step 1 in the first embodiment in that the UE initiates an attach request that carries the security capability supported by the UE. This embodiment also carries the security capability supported by the UE in the subsequent session establishment process.
  • Steps 2 to 3 are the same as the first embodiment.
  • the AV in the response message replied to by the ARPF entity to the SEAF entity in step 4 does not include the security capability allowed by the current state of the UE, and steps 5 and 7 are omitted.
  • Steps 5 to 6 can be referred to the description of step 6 and step 8 in the first embodiment.
  • Step 7 The SEAF entity receives the security capability request message for the UE sent by the UMF entity, where the request message does not carry the security capability priority list currently pre-configured by the UMF entity.
  • Step 8 The SEAF entity returns a security capability response for the UE to the UMF entity, where the response carries the security capability supported by the UE.
  • Step 9 The UMF entity selects the security capability of the UE for the UMF entity according to the pre-configured security capability priority list and the security capabilities supported by the UE.
  • Step 10 The UMF entity generates a NAS key according to the security capability of the UE selected by the UMF entity, and sends a NAS SMC message to the UE, where the message carries the security capability supported by the UE and the security capability of the UE selected for the UMF entity, and is integrity protected with the generated NAS key.
  • Step 11 After generating the NAS key and verifying the integrity protection, the UE returns a NAS SMP message to the UMF entity, and performs encryption protection and integrity protection on the message.
  • Steps 12 to 14 are the same as steps 14 to 16 in the first embodiment, except that the new session establishment request carries the security capability supported by the UE.
  • Step 15 The SMF entity selects the security capability of the UE for the SMF entity according to the security capability supported by the UE carried in the new session establishment request and the security capability priority list pre-configured by the SMF entity.
  • Step 16 The SMF entity generates a NAS key from the security capability of the UE selected for the SMF entity, and sends an SM SMC message to the UE, where the message carries the security capability supported by the UE and the security capability of the UE selected for the SMF entity, and is integrity protected with the generated key.
  • Step 17 After generating the NAS key and verifying the integrity protection, the UE returns an SM SMP message to the SMF entity, and performs encryption protection and integrity protection on the message.
  • Steps 18 to 21 in this embodiment may refer to the corresponding description of the other specific embodiments, or may adopt the following process:
  • Step 18 The SMF entity sends a security context providing message to the GW used for communication with the UE, and the security context providing message carries the security capability supported by the UE.
  • Step 19 The GW selects the security capability of the UE for the GW according to its pre-configured security capability priority list and the security capability supported by the UE.
  • Step 20 The GW generates a key from the security capability of the UE selected for the GW, and sends a GW SMC message to the UE, where the message carries the security capability supported by the UE and the security capability of the UE selected for the GW, and is integrity protected with the generated key.
  • Step 21 After generating the key and verifying the integrity protection, the UE returns a GW SMP message to the GW, and performs encryption protection and integrity protection on the message.
  • the SMC processes of the SMF entity and the GW are performed separately, and the SM SMC process may be omitted in this specific embodiment.
  • the NAS SM SMC process is required only when the SMF entity needs to perform security protection independently, without depending on the security protection of the UMF entity; specifically, when the MNO requires it, when the slice where the SMF entity is located requires secondary authentication, or when the deployer of the SMF entity requires it.
  • if the SMF entity performs the NAS SM SMC process without needing independent security, the NAS SM SMC message is used only to carry the user plane security negotiation.
  • if the GW can perform security negotiation and the SMF entity does not need security protection, the GW can perform security capability negotiation without the SM SMC process.
  • the process of the security capability negotiation between the UE and the core network is as shown in FIG. 11.
  • the specific implementation process of the fifth embodiment can refer to the description of the first specific embodiment, and differs from the first embodiment only in steps 9 to 11 and steps 18 to 20, as follows:
  • in step 9 the UMF entity sends a security capability request message for the UE to the SEAF entity, and the request message does not carry the security capability priority list currently pre-configured by the UMF entity.
  • the SEAF entity returns a security capability response to the UMF entity according to the security capability request message sent by the UMF entity, where the security capability response carries the security capabilities {A, B, C, E} reported by the UE.
  • optionally, the security capability response further carries the security capability that can be used by the current state of the UE obtained in step 7.
  • the UMF entity selects the security capability of the UE for the UMF entity according to its pre-configured security capability priority list and the security capability {A, B, C, E} reported by the UE; or the UMF entity selects the security capability of the UE for the UMF entity according to its pre-configured security capability priority list, the security capability {A, B, C, E} reported by the UE, and the security capability that the current state of the UE can use.
  • Steps 18 to 20 are similar to steps 9 to 11: the SMF entity does not carry its pre-configured security capability priority list in the security capability request sent to the SEAF entity; the SEAF entity sends the security capability {A, B, C, E} reported by the UE to the SMF entity, or sends both the security capability {A, B, C, E} reported by the UE and the security capability that the current state of the UE can use to the SMF entity; the SMF entity compares the security capability {A, B, C, E} reported by the UE with the pre-configured security capability priority list to select the security capability of the UE for the SMF entity or the GW, or compares the security capability {A, B, C, E} reported by the UE, the security capability that the current state of the UE can use, and the pre-configured security capability priority list to select the security capability of the UE for the SMF entity or the GW.
  • the security capability negotiation device mainly includes:
  • the obtaining module 1201 is configured to obtain a security capability priority list of the core network element.
  • the processing module 1202 is configured to determine, according to the security capability priority list of the core network element and the security capability that the terminal UE can use, the security capability of the UE selected for the core network element.
  • the communication module 1203 is configured to notify the core network element of the security capability of the UE selected by the core network element.
  • the core network element mainly includes:
  • the sending module 1301 is configured to send a request message to the security function entity, where the request message carries the security capability priority list of the core network element and/or of the second core network element;
  • the receiving module 1302 is configured to receive a response message returned by the security function entity, where the response message carries the security capability of the terminal UE selected by the security function entity for the core network element and/or the second core network element, wherein the security capability of the UE selected for the core network element is determined by the security function entity according to the security capability priority list of the core network element and the security capability that the UE can use, and the security capability of the UE selected for the second core network element is determined by the security function entity according to the security capability priority list of the second core network element and the security capability that the UE can use.
  • the security capability negotiation device mainly includes:
  • the processing module 1401 is configured to determine a security capability that the terminal UE can use;
  • the sending module 1402 is configured to send, according to the request of the first core network element, the security capability that the UE can use to the first core network element, so that the first core network element selects the security capability of the UE for the first core network element according to the security capability that the UE can use and the security capability priority list of the first core network element, and/or selects the security capability of the UE for the second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element.
  • the core network element mainly includes:
  • the obtaining module 1501 is configured to acquire, from the security function entity, a security capability that the terminal UE can use;
  • the processing module 1502 is configured to select the security capability of the UE for the core network element according to the security capability that the UE can use and the security capability priority list of the core network element, and/or to select the security capability of the UE for the second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element.
  • a security capability negotiation device is further provided in the seventh embodiment of the present invention.
  • the security capability negotiation device mainly includes a processor 1601, a memory 1602, and a communication interface 1603, wherein a preset program is stored in the memory 1602.
  • the processor 1601 reads the program in the memory 1602 and executes the following process according to the program:
  • the processor is configured to perform the functions of the obtaining module and the processing module in the third embodiment
  • the communication interface is configured to complete the function of the communication module in the third embodiment under the control of the processor.
  • the core network element mainly includes a processor 1701, a memory 1702, and a communication interface 1703.
  • the memory 1702 stores a preset program
  • the processor 1701 reads the program in the memory 1702 and executes the following process according to the program:
  • receiving a response message returned by the security function entity, where the response message carries the security capability of the terminal UE selected by the security function entity for the core network element and/or the second core network element, wherein the security capability of the UE selected for the core network element is determined by the security function entity according to the security capability priority list of the core network element and the security capability that the UE can use, and the security capability of the UE selected for the second core network element is determined by the security function entity according to the security capability priority list of the second core network element and the security capability that the UE can use.
  • the processor is configured to control the communication interface to complete the functions of the transmitting module and the receiving module in the fourth embodiment.
  • the security capability negotiation device mainly includes a processor 1801, a memory 1802, and a communication interface 1803.
  • the memory 1802 stores a preset program
  • the processor 1801 reads a program in the memory 1802, and executes the following process according to the program:
  • so that the first core network element selects the security capability of the UE for the first core network element according to the security capability that the UE can use and the security capability priority list of the first core network element, and/or selects the security capability of the UE for the second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element.
  • the processor is configured to perform the functions of the processing module in the fifth embodiment
  • the communication interface is configured to perform the function of the transmitting module in the fifth embodiment under the control of the processor.
  • the core network element mainly includes a processor 1901, a memory 1902, and a communication interface 1903.
  • the memory 1902 stores a preset program
  • the processor 1901 reads the program in the memory 1902 and executes the following process according to the program:
  • selects the security capability of the UE for the second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element.
  • the processor performs the functions of the processing module in the sixth embodiment, and controls the communication interface to perform the functions of the acquisition module.
  • the processor, the memory and the communication interface are connected by a bus; the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors, represented by the processor, and memories, represented by the memory.
  • the bus architecture may also link various other circuits, such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not further described herein.
  • the bus interface provides an interface.
  • the communication interface may comprise a plurality of components, including a transmit interface and a transceiving interface, providing means for communicating with various other devices over a transmission medium.
  • the processor is responsible for managing the bus architecture and general processing, and the memory can store the data that the processor uses when performing operations.
  • embodiments of the present invention can be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
  • the computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device.
  • the instruction device implements the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
  • the computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing.
  • the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Quality & Reliability (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A security capability negotiation method and a related device, used to implement security capability negotiation between a UE and the core network in 5G. The method comprises: a security function entity acquires a security capability priority list of a core network element; the security function entity determines the security capability of the UE selected for the core network element according to the security capability priority list of the core network element and the security capability that the terminal UE can use; and the security function entity notifies the core network element of the security capability of the UE selected for it.

Description

Security capability negotiation method and related device
Technical field
The present invention relates to the field of communications technologies, and in particular to a security capability negotiation method and related device.
Background
The Long Term Evolution (LTE) system architecture is shown in Figure 1. The Mobility Management Entity (MME) is the core-network element responsible for security, mobility management and session management. Security means that the terminal (User Equipment, UE) must perform mutual authentication with the network when it first attaches. After mutual authentication, the UE and the core network generate keys. Once the keys are generated, the UE and the MME perform algorithm negotiation, that is, security capability negotiation. Mobility management records the UE's location information and selects a suitable user-plane network element for the UE according to that location. Session management is responsible for establishing the UE's user-plane link. The Home Subscriber Server (HSS) stores the user's subscription information.
In the 5G architecture shown in Figure 2, the MME is split into three functions: authentication (NG Auth. Function, AUF), user management (UE Management Function, UMF) and session management (Session Management, SM). 5G adds the concept of a slice; a slice can be understood as the set of functions that serve a particular kind of user with a particular service. For example, slice A might be dedicated to IoT devices. Each slice has its own Control Plane Network Function (CP NF), mainly the SM. The User Plane Network Function (UP NF) within each slice is a Packet Data Network Gateway (P-GW), which forwards the UE's data to the appropriate service. The Common CP NF is the control-plane function shared by several slices and comprises the UMF and the AUF. The Slice Select Function (SSF) helps the UE select a slice. The Authentication Credential Repository and Processing Function (ARPF), located in the Unified Data Management (UDM) entity, stores the user's subscription data. The AUF, as a security function, can be deployed independently or co-located with the entity that has the UMF function.
The AUF can be further divided into entities such as a Security Anchor Function (SEAF), a security context management function (SCMF) and a security policy management function. The SEAF entity interacts with the UE and the authentication server and receives an intermediate key after the authentication procedure; the SCMF entity obtains the key from the SEAF entity and further derives other keys. These functional entities may not be divided in this detail, but the corresponding functions are all embodied in the AUF.
It can be seen that the biggest evolution from 4G to 5G is the splitting of the MME: one part of it becomes a common function, and the other part is placed inside a specific slice to serve that slice.
In LTE, a UE attaching to the network initiates the attach procedure, which includes a security procedure consisting of three processes: mutual authentication, key generation and security capability negotiation. Mutual authentication means that the UE and the core network authenticate each other; when it completes, the UE considers the core network genuine and the core network considers the UE genuine. During or after authentication, the key used to protect NAS messages is generated. After key generation, security capability negotiation between the UE and the MME begins. The security capability is the encryption algorithm and integrity protection algorithm that will subsequently be used.
The existing 5G security procedure is shown in Figure 3. Specifically:
Step 1: The UE sends an Attach Request.
Step 2: The UE and the SEAF entity complete mutual authentication.
Step 3: The UMF entity requests the security context from the SEAF entity.
Step 4: The UE and the UMF entity run the NAS MM SMC procedure, which is the MM algorithm negotiation procedure.
Step 5: The SSF entity forwards the Attach Request to the UMF entity.
The UE and the UMF entity complete the rest of the attach procedure.
Step 6: The UMF entity forwards the session management request to the SMF entity.
Step 7: The SMF entity obtains the security policy.
Step 8: The SMF entity obtains the UE's user-plane security context from the SEAF entity; the content of the user-plane security context has not yet been defined.
Step 9: The SMF entity initiates the user-plane NAS UP SMC procedure.
Step 10: Other security procedures begin.
Summary of the invention
Embodiments of the present invention provide a security capability negotiation method and related device, for implementing security capability negotiation between a UE and the core network in 5G.
The specific technical solutions provided by the embodiments of the present invention are as follows:
In a first aspect, an embodiment of the present invention provides a security capability negotiation method, including: a security function entity acquires a security capability priority list of a core network element; the security function entity determines, according to the security capability priority list of the core network element and the security capability that the terminal UE can use, the security capability of the UE selected for the core network element; and the security function entity notifies the core network element of the security capability of the UE selected for it.
In this method, the security function entity selects a suitable security capability for the core network element, achieving centralized control. This relieves the core network element of that burden, so that security capabilities can be handled centrally by one network element, and reduces the security function support required of the core network element, which improves security.
In a possible implementation, before the security function entity acquires the security capability priority list of the core network element, the method further includes: the security function entity determines the security capability that the UE can use.
In a possible implementation, the security function entity determining the security capability that the terminal UE can use includes: the security function entity acquires the security capability supported by the UE, as reported by the UE, and takes the security capability supported by the UE as the security capability that the UE can use. In this implementation the UE's subscribed security capability does not need to be obtained, which further reduces the security capability support required of the entity that stores subscription information.
In a possible implementation, the security function entity acquires the security capability that the UE is allowed to use from the Authentication Credential Repository and Processing Function (ARPF) entity, acquires the security capability supported by the UE from the UE, and determines the security capability that the UE can use according to the security capability the UE is allowed to use and the security capability the UE supports. In this implementation, UEs with different subscription states have different security level usage rights, so that each UE uses security capabilities according to its subscription.
In a possible implementation, the core network element is a user management function (UMF) entity, a session management function (SMF) entity, or a user-plane core network element allocated to the UE.
In a possible implementation, the security function entity acquiring the security capability priority list of the UMF entity includes: the security function entity receives a first request message sent by the UMF entity, the first request message carrying the security capability priority list of the UMF entity, and the security function entity obtains the security capability priority list of the UMF entity from the first request message. In this implementation the UMF entity reports its security capability priority list to the security function entity, so that the security function entity can select a suitable security capability for the UMF entity, reducing the security function support required of the UMF entity.
In a possible implementation, the security function entity acquiring the security capability priority list of the user-plane core network element allocated to the UE includes: the security function entity receives a second request message sent by the SMF entity, the second request message carrying the security capability priority list of the user-plane core network element allocated to the UE, and the security function entity obtains that list from the second request message. In this implementation the SMF entity reports the security capability priority list of the user-plane core network element allocated to the UE to the security function entity, so that the security function entity can select a suitable security capability for that user-plane core network element, reducing the security function support required of both the SMF entity and the user-plane core network element.
In a possible implementation, the second request message also carries the security capability priority list of the SMF entity, and the security function entity acquiring the security capability priority list of the SMF entity includes: the security function entity obtains the security capability priority list of the SMF entity from the second request message. In this implementation the SMF entity reports its own security capability priority list to the security function entity, so that the security function entity can select a suitable security capability for the SMF entity, reducing the security function support required of the SMF entity.
In a possible implementation, if the core network element is a UMF entity, the security function entity notifying the core network element of the security capability of the UE selected for the UMF entity includes: the security function entity returns a first response message to the UMF entity, the first response message carrying the security capability of the UE selected for the UMF entity and indication information of the security capability supported by the UE.
In a possible implementation, the indication information of the security capability supported by the UE is a hash value obtained by hashing the security capability supported by the UE with a related key, or information obtained by encrypting the security capability supported by the UE with a related key. This implementation further reduces the number of times the UE's supported security capability is exposed, improving security.
In a possible implementation, if the UE can access multiple slices, the security capability that the UE is allowed to use, as obtained from the ARPF entity, is the security capability the UE is allowed to use under each slice it can access, given separately for each such slice.
In a second aspect, an embodiment of the present invention provides a security capability negotiation method, including: a first core network element sends a request message to a security function entity, the request message carrying the security capability priority list of the first core network element and/or of a second core network element; the first core network element receives a response message returned by the security function entity, the response message carrying the security capability of the terminal UE selected by the security function entity for the first core network element and/or for the second core network element, where the security capability of the UE selected for the first core network element is determined by the security function entity according to the security capability priority list of the first core network element and the security capability that the UE can use, and the security capability of the UE selected for the second core network element is determined by the security function entity according to the security capability priority list of the second core network element and the security capability that the UE can use.
In a possible implementation, the first core network element is a user management function (UMF) entity or a session management function (SMF) entity; or the first core network element is an SMF entity and the second core network element is a user-plane core network element allocated to the UE.
In a possible implementation, if the first core network element is a UMF entity, the request message carries the security capability priority list of the UMF entity, and the response message carries the security capability of the UE selected by the SEAF entity for the UMF entity together with indication information of the security capability supported by the UE.
In a possible implementation, if the first core network element is an SMF entity and the second core network element is the user-plane core network element allocated to the UE, the request message carries the security capability priority list of the user-plane core network element allocated to the UE, and the response message carries the security capability of the UE selected by the security function entity for that user-plane core network element.
In a possible implementation, the request message also carries the security capability priority list of the SMF entity;
and the response message also carries the security capability of the UE selected by the security function entity for the SMF entity.
In a possible implementation, the indication information of the security capability supported by the UE is a hash value obtained by hashing the security capability supported by the UE with a related key, or information obtained by encrypting the security capability supported by the UE with a related key.
In a third aspect, an embodiment of the present invention provides a security capability negotiation method, including: a security function entity determines the security capability that a terminal UE can use; at the request of a first core network element, the security function entity sends the security capability that the UE can use to the first core network element; the first core network element then selects the security capability of the UE for the first core network element according to the security capability that the UE can use and the security capability priority list of the first core network element, and/or selects the security capability of the UE for a second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element.
In this method, the security function entity controls the security capability that the UE can use and provides it to the core network element, achieving centralized control of security capabilities and improving security.
In a possible implementation, the security function entity determining the security capability that the terminal UE can use includes: the security function entity acquires the security capability supported by the UE, as reported by the UE, and takes the security capability supported by the UE as the security capability that the UE can use. In this implementation the UE's subscribed security capability does not need to be obtained, which further reduces the security capability support required of the entity that stores subscription information.
In a possible implementation, the security function entity acquires the security capability that the UE is allowed to use from the Authentication Credential Repository and Processing Function (ARPF) entity, acquires the security capability supported by the UE from the UE, and determines the security capability that the UE can use according to the security capability the UE is allowed to use and the security capability the UE supports. In this implementation, UEs with different subscription states have different security level usage rights, so that each UE uses security capabilities according to its subscription.
In a possible implementation, the first core network element is a user management function (UMF) entity or a session management function (SMF) entity; or the first core network element is an SMF entity and the second core network element is a user-plane core network element allocated to the UE.
In a fourth aspect, an embodiment of the present invention provides a security capability negotiation method, including: a first core network element acquires from a security function entity the security capability that a terminal UE can use; the first core network element selects the security capability of the UE for the first core network element according to the security capability that the UE can use and the security capability priority list of the first core network element, and/or selects the security capability of the UE for a second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element.
In a possible implementation, the first core network element is a user management function (UMF) entity or a session management function (SMF) entity; or
the first core network element is an SMF entity and the second core network element is a user-plane core network element allocated to the UE.
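The selection rule is the same whichever side runs it: in the first aspect the security function entity walks a core network element's priority list and takes the first entry the UE can use; in the third and fourth aspects the core network element does the same walk itself after receiving the UE's usable capability. The following Python is an added example illustrating that rule, the "usable = supported, or supported restricted by the ARPF's per-slice allowed set" step, and the keyed-hash indication of the UE-supported capability from the first and second aspects. It is not code from the patent or from Huawei. Everything below the patent's own vocabulary is an assumption: a security capability is modelled as two algorithm lists ("enc" and "int"), a priority list is ordered highest priority first, the indication is HMAC-SHA256 over a canonical encoding under a key both sides hold after authentication, and the NEA/NIA names and all sample data are constructed.

```python
"""Added example (not code from the patent or from Huawei): selection of the
UE's security capability for a core network element from that element's
priority list and the UE's usable capability, plus the keyed-hash
"indication information" of the UE-supported capability.

Assumptions not stated in the patent: a capability is a pair of algorithm
lists ("enc", "int"); priority lists are ordered highest priority first; the
indication is HMAC-SHA256 under a key shared after authentication; the
NEA0..NEA3 / NIA0..NIA3 names are labels only.
"""
import hashlib
import hmac
import json


def canonical(cap):
    """Deterministic byte encoding so UE and network hash identical input."""
    return json.dumps({k: sorted(v) for k, v in cap.items()},
                      sort_keys=True).encode()


def usable_capability(ue_supported, ue_allowed=None):
    """Security capability the UE can use.

    Without subscription data the UE-reported set is used as is (the first
    implementation).  With the ARPF's allowed set, only algorithms that are
    both supported and allowed remain (the second implementation).
    """
    if ue_allowed is None:
        return {k: list(v) for k, v in ue_supported.items()}
    return {k: [a for a in v if a in ue_allowed.get(k, [])]
            for k, v in ue_supported.items()}


def select_for_ne(ne_priority, usable):
    """For each algorithm kind, the first entry of the network element's
    priority list that the UE can use.  Whether the null algorithms NEA0/NIA0
    can ever be chosen is thus decided by where the operator places them in
    the priority list, never by what the UE reports."""
    chosen = {}
    for kind in ("enc", "int"):
        for alg in ne_priority[kind]:
            if alg in usable.get(kind, []):
                chosen[kind] = alg
                break
        else:
            raise ValueError(f"no common {kind} algorithm for this network element")
    return chosen


def has_common_algorithm(ne_priority, usable):
    """Failure mode: a priority list disjoint from the UE's usable set."""
    try:
        select_for_ne(ne_priority, usable)
        return True
    except ValueError:
        return False


def capability_indication(key, ue_supported):
    """Keyed hash the network returns alongside the selected capability."""
    return hmac.new(key, canonical(ue_supported), hashlib.sha256).hexdigest()


def ue_checks_indication(key, ue_supported, received):
    """UE side: a mismatch means the capability it reported was altered."""
    return hmac.compare_digest(capability_indication(key, ue_supported), received)


# Constructed sample data (not from the patent).
UE_SUPPORTED = {"enc": ["NEA0", "NEA1", "NEA2"], "int": ["NIA0", "NIA1", "NIA2"]}
# Allowed capability from the ARPF, given separately per slice the UE may access.
UE_ALLOWED = {
    "sliceA": {"enc": ["NEA1"], "int": ["NIA1"]},  # e.g. a restricted IoT slice
    "sliceB": {"enc": ["NEA0", "NEA1", "NEA2", "NEA3"],
               "int": ["NIA0", "NIA1", "NIA2", "NIA3"]},
}
UMF_PRIORITY = {"enc": ["NEA3", "NEA2", "NEA1", "NEA0"],
                "int": ["NIA3", "NIA2", "NIA1"]}
UP_NE_PRIORITY = {"enc": ["NEA1", "NEA2"], "int": ["NIA2", "NIA1"]}


def negotiate(slice_id, ne_priority, ue_supported=UE_SUPPORTED, ue_allowed=UE_ALLOWED):
    """Full path: usable set for the slice, then selection for one element."""
    usable = usable_capability(ue_supported, ue_allowed[slice_id])
    return select_for_ne(ne_priority, usable)


if __name__ == "__main__":
    shared_key = b"\x01" * 32  # stands in for a key derived after authentication
    print("UMF, slice B:", negotiate("sliceB", UMF_PRIORITY))
    print("UP NE, slice A:", negotiate("sliceA", UP_NE_PRIORITY))
    ind = capability_indication(shared_key, UE_SUPPORTED)
    print("UE accepts genuine indication:",
          ue_checks_indication(shared_key, UE_SUPPORTED, ind))
    tampered = {"enc": ["NEA0"], "int": ["NIA0"]}  # a bidding-down substitution
    print("UE accepts tampered indication:",
          ue_checks_indication(shared_key, UE_SUPPORTED,
                               capability_indication(shared_key, tampered)))
```

The indication check is what gives the UE a way to notice bidding-down: if something on the path replaced the reported capability with only the null algorithms, the network's keyed hash covers the substituted set, the UE's own computation covers the real one, and the two no longer match. Note that the check only works if the key is one both sides already share, so the indication can only be returned after authentication and key generation, consistent with the order of the procedure described in the background.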
In a fifth aspect, an embodiment of the present invention provides a security capability negotiation device having the functions of the security function entity in the method of the first or third aspect. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions above.
In a sixth aspect, an embodiment of the present invention provides a core network element having the functions of the first core network element in the method of the second or fourth aspect. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions above.
In a seventh aspect, an embodiment of the present invention provides a security capability negotiation device including a processor, a memory and a communication interface, where the memory stores a preset program, and the processor reads the program in the memory and performs the method of the first or third aspect according to that program.
In an eighth aspect, an embodiment of the present invention provides a core network element including a processor, a memory and a communication interface, where the memory stores a preset program, and the processor reads the program in the memory and performs the method of the second or fourth aspect according to that program.
Brief description of the drawings
Figure 1 is a schematic diagram of the LTE system architecture;
Figure 2 is a schematic diagram of the 5G architecture;
Figure 3 is a schematic diagram of the existing 5G security procedure;
Figure 4 is a schematic diagram of the system architecture in an embodiment of the present invention;
Figure 5 is a schematic diagram of the security capability negotiation process in the first embodiment of the present invention;
Figure 6 is a schematic diagram of the security capability negotiation process in the second embodiment of the present invention;
Figure 7 is a schematic diagram of the security capability negotiation process in the first specific embodiment of the present invention;
Figure 8 is a schematic diagram of the security capability negotiation process in the second specific embodiment of the present invention;
Figure 9 is a schematic diagram of the security capability negotiation process in the third specific embodiment of the present invention;
Figure 10 is a schematic diagram of the security capability negotiation process in the fourth specific embodiment of the present invention;
Figure 11 is a schematic diagram of the security capability negotiation process in the fifth specific embodiment of the present invention;
Figure 12 is a schematic structural diagram of the security capability negotiation device in the third embodiment of the present invention;
Figure 13 is a schematic structural diagram of the core network element in the fourth embodiment of the present invention;
Figure 14 is a schematic structural diagram of the security capability negotiation device in the fifth embodiment of the present invention;
Figure 15 is a schematic structural diagram of the core network element in the sixth embodiment of the present invention;
Figure 16 is a schematic structural diagram of the security capability negotiation device in the seventh embodiment of the present invention;
Figure 17 is a schematic structural diagram of the core network element in the eighth embodiment of the present invention;
Figure 18 is a schematic structural diagram of the security capability negotiation device in the ninth embodiment of the present invention;
Figure 19 is a schematic structural diagram of the core network element in the tenth embodiment of the present invention.
Detailed Description
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In order to enable security capability negotiation between the UE and the core network in a 5G network, an embodiment of the present invention provides a security capability negotiation method.
The 5G system architecture on which the following embodiments are based is shown in FIG. 4. The control plane includes the AUF, the UMF, the Session Management Function (SMF), the Policy Control Function (PCF), the SSF, the UDM, the Network Exposure Function (NEF) and the NF Repository Function (NRF), among others. The AUF may be further divided into entities such as a Security Anchor Function (SEAF), a security context management function and a Security Policy Control Function (SPCF), where the SEAF entity is the one that interacts with the UE and with the authentication server. The ARPF is part of the UDM.
The AUF serves as the centre of security capability negotiation: either the AUF, more specifically the SEAF or the SPCF, selects a suitable security capability for each core network element (such as the SMF entity, the UMF entity, a gateway, and so on); or, at the request of a core network element, the AUF provides that element with the UE's security capabilities and the core network element itself selects a suitable security capability.
The ARPF may provide the AUF with the UE's security capability information. That information may come from the subscription data, which records the security capabilities the subscriber is permitted to use; it may be determined from the user's current state; it may be determined from the current state of the network, such as congestion or lawful interception requirements; it may be provided according to the type of the UE, for example an Internet of Things UE or a Mobile Broadband UE; or the ARPF may combine some or all of the above to determine and provide the security capabilities the UE may use.
In the following embodiments the SEAF entity is taken as the example of the security function entity that controls security capability negotiation. It should be noted that the security function entity may also be implemented by another functional entity or logical function in the 5G network and is not limited to the SEAF entity; the process by which another functional entity or logical function, acting as the security function entity, carries out security capability negotiation is the same as the process with the SEAF entity.
In the first embodiment of the present invention, as shown in FIG. 5, the security capability negotiation process in a 5G network is as follows:
Step 501: A first core network element sends a request message to the SEAF entity, the request message carrying a security capability priority list of the first core network element and/or of a second core network element.
In a specific implementation, the first core network element is a UMF entity or an SMF entity; or the first core network element is an SMF entity and the second core network element is a user plane core network element allocated to the UE.
In one specific implementation, if the first core network element is a UMF entity, the request message carries the security capability priority list of the UMF entity.
In another specific implementation, if the first core network element is an SMF entity and the second core network element is the user plane core network element allocated to the UE, the request message carries the security capability priority list of the user plane core network element allocated to the UE. Optionally, the request message also carries the security capability priority list of the SMF entity.
Step 502: The SEAF entity obtains the security capability priority list of the first core network element and/or of the second core network element.
Specifically, before obtaining the security capability priority list of a core network element, the SEAF entity needs to determine the security capabilities the UE is able to use.
In a specific implementation, the SEAF entity determines the security capabilities the UE is able to use in one of the following two ways, among others:
First, the SEAF entity obtains the security capabilities supported by the UE, as reported by the UE, and takes the security capabilities supported by the UE as the security capabilities the UE is able to use.
Second, the SEAF entity obtains from the ARPF entity the security capabilities the UE is permitted to use, obtains from the UE the security capabilities the UE supports, and determines the security capabilities the UE is able to use from the permitted and the supported security capabilities (that is, those that are both permitted and supported).
Specifically, if the UE is able to access multiple slices, the security capabilities the UE is permitted to use, as obtained from the ARPF entity, are the security capabilities the UE is permitted to use in each of the slices it is able to access.
In one specific implementation, the SEAF entity receives a first request message sent by the UMF entity, the first request message carrying the security capability priority list of the UMF entity, and the SEAF entity obtains the security capability priority list of the UMF entity carried in the first request message.
In another specific implementation, the SEAF entity receives a second request message sent by the SMF entity, the second request message carrying the security capability priority list of the user plane core network element allocated to the UE, and the SEAF entity obtains the security capability priority list of the user plane core network element allocated to the UE carried in the second request message.
The second request message may also carry the security capability priority list of the SMF entity, in which case the SEAF entity also obtains the security capability priority list of the SMF entity carried in the second request message.
Step 503: The SEAF entity determines, from the security capability priority list of the first core network element and the security capabilities the UE is able to use, the UE security capability selected for the first core network element, and/or determines, from the security capability priority list of the second core network element and the security capabilities the UE is able to use, the UE security capability selected for the second core network element.
Step 504: The SEAF entity returns a response message to the first core network element, the response message carrying the UE security capability selected for the first core network element and/or the UE security capability selected for the second core network element.
In one specific implementation, if the first core network element is a UMF entity, the SEAF entity returns a first response message to the UMF entity, the first response message carrying the UE security capability selected for the UMF entity together with indication information of the security capabilities supported by the UE.
Specifically, the indication information of the security capabilities supported by the UE is a hash value obtained by hashing the security capabilities supported by the UE under a relevant key (a keyed hash, i.e. a message authentication code), or is the information obtained by encrypting the security capabilities supported by the UE with a relevant key.
In another specific implementation, if the first core network element is an SMF entity and the second core network element is the user plane core network element allocated to the UE, the SEAF entity returns a second response message to the SMF entity, the second response message carrying the UE security capability selected for the user plane core network element allocated to the UE and, optionally, the UE security capability selected for the SMF entity.
Step 505: The first core network element receives the response message returned by the SEAF entity.
Based on the same inventive concept, in the second embodiment of the present invention, as shown in FIG. 6, the security capability negotiation process in a 5G network is as follows:
Step 601: The SEAF entity determines the security capabilities the UE is able to use.
Specifically, the SEAF entity determines the security capabilities the UE is able to use in one of the following two ways, among others:
First, the SEAF entity obtains the security capabilities supported by the UE, as reported by the UE, and takes the security capabilities supported by the UE as the security capabilities the UE is able to use.
Second, the SEAF entity obtains from the ARPF entity the security capabilities the UE is permitted to use, obtains from the UE the security capabilities the UE supports, and determines the security capabilities the UE is able to use from the permitted and the supported security capabilities.
Step 602: At the request of a first core network element, the SEAF entity sends the security capabilities the UE is able to use to the first core network element.
Step 603: The first core network element obtains from the SEAF entity the security capabilities the UE is able to use.
Step 604: The first core network element selects a UE security capability for itself from the security capabilities the UE is able to use and its own security capability priority list, and/or selects a UE security capability for a second core network element from the security capabilities the UE is able to use and the security capability priority list of the second core network element.
Specifically, the first core network element is a UMF entity or an SMF entity; or the first core network element is an SMF entity and the second core network element is a user plane core network element allocated to the UE.
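The selection logic of steps 503 and 604 is the same whether it runs in the SEAF or in the core network element: first reduce the UE's reported list to what the UE is able to use, then walk each element's priority list and take the first entry the UE can use. The following is an added example, not code from the patent or from any 3GPP implementation, that does this for the first and second embodiments above; the function names, the per-slice helper and the use of single-letter identifiers for algorithms are assumptions, and the worked values are the ones the first specific embodiment below uses ({A, B, C, E} supported, {B, C, D} permitted, and the UMF, gateway and SMF lists).

```python
from typing import Dict, Iterable, List, Optional, Set

Capability = str  # an algorithm identifier, written "A", "B", "C", ... on this page


def usable_capabilities(supported: Iterable[Capability],
                        allowed: Optional[Iterable[Capability]]) -> Set[Capability]:
    """Security capabilities the UE is able to use (steps 503 and 601).

    First way: the ARPF supplied nothing, so the UE's reported list stands as is.
    Second way: keep only what is both reported by the UE and permitted by the
    ARPF; an algorithm the UE does not implement (D in the page's example) or
    the subscription does not permit (A, E) is dropped.
    """
    supported_set = set(supported)
    if allowed is None:
        return supported_set
    return supported_set & set(allowed)


def usable_capabilities_per_slice(supported: Iterable[Capability],
                                  allowed_per_slice: Dict[str, Iterable[Capability]]
                                  ) -> Dict[str, Set[Capability]]:
    """Per-slice variant: the ARPF sends one permitted list per slice the UE may access."""
    supported_set = set(supported)
    return {slice_id: usable_capabilities(supported_set, allowed)
            for slice_id, allowed in allowed_per_slice.items()}


def select_for_element(priority_list: List[Capability],
                       usable: Set[Capability]) -> Optional[Capability]:
    """Pick the highest-priority entry of a network element's list that the UE can use.

    The list is ordered by that element's preference, so the first usable entry
    wins. None means there is no common algorithm; the caller must then reject
    the UE rather than fall back to something neither list contains.
    """
    for cap in priority_list:
        if cap in usable:
            return cap
    return None


def negotiate(supported: Iterable[Capability],
              allowed: Optional[Iterable[Capability]],
              element_priorities: Dict[str, List[Capability]]
              ) -> Dict[str, Optional[Capability]]:
    """Steps 503/604 for several elements at once, e.g. the UMF, the SMF and the UP gateway."""
    usable = usable_capabilities(supported, allowed)
    return {element: select_for_element(prio, usable)
            for element, prio in element_priorities.items()}


if __name__ == "__main__":
    # Worked values taken from the page's first specific embodiment.
    ue_supported = ["A", "B", "C", "E"]
    arpf_allowed = ["B", "C", "D"]
    lists = {
        "UMF":   ["C", "D", "B", "A", "E", "F"],
        "UP-GW": ["D", "B", "C", "A"],
        "SMF":   ["E", "C", "A", "B"],
    }
    print(usable_capabilities(ue_supported, arpf_allowed))  # the set {B, C}
    print(negotiate(ue_supported, arpf_allowed, lists))      # UMF: C, UP-GW: B, SMF: C
    print(negotiate(ue_supported, ["D", "F"], lists))        # no common algorithm: all None
    print(usable_capabilities_per_slice(
        ue_supported, {"slice1": ["B", "C", "D"], "slice2": ["A", "B"], "slice3": ["D", "E", "F"]}))
```

The None case is the one a practitioner should watch: a permitted list and a supported list with an empty intersection must end the procedure with a rejection, never with the element's own top entry, otherwise the subscription restriction the ARPF applied is silently bypassed.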
The security capability negotiation process in a 5G network is described in detail below by way of four specific embodiments.
First specific embodiment: the process by which the UE and the core network negotiate security capabilities is shown in FIG. 7 and is described as follows:
Step 0: The UE stores the UE's security capabilities.
Optionally, the ARPF entity also stores the UE's security capabilities and is able to determine, from the UE state, the security capabilities the UE may currently use.
The UE state may be understood as the result of a combined judgement by the ARPF based on the UE's subscription information, and/or the UE's current state information, and/or the current condition of the network the UE is in, and/or the type of the UE; the ARPF uses this result to decide which security capabilities the UE may use. For example: whether the UE has subscribed to a service with ordinary security requirements or to one requiring high security, and which level of security capability the UE's subscription tier permits. In this specific embodiment the UE's security capabilities are classified by level, and UEs in different subscription states are granted different security levels, so that a UE's use of security capabilities follows its subscription. The UE's current state information may be that the UE is currently in arrears, that the UE is making an emergency call, that the UE has temporarily raised its security capability, and so on. The current network condition may combine whether the country concerned permits encryption in telecommunications networks, the level of encryption that country requires of telecommunications networks, how congested the network currently is, and the network's current support for lawful interception. The UE type may distinguish an Internet of Things device from an ordinary device, a device that must save power from a normal device, and so on.
In this specific embodiment it is assumed that the security capabilities supported by the UE are {A, B, C, E}, while the ARPF entity determines from the UE's state that the security capabilities the UE may use are {B, C, D}. Note that the ARPF determines the security capabilities the UE may use as the result of a combined consideration of the UE's state: for example, the ARPF entity first determines the algorithms in the usable security capabilities from the type of the UE (for instance whether it is an IoT UE or a UE making ordinary calls), and then determines the usable algorithms from the UE's subscription information. This is why the network side may determine that algorithm D is usable while this particular UE does not support algorithm D: one UE may not support algorithm D, but other UEs of the same type may.
Step 1: The UE initiates an attach request (Attach Request), which carries the UE's identity information but does not carry the UE's security capabilities.
Step 2: After receiving the UE's attach request, the Slice Selection Function (SSF) entity initiates an authentication request to the SEAF entity, carrying the UE's IMSI, the access network type, the SSF ID and other information.
Step 3: The SEAF entity sends an authentication request and user data request message to the ARPF entity, carrying the UE's IMSI, the access network type, the SSF ID, the SEAF ID and the network type; the network type identifies that the UE is accessing from the 5G network.
Step 4: The ARPF entity determines the corresponding UE from the received authentication request and user data request message, generates the authentication vector (AV) for that UE and returns a response message to the SEAF entity; the AV contains the data needed to authenticate the UE and the base key Kng (analogous to Kasme).
Optionally, the response message carries the security capabilities the UE's current state permits it to use, {B, C, D}.
Optionally, if the UE is able to access multiple slices, the ARPF entity carries a set of security capabilities in the response message, containing the security capabilities the UE's current state permits in each slice, for example {{slice1, {B, C, D}}, {slice2, {A, B}}, {slice3, {D, E, F}}}.
Step 5: After receiving the response message from the ARPF entity, the SEAF entity stores the data and the base key needed to authenticate the UE and generates a key identifier that identifies the base key.
Optionally, if the response message carries the security capabilities permitted by the UE's current state, the SEAF entity also stores those permitted security capabilities, {B, C, D}.
Step 6: The UE and the SEAF entity carry out the authentication procedure, during which the UE reports its supported security capabilities, {A, B, C, E}.
In this specific embodiment the UE does not send its security capabilities in the attach request. In LTE the attach procedure comprises a mobility management procedure, a security procedure and a session management procedure, whereas in a 5G network the attach request may not include session management. To avoid the UE carrying its security capabilities again when it later initiates session management, the UE reports its security capabilities only during authentication, so that the number of times the UE's security capabilities are exposed does not grow with the number of times they are carried; this improves security.
Step 7: Optionally, after mutual authentication is complete, the SEAF entity compares the security capabilities permitted by the UE's current state, as provided by the ARPF entity, with the supported security capabilities reported by the UE, obtains the security capabilities the UE's current state is able to use, and stores them: {B, C}.
If what the SEAF entity received from the ARPF entity is a set of security capabilities permitted by the UE's current state in multiple slices, it selects the security capabilities the UE's current state is able to use separately for each slice.
Step 8: After receiving the authentication success message from the SEAF entity, the SSF entity forwards the UE's attach request to the UMF entity.
Step 9: The UMF entity sends a UE security capability request message to the SEAF entity, carrying the UMF entity's currently preconfigured security capability priority list, {C, D, B, A, E, F}. Note that the security capability request message may be combined with another message, such as a key request message, and may also be called a UE security context request message. In short, when the UMF entity requests the UE's security context from the SEAF entity, it reports its currently preconfigured security capability priority list, and it also reports slice information according to the slice types the UMF entity itself supports.
Step 10: If step 7 yielded the security capabilities the UE's current state is able to use, the SEAF entity selects the UE security capability for the UMF entity from the security capability priority list reported by the UMF entity and the usable security capabilities obtained in step 7, for example {C}. If the ARPF entity did not provide the SEAF entity with the security capabilities permitted by the UE's current state, the SEAF entity selects the UE security capability for the UMF entity from the priority list reported by the UMF entity and the supported security capabilities reported by the UE in step 6.
All the examples here are given simply for ease of understanding. Note that C comprises both an integrity protection algorithm and an encryption algorithm; more precisely, in the security capability selected by the SEAF entity the encryption algorithm is C and the integrity protection algorithm is also C.
Step 11: The SEAF entity returns a UE security capability response message to the UMF entity, carrying the UE security capability the SEAF entity selected for the UMF entity, {C}, the security capabilities reported by the UE, {A, B, C, E}, and the other parameters needed for security. Note that the security capability response message may be combined with another message, such as a key request reply message, and may also be called a UE security context reply message.
Step 12: The UMF entity generates the corresponding key from the UE security capability the SEAF entity selected for it, and sends a NAS MM SMC message to the UE carrying the security capabilities reported by the UE, {A, B, C, E}, and the UE security capability selected for the UMF entity, {C}; the message is integrity protected, using the integrity protection algorithm of the selected security capability {C}.
Step 13: After generating the key and verifying the integrity protection, the UE replies with a NAS MM SMP message, which it both encrypts and integrity protects: integrity protection uses the integrity protection algorithm of the received selected security capability {C}, and encryption uses the encryption algorithm of the received selected security capability {C}.
步骤14,UE发起新的会话建立请求(session setup request)消息,该消息中携带UE的身份信息。Step 14: The UE initiates a new session setup request message, where the message carries the identity information of the UE.
步骤15,SSF实体转发session setup request消息给UMF实体。In step 15, the SSF entity forwards the session setup request message to the UMF entity.
步骤16,UMF实体选择slice内相应的SMF实体,并且转发该session setup request消息给该SMF实体。Step 16. The UMF entity selects a corresponding SMF entity in the slice and forwards the session setup request message to the SMF entity.
步骤17,SMF实体与UE外界通信使用的网关交互,获取该网关支持的安全能力的优先级列表{D,B,C,A}。或者SMF实体通过其他网元获得网关支持的安全能力的优先级列表{D,B,C,A}。Step 17: The SMF entity interacts with the gateway used by the UE for external communication, and obtains a priority list {D, B, C, A} of the security capabilities supported by the gateway. Or the SMF entity obtains the priority list {D, B, C, A} of the security capabilities supported by the gateway through other network elements.
步骤18,SMF实体向SEAF实体发送UE的安全能力请求,该安全能力请求中携带有网关支持的安全能力的优先级列表{D,B,C,A},可选地,该安全能力请求中还携带SMF实体支持的安全能力的优先级列表{E,C,A,B}。需要注意的是,安全能力请求消息可以结合在其他消息中,比如密钥请求消息,安 全能力请求消息也可以称为UE安全上下文请求消息。Step 18: The SMF entity sends a security capability request of the UE to the SEAF entity, where the security capability request carries a priority list {D, B, C, A} of the security capability supported by the gateway, optionally, the security capability request It also carries a priority list {E, C, A, B} of the security capabilities supported by the SMF entity. It should be noted that the security capability request message can be combined with other messages, such as a key request message. The full capability request message may also be referred to as a UE security context request message.
步骤19,若步骤7得到了UE当前状态能够使用的安全能力,则SEAF实体根据网关支持的安全能力的优先级列表{D,B,C,A}和步骤7中得到的UE当前状态能够使用的安全能力,为网关选择UE的安全能力;若ARPF实体未向SEAF实体提供UE当前状态允许使用的安全能力,则SEAF实体根据网关支持的安全能力的优先级列表{D,B,C,A}和步骤6中UE上报的支持的安全能力,为网关选择UE的安全能力。Step 19: If step 7 obtains the security capability that can be used by the current state of the UE, the SEAF entity can use the priority list {D, B, C, A} of the security capability supported by the gateway and the current state of the UE obtained in step 7. The security capability of the UE selects the security capability of the UE for the gateway; if the ARPF entity does not provide the SEAF entity with the security capability allowed by the current state of the UE, the SEAF entity according to the priority list of the security capabilities supported by the gateway {D, B, C, A } and the supported security capabilities reported by the UE in step 6, selecting the security capabilities of the UE for the gateway.
Further, if the security capability request sent by the SMF entity carries the priority list of the security capabilities supported by the SMF entity, then: if step 7 yielded the security capabilities that the UE is allowed to use in its current state, the SEAF entity selects the UE's security capability for the SMF entity according to the SMF entity's priority list {E, C, A, B} and the capabilities obtained in step 7; if the ARPF entity did not provide the SEAF entity with the capabilities the UE is allowed to use in its current state, the SEAF entity selects the UE's security capability for the SMF entity according to the SMF entity's priority list {E, C, A, B} and the supported security capabilities reported by the UE in step 6.
Step 20: The SEAF entity carries, in the response message returned to the SMF entity, the UE security capability selected for the gateway and the security capabilities supported by the UE {A, B, C, E}, and optionally also the UE security capability selected for the SMF entity. Note that the security capability response message may be combined with another message, for example a key request reply message; the security capability response message may also be called a UE security context reply message.
Step 21: The SMF entity sends an SM SMC message carrying the UE security capability selected for the gateway and the security capabilities supported by the UE {A, B, C, E}, and optionally the UE security capability selected for the SMF entity. Each security capability carried in the SMC message has its own indication information, which tells the UE which network element that capability applies to. If the SMC message carries the UE security capability selected for the SMF entity, the message is integrity-protected with the SMF entity's key; if it does not, the message is integrity-protected with the gateway's key.
Step 22: The UE replies to the SMF entity with an SMP message. If the SMC message carried the UE security capability selected for the SMF entity, the SMP message is encrypted and integrity-protected with the key associated with the SMF entity; otherwise it is encrypted and integrity-protected with the gateway's key.
In this specific embodiment the SEAF entity stores the security capabilities the UE can use in its current state, or the security capabilities the UE supports, and selects a suitable security capability for each network element. This achieves centralized control, relieves the individual network elements of that work, and concentrates the handling of the UE's security capabilities in a single network element.
Moreover, in this specific embodiment each network element reports its pre-configured security capability priority list to the SEAF entity, which reduces the security functionality each network element must support; and the UE's subscribed security capabilities appear only at the SEAF entity and are not obtained by any other network element, which improves security.
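The selection rule applied in step 19 (and, at the UMF, SMF or GW itself rather than at the SEAF, in the fourth and fifth specific embodiments) is a single pass over the network element's priority list, constrained by what the UE reported and, when the ARPF supplied it, by what the subscription allows. The following Go program is an added illustration and is not code from the patent. The capability labels A, B, C and E are the page's own; the GW priority list, the ARPF restriction set, the SMCEntry structure and the error on an empty intersection are assumptions introduced for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// SelectCapability implements the selection rule of the embodiments: walk the
// network element's priority list in order and return the first capability
// that the UE reports as supported and that the ARPF-supplied "usable in the
// current state" set, when present, also permits. A nil ueAllowed means the
// ARPF provided no restriction (the second branch of step 19). Returning an
// error when nothing matches is an assumption; the page does not say how a
// negotiation with no common capability is handled.
func SelectCapability(priority, ueSupported, ueAllowed []string) (string, error) {
	supported := toSet(ueSupported)
	var allowed map[string]bool
	if ueAllowed != nil {
		allowed = toSet(ueAllowed)
	}
	for _, c := range priority {
		if !supported[c] {
			continue
		}
		if allowed != nil && !allowed[c] {
			continue
		}
		return c, nil
	}
	return "", errors.New("no security capability common to NE priority list and UE")
}

func toSet(xs []string) map[string]bool {
	s := make(map[string]bool, len(xs))
	for _, x := range xs {
		s[x] = true
	}
	return s
}

// SMCEntry models one capability carried in an SMC message together with the
// indication of which network element it applies to (step 21). The struct is
// an assumption; the page only says each capability carries such an indication.
type SMCEntry struct {
	Target     string // "GW" or "SMF"
	Capability string
}

// BuildSMSMC assembles the entries of the SM SMC message of step 21 from the
// SEAF response of step 20: the GW's selection is always present, the SMF's
// own selection only when the SEAF returned one. The second return value is
// the owner of the key used for integrity protection, per the rule in step 21.
func BuildSMSMC(gwSel, smfSel string) (entries []SMCEntry, integrityKeyOwner string) {
	entries = append(entries, SMCEntry{Target: "GW", Capability: gwSel})
	integrityKeyOwner = "GW"
	if smfSel != "" {
		entries = append(entries, SMCEntry{Target: "SMF", Capability: smfSel})
		integrityKeyOwner = "SMF"
	}
	return entries, integrityKeyOwner
}

func main() {
	ue := []string{"A", "B", "C", "E"}          // step 6: capabilities reported by the UE
	smfPriority := []string{"E", "C", "A", "B"} // SMF's pre-configured list (from the page)
	gwPriority := []string{"C", "A", "E", "B"}  // constructed GW list, not from the page

	smfSel, _ := SelectCapability(smfPriority, ue, nil) // "E"
	gwSel, _ := SelectCapability(gwPriority, ue, nil)   // "C"
	fmt.Println("selected for SMF:", smfSel, "for GW:", gwSel)

	// With a constructed ARPF restriction (only A and B usable in the current
	// state) the SMF list still decides the order, so A wins over B.
	restricted, _ := SelectCapability(smfPriority, ue, []string{"A", "B"}) // "A"
	fmt.Println("selected for SMF under restriction:", restricted)

	entries, keyOwner := BuildSMSMC(gwSel, smfSel)
	fmt.Println("SM SMC entries:", entries, "integrity key owner:", keyOwner)
}
```

The order of the priority list is the network element's policy; the UE's list and the ARPF's list only filter it. This is what lets the SEAF keep the subscription-restricted set to itself while still honouring each element's preference.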
In the second specific embodiment, the security capability negotiation between the UE and the core network proceeds as shown in FIG. 8. For the specific implementation see the description of the first specific embodiment; the only differences from the first specific embodiment are the following:
In step 11, instead of forwarding the security capabilities {A, B, C, E} reported by the UE directly to the UMF entity, the SEAF entity first applies security processing to them, denoted HMAC({A, B, C, E}, key): the base key Kng, or a related key further derived from Kng, is used as the key to compute a keyed hash over the UE-reported security capabilities, and the resulting hash value is sent to the UMF entity. The UE-reported security capabilities are therefore not passed to the UMF entity in plaintext, which improves security. Here the related key is an intermediate key Kumf, Ksmf or Kup-GW generated with the base key Kng as input and used by the UMF, SMF, UP-GW and UE to further derive the final keys; it may also be a key generated solely to protect this message.
In step 12, the UMF entity sends the hash value obtained in step 11 to the UE. The UE computes a hash value over its own supported security capabilities with the same key and compares the computed value with the received one, to determine whether its supported security capabilities have been altered.
Similarly, in step 20, instead of forwarding the security capabilities {A, B, C, E} reported by the UE directly to the SMF entity, the SEAF entity first applies security processing to them, denoted HMAC({A, B, C, E}, key): the base key Kng, or a related key further derived from Kng, is used as the key to compute a keyed hash over the UE-reported security capabilities, and the resulting hash value is sent to the SMF entity. The UE-reported security capabilities are therefore not passed to the SMF entity in plaintext, which improves security. Here the related key is an intermediate key Kumf, Ksmf or Kup-GW generated with the base key Kng as input and used by the UMF, SMF, UP-GW and UE to further derive the final keys; it may also be a key generated solely to protect this message.
In step 21, the SMF entity sends the hash value obtained in step 20 to the UE. The UE computes a hash value over its own supported security capabilities with the same key and compares the computed value with the received one, to determine whether its supported security capabilities have been altered.
In this specific embodiment the security capabilities supported by the UE are exposed only once, during authentication, reduced from three exposures in LTE to one, which improves security.
In the third specific embodiment, the security capability negotiation between the UE and the core network proceeds as shown in FIG. 9. For the specific implementation see the description of the first specific embodiment; the only differences from the first specific embodiment lie in steps 11, 12, 20 and 21, and they are of the same kind as in the second specific embodiment, except that the SEAF entity encrypts the security capabilities supported by the UE before sending them to the UMF entity or the SMF entity. The encryption key may be the base key Kng or another key agreed with the UE; this key must not be known to the UMF, SMF or UP-GW, and Kng is used here only as an example. After receiving the encrypted information, the UE decrypts it with Kng to obtain the UE-supported security capabilities sent by the SEAF entity, and compares the decrypted capabilities with the UE-supported security capabilities it has stored, to determine whether they have been altered.
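The two protection variants of the second and third specific embodiments, a keyed hash that the UE recomputes and an encryption that the UE decrypts and compares, are shown below as an added Go example; this is not code from the patent. The page specifies neither the hash construction, the key derivation from Kng, the cipher, nor the encoding of the capability list, so HMAC-SHA256, HMAC-based derivation of a purpose-bound key from Kng, AES-256-GCM with a random prepended nonce, and a comma-joined encoding in the order the UE reported the list are all assumptions. The point a practitioner should take from it: both sides must hash or encrypt the same canonical bytes, the tag comparison must be constant-time, and a list that was downgraded before it reached the SEAF fails the UE's check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"strings"
)

// DeriveKey stands in for "a related key further derived from the base key
// Kng". The page does not specify the derivation; HMAC-SHA256(Kng, label) is
// the assumption used here, so that the protection key is bound to Kng and to
// a purpose label and the raw Kng is never used directly.
func DeriveKey(kng []byte, label string) []byte {
	m := hmac.New(sha256.New, kng)
	m.Write([]byte(label))
	return m.Sum(nil) // 32 bytes: usable as an HMAC key and as an AES-256 key
}

// encodeCaps is the byte string both sides hash or encrypt. UE and SEAF must
// agree on one canonical encoding (assumed: the capabilities in the order the
// UE reported them, comma separated) or a genuine list would fail the check.
func encodeCaps(caps []string) []byte { return []byte(strings.Join(caps, ",")) }

// ProtectCapsHMAC is the SEAF-side operation of the second embodiment,
// HMAC({A,B,C,E}, key): only this tag is forwarded to the UMF or SMF.
func ProtectCapsHMAC(key []byte, caps []string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(encodeCaps(caps))
	return m.Sum(nil)
}

// VerifyCapsHMAC is the UE-side check of steps 12 and 21: recompute the tag
// over the list the UE itself reported and compare in constant time. A
// mismatch means the core network is working from a different list than the
// one the UE sent (for example a downgraded one).
func VerifyCapsHMAC(key []byte, ueCaps []string, receivedTag []byte) bool {
	return hmac.Equal(ProtectCapsHMAC(key, ueCaps), receivedTag)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptCaps is the SEAF-side operation of the third embodiment. AES-GCM is
// the assumed cipher (an AEAD, so the ciphertext also carries an integrity
// tag); the random nonce is prepended to the ciphertext.
func EncryptCaps(key []byte, caps []string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, encodeCaps(caps), nil), nil
}

// DecryptCapsAndCompare is the UE-side check of the third embodiment:
// decrypt with the key shared with the SEAF, then compare with the stored list.
func DecryptCapsAndCompare(key, blob []byte, ueCaps []string) (bool, error) {
	aead, err := newGCM(key)
	if err != nil {
		return false, err
	}
	if len(blob) < aead.NonceSize() {
		return false, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return false, err // GCM tag failed: tampered ciphertext or wrong key
	}
	return string(pt) == string(encodeCaps(ueCaps)), nil
}

func main() {
	kng := []byte("constructed-32-byte-base-key-Kng") // constructed sample Kng
	key := DeriveKey(kng, "ue-capability-protection")
	ueCaps := []string{"A", "B", "C", "E"} // the list the UE actually reported

	tag := ProtectCapsHMAC(key, ueCaps)
	fmt.Println("genuine list verifies:", VerifyCapsHMAC(key, ueCaps, tag)) // true
	// If the list was downgraded to {A,B} before reaching the SEAF, the SEAF's
	// tag is over {A,B} and the UE's recomputation over its own list fails.
	downgraded := ProtectCapsHMAC(key, []string{"A", "B"})
	fmt.Println("downgraded list verifies:", VerifyCapsHMAC(key, ueCaps, downgraded)) // false

	blob, _ := EncryptCaps(key, ueCaps)
	ok, err := DecryptCapsAndCompare(key, blob, ueCaps)
	fmt.Println("encrypted list matches stored list:", ok, err) // true <nil>
}
```

Because the UMF and SMF only ever see the tag or the ciphertext and never hold the derived key, they can relay it but cannot forge it for a different list, which is what makes the UE's comparison meaningful.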
In the fourth specific embodiment, the security capability negotiation between the UE and the core network proceeds as shown in FIG. 10. For the specific implementation see the description of the first specific embodiment; the details are as follows:
Step 1 differs from step 1 of the first specific embodiment in that the attach request initiated by the UE carries the security capabilities supported by the UE. In this embodiment the subsequent session establishment procedure also carries the security capabilities supported by the UE.
Steps 2 to 3 are the same as in the first specific embodiment.
In step 4, the AV in the response message returned by the ARPF entity to the SEAF entity does not contain the security capabilities the UE is allowed to use in its current state, and steps 5 and 7 of the first specific embodiment are omitted.
For steps 5 to 6, see the description of steps 6 and 8 of the first specific embodiment.
Step 7: The SEAF entity receives the security capability request message for the UE sent by the UMF entity; this request message does not carry the UMF entity's currently pre-configured security capability priority list.
Step 8: The SEAF entity returns a security capability response for the UE to the UMF entity; the response carries the security capabilities supported by the UE.
Step 9: The UMF entity selects the UE's security capability for the UMF entity according to its pre-configured security capability priority list and the security capabilities supported by the UE.
Step 10: The UMF entity generates the NAS keys according to the UE security capability selected for the UMF entity and sends a NAS SMC message to the UE; the message carries the security capabilities supported by the UE and the UE security capability selected for the UMF entity, and is integrity-protected with the generated NAS key.
Step 11: After generating the NAS keys and verifying the integrity protection, the UE returns a NAS SMP message to the UMF entity, encrypting and integrity-protecting that message.
Steps 12 to 14 are the same as steps 14 to 16 of the first specific embodiment, except that the new session establishment request carries the security capabilities supported by the UE.
Step 15: The SMF entity selects the UE's security capability for the SMF entity according to the UE-supported security capabilities carried in the new session establishment request and the SMF entity's pre-configured security capability priority list.
Step 16: The SMF entity generates the NAS keys using the UE security capability selected for the SMF entity and sends an SM SMC message to the UE; the message carries the security capabilities supported by the UE and the UE security capability selected for the SMF entity, and is integrity-protected with the generated key.
Step 17: After generating the NAS keys and verifying the integrity protection, the UE returns an SM SMP message to the SMF entity, encrypting and integrity-protecting that message.
Steps 18 to 21 of this embodiment may be implemented as described in the other specific embodiments, or as follows:
Step 18: The SMF entity sends a security context provision message to the GW that the UE uses to communicate with the outside; the message carries the security capabilities supported by the UE.
Step 19: The GW selects the UE's security capability for the GW according to its pre-configured security capability priority list and the security capabilities supported by the UE.
Step 20: The GW generates keys using the UE security capability selected for the GW and sends a GW SMC message to the UE; the message carries the security capabilities supported by the UE and the UE security capability selected for the GW, and is integrity-protected with the generated key.
Step 21: After generating the keys and verifying the integrity protection, the UE returns a GW SMP message to the GW, encrypting and integrity-protecting that message.
In this specific embodiment the SMC procedures of the SMF entity and of the GW are performed separately. The SM SMC procedure may also be omitted in this embodiment: the NAS SM SMC procedure is needed only when the SMF entity requires its own security protection independent of that of the UMF entity. Specifically, the NAS SM SMC procedure is needed in three cases: when the MNO requires it, when the slice in which the SMF entity is located requires secondary authentication, and when the party deploying the SMF entity requires it.
In this specific embodiment, if the GW authorizes the SMF entity to perform the security negotiation, the SMF entity performs the NAS SM SMC procedure even though it has no independent security of its own, and the NAS SM SMC message then carries a flag indicating that the negotiation is for user plane security.
In this specific embodiment, if the GW can perform the security negotiation itself and the SMF entity does not need security protection, the GW performs the security capability negotiation itself and the SM SMC procedure is not needed.
In the fifth specific embodiment, the security capability negotiation between the UE and the core network proceeds as shown in FIG. 11. For the specific implementation see the description of the first specific embodiment; the only differences from the first specific embodiment lie in steps 9 to 11 and steps 18 to 20, as follows:
In step 9, the UMF entity sends a security capability request message for the UE to the SEAF entity; this request message does not carry the UMF entity's currently pre-configured security capability priority list.
In step 10, the SEAF entity returns a security capability response to the UMF entity according to the request message; the response carries the security capabilities {A, B, C, E} reported by the UE. Optionally, the response also carries the security capabilities the UE can use in its current state, obtained in step 7.
In step 11, the UMF entity selects the UE's security capability for the UMF entity according to its pre-configured security capability priority list and the security capabilities {A, B, C, E} reported by the UE; or according to its pre-configured priority list, the UE-reported capabilities {A, B, C, E} and the capabilities the UE can use in its current state obtained in step 7.
Steps 18 to 20 are similar to steps 9 to 11: the SMF entity does not carry its pre-configured security capability priority list in the security capability request sent to the SEAF entity; the SEAF entity sends the UE-reported security capabilities {A, B, C, E} to the SMF entity, or sends both the UE-reported capabilities {A, B, C, E} and the capabilities the UE can use in its current state; and the SMF entity selects the UE's security capability for the SMF entity or for the GW by comparing the UE-reported capabilities {A, B, C, E} with the pre-configured priority list, or by comparing the UE-reported capabilities {A, B, C, E}, the capabilities the UE can use in its current state and the pre-configured priority list.
Based on the same inventive concept, a third embodiment of the present invention provides a security capability negotiation device. For its specific implementation see the description of the security function entity in the first embodiment; repeated details are omitted. As shown in FIG. 12, the security capability negotiation device mainly includes:
an obtaining module 1201, configured to obtain the security capability priority list of a core network element;
a processing module 1202, configured to determine, according to the security capability priority list of the core network element and the security capabilities that the terminal UE can use, the UE security capability selected for the core network element;
a communication module 1203, configured to notify the core network element of the UE security capability selected for it.
Based on the same inventive concept, a fourth embodiment of the present invention provides a core network element. For its specific implementation see the description of the first core network element in the first embodiment; repeated details are omitted. As shown in FIG. 13, the core network element mainly includes:
a sending module 1301, configured to send a request message to the security function entity, the request message carrying the security capability priority list of the core network element and/or of a second core network element;
a receiving module 1302, configured to receive a response message returned by the security function entity, the response message carrying the terminal UE security capability selected by the security function entity for the core network element and/or for the second core network element, where the UE security capability selected for the core network element is determined by the security function entity according to the security capability priority list of the core network element and the security capabilities the UE can use, and the UE security capability selected for the second core network element is determined by the security function entity according to the security capability priority list of the second core network element and the security capabilities the UE can use.
Based on the same inventive concept, a fifth embodiment of the present invention provides another security capability negotiation device. For its specific implementation see the description of the security function entity in the second embodiment of the present invention; repeated details are omitted. As shown in FIG. 14, the security capability negotiation device mainly includes:
a processing module 1401, configured to determine the security capabilities that the terminal UE can use;
a sending module 1402, configured to send, at the request of a first core network element, the security capabilities the UE can use to the first core network element, so that the first core network element selects the UE's security capability for itself according to the security capabilities the UE can use and its own security capability priority list, and/or selects the UE's security capability for a second core network element according to the security capabilities the UE can use and the second core network element's security capability priority list.
Based on the same inventive concept, a sixth embodiment of the present invention provides another core network element. For its specific implementation see the description of the first core network element in the second embodiment of the present invention; repeated details are omitted. As shown in FIG. 15, the core network element mainly includes:
an obtaining module 1501, configured to obtain from the security function entity the security capabilities that the terminal UE can use;
a processing module 1502, configured to select the UE's security capability for the core network element according to the security capabilities the UE can use and the core network element's security capability priority list, and/or to select the UE's security capability for a second core network element according to the security capabilities the UE can use and the second core network element's security capability priority list.
Based on the same inventive concept, a seventh embodiment of the present invention further provides a security capability negotiation device. For its specific implementation see the description of the security function entity in the first embodiment; repeated details are omitted. As shown in FIG. 16, the security capability negotiation device mainly includes a processor 1601, a memory 1602 and a communication interface 1603. The memory 1602 stores a preset program; the processor 1601 reads the program in the memory 1602 and, according to that program, performs the following:
obtaining the security capability priority list of a core network element;
determining, according to the security capability priority list of the core network element and the security capabilities that the terminal UE can use, the UE security capability selected for the core network element;
notifying the core network element, through the communication interface 1603, of the UE security capability selected for it.
Specifically, the processor performs the functions of the obtaining module and the processing module of the third embodiment, and the communication interface, under the control of the processor, performs the function of the communication module of the third embodiment.
Based on the same inventive concept, an eighth embodiment of the present invention provides a core network element. For its specific implementation see the description of the first core network element in the first embodiment; repeated details are omitted. As shown in FIG. 17, the core network element mainly includes a processor 1701, a memory 1702 and a communication interface 1703. The memory 1702 stores a preset program; the processor 1701 reads the program in the memory 1702 and, according to that program, performs the following:
sending, through the communication interface 1703, a request message to the security function entity, the request message carrying the security capability priority list of the core network element and/or of a second core network element;
receiving, through the communication interface 1703, a response message returned by the security function entity, the response message carrying the terminal UE security capability selected by the security function entity for the core network element and/or for the second core network element, where the UE security capability selected for the core network element is determined by the security function entity according to the security capability priority list of the core network element and the security capabilities the UE can use, and the UE security capability selected for the second core network element is determined by the security function entity according to the security capability priority list of the second core network element and the security capabilities the UE can use.
Specifically, the processor controls the communication interface to perform the functions of the sending module and the receiving module of the fourth embodiment.
Based on the same inventive concept, a ninth embodiment of the present invention provides another security capability negotiation device. For its specific implementation see the description of the security function entity in the second embodiment of the present invention; repeated details are omitted. As shown in FIG. 18, the security capability negotiation device mainly includes a processor 1801, a memory 1802 and a communication interface 1803. The memory 1802 stores a preset program; the processor 1801 reads the program in the memory 1802 and, according to that program, performs the following:
determining the security capabilities that the terminal UE can use;
sending, at the request of a first core network element and through the communication interface 1803, the security capabilities the UE can use to the first core network element, so that the first core network element selects the UE's security capability for itself according to the security capabilities the UE can use and its own security capability priority list, and/or selects the UE's security capability for a second core network element according to the security capabilities the UE can use and the second core network element's security capability priority list.
Specifically, the processor performs the function of the processing module of the fifth embodiment, and the communication interface, under the control of the processor, performs the function of the sending module of the fifth embodiment.
Based on the same inventive concept, a tenth embodiment of the present invention provides another core network element. For its specific implementation see the description of the first core network element in the second embodiment of the present invention; repeated details are omitted. As shown in FIG. 19, the core network element mainly includes a processor 1901, a memory 1902 and a communication interface 903. The memory 1902 stores a preset program; the processor 1901 reads the program in the memory 1902 and, according to that program, performs the following:
obtaining from the security function entity the security capabilities that the terminal UE can use;
selecting the UE's security capability for the core network element according to the security capabilities the UE can use and the core network element's security capability priority list, and/or selecting the UE's security capability for a second core network element according to the security capabilities the UE can use and the second core network element's security capability priority list.
Specifically, the processor performs the function of the processing module of the sixth embodiment and controls the communication interface to perform the function of the obtaining module.
In FIGS. 16 to 19, the processor, the memory and the communication interface are connected by a bus. The bus architecture may include any number of interconnected buses and bridges, linking together the various circuits of one or more processors represented by the processor and of the memory represented by the memory. The bus architecture may also link various other circuits, such as peripherals, voltage regulators and power management circuits; these are well known in the art and are therefore not further described here. The bus interface provides the interface. The communication interface may consist of several elements, that is, a transmit interface and a transceiver interface, providing the means for communicating with various other apparatuses over a transmission medium. The processor is responsible for managing the bus architecture and for general processing, and the memory may store the data the processor uses when performing operations.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatuses (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。 It is apparent that those skilled in the art can make various modifications and variations to the invention without departing from the spirit and scope of the invention. Thus, it is intended that the present invention cover the modifications and modifications of the invention

Claims (36)

  1. A security capability negotiation method, comprising:
    obtaining, by a security function entity, a security capability priority list of a core network element;
    determining, by the security function entity, a security capability of a terminal UE selected for the core network element according to the security capability priority list of the core network element and security capabilities that the UE is able to use; and
    notifying, by the security function entity, the core network element of the security capability of the UE selected for the core network element.
  2. The method according to claim 1, wherein before the security function entity obtains the security capability priority list of the core network element, the method further comprises:
    determining, by the security function entity, the security capabilities that the UE is able to use.
  3. The method according to claim 2, wherein the determining, by the security function entity, the security capabilities that the terminal UE is able to use comprises:
    obtaining, by the security function entity, security capabilities supported by the UE and reported by the UE, and determining the security capabilities supported by the UE as the security capabilities that the UE is able to use;
    or,
    obtaining, by the security function entity, security capabilities that the UE is allowed to use from an authentication credential storage and processing function ARPF entity, obtaining the security capabilities supported by the UE from the UE, and determining the security capabilities that the UE is able to use according to the security capabilities that the UE is allowed to use and the security capabilities supported by the UE.
  4. The method according to any one of claims 1 to 3, wherein the core network element is a user management function UMF entity, a session management function SMF entity, or a user plane core network element allocated to the UE.
  5. The method according to claim 4, wherein the obtaining, by the security function entity, the security capability priority list of the UMF entity comprises:
    receiving, by the security function entity, a first request message sent by the UMF entity, the first request message carrying the security capability priority list of the UMF entity; and
    obtaining, by the security function entity, the security capability priority list of the UMF entity carried in the first request message.
  6. The method according to claim 4, wherein the obtaining, by the security function entity, the security capability priority list of the user plane core network element allocated to the UE comprises:
    receiving, by the security function entity, a second request message sent by the SMF entity, the second request message carrying the security capability priority list of the user plane core network element allocated to the UE; and
    obtaining, by the security function entity, the security capability priority list of the user plane core network element allocated to the UE carried in the second request message.
  7. The method according to claim 6, wherein the second request message further carries a security capability priority list of the SMF entity; and
    the obtaining, by the security function entity, the security capability priority list of the SMF entity comprises:
    obtaining, by the security function entity, the security capability priority list of the SMF entity carried in the second request message.
  8. The method according to claim 3, wherein if the core network element is a user management function UMF entity, the notifying, by the security function entity, the core network element of the security capability of the UE selected for the UMF entity comprises:
    returning, by the security function entity, a first response message to the UMF entity, the first response message carrying the security capability of the UE selected for the UMF entity and carrying indication information of the security capabilities supported by the UE.
  9. The method according to claim 8, wherein the indication information of the security capabilities supported by the UE is a hash value obtained by hashing the security capabilities supported by the UE using a related key, or is information obtained by encrypting the security capabilities supported by the UE using a related key.
  10. The method according to claim 3, wherein if the UE is able to access multiple slices, the security capabilities that the UE is allowed to use, obtained from the ARPF entity, are the security capabilities that the UE is allowed to use under each slice that it is able to access.
  11. A security capability negotiation method, comprising:
    sending, by a first core network element, a request message to a security function entity, the request message carrying a security capability priority list of the first core network element and/or a second core network element; and
    receiving, by the first core network element, a response message returned by the security function entity, the response message carrying a security capability of a terminal UE selected by the security function entity for the first core network element and/or the second core network element, wherein the security capability of the UE selected for the first core network element is determined by the security function entity according to the security capability priority list of the first core network element and security capabilities that the UE is able to use, and the security capability of the UE selected for the second core network element is determined by the security function entity according to the security capability priority list of the second core network element and the security capabilities that the UE is able to use.
  12. The method according to claim 11, wherein the first core network element is a user management function UMF entity or a session management function SMF entity;
    or,
    the first core network element is a session management function SMF entity, and the second core network element is a user plane core network element allocated to the UE.
  13. The method according to claim 12, wherein if the first core network element is a user management function UMF entity, the request message carries the security capability priority list of the UMF entity, and the response message carries the security capability of the UE selected by the SEAF entity for the UMF entity and indication information of the security capabilities supported by the UE.
  14. The method according to claim 12, wherein if the first core network element is a session management function SMF entity and the second core network element is the user plane core network element allocated to the UE, the request message carries the security capability priority list of the user plane core network element allocated to the UE, and the response message carries the security capability of the UE selected by the security function entity for the user plane core network element allocated to the UE.
  15. The method according to claim 14, wherein the request message further carries a security capability priority list of the SMF entity; and
    the response message further carries a security capability of the UE selected by the security function entity for the SMF entity.
  16. The method according to claim 13, wherein the indication information of the security capabilities supported by the UE is a hash value obtained by hashing the security capabilities supported by the UE using a related key, or is information obtained by encrypting the security capabilities supported by the UE using a related key.
  17. A security capability negotiation method, comprising:
    determining, by a security function entity, security capabilities that a terminal UE is able to use; and
    sending, by the security function entity, the security capabilities that the UE is able to use to a first core network element according to a request of the first core network element, so that the first core network element selects a security capability of the UE for the first core network element according to the security capabilities that the UE is able to use and a security capability priority list of the first core network element, and/or the first core network element selects a security capability of the UE for a second core network element according to the security capabilities that the UE is able to use and a security capability priority list of the second core network element.
  18. The method according to claim 17, wherein the determining, by the security function entity, the security capabilities that the terminal UE is able to use comprises:
    obtaining, by the security function entity, security capabilities supported by the UE and reported by the UE, and determining the security capabilities supported by the UE as the security capabilities that the UE is able to use;
    or,
    obtaining, by the security function entity, security capabilities that the UE is allowed to use from an authentication credential storage and processing function ARPF entity, obtaining the security capabilities supported by the UE from the UE, and determining the security capabilities that the UE is able to use according to the security capabilities that the UE is allowed to use and the security capabilities supported by the UE.
  19. The method according to claim 17 or 18, wherein the first core network element is a user management function UMF entity or a session management function SMF entity;
    or,
    the first core network element is a session management function SMF entity, and the second core network element is a user plane core network element allocated to the UE.
  20. A security capability negotiation method, comprising:
    obtaining, by a first core network element, security capabilities that a terminal UE is able to use from a security function entity; and
    selecting, by the first core network element, a security capability of the UE for the first core network element according to the security capabilities that the UE is able to use and a security capability priority list of the first core network element, and/or selecting, by the first core network element, a security capability of the UE for a second core network element according to the security capabilities that the UE is able to use and a security capability priority list of the second core network element.
  21. The method according to claim 20, wherein the first core network element is a user management function UMF entity or a session management function SMF entity;
    or,
    the first core network element is a session management function SMF entity, and the second core network element is a user plane core network element allocated to the UE.
  22. A security capability negotiation device, comprising:
    an obtaining module, configured to obtain a security capability priority list of a core network element;
    a processing module, configured to determine a security capability of a terminal UE selected for the core network element according to the security capability priority list of the core network element and security capabilities that the UE is able to use; and
    a communication module, configured to notify the core network element of the security capability of the UE selected for the core network element.
  23. The device according to claim 22, wherein the obtaining module is further configured to:
    determine the security capabilities that the UE is able to use before obtaining the security capability priority list of the core network element.
  24. The device according to claim 23, wherein the obtaining module is specifically configured to:
    obtain security capabilities supported by the UE and reported by the UE, and determine the security capabilities supported by the UE as the security capabilities that the UE is able to use;
    or,
    obtain security capabilities that the UE is allowed to use from an authentication credential storage and processing function ARPF entity, obtain the security capabilities supported by the UE from the UE, and determine the security capabilities that the UE is able to use according to the security capabilities that the UE is allowed to use and the security capabilities supported by the UE.
  25. The device according to any one of claims 22 to 24, wherein the core network element is a user management function UMF entity, a session management function SMF entity, or a user plane core network element allocated to the UE.
  26. The device according to claim 25, wherein the obtaining module is specifically configured to:
    receive a first request message sent by the UMF entity, the first request message carrying the security capability priority list of the UMF entity; and
    obtain the security capability priority list of the UMF entity carried in the first request message.
  27. The device according to claim 25, wherein the obtaining module is specifically configured to:
    receive a second request message sent by the SMF entity, the second request message carrying a security capability priority list of a user plane core network element allocated to the UE; and
    obtain the security capability priority list of the user plane core network element allocated to the UE carried in the second request message.
  28. The device according to claim 27, wherein the second request message further carries a security capability priority list of the SMF entity; and
    the obtaining module is specifically configured to:
    obtain the security capability priority list of the SMF entity carried in the second request message.
  29. The device according to claim 24, wherein if the core network element is a user management function UMF entity, the communication module is specifically configured to:
    return a first response message to the UMF entity, the first response message carrying the security capability of the UE selected for the UMF entity and indication information of the security capabilities supported by the UE.
  30. A core network element, comprising:
    a sending module, configured to send a request message to a security function entity, the request message carrying a security capability priority list of the core network element and/or a second core network element; and
    a receiving module, configured to receive a response message returned by the security function entity, the response message carrying a security capability of a terminal UE selected by the security function entity for the core network element and/or the second core network element, wherein the security capability of the UE selected for the core network element is determined by the security function entity according to the security capability priority list of the core network element and security capabilities that the UE is able to use, and the security capability of the UE selected for the second core network element is determined by the security function entity according to the security capability priority list of the second core network element and the security capabilities that the UE is able to use.
  31. The core network element according to claim 30, wherein the core network element is a user management function UMF entity or a session management function SMF entity;
    or,
    the core network element is a session management function SMF entity, and the second core network element is a user plane core network element allocated to the UE.
  32. The core network element according to claim 31, wherein if the core network element is a user management function UMF entity, the request message carries the security capability priority list of the UMF entity, and the response message carries the security capability of the UE selected by the SEAF entity for the UMF entity and indication information of the security capabilities supported by the UE.
  33. The core network element according to claim 31, wherein if the core network element is a session management function SMF entity and the second core network element is the user plane core network element allocated to the UE, the request message carries the security capability priority list of the user plane core network element allocated to the UE, and the response message carries the security capability of the UE selected by the security function entity for the user plane core network element allocated to the UE.
  34. A security capability negotiation device, comprising:
    a processing module, configured to determine security capabilities that a terminal UE is able to use; and
    a sending module, configured to send the security capabilities that the UE is able to use to a first core network element according to a request of the first core network element, so that the first core network element selects a security capability of the UE for the first core network element according to the security capabilities that the UE is able to use and a security capability priority list of the first core network element, and/or the first core network element selects a security capability of the UE for a second core network element according to the security capabilities that the UE is able to use and a security capability priority list of the second core network element.
  35. The device according to claim 34, wherein the processing module is specifically configured to:
    obtain security capabilities supported by the UE and reported by the UE, and determine the security capabilities supported by the UE as the security capabilities that the UE is able to use;
    or,
    obtain security capabilities that the UE is allowed to use from an authentication credential storage and processing function ARPF entity, obtain the security capabilities supported by the UE from the UE, and determine the security capabilities that the UE is able to use according to the security capabilities that the UE is allowed to use and the security capabilities supported by the UE.
  36. A core network element, comprising:
    an obtaining module, configured to obtain security capabilities that a terminal UE is able to use from a security function entity; and
    a processing module, configured to select a security capability of the UE for the core network element according to the security capabilities that the UE is able to use and a security capability priority list of the core network element, and/or to select a security capability of the UE for a second core network element according to the security capabilities that the UE is able to use and a security capability priority list of the second core network element.
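The selection logic of claims 1 to 10 (security function entity side), the per-element selection of claims 17 to 21 (core network element side) and the keyed-hash indication of claim 9, as an added example that is not the patent's own code. Capability names, the dictionary layout of priority lists, HMAC-SHA256 as the instance of "hashing with a related key", and the UE-side comparison of the indication are assumptions; every sample value is constructed.

```python
"""Added example modelling the security capability negotiation in the
claims above.  Not the patent's code.  Assumptions: capabilities are
identified by short strings; a priority list is ordered, first entry most
preferred; claim 9's keyed hash is instantiated as HMAC-SHA256 over a
canonical (sorted, comma-joined) encoding of the UE's supported set."""
import hashlib
import hmac
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


def ue_usable_capabilities(ue_supported: Iterable[str],
                           arpf_allowed: Optional[Iterable[str]] = None) -> FrozenSet[str]:
    """Claims 3/18: with no ARPF list, the UE's reported set is the usable
    set; with one, only capabilities both supported and allowed are usable."""
    supported = frozenset(ue_supported)
    if arpf_allowed is None:
        return supported
    return supported & frozenset(arpf_allowed)


def ue_usable_per_slice(ue_supported: Iterable[str],
                        allowed_per_slice: Dict[str, Iterable[str]]) -> Dict[str, FrozenSet[str]]:
    """Claim 10: the ARPF returns one allowed set per slice the UE may
    access, so the usable set is computed slice by slice."""
    return {s: ue_usable_capabilities(ue_supported, allowed)
            for s, allowed in allowed_per_slice.items()}


def select_capability(priority_list: List[str], usable: FrozenSet[str]) -> Optional[str]:
    """Claim 1: walk the network element's list in priority order and
    return the first entry the UE is able to use; None if there is none."""
    for cap in priority_list:
        if cap in usable:
            return cap
    return None


def capability_indication(ue_supported: Iterable[str], key: bytes) -> str:
    """Claim 9, hash variant: keyed hash over the UE's supported set.
    Sorting gives a canonical encoding, so the same set yields the same
    value whatever order the UE listed it in."""
    canonical = ",".join(sorted(ue_supported)).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seaf_handle_request(priority_lists: Dict[str, List[str]],
                        ue_supported: Iterable[str],
                        arpf_allowed: Optional[Iterable[str]],
                        key: bytes) -> Tuple[Dict[str, Optional[str]], str]:
    """Security function entity side (claims 1 to 9).  One request may carry
    priority lists for several elements (claim 7: SMF plus the user plane
    element in the second request message).  Returns one selection per
    element and the indication of the UE's supported capabilities."""
    usable = ue_usable_capabilities(ue_supported, arpf_allowed)
    selected = {ne: select_capability(plist, usable)
                for ne, plist in priority_lists.items()}
    return selected, capability_indication(ue_supported, key)


def ne_select_locally(ue_usable: FrozenSet[str],
                      priority_lists: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Claims 17 to 21: the security function entity hands over the usable
    set and the first core network element runs the same selection for
    itself and/or for the second element."""
    return {ne: select_capability(plist, ue_usable)
            for ne, plist in priority_lists.items()}


def ue_check_indication(ue_reported: Iterable[str], indication: str, key: bytes) -> bool:
    """Assumed use of the indication (not spelled out in the claims): the
    UE recomputes the keyed hash over the list it actually sent and compares
    in constant time, so a supported-capability list altered on the way to
    the security function entity no longer matches."""
    return hmac.compare_digest(capability_indication(ue_reported, key), indication)


# Constructed sample negotiation: UE supports EA0..EA2, ARPF allows EA1..EA3.
SAMPLE_KEY = b"constructed-related-key"
SAMPLE_UE_SUPPORTED = ["EA0", "EA1", "EA2"]
SAMPLE_ARPF_ALLOWED = ["EA1", "EA2", "EA3"]
SAMPLE_PRIORITY_LISTS = {
    "UMF": ["EA3", "EA2", "EA1"],   # EA3 not usable, so EA2 is chosen
    "UP":  ["EA0", "EA1"],          # EA0 not allowed by ARPF, so EA1
    "SMF": ["EA3"],                 # nothing in common: selection is None
}


def run_sample() -> Tuple[Dict[str, Optional[str]], str]:
    """Runs the constructed negotiation end to end and returns its result."""
    return seaf_handle_request(SAMPLE_PRIORITY_LISTS, SAMPLE_UE_SUPPORTED,
                               SAMPLE_ARPF_ALLOWED, SAMPLE_KEY)
```

A None selection is the case a deployment has to decide on (reject the UE, or fall back to a mandated baseline); the claims leave that policy to the network element.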
PCT/CN2016/103839 2016-10-28 2016-10-28 Security capability negotiation method and related device WO2018076298A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/103839 WO2018076298A1 (en) 2016-10-28 2016-10-28 Security capability negotiation method and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/103839 WO2018076298A1 (en) 2016-10-28 2016-10-28 Security capability negotiation method and related device

Publications (1)

Publication Number Publication Date
WO2018076298A1 true WO2018076298A1 (en) 2018-05-03

Family

ID=62023162

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/103839 WO2018076298A1 (en) 2016-10-28 2016-10-28 Security capability negotiation method and related device

Country Status (1)

Country Link
WO (1) WO2018076298A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101242629A (en) * 2007-02-05 2008-08-13 华为技术有限公司 Method, system and device for selection algorithm of user plane
CN101262337A (en) * 2008-02-05 2008-09-10 中兴通讯股份有限公司 Secure function control method and system
CN101854625A (en) * 2009-04-03 2010-10-06 华为技术有限公司 Selective processing method and device of security algorithm, network entity and communication system
CN104219655A (en) * 2013-06-04 2014-12-17 中兴通讯股份有限公司 Method for selecting security algorithms for interfaces in wireless communication systems and MME (mobility management entity)
CN104618089A (en) * 2013-11-04 2015-05-13 华为技术有限公司 Negotiation processing method for security algorithm, control network element and system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11284341B2 (en) 2018-05-08 2022-03-22 Huawei Technologies Co., Ltd. Network selection system and method for establishment of inter-networking session
US20220295283A1 (en) * 2020-11-02 2022-09-15 Wins Co., Ltd. Apparatus and method for traffic security processing in 5g mobile edge computing slicing service
US11991522B2 (en) * 2020-11-02 2024-05-21 Wins Co., Ltd. Apparatus and method for traffic security processing in 5G mobile edge computing slicing service
WO2023246457A1 (en) * 2022-06-25 2023-12-28 华为技术有限公司 Security decision negotiation method and network element

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16920153; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16920153; Country of ref document: EP; Kind code of ref document: A1)