WO2018196705A1 - Network security protection method, device and system - Google Patents


Info

Publication number
WO2018196705A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
terminal
security context
nas
message
Application number
PCT/CN2018/084025
Other languages
French (fr)
Chinese (zh)
Inventor
舒林
贝隆克里斯蒂安 埃雷罗
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2018196705A1

Classifications

    • H04W12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; authentication; protecting privacy or anonymity > H04W12/03 Protecting confidentiality, e.g. by encryption)
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII] (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; authentication; protecting privacy or anonymity)
    • H04W12/06 Authentication (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; authentication; protecting privacy or anonymity)
    • H04W12/08 Access security (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; authentication; protecting privacy or anonymity)

Definitions

  • the present application relates to the field of communications technologies, and in particular, to a network security protection method, device, and system.
  • the mobile communication network defined by the 3rd Generation Partnership Project (3GPP) introduces a security protection mechanism to ensure the security of mobile communications, including: confidentiality, integrity and availability of communications.
  • the current Evolved Packet System (EPS) network adopts a two-way identity authentication mechanism to implement mutual authentication between the network and the terminal, and adopts an encryption protection mechanism and an integrity protection mechanism to implement confidentiality and integrity of the communication between the terminal and the network.
  • the EPS network introduces an independent two-layer security mechanism, including Access Stratum (AS) security between the terminal and the access network, and Non-Access Stratum (NAS) security between the terminal and the core network. These two layers of security exist independently in parallel and employ different security contexts.
  • the initial NAS request message sent by a terminal from the idle state is not encrypted, which makes it easy for a pseudo network (also called a fake network) to mount a denial of service attack. When the NAS message is transmitted on the air interface, it is easily intercepted by the pseudo network, which may then construct a corresponding NAS reject message carrying a reject cause value, for example, that the EPS service is unavailable. Since the terminal cannot distinguish whether a received NAS reject message that is not integrity-protected was sent by the real network or by the pseudo network, it processes both in the same way and performs the action corresponding to the received reject cause value. The result is a denial of service attack, which affects the terminal's normal use of services.
  • 3GPP is currently researching and developing an enhanced security mechanism for 5G networks. If the 5G network still adopts the same security protection mechanism as the EPS network above, it will suffer from the same DoS attack.
  • the embodiments of the present application provide a network security protection method, device, and system, which can improve the security of 5G networks and other future networks.
  • the embodiment of the present application provides the following technical solutions:
  • a first aspect provides a network security protection method, comprising: receiving, by a first network device, a security-protected non-access stratum (NAS) request message from a terminal, the security-protected NAS request message being obtained by the terminal securing an initial NAS request message using a first target security context of the terminal, where the header of the secured NAS request message is a first NAS message header, and the first NAS message header includes the identifier of the terminal and first security header type information;
  • the first security header type information is used to indicate the type of the first target security context, where the first target security context includes a first security context or a second security context, the first security context being a configured security context and the second security context being a security context generated by the authentication process;
  • the security protection includes encryption;
  • the first network device determines the first target security context according to the identifier of the terminal and the first security header type information;
  • the first network device performs security verification on the secured NAS request message using the first target security context;
  • the security verification includes decryption;
  • the first network device secures a NAS reject message using a second target security context according to the result of the security verification, obtaining a security-protected NAS reject message, where the second target security context includes the first security context or the second security context;
  • the first network device sends the secured NAS reject message to the terminal, where the header of the secured NAS reject message is a second NAS message header, and the second NAS message header includes the identifier of the terminal and second security header type information, which is used to indicate the type of the second target security context.
  • since the terminal sends the first network device a NAS request message obtained by securing the initial NAS request message, the pseudo network cannot verify (decrypt) it, and therefore cannot construct the corresponding NAS reject message. This can avoid some DoS attacks.
  • the NAS reject message for the initial NAS request message that the first network device sends to the terminal is a security-protected NAS reject message. Therefore, after receiving a NAS reject message, the terminal can distinguish whether it was sent by the real network or by the pseudo network according to whether it is security-protected, and process it accordingly, for example by discarding an unprotected NAS reject message sent by the pseudo network. This further reduces the risk of DoS attacks and improves the security of 5G networks and other future networks.
  • the first network device securing the NAS reject message using the second target security context according to the result of the security verification includes: if the security verification passes and the first network device does not store the second security context, the first network device uses the first security context to secure the NAS reject message for the initial NAS request message; or, if the security verification passes and the second security context is stored in the first network device, the first network device uses the second security context to secure the NAS reject message for the initial NAS request message; or, if the security verification fails and the second security context is not stored in the first network device, the first network device uses the first security context to secure the NAS reject message; or, if the security verification fails and the second security context is stored in the first network device, the first network device uses the second security context to secure the NAS reject message.
  • the priority of the second security context is higher than the priority of the first security context: when the second security context exists, it is used to secure the NAS reject message; if the second security context does not exist, the NAS reject message is secured using the first security context.
  • the first target security context includes the first security context; the first network device determining the first target security context according to the identifier of the terminal and the first security header type information includes: determining, according to the identifier of the terminal and the first security header type information, whether the first security context is saved locally; if the first network device determines that the first security context is not saved locally, sending a first message to a second network device, the first message including the identifier of the terminal and being used to request the first security context, and receiving the first security context from the second network device; or, if the first network device determines that the first security context is saved locally, obtaining the first security context locally. Based on this solution, the first network device can determine the first target security context used to secure the initial NAS request message, and then perform security verification on the securely protected NAS request message according to that context.
  • the first message further includes an identifier of the public land mobile network (PLMN) currently serving the terminal, an identifier of the network slice currently serving the terminal, or information about the access technology currently used by the terminal.
  • the second network device may select the first security context from the plurality of security contexts of the terminal according to the identifier of the terminal carried in the first message together with the identifier of the PLMN currently serving the terminal, the identifier of the network slice serving the terminal, or the information about the access technology currently used by the terminal.
  • the first network device includes an access and mobility management function (AMF) entity or a session management function (SMF) entity; the second network device includes a unified data management (UDM) entity or an authentication server function (AUSF) entity.
  • a second aspect provides a network security protection method, the method comprising: determining, by a terminal, a first target security context of the terminal, where the first target security context includes a first security context or a second security context, the first security context being a configured security context and the second security context being a security context generated by the authentication process; the terminal securing an initial non-access stratum (NAS) request message using the first target security context to obtain a security-protected NAS request message, the security protection including encryption; the terminal sending the security-protected NAS request message to a first network device, where the header of the secured NAS request message is a first NAS message header, and the first NAS message header includes the identifier of the terminal and first security header type information, the first security header type information being used to indicate the type of the first target security context; and the terminal receiving a security-protected NAS reject message from the first network device, the security-protected NAS reject message being obtained by securing a NAS reject message using a second target security context of the terminal.
  • the header of the security-protected NAS reject message is a second NAS message header, and the second NAS message header includes the identifier of the terminal and second security header type information, where the second security header type information is used to indicate the type of the second target security context, the second target security context including the first security context or the second security context; the terminal determines the second target security context according to the identifier of the terminal and the second security header type information; and the terminal performs security verification on the secured NAS reject message using the second target security context, the security verification including decryption.
  • the method further includes: the terminal receiving a NAS reject message that is not security-protected, and the terminal discarding that NAS reject message. That is, after receiving a NAS reject message, the terminal can distinguish whether it was sent by the real network or by the pseudo network according to whether it is security-protected, and then process it accordingly, for example discarding the unprotected NAS reject message sent by the pseudo network, so that the risk of DoS attack can be further prevented and the security of 5G networks and other future networks improved.
  • the terminal determining the first target security context of the terminal includes: if the terminal determines that the second security context is saved locally, the terminal determines the second security context to be the first target security context of the terminal; or, if the terminal determines that the second security context is not saved locally, the terminal determines the first security context and determines it to be the first target security context of the terminal. That is, in the embodiment of the present application, the priority of the second security context is higher than the priority of the first security context: when the second security context exists, the initial NAS request message is secured using the second security context; if the second security context does not exist, the initial NAS request message is secured using the first security context.
  • the first target security context includes the first security context; the terminal determining the first security context comprises: the terminal reading the first security context configured on the universal subscriber identity module (USIM) card of the terminal; or, the terminal acquiring the first security context configured on the terminal.
  • the operator can configure the security context both on the USIM card used by the terminal and on the terminal itself. The terminal usually uses the security context configured on the USIM card, but may also use the security context configured on the terminal; this is not specifically limited in this embodiment.
  • the first target security context includes the first security context; the terminal determining the first security context includes: the terminal selecting the first security context from a plurality of security contexts of the terminal according to the public land mobile network (PLMN) currently serving the terminal, the network slice currently serving the terminal, or the access technology currently used by the terminal, where the plurality of security contexts includes the first security context and the security contexts in the plurality are of the same type as the first security context. In this way, when the operator configures multiple security contexts for the terminal on the terminal, the terminal can select the first security context from among them.
  • the first network device includes an access and mobility management function AMF entity or a session management function SMF entity.
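The first aspect (network side: determining the first target security context, requesting the configured context from the second network device when it is not saved locally, verifying the request, and securing the reject with the second context when it is stored and the first otherwise) and the second aspect (terminal side: preferring the second context when it exists, otherwise the configured context for the serving PLMN, and discarding an unprotected NAS reject) can be modelled as one exchange. The block below is an added example written for this page; it is not code from the patent or from Huawei. The message layout, the numeric security header type values, the encrypt-then-MAC construction that stands in for the real NAS ciphering and integrity algorithms, and all identifiers, keys and class names (SecurityContext, Terminal, AMF, the UDM lookup table, run_exchange) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Security header type values: the page names the types but gives no wire encoding,
# so these numbers are assumptions made for this example.
SHT_NONE = 0           # no security protection (all a pseudo network can produce)
SHT_CONFIGURED = 1     # first security context: configured on the USIM or terminal
SHT_AUTHENTICATED = 2  # second security context: generated by an authentication run

@dataclass(frozen=True)
class SecurityContext:
    kind: int    # SHT_CONFIGURED or SHT_AUTHENTICATED
    key: bytes   # shared by the terminal and the network

def _subkey(ctx, label):
    # Separate encryption and integrity keys derived from the context key.
    return hmac.new(ctx.key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, n):
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def protect(ctx, terminal_id, payload):
    """Security protection: encrypt the payload, then tag header + nonce + ciphertext.
    The NAS message header (terminal id, security header type) is sent in clear."""
    nonce = secrets.token_bytes(12)
    stream = _keystream(_subkey(ctx, b"enc"), nonce, len(payload))
    body = bytes(p ^ k for p, k in zip(payload, stream))
    header = terminal_id.encode() + bytes([ctx.kind])
    tag = hmac.new(_subkey(ctx, b"mac"), header + nonce + body, hashlib.sha256).digest()
    return {"terminal_id": terminal_id, "sht": ctx.kind, "nonce": nonce, "body": body, "tag": tag}

def verify(ctx, msg):
    """Security verification: check the tag, then decrypt. Returns None on failure."""
    if ctx is None or msg["sht"] != ctx.kind:
        return None
    header = msg["terminal_id"].encode() + bytes([msg["sht"]])
    tag = hmac.new(_subkey(ctx, b"mac"), header + msg["nonce"] + msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        return None
    stream = _keystream(_subkey(ctx, b"enc"), msg["nonce"], len(msg["body"]))
    return bytes(c ^ k for c, k in zip(msg["body"], stream))

class Terminal:
    def __init__(self, tid, configured, authenticated=None):
        self.tid = tid
        self.configured = configured        # PLMN id -> first security context (one per PLMN)
        self.authenticated = authenticated  # second security context, once authentication has run

    def first_target_context(self, plmn):
        # The second context has priority; otherwise use the one configured for the serving PLMN.
        return self.authenticated if self.authenticated is not None else self.configured[plmn]

    def initial_request(self, plmn, payload):
        return protect(self.first_target_context(plmn), self.tid, payload)

    def handle_reject(self, msg, plmn):
        if msg["sht"] == SHT_NONE:          # the real network always protects its reject
            return "discarded: unprotected"
        ctx = self.authenticated if msg["sht"] == SHT_AUTHENTICATED else self.configured.get(plmn)
        plain = verify(ctx, msg)
        # Discarding a reject that fails verification is this example's choice, not the page's.
        return plain.decode() if plain is not None else "discarded: verification failed"

class AMF:
    """First network device. The second network device (UDM) is modelled as a lookup table."""
    def __init__(self, udm):
        self.udm = udm    # (terminal id, PLMN id) -> operator-configured first security context
        self.first = {}   # tid -> first security context, once fetched from the UDM
        self.second = {}  # tid -> second security context from a completed authentication

    def first_target_context(self, tid, sht, plmn):
        if sht == SHT_AUTHENTICATED:
            return self.second.get(tid)
        if tid not in self.first:  # not saved locally: request it from the UDM
            self.first[tid] = self.udm[(tid, plmn)]
        return self.first[tid]

    def handle_request(self, msg, plmn, cause):
        tid = msg["terminal_id"]
        plain = verify(self.first_target_context(tid, msg["sht"], plmn), msg)
        # Second target context: the second context if stored, else the first; the reject
        # is protected whether or not verification passed.
        reject_ctx = self.second.get(tid) or self.first_target_context(tid, SHT_CONFIGURED, plmn)
        reason = cause if plain is not None else "security verification failed"
        return protect(reject_ctx, tid, reason.encode())

def run_exchange():
    """Constructed scenario: a terminal holding only a configured context, the real network,
    and a pseudo network that intercepted the request but holds no context for the terminal."""
    first = SecurityContext(SHT_CONFIGURED, hashlib.sha256(b"constructed demo key").digest())
    amf = AMF({("imsi-001", "plmn-A"): first})
    ue = Terminal("imsi-001", {"plmn-A": first})
    req = ue.initial_request("plmn-A", b"REGISTRATION REQUEST")
    real = amf.handle_request(req, "plmn-A", "EPS service unavailable")
    fake_plain = {"terminal_id": "imsi-001", "sht": SHT_NONE, "nonce": b"", "body": b"no service", "tag": b""}
    fake_prot = protect(SecurityContext(SHT_CONFIGURED, b"some other key"), "imsi-001", b"no service")
    return (ue.handle_reject(real, "plmn-A"),
            ue.handle_reject(fake_plain, "plmn-A"),
            ue.handle_reject(fake_prot, "plmn-A"))
```

run_exchange() plays the constructed scenario: the real AMF fetches the configured context from the UDM table, verifies the request and answers with a reject protected under the first context, which the terminal decrypts; an unprotected reject and a reject protected under some other key are both discarded. The security header type in clear is what lets each side pick the right context before it can verify anything, which is why the header itself is covered by the integrity tag.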
  • a third aspect provides a first network device having the functionality to implement the method described in the first aspect above. This function can be implemented in hardware, or in hardware executing the corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
  • a fourth aspect provides a first network device, including: a processor, a memory, a bus, and a communication interface; the memory is configured to store computer-executable instructions, and the processor is connected to the memory through the bus; when the first network device is operating, the processor executes the computer-executable instructions stored in the memory to cause the first network device to perform the network security protection method of any of the first aspects above.
  • the embodiment of the present application provides a computer readable storage medium storing instructions which, when executed on a computer, enable the computer to perform the network security protection method of any one of the foregoing first aspects.
  • an embodiment of the present application provides a computer program product comprising instructions, which when executed on a computer, enable the computer to perform the network security protection method of any one of the above first aspects.
  • a terminal having the function of implementing the method described in the second aspect above. This function can be implemented in hardware, or in hardware executing the corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
  • a terminal including: a processor, a memory, a bus, and a communication interface; the memory is configured to store computer-executable instructions, and the processor is connected to the memory through the bus; when the terminal is running, the processor executes the computer-executable instructions stored in the memory to cause the terminal to perform the network security protection method described in any of the above second aspects.
  • the embodiment of the present application provides a computer readable storage medium storing instructions which, when run on a computer, enable the computer to perform the network security protection method of any of the foregoing second aspects.
  • the embodiment of the present application provides a computer program product comprising instructions, which when executed on a computer, enable the computer to perform the network security protection method of any one of the foregoing second aspects.
  • the embodiment of the present application provides a network security protection system, where the network security protection system includes the terminal in any of the foregoing aspects, and the first network device in any of the foregoing aspects.
  • FIG. 1 is a schematic structural diagram of a network security protection system according to an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a 5G network architecture provided by an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a general hardware architecture of a mobile phone according to an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a computer device according to an embodiment of the present application.
  • FIG. 5 is a schematic flowchart 1 of a network security protection method according to an embodiment of the present application.
  • FIG. 6 is a second schematic flowchart of a network security protection method according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram 1 of a first network device according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram 2 of a first network device according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram 1 of a terminal according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram 2 of a terminal according to an embodiment of the present disclosure.
  • the words “first” and “second” are used to distinguish items whose functions and purposes are substantially the same. Those skilled in the art will understand that the words “first”, “second”, etc. do not limit quantity or order of execution. For example, the “first” in the first security context and the “second” in the second security context in the embodiment of the present application are only used to distinguish different security contexts.
  • the network architecture and the service scenario described in the embodiments of the present application are for the purpose of more clearly illustrating the technical solutions of the embodiments of the present application, and do not constitute a limitation of the technical solutions provided by the embodiments of the present application.
  • the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
  • FIG. 1 is a schematic structural diagram of a network security protection system 10 provided by an embodiment of the present application.
  • the network security protection system 10 includes a first network device 101 and a terminal 102.
  • the terminal 102 is configured to: determine a first target security context of the terminal 102, where the first target security context includes a first security context or a second security context, the first security context being a configured security context and the second security context being a security context generated by the authentication process; secure the initial NAS request message using the first target security context to obtain a security-protected NAS request message, the security protection including encryption; and send the security-protected NAS request message to the first network device 101, where the header of the securely protected NAS request message is a first NAS message header, and the first NAS message header includes the identifier of the terminal 102 and first security header type information, the first security header type information being used to indicate the type of the first target security context.
  • the first network device 101 is configured to: receive the security-protected NAS request message from the terminal 102; determine the first target security context according to the identifier of the terminal 102 and the first security header type information; perform security verification on the secured NAS request message using the first target security context, the security verification including decryption; according to the result of the security verification, secure a NAS reject message using a second target security context to obtain a security-protected NAS reject message, where the second target security context includes the first security context or the second security context; and send the security-protected NAS reject message to the terminal 102, where the header of the secured NAS reject message is a second NAS message header, and the second NAS message header includes the identifier of the terminal 102 and second security header type information used to indicate the type of the second target security context.
  • the terminal 102 is further configured to: receive the security-protected NAS reject message from the first network device 101; determine the second target security context according to the identifier of the terminal 102 and the second security header type information; and perform security verification on the secured NAS reject message using the second target security context, the security verification including decryption.
  • the first network device 101 and the terminal 102 in FIG. 1 may communicate directly, or through forwarding by other network devices; this is not specifically limited in this embodiment of the present application.
  • the foregoing network security protection system 10 can be applied to 5G networks and other future networks, which is not specifically limited in this embodiment of the present application.
  • the first network device 101 may specifically be an Access and Mobility Management Function (AMF) entity or a Session Management Function (SMF) entity in the 5G network; the terminal 102 may specifically be a terminal in the 5G network.
  • for the main function of the AMF entity, refer to the description of the first network device 101; for the main function of the terminal, refer to the description of the terminal 102; details are not described herein.
  • the 5G network may further include an Access Network (AN) device, a Unified Data Management (UDM) entity, and an Authentication Server Function (AUSF) entity.
  • the terminal communicates with the AMF entity through Next Generation (N) interface 1 (N1 for short), the AN device communicates with the AMF entity through N interface 2 (N2 for short), and the AMF entity communicates with the UPF entity through N interface 11 (N11 for short).
  • the AMF entity communicates with the UDM entity through the N interface 8 (N8 for short), and the AMF entity communicates with the AUSF entity through the N interface 12 (N12 for short).
  • the terminal accesses the 5G network through the AN device.
  • the AUSF entity or the UDM entity is used to store the security context configured by the operator for the terminal, that is, the first security context in the following embodiments.
  • the foregoing 5G network may further include a User Plane Function (UPF) entity, and a Policy Control Function (PCF) entity, and the like, which is not specifically limited in this embodiment of the present application.
  • the terminal, the RAN access point, the AMF entity, the SMF entity, the AUSF entity, and the UDM entity in the above 5G network are only names, and a name does not limit the device itself. The network elements or entities corresponding to the terminal, the RAN access point, the AMF entity, the SMF entity, the AUSF entity, and the UDM entity may also have other names; this is not specifically limited in this embodiment of the present application.
  • the UDM entity may be replaced by a Home Subscriber Server (HSS) or a User Subscription Database (USD) or a database entity, and the like.
  • the terminal involved in the present application may include various handheld devices with wireless communication functions, in-vehicle devices, wearable devices, computing devices, or other processing devices connected to a wireless modem, and various forms of terminals such as a mobile station (MS), user equipment (UE), terminal equipment, and soft terminals; the above devices are collectively referred to as terminals.
  • the first network device 101 in the embodiment of the present disclosure may be implemented by one physical device, by multiple physical devices, or as a logical functional module in a physical device; this is not specifically limited.
  • the first network device 101 and the terminal 102 in FIG. 1 can be implemented by the communication device in FIG.
  • FIG. 3 is a schematic diagram showing the hardware structure of a communication device according to an embodiment of the present application.
  • the communication device 300 includes at least one processor 301, a communication bus 302, a memory 303, and at least one communication interface 304.
  • the processor 301 can be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the present application.
  • Communication bus 302 can include a path for communicating information between the components described above.
  • the communication interface 304 uses any transceiver-like device for communicating with other devices or communication networks, such as Ethernet, a Radio Access Network (RAN), or Wireless Local Area Networks (WLAN).
  • the memory 303 can be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these.
  • the memory can exist independently and be connected to the processor via a bus.
  • the memory can also be integrated with the processor.
  • the memory 303 is used to store application code for executing the solution of the present application, and is controlled by the processor 301 for execution.
  • the processor 301 is configured to execute the application code stored in the memory 303, thereby implementing the network security protection method provided by the following embodiments of the present application.
  • processor 301 may include one or more CPUs, such as CPU0 and CPU1 in FIG.
  • communication device 300 can include multiple processors, such as processor 301 and processor 308 in FIG. Each of these processors can be a single-CPU processor or a multi-core processor.
  • processors herein may refer to one or more devices, circuits, and/or processing cores for processing data, such as computer program instructions.
  • the communication device 300 can also include an output device 305 and an input device 306.
  • Output device 305 is in communication with processor 301 and can display information in a variety of ways.
  • The output device 305 can be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, etc.
  • Input device 306 is in communication with processor 301 and can accept user input in a variety of ways.
  • input device 306 can be a mouse, keyboard, touch screen device, or sensing device, and the like.
  • the communication device 300 described above can be a general purpose computer device or a special purpose computer device.
  • The communication device 300 can be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet, a terminal device, an embedded device, or a device having a structure similar to that in FIG. 3.
  • the embodiment of the present application does not limit the type of the communication device 300.
  • FIG. 4 is a schematic flowchart of the network security protection method provided by an embodiment of the present application; the method includes the following steps:
  • S401 The terminal determines a first target security context of the terminal, where the first target security context includes a first security context or a second security context.
  • the first security context is a configured security context
  • the second security context is a security context generated by the authentication process.
  • The first target security context is the security context used by the terminal to secure the initial NAS request message sent to the first network device; this is stated once here and not repeated below.
  • S402 The terminal secures the initial NAS request message by using the first target security context to obtain a security-protected NAS request message, where the security protection includes encryption.
  • S403 The terminal sends the security-protected NAS request message to the first network device, so that the first network device receives the security-protected NAS request message from the terminal.
  • The header of the security-protected NAS request message is a first NAS message header, where the first NAS message header includes an identifier of the terminal and first security header type information, and the first security header type information is used to indicate the type of the first target security context.
  • S404 The first network device determines the first target security context according to the identifier of the terminal and the first security header type information.
  • S405 The first network device uses the first target security context to perform security verification on the security-protected NAS request message, where the security verification includes decryption.
  • S406 The first network device uses a second target security context to secure the NAS reject message, and obtains a security-protected NAS reject message, where the security protection includes encryption.
  • the second target security context includes a first security context or a second security context.
  • The second target security context is the security context used by the first network device to secure the NAS reject message sent to the terminal; this is stated once here and not repeated below.
  • S407 The first network device sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the first network device.
  • The header of the security-protected NAS reject message is a second NAS message header, where the second NAS message header includes the identifier of the terminal and second security header type information, and the second security header type information is used to indicate the type of the second target security context.
  • S408 The terminal determines the second target security context according to the identifier of the terminal and the second security header type information.
  • S409 The terminal uses the second target security context to perform security verification on the security-protected NAS reject message, where the security verification includes decryption.
  • steps S401-S409 will be explained in detail in the embodiments shown in FIGS. 5 and 6.
  • Optionally, the method may further include: the terminal receiving a NAS reject message that is not security-protected, and the terminal discarding the NAS reject message that is not security-protected.
  • In the embodiment of the present application, the NAS reject message sent by the real network is security-protected; therefore, after the terminal receives a NAS reject message without security protection, the message can be considered as sent by a pseudo network, and the terminal can directly discard the unprotected NAS reject message.
  • In the network security protection method provided by the embodiment of the present application, on the one hand, because the terminal sends the first network device a NAS request message obtained by securing the initial NAS request message, a pseudo network cannot verify it and therefore cannot construct a corresponding NAS reject message, so that some DoS attacks can be avoided.
  • On the other hand, the NAS reject message for the initial NAS request message that the first network device sends to the terminal is security-protected. Therefore, after receiving a NAS reject message, the terminal can distinguish, according to whether security protection is applied, whether it was sent by the real network or by a pseudo network, and can process it accordingly, for example by discarding an unprotected NAS reject message sent by a pseudo network. This further reduces the risk of DoS attacks and improves the security of 5G and other future networks.
  • The actions of the first network device in the foregoing S404, S405, S406 and S407 may be performed by the processor 301 in the communication device 300 shown in FIG. 3 by calling the application code stored in the memory 303; this is not restricted in the embodiment of the present application.
  • The following describes the network security protection method shown in FIG. 4 in detail, taking as an example the network security protection system 10 shown in FIG. 1 applied to the 5G network shown in FIG. 2, with the first network device being an AMF entity.
  • FIG. 5 is a schematic flowchart of a network security protection method provided by an embodiment of the present application. The method involves interaction among a terminal, an AMF entity and a UDM entity, and includes the following steps:
  • S500 The operator configures the same security context for the terminal both on the Universal Subscriber Identity Module (USIM) card used by the terminal (or on the terminal itself) and on the network side.
  • the scenario in which the operator configures the security context on the USIM card used by the terminal is more common than the scenario in which the operator configures the security context on the terminal, because the USIM card is issued by the operator.
  • Configuring the security context on the terminal itself is usually applicable to a terminal that is under contract with the operator. A unified explanation is given here and is not repeated below.
  • On the network side, the operator may configure the security context for the terminal on the UDM entity, on the AUSF entity, or on another network device on the network side; this is not specifically limited in the embodiment of the present application.
  • When the operator configures the security context for the terminal on the terminal, the security context may be configured in a non-volatile memory of the terminal or in another memory of the terminal; this is not specifically limited in this embodiment.
  • The operator can also configure the security context both on the USIM card used by the terminal and on the terminal. In that case the terminal usually uses the security context configured on the USIM card, but it may also use the security context configured on the terminal; this is not specifically limited in this embodiment.
  • The security context configured by the operator may be referred to as a default security context, an initial security context, or a subscribed security context; the name is not specifically limited.
  • the security context configured by the operator includes at least the following parameters: a security protection key and a security protection algorithm.
  • the security protection key may be a root key or a NAS security key that can be directly used. This embodiment of the present application does not specifically limit this.
  • the security protection algorithm includes an encryption algorithm.
  • the security protection algorithm may further include an integrity protection algorithm. The embodiment of the present application does not limit the specific algorithm type.
  • If the security protection key in the security context is a NAS security key that can be used directly, the terminal and the AMF entity can directly use the NAS security key and the encryption algorithm to encrypt the NAS message; if the security protection key in the security context is the root key, the terminal and the AMF entity first need to use the key deduction algorithm to derive the corresponding NAS security key from the root key, and then use the NAS security key and the encryption algorithm to encrypt the NAS message, where the terminal and the AMF entity use the same key deduction algorithm.
  • The operator may configure one or more security contexts for the terminal according to the different public land mobile networks (PLMNs) serving the terminal, the different network slices serving the terminal, or the different access technologies adopted by the terminal; for example, different or the same security contexts may be configured for 3GPP wireless air interface access, non-3GPP air interface access and fixed network access, which is not limited in this embodiment.
  • S501 The terminal determines whether a second security context is saved locally, where the second security context is a security context generated by an authentication process.
  • The second security context in step S501 is the security context generated by the authentication process initiated in the procedure triggered the last time the terminal initiated an initial NAS request message from the idle state.
  • S502 The terminal determines a first security context of the terminal, and determines the first security context as the first target security context of the terminal, where the first security context is a configured security context.
  • Determining the first security context of the terminal may include: the terminal reading the first security context configured on the USIM card of the terminal, or the terminal acquiring the first security context configured on the terminal.
  • Alternatively, determining the first security context of the terminal may include: the terminal selecting a first security context from a plurality of security contexts of the terminal according to the PLMN currently serving the terminal, the network slice currently serving the terminal, or the access technology currently adopted by the terminal, where the first security context is included in the plurality of security contexts.
  • Step S501 is optional; the terminal may directly perform step S502, that is, determine the first security context of the terminal and determine it as the first target security context of the terminal. This is not specifically limited in this embodiment.
  • S503 The terminal secures the initial NAS request message by using the first security context to obtain a security-protected NAS request message, where the security protection includes encryption.
  • The initial NAS request message in the embodiment of the present application is a NAS request message initiated by the terminal from the idle state, for example an attach request (ATTACH REQUEST) message, a tracking area update request (TRACKING AREA UPDATE REQUEST) message or a service request (SERVICE REQUEST) message in the fourth generation (4G) mobile communication system, or a registration request (REGISTRATION REQUEST) message in the 5G mobile communication system; this is not limited in this application. A unified explanation is given here and is not repeated below.
  • The security protection in the embodiment of the present application may also include integrity protection; this is stated once here and not repeated below. If the security protection also includes integrity protection, then after the terminal encrypts the initial NAS request message using the NAS security key and the encryption algorithm, it uses the NAS security key and the integrity protection algorithm to integrity-protect the encrypted NAS request message and generate a message authentication code (MAC); this is not specifically limited in this embodiment of the present application.
  • The terminal sends the security-protected NAS request message to the AMF entity, so that the AMF entity receives the security-protected NAS request message from the terminal.
  • The header of the security-protected NAS request message is a first NAS message header, which includes the identifier of the terminal and first security header type information; the first security header type information is used to indicate the type of the first security context.
  • The identifier of the terminal and the first security header type information in the first NAS message header may be left unprotected.
  • The identifier of the terminal in the embodiment of the present application may be a complete permanent identity of the terminal, such as an International Mobile Subscriber Identity (IMSI), a partial permanent identity of the terminal, such as part of the IMSI, or a security-protected terminal identity, such as IMSI information protected by a hash algorithm; the specific content of the identifier of the terminal is not specifically limited in this embodiment.
  • The first security header type information may indicate "integrity protected and ciphered with default security context" or "ciphered with default security context", where "default security context" denotes the first security context. If the terminal and the AMF entity have not agreed to use the first security context, the second security context is used by default.
  • The format of the security-protected NAS request message including the first NAS message header is as shown in Table 1. The first n+5 bytes are allocated to the first NAS message header, and the remaining bytes are allocated to the security-protected NAS request message. If the security protection includes only encryption and not integrity protection, the first NAS message header does not include the message authentication code and the sequence number; if the security protection includes both encryption and integrity protection, the first NAS message header includes the message authentication code and the sequence number.
  • The number of bytes occupied by the identifier of the terminal is variable and depends on the identifier the terminal uses; for example, if the complete IMSI is used, the identifier of the terminal occupies 8 bytes.
  • The AMF entity can determine the first security context according to the identifier of the terminal and the first security header type information in the first NAS message header, as shown in steps S505-S514 below.
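  • As an added example (not code from the patent application), the following Python models the message layout described above (terminal identifier, security header type, and a MAC plus sequence number only when integrity protection is applied, followed by the protected payload), the terminal's choice between the configured first context and an authentication-generated second context, encrypt-then-MAC protection, receiver-side context lookup from the header type, and discarding of an unprotected reject message. The header type codes, the 4-byte MAC width, the HMAC-based key deduction and the HMAC keystream cipher are stand-ins, since the application does not fix the algorithms or the encoding.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Security header type codes. The application names their meanings ("integrity protected
# and ciphered with default security context", ...) but not the encoding; values assumed.
SHT_PLAIN = 0x00                  # no security protection
SHT_CIPHERED = 0x01               # ciphered with the second (authentication) context
SHT_INT_CIPHERED = 0x02           # integrity protected and ciphered, second context
SHT_CIPHERED_DEFAULT = 0x03       # ciphered with the default (first, configured) context
SHT_INT_CIPHERED_DEFAULT = 0x04   # integrity protected and ciphered, first context
ID_LEN = 8                        # a complete IMSI occupies 8 bytes in the header
MAC_LEN = 4                       # assumed width of the message authentication code


@dataclass
class SecurityContext:
    kind: str        # "first" (configured on USIM/network side) or "second" (from authentication)
    nas_key: bytes   # NAS security key, derived from the root key when only a root key is configured
    integrity: bool  # whether the context's algorithm set includes integrity protection

def derive_nas_key(root_key: bytes) -> bytes:
    """Stand-in key deduction (HMAC-SHA256, fixed label); terminal and AMF must use the same one."""
    return hmac.new(root_key, b"NAS-key-deduction", hashlib.sha256).digest()

def select_context(first: SecurityContext, second: Optional[SecurityContext]) -> SecurityContext:
    """The second context has priority; without it, the configured first context is used."""
    return second if second is not None else first

def header_type(ctx: SecurityContext) -> int:
    """Security header type announcing which context and which protection were used."""
    if ctx.kind == "first":
        return SHT_INT_CIPHERED_DEFAULT if ctx.integrity else SHT_CIPHERED_DEFAULT
    return SHT_INT_CIPHERED if ctx.integrity else SHT_CIPHERED

def context_for_header(sht, first, second) -> Optional[SecurityContext]:
    """Receiver side: map the announced header type back to a context (AMF in S505, terminal in S509)."""
    if sht in (SHT_CIPHERED_DEFAULT, SHT_INT_CIPHERED_DEFAULT):
        return first
    if sht in (SHT_CIPHERED, SHT_INT_CIPHERED):
        return second           # None when no second context is saved: verification fails
    return None                 # SHT_PLAIN or unknown: unprotected, to be discarded

def _xor_stream(key: bytes, seq: int, data: bytes) -> bytes:
    """Stand-in encryption algorithm: XOR with an HMAC-SHA256 keystream over (seq, block counter)."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, bytes([seq]) + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)

def protect(ctx: SecurityContext, terminal_id: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt, then integrity-protect the ciphertext (S503); header = id | type | [MAC | seq]."""
    if len(terminal_id) != ID_LEN or not 0 <= seq <= 255:
        raise ValueError("bad identifier length or sequence number")
    if not ctx.integrity:
        seq = 0  # the header carries no MAC and no sequence number without integrity protection
    body = _xor_stream(ctx.nas_key, seq, plaintext)
    header = terminal_id + bytes([header_type(ctx)])
    if ctx.integrity:
        mac = hmac.new(ctx.nas_key, bytes([seq]) + body, hashlib.sha256).digest()[:MAC_LEN]
        header += mac + bytes([seq])
    return header + body

def verify(msg: bytes, first, second):
    """Parse the header, pick the announced context, check the MAC, decrypt.
    Returns (context, plaintext) when verification passes, else None."""
    if len(msg) < ID_LEN + 1:
        return None
    sht = msg[ID_LEN]
    ctx = context_for_header(sht, first, second)
    if ctx is None:
        return None
    pos, seq = ID_LEN + 1, 0
    if sht in (SHT_INT_CIPHERED, SHT_INT_CIPHERED_DEFAULT):
        if len(msg) < pos + MAC_LEN + 1:
            return None
        mac, seq = msg[pos:pos + MAC_LEN], msg[pos + MAC_LEN]
        pos += MAC_LEN + 1
        expected = hmac.new(ctx.nas_key, bytes([seq]) + msg[pos:], hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected):
            return None     # integrity check failed
    return ctx, _xor_stream(ctx.nas_key, seq, msg[pos:])

def demo():
    """Constructed round trip with no second context saved: the terminal protects the initial
    request with the first context, the AMF verifies it and answers with a protected reject,
    and an unprotected reject (as a pseudo network would send) is dropped."""
    imsi = bytes.fromhex("0123456789abcdef")  # constructed 8-byte identifier
    first = SecurityContext("first", derive_nas_key(b"constructed-root-key"), integrity=True)
    request = protect(select_context(first, None), imsi, 7, b"REGISTRATION REQUEST")
    at_amf = verify(request, first, None)
    reject = protect(first, imsi, 1, b"REJECT")
    at_terminal = verify(reject, first, None)
    bogus = imsi + bytes([SHT_PLAIN]) + b"REJECT"
    return at_amf[1], at_terminal[1], verify(bogus, first, None)
```

  • Because the stand-in cipher is a plain keystream XOR, a wrong key cannot be detected by "decryption failing"; only the integrity check rejects a forged or tampered message, which is why the verify step treats a MAC mismatch as a failed verification.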
  • S505 The AMF entity determines the first security context according to the identifier of the terminal and the first security header type information.
  • Specifically, the AMF entity determines, according to the identifier of the terminal and the first security header type information, whether the first security context is saved locally.
  • If the first security context is saved locally, the AMF entity obtains the first security context locally; if it is not saved locally, the AMF entity sends a first message to the UDM entity, so that the UDM entity receives the first message. The first message includes the identifier of the terminal and is used to request the first security context. The UDM entity determines, according to the identifier of the terminal carried in the first message, the first security context configured for the terminal, and then sends a second message to the AMF entity, so that the AMF entity receives the second message. The second message includes the first security context and the identifier of the terminal.
  • The first message in the embodiment of the present application may be a first security context acquisition request, and the second message may be a first security context acquisition response.
  • The first message in the embodiment of the present application may further include an identifier of the PLMN currently serving the terminal, an identifier of the network slice currently serving the terminal, or information about the access technology currently used by the terminal.
  • Correspondingly, the UDM entity may select the first security context from multiple security contexts of the terminal according to the identifier of the terminal together with the identifier of the PLMN currently serving the terminal, the identifier of the network slice currently serving the terminal, or the information about the access technology currently used by the terminal carried in the first message, where the first security context is included in the multiple security contexts.
  • the AMF entity may save the first security context carried in the second message.
  • the foregoing embodiment is described by taking an example in which an operator configures a security context for a terminal on a UDM entity.
  • the operator may also configure a security context for the terminal on other devices on the network side, for example, configuring a security context for the terminal on the AUSF entity.
  • When the security context is configured for the terminal on another device on the network side, the manner of obtaining the first security context from that device may be implemented by referring to the manner of obtaining the first security context from the UDM entity, with the UDM entity replaced by the other device; details are not described herein.
  • the AMF entity uses the first security context to perform security verification on the secured NAS request message, where the security verification includes decryption.
  • Optionally, if the security protection also includes integrity protection, the security verification also includes an integrity check; this is stated once here and not repeated below.
  • The AMF entity may determine the second target security context according to the security verification result and perform the subsequent operations, as specifically shown in steps S507a-S510a, S507b-S510b, S507c-S510c and S507d-S510d.
  • the second target security context includes a first security context or a second security context.
  • S507a The AMF entity uses the second security context to secure the NAS reject message for the initial NAS request message, and obtains a security-protected NAS reject message.
  • The second security context in step S507a may be the security context generated by the authentication process initiated in the procedure triggered the last time the terminal initiated an initial NAS message from the idle state, that is, the network side decides not to initiate an authentication process in the procedure triggered by the initial NAS message currently initiated by the terminal from the idle state. It may also be the security context generated by an authentication process initiated in the procedure triggered by the initial NAS message currently initiated by the terminal from the idle state; this is not specifically limited. In the latter case, the AMF entity rejects the initial NAS request message after initiating the authentication process that generates a new security context, and the AMF entity can obtain the new security context generated by that authentication process.
  • If the security protection includes only encryption, passing the security verification in the embodiment of the present application means that decryption succeeds; if the security protection includes encryption and integrity protection, passing the security verification means that decryption succeeds and the integrity check passes. A unified explanation is given here and is not repeated below.
  • For the specific implementation of the AMF entity securing the NAS reject message for the initial NAS request message by using the second security context, refer to the implementation of the terminal securing the initial NAS request message by using the first security context in step S503; details are not described herein again.
  • S508a The AMF entity sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the AMF entity.
  • The header of the security-protected NAS reject message is a second NAS message header, where the second NAS message header includes the identifier of the terminal and second security header type information, and the second security header type information is used to indicate the type of the second security context.
  • The second security header type information in step S508a may indicate "integrity protected and ciphered" or "ciphered". If the terminal and the AMF entity have not agreed to use the first security context, the second security context is used by default.
  • The format of the security-protected NAS reject message including the second NAS message header is as shown in Table 2. The first n+5 bytes are allocated to the second NAS message header, and the remaining bytes are allocated to the security-protected NAS reject message. If the security protection includes only encryption and not integrity protection, the second NAS message header does not include the message authentication code and the sequence number; if the security protection includes both encryption and integrity protection, the second NAS message header includes the message authentication code and the sequence number.
  • The number of bytes occupied by the identifier of the terminal is variable and depends on the identifier the terminal uses; for example, if the complete IMSI is used, the identifier of the terminal occupies 8 bytes.
  • S509a The terminal determines the second security context according to the identifier of the terminal and the second security header type information.
  • The second security context in step S509a and the second security context in step S507a are security contexts generated by the same authentication process. That is, if the second security context in step S507a is the security context generated by the authentication process initiated in the procedure triggered the last time the terminal initiated an initial NAS message from the idle state, the second security context in step S509a is also the security context generated by that process; if the second security context in step S507a is the security context generated by the authentication process initiated in the procedure triggered by the initial NAS message currently initiated by the terminal from the idle state, the second security context in step S509a is also that security context.
  • S510a The terminal uses the second security context to perform security verification on the security-protected NAS reject message, where the security verification includes decryption.
  • the NAS message of the security protection in the steps S507a-S510a may also include the reason for rejecting the initial NAS request message. If the terminal security verification is passed, the terminal may perform the corresponding action according to the reason for rejecting the initial NAS request message. For example, the current location area is added to the forbidden list and an attempt is made to select a suitable cell to stay in the other location area. The action performed by the terminal according to the reason for rejecting the initial NAS request message is not specifically limited. If the terminal security verification fails, the terminal can directly discard the NAS denial message of the security protection.
  • the terminal discards the NAS rejection message that is not secured.
  • S507b The AMF entity uses the first security context to secure the NAS reject message for the initial NAS request message, and obtains a security-protected NAS reject message.
  • This applies when the AMF entity has not saved the security context generated by the authentication process initiated the last time the terminal initiated an initial NAS message from the idle state, or that security context is invalid or illegal, and in the procedure triggered by the initial NAS message currently initiated by the terminal from the idle state the AMF entity rejects the initial NAS request message before initiating a new authentication process; at this time the AMF entity either does not store a second security context, or the stored second security context is invalid or illegal.
  • the first security context may be stored in the AMF, or may be obtained by using the method in the step S505, which is not specifically limited in this embodiment of the present application.
  • For the specific implementation of the AMF entity securing the NAS reject message for the initial NAS request message by using the first security context, refer to the implementation of the terminal securing the initial NAS request message by using the first security context in step S503; details are not described herein again.
  • In the embodiment of the present application, the second security context has a higher priority than the first security context: when the second security context exists, the initial NAS request message is secured by using the second security context, or the NAS reject message is secured by using the second security context; if the second security context does not exist, the first security context is used to secure the initial NAS request message, or the first security context is used to secure the NAS reject message. This is stated once here and not repeated below.
  • S508b The AMF entity sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the AMF entity.
  • The header of the security-protected NAS reject message is a second NAS message header, where the second NAS message header includes the identifier of the terminal and second security header type information, and the second security header type information is used to indicate the type of the first security context.
  • The second security header type information in step S508b may indicate "integrity protected and ciphered with default security context" or "ciphered with default security context", where "default security context" denotes the first security context. If the terminal and the AMF entity have not agreed to use the first security context, the second security context is used by default.
  • the format of the NAS reject message including the security protection of the second NAS header is shown in Table 2, and details are not described herein.
  • S509b The terminal determines the first security context according to the identifier of the terminal and the second security header type information.
  • S510b The terminal uses the first security context to perform security verification on the security-protected NAS reject message, where the security verification includes decryption.
  • the NAS message of the security protection in the steps S507b-S510b may also include a reason for rejecting the initial NAS request message. If the terminal security verification is passed, the terminal may perform the corresponding action according to the reason for rejecting the initial NAS request message. For example, the current location area is added to the forbidden list and an attempt is made to select a suitable cell to stay in the other location area. The action performed by the terminal according to the reason for rejecting the initial NAS request message is not specifically limited. If the terminal security verification fails, the terminal can directly discard the NAS denial message of the security protection.
  • the terminal discards the NAS rejection message that is not secured.
  • S507c The AMF entity uses the second security context to secure the NAS reject message, and obtains a security-protected NAS reject message.
  • The second security context in step S507c may be the security context generated by the authentication process initiated in the procedure triggered the last time the terminal initiated an initial NAS message from the idle state, that is, the network side decides not to initiate an authentication process in the procedure triggered by the initial NAS message currently initiated by the terminal from the idle state. It may also be the security context generated by an authentication process initiated in the procedure triggered by the initial NAS message currently initiated by the terminal from the idle state; this is not specifically limited. In the latter case, the AMF entity performs the NAS rejection after initiating the authentication process that generates a new security context, and at this time the AMF entity can obtain the new security context generated by that authentication process.
  • In steps S507c-S510c, the NAS reject message is sent because the security verification failed.
  • For the specific implementation of the AMF entity securing the NAS reject message by using the second security context, refer to the implementation of the terminal securing the initial NAS request message by using the first security context in step S503; details are not described herein.
  • Alternatively, when the security verification fails, the AMF entity can directly ignore the received security-protected NAS request message, in which case steps S507c-S510c are not performed; this is not specifically limited in this embodiment of the present application.
  • S508c The AMF entity sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the AMF entity.
  • The header of the security-protected NAS reject message is a second NAS message header, where the second NAS message header includes the identifier of the terminal and second security header type information, and the second security header type information is used to indicate the type of the second security context.
  • The second security header type information in step S508c may indicate "integrity protected and ciphered" or "ciphered". If the terminal and the AMF entity have not agreed to use the first security context, the second security context is used by default.
  • the format of the NAS reject message including the security protection of the second NAS header is shown in Table 2, and details are not described herein.
  • the terminal determines the second security context according to the identifier of the terminal and the second security header type information.
  • the second security context in step S509c and the second security context in step S507c are security contexts generated by the same authentication process. That is, if the second security context in step S507c is the security context generated by the authentication process initiated in the process triggered by the initial NAS initiated by the idle state, the second security context in step S509c is also the last time.
  • the security context generated by the process, the second security context in step S509c is also the security context generated by the authentication process initiated by the terminal in the process triggered by the initial NAS message initiated by the idle state.
  • S510c The terminal uses the second security context to perform security verification on the secured NAS rejection message, where the security verification includes decryption.
  • the NAS message of the security protection in the steps S507c-S510c may also be a Mobility Management Status message, which is not specifically limited in this embodiment of the present application.
  • the security denied NAS rejection message in steps S507c-S510c may further include a reason for rejection. If the terminal security verification is passed, the terminal may perform a corresponding action according to the rejection reason, for example, directly discarding the NAS rejection message or re-receiving the message.
  • the step S501 is started.
  • the embodiment of the present application does not specifically limit the action performed by the terminal according to the reason for rejection. If the terminal security verification fails, the terminal can directly discard the NAS denial message of the security protection.
  • the terminal If the terminal receives the NAS rejection message without security protection, the terminal discards the NAS rejection message that is not secured.
  • S507d: The AMF entity secures the NAS reject message using the first security context and obtains a security-protected NAS reject message.
  • The first security context may be stored in the AMF, or may be obtained by the method in step S505; this is not specifically limited in this embodiment of the present application.
  • The NAS reject message here is sent because the security verification failed.
  • For the specific implementation of the AMF entity securing the NAS reject message, refer to the security protection of the initial NAS request message by the terminal using the first security context in step S503; details are not described herein.
  • Optionally, the AMF may directly ignore the received security-protected NAS request message when the security verification fails, in which case steps S507d-S510d are not performed; this is not specifically limited in this embodiment of the present application.
  • S508d: The AMF entity sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the AMF entity.
  • The message header of the security-protected NAS reject message is a second NAS message header, which includes the identifier of the terminal and second security header type information; the second security header type information is used to indicate the type of the first security context.
  • The second security header type information in step S508d may include: integrity protected and ciphered with default security context, or ciphered with default security context, where ciphering is performed using the first security context. If the agreement between the terminal and the AMF does not specify use of the first security context, the second security context is used by default.
  • The format of the security-protected NAS reject message including the second NAS message header is shown in Table 2, and details are not described herein.
  • S509d: The terminal determines the first security context according to the identifier of the terminal and the second security header type information.
  • S510d: The terminal uses the first security context to perform security verification on the security-protected NAS reject message, where the security verification includes decryption.
  • The security-protected NAS message in steps S507d-S510d may also be a Mobility Management Status message, which is not specifically limited in this embodiment of the present application.
  • The security-protected NAS reject message in steps S507d-S510d may further include a reason for rejection. If the terminal's security verification succeeds, the terminal may perform a corresponding action according to the rejection reason, for example directly discarding the NAS reject message or restarting from step S501. The embodiment of the present application does not specifically limit the action performed by the terminal according to the reason for rejection. If the terminal's security verification fails, the terminal may directly discard the security-protected NAS reject message.
  • If the terminal receives a NAS reject message without security protection, the terminal discards the unprotected NAS reject message.
  • In the network security protection method provided by the embodiment of the present application, on the one hand, because the NAS request message that the terminal sends to the AMF entity is a security-protected form of the initial NAS request message, a pseudo network cannot verify it and therefore cannot construct the corresponding NAS reject message, so some DoS attacks can be avoided.
  • On the other hand, the NAS reject message for the initial NAS request message that the AMF entity sends to the terminal is a security-protected NAS reject message. Therefore, after receiving a NAS reject message, the terminal can distinguish, according to whether security protection is present, whether the NAS reject message was sent by the genuine network or by a pseudo network, and can then process it accordingly, for example by discarding an unprotected NAS reject message sent by a pseudo network. This further reduces the DoS attack risk and improves the security of 5G and other future networks.
  • The actions of the terminal in the foregoing S501, S502, S503, S504, S509a, S510a, S509b, S510b, S509c, S510c, S509d, and S510d may be performed by the processor 301 in the communication device 300 shown in FIG. 3 calling the application code stored in the memory 303; the embodiment of the present application does not impose any limitation on this.
  • The actions of the AMF entity in the foregoing S505, S506, S507a, S508a, S507b, S508b, S507c, S508c, S507d, and S508d may be performed by the processor 301 in the communication device 300 shown in FIG. 3 calling the application code stored in the memory 303; the embodiment of the present application does not impose any limitation on this.
  • The embodiment shown in FIG. 5 is an example in which the first network device is an AMF entity. Optionally, the first network device may be another device on the network side, for example an SMF entity. The solution for performing network security protection using another device may refer to the embodiment shown in FIG. 5, with the AMF entity in that embodiment replaced by the other device; details are not described here.
  • FIG. 6 is a schematic flowchart of another network security protection method provided by the embodiment of the present application.
  • The network security protection method involves interaction among a terminal, an AMF entity, and a UDM entity, and includes the following steps:
  • S601: The terminal determines whether the second security context is saved locally.
  • The second security context is a security context generated by the authentication process. Optionally, the second security context in step S601 is the security context generated by the authentication process in the procedure triggered the last time the terminal initiated the initial NAS request message from the idle state.
  • S602: Having determined that the second security context is saved locally, the terminal determines the second security context as the first target security context of the terminal.
  • S603: The terminal uses the second security context to secure the initial NAS request message and obtains a security-protected NAS request message, where the security protection includes encryption.
  • S604: The terminal sends the security-protected NAS request message to the AMF entity, so that the AMF entity receives the security-protected NAS request message from the terminal.
  • The message header of the security-protected NAS request message is a first NAS message header, which includes the identifier of the terminal and first security header type information; the first security header type information is used to indicate the type of the second security context.
  • Optionally, the identifier of the terminal and the first security header type information in the first NAS message header may be left without security protection.
  • The first security header type information may include: integrity protected and ciphered using the second security context, or ciphered using the second security context. If the agreement between the terminal and the AMF does not specify use of the first security context, the second security context is used by default.
  • The format of the security-protected NAS request message including the first NAS message header is shown in Table 1, and details are not described herein.
  • S605: The AMF entity determines, according to the identifier of the terminal and the first security header type information, whether the second security context is saved locally.
  • Optionally, the second security context in step S605 is the security context generated by the authentication process in the procedure triggered the last time the terminal initiated the initial NAS request message from the idle state.
  • If the second security context is not saved locally, the security-protected NAS request message cannot be security-verified, and the procedure ends.
  • S606: Having determined that the second security context is saved locally, the AMF entity uses the second security context to perform security verification on the security-protected NAS request message, where the security verification includes decryption.
  • Optionally, if the security protection also includes integrity protection, the security verification also includes an integrity check. This is stated here once and not repeated below.
  • The AMF entity may perform subsequent operations using the second security context according to the security verification result, as shown in steps S607a-S610a or steps S607c-S610c below.
  • S607a: The AMF entity uses the second security context to secure the NAS reject message of the initial NAS request message and obtains a security-protected NAS reject message.
  • The second security context in step S607a may be the security context generated by the authentication process initiated the last time the terminal initiated an initial NAS message from the idle state (that is, the network side decides not to initiate the authentication process in the procedure triggered by the initial NAS message the terminal sends from the idle state this time), or it may be the security context generated by the authentication process initiated in the procedure triggered by the initial NAS message the terminal sends from the idle state this time; this is not specifically limited. In the latter case, the AMF entity initiates the authentication process to generate a new security context before rejecting the initial NAS request message, and may then obtain the new security context generated by that authentication process.
  • Optionally, if the security protection includes encryption, passing the security verification in the embodiment of the present application means that decryption succeeds; if the security protection includes encryption and integrity protection, passing the security verification means that decryption succeeds and the integrity check passes. This is explained here once and not repeated below.
  • For the specific implementation of the AMF entity securing the NAS reject message of the initial NAS request message using the second security context, refer to the implementation of the security protection of the initial NAS request message by the terminal using the first security context in step S503; details are not described herein.
  • S608a: The AMF entity sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the AMF entity.
  • The message header of the security-protected NAS reject message is a second NAS message header, which includes the identifier of the terminal and second security header type information; the second security header type information is used to indicate the type of the second security context.
  • The second security header type information in step S608a may include: integrity protected and ciphered using the second security context, or ciphered using the second security context. If the agreement between the terminal and the AMF does not specify use of the first security context, the second security context is used by default.
  • The format of the security-protected NAS reject message including the second NAS message header is shown in Table 2, and details are not described herein.
  • S609a: The terminal determines the second security context according to the identifier of the terminal and the second security header type information.
  • The second security context in step S609a and the second security context in step S607a are security contexts generated by the same authentication process. That is, if the second security context in step S607a is the one generated by the authentication process initiated the last time the terminal initiated an initial NAS message from the idle state, the second security context in step S609a is that same context; and if the second security context in step S607a is the one generated by the authentication process initiated in the procedure triggered by the initial NAS message the terminal sent from the idle state this time, the second security context in step S609a is likewise that context.
  • S610a: The terminal uses the second security context to perform security verification on the security-protected NAS reject message, where the security verification includes decryption.
  • The security-protected NAS message in steps S607a-S610a may also include a reason for rejecting the initial NAS request message. If the terminal's security verification passes, the terminal may perform a corresponding action according to that rejection reason, for example adding the current location area to the forbidden list and attempting to select a suitable cell to camp on in another location area; the action performed by the terminal according to the rejection reason is not specifically limited. If the terminal's security verification fails, the terminal may directly discard the security-protected NAS reject message.
  • If the terminal receives a NAS reject message without security protection, the terminal discards the unprotected NAS reject message.
  • S607c: The AMF entity secures the NAS reject message using the second security context and obtains a security-protected NAS reject message.
  • The second security context in step S607c may be the security context generated by the authentication process initiated the last time the terminal initiated an initial NAS message from the idle state (that is, the network side decides not to initiate the authentication process in the procedure triggered by the initial NAS message the terminal sends from the idle state this time), or it may be the security context generated by the authentication process initiated in the procedure triggered by the initial NAS message the terminal sends from the idle state this time; this is not specifically limited. In the latter case, the AMF entity initiates the authentication process to generate a new security context before rejecting the initial NAS request message, and may then obtain the new security context generated by that authentication process.
  • The NAS reject message here is sent because the security verification failed.
  • For the specific implementation of the AMF entity securing the NAS reject message, refer to the security protection of the initial NAS request message by the terminal using the first security context in step S503; details are not described herein.
  • Optionally, the AMF may directly ignore the received security-protected NAS request message when the security verification fails, in which case steps S607c-S610c are not performed; this is not specifically limited in this embodiment of the present application.
  • S608c: The AMF entity sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the AMF entity.
  • The message header of the security-protected NAS reject message is a second NAS message header, which includes the identifier of the terminal and second security header type information; the second security header type information is used to indicate the type of the second security context.
  • The second security header type information in step S608c may include: integrity protected and ciphered using the second security context, or ciphered using the second security context. If the agreement between the terminal and the AMF does not specify use of the first security context, the second security context is used by default.
  • The format of the security-protected NAS reject message including the second NAS message header is shown in Table 2, and details are not described herein.
  • S609c: The terminal determines the second security context according to the identifier of the terminal and the second security header type information.
  • The second security context in step S609c and the second security context in step S607c are security contexts generated by the same authentication process. That is, if the second security context in step S607c is the one generated by the authentication process initiated the last time the terminal initiated an initial NAS message from the idle state, the second security context in step S609c is that same context; and if the second security context in step S607c is the one generated by the authentication process initiated in the procedure triggered by the initial NAS message the terminal sent from the idle state this time, the second security context in step S609c is likewise that context.
  • S610c: The terminal uses the second security context to perform security verification on the security-protected NAS reject message, where the security verification includes decryption.
  • The security-protected NAS message in steps S607c-S610c may also be a Mobility Management Status message, which is not specifically limited in this embodiment of the present application.
  • The security-protected NAS reject message in steps S607c-S610c may further include a reason for rejection. If the terminal's security verification passes, the terminal may perform a corresponding action according to the rejection reason, for example directly discarding the NAS reject message or restarting from step S601. The embodiment of the present application does not specifically limit the action performed by the terminal according to the reason for rejection. If the terminal's security verification fails, the terminal may directly discard the security-protected NAS reject message.
  • If the terminal receives a NAS reject message without security protection, the terminal discards the unprotected NAS reject message.
  • In the network security protection method provided by the embodiment of the present application, on the one hand, because the NAS request message that the terminal sends to the AMF entity is a security-protected form of the initial NAS request message, a pseudo network cannot verify it and therefore cannot construct the corresponding NAS reject message, so some DoS attacks can be avoided.
  • On the other hand, the NAS reject message for the initial NAS request message that the AMF entity sends to the terminal is a security-protected NAS reject message. Therefore, after receiving a NAS reject message, the terminal can distinguish, according to whether security protection is present, whether the NAS reject message was sent by the genuine network or by a pseudo network, and can then process it accordingly, for example by discarding an unprotected NAS reject message sent by a pseudo network. This further reduces the DoS attack risk and improves the security of 5G and other future networks.
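As an added example that is not part of the patent, the following Python model walks through the exchange of FIG. 5 and FIG. 6: the terminal prefers the second (authentication-generated) security context over the configured first one, carries the terminal identifier and security header type unprotected in the NAS message header, the AMF verifies the request and answers with a NAS reject protected under the same context, and the terminal discards any reject that arrives without security protection. The HMAC-based keystream and tag stand in for the 5G NAS algorithms, and the header-type values, keys, identifiers and payloads are constructed sample values rather than anything the page defines.

```python
"""Model of the security-protected initial NAS request / NAS reject exchange (added example).
Keystream and tag are HMAC-SHA256 stand-ins for the 5G NAS algorithms; keys, identifiers,
header-type values and payloads are constructed sample values, not the page's definitions."""
from collections import namedtuple
from enum import IntEnum
import hashlib
import hmac
import os
import struct

# Security header type information (numeric values assumed; the page only names the types)
class SecHdrType(IntEnum):
    PLAIN = 0                # no security protection
    INT_CIPHERED_FIRST = 1   # integrity protected and ciphered, first (configured) context
    CIPHERED_FIRST = 2       # ciphered, first (configured) context
    INT_CIPHERED_SECOND = 3  # integrity protected and ciphered, second (authentication) context
    CIPHERED_SECOND = 4      # ciphered, second (authentication) context

CONTEXT_OF_TYPE = {1: "first", 2: "first", 3: "second", 4: "second"}
WITH_INTEGRITY = {SecHdrType.INT_CIPHERED_FIRST, SecHdrType.INT_CIPHERED_SECOND}
HDR_LEN, NONCE_LEN, TAG_LEN = 5, 8, 16
MARKER = b"5GMM"  # fixed plaintext prefix so that decryption under a wrong key is detectable
# kind is "first" (configured context) or "second" (context generated by authentication)
SecurityContext = namedtuple("SecurityContext", "kind enc_key int_key")

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))

def parse_header(msg):
    """NAS message header: terminal identifier and security header type, both unprotected."""
    ue_id, hdr_type = struct.unpack(">IB", msg[:HDR_LEN])
    return ue_id, SecHdrType(hdr_type)

def protect(ctx, hdr_type, ue_id, payload):
    """Security protection: header || nonce || ciphertext [|| tag]."""
    if CONTEXT_OF_TYPE[hdr_type] != ctx.kind:
        raise ValueError("header type does not indicate this security context")
    nonce = os.urandom(NONCE_LEN)
    plaintext = MARKER + payload
    body = struct.pack(">IB", ue_id, hdr_type) + nonce
    body += _xor(plaintext, _keystream(ctx.enc_key, nonce, len(plaintext)))
    if hdr_type in WITH_INTEGRITY:
        body += hmac.new(ctx.int_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body

def verify(ctx, msg):
    """Security verification: integrity check (when the type carries a tag), then decryption.
    Returns the payload, or None when verification fails."""
    _, hdr_type = parse_header(msg)
    if hdr_type == SecHdrType.PLAIN or CONTEXT_OF_TYPE[hdr_type] != ctx.kind:
        return None
    body = msg
    if hdr_type in WITH_INTEGRITY:
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(ctx.int_key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None
    nonce, ciphertext = body[HDR_LEN:HDR_LEN + NONCE_LEN], body[HDR_LEN + NONCE_LEN:]
    plaintext = _xor(ciphertext, _keystream(ctx.enc_key, nonce, len(ciphertext)))
    return plaintext[len(MARKER):] if plaintext.startswith(MARKER) else None

def plain_reject(ue_id, cause):
    """A NAS reject without security protection: all a sender lacking the context can produce."""
    return struct.pack(">IB", ue_id, SecHdrType.PLAIN) + cause

class Terminal:
    def __init__(self, ue_id, first_ctx, second_ctx=None):
        self.ue_id, self.first, self.second = ue_id, first_ctx, second_ctx
    def initial_request(self, payload):
        # S601/S602: the second context is the target when saved locally, else the first one
        ctx = self.second if self.second is not None else self.first
        hdr = SecHdrType.INT_CIPHERED_SECOND if ctx.kind == "second" else SecHdrType.INT_CIPHERED_FIRST
        return protect(ctx, hdr, self.ue_id, payload)
    def handle_reject(self, msg):
        """Returns ("discarded", why) or ("accepted", cause)."""
        ue_id, hdr_type = parse_header(msg)
        if hdr_type == SecHdrType.PLAIN or ue_id != self.ue_id:
            return ("discarded", "unprotected reject")  # the most a pseudo network can send
        ctx = self.second if CONTEXT_OF_TYPE[hdr_type] == "second" else self.first
        cause = verify(ctx, msg) if ctx is not None else None
        return ("accepted", cause.decode()) if cause is not None else ("discarded", "verification failed")

class AMF:
    def __init__(self, contexts):
        self.contexts = contexts  # {ue_id: {"first": ctx, "second": ctx}}
    def handle_request(self, msg, reject_cause=None):
        """Returns ("accepted", None), ("reject", protected bytes) or ("cannot_verify", None)."""
        ue_id, hdr_type = parse_header(msg)
        ctx = self.contexts.get(ue_id, {}).get(CONTEXT_OF_TYPE.get(hdr_type))
        if ctx is None:                # S605: context not saved locally, the procedure ends
            return ("cannot_verify", None)
        if verify(ctx, msg) is None:   # S607c: verification failed, reject under the same context
            return ("reject", protect(ctx, hdr_type, ue_id, b"SECURITY_VERIFICATION_FAILED"))
        if reject_cause is not None:   # S607a: the network rejects the verified request for a reason
            return ("reject", protect(ctx, hdr_type, ue_id, reject_cause.encode()))
        return ("accepted", None)
```

An AMF that does not hold the indicated context returns `cannot_verify` and cannot produce a reject the terminal will accept, while a tampered or unprotected reject is discarded by `handle_reject`.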
  • The actions of the terminal in the foregoing S601, S602, S603, S604, S609a, S610a, S609c, and S610c may be performed by the processor 301 in the communication device 300 shown in FIG. 3 calling the application code stored in the memory 303; the embodiment of the present application does not impose any limitation on this.
  • The actions of the AMF entity in the foregoing S605, S606, S607a, S608a, S607c, and S608c may be performed by the processor 301 in the communication device 300 shown in FIG. 3 calling the application code stored in the memory 303; this is not subject to any restriction.
  • The embodiment shown in FIG. 6 is an example in which the first network device is an AMF entity. Optionally, the first network device may be another device on the network side, for example an SMF entity. The solution for performing network security protection using another device may refer to the embodiment shown in FIG. 6, with the AMF entity in that embodiment replaced by the other device; details are not described here.
  • The solution provided by the embodiment of the present application has been introduced above mainly from the perspective of interaction between the first network device and the terminal. It can be understood that the foregoing first network device and terminal include corresponding hardware structures and/or software modules for performing their respective functions.
  • A person skilled in the art should readily appreciate that the present application can be implemented in hardware, or in a combination of hardware and computer software, in combination with the elements and algorithm steps of the examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or in computer software driving hardware depends on the specific application and design constraints of the solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered beyond the scope of the present application.
  • The embodiment of the present application may divide the first network device and the terminal into functional modules according to the foregoing method examples. For example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiment of the present application is schematic and is only a logical functional division; an actual implementation may use another division.
  • FIG. 7 is a schematic structural diagram of the first network device involved in the foregoing embodiment. The first network device 700 includes: a receiving module 701, a determining module 702, a verification module 703, a security protection module 704, and a sending module 705.
  • The receiving module 701 is configured to receive a security-protected NAS request message from the terminal, where the security-protected NAS request message is obtained by securing the initial NAS request message using the first target security context of the terminal. The message header of the security-protected NAS request message is a first NAS message header, which includes an identifier of the terminal and first security header type information; the first security header type information is used to indicate the type of the first target security context. The first target security context includes a first security context or a second security context, where the first security context is a configured security context and the second security context is a security context generated by the authentication process; the security protection includes encryption.
  • The determining module 702 is configured to determine the first target security context according to the identifier of the terminal and the first security header type information.
  • The verification module 703 is configured to perform security verification on the security-protected NAS request message using the first target security context, where the security verification includes decryption.
  • The security protection module 704 is configured to secure the NAS reject message using the second target security context according to the result of the security verification, to obtain a security-protected NAS reject message, where the second target security context includes the first security context or the second security context.
  • The sending module 705 is configured to send the security-protected NAS reject message to the terminal, where the message header of the security-protected NAS reject message is a second NAS message header, which includes the identifier of the terminal and second security header type information; the second security header type information is used to indicate the type of the second target security context.
  • Optionally, the first network device 700 further includes a storage module 706.
  • Optionally, the security protection module 704 is specifically configured to: secure the NAS reject message of the initial NAS request message using the first security context; or secure the NAS reject message of the initial NAS request message using the second security context; or secure the NAS reject message using the first security context; or secure the NAS reject message using the second security context.
  • Optionally, when the first target security context includes the first security context, the determining module 702 is specifically configured to: if the determining module 702 determines that the first security context is not saved locally, send a first message to the second network device, where the first message includes the identifier of the terminal and is used to request the first security context, and receive the first security context from the second network device; or, if the determining module 702 determines that the first security context is stored locally, obtain the first security context locally.
  • Optionally, the first message further includes an identifier of the PLMN currently serving the terminal, an identifier of a network slice currently serving the terminal, or information about an access technology currently used by the terminal.
  • Optionally, the first network device comprises an AMF entity or an SMF entity, and the second network device comprises a UDM entity or an AUSF entity.
  • FIG. 8 is a schematic diagram showing a possible structure of the first network device involved in the foregoing embodiment, where the first network device 800 includes: a processing module 801 and a communication module 802. Optionally, the first network device 800 may further include a storage module 803.
  • The processing module 801 can be used to perform the operations of the determining module 702, the verification module 703, and the security protection module 704 of FIG. 7; the communication module 802 can be used to perform the operations of the receiving module 701 and the sending module 705 of FIG. 7; and the storage module 803 can be used to perform the operations of the storage module 706 in FIG. 7. For the related content of FIG. 7, refer to the embodiment shown in FIG.
  • Whether the first network device is presented in the form of functional modules each corresponding to one function, or in the form of functional modules divided in an integrated manner, a "module" herein may refer to an Application-Specific Integrated Circuit (ASIC), a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the functions described above.
  • In a simple embodiment, the first network device 700 or the first network device 800 can take the form of the communication device 300 shown in FIG. 3.
  • For example, the receiving module 701, the determining module 702, the verification module 703, the security protection module 704, the sending module 705, and the storage module 706 in FIG. 7 may be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, these modules can be executed by the processor 301 calling the application code stored in the memory 303, and the embodiment of the present application does not impose any limitation on this.
  • Likewise, the processing module 801, the communication module 802, and the storage module 803 in FIG. 8 may be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, these modules can be executed by the processor 301 calling the application code stored in the memory 303, and the embodiment of the present application does not impose any limitation on this.
  • Because the first network device provided by the embodiment of the present application can be used to perform the foregoing network security protection method, the technical effects it can obtain may be found by reference to the foregoing method embodiments and are not described herein.
  • FIG. 9 is a schematic structural diagram of a terminal involved in the foregoing embodiment; the terminal 900 includes a determining module 901, a security protection module 902, a sending module 903, a receiving module 904 and a verification module 905.
  • the determining module 901 is configured to determine a first target security context of the terminal, where the first target security context includes a first security context or a second security context, the first security context is a configured security context, and the second security context is a security context generated by an authentication procedure.
  • the security protection module 902 is configured to secure the initial NAS request message by using the first target security context to obtain a security-protected NAS request message, where the security protection includes encryption.
  • the sending module 903 is configured to send the security-protected NAS request message to the first network device, where the message header of the security-protected NAS request message is a first NAS message header, the first NAS message header includes the identifier of the terminal and first security header type information, and the first security header type information is used to indicate the type of the first target security context.
  • the receiving module 904 is configured to receive a security-protected NAS reject message from the first network device, where the security-protected NAS reject message is obtained by securing a NAS reject message using a second target security context of the terminal; the header of the security-protected NAS reject message is a second NAS message header, the second NAS message header includes the identifier of the terminal and second security header type information, the second security header type information is used to indicate the type of the second target security context, and the second target security context includes the first security context or the second security context.
  • the determining module 901 is further configured to determine the second target security context according to the identifier of the terminal and the second security header type information.
  • the verification module 905 is configured to perform security verification on the secured NAS rejection message by using the second target security context, where the security verification includes decryption.
  • the terminal 900 further includes a discarding module 906.
  • the receiving module 904 is further configured to receive, after the sending module 903 sends the security-protected NAS request message to the first network device, a NAS reject message that is not security-protected.
  • the discarding module 906 is configured to discard the NAS reject message that is not security-protected.
  • the determining module 901 determines the first target security context of the terminal as follows: if the determining module 901 determines that the second security context is saved locally, it determines the second security context as the first target security context of the terminal; alternatively, if the determining module 901 determines that the second security context is not saved locally, it determines the first security context and determines the first security context as the first target security context of the terminal.
  • where the first target security context includes the first security context, the determining module 901 determines the first security context by reading the first security context configured on the USIM card of the terminal, or by acquiring the first security context configured on the terminal.
  • where the first target security context includes the first security context, the determining module 901 may alternatively determine the first security context by selecting it from the multiple security contexts of the terminal according to the PLMN currently serving the terminal, the network slice currently serving the terminal, or the access technology currently used by the terminal, where the multiple security contexts include the first security context and are of the same type as the first security context.
  • the first network device includes an AMF entity or an SMF entity; for the related content of each step involved in the foregoing method embodiments, refer to the functional description of the corresponding function module, and details are not described herein again.
  • FIG. 10 shows a possible structural diagram of the terminal involved in the foregoing embodiment.
  • the terminal 1000 includes a processing module 1001 and a communication module 1002.
  • the processing module 1001 can be used to perform the operations of the determining module 901, the security protection module 902, the verification module 905, and the discarding module 906 in FIG. 9, and the communication module 1002 can be used to perform the operations of the receiving module 904 and the sending module 903 in FIG. 9; for details, refer to the embodiment shown in FIG. 9, which is not described herein again.
  • the terminal is presented in the form of functional modules divided according to each function, or in the form of functional modules divided in an integrated manner.
  • a "module" herein may refer to an Application-Specific Integrated Circuit (ASIC), circuitry, a processor and memory that execute one or more software or firmware programs, integrated logic circuitry, and/or other devices that provide the functionality described above.
  • terminal 900 or terminal 1000 can take the form shown in FIG. 3.
  • the determining module 901, the security protection module 902, the sending module 903, the receiving module 904, and the verifying module 905 in FIG. 9 can be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, they can be implemented by the processor 301 calling and executing the application code stored in the memory 303, and the embodiment of the present application does not impose any limitation on this.
  • the determining module 901, the security protection module 902, the sending module 903, the receiving module 904, the verifying module 905, and the discarding module 906 in FIG. 9 may likewise be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, they can be implemented by the processor 301 calling and executing the application code stored in the memory 303, and there are no restrictions on this.
  • the processing module 1001 and the communication module 1002 in FIG. 10 may be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, they may be implemented by the processor 301 executing the application code stored in the memory 303, and the embodiment of the present application does not impose any limitation on this.
  • the terminal provided by the embodiment of the present application can be used to perform the foregoing network security protection method. Therefore, the technical effects that can be obtained by reference to the foregoing method embodiments are not described herein.
  • all or part of the above embodiments may be implemented by software, hardware, firmware, or any combination thereof.
  • when implemented by a software program, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present invention are produced in whole or in part.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or another programmable device.
  • the computer instructions can be stored in a computer readable storage medium or transferred from one computer readable storage medium to another; for example, the computer instructions can be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (e.g. coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g. infrared, radio, microwave).
  • the computer readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or data center, that integrates one or more available media.
  • the usable medium may be a magnetic medium (e.g. a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g. a DVD), or a semiconductor medium (e.g. a solid state disk (SSD)).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided are a network security protection method, device and system, wherein same can improve the security of a 5G network and other future networks. The method comprises: a terminal determining a first target security context of the terminal; using the first target security context to carry out security protection on an initial NAS request message so as to obtain a security-protected NAS request message; sending the security-protected NAS request message to a first network device; receiving a security-protected NAS rejection message from the first network device, wherein the security-protected NAS rejection message is obtained by using a second target security context of the terminal to carry out security protection on an NAS rejection message, with a message header of the security-protected NAS rejection message being a second NAS message header, and the second NAS message header comprising an identifier of the terminal and second security header type information; determining the second target security context according to the identifier of the terminal and the second security header type information; and using the second target security context to carry out security verification on the security-protected NAS rejection message.

Description

Network security protection method, device and system
This application claims priority to Chinese Patent Application No. 201710279322.8, filed with the Chinese Patent Office on April 25, 2017 and entitled "Network security protection method, device and system", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications technologies, and in particular to a network security protection method, device and system.
Background
The mobile communication network defined by the 3rd Generation Partnership Project (3GPP) introduces security protection mechanisms to guarantee the security of mobile communications, including the confidentiality, integrity and availability of communications. For example, the current Evolved Packet System (EPS) network uses a two-way identity authentication mechanism to achieve mutual authentication of legitimacy between the network and the terminal, and uses an encryption protection mechanism and an integrity protection mechanism to achieve the confidentiality and integrity of communication between the terminal and the network. The EPS network introduces two independent layers of security: Access Stratum (AS) security between the terminal and the access network, and Non-Access Stratum (NAS) security between the terminal and the core network. These two layers of security exist independently in parallel and use different security contexts.
However, in the current EPS network, the initial NAS request message sent by a terminal from the idle state is not encrypted, which makes it easily subject to a denial of service (DoS) attack launched by a pseudo network (also called a fake network). When the NAS message is transmitted over the air interface, it is easily intercepted by the pseudo network. The pseudo network can then construct a corresponding NAS reject message carrying a reject cause value, for example "EPS services unavailable". Because the terminal cannot distinguish whether a received NAS reject message without integrity protection was sent by the real network or by the pseudo network, it handles both the same way and performs the action corresponding to the received reject cause value, resulting in a denial of service attack that affects the terminal's normal service use.
For the fifth generation (5G) mobile communication network, 3GPP is currently studying enhanced security mechanisms for 5G networks. If the 5G network still uses the same security protection mechanism as the EPS network above, it will suffer the same DoS attack.
Summary of the invention
The embodiments of the present application provide a network security protection method, device and system, which can improve the security of 5G networks and other future networks.
To achieve the above objective, the embodiments of the present application provide the following technical solutions:
In a first aspect, a network security protection method is provided, the method comprising: a first network device receives a security-protected non-access stratum (NAS) request message from a terminal, where the security-protected NAS request message is obtained by securing an initial NAS request message using a first target security context of the terminal, the message header of the security-protected NAS request message is a first NAS message header, the first NAS message header includes an identifier of the terminal and first security header type information, the first security header type information is used to indicate the type of the first target security context, the first target security context includes a first security context or a second security context, the first security context is a configured security context, the second security context is a security context generated by an authentication procedure, and the security protection includes encryption; the first network device determines the first target security context according to the identifier of the terminal and the first security header type information; the first network device performs security verification on the security-protected NAS request message using the first target security context, where the security verification includes decryption; the first network device, according to the result of the security verification, secures a NAS reject message using a second target security context to obtain a security-protected NAS reject message, where the second target security context includes the first security context or the second security context; and the first network device sends the security-protected NAS reject message to the terminal, where the message header of the security-protected NAS reject message is a second NAS message header, the second NAS message header includes the identifier of the terminal and second security header type information, and the second security header type information is used to indicate the type of the second target security context. Based on this solution, on the one hand, because what the terminal sends to the first network device is a NAS request message obtained by securing the initial NAS request message, a pseudo network cannot verify it and therefore does not construct a corresponding NAS reject message, which avoids part of the DoS attacks. On the other hand, the NAS reject message that the first network device sends in response to the initial NAS request message is a security-protected NAS reject message, so after receiving a NAS reject message the terminal can tell from whether it is security-protected whether it was sent by the real network or by a pseudo network, and act accordingly, for example by discarding an unprotected NAS reject message sent by a pseudo network, which further and more thoroughly prevents the risk of DoS attacks and improves the security of 5G networks and other future networks.
In one possible design, the first network device securing the NAS reject message using the second target security context according to the result of the security verification includes: if the security verification passes and the second security context is not stored in the first network device, the first network device secures the NAS reject message for the initial NAS request message using the first security context; or, if the security verification passes and the second security context is stored in the first network device, the first network device secures the NAS reject message for the initial NAS request message using the second security context; or, if the security verification fails and the second security context is not stored in the first network device, the first network device secures the NAS reject message using the first security context; or, if the security verification fails and the second security context is stored in the first network device, the first network device secures the NAS reject message using the second security context. In other words, in the embodiments of the present application the second security context has higher priority than the first security context: when a second security context exists, the NAS reject message is secured using the second security context; when no second security context exists, it is secured using the first security context.
In one possible design, the first target security context includes the first security context, and the first network device determining the first target security context according to the identifier of the terminal and the first security header type information includes: the first network device determines, according to the identifier of the terminal and the first security header type information, whether the first security context is saved locally; if the first network device determines that the first security context is not saved locally, it sends a first message to a second network device, the first message including the identifier of the terminal and requesting the first security context, and the first network device receives the first security context from the second network device; or, if the first network device determines that the first security context is saved locally, it obtains the first security context locally. Based on this solution, the first network device can determine the first target security context that was used to secure the initial NAS request message, and can then perform security verification on the security-protected NAS request message according to that first target security context.
Optionally, the first message further includes the identifier of the public land mobile network (PLMN) currently serving the terminal, the identifier of the network slice currently serving the terminal, or information about the access technology currently used by the terminal. In this way, when the operator configures multiple security contexts for the terminal on the second network device, the second network device can select the first security context from the terminal's multiple security contexts according to the identifier of the terminal together with the serving PLMN identifier, serving network slice identifier or access technology information carried in the first message.
Optionally, the security protection further includes integrity protection, and the security verification further includes an integrity check.
Optionally, the first network device includes an access and mobility management function (AMF) entity or a session management function (SMF) entity, and the second network device includes a unified data management (UDM) entity or an authentication server function (AUSF) entity.
In a second aspect, a network security protection method is provided, the method comprising: a terminal determines a first target security context of the terminal, where the first target security context includes a first security context or a second security context, the first security context is a configured security context, and the second security context is a security context generated by an authentication procedure; the terminal secures an initial non-access stratum (NAS) request message using the first target security context to obtain a security-protected NAS request message, where the security protection includes encryption; the terminal sends the security-protected NAS request message to a first network device, where the message header of the security-protected NAS request message is a first NAS message header, the first NAS message header includes an identifier of the terminal and first security header type information, and the first security header type information is used to indicate the type of the first target security context; the terminal receives a security-protected NAS reject message from the first network device, where the security-protected NAS reject message is obtained by securing a NAS reject message using a second target security context of the terminal, the message header of the security-protected NAS reject message is a second NAS message header, the second NAS message header includes the identifier of the terminal and second security header type information, the second security header type information is used to indicate the type of the second target security context, and the second target security context includes the first security context or the second security context; the terminal determines the second target security context according to the identifier of the terminal and the second security header type information; and the terminal performs security verification on the security-protected NAS reject message using the second target security context, where the security verification includes decryption. Based on this solution, on the one hand, because what the terminal sends to the first network device is a NAS request message obtained by securing the initial NAS request message, a pseudo network cannot verify it and therefore does not construct a corresponding NAS reject message, which avoids part of the DoS attacks. On the other hand, the NAS reject message that the first network device sends in response to the initial NAS request message is a security-protected NAS reject message, so after receiving a NAS reject message the terminal can tell from whether it is security-protected whether it was sent by the real network or by a pseudo network, and act accordingly, for example by discarding an unprotected NAS reject message sent by a pseudo network, which further and more thoroughly prevents the risk of DoS attacks and improves the security of 5G networks and other future networks.
In one possible design, after the terminal sends the security-protected NAS request message to the first network device, the method further includes: the terminal receives a NAS reject message that does not carry the security protection, and the terminal discards that unprotected NAS reject message. That is, after receiving a NAS reject message, the terminal can tell from whether it is security-protected whether it was sent by the real network or by a pseudo network, and act accordingly, for example by discarding an unprotected NAS reject message sent by a pseudo network, which further and more thoroughly prevents the risk of DoS attacks and improves the security of 5G networks and other future networks.
In one possible design, the terminal determining the first target security context of the terminal includes: if the terminal determines that the second security context is saved locally, the terminal determines the second security context as the first target security context of the terminal; or, if the terminal determines that the second security context is not saved locally, the terminal determines the first security context and determines it as the first target security context of the terminal. That is, in the embodiments of the present application the second security context has higher priority than the first security context: when a second security context exists, the initial NAS request message is secured using the second security context; when no second security context exists, it is secured using the first security context.
In one possible design, the first target security context includes the first security context, and the terminal determining the first security context includes: the terminal reads the first security context configured on the universal subscriber identity module (USIM) card of the terminal; or, the terminal obtains the first security context configured on the terminal itself.
Optionally, the operator may also configure a security context both on the terminal and on the USIM card used by the terminal. In that scenario the terminal normally uses the security context configured on the USIM card, although it may also use the security context configured on the terminal; the embodiments of the present application do not specifically limit this.
In one possible design, the first target security context includes the first security context, and the terminal determining the first security context includes: the terminal selects the first security context from multiple security contexts of the terminal according to the public land mobile network (PLMN) currently serving the terminal, the network slice currently serving the terminal, or the access technology currently used by the terminal, where the multiple security contexts include the first security context and are of the same type as the first security context. In this way, when the operator configures multiple security contexts for the terminal on the terminal, the terminal can select the first security context from among them.
Optionally, the security protection further includes integrity protection, and the security verification further includes an integrity check.
Optionally, the first network device includes an access and mobility management function (AMF) entity or a session management function (SMF) entity.
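The exchange specified in the first and second aspects above, together with the terminal-side behaviour of the modules of FIG. 9, as an added Python model; it is not code from the patent or from 3GPP. The HMAC-SHA256 keystream and tag stand in for the NAS ciphering and integrity algorithms, the `SHT_*` header values, keys, terminal identifier and reject text are constructed for the example, and `CoreNetwork.subscriber_db` is an assumed stand-in for the second network device (UDM/AUSF). Both sides are modelled: the terminal prefers the authentication-generated (second) context, falls back to the configured (first) context selected by serving PLMN, slice and access technology, and discards any reject that arrives without protection; the first network device fetches a configured context it does not hold, verifies the request, and protects the reject with the second context when it holds one and with the first context otherwise.

```python
import hashlib
import hmac
import json
from collections import namedtuple

# Security header type values carried in the cleartext NAS header.
# Constructed for this example; they are not 3GPP code points.
SHT_NONE, SHT_CONFIGURED, SHT_AUTHENTICATED = 0, 1, 2

# sht: SHT_CONFIGURED (first context) or SHT_AUTHENTICATED (second context);
# plmn/nslice/access: selection criteria when several configured contexts exist.
SecurityContext = namedtuple("SecurityContext", "sht key plmn nslice access",
                             defaults=("", "", ""))

def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256; a stand-in for a NAS ciphering algorithm."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def protect(ctx, ue_id, direction, count, body):
    """Encrypt-then-MAC; the cleartext header carries the terminal id and security header type."""
    header = {"ue_id": ue_id, "sht": ctx.sht, "dir": direction, "count": count}
    hdr = json.dumps(header, sort_keys=True).encode()   # unique per direction and count
    ct = bytes(p ^ k for p, k in zip(body, _keystream(ctx.key, hdr, len(body))))
    mac = hmac.new(ctx.key, hdr + ct, hashlib.sha256).hexdigest()
    return {"header": header, "body": ct.hex(), "mac": mac}

def verify(ctx, msg):
    """Integrity check, then decryption. Returns the plaintext, or None if the MAC fails."""
    hdr = json.dumps(msg["header"], sort_keys=True).encode()
    ct = bytes.fromhex(msg["body"])
    expected = hmac.new(ctx.key, hdr + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(ctx.key, hdr, len(ct))))

def unprotected_reject(ue_id, cause):
    """A NAS reject carrying no security protection: header type SHT_NONE and no MAC."""
    return {"header": {"ue_id": ue_id, "sht": SHT_NONE}, "body": cause.hex()}

def select_configured(contexts, serving):
    """Pick the configured (first) context for the serving (PLMN, slice, access technology)."""
    for c in contexts:
        if (c.plmn, c.nslice, c.access) == serving:
            return c
    return None

class Terminal:
    def __init__(self, ue_id, configured, serving):
        self.ue_id, self.serving = ue_id, serving
        self.configured = configured    # first contexts, e.g. read from the USIM
        self.authenticated = None       # second context, present after an authentication run
        self.ul_count, self.discarded = 0, 0
    def first_context(self):
        ctx = select_configured(self.configured, self.serving)
        if ctx is None:
            raise LookupError("no configured security context for this PLMN/slice/access")
        return ctx
    def target_context(self):
        """The authentication-generated context takes priority over the configured one."""
        return self.authenticated or self.first_context()
    def initial_request(self, payload):
        msg = protect(self.target_context(), self.ue_id, "ul", self.ul_count, payload)
        self.ul_count += 1
        return msg
    def handle_reject(self, msg):
        """Drop unprotected rejects; verify the rest under the context the header names."""
        sht = msg["header"].get("sht", SHT_NONE)
        ctx = (self.authenticated if sht == SHT_AUTHENTICATED
               else self.first_context() if sht == SHT_CONFIGURED else None)
        if ctx is None or "mac" not in msg:
            self.discarded += 1
            return None
        return verify(ctx, msg)

class CoreNetwork:
    """First network device (AMF/SMF role); subscriber_db models the UDM/AUSF lookup."""
    def __init__(self, subscriber_db):
        self.subscriber_db = subscriber_db  # ue_id -> configured contexts held by the UDM/AUSF
        self.local = {}                     # (ue_id, sht) -> context held locally
        self.dl_count = {}                  # per-terminal downlink counter (nonce freshness)
    def locate(self, ue_id, sht, serving):
        ctx = self.local.get((ue_id, sht))
        if ctx is None and sht == SHT_CONFIGURED:
            # Not held locally: fetch from the second network device by terminal id + serving info.
            ctx = select_configured(self.subscriber_db.get(ue_id, []), serving)
            if ctx is not None:
                self.local[(ue_id, sht)] = ctx
        return ctx
    def handle_request(self, msg, serving, cause):
        uid = msg["header"]["ue_id"]
        ctx = self.locate(uid, msg["header"]["sht"], serving)
        ok = ctx is not None and verify(ctx, msg) is not None
        # Whatever the verification result, the reject is protected: with the second
        # context if one is stored for this terminal, otherwise with the first.
        reply_ctx = (self.local.get((uid, SHT_AUTHENTICATED))
                     or self.local.get((uid, SHT_CONFIGURED)))
        if reply_ctx is None:
            raise LookupError("no security context stored for " + uid)
        self.dl_count[uid] = count = self.dl_count.get(uid, 0) + 1
        body = b"REJECT verified=" + str(ok).encode() + b" cause=" + cause
        return protect(reply_ctx, uid, "dl", count, body)
```

Building a `Terminal` and a `CoreNetwork` over the same constructed contexts and passing `initial_request()` to `handle_request()`, then its result to `handle_reject()`, walks the whole exchange. The decisive check sits in `handle_reject`: a message whose header type is `SHT_NONE`, or which carries no MAC, is counted in `discarded` and returns `None` before any cause value could be acted on, and a message whose MAC fails verification also returns `None`.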
In a third aspect, a first network device is provided, which has the functionality to implement the method of the first aspect. This functionality may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
In a fourth aspect, a first network device is provided, including a processor, a memory, a bus and a communication interface; the memory is configured to store computer-executable instructions, the processor is connected to the memory through the bus, and when the first network device runs, the processor executes the computer-executable instructions stored in the memory so that the first network device performs the network security protection method of any one of the first aspect.
In a fifth aspect, the embodiments of the present application provide a computer readable storage medium storing instructions which, when run on a computer, cause the computer to perform the network security protection method of any one of the first aspect.
In a sixth aspect, the embodiments of the present application provide a computer program product containing instructions which, when run on a computer, cause the computer to perform the network security protection method of any one of the first aspect.
For the technical effects of any of the designs in the third to sixth aspects, refer to the technical effects of the corresponding designs in the first aspect; they are not described again here.
In a seventh aspect, a terminal is provided, which has the functionality to implement the method of the second aspect. This functionality may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
In an eighth aspect, a terminal is provided, including a processor, a memory, a bus and a communication interface; the memory is configured to store computer-executable instructions, the processor is connected to the memory through the bus, and when the terminal runs, the processor executes the computer-executable instructions stored in the memory so that the terminal performs the network security protection method of any one of the second aspect.
第九方面,本申请实施例提供了一种计算机可读存储介质,该计算机可读存储介质中存储有指令,当其在计算机上运行时,使得计算机可以执行上述第二方面中任意一项的网络安全保护方法。In a ninth aspect, the embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium stores instructions that, when run on a computer, enable the computer to perform any of the foregoing second aspects. Network security protection method.
第十方面,本申请实施例提供了一种包含指令的计算机程序产品,当其在计算机上运行时,使得计算机可以执行上述第二方面中任意一项的网络安全保护方法。In a tenth aspect, the embodiment of the present application provides a computer program product comprising instructions, which when executed on a computer, enable the computer to perform the network security protection method of any one of the foregoing second aspects.
其中,第七方面至第十方面中任一种设计方式所带来的技术效果可参见第二方面中不同设计方式所带来的技术效果,此处不再赘述。For the technical effects brought by any one of the seventh aspect to the tenth aspect, refer to the technical effects brought by different design modes in the second aspect, and details are not described herein again.
第十一方面,本申请实施例提供一种网络安全保护系统,该网络安全保护系统包括上述任一方面所述的终端和上述任一方面所述的第一网络设备。In an eleventh aspect, the embodiment of the present application provides a network security protection system, where the network security protection system includes the terminal in any of the foregoing aspects, and the first network device in any of the foregoing aspects.
本申请的这些方面或其他方面在以下实施例的描述中会更加简明易懂。These and other aspects of the present application will be more readily apparent from the following description of the embodiments.
DRAWINGS
FIG. 1 is a schematic architecture diagram of a network security protection system according to an embodiment of this application;
FIG. 2 is a schematic diagram of a 5G network architecture according to an embodiment of this application;
FIG. 3 is a schematic diagram of the general hardware architecture of a mobile phone according to an embodiment of this application;
FIG. 4 is a schematic diagram of a computer device according to an embodiment of this application;
FIG. 5 is a first schematic flowchart of a network security protection method according to an embodiment of this application;
FIG. 6 is a second schematic flowchart of a network security protection method according to an embodiment of this application;
FIG. 7 is a first schematic structural diagram of a first network device according to an embodiment of this application;
FIG. 8 is a second schematic structural diagram of a first network device according to an embodiment of this application;
FIG. 9 is a first schematic structural diagram of a terminal according to an embodiment of this application;
FIG. 10 is a second schematic structural diagram of a terminal according to an embodiment of this application.
DETAILED DESCRIPTION
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings. In the description of this application, unless stated otherwise, "/" means "or"; for example, A/B may mean A or B. "And/or" merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean that only A exists, that both A and B exist, or that only B exists. Unless stated otherwise, "a plurality of" means two or more. In addition, to describe the technical solutions clearly, the words "first", "second" and so on are used in the embodiments to distinguish items that are the same or similar in function and purpose; those skilled in the art will understand that these words limit neither quantity nor order of execution. For example, the "first" in "first security context" and the "second" in "second security context" merely distinguish different security contexts.
The network architecture and service scenarios described in the embodiments are given to illustrate the technical solutions more clearly and do not limit them; those of ordinary skill in the art will know that, as network architectures evolve and new service scenarios appear, the technical solutions provided in the embodiments apply equally to similar technical problems.
FIG. 1 is a schematic architecture diagram of a network security protection system 10 according to an embodiment of this application. The network security protection system 10 includes a first network device 101 and a terminal 102.
The terminal 102 is configured to: determine a first target security context of the terminal 102, where the first target security context is the first security context or the second security context, the first security context being a configured security context and the second security context being a security context generated by an authentication procedure; apply security protection to a NAS request message using the first target security context to obtain a security-protected NAS request message, the security protection including encryption; and send the security-protected NAS request message to the first network device, where the header of the security-protected NAS request message is a first NAS message header that includes the identifier of the terminal 102 and first security header type information, the first security header type information indicating the type of the first target security context.
The first network device 101 is configured to: receive the security-protected NAS request message from the terminal 102; determine the first target security context according to the identifier of the terminal 102 and the first security header type information; perform security verification on the security-protected NAS request message using the first target security context, the security verification including decryption; according to the result of the security verification, apply security protection to a NAS reject message using a second target security context to obtain a security-protected NAS reject message, where the second target security context is the first security context or the second security context; and send the security-protected NAS reject message to the terminal 102, where the header of the security-protected NAS reject message is a second NAS message header that includes the identifier of the terminal 102 and second security header type information, the second security header type information indicating the type of the second target security context.
The terminal 102 is further configured to: receive the security-protected NAS reject message from the first network device; determine the second target security context according to the identifier of the terminal 102 and the second security header type information; and perform security verification on the security-protected NAS reject message using the second target security context, the security verification including decryption.
Note that the first network device 101 and the terminal 102 in FIG. 1 may communicate directly or through forwarding by other network devices; this is not limited in this embodiment.
Specifically, the network security protection system 10 may be applied to 5G networks and to other future networks; this is not limited in this embodiment.
If the network security protection system 10 is applied to a 5G network, then as shown in FIG. 2 the first network device 101 may specifically be an access and mobility management function (AMF) entity or a session management function (SMF) entity of the 5G network, and the terminal 102 may specifically be a terminal of the 5G network. For the main functions of the AMF entity, refer to the description of the first network device 101 above; for the main functions of the terminal, refer to the description of the terminal 102 above. They are not repeated here.
In addition, as shown in FIG. 2, the 5G network may further include an access network (AN) device, a unified data management (UDM) entity and an authentication server function (AUSF) entity. The terminal communicates with the AMF entity through next-generation (N) interface 1 (N1), the AN device communicates with the AMF entity through N interface 2 (N2), the AMF entity communicates with the UPF entity through N interface 11 (N11), the AMF entity communicates with the UDM entity through N interface 8 (N8), and the AMF entity communicates with the AUSF entity through N interface 12 (N12). (In the 3GPP 5G system architecture of TS 23.501, N11 is the reference point between the AMF and the SMF; the UPF is controlled by the SMF over N4 and has no direct reference point to the AMF.)
The terminal accesses the 5G network through the AN device. The AUSF entity or the UDM entity stores the security context that the operator configured for the terminal, that is, the first security context in the embodiments below.
Although not shown, the 5G network may further include a user plane function (UPF) entity, a policy control function (PCF) entity and so on; this is not limited in this embodiment.
Note that "terminal", "RAN access point", "AMF entity", "SMF entity", "AUSF entity" and "UDM entity" in the 5G network above are only names, and the names do not limit the devices themselves. In 5G networks and other future networks, the network elements or entities corresponding to the terminal, RAN access point, AMF entity, SMF entity, AUSF entity and UDM entity may have other names; this is not limited in this embodiment. For example, the UDM entity may be replaced by a home subscriber server (HSS), a user subscription database (USD), a database entity, and so on. This explanation applies throughout and is not repeated below.
The terminal referred to in this application may include handheld devices with wireless communication capability, in-vehicle devices, wearable devices, computing devices or other processing devices connected to a wireless modem, as well as terminals of various forms: a mobile station (MS), user equipment (UE), terminal equipment, a soft terminal, and so on. For convenience, the devices mentioned above are collectively called terminals in this application.
In addition, the first network device 101 in FIG. 1 may be implemented by one physical device, jointly by several physical devices, or as a logical functional module inside one physical device; this is not limited in this embodiment.
As shown in FIG. 3, the first network device 101 and the terminal 102 in FIG. 1 may be implemented by the communication device in FIG. 3.
FIG. 3 is a schematic diagram of the hardware structure of a communication device according to an embodiment of this application. The communication device 300 includes at least one processor 301, a communication bus 302, a memory 303 and at least one communication interface 304.
The processor 301 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits that control execution of the program of this application.
The communication bus 302 may include a path that carries information between the components above.
The communication interface 304 is any transceiver-type device used to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN) or a wireless local area network (WLAN).
The memory 303 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and so on), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through the bus, or it may be integrated with the processor.
The memory 303 stores the application code that executes the solution of this application, and the processor 301 controls its execution. The processor 301 executes the application code stored in the memory 303 to implement the network security protection method provided in the embodiments below.
In a specific implementation, as an embodiment, the processor 301 may include one or more CPUs, for example CPU0 and CPU1 in FIG. 3.
In a specific implementation, as an embodiment, the communication device 300 may include a plurality of processors, for example the processor 301 and the processor 308 in FIG. 3. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example, computer program instructions).
In a specific implementation, as an embodiment, the communication device 300 may further include an output device 305 and an input device 306. The output device 305 communicates with the processor 301 and may display information in various ways; for example, it may be a liquid crystal display (LCD), a light-emitting diode (LED) display device, a cathode ray tube (CRT) display device or a projector. The input device 306 communicates with the processor 301 and may accept user input in various ways; for example, it may be a mouse, a keyboard, a touchscreen device or a sensing device.
The communication device 300 may be a general-purpose computer device or a special-purpose computer device. In a specific implementation, the communication device 300 may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet, a terminal device, an embedded device or a device with a structure similar to that in FIG. 3. This embodiment does not limit the type of the communication device 300.
The network security protection method provided in the embodiments of this application is described in detail below with reference to FIG. 1 to FIG. 3.
First, with reference to the network security protection system 10 in FIG. 1, the flow of the network security protection method provided in an embodiment of this application is shown in FIG. 4 and includes the following steps:
S401. The terminal determines a first target security context of the terminal, where the first target security context is the first security context or the second security context. The first security context is a configured security context, and the second security context is a security context generated by an authentication procedure.
In the embodiments of this application, the first target security context is the security context the terminal uses to protect the initial NAS request message it sends to the first network device. This explanation applies throughout and is not repeated below.
S402. The terminal applies security protection to the initial NAS request message using the first target security context to obtain a security-protected NAS request message; the security protection includes encryption.
S403. The terminal sends the security-protected NAS request message to the first network device, so that the first network device receives the security-protected NAS request message from the terminal.
The header of the security-protected NAS request message is a first NAS message header, which includes the identifier of the terminal and first security header type information; the first security header type information indicates the type of the first target security context.
S404. The first network device determines the first target security context according to the identifier of the terminal and the first security header type information.
S405. The first network device performs security verification on the security-protected NAS request message using the first target security context; the security verification includes decryption.
S406. The first network device applies security protection to a NAS reject message using a second target security context to obtain a security-protected NAS reject message; the security protection includes encryption. The second target security context is the first security context or the second security context.
In the embodiments of this application, the second target security context is the security context the first network device uses to protect the NAS reject message it sends to the terminal. This explanation applies throughout and is not repeated below.
S407. The first network device sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the first network device.
The header of the security-protected NAS reject message is a second NAS message header, which includes the identifier of the terminal and second security header type information; the second security header type information indicates the type of the second target security context.
S408. The terminal determines the second target security context according to the identifier of the terminal and the second security header type information.
S409. The terminal performs security verification on the security-protected NAS reject message using the second target security context; the security verification includes decryption.
The specific implementation of steps S401 to S409 is described in detail in the embodiments shown in FIG. 5 and FIG. 6.
Optionally, after the terminal sends the security-protected NAS request message to the first network device, the method may further include: the terminal receives a NAS reject message that carries no security protection, and the terminal discards that NAS reject message.
Because in the embodiments of this application a NAS reject message from the genuine network is always security-protected, a NAS reject message that arrives without security protection can be taken as coming from a false network, and the terminal can discard it directly.
With the network security protection method provided in the embodiments of this application, on the one hand, because what the terminal sends to the first network device is the initial NAS request message with security protection applied, a false network cannot verify it and therefore cannot construct a corresponding NAS reject message, which blocks one class of denial-of-service (DoS) attacks. On the other hand, the NAS reject message that the first network device returns in answer to the initial NAS request message is itself security-protected, so when the terminal receives a NAS reject message it can tell from the presence or absence of security protection whether it came from the genuine network or from a false network and act accordingly, for example by discarding an unprotected NAS reject message sent by a false network. This closes the remaining DoS exposure and improves the security of 5G networks and other future networks.
The actions of the terminal in S401, S402, S403, S408 and S409 above may be performed by the processor 301 of the communication device 300 in FIG. 3 invoking the application code stored in the memory 303; this embodiment imposes no limitation on this.
The actions of the first network device in S404, S405, S406 and S407 above may be performed by the processor 301 of the communication device 300 in FIG. 3 invoking the application code stored in the memory 303; this embodiment imposes no limitation on this.
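The exchange of steps S401 to S409, together with the rule that an unprotected NAS reject message is discarded, as an added illustrative simulation that is not part of the patent and not code from any 3GPP implementation. It assumes a 9-byte NAS message header (an 8-byte terminal identifier followed by a one-byte security header type with the values 0, 1 and 2 for "no protection", "configured context" and "authenticated context"), an HMAC-SHA256 key derivation from the root key, and a toy HMAC-SHA256 counter keystream plus HMAC tag standing in for the NAS ciphering and integrity algorithms the page does not name; the terminal identifier, root key and message texts are constructed samples.

```python
import hashlib
import hmac
import struct

# Security header type values (assumed encoding; the page only says the header
# indicates the type of the target security context).
SHT_PLAIN = 0          # no security protection
SHT_CONFIGURED = 1     # operator-configured (first) security context
SHT_AUTHENTICATED = 2  # context produced by an authentication procedure
HEADER_FMT = ">8sB"    # 8-byte terminal identifier + 1-byte security header type
HDR_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 32


class SecurityContext:
    def __init__(self, ctx_type, root_key):
        self.ctx_type = ctx_type
        # NAS ciphering/integrity keys derived from the root key (assumed KDF)
        self.k_enc = hmac.new(root_key, b"nas-enc", hashlib.sha256).digest()
        self.k_int = hmac.new(root_key, b"nas-int", hashlib.sha256).digest()

    def _keystream(self, header, length):
        # HMAC counter keystream standing in for the NAS ciphering algorithm
        blocks = [hmac.new(self.k_enc, header + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(length // 32 + 1)]
        return b"".join(blocks)[:length]

    def protect(self, terminal_id, plaintext):
        """Return header || ciphertext || integrity tag (encryption + integrity)."""
        header = struct.pack(HEADER_FMT, terminal_id, self.ctx_type)
        body = bytes(a ^ b for a, b in zip(plaintext, self._keystream(header, len(plaintext))))
        tag = hmac.new(self.k_int, header + body, hashlib.sha256).digest()
        return header + body + tag

    def verify(self, message):
        """Integrity check, then decryption; None when the check fails."""
        header, body, tag = message[:HDR_LEN], message[HDR_LEN:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.k_int, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return bytes(a ^ b for a, b in zip(body, self._keystream(header, len(body))))


def parse_header(message):
    """(terminal identifier, security header type) from the NAS message header."""
    return struct.unpack(HEADER_FMT, message[:HDR_LEN])


class AMF:
    """Network side: provisioned contexts keyed by (terminal id, context type)."""

    def __init__(self):
        self.contexts = {}

    def provision(self, terminal_id, ctx):
        self.contexts[(terminal_id, ctx.ctx_type)] = ctx

    def handle_request(self, message):
        """S404-S407: select the context from id + header type, verify, and reply
        with a reject protected by that context (every request is rejected here
        so that the reject path is exercised)."""
        terminal_id, sht = parse_header(message)
        ctx = self.contexts.get((terminal_id, sht))
        if ctx is None:
            return None  # unknown terminal or context type: drop
        cause = b"REJECT:verified" if ctx.verify(message) is not None else b"REJECT:bad-mac"
        return ctx.protect(terminal_id, cause)


class Terminal:
    def __init__(self, terminal_id, configured_ctx):
        self.terminal_id = terminal_id
        self.configured_ctx = configured_ctx  # first security context
        self.authenticated_ctx = None         # second security context, once authenticated

    def first_target_context(self):
        """S401: assumed preference for the authenticated context when one exists."""
        return self.authenticated_ctx or self.configured_ctx

    def protect_request(self, nas_request):
        """S402: security-protect the initial NAS request message."""
        return self.first_target_context().protect(self.terminal_id, nas_request)

    def handle_reject(self, message):
        """S408-S409 plus the discard rule: an unprotected reject, or one not
        addressed to this terminal, is dropped as a false-network message."""
        terminal_id, sht = parse_header(message)
        if sht == SHT_PLAIN or terminal_id != self.terminal_id:
            return None
        ctx = {SHT_CONFIGURED: self.configured_ctx,
               SHT_AUTHENTICATED: self.authenticated_ctx}.get(sht)
        return None if ctx is None else ctx.verify(message)


def run_exchange():
    """Genuine request/reject round trip, then a forged plaintext reject."""
    tid, root = b"IMSI0001", b"constructed-operator-root-key"  # constructed samples
    ue = Terminal(tid, SecurityContext(SHT_CONFIGURED, root))
    amf = AMF()
    amf.provision(tid, SecurityContext(SHT_CONFIGURED, root))
    genuine = ue.handle_reject(amf.handle_request(ue.protect_request(b"REGISTRATION REQUEST")))
    # A false network cannot verify the ciphered request; all it can send is an
    # unprotected reject, which the terminal discards.
    forged = struct.pack(HEADER_FMT, tid, SHT_PLAIN) + b"REJECT:forged"
    return genuine, ue.handle_reject(forged)
```

Calling `run_exchange()` returns the decrypted genuine reject and `None` for the forged one. The integrity tag covers the header, so an attacker cannot flip the security header type to make the AMF pick a different context without the tag failing; the AMF still answers a tampered request with a protected reject, which is exactly the point of S406: the terminal learns the outcome only through a message it can verify.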
Next, taking as an example the case in which the network security protection system 10 of FIG. 1 is applied to the 5G network of FIG. 2 and the first network device is an AMF entity, the network security protection method of FIG. 4 is described in more detail.
FIG. 5 is a schematic flowchart of a network security protection method according to an embodiment of this application. The method involves interaction among the terminal, the AMF entity and the UDM entity, and includes the following steps:
S500. The operator configures the same security context for the terminal both on the terminal or on the universal subscriber identity module (USIM) card the terminal uses, and on the network side.
Configuring the security context on the USIM card the terminal uses is more common than configuring it on the terminal itself, because the USIM card is issued by the operator. Configuring the security context on the terminal usually applies to terminals that are under subscription with the operator. This explanation applies throughout and is not repeated below.
Optionally, when the operator configures the security context for the terminal on the network side, it may be configured on the UDM entity, on the AUSF entity, or on another network node on the network side; this is not limited in this embodiment.
Optionally, when the operator configures the security context for the terminal on the terminal itself, it may be placed in the terminal's non-volatile memory or in other memory of the terminal; this is not limited in this embodiment.
Optionally, the operator may also configure the security context on both the terminal and the USIM card the terminal uses. In that case the terminal normally uses the security context configured on the USIM card, although it may also use the one configured on the terminal; this is not limited in this embodiment.
Optionally, in the embodiments of this application, the security context configured by the operator may be called a default security context, an initial security context, a subscribed security context, and so on; this is not limited in this embodiment.
Optionally, in the embodiments of this application, the security context configured by the operator includes at least the following parameters: a security protection key and a security protection algorithm. The security protection key may be a root key or a directly usable NAS security key; this is not limited in this embodiment. The security protection algorithm includes an encryption algorithm and may optionally also include an integrity protection algorithm; the specific algorithm types are not limited. If the security protection key in the security context is a NAS security key, the terminal and the AMF entity can encrypt NAS messages with that NAS security key and the encryption algorithm directly. If it is a root key, the terminal and the AMF entity must first derive the corresponding NAS security key from the root key with a key derivation algorithm and then encrypt NAS messages with the derived NAS security key and the encryption algorithm, and both sides must use the same key derivation algorithm. For specific key derivation algorithms, refer to existing specifications; they are not described here.
Optionally, in the embodiments of this application, the operator may, in combination with a preset policy, configure one or more security contexts for the terminal according to the different public land mobile networks (PLMNs) serving the terminal, the different network slices serving the terminal, or the different access technologies the terminal uses. For example, different or identical security contexts may be configured for different visited public land mobile networks (VPLMNs) that provide roaming service; different or identical security contexts may be configured for different network slices; or different or identical security contexts may be configured for 3GPP radio access, non-3GPP radio access and fixed network access. This is not limited in this embodiment.
S501. The terminal determines whether a second security context is stored locally. The second security context is a security context generated by an authentication procedure.
The second security context in step S501 is the security context generated by the authentication procedure initiated in the procedure triggered the last time the terminal sent an initial NAS request message from idle state.
If the terminal determines that no second security context is stored locally, it continues with steps S502 to S510 below.
S502. The terminal determines a first security context of the terminal and takes the first security context as the terminal's first target security context. The first security context is a configured security context.
Optionally, if the operator has configured the security context for the terminal on its USIM card, determining the first security context may comprise the terminal reading the first security context configured on the USIM card.
Optionally, if the operator has configured the security context on the terminal itself, determining the first security context may comprise the terminal obtaining the first security context configured on the terminal.
Optionally, if the operator has configured a security context both on the USIM card and on the terminal, determining the first security context may comprise the terminal reading the first security context configured on the USIM card.
Optionally, when the operator has configured multiple security contexts for the terminal, determining the first security context comprises: the terminal selects the first security context from its multiple security contexts according to the PLMN currently serving the terminal, the network slice currently serving the terminal, or the access technology the terminal currently uses; the multiple security contexts include the first security context.
It should be noted that step S501 is optional; the terminal may also perform step S502 directly, i.e. determine its first security context and take it as its first target security context. The embodiments of the present application do not specifically limit this.
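The following is an added example illustrating steps S501/S502 together with the context parameters described above (root key or directly usable NAS key, and selection among several configured contexts by serving PLMN, slice or access technology). It is not code from the patent. The patent leaves the key derivation algorithm to the prior art, so HMAC-SHA256 with a fixed label stands in for it here; the context names, the "most specific selector wins" policy and the sample keys are constructed for this example.

```python
"""Choosing the terminal's target NAS security context (steps S501/S502).

Added example, not the patent's code. The key derivation function, the
selection policy and all sample keys below are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

NAS_KEY_LEN = 32  # bytes; assumed size for this example


@dataclass(frozen=True)
class SecurityContext:
    name: str
    key: bytes
    key_is_root: bool               # True: root key, derive K_NAS; False: usable NAS key
    ciphering_alg: str
    integrity_alg: Optional[str] = None   # integrity protection is optional on the page
    # Selectors: None means "applies to any" PLMN / slice / access technology
    plmn: Optional[str] = None
    slice_id: Optional[str] = None
    access_tech: Optional[str] = None

    def nas_key(self) -> bytes:
        """Return the NAS security key, deriving it from the root key if needed.
        Terminal and AMF must run the identical derivation (assumed KDF here)."""
        if not self.key_is_root:
            return self.key
        label = b"NAS-key|" + self.ciphering_alg.encode()
        return hmac.new(self.key, label, hashlib.sha256).digest()[:NAS_KEY_LEN]


def select_configured_context(contexts, plmn, slice_id, access_tech):
    """Pick the first (configured) security context for the current serving
    PLMN / slice / access technology. A context whose selector does not match
    is unusable; among usable ones the most specific wins; a context with all
    selectors None is the catch-all default."""
    def score(ctx):
        s = 0
        for want, have in ((plmn, ctx.plmn), (slice_id, ctx.slice_id),
                           (access_tech, ctx.access_tech)):
            if have is None:
                continue
            if have != want:
                return -1
            s += 1
        return s

    best, best_score = None, -1
    for ctx in contexts:
        sc = score(ctx)
        if sc > best_score:
            best, best_score = ctx, sc
    if best is None:
        raise LookupError("no configured security context for this PLMN/slice/access")
    return best


def choose_target_context(second_ctx, configured, plmn, slice_id, access_tech):
    """S501/S502: the authentication-generated (second) context has priority;
    only when none is saved locally does the terminal fall back to the
    configured (first) context selected for the serving network."""
    if second_ctx is not None:
        return second_ctx
    return select_configured_context(configured, plmn, slice_id, access_tech)


# Constructed sample provisioning (as it might sit on a USIM): a catch-all
# default, one per-VPLMN context, and one per-slice context with a directly
# usable NAS key. Algorithm names are placeholders.
CONFIGURED = [
    SecurityContext("default", b"\x11" * 32, True, "ENC-A", "INT-A"),
    SecurityContext("roaming-46001", b"\x22" * 32, True, "ENC-B", "INT-B", plmn="46001"),
    SecurityContext("slice-urllc", b"\x33" * 32, False, "ENC-B", None, slice_id="urllc-1"),
]

if __name__ == "__main__":
    ctx = choose_target_context(None, CONFIGURED, "46001", "embb-1", "3gpp")
    print(ctx.name, ctx.nas_key().hex())
```

The selection mirrors the page's S501/S502 ordering: a saved authentication context is always preferred, and the configured context is chosen only as a fallback and only after matching it to the serving PLMN, slice or access technology.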
S503. The terminal security-protects the initial NAS request message using the first security context to obtain a security-protected NAS request message; the security protection includes encryption.
The initial NAS request message in the embodiments of the present application is a NAS request message that the terminal sends from idle state, for example an ATTACH REQUEST message, a TRACKING AREA UPDATE REQUEST message or a SERVICE REQUEST message in a fourth-generation (4G) mobile communication system, or a REGISTRATION REQUEST message in a 5G mobile communication system; this is not limited. This explanation applies throughout and is not repeated below.
Optionally, the security protection in the embodiments of the present application may further include integrity protection; this is stated once here and not repeated below. If integrity protection is included, then after the terminal encrypts the initial NAS request message with the NAS security key and the encryption algorithm, it also integrity-protects the encrypted NAS request message with the NAS security key and the integrity protection algorithm, generating a message authentication code (MAC) over the encrypted message; this is not specifically limited.
S504. The terminal sends the security-protected NAS request message to the AMF entity, so that the AMF entity receives the security-protected NAS request message from the terminal.
The message header of the security-protected NAS request message is a first NAS message header, which includes the terminal's identifier and first security header type information; the first security header type information indicates the type of the first security context.
Optionally, in the embodiments of the present application, the terminal identifier and the first security header type information in the first NAS message header may be sent without security protection, since the AMF needs both to locate the security context before it can decrypt the rest of the message.
Optionally, the terminal identifier in the embodiments of the present application may be a complete permanent terminal identity, such as an International Mobile Subscriber Identity (IMSI); a partial permanent identity, such as part of the IMSI; or a security-protected terminal identity, such as IMSI information protected by a hash algorithm. The specific content of the terminal identifier is not specifically limited.
Optionally, the first security header type information may be "Integrity protected and ciphered with default security context" or "Ciphered with default security context". The terminal and the AMF agree that if use of the first security context is not indicated, the second security context is used by default.
By way of example, the format of the security-protected NAS request message containing the first NAS message header is shown in Table 1. Bytes 1 to (n+5) are allocated to the first NAS message header and the remaining bytes to the security-protected NAS request message. If the security protection consists only of encryption without integrity protection, the first NAS message header contains no message authentication code and no sequence number; if it includes both encryption and integrity protection, the header contains a message authentication code and a sequence number. Note that in the example of Table 1 the number of bytes occupied by the terminal identifier is variable and depends on the length of the identifier used; for example, a complete IMSI occupies 8 bytes.
Table 1: format of the security-protected NAS request message with the first NAS message header (present in the original as image PCTCN2018084025-appb-000001, not reproduced here).
After the AMF entity receives the security-protected NAS request message from the terminal, it can determine the first security context from the terminal identifier and the first security header type information in the first NAS message header, as shown in steps S505 to S514 below.
S505. The AMF entity determines the first security context according to the terminal identifier and the first security header type information.
Optionally, the AMF entity determining the first security context according to the terminal identifier and the first security header type information may specifically comprise the following.
The AMF entity determines, according to the terminal identifier and the first security header type information, whether the first security context is stored locally.
If the first security context is stored locally, the AMF entity obtains it locally. If it is not, the AMF entity sends a first message to the UDM entity, so that the UDM entity receives the first message; the first message includes the terminal identifier and requests the first security context. The UDM entity then determines, according to the terminal identifier carried in the first message, the first security context configured for that terminal, and sends a second message to the AMF entity, so that the AMF entity receives the second message; the second message includes the first security context and the terminal identifier.
Optionally, in the embodiments of the present application the first message may be a first security context acquisition request and the second message a first security context acquisition response.
Optionally, the first message in the embodiments of the present application may further include the identifier of the PLMN currently serving the terminal, the identifier of the network slice currently serving the terminal, or information about the access technology the terminal currently uses. In this way, when the operator has configured multiple security contexts for the terminal on the UDM entity, the UDM entity can select the first security context from the terminal's multiple security contexts according to the terminal identifier together with the serving PLMN identifier, serving slice identifier or access technology information carried in the first message; the multiple security contexts include the first security context.
Optionally, after receiving the second message, the AMF entity may store the first security context carried in it.
The above embodiment is described taking as an example the operator configuring the security context for the terminal on the UDM entity. Of course, the operator may also configure it on other network-side devices, for example on the AUSF entity. In that case the first security context is obtained from the other device in the same way as from the UDM entity described above, simply substituting that device for the UDM entity; this is not described again.
S506. The AMF entity uses the first security context to perform security verification on the security-protected NAS request message; the security verification includes decryption.
Optionally, if the security protection includes integrity protection, the security verification also includes an integrity check; this is stated once here and not repeated below.
The AMF entity may then, according to the result of the security verification, determine a second target security context and perform the subsequent operations, as shown in steps S507a-S510a, S507b-S510b, S507c-S510c and S507d-S510d below. The second target security context is either the first security context or the second security context.
S507a. If the security verification passes and the AMF entity has a second security context stored, the AMF entity security-protects the NAS reject message for the initial NAS request message using the second security context, obtaining a security-protected NAS reject message.
The second security context in step S507a may be the one generated by the authentication procedure initiated in the procedure triggered the last time the terminal sent an initial NAS message from idle state (that is, the network side decides not to initiate an authentication procedure in the current procedure), or it may be the one generated by an authentication procedure initiated in the current procedure; the embodiments of the present application do not specifically limit this. In the current procedure, the AMF entity may initiate an authentication procedure to generate a new security context and only then reject the initial NAS request message, in which case the AMF entity holds the new security context generated by that authentication procedure.
If the security protection includes only encryption, "security verification passes" in the embodiments of the present application means that decryption succeeds; if it includes encryption and integrity protection, it means that decryption succeeds and the integrity check passes. Note that a cipher alone does not detect a wrong key or a modified message, so without integrity protection "decryption succeeds" can only mean that the decrypted payload parses as a well-formed NAS message. This is stated once here and not repeated below.
For the specific implementation of the AMF entity security-protecting the NAS reject message with the second security context, refer to the terminal's security protection of the initial NAS request message with the first security context in step S503; it is not repeated here.
S508a. The AMF entity sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the AMF entity.
The message header of the security-protected NAS reject message is a second NAS message header, which includes the terminal identifier and second security header type information; the second security header type information indicates the type of the second security context.
Optionally, the second security header type information in step S508a may be "Integrity protected and ciphered" or "Ciphered". The terminal and the AMF agree that if use of the first security context is not indicated, the second security context is used by default.
By way of example, the format of the security-protected NAS reject message containing the second NAS message header is shown in Table 2. Bytes 1 to (n+5) are allocated to the second NAS message header and the remaining bytes to the security-protected NAS reject message. If the security protection consists only of encryption without integrity protection, the second NAS message header contains no message authentication code and no sequence number; if it includes both encryption and integrity protection, the header contains a message authentication code and a sequence number. Note that in the example of Table 2 the number of bytes occupied by the terminal identifier is variable and depends on the length of the identifier used; for example, a complete IMSI occupies 8 bytes.
Table 2: format of the security-protected NAS reject message with the second NAS message header (present in the original as image PCTCN2018084025-appb-000002, not reproduced here).
S509a. The terminal determines the second security context according to the terminal identifier and the second security header type information.
The second security context in step S509a and the second security context in step S507a are generated by the same authentication procedure. That is, if the second security context in step S507a was generated by the authentication procedure initiated in the procedure triggered the last time the terminal sent an initial NAS message from idle state, so was the second security context in step S509a; if the second security context in step S507a was generated by an authentication procedure initiated in the current procedure, so was the second security context in step S509a.
S510a. The terminal uses the second security context to perform security verification on the security-protected NAS reject message; the security verification includes decryption.
Optionally, the security-protected NAS reject message in steps S507a-S510a may also carry the cause for rejecting the initial NAS request message. If the terminal's security verification passes, the terminal may perform a corresponding action according to the reject cause, for example adding the current location area to a forbidden list and attempting to select a suitable cell in another location area; the embodiments of the present application do not specifically limit the action. If the terminal's security verification fails, the terminal may simply discard the security-protected NAS reject message.
Optionally, if the terminal receives a NAS reject message that is not security-protected, the terminal discards it, so that a reject injected by a party without the security context cannot trigger actions such as barring the current location area.
S507b. If the security verification passes and the AMF entity has no second security context stored, the AMF entity security-protects the NAS reject message for the initial NAS request message using the first security context, obtaining a security-protected NAS reject message.
The AMF entity has no second security context stored when it has not kept the security context generated by the authentication procedure of the previous procedure triggered by an initial NAS message from idle state, or that security context has become invalid or illegitimate, and in the current procedure the AMF entity rejects the initial NAS request message before initiating a new authentication procedure.
The first security context may be one stored in the AMF or one obtained in the manner of step S505; the embodiments of the present application do not specifically limit this.
For the specific implementation of the AMF entity security-protecting the NAS reject message with the first security context, refer to the terminal's security protection of the initial NAS request message with the first security context in step S503; it is not repeated here.
In other words, in the embodiments of the present application the second security context has higher priority than the first security context: when a second security context exists, it is used to security-protect the initial NAS request message or the NAS reject message; when no second security context exists, the first security context is used to security-protect the initial NAS request message or the NAS reject message. This is stated once here and not repeated below.
S508b. The AMF entity sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the AMF entity.
The message header of the security-protected NAS reject message is a second NAS message header, which includes the terminal identifier and second security header type information; here the second security header type information indicates the type of the first security context.
Optionally, the second security header type information in step S508b may be "Integrity protected and ciphered with default security context" or "Ciphered with default security context". The terminal and the AMF agree that if use of the first security context is not indicated, the second security context is used by default.
The format of the security-protected NAS reject message containing the second NAS message header is as shown in Table 2 and is not repeated here.
S509b. The terminal determines the first security context according to the terminal identifier and the second security header type information.
S510b. The terminal uses the first security context to perform security verification on the security-protected NAS reject message; the security verification includes decryption.
Optionally, the security-protected NAS reject message in steps S507b-S510b may also carry the cause for rejecting the initial NAS request message. If the terminal's security verification passes, the terminal may perform a corresponding action according to the reject cause, for example adding the current location area to a forbidden list and attempting to select a suitable cell in another location area; the embodiments of the present application do not specifically limit the action. If the terminal's security verification fails, the terminal may simply discard the security-protected NAS reject message.
Optionally, if the terminal receives a NAS reject message that is not security-protected, the terminal discards it.
S507c. If the security verification fails and the AMF entity has a second security context stored, the AMF entity security-protects a NAS reject message using the second security context, obtaining a security-protected NAS reject message.
The second security context in step S507c may be the one generated by the authentication procedure initiated in the procedure triggered the last time the terminal sent an initial NAS message from idle state (that is, the network side decides not to initiate an authentication procedure in the current procedure), or it may be the one generated by an authentication procedure initiated in the current procedure; the embodiments of the present application do not specifically limit this. In the current procedure, the AMF entity may initiate an authentication procedure to generate a new security context and only then send the NAS reject, in which case the AMF entity holds the new security context generated by that authentication procedure.
This NAS reject message is sent because the security verification failed. For the specific implementation of the AMF entity security-protecting the NAS reject message with the second security context, refer to the terminal's security protection of the initial NAS request message with the first security context in step S503; it is not repeated here.
Optionally, when the security verification fails, the AMF may simply ignore the received security-protected NAS request message, in which case steps S507c-S510c are not performed; the embodiments of the present application do not specifically limit this.
S508c. The AMF entity sends the security-protected NAS reject message to the terminal, so that the terminal receives the security-protected NAS reject message from the AMF entity.
The message header of the security-protected NAS reject message is a second NAS message header, which includes the terminal identifier and second security header type information; the second security header type information indicates the type of the second security context.
Optionally, the second security header type information in step S508c may be "Integrity protected and ciphered" or "Ciphered". The terminal and the AMF agree that if use of the first security context is not indicated, the second security context is used by default.
The format of the security-protected NAS reject message containing the second NAS message header is as shown in Table 2 and is not repeated here.
S509c. The terminal determines the second security context according to the terminal identifier and the second security header type information.
The second security context in step S509c and the second security context in step S507c are generated by the same authentication procedure. That is, if the second security context in step S507c was generated by the authentication procedure initiated in the procedure triggered the last time the terminal sent an initial NAS message from idle state, so was the second security context in step S509c; if the second security context in step S507c was generated by an authentication procedure initiated in the current procedure, so was the second security context in step S509c.
S510c、终端使用第二安全上下文,对安全保护的NAS拒绝消息进行安全验证,该安全验证包括解密。S510c: The terminal uses the second security context to perform security verification on the secured NAS rejection message, where the security verification includes decryption.
可选的,步骤S507c-S510c中的安全保护的NAS拒绝消息还可以为移动管理状态 (Mobility Management Status)消息,本申请实施例对此不作具体限定。Optionally, the NAS message of the security protection in the steps S507c-S510c may also be a Mobility Management Status message, which is not specifically limited in this embodiment of the present application.
可选的,步骤S507c-S510c中的安全保护的NAS拒绝消息中还可能包含拒绝原因,若终端安全验证通过,终端还可能根据拒绝原因执行相应的动作,比如直接丢弃该NAS拒绝消息或者重新从步骤S501开始执行,本申请实施例对终端根据拒绝原因执行的动作不作具体限定。若终端安全验证未通过,终端可以直接丢弃该安全保护的NAS拒绝消息。Optionally, the security denied NAS rejection message in steps S507c-S510c may further include a reason for rejection. If the terminal security verification is passed, the terminal may perform a corresponding action according to the rejection reason, for example, directly discarding the NAS rejection message or re-receiving the message. The step S501 is started. The embodiment of the present application does not specifically limit the action performed by the terminal according to the reason for rejection. If the terminal security verification fails, the terminal can directly discard the NAS denial message of the security protection.
若终端接收到未进行安全保护的NAS拒绝消息,终端丢弃未进行安全保护的NAS拒绝消息。If the terminal receives the NAS rejection message without security protection, the terminal discards the NAS rejection message that is not secured.
S507d. If the security verification fails and the AMF entity does not store a second security context, the AMF entity protects the NAS reject message with the first security context, obtaining a security-protected NAS reject message.
The first security context may be one already stored in the AMF, or one obtained in the manner described in step S505; this embodiment does not limit this.
This NAS reject message is sent because the security verification failed. For how the AMF entity protects the NAS reject message with the first security context, refer to how the terminal protects the initial NAS request message with the first security context in step S503; the details are not repeated here.
Optionally, when the security verification fails, the AMF may simply ignore the received security-protected NAS request message, in which case steps S507d-S510d are not performed; this embodiment does not limit this.
S508d. The AMF entity sends the security-protected NAS reject message to the terminal, and the terminal receives the security-protected NAS reject message from the AMF entity.
The header of the security-protected NAS reject message is a second NAS message header, which carries the identifier of the terminal and second security header type information; here the second security header type information indicates the type of the first security context.
Optionally, the second security header type information in step S508d may indicate either "integrity protected and ciphered with default security context" or "ciphered with default security context", where the default security context is the first security context. The terminal and the AMF agree that, unless the header type explicitly indicates the first security context, the second security context is used by default.
The format of a security-protected NAS reject message carrying the second NAS message header is shown in Table 2 and is not repeated here.
S509d. The terminal determines the first security context from the identifier of the terminal and the second security header type information.
S510d. The terminal uses the first security context to perform security verification on the security-protected NAS reject message; the security verification includes deciphering.
Optionally, the security-protected NAS reject message in steps S507d-S510d may instead be a Mobility Management Status message; this embodiment does not limit this.
Optionally, the security-protected NAS reject message in steps S507d-S510d may carry a reject cause. If the terminal's security verification passes, the terminal may act on the reject cause, for example by discarding the NAS reject message or by starting again from step S501; this embodiment does not limit the action the terminal takes in response to the reject cause. If the terminal's security verification fails, the terminal may simply discard the security-protected NAS reject message.
If the terminal receives a NAS reject message that is not security protected, the terminal discards it.
Under the network security protection method provided by this embodiment, on the one hand, what the terminal sends to the AMF entity is a security-protected version of the initial NAS request message, so a fake network, which does not hold the terminal's security context, cannot verify it and therefore cannot construct a matching NAS reject message; this already prevents one class of DoS attacks. On the other hand, the NAS reject message that the AMF entity returns for the initial NAS request message is itself security protected, so after receiving a NAS reject message the terminal can tell from whether it is protected whether it came from the genuine network or from a fake network, and act accordingly, for example by discarding an unprotected NAS reject message sent by a fake network. This prevents the DoS attack risk more thoroughly and improves the security of 5G and future networks.
The actions of the terminal in S501, S502, S503, S504, S509a, S510a, S509b, S510b, S509c, S510c, S509d and S510d above may be performed by the processor 301 of the communication device 300 shown in FIG. 3 invoking application program code stored in the memory 303; this embodiment places no limitation on this.
The actions of the AMF in S505, S506, S507a, S508a, S507b, S508b, S507c, S508c, S507d and S508d above may likewise be performed by the processor 301 of the communication device 300 shown in FIG. 3 invoking application program code stored in the memory 303; this embodiment places no limitation on this.
The embodiment shown in FIG. 5 takes an AMF entity as the first network device by way of example. The first network device may instead be another network-side device, for example an SMF entity. When the first network device is another network-side device, the scheme of FIG. 5 applies with the AMF entity replaced by that device, and the details are not repeated here.
Optionally, FIG. 6 is a schematic flowchart of another network security protection method provided by an embodiment of this application. The method involves interaction among a terminal, an AMF entity and a UDM entity, and includes the following steps:
S600. Same as S500; see the embodiment shown in FIG. 5, not repeated here.
S601. The terminal determines whether it locally stores a second security context, where the second security context is a security context generated by an authentication procedure.
The second security context in step S601 is the one generated by the authentication procedure run during the previous procedure that the terminal triggered by sending an initial NAS request message from idle state.
If the terminal determines that it locally stores a second security context, it continues with steps S602-S610 below.
S602. The terminal sets the second security context as its first target security context.
S603. The terminal protects the initial NAS request message with the second security context, obtaining a security-protected NAS request message; the security protection includes ciphering.
For the initial NAS request message and the security protection, see the embodiment shown in FIG. 5; the details are not repeated here.
S604. The terminal sends the security-protected NAS request message to the AMF entity, and the AMF entity receives the security-protected NAS request message from the terminal.
The header of the security-protected NAS request message is a first NAS message header, which carries the identifier of the terminal and first security header type information; the first security header type information indicates the type of the second security context.
Optionally, in this embodiment the identifier of the terminal and the first security header type information in the first NAS message header may be sent without security protection.
Optionally, for the identifier of the terminal, see the embodiment shown in FIG. 5; the details are not repeated here.
Optionally, the first security header type information may indicate either "integrity protected and ciphered" with the second security context, or "ciphered" with the second security context. The terminal and the AMF agree that, unless the header type explicitly indicates the first security context, the second security context is used by default.
The format of a security-protected NAS request message carrying the first NAS message header is shown in Table 1 and is not repeated here.
S605. The AMF entity determines, from the identifier of the terminal and the first security header type information, whether it locally stores the second security context.
The second security context in step S605 is the one generated by the authentication procedure run during the previous procedure that the terminal triggered by sending an initial NAS request message from idle state.
If the second security context is stored locally, steps S606-S610 below are performed.
If the second security context is not stored locally, the security-protected NAS request message cannot be verified and processing ends.
S606. If it is stored, the AMF entity uses the second security context to perform security verification on the security-protected NAS request message; the security verification includes deciphering.
Optionally, if the security protection includes integrity protection, the security verification also includes an integrity check. This is stated once here and not repeated below.
Since the AMF entity stores the second security context, it uses the second security context for the subsequent operations according to the result of the security verification, as in steps S607a-S610a or steps S607c-S610c below.
S607a. If the security verification passes, the AMF entity protects the NAS reject message for the initial NAS request message with the second security context, obtaining a security-protected NAS reject message.
The second security context in step S607a may be the security context generated by the authentication procedure run during the previous procedure that the terminal triggered by sending an initial NAS message from idle state (in which case the network side has decided not to run an authentication procedure in the current procedure), or it may be the security context generated by an authentication procedure run in the current procedure; this embodiment does not limit which. In the latter case, when the terminal sends the initial NAS message from idle state, the AMF entity may run the authentication procedure first, which generates the new security context, and reject the initial NAS request message afterwards, so that it already holds the new security context when it builds the reject.
In this embodiment, if the security protection includes ciphering, "security verification passes" means that deciphering succeeds; if the security protection includes both ciphering and integrity protection, it means that deciphering succeeds and the integrity check passes. This is stated once here and not repeated below. Note that with ciphering alone there is no MAC to check, so a message protected under the wrong context shows up only as an undecipherable (unparseable) message; integrity protection gives the receiver an explicit verification failure.
For how the AMF entity protects the NAS reject message for the initial NAS request message with the second security context, refer to how the terminal protects the initial NAS request message with the first security context in step S503; the details are not repeated here.
S608a. The AMF entity sends the security-protected NAS reject message to the terminal, and the terminal receives the security-protected NAS reject message from the AMF entity.
The header of the security-protected NAS reject message is a second NAS message header, which carries the identifier of the terminal and second security header type information; the second security header type information indicates the type of the second security context.
Optionally, the second security header type information in step S608a may indicate either "integrity protected and ciphered" with the second security context, or "ciphered" with the second security context. The terminal and the AMF agree that, unless the header type explicitly indicates the first security context, the second security context is used by default.
The format of a security-protected NAS reject message carrying the second NAS message header is shown in Table 2 and is not repeated here.
S609a. The terminal determines the second security context from the identifier of the terminal and the second security header type information.
The second security context in step S609a and the second security context in step S607a were generated by the same authentication procedure. That is, if the second security context in step S607a was generated by the authentication procedure run during the previous procedure that the terminal triggered by sending an initial NAS message from idle state, so was the second security context in step S609a; if the second security context in step S607a was generated by an authentication procedure run in the current procedure, so was the second security context in step S609a.
S610a. The terminal uses the second security context to perform security verification on the security-protected NAS reject message; the security verification includes deciphering.
Optionally, the security-protected NAS reject message in steps S607a-S610a may carry the cause for rejecting the initial NAS request message. If the terminal's security verification passes, the terminal may act on that cause, for example by adding the current location area to a forbidden list and attempting to select a suitable cell in another location area to camp on; this embodiment does not limit the action the terminal takes in response to the cause. If the terminal's security verification fails, the terminal may simply discard the security-protected NAS reject message.
Optionally, if the terminal receives a NAS reject message that is not security protected, the terminal discards it.
S607c. If the security verification fails, the AMF entity protects the NAS reject message with the second security context, obtaining a security-protected NAS reject message.
The second security context in step S607c may be the security context generated by the authentication procedure run during the previous procedure that the terminal triggered by sending an initial NAS message from idle state (in which case the network side has decided not to run an authentication procedure in the current procedure), or it may be the security context generated by an authentication procedure run in the current procedure; this embodiment does not limit which. In the latter case, when the terminal sends the initial NAS message from idle state, the AMF entity may run the authentication procedure first, which generates the new security context, and reject the initial NAS request message afterwards, so that it already holds the new security context when it builds the reject.
This NAS reject message is sent because the security verification failed. For how the AMF entity protects the NAS reject message with the second security context, refer to how the terminal protects the initial NAS request message with the first security context in step S503; the details are not repeated here.
Optionally, when the security verification fails, the AMF may simply ignore the received security-protected NAS request message, in which case steps S607c-S610c are not performed; this embodiment does not limit this.
S608c. The AMF entity sends the security-protected NAS reject message to the terminal, and the terminal receives the security-protected NAS reject message from the AMF entity.
The header of the security-protected NAS reject message is a second NAS message header, which carries the identifier of the terminal and second security header type information; the second security header type information indicates the type of the second security context.
Optionally, the second security header type information in step S608c may indicate either "integrity protected and ciphered" with the second security context, or "ciphered" with the second security context. The terminal and the AMF agree that, unless the header type explicitly indicates the first security context, the second security context is used by default.
The format of a security-protected NAS reject message carrying the second NAS message header is shown in Table 2 and is not repeated here.
S609c. The terminal determines the second security context from the identifier of the terminal and the second security header type information.
The second security context in step S609c and the second security context in step S607c were generated by the same authentication procedure. That is, if the second security context in step S607c was generated by the authentication procedure run during the previous procedure that the terminal triggered by sending an initial NAS message from idle state, so was the second security context in step S609c; if the second security context in step S607c was generated by an authentication procedure run in the current procedure, so was the second security context in step S609c.
S610c. The terminal uses the second security context to perform security verification on the security-protected NAS reject message; the security verification includes deciphering.
Optionally, the security-protected NAS reject message in steps S607c-S610c may instead be a Mobility Management Status message; this embodiment does not limit this.
Optionally, the security-protected NAS reject message in steps S607c-S610c may carry a reject cause. If the terminal's security verification passes, the terminal may act on the reject cause, for example by discarding the NAS reject message or by starting again from step S601; this embodiment does not limit the action the terminal takes in response to the reject cause. If the terminal's security verification fails, the terminal may simply discard the security-protected NAS reject message.
If the terminal receives a NAS reject message that is not security protected, the terminal discards it.
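The two exchanges described above (FIG. 5, steps S503-S510d, where the terminal protects the initial NAS request with the first security context, and FIG. 6, steps S601-S610c, where it prefers a stored second security context) can be followed end to end in the simulation below. It is an added example, not code from the patent or from any 3GPP stack: the NAS cipher and MAC are replaced by HMAC-SHA256 stand-ins, and the security header type values, the message layout, the class and field names (Terminal, AMF, NasMessage, sec_hdr_type) and the keys are assumptions made for the simulation. The simulation exercises the security-relevant decisions the text specifies: the header type selects which context the receiver looks up, the AMF protects its reject with the second context when it has one and with the first otherwise, a failed verification still yields a protected reject, and the terminal drops any unprotected reject, which is all a fake network without the context can produce.

```python
"""Simulated protected initial NAS request / NAS reject exchange (added illustration, not
code from the patent or any 3GPP stack). HMAC-SHA256 stands in for the NAS cipher and
MAC; header type values, message layout, names and keys are assumptions."""
import hashlib, hmac
from dataclasses import dataclass

# Assumed security header type encoding; a type that does not name the first (default)
# context refers to the second, authentication-derived context by default.
PLAIN, INTEGRITY_CIPHERED, CIPHERED, INTEGRITY_CIPHERED_DEFAULT, CIPHERED_DEFAULT = range(5)
USES_FIRST_CONTEXT = {INTEGRITY_CIPHERED_DEFAULT, CIPHERED_DEFAULT}
HAS_INTEGRITY = {INTEGRITY_CIPHERED, INTEGRITY_CIPHERED_DEFAULT}

@dataclass
class SecurityContext:
    key: bytes
    count: int = 0  # sender-side NAS COUNT, incremented per protected message

@dataclass
class NasMessage:
    terminal_id: str   # NAS header field, sent in clear
    sec_hdr_type: int  # NAS header field, sent in clear
    count: int
    body: bytes        # plaintext when sec_hdr_type == PLAIN, ciphertext otherwise
    mac: bytes = b""

def _keystream(key, count, n):
    blocks = (hmac.new(key, b"enc" + count.to_bytes(4, "big") + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _mac(key, msg):
    hdr = msg.terminal_id.encode() + bytes([msg.sec_hdr_type]) + msg.count.to_bytes(4, "big")
    return hmac.new(key, b"int" + hdr + msg.body, hashlib.sha256).digest()[:4]

def protect(ctx, terminal_id, plaintext, sec_hdr_type):
    """Cipher under ctx and, for the integrity types, append a MAC over header and body."""
    count, ctx.count = ctx.count, ctx.count + 1
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(ctx.key, count, len(plaintext))))
    msg = NasMessage(terminal_id, sec_hdr_type, count, body)
    if sec_hdr_type in HAS_INTEGRITY:
        msg.mac = _mac(ctx.key, msg)
    return msg

def verify(ctx, msg):
    """Security verification: integrity check when present, then deciphering; None on failure."""
    if msg.sec_hdr_type in HAS_INTEGRITY and not hmac.compare_digest(msg.mac, _mac(ctx.key, msg)):
        return None
    return bytes(c ^ k for c, k in zip(msg.body, _keystream(ctx.key, msg.count, len(msg.body))))

class Terminal:
    def __init__(self, terminal_id, first_ctx, second_ctx=None):
        self.id, self.first_ctx, self.second_ctx = terminal_id, first_ctx, second_ctx
    def initial_request(self, payload):
        # FIG. 6 (S601-S604): prefer a stored second context; FIG. 5 (S503-S504): else the first.
        if self.second_ctx is not None:
            return protect(self.second_ctx, self.id, payload, INTEGRITY_CIPHERED)
        return protect(self.first_ctx, self.id, payload, INTEGRITY_CIPHERED_DEFAULT)
    def handle_reject(self, msg):
        if msg.sec_hdr_type == PLAIN:  # the genuine network never sends an unprotected reject
            return "discarded: unprotected NAS reject"
        ctx = self.first_ctx if msg.sec_hdr_type in USES_FIRST_CONTEXT else self.second_ctx  # S509
        plaintext = verify(ctx, msg) if ctx is not None else None                             # S510
        return "discarded: verification failed" if plaintext is None else "accepted: " + plaintext.decode()

class AMF:
    def __init__(self):
        self.first_ctx = {}   # default contexts per terminal (e.g. obtained via UDM, S505)
        self.second_ctx = {}  # authentication-derived contexts per terminal
    def handle_request(self, msg, reject_cause=None):
        store = self.first_ctx if msg.sec_hdr_type in USES_FIRST_CONTEXT else self.second_ctx
        ctx = store.get(msg.terminal_id)
        if msg.sec_hdr_type == PLAIN or ctx is None:
            return None                               # cannot verify; processing ends
        if verify(ctx, msg) is None:
            cause = "security verification failed"    # S507c / S507d
        elif reject_cause is None:
            return None                               # request accepted; not modelled here
        else:
            cause = reject_cause                      # S507a / S507b
        # Protect the reject with the second context when one is stored, otherwise with the first.
        use_second = msg.terminal_id in self.second_ctx
        ctx = self.second_ctx[msg.terminal_id] if use_second else self.first_ctx[msg.terminal_id]
        hdr_type = INTEGRITY_CIPHERED if use_second else INTEGRITY_CIPHERED_DEFAULT
        return protect(ctx, msg.terminal_id, b"REJECT:" + cause.encode(), hdr_type)

def demo():
    """Constructed scenario: one terminal, the genuine AMF and a fake network."""
    amf, ue, out = AMF(), Terminal("ue-001", SecurityContext(b"K" * 32)), {}  # constructed key
    amf.first_ctx["ue-001"] = SecurityContext(b"K" * 32)
    # 1. Verification passes; the network rejects for a policy reason (S507a).
    rej = amf.handle_request(ue.initial_request(b"REGISTRATION REQUEST"), "PLMN not allowed")
    out["policy_reject"] = ue.handle_reject(rej)
    # 2. A bit flipped in transit: AMF verification fails, the reject is still protected (S507d).
    req = ue.initial_request(b"REGISTRATION REQUEST")
    req.body = bytes([req.body[0] ^ 0x01]) + req.body[1:]
    out["tampered_request"] = ue.handle_reject(amf.handle_request(req))
    # 3. A fake network holds no context and can only send an unprotected reject.
    out["fake_reject"] = ue.handle_reject(NasMessage("ue-001", PLAIN, 0, b"REJECT:illegal UE"))
    # 4. After authentication both sides hold a second context (FIG. 6); it is used on both legs.
    amf.second_ctx["ue-001"], ue.second_ctx = SecurityContext(b"S" * 32), SecurityContext(b"S" * 32)
    req = ue.initial_request(b"REGISTRATION REQUEST")
    rej = amf.handle_request(req, "tracking area not allowed")
    out["second_ctx"] = (req.sec_hdr_type, rej.sec_hdr_type, ue.handle_reject(rej))
    return out
```

Running `demo()` walks through the four cases in order. The simulation deliberately uses the integrity-protected header types: with a ciphered-only type there is no MAC, so `verify` cannot tell a wrong context from a right one and a failed verification shows up only as an unparseable deciphered message, which is the caveat that applies to the "ciphered" variants in the text as well.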
With the network security protection method provided by the embodiments of this application, on the one hand, because what the terminal sends to the AMF entity is a NAS request message obtained by security-protecting the initial NAS request message, a pseudo network cannot verify it and therefore cannot construct the corresponding NAS reject message, so that part of the DoS attack surface is removed. On the other hand, the NAS reject message for the initial NAS request message that the AMF entity sends to the terminal is a security-protected NAS reject message, so after receiving a NAS reject message the terminal can tell, from whether security protection was applied, whether the message was sent by the genuine network or by a pseudo network, and can handle it accordingly, for example by discarding an unprotected NAS reject message sent by a pseudo network. This further and more thoroughly prevents the DoS attack risk and improves the security of 5G networks and other future networks.
The actions of the terminal in S601, S602, S603, S604, S609a, S610a, S609c and S610c above may be performed by the processor 301 in the communication device 300 shown in FIG. 3 calling the application program code stored in the memory 303; the embodiments of this application impose no limitation on this.
The actions of the AMF in S605, S606, S607a, S608a, S607c and S608c above may be performed by the processor 301 in the communication device 300 shown in FIG. 3 calling the application program code stored in the memory 303; the embodiments of this application impose no limitation on this.
The embodiment shown in FIG. 6 is described using the case where the first network device is an AMF entity as an example; the first network device may of course be another device on the network side, for example an SMF entity. When the first network device is another device on the network side, the scheme for performing network security protection through that device can follow the embodiment shown in FIG. 6: it suffices to replace the AMF entity in the embodiment of FIG. 6 with the other device, which is not described again here.
The solution provided by the embodiments of this application has been described above mainly from the perspective of the interaction between the first network device and the terminal. It can be understood that, to implement the above functions, the first network device and the terminal include corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, this application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of this application.
The embodiments of this application may divide the first network device and the terminal into functional modules according to the above method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiments of this application is schematic and is merely a division by logical function; other divisions are possible in actual implementation.
For example, where each functional module corresponds to one function, FIG. 7 shows a possible schematic structure of the first network device involved in the above embodiments. The first network device 700 includes: a receiving module 701, a determining module 702, a verifying module 703, a security protection module 704 and a sending module 705.
The receiving module 701 is configured to receive a security-protected NAS request message from a terminal, where the security-protected NAS request message is obtained by security-protecting an initial NAS request message with a first target security context of the terminal; the message header of the security-protected NAS request message is a first NAS message header, which includes an identifier of the terminal and first security header type information, the first security header type information indicating the type of the first target security context; the first target security context includes a first security context or a second security context, the first security context being a configured security context and the second security context being a security context generated by an authentication procedure; and the security protection includes encryption.
The determining module 702 is configured to determine the first target security context according to the identifier of the terminal and the first security header type information.
The verifying module 703 is configured to perform security verification on the security-protected NAS request message using the first target security context, where the security verification includes decryption.
The security protection module 704 is configured to security-protect a NAS reject message using a second target security context according to the result of the security verification, to obtain a security-protected NAS reject message, where the second target security context includes the first security context or the second security context.
The sending module 705 is configured to send the security-protected NAS reject message to the terminal, where the message header of the security-protected NAS reject message is a second NAS message header, which includes the identifier of the terminal and second security header type information, the second security header type information indicating the type of the second target security context.
Further, as shown in FIG. 7, the first network device also includes a storage module 706. The security protection module 704 is specifically configured to:
if the security verification passes and no second security context is stored in the storage module 706, security-protect the NAS reject message for the initial NAS request message using the first security context;
or, if the security verification passes and a second security context is stored in the storage module 706, security-protect the NAS reject message for the initial NAS request message using the second security context;
or, if the security verification fails and no second security context is stored in the storage module 706, security-protect the NAS reject message using the first security context;
or, if the security verification fails and a second security context is stored in the storage module 706, security-protect the NAS reject message using the second security context.
Optionally, the first target security context includes the first security context. The determining module 702 is specifically configured to:
determine, according to the identifier of the terminal and the first security header type information, whether the first security context is stored locally;
if the determining module 702 determines that the first security context is not stored locally, send a first message to a second network device, the first message including the identifier of the terminal and requesting the first security context, and receive the first security context from the second network device;
or, if the determining module 702 determines that the first security context is stored locally, obtain the first security context locally.
Optionally, the first message also includes an identifier of the PLMN currently serving the terminal, an identifier of the network slice currently serving the terminal, or information about the access technology currently used by the terminal.
Optionally, the security protection also includes integrity protection, and the security verification also includes an integrity check.
Optionally, the first network device includes an AMF entity or an SMF entity, and the second network device includes a UDM entity or an AUSF entity.
All content relating to the steps of the above method embodiments can be cited in the functional description of the corresponding functional modules and is not repeated here.
Where the functional modules are divided in an integrated manner, FIG. 8 shows a possible schematic structure of the first network device involved in the above embodiments. The first network device 800 includes a processing module 801 and a communication module 802. Optionally, the first network device 800 may also include a storage module 803. The processing module 801 can perform the operations of the determining module 702, the verifying module 703 and the security protection module 704 in FIG. 7; the communication module 802 can perform the operations of the receiving module 701 and the sending module 705 in FIG. 7; and the storage module 803 can perform the operations of the storage module 706 in FIG. 7. For details, refer to the embodiment shown in FIG. 7, which is not repeated here.
All content relating to the steps of the above method embodiments can be cited in the functional description of the corresponding functional modules and is not repeated here.
In this embodiment, the first network device is presented in the form of functional modules each corresponding to one function, or in the form of functional modules divided in an integrated manner. A "module" here may refer to an application-specific integrated circuit (ASIC), a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or other devices that can provide the above functions. In a simple embodiment, those skilled in the art will appreciate that the first network device 700 or the first network device 800 may take the form shown in FIG. 3. For example, the receiving module 701, the determining module 702, the verifying module 703, the security protection module 704 and the sending module 705 in FIG. 7 may be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, they may be executed by the processor 301 calling the application program code stored in the memory 303, and the embodiments of this application impose no limitation on this. Alternatively, for example, the receiving module 701, the determining module 702, the verifying module 703, the security protection module 704, the sending module 705 and the storage module 706 in FIG. 7 may be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, they may be executed by the processor 301 calling the application program code stored in the memory 303, and the embodiments of this application impose no limitation on this. Alternatively, for example, the processing module 801 and the communication module 802 in FIG. 8 may be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, they may be executed by the processor 301 calling the application program code stored in the memory 303, and the embodiments of this application impose no limitation on this. Alternatively, for example, the processing module 801, the communication module 802 and the storage module 803 in FIG. 8 may be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, they may be executed by the processor 301 calling the application program code stored in the memory 303, and the embodiments of this application impose no limitation on this.
Because the first network device provided by the embodiments of this application can perform the above network security protection method, the technical effects it can obtain can be found in the above method embodiments and are not repeated here.
For example, where each functional module corresponds to one function, FIG. 9 shows a possible schematic structure of the terminal involved in the above embodiments. The terminal 900 includes: a determining module 901, a security protection module 902, a sending module 903, a receiving module 904 and a verifying module 905.
The determining module 901 is configured to determine a first target security context of the terminal, where the first target security context includes a first security context or a second security context, the first security context being a configured security context and the second security context being a security context generated by an authentication procedure.
The security protection module 902 is configured to security-protect an initial NAS request message using the first target security context to obtain a security-protected NAS request message, where the security protection includes encryption.
The sending module 903 is configured to send the security-protected NAS request message to a first network device, where the message header of the security-protected NAS request message is a first NAS message header, which includes an identifier of the terminal and first security header type information, the first security header type information indicating the type of the first target security context.
The receiving module 904 is configured to receive a security-protected NAS reject message from the first network device, where the security-protected NAS reject message is obtained by security-protecting a NAS reject message with a second target security context of the terminal; the message header of the security-protected NAS reject message is a second NAS message header, which includes the identifier of the terminal and second security header type information, the second security header type information indicating the type of the second target security context; and the second target security context includes the first security context or the second security context.
The determining module 901 is further configured to determine the second target security context according to the identifier of the terminal and the second security header type information.
The verifying module 905 is configured to perform security verification on the security-protected NAS reject message using the second target security context, where the security verification includes decryption.
Optionally, as shown in FIG. 9, the terminal 900 also includes a discarding module 906.
The receiving module 904 is further configured to receive, after the sending module 903 sends the security-protected NAS request message to the first network device, a NAS reject message on which no security protection has been performed.
The discarding module 906 is configured to discard the NAS reject message on which no security protection has been performed.
Optionally, the determining module 901 determining the first target security context of the terminal includes: if the determining module 901 determines that the second security context is stored locally, determining the second security context as the first target security context of the terminal; or, if the determining module 901 determines that the second security context is not stored locally, determining the first security context and determining the first security context as the first target security context of the terminal.
Optionally, the first target security context includes the first security context.
The determining module 901 determining the first security context includes: reading the first security context configured on the USIM card of the terminal; or, obtaining the first security context configured on the terminal.
Optionally, the first target security context includes the first security context.
The determining module 901 determining the first security context includes: selecting the first security context from multiple security contexts of the terminal according to the PLMN currently serving the terminal, the network slice currently serving the terminal, or the access technology currently used by the terminal, where the multiple security contexts include the first security context and are of the same type as the first security context.
Optionally, the security protection also includes integrity protection, and the security verification also includes an integrity check.
Optionally, the first network device includes an AMF entity or an SMF entity. All content relating to the steps of the above method embodiments can be cited in the functional description of the corresponding functional modules and is not repeated here.
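The exchange described by the two module embodiments above (the first network device choosing the second target security context in the four cases of the security protection module 704, and the terminal choosing its first target context and discarding unprotected rejects in modules 901 and 906), simulated as an added example; this is not code from the patent, Huawei or 3GPP. The security header type values, keys, terminal identifier and the HMAC-based stand-in cipher are assumptions made for the example.

```python
"""NAS request / NAS reject exchange of the embodiments above, simulated end to end.
Added example, not code from the patent, Huawei or 3GPP. Cipher = HMAC-SHA256 keystream,
MAC = truncated HMAC: stdlib stand-ins for the NAS algorithms, which are not implemented."""
import hashlib
import hmac
from dataclasses import dataclass

# Security header type values are constructed; the patent only says the header
# carries the terminal identifier and an indicator of the security context type.
SHT_NONE = 0           # no security protection
SHT_CONFIGURED = 1     # first security context (configured, e.g. on the USIM)
SHT_AUTHENTICATED = 2  # second security context (generated by authentication)

@dataclass(frozen=True)
class SecurityContext:
    ctx_type: int        # SHT_CONFIGURED or SHT_AUTHENTICATED
    enc_key: bytes
    int_key: bytes

def _keystream(key: bytes, aad: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, aad + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def protect(ctx: SecurityContext, terminal_id: str, plaintext: bytes):
    """Encrypt, then MAC over the header fields and ciphertext. Returns (header, body)."""
    header = {"terminal_id": terminal_id, "security_header_type": ctx.ctx_type}
    aad = terminal_id.encode() + bytes([ctx.ctx_type])
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ctx.enc_key, aad, len(plaintext))))
    tag = hmac.new(ctx.int_key, aad + ct, hashlib.sha256).digest()[:8]
    return header, ct + tag

def verify(ctx: SecurityContext, header: dict, body: bytes):
    """Integrity check, then decryption. Returns the plaintext, or None on failure."""
    aad = header["terminal_id"].encode() + bytes([header["security_header_type"]])
    ct, tag = body[:-8], body[-8:]
    if not hmac.compare_digest(tag, hmac.new(ctx.int_key, aad + ct, hashlib.sha256).digest()[:8]):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ctx.enc_key, aad, len(ct))))

class FirstNetworkDevice:  # AMF side: modules 701-706 of FIG. 7 in one class
    def __init__(self, second_network_device: dict):
        self.remote = second_network_device  # UDM/AUSF store of configured contexts (constructed)
        self.store = {}                      # storage module 706: (terminal_id, type) -> context

    def determine_context(self, terminal_id: str, sht: int):
        ctx = self.store.get((terminal_id, sht))
        if ctx is None and sht == SHT_CONFIGURED:  # first message to the second network device
            ctx = self.remote.get(terminal_id)
            if ctx is not None:
                self.store[(terminal_id, sht)] = ctx
        return ctx

    def handle_request(self, header: dict, body: bytes, cause: bytes):
        tid, sht = header["terminal_id"], header["security_header_type"]
        ctx = self.determine_context(tid, sht)
        verified = ctx is not None and verify(ctx, header, body) is not None
        # Second target context: the authentication-generated context if stored, otherwise
        # the configured one. The reject is protected whether or not verification passed.
        second = self.store.get((tid, SHT_AUTHENTICATED)) or self.store.get((tid, SHT_CONFIGURED))
        if second is None:
            return None  # no context for this terminal at all: a case the page does not cover
        return protect(second, tid, cause + (b"/verified" if verified else b"/unverified"))

class Terminal:  # terminal side: modules 901-906 of FIG. 9 in one class
    def __init__(self, terminal_id: str, usim_ctx: SecurityContext, auth_ctx=None):
        self.terminal_id = terminal_id
        self.contexts = {SHT_CONFIGURED: usim_ctx}  # first context as read from the USIM
        if auth_ctx is not None:
            self.contexts[SHT_AUTHENTICATED] = auth_ctx

    def first_target_context(self) -> SecurityContext:
        # Authentication-generated context if stored locally, otherwise the configured one.
        return self.contexts.get(SHT_AUTHENTICATED) or self.contexts[SHT_CONFIGURED]

    def initial_request(self, plaintext: bytes):
        return protect(self.first_target_context(), self.terminal_id, plaintext)

    def handle_reject(self, header: dict, body: bytes):
        """Returns the reject plaintext, or None when the message is discarded."""
        sht = header["security_header_type"]
        if sht == SHT_NONE or header["terminal_id"] != self.terminal_id:
            return None  # unprotected reject, as a pseudo network would send: discard
        ctx = self.contexts.get(sht)  # second target context from identifier + header type
        return None if ctx is None else verify(ctx, header, body)

def run_scenario():
    """Genuine reject accepted; unprotected reject and reject under wrong keys discarded."""
    cfg = SecurityContext(SHT_CONFIGURED, b"enc-key-constructed", b"int-key-constructed")
    ue = Terminal("supi-example-001", cfg)
    amf = FirstNetworkDevice({"supi-example-001": cfg})
    hdr, body = ue.initial_request(b"REGISTRATION REQUEST")
    genuine = ue.handle_reject(*amf.handle_request(hdr, body, b"REJECT cause=constructed"))
    unprotected = ue.handle_reject(
        {"terminal_id": ue.terminal_id, "security_header_type": SHT_NONE}, b"REJECT")
    wrong_keys = SecurityContext(SHT_CONFIGURED, b"other-enc", b"other-int")
    forged = ue.handle_reject(*protect(wrong_keys, ue.terminal_id, b"REJECT"))
    return genuine, unprotected, forged
```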
Where the functional modules are divided in an integrated manner, FIG. 10 shows a possible schematic structure of the terminal involved in the above embodiments. The terminal 1000 includes a processing module 1001 and a communication module 1002. The processing module 1001 can perform the operations of the determining module 901, the security protection module 902, the verifying module 905 and the discarding module 906 in FIG. 9, and the communication module 1002 can perform the operations of the receiving module 904 and the sending module 903 in FIG. 9. For details, refer to the embodiment shown in FIG. 9, which is not repeated here.
All content relating to the steps of the above method embodiments can be cited in the functional description of the corresponding functional modules and is not repeated here.
In this embodiment, the terminal is presented in the form of functional modules each corresponding to one function, or in the form of functional modules divided in an integrated manner. A "module" here may refer to an application-specific integrated circuit (ASIC), a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or other devices that can provide the above functions. In a simple embodiment, those skilled in the art will appreciate that the terminal 900 or the terminal 1000 may take the form shown in FIG. 3. For example, the determining module 901, the security protection module 902, the sending module 903, the receiving module 904 and the verifying module 905 in FIG. 9 may be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, they may be executed by the processor 301 calling the application program code stored in the memory 303, and the embodiments of this application impose no limitation on this. Alternatively, for example, the determining module 901, the security protection module 902, the sending module 903, the receiving module 904, the verifying module 905 and the discarding module 906 in FIG. 9 may be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, they may be executed by the processor 301 calling the application program code stored in the memory 303, and the embodiments of this application impose no limitation on this. Alternatively, for example, the processing module 1001 and the communication module 1002 in FIG. 10 may be implemented by the processor 301 and the memory 303 of FIG. 3; specifically, they may be executed by the processor 301 calling the application program code stored in the memory 303, and the embodiments of this application impose no limitation on this.
Because the terminal provided by the embodiments of this application can perform the above network security protection method, the technical effects it can obtain can be found in the above method embodiments and are not repeated here.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented by a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state disk (SSD)).
Although this application has been described here in connection with the various embodiments, those skilled in the art, in practising the claimed application, can understand and achieve other variations of the disclosed embodiments by studying the drawings, the disclosure and the appended claims. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil several of the functions recited in the claims. Certain measures are recited in mutually different dependent claims, but this does not indicate that these measures cannot be combined to good effect.
Although this application has been described in connection with specific features and embodiments thereof, it is evident that various modifications and combinations can be made without departing from the spirit and scope of the application. Accordingly, the description and drawings are merely exemplary illustrations of the application as defined by the appended claims and are deemed to cover any and all modifications, variations, combinations or equivalents within the scope of the application. Evidently, those skilled in the art can make various changes and variations to this application without departing from its scope. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalents, this application is also intended to encompass them.

Claims (28)

  1. 一种网络安全保护方法,其特征在于,所述方法包括:A network security protection method, the method comprising:
    终端确定所述终端的第一目标安全上下文,所述第一目标安全上下文包括第一安全上下文或第二安全上下文,所述第一安全上下文为配置的安全上下文,所述第二安全上下文为鉴权流程生成的安全上下文;The terminal determines a first target security context of the terminal, the first target security context includes a first security context or a second security context, the first security context is a configured security context, and the second security context is a reference The security context generated by the rights process;
    所述终端使用所述第一目标安全上下文对初始非接入层NAS请求消息进行安全保护,得到安全保护的NAS请求消息,所述安全保护包括加密;The terminal performs security protection on the initial non-access stratum NAS request message by using the first target security context to obtain a security-protected NAS request message, where the security protection includes encryption;
    所述终端向第一网络设备发送所述安全保护的NAS请求消息,所述安全保护的NAS请求消息的消息头为第一NAS消息头,所述第一NAS消息头中包括所述终端的标识和第一安全头类型信息,所述第一安全头类型信息用于指示所述第一目标安全上下文的类型;The terminal sends the security-protected NAS request message to the first network device, where the message header of the security-protected NAS request message is a first NAS message header, and the first NAS message header includes the identifier of the terminal. And first security header type information, where the first security header type information is used to indicate a type of the first target security context;
    所述终端接收来自所述第一网络设备的安全保护的NAS拒绝消息,所述安全保护的NAS拒绝消息是使用所述终端的第二目标安全上下文对NAS拒绝消息进行安全保护后得到的;其中,所述安全保护的NAS拒绝消息的消息头为第二NAS消息头,所述第二NAS消息头中包括所述终端的标识和第二安全头类型信息,所述第二安全头类型信息用于指示所述第二目标安全上下文的类型,所述第二目标安全上下文包括所述第一安全上下文或者所述第二安全上下文;Receiving, by the terminal, a NAS denial message from the security protection of the first network device, where the security-protected NAS reject message is obtained by using a second target security context of the terminal to secure a NAS reject message; The header of the security-protected NAS reject message is a second NAS message header, where the second NAS message header includes the identifier of the terminal and the second security header type information, where the second security header type information is used. And indicating the type of the second target security context, where the second target security context includes the first security context or the second security context;
    所述终端根据所述终端的标识和所述第二安全头类型信息,确定所述第二目标安全上下文;Determining, by the terminal, the second target security context according to the identifier of the terminal and the second security header type information;
    所述终端使用所述第二目标安全上下文,对所述安全保护的NAS拒绝消息进行安全验证,所述安全验证包括解密。The terminal uses the second target security context to perform security verification on the secured NAS rejection message, the security verification including decryption.
  2. 根据权利要求1所述的方法,其特征在于,在所述终端向第一网络设备发送所述安全保护的NAS请求消息之后,还包括:The method according to claim 1, wherein after the terminal sends the secured NAS request message to the first network device, the method further includes:
    所述终端接收未进行所述安全保护的NAS拒绝消息;Receiving, by the terminal, a NAS reject message that does not perform the security protection;
    所述终端丢弃所述未进行所述安全保护的NAS拒绝消息。The terminal discards the NAS reject message that is not subjected to the security protection.
  3. The method according to claim 1 or 2, wherein the terminal determining the first target security context of the terminal comprises:
    if the terminal determines that the second security context is stored locally, the terminal determines the second security context to be the first target security context of the terminal;
    or, if the terminal determines that the second security context is not stored locally, the terminal determines the first security context and determines the first security context to be the first target security context of the terminal.
  4. The method according to claim 3, wherein the first target security context comprises the first security context;
    the terminal determining the first security context comprises:
    the terminal reads the first security context configured on a universal subscriber identity module (USIM) card of the terminal; or, the terminal obtains the first security context configured on the terminal.
  5. The method according to claim 3, wherein the first target security context comprises the first security context;
    the terminal determining the first security context comprises:
    the terminal selects the first security context from a plurality of security contexts of the terminal according to the public land mobile network (PLMN) currently serving the terminal, the network slice currently serving the terminal, or the access technology currently used by the terminal, wherein the plurality of security contexts includes the first security context and the plurality of security contexts are of the same type as the first security context.
  6. The method according to any one of claims 1 to 5, wherein the security protection further comprises integrity protection, and the security verification further comprises an integrity check.
  7. A network security protection method, wherein the method comprises:
    a first network device receives, from a terminal, a security-protected non-access stratum (NAS) request message, the security-protected NAS request message being obtained by applying security protection to an initial NAS request message using a first target security context of the terminal, wherein the message header of the security-protected NAS request message is a first NAS message header, the first NAS message header includes an identifier of the terminal and first security header type information, the first security header type information indicates the type of the first target security context, the first target security context comprises a first security context or a second security context, the first security context is a configured security context, and the second security context is a security context generated by an authentication procedure; the security protection comprises encryption;
    the first network device determines the first target security context according to the identifier of the terminal and the first security header type information;
    the first network device performs security verification on the security-protected NAS request message using the first target security context, wherein the security verification comprises decryption;
    the first network device, according to the result of the security verification, applies security protection to a NAS reject message using a second target security context to obtain a security-protected NAS reject message, the second target security context comprising the first security context or the second security context;
    the first network device sends the security-protected NAS reject message to the terminal, wherein the message header of the security-protected NAS reject message is a second NAS message header, the second NAS message header includes the identifier of the terminal and second security header type information, and the second security header type information indicates the type of the second target security context.
  8. The method according to claim 7, wherein the first network device applying security protection to the NAS reject message using the second target security context according to the result of the security verification comprises:
    if the security verification passes and the second security context is not stored in the first network device, the first network device applies security protection to the NAS reject message for the initial NAS request message using the first security context;
    or, if the security verification passes and the second security context is stored in the first network device, the first network device applies security protection to the NAS reject message for the initial NAS request message using the second security context;
    or, if the security verification fails and the second security context is not stored in the first network device, the first network device applies security protection to the NAS reject message using the first security context;
    or, if the security verification fails and the second security context is stored in the first network device, the first network device applies security protection to the NAS reject message using the second security context.
  9. The method according to claim 7 or 8, wherein the first target security context comprises the first security context;
    the first network device determining the first target security context according to the identifier of the terminal and the first security header type information comprises:
    the first network device determines, according to the identifier of the terminal and the first security header type information, whether the first security context is stored locally;
    if the first network device determines that the first security context is not stored locally, it sends a first message to a second network device, the first message including the identifier of the terminal and requesting the first security context; the first network device receives the first security context from the second network device;
    or, if the first network device determines that the first security context is stored locally, it obtains the first security context locally.
  10. The method according to claim 9, wherein the first message further includes an identifier of the public land mobile network (PLMN) currently serving the terminal, an identifier of the network slice currently serving the terminal, or information on the access technology currently used by the terminal.
  11. The method according to any one of claims 7 to 10, wherein the security protection further comprises integrity protection, and the security verification further comprises an integrity check.
  12. The method according to any one of claims 7 to 11, wherein the first network device comprises an access and mobility management function (AMF) entity or a session management function (SMF) entity, and the second network device comprises a unified data management (UDM) entity or an authentication server function (AUSF) entity.
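As an added illustration, not part of the patent or of any 3GPP specification, the following Python models the terminal side (claims 1 to 6) and the first-network-device side (claims 7 to 12) of the exchange: the security header carries the terminal identifier and the type of the context in use, the network device picks the context for its reject by the rule of claim 8 regardless of how verification went, and the terminal discards an unprotected reject (claim 2). The wire format, the key values, the `Terminal`/`Amf` names and the HMAC-based stream cipher are constructed stand-ins for the real NAS algorithms; the UDM/AUSF fetch of claim 9 is not modelled.

```python
"""Toy model of the NAS request / NAS reject exchange of claims 1-12. The wire format,
key handling and the HMAC-based stream cipher are constructed stand-ins for the
5G NAS algorithms; they are not taken from the patent or from 3GPP."""
import hashlib, hmac, os, struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UNPROTECTED = 0    # no protection: the body follows the header in clear
CONFIGURED = 1     # "first security context": provisioned, e.g. on the USIM
AUTHENTICATED = 2  # "second security context": produced by an authentication run
HDR = struct.Struct(">IB8s")  # terminal identifier, security header type, nonce
TAG_LEN = 16

@dataclass(frozen=True)
class SecurityContext:
    ctx_type: int
    key: bytes

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def protect(ctx: SecurityContext, terminal_id: int, body: bytes) -> bytes:
    """Ciphering plus integrity protection (claims 1 and 6): header || ciphertext || tag."""
    nonce = os.urandom(8)
    header = HDR.pack(terminal_id, ctx.ctx_type, nonce)
    ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(ctx.key, nonce, len(body))))
    tag = hmac.new(ctx.key, b"mac" + header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag

def verify(ctx: SecurityContext, msg: bytes) -> Optional[bytes]:
    """Integrity check first, then decryption; None means the verification failed."""
    if len(msg) < HDR.size + TAG_LEN:
        return None
    _, ctx_type, nonce = HDR.unpack_from(msg)
    header, ciphertext, tag = msg[:HDR.size], msg[HDR.size:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(ctx.key, b"mac" + header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if ctx_type != ctx.ctx_type or not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(ctx.key, nonce, len(ciphertext))))

class Terminal:
    def __init__(self, terminal_id: int, configured: SecurityContext,
                 authenticated: Optional[SecurityContext] = None):
        self.terminal_id = terminal_id
        self.contexts = {CONFIGURED: configured}
        if authenticated is not None:
            self.contexts[AUTHENTICATED] = authenticated
    def first_target_context(self) -> SecurityContext:
        """Claim 3: the authentication-derived context if held, otherwise the configured one."""
        return self.contexts.get(AUTHENTICATED) or self.contexts[CONFIGURED]
    def build_request(self, body: bytes) -> bytes:
        return protect(self.first_target_context(), self.terminal_id, body)
    def handle_reject(self, msg: bytes) -> Optional[bytes]:
        """Claims 1 and 2: use the context the header names; drop anything unprotected."""
        terminal_id, ctx_type, _ = HDR.unpack_from(msg)
        if terminal_id != self.terminal_id or ctx_type == UNPROTECTED:
            return None
        ctx = self.contexts.get(ctx_type)
        return verify(ctx, msg) if ctx else None

class Amf:  # first network device (claim 12); the UDM/AUSF fetch of claim 9 is not modelled
    def __init__(self):
        self.store: Dict[Tuple[int, int], SecurityContext] = {}  # (terminal id, type) -> ctx
    def handle_request(self, msg: bytes) -> bytes:
        terminal_id, ctx_type, _ = HDR.unpack_from(msg)
        ctx = self.store.get((terminal_id, ctx_type))  # claim 7: locate by id + header type
        body = verify(ctx, msg) if ctx else None
        # Claim 8: the reject is protected with the stored authenticated context if there is
        # one, otherwise with the configured one, whichever way the verification went.
        reject_ctx = self.store.get((terminal_id, AUTHENTICATED)) or self.store[(terminal_id, CONFIGURED)]
        cause = b"REJECT cause=policy" if body is not None else b"REJECT cause=integrity-failure"
        return protect(reject_ctx, terminal_id, cause)

def _flip_first_ciphertext_byte(msg: bytes) -> bytes:
    out = bytearray(msg)
    out[HDR.size] ^= 0x01
    return bytes(out)

def run_scenario() -> Dict[str, object]:
    configured = SecurityContext(CONFIGURED, hashlib.sha256(b"constructed usim key").digest())
    authenticated = SecurityContext(AUTHENTICATED, hashlib.sha256(b"constructed aka key").digest())
    tid, amf = 0x1234, Amf()
    amf.store[(tid, CONFIGURED)] = configured
    ue = Terminal(tid, configured)                   # not yet authenticated (claim 3 fallback)
    reject1 = amf.handle_request(ue.build_request(b"REGISTRATION REQUEST"))
    amf.store[(tid, AUTHENTICATED)] = authenticated  # after an authentication run
    ue2 = Terminal(tid, configured, authenticated)
    reject2 = amf.handle_request(ue2.build_request(b"REGISTRATION REQUEST"))
    # A request that fails verification still gets a protected reject (claim 8, failure branch).
    reject3 = amf.handle_request(_flip_first_ciphertext_byte(ue2.build_request(b"REGISTRATION REQUEST")))
    unprotected = HDR.pack(tid, UNPROTECTED, bytes(8)) + b"REJECT cause=plmn-not-allowed"
    return {"reject1": ue.handle_reject(reject1), "type1": HDR.unpack_from(reject1)[1],
            "reject2": ue2.handle_reject(reject2), "type2": HDR.unpack_from(reject2)[1],
            "reject3": ue2.handle_reject(reject3),
            "unprotected": ue.handle_reject(unprotected),
            "tampered": ue2.handle_reject(_flip_first_ciphertext_byte(reject2))}
```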
  13. A terminal, wherein the terminal comprises: a determining module, a security protection module, a sending module, a receiving module and a verification module;
    the determining module is configured to determine a first target security context of the terminal, the first target security context comprising a first security context or a second security context, the first security context being a configured security context and the second security context being a security context generated by an authentication procedure;
    the security protection module is configured to apply security protection to an initial non-access stratum (NAS) request message using the first target security context to obtain a security-protected NAS request message, the security protection comprising encryption;
    the sending module is configured to send the security-protected NAS request message to a first network device, the message header of the security-protected NAS request message being a first NAS message header, the first NAS message header including an identifier of the terminal and first security header type information, the first security header type information indicating the type of the first target security context;
    the receiving module is configured to receive, from the first network device, a security-protected NAS reject message, the security-protected NAS reject message being obtained by applying security protection to a NAS reject message using a second target security context of the terminal; wherein the message header of the security-protected NAS reject message is a second NAS message header, the second NAS message header includes the identifier of the terminal and second security header type information, the second security header type information indicates the type of the second target security context, and the second target security context comprises the first security context or the second security context;
    the determining module is further configured to determine the second target security context according to the identifier of the terminal and the second security header type information;
    the verification module is configured to perform security verification on the security-protected NAS reject message using the second target security context, the security verification comprising decryption.
  14. The terminal according to claim 13, wherein the terminal further comprises a discarding module;
    the receiving module is further configured to receive, after the sending module sends the security-protected NAS request message to the first network device, a NAS reject message to which the security protection has not been applied;
    the discarding module is further configured to discard the NAS reject message to which the security protection has not been applied.
  15. The terminal according to claim 13 or 14, wherein the determining module determining the first target security context of the terminal comprises:
    if the determining module determines that the second security context is stored locally, determining the second security context to be the first target security context of the terminal;
    or, if the determining module determines that the second security context is not stored locally, determining the first security context and determining the first security context to be the first target security context of the terminal.
  16. The terminal according to claim 15, wherein the first target security context is the first security context;
    the determining module determining the first security context comprises:
    reading the first security context configured on a universal subscriber identity module (USIM) card of the terminal; or, obtaining the first security context configured on the terminal.
  17. The terminal according to claim 15, wherein the first target security context is the first security context;
    the determining module determining the first security context comprises:
    selecting the first security context from a plurality of security contexts of the terminal according to the public land mobile network (PLMN) currently serving the terminal, the network slice currently serving the terminal, or the access technology currently used by the terminal, wherein the plurality of security contexts includes the first security context and the plurality of security contexts are of the same type as the first security context.
  18. The terminal according to any one of claims 13 to 17, wherein the security protection further comprises integrity protection, and the security verification further comprises an integrity check.
  19. A first network device, wherein the first network device comprises: a receiving module, a determining module, a verification module, a security protection module and a sending module;
    the receiving module is configured to receive, from a terminal, a security-protected non-access stratum (NAS) request message, the security-protected NAS request message being obtained by applying security protection to an initial NAS request message using a first target security context of the terminal, wherein the message header of the security-protected NAS request message is a first NAS message header, the first NAS message header includes an identifier of the terminal and first security header type information, the first security header type information indicates the type of the first target security context, the first target security context comprises a first security context or a second security context, the first security context is a configured security context, and the second security context is a security context generated by an authentication procedure; the security protection comprises encryption;
    the determining module is configured to determine the first target security context according to the identifier of the terminal and the first security header type information;
    the verification module is configured to perform security verification on the security-protected NAS request message using the first target security context, wherein the security verification comprises decryption;
    the security protection module is configured to apply security protection to a NAS reject message using a second target security context according to the result of the security verification, to obtain a security-protected NAS reject message, the second target security context comprising the first security context or the second security context;
    the sending module is configured to send the security-protected NAS reject message to the terminal, wherein the message header of the security-protected NAS reject message is a second NAS message header, the second NAS message header includes the identifier of the terminal and second security header type information, and the second security header type information indicates the type of the second target security context.
  20. The first network device according to claim 19, wherein the first network device further comprises a storage module;
    the security protection module is specifically configured to:
    if the security verification passes and the second security context is not stored in the storage module, apply security protection to the NAS reject message for the initial NAS request message using the first security context;
    or, if the security verification passes and the second security context is stored in the storage module, apply security protection to the NAS reject message for the initial NAS request message using the second security context;
    or, if the security verification fails and the second security context is not stored in the storage module, apply security protection to the NAS reject message using the first security context;
    or, if the security verification fails and the second security context is stored in the storage module, apply security protection to the NAS reject message using the second security context.
  21. The first network device according to claim 19 or 20, wherein the first target security context is the first security context;
    the determining module is specifically configured to:
    determine, according to the identifier of the terminal and the first security header type information, whether the first security context is stored locally;
    if the determining module determines that the first security context is not stored locally, send a first message to a second network device, the first message including the identifier of the terminal and requesting the first security context; and receive the first security context from the second network device;
    or, if the determining module determines that the first security context is stored locally, obtain the first security context locally.
  22. The first network device according to any one of claims 19 to 21, wherein the security protection further comprises integrity protection, and the security verification further comprises an integrity check.
  23. The first network device according to any one of claims 19 to 22, wherein the first network device comprises an access and mobility management function (AMF) entity or a session management function (SMF) entity, and the second network device comprises a unified data management (UDM) entity or an authentication server function (AUSF) entity.
  24. A terminal, comprising: a processor, the processor being configured to be coupled to a memory, to read computer-executable instructions stored in the memory, and to perform, according to the instructions, the network security protection method according to any one of claims 1 to 6.
  25. A first network device, comprising: a processor, the processor being configured to be coupled to a memory, to read computer-executable instructions stored in the memory, and to perform, according to the instructions, the network security protection method according to any one of claims 7 to 12.
  26. A network security protection system, wherein the network security protection system comprises the terminal according to any one of claims 13 to 17 and the first network device according to any one of claims 18 to 23;
    or, the network security protection system comprises the terminal according to claim 24 and the first network device according to claim 25.
  27. A computer-readable storage medium, wherein the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the network security protection method according to any one of claims 1 to 6.
  28. A computer-readable storage medium, wherein the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the network security protection method according to any one of claims 7 to 12.
PCT/CN2018/084025 2017-04-25 2018-04-23 Network security protection method, device and system WO2018196705A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710279322.8A CN108738015B (en) 2017-04-25 2017-04-25 Network security protection method, equipment and system
CN201710279322.8 2017-04-25

Publications (1)

Publication Number Publication Date
WO2018196705A1 true WO2018196705A1 (en) 2018-11-01

Family

ID=63919426

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/084025 WO2018196705A1 (en) 2017-04-25 2018-04-23 Network security protection method, device and system

Country Status (2)

Country Link
CN (1) CN108738015B (en)
WO (1) WO2018196705A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111182543B (en) * 2018-11-12 2021-10-19 华为技术有限公司 Method and device for switching network
CN112218285B (en) * 2019-07-11 2022-06-14 华为技术有限公司 Method, equipment and system for transmitting uplink user data
CN110994565A (en) * 2019-12-02 2020-04-10 中国联合网络通信集团有限公司 Relay protection method and device
CN116033541A (en) * 2020-12-30 2023-04-28 展讯通信(上海)有限公司 Network registration method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102438241A (en) * 2011-12-30 2012-05-02 北京中创信测科技股份有限公司 Device and method for decrypting NAS (Network Attached Storage) signaling in LTE (Long Term Evolution) protocol monitoring analysis
CN104737516A (en) * 2012-10-19 2015-06-24 高通股份有限公司 Methods and apparatus for providing network-assisted key agreement for P2P communications
CN105532026A (en) * 2013-10-28 2016-04-27 华为技术有限公司 Method and device for providing and acquiring security context
WO2016129238A1 (en) * 2015-02-13 2016-08-18 Nec Corporation Apparatus, system and method for security management
CN106412948A (en) * 2015-07-31 2017-02-15 联芯科技有限公司 Transmission method related to NAS signaling message and transmission terminal thereof
CN106507348A (en) * 2015-09-07 2017-03-15 大唐移动通信设备有限公司 The method and apparatus of UE core network access EPC in a kind of LTE system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
PT2396942E (en) * 2009-02-16 2015-04-01 Ericsson Telefon Ab L M Un-ciphered network operation solution
CN101521873B (en) * 2009-03-16 2014-12-10 中兴通讯股份有限公司 Method for enabling local security context

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
QUALCOMM INCORPORATED, HUAWEI: "Protecting Against the Modification of Attach/TAU Request Attacks", 3GPP TSG-SA3 MEETING #84 S3-161217, 15 September 2016 (2016-09-15), XP051139439, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_84_Chennai/Docs/> *

Also Published As

Publication number Publication date
CN108738015B (en) 2021-04-09
CN108738015A (en) 2018-11-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 18791917; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 18791917; Country of ref document: EP; Kind code of ref document: A1