WO2019157935A1 - Authentication method and device, message processing method and device, and storage medium - Google Patents


Info

Publication number
WO2019157935A1
Authority
WO
WIPO (PCT)
Prior art keywords
network function
message
terminal
authentication
nas
Application number
PCT/CN2019/073379
Other languages
French (fr)
Chinese (zh)
Inventor
谢振华
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/06 Authentication
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W 8/00 Network data management
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks

Definitions

  • The present disclosure relates to the field of communications technologies and, for example, to an authentication method and apparatus, a message processing method and apparatus, and a storage medium.
  • The 3rd Generation Partnership Project (3GPP) proposes a registration scheme for a multi-NAS (Non Access Stratum) connection.
  • In that scheme, the terminal establishes a NAS connection with a first access management function through a first access network.
  • The terminal then registers with a second access management function through a second access network; after the second access management function acquires the context of the terminal from the first access management function, the first access network is notified that the access management function has changed, and registration with the terminal is completed.
  • During this process, the first access management function or the second access management function may fail to serve the terminal correctly.
  • At least one embodiment of the present disclosure provides an authentication method and apparatus, such that when a terminal (User Equipment, UE) performs a multi-NAS connection, the network side can provide services for the terminal.
  • At least one embodiment of the present disclosure provides an authentication method, including:
  • after the first network function establishes a non-access stratum (NAS) connection with the terminal, the first network function sends an authentication request or a re-authentication request to the terminal;
  • the first network function receives a context transfer request for the terminal from a second network function, and sends a first key to the second network function, the first key being derived from a key in the authentication vector of the terminal.
  • An embodiment of the present disclosure provides an authentication method, including:
  • the second network function receives a registration request from the terminal
  • the second network function requests context information of the terminal from the first network function, and receives a first key sent by the first network function, where the first key is derived from a key in the authentication vector of the terminal.
  • An embodiment of the present disclosure provides an authentication apparatus, including a memory and a processor, where the memory stores a program, and when the program is read and executed by the processor, the authentication method described in any of the embodiments is implemented.
  • An embodiment of the present disclosure provides a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the authentication method described in any of the foregoing embodiments.
  • At least one embodiment of the present disclosure provides a message processing method and apparatus, so that a NAS message from a UE performing a multi-NAS connection can be processed correctly.
  • At least one embodiment of the present disclosure provides a message processing method, including:
  • the third network function receives a first NAS message from the terminal and sends the first NAS message to the fourth network function; or the third network function receives a second NAS message sent by the fourth network function, where the second NAS message was sent by the terminal to the fourth network function; or the third network function sends a third NAS message to the terminal and, after waiting a third preset time, sends the context information of the terminal to the fourth network function.
  • An embodiment of the present disclosure provides a message processing method, including:
  • the fourth network function receives the registration request from the terminal by using the first access network element
  • the fourth network function requests context information of the terminal from a third network function
  • the second access network element receives the second NAS message from the terminal, and sends the second NAS message to the third network function.
  • An embodiment of the present disclosure provides a message processing apparatus including a memory and a processor, where the memory stores a program, and when the program is read and executed by the processor, the message processing method described in any of the above embodiments is implemented.
  • An embodiment of the present disclosure provides a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the message processing method described in any of the foregoing embodiments.
  • FIG. 1 shows a registration method of the related art for a multi-NAS connection
  • FIG. 3 is a flowchart of another authentication method provided by an embodiment
  • FIG. 4 is a flowchart of an authentication process provided by an embodiment
  • FIG. 5 is another authentication flowchart provided by an embodiment
  • FIG. 7 is another authentication flowchart provided by an embodiment
  • FIG. 8 is another authentication flowchart provided by an embodiment
  • FIG. 9 is a schematic diagram of another message processing method according to an embodiment
  • FIG. 10 is a schematic diagram of a message processing method according to an embodiment
  • FIG. 11 is a flowchart of another message processing method according to an embodiment
  • FIG. 12 is a schematic diagram of another message processing method provided by an embodiment
  • The registration scheme in the related art includes the following steps.
  • Step 1010 The UE registers with the mobile network through the first radio access network (Radio Access Network 1, RAN1), thereby establishing a NAS connection with the first access management function (Access Management Function 1, AMF1).
  • Step 1020 The UE registers with the mobile network through the second radio access network (RAN2) and sends a registration request to RAN2, for example a Register Request message, which carries information about the AMF1 with which the UE previously registered.
  • Step 1030 RAN2 selects a second access management function (AMF2) and forwards the registration request message to AMF2.
  • Step 1040 AMF2 determines that it does not hold the context of the UE, obtains the information about AMF1 from the registration request message, and sends a context transfer request to AMF1, such as a Transfer UE Context Request message.
  • Step 1050 AMF1 returns the context information of the UE to AMF2, so that AMF2 can serve the UE regardless of which radio access network the UE sends a message through.
  • AMF1 may carry the context information of the UE in a Transfer UE Context Response message.
  • Step 1060 AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request message; after receiving the access management function change request message, RAN1 forwards messages received from the UE to AMF2 instead of AMF1.
  • Step 1070 RAN1 returns a message to AMF2 indicating that the access management function change is accepted, such as an AMF Mobility Response message.
  • Step 1080 AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
  • Step 1090 RAN2 forwards the registration accept message to the UE.
  • If AMF1 initiates an authentication process with the terminal through RAN1,
  • and before AMF1 receives the UE's response the UE initiates registration with the mobile network through RAN2, and the UE modifies its security context as part of the authentication process,
  • the UE's response message may be received by RAN1 before RAN1 receives the AMF change request, so RAN1 will still forward the message to AMF1.
  • Since AMF1 has already transferred the context of the UE to AMF2, AMF1 no longer holds the UE's context and cannot process the message. Meanwhile, AMF2 and the UE may perform a security procedure through RAN2, such as a NAS Security Mode Control (SMC) procedure, to activate a new security context; at that point the content of the UE's security context has changed,
  • but the security context in the context information that AMF2 obtained is unchanged, that is, the security contexts of the UE and AMF2 differ, so the security procedure between AMF2 and the UE fails and the network cannot continue to serve the UE. Therefore, in the present disclosure, the new key generated by the authentication is transmitted to AMF2 so that the security context content of AMF2 and the UE is consistent.
  • Similarly, when the terminal UE sends a NAS message through RAN1 and then initiates registration with the mobile network through RAN2, the NAS message may be received by RAN1 before RAN1 receives the AMF change request, so RAN1 will still forward the NAS message to AMF1. Since AMF1 has transferred the context of the terminal UE to AMF2, AMF1 no longer holds the context of the terminal UE and cannot process the NAS message.
  • FIG. 2 is an authentication method provided by an embodiment. As shown in FIG. 2, the method includes the following steps.
  • Step 2010 After the first network function establishes a NAS connection with the terminal, the first network function sends an authentication request or a re-authentication request to the terminal.
  • Step 2020 The first network function receives a context transfer request for the terminal from a second network function, and sends a first key to the second network function, where the first key is derived from a key in the authentication vector of the terminal.
  • the context transfer request is used to request context information of the terminal.
  • the first network function sends the first key derived based on the key in the authentication vector of the terminal to the second network function, so that the key of the second network function and the first network function can be consistent.
  • the first network function and the second network function may be an access management function, or may be other core network devices that implement access management.
  • the first network function may carry the first key by using a context transfer response.
  • The method further includes: the first network function sending a NAS security mode command to the terminal, receiving a NAS security mode complete message returned by the terminal, and sending the NAS security mode complete message to the second network function.
  • That is, the NAS SMC procedure is initiated by the first network function to activate a new security context; after the first network function receives the NAS security mode complete message, since the context of the UE has already been transferred to the second network function, it forwards the NAS security mode complete message to the second network function for processing.
  • the method further includes that the first network function receives an authentication response or a re-authentication response returned by the terminal, and sends the authentication response or the re-authentication response to the second network function.
  • When the first network function returns the first key to the second network function, the authentication response or re-authentication response from the terminal may not yet have been received; the authentication process is then still in progress, and once the response is received,
  • the second network function processes the authentication response or the re-authentication response.
  • Before sending the authentication response or the re-authentication response to the second network function, the method further includes: the first network function sending the expected response in the authentication vector of the terminal to the second network function, or the first network function sending the expected response and the random string in the authentication vector of the terminal to the second network function.
  • the second network function determines whether the authentication is valid according to the expected response or based on the expected response and the random string.
  • Sending the first key to the second network function includes: after the first network function receives the authentication response, the re-authentication response, or the NAS security mode complete message returned by the terminal, sending the first key to the second network function. That is, the first network function waits until it receives the authentication response, the re-authentication response, or the NAS security mode complete message before transmitting the first key to the second network function.
  • The method further includes: the first network function sending status information to the second network function, where the status information indicates the progress of the authentication process or the NAS security mode process.
  • the second network function can perform subsequent operations according to the status information.
  • The method further includes: the first network function waiting until it receives the response to the authentication request or the re-authentication request, then sending the context information of the terminal to the second network function; or the first network function waiting a first preset time and then sending the context information of the terminal to the second network function; or the first network function caching the context information of the terminal for a second preset time.
  • FIG. 3 is another authentication method provided by an embodiment. As shown in FIG. 3, the method includes the following steps.
  • Step 3010 The second network function receives a registration request from the terminal.
  • Step 3020 The second network function requests context information of the terminal from the first network function, and receives a first key sent by the first network function, where the first key is derived from a key in the authentication vector of the terminal.
  • The method further includes: the second network function receiving status information sent by the first network function, where, when the status information indicates that authentication is complete, the second network function waits a preset time and then performs the NAS security mode control procedure.
  • The method further includes: the second network function receiving status information sent by the first network function and, according to the status information, waiting to receive an authentication response, a re-authentication response, or a NAS security mode complete message forwarded by the first network function.
  • FIG. 4 is a schematic diagram of an authentication process provided by an embodiment. As shown in FIG. 4, the process includes the following steps.
  • Step 4010 The UE registers with the mobile network through RAN1, thereby establishing a NAS connection with AMF1.
  • Step 4020 AMF1 holds the authentication vector of the UE and initiates an authentication or re-authentication request to the UE through RAN1, for example by sending an authentication request (User Authentication Request) that carries the network authentication parameter (AUTN) and the random string (RAND) from the authentication vector.
  • Step 4030 The UE registers with the mobile network through the second radio access network (RAN2) and sends a registration request to RAN2, for example a registration request (Register Request) message, which carries information about the AMF1 with which the UE previously registered.
  • Step 4040 RAN2 selects a second access management function (AMF2) and forwards the registration request message to AMF2.
  • Step 4050 After receiving the authentication request or the re-authentication request, the UE determines that AUTN is valid, calculates the challenge response RES from information such as RAND and AUTN in the request message, generates an access management key Kamf2, and then sends an authentication response or re-authentication response to AMF1 through RAN1, for example a User Authentication Response carrying RES. AMF1 determines that RES is valid according to the expected response HXRES in the authentication vector, or according to RAND and the expected response HXRES in the authentication vector.
  • AMF1 then derives the access management key Kamf2 from the key Kseaf in the authentication vector of the UE; this Kamf2 is the same as the Kamf2 generated by the UE.
  • Step 4060 Before AMF1 has performed the NAS SMC procedure, it receives a context transfer request for the UE from AMF2, such as a Transfer UE Context Request message.
  • If step 4060 occurs before step 4050, AMF1 may wait a period of time to receive the authentication response or re-authentication response of step 4050, or may wait until that response is received.
  • AMF1 may also cache the context for a period of time while executing step 4070; the cache time may be preset.
  • Step 4070 The AMF1 sends a context transfer response to the AMF2, such as a Transfer UE Context Response message, carrying the context information of the UE.
  • The context information of the UE includes the activated security context of the UE, and carries the status information and the newly derived key Kamf2.
  • The status information indicates that the authentication process of the UE is complete.
  • AMF1 may derive a new key Kamf1 from the key Kamf in the activated security context, and the activated security context may also include Kamf1; Kamf1 and Kamf2 are derived from different keys.
  • Step 4080 In an embodiment, AMF2 waits a preset time so that any messages AMF1 may have sent to the UE earlier can reach the UE; those messages are all protected with the activated security context. After the wait ends, AMF2 performs the NAS SMC procedure to generate a new activated security context.
  • the preset time may be set as needed.
  • Step 4090 AMF2 performs a NAS SMC procedure and sends a NAS Security Mode Command message to the UE through RAN2; the NAS security mode command message is protected with a key derived from Kamf2.
  • Step 4100 The UE has already performed the authentication process, and therefore uses the key derived from Kamf2 to verify the protection of the NAS security mode command message. After verification passes, it sends a NAS Security Mode Complete message to AMF2 through RAN2; the NAS security mode complete message is integrity-protected and encrypted with the key derived from Kamf2.
  • Step 4110 AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request message; after receiving the access management function change request message, RAN1 forwards messages received from the UE to AMF2 and no longer to AMF1.
  • Step 4120 RAN1 returns a message to AMF2 indicating that the access management function change is accepted, such as an AMF Mobility Response message.
  • Step 4130 AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
  • Step 4140 RAN2 forwards the registration accept message to the UE.
  • In this embodiment, AMF1 receives the context transfer request of AMF2 after receiving the authentication response; after AMF1 transmits Kamf2 to AMF2, AMF2 performs the NAS SMC procedure to activate the new security context.
  • FIG. 5 is a schematic diagram of another authentication process provided by an embodiment. As shown in FIG. 5, the process includes the following steps.
  • Step 5010 The UE registers with the mobile network through RAN1 to establish a NAS connection with AMF1.
  • Step 5020 AMF1 holds the authentication vector of the UE and initiates an authentication or re-authentication request to the UE through RAN1, for example by sending a User Authentication Request that carries the network authentication parameter AUTN and the random string RAND from the authentication vector.
  • Step 5030 The UE registers with the mobile network through the second radio access network (RAN2) and sends a registration request to RAN2, for example a Register Request message, which carries information about the AMF1 with which the UE previously registered.
  • Step 5040 RAN2 selects a second access management function (AMF2) and forwards the registration request message to AMF2.
  • Step 5050 The UE receives the authentication request or the re-authentication request, determines that AUTN is valid, calculates the challenge response RES from information such as RAND and AUTN in the request message, generates an access management key Kamf2, and then sends an authentication or re-authentication response to AMF1, for example a User Authentication Response carrying RES.
  • AMF1 determines that RES is valid according to the expected response HXRES in the authentication vector, or according to RAND and the expected response HXRES in the authentication vector, and then derives the access management key Kamf2 from the key Kseaf in the authentication vector; this Kamf2 is the same as the Kamf2 generated by the UE.
  • Step 5060 AMF1 performs a NAS SMC procedure and sends a NAS Security Mode Command to the terminal through RAN1; the message is protected with a key derived from Kamf2.
  • Step 5070 AMF1 receives a context transfer request for the UE from AMF2, such as a Transfer UE Context Request message.
  • Step 5080 AMF1 marks the new location of the UE context, for example by setting information about AMF2 in the cached context information of the UE, or by recording information about AMF2 corresponding to the UE.
  • In an embodiment, AMF1 caches the context of the UE for a second preset time.
  • Step 5090 AMF1 sends a context transfer response to AMF2, such as a Transfer UE Context Response message, carrying the UE context information, where the UE context information includes the activated security context of the UE and carries the status information and the newly derived key Kamf2; the status information indicates that the NAS SMC procedure is in progress.
  • AMF1 may derive a new key Kamf1 from the key Kamf in the activated security context, and the activated security context may also include Kamf1; Kamf1 and Kamf2 are derived from different keys.
  • In an embodiment, after waiting a first preset time, AMF1 sends the context of the UE to AMF2.
  • Step 5100 AMF2 determines, according to the status information, to wait for the NAS security mode complete message.
  • Step 5110 The UE receives the NAS security mode command message. Because the UE has already performed the authentication process, it uses the key derived from Kamf2 to verify the protection of the NAS security mode command message. After verification passes, the UE sends a NAS Security Mode Complete message to AMF1 through RAN1; the message is integrity-protected and encrypted with the key derived from Kamf2.
  • Step 5120 AMF1 determines that the context of the UE has been transferred to AMF2, and then sends the NAS security mode complete message to AMF2 for processing.
  • Step 5130 AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request message; after receiving the access management function change request message, RAN1 forwards messages received from the UE to AMF2 instead of AMF1.
  • Step 5140 RAN1 returns a message to AMF2 indicating that the access management function change is accepted, such as an AMF Mobility Response message.
  • Step 5150 AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
  • Step 5160 RAN2 sends the registration accept message to the UE.
  • In this embodiment, AMF1 receives the context transfer request after sending the security mode command to the UE; therefore, after receiving the security mode complete message, it sends that message to AMF2 for processing.
  • FIG. 6 is a schematic diagram of another authentication process provided by an embodiment. As shown in FIG. 6, the process includes the following steps.
  • Step 6010 The UE registers with the mobile network through the RAN1 to establish a NAS connection with the AMF1.
  • Step 6020 AMF1 holds the authentication vector of the UE and initiates an authentication or re-authentication request to the UE through RAN1, for example by sending a User Authentication Request that carries the network authentication parameter AUTN and the random string RAND from the authentication vector.
  • Step 6030 The UE registers with the mobile network through the second radio access network (RAN2) and sends a registration request to RAN2, for example a Register Request message, which carries information about the AMF1 with which the UE previously registered.
  • Step 6040 RAN2 selects a second access management function (AMF2) and forwards the registration request message to AMF2.
  • Step 6050 AMF1 receives a context transfer request for the UE from AMF2, such as a Transfer UE Context Request message.
  • Step 6060 AMF1 marks the new location of the UE context, for example by setting information about AMF2 in the cached context information of the UE, or by recording information about AMF2 corresponding to the UE, and AMF1 derives the access management key Kamf2 from the key Kseaf in the authentication vector; this Kamf2 is the same as the Kamf2 generated by the UE.
  • Step 6070 AMF1 sends a context transfer response to AMF2, such as a Transfer UE Context Response message, carrying the UE context information, where the UE context information includes the activated security context of the UE and carries the status information, the newly derived key Kamf2, and the expected response HXRES from the authentication vector; it may also carry RAND from the authentication vector. The status information indicates that the authentication process is in progress.
  • AMF1 may derive a new key Kamf1 from the key Kamf in the activated security context, and the activated security context may also include Kamf1; Kamf1 and Kamf2 are derived from different keys.
  • Step 6080 AMF2 determines, according to the status information, to wait a preset time so as to receive the forwarded authentication response message.
  • Step 6090 The UE receives the authentication request or the re-authentication request, determines that AUTN is valid, calculates the challenge response RES from information such as RAND and AUTN in the request message, generates an access management key Kamf2, and then sends an authentication response or re-authentication response to AMF1 through RAN1.
  • Step 6100 AMF1 determines that the context of the UE has been transferred to AMF2 and forwards the authentication response or re-authentication response message to AMF2; AMF2 determines that RES is valid using the expected response HXRES, or RAND and the expected response HXRES.
  • Step 6110 AMF2 performs a NAS SMC procedure and sends a NAS Security Mode Command to the terminal through RAN2; the message is protected with a key derived from Kamf2.
  • Step 6120 The UE receives the NAS security mode command message. Because the UE has already performed the authentication process, it uses the key derived from Kamf2 to verify the protection of the NAS security mode command message. After verification passes, the UE sends a NAS Security Mode Complete message to AMF2 through RAN2; the message is integrity-protected and encrypted with the key derived from Kamf2.
  • Step 6130 AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request message; after receiving the access management function change request message, RAN1 forwards messages received from the UE to AMF2 instead of AMF1.
  • Step 6140 RAN1 returns a message to AMF2 indicating that the access management function change is accepted, such as an AMF Mobility Response message.
  • Step 6150 AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
  • Step 6160 RAN2 forwards the registration accept message to the UE.
  • In this embodiment, AMF1 receives the context transfer request before receiving the authentication response; therefore, after the authentication response is received, it is forwarded to AMF2 and processed by AMF2.
  • FIG. 7 is a schematic diagram of another authentication process provided by an embodiment. As shown in FIG. 7, the process includes the following steps.
  • Step 7010 The UE registers with the mobile network through RAN1 and establishes a NAS connection with AMF1.
  • Step 7020 AMF1 holds the authentication vector of the UE and initiates an authentication request or re-authentication request to the UE through RAN1, for example a User Authentication Request, carrying the network authentication parameter AUTN and the random string RAND from the authentication vector.
  • Step 7030 The UE registers with the mobile network through the second radio access network (RAN2) and sends a registration request to RAN2, for example a Register Request message, which carries related information of the AMF1 the UE previously registered with.
  • Step 7040 RAN2 selects a second access management function (AMF2) and forwards the registration request message to AMF2.
  • Step 7050 AMF1 receives a context transfer request for the UE from AMF2, for example a Transfer UE Context Request message.
  • Step 7060 AMF1 has not yet received the authentication response message, so it waits for a preset time to receive the authentication response message, or waits until the authentication response message is received.
  • Step 7070 The UE receives the authentication request or re-authentication request, determines that the AUTN is valid, calculates the challenge response RES from information such as RAND and AUTN in the authentication request or re-authentication request message, generates an access management key Kamf2, and then sends the authentication response through RAN1. On the network side, the access management key Kamf2 is derived from the key Kseaf and is the same as the Kamf2 generated by the UE.
  • Step 7080 AMF1 sends a context transfer response to AMF2, for example a Transfer UE Context Response message, carrying UE context information; the UE context information includes the activated security context information of the UE and carries the derived new key Kamf2. AMF1 may also derive a new key Kamf1 based on the key Kamf in the activated security context, and the activated security context may then also include Kamf1; in that case Kamf1 and Kamf2 are derived from different keys. The context transfer response may also carry status information indicating that the authentication procedure is complete.
  • Step 7090 AMF2 performs the NAS SMC procedure and sends a NAS Security Mode Command to the UE through RAN2; the NAS Security Mode Command message is protected using a key derived from Kamf2.
  • Step 7100 The UE has performed the authentication procedure and therefore uses the key derived from Kamf2 to verify the protection of the NAS Security Mode Command message. After the verification passes, it sends a NAS Security Mode Complete message to AMF2 through RAN2, integrity protected and encrypted using the key derived from Kamf2.
  • Step 7110 AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request message; after receiving the access management function change request message, RAN1 forwards messages subsequently received from the UE to AMF2 instead of AMF1.
  • Step 7120 RAN1 returns a message to AMF2 indicating that the access management function change is accepted, for example an AMF Mobility Response message.
  • Step 7130 AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
  • Step 7140 RAN2 forwards the registration accept message to the UE.
  • In this embodiment, when AMF1 receives the context transfer request from AMF2, it has not yet received the authentication response or re-authentication response returned by the UE; therefore, AMF1 waits to receive the authentication response returned by the UE and then sends the context transfer response to AMF2.
  • FIG. 8 is a schematic diagram of another authentication process provided by an embodiment. As shown in FIG. 8, the process includes the following steps.
  • Step 8010 The UE registers with the mobile network through RAN1 and establishes a NAS connection with AMF1.
  • Step 8020 AMF1 holds the authentication vector of the UE and initiates an authentication request or re-authentication request to the UE through RAN1, for example a User Authentication Request, carrying the network authentication parameter AUTN and the random string RAND from the authentication vector of the UE.
  • Step 8030 The UE registers with the mobile network through the second radio access network (RAN2) and sends a registration request to RAN2, for example a Register Request message, which carries related information of the AMF1 the UE previously registered with.
  • Step 8040 RAN2 selects a second access management function (AMF2) and forwards the registration request message to AMF2.
  • Step 8050 The UE receives the authentication request or re-authentication request, determines that the AUTN is valid, calculates the challenge response RES from information such as RAND and AUTN in the authentication request or re-authentication request message, generates an access management key Kamf2, and then sends the authentication response through RAN1. On the network side, the access management key Kamf2 is derived from the key Kseaf and is the same as the Kamf2 generated by the UE.
  • Step 8060 AMF1 performs the NAS SMC procedure and sends a NAS Security Mode Command to the terminal through RAN1; the message is protected using a key derived from Kamf2.
  • Step 8070 AMF1 receives a context transfer request for the UE from AMF2, for example a Transfer UE Context Request message.
  • Step 8080 AMF1 has not yet received the NAS Security Mode Complete message, so it waits for a preset time to receive the NAS Security Mode Complete message, or waits until the NAS Security Mode Complete message is received.
  • Step 8090 The UE receives the NAS Security Mode Command message. Because the UE has performed the authentication procedure, it uses the key derived from Kamf2 to verify the protection of the NAS Security Mode Command message. After the verification passes, it sends a NAS Security Mode Complete message to AMF1 through RAN1, integrity protected and encrypted using the key derived from Kamf2.
  • Step 8100 AMF1 completes the NAS SMC procedure and generates a new activated security context that includes the derived new key Kamf2; it then sends a context transfer response to AMF2, for example a Transfer UE Context Response message, carrying the UE context. The UE context information includes the activated security context information of the UE.
  • Step 8110 AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request message; after receiving the access management function change request message, RAN1 forwards messages subsequently received from the UE to AMF2 instead of AMF1.
  • Step 8120 RAN1 returns a message to AMF2 indicating that the access management function change is accepted, for example an AMF Mobility Response message.
  • Step 8130 AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
  • Step 8140 RAN2 forwards the registration accept message to the UE.
  • In this embodiment, after AMF1 sends the Security Mode Command to the UE, it receives the context transfer request sent by AMF2, and AMF1 waits to receive the Security Mode Complete message before sending the context transfer response to AMF2.
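As an added example (not part of the patent), the following Python simulation models the race of FIG. 6 and FIG. 7: AMF1 receives the context transfer request while the authentication response is still outstanding, and either transfers the context immediately with a status indication so that AMF2 waits for and verifies the forwarded response (FIG. 6), or defers its response until it has verified RES itself (FIG. 7). The KDF, the hashed-response computation, the placeholder AUTN, the status strings and all RAND, RES and Kseaf values are assumptions of this example, not values taken from the patent.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample values (placeholders, not the output of a real 5G AKA run).
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
RES = bytes.fromhex("00112233445566778899aabbccddeeff")
KSEAF = bytes(range(32))


@dataclass
class AuthVector:
    rand: bytes
    autn: bytes
    hxres: bytes   # hashed expected response held by the network
    kseaf: bytes   # anchor key from which the access management key is derived


def derive_key(parent: bytes, label: str) -> bytes:
    """Illustrative KDF (HMAC-SHA256 over a label); assumption, not the TS 33.501 KDF."""
    return hmac.new(parent, label.encode(), hashlib.sha256).digest()


def hres(rand: bytes, res: bytes) -> bytes:
    """Hashed response over RAND || RES, truncated to 128 bits (assumption for checking RES against RAND and HXRES)."""
    return hashlib.sha256(rand + res).digest()[:16]


def make_vector(res: bytes = RES) -> AuthVector:
    return AuthVector(RAND, b"AUTN-placeholder", hres(RAND, res), KSEAF)


class AMF2:
    """Second network function: selected by RAN2 for the new registration."""

    def __init__(self):
        self.context = None
        self.waiting_for_auth = False   # step 6080: wait for the forwarded response
        self.authenticated = False

    def on_context_transfer_response(self, ctx: dict) -> None:
        self.context = ctx
        self.waiting_for_auth = ctx["status"] == "authentication_in_progress"
        self.authenticated = ctx["status"] == "complete"

    def on_forwarded_auth_response(self, res: bytes) -> bool:
        """Step 6100: AMF2 checks RES against RAND and HXRES from the transferred context."""
        if not self.waiting_for_auth:
            return False
        self.waiting_for_auth = False
        self.authenticated = hmac.compare_digest(hres(self.context["rand"], res), self.context["hxres"])
        return self.authenticated

    def nas_key(self):
        """Key protecting the NAS Security Mode Command (steps 6110 / 7090); None until authenticated."""
        return derive_key(self.context["kamf2"], "NAS") if self.authenticated else None


class AMF1:
    """First network function: holds the authentication vector and the open NAS connection."""

    def __init__(self, av: AuthVector, mode: str):
        self.av = av
        self.mode = mode                 # "forward" (FIG. 6) or "wait" (FIG. 7)
        self.auth_pending = True         # authentication request sent, response outstanding
        self.context_location = "AMF1"
        self.pending_transfer = None     # AMF2 left waiting for the context (FIG. 7)
        self.kamf2 = derive_key(av.kseaf, "Kamf2")   # equals the Kamf2 the UE derives

    def _transfer(self, amf2: AMF2, status: str) -> dict:
        self.context_location = "AMF2"
        ctx = {"kamf2": self.kamf2, "rand": self.av.rand, "hxres": self.av.hxres, "status": status}
        amf2.on_context_transfer_response(ctx)
        return ctx

    def on_context_transfer_request(self, amf2: AMF2):
        """Steps 7050-7060: the request arrives while authentication is still open."""
        if not self.auth_pending:
            return self._transfer(amf2, "complete")
        if self.mode == "forward":
            return self._transfer(amf2, "authentication_in_progress")
        self.pending_transfer = amf2     # answer only once the response has been verified
        return None

    def on_auth_response(self, res: bytes, amf2: AMF2) -> bool:
        """Steps 6100 / 7070: verify locally, or hand over if the context has already moved."""
        if self.context_location == "AMF2":
            return amf2.on_forwarded_auth_response(res)
        if not hmac.compare_digest(hres(self.av.rand, res), self.av.hxres):
            return False
        self.auth_pending = False
        if self.pending_transfer is not None:
            self._transfer(self.pending_transfer, "complete")
            self.pending_transfer = None
        return True


def run(mode: str, res: bytes = RES):
    """Context transfer request first, then the UE's response; returns (RES ok, AMF2 authenticated, AMF2 has context)."""
    amf1, amf2 = AMF1(make_vector(), mode), AMF2()
    amf1.on_context_transfer_request(amf2)
    ok = amf1.on_auth_response(res, amf2)
    return ok, amf2.authenticated, amf2.context is not None
```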
  • FIG. 9 shows a message processing method according to an embodiment. As shown in FIG. 9, the method includes the following steps.
  • Step 9010 After a third network function establishes a NAS connection with the terminal, it receives a context transfer request for the terminal sent by a fourth network function.
  • Step 9020 The third network function receives a first NAS message from the terminal and sends the first NAS message to the fourth network function; or, the third network function receives a second NAS message sent by the fourth network function, where the second NAS message was sent by the terminal to the fourth network function; or, the third network function sends a third NAS message to the terminal, waits for a third preset time, and then sends the context information of the terminal to the fourth network function.
  • In an embodiment, the third network function and the fourth network function may be access management functions, or other core network devices that implement access management.
  • In an embodiment, the first NAS message, the second NAS message, the third NAS message, and the fourth and fifth NAS messages below may be NAS messages of any type.
  • In an embodiment, the method further includes: the third network function sends a fourth NAS message to the terminal through the fourth network function.
  • In an embodiment, the method further includes: the third network function records that the context information of the terminal is located at the fourth network function. Since the third network function has sent the context information of the terminal to the fourth network function, it records the fourth network function as the storage location of the terminal's context information.
  • In an embodiment, the third network function receiving a first NAS message from the terminal and sending the first NAS message to the fourth network function includes: when the third network function determines, according to the category, the name, or the content of the first NAS message, that the message needs to be forwarded, or when the first NAS message cannot be decrypted, the third network function sends the first NAS message to the fourth network function.
  • The category refers to whether the message is a request message, a response message, an indication message, or the like.
  • In an embodiment, the category of messages to be forwarded is preset, or the name of messages to be forwarded is preset, or the content to be forwarded is preset; when the first NAS message is of a preset category, has a preset message name, or contains preset content, the third network function sends the first NAS message to the fourth network function.
  • FIG. 10 shows another message processing method according to an embodiment; the method includes the following steps.
  • Step 10010 A fourth network function receives a registration request from the terminal through a first access network element.
  • Step 10020 The fourth network function requests context information of the terminal from a third network function.
  • Step 10030 The fourth network function receives a first NAS message sent by the third network function, where the first NAS message was sent by the terminal to the third network function; or, the fourth network function receives a second NAS message from the terminal through a second access network element and sends the second NAS message to the third network function.
  • In an embodiment, after the fourth network function receives the first NAS message sent by the third network function, the method further includes: when the first NAS message is encrypted, the fourth network function decrypts the first NAS message and sends the decrypted first NAS message to the third network function.
  • In an embodiment, sending the decrypted first NAS message to the third network function includes: when the fourth network function successfully verifies the integrity protection of the first NAS message, it sends the decrypted first NAS message to the third network function.
  • In an embodiment, sending the second NAS message to the third network function includes: when the registration procedure of the terminal is not complete, the fourth network function sends the second NAS message to the third network function. In another embodiment, if the registration procedure of the terminal has been completed, the fourth network function may not forward the second NAS message to the third network function.
  • FIG. 11 is a flowchart of another message processing method according to an embodiment. As shown in FIG. 11, the process includes the following steps.
  • Step 11010 The UE registers with the mobile network through RAN1 and establishes a NAS connection with AMF1.
  • Step 11020 The UE registers with the mobile network through RAN2 and sends a registration request to RAN2, for example a Register Request message, which carries related information of the AMF1 the UE previously registered with.
  • Step 11030 RAN2 selects AMF2 and forwards the registration request message to AMF2.
  • Step 11040 AMF2 determines that it does not hold the context of the UE, obtains the related information of AMF1 from the registration request message, and sends a transfer context request to AMF1, for example a Transfer UE Context Request message.
  • Step 11050 AMF1 marks the new location of the UE context, for example by setting the related information of AMF2 in the cached context information of the UE, or by recording the related information of AMF2 corresponding to the UE.
  • Step 11060 AMF1 returns the context information of the UE to AMF2, for example in a Transfer UE Context Response message carrying the context information of the UE; the context information does not need to include AMF2-related information, so that AMF2 can serve the UE no matter which radio access network the UE sends messages through.
  • In an embodiment, before step 11050, AMF1 may send a NAS message to the UE through RAN1 and wait to receive another NAS message. In an embodiment, AMF1 may wait for a preset time to receive the other NAS message before returning the context information of the UE.
  • Step 11070 The UE sends a NAS message to the core network through RAN1; RAN1 has not yet received the access management function change message, so it forwards the NAS message to the original core network function, that is, AMF1.
  • Step 11080 AMF1 determines that the context of the UE has been transferred to AMF2 and therefore forwards the NAS message to AMF2 for processing.
  • In an embodiment, before AMF1 forwards the message, it determines whether forwarding is needed according to the category (Class: Request, Response, or Indication), the type (Message Type), or the content of the message.
  • In an embodiment, AMF1 may forward the received NAS message after decrypting it, or may forward the NAS message undecrypted because it cannot decrypt the message (the UE uses the new key when sending the message of step 11070).
  • Step 11090 AMF2 determines that the received forwarded NAS message is integrity protected or encrypted, decrypts it and verifies its integrity protection; after the verification succeeds, it forwards the NAS message to AMF1.
  • Step 11090 is optional; that is, in another embodiment, step 11090 may not be performed.
  • Step 11100 AMF2 may cache the NAS message for a period of time and process it after completing the registration procedure.
  • Step 11110 AMF2 notifies RAN1 that the access management function has changed, for example by sending an AMF Mobility Request message; after receiving the access management function change request message, RAN1 forwards messages subsequently received from the UE to AMF2 instead of AMF1.
  • Step 11120 RAN1 returns a message to AMF2 indicating that the access management function change is accepted, for example an AMF Mobility Response (access management function change response) message.
  • Step 11130 AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
  • Step 11140 RAN2 forwards the registration accept message to the UE.
  • FIG. 12 is a flowchart of another message processing method according to an embodiment. As shown in FIG. 12, the process includes the following steps.
  • Step 12010 The UE registers with the mobile network through RAN1 and establishes a NAS connection with AMF1.
  • Step 12020 The UE registers with the mobile network through RAN2 and sends a registration request to RAN2, for example a Register Request message, which carries related information of the AMF1 the UE previously registered with.
  • Step 12030 RAN2 selects AMF2 and forwards the registration request message to AMF2.
  • Step 12040 AMF2 determines that it does not hold the context of the UE, obtains the related information of AMF1 from the registration request message, and sends a transfer context request to AMF1, for example a Transfer UE Context Request message.
  • Step 12050 AMF1 caches the context information of the UE and returns the context information of the UE to AMF2, for example in a Transfer UE Context Response message carrying the context information of the UE.
  • Step 12060 AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request message. After receiving the message, RAN1 forwards messages received from the UE to AMF2 instead of AMF1.
  • Step 12070 The UE sends a first NAS message to the core network through RAN1.
  • Step 12080 RAN1 has already received the access management function change message, so it forwards the first NAS message to the new core network function, that is, AMF2.
  • Step 12090 AMF2 forwards the first NAS message received from RAN1 to AMF1. In an embodiment, before forwarding, AMF2 determines that the registration procedure through RAN2 has not been completed and decides to forward on that basis.
  • Step 12100 After receiving the access management function change message, RAN1 returns a message to AMF2 indicating that the access management function change is accepted, for example an AMF Mobility Response message.
  • Step 12110 In an embodiment, AMF1 receives the forwarded NAS message, decides to return a second NAS message, and forwards the second NAS message through AMF2.
  • Step 12120 AMF2 receives the forwarded second NAS message and, after corresponding processing such as encryption and integrity protection, sends the second NAS message to the UE through RAN1 or RAN2.
  • Step 12130 AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
  • Step 12140 RAN2 forwards the registration accept message to the UE.
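As an added example (neither the patent's nor 3GPP's code), this Python model implements the forwarding decisions of FIG. 9 through FIG. 12: the third network function (AMF1) records the new location of the UE context, forwards a NAS message that it cannot verify or whose category is preset for forwarding, the fourth network function (AMF2) verifies and decrypts such a message and hands it back in clear, and a reply from AMF1 reaches the UE through AMF2 protected with the new context. The toy protection scheme, the forwarding categories, the return-value strings and all message names and keys are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Preset forwarding rule (assumption): requests and responses are handed to the
# network function that now holds the UE context; indications are handled locally.
FORWARD_CATEGORIES = {"request", "response"}


@dataclass(frozen=True)
class NasMessage:
    category: str      # "request", "response" or "indication"
    msg_type: str      # constructed message-type name
    body: bytes
    mac: bytes = b""   # 32-bit MAC; empty for an unprotected message


def _mac(key: bytes, msg: NasMessage, body: bytes) -> bytes:
    header = f"{msg.category}|{msg.msg_type}|".encode()
    return hmac.new(key, header + body, hashlib.sha256).digest()[:4]


def _xor(key: bytes, body: bytes) -> bytes:
    stream = hashlib.shake_256(key + b"enc").digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def protect(msg: NasMessage, key: bytes) -> NasMessage:
    """Toy NAS protection (not 3GPP NEA/NIA): cipher the body, then MAC header and body."""
    ciphered = _xor(key, msg.body)
    return replace(msg, body=ciphered, mac=_mac(key, msg, ciphered))


def unprotect(msg: NasMessage, key: bytes):
    """Verify the MAC and decipher; returns None when integrity verification fails."""
    if not hmac.compare_digest(_mac(key, msg, msg.body), msg.mac):
        return None
    return replace(msg, body=_xor(key, msg.body), mac=b"")


class AMF1:
    """Third network function (FIG. 9): the AMF the UE first reached through RAN1."""

    def __init__(self, key: bytes):
        self.key = key                  # key of the security context AMF1 activated
        self.context_location = "AMF1"  # step 11050: updated when the context moves
        self.handled = []

    def on_context_transfer_request(self) -> None:
        self.context_location = "AMF2"  # record the new location before answering

    def on_nas_from_ran1(self, msg: NasMessage, amf2: "AMF2") -> str:
        """Steps 11070-11080: RAN1 still routes to AMF1, which decides whether to forward."""
        plain = unprotect(msg, self.key)
        if self.context_location == "AMF2":
            if plain is None:
                # The UE already uses the new key: forward as received; AMF2 verifies it (step 11090)
                return amf2.on_forwarded_from_amf1(msg, self)
            if plain.category in FORWARD_CATEGORIES:
                return amf2.on_forwarded_from_amf1(plain, self)
        if plain is None:
            return "integrity_failure"
        self.handled.append(plain)
        return "handled_by_amf1"

    def on_from_amf2(self, plain: NasMessage, amf2: "AMF2") -> str:
        """FIG. 12 step 12110: process a message AMF2 handed over and reply through AMF2."""
        self.handled.append(plain)
        reply = NasMessage("response", plain.msg_type + "_ACCEPT", b"ok")
        return amf2.send_to_ue(reply)


class AMF2:
    """Fourth network function: the AMF selected by RAN2 for the new registration."""

    def __init__(self, key: bytes):
        self.key = key                   # key of the new security context (Kamf2-derived)
        self.registration_complete = False
        self.handled = []
        self.to_ue = []                  # protected messages sent towards the UE

    def on_forwarded_from_amf1(self, msg: NasMessage, amf1: AMF1) -> str:
        """Step 11090: verify and decrypt what AMF1 could not, then hand it back in clear."""
        if not msg.mac:
            self.handled.append(msg)     # already in clear: process (or cache, step 11100)
            return "handled_by_amf2"
        plain = unprotect(msg, self.key)
        if plain is None:
            return "integrity_failure"
        return amf1.on_from_amf2(plain, self)

    def on_nas_from_ran1(self, msg: NasMessage, amf1: AMF1) -> str:
        """FIG. 12 steps 12080-12090: RAN1 already switched; forward while registration is open."""
        plain = unprotect(msg, self.key)
        if plain is None:
            return "integrity_failure"
        if self.registration_complete:
            self.handled.append(plain)
            return "handled_by_amf2"
        return amf1.on_from_amf2(plain, self)

    def send_to_ue(self, reply: NasMessage) -> str:
        """Step 12120: protect the reply with the new context and send it towards the UE."""
        self.to_ue.append(protect(reply, self.key))
        return "replied_via_amf2"
```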
  • An embodiment provides an authentication apparatus including a memory and a processor, the memory storing a program which, when read and executed by the processor, performs the following operations: after establishing a non-access stratum (NAS) connection with the terminal, sending an authentication request or a re-authentication request to the terminal; receiving a context transfer request for the terminal from a second network function, and sending a first key to the second network function, the first key being derived from a key in the authentication vector of the terminal.
  • In an embodiment, the program, when executed by the processor, implements the authentication method described in any of the above embodiments.
  • An embodiment provides a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the authentication method described in any of the above embodiments.
  • An embodiment provides a message processing apparatus including a memory and a processor, the memory storing a program which, when read and executed by the processor, performs the following operations: after establishing a NAS connection with the terminal, receiving a context transfer request for the terminal from a fourth network function; receiving a first NAS message from the terminal and sending the first NAS message to the fourth network function; or receiving a second NAS message sent by the fourth network function, where the second NAS message was sent by the terminal to the fourth network function; or, after sending a third NAS message to the terminal, waiting for a third preset time and then sending the context information of the terminal to the fourth network function.
  • In an embodiment, the program further implements the message processing method described in any of the above embodiments when read and executed by the processor.
  • An embodiment provides a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the message processing method described in any of the above embodiments.
  • In an embodiment, the computer readable storage medium includes at least one of a USB flash drive (U disk), a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
  • Embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware aspects. Moreover, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) containing computer usable program code.
  • In an embodiment, the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction apparatus, the instruction apparatus implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed are an authentication method and device, a message processing method and device, and a storage medium. The authentication method comprises: after a non-access stratum (NAS) connection has been established between a first network function and a terminal, transmitting an authentication request or a re-authentication request to the terminal; and the first network function receiving, from a second network function, a context transfer request associated with the terminal, and transmitting a first cipher key to the second network function, the first cipher key being derived from a cipher key in an authentication vector of the terminal.

Description

Authentication method and device, message processing method and device, and storage medium
The present disclosure claims priority to Chinese Patent Application No. 201810150834.9, filed with the Chinese Patent Office on February 13, 2018, the entire contents of which are incorporated herein by reference.
Technical Field
The present disclosure relates to the field of communications technologies, and for example to an authentication method and apparatus, a message processing method and apparatus, and a storage medium.
Background
The 3rd Generation Partnership Project (3GPP) proposes a registration scheme for multiple NAS (Non Access Stratum) connections: after the terminal establishes a NAS connection with a first access management function through a first access network, it registers with a second access management function; after the second access management function obtains the context of the terminal from the first access management function, it notifies the first access network that the access management function has changed and completes the registration with the terminal. During this registration procedure, the first access management function or the second access management function may be unable to serve the terminal correctly. In addition, NAS messages from the terminal may fail to be processed.
Summary
At least one embodiment of the present disclosure provides an authentication method and apparatus, so that when a terminal (User Equipment, UE) has multiple NAS connections, the network side can still serve the terminal.
At least one embodiment of the present disclosure provides an authentication method, including:
after a first network function establishes a non-access stratum (NAS) connection with a terminal, sending an authentication request or a re-authentication request to the terminal;
the first network function receives a context transfer request for the terminal from a second network function and sends a first key to the second network function, the first key being derived from a key in an authentication vector of the terminal.
An embodiment of the present disclosure provides an authentication method, including:
a second network function receives a registration request from a terminal;
the second network function requests context information of the terminal from a first network function and receives a first key sent by the first network function, the first key being derived from a key in an authentication vector of the terminal.
An embodiment of the present disclosure provides an authentication apparatus, including a memory and a processor, where the memory stores a program which, when read and executed by the processor, implements the authentication method described in any of the above embodiments.
An embodiment of the present disclosure provides a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the authentication method described in any of the above embodiments.
At least one embodiment of the present disclosure provides a message processing method and apparatus, so that when the UE has multiple NAS connections, NAS messages from the terminal can be processed correctly.
At least one embodiment of the present disclosure provides a message processing method, including:
after a third network function establishes a NAS connection with a terminal, receiving a context transfer request for the terminal sent by a fourth network function;
the third network function receives a first NAS message from the terminal and sends the first NAS message to the fourth network function; or, the third network function receives a second NAS message sent by the fourth network function, where the second NAS message was sent by the terminal to the fourth network function; or, the third network function sends a third NAS message to the terminal, waits for a third preset time, and then sends the context information of the terminal to the fourth network function.
An embodiment of the present disclosure provides a message processing method, including:
a fourth network function receives a registration request from a terminal through a first access network element;
the fourth network function requests context information of the terminal from a third network function;
the fourth network function receives a first NAS message sent by the third network function, where the first NAS message was sent by the terminal to the third network function; or, the fourth network function receives a second NAS message from the terminal through a second access network element and sends the second NAS message to the third network function.
An embodiment of the present disclosure provides a message processing apparatus, including a memory and a processor, where the memory stores a program which, when read and executed by the processor, implements the message processing method described in any of the above embodiments.
An embodiment of the present disclosure provides a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the message processing method described in any of the above embodiments.
Brief Description of the Drawings
FIG. 1 shows a registration method under multiple NAS connections in the related art;
FIG. 2 is a flowchart of an authentication method provided by an embodiment;
FIG. 3 is a flowchart of another authentication method provided by an embodiment;
FIG. 4 is an authentication flowchart provided by an embodiment;
FIG. 5 is another authentication flowchart provided by an embodiment;
FIG. 6 is another authentication flowchart provided by an embodiment;
FIG. 7 is another authentication flowchart provided by an embodiment;
FIG. 8 is another authentication flowchart provided by an embodiment;
FIG. 9 is a flowchart of another message processing method provided by an embodiment;
FIG. 10 is a flowchart of a message processing method provided by an embodiment;
FIG. 11 is a flowchart of another message processing method provided by an embodiment;
FIG. 12 is a flowchart of another message processing method provided by an embodiment.
DETAILED DESCRIPTION
Embodiments of the present disclosure are described below with reference to the accompanying drawings.
The steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions.
As shown in FIG. 1, the registration scheme in the related art includes the following steps.
Step 1010: The UE registers with the mobile network through a first radio access network (Radio Access Network 1, RAN1), thereby establishing a NAS connection with a first access management function (Access Management Function 1, AMF1).
Step 1020: The UE registers with the mobile network through a second radio access network (RAN2) by sending a registration request to RAN2, for example a Register Request message, which carries information about the AMF1 with which the UE registered earlier.
Step 1030: RAN2 selects a second access management function (AMF2) and forwards the registration request message to AMF2.
Step 1040: AMF2 determines that it holds no context for this UE, so it obtains the AMF1 information from the registration request message and sends a context transfer request to AMF1, for example a Transfer UE Context Request message.
Step 1050: AMF1 returns the context information of the UE to AMF2, so that AMF2 can serve the UE regardless of which radio access network the UE sends messages through.
In this embodiment, AMF1 may carry the context information of the UE in a Transfer UE Context Response message.
Step 1060: AMF2 informs RAN1 that the access management function has changed, for example by sending an access management function change request (AMF Mobility Request) message; after receiving this message, RAN1 forwards messages received from the UE to AMF2 instead of AMF1.
Step 1070: RAN1 returns a message to AMF2 indicating that the access management function change is accepted, for example an access management function change response (AMF Mobility Response) message.
Step 1080: AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
Step 1090: RAN2 forwards the registration accept message to the UE.
In the registration procedure shown in FIG. 1, if AMF1 initiates an authentication procedure towards the terminal through RAN1 and, before the UE's reply has been received, the UE initiates registration with the mobile network through RAN2, then after the UE has modified its security context through the authentication procedure, the authentication reply may be received by RAN1 before RAN1 receives the AMF change request, so RAN1 still forwards that message to AMF1. Since AMF1 has already transferred the UE's context to AMF2, AMF1 no longer holds the UE's context and cannot process the message. Meanwhile AMF2 and the UE may run a security procedure through RAN2, such as a NAS security mode control (Security Mode Control, SMC) procedure, to activate a new security context; at this point the security context of the UE has already changed, while the security context in the UE context information obtained by AMF2 has not, i.e. the security content held by the UE and by AMF2 differs, the security procedure between AMF2 and the UE fails, and the network can no longer serve the UE. Therefore, in the present disclosure, the new key produced by the authentication is sent to AMF2, so that the security context content of AMF2 and of the UE stays consistent.
In the registration procedure of FIG. 1, if the terminal UE sends a NAS message through RAN1 and then initiates registration with the mobile network through RAN2, the NAS message sent first may be received by RAN1 before RAN1 receives the AMF change request, so RAN1 still forwards that NAS message to AMF1. Since AMF1 has already transferred the context of the terminal UE to AMF2, AMF1 no longer holds the context of the terminal UE and cannot process the NAS message.
FIG. 2 shows an authentication method provided by an embodiment. As shown in FIG. 2, the method includes the following steps.
Step 2010: after establishing a NAS connection with a terminal, a first network function sends an authentication request or a re-authentication request to the terminal.
Step 2020: upon receiving a context transfer request for the terminal from a second network function, the first network function sends a first key to the second network function, the first key being derived from a key in the authentication vector of the terminal.
In this embodiment, the context transfer request is used to request the context information of the terminal.
In the solution provided by this embodiment, the first network function sends the first key, derived from the key in the authentication vector of the terminal, to the second network function, so that the keys held by the second network function and the first network function remain consistent.
In this embodiment, the first network function and the second network function may be access management functions, or other core network devices that implement access management.
In this embodiment, in step 2020 the first network function may carry the first key in a context transfer response.
In an embodiment, the method further includes: the first network function sending a NAS security mode command to the terminal, receiving the NAS security mode complete message returned by the terminal, and sending the NAS security mode complete message to the second network function. In this embodiment, the first network function initiates the NAS SMC procedure to activate the new security context; when the first network function receives the NAS security mode complete message, the context of the UE has already been transferred to the second network function, so the NAS security mode complete message is forwarded to the second network function for processing.
In an embodiment, the method further includes: the first network function receiving the authentication response or re-authentication response returned by the terminal and sending the authentication response or re-authentication response to the second network function. In this embodiment, when the first network function returns the first key to the second network function it has not yet received the authentication response or re-authentication response from the terminal, and it only informs the second network function that an authentication procedure is in progress; once the authentication response or re-authentication response is received, it is forwarded to the second network function, which processes it.
In an embodiment, before the authentication response or re-authentication response is sent to the second network function, the method further includes: the first network function sending the expected response from the authentication vector of the terminal to the second network function, or the first network function sending the expected response and the random string from the authentication vector of the terminal to the second network function. The second network function judges whether the authentication is valid according to the expected response, or according to the expected response and the random string.
In an embodiment, sending the first key to the second network function includes: after receiving the authentication response or the NAS security mode complete message returned by the terminal, the first network function sends the first key to the second network function. That is, the first network function waits until it has received the authentication response, the re-authentication response or the NAS security mode complete message before sending the first key to the second network function.
In an embodiment, after the first network function receives the context transfer request for the terminal from the second network function, the method further includes: the first network function sending status information to the second network function, the status information indicating the progress of the authentication procedure or of the NAS security mode procedure. The second network function may perform subsequent operations according to the status information.
In an embodiment, after the first network function receives the context transfer request for the terminal from the second network function, the method further includes: the first network function waiting until the response to the authentication request or re-authentication request is received and then sending the context information of the terminal to the second network function; or the first network function waiting for a first preset time and then sending the context information of the terminal to the second network function; or the first network function caching the context information of the terminal for a second preset time.
FIG. 3 shows another authentication method provided by an embodiment. As shown in FIG. 3, the method includes the following steps.
Step 3010: a second network function receives a registration request from a terminal.
Step 3020: the second network function requests the context information of the terminal from a first network function and receives a first key sent by the first network function, the first key being derived from a key in the authentication vector of the terminal held by the first network function.
In an embodiment, the method further includes: the second network function receiving status information sent by the first network function and, when the status information indicates that authentication is complete, waiting for a preset time before performing the NAS security mode control procedure.
In an embodiment, the method further includes: the second network function receiving status information sent by the first network function and, according to the status information, waiting to receive the authentication response, re-authentication response or NAS security mode complete message returned by the first network function.
FIG. 4 is a schematic diagram of an authentication procedure provided by an embodiment. As shown in FIG. 4, the procedure includes the following steps.
Step 4010: The UE registers with the mobile network through RAN1, thereby establishing a NAS connection with AMF1.
Step 4020: AMF1 holds the authentication vector of the UE, so it initiates an authentication or re-authentication request to the UE through RAN1, for example a User Authentication Request, carrying the network authentication parameter (AUTN) and the random string (RAND) from the authentication vector.
Step 4030: The UE registers with the mobile network through the second radio access network (RAN2) by sending a registration request to RAN2, for example a Register Request message, which carries information about the AMF1 with which the UE registered earlier.
Step 4040: RAN2 selects a second access management function (AMF2) and forwards the registration request message to AMF2.
Step 4050: After receiving the authentication request or re-authentication request, the UE judges that the AUTN is valid, computes the challenge response RES from the RAND, AUTN and other information in the authentication request or re-authentication request message, generates the access management key Kamf2, and then sends an authentication response or re-authentication response to AMF1 through RAN1, for example a User Authentication Response carrying RES. AMF1 judges that RES is valid according to the expected response HXRES in the authentication vector, or according to the RAND and the expected response HXRES in the authentication vector, and then derives the access management key Kamf2 from the key Kseaf in the authentication vector of the UE; this Kamf2 is identical to the Kamf2 generated by the UE.
Step 4060: Before AMF1 has performed the NAS SMC procedure, it receives a context transfer request for the UE from AMF2, for example a Transfer UE Context Request message.
In another case of this embodiment, step 4060 occurs before step 4050; AMF1 may then wait for a period of time in order to receive the authentication response or re-authentication response of step 4050, or wait until the authentication response or re-authentication response of step 4050 has been received before performing step 4070, or perform step 4070 while caching the context for a period of time, where the caching time may be preset.
Step 4070: AMF1 sends a context transfer response to AMF2, for example a Transfer UE Context Response message, carrying the context information of the UE, which includes the activated security context of the UE, together with status information and the derived new key Kamf2, the status information indicating that the authentication procedure of the UE is complete.
In another embodiment, AMF1 may derive a new key Kamf1 from the key Kamf in the activated security context, and the activated security context may also contain Kamf1; in that case Kamf1 and Kamf2 are derived from different keys.
Step 4080: In an embodiment, AMF2 waits for a preset time so that any messages AMF1 may have sent to the UE earlier can reach the UE; these messages are protected with the activated security context. When the wait ends, AMF2 performs the NAS SMC procedure to generate a new activated security context.
In this embodiment, the preset time may be set as needed.
Step 4090: AMF2 performs the NAS SMC procedure by sending a NAS Security Mode Command message to the UE through RAN2; the NAS Security Mode Command message is integrity protected with a key derived from Kamf2.
Step 4100: The UE has already completed the authentication procedure, so it verifies the integrity protection of the NAS Security Mode Command message with the key derived from Kamf2; after verification succeeds, it sends a NAS Security Mode Complete message to AMF2 through RAN2, the NAS Security Mode Complete message being integrity protected and encrypted with the keys derived from Kamf2.
Step 4110: AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request message; after receiving this access management function change request message, RAN1 forwards messages received from the UE to AMF2 instead of AMF1.
Step 4120: RAN1 returns a message to AMF2 indicating that the access management function change is accepted, for example an AMF Mobility Response message.
Step 4130: AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
Step 4140: RAN2 forwards the registration accept message to the UE.
In this embodiment, AMF1 receives the context transfer request from AMF2 only after receiving the authentication response; after Kamf2 has been sent to AMF2, AMF2 performs the NAS SMC procedure to activate the new security context.
FIG. 5 is a schematic diagram of another authentication procedure provided by an embodiment. As shown in FIG. 5, the procedure includes the following steps.
Step 5010: The UE registers with the mobile network through RAN1, thereby establishing a NAS connection with AMF1.
Step 5020: AMF1 holds the authentication vector of the UE, so it initiates an authentication or re-authentication request to the UE through RAN1, for example a User Authentication Request, carrying the network authentication parameter AUTN and the random string RAND from the authentication vector.
Step 5030: The UE registers with the mobile network through the second radio access network (RAN2) by sending a registration request to RAN2, for example a Register Request message, which carries information about the AMF1 with which the UE registered earlier.
Step 5040: RAN2 selects a second access management function (AMF2) and forwards the registration request message to AMF2.
Step 5050: The UE receives the authentication request or re-authentication request, judges that the AUTN is valid, computes the challenge response RES from the RAND, AUTN and other information in the authentication or re-authentication request message, generates the access management key Kamf2, and then sends an authentication or re-authentication response to AMF1 through RAN1, for example a User Authentication Response carrying RES. AMF1 judges that RES is valid according to the expected response HXRES in the authentication vector, or according to the RAND and the expected response HXRES in the authentication vector, and then derives the access management key Kamf2 from the key Kseaf in the authentication vector; this Kamf2 is identical to the Kamf2 generated by the UE.
Step 5060: AMF1 performs the NAS SMC procedure by sending a NAS Security Mode Command to the terminal through RAN1; the message is integrity protected with a key derived from Kamf2.
Step 5070: AMF1 receives a context transfer request for the UE from AMF2, for example a Transfer UE Context Request message.
Step 5080: AMF1 marks the new location of the UE context, for example by setting the AMF2 information in the cached context information of the UE, or by recording the AMF2 corresponding to the UE.
In this embodiment, AMF1 caches the context of the UE for a second preset time.
Step 5090: AMF1 sends a context transfer response to AMF2, for example a Transfer UE Context Response message, carrying the UE context information, which includes the activated security context of the UE, together with status information and the derived new key Kamf2, the status information indicating that the NAS SMC procedure is in progress. AMF1 may derive a new key Kamf1 from the key Kamf in the activated security context, and the activated security context may also contain Kamf1; in that case Kamf1 and Kamf2 are derived from different keys.
In another embodiment, AMF1 waits for a first preset time and then sends the context of the UE to AMF2.
Step 5100: AMF2 decides, according to the status information, to wait in order to receive the NAS security mode complete message.
Step 5110: The UE receives the NAS Security Mode Command message; since the UE has already completed the authentication procedure, it verifies the integrity protection of the NAS Security Mode Command message with the key derived from Kamf2, and after verification succeeds it sends a NAS Security Mode Complete message to AMF1 through RAN1, the message being integrity protected and encrypted with the keys derived from Kamf2.
Step 5120: AMF1 determines that the context of the UE has already been transferred to AMF2, and therefore sends the NAS Security Mode Complete message to AMF2 for processing.
Step 5130: AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request (access management function change request) message; after receiving this message, RAN1 sends messages received from the UE to AMF2 instead of AMF1.
Step 5140: RAN1 returns a message to AMF2 indicating that the access management function change is accepted, for example an AMF Mobility Response message.
Step 5150: AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
Step 5160: RAN2 sends the registration accept message to the UE.
In this embodiment, AMF1 receives the context transfer request after having sent the security mode command to the UE; therefore, after receiving the security mode complete message, it sends the security mode complete message to AMF2 for processing.
FIG. 6 is a schematic diagram of another authentication procedure provided by an embodiment. As shown in FIG. 6, the procedure includes the following steps.
Step 6010: The UE registers with the mobile network through RAN1, thereby establishing a NAS connection with AMF1.
Step 6020: AMF1 holds the authentication vector of the UE, so it initiates an authentication or re-authentication request to the UE through RAN1, for example a User Authentication Request, carrying the network authentication parameter AUTN and the random string RAND from the authentication vector.
Step 6030: The UE registers with the mobile network through the second radio access network (RAN2) by sending a registration request to RAN2, for example a Register Request message, which carries information about the AMF1 with which the UE registered earlier.
Step 6040: RAN2 selects a second access management function (AMF2) and forwards the registration request message to AMF2.
Step 6050: AMF1 receives a context transfer request for the UE from AMF2, for example a Transfer UE Context Request message.
Step 6060: AMF1 marks the new location of the UE context, for example by setting the AMF2 information in the cached context information of the UE, or by recording the AMF2 corresponding to the UE; AMF1 derives the access management key Kamf2 from the key Kseaf in the authentication vector, and this Kamf2 is identical to the Kamf2 generated by the UE.
Step 6070: AMF1 sends a context transfer response to AMF2, for example a Transfer UE Context Response message, carrying the UE context information, which includes the activated security context of the UE, together with status information, the derived new key Kamf2 and the expected response HXRES from the authentication vector, and possibly also the RAND from the authentication vector, where the status information indicates that the authentication procedure is in progress.
In another embodiment, AMF1 may derive a new key Kamf1 from the key Kamf in the activated security context, and the activated security context may also contain Kamf1; in that case Kamf1 and Kamf2 are derived from different keys.
Step 6080: AMF2 decides, according to the status information, to wait for a preset time in order to receive the forwarded authentication response message.
Step 6090: The UE receives the authentication request or re-authentication request, judges that the AUTN is valid, computes the challenge response RES from the RAND, AUTN and other information in the authentication request or re-authentication request message, generates the access management key Kamf2, and then sends an authentication response or re-authentication response through RAN1, for example a User Authentication Response carrying RES.
Step 6100: AMF1 determines that the context of the UE has already been transferred to AMF2, and therefore forwards the authentication response or re-authentication response message to AMF2 for processing; AMF2 judges that RES is valid using the expected response HXRES, or using the RAND and the expected response HXRES.
In another embodiment, when AMF2 judges that RES is invalid, it does not use Kamf2 but uses Kamf1 as the key.
Step 6110: AMF2 performs the NAS SMC procedure by sending a NAS Security Mode Command to the terminal through RAN2; the message is integrity protected with a key derived from Kamf2.
Step 6120: The UE receives the NAS Security Mode Command message; since the UE has already completed the authentication procedure, it verifies the integrity protection of the NAS Security Mode Command message with the key derived from Kamf2, and after verification succeeds it sends a NAS Security Mode Complete message to AMF2 through RAN2, the message being integrity protected and encrypted with the keys derived from Kamf2.
Step 6130: AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request (access management function change request) message; after receiving this message, RAN1 forwards messages received from the UE to AMF2 instead of AMF1.
Step 6140: RAN1 returns a message to AMF2 indicating that the access management function change is accepted, for example an AMF Mobility Response message.
Step 6150: AMF2 sends a registration accept message to the UE through RAN2, for example a Register Accept message.
Step 6160: RAN2 forwards the registration accept message to the UE.
In this embodiment, AMF1 receives the context transfer request before receiving the authentication response; therefore, after receiving the authentication response, it forwards the authentication response to AMF2, which processes it.
FIG. 7 is a schematic diagram of another authentication procedure provided by an embodiment. As shown in FIG. 7, the procedure includes the following steps.
Step 7010: the UE registers with the mobile network through RAN1 and thereby establishes a NAS connection with AMF1.
Step 7020: AMF1 holds the UE's authentication vector and initiates an authentication or re-authentication request to the UE through RAN1, for example a User Authentication Request carrying the network authentication parameter AUTN and the random string RAND from the authentication vector.
Step 7030: the UE registers with the mobile network through the second radio access network (RAN2) by sending a registration request to RAN2, for example a Register Request message, which carries information about AMF1, with which the UE previously registered.
Step 7040: RAN2 selects the second access management function (AMF2) and forwards the registration request message to AMF2.
Step 7050: AMF1 receives a context transfer request for the UE from AMF2, for example a Transfer UE Context Request message.
Step 7060: because AMF1 has not yet received the authentication response message, it waits for a preset time in order to receive the authentication response message, or waits until the authentication response message is received.
Step 7070: the UE receives the authentication or re-authentication request, determines that AUTN is valid, computes the challenge response RES from the RAND, AUTN and other information in the request message, generates the access management key Kamf2, and sends an authentication response or re-authentication response to AMF1 through RAN1, for example a User Authentication Response carrying RES. AMF1 determines that RES is valid using the expected response HXRES from the authentication vector, or using the RAND from the authentication vector together with HXRES, and then derives the access management key Kamf2 from the key Kseaf in the authentication vector; this Kamf2 is identical to the Kamf2 generated by the UE.
Step 7080: AMF1 sends a context transfer response to AMF2, for example a Transfer UE Context Response message, carrying the UE context information, which includes the UE's active security context, and the newly derived key Kamf2. AMF1 may also derive a new key Kamf1 from the key Kamf in the active security context, and the active security context may then also contain Kamf1; in that case Kamf1 and Kamf2 are derived from different keys.
In another embodiment, the context transfer response may also carry status information indicating that the authentication procedure is complete.
Step 7090: AMF2 runs the NAS SMC procedure and sends a NAS Security Mode Command to the UE through RAN2; the NAS Security Mode Command message is integrity-protected with a key derived from Kamf2.
Step 7100: the UE has already completed the authentication procedure, so it verifies the integrity protection of the NAS Security Mode Command message with the key derived from Kamf2. If verification succeeds, it sends a NAS Security Mode Complete message to AMF2 through RAN2; that message is integrity-protected and encrypted with the key derived from Kamf2.
Step 7110: AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request (access management function change request) message. After receiving the access management function change request message, RAN1 forwards messages received from the UE to AMF2 instead of AMF1.
Step 7120: RAN1 returns a message to AMF2 accepting the access management function change, for example an AMF Mobility Response message.
Step 7130: AMF2 sends a registration accept message, for example a Register Accept message, to the UE through RAN2.
Step 7140: RAN2 forwards the registration accept message to the UE.
In this embodiment, when AMF1 receives the context transfer request from AMF2 it has not yet received the authentication response or re-authentication response returned by the UE; AMF1 therefore waits until it has received the UE's authentication response before sending the context transfer response to AMF2.
FIG. 8 is a schematic diagram of another authentication procedure provided by an embodiment. As shown in FIG. 8, the procedure includes the following steps.
Step 8010: the UE registers with the mobile network through RAN1 and thereby establishes a NAS connection with AMF1.
Step 8020: AMF1 holds the UE's authentication vector and initiates an authentication request or re-authentication request to the UE through RAN1, for example a User Authentication Request carrying the network authentication parameter AUTN and the random string RAND from the UE's authentication vector.
Step 8030: the UE registers with the mobile network through the second radio access network (RAN2) by sending a registration request to RAN2, for example a Register Request message, which carries information about AMF1, with which the UE previously registered.
Step 8040: RAN2 selects the second access management function (AMF2) and forwards the registration request message to AMF2.
Step 8050: the UE receives the authentication or re-authentication request, determines that AUTN is valid, computes the challenge response RES from the RAND, AUTN and other information in the request message, generates the access management key Kamf2, and sends an authentication response or re-authentication response to AMF1 through RAN1, for example a User Authentication Response carrying RES. AMF1 determines that RES is valid using the expected response HXRES from the authentication vector, or using the RAND from the authentication vector together with HXRES, and then derives the access management key Kamf2 from the key Kseaf in the authentication vector; this Kamf2 is identical to the Kamf2 generated by the UE.
Step 8060: AMF1 runs the NAS SMC procedure and sends a NAS Security Mode Command to the terminal through RAN1; the message is integrity-protected with a key derived from Kamf2.
Step 8070: AMF1 receives a context transfer request for the UE from AMF2, for example a Transfer UE Context Request message.
Step 8080: because AMF1 has not yet received the NAS Security Mode Complete message, it waits for a preset time in order to receive the NAS Security Mode Complete message, or waits until that message is received.
Step 8090: the UE receives the NAS Security Mode Command message. Because it has already completed the authentication procedure, it verifies the integrity protection of the message with the key derived from Kamf2 and, if verification succeeds, sends a NAS Security Mode Complete message to AMF1 through RAN1; the NAS Security Mode Complete message is integrity-protected and encrypted with the key derived from Kamf2.
Step 8100: AMF1 completes the NAS SMC procedure and generates a new active security context containing the newly derived key Kamf2. It then sends a context transfer response to AMF2, for example a Transfer UE Context Response message, carrying the UE context information, which includes the UE's active security context.
Step 8110: AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request (access management function change request) message. After receiving the access management function change request message, RAN1 forwards messages received from the UE to AMF2 instead of AMF1.
Step 8120: RAN1 returns a message to AMF2 accepting the access management function change, for example an AMF Mobility Response message.
Step 8130: AMF2 sends a registration accept message, for example a Register Accept message, to the UE through RAN2.
Step 8140: RAN2 forwards the registration accept message to the UE.
In this embodiment, AMF1 receives the context transfer request from AMF2 after it has sent the Security Mode Command to the UE; AMF1 therefore waits until it has received the Security Mode Complete message before sending the context transfer response to AMF2.
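The three procedures above differ only in what AMF1 does when the Transfer UE Context Request arrives while an authentication exchange is still open: answer at once with Kamf2, HXRES and RAND and forward the later RES (FIG. 6), or hold the response until the awaited message (the authentication response in FIG. 7, the Security Mode Complete in FIG. 8) has been received. The following Python model is an added illustration of the FIG. 6 and FIG. 7 paths and is not code from the patent or from any 3GPP implementation. It assumes HMAC-SHA256 as a stand-in for the 3GPP key derivation function, computes HXRES as in 5G AKA (the low 128 bits of SHA-256(RAND || RES)), and builds a toy authentication vector from a long-term key K; message names, the `forward_in_flight` switch and the status strings are constructed for the example.

```python
"""Added model of the in-flight authentication hand-over of Figs. 6 and 7: a
context transfer request reaches AMF1 after it has sent the authentication
request but before RES has come back.  Toy AUSF/UE/AMF; cryptography is a
stand-in (HMAC-SHA256), not the 3GPP algorithms.  Fig. 8 is the same pattern
with the NAS Security Mode Complete as the awaited message."""
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes) -> bytes:
    """Assumed key derivation: HMAC-SHA256, standing in for the TS 33.501 KDF."""
    return hmac.new(key, label, hashlib.sha256).digest()


def hxres_of(rand: bytes, res: bytes) -> bytes:
    """HXRES as in 5G AKA: the low 128 bits of SHA-256(RAND || RES)."""
    return hashlib.sha256(rand + res).digest()[16:]


def make_auth_vector(k: bytes) -> dict:
    """Constructed authentication vector from the long-term key K (toy AUSF/UDM)."""
    rand = os.urandom(16)
    xres = kdf(k, b"res" + rand)[:16]
    return {"rand": rand, "autn": kdf(k, b"autn" + rand)[:16], "xres": xres,
            "hxres": hxres_of(rand, xres), "kseaf": kdf(k, b"kseaf" + rand)}


class UE:
    def __init__(self, k: bytes):
        self.k, self.kamf = k, None

    def on_auth_request(self, rand: bytes, autn: bytes) -> bytes:
        """Steps 6090/7070: check AUTN, derive Kamf2 locally, answer with RES."""
        if not hmac.compare_digest(autn, kdf(self.k, b"autn" + rand)[:16]):
            raise ValueError("AUTN invalid")
        self.kamf = kdf(kdf(self.k, b"kseaf" + rand), b"kamf")
        return kdf(self.k, b"res" + rand)[:16]


class AMF2:
    def __init__(self):
        self.kamf = self.status = self.hxres = self.rand = None

    def on_context_transfer_response(self, kamf2, status, hxres=None, rand=None):
        self.kamf, self.status, self.hxres, self.rand = kamf2, status, hxres, rand

    def on_forwarded_auth_response(self, res: bytes) -> bool:
        """Step 6100: AMF2 finishes the AKA run that AMF1 started."""
        if self.status != "auth_in_progress":
            raise RuntimeError("no authentication pending at AMF2")
        ok = hmac.compare_digest(hxres_of(self.rand, res), self.hxres)
        self.status = "authenticated" if ok else "auth_failed"
        return ok


class AMF1:
    def __init__(self, av: dict, forward_in_flight: bool):
        self.av = av
        self.forward_in_flight = forward_in_flight  # True: Fig. 6, False: Fig. 7
        self.auth_pending = True        # authentication request sent, no RES yet
        self.transferred_to = None      # step 6100: context already moved to AMF2
        self.waiting_transfer = None    # step 7060: AMF2 blocked on our response

    def kamf2(self) -> bytes:
        """Kamf2 from Kseaf in the authentication vector (step 7070; carried in 6070)."""
        return kdf(self.av["kseaf"], b"kamf")

    def on_context_transfer_request(self, amf2: AMF2) -> None:
        if self.auth_pending and self.forward_in_flight:
            # Fig. 6 step 6070: answer at once, flag authentication as in progress
            # and hand over Kamf2 plus HXRES/RAND so AMF2 can check RES itself
            self.transferred_to = amf2
            amf2.on_context_transfer_response(self.kamf2(), "auth_in_progress",
                                              self.av["hxres"], self.av["rand"])
        elif self.auth_pending:
            self.waiting_transfer = amf2        # Fig. 7 step 7060: hold until RES arrives
        else:
            amf2.on_context_transfer_response(self.kamf2(), "auth_complete")

    def on_auth_response(self, res: bytes) -> bool:
        if self.transferred_to is not None:     # Fig. 6 step 6100: forward only
            return self.transferred_to.on_forwarded_auth_response(res)
        ok = hmac.compare_digest(hxres_of(self.av["rand"], res), self.av["hxres"])
        self.auth_pending = False
        if ok and self.waiting_transfer is not None:   # Fig. 7 steps 7070/7080
            amf2, self.waiting_transfer = self.waiting_transfer, None
            amf2.on_context_transfer_response(self.kamf2(), "auth_complete")
        return ok


def run(forward_in_flight: bool):
    """One hand-over; returns (RES accepted, UE and AMF2 hold the same Kamf2)."""
    k = os.urandom(32)                          # constructed long-term key K
    ue, av, amf2 = UE(k), make_auth_vector(k), AMF2()
    amf1 = AMF1(av, forward_in_flight)
    amf1.on_context_transfer_request(amf2)      # Transfer UE Context Request
    ok = amf1.on_auth_response(ue.on_auth_request(av["rand"], av["autn"]))
    return ok, amf2.kamf == ue.kamf
```

`run(True)` exercises the FIG. 6 path and `run(False)` the FIG. 7 path; in both, the UE and AMF2 end up holding the same Kamf2 without AMF2 ever seeing Kseaf. A wrong RES leaves AMF2 with status `auth_failed` on the FIG. 6 path, and on the FIG. 7 path AMF1 never releases the context transfer response at all, which is the point of the wait in step 7060.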
FIG. 9 shows a message processing method provided by an embodiment. As shown in FIG. 9, the method includes the following steps.
Step 9010: after establishing a NAS connection with the terminal, a third network function receives a context transfer request for the terminal sent by a fourth network function.
Step 9020: the third network function receives a first NAS message from the terminal and sends the first NAS message to the fourth network function; or the third network function receives a second NAS message sent by the fourth network function, where the second NAS message was sent by the terminal to the fourth network function; or the third network function sends a third NAS message to the terminal and, after waiting for a third preset time, sends the terminal's context information to the fourth network function.
In this embodiment, the third network function and the fourth network function may be access management functions, or other core network equipment that implements access management. The first, second and third NAS messages, and the fourth and fifth NAS messages mentioned below, may be NAS messages of any type.
In an embodiment, after the third network function receives the second NAS message sent by the fourth network function, the method further includes the third network function sending a fourth NAS message to the terminal through the fourth network function.
In an embodiment, after the third network function receives the context transfer request for the terminal from the fourth network function, the method further includes the third network function recording that the terminal's context information is located at the fourth network function. Because the third network function will send the terminal's context information to the fourth network function, it records the fourth network function as the storage location of that context information.
In an embodiment, the third network function receiving a first NAS message from the terminal and sending it to the fourth network function includes: the third network function sends the first NAS message to the fourth network function when it determines from the class, the name or the content of the first NAS message that forwarding is required, or when the first NAS message cannot be decrypted. Here the class of a message means whether the message is a request message, a response message, an indication message, and so on. For example, the message classes that require forwarding, or the message names or message contents that require forwarding, are preconfigured; when the first NAS message is of a preconfigured class, has a preconfigured name or contains preconfigured content, the third network function sends it to the fourth network function.
FIG. 10 shows another message processing method provided by an embodiment; the method includes the following steps.
Step 10010: the fourth network function receives a registration request from the terminal through a first access network element.
Step 10020: the fourth network function requests the terminal's context information from the third network function.
Step 10030: the fourth network function receives a first NAS message sent by the third network function, where the first NAS message was sent by the terminal to the third network function; or the fourth network function receives a second NAS message from the terminal through a second access network element and sends the second NAS message to the third network function.
In an embodiment, after the fourth network function receives the first NAS message sent by the third network function, the method further includes: when the first NAS message is encrypted, the fourth network function decrypts the first NAS message and sends the decrypted first NAS message to the third network function.
Sending the decrypted first NAS message to the third network function includes: the fourth network function sends the decrypted first NAS message to the third network function only when it has successfully verified the integrity protection of the first NAS message. A message whose integrity check fails under the fourth network function's key is therefore not passed on, which prevents an unauthenticated NAS message from being injected into the third network function through the forwarding path.
In an embodiment, sending the second NAS message to the third network function includes: the fourth network function sends the second NAS message to the third network function when the terminal's registration procedure has not yet completed. In another embodiment, if the terminal's registration procedure has completed, the fourth network function need not forward the second NAS message to the third network function.
FIG. 11 is a flowchart of another message processing method provided by an embodiment. As shown in FIG. 11, the procedure includes the following steps.
Step 11010: the UE registers with the mobile network through RAN1 and thereby establishes a NAS connection with AMF1.
Step 11020: the UE registers with the mobile network through RAN2 by sending a registration request to RAN2, for example a Register Request message, which carries information about AMF1, with which the UE previously registered.
Step 11030: RAN2 selects AMF2 and forwards the registration request message to AMF2.
Step 11040: AMF2 determines that it does not hold the UE's context, obtains the information about AMF1 from the registration request message and sends a transfer context request to AMF1, for example a Transfer UE Context Request (transfer terminal context request) message.
Step 11050: AMF1 marks the new location of the UE context, for example by setting AMF2's information in the cached UE context information, or by recording the AMF2 that corresponds to the UE.
Step 11060: AMF1 returns the UE's context information to AMF2, for example in a Transfer UE Context Response (transfer terminal context response) message carrying the UE's context information. The context information need not contain AMF2-related information, so that AMF2 can serve the UE regardless of which radio access network the UE sends messages through. AMF1 may have sent a NAS message to the UE through RAN1 before step 11050 and be waiting to receive another NAS message; in that case AMF1 may wait for a preset time to receive the other NAS message before returning the UE's context information.
Step 11070: the UE sends a NAS message to the core network through RAN1. RAN1 has not yet received a message that the access management function has changed, so it forwards the NAS message to the original core network function, AMF1.
Step 11080: AMF1 determines that the UE context has already been transferred to AMF2 and therefore forwards the NAS message to AMF2 for processing.
In an embodiment, before forwarding the message AMF1 determines whether it needs to be forwarded according to the message's class (Class: Request, Response or Indication), its type (Message Type, i.e. the message name) or its content.
In this embodiment, AMF1 may decrypt the received NAS message and then forward it, or it may forward the NAS message undecrypted because it is unable to decrypt it (the UE used a new key when sending the message of step 11070).
Step 11090: if AMF2 determines that the forwarded NAS message is integrity-protected or encrypted, it decrypts the forwarded NAS message and verifies its integrity protection; only after successful verification does it forward the NAS message to AMF1.
In this embodiment step 11090 is optional; that is, in another embodiment step 11090 may be omitted.
Step 11100: AMF2 may buffer the NAS message for a period of time and process it after the registration procedure has completed.
Step 11110: AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request (access management function change request) message. After receiving the access management function change request message, RAN1 forwards messages received from the UE to AMF2 instead of AMF1.
Step 11120: RAN1 returns a message to AMF2 accepting the access management function change, for example an AMF Mobility Response (access management function change response) message.
Step 11130: AMF2 sends a registration accept message, for example a Register Accept message, to the UE through RAN2.
Step 11140: RAN2 forwards the registration accept message to the UE.
FIG. 12 is a flowchart of another message processing method provided by an embodiment. As shown in FIG. 12, the procedure includes the following steps.
Step 12010: the UE registers with the mobile network through RAN1 and thereby establishes a NAS connection with AMF1.
Step 12020: the UE registers with the mobile network through RAN2 by sending a registration request to RAN2, for example a Register Request message, which carries information about AMF1, with which the UE previously registered.
Step 12030: RAN2 selects AMF2 and forwards the registration request message to AMF2.
Step 12040: AMF2 determines that it does not hold the UE's context, obtains the information about AMF1 from the registration request message and sends a transfer context request to AMF1, for example a Transfer UE Context Request (transfer terminal context request) message.
Step 12050: AMF1 caches the UE's context information and then returns the terminal UE's context information to AMF2, for example in a Transfer UE Context Response message carrying the terminal UE's context information.
Step 12060: AMF2 informs RAN1 that the access management function has changed, for example by sending an AMF Mobility Request message. Once RAN1 has received that message, it forwards messages received from the UE to AMF2 instead of AMF1.
Step 12070: the UE sends a first NAS message to the core network through RAN1.
Step 12080: RAN1 has already received the message that the access management function has changed, so it forwards the first NAS message to the new core network function, AMF2.
Step 12090: AMF2 forwards the first NAS message received from RAN1 to AMF1. In an embodiment, before forwarding, AMF2 determines that the registration procedure through RAN2 has not yet completed and therefore decides to forward.
Step 12100: after receiving the access management function change message, RAN1 returns a message to AMF2 accepting the access management function change, for example an AMF Mobility Response message.
Step 12110: in an embodiment, AMF1 receives the forwarded first NAS message, decides to return a second NAS message, and forwards that second NAS message through AMF2.
Step 12120: AMF2 receives the forwarded second NAS message, applies the appropriate processing, such as encryption and integrity protection, and sends the second NAS message to the UE through RAN1 or RAN2.
Step 12130: AMF2 sends a registration accept message, for example a Register Accept message, to the UE through RAN2.
Step 12140: RAN2 forwards the registration accept message to the UE.
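FIGS. 9 to 12 describe two forwarding directions for a NAS message that arrives at the wrong AMF: in FIG. 11 RAN1 still delivers to AMF1 after the context has moved, so AMF1 either handles the message, forwards it by class, name or content, or forwards it undecrypted because the UE already uses the new key, and AMF2 verifies it before returning it to AMF1 or buffering it until registration completes; in FIG. 12 RAN1 has already been redirected, so AMF2 relays the message to AMF1 while registration is incomplete and protects AMF1's reply with the new key. The following Python model is an added illustration of both paths and is not code from the patent or from any AMF implementation. NAS protection is a stand-in (an HMAC-SHA256 based keystream and tag, not NEA/NIA), the `class/name/body` message encoding and the `FORWARD_CLASSES` policy are constructed for the example, and the class and method names are assumptions.

```python
"""Added model of the message-processing paths of Figs. 9 to 12: a NAS message
that reaches the AMF which no longer (Fig. 11) or does not yet (Fig. 12) own
the UE context.  Cryptography is a stand-in (HMAC-SHA256 based), not 3GPP
NEA/NIA; message encoding and forwarding policy are constructed for the example."""
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """Assumed key derivation: HMAC-SHA256, standing in for the TS 33.501 KDF."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 counter keystream (no nonce; example only)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def nas_protect(kamf: bytes, plain: bytes) -> bytes:
    """Encrypt-then-MAC under NAS keys derived from Kamf."""
    ct = _xor_stream(kdf(kamf, b"nas-enc"), plain)
    return ct + hmac.new(kdf(kamf, b"nas-int"), ct, hashlib.sha256).digest()[:8]


def nas_unprotect(kamf: bytes, wire: bytes):
    """Plaintext, or None when the MAC does not verify (wrong key or tampered)."""
    ct, mac = wire[:-8], wire[-8:]
    want = hmac.new(kdf(kamf, b"nas-int"), ct, hashlib.sha256).digest()[:8]
    return _xor_stream(kdf(kamf, b"nas-enc"), ct) if hmac.compare_digest(mac, want) else None


def parse(plain: bytes):
    """Constructed NAS encoding: b'<class>/<name>/<body>' -> (class, name, body)."""
    cls, name, body = plain.split(b"/", 2)
    return cls.decode(), name.decode(), body


# Constructed policy for steps 9020/11080: message classes that must follow
# the UE context to the new AMF instead of being handled by the old one.
FORWARD_CLASSES = {"request"}


class OldAMF:                                   # AMF1, the "third network function"
    def __init__(self, kamf: bytes):
        self.kamf, self.context_at, self.handled = kamf, None, []

    def on_context_transfer_request(self, new_amf):
        self.context_at = new_amf               # step 11050: note the new location
        new_amf.old_amf = self

    def on_nas_from_ran(self, wire: bytes):
        """Fig. 11: RAN1 still delivers to AMF1 after the context has moved."""
        plain = nas_unprotect(self.kamf, wire)
        if self.context_at is None:
            return self.handle(plain)
        if plain is None:                       # UE already uses the new key (11080)
            return self.context_at.on_forwarded_from_old(wire, protected=True)
        if parse(plain)[0] in FORWARD_CLASSES:
            return self.context_at.on_forwarded_from_old(plain, protected=False)
        return self.handle(plain)

    def handle(self, plain: bytes):
        if plain is None:
            return "discarded"
        self.handled.append(parse(plain)[1])
        return "handled-by-old"

    def reply_to(self, plain: bytes) -> bytes:
        """Step 12110: answer a message AMF2 relayed; the reply goes back via AMF2."""
        cls, name, body = parse(plain)
        self.handled.append(name)
        return b"response/" + name.encode() + b"-ack/" + body


class NewAMF:                                   # AMF2, the "fourth network function"
    def __init__(self, kamf: bytes):
        self.kamf, self.old_amf, self.registration_done = kamf, None, False
        self.buffered, self.handled = [], []

    def on_forwarded_from_old(self, msg: bytes, protected: bool):
        """Steps 11090/11100: verify with the new key, return to AMF1 or buffer."""
        plain = nas_unprotect(self.kamf, msg) if protected else msg
        if plain is None:
            return "discarded"                  # verifies under neither key
        if protected and parse(plain)[0] not in FORWARD_CLASSES:
            return self.old_amf.handle(plain)   # 11090: decrypted, verified, back to AMF1
        if not self.registration_done:
            self.buffered.append(plain)         # 11100: hold until Register Accept
            return "buffered"
        self.handled.append(parse(plain)[1])
        return "handled-by-new"

    def on_nas_from_ran(self, wire: bytes):
        """Fig. 12: RAN1 already redirected, registration via RAN2 not finished."""
        plain = nas_unprotect(self.kamf, wire)
        if plain is None:
            return None
        if not self.registration_done and self.old_amf is not None:
            reply = self.old_amf.reply_to(plain)                  # step 12090
            return nas_protect(self.kamf, reply)                  # step 12120
        self.handled.append(parse(plain)[1])
        return None

    def complete_registration(self):
        """Register Accept sent: process what was buffered meanwhile."""
        self.registration_done = True
        self.handled.extend(parse(p)[1] for p in self.buffered)
        self.buffered.clear()
```

The decisive check sits in `on_forwarded_from_old`: a message that AMF1 could not verify is only acted on after it verifies under AMF2's key, and a message that verifies under neither key is dropped rather than relayed back, which is the property step 11090 and the FIG. 10 integrity condition are protecting. The toy cipher has no nonce and reuses its keystream across messages; it exists only to make "cannot decrypt" observable and must not be copied into anything real.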
一实施例提供一种认证装置,包括存储器和处理器,所述存储器存储有程序,所述程序在被所述处理器读取执行时,实现如下操作:与终端建立非接入 层NAS连接后,向所述终端发送认证请求或重认证请求;接收到来自第二网络功能的针对所述终端的上下文转移请求,向所述第二网络功能发送第一密钥,所述第一密钥基于所述终端的认证向量中的密钥派生。An embodiment provides an authentication apparatus, including a memory and a processor, the memory storing a program, when the program is read and executed by the processor, the following operations are performed: establishing a non-access stratum NAS connection with the terminal Sending an authentication request or a re-authentication request to the terminal; receiving a context transfer request for the terminal from the second network function, and transmitting a first key to the second network function, the first key being based on Key derivation in the authentication vector of the terminal.
在另一实施例中,所述程序在被所述处理器读取执行时,还实现上述任一实施例所述的认证方法。In another embodiment, the program, when executed by the processor, implements the authentication method described in any of the above embodiments.
一实施例提供一种计算机可读存储介质,所述计算机可读存储介质存储有一个或者多个程序,所述一个或者多个程序可被一个或者多个处理器执行,以实现上述任一实施例所述的认证方法。An embodiment provides a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement any of the above implementations The authentication method described in the example.
一实施例提供一种消息处理装置,包括存储器和处理器,所述存储器存储有程序,所述程序在被所述处理器读取执行时,实现如下操作:与终端建立NAS连接后,接收到来自第四网络功能的针对所述终端的上下文转移请求;接收来自所述终端的第一NAS消息,将所述第一NAS消息发送给所述第四网络功能;或,接收所述第四网络功能发送的第二NAS消息,其中,所述第二NAS消息由所述终端发送给所述第四网络功能;或,向所述终端发送第三NAS消息,等待第三预设时间后,将所述终端的上下文信息发送给所述第四网络功能。An embodiment provides a message processing apparatus including a memory and a processor, the memory storing a program, when the program is read and executed by the processor, the following operations are performed: after establishing a NAS connection with the terminal, receiving a context transfer request for the terminal from a fourth network function; receiving a first NAS message from the terminal, transmitting the first NAS message to the fourth network function; or receiving the fourth network a second NAS message sent by the function, where the second NAS message is sent by the terminal to the fourth network function; or, after sending a third NAS message to the terminal, waiting for a third preset time, The context information of the terminal is sent to the fourth network function.
在另一实施例中,所述程序在被所述处理器读取执行时,还实现上述任一实施例所述的消息处理方法。In another embodiment, the program further implements the message processing method described in any of the above embodiments when read by the processor.
一实施例提供一种计算机可读存储介质,所述计算机可读存储介质存储有一个或者多个程序,所述一个或者多个程序可被一个或者多个处理器执行,以实现上述任一实施例所述的消息处理方法。An embodiment provides a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement any of the above implementations The message processing method described in the example.
所述计算机可读存储介质包括:U盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、移动硬盘、磁碟或者光盘等至少一种可以存储程序代码的介质。The computer readable storage medium includes: at least one of a U disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk. The medium of the code.
Embodiments of the present disclosure may be provided as a method, a system, or a computer program product. Accordingly, the present disclosure may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present disclosure. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Claims (22)

  1. An authentication method, comprising:
    after a first network function establishes a non-access stratum (NAS) connection with a terminal, sending, by the first network function, an authentication request or a re-authentication request to the terminal; and
    upon receiving a context transfer request for the terminal from a second network function, sending, by the first network function, a first key to the second network function, wherein the first key is derived from a key in the authentication vector of the terminal.
  2. The authentication method according to claim 1, further comprising: sending, by the first network function, a NAS security mode command to the terminal, receiving a NAS security mode complete message returned by the terminal, and sending the NAS security mode complete message to the second network function.
  3. The authentication method according to claim 1, further comprising: receiving, by the first network function, an authentication response or a re-authentication response returned by the terminal, and sending the authentication response or re-authentication response to the second network function.
  4. The authentication method according to claim 3, wherein, before the sending of the authentication response or re-authentication response to the second network function, the method further comprises:
    sending, by the first network function, the expected response in the authentication vector of the terminal to the second network function, or sending, by the first network function, the expected response and the random string in the authentication vector of the terminal to the second network function.
  5. The authentication method according to claim 1, wherein the sending of the first key to the second network function comprises: sending, by the first network function, the first key to the second network function after receiving an authentication response, a re-authentication response, or a NAS security mode complete message returned by the terminal.
  6. The authentication method according to any one of claims 1 to 5, further comprising, after the first network function receives the context transfer request for the terminal from the second network function: sending, by the first network function, status information to the second network function, wherein the status information indicates the progress state of the authentication procedure or of the NAS security mode procedure.
  7. The authentication method according to any one of claims 1 to 5, further comprising, after the first network function receives the context transfer request for the terminal from the second network function: waiting, by the first network function, for the response to the authentication request or re-authentication request and then sending the context information of the terminal to the second network function; or waiting, by the first network function, for a first preset time and then sending the context information of the terminal to the second network function; or caching, by the first network function, the context information of the terminal for a second preset time.
  8. An authentication method, comprising:
    receiving, by a first network function, a registration request from a terminal; and
    requesting, by the first network function, context information of the terminal from a second network function, and receiving a first key sent by the second network function, wherein the first key is derived from a key in the authentication vector of the terminal.
  9. The authentication method according to claim 8, further comprising: receiving, by the first network function, status information sent by the second network function, wherein, when the status information indicates that authentication is complete, the first network function waits for a preset time and then performs the non-access stratum (NAS) security mode control procedure.
  10. The authentication method according to claim 8, further comprising: receiving, by the first network function, status information sent by the second network function, and, according to the status information, waiting to receive an authentication response, a re-authentication response, or a NAS security mode complete message returned by the second network function.
  11. An authentication apparatus, comprising a memory and a processor, the memory storing a program which, when read and executed by the processor, implements the authentication method according to any one of claims 1 to 10.
  12. A computer-readable storage medium storing at least one program, the at least one program being executable by at least one processor to implement the authentication method according to any one of claims 1 to 10.
  13. A message processing method, comprising:
    after a first network function establishes a non-access stratum (NAS) connection with a terminal, receiving, by the first network function, a context transfer request for the terminal sent by a second network function; and
    receiving, by the first network function, a first NAS message from the terminal, and sending the first NAS message to the second network function; or receiving, by the first network function, a second NAS message sent by the second network function, wherein the second NAS message was sent by the terminal to the second network function; or sending, by the first network function, a third NAS message to the terminal, waiting for a preset time, and then sending the context information of the terminal to the second network function.
  14. The message processing method according to claim 13, further comprising, after the first network function receives the second NAS message sent by the second network function: sending, by the first network function, a fourth NAS message to the terminal via the second network function.
  15. The message processing method according to claim 13, further comprising, after the first network function receives the context transfer request for the terminal from the second network function: recording, by the first network function, that the context information of the terminal is located at the second network function.
  16. The message processing method according to claim 13, wherein the receiving, by the first network function, of the first NAS message from the terminal and the sending of the first NAS message to the second network function comprises:
    sending, by the first network function, the first NAS message to the second network function when the first network function determines, from the type, name, or content of the first NAS message, that it needs to be forwarded, or when the first NAS message cannot be decrypted.
  17. A message processing method, comprising:
    receiving, by a first network function, a registration request from a terminal via a first access network element;
    requesting, by the first network function, context information of the terminal from a second network function; and
    receiving, by the first network function, a first NAS message sent by the second network function, wherein the first NAS message was sent by the terminal to the second network function; or receiving, by the first network function, a second NAS message from the terminal via a second access network element, and sending the second NAS message to the second network function.
  18. The message processing method according to claim 17, further comprising, after the first network function receives the first NAS message sent by the second network function: when the first NAS message is encrypted, decrypting, by the first network function, the first NAS message, and sending the decrypted first NAS message to the second network function.
  19. The message processing method according to claim 18, wherein the sending of the decrypted first NAS message to the second network function comprises:
    sending the decrypted first NAS message to the second network function when the first network function successfully verifies the integrity protection of the first NAS message.
  20. The message processing method according to claim 17, wherein the sending of the second NAS message to the second network function comprises:
    sending, by the first network function, the second NAS message to the second network function when the registration procedure of the terminal has not been completed.
  21. A message processing apparatus, comprising a memory and a processor, the memory storing a program which, when read and executed by the processor, implements the message processing method according to any one of claims 13 to 20.
  22. A computer-readable storage medium storing at least one program, the at least one program being executable by at least one processor to implement the message processing method according to any one of claims 13 to 20.
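The relocation exchange that claims 1 to 10 describe, written out as a small simulation with the terminal and both network functions: the source reports the procedure state (claim 6) and hands over XRES and RAND (claim 4), relays the terminal's response (claim 3), and releases a key derived from the authentication vector only once a response exists (claims 1 and 5); the target verifies the relayed response against XRES (claim 10) and decides whether NAS security mode control can start (claim 9). This is an added example, not code from the patent or from the applicant. HMAC-SHA256 stands in for the RES/XRES computation and for the key derivation function (real networks use Milenage/TUAK and the 3GPP KDF), the subscriber key, RAND and derivation labels are constructed values, and the class and method names are this example's own.

```python
"""
Relocation between two network functions in the middle of an authentication
run, as laid out in claims 1 to 10 of the patent above.
Added example, not code from the patent. HMAC-SHA256 stands in for the RES/XRES
function and the key derivation function; K_ue, RAND and the derivation labels
are constructed values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

def prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

@dataclass
class AuthVector:
    rand: bytes      # challenge sent to the terminal
    xres: bytes      # expected response, never leaves the network
    k_anchor: bytes  # the "key in the authentication vector" of claim 1

def generate_av(k_ue: bytes) -> AuthVector:
    rand = os.urandom(16)
    return AuthVector(rand, prf(k_ue, b"RES" + rand), prf(k_ue, b"ANCHOR" + rand))

class Terminal:
    def __init__(self, k_ue: bytes):
        self.k_ue = k_ue
    def on_auth_request(self, rand: bytes) -> dict:
        return {"type": "AUTH_RESPONSE", "res": prf(self.k_ue, b"RES" + rand)}

class SourceNF:
    """First network function of claims 1 to 7: the one that started authentication."""
    def __init__(self, av: AuthVector):
        self.av, self.state, self.target = av, "IDLE", None
    def send_auth_request(self) -> dict:
        self.state = "AUTH_PENDING"
        return {"type": "AUTH_REQUEST", "rand": self.av.rand}
    def first_key(self) -> bytes:
        return prf(self.av.k_anchor, b"FIRST_KEY")  # claim 1: derived from the AV key
    def on_context_transfer_request(self, target: "TargetNF") -> None:
        self.target = target
        # Claim 6: report the procedure state; claim 4: hand over XRES and RAND so
        # the target can verify a response that the source will only relay.
        target.on_transfer_info(self.state, self.av.xres, self.av.rand)
        if self.state == "AUTH_COMPLETE":
            target.on_first_key(self.first_key())  # claim 5: key only after a response
    def on_nas_from_terminal(self, msg: dict) -> None:
        if msg["type"] != "AUTH_RESPONSE":
            return
        if self.target is not None:
            # Relocation pending: relay the response (claim 3) and release the key
            # (claim 5); the target, not the source, now checks it against XRES.
            self.target.on_forwarded_nas(msg)
            self.target.on_first_key(self.first_key())
            self.state = "RESPONSE_RELAYED"
        elif hmac.compare_digest(msg["res"], self.av.xres):
            self.state = "AUTH_COMPLETE"
        else:
            self.state = "AUTH_FAILED"

class TargetNF:
    """Second network function of claims 1 to 7, first network function of claims 8 to 10."""
    def __init__(self):
        self.status = self.xres = self.rand = self.first_key = self.authenticated = None
    def on_transfer_info(self, status: str, xres: bytes, rand: bytes) -> None:
        self.status, self.xres, self.rand = status, xres, rand
    def on_forwarded_nas(self, msg: dict) -> None:
        # Claim 10: the status says a response is still due; check it against XRES.
        if self.status == "AUTH_PENDING" and msg["type"] == "AUTH_RESPONSE":
            self.authenticated = hmac.compare_digest(msg["res"], self.xres)
    def on_first_key(self, key: bytes) -> None:
        self.first_key = key
    def can_start_nas_smc(self) -> bool:
        # Claims 9/10: NAS security mode control needs the key plus either a response
        # verified here or a source that reported the authentication as complete.
        verified = self.authenticated is True or self.status == "AUTH_COMPLETE"
        return self.first_key is not None and verified

def run_relocation(transfer_before_response: bool = True, tamper: bool = False) -> dict:
    """Drive one relocation; tamper=True injects a response not computed from K_ue."""
    k_ue = b"\x01" * 16  # constructed long-term subscriber key
    terminal, source, target = Terminal(k_ue), SourceNF(generate_av(k_ue)), TargetNF()
    req = source.send_auth_request()
    if transfer_before_response:
        source.on_context_transfer_request(target)
    resp = terminal.on_auth_request(req["rand"])
    if tamper:
        resp = {"type": "AUTH_RESPONSE", "res": os.urandom(32)}
    source.on_nas_from_terminal(resp)
    if not transfer_before_response:
        source.on_context_transfer_request(target)
    return {"authenticated": target.authenticated, "smc_ready": target.can_start_nas_smc(),
            "key_match": target.first_key == source.first_key()}

if __name__ == "__main__":
    for kwargs in ({}, {"tamper": True}, {"transfer_before_response": False}):
        print(kwargs, run_relocation(**kwargs))
```

The point worth checking in any real implementation is the negative path: when the transfer request arrives while the response is still outstanding, the source never sees a verified RES, so the target must refuse to start NAS security mode control on the first key alone; a forged response relayed by the source fails the XRES comparison at the target and `can_start_nas_smc()` stays false even though the key has already been handed over.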
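The NAS message routing described in the apparatus embodiment of the description and in claims 13 to 20, as an added example that is not the patent's own code: the old network function records that the terminal's context has moved (claim 15), forwards an uplink NAS message it cannot decrypt or whose type calls for forwarding (claim 16), and the new network function decrypts a relayed message and returns the plaintext only after its integrity check passes (claims 18 and 19). NAS ciphering and integrity protection (NEA/NIA) are replaced here by an HMAC-SHA256 keystream and a 32-bit HMAC tag; the keys, COUNT values, message types and payloads are constructed, and the class, function and constant names are this example's own.

```python
"""
NAS message routing while a terminal's context moves between two network
functions, following claims 13 to 20 of the patent above.
Added example, not code from the patent. NAS ciphering and integrity (NEA/NIA)
are replaced by an HMAC-SHA256 keystream and a 32-bit HMAC tag; keys, COUNT
values, message types and payloads are constructed.
"""
import hashlib
import hmac
import struct

# Message types the old NF hands over even when it could process them itself.
FORWARD_TYPES = {"REGISTRATION_REQUEST", "AUTH_RESPONSE", "SECURITY_MODE_COMPLETE"}

def _keystream(k_enc: bytes, count: int, n: int) -> bytes:
    blocks = (hmac.new(k_enc, struct.pack(">II", count, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def protect(k_enc: bytes, k_int: bytes, count: int, msg_type: str, payload: bytes) -> bytes:
    """Cipher, then integrity-protect: COUNT(4) || MAC(4) || ciphertext."""
    plain = msg_type.encode() + b"\x00" + payload
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(k_enc, count, len(plain))))
    mac = hmac.new(k_int, struct.pack(">I", count) + cipher, hashlib.sha256).digest()[:4]
    return struct.pack(">I", count) + mac + cipher

def unprotect(k_enc: bytes, k_int: bytes, blob: bytes):
    """(msg_type, payload) if the MAC verifies under these keys, else None."""
    count_bytes, mac, cipher = blob[:4], blob[4:8], blob[8:]
    expect = hmac.new(k_int, count_bytes + cipher, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(mac, expect):
        return None
    count = struct.unpack(">I", count_bytes)[0]
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(k_enc, count, len(cipher))))
    msg_type, _, payload = plain.partition(b"\x00")
    return msg_type.decode(), payload

class NewNF:
    """First network function of claims 17 to 20: owns the context after relocation."""
    def __init__(self, k_enc: bytes, k_int: bytes):
        self.k_enc, self.k_int, self.inbox, self.rejected = k_enc, k_int, [], 0
    def on_relayed(self, blob: bytes):
        # Claims 18/19: decrypt; return plaintext to the old NF only if integrity holds.
        parsed = unprotect(self.k_enc, self.k_int, blob)
        if parsed is None:
            self.rejected += 1
            return None
        self.inbox.append(parsed)
        return parsed

class OldNF:
    """First network function of claims 13 to 16: still reachable after the move."""
    def __init__(self, k_enc: bytes, k_int: bytes):
        self.k_enc, self.k_int, self.peer = k_enc, k_int, None
    def on_context_transfer_request(self, peer: NewNF) -> None:
        self.peer = peer  # claim 15: the terminal's context now lives at the peer
    def on_uplink_nas(self, blob: bytes):
        """Route one uplink NAS message; returns (decision, plaintext or None)."""
        parsed = unprotect(self.k_enc, self.k_int, blob)
        if parsed is None:
            if self.peer is None:
                return "discard", None  # nobody else could verify it either
            return "forward:undecryptable", self.peer.on_relayed(blob)  # claim 16
        if parsed[0] in FORWARD_TYPES and self.peer is not None:
            self.peer.inbox.append(parsed)  # claim 16: forwarded by message type
            return "forward:type", parsed
        return "local", parsed

def demo() -> dict:
    old_keys = (b"\x11" * 32, b"\x12" * 32)  # context the old NF still holds
    new_keys = (b"\x21" * 32, b"\x22" * 32)  # context established via the new NF
    old, new = OldNF(*old_keys), NewNF(*new_keys)
    old.on_context_transfer_request(new)
    out = {}
    # 1. Terminal already uses the new context, but the message reaches the old NF.
    blob = protect(*new_keys, 7, "PDU_SESSION_ESTABLISHMENT_REQUEST", b"dnn=internet")
    out["new_ctx"] = old.on_uplink_nas(blob)
    # 2. Same message with one bit flipped in transit: the new NF must reject it.
    bad = bytearray(blob)
    bad[-1] ^= 0x01
    out["tampered"] = old.on_uplink_nas(bytes(bad))
    # 3. Old-context message of a type that belongs to the relocation procedure.
    out["by_type"] = old.on_uplink_nas(protect(*old_keys, 3, "AUTH_RESPONSE", b"res"))
    # 4. Old-context message the old NF handles itself.
    out["local"] = old.on_uplink_nas(protect(*old_keys, 4, "SERVICE_REQUEST", b""))
    out["rejected"] = new.rejected
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The ordering inside `on_uplink_nas` matters: the integrity check runs before any type-based decision, so a message that fails under the old NF's keys is relayed as an opaque blob rather than parsed, and the new NF's own check is what decides whether any plaintext ever comes back; only a message that verifies under the old keys is inspected for its type.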
PCT/CN2019/073379 2018-02-13 2019-01-28 Authentication method and device, message processing method and device, and storage medium WO2019157935A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810150834.9A CN110167081B (en) 2018-02-13 2018-02-13 Authentication method and device, message processing method and device, and storage medium
CN201810150834.9 2018-02-13

Publications (1)

Publication Number Publication Date
WO2019157935A1 true WO2019157935A1 (en) 2019-08-22

Family

ID=67620212

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/073379 WO2019157935A1 (en) 2018-02-13 2019-01-28 Authentication method and device, message processing method and device, and storage medium

Country Status (2)

Country Link
CN (1) CN110167081B (en)
WO (1) WO2019157935A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114531254B (en) * 2020-10-30 2023-03-31 中国移动通信有限公司研究院 Authentication information acquisition method and device, related equipment and storage medium
CN118139044A (en) * 2022-12-02 2024-06-04 中国移动通信有限公司研究院 Terminal authentication verification method and terminal authentication verification device

Citations (5)

Publication number Priority date Publication date Assignee Title
CN101355785A (en) * 2007-07-26 2009-01-28 华为技术有限公司 Method and system for transmitting non-access layer information during switching procedure
CN102547655A (en) * 2012-02-23 2012-07-04 大唐移动通信设备有限公司 Intersystem roaming attachment method and device
CN103002521A (en) * 2011-09-08 2013-03-27 华为技术有限公司 Context transmission method and mobility management entity
WO2014067542A1 (en) * 2012-10-29 2014-05-08 Nokia Solutions And Networks Oy Methods, apparatuses and computer program products enabling to improve handover security in mobile communication networks
WO2017048434A1 (en) * 2015-09-15 2017-03-23 Qualcomm Incorporated Apparatus and method for mobility procedure involving mobility management entity relocation

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN103379490A (en) * 2012-04-12 2013-10-30 华为技术有限公司 Authentication method, device and system of user equipment
GB2537377B (en) * 2015-04-13 2021-10-13 Vodafone Ip Licensing Ltd Security improvements in a cellular network
CN107566115B (en) * 2016-07-01 2022-01-14 华为技术有限公司 Secret key configuration and security policy determination method and device

Also Published As

Publication number Publication date
CN110167081A (en) 2019-08-23
CN110167081B (en) 2022-07-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19754482

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN EP: public notification in the EP bulletin as the address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 23/12/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19754482

Country of ref document: EP

Kind code of ref document: A1