WO2019158028A1 - A communication method and apparatus - Google Patents

A communication method and apparatus

Info

Publication number
WO2019158028A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
suci
message
home
ausf
Prior art date
Application number
PCT/CN2019/074767
Other languages
English (en)
French (fr)
Inventor
李华
何承东
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
        • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
        • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
        • H04W 12/06 Authentication
    • H04W 8/00 Network data management
        • H04W 8/26 Network addressing or numbering for mobility support

Definitions

  • the present application relates to the field of mobile communications technologies, and in particular, to a communication method and apparatus.
  • at first registration, the UE and the network have not yet negotiated an air interface key for air interface encryption, so the user permanent identifier, for example the international mobile subscriber identifier (IMSI), is transmitted in clear text over the air interface, which is likely to cause the user's IMSI to be intercepted and the user's information (such as location information) to be leaked.
  • to solve the security problem of plaintext transmission over the air interface at first registration, the 5G network does not transmit the user permanent identifier (SUPI) over the air interface; the user hidden identifier (SUCI) is used instead of the SUPI.
  • the 5G network needs to support using the SUCI to address the unified data management (UDM) network element and to obtain the user's authentication data and service subscription data.
  • the 5G network does not support the use of the SUCI to address the user's home UDM network element.
  • the embodiments of the present application provide a communication method and apparatus to achieve this. To achieve the above objective, the present application provides the following technical solutions:
  • the embodiment of the present application provides a communication method, which is applicable to a non-roaming scenario in which a private key is deployed on an NRF network element.
  • the communication method is mainly performed by an AMF network element, an AUSF network element, and an NRF network element, and enables the AUSF network element to address the UDM network element according to the SUCI.
  • the AUSF network element obtains information from the NRF network element according to the encrypted SUCI, and addresses the home UDM network element according to the obtained information.
  • the method performed by the AUSF network element includes: the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the AUSF network element sends a second message to the NRF network element, where the second message is used to request the NRF network element to discover the UDM network element, and the second message includes the SUCI; and the AUSF network element receives first addressing information from the NRF network element, where the first addressing information is obtained by the NRF network element by decrypting the SUCI according to a local private key to obtain decryption information of the SUCI, and then deriving the UDM network element addressing information from the decryption information of the SUCI.
  • the method performed by the NRF network element in this design includes: the NRF network element receives a second message from the AUSF network element, where the second message is used to request the NRF network element to discover the UDM network element, the second message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the NRF network element decrypts the SUCI according to a local private key to obtain decryption information of the SUCI; and the NRF network element sends first addressing information to the AUSF network element according to the decryption information of the SUCI.
  • the first addressing information is UDM network element addressing information obtained by the NRF network element according to the decryption information of the SUCI.
  • the decryption information of the SUCI includes the SUPI or user home zone information.
  • the first addressing information includes one or more UDM network element addresses associated with the user home area information; or the first addressing information includes the UDM network element address and the SUPI; or the first addressing information includes the UDM network element address and the user home area information.
  • the ciphertext generated according to the public key is specifically a ciphertext encrypted by the public key to the MSIN in the SUPI, wherein the MSIN includes user home zone information.
  • the embodiment of the present application provides a communication method, which is applicable to a non-roaming scenario in which a private key is deployed on a UDM network element.
  • the communication method is mainly performed by an AMF network element, an AUSF network element, and a UDM network element, and enables the AUSF network element to address the UDM network element according to the SUCI.
  • the AUSF network element obtains information from the UDM network element according to the encrypted SUCI, and addresses the home UDM network element according to the obtained information.
  • the method performed by the AUSF network element includes: the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the AUSF network element sends a third message to the first UDM network element, where the third message is used to request the first UDM network element to obtain an authentication vector, and the third message includes the SUCI; the AUSF network element receives a fourth message from the first UDM network element, where the fourth message includes decryption information of the SUCI or addressing information of a home UDM network element; and the AUSF network element, according to the fourth message, sends the third message to the home UDM network element, where the home
  • the method performed by the first UDM network element includes: receiving, by the first UDM network element, a third message from the AUSF network element, where the third message is used to request the first UDM network element to obtain an authentication vector,
  • the third message includes a SUCI;
  • the SUCI includes a ciphertext generated according to a public key;
  • the first UDM network element decrypts the SUCI according to a local private key to obtain decryption information of the SUCI;
  • when the first UDM network element determines, according to the decryption information of the SUCI, that the home UDM network element is not the first UDM network element, the first UDM network element sends a fourth message to the AUSF network element, where the fourth message includes the decryption information of the SUCI or the addressing information of the home UDM network element, the addressing information of the home UDM network element being obtained by the first UDM network element according to the decryption information of the SUCI.
  • the method performed by the first UDM network element includes: the first UDM network element receives a third message from the AUSF network element, where the third message is used to request the first UDM network element to obtain an authentication vector, the third message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the first UDM network element decrypts the SUCI according to a local private key to obtain decryption information of the SUCI; and the first UDM network element acts according to the decryption information of the SUCI.
  • the addressing information of the home UDM network element is obtained based on the decryption information of the SUCI.
  • the AUSF network element obtains information from the UDM network element according to the encrypted SUCI, and addresses the home UDM network element according to the obtained information.
  • the method performed by the AUSF network element includes the following: the AUSF network element sends a third message to the first UDM network element, where the third message is used to request the first UDM network element to obtain an authentication vector, and the third message includes the SUCI; the AUSF network element receives the authentication vector, where the authentication vector is sent by the first UDM network element to the AUSF network element when the first UDM network element decrypts the SUCI according to the local private key and determines that the home UDM network element is the first UDM network element.
  • the method performed by the first UDM network element in this design includes: the first UDM network element receives a third message from the AUSF network element, where the third message is used to request the first UDM network element to obtain an authentication vector, the third message includes a SUCI, and the SUCI includes a ciphertext generated according to a public key; the first UDM network element decrypts the SUCI according to a local private key to obtain a SUPI; the first UDM network element determines the home UDM network element according to the SUPI; and when the home UDM network element is the first UDM network element, the first UDM network element sends an authentication vector to the AUSF network element.
  • the AUSF network element obtains information from the UDM network element according to the encrypted SUCI, and addresses the home UDM network element according to the obtained information.
  • the method performed by the AUSF network element includes the following: the AUSF network element sends a third message to the first UDM network element, where the third message is used to request the first UDM network element to obtain an authentication vector, and the third message includes the SUCI; the AUSF network element receives the authentication vector, where the authentication vector is sent to the AUSF network element by the first UDM network element after the first UDM network element decrypts the SUCI according to the local private key, determines that the home UDM network element is the second UDM network element, and acquires the authentication vector from the second UDM network element.
  • the method performed by the first UDM network element in this design includes: the first UDM network element receives a third message from the AUSF network element, where the third message is used to request the first UDM network element to obtain an authentication vector, the third message includes a SUCI, and the SUCI includes a ciphertext generated according to a public key; the first UDM network element decrypts the SUCI according to a local private key to obtain a SUPI; the first UDM network element determines the home UDM network element according to the SUPI; and when the home UDM network element is the second UDM network element, the first UDM network element obtains the authentication vector from the second UDM network element and sends the authentication vector to the AUSF network element.
  • the AUSF network element obtains information from the UDM network element according to the encrypted SUCI, and addresses the home UDM network element according to the obtained information.
  • the method performed by the AUSF network element includes the following: the AUSF network element sends a third message to the first UDM network element, where the third message is used to request the first UDM network element to obtain an authentication vector, and the third message includes the SUCI; the AUSF network element receives the authentication vector, where the authentication vector is sent to the AUSF network element by the second UDM network element after the first UDM network element determines that the home UDM network element is the second UDM network element and sends the third message to the second UDM network element, the third message being used to request the second UDM network element to obtain an authentication vector and including the SUPI, so that the second UDM network element generates the authentication vector according to the SUPI.
  • the method performed by the first UDM network element in this design includes: the first UDM network element receives a third message from the AUSF network element, where the third message is used to request the first UDM network element to obtain an authentication vector, the third message includes a SUCI, and the SUCI includes a ciphertext generated according to a public key; the first UDM network element decrypts the SUCI according to a local private key to obtain a SUPI; the first UDM network element determines the home UDM network element according to the SUPI; and when the home UDM network element is the second UDM network element, the first UDM network element sends a third message to the second UDM network element, where the third message is used to request the second UDM network element to obtain an authentication vector and includes the SUPI, so that the second UDM network element generates the authentication vector according to the SUPI.
  • the decryption information of the SUCI includes SUPI or user home zone information.
  • the ciphertext generated according to the public key is specifically a ciphertext encrypted by the public key to the MSIN in the SUPI, wherein the MSIN includes user home zone information.
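The two designs above (private key on the NRF, and private key on the first UDM) as a runnable simulation of the message exchange. This is an added example, not code from the patent or from any 3GPP implementation; the home-network key, the UDM table, the "first three MSIN digits name the home area" convention and the HMAC-keystream stand-in for public-key encryption are all constructed assumptions.

```python
"""Simulation of SUCI-based home UDM addressing (NRF-decrypt and UDM-decrypt designs).
Added example: the public-key encryption of the MSIN is stood in for by an HMAC-SHA256
keystream XOR, so one constructed key plays both the UE's public key and the network
function's private key. Real networks use the ECIES profiles of 3GPP TS 33.501."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed key material for the home network (assumption, not from the page).
HOME_NETWORK_KEY = b"constructed-home-network-key"

# Constructed UDM deployment. The page says the MSIN carries user home zone
# information; here (assumption) the first HOME_AREA_DIGITS of the MSIN name it.
HOME_AREA_DIGITS = 3
UDM_BY_HOME_AREA: Dict[str, List[str]] = {
    "001": ["udm1.area001.example", "udm2.area001.example"],
    "002": ["udm1.area002.example"],
}

@dataclass(frozen=True)
class SUCI:
    mcc: str
    mnc: str
    scheme_id: int          # protection scheme identifier (plaintext)
    key_id: int             # home network public key identifier (plaintext)
    msin_ciphertext: bytes  # the "ciphertext generated according to the public key"

def _keystream(key: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def ue_build_suci(supi: str, key: bytes = HOME_NETWORK_KEY) -> SUCI:
    """UE side: SUPI 'imsi-<MCC><MNC><MSIN>' -> SUCI in which only the MSIN is encrypted."""
    if not supi.startswith("imsi-"):
        raise ValueError("only IMSI-based SUPIs are modelled here")
    digits = supi[len("imsi-"):]
    mcc, mnc, msin = digits[:3], digits[3:6], digits[6:]  # assumes a 3-digit MNC
    return SUCI(mcc, mnc, scheme_id=1, key_id=1, msin_ciphertext=_xor(msin.encode(), key))

def decrypt_suci(suci: SUCI, private_key: bytes) -> Tuple[str, str]:
    """Network function holding the private key: returns (SUPI, user home area)."""
    msin = _xor(suci.msin_ciphertext, private_key).decode("ascii", errors="replace")
    if not msin.isdigit():
        raise ValueError("SUCI does not decrypt to an MSIN under this private key")
    return f"imsi-{suci.mcc}{suci.mnc}{msin}", msin[:HOME_AREA_DIGITS]

def decrypts_under(suci: SUCI, private_key: bytes) -> bool:
    """True when the SUCI yields a well-formed MSIN under this key."""
    try:
        decrypt_suci(suci, private_key)
        return True
    except ValueError:
        return False

# ---- Design 1: private key deployed on the NRF -----------------------------
def nrf_discover_udm(second_message: dict, private_key: bytes = HOME_NETWORK_KEY) -> dict:
    """NRF handles the AUSF's second message and returns the first addressing information."""
    supi, area = decrypt_suci(second_message["suci"], private_key)
    addresses = UDM_BY_HOME_AREA.get(area)
    if not addresses:
        raise LookupError(f"no UDM network element serves home area {area}")
    # One of the forms the page lists: UDM network element address(es) plus the SUPI.
    return {"udm_addresses": addresses, "supi": supi, "home_area": area}

def ausf_address_udm_via_nrf(first_message: dict) -> str:
    """AUSF: take the SUCI from the AMF's first message, ask the NRF, pick the home UDM."""
    info = nrf_discover_udm({"nf_type": "UDM", "suci": first_message["suci"]})
    return info["udm_addresses"][0]

# ---- Design 2: private key deployed on the (first) UDM ---------------------
def first_udm_handle_third_message(third_message: dict, my_address: str,
                                   private_key: bytes = HOME_NETWORK_KEY) -> Tuple[str, dict]:
    """First UDM: return an authentication vector if it is the home UDM, otherwise
    a fourth message carrying the SUPI and the home UDM address for the AUSF."""
    supi, area = decrypt_suci(third_message["suci"], private_key)
    home_udms = UDM_BY_HOME_AREA.get(area)
    if not home_udms:
        raise LookupError(f"no UDM network element serves home area {area}")
    if my_address in home_udms:
        # Constructed stand-in for an authentication vector generated from the SUPI.
        av = hashlib.sha256(b"AV|" + supi.encode()).hexdigest()
        return "authentication_vector", {"supi": supi, "av": av}
    return "fourth_message", {"supi": supi, "home_udm_address": home_udms[0]}
```

The SUCI's MCC, MNC, scheme and key identifiers stay in plaintext and only the MSIN is encrypted, so without the private key a network function cannot tell which home UDM to address; that is exactly why the page moves the private key onto the NRF or onto a UDM.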
  • the embodiment of the present application provides a communication method, which is applicable to a non-roaming scenario in which a private key is deployed on an AUSF network element.
  • the communication method is mainly performed by an AMF network element, an AUSF network element, and a UDM network element, and enables the AUSF network element to address the UDM network element according to the SUCI.
  • the AUSF network element decrypts the encrypted SUCI and interacts with the home UDM network element according to the decryption information.
  • the method performed by the AUSF network element includes: the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the AUSF network element decrypts the SUCI according to a local private key to obtain a SUPI; the AUSF network element sends a third message to the home UDM network element associated with the SUPI, where the third message is used to request the home UDM network element to obtain an authentication vector, and the third message includes the SUPI; and the AUSF network element receives an authentication vector from the home UDM network element, where the authentication vector is generated by the home UDM network element according to the SUPI.
  • the first AUSF network element decrypts the encrypted SUCI, and addresses the home UDM network element by interacting with the home AUSF network element according to the decryption information.
  • the method performed by the first AUSF network element includes: the first AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the first AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the first AUSF network element decrypts the SUCI according to a local private key to obtain a SUPI; the first AUSF network element sends the first message to the home AUSF network element, where the first message is used to request authentication from the home AUSF network element and includes the SUPI; and the first AUSF network element receives the authentication vector from the home AUSF network element, where the authentication vector is obtained by the home AUSF network element from the home UDM network element according to the SUPI.
  • the first AUSF network element decrypts the encrypted SUCI, and interacts with the AMF network element according to the decryption information so that the home UDM network element is addressed.
  • the method performed by the first AUSF network element includes: the first AUSF network element receives the first message from the AMF network element, where the first message is used to request authentication from the first AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the first AUSF network element decrypts the SUCI according to a local private key to obtain a SUPI; and the first AUSF network element sends, according to the SUPI, a fourth message to the AMF network element, where the fourth message includes the SUPI or addressing information of a home AUSF network element, the addressing information of the home AUSF network element being obtained by the first AUSF network element according to the decryption information of the SUCI.
  • the method performed by the AMF network element in this design includes: the AMF network element sends a first message to the first AUSF network element, where the first message is used to request authentication from the first AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the AMF network element receives a fourth message from the first AUSF network element, where the fourth message includes a SUPI or addressing information of a home AUSF network element, the SUPI or the addressing information of the home AUSF network element being obtained from the decryption information that the first AUSF network element produces by decrypting the SUCI according to a local private key; and the AMF network element, according to the fourth message, sends the first message to the home AUSF network element, where the home AUSF network element is the AUSF network element associated with the addressing information of the home AUSF network element or with the SUPI, and the first message is used to request authentication from the home AUSF network element.
  • the method performed by the home AUSF network element in this design includes: the home AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the home AUSF network element, the first message includes a SUCI, and the SUCI includes a ciphertext generated according to a public key; when the first message includes the SUCI, the home AUSF network element decrypts the SUCI according to a local private key to obtain the SUPI; the home AUSF network element sends a third message to the home UDM network element, where the third message is used to request the home UDM network element to obtain an authentication vector, and the third message includes the SUPI; and the home AUSF network element receives the authentication vector from the home UDM network element, where the authentication vector is generated by the home UDM network element according to the SUPI.
  • the decryption information of the SUCI includes SUPI or user attribution area information.
  • the ciphertext generated according to the public key is specifically a ciphertext encrypted by the public key to the MSIN in the SUPI, wherein the MSIN includes user home zone information.
  • the embodiment of the present application provides a communication method, which is applicable to a non-roaming scenario in which a private key is deployed on an NRF network element.
  • the method enables the AMF network element to address the AUSF network element according to the SUCI.
  • the AMF network element obtains information from the NRF network element according to the encrypted SUCI, and addresses the home AUSF network element according to the obtained information.
  • the method performed by the AMF network element includes: the AMF network element sends a second message to the NRF network element, where the second message is used to request the NRF network element to discover the AUSF network element, the second message includes the user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; and the AMF network element receives second addressing information from the NRF network element, where the second addressing information is AUSF network element addressing information obtained by the NRF network element after it decrypts the SUCI according to the local private key.
  • the method performed by the NRF network element in this design includes: the NRF network element receives a second message from the AMF network element, where the second message is used to request the NRF network element to discover the AUSF network element, the second message includes the user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the NRF network element decrypts the SUCI according to the local private key to obtain decryption information of the SUCI; and the NRF network element sends the second addressing information to the AMF network element according to the decryption information of the SUCI, where the second addressing information is AUSF network element addressing information obtained by the NRF network element according to the decryption information of the SUCI.
  • the decryption information of the SUCI includes SUPI or user home zone information.
  • the second addressing information includes one or more AUSF network element addresses associated with the user home area information; or the second addressing information includes the AUSF network element address and the SUPI; or the second addressing information includes the AUSF network element address and the user home area information.
  • the ciphertext generated according to the public key is specifically a ciphertext encrypted by the public key to the MSIN in the SUPI, wherein the MSIN includes user home zone information.
  • the embodiment of the present application provides a communication method, which is applicable to a roaming scenario in which a private key is deployed on an NRF network element.
  • the method enables the AMF network element to address the AUSF network element according to the SUCI.
  • the home NRF network element obtains information from the home SEPP network element according to the encrypted SUCI, and the AMF network element addresses the home AUSF network element according to the information acquired by the home NRF network element.
  • the method performed by the AMF network element of the serving network includes: the AMF network element of the serving network sends a second message, where the second message is used to request the home NRF network element to discover the AUSF network element, the second message includes the user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the AMF network element receives second addressing information from the home NRF network element, where the second addressing information is AUSF network element addressing information obtained by the home NRF network element according to the decryption information of the SUCI after the home NRF network element receives that decryption information from the home SEPP network element; and the AMF network element, according to the second addressing information, sends a first message to the home AUSF network element associated with the second addressing information.
  • the method performed by the home SEPP network element in this design includes: the home SEPP network element receives a second message from the AMF network element of the serving network, where the second message is used to request the home NRF network element to discover the AUSF network element, the second message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the home SEPP network element decrypts the SUCI according to a local private key to obtain decryption information of the SUCI; and the home SEPP network element sends the second message to the home NRF network element, where the second message is used to request the home NRF network element to discover the AUSF network element and includes the decryption information of the SUCI.
  • the method performed by the home NRF network element in this design includes: the home NRF network element receives the second message from the home SEPP network element, where the second message is used to request the home NRF network element to discover the AUSF network element and includes the decryption information of the SUCI; and the home NRF network element sends the second addressing information to the AMF network element according to the decryption information of the SUCI, where the second addressing information is AUSF network element addressing information obtained by the home NRF network element according to the decryption information of the SUCI.
  • the home NRF network element decrypts the encrypted SUCI, and the AMF network element addresses the home AUSF network element according to the decryption information of the home NRF network element.
  • the method performed by the AMF network element of the serving network includes: the AMF network element of the serving network sends a second message to the home NRF network element through the home SEPP network element, where the second message is used to request the home NRF network element to discover the AUSF network element, the second message includes the SUCI, and the SUCI includes a ciphertext generated according to a public key; the AMF network element receives second addressing information from the home NRF network element, where the second addressing information is AUSF network element addressing information obtained by the home NRF network element by decrypting the SUCI according to the local private key to obtain decryption information of the SUCI and then deriving the addressing information from that decryption information; and the AMF network element, according to the second addressing information, sends a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element and includes the SUCI or the decryption information of the SUCI.
  • the method performed by the home NRF network element in this design includes: the home NRF network element receives the second message from the home SEPP network element, where the second message is used to request the home NRF network element to discover the AUSF network element, the second message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated according to a public key; the home NRF network element decrypts the SUCI according to the local private key to obtain decryption information of the SUCI; and the home NRF network element sends second addressing information to the AMF network element according to the decryption information of the SUCI, where the second addressing information is AUSF network element addressing information obtained by the home NRF network element according to the decryption information of the SUCI.
  • the decryption information of the SUCI includes SUPI or user home zone information.
  • the second addressing information includes one or more AUSF network element addresses associated with the user home area information; or the second addressing information includes the AUSF network element address and the SUPI; or the second addressing information includes the AUSF network element address and the user home area information.
  • the ciphertext generated according to the public key is specifically a ciphertext encrypted according to a public key to the MSIN in the SUPI, wherein the MSIN includes user home zone information.
  • the embodiment of the present application provides a communication method, which is applicable to a scenario in which a terminal flexibly encrypts a SUPI.
  • the method is based on the first SUCI obtained by the terminal using the first encryption method, and the AMF network element can be configured to address the AUSF network element according to the first SUCI, and the AUSF network element addresses the UDM network element according to the first SUCI.
  • the terminal encrypts the user permanent identifier SUPI according to a local public key to obtain the first SUCI, where the first SUCI includes the MSIN, the user home area information in the MSIN is plaintext, and the remaining information of the MSIN is ciphertext; the terminal sends a fifth message to the AMF network element, where the fifth message is used to request registration from the AMF network element, and the fifth message includes the first SUCI.
  • the terminal encrypting the SUPI according to the local public key to obtain the first SUCI includes: when the terminal determines, according to its current location information, that the serving network is the home network, the terminal encrypts the SUPI according to the local public key to obtain the first SUCI.
  • the AMF network element receives a fifth message from the terminal, where the fifth message is used to request registration from the AMF network element, the fifth message includes a first SUCI, the first SUCI includes the MSIN, the user home area information of the MSIN is plaintext, and the remaining information of the MSIN is ciphertext; the AMF network element sends, according to the first SUCI, a first message to the home AUSF network element associated with the first SUCI, where the first message is used to request authentication from the home AUSF network element, and the first message includes the first SUCI.
  • the AUSF network element receives the first message from the AMF network element, where the first message is used to request authentication from the home AUSF network element, the first message includes the first SUCI, the first SUCI includes an MSIN, the user home area information of the MSIN is plaintext, and the remaining information of the MSIN is ciphertext; the AUSF network element sends a third message to the home UDM network element, where the third message is used to request the home UDM network element to obtain an authentication vector, and the third message includes the first SUCI; and the AUSF network element receives the authentication vector from the home UDM network element, where the authentication vector is generated by the home UDM network element according to the first SUCI.
  • An embodiment of the present application provides a communication method applicable to a scenario in which a terminal flexibly encrypts the SUPI.
  • The method is based on a second SUCI that the terminal obtains using a second encryption mode: the AMF network element addresses the AUSF network element according to the second SUCI, and the AUSF network element addresses the UDM network element according to the second SUCI.
  • The terminal encrypts the subscription permanent identifier SUPI according to the local public key to obtain the second SUCI. The second SUCI includes the MSIN, and the MSIN is entirely ciphertext. The terminal sends a fifth message to the AMF network element; the fifth message is used to request registration from the AMF network element and includes the second SUCI and the user home area information.
  • The terminal encrypting the SUPI according to the local public key to obtain the second SUCI includes: when the terminal determines, according to its current location information, that the serving network is a roaming network, the terminal encrypts the SUPI according to the local public key to obtain the second SUCI.
  • The AMF network element receives a fifth message from the terminal; the fifth message is used to request registration from the AMF network element and includes a second SUCI and user home area information. The second SUCI includes an MSIN, and the MSIN is entirely ciphertext.
  • According to the user home area information, the AMF network element sends a first message to the home AUSF network element associated with that information; the first message is used to request authentication from the home AUSF network element and includes the user home area information and the second SUCI.
  • The AUSF network element receives a first message from an AMF network element; the first message is used to request authentication from the AUSF network element and includes a second SUCI and user home area information. The second SUCI includes an MSIN, and the MSIN is entirely ciphertext.
  • The AUSF network element sends a third message to the home UDM network element; the third message is used to request an authentication vector from the home UDM network element and includes the second SUCI and the user home area information.
  • The AUSF network element receives the authentication vector from the home UDM network element; the authentication vector is generated by the home UDM network element according to the second SUCI and the user home area information.
  • the application provides a communication device, which may be an AMF network element or a chip.
  • the apparatus has the function of implementing the AMF network element in the first aspect, or the second aspect, or the third aspect, or the fourth aspect, or the fifth aspect, or the sixth aspect, or the embodiments of the seventh aspect.
  • This function can be implemented in hardware, or in hardware executing the corresponding software.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the third aspect AMF network element, including:
  • a sending unit configured to send a first message to the first AUSF network element, where the first message is used to request authentication from the first AUSF network element and includes a subscription concealed identifier SUCI, the SUCI including a ciphertext generated according to a public key;
  • a receiving unit configured to receive a fourth message from the first AUSF network element, where the fourth message includes the SUPI or addressing information of the home AUSF network element, the SUPI or the addressing information of the home AUSF network element being obtained by the first AUSF network element from the decryption information produced by decrypting the SUCI according to a local private key;
  • a processing unit configured to send, by using the sending unit and according to the fourth message, a first message to the home AUSF network element, where the home AUSF network element is the AUSF network element associated with the addressing information of the home AUSF network element or with the decryption information (the SUPI) of the SUCI, and the first message is used to request authentication from the home AUSF network element.
  • The application provides an apparatus including a processor and a memory. The memory is configured to store instructions; when the apparatus is running, the processor executes the instructions stored in the memory so that the apparatus performs the method performed by the AMF network element in the first aspect, the second aspect, the third aspect, the fourth aspect, the fifth aspect, the sixth aspect, or any implementation method of the seventh aspect.
  • the memory may be integrated in the processor or may be independent of the processor.
  • The application provides an apparatus comprising a processor, the processor being configured to couple with a memory, read the instructions in the memory, and perform, according to the instructions, the method performed by the AMF network element in the first aspect, the second aspect, the third aspect, the fourth aspect, the fifth aspect, the sixth aspect, or any implementation method of the seventh aspect.
  • the application provides a communication device, which may be an AUSF network element (including a first AUSF network element and a home AUSF network element), or may be a chip.
  • The apparatus has the function of implementing the AUSF network element in the first aspect, the second aspect, the third aspect, the fourth aspect, the fifth aspect, the sixth aspect, or the embodiments of the seventh aspect. This function can be implemented in hardware, or in hardware executing the corresponding software.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the first aspect AUSF network element, including:
  • a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the AUSF network element and includes a subscription concealed identifier SUCI, the SUCI including a ciphertext generated according to a public key;
  • a sending unit configured to send a second message to the NRF network element, where the second message is used to request the NRF network element to discover the UDM network element and includes the SUCI;
  • the receiving unit being further configured to receive first addressing information from the NRF network element, where the first addressing information is UDM network element addressing information obtained by the NRF network element from the decryption information produced by decrypting the SUCI according to a local private key;
  • a processing unit configured to send, by using the sending unit and according to the first addressing information, a third message to the home UDM network element associated with the first addressing information, where the third message is used to request an authentication vector from the home UDM network element and includes the SUCI.
  • The present application provides an apparatus including a processor and a memory. The memory is configured to store instructions; when the apparatus is running, the processor executes the instructions stored in the memory so that the apparatus performs the method performed by the AUSF network element (including the first AUSF network element and the home AUSF network element) in the first aspect, the second aspect, the third aspect, the fourth aspect, the fifth aspect, the sixth aspect, or any implementation method of the seventh aspect.
  • the memory may be integrated in the processor or may be independent of the processor.
  • The application provides an apparatus comprising a processor, the processor being configured to couple with a memory, read the instructions in the memory, and perform, according to the instructions, the method performed by the AUSF network element (including the first AUSF network element and the home AUSF network element) in the first aspect, the second aspect, the third aspect, the fourth aspect, the fifth aspect, the sixth aspect, or any implementation method of the seventh aspect.
  • the present application provides a communication device, which may be an NRF network element or a chip.
  • the apparatus has the function of implementing the NRF network element in the first aspect, or the second aspect, or the third aspect, or the fourth aspect, or the fifth aspect, or the sixth aspect, or the embodiments of the seventh aspect.
  • This function can be implemented in hardware, or in hardware executing the corresponding software.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the first aspect NRF network element, including:
  • a receiving unit configured to receive a second message from the AUSF network element, where the second message is used to request the NRF network element to discover a UDM network element and includes a subscription concealed identifier SUCI, the SUCI including a ciphertext generated according to a public key;
  • a processing unit configured to decrypt the SUCI according to a local private key, to obtain decryption information of the SUCI;
  • the processing unit is further configured to send the first addressing information to the AUSF network element by using a sending unit according to the decryption information of the SUCI.
  • the first addressing information is UDM network element addressing information obtained by the NRF network element according to the decryption information of the SUCI.
  • the application provides an apparatus, including: a processor and a memory; the memory is configured to store an instruction, when the apparatus is running, the processor executes the instruction stored in the memory, so that the apparatus performs the foregoing In one aspect, or the second aspect, or the third aspect, or the fourth aspect, or the fifth aspect, or the sixth aspect, or the method performed by the NRF network element in any of the implementation methods of the seventh aspect. It should be noted that the memory may be integrated in the processor or may be independent of the processor.
  • the application provides an apparatus, the apparatus comprising a processor, the processor for coupling with a memory, and reading an instruction in the memory and performing the first aspect, or the second aspect, according to the instruction, Or the third aspect, or the fourth aspect, or the fifth aspect, or the sixth aspect, or the method performed by the NRF network element in any implementation method of the seventh aspect.
  • the application provides a communication device, which may be a UDM network element (including a first UDM network element and a home UDM network element), or may be a chip.
  • The apparatus has the function of implementing the UDM network element in the first aspect, the second aspect, the third aspect, the fourth aspect, the fifth aspect, the sixth aspect, or the embodiments of the seventh aspect. This function can be implemented in hardware, or in hardware executing the corresponding software.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the first UDM network element in the second aspect, including:
  • a receiving unit configured to receive a third message from an AUSF network element, where the third message is used to request an authentication vector from the first UDM network element and includes a SUCI, the SUCI including a ciphertext generated according to a public key;
  • a processing unit configured to decrypt the SUCI according to a local private key to obtain decryption information of the SUCI and, when the first UDM network element determines according to the decryption information of the SUCI that the home UDM network element is not the first UDM network element, to send a fourth message to the AUSF network element by using a sending unit, where the fourth message includes the decryption information of the SUCI or addressing information of the home UDM network element, the addressing information of the home UDM network element being obtained by the first UDM network element according to the decryption information of the SUCI.
  • The application provides an apparatus including a processor and a memory. The memory is configured to store instructions; when the apparatus is running, the processor executes the instructions stored in the memory so that the apparatus performs the method performed by the UDM network element (including the first UDM network element and the home UDM network element) in the first aspect, the second aspect, the third aspect, the fourth aspect, the fifth aspect, the sixth aspect, or any implementation method of the seventh aspect.
  • the memory may be integrated in the processor or may be independent of the processor.
  • The present application provides an apparatus comprising a processor, the processor being configured to couple with a memory, read the instructions in the memory, and perform, according to the instructions, the method performed by the UDM network element (including the first UDM network element and the home UDM network element) in the first aspect, the second aspect, the third aspect, the fourth aspect, the fifth aspect, the sixth aspect, or any implementation method of the seventh aspect.
  • the present application provides a device, which may be a terminal or a chip.
  • The apparatus has the function of implementing the terminal in the sixth aspect or in the embodiments of the seventh aspect. This function can be implemented in hardware, or in hardware executing the corresponding software.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the terminal of the sixth aspect, including:
  • a processing unit configured to encrypt the subscription permanent identifier SUPI according to the local public key to obtain the first SUCI, where the first SUCI includes the MSIN, the user home area information in the MSIN is plaintext, and the remaining information of the MSIN is ciphertext;
  • a sending unit configured to send a fifth message to the AMF network element, where the fifth message is used to request registration from the AMF network element, where the fifth message includes the first SUCI.
  • The present application provides an apparatus including a processor and a memory. The memory is configured to store instructions; when the apparatus is running, the processor executes the instructions stored in the memory so that the apparatus performs the method performed by the terminal in the sixth aspect or in any implementation method of the seventh aspect. The memory may be integrated in the processor or may be independent of the processor.
  • The present application provides an apparatus comprising a processor, the processor being configured to couple with a memory, read the instructions in the memory, and perform, according to the instructions, the method performed by the terminal in the sixth aspect or in any implementation method of the seventh aspect.
  • the present application further provides a readable storage medium having stored therein a program or an instruction that, when run on a computer, causes any of the communication methods of the above aspects to be performed.
  • the present application also provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform any of the above various aspects.
  • The present application further provides a system that includes an AMF network element, where the AMF network element can be used to perform the steps performed by the AMF network element in the method of any of the foregoing aspects or in the solution provided by the embodiments of the present application.
  • The system may further include other devices that interact with the AMF network element in the solution provided by the embodiments of the present application, such as an AUSF network element or a terminal device.
  • The present application further provides a system that includes an AUSF network element, where the AUSF network element can be used to perform the steps performed by the AUSF network element in the method of any of the foregoing aspects or in the solution provided by the embodiments of the present application.
  • The system may further include other devices that interact with the AUSF network element in the solution provided by the embodiments of the present application, such as an AMF network element or a UDM network element.
  • the present application further provides a system, where the system may further include a UDM network element, where the UDM network element may be used to perform the method in any of the foregoing aspects or the solution provided by the embodiment of the present invention. The steps performed by the UDM network element.
  • the system may further include other devices that interact with the UDM network element in the solution provided by the embodiment of the present application, such as an AUSF network element and the like.
  • the application further provides a system, the system may further include an NRF network element, where the NRF network element may be used to perform the method in any of the foregoing aspects or the solution provided by the embodiment of the present invention. The steps performed by the NRF network element.
  • the system may further include other devices that interact with the NRF network element in the solution provided by the embodiment of the present application, such as an AMF network element, an AUSF network element, and the like.
  • the present application further provides a system, where the system may further include a terminal, where the terminal may be used to perform the method in any one of the foregoing sixth and seventh aspects or the solution provided by the embodiment of the present invention. The steps performed by the terminal.
  • The system may further include other devices that interact with the terminal in the solution provided by the embodiments of the present application, such as an AMF network element.
  • FIG. 1(a) is a schematic diagram of a possible network architecture involved in an embodiment of the present application
  • FIG. 1(b) is a schematic diagram of still another possible network architecture involved in the embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a method for a communication method according to an embodiment of the present application
  • FIG. 3 is a second schematic flowchart of a method for a communication method according to an embodiment of the present disclosure
  • FIG. 4 is a third schematic flowchart of a method for a communication method according to an embodiment of the present application.
  • FIG. 5 is a fourth schematic flowchart of a method for a communication method according to an embodiment of the present disclosure
  • FIG. 6 is a fifth schematic flowchart of a method for a communication method according to an embodiment of the present disclosure.
  • FIG. 7 is a sixth schematic flowchart of a method for a communication method according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic flowchart of a method for a communication method according to an embodiment of the present application.
  • FIG. 9 is a schematic flowchart of a method for a communication method according to an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a device according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic structural diagram of still another apparatus according to an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of still another apparatus according to an embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of still another apparatus according to an embodiment of the present application.
  • FIG. 14 is a schematic structural diagram of still another apparatus according to an embodiment of the present application.
  • FIG. 15 is a schematic structural diagram of still another apparatus according to an embodiment of the present application.
  • FIG. 16 is a schematic structural diagram of still another apparatus according to an embodiment of the present application.
  • FIG. 17 is a schematic structural diagram of still another apparatus according to an embodiment of the present application.
  • FIG. 18 is a schematic structural diagram of still another apparatus according to an embodiment of the present application.
  • FIG. 19 is a schematic structural diagram of still another apparatus according to an embodiment of the present application.
  • FIG. 1(a) is a schematic diagram of a 3GPP system network architecture that includes a network data analytics function (NWDAF) network element.
  • The network architecture in FIG. 1(a) includes a terminal, a (radio) access network ((R)AN) network element, a user plane function (UPF) network element, a data network (DN) network element, an access and mobility management function (AMF) network element, a session management function (SMF) network element, an authentication server function (AUSF) network element, an application function (AF) network element, a unified data management (UDM) network element, a policy control function (PCF) network element, a network exposure function (NEF) network element, and a network slice selection function (NSSF) network element.
  • the (R) AN network element and the UPF network element are logically interconnected through the N3 interface, and the DN network element and the UPF network element are logically interconnected through the N6 interface, and the terminal and the AMF network element are logically interconnected through the N1 interface.
  • the (R) AN network element and the AMF network element are logically interconnected through the N2 interface, and the SMF network element and the UPF network element are logically interconnected through the N4 interface.
  • The network elements that may be involved in the communication method provided by the present application mainly include a terminal, an AMF network element, an AUSF network element, an NRF network element, and a UDM network element.
  • the main functions are as follows:
  • A terminal is a device with wireless transceiver capability. It can be deployed on land, indoors or outdoors, handheld or vehicle-mounted; it can also be deployed on water (for example, on ships) or in the air (for example, on airplanes, balloons, or satellites).
  • The terminal may be a UE, a mobile phone, a tablet, a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medicine, a wireless terminal in a smart grid, a wireless terminal in transport safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
  • The AMF network element is responsible for terminal access management and mobility management. In practical applications, it includes the mobility management function of the mobility management entity (MME) in the LTE network framework and adds an access management function. The function relevant to this application is the management of access authorization and authentication.
  • The AMF network element of the serving network sends an initial authentication request to the AUSF network element of the home network and receives an authentication vector from that AUSF network element to complete authentication of the terminal by the serving network. The AMF network element then initiates a registration procedure and obtains the user subscription data from the UDM network element.
  • It can be understood that in future communications (for example, in 6G), the network element responsible for access management and mobility management may still be an AMF network element or may have another name, which is not limited in this application.
  • The NRF network element provides NF registration and discovery. For example, the AMF network element discovers the AUSF network element through the NRF network element, or the AUSF network element discovers the UDM network element through the NRF network element.
  • It can be understood that in future communications, the network element responsible for network function registration and discovery may still be an NRF network element or may have another name, which is not limited in this application.
  • The AUSF network element is used for authentication. It sends an authentication request message to the UDM network element of the home network to request the authentication vector.
  • It can be understood that in future communications, the network element responsible for authentication may still be an AUSF network element or may have another name, which is not limited in this application.
  • The UDM network element stores user authentication data and user subscription data. It selects the authentication method, generates an authentication vector, and returns the authentication vector to the AUSF network element of the home network.
  • After receiving the registration message sent by the AMF network element of the serving network, the UDM network element of the home network returns the user subscription data. It can be understood that in future communications, the network element responsible for storing the user authentication data and user subscription data may still be a UDM network element or may have another name, which is not limited in this application.
  • the function of the above network element can be either a network component in a hardware device, a software function running on dedicated hardware, or a virtualization function instantiated on a platform (for example, a cloud platform).
  • The present application provides a corresponding communication method and apparatus for the non-roaming scenario, to solve the problem of how the AUSF network element addresses the UDM network element according to the encrypted SUCI during user authentication.
  • The communication method provided by the present application enables the AUSF network element to address the UDM network element according to the encrypted SUCI by deploying the private key on the UDM network element.
  • The communication method provided by the present application enables the AUSF network element to address the UDM network element according to the encrypted SUCI by deploying the private key on the NRF network element.
  • The communication method provided by the present application enables the AUSF network element to address the UDM network element according to the encrypted SUCI by deploying the private key on the AUSF network element.
  • The communication method provided by the present application can partially encrypt the SUPI by deploying a flexible encryption mode on the USIM of the terminal, so that the AUSF network element can address the UDM network element according to the encrypted SUCI.
  • The communication method provided by the present application enables the AUSF network element to address the UDM network element according to the encrypted SUCI in the non-roaming scenario by carrying the user home area information in plaintext within the MSIN.
  • The communication method provided by the present application enables the AMF network element to address the AUSF network element according to the encrypted SUCI by deploying the private key on the NRF network element.
  • The communication method provided by the present application can partially encrypt the SUPI by deploying a flexible encryption mode on the USIM of the terminal, so that the AMF network element can address the AUSF network element according to the encrypted SUCI.
  • The communication method provided by the present application enables the AMF network element to address the AUSF network element according to the encrypted SUCI in the non-roaming scenario by carrying the user home area information in plaintext within the MSIN.
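The following Python model is an added illustration of the addressing schemes summarized above; it is not code from the patent or from its applicant. It shows the two SUCI forms described in the method aspects (a first SUCI whose leading home-area digits of the MSIN stay in plaintext, used when the terminal is on its home network, and a second SUCI whose MSIN is entirely ciphertext, used when roaming, with the home area information sent alongside the registration request), the routing decision an AMF or AUSF can make from that plaintext alone, and the decrypt-and-redirect behaviour of a first UDM that holds the private key and returns the home UDM's address when it is not itself the home UDM. Everything concrete here is an assumption: the PLMN "46000", the two-digit home area taken from the start of the MSIN, the routing table `UDM_BY_AREA`, and the message field names. The ECIES public/private key pair of the real scheme is stood in for by a single placeholder key from which a digit stream is derived with `hashlib`; this is not a secure cipher and only models the property that ciphertext digits carry no routing information.

```python
"""Model of SUCI-based AUSF/UDM addressing (added example, not the patent's code)."""
import hashlib

HOME_PLMN = "46000"              # constructed: MCC 460, MNC 00
HOME_AREA_DIGITS = 2             # assumption: leading MSIN digits identify the user's home area
KEY_PAIR = b"placeholder-for-home-network-ecies-key-pair"  # stands in for the public/private key pair
UDM_BY_AREA = {                  # constructed routing table: home area -> home UDM address
    "13": "udm-13.home.example",
    "27": "udm-27.home.example",
}


def _digit_stream(key: bytes, n: int) -> list:
    """Deterministic digit stream derived from the key (placeholder for the ECIES key stream)."""
    out, counter = [], 0
    while len(out) < n:
        block = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        out.extend(b % 10 for b in block)
        counter += 1
    return out[:n]


def _shift_digits(digits: str, key: bytes, direction: int) -> str:
    """Add (+1) or subtract (-1) the key stream digit-wise, modulo 10."""
    stream = _digit_stream(key, len(digits))
    return "".join(str((int(d) + direction * k) % 10) for d, k in zip(digits, stream))


def conceal(digits: str, key: bytes) -> str:
    return _shift_digits(digits, key, +1)


def reveal(digits: str, key: bytes) -> str:
    return _shift_digits(digits, key, -1)


def build_first_suci(supi: str, pub_key: bytes) -> dict:
    """First SUCI (home network): home-area digits stay plaintext, rest of the MSIN is ciphertext."""
    plmn, msin = supi[:5], supi[5:]
    area, rest = msin[:HOME_AREA_DIGITS], msin[HOME_AREA_DIGITS:]
    return {"plmn": plmn, "msin": area + conceal(rest, pub_key), "partial": True}


def build_second_suci(supi: str, pub_key: bytes) -> dict:
    """Second SUCI (roaming): the whole MSIN is ciphertext."""
    plmn, msin = supi[:5], supi[5:]
    return {"plmn": plmn, "msin": conceal(msin, pub_key), "partial": False}


def registration_request(supi: str, serving_plmn: str, pub_key: bytes) -> dict:
    """Fifth message from the terminal; the encryption mode follows the serving network."""
    if serving_plmn == supi[:5]:                      # serving network is the home network
        return {"suci": build_first_suci(supi, pub_key)}
    home_area = supi[5:5 + HOME_AREA_DIGITS]          # roaming: home area travels beside the SUCI
    return {"suci": build_second_suci(supi, pub_key), "home_area": home_area}


def plaintext_home_area(msg: dict):
    """Routing information an AMF or AUSF can read without holding any private key."""
    suci = msg["suci"]
    if suci["partial"]:
        return suci["msin"][:HOME_AREA_DIGITS]
    return msg.get("home_area")


def select_home_udm(msg: dict) -> str:
    """AUSF-side addressing from plaintext only; fails when no routing information is visible."""
    area = plaintext_home_area(msg)
    if area is None:
        raise ValueError("SUCI carries no plaintext routing information; use decrypt-and-redirect")
    return UDM_BY_AREA[area]


def decrypt_suci(suci: dict, priv_key: bytes) -> str:
    """Recover the SUPI; only a network element holding the private key can do this."""
    field = suci["msin"]
    if suci["partial"]:
        msin = field[:HOME_AREA_DIGITS] + reveal(field[HOME_AREA_DIGITS:], priv_key)
    else:
        msin = reveal(field, priv_key)
    return suci["plmn"] + msin


def first_udm_handle(self_addr: str, suci: dict, priv_key: bytes) -> dict:
    """Third message at a first UDM holding the private key: serve, or answer with a redirect."""
    supi = decrypt_suci(suci, priv_key)
    home_udm = UDM_BY_AREA[supi[5:5 + HOME_AREA_DIGITS]]
    if home_udm != self_addr:                         # fourth message: home UDM addressing info
        return {"redirect_to": home_udm}
    return {"auth_vector_for": supi}                  # home UDM: generate the authentication vector


if __name__ == "__main__":
    supi = HOME_PLMN + "2734567890"                   # constructed sample subscriber
    home = registration_request(supi, HOME_PLMN, KEY_PAIR)
    roam = registration_request(supi, "26201", KEY_PAIR)
    print("home network :", home["suci"]["msin"], "->", select_home_udm(home))
    print("roaming      :", roam["suci"]["msin"], "->", select_home_udm(roam))
    print("first UDM    :", first_udm_handle("udm-13.home.example", roam["suci"], KEY_PAIR))
```

The trade-off the model makes visible: the first SUCI lets a serving-network AMF or AUSF route without any key material, but the plaintext home-area digits shrink the anonymity set of the concealed identifier, while the second SUCI keeps the whole MSIN hidden and moves the routing hint into a separate field of the registration request. The `select_home_udm` failure path is the case the private-key deployments on the NRF, AUSF, first UDM, or (for roaming) H-SEPP and H-NRF are designed to handle: without a plaintext hint, some element on the path must decrypt and either answer or redirect.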
  • FIG. 1(b) is a schematic diagram of another possible 5G system roaming network architecture applicable to the present application.
  • The network architecture is composed of a roaming serving network and a home network; below, the roaming serving network is referred to as the serving network and the home service network as the home network.
  • The network elements involved in the serving network mainly include a terminal, a (R)AN network element, a UPF network element, an AMF network element, an SMF network element, a PCF network element, an NRF network element, an NEF network element, an NSSF network element, and a security edge protection proxy (SEPP) network element.
  • the network elements involved in the home network mainly include UPF network elements, DN network elements, SMF network elements, AUSF network elements, PCF network elements, AF network elements, UDM network elements, NRF network elements, NEF network elements, and SEPP network elements. It can be understood that the names of the foregoing network elements are only examples, and can be replaced with other network elements having corresponding functions.
  • SEPP network element for topology hiding and control plane message filtering between networks.
  • The AMF network element of the serving network may be referred to as the V-AMF network element, the NRF network element of the serving network as the V-NRF network element, and the SEPP network element of the serving network as the V-SEPP network element; the SEPP network element of the home network may be referred to as the H-SEPP network element, and the NRF network element of the home network as the H-NRF network element.
  • the present application provides a corresponding communication method and apparatus for the roaming scenario, so as to solve the problem of how the V-AMF network element addresses the H-AUSF network element according to the encrypted SUCI during the user authentication process.
  • in the user authentication process of the roaming scenario of the present application, when the V-AMF network element addresses the H-AUSF network element, the V-AMF network element interacts in sequence with the V-NRF network element, the V-SEPP network element, the H-SEPP network element, and the H-NRF network element to address the H-AUSF network element.
  • by deploying the private key for the SUCI on the H-SEPP network element, the communication method provided by the present application enables the V-AMF network element to address the H-AUSF network element according to the encrypted SUCI in the roaming scenario.
  • by deploying the private key for the SUCI on the H-NRF network element, the communication method provided by the present application enables the V-AMF network element to address the H-AUSF network element according to the encrypted SUCI in the roaming scenario.
  • by carrying the user home area information of the MSIN in plaintext, the communication method provided by the present application enables the V-AMF network element to address the H-AUSF network element according to the encrypted SUCI in the roaming scenario.
  • the network function discovery request involved in the present application may be an Nnrf_NF Discovery Service request.
  • the authentication request involved in this application may be an Nnrf_UE Authentication request.
  • the authentication vector acquisition request involved in the present application may be an Nnrf_Authentication Vector Retrieval request.
  • the network element may be a physical entity network element or a virtual network element, which is not limited herein.
  • step numbers are merely for convenience of description, and there is no strict execution relationship between the steps.
  • by deploying the private key on the UDM network element, the communication method provided by the present application enables the AUSF network element to address the UDM network element using the encrypted SUCI.
  • a communication method provided by the present application is shown in FIG. 2, and mainly includes the following method processes:
  • Step 101 The AUSF network element receives the user hidden identifier SUCI from the AMF network element, where the SUCI is used for authentication by the AUSF network element, and the SUCI includes the ciphertext generated according to the public key.
  • the AUSF network element may receive any message from the AMF network element for requesting authentication from the AUSF network element, where the message includes the SUCI.
  • the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, the first message includes the user hidden identifier SUCI, and the SUCI includes the ciphertext generated according to the public key.
  • an AUSF network element may receive an authentication request from an AMF network element, the authentication request including SUCI.
  • the SUCI is obtained by the terminal, or by the USIM of the terminal, encrypting the SUPI; the SUCI includes the ciphertext generated according to the public key, specifically, the ciphertext obtained by the terminal encrypting the MSIN in the SUPI according to the public key.
  • the terminal encrypts the MSIN in the SUPI according to the public key to form the SUCI, and the SUCI formed by any encryption mode of the terminal is within the protection scope of the present application.
  • the encryption method in which the terminal encrypts the MSIN in the SUPI according to the public key to form the SUCI is not limited to the encryption method provided by the present application.
  • the present application provides an encryption method in which the terminal forms the SUCI by encrypting the MSIN in the SUPI according to the public key, as follows:
  • the terminal generates its own public-private key pair, generates a shared key according to its own private key and the locally configured home network public key, and then encrypts SUPI according to the shared key to obtain SUCI.
  • the network side network element may have multiple flexible decryption modes for decrypting the SUCI according to the private key, and is not limited to the decryption mode provided by the present application. For example, the decryption process is as follows:
  • the network side network element (such as the AUSF, UDM, NRF, H-SEPP, or H-NRF network element) first generates a shared key according to the public key of the terminal and the locally configured home network private key, and then decrypts the SUCI according to the shared key to obtain the SUPI.
  • the SUPI has two formats: one is the IMSI format, and the other is the network access identifier (NAI) format.
  • the SUPI in the NAI format can be derived from the IMSI by prefixing it and appending a domain name; for details, see 3GPP TS 23.003. In this application, only the IMSI format is described, and the NAI format can be derived according to the same rules.
  • an example of the IMSI format is 234150999999999.
  • the corresponding NAI format can be 0234150999999999@nai.epc.mnc015.mcc234.3gppnetwork.org.
  • the IMSI can be divided into three parts, MCC+MNC+MSIN, where the MCC is the mobile country code (for example, China's mobile country code is 460), the MNC is the mobile network code (for example, China Telecom's mobile network code is 03), and the MSIN is the mobile subscriber identification number used to distinguish different users.
  • the SUCI obtained by encrypting SUPI includes the MCC of the plaintext, the MNC of the plaintext, and the MSIN of the ciphertext.
  • the MSIN is further divided into n-digit user home area information and an m-digit remaining number segment.
  • for example, the MSIN is divided as H1H2H3H4X1X2X3X4X5X6, where the first four digits H1H2H3H4 of the MSIN are used to indicate the province where the user is located.
  • the first four digits H1H2H3H4 of the MSIN are referred to as the user home area information.
  • the number of digits n of the user home area information and the number of digits m of the remaining number segment may differ from the above; this application describes the MSIN by taking China as an example.
  • the user attribution area information in this application may be used to determine the UDM network element and/or the AUSF network element of the user's home location.
  • the user home area information H1H2H3H4 is used to indicate the province where the user is located; when the AMF network element addresses the AUSF network element, the AUSF network element of the province where the user is located may be determined according to the plaintext user home area information.
  • the AUSF network element may determine the UDM network element of the province where the user is located according to the plaintext user home area information.
  • the ciphertext included in the SUCI may be an MSIN ciphertext, which means that the user home zone information H1H2H3H4 and the remaining number segments X1X2X3X4X5X6 of the MSIN are all encrypted into ciphertext.
  • Step 102 The AUSF network element sends the SUCI to a first UDM network element, where the SUCI is used by the first UDM network element to generate an authentication vector.
  • the AUSF network element may send, to the first UDM network element, any message that can be used to request the first UDM network element to obtain an authentication vector, where the message includes the SUCI.
  • the AUSF network element sends a third message to the first UDM network element, where the third message is used to request the first UDM network element to obtain an authentication vector, and the third message includes the SUCI.
  • the AUSF network element may send an authentication vector acquisition request to the first UDM network element, where the authentication vector acquisition request includes SUCI.
  • the first UDM network element may be any UDM network element of the home network, or may be a UDM network element determined by the AUSF network element from multiple UDM network elements of the home network according to the local policy.
  • Step 103 The first UDM network element receives the SUCI from the AUSF network element, and decrypts the SUCI according to the local private key to obtain decryption information of the SUCI.
  • the first UDM network element receives a third message from the AUSF network element, where the third message is used to request the first UDM network element to obtain an authentication vector, where the third message includes the SUCI.
  • the first UDM network element receives an authentication vector acquisition request from an AUSF network element, and the authentication vector acquisition request includes SUCI.
  • the first UDM network element decrypts the SUCI according to the local private key, and may have multiple flexible decryption modes. For example, the first UDM network element may fully decrypt the MSIN in the SUCI according to the local private key and restore the plaintext MSIN; alternatively, it may partially decrypt the MSIN in the SUCI according to the local private key and restore only the plaintext user home area information H1H2H3H4.
  • SUCI's decryption information can be flexibly configured.
  • the decryption information of SUCI includes SUPI, which is obtained based on the MCC, MNC, and MSIN of the plaintext.
  • the decryption information of the SUCI includes user home zone information, that is, the number segment H1H2H3H4 of the MSIN.
  • Step 104 The first UDM network element sends the decryption information of the SUCI or the addressing information of the home UDM network element to the AUSF network element.
  • the first UDM network element sends any type of message to the AUSF network element, where the message includes the decryption information of the SUCI or the addressing information of the home UDM network element.
  • the first UDM network element sends a fourth message to the AUSF network element according to the decryption information of the SUCI, where the fourth message includes the decryption information of the SUCI or the addressing information of the home UDM network element.
  • for example, the first UDM network element sends a redirect message to the AUSF network element according to the decryption information of the SUCI, where the redirect message includes the decryption information of the SUCI or the addressing information of the home UDM network element.
  • the fourth message includes SUPI.
  • the fourth message includes the user home zone information.
  • the addressing information of the home UDM network element may be any type of information used to address the home UDM network element.
  • the addressing information of the home UDM network element may be the address information of the home UDM network element.
  • the addressing information of the home UDM network element may be obtained by the first UDM network element according to the decryption information of the SUCI.
  • the first UDM network element can determine the home UDM network element and acquire the addressing information of the home UDM network element according to the MCC+MNC and the user home area information H1H2H3H4.
  • the home UDM network element stores the home user data, including the authentication data and the subscription data.
  • Step 105 The AUSF network element receives the addressing information of the home UDM network element or the decryption information of the SUCI from the first UDM network element, and the AUSF network element sends the SUCI to the home UDM network element associated with the addressing information of the home UDM network element or with the decryption information of the SUCI, where the SUCI is used by the home UDM network element to generate an authentication vector.
  • the AUSF network element may send any type of message to the home UDM network element, where the message is used to request the home UDM network element to obtain an authentication vector, and the message includes the SUCI.
  • the AUSF network element sends, according to the fourth message, a third message to the home UDM network element associated with the addressing information of the home UDM network element or with the decryption information of the SUCI, where the third message is used to request the home UDM network element to obtain an authentication vector.
  • the AUSF network element may send an authentication vector acquisition request to the home UDM network element, where the authentication vector acquisition request includes the SUCI.
  • the AUSF network element sends, according to the fourth message, a third message to the home UDM network element associated with the addressing information of the home UDM network element or the decryption information of the SUCI, including:
  • the AUSF network element determines the home UDM network element according to the addressing information of the home UDM network element or the decryption information of the SUCI, and the AUSF network element sends the third message to the home UDM network element.
  • the AUSF network element determines the home UDM network element according to the SUPI (at least according to the MCC, the MNC, and the user home area information H1H2H3H4).
  • the AUSF network element determines the home UDM network element according to the MCC and the MNC in the SUCI and the user home area information included in the fourth message.
  • the AUSF network element may directly determine the home UDM network element according to the addressing information of the home UDM network element.
  • the third message includes the SUCI, so that the home UDM network element decrypts the SUCI according to the local private key to obtain the SUPI, generates an authentication vector according to the SUPI, and feeds back the authentication vector to the AUSF network element.
  • Step 106 The AUSF network element receives an authentication vector from the home UDM network element.
  • the first UDM network element may also determine the home UDM network element according to the decryption information of the SUCI, and then send a fourth message to the AUSF network element.
  • the foregoing step 104 may be replaced by: the first UDM network element determines the home UDM network element according to the decryption information of the SUCI; and when it determines that the home UDM network element is not the first UDM network element, the first UDM network element sends a fourth message to the AUSF network element, where the fourth message includes the decryption information of the SUCI or the addressing information of the home UDM network element.
  • the AUSF network element may directly send the SUPI to the home UDM network element, omitting the decryption process of the home UDM network element. The sending step is then replaced by: the AUSF network element sends the SUPI to the home UDM network element, so that the home UDM network element directly generates an authentication vector according to the SUPI.
  • the foregoing step 103 may be replaced by: the first UDM network element receives the SUCI from the AUSF network element, and the first UDM network element decrypts the SUCI according to the local private key to obtain the SUPI.
  • step 104 to step 105 may be replaced by: the first UDM network element determines the home UDM network element according to the SUPI; and when the home UDM network element is the first UDM network element, the first UDM network element obtains an authentication vector according to the SUPI and sends the authentication vector to the AUSF network element.
  • the above step 106 may be replaced by: the AUSF network element receiving an authentication vector from the first UDM network element.
  • the foregoing step 103 may be replaced by: the first UDM network element receives the SUCI from the AUSF network element, and the first UDM network element decrypts the SUCI according to the local private key to obtain the SUPI.
  • the first UDM network element receives a third message from the AUSF network element, where the third message is used to request the first UDM network element to obtain an authentication vector, where the third message includes the SUCI.
  • the third message may be an authentication vector acquisition request.
  • step 104 to step 106 may be replaced by the following steps: the first UDM network element determines the home UDM network element according to the SUPI; and when the home UDM network element is a second UDM network element, the first UDM network element obtains the authentication vector from the second UDM network element and sends the authentication vector to the AUSF network element.
  • the obtaining, by the first UDM network element, the authentication vector from the second UDM network element includes:
  • the first UDM network element sends a third message to the second UDM network element, where the third message is used to request the second UDM network element to obtain an authentication vector, the third message.
  • the third message may be an authentication vector acquisition request.
  • the above step 107 may be replaced by: the AUSF network element receiving an authentication vector from the first UDM network element.
  • the foregoing step 103 may be replaced by: the first UDM network element receives the SUCI from the AUSF network element, and the first UDM network element decrypts the SUCI according to the local private key to obtain the SUPI.
  • step 104 to step 106 may be replaced by: the first UDM network element determines the home UDM network element according to the SUPI; and when the home UDM network element is the second UDM network element, the first UDM network element sends the SUPI to the second UDM network element, where the SUPI is used by the second UDM network element to generate an authentication vector, so that the second UDM network element sends the authentication vector to the AUSF network element after generating it according to the SUPI.
  • the first UDM network element sends a third message to the second UDM network element, where the third message is used to request the second UDM network element to obtain an authentication vector, and the third message includes the SUPI, so that the second UDM network element generates the authentication vector according to the SUPI.
  • the third message may be an authentication vector acquisition request.
  • the above step 106 may be replaced by: the AUSF network element receiving an authentication vector from the second UDM network element.
  • the foregoing step 103 may be replaced by: the first UDM network element receives the SUCI from the AUSF network element, and the first UDM network element decrypts the SUCI according to the local private key to obtain the SUPI.
  • step 104 to step 105 may be replaced by the following steps: the first UDM network element determines the home UDM network element according to the SUPI; and when the home UDM network element is a second UDM network element, the first UDM network element sends the SUCI to the second UDM network element, where the SUCI is used by the second UDM network element to generate an authentication vector, so that the second UDM network element decrypts the SUCI according to the local private key to obtain the SUPI, generates an authentication vector according to the SUPI, and then sends the authentication vector to the AUSF network element.
  • the above step 106 may be replaced by: the AUSF network element receiving an authentication vector from the second UDM network element.
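The terminal-side encryption described above, the partial decryption that restores only H1H2H3H4, and the first-UDM redirect of steps 101 to 106 (including the case where the first UDM network element is itself the home UDM network element), as an added Python example that is not part of the patent or of any 3GPP specification. It assumes finite-field Diffie-Hellman over the RFC 3526 group 14 modulus in place of the elliptic-curve profile, an HMAC-SHA256 counter keystream in place of AES-CTR, a two-digit MNC, and a constructed H1H2H3H4-to-UDM table; the authentication vector is a labelled stand-in digest.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime and generator; assumed stand-in for the
# elliptic-curve profile a real deployment would use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
MNC_LEN = 2  # assumed two-digit MNC, as in the page's IMSI example 234150999999999


def keygen():
    """One party's (private, public) pair: the terminal's own pair or the home network's pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(own_priv, peer_pub):
    """Terminal: (own private, home public); network: (home private, terminal public).
    Both sides reach the same DH secret, which is hashed into a 256-bit key."""
    secret = pow(peer_pub, own_priv, P).to_bytes(256, "big")
    return hmac.new(b"suci-example-kdf", secret, hashlib.sha256).digest()


def keystream(key, length):
    """HMAC-SHA256 counter keystream (stand-in for AES-CTR); a prefix of the
    ciphertext can therefore be decrypted on its own."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def parse_supi(imsi):
    """Split an IMSI-format SUPI into MCC, MNC and the 10-digit MSIN H1H2H3H4X1..X6."""
    if not imsi.isdigit() or len(imsi) != 3 + MNC_LEN + 10:
        raise ValueError("unexpected SUPI length")
    return imsi[:3], imsi[3:3 + MNC_LEN], imsi[3 + MNC_LEN:]


def terminal_build_suci(imsi, home_pub):
    """Terminal side: plaintext MCC and MNC, encrypted MSIN, plus the terminal public key."""
    mcc, mnc, msin = parse_supi(imsi)
    ue_priv, ue_pub = keygen()
    ks = keystream(shared_key(ue_priv, home_pub), len(msin))
    msin_ct = bytes(b ^ k for b, k in zip(msin.encode(), ks))
    return {"mcc": mcc, "mnc": mnc, "ue_pub": ue_pub, "msin_ct": msin_ct}


def network_decrypt(suci, home_priv, digits=10):
    """Network side: restore the first `digits` of the MSIN; digits=4 is the partial
    decryption that yields only the user home area information H1H2H3H4."""
    ks = keystream(shared_key(home_priv, suci["ue_pub"]), digits)
    plain = bytes(b ^ k for b, k in zip(suci["msin_ct"][:digits], ks))
    if not plain.isdigit():
        raise ValueError("SUCI decryption failed (wrong key or corrupted SUCI)")
    return plain.decode()


# Constructed table: (MCC, MNC, H1H2H3H4) -> the UDM holding that home area's subscribers.
UDM_TABLE = {
    ("460", "03", "0999"): "udm-north.example",
    ("460", "03", "1234"): "udm-south.example",
}


class UDM:
    """A UDM network element holding the (shared) home network private key."""

    def __init__(self, name, home_priv):
        self.name, self.home_priv = name, home_priv

    def handle_av_request(self, suci):
        """Steps 103-104: partially decrypt, find the home UDM, redirect if it is not us."""
        home_area = network_decrypt(suci, self.home_priv, digits=4)
        home_udm = UDM_TABLE[(suci["mcc"], suci["mnc"], home_area)]
        if home_udm != self.name:
            return {"redirect": home_udm, "home_area": home_area}
        supi = suci["mcc"] + suci["mnc"] + network_decrypt(suci, self.home_priv)
        # Stand-in for authentication-vector generation: a digest bound to the SUPI.
        return {"av": hashlib.sha256(b"av:" + supi.encode()).hexdigest()}


def ausf_authenticate(suci, first_udm, udms):
    """Steps 102-106: send the SUCI to a first UDM and follow its redirect to the home UDM.
    Returns (authentication vector, names of the UDMs contacted in order)."""
    hops = [first_udm.name]
    reply = first_udm.handle_av_request(suci)
    if "redirect" in reply:
        hops.append(reply["redirect"])
        reply = udms[reply["redirect"]].handle_av_request(suci)
    return reply["av"], hops
```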
  • by deploying the private key on the NRF network element, the communication method provided by the present application enables the AUSF network element to address the UDM network element using the encrypted SUCI.
  • the communication method mainly includes the following method processes:
  • Step 201 The AUSF network element receives the user hidden identifier SUCI from the AMF network element, where the SUCI is used for the AUSF network element authentication, and the SUCI includes the ciphertext generated according to the public key.
  • the ciphertext included in the SUCI may be an MSIN ciphertext, which means that the user home zone information H1H2H3H4 and the remaining number segments X1X2X3X4X5X6 of the MSIN are all encrypted into ciphertext.
  • the AUSF network element receives any message from the AMF network element for requesting authentication from the AUSF network element, and the message includes the SUCI.
  • the AUSF network element receives the first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, where the first message includes the user hidden identifier SUCI.
  • an AUSF network element may receive an authentication request from an AMF network element, the authentication request including SUCI.
  • Step 202 The AUSF network element sends the SUCI to an NRF network element, where the SUCI is used by an NRF network element to discover a UDM network element.
  • when the AUSF network element sends the SUCI to the NRF network element, the AUSF network element may send any message to the NRF network element for requesting the NRF network element to discover the UDM network element, where the message includes the SUCI.
  • the AUSF network element sends a second message to the NRF network element, where the second message is used to request the NRF network element to discover the UDM network element, and the second message includes the SUCI.
  • the AUSF network element sends a network function discovery request to the NRF network element, where the network function discovery request includes the SUCI.
  • Step 203 The NRF network element receives the SUCI from the AUSF network element, the NRF network element decrypts the SUCI according to the local private key to obtain the decryption information of the SUCI, and the NRF network element sends first addressing information to the AUSF network element according to the decryption information of the SUCI, where the first addressing information is UDM network element addressing information obtained by the NRF network element according to the decryption information of the SUCI.
  • for details about decrypting the SUCI according to the local private key, refer to step 103 in the foregoing embodiment; details are not described herein.
  • SUCI's decryption information can be flexibly configured.
  • the decryption information of SUCI includes SUPI, which is obtained based on the MCC, MNC, and MSIN of the plaintext.
  • the decryption information of the SUCI includes user home zone information, that is, the number segment H1H2H3H4 of the MSIN.
  • the first addressing information can also be flexibly configured.
  • the first addressing information includes one or more UDM network element addresses associated with the user home area information.
  • the UDM network element address may be an IP address of the UDM network element, endpoint information (such as a URL) of the UDM network element, or a fully qualified domain name (FQDN) of the UDM network element.
  • the first addressing information includes a SUPI in addition to one or more UDM network element addresses associated with the user home area information.
  • the first addressing information includes the user home area information in addition to one or more UDM network element addresses associated with the user home area information.
  • Step 204 The AUSF network element receives the first addressing information from the NRF network element, and the AUSF network element sends, according to the first addressing information, the SUCI to the home UDM network element associated with the first addressing information, where the SUCI is used by the home UDM network element to generate an authentication vector.
  • the AUSF network element may send, to the home UDM network element, any message for requesting the home UDM network element to obtain an authentication vector, where the message includes the SUCI.
  • the AUSF network element sends, according to the first addressing information, a third message to the home UDM network element associated with the first addressing information, where the third message is used to request the home UDM network element to obtain an authentication vector, and the third message includes the SUCI.
  • the AUSF network element may send an authentication vector acquisition request to the home UDM network element, where the authentication vector acquisition request includes the SUCI.
  • before the AUSF network element sends the third message to the home UDM network element associated with the first addressing information, the method further includes:
  • the AUSF network element determines, according to the first addressing information, a home UDM network element associated with the first addressing information.
  • the AUSF network element may save the association between the user home area information and the UDM network element address carried in the first addressing information, so that the next time the AUSF network element performs addressing, it can directly address the home UDM network element according to that association; this reduces the number of interactions between the AUSF network element and the NRF network element and saves signaling overhead.
  • the AUSF network element may save the association among the user home area information, the UDM network element address, and the validity period information of the user home area information carried in the first addressing information.
  • the AUSF network element may, according to the local policy, poll the plurality of UDM network element addresses in the first addressing information until the home UDM network element is addressed, or preferentially select a high-priority UDM network element address according to the priority information of the plurality of UDM network element addresses in the first addressing information, or randomly select a UDM network element address.
  • Step 205 The AUSF network element receives an authentication vector from the home UDM network element.
  • step 204 is applicable to the application scenario in which the home UDM network element supports the SUCI decryption.
  • after the home UDM network element receives the SUCI, it decrypts the SUCI according to the local private key to obtain the SUPI, and generates an authentication vector according to the SUPI.
  • the foregoing step 204 may further be replaced by: the AUSF network element sends, according to the first addressing information, the SUPI to the home UDM network element associated with the first addressing information, where the SUPI is used by the home UDM network element to generate an authentication vector.
  • the SUPI is obtained by the NRF network element decrypting the SUCI according to the local private key.
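The AUSF-side cache of step 204, where the association between (MCC, MNC, H1H2H3H4) and the UDM addresses returned by the NRF network element is kept together with its validity period so that later authentications skip the NRF query, and the priority-based or polling selection among several UDM addresses, as an added Python example that is not part of the patent. The shape of the NRF answer, the `fake_nrf` stand-in and the addresses are constructed assumptions.

```python
import time


class AusfUdmCache:
    """Keeps the home-area -> UDM-address association learned from the NRF."""

    def __init__(self, nrf_lookup, now=time.time):
        self.nrf_lookup = nrf_lookup  # callable (mcc, mnc, home_area) -> first addressing info
        self.now = now                # clock, injectable for deterministic tests
        self.table = {}               # (mcc, mnc, home_area) -> (entries, expires_at)
        self.nrf_queries = 0          # how often the NRF actually had to be asked

    def addresses(self, mcc, mnc, home_area):
        """Return the UDM address entries, asking the NRF only on a miss or expiry."""
        key = (mcc, mnc, home_area)
        hit = self.table.get(key)
        if hit and hit[1] > self.now():
            return hit[0]             # association still valid: no NRF interaction
        info = self.nrf_lookup(mcc, mnc, home_area)
        self.nrf_queries += 1
        self.table[key] = (info["udm_addresses"], self.now() + info["validity_s"])
        return info["udm_addresses"]

    def select(self, mcc, mnc, home_area, policy="priority"):
        """Local policy: the highest-priority address (lowest number), or the
        polling order in which addresses are tried until the home UDM answers."""
        entries = self.addresses(mcc, mnc, home_area)
        if policy == "priority":
            return min(entries, key=lambda e: e["priority"])["fqdn"]
        return [e["fqdn"] for e in entries]


def fake_nrf(mcc, mnc, home_area):
    """Constructed stand-in for the NRF reply to a discovery request: several UDM
    addresses for the home area, each with a priority, plus a validity period."""
    return {
        "udm_addresses": [
            {"fqdn": f"udm1-{home_area}.example", "priority": 10},
            {"fqdn": f"udm2-{home_area}.example", "priority": 1},
        ],
        "validity_s": 60,
    }
```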
  • by deploying the private key on the AUSF network element, the communication method provided by the present application enables the AUSF network element to address the UDM network element using the encrypted SUCI.
  • the first implementation manner of the present application is applicable to a scenario in which an AUSF network element supports interaction with a UDM network element across a region.
  • the communication method mainly includes the following method processes:
  • Step 301 The first AUSF network element receives the SUCI from the AMF network element, the SUCI is used for the first AUSF network element authentication, and the SUCI includes the ciphertext generated according to the public key.
  • the ciphertext included in the SUCI may be the MSIN ciphertext, which means that the user home zone information H1H2H3H4 and the remaining number segments X1X2X3X4X5X6 of the MSIN are all encrypted into ciphertext.
  • the AUSF network element receives any message from the AMF network element for requesting authentication from the AUSF network element, and the message includes the SUCI.
  • the AUSF network element receives the first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, where the first message includes the user hidden identifier SUCI.
  • an AUSF network element may receive an authentication request from an AMF network element, the authentication request including SUCI.
  • Step 302 The first AUSF network element decrypts the SUCI according to a local private key to obtain a SUPI.
  • for details about decrypting the SUCI according to the local private key, refer to step 103 in the foregoing embodiment; details are not described herein.
  • Step 303 The first AUSF network element sends, according to the SUPI, the SUPI to the home UDM network element associated with the SUPI, where the SUPI is used by the home UDM network element to generate an authentication vector.
  • the AUSF network element may send, to the home UDM network element, any message for requesting the home UDM network element to obtain an authentication vector, where the message includes the SUPI.
  • the AUSF network element sends a third message to the home UDM network element associated with the SUPI, where the third message is used to request the home UDM network element to obtain an authentication vector, and the third message includes the SUPI, so that the home UDM network element generates an authentication vector according to the SUPI.
  • the AUSF network element may send an authentication vector acquisition request to the home UDM network element, where the authentication vector acquisition request includes SUPI.
  • the first AUSF network element is any AUSF network element that can directly interact with the UDM network element located in the same user home area as the second AUSF network element.
  • the home UDM network element may be a UDM network element that is located in the same user home area as the first AUSF network element, or may be a UDM network element that is located in the same user home area as the second AUSF network element.
  • Step 304 The first AUSF network element receives an authentication vector from the home UDM network element.
  • the foregoing step 303 and step 304 may be replaced as follows:
  • the above step 303 is replaced by: the first AUSF sending the SUPI to the home AUSF network element associated with the SUPI.
  • the first AUSF sends a first message to the home AUSF network element associated with the SUPI, where the first message is used to request authentication from the home AUSF network element, where the first message includes the SUPI, so that the home AUSF network element obtains an authentication vector from the home UDM network element according to the SUPI.
  • the first message is an authentication request, and the SUPI is included in the authentication request.
  • the first AUSF sending the SUPI to the home AUSF network element associated with the SUPI includes: the first AUSF network element determines the home AUSF network element according to the SUPI, and when the home AUSF network element is the second AUSF network element, the first AUSF network element sends the SUPI to the second AUSF network element, where the SUPI is used to request authentication from the second AUSF network element, so that the second AUSF network element obtains an authentication vector from the home UDM network element according to the SUPI.
  • the foregoing step 304 may be replaced by: the first AUSF network element receiving the authentication vector from the second AUSF network element.
  • the first AUSF network element is an AUSF network element that only supports interaction with the UDM network element located in the same user home area as the first AUSF network element.
  • the home UDM network element herein refers to a UDM network element that is located in the same user home zone as the second AUSF network element.
  • the second AUSF network element obtaining the authentication vector from the home UDM network element according to the SUPI includes: the second AUSF network element sends the SUPI to the home UDM network element, where the SUPI is used to request an authentication vector from the home UDM network element.
  • the first AUSF network element determines the home AUSF network element according to the SUPI, and the first AUSF network element sends the SUPI to the home UDM network element located in the same user home area as the first AUSF network element, where the SUPI is used to request an authentication vector from that home UDM network element.
  • correspondingly, the foregoing step 304 is replaced by: the first AUSF network element receiving the authentication vector from the home UDM network element located in the same user home area as the first AUSF network element.
  • the communication method mainly includes the following method flow:
  • Step 401 The AMF network element sends a SUCI to the first AUSF network element, where the SUCI is used for authentication by the first AUSF network element, and the SUCI includes the ciphertext generated according to the public key.
  • the ciphertext included in the SUCI may be the MSIN ciphertext, which means that the user home zone information H1H2H3H4 and the remaining number segments X1X2X3X4X5X6 of the MSIN are all encrypted into ciphertext.
  • when the AMF network element sends the SUCI to the first AUSF network element, it may send any message for requesting authentication from the AUSF network element, where the message includes the SUCI.
  • the AMF network element sends a first message to the first AUSF network element, where the first message is used to request authentication from the first AUSF network element, where the first message includes the user hidden identifier SUCI.
  • the AMF network element sends an authentication request to the first AUSF network element, where the authentication request includes SUCI.
  • Step 402 The first AUSF network element receives the SUCI from the AMF network element, and decrypts the SUCI according to the local private key to obtain the SUPI.
  • for details about decrypting the SUCI according to the local private key, refer to step 103 in the foregoing embodiment; details are not described herein.
  • Step 403 The first AUSF network element sends the SUPI or the addressing information of the home AUSF network element to the AMF network element according to the SUPI.
  • the addressing information of the home AUSF network element is obtained from the decryption information that the first AUSF network element obtains by decrypting the SUCI according to the local private key.
  • the first AUSF sends a fourth message to the AMF network element according to the SUPI, where the fourth message includes addressing information of the SUPI or a home AUSF network element.
  • the fourth message is a redirect message
  • the redirect message includes addressing information of the SUPI or the home AUSF network element.
  • the addressing information of the home AUSF network element may be any type of information used to address the home AUSF network element.
  • the addressing information of the home AUSF network element may be the address information of the home AUSF network element.
  • the first AUSF sending a fourth message to the AMF network element according to the SUPI includes: the first AUSF network element determines a home AUSF network element according to the SUPI, and when the home AUSF network element is the second AUSF network element, the first AUSF network element sends the fourth message to the AMF network element.
  • Step 404 The AMF network element receives the SUPI or the addressing information of the home AUSF network element from the first AUSF network element, and sends the SUPI to the home AUSF network element, where the SUPI is used for authentication by the home AUSF network element, and the home AUSF network element is the AUSF network element associated with the SUPI or with the addressing information of the home AUSF network element.
  • when the AMF network element sends the SUPI to the home AUSF network element, it may send any message for requesting authentication from the home AUSF network element, where the message includes the SUPI.
  • the AMF network element receives a fourth message from the first AUSF network element, and the AMF network element sends a first message to the home AUSF network element according to the fourth message, where the first message is used to request authentication from the home AUSF network element.
  • the AMF network element sends an authentication request to the home AUSF network element, where the authentication request includes SUPI.
  • the AMF network element sending the SUPI to the home AUSF network element specifically includes: the AMF network element determines a home AUSF network element according to the fourth message, and sends the first message to the determined home AUSF network element.
  • the AMF network element determining the home AUSF network element according to the fourth message includes: when the fourth message includes the SUPI, the AMF network element determines the home AUSF network element according to the SUPI; and when the fourth message includes the addressing information of the home AUSF network element, the AMF network element determines the home AUSF network element according to the addressing information of the home AUSF network element.
  • the AMF network element sending the first message to the determined home AUSF network element includes: when the home AUSF network element is the second AUSF network element, the AMF network element sends the SUPI to the second AUSF network element, and the SUPI is used for authentication by the second AUSF network element.
  • Step 405 The home AUSF network element receives the SUPI from the AMF network element, and sends the SUPI to the home UDM network element, where the SUPI is used by the home UDM network element to generate an authentication vector.
  • the home AUSF network element receives the first message from the AMF network element, where the first message is used to request authentication from the home AUSF network element, where the first message includes the SUPI.
  • the first message is an authentication request
  • the authentication request includes SUPI.
  • when the second AUSF network element receives the SUPI, the second AUSF network element sends the SUPI to the home UDM network element according to the SUPI, so that the home UDM network element generates an authentication vector according to the SUPI and sends the authentication vector to the home AUSF network element.
  • Step 406 The second AUSF network element receives the authentication vector from the home UDM network element.
  • the AMF network element may send the SUPI to the home AUSF network element, or may send the SUCI to the home AUSF network element when the fourth message includes the addressing information of the home AUSF network element.
  • the AMF network element may send the SUCI to the home AUSF network element.
  • the foregoing step 404 may be replaced by the following step: the AMF network element receives the SUPI or the addressing information of the home AUSF network element from the first AUSF network element, and sends the SUCI to the home AUSF network element.
  • the foregoing step 405 may be replaced by the following steps: the home AUSF network element decrypts the SUCI to obtain the SUPI, and the home AUSF network element sends the SUPI to the home UDM network element, so that the home UDM network element generates an authentication vector according to the SUPI.
  • the home AUSF network element may not decrypt the SUCI, and send the SUCI to the home UDM network element.
  • the first AUSF network element may directly send a redirect message to the AMF network element; correspondingly, the foregoing step 403 to step 404 may be replaced as follows:
  • the foregoing step 403 may be replaced by the following step: the first AUSF network element sends the SUPI to the AMF network element according to the SUPI.
  • the first AUSF network element sends a fourth message to the AMF network element, where the fourth message includes the SUPI.
  • the fourth message is a redirect message.
  • the foregoing step 404 may be replaced by the following step: the AMF network element receives the SUPI from the first AUSF network element, and sends the SUPI to the home AUSF network element, where the SUPI is used for authentication by the home AUSF network element.
  • the AMF network element receives a fourth message from the first AUSF network element, and the AMF network element sends a first message to the home AUSF network element according to the fourth message, where the first message is used to request authentication from the home AUSF network element, and the first message includes the SUPI.
  • the following describes how the AMF network element addresses the AUSF network element in different scenarios according to the present application.
  • the communication method provided by the present application implements the AMF network element to use the encrypted SUCI to address the AUSF network element by deploying the private key on the NRF network element.
  • Step 501 The AMF network element sends a SUCI to the NRF network element, where the SUCI is used by the NRF network element to discover an AUSF network element, and the SUCI includes a ciphertext generated according to the public key.
  • the ciphertext included in the SUCI may be an MSIN ciphertext, which means that the user home zone information H1H2H3H4 and the remaining number segments X1X2X3X4X5X6 of the MSIN are all encrypted into ciphertext.
  • when the AMF network element sends the SUCI to the NRF network element, it may send any message for requesting the NRF network element to discover the AUSF network element, where the message includes the SUCI.
  • the AMF network element sends a second message to the NRF network element, where the second message is used to request the NRF network element to discover the AUSF network element, and the second message includes the SUCI.
  • the AMF network element sends a network function discovery request to the NRF network element, where the network function discovery request includes the SUCI.
  • Step 502 The NRF network element receives the SUCI from the AMF network element, and the NRF network element decrypts the SUCI according to the local private key to obtain the decryption information of the SUCI.
  • the NRF network element sends second addressing information to the AMF network element according to the decryption information of the SUCI, where the second addressing information is AUSF network element addressing information obtained according to the decryption information of the SUCI.
  • for details about decrypting the SUCI according to the local private key, refer to step 103 in the foregoing embodiment; details are not described herein.
  • the NRF network element sending the second addressing information to the AMF network element according to the decryption information of the SUCI includes: the NRF network element obtains the second addressing information according to the decryption information of the SUCI, and sends the second addressing information to the AMF network element.
  • the decryption information of SUCI can also be flexibly configured.
  • the decryption information of SUCI includes SUPI, which is obtained based on the MCC, MNC, and MSIN of the plaintext.
  • the decryption information of the SUCI includes the user home zone information, that is, the number segment H1H2H3H4 of the MSIN.
  • the second addressing information can have multiple configurations.
  • the second addressing information includes one or more AUSF network element addresses associated with user home zone information.
  • the AUSF network element address may be any form of address information for addressing the AUSF network element.
  • the AUSF network element address may be an IP address of the AUSF network element, endpoint information (such as a URL) of the AUSF network element, or a fully qualified domain name (FQDN) of the AUSF network element.
  • the second addressing information includes SUPI in addition to one or more AUSF network element addresses associated with user home area information.
  • the second addressing information includes the user home area information in addition to one or more AUSF network element addresses associated with the user home area information.
  • Step 503 the AMF network element receives second addressing information from the NRF network element, and sends the SUCI to the home AUSF network element associated with the second addressing information according to the second addressing information.
  • the SUCI is used for the home AUSF network element authentication.
  • the AMF network element sending the SUCI to the home AUSF network element associated with the second addressing information according to the second addressing information includes: the AMF network element determines the home AUSF network element according to the second addressing information, and then sends the SUCI to the home AUSF network element.
  • any message that can be used to request authentication from the home AUSF network element may be sent to the home AUSF network element, where the message includes the SUCI.
  • the AMF network element sends a first message to the home AUSF network element associated with the second addressing information according to the second addressing information, where the first message is used to request authentication from the home AUSF network element.
  • the SUCI is included in the first message.
  • the AMF network element sends an authentication request to the home AUSF network element, where the authentication request includes SUCI.
  • the AMF network element may save the association between the user home area information and the AUSF network element address in the second addressing information, so that next time the home AUSF network element can be directly addressed according to the association between the user home area information and the AUSF network element address, which reduces the number of interactions between the AMF network element and the NRF network element and saves signaling overhead.
  • the AMF network element may save the association between the user home area information, the AUSF network element address, and the validity period information of the user home area information in the second addressing information.
  • when the second addressing information contains multiple AUSF network element addresses, the AMF network element may, according to the local policy, poll the multiple AUSF network element addresses until the home AUSF network element is addressed, preferentially select a high-priority AUSF network element address according to the priority information of the multiple AUSF network element addresses in the second addressing information, or randomly select one AUSF network element address.
  • the foregoing step 503 may be replaced by: the AMF network element sending the decryption information of the SUCI to the home AUSF network element, and the decryption information of the SUCI is used for the home AUSF network element authentication.
  • the AMF network element sends, according to the second addressing information, a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element, and the first message includes the decryption information of the SUCI, such as the SUPI or the user home area information.
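The AMF-side handling of the second addressing information from step 501 to step 503 above (the cached association between user home area information and AUSF addresses with its validity period, and the polling, priority or random selection among several AUSF addresses), as an added Python example that is not code from the patent or from any network function implementation; the NRF is replaced by a constructed lookup table, and the field layout, the priority convention and the sample addresses are assumptions.

```python
import random
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AusfAddress:
    """One AUSF network element address inside the second addressing information.

    The address may be an IP address, an endpoint (URL) or an FQDN, as the text
    allows; the priority value is a constructed convention (lower wins).
    """
    address: str
    priority: int


@dataclass(frozen=True)
class SecondAddressingInfo:
    """Constructed layout of what the NRF returns after decrypting the SUCI."""
    home_zone: str           # user home area information H1H2H3H4 (plaintext)
    ausf_addresses: tuple    # one or more AusfAddress entries for that zone
    validity_seconds: int    # validity period of the zone/address association


class AmfAusfResolver:
    """AMF-side addressing of the home AUSF with a cached zone -> addresses map."""

    def __init__(self, nrf_discover, policy="priority", clock=time.time, seed=0):
        # nrf_discover(suci) models steps 501 and 502: the NRF, which holds the
        # private key, decrypts the SUCI and answers with SecondAddressingInfo.
        self._nrf_discover = nrf_discover
        self._policy = policy          # local policy: "priority", "random" or "poll"
        self._clock = clock
        self._rng = random.Random(seed)
        self._cache = {}               # home_zone -> (addresses, expires_at)
        self._poll_cursor = {}         # home_zone -> index of the next address to try
        self.nrf_queries = 0           # NRF interactions, the signalling being saved

    def _cached(self, home_zone):
        """Return the cached addresses for a zone, dropping an expired association."""
        entry = self._cache.get(home_zone)
        if entry is None:
            return None
        addresses, expires_at = entry
        if self._clock() >= expires_at:
            del self._cache[home_zone]
            return None
        return addresses

    def _order(self, home_zone, addresses):
        """Order the candidate AUSF addresses according to the local policy."""
        if self._policy == "priority":
            return sorted(addresses, key=lambda a: a.priority)
        if self._policy == "random":
            picked = list(addresses)
            self._rng.shuffle(picked)
            return picked
        if self._policy == "poll":
            # Rotate through the list so that repeated attempts poll every address.
            start = self._poll_cursor.get(home_zone, 0) % len(addresses)
            self._poll_cursor[home_zone] = start + 1
            return list(addresses[start:]) + list(addresses[:start])
        raise ValueError("unknown local policy %r" % self._policy)

    def candidates(self, suci, home_zone=None):
        """Return the AUSF addresses in the order the AMF should try them.

        home_zone is the plaintext user home area information when the AMF
        already knows it (from a first SUCI, or sent next to a second SUCI).
        With a valid cached association the NRF is not contacted at all.
        """
        addresses = self._cached(home_zone) if home_zone is not None else None
        if addresses is None:
            info = self._nrf_discover(suci)
            self.nrf_queries += 1
            home_zone = info.home_zone
            addresses = tuple(info.ausf_addresses)
            self._cache[home_zone] = (addresses, self._clock() + info.validity_seconds)
        return [a.address for a in self._order(home_zone, addresses)]


# Constructed stand-in for the NRF: the SUCI is treated as an opaque token and
# mapped straight to the information its decryption would yield.
CONSTRUCTED_SUCI = "SUCI(mcc=460,mnc=00,msin=<ciphertext-A>)"
_CONSTRUCTED_NRF_TABLE = {
    CONSTRUCTED_SUCI: SecondAddressingInfo(
        home_zone="1234",
        ausf_addresses=(AusfAddress("ausf-b.zone1234.example", priority=20),
                        AusfAddress("ausf-a.zone1234.example", priority=10)),
        validity_seconds=300,
    ),
}


def constructed_nrf_discover(suci):
    """Models the NRF answering a network function discovery request."""
    return _CONSTRUCTED_NRF_TABLE[suci]
```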
  • the communication method provided by the present application implements the AMF network element to use the encrypted SUCI to address the AUSF network element by deploying the private key on the H-SEPP network element.
  • it mainly includes the following method flow:
  • Step 601 The V-AMF network element sends the SUCI to the H-SEPP network element, where the SUCI is used for H-NRF network element authentication, and the SUCI includes the ciphertext generated according to the public key.
  • the ciphertext included in the SUCI may be the MSIN ciphertext, which means that the user home zone information H1H2H3H4 and the remaining number segments X1X2X3X4X5X6 of the MSIN are all encrypted into ciphertext.
  • when the V-AMF network element sends the SUCI to the H-SEPP network element, it may send to the H-SEPP network element any message that can be used to request authentication from the H-NRF network element, where the message includes the SUCI.
  • the V-AMF network element sends a second message to the H-SEPP network element, where the second message is used to request the home NRF network element to discover the AUSF network element, and the second message includes the user hidden identifier SUCI.
  • the V-AMF network element sends an authentication request to the H-SEPP network element, where the authentication request includes the SUCI.
  • the V-AMF network element may send an authentication request to the H-SEPP network element through the V-NRF network element and the V-SEPP network element, where the authentication request includes the SUCI.
  • Step 602 The H-SEPP network element receives the SUCI from the V-AMF network element, and the H-SEPP network element decrypts the SUCI according to the local private key to obtain the decryption information of the SUCI.
  • the H-SEPP network element sends the decryption information of the SUCI to the H-NRF network element, and the decryption information of the SUCI is used by the H-NRF network element to discover the AUSF network element.
  • the H-SEPP network element receives the second message from the V-AMF network element, where the second message is used to request the home NRF network element to discover the AUSF network element, and the second message includes the user hidden identifier SUCI.
  • the decryption information of SUCI can be flexibly configured.
  • the decryption information of SUCI includes SUPI, which is obtained based on the MCC, MNC, and MSIN of the plaintext.
  • the decryption information of the SUCI includes user home zone information, that is, the number segment H1H2H3H4 of the MSIN.
  • when the H-SEPP network element sends the decryption information of the SUCI to the H-NRF network element, it may send to the H-NRF network element any message for requesting the H-NRF network element to discover the AUSF network element, where the message includes the decryption information of the SUCI.
  • the H-SEPP network element sends a second message to the H-NRF network element, where the second message is used to request the H-NRF network element to discover an AUSF network element, and the second message includes the decryption information of the SUCI.
  • the H-SEPP network element sends a network function discovery request to the H-NRF network element, where the network function discovery request includes the decryption information of the SUCI.
  • Step 603 The H-NRF network element receives the decryption information of the SUCI from the H-SEPP network element, and the H-NRF network element sends the second addressing information to the V-AMF network element according to the decryption information of the SUCI.
  • the second addressing information is AUSF network element addressing information obtained by the H-NRF network element according to the decryption information of the SUCI.
  • the H-NRF network element receives the second message from the H-SEPP network element, where the second message is used to request the H-NRF network element to discover the AUSF network element, and the second message includes the decryption information of the SUCI.
  • the second addressing information can be presented in multiple manners.
  • the second addressing information includes one or more AUSF network element addresses associated with user home zone information.
  • the AUSF network element address may be any form of address information for addressing the AUSF network element.
  • the AUSF network element address may be an IP address of the AUSF network element, endpoint information (such as a URL) of the AUSF network element, or a fully qualified domain name (FQDN) of the AUSF network element.
  • the second addressing information includes SUPI in addition to one or more AUSF network element addresses associated with user home area information.
  • the second addressing information includes the user home area information in addition to one or more AUSF network element addresses associated with the user home area information.
  • the H-NRF network element may send the second addressing information to the V-AMF network element by using the H-SEPP network element and the V-SEPP network element.
  • Step 604 The V-AMF network element receives the second addressing information from the H-NRF network element, and the V-AMF network element sends the SUCI to the home AUSF network element associated with the second addressing information, where the SUCI is used for authentication by the home AUSF network element.
  • the V-AMF network element sending the SUCI to the home AUSF network element associated with the second addressing information includes: the V-AMF network element determines the home AUSF network element according to the second addressing information, and then sends the SUCI to the home AUSF network element.
  • any message that can be used to request authentication from the home AUSF network element may be sent to the home AUSF network element, where the message includes the SUCI.
  • the AMF network element sends, according to the second addressing information, a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element, and the first message includes the SUCI.
  • the AMF network element sends an authentication request to the home AUSF network element, where the authentication request includes SUCI.
  • the V-AMF network element may send an authentication request to the home AUSF network element by using the V-NRF network element, the V-SEPP network element, and the H-SEPP network element, where the authentication request includes the SUCI.
  • the foregoing step 604 may be replaced by: the AMF network element sends the decryption information of the SUCI to the home AUSF network element, and the decryption information of the SUCI is used for the home AUSF network element authentication.
  • the communication method provided by the present application implements the AMF network element using the encrypted SUCI to address the AUSF network element by deploying the private key on the H-NRF network element.
  • the present application provides an alternative implementation of the foregoing steps 601 to 606.
  • the foregoing steps 602 and 603 may be replaced by the following:
  • the foregoing step 602 can be replaced by: the H-SEPP network element receives the SUCI of the AMF network element from the serving network, and sends the SUCI to the H-NRF network element, where the SUCI is used by the H-NRF network element to discover the AUSF network element.
  • when the H-SEPP network element sends the SUCI to the H-NRF network element, it may send to the H-NRF network element any message for requesting the H-NRF network element to discover the AUSF network element, where the message includes the SUCI.
  • the H-SEPP network element sends a second message to the H-NRF network element, where the second message is used to request the home NRF network element to discover an AUSF network element, where the second message includes SUCI.
  • the H-SEPP network element sends a network function discovery request to the H-NRF network element, where the network function discovery request includes a SUCI.
  • the foregoing step 603 can be replaced by: the H-NRF network element receives the SUCI from the H-SEPP network element, decrypts the SUCI according to the local private key to obtain the decryption information of the SUCI, and sends the second addressing information to the V-AMF network element according to the decryption information of the SUCI, where the second addressing information is the AUSF network element addressing information obtained by the H-NRF network element according to the decryption information of the SUCI.
  • the terminal can flexibly encrypt the SUPI according to different application scenarios.
  • the terminal encrypts the user permanent identifier SUPI according to the local public key to obtain the first SUCI, where the first SUCI includes the MSIN, the user home area information in the MSIN is plaintext, and the remaining information of the MSIN is ciphertext.
  • the terminal encrypts the user permanent identifier SUPI according to the local public key to obtain a second SUCI, and the second SUCI includes an MSIN, and all the MSINs are ciphertexts.
  • the terminal determines, according to the current location information, that the serving network is a home network, and encrypts the SUPI according to the local public key to obtain the first SUCI.
  • the terminal determines, according to the current location information, that the serving network is a roaming network, encrypts the SUPI according to the local public key, to obtain the second SUCI.
  • the present application provides a communication method in which, after the terminal encrypts the SUPI into the first SUCI, the AMF network element addresses the home AUSF network element according to the first SUCI, and the AUSF network element addresses the home UDM network element according to the first SUCI.
  • Step 701 The terminal encrypts the user permanent identifier SUPI according to the local public key to obtain the first SUCI, where the first SUCI includes the MSIN, the user home area information in the MSIN is plaintext, and the remaining information of the MSIN is ciphertext.
  • the SUPI includes an MCC, an MNC, and an MSIN, where the MSIN includes user home area information H1H2H3H4 and remaining number segments X1X2X3X4X5X6.
  • the terminal encrypting the SUPI according to the local public key to obtain the first SUCI means that the remaining number segment X1X2X3X4X5X6 is encrypted, while the MCC, the MNC, and the user home area information H1H2H3H4 included in the MSIN are not encrypted; the finally obtained first SUCI includes the plaintext MCC, MNC and user home area information, and the ciphertext of the remaining number segment X1X2X3X4X5X6.
  • the SUPI is encrypted according to the local public key to obtain the first SUCI.
  • Step 702 The terminal sends the first SUCI to an AMF network element, where the first SUCI is used by the AMF network element to register the terminal.
  • any message for requesting registration with the AMF network element may be sent, where the message includes the first SUCI.
  • the terminal sends a fifth message to the AMF network element, where the fifth message is used to request registration from the AMF network element, and the fifth message includes the first SUCI.
  • the terminal sends a registration request to the AMF network element, where the registration request includes the first SUCI, and the registration request may be sent when the terminal performs initial registration with the service network.
  • Step 703 The AMF network element receives the first SUCI from the terminal, and sends the first SUCI to the home AUSF network element, where the first SUCI is used for the AUSF authentication.
  • before the AMF network element sends the first SUCI to the home AUSF network element, the method further includes: the AMF network element determines the home AUSF network element according to the first SUCI.
  • any message for requesting authentication to the AUSF may be sent, where the message includes the first SUCI.
  • the AMF network element receives a fifth message from the terminal, where the fifth message is used to request registration from the AMF network element, and the fifth message includes the first SUCI.
  • the AMF network element sends an authentication request to the home AUSF network element, where the authentication request includes the first SUCI, and the authentication request may be sent when the AMF network element triggers the authentication process.
  • the AMF network element determines the home AUSF network element according to the user home area information of the plaintext in the first SUCI.
  • Step 704 The AUSF network element receives the first SUCI from the AMF network element, and sends the first SUCI to the home UDM network element associated with the first SUCI according to the first SUCI, where the first SUCI is used by the home UDM network element to generate an authentication vector, so that the home UDM network element generates an authentication vector according to the first SUCI.
  • when the AUSF network element sends the first SUCI to the home UDM network element, it may send any message for requesting an authentication vector from the home UDM network element, where the message includes the first SUCI.
  • the AUSF network element sends a third message to the home UDM network element, where the third message is used to request an authentication vector from the home UDM network element, and the third message includes the first SUCI.
  • the AUSF network element sends an authentication vector acquisition request to the home UDM network element, where the authentication vector acquisition request includes the first SUCI.
  • Step 705 The AUSF network element receives the authentication vector from the home UDM network element, where the authentication vector is generated by the home UDM network element according to the first SUCI.
  • the implementation manner in which the AUSF network element addresses the home UDM network element according to the first SUCI may refer to the embodiment parts corresponding to FIG. 2 to FIG. 5; specifically, this embodiment may use the implementation method corresponding to step 101 to step 106 of the foregoing embodiment, or the replacement of step 101 to step 106.
  • alternatively, the implementation method corresponding to step 201 to step 205 of the foregoing embodiment of the present application, or the replacement of step 201 to step 205, may be used.
  • alternatively, the implementation method corresponding to step 301 to step 304 of the foregoing embodiment of the present application, or the replacement of step 301 to step 104, may be used; or the implementation method corresponding to step 401 to step 406 of the foregoing embodiment of the present application, or its replacement, may be used.
  • the specific implementation manner of the AMF network element to address the home AUSF network element according to the first SUCI may be referred to the embodiment part corresponding to FIG. 6 to FIG. 7.
• The present application further provides another communication method, in which, after the terminal encrypts the SUPI into the second SUCI, the AUSF network element addresses the home UDM network element according to the first SUCI and the AMF network element addresses the home AUSF network element according to the first SUCI. The method can be used in non-roaming scenarios or in roaming scenarios.
• The following describes, for the scenario in which the terminal encrypts the SUPI into the second SUCI, how the AMF network element addresses the home AUSF network element and how the AUSF network element addresses the home UDM network element. As shown in FIG. 9, the following steps are specifically included:
• Step 801 The terminal encrypts the user permanent identifier SUPI according to the local public key to obtain a second SUCI, where the second SUCI includes an MSIN and the entire MSIN is ciphertext.
• the SUPI includes an MCC, an MNC, and an MSIN, where the MSIN includes user home area information H1H2H3H4 and the remaining number segment X1X2X3X4X5X6.
• That the terminal encrypts the SUPI according to the local public key to obtain the second SUCI means encrypting both the user home area information H1H2H3H4 and the remaining number segment X1X2X3X4X5X6 of the MSIN, so that the resulting second SUCI includes the plaintext MCC and MNC and the ciphertext of the entire MSIN.
• When the terminal determines, according to the current location information, that the serving network is a roaming network, it encrypts the SUPI according to the local public key to obtain the second SUCI.
  • Step 802 The terminal sends the second SUCI and user home area information to the AMF network element, where the second SUCI and the user home area information are used to register the terminal with the AMF network element.
• the terminal may send any message for requesting registration to the AMF network element, where the message includes the second SUCI and the user home area information.
  • the terminal sends a fifth message to the AMF network element, where the fifth message is used to request registration from the AMF network element, and the fifth message includes the second SUCI and user home area information.
  • the terminal sends a registration request to the AMF network element, where the registration request includes the second SUCI and user home area information, and the registration request may be sent when the terminal performs initial registration with the service network.
  • Step 803 The AMF network element receives the second SUCI and the user home area information from the terminal, and the AMF network element sends the user home area information and the second SUCI to the home AUSF network element associated with the user home area information.
• the user home area information and the second SUCI are used by the home AUSF network element for authentication.
• the method further includes: the AMF network element determines, according to the user home area information, the home AUSF network element associated with the user home area information.
• When the AMF network element sends the user home area information and the second SUCI to the home AUSF network element, it may send any message for requesting authentication from the AUSF network element, where the message includes the user home area information and the second SUCI.
• the AMF network element sends, according to the user home area information, a first message to the home AUSF network element associated with the user home area information, where the first message is used to request authentication from the home AUSF network element, and the first message includes the user home area information and the second SUCI.
• the AMF network element sends an authentication request to the home AUSF network element, where the authentication request includes the user home area information and the second SUCI, and the authentication request may be sent when the AMF network element triggers the authentication procedure.
• Step 804 The AUSF network element receives the second SUCI and the user home area information from the AMF network element, and the AUSF network element sends the second SUCI and the user home area information to the home UDM network element according to the user home area information.
  • the second SUCI and the user home area information are used by the home UDM network element to obtain an authentication vector.
• the AUSF network element receives the first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, and the first message includes the second SUCI and the user home area information.
• the first message is an authentication request.
• the AUSF network element may send any message for requesting the home UDM network element to obtain an authentication vector, where the message includes the second SUCI and the user home area information.
• the AUSF network element sends a third message to the home UDM network element, where the third message is used to request the home UDM network element to obtain an authentication vector, and the third message includes the second SUCI and the user home area information.
• the AUSF network element sends an authentication vector acquisition request to the home UDM network element, where the authentication vector acquisition request includes the second SUCI and the user home area information.
  • Step 805 The home UDM network element generates an authentication vector according to the second SUCI and the user home area information, and sends the authentication vector to the AUSF network element.
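Steps 801 to 805 above, as an added worked example that is not code from the patent: the terminal conceals the MSIN under the home network public key, either keeping H1H2H3H4 in plaintext (the first SUCI of the sixth aspect later on this page) or concealing the whole MSIN and sending the user home area information alongside (the second SUCI of this figure); the AMF then selects the home AUSF, and the AUSF the home UDM, from the home area, and the home UDM deconceals the SUCI to recover the SUPI from which it generates the authentication vector. The cipher (X25519 key agreement, SHA-256 KDF, AES-128-CTR, truncated HMAC-SHA-256), the 10-digit MSIN, the element addresses and the routing tables are all assumptions of this example; the page only says "encrypt according to the local public key". The same Deconceal step is what the NRF, first UDM or first AUSF of the other aspects perform before returning decryption or addressing information.

```go
// Added example, not the patent's code; the ECIES-style cipher below is an assumption standing in for the "local public key" scheme.
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SUCI is the concealed identifier carried in the terminal's registration request.
type SUCI struct {
	MCC, MNC, HomeArea  string // HomeArea is H1H2H3H4 in plaintext for a first SUCI, empty for a second SUCI
	EphPub, Cipher, MAC []byte // ephemeral X25519 public key, concealed MSIN digits, truncated HMAC over Cipher
}

type HomeNetwork struct {
	Priv            *ecdh.PrivateKey  // the "local private key" matching the public key provisioned to the terminal
	AUSFFor, UDMFor map[string]string // user home area -> home AUSF / home UDM address (constructed routing tables)
}

// kdf derives the AES-128 key, CTR initial counter block and MAC key from the X25519 shared secret.
func kdf(shared, ephPub []byte) (encKey, icb, macKey []byte) {
	base := append(append([]byte{}, shared...), ephPub...)
	h1 := sha256.Sum256(append([]byte{0, 0, 0, 1}, base...))
	h2 := sha256.Sum256(append([]byte{0, 0, 0, 2}, base...))
	return h1[:16], h1[16:], h2[:]
}

// ctrXOR applies AES-CTR; encryption and decryption are the same operation.
func ctrXOR(key, icb, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) } // key is always 16 bytes here
	out := make([]byte, len(in))
	cipher.NewCTR(block, icb).XORKeyStream(out, in)
	return out
}
func tag(macKey, ct []byte) []byte { m := hmac.New(sha256.New, macKey); m.Write(ct); return m.Sum(nil)[:8] }

// Conceal encrypts a digit string under the home network public key (terminal side).
func Conceal(hnPub *ecdh.PublicKey, secret string) (ephPub, ct, mac []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, nil, err }
	shared, err := eph.ECDH(hnPub)
	if err != nil { return nil, nil, nil, err }
	ephPub = eph.PublicKey().Bytes()
	encKey, icb, macKey := kdf(shared, ephPub)
	ct = ctrXOR(encKey, icb, []byte(secret))
	return ephPub, ct, tag(macKey, ct), nil
}

// Deconceal reverses Conceal with the private key; the MAC is checked first so a tampered SUCI is rejected, not routed.
func Deconceal(hnPriv *ecdh.PrivateKey, ephPub, ct, mac []byte) (string, error) {
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil { return "", err }
	shared, err := hnPriv.ECDH(pub)
	if err != nil { return "", err }
	encKey, icb, macKey := kdf(shared, ephPub)
	if !hmac.Equal(tag(macKey, ct), mac) { return "", errors.New("SUCI MAC check failed") }
	return string(ctrXOR(encKey, icb, ct)), nil
}

// BuildSUCI is step 801: MSIN = H1H2H3H4 + X1..X6; homeAreaInClear gives a first SUCI, otherwise a second SUCI.
func BuildSUCI(hnPub *ecdh.PublicKey, mcc, mnc, msin string, homeAreaInClear bool) (SUCI, error) {
	if len(msin) != 10 { return SUCI{}, errors.New("MSIN must be 10 digits") }
	s, secret := SUCI{MCC: mcc, MNC: mnc}, msin
	if homeAreaInClear { s.HomeArea, secret = msin[:4], msin[4:] }
	var err error
	s.EphPub, s.Cipher, s.MAC, err = Conceal(hnPub, secret)
	return s, err
}

// RouteAndResolve is steps 803-805: AMF -> home AUSF and AUSF -> home UDM are chosen by home area, then the home UDM
// deconceals the SUCI to get the SUPI. homeArea is the separately sent home area information of a second SUCI.
func RouteAndResolve(hn *HomeNetwork, s SUCI, homeArea string) (ausf, udm, supi string, err error) {
	if s.HomeArea != "" { homeArea = s.HomeArea } // a first SUCI carries its own home area
	ausf, udm = hn.AUSFFor[homeArea], hn.UDMFor[homeArea]
	if ausf == "" || udm == "" { return "", "", "", fmt.Errorf("no home AUSF/UDM for home area %q", homeArea) }
	digits, err := Deconceal(hn.Priv, s.EphPub, s.Cipher, s.MAC)
	if err != nil { return ausf, udm, "", err }
	// A second SUCI's plaintext home area must agree with the concealed MSIN, or routing relied on an unbacked claim.
	if s.HomeArea == "" && (len(digits) < 4 || digits[:4] != homeArea) { return ausf, udm, "", errors.New("home area does not match concealed MSIN") }
	return ausf, udm, s.MCC + s.MNC + s.HomeArea + digits, nil
}

// NewTestHomeNetwork builds a home network with a fresh key and constructed routing tables.
func NewTestHomeNetwork() *HomeNetwork {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &HomeNetwork{Priv: priv,
		AUSFFor: map[string]string{"1234": "ausf-east.home.example", "5678": "ausf-west.home.example"},
		UDMFor:  map[string]string{"1234": "udm-east.home.example", "5678": "udm-west.home.example"}}
}
func main() {
	hn := NewTestHomeNetwork()
	s, _ := BuildSUCI(hn.Priv.PublicKey(), "460", "00", "1234567890", true)
	fmt.Println(RouteAndResolve(hn, s, "")) // first SUCI: routed on its plaintext home area
}
```

The home-area cross-check in RouteAndResolve is the check a defender wants with a second SUCI: the plaintext home area information steers routing before anything is decrypted, so the home UDM should confirm it against the deconcealed MSIN and reject a mismatch, and the MAC check in Deconceal rejects a modified SUCI before it is decrypted at all.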
  • each of the foregoing network elements includes a hardware structure and/or a software module corresponding to each function.
• the present invention can be implemented by hardware, or by a combination of hardware and computer software, in combination with the units and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or in computer software driving hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods to implement the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present invention.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the first aspect AUSF network element, including:
• a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
  • a sending unit configured to send a second message to the NRF network element, where the second message is used to request the NRF network element to discover the UDM network element, and the second message includes the SUCI;
• the receiving unit is further configured to receive first addressing information from the NRF network element, where the first addressing information is UDM network element addressing information that the NRF network element obtains according to decryption information of the SUCI, the decryption information being obtained by the NRF network element decrypting the SUCI according to a local private key;
• a processing unit configured to send, by using the sending unit and according to the first addressing information, a third message to the home UDM network element associated with the first addressing information, where the third message is used to request an acquisition of an authentication vector from the home UDM network element, and the third message includes the SUCI.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the first aspect NRF network element, including:
• a receiving unit configured to receive a second message from the AUSF network element, where the second message is used to request the NRF network element to discover a UDM network element, the second message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
  • a processing unit configured to decrypt the SUCI according to a local private key, to obtain decryption information of the SUCI;
• the processing unit is further configured to send, by using a sending unit, the first addressing information to the AUSF network element according to the decryption information of the SUCI.
  • the first addressing information is UDM network element addressing information obtained by the NRF network element according to the decryption information of the SUCI.
  • the decryption information of the SUCI includes SUPI or user attribution area information.
  • the first addressing information includes one or more UDM network element addresses associated with the user home area information; or
• the first addressing information includes the UDM network element address and the SUPI; or
  • the first addressing information includes the UDM network element address and the user attribution area information.
• the ciphertext generated according to the public key is specifically ciphertext obtained by encrypting the MSIN in the SUPI with the public key, where the MSIN includes user home area information.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the second aspect AUSF network element, including:
• a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
  • a sending unit configured to send a third message to the first UDM network element, where the third message is used to request the first UDM network element to obtain an authentication vector, where the third message includes the SUCI;
  • the receiving unit is further configured to receive a fourth message from the first UDM network element, where the fourth message includes the decryption information of the SUCI or the addressing information of the home UDM network element;
• a processing unit configured to send, by using a sending unit, a third message to the home UDM network element according to the fourth message, where the home UDM network element is the UDM network element associated with the addressing information of the home UDM network element or with the decryption information of the SUCI, and the third message is used to request an acquisition of an authentication vector from the home UDM network element;
  • the receiving unit is further configured to receive an authentication vector from the home UDM network element.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the first UDM network element in the second aspect, including:
• a receiving unit configured to receive a third message from an AUSF network element, where the third message is used to request an acquisition of an authentication vector from the first UDM network element, the third message includes a SUCI, and the SUCI includes ciphertext generated according to a public key;
• a processing unit configured to decrypt the SUCI according to a local private key to obtain decryption information of the SUCI, and, when the first UDM network element determines according to the decryption information of the SUCI that the home UDM network element is not the first UDM network element, to send, by using a sending unit, a fourth message to the AUSF network element, where the fourth message includes the decryption information of the SUCI or the addressing information of the home UDM network element, and the addressing information of the home UDM network element is obtained by the first UDM network element according to the decryption information of the SUCI.
  • the decryption information of the SUCI includes SUPI or user attribution area information.
• the ciphertext generated according to the public key is specifically ciphertext obtained by encrypting the MSIN in the SUPI with the public key, where the MSIN includes user home area information.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the first UDM network element in the second aspect, including:
• a receiving unit configured to receive a third message from the AUSF network element, where the third message is used to request the first UDM network element to obtain an authentication vector, the third message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
• a processing unit configured to decrypt the SUCI according to a local private key to obtain decryption information of the SUCI, and to send, by using a sending unit, a fourth message to the AUSF network element according to the decryption information of the SUCI, where the fourth message includes the decryption information of the SUCI or the addressing information of the home UDM network element, and the addressing information of the home UDM network element is obtained by the first UDM network element according to the decryption information of the SUCI.
  • the decryption information of the SUCI includes SUPI or user attribution area information.
• the ciphertext generated according to the public key is specifically ciphertext obtained by encrypting the MSIN in the SUPI with the public key, where the MSIN includes user home area information.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the second aspect AUSF network element, including:
• a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
  • a sending unit configured to send a third message to the first UDM network element, where the third message is used to request the first UDM network element to obtain an authentication vector, where the third message includes the SUCI;
• the receiving unit is further configured to receive an authentication vector, where the authentication vector is sent by the first UDM network element to the AUSF network element when the first UDM network element decrypts the SUCI according to a local private key and determines that the home UDM network element is the first UDM network element; or the authentication vector is sent by the first UDM network element to the AUSF network element after the first UDM network element decrypts the SUCI according to a local private key, determines that the home UDM network element is a second UDM network element, and acquires the authentication vector from the second UDM network element; or the authentication vector is sent by the second UDM network element to the AUSF network element after the first UDM network element determines that the home UDM network element is the second UDM network element and sends a third message to the second UDM network element, where the third message is used to request the second UDM network element to obtain an authentication vector, and the third message includes the SUPI, so that the second UDM network
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the first UDM network element in the second aspect, including:
• a receiving unit configured to receive a third message from the AUSF network element, where the third message is used to request the first UDM network element to obtain an authentication vector, the third message includes a SUCI, and the SUCI includes ciphertext generated according to a public key;
• a processing unit configured to decrypt the SUCI according to a local private key to obtain a SUPI, and to determine the home UDM network element according to the SUPI; when the home UDM network element is the first UDM network element, to send an authentication vector to the AUSF network element by using the sending unit; or, when the home UDM network element is a second UDM network element, to acquire the authentication vector from the second UDM network element and send the authentication vector to the AUSF network element by using the sending unit; or, when the home UDM network element is the second UDM network element, to send a third message to the second UDM network element by using the sending unit, where the third message is used to request an acquisition of an authentication vector from the second UDM network element, and the third message includes the SUPI, so that the second UDM network element generates the authentication vector according to the SUPI.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the third aspect AUSF network element, including:
• a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
• a processing unit configured to decrypt the SUCI according to a local private key to obtain a SUPI;
  • a sending unit configured to send a third message to the home UDM network element associated with the SUPI, where the third message is used to request an acquisition of an authentication vector from the home UDM network element, where the third message includes the SUPI;
  • the receiving unit is further configured to receive an authentication vector from the home UDM network element, where the authentication vector is generated by the home UDM network element according to the SUPI.
  • the decryption information of the SUCI includes SUPI or user attribution area information.
• the ciphertext generated according to the public key is specifically ciphertext obtained by encrypting the MSIN in the SUPI with the public key, where the MSIN includes user home area information.
  • the embodiment of the present application provides an apparatus, which is used to perform the functions of the first AUSF network element in the third aspect, including:
• a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the first AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
• a processing unit configured to decrypt the SUCI according to a local private key to obtain a SUPI;
  • a sending unit configured to send a first message to the home AUSF network element associated with the SUPI, where the first message is used to request authentication from the home AUSF network element, where the first message includes the SUPI;
  • the receiving unit is further configured to receive the authentication vector from the home AUSF network element, where the authentication vector is obtained by the home AUSF network element from the home UDM network element according to the SUPI.
  • the embodiment of the present application provides an apparatus, which is used to perform the functions of the first AUSF network element in the third aspect, including:
• a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the first AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
• a processing unit configured to decrypt the SUCI according to a local private key to obtain a SUPI, and to send, according to the SUPI, a fourth message to the AMF network element by using a sending unit, where the fourth message includes the SUPI or the addressing information of the home AUSF network element, and the addressing information of the home AUSF network element is obtained from the decryption information that the first AUSF network element obtains by decrypting the SUCI according to a local private key.
  • the decryption information of the SUCI includes SUPI or user attribution area information.
• the ciphertext generated according to the public key is specifically ciphertext obtained by encrypting the MSIN in the SUPI with the public key, where the MSIN includes user home area information.
  • the embodiment of the present application provides an apparatus, which is used to perform the functions of the first AUSF network element in the third aspect, including:
• a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the first AUSF network element, the first message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
• a processing unit configured to decrypt the SUCI according to a local private key to obtain a SUPI;
  • a sending unit configured to send a fourth message to the AMF network element, where the fourth message includes the SUPI.
  • the decryption information of the SUCI includes SUPI or user attribution area information.
• the ciphertext generated according to the public key is specifically ciphertext obtained by encrypting the MSIN in the SUPI with the public key, where the MSIN includes user home area information.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the third aspect AMF network element, including:
  • a sending unit configured to send a first message to the first AUSF network element, where the first message is used to request authentication from the first AUSF network element, where the first message includes a user hidden identifier SUCI, and the SUCI includes a ciphertext generated from a public key;
• a receiving unit configured to receive a fourth message from the first AUSF network element, where the fourth message includes a SUPI or addressing information of a home AUSF network element, and the SUPI or the addressing information of the home AUSF network element is obtained by the first AUSF network element from the decryption information obtained by decrypting the SUCI according to a local private key;
• a processing unit configured to send, by using a sending unit, a first message to the home AUSF network element according to the fourth message, where the home AUSF network element is the AUSF network element associated with the addressing information of the home AUSF network element or with the decryption information of the SUCI (the SUPI), and the first message is used to request authentication from the home AUSF network element.
  • the embodiment of the present application provides an apparatus, which is used to perform the functions of the third aspect of the home AUSF network element, including:
• a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the home AUSF network element, the first message includes a SUCI, and the SUCI includes ciphertext generated according to a public key;
• a processing unit configured to decrypt the SUCI according to a local private key to obtain the SUPI;
  • a sending unit configured to send a third message to the home UDM network element, where the third message is used to request an acquisition of an authentication vector from the home UDM network element, where the third message includes the SUPI;
  • the receiving unit is further configured to receive the authentication vector from the home UDM network element, where the authentication vector is generated by the home UDM network element according to the SUPI.
  • the decryption information of the SUCI includes SUPI or user attribution area information.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the fourth aspect AMF network element, including:
• a sending unit configured to send a second message to the NRF network element, where the second message is used to request the NRF network element to discover an AUSF network element, the second message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
• a receiving unit configured to receive second addressing information from the NRF network element, where the second addressing information is AUSF network element addressing information that the NRF network element obtains according to decryption information of the SUCI, the decryption information being obtained by the NRF network element decrypting the SUCI according to a local private key;
• a processing unit configured to send, by using a sending unit and according to the second addressing information, a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element, and the first message includes the SUCI or the decryption information of the SUCI.
  • the decryption information of the SUCI includes SUPI or user attribution area information.
  • the second addressing information includes one or more AUSF network element addresses associated with user home area information; or the second addressing information includes the AUSF network element address and the SUPI; or the second addressing information includes the AUSF network element address and the user attribution area information.
• the ciphertext generated according to the public key is specifically ciphertext obtained by encrypting the MSIN in the SUPI with the public key, where the MSIN includes user home area information.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the fourth aspect NRF network element, including:
• a receiving unit configured to receive a second message from the AMF network element, where the second message is used to request the NRF network element to discover an AUSF network element, the second message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
• a processing unit configured to decrypt the SUCI according to a local private key, to obtain decryption information of the SUCI;
• the processing unit is further configured to send, by using a sending unit, second addressing information to the AMF network element according to the decryption information of the SUCI, where the second addressing information is AUSF network element addressing information obtained by the NRF network element according to the decryption information of the SUCI.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the AMF network element of the service network of the fifth aspect, including:
• a sending unit configured to send a second message, where the second message is used to request the home NRF network element to discover an AUSF network element, the second message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
• a receiving unit configured to receive second addressing information from the home NRF network element, where the second addressing information is AUSF network element addressing information that the home NRF network element obtains according to decryption information of the SUCI after decrypting the SUCI according to a local private key to obtain the decryption information; or the second addressing information is AUSF network element addressing information that the home NRF network element obtains according to the decryption information of the SUCI after obtaining the decryption information of the SUCI from the home SEPP network element;
• a processing unit configured to send, according to the second addressing information, a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element, and the first message includes the SUCI or the decryption information of the SUCI.
  • the embodiment of the present application provides an apparatus, which is used to perform the functions of the fifth aspect of the home SEPP network element, including:
• a receiving unit configured to receive a second message from an AMF network element of the serving network, where the second message is used to request a home NRF network element to discover an AUSF network element, the second message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
  • a processing unit configured to decrypt the SUCI according to a local private key, to obtain decryption information of the SUCI;
  • a sending unit configured to send a second message to the home NRF network element, where the second message is used to request discovery of an AUSF network element from the home NRF network element, where the second message includes decryption information of the SUCI.
  • the embodiment of the present application provides an apparatus, which is used to perform the functions of the fifth aspect of the NRF network element, including:
  • a receiving unit configured to receive a second message from a home SEPP network element, where the second message is used to request discovery of an AUSF network element from the home NRF network element, where the second message includes decryption information of the SUCI;
  • a processing unit configured to send second addressing information to the AMF network element according to the decryption information of the SUCI;
• the second addressing information is AUSF network element addressing information obtained by the home NRF network element according to the decryption information of the SUCI.
  • the embodiment of the present application provides an apparatus, which can be used to perform the functions of the fifth aspect of the home NRF network element, including:
• a receiving unit configured to receive a second message from a home SEPP network element, where the second message is used to request the home NRF network element to discover an AUSF network element, the second message includes a user hidden identifier SUCI, and the SUCI includes ciphertext generated according to a public key;
• a processing unit configured to decrypt the SUCI according to a local private key, to obtain decryption information of the SUCI;
• the processing unit is further configured to send second addressing information to the AMF network element according to the decryption information of the SUCI;
• the second addressing information is AUSF network element addressing information obtained by the home NRF network element according to the decryption information of the SUCI.
  • the embodiment of the present application provides a device, which can be used to perform the functions of the terminal of the sixth aspect, including:
• a processing unit configured to encrypt the user permanent identifier SUPI according to the local public key to obtain the first SUCI, where the first SUCI includes the MSIN, the user home area information in the MSIN is plaintext, and the remaining information of the MSIN is ciphertext;
  • a sending unit configured to send a fifth message to the AMF network element, where the fifth message is used to request registration from the AMF network element, where the fifth message includes the first SUCI.
  • the terminal encrypts the SUPI according to the local public key to obtain the first SUCI, including:
  • the processing unit is configured to: when determining that the serving network is the home network according to the current location information, encrypt the SUPI according to the local public key to obtain the first SUCI.
  • an embodiment of the present application provides an apparatus, which can be used to perform the functions of the AMF network element in the sixth aspect, including:
  • a receiving unit configured to receive a fifth message from the terminal, where the fifth message is used to request registration from the AMF network element, the fifth message includes a first SUCI, the first SUCI includes an MSIN, the user home area information in the MSIN is plaintext, and the remaining information of the MSIN is ciphertext;
  • a processing unit configured to send, according to the first SUCI, a first message to the home AUSF network element associated with the first SUCI, where the first message is used to request authentication from the home AUSF network element, and the first message includes the first SUCI.
  • an embodiment of the present application provides an apparatus, which can be used to perform the functions of the AUSF network element in the sixth aspect, including:
  • a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the home AUSF network element, the first message includes a first SUCI, the first SUCI includes an MSIN, the user home area information in the MSIN is plaintext, and the remaining information of the MSIN is ciphertext;
  • a sending unit configured to send a third message to the home UDM network element, where the third message is used to request an authentication vector from the home UDM network element, and the third message includes the first SUCI;
  • the receiving unit is further configured to receive the authentication vector from the home UDM network element, where the authentication vector is generated by the home UDM network element according to the first SUCI.
  • an embodiment of the present application provides an apparatus, which can be used to perform the functions of the terminal in the seventh aspect, including:
  • a processing unit configured to encrypt the subscription permanent identifier SUPI according to a local public key to obtain a second SUCI, where the second SUCI includes an MSIN, and the MSIN is entirely ciphertext;
  • a sending unit configured to send a fifth message to the AMF network element, where the fifth message is used to request registration from the AMF network element, and the fifth message includes the second SUCI and user home area information.
  • the terminal encrypting the subscription permanent identifier SUPI according to the local public key to obtain the second SUCI includes:
  • the processing unit is configured to, when determining according to current location information that the serving network is a roaming network, encrypt the SUPI according to the local public key to obtain the second SUCI.
  • an embodiment of the present application provides an apparatus, which can be used to perform the functions of the AMF network element in the seventh aspect, including:
  • a receiving unit configured to receive a fifth message from the terminal, where the fifth message is used to request registration from the AMF network element, the fifth message includes a second SUCI and user home area information, the second SUCI includes an MSIN, and the MSIN is entirely ciphertext;
  • a processing unit configured to send, according to the user home area information, a first message to a home AUSF network element associated with the user home area information, where the first message is used to request authentication from the home AUSF network element, and the first message includes the user home area information and the second SUCI.
  • an embodiment of the present application provides an apparatus, which can be used to perform the functions of the AUSF network element in the sixth aspect, including:
  • a receiving unit configured to receive a first message from an AMF network element, where the first message is used to request authentication from the AUSF network element, the first message includes a second SUCI and user home area information, the second SUCI includes an MSIN, and the MSIN is entirely ciphertext;
  • a sending unit configured to send a third message to the home UDM network element, where the third message is used to request an authentication vector from the home UDM network element, and the third message includes the second SUCI and the user home area information;
  • the receiving unit is further configured to receive the authentication vector from the home UDM network element, where the authentication vector is generated by the home UDM network element according to the second SUCI and the user home area information.
  • FIG. 10 shows a possible exemplary block diagram of a device involved in the embodiment of the present invention.
  • the device 1000 may exist in the form of software, may be an AMF network element, or may be a chip in an AMF network element.
  • the apparatus 1000 includes a processing unit 1002 and a communication unit 1003, and the communication unit 1003 may include a receiving unit and a transmitting unit.
  • the processing unit 1002 is configured to control and manage the actions of the device 1000.
  • the communication unit 1003 is configured to support communication between the device 1000 and other network entities (eg, terminals, network function library network elements).
  • the device 1000 may further include a storage unit 1001 for storing program codes and data of the device 1000.
  • the processing unit 1002 may be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 1003 may be a communication interface, a transceiver, a transceiver circuit or the like, where "communication interface" is a collective name.
  • in a specific implementation, the communication interface may include multiple interfaces, for example an interface between the AMF network element and the terminal, an interface between the AMF network element and the network function library network element, and/or other interfaces.
  • the storage unit 1001 may be a memory.
  • Processing unit 1002 may support apparatus 1000 to perform the actions of the AMF network elements in the various method examples above.
  • the communication unit 1003 can support communication between the device 1000 and the terminal.
  • the communication unit 1003 can support the device 1000 in performing the processing involving the AMF network element in the methods shown in FIG. 2 to FIG. 9 and/or other processes of the technical solutions described in this application.
  • the apparatus 1000 involved in the embodiment of the present invention may be the AMF network element 1100 shown in FIG.
  • the AMF network element 1100 includes a processor 1102, a communication interface 1103, and a memory 1101 (optional).
  • the AMF network element 1100 may further include a bus 1104.
  • the communication interface 1103, the processor 1102, and the memory 1101 may be connected to each other through a bus 1104; the bus 1104 may be a PCI bus or an EISA bus or the like.
  • the bus 1104 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 9, but it does not mean that there is only one bus or one type of bus.
  • FIG. 12 shows a possible exemplary block diagram of an apparatus involved in the embodiment of the present invention.
  • the apparatus 1200 may exist in the form of software, may be an AUSF network element, or may be a chip in an AUSF network element.
  • the apparatus 1200 includes a processing unit 1202 and a communication unit 1203, and the communication unit 1203 may include a receiving unit and a transmitting unit.
  • the processing unit 1202 is configured to control and manage the actions of the device 1200.
  • Communication unit 1203 is used to support communication of device 1200 with other network entities, such as multimedia system ingress network elements.
  • the device 1200 can also include a storage unit 1201 for storing program codes and data of the device 1200.
  • the processing unit 1202 may be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 1203 may be a communication interface, a transceiver, a transceiver circuit or the like, where "communication interface" is a collective name. In a specific implementation, the communication interface may include multiple interfaces, for example an interface between the AUSF network element and the multimedia system entry network element, and/or other interfaces.
  • the storage unit 1201 may be a memory.
  • Processing unit 1202 may support apparatus 1200 to perform the actions of the AUSF network element in the various method examples above.
  • the communication unit 1203 can support communication between the device 1200 and the terminal.
  • the communication unit 1203 can support the device 1200 in performing the processing involving the AUSF network element in the methods shown in FIG. 2 to FIG. 9 and/or other processes of the technical solutions described in this application.
  • the apparatus 1200 involved in the embodiment of the present invention may be the AUSF network element 1300 shown in FIG.
  • the AUSF network element 1300 includes a processor 1302, a communication interface 1303, and a memory 1301 (optional).
  • the AUSF network element 1300 may further include a bus 1304.
  • the communication interface 1303, the processor 1302, and the memory 1301 may be connected to each other through a bus 1304; the bus 1304 may be a PCI bus or an EISA bus or the like.
  • the bus 1304 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 13, but it does not mean that there is only one bus or one type of bus.
  • FIG. 14 shows a possible exemplary block diagram of a device involved in the embodiment of the present invention.
  • the device 1400 may exist in the form of software, may be a UDM network element, or may be a chip in a UDM network element.
  • the apparatus 1400 includes a processing unit 1402 and a communication unit 1403, and the communication unit 1403 may include a receiving unit and a transmitting unit.
  • the processing unit 1402 is configured to control and manage the actions of the device 1400.
  • the communication unit 1403 is configured to support communication of the device 1400 with other network entities, such as multimedia system ingress network elements.
  • the device 1400 can also include a storage unit 1401 for storing program codes and data of the device 1400.
  • the processing unit 1402 may be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 1403 may be a communication interface, a transceiver, a transceiver circuit or the like, where "communication interface" is a collective name. In a specific implementation, the communication interface may include multiple interfaces, for example an interface between the UDM network element and the multimedia system entry network element, and/or other interfaces.
  • the storage unit 1401 may be a memory.
  • Processing unit 1402 may support apparatus 1400 to perform the actions of the UDM network elements in the various method examples above.
  • the communication unit 1403 can support communication between the device 1400 and the terminal.
  • the communication unit 1403 can support the device 1400 in performing the processing involving the UDM network element in the methods shown in FIG. 2 to FIG. 9 and/or other processes of the technical solutions described in the present application.
  • the apparatus 1400 involved in the embodiment of the present invention may be the UDM network element 1500 shown in FIG.
  • the UDM network element 1500 includes a processor 1502, a communication interface 1503, and a memory 1501 (optional).
  • the UDM network element 1500 may further include a bus 1504.
  • the communication interface 1503, the processor 1502, and the memory 1501 may be connected to each other through a bus 1504.
  • the bus 1504 may be a PCI bus or an EISA bus.
  • the bus 1504 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 15, but it does not mean that there is only one bus or one type of bus.
  • FIG. 16 shows a possible exemplary block diagram of a device involved in the embodiment of the present invention.
  • the device 1600 may be in the form of software, may be a terminal, or may be a chip in the terminal.
  • the device 1600 includes a processing unit 1602 and a communication unit 1603.
  • communication unit 1603 includes a receiving unit and a transmitting unit.
  • the processing unit 1602 is configured to control and manage the actions of the device 1600.
  • Communication unit 1603 is used to support communication of device 1600 with other network entities (e.g., DNS, P-CSCF).
  • the communication unit 1603 supports the device 1600 in performing the processing related to the terminal in the method shown in FIG. 8 or FIG. 9 and/or other processes of the technical solutions described in the present application.
  • the device 1600 can also include a storage unit 1601 for storing program code and data of the device 1600.
  • the processing unit 1602 can be a processor or a controller, for example a general central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 1603 may be a communication interface, a transceiver, a transceiver circuit, or the like.
  • the storage unit 1601 may be a memory.
  • when the processing unit 1602 is a processor, the communication unit 1603 is a transceiver, and the storage unit 1601 is a memory, the apparatus 1600 according to the embodiment of the present invention may be the terminal 1700 shown in FIG.
  • FIG. 17 is a simplified schematic diagram showing one possible design structure of a terminal involved in an embodiment of the present invention.
  • the terminal 1700 includes a transmitter 1701, a receiver 1702, and a processor 1703.
  • the processor 1703 may also be a controller, and is represented as "controller/processor 1703" in FIG.
  • the terminal 1700 may further include a modem processor 1705.
  • the modem processor 1705 may include an encoder 1706, a modulator 1707, a decoder 1708, and a demodulator 1709.
  • the transmitter 1701 conditions (eg, analog converts, filters, amplifies, upconverts, etc.) the output samples and generates an uplink signal that is transmitted via an antenna to the DNS and P-CSCF described in the above embodiments.
  • the antenna receives the downlink signal.
  • Receiver 1702 conditions (eg, filters, amplifies, downconverts, digitizes, etc.) the signals received from the antenna and provides input samples.
  • encoder 1706 receives the traffic data and signaling messages to be transmitted on the uplink and processes (e.g., formats, codes, and interleaves) the traffic data and signaling messages.
  • Modulator 1707 further processes (e.g., symbol maps and modulates) the encoded service data and signaling messages and provides output samples.
  • Demodulator 1709 processes (e.g., demodulates) the input samples and provides symbol estimates.
  • the decoder 1708 processes (e.g., deinterleaves and decodes) the symbol estimates and provides decoded data and signaling messages that are sent to the terminal 1700.
  • Encoder 1706, modulator 1707, demodulator 1709, and decoder 1708 may be implemented by a composite modem processor 1705. These units are processed according to the radio access technology employed by the radio access network (e.g., access technologies of LTE and other evolved systems). It should be noted that when the terminal 1700 does not include the modem processor 1705, the above functions of the modem processor 1705 can also be completed by the processor 1703.
  • the processor 1703 performs control management on the operation of the terminal 1700 for performing the processing performed by the terminal 1700 in the above embodiment of the present invention.
  • the processor 1703 is also configured to perform the processes related to the terminal in the method shown in FIG. 9 or FIG. 8 and/or other processes of the technical solutions described in the present application.
  • the terminal 1700 can also include a memory 1704 for storing program codes and data for the terminal 1700.
  • FIG. 18 shows a possible exemplary block diagram of a device involved in the embodiment of the present invention.
  • the device 1800 may exist in the form of software, may be an NRF network element, or may be a chip in an NRF network element.
  • the apparatus 1800 includes a processing unit 1802 and a communication unit 1803, and the communication unit 1803 may include a receiving unit and a transmitting unit.
  • the processing unit 1802 is configured to control and manage the actions of the device 1800.
  • Communication unit 1803 is used to support communication of device 1800 with other network entities, such as multimedia system ingress network elements.
  • the device 1800 can also include a storage unit 1801 for storing program codes and data of the device 1800.
  • the processing unit 1802 can be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 1803 may be a communication interface, a transceiver, a transceiver circuit or the like, where "communication interface" is a collective name. In a specific implementation, the communication interface may include multiple interfaces, for example an interface between the NRF network element and the multimedia system entry network element, and/or other interfaces.
  • the storage unit 1801 may be a memory.
  • Processing unit 1802 can support apparatus 1800 to perform the actions of the NRF network elements in the various method examples above.
  • the communication unit 1803 can support communication between the device 1800 and the terminal.
  • the communication unit 1803 can support the device 1800 in performing the processing involving the NRF network element in the methods shown in FIGS. 2 to 9 and/or other processes of the technical solutions described in the present application.
  • the apparatus 1800 may be the NRF network element 1900 shown in FIG.
  • the NRF network element 1900 includes a processor 1902, a communication interface 1903, and a memory 1901 (optional).
  • the NRF network element 1900 can also include a bus 1904.
  • the communication interface 1903, the processor 1902, and the memory 1901 may be connected to each other through a bus 1904; the bus 1904 may be a PCI bus or an EISA bus or the like.
  • the bus 1904 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 19, but it does not mean that there is only one bus or one type of bus.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented in software, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the present invention are produced in whole or in part.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • the computer instructions can be stored in a computer readable storage medium or transferred from one computer readable storage medium to another; for example, the computer instructions can be transferred from a website, computer, server or data center to another website, computer, server or data center by wire (eg, coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (eg, infrared, radio, microwave, etc.).
  • the computer readable storage medium can be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that includes one or more available media.
  • the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (such as a Solid State Disk (SSD)) or the like.
  • a general purpose processor may be a microprocessor.
  • the general purpose processor may be any conventional processor, controller, microcontroller, or state machine.
  • the processor may also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
  • the steps of the method or algorithm described in the embodiments of the present application may be directly embedded in hardware, a software unit executed by a processor, or a combination of the two.
  • the software unit can be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium in the art.
  • the storage medium can be coupled to the processor such that the processor can read information from the storage medium and can write information to the storage medium.
  • the storage medium can also be integrated into the processor.
  • the processor and the storage medium may be disposed in the ASIC, and the ASIC may be disposed in the terminal device. Alternatively, the processor and the storage medium may also be disposed in different components in the terminal device.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
  • the instructions provide steps for implementing the functions specified in one or more flows of a flowchart and/or in one or more blocks of a block diagram.

Abstract

Embodiments of the present application provide a communication method and apparatus, enabling an AUSF network element to obtain information from an NRF network element according to an encrypted SUCI and to address the home UDM network element according to the obtained information. The method includes: the AUSF network element receives a first message from an AMF network element, where the first message is used to request authentication from the AUSF network element, the first message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the AUSF network element sends a second message to an NRF network element, where the second message is used to request discovery of a UDM network element from the NRF network element, and the second message contains the SUCI; the AUSF network element receives first addressing information from the NRF network element, where the first addressing information is UDM network element addressing information obtained by the NRF network element by decrypting the SUCI with a local private key to obtain decryption information of the SUCI and then using that decryption information; and the AUSF network element sends, according to the first addressing information, a third message to the home UDM network element associated with the first addressing information, where the third message is used to request an authentication vector from the home UDM network element, and the third message contains the SUCI.

Description

A communication method and apparatus
This application claims priority to Chinese Patent Application No. 201810149811.6, filed with the China National Intellectual Property Administration on February 13, 2018 and entitled "A communication method and apparatus", the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of mobile communications technologies, and in particular to a communication method and apparatus.
Background
In 2G/3G/4G mobile networks, when user equipment (UE) registers for the first time, the UE and the network have not yet negotiated an air-interface key for encrypting the air interface, so the subscriber's permanent identifier, such as the international mobile subscriber identifier (IMSI), can only be transmitted in plaintext over the air interface. Transmitting the IMSI in plaintext over the air interface makes it easy for the user's IMSI to be intercepted, which in turn leaks the user's information (such as location information).
In fifth generation (5G) systems and future communication systems, to address the security risk of transmitting the subscriber's permanent identifier, such as the subscription concealed identifier (SUPI), in plaintext over the air interface at first registration, the subscription permanent identifier (SUPI) is not transmitted over the air interface at first registration; instead, a subscription concealed identifier (SUCI) is used in place of the SUPI. The SUPI format may be, in plaintext, SUPI = mobile network code (MCC) + mobile country code (MNC) + mobile subscriber identification number (MSIN), and the SUCI format may be SUCI = MCC + MNC + encrypted MSIN, that is, plaintext MCC + plaintext MNC + ciphertext MSIN.
Because the SUCI replaces the SUPI at initial registration, the 5G network must support addressing the unified data management (UDM) network element by the SUCI in order to obtain the subscriber's authentication data and service subscription data. However, because the MSIN in the SUCI is ciphertext, when multiple UDMs exist in the home network, the MCC and MNC alone can only locate the subscriber's home operator (for example, China Mobile) and cannot determine which UDM network element the subscriber actually belongs to (for example, the UDM network element of which province of China Mobile).
In summary, when multiple UDM network elements exist in the home network, the 5G network does not support addressing the subscriber's home UDM network element using the SUCI.
Summary of the Invention
Embodiments of the present application provide a communication method and apparatus so as to achieve this. To this end, the present application provides the following technical solutions:
In a first aspect, an embodiment of the present application provides a communication method applicable to a non-roaming scenario in which the private key is deployed on the NRF network element.
In one possible design, the communication method is performed mainly by an AMF network element, an AUSF network element and an NRF network element, and enables the AUSF network element to address the UDM network element according to the SUCI.
In one possible design, the AUSF network element obtains information from the NRF network element according to the encrypted SUCI and addresses the home UDM network element according to the obtained information; in this process the method performed by the AUSF network element includes:
The AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, the first message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the AUSF network element sends a second message to the NRF network element, where the second message is used to request discovery of a UDM network element from the NRF network element, and the second message contains the SUCI; the AUSF network element receives first addressing information from the NRF network element, where the first addressing information is UDM network element addressing information obtained by the NRF network element by decrypting the SUCI with a local private key to obtain decryption information of the SUCI and then using that decryption information; and the AUSF network element sends, according to the first addressing information, a third message to the home UDM network element associated with the first addressing information, where the third message is used to request an authentication vector from the home UDM network element, and the third message contains the SUCI.
In this design, the method performed by the NRF network element includes: the NRF network element receives a second message from the AUSF network element, where the second message is used to request discovery of a UDM network element from the NRF network element, the second message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the NRF network element decrypts the SUCI according to a local private key to obtain decryption information of the SUCI; and the NRF network element sends the first addressing information to the AUSF network element according to the decryption information of the SUCI, where the first addressing information is UDM network element addressing information obtained by the NRF network element according to the decryption information of the SUCI.
In the above possible designs of the first aspect, the decryption information of the SUCI includes the SUPI or user home area information.
In the above possible designs of the first aspect, the first addressing information includes one or more UDM network element addresses associated with the user home area information; or the first addressing information includes the UDM network element address and the SUPI; or the first addressing information includes the UDM network element address and the user home area information.
In the above possible designs of the first aspect, the ciphertext generated according to the public key is specifically ciphertext obtained by encrypting the MSIN in the SUPI according to the public key, where the MSIN includes the user home area information.
In a second aspect, an embodiment of the present application provides a communication method applicable to a non-roaming scenario in which the private key is deployed on the UDM network element.
In one possible design, the communication method is performed mainly by an AMF network element, an AUSF network element and a UDM network element, and enables the AUSF network element to address the UDM network element according to the SUCI.
In one possible design, the AUSF network element obtains information from the UDM network element according to the encrypted SUCI and addresses the home UDM network element according to the obtained information; in this process the AUSF network element performs the following method: the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, the first message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the AUSF network element sends a third message to a first UDM network element, where the third message is used to request an authentication vector from the first UDM network element, and the third message contains the SUCI; the AUSF network element receives a fourth message from the first UDM network element, where the fourth message contains decryption information of the SUCI or addressing information of the home UDM network element; the AUSF network element sends, according to the fourth message, a third message to the home UDM network element, where the home UDM network element is the UDM network element associated with the addressing information of the home UDM network element or with the decryption information of the SUCI, and the third message is used to request an authentication vector from the home UDM network element; and the AUSF network element receives the authentication vector from the home UDM network element.
In this design, the method performed by the first UDM network element includes: the first UDM network element receives a third message from the AUSF network element, where the third message is used to request an authentication vector from the first UDM network element, the third message contains a SUCI, and the SUCI includes ciphertext generated according to a public key; the first UDM network element decrypts the SUCI according to a local private key to obtain decryption information of the SUCI; and when the first UDM network element determines, according to the decryption information of the SUCI, that the home UDM network element is not the first UDM network element, the first UDM network element sends a fourth message to the AUSF network element, where the fourth message contains the decryption information of the SUCI or addressing information of the home UDM network element, and the addressing information of the home UDM network element is obtained by the first UDM network element according to the decryption information of the SUCI.
In an alternative design, the method performed by the first UDM network element includes:
The first UDM network element receives a third message from the AUSF network element, where the third message is used to request an authentication vector from the first UDM network element, the third message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the first UDM network element decrypts the SUCI according to a local private key to obtain decryption information of the SUCI; and the first UDM network element sends, according to the decryption information of the SUCI, a fourth message to the AUSF network element, where the fourth message contains the decryption information of the SUCI or addressing information of the home UDM network element, and the addressing information of the home UDM network element is obtained by the first UDM network element according to the decryption information of the SUCI.
In yet another possible design, the AUSF network element obtains information from the UDM network element according to the encrypted SUCI and addresses the home UDM network element according to the obtained information; in this process the method performed by the AUSF network element includes: the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, the first message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the AUSF network element sends a third message to a first UDM network element, where the third message is used to request an authentication vector from the first UDM network element, and the third message contains the SUCI; and the AUSF network element receives an authentication vector, where the authentication vector is sent by the first UDM network element to the AUSF network element when the first UDM network element decrypts the SUCI according to a local private key and determines that the home UDM network element is the first UDM network element.
In this design, the method performed by the first UDM network element includes: the first UDM network element receives a third message from the AUSF network element, where the third message is used to request an authentication vector from the first UDM network element, the third message contains a SUCI, and the SUCI includes ciphertext generated according to a public key; the first UDM network element decrypts the SUCI according to a local private key to obtain the SUPI; the first UDM network element determines the home UDM network element according to the SUPI; and when the home UDM network element is the first UDM network element, the first UDM network element sends an authentication vector to the AUSF network element.
In yet another possible design, the AUSF network element obtains information from the UDM network element according to the encrypted SUCI and addresses the home UDM network element according to the obtained information; in this process the method performed by the AUSF network element includes: the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, the first message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the AUSF network element sends a third message to a first UDM network element, where the third message is used to request an authentication vector from the first UDM network element, and the third message contains the SUCI; and the AUSF network element receives an authentication vector, where the authentication vector is sent by the first UDM network element to the AUSF network element after the first UDM network element decrypts the SUCI according to a local private key, determines that the home UDM network element is a second UDM network element, and obtains the authentication vector from the second UDM network element.
In this design, the method performed by the first UDM network element includes: the first UDM network element receives a third message from the AUSF network element, where the third message is used to request an authentication vector from the first UDM network element, the third message contains a SUCI, and the SUCI includes ciphertext generated according to a public key; the first UDM network element decrypts the SUCI according to a local private key to obtain the SUPI; the first UDM network element determines the home UDM network element according to the SUPI; and when the home UDM network element is a second UDM network element, the first UDM network element obtains the authentication vector from the second UDM network element and sends the authentication vector to the AUSF network element.
In yet another possible design, the AUSF network element obtains information from the UDM network element according to the encrypted SUCI and addresses the home UDM network element according to the obtained information; in this process the method performed by the AUSF network element includes: the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, the first message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the AUSF network element sends a third message to a first UDM network element, where the third message is used to request an authentication vector from the first UDM network element, and the third message contains the SUCI; and the AUSF network element receives an authentication vector, where the authentication vector is sent by the second UDM network element to the AUSF network element after the first UDM network element determines that the home UDM network element is the second UDM network element and sends a third message to the second UDM network element, where that third message is used to request an authentication vector from the second UDM network element and contains the SUPI, so that the second UDM network element generates the authentication vector according to the SUPI.
In this design, the method performed by the first UDM network element includes: the first UDM network element receives a third message from the AUSF network element, where the third message is used to request an authentication vector from the first UDM network element, the third message contains a SUCI, and the SUCI includes ciphertext generated according to a public key; the first UDM network element decrypts the SUCI according to a local private key to obtain the SUPI; the first UDM network element determines the home UDM network element according to the SUPI; and when the home UDM network element is the second UDM network element, the first UDM network element sends a third message to the second UDM network element, where the third message is used to request an authentication vector from the second UDM network element and contains the SUPI, so that the second UDM network element generates the authentication vector according to the SUPI.
In the above possible designs of the second aspect, the decryption information of the SUCI includes the SUPI or user home area information.
In the above possible designs of the second aspect, the ciphertext generated according to the public key is specifically ciphertext obtained by encrypting the MSIN in the SUPI according to the public key, where the MSIN includes the user home area information.
In a third aspect, an embodiment of the present application provides a communication method applicable to a non-roaming scenario in which the private key is deployed on the AUSF network element. The communication method is performed mainly by an AMF network element, an AUSF network element and a UDM network element, and enables the AUSF network element to address the UDM network element according to the SUCI.
In one possible design, the AUSF network element decrypts the encrypted SUCI and interacts with the home UDM network element according to the decryption information; in this process the method performed by the AUSF network element is: the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element, the first message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the AUSF network element decrypts the SUCI according to a local private key to obtain the SUPI; the AUSF network element sends a third message to the home UDM network element associated with the SUPI, where the third message is used to request an authentication vector from the home UDM network element, and the third message contains the SUPI; and the AUSF network element receives the authentication vector from the home UDM network element, where the authentication vector is generated by the home UDM network element according to the SUPI.
In yet another possible design, a first AUSF network element decrypts the encrypted SUCI and addresses the home UDM network element by interacting with the home AUSF network element according to the decryption information; the method performed by the first AUSF network element includes: the first AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the first AUSF network element, the first message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the first AUSF network element decrypts the SUCI according to a local private key to obtain the SUPI; the first AUSF network element sends a first message to the home AUSF network element associated with the SUPI, where the first message is used to request authentication from the home AUSF network element, and the first message contains the SUPI; and the first AUSF network element receives the authentication vector from the home AUSF network element, where the authentication vector is obtained by the home AUSF network element from the home UDM network element according to the SUPI.
In yet another possible design, a first AUSF network element decrypts the encrypted SUCI and, according to the decryption information, exchanges home AUSF network element information with the AMF network element in order to address the home UDM network element; in this process the method performed by the first AUSF network element includes: the first AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the first AUSF network element, the first message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the first AUSF network element decrypts the SUCI according to a local private key to obtain the SUPI; and the first AUSF network element sends, according to the SUPI, a fourth message to the AMF network element, where the fourth message contains the SUPI or addressing information of the home AUSF network element, and the addressing information of the home AUSF network element is obtained by the first AUSF network element from the decryption information produced by decrypting the SUCI according to the local private key.
In this design, the method performed by the AMF network element includes: the AMF network element sends a first message to the first AUSF network element, where the first message is used to request authentication from the first AUSF network element, the first message contains a subscription concealed identifier SUCI, and the SUCI includes ciphertext generated according to a public key; the AMF network element receives a fourth message from the first AUSF network element, where the fourth message contains the SUPI or addressing information of the home AUSF network element, and the SUPI or the addressing information of the home AUSF network element is obtained by the first AUSF network element from the decryption information produced by decrypting the SUCI according to a local private key; and the AMF network element sends, according to the fourth message, a first message to the home AUSF network element, where the home AUSF network element is the AUSF network element associated with the addressing information of the home AUSF network element or with the SUPI, and the first message is used to request authentication from the home AUSF network element.
In this design, the method performed by the home AUSF network element includes: the home AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the home AUSF network element, the first message contains a SUCI, and the SUCI includes ciphertext generated according to a public key; when the first message contains the SUCI, the home AUSF network element decrypts the SUCI according to a local private key to obtain the SUPI; the home AUSF network element sends a third message to the home UDM network element, where the third message is used to request an authentication vector from the home UDM network element, and the third message contains the SUPI; and the home AUSF network element receives the authentication vector from the home UDM network element, where the authentication vector is generated by the home UDM network element according to the SUPI.
In the above possible designs of the third aspect, the decryption information of the SUCI includes the SUPI or user home area information.
In the above possible designs of the third aspect, the ciphertext generated according to the public key is specifically ciphertext obtained by encrypting the MSIN in the SUPI according to the public key, where the MSIN includes the user home area information.
In a fourth aspect, an embodiment of this application provides a communication method applicable to a non-roaming scenario in which the private key is deployed on the NRF network element. The method enables the AMF network element to address the AUSF network element based on the SUCI.
In one possible design, the AMF network element obtains information from the NRF network element based on the encrypted SUCI and addresses the home AUSF network element based on the obtained information. In this process, the method performed by the AMF network element includes: the AMF network element sends a second message to the NRF network element, where the second message is used to request discovery of an AUSF network element from the NRF network element and contains a subscription concealed identifier SUCI, the SUCI including ciphertext generated from a public key; the AMF network element receives second addressing information from the NRF network element, where the second addressing information is AUSF network element addressing information that the NRF network element obtained by decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI and then looking up that decrypted information; and the AMF network element, based on the second addressing information, sends a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element and contains the SUCI or the decrypted information of the SUCI.
In this design, the method performed by the NRF network element includes: the NRF network element receives a second message from the AMF network element, where the second message is used to request discovery of an AUSF network element from the NRF network element and contains a subscription concealed identifier SUCI, the SUCI including ciphertext generated from a public key; the NRF network element decrypts the SUCI with its local private key to obtain the decrypted information of the SUCI; and the NRF network element, based on the decrypted information of the SUCI, sends the second addressing information to the AMF network element, where the second addressing information is AUSF network element addressing information that the NRF network element obtained from the decrypted information of the SUCI.
In the above two possible designs of the fourth aspect, the decrypted information of the SUCI includes the SUPI or subscriber home region information.
In the above two possible designs of the fourth aspect, the second addressing information includes one or more AUSF network element addresses associated with the subscriber home region information; or the second addressing information includes the AUSF network element address and the SUPI; or the second addressing information includes the AUSF network element address and the subscriber home region information.
In the above two possible designs of the fourth aspect, the ciphertext generated from the public key is specifically the ciphertext obtained by encrypting the MSIN in the SUPI with the public key, where the MSIN includes the subscriber home region information.
In a fifth aspect, an embodiment of this application provides a communication method applicable to a roaming scenario in which the private key is deployed on the NRF network element. The method enables the AMF network element to address the AUSF network element based on the SUCI.
In one possible design, the home NRF network element obtains information from the home SEPP network element based on the encrypted SUCI, and the AMF network element addresses the home AUSF network element based on the information obtained by the home NRF network element. In this process, the method performed by the AMF network element of the serving network includes: the AMF network element of the serving network sends a second message, where the second message is used to request discovery of an AUSF network element from the home NRF network element and contains a subscription concealed identifier SUCI, the SUCI including ciphertext generated from a public key; the AMF network element receives second addressing information from the home NRF network element, where the second addressing information is AUSF network element addressing information that the home NRF network element obtained from the decrypted information of the SUCI after obtaining that decrypted information from the home SEPP network element; and the AMF network element, based on the second addressing information, sends a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element and contains the SUCI or the decrypted information of the SUCI.
In this design, the method performed by the home SEPP network element includes: the home SEPP network element receives a second message from the AMF network element of the serving network, where the second message is used to request discovery of an AUSF network element from the home NRF network element and contains a subscription concealed identifier SUCI, the SUCI including ciphertext generated from a public key; the home SEPP network element decrypts the SUCI with its local private key to obtain the decrypted information of the SUCI; and the home SEPP network element sends a second message to the home NRF network element, where the second message is used to request discovery of an AUSF network element from the home NRF network element and contains the decrypted information of the SUCI.
In this design, the method performed by the home NRF network element includes: the home NRF network element receives a second message from the home SEPP network element, where the second message is used to request discovery of an AUSF network element from the home NRF network element and contains the decrypted information of the SUCI; and the home NRF network element, based on the decrypted information of the SUCI, sends second addressing information to the AMF network element, where the second addressing information is AUSF network element addressing information that the home NRF network element obtained from the decrypted information of the SUCI.
In another possible design, the home NRF network element decrypts the encrypted SUCI, and the AMF network element addresses the home AUSF network element based on the decrypted information produced by the home NRF network element. In this process, the method performed by the AMF network element of the serving network includes: the AMF network element of the serving network sends a second message to the home NRF network element via the home SEPP network element, where the second message is used to request discovery of an AUSF network element from the home NRF network element and contains a subscription concealed identifier SUCI, the SUCI including ciphertext generated from a public key; the AMF network element receives second addressing information from the home NRF network element, where the second addressing information is AUSF network element addressing information that the home NRF network element obtained by decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI and then looking up that decrypted information; and the AMF network element, based on the second addressing information, sends a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element and contains the SUCI or the decrypted information of the SUCI.
In this design, the method performed by the home NRF network element includes: the home NRF network element receives a second message from the home SEPP network element, where the second message is used to request discovery of an AUSF network element from the home NRF network element and contains a subscription concealed identifier SUCI, the SUCI including ciphertext generated from a public key; the home NRF network element decrypts the SUCI with its local private key to obtain the decrypted information of the SUCI; and the home NRF network element, based on the decrypted information of the SUCI, sends second addressing information to the AMF network element, where the second addressing information is AUSF network element addressing information that the home NRF network element obtained from the decrypted information of the SUCI.
In the above two possible designs of the fifth aspect, the decrypted information of the SUCI includes the SUPI or subscriber home region information.
In the above two possible designs of the fifth aspect, the second addressing information includes one or more AUSF network element addresses associated with the subscriber home region information; or the second addressing information includes the AUSF network element address and the SUPI; or the second addressing information includes the AUSF network element address and the subscriber home region information.
In the above two possible designs of the fifth aspect, the ciphertext generated from the public key is specifically the ciphertext obtained by encrypting the MSIN in the SUPI with the public key, where the MSIN includes the subscriber home region information.
In a sixth aspect, an embodiment of this application provides a communication method applicable to a scenario in which the terminal encrypts the SUPI flexibly. Based on a first SUCI obtained by the terminal using a first encryption scheme, the method enables the AMF network element to address the AUSF network element based on the first SUCI, and the AUSF network element to address the UDM network element based on the first SUCI.
In one possible design, the terminal encrypts the subscription permanent identifier SUPI with its local public key to obtain a first SUCI, where the first SUCI includes an MSIN in which the subscriber home region information is in plaintext and the remaining information of the MSIN is ciphertext; and the terminal sends a fifth message to the AMF network element, where the fifth message is used to request registration with the AMF network element and contains the first SUCI.
In one possible design, the terminal encrypting the SUPI with its local public key to obtain the first SUCI includes: when the terminal determines from its current location information that the serving network is the home network, encrypting the SUPI with the local public key to obtain the first SUCI.
In one possible design, the AMF network element receives a fifth message from the terminal, where the fifth message is used to request registration with the AMF network element and contains a first SUCI, the first SUCI including an MSIN in which the subscriber home region information is in plaintext and the remaining information of the MSIN is ciphertext; and the AMF network element, based on the first SUCI, sends a first message to the home AUSF network element associated with the first SUCI, where the first message is used to request authentication from the home AUSF network element and contains the first SUCI.
In one possible design, the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the home AUSF network element and contains a first SUCI, the first SUCI including an MSIN in which the subscriber home region information is in plaintext and the remaining information of the MSIN is ciphertext; the AUSF network element sends a third message to the home UDM network element, where the third message is used to request an authentication vector from the home UDM network element and contains the first SUCI; and the AUSF network element receives the authentication vector from the home UDM network element, which the home UDM network element generated from the first SUCI.
In a seventh aspect, an embodiment of this application provides a communication method applicable to a scenario in which the terminal encrypts the SUPI flexibly. Based on a second SUCI obtained by the terminal using a second encryption scheme, the method enables the AMF network element to address the AUSF network element based on the second SUCI, and the AUSF network element to address the UDM network element based on the second SUCI.
In one possible design, the terminal encrypts the subscription permanent identifier SUPI with its local public key to obtain a second SUCI, where the second SUCI includes an MSIN that is entirely ciphertext; and the terminal sends a fifth message to the AMF network element, where the fifth message is used to request registration with the AMF network element and contains the second SUCI and the subscriber home region information.
In one possible design, the terminal encrypting the subscription permanent identifier SUPI with its local public key to obtain the second SUCI includes: when the terminal determines from its current location information that the serving network is a roaming network, encrypting the SUPI with the local public key to obtain the second SUCI.
In one possible design, the AMF network element receives a fifth message from the terminal, where the fifth message is used to request registration with the AMF network element and contains a second SUCI and subscriber home region information, the second SUCI including an MSIN that is entirely ciphertext; and the AMF network element, based on the subscriber home region information, sends a first message to the home AUSF network element associated with the subscriber home region information, where the first message is used to request authentication from the home AUSF network element and contains the subscriber home region information and the second SUCI.
In one possible design, the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element and contains a second SUCI and subscriber home region information, the second SUCI including an MSIN that is entirely ciphertext; the AUSF network element sends a third message to the home UDM network element, where the third message is used to request an authentication vector from the home UDM network element and contains the second SUCI and the subscriber home region information; and the AUSF network element receives the authentication vector from the home UDM network element, which the home UDM network element generated from the second SUCI and the subscriber home region information.
In an eighth aspect, this application provides a communication apparatus, which may be an AMF network element or a chip. The apparatus has the functions of the AMF network element in the embodiments of the first, second, third, fourth, fifth, sixth or seventh aspect above. These functions may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
In one possible design, an embodiment of this application provides an apparatus that can perform the functions of the AMF network element of the third aspect, including:
a sending unit, configured to send a first message to a first AUSF network element, where the first message is used to request authentication from the first AUSF network element and contains a subscription concealed identifier SUCI, the SUCI including ciphertext generated from a public key;
a receiving unit, configured to receive a fourth message from the first AUSF network element, where the fourth message contains the SUPI or addressing information of the home AUSF network element, the SUPI or the addressing information of the home AUSF network element being obtained from the decrypted information that the first AUSF network element produced by decrypting the SUCI with its local private key;
a processing unit, configured to send, based on the fourth message and via the sending unit, a first message to the home AUSF network element, where the home AUSF network element is the AUSF network element associated with the addressing information of the home AUSF network element or with the decrypted information of the SUCI (the SUPI), and the first message is used to request authentication from the home AUSF network element.
In a ninth aspect, this application provides an apparatus including a processor and a memory. The memory stores instructions; when the apparatus runs, the processor executes the instructions stored in the memory so that the apparatus performs the method performed by the AMF network element in any implementation of the first, second, third, fourth, fifth, sixth or seventh aspect above. Note that the memory may be integrated into the processor or may be separate from it.
In a tenth aspect, this application provides an apparatus including a processor, where the processor is configured to be coupled to a memory, read instructions from the memory and, according to those instructions, perform the method performed by the AMF network element in any implementation of the first, second, third, fourth, fifth, sixth or seventh aspect above.
In an eleventh aspect, this application provides a communication apparatus, which may be an AUSF network element (including the first AUSF network element and the home AUSF network element) or a chip. The apparatus has the functions of the AMF network element in the embodiments of the first, second, third, fourth, fifth, sixth or seventh aspect above. These functions may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
For example, in one possible design, an embodiment of this application provides an apparatus that can perform the functions of the AUSF network element of the first aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, where the first message is used to request authentication from the AUSF network element and contains a subscription concealed identifier SUCI, the SUCI including ciphertext generated from a public key;
a sending unit, configured to send a second message to an NRF network element, where the second message is used to request discovery of a UDM network element from the NRF network element and contains the SUCI;
the receiving unit, further configured to receive first addressing information from the NRF network element, where the first addressing information is UDM network element addressing information that the NRF network element obtained by decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI and then looking up that decrypted information;
a processing unit, configured to send, based on the first addressing information and via the sending unit, a third message to the home UDM network element associated with the first addressing information, where the third message is used to request an authentication vector from the home UDM network element and contains the SUCI.
In a twelfth aspect, this application provides an apparatus including a processor and a memory. The memory stores instructions; when the apparatus runs, the processor executes the instructions stored in the memory so that the apparatus performs the method performed by the AUSF network element (including the first AUSF network element and the home AUSF network element) in any implementation of the first, second, third, fourth, fifth, sixth or seventh aspect above. Note that the memory may be integrated into the processor or may be separate from it.
In a thirteenth aspect, this application provides an apparatus including a processor, where the processor is configured to be coupled to a memory, read instructions from the memory and, according to those instructions, perform the method performed by the AUSF network element (including the first AUSF network element and the home AUSF network element) in any implementation of the first, second, third, fourth, fifth, sixth or seventh aspect above.
In a fourteenth aspect, this application provides a communication apparatus, which may be an NRF network element or a chip. The apparatus has the functions of the NRF network element in the embodiments of the first, second, third, fourth, fifth, sixth or seventh aspect above. These functions may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
For example, in one possible design, an embodiment of this application provides an apparatus that can perform the functions of the NRF network element of the first aspect, including:
a receiving unit, configured to receive a second message from an AUSF network element, where the second message is used to request discovery of a UDM network element from the NRF network element and contains a subscription concealed identifier SUCI, the SUCI including ciphertext generated from a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI;
the processing unit, further configured to send, based on the decrypted information of the SUCI and via the sending unit, the first addressing information to the AUSF network element, where the first addressing information is UDM network element addressing information that the NRF network element obtained from the decrypted information of the SUCI.
In a fifteenth aspect, this application provides an apparatus including a processor and a memory. The memory stores instructions; when the apparatus runs, the processor executes the instructions stored in the memory so that the apparatus performs the method performed by the NRF network element in any implementation of the first, second, third, fourth, fifth, sixth or seventh aspect above. Note that the memory may be integrated into the processor or may be separate from it.
In a sixteenth aspect, this application provides an apparatus including a processor, where the processor is configured to be coupled to a memory, read instructions from the memory and, according to those instructions, perform the method performed by the NRF network element in any implementation of the first, second, third, fourth, fifth, sixth or seventh aspect above.
In a seventeenth aspect, this application provides a communication apparatus, which may be a UDM network element (including the first UDM network element and the home UDM network element) or a chip. The apparatus has the functions of the AMF network element in the embodiments of the first, second, third, fourth, fifth, sixth or seventh aspect above. These functions may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
For example, in one possible design, an embodiment of this application provides an apparatus that can perform the functions of the first UDM network element of the second aspect, including:
a receiving unit, configured to receive a third message from an AUSF network element, where the third message is used to request an authentication vector from the first UDM network element and contains a SUCI, the SUCI including ciphertext generated from a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI and, when the first UDM network element determines from the decrypted information of the SUCI that the home UDM network element is not the first UDM network element, to send a fourth message to the AUSF network element via the sending unit, where the fourth message contains the decrypted information of the SUCI or addressing information of the home UDM network element, the addressing information of the home UDM network element being obtained by the first UDM network element from the decrypted information of the SUCI.
In an eighteenth aspect, this application provides an apparatus including a processor and a memory. The memory stores instructions; when the apparatus runs, the processor executes the instructions stored in the memory so that the apparatus performs the method performed by the UDM network element (including the first UDM network element and the home UDM network element) in any implementation of the first, second, third, fourth, fifth, sixth or seventh aspect above. Note that the memory may be integrated into the processor or may be separate from it.
In a nineteenth aspect, this application provides an apparatus including a processor, where the processor is configured to be coupled to a memory, read instructions from the memory and, according to those instructions, perform the method performed by the UDM network element (including the first UDM network element and the home UDM network element) in any implementation of the first, second, third, fourth, fifth, sixth or seventh aspect above.
In a twentieth aspect, this application provides an apparatus, which may be a terminal or a chip. The apparatus has the functions of the AMF network element in the embodiments of the sixth or seventh aspect above. These functions may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
In one possible design, an embodiment of this application provides an apparatus that can perform the functions of the terminal of the sixth aspect, including:
a processing unit, configured to encrypt the subscription permanent identifier SUPI with the local public key to obtain a first SUCI, where the first SUCI includes an MSIN in which the subscriber home region information is in plaintext and the remaining information of the MSIN is ciphertext;
a sending unit, configured to send a fifth message to an AMF network element, where the fifth message is used to request registration with the AMF network element and contains the first SUCI.
In a twenty-first aspect, this application provides an apparatus including a processor and a memory. The memory stores instructions; when the apparatus runs, the processor executes the instructions stored in the memory so that the apparatus performs the method performed by the terminal in any implementation of the sixth or seventh aspect above. Note that the memory may be integrated into the processor or may be separate from it.
In a twenty-second aspect, this application provides an apparatus including a processor, where the processor is configured to be coupled to a memory, read instructions from the memory and, according to those instructions, perform the method performed by the terminal in any implementation of the sixth or seventh aspect above.
In a twenty-third aspect, this application further provides a readable storage medium storing a program or instructions which, when run on a computer, cause any of the communication methods of the above aspects to be performed.
In a twenty-fourth aspect, this application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the communication methods of the above aspects.
In a twenty-fifth aspect, this application further provides a system including an AMF network element, where the AMF network element can perform the steps performed by the AMF network element in any of the methods of the above aspects or in the solutions provided by the embodiments of the present invention.
In some possible implementations, the system may further include other devices that interact with the AMF network element in the solutions provided by the embodiments of this application, such as an AUSF or a terminal device.
In a twenty-sixth aspect, this application further provides a system, which may further include an AUSF network element, where the AUSF network element can perform the steps performed by the AUSF network element in any of the methods of the above aspects or in the solutions provided by the embodiments of the present invention.
In some possible implementations, the system may further include other devices that interact with the AUSF network element in the solutions provided by the embodiments of this application, such as an AMF network element or a UDM network element.
In a twenty-seventh aspect, this application further provides a system, which may further include a UDM network element, where the UDM network element can perform the steps performed by the UDM network element in any of the methods of the above aspects or in the solutions provided by the embodiments of the present invention.
In some possible implementations, the system may further include other devices that interact with the UDM network element in the solutions provided by the embodiments of this application, such as an AUSF network element.
In a twenty-eighth aspect, this application further provides a system, which may further include an NRF network element, where the NRF network element can perform the steps performed by the NRF network element in any of the methods of the above aspects or in the solutions provided by the embodiments of the present invention.
In some possible implementations, the system may further include other devices that interact with the NRF network element in the solutions provided by the embodiments of this application, such as an AMF network element or an AUSF network element.
In a twenty-ninth aspect, this application further provides a system, which may further include a terminal, where the terminal can perform the steps performed by the terminal in any of the methods of the sixth and seventh aspects above or in the solutions provided by the embodiments of the present invention.
In some possible implementations, the system may further include other devices that interact with the terminal in the solutions provided by the embodiments of this application, such as an AMF network element.
In addition, for the technical effects of any of the designs of the eighth to twenty-ninth aspects, refer to the technical effects of the different implementations of the first to fourth aspects; they are not repeated here.
These and other aspects of this application will be clearer and easier to understand from the description of the following embodiments.
Brief description of the drawings
FIG. 1(a) is a schematic diagram of a possible network architecture involved in an embodiment of this application;
FIG. 1(b) is a schematic diagram of another possible network architecture involved in an embodiment of this application;
FIG. 2 is a first schematic flowchart of a communication method provided by an embodiment of this application;
FIG. 3 is a second schematic flowchart of a communication method provided by an embodiment of this application;
FIG. 4 is a third schematic flowchart of a communication method provided by an embodiment of this application;
FIG. 5 is a fourth schematic flowchart of a communication method provided by an embodiment of this application;
FIG. 6 is a fifth schematic flowchart of a communication method provided by an embodiment of this application;
FIG. 7 is a sixth schematic flowchart of a communication method provided by an embodiment of this application;
FIG. 8 is a seventh schematic flowchart of a communication method provided by an embodiment of this application;
FIG. 9 is an eighth schematic flowchart of a communication method provided by an embodiment of this application;
FIG. 10 is a schematic structural diagram of an apparatus provided by an embodiment of this application;
FIG. 11 is a schematic structural diagram of another apparatus provided by an embodiment of this application;
FIG. 12 is a schematic structural diagram of another apparatus provided by an embodiment of this application;
FIG. 13 is a schematic structural diagram of another apparatus provided by an embodiment of this application;
FIG. 14 is a schematic structural diagram of another apparatus provided by an embodiment of this application;
FIG. 15 is a schematic structural diagram of another apparatus provided by an embodiment of this application;
FIG. 16 is a schematic structural diagram of another apparatus provided by an embodiment of this application;
FIG. 17 is a schematic structural diagram of another apparatus provided by an embodiment of this application;
FIG. 18 is a schematic structural diagram of another apparatus provided by an embodiment of this application;
FIG. 19 is a schematic structural diagram of another apparatus provided by an embodiment of this application.
Detailed description of embodiments
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings. The specific operations in the method embodiments may also be applied to the apparatus embodiments or system embodiments. In the description of this application, unless otherwise stated, "a plurality of" means two or more.
FIG. 1(a) shows a possible non-roaming network architecture of a 5G system to which this application applies. The network architecture is that of a 3GPP system including a network data analytics function (NWDAF) network element. The network architecture in FIG. 1(a) includes a terminal, a (radio) access network ((R)AN) network element, a user plane function (UPF) network element, a DN network element, an access and mobility management function (AMF) network element, a session management function (SMF) network element, an authentication server function (AUSF) network element, an application function (AF) network element, a unified data management (UDM) network element, a policy control function (PCF) network element, an NF repository function (NRF) network element, a network exposure function (NEF) network element, a network slice selection function (NSSF) network element, and so on. These network elements are logically interconnected in pairs over a bus.
The (R)AN network element and the UPF network element are logically interconnected over the N3 interface, the DN network element and the UPF network element over the N6 interface, the terminal and the AMF network element over the N1 interface, the (R)AN network element and the AMF network element over the N2 interface, and the SMF network element and the UPF network element over the N4 interface.
For the non-roaming scenario, the network elements that the communication method provided by this application may involve mainly include the terminal, the AMF network element, the AUSF network element, the NRF network element and the UDM network element, whose main functions are as follows:
The terminal is a device with wireless transceiving capability. It may be deployed on land, indoors or outdoors, handheld or vehicle-mounted; on water (for example, on a ship); or in the air (for example, on an aircraft, a balloon or a satellite). The terminal may be a UE, a mobile phone, a tablet (pad), a computer with wireless transceiving capability, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
AMF network element: responsible for access management and mobility management of the terminal. In practice it includes the mobility management functions of the mobility management entity (MME) in the LTE network framework, with access management functions added. The function relevant to this application is the management of access authorization/authentication. When the terminal registers with the serving network, the AMF network element of the serving network sends an initial authentication request to the AUSF network element of the home network and receives an authentication vector from the home AUSF network element, completing authentication of the terminal in the serving network. After the terminal passes authentication in the serving network, the AMF network element initiates the registration procedure and obtains the subscriber's subscription data from the UDM network element. It will be understood that in future communication systems (for example, 6G) the network element responsible for access management and mobility management may still be the AMF network element or may have a different name; this application does not limit this.
NRF network element: provides NF registration and discovery. In the authentication procedure, the AMF network element discovers the AUSF network element through the NRF network element, or the AUSF network element discovers the UDM network element through the NRF network element. It will be understood that in future communication systems the network element responsible for network function registration and discovery may still be the NRF network element or may have a different name; this application does not limit this.
AUSF network element: performs authentication. For the home-network AUSF network element, after receiving the initial authentication request sent by the serving-network AMF network element, it sends an authentication request message to the home-network UDM network element to obtain an authentication vector. It will be understood that in future communication systems the network element responsible for authentication may still be the AUSF network element or may have a different name; this application does not limit this.
UDM network element: stores the subscriber's authentication data and subscription data. For the home-network UDM network element, in the authentication procedure, after receiving the authentication request message from the home-network AUSF network element, it selects the authentication method, generates an authentication vector and returns the authentication vector to the home-network AUSF network element. In the registration procedure, after receiving the registration message from the serving-network AMF, the home-network UDM network element returns the subscription data. It will be understood that in future communication systems the network element responsible for storing the subscriber's authentication data and subscription data may still be the UDM network element or may have a different name; this application does not limit this.
The functions of the above network elements may be provided by network elements in hardware devices, by software functions running on dedicated hardware, or by virtualized functions instantiated on a platform (for example, a cloud platform).
Based on the network architecture shown in FIG. 1(a), this application provides, for the non-roaming scenario, corresponding communication methods and apparatuses that specify how, in the subscriber authentication procedure of this application, the AUSF network element addresses the UDM network element based on the encrypted SUCI and how the AMF network element addresses the AUSF network element based on the encrypted SUCI.
In one embodiment, for the non-roaming scenario, the communication method provided by this application deploys the private key on the UDM network element so that the AUSF network element can address the UDM network element based on the encrypted SUCI.
In yet another embodiment, for the non-roaming scenario, the communication method provided by this application deploys the private key on the NRF network element so that the AUSF network element can address the UDM network element based on the encrypted SUCI.
In yet another embodiment, for the non-roaming scenario, the communication method provided by this application deploys the private key on the AUSF network element so that the AUSF network element can address the UDM network element based on the encrypted SUCI.
In yet another embodiment, for the non-roaming scenario, the communication method provided by this application deploys a flexible encryption scheme on the terminal's USIM that encrypts only part of the MSIN of the SUPI, so that the AUSF network element can address the UDM network element based on the encrypted SUCI.
In yet another embodiment, for the roaming scenario, the communication method provided by this application adds an information element carrying the plaintext subscriber home region information of the MSIN, so that in the non-roaming scenario the AUSF network element can address the UDM network element based on the encrypted SUCI.
In one embodiment, for the non-roaming scenario, the communication method provided by this application deploys the private key on the NRF network element so that the AMF network element can address the AUSF network element based on the encrypted SUCI.
In yet another embodiment, for the non-roaming scenario, the communication method provided by this application deploys a flexible encryption scheme on the terminal's USIM that encrypts only part of the MSIN of the SUPI, so that the AMF network element can address the AUSF network element based on the encrypted SUCI.
In yet another embodiment, for the roaming scenario, the communication method provided by this application adds an information element carrying the plaintext subscriber home region information of the MSIN, so that in the non-roaming scenario the AMF network element can address the AUSF network element based on the encrypted SUCI.
FIG. 1(b) shows another possible network architecture of a 5G system to which this application applies, for roaming. The network architecture consists of two parts, the visited serving network and the home serving network. For ease of description, in this application, when the terminal registers for service in a visited location, the visited serving network is called the serving network and the home serving network is called the home network. The network elements involved in the serving network mainly include the terminal, the (R)AN network element, the UPF network element, the AMF network element, the SMF network element, the PCF network element, the NRF network element, the NEF network element, the NSSF network element and a security edge protection proxy (SEPP) network element. The network elements involved in the home network mainly include the UPF network element, the DN network element, the SMF network element, the AUSF network element, the PCF network element, the AF network element, the UDM network element, the NRF network element, the NEF network element and the SEPP network element. It will be understood that the names of the above network elements are examples only and may be replaced by other network elements with corresponding functions.
The SEPP network element is used for topology hiding and for filtering control-plane messages between networks.
For ease of description, in the roaming scenario the AMF network element of the serving network may be abbreviated V-AMF, the NRF network element of the serving network V-NRF, the SEPP network element of the serving network V-SEPP, the SEPP network element of the home network H-SEPP, and the NRF network element of the home network H-NRF.
Based on the network architecture shown in FIG. 1(b), this application provides, for the roaming scenario, corresponding communication methods and apparatuses to solve the problem of how, in the subscriber authentication procedure of this application, the V-AMF network element addresses the H-AUSF network element based on the encrypted SUCI. In the subscriber authentication procedure of the roaming scenario of this application, when the V-AMF network element addresses the H-AUSF network element, it interacts in turn with the V-NRF network element, the V-SEPP network element, the H-SEPP network element and the H-NRF network element in order to address the H-AUSF network element.
In one embodiment, for the roaming scenario, the communication method provided by this application deploys the private key for SUCI encryption on the H-SEPP network element, so that in the roaming scenario the V-AMF network element can address the H-AUSF network element based on the encrypted SUCI.
In yet another embodiment, for the roaming scenario, the communication method provided by this application deploys the private key for SUCI encryption on the H-NRF network element, so that in the roaming scenario the V-AMF network element can address the H-AUSF network element based on the encrypted SUCI.
In yet another embodiment, for the roaming scenario, the communication method provided by this application adds an information element carrying the plaintext subscriber home region information of the MSIN, so that in the roaming scenario the V-AMF network element can address the H-AUSF network element based on the encrypted SUCI.
The network function discovery request involved in this application may be an Nnrf_NF Discovery Service request.
The authentication request involved in this application may be an Nnrf_UE Authentication request.
The authentication vector retrieval request involved in this application may be an Nnrf_Authentication Vector Retrieval request.
In this application, the above network elements may be physical network elements or virtual network elements; this is not limited here.
In the following embodiments, step numbers are for convenience of description only; there is no strict execution order between the steps.
The following describes, with reference to the drawings, how the AUSF network element addresses the UDM network element in the different scenarios of this application.
Based on the non-roaming network architecture of the 5G system shown in FIG. 1(a), a communication method provided by this application deploys the private key on the UDM network element so that the AUSF network element can address the UDM network element using the encrypted SUCI.
A communication method provided by this application is shown in FIG. 2 and mainly includes the following steps:
Step 101: the AUSF network element receives a subscription concealed identifier SUCI from the AMF network element, where the SUCI is used by the AUSF network element for authentication and includes ciphertext generated from a public key.
The AUSF network element may receive from the AMF network element any message used to request authentication from the AUSF network element, the message containing the SUCI.
Optionally, the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element and contains a subscription concealed identifier SUCI, the SUCI including ciphertext generated from a public key.
As an example, the AUSF network element may receive an authentication request from the AMF network element, the authentication request containing the SUCI.
The SUCI is obtained by the terminal, or the terminal's USIM, encrypting the SUPI. The SUCI includes ciphertext generated from a public key, specifically the ciphertext produced by the terminal encrypting the MSIN in the SUPI with the public key.
In this application, the terminal encrypts the MSIN in the SUPI with the public key to form the SUCI, and a SUCI formed by any encryption scheme of the terminal falls within the scope of protection of this application. The encryption scheme by which the terminal encrypts the MSIN in the SUPI with the public key to form the SUCI is not limited to the one provided by this application.
For example, this application provides one encryption scheme by which the terminal encrypts the MSIN in the SUPI with the public key to form the SUCI, as follows:
The terminal generates its own public/private key pair, derives a shared key from its own private key and the locally configured home-network public key, and then encrypts the SUPI with the shared key to obtain the SUCI.
Optionally, for the network-side network elements in this application that are configured with a local private key and can decrypt the SUCI, there may be many flexible ways of decrypting the SUCI with the private key, not limited to the decryption scheme provided by this application. For example, the decryption process is:
The network-side network element (such as the AUSF/UDM/NRF/H-SEPP/H-NRF) first derives a shared key from the terminal's public key and the locally configured home-network private key, and then decrypts the SUCI with the shared key to obtain the SUPI.
The SUPI has two formats: an IMSI format and a network access identifier (NAI) format. For a universal subscriber identity module (USIM) card, the NAI-format SUPI can be derived from the IMSI by adding a prefix and a domain name; see 3GPP TS 23.003 for details. This document describes only the IMSI format; the NAI format can be derived by the same rule.
For example, for the IMSI 234150999999999, the NAI format derived by adding a prefix and a domain name may be 0234150999999999@nai.epc.mnc015.mcc234.3gppnetwork.org.
An IMSI can be divided into three parts, MCC+MNC+MSIN, where the MCC is the mobile country code (for example, the mobile country code of China is 460), the MNC is the mobile network code (for example, the mobile network code of China Telecom is 03), and the MSIN is the mobile subscriber identification number, which distinguishes different subscribers.
Therefore, the SUCI obtained by encrypting the SUPI includes the MCC in plaintext, the MNC in plaintext and the MSIN in ciphertext.
In different countries, the MSIN is further divided into n digits of subscriber home region information and m digits of remaining number segment.
For example, in China the MSIN is further divided as H1H2H3H4X1X2X3X4X5X6, where the first four digits H1H2H3H4 of the MSIN indicate the province in which the subscriber is located; in this application, the first four digits H1H2H3H4 of the MSIN are called the subscriber home region information. In different countries, the n-digit subscriber home region information and the m-digit remaining number segment of the MSIN may differ. In all of the embodiments below, the MSIN is described using China as the example.
In this application, the subscriber home region information can be used to determine the UDM network element and/or the AUSF network element of the subscriber's home region. For example, in China, the subscriber home region information H1H2H3H4 indicates the province in which the subscriber is located; when addressing the AUSF network element, the AMF network element can determine the AUSF network element of the subscriber's province from the plaintext subscriber home region information, and when addressing the UDM network element, the AUSF network element can determine the UDM network element of the subscriber's province from the plaintext subscriber home region information.
In step 101, the ciphertext included in the SUCI may be the MSIN ciphertext, meaning that both the subscriber home region information H1H2H3H4 and the remaining number segment X1X2X3X4X5X6 of the MSIN are entirely encrypted.
Step 102: the AUSF network element sends the SUCI to a first UDM network element, where the SUCI is used by the first UDM network element to generate an authentication vector.
The AUSF network element may send to the first UDM network element any message that can be used to request an authentication vector from the first UDM network element, the message containing the SUCI.
Optionally, the AUSF network element sends a third message to the first UDM network element, where the third message is used to request an authentication vector from the first UDM network element and contains the SUCI.
As an example, the AUSF network element may send an authentication vector retrieval request to the first UDM network element, the authentication vector retrieval request containing the SUCI.
The first UDM network element may be any UDM network element of the home network, or a UDM network element that the AUSF network element selects from the multiple UDM network elements of the home network according to local policy.
Step 103: the first UDM network element receives the SUCI from the AUSF network element and decrypts the SUCI with its local private key to obtain the decrypted information of the SUCI.
Optionally, the first UDM network element receives a third message from the AUSF network element, where the third message is used to request an authentication vector from the first UDM network element and contains the SUCI.
As an example, the first UDM network element receives an authentication vector retrieval request from the AUSF network element, the authentication vector retrieval request containing the SUCI.
The first UDM network element may decrypt the SUCI with its local private key in many flexible ways. For example, the first UDM network element may fully decrypt the MSIN in the SUCI with its local private key to recover the plaintext MSIN, or it may partially decrypt the MSIN in the SUCI with its local private key to recover only the plaintext subscriber home region information H1H2H3H4.
The decrypted information of the SUCI can be configured flexibly.
As one example, the decrypted information of the SUCI includes the SUPI, which is obtained from the plaintext MCC, MNC and MSIN.
As another example, the decrypted information of the SUCI includes the subscriber home region information, that is, the H1H2H3H4 segment of the MSIN.
Step 104: the first UDM network element sends the decrypted information of the SUCI or the addressing information of the home UDM network element to the AUSF network element.
The first UDM network element may send any type of message to the AUSF network element, the message containing the decrypted information of the SUCI or the addressing information of the home UDM network element.
Optionally, the first UDM network element, based on the decrypted information of the SUCI, sends a fourth message to the AUSF network element, where the fourth message contains the decrypted information of the SUCI or the addressing information of the home UDM network element.
As an example, the first UDM network element, based on the decrypted information of the SUCI, sends a redirect message to the AUSF network element, the redirect message containing the decrypted information of the SUCI or the addressing information of the home UDM network element.
As an example, when the decrypted information of the SUCI includes the SUPI, the fourth message contains the SUPI.
As an example, when the decrypted information of the SUCI includes the subscriber home region information, the fourth message contains the subscriber home region information.
The addressing information of the home UDM network element may be any information that can be used to address the home UDM network element; as an example, it may be the address information of the home UDM network element.
The addressing information of the home UDM network element may be obtained by the first UDM network element from the decrypted information of the SUCI. As an example, from the MCC+MNC together with the subscriber home region information H1H2H3H4, the first UDM network element can determine the home UDM network element and obtain its addressing information. The home UDM network element stores the subscriber data of the home region, including authentication data and subscription data.
Step 105: the AUSF network element receives the addressing information of the home UDM network element or the decrypted information of the SUCI from the first UDM network element, and the AUSF network element sends the SUCI to the home UDM network element associated with the addressing information of the home UDM network element or with the decrypted information of the SUCI, where the SUCI is used by the home UDM network element to generate an authentication vector.
The AUSF network element may send any type of message to the home UDM network element, where the message is used to request an authentication vector from the home UDM network element and contains the SUCI.
Optionally, the AUSF network element, based on the fourth message, sends a third message to the home UDM network element associated with the addressing information of the home UDM network element or with the decrypted information of the SUCI, where the third message is used to request an authentication vector from the home UDM network element.
As an example, the AUSF network element may send an authentication vector retrieval request to the home UDM network element, the authentication vector retrieval request containing the SUCI.
Optionally, the AUSF network element sending, based on the fourth message, a third message to the home UDM network element associated with the addressing information of the home UDM network element or with the decrypted information of the SUCI includes:
the AUSF network element determining the home UDM network element from the addressing information of the home UDM network element or from the decrypted information of the SUCI, and the AUSF network element sending the third message to the home UDM network element.
When the fourth message contains the SUPI, the AUSF network element determines the home UDM network element from the SUPI (at least from the MCC, the MNC and the subscriber home region information H1H2H3H4).
When the fourth message contains the subscriber home region information, the AUSF network element determines the home UDM network element from the MCC and MNC in the SUCI together with the subscriber home region information contained in the fourth message.
When the fourth message contains the addressing information of the home UDM network element, the AUSF network element can determine the home UDM network element directly from that addressing information.
Optionally, the third message contains the SUCI, so that the home UDM network element decrypts the SUCI with its local private key to obtain the SUPI, generates an authentication vector from the SUPI, and returns the authentication vector to the AUSF network element.
Step 106: the AUSF network element receives the authentication vector from the home UDM network element.
As an alternative implementation of step 104 above, after the first UDM network element obtains the decrypted information of the SUCI, it may first determine the home UDM network element from the decrypted information of the SUCI and only then send the fourth message to the AUSF network element. Accordingly, step 104 above may be replaced by: the first UDM network element determines the home UDM network element from the decrypted information of the SUCI; when it determines that the home UDM network element is not the first UDM network element, the first UDM network element sends a fourth message to the AUSF network element, where the fourth message contains the decrypted information of the SUCI or the addressing information of the home UDM network element.
As an alternative implementation of step 105 above, when the decrypted information of the SUCI contained in the fourth message is the SUPI, the AUSF network element may send the SUPI directly to the home UDM network element, which saves the home UDM network element the decryption step. Accordingly, step 106 may also be replaced by: the AUSF network element sends the SUPI to the home UDM network element, so that the home UDM network element generates the authentication vector directly from the SUPI.
As a first alternative implementation of steps 101 to 106 above, steps 103 to 106 above are replaced as follows:
Step 103 above may be replaced by: the first UDM network element receives the SUCI from the AUSF network element and decrypts the SUCI with its local private key to obtain the SUPI.
Steps 104 to 105 above may be replaced by: the first UDM network element determines the home UDM network element from the SUPI; when the home UDM network element is the first UDM network element, the first UDM network element obtains an authentication vector from the SUPI and sends the authentication vector to the AUSF network element.
Step 106 above may be replaced by: the AUSF network element receives the authentication vector from the first UDM network element.
As a second alternative implementation of steps 101 to 107 above, steps 103 to 107 above are replaced as follows:
Step 103 above may be replaced by: the first UDM network element receives the SUCI from the AUSF network element and decrypts the SUCI with its local private key to obtain the SUPI.
Optionally, the first UDM network element receives a third message from the AUSF network element, where the third message is used to request an authentication vector from the first UDM network element and contains the SUCI. As an example, the third message may be an authentication vector retrieval request.
Steps 104 to 106 above may be replaced by the following: the first UDM network element determines the home UDM network element from the SUPI; when the home UDM network element is a second UDM network element, the first UDM network element obtains the authentication vector from the second UDM network element and sends the authentication vector to the AUSF network element.
The first UDM network element obtaining the authentication vector from the second UDM network element includes:
the first UDM network element sends the SUPI to the second UDM network element, where the SUPI is used to request an authentication vector from the second UDM network element, so that the second UDM network element generates an authentication vector from the SUPI and sends the authentication vector to the first UDM network element.
Optionally, the first UDM network element sends a third message to the second UDM network element, where the third message is used to request an authentication vector from the second UDM network element and contains the SUPI. As an example, the third message may be an authentication vector retrieval request.
Step 107 above may be replaced by: the AUSF network element receives the authentication vector from the first UDM network element.
As a third alternative implementation of steps 101 to 107 above, steps 103 to 107 above are replaced as follows:
Step 103 above may be replaced by: the first UDM network element receives the SUCI from the AUSF network element and decrypts the SUCI with its local private key to obtain the SUPI.
Steps 104 to 106 above may be replaced by: the first UDM network element determines the home UDM network element from the SUPI; when the home UDM network element is a second UDM network element, the first UDM network element sends the SUPI to the second UDM network element, where the SUPI is used by the second UDM network element to generate an authentication vector, so that after the second UDM network element generates the authentication vector from the SUPI it sends the authentication vector to the AUSF network element.
Optionally, the first UDM network element sends a third message to the second UDM network element, where the third message is used to request an authentication vector from the second UDM network element and contains the SUPI, so that the second UDM network element generates the authentication vector from the SUPI. As an example, the third message may be an authentication vector retrieval request.
Step 106 above may be replaced by: the AUSF network element receives the authentication vector from the second UDM network element.
As a fourth alternative implementation of steps 101 to 107 above, steps 103 to 107 above are replaced as follows:
Step 103 above may be replaced by: the first UDM network element receives the SUCI from the AUSF network element and decrypts the SUCI with its local private key to obtain the SUPI.
Steps 104 to 105 above may be replaced by the following: the first UDM network element determines the home UDM network element from the SUPI; when the home UDM network element is a second UDM network element, the first UDM network element sends the SUCI to the second UDM network element, where the SUCI is used by the second UDM network element to generate an authentication vector, so that after the second UDM network element decrypts the SUCI with its local private key to obtain the SUPI and generates an authentication vector, it sends the authentication vector to the AUSF network element.
Step 106 above may be replaced by: the AUSF network element receives the authentication vector from the second UDM network element.
Based on the non-roaming network architecture of the 5G system shown in FIG. 1(a), a communication method provided by this application deploys the private key on the NRF network element so that the AUSF network element can address the UDM network element using the encrypted SUCI.
As shown in FIG. 3, the communication method mainly includes the following steps:
Step 201: the AUSF network element receives a subscription concealed identifier SUCI from the AMF network element, where the SUCI is used by the AUSF network element for authentication and includes ciphertext generated from a public key.
In step 201, the ciphertext included in the SUCI may be the MSIN ciphertext, meaning that both the subscriber home region information H1H2H3H4 and the remaining number segment X1X2X3X4X5X6 of the MSIN are entirely encrypted. For the details of the SUCI, see step 101 above; they are not repeated here.
The AUSF network element receives from the AMF network element any message used to request authentication from the AUSF network element, the message containing the SUCI.
Optionally, the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element and contains a subscription concealed identifier SUCI.
As an example, the AUSF network element may receive an authentication request from the AMF network element, the authentication request containing the SUCI.
Step 202: the AUSF network element sends the SUCI to the NRF network element, where the SUCI is used by the NRF network element to discover a UDM network element.
When sending the SUCI to the NRF network element, the AUSF network element sends to the NRF network element any message used to request discovery of a UDM network element from the NRF network element, the message containing the SUCI.
Optionally, the AUSF network element sends a second message to the NRF network element, where the second message is used to request discovery of a UDM network element from the NRF network element and contains the SUCI.
As an example, the AUSF network element sends a network function discovery request to the NRF network element, the network function discovery request containing the SUCI.
Step 203: the NRF network element receives the SUCI from the AUSF network element and decrypts the SUCI with its local private key to obtain the decrypted information of the SUCI; the NRF network element, based on the decrypted information of the SUCI, sends the first addressing information to the AUSF network element, where the first addressing information is UDM network element addressing information that the NRF network element obtained from the decrypted information of the SUCI.
For the details of decrypting the SUCI with the local private key, see step 103 of the preceding embodiment; they are not repeated here.
The decrypted information of the SUCI can be configured flexibly.
As one example, the decrypted information of the SUCI includes the SUPI, which is obtained from the plaintext MCC, MNC and MSIN.
As another example, the decrypted information of the SUCI includes the subscriber home region information, that is, the H1H2H3H4 segment of the MSIN.
The first addressing information can also be configured flexibly.
As an optional example, the first addressing information includes one or more UDM network element addresses associated with the subscriber home region information. The UDM network element address may be the IP address of the UDM network element, endpoint information of the UDM network element (such as URLs), or the fully qualified domain name (FQDN) of the UDM network element.
As another optional example, the first addressing information includes, in addition to one or more UDM network element addresses associated with the subscriber home region information, the SUPI.
As another optional example, the first addressing information includes, in addition to one or more UDM network element addresses associated with the subscriber home region information, the subscriber home region information itself.
Step 204: the AUSF network element receives the first addressing information from the NRF network element and, based on the first addressing information, sends the SUCI to the home UDM network element associated with the first addressing information, where the SUCI is used by the home UDM network element to generate an authentication vector.
The AUSF network element may send to the home UDM network element any message used to request an authentication vector from the home UDM network element, the message containing the SUCI.
Optionally, the AUSF network element, based on the first addressing information, sends a third message to the home UDM network element associated with the first addressing information, where the third message is used to request an authentication vector from the home UDM network element and contains the SUCI.
As an example, the AUSF network element may send an authentication vector retrieval request to the home UDM network element, the authentication vector retrieval request containing the SUCI.
Optionally, before the AUSF network element sends, based on the first addressing information, the third message to the home UDM network element associated with the first addressing information, the method includes:
the AUSF network element determining, from the first addressing information, the home UDM network element associated with the first addressing information.
Optionally, after obtaining the first addressing information, the AUSF network element may store the association between the subscriber home region information and the UDM network element addresses in the first addressing information, so that the next time the AUSF network element performs addressing it can address the home UDM network element directly from that association, reducing the number of interactions between the AUSF network element and the NRF network element and saving signalling overhead.
Optionally, if the first addressing information also includes validity period information for the subscriber home region information, the AUSF network element may store the association among the subscriber home region information, the UDM network element addresses and the validity period information of the subscriber home region information in the first addressing information.
Optionally, when the AUSF network element determines, from the first addressing information, the home UDM network element associated with the first addressing information, and the first addressing information includes multiple UDM network element addresses associated with the subscriber home region information, the AUSF network element may, according to local policy, poll the multiple UDM network element addresses in the first addressing information in turn until the home UDM network element is reached, prefer a high-priority UDM network element address according to priority information for the multiple UDM network element addresses in the first addressing information, or pick a UDM network element address at random.
Step 205: the AUSF network element receives the authentication vector from the home UDM network element.
Note that step 204 above applies to the scenario in which the home UDM network element supports decrypting the SUCI: after receiving the SUCI, the home UDM network element decrypts the SUCI with its local private key to obtain the SUPI and then generates the authentication vector from the SUPI.
If the home UDM does not support decryption, step 204 above may instead be replaced by the following step: the AUSF network element, based on the first addressing information, sends the SUPI to the home UDM network element associated with the first addressing information, where the SUPI is used by the home UDM network element to generate an authentication vector. Here the SUPI is obtained by the NRF network element decrypting the SUCI with its local private key.
Based on the non-roaming network architecture of the 5G system shown in FIG. 1(a), a communication method provided by this application deploys the private key on the AUSF network element so that the AUSF network element can address the UDM network element using the encrypted SUCI.
The first implementation provided by this application applies to the scenario in which the AUSF network element supports interaction with UDM network elements in other regions. As shown in FIG. 4, the communication method mainly includes the following steps:
Step 301: a first AUSF network element receives a SUCI from the AMF network element, where the SUCI is used by the first AUSF network element for authentication and includes ciphertext generated from a public key.
In step 301, the ciphertext included in the SUCI may be the MSIN ciphertext, meaning that both the subscriber home region information H1H2H3H4 and the remaining number segment X1X2X3X4X5X6 of the MSIN are entirely encrypted. For the details of the SUCI, see step 101 above; they are not repeated here.
The AUSF network element receives from the AMF network element any message used to request authentication from the AUSF network element, the message containing the SUCI.
Optionally, the AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the AUSF network element and contains a subscription concealed identifier SUCI.
As an example, the AUSF network element may receive an authentication request from the AMF network element, the authentication request containing the SUCI.
Step 302: the first AUSF network element decrypts the SUCI with its local private key to obtain the SUPI.
For the details of decrypting the SUCI with the local private key, see step 103 of the preceding embodiment; they are not repeated here.
Step 303: the first AUSF network element, based on the SUPI, sends the SUPI to the home UDM network element associated with the SUPI, where the SUPI is used by the home UDM network element to generate an authentication vector.
The AUSF network element may send to the home UDM network element any message used to request an authentication vector from the home UDM network element, the message containing the SUPI.
Optionally, the AUSF network element sends a third message to the home UDM network element associated with the SUPI, where the third message is used to request an authentication vector from the home UDM network element and contains the SUPI, so that the home UDM network element generates an authentication vector from the SUPI.
As an example, the AUSF network element may send an authentication vector retrieval request to the home UDM network element, the authentication vector retrieval request containing the SUPI.
The first AUSF network element is any AUSF network element that supports direct interaction with the UDM network element located in the same subscriber home region as a second AUSF network element. The home UDM network element may be the UDM network element located in the same subscriber home region as the first AUSF network element, or the UDM network element located in the same subscriber home region as the second AUSF network element.
Step 304: the first AUSF network element receives the authentication vector from the home UDM network element.
When the first AUSF network element does not support direct interaction with the UDM network element located in the same subscriber home region as the second AUSF network element, as an alternative implementation of steps 301 to 304 above, steps 303 and 304 above may be replaced as follows:
Step 303 above is replaced by: the first AUSF sends the SUPI to the home AUSF network element associated with the SUPI.
Optionally, the first AUSF sends a first message to the home AUSF network element associated with the SUPI, where the first message is used to request authentication from the home AUSF network element and contains the SUPI, so that the home AUSF network element obtains an authentication vector from the home UDM network element based on the SUPI.
As an example, the first message is an authentication request, the authentication request containing the SUPI.
For example, the first AUSF sending the SUPI to the home AUSF network element associated with the SUPI includes: the first AUSF network element determines the home AUSF network element from the SUPI, and when the home AUSF network element is a second AUSF network element, the first AUSF network element sends the SUPI to the second AUSF network element, where the SUPI is used to request authentication from the second AUSF network element, so that the second AUSF network element obtains an authentication vector from the home UDM network element based on the SUPI. Accordingly, step 304 above may be replaced by: the first AUSF network element receives the authentication vector from the second AUSF network element.
Here the first AUSF network element is any AUSF network element that supports interaction only with the UDM network element located in the same subscriber home region as the first AUSF network element. The home UDM network element here means the UDM network element located in the same subscriber home region as the second AUSF network element.
The second AUSF network element obtaining the authentication vector from the home UDM network element based on the SUPI includes: the second AUSF network element sends the SUPI to the home UDM network element, where the SUPI is used to request an authentication vector from the home UDM network element.
Note that when, after the first AUSF network element determines the home AUSF network element from the SUPI, the home AUSF network element happens to be the first AUSF network element itself, the first AUSF network element sends the SUPI to the home UDM network element located in the same subscriber home region as the first AUSF network element, where the SUPI is used to request an authentication vector from that home UDM network element. Accordingly, step 304 above is replaced by: the first AUSF network element receives the authentication vector from the home UDM network element located in the same subscriber home region as the first AUSF network element.
Another communication method provided by this application is shown in FIG. 5 and mainly includes the following steps:
Step 401: the AMF network element sends a SUCI to a first AUSF network element, where the SUCI is used by the first AUSF network element for authentication and includes ciphertext generated from a public key.
In step 401, the ciphertext included in the SUCI may be the MSIN ciphertext, meaning that both the subscriber home region information H1H2H3H4 and the remaining number segment X1X2X3X4X5X6 of the MSIN are entirely encrypted. For the details of the SUCI, see step 101 above; they are not repeated here.
When sending the SUCI to the first AUSF network element, the AMF network element may send any message used to request authentication from the AUSF network element, the message containing the SUCI.
Optionally, the AMF network element sends a first message to the first AUSF network element, where the first message is used to request authentication from the first AUSF network element and contains a subscription concealed identifier SUCI.
As an example, the AMF network element sends an authentication request to the first AUSF network element, the authentication request containing the SUCI.
Step 402: the first AUSF network element receives the SUCI from the AMF network element and decrypts the SUCI with its local private key to obtain the SUPI.
For the details of decrypting the SUCI with the local private key, see step 103 of the preceding embodiment; they are not repeated here.
Step 403: the first AUSF network element, based on the SUPI, sends the SUPI or the addressing information of the home AUSF network element to the AMF network element. The addressing information of the home AUSF network element is obtained from the decrypted information that the first AUSF network element produced by decrypting the SUCI with its local private key.
Optionally, the first AUSF, based on the SUPI, sends a fourth message to the AMF network element, where the fourth message contains the SUPI or the addressing information of the home AUSF network element.
As an example, the fourth message is a redirect message, the redirect message containing the SUPI or the addressing information of the home AUSF network element.
The addressing information of the home AUSF network element may be any information that can be used to address the home AUSF network element; as an example, it may be the address information of the home AUSF network element.
For example, the first AUSF sending, based on the SUPI, the fourth message to the AMF network element includes: the first AUSF network element determines the home AUSF network element from the SUPI, and when the home AUSF network element is a second AUSF network element, the first AUSF network element sends the fourth message to the AMF network element.
Step 404: the AMF network element receives the SUPI or the addressing information of the home AUSF network element from the first AUSF network element, and sends the SUPI to the home AUSF network element, where the SUPI is used by the home AUSF network element for authentication, and the home AUSF network element is the AUSF network element associated with the addressing information of the home AUSF network element or with the SUPI.
When sending the SUPI to the home AUSF network element, the AMF network element may send any message used to request authentication from the home AUSF network element, the message containing the SUPI.
Optionally, the AMF network element receives a fourth message from the first AUSF network element and, based on the fourth message, sends a first message to the home AUSF network element, where the first message is used to request authentication from the home AUSF network element.
As an example, the AMF network element sends an authentication request to the home AUSF network element, the authentication request containing the SUPI.
For example, the AMF network element sending the SUPI to the home AUSF network element specifically includes: the AMF network element determines the home AUSF network element from the fourth message, and sends the first message to the determined home AUSF network element.
The AMF network element determining the home AUSF network element from the fourth message includes: when the fourth message includes the SUPI, the AMF network element determines the home AUSF network element from the SUPI; when the fourth message includes the addressing information of the home AUSF network element, the AMF network element determines the home AUSF network element from that addressing information.
As an example, the AMF network element sending the first message to the determined home AUSF network element includes: when the home AUSF network element is a second AUSF network element, the AMF network element sends the SUPI to the second AUSF network element, where the SUPI is used by the second AUSF network element for authentication.
Step 405: the home AUSF network element receives the SUPI from the AMF network element and sends the SUPI to the home UDM network element, where the SUPI is used by the home UDM network element to generate an authentication vector.
Optionally, the home AUSF network element receives a first message from the AMF network element, where the first message is used to request authentication from the home AUSF network element and contains the SUPI.
As an example, the first message is an authentication request, the authentication request containing the SUPI.
When the second AUSF network element receives the SUPI, the second AUSF network element sends the SUPI to the home UDM network element based on the SUPI, so that the home UDM network element generates an authentication vector from the SUPI and sends the authentication vector to the home AUSF network element.
Step 406: the second AUSF network element receives the authentication vector from the home UDM network element.
Note that in step 404 above, when the fourth message includes the SUPI, the AMF network element may send the SUPI to the home AUSF network element or may send the SUCI to the home AUSF; when the fourth message includes the addressing information of the home AUSF network element, the AMF network element may send the SUCI to the home AUSF network element.
Therefore, as an alternative to steps 404 to 406 above, steps 404, 405 and 406 above are replaced as follows:
Step 404 above may be replaced by the following step: the AMF network element receives the SUPI or the addressing information of the home AUSF network element from the first AUSF network element, and sends the SUCI to the home AUSF network element.
Step 405 above may be replaced by the following step: the home AUSF network element decrypts the SUCI to obtain the SUPI, and the home AUSF network element sends the SUPI to the home UDM network element, so that the home UDM network element generates an authentication vector from the SUPI.
Optionally, for the replacement of step 405 above, if the home UDM network element also supports decryption, the home AUSF network element may leave the SUCI undecrypted and send the SUCI to the home UDM network element.
As an alternative to steps 401 to 406 above, after decrypting the SUCI the first AUSF network element may directly send a redirect message to the AMF network element; accordingly, steps 403 to 404 above may be replaced as follows:
Step 403 above may be replaced by the following step: the first AUSF network element, based on the SUPI, sends the SUPI to the AMF network element.
Optionally, the first AUSF network element sends a fourth message to the AMF network element, where the fourth message contains the SUPI. As an example, the fourth message is a redirect message.
Step 404 above may be replaced by the following step: the AMF network element receives the SUPI from the first AUSF network element and sends the SUPI to the home AUSF network element, where the SUPI is used by the home AUSF network element for authentication.
Optionally, the AMF network element receives a fourth message from the first AUSF network element and, based on the fourth message, sends a first message to the home AUSF network element, where the first message is used to request authentication from the home AUSF network element and contains the SUPI.
The following describes, with reference to the drawings, how the AMF network element addresses the AUSF network element in the different scenarios of this application.
Based on the non-roaming network architecture of the 5G system shown in FIG. 1(a), a communication method provided by this application deploys the private key on the NRF network element so that the AMF network element can address the AUSF network element using the encrypted SUCI.
As shown in FIG. 6, the method mainly includes the following steps:
Step 501: the AMF network element sends a SUCI to the NRF network element, where the SUCI is used by the NRF network element to discover an AUSF network element and includes ciphertext generated from a public key.
In step 501, the ciphertext included in the SUCI may be the MSIN ciphertext, meaning that both the subscriber home region information H1H2H3H4 and the remaining number segment X1X2X3X4X5X6 of the MSIN are entirely encrypted. For the details of the SUCI, see step 101 above; they are not repeated here.
When sending the SUCI to the NRF network element, the AMF network element may send any message used to request discovery of an AUSF network element from the NRF network element, the message containing the SUCI.
Optionally, the AMF network element sends a second message to the NRF network element, where the second message is used to request discovery of an AUSF network element from the NRF network element and contains the SUCI.
As an example, the AMF network element sends a network function discovery request to the NRF network element, the network function discovery request containing the SUCI.
Step 502: the NRF network element receives the SUCI from the AMF network element and decrypts the SUCI with its local private key to obtain the decrypted information of the SUCI; the NRF network element, based on the decrypted information of the SUCI, sends the second addressing information to the AMF network element, where the second addressing information is AUSF network element addressing information obtained from the decrypted information of the SUCI.
For the details of decrypting the SUCI with the local private key, see step 103 of the preceding embodiment; they are not repeated here.
Optionally, the NRF network element sending, based on the decrypted information of the SUCI, the second addressing information to the AMF network element includes: the NRF network element obtains the second addressing information from the decrypted information of the SUCI and sends the second addressing information to the AMF network element.
The decrypted information of the SUCI can also be configured flexibly.
As one example, the decrypted information of the SUCI includes the SUPI, which is obtained from the plaintext MCC, MNC and MSIN. As another example, the decrypted information of the SUCI includes the subscriber home region information, that is, the H1H2H3H4 segment of the MSIN.
The second addressing information may have many configurations.
As an optional example, the second addressing information includes one or more AUSF network element addresses associated with the subscriber home region information. The AUSF network element address may be any form of address information used to address the AUSF network element; for example, it may be the IP address of the AUSF network element, endpoint information of the AUSF network element (such as URLs), or the fully qualified domain name (FQDN) of the AUSF network element.
As another optional example, the second addressing information includes, in addition to one or more AUSF network element addresses associated with the subscriber home region information, the SUPI.
As another optional example, the second addressing information includes, in addition to one or more AUSF network element addresses associated with the subscriber home region information, the subscriber home region information itself.
Step 503: the AMF network element receives the second addressing information from the NRF network element and, based on the second addressing information, sends the SUCI to the home AUSF network element associated with the second addressing information, where the SUCI is used by the home AUSF network element for authentication.
The AMF network element sending, based on the second addressing information, the SUCI to the home AUSF network element associated with the second addressing information includes: the AMF network element determines the home AUSF network element from the second addressing information and then sends the SUCI to the home AUSF network element.
When sending the SUCI to the home AUSF network element, the AMF network element may send to the home AUSF network element any message that can be used to request authentication from the home AUSF network element, the message containing the SUCI.
The AMF network element, based on the second addressing information, sends a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element and contains the SUCI.
As an example, the AMF network element sends an authentication request to the home AUSF network element, the authentication request containing the SUCI.
Optionally, in step 503, after obtaining the second addressing information, the AMF network element may store the association between the subscriber home region information and the AUSF network element addresses in the second addressing information, so that on the next addressing it can address the home AUSF network element directly from that association, reducing the number of interactions between the AMF network element and the NRF network element and saving signalling overhead.
Optionally, if the second addressing information also includes validity period information for the subscriber home region information, the AMF network element may store the association among the subscriber home region information, the AUSF network element addresses and the validity period information of the subscriber home region information in the second addressing information.
Optionally, when the AMF network element determines, from the second addressing information, the home AUSF network element associated with the second addressing information, and the second addressing information includes multiple AUSF network element addresses associated with the subscriber home region information, the AMF network element may, according to local policy, poll the multiple AUSF network element addresses in the second addressing information in turn until the home AUSF network element is reached, prefer a high-priority AUSF network element address according to priority information for the multiple AUSF network element addresses in the second addressing information, or pick an AUSF network element address at random.
Alternatively, step 503 above may be replaced by: the AMF network element sends the decrypted information of the SUCI to the home AUSF network element, where the decrypted information of the SUCI is used by the home AUSF network element for authentication.
Optionally, the AMF network element, based on the second addressing information, sends a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element and contains the decrypted information of the SUCI, such as the SUPI or the subscriber home region information.
Based on the roaming network architecture of the 5G system shown in FIG. 1(b), a communication method provided by this application deploys the private key on the H-SEPP network element so that the AMF network element can address the AUSF network element using the encrypted SUCI. As shown in FIG. 7, the method mainly includes the following steps:
Step 601: the V-AMF network element sends a SUCI to the H-SEPP network element, where the SUCI is used by the H-NRF network element for authentication and includes ciphertext generated from a public key.
In step 601, the ciphertext included in the SUCI may be the MSIN ciphertext, meaning that both the subscriber home region information H1H2H3H4 and the remaining number segment X1X2X3X4X5X6 of the MSIN are entirely encrypted. For the details of the SUCI, see step 101 above; they are not repeated here.
When sending the SUCI to the H-SEPP network element, the V-AMF network element may send to the H-SEPP network element any message that can be used to request authentication from the H-NRF network element, the message containing the SUCI.
Optionally, the V-AMF network element sends a second message to the H-SEPP network element, where the second message is used to request discovery of an AUSF network element from the home NRF network element and contains a subscription concealed identifier SUCI.
As an example, the V-AMF network element sends an authentication request to the H-SEPP network element, the authentication request containing the SUCI.
As an optional example, the V-AMF network element may send the authentication request to the H-SEPP network element via the V-NRF network element and the V-SEPP network element, the authentication request containing the SUCI.
Step 602: the H-SEPP network element receives the SUCI from the V-AMF network element and decrypts the SUCI with its local private key to obtain the decrypted information of the SUCI; the H-SEPP network element sends the decrypted information of the SUCI to the H-NRF network element, where the decrypted information of the SUCI can be used by the H-NRF network element to discover an AUSF network element.
Optionally, the H-SEPP network element receives a second message from the V-AMF network element, where the second message is used to request discovery of an AUSF network element from the home NRF network element and contains a subscription concealed identifier SUCI.
The decrypted information of the SUCI can be configured flexibly. As one example, the decrypted information of the SUCI includes the SUPI, which is obtained from the plaintext MCC, MNC and MSIN. As another example, the decrypted information of the SUCI includes the subscriber home region information, that is, the H1H2H3H4 segment of the MSIN.
When sending the decrypted information of the SUCI to the H-NRF network element, the H-SEPP network element may send to the H-NRF network element any message that can be used to request discovery of an AUSF network element from the H-NRF network element, the message containing the decrypted information of the SUCI.
Optionally, the H-SEPP network element sends a second message to the H-NRF network element, where the second message is used to request discovery of an AUSF network element from the H-NRF network element and contains the decrypted information of the SUCI.
As an example, the H-SEPP network element sends a network function discovery request to the H-NRF network element, the network function discovery request containing the decrypted information of the SUCI.
Step 603: the H-NRF network element receives the decrypted information of the SUCI sent by the H-SEPP network element; the H-NRF network element, based on the decrypted information of the SUCI, sends second addressing information to the V-AMF network element, where the second addressing information is AUSF network element addressing information that the H-NRF network element obtained from the decrypted information of the SUCI.
Optionally, the H-NRF network element receives a second message from the H-SEPP network element, where the second message is used to request discovery of an AUSF network element from the H-NRF network element and contains the decrypted information of the SUCI.
The second addressing information may take many forms.
As an optional example, the second addressing information includes one or more AUSF network element addresses associated with the subscriber home region information. The AUSF network element address may be any form of address information used to address the AUSF network element; for example, it may be the IP address of the AUSF network element, endpoint information of the AUSF network element (such as URLs), or the fully qualified domain name (FQDN) of the AUSF network element.
As another optional example, the second addressing information includes, in addition to one or more AUSF network element addresses associated with the subscriber home region information, the SUPI.
As another optional example, the second addressing information includes, in addition to one or more AUSF network element addresses associated with the subscriber home region information, the subscriber home region information itself.
The H-NRF network element may send the second addressing information to the V-AMF network element via the H-SEPP network element and the V-SEPP network element.
Step 604: the V-AMF network element receives the second addressing information from the H-NRF network element, and the V-AMF network element sends the SUCI to the home AUSF network element associated with the second addressing information, where the SUCI is used by the home AUSF network element for authentication.
The V-AMF network element sending the SUCI to the home AUSF network element associated with the second addressing information includes: the V-AMF network element determines the home AUSF network element from the second addressing information and then sends the SUCI to the home AUSF network element.
When sending the SUCI to the home AUSF network element, the AMF network element may send to the home AUSF network element any message that can be used to request authentication from the home AUSF network element, the message containing the SUCI.
Optionally, the AMF network element, based on the second addressing information, sends a first message to the home AUSF network element associated with the second addressing information, where the first message is used to request authentication from the home AUSF network element and contains the SUCI.
As an example, the AMF network element sends an authentication request to the home AUSF network element, the authentication request containing the SUCI.
As an optional example, the V-AMF network element may send the authentication request to the home AUSF network element via the V-NRF network element, the V-SEPP network element and the H-SEPP network element, the authentication request containing the SUCI.
Alternatively, step 604 above may be replaced by: the AMF network element sends the decrypted information of the SUCI to the home AUSF network element, where the decrypted information of the SUCI is used by the home AUSF network element for authentication.
Based on the non-roaming network architecture of the 5G system shown in FIG. 1(b), a communication method provided by this application deploys the private key on the H-NRF network element so that the AMF network element can address the AUSF network element using the encrypted SUCI.
Specifically, this application provides an alternative implementation of steps 601 to 606 above, in which steps 602 and 603 above may be replaced as follows:
Step 602 above may be replaced by: the H-SEPP network element receives the SUCI from the AMF network element of the serving network and sends the SUCI to the H-NRF network element, where the SUCI is used by the H-NRF network element to discover an AUSF network element.
When sending the SUCI to the H-NRF network element, the H-SEPP network element may send to the H-NRF network element any message that can be used to request discovery of an AUSF network element from the H-NRF network element, the message containing the SUCI.
Optionally, the H-SEPP network element sends a second message to the H-NRF network element, where the second message is used to request discovery of an AUSF network element from the home NRF network element and contains the SUCI.
As an example, the H-SEPP network element sends a network function discovery request to the H-NRF network element, the network function discovery request containing the SUCI.
Step 603 above may be replaced by: the H-NRF network element receives the SUCI from the H-SEPP network element, decrypts the SUCI with its local private key to obtain the decrypted information of the SUCI, and, based on the decrypted information of the SUCI, sends second addressing information to the V-AMF network element, where the second addressing information is AUSF network element addressing information that the H-NRF network element obtained from the decrypted information of the SUCI.
在其他可替换的实现方式中,终端可以根据不同的应用场景,对SUPI进行灵活加密。
比如,终端根据本地公钥对用户永久标识SUPI的进行加密,得到第一SUCI,所述第一SUCI包括MSIN,所述MSIN中的用户归属区域信息为明文,所述MSIN的其余信息为密文。
比如,终端根据本地公钥对用户永久标识SUPI的进行加密,得到第二SUCI,所述第二SUCI包括MSIN,所述MSIN全部为密文。
可选的,所述终端根据当前位置信息,确定服务网络为归属网络时,根据本地公钥对所述SUPI进行加密,得到所述第一SUCI。
可选的,所述终端根据当前位置信息,确定服务网络为漫游网络时,根据本地公钥对所述SUPI进行加密,得到所述第二SUCI。
针对非漫游场景,本申请提供一种通信方法,用以实现在终端将SUPI加密成第一SUCI之后,AMF网元根据第一SUCI寻址归属AUSF网元,以及AUSF网元根据第一SUCI寻址归属UDM网元。如图8所示,具体包括以下步骤:
步骤701,终端根据本地公钥对用户永久标识SUPI的进行加密,得到第一SUCI,所述第一SUCI包括MSIN,所述MSIN中的用户归属区域信息为明文,所述MSIN的其余信息为密文。
其中,SUPI包括MCC、MNC和MSIN,其中MSIN包括用户归属区域信息H1H2H3H4和剩余号段X1X2X3X4X5X6。终端根据本地公钥对SUPI的进行加密,得到第一SUCI,是指对剩余号段X1X2X3X4X5X6进行加密,而对MCC、MNC和MSIN包括的用户归属区域信息H1H2H3H4不加密,最终得到的第一SUCI包括明文的MCC、MNC和用户归属区域信息,以及密文的剩余号段X1X2X3X4X5X6。
作为一种可选示例,当所述终端根据当前位置信息,确定服务网络为归属网络时,根据本地公钥对SUPI进行加密得到所述第一SUCI。
Step 702: the terminal sends the first SUCI to the AMF network element, the first SUCI being used by the AMF network element to register the terminal.
When the terminal sends the first SUCI to the AMF network element, it may send any message used to request registration from the AMF network element, the message containing the first SUCI.
Optionally, the terminal sends a fifth message to the AMF network element, the fifth message being used to request registration from the AMF network element, and the fifth message containing the first SUCI.
As an example, the terminal sends a registration request to the AMF network element, the registration request containing the first SUCI; the registration request may be the one the terminal sends when it first registers with the serving network.
Step 703: the AMF network element receives the first SUCI from the terminal and sends the first SUCI to the home AUSF network element, the first SUCI being used by the AUSF for authentication.
Optionally, before the AMF network element sends the first SUCI to the home AUSF network element, the AMF network element determines the home AUSF network element based on the first SUCI.
When the AMF network element sends the first SUCI to the home AUSF network element, it may send any message used to request authentication from the AUSF, the message containing the first SUCI.
Optionally, the AMF network element receives a fifth message from the terminal, the fifth message being used to request registration from the AMF network element, and the fifth message containing the first SUCI.
As an example, the AMF network element sends an authentication request to the home AUSF network element, the authentication request containing the first SUCI; the authentication request may be the one the AMF network element sends when it triggers the authentication procedure.
Here, the AMF network element determines the home AUSF network element from the plaintext subscriber home region information in the first SUCI.
Step 704: the AUSF network element receives the first SUCI from the AMF network element and, based on the first SUCI, sends the first SUCI to the home UDM network element associated with the first SUCI, the first SUCI being used by the home UDM network element to generate an authentication vector, so that the home UDM network element generates the authentication vector based on the first SUCI.
When the AUSF network element sends the first SUCI to the home UDM network element, it may send any message used to request an authentication vector from the home UDM network element, the message containing the first SUCI.
Optionally, the AUSF network element sends a third message to the home UDM network element, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the first SUCI.
As an example, the AUSF network element sends an authentication vector acquisition request to the home UDM network element, the authentication vector acquisition request containing the first SUCI.
Step 705: the AUSF network element receives the authentication vector from the home UDM network element, the authentication vector having been generated by the home UDM network element based on the first SUCI.
For the scenario in which the terminal encrypts the SUPI into the second SUCI, the way in which the AUSF network element addresses the home UDM network element based on the first SUCI may follow the embodiments corresponding to FIG. 2 to FIG. 5; specifically, the implementation corresponding to steps 101 to 106 of the embodiments above, or the alternative to steps 101 to 106, may be used; or the implementation corresponding to steps 201 to 205, or the alternative to steps 201 to 205; or the implementation corresponding to steps 301 to 304, or the alternative to steps 301 to 104; or the implementation corresponding to steps 401 to 406, or the alternative to steps 401 to 406. The details are not repeated here.
For the scenario in which the terminal encrypts the SUPI into the second SUCI, the specific way in which the AMF network element addresses the home AUSF network element based on the first SUCI may follow the embodiments corresponding to FIG. 6 to FIG. 7; specifically, the implementation corresponding to steps 501 to 503 of the embodiments above, or the alternative to steps 501 to 503, may be used; or the implementation corresponding to steps 601 to 604, or the alternative to steps 601 to 604. The details are not repeated here.
This application also provides another communication method by which, after the terminal has encrypted the SUPI into the second SUCI, the AUSF network element addresses the home UDM network element based on the first SUCI and the AMF network element addresses the home AUSF network element based on the first SUCI; it is applicable to the non-roaming scenario and also to the roaming scenario. As shown in FIG. 9, it includes the following steps:
The terminal encrypts the SUPI into the second SUCI; the following describes, with reference to the drawings, how the AMF network element addresses the home AUSF network element and how the AUSF network element addresses the home UDM network element in this scenario. As shown in FIG. 9, the method includes the following steps:
Step 801: the terminal encrypts the subscription permanent identifier SUPI with its local public key to obtain a second SUCI; the second SUCI includes the MSIN, all of which is ciphertext.
Here, the SUPI includes the MCC, MNC and MSIN, and the MSIN includes the subscriber home region information H1H2H3H4 and the remaining number segment X1X2X3X4X5X6. The terminal encrypting the SUPI with its local public key to obtain the second SUCI means that both the subscriber home region information H1H2H3H4 and the remaining number segment X1X2X3X4X5X6 of the MSIN are encrypted; the resulting second SUCI includes the plaintext MCC and MNC together with the ciphertext MSIN.
As an optional example, when the terminal determines from its current location information that the serving network is a roaming network, it encrypts the SUPI with its local public key to obtain the second SUCI.
Step 802: the terminal sends the second SUCI and the subscriber home region information to the AMF network element, the second SUCI and the subscriber home region information being used to register the terminal with the AMF network element.
When the terminal sends the second SUCI and the subscriber home region information to the AMF network element, it may send any message used to request registration from the AMF network element, the message containing the second SUCI and the subscriber home region information.
Optionally, the terminal sends a fifth message to the AMF network element, the fifth message being used to request registration from the AMF network element, and the fifth message containing the second SUCI and the subscriber home region information.
As an example, the terminal sends a registration request to the AMF network element, the registration request containing the second SUCI and the subscriber home region information; the registration request may be the one the terminal sends when it first registers with the serving network.
Step 803: the AMF network element receives the second SUCI and the subscriber home region information from the terminal, and sends the subscriber home region information and the second SUCI to the home AUSF network element associated with the subscriber home region information, the subscriber home region information and the second SUCI being used by the AUSF for authentication.
Optionally, before the AMF network element sends the subscriber home region information and the second SUCI to the home AUSF network element associated with the subscriber home region information, the AMF network element determines, from the subscriber home region information, the home AUSF network element associated with it.
When the AMF network element sends the subscriber home region information and the second SUCI to the home AUSF network element, it may send any message used to request authentication from the AUSF, the message containing the subscriber home region information and the second SUCI.
Optionally, based on the subscriber home region information, the AMF network element sends a first message to the home AUSF network element associated with the subscriber home region information, the first message being used to request authentication from the home AUSF network element, and the first message containing the subscriber home region information and the second SUCI.
As an example, the AMF network element sends an authentication request to the home AUSF network element, the authentication request containing the subscriber home region information and the second SUCI; the authentication request may be the one the AMF network element sends when it triggers the authentication procedure.
Step 804: the AUSF network element receives the second SUCI and the subscriber home region information from the AMF network element and, based on the subscriber home region information, sends the second SUCI and the subscriber home region information to the home UDM network element, the second SUCI and the subscriber home region information being used by the home UDM network element to obtain an authentication vector.
Optionally, the AUSF network element receives a first message from the AMF network element, the first message being used to request authentication from the AUSF network element, and the first message containing the second SUCI and the subscriber home region information. As an example, the first message is an authentication vector.
When the AUSF network element sends the second SUCI and the subscriber home region information to the home UDM network element, it may send any message used to request an authentication vector from the home UDM network element, the message containing the second SUCI and the subscriber home region information.
Optionally, the AUSF network element sends a third message to the home UDM network element, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the second SUCI and the subscriber home region information.
As an example, the AUSF network element sends an authentication vector acquisition request to the home UDM network element, the authentication vector acquisition request containing the second SUCI and the subscriber home region information.
Step 805: the home UDM network element generates an authentication vector based on the second SUCI and the subscriber home region information and sends the authentication vector to the AUSF network element.
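The following is an added worked example, not code from the patent or from any implementation it describes: it builds the first SUCI (home-region segment of the MSIN in clear, steps 701-703) and the second SUCI (whole MSIN encrypted, steps 801-805), decrypts them on the home side, and resolves the home AUSF from the home-region segment the way the H-NRF lookup of steps 601-604 does, including a home-side consistency check on the region sent beside a second SUCI. Assumptions: a 4-digit H1H2H3H4 plus 6-digit X1..X6 MSIN layout, a constructed region-to-AUSF directory with placeholder FQDNs, and a keyed digit-shift standing in for the public-key scheme the text leaves unspecified, with one secret playing both the "local public key" and the "local private key".

```python
# Added example (not the patent's code): the two SUCI layouts described in the text
# and the home-region routing built on them.  The cipher is a labelled stand-in.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed digit layout from the text: SUPI = MCC + MNC + MSIN,
# MSIN = home-region segment H1H2H3H4 + remaining segment X1X2X3X4X5X6.
MCC_LEN, MNC_LEN, REGION_LEN, REST_LEN = 3, 2, 4, 6
SUPI_LEN = MCC_LEN + MNC_LEN + REGION_LEN + REST_LEN


@dataclass(frozen=True)
class SUCI:
    mcc: str
    mnc: str
    region_plain: str  # H1H2H3H4 in clear (first SUCI) or "" (second SUCI)
    msin_cipher: str   # encrypted X1..X6 (first SUCI) or encrypted whole MSIN (second SUCI)


def split_supi(supi: str):
    """Return (mcc, mnc, home_region, rest) for a SUPI in the assumed layout."""
    if not (supi.isdigit() and len(supi) == SUPI_LEN):
        raise ValueError("SUPI must be %d digits" % SUPI_LEN)
    mcc, mnc = supi[:MCC_LEN], supi[MCC_LEN:MCC_LEN + MNC_LEN]
    msin = supi[MCC_LEN + MNC_LEN:]
    return mcc, mnc, msin[:REGION_LEN], msin[REGION_LEN:]


def _shift_digits(digits: str, key: bytes, direction: int) -> str:
    # Stand-in cipher: per-digit modular shift by a SHA-256 keystream.  It keeps the
    # output numeric so the message layout stays visible; it is NOT the public-key
    # protection a real SUCI uses and gives no real confidentiality.
    stream = hashlib.sha256(key + b"suci-layout-demo").digest()
    return "".join(str((int(d) + direction * k) % 10) for d, k in zip(digits, stream))


def build_suci(supi: str, pub_key: bytes, serving_is_home: bool) -> SUCI:
    """Terminal side (steps 701 / 801): first SUCI at home, second SUCI when roaming."""
    mcc, mnc, region, rest = split_supi(supi)
    if serving_is_home:
        return SUCI(mcc, mnc, region, _shift_digits(rest, pub_key, +1))
    return SUCI(mcc, mnc, "", _shift_digits(region + rest, pub_key, +1))


def decrypt_suci(suci: SUCI, priv_key: bytes) -> str:
    """Home-side element holding the private key (H-SEPP, H-NRF or UDM) recovers the SUPI."""
    return suci.mcc + suci.mnc + suci.region_plain + _shift_digits(suci.msin_cipher, priv_key, -1)


def home_region_of(suci: SUCI, priv_key: Optional[bytes] = None) -> str:
    """The routing key: read in clear from a first SUCI, decrypted from a second SUCI."""
    if suci.region_plain:
        return suci.region_plain
    if priv_key is None:
        raise ValueError("second SUCI: the home region is ciphertext; a private key is needed")
    return split_supi(decrypt_suci(suci, priv_key))[2]


# Constructed directory standing in for the NRF's registrations: home region -> AUSF FQDNs.
AUSF_BY_REGION: Dict[str, List[str]] = {
    "0001": ["ausf1.region0001.example.invalid", "ausf2.region0001.example.invalid"],
    "0002": ["ausf1.region0002.example.invalid"],
}


def _ausf_for(region: str) -> List[str]:
    addrs = AUSF_BY_REGION.get(region)
    if not addrs:
        raise LookupError("no AUSF registered for home region " + region)
    return list(addrs)


def nrf_discover_ausf(suci: SUCI, priv_key: bytes) -> dict:
    """H-NRF holding the private key (alternative to steps 602-603): decrypt, then return
    the 'second addressing information' as AUSF addresses plus the matching home region."""
    region = home_region_of(suci, priv_key)
    return {"region": region, "ausf": _ausf_for(region)}


def verify_region_claim(suci: SUCI, claimed_region: str, priv_key: bytes) -> bool:
    """Home-side check for steps 802-805: the region the terminal sent beside a second
    SUCI must equal the region inside the ciphertext, otherwise the request was altered."""
    return home_region_of(suci, priv_key) == claimed_region


def amf_select_ausf(suci: SUCI, region_info: Optional[str] = None,
                    nrf_priv_key: Optional[bytes] = None) -> str:
    """Serving-side AMF.  First SUCI: route on the plaintext region (step 703).  Second
    SUCI: use the region sent beside it (step 803) or ask the home NRF (steps 601-604)."""
    if suci.region_plain:
        return _ausf_for(suci.region_plain)[0]
    if region_info is not None:
        return _ausf_for(region_info)[0]
    if nrf_priv_key is not None:
        return nrf_discover_ausf(suci, nrf_priv_key)["ausf"][0]
    raise ValueError("second SUCI without region info: the AMF cannot pick an AUSF")


if __name__ == "__main__":
    KEY = b"demo-home-network-key"  # one shared secret plays both local public and private key
    SUPI = "460" + "01" + "0001" + "123456"  # constructed: MCC 460, MNC 01, region 0001
    first, second = build_suci(SUPI, KEY, True), build_suci(SUPI, KEY, False)
    print(first, "->", amf_select_ausf(first))
    print(second, "->", amf_select_ausf(second, region_info="0001"))
```

With the first SUCI the serving AMF can route on the clear region segment alone; with the second SUCI it depends on the region the terminal attaches or on a home-side element that holds the private key, and the home side can reject a request whose attached region does not match the decrypted one.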
The solutions provided in this application have been described above mainly from the perspective of the interaction between the network elements. It will be understood that, in order to implement the functions above, each network element includes the corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered to be beyond the scope of the present invention.
In a first possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AUSF network element of the first aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, the first message being used to request authentication from the AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a sending unit, configured to send a second message to an NRF network element, the second message being used to request the NRF network element to discover a UDM network element, and the second message containing the SUCI;
the receiving unit being further configured to receive first addressing information from the NRF network element, the first addressing information being UDM network element addressing information that the NRF network element obtains by decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI and then using the decrypted information of the SUCI;
a processing unit, configured to send, through the sending unit and based on the first addressing information, a third message to the home UDM network element associated with the first addressing information, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the SUCI.
In the first possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the NRF network element of the first aspect, including:
a receiving unit, configured to receive a second message from an AUSF network element, the second message being used to request the NRF network element to discover a UDM network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI;
the processing unit being further configured to send, through the sending unit and based on the decrypted information of the SUCI, the first addressing information to the AUSF network element, the first addressing information being UDM network element addressing information that the NRF network element obtains from the decrypted information of the SUCI.
The decrypted information of the SUCI includes the SUPI or the subscriber home region information.
The first addressing information includes one or more UDM network element addresses associated with the subscriber home region information; or,
the first addressing information includes the UDM network element address and the SUPI; or,
the first addressing information includes the UDM network element address and the subscriber home region information.
The ciphertext generated with the public key is specifically ciphertext obtained by encrypting the MSIN of the SUPI with the public key, where the MSIN includes the subscriber home region information.
In a second possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AUSF network element of the second aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, the first message being used to request authentication from the AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a sending unit, configured to send a third message to a first UDM network element, the third message being used to request an authentication vector from the first UDM network element, and the third message containing the SUCI;
the receiving unit being further configured to receive a fourth message from the first UDM network element, the fourth message containing the decrypted information of the SUCI or the addressing information of the home UDM network element;
a processing unit, configured to send, through the sending unit and based on the fourth message, a third message to the home UDM network element, the home UDM network element being the UDM network element associated with the addressing information of the home UDM network element or with the decrypted information of the SUCI, and the third message being used to request an authentication vector from the home UDM network element;
the receiving unit being further configured to receive the authentication vector from the home UDM network element.
In the second possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the first UDM network element of the second aspect, including:
a receiving unit, configured to receive a third message from an AUSF network element, the third message being used to request an authentication vector from the first UDM network element, the third message containing a SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI, and, when the first UDM network element determines from the decrypted information of the SUCI that the home UDM network element is not the first UDM network element, to send a fourth message to the AUSF network element through the sending unit, the fourth message containing the decrypted information of the SUCI or the addressing information of the home UDM network element, the addressing information of the home UDM network element being obtained by the first UDM network element from the decrypted information of the SUCI.
The decrypted information of the SUCI includes the SUPI or the subscriber home region information.
The ciphertext generated with the public key is specifically ciphertext obtained by encrypting the MSIN of the SUPI with the public key, where the MSIN includes the subscriber home region information.
In the second possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the first UDM network element of the second aspect, including:
a receiving unit, configured to receive a third message from an AUSF network element, the third message being used to request an authentication vector from the first UDM network element, the third message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI, and, based on the decrypted information of the SUCI, to send a fourth message to the AUSF network element through the sending unit, the fourth message containing the decrypted information of the SUCI or the addressing information of the home UDM network element, the addressing information of the home UDM network element being obtained by the first UDM network element from the decrypted information of the SUCI.
The decrypted information of the SUCI includes the SUPI or the subscriber home region information.
The ciphertext generated with the public key is specifically ciphertext obtained by encrypting the MSIN of the SUPI with the public key, where the MSIN includes the subscriber home region information.
In a third possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AUSF network element of the second aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, the first message being used to request authentication from the AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a sending unit, configured to send a third message to a first UDM network element, the third message being used to request an authentication vector from the first UDM network element, and the third message containing the SUCI;
the receiving unit being further configured for the AUSF network element to receive an authentication vector; where the authentication vector is sent by the first UDM network element to the AUSF network element when the first UDM network element decrypts the SUCI with its local private key and determines that the home UDM network element is the first UDM network element; or the authentication vector is sent by the first UDM network element to the AUSF network element after the first UDM network element decrypts the SUCI with its local private key, determines that the home UDM network element is a second UDM network element, and obtains the authentication vector from the second UDM network element; or the authentication vector is sent by the second UDM network element to the AUSF network element after the first UDM network element determines that the home UDM network element is the second UDM network element and sends a third message to the second UDM network element, the third message being used to request an authentication vector from the second UDM network element and containing the SUPI, so that the second UDM network element generates the authentication vector based on the SUPI.
In the third possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the first UDM network element of the second aspect, including:
a receiving unit, configured to receive a third message from an AUSF network element, the third message being used to request an authentication vector from the first UDM network element, the third message containing a SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the SUPI; to determine the home UDM network element based on the SUPI; when the home UDM network element is the first UDM network element, to send an authentication vector to the AUSF network element through the sending unit; or, when the home UDM network element is a second UDM network element, the first UDM network element obtains the authentication vector from the second UDM network element and sends it to the AUSF network element through the sending unit; or, when the home UDM network element is the second UDM network element, to send a third message to the second UDM network element through the sending unit, the third message being used to request an authentication vector from the second UDM network element and containing the SUPI, so that the second UDM network element generates the authentication vector based on the SUPI.
In a fourth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AUSF network element of the third aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, the first message being used to request authentication from the AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the SUPI;
a sending unit, configured to send a third message to the home UDM network element associated with the SUPI, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the SUPI;
the receiving unit being further configured to receive the authentication vector from the home UDM network element, the authentication vector having been generated by the home UDM network element based on the SUPI.
The decrypted information of the SUCI includes the SUPI or the subscriber home region information.
The ciphertext generated with the public key is specifically ciphertext obtained by encrypting the MSIN of the SUPI with the public key, where the MSIN includes the subscriber home region information.
In a fifth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the first AUSF network element of the third aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, the first message being used to request authentication from the first AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the SUPI;
a sending unit, configured to send a first message to the home AUSF network element associated with the SUPI, the first message being used to request authentication from the home AUSF network element, and the first message containing the SUPI;
the receiving unit being further configured to receive the authentication vector from the home AUSF network element, the authentication vector having been obtained by the home AUSF network element from the home UDM network element based on the SUPI.
In a sixth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the first AUSF network element of the third aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, the first message being used to request authentication from the first AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the SUPI, and, based on the SUPI, to send a fourth message to the AMF network element through the sending unit, the fourth message containing the SUPI or the addressing information of the home AUSF network element, the addressing information of the home AUSF network element being obtained by the first AUSF network element from the decrypted information produced by decrypting the SUCI with its local private key.
The decrypted information of the SUCI includes the SUPI or the subscriber home region information.
The ciphertext generated with the public key is specifically ciphertext obtained by encrypting the MSIN of the SUPI with the public key, where the MSIN includes the subscriber home region information.
In a seventh possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the first AUSF network element of the third aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, the first message being used to request authentication from the first AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the SUPI;
a sending unit, configured to send a fourth message to the AMF network element, the fourth message containing the SUPI.
The decrypted information of the SUCI includes the SUPI or the subscriber home region information.
The ciphertext generated with the public key is specifically ciphertext obtained by encrypting the MSIN of the SUPI with the public key, where the MSIN includes the subscriber home region information.
In the seventh possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AMF network element of the third aspect, including:
a sending unit, configured to send a first message to a first AUSF network element, the first message being used to request authentication from the first AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a receiving unit, configured to receive a fourth message from the first AUSF network element, the fourth message containing the SUPI or the addressing information of the home AUSF network element, the SUPI or the addressing information of the home AUSF network element being obtained by the first AUSF network element from the decrypted information produced by decrypting the SUCI with its local private key;
a processing unit, configured to send, through the sending unit and based on the fourth message, a first message to the home AUSF network element, the home AUSF network element being the AUSF network element associated with the addressing information of the home AUSF network element or with the decrypted information of the SUCI (the SUPI), and the first message being used to request authentication from the home AUSF network element.
In the seventh possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the home AUSF network element of the third aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, the first message being used to request authentication from the home AUSF network element, the first message containing a SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the SUPI;
a sending unit, configured to send a third message to the home UDM network element, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the SUPI;
the receiving unit being further configured to receive the authentication vector from the home UDM network element, the authentication vector having been generated by the home UDM network element based on the SUPI.
The decrypted information of the SUCI includes the SUPI or the subscriber home region information.
In an eighth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AMF network element of the fourth aspect, including:
a sending unit, configured to send a second message to an NRF network element, the second message being used to request the NRF network element to discover an AUSF network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a receiving unit, configured to receive first addressing information from the NRF network element, the second addressing information being AUSF network element addressing information that the NRF network element obtains by decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI and then using the decrypted information of the SUCI;
a processing unit, configured to send, through the sending unit and based on the second addressing information, a first message to the home AUSF network element associated with the second addressing information, the first message being used to request authentication from the home AUSF network element, and the first message containing the SUCI or the decrypted information of the SUCI.
In the possible designs above, the decrypted information of the SUCI includes the SUPI or the subscriber home region information.
In the possible designs above, the second addressing information includes one or more AUSF network element addresses associated with the subscriber home region information; or the second addressing information includes the AUSF network element address and the SUPI; or the second addressing information includes the AUSF network element address and the subscriber home region information.
In the possible designs above, the ciphertext generated with the public key is specifically ciphertext obtained by encrypting the MSIN of the SUPI with the public key, where the MSIN includes the subscriber home region information.
In the eighth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the NRF network element of the fourth aspect, including:
a receiving unit, configured to receive a second message from an AMF network element, the second message being used to request the NRF network element to discover an AUSF network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI;
the processing unit being further configured to send, based on the decrypted information of the SUCI, the second addressing information to the AMF network element, the second addressing information being AUSF network element addressing information that the NRF network element obtains from the decrypted information of the SUCI.
In a ninth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AMF network element of the serving network of the fifth aspect, including:
a sending unit, configured to send a second message, the second message being used to request the home NRF network element to discover an AUSF network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a receiving unit, configured to receive second addressing information from the home NRF network element, the second addressing information being AUSF network element addressing information that the home NRF network element obtains by decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI and then using the decrypted information of the SUCI; or the second addressing information being AUSF network element addressing information that the home NRF network element obtains from the decrypted information of the SUCI after acquiring the decrypted information of the SUCI from the home SEPP network element;
a processing unit, configured to send, based on the second addressing information, a first message to the home AUSF network element associated with the second addressing information, the first message being used to request authentication from the home AUSF network element, and the first message containing the SUCI or the decrypted information of the SUCI.
In a tenth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the home SEPP network element of the fifth aspect, including:
a receiving unit, configured to receive a second message from the AMF network element of the serving network, the second message being used to request the home NRF network element to discover an AUSF network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI;
a sending unit, configured to send a second message to the home NRF network element, the second message being used to request the home NRF network element to discover an AUSF network element, and the second message containing the decrypted information of the SUCI.
In the tenth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the home NRF network element of the fifth aspect, including:
a receiving unit, configured to receive a second message from the home SEPP network element, the second message being used to request the home NRF network element to discover an AUSF network element, and the second message containing the decrypted information of the SUCI;
a processing unit, configured to send second addressing information to the AMF network element based on the decrypted information of the SUCI, the second addressing information being AUSF network element addressing information that the home NRF network element obtains from the decrypted information of the SUCI.
In an eleventh possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the home NRF network element of the fifth aspect, including:
a receiving unit, configured to receive a second message from the home SEPP network element, the second message being used to request the home NRF network element to discover an AUSF network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI;
the processing unit being further configured to send second addressing information to the AMF network element based on the decrypted information of the SUCI, the second addressing information being AUSF network element addressing information that the home NRF network element obtains from the decrypted information of the SUCI.
In a twelfth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the terminal of the sixth aspect, including:
a processing unit, configured to encrypt the subscription permanent identifier SUPI with the local public key to obtain a first SUCI, the first SUCI including the MSIN, in which the subscriber home region information is plaintext and the remaining information of the MSIN is ciphertext;
a sending unit, configured to send a fifth message to an AMF network element, the fifth message being used to request registration from the AMF network element, and the fifth message containing the first SUCI.
In the twelfth possible design, the terminal encrypting the SUPI with the local public key to obtain the first SUCI includes:
the processing unit being configured to encrypt the SUPI with the local public key to obtain the first SUCI when it determines from the current location information that the serving network is the home network.
In the twelfth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AMF network element of the sixth aspect, including:
a receiving unit, configured to receive a fifth message from a terminal, the fifth message being used to request registration from the AMF network element, the fifth message containing a first SUCI, the first SUCI including the MSIN, in which the subscriber home region information is plaintext and the remaining information of the MSIN is ciphertext;
a processing unit, configured to send, based on the first SUCI, a first message to the home AUSF network element associated with the first SUCI, the first message being used to request authentication from the home AUSF network element, and the first message containing the first SUCI.
In the twelfth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AUSF network element of the sixth aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, the first message being used to request authentication from the home AUSF network element, the first message containing a first SUCI, the first SUCI including the MSIN, in which the subscriber home region information is plaintext and the remaining information of the MSIN is ciphertext;
a sending unit, configured to send a third message to the home UDM network element, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the first SUCI;
the receiving unit being further configured to receive the authentication vector from the home UDM network element, the authentication vector having been generated by the home UDM network element based on the first SUCI.
In a thirteenth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the terminal of the seventh aspect, including:
a processing unit, configured to encrypt the subscription permanent identifier SUPI with the local public key to obtain a second SUCI, the second SUCI including the MSIN, all of which is ciphertext;
a sending unit, configured to send a fifth message to an AMF network element, the fifth message being used to request registration from the AMF network element, and the fifth message containing the second SUCI and the subscriber home region information.
In the thirteenth possible design, the terminal encrypting the subscription permanent identifier SUPI with the local public key to obtain the second SUCI includes:
the processing unit being configured to encrypt the SUPI with the local public key to obtain the second SUCI when it determines from the current location information that the serving network is a roaming network.
In the thirteenth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AMF network element of the seventh aspect, including:
a receiving unit, configured to receive a fifth message from a terminal, the fifth message being used to request registration from the AMF network element, the fifth message containing a second SUCI and subscriber home region information, the second SUCI including the MSIN, all of which is ciphertext;
a processing unit, configured to send, based on the subscriber home region information, a first message to the home AUSF network element associated with the subscriber home region information, the first message being used to request authentication from the home AUSF network element, and the first message containing the subscriber home region information and the second SUCI.
In the thirteenth possible design, an embodiment of this application provides an apparatus that can be used to perform the functions of the AUSF network element of the sixth aspect, including:
a receiving unit, configured to receive a first message from an AMF network element, the first message being used to request authentication from the AUSF network element, the first message containing a second SUCI and subscriber home region information, the second SUCI including the MSIN, all of which is ciphertext;
a sending unit, configured to send a third message to the home UDM network element, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the second SUCI and the subscriber home region information;
the receiving unit being further configured to receive the authentication vector from the home UDM network element, the authentication vector having been generated by the home UDM network element based on the second SUCI and the subscriber home region information.
Where integrated units are used, FIG. 10 shows a possible schematic block diagram of an apparatus involved in an embodiment of the present invention. The apparatus 1000 may exist in the form of software, may be an AMF network element, or may be a chip in an AMF network element. The apparatus 1000 includes a processing unit 1002 and a communication unit 1003; the communication unit 1003 may include a receiving unit and a sending unit. The processing unit 1002 is configured to control and manage the actions of the apparatus 1000. The communication unit 1003 is configured to support communication between the apparatus 1000 and other network entities (for example, a terminal or a network repository function network element). The apparatus 1000 may further include a storage unit 1001, configured to store the program code and data of the apparatus 1000.
The processing unit 1002 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on. The communication unit 1003 may be a communication interface, a transceiver, a transceiver circuit or the like; "communication interface" is a collective term and in a specific implementation may include multiple interfaces, for example the interface between the AMF network element and the terminal, the interface between the AMF network element and the network repository function network element, and/or other interfaces. The storage unit 1001 may be a memory.
The processing unit 1002 can support the apparatus 1000 in performing the actions of the AMF network element in the method examples above. The communication unit 1003 can support communication between the apparatus 1000 and the terminal; for example, the communication unit 1003 can support the apparatus 1000 in performing the processing that involves the AMF network element in the methods shown in FIG. 2 to FIG. 9 and/or other processes of the technical solutions described in this application.
When the processing unit 1002 is a processor, the communication unit 1003 is a communication interface and the storage unit 1001 is a memory, the apparatus 1000 involved in the embodiment of the present invention may be the AMF network element 1100 shown in FIG. 11.
Referring to FIG. 11, the AMF network element 1100 includes a processor 1102, a communication interface 1103 and (optionally) a memory 1101. Optionally, the AMF network element 1100 may further include a bus 1104. The communication interface 1103, the processor 1102 and the memory 1101 may be interconnected by the bus 1104; the bus 1104 may be a PCI bus, an EISA bus or the like. The bus 1104 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in FIG. 9, but this does not mean that there is only one bus or one type of bus.
Where integrated units are used, FIG. 12 shows a possible schematic block diagram of an apparatus involved in an embodiment of the present invention. The apparatus 1200 may exist in the form of software, may be an AUSF network element, or may be a chip in an AUSF network element. The apparatus 1200 includes a processing unit 1202 and a communication unit 1203; the communication unit 1203 may include a receiving unit and a sending unit. The processing unit 1202 is configured to control and manage the actions of the apparatus 1200. The communication unit 1203 is configured to support communication between the apparatus 1200 and other network entities (for example, a multimedia system entry network element). The apparatus 1200 may further include a storage unit 1201, configured to store the program code and data of the apparatus 1200.
The processing unit 1202 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on. The communication unit 1203 may be a communication interface, a transceiver, a transceiver circuit or the like; "communication interface" is a collective term and in a specific implementation may include multiple interfaces, for example the interface between the AUSF network element and the multimedia system entry network element, and/or other interfaces. The storage unit 1201 may be a memory.
The processing unit 1202 can support the apparatus 1200 in performing the actions of the AUSF network element in the method examples above. The communication unit 1203 can support communication between the apparatus 1200 and the terminal; for example, the communication unit 1203 can support the apparatus 1200 in performing the processing that involves the AUSF network element in the methods shown in FIG. 2 to FIG. 9 and/or other processes of the technical solutions described in this application.
When the processing unit 1202 is a processor, the communication unit 1203 is a communication interface and the storage unit 1201 is a memory, the apparatus 1200 involved in the embodiment of the present invention may be the AUSF network element 1300 shown in FIG. 13.
Referring to FIG. 13, the AUSF network element 1300 includes a processor 1302, a communication interface 1303 and (optionally) a memory 1301. Optionally, the AUSF network element 1300 may further include a bus 1304. The communication interface 1303, the processor 1302 and the memory 1301 may be interconnected by the bus 1304; the bus 1304 may be a PCI bus, an EISA bus or the like. The bus 1304 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in FIG. 13, but this does not mean that there is only one bus or one type of bus.
Where integrated units are used, FIG. 14 shows a possible schematic block diagram of an apparatus involved in an embodiment of the present invention. The apparatus 1400 may exist in the form of software, may be a UDM network element, or may be a chip in a UDM network element. The apparatus 1400 includes a processing unit 1402 and a communication unit 1403; the communication unit 1403 may include a receiving unit and a sending unit. The processing unit 1402 is configured to control and manage the actions of the apparatus 1400. The communication unit 1403 is configured to support communication between the apparatus 1400 and other network entities (for example, a multimedia system entry network element). The apparatus 1400 may further include a storage unit 1401, configured to store the program code and data of the apparatus 1400.
The processing unit 1402 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on. The communication unit 1403 may be a communication interface, a transceiver, a transceiver circuit or the like; "communication interface" is a collective term and in a specific implementation may include multiple interfaces, for example the interface between the UDM network element and the multimedia system entry network element, and/or other interfaces. The storage unit 1401 may be a memory.
The processing unit 1402 can support the apparatus 1400 in performing the actions of the UDM network element in the method examples above. The communication unit 1403 can support communication between the apparatus 1400 and the terminal; for example, the communication unit 1403 can support the apparatus 1400 in performing the processing that involves the UDM network element in the methods shown in FIG. 2 to FIG. 9 and/or other processes of the technical solutions described in this application.
When the processing unit 1402 is a processor, the communication unit 1403 is a communication interface and the storage unit 1401 is a memory, the apparatus 1400 involved in the embodiment of the present invention may be the UDM network element 1500 shown in FIG. 15.
Referring to FIG. 15, the UDM network element 1500 includes a processor 1502, a communication interface 1503 and (optionally) a memory 1501. Optionally, the UDM network element 1500 may further include a bus 1504. The communication interface 1503, the processor 1502 and the memory 1501 may be interconnected by the bus 1504; the bus 1504 may be a PCI bus, an EISA bus or the like. The bus 1504 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in FIG. 15, but this does not mean that there is only one bus or one type of bus.
Where integrated units are used, FIG. 16 shows a possible schematic block diagram of an apparatus involved in an embodiment of the present invention. The apparatus 1600 may exist in the form of software, may be a terminal, or may be a chip in a terminal. The apparatus 1600 includes a processing unit 1602 and a communication unit 1603. In one implementation, the communication unit 1603 includes a receiving unit and a sending unit. The processing unit 1602 is configured to control and manage the actions of the apparatus 1600. The communication unit 1603 is configured to support communication between the apparatus 1600 and other network entities (for example, a DNS or a P-CSCF). For example, the communication unit 1603 is used to support the apparatus 1600 in performing the processing that involves the terminal in the methods shown in FIG. 8 or FIG. 9 and/or other processes of the technical solutions described in this application. The apparatus 1600 may further include a storage unit 1601, configured to store the program code and data of the apparatus 1600.
The processing unit 1602 may be a processor or a controller, for example a general-purpose central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on. The communication unit 1603 may be a communication interface, a transceiver, a transceiver circuit or the like. The storage unit 1601 may be a memory.
When the processing unit 1602 is a processor, the communication unit 1603 is a transceiver and the storage unit 1601 is a memory, the apparatus 1600 involved in the embodiment of the present invention may be the terminal 1700 shown in FIG. 17.
FIG. 17 is a simplified schematic diagram of a possible design structure of the terminal involved in an embodiment of the present invention. The terminal 1700 includes a transmitter 1701, a receiver 1702 and a processor 1703. The processor 1703 may also be a controller and is shown in FIG. 17 as "controller/processor 1703". Optionally, the terminal 1700 may further include a modem processor 1705, and the modem processor 1705 may include an encoder 1706, a modulator 1707, a decoder 1708 and a demodulator 1709.
In one example, the transmitter 1701 conditions (for example, analog conversion, filtering, amplification and up-conversion) the output samples and generates an uplink signal, which is transmitted via the antenna to the DNS or P-CSCF described in the embodiments above. On the downlink, the antenna receives a downlink signal. The receiver 1702 conditions (for example, filtering, amplification, down-conversion and digitization) the signal received from the antenna and provides input samples. In the modem processor 1705, the encoder 1706 receives the traffic data and signalling messages to be sent on the uplink and processes them (for example, formatting, coding and interleaving). The modulator 1707 further processes (for example, symbol mapping and modulation) the coded traffic data and signalling messages and provides output samples. The demodulator 1709 processes (for example, demodulates) the input samples and provides symbol estimates. The decoder 1708 processes (for example, de-interleaves and decodes) the symbol estimates and provides the decoded data and signalling messages sent to the terminal 1700. The encoder 1706, modulator 1707, demodulator 1709 and decoder 1708 may be implemented by a combined modem processor 1705. These units perform processing according to the radio access technology used by the radio access network (for example, the access technologies of LTE and other evolved systems). Note that when the terminal 1700 does not include a modem processor 1705, the functions of the modem processor 1705 described above may also be performed by the processor 1703.
The processor 1703 controls and manages the actions of the terminal 1700 and is used to perform the processing carried out by the terminal 1700 in the embodiments of the present invention above. For example, the processor 1703 is further used to perform the processing that involves the terminal in the methods shown in FIG. 9 or FIG. 8 and/or other processes of the technical solutions described in this application.
Further, the terminal 1700 may also include a memory 1704, which is used to store the program code and data for the terminal 1700.
Where integrated units are used, FIG. 18 shows a possible schematic block diagram of an apparatus involved in an embodiment of the present invention. The apparatus 1800 may exist in the form of software, may be an NRF network element, or may be a chip in an NRF network element. The apparatus 1800 includes a processing unit 1802 and a communication unit 1803; the communication unit 1803 may include a receiving unit and a sending unit. The processing unit 1802 is configured to control and manage the actions of the apparatus 1800. The communication unit 1803 is configured to support communication between the apparatus 1800 and other network entities (for example, a multimedia system entry network element). The apparatus 1800 may further include a storage unit 1801, configured to store the program code and data of the apparatus 1800.
The processing unit 1802 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on. The communication unit 1803 may be a communication interface, a transceiver, a transceiver circuit or the like; "communication interface" is a collective term and in a specific implementation may include multiple interfaces, for example the interface between the NRF network element and the multimedia system entry network element, and/or other interfaces. The storage unit 1801 may be a memory.
The processing unit 1802 can support the apparatus 1800 in performing the actions of the NRF network element in the method examples above. The communication unit 1803 can support communication between the apparatus 1800 and the terminal; for example, the communication unit 1803 can support the apparatus 1800 in performing the processing that involves the NRF network element in the methods shown in FIG. 2 to FIG. 9 and/or other processes of the technical solutions described in this application.
When the processing unit 1802 is a processor, the communication unit 1803 is a communication interface and the storage unit 1801 is a memory, the apparatus 1800 involved in the embodiment of the present invention may be the NRF network element 1900 shown in FIG. 19.
Referring to FIG. 19, the NRF network element 1900 includes a processor 1902, a communication interface 1903 and (optionally) a memory 1901. Optionally, the NRF network element 1900 may further include a bus 1904. The communication interface 1903, the processor 1902 and the memory 1901 may be interconnected by the bus 1904; the bus 1904 may be a PCI bus, an EISA bus or the like. The bus 1904 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in FIG. 19, but this does not mean that there is only one bus or one type of bus.
The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented by software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data centre to another website, computer, server or data centre by wired means (for example coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data centre that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state disk (SSD)), and so on.
The various illustrative logical units and circuits described in the embodiments of this application may be implemented or operated with a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other program­mable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of the above designed to perform the described functions. The general-purpose processor may be a microprocessor; alternatively, it may be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented as a combination of computing devices, for example a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors together with a digital signal processor core, or any other similar configuration.
The steps of the methods or algorithms described in the embodiments of this application may be embodied directly in hardware, in a software unit executed by a processor, or in a combination of the two. The software unit may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM or any other form of storage medium known in the art. As an example, the storage medium may be coupled to the processor so that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integrated into the processor. The processor and the storage medium may reside in an ASIC, and the ASIC may reside in a terminal device. Alternatively, the processor and the storage medium may reside in different components of the terminal device.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
Although the present invention has been described in connection with specific features and embodiments thereof, it will be apparent that various modifications and combinations can be made without departing from the spirit and scope of the invention. Accordingly, the specification and drawings are merely illustrative of the invention as defined by the appended claims, and are deemed to cover any and all modifications, variations, combinations or equivalents that fall within the scope of the invention. Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and variations.

Claims (33)

  1. A communication method, characterized in that it comprises:
    an authentication server function AUSF network element receiving a first message from an access and mobility management function AMF network element, the first message being used to request authentication from the AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the AUSF network element sending a second message to a network registration and discovery function NRF network element, the second message being used to request the NRF network element to discover a unified data management UDM network element, and the second message containing the SUCI;
    the AUSF network element receiving first addressing information from the NRF network element, the first addressing information being UDM network element addressing information that the NRF network element obtains by decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI and then using the decrypted information of the SUCI;
    the AUSF network element sending, based on the first addressing information, a third message to the home UDM network element associated with the first addressing information, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the SUCI.
  2. A communication method, characterized in that it comprises:
    a network registration and discovery function NRF network element receiving a second message from an authentication server function AUSF network element, the second message being used to request the NRF network element to discover a unified data management UDM network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the NRF network element decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI;
    the NRF network element sending, based on the decrypted information of the SUCI, the first addressing information to the AUSF network element, the first addressing information being UDM network element addressing information that the NRF network element obtains from the decrypted information of the SUCI.
  3. The communication method according to claim 1 or 2, characterized in that the first addressing information includes one or more UDM network element addresses associated with the subscriber home region information; or,
    the first addressing information includes the UDM network element address and the SUPI; or,
    the first addressing information includes the UDM network element address and the subscriber home region information.
  4. A communication method, characterized in that it comprises:
    an authentication server function AUSF network element receiving a first message from an access and mobility management function AMF network element, the first message being used to request authentication from the AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the AUSF network element sending a third message to a first unified data management UDM network element, the third message being used to request an authentication vector from the first UDM network element, and the third message containing the SUCI;
    the AUSF network element receiving a fourth message from the first UDM network element, the fourth message containing the decrypted information of the SUCI or the addressing information of the home UDM network element;
    the AUSF network element sending, based on the fourth message, a third message to the home UDM network element, the home UDM network element being the UDM network element associated with the addressing information of the home UDM network element or with the decrypted information of the SUCI, and the third message being used to request an authentication vector from the home UDM network element;
    the AUSF network element receiving the authentication vector from the home UDM network element.
  5. A communication method, characterized in that it comprises:
    a first unified data management UDM network element receiving a third message from an authentication server function AUSF network element, the third message being used to request an authentication vector from the first UDM network element, the third message containing a SUCI, and the SUCI including ciphertext generated with a public key;
    the first UDM network element decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI; when the first UDM network element determines, from the decrypted information of the SUCI, that the home UDM network element is not the first UDM network element, the first UDM network element sending a fourth message to the AUSF network element, the fourth message containing the decrypted information of the SUCI or the addressing information of the home UDM network element, the addressing information of the home UDM network element being obtained by the first UDM network element from the decrypted information of the SUCI.
  6. A communication method, characterized in that it comprises:
    a first unified data management UDM network element receiving a third message from an authentication server function AUSF network element, the third message being used to request an authentication vector from the first UDM network element, the third message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the first UDM network element decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI;
    the first UDM network element sending, based on the decrypted information of the SUCI, a fourth message to the AUSF network element, the fourth message containing the decrypted information of the SUCI or the addressing information of the home UDM network element, the addressing information of the home UDM network element being obtained by the first UDM network element from the decrypted information of the SUCI.
  7. A communication method, characterized in that it comprises:
    a first unified data management UDM network element receiving a third message from an authentication server function AUSF network element, the third message being used to request an authentication vector from the first UDM network element, the third message containing a SUCI, and the SUCI including ciphertext generated with a public key;
    the first UDM network element decrypting the SUCI with its local private key to obtain the SUPI;
    the first UDM network element determining the home UDM network element based on the SUPI;
    when the home UDM network element is the first UDM network element, the first UDM network element sending an authentication vector to the AUSF network element; or,
    when the home UDM network element is a second UDM network element, the first UDM network element obtaining the authentication vector from the second UDM network element and sending the authentication vector to the AUSF network element; or,
    when the home UDM network element is the second UDM network element, the first UDM network element sending a third message to the second UDM network element, the third message being used to request an authentication vector from the second UDM network element and containing the SUPI, so that the second UDM network element generates the authentication vector based on the SUPI.
  8. A communication method, characterized in that it comprises:
    an authentication server function AUSF network element receiving a first message from an access and mobility management function AMF network element, the first message being used to request authentication from the AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the AUSF network element decrypting the SUCI with its local private key to obtain the SUPI;
    the AUSF network element sending a third message to the home unified data management UDM network element associated with the SUPI, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the SUPI;
    the AUSF network element receiving the authentication vector from the home UDM network element, the authentication vector having been generated by the home UDM network element based on the SUPI.
  9. A communication method, characterized in that it comprises:
    a first authentication server function AUSF network element receiving a first message from an access and mobility management function AMF network element, the first message being used to request authentication from the first AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the first AUSF network element decrypting the SUCI with its local private key to obtain the SUPI;
    the first AUSF sending a first message to the home AUSF network element associated with the SUPI, the first message being used to request authentication from the home AUSF network element, and the first message containing the SUPI;
    the first AUSF network element receiving the authentication vector from the home AUSF network element, the authentication vector having been obtained by the home AUSF network element from the home UDM network element based on the SUPI.
  10. A communication method, characterized in that it comprises:
    a first authentication server function AUSF network element receiving a first message from an access and mobility management function AMF network element, the first message being used to request authentication from the first AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the first AUSF network element decrypting the SUCI with its local private key to obtain the SUPI;
    the first AUSF sending, based on the SUPI, a fourth message to the AMF network element, the fourth message containing the SUPI or the addressing information of the home AUSF network element, the addressing information of the home AUSF network element being obtained by the first AUSF network element from the decrypted information produced by decrypting the SUCI with its local private key.
  11. A communication method, characterized in that it comprises:
    an access and mobility management function AMF network element sending a first message to a first authentication server function AUSF network element, the first message being used to request authentication from the first AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the AMF network element receiving a fourth message from the first AUSF network element, the fourth message containing the SUPI or the addressing information of the home AUSF network element, the SUPI or the addressing information of the home AUSF network element being obtained by the first AUSF network element from the decrypted information produced by decrypting the SUCI with its local private key;
    the AMF network element sending, based on the fourth message, a first message to the home AUSF network element, the home AUSF network element being the AUSF network element associated with the addressing information of the home AUSF network element or with the SUPI, and the first message being used to request authentication from the home AUSF network element.
  12. A communication method, characterized in that it comprises:
    a home authentication server function AUSF network element receiving a first message from an access and mobility management function AMF network element, the first message being used to request authentication from the home AUSF network element, the first message containing a SUCI, and the SUCI including ciphertext generated with a public key;
    when the first message contains the SUCI, the home AUSF network element decrypting the SUCI with its local private key to obtain the SUPI;
    the home AUSF network element sending a third message to the home unified data management UDM network element, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the SUPI;
    the home AUSF network element receiving the authentication vector from the home UDM network element, the authentication vector having been generated by the home UDM network element based on the SUPI.
  13. A communication method, characterized in that it comprises:
    a network registration and discovery function NRF network element receiving a second message from an access and mobility management function AMF network element, the second message being used to request the NRF network element to discover an authentication server function AUSF network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the NRF network element decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI;
    the NRF network element sending, based on the decrypted information of the SUCI, the second addressing information to the AMF network element, the second addressing information being AUSF network element addressing information that the NRF network element obtains from the decrypted information of the SUCI.
  14. A communication method, characterized in that it comprises:
    a home SEPP network element receiving a second message from an access and mobility management function AMF network element of a serving network, the second message being used to request a home network registration and discovery function NRF network element to discover an authentication server function AUSF network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the home SEPP network element decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI;
    the home SEPP network element sending a second message to the home NRF network element, the second message being used to request the home NRF network element to discover an AUSF network element, and the second message containing the decrypted information of the SUCI.
  15. A communication method, characterized in that it comprises:
    a home network registration and discovery function NRF network element receiving a second message from a home security edge protection proxy SEPP network element, the second message being used to request the home NRF network element to discover an authentication server function AUSF network element, and the second message containing the decrypted information of a SUCI;
    the home NRF network element sending, based on the decrypted information of the SUCI, second addressing information to an access and mobility management function AMF network element, the second addressing information being AUSF network element addressing information that the home NRF network element obtains from the decrypted information of the SUCI.
  16. A communication method, characterized in that it comprises:
    a home network registration and discovery function NRF network element receiving a second message from a home security edge protection proxy SEPP network element, the second message being used to request the home NRF network element to discover an authentication server function AUSF network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    the home NRF network element decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI;
    the home NRF network element sending, based on the decrypted information of the SUCI, second addressing information to an access and mobility management function AMF network element, the second addressing information being AUSF network element addressing information that the home NRF network element obtains from the decrypted information of the SUCI.
  17. The communication method according to claim 15 or 16, characterized in that the second addressing information includes one or more AUSF network element addresses associated with the subscriber home region information; or,
    the second addressing information includes the AUSF network element address and the SUPI; or,
    the second addressing information includes the AUSF network element address and the subscriber home region information.
  18. The communication method according to claims 1-17, wherein the decrypted information of the SUCI includes the SUPI or the subscriber home region information.
  19. A communication method, characterized in that it comprises:
    a terminal encrypting the subscription permanent identifier SUPI with its local public key to obtain a first SUCI, the first SUCI including the MSIN, in which the subscriber home region information is plaintext and the remaining information of the MSIN is ciphertext;
    the terminal sending a fifth message to an access and mobility management function AMF network element, the fifth message being used to request registration from the AMF network element, and the fifth message containing the first SUCI.
  20. A communication method, characterized in that it comprises:
    a terminal encrypting the subscription permanent identifier SUPI with its local public key to obtain a second SUCI, the second SUCI including the MSIN, all of which is ciphertext;
    the terminal sending a fifth message to an access and mobility management function AMF network element, the fifth message being used to request registration from the AMF network element, and the fifth message containing the second SUCI and the subscriber home region information.
  21. An apparatus, characterized in that it comprises:
    a receiving unit, configured to receive a first message from an access and mobility management function AMF network element, the first message being used to request authentication from an authentication server function AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    a sending unit, further configured to send a second message to a network registration and discovery function NRF network element, the second message being used to request the NRF network element to discover a unified data management UDM network element, and the second message containing the SUCI;
    the receiving unit being further configured to receive first addressing information from the NRF network element, the first addressing information being UDM network element addressing information that the NRF network element obtains by decrypting the SUCI with its local private key to obtain the decrypted information of the SUCI and then using the decrypted information of the SUCI;
    a processing unit, configured to send, based on the first addressing information, a third message to the home UDM network element associated with the first addressing information, the third message being used to request an authentication vector from the home UDM network element, and the third message containing the SUCI.
  22. A communication apparatus, characterized in that it comprises:
    a receiving unit, configured to receive a second message from an authentication server function AUSF network element, the second message being used to request a network registration and discovery function NRF network element to discover a unified data management UDM network element, the second message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI;
    the processing unit being configured to send, through the sending unit and based on the decrypted information of the SUCI, the first addressing information to the AUSF network element, the first addressing information being UDM network element addressing information that the NRF network element obtains from the decrypted information of the SUCI.
  23. The apparatus according to claim 21 or 22, wherein the first addressing information includes one or more UDM network element addresses associated with the subscriber home region information; or,
    the first addressing information includes the UDM network element address and the SUPI; or,
    the first addressing information includes the UDM network element address and the subscriber home region information.
  24. An apparatus, characterized in that it comprises:
    a receiving unit, configured to receive a first message from an access and mobility management function AMF network element, the first message being used to request authentication from an authentication server function AUSF network element, the first message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    a sending unit, configured to send a third message to a first unified data management UDM network element, the third message being used to request an authentication vector from the first UDM network element, and the third message containing the SUCI;
    the receiving unit being further configured to receive a fourth message from the first UDM network element, the fourth message containing the decrypted information of the SUCI or the addressing information of the home UDM network element;
    a processing unit, configured to send, through the sending unit and based on the fourth message, a third message to the home UDM network element, the home UDM network element being the UDM network element associated with the addressing information of the home UDM network element or with the decrypted information of the SUCI, and the third message being used to request an authentication vector from the home UDM network element;
    the receiving unit being further configured to receive the authentication vector from the home UDM network element.
  25. An apparatus, characterized in that it comprises:
    a receiving unit, configured to receive a third message from an authentication server function AUSF network element, the third message being used to request an authentication vector from a first unified data management UDM network element, the third message containing a SUCI, and the SUCI including ciphertext generated with a public key;
    a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI;
    the processing unit being further configured, when it determines from the decrypted information of the SUCI that the home UDM network element is not the first UDM network element, to send a fourth message to the AUSF network element through the sending unit, the fourth message containing the decrypted information of the SUCI or the addressing information of the home UDM network element, the addressing information of the home UDM network element being obtained by the first UDM network element from the decrypted information of the SUCI.
  26. An apparatus, characterized in that it comprises:
    a receiving unit, configured to receive a third message from an authentication server function AUSF network element, the third message being used to request an authentication vector from a first unified data management UDM network element, the third message containing a subscription concealed identifier SUCI, and the SUCI including ciphertext generated with a public key;
    a processing unit, configured to decrypt the SUCI with the local private key to obtain the decrypted information of the SUCI;
    the processing unit being further configured to send, through the sending unit and based on the decrypted information of the SUCI, a fourth message to the AUSF network element, the fourth message containing the decrypted information of the SUCI or the addressing information of the home UDM network element, the addressing information of the home UDM network element being obtained by the first UDM network element from the decrypted information of the SUCI.
  27. An apparatus, characterized in that it comprises:
    a receiving unit, configured to receive a third message from an authentication server function AUSF network element, the third message being used to request an authentication vector from a first unified data management UDM network element, the third message containing a SUCI, and the SUCI including ciphertext generated with a public key;
    a processing unit, configured to decrypt the SUCI with the local private key to obtain the SUPI;
    the processing unit being further configured to determine the home UDM network element based on the SUPI; when the home UDM network element is the first UDM network element, to send an authentication vector to the AUSF network element through the sending unit; or, when the home UDM network element is a second UDM network element, to obtain the authentication vector from the second UDM network element and send it to the AUSF network element through the sending unit; or, when the home UDM network element is the second UDM network element, to send a third message to the second UDM network element through the sending unit, the third message being used to request an authentication vector from the second UDM network element and containing the SUPI, so that the second UDM network element generates the authentication vector based on the SUPI.
  28. An apparatus, characterized in that it comprises a processor and a memory, the memory storing a computer program, and the processor, when reading and executing the computer program stored in the memory, causing the communication apparatus to implement the method according to any one of claims 1 to 20.
  29. A chip, characterized in that the chip is connected to a memory, the memory storing a computer program, and the chip is configured to read and execute the computer program stored in the memory so as to perform the method according to any one of claims 1 to 20.
  30. A computer program product, characterized in that the computer program product comprises computer software instructions, which can be loaded by a processor to perform the method according to any one of claims 1 to 20.
  31. A readable storage medium, characterized in that the readable storage medium stores instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 20.
  32. An apparatus for transmitting information, configured to perform the method according to any one of claims 1 to 20.
  33. A communication system, characterized in that it comprises the apparatus according to claim 28.
PCT/CN2019/074767 2018-02-13 2019-02-11 Communication method and apparatus WO2019158028A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810149811.6A CN110167013B (zh) 2018-02-13 2018-02-13 Communication method and apparatus
CN201810149811.6 2018-02-13

Publications (1)

Publication Number Publication Date
WO2019158028A1 true WO2019158028A1 (zh) 2019-08-22

Family

ID=67619667

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/074767 WO2019158028A1 (zh) 2018-02-13 2019-02-11 一种通信方法及装置

Country Status (2)

Country Link
CN (1) CN110167013B (zh)
WO (1) WO2019158028A1 (zh)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112468483A (zh) * 2020-11-24 2021-03-09 中国电子科技集团公司第三十研究所 基于5g边缘防护代理的服务动态分配及信令防护方法
CN112672336A (zh) * 2019-09-30 2021-04-16 华为技术有限公司 实现外部认证的方法、通信装置及通信系统
WO2021109436A1 (en) * 2020-04-28 2021-06-10 Zte Corporation Authentication server function selection in an authentication and key agreement
US20220030413A1 (en) * 2018-11-05 2022-01-27 Telefonaktiebolaget Lm Ericsson (Publ) Fully qualified domain name handling for service interactions in 5g
CN114401506A (zh) * 2021-12-16 2022-04-26 中国电信股份有限公司 通信方法及装置、存储介质
US20220191694A1 (en) * 2020-12-15 2022-06-16 Oracle International Corporation Methods, systems, and computer readable media for message validation in fifth generation (5g) communications networks
CN115843434A (zh) * 2020-09-29 2023-03-24 Oppo广东移动通信有限公司 网元发现方法、装置、设备及存储介质
US11751056B2 (en) 2020-08-31 2023-09-05 Oracle International Corporation Methods, systems, and computer readable media for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns
US11770694B2 (en) 2020-11-16 2023-09-26 Oracle International Corporation Methods, systems, and computer readable media for validating location update messages
US11812271B2 (en) 2020-12-17 2023-11-07 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming attacks for internet of things (IoT) devices based on expected user equipment (UE) behavior patterns
WO2023213209A1 (zh) * 2022-05-06 2023-11-09 华为技术有限公司 密钥管理方法及通信装置
US11825310B2 (en) 2020-09-25 2023-11-21 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks
US11832172B2 (en) 2020-09-25 2023-11-28 Oracle International Corporation Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (SEPP) inter-public land mobile network (inter-PLMN) forwarding interface
US11974134B2 (en) 2022-01-28 2024-04-30 Oracle International Corporation Methods, systems, and computer readable media for validating subscriber entities against spoofing attacks in a communications network

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115396851A (zh) * 2019-09-26 2022-11-25 华为技术有限公司 NF-based communication method, device and storage medium
CN112584371B (zh) * 2019-09-30 2022-05-10 华为技术有限公司 Method for sending roaming signaling messages, related device and communication system
CN113382410B (zh) * 2020-02-21 2022-12-06 华为技术有限公司 Communication method, related apparatus and computer-readable storage medium
CN113541925B (zh) * 2020-03-30 2023-02-14 华为技术有限公司 Communication system, method and apparatus
CN113596831B (zh) * 2020-04-14 2022-12-30 华为技术有限公司 Communication method and communication device for identifying user equipment in slice authentication
CN111638997A (zh) * 2020-05-28 2020-09-08 中国联合网络通信集团有限公司 Data recovery method, apparatus and network device
CN111741467B (zh) * 2020-06-19 2023-04-18 中国联合网络通信集团有限公司 Authentication method and apparatus
CN111770496B (zh) * 2020-06-30 2022-08-02 中国联合网络通信集团有限公司 5G-AKA authentication method, unified data management network element and user equipment
CN112003912B (zh) * 2020-08-13 2021-11-02 广州爱浦路网络技术有限公司 Method for an SEPP to authenticate an NF in a 5G core network
CN114245378A (zh) * 2020-09-07 2022-03-25 中国移动通信有限公司研究院 Data transmission method, related network device and storage medium
CN114423001A (zh) * 2020-10-13 2022-04-29 中兴通讯股份有限公司 Decryption method, server and storage medium
CN114727285B (zh) * 2021-01-04 2024-05-14 中国移动通信有限公司研究院 Authentication method, authentication network element and security anchor entity

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000074282A2 (en) * 1999-06-01 2000-12-07 Nortel Networks Limited High speed ethernet based on sonet technology
CN107580324A (zh) * 2017-09-22 2018-01-12 中国电子科技集团公司第三十研究所 Method for IMSI privacy protection in a mobile communication system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101969638B (zh) * 2010-09-30 2013-08-14 中国科学院软件研究所 Method for protecting the IMSI in mobile communications

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security Architecture and Procedures for 5G System (Release 15)", 3GPP TS 33.501 V0.7.0, vol. SA WG3, no. V0.7.0, 7 February 2018 (2018-02-07), pages 1 - 109, XP051392930 *

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220030413A1 (en) * 2018-11-05 2022-01-27 Telefonaktiebolaget Lm Ericsson (Publ) Fully qualified domain name handling for service interactions in 5g
US11895735B2 (en) * 2018-11-05 2024-02-06 Telefonaktiebolaget Lm Ericsson (Publ) Fully qualified domain name handling for service interactions in 5G
CN112672336A (zh) * 2019-09-30 2021-04-16 华为技术有限公司 Method for implementing external authentication, communication apparatus and communication system
CN112672336B (zh) * 2019-09-30 2024-04-30 华为技术有限公司 Method for implementing external authentication, communication apparatus and communication system
WO2021109436A1 (en) * 2020-04-28 2021-06-10 Zte Corporation Authentication server function selection in an authentication and key agreement
US11751056B2 (en) 2020-08-31 2023-09-05 Oracle International Corporation Methods, systems, and computer readable media for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns
US11825310B2 (en) 2020-09-25 2023-11-21 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks
US11832172B2 (en) 2020-09-25 2023-11-28 Oracle International Corporation Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (SEPP) inter-public land mobile network (inter-PLMN) forwarding interface
CN115843434A (zh) * 2020-09-29 2023-03-24 Oppo广东移动通信有限公司 Network element discovery method, apparatus, device and storage medium
US11770694B2 (en) 2020-11-16 2023-09-26 Oracle International Corporation Methods, systems, and computer readable media for validating location update messages
CN112468483B (zh) * 2020-11-24 2022-02-08 中国电子科技集团公司第三十研究所 Dynamic service allocation and signaling protection method based on a 5G security edge protection proxy
CN112468483A (zh) * 2020-11-24 2021-03-09 中国电子科技集团公司第三十研究所 Dynamic service allocation and signaling protection method based on a 5G security edge protection proxy
US11818570B2 (en) * 2020-12-15 2023-11-14 Oracle International Corporation Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks
US20220191694A1 (en) * 2020-12-15 2022-06-16 Oracle International Corporation Methods, systems, and computer readable media for message validation in fifth generation (5g) communications networks
US11812271B2 (en) 2020-12-17 2023-11-07 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming attacks for internet of things (IoT) devices based on expected user equipment (UE) behavior patterns
CN114401506A (zh) * 2021-12-16 2022-04-26 中国电信股份有限公司 Communication method and apparatus, and storage medium
US11974134B2 (en) 2022-01-28 2024-04-30 Oracle International Corporation Methods, systems, and computer readable media for validating subscriber entities against spoofing attacks in a communications network
WO2023213209A1 (zh) * 2022-05-06 2023-11-09 华为技术有限公司 Key management method and communication apparatus

Also Published As

Publication number Publication date
CN110167013A (zh) 2019-08-23
CN110167013B (zh) 2020-10-27

Similar Documents

Publication Publication Date Title
WO2019158028A1 (zh) Communication method and apparatus
RU2722508C1 (ru) Concealed subscriber subscription identifier
CN110971415B (zh) Anonymous access authentication method and system for a space-ground integrated space information network
RU2737348C1 (ru) Privacy indicators for controlling authentication requests
US11974132B2 (en) Routing method, apparatus, and system
RU2755196C1 (ru) Management of unified subscription identifiers in communication systems
US20180199205A1 (en) Wireless network connection method and apparatus, and storage medium
US20200228977A1 (en) Parameter Protection Method And Device, And System
JP2021532627A (ja) Communication method and communication apparatus
JP7164602B2 (ja) Terminal information distribution method and related products
US8145905B2 (en) Method and apparatus for efficient support for multiple authentications
JP7461515B2 (ja) Data transmission method and system, electronic device, and computer-readable storage medium
WO2020020007A1 (zh) Network access method, apparatus, terminal, base station and readable storage medium
US10484187B2 (en) Cellular network authentication
CN112492580A (zh) Information processing method and apparatus, communication device and storage medium
US20230422032A1 (en) Session request method and apparatus, terminal, and storage medium
JP7398030B2 (ja) UE, network device, UE method, and network device method
US11357062B2 (en) Communication method and apparatus
WO2018053804A1 (zh) Encryption protection method and related device
CN106550362B (zh) Method and system for secure access of smart devices to a wireless local area network
US20210168614A1 (en) Data Transmission Method and Device
WO2020147854A1 (zh) Authentication method, apparatus, system and storage medium
WO2023223118A1 (en) Subscription identification in networks
US20220159457A1 (en) Providing ue capability information to an authentication server
WO2024078922A1 (en) Key management for applications

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19753781

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19753781

Country of ref document: EP

Kind code of ref document: A1