WO2019214351A1 - Message processing method and device - Google Patents

Message processing method and device

Info

Publication number
WO2019214351A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
selection information
element selection
suci
master key
Application number
PCT/CN2019/079106
Other languages
English (en)
Chinese (zh)
Inventor
周巍
Original Assignee
电信科学技术研究院有限公司
Application filed by 电信科学技术研究院有限公司
Publication of WO2019214351A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W40/00 Communication routing or communication path finding
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W40/00 Communication routing or communication path finding > H04W40/02 Communication route or path selection, e.g. power-based or shortest path routing
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Definitions

  • the present application relates to the field of communications technologies, and in particular, to a message processing method and apparatus.
  • However, the encrypted part of the identifier contains the information that the operator uses for internal routing of the Registration Request, which causes a routing problem when there are multiple authentication server functions (AUSF) and/or unified data management (UDM) entities within the operator.
  • Registration Request: the registration request whose internal routing within the operator relies on that information
  • AUSF: authentication server function
  • UDM: unified data management
  • the embodiment of the present application provides a message processing method and apparatus for accurately routing a registration request from a UE to a target network element.
  • the UE determines a registration request, where the registration request carries the SUCI, and the SUCI includes network element selection information for selecting the target network element in the HPLMN that does not belong to the MSIN;
  • the UE sends the registration request to the network side.
  • the UE determines a registration request, where the registration request carries SUCI, and the SUCI includes network element selection information for selecting a target network element in the HPLMN that does not belong to the MSIN; the UE sends the registration request to the network side, which can thereby accurately route the registration request from the UE to the target network element by using the network element selection information.
  • the network element selection information is a network element selection information ciphertext;
  • the USIM in the UE uses the network element selection information master key and a random value used to derive the network element selection information encryption key, and derives the network element selection information encryption key with the key derivation algorithm; the UE uses the network element selection information encryption key to encrypt the network element selection information, and obtains the network element selection information ciphertext.
  • the security of the information can be further improved by encrypting the network element selection information.
  • the SUCI further includes a network element selection information master key identifier.
  • the network element selection information master key, the network element selection information, and the network element selection information master key identifier are stored in the USIM.
  • the network element selection information is not encrypted, and the UE sets the network element selection information directly in the SUCI.
  • the UE sends the registration request to the VPLMN, and forwards to the HPLMN through the VPLMN.
  • a message processing method provided by the embodiment of the present application includes:
  • the network element selection information being network element selection information for selecting a target network element in the HPLMN that does not belong to the MSIN;
  • the network element selection information is used to perform network element selection or message routing.
  • the network element selection information is a network element selection information ciphertext
  • Obtaining the SUCI from the registration request, and acquiring the network element selection information from the SUCI specifically includes: performing, by the network element selection information decryption function entity, the following operations:
  • the master key of the network element selection information is obtained by using the network element selection information master key identifier in the SUCI. If the SUCI does not carry the network element selection information master key identifier, the default master key is selected, or the decryption scheme is chosen according to the system configuration;
  • the network element selection information is provided to a network element in the HPLMN that needs to perform network element selection or message routing.
  • the network element selection or message routing is performed by using the network element selection information, specifically:
  • the network element that needs to perform network element selection or message routing in the HPLMN forwards the registration request to the target network element according to the network element selection information.
  • the network element that needs to perform network element selection or message routing in the HPLMN adds the obtained network element selection information to the message forwarded to the target network element.
  • a message processing apparatus provided by an embodiment of the present application includes:
  • a memory for storing program instructions
  • a processor configured to invoke a program instruction stored in the memory, and execute according to the obtained program:
  • the registration request carries SUCI
  • the SUCI includes network element selection information for selecting a target network element in the HPLMN that does not belong to the MSIN;
  • the device further includes a USIM;
  • the network element selection information is a network element selection information ciphertext;
  • the USIM uses the network element selection information master key and a random value used to derive the network element selection information encryption key, and uses the key derivation algorithm to derive the network element selection information encryption key;
  • the processor encrypts the network element selection information by using the network element selection information encryption key to obtain the network element selection information ciphertext.
  • the SUCI further includes a network element selection information master key identifier.
  • the network element selection information master key, the network element selection information, and the network element selection information master key identifier are stored in the USIM.
  • the processor does not encrypt the network element selection information, and sets the network element selection information directly in the SUCI.
  • the processor sends the registration request to the VPLMN through the transceiver, and forwards to the HPLMN through the VPLMN.
  • a message processing apparatus provided by an embodiment of the present application includes:
  • a memory for storing program instructions
  • a processor configured to invoke a program instruction stored in the memory, and execute according to the obtained program:
  • the network element selection information being network element selection information for selecting a target network element in the HPLMN that does not belong to the MSIN;
  • the network element selection information is used to perform network element selection or message routing.
  • the network element selection information is a network element selection information ciphertext
  • Obtaining the SUCI from the registration request, and acquiring the network element selection information from the SUCI specifically includes: performing, by the network element selection information decryption function entity, the following operations:
  • the master key of the network element selection information is obtained by using the network element selection information master key identifier in the SUCI. If the SUCI does not carry the network element selection information master key identifier, the default master key is selected, or the decryption scheme is chosen according to the system configuration;
  • the network element selection information is provided to a network element in the HPLMN that needs to perform network element selection or message routing.
  • the device is a network element that needs to perform network element selection or message routing in the HPLMN; and the network element selection or message routing is performed by using the network element selection information, specifically:
  • the registration request is forwarded to the target network element according to the network element selection information.
  • the processor is further configured to append the obtained network element selection information to a message forwarded to the target network element.
  • another message processing apparatus provided by the embodiment of the present application includes:
  • a determining unit configured to determine a registration request, where the registration request carries an SUCI, where the SUCI includes network element selection information for selecting a target network element in the HPLMN that does not belong to the MSIN;
  • a sending unit configured to send the registration request to the network side.
  • Another message processing apparatus provided in this embodiment of the present application includes:
  • a first unit configured to receive a registration request from the UE, obtain a SUCI from the registration request, and obtain network element selection information from the SUCI; the network element selection information is network element selection information for selecting a target network element in the HPLMN and does not belong to the MSIN;
  • the second unit is configured to perform network element selection or message routing by using the network element selection information.
  • a memory for storing program instructions and storing network element selection information
  • a processor configured to invoke a program instruction stored in the memory, and execute according to the obtained program:
  • the memory further stores the network element selection information master key; the processor uses the network element selection information master key and a random value for deriving the network element selection information encryption key, and uses the key derivation algorithm to derive the network element selection information encryption key.
  • the memory further stores a network element selection information master key and a network element selection information master key identifier.
  • Another embodiment of the present application provides a computing device including a memory and a processor, wherein the memory is configured to store program instructions, and the processor is configured to invoke the program instructions stored in the memory and to perform any of the above methods according to the obtained program.
  • Another embodiment of the present application provides a computer storage medium storing computer executable instructions for causing the computer to perform any of the methods described above.
  • FIG. 1 is a schematic diagram of a 5G system authentication function entity and an authentication process according to an embodiment of the present application
  • FIG. 2 is a schematic diagram of privacy protection of network element selection information in an initial registration process of a 5G communication system according to an embodiment of the present application
  • FIG. 3 is a schematic diagram of a basic process in a scenario according to Embodiment 1 of the present disclosure
  • FIG. 4 is a schematic diagram of a basic process in a scenario of Embodiment 2 according to an embodiment of the present disclosure
  • FIG. 5 is a schematic flowchart of a message processing method on a UE side according to an embodiment of the present disclosure
  • FIG. 6 is a schematic flowchart of a message processing method on the network side according to an embodiment of the present disclosure
  • FIG. 7 is a schematic structural diagram of a message processing apparatus on a UE side according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a message processing apparatus on the network side according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of another message processing apparatus on the UE side according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of another message processing apparatus on the network side according to an embodiment of the present disclosure.
  • the embodiment of the present application provides a message processing method and apparatus for accurately routing a registration request from a UE to a target network element.
  • SUPI protection schemes can be divided into two categories:
  • Null-scheme: the null scheme does not encrypt SUPI, that is, the output generated by the null scheme is the same as the input.
  • Public key protection scheme: uses the public key to encrypt and protect the content of the SUPI that needs to be encrypted.
  • SUPI consists of three parts:
  • MCC: Mobile Country Code
  • MNC: Mobile Network Code
  • MSIN: Mobile Subscriber Identification Number
  • the MSIN related to the user identity in the SUPI will be encrypted, thereby achieving the purpose of protecting the privacy of the user.
  • In a 5G system, SUPI must be protected by a protection scheme, that is, SUPI always passes through a null-scheme or a public key protection scheme.
  • the SUPI processed by the protection scheme is stored in a data structure called a Subscription Concealed Identifier (SUCI).
  • SUCI contains the following information:
  • Protection scheme identifier: identifies which protection scheme is used by the SUCI, such as null-scheme or public key protection scheme.
  • Public key identifier: identifies which public key of the home network operator is used to encrypt the SUCI. If null-scheme is used, this field is empty.
  • VPLMN: Visited Public Land Mobile Network (PLMN)
  • HPLMN: Home PLMN
  • Protection scheme output: the result of a protection scheme, that is, the output generated by the null scheme or a public key protection scheme.
  • the UE and the Security Anchor Function (SEAF) are located in the VPLMN; the Authentication Server Function (AUSF), the Unified Data Management (UDM), the Authentication credential Repository and Processing Function (ARPF) and the Subscription Identifier De-concealing Function (SIDF) are located in the HPLMN.
  • the HPLMN uses the routing information contained in the MSIN to route the registration request to the Home Subscriber Server (HSS).
  • the HPLMN may not be able to route the user's registration request to the target AUSF or UDM.
  • the specific analysis is as follows:
  • SUPI encryption uses asymmetric encryption.
  • Asymmetric encryption requires that the decryption party must use the private key corresponding to the encrypted public key to decrypt the encrypted information.
  • Asymmetric encryption technology allows each UDM to generate an unlimited number of public and private key pairs and manage the private keys separately.
  • the management of the private key can be HPLMN-based or UDM-based. When private key management is HPLMN-based, one UDM can be allowed to hold all the private keys, so that the SUCI can be decrypted centrally and no routing information is needed in the SUCI.
  • when private key management is UDM-based, that is, a UDM cannot own the private key of another UDM, a centralized SUCI decryption scheme cannot be used.
  • when private key management is UDM-based, the SUCI is therefore required to provide additional routing information to support message routing in this scenario, so that messages containing the encrypted SUPI can be routed to the target UDM.
  • the information used to discover the AUSF or UDM in the current specification is the MNC and/or MCC in SUPI or SUCI.
  • the MSIN contained in SUPI will be encrypted, and the function SIDF responsible for decryption is located in the UDM. This results in the fact that when the encryption key is based on UDM management (the UDM does not provide the decryption key to other UDMs), the information originally used for routing in the HPLMN will not be available to the NRF or AUSF, resulting in the inability to select the target UDM.
  • the network element selection information used by the HPLMN is added in the SUCI.
  • the network element selection information can only be understood and used by the HPLMN, which avoids privacy leakage caused by the network element selection information: for example, a UDM set up for authenticating a special user group would otherwise expose the identity of sensitive users or special Internet of Things applications. The privacy of users is thereby fully protected.
  • the NEIM stores network element selection information specifically for the HPLMN selection network function, such as network element selection information for selecting an AUSF or UDM.
  • a symmetric key provided by the operator for encrypting the network element selection information is stored in the USIM.
  • the reason for using a symmetric key is because the encryption and decryption speed is fast and does not cause information processing bottlenecks.
  • the HPLMN first needs to decrypt the encrypted network element selection information included in the SUCI in the registration request, and then use the decrypted network element selection information to perform subsequent message routing.
  • the privacy protection method for the network element selection information in the initial registration process of the 5G communication system described in the embodiment of the present application is as shown in FIG. 2 .
  • Network Element Selection Information (NESI): some network elements in the HPLMN that participate in the authentication process can use this information to select the target network element for message transmission.
  • the Network Repository Function (NRF) can use this information to discover the target AUSF or UDM.
  • NESI Ciphertext: NE selection information encrypted by the network element selection information encryption key.
  • NESI Master Key: the superior key used to generate the network element selection information encryption key.
  • NESI Master Key Identifier: used to uniquely identify the network element selection information encryption master key in the HPLMN.
  • NESI Encryption Key: the encryption key actually used to encrypt the NE selection information. The key is derived from the NE selection information encryption master key.
  • NESI Encryption Key Derivation Function: located in the Universal Subscriber Identity Module (USIM), it is responsible for deriving the NE selection information encryption key by using the NE selection information encryption master key.
  • USIM: Universal Subscriber Identity Module
  • NESI Encryption Function: located in the User Equipment (UE), it is responsible for generating the network element selection information ciphertext by using the network element selection information encryption key.
  • NESI Decryption Function: located in the HPLMN Core Network (CN), it is responsible for decrypting the NE selection information ciphertext and obtaining the clear text of the NE selection information.
  • the operator writes to the USIM: network element selection information, network element selection information master key, and network element selection information master key identifier.
  • the network element selection information master key and the network element selection information master key identifier are optional.
  • if the network element selection information master key is not provisioned, the network element selection information master key identifier should also be empty.
  • in that case the network element selection information encryption scheme is a null encryption scheme, that is, the encryption operation is not performed.
  • if the network element selection information master key identifier is empty, the default key (which can be set according to actual needs) is used.
  • the technical solution provided by the embodiment of the present application performs the following operations:
  • the network element selection information, the network element selection information master key, and the network element selection information master key identifier may be pre-stored in the USIM.
  • the UE requests the USIM to provide: a network element selection information encryption key, a network element selection information master key identifier, and network element selection information. Moreover, the UE needs to provide the USIM with a random value (nonce) for deriving the network element selection information encryption key.
  • the random value is part of the SUCI, such as the ciphertext of the MSIN.
  • the USIM uses the network element selection information master key, the nonce provided by the UE, and other possible parameters (these may be determined according to actual needs, are not limited in the embodiment of the present application, and may of course be absent) with the key derivation algorithm (the specific algorithm may be determined according to actual needs, without limitation) to derive the network element selection information encryption key. Then, the network element selection information encryption key, the network element selection information master key identifier (optional), and the network element selection information are provided to the UE.
  • the network element selection information master key identifier is optional content.
  • the system uses the null encryption scheme to process the NE selection information by default. At this time, the USIM will only return the NE selection information.
  • the UE (which may be implemented by the network element selection information encryption function module) encrypts the network element selection information by using the network element selection information encryption key to obtain the network element selection information ciphertext.
  • the UE does not encrypt the NE selection information, and uses the NE selection information directly in the SUCI.
  • the UE (which may be implemented by the SUCI generating function module) adds the network element selection information ciphertext and the network element selection information master key identifier (optional) to the SUCI. If the USIM does not provide the NE selection information master key identifier, the SUCI does not include this information.
  • the UE (which may be implemented by the registration request function module) includes the SUCI in the registration request and sends it to the visited network (VPLMN). Further, the VPLMN sends the registration request to the home network (HPLMN).
  • the registration request may be, for example, an initial registration request, but is not limited thereto.
  • when a network element in the HPLMN needs to use the network element selection information provided by the SUCI to perform network element selection or message routing, the network element needs to invoke the network element selection information decryption function to decrypt the network element selection information ciphertext included in the SUCI.
  • the network element needs to provide the following to the network element selection information decryption function: the network element selection information ciphertext, the nonce, and/or the network element selection information master key identifier (if the SUCI contains that information).
  • the NE selection information decryption function needs to perform the following operations:
  • the network element selection information decryption key is used to decrypt the network element selection information ciphertext, and the network element selection information is obtained.
  • the network element selection information is provided to the requesting network element in the HPLMN (that is, the network element that needs to perform network element selection or message routing).
  • Embodiment 1:
  • the network element AUSF in the HPLMN directly requests the network element selection information decryption function (NESIDF) to decrypt the network element selection information ciphertext in the SUCI.
  • the AUSF parses the network element selection information to obtain the target UDM.
  • the specific process is shown in Figure 3, including:
  • Step 1 The UE sends an initial registration request to the network, which includes the SUCI. This request is routed to the SEAF of the VPLMN.
  • Step 2 The SEAF sends the initial registration request (which carries the SUCI) to the AUSF in the HPLMN.
  • Step 3 The AUSF, by means of a network element selection information decryption request, sends the SUCI in the initial registration request of the UE to the NESIDF, requesting the latter to decrypt the network element selection information ciphertext in the SUCI.
  • Step 4 The NESIDF obtains the corresponding key by using the network element selection information master key identifier carried in the SUCI; uses the value of the nonce in the SUCI and other parameters to perform key derivation, and obtains the network element selection information decryption key; uses the network element selection information decryption key to decrypt the network element selection information ciphertext to obtain the network element selection information; and then returns the network element selection information to the AUSF through the network element selection information decryption response.
  • Step 5 The AUSF parses the network element selection information, obtains the address of the target UDM, and then sends the initial registration request of the UE (which carries the SUCI) to the target UDM.
  • Embodiment 2:
  • the network element AUSF in the HPLMN requests the NRF to provide the address of the target UDM.
  • the NRF calls NESIDF to obtain the clear text of the NE selection information.
  • the NRF parses the network element selection information, obtains the address of the target UDM, and provides it to the AUSF.
  • The specific process is shown in Figure 4, including:
  • Step 11 The UE sends an initial registration request to the network, where the SUCI is included. This request is routed to the SEAF of the VPLMN.
  • Step 12 The SEAF sends an initial registration request (which includes SUCI) to the AUSF in the HPLMN.
  • Step 13 The AUSF sends the SUCI to the NRF through the network element selection request, requesting the latter to provide the address of the target UDM.
  • Step 14 After receiving the network element selection request, the NRF obtains the network element selection information master key identifier, the nonce value in the SUCI, and the network element selection information ciphertext from the SUCI carried in the network element selection request, and then sends this information (ciphertext) to the NESIDF through a network element selection information decryption request, requesting the latter to decrypt the network element selection information ciphertext in the SUCI.
  • Step 15 The NESIDF obtains the corresponding key by using the network element selection information master key identifier; uses the nonce and other parameters to perform key derivation, and obtains the network element selection information decryption key; uses the network element selection information decryption key to decrypt the network element selection information ciphertext to obtain the network element selection information; and then returns the network element selection information (plaintext) to the NRF through the network element selection information decryption response.
  • Step 16 The NRF receives the network element selection information decryption response, obtains and parses the network element selection information, obtains the address of the target UDM (target network element), and then returns the address of the target UDM to the AUSF.
  • Step 17 The AUSF sends an initial registration request (which includes SUCI) to the target UDM (eg, UDM1).
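As an added example (not code from the patent or its assignee), the UE-side procedure above and the network-side flow shared by Embodiment 1 and Embodiment 2, worked through in Python: the USIM derives the NESI encryption key from the master key and the UE's nonce, the UE places the ciphertext, the nonce and the optional master key identifier in the SUCI, and the HPLMN's NESIDF selects the master key by identifier (falling back to the default key), re-derives the key and decrypts so that the AUSF (Embodiment 1) or the NRF (Embodiment 2) can parse the NESI into a target UDM address. The patent fixes neither the key derivation algorithm nor the cipher; HMAC-SHA256 and an HMAC-keystream cipher with an integrity tag stand in for them here, and all keys, USIM contents, NESI strings and UDM addresses are constructed.

```python
import hashlib
import hmac
import os

# HPLMN-side provisioning; every value below is constructed for this example.
# Master keys held by the NESI decryption function (NESIDF), indexed by master key
# identifier; "default" is used when the SUCI carries no master key identifier.
HPLMN_MASTER_KEYS = {
    "default": hashlib.sha256(b"example default NESI master key").digest(),
    "mk-iot-2019": hashlib.sha256(b"example IoT-group NESI master key").digest(),
}
# How the HPLMN parses NESI plaintext into a target UDM address (constructed table).
UDM_BY_NESI = {b"udm-group=iot-a": "udm1.hplmn.example",
               b"udm-group=consumer": "udm2.hplmn.example"}
# USIM contents as written by the operator, one per provisioning variant on the page:
# master key with identifier, master key without identifier (default key), no key (null scheme).
USIM_IOT = {"nesi": b"udm-group=iot-a", "master_key_id": "mk-iot-2019",
            "master_key": HPLMN_MASTER_KEYS["mk-iot-2019"]}
USIM_DEFAULT_KEY = {"nesi": b"udm-group=consumer", "master_key": HPLMN_MASTER_KEYS["default"]}
USIM_NULL = {"nesi": b"udm-group=consumer"}


def derive_nesi_key(master_key, nonce):
    """NESI encryption key = KDF(master key, nonce). The page leaves the KDF open;
    HMAC-SHA256 stands in for it here (hypothetical choice, not the patent's)."""
    return hmac.new(master_key, b"NESI-enc-key" + nonce, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """PRF keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key, nonce, ct):
    return hmac.new(key, b"NESI-tag" + nonce + ct, hashlib.sha256).digest()[:16]


def nesi_encrypt(key, nonce, plaintext):
    """Stand-in symmetric cipher (the page does not fix one): keystream XOR plus a 16-byte
    HMAC tag. The tag is this example's addition so the HPLMN can reject a modified
    ciphertext rather than route on selection information altered in transit."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct + _tag(key, nonce, ct)


def nesi_decrypt(key, nonce, blob):
    """Verify the tag in constant time, then remove the keystream; raise on tampering."""
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("NESI ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def usim_respond(usim, nonce):
    """USIM: derive the NESI encryption key from the stored master key and the UE's nonce.
    Without a master key the null scheme applies and only the NESI itself is returned."""
    if usim.get("master_key") is None:
        return None, None, usim["nesi"]
    return derive_nesi_key(usim["master_key"], nonce), usim.get("master_key_id"), usim["nesi"]


def ue_build_suci(usim, nonce=None):
    """UE: obtain key material from the USIM, encrypt the NESI unless the null scheme
    applies, and put ciphertext, nonce and the optional master key identifier in the SUCI."""
    nonce = os.urandom(16) if nonce is None else nonce
    key, key_id, nesi = usim_respond(usim, nonce)
    suci = {"mcc": "001", "mnc": "01",  # test PLMN codes; the MSIN part is constructed
            "msin_ciphertext": b"<constructed MSIN ciphertext>", "nonce": nonce,
            "nesi_encrypted": key is not None,
            "nesi": nesi if key is None else nesi_encrypt(key, nonce, nesi)}
    if key_id is not None:
        suci["nesi_master_key_id"] = key_id  # optional field, as on the page
    return suci


def nesidf_decrypt(suci):
    """NESIDF in the HPLMN: select the master key by identifier (default if absent),
    re-derive the key from the SUCI nonce and decrypt the NESI ciphertext."""
    if not suci["nesi_encrypted"]:
        return suci["nesi"]
    master_key = HPLMN_MASTER_KEYS[suci.get("nesi_master_key_id", "default")]
    key = derive_nesi_key(master_key, suci["nonce"])
    return nesi_decrypt(key, suci["nonce"], suci["nesi"])


def route_registration(suci):
    """Embodiment 1 (AUSF calls NESIDF) and embodiment 2 (NRF calls it for the AUSF)
    both end here: decrypt, parse the NESI and return the target UDM address.
    Returns None when the NESIDF rejects the ciphertext, so nothing is routed on it."""
    try:
        nesi = nesidf_decrypt(suci)
    except (ValueError, KeyError):
        return None
    return UDM_BY_NESI.get(nesi)


if __name__ == "__main__":
    for name, usim in (("iot", USIM_IOT), ("default-key", USIM_DEFAULT_KEY), ("null", USIM_NULL)):
        suci = ue_build_suci(usim)
        print(name, "encrypted" if suci["nesi_encrypted"] else "plaintext", "->", route_registration(suci))
```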
  • a message processing method provided by an embodiment of the present application includes:
  • the UE determines a registration request, where the registration request carries an SUCI, where the SUCI includes network element selection information for selecting a target network element in the HPLMN that does not belong to the MSIN.
  • the UE sends the registration request to the network side.
  • the UE determines a registration request, where the registration request carries SUCI, and the SUCI includes network element selection information for selecting a target network element in the HPLMN that does not belong to the MSIN; the UE sends the registration request to the network side, which can thereby accurately route the registration request from the UE to the target network element by using the network element selection information.
  • the network element selection information is a network element selection information ciphertext;
  • the USIM in the UE uses the network element selection information master key and a random value used to derive the network element selection information encryption key, and derives the network element selection information encryption key with the key derivation algorithm; the UE uses the network element selection information encryption key to encrypt the network element selection information, and obtains the network element selection information ciphertext.
  • the security of the information can be further improved by encrypting the network element selection information.
  • the SUCI further includes a network element selection information master key identifier.
  • the network element selection information master key, the network element selection information, and the network element selection information master key identifier are stored in the USIM.
  • the network element selection information is not encrypted, and the UE sets the network element selection information directly in the SUCI.
  • the UE sends the registration request to the VPLMN, and forwards to the HPLMN through the VPLMN.
  • a message processing method provided by an embodiment of the present application includes:
  • S201 Receive a registration request from the UE, obtain SUCI from the registration request, and obtain network element selection information from the SUCI.
  • the network element selection information is used to select a target network element in the HPLMN that does not belong to the MSIN.
  • the network element selection information is a network element selection information ciphertext
  • Obtaining the SUCI from the registration request, and acquiring the network element selection information from the SUCI specifically includes: performing, by the network element selection information decryption function entity, the following operations:
  • the network element selection information master key is obtained by using the network element selection information master key identifier in the SUCI; if the SUCI does not carry the network element selection information master key identifier, the default master key is selected, or the null decryption scheme is used according to the system configuration;
  • the network element selection information is provided to a network element in the HPLMN that needs to perform network element selection or message routing.
  • the network element selection or message routing is performed by using the network element selection information, specifically:
  • the network element that needs to perform network element selection or message routing in the HPLMN forwards the registration request to the target network element according to the network element selection information.
  • the network element that needs to perform network element selection or message routing in the HPLMN adds the obtained network element selection information to the message forwarded to the target network element.
  • a message processing apparatus provided by an embodiment of the present application includes:
  • a memory 620 configured to store program instructions
  • the processor 600 is configured to invoke a program instruction stored in the memory, and execute according to the obtained program:
  • the registration request carries SUCI
  • the SUCI includes network element selection information for selecting a target network element in the HPLMN that does not belong to the MSIN;
  • the device further includes a USIM (not shown in FIG. 7; see FIG. 2); the network element selection information is a network element selection information ciphertext;
  • the USIM derives the network element selection information encryption key from the network element selection information master key and a random value by using the key derivation algorithm;
  • the processor encrypts the network element selection information by using the network element selection information encryption key to obtain the network element selection information ciphertext.
  • the SUCI further includes a network element selection information master key identifier.
  • the network element selection information master key, the network element selection information, and the network element selection information master key identifier are stored in the USIM.
  • the processor does not encrypt the network element selection information, and sets the network element selection information directly in the SUCI.
  • the processor sends the registration request to the VPLMN through the transceiver, and the VPLMN forwards it to the HPLMN.
  • the transceiver 610 is configured to receive and transmit data under the control of the processor 600.
  • the bus architecture may include any number of interconnected buses and bridges, linking together one or more processors represented by processor 600 and various memory circuits represented by memory 620.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be further described herein.
  • the bus interface provides an interface.
  • Transceiver 610 can be a plurality of components, including a transmitter and a receiver, providing means for communicating with various other devices on a transmission medium.
  • the user interface 630 may also be an interface capable of externally connecting the required devices, including but not limited to a keypad, a display, a speaker, a microphone, a joystick, and the like.
  • the processor 600 is responsible for managing the bus architecture and general processing, and the memory 620 can store data used by the processor 600 in performing operations.
  • the processor 600 can be a central processing unit (CPU), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a complex programmable logic device (CPLD).
  • a memory 520 configured to store program instructions
  • the processor 500 is configured to invoke a program instruction stored in the memory, and execute according to the obtained program:
  • receive a registration request from the UE through the transceiver, obtain the SUCI from the registration request, and obtain the network element selection information from the SUCI, the network element selection information being information, not belonging to the MSIN, for selecting a target network element in the HPLMN;
  • the network element selection information is used to perform network element selection or message routing.
  • the network element selection information is a network element selection information ciphertext
  • Obtaining the SUCI from the registration request, and acquiring the network element selection information from the SUCI specifically includes: performing, by the network element selection information decryption function entity, the following operations:
  • the network element selection information master key is obtained by using the network element selection information master key identifier in the SUCI; if the SUCI does not carry the network element selection information master key identifier, the default master key is selected, or the null decryption scheme is used according to the system configuration;
  • the network element selection information is provided to a network element in the HPLMN that needs to perform network element selection or message routing.
  • the device is a network element that needs network element selection or message routing in the HPLMN; and the network element selection or message routing is performed by using the network element selection information, specifically:
  • the registration request is forwarded to the target network element according to the network element selection information.
  • the processor is further configured to append the obtained network element selection information to a message forwarded to the target network element.
  • the transceiver 510 is configured to receive and transmit data under the control of the processor 500.
  • the bus architecture may include any number of interconnected buses and bridges, linking together one or more processors represented by processor 500 and various memory circuits represented by memory 520.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be further described herein.
  • the bus interface provides an interface.
  • Transceiver 510 can be a plurality of components, including a transmitter and a receiver, providing means for communicating with various other devices on a transmission medium.
  • the processor 500 is responsible for managing the bus architecture and general processing, and the memory 520 can store data used by the processor 500 when performing operations.
  • the processor 500 can be a central processing unit (CPU), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a complex programmable logic device (CPLD).
  • another message processing apparatus provided by the embodiment of the present application includes:
  • a determining unit 303 configured to determine a registration request, where the registration request carries an SUCI, where the SUCI includes network element selection information for selecting a target network element in the HPLMN that does not belong to the MSIN;
  • the sending unit 304 is configured to send the registration request to the network side.
  • another message processing apparatus provided by the embodiment of the present application includes:
  • the first unit 301 is configured to receive a registration request from the user equipment UE, obtain the SUCI from the registration request, and obtain the network element selection information from the SUCI; the network element selection information is information, not belonging to the MSIN, for selecting a target network element in the HPLMN;
  • the second unit 302 is configured to perform network element selection or message routing by using the network element selection information.
  • a memory for storing program instructions and storing network element selection information
  • a processor configured to invoke a program instruction stored in the memory, and execute according to the obtained program:
  • the memory further stores the network element selection information master key; the processor derives the network element selection information encryption key from the network element selection information master key and a random value by using the key derivation algorithm.
  • the memory further stores a network element selection information master key and a network element selection information master key identifier.
  • the embodiment of the present application provides a computing device, which may be a desktop computer, a portable computer, a smart phone, a tablet computer, a personal digital assistant (PDA), etc.
  • the computing device may include a central processing unit (CPU), a memory, input/output devices, etc.
  • the input device may include a keyboard, a mouse, a touch screen, etc.
  • the output device may include a display device such as a liquid crystal display (LCD), a cathode ray tube (CRT), etc.
  • the memory can include read only memory (ROM) and random access memory (RAM) and provides the processor with program instructions and data stored in the memory.
  • the memory may be used to store a program of any of the methods provided by the embodiments of the present application.
  • the processor is configured to execute any of the methods provided by the embodiments of the present application in accordance with the obtained program instructions by calling a program instruction stored in the memory.
  • the embodiment of the present application provides a computer storage medium for storing the computer program instructions used by the apparatus provided in the foregoing embodiment of the present application, and includes a program for executing any of the methods provided by the foregoing embodiments of the present application.
  • the computer storage medium can be any available media or data storage device accessible by a computer, including but not limited to magnetic storage (eg, floppy disk, hard disk, magnetic tape, magneto-optical disk (MO), etc.), optical storage (eg, CD, DVD, BD, HVD, etc.), and semiconductor memories (for example, ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH), solid-state hard disk (SSD)).
  • the method provided by the embodiment of the present application can be applied to a terminal device, and can also be applied to a network device.
  • the terminal device may also be referred to as a user equipment (User Equipment, referred to as "UE"), a mobile station (Mobile Station, referred to as "MS”), a mobile terminal (Mobile Terminal), etc.
  • the terminal may be capable of communicating with one or more core networks via a Radio Access Network (RAN); for example, the terminal can be a mobile phone (or "cellular" phone), or a computer with mobile capability, etc.
  • the terminal can also be a portable, pocket, handheld, computer built-in or in-vehicle mobile device.
  • the network device may be a core network device or an access network device, etc., for example, may be a base station (e.g., an access point), and refers to a device in the access network that communicates with the wireless terminal over one or more sectors on the air interface.
  • the base station can be used to convert the received air frame to the IP packet as a router between the wireless terminal and the rest of the access network, wherein the remainder of the access network can include an Internet Protocol (IP) network.
  • the base station can also coordinate the management of attributes of the air interface.
  • the base station may be a base transceiver station (BTS) in a Global System for Mobile communication (GSM) or Code Division Multiple Access (CDMA) system, a NodeB in a Wideband Code Division Multiple Access (WCDMA) system, an evolved base station (eNB or e-NodeB, evolutional Node B) in LTE, or a gNB in a 5G system or the like; this is not limited in the embodiments of the present application.
  • the above method processing flow can be implemented by a software program, which can be stored in a storage medium, and when the stored software program is called, the above method steps are performed.
  • the SUCI includes a network element selection information ciphertext for selecting a target network element in the HPLMN, and possibly key indication information related to the ciphertext.
  • the network element selection information is meaningless to the VPLMN.
  • the network element selection information may be protected by a key-based security mechanism to prevent the message from being eavesdropped on during transmission, which would leak private information; the encrypted information can only be decrypted by the HPLMN.
  • the network element selection information, the network element selection information master key, and the network element selection information master key identifier should be stored in the USIM.
  • the network element selection information master key and the network element selection information master key identifier are optional.
  • derivation of the network element selection information encryption key is performed in the USIM: the USIM performs a key derivation operation with the network element selection information master key, the random value (nonce) carried in the SUCI, and other possible input parameters, and obtains the network element selection information encryption key.
  • if the network element selection information master key identifier is not included in the SUCI, the HPLMN uses the default master key for key derivation and decryption by default.
  • alternatively, the UE uses the null encryption scheme by default, that is, performs neither key derivation nor encryption; in that case the UE adds the network element selection information stored in the USIM directly to the SUCI and does not include the network element selection information master key identifier in the SUCI.
  • the network element in the HPLMN that needs to use the network element selection information provided by the SUCI for network element selection or routing should invoke the network element selection information decryption function to decrypt or parse the network element selection information ciphertext included in the SUCI, and needs to provide the decryption function with the network element selection information ciphertext, the network element selection information master key identifier, and the nonce from the SUCI.
  • the network element selection information master key identifier is an optional item.
  • the network element selection information decryption function acquires the corresponding network element selection information master key by using the network element selection information master key identifier; if the network element selection information master key identifier is empty, the default master key is used, or the null decryption scheme is used according to the system configuration.
  • the network element selection information decryption function derives the network element selection information decryption key by using the key derivation algorithm with the network element selection information master key, the value of the nonce in the SUCI, and other possible parameters.
  • the network element selection information decryption function decrypts the network element selection information ciphertext by using the network element selection information decryption key, and obtains the network element selection information.
  • the network element that needs network element selection or message routing in the HPLMN forwards the registration request message to the target network element according to the network element selection information, and optionally adds the obtained network element selection information to the forwarded message, so that subsequent network elements can directly use the network element selection information for subsequent network element selection and message routing.
  • the embodiment of the present application provides a technical solution for privacy protection of network element selection or routing information required in the registration process in the HPLMN.
  • embodiments of the present application can be provided as a method, system, or computer program product.
  • the present application can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment in combination of software and hardware.
  • the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising instruction means, and the instruction means implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
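The UE/USIM-side construction of the SUCI (network element selection information encrypted under a key derived from the master key and a nonce, with an optional master key identifier, or the null scheme) and the HPLMN-side decryption function and routing step described in the bullets above, as an added worked example in Python. This is illustrative code written for this page, not the patent's or any operator's implementation. The key derivation function (HMAC-SHA256), the cipher (a SHA-256 counter-mode keystream), the integrity tag, the dict-shaped SUCI, the key identifiers, the sample keys and the routing table are all assumptions that the page does not specify.

```python
"""Toy model of the SUCI flow described above: the UE/USIM builds a SUCI
carrying encrypted network element selection information (NESI); the HPLMN
decrypts it and routes the registration request. Added example; the KDF,
cipher, tag and SUCI encoding are assumptions, not taken from the page."""
import hashlib
import hmac
import os

KDF_LABEL = b"NESI-enc-key"   # assumed KDF label (not specified by the page)
TAG_LEN = 8                   # assumed tag length (the tag is an addition)

# Constructed key material: the HPLMN holds a default master key plus keys
# addressed by a network element selection information master key identifier.
HPLMN_MASTER_KEYS = {
    "default": bytes.fromhex("00" * 32),
    "1": bytes.fromhex("11" * 32),
}


def derive_key(master_key: bytes, nonce: bytes) -> bytes:
    """Key derivation: master key + nonce -> NESI encryption/decryption key.
    HMAC-SHA256 stands in for the page's unspecified key derivation algorithm."""
    return hmac.new(master_key, KDF_LABEL + nonce, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_nesi(key: bytes, nonce: bytes, nesi: bytes) -> bytes:
    """Return ciphertext || tag. The tag is not in the page's scheme; it makes
    a modified ciphertext fail instead of decrypting to bogus routing data."""
    ct = bytes(p ^ k for p, k in zip(nesi, _keystream(key, nonce, len(nesi))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def decrypt_nesi(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("network element selection information tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# ---- UE / USIM side --------------------------------------------------------
def build_suci(mcc, mnc, msin_ct, nesi, master_key=None, master_key_id=None):
    """Return a SUCI (modelled as a dict). With master_key=None the null
    scheme is used: NESI is placed in the SUCI in clear and no key id is sent.
    A fresh nonce is drawn per SUCI so repeated registrations never carry the
    same ciphertext."""
    suci = {"mcc": mcc, "mnc": mnc, "msin_ct": msin_ct}
    if master_key is None:
        suci["nesi"] = nesi
        return suci
    nonce = os.urandom(16)
    suci["nonce"] = nonce
    suci["nesi_ct"] = encrypt_nesi(derive_key(master_key, nonce), nonce, nesi)
    if master_key_id is not None:          # the identifier is optional
        suci["nesi_key_id"] = master_key_id
    return suci


# ---- HPLMN side -------------------------------------------------------------
def nesi_decryption_function(suci, master_keys=HPLMN_MASTER_KEYS,
                             allow_null_scheme=True):
    """The network element selection information decryption function."""
    if "nesi_ct" not in suci:                      # null scheme
        if not allow_null_scheme:
            raise ValueError("null scheme rejected by system configuration")
        return suci["nesi"]
    key_id = suci.get("nesi_key_id", "default")    # no id -> default master key
    if key_id not in master_keys:
        raise ValueError(f"unknown master key identifier {key_id!r}")
    key = derive_key(master_keys[key_id], suci["nonce"])
    return decrypt_nesi(key, suci["nonce"], suci["nesi_ct"])


def route_registration(suci, routing_table):
    """HPLMN network element: select the target and forward, appending the
    clear NESI so downstream elements need not call the decryption function."""
    nesi = nesi_decryption_function(suci)
    if nesi not in routing_table:
        raise LookupError("no target network element for this selection info")
    return {"target": routing_table[nesi], "suci": suci, "nesi": nesi}
```

The integrity tag goes beyond the page's scheme, which only mentions encryption; without it a flipped ciphertext bit would decrypt to arbitrary routing information instead of being rejected. Drawing a fresh nonce per SUCI matters for the stated privacy goal: with a fixed nonce the same subscriber's selection ciphertext would be identical across registrations and therefore linkable by an eavesdropper in the VPLMN. The default-key and null-scheme branches follow the fallbacks the bullets describe, with the null scheme made switchable by configuration.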

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a message processing method and device, used to accurately route a registration request from a user equipment (UE) to a target network element. The message processing method according to embodiments of the present invention comprises the following steps: a UE determines a registration request, the registration request carrying a subscription concealed identifier (SUCI), and the SUCI comprising network element selection information which does not belong to a mobile subscriber identification number (MSIN) and which is used to select a target network element from a home public land mobile network (HPLMN); the UE sends the registration request to a network side.
PCT/CN2019/079106 2018-05-11 2019-03-21 Procédé et dispositif de traitement de message WO2019214351A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810447733.8A CN110475247A (zh) 2018-05-11 2018-05-11 消息处理方法及装置
CN201810447733.8 2018-05-11

Publications (1)

Publication Number Publication Date
WO2019214351A1 true WO2019214351A1 (fr) 2019-11-14

Family

ID=68467286

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/079106 WO2019214351A1 (fr) 2018-05-11 2019-03-21 Procédé et dispositif de traitement de message

Country Status (2)

Country Link
CN (1) CN110475247A (fr)
WO (1) WO2019214351A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113840273A (zh) * 2021-09-18 2021-12-24 中国联合网络通信集团有限公司 用户隐藏标识符生成方法、终端、usim、设备及介质

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113543126B (zh) * 2020-03-31 2023-02-28 华为技术有限公司 密钥获取方法及装置
CN113709729B (zh) * 2020-05-22 2023-05-23 维沃移动通信有限公司 数据处理方法、装置、网络设备及终端
CN111770496B (zh) * 2020-06-30 2022-08-02 中国联合网络通信集团有限公司 一种5g-aka鉴权的方法、统一数据管理网元及用户设备
CN114040386A (zh) * 2020-07-21 2022-02-11 中国移动通信有限公司研究院 一种重放消息的确定方法、装置及设备
CN112235736B (zh) * 2020-10-13 2022-04-15 中国联合网络通信集团有限公司 漫游场景下的用户标识认定方法

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CATT: "3GPP Draft; S 3-180837 pCR to TS33.501 - SIDF description", 3RD GENERATION PARTNERSHIP PROJECT (3GPP, 19 February 2018 (2018-02-19), XP051409248 *
VODAFONE: "3GPP Draft; S 3-180763 pCR to 33.501-addition of routing information into SUCI", 3RD GENERATION PARTNERSHIP PROJECT (3GPP, 19 February 2018 (2018-02-19), XP051409176 *
VODAFONE: "Encryption Protocol issues identified by ETSI SAGE", 3RD GENERATION PARTNERSHIP PROJECT - S 3-173260 -PCR TO 33.501-SUPI, 20 November 2017 (2017-11-20), XP051380510 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113840273A (zh) * 2021-09-18 2021-12-24 中国联合网络通信集团有限公司 用户隐藏标识符生成方法、终端、usim、设备及介质
CN113840273B (zh) * 2021-09-18 2023-05-09 中国联合网络通信集团有限公司 用户隐藏标识符生成方法、终端、usim、设备及介质

Also Published As

Publication number Publication date
CN110475247A (zh) 2019-11-19

Similar Documents

Publication Publication Date Title
US10674355B2 (en) Apparatuses and methods for wireless communication
WO2019214351A1 (fr) Procédé et dispositif de traitement de message
US9077690B2 (en) Preservation of user data privacy in a network
US11510052B2 (en) Identity information processing method, device, and system
KR102398221B1 (ko) 무선 직접통신 네트워크에서 비대칭 키를 사용하여 아이덴티티를 검증하기 위한 방법 및 장치
US11974132B2 (en) Routing method, apparatus, and system
US10798082B2 (en) Network authentication triggering method and related device
WO2020029729A1 (fr) Procédé et dispositif de communication
US11909869B2 (en) Communication method and related product based on key agreement and authentication
WO2018076740A1 (fr) Procédé de transmission de données et dispositif associé
US20230344626A1 (en) Network connection management method and apparatus, readable medium, program product, and electronic device
EP4021048A1 (fr) Procédé et appareil d'authentification d'identité
JP2020535768A (ja) パラメータ保護方法及びデバイス、並びに、システム
US20210250762A1 (en) Key generation method, device, and system
WO2018053804A1 (fr) Procédé de protection de chiffrement et dispositif associé
CN116746182A (zh) 安全通信方法及设备
CN109586899B (zh) 信令操作及其指示方法、装置及计算机存储介质
WO2022237561A1 (fr) Procédé et appareil de communication
WO2021082558A1 (fr) Procédé de contrôle d'accès pour tranche de réseau, appareil et support de stockage
US20210385088A1 (en) Network access method, user equipment, network entity, and storage medium
US10841792B2 (en) Network connection method, method for determining security node, and apparatus
US20240114345A1 (en) Method and apparatus for lawful interception for akma roaming architecture
WO2023213205A1 (fr) Procédé et appareil de communication
WO2024078922A1 (fr) Gestion de clés pour des applications

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19800037

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19800037

Country of ref document: EP

Kind code of ref document: A1