WO2020029729A1 - A communication method and device - Google Patents
- Publication number: WO2020029729A1 (PCT/CN2019/094818)
- Authority: WO (WIPO, PCT)
- Prior art keywords: user information, entity, request, udm, amf
Classifications (all under H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS)
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
  - H04W12/03—Protecting confidentiality, e.g. by encryption
    - H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
  - H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
    - H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
      - H04W12/0431—Key distribution or pre-distribution; Key agreement
  - H04W12/40—Security arrangements using identity modules
    - H04W12/45—Security arrangements using identity modules using multiple identity modules
  - H04W12/60—Context-dependent security
    - H04W12/69—Identity-dependent
      - H04W12/75—Temporary identity
- H04W80/00—Wireless network protocols or protocol adaptations to wireless operation
  - H04W80/08—Upper layer protocols
    - H04W80/10—Upper layer protocols adapted for application session management, e.g. SIP [Session Initiation Protocol]
Definitions
- the present application relates to the field of communication technologies, and in particular, to a communication method and device.
- 5G mobile communication networks will not only serve individual consumers but, more importantly, different industries. For example, sectors such as healthcare, smart home, and intelligent transportation can place their business data on 5G network platforms, that is, on 5G core networks.
- when a user equipment (UE) wants to access service data, it accesses the core network.
- the UE can access the core network through multiple access technologies (AT), such as 3rd Generation Partnership Project (3GPP) access technology.
- No matter which AT the UE uses to access the core network, once it is connected the interaction information between the various network function (NF) entities on the core network side directly carries the user information of the UE. If the UE's user information leaks, user privacy is compromised.
- the embodiments of the present application provide a communication method and device, which help reduce the possibility of user information leakage during the information interaction process between the various NF entities on the core network side.
- an embodiment of the present application provides a communication method.
- This method can be applied to a communication device, such as an AMF entity.
- the method includes: the AMF receives a first PDU session creation request sent by the UE, where the first PDU session creation request is used to request creation of a PDU session; the AMF encrypts the user information of the UE to obtain encrypted user information; the AMF sends a second PDU session creation request to the SMF, and the encrypted user information is carried in the second PDU session creation request; the SMF is configured to invoke a UPF according to the second PDU session creation request, and the UPF creates the PDU session for the UE.
- the AMF entity encrypts the user information of the UE to obtain the encrypted user information.
- the interaction information between the AMF entity and other NF entities does not directly carry the user information, but instead carries the encrypted user information.
- the interaction information between each NF entity (such as the AMF entity and the SMF entity) carries encrypted user information, which helps prevent the leakage of user privacy.
- the AMF receives a first decryption request sent by a UDM, and the first decryption request carries the encrypted user information; the AMF decrypts the encrypted user information to obtain the user information; the AMF sends the user information to the UDM.
- the AMF receives a second decryption request sent by the PCF, and the second decryption request carries the encrypted user information; the AMF decrypts the encrypted user information to obtain the user information; the AMF sends the user information to the PCF.
- the AMF receives a third decryption request sent by the CHF, and the third decryption request carries the encrypted user information; the AMF decrypts the encrypted user information to obtain the user information; the AMF sends the user information to the CHF.
- an embodiment of the present application provides a communication method.
- This method can be applied to a communication device, such as a UDM entity.
- the method includes: a UDM receives a request sent by an SMF for obtaining the UE's subscription information, the request carrying the encrypted user information of the UE; the UDM decrypts the encrypted user information to obtain the user information; the UDM determines the subscription information of the UE according to the user information; the UDM sends the subscription information to the SMF.
- the interaction information between the UDM and the SMF in the core network does not directly carry user information, but carries encrypted user information.
- the SMF is likely to be moved down to the edge cloud. With this method the SMF never directly handles the user information, which helps prevent the leakage of user privacy.
- the UDM decrypting the encrypted user information to obtain the user information includes: the UDM sends a first decryption request to the AMF, where the first decryption request is used to request decryption of the encrypted user information; the UDM receives from the AMF the user information obtained by decrypting the encrypted user information.
- the UDM decrypting the encrypted user information to obtain the user information includes: the UDM decrypts the encrypted user information with a key to obtain the user information.
- the UDM receives a second decryption request sent by the PCF, where the second decryption request is used to request decryption of the encrypted user information; the UDM decrypts the encrypted user information with a key to obtain the user information; the UDM sends the user information to the PCF.
- the UDM receives a third decryption request sent by the CHF, where the third decryption request is used to request decryption of the encrypted user information; the UDM decrypts the encrypted user information with a key to obtain the user information; the UDM sends the user information to the CHF.
- an embodiment of the present application provides a communication method, which is applicable to a communication device, such as a PCF entity.
- the method includes: the PCF receives request information sent by the SMF, where the request information is used to request the session management policy of the UE and carries the encrypted user information of the UE; the PCF decrypts the encrypted user information to obtain the user information; the PCF determines the session management policy of the UE according to the user information; the PCF sends the session management policy to the SMF.
- the interaction information between the PCF and the SMF in the core network does not directly carry user information, but carries encrypted user information.
- the SMF is likely to be moved down to the edge cloud. With this method the SMF never directly handles the user information, which helps prevent the leakage of user privacy.
- the PCF decrypting the encrypted user information to obtain the user information includes: the PCF sends a decryption request to the AMF, where the decryption request is used to request decryption of the encrypted user information; the PCF receives from the AMF the user information obtained by decrypting the encrypted user information.
- the PCF decrypting the encrypted user information to obtain the user information includes: the PCF decrypts the encrypted user information with a key to obtain the user information.
- the PCF decrypting the encrypted user information to obtain the user information includes: the PCF sends a decryption request to the UDM, where the decryption request is used to request decryption of the encrypted user information; the PCF receives the user information sent by the UDM, which the UDM obtained by decrypting the encrypted user information with a key.
- an embodiment of the present application provides a communication method, which is applicable to a communication device, such as a CHF entity.
- the method includes: the CHF receives a charging request sent by the SMF, where the charging request is used to request that fee information be recorded for the UE and carries the encrypted user information of the UE; the CHF decrypts the encrypted user information to obtain the user information; the CHF charges the UE according to the user information.
- the interaction information between the CHF and the SMF in the core network does not directly carry user information, but carries encrypted user information.
- the SMF is likely to be moved down to the edge cloud. With this method the SMF never directly handles the user information, which helps prevent the leakage of user privacy.
- the CHF decrypting the encrypted user information to obtain the user information includes: the CHF sends a decryption request to the AMF, where the decryption request is used to request decryption of the encrypted user information; the CHF receives from the AMF the user information obtained by decrypting the encrypted user information.
- the CHF decrypting the encrypted user information to obtain the user information includes: the CHF decrypts the encrypted user information with a key to obtain the user information.
- the CHF decrypting the encrypted user information to obtain the user information includes: the CHF sends a decryption request to the UDM, where the decryption request is used to request decryption of the encrypted user information; the CHF receives the user information sent by the UDM, which the UDM obtained by decrypting the encrypted user information with a key.
- the user information includes one or more of a subscription permanent identifier (SUPI), an international mobile subscriber identity (IMSI), and a mobile station ISDN number (MSISDN).
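The PDU-session flow the aspects above describe, as an added example that is not the applicant's code: the AMF encrypts the user information, the SMF only forwards the ciphertext, the UDM decrypts with a key it shares with the AMF, the PCF sends its decryption request to the AMF, and the CHF sends its decryption request to the UDM. The page names no cipher or message format, so the HMAC-based encrypt-then-MAC construction, the field names and the sample SUPI/MSISDN are assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed sample (not a real subscriber): what the AMF holds after resolving SUCI -> SUPI.
SAMPLE_USER_INFO = {"supi": "imsi-001010123456789", "msisdn": "+10000000001"}
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    # Hypothetical stand-in cipher (the page only says "a key"): HMAC-SHA256 in counter
    # mode keeps the example dependency-free; a deployment would use an AEAD such as AES-GCM.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt_user_info(key, plaintext):
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"enc-user-info" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_user_info(key, blob):
    # Verify the tag first so anything altered in transit is rejected, not decrypted.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"enc-user-info" + nonce + ct, hashlib.sha256).digest()
    if len(blob) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted user information rejected")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class AMF:  # encrypts user information and answers decryption requests
    def __init__(self, key):
        self.key = key
    def handle_pdu_session_request(self, user_info, smf):
        # The UE's first request becomes a second request to the SMF carrying only ciphertext.
        enc = encrypt_user_info(self.key, json.dumps(user_info).encode())
        return smf.create_pdu_session({"enc_user_info": enc, "dnn": "internet"})
    def decrypt_request(self, enc):
        return json.loads(decrypt_user_info(self.key, enc))

class SMF:  # edge-cloud NF: forwards the ciphertext and never holds a key
    def __init__(self, udm, pcf, chf):
        self.udm, self.pcf, self.chf, self.seen = udm, pcf, chf, []
    def create_pdu_session(self, req):
        self.seen.append(req)
        enc = req["enc_user_info"]
        subscription = self.udm.get_subscription({"enc_user_info": enc})
        policy = self.pcf.get_sm_policy({"enc_user_info": enc})
        self.chf.charging_request({"enc_user_info": enc, "rating_group": 1})
        return {"subscription": subscription, "policy": policy}

class UDM:  # shares the key with the AMF and decrypts locally
    def __init__(self, key, subscriptions):
        self.key, self.subscriptions = key, subscriptions
    def get_subscription(self, req):
        info = json.loads(decrypt_user_info(self.key, req["enc_user_info"]))
        return self.subscriptions[info["supi"]]
    def decrypt_for_peer(self, enc):  # decryption service the PCF or CHF may call instead
        return json.loads(decrypt_user_info(self.key, enc))

class PCF:  # holds no key: sends a decryption request to the AMF
    def __init__(self, amf, policies):
        self.amf, self.policies = amf, policies
    def get_sm_policy(self, req):
        info = self.amf.decrypt_request(req["enc_user_info"])
        return self.policies[info["supi"]]

class CHF:  # holds no key: sends a decryption request to the UDM
    def __init__(self, udm):
        self.udm, self.records = udm, []
    def charging_request(self, req):
        info = self.udm.decrypt_for_peer(req["enc_user_info"])
        self.records.append((info["supi"], req["rating_group"]))

def run_pdu_session_flow():
    key = os.urandom(32)
    amf = AMF(key)
    udm = UDM(key, {SAMPLE_USER_INFO["supi"]: {"dnn": ["internet"], "slice": "eMBB"}})
    pcf = PCF(amf, {SAMPLE_USER_INFO["supi"]: {"5qi": 9}})
    smf = SMF(udm, pcf, CHF(udm))
    return amf.handle_pdu_session_request(SAMPLE_USER_INFO, smf), smf

def smf_saw_plaintext(smf, user_info=SAMPLE_USER_INFO):
    # True if any message the SMF handled carried the SUPI or MSISDN in the clear.
    flat = b"".join(v if isinstance(v, bytes) else str(v).encode()
                    for msg in smf.seen for v in msg.values())
    return any(needle.encode() in flat for needle in user_info.values())

def tampered_blob_rejected(key=b"k" * 32):
    # A flipped ciphertext byte must be detected rather than decrypted to garbage.
    blob = bytearray(encrypt_user_info(key, b"imsi-000000000000000"))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt_user_info(key, bytes(blob))
        return False
    except ValueError:
        return True
```

`smf_saw_plaintext` checks the property the application argues for: every message the SMF handles carries only the ciphertext. The tamper check shows a caveat the page does not state: the encryption must be authenticated, or a compromised edge NF could alter the identity that the UDM, PCF or CHF act on.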
- a communication device has the function of implementing AMF in the above method design. These functions can be realized by hardware, and can also be implemented by hardware executing corresponding software.
- the hardware or software includes one or more units corresponding to the functions described above.
- the structure of the communication device may include a receiver, a processor, and a transmitter.
- the receiver, processor, and transmitter may perform corresponding functions in the method provided by the first aspect or any one of the possible designs of the first aspect.
- a communication device has the function of realizing the UDM in the above method design. These functions can be realized by hardware, and can also be implemented by hardware executing corresponding software.
- the hardware or software includes one or more units corresponding to the functions described above.
- the structure of the communication device may include a receiver, a processor, and a transmitter.
- the receiver, the processor, and the transmitter may perform corresponding functions in the method provided by the second aspect or any one of the possible designs of the second aspect.
- a communication device has the function of realizing the PCF in the above method design. These functions can be realized by hardware, and can also be implemented by hardware executing corresponding software.
- the hardware or software includes one or more units corresponding to the functions described above.
- the structure of the communication device may include a receiver, a processor, and a transmitter.
- the receiver, the processor, and the transmitter may perform corresponding functions in the method provided by the third aspect or any one of the possible designs of the third aspect.
- a communication device has the function of realizing the CHF in the above method design. These functions can be realized by hardware, and can also be implemented by hardware executing corresponding software.
- the hardware or software includes one or more units corresponding to the functions described above.
- the structure of the communication device may include a receiver and a processor.
- the receiver and the processor may perform corresponding functions in the method provided by the fourth aspect or any one of the possible designs of the fourth aspect.
- a communication device may be an AMF or a functional module such as a chip provided in the AMF.
- the communication device includes a memory for storing computer executable program code, a transceiver, and a processor, and the processor is coupled to the memory and the transceiver.
- the program code stored in the memory includes instructions. When the processor executes the instructions, the instructions cause the communication device to execute the method performed by the AMF in the first aspect or any one of the possible designs of the first aspect.
- a communication device may be a UDM, or a functional module such as a chip set in the UDM.
- the communication device includes a memory for storing computer executable program code, a transceiver, and a processor, and the processor is coupled to the memory and the transceiver.
- the program code stored in the memory includes instructions. When the processor executes the instructions, the instructions cause the communication device to execute the method performed by the UDM in the second aspect or any one of the possible designs of the second aspect.
- a communication device may be a PCF, or a functional module such as a chip provided in the PCF.
- the communication device includes a memory for storing computer executable program code, a transceiver, and a processor, and the processor is coupled to the memory and the transceiver.
- the program code stored in the memory includes instructions. When the processor executes the instructions, the instructions cause the communication device to execute the method performed by the PCF in the third aspect or any one of the possible designs of the third aspect.
- a communication device may be a CHF, or a functional module such as a chip provided in the CHF.
- the communication device includes a memory for storing computer executable program code, a transceiver, and a processor, and the processor is coupled to the memory and the transceiver.
- the program code stored in the memory includes instructions. When the processor executes the instructions, the instructions cause the communication device to perform the method performed by the CHF in the fourth aspect or any one of the possible designs of the fourth aspect.
- an embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium includes a computer program, and when the computer program runs on the AMF, the AMF executes the method of the first aspect or of any possible design of the first aspect.
- an embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium includes a computer program, and when the computer program runs on a UDM, the UDM executes the method of the second aspect or of any possible design of the second aspect.
- an embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium includes a computer program, and when the computer program runs on the PCF, the PCF executes the method of the third aspect or of any possible design of the third aspect.
- an embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium includes a computer program, and when the computer program runs on the CHF, the CHF executes the method of the fourth aspect or of any possible design of the fourth aspect.
- an embodiment of the present application further provides a computer program product that, when the computer program product runs on an AMF, causes the AMF to execute the first aspect or any one of the possible designs of the first aspect.
- an embodiment of the present application further provides a computer program product that, when the computer program product runs on a UDM, causes the UDM to execute the second aspect or any one of the possible designs of the second aspect.
- an embodiment of the present application further provides a computer program product that, when the computer program product runs on a PCF, causes the PCF to implement the third aspect or any one of the possible designs of the third aspect.
- an embodiment of the present application further provides a computer program product that, when the computer program product runs on a CHF, causes the CHF to execute the fourth aspect or any one of the possible designs of the fourth aspect.
- FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present application.
- FIG. 2 is a schematic diagram of information interaction between various NFs in a core network in the prior art.
- FIG. 3 is a schematic diagram of another application scenario according to an embodiment of the present application.
- FIG. 4 is a schematic diagram of another application scenario according to an embodiment of the present application.
- FIG. 5A is a schematic diagram of an application scenario for establishing a PDU session according to an embodiment of the present application.
- FIG. 5B is a schematic flowchart of a communication method according to an embodiment of the present application.
- FIG. 6A is a schematic diagram of an application scenario for establishing a PDU session according to an embodiment of the present application.
- FIG. 6B is a schematic flowchart of a communication method according to an embodiment of the present application.
- FIG. 7A is a schematic diagram of an application scenario for establishing a PDU session according to an embodiment of the present application.
- FIG. 7B is a schematic flowchart of a communication method according to an embodiment of the present application.
- FIG. 8 is a schematic structural diagram of a communication device according to an embodiment of the present application.
- FIG. 9 is a schematic structural diagram of a communication device according to an embodiment of the present application.
- the user equipment UE involved in this embodiment of the present application may be a wireless terminal device or a wired terminal device.
- the wireless terminal device may be a device that provides voice and/or other business data connectivity to the user, a handheld device with a wireless connection function, or other processing equipment connected to a wireless modem.
- a wireless terminal device can communicate with one or more core networks via a radio access network (RAN).
- the wireless terminal device can be a mobile terminal, such as a mobile phone (or "cellular" phone), or a computer with a mobile terminal, for example a portable, pocket-sized, handheld, built-in, wearable, or vehicle-mounted mobile device that exchanges voice and/or data with the radio access network.
- a wireless terminal device can also be called a system, a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, an access terminal, a user terminal, a user agent, or a user equipment (user device).
- the radio access network RAN involved in the embodiments of the present application is a network device capable of implementing radio physical layer functions, resource scheduling and radio resource management, radio access control, and mobility management functions.
- Take a base station in an access network as an example of the RAN: it communicates with wireless terminal devices through one or more sectors over the air interface.
- the base station can be used to convert the received air frames and IP packets to each other, and serve as a router between the terminal device and the rest of the access network, where the rest of the access network can include the IP network.
- the base station can also coordinate the attribute management of the air interface.
- the base station may include an evolved base station (nodeB, eNB, e-NodeB, or evolutional node B) in a long term evolution (LTE) system or an evolved LTE system (LTE-advanced, LTE-A), or it may include a next generation node B (gNB) in a 5G system, which is not limited in the embodiment of the present invention.
- the core network in the embodiment of the present application includes multiple NF entities, such as: an access and mobility management function (AMF) entity (hereinafter referred to as AMF entity), a session management function (SMF) entity (hereinafter referred to as SMF entity), a policy control function (PCF) entity (hereinafter referred to as PCF entity), a user plane function (UPF) entity (hereinafter referred to as UPF entity), a data network (DN) entity (hereinafter referred to as DN entity), an authentication server function (AUSF) entity, and a unified data management (UDM) entity.
- the core network side also includes other NF entities.
- the above types are just examples, which are not limited in the embodiments of the present application.
- each NF entity is as follows:
- the AMF entity is mainly responsible for UE registration, authentication management, UE connection management and mobility management, network slice selection, SMF entity selection, and other functions.
- the AMF entity can establish a control plane signaling connection with the RAN to implement functions such as radio access bearer control.
- the SMF entity connects to the AMF entity (for example, through the N11 interface) and is mainly responsible for all control plane functions of UE session management, including selection of the UPF entity and selection of the UDM entity; it is also responsible for obtaining the UE's session management policy from the PCF entity.
- the UDM entity is connected to the SMF entity (for example, connected through the N10 interface), and is used to register a PDU session context for the UE and store the subscription context of the UE.
- the UDM entity is also connected to the AUSF entity (for example, connected through the N13 interface).
- the UDM entity sends the user authentication set of the UE to the AUSF entity, and the AUSF entity authenticates the UE.
- the AUSF entity is connected to the AMF entity (for example, connected through an N12 interface) and is used to obtain a security authentication vector, which is used to perform security authentication between the UE and the network.
- the PCF entity is connected to the SMF entity (for example, connected through an N7 interface), and is configured to obtain a session management policy of the UE and provide the session management policy of the UE to the SMF entity.
- the CHF entity is connected to the SMF entity and is responsible for the charging function of the UE and supports offline and online charging functions of the user.
- the UPF entity is connected to the SMF entity (for example, connected through the N4 interface), and is responsible for filtering data packets, data transmission or forwarding, and rate control of the UE.
- the DN entity is connected to the UPF entity (for example, connected through the N6 interface), and is used to store service data; it also receives uplink data sent by the UE, generates downlink data for the UE according to the uplink data, and sends the downlink data to the UE.
- the core network may also include a unified data repository (UDR) entity.
- UDR entities can be used to store data for UDM entities and PCF entities.
- UDRs can be used to store subscription information and session management policies.
- UDR entities can be connected to UDM entities and PCF entities, respectively. The UDM entity can obtain the subscription information from the UDR, and the PCF entity can obtain the session management policy from the UDR.
- the subscription information may include service information subscribed to by the UE, and the like, and the session management policy may include package information ordered by the UE, and so on.
- the subscription information or the session management information may also have other names; for example, the session management policy may also be referred to as policy information, and the embodiment of the present application does not limit this.
- each NF entity shown in the above figure may be a single physical device, or two or more entities may be integrated on the same physical device, which is not specifically limited in the embodiment of the present invention. It should be understood that the name "entity" is not limited in the embodiments of the present application, and may have other names, such as "network element", "network element device", "gateway", or "gateway device".
- FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present application.
- the UE includes a smart phone and a portable computer as an example, and the RAN uses a base station as an example.
- the enterprise can store business data in the core network.
- when the UE wants to access the business data of the enterprise, it enters the core network through the base station and obtains the business data from the core network.
- the core network includes multiple NF entities.
- the interaction information between the various NF entities on the core network side will carry the user information of the UE, which may lead to disclosure of user information.
- FIG. 2 is a schematic diagram of a process for establishing a PDU session by the UE in the prior art.
- the UE sends a PDU session creation request to the RAN, and the PDU session creation request carries a Subscriber Concealed Identifier (SUCI).
- SUPI Subscription Permanent Identifier
- the RAN sends the PDU session creation request to an AMF entity.
- the AMF entity obtains SUPI according to SUCI (for example, AMF can call UDM and parse SUCI to obtain SUPI through UDM).
- the AMF entity sends a request message for creating a PDU session context to the SMF entity, and the request message carries SUPI.
- the SMF entity sends request information for registering the PDU session context to the UDM entity, and the request information carries SUPI.
- the SMF entity sends a request message for acquiring a session management policy to the PCF entity, and the request message also carries SUPI.
- in the communication method provided in the embodiment of the present application, the interaction information between the NF entities in the core network carries encrypted user information, to prevent leakage of user privacy.
- This method can be applied to the application scenario shown in FIG. 1, and of course, it can also be applied to other application scenarios. Two other application scenarios are listed below.
- the location of each NF entity in the core network may be different. Therefore, the core network has a distinction between edge clouds and center clouds. Some NF entities are deployed in the edge cloud, and some NF entities are deployed in the central cloud. For example, in order to shorten data routing, reduce transmission costs, and reduce service delay, the SMF entity and / or the UPF entity may be moved down to the edge cloud near the base station.
- FIG. 3 is a schematic diagram of an example of another application scenario provided by an embodiment of the present application.
- the SMF entity and the UPF entity are moved down to the edge cloud near the base station.
- the enterprise can store business data in the DN entity in the core network. When the user's UE wants to access the business data of the enterprise, it enters the core network through the base station and obtains the business data in the DN entity by way of the NF entities in the edge cloud and in the central cloud.
- NF entities deployed in the edge cloud face security risks such as limited hardware resources and unattended operation, which make them easier to compromise and control. Therefore, if the information exchanged between the NF entities in the core network (especially those deployed in the edge cloud) still directly carries user information, user privacy is more easily leaked.
- Figure 3 only takes the SMF entity and the UPF entity being moved down to the edge cloud near the base station as an example.
- other NF entities in the core network may also be moved down to the edge cloud; no matter which NF entity is moved down to the edge cloud, the communication method provided in the embodiment of the present application is applicable and can be adopted to reduce the possibility of leaking user privacy during the information interaction between the various NF entities in the core network.
- the communication method provided in the embodiment of the present application is also applicable to other scenarios in which the interaction information between the various NF entities in the core network must not directly carry user information, such as application scenario two below.
- FIG. 4 is a schematic diagram of another application scenario provided by an embodiment of the present application.
- the core network includes two network slices (Slice # 1 and Slice # 2).
- Each network slice has different functional characteristics and faces different needs and services.
- the UE can access different network slices according to different requirements.
- Each network slice is composed of independent NF entities. Taking the SMF entity and the UPF entity as an example, each network slice has its own SMF entity and UPF entity: Slice # 1 includes SMF # 11, SMF # 12 and UPF # 1, and Slice # 2 includes SMF # 21, SMF # 22 and UPF # 2. Because each network slice implements different functions, the SMF and UPF entities in a given network slice may not be within the security trust scope of the operator.
- The communication method provided in the embodiments of the present application can be applied to all network slices, or only to the network slices whose NF entities are not within the security trust scope of the operator.
- The communication method provided in the embodiment of the present application may also be applied to only some of the NF entities in a network slice.
- For example, the communication method provided in the embodiment of the present application may be applied, within a certain network slice, only to the NF entities that are not within the security trust scope of the operator (that is, the interaction information received or sent by those NF entities does not directly carry user information, but carries encrypted user information instead),
- while the other NF entities can exchange information as in the existing technology (that is, their interaction information can directly carry the user information).
- the communication method provided in the embodiments of the present application helps reduce the possibility of leaking the user's privacy during the information interaction between the various NF entities in the core network.
- the communication method provided in the embodiment of the present application may also be applicable to other application scenarios.
- the foregoing types are merely examples, and the embodiment of the present application does not limit this.
- FIG. 5A is a schematic diagram of an application scenario for establishing a PDU session according to an embodiment of the present application.
- As shown in FIG. 5A, the AMF entity can encrypt the user information of the UE and carry the encrypted user information in the interaction information with the SMF entity.
- The interaction information between the SMF entity and the UDM entity, the PCF entity and the CHF entity also carries encrypted user information, so as to prevent the interaction information between the various NF entities from directly carrying the user information and causing the leakage of user information.
- Since the AMF entity encrypts the user information, if the UDM entity needs the user information, it can request the AMF entity to send the user information to the UDM entity.
- The same method applies to the PCF entity and the CHF entity. In this way, the interaction information between the SMF entity and the UPF entity does not directly carry user information, but carries encrypted user information instead, which helps reduce the possibility of leaking user privacy.
- FIG. 5B is a schematic flowchart of a communication method according to an embodiment of the present application.
- FIG. 5B can also be understood as a schematic diagram of an information interaction process between the UE and the NF entity in the core network. As shown in FIG. 5B, the process includes:
- S501a-S501b. S501a: The UE sends a first PDU session creation request to the RAN; the first PDU session creation request is used to request the creation of a PDU session; correspondingly, the RAN receives the first PDU session creation request sent by the UE. S501b: The RAN sends the first PDU session creation request to the AMF entity.
- the UE needs to complete the registration process before accessing the core network (the registration process of the UE will be described later).
- After the UE completes registration, if the UE requests to establish a PDU session, the UE sends a first PDU session creation request to the AMF entity.
- After receiving the first PDU session creation request sent by the UE, the AMF entity may encrypt the user information of the UE to obtain the encrypted user information. It should be noted that during the UE registration process the AMF entity learns the user information of the UE (the specific process will be described later), so after the UE registration is completed, when the AMF entity receives the first PDU session creation request sent by the UE, it can encrypt the user information of the UE to obtain the encrypted user information.
- The user information of the UE may include one or more of: the SUPI, the International Mobile Subscriber Identity (IMSI), and the Mobile Station Integrated Services Digital Network Number (MSISDN).
- S502 The AMF entity encrypts the user information to obtain the encrypted user information.
- The AMF entity can encrypt the SUPI and the IMSI with a key to obtain the encrypted user information.
- the key may be allocated by the operator to the AMF entity, or may be obtained by the AMF entity through other methods, which is not limited in the embodiment of the present application.
- S503 The AMF entity sends a second PDU session creation request to the SMF entity.
- the second PDU session creation request is used to request creation of a PDU session context.
- The second PDU session creation request carries the encrypted user information (that is, the encrypted user information obtained in S502).
- S504 The SMF entity selects a UDM entity.
- the core network may include multiple UDM entities, so the SMF entity may select a suitable UDM entity from multiple UDM entities.
- the encrypted user information may carry UDM routing information.
- The UDM routing information is a field in the encrypted user information, so the SMF entity may select a suitable UDM entity from the multiple UDM entities based on the UDM routing information.
- Alternatively, the encrypted user information may not carry UDM routing information, and instead the second PDU session creation request carries the UDM routing information; that is, the UDM routing information is not a field in the encrypted user information, but another field carried in the second PDU session creation request, independent of the encrypted user information.
- the SMF entity may also select the UDM entity by other methods.
- the above is only an example, which is not limited in the embodiment of the present application.
- S505 The SMF entity calls the UDM entity (that is, the UDM entity selected in S504) to obtain the subscription information of the UE.
- S505 can be divided into four steps: S505a-S505e.
- S505a-1 The SMF entity sends a PDU session context registration request to the UDM entity.
- the PDU session context registration request is used to request registration of a PDU session context, and the PDU session context registration request carries encrypted user information.
- S505a-2 The UDM entity sends a response message to the SMF entity to indicate that the PDU session context registration is successful.
- S505a-3 The SMF entity sends a request to the UDM entity to obtain a subscription context.
- S505a-4 The UDM entity sends a subscription context to the SMF entity.
- Since the PDU session context registration request received by the UDM entity carries the encrypted user information, and the UDM entity needs to know the user information of the UE in order to obtain the subscription information from the UDR, the UDM entity can request the AMF entity to decrypt the encrypted user information to obtain the user information.
- The AMF entity encrypted the user information, so the AMF entity knows the encryption method used to encrypt the user information. Therefore, the UDM entity can request the AMF entity to decrypt the encrypted user information.
- The encrypted user information obtained by the AMF entity encrypting the user information may carry the routing information of the AMF entity. In this case, after receiving the PDU session context registration request, the UDM entity may determine, based on the routing information of the AMF entity carried in the encrypted user information, which AMF entity encrypted the user information.
- The UDM entity sends a first decryption request to the AMF entity; the first decryption request is used to request decryption of the encrypted user information (that is, S505b).
- the AMF entity decrypts the encrypted user information to obtain user information (ie, S505c).
- the AMF entity sends the user information to the UDM entity (ie, S505d).
- After the UDM entity obtains the user information of the UE, it may send a request to the UDR for obtaining the subscription information of the UE, and the request carries the user information of the UE (that is, S505e).
- the UDR sends the UE's subscription information to the UDM entity (ie, S505f).
- the UDM entity sends the subscription information of the UE to the SMF entity (ie, S505g).
- S506 The SMF entity calls the PCF entity to obtain the session management policy of the UE.
- S506 can be divided into five steps: S506a-S506e.
- S506a the SMF entity sends a request for obtaining a session management policy of the UE to the PCF entity, and the request carries encrypted user information.
- the session management policy of the UE is stored in the UDR, so the PCF entity needs to know the user information of the UE in order to obtain the session management policy of the UE from the UDR.
- Therefore, the PCF entity can request the AMF entity to decrypt the encrypted user information to obtain the user information.
- That is, the PCF entity sends a second decryption request to the AMF entity; the second decryption request is used to request decryption of the encrypted user information (ie, S506b).
- the AMF entity decrypts the encrypted user information to obtain user information (ie, S506c).
- the AMF entity sends the user information to the PCF entity (ie, S506d).
- After the PCF entity obtains the user information of the UE, it may send a request to the UDR for obtaining the session management policy of the UE, and the request carries the user information of the UE (that is, S506e).
- the UDR sends the UE's session management policy to the PCF entity (ie, S506f).
- the PCF entity sends the UE's session management policy to the SMF entity (ie, S506g).
- Note that the AMF entity has already decrypted the encrypted user information once. Therefore, after S505c the AMF entity can store the user information, and when the AMF entity receives the second decryption request it does not need to execute S506c but can send the stored user information to the PCF entity.
- S507 The SMF entity calls the CHF entity to charge the UE.
- S507 can be divided into five steps: S507a-S507e.
- S507a The SMF entity sends a request to the CHF entity to record charges for the UE, and the request carries the encrypted user information. Since the request received by the CHF entity for recording charges for the UE carries encrypted user information, when the CHF entity needs to know the user information of the UE, similarly to the UDM entity, the CHF entity can request the AMF entity to decrypt the encrypted user information. That is, the CHF entity sends a third decryption request to the AMF entity; the third decryption request is used to request decryption of the encrypted user information (ie, S507b).
- After receiving the third decryption request, the AMF entity decrypts the encrypted user information to obtain the user information (ie, S507c).
- the AMF entity sends the user information to the CHF entity (ie, S507d).
- After the CHF entity obtains the user information, it can obtain the UE's session management policy from the UDR entity. Taking the session management policy as the package information subscribed to by the UE as an example, the CHF entity may charge the UE based on the package information.
- S507e The PCF entity sends response information to the SMF entity to indicate successful charging.
- Note that the AMF entity has already decrypted the encrypted user information once. Therefore, after S505c the AMF entity can store the user information, and when the AMF entity receives the third decryption request it does not need to execute S507c but can send the stored user information to the CHF entity.
- S508 The SMF entity calls the UPF entity to complete the N4 session establishment (the UPF entity is connected to the SMF entity through the N4 interface).
- S508 can be implemented in two steps, S508a-S508b.
- S508a the SMF entity sends an N4 session establishment request to the UPF entity, and the N4 session establishment request is used to request establishment of a PDU session.
- S508b the SMF entity receives an N4 session establishment response sent by the UPF entity, and the N4 session establishment response is used to indicate that the PDU session establishment is successful.
- In the embodiment shown in FIG. 5B, the AMF entity can encrypt the user information.
- When a UDM entity, a PCF entity or a CHF entity needs to decrypt the user information, it can request the AMF entity to decrypt the encrypted user information and send the decrypted result to that entity.
- Neither the SMF entity nor the UPF entity receives or sends user information directly; their interaction information carries encrypted user information instead. Therefore, for UPF entities and SMF entities that are moved down to the edge cloud, this helps prevent the leakage of user information.
- In another embodiment, the AMF entity can encrypt the user information,
- and the UDM entity, the PCF entity and the CHF entity may each decrypt the encrypted user information themselves to obtain the user information.
- FIG. 6A is a schematic diagram of an application scenario in which a UE establishes a PDU session according to an embodiment of the present application.
- the operator assigns keys to AMF entities, UDM entities, PCF entities, and CHF entities, respectively.
- the AMF entity can encrypt the user information and carry the encrypted user information in the interaction information with the SMF entity.
- the interaction information between the SMF entity, the UDM entity, the PCF entity, and the CHF entity also carries encrypted user information to prevent the interaction information between the various NF entities from directly carrying the user information and causing the leakage of user information.
- Because the UDM entity, the PCF entity and the CHF entity store keys, if they need the user information they can decrypt the encrypted user information themselves to obtain the user information. In this way, the interaction information between the SMF entity and the UPF entity does not directly carry user information, but carries encrypted user information instead, which helps reduce the possibility of leaking user privacy.
- FIG. 6B is a schematic flowchart of a communication method according to an embodiment of the present application.
- a scenario in which the UE requests to establish a PDU session shown in FIG. 6A is taken as an example to describe an information interaction process between the UE and an entity in the core network.
- the process includes:
- S601 The operator assigns keys to the AMF entity, UDM entity, PCF entity, and CHF entity.
- S601 can be implemented in four steps: S601a-S601d.
- S601a The operator allocates a private key to the AMF entity.
- S601b-S601d The operator may assign public keys to the UDM entity, the PCF entity and the CHF entity, respectively. That is, the AMF entity encrypts the user information according to the private key, and the UDM entity, the PCF entity and the CHF entity each decrypt the encrypted user information according to the public key to obtain the user information. It should be noted that the embodiments of this application do not limit the execution order of S601a-S601d.
- S601 can be executed periodically or only once (for example, when the operator first puts the AMF entity, UDM entity, PCF entity and CHF entity into use, it assigns a key to each of them, and in subsequent use the key is simply used). If S601 is executed periodically, the execution cycles of S601a-S601d may be the same or different.
- The foregoing takes the operator assigning keys only to the AMF entity, UDM entity, PCF entity and CHF entity as an example. In practical applications there may be other key distribution methods (another method for assigning keys to NF entities is described later).
- S602a-S602b. S602a: The UE sends a first PDU session creation request to the RAN; correspondingly, the RAN receives the first PDU session creation request sent by the UE; the first PDU session creation request carries user information.
- S602b The RAN sends the first PDU session creation request to an AMF entity.
- S603 The AMF entity encrypts the user information according to the private key to obtain the encrypted user information.
- S604 The AMF entity sends a second PDU session creation request to the SMF entity, where the second PDU session creation request is used to request creation of a PDU session context, and the second PDU session creation request carries the encrypted user information (that is, the encrypted user information obtained in S603).
- S605 The SMF entity selects a UDM entity.
- S606 The SMF entity calls the UDM entity (that is, the UDM entity selected in S605) to obtain the subscription information of the UE.
- S606 can be divided into three steps: S606a-S606c.
- S606a-1 The SMF entity sends a PDU session context registration request to the UDM entity.
- the PDU session context registration request is used to request registration of a PDU session context.
- the PDU session context registration request carries encrypted user information.
- S606a-2 The UDM entity sends a response message to the SMF entity to indicate that the PDU session context registration is successful.
- S606a-3 The SMF entity sends a request to the UDM entity to obtain a subscription context.
- S606a-4 The UDM entity sends a subscription context to the SMF entity.
- Because the UDM entity needs to know the user information of the UE in order to obtain the subscription information of the UE, and the operator has assigned a public key to the UDM entity, the UDM entity can decrypt the encrypted user information with the public key to obtain the user information (ie, S606b).
- After the UDM entity obtains the user information of the UE, it may send a request to the UDR for obtaining the subscription information of the UE, where the request carries the user information of the UE (ie, S606c).
- the UDR sends the subscription information of the UE to the UDM entity (ie, S606d).
- the UDM entity sends the subscription information of the UE to the SMF entity (ie, S606e).
- S607 The SMF entity calls the PCF entity to obtain the session management policy of the UE.
- S607 can be divided into three steps: S607a-S607c.
- S607a The SMF entity sends a request for obtaining the session management policy of the UE to the PCF entity, and the request carries the encrypted user information. Since the PCF entity needs to know the user information of the UE to determine the UE's session management policy, and the operator has assigned a public key to the PCF entity, the PCF entity can decrypt the encrypted user information with the public key to obtain the user information (ie, S607b).
- After the PCF entity obtains the user information of the UE, it may send a request to the UDR for obtaining the session management policy of the UE, and the request carries the user information of the UE (that is, S607c).
- the UDR sends the session management policy of the UE to the PCF entity (ie, S607d).
- the PCF entity sends the UE's session management policy to the SMF entity (ie, S607e).
- S607c The PCF entity sends the session management policy of the UE to the SMF entity.
- S608 The SMF entity calls the CHF entity to charge the UE.
- S608 can be divided into three steps S608a-S608c.
- S608a the SMF entity sends a request to the CHF entity to record fees for the UE, and the request carries encrypted user information.
- Since the CHF entity needs to know the user information of the UE, it can decrypt the encrypted user information according to the public key assigned by the operator to the CHF entity to obtain the user information (ie, S608b).
- S608c The CHF entity sends a response message that the charging is successful to the SMF entity.
- S609 The SMF entity calls the UPF entity to complete the establishment of the N4 session.
- S609 can be implemented in two steps, S609a-S609b.
- S609a the SMF entity sends an N4 session establishment request to the UPF entity, and the N4 session establishment request is used to request establishment of a PDU session.
- S609b the SMF entity receives an N4 session establishment response sent by the UPF entity, and the N4 session establishment response is used to indicate that the PDU session establishment is successful.
- In the embodiment shown in FIG. 6B, the AMF entity can encrypt the user information, and when the UDM entity, the PCF entity and the CHF entity need to decrypt the user information, each of them can decrypt the encrypted user information by itself to obtain the user information.
- In another embodiment, the AMF entity can encrypt the user information, the UDM entity can decrypt the encrypted user information by itself, and the PCF entity and the CHF entity can request the UDM entity to decrypt the encrypted user information and send the decrypted result to the PCF entity and the CHF entity.
- FIG. 7A is a schematic diagram of an application scenario in which a UE establishes a PDU session according to an embodiment of the present application.
- the AMF entity can encrypt the user information and carry the encrypted user information in the interaction information with the SMF entity.
- the interaction information between the SMF entity and the UDM entity, the PCF entity and the CHF entity also carries encrypted user information, so as to prevent the interaction information between the various NF entities from directly carrying user information and causing user information leakage.
- the UDM entity can decrypt the encrypted user information by itself to obtain the user information.
- the PCF entity and the CHF entity may request the UDM entity to decrypt the encrypted user information and send the decrypted result to the PCF entity and the CHF entity.
- the interaction information between the SMF entity and the UPF entity does not directly carry user information, but instead carries encrypted user information, which helps reduce the possibility of leaking user privacy.
- FIG. 7B shows a flowchart of a communication method according to an embodiment of the present application.
- a scenario in which a UE requests to establish a PDU session shown in FIG. 7A is taken as an example to describe an information interaction process between the UE and an entity in a core network.
- the process includes:
- S700 The UE registers with the core network. During the UE registration process the core network needs to verify the legitimacy of the UE; if the core network verifies that the UE is legitimate, the UE is successfully registered.
- S700 can be implemented in six steps: S700a-S700g.
- S700a The UE sends a registration request to the RAN, where the registration request is used to request registration with the core network, and the registration request carries a SUCI.
- S700b The RAN sends the registration request to an AMF entity.
- S700c The AMF entity sends an authentication request to the AUSF entity, and the authentication request carries a SUCI.
- S700d The AUSF entity sends a request for a user authentication set to the UDM entity, and the user authentication set includes parameters for verifying whether the UE is a legitimate user.
- the user authentication set may be authentication parameters assigned by the operator to the UE and UDM, respectively.
- S700e The UDM entity sends the user authentication set to the AUSF entity.
- S700f The AUSF entity authenticates the UE through the user authentication set, and obtains the authentication result.
- S700g The AUSF entity sends the authentication result to the AMF entity.
- the AUSF entity may assign a key to the AMF.
- the UE may also authenticate the core network, and the UE may authenticate the core network in the manner of the prior art. For the sake of brevity of the description, details are not described herein.
- The UDM entity can decrypt the encrypted user information, so the UDM entity also knows the key.
- If the AUSF entity assigns a key to the AMF entity, the AUSF entity may also assign a key to the UDM entity (not shown in FIG. 7B), or the operator may assign a key to the UDM entity (not shown in FIG. 7B).
- Alternatively, the AUSF entity does not assign a key to the AMF entity, and the operator assigns the keys to the AMF entity and the UDM entity together.
- there may be other ways of distributing keys which are not limited in the embodiments of the present application.
- S701a-S701b. S701a: The UE sends a first PDU session creation request to the RAN; correspondingly, the RAN receives the first PDU session creation request sent by the UE; the first PDU session creation request carries user information.
- S701b The RAN sends the first PDU session creation request to an AMF entity.
- S702 The AMF entity encrypts the user information to obtain the encrypted user information.
- The user information may be of multiple types. Assuming that the user information is only the SUPI, the AMF entity may not need to perform S702, because during the registration process (S700a-S700c) the AMF entity has already obtained the UE's SUCI (the SUCI is obtained by encrypting the SUPI). Therefore, if the user information is only the SUPI, the AMF entity can directly execute S703 without executing S702; that is, the SUCI is the encrypted user information, and the second PDU session creation request carries the SUCI.
- S703 The AMF entity sends a second PDU session creation request to the SMF entity; the second PDU session creation request is used to request the creation of a PDU session context, and the second PDU session creation request carries the encrypted user information (that is, the encrypted user information obtained in S702).
- S704 The SMF entity selects a UDM entity.
- S705 The SMF entity obtains the subscription information of the UE through the UDM entity (that is, the UDM entity selected in S704).
- S705 can be divided into two steps, S705a-S705b.
- S705a-1 The SMF entity sends a PDU session context registration request to the UDM entity.
- the PDU session context registration request is used to request registration of a PDU session context, and the PDU session context registration request carries encrypted user information.
- S705a-2 The UDM entity sends a response message to the SMF entity to indicate that the PDU session context registration is successful.
- S705a-3 The SMF entity sends a request to the UDM entity to obtain a subscription context.
- S705a-4 The UDM entity sends a subscription context to the SMF entity.
- Since the PDU session context registration request received by the UDM entity carries encrypted user information, when the UDM entity needs the user information it can decrypt the encrypted user information. As described above, the UDM entity stores a key, so the UDM entity can decrypt the encrypted user information by itself to obtain the user information (ie, S705b).
- After the UDM entity obtains the user information of the UE, it may send a request to the UDR for obtaining the subscription information of the UE, where the request carries the user information of the UE (ie, S705c).
- The UDR sends the subscription information of the UE to the UDM entity (ie, S705d).
- The UDM entity sends the subscription information of the UE to the SMF entity (ie, S705e).
- S706 The SMF entity calls the PCF entity to obtain the session management policy of the UE.
- S706 can be divided into four steps, S706a-S706d.
- S706a The SMF entity sends a request for obtaining the session management policy of the UE to the PCF entity, and the request carries the encrypted user information. Because the request received by the PCF entity for acquiring the session management policy of the UE carries encrypted user information, when the PCF entity needs to obtain the user information it can request the UDM entity to decrypt the encrypted user information. That is, the PCF entity sends a first decryption request to the UDM entity; the first decryption request is used to request decryption of the encrypted user information (ie, S706b).
- After receiving the first decryption request, the UDM entity sends the user information to the PCF entity (ie, S706c).
- After the PCF entity obtains the user information of the UE, it may send a request to the UDR for obtaining the session management policy of the UE, and the request carries the user information of the UE (that is, S706d).
- The UDR sends the UE's session management policy to the PCF entity (ie, S706e).
- The PCF entity sends the UE's session management policy to the SMF entity (ie, S706f).
- S707 The SMF entity calls the CHF entity to charge the UE.
- S707 can be divided into four steps S707a-S707d.
- S707a The SMF entity sends a request to the CHF entity to record charges for the UE, and the request carries the encrypted user information. Because the request received by the CHF entity for recording charges for the UE carries encrypted user information, when the CHF entity needs to obtain the user information, similarly to the PCF entity, the CHF entity can also request the UDM entity to decrypt the encrypted user information. That is, the CHF entity sends a second decryption request to the UDM entity; the second decryption request is used to request decryption of the encrypted user information (that is, S707b).
- After receiving the second decryption request, the UDM entity sends the user information to the CHF entity (ie, S707c). After the CHF entity obtains the user information, it can obtain the session management policy of the UE from the UDR entity, such as the package information subscribed to by the UE, and the CHF entity charges the UE based on the package information.
- S707d The PCF entity sends a response message for successful charging to the SMF entity.
- S708 The SMF entity calls the UPF entity to complete the N4 session establishment.
- S708 can be implemented in two steps, S708a-S708b.
- S708a the SMF entity sends an N4 session establishment request to the UPF entity, and the N4 session establishment request is used to request establishment of a PDU session.
- S708b the SMF entity receives an N4 session establishment response sent by the UPF entity, and the N4 session establishment response is used to indicate that the PDU session establishment is successful.
- In the embodiment shown in FIG. 7B, the AMF entity can encrypt the user information, the UDM entity can decrypt the encrypted user information by itself, and the PCF entity and the CHF entity can request the UDM entity to decrypt the encrypted user information and send the decrypted result to the PCF entity and the CHF entity.
- In another embodiment, the AMF entity can encrypt the user information, the PCF entity can decrypt the encrypted user information by itself, and the UDM entity and the CHF entity can request the PCF entity to decrypt the encrypted user information and send the decrypted result to the UDM entity and the CHF entity.
- In this case the AMF entity and the PCF entity need to know the key, so the keys can be assigned to the AMF entity and the PCF entity in the manner described above; for example, the operator can assign the keys to the AMF entity and the PCF entity.
- In yet another embodiment, the AMF entity can encrypt the user information, the CHF entity can decrypt the encrypted user information by itself, and the UDM entity and the PCF entity can request the CHF entity to decrypt the encrypted user information and send the decrypted result to the UDM entity and the PCF entity.
- In this case the AMF entity and the CHF entity need to know the key, so the keys can be assigned to the AMF entity and the CHF entity in the key distribution manner described above.
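The three key layouts described for FIG. 5B (only the AMF decrypts, on request), FIG. 6B (every consumer holds a key) and FIG. 7B (the UDM decrypts for the PCF and CHF), together with the stored-result note after S505c and the clear-text routing fields of S504/S505b, as an added simulation that is not part of the patent. It assumes one symmetric operator key in place of the private/public key assignment the text describes, a stdlib-only toy authenticated cipher in place of a real one, and constructed entity names, SUPI, MSISDN and UDR records.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import os

# Stdlib-only stand-in for the AEAD a real AMF would use (e.g. AES-GCM; the patent names
# no cipher): HMAC-SHA256 counter-mode keystream, then an HMAC tag (encrypt-then-MAC).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("encrypted user information failed its integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def _aad(enc: dict) -> bytes:
    # The AMF and UDM routing fields (S504, S505b) travel in the clear so the SMF can pick a
    # UDM and the UDM can find the encrypting AMF; binding them to the tag stops silent re-routing.
    return json.dumps({k: enc[k] for k in ("amf_route", "udm_route")}, sort_keys=True).encode()

class NF:
    """UDM/PCF/CHF-style entity. With `key` it decrypts itself (FIG. 6B; the UDM in FIG. 7B);
    with `decryptor` it sends a decryption request (FIG. 5B: to the AMF; FIG. 7B: to the UDM)."""
    def __init__(self, name: str, key: bytes | None = None, decryptor: NF | None = None):
        self.name, self.key, self.decryptor = name, key, decryptor
        self.cache: dict[str, dict] = {}   # stored plaintext, as the AMF keeps it after S505c
        self.decryptions = 0               # how often this entity ran the cipher itself

    def resolve(self, enc: dict) -> dict:
        ct = enc["ciphertext"]
        if ct not in self.cache:
            if self.key is not None:
                self.decryptions += 1
                self.cache[ct] = json.loads(unseal(self.key, bytes.fromhex(ct), _aad(enc)))
            elif self.decryptor is not None:
                self.cache[ct] = self.decryptor.resolve(enc)   # S505b / S506b / S507b
            else:
                raise RuntimeError(f"{self.name} holds neither a key nor a decryptor")
        return self.cache[ct]

class AMF(NF):
    def encrypt_user_info(self, user_info: dict, udm_route: str) -> dict:
        # S502 / S603 / S702: the SMF can read only the routing fields of what it forwards.
        enc = {"amf_route": self.name, "udm_route": udm_route}
        blob = seal(self.key, json.dumps(user_info, sort_keys=True).encode(), _aad(enc))
        return {**enc, "ciphertext": blob.hex()}

def establish_pdu_session(mode: str) -> dict:
    """Runs S501-S507 (or the S60x / S70x equivalents) under one of the three key layouts."""
    key = os.urandom(32)                                                      # constructed operator key
    user_info = {"supi": "imsi-001010123456789", "msisdn": "+15550001234"}   # constructed UE identity
    udr = {user_info["supi"]: {"subscription": "enterprise-plan", "policy": "10GB/month"}}  # constructed
    amf = AMF("amf-1", key=key)
    if mode == "5B":      # only the AMF holds the key; every consumer asks it to decrypt
        udm, pcf, chf = NF("udm-2", decryptor=amf), NF("pcf-1", decryptor=amf), NF("chf-1", decryptor=amf)
    elif mode == "6B":    # the operator hands each consumer a key (S601b-S601d)
        udm, pcf, chf = NF("udm-2", key=key), NF("pcf-1", key=key), NF("chf-1", key=key)
    elif mode == "7B":    # the UDM holds a key; the PCF and CHF ask the UDM (S706b, S707b)
        udm = NF("udm-2", key=key)
        pcf, chf = NF("pcf-1", decryptor=udm), NF("chf-1", decryptor=udm)
    else:
        raise ValueError(f"unknown layout {mode}")
    udms = {"udm-1": NF("udm-1"), "udm-2": udm}
    enc = amf.encrypt_user_info(user_info, udm_route="udm-2")       # S502, carried by S503
    smf_view = json.dumps(enc)                                      # everything the SMF ever sees
    selected_udm = udms[enc["udm_route"]]                           # S504: routing field selects the UDM
    subscription = udr[selected_udm.resolve(enc)["supi"]]["subscription"]   # S505
    policy = udr[pcf.resolve(enc)["supi"]]["policy"]                # S506
    charged_for = udr[chf.resolve(enc)["supi"]]["policy"]           # S507
    return {
        "smf_saw_supi": user_info["supi"] in smf_view,
        "amf_decryptions": amf.decryptions, "udm_decryptions": udm.decryptions,
        "pcf_decryptions": pcf.decryptions, "chf_decryptions": chf.decryptions,
        "subscription": subscription, "policy": policy, "charged_for": charged_for,
    }

def rerouted_token_is_rejected() -> bool:
    """A token whose clear-text UDM routing field was altered in transit must fail to decrypt."""
    amf = AMF("amf-1", key=os.urandom(32))
    enc = amf.encrypt_user_info({"supi": "imsi-001010123456789"}, udm_route="udm-2")
    try:
        NF("udm-9", key=amf.key).resolve({**enc, "udm_route": "udm-9"})
    except ValueError:
        return True
    return False
```

Running `establish_pdu_session("5B")` shows the SMF never holds the SUPI while the AMF's cipher runs only once for the three decryption requests; "6B" and "7B" move the decryption counts to the consumers and to the UDM respectively.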
- The scenario shown in FIG. 3 is used as an example for illustration, in which the UPF entity and the SMF entity are moved down to the edge cloud.
- Other NF entities, such as the UDM entity or the PCF entity, may also be moved down to the edge cloud.
- Taking the PCF entity moved to the edge cloud as an example: to keep user information from leaking as far as possible, the PCF entity itself should touch the user information as little as possible (for example, the messages received or sent by the PCF entity do not carry user information).
- In that case the same idea as in the communication method shown in FIG. 5B can be adopted.
- For example, if the AUSF entity assigns the key to the AMF entity and the UDM entity, the PCF entity or the CHF entity need not request the UDM entity; instead it requests the AMF entity to decrypt the encrypted user information, and the AMF entity sends the decrypted result to the PCF entity (or the CHF entity).
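The following Go program is an added example, not code from the patent or from any implementation by its applicant. It models the exchange described above (AMF encrypts the user information, the edge-cloud SMF forwards the opaque blob without holding a key, the UDM decrypts it either with its own key or by sending a decryption request to the AMF) and exercises the two failure modes a practitioner cares about: the SMF-side view of the request must not contain the user information in the clear, and a blob modified on the AMF-SMF path must be rejected rather than resolved to some other subscriber. The patent does not name a cipher; AES-256-GCM from the Go standard library, the key bytes, the `imsi-...` user information string, the subscription string and all type and function names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed example key; per the description the operator or the AUSF assigns
// it to the AMF (and to the UDM when the UDM decrypts by itself), never to the SMF.
var exampleKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// EncryptedUserInfo is the opaque blob the AMF puts in the second PDU session
// creation request that the SMF forwards to the UDM; it is all the SMF sees.
type EncryptedUserInfo struct{ Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func decryptWithKey(key []byte, e EncryptedUserInfo) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil { // any change to nonce, ciphertext or tag fails here
		return nil, errors.New("encrypted user information failed authentication")
	}
	return pt, nil
}

// AMF holds the key: it encrypts the user information (claim 1) and serves the
// decryption requests of UDM, PCF and CHF (claims 2 to 4).
type AMF struct{ key []byte }

func (a *AMF) EncryptUserInfo(userInfo []byte) (EncryptedUserInfo, error) {
	aead, err := newGCM(a.key)
	if err != nil {
		return EncryptedUserInfo{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per encryption
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedUserInfo{}, err
	}
	return EncryptedUserInfo{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, userInfo, nil)}, nil
}

func (a *AMF) HandleDecryptRequest(e EncryptedUserInfo) ([]byte, error) {
	return decryptWithKey(a.key, e)
}

// UDM decrypts with its own key (claim 7) or, when key is nil, sends a
// decryption request to the AMF (claim 6), then returns the subscription (claim 5).
type UDM struct {
	key           []byte
	amf           *AMF
	subscriptions map[string]string // constructed: user information -> subscription data
}

func (u *UDM) GetSubscription(e EncryptedUserInfo) (string, error) {
	var ui []byte
	var err error
	if u.key != nil {
		ui, err = decryptWithKey(u.key, e)
	} else {
		ui, err = u.amf.HandleDecryptRequest(e)
	}
	if err != nil {
		return "", err
	}
	if sub, ok := u.subscriptions[string(ui)]; ok {
		return sub, nil
	}
	return "", errors.New("unknown subscriber")
}

// RunFlow drives one PDU session creation. udmKey is the UDM's copy of the key
// (nil means the UDM must ask the AMF). With tamper set, a ciphertext bit is
// flipped on the AMF-SMF path and the decrypting entity must reject the blob.
func RunFlow(userInfo string, udmKey []byte, tamper bool) (string, error) {
	amf := &AMF{key: exampleKey}
	udm := &UDM{key: udmKey, amf: amf, subscriptions: map[string]string{userInfo: "DNN=internet;S-NSSAI=1"}}
	enc, err := amf.EncryptUserInfo([]byte(userInfo))
	if err != nil {
		return "", err
	}
	if tamper {
		enc.Ciphertext[0] ^= 0x01
	}
	if bytes.Contains(enc.Ciphertext, []byte(userInfo)) { // the SMF's view of the request
		return "", errors.New("user information leaked in the clear")
	}
	return udm.GetSubscription(enc) // the SMF only forwards the blob to the UDM
}
```

An authenticated cipher is used deliberately: with a plain block or stream cipher the UDM would "decrypt" a modified blob to a different identifier and look up the wrong subscriber, whereas GCM turns any modification into a decryption failure. Two points the example makes visible that the description leaves implicit: the nonce must be fresh for every encryption under the same key, and in the variant where the UDM, PCF or CHF send decryption requests to the AMF, the AMF acts as a decryption service for whoever can reach that interface, so the requesting NF has to be authenticated and authorized before the AMF answers.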
- each NF entity may include a hardware structure and / or a software module, and implements the foregoing functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. Whether one of the above functions is executed by a hardware structure, a software module, or a hardware structure plus a software module depends on the specific application of the technical solution and design constraints.
- FIG. 8 is a schematic structural diagram of a communication device 800.
- the communication device 800 can implement the functions of the AMF entity mentioned above.
- the communication device 800 may include a receiver 801, a processor 802, and a transmitter 803.
- the receiver 801, the processor 802, and the transmitter 803 may be connected through a bus.
- the receiver 801, the processor 802, and the transmitter 803 may not be a bus structure, but may be other structures, such as a star structure, which are not specifically limited in this application.
- the receiver 801 may be used to perform S501b, S505c, S506b and S507b in the embodiment shown in FIG. 5B, and/or other processes supporting the techniques described herein; or S601a and S602b in the embodiment shown in FIG. 6B, and/or other such processes; or S700b, S700g and S701b in the embodiment shown in FIG. 7B, and/or other such processes.
- the processor 802 may be used to perform S502, S505c, S506c and S507c in the embodiment shown in FIG. 5B, and/or other processes supporting the techniques described herein; or S603 in the embodiment shown in FIG. 6B, and/or other such processes; or S702 in the embodiment shown in FIG. 7B, and/or other such processes.
- the transmitter 803 may be used to perform S503, S505d, S506d and S507d in the embodiment shown in FIG. 5B, and/or other processes supporting the techniques described herein; or S604 in the embodiment shown in FIG. 6B, and/or other such processes; or S700c and S703 in the embodiment shown in FIG. 7B, and/or other such processes.
- FIG. 9 shows a schematic structural diagram of a communication device 900.
- the communication device 900 can implement the functions of the UDM entity mentioned above.
- the communication device 900 may include a receiver 901, a processor 902, and a transmitter 903.
- the receiver 901, the processor 902, and the transmitter 903 may be connected through a bus.
- the receiver 901, the processor 902, and the transmitter 903 may not be a bus structure, but may be other structures, such as a star structure, which are not specifically limited in this application.
- the receiver 901 may be used to perform S505a-1, S505a-3, S505d and S505f in the embodiment shown in FIG. 5B, and/or other processes supporting the techniques described herein; or S601b, S606a-1, S606a-3 and S606d in the embodiment shown in FIG. 6B, and/or other such processes; or S700d, S705a-1, S705a-3 and S705d in the embodiment shown in FIG. 7B, and/or other such processes.
- the processor 902 may be used to perform S606b in the embodiment shown in FIG. 6B, and/or other processes supporting the techniques described herein; or S705b in the embodiment shown in FIG. 7B, and/or other such processes.
- the transmitter 903 may be used to perform S505a-2, S505a-4, S505b and S505g in the embodiment shown in FIG. 5B, and/or other processes supporting the techniques described herein; or S606a-2, S606a-4, S606c and S606e in the embodiment shown in FIG. 6B, and/or other such processes; or S700e, S705a-2, S705a-4, S705c and S705e in the embodiment shown in FIG. 7B, and/or other such processes.
- the processor in the communication device shown in FIG. 8 or FIG. 9 may be a general-purpose central processing unit or an application-specific integrated circuit (ASIC); it may be one or more integrated circuits for controlling program execution, a hardware circuit developed using a field programmable gate array (FPGA), or a baseband processor.
- the processor may include at least one processing core.
- the transmitter and receiver may be physically independent or integrated together.
- the transmitter and receiver can be radio frequency circuits; or the transmitter is a transmitting port and the receiver is a receiving port.
- the communication device shown in FIG. 8 or FIG. 9 may further include a memory, and the memory may include a read-only memory (ROM), a random access memory (RAM) and disk storage.
- the memory may be used to store data and / or instructions required by the processor while it is running. The number of memories may be one or more.
- An embodiment of the present application further provides a computer storage medium. The storage medium may include a memory, and the memory may store a program; when the program is executed, the method described in the method embodiments shown in FIG. 5B, FIG. 6B or FIG. 7B is performed, including all steps performed by the AMF.
- An embodiment of the present application further provides a computer storage medium. The storage medium may include a memory, and the memory may store a program; when the program is executed, the method described in the method embodiments shown in FIG. 5B, FIG. 6B or FIG. 7B is performed, including all steps performed by the UDM.
- An embodiment of the present invention further provides a computer program product; when it runs, the AMF performs the method described in the embodiments shown in FIG. 5B, FIG. 6B or FIG. 7B, including all steps performed by the AMF.
- An embodiment of the present invention further provides a computer program product; when it runs, the UDM performs the method described in the embodiments shown in FIG. 5B, FIG. 6B or FIG. 7B, including all steps performed by the UDM.
- the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
- Embodiments of the present invention are described with reference to flowcharts and / or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each process and / or block in the flowcharts and / or block diagrams, and combinations of processes and / or blocks in the flowcharts and / or block diagrams can be implemented by computer program instructions.
- These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
- These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
- These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Claims (18)
- 1. A communication method, characterized by comprising: an AMF receives a first PDU session creation request sent by a UE, the first PDU session creation request being used to request creation of a PDU session; the AMF encrypts user information of the UE to obtain encrypted user information; the AMF sends a second PDU session creation request to an SMF, the second PDU session creation request carrying the encrypted user information.
- 2. The method according to claim 1, characterized in that the method further comprises: the AMF receives a first decryption request sent by a UDM, the first decryption request carrying the encrypted user information; the AMF decrypts the encrypted user information to obtain the user information; the AMF sends the user information to the UDM.
- 3. The method according to claim 1 or 2, characterized in that the method further comprises: the AMF receives a second decryption request sent by a PCF, the second decryption request carrying the encrypted user information; the AMF decrypts the encrypted user information to obtain the user information; the AMF sends the user information to the PCF.
- 4. The method according to any one of claims 1 to 3, characterized in that the method further comprises: the AMF receives a third decryption request sent by a CHF, the third decryption request carrying the encrypted user information; the AMF decrypts the encrypted user information to obtain the user information; the AMF sends the user information to the CHF.
- 5. A communication method, characterized in that the method comprises: a UDM receives a request sent by an SMF for obtaining subscription information of a UE, the request carrying encrypted user information of the UE; the UDM decrypts the encrypted user information to obtain user information; the UDM determines the subscription information of the UE according to the user information; the UDM sends the subscription information to the SMF.
- 6. The method according to claim 5, characterized in that the UDM decrypting the encrypted user information to obtain the user information comprises: the UDM sends a first decryption request to the AMF, the first decryption request being used to request decryption of the encrypted user information; the UDM receives, from the AMF, the user information obtained by decrypting the encrypted user information.
- 7. The method according to claim 5, characterized in that the UDM decrypting the encrypted user information to obtain the user information comprises: the UDM decrypts the encrypted user information with a key to obtain the user information.
- 8. The method according to any one of claims 5 to 7, characterized in that the method further comprises: the UDM receives a second decryption request sent by a PCF, the second decryption request being used to request decryption of the encrypted user information; the UDM decrypts the encrypted user information with a key to obtain the user information; the UDM sends the user information to the PCF.
- 9. The method according to any one of claims 5 to 8, characterized in that the method further comprises: the UDM receives a third decryption request sent by a CHF, the third decryption request being used to request decryption of the encrypted user information; the UDM decrypts the encrypted user information with a key to obtain the user information; the UDM sends the user information to the CHF.
- 10. A communication apparatus, characterized by comprising: a receiver, configured to receive a first PDU session creation request sent by a UE, the first PDU session creation request being used to request creation of a PDU session; a processor, configured to encrypt user information of the UE to obtain encrypted user information; and a transmitter, configured to send a second PDU session creation request to an SMF, the second PDU session creation request carrying the encrypted user information.
- 11. The apparatus according to claim 10, characterized in that the receiver is further configured to receive a first decryption request sent by a UDM, the first decryption request carrying the encrypted user information; the processor is further configured to decrypt the encrypted user information to obtain the user information; and the transmitter is further configured to send the user information to the UDM.
- 12. The apparatus according to claim 10 or 11, characterized in that the receiver is further configured to receive a second decryption request sent by a PCF, the second decryption request carrying the encrypted user information; the processor is further configured to decrypt the encrypted user information to obtain the user information; and the transmitter is further configured to send the user information to the PCF.
- 13. The apparatus according to any one of claims 10 to 12, characterized in that the receiver is further configured to receive a third decryption request sent by a CHF, the third decryption request carrying the encrypted user information; the processor is further configured to decrypt the encrypted user information to obtain the user information; and the transmitter is further configured to send the user information to the CHF.
- 14. A communication apparatus, characterized by comprising: a receiver, configured to receive a request from an SMF for obtaining subscription information of a UE, the request carrying encrypted user information of the UE; a processor, configured to decrypt the encrypted user information to obtain the user information, and further configured to determine the subscription information of the UE according to the user information; and a transmitter, configured to send the subscription information to the SMF.
- 15. The apparatus according to claim 14, characterized in that the transmitter is further configured to send a first decryption request to the AMF, the first decryption request being used to request decryption of the encrypted user information; and the receiver is further configured to receive, from the AMF, the user information obtained by decrypting the encrypted user information.
- 16. The apparatus according to claim 14, characterized in that the processor is specifically configured to decrypt the encrypted user information with a key to obtain the user information.
- 17. The apparatus according to any one of claims 14 to 16, characterized in that the receiver is further configured to receive a second decryption request sent by a PCF, the second decryption request being used to request decryption of the encrypted user information; the processor is further configured to decrypt the encrypted user information with a key to obtain the user information; and the transmitter is further configured to send the user information to the PCF.
- 18. The apparatus according to any one of claims 14 to 17, characterized in that the receiver is further configured to receive a third decryption request sent by a CHF, the third decryption request being used to request decryption of the encrypted user information; the processor is further configured to decrypt the encrypted user information with a key to obtain the user information; and the transmitter is further configured to send the user information to the CHF.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2021500157A JP7286751B2 (ja) | 2018-08-09 | 2019-07-05 | 通信方法および通信装置 |
KR1020207037377A KR102332020B1 (ko) | 2018-08-09 | 2019-07-05 | 통신 방법 및 통신 장치 |
EP19848370.3A EP3817422A4 (en) | 2018-08-09 | 2019-07-05 | COMMUNICATION PROCESS AND DEVICE |
US17/129,479 US11570617B2 (en) | 2018-08-09 | 2020-12-21 | Communication method and communications apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810904425.3A CN110830989B (zh) | 2018-08-09 | 2018-08-09 | 一种通信方法和装置 |
CN201810904425.3 | 2018-08-09 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/129,479 Continuation US11570617B2 (en) | 2018-08-09 | 2020-12-21 | Communication method and communications apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020029729A1 true WO2020029729A1 (zh) | 2020-02-13 |
Family
ID=69415361
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/094818 WO2020029729A1 (zh) | 2018-08-09 | 2019-07-05 | 一种通信方法和装置 |
Country Status (6)
Country | Link |
---|---|
US (1) | US11570617B2 (zh) |
EP (1) | EP3817422A4 (zh) |
JP (1) | JP7286751B2 (zh) |
KR (1) | KR102332020B1 (zh) |
CN (1) | CN110830989B (zh) |
WO (1) | WO2020029729A1 (zh) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021211023A1 (en) * | 2020-04-14 | 2021-10-21 | Telefonaktiebolaget Lm Ericsson (Publ) | Shared reference for a charging data resource for pdu sessions in communications system |
CN113596781A (zh) * | 2020-04-30 | 2021-11-02 | 大唐移动通信设备有限公司 | 一种订阅方法、服务网元及用户数据管理网元 |
JP2023531845A (ja) * | 2021-05-25 | 2023-07-26 | 深▲せん▼艾靈网絡有限公司 | 時刻同期方法、電子設備および記憶媒体 |
EP4228303A4 (en) * | 2020-11-24 | 2024-03-13 | Huawei Technologies Co., Ltd. | COMMUNICATION SYSTEM, COMMUNICATION METHOD AND COMMUNICATION APPARATUS |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110830989B (zh) * | 2018-08-09 | 2021-06-08 | 华为技术有限公司 | 一种通信方法和装置 |
WO2021196011A1 (zh) * | 2020-03-31 | 2021-10-07 | 华为技术有限公司 | 一种终端设备标识的获取方法、装置及系统 |
CN111787533B (zh) * | 2020-06-30 | 2022-08-26 | 中国联合网络通信集团有限公司 | 加密方法、切片管理方法、终端及接入和移动性管理实体 |
US11751023B2 (en) * | 2021-05-21 | 2023-09-05 | T-Mobile Usa, Inc. | Charging function fallback |
US11785662B2 (en) | 2021-07-07 | 2023-10-10 | Cisco Technology, Inc. | Providing session continuity for parallel sessions involving a multiple universal subscriber identity module user equipment |
CN114205814B (zh) * | 2021-12-03 | 2023-11-21 | 中国联合网络通信集团有限公司 | 一种数据传输方法、装置、系统、电子设备及存储介质 |
CN116419238A (zh) * | 2021-12-31 | 2023-07-11 | 华为技术有限公司 | 一种网络功能创建方法及通信装置 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107743307A (zh) * | 2017-10-30 | 2018-02-27 | 中国联合网络通信集团有限公司 | 一种基于位置的mec的处理方法及设备 |
CN108370600A (zh) * | 2017-05-09 | 2018-08-03 | 华为技术有限公司 | 一种会话管理方法、终端及系统 |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2943319B2 (ja) * | 1990-11-20 | 1999-08-30 | 株式会社デンソー | 車両用始動充電装置 |
CN101562813B (zh) * | 2009-05-12 | 2012-01-11 | 中兴通讯股份有限公司 | 实时数据业务的实现方法、实时数据业务系统和移动终端 |
EP3703401B1 (en) * | 2014-11-17 | 2022-07-13 | Samsung Electronics Co., Ltd. | Apparatus and method for profile installation in communication system |
WO2018006017A1 (en) * | 2016-07-01 | 2018-01-04 | Idac Holdings, Inc. | Methods for supporting session continuity on per-session basis |
KR102246671B1 (ko) * | 2016-11-11 | 2021-05-03 | 텔레호낙티에볼라게트 엘엠 에릭슨(피유비엘) | 제5세대 코어 네트워크에 대한 비-3gpp 액세스를 위한 사용자 평면 모델 |
CN107580324B (zh) * | 2017-09-22 | 2020-05-08 | 中国电子科技集团公司第三十研究所 | 一种用于移动通信系统imsi隐私保护的方法 |
CN110830989B (zh) * | 2018-08-09 | 2021-06-08 | 华为技术有限公司 | 一种通信方法和装置 |
- 2018-08-09 CN CN201810904425.3A patent/CN110830989B/zh active Active
- 2019-07-05 JP JP2021500157A patent/JP7286751B2/ja active Active
- 2019-07-05 EP EP19848370.3A patent/EP3817422A4/en active Pending
- 2019-07-05 WO PCT/CN2019/094818 patent/WO2020029729A1/zh unknown
- 2019-07-05 KR KR1020207037377A patent/KR102332020B1/ko active IP Right Grant
- 2020-12-21 US US17/129,479 patent/US11570617B2/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108370600A (zh) * | 2017-05-09 | 2018-08-03 | 华为技术有限公司 | 一种会话管理方法、终端及系统 |
CN107743307A (zh) * | 2017-10-30 | 2018-02-27 | 中国联合网络通信集团有限公司 | 一种基于位置的mec的处理方法及设备 |
Non-Patent Citations (2)
Title |
---|
"SA WG2 Meeting #S2-122 S 2-174451", TS 23.502: MODIFICATION OF THE REGISTRATION PROCEDURE FOR UE IDENTITY REQUEST, vol. SA WG2, 20 June 2017 (2017-06-20), XP051309508 * |
See also references of EP3817422A4 |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021211023A1 (en) * | 2020-04-14 | 2021-10-21 | Telefonaktiebolaget Lm Ericsson (Publ) | Shared reference for a charging data resource for pdu sessions in communications system |
CN113596781A (zh) * | 2020-04-30 | 2021-11-02 | 大唐移动通信设备有限公司 | 一种订阅方法、服务网元及用户数据管理网元 |
CN113596781B (zh) * | 2020-04-30 | 2022-06-07 | 大唐移动通信设备有限公司 | 一种订阅方法、服务网元及用户数据管理网元 |
EP4228303A4 (en) * | 2020-11-24 | 2024-03-13 | Huawei Technologies Co., Ltd. | COMMUNICATION SYSTEM, COMMUNICATION METHOD AND COMMUNICATION APPARATUS |
JP2023531845A (ja) * | 2021-05-25 | 2023-07-26 | 深▲せん▼艾靈网絡有限公司 | 時刻同期方法、電子設備および記憶媒体 |
JP7383827B2 (ja) | 2021-05-25 | 2023-11-20 | 深▲せん▼艾靈网絡有限公司 | 時刻同期方法、電子設備および記憶媒体 |
Also Published As
Publication number | Publication date |
---|---|
JP7286751B2 (ja) | 2023-06-05 |
KR20210014669A (ko) | 2021-02-09 |
US11570617B2 (en) | 2023-01-31 |
CN110830989B (zh) | 2021-06-08 |
JP2021532627A (ja) | 2021-11-25 |
EP3817422A1 (en) | 2021-05-05 |
EP3817422A4 (en) | 2022-01-05 |
CN110830989A (zh) | 2020-02-21 |
KR102332020B1 (ko) | 2021-12-01 |
US20210112406A1 (en) | 2021-04-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2020029729A1 (zh) | 一种通信方法和装置 | |
US11689920B2 (en) | System and method for security protection of NAS messages | |
US11889405B2 (en) | Handling a UE that is in the idle state | |
WO2018170617A1 (zh) | 一种基于非3gpp网络的入网认证方法、相关设备及系统 | |
CN111818516B (zh) | 认证方法、装置及设备 | |
CN103609154A (zh) | 一种无线局域网接入鉴权方法、设备及系统 | |
KR102568230B1 (ko) | 보안 컨텍스트를 취득하기 위한 방법 및 장치와 통신 시스템 | |
CN116746182A (zh) | 安全通信方法及设备 | |
WO2020253408A1 (zh) | 二级认证的方法和装置 | |
US20240089728A1 (en) | Communication method and apparatus | |
WO2023071836A1 (zh) | 一种通信方法及装置 | |
WO2023016160A1 (zh) | 一种会话建立方法和相关装置 | |
WO2022032692A1 (zh) | 通信方法、装置及系统 | |
WO2021073382A1 (zh) | 注册方法及装置 | |
US10841792B2 (en) | Network connection method, method for determining security node, and apparatus | |
WO2024092624A1 (en) | Encryption key transfer method and device for roaming users in communication networks | |
RU2772709C1 (ru) | Системы и способ защиты безопасности сообщений nas | |
WO2023160624A1 (zh) | 一种通信方法及装置 | |
WO2023213209A1 (zh) | 密钥管理方法及通信装置 | |
WO2024060626A1 (zh) | 鉴权方法、通信装置及通信系统 | |
WO2024092529A1 (en) | Determining authentication credentials for a device-to-device service | |
CN113784351A (zh) | 切片服务验证方法及其装置 | |
WO2023241899A1 (en) | Apparatus, method and computer program for privacy protection of subscription identifiers |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19848370; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 20207037377; Country of ref document: KR; Kind code of ref document: A |
2020-12-23 | ENP | Entry into the national phase | Ref document number: 2019848370; Country of ref document: EP; Effective date: 20201223 |
| ENP | Entry into the national phase | Ref document number: 2021500157; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |