WO2020038236A1 - Routing method, apparatus and system - Google Patents


Info

Publication number
WO2020038236A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
message
udm
ausf
request message
Application number
PCT/CN2019/099792
Other languages
French (fr)
Chinese (zh)
Inventor
李华
张博
Original Assignee
华为技术有限公司
Priority claimed from CN201811289488.9A (CN110858992A)
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Related publications: EP3709692A4 (application EP19851158.6A), US11974132B2 (application US16/898,326)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 40/00 Communication routing or communication path finding
    • H04W 40/02 Communication route or path selection, e.g. power-based or shortest path routing

Definitions

  • The present application relates to the field of communication technologies, and in particular to a routing method, apparatus, and system.
  • The network and the terminal need to perform mutual authentication: the network verifies the legitimacy of the terminal, and the terminal verifies the legitimacy of the network.
  • LTE: Long Term Evolution
  • IMSI: International Mobile Subscriber Identity
  • In 5G, an encrypted Subscription Concealed Identifier (SUCI) is sent over the air instead of the unencrypted Subscription Permanent Identifier (SUPI) or IMSI.
  • When the terminal accesses the network for authentication, the network must address the Unified Data Management (UDM) network element to which the user belongs (the home UDM) and obtain the authentication vector from that UDM.
  • the terminal sends an authentication request to the network device, and carries the SUCI in the authentication request.
  • the SUCI includes a routing indicator (RI), which is used to address the UDM to which the user belongs.
  • The embodiments of the present application provide a routing method, apparatus, and system that can change the RI carried in the SUCI, so that the user's home UDM can be addressed more flexibly and the diverse service requirements of 5G can be met.
  • In a first aspect, an embodiment of the present application provides a routing method that can be applied to an AUSF or to a chip in an AUSF.
  • The method includes: the authentication server function (AUSF) network element sends a first authentication vector acquisition request to a first unified data management (UDM) network element; if the AUSF network element receives a routing indicator (RI) sent by the first UDM network element, it sends the RI to the access and mobility management function (AMF) network element.
  • That is, the AUSF sends a first authentication vector acquisition request to the first UDM, and if it receives an RI from the first UDM it forwards the RI to the AMF. The AMF serving the terminal then sends the RI to the terminal, which updates its own RI, so that the terminal addresses the correct UDM the next time it accesses the network for authentication.
  • Optionally, the AUSF network element may further perform the following steps:
  • If the AUSF network element receives a redirect message sent by the first UDM network element, it sends a second authentication vector acquisition request to a second UDM network element according to the redirect message; the AUSF network element receives the RI sent by the second UDM network element; and the AUSF network element sends the RI to the AMF network element.
  • Optionally, the AUSF network element performs the following steps:
  • The AUSF network element determines an integrity verification code of the RI according to an integrity protection key and the RI, and sends the integrity verification code to the AMF network element.
  • The AUSF may generate the RI integrity verification code based on a preset policy of the AUSF.
  • The preset policy includes, but is not limited to, generating the code upon receiving an RI issued by a UDM network element.
  • The AUSF network element may also generate the RI integrity verification code after receiving an integrity protection request message sent by a UDM network element.
  • That is, the AUSF network element receives an integrity protection request message from the first UDM network element or the second UDM network element, and generates the RI integrity verification code when triggered by that message; the integrity protection request message instructs the AUSF to generate an integrity verification code for the RI.
  • In a second aspect, an embodiment of the present application provides a routing method.
  • The method may be applied to a UDM or to a chip in the UDM.
  • The method includes:
  • The first unified data management (UDM) network element receives a first authentication vector acquisition request sent by the authentication server function (AUSF) network element; in response, the first UDM network element sends either a redirect message or a routing indicator (RI) to the AUSF network element.
  • The first UDM sends the RI to the AUSF when the first UDM network element is the UDM network element to which the user belongs.
  • The first UDM sends a redirect message to the AUSF when the first UDM network element is not the UDM network element to which the user belongs.
  • Optionally, the first UDM instructs the AUSF to generate an integrity verification code for the RI during the procedure in which the terminal requests user data:
  • The first UDM network element receives a user data acquisition request message sent by the AMF network element;
  • The first UDM network element sends an integrity protection request message to the AUSF network element; the integrity protection request message instructs the AUSF network element to generate an integrity verification code for the RI.
  • After sending the integrity protection request message, the first UDM network element receives the integrity verification code sent by the AUSF network element.
  • If the AUSF has already generated the RI integrity verification code when it receives the integrity protection request message from the first UDM, it sends that code to the first UDM directly. Otherwise, the AUSF generates the RI integrity verification code at that point and sends the newly generated code to the first UDM.
  • Sending the RI to the AUSF network element by the first UDM network element then includes sending the RI protected by the integrity verification code to the AUSF network element.
  • In a third aspect, an embodiment of the present application provides a routing method that can be applied to a terminal or to a chip in the terminal.
  • The method includes:
  • The terminal receives a routing indicator (RI) sent by the access and mobility management function (AMF) network element, and uses the RI to update the subscription concealed identifier (SUCI) information it stores.
  • That is, the terminal receives the updated RI issued by the network side and updates the SUCI information stored locally. Subsequently, the terminal uses the RI included in the updated SUCI to address the user's home UDM.
  • Optionally, the terminal also receives an integrity verification code corresponding to the RI, which is used to perform integrity verification on the RI.
  • Updating the SUCI information with the RI is then implemented as follows: only if the integrity verification of the RI succeeds does the terminal use the RI to update the SUCI information.
  • Receiving the RI sent by the AMF may be implemented as follows:
  • The terminal receives a non-access stratum security mode command (NAS SMC) message sent by the AMF, and the NAS SMC message carries the RI.
  • The AMF can integrity-protect the RI carried in the NAS SMC message using the integrity protection mechanism of the SMC itself.
  • In a fourth aspect, an embodiment of the present application provides a routing method, which is applied to a UDM or a UDM chip.
  • The method includes: when the unified data management (UDM) network element to which a user belongs changes from a first UDM to a second UDM, the first UDM network element sends a routing indicator (RI) to the access and mobility management function (AMF) network element.
  • The RI sent by the first UDM to the AMF is the RI corresponding to the second UDM.
  • In this way, the first UDM can directly send the RI corresponding to the user's new home UDM (that is, the second UDM) to the AMF, which saves intermediate signalling and reduces network resource overhead.
  • Optionally, the first UDM may perform the following steps: the first UDM network element sends an integrity protection request message to the AUSF network element, instructing the AUSF to generate an integrity verification code for the RI; the first UDM network element receives the integrity verification code of the RI from the AUSF network element; and the first UDM sends the integrity verification code to the AMF network element.
  • In a fifth aspect, an embodiment of the present application provides a routing method.
  • The method is applied to an AUSF or an AUSF chip.
  • The method includes:
  • The authentication server function (AUSF) network element receives an integrity protection request message sent by the first unified data management (UDM) network element, the integrity protection request message carrying a routing indicator (RI); the AUSF network element generates an integrity verification code of the RI according to an integrity protection key and the RI; and the AUSF network element sends the integrity verification code to the first UDM network element.
  • In a sixth aspect, an embodiment of the present application provides a routing method, which is applied to a terminal or a chip of the terminal.
  • The method includes: the terminal receives a routing indicator (RI) sent by an access and mobility management function (AMF) network element, and uses the RI to update its subscription concealed identifier (SUCI).
  • Optionally, if the terminal also receives an integrity verification code corresponding to the RI, the terminal uses the integrity verification code to perform integrity verification on the RI.
  • Updating the SUCI information with the RI is then implemented as follows: only if the integrity verification of the RI succeeds does the terminal use the RI to update the SUCI information.
  • After the RI changes, the terminal can deregister its information from the first UDM and re-register with the second UDM, in either of two ways:
  • The terminal initiates re-registration: if the terminal finds that its stored RI has changed, it registers with the second UDM indicated by the new RI.
  • The AMF initiates re-registration: the AMF sends a deregistration request message to the terminal whose cause value indicates that the RI has changed; after receiving the deregistration request message, the terminal registers with the second UDM indicated by the RI.
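The end-to-end exchange described in the first to sixth aspects above, as an added example that is not code from the patent or from Huawei: a non-home first UDM answers the AUSF with a redirect, the AUSF follows it to the second UDM, computes an integrity verification code over the RI it receives, and the terminal replaces its stored RI only when that code verifies. The page fixes neither the code construction nor the key; the block assumes HMAC-SHA256 under a key `k_int` shared by AUSF and terminal, models the N12/N13 service messages and the NAS SMC as plain function calls, and uses a constructed test-network SUPI. The fourth-aspect variant (the old home UDM asks the AUSF for the code and sends RI plus code to the AMF itself) reuses the same `ri_integrity_code` and `receive_ri` logic, only the caller differs.

```python
"""Simulated RI update flow: UDM redirect -> AUSF -> AMF -> terminal.

Assumptions not stated on the page: the integrity verification code is
HMAC-SHA256 over the ASCII RI under a key k_int shared by AUSF and terminal;
RIs are 1-4 decimal digits; network elements are plain Python objects.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple


def ri_integrity_code(k_int: bytes, ri: str) -> bytes:
    """Integrity verification code of an RI (assumed construction: HMAC-SHA256)."""
    return hmac.new(k_int, ri.encode("ascii"), hashlib.sha256).digest()


@dataclass
class UDM:
    name: str
    ri: str                                        # RI that addresses this UDM
    subscribers: set = field(default_factory=set)  # SUPIs homed here
    redirect_to: Optional["UDM"] = None            # target named in a redirect message

    def authentication_vector_request(self, supi: str):
        """First-UDM behaviour from the page: return the RI when this is the
        user's home UDM, otherwise a redirect message naming another UDM."""
        if supi in self.subscribers:
            return ("ri", self.ri)
        if self.redirect_to is None:
            raise LookupError(f"{self.name}: not home UDM and no redirect target")
        return ("redirect", self.redirect_to)


@dataclass
class AUSF:
    k_int: bytes

    def fetch_routing_indicator(self, supi: str, first_udm: UDM) -> Tuple[str, bytes]:
        """Send the first request, follow at most one redirect, and return the
        RI together with its integrity verification code for the AMF."""
        kind, value = first_udm.authentication_vector_request(supi)
        if kind == "redirect":
            # second authentication vector acquisition request, to the UDM named in the redirect
            kind, value = value.authentication_vector_request(supi)
        if kind != "ri":
            raise LookupError("home UDM not reached after redirect")
        return value, ri_integrity_code(self.k_int, value)


@dataclass
class Terminal:
    supi: str
    k_int: bytes
    stored_ri: str  # RI currently held in the terminal's SUCI

    def receive_ri(self, ri: str, code: bytes) -> bool:
        """Terminal side: update the stored RI only if the code verifies.
        A rejected RI leaves the existing SUCI routing information untouched."""
        if not hmac.compare_digest(code, ri_integrity_code(self.k_int, ri)):
            return False
        self.stored_ri = ri
        return True


def run_ri_update(tamper: bool = False) -> Tuple[bool, str]:
    """Drive one update with constructed data (test-network SUPI, two UDMs).
    With tamper=True an on-path party alters the RI between AUSF and terminal."""
    k_int = b"constructed-shared-integrity-key"  # assumption: shared after primary authentication
    supi = "imsi-001010123456789"
    home_udm = UDM("UDM-2", ri="0042", subscribers={supi})
    first_udm = UDM("UDM-1", ri="0001", redirect_to=home_udm)  # not home: redirects
    ausf = AUSF(k_int)
    ue = Terminal(supi, k_int, stored_ri="0001")

    ri, code = ausf.fetch_routing_indicator(supi, first_udm)
    # The AMF carries (ri, code) to the terminal in the NAS SMC. NAS integrity
    # protection is a second, independent layer and is not modelled here.
    if tamper:
        ri = "9999"
    accepted = ue.receive_ri(ri, code)
    return accepted, ue.stored_ri


if __name__ == "__main__":
    print(run_ri_update())             # (True, '0042')
    print(run_ri_update(tamper=True))  # (False, '0001')
```

The point the page makes twice, and the block enforces in `receive_ri`, is that the terminal must not overwrite the RI on the bare say-so of the AMF: an RI that fails verification is dropped and the old SUCI keeps addressing the old UDM, so a forged update cannot steer the subscriber's next authentication to a UDM of the attacker's choosing.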
  • In a seventh aspect, an embodiment of the present application provides a routing apparatus provided with a processor and a transceiver.
  • The transceiver is configured to send a first authentication vector acquisition request to a first unified data management (UDM) network element and, if a routing indicator (RI) sent by the first UDM network element is received, to send the RI to the access and mobility management function (AMF) network element.
  • The transceiver is further configured to: if a redirect message sent by the first UDM network element is received, send a second authentication vector acquisition request to a second UDM network element according to the redirect message; receive the RI sent by the second UDM network element; and send the RI to the AMF network element.
  • The processor is configured to determine an integrity verification code of the RI according to an integrity protection key and the RI; the transceiver is further configured to send the integrity verification code to the AMF network element.
  • The transceiver is further configured to receive an integrity protection request message sent by the first UDM network element or the second UDM network element, the integrity protection request message instructing the AUSF to generate an integrity verification code for the RI.
  • In an eighth aspect, an embodiment of the present application provides a routing apparatus provided with a processor and a transceiver.
  • The transceiver is configured to receive a first authentication vector acquisition request sent by an authentication server function (AUSF) network element and, in response, to send either a redirect message or a routing indicator (RI) to the AUSF network element.
  • The transceiver sends the RI to the AUSF network element when the first UDM network element is the UDM network element to which the user belongs.
  • The transceiver sends a redirect message to the AUSF network element when the first UDM network element is not the UDM network element to which the user belongs.
  • The transceiver is further configured to receive a user data acquisition request message sent by the AMF network element, and to send an integrity protection request message to the AUSF network element, the integrity protection request message instructing the AUSF network element to generate an integrity verification code for the RI.
  • The transceiver is further configured to receive the integrity verification code sent by the AUSF network element in reply to the integrity protection request message; sending the RI to the AUSF network element then includes sending the RI protected by the integrity verification code.
  • In a ninth aspect, an embodiment of the present application provides a routing apparatus provided with a processor and a transceiver.
  • The transceiver is configured to receive a routing indicator (RI) sent by the access and mobility management function (AMF) network element, and the processor is configured to use the RI to update the subscription concealed identifier (SUCI) information.
  • If the transceiver receives an integrity verification code corresponding to the RI, the processor is further configured to use the integrity verification code to verify the integrity of the RI, and to update the SUCI with the RI only if the integrity verification succeeds.
  • Receiving the RI sent by the AMF includes receiving a non-access stratum security mode command (NAS SMC) message sent by the AMF, the NAS SMC message carrying the RI.
  • In a tenth aspect, an embodiment of the present application provides a routing apparatus.
  • The apparatus is provided with a processor and a transceiver.
  • The transceiver is configured to send a routing indicator (RI) to the access and mobility management function (AMF) network element when the unified data management (UDM) network element to which the user belongs changes from a first UDM to a second UDM.
  • The transceiver is further configured to send an integrity protection request message to the AUSF network element, the integrity protection request message instructing the AUSF to generate an integrity verification code for the RI; to receive the integrity verification code of the RI sent by the AUSF network element; and to send the integrity verification code to the AMF network element.
  • In an eleventh aspect, an embodiment of the present application provides a routing apparatus.
  • The apparatus is provided with a processor and a transceiver.
  • The transceiver is configured to receive an integrity protection request message sent by the first unified data management (UDM) network element, the integrity protection request message carrying a routing indicator (RI); the processor is configured to generate an integrity verification code of the RI according to an integrity protection key and the RI; and the transceiver is further configured to send the integrity verification code to the first UDM network element.
  • In a twelfth aspect, an embodiment of the present application provides a routing apparatus provided with a processor and a transceiver.
  • The transceiver is configured to receive a routing indicator (RI) sent by the access and mobility management function (AMF) network element, and the processor is configured to use the RI to update the subscription concealed identifier (SUCI) information.
  • If the transceiver receives an integrity verification code corresponding to the RI, the processor is further configured to use the integrity verification code to verify the integrity of the RI, and to update the SUCI with the RI only if the integrity verification succeeds.
  • The processor is further configured to register the terminal with the second UDM indicated by the RI if the RI stored in the terminal changes.
  • The processor is further configured to register the terminal with the second UDM indicated by the RI if the transceiver receives a deregistration request message sent by the AMF whose cause value indicates that the RI has changed.
  • In a thirteenth aspect, an embodiment of the present application provides a routing apparatus having the function of implementing the routing method of any one of the first to sixth aspects.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • The hardware or software includes one or more modules corresponding to the above functions.
  • In a fourteenth aspect, a routing apparatus includes a processor and a memory; the memory is configured to store computer-executable instructions, and when the routing apparatus is running, the processor executes the instructions stored in the memory so that the routing apparatus performs the routing method of any one of the first to sixth aspects.
  • In a fifteenth aspect, a routing apparatus includes a processor; the processor is configured to be coupled to a memory and, after reading the instructions in the memory, to perform the routing method of any one of the first to sixth aspects according to the instructions.
  • In a sixteenth aspect, a computer-readable storage medium stores instructions that, when run on a computer, enable the computer to perform the routing method of any one of the first to sixth aspects.
  • In a seventeenth aspect, a computer program product containing instructions, when run on a computer, enables the computer to perform the routing method of any one of the first to sixth aspects.
  • In an eighteenth aspect, a circuit system includes a processing circuit configured to perform the routing method of any one of the first to sixth aspects.
  • In a nineteenth aspect, a chip includes a processor coupled to a memory, the memory storing program instructions; when the program instructions stored in the memory are executed by the processor, the routing method of any one of the first to sixth aspects is implemented.
  • In a twentieth aspect, a routing system includes the terminal (or terminal chip), the AMF (or chip in the AMF), the AUSF (or chip in the AUSF), and the UDM (or chip in the UDM) of the above aspects.
  • FIG. 1 is a schematic diagram of SUCI provided by an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a 5G network architecture according to an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a routing system according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a communication device according to an embodiment of the present application.
  • FIG. 5 is a flowchart of a routing method according to an embodiment of the present application.
  • FIG. 6 is a flowchart of a routing method according to an embodiment of the present application.
  • FIG. 7 is a flowchart of a routing method according to an embodiment of the present application.
  • FIG. 8 is a flowchart of a routing method according to an embodiment of the present application.
  • FIG. 9 is a flowchart of a routing method according to an embodiment of the present application.
  • FIG. 10 is a flowchart of a routing method according to an embodiment of the present application.
  • FIG. 11 is a flowchart of a routing method according to an embodiment of the present application.
  • FIG. 12 is a flowchart of a routing method according to an embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of a routing apparatus according to an embodiment of the present application.
  • SUPI: the user identifier in 5G, which represents the user's true identity and plays a role similar to the IMSI in LTE.
  • SUCI: in 5G, to avoid the problem that a plaintext SUPI can be captured by an attacker, the home network's public key is used to encrypt the subscriber-specific part of the SUPI, and the resulting ciphertext forms the SUCI. The network side can then use the private key paired with that public key to decrypt the SUCI, recover the SUPI and learn the user's true identity. Figure 1 shows the structure of the SUCI as defined in 3GPP TS 23.003. The SUCI includes a 3-digit mobile country code (MCC), a mobile network code (MNC, 2 or 3 digits depending on the network), and an RI; these routing fields are carried in clear text so that the serving network can address the home UDM without decrypting the SUCI.
  • MCC: mobile country code, used to address the country to which the user's UDM belongs.
  • MNC: mobile network code, used to address the network to which the user's UDM belongs (for example, a UDM belonging to China Telecom or a UDM belonging to China Unicom).
  • RI: routing indicator, used to address the UDM to which the user belongs.
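To make the SUCI fields discussed above concrete, here is an added example (not code from the patent, from Huawei or from 3GPP) that parses a SUCI written in the NAI string form that TS 23.003 defines (`suci-<SUPI type>-<MCC>-<MNC>-<Routing Indicator>-<Protection Scheme Id>-<Home Network Public Key Id>-<Scheme Output>`), reports which fields a serving network can read without the home network's private key, and performs the one rewrite this patent is about: replacing the RI while leaving every other field intact. The field widths in the regular expression follow TS 23.003 (MCC 3 digits, MNC 2 or 3, RI 1 to 4 digits, scheme 0 for null and 1 or 2 for the ECIES profiles, key id 0 to 255); the sample SUCIs use the constructed test-network identity MCC 001 / MNC 01 and are not real subscriber data.

```python
"""Parse, inspect and rewrite the Routing Indicator of a SUCI in NAI form.

Format (TS 23.003): suci-<type>-<mcc>-<mnc>-<ri>-<scheme>-<keyid>-<output>
Sample values below are constructed (test network MCC 001, MNC 01).
"""
import re
from dataclasses import dataclass, replace

# Scheme output is the decimal MSIN for the null scheme (0) and a hex string
# for the ECIES profiles (1, 2); both are accepted here.
_SUCI_RE = re.compile(
    r"suci-(?P<supi_type>\d)-(?P<mcc>\d{3})-(?P<mnc>\d{2,3})-(?P<ri>\d{1,4})"
    r"-(?P<scheme>\d)-(?P<key_id>\d{1,3})-(?P<output>[0-9A-Fa-f]+)"
)


@dataclass(frozen=True)
class Suci:
    supi_type: int
    mcc: str
    mnc: str
    routing_indicator: str
    protection_scheme: int
    home_key_id: int
    scheme_output: str

    def home_network(self) -> str:
        """The routing fields any serving network reads without the home private key."""
        return f"{self.mcc}-{self.mnc}-{self.routing_indicator}"

    def msin_concealed(self) -> bool:
        """Scheme 0 is the null scheme: the subscriber part travels in clear."""
        return self.protection_scheme != 0


def parse_suci(text: str) -> Suci:
    m = _SUCI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a SUCI in NAI form: {text!r}")
    key_id = int(m["key_id"])
    if key_id > 255:
        raise ValueError("home network public key id must be 0..255")
    return Suci(int(m["supi_type"]), m["mcc"], m["mnc"], m["ri"],
                int(m["scheme"]), key_id, m["output"])


def format_suci(s: Suci) -> str:
    return (f"suci-{s.supi_type}-{s.mcc}-{s.mnc}-{s.routing_indicator}"
            f"-{s.protection_scheme}-{s.home_key_id}-{s.scheme_output}")


def update_routing_indicator(text: str, new_ri: str) -> str:
    """What the terminal does after accepting an RI from the AMF: keep every
    other field and replace only the RI. A malformed RI is rejected so a bad
    update cannot leave the terminal unable to address any UDM."""
    if re.fullmatch(r"\d{1,4}", new_ri) is None:
        raise ValueError(f"routing indicator must be 1-4 digits: {new_ri!r}")
    return format_suci(replace(parse_suci(text), routing_indicator=new_ri))


if __name__ == "__main__":
    sample = "suci-0-001-01-1234-0-0-0123456789"   # constructed, null scheme
    s = parse_suci(sample)
    print(s.home_network(), s.msin_concealed())   # 001-01-1234 False
    print(update_routing_indicator(sample, "42"))  # suci-0-001-01-42-0-0-0123456789
```

The `home_network()` helper is the practitioner's caveat: even with an ECIES scheme the MCC, MNC and RI are visible to anyone who sees the registration, which is exactly why the RI is useful for routing and also why an operator should not hand out RIs so fine-grained that they single out individual subscribers.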
  • The 5G network architecture involved in the embodiments of this application is as follows:
  • As shown in Figure 2, the system includes a Network Slice Selection Function (NSSF), a Network Exposure Function (NEF), a Network Repository Function (NRF), a Policy Control Function (PCF), an Application Function (AF), Unified Data Management (UDM), an Authentication Server Function (AUSF), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), an Access Network (AN) or Radio Access Network (RAN), a User Plane Function (UPF), and a Data Network (DN).
  • The terminal accesses the AN over a wireless (for example Wireless Fidelity, WiFi) or wired connection, and communicates with the AMF through N1; the AN communicates with the UPF through N3 and with the AMF through N2; the UPF communicates with the SMF through N4 and with DN network elements through N6; the SMF communicates with the AMF through N11, with the UDM through N10, and with the PCF through N7 (these three interfaces are not shown in Figure 2); the AMF communicates with the AUSF through N12, and the AUSF communicates with the UDM through N13 (both not shown in Figure 2).
  • The above-mentioned network elements communicate in a defined manner (for example, the terminal communicates with the AMF through N1).
  • The above lists only the network elements related to the technical solution of the embodiments of the present application.
  • The embodiments of this application do not repeat the communication modes between other network elements.
  • The terminals involved in the embodiments of the present application may include various handheld devices, wearable devices, computing devices, or other processing devices connected to a modem with a communication function, and may also include a personal digital assistant (PDA), a tablet computer, a laptop computer, a machine type communication (MTC) terminal, a user equipment (UE), and the like.
  • The names of the network elements in Figure 2 and the names of the interfaces between them are only examples.
  • The network elements or interfaces may have other names, and a network element may also be called an entity; this is not specifically limited in the embodiments of the present application. All or part of the network elements of the core network may be physical network elements or virtualized network elements, which is not limited here.
  • Words such as "first" and "second" are used to distinguish between items that are the same or similar and have substantially the same functions and effects. Those skilled in the art will understand that "first", "second" and the like do not limit the number or execution order, and that "first" and "second" items are not necessarily different.
  • When a network element (for example, network element A) obtains information from another network element (for example, network element B), this can mean either that network element A receives the information directly from network element B, or that network element A receives the information from network element B through other network elements (for example, network element C).
  • When network element A receives information from network element B through network element C, network element C can either pass the information through transparently or process it, for example by carrying the information in different messages or by filtering it and sending only the filtered information to network element A.
  • Similarly, when network element A sends information to network element B, this can mean that network element A sends the information directly to network element B, or that network element A sends it to network element B through other network elements (for example, network element C).
  • the network architecture and service scenarios described in the embodiments of the present application are intended to more clearly illustrate the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided in the embodiments of the present application. With the evolution of the network architecture and the emergence of new service scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
  • As shown in Figure 3, an embodiment of the present application provides a routing system 300.
  • The routing system 300 includes a terminal 301, an AMF 302, an AUSF 303, and at least one UDM 304 (only one is shown as an example in Figure 3).
  • The UDM 304 is configured to receive a request message for obtaining an authentication vector from the AUSF 303 and to determine, according to the request message, whether it is the UDM to which the user belongs. If it is the user's home UDM, it sends the RI to the AUSF 303 according to local policy; if it is not, it sends a redirect message to the AUSF 303 so that the AUSF 303 redirects the authentication vector request to another UDM, or the UDM 304 itself forwards the authentication vector request message to the other UDM. The UDM 304 is also configured to receive a request message for acquiring user data sent by the AMF 302, carry the RI in the user data acquisition response, and send it to the AMF 302.
  • When the UDM 304 determines that the terminal's RI needs to be updated, it actively sends the RI to the terminal 301 through the AMF 302, so that the terminal 301 can update the RI in its SUCI.
  • The AUSF 303 is configured to send a request message for obtaining an authentication vector to the UDM 304, so as to obtain the RI issued by the UDM 304 in the subsequent procedure, and, after receiving the RI sent by the UDM 304, to send the RI to the AMF 302.
  • If the UDM 304 replies with a redirect message, the AUSF 303 sends a request message for obtaining an authentication vector to the other UDM to request the RI for addressing the user's home UDM.
  • The AMF 302 is configured to receive the RI issued by the AUSF 303 or the UDM 304 and to send the RI to the terminal 301.
  • The terminal 301 is configured to receive the RI from the AMF 302 and to use the RI to update its SUCI information.
  • FIG. 3 only shows the connection relationship between the network elements related to the technical solution in the embodiment of the present application, and there may be other connection relationships between the network elements, which will not be repeated here.
  • The routing system provided in the embodiment of the present application may be applied to the 5G system shown in Figure 2 or to a subsequently evolved system.
  • The terminal 301, AMF 302, AUSF 303, and UDM 304 in Figure 3 may be independent devices, or the functions of several of these network elements may be implemented in one device, for example as different function modules of that device.
  • This is not specifically limited in the embodiments of the present application.
  • the foregoing function module may be a network element in a hardware device, a software function running on a hardware device, or a virtualization function instantiated on a platform (for example, a cloud platform).
  • FIG. 4 is a schematic diagram of a hardware structure of a communication device according to an embodiment of the present application.
  • the communication device 400 includes at least one processor 401, a communication line 402, a memory 403, and at least one communication interface 404.
  • the processor 401 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the programs of the solutions of the present application.
  • the communication line 402 may include a path for transmitting information between the aforementioned components.
  • the communication interface 404 uses any apparatus such as a transceiver to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN), a wireless local area network (WLAN), and the like.
  • the memory 403 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including a compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
  • the memory may exist independently, and is connected to the processor through the communication line 402. The memory can also be integrated with the processor.
  • the memory 403 is configured to store computer execution instructions for executing the solutions in the embodiments of the present application, and the execution is controlled by the processor 401.
  • the processor 401 is configured to execute computer execution instructions stored in the memory 403, so as to implement the routing method provided in the following embodiments of the present application.
  • the computer-executable instructions in the embodiments of the present application may also be referred to as application program codes, which are not specifically limited in the embodiments of the present application.
  • the processor 401 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 4.
  • the communication device 400 may include multiple processors. Each of these processors may be a single-CPU processor or a multi-CPU processor.
  • a processor herein may refer to one or more devices, circuits, and / or processing cores for processing data (such as computer program instructions).
  • FIG. 4 only shows an exemplary hardware structure diagram of a communication device.
  • the communication device 400 may further include other components, which is not limited herein.
  • the above-mentioned communication device 400 may be a general-purpose device or a special-purpose device.
  • the communication device 400 may be a device having a similar structure as in FIG. 4.
  • the embodiment of the present application does not limit the type of the communication device 400.
  • the routing method provided in the embodiment of the present application is applied to a process in which a terminal performs two-way authentication with a network side.
  • the terminal may perform a two-way authentication process with the network side in different scenarios.
  • for example, during registration of the terminal with the network, terminal location update, and terminal call processing. The following describes the routing method in the embodiment of the present application by taking two-way authentication with the network side in the terminal registration scenario as an example.
  • an embodiment of the present application provides a routing method, including the following steps:
  • the terminal sends a registration request message (Registration Request) to the AMF.
  • the AMF receives a registration request message sent by the terminal.
  • the registration request message carries the user's SUCI.
  • the AMF determines the AUSF according to the SUCI.
  • the AMF determines the AUSF according to the SUCI and the first configuration policy.
  • the AMF determines the AUSF according to the SUPI (if the correspondence between the SUCI and the SUPI is stored in the AMF, the SUPI corresponding to the SUCI can be obtained).
  • when the number of users is small and all users belong to one or a few UDMs, the number of AUSFs deployed in the network may accordingly also be small. This is the default case.
  • RI is not used to point to AUSF, and RI is not used to point to UDM.
  • SUCI may not include RI.
  • S502 may be implemented as follows: the AMF selects an AUSF according to the MCC and MNC in the SUCI and the first configuration policy.
  • the first configuration policy is to select the nearest AUSF (or an AUSF in a preset area).
  • the AMF selects the AUSF closest to the current terminal.
  • the AMF selects the AUSF for the user in a polling (round-robin) manner, balancing the load between the AUSFs.
  • the AMF selects an AUSF with a higher priority for the user according to the priority of the AUSF.
  • S502 can be implemented as: AMF determines AUSF according to MCC, MNC and RI in SUCI. As a possible implementation manner, the AMF queries the NRF according to the MCC, MNC, and RI in the SUCI, and then obtains the AUSF corresponding to the MCC, MNC, and RI in the NRF.
  • the AMF sends an authentication request message to the AUSF.
  • the AUSF receives the authentication request message sent by the AMF.
  • the authentication request message carries SUCI.
  • the AMF calls the Nausf_UEAuthentication_AuthenticateRequest service of the AUSF to send an authentication request message to the AUSF.
  • the AUSF network element determines the first UDM according to the SUCI or according to the SUCI and the second configuration policy.
  • S504 is implemented as: the AUSF selects a first UDM according to the MNC and MCC in the SUCI and the second configuration policy (for example, a nearest rule).
  • if the private key stored in each UDM is different, then to prevent the private key needed to decrypt the SUCI from being absent on a UDM selected at random, one default UDM or a set of default UDMs may be deployed, where the one or more default UDMs hold all the private keys used for decryption. In this way, the AUSF preferentially selects the default UDM or a UDM in the default UDM group.
  • S504 is implemented as: AUSF determines the first UDM according to the MNC, MCC, and RI in SUCI.
  • the AUSF may query the NRF according to the MNC, MCC, and RI to obtain the first UDM corresponding to the MNC, MCC, and RI.
  • the AUSF sends a first authentication vector acquisition request to the first UDM network element.
  • the first UDM receives a first authentication vector acquisition request sent by the AUSF.
  • the first authentication vector acquisition request carries SUCI.
  • the first authentication vector acquisition request carries an RI delivery instruction.
  • the AUSF calls the Nudm_UEAuthentication_GetRequest service of the first UDM to send a first authentication vector acquisition request to the first UDM to request to obtain an authentication vector from the first UDM.
  • the first UDM uses the private key to decrypt the SUCI to obtain the plaintext SUPI.
  • the first UDM judges whether it is the home UDM of the user indicated by SUPI, if not, executes S508, and if so, executes S511.
  • the first UDM stores the SUPIs of the users it manages. After the first UDM obtains the user's SUPI, if it finds by query that it does not store that SUPI, the first UDM determines that it is not the home UDM of the user.
  • the first UDM network element sends a redirection message to the AUSF network element.
  • the AUSF receives the redirect message sent by the first UDM.
  • the first UDM returns a Nudm_UEAuthentication_GetResponse service response to send a redirect message to the AUSF.
  • the redirect message carries the plaintext SUPI obtained by decryption by the first UDM.
  • the redirection message may carry the addressing information of the home UDM of the user.
  • the addressing information of the UDM includes, but is not limited to, a Fully Qualified Domain Name (FQDN) of the UDM, an Internet Protocol (IP) address, and the like.
  • the AUSF network element sends a second authentication vector acquisition request to the second UDM network element according to the redirection message.
  • the second UDM receives a second authentication vector acquisition request sent by the AUSF.
  • the AUSF determines the second UDM according to the SUPI, and sends a second authentication vector acquisition request to the second UDM.
  • alternatively, the AUSF queries the NRF according to the MCC, MNC, and RI in the SUCI, and obtains from the NRF the UDM corresponding to the MCC, MNC, and RI. If the redirection message received by the AUSF carries the addressing information of the home UDM of the user indicated by the SUPI, the second UDM is determined according to that addressing information, and a second authentication vector acquisition request is sent to the second UDM.
  • the second authentication vector acquisition request carries an RI delivery instruction.
  • the AUSF calls the Nudm_UEAuthentication_GetRequest service of the second UDM to send a second authentication vector acquisition request to the second UDM.
  • the second UDM sends an RI to the AUSF.
  • the AUSF network element receives the RI sent by the second UDM network element.
  • S510 is implemented as follows: the second UDM returns a Nudm_UEAuthentication_GetResponse service response to send a second authentication vector acquisition response to the AUSF, and the second authentication vector acquisition response carries an RI and an authentication vector (AV).
  • the authentication vector includes parameters such as a random number (RAND) and an authentication token (AUTN).
  • when the second UDM receives the second authentication vector acquisition request, it sends the RI to the AUSF according to the RI delivery instruction carried in the second authentication vector acquisition request. Alternatively, the second UDM may issue the RI whenever it receives the second authentication vector acquisition request. Alternatively, when the second UDM receives the second authentication vector acquisition request sent by the AUSF and finds that the RI in the SUCI carried in the request is not used to indicate a UDM, or that the RI in the request does not match the RI corresponding to the second UDM, the second UDM issues the RI, so that the terminal can subsequently address its home UDM quickly.
  • the embodiment of the present application does not limit the conditions and timing of triggering the second UDM to issue the RI.
  • the first UDM network element sends an RI to the AUSF network element.
  • the AUSF network element receives the RI sent by the first UDM network element.
  • S511 is implemented as follows: the first UDM returns a Nudm_UEAuthentication_GetResponse service response to send a first authentication vector acquisition response to the AUSF network element, and the first authentication vector acquisition response carries an RI and an authentication vector.
  • the embodiment of the present application does not limit the conditions and timing of triggering the first UDM to issue the RI.
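The AUSF-side selection, redirect and RI delivery of S504 to S511, as an added simulation that is not the patent's own code. The SUCI protection scheme is stood in for by a per-key lookup table, and the UDM FQDNs, RIs, key identifiers, SUPI and authentication vector are constructed sample values.

```python
# Added example (not the patent's own code): a simulation of the AUSF/UDM
# routing and redirect procedure of S504 to S511. SUCI concealment is stood in
# for by a per-key lookup table; all names, RIs, keys and SUPIs are constructed.
from dataclasses import dataclass, field

RI_UNUSED = "0000"   # assumption: an RI value that does not point to any UDM


@dataclass
class Suci:
    mcc: str
    mnc: str
    ri: str
    key_id: str        # home network public key identifier
    concealed: str     # scheme output that only the matching private key reveals


@dataclass
class Udm:
    fqdn: str
    ri: str
    private_keys: dict             # key_id -> {concealed: supi}, stand-in for decryption
    subscribers: set               # SUPIs of users whose home UDM this is
    avs: dict = field(default_factory=dict)        # supi -> authentication vector
    directory: dict = field(default_factory=dict)  # supi -> home UDM FQDN, if known

    def decrypt(self, suci):
        # S506: without the matching private key the SUPI cannot be recovered,
        # which is why the default UDM must hold every decryption key
        table = self.private_keys.get(suci.key_id)
        if table is None:
            raise KeyError(f"{self.fqdn} lacks private key {suci.key_id}")
        return table[suci.concealed]

    def get(self, suci, ri_delivery=True):
        """Nudm_UEAuthentication_Get handling: S506/S507, then S508 or S510/S511."""
        supi = self.decrypt(suci)
        if supi not in self.subscribers:
            # S508: redirect carrying the plaintext SUPI and, when known,
            # the addressing information (FQDN) of the home UDM
            return {"redirect": True, "supi": supi,
                    "home_udm": self.directory.get(supi)}
        resp = {"redirect": False, "supi": supi, "av": self.avs[supi]}
        # S510/S511: deliver this UDM's RI when instructed and the RI in the
        # SUCI does not already point at this UDM
        if ri_delivery and suci.ri != self.ri:
            resp["ri"] = self.ri
        return resp


class Ausf:
    def __init__(self, udms, default_udm, nrf, supi_home):
        self.udms = {u.fqdn: u for u in udms}
        self.default = default_udm      # default UDM holding all private keys
        self.nrf = nrf                  # (mcc, mnc, ri) -> UDM FQDN
        self.supi_home = supi_home      # supi -> home UDM FQDN (S509 fallback)

    def select_first_udm(self, suci):
        # S504: NRF lookup when the RI points to a UDM, otherwise the second
        # configuration policy, which prefers the default UDM
        if suci.ri != RI_UNUSED:
            return self.udms[self.nrf[(suci.mcc, suci.mnc, suci.ri)]]
        return self.default

    def authenticate(self, suci):
        first = self.select_first_udm(suci)
        path = [first.fqdn]
        resp = first.get(suci)                                   # S505
        if resp["redirect"]:
            # S509: addressing info from the redirect, else resolve by SUPI
            target = resp["home_udm"] or self.supi_home[resp["supi"]]
            second = self.udms[target]
            path.append(second.fqdn)
            resp = second.get(suci)
        return {"path": path, "av": resp["av"], "ri": resp.get("ri")}


def build_network():
    supi = "imsi-460001234567890"                 # constructed SUPI
    k2_table = {"c-77": supi}                     # constructed concealment table
    udm_a = Udm("udm-a.example", "0001", {"k1": {}, "k2": k2_table}, set(),
                directory={supi: "udm-b.example"})
    udm_b = Udm("udm-b.example", "0002", {"k2": k2_table}, {supi},
                {supi: {"RAND": "aa" * 16, "AUTN": "bb" * 16}})
    nrf = {("460", "00", "0001"): udm_a.fqdn, ("460", "00", "0002"): udm_b.fqdn}
    return Ausf([udm_a, udm_b], udm_a, nrf, {supi: udm_b.fqdn})


def demo_routing():
    ausf = build_network()
    # SUCI with no usable RI: default UDM, redirect to home UDM, RI issued
    before = ausf.authenticate(Suci("460", "00", RI_UNUSED, "k2", "c-77"))
    # same subscriber after updating the SUCI with the issued RI: direct hit
    after = ausf.authenticate(Suci("460", "00", before["ri"], "k2", "c-77"))
    return before, after
```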
  • the AUSF network element determines an integrity verification code of the RI according to an integrity protection key and the RI.
  • in the two-way authentication process, the AUSF generates a key 1 (such as Kausf) related to the two-way authentication, generates an integrity protection key (Kri) according to Kausf and key parameters, and generates an RI integrity verification code (Routing Indicator-Message Authentication Code, RI-MAC) according to the integrity protection key and the RI.
  • the key parameters are a random number in the authentication vector and/or an incremented counter value (Counter).
  • the AUSF may calculate the integrity protection key based on Kausf and the random number in the authentication vector, or based on Kausf and the counter value, or based on Kausf, the random number in the authentication vector, and the counter value.
  • a count increment condition can be set for the counter.
  • the increment condition is that the AUSF receives an integrity protection request message sent by the UDM; that is, each time the AUSF receives an integrity protection request message from the UDM, the AUSF increments the counter.
  • an integrity protection key and a Counter can be used to calculate a Counter-Message Authentication Code (Counter-MAC).
  • AUSF uses this method of RI integrity protection to ensure that RI is not tampered with during air interface transmission, and improves the security of RI transmission.
  • the AUSF sends the RI to an AMF network element.
  • the AMF receives the RI sent by the AUSF.
  • the AUSF sends the RI integrity verification code at the same time it sends the RI to the AMF.
  • if the AUSF uses Kausf and the counter value, or Kausf, the counter value, and the random number, to generate the integrity protection key in S512, the AUSF can also send the counter value (Counter) to the AMF and, optionally, the Counter-MAC to the AMF.
  • the AMF sends an RI to the terminal.
  • the terminal receives the RI sent by the AMF.
  • the AMF sends an RI integrity verification code while sending the RI to the terminal.
  • the AMF sends the counter value (Counter) received from the AUSF to the terminal, so that the terminal can later use the counter value for integrity verification, and, optionally, it can also send the Counter-MAC to the terminal.
  • the network side may use any one of at least the following three ways to implement the process of sending the RI to the terminal:
  • Method 1 AUSF issues RI to the terminal through AMF during the authentication process. Specifically, as shown in FIG. 6, S513 and S514 can be replaced with S613 and S614:
  • the AUSF sends a first authentication response to the AMF.
  • the AMF receives the first authentication response sent by the AUSF.
  • the AUSF returns a Nausf_UEAuthentication_AuthenticateResponse service response and sends a first authentication response to the AMF.
  • the first authentication response carries an RI.
  • the AUSF may carry the RI in the response message of any authentication service (such as an authentication success message or an authentication message of another intermediate procedure) and deliver the RI to the AMF.
  • the RI may also be carried in an EAP packet, which is not limited here.
  • the first authentication response carries an authentication vector; that is, when the AMF invokes the authentication service of the AUSF multiple times, the AUSF sends the first authentication response to the AMF multiple times, and one of the multiple first authentication responses carries the authentication vector.
  • the RI may also be carried in the first authentication response.
  • the first authentication response carries the RI integrity verification code generated in S512.
  • the first authentication response carries Counter and Counter-MAC.
  • the AMF sends an authentication request message for the network to the terminal.
  • the terminal receives an authentication request message for the network sent by the AMF.
  • the authentication request message for the network carries the RI.
  • the authentication request message for the network carries part or all of the parameters in the authentication vector.
  • the authentication request message carries the RI integrity verification code generated in S512.
  • the authentication request message carries Counter and Counter-MAC.
  • the terminal may use some parameters in the received authentication vector (such as a random number in the authentication vector) to authenticate the network.
  • the terminal sends an authentication request response message for the network to the AMF, which the AMF uses to authenticate the terminal, thereby completing the entire two-way authentication process.
  • the AUSF may also send the RI to the AMF in any other interaction between the AUSF and the AMF during the two-way authentication process, which is not limited in this application.
  • Method 2 The network side sends the RI to the terminal based on the SMC mechanism. Specifically, as shown in FIG. 7, S513 and S514 in FIG. 5 may be replaced with S713 and S714:
  • the AUSF sends a second authentication response to the AMF.
  • the AMF receives the second authentication response sent by the AUSF.
  • AUSF returns a Nausf_UEAuthentication_AuthenticateResponse service response, and sends a second authentication response to the AMF.
  • the second authentication response carries the RI.
  • the second authentication response carries the RI integrity verification code generated by the AUSF in S512.
  • the second authentication response carries Counter and Counter-MAC.
  • the AMF sends a NAS SMC message to the terminal.
  • the terminal receives the NAS SMC message sent by the AMF.
  • the NAS SMC message carries the RI.
  • the NAS SMC message carries the RI integrity verification code generated by the AUSF in S512.
  • the NAS SMC message carries Counter and Counter-MAC.
  • the RI can be integrity protected based on the SMC's own integrity protection mechanism.
  • Method 3 The UDM sends the RI to the terminal together with the user subscription data; that is, the condition that triggers the UDM to send the RI is that the UDM receives the user data acquisition request message from the AMF.
  • S507 to S514 in FIG. 5 can be replaced with S807 to S810:
  • the first UDM determines that it is the home UDM of the user indicated by the SUPI, and sends a first authentication vector acquisition response to the AUSF.
  • the first authentication vector acquisition response carries an authentication vector.
  • the terminal and the network side perform two-way authentication according to the specifications defined by 3GPP to ensure the legitimacy of the terminal and the network.
  • the AMF sends a user data acquisition request message to the first UDM.
  • the first UDM receives a user data acquisition request message sent by the AMF.
  • the AMF calls the Nudm_SDM_Get request service of the first UDM to send a user data acquisition request message to the first UDM.
  • the user data acquisition request message carries SUPI.
  • the user data acquisition request message carries an RI integrity protection identifier, which is used to indicate whether the first UDM performs integrity protection on the RI.
  • when the first UDM determines that integrity protection is not performed on the RI, it sends a user data acquisition response to the AMF.
  • the AMF receives the user data acquisition response sent by the first UDM.
  • the first UDM returns a Nudm_SDM_Get response service response to send a user data acquisition response to the AMF.
  • the user data acquisition response carries the RI and the user's subscription data.
  • the user's subscription data includes, but is not limited to, the tariff package and package-related services of the Universal Subscriber Identity Module (USIM) card of the terminal.
  • the first UDM determines whether to protect the RI according to the RI integrity protection identifier carried in the user data acquisition request message.
  • the length of the RI integrity protection identifier is 1 bit, and its value indicates that the first UDM does not perform integrity protection on the RI.
  • the first UDM may determine whether to perform integrity protection on the RI according to its own pre-configured policy, which is not limited in this embodiment of the present application.
  • the above is only an example of the length of the RI integrity protection identifier.
  • the format of the RI integrity protection identifier and the number of bits used, and the meaning of each bit are not limited in the embodiments of the present application.
  • the AMF sends a registration acceptance message (Registration Accept) to the terminal.
  • the registration acceptance message carries the RI.
  • S507 to S514 in FIG. 5 may be specifically replaced with steps S907 to S916 as follows:
  • the first UDM determines that it is not the home UDM of the user indicated by the SUPI, and sends a redirect message to the AUSF.
  • the AUSF sends a second authentication vector acquisition request to the second UDM.
  • when the second UDM determines that it is the home UDM of the user indicated by the SUPI, it sends a second authentication vector acquisition response to the AUSF.
  • the second authentication vector acquisition response carries the authentication vector.
  • the second authentication vector acquisition response also carries the RI.
  • S910: the AUSF determines an RI integrity verification code according to the integrity protection key and the RI.
  • S911: the AMF sends a user data acquisition request message to the second UDM.
  • the second UDM receives a user data acquisition request message sent by the AMF.
  • the AMF calls the Nudm_SDM_Get request service of the second UDM to send a user data acquisition request message to the second UDM.
  • the user data acquisition request message carries SUPI.
  • the user data acquisition request message carries an RI integrity protection identifier.
  • the AUSF receives the integrity protection request message sent by the second UDM, and the message is used to request the RI integrity verification code for the RI.
  • the second UDM determines whether to protect the RI according to the RI integrity protection identifier carried in the user data acquisition request message. For example, when the RI integrity protection identifier is 1 bit and its value is 1, the second UDM determines to perform integrity protection on the RI. Alternatively, the second UDM may determine whether to perform integrity protection on the RI according to its own pre-configured policy, which is not limited in the embodiment of the present application.
  • if the condition that triggers the second UDM to issue the RI to the AUSF is that the second UDM receives the user data acquisition request message, the second UDM carries the RI in the integrity protection request message, for the AUSF to use in generating the RI integrity verification code.
  • the AUSF determines whether an RI integrity verification code has already been generated. If the second authentication vector acquisition response received by the AUSF carried the RI and the AUSF has performed S910 to generate an RI integrity verification code, it sends the RI integrity verification code to the second UDM.
  • the Counter and Counter-MAC may also be sent to the second UDM.
  • no generated RI integrity verification code exists in the following cases:
  • the second UDM does not carry the RI in the second authentication vector acquisition response.
  • the second UDM carries the RI in the second authentication vector acquisition response, and the AUSF receives the RI but does not use the RI to generate an RI integrity verification code.
  • the second UDM sends a user data acquisition response to the AMF, and the user data acquisition response carries the RI and user data.
  • the user data acquisition response carries RI-MAC, Counter, and Counter-MAC.
  • the AMF receives the user data acquisition response sent by the second UDM.
  • the second UDM returns a Nudm_SDM_Get response service response to send a user data acquisition response to the AMF.
  • the AMF sends a registration acceptance message (Registration Accept) to the terminal.
  • the terminal receives the registration acceptance message sent by the AMF.
  • the registration acceptance message carries the RI and the RI integrity verification code.
  • the terminal can also perform S515:
  • the terminal uses the received RI to update SUCI information.
  • Case 1 If the RI received by the terminal is not integrity-protected, the terminal directly uses the RI to update the SUCI information.
  • the terminal includes a Mobile Equipment (ME) module and a USIM card.
  • USIM is used to provide user identification.
  • the terminal can write the updated RI to the ME or the USIM card.
  • the terminal calls the read-write interface to update the RI bit included in the SUCI in the USIM card or the ME to the received RI.
  • Case 2 If the terminal receives the integrity verification code corresponding to the RI, the terminal uses the RI integrity verification code to perform integrity verification on the RI, and only after the integrity verification of the RI succeeds does the terminal use the RI to update the SUCI information. Specifically, the terminal performs the inverse of the operation used to generate the RI integrity verification code: it generates the integrity protection key using Kausf and the key parameters, and then calculates an X-MAC using the generated integrity protection key and the received RI. If the X-MAC is consistent with the value of the RI-MAC received by the terminal, the RI has not been tampered with by a third party, and the terminal uses the RI to update the SUCI information.
  • the key parameters used by the terminal are the same as those used when the AUSF generates the RI integrity verification code. That is, if the AUSF uses the random number in the authentication vector and Kausf to generate the integrity protection key, then when verifying whether the RI has been tampered with by a third party, the terminal also uses the random number in the authentication vector and the Kausf in the terminal to generate the integrity protection key. If the AUSF uses Kausf and the counter value to generate the integrity protection key, the terminal also uses Kausf and the counter value received from the AUSF to calculate the integrity protection key.
  • integrity verification is performed on the counter. If the verification succeeds, the counter has not been tampered with. Then, if the terminal finds that the received counter value is greater than the locally stored counter value, the received counter was newly issued by the network side, and the terminal further performs integrity verification on the RI. After the RI integrity verification passes, the terminal uses the RI to update the SUCI information and, correspondingly, updates the local Counter value.
  • the AUSF sends a first authentication vector acquisition request to the first UDM, and if the AUSF receives the RI sent by the first UDM, it sends the RI to the AMF. Subsequently, the AMF managing the terminal sends the RI to the terminal, so that the terminal can update its own RI and can address the correct UDM when it next accesses the network for authentication.
  • the embodiment of the present application also provides another routing method.
  • the first UDM may also send a second authentication vector acquisition request to the second UDM. Specifically, as shown in FIG. 10, the above S508 to S510 can be replaced with the following steps:
  • the first UDM sends a second authentication vector acquisition request to the second UDM.
  • the first UDM calls the Nudm_UEAuthentication_GetRequest service of the second UDM to send a second authentication vector acquisition request to the second UDM.
  • the second UDM sends a second authentication vector acquisition response to the first UDM.
  • the second UDM returns a Nudm_UEAuthentication_GetResponse service response and sends a second authentication vector acquisition response to the first UDM.
  • the first UDM sends a second authentication vector acquisition response to the AUSF.
  • the first UDM returns a Nudm_UEAuthentication_GetResponse service response and sends a second authentication vector acquisition response to the AUSF.
  • the first UDM can determine a second UDM and directly send a second authentication vector acquisition request to the second UDM, without intermediate forwarding and processing by other network elements, reducing the transmission delay between network elements.
  • This embodiment of the present application also provides another routing method, which is applied to an Over-the-Air (OTA) platform. As shown in FIG. 11, the method includes:
  • An operation and maintenance (OM) device sends a SUPI and an RI to be modified to an OTA platform.
  • the OTA platform modifies the RI information of the corresponding SUPI.
  • the OTA platform sends an SMC message to the terminal, where the SMC message is used to instruct the terminal to update the RI.
  • S1104: the terminal sends an update result to the OTA platform.
  • This embodiment of the present application also provides a routing method. Initially, a user registers with a first UDM, and subsequently migrates to a second UDM due to service requirements. In this scenario, the first UDM actively initiates a RI update process.
  • when the first UDM determines that the RI information of the terminal needs to be modified, it sends the modified RI to the AMF.
  • the modified RI may also be integrity protected.
  • the method includes the following steps:
  • the first UDM determines that the RI information of the terminal needs to be modified, such as the RI modification caused by the user's UDM adjustment.
  • the first UDM determines whether to perform integrity protection on the RI according to the local policy. If not, execute S1203, and if yes, execute S1204.
  • the first UDM sends an RI to the AMF.
  • the AMF receives the RI sent by the first UDM.
  • the first UDM sends an integrity protection request message to the AUSF.
  • the AUSF receives the integrity protection request message sent by the first UDM.
  • the integrity protection request message carries an RI corresponding to the second UDM.
  • the AUSF generates the RI-MAC according to the integrity protection key and the RI corresponding to the second UDM.
  • the Counter-MAC is generated according to the Counter and the integrity protection key.
  • the AUSF sends an integrity protection response to the first UDM.
  • the first UDM receives the integrity protection response sent by the AUSF.
  • the integrity protection response carries an RI-MAC, a Counter (optional), and a Counter-MAC (optional).
  • the first UDM sends a notification message to the AMF.
  • the AMF receives the notification message sent by the first UDM.
  • the first UDM sends a notification message to the AMF using the Nudm_SDM_Notification request service.
  • the notification message carries RI, RI-MAC (optional), Counter (optional), and Counter-MAC (optional).
  • the AMF sends a configuration modification request to the terminal.
  • the terminal receives the configuration modification request sent by the AMF.
  • the configuration modification request carries RI, RI-MAC (optional), Counter (optional), and Counter-MAC (optional).
  • the terminal performs integrity verification on the RI-MAC. After the verification passes, the terminal updates the RI.
  • if the terminal receives the Counter and the Counter-MAC, the terminal first performs integrity verification on the Counter-MAC and confirms that the received Counter value is greater than the locally stored Counter value; after that verification passes, it performs integrity verification on the RI-MAC, finally confirming that the value of the RI has not been tampered with.
  • the terminal sends a configuration modification response to the AMF.
  • the AMF receives a configuration modification response sent by the terminal.
  • the AMF sends a notification response to the first UDM.
  • the first UDM receives the notification response sent by the AMF.
  • the AMF returns a Nudm_SDM_Notification response service response and sends a notification response to the first UDM.
  • the notification response is used to notify the first UDM that the RI update of the terminal is successful.
  • after the terminal updates the RI, optionally, it actively initiates a deregistration process toward the first UDM.
  • the first UDM may initiate a deregistration process. Specifically, the first UDM sends a deregistration notification message to the AMF using the Nudm_UECM_Deregistration Notification service, and the AMF sends a Deregistration Request message to the terminal.
  • the cause value carried in the deregistration request message is RI change, and the terminal receives the deregistration request carrying that cause value.
  • the terminal uses the updated RI to register with the second UDM to which it belongs.
  • the terminal sends a registration request message to the second UDM to request registration to the second UDM.
  • the registration request message carries the RI corresponding to the second UDM.
  • the method flow in FIG. 12 includes steps similar to those in the method flows shown in FIG. 5 to FIG. 11. For a detailed description of these steps, reference may be made to the foregoing, and details are not described herein again.
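The following is an added worked example of the FIG. 12 update, written for this page and not taken from the application or from any 3GPP implementation: the AUSF computes the RI-MAC and the optional Counter / Counter-MAC from the integrity protection key, and the terminal applies the checks in the order the description gives (Counter-MAC, Counter freshness, RI-MAC) before replacing its RI and using it in the registration towards the second UDM. The MAC construction (HMAC-SHA256 over length-prefixed fields), the byte encodings, and the choice to bind the Counter into the RI-MAC are assumptions of the example; the application names no algorithm.

```python
import hashlib
import hmac

# Assumed MAC construction (the application names no algorithm): HMAC-SHA256 over
# length-prefixed fields, so "RI || Counter" cannot be re-split ambiguously.
def mac(key: bytes, *parts: bytes) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Ausf:
    """AUSF side: holds the integrity protection key shared with the UE and a Counter."""

    def __init__(self, k_ausf: bytes):
        self.k_ausf, self.counter = k_ausf, 0

    def integrity_protect(self, ri: bytes, with_counter: bool = True) -> dict:
        """Integrity protection response: RI-MAC plus the optional Counter and Counter-MAC."""
        if not with_counter:
            return {"ri": ri, "ri_mac": mac(self.k_ausf, b"RI", ri)}
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return {
            "ri": ri,
            # assumption of this example: the RI-MAC also binds the Counter
            "ri_mac": mac(self.k_ausf, b"RI", ri, ctr),
            "counter": ctr,
            "counter_mac": mac(self.k_ausf, b"CTR", ctr),
        }


class Terminal:
    """UE side: verifies the configuration modification request relayed by the AMF."""

    def __init__(self, k_ausf: bytes, ri: bytes):
        self.k_ausf, self.ri = k_ausf, ri
        self.counter = 0  # highest Counter value accepted so far

    def handle_config_update(self, req: dict) -> bool:
        ctr = req.get("counter")
        if ctr is not None:
            # Counter-MAC first, then freshness: a replayed request is dropped here
            if not hmac.compare_digest(mac(self.k_ausf, b"CTR", ctr), req["counter_mac"]):
                return False
            if int.from_bytes(ctr, "big") <= self.counter:
                return False
        # RI-MAC: computed the same way the AUSF computed it
        expected = (mac(self.k_ausf, b"RI", req["ri"], ctr) if ctr is not None
                    else mac(self.k_ausf, b"RI", req["ri"]))
        if not hmac.compare_digest(expected, req["ri_mac"]):
            return False
        self.ri = req["ri"]
        if ctr is not None:
            self.counter = int.from_bytes(ctr, "big")
        return True

    def registration_request(self) -> dict:
        """Registration towards the second UDM carries the updated RI."""
        return {"msg": "Registration Request", "ri": self.ri}


if __name__ == "__main__":
    k = bytes(range(32))            # constructed stand-in for the shared integrity key
    ausf, ue = Ausf(k), Terminal(k, b"0000")
    msg = ausf.integrity_protect(b"0012")
    print("update accepted:", ue.handle_config_update(msg))
    print("replay accepted:", ue.handle_config_update(msg))
    print("registers with RI", ue.registration_request()["ri"])
```

Without the Counter the terminal still detects modification of the RI, but an old, genuinely protected message can be replayed to roll the RI back; that is the gap the optional Counter and Counter-MAC close, and why the example checks them before the RI-MAC.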
  • a method for updating parameters in a terminal is provided.
  • the terminals include ME (Mobile Equipment) and USIM.
  • the update parameters mainly include two types: USIM parameters (that is, parameters that need to be updated in the USIM) and ME parameters (that is, parameters that need to be updated in the ME).
  • the USIM parameters are RI information, slice selection parameters, slice ID, public key identification, public key parameters, NSSAI (Network Slice Selection Assistance Information), S-NSSAI (Single Network Slice Selection Assistance Information), Configured NSSAI (Configured Network Slice Selection Assistance Information), Requested NSSAI (Requested Network Slice Selection Assistance Information), closed access group identification, closed group identification, closed user group identification, group identification, user group identification, network group identification and other parameters;
  • the ME parameters are RI information, slice selection parameters, slice ID, public key identification, public key parameters, NSSAI, S-NSSAI, Configured NSSAI, Requested NSSAI, closed access group identification, closed group identification, closed user group identification, group identification, user group identification, network group identification and other parameters.
  • the reason for updating the parameters in the terminal may be: the user's UDM adjustment causes the parameters in the USIM card and / or ME to be modified.
  • the method for updating parameters in the terminal includes:
  • the first UDM sends a first notification message to the AMF.
  • the AMF receives the notification message sent by the first UDM.
  • the first UDM sends a notification message to the AMF using the Nudm_SDM_Notification request service.
  • the first notification message includes update parameters (USIM parameters and / or ME parameters).
  • the first notification message includes a USIM parameter and a first security parameter.
  • the first security parameter is calculated by the first UDM according to the shared key between the first UDM and the USIM and the USIM parameter.
  • the shared key may be an initially configured key or a key generated during authentication, such as an OTA (Over The Air) key, an authentication root key, a CK (Cipher Key), an IK (Integrity Key), an MSK (Master Session Key), an EMSK (Extended Master Session Key), and so on.
  • the first security parameter may include a USIM parameter and a USIM verification parameter.
  • the USIM verification parameter is used by the USIM to verify the correctness of the USIM parameter in the first security parameter.
  • the AMF sends a second notification message to the terminal.
  • the second notification message may be a downlink NAS message.
  • the second notification message carries an update parameter, a first security parameter, an Update-MAC (optional), and a Counter (optional).
  • the terminal receives the second notification message.
  • the terminal updates parameters in the terminal according to the second notification message.
  • the method further includes: the first UDM interacts with the AUSF to obtain an Update MAC.
  • the Update MAC is used to perform integrity protection on USIM parameters.
  • the first UDM interacts with AUSF to obtain Update MAC, including S1305-1307.
  • the first UDM sends a protection request message to the AUSF.
  • the AUSF receives the protection request message sent by the first UDM.
  • the protection request message carries USIM parameters.
  • the protection request message carries a USIM parameter and a first security parameter.
  • the protection request message carries a first security parameter.
  • the protection request message may further include an expected USIM card response.
  • the protection request message may further include an expected UE response.
  • the AUSF generates an Update-MAC according to the protection request message.
  • the AUSF generates an Update-MAC according to a USIM parameter and a first security parameter.
  • the AUSF generates an Update-MAC according to the first security parameter.
  • the AUSF generates an Update-MAC according to a Counter (a counter value stored in the AUSF), a USIM parameter, and a first security parameter.
  • the AUSF generates an Update-MAC according to a protection key, a Counter (a counter value stored by the AUSF), a USIM parameter, and a first security parameter.
  • the AUSF generates an Update-MAC according to the Counter (the count value stored by the AUSF) and the first security parameter.
  • the AUSF generates an Update-MAC according to a protection key, a Counter (a counter value stored by the AUSF), and a first security parameter.
  • the protection key is a key shared by the UE and the AUSF.
  • the protection key here may be an initially configured key, or a key generated during authentication, such as a Kausf key.
  • the AUSF generates a Counter-MAC according to the Counter and the protection key.
  • the Counter-MAC is used to perform integrity protection on the Counter.
  • the input of the calculation parameters of the Counter-MAC may also include the expected USIM response.
  • Counter-MAC calculation parameter input may also include expected UE response
  • the AUSF sends a protection response to the first UDM.
  • the first UDM receives the protection response sent by the AUSF.
  • the protection response carries the Update-MAC.
  • the protection response may further include Counter and / or Counter-MAC.
  • the first notification message sent to the AMF includes the Update-MAC and, optionally, the Counter received from the AUSF. It can be understood that if the first notification message received by the AMF includes the Update-MAC and / or the Counter, the AMF adds these parameters to the second notification message and sends them to the terminal through the second notification message; of course, the received parameters may also be sent to the terminal through other messages.
  • the terminal receives the Update-MAC.
  • the terminal performs integrity verification on the Update-MAC.
  • the USIM parameters are updated.
  • the USIM parameter update includes: the terminal sends the received USIM parameter to the USIM card, so that the USIM updates the internal parameters according to the USIM parameter.
  • the USIM parameter update includes: the terminal sends the first security parameter to the USIM card, and the USIM card verifies the first security parameter. After the authentication is successful, it sends a response message USIM card response to the ME. Of course, after the USIM card successfully verifies the first security parameter, the parameters in the USIM card will be updated.
  • the integrity verification method may be: if the terminal receives the counter, the terminal first checks the counter to confirm that the received counter value is greater than the counter value stored locally. After the verification is passed, the UE-Update-MAC on the terminal side is calculated according to the same calculation method as AUSF. If the UE-Update-MAC is the same as the received Update-MAC, the verification is successful, and finally it is confirmed that the update parameters and the first security parameter have not been tampered with.
  • the integrity verification method may be: the terminal calculates the UE-Update-MAC on the terminal side according to the same calculation method as the AUSF. If the UE-Update-MAC is the same as the received Update-MAC, the verification is successful, and finally it is confirmed that the update parameters and the first security parameter have not been tampered with.
  • the terminal sends feedback to the first UDM.
  • the feedback method specifically includes steps S1308-S1310.
  • S1308 The terminal sends a first feedback message to the AMF.
  • the first feedback message may be an uplink NAS message.
  • the AMF receives an uplink NAS message sent by the terminal.
  • the message includes a UE-Counter-MAC, where the UE-Counter-MAC is the integrity protection of the Counter value received on the UE side.
  • a USIM response is also included; optionally, a response from the UE is also included.
  • the UE-Counter-MAC is generated according to the protection key and the received Counter.
  • the response of the USIM card and / or the response of the UE is also an optional input parameter of the UE-Counter-MAC.
  • the AMF sends a second feedback message to the first UDM.
  • the first UDM receives the notification response sent by the AMF.
  • the message includes a UE-Counter-MAC; optionally, it also includes a USIM response; optionally, it also includes a response from the UE.
  • the AMF returns a Nudm_SDM_Notification response service response and sends a notification response to the first UDM.
  • the first UDM receives a notification message sent by the AMF.
  • the first UDM checks whether the UE-Counter-MAC received is the same as the Counter-MAC received from the AUSF. If they are the same, it means that the UE has finished updating the update parameters and the first security parameter.
  • a method for updating parameters in a terminal is provided.
  • the terminals include ME (Mobile Equipment) and USIM.
  • the update parameters mainly include two types: USIM parameters (that is, parameters that need to be updated in the USIM) and ME parameters (that is, parameters that need to be updated in the ME).
  • the USIM parameters are RI information, slice selection parameters, slice ID, public key identification, public key parameters, NSSAI (Network Slice Selection Assistance Information), S-NSSAI (Single Network Slice Selection Assistance Information), Configured NSSAI (Configured Network Slice Selection Assistance Information), Requested NSSAI (Requested Network Slice Selection Assistance Information), closed access group identification, closed group identification, closed user group identification, group identification, user group identification, network group identification and other parameters;
  • the ME parameters are RI information, slice selection parameters, slice ID, public key identification, public key parameters, NSSAI, S-NSSAI, Configured NSSAI, Requested NSSAI, closed access group identification, closed group identification, closed user group identification, group identification, user group identification, network group identification and other parameters.
  • the reason for updating the parameters in the terminal may be: the user's UDM adjustment causes the parameters in the USIM card and / or ME to be modified.
  • the method for updating parameters in the terminal includes:
  • the first UDM sends a first notification message to the AMF.
  • the AMF receives the notification message sent by the first UDM.
  • the first UDM sends a notification message to the AMF using the Nudm_SDM_Notification request service.
  • the first notification message includes update parameters (USIM parameters and / or ME parameters).
  • the first notification message includes an update parameter and a first security parameter.
  • the first security parameter is calculated by the first UDM according to the shared key between the first UDM and the USIM and the USIM parameter.
  • the shared key may be an initially configured key or a key generated during authentication, for example, at least one of an OTA key, an authentication root key, CK, IK, MSK, and EMSK.
  • the first security parameter may include a USIM parameter and a USIM verification parameter.
  • the USIM verification parameter is used by the USIM to verify the correctness of the USIM parameter in the first security parameter.
  • the AMF sends a second notification message to the terminal.
  • the second notification message may be a downlink NAS message.
  • the second notification message carries an update parameter, a first security parameter (optional), an Update-MAC (optional), and a Counter (optional).
  • the terminal receives the second notification message.
  • the terminal updates parameters in the terminal according to the second notification message.
  • the method further includes: the first UDM interacts with the AUSF to obtain an Update MAC.
  • the Update MAC is used to perform integrity protection on update parameters.
  • the first UDM interacts with AUSF to obtain Update MAC, including S1405-1407.
  • the first UDM sends a protection request message to the AUSF.
  • the AUSF receives the protection request message sent by the first UDM.
  • the first UDM first calculates the first security parameter according to the shared key between the first UDM and the USIM and the USIM parameter.
  • the first security parameter may include a USIM parameter and a USIM verification parameter.
  • the USIM verification parameter is used by the USIM to verify the correctness of the USIM parameter in the first security parameter.
  • the protection request message carries an update parameter and a first security parameter.
  • the protection request message carries update parameters.
  • the protection request message may further include an expected USIM card response.
  • the protection request message may further include an expected UE response.
  • the AUSF generates an Update-MAC according to the protection request message.
  • the AUSF generates an Update-MAC according to an update parameter and / or a first security parameter.
  • the AUSF generates an Update-MAC according to a protection key, a Counter (a counter value stored by the AUSF), and the update parameters.
  • the AUSF generates an Update-MAC according to a protection key, a Counter (a counter value stored by the AUSF), an update parameter, and a first security parameter.
  • the protection key is a key shared by the UE and the AUSF.
  • the protection key here may be an initially configured key, or a key generated during authentication, such as a Kausf key.
  • the AUSF generates a Counter-MAC according to the Counter and the protection key.
  • the Counter-MAC is used to perform integrity protection on the Counter.
  • the input of the calculation parameters of the Counter-MAC may also include the expected USIM response.
  • Counter-MAC calculation parameter input may also include expected UE response
  • the AUSF sends a protection response to the first UDM.
  • the first UDM receives the protection response sent by the AUSF.
  • the protection response carries the Update-MAC.
  • the protection response may further include Counter and / or Counter-MAC.
  • the first notification message sent to the AMF includes the Update-MAC and, optionally, the Counter received from the AUSF. It can be understood that if the first notification message received by the AMF includes the Update-MAC and / or the Counter, the AMF adds these parameters to the second notification message and sends them to the terminal through the second notification message; of course, the received parameters may also be sent to the terminal through other messages.
  • if the terminal receives the Update-MAC, the terminal performs integrity verification on the Update-MAC. After the verification passes, the update parameters are updated.
  • upon receiving the ME parameters in the update parameters, the terminal updates the corresponding parameters stored in the ME. If the second notification message further includes the first security parameter, the first security parameter is sent to the USIM in the terminal.
  • the USIM parameter update includes: the terminal sends the received USIM parameter to the USIM card, so that the USIM updates the internal parameters according to the USIM parameter.
  • the USIM card then sends a USIM card response message to the ME.
  • the USIM parameter update includes: the terminal sends the first security parameter to the USIM card, and the USIM card verifies the first security parameter. After the authentication is successful, it sends a response message USIM card response to the ME. Of course, after the USIM card successfully verifies the first security parameter, the parameters in the USIM card will be updated.
  • the integrity verification method may be: if the terminal receives the counter, the terminal first checks the counter to confirm that the received counter value is greater than the counter value stored locally. After the verification is passed, the UE-Update-MAC on the terminal side is calculated according to the same calculation method as AUSF. If the UE-Update-MAC is the same as the received Update-MAC, the verification is successful, and finally it is confirmed that the update parameters and the first security parameter have not been tampered with.
  • the integrity verification method may be: the terminal calculates the UE-Update-MAC on the terminal side according to the same calculation method as the AUSF. If the UE-Update-MAC is the same as the received Update-MAC, the verification is successful, and finally it is confirmed that the update parameters and the first security parameter have not been tampered with.
  • the terminal sends feedback to the first UDM.
  • the feedback method specifically includes steps S1408-S1410.
  • S1408 The terminal sends a first feedback message to the AMF.
  • the first feedback message may be an uplink NAS message.
  • the AMF receives an uplink NAS message sent by the terminal.
  • the message includes a UE-Counter-MAC, where the UE-Counter-MAC is the integrity protection of the Counter value received on the UE side.
  • a USIM response is also included; optionally, a response from the UE is also included.
  • the UE-Counter-MAC is generated according to the protection key and the received Counter.
  • the USIM response and / or the response of the UE is also an optional input parameter of the UE-Counter-MAC.
  • the AMF sends a second feedback message to the first UDM.
  • the first UDM receives the notification response sent by the AMF.
  • the message includes a UE-Counter-MAC; optionally, it also includes a USIM response; and optionally, it also includes a response from the UE.
  • the AMF returns a Nudm_SDM_Notification response service response and sends a notification response to the first UDM.
  • the first UDM receives a notification message sent by the AMF.
  • the first UDM checks whether the UE-Counter-MAC received is the same as the Counter-MAC received from the AUSF. If they are the same, it means that the UE has completed updating the update parameters and / or the first security parameter.
  • the update parameters may include only ME parameters or only USIM parameters.
  • the update parameters may also include parameters that both the USIM and the ME need to update.
  • the UDM can use the parameters that both the USIM and the ME need to update as input parameters for the calculation of the first security parameter to obtain the first security parameter; meanwhile, it sends this parameter to the AUSF, so that the AUSF can use the parameters that both the USIM and the ME need to update as input of the Update-MAC calculation.
  • the UDM also sends this parameter to the UE, so that the UE uses the parameters that both the USIM and the ME need to update as input for the UE-Update-MAC calculation to obtain the UE-Update-MAC.
  • the UE-Update-MAC is compared with the Update-MAC to verify the correctness of the Update-MAC. If the verification is successful, the related parameters in the ME are updated; in addition, the first security parameter is sent to the USIM.
  • the update parameters may also include parameters that both the USIM and the ME need to update.
  • the UDM can use this parameter as the input parameter for the calculation of the second security parameter to obtain the second security parameter; at the same time, it sends this parameter and the second security parameter to the AUSF, so that the AUSF uses this parameter and the second security parameter as input of the Update-MAC calculation.
  • the UDM also sends the parameters that the USIM and the ME need to update and the second security parameter to the UE.
  • the UE uses the parameters that both the USIM and the ME need to update and the second security parameter as inputs for the UE-Update-MAC calculation to obtain the UE-Update-MAC.
  • the UE-Update-MAC is compared with the Update-MAC to verify the correctness of the Update-MAC. If the verification is successful, the related parameters in the ME are updated; in addition, the first security parameter and the second security parameter are sent to the USIM.
  • the security parameters may include the corresponding parameters and the security verification information. If the security parameters include only the security verification information, the UE needs to send the corresponding parameters and the security parameters to the USIM; in addition, the update parameters also need to retain the USIM parameters.
  • the USIM parameters can also be removed from the update parameters, and only the ME parameters and / or the parameters that both the USIM and the ME need to be updated are included.
  • the UDM may not calculate the first security parameter and / or the second security parameter, and only sends the update parameter to the AUSF, so that the AUSF calculates the Update-MAC according to the update parameter. After that, other processes do not need to reflect the first security parameter and / or the second security parameter.
  • the UDM may also send an indication of whether the UE is required to send a response message to the AUSF.
  • the AUSF uses this indication of whether the UE needs to send a response message as an input to the Update-MAC calculation.
  • the UDM also sends an indication of whether the UE is required to send a response message to the UE.
  • the UE uses the indication of whether the UE needs to send a response message as an input of the UE-Update-MAC calculation, and checks whether the calculated UE-Update-MAC is consistent with the received Update-MAC. If they are consistent, the UE sends a response message to the UDM.
  • the UDM may also send an indication to the AUSF whether the UE needs to re-register.
  • the AUSF uses this indication of whether UE re-registration is required as input for the Update-MAC calculation.
  • the UDM also sends an indication of whether the UE needs to re-register to the UE.
  • the UE uses the indication of whether the UE needs to re-register as an input of the UE-Update-MAC calculation, and checks whether the calculated UE-Update-MAC is consistent with the received Update-MAC. If they are consistent, the UE will then initiate a re-registration process to the UDM.
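An added end-to-end example of the parameter update described in steps S1305-S1310 / S1405-S1410 and the indication variants just above, written for this page and not code from the application or from any network equipment vendor. It shows the two layers the description relies on: the first security parameter, which the UDM derives from the key it shares with the USIM and which only the USIM can verify, and the Update-MAC, which the AUSF derives from the protection key it shares with the UE over the Counter, the update parameters, the first security parameter and the two indications, so that tampering with any of them, including the re-registration indication, fails the UE-Update-MAC comparison; finally the UE-Counter-MAC in the feedback is compared by the UDM with the Counter-MAC it received from the AUSF. HMAC-SHA256, the JSON field encoding and the class and field names are assumptions of the example.

```python
import hashlib
import hmac
import json

# Assumed MAC construction (the application names no algorithm): HMAC-SHA256 over
# length-prefixed fields so that different input layouts cannot collide.
def mac(key: bytes, *parts: bytes) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


def enc(params: dict) -> bytes:
    """Deterministic encoding of a parameter set (assumed; the page fixes no encoding)."""
    return json.dumps(params, sort_keys=True).encode()


class Usim:
    """USIM: shares k_usim (e.g. an OTA key) with the UDM and checks the first security parameter."""

    def __init__(self, k_usim: bytes, params: dict):
        self.k_usim, self.params = k_usim, dict(params)

    def apply(self, first_sec: dict) -> bytes:
        expected = mac(self.k_usim, b"USIM", enc(first_sec["usim_params"]))
        if not hmac.compare_digest(expected, bytes.fromhex(first_sec["usim_verification"])):
            return b"USIM-REJECT"          # USIM card response: verification failed
        self.params.update(first_sec["usim_params"])
        return b"USIM-OK"


class Ausf:
    """AUSF: protection key shared with the UE (e.g. Kausf) plus the stored Counter."""

    def __init__(self, k_ausf: bytes):
        self.k_ausf, self.counter = k_ausf, 0

    def protect(self, req: dict) -> dict:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        upd = mac(self.k_ausf, b"UPD", ctr, enc(req["update_params"]),
                  enc(req["first_sec"]), enc(req["indications"]))
        return {"update_mac": upd, "counter": ctr, "counter_mac": mac(self.k_ausf, b"CTR", ctr)}


class Udm:
    """First UDM: builds the first security parameter, asks the AUSF for protection, checks feedback."""

    def __init__(self, k_usim: bytes, ausf: Ausf):
        self.k_usim, self.ausf, self.pending = k_usim, ausf, None

    def start_update(self, me_params: dict, usim_params: dict, indications: dict) -> dict:
        first_sec = {"usim_params": usim_params,
                     "usim_verification": mac(self.k_usim, b"USIM", enc(usim_params)).hex()}
        prot = self.ausf.protect({"update_params": me_params, "first_sec": first_sec,
                                  "indications": indications})
        self.pending = prot["counter_mac"]   # Counter-MAC expected back as UE-Counter-MAC
        # first notification (Nudm_SDM_Notification) -> AMF -> second notification (downlink NAS)
        return {"update_params": me_params, "first_sec": first_sec, "indications": indications,
                "update_mac": prot["update_mac"], "counter": prot["counter"]}

    def check_feedback(self, fb: dict) -> bool:
        return fb is not None and hmac.compare_digest(fb["ue_counter_mac"], self.pending)


class Terminal:
    """ME + USIM: verifies the Update-MAC, updates ME parameters, hands the USIM part to the USIM."""

    def __init__(self, k_ausf: bytes, usim: Usim, me_params: dict):
        self.k_ausf, self.usim, self.me_params = k_ausf, usim, dict(me_params)
        self.counter, self.reregister = 0, False

    def handle(self, msg: dict):
        ctr = msg["counter"]
        if int.from_bytes(ctr, "big") <= self.counter:
            return None                                  # stale or replayed Counter
        ue_update_mac = mac(self.k_ausf, b"UPD", ctr, enc(msg["update_params"]),
                            enc(msg["first_sec"]), enc(msg["indications"]))
        if not hmac.compare_digest(ue_update_mac, msg["update_mac"]):
            return None                                  # parameters or indications tampered
        self.counter = int.from_bytes(ctr, "big")
        self.me_params.update(msg["update_params"])      # ME parameters
        usim_resp = self.usim.apply(msg["first_sec"])    # USIM parameters, checked by the USIM
        self.reregister = bool(msg["indications"].get("reregister"))
        if not msg["indications"].get("response_required"):
            return None
        return {"ue_counter_mac": mac(self.k_ausf, b"CTR", ctr), "usim_response": usim_resp}


if __name__ == "__main__":
    k_ausf, k_usim = bytes(range(32)), b"\x11" * 16      # constructed stand-in keys
    ausf, usim = Ausf(k_ausf), Usim(k_usim, {"ri": "0000"})
    udm, ue = Udm(k_usim, ausf), Terminal(k_ausf, usim, {"slice_id": "1"})
    fb = ue.handle(udm.start_update({"slice_id": "7"}, {"ri": "0012"},
                                    {"response_required": True, "reregister": True}))
    print("UDM accepts feedback:", udm.check_feedback(fb), "USIM:", fb["usim_response"])
```

The USIM response travels back inside the feedback, so the UDM learns two separate facts: the UE-Counter-MAC match tells it the UE accepted the Update-MAC-protected message, and the USIM response tells it whether the USIM-layer verification also passed. A UDM that does not hold the right USIM key produces a message that the ME accepts but the USIM rejects, which the example's test exercises.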
  • the network element in the embodiment of the present application includes a hardware structure and / or a software module corresponding to each function.
  • the embodiments of this application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is performed by hardware or computer software-driven hardware depends on the specific application of the technical solution and design constraints. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be considered to be beyond the scope of the technical solutions of the embodiments of the present application.
  • each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing unit.
  • the above integrated unit may be implemented in the form of hardware or in the form of software functional unit. It should be noted that the division of the units in the embodiments of the present application is schematic, and is only a logical function division. There may be another division manner in actual implementation.
  • FIG. 13 shows a schematic block diagram of a routing device provided in an embodiment of the present application, where the routing device may be the foregoing terminal or AMF, AUSF, or UDM.
  • the routing device 1300 may exist in the form of software, or may be a chip that can be used in a device.
  • the routing device 1300 includes a processing unit 1302 and a communication unit 1303.
  • the processing unit 1302 may be used to support the terminal to perform S515 in FIG. 5 to FIG. 9, two-way authentication in FIG. 7, FIG. 8, and FIG. 9, S1103 in FIG. 11, and S1209 in FIG. , S1212, S1213, etc., and / or other processes for the schemes described herein.
  • the communication unit 1303 is used to support communication between the terminal and other network elements (such as AMF, etc.), for example, to support the terminal to execute S501 in FIG. 5 to FIG. 9, S514 in FIG. 4, S614 in FIG. 6, and S714, S810 in FIG. 8, S916 in FIG. 9, S514 in FIG. 10, S1102, S1104 in FIG. 11, S1208, S1210 in FIG. 12, and the like.
  • the processing unit 1302 may be used to support the AMF to perform S502 in FIGS. 5 to 9, FIG. 6, FIG. 7, FIG. 8, and FIG. , and / or other processes for the schemes described herein.
  • the communication unit 1303 is configured to support communication between the AMF and other network elements, for example, to support the AMF to perform S501 and S503 in FIGS. 5 to 9 and S513 in FIG. 5.
  • the processing unit 1302 may be used by the AUSF network element to perform S504 as shown in FIG. 5 to FIG. 9 and / or other processes used in the scheme described herein.
  • the communication unit 1303 is, for example, used to support AUSF to perform S503 and S505 in FIG. 5 to FIG. 8 and S613 in FIG. 6.
  • the processing unit 1302 may be used for the UDM network element to perform S506 and the like as shown in FIG. 5 to FIG. 10 and / or other processes for the scheme described herein.
  • the communication unit 1303 is, for example, used to support the UDM to perform S505 in FIG. 5 to FIG. 10, S508 in FIG. 5 to FIG. 7, and the like.
  • the routing device 1300 may further include a storage unit 1301 for storing program code and data of the routing device 1300.
  • the data may include, but is not limited to, original data or intermediate data.
  • the processing unit 1302 may be a controller or the processor 401 or the processor 405 shown in FIG. 4; for example, it may be a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules, and circuits described in connection with the present disclosure.
  • the processor may also be a combination that implements computing functions, such as a combination including one or more microprocessors, a combination of a DSP and a microprocessor, and so on.
  • the communication unit 1303 may be a transceiver, a transceiver circuit, or the communication interface 404 shown in FIG. 4 and the like.
  • the storage unit 1301 may be a memory 403 shown in FIG. 4.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center in a wired (such as coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (such as infrared, radio, microwave, etc.) manner.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, a data center, and the like including one or more available medium integration.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a Digital Video Disc (DVD)), or a semiconductor medium (for example, a solid state disk (Solid State Disk, SSD)) )Wait.
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division into units is only a division by logical function.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, which may be located in one place, or may be distributed to multiple network devices (for example, Terminal device). Some or all of the units may be selected according to actual needs to achieve the objective of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each functional unit may exist independently, or two or more units may be integrated into one unit.
  • the above integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to the technical field of communications, and provides a routing method, apparatus and system that solve the problem of how to update the routing indicator (RI) in a subscription concealed identifier when that RI changes because a user migrates to a new unified data management (UDM) network element. The method comprises: an authentication server function (AUSF) network element sends a first authentication vector acquisition request to a first UDM network element, and if the AUSF network element receives an RI sent by the first UDM network element, the AUSF network element sends the RI to an access and mobility management function (AMF) network element. The method is applied to the RI updating process of a terminal.

Description

Routing method, device and system
This application claims priority to Chinese application No. 201810970120.2, filed on August 23, 2018 and entitled "Routing method, device and system", and to Chinese application No. 201811289488.9, filed on October 31, 2018 and entitled "Routing method, device and system", the entire contents of both of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technologies, and in particular to a routing method, device and system.
Background
Generally, to ensure the security of both the network and the terminal, two-way authentication is performed between the network and the terminal when the terminal accesses the network: the network verifies the legitimacy of the terminal, and the terminal verifies the security of the network. In a Long Term Evolution (LTE) network, before two-way authentication is completed and a security context has been established between the terminal and the network side, the user's International Mobile Subscriber Identifier (IMSI) is transmitted in clear text over the air interface, so an attacker can capture the IMSI from the air interface and use it to mount a series of attacks.
To mitigate attacks that use an IMSI captured from the air interface, fifth-generation (5G) mobile communication technology uses an encrypted subscription concealed identifier (SUCI) in place of the unencrypted subscription permanent identifier (SUPI) or IMSI before two-way authentication is completed. When the terminal accesses the network for authentication, the network needs to address the unified data management (UDM) network element to which the user belongs and obtain the authentication vector from that home UDM. Specifically, in a 5G network, when the terminal accesses the network for authentication, it sends an authentication request to the network device and carries the SUCI in that request. The SUCI contains a routing indicator (RI), which is used to address the UDM to which the user belongs.
Currently, the correspondence between RI and UDM is usually configured statically to ensure that an RI is routed to the corresponding UDM. Such static configuration lacks flexibility, and in many 5G network scenarios it cannot meet the rich service requirements of 5G.
Summary of the invention
The embodiments of the present application provide a routing method, device and system that can change the RI information in the SUCI, so that the UDM to which the user belongs can be addressed more flexibly and the rich service requirements of 5G can be met.
To achieve the above purpose, the embodiments of the present application adopt the following technical solutions:
In a first aspect, an embodiment of the present application provides a routing method that can be applied to an AUSF or to a chip in an AUSF. The method includes: an authentication server function (AUSF) network element sends a first authentication vector acquisition request to a first unified data management (UDM) network element; if the AUSF network element receives a routing indicator (RI) sent by the first UDM network element, it sends the RI to an access and mobility management function (AMF) network element.
In the routing method provided by this embodiment, the AUSF sends the first authentication vector acquisition request to the first UDM, and if the AUSF receives an RI from the first UDM, it sends the RI to the AMF. The AMF that manages the terminal then delivers the RI to the terminal, so that the terminal can update its own RI and address the correct UDM the next time it accesses the network for authentication.
In a possible design, after the AUSF network element sends the first authentication vector acquisition request to the first UDM network element, the AUSF network element may further perform the following steps:
If the AUSF network element receives a redirect message sent by the first UDM network element, the AUSF network element sends a second authentication vector acquisition request to a second UDM network element according to the redirect message; the AUSF network element receives the RI sent by the second UDM network element; and the AUSF network element sends the RI to the AMF network element.
With this routing method, even if the AUSF routes the user's first authentication vector acquisition request to a non-home UDM (the first UDM), the first UDM sends a redirect message to the AUSF, and the AUSF can use that redirect message to perform the next attempt at addressing the user's home UDM, which improves the probability of successful addressing.
In a possible design, to provide integrity protection for the RI, the AUSF network element performs the following steps:
The AUSF network element determines an integrity verification code for the RI from the integrity protection key and the RI; the AUSF network element sends the integrity verification code to the AMF network element.
Optionally, the AUSF may generate the integrity verification code for the RI based on its own preset policy; the preset policy includes, but is not limited to, generating the code upon receiving an RI delivered by a UDM network element. Alternatively, the AUSF network element may generate the integrity verification code for the RI after receiving an integrity protection request message from a UDM network element. Specifically, the AUSF network element receives an integrity protection request message sent by the first UDM network element or the second UDM network element and generates the integrity verification code for the RI when triggered by that message; the integrity protection request message instructs the AUSF to generate an integrity verification code for the RI.
In a second aspect, an embodiment of the present application provides a routing method that can be applied to a UDM or to a chip in a UDM. The method includes:
A first unified data management (UDM) network element receives a first authentication vector acquisition request sent by an authentication server function (AUSF) network element; in response to the first authentication vector acquisition request, the first UDM network element sends a redirect message or a routing indicator (RI) to the AUSF network element.
In a possible design, the case in which the first UDM sends the RI to the AUSF is specifically: when the first UDM network element is the UDM network element to which the user belongs, the first UDM network element sends the RI to the AUSF network element.
In a possible design, the case in which the first UDM sends a redirect message to the AUSF is specifically: when the first UDM network element is not the UDM network element to which the user belongs, the first UDM network element sends a redirect message to the AUSF network element.
In a possible design, the first UDM instructs the AUSF to generate an integrity verification code for the RI during the procedure in which the terminal requests user data. Specifically, the first UDM network element receives a user data acquisition request message sent by the AMF network element; the first UDM network element then sends an integrity protection request message to the AUSF network element, and the integrity protection request message instructs the AUSF network element to generate an integrity verification code for the RI.
In a possible design, after the first UDM network element sends the integrity protection request message to the AUSF network element, the first UDM network element receives the integrity verification code sent by the AUSF network element.
It can be understood that if the AUSF has already generated the integrity verification code for the RI during two-way authentication, then on receiving the integrity protection request message from the first UDM the AUSF sends that RI integrity verification code directly to the first UDM; otherwise, if on receiving the integrity protection request message the AUSF finds that it has not yet generated the integrity verification code for the RI, it generates the code at that time and sends the generated RI integrity verification code to the first UDM.
Here, the first UDM network element sending the RI to the AUSF network element includes: the first UDM network element sending, to the AUSF network element, the RI protected by the integrity verification code.
In a third aspect, an embodiment of the present application provides a routing method that can be applied to a terminal or to a chip in a terminal. The method includes:
The terminal receives a routing indicator (RI) sent by an access and mobility management function (AMF) network element, and uses the RI to update the information of its subscription concealed identifier (SUCI).
With this routing method, the terminal can receive the updated RI delivered by the network side and update the SUCI information it stores; subsequently, the terminal can use the RI contained in the updated SUCI to address the user's home UDM.
In a possible design, where the RI is integrity-protected, if the terminal receives the integrity verification code corresponding to the RI, it uses the integrity verification code to verify the integrity of the RI.
Here, the terminal using the RI to update the SUCI information may be implemented specifically as: if the integrity verification of the RI succeeds, the terminal uses the RI to update the SUCI information.
In a possible design, the terminal receiving the RI sent by the AMF may be implemented specifically as the following step:
The terminal receives a non-access stratum security mode command (NAS SMC) message sent by the AMF, and the NAS SMC message carries the RI.
With this routing method, the AMF can integrity-protect the RI carried in the NAS SMC message using the integrity protection mechanism of the SMC.
In a fourth aspect, an embodiment of the present application provides a routing method that is applied to a UDM or to a UDM chip. The method includes: when the unified data management (UDM) network element to which the user belongs changes from a first UDM to a second UDM, the first UDM network element sends a routing indicator (RI) to an access and mobility management function (AMF) network element.
Here, the RI sent by the first UDM to the AMF is the RI corresponding to the second UDM.
With this routing method, in which the first UDM actively initiates the RI update, once the first UDM learns that the user's home UDM has changed, it can directly deliver the RI corresponding to the updated home UDM (that is, the second UDM) to the AMF, which saves the intermediate signaling procedure and reduces network resource overhead.
In a possible design, if the first UDM determines that integrity protection is needed for the RI, the first UDM may perform the following steps: the first UDM network element sends an integrity protection request message to the AUSF network element, the integrity protection request message instructing the AUSF to generate an integrity verification code for the RI; the first UDM network element receives the integrity verification code for the RI sent by the AUSF network element; and the first UDM sends the integrity verification code to the AMF network element.
In a fifth aspect, an embodiment of the present application provides a routing method that is applied to an AUSF or to an AUSF chip. The method includes:
An authentication server function (AUSF) network element receives an integrity protection request message sent by a first unified data management (UDM) network element, the integrity protection request message carrying a routing indicator (RI); the AUSF network element generates an integrity verification code for the RI from the integrity protection key and the RI; and the AUSF network element sends the integrity verification code to the first UDM network element.
In a sixth aspect, an embodiment of the present application provides a routing method that is applied to a terminal or to a chip of a terminal. The method includes: the terminal receives a routing indicator (RI) sent by an access and mobility management function (AMF) network element; and the terminal uses the RI to update the information of its subscription concealed identifier (SUCI).
In a possible design, if the terminal receives the integrity verification code corresponding to the RI, meaning that the RI has been integrity-protected, the terminal uses the integrity verification code to verify the integrity of the RI.
The terminal using the RI to update the SUCI information is implemented specifically as: if the integrity verification of the RI succeeds, the terminal uses the RI to update the SUCI information.
When the user's home UDM changes from the first UDM to the second UDM, the terminal can deregister its related information from the first UDM and re-register with the second UDM. Optionally, the terminal initiates the re-registration: if the terminal learns that the RI it stores has changed, it registers with the second UDM indicated by the RI. Alternatively, the AMF initiates the re-registration: specifically, the AMF sends a deregistration request message to the terminal, the cause value carried in the deregistration request message indicates an RI change, and after receiving the deregistration request message the terminal registers with the second UDM indicated by the RI.
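The following is an added example, not code from the patent or from Huawei: a Python simulation of the exchange described in the first, second, third and sixth aspects, in which the AUSF is redirected from a non-home UDM to the home UDM, obtains the new RI, attaches an integrity verification code, and the terminal verifies the code before updating the RI in its SUCI. The SUCI field layout, the use of HMAC-SHA256 as the integrity verification code, and the redirect limit are assumptions made for the example; the page does not specify them.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Suci:
    """Constructed model of a SUCI. The page's FIG. 1 names the RI as one of its
    fields; the other field names are assumed for this example."""
    supi_type: int
    home_network_id: str
    routing_indicator: str
    protection_scheme_id: int
    public_key_id: int
    scheme_output: bytes  # concealed subscriber part; treated as an opaque user handle here


def ri_integrity_code(k_int: bytes, ri: str) -> bytes:
    """Integrity verification code over the RI. The page only says the code is
    derived from the integrity protection key and the RI; HMAC-SHA256 is an
    assumption made for this example."""
    return hmac.new(k_int, ri.encode("ascii"), hashlib.sha256).digest()


class Udm:
    """Second aspect: a UDM answers an authentication vector acquisition request
    with its own RI when it is the user's home UDM, otherwise with a redirect."""

    def __init__(self, name: str, ri: str, home_users: set, redirect_to: str):
        self.name, self.ri = name, ri
        self.home_users = home_users
        self.redirect_to = redirect_to  # constructed: where this UDM redirects to

    def auth_vector_request(self, user: bytes) -> dict:
        if user in self.home_users:
            return {"type": "ri", "ri": self.ri, "av": b"constructed-av"}
        return {"type": "redirect", "target": self.redirect_to}


class Ausf:
    """First aspect: follow a redirect to the second UDM, then hand the RI and
    its integrity verification code towards the AMF."""

    def __init__(self, udms: dict, k_int: bytes, max_redirects: int = 3):
        self.udms, self.k_int = udms, k_int
        # Bounding redirects is an assumption, not from the page: it keeps two
        # misconfigured UDMs that point at each other from looping the AUSF.
        self.max_redirects = max_redirects

    def fetch_ri(self, suci: Suci, first_udm: str) -> tuple:
        udm = self.udms[first_udm]
        for _ in range(self.max_redirects + 1):
            resp = udm.auth_vector_request(suci.scheme_output)
            if resp["type"] == "ri":
                return resp["ri"], ri_integrity_code(self.k_int, resp["ri"])
            udm = self.udms[resp["target"]]
        raise RuntimeError("home UDM not found within redirect limit")


class Terminal:
    """Third and sixth aspects: verify the code first, and only then replace the
    RI stored in the SUCI."""

    def __init__(self, suci: Suci, k_int: bytes):
        self.suci, self.k_int = suci, k_int

    def receive_ri(self, ri: str, code: bytes) -> bool:
        expected = ri_integrity_code(self.k_int, ri)
        if not hmac.compare_digest(expected, code):
            return False  # verification failed: keep the old SUCI untouched
        self.suci = replace(self.suci, routing_indicator=ri)
        return True


def run_flow(tamper: bool = False) -> tuple:
    """Drive the whole exchange on constructed data. Returns (accepted, RI now
    stored in the terminal's SUCI). With tamper=True the RI is altered in
    transit, so the terminal must reject it and keep its old RI."""
    k_int = b"constructed-integrity-protection-key"
    user = b"\x00\x01\x02\x03"
    udms = {
        "UDM1": Udm("UDM1", "0001", set(), "UDM2"),   # no longer serves the user
        "UDM2": Udm("UDM2", "0042", {user}, "UDM1"),  # the user's new home UDM
    }
    terminal = Terminal(Suci(0, "46000", "0001", 1, 1, user), k_int)
    ri, code = Ausf(udms, k_int).fetch_ri(terminal.suci, "UDM1")
    if tamper:
        ri = "9999"
    accepted = terminal.receive_ri(ri, code)  # the AMF relay is omitted: it forwards both values
    return accepted, terminal.suci.routing_indicator
```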
In a seventh aspect, an embodiment of the present application provides a routing device provided with a processor and a transceiver. The transceiver is configured to send a first authentication vector acquisition request to a first unified data management (UDM) network element and, if the AUSF network element receives a routing indicator (RI) sent by the first UDM network element, to send the RI to an access and mobility management function (AMF) network element.
In a possible design, the transceiver is further configured to: if a redirect message sent by the first UDM network element is received, send a second authentication vector acquisition request to a second UDM network element according to the redirect message; receive the RI sent by the second UDM network element; and send the RI to the AMF network element.
In a possible design, the processor is configured to determine the integrity verification code for the RI from the integrity protection key and the RI, and the transceiver is further configured to send the integrity verification code to the AMF network element.
In a possible design, the transceiver is further configured to receive an integrity protection request message sent by the first UDM network element or the second UDM network element, the integrity protection request message instructing the AUSF to generate an integrity verification code for the RI.
In an eighth aspect, an embodiment of the present application provides a routing device provided with a processor and a transceiver. The transceiver is configured to receive a first authentication vector acquisition request sent by an authentication server function (AUSF) network element and, in response to the first authentication vector acquisition request, to send a redirect message or a routing indicator (RI) to the AUSF network element.
In a possible design, the transceiver being configured to send the RI to the AUSF network element includes: being configured to send the RI to the AUSF network element when the first UDM network element is the UDM network element to which the user belongs.
In a possible design, the transceiver being configured to send the redirect message to the AUSF network element includes: being configured to send the redirect message to the AUSF network element when the first UDM network element is not the UDM network element to which the user belongs.
In a possible design, the transceiver is further configured to receive a user data acquisition request message sent by the AMF network element and to send an integrity protection request message to the AUSF network element, the integrity protection request message instructing the AUSF network element to generate an integrity verification code for the RI.
In a possible design, the transceiver is further configured to send an integrity protection request message to the AUSF network element and to receive the integrity verification code sent by the AUSF network element; and the transceiver being configured to send the RI to the AUSF network element includes: being configured to send, to the AUSF network element, the RI protected by the integrity verification code.
In a ninth aspect, an embodiment of the present application provides a routing device provided with a processor and a transceiver. The transceiver is configured to receive a routing indicator (RI) sent by an access and mobility management function (AMF) network element, and the processor is configured to use the RI to update the information of the subscription concealed identifier (SUCI).
In a possible design, the processor is further configured to verify the integrity of the RI using the integrity verification code if the transceiver receives the integrity verification code corresponding to the RI; and the processor being configured to use the RI to update the SUCI information includes: being configured to update the SUCI information using the RI if the integrity verification of the RI succeeds.
In a possible design, the transceiver being configured to receive the RI sent by the AMF includes: being configured to receive a non-access stratum security mode command (NAS SMC) message sent by the AMF, the NAS SMC message carrying the RI.
In a tenth aspect, an embodiment of the present application provides a routing device provided with a processor and a transceiver. The transceiver is configured to send a routing indicator (RI) to an access and mobility management function (AMF) network element when the unified data management (UDM) network element to which the user belongs changes from a first UDM to a second UDM.
In a possible design, the transceiver is further configured to send an integrity protection request message to the AUSF network element, the integrity protection request message instructing the AUSF to generate an integrity verification code for the RI; to receive the integrity verification code for the RI sent by the AUSF network element; and to send the integrity verification code to the AMF network element.
In an eleventh aspect, an embodiment of the present application provides a routing device provided with a processor and a transceiver. The transceiver is configured to receive an integrity protection request message sent by a first unified data management (UDM) network element, the integrity protection request message carrying a routing indicator (RI); the processor is configured to generate an integrity verification code for the RI from the integrity protection key and the RI; and the transceiver is further configured to send the integrity verification code to the first UDM network element.
In a twelfth aspect, an embodiment of the present application provides a routing device provided with a processor and a transceiver. The transceiver is configured to receive a routing indicator (RI) sent by an access and mobility management function (AMF) network element, and the processor is configured to use the RI to update the information of the subscription concealed identifier (SUCI).
In a possible design, the processor is further configured to verify the integrity of the RI using the integrity verification code if the transceiver receives the integrity verification code corresponding to the RI; and the processor being configured to use the RI to update the SUCI information includes: being configured to update the SUCI information using the RI if the integrity verification of the RI succeeds.
In a possible design, the processor is further configured to register the terminal with the second UDM indicated by the RI if the RI stored in the terminal changes.
In a possible design, the processor is further configured to register the terminal with the second UDM indicated by the RI if the transceiver receives a deregistration request message sent by the AMF and the cause value carried in the deregistration request message indicates an RI change.
In a thirteenth aspect, an embodiment of the present application provides a routing device that has the function of implementing the routing method of any one of the first to sixth aspects above. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function above.
In a fourteenth aspect, a routing device is provided, including a processor and a memory. The memory is configured to store computer-executable instructions, and when the routing device runs, the processor executes the computer-executable instructions stored in the memory, causing the routing device to perform the routing method of any one of the first to sixth aspects above.
In a fifteenth aspect, a routing device is provided, including a processor. The processor is configured to be coupled to a memory and, after reading the instructions in the memory, to perform, according to the instructions, the routing method of any one of the first to sixth aspects above.
In a sixteenth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores instructions that, when run on a computer, enable the computer to perform the routing method of any one of the first to sixth aspects above.
In a seventeenth aspect, a computer program product containing instructions is provided which, when run on a computer, enables the computer to perform the routing method of any one of the first to sixth aspects above.
In an eighteenth aspect, a circuit system is provided. The circuit system includes a processing circuit configured to perform the routing method of any one of the first to sixth aspects above.
In a nineteenth aspect, a chip is provided. The chip includes a processor, the processor is coupled to a memory, the memory stores program instructions, and when the program instructions stored in the memory are executed by the processor, the routing method of any one of the first to sixth aspects above is implemented.
In a twentieth aspect, a routing system is provided. The routing system includes the terminal (or terminal chip), the AMF (or chip in the AMF), the AUSF (or chip in the AUSF) and the UDM (or chip in the UDM) of the aspects above.
For the technical effects brought by any design of the second to twentieth aspects, refer to the technical effects brought by the different designs of the first aspect, which are not repeated here.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of a SUCI according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a 5G network architecture according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a routing system according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a communication device according to an embodiment of the present application;
FIG. 5 is a flowchart of a routing method according to an embodiment of the present application;
FIG. 6 is a flowchart of a routing method according to an embodiment of the present application;
FIG. 7 is a flowchart of a routing method according to an embodiment of the present application;
FIG. 8 is a flowchart of a routing method according to an embodiment of the present application;
FIG. 9 is a flowchart of a routing method according to an embodiment of the present application;
FIG. 10 is a flowchart of a routing method according to an embodiment of the present application;
FIG. 11 is a flowchart of a routing method according to an embodiment of the present application;
FIG. 12 is a flowchart of a routing method according to an embodiment of the present application;
FIG. 13 is a schematic structural diagram of a routing apparatus according to an embodiment of the present application.
DETAILED DESCRIPTION
First, the technical terms involved in the embodiments of the present application are introduced:
SUPI: the subscriber identifier in 5G, used to represent the subscriber's true identity; its function is similar to that of the IMSI in LTE.
SUCI: in 5G, to avoid the problem that a plaintext SUPI is easily stolen by an attacker, the SUPI is encrypted with a public key, and the resulting ciphertext forms the SUCI. Subsequently, a network-side device can decrypt the SUCI with the private key paired with the encryption public key to obtain the SUPI and learn the subscriber's true identity. FIG. 1 shows the structure of the SUCI as defined in 3GPP 23.003. The SUCI includes a 3-digit mobile country code (MCC), a 3-digit mobile network code (MNC) and an RI. The MCC is used to address the country of the subscriber's home UDM, the MNC is used to address the network to which the subscriber's home UDM belongs (for example, the UDM belongs to China Telecom or to China Unicom), and the RI is used to address the subscriber's home UDM. For a detailed description of the other information contained in the SUCI, refer to the prior art; it is not described further in the embodiments of the present application.
The 5G network architecture involved in the embodiments of the present application is as follows:
As shown in FIG. 2, the system includes a network slice selection function (NSSF), a network exposure function (NEF), a network repository function (NRF), a policy control function (PCF), an application function (AF), unified data management (UDM), an authentication server function (AUSF), a core access and mobility management function (AMF), a session management function (SMF), an access network (AN) network element, where the AN includes a wired access network and a radio access network (RAN), a user plane function (UPF), a data network (DN) network element and other network elements or devices, and a terminal.
The terminal accesses the AN over a wireless (for example, wireless fidelity (WiFi)) or wired connection, and the terminal communicates with the AMF over N1; the AN communicates with the UPF over N3 and with the AMF over N2; the UPF communicates with the SMF over N4 and with the DN network element over N6; the SMF communicates with the AMF over N11 (not shown in FIG. 2), with the UDM over N10 (not shown in FIG. 2) and with the PCF over N7 (not shown in FIG. 2); the AMF communicates with the AUSF over N12 (not shown in FIG. 2), and the AUSF communicates with the UDM over N13 (not shown in FIG. 2).
It can be understood that, according to the deployment requirements of the 5G system, the above network elements may communicate in a particular manner (for example, the terminal communicates with the AMF over N1). Only the communication between the network elements relevant to the technical solutions of the embodiments of the present application is listed above; to simplify the description, the communication between other network elements is not described in the embodiments of the present application.
Optionally, the terminal involved in the embodiments of the present application may include various handheld devices, wearable devices, computing devices or other processing devices connected to a modem that have a communication function, and may also include a personal digital assistant (PDA) computer, a tablet computer, a laptop computer, a machine type communication (MTC) terminal, user equipment (UE) and the like.
Optionally, the names of the network elements in FIG. 2 and the names of the interfaces between them are only examples. In a specific implementation, the network elements or the interfaces between them may have other names, or a network element may also be called an entity; this is not specifically limited in the embodiments of the present application. All or some of the network elements of the core network may be physical network elements or virtualized network elements, which is not limited here.
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings. In the description of the present application, unless otherwise stated, "/" means "or"; for example, A/B may represent A or B. "And/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may represent the three cases: A alone, both A and B, and B alone. In addition, in the description of the present application, unless otherwise stated, "a plurality of" means two or more. Furthermore, to describe the technical solutions of the embodiments clearly, the words "first", "second" and so on are used in the embodiments of the present application to distinguish between identical or similar items whose functions and effects are basically the same. A person skilled in the art will understand that the words "first", "second" and so on do not limit the quantity or the execution order, and that "first" and "second" are not necessarily different.
In the embodiments of the present application, a network element (for example, network element A) obtaining information from another network element (for example, network element B) may mean that network element A receives the information directly from network element B, or that network element A receives the information from network element B via another network element (for example, network element C). When network element A receives information from network element B via network element C, network element C may transparently forward the information or may process it, for example by carrying the information in different messages for transmission or by filtering the information and sending only the filtered information to network element A. Similarly, in the embodiments of the present application, network element A sending information to network element B may mean that network element A sends the information directly to network element B, or that network element A sends the information to network element B via another network element (for example, network element C).
In addition, the network architecture and service scenarios described in the embodiments of the present application are intended to illustrate the technical solutions of the embodiments more clearly and do not constitute a limitation on the technical solutions provided in the embodiments. A person of ordinary skill in the art will know that, as the network architecture evolves and new service scenarios emerge, the technical solutions provided in the embodiments of the present application are equally applicable to similar technical problems.
As shown in FIG. 3, an embodiment of the present application provides a routing system 300. The routing system 300 includes a terminal 301, an AMF 302, an AUSF 303 and at least one UDM 304 (only one is shown in FIG. 3 by way of example).
The UDM 304 is configured to receive a request message for obtaining an authentication vector from the AUSF 303 and to determine, according to the request message, whether it is the subscriber's home UDM. If it is the subscriber's home UDM, it sends an RI to the AUSF 303 according to a local policy; if it is not the subscriber's home UDM, it sends a redirection message to the AUSF 303 so that the AUSF 303 redirects the authentication vector request to another UDM, or the UDM itself sends the request message for obtaining an authentication vector directly to another UDM. The UDM 304 is further configured to receive a request message for obtaining subscriber data sent by the AMF 302, carry the RI in the subscriber data response and deliver the RI to the AMF 302. The UDM 304 is further configured to actively initiate a procedure for updating the terminal's RI after determining that the subscriber's home UDM has changed: specifically, when the UDM 304 determines that the terminal's RI needs to be updated, it actively delivers the RI to the terminal 301 through the AMF 302 so that the terminal 301 updates the RI in the SUCI.
The AUSF 303 is configured to send a request message for obtaining an authentication vector to the UDM 304, so as to obtain the RI delivered by the UDM 304 in the subsequent procedure, and, after receiving the RI sent by the UDM 304, to send the RI to the AMF 302. Alternatively, after receiving the redirection message sent by the UDM 304 shown in FIG. 3, the AUSF 303 sends a request message for obtaining an authentication vector to another UDM according to its own preconfigured policy, to request the RI used to address the subscriber's home UDM.
The AMF 302 is configured to receive the RI delivered by the AUSF 303 or the UDM 304 and to deliver the RI to the terminal 301.
The terminal 301 is configured to receive the RI from the AMF 302 and to update the information in the SUCI using the RI.
It should be noted that FIG. 3 shows only the connections between the network elements relevant to the technical solutions of the embodiments of the present application; other connections may exist between the network elements and are not described here.
The routing system provided in the embodiments of the present application may be applied to the 5G system shown in FIG. 2 or to a subsequently evolved system.
Optionally, the terminal 301, the AMF 302, the AUSF 303 and the UDM 304 in FIG. 3 may each be an independent device, or the functions of the above network elements may be implemented in a single device, for example as different functional modules within one device; this is not specifically limited in the embodiments of the present application. It can be understood that the above functional modules may be network elements in a hardware device, software functions running on a hardware device, or virtualized functions instantiated on a platform (for example, a cloud platform).
For example, the terminal, the AMF, the AUSF or the UDM in the embodiments of the present application may be implemented by the communication device in FIG. 4. FIG. 4 is a schematic diagram of the hardware structure of a communication device according to an embodiment of the present application. The communication device 400 includes at least one processor 401, a communication line 402, a memory 403 and at least one communication interface 404.
The processor 401 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the solutions of the present application.
The communication line 402 may include a path for transferring information between the above components.
The communication interface 404 uses any transceiver-like apparatus to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN) or a wireless local area network (WLAN).
The memory 403 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including a compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto. The memory may exist independently and be connected to the processor through the communication line 402, or the memory may be integrated with the processor.
The memory 403 is configured to store computer-executable instructions for executing the solutions of the embodiments of the present application, and the processor 401 controls their execution. The processor 401 is configured to execute the computer-executable instructions stored in the memory 403, so as to implement the routing method provided in the following embodiments of the present application.
Optionally, the computer-executable instructions in the embodiments of the present application may also be called application program code; this is not specifically limited in the embodiments of the present application.
In a specific implementation, as an embodiment, the processor 401 may include one or more CPUs, for example CPU0 and CPU1 in FIG. 4.
In a specific implementation, as an embodiment, the communication device 400 may include a plurality of processors. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example, computer program instructions).
It can be understood that FIG. 4 shows only an exemplary hardware structure of a communication device. To implement the technical solutions of the embodiments of the present application, the communication device 400 may further include other components; this is not limited in the embodiments of the present application.
The communication device 400 may be a general-purpose device or a special-purpose device. In a specific implementation, the communication device 400 may be a device with a structure similar to that in FIG. 4. The embodiments of the present application do not limit the type of the communication device 400.
It should be noted that the names of the messages exchanged between the network elements and the names of the parameters in those messages in the following embodiments of the present application are only examples; other names may be used in a specific implementation. This is stated here once and is not repeated below.
Optionally, the routing method provided in the embodiments of the present application is applied in procedures related to mutual authentication between the terminal and the network side. The terminal may perform mutual authentication with the network side in different scenarios, for example when the terminal registers with the network, when the terminal's location is updated, or during call handling for the terminal. The routing method of the embodiments of the present application is described below by taking mutual authentication with the network side in the terminal registration scenario as an example.
As shown in FIG. 5, an embodiment of the present application provides a routing method including the following steps:
S501. The terminal sends a registration request message (Registration Request) to the AMF.
Correspondingly, the AMF receives the registration request message sent by the terminal.
The registration request message carries the subscriber's SUCI.
S502. The AMF determines the AUSF according to the SUCI.
Alternatively, the AMF determines the AUSF according to the SUCI and a first configuration policy.
Alternatively, the AMF determines the AUSF according to the SUPI (if the AMF stores a correspondence between the SUCI and the SUPI, it can obtain the SUPI corresponding to the SUCI).
Optionally, in some scenarios, in some countries or regions, the number of subscribers is small and all subscribers belong to one or a few UDMs; correspondingly, the number of AUSFs deployed in the network may also be small, and the RI may be set to a default value. In this case, the RI is used neither to point to an AUSF nor to point to a UDM. Alternatively, in a future evolved scenario in which the RI is not used to indicate the UDM, the SUCI may not contain an RI at all. In these scenarios, S502 may be implemented as: the AMF selects an AUSF according to the MCC and MNC in the SUCI and the first configuration policy.
Optionally, the first configuration policy is to select the nearest AUSF (or an AUSF within a preset area); for example, the AMF selects the AUSF closest to the current terminal. Alternatively, the AMF selects an AUSF for the subscriber in a round-robin manner to balance the load among the AUSFs. Alternatively, the AMF selects an AUSF with a higher priority for the subscriber according to the priorities of the AUSFs.
Optionally, in other scenarios, in some countries or regions, the number of subscribers is large and the subscribers belong to multiple UDMs. Correspondingly, the RI is needed to indicate the AUSF and the UDM to which the subscriber belongs. In this scenario, S502 may be implemented as: the AMF determines the AUSF according to the MCC, MNC and RI in the SUCI. As a possible implementation, the AMF queries the NRF with the MCC, MNC and RI in the SUCI and obtains from the NRF the AUSF corresponding to that MCC, MNC and RI.
S503. The AMF sends an authentication request message to the AUSF.
Correspondingly, the AUSF receives the authentication request message sent by the AMF.
The authentication request message carries the SUCI.
As a possible implementation, the AMF invokes the Nausf_UEAuthentication_Authenticate Request service of the AUSF to send the authentication request message to the AUSF.
S504. The AUSF network element determines a first UDM according to the SUCI, or according to the SUCI and a second configuration policy.
Similar to the procedure by which the AMF determines an AUSF, when the RI in the SUCI is not used to indicate a UDM, S504 is implemented as: the AUSF selects a first UDM according to the MNC and MCC in the SUCI and the second configuration policy (for example, by priority, in a round-robin manner, or by a nearest-first rule). In other implementations, if the private key stored on each UDM differs, then, to prevent the randomly chosen UDM from lacking the private key needed to decrypt the SUCI, one default UDM or a group of default UDMs may be deployed that hold all the private keys used for decryption; in that case the AUSF preferentially selects the default UDM or one UDM in the default UDM group.
When the RI in the SUCI can point to a UDM, S504 is implemented as: the AUSF determines the first UDM according to the MNC, MCC and RI in the SUCI. Of course, the AUSF may query the NRF with the MNC, MCC and RI to obtain the first UDM corresponding to them.
S505. The AUSF sends a first authentication vector acquisition request to the first UDM network element.
Correspondingly, the first UDM receives the first authentication vector acquisition request sent by the AUSF.
The first authentication vector acquisition request carries the SUCI. Optionally, the first authentication vector acquisition request carries an RI delivery indication.
As a possible implementation, the AUSF invokes the Nudm_UEAuthentication_Get Request service of the first UDM to send the first authentication vector acquisition request, requesting an authentication vector from the first UDM.
S506. The first UDM decrypts the SUCI with its private key to obtain the plaintext SUPI.
S507. The first UDM determines whether it is the home UDM of the subscriber indicated by the SUPI; if not, S508 is performed, and if so, S511 is performed.
As a possible implementation, the first UDM stores the SUPIs of the subscribers it manages. After the first UDM obtains the subscriber's SUPI, if a lookup shows that it does not store that SUPI, the first UDM determines that it is not the subscriber's home UDM.
S508. The first UDM network element sends a redirection message to the AUSF network element.
Correspondingly, the AUSF receives the redirection message sent by the first UDM.
As a possible implementation, the first UDM sends the redirection message to the AUSF by returning a Nudm_UEAuthentication_Get Response service response.
Optionally, the redirection message carries the plaintext SUPI obtained by the first UDM's decryption. Alternatively, if the first UDM stores the addressing information of the home UDM of the subscriber indicated by the SUPI, the redirection message may carry the addressing information of the subscriber's home UDM. The addressing information of a UDM includes, but is not limited to, the UDM's fully qualified domain name (FQDN), Internet Protocol (IP) address and the like.
S509、AUSF网元根据所述重定向消息向第二UDM网元发送第二鉴权向量获取请求。S509. The AUSF network element sends a second authentication vector acquisition request to the second UDM network element according to the redirection message.
相应的,第二UDM接收AUSF发送的第二鉴权向量获取请求。Correspondingly, the second UDM receives a second authentication vector acquisition request sent by the AUSF.
可选的,如上文所描述,若AUSF接收的重定向消息携带经第一UDM解密的明文SUPI,则AUSF根据SUPI确定第二UDM,并向该第二UDM发送第二鉴权向量获取请求。作为另一种可能的实现方式,AUSF根据SUCI中的MCC、MNC和RI查询NRF,进而获取NRF中MCC、MNC和RI对应的UDM。若AUSF接收的重定向消息携带SUPI所指示的用户的归属UDM的寻址信息,则根据该用户归属UDM的寻址信息确定第二UDM,并向第二UDM发送第二鉴权向量获取请求。Optionally, as described above, if the redirect message received by the AUSF carries the plaintext SUPI decrypted by the first UDM, the AUSF determines the second UDM according to the SUPI, and sends a second authentication vector acquisition request to the second UDM. As another possible implementation, the AUSF queries the NRF according to the MCC, MNC, and RI in the SUCI, and then obtains the UDM corresponding to the MCC, MNC, and RI in the NRF. If the redirection message received by the AUSF carries the addressing information of the user's home UDM indicated by SUPI, the second UDM is determined according to the addressing information of the user's home UDM, and a second authentication vector acquisition request is sent to the second UDM.
可选的,第二鉴权向量获取请求携带RI下发指示。Optionally, the second authentication vector acquisition request carries an RI delivery instruction.
作为一种可能的实现方式,AUSF调用第二UDM的Nudm_UEAuthentication_Get Request服务向第二UDM发送第二鉴权向量获取请求。As a possible implementation manner, the AUSF calls the Nudm_UEAuthentication_Get Request service of the second UDM to send a second authentication vector acquisition request to the second UDM.
可见,采用上述路由方法,即使AUSF将用户的第一鉴权向量获取请求路由到一个非归属UDM(第一UDM)上,由于该第一UDM向AUSF发送重定向消息,AUSF仍能够根据该重定向消息为用户执行下一次寻址归属UDM的操作,提升了寻址成功的概率。It can be seen that with the above routing method, even if AUSF routes the user's first authentication vector acquisition request to a non-home UDM (first UDM), since the first UDM sends a redirect message to AUSF, AUSF can still The directional message performs the next operation of addressing the home UDM for the user, which improves the probability of successful addressing.
S510. The second UDM sends the RI to the AUSF.
Correspondingly, the AUSF network element receives the RI sent by the second UDM network element.
As a possible implementation manner, S510 is implemented as follows: the second UDM returns a Nudm_UEAuthentication_Get Response service response to send a second authentication vector acquisition response to the AUSF, and the second authentication vector acquisition response carries the RI and an authentication vector (AV). The authentication vector contains parameters such as a random challenge (RAND) and an authentication token (AUTN).
Optionally, when receiving the second authentication vector acquisition request, the second UDM delivers the RI to the AUSF according to the RI delivery indication carried in that request. Alternatively, the second UDM may deliver the RI as soon as it receives the second authentication vector acquisition request. Alternatively, the second UDM delivers the RI when it receives the second vector acquisition request sent by the AUSF and the RI in the SUCI carried in that request is not used to indicate a UDM, or when it receives the second authentication vector acquisition request sent by the AUSF and finds that the RI in the request does not match the RI corresponding to the second UDM; in these cases the RI is delivered so that the terminal can subsequently address its home UDM quickly. The embodiments of the present application do not limit the conditions and timing that trigger the second UDM to deliver the RI.
S511. The first UDM network element sends the RI to the AUSF network element.
Correspondingly, the AUSF network element receives the RI sent by the first UDM network element.
As a possible implementation manner, S511 is implemented as follows: the first UDM returns a Nudm_UEAuthentication_Get Response service response to send a first authentication vector acquisition response to the AUSF network element, and the first authentication vector acquisition response carries the RI and an authentication vector.
Referring to the discussion above, the embodiments of the present application likewise do not limit the conditions and timing that trigger the first UDM to deliver the RI.
(Optional) S512. The AUSF network element determines an integrity verification code of the RI according to an integrity protection key and the RI.
As a possible implementation manner, in the two-way authentication procedure the AUSF generates a key 1 related to two-way authentication (such as Kausf), generates an integrity protection key (Kri) according to Kausf and a key parameter, and generates an RI integrity verification code (Routing Indicator-Message Authentication Code, RI-MAC) according to the integrity protection key and the RI. The key parameter is the random number in the authentication vector and/or an incrementing counter value (Counter). Correspondingly, the AUSF may calculate the integrity protection key according to Kausf and the random number in the authentication vector, or according to Kausf and the counter value, or according to Kausf, the random number in the authentication vector and the counter value.
A counting increment condition may be set for the counter. For example, the increment condition is that the AUSF receives an integrity protection request message sent by a UDM; that is, each time the AUSF receives an integrity protection request message from a UDM, the counter maintained in the AUSF is incremented by 1.
Optionally, in order to protect the counter (Counter) used for the RI update, the integrity protection key and the Counter may be used to calculate a Counter integrity verification code (Counter-Message Authentication Code, Counter-MAC). It should be noted that, for the Counter and Counter-MAC appearing in subsequent embodiments, reference may be made to the explanation in this embodiment.
With this RI integrity protection method, the AUSF generates the RI integrity verification code, which ensures that the RI cannot be tampered with undetected during air interface transmission and improves the security of RI transmission.
S513. The AUSF sends the RI to the AMF network element.
Correspondingly, the AMF receives the RI sent by the AUSF.
Optionally, the AUSF sends the RI integrity verification code together with the RI to the AMF. If, in S512, the AUSF generated the integrity protection key using Kausf and the counter value, or using Kausf, the counter value and the random number, the AUSF may also send the counter value (Counter) to the AMF and, optionally, may also send the Counter-MAC to the AMF.
S514. The AMF sends the RI to the terminal.
Correspondingly, the terminal receives the RI sent by the AMF.
Optionally, the AMF sends the RI integrity verification code together with the RI to the terminal. In the case where the AUSF generated the integrity protection key using Kausf and the counter value, the AMF delivers the counter value (Counter) received from the AUSF to the terminal so that the terminal can subsequently use the counter value to verify the integrity protection; optionally, the AMF may also send the Counter-MAC to the terminal.
In the embodiments of the present application, depending on the timing of message transmission, the network side may use any one of at least the following three methods to implement the procedure of sending the RI to the terminal:
Method 1: the AUSF delivers the RI to the terminal via the AMF during the authentication procedure. Specifically, as shown in FIG. 6, S513 and S514 may be replaced with S613 and S614:
S613. The AUSF sends a first authentication response to the AMF.
Correspondingly, the AMF receives the first authentication response sent by the AUSF.
As a possible implementation manner, the AUSF returns a Nausf_UEAuthentication_Authenticate Response service response to send the first authentication response to the AMF.
The first authentication response carries the RI.
Optionally, in the two-way authentication procedure, if the AMF invokes the authentication service of the AUSF multiple times, the AUSF may carry the RI in the response message of any one of those authentication service invocations (such as the message indicating successful authentication or an authentication message of another intermediate step) and deliver the RI to the AMF in that message.
Optionally, when EAP (Extensible Authentication Protocol) authentication is used, for example EAP-AKA' (Improved Extensible Authentication Protocol Method for Third Generation Authentication and Key Agreement), the RI may be carried inside the EAP packet or outside the EAP packet, which is not limited here.
Optionally, the first authentication response carries an authentication vector; that is, when the AMF invokes the authentication service of the AUSF multiple times, the AUSF sends the first authentication response to the AMF multiple times and carries the authentication vector in one of those first authentication responses. Of course, as described above, the RI may also be carried in that same first authentication response.
Optionally, the first authentication response carries the RI integrity verification code generated in S512. Optionally, the first authentication response carries the Counter and the Counter-MAC.
S614. The AMF sends an authentication request message for the network to the terminal.
Correspondingly, the terminal receives the authentication request message for the network sent by the AMF.
The authentication request message for the network carries the RI.
Optionally, the authentication request message for the network carries some or all of the parameters in the authentication vector. Optionally, the authentication request message carries the RI integrity verification code generated in S512. Optionally, the authentication request message carries the Counter and the Counter-MAC.
The terminal may use some of the parameters in the received authentication vector (for example the random number in the authentication vector) to authenticate the network. When it determines that the network is a legitimate network, the terminal sends an authentication request response message for the network to the AMF, instructing the AMF to authenticate the terminal, thereby completing the entire two-way authentication procedure.
Of course, the AUSF may also deliver the RI to the AMF in any other interaction between the AUSF and the AMF during the two-way authentication procedure, which is not limited in the present application.
Method 2: the network side sends the RI to the terminal based on the SMC mechanism. Specifically, as shown in FIG. 7, S513 and S514 in FIG. 5 may be replaced with S713 and S714:
S713. The AUSF sends a second authentication response to the AMF.
Correspondingly, the AMF receives the second authentication response sent by the AUSF.
As a possible implementation manner, the AUSF returns a Nausf_UEAuthentication_Authenticate Response service response to send the second authentication response to the AMF.
The second authentication response carries the RI.
Optionally, the second authentication response carries the RI integrity verification code generated by the AUSF in S512. Optionally, the second authentication response carries the Counter and the Counter-MAC.
S714. The AMF sends a NAS SMC message to the terminal.
Correspondingly, the terminal receives the NAS SMC message sent by the AMF.
The NAS SMC message carries the RI.
Optionally, the NAS SMC message carries the RI integrity verification code generated by the AUSF in S512. Optionally, the NAS SMC message carries the Counter and the Counter-MAC.
By carrying the RI in the NAS SMC message as described above, the RI can be integrity protected by the SMC mechanism's own integrity protection.
Method 3: the UDM sends the RI to the terminal together with the user subscription data; that is, the condition that triggers the UDM to deliver the RI is that the UDM receives a user data acquisition request message from the AMF. Specifically, taking as an example the case where the first UDM is the user's home UDM and the RI is not integrity protected, as shown in FIG. 8, S507 to S514 in FIG. 5 may be replaced with S807 to S810:
S807. The first UDM determines that it is the home UDM of the user indicated by the SUPI, and sends a first authentication vector acquisition response to the AUSF.
The first authentication vector acquisition response carries an authentication vector.
Afterwards, the AUSF, the AMF and the terminal perform two-way authentication according to the specifications defined by 3GPP, to ensure the legitimacy of both the terminal and the network.
S808. After the two-way authentication procedure, the AMF sends a user data acquisition request message to the first UDM.
Correspondingly, the first UDM receives the user data acquisition request message sent by the AMF.
As a possible implementation manner, the AMF invokes the Nudm_SDM_Get request service of the first UDM to send the user data acquisition request message to the first UDM.
The user data acquisition request message carries the SUPI. Optionally, the user data acquisition request message carries an RI integrity protection identifier, which indicates whether the first UDM is to perform integrity protection on the RI.
S809. If the first UDM determines that integrity protection is not to be performed on the RI, it sends a user data acquisition response to the AMF.
Correspondingly, the AMF receives the user data acquisition response sent by the first UDM.
As a possible implementation manner, the first UDM returns a Nudm_SDM_Get response service response to send the user data acquisition response to the AMF.
The user data acquisition response carries the RI and the user's subscription data. The user's subscription data includes, but is not limited to, the service plan of the terminal's universal subscriber identity module (USIM) card and the services associated with that plan.
Optionally, the first UDM determines whether to protect the RI according to the RI integrity protection identifier carried in the user data acquisition request message. For example, the RI integrity protection identifier is 1 bit long, and when it is set to 0 the first UDM does not perform integrity protection on the RI. Alternatively, the first UDM may determine whether to perform integrity protection on the RI according to its own preconfigured policy, which is not limited in the embodiments of the present application. A 1-bit RI integrity protection identifier is only an example; the specific format of the identifier, the number of bits it uses and the meaning of each bit are not limited in the embodiments of the present application.
S810. The AMF sends a registration accept message (Registration Accept) to the terminal.
The registration accept message carries the RI.
Alternatively, as shown in FIG. 9, in Method 3, in the case where the second UDM is the user's home UDM and the second UDM performs integrity protection on the RI, S507 to S514 in FIG. 5 may specifically be replaced with the following steps S907 to S916:
S907. The first UDM determines that it is not the home UDM of the user indicated by the SUPI, and sends a redirect message to the AUSF.
S908. The AUSF sends a second authentication vector acquisition request to the second UDM.
S909. If the second UDM determines that it is the home UDM of the user indicated by the SUPI, it sends a second authentication vector acquisition response to the AUSF.
The second authentication vector acquisition response carries the authentication vector. Optionally, if the timing and condition that trigger the second UDM to deliver the RI are the receipt of the second authentication vector acquisition request sent by the AUSF, the second authentication vector acquisition response also carries the RI.
(Optional) S910. The AUSF determines the RI integrity verification code according to the integrity protection key and the RI.
For detailed descriptions of S907 to S910, reference may be made to the descriptions of the corresponding steps in the procedures of FIG. 5 to FIG. 8, which are not repeated here.
S911. The AMF sends a user data acquisition request message to the second UDM.
Correspondingly, the second UDM receives the user data acquisition request message sent by the AMF.
As a possible implementation manner, the AMF invokes the Nudm_SDM_Get request service of the second UDM to send the user data acquisition request message to the second UDM.
The user data acquisition request message carries the SUPI. Optionally, the user data acquisition request message carries an RI integrity protection identifier.
S912. If the second UDM determines that integrity protection is to be performed on the RI, it sends an integrity protection request message to the AUSF.
Correspondingly, the AUSF receives the integrity protection request message sent by the second UDM; this message is used to request the RI integrity verification code for the RI.
Optionally, the second UDM determines whether to protect the RI according to the RI integrity protection identifier carried in the user data acquisition request message. For example, when the RI integrity protection identifier is 1 bit long and set to 1, the second UDM determines that integrity protection is to be performed on the RI. Alternatively, the second UDM may determine whether to perform integrity protection on the RI according to its own preconfigured policy, which is not limited in the embodiments of the present application.
Optionally, as described above, there are several possible conditions that trigger the second UDM to deliver the RI to the AUSF. If the condition that triggers the second UDM to deliver the RI to the AUSF is that the second UDM receives the user data acquisition request message, the second UDM carries the RI in the integrity protection request message, and the AUSF uses that RI to generate the RI integrity verification code.
S913. The AUSF determines whether the RI integrity verification code has already been generated. If the second authentication vector acquisition response received by the AUSF carried the RI and the AUSF has already performed S910 to generate the RI integrity verification code, the AUSF sends the RI integrity verification code to the second UDM.
Optionally, when the AUSF sends the RI integrity verification code to the second UDM, it may also deliver the Counter and the Counter-MAC to the second UDM.
S914. If no previously generated RI integrity verification code exists in the AUSF, the AUSF generates the RI integrity verification code and sends the newly generated RI integrity verification code to the second UDM.
Optionally, when the AUSF sends the RI integrity verification code to the second UDM, it may also deliver the Counter and the Counter-MAC to the second UDM.
No previously generated RI integrity verification code exists in the AUSF in the following two cases:
1. The second UDM did not carry the RI in the second authentication vector acquisition response.
2. The second UDM carried the RI in the second authentication vector acquisition response and the AUSF received that RI, but did not use it to generate an RI integrity verification code.
S915. The second UDM sends a user data acquisition response to the AMF; the user data acquisition response carries the RI and the user data. Optionally, the user data acquisition response carries the RI-MAC, the Counter and the Counter-MAC.
Correspondingly, the AMF receives the user data acquisition response sent by the second UDM.
As a possible implementation manner, the second UDM returns a Nudm_SDM_Get response service response to send the user data acquisition response to the AMF.
S916. The AMF sends a registration accept message (Registration Accept) to the terminal.
Correspondingly, the terminal receives the registration accept message sent by the AMF.
The registration accept message carries the RI and the RI integrity verification code.
It should be noted that, after the network side delivers the RI to the terminal by any one of the above three methods, the terminal may further perform S515:
S515. The terminal updates the SUCI information using the received RI.
There are two cases in which the terminal updates the SUCI information in S515:
Case 1: if the RI received by the terminal is not integrity protected, the terminal directly updates the SUCI information with the RI.
Generally, the terminal includes a mobile equipment (ME) module and a USIM card. The ME provides applications and services, and the USIM provides subscriber identification. Correspondingly, the terminal may write the updated RI into the ME or into the USIM card. Specifically, the terminal invokes a read/write interface to update the RI field contained in the SUCI in the USIM card or the ME to the received RI.
Case 2: if the terminal receives the integrity verification code corresponding to the RI, it verifies the integrity of the RI using the RI integrity verification code, and only after the integrity verification of the RI succeeds does the terminal update the SUCI information with the RI. Specifically, the terminal performs the inverse of the operation described above for generating the RI integrity verification code: it generates the integrity protection key from Kausf and the key parameter, and then computes an X-MAC from the generated integrity protection key and the received RI. If the X-MAC is equal to the RI-MAC received by the terminal, the RI has not been tampered with by a third party, and the terminal updates the SUCI information with the RI. The key parameter used by the terminal is the same as the key parameter the AUSF used when generating the RI integrity verification code; that is, if the AUSF generated the integrity protection key from the random number in the authentication vector and Kausf, then when verifying whether the RI has been tampered with by a third party the terminal also generates the integrity protection key from the random number in the authentication vector and the Kausf held in the terminal; and if the AUSF generated the integrity protection key from Kausf and the counter value, the terminal also calculates the integrity protection key from Kausf and the counter value received from the AUSF.
Optionally, when the terminal receives the Counter-MAC, it verifies the integrity of the Counter. If the verification passes, the Counter has not been tampered with; then, if the terminal finds that the received Counter value is greater than the Counter value stored locally in the terminal, the received Counter was newly delivered by the network side, and the terminal goes on to verify the integrity of the RI. After the RI integrity verification passes, the terminal updates the SUCI information with the RI. Correspondingly, the terminal updates its local Counter value.
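The integrity protection generated by the AUSF in S512 and checked by the terminal in S515 (Case 2), together with the Counter-MAC and counter freshness check just described, written out as an added Python example (not code from the patent or its applicant). The patent fixes neither the key derivation nor the MAC algorithm; HMAC-SHA256 is assumed for both, as are the derivation labels, the 16-byte MAC truncation and the class and function names. Kausf, RAND and the RI values in the usage are constructed test values.

```python
"""RI integrity protection between AUSF and terminal (added example, not the patent's code).

HMAC-SHA256 is used as both the KDF and the MAC, an assumption; the patent does
not specify either. Labels, MAC length and all key material are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MAC_LEN = 16  # MAC truncation length, an assumption


def derive_kri(kausf: bytes, rand: Optional[bytes], counter: Optional[int]) -> bytes:
    """Integrity protection key Kri from Kausf and the key parameter (RAND and/or Counter)."""
    if rand is None and counter is None:
        raise ValueError("at least one key parameter (RAND or Counter) is required")
    material = b"RI-integrity"  # derivation label, assumed
    if rand is not None:
        material += b"|RAND=" + rand
    if counter is not None:
        material += b"|CTR=" + counter.to_bytes(4, "big")
    return hmac.new(kausf, material, hashlib.sha256).digest()


def ri_mac(kri: bytes, ri: str) -> bytes:
    """RI-MAC over the Routing Indicator."""
    return hmac.new(kri, b"RI:" + ri.encode("ascii"), hashlib.sha256).digest()[:MAC_LEN]


def counter_mac(kri: bytes, counter: int) -> bytes:
    """Counter-MAC over the counter value."""
    return hmac.new(kri, b"CTR:" + counter.to_bytes(4, "big"), hashlib.sha256).digest()[:MAC_LEN]


@dataclass(frozen=True)
class ProtectedRi:
    """What the terminal receives from the AMF: RI, RI-MAC and optional Counter/Counter-MAC."""
    ri: str
    ri_mac: bytes
    counter: Optional[int] = None
    counter_mac: Optional[bytes] = None


class Ausf:
    def __init__(self, kausf: bytes) -> None:
        self.kausf = kausf
        self.counter = 0  # incremented once per integrity protection request

    def protect_ri(self, ri: str, rand: Optional[bytes] = None,
                   use_counter: bool = True) -> ProtectedRi:
        """S512: derive Kri and compute RI-MAC (plus Counter-MAC when a counter is used)."""
        counter = None
        if use_counter:
            self.counter += 1
            counter = self.counter
        kri = derive_kri(self.kausf, rand, counter)
        return ProtectedRi(
            ri=ri,
            ri_mac=ri_mac(kri, ri),
            counter=counter,
            counter_mac=counter_mac(kri, counter) if counter is not None else None,
        )


class Terminal:
    def __init__(self, kausf: bytes, suci_ri: str) -> None:
        self.kausf = kausf
        self.suci_ri = suci_ri  # RI field of the stored SUCI
        self.counter = 0        # last accepted Counter value

    def verify_and_update(self, msg: ProtectedRi, rand: Optional[bytes] = None) -> bool:
        """S515 Case 2: check Counter-MAC (if present), counter freshness, then the RI-MAC.

        The SUCI RI is updated only when every check passes. The freshness check is
        applied whenever a counter is present, a design choice for this example.
        """
        try:
            kri = derive_kri(self.kausf, rand, msg.counter)
        except ValueError:
            return False  # no key parameter available to rebuild Kri
        if msg.counter is not None:
            if msg.counter_mac is not None and not hmac.compare_digest(
                    counter_mac(kri, msg.counter), msg.counter_mac):
                return False  # Counter tampered with in transit
            if msg.counter <= self.counter:
                return False  # replayed or stale Counter
        x_mac = ri_mac(kri, msg.ri)
        if not hmac.compare_digest(x_mac, msg.ri_mac):
            return False  # RI tampered with in transit
        self.suci_ri = msg.ri
        if msg.counter is not None:
            self.counter = msg.counter
        return True
```

Because the RI-MAC is bound to the counter through Kri, a replayed message fails the freshness check even though its RI-MAC is still valid for the old key; both MAC comparisons use a constant-time compare so that verification time does not leak the position of the first mismatching byte.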
In the routing method provided in the embodiments of the present application, the AUSF sends a first authentication vector acquisition request to the first UDM, and if the AUSF receives the RI sent by the first UDM, it sends the RI to the AMF. Subsequently, the AMF that manages the terminal delivers the RI to the terminal, so that the terminal can update its own RI and can therefore be routed to the correct UDM when it accesses the network for authentication.
It should be noted that, in the embodiments of the present application, the multiple pieces of information exchanged between network elements may be carried in one message or in different messages, which is not limited in the embodiments of the present application.
The embodiments of the present application further provide another routing method. When the first UDM receives the first authentication vector acquisition request and determines that it is not the user's home UDM, the first UDM may itself send the second authentication vector acquisition request to the second UDM. Specifically, as shown in FIG. 10, the above S508 to S510 may be replaced with the following steps:
S1008. The first UDM sends a second authentication vector acquisition request to the second UDM.
As a possible implementation manner, the first UDM invokes the Nudm_UEAuthentication_Get Request service of the second UDM to send the second authentication vector acquisition request to the second UDM.
S1009. The second UDM sends a second authentication vector acquisition response to the first UDM.
As a possible implementation manner, the second UDM returns a Nudm_UEAuthentication_Get Response service response to send the second authentication vector acquisition response to the first UDM.
S1010. The first UDM sends the second authentication vector acquisition response to the AUSF.
As a possible implementation manner, the first UDM returns a Nudm_UEAuthentication_Get Response service response to send the second authentication vector acquisition response to the AUSF.
For detailed descriptions of the second authentication vector acquisition request and the second authentication vector acquisition response, reference may be made to the above, which is not repeated here.
With this routing method, the first UDM can determine a second UDM and send the second authentication vector acquisition request directly to that second UDM, without intermediate forwarding or processing by other network elements, which reduces the transmission delay between network elements.
The embodiments of the present application further provide another routing method, applied to an over-the-air (OTA) platform. As shown in FIG. 11, the method includes:
S1101. An operation and maintenance (OM) device sends the SUPI to be modified and the RI to the OTA platform.
S1102. The OTA platform modifies the RI information of the corresponding SUPI.
For example, the OTA platform sends an SMC message to the terminal, and the SMC message instructs the terminal to update the RI.
S1103. The terminal updates the RI.
S1104. The terminal sends the update result to the OTA platform.
This embodiment of the present application also provides a routing method for the following scenario: a user is initially registered with a first UDM and is later migrated to a second UDM because of service requirements. In this scenario, the first UDM actively initiates the RI update procedure.
For example, if the first UDM determines that the RI information of the terminal needs to be modified, it sends the modified RI to the AMF. Optionally, before sending the modified RI to the AMF, the first UDM may also have the modified RI integrity protected.
Specifically, as shown in FIG. 12, the method includes the following steps:
S1201. The first UDM determines, for some reason, that the RI information of the terminal needs to be modified, for example an RI modification caused by an adjustment of the user's UDM.
S1202. The first UDM determines, according to a local policy, whether to integrity protect the RI. If not, S1203 is performed; if yes, S1204 is performed.
S1203. The first UDM sends the RI to the AMF.
Correspondingly, the AMF receives the RI sent by the first UDM.
S1204. The first UDM sends an integrity protection request message to the AUSF.
Correspondingly, the AUSF receives the integrity protection request message sent by the first UDM.
The integrity protection request message carries the RI corresponding to the second UDM.
S1205. The AUSF generates an RI-MAC according to the integrity protection key and the RI corresponding to the second UDM. Optionally, the AUSF generates a Counter-MAC according to the Counter and the integrity protection key.
S1206. The AUSF sends an integrity protection response to the first UDM.
Correspondingly, the first UDM receives the integrity protection response sent by the AUSF.
The integrity protection response carries the RI-MAC, the Counter (optional), and the Counter-MAC (optional).
S1207. The first UDM sends a notification message to the AMF.
Correspondingly, the AMF receives the notification message sent by the first UDM.
As a possible implementation, the first UDM sends the notification message to the AMF using the Nudm_SDM_Notification request service.
The notification message carries the RI, the RI-MAC (optional), the Counter (optional), and the Counter-MAC (optional).
S1208. The AMF sends a configuration modification request to the terminal.
Correspondingly, the terminal receives the configuration modification request sent by the AMF.
The configuration modification request carries the RI, the RI-MAC (optional), the Counter (optional), and the Counter-MAC (optional).
S1209. The terminal updates the RI.
Optionally, if the terminal receives the RI-MAC corresponding to the RI, the terminal performs integrity verification on the RI-MAC and updates the RI after the verification passes.
Optionally, if the terminal receives the Counter and the Counter-MAC, the terminal first performs integrity verification on the Counter-MAC to confirm that the received Counter value is greater than the locally stored Counter value. After that verification passes, the terminal performs integrity verification on the RI-MAC, and finally confirms that the value of the RI has not been tampered with.
S1210. The terminal sends a configuration modification response to the AMF.
Correspondingly, the AMF receives the configuration modification response sent by the terminal.
S1211. The AMF sends a notification response to the first UDM.
Correspondingly, the first UDM receives the notification response sent by the AMF.
As a possible implementation, the AMF sends the notification response to the first UDM by returning a Nudm_SDM_Notification response service response.
The notification response is used to notify the first UDM that the RI update of the terminal has succeeded.
S1212. A deregistration procedure is performed between the terminal and the first UDM.
After the terminal updates the RI, it may optionally initiate the deregistration procedure with the first UDM on its own.
Alternatively, in another optional implementation, the deregistration procedure in S1212 may be initiated by the first UDM. Specifically, the first UDM sends a re-registration notification message to the AMF using the Nudm_UECM_Deregistration Notification service, and the AMF sends a Deregistration Request message to the terminal, where the cause value carried in the deregistration request message is "RI change". The terminal receives the deregistration request message carrying the cause value "RI change" and completes deregistration from the first UDM.
S1213. The terminal registers with the second UDM to which it belongs using the updated RI.
The terminal sends a registration request message to the second UDM to request registration with the second UDM. The registration request message carries the RI corresponding to the second UDM. For the specific procedure by which the terminal registers with a UDM by initiating a registration request message, refer to the prior art; details are not described again in this embodiment of the present application.
The method flow in FIG. 12 contains steps similar to those in the method flows shown in FIG. 5 to FIG. 11. For a detailed description of these steps, refer to the foregoing; details are not repeated here.
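The FIG. 12 flow modelled end to end, as an added example that is not code from the patent or from its assignee: the AUSF issues RI-MAC and Counter-MAC, the first UDM applies its local policy from S1202, and the terminal verifies in the order given for S1209, rejecting a tampered RI and a replayed Counter. HMAC-SHA256 as the MAC function, the 32-bit Counter encoding, and every key and RI value are assumptions of the example.

```python
import hashlib
import hmac
import struct

def mac(key: bytes, *parts: bytes) -> bytes:
    """MAC over the concatenation of parts. HMAC-SHA256 is an assumption here;
    the patent allows any message authentication code function."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()

def encode_counter(value: int) -> bytes:
    """Counter wire encoding (assumed): 32-bit unsigned big-endian."""
    return struct.pack(">I", value)

def decode_counter(raw: bytes) -> int:
    return struct.unpack(">I", raw)[0]

class Ausf:
    """AUSF: holds the integrity protection key shared with the terminal and the Counter."""
    def __init__(self, k_int: bytes):
        self.k_int = k_int
        self.counter = 0

    def integrity_protect(self, ri: bytes) -> dict:
        """S1205: RI-MAC over the RI; Counter-MAC over a freshly incremented Counter."""
        self.counter += 1
        ctr = encode_counter(self.counter)
        return {"ri_mac": mac(self.k_int, ri),
                "counter": ctr,
                "counter_mac": mac(self.k_int, ctr)}

class FirstUdm:
    """First UDM: applies the local policy of S1202 and builds the S1203/S1207 payload."""
    def __init__(self, ausf: Ausf, protect_ri: bool):
        self.ausf = ausf
        self.protect_ri = protect_ri

    def notification(self, new_ri: bytes) -> dict:
        msg = {"ri": new_ri}
        if self.protect_ri:
            msg.update(self.ausf.integrity_protect(new_ri))   # S1204 to S1206
        return msg

class Terminal:
    """Terminal: stores its RI, the integrity protection key and the last accepted Counter."""
    def __init__(self, ri: bytes, k_int: bytes):
        self.ri = ri
        self.k_int = k_int
        self.counter = 0

    def configuration_modification(self, req: dict) -> str:
        """S1208 to S1210: verify the request as described for S1209 and return the result."""
        ri = req["ri"]
        if "ri_mac" in req:
            if "counter" in req:
                # Order from the text: Counter-MAC first, then freshness, then RI-MAC.
                if not hmac.compare_digest(mac(self.k_int, req["counter"]), req["counter_mac"]):
                    return "counter-mac failure"
                if decode_counter(req["counter"]) <= self.counter:
                    return "counter not fresh"
            if not hmac.compare_digest(mac(self.k_int, ri), req["ri_mac"]):
                return "ri-mac failure"
            if "counter" in req:
                self.counter = decode_counter(req["counter"])
        self.ri = ri    # S1209: RI updated only after every check that applies has passed
        return "success"

def run_ri_update(protect: bool, tamper: bool = False, replay: bool = False) -> tuple:
    """Drive FIG. 12 twice end to end (the AMF is a transparent relay here).
    Returns (terminal response to the second request, RI held by the terminal)."""
    k_int = b"\x11" * 32                   # constructed key; in practice derived during authentication
    ausf = Ausf(k_int)
    udm = FirstUdm(ausf, protect_ri=protect)
    ue = Terminal(ri=b"\x00\x01", k_int=k_int)
    first = udm.notification(b"\x00\x02")  # constructed RI values
    ue.configuration_modification(first)   # legitimate update, accepted
    second = dict(udm.notification(b"\x00\x03"))
    if tamper:
        second["ri"] = b"\x00\x99"         # RI altered between UDM and terminal
    if replay:
        second = dict(first)               # the earlier protected message replayed
    return ue.configuration_modification(second), ue.ri
```

With the local policy set to no protection (S1203), the same altered RI is accepted, which is the case the optional RI-MAC and Counter-MAC exist to close.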
In addition, in another embodiment of the present invention, a method for updating parameters in a terminal is provided.
It can be understood that the terminal includes an ME (Mobile Equipment) and a USIM. The parameters to be updated mainly fall into two classes: USIM parameters (parameters that need to be updated in the USIM) and ME parameters (parameters that need to be updated in the ME).
The USIM parameters are at least one of: RI information, slice selection parameters, slice ID, public key identifier, public key parameters, NSSAI (Network Slice Selection Assistance Information), S-NSSAI (Single-Network Slice Selection Assistance Information), Configured NSSAI (Configured Network Slice Selection Assistance Information), Requested NSSAI (Requested Network Slice Selection Assistance Information), closed access group identifier, closed group identifier, closed user group identifier, group identifier, user group identifier, network group identifier, and other parameters;
The ME parameters are at least one of: RI information, slice selection parameters, slice ID, public key identifier, public key parameters, NSSAI (Network Slice Selection Assistance Information), S-NSSAI (Single-Network Slice Selection Assistance Information), Configured NSSAI (Configured Network Slice Selection Assistance Information), Requested NSSAI (Requested Network Slice Selection Assistance Information), closed access group identifier, closed group identifier, closed user group identifier, group identifier, user group identifier, network group identifier, and other parameters.
It should further be pointed out that the reason for updating the parameters in the terminal may be that an adjustment of the user's UDM causes the parameters in the USIM card and/or the ME to be modified.
Specifically, the method for updating parameters in the terminal includes the following steps:
S1301. The first UDM sends a first notification message to the AMF.
Correspondingly, the AMF receives the notification message sent by the first UDM.
As a possible implementation, the first UDM sends the notification message to the AMF using the Nudm_SDM_Notification request service.
Optionally, the first notification message includes the update parameters (USIM parameters and/or ME parameters).
Optionally, the first notification message includes the USIM parameters and a first security parameter. It should be noted that the first security parameter is calculated by the first UDM from the shared key between the first UDM and the USIM and from the USIM parameters. The shared key may be an initially configured key or a key generated during authentication, for example at least one of an OTA (Over The Air) key, an authentication root key, CK (Cipher Key), IK (Integrity Key), MSK (Master Session Key), and EMSK (Extended Master Session Key). The first security parameter may include the USIM parameters and a USIM verification parameter, where the USIM verification parameter is used by the USIM to verify the correctness of the USIM parameters in the first security parameter.
S1302. The AMF sends a second notification message to the terminal.
The second notification message may be a downlink NAS message.
The second notification message carries the update parameters, the first security parameter, an Update-MAC (optional), and a Counter (optional).
S1303. The terminal receives the second notification message.
S1304. The terminal updates the parameters in the terminal according to the second notification message.
In addition, optionally, before step S1301, the method further includes: the first UDM interacts with the AUSF to obtain an Update MAC. The Update MAC is used to integrity protect the USIM parameters.
Specifically, the interaction of the first UDM with the AUSF to obtain the Update MAC includes S1305 to S1307.
S1305. The first UDM sends a protection request message to the AUSF.
Correspondingly, the AUSF receives the protection request message sent by the first UDM.
Optionally, the protection request message carries the USIM parameters.
Optionally, the protection request message carries the USIM parameters and the first security parameter.
Optionally, the protection request message carries the first security parameter.
Optionally, the protection request message may further include an expected USIM card response;
Optionally, the protection request message may further include an expected UE response.
S1306. The AUSF generates the Update-MAC according to the protection request message.
Optionally, the AUSF generates the Update-MAC according to the USIM parameters and the first security parameter.
Optionally, the AUSF generates the Update-MAC according to the first security parameter.
Optionally, the AUSF generates the Update-MAC according to the Counter (the count value stored by the AUSF), the USIM parameters, and the first security parameter.
Optionally, the AUSF generates the Update-MAC according to the protection key, the Counter (the count value stored by the AUSF), the USIM parameters, and the first security parameter.
Optionally, the AUSF generates the Update-MAC according to the Counter (the count value stored by the AUSF) and the first security parameter.
Optionally, the AUSF generates the Update-MAC according to the protection key, the Counter (the count value stored by the AUSF), and the first security parameter.
The protection key is a key shared by the UE and the AUSF. It may be an initially configured key or a key generated during authentication, for example the Kausf key.
Optionally, the AUSF generates a Counter-MAC according to the Counter and the protection key. The Counter-MAC is used to integrity protect the Counter. It should also be noted that the input parameters of the Counter-MAC calculation may further include the expected USIM response, and may further include the expected UE response.
S1307. The AUSF sends a protection response to the first UDM.
Correspondingly, the first UDM receives the protection response sent by the AUSF.
The protection response carries the Update-MAC.
Optionally, the protection response may further include the Counter and/or the Counter-MAC.
Correspondingly, after receiving the protection response, the first UDM includes the Update-MAC in the first notification message sent to the AMF, and possibly also the Counter received from the AUSF. It can be understood that if the first notification message received by the AMF includes the Update-MAC and/or the Counter, the AMF adds these parameters to the second notification message and sends them to the terminal in the second notification message; the received parameters may of course also be sent to the terminal in other messages.
Correspondingly, if the terminal receives the Update-MAC, the terminal performs integrity verification on the Update-MAC and updates the USIM parameters after the verification passes.
Optionally, updating the USIM parameters includes: the terminal sends the received USIM parameters to the USIM card so that the USIM updates its internal parameters according to the USIM parameters.
Optionally, updating the USIM parameters includes: the terminal sends the first security parameter to the USIM card, and the USIM card verifies the first security parameter. After the verification succeeds, the USIM card sends a response message (the USIM card response) to the ME. Of course, after the USIM card successfully verifies the first security parameter, it updates the parameters in the USIM card.
Optionally, the integrity verification may be performed as follows: if the terminal receives the Counter, the terminal first checks the Counter to confirm that the received Counter value is greater than the locally stored Counter value. After that check passes, the terminal calculates a terminal-side UE-Update-MAC in the same way as the AUSF. If the UE-Update-MAC is identical to the received Update-MAC, the verification succeeds, and it is finally confirmed that the update parameters and the first security parameter have not been tampered with.
Optionally, the integrity verification may be performed as follows: the terminal calculates the terminal-side UE-Update-MAC in the same way as the AUSF. If the UE-Update-MAC is identical to the received Update-MAC, the verification succeeds, and it is finally confirmed that the update parameters and the first security parameter have not been tampered with.
Further optionally, after the terminal has updated the USIM parameters, the terminal sends feedback to the first UDM. Specifically, the feedback method includes steps S1308 to S1310.
S1308. The terminal sends a first feedback message to the AMF.
The first feedback message may be an uplink NAS message.
Correspondingly, the AMF receives the uplink NAS message sent by the terminal.
The message includes a UE-Counter-MAC, which is the integrity protection of the count value received on the UE side. Optionally, it further includes the USIM response; optionally, it further includes the UE response.
The UE-Counter-MAC is generated according to the protection key and the received Counter. Optionally, the USIM card response and/or the UE response are also optional input parameters for generating the UE-Counter-MAC.
S1309. The AMF sends a second feedback message to the first UDM.
Correspondingly, the first UDM receives the notification response sent by the AMF.
The message includes the UE-Counter-MAC; optionally, it further includes the USIM response; optionally, it further includes the UE response.
As a possible implementation, the AMF sends the notification response to the first UDM by returning a Nudm_SDM_Notification response service response.
S1310. The first UDM receives the notification message sent by the AMF.
The first UDM checks whether the received UE-Counter-MAC is identical to the Counter-MAC received from the AUSF. If they are identical, the UE has completed the update of the update parameters and the first security parameter.
In the above procedure, the functions used to calculate the Update-MAC, UE-Update-MAC, Counter-MAC, and UE-Counter-MAC may be any message authentication code function, for example a keyed-hash message authentication code or a key derivation function, without limitation. The above procedure is described for a USIM, but it may equally apply to another UICC, without limitation.
另外,在本发明的另一个实施例中,提供了一种更新终端内参数的方法。In addition, in another embodiment of the present invention, a method for updating parameters in a terminal is provided.
可以理解的是,终端包括ME(Mobile Equipment,移动终端)和USIM。其中,更新参数主要包括两类:USIM参数(即USIM内需要更新的参数)和ME参数(即ME内需要更新的参数)。It can be understood that the terminals include ME (Mobile Equipment) and USIM. Among them, the update parameters mainly include two types: USIM parameters (that is, parameters that need to be updated in the USIM) and ME parameters (that is, parameters that need to be updated in the ME).
其中,USIM参数为RI信息,切片选择参数,切片ID,公钥标识,公钥参数,NSSAI(Network Slice Selection Assistance Information,切片选择辅助信息),S-NSSAI(Single-Network Slice Selection Assistance Information,单个切片选择辅助信息),Configured NSSAI(Configured Network Slice Selection Assistance Information,配置的切片选择辅助信息),Requested NSSAI(Requested Network Slice Selection Assistance Information,请求的切片选择辅助信息),封闭接入群组标识,封闭群组标识,封闭用户群组标识,群组标识,用户群组标识,网络群组标识等参数中的至少一种;Among them, the USIM parameters are RI information, slice selection parameters, slice ID, public key identification, public key parameters, NSSAI (Network Slice Selection Assistant Information), S-NSSAI (Single-Network Slice Selection Assistant Information), single Slice selection assistance information), Configured NSSAI (Configured Network Selection Selection Assistant Information), Requested NSSAI (Requested Network Selection Selection Assistant Information), closed access group identification, closed Group identification, closed user group identification, group identification, user group identification, network group identification and other parameters;
其中,ME参数为RI信息,切片选择参数,切片ID,公钥标识,公钥参数,NSSAI(Network Slice Selection Assistance Information,切片选择辅助信息),S-NSSAI(Single-Network Slice Selection Assistance Information,单个切片选择辅助信息),Configured NSSAI(Configured Network Slice Selection Assistance Information,配置的切片选择辅助信息),Requested NSSAI(Requested Network Slice Selection Assistance Information,请求的切片选择辅助信息),封闭接入群组标识,封闭群组标识,封闭用户群组标识,群组标识,用户群组标识,网络群组标识等参数中的至少一种。Among them, the ME parameters are RI information, slice selection parameters, slice ID, public key identification, public key parameters, NSSAI (Network Slice Selection Assistant Information), S-NSSAI (Single-Network Slice Selection Assistant Information), single Slice selection assistance information), Configured NSSAI (Configured Network Selection Selection Assistant Information), Requested NSSAI (Requested Network Selection Selection Assistant Information), closed access group identification, closed Group identification, closed user group identification, group identification, user group identification, network group identification and other parameters.
另外,进一步需要指出的是,更新终端内参数的原因可以是:用户的UDM调整而导致USIM卡和/或ME内的参数修改。In addition, it should be further pointed out that the reason for updating the parameters in the terminal may be: the user's UDM adjustment causes the parameters in the USIM card and / or ME to be modified.
具体的,所述更新终端内参数的方法包括:Specifically, the method for updating parameters in the terminal includes:
S1401、第一UDM向AMF发送第一通知消息。S1401. The first UDM sends a first notification message to the AMF.
相应的,AMF接收第一UDM发送的通知消息。Correspondingly, the AMF receives the notification message sent by the first UDM.
作为一种可能的实现方式,第一UDM使用Nudm_SDM_Notification request服务向AMF发送通知消息。As a possible implementation manner, the first UDM sends a notification message to the AMF using the Nudm_SDM_Notification request service.
可选的,所述第一通知消息包括更新参数(USIM参数和/或ME参数)。Optionally, the first notification message includes update parameters (USIM parameters and / or ME parameters).
可选的,所述第一通知消息包括更新参数和第一安全参数。其中,需要指出的是,第一安全参数是第一UDM根据第一UDM与USIM之间的共享密钥和USIM参数计算得到的。所述共享密钥可以为初始配置的密钥或者认证中生成的密钥,例如OTA密钥,认证根密钥,CK,IK,MSK,EMSK等的至少一项。所述第一安全参数可以包括USIM参数和USIM 校验参数。其中USIM校验参数用于USIM校验第一安全参数中USIM参数的正确性。Optionally, the first notification message includes an update parameter and a first security parameter. It should be noted that the first security parameter is calculated by the first UDM according to the shared key between the first UDM and the USIM and the USIM parameter. The shared key may be an initially configured key or a key generated during authentication, for example, at least one of an OTA key, an authentication root key, CK, IK, MSK, and EMSK. The first security parameter may include a USIM parameter and a USIM verification parameter. The USIM verification parameter is used by the USIM to verify the correctness of the USIM parameter in the first security parameter.
S1402、AMF向终端发送第二通知消息;S1402. The AMF sends a second notification message to the terminal.
其中,该第二通知消息可以是下行NAS消息。The second notification message may be a downlink NAS message.
该第二通知消息携带更新参数、第一安全参数(可选的)、Update-MAC(可选的)、Counter(可选的)。The second notification message carries an update parameter, a first security parameter (optional), an Update-MAC (optional), and a Counter (optional).
S1403、所述终端接收所述第二通知消息;S1403. The terminal receives the second notification message.
S1404、所述终端根据所述第二通知消息对所述终端内的参数进行更新。S1404. The terminal updates parameters in the terminal according to the second notification message.
另外,可选的,在步骤S1301之前,所述方法还包括:第一UDM与AUSF进行交互以获取Update MAC。所述Update MAC用于对更新参数进行完整性保护。In addition, optionally, before step S1301, the method further includes: the first UDM interacts with the AUSF to obtain an Update MAC. The Update MAC is used to perform integrity protection on update parameters.
具体的所述第一UDM与AUSF进行交互以获取Update MAC,包括S1405-1407.Specifically, the first UDM interacts with AUSF to obtain Update MAC, including S1405-1407.
S1405、所述第一UDM向AUSF发送保护请求消息。S1405. The first UDM sends a protection request message to the AUSF.
相应的,AUSF接收第一UDM发送的保护请求消息。Correspondingly, the AUSF receives the protection request message sent by the first UDM.
可选的,若更新参数中包括USIM参数,则第一UDM首先根据第一UDM与USIM的共享密钥和USIM参数,计算得到第一安全参数。所述安全参数1可以包括USIM参数和USIM校验参数。其中USIM校验参数用于USIM校验安全参数中USIM参数的正确性。Optionally, if the USIM parameter is included in the update parameter, the first UDM first calculates the first security parameter according to the shared key of the first UDM and the USIM and the USIM parameter. The security parameter 1 may include USIM parameters and USIM verification parameters. The USIM verification parameter is used for correctness of the USIM parameter in the USIM verification security parameter.
可选的,该保护请求消息携带更新参数和第一安全参数。Optionally, the protection request message carries an update parameter and a first security parameter.
可选的,该保护请求消息携带更新参数。Optionally, the protection request message carries update parameters.
可选的,该保护请求消息中还可能包括期望的USIM卡响应;Optionally, the protection request message may further include a desired USIM card response;
可选的,该保护请求消息中还可能包括期望的UE响应。Optionally, the protection request message may further include a desired UE response.
S1406、所述AUSF根据所述保护请求消息生成Update-MAC。S1406. The AUSF generates an Update-MAC according to the protection request message.
可选的,所述AUSF根据更新参数和/或第一安全参数生成Update-MAC。Optionally, the AUSF generates an Update-MAC according to an update parameter and / or a first security parameter.
可选的,所述AUSF根据保护密钥,Counter(AUSF存储的计数值),更新参数生成Update-MAC。Optionally, the AUSF generates an Update-MAC by updating parameters according to a protection key and a Counter (a counter value stored by the AUSF).
可选的,所述AUSF根据保护密钥,Counter(AUSF存储的计数值),更新参数和第一安全参数生成Update-MAC。Optionally, the AUSF generates an Update-MAC according to a protection key, a Counter (a counter value stored by the AUSF), an update parameter, and a first security parameter.
其中保护密钥为UE与AUSF共享的密钥,这里保护密钥可以为初始配置的密钥,或者认证中生成的密钥,例如Kausf密钥等。The protection key is a key shared by the UE and the AUSF. The protection key here may be an initially configured key, or a key generated during authentication, such as a Kausf key.
可选的,AUSF根据所述Counter和保护密钥生成Counter-MAC。所述Counter-MAC用于对所述Counter进行完整性保护。另外,需要指出的是,Counter-MAC的计算参数输入还可能包括期望的USIM响应。Counter-MAC的计算参数输入还可能包括期望的UE响应Optionally, the AUSF generates a Counter-MAC according to the Counter and the protection key. The Counter-MAC is used to perform integrity protection on the Counter. In addition, it should be noted that the input of the calculation parameters of the Counter-MAC may also include the expected USIM response. Counter-MAC calculation parameter input may also include expected UE response
S1407、所述AUSF向第一UDM发送保护响应。S1407. The AUSF sends a protection response to the first UDM.
相应的,第一UDM接收AUSF发送的保护响应。Correspondingly, the first UDM receives the protection response sent by the AUSF.
其中,保护响应携带Update-MAC。The protection response carries the Update-MAC.
可选的,所述保护响应还可能包括Counter和/或Counter-MAC。Optionally, the protection response may further include Counter and / or Counter-MAC.
相应的,第一UDM接收到保护响应之后,在向AMF发送的第一通知消息中包括Update-MAC。当然,也有可能还会包括从AUSF接收到的Counter。可以理解的是,如果 AMF接收到的第一通知消息中包括Update-MAC和/或Counter,那么AMF会将这些参数添加在第二通知消息中,通过第二通知消息发送给所述终端;当然也有可能通过其他消息将接收到的参数发送给所述终端。Correspondingly, after the first UDM receives the protection response, the first notification message sent to the AMF includes Update-MAC. Of course, it is also possible to include the Counter received from AUSF. It can be understood that if the first notification message received by the AMF includes Update-MAC and / or Counter, the AMF will add these parameters to the second notification message and send it to the terminal through the second notification message; of course It is also possible to send the received parameters to the terminal through other messages.
相应的,如果终端接收到Update-MAC,则终端对Update-MAC进行完整性验证,验证通过后,会进行更新参数的更新。Correspondingly, if the terminal receives the Update-MAC, the terminal performs integrity verification on the Update-MAC. After the authentication is passed, the update parameters are updated.
根据接收到更新参数中的ME参数,终端更新ME内存储的对应参数。若第二通知消息中还包含第一安全参数,则发送第一安全参数至终端内USIM。Upon receiving the ME parameters in the update parameters, the terminal updates the corresponding parameters stored in the ME. If the second notification message further includes the first security parameter, the first security parameter is sent to the USIM in the terminal.
可选的,USIM参数更新包括:终端会把接收到的USIM参数发送给USIM卡以使得所述USIM按照所述USIM参数进行内部参数的更新。之后USIM卡会向ME发送响应消息USIM卡响应。Optionally, the USIM parameter update includes: the terminal sends the received USIM parameter to the USIM card, so that the USIM updates the internal parameters according to the USIM parameter. The USIM card will then send a response message to the ME to respond to the USIM card.
可选的,USIM参数更新包括:终端把第一安全参数发送给USIM卡,USIM卡对所述第一安全参数进行验证,验证成功之后,会向ME发送响应消息USIM卡响应。当然,USIM卡对所述第一安全参数验证成功后,会更新USIM卡中的参数。Optionally, the USIM parameter update includes: the terminal sends the first security parameter to the USIM card, and the USIM card verifies the first security parameter. After the authentication is successful, it sends a response message USIM card response to the ME. Of course, after the USIM card successfully verifies the first security parameter, the parameters in the USIM card will be updated.
可选的,完整性验证的方式可以为:若终端接收到Counter、则终端先对Counter进行校验,以确认接收到的Counter值大于本地存储的Counter值。验证通过后,按照与AUSF相同的计算方式,计算终端侧的UE-Update-MAC。若UE-Update-MAC与接收到的Update-MAC相同,则验证成功,最终确认更新参数和第一安全参数未遭受篡改。Optionally, the integrity verification method may be: if the terminal receives the counter, the terminal first checks the counter to confirm that the received counter value is greater than the counter value stored locally. After the verification is passed, the UE-Update-MAC on the terminal side is calculated according to the same calculation method as AUSF. If the UE-Update-MAC is the same as the received Update-MAC, the verification is successful, and finally it is confirmed that the update parameters and the first security parameter have not been tampered with.
可选的,完整性验证的方式可以为:终端按照与AUSF相同的计算方式,计算终端侧的UE-Update-MAC。若UE-Update-MAC与接收到的Update-MAC相同,则验证成功,最终确认更新参数和第一安全参数未遭受篡改。Optionally, the integrity verification method may be: the terminal calculates the UE-Update-MAC on the terminal side according to the same calculation method as the AUSF. If the UE-Update-MAC is the same as the received Update-MAC, the verification is successful, and finally it is confirmed that the update parameters and the first security parameter have not been tampered with.
Further optionally, after the terminal has updated the USIM parameters, the terminal sends feedback to the first UDM. Specifically, the feedback method includes steps S1408 to S1410.
S1408: The terminal sends a first feedback message to the AMF.
The first feedback message may be an uplink NAS message.
Correspondingly, the AMF receives the uplink NAS message sent by the terminal.
The message includes a UE-Counter-MAC, which is the integrity protection of the count value received on the UE side. Optionally, it also includes a USIM response; optionally, it also includes a response from the UE.
The UE-Counter-MAC is generated from the protection key and the received Counter. Optionally, the USIM-Response and/or the UE's response are also optional inputs to the UE-Counter-MAC computation.
S1409: The AMF sends a second feedback message to the first UDM.
Correspondingly, the first UDM receives the notification response sent by the AMF.
The message includes a UE-Counter-MAC; optionally, it also includes a USIM response; optionally, it also includes a response from the UE.
As a possible implementation, the AMF sends the notification response to the first UDM by returning a Nudm_SDM_Notification response service response.
S1410: The first UDM receives the notification message sent by the AMF.
The first UDM checks whether the received UE-Counter-MAC is identical to the Counter-MAC received from the AUSF. If they are identical, the UE has completed the update of the update parameters and/or the first security parameter.
In the above procedure, the functions used to compute Update-MAC, UE-Update-MAC, Counter-MAC and UE-Counter-MAC may be any message authentication code function, for example a keyed-hash message authentication code or a key derivation function; no restriction is imposed. The above procedure is described in terms of a USIM, but it may equally be another UICC; no restriction is imposed.
In addition, it should be pointed out that the above procedure may complete the update of USIM parameters, the update of ME parameters, or the update of both USIM parameters and ME parameters at the same time.
For example, the update parameters may include only ME parameters, or only USIM parameters.
For example, the update parameters may also include parameters that both the USIM and the ME need to update. The UDM may use these parameters, which both the USIM and the ME need to update, as an input to the computation of the first security parameter to obtain the first security parameter; at the same time, it sends these parameters to the AUSF so that the AUSF uses them as an input to the Update-MAC computation. In addition, the UDM also sends these parameters to the UE so that the UE uses them as an input to the UE-Update-MAC computation to obtain the UE-Update-MAC. By comparing the UE-Update-MAC with the Update-MAC, the correctness of the Update-MAC is verified. If the check succeeds, the relevant parameters in the ME are updated, and the first security parameter is sent to the USIM.
For example, the update parameters may also include parameters that both the USIM and the ME need to update. The UDM may use these parameters as an input to the computation of the second security parameter to obtain the second security parameter; at the same time, it sends these parameters and the second security parameter to the AUSF so that the AUSF uses both as inputs to the Update-MAC computation. The UDM also sends the parameters that both the USIM and the ME need to update, together with the second security parameter, to the UE. The UE uses these parameters and the second security parameter as inputs to the UE-Update-MAC computation to obtain the UE-Update-MAC. By comparing the UE-Update-MAC with the Update-MAC, the correctness of the Update-MAC is verified. If the check succeeds, the relevant parameters in the ME are updated, and the first security parameter and the second security parameter are sent to the USIM.
For example, the security parameters (the first security parameter and/or the second security parameter) may include the corresponding parameters together with the security verification information. If the security parameters include only the security verification information, the UE needs to send the corresponding parameters together with the security parameters to the USIM; in addition, the update parameters also need to retain the USIM parameters.
Another possibility: the security parameters (the first security parameter and/or the second security parameter) may include the corresponding parameters together with the security verification information. In that case the USIM parameters may be removed from the update parameters, which then contain only the ME parameters and/or the parameters that both the USIM and the ME need to update.
Another possibility: if the update parameters include USIM parameters, the UDM may also refrain from computing the first security parameter and/or the second security parameter and only send the update parameters to the AUSF, so that the AUSF computes the Update-MAC from the update parameters. The subsequent steps then need not involve the first security parameter and/or the second security parameter.
Another possibility: the UDM may also send to the AUSF an indication of whether the UE is required to send a response message. The AUSF uses this indication as an input to the Update-MAC computation. The UDM also sends this indication to the UE. The UE uses the indication as an input to the UE-Update-MAC computation and checks whether the computed UE-Update-MAC matches the received Update-MAC. If they match, the UE sends a response message to the UDM.
Another possibility: the UDM may also send to the AUSF an indication of whether the UE needs to re-register. The AUSF uses this indication as an input to the Update-MAC computation. The UDM also sends this indication to the UE. The UE uses the indication as an input to the UE-Update-MAC computation and checks whether the computed UE-Update-MAC matches the received Update-MAC. If they match, the UE then initiates a re-registration procedure towards the UDM.
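The Counter freshness check and UE-Update-MAC recomputation described above, the first security parameter handed to the USIM, and the UE-Counter-MAC confirmation at the UDM (steps S1408 to S1410), as an added Python example that is not part of the patent text. It assumes HMAC-SHA256 as the MAC function (the text allows any MAC or KDF), a length-prefixed field encoding, a USIM key shared with the UDM for checking the first security parameter, and constructed key and parameter values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

COUNTER_LEN = 4  # assumption: the Counter travels as a 4-byte big-endian integer


def _encode(*fields: bytes) -> bytes:
    """Length-prefix every field so the concatenation is unambiguous (assumed encoding)."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def _mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 stands in for the MAC/KDF function, which the text leaves open."""
    return hmac.new(key, _encode(*fields), hashlib.sha256).digest()


def udm_first_security_parameter(k_usim: bytes, usim_params: bytes) -> bytes:
    """UDM side (assumed form): USIM parameters plus a tag the USIM checks with a key shared with the UDM."""
    return _encode(usim_params, _mac(k_usim, usim_params))


def ausf_update_mac(k_prot: bytes, update_params: bytes, first_sec_param: bytes,
                    counter: int, need_response: int, need_rereg: int) -> bytes:
    """AUSF side: Update-MAC over update parameters, first security parameter, Counter and both indications."""
    return _mac(k_prot, update_params, first_sec_param, counter.to_bytes(COUNTER_LEN, "big"),
                bytes([need_response]), bytes([need_rereg]))


def ausf_counter_mac(k_prot: bytes, counter: int) -> bytes:
    """AUSF side: Counter-MAC, which the UDM later compares with the UE-Counter-MAC it receives."""
    return _mac(k_prot, counter.to_bytes(COUNTER_LEN, "big"))


@dataclass
class Terminal:
    k_prot: bytes          # protection key shared with the AUSF
    k_usim: bytes          # key the USIM shares with the UDM (assumption)
    stored_counter: int = 0
    me_params: bytes = b""
    usim_params: bytes = b""

    def _usim_apply(self, first_sec_param: bytes) -> Optional[bytes]:
        """USIM side: verify the first security parameter, update internal parameters, answer the ME."""
        plen = int.from_bytes(first_sec_param[:2], "big")
        params = first_sec_param[2:2 + plen]
        tag = first_sec_param[4 + plen:]
        if not hmac.compare_digest(tag, _mac(self.k_usim, params)):
            return None
        self.usim_params = params
        return b"USIM-OK"

    def receive_update(self, update_params: bytes, first_sec_param: bytes, counter: int,
                       update_mac: bytes, need_response: int, need_rereg: int) -> Optional[Tuple[bytes, bytes]]:
        """UE side: Counter freshness check, UE-Update-MAC check, then ME/USIM update and S1408 feedback."""
        # Replay protection: the received Counter must be greater than the locally stored one.
        if counter <= self.stored_counter:
            return None
        # Same computation as the AUSF; constant-time compare so the mismatch position is not leaked.
        ue_update_mac = ausf_update_mac(self.k_prot, update_params, first_sec_param,
                                        counter, need_response, need_rereg)
        if not hmac.compare_digest(ue_update_mac, update_mac):
            return None
        usim_response = self._usim_apply(first_sec_param)
        if usim_response is None:
            return None
        self.stored_counter = counter
        self.me_params = update_params
        # UE-Counter-MAC over the received Counter (the USIM response could optionally be added as input).
        ue_counter_mac = _mac(self.k_prot, counter.to_bytes(COUNTER_LEN, "big"))
        return ue_counter_mac, usim_response


def udm_confirm(counter_mac_from_ausf: bytes, ue_counter_mac: bytes) -> bool:
    """UDM side (S1410): the update is confirmed when UE-Counter-MAC equals the Counter-MAC from the AUSF."""
    return hmac.compare_digest(counter_mac_from_ausf, ue_counter_mac)


def run_flow() -> dict:
    """End to end with constructed values: a genuine update, a modified copy, and a replay."""
    k_prot, k_usim = b"K_prot-constructed", b"K_usim-constructed"
    usim_params, me_params, counter = b"RI=0x1A", b"ME-cfg-v2", 7
    fsp = udm_first_security_parameter(k_usim, usim_params)
    upd_mac = ausf_update_mac(k_prot, me_params, fsp, counter, 1, 0)
    ctr_mac = ausf_counter_mac(k_prot, counter)
    ue = Terminal(k_prot, k_usim, stored_counter=5)
    ok = ue.receive_update(me_params, fsp, counter, upd_mac, 1, 0)
    # Fresh Counter but altered parameters: passes the Counter check, fails the MAC check.
    modified = ue.receive_update(b"ME-cfg-v2-modified", fsp, counter + 1, upd_mac, 1, 0)
    # The genuine message delivered a second time: rejected by the Counter check alone.
    replayed = ue.receive_update(me_params, fsp, counter, upd_mac, 1, 0)
    return {"confirmed": ok is not None and udm_confirm(ctr_mac, ok[0]),
            "usim_response": ok[1] if ok else None, "modified_rejected": modified is None,
            "replay_rejected": replayed is None, "stored_counter": ue.stored_counter,
            "usim_params": ue.usim_params}


if __name__ == "__main__":
    print(run_flow())
```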
The above embodiments are not limited to updating the RI; other parameters may also be updated through the procedures of all the above embodiments.
It can be understood that, in order to implement the above functions, the network element in the embodiments of this application includes the hardware structures and/or software modules corresponding to each function. In combination with the units and algorithm steps of the examples described in the embodiments disclosed in this application, the embodiments of this application can be implemented in hardware or in a combination of hardware and computer software. Whether a given function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the technical solutions of the embodiments of this application.
In the embodiments of this application, the network element may be divided into functional units according to the above method examples; for example, each functional unit may correspond to one function, or two or more functions may be integrated into one processing unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division into units in the embodiments of this application is illustrative and is only a division by logical function; another division may be used in an actual implementation.
FIG. 13 shows a schematic block diagram of a routing apparatus provided in an embodiment of this application, where the routing apparatus may be the terminal, AMF, AUSF or UDM described above. The routing apparatus 1300 may exist in the form of software, or may be a chip usable in a device. The routing apparatus 1300 includes a processing unit 1302 and a communication unit 1303.
If the routing apparatus 1300 is a terminal, the processing unit 1302 may be configured to support the terminal in performing S515 in FIG. 5 to FIG. 9, the two-way authentication in FIG. 7, FIG. 8 and FIG. 9, S1103 in FIG. 11, S1209, S1212 and S1213 in FIG. 12, and the like, and/or other processes of the solutions described herein. The communication unit 1303 is configured to support communication between the terminal and other network elements (such as the AMF), for example to support the terminal in performing S501 in FIG. 5 to FIG. 9, S514 in FIG. 4, S614 in FIG. 6, S714 in FIG. 7, S810 in FIG. 8, S916 in FIG. 9, S514 in FIG. 10, S1102 and S1104 in FIG. 11, S1208 and S1210 in FIG. 12, and the like.
If the routing apparatus 1300 is an AMF, the processing unit 1302 may be configured to support the AMF in performing S502 in FIG. 5 to FIG. 9, the two-way authentication in FIG. 6, FIG. 7, FIG. 8 and FIG. 9, S1212 and S1213 in FIG. 12, and the like, and/or other processes of the solutions described herein. The communication unit 1303 is configured to support communication between the AMF and other network elements, for example to support the AMF in performing S501 and S503 in FIG. 5 to FIG. 9, S513 in FIG. 5, and the like.
If the routing apparatus 1300 is an AUSF, the processing unit 1302 may be configured to support the AUSF network element in performing S504 in FIG. 5 to FIG. 9 and/or other processes of the solutions described herein. The communication unit 1303 is configured, for example, to support the AUSF in performing S503 and S505 in FIG. 5 to FIG. 8, S613 in FIG. 6, and the like.
If the routing apparatus 1300 is a UDM, the processing unit 1302 may be configured to support the UDM network element in performing S506 in FIG. 5 to FIG. 10 and the like, and/or other processes of the solutions described herein. The communication unit 1303 is configured, for example, to support the UDM in performing S505 in FIG. 5 to FIG. 10, S508 in FIG. 5 to FIG. 7, and the like.
Optionally, the routing apparatus 1300 may further include a storage unit 1301 for storing the program code and data of the routing apparatus 1300; the data may include, without limitation, raw data, intermediate data and the like.
In one possible manner, the processing unit 1302 may be a controller or the processor 401 or processor 405 shown in FIG. 4, for example a central processing unit (CPU), a general-purpose processor, digital signal processing (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, transistor logic device, hardware component, or any combination of these. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication unit 1303 may be a transceiver, a transceiver circuit, the communication interface 404 shown in FIG. 4, or the like. The storage unit 1301 may be the memory 403 shown in FIG. 4.
A person of ordinary skill in the art will understand that the above embodiments may be implemented, in whole or in part, by software, hardware, firmware or any combination of these. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a digital video disc (DVD)), a semiconductor medium (for example a solid state disk (SSD)), or the like.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into units is only a division by logical function, and another division may be used in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network devices (for example terminal devices). Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, may each exist independently, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of hardware plus a software functional unit.
From the above description of the embodiments, a person skilled in the art can clearly understand that this application may be implemented by software plus the necessary general-purpose hardware, and of course also by hardware alone, although in many cases the former is the better implementation. Based on this understanding, the technical solution of this application, in essence or in the part that contributes over the prior art, may be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a floppy disk, hard disk or optical disc of a computer, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of this application.
The above is only a specific implementation of this application, but the scope of protection of this application is not limited to it; any change or substitution within the technical scope disclosed in this application shall fall within the scope of protection of this application. Therefore, the scope of protection of this application shall be determined by the scope of protection of the claims.

Claims (86)

  1. A routing method, comprising:
    an authentication server function AUSF network element sends a first authentication vector acquisition request to a first unified data management UDM network element;
    if the AUSF network element receives a routing indicator RI sent by the first UDM network element, it sends the RI to an access and mobility management function AMF network element.
  2. The routing method according to claim 1, wherein the method further comprises:
    if the AUSF network element receives a redirect message sent by the first UDM network element, the AUSF network element sends a second authentication vector acquisition request to a second UDM network element according to the redirect message;
    the AUSF network element receives an RI sent by the second UDM network element; and
    the AUSF network element sends the RI to the AMF network element.
  3. The routing method according to claim 1 or 2, wherein the method further comprises:
    the AUSF network element determines an integrity verification code of the RI according to an integrity protection key and the RI;
    the AUSF network element sends the integrity verification code to the AMF network element.
  4. The routing method according to claim 3, wherein before the AUSF network element determines the integrity verification code of the RI according to the integrity protection key and the RI, the method further comprises:
    the AUSF network element receives an integrity protection request message sent by the first UDM network element or a second UDM network element, the integrity protection request message being used to instruct the AUSF to generate the integrity verification code for the RI.
  5. A routing method, comprising:
    a first unified data management UDM network element receives a first authentication vector acquisition request sent by an authentication server function AUSF network element;
    in response to the first authentication vector acquisition request, the first UDM network element sends a redirect message or a routing indicator RI to the AUSF network element.
  6. The routing method according to claim 5, wherein the first UDM network element sending the RI to the AUSF network element comprises:
    when the first UDM network element is the UDM network element to which the user belongs, the first UDM network element sends the RI to the AUSF network element.
  7. The routing method according to claim 5, wherein the first UDM network element sending the redirect message to the AUSF network element comprises:
    when the first UDM network element is not the UDM network element to which the user belongs, the first UDM network element sends the redirect message to the AUSF network element.
  8. The routing method according to any one of claims 5 to 7, wherein the method further comprises:
    the first UDM network element receives a user data acquisition request message sent by an AMF network element;
    the first UDM network element sends an integrity protection request message to the AUSF network element, the integrity protection request message being used to instruct the AUSF network element to generate an integrity verification code for the RI.
  9. The routing method according to claim 8, wherein the method further comprises:
    the first UDM network element sends an integrity protection request message to the AUSF network element;
    the first UDM network element receives the integrity verification code sent by the AUSF network element;
    and the first UDM network element sending the RI to the AUSF network element comprises:
    the first UDM network element sends the RI protected by the integrity verification code to the AUSF network element.
  10. A routing method, comprising:
    a terminal receives a routing indicator RI sent by an access and mobility management function AMF network element;
    the terminal updates the information of the subscription concealed identifier SUCI using the RI.
  11. The routing method according to claim 10, wherein the method further comprises:
    if the terminal receives an integrity verification code corresponding to the RI, the terminal performs integrity verification of the RI using the integrity verification code;
    and the terminal updating the information of the SUCI using the RI comprises:
    if the integrity verification of the RI succeeds, the terminal updates the information of the SUCI using the RI.
  12. The routing method according to claim 10 or 11, wherein the terminal receiving the RI sent by the AMF comprises:
    the terminal receives a non-access stratum security mode command NAS SMC message sent by the AMF, the NAS SMC message carrying the RI.
  13. A routing method, comprising:
    when the unified data management UDM network element to which a user belongs changes from a first UDM to a second UDM, the first UDM network element sends a routing indicator RI to an access and mobility management function AMF network element.
  14. The routing method according to claim 13, wherein the method further comprises:
    the first UDM network element sends an integrity protection request message to an AUSF network element, the integrity protection request message being used to instruct the AUSF to generate an integrity verification code for the RI;
    the first UDM network element receives the integrity verification code of the RI sent by the AUSF network element;
    the first UDM sends the integrity verification code to the AMF network element.
  15. A routing method, comprising:
    an authentication server function AUSF network element receives an integrity protection request message sent by a first unified data management UDM network element, the integrity protection request message carrying a routing indicator RI;
    the AUSF network element generates an integrity verification code of the RI according to an integrity protection key and the RI;
    the AUSF network element sends the integrity verification code to the first UDM network element.
  16. A routing method, comprising:
    a terminal receives a routing indicator RI sent by an access and mobility management function AMF network element;
    the terminal updates the information of the subscription concealed identifier SUCI using the RI.
  17. The routing method according to claim 16, wherein the method further comprises:
    if the terminal receives an integrity verification code corresponding to the RI, the terminal performs integrity verification of the RI using the integrity verification code;
    and the terminal updating the information of the SUCI using the RI comprises:
    if the integrity verification of the RI succeeds, the terminal updates the information of the SUCI using the RI.
  18. The routing method according to claim 16 or 17, wherein the method further comprises:
    if the RI stored in the terminal changes, the terminal registers with the second UDM indicated by the RI.
  19. The routing method according to claim 16 or 17, wherein the method further comprises:
    if the terminal receives a deregistration request message sent by the AMF and the cause value carried in the deregistration request message indicates an RI change, the terminal registers with the second UDM indicated by the RI.
  20. A routing apparatus, comprising:
    a transceiver, configured to send a first authentication vector acquisition request to a first unified data management UDM network element, and, if the AUSF network element receives a routing indicator RI sent by the first UDM network element, to send the RI to an access and mobility management function AMF network element.
  21. The routing apparatus according to claim 20, wherein
    the transceiver is further configured to: if a redirect message sent by the first UDM network element is received, send a second authentication vector acquisition request to a second UDM network element according to the redirect message; receive an RI sent by the second UDM network element; and send the RI to the AMF network element.
  22. The routing apparatus according to claim 20 or 21, wherein
    a processor is configured to determine an integrity verification code of the RI according to an integrity protection key and the RI; and
    the transceiver is further configured to send the integrity verification code to the AMF network element.
  23. The routing apparatus according to claim 22, wherein
    the transceiver is further configured to receive an integrity protection request message sent by the first UDM network element or the second UDM network element, where the integrity protection request message is used to instruct the AUSF to generate an integrity verification code for the RI.
  24. A routing apparatus, comprising:
    a transceiver, configured to receive a first authentication vector acquisition request sent by an authentication server function AUSF network element, and, in response to the first authentication vector acquisition request, to send a redirect message or a routing indicator RI to the AUSF network element.
  25. The routing apparatus according to claim 24, wherein the transceiver being configured to send an RI to the AUSF network element comprises: being configured to send an RI to the AUSF network element when the first UDM network element is the UDM network element to which the user belongs.
  26. The routing apparatus according to claim 24, wherein the transceiver being configured to send a redirect message to the AUSF network element comprises: being configured to send a redirect message to the AUSF network element when the first UDM network element is not the UDM network element to which the user belongs.
  27. The routing apparatus according to any one of claims 24 to 26, wherein
    the transceiver is further configured to receive a user data acquisition request message sent by an AMF network element, and to send an integrity protection request message to an AUSF network element, where the integrity protection request message is used to instruct the AUSF network element to generate an integrity verification code for the RI.
  28. The routing apparatus according to claim 27, wherein
    the transceiver is further configured to send an integrity protection request message to the AUSF network element and to receive an integrity verification code sent by the AUSF network element; and
    the transceiver being configured to send an RI to the AUSF network element comprises: being configured to send, to the AUSF network element, the RI protected by the integrity verification code.
  29. A routing apparatus, comprising:
    a transceiver, configured to receive a routing indicator RI sent by an access and mobility management function AMF network element; and
    a processor, configured to update information of a subscription concealed identifier SUCI by using the RI.
  30. The routing apparatus according to claim 29, wherein
    the processor is further configured to: if the transceiver receives an integrity verification code corresponding to the RI, perform integrity verification on the RI by using the integrity verification code; and
    the processor being configured to update the SUCI information by using the RI comprises: being configured to update the SUCI information by using the RI if the integrity verification of the RI succeeds.
  31. The routing apparatus according to claim 29 or 30, wherein the transceiver being configured to receive an RI sent by the AMF comprises: being configured to receive a non-access stratum security mode command NAS SMC message sent by the AMF, where the NAS SMC message carries the RI.
  32. A routing apparatus, comprising:
    a transceiver, configured to send a routing indicator RI to an access and mobility management function AMF network element when the unified data management UDM network element to which a user belongs changes from a first UDM to a second UDM.
  33. The routing apparatus according to claim 32, wherein
    the transceiver is further configured to: send an integrity protection request message to an AUSF network element, where the integrity protection request message is used to instruct the AUSF to generate an integrity verification code for the RI; receive the integrity verification code of the RI sent by the AUSF network element; and send the integrity verification code to the AMF network element.
  34. A routing apparatus, comprising:
    a transceiver, configured to receive an integrity protection request message sent by a first unified data management UDM network element, where the integrity protection request message carries a routing indicator RI; and
    a processor, configured to generate an integrity verification code of the RI according to an integrity protection key and the RI;
    the transceiver being further configured to send the integrity verification code to the first UDM network element.
  35. A routing apparatus, comprising:
    a transceiver, configured to receive a routing indicator RI sent by an access and mobility management function AMF network element; and
    a processor, configured to update information of a subscription concealed identifier SUCI by using the RI.
  36. The routing apparatus according to claim 35, wherein
    the processor is further configured to: if the transceiver receives an integrity verification code corresponding to the RI, perform integrity verification on the RI by using the integrity verification code; and
    the processor being configured to update the SUCI information by using the RI comprises: being configured to update the SUCI information by using the RI if the integrity verification of the RI succeeds.
  37. The routing apparatus according to claim 35 or 36, wherein
    the processor is further configured to register the terminal with the second UDM indicated by the RI if the RI stored in the terminal changes.
  38. The routing apparatus according to claim 35 or 36, wherein
    the processor is further configured to register the terminal with the second UDM indicated by the RI if the transceiver receives a deregistration request message sent by the AMF and the cause value carried in the deregistration request message indicates an RI change.
  39. A method for securely updating a routing indicator, comprising:
    receiving, by an authentication server function AUSF network element, an integrity protection request message sent by a unified data management UDM network element, where the integrity protection request message includes a routing indicator RI;
    generating, by the AUSF network element, a message authentication code of the RI according to an integrity protection key and the RI; and
    sending, by the AUSF network element, an integrity protection response message to the UDM network element, where the integrity protection response includes the message authentication code of the RI.
  40. The method according to claim 39, wherein the integrity protection request message further includes an indication of whether the user equipment UE is required to send a response message; and
    the generating, by the AUSF network element, a message authentication code of the RI according to an integrity protection key and the RI comprises:
    generating, by the AUSF network element, the message authentication code of the RI according to the integrity protection key, the indication of whether the UE is required to send a response message, and the RI.
  41. The method according to claim 39, wherein the integrity protection request message further includes an indication of whether UE re-registration is required; and
    the generating, by the AUSF network element, a message authentication code of the RI according to an integrity protection key and the RI comprises:
    generating, by the AUSF network element, the message authentication code of the RI according to the integrity protection key, the indication of whether UE re-registration is required, and the RI.
  42. The method according to claim 39, wherein the integrity protection request message further includes an indication of whether the UE is required to send a response message and an indication of whether UE re-registration is required; and
    the generating, by the AUSF network element, a message authentication code of the RI according to an integrity protection key and the RI comprises:
    generating, by the AUSF network element, the message authentication code of the RI according to the integrity protection key, the indication of whether the UE is required to send a response message, the indication of whether UE re-registration is required, and the RI.
  43. The method according to claim 39, wherein the integrity protection request message further includes configured slice selection assistance information; and
    the generating, by the AUSF network element, a message authentication code of the RI according to an integrity protection key and the RI comprises:
    generating, by the AUSF network element, the message authentication code of the RI according to the integrity protection key, the configured slice selection assistance information, and the RI.
  44. A method for securely updating a routing indicator, comprising:
    sending, by a unified data management UDM network element, an integrity protection request message to an authentication server function AUSF network element, where the integrity protection request message includes a routing indicator RI;
    receiving, by the UDM network element, an integrity protection response message sent by the AUSF network element, where the integrity protection response message includes a message authentication code of the RI; and
    sending, by the UDM network element, a notification message to an AMF network element, where the notification message includes the RI and the message authentication code of the RI.
  45. The method according to claim 44, wherein the method further comprises:
    receiving, by the UDM network element, a notification response sent by the AMF network element.
  46. The method according to claim 44 or 45, wherein the integrity protection request message further includes an indication of whether the UE is required to send a response message; and the notification message further includes the indication of whether the UE is required to send a response message.
  47. The method according to claim 44 or 45, wherein the integrity protection request message further includes an indication of whether UE re-registration is required; and the notification message further includes the indication of whether UE re-registration is required.
  48. The method according to claim 44 or 45, wherein the integrity protection request message further includes an indication of whether UE re-registration is required and an indication of whether the UE is required to send a response message; and the notification message further includes the indication of whether UE re-registration is required and the indication of whether the UE is required to send a response message.
  49. The method according to claim 44 or 45, wherein the integrity protection request message includes configured slice selection assistance information; and the notification message includes the configured slice selection assistance information.
  50. A method for securely updating a routing indicator, comprising:
    receiving, by a terminal, a configuration modification request message sent by an access and mobility management function AMF network element, where the configuration modification request message includes a routing indicator RI and a message authentication code of the RI;
    performing, by the terminal, integrity verification on the message authentication code of the RI; and
    after the verification succeeds, updating, by the terminal, the RI stored in the terminal by using the received RI.
  51. The method according to claim 50, wherein the configuration modification request message further includes:
    an indication of whether the UE is required to send a response message; and
    the performing, by the terminal, integrity verification on the message authentication code of the RI comprises:
    performing, by the terminal, integrity verification on the message authentication code of the RI by using the indication of whether the UE is required to send a response message.
  52. The method according to claim 50, wherein the configuration modification request message further includes:
    an indication of whether UE re-registration is required; and
    the performing, by the terminal, integrity verification on the message authentication code of the RI comprises:
    performing, by the terminal, integrity verification on the message authentication code of the RI by using the indication of whether UE re-registration is required.
  53. The method according to claim 50, wherein the configuration modification request message further includes:
    an indication of whether the UE is required to send a response message, and an indication of whether UE re-registration is required; and
    the performing, by the terminal, integrity verification on the message authentication code of the RI comprises:
    performing, by the terminal, integrity verification on the message authentication code of the RI by using the indication of whether UE re-registration is required and the indication of whether the UE is required to send a response message.
  54. The method according to claim 50, wherein the configuration modification request message further includes: configured slice selection assistance information; and
    the performing, by the terminal, integrity verification on the message authentication code of the RI comprises:
    performing, by the terminal, integrity verification on the message authentication code of the RI by using the configured slice selection assistance information.
  55. The method according to claim 54, wherein the method further comprises: after the verification succeeds, updating, by the terminal, the slice selection assistance information stored in the terminal by using the configured slice selection assistance information.
  56. The method according to claim 50, wherein the method further comprises:
    sending, by the terminal, a configuration modification response message to the AMF network element.
  57. A method for securely updating a routing indicator, comprising:
    receiving, by an AMF network element, a notification message sent by a unified data management UDM network element, where the notification message includes a routing indicator RI and a message authentication code of the RI;
    sending, by the AMF network element, a configuration modification request message to a terminal, where the configuration modification request message includes the RI and the message authentication code of the RI; and
    receiving, by the AMF network element, a configuration modification response message sent by the terminal.
  58. The method according to claim 57, wherein the notification message further includes an indication of whether the UE is required to send a response message; and the configuration modification request message includes the indication of whether the UE is required to send a response message.
  59. The method according to claim 57, wherein the configuration modification request message further includes an indication of whether the UE is required to send a response message; and the configuration modification request message includes an indication of whether UE re-registration is required.
  60. The method according to claim 57, wherein the configuration modification request message further includes configured slice selection assistance information; and the configuration modification request message further includes the configured slice selection assistance information.
  61. A routing apparatus, comprising:
    a communication unit, configured to receive an integrity protection request message sent by a unified data management UDM network element, where the integrity protection request message includes a routing indicator RI; and
    a processing unit, configured to generate a message authentication code of the RI according to an integrity protection key and the RI;
    the communication unit being configured to send an integrity protection response message to the UDM, where the integrity protection response includes the message authentication code of the RI.
  62. The routing apparatus according to claim 61, wherein the integrity protection request message further includes an indication of whether the user equipment UE is required to send a response message; and
    the processing unit is specifically configured to generate the message authentication code of the RI according to the integrity protection key, the indication of whether the UE is required to send a response message, and the RI.
  63. The routing apparatus according to claim 61, wherein the integrity protection request message further includes an indication of whether UE re-registration is required; and
    the processing unit is specifically configured to generate the message authentication code of the RI according to the integrity protection key, the indication of whether UE re-registration is required, and the RI.
  64. The routing apparatus according to claim 61, wherein the integrity protection request message further includes an indication of whether the UE is required to send a response message and an indication of whether UE re-registration is required; and
    the processing unit is specifically configured to generate the message authentication code of the RI according to the integrity protection key, the indication of whether the UE is required to send a response message, the indication of whether UE re-registration is required, and the RI.
  65. The routing apparatus according to claim 61, wherein the integrity protection request message further includes configured slice selection assistance information; and
    the processing unit is specifically configured to generate the message authentication code of the RI according to the integrity protection key, the configured slice selection assistance information, and the RI.
  66. A routing apparatus, comprising:
    a communication unit, configured to send an integrity protection request message to an authentication server function AUSF network element, where the integrity protection request message includes a routing indicator RI;
    the communication unit being configured to receive an integrity protection response message sent by the authentication server function AUSF network element, where the integrity protection response includes a message authentication code of the RI; and
    the communication unit being further configured to send a notification message to an AMF network element, where the notification message includes the RI and the message authentication code of the RI.
  67. The routing apparatus according to claim 66, wherein:
    the communication unit is further configured to receive a notification response sent by the AMF network element.
  68. The routing apparatus according to claim 66 or 67, wherein the integrity protection request message further includes an indication of whether the UE is required to send a response message; and the notification message further includes the indication of whether the UE is required to send a response message.
  69. The routing apparatus according to claim 66 or 67, wherein the integrity protection request message further includes an indication of whether UE re-registration is required; and the notification message further includes the indication of whether UE re-registration is required.
  70. The routing apparatus according to claim 66 or 67, wherein the integrity protection request message further includes an indication of whether UE re-registration is required and an indication of whether the UE is required to send a response message; and the notification message further includes the indication of whether UE re-registration is required and the indication of whether the UE is required to send a response message.
  71. The routing apparatus according to claim 66 or 67, wherein the integrity protection request message includes configured slice selection assistance information; and the notification message includes the configured slice selection assistance information.
  72. A terminal, comprising:
    a communication unit, configured to receive a configuration modification request message sent by an access and mobility management function AMF network element, where the configuration modification request message includes a routing indicator RI and a message authentication code of the RI; and
    a processing unit, configured to perform integrity verification on the message authentication code;
    the processing unit being further configured to update the RI stored in the terminal by using the received RI after the verification succeeds.
  73. The terminal according to claim 72, wherein the configuration modification request message further includes:
    an indication of whether the UE is required to send a response message; and
    the processing unit is specifically configured to perform integrity verification on the message authentication code of the RI by using the indication of whether the UE is required to send a response message.
  74. The terminal according to claim 72, wherein the configuration modification request message further includes:
    an indication of whether UE re-registration is required; and
    the processing unit is specifically configured to perform integrity verification on the message authentication code of the RI by using the indication of whether UE re-registration is required.
  75. The terminal according to claim 72, wherein the configuration modification request message further includes:
    an indication of whether the UE is required to send a response message, and an indication of whether UE re-registration is required; and
    the processing unit is specifically configured to perform integrity verification on the message authentication code of the RI by using the indication of whether UE re-registration is required and the indication of whether the UE is required to send a response message.
  76. The terminal according to claim 72, wherein the configuration modification request message further includes: configured slice selection assistance information; and
    the processing unit is specifically configured to perform integrity verification on the message authentication code of the RI by using the configured slice selection assistance information.
  77. The terminal according to claim 76, wherein:
    the processing unit is further configured to update the slice selection assistance information stored in the terminal by using the configured slice selection assistance information after the verification succeeds.
  78. The terminal according to any one of claims 72 to 77, wherein the processing unit is further configured to send a configuration modification response message to the AMF.
  79. A routing apparatus, comprising:
    a communication unit, configured to receive a notification message sent by a unified data management UDM network element, where the notification message includes a routing indicator RI and a message authentication code of the RI;
    the communication unit being further configured to send a configuration modification request message to a terminal, where the configuration modification request message includes the RI and the message authentication code of the RI; and
    the communication unit being further configured to receive a configuration modification response message sent by the terminal.
  80. The routing apparatus according to claim 79, wherein the notification message further includes an indication of whether the UE is required to send a response message; and the configuration modification request message includes the indication of whether the UE is required to send a response message.
  81. The routing apparatus according to claim 79, wherein the configuration modification request message further includes an indication of whether the UE is required to send a response message; and the configuration modification request message includes an indication of whether UE re-registration is required.
  82. The routing apparatus according to claim 79, wherein the configuration modification request message further includes configured slice selection assistance information; and the configuration modification request message further includes the configured slice selection assistance information.
  83. 一种路由系统,其特征在于,所述系统包括:A routing system, characterized in that the system includes:
    统一数据管理UDM网元向认证服务器功能AUSF网元发送完整性保护请求消息;The unified data management UDM network element sends an integrity protection request message to the authentication server function AUSF network element;
    the authentication server function (AUSF) network element receives the integrity protection request message sent by the UDM network element, where the integrity protection request message includes a routing indication (RI);
    the AUSF network element generates a message verification code of the RI according to an integrity protection key and the RI;
    the AUSF network element sends an integrity protection response message to the UDM network element, where the integrity protection response message includes the message verification code of the RI;
    the UDM network element receives the integrity protection response message sent by the AUSF network element;
    the UDM network element sends a notification message to the AMF network element, where the notification message includes the RI and the message verification code of the RI;
    the AMF network element receives the notification message sent by the UDM network element;
    the AMF network element sends a configuration modification request message to the terminal, where the configuration modification request message includes the RI and the message verification code of the RI;
    the AMF network element receives a configuration modification response message sent by the terminal.
  84. A computer-readable storage medium, storing instructions which, when run, cause the method according to any one of claims 50 to 56 to be performed.
  85. A chip, comprising a processor coupled to a memory, the memory storing program instructions which, when run, cause the method according to any one of claims 50 to 56 to be performed.
  86. A circuit system, comprising a processing circuit configured to perform the method according to any one of claims 50 to 56.
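As an added illustration of the RI update flow described in the preceding claims (not code from the patent or from the applicant), the following Python models each hop of the procedure and the terminal's verification of the RI's message verification code, including the case where the RI is altered between the AMF and the terminal. The key value, the message structures, HMAC-SHA256 as the MAC function and the function names are assumptions; the claims specify none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample key. The claims name an "integrity protection key" but do not
# fix the MAC algorithm or key size; HMAC-SHA256 over a 32-byte key is an assumption.
K_INT = bytes.fromhex("00112233445566778899aabbccddeeff" "00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class ConfigModificationRequest:
    """AMF -> terminal message carrying the RI and the message verification code of the RI."""
    ri: bytes
    ri_mac: bytes


def ausf_mac_of_ri(k_int: bytes, ri: bytes) -> bytes:
    """AUSF step: message verification code of the RI under the integrity protection key."""
    return hmac.new(k_int, ri, hashlib.sha256).digest()


def terminal_verify(k_int: bytes, req: ConfigModificationRequest) -> bool:
    """Terminal step: recompute the MAC with its own copy of the key and compare in
    constant time; a mismatch means the RI was altered after the AUSF protected it."""
    expected = ausf_mac_of_ri(k_int, req.ri)
    return hmac.compare_digest(expected, req.ri_mac)


def run_ri_update(k_int: bytes, new_ri: bytes, tampered_ri: Optional[bytes] = None) -> bool:
    """Walk the message flow of the claim and return the terminal's verdict.
    tampered_ri, when given, replaces the RI on the AMF -> terminal hop to show that
    the MAC (computed by the AUSF, merely forwarded by UDM and AMF) detects the change."""
    # UDM -> AUSF: integrity protection request message containing the RI
    ip_request = {"ri": new_ri}
    # AUSF -> UDM: integrity protection response message with the MAC of the RI
    ip_response = {"ri_mac": ausf_mac_of_ri(k_int, ip_request["ri"])}
    # UDM -> AMF: notification message with the RI and its MAC (forwarded, not recomputed)
    notification = {"ri": ip_request["ri"], "ri_mac": ip_response["ri_mac"]}
    # AMF -> terminal: configuration modification request message
    on_the_wire_ri = tampered_ri if tampered_ri is not None else notification["ri"]
    request = ConfigModificationRequest(ri=on_the_wire_ri, ri_mac=notification["ri_mac"])
    # terminal -> AMF: configuration modification response; True models acceptance
    return terminal_verify(k_int, request)


if __name__ == "__main__":
    print("genuine RI accepted:", run_ri_update(K_INT, b"1234"))
    print("altered RI accepted:", run_ri_update(K_INT, b"1234", tampered_ri=b"5678"))
```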
PCT/CN2019/099792 2018-08-23 2019-08-08 Routing method, apparatus and system WO2020038236A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP19851158.6A EP3709692A4 (en) 2018-08-23 2019-08-08 Routing method, apparatus and system
US16/898,326 US11974132B2 (en) 2018-08-23 2020-06-10 Routing method, apparatus, and system

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201810970120 2018-08-23
CN201810970120.2 2018-08-23
CN201811289488.9 2018-10-31
CN201811289488.9A CN110858992A (en) 2018-08-23 2018-10-31 Routing method, device and system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/898,326 Continuation US11974132B2 (en) 2018-08-23 2020-06-10 Routing method, apparatus, and system

Publications (1)

Publication Number Publication Date
WO2020038236A1 true WO2020038236A1 (en) 2020-02-27

Family

ID=66911956

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/099792 WO2020038236A1 (en) 2018-08-23 2019-08-08 Routing method, apparatus and system

Country Status (2)

Country Link
CN (1) CN109842880B (en)
WO (1) WO2020038236A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112040486A (en) * 2020-08-19 2020-12-04 广东以诺通讯有限公司 Safe direct connection communication method and terminal based on 5GD2D service
WO2021109436A1 (en) * 2020-04-28 2021-06-10 Zte Corporation Authentication server function selection in an authentication and key agreement

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110858992A (en) 2018-08-23 2020-03-03 华为技术有限公司 Routing method, device and system
CN109842880B (en) * 2018-08-23 2020-04-03 华为技术有限公司 Routing method, device and system
CN112073176B (en) * 2019-06-11 2022-03-11 大唐移动通信设备有限公司 Key updating method and device
US20200413253A1 (en) * 2019-06-26 2020-12-31 Qualcomm Incorporated Method and apparatus for enabling 5g services with pre-5g universal integrated circuit card (uicc)
CN112291784B (en) * 2019-07-09 2022-04-05 华为技术有限公司 Communication method and network element
CN110536293A (en) * 2019-08-15 2019-12-03 中兴通讯股份有限公司 The methods, devices and systems of access closure access group
WO2021031053A1 (en) * 2019-08-18 2021-02-25 华为技术有限公司 Communication method, device, and system
CN112584380A (en) * 2019-09-29 2021-03-30 中兴通讯股份有限公司 Verification method, data synchronization method, device, network element and medium
CN112672336B (en) * 2019-09-30 2024-04-30 华为技术有限公司 Method, communication device and communication system for realizing external authentication
CN113141327B (en) * 2020-01-02 2023-05-09 中国移动通信有限公司研究院 Information processing method, device and equipment
WO2022000129A1 (en) * 2020-06-28 2022-01-06 Qualcomm Incorporated Multi-network slicing routing for dual plmns of dual subscriber identity module user equipments
CN116114282A (en) * 2020-08-07 2023-05-12 华为技术有限公司 Registration method and device
CA3197006A1 (en) * 2020-10-30 2022-05-05 Huawei Technologies Co., Ltd. Key obtaining method and communication apparatus
CN112867005A (en) * 2020-12-31 2021-05-28 乐鑫信息科技(上海)股份有限公司 Control frame processing and generating method, station, access point and storage medium
CN115396868A (en) * 2021-05-08 2022-11-25 华为技术有限公司 Wireless communication method, communication device and communication system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104883339A (en) * 2014-02-27 2015-09-02 华为技术有限公司 User privacy protecting method, equipment and system thereof
WO2018085784A1 (en) * 2016-11-07 2018-05-11 Intel IP Corporation Systems, methods, and devices for handling stickiness of ue-specific ran-cn association
CN109842880A (en) * 2018-08-23 2019-06-04 华为技术有限公司 Method for routing, apparatus and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101222356B (en) * 2007-12-27 2010-07-07 华为技术有限公司 User data updating method and system
US10581831B2 (en) * 2016-06-30 2020-03-03 Facebook, Inc. Authenticating devices to a network
CN108012267B (en) * 2016-10-31 2022-05-24 华为技术有限公司 Network authentication method, related equipment and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
3GPP: "3GPP Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 15)", 3GPP TS 33.501, 30 June 2018 (2018-06-30), XP055688116 *
See also references of EP3709692A4

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021109436A1 (en) * 2020-04-28 2021-06-10 Zte Corporation Authentication server function selection in an authentication and key agreement
US20220295272A1 (en) * 2020-04-28 2022-09-15 Zte Corporation Authentication server function selection in an authentication and key agreement
CN112040486A (en) * 2020-08-19 2020-12-04 广东以诺通讯有限公司 Safe direct connection communication method and terminal based on 5GD2D service

Also Published As

Publication number Publication date
CN109842880B (en) 2020-04-03
CN109842880A (en) 2019-06-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19851158

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019851158

Country of ref document: EP

Effective date: 20200610

NENP Non-entry into the national phase

Ref country code: DE