WO2020151677A1 - Communication method and related products - Google Patents

Communication method and related products

Info

Publication number: WO2020151677A1
Authority: WO (WIPO, PCT)
Prior art keywords: key, new, kamf, input parameter, key input
Application number: PCT/CN2020/073317
Other languages: English (en), French (fr)
Inventors: 邓娟, 何承东
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by 华为技术有限公司
Priority to EP20744950.5A (EP3883280A4)
Publication of WO2020151677A1
Priority to US17/380,961 (US12015707B2)

Classifications

    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/043 Key management using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving a third party or a trusted authority
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W60/04 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration, using triggered events
    • H04L2209/80 Wireless (additional information or applications relating to cryptographic mechanisms, H04L2209/00)
    • H04W36/12 Reselecting a serving backbone network switching or routing node
    • H04W88/08 Access point devices

Definitions

  • This application relates to the field of communication technology, in particular to communication methods and related products.
  • Mutually exclusive slices can be defined as follows: when the subscription data of a user equipment (UE) contains the single network slice selection assistance information (S-NSSAI) of each of two network slices, but the UE cannot access the two S-NSSAIs at the same time, the two network slices are mutually exclusive for that UE and are therefore called mutually exclusive slices.
  • S-NSSAI: single network slice selection assistance information
  • UE: user equipment
  • When a UE switches from network slice Slice 1 to the mutually exclusive network slice Slice 2, the network side reallocates the access and mobility management function (AMF). How to ensure the forward security of the AMF key Kamf during the slice switching process is a problem that needs to be considered.
  • AMF: Access and Mobility Management Function
  • The embodiments of this application provide communication methods and related products.
  • A communication method includes: when a UE switches from a source slice to a target slice that is mutually exclusive with it, the UE sends a registration request message carrying the network slice selection assistance information (NSSAI) of the target slice requested by the UE; the UE obtains a first AMF key Kamf_new, where Kamf_new is different from a second AMF key Kamf_old and Kamf_new is the key of the target AMF serving the target slice.
  • NSSAI: network slice selection assistance information
  • The method may further include: the UE receives a first message carrying key input parameters sent by the target AMF, and generates Kamf_new using the key input parameters carried in the first message.
  • The key input parameters carried in the first message include, for example, one or more of the following: key input parameter T2, key input parameter T3, or key input parameter T4.
  • Key input parameter T2 is provided by the target AMF, for example;
  • key input parameter T3 is provided by the AUSF, for example;
  • key input parameter T4 is provided by the SEAF, for example; and
  • key input parameter T5 is provided by the AAA-S, for example.
  • The method may further include: the UE receives a second message carrying a first key update indication sent by the target AMF, where the first key update indication is used to instruct the UE to update the AMF key.
  • The UE's acquisition of the first AMF key Kamf_new may be executed under the trigger of the first key update indication.
  • The second message and the first message may be the same message or different messages.
  • The second message and the first message may be a non-access stratum security mode command (NAS Security Mode Command) message or other messages.
  • NAS Security Mode Command: non-access stratum security mode command
  • The registration request message may carry a key input parameter T1, and the key input parameter T1 is used to generate Kamf_new.
  • The key input parameter T1 is provided by the UE, and the UE transmits it to the network side in the registration request message, so that the network side can generate Kamf_new accordingly.
  • The registration request message may carry a second key update indication.
  • The second key update indication is used to instruct the network side to update the AMF key.
  • The acquisition of the first AMF key Kamf_new by the relevant network-side device may be executed under the trigger of the second key update indication.
  • A communication method may include: when a UE switches from a source slice to a target slice that is mutually exclusive with it, a target AMF serving the target slice receives a registration request message from the UE, where the registration request message carries the network slice selection assistance information NSSAI of the target slice requested by the UE; the target AMF obtains a first AMF key Kamf_new, where the first AMF key Kamf_new is different from a second AMF key Kamf_old, Kamf_new is the key of the target AMF, and Kamf_old is the key of the source AMF serving the source slice.
  • The registration request message further carries a second key update indication, which is used to instruct the network side to update the AMF key; or, the target AMF obtains Kamf_new when it determines that a locally preset key update condition is met.
  • The registration request message carries a key input parameter T1, and the key input parameter T1 is used to generate Kamf_new.
  • Other key input parameters may also be used to generate Kamf_new.
  • The method may further include:
  • the target AMF sends a key update service request to the authentication server function AUSF, where the key update service request carries the key input parameter T1 and/or the key input parameter T2; the target AMF receives the response to the key update service request returned by the AUSF, where the response carries the SEAF key Kseaf_new; the key input parameter T1 and/or the key input parameter T2 are used to generate Kseaf_new, and Kseaf_new is used to generate Kamf_new.
  • The target AMF may send to the UE a first message carrying part or all of the key input parameters (for example, the key input parameter T2) used to generate Kseaf_new.
  • The method may further include:
  • the target AMF sends a key update service request to the AUSF; the target AMF receives the response to the key update service request returned by the AUSF, where the response carries Kseaf_new and the key input parameter T3, and generating Kseaf_new uses the key input parameter T3; Kseaf_new is used to generate Kamf_new; the target AMF sends a first message carrying the key input parameter T3 to the UE.
  • The method may further include:
  • the target AMF sends a key update service request to the AUSF, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; the target AMF receives the response to the key update service request returned by the AUSF, where the response carries Kseaf_new and the key input parameter T3, and both the key input parameter T3 and the key input parameter(s) carried in the key update service request are used to generate Kseaf_new; Kseaf_new is used to generate Kamf_new, and the target AMF sends a first message carrying the key input parameter T3 to the UE.
  • The method may further include:
  • the target AMF sends a key update service request to the security anchor function SEAF, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; the target AMF receives the response to the key update service request returned by the SEAF, where the response carries Kamf_new, and the key input parameter T2 and/or the key input parameter T1 are used to generate Kamf_new. Further, the target AMF may send to the UE a first message carrying part or all of the key input parameters (for example, the key input parameter T2) used to generate Kamf_new.
  • The method may further include:
  • the target AMF sends a key update service request to the SEAF; the target AMF receives the response to the key update service request returned by the SEAF, where the response carries Kamf_new and the key input parameter T4, and generating Kamf_new uses the key input parameter T4; the target AMF sends a first message carrying the key input parameter T4 to the UE.
  • The method may further include:
  • the target AMF sends a key update service request to the SEAF, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; the target AMF receives the response to the key update service request returned by the SEAF, where the response carries Kamf_new and the key input parameter T4, and both the key input parameter T4 and the key input parameter(s) carried in the key update service request are used to generate Kamf_new; the target AMF sends a first message carrying the key input parameter T4 to the UE.
  • The method may further include:
  • the target AMF sends a message carrying a key parameter indication to the slice authentication and authorization server AAA-S, where the key parameter indication is used to instruct the AAA-S to generate a key input parameter T5; the target AMF receives the key generation parameter T5 sent by the AAA-S, and the key input parameter T5 is used to generate Kamf_new;
  • the target AMF sends a message carrying a key parameter indication to the AAA-S, where the key parameter indication is used to instruct the AAA-S to generate a key input parameter T5; the target AMF receives the key generation parameter T5 sent by the AAA-S, and the key input parameter T5 together with the key input parameter T1 and/or the key input parameter T2 is used to generate Kamf_new.
  • A communication method includes:
  • after receiving a key update service request from the target AMF, the AUSF generates Kseaf_new, where Kseaf_new is used to generate Kamf_new;
  • Kamf_new is different from the second AMF key Kamf_old, Kamf_new is the key of the target AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice;
  • the AUSF returns a response to the key update service request to the target AMF, where the response carries Kseaf_new, and Kseaf_new is used to generate Kamf_new;
  • generating Kseaf_new uses one or more of the key input parameter T1, the key input parameter T2, and the key input parameter T3;
  • when the key input parameter T1 and/or the key input parameter T2 are used, the key input parameter T1 and/or the key input parameter T2 are carried in the key update service request;
  • when the key input parameter T3 is used to generate Kseaf_new, the key input parameter T3 is carried in the response to the key update service request.
  • A communication method includes:
  • after receiving a key update service request from the target AMF, the SEAF generates Kamf_new, where Kamf_new is different from the second AMF key Kamf_old, Kamf_new is the key of the target AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice;
  • the SEAF returns a response to the key update service request to the target AMF, where the response carries Kamf_new;
  • generating Kamf_new uses one or more of the key input parameter T1, the key input parameter T2, and the key input parameter T4;
  • when the key input parameter T1 and/or the key input parameter T2 are used, the key input parameter T1 and/or the key input parameter T2 are carried in the key update service request;
  • when the key input parameter T4 is used to generate Kseaf_new, the key input parameter T4 is carried in the response to the key update service request.
  • A user equipment UE includes:
  • a transceiver unit, configured to send a registration request message when the UE switches from a source slice to a target slice that is mutually exclusive with it, where the registration request message carries the network slice selection assistance information NSSAI of the target slice requested by the UE;
  • a processing unit, configured to obtain the first AMF key Kamf_new, where Kamf_new is different from the second AMF key Kamf_old, Kamf_new is the key of the target AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice.
  • The transceiver unit is further configured to receive, before the first AMF key Kamf_new is acquired, a first message carrying key input parameters sent by the target AMF, where the key input parameters are used to generate Kamf_new.
  • The transceiver unit is further configured to receive, before the first AMF key Kamf_new is acquired, a second message carrying a first key update indication sent by the target AMF, where the first key update indication is used to instruct the UE to update the AMF key.
  • The registration request message carries a key input parameter T1, and the key input parameter T1 is used to generate Kamf_new.
  • The registration request message carries a second key update indication.
  • The second key update indication is used to instruct the network side to update the AMF key.
  • A target AMF includes:
  • a transceiver unit, configured to receive a registration request message from the UE when the UE switches from a source slice to a target slice that is mutually exclusive with it, where the registration request message carries the network slice selection assistance information NSSAI of the target slice requested by the UE;
  • a processing unit, configured to obtain the first AMF key Kamf_new, where the first AMF key Kamf_new is different from the second AMF key Kamf_old, Kamf_new is the key of the target AMF, the target AMF is the AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice.
  • The registration request message further carries a second key update indication, which is used to instruct the network side to update the AMF key; or, the target AMF obtains Kamf_new when it determines that a locally preset key update condition is met.
  • The registration request message carries a key input parameter T1, and the key input parameter T1 is used to generate Kamf_new.
  • the transceiver unit is further configured to: after receiving a registration request message from the UE,
  • The transceiver unit may also be configured to send to the UE a first message carrying part or all of the key input parameters (for example, the key input parameter T2) used to generate Kseaf_new.
  • the transceiver unit is further configured to: after receiving a registration request message from the UE,
  • The transceiver unit is further configured to send a key update service request to the AUSF after receiving the registration request message from the UE, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; receive the response to the key update service request returned by the AUSF, where the response carries Kseaf_new and the key input parameter T3, and both the key input parameter T3 and the key input parameter(s) carried in the key update service request are used to generate Kseaf_new; Kseaf_new is used to generate Kamf_new, and the first message carrying the key input parameter T3 is sent to the UE.
  • The transceiver unit is further configured to send a key update service request to the security anchor function SEAF after receiving the registration request message from the UE, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; receive the response to the key update service request returned by the SEAF, where the response carries Kamf_new, and generating Kamf_new uses the key input parameter T2 and/or the key input parameter T1.
  • The transceiver unit may be further configured to send to the UE a first message carrying part or all of the key input parameters (for example, the key input parameter T2) used to generate Kamf_new.
  • The transceiver unit is further configured to send a key update service request to the SEAF after receiving the registration request message from the UE; receive the response to the key update service request returned by the SEAF, where the response carries Kamf_new and the key input parameter T4, and the key input parameter T4 is used to generate Kamf_new; and send the first message carrying the key input parameter T4 to the UE.
  • The transceiver unit is further configured to send a key update service request to the SEAF after receiving the registration request message from the UE, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; receive the response to the key update service request returned by the SEAF, where the response carries Kamf_new and the key input parameter T4, and both the key input parameter T4 and the key input parameter(s) carried in the key update service request are used to generate Kamf_new; and send the first message carrying the key input parameter T4 to the UE.
  • The transceiver unit is further configured to send a message carrying a key parameter indication to the slice authentication and authorization server (AAA-S) after receiving the registration request message from the UE, where the key parameter indication is used to instruct the AAA-S to generate a key input parameter T5; receive the key generation parameter T5 sent by the AAA-S, where generating Kamf_new can use the key input parameter T5;
  • AAA-S: slice authentication and authorization server
  • the target AMF sends a message carrying a key parameter indication to the AAA-S, where the key parameter indication is used to instruct the AAA-S to generate a key input parameter T5; the target AMF receives the key generation parameter T5 sent by the AAA-S; the key input parameter T5 is used to generate Kamf_new, and the key input parameter T1 and/or the key input parameter T2 are also used to generate Kamf_new.
  • An authentication server function AUSF includes:
  • a processing unit, configured to generate Kseaf_new after the AUSF receives a key update service request from the target AMF when the UE switches from a source slice to a target slice that is mutually exclusive with it;
  • Kamf_new is different from the second AMF key Kamf_old, Kamf_new is the key of the target AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice;
  • a transceiver unit, configured to return a response to the key update service request to the target AMF, where the response carries Kseaf_new, and Kseaf_new is used to generate Kamf_new;
  • generating Kseaf_new uses one or more of the key input parameter T1, the key input parameter T2, and the key input parameter T3;
  • when the key input parameter T1 and/or the key input parameter T2 are used, the key input parameter T1 and/or the key input parameter T2 are carried in the key update service request received by the AUSF;
  • when the key input parameter T3 is used to generate Kseaf_new, the key input parameter T3 is carried in the response to the key update service request.
  • A security anchor function SEAF may include:
  • a processing unit, configured to generate Kamf_new after receiving a key update service request from the target AMF when the UE switches from a source slice to a target slice that is mutually exclusive with it;
  • Kamf_new is different from the second AMF key Kamf_old, Kamf_new is the key of the target AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice;
  • a transceiver unit, configured to return a response to the key update service request to the target AMF, where the response carries Kamf_new;
  • generating Kamf_new uses one or more of the key input parameter T1, the key input parameter T2, and the key input parameter T4;
  • when the key input parameter T1 and/or the key input parameter T2 are used, the key input parameter T1 and/or the key input parameter T2 are carried in the key update service request received by the SEAF;
  • when the key input parameter T4 is used to generate Kseaf_new, the key input parameter T4 is carried in the response to the key update service request.
  • The key input parameter T1 can be provided by the UE, for example; the key input parameter T2 can be provided by the target AMF, for example; the key input parameter T3 can be provided by the AUSF, for example; the key input parameter T4 can be provided by the SEAF, for example; and the key input parameter T5 can be provided by the AAA-S, for example.
  • A user equipment includes a processor and a memory coupled to each other, where the processor is configured to call a computer program stored in the memory to execute part or all of the steps performed by the UE in any of the methods provided in the embodiments of this application.
  • A computer-readable storage medium stores a computer program which, when executed by a processor, performs part or all of the steps executed by the UE in any of the methods provided in the embodiments of this application.
  • A target AMF includes a processor and a memory coupled to each other, where the processor is configured to call a computer program stored in the memory to execute part or all of the steps performed by the target AMF in any of the methods provided in the embodiments of this application.
  • A computer-readable storage medium stores a computer program which, when executed by a processor, performs part or all of the steps executed by the target AMF in any of the methods provided in the embodiments of this application.
  • An AUSF includes a processor and a memory coupled to each other, where the processor is configured to call a computer program stored in the memory to execute part or all of the steps performed by the AUSF in any of the methods provided in the embodiments of this application.
  • A computer-readable storage medium stores a computer program which, when executed by a processor, performs part or all of the steps executed by the AUSF in any of the methods provided in the embodiments of this application.
  • A SEAF includes a processor and a memory coupled to each other, where the processor is configured to call a computer program stored in the memory to execute part or all of the steps performed by the SEAF in any of the methods provided in the embodiments of this application.
  • A computer-readable storage medium stores a computer program which, when executed by a processor, performs part or all of the steps executed by the SEAF in any of the methods provided in the embodiments of this application.
  • A communication method includes:
  • the slice authentication and authorization server AAA-S receives a message carrying a key parameter indication from the target AMF, where the key parameter indication is used to instruct the AAA-S to generate a key input parameter T5;
  • the AAA-S generates the key input parameter T5 and sends the key generation parameter T5 to the target AMF, where the key input parameter T5 can be used to generate the first AMF key Kamf_new; the first AMF key Kamf_new is different from the second AMF key Kamf_old, Kamf_new is the key of the target AMF, the target AMF is the AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice.
  • A slice authentication and authorization server AAA-S includes:
  • a transceiver unit, configured to receive a message carrying a key parameter indication from the target AMF when the UE switches from a source slice to a target slice that is mutually exclusive with it, where the key parameter indication is used to instruct the AAA-S to generate a key input parameter T5;
  • the transceiver unit is further configured to send the key generation parameter T5 to the target AMF, where the key input parameter T5 can be used to generate the first AMF key Kamf_new; the first AMF key Kamf_new is different from the second AMF key Kamf_old, Kamf_new is the key of the target AMF, the target AMF is the AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice.
  • A slice authentication and authorization server AAA-S includes a processor and a memory coupled to each other, where the processor is configured to call a computer program stored in the memory to execute part or all of the steps performed by the AAA-S in any of the methods provided in the embodiments of this application.
  • A computer-readable storage medium stores a computer program which, when executed by a processor, performs part or all of the steps executed by the AAA-S in any of the methods provided in the embodiments of this application.
  • The embodiments of this application provide a computer program product including instructions.
  • When the computer program product runs on a computer device, the computer device can execute part or all of the steps of any method performed by any device provided in the embodiments of this application.
  • FIG. 1-A is a schematic structural diagram of a communication system provided by an embodiment of this application.
  • FIG. 1-B is a schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 2 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 3 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 4 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 5 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 6 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 7 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 8 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 9 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 10 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 11 is a schematic structural diagram of a user equipment provided by an embodiment of this application.
  • FIG. 12 is a schematic structural diagram of a target AMF provided by an embodiment of this application.
  • FIG. 13 is a schematic structural diagram of an AUSF provided by an embodiment of this application.
  • FIG. 14 is a schematic structural diagram of a SEAF provided by an embodiment of this application.
  • FIG. 15 is a schematic structural diagram of another user equipment provided by an embodiment of this application.
  • FIG. 16 is a schematic structural diagram of another target AMF provided by an embodiment of this application.
  • FIG. 17 is a schematic structural diagram of another AUSF provided by an embodiment of this application.
  • FIG. 18 is a schematic structural diagram of another SEAF provided by an embodiment of this application.
  • FIG. 1-A is a schematic diagram of a 5G network architecture exemplified in an embodiment of the present application.
  • The 5G network splits certain functional network elements of the 4G network (for example, the Mobility Management Entity (MME)) and defines an architecture based on a service-oriented architecture.
  • The user terminal (UE) accesses a data network (DN, Data Network) by accessing the operator's network, and uses the services provided on the DN by the operator or by a third party.
  • Access and Mobility Management Function is a control plane network element in the 3GPP network, which is mainly responsible for the access control and mobility management of the UE accessing the operator's network.
  • The security anchor function (SEAF, Security Anchor Function) may be deployed in the AMF, or the SEAF may be deployed in another device different from the AMF. The embodiments below take the case where the SEAF is deployed in the AMF as an example; in that case SEAF and AMF are collectively referred to as AMF.
  • the session management function is a control plane network element in the 3GPP network. Among them, the SMF is mainly used to manage the data packet (PDU, Packet Data Unit) session of the UE.
  • The PDU session is a channel used to transmit PDUs; the UE and the DN can send PDUs to each other through the PDU session.
  • SMF is responsible for management work such as establishment, maintenance and deletion of PDU sessions.
  • a certain DN is a private network of a smart factory.
  • the sensors installed on the smart factory workshop play the role of UE, and the sensor control server is deployed in the DN.
  • the UE communicates with the control server. After the UE obtains an instruction from the control server, it can transmit the collected data to the control server according to the instruction.
  • a DN is a company's internal office network, and the terminal used by the company's employees can play the role of a UE, and this UE can access the company's internal information and other resources.
  • The unified data management network element (UDM, Unified Data Management) is also a control plane network element in the 3GPP network. UDM is mainly responsible for storing the subscription data, credentials and permanent identifiers (SUPI, Subscriber Permanent Identifier) of the subscribers (UEs) in the 3GPP network. These data can be used for authentication and authorization of the UE when it accesses the operator's 3GPP network.
  • The authentication server function (AUSF, Authentication Server Function) is also a control plane network element in the 3GPP network, and the AUSF is mainly used for primary authentication (that is, the 3GPP network authenticating its subscribers).
  • the Network Exposure Function (NEF, Network Exposure Function) is also a control plane network element in the 3GPP network.
  • NEF is mainly responsible for exposing the external interface of the 3GPP network to third parties in a secure manner.
  • When network elements such as the SMF need to communicate with third-party network elements, the NEF can be used as a communication relay.
  • When relaying, the NEF can translate between internal and external identifiers. For example, when the SUPI of the UE is sent from the 3GPP network to a third party, the NEF can translate the SUPI into its corresponding external identity (ID, Identity); conversely, the NEF can translate an external ID into the corresponding SUPI when passing it into the 3GPP network.
  • The network repository function (NRF, Network Repository Function) is also a control plane network element in the 3GPP network. It is mainly responsible for storing the configuration service profiles of accessible network functions (NF) and for providing a network function discovery service to other network elements.
  • The user plane function (UPF, User Plane Function) is the gateway for communication between the 3GPP network and the DN.
  • the policy control function (PCF, Policy Control Function) is a control plane function in the 3GPP network, which is used to provide the SMF with the policy of the PDU session.
  • Policies can include billing, quality of service (QoS, Quality of Service), authorization-related policies, etc.
  • The access network (AN) is a sub-network of the 3GPP network. To access the 3GPP network, the UE first needs to go through the AN. In the wireless access scenario, the AN is also called the Radio Access Network (RAN, Radio Access Network), so the two terms RAN and AN are often used interchangeably.
  • a 3GPP network refers to a network that complies with 3GPP standards. Among them, the part except UE and DN in Figure 1-A can be regarded as a 3GPP network.
  • 3GPP networks are not limited to 5G networks defined by 3GPP, but can also include 2G, 3G, and 4G networks. Usually 3GPP networks are operated by operators.
  • N1, N2, N3, N4, N6, etc. in the architecture shown in Fig. 1-A respectively represent reference points between related network elements/network functions. Nausf, Namf..., etc., respectively represent service-oriented interfaces of related network functions.
  • The technical solutions of the embodiments of the present application can be implemented based on the communication system with the architecture illustrated in FIG. 1-A, or on a variant of that architecture.
  • The embodiments of the present application provide solutions for realizing secure communication in the case of AMF re-allocation, for example solutions for realizing forward security of the AMF key:
  • AMF serving Slice 1 (network slice 1), that is, Source AMF (source AMF), cannot obtain the AMF key Kamf between the UE and Target AMF (target AMF).
  • AMF serving Slice 2 (Network Slice 2), that is, Target AMF, cannot obtain the AMF key Kamf between the UE and the Source AMF.
  • network slice 1 and network slice 2 are two mutually exclusive network slices.
  • Some embodiments of the present application abbreviate "network slice" as "slice"; the two terms are used interchangeably.
  • FIG. 1-B is a schematic flowchart of a communication method provided by an embodiment of this application.
  • a communication method may include:
  • The UE sends a registration request message to the target AMF, the registration request message carrying the network slice selection assistance information (NSSAI) of the target slice requested by the UE.
  • the target AMF serving the target slice receives the registration request message from the UE.
  • The UE obtains the first AMF key Kamf_new.
  • The target AMF obtains the first AMF key Kamf_new.
  • Kamf_new is different from the second AMF key Kamf_old, where Kamf_new is the key of the Target AMF serving the target slice and Kamf_old is the key of the Source AMF serving the source slice.
  • There is no necessary order of execution between step 102 and step 103.
  • The method may further include: the UE receives a first message carrying key input parameters sent by the target AMF, and generates Kamf_new using the key input parameters carried in the first message.
  • the key input parameter carried in the first message includes, for example, one or more of the following key input parameters: key input parameter T2, key input parameter T3, or key input parameter T4.
  • key input parameter T2 is provided by the target AMF, for example;
  • key input parameter T3 is provided by AUSF, for example,
  • key input parameter T4 is provided by SEAF, for example, and
  • key input parameter T5 is provided by AAA-S, for example.
  • The method may further include: the UE receives a second message carrying a first key update indication sent by the target AMF, where the first key update indication is used to instruct the UE to update the AMF key.
  • the UE acquiring the first AMF key Kamf_new may be executed under the trigger of the first key update instruction.
  • the second message and the first message may be the same message or different messages.
  • The second message and the first message may be a non-access stratum security mode command (NAS Security Mode Command) message or another message.
  • the registration request message may carry a key input parameter T1, and the key input parameter T1 is used to generate the Kamf_new.
  • the key input parameter T1 is provided by the UE, and the UE transmits the key input parameter T1 to the network side through a registration request message, so that the network side can generate the Kamf_new accordingly.
  • the registration request message further carries a second key update instruction
  • the second key update instruction is used to instruct the network side to update the AMF key.
  • the acquisition of the first AMF key Kamf_new by the network-side related device may be executed under the trigger of the second key update instruction.
  • the method may further include:
  • The target AMF sends a key update service request to the authentication server function AUSF (that is, the target AMF invokes the key update service of the AUSF), where the key update service request carries the key input parameter T1 and/or the key input parameter T2. The target AMF receives the response to the key update service request returned by the AUSF, where the response carries the SEAF key Kseaf_new; the key input parameter T1 and/or the key input parameter T2 are used to generate Kseaf_new, and Kseaf_new is used to generate Kamf_new. Further, the target AMF may send to the UE a first message carrying part or all of the key input parameters (for example, the key input parameter T2) used to generate Kseaf_new.
  • the method may further include:
  • The target AMF sends a key update service request to the AUSF; the target AMF receives a response to the key update service request returned by the AUSF, where the response carries Kseaf_new and the key input parameter T3, and the key input parameter T3 is used to generate Kseaf_new; Kseaf_new is used to generate Kamf_new; the target AMF sends a first message carrying the key input parameter T3 to the UE.
  • the method may further include:
  • The target AMF sends a key update service request to the AUSF, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; the target AMF receives the response to the key update service request returned by the AUSF, where the response carries Kseaf_new and the key input parameter T3, and both the key input parameter T3 and the key input parameter(s) carried in the key update service request are used to generate Kseaf_new; Kseaf_new is used to generate Kamf_new, and the target AMF sends a first message carrying the key input parameter T3 to the UE.
  • the method may further include:
  • The target AMF sends a key update service request to the security anchor function SEAF, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; the target AMF receives the response to the key update service request returned by the SEAF, where the response carries Kamf_new, and the key input parameter T2 and/or the key input parameter T1 are used to generate Kamf_new. Further, the target AMF may send to the UE a first message carrying part or all of the key input parameters (for example, the key input parameter T2) used to generate Kamf_new.
  • the method may further include:
  • The target AMF sends a key update service request to the SEAF; the target AMF receives a response to the key update service request returned by the SEAF, where the response carries Kamf_new and the key input parameter T4, and the key input parameter T4 is used to generate Kamf_new; the target AMF sends a first message carrying the key input parameter T4 to the UE.
  • the method may further include:
  • The target AMF sends a key update service request to the SEAF, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; the target AMF receives the response to the key update service request returned by the SEAF, where the response carries Kamf_new and the key input parameter T4, and both the key input parameter T4 and the key input parameter(s) carried in the key update service request are used to generate Kamf_new; the target AMF sends a first message carrying the key input parameter T4 to the UE.
  • the first message may also carry some or all other key input parameters used to generate the Kamf_new.
  • the method may further include:
  • The target AMF sends a message carrying a key parameter indication to the slice authentication and authorization server AAA-S, where the key parameter indication is used to instruct the AAA-S to generate a key input parameter T5; the target AMF receives the key input parameter T5 sent by the AAA-S, where the key input parameter T5 is used to generate Kamf_new. The key input parameter T1 and/or the key input parameter T2 may also be used to generate Kamf_new together with T5.
  • The solution of this embodiment does not need to update the entire key hierarchy through primary authentication, and can achieve key isolation between the Source AMF and the Target AMF in the slice switching scenario. Compared with a solution that realizes Kamf forward security by updating the entire key hierarchy through primary authentication, the efficiency of the solution in the embodiments of the present application is significantly improved.
  • a communication method may include:
  • the target AMF sends a key update service request to AUSF.
  • the target AMF may request the key update service of AUSF after receiving a registration request message requesting access to the target slice from the UE.
  • After receiving the key update service request from the target AMF, the AUSF generates Kseaf_new, and Kseaf_new is used to generate Kamf_new.
  • generating Kseaf_new uses one or more of the key input parameter T1, the key input parameter T2, and the key input parameter T3, for example.
  • the key input parameter T1 and/or the key input parameter T2 are used, and the key input parameter T1 and/or the key input parameter T2 are carried in the key update service request.
  • AUSF returns a response to the key update service request to the target AMF, where the response carries the Kseaf_new.
  • the target AMF uses Kseaf_new to generate Kamf_new.
  • the Kamf_new is different from the second AMF key Kamf_old, where the Kamf_new is the key of the target AMF serving the target slice, and the Kamf_old is the key of the source AMF serving the source slice.
  • the key input parameter T3 is used when generating Kseaf_new, and the key input parameter T3 is carried in the response of the key update service request.
  • The solution of this embodiment does not need to update the entire key hierarchy through primary authentication; it uses the key update service of the AUSF to generate Kseaf_new and Kamf_new, which achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario.
  • Compared with updating the entire key hierarchy through primary authentication, the efficiency of the scheme of the embodiments of the present application is significantly improved.
  • For comparison, a primary authentication proceeds as follows: the SEAF requests UE authentication from the AUSF; the AUSF requests the UDM to generate an authentication vector; the UE, the serving network and the home network perform mutual authentication; after primary authentication succeeds, the key hierarchy of the serving network is updated.
  • In that case the entire key hierarchy is updated, including the AUSF key Kausf.
  • In this embodiment, by contrast, the SEAF (or the target AMF) requests only a key update from the AUSF: Kausf is not updated, the UDM does not need to participate, and the efficiency is therefore significantly improved.
  • FIG. 3 is a schematic flowchart of another communication method provided by an example of an embodiment of this application.
  • Another communication method may include:
  • The target AMF sends a key update service request to the SEAF to request invocation of the key update service of the SEAF.
  • After receiving the key update service request from the target AMF, the SEAF generates Kamf_new.
  • the Kamf_new is different from the second AMF key Kamf_old, where the Kamf_new is the key of the target AMF serving the target slice, and the Kamf_old is the key of the source AMF serving the source slice.
  • generating the Kamf_new uses one or more of the key input parameter T1, the key input parameter T2, and the key input parameter T4;
  • the key input parameter T1 and/or the key input parameter T2 are used, and the key input parameter T1 and/or the key input parameter T2 are carried in the key update service request.
  • the SEAF returns a response to the key update service request to the target AMF, where the response carries the Kamf_new.
  • the target AMF receives a response to the key update service request returned by the SEAF, and the target AMF obtains Kamf_new from the response.
  • When the key input parameter T4 is used to generate Kamf_new, the key input parameter T4 is carried in the response to the key update service request, and the key input parameter T4 can then be passed to the UE through the target AMF.
  • The solution of this embodiment does not need to update the entire key hierarchy through primary authentication; it uses the key update service of the SEAF to generate Kamf_new, which achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario. Compared with realizing Kamf forward security by updating the entire key hierarchy through primary authentication, the efficiency of the solution in the embodiments of the present application is significantly improved.
  • The condition for triggering the target AMF to update its key may be: the UE instructs the target AMF to update the key of the target AMF; or the target AMF itself determines whether the key of the target AMF needs to be updated by judging whether a locally preset key update condition is satisfied.
  • The condition for triggering the UE to update the key of the target AMF may be: the UE itself determines whether the key of the target AMF needs to be updated by judging whether a locally preset key update condition is satisfied; or the target AMF instructs the UE to update the key of the target AMF.
  • the network side generates Kamf_new for use by Target AMF.
  • When Kamf_new is generated on the network side, different network elements can cooperate to complete it.
  • For example, the AUSF generates a new Kseaf, namely Kseaf_new.
  • Then either the SEAF or the Target AMF generates Kamf_new according to Kseaf_new; alternatively, the SEAF generates Kamf_new directly, or the Target AMF generates Kamf_new directly.
  • The UE and the network side use the same method to generate Kamf_new.
  • The key input parameters may include, but are not limited to, one or more of the following: a random number, a key update counter, the NAS UL Counter, the identifier of the target slice instance, the description information of the target slice instance, the identifier of the slice group or slice class to which the target slice belongs, the description information of the slice group or slice class to which the target slice belongs, and so on.
  • FIG. 4 is a schematic flowchart of another communication method provided by an embodiment of the application.
  • In the case of integrated deployment of SEAF and AMF, SEAF and AMF can be collectively referred to as AMF.
  • When the UE switches from one source slice to another, mutually exclusive, target slice, the AUSF generates Kseaf_new and sends it to the Target AMF (with built-in SEAF), and the Target AMF generates Kamf_new according to Kseaf_new.
  • a communication method may include:
  • the UE sends a Registration Request (Registration Request) message.
  • the registration request message carries the NSSAI(s) of the target slice that the UE requests to access, and the registration request message also carries the key input parameter T1 used to generate the new AMF key Kamf_new.
  • The key input parameter T1 may include one or more of the following: a random number generated by the UE, a counter for key update that is synchronously maintained between the UE and the AUSF, the S-NSSAI of the target slice, the description information of the slice group (or slice class) to which the target slice belongs, the identifier of the slice group (or slice class) to which the target slice belongs, the description information of the target slice instance, the identifier of the target slice instance, and so on.
  • the purpose of the key input parameter T1 is to isolate the final Kamf_new from Kamf_old.
  • the embodiment of this application does not limit the specific type of the key input parameter T1, as long as the input parameter meets the purpose of the input parameter.
  • the registration request message may also carry integrity verification information Auth_T1 of the key input parameter T1.
  • Auth_T1 can be used for AUSF to verify whether the source of the key input parameter T1 is the UE, and can also be used to verify whether the key input parameter T1 has been tampered with, and so on.
  • An example of Auth_T1: Auth_T1 = HMAC(Kausf, key input parameter T1).
  • AUSF can verify the source of the key input parameter T1 through Auth_T1 and whether the key input parameter T1 has been tampered with.
  • the registration request message may also carry New_Kseaf_Kamf_Indicator.
  • The UE uses this New_Kseaf_Kamf_Indicator to notify the Target AMF (the network side) that Kseaf_new and Kamf_new need to be generated.
  • the UE can also notify the network side that it needs to generate Kseaf_new and Kamf_new in other ways.
  • After the Target AMF receives the registration request, the Target AMF initiates the UE Context Transfer procedure, through which it can obtain the Source AMF key Kamf_old and the UE's permanent identifier (SUPI, Subscriber Permanent Identifier) from the Source AMF.
  • The Target AMF sends a key update service request (Nausf_KeyUpdate_MEANS Request) to the AUSF to request invocation of the key update service of the AUSF.
  • the Target AMF can send a key update service request to AUSF under the instruction of the New_Kseaf_Kamf_Indicator carried in the registration request message to request to invoke the key update service of AUSF.
  • the Target AMF may send a key update service request to AUSF when it determines that the preset key update conditions are met, to request to invoke the key update service of AUSF.
  • the key update service request sent to the AUSF may carry the key input parameter T1 from the registration request message.
  • The key update service request sent to the AUSF may also carry the UE's permanent identifier (SUPI) and the serving network name (SN-name).
  • If the registration request message carries the integrity verification information Auth_T1, the key update service request sent to the AUSF also carries Auth_T1.
  • AUSF receives the key update service request from Target AMF.
  • If the key input parameter T1 carried in the key update service request from the Target AMF includes the key update Counter that is maintained synchronously between the UE and the AUSF, the AUSF can further check whether the Counter included in T1 is acceptable. If it is not acceptable, the AUSF can return the error cause to the Target AMF and terminate the subsequent key update procedure.
  • If Auth_T1 is carried, the AUSF verifies the source of the key input parameter T1 and whether T1 has been tampered with. If it has been tampered with, the AUSF returns the error cause to the Target AMF and can terminate the subsequent key update procedure.
  • AUSF generates Kseaf_new.
  • Kausf is used as the input key for generating Kseaf_new, and the key input parameters may include the key input parameter T1 and the SN-name.
  • AUSF sends a key update service response (Nausf_KeyUpdate_MEANSResponse) to the Target AMF.
  • the key update service response (that is, the response to the key update service request) carries a success indication (Success) and Kseaf_new, etc.
  • If the key update fails, the key update service response can instead carry the failure cause.
  • Target AMF receives the key update service response from AUSF.
  • the Target AMF generates Kamf_new (specifically, the SEAF built in the Target AMF generates Kamf_new).
  • the input key used by Target AMF to generate Kamf_new is Kseaf_new.
  • The key input parameters of Kamf_new include the SUPI and ABBA (Anti-Bidding down Between Architectures), etc.
  • The key input parameters of Kamf_new may also include the key input parameter T1.
  • Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T1]).
  • the parameters in [] indicate optional parameters.
  • the Target AMF sends a message M4 for activating the new key to the UE.
  • the Target AMF may carry New_Kseaf_Kamf_Indicator in the message M4, where this New_Kseaf_Kamf_Indicator may be used to instruct the UE to generate Kseaf_new and Kamf_new. If the registration request message carries New_Kseaf_Kamf_Indicator, the Target AMF may not carry New_Kseaf_Kamf_Indicator in the message M4.
  • the message M4 may also carry the key input parameter T1 and so on.
  • the message M4 may use the NAS keys generated by Kamf_new for integrity protection, for example.
  • the message M4 may be a NAS Security Mode Command message.
  • the UE receives the message M4 from Target AMF.
  • the UE uses the same mechanism as the network side to generate Kseaf_new and Kamf_new.
  • the UE can also determine whether it needs to generate Kseaf_new and Kamf_new by itself. If necessary, the UE uses the same mechanism as the network side to generate Kseaf_new and Kamf_new. In this case, the UE can perform operations of determining whether to generate Kseaf_new and Kamf_new and generating Kseaf_new and Kamf_new at any time after sending the registration request message and before sending the message M5.
  • the message M4 uses the NAS keys generated by Kamf_new for integrity protection, after the UE generates Kamf_new, it can verify the integrity of the message M4 according to the NAS keys generated by Kamf_new. Among them, if the integrity verification fails, the UE may terminate related procedures, for example.
  • the UE sends a message M5 to the Target AMF to notify the Target AMF to complete the key activation.
  • the message M5 is, for example, a NAS Security Mode Complete (NAS Security Mode Complete) message.
  • the Target AMF sends a registration acceptance (Registration Accept) message for notifying the successful registration of the target slice to the UE.
  • the key input parameter T1 in this embodiment may include the key update Counter maintained between the UE and the AUSF.
  • This application does not specifically limit the generation, initial value setting, update after use, and synchronization of the key update Counter.
  • Steps 401-409 in this embodiment occur between the initiation of the slice conversion and the end of the conversion.
  • In this embodiment the UE provides some of the parameters used to generate Kseaf_new and Kamf_new, which achieves key isolation between the Source AMF and the Target AMF in the mutually exclusive slice switching scenario, and thereby Kamf forward security.
  • The solution of this embodiment does not need to update the entire key hierarchy through primary authentication, and can realize key isolation between the Source AMF and the Target AMF in the slice switching scenario. Compared with a possible solution that realizes Kamf forward security by updating the entire key hierarchy through primary authentication, the efficiency of the solution of the embodiment of the present application is significantly improved.
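The Fig. 4 exchange above (T1 and Auth_T1 from the UE, Kseaf_new from the AUSF, Kamf_new in the Target AMF's built-in SEAF, and the same derivation on the UE) and the Fig. 3 SEAF-only variant are modelled below in Python as an added example; this is not code from the patent or from any 3GPP implementation. The formulas Auth_T1 = HMAC(Kausf, T1) and Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T1]) are the page's own; everything else is an assumption for the example: the KDF layout borrowed from TS 33.220 Annex B (FC || P0 || L0 || ...), the FC values, the byte encoding of T1, the replay check on the key update counter, the failure causes, and the use of the current Kseaf as input key in the SEAF variant. All sample keys and identifiers are constructed.

```python
"""Worked model of the Fig. 4 key update (AUSF path) and the Fig. 3 SEAF path.
Added example only; KDF layout, FC values, T1 encoding and failure causes are
assumptions, not taken from the patent."""
import hashlib
import hmac
import os
import struct

FC_KSEAF_NEW = 0xE0  # assumed FC for Kseaf_new = KDF(Kausf, T1, SN-name)
FC_KAMF_NEW = 0xE1   # assumed FC for Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T1])

# Constructed sample values (no real subscriber, key or network).
KAUSF = hashlib.sha256(b"constructed Kausf").digest()
KAMF_OLD = hashlib.sha256(b"constructed Kamf_old of the Source AMF").digest()
SUPI = b"imsi-460001234567890"
SN_NAME = b"5G:mnc000.mcc460.3gppnetwork.org"
ABBA = b"\x00\x00"
S_NSSAI = bytes([0x01, 0x12, 0x34, 0x56])  # SST=1, SD=0x123456 of the target slice


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def encode_t1(rand: bytes, counter: int, s_nssai: bytes) -> bytes:
    """Assumed encoding of T1: 16-byte UE RAND || 4-byte key update counter || S-NSSAI."""
    return rand + struct.pack(">I", counter) + s_nssai


def auth_t1(kausf: bytes, t1: bytes) -> bytes:
    """Auth_T1 = HMAC(Kausf, T1): lets the AUSF check that T1 came from the UE untampered."""
    return hmac.new(kausf, t1, hashlib.sha256).digest()


def derive_kseaf_new(kausf: bytes, t1: bytes, sn_name: bytes) -> bytes:
    return kdf(kausf, FC_KSEAF_NEW, t1, sn_name)


def derive_kamf_new(kseaf_new: bytes, supi: bytes, abba: bytes, t1: bytes) -> bytes:
    return kdf(kseaf_new, FC_KAMF_NEW, supi, abba, t1)


class AUSF:
    """Holds Kausf per SUPI and the highest key update counter accepted so far."""

    def __init__(self, kausf_by_supi: dict):
        self.kausf_by_supi = kausf_by_supi
        self.last_counter = {supi: -1 for supi in kausf_by_supi}

    def key_update(self, supi: bytes, sn_name: bytes, t1: bytes, tag: bytes) -> dict:
        """Nausf_KeyUpdate: reject tampered T1 or a replayed counter, else return Kseaf_new."""
        kausf = self.kausf_by_supi[supi]
        if not hmac.compare_digest(auth_t1(kausf, t1), tag):
            return {"result": "Failure", "cause": "Auth_T1 verification failed"}
        counter = struct.unpack(">I", t1[16:20])[0]
        if counter <= self.last_counter[supi]:
            return {"result": "Failure", "cause": "key update counter not acceptable"}
        self.last_counter[supi] = counter
        return {"result": "Success", "Kseaf_new": derive_kseaf_new(kausf, t1, sn_name)}


def target_amf_key_update(ausf: AUSF, supi: bytes, sn_name: bytes, abba: bytes, reg: dict) -> dict:
    """Target AMF: forward T1/Auth_T1 from the registration request to the AUSF, derive Kamf_new
    in the built-in SEAF, and build message M4 (NAS SMC) carrying the indicator and T1."""
    resp = ausf.key_update(supi, sn_name, reg["T1"], reg["Auth_T1"])
    if resp["result"] != "Success":
        return resp
    kamf_new = derive_kamf_new(resp["Kseaf_new"], supi, abba, reg["T1"])
    return {"result": "Success", "Kamf_new": kamf_new,
            "M4": {"New_Kseaf_Kamf_Indicator": True, "T1": reg["T1"]}}


def ue_derive_kamf_new(kausf: bytes, sn_name: bytes, supi: bytes, abba: bytes, t1: bytes) -> bytes:
    """UE side: the same two derivations with the same inputs, so the keys must match."""
    return derive_kamf_new(derive_kseaf_new(kausf, t1, sn_name), supi, abba, t1)


def seaf_kamf_new(kseaf: bytes, supi: bytes, abba: bytes, t2: bytes, t4: bytes) -> bytes:
    """Fig. 3 variant: the SEAF derives Kamf_new from the current Kseaf with T2 (from the
    Target AMF) and T4 (from the SEAF), without a new Kseaf. Kseaf as input key is assumed."""
    return kdf(kseaf, FC_KAMF_NEW, supi, abba, t2, t4)


def run_slice_switch(counter: int, rand: bytes = None) -> tuple:
    """Whole Fig. 4 exchange; returns (UE Kamf_new, network Kamf_new, Kamf_old)."""
    rand = os.urandom(16) if rand is None else rand
    t1 = encode_t1(rand, counter, S_NSSAI)
    reg = {"NSSAI": S_NSSAI, "T1": t1, "Auth_T1": auth_t1(KAUSF, t1),
           "New_Kseaf_Kamf_Indicator": True}
    net = target_amf_key_update(AUSF({SUPI: KAUSF}), SUPI, SN_NAME, ABBA, reg)
    ue_key = ue_derive_kamf_new(KAUSF, SN_NAME, SUPI, ABBA, net["M4"]["T1"])
    return ue_key, net["Kamf_new"], KAMF_OLD


if __name__ == "__main__":
    ue_key, net_key, old = run_slice_switch(counter=1)
    print("UE and Target AMF agree:", ue_key == net_key)
    print("Kamf_new isolated from Kamf_old:", ue_key != old)
```

The point to check in such a model is the two failure paths the text describes for the AUSF: a T1 whose Auth_T1 does not verify, and a key update counter that is not acceptable (here: not greater than the last accepted one), both of which must stop the procedure before any Kseaf_new is returned.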
  • FIG. 5 is a schematic flowchart of another communication method provided by an embodiment of the application.
  • In the case of integrated deployment of SEAF and AMF, SEAF and AMF can be collectively called AMF.
  • When the UE switches from one source slice to another, mutually exclusive, target slice, the AUSF generates Kseaf_new and sends it to the Target AMF (with built-in SEAF), and the Target AMF generates Kamf_new according to Kseaf_new.
  • a communication method may include:
  • the UE sends a registration request message.
  • the registration request message carries the NSSAI(s) of the target slice to be accessed.
  • the registration request message may also carry New_Kseaf_Kamf_Indicator.
  • The UE uses this New_Kseaf_Kamf_Indicator to notify the Target AMF (the network side) that Kseaf_new and Kamf_new need to be generated.
  • the UE can also notify the network side that it needs to generate Kseaf_new and Kamf_new in other ways.
  • After the Target AMF receives the registration request, the Target AMF initiates the UE Context Transfer procedure, through which it can obtain the Source AMF key Kamf_old, the UE's permanent identifier (SUPI), the network slice instance, etc. from the Source AMF.
  • Target AMF sends a key update service request Nausf_KeyUpdate_MEANS Request to AUSF.
  • the Target AMF can send a key update service request to AUSF under the instruction of the New_Kseaf_Kamf_Indicator carried in the registration request message to request to invoke the key update service of AUSF.
  • the Target AMF may send a key update service request to AUSF when it determines that the preset key update conditions are met, to request to invoke the key update service of AUSF.
  • the key input parameter T2 is carried in the key update service request sent to the AUSF.
  • the key input parameter T2 can be one or several of the following parameters: a random number generated by the Target AMF, the counter maintained between the Target AMF and the AUSF for key update (the key update counter), the NAS UL Counter, the S-NSSAI of the target slice, the description information of the slice group (or slice class) to which the target slice belongs, the identifier of that slice group (or slice class), the description information of the target slice instance, and the identifier of the target slice instance.
  • the purpose of the key input parameter T2 is to isolate the final Kamf_new from Kamf_old.
  • the key update service request sent to the AUSF can carry a key input parameter T2 taken from the registration request message (for example the S-NSSAI of the target slice).
  • the key update service request sent to the AUSF may also carry the UE's persistent identity (SUPI) and service network name (SN-name).
  • AUSF receives the key update service request Nausf_KeyUpdate_MEANS Request of Target AMF.
  • if the key input parameter T2 carried in the key update service request from the Target AMF includes the key update Counter synchronously maintained between the Target AMF and the AUSF, the AUSF can further check whether the Counter value in T2 is acceptable. If it is not, the AUSF can return the error cause to the Target AMF and terminate the subsequent key update procedure.
  • AUSF generates Kseaf_new.
  • the AUSF uses Kausf as the input key to generate Kseaf_new; the key input parameters may include the key input parameter T2 and the SN-name.
  • AUSF sends a key update service response Nausf_KeyUpdate_MEANS Response to Target AMF.
  • if the key update succeeds, the key update service response (that is, the response to the key update service request) carries a success indication (Success), Kseaf_new, etc.; if it fails, the response can carry the failure reason, etc.
  • Target AMF receives the key update service response from AUSF.
  • if the key update service response indicates that the key update succeeded, the Target AMF generates Kamf_new (specifically, the SEAF built into the Target AMF generates Kamf_new).
  • the input key used by Target AMF to generate Kamf_new is Kseaf_new.
  • the key input parameters of Kamf_new include SUPI and ABBA.
  • the key input parameter of Kamf_new may also include the key input parameter T2.
  • Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T2]).
  • the parameters in [] indicate optional parameters.
  • Target AMF sends a message M4 for activating the new key to the UE.
  • the Target AMF may carry New_Kseaf_Kamf_Indicator in the message M4, where this New_Kseaf_Kamf_Indicator may be used to instruct the UE to generate Kseaf_new and Kamf_new. If the registration request message carries New_Kseaf_Kamf_Indicator, the Target AMF may not carry New_Kseaf_Kamf_Indicator in the message M4.
  • for parameters in T2 that the UE does not know, such as the random number generated by the Target AMF or the key update Counter maintained between the Target AMF and the AUSF, the Target AMF carries them in the message M4; alternatively, the Target AMF can carry all parameters included in the key input parameter T2 in the message M4.
  • the message M4 may use the NAS keys generated by Kamf_new for integrity protection, for example.
  • the message M4 may be a NAS Security Mode Command message.
  • the UE receives the message M4 from Target AMF.
  • the UE uses the same mechanism as the network side to generate Kseaf_new and Kamf_new.
  • the UE can also determine by itself whether it needs to generate Kseaf_new and Kamf_new; if so, it generates them with the same mechanism as the network side. In that case the UE may determine whether to generate Kseaf_new and Kamf_new, and generate them, at any time after sending the registration request message and before sending the message M5.
  • if the message M4 is integrity protected with the NAS keys derived from Kamf_new, the UE, after generating Kamf_new, can verify the integrity of M4 with those NAS keys. If the integrity verification fails, the UE may, for example, terminate the related procedure.
  • the UE further sends a message M5 to the Target AMF to notify the Target AMF to complete the key activation.
  • the message M5 is, for example, a NAS Security Mode Complete (NAS Security Mode Complete) message.
  • the Target AMF sends a registration acceptance (Registration Accept) message for notifying the successful registration of the target slice to the UE.
  • the key input parameter T2 in this embodiment may include the key update Counter maintained between Target AMF and AUSF.
  • this application does not specifically limit the generation, initial value setting, update after use, and synchronization of the key update Counter.
  • steps 501-509 of this embodiment take place between the initiation of the slice switch and its completion.
  • Target AMF can provide some parameters for generating Kseaf_new and Kamf_new, which can realize key isolation between Source AMF and Target AMF in mutually exclusive slice switching scenarios, thereby realizing Kamf forward security.
  • the solution of this embodiment does not need to update the entire key hierarchy through primary authentication, and achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario. Compared with possible solutions that achieve Kamf forward security by updating the entire key hierarchy through primary authentication, the efficiency of the solution of this embodiment is significantly improved.
  • FIG. 6 is a schematic flowchart of another communication method provided by an embodiment of the application.
  • in this embodiment the SEAF and the AMF are deployed integrated, so SEAF and AMF are collectively referred to as the AMF.
  • when the UE switches from a source slice to a mutually exclusive target slice, the AUSF generates Kseaf_new and sends it to the Target AMF (with built-in SEAF); the Target AMF then generates Kamf_new from Kseaf_new.
  • another communication method may include:
  • the UE sends a registration request message.
  • the registration request message carries the NSSAI(s) of the target slice to be accessed.
  • the registration request message may also carry New_Kseaf_Kamf_Indicator.
  • the UE uses New_Kseaf_Kamf_Indicator to notify the network side (the Target AMF) that Kseaf_new and Kamf_new need to be generated.
  • the UE can also notify the network side that it needs to generate Kseaf_new and Kamf_new in other ways.
  • after the Target AMF receives the registration request, it initiates the UE Context Transfer procedure. Through this procedure the Target AMF can obtain from the Source AMF, for example, the Source AMF key Kamf_old, the UE's permanent identity (SUPI), and the network slice instance.
  • Target AMF sends a key update service request Nausf_KeyUpdate_MEANS Request to AUSF.
  • the Target AMF can send a key update service request to AUSF under the instruction of the New_Kseaf_Kamf_Indicator carried in the registration request message to request to invoke the key update service of AUSF.
  • the Target AMF may send a key update service request to AUSF when it determines that the preset key update conditions are met, to request to invoke the key update service of AUSF.
  • the key update service request may also carry the UE's persistent identity (SUPI) and service network name (SN-name) and so on.
  • AUSF receives the key update service request Nausf_KeyUpdate_MEANS Request from Target AMF.
  • AUSF generates Kseaf_new.
  • the AUSF uses Kausf as the input key to generate Kseaf_new, with the key input parameter T3 and the SN-name as key input parameters.
  • the key input parameter T3 can be one or more of the following input parameters: a key update Counter maintained between TargetAMF and AUSF, a random number generated by AUSF, and so on.
  • the purpose of using the key input parameter T3 is to isolate the final Kamf_new from Kamf_old.
  • the embodiment of the present application does not limit the specific type of the key input parameter T3, as long as the input parameter meets the purpose.
  • AUSF sends a key update service response Nausf_KeyUpdate_MEANS Response to Target AMF.
  • if the key update succeeds, the key update service response (that is, the response to the key update service request) carries a success indication (Success), Kseaf_new, and the key input parameter T3, etc.; if it fails, the response may carry the failure reason, etc.
  • Target AMF receives the key update service response from AUSF.
  • if the key update service response indicates that the key update succeeded, the Target AMF generates Kamf_new (specifically, the SEAF built into the Target AMF generates Kamf_new).
  • the input key used by Target AMF to generate Kamf_new is Kseaf_new.
  • the key input parameters of Kamf_new include SUPI and ABBA.
  • the key input parameter of Kamf_new may also include the key input parameter T3.
  • Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T3]).
  • the parameters in [] indicate optional parameters.
  • the Target AMF sends a message M4 for activating the new key to the UE.
  • the Target AMF may carry New_Kseaf_Kamf_Indicator in the message M4, where this New_Kseaf_Kamf_Indicator may be used to instruct the UE to generate Kseaf_new and Kamf_new. If the registration request message carries New_Kseaf_Kamf_Indicator, the Target AMF may not carry New_Kseaf_Kamf_Indicator in the message M4.
  • the message M4 carries the key input parameter T3, which the UE cannot otherwise know.
  • the message M4 may use the NAS keys generated by Kamf_new for integrity protection, for example.
  • the message M4 may be a NAS Security Mode Command (NAS SMC) message.
  • the UE receives the message M4 from Target AMF.
  • the UE uses the same mechanism as the network side to generate Kseaf_new and Kamf_new.
  • the UE can also determine by itself whether it needs to generate Kseaf_new and Kamf_new; if so, it generates them with the same mechanism as the network side. In that case the UE may determine whether to generate Kseaf_new and Kamf_new, and generate them, at any time after sending the registration request message and before sending the message M5.
  • if the message M4 is integrity protected with the NAS keys derived from Kamf_new, the UE, after generating Kamf_new, can verify the integrity of M4 with those NAS keys. If the integrity verification fails, the UE may, for example, terminate the related procedure.
  • the UE further sends a message M5 to the Target AMF to notify the Target AMF to complete the key activation.
  • the message M5 is, for example, a NAS Security Mode Complete (NAS Security Mode Complete) message.
  • the Target AMF sends a Registration Accept (Registration Accept) message for notifying the successful registration of the target slice to the UE.
  • the key input parameter T3 in this embodiment may include the key update Counter maintained between Target AMF and AUSF.
  • this application does not specifically limit the generation, initial value setting, update after use, and synchronization of the key update Counter.
  • steps 601-609 of this embodiment take place between the initiation of the slice switch and its completion.
  • AUSF can provide some parameters for generating Kseaf_new and Kamf_new, which can realize key isolation between Source AMF and Target AMF in mutually exclusive slice switching scenarios, thereby realizing Kamf forward security.
  • the solution of this embodiment does not need to update the entire key hierarchy through primary authentication, and achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario. Compared with possible solutions that achieve Kamf forward security by updating the entire key hierarchy through primary authentication, the efficiency of the solution of this embodiment is significantly improved.
  • in the embodiments above, Kseaf_new is generated by the AUSF and delivered to the Target AMF, which then generates Kamf_new from Kseaf_new; the key input parameters provided by the UE, the Target AMF, or the AUSF are examples used for explanation.
  • AUSF may still generate Kseaf_new and give it to SEAF, and Target AMF may then generate Kamf_new according to Kseaf_new.
  • the key input parameter for generating Kseaf_new can also be provided by one or more of the UE, AUSF, and Target AMF.
  • for example, the key input parameter T1 provided by the UE and the key input parameter T3 provided by the AUSF are jointly used as the key input parameter; as another example, the key input parameter T2 provided by the Target AMF and the key input parameter T3 provided by the AUSF are jointly used as the key input parameter.
  • as a further example, the key input parameter T1 provided by the UE, the key input parameter T2 provided by the Target AMF, and the key input parameter T3 provided by the AUSF are all used together as the key input parameter.
  • Other situations can be deduced by analogy.
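The Kausf -> Kseaf_new -> Kamf_new chain of the FIG. 5 and FIG. 6 embodiments, together with the remark above that T2 (from the Target AMF) and T3 (from the AUSF) can be used jointly, as an added worked example in Python; it is not code from the patent or from any 3GPP implementation. Assumed, because the text leaves them open: the KDF (HMAC-SHA256 over length-prefixed parameters) and the parameter order inside it, the rule that the key update Counter is accepted only if strictly greater than the last accepted value, the joint parameter T = T2 || T3, the NAS integrity key used to protect M4, and all key and identifier values, which are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional


def kdf(key: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over 2-byte-length-prefixed parameters, so that
    (T, SN-name) pairs of different lengths can never encode to the same input."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


def derive_kseaf_new(kausf: bytes, t: bytes, sn_name: bytes) -> bytes:
    """AUSF/UE: Kausf as input key, key input parameters T and SN-name."""
    return kdf(kausf, t, sn_name)


def derive_kamf_new(kseaf_new: bytes, supi: bytes, abba: bytes, t: Optional[bytes] = None) -> bytes:
    """SEAF/UE: Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T]); T is the optional parameter."""
    params = [supi, abba] + ([t] if t is not None else [])
    return kdf(kseaf_new, *params)


class Ausf:
    """Model of the AUSF key update service (Nausf_KeyUpdate request/response)."""

    def __init__(self, kausf: bytes):
        self.kausf = kausf
        self.last_counter = -1  # key update Counter shared with the Target AMF (assumed monotonic)

    def key_update(self, supi: bytes, sn_name: bytes, t2: bytes, counter: int, contribute_t3: bool = False):
        """Returns (status, Kseaf_new or failure cause, T3). The Counter is checked first;
        nothing is derived or stored for a request whose Counter is not acceptable."""
        if counter <= self.last_counter:
            return "Failure", b"key update counter not acceptable", b""
        self.last_counter = counter
        t3 = os.urandom(16) if contribute_t3 else b""   # FIG. 6: AUSF-generated random number
        return "Success", derive_kseaf_new(self.kausf, t2 + t3, sn_name), t3


def m4_mac(kamf_new: bytes, t: bytes) -> bytes:
    """Assumed NAS integrity key derived from Kamf_new, used to protect M4 (its T field)."""
    knas_int = kdf(kamf_new, b"NAS-int")
    return hmac.new(knas_int, b"M4" + t, hashlib.sha256).digest()


def target_amf_slice_switch(ausf: Ausf, supi: bytes, sn_name: bytes, abba: bytes, counter: int):
    """Target AMF: build T2 = nonce || Counter, call the AUSF, derive Kamf_new, build M4."""
    t2 = os.urandom(16) + counter.to_bytes(4, "big")
    status, payload, t3 = ausf.key_update(supi, sn_name, t2, counter, contribute_t3=True)
    if status != "Success":
        return status, payload, None
    t = t2 + t3                                   # T2 and T3 used jointly as the key input parameter
    kamf_new = derive_kamf_new(payload, supi, abba, t)
    # M4 (e.g. NAS Security Mode Command) carries what the UE cannot know: nonce, Counter, T3.
    m4 = {"New_Kseaf_Kamf_Indicator": True, "T": t}
    m4["MAC"] = m4_mac(kamf_new, t)
    return status, kamf_new, m4


def ue_handle_m4(kausf: bytes, supi: bytes, sn_name: bytes, abba: bytes, m4: dict) -> Optional[bytes]:
    """UE: repeat the network's derivation from its own Kausf, then verify M4 under the new key."""
    if not m4.get("New_Kseaf_Kamf_Indicator"):
        return None
    kseaf_new = derive_kseaf_new(kausf, m4["T"], sn_name)
    kamf_new = derive_kamf_new(kseaf_new, supi, abba, m4["T"])
    if not hmac.compare_digest(m4_mac(kamf_new, m4["T"]), m4["MAC"]):
        return None                               # integrity verification of M4 failed: terminate
    return kamf_new


def run_example() -> dict:
    # Constructed values; a real Kausf comes out of primary authentication.
    kausf = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    supi, sn_name, abba = b"imsi-001010123456789", b"5G:mnc001.mcc001.3gppnetwork.org", b"\x00\x00"
    ausf = Ausf(kausf)
    kamf_old = derive_kamf_new(derive_kseaf_new(kausf, b"", sn_name), supi, abba)  # Source AMF key, no T
    status, kamf_new, m4 = target_amf_slice_switch(ausf, supi, sn_name, abba, counter=1)
    ue_kamf = ue_handle_m4(kausf, supi, sn_name, abba, m4)
    tampered = dict(m4, T=bytes(b ^ 0x01 for b in m4["T"]))   # attacker alters T in transit, keeps the MAC
    replay_status, _, _ = ausf.key_update(supi, sn_name, m4["T"], counter=1)   # Counter value 1 reused
    return {"status": status, "kamf_old": kamf_old, "kamf_new": kamf_new, "ue_kamf": ue_kamf,
            "tampered": ue_handle_m4(kausf, supi, sn_name, abba, tampered), "replay": replay_status}
```

The Counter check runs before any key is derived and a rejected request leaves the AUSF's counter untouched, so a replayed Nausf_KeyUpdate request cannot obtain a second derivation for the same T2. The UE reaches Kamf_new only by recomputing the whole chain from its own Kausf, which is what makes the M4 integrity check meaningful: an M4 whose T was altered in transit fails verification and the UE terminates, as the text describes.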
  • FIG. 7 is a schematic flowchart of another communication method provided by an embodiment of the application.
  • the Target AMF and the SEAF are deployed separately (that is, the SEAF is not deployed in the AMF), and the SEAF generates Kamf_new and sends it to the Target AMF.
  • the key input parameters to be used to generate Kamf_new are provided by the UE.
  • a communication method may include:
  • the UE sends a registration request message.
  • the registration request message carries the NSSAI(s) of the requested target slice, and the registration request message also carries a key input parameter T1 for generating a new key.
  • the key input parameter T1 can be one or more of the following parameters: a random number generated by the UE, a counter maintained between the UE and the SEAF for key update, the S-NSSAI of the target slice, the description information of the slice group (or slice class) to which the target slice belongs, the identifier of that slice group (or slice class), the description information of the target slice instance, the identifier of the target slice instance, and so on.
  • the purpose of using the key input parameter T1 is to isolate the finally generated Kamf_new from Kamf_old.
  • the embodiment of this application does not limit the specific type of the key input parameter T1, as long as the input parameter meets the purpose.
  • the registration request message may also carry integrity verification information Auth_T1 of the key input parameter T1.
  • Auth_T1 can be used for AUSF to verify whether the source of the key input parameter T1 is the UE, and can also be used to verify whether the key input parameter T1 has been tampered with.
  • an example of Auth_T1: Auth_T1 = HMAC(Kausf, T1).
  • AUSF can verify the source of the key input parameter T1 through Auth_T1 and whether the key input parameter T1 has been tampered with.
  • the registration request message may also carry New_Kamf_Indicator1.
  • the UE uses New_Kamf_Indicator1 to notify the network side (the Target AMF) that Kamf_new needs to be generated.
  • the UE may also notify the network side that it needs to generate Kamf_new in other ways.
  • after the Target AMF receives the registration request message, it can initiate a UE Context Transfer procedure. Through this procedure the Target AMF can obtain from the Source AMF, for example, the Source AMF key Kamf, the UE's permanent identity (SUPI, Subscriber Permanent Identifier), and the network slice instance.
  • Target AMF sends a key update service request Nseaf_KeyUpdate_MEANS Request to SEAF.
  • the Target AMF can send a key update service request to the SEAF under the instruction of the New_Kamf_Indicator1 carried in the registration request message to request to invoke the key update service of the SEAF.
  • the Target AMF may send a key update service request to the SEAF when it determines that the preset key update condition is satisfied, to request to call the SEAF key update service.
  • the key input parameter T1 and SUPI can be carried in the key update service request.
  • the SEAF receives the key update service request Nseaf_KeyUpdate_MEANS Request from the Target AMF.
  • if the key input parameter T1 includes the key update Counter maintained between the UE and the SEAF, the SEAF checks whether the Counter is acceptable. If it is not, the SEAF returns the error cause to the Target AMF and terminates the subsequent key update procedure.
  • the SEAF verifies the source of the key input parameter T1 and whether T1 has been tampered with. If T1 has been tampered with, the SEAF returns the error cause to the Target AMF and can terminate the subsequent key update procedure.
  • the generation of Kamf_new uses Kseaf as the input key, and the key input parameters include the key input parameter T1.
  • the way of Kamf_new generation can be, for example, way A, way B and way C.
  • Method A: directly use Kseaf as the input key, and directly use the key input parameter T1 as part of the key input parameters, to generate Kamf_new:
  • Kamf_new = KDF(Kseaf, SUPI, ABBA, T1).
  • Method B: directly use Kseaf as the input key, and use the key input parameter T1 indirectly (through ABBA') as a key input parameter, to generate Kamf_new:
  • ABBA' = F(ABBA, T1)
  • Kamf_new = KDF(Kseaf, SUPI, ABBA').
  • Method C: use Kseaf indirectly as the input key, for example first derive Kseaf' from Kseaf and then use Kseaf' as the input key to generate Kamf_new:
  • Kseaf' = KDF(Kseaf, T1).
  • Kamf_new = KDF(Kseaf', SUPI, ABBA, [T1]).
  • the parameters in [] are optional.
  • since Kseaf' is derived from Kseaf, Kseaf can still be regarded as the input key of Kamf_new, and T1 as a key input parameter of Kamf_new.
  • the SEAF sends a key update service response Nseaf_KeyUpdate_MEANS Response to the Target AMF.
  • if the key update succeeds, the key update service response carries a success indication (Success) and Kamf_new, etc.; if it fails, the response may carry the failure reason, etc.
  • the Target AMF receives the key update service response from the SEAF.
  • if the key update fails, the Target AMF may send the UE a notification of, for example, slice access failure; the notification may be carried in, for example, a Registration Reject message.
  • Target AMF sends a message M4 for activating the new key to the UE.
  • the Target AMF may carry New_Kamf_Indicator1 in the message M4, where this New_Kamf_Indicator1 may be used to instruct the UE to generate Kamf_new. If the registration request message carries New_Kamf_Indicator1, the Target AMF may not carry New_Kamf_Indicator1 in the message M4.
  • the message M4 may also carry the key input parameter T1.
  • the message M4 may use the NAS keys generated by Kamf_new for integrity protection, for example.
  • the message M4 may be a NAS Security Mode Command message.
  • the UE receives the message M4 from Target AMF.
  • the UE uses the same mechanism as the network side to generate Kamf_new.
  • the UE can also determine by itself whether it needs to generate Kamf_new; if so, it generates Kamf_new with the same mechanism as the network side. In that case the UE may determine whether to generate Kamf_new, and generate it, at any time after sending the registration request message and before sending the message M5.
  • if the message M4 is integrity protected with the NAS keys derived from Kamf_new, the UE, after generating Kamf_new, can verify the integrity of M4 with those NAS keys. If the integrity verification fails, the UE may, for example, terminate the procedure.
  • the UE further sends a message M5 to the Target AMF to notify the Target AMF to complete the key activation.
  • the message M5 is, for example, a NAS Security Mode Complete (NAS Security Mode Complete) message.
  • after the network slice authentication for the target slice succeeds, the Target AMF sends the UE a Registration Accept message notifying it of successful registration to the target slice.
  • the key input parameter T1 in this embodiment may include a key update Counter maintained between the UE and the SEAF.
  • This application does not specifically limit the generation, initial value setting, update after use, and synchronization of the key update Counter.
  • steps 701-709 of this embodiment take place between the initiation of the slice switch and its completion.
  • the UE can provide some of the parameters for generating Kamf_new, which achieves key isolation between the Source AMF and the Target AMF in the mutually exclusive slice switching scenario, and thereby Kamf forward security.
  • the solution of this embodiment does not need to update the entire key hierarchy through primary authentication, and achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario. Compared with possible solutions that achieve Kamf forward security by updating the entire key hierarchy through primary authentication, the efficiency of the solution of this embodiment is significantly improved.
  • FIG. 8 is a schematic flowchart of another communication method provided by an embodiment of the application.
  • the AMF and the SEAF are deployed separately (that is, the SEAF is not deployed in the AMF), and the SEAF generates Kamf_new and sends it to the AMF.
  • the key input parameters to be used to generate Kamf_new are provided by Target AMF.
  • a communication method may include:
  • the UE sends a Registration Request message.
  • the registration request message carries the NSSAI(s) of the target slice to be accessed.
  • the registration request message may also carry New_Kamf_Indicator1.
  • the UE uses New_Kamf_Indicator1 to notify the network side (the Target AMF) that Kamf_new needs to be generated.
  • the UE may also notify the network side that it needs to generate Kamf_new in other ways.
  • after the Target AMF receives the registration request message, it can initiate a UE Context Transfer procedure. Through this procedure the Target AMF can obtain from the Source AMF, for example, the Source AMF key Kamf, the UE's permanent identity (SUPI, Subscriber Permanent Identifier), and the network slice instance.
  • the Target AMF sends a key update service request Nseaf_KeyUpdate_MEANS Request to the SEAF.
  • the Target AMF can send a key update service request to the SEAF under the instruction of the New_Kamf_Indicator1 carried in the registration request message to request to invoke the key update service of the SEAF.
  • the Target AMF may send a key update service request to the SEAF when it determines that the preset key update conditions are met, so as to request to call the SEAF key update service.
  • the key update service request sent to the SEAF carries the key input parameter T2 and the SUPI.
  • the key input parameter T2 can be one or several of the following parameters: a random number generated by the Target AMF, the Counter maintained between the Target AMF and the SEAF for key update, the NAS UL Counter, the S-NSSAI of the target slice, the description information of the slice group (or slice class) to which the target slice belongs, the identifier of that slice group (or slice class), the description information of the target slice instance, the identifier of the target slice instance, the identifier of the Target AMF, the description information of the Target AMF instance, the instance identifier of the Target AMF, the description information of the AMF Set to which the Target AMF belongs, the identifier of that AMF Set, and so on.
  • the purpose of the key input parameter T2 is to isolate the generated Kamf_new from Kamf_old.
  • the embodiment of the present application does not limit the specific type of the key input parameter T2, as long as the input parameter meets the purpose.
  • the key update service request can carry a key input parameter T2 taken from the registration request message (for example the S-NSSAI of the target slice).
  • the key update service request of the SEAF may also carry the UE's persistent identity (SUPI) and service network name (SN-name).
  • SEAF receives the key update service request Nseaf_KeyUpdate_MEANS Request from Target AMF.
  • if the key input parameter T2 carried in the key update service request from the Target AMF includes the key update Counter synchronously maintained between the Target AMF and the SEAF, the SEAF can further check whether the Counter value in T2 is acceptable. If it is not, the SEAF can return the error cause to the Target AMF and terminate the subsequent key update procedure.
  • SEAF generates Kamf_new.
  • the generation of Kamf_new uses Kseaf as the input key, and the key input parameter includes the key input parameter T2.
  • the way of Kamf_new generation may be, for example, way A, way B, way C and so on.
  • Method A: directly use Kseaf as the input key, and directly use the key input parameter T2 as part of the key input parameters, to generate Kamf_new:
  • Kamf_new = KDF(Kseaf, SUPI, ABBA, T2).
  • Method B: directly use Kseaf as the input key, and use the key input parameter T2 indirectly (through ABBA') as a key input parameter, to generate Kamf_new:
  • ABBA' = F(ABBA, T2)
  • Kamf_new = KDF(Kseaf, SUPI, ABBA').
  • Method C: use Kseaf indirectly as the input key, for example first derive Kseaf' from Kseaf and then use Kseaf' as the input key to generate Kamf_new:
  • Kseaf' = KDF(Kseaf, T2).
  • Kamf_new = KDF(Kseaf', SUPI, ABBA, [T2]).
  • the parameters in [] are optional.
  • since Kseaf' is derived from Kseaf, Kseaf can still be regarded as the input key of Kamf_new, and T2 as a key input parameter of Kamf_new.
  • the SEAF sends a key update service response Nseaf_KeyUpdate_MEANS Response to the Target AMF.
  • the key update service response carries a success indication (Success) and Kamf_new, and if the key update fails, the key update service response can carry the reason for failure, etc.
  • the Target AMF receives the key update service response from the SEAF.
  • if the key update fails, the Target AMF may send the UE a notification of, for example, slice access failure; the notification may be carried in, for example, a Registration Reject message.
  • the Target AMF sends a message M4 for activating the new key to the UE.
  • the Target AMF may carry New_Kamf_Indicator1 in the message M4, where this New_Kamf_Indicator1 may be used to instruct the UE to generate Kamf_new. If the registration request message carries New_Kamf_Indicator1, the Target AMF may not carry New_Kamf_Indicator1 in the message M4.
  • for parameters in T2 that the UE does not know, such as the random number generated by the Target AMF or the key update Counter maintained between the Target AMF and the SEAF, the Target AMF sends them in the message M4; alternatively, the Target AMF can send all parameters included in T2 in the message M4.
  • the message M4 may use the NAS keys generated by Kamf_new for integrity protection, for example.
  • the message M4 may be a NAS Security Mode Command message.
  • the UE receives message M4 from Target AMF.
  • the UE uses the same mechanism as the network side to generate Kamf_new.
  • the UE can also determine whether it needs to generate Kamf_new by itself. If necessary, the UE uses the same mechanism as the network side to generate Kamf_new. In this case, the UE may perform operations of determining whether to generate Kamf_new and generating Kamf_new at any time after sending the registration request message and before sending the message M5.
  • if the message M4 is integrity protected with the NAS keys derived from Kamf_new, the UE, after generating Kamf_new, can verify the integrity of M4 with those NAS keys. If the integrity verification fails, the UE may, for example, terminate the related procedure.
  • the UE may further send a message M5 to the Target AMF to notify the Target AMF that the key activation is completed.
  • the message M5 is, for example, a NAS Security Mode Complete (NAS Security Mode Complete) message.
  • the Target AMF sends a registration acceptance (Registration Accept) message for notifying the successful registration of the target slice to the UE.
  • the key input parameter T2 in this embodiment may include the key update Counter maintained between Target AMF and SEAF.
  • this application does not specifically limit the generation, initial value setting, update after use, and synchronization of the key update Counter.
  • steps 801-809 of this embodiment take place between the initiation of the slice switch and its completion.
  • the Target AMF can provide some of the parameters for generating Kamf_new, which achieves key isolation between the Source AMF and the Target AMF in the mutually exclusive slice switching scenario, and thereby Kamf forward security.
  • the solution of this embodiment does not need to update the entire key hierarchy through primary authentication, and achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario. Compared with possible solutions that achieve Kamf forward security by updating the entire key hierarchy through primary authentication, the efficiency of the solution of this embodiment is significantly improved.
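Methods A, B and C of the FIG. 7 and FIG. 8 embodiments, together with the two checks the SEAF performs before deriving (key update Counter acceptance, and verification of the source and integrity of T1 via Auth_T1), as an added worked example in Python; it is not code from the patent or from any 3GPP implementation. Assumed, since the text leaves them open: the KDF (HMAC-SHA256 over length-prefixed parameters), the function F that produces ABBA', the Counter acceptance rule (strictly increasing), that Auth_T1 is HMAC-SHA256, that T1 and T2 are a nonce followed by the Counter, and all key and identifier values, which are constructed. The text assigns the Auth_T1 check once to the AUSF and once to the SEAF; since the check needs Kausf, the example models the holder of Kausf as a verification callback handed to the SEAF.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple


def kdf(key: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over 2-byte-length-prefixed parameters."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


def f_abba(abba: bytes, t: bytes) -> bytes:
    """Assumed F(ABBA, T) for Method B: a full-width hash of both. Truncating ABBA' back
    to ABBA's own width would squeeze all of T's freshness into those few bytes."""
    return hashlib.sha256(len(abba).to_bytes(2, "big") + abba + len(t).to_bytes(2, "big") + t).digest()


def kamf_new_method_a(kseaf: bytes, supi: bytes, abba: bytes, t: bytes) -> bytes:
    return kdf(kseaf, supi, abba, t)                  # Kamf_new = KDF(Kseaf, SUPI, ABBA, T)


def kamf_new_method_b(kseaf: bytes, supi: bytes, abba: bytes, t: bytes) -> bytes:
    return kdf(kseaf, supi, f_abba(abba, t))          # Kamf_new = KDF(Kseaf, SUPI, ABBA')


def kamf_new_method_c(kseaf: bytes, supi: bytes, abba: bytes, t: bytes, include_t: bool = False) -> bytes:
    kseaf_prime = kdf(kseaf, t)                       # Kseaf' = KDF(Kseaf, T)
    return kdf(kseaf_prime, supi, abba, t) if include_t else kdf(kseaf_prime, supi, abba)


METHODS = {"A": kamf_new_method_a, "B": kamf_new_method_b, "C": kamf_new_method_c}


def auth_t1(kausf: bytes, t1: bytes) -> bytes:
    """Auth_T1 = HMAC(Kausf, T1), computed by the UE over the exact T1 it sends."""
    return hmac.new(kausf, t1, hashlib.sha256).digest()


class Seaf:
    """Model of the SEAF key update service (Nseaf_KeyUpdate request/response)."""

    def __init__(self, kseaf: bytes, verify_auth: Optional[Callable[[bytes, bytes], bool]] = None):
        self.kseaf = kseaf
        self.verify_auth = verify_auth   # the holder of Kausf checks Auth_T1; modelled as a callback
        self.last_counter = -1           # key update Counter (assumed strictly increasing)

    def key_update(self, supi: bytes, abba: bytes, t: bytes, counter: int,
                   method: str = "A", auth_tag: Optional[bytes] = None) -> Tuple[str, bytes]:
        """T already contains the Counter; it is passed separately only for the acceptance check.
        Both checks run before the Counter is consumed, so a forged T cannot burn a Counter value."""
        if counter <= self.last_counter:
            return "Failure", b"key update counter not acceptable"
        if auth_tag is not None and (self.verify_auth is None or not self.verify_auth(t, auth_tag)):
            return "Failure", b"source or integrity of key input parameter T1 not verified"
        self.last_counter = counter
        return "Success", METHODS[method](self.kseaf, supi, abba, t)


def run_example() -> dict:
    # Constructed keys and identifiers; Kseaf would normally come from primary authentication.
    kausf = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)
    kseaf = kdf(kausf, b"5G:mnc001.mcc001.3gppnetwork.org")
    supi, abba = b"imsi-001010123456789", b"\x00\x00"
    kamf_old = kdf(kseaf, supi, abba)                 # Source AMF's Kamf, derived without any T
    seaf = Seaf(kseaf, verify_auth=lambda t, tag: hmac.compare_digest(auth_t1(kausf, t), tag))

    # FIG. 7: the UE supplies T1 = nonce || Counter together with Auth_T1.
    t1 = os.urandom(16) + (7).to_bytes(4, "big")
    tag = auth_t1(kausf, t1)
    status, kamf_new = seaf.key_update(supi, abba, t1, 7, "A", tag)
    replay = seaf.key_update(supi, abba, t1, 7, "A", tag)[0]               # same Counter again
    forged = seaf.key_update(supi, abba, b"X" + t1[1:], 8, "A", tag)[0]     # T1 altered, tag kept
    # FIG. 8: the Target AMF supplies T2 itself and no Auth tag is involved. Counter value 8 is
    # still unused because the forged request above was rejected before consuming it.
    t2 = os.urandom(16) + (8).to_bytes(4, "big")
    fig8_status, fig8_kamf = seaf.key_update(supi, abba, t2, 8, "C")
    per_method = {m: METHODS[m](kseaf, supi, abba, t1) for m in METHODS}
    return {"status": status, "kamf_old": kamf_old, "kamf_new": kamf_new, "per_method": per_method,
            "replay": replay, "forged": forged, "fig8_status": fig8_status, "fig8_kamf": fig8_kamf}
```

Whichever method is chosen, the Counter and Auth_T1 checks are ordered so that a request carrying a forged T1 is rejected without consuming its Counter value; otherwise anyone able to inject registration requests could push the UE/SEAF Counter out of step. For Method B, keep F's output at full hash width: if ABBA' is forced back into ABBA's short format, the isolation between Kamf_old and Kamf_new rests on only that many bits of T.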
  • FIG. 9 is a schematic flowchart of another communication method provided by an embodiment of the application.
  • the Target AMF and the SEAF are deployed separately (that is, the SEAF is not deployed in the AMF), and the SEAF generates Kamf_new and sends it to the Target AMF.
  • the key input parameters to be used to generate Kamf_new are provided by SEAF.
  • another communication method may include:
  • the UE sends a registration request message.
  • the registration request message carries the NSSAI(s) of the target slice requested by the UE.
  • the registration request message may also carry New_Kamf_Indicator1.
  • the UE uses New_Kamf_Indicator1 to notify the network side (the Target AMF) that Kamf_new needs to be generated.
  • the UE may also notify the network side that it needs to generate Kamf_new in other ways.
  • after the Target AMF receives the registration request message, it can initiate a UE Context Transfer procedure. Through this procedure the Target AMF can obtain from the Source AMF, for example, the Source AMF key Kamf, the UE's permanent identity (SUPI, Subscriber Permanent Identifier), and the network slice instance.
  • UE Context Transfer UE Context Transfer
  • the Target AMF can obtain, for example, the key Kamf of the Source AMF, the UE's persistent identity (SUPI, Subscriber Permanent Identifier), and the instance of the network slice from the Source AMF.
  • SUPI Subscriber Permanent Identifier
  • Target AMF sends a key update service request Nseaf_KeyUpdate_MEANS Request to SEAF.
  • the Target AMF can send a key update service request to the SEAF under the instruction of the New_Kamf_Indicator1 carried in the registration request message to request to invoke the key update service of the SEAF.
  • the Target AMF may send a key update service request to the SEAF when it determines that the preset key update conditions are met, so as to request to call the SEAF key update service.
  • the key update service request carries SUPI and so on.
  • the SEAF receives the key update service request Nseaf_KeyUpdate_MEANS Request from the Target AMF.
  • the SEAF generates Kamf_new.
  • Kseaf is used as the input key for generating Kamf_new
  • the key input parameter includes the key input parameter T4.
  • the key input parameter T4 may be one or more of the following parameters: a random number generated by the SEAF, a Counter jointly maintained between the SEAF and the UE, and so on.
  • the purpose of the key input parameter T4 is to isolate the final Kamf_new from Kamf_old.
  • the embodiment of the application does not limit the specific type of the key input parameter T4, as long as the input parameter meets the purpose.
  • Kamf_new may be generated in, for example, way A, way B, or way C below.
  • Way A: directly use Kseaf as the input key to generate Kamf_new:
  • Kamf_new = KDF(Kseaf, SUPI, ABBA, T4).
  • Way B: directly use Kseaf as the input key and indirectly use the key input parameter T4 as a key input parameter to generate Kamf_new:
  • ABBA' = F(ABBA, T4)
  • Kamf_new = KDF(Kseaf, SUPI, ABBA').
  • Way C: indirectly use Kseaf as the input key to generate Kamf_new, for example, first use Kseaf as the input key to generate Kseaf', and then use Kseaf' as the input key to generate Kamf_new:
  • Kseaf' = KDF(Kseaf, T4).
  • Kamf_new = KDF(Kseaf', SUPI, ABBA, [T4]).
  • The parameters in [] are optional.
  • Since Kseaf' is obtained from Kseaf, Kseaf can still be regarded as the input key of Kamf_new, and T4 can be regarded as the key input parameter of Kamf_new.
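As an added example that is not part of the patent, the following Python code writes out ways A, B and C for generating Kamf_new at the SEAF and at the UE and checks the isolation from Kamf_old. The KDF (HMAC-SHA256 over length-prefixed parameters), the choice of F for way B, the derivation of Kamf_old as KDF(Kseaf, SUPI, ABBA), and the sample Kseaf, SUPI, ABBA and T4 values are assumptions.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parameters.

    Stand-in for the KDF of the patent text. The 3GPP generic KDF is also
    HMAC-SHA256 based, but this encoding is a simplification (assumption).
    """
    s = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def kamf_old(kseaf: bytes, supi: bytes, abba: bytes) -> bytes:
    # Kamf before the update: derived from Kseaf without any T4 (assumption,
    # modeled on the usual Kamf = KDF(Kseaf, SUPI, ABBA) derivation).
    return kdf(kseaf, supi, abba)


def kamf_new_way_a(kseaf: bytes, supi: bytes, abba: bytes, t4: bytes) -> bytes:
    # Way A: Kseaf is the input key and T4 enters the KDF directly.
    return kdf(kseaf, supi, abba, t4)


def kamf_new_way_b(kseaf: bytes, supi: bytes, abba: bytes, t4: bytes) -> bytes:
    # Way B: T4 is folded into ABBA first, ABBA' = F(ABBA, T4). The text does
    # not fix F; a KDF keyed with ABBA is used here (assumption).
    abba_prime = kdf(abba, t4)
    return kdf(kseaf, supi, abba_prime)


def kamf_new_way_c(kseaf: bytes, supi: bytes, abba: bytes, t4: bytes,
                   include_t4: bool = True) -> bytes:
    # Way C: Kseaf' = KDF(Kseaf, T4), then Kamf_new = KDF(Kseaf', SUPI, ABBA, [T4]);
    # the bracketed T4 is optional, hence the flag.
    kseaf_prime = kdf(kseaf, t4)
    if include_t4:
        return kdf(kseaf_prime, supi, abba, t4)
    return kdf(kseaf_prime, supi, abba)


WAYS = {"A": kamf_new_way_a, "B": kamf_new_way_b, "C": kamf_new_way_c}


def seaf_key_update(kseaf: bytes, supi: bytes, abba: bytes, way: str,
                    t4: bytes = None):
    """SEAF side of Nseaf_KeyUpdate: choose T4, derive Kamf_new.

    T4 defaults to a fresh random number generated by the SEAF (one of the
    options in the text). Both values are returned: Kamf_new goes to the
    Target AMF in the service response, T4 goes on to the UE in message M4.
    """
    if t4 is None:
        t4 = os.urandom(16)
    return WAYS[way](kseaf, supi, abba, t4), t4


def ue_key_update(kseaf: bytes, supi: bytes, abba: bytes, way: str,
                  t4: bytes) -> bytes:
    # UE side: the same mechanism as the network, with the T4 received in M4.
    return WAYS[way](kseaf, supi, abba, t4)


def check_isolation(kseaf: bytes, supi: bytes, abba: bytes, t4: bytes) -> bool:
    """True if, for every way, the UE reproduces the SEAF's Kamf_new and the
    resulting keys are all distinct from Kamf_old (and from each other)."""
    old = kamf_old(kseaf, supi, abba)
    new_keys = set()
    for way in WAYS:
        net_key, t4_sent = seaf_key_update(kseaf, supi, abba, way, t4)
        if ue_key_update(kseaf, supi, abba, way, t4_sent) != net_key:
            return False
        new_keys.add(net_key)
    return old not in new_keys and len(new_keys) == len(WAYS)


# Constructed sample values; not real subscriber data.
SAMPLE_KSEAF = bytes.fromhex("11" * 32)
SAMPLE_SUPI = b"imsi-001010123456789"
SAMPLE_ABBA = b"\x00\x00"
SAMPLE_T4 = bytes(range(16))

if __name__ == "__main__":
    ok = check_isolation(SAMPLE_KSEAF, SAMPLE_SUPI, SAMPLE_ABBA, SAMPLE_T4)
    print("Kamf_new isolated from Kamf_old for ways A, B, C:", ok)
```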
  • the SEAF sends a key update service response Nseaf_KeyUpdate_MEANS Response to the Target AMF.
  • the key update service response carries a success indication (Success), Kamf_new, and T4, etc.
  • If the key update fails, the key update service response may instead carry the failure reason, etc.
  • The Target AMF receives the key update service response from the SEAF.
  • If the response indicates failure, the Target AMF may send a notification of, for example, slice access failure to the UE; the notification may be carried in, for example, a registration reject message.
  • The Target AMF sends a message M4 for activating the new key to the UE.
  • The Target AMF may carry New_Kamf_Indicator1 in the message M4, where this New_Kamf_Indicator1 may be used to instruct the UE to generate Kamf_new. If the registration request message already carries New_Kamf_Indicator1, the Target AMF may omit New_Kamf_Indicator1 from the message M4.
  • the message M4 carries the key input parameter T4.
  • the message M4 may use the NAS keys generated by Kamf_new for integrity protection, for example.
  • the message M4 may be a NAS Security Mode Command message.
  • the UE receives the message M4 from Target AMF.
  • If the message M4 carries New_Kamf_Indicator1, the UE, under its indication, uses the same mechanism as the network side to generate Kamf_new.
  • the UE can also determine whether it needs to generate Kamf_new by itself. If necessary, the UE uses the same mechanism as the network side to generate Kamf_new. In this case, the UE may perform operations of determining whether to generate Kamf_new and generating Kamf_new at any time after sending the registration request message and before sending the message M5.
  • If the message M4 uses NAS keys generated from Kamf_new for integrity protection, then after the UE generates Kamf_new it can verify the integrity of the message M4 using the NAS keys generated from Kamf_new. If the integrity verification fails, the UE may terminate the procedure, for example.
  • the UE may further send a message M5 to the Target AMF to notify the Target AMF that the key activation is completed.
  • The message M5 is, for example, a NAS Security Mode Complete message.
  • the Target AMF sends a registration acceptance (Registration Accept) message for notifying the successful registration of the target slice to the UE.
  • the key input parameter T4 in this embodiment may include a key update Counter maintained synchronously between Target AMF and SEAF.
  • This application does not specifically limit the generation, initial value setting, update after use, and synchronization of the key update Counter.
  • Steps 901-909 of this embodiment occur between the initiation of the slice switch and the end of the switch.
  • The SEAF can provide some of the parameters used to generate Kseaf_new and Kamf_new, which realizes key isolation between the Source AMF and the Target AMF in the mutually exclusive slice switching scenario and thereby realizes Kamf forward security.
  • The solution of this embodiment does not need to update the entire key hierarchy through primary authentication, yet still realizes key isolation between the Source AMF and the Target AMF in the slice switching scenario. Compared with possible solutions that realize Kamf forward security by updating the entire key hierarchy through primary authentication, the efficiency of the solution of this embodiment is significantly improved.
  • In the embodiments above, Kamf_new is mainly generated by the SEAF and delivered to the Target AMF.
  • The key input parameters being provided by the UE, the Target AMF, or the SEAF is used as an example for description.
  • In other cases, the SEAF may still generate Kamf_new and deliver it to the Target AMF.
  • The key input parameter for generating Kamf_new can also be provided by one or more of the UE, the SEAF, and the Target AMF.
  • For example, the key input parameter T1 provided by the UE and the key input parameter T4 provided by the SEAF are jointly used as the key input parameter; as another example, the key input parameter T2 provided by the Target AMF and the key input parameter T4 provided by the SEAF are jointly used as the key input parameter.
  • the key input parameter T1 provided by the UE, the key input parameter T2 provided by Target AMF, and the key input parameter T4 provided by the SEAF are collectively used as the key input parameter. In other cases, the same applies.
  • FIG. 10 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • the AMF and the SEAF are deployed together (that is, the SEAF is deployed in the AMF), where the Target AMF generates Kamf_new.
  • some key input parameters for generating Kamf_new are provided by AAA-S.
  • another communication method may include:
  • the UE sends a registration request message.
  • the registration request message carries the NSSAI(s) of the requested target slice.
  • the registration request message may also carry a key update indication New_Kamf_Indicator2.
  • The key update indication New_Kamf_Indicator2 is used to indicate to the Target AMF that the network side needs to generate Kamf_new.
  • the UE may also notify the network side that it needs to generate Kamf_new in other ways.
  • After the Target AMF receives the registration request message, it can initiate a UE Context Transfer procedure. Through the UE Context Transfer procedure, the Target AMF can obtain from the Source AMF, for example, the key Kamf of the Source AMF, the UE's Subscriber Permanent Identifier (SUPI), and the network slice instance.
  • Target AMF decides to initiate a slice authentication process.
  • Target AMF initiates the EAPID acquisition process.
  • The Target AMF sends an EAP ID request to the UE.
  • After receiving the EAP ID request, the UE sends an EAP ID response carrying the corresponding EAP ID to the Target AMF.
  • Target AMF sends an authentication request (Authentication Request) to AAA-F.
  • the Target AMF can carry the parameter request indication ParaReqIndicator in the authentication request message under the indication of New_Kamf_Indicator2 carried in the registration request message.
  • The Target AMF may carry the parameter request indication ParaReqIndicator in the authentication request message when it determines that the preset key update condition is satisfied.
  • The parameter request indication ParaReqIndicator is used to instruct the AAA-S to generate the key input parameter T5.
  • the key input parameter T5 is used to generate Kamf_new.
  • AAA-F forwards the aforementioned Authentication Request to AAA-S.
  • AAA-S receives the Authentication Request forwarded by AAA-F.
  • If the authentication request carries the parameter request indication ParaReqIndicator, the AAA-S generates the key input parameter T5 under the indication of the ParaReqIndicator.
  • the AAA-S can generate the key input parameter T5 when it is determined that the preset key parameter generation condition is satisfied.
  • the key input parameter T5 can be generated using a shared secret between the UE and the AAA-S, such as the Extended Master Session Key (EMSK) generated by slice authentication.
  • This application does not limit the generation algorithm of the key input parameter T5 or the inputs used, as long as the generated key input parameter T5 satisfies the requirement that only the UE and the AAA-S can generate it.
  • AAA-S sends an authentication response (Authentication Response) to AAA-F.
  • the above authentication response carries the key input parameter T5.
  • After receiving the Authentication Response from the AAA-S, the AAA-F forwards it to the Target AMF.
  • The Target AMF receives the Authentication Response from the AAA-F.
  • Target AMF generates Kamf_new.
  • the input key used to generate Kamf_new is the Kamf obtained by Target AMF from Source AMF, and the key input parameters used to generate Kamf_new include the key input parameter T5.
  • Kamf_new = KDF(Kamf_old, T5).
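As an added example that is not from the patent, the following Python code walks the FIG. 10 key path: the AAA-S derives T5 from the EMSK, the Target AMF derives Kamf_new = KDF(Kamf_old, T5) and integrity-protects M4 with a NAS key from Kamf_new, and the UE regenerates T5 and Kamf_new and verifies M4. The KDF, the T5 inputs (SUPI and target S-NSSAI), the NAS integrity key derivation, the 32-bit MAC truncation, and all sample values are assumptions.

```python
import hashlib
import hmac


def kdf(key: bytes, *params: bytes) -> bytes:
    # HMAC-SHA256 over length-prefixed parameters; a simplified stand-in for
    # the KDF of the text (assumption).
    s = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_t5(emsk: bytes, supi: bytes, s_nssai: bytes) -> bytes:
    # AAA-S (and, later, UE) side: T5 from the EMSK that only the UE and the
    # AAA-S share after slice authentication. The text leaves the algorithm
    # and inputs open; binding SUPI and the target S-NSSAI is this example's
    # choice (assumption).
    return kdf(emsk, b"T5", supi, s_nssai)


def derive_kamf_new(kamf_old: bytes, t5: bytes) -> bytes:
    # Kamf_new = KDF(Kamf_old, T5), as given in the text.
    return kdf(kamf_old, t5)


def nas_int_key(kamf: bytes) -> bytes:
    # NAS integrity key derived from Kamf; label-based simplification (assumption).
    return kdf(kamf, b"NAS-int")


def nas_mac(k_int: bytes, msg: bytes) -> bytes:
    # 32-bit message authentication code, mirroring the NAS MAC length (assumption).
    return hmac.new(k_int, msg, hashlib.sha256).digest()[:4]


def target_amf_build_m4(kamf_old: bytes, t5: bytes, payload: bytes):
    """Target AMF: derive Kamf_new from Kamf_old and the T5 received in the
    Authentication Response, then protect M4 with the new NAS integrity key."""
    kamf_new = derive_kamf_new(kamf_old, t5)
    return kamf_new, payload, nas_mac(nas_int_key(kamf_new), payload)


def ue_process_m4(emsk: bytes, kamf_old: bytes, supi: bytes, s_nssai: bytes,
                  payload: bytes, received_mac: bytes):
    """UE: regenerate T5 and Kamf_new with the same mechanism, then verify M4.
    Returns Kamf_new, or None when the integrity check fails (terminate)."""
    t5 = derive_t5(emsk, supi, s_nssai)
    kamf_new = derive_kamf_new(kamf_old, t5)
    expected = nas_mac(nas_int_key(kamf_new), payload)
    if not hmac.compare_digest(expected, received_mac):
        return None
    return kamf_new


def run_slice_switch(emsk: bytes, kamf_old: bytes, supi: bytes, s_nssai: bytes,
                     payload: bytes = b"NAS Security Mode Command") -> dict:
    """The FIG. 10 key path end to end. The Source AMF holds Kamf_old but never
    sees the EMSK, so it cannot compute T5 and hence cannot compute Kamf_new."""
    t5 = derive_t5(emsk, supi, s_nssai)             # AAA-S -> AAA-F -> Target AMF
    kamf_new, m4, mac = target_amf_build_m4(kamf_old, t5, payload)
    ue_kamf_new = ue_process_m4(emsk, kamf_old, supi, s_nssai, m4, mac)
    return {
        "network_kamf_new": kamf_new,
        "ue_kamf_new": ue_kamf_new,
        "isolated_from_kamf_old": kamf_new != kamf_old,
    }


# Constructed sample values; not real key material or subscriber data.
SAMPLE_EMSK = bytes(range(64))
SAMPLE_KAMF_OLD = bytes.fromhex("42" * 32)
SAMPLE_SUPI = b"imsi-001010123456789"
SAMPLE_S_NSSAI = b"\x01\x00\x00\x01"

if __name__ == "__main__":
    result = run_slice_switch(SAMPLE_EMSK, SAMPLE_KAMF_OLD, SAMPLE_SUPI, SAMPLE_S_NSSAI)
    print("UE and network agree:", result["ue_kamf_new"] == result["network_kamf_new"])
    print("isolated from Kamf_old:", result["isolated_from_kamf_old"])
```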
  • Target AMF sends a message M4 for activating the new key to the UE.
  • The Target AMF may carry New_Kamf_Indicator2 in the message M4, where this New_Kamf_Indicator2 may be used to instruct the UE to generate Kamf_new. If the registration request message already carries New_Kamf_Indicator2, the Target AMF may omit New_Kamf_Indicator2 from the message M4.
  • the message M4 may use the NAS keys generated by Kamf_new for integrity protection, for example.
  • the message M4 may be a NAS Security Mode Command message.
  • the UE receives message M4 from Target AMF.
  • If the message M4 carries New_Kamf_Indicator2, the UE, under its indication, uses the same mechanism as the AAA-S to generate the key input parameter T5 and the same mechanism as the Target AMF to generate Kamf_new.
  • The UE can also, when the preset key update condition is satisfied, use the same mechanism as the AAA-S to generate the key input parameter T5 and the same mechanism as the Target AMF to generate Kamf_new. In this case, the UE may perform the judgement and the generation of the key input parameter T5 and Kamf_new at any time after sending the registration request message and before sending the message M5.
  • The UE may first verify the integrity of the message M4 and, after the integrity verification passes, perform the steps of generating Kseaf_new and Kamf_new. If the integrity verification fails, the UE may terminate the procedure, for example.
  • The UE sends a message M5 to the Target AMF.
  • The message M5 is, for example, a NAS Security Mode Complete message.
  • the Target AMF sends a registration acceptance (Registration Accept) message for notifying the successful registration of the target slice to the UE.
  • Target AMF can also send ParaReqIndicator to AAA-S in any authentication request.
  • the AAA-S may send the key input parameter T5 to the network in any authentication response message of the slice authentication after generating the key input parameter T5.
  • the above solution of this embodiment can realize the key isolation between Source AMF and Target AMF in the slice switching scenario, thereby realizing Kamf forward security.
  • The solution of this embodiment does not need to update the entire key hierarchy through primary authentication, yet still realizes key isolation between the Source AMF and the Target AMF in the slice switching scenario. Compared with updating the entire key hierarchy through primary authentication, the efficiency of the solution of this embodiment is obviously improved.
  • In the embodiment above, the Target AMF mainly generates Kamf_new, and the key input parameters being provided by the AAA-S is used as an example for description.
  • In other cases, the Target AMF may still generate Kamf_new, while the key input parameters are provided jointly, for example:
  • the key input parameter T1 provided by the UE and the key input parameter T5 provided by AAA-S are jointly used as the key input parameter; or,
  • the key input parameter T2 provided by Target AMF and the key input parameter T5 provided by AAA-S are jointly used as the key input parameter; or,
  • The key input parameters are provided by the AAA-S, the UE and the Target AMF together, that is, the key input parameter T1 provided by the UE, the key input parameter T5 provided by the AAA-S, and the key input parameter T2 provided by the Target AMF are collectively used as the key input parameter.
  • The foregoing example solutions of the embodiments corresponding to FIGS. 4 to 10 are all based on the case in which, when the UE switches from one source slice to a mutually exclusive target slice, the UE initiates a registration request message to the network side.
  • The switch of the UE from one source slice to a mutually exclusive target slice can also be triggered by the network side.
  • the source AMF serving the source slice obtains the target AMF that can serve the target slice according to the target slice, and notifies the target AMF, which connects the UE to the target slice.
  • Kamf's forward security can still be implemented using a similar mechanism to the above example scheme.
  • the network element that generates the new key Kamf_new/Kseaf_new may be one of the following network elements: AUSF, SEAF, and Target AMF.
  • The network element that provides the key input parameters used to generate the new key can be one of the following: the Target AMF, the AUSF, the SEAF (in the scenario where the SEAF and the AMF are deployed separately), the AAA-S, and so on.
  • Target AMF provides the key input parameter T2.
  • The key input parameter T2 can be one or more of the following parameters: a random number generated by the Target AMF, a Counter for key update, the NAS UL Counter, the S-NSSAI of the target slice, the slice group (or slice type) to which the target slice belongs, the identifier of the slice group (or slice type) to which the target slice belongs, the description information of the target slice instance, the identifier of the target slice instance, the identifier of the Target AMF, the Target AMF instance, the instance identifier of the Target AMF, the description information of the AMF Set to which the Target AMF belongs, the identifier of the AMF Set to which the Target AMF belongs, and so on.
  • the purpose of providing the key input parameter T2 is to isolate the finally generated Kamf_new from Kamf_old.
  • the embodiment of the present application does not limit the specific type of the key input parameter T2, as long as the input parameter meets the purpose.
  • AUSF provides the generated key input parameter T3.
  • the key input parameter T3 can be one or more of the following parameters: a random number generated by AUSF, a Counter used for key update, and so on.
  • the purpose of the key input parameter T3 is to isolate the finally generated Kamf_new from Kamf_old.
  • the embodiment of the present application does not limit the specific type of the key input parameter T3, as long as the input parameter meets the purpose.
  • The SEAF provides the generated key input parameter T4.
  • The key input parameter T4 can be one or more of the following parameters: a random number generated by the SEAF, a Counter used for key update, and so on.
  • the purpose of the key input parameter T4 is to isolate the final Kamf_new from Kamf_old.
  • the embodiment of the application does not limit the specific type of the key input parameter T4, as long as the input parameter meets the purpose.
  • the key input parameter T5 is provided by the slice authentication and authorization function AAA-S.
  • the generation of the key input parameter T5, for example, uses the shared secret between the UE and AAA-S, such as the Extended Master Session Key established between the UE and AAA-S.
  • the invention does not limit the method used to generate the key input parameter T5, as long as it is satisfied that only UE and AAA-S can generate the key input parameter T5.
  • In the network-triggered case, the main difference is that the condition that triggers the network side to generate Kamf_new can be: the Source AMF indicates to the Target AMF; or the Target AMF determines by itself whether Kamf_new needs to be generated.
  • The condition that triggers the UE side to generate Kamf_new can be: the Target AMF instructs the UE to generate Kamf_new.
  • a user equipment UE1100 may include: a transceiver unit 1110 and a processing unit 1120.
  • The transceiver unit 1110 is configured to send a registration request message when the UE switches from one source slice to another target slice that is mutually exclusive with it, where the registration request message carries the network slice selection assistance information (NSSAI) of the target slice requested by the UE.
  • The processing unit 1120 is configured to obtain the first AMF key Kamf_new, where the Kamf_new is different from the second AMF key Kamf_old, the Kamf_new is the key of the target AMF serving the target slice, and the Kamf_old is the key of the source AMF serving the source slice.
  • The transceiver unit 1110 is further configured to receive, before the first AMF key Kamf_new is obtained, a first message sent by the target AMF that carries a key input parameter, where the key input parameter is used to generate the Kamf_new.
  • The transceiver unit 1110 is further configured to receive, before the first AMF key Kamf_new is obtained, a second message sent by the target AMF that carries a first key update indication, where the first key update indication is used to instruct the UE to update the AMF key.
  • the registration request message carries a key input parameter T1, and the key input parameter T1 is used to generate the Kamf_new.
  • The registration request message carries a second key update indication, and the second key update indication is used to instruct the network side to update the AMF key.
  • each functional module of the user equipment 1100 in this embodiment can cooperate to complete part or all of the steps of any method executed by the UE in the foregoing method embodiment.
  • a target AMF may include: a transceiver unit 1210 and a processing unit 1220.
  • The transceiver unit 1210 is configured to receive a registration request message from the UE when the UE switches from one source slice to another target slice that is mutually exclusive with it, wherein the registration request message carries the UE request
  • The processing unit 1220 is configured to obtain the first AMF key Kamf_new, where the first AMF key Kamf_new is different from the second AMF key Kamf_old, the Kamf_new is the key of the target AMF, the target AMF is the AMF serving the target slice, and the Kamf_old is the key of the source AMF serving the source slice.
  • The registration request message further carries a second key update indication, and the second key update indication is used to instruct the network side to update the AMF key; or, the target AMF obtains the Kamf_new when it determines that the locally preset key update condition is met.
  • the registration request message carries a key input parameter T1, and the key input parameter T1 is used to generate the Kamf_new.
  • The transceiver unit 1210 is further configured to, after receiving the registration request message from the UE, send to the UE a first message carrying part or all of the key input parameters (for example, the key input parameter T2) used to generate the Kseaf_new.
  • The transceiver unit 1210 is further configured to send a key update service request to the AUSF after receiving the registration request message from the UE; receive the response to the key update service request returned by the AUSF, the response carrying the Kseaf_new and the key input parameter T3, wherein the key input parameter T3 is used to generate the Kseaf_new and the Kseaf_new is used to generate the Kamf_new; and send the first message carrying the key input parameter T3 to the UE.
  • The transceiver unit 1210 is further configured to send a key update service request to the AUSF after receiving the registration request message from the UE, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; receive the response to the key update service request returned by the AUSF, the response carrying the Kseaf_new and the key input parameter T3, wherein the Kseaf_new is generated using the key input parameter T3 and the key input parameter carried in the key update service request, and the Kseaf_new is used to generate the Kamf_new; and send the first message carrying the key input parameter T3 to the UE.
  • The transceiver unit 1210 is further configured to send a key update service request to the security anchor function SEAF after receiving the registration request message from the UE, where the key update service request carries the key input parameter T2 and/or the key input parameter T1; and receive the response to the key update service request returned by the SEAF, the response carrying the Kamf_new, wherein the Kamf_new is generated using the key input parameter T2 and/or the key input parameter T1.
  • The transceiver unit may be further configured to send a first message carrying part or all of the key input parameters (for example, the key input parameter T2) used to generate the Kamf_new to the UE.
  • The transceiver unit 1210 is further configured to send a key update service request to the SEAF after receiving the registration request message from the UE; receive the response to the key update service request returned by the SEAF, the response carrying the Kamf_new and the key input parameter T4, wherein the key input parameter T4 is used to generate the Kamf_new; and send a first message carrying the key input parameter T4 to the UE.
  • The transceiver unit 1210 is further configured to send a key update service request to the SEAF after receiving the registration request message from the UE, wherein the key update service request carries the key input parameter T2 and/or the key input parameter T1; receive the response to the key update service request returned by the SEAF, the response carrying the Kamf_new and the key input parameter T4, wherein the Kamf_new is generated using the key input parameter T4 and the key input parameter carried in the key update service request; and send a first message carrying the key input parameter T4 to the UE.
  • The transceiver unit 1210 is further configured to send a key parameter indication to the slice authentication and authorization server (AAA-S) after receiving a registration request message from the UE requesting access to the target slice.
  • The key parameter indication is used to instruct the AAA-S to generate a key input parameter T5; the transceiver unit 1210 receives the key input parameter T5 sent by the AAA-S, and the key input parameter T5 can be used to generate the Kamf_new.
  • The target AMF sends a message carrying a key parameter indication to the AAA-S; the key parameter indication is used to instruct the AAA-S to generate a key input parameter T5; the target AMF receives the key input parameter T5 sent by the AAA-S; the key input parameter T5 is used to generate the Kamf_new, and the key input parameter T1 and/or the key input parameter T2 are also used to generate the Kamf_new.
  • each functional module of the target AMF 1200 in this embodiment can cooperate to complete some or all of the steps of any method executed by the target AMF in the foregoing method embodiment.
  • an authentication server function AUSF 1300 including:
  • The processing unit 1320 is configured to generate Kseaf_new after receiving the key update service request from the target AMF when the UE switches from one source slice to another target slice that is mutually exclusive with it, where the Kseaf_new is used to generate Kamf_new; the Kamf_new is different from the second AMF key Kamf_old, the Kamf_new is the key of the target AMF serving the target slice, and the Kamf_old is the key of the source AMF serving the source slice;
  • the transceiver unit 1310 is configured to return a response to the key update service request to the target AMF, where the response carries the Kseaf_new, and the Kseaf_new is used to generate the Kamf_new.
  • If the key input parameter T1 and/or the key input parameter T2 are used, the key input parameter T1 and/or the key input parameter T2 are carried in the key update service request to the AUSF.
  • If the key input parameter T3 is used when generating Kseaf_new, the key input parameter T3 is carried in the response to the key update service request.
  • the various functional modules of the AUSF 1300 in this embodiment can cooperate to complete some or all of the steps of any method executed by the AUSF in the foregoing method embodiment.
  • a security anchor function SEAF 1400 which may include:
  • the processing unit 1420 is configured to generate Kamf_new after receiving the key update service request from the target AMF when the UE switches from one source slice to another target slice that is mutually exclusive with it.
  • the Kamf_new is different from the second AMF key Kamf_old, the Kamf_new is the key of the target AMF serving the target slice, and the Kamf_old is the key of the source AMF serving the source slice;
  • the transceiver unit 1410 is configured to return a response to the key update service request to the target AMF, where the response carries the Kamf_new;
  • generating the Kamf_new uses one or more of the key input parameter T1, the key input parameter T2, and the key input parameter T4;
  • If the key input parameter T1 and/or the key input parameter T2 are used, the key input parameter T1 and/or the key input parameter T2 are carried in the key update service request to the SEAF.
  • If the key input parameter T4 is used when generating Kamf_new, the key input parameter T4 is carried in the response to the key update service request.
  • the functional modules of SEAF 1400 in this embodiment can cooperate to complete part or all of the steps of any method executed by SEAF in the foregoing method embodiment.
  • A user equipment 1500 includes a processor 1510 and a memory 1520 coupled with each other; the processor 1510 is configured to call a computer program stored in the memory to execute part or all of the steps performed by the UE in any method provided in the embodiments of the present application.
  • A target AMF 1600 includes a processor 1610 and a memory 1620 coupled with each other; the processor 1610 is configured to call a computer program stored in the memory to execute part or all of the steps performed by the target AMF in any method provided in the embodiments of the present application.
  • An AUSF 1700 includes a processor 1710 and a memory 1720 coupled with each other; the processor 1710 is configured to call a computer program stored in the memory to execute part or all of the steps performed by the AUSF in any method provided in the embodiments of the present application.
  • A SEAF 1800 includes a processor 1810 and a memory 1820 coupled with each other; the processor 1810 is configured to call a computer program stored in the memory to execute part or all of the steps performed by the SEAF in any method provided in the embodiments of the present application.
  • the embodiment of the present application also provides a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program.
  • When the computer program is executed by hardware (such as a processor), part or all of the steps of any method performed by any network element in the embodiments of the present application are carried out.
  • the embodiments of the present application also provide a computer program product including instructions.
  • When the computer program product runs on a computer device, the computer device is caused to execute part or all of the steps of any method executed by any one of the above aspects.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, an optical disk), or a semiconductor medium (for example, a solid state hard disk).
  • the disclosed device may also be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division.
  • there may be other division methods for example, multiple units or components can be combined or integrated.
  • The displayed or discussed mutual coupling, direct coupling, or communication connection may be indirect coupling or communication connection through some interfaces, devices, or units, and may be in electrical or other forms.
  • The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit may be implemented in the form of hardware, or may also be implemented in the form of software functional unit.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • a software product ie a computer program
  • a storage medium includes several instructions to make a computer device (which may be a personal computer, user equipment, mobile communication network element, server, or fixed network network element, etc.) execute all or part of the methods described in the various embodiments of the present application step.
  • the aforementioned storage medium may include, for example, U disk, mobile hard disk, Read-Only Memory (ROM), Random Access Memory (RAM, Random Access Memory), magnetic disks or optical disks, etc., which can store program codes. medium.

Abstract

A communication method and related products. A communication method includes: when a UE switches from one source slice to another, mutually exclusive target slice, both the target AMF serving the target slice and the UE can obtain a first AMF key Kamf_new, where the first AMF key Kamf_new differs from a second AMF key Kamf, and the second AMF key Kamf is the key of the source AMF serving the source slice. The solution helps improve communication security and effectiveness in the mutually exclusive slice switching scenario.

Description

Communication Method and Related Products
Technical Field
This application relates to the field of communication technologies, and in particular to a communication method and related products.
Background
In a communication network such as a 5G network, mutually exclusive slices may be defined as follows: when the single network slice selection assistance information (S-NSSAI) of each of two network slices is present in the subscription data of a user equipment (UE), and the UE cannot access both S-NSSAIs at the same time, the two network slices are mutually exclusive for that UE, and the two network slices may be referred to as mutually exclusive slices.
There are many application examples of mutually exclusive slices. For example, the internal rules of certain companies, departments, or operators prohibit a UE from accessing "regular" and "special" services at the same time. As a specific example, a UE used by an official of a particular organization is restricted to be either in off-duty mode (regular) or in on-duty mode (special), and the rules prohibit the UE from accessing off-duty services and on-duty services at the same time.
When a UE switches from network slice Slice 1 to a mutually exclusive network slice Slice 2, the network side reallocates the Access and Mobility Management Function (AMF). How to guarantee the forward security of Kamf during the slice switching procedure is a problem that needs to be considered.
Summary
Embodiments of this application provide a communication method and related products.
According to a first aspect, a communication method includes: when a UE switches from one source slice to another, mutually exclusive target slice, the UE sends a registration request message, where the registration request message carries the network slice selection assistance information (NSSAI) of the target slice requested by the UE; the UE obtains a first AMF key Kamf_new, where Kamf_new differs from a second AMF key Kamf_old, Kamf_new is the key of the target AMF (Target AMF) serving the target slice, and Kamf_old is the key of the source AMF (Source AMF) serving the source slice.
It can be seen that in the above solution of the embodiments of this application, when the UE switches from a source slice to a mutually exclusive target slice, the UE obtains a first AMF key Kamf_new that differs from the second AMF key Kamf_old. Because Kamf_new differs from Kamf_old, key isolation between the Source AMF and the Target AMF is achieved in the mutually exclusive slice switching scenario, and forward security of Kamf is thereby achieved.
In some possible implementations, before the UE obtains the first AMF key Kamf_new, the method may further include: the UE receives a first message sent by the target AMF that carries a key input parameter, and the key input parameter carried in the first message is used to generate Kamf_new.
The key input parameter carried in the first message includes, for example, one or more of the following: key input parameter T2, key input parameter T3, or key input parameter T4. Key input parameter T2 is provided, for example, by the target AMF; key input parameter T3 by the AUSF; key input parameter T4 by the SEAF; and key input parameter T5 by the AAA-S.
In some possible implementations, before the UE obtains the first AMF key Kamf_new, the method may further include: receiving a second message sent by the target AMF that carries a first key update indication, where the first key update indication is used to instruct the UE to update the AMF key. Accordingly, the UE may obtain the first AMF key Kamf_new, for example, when triggered by the first key update indication.
For example, the second message and the first message may be the same message or different messages. For example, the second message and the first message may be a Non-Access Stratum Security Mode Command (NAS Security Mode Command) message or another message.
In some possible implementations, the registration request message may carry key input parameter T1, and key input parameter T1 is used to generate Kamf_new. For example, key input parameter T1 is provided by the UE, and the UE passes key input parameter T1 to the network side in the registration request message so that the network side can generate Kamf_new accordingly.
In some possible implementations, the registration request message carries a second key update indication, where the second key update indication is used to instruct the network side to update the AMF key. Accordingly, the relevant network-side device may obtain the first AMF key Kamf_new, for example, when triggered by the second key update indication.
According to a second aspect, a communication method may include: when a UE moves from one source slice to another, mutually exclusive target slice, the target AMF serving the target slice receives a registration request message from the UE, where the registration request message carries the network slice selection assistance information (NSSAI) of the target slice requested by the UE; the target AMF obtains a first AMF key Kamf_new, where the first AMF key Kamf_new differs from a second AMF key Kamf_old, Kamf_new is the key of the target AMF, and Kamf_old is the key of the source AMF serving the source slice.
In some possible implementations, the registration request message further carries a second key update indication, where the second key update indication is used to instruct the network side to update the AMF key; alternatively, the target AMF obtains Kamf_new after determining that a locally preset key update condition is satisfied.
In some possible implementations, the registration request message carries key input parameter T1, and key input parameter T1 is used to generate Kamf_new. Of course, other key input parameters may also be used to generate Kamf_new.
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the Authentication Server Function (AUSF), where the key update service request carries key input parameter T1 and/or key input parameter T2; the target AMF receives a response to the key update service request returned by the AUSF, where the response carries a SEAF key Kseaf_new, and key input parameter T1 and/or key input parameter T2 is used to generate Kseaf_new; Kseaf_new is used to generate Kamf_new. Further, the target AMF may send to the UE a first message carrying some or all of the key input parameters used to generate Kseaf_new (for example, key input parameter T2).
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the AUSF; the target AMF receives a response to the key update service request returned by the AUSF, where the response carries Kseaf_new and key input parameter T3, and key input parameter T3 is used to generate Kseaf_new; Kseaf_new is used to generate Kamf_new; the target AMF sends to the UE a first message carrying key input parameter T3.
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the AUSF, where the key update service request carries key input parameter T2 and/or key input parameter T1; the target AMF receives a response to the key update service request returned by the AUSF, where the response carries Kseaf_new and key input parameter T3, and key input parameter T3 together with the key input parameter(s) carried in the key update service request are used to generate Kseaf_new; Kseaf_new is used to generate Kamf_new, and the target AMF sends to the UE a first message carrying key input parameter T3.
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the Security Anchor Function (SEAF), where the key update service request carries key input parameter T2 and/or key input parameter T1; the target AMF receives a response to the key update service request returned by the SEAF, where the response carries Kamf_new, and key input parameter T2 and/or key input parameter T1 is used to generate Kamf_new. Further, the target AMF may send to the UE a first message carrying some or all of the key input parameters used to generate Kamf_new (for example, key input parameter T2).
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the SEAF; the target AMF receives a response to the key update service request returned by the SEAF, where the response carries Kamf_new and key input parameter T4, and key input parameter T4 is used to generate Kamf_new; the target AMF sends to the UE a first message carrying key input parameter T4.
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the SEAF, where the key update service request carries key input parameter T2 and/or key input parameter T1; the target AMF receives a response to the key update service request returned by the SEAF, where the response carries Kamf_new and key input parameter T4, and key input parameter T4 together with the key input parameter(s) carried in the key update service request are used to generate Kamf_new; the target AMF sends to the UE a first message carrying key input parameter T4.
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a message carrying a key parameter indication to the slice authentication and authorization server (AAA-S), where the key parameter indication is used to instruct the AAA-S to generate key input parameter T5; the target AMF receives key input parameter T5 sent by the AAA-S, and key input parameter T5 is used to generate Kamf_new;
or,
the target AMF sends a message carrying a key parameter indication to the AAA-S, where the key parameter indication is used to instruct the AAA-S to generate key input parameter T5; the target AMF receives key input parameter T5 sent by the AAA-S, where key input parameter T5 is used to generate Kamf_new, and key input parameter T1 and/or key input parameter T2 is also used to generate Kamf_new.
According to a third aspect, a communication method includes:
when a UE moves from one source slice to another, mutually exclusive target slice, after receiving a key update service request from a target AMF, the AUSF generates Kseaf_new, where Kseaf_new is used to generate Kamf_new; Kamf_new differs from a second AMF key Kamf_old, Kamf_new is the key of the target AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice;
the AUSF returns to the target AMF a response to the key update service request, where the response carries Kseaf_new, and Kseaf_new is used to generate Kamf_new;
where one or more of key input parameter T1, key input parameter T2, and key input parameter T3 are used to generate Kseaf_new;
where, when key input parameter T1 and/or key input parameter T2 is used to generate Kseaf_new, key input parameter T1 and/or key input parameter T2 is carried in the key update service request;
where, when key input parameter T3 is used to generate Kseaf_new, the response to the key update service request carries key input parameter T3.
According to a fourth aspect, a communication method includes:
when a UE moves from one source slice to another, mutually exclusive target slice, after receiving a key update service request from a target AMF, the SEAF generates Kamf_new, where Kamf_new differs from a second AMF key Kamf_old, Kamf_new is the key of the target AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice;
the SEAF returns to the target AMF a response to the key update service request, where the response carries Kamf_new;
where one or more of key input parameter T1, key input parameter T2, and key input parameter T4 are used to generate Kamf_new;
where, when key input parameter T1 and/or key input parameter T2 is used to generate Kamf_new, key input parameter T1 and/or key input parameter T2 is carried in the key update service request;
where, when key input parameter T4 is used to generate Kseaf_new, the response to the key update service request carries key input parameter T4.
According to a fifth aspect, a user equipment (UE) includes:
a transceiver unit, configured to send a registration request message when the UE switches from one source slice to another, mutually exclusive target slice, where the registration request message carries the network slice selection assistance information (NSSAI) of the target slice requested by the UE;
a processing unit, configured to obtain a first AMF key Kamf_new, where Kamf_new differs from a second AMF key Kamf_old, Kamf_new is the key of the target AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice.
In some possible implementations, the transceiver unit is further configured to, before the first AMF key Kamf_new is obtained, receive a first message sent by the target AMF that carries a key input parameter, where the key input parameter is used to generate Kamf_new.
In some possible implementations, the transceiver unit is further configured to, before the first AMF key Kamf_new is obtained, receive a second message sent by the target AMF that carries a first key update indication, where the first key update indication is used to instruct the UE to update the AMF key.
In some possible implementations, the registration request message carries key input parameter T1, and key input parameter T1 is used to generate Kamf_new.
In some possible implementations, the registration request message carries a second key update indication, where the second key update indication is used to instruct the network side to update the AMF key.
According to a sixth aspect, a target AMF includes:
a transceiver unit, configured to receive a registration request message from a UE when the UE moves from one source slice to another, mutually exclusive target slice, where the registration request message carries the network slice selection assistance information (NSSAI) of the target slice requested by the UE;
a processing unit, configured to obtain a first AMF key Kamf_new, where the first AMF key Kamf_new differs from a second AMF key Kamf_old, Kamf_new is the key of the target AMF, the target AMF is the AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice.
In some possible implementations, the registration request message further carries a second key update indication, where the second key update indication is used to instruct the network side to update the AMF key; alternatively, the target AMF obtains Kamf_new after determining that a locally preset key update condition is satisfied.
In some possible implementations, the registration request message carries key input parameter T1, and key input parameter T1 is used to generate Kamf_new.
In some possible implementations, the transceiver unit is further configured to, after the registration request message from the UE is received,
send a key update service request to the Authentication Server Function (AUSF), where the key update service request carries key input parameter T1 and/or key input parameter T2; and receive a response to the key update service request returned by the AUSF, where the response carries a SEAF key Kseaf_new, key input parameter T1 and/or key input parameter T2 is used to generate Kseaf_new, and Kseaf_new is used to generate Kamf_new.
Further, the transceiver unit may also be configured to send to the UE a first message carrying some or all of the key input parameters used to generate Kseaf_new (for example, key input parameter T2).
In some possible implementations, the transceiver unit is further configured to, after the registration request message from the UE is received,
send a key update service request to the AUSF; and receive a response to the key update service request returned by the AUSF, where the response carries Kseaf_new and key input parameter T3, key input parameter T3 is used to generate Kseaf_new, and Kseaf_new is used to generate Kamf_new; and send to the UE a first message carrying key input parameter T3.
In some possible implementations, the transceiver unit is further configured to, after the registration request message from the UE is received, send a key update service request to the AUSF, where the key update service request carries key input parameter T2 and/or key input parameter T1; receive a response to the key update service request returned by the AUSF, where the response carries Kseaf_new and key input parameter T3, key input parameter T3 together with the key input parameter(s) carried in the key update service request are used to generate Kseaf_new, and Kseaf_new is used to generate Kamf_new; and send to the UE a first message carrying key input parameter T3.
In some possible implementations, the transceiver unit is further configured to, after the registration request message from the UE is received, send a key update service request to the Security Anchor Function (SEAF), where the key update service request carries key input parameter T2 and/or key input parameter T1; and receive a response to the key update service request returned by the SEAF, where the response carries Kamf_new, and key input parameter T2 and/or key input parameter T1 is used to generate Kamf_new. Further, the transceiver unit may also be configured to send to the UE a first message carrying some or all of the key input parameters used to generate Kamf_new (for example, key input parameter T2).
In some possible implementations, the transceiver unit is further configured to, after the registration request message from the UE is received, send a key update service request to the SEAF; receive a response to the key update service request returned by the SEAF, where the response carries Kamf_new and key input parameter T4, and key input parameter T4 is used to generate Kamf_new; and send to the UE a first message carrying key input parameter T4.
In some possible implementations, the transceiver unit is further configured to, after the registration request message from the UE is received, send a key update service request to the SEAF, where the key update service request carries key input parameter T2 and/or key input parameter T1; receive a response to the key update service request returned by the SEAF, where the response carries Kamf_new and key input parameter T4, and key input parameter T4 together with the key input parameter(s) carried in the key update service request are used to generate Kamf_new; and send to the UE a first message carrying key input parameter T4.
In some possible implementations, the transceiver unit is further configured to, after the registration request message from the UE is received, send a message carrying a key parameter indication to the slice authentication and authorization server (AAA-S), where the key parameter indication is used to instruct the AAA-S to generate key input parameter T5; and receive key input parameter T5 sent by the AAA-S, where key input parameter T5 may be used to generate Kamf_new;
or, the target AMF sends a message carrying a key parameter indication to the AAA-S, where the key parameter indication is used to instruct the AAA-S to generate key input parameter T5; the target AMF receives key input parameter T5 sent by the AAA-S; key input parameter T5 is used to generate Kamf_new, and key input parameter T1 and/or key input parameter T2 is also used to generate Kamf_new.
According to a seventh aspect, an Authentication Server Function (AUSF) includes:
a processing unit, configured to, when a UE moves from one source slice to another, mutually exclusive target slice and after a key update service request from a target AMF is received, generate Kseaf_new, where Kseaf_new is used to generate Kamf_new; Kamf_new differs from a second AMF key Kamf_old, Kamf_new is the key of the target AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice;
a transceiver unit, configured to return to the target AMF a response to the key update service request, where the response carries Kseaf_new, and Kseaf_new is used to generate Kamf_new;
where one or more of key input parameter T1, key input parameter T2, and key input parameter T3 are used to generate Kseaf_new;
where, when key input parameter T1 and/or key input parameter T2 is used to generate Kseaf_new, key input parameter T1 and/or key input parameter T2 is carried in the key update service request to the AUSF;
where, when key input parameter T3 is used to generate Kseaf_new, the response to the key update service request carries key input parameter T3.
According to an eighth aspect, a Security Anchor Function (SEAF) may include:
a processing unit, configured to, when a UE moves from one source slice to another, mutually exclusive target slice and after a key update service request from a target AMF is received, generate Kamf_new, where Kamf_new differs from a second AMF key Kamf_old, Kamf_new is the key of the target AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice;
a transceiver unit, configured to return to the target AMF a response to the key update service request, where the response carries Kamf_new;
where one or more of key input parameter T1, key input parameter T2, and key input parameter T4 are used to generate Kamf_new;
where, when key input parameter T1 and/or key input parameter T2 is used to generate Kamf_new, key input parameter T1 and/or key input parameter T2 is carried in the key update service request to the SEAF;
where, when key input parameter T4 is used to generate Kseaf_new, the response to the key update service request carries key input parameter T4.
Some of the above examples mention key input parameter T1, key input parameter T2, key input parameter T3, key input parameter T4, and key input parameter T5. Key input parameter T1 may be provided, for example, by the UE; key input parameter T2 by the target AMF; key input parameter T3 by the AUSF; key input parameter T4 by the SEAF; and key input parameter T5 by the AAA-S.
According to a ninth aspect, a user equipment includes a processor and a memory coupled to each other, where the processor is configured to invoke a computer program stored in the memory to perform some or all of the steps performed by the UE in any of the methods provided in the embodiments of this application.
According to a tenth aspect, a computer-readable storage medium stores a computer program, and the computer program is executed by a processor to complete some or all of the steps performed by the UE in any of the methods provided in the embodiments of this application.
According to an eleventh aspect, a target AMF includes a processor and a memory coupled to each other, where the processor is configured to invoke a computer program stored in the memory to perform some or all of the steps performed by the target AMF in any of the methods provided in the embodiments of this application.
According to a twelfth aspect, a computer-readable storage medium stores a computer program, and the computer program is executed by a processor to complete some or all of the steps performed by the target AMF in any of the methods provided in the embodiments of this application.
According to a thirteenth aspect, an AUSF includes a processor and a memory coupled to each other, where the processor is configured to invoke a computer program stored in the memory to perform some or all of the steps performed by the AUSF in any of the methods provided in the embodiments of this application.
According to a fourteenth aspect, a computer-readable storage medium stores a computer program, and the computer program is executed by a processor to complete some or all of the steps performed by the AUSF in any of the methods provided in the embodiments of this application.
According to a fifteenth aspect, a SEAF includes a processor and a memory coupled to each other, where the processor is configured to invoke a computer program stored in the memory to perform some or all of the steps performed by the SEAF in any of the methods provided in the embodiments of this application.
According to a sixteenth aspect, a computer-readable storage medium stores a computer program, and the computer program is executed by a processor to complete some or all of the steps performed by the SEAF in any of the methods provided in the embodiments of this application.
According to a seventeenth aspect, a communication method includes:
when a UE moves from one source slice to another, mutually exclusive target slice, the slice authentication and authorization server (AAA-S) receives from a target AMF a message carrying a key parameter indication, where the key parameter indication is used to instruct the AAA-S to generate key input parameter T5;
generating key input parameter T5; and sending key input parameter T5 to the target AMF, where key input parameter T5 may be used to generate a first AMF key Kamf_new; the first AMF key Kamf_new differs from a second AMF key Kamf_old, Kamf_new is the key of the target AMF, the target AMF is the AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice.
According to an eighteenth aspect, a slice authentication and authorization server (AAA-S) includes:
a transceiver unit, configured to, when a UE moves from one source slice to another, mutually exclusive target slice, receive from a target AMF a message carrying a key parameter indication, where the key parameter indication is used to instruct the AAA-S to generate key input parameter T5;
a processing unit, configured to generate key input parameter T5;
the transceiver unit is further configured to send key input parameter T5 to the target AMF, where key input parameter T5 may be used to generate a first AMF key Kamf_new; the first AMF key Kamf_new differs from a second AMF key Kamf_old, Kamf_new is the key of the target AMF, the target AMF is the AMF serving the target slice, and Kamf_old is the key of the source AMF serving the source slice.
According to a nineteenth aspect, a slice authentication and authorization server (AAA-S) includes a processor and a memory coupled to each other, where the processor is configured to invoke a computer program stored in the memory to perform some or all of the steps performed by the AAA-S in any of the methods provided in the embodiments of this application.
According to a twentieth aspect, a computer-readable storage medium stores a computer program, and the computer program is executed by a processor to complete some or all of the steps performed by the AAA-S in any of the methods provided in the embodiments of this application.
According to a twenty-first aspect, embodiments of this application provide a computer program product including instructions; when the computer program product runs on a computer device, the computer device is enabled to perform some or all of the steps of any of the methods performed by any device provided in the embodiments of this application.
Brief Description of the Drawings
Some of the drawings involved in the embodiments of this application are described below.
FIG. 1-A is a schematic structural diagram of a communication system according to an embodiment of this application.
FIG. 1-B is a schematic flowchart of a communication method according to an embodiment of this application.
FIG. 2 is a schematic flowchart of another communication method according to an embodiment of this application.
FIG. 3 is a schematic flowchart of another communication method according to an embodiment of this application.
FIG. 4 is a schematic flowchart of another communication method according to an embodiment of this application.
FIG. 5 is a schematic flowchart of another communication method according to an embodiment of this application.
FIG. 6 is a schematic flowchart of another communication method according to an embodiment of this application.
FIG. 7 is a schematic flowchart of another communication method according to an embodiment of this application.
FIG. 8 is a schematic flowchart of another communication method according to an embodiment of this application.
FIG. 9 is a schematic flowchart of another communication method according to an embodiment of this application.
FIG. 10 is a schematic flowchart of another communication method according to an embodiment of this application.
FIG. 11 is a schematic structural diagram of a user equipment according to an embodiment of this application.
FIG. 12 is a schematic structural diagram of a target AMF according to an embodiment of this application.
FIG. 13 is a schematic structural diagram of an AUSF according to an embodiment of this application.
FIG. 14 is a schematic structural diagram of a SEAF according to an embodiment of this application.
FIG. 15 is a schematic structural diagram of another user equipment according to an embodiment of this application.
FIG. 16 is a schematic structural diagram of another target AMF according to an embodiment of this application.
FIG. 17 is a schematic structural diagram of another AUSF according to an embodiment of this application.
FIG. 18 is a schematic structural diagram of another SEAF according to an embodiment of this application.
Detailed Description
The embodiments of this application are described below with reference to the accompanying drawings.
Referring to FIG. 1-A, FIG. 1-A is a schematic diagram of a 5G network architecture given as an example in an embodiment of this application. The 5G network splits certain functional network elements of the 4G network (for example, the Mobility Management Entity (MME)) and defines an architecture based on a service-based architecture. In the network architecture shown in FIG. 1-A, the functions of the MME in the 4G network are split into the Access and Mobility Management Function (AMF), the Session Management Function (SMF), and so on.
Some other related network elements/entities are introduced below.
The user equipment (UE) accesses a data network (DN) by accessing the operator network, and uses services on the DN provided by the operator or a third party.
The Access and Mobility Management Function (AMF) is a control-plane network element in the 3GPP network, mainly responsible for access control and mobility management of UEs accessing the operator network. The Security Anchor Function (SEAF) may be deployed in the AMF, or the SEAF may be deployed in a device other than the AMF; FIG. 1-A takes the case where the SEAF is deployed in the AMF as an example. When the SEAF is deployed in the AMF, the SEAF and the AMF are collectively referred to as the AMF.
The Session Management Function (SMF) is a control-plane network element in the 3GPP network, mainly responsible for managing the Packet Data Unit (PDU) sessions of UEs. A PDU session is a channel used to transmit PDUs, and the UE and the DN can send PDUs to each other through a PDU session. The SMF is responsible for management tasks such as the establishment, maintenance, and deletion of PDU sessions.
The Data Network (DN), also called the Packet Data Network (PDN), is a network located outside the 3GPP network. The 3GPP network can access multiple DNs, and various services provided by the operator or third parties can be deployed on a DN. For example, a DN is the private network of a smart factory, the sensors installed on the factory floor play the role of UEs, and a control server for the sensors is deployed in the DN. The UE communicates with the control server, and after obtaining an instruction from the control server, the UE can deliver the collected data to the control server according to that instruction. As another example, the DN is a company's internal office network; the terminals used by the company's employees play the role of UEs, and these UEs can access the company's internal information and other resources.
The Unified Data Management (UDM) network element is also a control-plane network element in the 3GPP network. The UDM is mainly responsible for storing the subscription data, credentials, and Subscriber Permanent Identifiers (SUPI) of subscribers (UEs) in the 3GPP network. These data can be used for authentication and authorization when a UE accesses the operator's 3GPP network.
The Authentication Server Function (AUSF) is also a control-plane network element in the 3GPP network. The AUSF is mainly used for first-level authentication (that is, authentication of its subscribers by the 3GPP network).
The Network Exposure Function (NEF) is also a control-plane network element in the 3GPP network. The NEF is mainly responsible for exposing the external interfaces of the 3GPP network to third parties in a secure manner. When a network element such as the SMF needs to communicate with a third-party network element, the NEF can serve as the relay for the communication. When relaying, the NEF can translate between internal and external identifiers. For example, when the SUPI of a UE is sent from the 3GPP network to a third party, the NEF can translate the SUPI into its corresponding external identity (ID). Conversely, when an external ID is sent to the 3GPP network, the NEF can translate it into the corresponding SUPI.
The Network Repository Function (NRF) is also a control-plane network element in the 3GPP network, mainly responsible for storing the configuration and service profiles of accessible network functions (NFs) and providing network function discovery services to other network elements.
The User Plane Function (UPF) is the gateway for communication between the 3GPP network and the DN.
The Policy Control Function (PCF) is a control-plane function in the 3GPP network, used to provide PDU session policies to the SMF. The policies may include charging, Quality of Service (QoS), and authorization-related policies.
The Access Network (AN) is a sub-network of the 3GPP network; to access the 3GPP network, a UE must first go through the AN. In the wireless access scenario the AN is also called the Radio Access Network (RAN), so the two terms RAN and AN are often used interchangeably.
A 3GPP network refers to a network that conforms to the 3GPP standards. In FIG. 1-A, the parts other than the UE and the DN can be regarded as the 3GPP network. A 3GPP network is not limited to the 5G network defined by 3GPP and may also include 2G, 3G, and 4G networks. A 3GPP network is usually operated by an operator. In addition, N1, N2, N3, N4, N6, and so on in the architecture shown in FIG. 1-A represent reference points between the related network elements/network functions, and Nausf, Namf, and so on represent the service-based interfaces of the related network functions. The technical solutions of the embodiments of this application may be implemented on a communication system based on the architecture shown as an example in FIG. 1-A or on a variant of that architecture.
Embodiments of this application provide some solutions for achieving secure communication in the case of AMF reallocation, for example, solutions for achieving forward security.
Forward security: the AMF serving Slice 1 (network slice 1), that is, the Source AMF, cannot obtain the AMF key Kamf between the UE and the Target AMF. Backward security: the AMF serving Slice 2 (network slice 2), that is, the Target AMF, cannot obtain the AMF key Kamf between the UE and the Source AMF. For example, network slice 1 and network slice 2 are two mutually exclusive network slices.
To simplify the description, some embodiments of this application sometimes refer to a network slice simply as a "slice"; that is, "slice" and "network slice" are sometimes used interchangeably.
Some specific embodiments are described below by way of example.
Referring to FIG. 1-B, FIG. 1-B is a schematic flowchart of a communication method according to an embodiment of this application. The communication method may include:
101. When a UE switches from one source slice to another, mutually exclusive target slice, the UE sends a registration request message to a target AMF, where the registration request message carries the network slice selection assistance information (NSSAI) of the target slice requested by the UE.
Correspondingly, the target AMF serving the target slice receives the registration request message from the UE.
102. The UE obtains a first AMF key Kamf_new.
103. The target AMF obtains the first AMF key Kamf_new.
Kamf_new differs from a second AMF key Kamf_old, where Kamf_new is the key of the Target AMF serving the target slice and Kamf_old is the key of the Source AMF serving the source slice.
There is no necessary execution order between step 102 and step 103.
In some possible implementations, before the UE obtains the first AMF key Kamf_new, the method may further include: the UE receives a first message sent by the target AMF that carries a key input parameter, and the key input parameter carried in the first message is used to generate Kamf_new.
The key input parameter carried in the first message includes, for example, one or more of the following: key input parameter T2, key input parameter T3, or key input parameter T4. Key input parameter T2 is provided, for example, by the target AMF; key input parameter T3 by the AUSF; key input parameter T4 by the SEAF; and key input parameter T5 by the AAA-S.
In some possible implementations, before the UE obtains the first AMF key Kamf_new, the method may further include: receiving a second message sent by the target AMF that carries a first key update indication, where the first key update indication is used to instruct the UE to update the AMF key. Accordingly, the UE may obtain the first AMF key Kamf_new, for example, when triggered by the first key update indication.
For example, the second message and the first message may be the same message or different messages. For example, the second message and the first message may be a Non-Access Stratum Security Mode Command (NAS Security Mode Command) message or another message.
In some possible implementations, the registration request message may carry key input parameter T1, and key input parameter T1 is used to generate Kamf_new. For example, key input parameter T1 is provided by the UE, and the UE passes key input parameter T1 to the network side in the registration request message so that the network side can generate Kamf_new accordingly.
In some possible implementations, the registration request message further carries a second key update indication, where the second key update indication is used to instruct the network side to update the AMF key. Accordingly, the relevant network-side device may obtain the first AMF key Kamf_new, for example, when triggered by the second key update indication.
It can be seen that the above solution of this embodiment achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario, and thereby achieves forward security of Kamf.
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the Authentication Server Function (AUSF) (by sending the key update service request to the AUSF, the target AMF invokes the AUSF's key update service), where the key update service request carries key input parameter T1 and/or key input parameter T2; the target AMF receives a response to the key update service request returned by the AUSF, where the response carries a SEAF key Kseaf_new, and key input parameter T1 and/or key input parameter T2 is used to generate Kseaf_new; Kseaf_new is used to generate Kamf_new. Further, the target AMF may send to the UE a first message carrying some or all of the key input parameters used to generate Kseaf_new (for example, key input parameter T2).
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the AUSF; the target AMF receives a response to the key update service request returned by the AUSF, where the response carries Kseaf_new and key input parameter T3, and key input parameter T3 is used to generate Kseaf_new; Kseaf_new is used to generate Kamf_new; the target AMF sends to the UE a first message carrying key input parameter T3.
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the AUSF, where the key update service request carries key input parameter T2 and/or key input parameter T1; the target AMF receives a response to the key update service request returned by the AUSF, where the response carries Kseaf_new and key input parameter T3, and key input parameter T3 together with the key input parameter(s) carried in the key update service request are used to generate Kseaf_new; Kseaf_new is used to generate Kamf_new, and the target AMF sends to the UE a first message carrying key input parameter T3.
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the Security Anchor Function (SEAF), where the key update service request carries key input parameter T2 and/or key input parameter T1; the target AMF receives a response to the key update service request returned by the SEAF, where the response carries Kamf_new, and key input parameter T2 and/or key input parameter T1 is used to generate Kamf_new. Further, the target AMF may send to the UE a first message carrying some or all of the key input parameters used to generate Kamf_new (for example, key input parameter T2).
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a key update service request to the SEAF; the target AMF receives a response to the key update service request returned by the SEAF, where the response carries Kamf_new and key input parameter T4, and key input parameter T4 is used to generate Kamf_new; the target AMF sends to the UE a first message carrying key input parameter T4.
In some possible implementations, after the target AMF receives from the UE the registration request message requesting access to the target slice, the method may further include:
the target AMF sends a key update service request to the SEAF, where the key update service request carries key input parameter T2 and/or key input parameter T1; the target AMF receives a response to the key update service request returned by the SEAF, where the response carries Kamf_new and key input parameter T4, and key input parameter T4 together with the key input parameter(s) carried in the key update service request are used to generate Kamf_new; the target AMF sends to the UE a first message carrying key input parameter T4. In addition, the first message may also carry some or all of the other key input parameters used to generate Kamf_new.
In some possible implementations, after the target AMF receives the registration request message from the UE, the method may further include:
the target AMF sends a message carrying a key parameter indication to the slice authentication and authorization server (AAA-S), where the key parameter indication is used to instruct the AAA-S to generate key input parameter T5; the target AMF receives key input parameter T5 sent by the AAA-S, and key input parameter T5 is used to generate Kamf_new;
or,
the target AMF sends a message carrying a key parameter indication to the AAA-S, where the key parameter indication is used to instruct the AAA-S to generate key input parameter T5; the target AMF receives key input parameter T5 sent by the AAA-S, where key input parameter T5 is used to generate Kamf_new, and key input parameter T1 and/or key input parameter T2 is also used to generate Kamf_new.
It can be seen that the solution of this embodiment achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario without updating the entire key hierarchy through primary authentication. Compared with a solution that achieves forward security of Kamf by updating the entire key hierarchy through primary authentication, the solution of this embodiment of this application is considerably more efficient.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of a communication method given as an example in an embodiment of this application. The communication method may include:
201. When a UE moves from one source slice to another, mutually exclusive target slice, the target AMF sends a key update service request to the AUSF.
The target AMF may request the AUSF's key update service after receiving from the UE a registration request message requesting access to the target slice.
202. After receiving the key update service request from the target AMF, the AUSF generates Kseaf_new, where Kseaf_new is used to generate Kamf_new.
For example, one or more of key input parameter T1, key input parameter T2, and key input parameter T3 are used to generate Kseaf_new.
When key input parameter T1 and/or key input parameter T2 is used to generate Kseaf_new, key input parameter T1 and/or key input parameter T2 is carried in the key update service request.
203. The AUSF returns to the target AMF a response to the key update service request, where the response carries Kseaf_new.
204. After receiving the response to the key update service request, the target AMF uses Kseaf_new to generate Kamf_new. Kamf_new differs from a second AMF key Kamf_old, where Kamf_new is the key of the target AMF serving the target slice and Kamf_old is the key of the source AMF serving the source slice.
When key input parameter T3 is used to generate Kseaf_new, the response to the key update service request carries key input parameter T3.
It can be seen that the above solution of this embodiment achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario, and thereby achieves forward security of Kamf.
It can also be seen that the solution of this embodiment uses the AUSF's key update service to update Kseaf_new and Kamf_new, and thus achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario without updating the entire key hierarchy through primary authentication. Compared with a solution that achieves forward security of Kamf by updating the entire key hierarchy through primary authentication, the solution of this embodiment of this application is considerably more efficient.
For example, if the primary authentication procedure were used, the SEAF would request the AUSF to authenticate the UE; after receiving the request, the AUSF would request the UDM to generate an authentication vector; based on the authentication vector, the UE, the serving network, and the home network would authenticate each other; and only after authentication succeeds would the serving network's key hierarchy be updated. During primary authentication the entire key hierarchy is updated, including the AUSF key. In some solutions of the embodiments of this application, it is mainly the SEAF that requests the AUSF to perform a key update, and what is updated are the SEAF key and the AMF key. The AUSF key is not updated and the UDM does not need to participate, so efficiency is considerably improved.
Referring to FIG. 3, FIG. 3 is a schematic flowchart of another communication method given as an example in an embodiment of this application. The communication method may include:
301. When a UE moves from one source slice to another, mutually exclusive target slice, the target AMF sends a key update service request to the SEAF to request invocation of the SEAF's key update service.
The target AMF may send the key update service request to the SEAF, requesting invocation of the SEAF's key update service, after receiving the registration request message from the UE.
302. After receiving the key update service request from the target AMF, the SEAF generates Kamf_new. Kamf_new differs from a second AMF key Kamf_old, where Kamf_new is the key of the target AMF serving the target slice and Kamf_old is the key of the source AMF serving the source slice.
One or more of key input parameter T1, key input parameter T2, and key input parameter T4 are used to generate Kamf_new;
when key input parameter T1 and/or key input parameter T2 is used to generate Kamf_new, key input parameter T1 and/or key input parameter T2 is carried in the key update service request.
303. The SEAF returns to the target AMF a response to the key update service request, where the response carries Kamf_new.
Correspondingly, the target AMF receives the response to the key update service request returned by the SEAF and obtains Kamf_new from the response.
When key input parameter T4 is used to generate Kseaf_new, the response to the key update service request carries key input parameter T4, and the target AMF can then pass key input parameter T4 on to the UE.
It can be seen that the above solution of this embodiment achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario, and thereby achieves forward security of Kamf.
Moreover, the solution of this embodiment uses the SEAF's key update service to update Kamf_new, and thus achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario without updating the entire key hierarchy through primary authentication. Compared with a solution that achieves forward security of Kamf by updating the entire key hierarchy through primary authentication, the solution of this embodiment of this application is considerably more efficient.
In some embodiments of this application, the condition that triggers updating of the target AMF's key may be: the UE instructs the target AMF to update the target AMF's key; or the target AMF determines whether the target AMF's key needs to be updated by checking whether a locally preset key update condition is satisfied. The condition that triggers the UE to update the target AMF's key may be: the UE itself determines whether the target AMF's key needs to be updated by checking whether a locally preset key update condition is satisfied; or the target AMF instructs the UE to update the target AMF's key.
The network side generates Kamf_new for use by the Target AMF. When generating Kamf_new, the network side may have different network elements cooperate to do so. For example, the AUSF generates a new Kseaf, namely Kseaf_new, and the SEAF generates Kamf_new from Kseaf_new; or, for example, the SEAF generates Kamf_new; or, for example, the Target AMF generates Kamf_new.
The UE generates Kamf_new in the same way as the network side.
Regarding the key input parameters required to generate Kamf_new: new parameters may be introduced when generating Kamf_new, to guarantee isolation between Kamf_new and the Kamf of the Source AMF (or the Kamf' generated from it by horizontal derivation).
The key input parameters may include, but are not limited to, one or more of the following: a random number, a key update Counter, the NAS UL Counter, an identifier of the target slice instance, description information of the target slice instance, an identifier of the slice group or slice class to which the target slice belongs, description information of the slice group or slice class to which the target slice belongs, and so on.
Of course, this application does not actually impose any particular restriction on the parameters used to generate Kamf_new; it only requires that the Kamf_new generated from those parameters is isolated from the Kamf_old of the Source AMF (or the Kamf' horizontally derived from it).
Some more specific application scenarios are described below by way of example.
Referring to FIG. 4, FIG. 4 is a schematic flowchart of another communication method according to an embodiment of this application.
This embodiment takes as an example the case where the SEAF and the AMF are deployed together (in which case the SEAF and the AMF may be collectively referred to as the AMF). When a UE switches from one source slice to another, mutually exclusive target slice, the AUSF generates Kseaf_new and sends the generated Kseaf_new to the Target AMF (with built-in SEAF). The Target AMF generates Kamf_new from Kseaf_new. Some of the parameters used to generate Kseaf_new and Kamf_new are provided by the UE.
As shown by way of example in FIG. 4, a communication method may include:
401. The UE sends a registration request (Registration Request) message.
The registration request message carries the NSSAI(s) of the target slice that the UE requests to access, and also carries key input parameter T1, which is needed to generate the new AMF key Kamf_new.
Key input parameter T1 may include one or more of the following: a random number generated by the UE, a Counter used for key update that is maintained in synchronization between the UE and the AUSF, the S-NSSAI of the target slice, description information of the slice group (or slice class) to which the target slice belongs, an identifier of the slice group (or slice class) to which the target slice belongs, description information of the target slice instance, an identifier of the target slice instance, and so on. The purpose of key input parameter T1 is to make the finally generated Kamf_new isolated from Kamf_old. The embodiments of this application do not restrict the specific type of key input parameter T1; any input parameter that satisfies this purpose is acceptable.
Optionally, the registration request message may also carry integrity verification information Auth_T1 for key input parameter T1. Auth_T1 can be used by the AUSF to verify whether the source of key input parameter T1 is the UE, and can also be used to verify whether key input parameter T1 has been tampered with. One example of Auth_T1 is: Auth_T1 = HMAC(Kausf, key input parameter T1). The specific form of Auth_T1 is not restricted here; it only needs to satisfy the requirement that the AUSF can use Auth_T1 to verify the source of key input parameter T1 and whether key input parameter T1 has been tampered with.
Optionally, the registration request message may also carry a New_Kseaf_Kamf_Indicator. The UE uses this New_Kseaf_Kamf_Indicator to notify the Target AMF that the network side needs to generate Kseaf_new and Kamf_new. Of course, the UE may also notify the network side in other ways that Kseaf_new and Kamf_new need to be generated.
402. After receiving the registration request, the Target AMF initiates a UE Context Transfer procedure. Through the UE Context Transfer procedure, the Target AMF can obtain from the Source AMF the Source AMF's key Kamf_old, the UE's Subscriber Permanent Identifier (SUPI), and so on.
403. The Target AMF sends a key update service request (Nausf_KeyUpdate_MEANS Request) to the AUSF to request invocation of the AUSF's key update service.
If the registration request message carries the New_Kseaf_Kamf_Indicator (that is, a Kseaf/Kamf update indication), the Target AMF may send the key update service request to the AUSF, requesting invocation of the AUSF's key update service, under the direction of the New_Kseaf_Kamf_Indicator carried in the registration request message.
In addition, if the registration request message does not carry the New_Kseaf_Kamf_Indicator, the Target AMF may send the key update service request to the AUSF, requesting invocation of the AUSF's key update service, when it determines that a preset key update condition is satisfied.
The key update service request sent to the AUSF may carry key input parameter T1 from the registration request message.
The key update service request sent to the AUSF may also carry the UE's Subscriber Permanent Identifier (SUPI), the serving network name (SN-name), and so on.
If the registration request message carries the integrity verification information Auth_T1, the key update service request sent to the AUSF also carries the integrity verification information Auth_T1.
404. The AUSF receives the key update service request from the Target AMF.
If key input parameter T1 carried in the key update service request from the Target AMF includes the Counter used for key update that is maintained in synchronization between the UE and the AUSF, the AUSF may further check whether the Counter included in key input parameter T1 is acceptable. If it is not acceptable, the AUSF may return an error cause to the Target AMF and may terminate the subsequent key update procedure.
If the key update service request from the Target AMF carries Auth_T1, the AUSF verifies the source of key input parameter T1 and whether key input parameter T1 has been tampered with. If it has been tampered with, the AUSF returns an error cause to the Target AMF and may terminate the subsequent key update procedure.
The AUSF generates Kseaf_new. Kausf is used as the input key to generate Kseaf_new, and the key input parameters may include key input parameter T1, the SN-name, and so on.
405. The AUSF sends a key update service response (Nausf_KeyUpdate_MEANS Response) to the Target AMF.
If the key update succeeds, the key update service response (that is, the response to the key update service request) carries a success indication (Success), Kseaf_new, and so on; if the key update fails, the key update service response may carry a failure cause and so on.
406. The Target AMF receives the key update service response from the AUSF.
If the key update service response indicates that the key update succeeded, the Target AMF generates Kamf_new (specifically, the SEAF built into the Target AMF generates Kamf_new).
The input key used by the Target AMF to generate Kamf_new is Kseaf_new. The key input parameters for Kamf_new include the SUPI and ABBA (Anti-bidding down between architectures), and so on. The key input parameters for Kamf_new may also include key input parameter T1.
For example, Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T1]).
In the embodiments of this application, a parameter in [] denotes an optional parameter.
407. The Target AMF sends to the UE a message M4 used to activate the new keys.
If the registration request message did not carry the New_Kseaf_Kamf_Indicator, the Target AMF may carry a New_Kseaf_Kamf_Indicator in message M4, where this New_Kseaf_Kamf_Indicator may be used to instruct the UE to generate Kseaf_new and Kamf_new. If the registration request message carried the New_Kseaf_Kamf_Indicator, the Target AMF may omit the New_Kseaf_Kamf_Indicator from message M4.
Message M4 may also carry key input parameter T1 and so on.
Message M4 may, for example, be integrity protected using the NAS keys generated from Kamf_new.
For example, message M4 may be a NAS Security Mode Command message.
408. The UE receives message M4 from the Target AMF.
If message M4 carries the New_Kseaf_Kamf_Indicator, the UE generates Kseaf_new and Kamf_new using the same mechanism as the network side.
In addition, the UE may also decide on its own whether Kseaf_new and Kamf_new need to be generated, and if so, the UE generates Kseaf_new and Kamf_new using the same mechanism as the network side. In this case, the UE may perform the decision on whether to generate Kseaf_new and Kamf_new, and the generation itself, at any time after sending the registration request message and before sending message M5.
In addition, if message M4 is integrity protected using the NAS keys generated from Kamf_new, then after generating Kamf_new the UE can derive the NAS keys from Kamf_new and verify the integrity of message M4. If the integrity verification fails, the UE may, for example, terminate the related procedure.
The UE sends message M5 to the Target AMF to notify the Target AMF that key activation is complete. Message M5 is, for example, a Non-Access Stratum Security Mode Complete (NAS Security Mode Complete) message.
409. The network slice authentication procedure for the target slice is performed.
410. After the network slice authentication for the target slice passes, the Target AMF sends to the UE a Registration Accept message notifying that registration with the target slice succeeded.
In this embodiment, key input parameter T1 may include the key update Counter maintained between the UE and the AUSF. This application does not specifically restrict how this key update Counter is generated, how its initial value is set, how it is updated after use, or how it is synchronized.
Steps 401-409 of this embodiment take place between the initiation of the slice switch and its completion.
It can be seen that in the solution of this embodiment, the UE can provide some of the parameters for generating Kseaf_new and Kamf_new, key isolation between the Source AMF and the Target AMF is achieved in the mutually exclusive slice switching scenario, and forward security of Kamf is thereby achieved. Moreover, the solution of this embodiment achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario without updating the entire key hierarchy through primary authentication; compared with possible solutions that achieve forward security of Kamf by updating the entire key hierarchy through primary authentication, the solution of this embodiment of this application is considerably more efficient.
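The FIG. 4 procedure (steps 401 to 408) carried out end to end, as an added worked example that is not code from the patent or from its applicant. It models the UE-provided key input parameter T1 with its Auth_T1 = HMAC(Kausf, T1) check, the AUSF's Counter acceptance check, the derivation Kseaf_new from Kausf and then Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T1]), and the UE's verification of the NAS-key-protected message M4 after it recomputes the same keys. Assumptions not in the patent: the KDF is a plain HMAC-SHA256 over length-suffixed parameters rather than the 3GPP KDF byte for byte, the derivation labels, the NAS integrity key derivation, the T1 layout (16-byte nonce followed by a 32-bit Counter), the rule that a Counter is acceptable only if it exceeds the last accepted value, and all sample values (SUPI, SN-name, ABBA, Kausf, Kamf_old) are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values (not from the patent): the UE's SUPI, the serving
# network name, the ABBA parameter and the Kausf shared by the UE and the AUSF.
SUPI = b"imsi-460001234567890"
SN_NAME = b"5G:mnc001.mcc460.3gppnetwork.org"
ABBA = b"\x00\x00"
KAUSF = bytes(range(32))


def kdf(key, label, *params):
    """HMAC-SHA256 over a label and length-suffixed parameters.

    Assumption: the page writes the derivation as KDF(...) without fixing the
    function; this stands in for it and is not the 3GPP KDF byte for byte.
    """
    s = label
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def ue_build_t1(counter):
    """Step 401 (UE): T1 = 16-byte nonce || 32-bit key update Counter (layout
    assumed), and Auth_T1 = HMAC(Kausf, T1) as the page's example integrity value."""
    t1 = os.urandom(16) + struct.pack(">I", counter)
    auth_t1 = hmac.new(KAUSF, t1, hashlib.sha256).digest()
    return t1, auth_t1


def ausf_key_update(t1, auth_t1, last_counter):
    """Step 404 (AUSF): verify Auth_T1, check that the Counter is acceptable
    (assumed rule: strictly greater than the last accepted value), then derive
    Kseaf_new from Kausf, T1 and the SN-name. Returns (Kseaf_new, status)."""
    expected = hmac.new(KAUSF, t1, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, auth_t1):
        return None, "auth_t1_failed"          # tampered with, or not from the UE
    counter = struct.unpack(">I", t1[16:20])[0]
    if counter <= last_counter:
        return None, "counter_not_acceptable"  # replayed or stale Counter
    return kdf(KAUSF, b"Kseaf", t1, SN_NAME), "success"


def derive_kamf(kseaf, t1):
    """Step 406: Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T1]) with the optional T1 included."""
    return kdf(kseaf, b"Kamf", SUPI, ABBA, t1)


def nas_int_key(kamf):
    """NAS integrity key derived from Kamf (label is an assumption)."""
    return kdf(kamf, b"NAS-int")


def run_slice_switch(kamf_old, counter, last_counter):
    """Drive steps 401 to 408 between the UE and the network and report the result."""
    t1, auth_t1 = ue_build_t1(counter)
    kseaf_new, status = ausf_key_update(t1, auth_t1, last_counter)
    if status != "success":
        return {"status": status}
    kamf_new = derive_kamf(kseaf_new, t1)            # Target AMF (built-in SEAF)
    # Step 407: M4 carries T1 and is integrity protected with the NAS key from Kamf_new.
    m4 = b"NAS-SMC|New_Kseaf_Kamf_Indicator|T1=" + t1
    m4_mac = hmac.new(nas_int_key(kamf_new), m4, hashlib.sha256).digest()
    # Step 408: the UE recomputes Kseaf_new and Kamf_new with the same mechanism,
    # and only then can it check the integrity of M4.
    ue_kamf_new = derive_kamf(kdf(KAUSF, b"Kseaf", t1, SN_NAME), t1)
    ue_mac = hmac.new(nas_int_key(ue_kamf_new), m4, hashlib.sha256).digest()
    return {
        "status": status,
        "ue_matches_network": ue_kamf_new == kamf_new,
        "m4_integrity_ok": hmac.compare_digest(ue_mac, m4_mac),
        "isolated_from_kamf_old": kamf_new != kamf_old,
    }


if __name__ == "__main__":
    # Constructed Kamf_old standing in for the Source AMF's key.
    print(run_slice_switch(b"\x11" * 32, counter=5, last_counter=4))
    print(run_slice_switch(b"\x11" * 32, counter=4, last_counter=4))
```

The two failure paths are the ones the page names for step 404: a modified T1 fails the Auth_T1 check before the Counter is even read, and a Counter that does not advance is rejected so that a captured registration request cannot be replayed to force the same Kseaf_new again. The isolation property holds because the Source AMF only ever held Kamf_old and never Kausf or Kseaf_new.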
Referring to FIG. 5, FIG. 5 is a schematic flowchart of another communication method according to an embodiment of this application.
Take as an example the case where the SEAF and the AMF are deployed together (in which case the SEAF and the AMF may be collectively referred to as the AMF). When a UE switches from one source slice to another, mutually exclusive target slice, the AUSF generates Kseaf_new and sends the generated Kseaf_new to the Target AMF (with built-in SEAF). The Target AMF generates Kamf_new from Kseaf_new. Some of the parameters used to generate Kseaf_new and Kamf_new are provided by the Target AMF.
As shown by way of example in FIG. 5, a communication method may include:
501. The UE sends a registration request message.
The registration request message carries the NSSAI(s) of the target slice requested for access.
Optionally, the registration request message may also carry a New_Kseaf_Kamf_Indicator. The UE uses this New_Kseaf_Kamf_Indicator to notify the Target AMF that the network side needs to generate Kseaf_new and Kamf_new. Of course, the UE may also notify the network side in other ways that Kseaf_new and Kamf_new need to be generated.
502. After receiving the registration request, the Target AMF initiates a UE Context Transfer procedure. Through the UE Context Transfer procedure, the Target AMF can obtain from the Source AMF the Source AMF's key Kamf_old, the UE's Subscriber Permanent Identifier (SUPI), the network slice instance, and so on.
503. The Target AMF sends a key update service request Nausf_KeyUpdate_MEANS Request to the AUSF.
If the registration request message carries the New_Kseaf_Kamf_Indicator (that is, a Kseaf/Kamf update indication), the Target AMF may send the key update service request to the AUSF, requesting invocation of the AUSF's key update service, under the direction of the New_Kseaf_Kamf_Indicator carried in the registration request message.
In addition, if the registration request message does not carry the New_Kseaf_Kamf_Indicator, the Target AMF may send the key update service request to the AUSF, requesting invocation of the AUSF's key update service, when it determines that a preset key update condition is satisfied.
The key update service request sent to the AUSF carries key input parameter T2. Key input parameter T2 may be one or more of the following: a random number generated by the Target AMF, a Counter used for key update that is maintained between the Target AMF and the AUSF (which may be referred to as the key update Counter for short), description information of the slice group (or slice class) to which the target slice belongs, an identifier of the slice group (or slice class) to which the target slice belongs, the NAS UL Counter, the S-NSSAI of the target slice, description information of the target slice instance, an identifier of the target slice instance, an identifier of the Target AMF, description information of the Target AMF instance, an identifier of the Target AMF instance, description information of the AMF Set to which the Target AMF belongs, or an identifier of the AMF Set to which the Target AMF belongs, and so on. The purpose of key input parameter T2 is to make the finally generated Kamf_new isolated from Kamf_old. The embodiments of this application do not restrict the specific type of key input parameter T2; any input parameter that satisfies this purpose is acceptable.
The key update service request sent to the AUSF may carry key input parameter T2 from the registration request message.
The key update service request sent to the AUSF may also carry the UE's Subscriber Permanent Identifier (SUPI), the serving network name (SN-name), and so on.
504. The AUSF receives the key update service request Nausf_KeyUpdate_MEANS Request from the Target AMF.
If key input parameter T2 carried in the key update service request from the Target AMF includes the Counter used for key update that is maintained in synchronization between the Target AMF and the AUSF, the AUSF may further check whether the Counter included in key input parameter T2 is acceptable. If it is not acceptable, the AUSF may return an error cause to the Target AMF and may terminate the subsequent key update procedure.
The AUSF generates Kseaf_new. Kausf is used as the input key to generate Kseaf_new, and the key input parameters may include key input parameter T2, the SN-name, and so on.
505. The AUSF sends a key update service response Nausf_KeyUpdate_MEANS Response to the Target AMF.
If the key update succeeds, the key update service response (that is, the response to the key update service request) carries a success indication (Success), Kseaf_new, and so on; if the key update fails, the key update service response may carry a failure cause and so on.
506. The Target AMF receives the key update service response from the AUSF.
If the key update service response indicates that the key update succeeded, the Target AMF generates Kamf_new (specifically, the SEAF built into the Target AMF generates Kamf_new).
The input key used by the Target AMF to generate Kamf_new is Kseaf_new. The key input parameters for Kamf_new include the SUPI, ABBA, and so on. The key input parameters for Kamf_new may also include key input parameter T2.
For example, Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T2]).
In the embodiments of this application, a parameter in [] denotes an optional parameter.
507. The Target AMF sends to the UE a message M4 used to activate the new keys.
If the registration request message did not carry the New_Kseaf_Kamf_Indicator, the Target AMF may carry a New_Kseaf_Kamf_Indicator in message M4, where this New_Kseaf_Kamf_Indicator may be used to instruct the UE to generate Kseaf_new and Kamf_new. If the registration request message carried the New_Kseaf_Kamf_Indicator, the Target AMF may omit the New_Kseaf_Kamf_Indicator from message M4.
If some of the parameters in key input parameter T2 are unknown to the UE, such as the random number generated by the Target AMF or the key update Counter maintained between the Target AMF and the AUSF, the Target AMF carries those parameters in message M4; alternatively, the Target AMF may carry in message M4 all of the parameters included in key input parameter T2.
Message M4 may, for example, be integrity protected using the NAS keys generated from Kamf_new.
For example, message M4 may be a NAS Security Mode Command message.
508. The UE receives message M4 from the Target AMF.
If message M4 carries the New_Kseaf_Kamf_Indicator, the UE generates Kseaf_new and Kamf_new using the same mechanism as the network side.
In addition, the UE may also decide on its own whether Kseaf_new and Kamf_new need to be generated, and if so, the UE generates Kseaf_new and Kamf_new using the same mechanism as the network side. In this case, the UE may perform the decision on whether to generate Kseaf_new and Kamf_new, and the generation itself, at any time after sending the registration request message and before sending message M5.
In addition, if message M4 is integrity protected using the NAS keys generated from Kamf_new, then after generating Kamf_new the UE can derive the NAS keys from Kamf_new and verify the integrity of message M4. If the integrity verification fails, the UE may, for example, terminate the related procedure.
The UE further sends message M5 to the Target AMF to notify the Target AMF that key activation is complete. Message M5 is, for example, a Non-Access Stratum Security Mode Complete (NAS Security Mode Complete) message.
509. The network slice authentication procedure for the target slice is performed.
510. After the network slice authentication for the target slice passes, the Target AMF sends to the UE a Registration Accept message notifying that registration with the target slice succeeded.
In this embodiment, key input parameter T2 may include the key update Counter maintained between the Target AMF and the AUSF. This application does not specifically restrict how this key update Counter is generated, how its initial value is set, how it is updated after use, or how it is synchronized.
Steps 501-509 of this embodiment take place between the initiation of the slice switch and its completion.
It can be seen that in the solution of this embodiment, the Target AMF can provide some of the parameters for generating Kseaf_new and Kamf_new, key isolation between the Source AMF and the Target AMF is achieved in the mutually exclusive slice switching scenario, and forward security of Kamf is thereby achieved. Moreover, the solution of this embodiment achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario without updating the entire key hierarchy through primary authentication; compared with possible solutions that achieve forward security of Kamf by updating the entire key hierarchy through primary authentication, the solution of this embodiment of this application is considerably more efficient.
Referring to FIG. 6, FIG. 6 is a schematic flowchart of another communication method according to an embodiment of this application.
This embodiment takes as an example the case where the SEAF and the AMF are deployed together (in which case the SEAF and the AMF may be collectively referred to as the AMF). When a UE switches from one source slice to another, mutually exclusive target slice, the AUSF generates Kseaf_new and sends the generated Kseaf_new to the Target AMF (with built-in SEAF). The Target AMF generates Kamf_new from Kseaf_new. Some of the parameters used to generate Kseaf_new and Kamf_new are provided by the AUSF.
As shown by way of example in FIG. 6, another communication method may include:
601. The UE sends a registration request message.
The registration request message carries the NSSAI(s) of the target slice requested for access.
Optionally, the registration request message may also carry a New_Kseaf_Kamf_Indicator. The UE uses this New_Kseaf_Kamf_Indicator to notify the Target AMF that the network side needs to generate Kseaf_new and Kamf_new. Of course, the UE may also notify the network side in other ways that Kseaf_new and Kamf_new need to be generated.
602. After receiving the registration request, the Target AMF initiates a UE Context Transfer procedure. Through the UE Context Transfer procedure, the Target AMF can obtain from the Source AMF the Source AMF's key Kamf_old, the UE's Subscriber Permanent Identifier (SUPI), the network slice instance, and so on.
603. The Target AMF sends a key update service request Nausf_KeyUpdate_MEANS Request to the AUSF.
If the registration request message carries the New_Kseaf_Kamf_Indicator (that is, a Kseaf/Kamf update indication), the Target AMF may send the key update service request to the AUSF, requesting invocation of the AUSF's key update service, under the direction of the New_Kseaf_Kamf_Indicator carried in the registration request message.
In addition, if the registration request message does not carry the New_Kseaf_Kamf_Indicator, the Target AMF may send the key update service request to the AUSF, requesting invocation of the AUSF's key update service, when it determines that a preset key update condition is satisfied.
The key update service request may also carry the UE's Subscriber Permanent Identifier (SUPI), the serving network name (SN-name), and so on.
604. The AUSF receives the key update service request Nausf_KeyUpdate_MEANS Request from the Target AMF.
The AUSF generates Kseaf_new. Kausf is used as the input key to generate Kseaf_new, and the key input parameters include key input parameter T3 and the SN-name.
Key input parameter T3 may be one or more of the following input parameters: the key update Counter maintained between the Target AMF and the AUSF, a random number generated by the AUSF, and so on. The purpose of using key input parameter T3 is to make the finally generated Kamf_new isolated from Kamf_old. The embodiments of this application do not restrict the specific type of key input parameter T3; any input parameter that satisfies this purpose is acceptable.
605. The AUSF sends a key update service response Nausf_KeyUpdate_MEANS Response to the Target AMF.
If the key update succeeds, the key update service response (that is, the response to the key update service request) carries a success indication (Success), Kseaf_new, key input parameter T3, and so on; if the key update fails, the key update service response may carry a failure cause and so on.
606. The Target AMF receives the key update service response from the AUSF.
If the key update service response indicates that the key update succeeded, the Target AMF generates Kamf_new (specifically, the SEAF built into the Target AMF generates Kamf_new).
The input key used by the Target AMF to generate Kamf_new is Kseaf_new. The key input parameters for Kamf_new include the SUPI, ABBA, and so on. The key input parameters for Kamf_new may also include key input parameter T3.
For example, Kamf_new = KDF(Kseaf_new, SUPI, ABBA, [T3]).
In the embodiments of this application, a parameter in [] denotes an optional parameter.
607. The Target AMF sends to the UE a message M4 used to activate the new keys.
If the registration request message did not carry the New_Kseaf_Kamf_Indicator, the Target AMF may carry a New_Kseaf_Kamf_Indicator in message M4, where this New_Kseaf_Kamf_Indicator may be used to instruct the UE to generate Kseaf_new and Kamf_new. If the registration request message carried the New_Kseaf_Kamf_Indicator, the Target AMF may omit the New_Kseaf_Kamf_Indicator from message M4.
Message M4 may carry key input parameter T3.
Message M4 may, for example, be integrity protected using the NAS keys generated from Kamf_new.
For example, message M4 may be a NAS Security Mode Command (NAS SMC) message.
608. The UE receives message M4 from the Target AMF.
If message M4 carries the New_Kseaf_Kamf_Indicator, the UE generates Kseaf_new and Kamf_new using the same mechanism as the network side.
In addition, the UE may also decide on its own whether Kseaf_new and Kamf_new need to be generated, and if so, the UE generates Kseaf_new and Kamf_new using the same mechanism as the network side. In this case, the UE may perform the decision on whether to generate Kseaf_new and Kamf_new, and the generation itself, at any time after sending the registration request message and before sending message M5.
In addition, if message M4 is integrity protected using the NAS keys generated from Kamf_new, then after generating Kamf_new the UE can derive the NAS keys from Kamf_new and verify the integrity of message M4. If the integrity verification fails, the UE may, for example, terminate the related procedure.
The UE further sends message M5 to the Target AMF to notify the Target AMF that key activation is complete. Message M5 is, for example, a Non-Access Stratum Security Mode Complete (NAS Security Mode Complete) message.
609. The network slice authentication procedure for the target slice is performed.
610. After the network slice authentication for the target slice passes, the Target AMF sends to the UE a Registration Accept message notifying that registration with the target slice succeeded.
In this embodiment, key input parameter T3 may include the key update Counter maintained between the Target AMF and the AUSF. This application does not specifically restrict how this key update Counter is generated, how its initial value is set, how it is updated after use, or how it is synchronized.
Steps 601-609 of this embodiment take place between the initiation of the slice switch and its completion.
It can be seen that in the solution of this embodiment, the AUSF can provide some of the parameters for generating Kseaf_new and Kamf_new, key isolation between the Source AMF and the Target AMF is achieved in the mutually exclusive slice switching scenario, and forward security of Kamf is thereby achieved. Moreover, the solution of this embodiment achieves key isolation between the Source AMF and the Target AMF in the slice switching scenario without updating the entire key hierarchy through primary authentication; compared with possible solutions that achieve forward security of Kamf by updating the entire key hierarchy through primary authentication, the solution of this embodiment of this application is considerably more efficient.
In addition, the embodiments shown in FIG. 4 to FIG. 6 are mainly described taking as an example the case where the AUSF generates Kseaf_new and provides it to the Target AMF, and the Target AMF then generates Kamf_new from Kseaf_new. In these embodiments the key input parameters are provided by the UE, the Target AMF, or the AUSF, respectively.
However, in some other possible implementations, the AUSF may still generate Kseaf_new and provide it to the SEAF, and the Target AMF then generates Kamf_new from Kseaf_new. Moreover, the key input parameters used to generate Kseaf_new may be provided jointly by one or more of the UE, the AUSF, and the Target AMF. For example, key input parameter T1 provided by the UE and key input parameter T3 provided by the AUSF together serve as the key input parameters; as another example, key input parameter T2 provided by the Target AMF and key input parameter T3 provided by the AUSF together serve as the key input parameters; as yet another example, key input parameter T1 provided by the UE, key input parameter T2 provided by the Target AMF, and key input parameter T3 provided by the AUSF together serve as the key input parameters. Other cases can be deduced by analogy.
Referring to FIG. 7, FIG. 7 is a schematic flowchart of another communication method according to an embodiment of this application.
In this embodiment, the Target AMF and the SEAF are deployed separately (that is, the SEAF is not deployed in the AMF); the SEAF generates Kamf_new and then sends it to the Target AMF. The key input parameter used to generate Kamf_new is provided by the UE.
As shown by way of example in FIG. 7, a communication method may include:
701. The UE sends a registration request message.
The registration request message carries the NSSAI(s) of the requested target slice, and also carries key input parameter T1, which is used to generate the new key.
Key input parameter T1 may be one or more of the following: a random number generated by the UE, a Counter used for key update that is maintained between the UE and the SEAF, the S-NSSAI of the target slice, description information of the slice group (or slice class) to which the target slice belongs, an identifier of the slice group (or slice class) to which the target slice belongs, description information of the target slice instance, an identifier of the target slice instance, and so on.
The purpose of using key input parameter T1 is to make the finally generated Kamf_new isolated from Kamf_old. The embodiments of this application do not restrict the specific type of key input parameter T1; any input parameter that satisfies this purpose is acceptable.
Optionally, the registration request message may also carry integrity verification information Auth_T1 for key input parameter T1. Auth_T1 can be used by the AUSF to verify whether the source of key input parameter T1 is the UE, and can also be used to verify whether key input parameter T1 has been tampered with. One example of Auth_T1 is: Auth_T1 = HMAC(Kausf, key input parameter T1). The specific form of Auth_T1 is not restricted here; it only needs to satisfy the requirement that the AUSF can use Auth_T1 to verify the source of key input parameter T1 and whether key input parameter T1 has been tampered with.
Optionally, the registration request message may also carry a New_Kamf_Indicator1. The UE uses New_Kamf_Indicator1 to notify the Target AMF that the network side needs to generate Kamf_new. Of course, the UE may also notify the network side in other ways that Kamf_new needs to be generated.
702. After receiving the registration request message, the Target AMF may initiate a UE Context Transfer procedure. Through the UE Context Transfer procedure, the Target AMF can obtain from the Source AMF, for example, the Source AMF's key Kamf, the UE's Subscriber Permanent Identifier (SUPI), the network slice instance, and so on.
703. The Target AMF sends a key update service request Nseaf_KeyUpdate_MEANS Request to the SEAF.
If the registration request message carries New_Kamf_Indicator1, the Target AMF may send the key update service request to the SEAF, requesting invocation of the SEAF's key update service, under the direction of the New_Kamf_Indicator1 carried in the registration request message.
In addition, if the registration request message does not carry New_Kamf_Indicator1, the Target AMF may send the key update service request to the SEAF, requesting invocation of the SEAF's key update service, when it determines that a preset key update condition is satisfied.
The key update service request may carry key input parameter T1, the SUPI, and so on.
704. The SEAF receives the key update service request Nseaf_KeyUpdate_MEANS Request from the Target AMF.
If key input parameter T1 carried in the key update service request from the Target AMF includes the Counter used for key update that is maintained between the UE and the SEAF, the SEAF checks whether that Counter is acceptable. If it is not acceptable, the SEAF returns an error cause to the Target AMF and terminates the subsequent key update procedure.
If the key update service request from the Target AMF carries Auth_T1, the SEAF verifies the source of key input parameter T1 and whether key input parameter T1 has been tampered with. If it has been tampered with, the SEAF returns an error cause to the Target AMF and may terminate the subsequent key update procedure.
The SEAF generates Kamf_new. Kseaf is used as the input key to generate Kamf_new, and the key input parameters include key input parameter T2. Kamf_new may be generated, for example, by Method A, Method B, or Method C.
Method A: Kseaf is used directly as the input key to generate Kamf_new, and key input parameter T1 is used directly as part of the key input parameters to generate Kamf_new:
For example, Kamf_new = KDF(Kseaf, SUPI, ABBA, T1).
Method B: Kseaf is used directly as the input key, and key input parameter T1 is used indirectly as a key input parameter, to generate Kamf_new. For example, ABBA' is first generated from ABBA and key input parameter T1 using some algorithm; the algorithm for generating ABBA' is not restricted here. After ABBA' is generated, Kamf_new is generated with Kseaf as the input key and the SUPI and ABBA' as the key input parameters:
For example, ABBA' = F(ABBA, T1);
For example, Kamf_new = KDF(Kseaf, SUPI, ABBA').
Method C: Kseaf is used indirectly as the input key to generate Kamf_new; specifically, for example, Kseaf' is first generated with Kseaf as the input key, and Kamf_new is then generated with Kseaf' as the input key:
For example, Kseaf' = KDF(Kseaf, T1).
For example, Kamf_new = KDF(Kseaf', SUPI, ABBA, [T1]).
In the embodiments of this application, a parameter in [] denotes an optional parameter.
Of course, in Methods B and C, because Kseaf' is obtained from Kseaf, Kseaf can still be regarded as the input key of Kamf_new and T1 as a key input parameter of Kamf_new.
705. The SEAF sends the key update service response, Nseaf_KeyUpdate_MEANS Response, to the Target AMF.
If the key update succeeded, the response carries a success indication (Success) and Kamf_new; if it failed, the response may carry the failure cause.
706. The Target AMF receives the key update service response from the SEAF.
If the response indicates that the key update failed, the Target AMF may notify the UE, for example that access to the slice failed; such a notification may be carried in, for example, a Registration Reject message.
If the response indicates that the key update succeeded, the Target AMF sends message M4 to activate the new key.
707. The Target AMF sends the UE message M4 for activating the new key.
If the Registration Request did not carry New_Kamf_Indicator1, the Target AMF may include New_Kamf_Indicator1 in M4 to instruct the UE to generate Kamf_new. If the Registration Request already carried New_Kamf_Indicator1, the Target AMF need not include it in M4.
M4 may also carry key input parameter T1.
M4 may, for example, be integrity protected with NAS keys derived from Kamf_new.
For example, M4 may be a NAS Security Mode Command message.
708. The UE receives message M4 from the Target AMF.
If M4 carries New_Kamf_Indicator1, the UE generates Kamf_new using the same mechanism as the network side.
Alternatively, the UE may decide on its own whether Kamf_new needs to be generated and, if so, generate it using the same mechanism as the network side. In that case the UE may make that decision and generate Kamf_new at any time after sending the Registration Request and before sending message M5.
If M4 is integrity protected with NAS keys derived from Kamf_new, then after generating Kamf_new the UE derives the NAS keys from Kamf_new and verifies the integrity of M4. If the integrity check fails, the UE may, for example, abort the procedure.
The UE then sends message M5 to the Target AMF to indicate that key activation is complete.
Message M5 is, for example, a NAS Security Mode Complete message.
709. The network slice authentication procedure for the target slice is executed.
710. After network slice authentication of the target slice succeeds, the Target AMF sends the UE a Registration Accept message indicating that registration to the target slice succeeded.
In this embodiment, key input parameter T1 may include a key-update Counter maintained between the UE and the SEAF. How that Counter is generated, initialised, updated after use and synchronised is not specifically limited in this application.
Steps 701-709 of this embodiment take place between initiation and completion of the slice switch.
It can be seen that in this embodiment the UE can provide some of the parameters used to generate Kamf_new, so that key isolation between the Source AMF and the Target AMF is achieved in the mutually exclusive slice-switch scenario, and thereby forward security of Kamf. Moreover, this isolation is achieved without re-running primary authentication to refresh the entire key hierarchy; compared with possible schemes that obtain Kamf forward security by refreshing the whole key hierarchy through primary authentication, the scheme of this embodiment is markedly more efficient.
Referring to Figure 8, a flow diagram of another communication method provided by an embodiment of this application.
In this embodiment the AMF and the SEAF are deployed separately (the SEAF is not co-located in the AMF); the SEAF generates Kamf_new and sends it to the AMF. The key input parameter used to generate Kamf_new is provided by the Target AMF.
As illustrated in Figure 8, a communication method may include:
801. The UE sends a Registration Request message.
The Registration Request carries the NSSAI(s) of the target slice the UE requests access to.
Optionally, the Registration Request may carry New_Kamf_Indicator1, by which the UE tells the Target AMF that the network side needs to generate Kamf_new. The UE may of course signal this in other ways.
802. After receiving the Registration Request, the Target AMF may initiate a UE Context Transfer procedure, through which it obtains from the Source AMF, for example, the Source AMF's key Kamf, the UE's Subscriber Permanent Identifier (SUPI) and the network slice instance(s).
803. The Target AMF sends a key update service request, Nseaf_KeyUpdate_MEANS Request, to the SEAF.
If the Registration Request carries New_Kamf_Indicator1, the Target AMF sends the key update service request to the SEAF under that indication, to invoke the SEAF's key update service.
If the Registration Request does not carry New_Kamf_Indicator1, the Target AMF may send the key update service request to the SEAF when it determines that a preconfigured key-update condition is met.
The key update service request to the SEAF carries key input parameter T2, the SUPI and so on. T2 may be one or more of: a random number generated by the Target AMF; a key-update Counter maintained between the Target AMF and the SEAF; the NAS UL Counter; the S-NSSAI of the target slice; description information of the slice group (or slice class) the target slice belongs to; an identifier of that slice group (or slice class); description information of the target slice instance; an identifier of the target slice instance; an identifier of the Target AMF; description information of the Target AMF instance; an identifier of the Target AMF instance; description information of the AMF Set the Target AMF belongs to; an identifier of that AMF Set; and so on. The purpose of T2 is to isolate the generated Kamf_new from Kamf_old. The embodiments do not restrict the specific type of T2; any input parameter that meets this purpose may be used.
The key input parameter T2 carried in the key update service request is supplied by the Target AMF itself (it is not taken from the Registration Request).
The key update service request to the SEAF may further carry the UE's Subscriber Permanent Identifier (SUPI), the serving network name (SN-name) and so on.
804. The SEAF receives the Nseaf_KeyUpdate_MEANS Request from the Target AMF.
If the T2 carried in the request includes the key-update Counter maintained in sync between the Target AMF and the SEAF, the SEAF may further check whether that Counter value is acceptable. If it is not, the SEAF may return an error cause to the Target AMF and may terminate the rest of the key update procedure.
The SEAF generates Kamf_new, using Kseaf as the input key and key input parameters that include T2.
Kamf_new may be generated by, for example, mode A, mode B or mode C.
Mode A: Kseaf is used directly as the input key to generate Kamf_new:
e.g. Kamf_new = KDF(Kseaf, SUPI, ABBA, T2).
Mode B: Kseaf is used directly as the input key, and T2 indirectly as a key input parameter. For example, ABBA and T2 are first fed to some algorithm to produce ABBA'; the algorithm is not restricted here. Kamf_new is then derived with Kseaf as the input key and SUPI and ABBA' as the key input parameters:
e.g. ABBA' = F(ABBA, T2);
e.g. Kamf_new = KDF(Kseaf, SUPI, ABBA').
Mode C: Kseaf is used indirectly as the input key. Specifically, Kseaf' is first derived with Kseaf as the input key, and Kamf_new is then derived with Kseaf' as the input key:
e.g. Kseaf' = KDF(Kseaf, T2).
e.g. Kamf_new = KDF(Kseaf', SUPI, ABBA, [T2]).
Throughout the embodiments of this application, parameters in [ ] are optional.
In modes B and C, because Kseaf' is derived from Kseaf, Kseaf can still be regarded as the input key of Kamf_new and T2 as its key input parameter.
805. The SEAF sends the key update service response, Nseaf_KeyUpdate_MEANS Response, to the Target AMF.
If the key update succeeded, the response carries a success indication (Success) and Kamf_new; if it failed, the response may carry the failure cause.
806. The Target AMF receives the key update service response from the SEAF.
If the response indicates that the key update failed, the Target AMF may notify the UE, for example that access to the slice failed; such a notification may be carried in, for example, a Registration Reject message.
If the response indicates that the key update succeeded, the Target AMF sends message M4 to activate the new key.
807. The Target AMF sends the UE message M4 for activating the new key.
If the Registration Request did not carry New_Kamf_Indicator1, the Target AMF may include New_Kamf_Indicator1 in M4 to instruct the UE to generate Kamf_new. If the Registration Request already carried New_Kamf_Indicator1, the Target AMF need not include it in M4.
If some components of T2 are unknown to the UE, such as the random number generated by the Target AMF or the key-update Counter maintained between the Target AMF and the SEAF, the Target AMF sends those components in M4; alternatively it may send all components of T2 in M4.
M4 may, for example, be integrity protected with NAS keys derived from Kamf_new.
For example, M4 may be a NAS Security Mode Command message.
808. The UE receives message M4 from the Target AMF.
If M4 carries New_Kamf_Indicator1, the UE generates Kamf_new using the same mechanism as the network side.
Alternatively, the UE may decide on its own whether Kamf_new needs to be generated and, if so, generate it using the same mechanism as the network side. In that case the UE may make that decision and generate Kamf_new at any time after sending the Registration Request and before sending message M5.
If M4 is integrity protected with NAS keys derived from Kamf_new, then after generating Kamf_new the UE derives the NAS keys from Kamf_new and verifies the integrity of M4. If the integrity check fails, the UE may, for example, abort the related procedure.
The UE may then send message M5 to the Target AMF to indicate that key activation is complete. Message M5 is, for example, a NAS Security Mode Complete message.
809. The network slice authentication procedure for the target slice is executed.
810. After network slice authentication of the target slice succeeds, the Target AMF sends the UE a Registration Accept message indicating that registration to the target slice succeeded.
In this embodiment, key input parameter T2 may include a key-update Counter maintained between the Target AMF and the SEAF. How that Counter is generated, initialised, updated after use and synchronised is not specifically limited in this application.
Steps 801-809 of this embodiment take place between initiation and completion of the slice switch.
It can be seen that in this embodiment the Target AMF can provide some of the parameters used to generate Kamf_new, so that key isolation between the Source AMF and the Target AMF is achieved in the mutually exclusive slice-switch scenario, and thereby forward security of Kamf. Moreover, this isolation is achieved without re-running primary authentication to refresh the entire key hierarchy; compared with possible schemes that obtain Kamf forward security by refreshing the whole key hierarchy through primary authentication, the scheme of this embodiment is markedly more efficient.
Referring to Figure 9, a flow diagram of another communication method provided by an embodiment of this application.
In this embodiment the Target AMF and the SEAF are deployed separately (the SEAF is not co-located in the AMF); the SEAF generates Kamf_new and sends it to the Target AMF. The key input parameter used to generate Kamf_new is provided by the SEAF.
As illustrated in Figure 9, another communication method may include:
901. The UE sends a Registration Request message.
The Registration Request carries the NSSAI(s) of the target slice requested by the UE.
Optionally, the Registration Request may carry New_Kamf_Indicator1, by which the UE tells the Target AMF that the network side needs to generate Kamf_new. The UE may of course signal this in other ways.
902. After receiving the Registration Request, the Target AMF may initiate a UE Context Transfer procedure, through which it obtains from the Source AMF, for example, the Source AMF's key Kamf, the UE's Subscriber Permanent Identifier (SUPI) and the network slice instance(s).
903. The Target AMF sends a key update service request, Nseaf_KeyUpdate_MEANS Request, to the SEAF.
If the Registration Request carries New_Kamf_Indicator1, the Target AMF sends the key update service request to the SEAF under that indication, to invoke the SEAF's key update service.
If the Registration Request does not carry New_Kamf_Indicator1, the Target AMF may send the key update service request to the SEAF when it determines that a preconfigured key-update condition is met.
The key update service request carries the SUPI and so on.
904. The SEAF receives the Nseaf_KeyUpdate_MEANS Request from the Target AMF.
The SEAF generates Kamf_new, using Kseaf as the input key and key input parameters that include T4. T4 may be one or more of: a random number generated by the SEAF; a Counter maintained jointly between the SEAF and the UE; and so on. The purpose of T4 is to isolate the resulting Kamf_new from Kamf_old. The embodiments do not restrict the specific type of T4; any input parameter that meets this purpose may be used.
Kamf_new may be generated by, for example, mode A, mode B or mode C.
Mode A: Kseaf is used directly as the input key to generate Kamf_new:
e.g. Kamf_new = KDF(Kseaf, SUPI, ABBA, T4).
Mode B: Kseaf is used directly as the input key, and T4 indirectly as a key input parameter. For example, ABBA and T4 are first fed to some algorithm to produce ABBA'; the algorithm is not restricted here. Kamf_new is then derived with Kseaf as the input key and SUPI and ABBA' as the key input parameters:
e.g. ABBA' = F(ABBA, T4);
e.g. Kamf_new = KDF(Kseaf, SUPI, ABBA').
Mode C: Kseaf is used indirectly as the input key. Specifically, Kseaf' is first derived with Kseaf as the input key, and Kamf_new is then derived with Kseaf' as the input key:
e.g. Kseaf' = KDF(Kseaf, T4).
e.g. Kamf_new = KDF(Kseaf', SUPI, ABBA, [T4]).
Throughout the embodiments of this application, parameters in [ ] are optional.
In modes B and C, because Kseaf' is derived from Kseaf, Kseaf can still be regarded as the input key of Kamf_new and T4 as its key input parameter.
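The three derivation modes are the same in the embodiments of Figures 7, 8 and 9; they differ only in which party supplies the key input parameter (T1 from the UE, T2 from the Target AMF, T4 from the SEAF) and in which checks the SEAF runs before deriving. The following Python is an added example written for this page, not code from the application or from any 3GPP implementation. It assumes a KDF of the TS 33.220 shape (HMAC-SHA-256 over a one-byte FC code and length-prefixed parameters, with FC values 0x6D and 0x6E chosen here for illustration), an assumed layout of T1 whose first four bytes are the UE-SEAF key-update Counter, a "strictly increasing" acceptance policy for that Counter, and a hash truncation standing in for the unspecified F() of mode B. It also hands Kausf to the SEAF function so that the Auth_T1 check of step 704 can be shown in one place; in a deployment only a function holding Kausf (the AUSF) can compute that tag. The tests below show that the UE and the SEAF arrive at the same Kamf_new, that each mode yields a key different from Kamf_old, that a replayed T1 is rejected by the Counter check, and that a tampered T1 fails Auth_T1.

```python
import hashlib
import hmac
import struct

# FC codes are assumed: the page fixes no KDF instance. TS 33.220 Annex B KDFs are
# HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...; TS 33.501 uses FC = 0x6D for Kamf.
FC_KAMF = 0x6D          # Kamf / Kamf_new derivation (assumed reuse of the Kamf code)
FC_KSEAF_PRIME = 0x6E   # intermediate Kseaf' of mode C (assumed value)


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """KDF(key, P0, P1, ...): HMAC-SHA-256 over FC and the length-prefixed parameters."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def make_t1(counter: int, extra: bytes = b"") -> bytes:
    """Assumed T1 layout: 4-byte big-endian UE<->SEAF key-update Counter followed by any
    other component the page allows (S-NSSAI, UE nonce, slice-instance id, ...)."""
    return struct.pack(">I", counter) + extra


def auth_t1(kausf: bytes, t1: bytes) -> bytes:
    """Auth_T1 = HMAC(Kausf, T1), the example form given on the page."""
    return hmac.new(kausf, t1, hashlib.sha256).digest()


class UpdateCounter:
    """Per-UE key-update Counter state at the SEAF. The page leaves the policy open; the
    assumption here is 'strictly increasing', which rejects a replayed T1 and with it a
    replayed derivation of an old Kamf_new."""

    def __init__(self, last: int = -1):
        self.last = last

    def accept(self, value: int) -> bool:
        if value <= self.last:
            return False
        self.last = value
        return True


def derive_kamf_new(kseaf: bytes, supi: bytes, abba: bytes, t: bytes, mode: str) -> bytes:
    """Modes A, B and C. t is T1 (Figure 7), T2 (Figure 8), T4 (Figure 9), or a
    concatenation such as T1 || T4 when several parties contribute (assumed encoding)."""
    if mode == "A":
        # Kamf_new = KDF(Kseaf, SUPI, ABBA, T)
        return kdf(kseaf, FC_KAMF, supi, abba, t)
    if mode == "B":
        # ABBA' = F(ABBA, T); Kamf_new = KDF(Kseaf, SUPI, ABBA'). F is unspecified on the
        # page; a hash truncated to the length of ABBA is assumed here.
        abba_prime = hashlib.sha256(abba + t).digest()[:len(abba)]
        return kdf(kseaf, FC_KAMF, supi, abba_prime)
    if mode == "C":
        # Kseaf' = KDF(Kseaf, T); Kamf_new = KDF(Kseaf', SUPI, ABBA, [T]) with the optional T
        kseaf_prime = kdf(kseaf, FC_KSEAF_PRIME, t)
        return kdf(kseaf_prime, FC_KAMF, supi, abba, t)
    raise ValueError("unknown mode " + mode)


def seaf_key_update(kseaf: bytes, kausf: bytes, supi: bytes, abba: bytes,
                    t1: bytes, tag: bytes, window: UpdateCounter, mode: str = "A"):
    """Step 704 at the SEAF: verify Auth_T1 (needs Kausf, see the caveat in the lead-in),
    check the Counter, then derive. Returns ("Success", Kamf_new) or ("Failure", cause)."""
    if not hmac.compare_digest(auth_t1(kausf, t1), tag):
        return "Failure", "Auth_T1 verification failed (T1 tampered or not from the UE)"
    if len(t1) < 4 or not window.accept(struct.unpack(">I", t1[:4])[0]):
        return "Failure", "key-update Counter not acceptable (replay or out of window)"
    return "Success", derive_kamf_new(kseaf, supi, abba, t1, mode)
```

The order of the checks matters: the Counter state is only advanced after Auth_T1 has passed, so an attacker who cannot forge the tag cannot burn Counter values and desynchronise the UE and the SEAF.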
905. The SEAF sends the key update service response, Nseaf_KeyUpdate_MEANS Response, to the Target AMF.
If the key update succeeded, the response carries a success indication (Success), Kamf_new and T4; if it failed, the response may carry the failure cause.
906. The Target AMF receives the key update service response from the SEAF.
If the response indicates that the key update failed, the Target AMF may notify the UE, for example that access to the slice failed; such a notification may be carried in, for example, a Registration Reject message.
If the response indicates that the key update succeeded, the Target AMF sends message M4 to activate the new key.
907. The Target AMF sends the UE message M4 for activating the new key.
If the Registration Request did not carry New_Kamf_Indicator1, the Target AMF may include New_Kamf_Indicator1 in M4 to instruct the UE to generate Kamf_new. If the Registration Request already carried New_Kamf_Indicator1, the Target AMF need not include it in M4.
M4 carries key input parameter T4.
M4 may, for example, be integrity protected with NAS keys derived from Kamf_new.
For example, M4 may be a NAS Security Mode Command message.
908. The UE receives message M4 from the Target AMF.
If M4 carries New_Kamf_Indicator1, the UE generates Kamf_new using the same mechanism as the network side.
Alternatively, the UE may decide on its own whether Kamf_new needs to be generated and, if so, generate it using the same mechanism as the network side. In that case the UE may make that decision and generate Kamf_new at any time after sending the Registration Request and before sending message M5.
If M4 is integrity protected with NAS keys derived from Kamf_new, then after generating Kamf_new the UE derives the NAS keys from Kamf_new and verifies the integrity of M4. If the integrity check fails, the UE may, for example, abort the procedure.
The UE may then send message M5 to the Target AMF to indicate that key activation is complete. Message M5 is, for example, a NAS Security Mode Complete message.
909. The network slice authentication procedure for the target slice is executed.
910. After network slice authentication of the target slice succeeds, the Target AMF sends the UE a Registration Accept message indicating that registration to the target slice succeeded.
In this embodiment, key input parameter T4 may include a key-update Counter maintained in sync between the SEAF and the UE. How that Counter is generated, initialised, updated after use and synchronised is not specifically limited in this application.
Steps 901-909 of this embodiment take place between initiation and completion of the slice switch.
It can be seen that in this embodiment the SEAF can provide some of the parameters used to generate Kamf_new, so that key isolation between the Source AMF and the Target AMF is achieved in the mutually exclusive slice-switch scenario, and thereby forward security of Kamf. Moreover, this isolation is achieved without re-running primary authentication to refresh the entire key hierarchy; compared with possible schemes that obtain Kamf forward security by refreshing the whole key hierarchy through primary authentication, the scheme of this embodiment is markedly more efficient.
In the embodiments of Figures 7-9, the SEAF generates Kamf_new and delivers it to the Target AMF. Those embodiments are described with the key input parameter provided by the UE, the Target AMF or the SEAF, respectively.
In other possible implementations, the SEAF may still generate Kamf_new and deliver it to the Target AMF, while the key input parameters used to generate Kamf_new are supplied jointly by one or more of the UE, the SEAF and the Target AMF: for example, key input parameter T1 from the UE together with T4 from the SEAF; T2 from the Target AMF together with T4 from the SEAF; or T1 from the UE, T2 from the Target AMF and T4 from the SEAF together. Other combinations follow by analogy.
Referring to Figure 10, a flow diagram of another communication method provided by an embodiment of this application.
In this embodiment the AMF and the SEAF are co-located (the SEAF is deployed in the AMF), and the Target AMF generates Kamf_new. Some of the key input parameters used to generate Kamf_new are provided by the AAA-S.
As illustrated in Figure 10, another communication method may include:
1001. The UE sends a Registration Request message.
The Registration Request carries the NSSAI(s) of the requested target slice.
The Registration Request may also carry a key update indication New_Kamf_Indicator2, which tells the Target AMF that the network side needs to generate Kamf_new. The UE may of course signal this in other ways.
1002. After receiving the Registration Request, the Target AMF may initiate a UE Context Transfer procedure, through which it obtains from the Source AMF, for example, the Source AMF's key Kamf, the UE's Subscriber Permanent Identifier (SUPI) and the network slice instance(s).
1003. The Target AMF decides to initiate the slice authentication procedure and starts EAP ID retrieval: the Target AMF sends an EAP ID request to the UE.
1004. On receiving the EAP ID request, the UE returns an EAP ID response carrying the corresponding EAP ID to the Target AMF.
1005. The Target AMF sends an Authentication Request to the AAA-F.
If the Registration Request carries New_Kamf_Indicator2, the Target AMF may, under that indication, include a parameter request indication ParaReqIndicator in the Authentication Request.
If the Registration Request does not carry New_Kamf_Indicator2, the Target AMF may include ParaReqIndicator in the Authentication Request when it determines that a preconfigured key-update condition is met.
ParaReqIndicator instructs the AAA-S to generate key input parameter T5, which is used to generate Kamf_new.
1006. The AAA-F forwards the Authentication Request to the AAA-S.
1007. The AAA-S receives the Authentication Request forwarded by the AAA-F.
If the Authentication Request carries ParaReqIndicator, the AAA-S generates key input parameter T5 under that indication.
If the Authentication Request does not carry ParaReqIndicator, the AAA-S may generate T5 when it determines that a preconfigured key-parameter generation condition is met.
T5 may be generated from a secret shared between the UE and the AAA-S, for example the Extended Master Session Key (EMSK) produced by slice authentication. This application does not restrict the algorithm or the inputs used to generate T5, provided that only the UE and the AAA-S are able to generate it.
1008. The AAA-S sends an Authentication Response to the AAA-F.
The Authentication Response carries key input parameter T5.
1009. On receiving the Authentication Response from the AAA-S, the AAA-F forwards it to the Target AMF.
1010. The Target AMF receives the Authentication Response from the AAA-F.
1011. The Target AMF generates Kamf_new. The input key is the Kamf obtained by the Target AMF from the Source AMF, and the key input parameters include T5.
For example: Kamf_new = KDF(Kamf_old, T5).
1012. The Target AMF sends the UE message M4 for activating the new key.
If the Registration Request did not carry New_Kamf_Indicator2, the Target AMF may include New_Kamf_Indicator2 in M4 to instruct the UE to generate Kamf_new. If the Registration Request already carried New_Kamf_Indicator2, the Target AMF need not include it in M4.
M4 may, for example, be integrity protected with NAS keys derived from Kamf_new.
For example, M4 may be a NAS Security Mode Command message.
1013. The UE receives message M4 from the Target AMF.
If M4 carries New_Kamf_Indicator2, the UE, under that indication, generates key input parameter T5 using the same mechanism as the AAA-S and generates Kamf_new using the same mechanism as the Target AMF.
If M4 does not carry New_Kamf_Indicator2, the UE may also generate T5 (with the AAA-S mechanism) and Kamf_new (with the Target AMF mechanism) when it determines that a preconfigured key-update condition is met. In that case the UE may make that decision and generate T5 and Kamf_new at any time after sending the Registration Request and before sending message M5.
If M4 is integrity protected with NAS keys derived from Kamf_new, the UE can only check it after generating Kamf_new: it derives T5 and Kamf_new as above, derives the NAS keys from Kamf_new and verifies the integrity of M4. If the integrity check fails, the UE may, for example, abort the procedure.
1014. The UE sends message M5 to the Target AMF.
Message M5 is, for example, a NAS Security Mode Complete message.
1015. After network slice authentication of the target slice succeeds, the Target AMF sends the UE a Registration Accept message indicating that registration to the target slice succeeded.
In the embodiment of Figure 10, the Target AMF may send ParaReqIndicator to the AAA-S in any of the authentication request messages.
Likewise, after generating T5 the AAA-S may send it to the network in any of the authentication response messages of slice authentication.
It can be seen that this embodiment achieves key isolation between the Source AMF and the Target AMF in the slice-switch scenario, and thereby forward security of Kamf. Moreover, this isolation is achieved without re-running primary authentication to refresh the entire key hierarchy; compared with possible schemes that obtain Kamf forward security by refreshing the whole key hierarchy through primary authentication, the scheme of this embodiment is markedly more efficient.
The embodiment of Figure 10 is described with the Target AMF generating Kamf_new and the key input parameter provided by the AAA-S. In other possible implementations the Target AMF may still generate Kamf_new,
while the key input parameters used to generate Kamf_new are provided:
by the AAA-S and the UE, i.e. key input parameter T1 from the UE and T5 from the AAA-S together; or
by the AAA-S and the Target AMF, i.e. T2 from the Target AMF and T5 from the AAA-S together; or
by the AAA-S, the UE and the Target AMF, i.e. T1 from the UE, T5 from the AAA-S and T2 from the Target AMF together.
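The Figure 10 embodiment differs from the earlier ones in two ways a practitioner should see end to end: Kamf_new is chained from the Kamf_old handed over by the Source AMF rather than from Kseaf, and the parameter that breaks the chain (T5) is derived from a secret that the Source AMF never held (the slice-authentication EMSK). The following Python is an added example written for this page, not code from the application or from any AAA or AMF product. The T5 construction (HMAC-SHA-256 keyed with the EMSK over a label and the target S-NSSAI), the KDF instance for Kamf_new = KDF(Kamf_old, T5), the labelled derivation of a NAS integrity key and the 32-bit NAS-MAC truncation are all assumptions; the EMSK, Kamf_old and S-NSSAI values are constructed sample data. The `demo()` function also shows why the chaining gives forward security: a party holding Kamf_old but not the EMSK cannot produce a message the UE will accept under Kamf_new.

```python
import hashlib
import hmac


def derive_t5(emsk: bytes, s_nssai: bytes) -> bytes:
    """T5 computed independently by the AAA-S (step 1007) and the UE (step 1013) from the
    EMSK of slice authentication. Assumed construction; the page only requires that nobody
    without the UE/AAA-S shared secret can produce T5."""
    return hmac.new(emsk, b"Kamf_new_T5" + s_nssai, hashlib.sha256).digest()


def derive_kamf_new(kamf_old: bytes, t5: bytes) -> bytes:
    """Kamf_new = KDF(Kamf_old, T5) of step 1011. Assumed KDF instance: HMAC-SHA-256 over a
    one-byte FC (0x6D, illustrative) and the length-prefixed parameter."""
    return hmac.new(kamf_old, bytes([0x6D]) + t5 + len(t5).to_bytes(2, "big"),
                    hashlib.sha256).digest()


def nas_int_key(kamf: bytes) -> bytes:
    """128-bit NAS integrity key from a Kamf (assumed labelled HMAC derivation)."""
    return hmac.new(kamf, b"NAS-INT", hashlib.sha256).digest()[:16]


def nas_mac(knasint: bytes, message: bytes) -> bytes:
    """32-bit NAS-MAC over the message, as a NAS SMC carries (truncation assumed)."""
    return hmac.new(knasint, message, hashlib.sha256).digest()[:4]


def target_amf_build_m4(kamf_old: bytes, t5: bytes, m4_body: bytes):
    """Network side (steps 1011-1012): derive Kamf_new from Kamf_old and the AAA-S-supplied
    T5, then protect M4 with NAS keys from Kamf_new. Returns (Kamf_new, M4 body, MAC)."""
    kamf_new = derive_kamf_new(kamf_old, t5)
    return kamf_new, m4_body, nas_mac(nas_int_key(kamf_new), m4_body)


def ue_handle_m4(kamf_old: bytes, emsk: bytes, s_nssai: bytes, m4_body: bytes, mac: bytes):
    """UE side (step 1013): regenerate T5 from the EMSK, derive Kamf_new the same way, and
    only then verify the MAC on M4. Returns (accepted, Kamf_new or None)."""
    t5 = derive_t5(emsk, s_nssai)
    kamf_new = derive_kamf_new(kamf_old, t5)
    if not hmac.compare_digest(nas_mac(nas_int_key(kamf_new), m4_body), mac):
        return False, None      # integrity check failed: abort, do not take Kamf_new into use
    return True, kamf_new


def demo():
    """Constructed sample run: EMSK from slice authentication, Kamf_old from the Source AMF."""
    emsk = hashlib.sha256(b"constructed EMSK").digest() * 2      # 64-byte sample EMSK
    kamf_old = hashlib.sha256(b"constructed Kamf_old").digest()   # sample Kamf_old
    s_nssai = bytes([0x01, 0x00, 0x00, 0x10])                      # SST=1, SD=0x000010 (sample)
    t5 = derive_t5(emsk, s_nssai)                                  # computed at the AAA-S
    kamf_new, m4, mac = target_amf_build_m4(kamf_old, t5, b"NAS SECURITY MODE COMMAND")
    accepted, ue_kamf_new = ue_handle_m4(kamf_old, emsk, s_nssai, m4, mac)
    # A Source AMF knows Kamf_old but not the EMSK, so any T5 it guesses gives a different
    # Kamf_new and a MAC the UE rejects: that is the forward-security property of the scheme.
    forged_mac = nas_mac(nas_int_key(derive_kamf_new(kamf_old, b"guess")), m4)
    forged_accepted, _ = ue_handle_m4(kamf_old, emsk, s_nssai, m4, forged_mac)
    return {"accepted": accepted, "same_key": ue_kamf_new == kamf_new,
            "isolated": kamf_new != kamf_old, "forged_accepted": forged_accepted}
```

Note the ordering inside `ue_handle_m4`: the UE must derive Kamf_new before it can verify a NAS SMC protected with keys from Kamf_new, which is why the derivation cannot be gated on a successful integrity check of that same message.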
In the example schemes of the embodiments of Figures 4-10, the UE initiates the Registration Request to the network side when it switches from a source slice to the next, mutually exclusive target slice. In practice the switch may also be triggered by the network side: for example, the source AMF serving the source slice determines, from the target slice, a target AMF able to serve it and notifies that target AMF to admit the UE to the target slice. In this scenario forward security of Kamf can still be achieved with mechanisms similar to those of the example schemes above,
where the network element generating the new key Kamf_new/Kseaf_new may be one of: the AUSF, the SEAF and the Target AMF.
The main difference is that the network element providing the key input parameters used to generate the new key (Kamf_new/Kseaf_new) may be one of: the Target AMF, the AUSF, the SEAF (in the separate SEAF/AMF deployment) and the AAA-S, among others.
Where the Target AMF provides key input parameter T2, T2 may be one or more of: a random number generated by the Target AMF; a key-update Counter; the NAS UL Counter; the S-NSSAI of the target slice; description information of the slice group (or slice class) the target slice belongs to; an identifier of that slice group (or slice class); description information of the target slice instance; an identifier of the target slice instance; an identifier of the Target AMF; the Target AMF instance; an identifier of the Target AMF instance; description information of the AMF Set the Target AMF belongs to; an identifier of that AMF Set; and so on. The purpose of T2 is to isolate the resulting Kamf_new from Kamf_old; the embodiments do not restrict its specific type, and any input parameter meeting that purpose may be used.
Where the AUSF provides key input parameter T3, T3 may be one or more of: a random number generated by the AUSF; a key-update Counter; and so on. The purpose of T3 is to isolate the resulting Kamf_new from Kamf_old; the embodiments do not restrict its specific type, and any input parameter meeting that purpose may be used.
Where the SEAF provides key input parameter T4, T4 may be one or more of: a random number generated by the SEAF; a key-update Counter; and so on. The purpose of T4 is to isolate the resulting Kamf_new from Kamf_old; the embodiments do not restrict its specific type, and any input parameter meeting that purpose may be used.
Where the slice authentication and authorisation function AAA-S provides key input parameter T5, T5 is generated, for example, from a secret shared between the UE and the AAA-S, such as the Extended Master Session Key established between them. This application does not restrict the method used to generate T5, provided that only the UE and the AAA-S are able to generate it.
A further difference is in the trigger: on the network side, generation of Kamf_new may be triggered by an indication from the Source AMF to the Target AMF, or by the Target AMF's own decision that Kamf_new is needed; on the UE side, it may be triggered by an indication from the Target AMF instructing the UE to generate Kamf_new.
For the network-triggered switch of the UE from a source slice to the next, mutually exclusive target slice, similar implementations can be found in the descriptions of the embodiments above and are not repeated here.
Some products involved in the schemes of the embodiments of this application are described below.
Referring to Figure 11, a user equipment UE 1100 may include a transceiver unit 1110 and a processing unit 1120.
The transceiver unit 1110 is configured to send a Registration Request message when the UE switches from a source slice to another target slice that is mutually exclusive with it, the Registration Request carrying the network slice selection assistance information NSSAI of the target slice requested by the UE.
The processing unit 1120 is configured to obtain a first AMF key Kamf_new, where Kamf_new differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF serving the target slice and Kamf_old the key of the source AMF serving the source slice.
In some possible implementations, the transceiver unit 1110 is further configured to receive, before Kamf_new is obtained, a first message sent by the target AMF that carries a key input parameter, which is used in generating Kamf_new.
In some possible implementations, the transceiver unit 1110 is further configured to receive, before Kamf_new is obtained, a second message sent by the target AMF that carries a first key update indication instructing the UE to update the AMF key.
In some possible implementations, the Registration Request carries key input parameter T1, which is used in generating Kamf_new.
In some possible implementations, the Registration Request carries a second key update indication instructing the network side to update the AMF key.
The functional modules of the user equipment 1100 of this embodiment may cooperate to perform some or all of the steps of any of the methods executed by the UE in the method embodiments above.
Referring to Figure 12, a target AMF may include a transceiver unit 1210 and a processing unit 1220.
The transceiver unit 1210 is configured to receive, when the UE switches from a source slice to another target slice that is mutually exclusive with it, a Registration Request message from the UE carrying the NSSAI of the target slice requested by the UE;
the processing unit 1220 is configured to obtain a first AMF key Kamf_new, which differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF, the target AMF being the AMF serving the target slice, and Kamf_old being the key of the source AMF serving the source slice.
In some possible implementations, the Registration Request further carries a second key update indication instructing the network side to update the AMF key; or the target AMF obtains Kamf_new upon determining that a locally preconfigured key-update condition is met.
In some possible implementations, the Registration Request carries key input parameter T1, which is used in generating Kamf_new.
In some possible implementations, the transceiver unit 1210 is further configured, after receiving the Registration Request from the UE,
to send a key update service request to the authentication server function AUSF, the request carrying key input parameter T1 and/or T2; and to receive the AUSF's response to that request, the response carrying the SEAF key Kseaf_new, which is generated using T1 and/or T2 and is used to generate Kamf_new.
Further, the transceiver unit may send the UE a first message carrying some or all of the key input parameters used to generate Kseaf_new (for example T2).
In some possible implementations, the transceiver unit 1210 is further configured, after receiving the Registration Request from the UE, to send a key update service request to the AUSF; to receive the AUSF's response carrying Kseaf_new and key input parameter T3, where Kseaf_new is generated using T3 and is used to generate Kamf_new; and to send the UE a first message carrying T3.
In some possible implementations, the transceiver unit 1210 is further configured, after receiving the Registration Request from the UE, to send a key update service request to the AUSF carrying key input parameter T2 and/or T1; to receive the AUSF's response carrying Kseaf_new and key input parameter T3, where Kseaf_new is generated using T3 and the key input parameter(s) carried in the request and is used to generate Kamf_new; and to send the UE a first message carrying T3.
In some possible implementations, the transceiver unit 1210 is further configured, after receiving the Registration Request from the UE, to send a key update service request to the security anchor function SEAF carrying key input parameter T2 and/or T1; and to receive the SEAF's response carrying Kamf_new, which is generated using T2 and/or T1. Further, the transceiver unit may send the UE a first message carrying some or all of the key input parameters used to generate Kamf_new (for example T2).
In some possible implementations, the transceiver unit 1210 is further configured, after receiving the Registration Request from the UE, to send a key update service request to the SEAF; to receive the SEAF's response carrying Kamf_new and key input parameter T4, where Kamf_new is generated using T4; and to send the UE a first message carrying T4.
In some possible implementations, the transceiver unit 1210 is further configured, after receiving the Registration Request from the UE, to send a key update service request to the SEAF carrying key input parameter T2 and/or T1; to receive the SEAF's response carrying Kamf_new and key input parameter T4, where Kamf_new is generated using T4 and the key input parameter(s) carried in the request; and to send the UE a first message carrying T4.
In some possible implementations, the transceiver unit 1210 is further configured, after receiving the Registration Request by which the UE requests access to the target slice, to send the slice authentication and authorisation server (AAA-S) a message carrying a key parameter indication instructing the AAA-S to generate key input parameter T5, and to receive T5 from the AAA-S, T5 being usable in generating Kamf_new;
or, the target AMF sends the AAA-S a message carrying a key parameter indication instructing the AAA-S to generate T5; the target AMF receives T5 from the AAA-S; and Kamf_new is generated using T5 together with key input parameter T1 and/or T2.
The functional modules of the target AMF 1200 of this embodiment may cooperate to perform some or all of the steps of any of the methods executed by the target AMF in the method embodiments above.
Referring to Figure 13, an authentication server function AUSF 1300 includes:
a processing unit 1320, configured, when the UE switches from a source slice to another target slice that is mutually exclusive with it and after a key update service request is received from the target AMF, to generate Kseaf_new, which is used to generate Kamf_new; Kamf_new differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF serving the target slice and Kamf_old the key of the source AMF serving the source slice;
a transceiver unit 1310, configured to return to the target AMF a response to the key update service request, the response carrying Kseaf_new, which is used to generate Kamf_new.
Generating Kseaf_new uses one or more of key input parameters T1, T2 and T3;
where T1 and/or T2 are used, they are carried in the key update service request to the AUSF;
where T3 is used, the response to the key update service request carries T3.
The functional modules of the AUSF 1300 of this embodiment may cooperate to perform some or all of the steps of any of the methods executed by the AUSF in the method embodiments above.
Referring to Figure 14, a security anchor function SEAF 1400 may include:
a processing unit 1420, configured, when the UE switches from a source slice to another target slice that is mutually exclusive with it and after a key update service request is received from the target AMF, to generate Kamf_new, where Kamf_new differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF serving the target slice and Kamf_old the key of the source AMF serving the source slice;
a transceiver unit 1410, configured to return to the target AMF a response to the key update service request, the response carrying Kamf_new;
Generating Kamf_new uses one or more of key input parameters T1, T2 and T4;
where T1 and/or T2 are used, they are carried in the key update service request to the SEAF;
where T4 is used in generating Kamf_new, the response to the key update service request carries T4.
The functional modules of the SEAF 1400 of this embodiment may cooperate to perform some or all of the steps of any of the methods executed by the SEAF in the method embodiments above.
Referring to Figure 15, a user equipment 1500 includes a processor 1510 and a memory 1520 coupled to each other; the processor 1510 is configured to invoke the computer program stored in the memory to perform some or all of the steps executed by the UE in any of the methods provided by the embodiments of this application.
Referring to Figure 16, a target AMF 1600 includes a processor 1610 and a memory 1620 coupled to each other; the processor 1610 is configured to invoke the computer program stored in the memory to perform some or all of the steps executed by the target AMF in any of the methods provided by the embodiments of this application.
Referring to Figure 17, an AUSF 1700 includes a processor 1710 and a memory 1720 coupled to each other; the processor 1710 is configured to invoke the computer program stored in the memory to perform some or all of the steps executed by the AUSF in any of the methods provided by the embodiments of this application.
Referring to Figure 18, a SEAF 1800 includes a processor 1810 and a memory 1820 coupled to each other; the processor 1810 is configured to invoke the computer program stored in the memory to perform some or all of the steps executed by the SEAF in any of the methods provided by the embodiments of this application.
An embodiment of this application further provides a computer-readable storage medium storing a computer program which, when executed by hardware (for example a processor), performs some or all of the steps of any of the methods executed by any network element in the embodiments of this application.
An embodiment of this application further provides a computer program product comprising instructions which, when run on a computer device, cause the computer device to perform some or all of the steps of any of the methods executed by any network element in the aspects above.
The embodiments above may be implemented wholly or partly in software, hardware, firmware or any combination of them. When implemented in software, they may be implemented wholly or partly as a computer program product comprising one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transferred from one computer-readable storage medium to another; for example, they may be transferred from one website, computer, server or data centre to another by wired (such as coaxial cable, optical fibre or digital subscriber line) or wireless (such as infrared, radio or microwave) means. The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data centre integrating one or more available media. The available medium may be a magnetic medium (such as a floppy disk, hard disk or magnetic tape), an optical medium (such as an optical disc) or a semiconductor medium (such as a solid-state drive).
The descriptions of the embodiments above each have their own emphasis; for parts not detailed in one embodiment, refer to the related descriptions of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus may also be implemented in other ways. The apparatus embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in practice; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be implemented in hardware or as a software functional unit.
When the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied as a software product (i.e. a computer program) stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, user equipment, mobile-communication network element, server or fixed-network element) to perform all or some of the steps of the methods of the embodiments of this application. The storage medium may include a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc or any other medium able to store program code.

Claims (34)

  1. A communication method, characterised by comprising:
    when a user equipment UE switches from a source slice to another target slice that is mutually exclusive with it, the UE sends a Registration Request message carrying the network slice selection assistance information NSSAI of the target slice requested by the UE;
    the UE obtains a first AMF key Kamf_new;
    wherein Kamf_new differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF serving the target slice and Kamf_old the key of the source AMF serving the source slice.
  2. The method of claim 1, characterised in that
    before the UE obtains the first AMF key Kamf_new, the method further comprises:
    the UE receiving a first message sent by the target AMF carrying a key input parameter, the key input parameter being used in generating Kamf_new.
  3. The method of claim 1 or 2, characterised in that
    before the UE obtains the first AMF key Kamf_new, the method further comprises:
    receiving a second message sent by the target AMF carrying a first key update indication, the first key update indication instructing the UE to update the AMF key.
  4. The method of claim 1, characterised in that
    the Registration Request carries key input parameter T1, which is used in generating Kamf_new.
  5. The method of claim 1 or 4, characterised in that
    the Registration Request carries a second key update indication, which instructs the network side to update the AMF key.
  6. A communication method, characterised by comprising:
    when a UE switches from a source slice to another target slice that is mutually exclusive with it, the target AMF serving the target slice receives a Registration Request message from the UE carrying the network slice selection assistance information NSSAI of the target slice requested by the UE;
    the target AMF obtains a first AMF key Kamf_new, which differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF and Kamf_old the key of the source AMF serving the source slice.
  7. The method of claim 6, characterised in that
    the Registration Request further carries a second key update indication instructing the network side to update the AMF key, and the target AMF obtains Kamf_new according to the second key update indication;
    or, the target AMF obtains Kamf_new upon determining that a locally preconfigured key-update condition is met.
  8. The method of claim 6 or 7, characterised in that
    the Registration Request carries key input parameter T1, which is used in generating Kamf_new.
  9. The method of any one of claims 6 to 8, characterised in that, after the target AMF receives the Registration Request from the UE, the method further comprises:
    the target AMF sends a key update service request to the authentication server function AUSF, the request carrying key input parameter T1 and/or T2; the target AMF receives the AUSF's response to the request, the response carrying the SEAF key Kseaf_new, generated using T1 and/or T2; Kseaf_new is used to generate Kamf_new;
    or,
    the target AMF sends a key update service request to the AUSF; the target AMF receives the AUSF's response to the request, the response carrying Kseaf_new and key input parameter T3, Kseaf_new being generated using T3; Kseaf_new is used to generate Kamf_new; the target AMF sends the UE a first message carrying T3;
    or,
    the target AMF sends a key update service request to the AUSF, the request carrying key input parameter T2 and/or T1; the target AMF receives the AUSF's response to the request, the response carrying Kseaf_new and key input parameter T3, Kseaf_new being generated using T3 and the key input parameter(s) carried in the request; Kseaf_new is used to generate Kamf_new; the target AMF sends the UE a first message carrying T3.
  10. The method of any one of claims 6 to 8, characterised in that, after the target AMF receives the Registration Request from the UE, the method further comprises:
    the target AMF sends a key update service request to the security anchor function SEAF, the request carrying key input parameter T2 and/or T1; the target AMF receives the SEAF's response to the request, the response carrying Kamf_new, generated using T2 and/or T1;
    or,
    the target AMF sends a key update service request to the SEAF; the target AMF receives the SEAF's response to the request, the response carrying Kamf_new and key input parameter T4, Kamf_new being generated using T4; the target AMF sends the UE a first message carrying T4;
    or,
    the target AMF sends a key update service request to the SEAF, the request carrying key input parameter T2 and/or T1; the target AMF receives the SEAF's response to the request, the response carrying Kamf_new and key input parameter T4, Kamf_new being generated using T4 and the key input parameter(s) carried in the request; the target AMF sends the UE a first message carrying T4.
  11. The method of any one of claims 6 to 8, characterised in that, after the target AMF receives the Registration Request from the UE, the method further comprises:
    the target AMF sends the slice authentication and authorisation server AAA-S a message carrying a key parameter indication instructing the AAA-S to generate key input parameter T5; the target AMF receives T5 from the AAA-S; Kamf_new is generated using T5;
    or
    the target AMF sends the AAA-S a message carrying a key parameter indication instructing the AAA-S to generate key input parameter T5; the target AMF receives T5 from the AAA-S; Kamf_new is generated using T5 together with key input parameter T1 and/or T2.
  12. A communication method, characterised by comprising:
    when a UE switches from a source slice to another target slice that is mutually exclusive with it and after a key update service request is received from the target AMF, the AUSF generates Kseaf_new, which is used to generate Kamf_new; Kamf_new differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF serving the target slice and Kamf_old the key of the source AMF serving the source slice;
    the AUSF returns to the target AMF a response to the key update service request, the response carrying Kseaf_new, which is used to generate Kamf_new;
    wherein generating Kseaf_new uses one or more of key input parameters T1, T2 and T3;
    where T1 and/or T2 are used, they are carried in the key update service request;
    where T3 is used, the response to the key update service request carries T3.
  13. A communication method, characterised by comprising:
    when a UE switches from a source slice to another target slice that is mutually exclusive with it and after a key update service request is received from the target AMF, the SEAF generates Kamf_new, where Kamf_new differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF serving the target slice and Kamf_old the key of the source AMF serving the source slice;
    the SEAF returns to the target AMF a response to the key update service request, the response carrying Kamf_new;
    wherein generating Kamf_new uses one or more of key input parameters T1, T2 and T4;
    where T1 and/or T2 are used, they are carried in the key update service request;
    where T4 is used in generating Kamf_new, the response to the key update service request carries T4.
  14. A user equipment UE, characterised by comprising:
    a transceiver unit configured to send, when the UE switches from a source slice to another target slice that is mutually exclusive with it, a Registration Request message carrying the network slice selection assistance information NSSAI of the target slice requested by the UE;
    a processing unit configured to obtain a first AMF key Kamf_new,
    wherein Kamf_new differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF serving the target slice and Kamf_old the key of the source AMF serving the source slice.
  15. The UE of claim 14, characterised in that
    the transceiver unit is further configured to receive, before the first AMF key Kamf_new is obtained, a first message sent by the target AMF carrying a key input parameter, which is used in generating Kamf_new.
  16. The UE of claim 14 or 15, characterised in that
    the transceiver unit is further configured to receive, before the first AMF key Kamf_new is obtained, a second message sent by the target AMF carrying a first key update indication instructing the UE to update the AMF key.
  17. The UE of claim 14, characterised in that
    the Registration Request carries key input parameter T1, which is used in generating Kamf_new.
  18. The UE of claim 14 or 17, characterised in that
    the Registration Request carries a second key update indication, which instructs the network side to update the AMF key.
  19. A target AMF, characterised by comprising:
    a transceiver unit configured to receive, when a UE switches from a source slice to another target slice that is mutually exclusive with it, a Registration Request message from the UE carrying the network slice selection assistance information NSSAI of the target slice requested by the UE;
    a processing unit configured to obtain a first AMF key Kamf_new, which differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF, the target AMF being the AMF serving the target slice, and Kamf_old being the key of the source AMF serving the source slice.
  20. The target AMF of claim 19, characterised in that
    the Registration Request further carries a second key update indication instructing the network side to update the AMF key, and the target AMF obtains Kamf_new according to the second key update indication;
    or, the target AMF obtains Kamf_new upon determining that a locally preconfigured key-update condition is met.
  21. The target AMF of claim 19 or 20, characterised in that
    the Registration Request carries key input parameter T1, which is used in generating Kamf_new.
  22. The target AMF of any one of claims 19 to 21, characterised in that the transceiver unit is further configured, after receiving the Registration Request from the UE,
    to send a key update service request to the authentication server function AUSF, the request carrying key input parameter T1 and/or T2; to receive the AUSF's response to the request, the response carrying the SEAF key Kseaf_new, generated using T1 and/or T2; Kseaf_new being used to generate Kamf_new;
    or,
    to send a key update service request to the AUSF; to receive the AUSF's response to the request, the response carrying Kseaf_new and key input parameter T3, Kseaf_new being generated using T3 and used to generate Kamf_new; and to send the UE a first message carrying T3;
    or,
    to send a key update service request to the AUSF, the request carrying key input parameter T2 and/or T1; to receive the AUSF's response to the request, the response carrying Kseaf_new and key input parameter T3, Kseaf_new being generated using T3 and the key input parameter(s) carried in the request and used to generate Kamf_new; and to send the UE a first message carrying T3.
  23. The target AMF of any one of claims 19 to 22, characterised in that the transceiver unit is further configured, after receiving the Registration Request from the UE,
    to send a key update service request to the security anchor function SEAF, the request carrying key input parameter T2 and/or T1; to receive the SEAF's response to the request, the response carrying Kamf_new, generated using T2 and/or T1;
    or,
    to send a key update service request to the SEAF;
    to receive the SEAF's response to the request, the response carrying Kamf_new and key input parameter T4, Kamf_new being generated using T4; and to send the UE a first message carrying T4;
    or,
    to send a key update service request to the SEAF, the request carrying key input parameter T2 and/or T1; to receive the SEAF's response to the request, the response carrying Kamf_new and key input parameter T4, Kamf_new being generated using T4 and the key input parameter(s) carried in the request; and to send the UE a first message carrying T4.
  24. The target AMF of any one of claims 19 to 21, characterised in that the transceiver unit is further configured, after receiving the Registration Request from the UE,
    to send the slice authentication and authorisation server AAA-S a message carrying a key parameter indication instructing the AAA-S to generate key input parameter T5; to receive T5 from the AAA-S; Kamf_new being generated using T5;
    or,
    the target AMF sends the AAA-S a message carrying a key parameter indication instructing the AAA-S to generate key input parameter T5; the target AMF receives T5 from the AAA-S; Kamf_new is generated using T5 together with key input parameter T1 and/or T2.
  25. An authentication server function AUSF, characterised by comprising:
    a processing unit configured, when a UE switches from a source slice to another target slice that is mutually exclusive with it and after a key update service request is received from the target AMF, to generate Kseaf_new, which is used to generate Kamf_new; Kamf_new differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF serving the target slice and Kamf_old the key of the source AMF serving the source slice;
    a transceiver unit configured to return to the target AMF a response to the key update service request, the response carrying Kseaf_new, which is used to generate Kamf_new;
    wherein generating Kseaf_new uses one or more of key input parameters T1, T2 and T3;
    where T1 and/or T2 are used, they are carried in the key update service request to the AUSF;
    where T3 is used, the response to the key update service request carries T3.
  26. A security anchor function SEAF, characterised by comprising:
    a processing unit configured, when a UE switches from a source slice to another target slice that is mutually exclusive with it and after a key update service request is received from the target AMF, to generate Kamf_new, where Kamf_new differs from a second AMF key Kamf_old, Kamf_new being the key of the target AMF serving the target slice and Kamf_old the key of the source AMF serving the source slice;
    a transceiver unit configured to return to the target AMF a response to the key update service request, the response carrying Kamf_new;
    wherein generating Kamf_new uses one or more of key input parameters T1, T2 and T4;
    where T1 and/or T2 are used, they are carried in the key update service request to the SEAF;
    where T4 is used in generating Kamf_new, the response to the key update service request carries T4.
  27. A user equipment, characterised by comprising:
    a processor and a memory coupled to each other;
    wherein the processor is configured to invoke the computer program stored in the memory to perform the method of any one of claims 1 to 5.
  28. A computer-readable storage medium, characterised in that
    the computer-readable storage medium stores a computer program which is executed by a processor to perform the method of any one of claims 1 to 5.
  29. A target AMF, characterised by comprising:
    a processor and a memory coupled to each other;
    wherein the processor is configured to invoke the computer program stored in the memory to perform the method of any one of claims 6 to 11.
  30. A computer-readable storage medium, characterised in that
    the computer-readable storage medium stores a computer program which is executed by a processor to perform the method of any one of claims 6 to 11.
  31. An AUSF, characterised by comprising:
    a processor and a memory coupled to each other;
    wherein the processor is configured to invoke the computer program stored in the memory to perform the method of claim 12.
  32. A computer-readable storage medium, characterised in that
    the computer-readable storage medium stores a computer program which is executed by a processor to perform the method of claim 12.
  33. A SEAF, characterised by comprising:
    a processor and a memory coupled to each other;
    wherein the processor is configured to invoke the computer program stored in the memory to perform the method of claim 13.
  34. A computer-readable storage medium, characterised in that
    the computer-readable storage medium stores a computer program which is executed by a processor to perform the method of claim 13.
PCT/CN2020/073317 2019-01-21 2020-01-20 Communication method and related product WO2020151677A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP20744950.5A EP3883280A4 (en) 2019-01-21 2020-01-20 COMMUNICATION PROCEDURE AND RELATED PRODUCT
US17/380,961 US12015707B2 (en) 2019-01-21 2021-07-20 Communication method and related product

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910055000.4A CN111465012B (zh) 2019-01-21 2019-01-21 Communication method and related product
CN201910055000.4 2019-01-21

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/380,961 Continuation US12015707B2 (en) 2019-01-21 2021-07-20 Communication method and related product

Publications (1)

Publication Number Publication Date
WO2020151677A1 true WO2020151677A1 (zh) 2020-07-30

Family

ID=71679104

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/073317 WO2020151677A1 (zh) 2019-01-21 2020-01-20 Communication method and related product

Country Status (4)

Country Link
US (1) US12015707B2 (zh)
EP (1) EP3883280A4 (zh)
CN (1) CN111465012B (zh)
WO (1) WO2020151677A1 (zh)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022094812A1 (zh) * 2020-11-04 2022-05-12 华为技术有限公司 一种切片隔离方法、装置及系统
US11937170B2 (en) * 2021-07-14 2024-03-19 Hewlett Packard Enterprise Development Lp Managing mutually exclusive access to network slices
JP7434225B2 (ja) * 2021-08-23 2024-02-20 株式会社東芝 認証装置、無線通信装置、無線通信システム、方法及びプログラム
CN114258017B (zh) * 2021-12-27 2024-01-30 中国电信股份有限公司 互斥切片接入方法、装置、电子设备及计算机可读介质

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018121880A1 (en) * 2016-12-30 2018-07-05 Telefonaktiebolaget Lm Ericsson (Publ) Network slice selection
CN109005540A (zh) * 2017-07-28 2018-12-14 华为技术有限公司 安全实现方法、相关装置以及系统
CN109151933A (zh) * 2017-06-19 2019-01-04 三星电子株式会社 用于网络虚拟化和会话管理的方法和装置

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1870808A (zh) * 2005-05-28 2006-11-29 华为技术有限公司 A key update method
CN101931951B (zh) * 2009-06-26 2012-11-07 华为技术有限公司 Key derivation method, device, and system
EP3398379B1 (de) * 2015-12-30 2021-10-06 Deutsche Telekom AG Method for establishing a communication connection of a communication terminal via a communication network slice
CN107666666B (zh) * 2016-07-27 2022-11-08 中兴通讯股份有限公司 Key derivation method and apparatus
WO2018079691A1 (ja) * 2016-10-26 2018-05-03 日本電気株式会社 Communication system, security device, communication terminal, and communication method
CN114143849A (zh) * 2017-01-05 2022-03-04 日本电气株式会社 gNB, user equipment, and methods therefor
US11265705B2 (en) * 2017-01-17 2022-03-01 Nec Corporation Communication system, communication terminal, AMF entity, and communication method
PT3574669T (pt) * 2017-01-30 2021-10-26 Ericsson Telefon Ab L M Security context management in 5G during connected mode
WO2018199649A1 (en) * 2017-04-27 2018-11-01 Samsung Electronics Co., Ltd. Method and apparatus for registration type addition for service negotiation
US10264506B2 (en) * 2017-05-13 2019-04-16 Qualcomm Incorporated Enable a network-trigger change of network slices
US10841302B2 (en) * 2017-05-24 2020-11-17 Lg Electronics Inc. Method and apparatus for authenticating UE between heterogeneous networks in wireless communication system
EP3641424B1 (en) * 2017-06-17 2022-05-04 LG Electronics Inc. Method for registering a user equipment with a network slice in a wireless communication system and user equipment therefor
KR102588974B1 (ko) * 2017-06-19 2023-10-12 아이디에이씨 홀딩스, 인크. Method and system for privacy protection of 5G slice identifiers
US11071021B2 (en) * 2017-07-28 2021-07-20 Qualcomm Incorporated Security key derivation for handover
KR102425675B1 (ko) * 2017-08-14 2022-07-28 삼성전자 주식회사 Method for negotiating provided capabilities and mapping slice information between network and terminal in a 5G system
US11172437B2 (en) * 2017-10-02 2021-11-09 Lg Electronics Inc. Method and device for transmitting or receiving information in wireless communication system supporting network slicing
JP2021502739A (ja) * 2017-11-13 2021-01-28 テレフオンアクチーボラゲット エルエム エリクソン(パブル) Secure authentication in a communication network
US10834668B2 (en) * 2017-11-14 2020-11-10 Ofinno, Llc AMF selection for isolated network slice
US10542428B2 (en) * 2017-11-20 2020-01-21 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during handover
KR20240116587A (ko) * 2017-12-22 2024-07-29 레노보 (싱가포르) 피티이. 엘티디. Network slice selection assistance information configuration
US20190230556A1 (en) * 2018-01-19 2019-07-25 Electronics And Telecommunications Research Institute Apparatus and method for network function profile management

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018121880A1 (en) * 2016-12-30 2018-07-05 Telefonaktiebolaget Lm Ericsson (Publ) Network slice selection
CN109151933A (zh) * 2017-06-19 2019-01-04 三星电子株式会社 Method and apparatus for network virtualization and session management
CN109005540A (zh) * 2017-07-28 2018-12-14 华为技术有限公司 Security implementation method, related apparatus, and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "Update of Solution #1.36 for SEAF Realization via AMF", 3GPP S3-170778, 31 March 2017 (2017-03-31), XP051248529, DOI: 20200401113211X *
NOKIA: "Evolution Scenario for AMF and SEAF from 5G Phase 1 to Later Phases", 3GPP S3-170636, 31 March 2017 (2017-03-31), XP051248390, DOI: 20200401113547A *
See also references of EP3883280A4 *

Also Published As

Publication number Publication date
US12015707B2 (en) 2024-06-18
CN111465012A (zh) 2020-07-28
US20210351925A1 (en) 2021-11-11
EP3883280A4 (en) 2022-01-05
EP3883280A1 (en) 2021-09-22
CN111465012B (zh) 2021-12-10

Similar Documents

Publication Publication Date Title
US10728757B2 (en) Security implementation method, related apparatus, and system
WO2020151677A1 (zh) Communication method and related product
JP6732095B2 (ja) Unified authentication for heterogeneous networks
WO2020024764A1 (zh) Method and apparatus for verifying a user equipment identifier during an authentication procedure
WO2020221219A1 (zh) Communication method and communication device
JP2022502908A (ja) System and method for security protection of NAS messages
US20170359719A1 (en) Key generation method, device, and system
WO2020207156A1 (zh) Authentication method, apparatus, and device
WO2020248624A1 (zh) Communication method, network device, user equipment, and access network device
US20230269589A1 (en) Slice-specific security requirement information
CN113676901B (zh) Key management method, device, and system
WO2021063304A1 (zh) Communication authentication method and related device
WO2023213301A1 (zh) Authentication method, communication apparatus, and computer-readable storage medium
WO2021249325A1 (zh) Slice service verification method and apparatus therefor
US12132823B2 (en) Communication authentication method and related device
WO2024065843A1 (zh) Access authentication method and apparatus for a personal IoT network element (PINE)
CN118489231A (zh) Authentication support for an electronic device connecting to a telecommunications network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20744950; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase
    Ref document number: 2020744950; Country of ref document: EP; Effective date: 20210615
NENP Non-entry into the national phase
    Ref country code: DE