WO2020215331A1 - A communication method and device - Google Patents

A communication method and device


Publication number
WO2020215331A1
Authority
WO
WIPO (PCT)
Prior art keywords
auxiliary information
slice selection
selection auxiliary
rand
terminal device
Prior art date
Application number
PCT/CN2019/084657
Other languages
English (en)
French (fr)
Inventor
胡昊
雷中定
吴�荣
张博
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to EP19926409.4A (granted as EP3952374B1)
Priority to CN201980088829.2A (granted as CN113302958B)
Priority to PCT/CN2019/084657 (published as WO2020215331A1)
Publication of WO2020215331A1
Priority to US17/452,185 (granted as US11956715B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/18 Selecting a network or a communication service
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/037 Protecting confidentiality of the control plane, e.g. signalling traffic
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/043 Key management using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H04W 60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W 60/04 Affiliation to network using triggered events
    • H04W 8/00 Network data management
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W 8/08 Mobility data transfer
    • H04W 8/12 Mobility data transfer between location registers or mobility servers
    • H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data

Definitions

  • This application relates to the field of wireless communication technology, and in particular to a communication method and device.
  • the NSSAI may include the service/slice type (SST) and the slice differentiator (SD);
  • SST service/slice type
  • SD slice differentiator
  • the base station can select the appropriate access and mobility management function (AMF) network element according to the NSSAI and local policies to provide slice services for the terminal device; in addition, the base station also performs AMF congestion control according to the NSSAI sent by the terminal device through the access stratum (AS).
  • AMF access and mobility management function
  • This application provides a communication method and device to effectively protect the AS-layer NSSAI without changing the existing security protocol process.
  • a communication method includes: a terminal device obtains first slice selection auxiliary information, where the first slice selection auxiliary information is obtained by encrypting second slice selection auxiliary information, and the second slice selection auxiliary information is the slice selection auxiliary information that the terminal device is allowed to access; the terminal device sends a registration request message to the access network device, and the registration request message includes the first slice selection auxiliary information.
  • the method may be executed by a first communication device.
  • the first communication device may be a terminal device or a communication device capable of supporting the terminal device to implement the functions required by the method, and of course, it may also be another communication device, such as a chip system.
  • the first communication device is a terminal device.
  • the terminal device can send the encrypted slice selection auxiliary information to the access network device through the registration request message, which can effectively protect the AS layer slice selection auxiliary information without changing the existing security protocol process.
  • the terminal device may adopt, but is not limited to, obtain the first slice selection auxiliary information in the following manner.
  • Manner 1 The terminal device generates the first slice selection auxiliary information according to the second slice selection auxiliary information.
  • Manner 2 The terminal device receives the first slice selection auxiliary information from the mobility management network element.
  • the first mode and the second mode are respectively described below.
  • Based on Manner 1, in a possible implementation, the terminal device generates the first slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the first random number (RAND).
  • the terminal device may obtain the first RAND in, but not limited to, the following manners.
  • Manner 1 The terminal device receives the first RAND from the mobility management network element.
  • Manner 2 The terminal device receives the second RAND from the mobility management network element, and generates the first RAND according to the second RAND and the first key.
  • the terminal device may derive the first key according to the locally stored second key.
  • the terminal device may also receive a third RAND from the mobility management network element, and the third RAND is used to update the first RAND or the second RAND.
  • when the third RAND is used to update the first RAND, the terminal device generates third slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the third RAND; or, when the third RAND is used to update the second RAND, the terminal device generates fourth slice selection auxiliary information according to the second slice selection auxiliary information, the first function, the first key, and the third RAND, and the terminal device uses the fourth slice selection auxiliary information to update the first slice selection auxiliary information.
  • the terminal device receives the first correspondence from the mobility management network element, and the first correspondence includes the correspondence between the first slice selection auxiliary information and the second slice selection auxiliary information .
  • the terminal device may also receive the third slice selection auxiliary information from the mobility management network element, the third slice selection auxiliary information is used to update the first slice selection auxiliary information, and the terminal The device uses the third slice selection auxiliary information to update the first slice selection auxiliary information.
  • the terminal device may receive a second corresponding relationship from the mobility management network element, and the second corresponding relationship includes the corresponding relationship between the second slice selection auxiliary information and the third slice selection auxiliary information .
  • the first function includes an encryption function, or the first function includes correspondences between multiple RANDs and multiple first mappings, and each first mapping includes a mapping relationship between multiple first slice selection auxiliary information and multiple second slice selection auxiliary information, and/or a mapping relationship between multiple third slice selection auxiliary information and multiple second slice selection auxiliary information, and/or a mapping relationship between multiple fourth slice selection auxiliary information and multiple second slice selection auxiliary information.
  • a communication method includes: an access network device receives a first registration request message from a terminal device, the first registration request message includes first slice selection auxiliary information, the first slice selection auxiliary information is obtained by encrypting second slice selection auxiliary information, and the second slice selection auxiliary information is the slice selection auxiliary information that the terminal device is allowed to access; the access network device generates the second slice selection auxiliary information according to the first slice selection auxiliary information, and sends a second registration request message to the mobility management network element, where the second registration request message includes the second slice selection auxiliary information.
  • the method can be executed by a second communication device.
  • the second communication device can be an access network device or a communication device capable of supporting the access network device to implement the functions required by the method, and of course, it can also be another communication device, such as a chip system.
  • the second communication device is an access network device.
  • when the terminal device sends the slice selection auxiliary information to the access network device through the AS layer, it can send the encrypted slice selection auxiliary information. After receiving the encrypted slice selection auxiliary information, the access network device can decrypt it and send the decrypted slice selection auxiliary information to the mobility management network element. In this way, the AS layer can protect the slice selection auxiliary information and prevent the leakage of user privacy and slice information, while the availability of the slice selection auxiliary information in the access network device is not reduced.
  • the access network device may generate the second slice selection auxiliary information according to the first slice selection auxiliary information, the first function, and the first RAND.
  • before the access network device generates the second slice selection auxiliary information according to the first slice selection auxiliary information, the first function, and the first RAND, it may obtain the first RAND in, but not limited to, the following methods.
  • Method 1 The access network device receives the first RAND from the mobility management network element.
  • Method 2 The access network device receives the second RAND and the first key from the mobility management network element, and generates the first RAND according to the second RAND and the first key.
  • the access network device may also receive a third RAND from the mobility management network element, and the third RAND is used to update the first RAND or the second RAND.
  • the first function includes an encryption function, or the first function includes correspondences between multiple RANDs and multiple first mappings, and each first mapping includes multiple first slice selection auxiliary information Mapping relationship with multiple second slice selection auxiliary information.
  • a communication method includes: a mobility management network element receives a registration request message from a terminal device, the registration request message includes the selection auxiliary information of the slice that the terminal device requests to access; after the mobility management network element establishes a security context, it sends a registration acceptance message to the terminal device, the registration acceptance message includes first slice selection auxiliary information, the first slice selection auxiliary information is obtained by encrypting second slice selection auxiliary information, and the second slice selection auxiliary information is the slice selection auxiliary information that the terminal device is allowed to access.
  • the method can be executed by a third communication device.
  • the third communication device can be a mobility management network element or a communication device capable of supporting the mobility management network element to realize the functions required by the method. Of course, it can also be another communication device, such as a chip system. Here, it is taken as an example that the third communication device is a mobility management network element.
  • when the mobility management network element sends the slice selection auxiliary information that the terminal device is allowed to access, it sends the encrypted slice selection auxiliary information, so that when the terminal device subsequently initiates a registration request again, it can send the encrypted slice selection auxiliary information to the access network device through the AS layer, which achieves the purpose of protecting the slice selection auxiliary information at the AS layer and thereby prevents the leakage of user privacy and slice information.
  • the mobility management network element may also determine the second slice selection auxiliary information according to the selection auxiliary information of the slice to be accessed, and generate the first slice selection auxiliary information according to the second slice selection auxiliary information.
  • the mobility management network element may, but is not limited to, generate the first slice selection auxiliary information according to the second slice selection auxiliary information in the following manner: the mobility management network element generates the first RAND, and generates the first slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the first RAND.
  • the mobility management network element may also generate a first corresponding relationship according to the first slice selection auxiliary information and the second slice selection auxiliary information, and store the first corresponding relationship, where the first corresponding relationship includes the corresponding relationship between the first slice selection auxiliary information and the second slice selection auxiliary information.
  • the registration acceptance message includes a first corresponding relationship
  • the first slice selection auxiliary information includes the first corresponding relationship
  • the mobility management network element may also send the first RAND to the access network device accessed by the terminal device.
  • the mobility management network element may also generate a second RAND, the second RAND is used to update the first RAND, and the mobility management network element generates third slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the second RAND; the third slice selection auxiliary information is used to update the first slice selection auxiliary information, and the mobility management network element sends the third slice selection auxiliary information to the terminal device.
  • the mobility management network element may also generate a second corresponding relationship according to the second slice selection auxiliary information and the third slice selection auxiliary information, and store the second corresponding relationship.
  • the second corresponding relationship includes the corresponding relationship between the second slice selection auxiliary information and the third slice selection auxiliary information.
  • the mobility management network element may also send the second correspondence to the terminal device.
  • the mobility management network element may send the second RAND to the access network device accessed by the terminal device.
  • the first function includes an encryption function, or the first function includes correspondences between multiple RANDs and multiple first mappings, and each first mapping includes a mapping relationship between multiple first slice selection auxiliary information and multiple second slice selection auxiliary information, and/or a mapping relationship between multiple third slice selection auxiliary information and multiple second slice selection auxiliary information.
  • a communication method includes: a mobility management network element generates a first RAND or a second RAND, and the mobility management network element sends the first RAND or the second RAND to a terminal device.
  • the method can be executed by a third communication device.
  • the third communication device can be a mobility management network element or a communication device capable of supporting the mobility management network element to realize the functions required by the method. Of course, it can also be another communication device, such as a chip system. Here, it is taken as an example that the third communication device is a mobility management network element.
  • the mobility management network element can send the first RAND or the second RAND to the terminal device, so that the terminal device can generate encrypted slice selection auxiliary information according to the first RAND or the second RAND, and the terminal device can subsequently send the encrypted slice selection auxiliary information to the access network device through the AS layer, which achieves the purpose of protecting the slice selection auxiliary information at the AS layer and thereby prevents the leakage of user privacy and slice information.
  • the mobility management network element may also send the first RAND to the access network device accessed by the terminal device; or, the mobility management network element may send the second RAND and the first key to the access network device accessed by the terminal device.
  • the mobility management network element may also send a third RAND to the terminal device or the access network device accessed by the terminal device, and the third RAND is used to update the first RAND or the second RAND.
  • the present application provides a communication device, which has the function of implementing any of the foregoing aspects or the implementation method in any aspect.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the present application provides a communication device, including: a processor and a memory; the memory is used to store computer execution instructions, and when the device is running, the processor executes the computer execution instructions stored in the memory to enable the device to execute any aspect or any implementation method in any aspect described above.
  • the present application provides a communication device, including: a unit or means for performing each step of any of the above aspects.
  • the present application provides a communication device including a processor and an interface circuit.
  • the processor is configured to communicate with other devices through the interface circuit and execute any method provided in any of the above aspects.
  • there are one or more processors.
  • the present application provides a communication device, including a processor, configured to be connected to a memory, and configured to call a program stored in the memory to execute the method in any implementation manner of any of the foregoing aspects.
  • the memory can be located inside the device or outside the device.
  • there are one or more processors.
  • the present application also provides a computer-readable storage medium having instructions stored in the computer-readable storage medium, which when run on a computer, cause a processor to execute the method described in any of the foregoing aspects.
  • the present application also provides a computer program product including instructions, which when run on a computer, cause the computer to execute the method described in any of the above aspects.
  • the present application also provides a chip system, including a processor, configured to execute the methods described in the foregoing aspects.
  • the present application also provides a communication system, including at least two of: a terminal device for executing the foregoing first aspect or any implementation method of the first aspect, an access network device for executing the foregoing second aspect or any implementation method of the second aspect, a mobility management network element for executing the third aspect or any implementation method of the third aspect, and a mobility management network element for executing the fourth aspect or any implementation method of the fourth aspect.
  • FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of this application.
  • FIG. 2 is a schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 3 is a schematic diagram of generating first slice selection auxiliary information according to an embodiment of the application.
  • FIG. 4 is a schematic diagram of generating a first RAND according to an embodiment of the application.
  • FIG. 5 is a schematic diagram of generating second slice selection auxiliary information according to an embodiment of this application.
  • FIG. 6a is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 6b is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 6c is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 7a is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 7b is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 7c is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 8 is a schematic structural diagram of a communication device provided by an embodiment of this application.
  • FIG. 9 is a schematic structural diagram of another communication device provided by an embodiment of this application.
  • FIG. 10 is a schematic structural diagram of another communication device provided by an embodiment of this application.
  • FIG. 11 is a schematic structural diagram of a terminal device provided by an embodiment of this application.
  • FIG. 12 is a schematic structural diagram of an access network device provided by an embodiment of this application.
  • FIG. 13 is a schematic structural diagram of a mobility management network element provided by an embodiment of this application.
  • FIG. 1 is a schematic diagram of the fifth generation (5G) network architecture based on a service-oriented architecture.
  • the 5G network architecture shown in FIG. 1 may include three parts, namely a terminal equipment part, a data network (DN), and an operator network part.
  • DN data network
  • the operator network may also be referred to as a mobile communication network, and is mainly a network through which mobile network operators (mobile network operator, MNO) provide users with mobile broadband access services.
  • the operator network described in the embodiment of this application may specifically be a network that meets the requirements of the 3rd generation partnership project (3rd generation partnership project, 3GPP) standard, referred to as the 3GPP network.
  • 3GPP networks are operated by operators, including but not limited to 5G networks, fourth-generation mobile communication technology (4th-generation, 4G) networks, third-generation mobile communication technology (3rd-generation, 3G) networks, second-generation wireless telephone technology (2-generation wireless telephone technology, 2G) networks, etc.
  • the operator's network is a 5G network as an example.
  • 5G operator networks may include network exposure function (NEF) network elements, network function repository function (NRF) network elements, policy control function (PCF) network elements, unified data management (UDM) network elements, application function (AF) network elements, authentication server function (AUSF) network elements, access and mobility management function (AMF) network elements, session management function (SMF) network elements, (radio) access network ((R)AN), user plane function (UPF) network elements, etc.
  • NEF network exposure function
  • NRF network function repository function (also referred to as the network storage function)
  • PCF policy control function
  • UDM unified data management
  • AF application function
  • AUSF authentication server function
  • AMF access and mobility management function
  • SMF session management function
  • (R)AN (radio) access network
  • UPF user plane function
  • the terminal device of this application can provide call and/or data services, and can be a wired or wireless terminal device.
  • Wireless terminal devices can be mobile phones, computers, tablet computers, personal digital assistants (PDAs), mobile Internet devices (MIDs), wearable devices, e-book readers, etc.
  • the wireless terminal device may be a mobile station (mobile station) or an access point (access point).
  • UE User equipment
  • LTE long term evolution
  • the above-mentioned terminal equipment can establish a connection with the operator's network through an interface (such as N1, etc.) provided by the operator's network, and use services such as data and/or voice provided by the operator's network.
  • the terminal device can also access the DN through the operator's network, and use the operator's service deployed on the DN and/or the service provided by a third party.
  • the above-mentioned third party may be a service party other than the operator's network and terminal equipment, and may provide other data and/or voice services for the terminal equipment.
  • the specific form of expression of the aforementioned third party can be determined according to actual application scenarios, and is not limited here.
  • AN is a sub-network of an operator's network and an implementation system between service nodes and terminal equipment in the operator's network.
  • to access the operator's network, the terminal device first passes through the AN, and then can be connected to the service node of the operator's network through the AN.
  • the AN equipment in this application is a type of equipment that provides wireless communication functions for terminal equipment.
  • the access network equipment includes but is not limited to: next-generation base stations (gNodeB, gNB) in 5G, evolved node B (eNB), radio network controller (RNC), node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved nodeB or home node B, HNB), baseband unit (BBU), transmitting and receiving point (TRP), transmission point (TP), mobile switching center, etc.
  • gNB next-generation base station (gNodeB)
  • eNB evolved node B
  • RNC radio network controller
  • NB node B
  • BSC base station controller
  • BTS base transceiver station
  • HNB home base station (home evolved nodeB or home node B)
  • BBU baseband unit
  • TRP transmitting and receiving point
  • TP transmission point
  • the AMF network element is a control plane network element provided by the operator's network. It is responsible for the access control and mobility management of terminal equipment accessing the operator's network, and includes functions such as mobile status management, allocation of temporary user identities, and authentication and authorization of users.
  • the SMF network element is a control plane network element provided by the operator's network, and is responsible for managing the protocol data unit (protocol data unit, PDU) session of the terminal device.
  • a PDU session is a channel used to transmit PDUs, and terminal devices need to transmit PDUs to each other through the PDU session and DN.
  • the PDU session is established, maintained, and deleted by the SMF network element.
  • SMF network elements include session-related functions such as session management (for example session establishment, modification and release, including tunnel maintenance between the UPF and the AN), UPF network element selection and control, service and session continuity (SSC) mode selection, and roaming.
  • SSC service and session continuity
  • the UPF network element is a gateway provided by the operator and a gateway for the communication between the operator's network and the DN.
  • UPF network elements include user plane-related functions such as packet routing and forwarding, packet inspection, service usage reporting, quality of service (QoS) processing, lawful interception, uplink packet inspection, and downlink packet storage.
  • QoS quality of service
  • DN is also called packet data network (PDN).
  • the operator's network can be connected to multiple DNs, and multiple services can be deployed on a DN to provide terminal equipment with services such as data and/or voice.
  • for example, a DN may be the private network of a smart factory.
  • the sensors installed in the workshop of the smart factory can be terminal devices.
  • the control server of the sensor is deployed in the DN, and the control server can provide services for the sensors.
  • the sensor can communicate with the control server, obtain instructions from the control server, and transmit the collected sensor data to the control server according to the instructions.
  • for another example, a DN may be the internal office network of a company.
  • the mobile phones or computers of employees of the company can be terminal devices, and the mobile phones or computers of employees can access information and data resources on the company's internal office network.
  • the UDM network element is a control plane network element provided by the operator. It is responsible for storing the subscriber permanent identifier (SUPI), credential, security context, subscription data and other information of subscribers in the operator's network.
  • the information stored in UDM network elements can be used for authentication and authorization of terminal equipment accessing the operator's network.
  • the subscribers of the above-mentioned operator's network may specifically be users who use the services provided by the operator's network, such as users of a China Telecom mobile phone core card or users of a China Mobile mobile phone core card.
  • the SUPI of the aforementioned subscriber can be the number of the mobile phone core card, etc.
  • the credential and security context of the aforementioned subscriber may be a small stored file, such as the encryption key of the mobile phone core card, or information related to the encryption of the mobile phone core card, used for authentication and/or authorization.
  • the aforementioned security context may be data (cookie) or token (token) stored on the user's local terminal (for example, mobile phone).
  • the subscription data of the aforementioned subscriber may be the services supported by the mobile phone core card, such as the data package of the mobile phone core card or its network usage.
  • permanent identifiers, credentials, security contexts, authentication data (cookies), and tokens are equivalent to information related to authentication and authorization.
  • for convenience of description, no distinction or restriction is made between these. Unless otherwise specified, the embodiments of the present application are described using a security context as an example, but they also apply to authentication and/or authorization information in other forms.
  • the AUSF network element is a control plane network element provided by the operator, and is usually used for primary authentication, that is, authentication between the terminal device (subscriber) and the operator's network. After the AUSF network element receives an authentication request initiated by the subscriber, it can authenticate and/or authorize the subscriber using the authentication information and/or authorization information stored in the UDM network element, or generate the subscriber's authentication and/or authorization information through the UDM network element. The AUSF network element can feed back the authentication information and/or authorization information to the subscriber.
  • NEF network elements are control plane network elements provided by operators. The NEF network element securely exposes the external interface of the operator's network to third parties. When the SMF network element needs to communicate with a third-party network element, the NEF network element can serve as a relay for that communication. When acting as a relay, the NEF network element can translate the identification information of the subscriber and of the third-party network element. For example, when the NEF sends the SUPI of a subscriber from the operator network to a third party, it can translate the SUPI into the corresponding external identity (ID); conversely, when the NEF network element sends an external ID (third-party network element ID) into the operator's network, it can translate it into a SUPI.
  • the PCF network element is a control plane function provided by the operator to provide the SMF network element with a PDU session strategy.
  • Policies can include charging-related policies, QoS-related policies, and authorization-related policies.
  • the network slice selection function (NSSF) network element (not shown in the figure) is responsible for determining the network slice instance (NSI), selecting the AMF network element, and so on.
  • the network elements involved in the embodiments of this application may also be referred to as functions or functional entities, which are not limited in this application.
  • the mobility management network element may also be called a mobility management function or a mobility management function entity.
  • the session management function network element may be called a session management function or a session management function entity.
  • Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface serial numbers.
  • the meaning of these interface serial numbers can refer to the meaning defined in the 3GPP standard protocol, which is not limited here.
  • the mobility management network element in this application may be the AMF network element shown in FIG. 1, or may be a network element having the function of the above-mentioned AMF network element in a future communication system.
  • the mobility management network element in this application may also be a mobility management entity (mobility management entity, MME) in LTE.
  • the access network equipment in this application may be the next generation radio access network (NG-RAN) in the 5G network.
  • NG-RAN includes but is not limited to: gNB, RNC or TRP in 5G.
  • in future communications, for example 6G or other networks, the access network equipment may still be NG-RAN or may have other names, which is not limited by this application.
  • the access network equipment in this application may also be an eNB or NB in LTE.
  • in the following, the mobility management network element being the AMF, the access network device being the NG-RAN, and the terminal device being a UE is taken as an example; AMF can be replaced with mobility management network element, UE with terminal equipment, and NG-RAN with access network equipment.
  • Slice in this application can also be called “network slice” or “network slice instance”, and the three have the same meaning.
  • 3GPP emphasizes that network slices do not affect each other. For example, a large number of sudden meter reading services should not affect normal mobile broadband services.
  • in order to meet diverse needs and isolation between slices, 3GPP requires relatively independent management and operation and maintenance between services, and provides tailor-made service functions and analysis capabilities. Instances of different service types are deployed on different network slices, and different instances of the same service type can also be deployed on different network slices.
  • the slice in the 5G network is a virtual private network, which is composed of a set of network functions and sub-networks.
  • AN, AMF, SMF, UPF in Figure 1 can form a slice.
  • each type of network function in Figure 1 is drawn only schematically; in an actual network deployment there may be several, tens or hundreds of each type of network function or sub-network.
  • Many network slices can be deployed in the operator's network, and each slice can have different performance to meet the needs of different applications and different vertical industries. Operators can tailor a slice according to the needs of customers in different vertical industries. Operators can also allow some industry customers to enjoy greater autonomy and participate in part of the management and control functions of slicing.
  • slice-level authentication is a network control function in which industry customers participate, that is, authentication and authorization of terminal users accessing slices.
  • when a network slice is deployed in the network and the user initially attaches to (registers with) the network, the network slice selection process is triggered.
  • the selection process of the network slice depends on the user's subscription data, local configuration information, roaming agreement, operator's strategy, etc.
  • the above parameters need to be considered comprehensively to select the best slice type for the UE. After the best slice type is selected for the UE, the UE can access the slice service.
  • the UE may provide the requested network slice information to the core network for the core network to select a network slice instance for the UE.
  • the network slice information may be requested network slice selection assistance information (requested network slice selection assistance information, requested NSSAI).
  • the requested NSSAI is composed of one or more single network slice selection assistance information (S-NSSAI).
  • S-NSSAI single network slice selection assistance information
  • each S-NSSAI is used to identify a single network slice type; in other words, S-NSSAI is the identification information of a single network slice. Since NSSAI is composed of one or more S-NSSAIs, in the following description NSSAI can be replaced with S-NSSAIs or S-NSSAI.
  • a core network element (such as the AMF, NSSF or UDM) makes a comprehensive judgment based on the UE's NSSAI (such as the UE's requested NSSAI, requested S-NSSAIs or requested S-NSSAI), the roaming agreement, local configuration and other information, selects the network slices that the UE is allowed to access, and can send the allowed network slice selection assistance information (allowed NSSAI) to the UE.
  • the access-allowed network slice selection auxiliary information can be represented by allowed NSSAI or allowed S-NSSAIs or allowed S-NSSAI
  • allowed S-NSSAI is the S-NSSAI allowed to be accessed by the current operator's network.
  • in the following, allowed S-NSSAIs are taken as the example of the network slice selection assistance information that is allowed to be accessed.
  • after the UE receives the allowed S-NSSAIs, it can request access to these slices and send the allowed S-NSSAIs to the NG-RAN (for example, a gNB). After the NG-RAN receives the allowed S-NSSAIs, it can select an appropriate AMF according to them to provide slice services for the UE; in addition, the NG-RAN also performs AMF congestion control according to the allowed S-NSSAIs sent by the UE through the access stratum (AS).
  • for example, an eavesdropper can determine whether there is a police station in a certain area by intercepting allowed S-NSSAIs at the AS layer; an eavesdropper can also determine the type of slice a user has recently accessed, and thereby the recent behaviour of that user, by intercepting allowed S-NSSAIs at the AS layer. Therefore, how to design an effective AS-layer protection method for allowed S-NSSAIs without changing the existing security protocol process is a problem that urgently needs to be solved.
  • this application provides a variety of communication methods to effectively protect the allowed S-NSSAIs at the AS layer without changing the existing security protocol process, which will be described in detail below.
  • taking the mobility management network element being the AMF, the access network equipment being the NG-RAN, and the terminal device being a UE as an example, the method includes the following steps:
  • Step 101 The UE obtains the first slice selection auxiliary information.
  • the first slice selection auxiliary information is obtained by encrypting the second slice selection auxiliary information, or by an operation that takes the second slice selection auxiliary information as input.
  • the second slice selection auxiliary information is selection auxiliary information of slices that the UE is allowed to access.
  • the second slice selection auxiliary information may be allowed S-NSSAIs or allowed NSSAI.
  • the first slice selection auxiliary information can be described as temporary selection auxiliary information of the slices that the UE is allowed to access, that is, allowed TS-NSSAIs or allowed T-NSSAI.
  • the UE may obtain the first slice selection auxiliary information in but not limited to the following two ways.
  • in the first way, the UE generates the first slice selection auxiliary information according to the second slice selection auxiliary information.
  • the UE may use but not limited to the following methods to generate the first slice selection auxiliary information according to the second slice selection auxiliary information.
  • Manner 1 The UE generates the first slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and a first random number (RAND).
  • the first function may be a public function pre-stored in the UE.
  • the UE can use, but is not limited to, the following method to generate the first slice selection auxiliary information: input the RAND into 128-NEA1 to generate a key stream block (KEYStream Block), and XOR the KEYStream Block with the second slice selection auxiliary information to generate the first slice selection auxiliary information.
  • the first function may be an encryption function.
  • the UE may obtain the first RAND in, but not limited to, the following manners.
  • Method 1a The UE receives the first RAND from the AMF.
  • Method 1b The UE receives the second RAND from the AMF, and generates the first RAND according to the second RAND and the first key.
  • the first key may be the base root key K_gNB of the base station.
  • the UE can generate the first RAND according to the second RAND and the first key, using K_gNB and a first algorithm supported by a specific standard and selected by the AMF, such as 128-NEA1.
  • the UE may receive the first RAND or the second RAND from the AMF through a registration acceptance message.
  • the first key may be derived from the locally stored second key.
  • the UE can derive K_gNB according to the locally stored AMF basic root key K_AMF.
  • the AMF can initiate an update procedure for the first RAND.
  • the AMF sends the third RAND to the UE.
  • the UE receives the third RAND from the AMF.
  • the third RAND is used to update the first RAND.
  • the UE can generate third slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the third RAND, and the third slice selection auxiliary information can be used to update the first slice selection auxiliary information.
  • the AMF can initiate an update procedure for the second RAND.
  • the AMF sends the third RAND to the UE.
  • the UE receives the third RAND from the AMF.
  • the third RAND is used to update the second RAND.
  • the UE can generate fourth slice selection auxiliary information according to the second slice selection auxiliary information, the first function, the first key, and the third RAND, and the fourth slice selection auxiliary information can be used to update the first slice selection auxiliary information.
  • the AMF may send the third RAND to the UE through a UE configuration update command (UE configuration update command).
  • Manner 2 The UE generates the first slice selection auxiliary information according to the second slice selection auxiliary information, the first RAND, and the correspondence between multiple RANDs and multiple first mappings, where each first mapping includes the mapping relationship between multiple first slice selection auxiliary information and multiple second slice selection auxiliary information.
  • the correspondence between multiple RANDs and multiple first mappings can be understood as the first function in this application, that is, the first function is formed by this correspondence; in Manner 2, the first function is thus a mapping relationship or corresponding relationship.
  • the correspondence between multiple RANDs and multiple first mappings may be pre-stored in the UE.
  • before generating the first slice selection auxiliary information according to the second slice selection auxiliary information, the first RAND, and the correspondence between the multiple RANDs and the multiple first mappings, the UE may also obtain the first RAND using the above-mentioned Method 1a or Method 1b.
  • the AMF can initiate an update procedure for the first RAND.
  • the AMF sends the third RAND to the UE.
  • the UE receives the third RAND from the AMF.
  • the third RAND is used to update the first RAND.
  • the UE can generate fifth slice selection auxiliary information according to the second slice selection auxiliary information, the correspondence between the multiple RANDs and the multiple first mappings, and the third RAND, and the fifth slice selection auxiliary information may be used to update the first slice selection auxiliary information.
  • the AMF can initiate an update procedure for the second RAND.
  • the AMF sends the third RAND to the UE.
  • the UE receives the third RAND from the AMF.
  • the third RAND is used to update the second RAND.
  • the UE can generate sixth slice selection auxiliary information according to the second slice selection auxiliary information, the first function, the first key, and the third RAND, and the sixth slice selection auxiliary information can be used to update the first slice selection auxiliary information.
  • the AMF can periodically initiate an update to the first RAND or the second RAND according to the first cycle.
  • the first period can be controlled by a timer.
  • the AMF can initiate an update procedure for the first RAND or the second RAND.
  • the AMF may send the third RAND to the UE through a UE configuration update command (UE configuration update command).
  • the correspondence between multiple RANDs and multiple first mappings may be in the form of a list; Table 1 shows one kind of correspondence between multiple RANDs and multiple first mappings.
  • Table 1 takes the second slice selection auxiliary information being allowed NSSAI and the first slice selection auxiliary information being allowed T-NSSAI as an example.
  • the UE generates the first slice selection auxiliary information according to the second slice selection auxiliary information, the first RAND, and the correspondence relationship between the multiple RANDs and the multiple first mappings.
  • for example, taking the second slice selection auxiliary information as allowed NSSAI 1 and the first RAND as RAND1, the first slice selection auxiliary information generated by the UE according to allowed NSSAI 1, RAND1 and the correspondence shown in Table 1 is allowed T-NSSAI 1.
  • the first slice selection auxiliary information generated by the UE according to allowed NSSAI 2, RAND2 and the correspondence shown in Table 1 is allowed T-NSSAI 3.
  • the first slice selection auxiliary information generated by the UE according to allowed NSSAI 3, RAND3 and the correspondence shown in Table 1 is allowed T-NSSAI 20.
  • Table 1 is only an example of the correspondence between multiple RANDs and multiple first mappings, and is not limited.
  • in the second way, the AMF sends the first slice selection assistance information to the UE, and correspondingly the UE receives the first slice selection assistance information from the AMF.
  • the UE may receive the first slice selection assistance information from the AMF through a registration acceptance message.
  • the AMF may generate the first slice selection auxiliary information according to the second slice selection auxiliary information.
  • the AMF may adopt but not limited to the following methods to generate the first slice selection auxiliary information according to the second slice selection auxiliary information.
  • AMF generates a first RAND, and generates first slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the first RAND.
  • the first function may be a public function pre-stored in the AMF.
  • the AMF may initiate an update process of the first slice selection auxiliary information: the AMF generates a first RAND', which is used to update the first RAND, and generates seventh slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the first RAND'; the seventh slice selection auxiliary information is used to update the first slice selection auxiliary information.
  • the AMF sends the seventh slice selection assistance information to the UE, and the UE can use the seventh slice selection assistance information to update the first slice selection assistance information.
  • the AMF may send the seventh slice selection assistance information to the UE through a UE configuration update command (UE configuration update command).
  • the AMF generates the first RAND, and generates the first slice selection auxiliary information according to the second slice selection auxiliary information, the correspondence between the multiple RANDs and the multiple first mappings, and the first RAND.
  • the correspondence between multiple RANDs and multiple first mappings may be pre-stored in the AMF.
  • for example, taking the second slice selection auxiliary information as allowed NSSAI 2, the correspondence between multiple RANDs and multiple first mappings as that shown in Table 1, and the first RAND as RAND3, the first slice selection auxiliary information generated by the AMF according to allowed NSSAI 2, the correspondence shown in Table 1, and RAND3 is allowed T-NSSAI 9.
  • the AMF can initiate an update procedure for the first slice selection auxiliary information: the AMF generates a first RAND', which is used to update the first RAND, and generates eighth slice selection auxiliary information according to the second slice selection auxiliary information, the correspondence between multiple RANDs and multiple first mappings, and the first RAND'; the eighth slice selection auxiliary information is used to update the first slice selection auxiliary information.
  • the AMF sends the eighth slice selection auxiliary information to the UE, and the UE can use the eighth slice selection auxiliary information to update the first slice selection auxiliary information.
  • for example, taking the second slice selection auxiliary information as allowed NSSAI 2, the correspondence between multiple RANDs and multiple first mappings as that shown in Table 1, and the first RAND' as RAND2, the eighth slice selection auxiliary information generated by the AMF according to allowed NSSAI 2, the correspondence shown in Table 1, and RAND2 is allowed T-NSSAI 3, and allowed T-NSSAI 3 can be used to update the first slice selection auxiliary information.
  • the AMF may send the eighth slice selection auxiliary information to the UE through a UE configuration update command (UE configuration update command).
  • the AMF may periodically initiate the update process of the first slice selection auxiliary information according to the second cycle.
  • the second period can be controlled by a timer, and when the timer expires, the AMF can initiate an update procedure for the first slice selection auxiliary information.
  • the AMF may also generate a first correspondence according to the first slice selection auxiliary information and the second slice selection auxiliary information, and store the first correspondence. The first correspondence includes the corresponding relationship between the first slice selection auxiliary information and the second slice selection auxiliary information. For example, taking the first slice selection auxiliary information as allowed TS-NSSAIs and the second slice selection auxiliary information as allowed S-NSSAIs, the AMF can generate the first correspondence {allowed TS-NSSAIs, allowed S-NSSAIs} according to allowed TS-NSSAIs and allowed S-NSSAIs.
  • the AMF may send the first slice selection assistance information to the UE by sending the first correspondence to the UE. It can be understood that the first slice selection auxiliary information is carried or included in the first correspondence.
  • the AMF may send the first correspondence to the UE through a registration acceptance message.
  • the AMF may also generate a second correspondence based on the first slice selection auxiliary information and the seventh slice selection auxiliary information, and store the second correspondence; the second correspondence includes the corresponding relationship between the first slice selection auxiliary information and the seventh slice selection auxiliary information.
  • the AMF may send the seventh slice selection assistance information to the UE by sending the second correspondence to the UE. It can be understood that the seventh slice selection auxiliary information is carried or included in the second correspondence.
  • the AMF may send the second correspondence to the UE through a UE configuration update command (UE configuration update command).
  • the AMF may also generate a third correspondence according to the first slice selection auxiliary information and the eighth slice selection auxiliary information, and store the third correspondence; the third correspondence includes the corresponding relationship between the first slice selection auxiliary information and the eighth slice selection auxiliary information.
  • the AMF may send the eighth slice selection assistance information to the UE by sending the third correspondence to the UE. It can be understood that the eighth slice selection auxiliary information is carried or included in the third correspondence.
  • the AMF may send the third correspondence to the UE through a UE configuration update command (UE configuration update command).
  • Step 102 The UE sends a first registration request message to the NG-RAN.
  • the NG-RAN receives the first registration request message from the UE.
  • the first registration request message includes the first slice selection auxiliary information.
  • Step 103 The NG-RAN generates second slice selection auxiliary information according to the first slice selection auxiliary information.
  • correspondingly, the following three manners are provided for the NG-RAN to generate the second slice selection auxiliary information according to the first slice selection auxiliary information.
  • Manner one The NG-RAN generates the second slice selection auxiliary information according to the first slice selection auxiliary information, the first function, and the first RAND.
  • the first function may be a public function pre-stored in NG-RAN.
  • for example, when the UE generates the first slice selection auxiliary information in the following manner: the UE inputs the first RAND into 128-NEA1 to generate a KEYStream Block, and XORs the KEYStream Block with the second slice selection auxiliary information to generate the first slice selection auxiliary information; then the NG-RAN can generate the second slice selection auxiliary information in the following manner: the NG-RAN inputs the first RAND into 128-NEA1 to generate the KEYStream Block, and XORs the KEYStream Block with the first slice selection auxiliary information to generate the second slice selection auxiliary information. It can be understood that the NG-RAN uses the inverse of the operation performed by the UE to generate the second slice selection auxiliary information.
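The keystream-XOR exchange just described (UE protects the allowed S-NSSAIs, NG-RAN inverts the XOR), together with Method 1b's derivation of the first RAND from the second RAND and K_gNB, as an added example that is not code from the patent. It assumes a stand-in keystream generator (HMAC-SHA256 in counter mode) in place of 128-NEA1, and the S-NSSAI byte encoding and all key and RAND values are constructed for the example.

```python
"""Added example, not code from the patent: protecting allowed S-NSSAIs at the AS
layer by XORing them with a keystream block generated from the first RAND, and
the NG-RAN inverting that XOR. Assumptions: 128-NEA1 is replaced by a stand-in
keystream generator (HMAC-SHA256 in counter mode); the S-NSSAI byte encoding
and all key/RAND values are constructed for this example."""
import hashlib
import hmac

NO_SD = 0xFFFFFF  # constructed marker for "no slice differentiator"
LABEL = b"allowed-S-NSSAI"  # constructed domain separator for the keystream


def keystream_block(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for 'input RAND into 128-NEA1 and generate a KEYStream Block'.

    Expands (key, nonce) into `length` bytes with HMAC-SHA256 in counter mode.
    The real scheme calls 128-NEA1 here; any keystream generator fits the XOR
    structure, which is the part the patent describes.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def derive_first_rand(k_gnb: bytes, second_rand: bytes) -> bytes:
    """Method 1b: first RAND generated from the second RAND and K_gNB (same stand-in).

    The UE (local K_gNB) and the NG-RAN (K_gNB transferred by the AMF) both
    compute this, so only the second RAND needs to travel in the registration accept.
    """
    return keystream_block(k_gnb, second_rand, 16)


def encode_s_nssais(s_nssais: list) -> bytes:
    """Constructed encoding: each S-NSSAI is 4 bytes, SST (1 byte) then SD (3 bytes)."""
    out = bytearray()
    for sst, sd in s_nssais:
        sd = NO_SD if sd is None else sd
        if not (0 <= sst <= 0xFF and 0 <= sd <= 0xFFFFFF):
            raise ValueError("S-NSSAI field out of range")
        out += bytes([sst]) + sd.to_bytes(3, "big")
    return bytes(out)


def decode_s_nssais(data: bytes) -> list:
    """Inverse of encode_s_nssais; rejects a payload that is not whole S-NSSAIs."""
    if len(data) % 4:
        raise ValueError("allowed S-NSSAIs payload is not a multiple of 4 bytes")
    result = []
    for i in range(0, len(data), 4):
        sd = int.from_bytes(data[i + 1:i + 4], "big")
        result.append((data[i], None if sd == NO_SD else sd))
    return result


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ue_protect(allowed_s_nssais: list, first_rand: bytes) -> bytes:
    """UE side (Manner 1): allowed TS-NSSAIs = KEYStream Block XOR allowed S-NSSAIs.

    Only this information element is encrypted; AS-layer ciphering as a whole
    does not need to be switched on, which is the page's overhead argument.
    """
    plain = encode_s_nssais(allowed_s_nssais)
    return xor_bytes(keystream_block(first_rand, LABEL, len(plain)), plain)


def ran_recover(allowed_ts_nssais: bytes, first_rand: bytes) -> list:
    """NG-RAN side (Manner one): XOR with the same keystream undoes the UE's operation.

    Caveat for the defender: XOR gives confidentiality only. A wrong or stale RAND
    raises no error, it just yields meaningless S-NSSAIs, and the same
    (RAND, allowed S-NSSAIs) pair always gives the same ciphertext, so the AMF's
    periodic RAND update bounds how long the protected value stays linkable.
    """
    keystream = keystream_block(first_rand, LABEL, len(allowed_ts_nssais))
    return decode_s_nssais(xor_bytes(keystream, allowed_ts_nssais))


def registration_round_trip(allowed_s_nssais: list, k_gnb: bytes, second_rand: bytes) -> dict:
    """Steps 101-104 in one call: derive the first RAND, protect at the UE, recover at the NG-RAN."""
    first_rand = derive_first_rand(k_gnb, second_rand)
    protected = ue_protect(allowed_s_nssais, first_rand)
    return {
        "first_rand": first_rand,
        "allowed_ts_nssais": protected,
        "recovered_at_ran": ran_recover(protected, first_rand),
    }
```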
  • Manner two The NG-RAN generates the second slice selection auxiliary information according to the first slice selection auxiliary information, the inverse function of the first function, and the first RAND.
  • the first function may be an encryption function.
  • Manner three The NG-RAN generates the second slice selection auxiliary information according to the first slice selection auxiliary information, the first RAND, and the correspondence between the multiple RANDs and the multiple first mappings.
  • the correspondence between multiple RANDs and multiple first mappings may be stored in the NG-RAN in advance.
  • the third manner is described below with examples.
  • for example, taking the first slice selection auxiliary information as allowed T-NSSAI 3 and the first RAND as RAND1, the second slice selection auxiliary information generated according to allowed T-NSSAI 3, RAND1, and the correspondence shown in Table 1 is allowed NSSAI 3.
  • taking the first slice selection assistance information as allowed T-NSSAI 4 and the first RAND as RAND2, the second slice selection assistance information generated according to allowed T-NSSAI 4, RAND2, and the correspondence shown in Table 1 is allowed NSSAI 3.
  • for another example, taking the first slice selection auxiliary information as allowed T-NSSAI 9 and the first RAND as RAND3, the second slice selection auxiliary information generated according to allowed T-NSSAI 9, RAND3, and the correspondence shown in Table 1 is allowed NSSAI 2.
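The Table 1 scheme (Manner 2 on the UE/AMF side, Manner three on the NG-RAN side) as an added example that is not code from the patent. Table 1 itself is not reproduced on this page, so the table below is constructed to reproduce the worked values the page quotes (allowed NSSAI 1 + RAND1 gives allowed T-NSSAI 1, allowed NSSAI 2 + RAND3 gives allowed T-NSSAI 9, allowed T-NSSAI 4 + RAND2 recovers allowed NSSAI 3, and so on); every other entry is an invented placeholder.

```python
"""Added example, not code from the patent: the 'correspondence between multiple
RANDs and multiple first mappings' (Table 1) used as the first function, looked
up on the UE/AMF side (allowed NSSAI -> allowed T-NSSAI) and inverted on the
NG-RAN side. The table is constructed to match the values the page quotes;
all other entries are placeholders."""

# One "first mapping" per RAND: allowed NSSAI id -> allowed T-NSSAI id.
# Each first mapping must be injective, otherwise the NG-RAN cannot invert it.
TABLE_1 = {
    "RAND1": {1: 1, 2: 7, 3: 3},
    "RAND2": {1: 12, 2: 3, 3: 4},
    "RAND3": {1: 5, 2: 9, 3: 20},
}


def validate_table(table: dict) -> bool:
    """Reject a table in which some RAND's first mapping is not invertible."""
    for rand, mapping in table.items():
        if len(set(mapping.values())) != len(mapping):
            raise ValueError(f"first mapping for {rand} sends two allowed NSSAIs to one T-NSSAI")
    return True


def build_inverse(table: dict) -> dict:
    """What the NG-RAN pre-stores: allowed T-NSSAI -> allowed NSSAI, per RAND."""
    validate_table(table)
    return {rand: {t: n for n, t in mapping.items()} for rand, mapping in table.items()}


def generate_first_info(table: dict, rand: str, allowed_nssai: int):
    """UE (Manner 2) or AMF: allowed T-NSSAI for (RAND, allowed NSSAI); None if unknown.

    With a static table the same (RAND, allowed NSSAI) always gives the same
    T-NSSAI, so how often the AMF rotates the RAND decides how long an
    observer at the AS layer can link registrations; rotation is the control.
    """
    return table.get(rand, {}).get(allowed_nssai)


def recover_second_info(inverse: dict, rand: str, allowed_t_nssai: int):
    """NG-RAN (Manner three): allowed NSSAI for (RAND, allowed T-NSSAI); None if unknown.

    None rather than a guess is returned for an unknown RAND or T-NSSAI, so the
    NG-RAN never forwards a wrong allowed NSSAI in the second registration request.
    """
    return inverse.get(rand, {}).get(allowed_t_nssai)


def update_with_third_rand(table: dict, third_rand: str, allowed_nssai: int, current_t: int) -> dict:
    """AMF-initiated update: the third RAND selects another first mapping, giving the
    fifth slice selection auxiliary information that replaces the current one."""
    new_t = generate_first_info(table, third_rand, allowed_nssai)
    if new_t is None:
        raise ValueError(f"{third_rand} is not in the pre-stored correspondence")
    return {"old": current_t, "new": new_t, "changed": new_t != current_t}


def round_trip_all(table: dict) -> bool:
    """Check that every (RAND, allowed NSSAI) survives UE protection and NG-RAN recovery."""
    inverse = build_inverse(table)
    return all(
        recover_second_info(inverse, rand, generate_first_info(table, rand, n)) == n
        for rand, mapping in table.items()
        for n in mapping
    )
```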
  • the NG-RAN can obtain the first RAND in but not limited to the following manners before executing manner one or manner two or manner three.
  • the NG-RAN receives the first RAND from the AMF.
  • the NG-RAN receives the second RAND and the first key from the AMF, and generates the first RAND according to the second RAND and the first key.
  • the first key may be the base root key K_gNB of the base station.
  • the NG-RAN can generate the first RAND using the process shown in FIG. 4.
  • the NG-RAN may receive the first RAND or the second RAND and the first key from the AMF through a key transfer message.
  • the AMF can initiate an update procedure for the first RAND.
  • the AMF sends the third RAND to the NG-RAN, and correspondingly, the NG-RAN receives the third RAND from the AMF, and the third RAND is used to update the first RAND.
  • the AMF can initiate an update procedure for the second RAND.
  • the AMF sends the third RAND to the NG-RAN, and correspondingly, the NG-RAN receives the third RAND from the AMF, and the third RAND is used to update the second RAND.
  • the AMF may send the third RAND to the NG-RAN through an update radio access message (update RAN).
  • Step 104 The NG-RAN sends a second registration request message to the AMF, where the second registration request message includes the second slice selection auxiliary information.
  • When the UE sends the slice selection auxiliary information to the NG-RAN through the AS layer, it can send the encrypted slice selection auxiliary information.
  • After the NG-RAN receives the encrypted slice selection auxiliary information, it can decrypt the slice selection auxiliary information and send the decrypted slice selection auxiliary information to the AMF.
  • In this way the AS layer can protect the slice selection auxiliary information, prevent the leakage of user privacy and slice information, and reduce the availability of slice selection auxiliary information in the NG-RAN.
  • The encryption method of the present application works at the granularity of the slice selection auxiliary information: there is no need to turn on the encryption function of the AS layer, only the slice selection auxiliary information needs to be encrypted, so the algorithm overhead is small and the algorithm selection is more flexible.
  • the two methods for the UE to obtain the first slice selection auxiliary information provided by the present application are described below with examples.
  • the mobility management network element is AMF and the access network device is NG-RAN.
  • the method includes the following steps:
  • Step 201 The UE sends a registration request message 1 to the AMF, and the AMF receives the registration request message 1 from the UE.
  • the registration request message 1 includes requested S-NSSAIs.
  • the UE may send the registration request message 1 to the AMF through the NG-RAN.
  • Step 202 The AMF generates a first RAND or a second RAND, and determines allowed S-NSSAIs according to the requested S-NSSAIs.
  • the AMF can send the requested S-NSSAIs to the UDM or NSSF; the UDM or NSSF determines the allowed S-NSSAIs based on the requested S-NSSAIs and sends the determined allowed S-NSSAIs to the AMF.
  • Step 203 AMF sends registration acceptance message 1 to the UE, and the UE receives registration acceptance message 1 from AMF.
  • Registration acceptance message 1 includes the first RAND and allowed S-NSSAIs, or registration acceptance message 1 includes the second RAND and allowed S-NSSAIs.
  • Step 204 AMF sends a key transfer message (key transfer) 1 to NG-RAN, and NG-RAN receives a key transfer message 1 from AMF.
  • the key transfer message 1 includes the first RAND and K_gNB, or includes the second RAND and K_gNB.
  • FIG. 6a is only for illustration, and in actual applications, FIG. 6a may also include more or fewer steps, which is not limited in this application.
  • Fig. 6a depicts the procedure for the UE to obtain the first RAND or the second RAND. The following describes the procedure for the UE to generate and use allowed T-S-NSSAIs according to the obtained allowed S-NSSAIs in conjunction with Fig. 6b.
  • the mobility management network element is AMF and the access network device is NG-RAN.
  • the method includes the following steps:
  • Step 301 The UE generates allowed T-S-NSSAIs according to allowed S-NSSAIs.
  • the UE can use the following method to generate allowed T-S-NSSAIs.
  • Method 1 The UE generates allowed T-S-NSSAIs according to the allowed S-NSSAIs, the stored first function, and the first RAND.
  • the UE can generate allowed T-S-NSSAIs according to allowed S-NSSAIs, f, and the first RAND:
  • Method 2 The UE generates allowed T-S-NSSAIs according to allowed S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND. For example, taking the correspondence between multiple RANDs and multiple first mappings as shown in Table 1, allowed S-NSSAIs as allowed NSSAI 3, and the first RAND as RAND1 in Table 1, the UE can generate allowed T-NSSAI 3 from allowed NSSAI 3, the correspondence in Table 1 and RAND1.
  • Alternatively, when the UE has received the second RAND, it can use the following method to generate allowed T-S-NSSAIs.
  • the UE can derive K_gNB according to K_AMF, generate the first RAND according to the second RAND and K_gNB, and then generate allowed T-S-NSSAIs according to allowed S-NSSAIs, the stored first function, and the first RAND.
  • the UE can derive K_gNB according to K_AMF, generate the first RAND according to the second RAND and K_gNB, and then generate allowed T-S-NSSAIs according to allowed S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND.
  • Step 302 The UE sends a registration request message 2 to the NG-RAN.
  • the NG-RAN receives a registration request message 2 from the UE.
  • the registration request message 2 includes allowed T-S-NSSAIs.
  • Compared with the prior art, in which the registration request message carries unencrypted allowed S-NSSAIs, with the method of this application the UE carries encrypted allowed T-S-NSSAIs in the registration request message when initiating the registration procedure, which achieves the purpose of protecting allowed S-NSSAIs.
  • allowed S-NSSAIs can be encrypted separately at the AS layer without enabling the AS layer encryption function, which can save network resources.
  • Step 303 NG-RAN generates allowed S-NSSAIs according to allowed T-S-NSSAIs.
  • the NG-RAN can adopt a corresponding decryption method.
  • the NG-RAN can generate allowed S-NSSAIs according to the allowed T-S-NSSAIs, the stored first function, and the first RAND.
  • the NG-RAN can generate allowed S-NSSAIs from allowed T-S-NSSAIs, the stored first function, and the first RAND by applying the inverse of the operation the UE performed when generating allowed T-S-NSSAIs.
  • the NG-RAN can generate allowed S-NSSAIs according to the allowed T-S-NSSAIs, the inverse function of the stored first function, and the first RAND.
  • the NG-RAN can generate allowed S-NSSAIs according to allowed T-S-NSSAIs, f⁻¹ and the first RAND:
  • the NG-RAN can generate allowed S-NSSAIs according to the allowed T-S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND. For example, taking the correspondence between multiple RANDs and multiple first mappings as shown in Table 1, allowed T-S-NSSAIs as allowed T-NSSAI 3, and the first RAND as RAND1 in Table 1, the NG-RAN can generate allowed NSSAI 3 from allowed T-NSSAI 3, the correspondence in Table 1, and RAND1.
  • the NG-RAN can generate the first RAND according to the second RAND and K_gNB, and then can generate allowed S-NSSAIs according to the allowed T-S-NSSAIs, the stored first function, and the first RAND.
  • the NG-RAN can generate the first RAND according to the second RAND and K_gNB, and then generate allowed S-NSSAIs according to the allowed T-S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND.
  • Step 304 The NG-RAN sends a registration request message 3 to the AMF, and the registration request message 3 includes allowed S-NSSAIs.
  • FIG. 6b is only for illustration, and in actual applications, FIG. 6b may also include more or fewer steps, which is not limited in this application.
  • FIG. 6c is a schematic flow diagram of a communication method provided by an embodiment of this application.
  • the mobility management network element is AMF
  • the access network device is NG-RAN.
  • Step 401 AMF generates a third RAND.
  • Step 402 The AMF sends a configuration update command (UE configuration update command) 1 to the UE.
  • the command 1 includes a third RAND, and the third RAND is used to update the first RAND or the second RAND.
  • a timer may be set by the network side, and after the timer expires, the above update procedure is initiated.
  • Step 403 The AMF sends an update radio access message (update RAN) 1 to the NG-RAN.
  • the update radio access message 1 includes a third RAND, and the third RAND is used to update the first RAND or the second RAND.
  • the UE can generate new allowed T-S-NSSAIs based on the allowed S-NSSAIs, the first function, and the third RAND, and then use the new allowed T-S-NSSAIs to update the old allowed T-S-NSSAIs.
  • When the UE initiates the registration procedure again, it can carry the new allowed T-S-NSSAIs in the registration request message sent to the NG-RAN. Accordingly, the NG-RAN can use the above decryption method to decrypt the new allowed T-S-NSSAIs using the third RAND.
  • FIG. 6c is only for illustration, and in actual applications, FIG. 6c may also include more or fewer steps, which is not limited in this application.
  • the method for the UE to receive the first slice selection assistance information from the AMF is described as an example.
  • the method can include the following three processes.
  • FIG. 7a is a schematic flow diagram of a communication method provided by an embodiment of this application.
  • the mobility management network element is AMF and the access network device is NG-RAN.
  • the method includes the following steps:
  • Step 501 The UE sends a registration request message 4 to the AMF, and the AMF receives the registration request message 4 from the UE.
  • the registration request message 4 includes requested S-NSSAIs.
  • the UE may send a registration request message 4 to the AMF via NG-RAN.
  • Step 502 The AMF determines allowed S-NSSAIs based on the requested S-NSSAIs, generates allowed T-S-NSSAIs based on the allowed S-NSSAIs, and generates the correspondence {allowed T-S-NSSAIs, allowed S-NSSAIs} based on the allowed S-NSSAIs and allowed T-S-NSSAIs.
  • the AMF can send the requested S-NSSAIs to the UDM or NSSF; the UDM or NSSF determines the allowed S-NSSAIs based on the requested S-NSSAIs and sends the determined allowed S-NSSAIs to the AMF.
  • The AMF can use, but is not limited to, the following methods to generate allowed T-S-NSSAIs:
  • Method 1 The AMF generates a first RAND, and generates allowed T-S-NSSAIs according to allowed S-NSSAIs, the stored first function, and the first RAND.
  • the AMF can generate allowed T-S-NSSAIs according to allowed S-NSSAIs, f and the first RAND:
  • Method 2 The AMF generates a first RAND, and generates allowed T-S-NSSAIs according to allowed S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND. For example, taking the correspondence between multiple RANDs and multiple first mappings as shown in Table 1, allowed S-NSSAIs as allowed NSSAI 3, and the first RAND as RAND1 in Table 1, the AMF can generate allowed T-NSSAI 3 from allowed NSSAI 3, the correspondence in Table 1 and RAND1.
  • Step 503 The AMF sends a registration acceptance message 4 to the UE, and the UE receives a registration acceptance message 4 from the AMF.
  • the registration acceptance message 4 includes the corresponding relationship {allowed T-S-NSSAIs, allowed S-NSSAIs}.
  • Step 504 AMF sends a key transfer message (key transfer) 2 to the NG-RAN, and the NG-RAN receives a key transfer message 2 from AMF.
  • the key transfer message 2 includes the first RAND and K_gNB.
  • FIG. 7a is only for illustration, and in actual applications, FIG. 7a may also include more or fewer steps, which is not limited in this application.
  • Fig. 7a describes the process for the UE to obtain the corresponding relationship {allowed T-S-NSSAIs, allowed S-NSSAIs}.
  • the following describes the process for the UE to use the corresponding relationship {allowed T-S-NSSAIs, allowed S-NSSAIs} with reference to Fig. 7b.
  • the mobility management network element is AMF
  • the access network device is NG-RAN.
  • Step 601 The UE determines the allowed T-S-NSSAIs used to initiate the registration request according to the corresponding relationship {allowed T-S-NSSAIs, allowed S-NSSAIs}.
  • Step 602 The UE sends a registration request message 5 to the NG-RAN.
  • the NG-RAN receives a registration request message 5 from the UE.
  • the registration request message 5 includes allowed T-S-NSSAIs.
  • Compared with the prior art, in which the registration request message carries unencrypted allowed S-NSSAIs, with the method of this application the UE carries encrypted allowed T-S-NSSAIs in the registration request message when initiating the registration procedure, which achieves the purpose of protecting allowed S-NSSAIs.
  • allowed S-NSSAIs can be encrypted separately at the AS layer without enabling the AS layer encryption function, which can save network resources.
  • Step 603 NG-RAN generates allowed S-NSSAIs according to allowed T-S-NSSAIs.
  • NG-RAN can adopt a corresponding decryption method.
  • the NG-RAN can generate allowed S-NSSAIs according to the allowed T-S-NSSAIs, the stored first function, and the first RAND. For example, the NG-RAN can generate allowed S-NSSAIs from allowed T-S-NSSAIs, the stored first function and the first RAND by applying the inverse of the operation the AMF used to generate allowed T-S-NSSAIs.
  • the NG-RAN can generate allowed S-NSSAIs based on the allowed T-S-NSSAIs, the inverse function of the stored first function, and the first RAND. For example, taking the inverse function of the first function as f⁻¹, the inverse of the public encryption function f, the NG-RAN can generate allowed S-NSSAIs according to allowed T-S-NSSAIs, f⁻¹ and the first RAND:
  • the NG-RAN can generate allowed S-NSSAIs according to allowed T-S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND. For example, if the correspondence between multiple RANDs and multiple first mappings is the correspondence in Table 1, allowed T-S-NSSAIs is allowed T-NSSAI 3, and the first RAND is RAND1 in Table 1, the NG-RAN can generate allowed NSSAI 3 from allowed T-NSSAI 3, the correspondence in Table 1, and RAND1.
  • Step 604 The NG-RAN sends a registration request message 6 to the AMF, and the registration request message 6 includes allowed S-NSSAIs.
  • FIG. 7b is only for illustration, and in actual applications, FIG. 7b may also include more or fewer steps, which is not limited in this application.
  • Fig. 7c is a schematic flow diagram of a communication method provided by an embodiment of this application.
  • the mobility management network element is AMF and the access network device is NG-RAN.
  • the method includes the following steps:
  • Step 701 The AMF generates a first RAND' for updating the first RAND; generates allowed T-S-NSSAIs' according to the first RAND', allowed S-NSSAIs and the first function, or according to the first RAND', allowed S-NSSAIs and the inverse function of the first function, or according to the first RAND', allowed S-NSSAIs and the correspondence between multiple RANDs and multiple first mappings; and generates the new correspondence {allowed T-S-NSSAIs', allowed S-NSSAIs} according to allowed S-NSSAIs and allowed T-S-NSSAIs'.
  • Step 702 The AMF sends a configuration update command (UE configuration update command) 2 to the UE.
  • the command 2 includes the new correspondence {allowed T-S-NSSAIs', allowed S-NSSAIs}.
  • the network side can set a timer, and after the timer expires, the update procedure is initiated.
  • Step 703 The AMF sends an update radio access message (update RAN) 2 to the NG-RAN, and the update radio access message 2 includes the first RAND'.
  • the UE can replace the old correspondence {allowed T-S-NSSAIs, allowed S-NSSAIs} with the new correspondence {allowed T-S-NSSAIs', allowed S-NSSAIs}.
  • When the UE initiates the registration procedure again, it can carry allowed T-S-NSSAIs' in the registration request message sent to the NG-RAN. Accordingly, the NG-RAN can use the above decryption method to decrypt the allowed T-S-NSSAIs' using the first RAND'.
  • FIG. 7c is only for illustration, and in actual applications, FIG. 7c may also include more or fewer steps, which is not limited in this application.
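The Fig. 6a/6b/6c and Fig. 7a/7b/7c procedures above, as an added example that is not code from the patent or its assignee: the first function f, the derivation of the first RAND from the second RAND and K_gNB, the S-NSSAI encoding and all key, RAND and Table 1 values are assumptions stated in the block.

```python
"""Added example (not code from the patent or its assignee): the allowed
S-NSSAI protection flows of Figs. 6a-6c and 7a-7c in plain Python.

Assumptions the page leaves open, all constructed here: an S-NSSAI is
encoded as 1-byte SST + 3-byte SD; the first function f is an XOR with an
HMAC-SHA256 keystream derived from the first RAND, so f^-1 is f itself;
the first RAND is derived from the second RAND and K_gNB with HMAC-SHA256.
Every key and RAND value below is constructed sample data.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

SNssai = Tuple[int, int]  # (SST, SD); SD is a 24-bit value


def encode_snssai(s: SNssai) -> bytes:
    sst, sd = s
    return bytes([sst]) + sd.to_bytes(3, "big")


def decode_snssai(b: bytes) -> SNssai:
    return b[0], int.from_bytes(b[1:4], "big")


def derive_first_rand(second_rand: bytes, k_gnb: bytes) -> bytes:
    """Assumed construction for 'generate the first RAND according to the
    second RAND and K_gNB' (UE in Fig. 6b step 301, NG-RAN in step 303):
    HMAC-SHA256 keyed with K_gNB, truncated to 16 bytes."""
    return hmac.new(k_gnb, b"first-RAND" + second_rand,
                    hashlib.sha256).digest()[:16]


def f(block: bytes, rand: bytes, position: int) -> bytes:
    """The first function f (assumed): XOR a 4-byte S-NSSAI with a 4-byte
    keystream bound to the RAND and to the entry's position in the list, so
    no two entries share a keystream.  As an XOR mask, f is its own inverse."""
    ks = hmac.new(rand, b"T-S-NSSAI" + position.to_bytes(2, "big"),
                  hashlib.sha256).digest()[:4]
    return bytes(a ^ b for a, b in zip(block, ks))


f_inverse = f


def generate_allowed_ts_nssais(allowed: List[SNssai], rand: bytes) -> List[bytes]:
    """Method 1, encrypting side (UE in Fig. 6b step 301, AMF in Fig. 7a
    step 502): allowed T-S-NSSAIs = f(allowed S-NSSAIs, RAND)."""
    return [f(encode_snssai(s), rand, i) for i, s in enumerate(allowed)]


def recover_allowed_s_nssais(ts: List[bytes], rand: bytes) -> List[SNssai]:
    """NG-RAN side (Fig. 6b step 303, Fig. 7b step 603): apply f^-1 with
    the same first RAND to get the allowed S-NSSAIs back."""
    return [decode_snssai(f_inverse(t, rand, i)) for i, t in enumerate(ts)]


def amf_build_correspondence(allowed: List[SNssai], rand: bytes) -> Dict[bytes, SNssai]:
    """Fig. 7a step 502: the AMF generates the correspondence
    {allowed T-S-NSSAIs, allowed S-NSSAIs} carried in registration accept.
    The UE then picks the T-S-NSSAI for the S-NSSAI it wants (Fig. 7b
    step 601) and never needs the first RAND itself."""
    return dict(zip(generate_allowed_ts_nssais(allowed, rand), allowed))


# Method 2: a constructed stand-in for the page's Table 1 holding only the
# three rows its worked examples imply (allowed T-NSSAI 3 with RAND1,
# allowed T-NSSAI 4 with RAND2, allowed T-NSSAI 9 with RAND3).
TABLE_1: Dict[str, Dict[str, str]] = {
    "RAND1": {"allowed NSSAI 3": "allowed T-NSSAI 3"},
    "RAND2": {"allowed NSSAI 3": "allowed T-NSSAI 4"},
    "RAND3": {"allowed NSSAI 2": "allowed T-NSSAI 9"},
}


def table_encrypt(s_label: str, rand_id: str) -> str:
    """Method 2, encrypting side: the first mapping selected by the RAND."""
    return TABLE_1[rand_id][s_label]


def table_decrypt(t_label: str, rand_id: str) -> str:
    """Method 2, NG-RAN side: the same mapping read in reverse."""
    return {t: s for s, t in TABLE_1[rand_id].items()}[t_label]


def demo() -> bool:
    """Fig. 6a/6b with a second RAND, then the Fig. 6c update with a third
    RAND.  Returns True when both flows are consistent."""
    k_gnb = bytes.fromhex("00" * 15 + "01")          # constructed K_gNB
    second_rand = bytes(range(16))                   # constructed second RAND
    allowed = [(1, 0x000001), (2, 0x0000A0)]         # constructed allowed S-NSSAIs
    ue_rand = derive_first_rand(second_rand, k_gnb)  # UE derives first RAND
    ran_rand = derive_first_rand(second_rand, k_gnb) # NG-RAN derives it too
    ts = generate_allowed_ts_nssais(allowed, ue_rand)
    ok = recover_allowed_s_nssais(ts, ran_rand) == allowed
    # While the RAND is unchanged the mapping is deterministic, so the same
    # T-S-NSSAI repeats on every registration; the Fig. 6c third RAND refreshes
    # it, and NG-RAN needs the update RAN message before the UE re-registers.
    third_rand = bytes.fromhex("11" * 16)            # constructed third RAND
    ts_new = generate_allowed_ts_nssais(allowed, third_rand)
    ok = ok and recover_allowed_s_nssais(ts_new, third_rand) == allowed
    ok = ok and recover_allowed_s_nssais(ts_new, ran_rand) != allowed
    return ok


if __name__ == "__main__":
    print("flows consistent:", demo())
```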
  • each network element described above includes hardware structures and/or software modules corresponding to each function.
  • the present invention can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or by computer-software-driven hardware depends on the specific application and the design constraints of the technical solution. A person skilled in the art can use different methods for each particular application to implement the described functions, but such implementation should not be considered as going beyond the scope of the present invention.
  • the embodiments of the present application can divide the access network equipment, terminal equipment, and mobility management network elements into functional units according to the foregoing method examples.
  • each functional unit can be divided corresponding to each function, or two or more functions can be integrated in one processing unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • a device for implementing any of the above methods.
  • a device is provided that includes a unit (or means) for implementing each step performed by an access network device in any of the above methods.
  • another device is also provided, including a unit (or means) for implementing each step executed by the terminal in any of the above methods.
  • another device is also provided, including a unit (or means) for implementing each step executed by the core network device in any of the above methods.
  • the embodiment of the present application provides a communication device 800.
  • the communication device 800 can be applied to terminal equipment.
  • FIG. 8 is a schematic structural diagram of a communication device 800 provided by an embodiment of the application.
  • the communication device 800 may include an acquiring unit 801 and a sending unit 802.
  • the communication device 800 may further include a processing unit 803 and a receiving unit 804.
  • the obtaining unit 801 can be used to obtain the first slice selection auxiliary information.
  • the first slice selection auxiliary information is obtained by encrypting the second slice selection auxiliary information.
  • the sending unit 802 can be used to send the first registration request message to the access network device.
  • the first registration request message includes the first slice selection auxiliary information.
  • the processing unit 803 may be configured to generate the first slice selection auxiliary information according to the second slice selection auxiliary information.
  • the processing unit 803 is specifically configured to generate the first slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the first random number RAND.
  • the receiving unit 804 may be used to receive the first RAND from the mobility management network element.
  • the receiving unit 804 may be configured to receive the second RAND from the mobility management network element, and the processing unit 803 may be configured to generate the first RAND according to the second RAND and the first key.
  • the processing unit 803 may also be used to derive the first key according to the locally stored second key.
  • the receiving unit 804 may also be used to receive a third RAND from the mobility management network element, and the third RAND is used to update the first RAND or the second RAND;
  • the processing unit 803 may also be configured to generate third slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the third RAND;
  • the processing unit 803 may also be configured to generate fourth slice selection auxiliary information according to the second slice selection auxiliary information, the first function, the first key, and the third RAND;
  • the processing unit 803 may also be configured to use the fourth slice selection auxiliary information to update the first slice selection auxiliary information.
  • the receiving unit 804 may also be used to receive the first slice selection auxiliary information from the mobility management network element.
  • the receiving unit 804 is specifically configured to receive the first correspondence from the mobility management network element, and the first correspondence includes the correspondence between the first slice selection auxiliary information and the second slice selection auxiliary information.
  • the receiving unit 804 may also be configured to receive third slice selection auxiliary information from the mobility management network element, and the third slice selection auxiliary information is used to update the first slice selection auxiliary information;
  • the processing unit 803 may also be configured to use the third slice selection auxiliary information to update the first slice selection auxiliary information.
  • the receiving unit 804 may also be configured to receive a second correspondence from the mobility management network element, and the second correspondence includes the correspondence between the second slice selection auxiliary information and the third slice selection auxiliary information.
  • the first function includes an encryption function, or the first function includes a plurality of RANDs and a plurality of first mappings, where each first mapping includes the mapping relationship between a plurality of first slice selection auxiliary information and a plurality of second slice selection auxiliary information, and/or the mapping relationship between a plurality of third slice selection auxiliary information and a plurality of second slice selection auxiliary information, and/or the mapping relationship between a plurality of fourth slice selection auxiliary information and a plurality of second slice selection auxiliary information.
  • FIG. 9 is a schematic structural diagram of a communication device 900 provided by an embodiment of the application.
  • the communication device 900 may include a receiving unit 901, a processing unit 902, and a sending unit 903.
  • the receiving unit 901 may be configured to receive a first registration request message from a terminal device, the first registration request message includes first slice selection auxiliary information, and the first slice selection auxiliary information is encrypted by the second slice selection auxiliary information.
  • the second slice selection auxiliary information is the slice selection auxiliary information that the terminal device is allowed to access.
  • the processing unit 902 may be used to generate the second slice selection auxiliary information according to the first slice selection auxiliary information, and the sending unit 903 may be used to send a second registration request message to the mobility management network element, where the second registration request message includes the second slice selection auxiliary information.
  • the processing unit 902 may be specifically configured to generate the second slice selection auxiliary information according to the first slice selection auxiliary information, the first function, and the first random number RAND; or, according to the first slice selection auxiliary information, the inverse function of the first function and the first random number RAND, generate the second slice selection auxiliary information.
  • the receiving unit 901 is further configured to receive the first RAND from the mobility management network element;
  • the processing unit 902 may be configured to generate the first RAND according to the second RAND and the first key.
  • the receiving unit 901 is further configured to receive a third RAND from the mobility management network element, and the third RAND is used to update the first RAND or the second RAND.
  • the first function includes an encryption function, or the first function includes a plurality of RANDs and a plurality of first mappings, where each first mapping includes the mapping relationship between a plurality of first slice selection auxiliary information and a plurality of second slice selection auxiliary information.
  • FIG. 10 is a schematic structural diagram of a communication device 1000 provided by an embodiment of the application.
  • the communication device 1000 may include a receiving unit 1001 and a sending unit 1002.
  • the communication device 1000 may further include a processing unit 1003 and a storage unit 1004.
  • the receiving unit 1001 can be used to receive a registration request message from a terminal device, where the registration request message includes the selection auxiliary information of the slice requesting access; the sending unit 1002 can be used to send a registration acceptance message to the terminal device after the security context is established.
  • the registration acceptance message includes the first slice selection auxiliary information, the first slice selection auxiliary information is obtained by encrypting the second slice selection auxiliary information, and the second slice selection auxiliary information is the slice selection auxiliary information that the terminal device is allowed to access.
  • the processing unit 1003 may be configured to determine the second slice selection auxiliary information according to the selection auxiliary information of the slice to be accessed; and to generate the first slice selection auxiliary information according to the second slice selection auxiliary information.
  • the processing unit 1003 is further configured to generate a first random number RAND, and generate first slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the first RAND.
  • the processing unit 1003 is further configured to generate a first corresponding relationship according to the first slice selection auxiliary information and the second slice selection auxiliary information; the storage unit 1004 is configured to store the first corresponding relationship, which includes the corresponding relationship between the first slice selection auxiliary information and the second slice selection auxiliary information.
  • the registration acceptance message includes a first corresponding relationship
  • the first slice selection auxiliary information includes the first corresponding relationship
  • the sending unit 1002 may be used to send the first RAND to the access network device accessed by the terminal device.
  • the processing unit 1003 is also used to generate a second RAND, which is used to update the first RAND, and to generate third slice selection auxiliary information according to the second slice selection auxiliary information, the first function, and the second RAND, where the third slice selection auxiliary information is used to update the first slice selection auxiliary information; the sending unit 1002 is also used to send the third slice selection auxiliary information to the terminal device.
  • the processing unit 1003 is further configured to generate a second corresponding relationship according to the second slice selection auxiliary information and the third slice selection auxiliary information; the storage unit 1004 is further configured to store the second corresponding relationship, which includes the corresponding relationship between the second slice selection auxiliary information and the third slice selection auxiliary information; the sending unit 1002 is further configured to send the second corresponding relationship to the terminal device.
  • the sending unit 1002 is further configured to send the second RAND to the access network device accessed by the terminal device.
  • the first function includes an encryption function, or the first function includes a plurality of RANDs and a plurality of first mappings, where each first mapping includes the mapping relationship between a plurality of first slice selection auxiliary information and a plurality of second slice selection auxiliary information, and/or the mapping relationship between a plurality of third slice selection auxiliary information and a plurality of second slice selection auxiliary information.
  • each unit in the device can be implemented in the form of software called by processing elements; they can also be implemented in the form of hardware; part of the units can be implemented in the form of software called by the processing elements, and some of the units can be implemented in the form of hardware.
  • each unit can be a separately established processing element, or it can be integrated in a certain chip of the device for implementation.
  • it can also be stored in the memory in the form of a program, which is called and executed by a certain processing element of the device.
  • all or part of these units can be integrated together or implemented independently.
  • the processing element here can also be called a processor, which can be an integrated circuit with signal processing capabilities.
  • each step of the above method or each of the above units may be implemented by an integrated logic circuit of hardware in a processor element or implemented in a form of being called by software through a processing element.
  • the unit in any of the above devices may be one or more integrated circuits configured to implement the above methods, for example: one or more application specific integrated circuits (ASIC), or one or more digital signal processors (DSP), or one or more field programmable gate arrays (FPGA), or a combination of at least two of these integrated circuits.
  • the unit in the device can be implemented in the form of a program scheduled by a processing element.
  • the processing element can be a general-purpose processor, such as a central processing unit (CPU) or another processor that can call programs.
  • these units can be integrated together and implemented in the form of a system-on-a-chip (SOC).
  • the above receiving unit is an interface circuit of the device for receiving signals from other devices.
  • the receiving unit is an interface circuit used by the chip to receive signals from other chips or devices.
  • the above unit for sending is an interface circuit of the device for sending signals to other devices.
  • the sending unit is an interface circuit used by the chip to send signals to other chips or devices.
  • FIG. 11 is a schematic structural diagram of a terminal device according to an embodiment of the application. It may be the terminal device in the above embodiment, and is used to implement the operation of the terminal device in the above embodiment.
  • the terminal device includes an antenna 1101, a radio frequency part 1102, and a signal processing part 1103.
  • the antenna 1101 is connected to the radio frequency part 1102.
  • the radio frequency part 1102 receives the information sent by the network device through the antenna 1101, and sends the information sent by the network device to the signal processing part 1103 for processing.
  • the signal processing part 1103 processes the information of the terminal equipment and sends it to the radio frequency part 1102, and the radio frequency part 1102 processes the information of the terminal equipment and sends it to the network equipment via the antenna 1101.
  • the signal processing part 1103 may include a modem subsystem, which is used to process data at the various communication protocol layers; it may also include a central processing subsystem, which is used to run the terminal device operating system and application layer; in addition, it may include other subsystems, such as a multimedia subsystem and a peripheral subsystem, where the multimedia subsystem is used to control the terminal device camera, screen display, etc., and the peripheral subsystem is used to realize the connection with other devices.
  • the modem subsystem can be a separate chip.
  • the above apparatus for terminal equipment may be located in the modem subsystem.
  • the modem subsystem may include one or more processing elements 11031, for example, including a main control CPU and other integrated circuits.
  • the modem subsystem may also include a storage element 11032 and an interface circuit 11033.
  • the storage element 11032 is used to store data and programs, but the program used to execute the method performed by the terminal device in the above method may not be stored in the storage element 11032; it may instead be stored in a memory outside the modem subsystem and loaded by the modem subsystem when it is used.
  • the interface circuit 11033 is used to communicate with other subsystems.
  • the above apparatus for terminal equipment may be located in a modem subsystem, which may be implemented by a chip.
  • the chip includes at least one processing element and an interface circuit, wherein the processing element is used to perform any of the above terminal equipment executions.
  • the interface circuit is used to communicate with other devices.
  • the unit for the terminal device to implement each step in the above method can be implemented in the form of a processing element scheduler.
  • a device applied to the terminal device includes a processing element and a storage element, and the processing element calls the program stored in the storage element to perform the method performed by the terminal device in the above method embodiment.
  • the storage element may be a storage element whose processing element is on the same chip, that is, an on-chip storage element.
  • the program for executing the method executed by the terminal device in the above method may be a storage element on a different chip from the processing element, that is, an off-chip storage element.
  • the processing element calls or loads a program from the off-chip storage element on the on-chip storage element to call and execute the method executed by the terminal device in the above method embodiment.
  • the unit applied to the terminal equipment to implement each step in the above method may be configured as one or more processing elements, and these processing elements are arranged on the modem subsystem, where a processing element may be an integrated circuit, for example: one or more ASICs, or one or more DSPs, or one or more FPGAs, or a combination of these types of integrated circuits. These integrated circuits can be integrated together to form a chip.
  • the units of the terminal device that implement each step in the above method can be integrated together and implemented in the form of a system-on-a-chip (SOC), and the SOC chip is used to implement the above method.
  • the chip can integrate at least one processing element and a storage element, and the processing element can call the program stored in the storage element to implement the method executed by the above terminal device; or, the chip can integrate at least one integrated circuit to implement the method executed by the above terminal device; or, the above implementations can be combined.
  • the functions of some units are implemented in the form of calling programs by processing elements, and the functions of some units are implemented in the form of integrated circuits.
  • the above apparatus applied to a terminal device may include at least one processing element and an interface circuit, wherein at least one processing element is used to execute any method performed by the terminal device provided in the above method embodiments.
  • the processing element can execute part or all of the steps executed by the terminal device in a first way: calling the program stored in the storage element; or in a second way: executing part or all of the steps performed by the terminal device by combining instructions through the integrated logic circuit of the hardware in the processing element; of course, part or all of the steps executed by the terminal device can also be executed by combining the first and second ways.
  • the processing element here is the same as in the above description, and may be a general-purpose processor, such as a CPU, or one or more integrated circuits configured to implement the above method, such as: one or more ASICs, or one or more DSPs, or one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms.
  • the storage element can be a memory or a collective term for multiple storage elements.
  • FIG. 12 is a schematic structural diagram of an access network device provided by an embodiment of this application. It is used to implement the operation of the access network device in the above embodiment.
  • the access network equipment includes: an antenna 1201, a radio frequency device 1202, and a baseband device 1203.
  • the antenna 1201 is connected to the radio frequency device 1202.
  • the radio frequency device 1202 receives the information sent by the terminal device through the antenna 1201, and sends the information sent by the terminal device to the baseband device 1203 for processing.
  • the baseband device 1203 processes the information of the terminal device and sends it to the radio frequency device 1202.
  • the radio frequency device 1202 processes the information of the terminal device and sends it to the terminal device via the antenna 1201.
  • the baseband device 1203 may include one or more processing elements 12031, for example, a main control CPU and other integrated circuits.
  • the baseband device 1203 may also include a storage element 12032 and an interface circuit 12033.
  • the storage element 12032 is used to store programs and data; the interface circuit 12033 is used to exchange information with the radio frequency device 1202.
  • the interface circuit is, for example, a common public radio interface (CPRI).
  • the above device applied to the access network device may be located in the baseband device 1203.
  • the above device applied to the access network device may be a chip on the baseband device 1203.
  • the chip includes at least one processing element and an interface circuit. In performing each step of any method performed by the above access network equipment, the interface circuit is used to communicate with other devices.
  • the unit for the access network device to implement each step in the above method can be implemented in the form of a processing element scheduler.
  • the device applied to the access network device includes a processing element and a storage element, and the processing element calls the program stored in the storage element to execute the method executed by the access network device in the above method embodiment.
  • the storage element may be a storage element with the processing element on the same chip, that is, an on-chip storage element, or a storage element on a different chip from the processing element, that is, an off-chip storage element.
  • the unit applied to the device of the access network device to implement each step in the above method may be configured as one or more processing elements, and these processing elements are provided on the baseband device, where a processing element may be an integrated circuit, for example: one or more ASICs, or one or more DSPs, or one or more FPGAs, or a combination of these types of integrated circuits. These integrated circuits can be integrated together to form a chip.
  • the units for the access network equipment to implement each step in the above method can be integrated together and implemented in the form of a system-on-a-chip (SOC).
  • the baseband device includes the SOC chip for implementing the above method.
  • At least one processing element and storage element can be integrated in the chip, and the processing element can call the program stored in the storage element to implement the method executed by the above access network device; or, at least one integrated circuit can be integrated in the chip to implement the method executed by the above access network device; or, the above implementations can be combined.
  • the functions of some units are implemented in the form of calling programs by processing elements, and the functions of some units are implemented in the form of integrated circuits.
  • the above apparatus applied to the access network device may include at least one processing element and an interface circuit, wherein at least one processing element is used to execute any method executed by the access network device provided in the above method embodiments.
  • the processing element can execute part or all of the steps executed by the access network device in a first way: calling the program stored in the storage element; or in a second way: executing part or all of the steps executed by the access network device by combining instructions through the integrated logic circuit of the hardware in the processing element; of course, part or all of the steps executed by the above access network device may also be executed by combining the first and second ways.
  • the processing element here is the same as in the above description, and may be a general-purpose processor, such as a CPU, or one or more integrated circuits configured to implement the above method, such as: one or more ASICs, or one or more DSPs, or one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms.
  • the storage element can be a memory or a collective term for multiple storage elements.
  • FIG. 13 is a schematic structural diagram of a mobility management network element provided by an embodiment of the application. It may be the mobility management network element in the above embodiment, and is used to implement the operation of the mobility management network element in the above embodiment.
  • the mobility management network element includes: a processor 1310, a memory 1320, and an interface 1330, and the processor 1310, the memory 1320, and the interface 1330 are connected to one another by signal lines.
  • the functions of each unit may be implemented by the processor 1310 calling a program stored in the memory 1320.
  • the processor here may be an integrated circuit with signal processing capability, such as a CPU.
  • the functions of the above units can be realized by one or more integrated circuits configured to implement the above methods, for example: one or more ASICs, or one or more DSPs, or one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms. Or, the above implementations can be combined.
  • "At least one of a, b, or c" can represent: a, b, c, ab, ac, bc, or abc, where each of a, b, and c can be single or multiple.
  • "Multiple" refers to two or more, and other measure words are similar.
  • "a device" means one or more such devices.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)), etc.
  • the various illustrative logic units and circuits described in the embodiments of this application can be implemented by general-purpose processors, digital signal processors, application-specific integrated circuits (ASIC), field programmable gate arrays (FPGA) or other programmable logic devices, discrete gates or transistor logic, discrete hardware components, or any combination of the above designed to implement or perform the described functions.
  • the general-purpose processor may be a microprocessor, and optionally, the general-purpose processor may also be any traditional processor, controller, microcontroller, or state machine.
  • the processor can also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration.
  • the steps of the method or algorithm described in the embodiments of the present application can be directly embedded in hardware, a software unit executed by a processor, or a combination of the two.
  • the software unit can be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable disk, CD-ROM or any other storage medium in the field.
  • the storage medium may be connected to the processor, so that the processor can read information from the storage medium, and can store and write information to the storage medium.
  • the storage medium may also be integrated into the processor.
  • the processor and the storage medium can be arranged in the ASIC.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing.
  • the instructions executed on the computer or other programmable equipment provide steps for implementing functions specified in one or more flows in the flowchart and/or one or more blocks in the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A communication method and apparatus, intended to effectively protect AS-layer NSSAI without changing existing security protocol procedures. The method includes: a terminal device obtains first slice selection assistance information, where the first slice selection assistance information is obtained by encrypting second slice selection assistance information, and the second slice selection assistance information is selection assistance information of slices that the terminal device is allowed to access; the terminal device sends a registration request message to an access network device, the registration request message including the first slice selection assistance information.

Description

A communication method and apparatus
Technical field
This application relates to the field of wireless communication technologies, and in particular to a communication method and apparatus.
Background
When a terminal device requests access to a slice, it needs to send network slice selection assistance information (NSSAI) to the base station. The NSSAI may include the service/slice type (SST) and the slice differentiator (SD) of the slice to be accessed. After receiving the NSSAI, the base station can select a suitable access and mobility management function (AMF) network element according to the NSSAI and local policy to provide slice services for the terminal device. In addition, the base station also performs AMF congestion control based on the NSSAI that the terminal device sends through the access stratum (AS).
If the AS layer has no privacy protection method, privacy leakage and potential threats will result. Therefore, how to design an effective method for protecting NSSAI at the AS layer without changing the existing security protocol procedures is a problem that urgently needs to be solved.
Summary
This application provides a communication method and apparatus, intended to effectively protect AS-layer NSSAI without changing existing security protocol procedures.
According to a first aspect, a communication method is provided. The method includes: a terminal device obtains first slice selection assistance information, where the first slice selection assistance information is obtained by encrypting second slice selection assistance information, and the second slice selection assistance information is selection assistance information of slices that the terminal device is allowed to access; and the terminal device sends a registration request message to an access network device, the registration request message including the first slice selection assistance information.
The method may be performed by a first communication apparatus. The first communication apparatus may be a terminal device or a communication apparatus capable of supporting a terminal device in implementing the functions required by the method, and may of course be another communication apparatus, such as a chip system. Here, the first communication apparatus is taken to be a terminal device as an example.
With the above method, the terminal device can send the encrypted slice selection assistance information to the access network device through the registration request message, which effectively protects AS-layer slice selection assistance information without changing existing security protocol procedures.
In a possible implementation, the terminal device may obtain the first slice selection assistance information in, but not limited to, the following manners.
Manner one: the terminal device generates the first slice selection assistance information from the second slice selection assistance information.
Manner two: the terminal device receives the first slice selection assistance information from a mobility management network element.
Manner one and manner two are described separately below.
Based on manner one, in a possible implementation, the terminal device generates the first slice selection assistance information from the second slice selection assistance information, a first function and a first random number (RAND).
Based on manner one, in a possible implementation, before generating the first slice selection assistance information from the second slice selection assistance information, the first function and the first RAND, the terminal device may obtain the first RAND in, but not limited to, the following ways.
Way 1: the terminal device receives the first RAND from the mobility management network element.
Way 2: the terminal device receives a second RAND from the mobility management network element and generates the first RAND from the second RAND and a first key.
Based on way 2, in a possible implementation, before generating the first RAND from the second RAND and the first key, the terminal device may derive the first key from a locally stored second key.
Based on manner one, in a possible implementation, the terminal device may also receive a third RAND from the mobility management network element, where the third RAND is used to update the first RAND or the second RAND. Based on this implementation, when the third RAND is used to update the first RAND, the terminal device generates third slice selection assistance information from the second slice selection assistance information, the first function and the third RAND; or, when the third RAND is used to update the second RAND, the terminal device generates fourth slice selection assistance information from the second slice selection assistance information, the first function, the first key and the third RAND, and the terminal device updates the first slice selection assistance information with the fourth slice selection assistance information.
Based on manner two, in a possible implementation, the terminal device receives a first correspondence from the mobility management network element, where the first correspondence includes the correspondence between the first slice selection assistance information and the second slice selection assistance information.
Based on manner two, in a possible implementation, the terminal device may also receive third slice selection assistance information from the mobility management network element, where the third slice selection assistance information is used to update the first slice selection assistance information, and the terminal device updates the first slice selection assistance information with the third slice selection assistance information.
Based on manner two, in a possible implementation, the terminal device may receive a second correspondence from the mobility management network element, where the second correspondence includes the correspondence between the second slice selection assistance information and the third slice selection assistance information.
In a possible implementation, the first function includes an encryption function; or, the first function includes a correspondence between multiple RANDs and multiple first mappings, where each first mapping includes a mapping between multiple first slice selection assistance information and multiple second slice selection assistance information, and/or a mapping between multiple third slice selection assistance information and multiple second slice selection assistance information, and/or a mapping between multiple fourth slice selection assistance information and multiple second slice selection assistance information.
According to a second aspect, a communication method is provided. The method includes: an access network device receives a first registration request message from a terminal device, where the first registration request message includes first slice selection assistance information, the first slice selection assistance information is obtained by encrypting second slice selection assistance information, and the second slice selection assistance information is selection assistance information of slices that the terminal device is allowed to access; the access network device generates the second slice selection assistance information from the first slice selection assistance information and sends a second registration request message to a mobility management network element, the second registration request message including the second slice selection assistance information.
The method may be performed by a second communication apparatus. The second communication apparatus may be an access network device or a communication apparatus capable of supporting an access network device in implementing the functions required by the method, and may of course be another communication apparatus, such as a chip system. Here, the second communication apparatus is taken to be an access network device as an example.
With the above method, when the terminal device sends slice selection assistance information to the access network device through the AS layer, it can send encrypted slice selection assistance information; after receiving the encrypted slice selection assistance information, the access network device can decrypt it and send the decrypted slice selection assistance information to the mobility management network element. In this way, the slice selection assistance information is protected at the AS layer, which prevents leakage of user privacy and slice information while not reducing the usability of the slice selection assistance information at the access network device.
In a possible implementation, the access network device may generate the second slice selection assistance information from the first slice selection assistance information, a first function and a first RAND.
In a possible implementation, before generating the second slice selection assistance information from the first slice selection assistance information, the first function and the first RAND, the access network device may obtain the first RAND in, but not limited to, the following methods.
Method 1: the access network device receives the first RAND from the mobility management network element.
Method 2: the access network device receives a second RAND and a first key from the mobility management network element and generates the first RAND from the second RAND and the first key.
In a possible implementation, the access network device may also receive a third RAND from the mobility management network element, where the third RAND is used to update the first RAND or the second RAND.
In a possible implementation, the first function includes an encryption function; or, the first function includes a correspondence between multiple RANDs and multiple first mappings, where each first mapping includes a mapping between multiple first slice selection assistance information and multiple second slice selection assistance information.
According to a third aspect, a communication method is provided. The method includes: a mobility management network element receives a registration request message from a terminal device, where the registration request message includes selection assistance information of the slices requested for access; after establishing a security context, the mobility management network element sends a registration accept message to the terminal device, where the registration accept message includes first slice selection assistance information, the first slice selection assistance information is obtained by encrypting second slice selection assistance information, and the second slice selection assistance information is selection assistance information of slices that the terminal device is allowed to access.
The method may be performed by a third communication apparatus. The third communication apparatus may be a mobility management network element or a communication apparatus capable of supporting a mobility management network element in implementing the functions required by the method, and may of course be another communication apparatus, such as a chip system. Here, the third communication apparatus is taken to be a mobility management network element as an example.
With the above method, when sending the allowed slice selection assistance information to the terminal device, the mobility management network element sends encrypted slice selection assistance information, so that when the terminal device subsequently initiates a registration request again, it can send the encrypted slice selection assistance information to the access network device through the AS layer. This protects the slice selection assistance information at the AS layer and thus prevents leakage of user privacy and slice information.
In a possible implementation, before sending the registration accept message to the terminal device, the mobility management network element may further determine the second slice selection assistance information according to the selection assistance information of the slices requested for access, and generate the first slice selection assistance information from the second slice selection assistance information.
In a possible implementation, the mobility management network element may, but is not limited to, generate the first slice selection assistance information from the second slice selection assistance information as follows: the mobility management network element generates a first RAND and generates the first slice selection assistance information from the second slice selection assistance information, a first function and the first RAND.
In a possible implementation, the mobility management network element may further generate a first correspondence from the first slice selection assistance information and the second slice selection assistance information and store the first correspondence, where the first correspondence includes the correspondence between the first slice selection assistance information and the second slice selection assistance information.
In a possible implementation, the registration accept message includes the first correspondence, and the first slice selection assistance information is contained in the first correspondence.
In a possible implementation, the mobility management network element may further send the first RAND to the access network device that the terminal device accesses.
In a possible implementation, the mobility management network element may further generate a second RAND, where the second RAND is used to update the first RAND; the mobility management network element generates third slice selection assistance information from the second slice selection assistance information, the first function and the second RAND, where the third slice selection assistance information is used to update the first slice selection assistance information, and the mobility management network element sends the third slice selection assistance information to the terminal device.
In a possible implementation, the mobility management network element may further generate a second correspondence from the second slice selection assistance information and the third slice selection assistance information and store the second correspondence, where the second correspondence includes the correspondence between the second slice selection assistance information and the third slice selection assistance information. Based on this implementation, the mobility management network element may further send the second correspondence to the terminal device.
In a possible implementation, the mobility management network element may send the second RAND to the access network device that the terminal device accesses.
In a possible implementation, the first function includes an encryption function; or, the first function includes a correspondence between multiple RANDs and multiple first mappings, where each first mapping includes a mapping between multiple first slice selection assistance information and multiple second slice selection assistance information and/or a mapping between multiple third slice selection assistance information and multiple second slice selection assistance information.
According to a fourth aspect, a communication method is provided. The method includes: a mobility management network element generates a first RAND or a second RAND, and the mobility management network element sends the first RAND or the second RAND to a terminal device.
The method may be performed by a third communication apparatus. The third communication apparatus may be a mobility management network element or a communication apparatus capable of supporting a mobility management network element in implementing the functions required by the method, and may of course be another communication apparatus, such as a chip system. Here, the third communication apparatus is taken to be a mobility management network element as an example.
With the above method, the mobility management network element can send the first RAND or the second RAND to the terminal device, so that the terminal device can generate encrypted slice selection assistance information from the first RAND or the second RAND. The terminal device can then send the encrypted slice selection assistance information to the access network device through the AS layer, which protects the slice selection assistance information at the AS layer and thus prevents leakage of user privacy and slice information.
In a possible implementation, the mobility management network element may further send the first RAND to the access network device that the terminal device accesses; or, the mobility management network element sends the second RAND and a first key to the access network device that the terminal device accesses.
In a possible implementation, the mobility management network element may further send a third RAND to the terminal device or to the access network device that the terminal device accesses, where the third RAND is used to update the first RAND or the second RAND.
According to a fifth aspect, this application provides a communication apparatus that has the function of implementing any of the above aspects or any implementation method of any of the above aspects. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function.
According to a sixth aspect, this application provides a communication apparatus including a processor and a memory. The memory is configured to store computer-executable instructions, and when the apparatus runs, the processor executes the computer-executable instructions stored in the memory so that the apparatus performs the method in any of the above aspects or any implementation of any of the above aspects.
According to a seventh aspect, this application provides a communication apparatus including units or means for performing each step of any of the above aspects.
According to an eighth aspect, this application provides a communication apparatus including a processor and an interface circuit. The processor is configured to communicate with other apparatuses through the interface circuit and to perform any method provided in any of the above aspects. There are one or more such processors.
According to a ninth aspect, this application provides a communication apparatus including a processor configured to be connected to a memory and to call a program stored in the memory in order to perform the method in any implementation of any of the above aspects. The memory may be located inside or outside the apparatus, and there are one or more such processors.
According to a tenth aspect, this application further provides a computer-readable storage medium storing instructions that, when run on a computer, cause a processor to perform the method described in any of the above aspects.
According to an eleventh aspect, this application further provides a computer program product including instructions that, when run on a computer, cause the computer to perform the method described in any of the above aspects.
According to a twelfth aspect, this application further provides a chip system including a processor configured to perform the methods described in the above aspects.
According to a thirteenth aspect, this application further provides a communication system including at least two of: a terminal device for performing the first aspect or any implementation method of the first aspect, an access network device for performing the second aspect or any implementation method of the second aspect, a mobility management network element for performing the third aspect or any implementation method of the third aspect, and a mobility management network element for performing the fourth aspect or any implementation method of the fourth aspect.
Brief description of the drawings
FIG. 1 is a schematic diagram of a network architecture according to an embodiment of this application;
FIG. 2 is a schematic flowchart of a communication method according to an embodiment of this application;
FIG. 3 is a schematic diagram of generating first slice selection assistance information according to an embodiment of this application;
FIG. 4 is a schematic diagram of generating a first RAND according to an embodiment of this application;
FIG. 5 is a schematic diagram of generating second slice selection assistance information according to an embodiment of this application;
FIG. 6a is a schematic flowchart of another communication method according to an embodiment of this application;
FIG. 6b is a schematic flowchart of yet another communication method according to an embodiment of this application;
FIG. 6c is a schematic flowchart of yet another communication method according to an embodiment of this application;
FIG. 7a is a schematic flowchart of yet another communication method according to an embodiment of this application;
FIG. 7b is a schematic flowchart of yet another communication method according to an embodiment of this application;
FIG. 7c is a schematic flowchart of yet another communication method according to an embodiment of this application;
FIG. 8 is a schematic structural diagram of a communication apparatus according to an embodiment of this application;
FIG. 9 is a schematic structural diagram of yet another communication apparatus according to an embodiment of this application;
FIG. 10 is a schematic structural diagram of yet another communication apparatus according to an embodiment of this application;
FIG. 11 is a schematic structural diagram of a terminal device according to an embodiment of this application;
FIG. 12 is a schematic structural diagram of an access network device according to an embodiment of this application;
FIG. 13 is a schematic structural diagram of a mobility management network element according to an embodiment of this application.
Detailed description
To make the objectives, technical solutions and advantages of this application clearer, this application is described in further detail below with reference to the accompanying drawings. The specific operation methods in the method embodiments may also be applied to the apparatus embodiments or system embodiments. In the description of this application, unless otherwise stated, "multiple" means two or more, and "at least one" means one or more. In addition, it should be understood that in the description of the embodiments of this application, words such as "first" and "second" are used only to distinguish between the objects described and should not be understood as indicating or implying relative importance or order.
FIG. 1 is a schematic diagram of a fifth generation (5G) network architecture based on a service-based architecture. The 5G network architecture shown in FIG. 1 may include three parts: a terminal device part, a data network (DN), and an operator network part.
The operator network, which may also be called a mobile communication network, is mainly a network through which a mobile network operator (MNO) provides mobile broadband access services to users. The operator network described in the embodiments of this application may specifically be a network meeting the requirements of the 3rd generation partnership project (3GPP) standards, referred to as a 3GPP network for short. A 3GPP network is usually operated by an operator and includes, but is not limited to, 5G networks, 4th-generation (4G) networks, 3rd-generation (3G) networks and 2nd-generation wireless telephone technology (2G) networks. In FIG. 1 of this application, the operator network is a 5G network as an example.
The 5G operator network may include a network exposure function (NEF) network element, a network function repository function (NRF) network element, a policy control function (PCF) network element, a unified data management (UDM) network element, an application function (AF) network element, an authentication server function (AUSF) network element, an access and mobility management function (AMF) network element, a session management function (SMF) network element, a (radio) access network ((R)AN), a user plane function (UPF) network element, and so on. The part of the operator network other than the (radio) access network is called the core network. For ease of description, the subsequent description of the embodiments of this application uses the AN as an example.
The terminal device in this application may provide voice and/or data services and may be a wired or wireless terminal device. A wireless terminal device may be a mobile phone, a computer, a tablet, a personal digital assistant (PDA), a mobile Internet device (MID), a wearable device, an e-book reader, and the like. A wireless terminal device may also be a mobile station or an access point. User equipment (UE) is one type of terminal device and is the term used in the long term evolution (LTE) system. For convenience, the subsequent description uses the terminal device as an example.
The terminal device may establish a connection with the operator network through an interface provided by the operator network (for example, N1) and use services such as data and/or voice provided by the operator network. The terminal device may also access the DN through the operator network and use operator services deployed on the DN and/or services provided by a third party. The third party may be a service provider other than the operator network and the terminal device, and may provide other data and/or voice services to the terminal device. The specific form of the third party may be determined according to the actual application scenario and is not limited here.
The AN is a sub-network of the operator network and is the implementation system between the service nodes of the operator network and the terminal device. To access the operator network, the terminal device first passes through the AN and can then connect to the service nodes of the operator network through the AN. The AN device in this application is a device that provides wireless communication functions for terminal devices. Access network devices include, but are not limited to: the next generation base station (gNB) in 5G, the evolved node B (eNB), the radio network controller (RNC), the node B (NB), the base station controller (BSC), the base transceiver station (BTS), the home base station (for example, home evolved nodeB or home node B, HNB), the baseband unit (BBU), the transmitting and receiving point (TRP), the transmitting point (TP), the mobile switching center, and so on.
The AMF network element is a control plane network element provided by the operator network and is responsible for access control and mobility management for terminal devices accessing the operator network, including functions such as mobility state management, allocation of temporary user identities, and user authentication and authorization.
The SMF network element is a control plane network element provided by the operator network and is responsible for managing protocol data unit (PDU) sessions of the terminal device. A PDU session is a channel for transmitting PDUs; the terminal device and the DN transmit PDUs to each other through PDU sessions. The SMF network element is responsible for establishing, maintaining and deleting PDU sessions. The SMF network element includes session-related functions such as session management (for example session establishment, modification and release, including tunnel maintenance between the UPF and the AN), selection and control of UPF network elements, service and session continuity (SSC) mode selection, and roaming.
The UPF network element is a gateway provided by the operator and is the gateway through which the operator network communicates with the DN. The UPF network element includes user-plane functions such as packet routing and forwarding, packet inspection, service usage reporting, quality of service (QoS) handling, lawful interception, uplink packet inspection, and downlink packet buffering.
The DN, which may also be called a packet data network (PDN), is a network located outside the operator network. The operator network may access multiple DNs, and various services may be deployed on a DN to provide data and/or voice services to terminal devices. For example, a DN may be the private network of a smart factory: the sensors installed in the factory workshop can be terminal devices, a control server for the sensors is deployed in the DN, and the control server can provide services to the sensors. The sensors can communicate with the control server, obtain instructions from it, and send the collected sensor data to it according to the instructions. As another example, a DN may be the internal office network of a company: the mobile phones or computers of the company's employees can be terminal devices, and they can access information and data resources on the company's internal office network.
The UDM network element is a control plane network element provided by the operator and is responsible for storing information such as the subscriber permanent identifier (SUPI), credentials, security context and subscription data of subscribers in the operator network. The information stored in the UDM network element can be used for authentication and authorization when terminal devices access the operator network. A subscriber of the operator network may specifically be a user who uses the services provided by the operator network, for example a user with a China Telecom SIM card or a user with a China Mobile SIM card. The SUPI of the subscriber may be the number of the SIM card. The credentials and security context of the subscriber may be a small stored file such as the encryption key of the SIM card or information related to the SIM card's encryption, used for authentication and/or authorization. The security context may be data (a cookie) or a token stored on the user's local terminal (for example a mobile phone). The subscription data of the subscriber may be the services associated with the SIM card, for example its data plan or network usage. It should be noted that, for ease of description, this application does not distinguish between or limit authentication- and authorization-related information such as the permanent identifier, credentials, security context, authentication data (cookie) and token. Unless otherwise specified, the embodiments of this application use the security context as an example, but the embodiments of this application apply equally to authentication and/or authorization information expressed in other ways.
The AUSF network element is a control plane network element provided by the operator and is usually used for primary authentication, that is, authentication between the terminal device (subscriber) and the operator network. After receiving an authentication request initiated by a subscriber, the AUSF network element can authenticate and/or authorize the subscriber using the authentication and/or authorization information stored in the UDM network element, or generate the subscriber's authentication and/or authorization information through the UDM network element. The AUSF network element can return authentication and/or authorization information to the subscriber.
The NEF network element is a control plane network element provided by the operator. The NEF network element securely exposes the external interfaces of the operator network to third parties. When the SMF network element needs to communicate with a third-party network element, the NEF network element can act as a relay between the SMF network element and the third-party network element. As a relay, the NEF network element can translate the identification information of the subscriber and the identification information of the third-party network element. For example, when the NEF sends the subscriber's SUPI from the operator network to a third party, it may translate the SUPI into its corresponding external identity (ID). Conversely, when the NEF network element sends an external ID (the ID of the third-party network element) to the operator network, it may translate it into a SUPI.
The PCF network element is a control plane function provided by the operator and is used to provide PDU session policies to the SMF network element. Policies may include charging-related policies, QoS-related policies, authorization-related policies, and so on.
The network slice selection function (NSSF) network element (not shown in the figure) is responsible for determining the network slice instance (NSI), selecting the AMF network element, and so on.
It should be noted that the network elements involved in the embodiments of this application may also be called functions or functional entities, which is not limited in this application. For example, the mobility management network element may also be called a mobility management function or a mobility management functional entity, and the session management function network element may be called a session management function or a session management functional entity.
In FIG. 1, Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4 and N6 are interface sequence numbers. The meanings of these interface sequence numbers can be found in the 3GPP standard specifications and are not limited here.
The mobility management network element in this application may be the AMF network element shown in FIG. 1, or a network element in a future communication system that has the functions of the AMF network element. Alternatively, the mobility management network element in this application may be the mobility management entity (MME) in LTE, and so on. The access network device in this application may be the next generation radio access network (NG-RAN) in a 5G network. The NG-RAN includes, but is not limited to, the gNB, RNC or TRP in 5G. In future communications (for example 6G or other networks), the access network device may still be the NG-RAN or may have another name, which is not limited in this application. Alternatively, the access network device in this application may be the eNB or NB in LTE, and so on.
For ease of description, the rest of this application uses the AMF as the mobility management network element, the NG-RAN as the access network device and the UE as the terminal device as examples; that is, in the following description the AMF can be replaced by a mobility management network element, the UE by a terminal device, and the NG-RAN by an access network device.
To facilitate understanding of this application, some communication terms involved in this application are explained below. It should be noted that this part also forms part of the summary of this application.
A "slice" in this application may also be called a "network slice" or a "network slice instance"; the three have the same meaning.
At present, a wide variety of scenarios place different requirements on the 3GPP ecosystem, such as requirements for charging, policy, security and mobility. 3GPP emphasizes that network slices must not affect each other; for example, a sudden burst of meter-reading traffic should not affect normal mobile broadband services. To satisfy diverse requirements and isolation between slices, relatively independent management and operation between services is needed, along with tailored service functions and analysis capabilities. Instances of different service types are deployed on different network slices, and different instances of the same service type may also be deployed on different network slices.
A slice in a 5G network is a virtual dedicated network composed of a set of network functions and sub-networks. For example, the AN, AMF, SMF and UPF in FIG. 1 can form a slice. Only one of each network function is shown schematically in FIG. 1, whereas in an actual network deployment there may be several, dozens or hundreds of each network function or sub-network. Many network slices may be deployed in an operator network, and each slice may have different performance to meet the requirements of different applications and different vertical industries. An operator may "tailor" a slice according to the requirements of different vertical industry customers. An operator may also allow some industry customers greater autonomy to participate in some of the management and control functions of a slice. Slice-level authentication is one such network control function with industry customer participation, namely authenticating and authorizing end users accessing the slice.
When network slices are deployed and a user initially attaches (or registers) to the network, the network slice selection process is triggered. The network slice selection process depends on the user's subscription data, local configuration information, roaming agreements, operator policies, and so on. All of these parameters need to be considered together during network slice selection in order to select the best slice type for the UE; once the best slice type has been selected for the UE, the UE can access the slice service.
When the UE needs to access a network slice, the UE may provide the requested network slice information to the core network so that the core network can select a network slice instance for the UE. The network slice information may be requested network slice selection assistance information (requested NSSAI). The requested NSSAI consists of one or more single network slice selection assistance information (S-NSSAI); each S-NSSAI identifies a single network slice type, which can also be understood as the S-NSSAI identifying a single network slice, or as the S-NSSAI being the identification information of a single network slice. Since an NSSAI consists of one or more S-NSSAIs, in the following description NSSAI may be replaced by S-NSSAIs or S-NSSAI.
After the UE registers to the network, a core network element (such as the AMF, NSSF or UDM) makes a comprehensive judgment according to the UE's subscription data, the UE's NSSAI (for example the UE's requested NSSAI, requested S-NSSAIs or requested S-NSSAI), roaming agreements and local configuration, selects the network slices that the UE is allowed to access, and may send the allowed network slice selection assistance information (allowed NSSAI) to the UE. The allowed network slice selection assistance information may be denoted as allowed NSSAI, allowed S-NSSAIs or allowed S-NSSAI; an allowed S-NSSAI is an S-NSSAI that the current operator network allows access to. For ease of description, the following uses allowed S-NSSAIs to denote the allowed network slice selection assistance information as an example.
After receiving the allowed S-NSSAIs, the UE may request access to these slices by sending the allowed S-NSSAIs to the NG-RAN (for example a gNB). After receiving the allowed S-NSSAIs, the NG-RAN can select a suitable AMF according to the allowed S-NSSAIs to provide slice services for the UE; in addition, the NG-RAN also performs AMF congestion control according to the allowed S-NSSAIs sent by the UE through the access stratum (AS).
If the AS layer has no privacy protection method, privacy leakage and potential threats will result. For example, an eavesdropper could determine whether a police station exists in a certain area by intercepting the allowed S-NSSAIs at the AS layer; as another example, an eavesdropper could infer a user's recent behaviour from the slice types the user has recently accessed by intercepting the allowed S-NSSAIs at the AS layer. Therefore, how to design an effective method for protecting the allowed S-NSSAIs at the AS layer without changing the existing security protocol procedures is a problem that urgently needs to be solved.
To solve the above problem, this application provides several communication methods that effectively protect the allowed S-NSSAIs at the AS layer without changing existing security protocol procedures, as described in detail below.
Based on the network architecture shown in FIG. 1, FIG. 2 is a schematic flowchart of a communication method provided by this application. In FIG. 2, the AMF is used as the mobility management network element, the NG-RAN as the access network device and the UE as the terminal device for illustration. The method includes the following steps:
Step 101: the UE obtains first slice selection assistance information.
The first slice selection assistance information is obtained by encrypting second slice selection assistance information, or the first slice selection assistance information is obtained by a computation that takes the second slice selection assistance information as input.
The second slice selection assistance information is selection assistance information of slices that the UE is allowed to access. For example, the second slice selection assistance information may be allowed S-NSSAIs or allowed NSSAI. When the second slice selection assistance information is allowed S-NSSAIs or allowed NSSAI, for ease of description the first slice selection assistance information may correspondingly be described as temporary selection assistance information of the slices the UE is allowed to access, allowed T-S-NSSAIs or allowed T-NSSAI.
In the embodiments of this application, the UE may obtain the first slice selection assistance information in, but not limited to, the following two manners.
First manner: the UE generates the first slice selection assistance information from the second slice selection assistance information.
Based on the first manner, the UE may generate the first slice selection assistance information from the second slice selection assistance information in, but not limited to, the following modes.
Mode 1: the UE generates the first slice selection assistance information from the second slice selection assistance information, a first function and a first random number (RAND). The first function may be a public function stored in advance in the UE. For example, taking the second slice selection assistance information as allowed S-NSSAIs and the first function as f, the UE may generate the first slice selection assistance information (denoted allowed T-S-NSSAIs) from the allowed S-NSSAIs, f and the first RAND, which can be expressed as: allowed T-S-NSSAIs = f_{first RAND}(allowed S-NSSAIs). As another example, as shown in FIG. 3, taking the first function as the 128-bit New Radio encryption algorithm 1 (128-NEA1), the UE may generate the first slice selection assistance information in, but not limited to, the following way: the UE inputs the first RAND into 128-NEA1 to generate a keystream block (KEYStream Block), and XORs the KEYStream Block with the second slice selection assistance information to generate the first slice selection assistance information.
Optionally, based on mode 1, the first function may be an encryption function.
Based on mode 1, in a possible implementation, before generating the first slice selection assistance information from the second slice selection assistance information, the first function and the first RAND, the UE may obtain the first RAND in, but not limited to, the following ways.
Mode 1a: the UE receives the first RAND from the AMF.
Mode 1b: the UE receives a second RAND from the AMF and generates the first RAND from the second RAND and a first key. For example, the first key may be the base station root key K_gNB. For example, as shown in FIG. 4, taking the first key as K_gNB, the UE may generate the first RAND from the second RAND and the first key using K_gNB and a first algorithm supported by the particular standard selected by the AMF, such as 128-NEA1.
Optionally, the UE may receive the first RAND or the second RAND from the AMF through a registration accept message.
Based on mode 1b above, in a possible implementation, before generating the first RAND from the second RAND and the first key, the UE may also derive the first key from a locally stored second key. For example, taking the first key as K_gNB, the UE may derive K_gNB from the locally stored AMF root key K_AMF.
Based on mode 1a above, in a possible implementation, the AMF may initiate an update procedure for the first RAND. For example, the AMF sends a third RAND to the UE and, correspondingly, the UE receives the third RAND from the AMF, where the third RAND is used to update the first RAND; after receiving the third RAND, the UE may generate third slice selection assistance information from the second slice selection assistance information, the first function and the third RAND, and then update the first slice selection assistance information with the third slice selection assistance information.
Based on mode 1b above, in a possible implementation, the AMF may initiate an update procedure for the second RAND. For example, the AMF sends a third RAND to the UE and, correspondingly, the UE receives the third RAND from the AMF, where the third RAND is used to update the second RAND; after receiving the third RAND, the UE may generate fourth slice selection assistance information from the second slice selection assistance information, the first function, the first key and the third RAND, and then update the first slice selection assistance information with the fourth slice selection assistance information.
Optionally, the AMF may send the third RAND to the UE through a UE configuration update command.
Mode 2: the UE generates the first slice selection assistance information from the second slice selection assistance information, the first RAND and a correspondence between multiple RANDs and multiple first mappings, where each first mapping includes a mapping between multiple first slice selection assistance information and multiple second slice selection assistance information. Based on mode 2, the correspondence between multiple RANDs and multiple first mappings can be understood as the first function in this application; that is, the first function is formed by the correspondence between multiple RANDs and multiple first mappings, and in mode 2 the first function can be understood as a mapping or correspondence. The correspondence between multiple RANDs and multiple first mappings may be stored in advance in the UE.
Based on mode 2, in a possible implementation, before generating the first slice selection assistance information from the second slice selection assistance information, the first RAND and the correspondence between multiple RANDs and multiple first mappings, the UE may also obtain the first RAND using mode 1a or mode 1b above.
Combining mode 2 with mode 1a above, in a possible implementation, the AMF may initiate an update procedure for the first RAND. For example, the AMF sends a third RAND to the UE and, correspondingly, the UE receives the third RAND from the AMF, where the third RAND is used to update the first RAND; after receiving the third RAND, the UE may generate fifth slice selection assistance information from the second slice selection assistance information, the correspondence between multiple RANDs and multiple first mappings, and the third RAND, and then update the first slice selection assistance information with the fifth slice selection assistance information.
Combining mode 2 with mode 1b above, in a possible implementation, the AMF may initiate an update procedure for the second RAND. For example, the AMF sends a third RAND to the UE and, correspondingly, the UE receives the third RAND from the AMF, where the third RAND is used to update the second RAND; after receiving the third RAND, the UE may generate sixth slice selection assistance information from the second slice selection assistance information, the first function, the first key and the third RAND, and then update the first slice selection assistance information with the sixth slice selection assistance information.
Based on mode 1 or mode 2, in a possible implementation, the AMF may periodically initiate an update of the first RAND or the second RAND according to a first period. For example, the first period may be controlled by a timer; when the timer expires, the AMF may initiate the update procedure for the first RAND or the second RAND.
Optionally, the AMF may send the third RAND to the UE through a UE configuration update command.
Based on mode 2, in a possible implementation, the correspondence between multiple RANDs and multiple first mappings may take the form of a list; see Table 1, which shows a correspondence between multiple RANDs and multiple first mappings provided by an embodiment of this application. In Table 1, the second slice selection assistance information is allowed NSSAI and the first slice selection assistance information is allowed T-NSSAI as an example.
Table 1
[Table 1: correspondence between multiple RANDs and multiple first mappings; the table is an image in the source and is not reproduced here]
Taking the correspondence shown in Table 1 as an example, the generation by the UE of the first slice selection assistance information from the second slice selection assistance information, the first RAND and the correspondence between multiple RANDs and multiple first mappings is described. For example, taking the second slice selection assistance information as allowed NSSAI 1 and the first RAND as RAND1, the first slice selection assistance information generated by the UE from allowed NSSAI 1, RAND1 and the correspondence shown in Table 1 is allowed T-NSSAI 1. As another example, taking the second slice selection assistance information as allowed NSSAI 2 and the first RAND as RAND2, the first slice selection assistance information generated by the UE from allowed NSSAI 2, RAND2 and the correspondence shown in Table 1 is allowed T-NSSAI 3. As another example, taking the second slice selection assistance information as allowed NSSAI 3 and the first RAND as RAND3, the first slice selection assistance information generated by the UE from allowed NSSAI 3, RAND3 and the correspondence shown in Table 1 is allowed T-NSSAI 20. Table 1 is only one example of a correspondence between multiple RANDs and multiple first mappings and is not limiting.
第二种方式,AMF向UE发送第一切片选择辅助信息,相应的,UE从AMF接收第一切片选择辅助信息。示例性地,UE可通过注册接受消息从AMF接收第一切片选择辅助信息。
对于第二种方式,AMF在向UE发送第一切片选择辅助信息之前,可根据第二切片选择辅助信息生成第一切片选择辅助信息。
AMF可采用但不限于如下方式根据第二切片选择辅助信息生成第一切片选择辅助信息。
方式1),AMF生成第一RAND,并根据第二切片选择辅助信息、第一函数以及第一RAND生成第一切片选择辅助信息。其中,第一函数可以是预先存储在AMF的公开函数。例如,以第二切片选择辅助信息为allowed S-NSSAIs、第一函数为f为例,AMF可根据allowed S-NSSAIs、f以及第一RAND生成第一切片选择辅助信息(可记为allowed T-S-NSSAIs),可表示为:allowed T-S-NSSAIs=f 第一RAND(allowed S-NSSAIs)。
基于方式1),一种可能的实现中,AMF可发起对第一切片选择辅助信息的更新流程。示例性地,AMF生成第一RAND’,第一RAND’用于更新第一RAND,AMF根据第二切片选择辅助信息、第一函数以及第一RAND’生成第七切片选择辅助信息,第七切片选择辅助信息用于更新第一切片选择辅助信息,AMF向UE发送第七切片选择辅助信息,进而UE可使用第七切片选择辅助信息更新第一切片选择辅助信息。例如,以第二切片选择辅助信息为allowed S-NSSAIs、第一函数为f为例,AMF可根据allowed S-NSSAIs、f以及第一RAND’生成第七切片选择辅助信息(可记为allowed T-S-NSSAIs’),可表示为:allowed T-S-NSSAIs’=f 第一RAND’(allowed S-NSSAIs),进而AMF可将allowed T-S-NSSAIs’发送至UE,以使UE采用allowed T-S-NSSAIs’更新第一切片选择辅助信息。
可选的,AMF可通过UE配置更新命令(UE configuration update command)向UE发送第七切片选择辅助信息。
Manner 2): the AMF generates a first RAND and generates the first slice selection assistance information from the second slice selection assistance information, the correspondence between multiple RANDs and multiple first mappings, and the first RAND. The correspondence between multiple RANDs and multiple first mappings may be stored in advance in the AMF. For example, when the second slice selection assistance information is allowed NSSAI 2, the correspondence is the one shown in Table 1, and the first RAND is RAND3, the first slice selection assistance information that the AMF generates from allowed NSSAI 2, the correspondence in Table 1, and RAND3 is allowed T-NSSAI 9.
Based on manner 2), in one possible implementation the AMF may initiate an update procedure for the first slice selection assistance information. For example, the AMF generates a first RAND' that is used to update the first RAND, generates eighth slice selection assistance information from the second slice selection assistance information, the correspondence between multiple RANDs and multiple first mappings, and the first RAND' (the eighth slice selection assistance information is used to update the first slice selection assistance information), and sends the eighth slice selection assistance information to the UE, which then uses it to update the first slice selection assistance information. For example, when the second slice selection assistance information is allowed NSSAI 2, the correspondence is the one shown in Table 1, and the first RAND' is RAND2, the eighth slice selection assistance information that the AMF generates from allowed NSSAI 2, the correspondence in Table 1, and RAND2 is allowed T-NSSAI 3, which can then be used to update the first slice selection assistance information.
Optionally, the AMF may send the eighth slice selection assistance information to the UE in a UE configuration update command.
Based on manner 1) or manner 2), the AMF may periodically initiate the update procedure for the first slice selection assistance information according to a second period. For example, the second period may be controlled by a timer: when the timer expires, the AMF may initiate the update procedure for the first slice selection assistance information.
Based on manner 1) or manner 2), in one possible implementation the AMF may further generate a first correspondence from the first slice selection assistance information and the second slice selection assistance information and store it; the first correspondence includes the correspondence between the first slice selection assistance information and the second slice selection assistance information. For example, when the first slice selection assistance information is allowed T-S-NSSAIs and the second slice selection assistance information is allowed S-NSSAIs, the AMF may generate the first correspondence {allowed T-S-NSSAIs, allowed S-NSSAIs} from the two.
Optionally, the AMF may send the first slice selection assistance information to the UE by sending the first correspondence to the UE; that is, the first slice selection assistance information is carried in or contained in the first correspondence.
Optionally, the AMF may send the first correspondence to the UE in a registration accept message.
Based on manner 1), in one possible implementation the AMF may further generate a second correspondence from the first slice selection assistance information and the seventh slice selection assistance information and store it; the second correspondence includes the correspondence between the first slice selection assistance information and the seventh slice selection assistance information.
Optionally, the AMF may send the seventh slice selection assistance information to the UE by sending the second correspondence to the UE; that is, the seventh slice selection assistance information is carried in or contained in the second correspondence.
Optionally, the AMF may send the second correspondence to the UE in a UE configuration update command.
Based on manner 2), in one possible implementation the AMF may further generate a third correspondence from the first slice selection assistance information and the eighth slice selection assistance information and store it; the third correspondence includes the correspondence between the first slice selection assistance information and the eighth slice selection assistance information.
Optionally, the AMF may send the eighth slice selection assistance information to the UE by sending the third correspondence to the UE; that is, the eighth slice selection assistance information is carried in or contained in the third correspondence.
Optionally, the AMF may send the third correspondence to the UE in a UE configuration update command.
Step 102: The UE sends a first registration request message to the NG-RAN, and correspondingly the NG-RAN receives the first registration request message from the UE; the first registration request message includes the first slice selection assistance information.
Step 103: The NG-RAN generates the second slice selection assistance information from the first slice selection assistance information.
In the embodiments of this application, corresponding to the two manners in which the UE generates the first slice selection assistance information from the second slice selection assistance information, the following three manners are provided for the NG-RAN to generate the second slice selection assistance information from the first slice selection assistance information.
Manner I: the NG-RAN generates the second slice selection assistance information from the first slice selection assistance information, the first function, and the first RAND. The first function may be a public function stored in advance in the NG-RAN. As shown in Figure 5, taking 128-NEA1 as the first function: when the UE generates the first slice selection assistance information by feeding the first RAND into 128-NEA1 to produce a KEYStream Block and XORing that KEYStream Block with the second slice selection assistance information, the NG-RAN correspondingly generates the second slice selection assistance information by feeding the first RAND into 128-NEA1 to produce the same KEYStream Block and XORing it with the first slice selection assistance information. In other words, the NG-RAN generates the second slice selection assistance information by performing the inverse of the operation performed by the UE.
Manner II: the NG-RAN generates the second slice selection assistance information from the first slice selection assistance information, the inverse of the first function, and the first RAND. The inverse of the first function may be a public function stored in advance in the NG-RAN. For example, when the first slice selection assistance information is allowed T-S-NSSAIs, the first function is f, and the inverse of the first function is f^{-1}, the NG-RAN may generate the second slice selection assistance information (denoted allowed S-NSSAIs) from allowed T-S-NSSAIs, f^{-1}, and the first RAND, which can be written as: allowed S-NSSAIs = f^{-1}_{first RAND}(allowed T-S-NSSAIs).
Optionally, in manner I or manner II the first function may be an encryption function.
Manner III: the NG-RAN generates the second slice selection assistance information from the first slice selection assistance information, the first RAND, and the correspondence between multiple RANDs and multiple first mappings. The correspondence between multiple RANDs and multiple first mappings may be stored in advance in the NG-RAN.
For example, taking the correspondence shown in Table 1, manner III works as follows. When the first slice selection assistance information is allowed T-NSSAI 3 and the first RAND is RAND1, the second slice selection assistance information that the NG-RAN generates from allowed T-NSSAI 3, RAND1, and the correspondence in Table 1 is allowed NSSAI 3. When the first slice selection assistance information is allowed T-NSSAI 4 and the first RAND is RAND2, the second slice selection assistance information generated from allowed T-NSSAI 4, RAND2, and the correspondence in Table 1 is allowed NSSAI 3. When the first slice selection assistance information is allowed T-NSSAI 9 and the first RAND is RAND3, the second slice selection assistance information generated from allowed T-NSSAI 9, RAND3, and the correspondence in Table 1 is allowed NSSAI 2.
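Manner III above, together with manner 2) at the AMF and method 2 at the UE, describes a lookup table in which the RAND selects one first mapping and the mapping is then read forwards (UE or AMF) or backwards (NG-RAN). The following Python is an added example and not code from the patent. Because Table 1 is an image not reproduced in the text, TABLE_1 is constructed so that it agrees with every worked example the text gives (for instance allowed NSSAI 2 with RAND3 gives allowed T-NSSAI 9); the remaining entries are filler, and all function names are this example's own.

```python
"""Added example (not the patent's own code): the RAND-keyed lookup-table scheme of
manner III / method 2.

Table 1 in the patent is an image that is not reproduced in the text; TABLE_1 below is
CONSTRUCTED so that it agrees with every worked example the text gives, and the
remaining entries are filler. Function names are this example's own.
"""

# Outer key: a RAND; inner dict: one "first mapping" from allowed NSSAI to allowed T-NSSAI.
TABLE_1 = {
    "RAND1": {"allowed NSSAI 1": "allowed T-NSSAI 1",    # text: (NSSAI 1, RAND1) -> T-NSSAI 1
              "allowed NSSAI 2": "allowed T-NSSAI 2",    # filler
              "allowed NSSAI 3": "allowed T-NSSAI 3"},   # text: (NSSAI 3, RAND1) -> T-NSSAI 3
    "RAND2": {"allowed NSSAI 1": "allowed T-NSSAI 5",    # filler
              "allowed NSSAI 2": "allowed T-NSSAI 3",    # text: (NSSAI 2, RAND2) -> T-NSSAI 3
              "allowed NSSAI 3": "allowed T-NSSAI 4"},   # text: (T-NSSAI 4, RAND2) -> NSSAI 3
    "RAND3": {"allowed NSSAI 1": "allowed T-NSSAI 7",    # filler
              "allowed NSSAI 2": "allowed T-NSSAI 9",    # text: (NSSAI 2, RAND3) -> T-NSSAI 9
              "allowed NSSAI 3": "allowed T-NSSAI 20"},  # text: (NSSAI 3, RAND3) -> T-NSSAI 20
}


def table_is_invertible(table):
    """Each per-RAND first mapping must be injective; otherwise the NG-RAN cannot
    recover a unique allowed NSSAI from an allowed T-NSSAI."""
    return all(len(set(mapping.values())) == len(mapping) for mapping in table.values())


def ue_generate(allowed_nssai, rand, table=TABLE_1):
    """UE / AMF side (method 2): forward lookup in the first mapping selected by RAND."""
    return table[rand][allowed_nssai]


def ran_recover(allowed_t_nssai, rand, table=TABLE_1):
    """NG-RAN side (manner III): inverse lookup in the first mapping selected by RAND."""
    inverse = {t_nssai: nssai for nssai, t_nssai in table[rand].items()}
    return inverse[allowed_t_nssai]


def images_across_rands(allowed_nssai, table=TABLE_1):
    """The T-NSSAIs one allowed NSSAI is mapped to under the different RANDs. Distinct
    values are what lets a RAND update change what an observer sees on the air interface."""
    return {table[rand][allowed_nssai] for rand in table}
```

Two properties worth checking in any real table follow directly from the code: every per-RAND mapping must be injective (table_is_invertible), and a stale RAND at the NG-RAN does not fail loudly but yields a different, syntactically valid allowed NSSAI (ran_recover of allowed T-NSSAI 3 gives allowed NSSAI 3 under RAND1 but allowed NSSAI 2 under RAND2), which is why the RAND update must reach the NG-RAN before the UE's next registration.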
In one possible implementation, before performing manner I, manner II, or manner III, the NG-RAN may obtain the first RAND in, but not limited to, the following ways.
Manner a1: the NG-RAN receives the first RAND from the AMF.
Manner a2: the NG-RAN receives a second RAND and a first key from the AMF and generates the first RAND from the second RAND and the first key. For example, the first key may be the base station root key K_gNB. When the first key is K_gNB, the NG-RAN may generate the first RAND using the procedure shown in Figure 4.
Optionally, the NG-RAN may receive the first RAND, or the second RAND and the first key, from the AMF in a key transfer message.
Based on manner a1, in one possible implementation the AMF may initiate an update procedure for the first RAND. For example, the AMF sends a third RAND to the NG-RAN, and correspondingly the NG-RAN receives the third RAND from the AMF; the third RAND is used to update the first RAND.
Based on manner a2, in one possible implementation the AMF may initiate an update procedure for the second RAND. For example, the AMF sends a third RAND to the NG-RAN, and correspondingly the NG-RAN receives the third RAND from the AMF; the third RAND is used to update the second RAND.
Optionally, the AMF may send the third RAND to the NG-RAN in a RAN update message (update RAN).
Step 104: The NG-RAN sends a second registration request message to the AMF; the second registration request message includes the second slice selection assistance information.
With the method provided in this application, when the UE sends slice selection assistance information to the NG-RAN over the AS layer it can send encrypted slice selection assistance information; after receiving it, the NG-RAN can decrypt the slice selection assistance information and send the decrypted slice selection assistance information to the AMF. This protects the slice selection assistance information at the AS layer and thereby prevents leakage of user privacy and slice information, without reducing the availability of the slice selection assistance information at the NG-RAN. Moreover, the encryption method of this application operates at the granularity of the slice selection assistance information: the AS-layer ciphering function need not be enabled and only the slice selection assistance information needs to be encrypted, so the algorithm overhead is small and the choice of algorithm is more flexible.
The two methods by which the UE obtains the first slice selection assistance information are illustrated separately below.
First, the method in which the UE itself generates the first slice selection assistance information.
Based on the network architecture shown in Figure 1, Figure 6a is a schematic flowchart of a communication method provided by an embodiment of this application. In Figure 6a the mobility management network element is the AMF, the access network device is the NG-RAN, and the terminal device is the UE. The method includes the following steps:
Step 201: The UE sends registration request message 1 to the AMF, and the AMF receives registration request message 1 from the UE; registration request message 1 includes requested S-NSSAIs. For example, the UE may send registration request message 1 to the AMF via the NG-RAN.
Step 202: The AMF generates the first RAND or the second RAND and determines allowed S-NSSAIs from the requested S-NSSAIs.
Optionally, after receiving the requested S-NSSAIs the AMF may send them to the UDM or NSSF, which determines the allowed S-NSSAIs from the requested S-NSSAIs and returns the determined allowed S-NSSAIs to the AMF.
Step 203: The AMF sends registration accept message 1 to the UE, and the UE receives registration accept message 1 from the AMF; registration accept message 1 includes the first RAND and the allowed S-NSSAIs, or the second RAND and the allowed S-NSSAIs.
Step 204: The AMF sends key transfer message 1 to the NG-RAN, and the NG-RAN receives key transfer message 1 from the AMF; key transfer message 1 includes the first RAND and K_gNB, or the second RAND and K_gNB.
Note that Figure 6a is only illustrative; in practice it may include more or fewer steps, which this application does not limit.
Figure 6a describes how the UE obtains the first RAND or the second RAND; Figure 6b below describes how the UE generates allowed T-S-NSSAIs from the obtained allowed S-NSSAIs and uses them.
Based on the network architecture shown in Figure 1, Figure 6b is a schematic flowchart of a communication method provided by an embodiment of this application. In Figure 6b the mobility management network element is the AMF, the access network device is the NG-RAN, and the terminal device is the UE. The method includes the following steps:
Step 301: The UE generates allowed T-S-NSSAIs from the allowed S-NSSAIs.
If the UE received the first RAND in step 203, it may generate allowed T-S-NSSAIs with the following methods.
Method 1: the UE generates allowed T-S-NSSAIs from the allowed S-NSSAIs, the stored first function, and the first RAND. For example, with the first function being the public encryption function f, the UE may generate allowed T-S-NSSAIs from allowed S-NSSAIs, f, and the first RAND:
allowed T-S-NSSAIs = f_{first RAND}(allowed S-NSSAIs).
Method 2: the UE generates allowed T-S-NSSAIs from the allowed S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND. For example, with the correspondence being the one in Table 1, the allowed S-NSSAIs being allowed NSSAI 3, and the first RAND being RAND1 in Table 1, the UE may generate allowed T-NSSAI 3 from allowed NSSAI 3, the correspondence in Table 1, and RAND1.
If the UE received the second RAND in step 203, it may generate allowed T-S-NSSAIs with the following methods.
Method a: the UE may derive K_gNB from K_AMF, generate the first RAND from the second RAND and K_gNB, and then generate allowed T-S-NSSAIs from the allowed S-NSSAIs, the stored first function, and the first RAND.
Method b: the UE may derive K_gNB from K_AMF, generate the first RAND from the second RAND and K_gNB, and then generate allowed T-S-NSSAIs from the allowed S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND.
Step 302: The UE sends registration request message 2 to the NG-RAN, and correspondingly the NG-RAN receives registration request message 2 from the UE; registration request message 2 includes the allowed T-S-NSSAIs.
Compared with the prior art, in which the registration request message carries unencrypted allowed S-NSSAIs, with the method of this application the UE carries encrypted allowed T-S-NSSAIs in the registration request message when it initiates the registration procedure, which protects the allowed S-NSSAIs. Moreover, when the method of this application is applied at the AS layer, the allowed S-NSSAIs can be encrypted on their own at the AS layer without enabling the AS-layer ciphering function, which saves network resources.
Step 303: The NG-RAN generates allowed S-NSSAIs from the allowed T-S-NSSAIs.
It will be understood that the NG-RAN uses the decryption method corresponding to the encryption method used by the UE.
If the UE generated allowed T-S-NSSAIs with method 1, the NG-RAN may generate allowed S-NSSAIs from allowed T-S-NSSAIs, the stored first function, and the first RAND. For example, using allowed T-S-NSSAIs, the stored first function, and the first RAND, the NG-RAN may perform the inverse of the operation the UE performed when generating allowed T-S-NSSAIs to obtain allowed S-NSSAIs.
Alternatively, if the UE generated allowed T-S-NSSAIs with method 1, the NG-RAN may generate allowed S-NSSAIs from allowed T-S-NSSAIs, the stored inverse of the first function, and the first RAND. For example, with the inverse of the first function being the inverse f^{-1} of the public encryption function, the NG-RAN may generate allowed S-NSSAIs from allowed T-S-NSSAIs, f^{-1}, and the first RAND:
allowed S-NSSAIs = f^{-1}_{first RAND}(allowed T-S-NSSAIs).
If the UE generated allowed T-S-NSSAIs with method 2, the NG-RAN may generate allowed S-NSSAIs from allowed T-S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND. For example, with the correspondence being the one in Table 1, the allowed T-S-NSSAIs being allowed T-NSSAI 3, and the first RAND being RAND1 in Table 1, the NG-RAN may generate allowed NSSAI 3 from allowed T-NSSAI 3, the correspondence in Table 1, and RAND1.
If the UE generated allowed T-S-NSSAIs with method a, the NG-RAN may generate the first RAND from the second RAND and K_gNB, and then generate allowed S-NSSAIs from allowed T-S-NSSAIs, the stored first function, and the first RAND.
If the UE generated allowed T-S-NSSAIs with method b, the NG-RAN may generate the first RAND from the second RAND and K_gNB, and then generate allowed S-NSSAIs from allowed T-S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND.
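The keystream construction of manner I, the f / f^{-1} notation of manner 1) and manner II, methods 1, a and b of steps 301 and 303, and the RAND update of Figure 6c below all fit one end-to-end model, which the following Python shows as an added example that is not code from the patent. It assumes an HMAC-SHA256 counter-mode keystream keyed only by the RAND as a stand-in for 128-NEA1, an HMAC-SHA256 derivation of the first RAND from K_gNB and the second RAND in place of the page's Figure 4 (not reproduced here), and the S-NSSAI wire encoding of SST (1 octet) followed by SD (3 octets); the function names and the sample values are this example's own.

```python
"""Added example (not the patent's own code): RAND-keyed protection of allowed S-NSSAIs.

Assumptions not on the page: the keystream function is HMAC-SHA256 in counter mode keyed
by the RAND (stand-in for 128-NEA1); the first RAND is derived from K_gNB and the second
RAND with HMAC-SHA256 and a constructed label (the page's Figure 4 is not reproduced);
an S-NSSAI is encoded as SST (1 octet) || SD (3 octets).
"""
import hashlib
import hmac
import secrets


def encode_s_nssais(s_nssais):
    """Serialise [(sst, sd), ...] as SST (1 octet) || SD (3 octets) per entry."""
    out = bytearray()
    for sst, sd in s_nssais:
        if not (0 <= sst <= 0xFF and 0 <= sd <= 0xFFFFFF):
            raise ValueError("SST must fit in 1 octet and SD in 3 octets")
        out.append(sst)
        out += sd.to_bytes(3, "big")
    return bytes(out)


def decode_s_nssais(blob):
    """Inverse of encode_s_nssais; rejects input that is not a whole number of entries."""
    if len(blob) % 4:
        raise ValueError("S-NSSAI list must be a multiple of 4 octets")
    return [(blob[i], int.from_bytes(blob[i + 1:i + 4], "big")) for i in range(0, len(blob), 4)]


def keystream(rand, length):
    """Public keystream function parameterised only by RAND (stand-in for 128-NEA1).

    The page's f is a public function, so all secrecy lives in RAND: the UE gets it in a
    registration accept message and the NG-RAN in a key transfer message."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(rand, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def f_rand(rand, data):
    """f_RAND(data): XOR with the RAND keystream. XOR is an involution, so f^-1 == f."""
    return bytes(a ^ b for a, b in zip(data, keystream(rand, len(data))))


def derive_first_rand(k_gnb, second_rand):
    """Method a/b and manner a2: UE and NG-RAN both derive the first RAND from K_gNB and
    the second RAND (HMAC construction and label are this example's assumption)."""
    return hmac.new(k_gnb, b"first-RAND" + second_rand, hashlib.sha256).digest()[:16]


def ue_generate_t_nssais(allowed_s_nssais, first_rand):
    """Step 301, method 1: allowed T-S-NSSAIs = f_{first RAND}(allowed S-NSSAIs)."""
    return f_rand(first_rand, encode_s_nssais(allowed_s_nssais))


def ran_recover_s_nssais(allowed_t_s_nssais, first_rand):
    """Step 303: the NG-RAN applies the inverse operation with the same first RAND."""
    return decode_s_nssais(f_rand(first_rand, allowed_t_s_nssais))


def demo():
    """Registration with a derived first RAND, then the Figure 6c RAND update."""
    allowed = [(1, 0x000001), (2, 0x0ABCDE)]            # constructed allowed S-NSSAIs
    k_gnb = secrets.token_bytes(32)                     # constructed base station root key
    second_rand = secrets.token_bytes(16)               # carried in registration accept message 1
    first_rand = derive_first_rand(k_gnb, second_rand)  # UE side (method a)
    assert first_rand == derive_first_rand(k_gnb, second_rand)  # NG-RAN side (manner a2)

    t_nssais = ue_generate_t_nssais(allowed, first_rand)     # registration request message 2
    recovered = ran_recover_s_nssais(t_nssais, first_rand)   # registration request message 3

    third_rand = secrets.token_bytes(16)                # UE configuration update command 1
    t_nssais_new = ue_generate_t_nssais(allowed, third_rand)
    return recovered, t_nssais, t_nssais_new


if __name__ == "__main__":
    rec, old, new = demo()
    print("NG-RAN recovered:", rec)
    print("allowed T-S-NSSAIs change after the RAND update:", old != new)
```

Because the keystream depends only on the RAND, the same allowed S-NSSAIs produce the same allowed T-S-NSSAIs in every registration until the RAND changes, which is what the periodic update in Figure 6c addresses; and because XOR is its own inverse, the "inverse operation" of manner I and the f^{-1} of manner II are the same computation. A NG-RAN holding a stale RAND decodes the new allowed T-S-NSSAIs to a well-formed but wrong list rather than failing, so the RAN update message must be applied before the UE's next registration.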
Step 304: The NG-RAN sends registration request message 3 to the AMF; registration request message 3 includes the allowed S-NSSAIs.
Note that Figure 6b is only illustrative; in practice it may include more or fewer steps, which this application does not limit.
The RAND update procedure is described below with reference to Figure 6c.
Based on the network architecture shown in Figure 1, Figure 6c is a schematic flowchart of a communication method provided by an embodiment of this application. In Figure 6c the mobility management network element is the AMF, the access network device is the NG-RAN, and the terminal device is the UE. The method includes the following steps:
Step 401: The AMF generates a third RAND.
Step 402: The AMF sends UE configuration update command 1 to the UE; command 1 includes the third RAND, which is used to update the first RAND or the second RAND.
Optionally, when the UE is in connected state, the network side may set a timer and initiate the above update procedure when the timer expires.
Step 403: The AMF sends RAN update message (update RAN) 1 to the NG-RAN; RAN update message 1 includes the third RAND, which is used to update the first RAND or the second RAND.
Note that after receiving the third RAND from the AMF, the UE may generate new allowed T-S-NSSAIs from the allowed S-NSSAIs, the first function, and the third RAND, and replace the old allowed T-S-NSSAIs with the new ones. When the UE next initiates the registration procedure, it may carry the new allowed T-S-NSSAIs in the registration request message sent to the NG-RAN, and correspondingly the NG-RAN may decrypt the new allowed T-S-NSSAIs with the third RAND using the decryption method described above.
Note that Figure 6c is only illustrative; in practice it may include more or fewer steps, which this application does not limit.
Second, the method in which the UE receives the first slice selection assistance information from the AMF. This method may include the following three procedures.
Based on the network architecture shown in Figure 1, Figure 7a is a schematic flowchart of a communication method provided by an embodiment of this application. In Figure 7a the mobility management network element is the AMF, the access network device is the NG-RAN, and the terminal device is the UE. The method includes the following steps:
Step 501: The UE sends registration request message 4 to the AMF, and the AMF receives registration request message 4 from the UE; registration request message 4 includes requested S-NSSAIs. For example, the UE may send registration request message 4 to the AMF via the NG-RAN.
Step 502: The AMF determines allowed S-NSSAIs from the requested S-NSSAIs, generates allowed T-S-NSSAIs from the allowed S-NSSAIs, and generates the correspondence {allowed T-S-NSSAIs, allowed S-NSSAIs} from the allowed S-NSSAIs and the allowed T-S-NSSAIs.
Optionally, after receiving the requested S-NSSAIs the AMF may send them to the UDM or NSSF, which determines the allowed S-NSSAIs from the requested S-NSSAIs and returns the determined allowed S-NSSAIs to the AMF.
The AMF may generate allowed T-S-NSSAIs with, but not limited to, the following methods:
Method 1: the AMF generates a first RAND and generates allowed T-S-NSSAIs from the allowed S-NSSAIs, the stored first function, and the first RAND. For example, with the first function being the public encryption function f, the AMF may generate allowed T-S-NSSAIs from allowed S-NSSAIs, f, and the first RAND:
allowed T-S-NSSAIs = f_{first RAND}(allowed S-NSSAIs).
Method 2: the AMF generates a first RAND and generates allowed T-S-NSSAIs from the allowed S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND. For example, with the correspondence being the one in Table 1, the allowed S-NSSAIs being allowed NSSAI 3, and the first RAND being RAND1 in Table 1, the AMF may generate allowed T-NSSAI 3 from allowed NSSAI 3, the correspondence in Table 1, and RAND1.
Step 503: The AMF sends registration accept message 4 to the UE, and the UE receives registration accept message 4 from the AMF; registration accept message 4 includes the correspondence {allowed T-S-NSSAIs, allowed S-NSSAIs}.
Step 504: The AMF sends key transfer message 2 to the NG-RAN, and the NG-RAN receives key transfer message 2 from the AMF; key transfer message 2 includes the first RAND and K_gNB.
Note that Figure 7a is only illustrative; in practice it may include more or fewer steps, which this application does not limit.
Figure 7a describes how the UE obtains the correspondence {allowed T-S-NSSAIs, allowed S-NSSAIs}; Figure 7b below describes how the UE uses that correspondence.
Based on the network architecture shown in Figure 1, Figure 7b is a schematic flowchart of a communication method provided by an embodiment of this application. In Figure 7b the mobility management network element is the AMF, the access network device is the NG-RAN, and the terminal device is the UE. The method includes the following steps:
Step 601: The UE determines, from the correspondence {allowed T-S-NSSAIs, allowed S-NSSAIs}, the allowed T-S-NSSAIs to use for initiating the registration request.
Step 602: The UE sends registration request message 5 to the NG-RAN, and correspondingly the NG-RAN receives registration request message 5 from the UE; registration request message 5 includes the allowed T-S-NSSAIs.
Compared with the prior art, in which the registration request message carries unencrypted allowed S-NSSAIs, with the method of this application the UE carries encrypted allowed T-S-NSSAIs in the registration request message when it initiates the registration procedure, which protects the allowed S-NSSAIs. Moreover, when the method of this application is applied at the AS layer, the allowed S-NSSAIs can be encrypted on their own at the AS layer without enabling the AS-layer ciphering function, which saves network resources.
Step 603: The NG-RAN generates allowed S-NSSAIs from the allowed T-S-NSSAIs.
It will be understood that the NG-RAN uses the decryption method corresponding to the encryption method used by the AMF.
If the AMF generated allowed T-S-NSSAIs with method 1, the NG-RAN may generate allowed S-NSSAIs from allowed T-S-NSSAIs, the stored first function, and the first RAND. For example, using allowed T-S-NSSAIs, the stored first function, and the first RAND, the NG-RAN may perform the inverse of the operation the AMF performed when generating allowed T-S-NSSAIs to obtain allowed S-NSSAIs.
Alternatively, if the AMF generated allowed T-S-NSSAIs with method 1, the NG-RAN may generate allowed S-NSSAIs from allowed T-S-NSSAIs, the stored inverse of the first function, and the first RAND. For example, with the inverse of the first function being the inverse f^{-1} of the public encryption function, the NG-RAN may generate allowed S-NSSAIs from allowed T-S-NSSAIs, f^{-1}, and the first RAND:
allowed S-NSSAIs = f^{-1}_{first RAND}(allowed T-S-NSSAIs).
If the AMF generated allowed T-S-NSSAIs with method 2, the NG-RAN may generate allowed S-NSSAIs from allowed T-S-NSSAIs, the correspondence between multiple RANDs and multiple first mappings, and the first RAND. For example, with the correspondence being the one in Table 1, the allowed T-S-NSSAIs being allowed T-NSSAI 3, and the first RAND being RAND1 in Table 1, the NG-RAN may generate allowed NSSAI 3 from allowed T-NSSAI 3, the correspondence in Table 1, and RAND1.
Step 604: The NG-RAN sends registration request message 6 to the AMF; registration request message 6 includes the allowed S-NSSAIs.
Note that Figure 7b is only illustrative; in practice it may include more or fewer steps, which this application does not limit.
The update procedure for the correspondence {allowed T-S-NSSAIs, allowed S-NSSAIs} is described below with reference to Figure 7c.
Based on the network architecture shown in Figure 1, Figure 7c is a schematic flowchart of a communication method provided by an embodiment of this application. In Figure 7c the mobility management network element is the AMF, the access network device is the NG-RAN, and the terminal device is the UE. The method includes the following steps:
Step 701: The AMF generates a first RAND' used to update the first RAND, and generates allowed T-S-NSSAIs' from the first RAND', the allowed S-NSSAIs, and the first function; or from the first RAND', the allowed S-NSSAIs, and the inverse of the first function; or from the first RAND', the allowed S-NSSAIs, and the correspondence between multiple RANDs and multiple first mappings. The AMF then generates the new correspondence {allowed T-S-NSSAIs', allowed S-NSSAIs} from the allowed S-NSSAIs and allowed T-S-NSSAIs'.
Step 702: The AMF sends UE configuration update command 2 to the UE; command 2 includes the new correspondence {allowed T-S-NSSAIs', allowed S-NSSAIs}.
Optionally, when the UE is in connected state, the network side may set a timer and initiate this update procedure when the timer expires.
Step 703: The AMF sends RAN update message (update RAN) 2 to the NG-RAN; RAN update message 2 includes the first RAND'.
Note that after receiving the new correspondence {allowed T-S-NSSAIs', allowed S-NSSAIs} from the AMF, the UE may replace the old correspondence {allowed T-S-NSSAIs, allowed S-NSSAIs} with the new one. When the UE next initiates the registration procedure, it may carry allowed T-S-NSSAIs' in the registration request message sent to the NG-RAN, and correspondingly the NG-RAN may decrypt allowed T-S-NSSAIs' with the first RAND' using the decryption method described above.
Note that Figure 7c is only illustrative; in practice it may include more or fewer steps, which this application does not limit.
The solution provided by this application has been described above mainly from the perspective of interaction between the network elements. It will be understood that, to implement the above functions, each network element includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a given function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of this invention.
Embodiments of this application may divide the access network device, the terminal device, and the mobility management network element into functional units according to the method examples above; for example, each functional unit may correspond to one function, or two or more functions may be integrated into one processing unit. The integrated unit may be implemented in hardware or as a software functional unit.
Based on the same inventive concept, embodiments of this application also provide apparatuses for implementing any of the above methods. For example, one apparatus includes units (or means) for implementing each step performed by the access network device in any of the above methods. Another apparatus includes units (or means) for implementing each step performed by the terminal in any of the above methods. Yet another apparatus includes units (or means) for implementing each step performed by the core network device in any of the above methods.
An embodiment of this application provides a communication apparatus 800, which may be applied to a terminal device. Figure 8 is a schematic structural diagram of the communication apparatus 800; as shown in Figure 8, the communication apparatus 800 may include an obtaining unit 801 and a sending unit 802, and in implementation may further include a processing unit 803 and a receiving unit 804. The obtaining unit 801 may be used to obtain first slice selection assistance information, which is obtained by encrypting second slice selection assistance information; the sending unit 802 may be used to send a first registration request message to an access network device, the first registration request message including the first slice selection assistance information.
In one possible design, the processing unit 803 may be used to generate the first slice selection assistance information from the second slice selection assistance information.
In one possible design, the processing unit 803 is specifically used to generate the first slice selection assistance information from the second slice selection assistance information, a first function, and a first random number RAND.
In one possible design, the receiving unit 804 may be used to receive the first RAND from a mobility management network element. Alternatively, the receiving unit 804 may be used to receive a second RAND from a mobility management network element, and the processing unit 803 may be used to generate the first RAND from the second RAND and a first key.
In one possible design, the processing unit 803 may further be used to derive the first key from a locally stored second key.
In one possible design, the receiving unit 804 may further be used to receive a third RAND from the mobility management network element, the third RAND being used to update the first RAND or the second RAND;
when the third RAND is used to update the first RAND, the processing unit 803 may further be used to generate third slice selection assistance information from the second slice selection assistance information, the first function, and the third RAND;
or,
when the third RAND is used to update the second RAND, the processing unit 803 may further be used to generate fourth slice selection assistance information from the second slice selection assistance information, the first function, the first key, and the third RAND;
the processing unit 803 may further be used to update the first slice selection assistance information with the fourth slice selection assistance information.
In one possible design, the receiving unit 804 may further be used to receive the first slice selection assistance information from the mobility management network element.
In one possible design, the receiving unit 804 is specifically used to receive a first correspondence from the mobility management network element, the first correspondence including the correspondence between the first slice selection assistance information and the second slice selection assistance information.
In one possible design, the receiving unit 804 may further be used to receive third slice selection assistance information from the mobility management network element, the third slice selection assistance information being used to update the first slice selection assistance information;
the processing unit 803 may further be used to update the first slice selection assistance information with the third slice selection assistance information.
In one possible design, the receiving unit 804 may further be used to receive a second correspondence from the mobility management network element, the second correspondence including the correspondence between the second slice selection assistance information and the third slice selection assistance information.
In one possible design, the first function includes an encryption function; or the first function includes a correspondence between multiple RANDs and multiple first mappings, where each first mapping includes a mapping between multiple pieces of first slice selection assistance information and multiple pieces of second slice selection assistance information, and/or a mapping between multiple pieces of third slice selection assistance information and multiple pieces of second slice selection assistance information, and/or a mapping between multiple pieces of fourth slice selection assistance information and multiple pieces of second slice selection assistance information.
An embodiment of this application provides a communication apparatus 900, which may be applied to an access network device. Figure 9 is a schematic structural diagram of the communication apparatus 900; as shown in Figure 9, the communication apparatus 900 may include a receiving unit 901, a processing unit 902, and a sending unit 903. The receiving unit 901 may be used to receive a first registration request message from a terminal device, the first registration request message including first slice selection assistance information, which is obtained by encrypting second slice selection assistance information, the second slice selection assistance information being selection assistance information of the slices the terminal device is allowed to access; the processing unit 902 may be used to generate the second slice selection assistance information from the first slice selection assistance information; and the sending unit 903 may be used to send a second registration request message, including the second slice selection assistance information, to a mobility management network element.
In one possible design, the processing unit 902 may specifically be used to generate the second slice selection assistance information from the first slice selection assistance information, a first function, and a first random number RAND; or from the first slice selection assistance information, the inverse of the first function, and the first random number RAND.
In one possible design, the receiving unit 901 is further used to receive the first RAND from the mobility management network element;
or, to receive a second RAND and a first key from the mobility management network element;
and the processing unit 902 may be used to generate the first RAND from the second RAND and the first key.
In one possible design, the receiving unit 901 is further used to receive a third RAND from the mobility management network element, the third RAND being used to update the first RAND or the second RAND.
In one possible design, the first function includes an encryption function; or the first function includes a correspondence between multiple RANDs and multiple first mappings, where each first mapping includes a mapping between multiple pieces of first slice selection assistance information and multiple pieces of second slice selection assistance information.
An embodiment of this application provides a communication apparatus 1000, which may be applied to a mobility management network element. Figure 10 is a schematic structural diagram of the communication apparatus 1000; as shown in Figure 10, the communication apparatus 1000 may include a receiving unit 1001 and a sending unit 1002, and in implementation may further include a processing unit 1003 and a storage unit 1004. The receiving unit 1001 may be used to receive a registration request message from a terminal device, the registration request message including selection assistance information of the slices requested for access; the sending unit 1002 may be used to send a registration accept message to the terminal device after a security context has been established, the registration accept message including first slice selection assistance information, which is obtained by encrypting second slice selection assistance information, the second slice selection assistance information being selection assistance information of the slices the terminal device is allowed to access.
In one possible design, the processing unit 1003 may be used to determine the second slice selection assistance information from the selection assistance information of the slices requested for access, and to generate the first slice selection assistance information from the second slice selection assistance information.
In one possible design, the processing unit 1003 is further used to generate a first random number RAND and to generate the first slice selection assistance information from the second slice selection assistance information, a first function, and the first RAND.
In one possible design, the processing unit 1003 is further used to generate a first correspondence from the first slice selection assistance information and the second slice selection assistance information; the storage unit 1004 is used to store the first correspondence, which includes the correspondence between the first slice selection assistance information and the second slice selection assistance information.
In one possible design, the registration accept message includes the first correspondence, and the first slice selection assistance information is contained in the first correspondence.
In one possible design, the sending unit 1002 may be used to send the first RAND to the access network device that the terminal device accesses.
In one possible design, the processing unit 1003 is further used to generate a second RAND used to update the first RAND, and to generate third slice selection assistance information from the second slice selection assistance information, the first function, and the second RAND, the third slice selection assistance information being used to update the first slice selection assistance information; the sending unit 1002 is further used to send the third slice selection assistance information to the terminal device.
In one possible design, the processing unit 1003 is further used to generate a second correspondence from the second slice selection assistance information and the third slice selection assistance information; the storage unit 1004 is further used to store the second correspondence, which includes the correspondence between the second slice selection assistance information and the third slice selection assistance information; and the sending unit 1002 is further used to send the second correspondence to the terminal device.
In one possible design, the sending unit 1002 is further used to send the second RAND to the access network device that the terminal device accesses.
In one possible design, the first function includes an encryption function; or the first function includes a correspondence between multiple RANDs and multiple first mappings, where each first mapping includes a mapping between multiple pieces of first slice selection assistance information and multiple pieces of second slice selection assistance information, and/or a mapping between multiple pieces of third slice selection assistance information and multiple pieces of second slice selection assistance information.
It should be understood that the division of units in the above apparatuses is merely a division by logical function; in actual implementation they may be wholly or partly integrated into one physical entity or physically separated. The units in an apparatus may all be implemented as software invoked by a processing element, all in hardware, or some as software invoked by a processing element and some in hardware. For example, each unit may be a separately provided processing element, or may be integrated in a chip of the apparatus; a unit may also be stored in memory as a program that a processing element of the apparatus invokes to perform the unit's function. The units may be integrated together wholly or in part, or implemented independently. The processing element here may also be called a processor and may be an integrated circuit with signal processing capability. In implementation, the steps of the above methods or the above units may be performed by integrated logic circuits in hardware within a processor element, or as software invoked by a processing element.
In one example, the units of any of the above apparatuses may be one or more integrated circuits configured to implement the above methods, such as one or more application specific integrated circuits (ASIC), one or more digital signal processors (DSP), one or more field programmable gate arrays (FPGA), or a combination of at least two of these. As another example, when the units of an apparatus are implemented as a processing element scheduling a program, the processing element may be a general-purpose processor, such as a central processing unit (CPU) or another processor capable of invoking a program. As yet another example, the units may be integrated together and implemented as a system-on-a-chip (SOC).
The receiving unit above is an interface circuit of the apparatus for receiving signals from other apparatuses. For example, when the apparatus is implemented as a chip, the receiving unit is the interface circuit by which the chip receives signals from other chips or apparatuses. The sending unit above is an interface circuit of the apparatus for sending signals to other apparatuses. For example, when the apparatus is implemented as a chip, the sending unit is the interface circuit by which the chip sends signals to other chips or apparatuses.
Refer to Figure 11, a schematic structural diagram of a terminal device provided by an embodiment of this application. It may be the terminal device in the above embodiments and is used to implement the terminal device's operations in those embodiments. As shown in Figure 11, the terminal device includes an antenna 1101, a radio frequency part 1102, and a signal processing part 1103. The antenna 1101 is connected to the radio frequency part 1102. In the downlink direction, the radio frequency part 1102 receives information sent by a network device through the antenna 1101 and passes it to the signal processing part 1103 for processing. In the uplink direction, the signal processing part 1103 processes the terminal device's information and passes it to the radio frequency part 1102, which processes it and sends it to the network device through the antenna 1101.
The signal processing part 1103 may include a modem subsystem for processing the communication protocol layers of the data; a central processing subsystem for the terminal device's operating system and application layer; and other subsystems, such as a multimedia subsystem that controls the terminal device's camera, screen display, and so on, and a peripheral subsystem that connects to other devices. The modem subsystem may be a separately provided chip. Optionally, the above apparatus for the terminal device may be located in the modem subsystem.
The modem subsystem may include one or more processing elements 11031, for example a master CPU and other integrated circuits. It may further include a storage element 11032 and an interface circuit 11033. The storage element 11032 stores data and programs, although the program for performing the terminal device's method above may instead be stored in memory outside the modem subsystem and loaded by the modem subsystem when used. The interface circuit 11033 communicates with other subsystems. The above apparatus for the terminal device may be located in the modem subsystem, which may be implemented as a chip including at least one processing element and an interface circuit, where the processing element performs the steps of any method performed by the terminal device above and the interface circuit communicates with other apparatuses. In one implementation, the units by which the terminal device implements the steps of the above methods may be implemented as a processing element scheduling a program: for example, the apparatus applied to the terminal device includes a processing element and a storage element, and the processing element invokes the program stored in the storage element to perform the method performed by the terminal device in the above method embodiments. The storage element may be on the same chip as the processing element, i.e. an on-chip storage element.
In another implementation, the program for performing the terminal device's method may be in a storage element on a different chip from the processing element, i.e. an off-chip storage element. In that case the processing element invokes or loads the program from the off-chip storage element into the on-chip storage element to invoke and perform the method performed by the terminal device in the above method embodiments.
In yet another implementation, the units by which the apparatus applied to the terminal device implements the steps of the above methods may be configured as one or more processing elements provided on the modem subsystem; these processing elements may be integrated circuits, such as one or more ASICs, one or more DSPs, one or more FPGAs, or a combination of such integrated circuits. These integrated circuits may be integrated together to form a chip.
The units by which the terminal device implements the steps of the above methods may be integrated together and implemented as a system-on-a-chip (SOC), the SOC chip being used to implement the above methods. The chip may integrate at least one processing element and a storage element, with the processing element invoking the program stored in the storage element to implement the method performed by the terminal device; or it may integrate at least one integrated circuit for implementing the method performed by the terminal device; or the above approaches may be combined, with the functions of some units implemented by a processing element invoking a program and those of others by integrated circuits.
Thus, the apparatus applied to the terminal device may include at least one processing element and an interface circuit, where the at least one processing element performs any of the methods performed by the terminal device in the above method embodiments. The processing element may perform some or all of the terminal device's steps in a first way, by invoking a program stored in the storage element; or in a second way, by integrated logic circuits in hardware within the processor element combined with instructions; or by combining the first and second ways.
The processing element here, as described above, may be a general-purpose processor such as a CPU, or one or more integrated circuits configured to implement the above methods, such as one or more ASICs, one or more DSPs, one or more FPGAs, or a combination of at least two of these.
The storage element may be a single memory or a collective term for multiple storage elements.
Refer to Figure 12, a schematic structural diagram of an access network device provided by an embodiment of this application, used to implement the access network device's operations in the above embodiments. As shown in Figure 12, the access network device includes an antenna 1201, a radio frequency apparatus 1202, and a baseband apparatus 1203. The antenna 1201 is connected to the radio frequency apparatus 1202. In the uplink direction, the radio frequency apparatus 1202 receives information sent by a terminal device through the antenna 1201 and passes it to the baseband apparatus 1203 for processing. In the downlink direction, the baseband apparatus 1203 processes the terminal device's information and passes it to the radio frequency apparatus 1202, which processes it and sends it to the terminal device through the antenna 1201.
The baseband apparatus 1203 may include one or more processing elements 12031, for example a master CPU and other integrated circuits. It may further include a storage element 12032 for storing programs and data and an interface circuit 12033 for exchanging information with the radio frequency apparatus 1202, for example a common public radio interface (CPRI). The above apparatus applied to the access network device may be located in the baseband apparatus 1203, for example as a chip on the baseband apparatus 1203 that includes at least one processing element and an interface circuit, where the processing element performs the steps of any method performed by the access network device above and the interface circuit communicates with other apparatuses. In one implementation, the units by which the access network device implements the steps of the above methods may be implemented as a processing element scheduling a program: for example, the apparatus applied to the access network device includes a processing element and a storage element, and the processing element invokes the program stored in the storage element to perform the method performed by the access network device in the above method embodiments. The storage element may be on the same chip as the processing element (an on-chip storage element) or on a different chip (an off-chip storage element).
In another implementation, the units by which the apparatus applied to the access network device implements the steps of the above methods may be configured as one or more processing elements provided on the baseband apparatus; these processing elements may be integrated circuits, such as one or more ASICs, one or more DSPs, one or more FPGAs, or a combination of such integrated circuits. These integrated circuits may be integrated together to form a chip.
The units by which the access network device implements the steps of the above methods may be integrated together and implemented as a system-on-a-chip (SOC); for example, the baseband apparatus includes the SOC chip, which is used to implement the above methods. The chip may integrate at least one processing element and a storage element, with the processing element invoking the program stored in the storage element to implement the method performed by the access network device; or it may integrate at least one integrated circuit for implementing the method performed by the access network device; or the above approaches may be combined, with the functions of some units implemented by a processing element invoking a program and those of others by integrated circuits.
Thus, the apparatus applied to the access network device may include at least one processing element and an interface circuit, where the at least one processing element performs any of the methods performed by the access network device in the above method embodiments. The processing element may perform some or all of the access network device's steps in a first way, by invoking a program stored in the storage element; or in a second way, by integrated logic circuits in hardware within the processor element combined with instructions; or by combining the first and second ways.
The processing element here, as described above, may be a general-purpose processor such as a CPU, or one or more integrated circuits configured to implement the above methods, such as one or more ASICs, one or more DSPs, one or more FPGAs, or a combination of at least two of these.
The storage element may be a single memory or a collective term for multiple storage elements.
Refer to Figure 13, a schematic structural diagram of a mobility management network element provided by an embodiment of this application. It may be the mobility management network element in the above embodiments and is used to implement its operations in those embodiments. As shown in Figure 13, the mobility management network element includes a processor 1310, a memory 1320, and an interface 1330, which are signal-connected to one another. The functions of the units may be implemented by the processor 1310 invoking a program stored in the memory 1320. The processor here may be an integrated circuit with signal processing capability, such as a CPU. Alternatively, the functions of the units may be implemented by one or more integrated circuits configured to implement the above methods, such as one or more ASICs, one or more DSPs, one or more FPGAs, or a combination of at least two of these; or the above approaches may be combined.
Those of ordinary skill in the art will understand that the ordinal numbers "first", "second", and so on in this application are used only to distinguish items for convenience of description; they neither limit the scope of the embodiments nor indicate an order. "And/or" describes an association between associated objects and indicates that three relationships may exist: for example, "A and/or B" may mean A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the associated objects. "At least one" means one or more; "at least two" means two or more. "At least one", "any one", or similar expressions refer to any combination of the items, including any combination of single or multiple items. For example, at least one of a, b, or c may mean a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b, and c may be singular or plural. "Multiple" means two or more, and other quantifiers are similar. In addition, an element appearing in the singular form "a", "an", or "the" means "one or more than one", not "one or only one", unless the context clearly indicates otherwise; for example, "a device" means one or more such devices.
The above embodiments may be implemented wholly or partly in software, hardware, firmware, or any combination of these. When implemented in software, they may be implemented wholly or partly as a computer program product comprising one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are wholly or partly produced. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server, or data center to another by wired (e.g. coaxial cable, optical fibre, digital subscriber line (DSL)) or wireless (e.g. infrared, radio, microwave) means. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g. floppy disk, hard disk, magnetic tape), an optical medium (e.g. DVD), or a semiconductor medium (e.g. solid state disk (SSD)).
The illustrative logic units and circuits described in the embodiments of this application may be implemented or operated by a general-purpose processor, a digital signal processor, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these designed to perform the described functions. The general-purpose processor may be a microprocessor, or optionally any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, for example a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors together with a digital signal processor core, or any other similar configuration.
The steps of the methods or algorithms described in the embodiments of this application may be embedded directly in hardware, in a software unit executed by a processor, or in a combination of the two. The software unit may be stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, the storage medium may be connected to the processor so that the processor can read information from and write information to it; optionally, the storage medium may be integrated into the processor. The processor and the storage medium may be provided in an ASIC.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.
Although this application has been described with reference to specific features and embodiments, it is evident that various modifications and combinations may be made without departing from its spirit and scope. Accordingly, the specification and drawings are merely illustrative of this application as defined by the appended claims and are deemed to cover any and all modifications, variations, combinations, or equivalents within its scope. Clearly, those skilled in the art can make various changes and variations to this application without departing from its scope; if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application is intended to include them as well.

Claims (29)

  1. A communication method, characterized by comprising:
    a terminal device obtaining first slice selection assistance information, wherein the first slice selection assistance information is obtained by encrypting second slice selection assistance information, and the second slice selection assistance information is selection assistance information of slices that the terminal device is allowed to access;
    the terminal device sending a first registration request message to an access network device, wherein the first registration request message includes the first slice selection assistance information.
  2. The method according to claim 1, wherein the terminal device obtaining first slice selection assistance information comprises:
    the terminal device generating the first slice selection assistance information from the second slice selection assistance information.
  3. The method according to claim 2, wherein the terminal device generating the first slice selection assistance information from the second slice selection assistance information comprises:
    the terminal device generating the first slice selection assistance information from the second slice selection assistance information, a first function, and a first random number RAND.
  4. The method according to claim 3, wherein before the terminal device generates the first slice selection assistance information from the second slice selection assistance information, the first function, and the first RAND, the method further comprises:
    the terminal device receiving the first RAND from a mobility management network element; or,
    the terminal device receiving a second RAND from a mobility management network element;
    the terminal device generating the first RAND from the second RAND and a first key.
  5. The method according to claim 4, wherein before the terminal device generates the first RAND from the second RAND and the first key, the method further comprises:
    the terminal device deriving the first key from a locally stored second key.
  6. The method according to claim 4 or 5, further comprising:
    the terminal device receiving a third RAND from the mobility management network element, wherein the third RAND is used to update the first RAND or the second RAND;
    when the third RAND is used to update the first RAND, the terminal device generating third slice selection assistance information from the second slice selection assistance information, the first function, and the third RAND; or,
    when the third RAND is used to update the second RAND, the terminal device generating fourth slice selection assistance information from the second slice selection assistance information, the first function, the first key, and the third RAND;
    the terminal device updating the first slice selection assistance information with the fourth slice selection assistance information.
  7. The method according to claim 1, wherein the terminal device obtaining first slice selection assistance information comprises:
    the terminal device receiving the first slice selection assistance information from a mobility management network element.
  8. The method according to claim 7, wherein the terminal device receiving the first slice selection assistance information from the mobility management network element comprises:
    the terminal device receiving a first correspondence from the mobility management network element, wherein the first correspondence includes the correspondence between the first slice selection assistance information and the second slice selection assistance information.
  9. The method according to claim 7 or 8, further comprising:
    the terminal device receiving third slice selection assistance information from the mobility management network element, wherein the third slice selection assistance information is used to update the first slice selection assistance information;
    the terminal device updating the first slice selection assistance information with the third slice selection assistance information.
  10. The method according to claim 9, wherein the terminal device receiving third slice selection assistance information from the mobility management network element comprises:
    the terminal device receiving a second correspondence from the mobility management network element, wherein the second correspondence includes the correspondence between the second slice selection assistance information and the third slice selection assistance information.
  11. The method according to claim 6, 9, or 10, wherein the first function includes an encryption function; or the first function includes a correspondence between multiple RANDs and multiple first mappings, wherein each first mapping includes a mapping between multiple pieces of the first slice selection assistance information and multiple pieces of the second slice selection assistance information, and/or a mapping between multiple pieces of the third slice selection assistance information and multiple pieces of the second slice selection assistance information, and/or a mapping between multiple pieces of the fourth slice selection assistance information and multiple pieces of the second slice selection assistance information.
  12. A communication method, characterized by comprising:
    an access network device receiving a first registration request message from a terminal device, wherein the first registration request message includes first slice selection assistance information, the first slice selection assistance information is obtained by encrypting second slice selection assistance information, and the second slice selection assistance information is selection assistance information of slices that the terminal device is allowed to access;
    the access network device generating the second slice selection assistance information from the first slice selection assistance information;
    the access network device sending a second registration request message to a mobility management network element, wherein the second registration request message includes the second slice selection assistance information.
  13. The method according to claim 12, wherein the access network device generating the second slice selection assistance information from the first slice selection assistance information comprises:
    the access network device generating the second slice selection assistance information from the first slice selection assistance information, a first function, and a first random number RAND; or,
    the access network device generating the second slice selection assistance information from the first slice selection assistance information, the inverse of a first function, and a first random number RAND.
  14. The method according to claim 13, wherein before the access network device generates the second slice selection assistance information from the first slice selection assistance information, the first function, and the first RAND, the method further comprises:
    the access network device receiving the first RAND from the mobility management network element; or,
    the access network device receiving a second RAND and a first key from the mobility management network element and generating the first RAND from the second RAND and the first key.
  15. The method according to claim 13 or 14, further comprising:
    the access network device receiving a third RAND from the mobility management network element, wherein the third RAND is used to update the first RAND or the second RAND.
  16. The method according to any one of claims 13 to 15, wherein the first function includes an encryption function; or the first function includes a correspondence between multiple RANDs and multiple first mappings, wherein each first mapping includes a mapping between multiple pieces of the first slice selection assistance information and multiple pieces of the second slice selection assistance information.
  17. A communication method, characterized by comprising:
    a mobility management network element receiving a registration request message from a terminal device, wherein the registration request message includes selection assistance information of slices requested for access;
    after establishing a security context, the mobility management network element sending a registration accept message to the terminal device, wherein the registration accept message includes first slice selection assistance information, the first slice selection assistance information is obtained by encrypting second slice selection assistance information, and the second slice selection assistance information is selection assistance information of slices that the terminal device is allowed to access.
  18. The method according to claim 17, wherein before sending the registration accept message to the terminal device, the method further comprises:
    the mobility management network element determining the second slice selection assistance information from the selection assistance information of the slices requested for access;
    the mobility management network element generating the first slice selection assistance information from the second slice selection assistance information.
  19. The method according to claim 18, wherein the mobility management network element generating the first slice selection assistance information from the second slice selection assistance information comprises:
    the mobility management network element generating a first random number RAND;
    the mobility management network element generating the first slice selection assistance information from the second slice selection assistance information, a first function, and the first RAND.
  20. The method according to claim 19, further comprising:
    the mobility management network element generating a first correspondence from the first slice selection assistance information and the second slice selection assistance information and storing the first correspondence, wherein the first correspondence includes the correspondence between the first slice selection assistance information and the second slice selection assistance information.
  21. The method according to claim 20, wherein the registration accept message includes the first correspondence, and the first slice selection assistance information is contained in the first correspondence.
  22. The method according to any one of claims 19 to 21, further comprising:
    the mobility management network element sending the first RAND to the access network device that the terminal device accesses.
  23. The method according to any one of claims 19 to 22, further comprising:
    the mobility management network element generating a second RAND, wherein the second RAND is used to update the first RAND;
    the mobility management network element generating third slice selection assistance information from the second slice selection assistance information, the first function, and the second RAND, wherein the third slice selection assistance information is used to update the first slice selection assistance information;
    the mobility management network element sending the third slice selection assistance information to the terminal device.
  24. The method according to claim 23, further comprising:
    the mobility management network element generating a second correspondence from the second slice selection assistance information and the third slice selection assistance information and storing the second correspondence, wherein the second correspondence includes the correspondence between the second slice selection assistance information and the third slice selection assistance information;
    and wherein the mobility management network element sending the third slice selection assistance information to the terminal device comprises:
    the mobility management network element sending the second correspondence to the terminal device.
  25. The method according to claim 23 or 24, further comprising:
    the mobility management network element sending the second RAND to the access network device that the terminal device accesses.
  26. The method according to any one of claims 23 to 25, wherein the first function includes an encryption function; or the first function includes a correspondence between multiple RANDs and multiple first mappings, wherein each first mapping includes a mapping between multiple pieces of the first slice selection assistance information and multiple pieces of the second slice selection assistance information, and/or a mapping between multiple pieces of the third slice selection assistance information and multiple pieces of the second slice selection assistance information.
  27. A communication apparatus for a terminal device, characterized by comprising: units for performing the steps of any one of claims 1 to 11.
  28. A communication apparatus for an access network device, characterized by comprising: units for performing the steps of any one of claims 12 to 16.
  29. A communication apparatus for a mobility management network element, characterized by comprising: units for performing the steps of any one of claims 17 to 26.
PCT/CN2019/084657 2019-04-26 2019-04-26 Communication method and apparatus WO2020215331A1 (zh)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP19926409.4A EP3952374B1 (en) 2019-04-26 2019-04-26 Communication method and apparatus
CN201980088829.2A CN113302958B (zh) 2019-04-26 2019-04-26 Communication method and apparatus
PCT/CN2019/084657 WO2020215331A1 (zh) 2019-04-26 2019-04-26 Communication method and apparatus
US17/452,185 US11956715B2 (en) 2019-04-26 2021-10-25 Communications method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/084657 WO2020215331A1 (zh) 2019-04-26 2019-04-26 Communication method and apparatus

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/452,185 Continuation US11956715B2 (en) 2019-04-26 2021-10-25 Communications method and apparatus

Publications (1)

Publication Number Publication Date
WO2020215331A1 true WO2020215331A1 (zh) 2020-10-29

Family

ID=72940821

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/084657 WO2020215331A1 (zh) 2019-04-26 2019-04-26 Communication method and apparatus

Country Status (4)

Country Link
US (1) US11956715B2 (zh)
EP (1) EP3952374B1 (zh)
CN (1) CN113302958B (zh)
WO (1) WO2020215331A1 (zh)


Also Published As

Publication number Publication date
CN113302958A (zh) 2021-08-24
US11956715B2 (en) 2024-04-09
CN113302958B (zh) 2023-01-06
EP3952374B1 (en) 2024-06-05
EP3952374A4 (en) 2022-04-13
EP3952374A1 (en) 2022-02-09
US20220046532A1 (en) 2022-02-10


Legal Events

Code Title Details
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19926409; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
ENP Entry into the national phase (Ref document number: 2019926409; Country of ref document: EP; Effective date: 20211105)