WO2020248624A1

WO2020248624A1 - Communication method, network device, user equipment and access network device

Info

Publication number: WO2020248624A1
Application number: PCT/CN2020/076975
Authority: WO
Inventors: 张博
Original assignee: 华为技术有限公司
Priority date: 2019-06-13
Filing date: 2020-02-27
Publication date: 2020-12-17
Also published as: CN112087724A

Abstract

The present application provides a communication method, comprising: a first network device receiving an encrypted first group list sent by user equipment (UE), the first group list comprising identifiers of one or more groups to which the UE requests to access; the first network device decrypting the encrypted first group list, so as to obtain a first closed access service identification group; the first network device determining a subscription group list stored by the unified data management (UDM); the first network device determining a second group list according to the first group list and the subscription group list, the second group list comprising an identifier of a group to which the UE is allowed to access; and when the second group list exists, the first network device sending the second group list to the access network device. The first network device receives a list of groups, to which the UE requests to access, sent by the UE in an encryption manner and decrypts same, thereby avoiding data leakage and protecting the privacy of the UE.

Description

Communication method, network equipment, user equipment and access network equipment

This application claims the priority of a Chinese patent application filed with the Chinese Patent Office, the application number is 201910511766.9, and the application name is "a communication method, network equipment, user equipment, and access network equipment" on June 13, 2019. All of them The content is incorporated in this application by reference.

Technical field

This application relates to the field of communications, in particular to a communication method, user equipment, access network equipment and network equipment.

Background technique

A group allows a group of subscribers in one or more specific cells to access. The access of the group requires the support of user equipment (UE), access network equipment, and core network. When the UE accesses the group, the core network and the UE perform information transmission to complete the verification. In the process of information transmission, it is necessary for the signal to realize data interaction between the core network device and the UE to be reliable and effective, without data leakage, and to protect the privacy of the UE.

Summary of the invention

This application provides a communication method, network equipment, user equipment, and access network equipment, which can avoid data leakage and protect the privacy of the UE.

In a first aspect, a communication method is provided, including: a first network device receives an encrypted first group list sent by a user equipment UE, the first group list includes one or more of which the UE requests access The identification of the group; the first network device decrypts the encrypted first group list to obtain the first closed access service identification group; the first network device determines the subscription group list saved by the unified data management UDM; The first network device determines a second group list according to the first group list and the subscription group list, and the second group list includes the identifier of the group to which the UE is allowed to access; In the second group list, the first network device sends the second group list to the access network device.

The first network device receives and decrypts the request to access the group list sent by the UE in an encrypted manner, thereby avoiding data leakage and protecting the privacy of the UE. The first network device sends the identifier of the group that the UE is allowed to access to the access network device, and the access network device can prepare for data transmission after the UE accesses the group.

With reference to the first aspect, in some possible implementations, the first network device receiving the encrypted first group list sent by the UE includes: the first network device receives the UE through the non-access stratum NAS security Mode SM completes the encrypted first group list sent by the message; or, the first network device receives the encrypted first group list sent by the UE through an uplink NAS message protected by a NAS security context.

Through the NAS SM completion message or the uplink NAS message protected by the NAS security context, the first network device receives the encrypted first group list, and realizes the encrypted transmission of the first group list without adding additional procedures. The receiving UE sends the encrypted first group list through the NAS SM completion message, which can reduce the information interaction between the UE and the first network device and reduce the impact on the system.

With reference to the first aspect, in some possible implementation manners, the method further includes: when the second group list does not exist, the first network device determines the relationship between the UE and the first network device. A message verification code is calculated by calculating the shared key of, and the first network device sends a registration rejection message to the access network device, and the message verification code is used by the UE to verify the registration rejection message.

Through the message verification code sent by the first network device, the UE can verify the registration rejection message to prevent the UE from being unable to access the group due to the forged or modified registration rejection message.

With reference to the first aspect, in some possible implementations, the method includes: the first network device receives a third group list sent by the access network device, and the third group list includes the access network device. The identification of the group supported by the network access device, the first network device determining the second group list according to the first group list and the subscription group list, including: the first network device according to the The first group list, the third group list, and the subscription group list determine the second group list.

The first access network device verifies the group list supported by the access network device, the group list that the UE requests to access, and the subscription group list to ensure the accuracy of the groups that the UE is allowed to access.

With reference to the first aspect, in some possible implementation manners, the method includes: the first network device receives access group request information sent by the access network device, and the access group request information is used to instruct the UE Request access to the group.

In a second aspect, a communication method is provided, including: a user equipment UE encrypts a first group list by using a non-access stratum NAS security context to obtain an encrypted first group list, the first group list The identifier includes one or more groups that the UE requests to access; the UE sends the encrypted first group list.

The UE sends a request to access the group list in an encrypted manner, avoiding data leakage and protecting the privacy of the UE.

With reference to the second aspect, in some possible implementation manners, the UE sending the encrypted first group list includes: the UE sending the encrypted first network device through a NAS security mode SM complete message Or, the UE sends the encrypted first group list through an uplink NAS message protected by a NAS security context.

The UE sends the encrypted first group list through the NAS SM completion message or the uplink NAS message protected by the NAS security context, which realizes the encrypted transmission of the first group list without adding additional procedures. The UE sends the encrypted first group list through the NAS SM completion message, which can reduce the information interaction between the UE and the first network device and reduce the impact on the system.

With reference to the second aspect, in some possible implementations, the method further includes: the UE receiving a registration rejection message sent by the first network device, the registration rejection message including a message verification code, and the UE according to the message The verification code verifies the registration rejection message.

The UE verifies the registration rejection message according to the message verification code, so as to prevent the UE from being unable to access the group due to a forged or modified registration rejection message.

With reference to the second aspect, in some possible implementations, the method includes: the UE sends access group request information to the access network device, and the access group request information is used to instruct the UE to request access to the group group.

In a third aspect, a communication method is provided, including: an access network device receives an encrypted first group list sent by a user equipment UE, and the first closed access service identification group includes one or more of which the UE requests access. The identifier of a group service; the access network device sends the encrypted first group list; the access network device receives a second group list sent by the first network device, the second group list It includes the identification of one or more groups that the UE is allowed to access; the access network device sends the quality of service QoS of the one or more groups to the UE.

With reference to the third aspect, in some possible implementations, the method includes: the access network device receives the access group request information sent by the UE, and the access group request information is used to instruct the UE to request access. Join the group.

In the process of the UE accessing the group, the access network device receives the identifier of the group that the UE is allowed to access sent by the network device, and prepares for subsequent UE access to the group, which can reduce the system delay.

In a fourth aspect, a network device is provided, including: a transceiver module, a decryption module, and a determination module; the transceiver module is configured to receive an encrypted first group list sent by a user equipment UE, the first group list including the The identification of one or more groups to which the UE requests access; a decryption module, used to decrypt the encrypted first group list to obtain the first closed access service identification group; a determining module, used to determine unified data The management UDM network element determines the saved subscription group list; the determining module is further configured to determine a second group list according to the first group list and the subscription group list, the second group list includes the permission The identifier of the group to which the UE accesses; the transceiver module is further configured to, when the second group list exists, the first network device sends the second group list to the access network device.

With reference to the fourth aspect, in some possible implementation manners, the transceiver module is configured to receive the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message.

With reference to the fourth aspect, in some possible implementation manners, the user equipment further includes a calculation module, which is configured to: when the second group list does not exist, determine the relationship between the UE and the first network device The shared key between the two is calculated to obtain a message verification code; the transceiver module is further configured to send a registration rejection message to the access network device, and the message verification code is used by the UE to verify the registration rejection message.

With reference to the fourth aspect, in some possible implementations, the transceiver module is further configured to receive a third group list sent by the access network device, where the third group list includes the access network device The identification of the supported groups, the determining module is configured to determine the second group list according to the first group list, the third group list, and the subscription group list.

In a fifth aspect, a user equipment is provided, including: an encryption module and a transceiver module; the encryption module is used to encrypt a first group list using a non-access stratum NAS security context to obtain an encrypted first group list, The first group list includes the identities of one or more groups that the UE requests to access; the transceiver module is configured to send the encrypted first group list.

With reference to the fifth aspect, in some possible implementation manners, the transceiver module is configured to send the encrypted first group list to the first network device through a NAS security mode SM completion message; or, the transceiver module is configured to: The encrypted first group list is sent through an uplink NAS message protected by the NAS security context.

With reference to the fifth aspect, in some possible implementations, the transceiver module is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code; the user equipment further includes a verification module , The verification module is used to verify the registration rejection message according to the message verification code.

In a sixth aspect, an access network device is provided, which is characterized by comprising: a transceiver module and a generating module; the transceiver module is configured to receive an encrypted first group list sent by a user equipment UE, and the first closed access service The identification group includes the identification of one or more group services that the UE requests to access; the transceiver module is also used to send the encrypted first group list; the transceiver module is also used to receive the information sent by the first network device A second group list, where the second group list includes the identifiers of one or more groups that the UE is allowed to access; the generating module is configured to generate the one or more groups according to the identifiers of the one or more groups The quality of service QoS information of multiple groups; the transceiver module is further configured to send the quality of service QoS information to the UE.

In a seventh aspect, a network device is provided, including: a processor and a communication interface; the communication interface is configured to receive an encrypted first group list sent by a user equipment UE, where the first group list includes the UE The identification of one or more groups that request access; the processor is configured to decrypt the encrypted first group list to obtain a first closed access service identification group; the processor is further configured to: It is determined that the unified data management UDM network element determines the saved subscription group list; the processor is further configured to determine a second group list according to the first group list and the subscription group list, and the second group The list includes the identification of the group that the UE is allowed to access; when the second group list exists, the first network device sends the second group list to the access network device.

With reference to the seventh aspect, in some possible implementation manners, the communication interface is configured to receive the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message.

With reference to the seventh aspect, in some possible implementation manners, when the second group list does not exist, the processor is further configured to: according to the shared key between the UE and the first network device A message verification code is calculated; the communication interface is further used to send a registration rejection message to the access network device, and the message verification code is used by the UE to verify the registration rejection message.

With reference to the seventh aspect, in some possible implementation manners, the communication interface is further configured to receive a third group list sent by the access network device, where the third group list includes the access network device With an identifier of a supported group, the processor is configured to determine the second group list according to the first group list, the third group list, and the subscription group list.

In an eighth aspect, a user equipment is provided, including: a processor and a communication interface; the processor is configured to encrypt a first group list using a non-access stratum NAS security context to obtain an encrypted first group list The first group list includes the identities of one or more groups that the UE requests to access; the communication interface is used to send the encrypted first group list.

With reference to the eighth aspect, in some possible implementation manners, the communication interface is configured to send the encrypted first group list to the first network device through a NAS security mode SM completion message; or, the communication The interface is used to send the encrypted first group list through an uplink NAS message protected by a NAS security context.

With reference to the eighth aspect, in some possible implementation manners, the communication interface is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code, and the message verification code is used for all The UE verifies the registration rejection message.

In a ninth aspect, an access network device is provided, including: a processor and a communication interface; the communication interface is configured to receive an encrypted first group list sent by a user equipment UE, and the first closed access service identification group Includes the identification of one or more group services that the UE requests to access; the communication interface is also used to send the encrypted first group list; the communication interface is also used to receive the first network device The sent second group list, the second group list includes the identification of one or more groups that the UE is allowed to access; the communication interface is also used to send the one or more groups to the UE QoS for each group.

In a tenth aspect, a communication system is provided, including the aforementioned access network equipment, network equipment, and user equipment.

In an eleventh aspect, a computer program storage medium is provided, the computer program storage medium has program instructions, and when the program instructions are executed, the method described above is executed.

In a twelfth aspect, a chip is provided, the chip includes at least one processor, and when a program instruction is executed by the at least one processor, the method described above is executed.

Description of the drawings

FIG. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application.

Fig. 2 is a schematic flowchart of a method for a terminal device to access a group.

Fig. 3 is a schematic flowchart of a communication method provided by an embodiment of the present application.

Figure 4 is a schematic flow chart of establishing an access layer security mode.

Figure 5 is a schematic flow chart for establishing a non-access layer security mode.

Figure 6 is a schematic flow chart of authentication.

FIG. 7 is a schematic flowchart of a communication method provided by another embodiment of the present application.

FIG. 8 is a schematic flowchart of a communication method according to another embodiment of the present application.

FIG. 9 is a schematic flowchart of a communication method according to another embodiment of the present application.

FIG. 10 is a schematic flowchart of a communication method according to another embodiment of the present application.

FIG. 11 is a schematic flowchart of a communication method according to another embodiment of the present application.

FIG. 12 is a schematic flowchart of a communication method according to another embodiment of the present application.

FIG. 13 is a schematic structural diagram of a user equipment provided by an embodiment of the present application.

FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of the present application.

FIG. 15 is a schematic structural diagram of an access network device provided by an embodiment of the present application.

FIG. 16 is a schematic structural diagram of a user equipment according to another embodiment of the present application.

FIG. 17 is a schematic structural diagram of a network device provided by another embodiment of the present application.

FIG. 18 is a schematic structural diagram of an access network device according to another embodiment of the present application.

Detailed ways

The technical solution in this application will be described below in conjunction with the drawings.

The technical solutions of the embodiments of this application can be applied to various communication systems, such as: global system for mobile communications (GSM) system, code division multiple access (CDMA) system, broadband code division multiple access (wideband code division multiple access, WCDMA) system, general packet radio service (GPRS), long term evolution (LTE) system, LTE frequency division duplex (FDD) system, LTE Time division duplex (TDD), universal mobile telecommunication system (UMTS), worldwide interoperability for microwave access (WiMAX) communication system, the future fifth generation (5th generation, 5G) system or new radio (NR), etc.

It should be understood that the embodiments of the application do not specifically limit the specific structure of the execution body of the method provided in the embodiments of the application, as long as the program that records the code of the method provided in the embodiments of the application can be executed according to the embodiments of the application. The provided method can be used for communication. For example, the execution subject of the method provided in the embodiments of the present application may be a terminal or a network device, or a functional module in a UE or a network device that can call and execute the program.

In order to facilitate the understanding of the embodiment of the present application, first, an application scenario of the embodiment of the present application is described in detail with reference to FIG. 1.

FIG. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application. The network architecture shown in Figure 1 may specifically include the following network elements:

1. User equipment (UE): it can be called terminal equipment, terminal, access terminal, user unit, user station, mobile station, mobile station, remote station, remote terminal, mobile equipment, user terminal, wireless communication equipment, User agent or user device. The UE can also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), and a wireless communication function Handheld devices, computing devices or other processing devices connected to wireless modems, in-vehicle devices, wearable devices, terminal devices in the future 5G network or terminals in the future evolution of the public land mobile network (PLMN) Devices, etc., can also be end devices, logical entities, smart devices, such as mobile phones, smart terminals and other terminal devices, or servers, gateways, base stations, controllers and other communication devices, or Internet of Things devices, such as sensors, electricity meters, water meters, etc. Internet of things (IoT) devices. The UE may also be a wired device, such as a computer, a laptop, and so on. The embodiment of the application does not limit this.

2. Access network (AN): Provides network access functions for authorized users in a specific area, and can use transmission tunnels of different qualities according to user levels and service requirements. The access network may be an access network using different access technologies. There are currently two types of wireless access technologies: 3rd Generation Partnership Project (3rd Generation Partnership Project, 3GPP) access technologies (such as those used in 3G, 4G or 5G systems) and non-third-generation cooperation Partnership Project (non-3GPP) access technology. The 3GPP access technology refers to the access technology that complies with the 3GPP standard specifications. The access network that adopts the 3GPP access technology is called the radio access network (Radio Access Network, RAN). Among them, the access network equipment in the 5G system is called Next generation Node Base station (gNB). A non-3GPP access technology refers to an access technology that does not comply with the 3GPP standard specifications, for example, an air interface technology represented by an access point (AP) in wifi.

An access network that implements access network functions based on wired communication technology can be called a wired access network.

An access network that implements access network functions based on wireless communication technology may be called a radio access network (RAN). The wireless access network can manage wireless resources, provide access services for the terminal, and complete the forwarding of control signals and user data between the terminal and the core network.

The radio access network can be, for example, a base station (NodeB), an evolved NodeB (eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, or an AP in a WiFi system, etc. It can also be a wireless controller in a cloud radio access network (cloud radio access network, CRAN) scenario, or the access network device can be a relay station, access point, in-vehicle device, wearable device, and network in the future 5G network Equipment or network equipment in the future evolved PLMN network, etc. The embodiment of the present application does not limit the specific technology and specific device form adopted by the radio access network device.

3. Access and mobility management function (AMF) entities: mainly used for mobility management and access management, etc., and can be used to implement mobility management entity (mobility management entity, MME) functions in addition to sessions Functions other than management, for example, lawful interception, or access authorization (or authentication) functions. In the embodiment of the present application, it can be used to realize the functions of accessing and mobility management network elements.

4. Session management function (SMF) entity: Mainly used for session management, UE's Internet Protocol (IP) address allocation and management, selection of manageable user plane functions, policy control, or charging function interfaces End point and downlink data notification, etc. In the embodiment of this application, it can be used to realize the function of the session management network element.

5. User plane function (UPF) entity: namely, data plane gateway. It can be used for packet routing and forwarding, or quality of service (QoS) processing of user plane data, etc. User data can be connected to the data network (DN) through this network element. In the embodiment of this application, it can be used to realize the function of the user plane gateway.

6. Data network (DN): A network used to provide data transmission. For example, an operator’s business network, an Internet network, a third-party business network, etc.

7. Authentication server function (authentication server function, AUSF) entity: mainly used for user authentication.

8. Network exposure function (NEF) entity: used to safely open services and capabilities provided by 3GPP network functions to the outside.

9. Network storage function (NF) repository function (NRF) entity: used to store network function entities and description information of the services they provide, and support service discovery, network element entity discovery, etc.

10. Policy control function (PCF) entity: a unified policy framework used to guide network behavior, and provide policy rule information for control plane function network elements (such as AMF, SMF network elements, etc.).

11. Unified data management (UDM) entity: used to process user identification, access authentication, registration, or mobility management, etc.

12. Application function (AF) entity: used to route data affected by applications, access network open function network elements, or interact with policy frameworks for policy control, etc.

In this network architecture, the N1 interface is the reference point between the terminal and the AMF entity; the N2 interface is the reference point between the AN and AMF entities, used for non-access stratum (NAS) message transmission, etc.; N3 The interface is the reference point between the (R)AN and the UPF entity, used to transmit user plane data, etc.; the N4 interface is the reference point between the SMF entity and the UPF entity, used to transmit, for example, the tunnel identification information and data of the N3 connection Cache indication information, downlink data notification message and other information; N6 interface is the reference point between UPF entity and DN, used to transmit user plane data, etc.

The name of the interface between the various network elements in FIG. 1 is only an example, and the name of the interface in a specific implementation may be other names, which is not specifically limited in this application. In addition, the name of the message (or signaling) transmitted between the various network elements is only an example, and does not constitute any limitation on the function of the message itself.

It should be understood that the above-mentioned network architecture applied to the embodiment of the present application is only an example of a network architecture described from the perspective of a traditional point-to-point architecture and a service-oriented architecture, and the network architecture applicable to the embodiment of the present application is not limited to this. Any network architecture that can realize the functions of the above-mentioned network elements is applicable to the embodiments of the present application.

It should also be understood that the AMF network element, SMF network element, UPF network element, NSSF network element, NEF network element, AUSF network element, NRF network element, PCF network element, and UDM network element shown in Figure 1 can all be understood as The network elements used to implement different functions in the core network, for example, can be combined into network slices on demand. These core network elements may be independent devices, or they may be integrated in the same device to implement different functions, which is not limited in this application. A device that performs the functions of a core network element can also be called a core network device or a network device.

The above naming is only used to distinguish different functions, and does not mean that these network elements are independent physical devices. This application does not limit the specific form of the above network elements. For example, they can be integrated in the same physical device or separately It is a different physical device. In addition, the above-mentioned naming is only to facilitate the distinction between different functions, and should not constitute any limitation to this application. This application does not exclude the possibility of adopting other naming in 5G networks and other networks in the future. For example, in a 6G network, some or all of the above-mentioned network elements may use the terminology in 5G, or may adopt other names. Here is a unified description, and will not be repeated here.

For ease of understanding, before describing the embodiments of the present application, a brief introduction of several terms involved in the present application will be given first.

1. Authentication and key agreement (authentication and key agreement, AKA): The user can perform the AKA process with the network during the startup and registration process. Through the AKA process, two-way authentication between the terminal and the network can be realized, so that the key of the terminal and the network can reach an agreement, so as to ensure the secure communication between the two.

2. Key KSEAF: the key sent by AUSF to SEAF during UE registration; SEAF calculates KAMF, and then sends KAMF to AMF. SEAF and AMF can be deployed independently or combined.

3. Key KAMF: the key KAMF obtained by the UE and AMF respectively during the UE registration process. The key KAMF is determined according to the key KSEAF. KAMF is related to the key set identifier (KSI in 5G, ngKSI) in 5G. For example, the UE and the AMF may respectively pre-store a one-to-one correspondence between at least one KAMF and at least one ngKSI. Therefore, each ngKSI can be used to uniquely indicate a KAMF. KAMF can be used to subsequently generate the key KgNB.

4. Key KgNB: the key derived from the key KAMF, that is, the key KgNB that can be determined according to the key KAMF. For example, the key KgNB can be generated based on algorithms such as key derivation function (KDF), KAMF, and the like.

It should also be understood that the names of the intermediate keys and root keys listed above are only named for easy distinction and should not constitute any limitation to this application. This application does not exclude the use of other names to replace the aforementioned intermediate keys or root secrets. Key to achieve the same or similar functions.

5. Encryption key: the parameter input when the sender encrypts the plaintext according to the encryption algorithm to generate the ciphertext. If symmetric encryption is used, the encryption key and decryption key are the same. The receiving end can decrypt the cipher text according to the same encryption algorithm and encryption key. In other words, the sender and receiver can encrypt and decrypt based on the same key.

6. Integrity protection key: the parameter input when the sender performs integrity protection on the plaintext or ciphertext according to the integrity protection algorithm. The receiving end can perform integrity verification on the integrity-protected data according to the same integrity protection algorithm and integrity protection key.

7. Security capabilities: including but not limited to: security algorithms, security parameters, keys, etc. In the embodiment of the present application, the security capability may include, for example, the security capability of the UE and the security capability of the user plane gateway.

8. Security algorithm: the algorithm used in data security protection. For example, it may include: encryption/decryption algorithms, integrity protection algorithms, etc.

9. Security context: information that can be used to implement data encryption and decryption and/or integrity protection. The security context may include, for example, encryption/decryption keys, integrity protection keys, freshness parameters (such as NAS Count), ngKSI, and security algorithms.

Ordinary cells can allow all legitimate subscribers (and roaming users) of the operator to access. The group allows a group of subscribers in one or more specific cells to access. In other words, the users who can access the group are limited and conditional. The same user can belong to multiple groups, that is, can access multiple groups. Each group corresponds to a group ID. Group access requires the support of UE, access network equipment and core network.

The embodiments of this application are applicable to scenarios where the UE needs to access a group. The group may be, for example, a closed access group (CG) or a closed subscriber group (CSG). The following uses CAG as an example for description.

Fig. 2 is a schematic flowchart of a method for a UE to access a group.

The user identity decryption function (subscription identifier de-concealing function, SIDF) network element can be configured in a unified data management function (unified data management, UDM) network element, or it can be deployed independently. In other words, UDM network elements can provide the user identity decryption function through the SIDF deployed by themselves or by calling the SIDF.

The UE is configured with a list 1, and the list 1 may be referred to as an allowed CAG identification (identification, ID) list (allowed CAG ID list). List 1 includes the identification of the CAG that the UE can access.

In step 101, the access network device sends List 2 to the UE. List 2 is a list of CAG IDs supported by the cell, and List 2 includes the IDs of CAGs supported by the cell.

The access network device sends list 2 by broadcasting. The broadcast content may not be encrypted, that is, all devices within the coverage of the access network device can obtain the information broadcast by the access network device. Therefore, all devices within the coverage of the access network device can obtain List 2.

The access network device can also send list 2 through unicast. The unicast content may not be encrypted, that is, all devices within the coverage of the access network device can obtain the unicast information of the access network device. Therefore, all devices within the coverage of the access network device can obtain List 2.

In step 102, the UE matches List 1 and List 2, and obtains the CAG ID contained in both List 1 and List 2, that is, the matched CAG ID (selected matching CAG ID). The UE obtains a first matching group, and the first matching group includes one or more matching CAG IDs. List 1 includes CAG IDs in the first matching group, and List 2 all include CAG IDs in the first matching group. In other words, both List 1 and List 2 include the first matching group.

In step 103, the UE sends registration request (registration request, RR) information and the first matching group to the access network device.

The RR information includes Subscriber Concealed Identifier (SUCI). The SUCI is obtained by encrypting the user's permanent identifier (subscription permanent identifier, SUPI) according to the public key corresponding to the home network public key identifier (home network public key identifier). The home network public key identifier is used to indicate the public key and/or private key used for SUPI encryption and SUCI decryption. That is, the UE uses a protection scheme with the original public key (ie, the home network public key) to generate the SUCI.

The UDM stores the private key corresponding to the home network public key identifier. Algorithms for user privacy should be executed in the UDM's secure environment.

SIDF is used to decrypt SUCI to get SUPI. When the home network public key is used for SUPI encryption, SIDF will use the home network private key stored securely in the home operator's network to decrypt SUCI. Decryption should be done in UDM. The access authority to SIDF should be defined so that only network elements of the home network are allowed to request SIDF.

The first matching group is sent through a radio resource control (radio resource control, RRC) layer.

In step 104, the access network device sends the RR information and the second matching group to the access and mobility management function (AMF) network element.

The second matching group may be the same as the first matching group.

Before step 104, optionally, the access network device may match the first matching group with List 2 to obtain the second matching group. The second matching group includes one or more CAG IDs. Both the first matching group and List 2 include the second matching group. Through the matching of access network equipment, the probability of UE access to CAG registration error can be reduced.

The RR information and the second matching group are sent through the N2 interface between the access network device and the AMF network element.

Before step 105, AMF sends an authentication request message to the unified data management function (UDM)/(subscription identifier de-concealing function, SIDF) network element to the authentication server function (authentication server function, AUSF), where Carry SUCI. UDM before AUSF sends the request, which carries SUCI

The UDM/SIDF network element determines the SUPI of the UE according to the SUCI.

In step 105, authentication and security procedures are performed.

For the authentication process and security process, please refer to the technical specification (TS) 33.501 V15.4.0 (2019-03) of the 3rd generation partnership project (3GPP). In the identity authentication process, the UDM/SIDF network element generates an authentication vector and sends it to the AUSF network element.

In the authentication process, after the authentication process between the AUSF network element, the SEAF network element and the UE, the AUSF network element sends the key KSEAF to the SEAF network element. The SEAF network element generates the key KAMF according to the key KSEAF, and sends the key KAMF to the AMF network element. The SEAF network element can also be deployed in the equipment where the AMF network element is located. The SEAF network element sends a key set identifier (KSI) to the UE. The KSI may be a 5G key set identifier (key set identifier in 5G, ngKSI). The UE can determine the key KAMF through the KSI. Through the above method, the UE and the AMF network element realize the sharing of the key KAMF. The foregoing provides an authentication implementation method, which does not exclude further evolution of the authentication method and other mutual authentication mechanisms. This patent does not go into details.

After the authentication process, the non-access stratum (NAS) security mode command (SMC) and the access stratum (AS) security mode command (security mode command, SMC) can be performed after the authentication process. ).

Before step 106, the UDM/SIDF network element determines the subscription data of the UE according to SUPI. The contract data may also be called contract information. The subscription data of the UE includes List 3, and List 3 includes the CAG ID that the network side allows the UE to access. List 3 includes one or more CAG IDs.

In step 106, the AMF network element receives list 3 sent by the UDM/SIDF network element.

In step 107, the AMF network element matches the second matching group with List 3. AMF checks whether the second matching group and List 3 include at least one CAG ID. The at least one CAG ID that is the same as the target CAG ID

If there is a target CAG ID, proceed to step 108a.

In step 108a, the AMF sends registration acceptance information to the UE.

If there is no target CAG ID, proceed to step 108b.

In step 108b, the AMF sends registration rejection information to the UE.

After step 108b, the UE deletes the CAG ID corresponding to the first matching group from the list 1.

Through the above method, the UE can perform the corresponding CAG service.

The CAG service that the UE wants to perform is related to the type of UE, and each CAG service can only be accessed and used by a specific UE. Therefore, the CAG service that the UE wants to perform involves privacy. When the UE sends the first matching group to the access network device, the attacker obtains the CAG ID that the UE requests to access by tapping the air interface, thereby leaking privacy.

In order to solve the foregoing problem, an embodiment of the present application provides a communication method. The CAG ID that the UE requests to access is sent in an encrypted manner. In this way, the possibility of privacy leakage can be reduced.

In step 201, the UE generates an encrypted first group list.

The group list can also be called a group identification set. The first group list includes the identities of one or more groups to which the UE requests access. The group may be CAG, CSG, etc., for example.

The identity of one or more groups that the UE requests to access may be all or part of the identity of the second group list configured for the UE.

In step 202, the UE sends the encrypted first group list.

The UE may send the encrypted first group list to the AMF network element.

In some embodiments, the UE may establish a NAS security context with an AMF network element, that is, establish a NAS security mode. The establishment of NAS security context can be seen in Figure 4.

The UE may send the first group group to the AMF network element through the NAS SM complete message in the NAS security context establishment process. The UE may also send the encrypted first group list to the AMF network element after the NAS security context is established, that is, the UE may send the first group list to the AMF network element through the NAS message protected by the NAS security context.

The UE can authenticate with the AMF network element to obtain a shared key. Refer to Figure 6 for UE authentication. The UE can establish a NAS security context with the AMF network element according to the shared key. The establishment of NAS security context can be seen in Figure 4.

The AMF can decrypt the encrypted first group list sent by the UE. AMF can decrypt the encrypted first group list through the confidentiality algorithm.

In other embodiments, the UE may encrypt the first group list with the AMF public key. The UE may send the encrypted first group list to the AMF network element. The AMF public key may be sent by the AMF to the UE, or may be pre-configured by the UE.

The AMF network element is configured with an AMF private key corresponding to the AMF public key. The AMF network element can decrypt the encrypted first group list according to the AMF private key.

The UE may send the encrypted first group list to the UDM network element.

The UE may encrypt the first group list according to the home network key to obtain an encrypted first group list.

The UE may send the encrypted first group list and the home network public key identifier to the UDM network element. The home network public key identifier is used to indicate the home network key.

The UDM network element receives the encrypted first group list and the home network public key identifier. The UDM network element can determine the home network private key according to the home network public key identifier. The UDM network element can decrypt the encrypted first group list according to the private key of the home network.

The UE may send the encrypted first group list to the access network device.

In some embodiments, the UE may establish an AS security context with the access network device, that is, establish an AS security mode. The establishment of AS security context can be seen in Figure 5.

The UE may send the first group list to the access network device through the AS SM complete message in the AS security context establishment process. The UE may also send the encrypted first group list to the access network device after the AS security context is established, that is, the UE may send the first group to the access network device through the AS message protected by the AS security context.

AMF distributes KgNB to access network equipment. The UE generates KgNB according to KAMF. After that, the UE and the access network device can establish the access layer AS security mode SM.

The access network device may decrypt the encrypted first group list sent by the UE. The access network device can decrypt the encrypted first group list through the confidentiality algorithm.

The access network device can decrypt the received encrypted first group list. The access network device can decrypt the encrypted first group list through the confidentiality algorithm. In other embodiments, the UE may encrypt the first group list through the public key of the access network device. The UE may send the encrypted first group list to the access network device. The public key of the access network device may be sent by the access network device to the UE, or may be pre-configured by the UE. The access network device is configured with an AMF private key corresponding to the public key of the access network device. The access network device can decrypt the encrypted first group list according to the private key of the access network device.

Optionally, the UE may receive a registration rejection message sent by the AMF network element. The registration rejection message includes a message verification code, and the message verification code is used by the UE to verify the registration rejection message. The registration rejection message can also include a rejection code. The rejection code can be used to indicate the rejection of UE registration, or the rejection code can be used to indicate the reason for rejection of UE registration. The reason for rejecting the UE registration may be that the AMF network element verification fails, or the UE authentication fails. The verification failure of the AMF network element means that the AMF network element determines that the second group list does not exist. The second group list includes the identifiers of the same group in the subscription group list saved by the UDM and the first group list.

Optionally, the UE may send access group request information to the access network device, where the access group request information is used to instruct the UE to request access to the group.

Through step 201 to step 202, the UE sends the first group list in an encrypted manner, which can avoid leakage.

Figure 4 is a schematic flow chart for establishing a NAS security context.

In step 301a, the AMF network element activates integrity protection.

In step 301b, the AMF network element sends a NAS SM command message to the UE. The NAS SM command message includes an integrity algorithm, an encryption algorithm, a NAS message authentication code (message authentication code, MAC), UE security capabilities, KSI, etc. The NAS MAC can be used to verify the integrity of the NAS SM command message.

In step 301c, the AMF network element starts uplink decryption

In step 302a, the UE verifies the integrity of the NAS SM completion message. If the verification is successful, the UE starts uplink encryption, downlink decryption and integrity protection

In step 302b, the UE sends a NAS security mode complete message to the AMF network element. The NAS security mode completion message includes NAS MAC. The NAS MAC can be used to verify the integrity of the NAS SM completion message.

In step 301d, the AMF network element starts downlink encryption.

The AMF network element triggers the NAS SMC process and sends a NAS security mode instruction to the UE; the UE sends a NAS security mode completion message. In step 301b, the AMF network element sends a NAS SM command message to the UE, with only integrity protection. In step 302b, the UE sends a NAS security mode completion message to the AMF network element, which has confidentiality and integrity protection. After that, the UE and the AMF share the NAS security context. The UE and the AMF network element can protect the message to be sent through the NAS security context, and protect the NAS message through the NAS security context with integrity and confidentiality protection. Through steps 301a-302d, the NAS security context is established.

It should be noted that, for ease of understanding, FIG. 4 only briefly describes the processing flow of the NAS SMC. Specifically, other processing procedures and/or parameters can be added in the application, or some of the processing procedures and/or parameters described above can be reduced.

Figure 5 is a schematic flow chart for establishing an AS security context.

Before step 401a, the RAN receives the key KgNB. The key KgNB is determined by the AMF network element according to the key KAMF. AMF shall generate the key KgNB and send the key to the RAN.

In step 401a, the RAN initiates RRC integrity protection.

In step 401b, the RAN sends an AS SM command message to the UE. The AS SM command message includes an integrity algorithm, an encryption algorithm, and MAC-I, where the MAC-I is determined according to the key KgNB.

In step 401c, the RAN initiates RRC downlink ciphering.

In step 402a, the UE verifies the integrity of the AS SM command message. The UE verifies the integrity of the AS SM command message according to the MAC-I. If the verification is successful, the UE starts RRC integrity protection and RRC downlink decryption. The UE decrypts the RRC downlink according to the encryption algorithm indicated by the AS SMC information.

In step 402b, the UE sends an AS SM complete message to the RAN. The AS SM completion message includes MAC-I, which is determined according to the key KgNB. According to the MAC-I, the RAN can decrypt the AS SM completion message and verify the integrity of the AS SM completion message.

In step 402c, the UE starts RRC uplink encryption.

In step 401d, the RAN initiates RRC uplink decryption.

The RAN triggers the AS SMC process and sends an AS security mode command message to the UE. The UE sends an AS security mode complete message to the RAN. Wherein, the message in step 401b only performs integrity protection, and the message in step 402b performs confidentiality and integrity protection at the same time. According to the key KgNB, the integrity and confidentiality of the message transmitted between the UE and the RAN in the AS security mode can be protected. After that, the UE and the access network device share the AS security context, the UE and the access network device can send AS messages through the AS security context protection, and the AS messages protected by the AS security context have integrity and confidentiality protection. Through steps 401a-402d, the AS security context is established.

It should be noted that, for ease of understanding, FIG. 5 only briefly describes the processing flow of AS security context establishment. Specifically, other processing procedures and/or parameters can be added in the application, or some of the processing procedures and/or parameters described above can be reduced.

Fig. 6 is a schematic flowchart of an authentication method. Authentication authentication can also be called identity authentication.

In the communication network, when the UE requests access to the service provided by the service provider, it is checked whether the UE has the access authority. The process of authentication can refer to

In step 501, the UDM/ARPF network element generates an authentication vector.

In step 502, the UDM/ARPF network element sends a first authentication reply message to the AUSF network element. The first authentication reply message may be a Nudm_UEAuthentication_Get Response message. The first authentication reply message includes an authentication vector.

In step 503, the UE performs mutual authentication with the AUSF network element.

In step 504, AUSF generates and sends the key KSEAF to the SEAF network element.

In step 505, the SEAF network element generates the key KAMF according to the key KSEAF, and sends the KSI to the UE. The KSI is used to indicate the key KAMF.

The SEAF network element can be deployed independently from the AMF network element, or it can be deployed separately. The SEAF network element can send KAMF to the AMF network element.

Figure 6 shows only one authentication method, which also includes other authentication methods, such as 5G authentication and key agreement; it is also possible that authentication includes both UE and AMF authentication, UE and AUSF authentication, etc., which is not done in this application embodiment limit.

FIG. 7 is a schematic flowchart of a communication method provided by an embodiment of the present application.

The first network device includes an AMF network element. The first network device may also include SMF network elements, AUSF network elements, SEAF network elements, UDM network elements, and other network function (network function, NF) network elements, which are not limited in the embodiment of this application.

In step 1101, the UE encrypts the first group list by using the NAS security context to obtain an encrypted first group list. The first group list includes identities of one or more groups to which the UE requests access.

The first group list may include all or part of the identities in the UE group list configured for the UE.

The UE may use the UE group list as the first group list.

Before step 1101, the UE receives the access network group list sent by the access network device, and the access network group list includes the identifier of the group supported by the access network device. The UE may determine the first group list according to the access network group list and the UE group list, and the first group list includes the identifiers of the same group in the access network group list and the UE group list.

In step 1102, the UE sends the encrypted first group list.

Before step 1102, the UE may establish a NAS security context with the AMF. The UE may send the encrypted first group list through the NAS message protected by the NAS security context.

Alternatively, in the process of establishing the NAS security context between the UE and the AMF, after the UE establishes the NAS security context, the UE sends the encrypted first group list to the first network device through a NAS SM complete message.

The first network device receives the encrypted first group list. The first network device decrypts the encrypted first group list.

In step 1103, the first network device performs verification. The AMF determines the second group list according to the first group list and the contracted group list. The second group list includes the identifiers of the same group in the first group list and the contracted group list. The second group list includes identities of groups that the UE is allowed to access. That is, the identity of the same group is used as the identity of the group that the UE is allowed to access.

Before step 1103, the first network device determines the list of subscription groups saved by the UDM network element. That is, the first network device does not include the UDM network element, and the first network device may receive the subscription group list sent by the UDM network element. The first network device includes a UDM network element, and the first network device can obtain a list of subscription groups saved by the UDM network element.

When the second group list exists, step 1104 is performed.

In step 1104, the first network device sends the second group list to the access network device. The access network device receives the second group list, and obtains the identifier of the group that is allowed to access the UE.

Optionally, after step 1104, step 1105 may be performed.

In step 1105, the access network device sends the radio resource allocation information and/or quality of service (QoS) information of the group corresponding to each identifier in the second group list to the UE.

When there is no second group list, proceed to step 1106.

In step 1106, the first network device sends a registration rejection message to the UE. In order to prevent attackers from modifying or forging registration rejection messages, AMF can send registration rejection messages in the following ways.

The first network device may send a registration rejection message to the UE through a NAS message. Before step 1106, whether the AMF and the UE establish the NAS security context is not limited in the embodiment of the present application. In the case of establishing the NAS security context, the first network device may send a registration rejection message to the UE through the NAS security context. That is, the registration rejection message may be a NAS message protected by the NAS security context.

Referring to FIG. 11, the first network device may calculate the message verification code according to the shared key between the UE and the AMF. The first network device may send a registration rejection message to the UE, and the registration rejection message includes a message verification code. The message verification code is used by the UE to verify the registration rejection message.

Referring to Fig. 12, the first network device may also calculate a digital signature according to the AMF private key. The first network device may send a registration rejection message to the UE, and the registration rejection message includes the digital signature. The UE decrypts the digital signature according to the AMF public key.

Through steps 1101-1106, the UE sends the identification of the group requested to be accessed in an encrypted manner, which can avoid leakage of UE privacy.

The group may be CAG, CSG, etc., for example. The following takes the UE request to access CAG as an example for description.

FIG. 8 is a schematic flowchart of a communication method provided by an embodiment of the present application.

The UE may send the first matching group to the AMF network element through the encrypted NAS message.

The UE stores a list 1, and the list 1 may be referred to as an allowed CAG ID list (allowed CAG ID list). List 1 includes the identification of the CAG configured to the UE. That is, List 1 shows the CAG that the UE supports to access. There is no restriction on how the specific UE obtains List 1. For example, List 1 may include the CAG ID that the UE can obtain from the operator, may include the CAG ID configured by the network management, and may include the CAG ID configured by the UE when it leaves the factory.

In step 601, the access network device broadcasts system information. The system information includes List 2, which is a list of CAG IDs supported by the cell. The cell is the cell where the UE is located in one or more cells covered by the access network device. The broadcast content may not be encrypted, and all devices within the coverage of the access network device can obtain the information broadcast by the access network device.

Optionally, in step 601, the access network device unicasts system information, and the system information includes List 2, and List 2 includes CAG IDs supported by the cell. The unicast content may not be encrypted, and all devices within the coverage area of the access network device can obtain the unicast information of the access network device.

In step 602, the UE matches List 1 and List 2, that is, the UE checks whether there is a first matching group, and the first matching group includes at least one CAG ID. The CAG ID in the first matching group belongs to both list 1 and list 2 at the same time. The CAG ID in the first matching group may be referred to as a matched CAG ID (selected matching CAG ID).

In step 603, the UE sends a registration request (registration request, RR) message to the access network device, where the registration request message includes SUCI. The registration request message may be a control plane message.

Before step 603, the UE calculates SUCI, which is an encapsulation of the permanent identity SUPI, so that the attacker cannot obtain SUPI through eavesdropping on the air interface. SUPI is the permanent identity of the UE. That is, the UE encrypts SUPI to obtain SUCI.

SUCI may include one or more of SUPI type, routing indicator, protection scheme identifier, home network public key identifier and other information. Among them, the routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier is used to indicate the protection scheme adopted by the mall SUCI, that is, the scheme to encrypt SUPI. The routing indicator can be used to indicate UDM network elements that can provide services for the UE.

Optionally, the UE sends the first indication information to the access network device. The first indication information is used to indicate that the UE requests to access the CAG.

The first indication information that the UE may send to the access network device is used to instruct the UE to request access to the CAG. Since the information related to UE registration in the RR message is sent by the UE to the AMF network element, the access network device needs to forward the information and cannot perceive the information. Therefore, by sending the first indication information to the access network device by the UE, the access network device can be instructed to perform a procedure corresponding to the UE's request to access the CAG.

Optionally, the first indication information is carried in a registration request message or other messages. For example, the first indication information may be sent through a radio resource control (radio resource control, RRC) message. The first indication information may take multiple forms. For example, the first indication information may include List 2 received by the UE, or the first indication information may occupy a certain field of the registration request message.

In step 604, the access network device forwards the registration request message to the AMF network element. The registration request message includes SUCI. The forwarded registration request message may be sent through the N2 interface between the access network device and the AMF network element, that is, the forwarded registration request message may be an N2 message.

Optionally, the access network device may send the second indication information to the AMF network element. For example, if the access network device receives the first indication information, the access network device sends the second indication information to the AMF network element. The second indication information indicates that the UE requests to access the CAG service.

The second indication information sent by the access network device may instruct the AMF to perform a procedure corresponding to the UE's request to access the CAG.

The second indication information may be carried in the forwarded registration request message. The second indication information may also be carried in other messages.

Optionally, the access network device may send List 2 to the AMF network element. The second indication information may include List 2. For example, if the access network device receives the first indication information, the access network device sends List 2 to the AMF network element.

In step 605, the AMF network element sends SUCI to AUSF. The SUCI may be carried in the first identity authentication request message. The first authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.

Optionally, the AMF may receive the second indication information and/or List 2.

In step 606, the AUSF network element sends SUCI to the UDM/SIDF network element. SUCI can be carried in the second identity authentication request message. The second authentication request message may be a Nudm_UEAuthentication_Get Request message.

In step 607, the UDM/SIDF network element decrypts SUCI to obtain SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.

Step 608 is an authentication process, which is used for identity authentication of the UE.

Specifically, the UDM/SIDF network element sends the authentication vector to the AUSF network element. The authentication vector can be carried in the authentication reply message. The authentication reply message may be a Nudm_UEAuthentication_Get Response message.

The UE and the AUSF network element perform mutual authentication. The AUSF generates and sends the key KSEAF to the SEAF network element. The SEAF network element generates the key KAMF according to the key KSEAF. SEAF sends KSI to UE, KSI is used to indicate the key KAMF. The UE can determine the key KAMF according to the KSI. SEAF sends KAMF to AMF. Here SEAF can be deployed independently from AMF, or separately. The embodiment of the application does not limit the specific details and procedures of the authentication steps between the UE and the AUSF network element.

Through the above steps, the AMF network element and the UE share the key KAMF.

In steps 609-610, the AMF network element and the UE perform a non-access stratum security mode command (NAS SMC) process.

According to the key K _AMF , the UE and the AMF network element can determine the integrity key and the confidentiality key between the UE and the AMF network element, so as to protect the integrity and confidentiality of the message between the UE and the AMF network element . Confidentiality protection, that is, the information sending end encrypts the information, and the information receiving end decrypts the information.

In step 609, the AMF network element sends a NAS security mode instruction message to the UE. The NAS safe mode command message has integrity protection. The integrity protection is the prior art and will not be repeated here.

In step 610, the UE sends a NAS security mode complete message to the AMF network element.

Optionally, the NAS security mode completion message may include the first matching group. The NAS security mode completion message is confidential and integrity protected. Therefore, the first matching group is sent to the AMF network element in an encrypted manner. At this time, step 611 may not be performed.

When the UE accesses the CAG, the NAS security context is established. Sending the first matching group through the NAS SMC completion message, or sending the first matching group in the NAS message protected by the NAS security context, can encrypt the first matching group without adding additional processing procedures.

Through steps 609-610, the UE and the AMF network element establish a security context through the NAS SMC process, and the message between the AMF network element and the UE can be encrypted for transmission. Through the NAS security mode, the messages between the AMF network element and the UE can have integrity protection and confidentiality protection.

In the case that the NAS security mode completion message does not include the first matching group, step 611 may be performed. Step 611 is performed after the UE and the AMF network element establish a security context through the NAS SMC procedure.

In step 611, the UE sends the first matching group to the AMF through an uplink (UL) NAS message. In other words, the first matching group is sent through NAS security protection.

In step 612, the AMF network element receives the list 3 sent by the UDM network element. List 3 includes the CAG ID that the network side allows the UE to access. The AMF network element can receive the subscription data sent by the UDM network element, and the subscription data includes List 3.

Before step 612, the AMF network element may send a request message to the UDM network element to obtain the SUPI corresponding subscription data from the UDM. Optionally, the request message includes SUPI. The subscription data includes List 3, and List 3 includes CAG IDs that the network side allows the UE to access.

In step 613, the AMF matches List 3 with the first matching group to determine whether there is a second matching group. List 3 includes CAG IDs in the second matching group, and the first matching group includes CAG IDs in the second matching group. That is, the AMF uses the same CAG ID in List 3 and the first matching group as the CAG ID in the second matching group.

Optionally, the AMF matches List 2, List 3, and the first matching group to determine whether there is a second matching group. List 2 includes CAG IDs in the second matching group, List 3 includes CAG IDs in the second matching group, and the first matching group includes CAG IDs in the second matching group. That is, the AMF uses the same CAG ID in List 2, List 3, and the first matching group as the CAG ID in the second matching group.

For the case where AMF matches List 2, List 3, and the first matching group, steps 601-602 may not be performed. The UE may use List 1 as the first matching group.

Since the first matching group is sent to the AMF network element through a NAS message, the access network device cannot check and verify the first matching group sent by the UE, and cannot ensure that the matching result of the UE, that is, the CAG IDs in the first matching group are all lists The CAG ID in 2. Therefore, the AMF network element can generate the second matching group according to List 2.

Optionally, the AMF network element is pre-configured with a CAG ID supported by the access network device, that is, the AMF is pre-configured with List 2. At this time, in step 604, the access network device may not send List 2 to the AMF network element. Or List 2 is used as the second indication information to instruct the UE to request access to the CAG service.

Since the first matching group is obtained by the UE having performed matching, in order to reduce the amount of calculation, the AMF may no longer perform matching on List 2. That is, AMF can perform matching on the first matching group and list 3. At this time, the list 2 sent by the access network device to the AMF network element may be used as the second indication information, and the second indication information is used to indicate that the UE requests to access the CAG service.

If there is a second matching group, the UE is allowed to access the CAG service corresponding to the CAG ID in the second matching group.

In step 614, if the UE is allowed to access, the AMF may send the second matching group to the access network device. The second matching group can be sent through N2 messages. The second matching group includes the identification of the CAG that the UE is allowed to access. The access network device receives the second matching group to obtain the CAG ID that allows the UE to access. Optionally, after receiving the second matching group that allows the UE to access, the access network device performs operations such as radio resource management corresponding to the CAG ID in the second matching group, for example, sending each CAG ID in the second matching group to the UE Corresponding CAG resource configuration information, etc. Optionally, the access network device sends to the UE the policy information corresponding to the CAG ID in the second matching group, such as QoS information of each CAG. The policy information is used to indicate the relevant parameters for data transmission after the UE accesses the CAG. In the embodiment of this application, the access network device does not limit the specific operation of the CAG ID in the second matching group.

In step 615, the AMF network element sends a registration response message to the UE. The registration response message may be a registration acceptance message or a registration rejection message.

If the UE is allowed to access, the AMF network element sends a registration acceptance message to the UE. Optionally, the AMF network element sends the second matching group to the UE, that is, the CAG ID that allows the UE to access.

If the UE is not allowed to access, the AMF network element sends a registration rejection message to the UE. Optionally, the registration rejection message includes verification failure indication information. The verification failure indication information may be used to indicate the reason for the registration rejection, for example, the CAG ID verification fails or the UE identity authentication fails.

Optionally, the AMF sends to the UE information about whether to allow the UE to access the CAG through other downlink NAS messages. .

Optionally, before step 610, further, before step 603, the UE may receive protection indication information, where the protection indication information is used to instruct the UE to send the encrypted first matching group. In other words, the protection indication information is used to instruct the UE to encrypt the first matching group, and send the first matching group in an encrypted manner. For example, before step 603, the UE performs a registration procedure. During this registration access process, the registration reception message includes protection indication information. In the subsequent process of the UE accessing the CAG, the registration rejection message is protected in the above manner.

Through steps 601-615, the UE sends the first matching group in an encrypted manner, which can avoid information leakage.

In some embodiments, the UE may send the first indication information to the AMF network element through a NAS message other than the RR message. The AMF determines the flow of the UE requesting to access the CAG through the first indication information.

In some embodiments, it is also possible that the base station does not broadcast list 2, or the UE does not match the base station broadcast list 2 with list 1; the UE sends encrypted list 1 to AMF through NAS messages. The subsequent operations are the same as the following procedures, except that the first matching group is listed in List 1.

In some embodiments, it is also possible that the UE encrypts the first matching group based on the public key of the AMF to obtain the ciphertext of the first matching group. And by sending the ciphertext of the first matching group to the AMF through the NAS message, for example, through the RR message and the SUCI to the AMF; or through other NAS messages to the AMF. AMF decrypts the ciphertext of the first matching group through the AMF's private key to obtain the first matching group. The subsequent determination process is the same as the above-mentioned embodiment. Here, the process by which the UE obtains the public key of the AMF may be preset or distributed to the UE by the AMF in the previous registration process; there is no restriction.

FIG. 9 is a schematic flowchart of a communication method provided by an embodiment of the present application.

The UE may encrypt the first matching group according to the home network key, and send the encrypted first matching group to the UDM network element, the UDM network element decrypts the encrypted first matching group, and decrypts the decrypted first matching group Send to AMF.

In step 601, the access network device broadcasts system information, and the system information includes List 2, which is a list of CAG IDs supported by the cell covered by the access network device. The broadcast content is not encrypted and protected, and all devices within the coverage of the access network device can obtain the information broadcast by the access network device.

Optionally, in step 601, the access network device unicasts system information, and the system information includes List 2, and List 2 is a list of CAG IDs supported by the cell. The unicast content may not be encrypted, and all devices within the coverage area of the access network device can obtain the unicast information of the access network device.

In step 703, the UE sends a registration request message to the access network device, and the registration request message includes SUCI. The registration request message may be a control plane message.

The registration request message also includes the encrypted first matching group.

Before step 703, the UE calculates SUCI, which is an encapsulation of the permanent identity SUPI, so that the attacker cannot obtain SUPI through eavesdropping on the air interface. SUPI is the permanent identity of the UE. That is, the UE encrypts SUPI to obtain SUCI.

SUCI may include one or more of SUPI type, routing indicator, protection scheme identifier, home network public key identifier and other information. Among them, the routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier is used to indicate the protection scheme adopted by the above SUCI, that is, the scheme for encrypting the SUPI. The routing indicator can be used to indicate UDM network elements that can provide services for the UE.

Before step 703, the UE encrypts the first matching group according to the home network public key to obtain the encrypted first matching group. The UE encrypts the first matching group according to the home network public key, which may also be referred to as the UE encapsulating the first matching group.

The UE may use the same encryption method as the SUCI to encrypt the first matching group. The UE can jointly encrypt the SUPI and the first matching group and encapsulate them in one message. In other words, the SUCI and the encrypted first matching group can be carried in the same message. Alternatively, the UE may separately encrypt the SUPI and the first matching group. Optionally, the encrypted first matching group includes one or more of information such as a routing indicator, a protection scheme identifier, and a home network public key identifier. The SUCI and the encrypted first matching group can be carried in the same or different messages.

The UE may also use an encryption method different from that of SUCI to encrypt the first matching group. For example, the first matching group of SUCI and encryption may correspond to different home network keys, that is, to different home network public key identifiers. The encrypted first matching group includes one or more of routing indicator, protection scheme identifier, home network public key identifier, and other information. The SUCI and the encrypted first matching group can be carried in the same or different messages. The home network key includes the home network public key and the home network private key. The UE and the UDM network element include the corresponding relationship with the home network public key identifier, the home network public key, and the home network private key.

Optionally, the UE sends the first indication information to the access network device. The first indication information is used to indicate that the UE requests to access the CAG service.

In step 704, the access network device sends a registration request message to the AMF network element. The registration request message includes the SUCI and the encrypted first matching group. The registration request message can be sent through the N2 interface between the access network device and the AMF network element, that is, the registration request message can be an N2 message.

The second indication information may be carried in the registration request message. The second indication information may also be carried in other messages.

Optionally, the access network device may send List 2 to the AMF network element. The second indication information may include List 2.

In step 705, the AMF network element sends the encrypted first matching group and SUCI to AUSF. The SUCI may be carried in the first identity authentication request message. The encrypted first matching group may be carried in the first identity authentication request message or other messages. The first identity authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.

In step 706, the AUSF network element sends the encrypted first matching group and SUCI to the UDM/SIDF network element. The SUCI may be carried in the second authentication request message. The encrypted first matching group may be carried in the second authentication request message or other messages. The second authentication request message type may be Nudm_UEAuthentication_Get Request message.

In step 707, the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group according to the home network private key corresponding to the home network public key identifier.

The UDM/SIDF network element decrypts the SUCI to obtain SUPI, executes the authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm. The UDM/SIDF network element decrypts the encrypted first matching group to obtain the first matching group.

Alternatively, the UDM/SIDF network element decrypts one piece of information corresponding to SUPI and the first matching group to obtain SUPI and the first matching group.

The UDM/SIDF network element determines the subscription data of the UE according to SUPI. The subscription data of the UE includes List 3, and List 3 includes the CAG ID that the network side allows the UE to access.

The UDM/SIDF network element matches the first matching group with List 3 to obtain the third matching group. The third matching group includes the same CAG ID in the first matching group and List 3.

If the UDM/SIDF network element determines that there is no third matching group, the UE authentication process and step 614 are not performed. If there is no third matching group and the verification fails, there is no need to perform subsequent UE authentication procedures, which saves system signaling overhead.

The UDM/SIDF network element can reject the registration of the UE. UDM can send rejection indication information to AMF network element through or without AUSF network element.

Before step 615, the UDM network element may send the first rejection indication information to the AMF network element through or without the AUSF network element. The first rejection indication information may include the reason for registration rejection. That is, the first rejection indication information may be used to indicate that there is no third matching group, that is, the verification fails, and there is no CAG that allows the UE to access.

The AMF network element receives the rejection indication information sent by the UDM network element, and determines that there is no second matching group, that is, there is no CAG that allows the UE to access.

In step 615, the AMF network element sends a registration rejection message to the UE.

If the UDM/SIDF network element determines that there is a third matching group, perform steps 709-710. Steps 709-710 are steps in the authentication process, which is used for identity authentication of the UE.

Specifically, in step 709, the UDM/SIDF network element sends the authentication vector to the AUSF network element. The authentication vector may be carried in the first authentication reply message. The first authentication reply message may be a Nudm_UEAuthentication_GetReSponse message.

In step 710, the AUSF network element sends an authentication vector to the AMF network element. The authentication vector may be carried in the second authentication reply message. The second authentication reply message may be a Nudm_UEAuthentication_GetReSponse message.

The UDM/SIDF network element may send the third matching group to the AMF network element.

The UDM/SIDF network element may send the third matching group to the AUSF network element. The AUSF network element sends the third matching group to the AMF network element. In other words, the third matching group can be forwarded by the AUSF network element and sent to the AMF network element. The third matching group may be carried in the first authentication reply message or other messages. The third matching group may be carried in the second authentication reply message or other messages.

UDM/SIDF can also send the third matching group to the AMF network element through other messages, without being forwarded by other network elements.

The UE and the AUSF network element perform mutual authentication. After successful authentication, AUSF generates and sends the key KSEAF to the SEAF network element. The SEAF network element generates the key KAMF according to the key KSEAF, and sends KSI to the UE. The KSI is used to indicate the key KAMF. The UE can determine the key KAMF according to the KSI. SEAF sends KAMF to AMF. Here SEAF can be deployed independently from AMF, or separately. The embodiment of the application does not limit the specific details and flow of the authentication steps between the UE and the AUSF network element.

Through the above steps, the AMF network element and the UE share the key KAMF.

After the authentication process, according to the key KAMF, the UE and the AMF can establish the NAS security context, and the UE and the access network device can establish the AS security context.

Before step 614, the AMF network element receives the third matching group sent by the UDM network element. The AMF network element determines the second matching group according to the third matching group.

The AMF network element may use the third matching group as the second matching group.

The AMF network element may match the third matching group with List 2 to determine the second matching group. The second matching group includes the same CAG ID of the third matching group as in List 2.

Since the first matching group is sent to the UDM network element in an encrypted manner, the access network device cannot check and verify the first matching group sent by the UE, and cannot ensure that the matching result of the UE, that is, the CAG IDs in the first matching group are all CAG ID in List 2. Therefore, the AMF network element can generate the second matching group according to List 2.

Optionally, the AMF network element is pre-configured with a CAG ID supported by the access network device, that is, the AMF is pre-configured with List 2. At this time, in step 704, the access network device may not send List 2 to the AMF network element. Or the list 2 sent by the access network device to the AMF network element may be used as the second indication information to instruct the UE to request access to the CAG service.

If there is a second matching group, go to step 614.

In step 614, the AMF network element may send the second matching group to the access network device. The second matching group can be sent through N2 messages. The second matching group includes the identification of the CAG that the UE is allowed to access. The access network device obtains the CAG ID that allows the UE to access. Optionally, after receiving the second matching group that allows the UE to access, the access network device performs operations such as radio resource management corresponding to the CAG ID in the second matching group. The embodiment of the present application does not limit the specific operation of the access network device.

In step 615, the AMF network element sends a registration reply message to the UE. The registration reply message can be a registration acceptance message or a registration rejection message.

If the AMF network element determines that there is a second matching group and the UE is allowed to access, the AMF network element sends a registration acceptance message to the UE. Optionally, the AMF network element sends the second matching group to the UE, that is, the CAG ID that allows the UE to access.

If the UE is not allowed to access, the AMF network element sends a registration rejection message to the UE. Optionally, the registration rejection message includes second rejection indication information, and the second rejection indication information is used to indicate the reason for the registration failure, for example, the CAG ID verification fails or the authentication fails.

Optionally, the registration reply message may be a downlink NAS message.

Through the above steps, the UE sends the first matching group in an encrypted manner, which can avoid information leakage.

Before performing the authentication process of the UE, the UDM/SIDF network element verifies whether the UE can access the CAG, that is, matches the first matching group with the list 3.

In some embodiments, the first matching group and list 3 may be matched by the AMF for verification.

After step 707, the authentication process is used for the identity authentication of the UE.

The UDM/SIDF network element sends the first matching group and list 3 to the AMF network element.

The UDM/SIDF network element may send the first matching group and list 3 to the AMF network element. The first matching group and/or list 3 may be carried in the first identity authentication reply message or other messages.

The UDM/SIDF network element may send the first matching group and list 3 to the AUSF network element. The AUSF network element sends the first matching group and list 3 to the AMF network element. In other words, the first matching group and list 3 can be forwarded by the AUSF network element and sent to the AMF network element. The first matching group and/or list 3 may be carried in the second authentication reply message or other messages.

Before step 614, the AMF network element performs matching according to the first matching group and List 3 to determine the second matching group. The second matching group includes the same CAG ID of the first matching group and List 3 China.

AMF may use the same CAG ID in List 3 and the first matching group as the CAG ID in the second matching group. The AMF may also use the same CAG ID in List 2, List 3, and the first matching group as the CAG ID in the second matching group.

In step 614, if the UE is allowed to access, the AMF may send the second matching group to the access network device.

In some embodiments, the UE may not match List 2 with List 1, and the base station may not broadcast List 2. The UE sends the encrypted list 1 to the AMF network element through the NAS message. The subsequent operation is the same as the above process. Compared with the above process, the difference of this method is that the first matching group is now List 1. That is to say, for the case where AMF matches the third matching group with List 2, steps 601-602 may not be performed. The UE may use List 1 as the first matching group.

FIG. 10 is a schematic flowchart of a communication method provided by an embodiment of the present application.

The UE may send the first matching group to the network element of the access network device through the encrypted AS message.

The UE is configured with List 1. List 1 includes the CAG ID that the UE supports to access.

In step 601, the access network device sends List 2 to the UE. Table 2 includes CAG IDs supported by the cells covered by the access network equipment. The cell is the cell where the UE is located among one or more cells covered by the access network equipment. The broadcast content may not be encrypted, and all devices within the coverage of the access network device can obtain the information broadcast by the access network device.

In step 602, the UE matches List 1 and List 2 to obtain a first matching group. The first matching group includes the same CAG ID in List 1 and List 2. The UE matches List 1 and List 2, that is, the UE determines the first matching group, and the first matching group includes at least one CAG ID. The CAG ID in the first matching group belongs to both list 1 and list 2 at the same time. The CAG ID in the first matching group may be referred to as a matched CAG ID (selected matching CAG ID).

In step 603, the UE sends a registration request message to the access network device, and the registration request message includes SUCI.

In step 604, the access network device sends a registration request message to the AMF network element. The registration request message includes SUCI. The registration request message can be sent through the N2 interface between the access network device and the AMF network element, that is, the registration request message can be an N2 message.

In step 605, the AMF network element sends SUCI to AUSF. The SUCI may be carried in the first identity authentication request message. The first identity authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.

In step 606, the AUSF network element sends SUCI to the UDM/SIDF network element. SUCI can be carried in the second identity authentication request message. The second identity authentication request message type may be a Nudm_UEAuthentication_Get Request message.

Specifically, the UDM/SIDF network element sends the authentication vector to the AUSF network element. The authentication vector can be carried in the identity authentication reply message. The identity authentication reply message may be a Nudm_UEAuthentication_Get Response message.

The UE and the AUSF network element perform mutual authentication. The AUSF generates and sends the key KSEAF to the SEAF network element. The SEAF network element generates the key KAMF according to the key KSEAF, and sends KSI to the UE. The KSI is used to indicate the key KAMF. The UE can determine the key KAMF according to the KSI. SEAF sends KAMF to AMF. Here SEAF can be deployed independently from AMF, or separately. The embodiment of the application does not limit the specific details and procedures of the authentication steps between the UE and the AUSF network element.

Through the above steps, the AMF network element and the UE share the key KAMF.

In steps 809-810a, the access network device and the UE establish an access layer security mode (access stratum security mode, NAS SM).

Before step 809, the AMF calculates and sends the key KgNB to the access network device. The key KgNB is determined based on the key KAMF. According to the key KgNB, the UE and the access network device can determine the integrity key and the confidentiality key between the UE and the access network device, so as to protect the integrity and confidentiality of the message between the UE and the access network device Sexual protection. Confidentiality protection is carried out, that is, the information sending end encrypts the information, and the information receiving end decrypts the information.

In step 809, the access network device sends an AS security mode instruction message to the UE. The AS security mode command message has integrity protection.

In step 810a, the UE sends an AS security mode complete message to the access network device. The AS security mode completes the message with confidentiality and integrity protection.

Optionally, the AS security mode completion message may include the first matching group. Therefore, the first matching group is sent to the access network device in an encrypted manner. At this time, step 611 may not be performed.

Through steps 809-810a, the UE and the access network device network element establish a security context through the AS SMC process, and the message between the access network device and the UE can be encrypted for transmission. Through the AS security mode, the message between the AMF network element and the UE can have integrity protection and confidentiality protection.

It is also possible that when the AS security mode completion message does not include the first matching group, the first matching group is sent through step 810b. Step 810b is performed after the UE and the access network device establish the AS security context through the AS SMC procedure.

In step 810b, the UE sends the first matching group transmission to the AMF through an uplink (UL) AS message. In other words, the first matching group is sent under the protection of the AS security context.

Before step 814, the access network device decrypts the first matching group received through the AS security mode completion message or the uplink AS message protected by the AS security context. The access network device performs decryption according to the AS security context to obtain the decrypted first matching group.

In some embodiments, before step 814, the access network device may check the first matching group.

Optionally, the access network device may match the first matching group with List 2. The access network device may remove CAG IDs outside of List 2 in the first matching group to obtain a new first matching group.

Optionally, the access network device receives the first matching group sent by the UE. The access network device determines whether the CAG ID in the first matching group is in the list 2 of CAG IDs supported by the access network device. If the first matching group belongs to list 2, that is, the first matching group is in list 2, the access network device sends the first matching group to the AMF network element. Otherwise, the access network device does not send the first matching group; optionally, the access network device rejects the UE's access.

In some other embodiments, the AMF network element may match the first matching group with the list 2.

AMF network elements can be pre-configured with List 2. Alternatively, the AMF network element may receive List 2 sent by the access network device. For example, in step 604, the access network device sends List 2 to the AMF network element. The AMF network element can match List 2, List 3, and the first matching group. That is, the AMF network element can determine the second matching group, and the second matching group includes the same CAG ID in List 2, List 3, and the first matching group.

Or, neither the access network device nor the AMF may perform matching between the first matching group and the list 2.

In step 814, the UE sends the decrypted first matching group to the AMF network element. The decrypted first matching group may be the first matching group after verification. The second matching group can be sent through N2 messages. The second matching group includes the identification of the CAG that the UE is allowed to access.

In step 612, the AMF network element receives the list 3 sent by the UDM network element. List 3 includes the CAG ID that the network side allows the UE to access. The AMF network element can receive the subscription data sent by the UDM network element. The subscription data includes List 3

The embodiment of the present application does not limit the sequence of step 814 and step 612.

Optionally, before step 612, the AMF network element may send a subscription data request to the UDM network element, and obtain the subscription data corresponding to the UE from the UDM network element. The subscription data includes List 3, and List 3 includes CAG IDs that the network side allows the UE to access.

If the UE is not allowed to access, the AMF network element sends a registration rejection message to the UE. Optionally, the registration rejection message includes verification failure indication information, and the verification failure indication information is used to indicate that the CAG ID verification fails. The verification failure indication information may indicate the reason for the registration rejection, that is, the CAG ID verification failed.

Optionally, the registration reply message may be a downlink NAS message sent by the AMF to the UE.

In other embodiments, the access network device may also encrypt the first matching group according to other public keys of the access network device. The UE may pre-configure the public key of the access network device, and the UE may receive the public key sent by the access network device. For example, the access network device may broadcast the public key of the access network device.

Optionally, before step 810a, the UE may receive protection indication information, where the protection indication information is used to instruct the UE to send the encrypted first matching group.

The UE sends the encrypted first matching group under the AS SM, or the UE sends the encrypted first matching group through the AS SMC completion message, which may cause information leakage. At the same time, the impact on the process of UE access to CAG is small.

FIG. 11 is a schematic flowchart of a communication method provided by an embodiment of the present application.

When the UE accesses the CAG, after the UE receives the registration rejection message, it will delete the CAG ID in the first matching group from List 1. If the attacker can forge the registration rejection message, then the attacker may cause the UE to clear List 1 by forging multiple rejection messages. After List 1 is cleared, the UE cannot use the CAG service.

If the verification of the AMF network element or UDM network element fails, that is, there is no CAG ID that allows the UE to access, the AMF needs to send a registration rejection message to the UE.

The AMF network element determines that there is no CAG ID that allows the UE to access, and the AMF network element sends a registration rejection message to the UE.

The UDM network element determines that there is no CAG ID that allows the UE to access, and the UDM network element sends a verification failure message to the AMF network element. The AMF network element sends a registration rejection message to the UE according to the verification failure information.

After the UE identity authentication is completed, the UE and the AMF network element share the key KAMF.

If after the establishment of the NAS SM is completed, the security context between the UE and the AMF network element is established, that is, the NAS protection context. The AMF network element can send a registration rejection message to the UE through the NAS message protected by the NAS security context. Messages protected by the NAS security context have confidentiality protection, which can prevent attackers from attacking. Alternatively, the AMF network element may send a registration rejection message to the UE through steps 901-902.

In addition, regardless of whether the NAS security context is established, the AMF network element can also send a registration rejection message to the UE through steps 901-902.

Before step 901, UE identity authentication is performed. The UE and the AMF network element share the key KAMF.

In step 901, the AMF network element determines that the check fails and calculates the MAC.

Before step 901, the AMF network element may receive a verification failure message sent by UDM. The AMF network element may determine that the verification fails according to the verification failure message. Alternatively, the AMF network element may perform verification and determine that the verification fails. AMF checks, see Figure 2, Figure 7, Figure 9.

The AMF network element first calculates the MAC based on the key KAMF.

MAC can also be called message authentication code, file message authentication code, message authentication code, and information authentication code. It is a small piece of information generated after a specific algorithm to check the integrity of a certain piece of message. MAC can be used for authentication. MAC can be used to check whether the content has been changed during message delivery. At the same time, MAC can be used as the identity verification of the source of the message to confirm the source of the message.

The AMF network element calculates according to the message verification code function to obtain the MAC.

The input parameters of the message verification code function include the key KAMF, and the input parameters of the message verification code function can also include at least one of the following parameters: rejection indication information, ngKSI, NAS uplink counter, NAS downlink counter, first matching group, defense architecture Dimensionality reduction attack parameters (ABBA, anti-bidding down between architectures), AMF ID, AMF set ID (AMF set ID), SUCI, SUPI, fresh parameters randomly selected by AMF, service network identification, etc. The fresh parameter randomly selected by the AMF may be, for example, a non-repeated random number (number used once or number once, nonce) and other random numbers that are used once. The service network identifier is the service network where the AMF is located. The first matching group includes the CAG ID that the UE requests to access. The rejection indication information is used to indicate the reason for the registration rejection, for example, the identity verification of the CAG to which the UE requests access fails, or the registration request of the UE is rejected. The reason for registration rejection can also be other verification failures, authentication failures, etc.

In step 902, the AMF network element sends a registration rejection message to the UE.

The registration rejection message includes the MAC.

The registration rejection message may also include rejection indication information.

The registration rejection message can also be ngKSI, which is used to indicate KAMF.

The registration rejection message may also include at least one of the multiple input parameters of the message verification code function except KAMF. For example, the registration rejection message may include at least one of the following parameters: NAS uplink counter, NAS downlink counter, first matching group, anti-bidding down between architectures (ABBA), AMF ID, AMF Set ID (AMF set ID), SUCI, SUPI, fresh parameters randomly selected by AMF, service network ID, etc. The first matching group is determined by the UE according to the CAG ID list 1 configured for the UE and the CAG ID list 2 supported by the access network device. The first matching group includes the same CAG IDs in the list 1 and the list 2.

The AMF network element may also send the input parameters of the message verification code function to the UE through other messages. For example, in the identity authentication process, the AMF network element sends ngKSI to the UE.

The UE may also store the input parameters of the message verification code function. After determining the first matching group, the UE saves the first matching group. The UE may also store SUCI, SUPI, etc. AMF can send the UE unsaved parameters among the input parameters of the message verification code function.

After step 902, the UE verifies the MAC. The UE calculates the MAC according to the message verification code function and the input parameters of the message verification code function.

The UE determines whether the verification is passed according to the calculated MAC and the MAC in the registration rejection message.

The UE determines that the calculated MAC is the same as the MAC in the registration rejection message, and the verification passes. The UE may delete the first matching group from the CAG ID list 1 configured for the UE.

The UE determines that the calculated MAC is different from the MAC in the registration rejection message, and the verification fails. The UE determines that the registration rejection message is a forged message.

Through steps 901-902, the AMF network element sends the MAC, and the UE can determine the authenticity of the registration rejection message through the MAC, preventing an attacker from modifying and forging the registration rejection message.

FIG. 12 is a schematic flowchart of a communication method provided by an embodiment of the present application.

The AMF/UDM network element determines that the verification fails, and steps 1001-1003 are performed.

In step 1001, the AMF/UDM network element calculates a digital signature.

In step 1002, the AMF/UDM network element sends the digital signature to the UE.

In the case of UDM verification, the UDM verification fails, and the digital signature can be calculated based on the private key of the home network and the rejection indication information. UDM performs verification, see Figure 9.

Optionally, UDM calculates the digital signature according to the digital signature function. The input parameters of the digital signature function include the home network private key. The input parameters of the digital signature function can also include at least one of the following parameters, the first matching group, SUCI, SUPI, fresh parameters randomly selected by UDM (nonce, random number, etc.), and service network identification (the service network where the AMF is located), Home network identification and rejection indication information. The first matching group includes the CAG ID that the UE requests to access. The rejection indication information is used to indicate the reason for the registration rejection, for example, the identity verification of the CAG that the UE requests to access fails, or the authentication authentication fails.

The UDM network element sends a digital signature to the UE. The digital signature can be forwarded by the AMF network element and/or the AUSF network element, etc.

Optionally, the UDM network element may send rejection indication information to the AMF network element to indicate that the verification fails. The AMF sends a registration rejection message to the UE, which carries the digital signature sent by the UDM.

The UE receives the registration rejection message. The UE can verify the digital signature according to the rejection indication information corresponding to the possible rejection reasons, that is, verify the correctness of the digital signature. Alternatively, the UE may verify the digital signature according to the received rejection indication information.

Optionally, the UDM network element may also send a key identifier for signing to the UE through AMF and/or AUSF. Optionally, the UDM network element may also send a public key identifier, so that the UE can determine the public key used for digital signature calculation according to the public key identifier.

Optionally, the UDM network element may also send an algorithm indication, and the UE may determine the algorithm used for digital signature calculation according to the algorithm indication.

Optionally, the parameters sent by the UDM network element may also include at least one of the following parameters: SUCI, SUPI, fresh parameters randomly selected by UDM (nonce, random number, etc.), service network identification (the service network where the AMF is located), Home network identification and rejection indication information, etc. The UDM and/or AMF network element can also send other unsaved parameters of the UE, so that the UE can correctly verify the MAC.

In the case where the AMF network element is verified and the AMF network element fails the verification, a digital signature can be calculated for the rejection indication information based on the AMF's private key.

The AMF network element performs verification, see Figure 2, Figure 8, Figure 10. If the AMF verification fails, the AMF can calculate the digital signature based on the AMF's private key and rejection indication information.

Optionally, the AMF calculates the digital signature according to the digital signature function. The input parameters of the digital signature function include the private key saved by the AMF. The input parameters of the digital signature function can also include at least one of the following parameters, the first matching group, SUCI, SUPI, AMF randomly selected fresh parameters (nonce, random number, etc.), service network identification (the service network where the AMF is located), AMF public key identification and rejection instructions;

In step 1002, the AMF network element sends a registration rejection message to the UE.

The registration rejection message includes a digital signature.

The registration rejection message may also include a key identifier for calculating the digital signature, and the UE can determine the AMF public key corresponding to the key identifier according to the key identifier, thereby verifying the digital signature.

The registration rejection message may also include at least one of the multiple input parameters of the digital signature function except the AMF public key. For example, the registration rejection message may include at least one of the following parameters: the first matching group, SUCI, SUPI, UDM randomly selected freshness parameters (nonce, random number, etc.), AMF randomly selected freshness parameters (nonce, random number, etc.) , The service network identifier (the service network where the AMF is located), the AMF public key identifier and rejection indication information.

In step 1003, the UE verifies the correctness of the digital signature.

The UE receives the digital signature. The UE verifies the digital signature. If the verification passes, it is determined that the UE is not allowed to access the CAG corresponding to the CAG ID in the first matching group.

The UE stores the public key of the home network. There is no restriction on the specific way of obtaining the home network public key.

If the verification is passed, the UE can delete the first matching group from the CAG ID list 1 configured for the UE.

If the verification fails, the UE determines that the registration rejection message is a forged message.

Through steps 1001-1003, the AMF/UDM network element sends a digital signature, and the UE can determine the authenticity of the registration rejection message through the digital signature, prevent attackers from modifying and forging the registration rejection message, and complete the protection of the rejection indication information.

The method embodiments of the embodiments of the present application are described above with reference to FIGS. 1 to 12, and the device embodiments of the embodiments of the present application are described below with reference to FIGS. 13 to 18. It should be understood that the description of the method embodiment and the description of the device embodiment correspond to each other, and therefore, the parts that are not described in detail can refer to the previous method embodiment.

FIG. 13 is a schematic structural diagram of a user equipment provided by an embodiment of the present application. The user equipment 1300 includes an encryption module 1310 and a transceiver module 1320.

The encryption module 1310 is configured to encrypt the first group list using the non-access stratum NAS security context to obtain an encrypted first group list, the first group list including one or more groups that the UE requests to access Logo.

The transceiver module 1320 is configured to send the encrypted first group list.

Optionally, the transceiver module 1320 is configured to send the encrypted first group list to the first network device through the NAS security mode SM completion message.

Optionally, the transceiver module 1320 is configured to send the encrypted first group list through the uplink NAS message protected by the NAS security context.

Optionally, the transceiver module 1320 is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code.

The user equipment 1300 further includes a verification module configured to verify the registration rejection message according to the message verification code.

FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of the present application. The network device 1400 includes: a transceiver module 1410, a decryption module 1420, and a determination module 1430.

The transceiver module 1410 is configured to receive an encrypted first group list sent by the user equipment UE, where the first group list includes identifiers of one or more groups that the UE requests to access.

The decryption module 1420 is configured to decrypt the encrypted first group list to obtain the first closed access service identification group.

The determining module 1430 is configured to determine the list of subscription groups that the UDM network element determines to save.

The determining module 1430 is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifier of the group that the UE is allowed to access.

The transceiver module 1410 is further configured to, when there is a second group list, the first network device sends the second group list to the access network device.

Optionally, the transceiver module 1410 is configured to receive the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message.

Optionally, the user equipment 1400 further includes a calculation module configured to, when the second group list does not exist, calculate the message verification code according to the shared key between the UE and the first network device.

The transceiver module 1410 is further configured to send a registration rejection message to the access network device, and the message verification code is used for the UE to verify the registration rejection message.

Optionally, the transceiver module 1410 is further configured to receive a third group list sent by the access network device, where the third group list includes the identities of the groups supported by the access network device.

The determining module 1430 is configured to determine the second group list according to the first group list, the third group list, and the contracted group list.

FIG. 15 is a schematic structural diagram of an access network device provided by an embodiment of the present application. The access network device 1500 includes: a transceiver module 1510 and a generating module 1520.

The transceiver module 1510 is configured to receive the encrypted first group list sent by the user equipment UE, and the first closed access service identifier group includes one or more group service identifiers that the UE requests to access.

The transceiver module 1510 is also configured to send the encrypted first group list.

The transceiver module 1510 is further configured to receive a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access.

The generating module 1520 is configured to generate the quality of service QoS information of one or more groups according to the identities of one or more groups.

The transceiver module 1510 is further configured to send quality of service QoS information to the UE.

FIG. 16 is a schematic structural diagram of a network device provided by an embodiment of the present application. The network device 1600 is characterized in that it includes a processor 1610 and a communication interface 1620.

The communication interface 1620 is configured to receive an encrypted first group list sent by the user equipment UE, where the first group list includes the identities of one or more groups that the UE requests to access.

The processor 1610 is configured to decrypt the encrypted first group list to obtain the first closed access service identification group.

The processor 1610 is further configured to determine the list of subscription groups that the UDM network element determines to save.

The processor 1610 is further configured to determine a second group list according to the first group list and the subscription group list, where the second group list includes the identifier of the group that the UE is allowed to access.

The communication interface 1620 is configured to send the second group list to the access network device when the second group list exists.

Optionally, the communication interface 1620 is configured to receive the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message.

Optionally, the processor 1610 is further configured to, when there is no second group list, calculate the message verification code according to the shared key between the UE and the first network device.

The communication interface 1620 is also used to send a registration rejection message to the access network device, and the message verification code is used for the UE to verify the registration rejection message.

Optionally, the communication interface 1620 is further configured to receive a third group list sent by the access network device, where the third group list includes the identifier of the group supported by the access network device.

The processor 1610 is configured to determine the second group list according to the first group list, the third group list, and the contract group list.

FIG. 17 is a schematic structural diagram of a user equipment provided by an embodiment of the present application. The user equipment 1700 includes: a processor 1710 and a communication interface 1720;

The processor 1710 is configured to encrypt the first group list using the non-access stratum NAS security context to obtain an encrypted first group list, the first group list including one or more groups that the UE requests to access The logo;

The communication interface 1720 is used to send the encrypted first group list.

Optionally, the communication interface 1720 is configured to send the encrypted first group list to the first network device through the NAS security mode SM completion message.

Optionally, the communication interface 1720 is configured to send the encrypted first group list through the uplink NAS message protected by the NAS security context.

Optionally, the communication interface 1720 is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code.

The processor 1710 is further configured to verify the registration rejection message according to the message verification code.

FIG. 18 is a schematic structural diagram of an access network device provided by an embodiment of the present application. The access network device 1800 includes a communication interface 1810.

The communication interface 1810 is configured to receive an encrypted first group list sent by a user equipment UE, and the first closed access service identifier group includes one or more group service identifiers that the UE requests to access;

The communication interface 1810 is also used to send the encrypted first group list;

The communication interface 1810 is further configured to receive a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access;

The communication interface 1810 is further configured to send the quality of service QoS information of the one or more groups to the UE.

Optionally, the access network device 1800 includes a processor configured to generate the quality of service QoS information of the one or more groups according to the second group list.

The embodiment of the present application provides a computer program storage medium having program instructions, and when the program instructions are executed, the first network device, the access network device, and the user in the above method The function of any one of the devices is realized.

An embodiment of the present application provides a chip that includes at least one processor. When program instructions are executed by the at least one processor, the first network device, the access network device, and the The function of any one of the user equipment is realized.

An embodiment of the present application provides a communication system, including the above-mentioned first network device, user equipment, and access network device.

A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described in combination with the embodiments disclosed herein can be implemented by electronic hardware or a combination of computer software and electronic hardware. Whether these functions are executed by hardware or software depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.

Those skilled in the art can clearly understand that, for the convenience and conciseness of description, the specific working process of the above-described system, device, and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed system, device, and method may be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components can be combined or It can be integrated into another system, or some features can be ignored or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.

The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.

In addition, the functional units in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.

If the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium. Based on this understanding, the technical solution of this application essentially or the part that contributes to the existing technology or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the method described in each embodiment of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk and other media that can store program code .

The above are only specific implementations of this application, but the protection scope of this application is not limited to this. Any person skilled in the art can easily think of changes or substitutions within the technical scope disclosed in this application. Should be covered within the scope of protection of this application. Therefore, the protection scope of this application should be subject to the protection scope of the claims.

Claims

A communication method, characterized in that it comprises:

The first network device receives the encrypted first group list sent by the user equipment UE, where the first group list includes identities of one or more groups to which the UE requests access;

Decrypting the encrypted first group list by the first network device to obtain a first closed access service identification group;

The first network device determines the list of subscription groups saved in the unified data management UDM;

Determining, by the first network device, a second group list according to the first group list and the subscription group list, the second group list including the identifier of the group that the UE is allowed to access;

When the second group list exists, the first network device sends the second group list to the access network device.
The method according to claim 1, wherein the first network device receiving the encrypted first group list sent by the UE comprises:

The first network device receives the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message; or, the first network device receives the UE through the NAS security context protection The encrypted first group list sent by the uplink NAS message.
The method according to claim 1 or 2, wherein the method further comprises:

When the second group list does not exist, the first network device calculates a message verification code according to the shared key between the UE and the first network device;

The first network device sends a registration rejection message to the access network device, and the message verification code is used by the UE to verify the registration rejection message.
The method according to any one of claims 1-3, wherein the method comprises:

Receiving, by the first network device, a third group list sent by the access network device, where the third group list includes identities of groups supported by the access network device;

The first network device determines a second group list according to the first group list and the subscription group list, including: the first network device according to the first group list, the third group list The group list and the contracted group list determine the second group list.
A communication method, characterized in that it comprises:

The user equipment UE encrypts the first group list using the non-access stratum NAS security context to obtain an encrypted first group list, and the first group list includes one or more groups to which the UE requests access Group ID;

The UE sends the encrypted first group list.
The method of claim 5, wherein:

The UE sending the encrypted first group list includes: the UE sends the encrypted first group list to the first network device through a NAS security mode SM complete message; or, the UE passes The uplink NAS message protected by the NAS security context sends the encrypted first group list.
The method according to claim 5 or 6, wherein the method comprises:

Receiving, by the UE, a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code,

The UE verifies the registration rejection message according to the message verification code.
A communication method, characterized in that it comprises:

The access network device receives the encrypted first group list sent by the user equipment UE, where the first closed access service identifier group includes one or more group service identifiers that the UE requests to access;

Sending the encrypted first group list by the access network device;

Receiving, by the access network device, a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access;

The access network device sends the quality of service QoS information of the one or more groups to the UE.
A network device, characterized by comprising: a processor and a communication interface;

The communication interface is configured to receive an encrypted first group list sent by a user equipment UE, where the first group list includes identities of one or more groups that the UE requests to access;

The processor is configured to decrypt the encrypted first group list to obtain a first closed access service identification group;

The processor is further configured to determine a list of subscription groups that the unified data management UDM network element determines to save;

The processor is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifier of the group that the UE is allowed to access;

The communication interface is further configured to send the second group list to the access network device when the second group list exists.
The network device according to claim 9, wherein the communication interface is configured to receive the encrypted first group list sent by the UE through a non-access stratum NAS security mode SM completion message.
The method network device according to claim 9 or 10, characterized in that,

The processor is further configured to: when the second group list does not exist, calculate a message verification code according to the shared key between the UE and the first network device;

The communication interface is further configured to send a registration rejection message to the access network device, and the message verification code is used by the UE to verify the registration rejection message.
The network device according to any one of claims 9-11, wherein:

The communication interface is further configured to receive a third group list sent by the access network device, where the third group list includes identities of groups supported by the access network device;

The processor is configured to determine the second group list according to the first group list, the third group list, and the subscription group list.
A user equipment, characterized by comprising: a processor and a communication interface;

The processor is configured to encrypt a first group list by using a non-access stratum NAS security context to obtain an encrypted first group list, where the first group list includes one or more of which the UE requests to access Identification of multiple groups;

The communication interface is used to send the encrypted first group list.
The user equipment according to claim 13, wherein:

The communication interface is configured to send the encrypted first group list to the first network device through a NAS security mode SM completion message; or, the communication interface is configured to use an uplink NAS message protected by a NAS security context Send the encrypted first group list.
The user equipment according to claim 13 or 14, characterized in that:

The communication interface is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code,

The processor is further configured to verify the registration rejection message according to the message verification code.
An access network device, characterized by comprising: a processor and a communication interface;

The communication interface is configured to receive an encrypted first group list sent by a user equipment UE, where the first closed access service identifier group includes one or more group service identifiers that the UE requests to access;

The communication interface is also used to send the encrypted first group list;

The communication interface is further configured to receive a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access;

The communication interface is further configured to send quality of service QoS information of the one or more groups to the UE.
A communication device, characterized by comprising a module for executing the method according to any one of claims 1 to 8.
A computer program storage medium, wherein the computer program storage medium has program instructions, and when the program instructions are executed, the method according to any one of claims 1 to 8 is executed.
A chip, characterized in that the chip includes at least one processor, and when a program instruction is executed by the at least one processor, the method according to any one of claims 1 to 8 is executed.
A communication system, characterized by comprising the network equipment according to any one of claims 9-12, the user equipment according to any one of claims 13-15, and the network equipment according to claim 16. Access network equipment.