WO2020248624A1 - Communication method, network device, user equipment and access network device - Google Patents
- Publication number: WO2020248624A1 (PCT application PCT/CN2020/076975)
- Authority: WIPO (PCT)
- Prior art keywords: network device, group list, group, access, list
Classifications
- H (Electricity) > H04 (Electric communication technique) > H04W (Wireless communication networks):
  - H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
  - H04W12/08 Access security
  - H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services > H04W4/08 User group management
  - H04W48/00 Access restriction; Network selection; Access point selection > H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery
  - H04W76/00 Connection management > H04W76/10 Connection setup > H04W76/11 Allocation or use of connection identifiers
Definitions
- This application relates to the field of communications, in particular to a communication method, user equipment, access network equipment and network equipment.
- A group allows a specific set of subscribers to access one or more specific cells.
- Group access requires support from the user equipment (UE), the access network equipment and the core network.
- UE user equipment
- When the UE accesses a group, the core network and the UE exchange information to complete verification.
- The data interaction between the core network device and the UE must therefore be reliable and effective, without data leakage, and must protect the privacy of the UE.
- This application provides a communication method, network equipment, user equipment, and access network equipment, which can avoid data leakage and protect the privacy of the UE.
- A communication method including: a first network device receives an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the first network device decrypts the encrypted first group list to obtain the first group list (a closed access group identifier list); the first network device determines the subscription group list saved by the unified data management (UDM) network element; the first network device determines a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; and when the second group list exists, the first network device sends the second group list to the access network device.
- Because the first network device receives and decrypts the requested group list that the UE sends in encrypted form, data leakage is avoided and the privacy of the UE is protected.
- Because the first network device sends the identifiers of the groups that the UE is allowed to access to the access network device, the access network device can prepare for the data transmission that follows the UE's access to the group.
- The first network device receiving the encrypted first group list sent by the UE includes: the first network device receives the encrypted first group list that the UE sends in a non-access stratum (NAS) security mode (SM) complete message; or, the first network device receives the encrypted first group list that the UE sends in an uplink NAS message protected by the NAS security context.
- The first network device thus receives the encrypted first group list, and the encrypted transmission of the first group list is realized without adding additional procedures.
- Receiving the encrypted first group list in the NAS SM complete message reduces the information interaction between the UE and the first network device and reduces the impact on the system.
- The method further includes: when the second group list does not exist, the first network device calculates a message verification code (a message authentication code, MAC) from the key shared between the UE and the first network device, and sends a registration reject message to the access network device; the message verification code is used by the UE to verify the registration reject message.
- The UE can thus verify the registration reject message, which prevents the UE from being unable to access the group because of a forged or modified registration reject message.
- The method further includes: the first network device receives a third group list sent by the access network device, the third group list including the identifiers of the groups supported by the access network device.
- The first network device determines the second group list from the group list supported by the access network device, the group list that the UE requests to access and the subscription group list, which ensures the accuracy of the groups that the UE is allowed to access.
- The method further includes: the first network device receives access group request information sent by the access network device, the access group request information being used to indicate that the UE requests access to the group.
- A communication method including: a user equipment (UE) encrypts a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups that the UE requests to access; the UE sends the encrypted first group list.
- Because the UE sends the requested group list in encrypted form, data leakage is avoided and the privacy of the UE is protected.
- The UE sending the encrypted first group list includes: the UE sends the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or, the UE sends the encrypted first group list in an uplink NAS message protected by the NAS security context.
- Sending the encrypted first group list in the NAS SM complete message or in an uplink NAS message protected by the NAS security context realizes the encrypted transmission of the first group list without adding additional procedures.
- Sending the encrypted first group list in the NAS SM complete message reduces the information interaction between the UE and the first network device and reduces the impact on the system.
- The method further includes: the UE receives a registration reject message sent by the first network device, the registration reject message including a message verification code, and the UE verifies the registration reject message according to the message verification code.
- The UE verifies the registration reject message according to the message verification code, which prevents the UE from being unable to access the group because of a forged or modified registration reject message.
- The method further includes: the UE sends access group request information to the access network device, the access group request information being used to indicate that the UE requests access to the group.
- A communication method including: an access network device receives an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the access network device forwards the encrypted first group list; the access network device receives a second group list sent by the first network device, the second group list including the identifiers of one or more groups that the UE is allowed to access; and the access network device sends the quality of service (QoS) information of the one or more groups to the UE.
- The method further includes: the access network device receives access group request information sent by the UE, the access group request information being used to indicate that the UE requests access to the group.
- Because the access network device receives from the network device the identifiers of the groups that the UE is allowed to access, it can prepare for the subsequent access of the UE to the group, which reduces the system delay.
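The procedure in the three method aspects above, as an added example that is not part of the patent: a Python simulation in which the first network device is modelled as the AMF sharing K_AMF with the UE, NAS ciphering and integrity are HMAC-SHA256 stand-ins bound to a NAS COUNT rather than the 3GPP NEA/NIA algorithms, and the group identifiers, subscription list and RAN-supported list are constructed. It shows the UE encrypting the first group list, the AMF intersecting it with the UDM subscription list and the third list, and the MAC-protected registration reject that the UE verifies when the second list is empty.

```python
"""Simulation of the encrypted group-list exchange described above (added example).

Assumptions: the "first network device" is modelled as the AMF sharing K_AMF
with the UE; NAS ciphering/integrity use HMAC-SHA256 stand-ins (counter-mode
keystream, 32-bit MAC) bound to a NAS COUNT, not the 3GPP NEA/NIA algorithms;
group IDs are short ASCII strings. All keys and lists below are constructed.
"""
import hashlib
import hmac
import struct

def derive_nas_keys(k_amf: bytes) -> dict:
    # Stand-in for the 3GPP KDF: UE and AMF each derive a ciphering key and an
    # integrity key from K_AMF once the NAS security mode is established.
    return {
        "k_enc": hmac.new(k_amf, b"NAS-ENC", hashlib.sha256).digest(),
        "k_int": hmac.new(k_amf, b"NAS-INT", hashlib.sha256).digest(),
    }

def _keystream(k_enc: bytes, count: int, length: int) -> bytes:
    # Counter-mode keystream; the NAS COUNT makes every message's keystream fresh.
    out = b""
    for block in range(length // 32 + 1):
        out += hmac.new(k_enc, struct.pack(">II", count, block), hashlib.sha256).digest()
    return out[:length]

def _mac(k_int: bytes, count: int, data: bytes) -> bytes:
    # 32-bit message verification code over NAS COUNT || data.
    return hmac.new(k_int, struct.pack(">I", count) + data, hashlib.sha256).digest()[:4]

def nas_protect(keys: dict, count: int, plaintext: bytes) -> bytes:
    # Cipher, then integrity-protect: COUNT || ciphertext || MAC.
    ks = _keystream(keys["k_enc"], count, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return struct.pack(">I", count) + ct + _mac(keys["k_int"], count, ct)

def nas_unprotect(keys: dict, expected_count: int, msg: bytes):
    # Returns the plaintext, or None if the message is replayed or tampered with.
    count = struct.unpack(">I", msg[:4])[0]
    ct, tag = msg[4:-4], msg[-4:]
    if count != expected_count:  # stale COUNT: replayed or out-of-order message
        return None
    if not hmac.compare_digest(tag, _mac(keys["k_int"], count, ct)):
        return None  # forged or modified on the air interface
    return bytes(a ^ b for a, b in zip(ct, _keystream(keys["k_enc"], count, len(ct))))

def ue_send_first_group_list(keys: dict, ul_count: int, requested: list) -> bytes:
    # UE: encrypt the first group list under the NAS security context and carry
    # it in the NAS SM Complete message (or any protected uplink NAS message).
    return nas_protect(keys, ul_count, ";".join(requested).encode())

def amf_handle_first_group_list(keys, ul_count, dl_count, msg, subscription, ran_supported=None):
    # First network device: decrypt the first list and intersect it with the UDM
    # subscription list and, if the RAN supplied one, the supported third list.
    # Returns (second_group_list, registration_reject_or_None).
    plaintext = nas_unprotect(keys, ul_count, msg)
    if plaintext is None:
        return None, None
    first = plaintext.decode().split(";")
    allowed = [g for g in first
               if g in subscription and (ran_supported is None or g in ran_supported)]
    if allowed:
        return allowed, None  # the second list goes to the access network device
    reject = b"REGISTRATION REJECT cause=no-allowed-group"  # constructed message
    return [], reject + _mac(keys["k_int"], dl_count, reject)  # MAC from the shared key

def ue_verify_reject(keys: dict, dl_count: int, reject_msg: bytes) -> bool:
    # UE: act on the rejection only if its MAC verifies under the shared key.
    body, tag = reject_msg[:-4], reject_msg[-4:]
    return hmac.compare_digest(tag, _mac(keys["k_int"], dl_count, body))

def run_flow() -> dict:
    keys = derive_nas_keys(hashlib.sha256(b"constructed K_AMF").digest())
    subscription = ["CAG-10", "CAG-20", "CAG-30"]  # constructed UDM subscription list
    ran_supported = ["CAG-20", "CAG-40"]            # constructed third list from the RAN

    # Case 1: one requested group is both subscribed and supported by the RAN.
    msg = ue_send_first_group_list(keys, 1, ["CAG-20", "CAG-40", "CAG-99"])
    second, _ = amf_handle_first_group_list(keys, 1, 1, msg, subscription, ran_supported)

    # Case 2: nothing matches, so the AMF answers with a MAC-protected reject.
    msg2 = ue_send_first_group_list(keys, 2, ["CAG-99"])
    empty, reject = amf_handle_first_group_list(keys, 2, 2, msg2, subscription)
    forged = reject[:-1] + bytes([reject[-1] ^ 0x01])  # MAC tampered without the key
    return {
        "second_group_list": second,
        "empty_second_list": empty,
        "reject_verifies": ue_verify_reject(keys, 2, reject),
        "forged_reject_verifies": ue_verify_reject(keys, 2, forged),
        "list_hidden_on_air": b"CAG-20" not in msg,
        "replay_rejected": nas_unprotect(keys, 3, msg) is None,
    }
```

Calling `run_flow()` returns the allowed second list for the first UE, the verified reject for the second, and shows that a reject with a modified MAC and a replayed uplink message are both refused.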
- A network device including a transceiver module, a decryption module and a determination module. The transceiver module is configured to receive an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the decryption module is configured to decrypt the encrypted first group list to obtain the first group list (a closed access group identifier list); the determination module is configured to determine the subscription group list saved by the unified data management (UDM) network element; the determination module is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; and the transceiver module is further configured to send the second group list to the access network device when the second group list exists.
- The transceiver module is configured to receive the encrypted first group list that the UE sends in a non-access stratum (NAS) security mode (SM) complete message.
- The network device further includes a calculation module configured to calculate a message verification code from the key shared between the UE and the first network device when the second group list does not exist; the transceiver module is further configured to send a registration reject message to the access network device, and the message verification code is used by the UE to verify the registration reject message.
- The transceiver module is further configured to receive a third group list sent by the access network device, the third group list including the identifiers of the groups supported by the access network device; the determination module is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
- A user equipment including an encryption module and a transceiver module. The encryption module is configured to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups that the UE requests to access; the transceiver module is configured to send the encrypted first group list.
- The transceiver module is configured to send the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or, the transceiver module is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
- The transceiver module is further configured to receive a registration reject message sent by the first network device, the registration reject message including a message verification code; the user equipment further includes a verification module configured to verify the registration reject message according to the message verification code.
- An access network device including a transceiver module and a generating module. The transceiver module is configured to receive an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the transceiver module is further configured to forward the encrypted first group list; the transceiver module is further configured to receive a second group list sent by the first network device, the second group list including the identifiers of one or more groups that the UE is allowed to access; the generating module is configured to generate the quality of service (QoS) information of the one or more groups according to their identifiers; and the transceiver module is further configured to send the QoS information to the UE.
- A network device including a processor and a communication interface. The communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the processor is configured to decrypt the encrypted first group list to obtain the first group list (a closed access group identifier list); the processor is further configured to determine the subscription group list saved by the unified data management (UDM) network element; the processor is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; and when the second group list exists, the communication interface sends the second group list to the access network device.
- The communication interface is configured to receive the encrypted first group list that the UE sends in a non-access stratum (NAS) security mode (SM) complete message.
- When the second group list does not exist, the processor is further configured to calculate a message verification code from the key shared between the UE and the first network device; the communication interface is further configured to send a registration reject message to the access network device, and the message verification code is used by the UE to verify the registration reject message.
- The communication interface is further configured to receive a third group list sent by the access network device, the third group list including the identifiers of the groups supported by the access network device; the processor is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
- A user equipment including a processor and a communication interface. The processor is configured to encrypt a first group list using a non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups that the UE requests to access; the communication interface is configured to send the encrypted first group list.
- The communication interface is configured to send the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or, the communication interface is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
- The communication interface is further configured to receive a registration reject message sent by the first network device, the registration reject message including a message verification code, and the message verification code is used by the UE to verify the registration reject message.
- An access network device including a processor and a communication interface. The communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the communication interface is further configured to forward the encrypted first group list; the communication interface is further configured to receive a second group list sent by the first network device, the second group list including the identifiers of one or more groups that the UE is allowed to access; and the communication interface is further configured to send the QoS information of each of the one or more groups to the UE.
- a communication system including the aforementioned access network equipment, network equipment, and user equipment.
- a computer program storage medium has program instructions, and when the program instructions are executed, the method described above is executed.
- A chip including at least one processor; when program instructions are executed by the at least one processor, the method described above is executed.
- FIG. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application.
- FIG. 2 is a schematic flowchart of a method for a terminal device to access a group.
- FIG. 3 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- FIG. 4 is a schematic flowchart of establishing an access stratum (AS) security mode.
- FIG. 5 is a schematic flowchart of establishing a non-access stratum (NAS) security mode.
- Figure 6 is a schematic flow chart of authentication.
- FIG. 7 is a schematic flowchart of a communication method provided by another embodiment of the present application.
- FIG. 8 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 9 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 10 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 11 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 12 is a schematic flowchart of a communication method according to another embodiment of the present application.
- FIG. 13 is a schematic structural diagram of a user equipment provided by an embodiment of the present application.
- FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of the present application.
- FIG. 15 is a schematic structural diagram of an access network device provided by an embodiment of the present application.
- FIG. 16 is a schematic structural diagram of a user equipment according to another embodiment of the present application.
- FIG. 17 is a schematic structural diagram of a network device provided by another embodiment of the present application.
- FIG. 18 is a schematic structural diagram of an access network device according to another embodiment of the present application.
- GSM global system for mobile communications
- CDMA code division multiple access
- WCDMA wideband code division multiple access
- GPRS general packet radio service
- LTE long term evolution
- FDD frequency division duplex
- TDD time division duplex
- UMTS universal mobile telecommunication system
- WiMAX worldwide interoperability for microwave access
- The embodiments of this application do not limit the specific structure of the entity that executes the method, as long as it can run a program that records the code of the method provided in the embodiments and thereby communicate according to that method.
- The entity executing the method provided in the embodiments of the present application may be a terminal or a network device, or a functional module in a UE or a network device that can call and execute the program.
- FIG. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application.
- the network architecture shown in Figure 1 may specifically include the following network elements:
- User equipment (UE): it may also be called terminal equipment, terminal, access terminal, user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent or user device.
- The UE may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network or in a future evolved public land mobile network (PLMN), etc. It may also be an end device, a logical entity or a smart device such as a mobile phone or smart terminal, a server, gateway, base station, controller or other communication device, or an Internet of things (IoT) device such as a sensor, electricity meter or water meter.
- the UE may also be a wired device, such as
- Access network: provides network access functions for authorized users in a specific area, and can use transmission tunnels of different quality according to user level and service requirements.
- the access network may be an access network using different access technologies.
- 3GPP 3rd Generation Partnership Project
- non-3GPP non-3rd Generation Partnership Project
- the 3GPP access technology refers to the access technology that complies with the 3GPP standard specifications.
- the access network that adopts the 3GPP access technology is called the radio access network (Radio Access Network, RAN).
- the access network equipment in the 5G system is called Next generation Node Base station (gNB).
- gNB Next generation Node Base station
- A non-3GPP access technology refers to an access technology that does not comply with the 3GPP standard specifications, for example the air interface technology represented by an access point (AP) in Wi-Fi.
- AP access point
- An access network that implements access network functions based on wired communication technology can be called a wired access network.
- An access network that implements access network functions based on wireless communication technology may be called a radio access network (RAN).
- the wireless access network can manage wireless resources, provide access services for the terminal, and complete the forwarding of control signals and user data between the terminal and the core network.
- The radio access network device can be, for example, a base station (NodeB), an evolved NodeB (eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, or an AP in a Wi-Fi system. It can also be a wireless controller in a cloud radio access network (CRAN) scenario, a relay station, an access point, an in-vehicle device, a wearable device, a network device in a future 5G network, or a network device in a future evolved PLMN.
- the embodiment of the present application does not limit the specific technology and specific device form adopted by the radio access network device.
- Access and mobility management function (AMF) entity: mainly used for mobility management and access management, and can implement the functions of the mobility management entity (MME) other than session management, for example lawful interception or access authorization (authentication). In the embodiments of the present application, it can be used to realize the functions of the access and mobility management network element.
- MME mobility management entity
- Session management function (SMF) entity: mainly used for session management, allocation and management of the UE's Internet Protocol (IP) address, selection of a manageable user plane function, policy control or charging function interface endpoint, downlink data notification, etc. In the embodiments of this application, it can be used to realize the function of the session management network element.
- IP Internet Protocol
- User plane function (UPF) entity: the data plane gateway. It can be used for packet routing and forwarding, quality of service (QoS) processing of user plane data, etc.
- User data can be connected to the data network (DN) through this network element. In the embodiments of this application, it can be used to realize the function of the user plane gateway.
- DN data network
- Data network: a network used to provide data transmission, for example an operator's service network, the Internet or a third-party service network.
- AUSF authentication server function
- Network exposure function (NEF) entity used to safely open services and capabilities provided by 3GPP network functions to the outside.
- Network function (NF) repository function (NRF) entity: used to store network function entities and description information of the services they provide, and to support service discovery, network element entity discovery, etc.
- PCF Policy control function
- Unified data management (UDM) entity used to process user identification, access authentication, registration, or mobility management, etc.
- Application function (AF) entity used to route data affected by applications, access network open function network elements, or interact with policy frameworks for policy control, etc.
- the N1 interface is the reference point between the terminal and the AMF entity;
- the N2 interface is the reference point between the AN and AMF entities, used for non-access stratum (NAS) message transmission, etc.;
- The N3 interface is the reference point between the (R)AN and the UPF entity, used to transmit user plane data, etc.;
- The N4 interface is the reference point between the SMF entity and the UPF entity, used to transmit, for example, tunnel identification information of the N3 connection, data cache indication information, downlink data notification messages and other information;
- N6 interface is the reference point between UPF entity and DN, used to transmit user plane data, etc.
- the name of the interface between the various network elements in FIG. 1 is only an example, and the name of the interface in a specific implementation may be other names, which is not specifically limited in this application.
- the name of the message (or signaling) transmitted between the various network elements is only an example, and does not constitute any limitation on the function of the message itself.
- the above-mentioned network architecture applied to the embodiment of the present application is only an example of a network architecture described from the perspective of a traditional point-to-point architecture and a service-oriented architecture, and the network architecture applicable to the embodiment of the present application is not limited to this. Any network architecture that can realize the functions of the above-mentioned network elements is applicable to the embodiments of the present application.
- The AMF network element, SMF network element, UPF network element, NSSF network element, NEF network element, AUSF network element, NRF network element, PCF network element and UDM network element shown in Figure 1 can all be understood as network elements used to implement different functions in the core network; for example, they can be combined into network slices on demand. These core network elements may be independent devices, or they may be integrated in the same device to implement different functions, which is not limited in this application.
- a device that performs the functions of a core network element can also be called a core network device or a network device.
- Authentication and key agreement (authentication and key agreement, AKA): The user can perform the AKA process with the network during the startup and registration process. Through the AKA process, two-way authentication between the terminal and the network can be realized, so that the key of the terminal and the network can reach an agreement, so as to ensure the secure communication between the two.
- KSEAF the key sent by AUSF to SEAF during UE registration; SEAF calculates KAMF, and then sends KAMF to AMF. SEAF and AMF can be deployed independently or combined.
- Key KAMF the key KAMF obtained by the UE and AMF respectively during the UE registration process.
- the key KAMF is determined according to the key KSEAF.
- KAMF is associated with the 5G key set identifier (ngKSI).
- the UE and the AMF may respectively pre-store a one-to-one correspondence between at least one KAMF and at least one ngKSI. Therefore, each ngKSI can be used to uniquely indicate a KAMF.
- KAMF can be used to subsequently generate the key KgNB.
- Key KgNB the key derived from the key KAMF, that is, the key KgNB that can be determined according to the key KAMF.
- the key KgNB can be generated based on algorithms such as key derivation function (KDF), KAMF, and the like.
- Encryption key the parameter input when the sender encrypts the plaintext according to the encryption algorithm to generate the ciphertext. If symmetric encryption is used, the encryption key and decryption key are the same. The receiving end can decrypt the cipher text according to the same encryption algorithm and encryption key. In other words, the sender and receiver can encrypt and decrypt based on the same key.
- Integrity protection key the parameter input when the sender performs integrity protection on the plaintext or ciphertext according to the integrity protection algorithm.
- the receiving end can perform integrity verification on the integrity-protected data according to the same integrity protection algorithm and integrity protection key.
- Security capabilities including but not limited to: security algorithms, security parameters, keys, etc.
- the security capability may include, for example, the security capability of the UE and the security capability of the user plane gateway.
- Security algorithm the algorithm used in data security protection. For example, it may include: encryption/decryption algorithms, integrity protection algorithms, etc.
- Security context information that can be used to implement data encryption and decryption and/or integrity protection.
- the security context may include, for example, encryption/decryption keys, integrity protection keys, freshness parameters (such as NAS Count), ngKSI, and security algorithms.
- Ordinary cells can allow all legitimate subscribers (and roaming users) of the operator to access.
- the group allows a group of subscribers in one or more specific cells to access. In other words, the users who can access the group are limited and conditional.
- the same user can belong to multiple groups, that is, can access multiple groups.
- Each group corresponds to a group ID.
- Group access requires the support of UE, access network equipment and core network.
- the embodiments of this application are applicable to scenarios where the UE needs to access a group.
- the group may be, for example, a closed access group (CAG) or a closed subscriber group (CSG).
- CAG closed access group
- CSG closed subscriber group
- Fig. 2 is a schematic flowchart of a method for a UE to access a group.
- the user identity decryption function (subscription identifier de-concealing function, SIDF) network element can be configured in a unified data management function (unified data management, UDM) network element, or it can be deployed independently.
- UDM network elements can provide the user identity decryption function through the SIDF deployed by themselves or by calling the SIDF.
- the UE is configured with a list 1, and the list 1 may be referred to as an allowed CAG identification (identification, ID) list (allowed CAG ID list).
- List 1 includes the identification of the CAG that the UE can access.
- the access network device sends List 2 to the UE.
- List 2 is a list of CAG IDs supported by the cell, and List 2 includes the IDs of CAGs supported by the cell.
- the access network device sends list 2 by broadcasting.
- the broadcast content may not be encrypted, that is, all devices within the coverage of the access network device can obtain the information broadcast by the access network device. Therefore, all devices within the coverage of the access network device can obtain List 2.
- the access network device can also send list 2 through unicast.
- the unicast content may not be encrypted, that is, all devices within the coverage of the access network device can obtain the unicast information of the access network device. Therefore, all devices within the coverage of the access network device can obtain List 2.
- the UE matches List 1 and List 2, and obtains the CAG ID contained in both List 1 and List 2, that is, the matched CAG ID (selected matching CAG ID).
- the UE obtains a first matching group, and the first matching group includes one or more matching CAG IDs.
- both List 1 and List 2 include the CAG IDs in the first matching group. In other words, both List 1 and List 2 include the first matching group.
- step 103 the UE sends registration request (registration request, RR) information and the first matching group to the access network device.
- the RR information includes Subscriber Concealed Identifier (SUCI).
- the SUCI is obtained by encrypting the user's permanent identifier (subscription permanent identifier, SUPI) according to the public key corresponding to the home network public key identifier (home network public key identifier).
- the home network public key identifier is used to indicate the public key and/or private key used for SUPI encryption and SUCI decryption. That is, the UE uses a protection scheme with the original public key (i.e., the home network public key) to generate the SUCI.
- the UDM stores the private key corresponding to the home network public key identifier. Algorithms for user privacy should be executed in the UDM's secure environment.
- SIDF is used to decrypt SUCI to get SUPI.
- SIDF will use the home network private key stored securely in the home operator's network to decrypt SUCI. Decryption should be done in UDM.
- the access authority to SIDF should be defined so that only network elements of the home network are allowed to request SIDF.
- the first matching group is sent through a radio resource control (radio resource control, RRC) layer.
- RRC radio resource control
- step 104 the access network device sends the RR information and the second matching group to the access and mobility management function (AMF) network element.
- AMF access and mobility management function
- the second matching group may be the same as the first matching group.
- the access network device may match the first matching group with List 2 to obtain the second matching group.
- the second matching group includes one or more CAG IDs. Both the first matching group and List 2 include the second matching group.
- the RR information and the second matching group are sent through the N2 interface between the access network device and the AMF network element.
- the AMF sends an authentication request message carrying the SUCI to the authentication server function (AUSF) network element, which forwards it to the unified data management function (UDM)/subscription identifier de-concealing function (SIDF) network element.
- UDM unified data management function
- SIDF subscription identifier de-concealing function
- the UDM/SIDF network element determines the SUPI of the UE according to the SUCI.
- step 105 authentication and security procedures are performed.
- the UDM/SIDF network element generates an authentication vector and sends it to the AUSF network element.
- the AUSF network element sends the key KSEAF to the SEAF network element.
- the SEAF network element generates the key KAMF according to the key KSEAF, and sends the key KAMF to the AMF network element.
- the SEAF network element can also be deployed in the equipment where the AMF network element is located.
- the SEAF network element sends a key set identifier (KSI) to the UE.
- the KSI may be a 5G key set identifier (key set identifier in 5G, ngKSI).
- the UE can determine the key KAMF through the KSI.
- NAS non-access stratum
- AS access stratum
- the UDM/SIDF network element determines the subscription data of the UE according to SUPI.
- the subscription data may also be called subscription information.
- the subscription data of the UE includes List 3, and List 3 includes the CAG ID that the network side allows the UE to access. List 3 includes one or more CAG IDs.
- step 106 the AMF network element receives list 3 sent by the UDM/SIDF network element.
- the AMF network element matches the second matching group with List 3.
- the AMF checks whether the second matching group and List 3 share at least one CAG ID; a shared CAG ID is referred to as a target CAG ID.
- if there is a target CAG ID, proceed to step 108a.
- step 108a the AMF sends registration acceptance information to the UE.
- if there is no target CAG ID, proceed to step 108b.
- step 108b the AMF sends registration rejection information to the UE.
- after step 108b, the UE deletes the CAG IDs corresponding to the first matching group from List 1.
- the UE can perform the corresponding CAG service.
- the CAG service that the UE wants to perform is related to the type of UE, and each CAG service can only be accessed and used by a specific UE. Therefore, the CAG service that the UE wants to perform involves privacy.
- an attacker can obtain the CAG ID that the UE requests to access by eavesdropping on the air interface, which leaks the UE's privacy.
- an embodiment of the present application provides a communication method.
- the CAG ID that the UE requests to access is sent in an encrypted manner. In this way, the possibility of privacy leakage can be reduced.
- Fig. 3 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- step 201 the UE generates an encrypted first group list.
- the group list can also be called a group identification set.
- the first group list includes the identities of one or more groups to which the UE requests access.
- the group may be CAG, CSG, etc., for example.
- the identity of one or more groups that the UE requests to access may be all or part of the identity of the second group list configured for the UE.
- step 202 the UE sends the encrypted first group list.
- the UE may send the encrypted first group list to the AMF network element.
- the UE may establish a NAS security context with an AMF network element, that is, establish a NAS security mode.
- the establishment of NAS security context can be seen in Figure 4.
- the UE may send the first group list to the AMF network element through the NAS SM complete message in the NAS security context establishment process.
- the UE may also send the encrypted first group list to the AMF network element after the NAS security context is established, that is, the UE may send the first group list to the AMF network element through the NAS message protected by the NAS security context.
- the UE can authenticate with the AMF network element to obtain a shared key.
- the UE can establish a NAS security context with the AMF network element according to the shared key.
- the establishment of NAS security context can be seen in Figure 4.
- the AMF can decrypt the encrypted first group list sent by the UE.
- AMF can decrypt the encrypted first group list through the confidentiality algorithm.
- the UE may encrypt the first group list with the AMF public key.
- the UE may send the encrypted first group list to the AMF network element.
- the AMF public key may be sent by the AMF to the UE, or may be pre-configured by the UE.
- the AMF network element is configured with an AMF private key corresponding to the AMF public key.
- the AMF network element can decrypt the encrypted first group list according to the AMF private key.
- the UE may send the encrypted first group list to the UDM network element.
- the UE may encrypt the first group list according to the home network key to obtain an encrypted first group list.
- the UE may send the encrypted first group list and the home network public key identifier to the UDM network element.
- the home network public key identifier is used to indicate the home network key.
- the UDM network element receives the encrypted first group list and the home network public key identifier.
- the UDM network element can determine the home network private key according to the home network public key identifier.
- the UDM network element can decrypt the encrypted first group list according to the private key of the home network.
- the UE may send the encrypted first group list to the access network device.
- the UE may establish an AS security context with the access network device, that is, establish an AS security mode.
- the establishment of the AS security context can be seen in Figure 5.
- the UE may send the first group list to the access network device through the AS SM complete message in the AS security context establishment process.
- the UE may also send the encrypted first group list to the access network device after the AS security context is established, that is, the UE may send the first group list to the access network device through an AS message protected by the AS security context.
- AMF distributes KgNB to access network equipment.
- the UE generates KgNB according to KAMF. After that, the UE and the access network device can establish the access stratum (AS) security mode (SM).
- the access network device may decrypt the encrypted first group list sent by the UE.
- the access network device can decrypt the encrypted first group list through the confidentiality algorithm.
- the UE may encrypt the first group list through the public key of the access network device.
- the UE may send the encrypted first group list to the access network device.
- the public key of the access network device may be sent by the access network device to the UE, or may be pre-configured by the UE.
- the access network device is configured with a private key corresponding to the public key of the access network device.
- the access network device can decrypt the encrypted first group list according to the private key of the access network device.
- the UE may receive a registration rejection message sent by the AMF network element.
- the registration rejection message includes a message verification code, and the message verification code is used by the UE to verify the registration rejection message.
- the registration rejection message can also include a rejection code.
- the rejection code can be used to indicate the rejection of UE registration, or the rejection code can be used to indicate the reason for rejection of UE registration.
- the reason for rejecting the UE registration may be that the AMF network element verification fails, or the UE authentication fails.
- the verification failure of the AMF network element means that the AMF network element determines that there is no second group list, that is, no common identifier exists.
- the second group list includes the identifiers of the same group in the subscription group list saved by the UDM and the first group list.
- the UE may send access group request information to the access network device, where the access group request information is used to instruct the UE to request access to the group.
- in steps 201 to 202, the UE sends the first group list in an encrypted manner, which can avoid leakage of the identities of the groups it requests to access.
- Figure 4 is a schematic flow chart for establishing a NAS security context.
- step 301a the AMF network element activates integrity protection.
- the AMF network element sends a NAS SM command message to the UE.
- the NAS SM command message includes an integrity algorithm, an encryption algorithm, a NAS message authentication code (message authentication code, MAC), UE security capabilities, KSI, etc.
- the NAS MAC can be used to verify the integrity of the NAS SM command message.
- step 301c the AMF network element starts uplink decryption.
- step 302a the UE verifies the integrity of the NAS SM command message. If the verification is successful, the UE starts uplink encryption, downlink decryption and integrity protection.
- the UE sends a NAS security mode complete message to the AMF network element.
- the NAS security mode completion message includes NAS MAC.
- the NAS MAC can be used to verify the integrity of the NAS SM completion message.
- step 301d the AMF network element starts downlink encryption.
- the AMF network element triggers the NAS SMC process and sends a NAS security mode command to the UE; the UE sends a NAS security mode completion message.
- the AMF network element sends a NAS SM command message to the UE, with only integrity protection.
- the UE sends a NAS security mode completion message to the AMF network element, which has confidentiality and integrity protection.
- the UE and the AMF share the NAS security context.
- the UE and the AMF network element can protect the message to be sent through the NAS security context, and protect the NAS message through the NAS security context with integrity and confidentiality protection.
- the NAS security context is established.
- FIG. 4 only briefly describes the processing flow of the NAS SMC. Specifically, other processing procedures and/or parameters can be added in the application, or some of the processing procedures and/or parameters described above can be reduced.
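The NAS SMC exchange of Figure 4 carrying the encrypted first group list from steps 201 to 202, as an added model that is not code from the patent: the command is integrity-protected only, the complete message is confidentiality- and integrity-protected, and the UE checks that its replayed security capabilities match. The KDF, the HMAC-based stream cipher and the 32-bit MAC are simplified stand-ins for the 3GPP algorithms, and K_AMF and the CAG IDs are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholder for the K_AMF shared by UE and AMF after authentication; not a real key.
K_AMF = bytes.fromhex("00" * 31 + "01")
UPLINK, DOWNLINK = 0, 1


def kdf(key: bytes, label: bytes) -> bytes:
    """Simplified key derivation (HMAC-SHA256) standing in for the 3GPP KDF (assumption)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def nas_keys(k_amf: bytes, int_alg: str, enc_alg: str):
    """Derive the NAS integrity key and confidentiality key from K_AMF and the selected algorithms."""
    return kdf(k_amf, b"NAS-int|" + int_alg.encode()), kdf(k_amf, b"NAS-enc|" + enc_alg.encode())


def nas_mac(k_int: bytes, count: int, direction: int, data: bytes) -> bytes:
    """NAS MAC over NAS count, direction and message, truncated to 32 bits like NAS-MAC."""
    msg = count.to_bytes(4, "big") + bytes([direction]) + data
    return hmac.new(k_int, msg, hashlib.sha256).digest()[:4]


def keystream_xor(k_enc: bytes, count: int, direction: int, data: bytes) -> bytes:
    """Model stream cipher: keystream block i = HMAC(k_enc, count||dir||i), XORed with the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k_enc, count.to_bytes(4, "big") + bytes([direction]) + i.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encode_group_list(cag_ids) -> bytes:
    """Each CAG ID as a 32-bit big-endian integer."""
    return b"".join(i.to_bytes(4, "big") for i in cag_ids)


def decode_group_list(data: bytes):
    return [int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4)]


@dataclass
class NasSmcCommand:
    int_alg: str
    enc_alg: str
    ngksi: int
    ue_sec_caps: tuple      # UE security capabilities replayed by the AMF (bidding-down check)
    mac: bytes = b""

    def fields(self) -> bytes:
        return f"{self.int_alg}|{self.enc_alg}|{self.ngksi}|{','.join(self.ue_sec_caps)}".encode()


@dataclass
class NasSmcComplete:
    ciphertext: bytes       # encrypted first group list
    mac: bytes


def amf_build_smc_command(k_amf: bytes, ue_sec_caps, dl_count: int = 0) -> NasSmcCommand:
    """Step 301: AMF sends the NAS SM command with integrity protection only (no encryption)."""
    cmd = NasSmcCommand("NIA-model", "NEA-model", ngksi=3, ue_sec_caps=tuple(ue_sec_caps))
    k_int, _ = nas_keys(k_amf, cmd.int_alg, cmd.enc_alg)
    cmd.mac = nas_mac(k_int, dl_count, DOWNLINK, cmd.fields())
    return cmd


def ue_handle_smc_command(k_amf, cmd, own_sec_caps, first_group_list, dl_count=0, ul_count=0):
    """Step 302: UE verifies the command, then returns the NAS SM complete carrying the encrypted list."""
    k_int, k_enc = nas_keys(k_amf, cmd.int_alg, cmd.enc_alg)
    if not hmac.compare_digest(cmd.mac, nas_mac(k_int, dl_count, DOWNLINK, cmd.fields())):
        raise ValueError("NAS SM command integrity check failed")
    if tuple(cmd.ue_sec_caps) != tuple(own_sec_caps):
        raise ValueError("replayed UE security capabilities differ: bidding-down suspected")
    ciphertext = keystream_xor(k_enc, ul_count, UPLINK, encode_group_list(first_group_list))
    return NasSmcComplete(ciphertext, nas_mac(k_int, ul_count, UPLINK, ciphertext))


def amf_handle_smc_complete(k_amf, cmd, comp, ul_count=0):
    """AMF verifies the complete message and decrypts the first group list."""
    k_int, k_enc = nas_keys(k_amf, cmd.int_alg, cmd.enc_alg)
    if not hmac.compare_digest(comp.mac, nas_mac(k_int, ul_count, UPLINK, comp.ciphertext)):
        raise ValueError("NAS SM complete integrity check failed")
    return decode_group_list(keystream_xor(k_enc, ul_count, UPLINK, comp.ciphertext))


def run_nas_smc(first_group_list, ue_caps=("NEA-model", "NIA-model")):
    """Whole exchange; returns the list recovered by the AMF, the command and the complete message."""
    cmd = amf_build_smc_command(K_AMF, ue_caps)
    comp = ue_handle_smc_command(K_AMF, cmd, ue_caps, first_group_list)
    return amf_handle_smc_complete(K_AMF, cmd, comp), cmd, comp


if __name__ == "__main__":
    recovered, _, comp = run_nas_smc([12, 7])
    print("AMF recovered first group list:", recovered, "ciphertext:", comp.ciphertext.hex())
```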
- Figure 5 is a schematic flow chart for establishing an AS security context.
- the RAN receives the key KgNB.
- the key KgNB is determined by the AMF network element according to the key KAMF.
- AMF shall generate the key KgNB and send the key to the RAN.
- step 401a the RAN initiates RRC integrity protection.
- the RAN sends an AS SM command message to the UE.
- the AS SM command message includes an integrity algorithm, an encryption algorithm, and MAC-I, where the MAC-I is determined according to the key KgNB.
- step 401c the RAN initiates RRC downlink ciphering.
- step 402a the UE verifies the integrity of the AS SM command message.
- the UE verifies the integrity of the AS SM command message according to the MAC-I. If the verification is successful, the UE starts RRC integrity protection and RRC downlink decryption. The UE decrypts the RRC downlink according to the encryption algorithm indicated by the AS SMC information.
- the UE sends an AS SM complete message to the RAN.
- the AS SM completion message includes MAC-I, which is determined according to the key KgNB.
- the RAN can decrypt the AS SM completion message and verify the integrity of the AS SM completion message.
- step 402c the UE starts RRC uplink encryption.
- step 401d the RAN initiates RRC uplink decryption.
- the RAN triggers the AS SMC process and sends an AS security mode command message to the UE.
- the UE sends an AS security mode complete message to the RAN.
- the message in step 401b only performs integrity protection, and the message in step 402b performs confidentiality and integrity protection at the same time.
- the integrity and confidentiality of the message transmitted between the UE and the RAN in the AS security mode can be protected.
- the UE and the access network device share the AS security context, the UE and the access network device can send AS messages through the AS security context protection, and the AS messages protected by the AS security context have integrity and confidentiality protection.
- the AS security context is established.
- FIG. 5 only briefly describes the processing flow of AS security context establishment. Specifically, other processing procedures and/or parameters can be added in the application, or some of the processing procedures and/or parameters described above can be reduced.
- Fig. 6 is a schematic flowchart of an authentication method. Authentication can also be called identity authentication.
- the process of authentication can refer to
- step 501 the UDM/ARPF network element generates an authentication vector.
- the UDM/ARPF network element sends a first authentication reply message to the AUSF network element.
- the first authentication reply message may be a Nudm_UEAuthentication_Get Response message.
- the first authentication reply message includes an authentication vector.
- step 503 the UE performs mutual authentication with the AUSF network element.
- step 504 AUSF generates and sends the key KSEAF to the SEAF network element.
- step 505 the SEAF network element generates the key KAMF according to the key KSEAF, and sends the KSI to the UE.
- the KSI is used to indicate the key KAMF.
- the SEAF network element can be deployed independently of the AMF network element, or together with it.
- the SEAF network element can send KAMF to the AMF network element.
- Figure 6 shows only one authentication method; other authentication methods, such as 5G authentication and key agreement, are also possible, and authentication may include both UE and AMF authentication, UE and AUSF authentication, etc., which is not limited in this embodiment of the application.
- FIG. 7 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the first network device includes an AMF network element.
- the first network device may also include SMF network elements, AUSF network elements, SEAF network elements, UDM network elements, and other network function (network function, NF) network elements, which are not limited in the embodiment of this application.
- the UE encrypts the first group list by using the NAS security context to obtain an encrypted first group list.
- the first group list includes identities of one or more groups to which the UE requests access.
- the first group list may include all or part of the identities in the UE group list configured for the UE.
- the UE may use the UE group list as the first group list.
- the UE receives the access network group list sent by the access network device, and the access network group list includes the identifier of the group supported by the access network device.
- the UE may determine the first group list according to the access network group list and the UE group list, and the first group list includes the identifiers of the same group in the access network group list and the UE group list.
- step 1102 the UE sends the encrypted first group list.
- the UE may establish a NAS security context with the AMF.
- the UE may send the encrypted first group list through the NAS message protected by the NAS security context.
- the UE sends the encrypted first group list to the first network device through a NAS SM complete message.
- the first network device receives the encrypted first group list.
- the first network device decrypts the encrypted first group list.
- the first network device performs verification.
- the AMF determines the second group list according to the first group list and the subscription group list.
- the second group list includes the identifiers of the same group in the first group list and the subscription group list.
- the second group list includes identities of groups that the UE is allowed to access. That is, the identity of the same group is used as the identity of the group that the UE is allowed to access.
- the first network device determines the list of subscription groups saved by the UDM network element. That is, the first network device does not include the UDM network element, and the first network device may receive the subscription group list sent by the UDM network element.
- the first network device includes a UDM network element, and the first network device can obtain a list of subscription groups saved by the UDM network element.
- step 1104 is performed.
- the first network device sends the second group list to the access network device.
- the access network device receives the second group list, and obtains the identifier of the group that is allowed to access the UE.
- step 1105 may be performed.
- the access network device sends the radio resource allocation information and/or quality of service (QoS) information of the group corresponding to each identifier in the second group list to the UE.
- QoS quality of service
- the first network device sends a registration rejection message to the UE.
- AMF can send registration rejection messages in the following ways.
- the first network device may send a registration rejection message to the UE through a NAS message.
- whether the AMF and the UE establish the NAS security context is not limited in the embodiment of the present application.
- the first network device may send a registration rejection message to the UE through the NAS security context. That is, the registration rejection message may be a NAS message protected by the NAS security context.
- the first network device may calculate the message verification code according to the shared key between the UE and the AMF.
- the first network device may send a registration rejection message to the UE, and the registration rejection message includes a message verification code.
- the message verification code is used by the UE to verify the registration rejection message.
- the first network device may also calculate a digital signature according to the AMF private key.
- the first network device may send a registration rejection message to the UE, and the registration rejection message includes the digital signature.
- the UE verifies the digital signature according to the AMF public key.
- the UE may send access group request information to the access network device, where the access group request information is used to instruct the UE to request access to the group.
- the UE sends the identification of the group requested to be accessed in an encrypted manner, which can avoid leakage of UE privacy.
- the group may be CAG, CSG, etc., for example.
- the following takes the UE request to access CAG as an example for description.
- FIG. 8 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the UE may send the first matching group to the AMF network element through the encrypted NAS message.
- the UE stores a list 1, and the list 1 may be referred to as an allowed CAG ID list (allowed CAG ID list).
- List 1 includes the identification of the CAG configured to the UE. That is, List 1 shows the CAG that the UE supports to access. There is no restriction on how the specific UE obtains List 1.
- List 1 may include the CAG ID that the UE can obtain from the operator, may include the CAG ID configured by the network management, and may include the CAG ID configured by the UE when it leaves the factory.
- the access network device broadcasts system information.
- the system information includes List 2, which is a list of CAG IDs supported by the cell.
- the cell is the cell where the UE is located in one or more cells covered by the access network device.
- the broadcast content may not be encrypted, and all devices within the coverage of the access network device can obtain the information broadcast by the access network device.
- the access network device unicasts system information, and the system information includes List 2, and List 2 includes CAG IDs supported by the cell.
- the unicast content may not be encrypted, and all devices within the coverage area of the access network device can obtain the unicast information of the access network device.
- the UE matches List 1 and List 2, that is, the UE checks whether there is a first matching group, and the first matching group includes at least one CAG ID.
- the CAG ID in the first matching group belongs to both list 1 and list 2 at the same time.
- the CAG ID in the first matching group may be referred to as a matched CAG ID (selected matching CAG ID).
- the UE sends a registration request (registration request, RR) message to the access network device, where the registration request message includes SUCI.
- the registration request message may be a control plane message.
- the UE calculates SUCI, which is an encapsulation of the permanent identity SUPI, so that the attacker cannot obtain SUPI through eavesdropping on the air interface.
- SUPI is the permanent identity of the UE. That is, the UE encrypts SUPI to obtain SUCI.
- the SUCI may include one or more of SUPI type, routing indicator, protection scheme identifier, home network public key identifier and other information. Among them, the routing indicator and the home network public key identifier are not encrypted.
- the protection scheme identifier is used to indicate the protection scheme adopted for the SUCI, that is, the scheme used to encrypt SUPI.
- the routing indicator can be used to indicate UDM network elements that can provide services for the UE.
- the UE sends the first indication information to the access network device.
- the first indication information is used to indicate that the UE requests to access the CAG.
- the first indication information that the UE may send to the access network device is used to instruct the UE to request access to the CAG. Since the information related to UE registration in the RR message is sent by the UE to the AMF network element, the access network device needs to forward the information and cannot perceive the information. Therefore, by sending the first indication information to the access network device by the UE, the access network device can be instructed to perform a procedure corresponding to the UE's request to access the CAG.
- the first indication information is carried in a registration request message or other messages.
- the first indication information may be sent through a radio resource control (radio resource control, RRC) message.
- RRC radio resource control
- the first indication information may take multiple forms.
- the first indication information may include List 2 received by the UE, or the first indication information may occupy a certain field of the registration request message.
- the access network device forwards the registration request message to the AMF network element.
- the registration request message includes SUCI.
- the forwarded registration request message may be sent through the N2 interface between the access network device and the AMF network element, that is, the forwarded registration request message may be an N2 message.
- the access network device may send the second indication information to the AMF network element. For example, if the access network device receives the first indication information, the access network device sends the second indication information to the AMF network element.
- the second indication information indicates that the UE requests to access the CAG service.
- the second indication information sent by the access network device may instruct the AMF to perform a procedure corresponding to the UE's request to access the CAG.
- the second indication information may be carried in the forwarded registration request message.
- the second indication information may also be carried in other messages.
- the access network device may send List 2 to the AMF network element.
- the second indication information may include List 2.
- the access network device may send List 2 to the AMF network element.
- the AMF network element sends SUCI to AUSF.
- the SUCI may be carried in the first identity authentication request message.
- the first authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
- the AMF may receive the second indication information and/or List 2.
- the AUSF network element sends SUCI to the UDM/SIDF network element.
- SUCI can be carried in the second identity authentication request message.
- the second authentication request message may be a Nudm_UEAuthentication_Get Request message.
- the UDM/SIDF network element decrypts SUCI to obtain SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.
- Step 608 is an authentication process, which is used for identity authentication of the UE.
- the UDM/SIDF network element sends the authentication vector to the AUSF network element.
- the authentication vector can be carried in the authentication reply message.
- the authentication reply message may be a Nudm_UEAuthentication_Get Response message.
- the UE and the AUSF network element perform mutual authentication.
- the AUSF generates and sends the key KSEAF to the SEAF network element.
- the SEAF network element generates the key KAMF according to the key KSEAF.
- SEAF sends KSI to UE, KSI is used to indicate the key KAMF.
- the UE can determine the key KAMF according to the KSI.
- SEAF sends KAMF to AMF.
- SEAF can be deployed independently of AMF, or together with it.
- the embodiment of the application does not limit the specific details and procedures of the authentication steps between the UE and the AUSF network element.
- the AMF network element and the UE share the key KAMF.
- steps 609-610 the AMF network element and the UE perform a non-access stratum security mode command (NAS SMC) process.
- NAS SMC non-access stratum security mode command
- the UE and the AMF network element can determine the integrity key and the confidentiality key between the UE and the AMF network element, so as to protect the integrity and confidentiality of the messages between the UE and the AMF network element.
- Confidentiality protection: the information sending end encrypts the information, and the information receiving end decrypts the information.
- step 609 the AMF network element sends a NAS security mode command message to the UE.
- the NAS security mode command message has integrity protection. The integrity protection is prior art and will not be repeated here.
- step 610 the UE sends a NAS security mode complete message to the AMF network element.
- the NAS security mode completion message may include the first matching group.
- the NAS security mode completion message is confidential and integrity protected. Therefore, the first matching group is sent to the AMF network element in an encrypted manner. At this time, step 611 may not be performed.
- the NAS security context is established. Sending the first matching group through the NAS SMC completion message, or sending the first matching group in the NAS message protected by the NAS security context, can encrypt the first matching group without adding additional processing procedures.
- the UE and the AMF network element establish a security context through the NAS SMC process, and the message between the AMF network element and the UE can be encrypted for transmission.
- the messages between the AMF network element and the UE can have integrity protection and confidentiality protection.
- step 611 may be performed. Step 611 is performed after the UE and the AMF network element establish a security context through the NAS SMC procedure.
- In step 611, the UE sends the first matching group to the AMF through an uplink (UL) NAS message.
- the first matching group is sent through NAS security protection.
- the AMF network element receives the list 3 sent by the UDM network element.
- List 3 includes the CAG ID that the network side allows the UE to access.
- the AMF network element can receive the subscription data sent by the UDM network element, and the subscription data includes List 3.
- the AMF network element may send a request message to the UDM network element to obtain the subscription data corresponding to the SUPI from the UDM.
- the request message includes SUPI.
- the subscription data includes List 3, and List 3 includes CAG IDs that the network side allows the UE to access.
- the AMF matches List 3 with the first matching group to determine whether there is a second matching group.
- List 3 includes the CAG IDs in the second matching group.
- the first matching group includes CAG IDs in the second matching group. That is, the AMF uses the same CAG ID in List 3 and the first matching group as the CAG ID in the second matching group.
- the AMF matches List 2, List 3, and the first matching group to determine whether there is a second matching group.
- List 2 includes the CAG IDs in the second matching group.
- List 3 includes the CAG IDs in the second matching group.
- the first matching group includes CAG IDs in the second matching group. That is, the AMF uses the same CAG ID in List 2, List 3, and the first matching group as the CAG ID in the second matching group.
- steps 601-602 may not be performed.
- the UE may use List 1 as the first matching group.
- Since the first matching group is sent to the AMF network element through a NAS message, the access network device cannot check or verify the first matching group sent by the UE, and cannot ensure that the UE's matching result is correct, that is, that the CAG IDs in the first matching group are all CAG IDs in List 2. Therefore, the AMF network element can generate the second matching group according to List 2.
- the AMF network element is pre-configured with a CAG ID supported by the access network device, that is, the AMF is pre-configured with List 2.
- the access network device may not send List 2 to the AMF network element.
- List 2 is used as the second indication information, which indicates that the UE requests access to the CAG service.
- the AMF may no longer perform matching on List 2. That is, AMF can perform matching on the first matching group and list 3.
- the list 2 sent by the access network device to the AMF network element may be used as the second indication information, and the second indication information is used to indicate that the UE requests to access the CAG service.
- the UE is allowed to access the CAG service corresponding to the CAG ID in the second matching group.
- the AMF may send the second matching group to the access network device.
- the second matching group can be sent through N2 messages.
- the second matching group includes the identification of the CAG that the UE is allowed to access.
- the access network device receives the second matching group to obtain the CAG ID that allows the UE to access.
- the access network device performs operations such as radio resource management corresponding to the CAG IDs in the second matching group, for example, sending the UE the CAG resource configuration information corresponding to each CAG ID in the second matching group.
- the access network device sends to the UE the policy information corresponding to the CAG ID in the second matching group, such as QoS information of each CAG.
- the policy information is used to indicate the relevant parameters for data transmission after the UE accesses the CAG.
- the specific operation performed by the access network device on the CAG IDs in the second matching group is not limited.
- the AMF network element sends a registration response message to the UE.
- the registration response message may be a registration acceptance message or a registration rejection message.
- the AMF network element sends a registration acceptance message to the UE.
- the AMF network element sends the second matching group to the UE, that is, the CAG ID that allows the UE to access.
- the AMF network element sends a registration rejection message to the UE.
- the registration rejection message includes verification failure indication information.
- the verification failure indication information may be used to indicate the reason for the registration rejection, for example, the CAG ID verification fails or the UE identity authentication fails.
- the AMF sends the UE information on whether the UE is allowed to access the CAG through other downlink NAS messages.
- the UE may receive protection indication information, where the protection indication information is used to instruct the UE to send the encrypted first matching group.
- the protection indication information is used to instruct the UE to encrypt the first matching group, and send the first matching group in an encrypted manner.
- the UE performs a registration procedure. During this registration access procedure, the registration accept message includes the protection indication information. In the subsequent process of the UE accessing the CAG, the registration rejection message is protected in the manner described above.
- the UE sends the first matching group in an encrypted manner, which can avoid information leakage.
- the UE may send the first indication information to the AMF network element through a NAS message other than the RR message.
- the AMF determines the flow of the UE requesting to access the CAG through the first indication information.
- If the base station does not broadcast List 2, or the UE does not match the List 2 broadcast by the base station with List 1, the UE sends the encrypted List 1 to the AMF through a NAS message.
- the subsequent operations are the same as in the procedure above, except that List 1 serves as the first matching group.
- the UE encrypts the first matching group with the public key of the AMF to obtain the ciphertext of the first matching group, and sends the ciphertext to the AMF through a NAS message, for example together with the SUCI in the RR message, or through another NAS message. The AMF decrypts the ciphertext with the AMF's private key to obtain the first matching group.
- the subsequent determination process is the same as the above-mentioned embodiment.
- the process by which the UE obtains the public key of the AMF may be preset or distributed to the UE by the AMF in the previous registration process; there is no restriction.
- FIG. 9 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the UE may encrypt the first matching group with the home network key and send the encrypted first matching group to the UDM network element; the UDM network element decrypts it and sends the decrypted first matching group to the AMF.
- the UE stores List 1, which may be referred to as an allowed CAG ID list.
- List 1 includes the identifiers of the CAGs configured in the UE, that is, the CAGs that the UE supports accessing. How the UE obtains List 1 is not restricted.
- List 1 may include the CAG ID that the UE can obtain from the operator, may include the CAG ID configured by the network management, and may include the CAG ID configured by the UE when it leaves the factory.
- the access network device broadcasts system information, and the system information includes List 2, which is a list of CAG IDs supported by the cell covered by the access network device.
- the broadcast content is not encrypted and protected, and all devices within the coverage of the access network device can obtain the information broadcast by the access network device.
- the access network device unicasts system information, and the system information includes List 2, and List 2 is a list of CAG IDs supported by the cell.
- the unicast content may not be encrypted, and all devices within the coverage area of the access network device can obtain the unicast information of the access network device.
- the UE matches List 1 and List 2, that is, the UE checks whether there is a first matching group, and the first matching group includes at least one CAG ID.
- the CAG ID in the first matching group belongs to both list 1 and list 2 at the same time.
- the CAG ID in the first matching group may be referred to as a matched CAG ID (selected matching CAG ID).
- the UE sends a registration request message to the access network device, and the registration request message includes SUCI.
- the registration request message may be a control plane message.
- the registration request message also includes the encrypted first matching group.
- the UE calculates SUCI, which is an encapsulation of the permanent identity SUPI, so that the attacker cannot obtain SUPI through eavesdropping on the air interface.
- SUPI is the permanent identity of the UE. That is, the UE encrypts SUPI to obtain SUCI.
- the SUCI may include one or more of SUPI type, routing indicator, protection scheme identifier, home network public key identifier and other information. Among them, the routing indicator and the home network public key identifier are not encrypted.
- the protection scheme identifier is used to indicate the protection scheme adopted by the above SUCI, that is, the scheme for encrypting the SUPI.
- the routing indicator can be used to indicate UDM network elements that can provide services for the UE.
- Before step 703, the UE encrypts the first matching group with the home network public key to obtain the encrypted first matching group.
- the UE encrypts the first matching group according to the home network public key, which may also be referred to as the UE encapsulating the first matching group.
- the UE may use the same encryption method as the SUCI to encrypt the first matching group.
- the UE can jointly encrypt the SUPI and the first matching group and encapsulate them in one message.
- the SUCI and the encrypted first matching group can be carried in the same message.
- the UE may separately encrypt the SUPI and the first matching group.
- the encrypted first matching group includes one or more of information such as a routing indicator, a protection scheme identifier, and a home network public key identifier.
- the SUCI and the encrypted first matching group can be carried in the same or different messages.
- the UE may also use an encryption method different from that of SUCI to encrypt the first matching group.
- the SUCI and the encrypted first matching group may correspond to different home network keys, that is, to different home network public key identifiers.
- the encrypted first matching group includes one or more of routing indicator, protection scheme identifier, home network public key identifier, and other information.
- the SUCI and the encrypted first matching group can be carried in the same or different messages.
- the home network key includes the home network public key and the home network private key.
- the UE and the UDM network element hold the correspondence between the home network public key identifier, the home network public key, and the home network private key.
- the UE sends the first indication information to the access network device.
- the first indication information is used to indicate that the UE requests to access the CAG service.
- the first indication information is carried in a registration request message or other messages.
- the first indication information may be sent through a radio resource control (radio resource control, RRC) message.
- the first indication information may take multiple forms.
- the first indication information may include List 2 received by the UE, or the first indication information may occupy a certain field of the registration request message.
- the access network device sends a registration request message to the AMF network element.
- the registration request message includes the SUCI and the encrypted first matching group.
- the registration request message can be sent through the N2 interface between the access network device and the AMF network element, that is, the registration request message can be an N2 message.
- the access network device may send the second indication information to the AMF network element. For example, if the access network device receives the first indication information, the access network device sends the second indication information to the AMF network element.
- the second indication information indicates that the UE requests to access the CAG service.
- the second indication information may be carried in the registration request message.
- the second indication information may also be carried in other messages.
- the access network device may send List 2 to the AMF network element.
- the second indication information may include List 2.
- the AMF network element sends the encrypted first matching group and SUCI to AUSF.
- the SUCI may be carried in the first identity authentication request message.
- the encrypted first matching group may be carried in the first identity authentication request message or other messages.
- the first identity authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
- the AMF may receive the second indication information and/or List 2.
- the AUSF network element sends the encrypted first matching group and SUCI to the UDM/SIDF network element.
- the SUCI may be carried in the second authentication request message.
- the encrypted first matching group may be carried in the second authentication request message or other messages.
- the second authentication request message may be a Nudm_UEAuthentication_Get Request message.
- the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group according to the home network private key corresponding to the home network public key identifier.
- the UDM/SIDF network element decrypts the SUCI to obtain SUPI, executes the authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.
- the UDM/SIDF network element decrypts the encrypted first matching group to obtain the first matching group.
- if the SUPI and the first matching group were jointly encrypted, the UDM/SIDF network element decrypts that single piece of information to obtain the SUPI and the first matching group.
- the UDM/SIDF network element determines the subscription data of the UE according to SUPI.
- the subscription data of the UE includes List 3, and List 3 includes the CAG ID that the network side allows the UE to access.
- the UDM/SIDF network element matches the first matching group with List 3 to obtain the third matching group.
- the third matching group includes the same CAG ID in the first matching group and List 3.
- If the UDM/SIDF network element determines that there is no third matching group, the UE authentication process and step 614 are not performed. When there is no third matching group, that is, the verification fails, there is no need to perform the subsequent UE authentication procedure, which saves system signaling overhead.
- the UDM/SIDF network element can reject the registration of the UE.
- the UDM can send rejection indication information to the AMF network element either via the AUSF network element or directly.
- the UDM network element may send the first rejection indication information to the AMF network element either via the AUSF network element or directly.
- the first rejection indication information may include the reason for registration rejection. That is, the first rejection indication information may be used to indicate that there is no third matching group, that is, the verification fails, and there is no CAG that allows the UE to access.
- the AMF network element receives the rejection indication information sent by the UDM network element, and determines that there is no second matching group, that is, there is no CAG that allows the UE to access.
- In step 615, the AMF network element sends a registration rejection message to the UE.
- Steps 709-710 are steps in the authentication process, which is used for identity authentication of the UE.
- the UDM/SIDF network element sends the authentication vector to the AUSF network element.
- the authentication vector may be carried in the first authentication reply message.
- the first authentication reply message may be a Nudm_UEAuthentication_Get Response message.
- the AUSF network element sends an authentication vector to the AMF network element.
- the authentication vector may be carried in the second authentication reply message.
- the second authentication reply message may be a Nudm_UEAuthentication_Get Response message.
- the UDM/SIDF network element may send the third matching group to the AMF network element.
- the UDM/SIDF network element may send the third matching group to the AUSF network element.
- the AUSF network element sends the third matching group to the AMF network element.
- the third matching group can be forwarded by the AUSF network element and sent to the AMF network element.
- the third matching group may be carried in the first authentication reply message or other messages.
- the third matching group may be carried in the second authentication reply message or other messages.
- UDM/SIDF can also send the third matching group to the AMF network element through other messages, without being forwarded by other network elements.
- the UE and the AUSF network element perform mutual authentication. After successful authentication, AUSF generates and sends the key KSEAF to the SEAF network element.
- the SEAF network element generates the key KAMF according to the key KSEAF, and sends KSI to the UE.
- the KSI is used to indicate the key KAMF.
- the UE can determine the key KAMF according to the KSI.
- SEAF sends KAMF to AMF.
- SEAF can be deployed independently from AMF, or separately.
- the embodiment of the application does not limit the specific details and flow of the authentication steps between the UE and the AUSF network element.
- the AMF network element and the UE share the key KAMF.
- the UE and the AMF can establish the NAS security context, and the UE and the access network device can establish the AS security context.
- the AMF network element receives the third matching group sent by the UDM network element.
- the AMF network element determines the second matching group according to the third matching group.
- the AMF network element may use the third matching group as the second matching group.
- the AMF network element may match the third matching group with List 2 to determine the second matching group.
- the second matching group includes the CAG IDs that are in both the third matching group and List 2.
- Since the first matching group is sent to the UDM network element in encrypted form, the access network device cannot check or verify the first matching group sent by the UE, and cannot ensure that the UE's matching result is correct, that is, that the CAG IDs in the first matching group are all CAG IDs in List 2. Therefore, the AMF network element can generate the second matching group according to List 2.
- the AMF network element is pre-configured with a CAG ID supported by the access network device, that is, the AMF is pre-configured with List 2.
- the access network device may not send List 2 to the AMF network element.
- the List 2 sent by the access network device to the AMF network element may be used as the second indication information, which indicates that the UE requests access to the CAG service.
- the AMF may no longer perform matching on List 2. That is, AMF can perform matching on the first matching group and list 3.
- the list 2 sent by the access network device to the AMF network element may be used as the second indication information, and the second indication information is used to indicate that the UE requests to access the CAG service.
- If there is a second matching group, step 614 is performed.
- the AMF network element may send the second matching group to the access network device.
- the second matching group can be sent through N2 messages.
- the second matching group includes the identification of the CAG that the UE is allowed to access.
- the access network device obtains the CAG ID that allows the UE to access.
- the access network device performs operations such as radio resource management corresponding to the CAG ID in the second matching group.
- the embodiment of the present application does not limit the specific operation of the access network device.
- the AMF network element sends a registration reply message to the UE.
- the registration reply message can be a registration acceptance message or a registration rejection message.
- If the AMF network element determines that there is a second matching group and the UE is allowed to access, the AMF network element sends a registration acceptance message to the UE.
- the AMF network element sends the second matching group to the UE, that is, the CAG ID that allows the UE to access.
- the AMF network element sends a registration rejection message to the UE.
- the registration rejection message includes second rejection indication information, and the second rejection indication information is used to indicate the reason for the registration failure, for example, the CAG ID verification fails or the authentication fails.
- the registration reply message may be a downlink NAS message.
- the UE sends the first matching group in an encrypted manner, which can avoid information leakage.
- Before performing the authentication process of the UE, the UDM/SIDF network element verifies whether the UE can access the CAG, that is, matches the first matching group with List 3.
- the first matching group and list 3 may be matched by the AMF for verification.
- the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group according to the home network private key corresponding to the home network public key identifier.
- the UDM/SIDF network element decrypts the SUCI to obtain SUPI, executes the authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.
- the UDM/SIDF network element decrypts the encrypted first matching group to obtain the first matching group.
- the UDM/SIDF network element decrypts one piece of information corresponding to SUPI and the first matching group to obtain SUPI and the first matching group.
- the UDM/SIDF network element determines the subscription data of the UE according to SUPI.
- the subscription data of the UE includes List 3, and List 3 includes the CAG ID that the network side allows the UE to access.
- Step 707 is the authentication process, which is used for identity authentication of the UE.
- the UDM/SIDF network element sends the first matching group and list 3 to the AMF network element.
- the UDM/SIDF network element may send the first matching group and list 3 to the AMF network element.
- the first matching group and/or list 3 may be carried in the first identity authentication reply message or other messages.
- the UDM/SIDF network element may send the first matching group and list 3 to the AUSF network element.
- the AUSF network element sends the first matching group and list 3 to the AMF network element.
- the first matching group and list 3 can be forwarded by the AUSF network element and sent to the AMF network element.
- the first matching group and/or list 3 may be carried in the second authentication reply message or other messages.
- the AMF network element performs matching according to the first matching group and List 3 to determine the second matching group.
- the second matching group includes the CAG IDs that are in both the first matching group and List 3.
- AMF may use the same CAG ID in List 3 and the first matching group as the CAG ID in the second matching group.
- the AMF may also use the same CAG ID in List 2, List 3, and the first matching group as the CAG ID in the second matching group.
- In step 614, if the UE is allowed to access, the AMF may send the second matching group to the access network device.
- the AMF network element sends a registration reply message to the UE.
- the registration reply message can be a registration acceptance message or a registration rejection message.
- the UE may not match List 2 with List 1, and the base station may not broadcast List 2.
- the UE sends the encrypted list 1 to the AMF network element through the NAS message.
- the subsequent operation is the same as the above process.
- the difference in this method is that List 1 is now the first matching group. That is, in the case where the AMF matches the third matching group with List 2, steps 601-602 may not be performed.
- the UE may use List 1 as the first matching group.
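The matching steps of the FIG. 8 and FIG. 9 procedures above (the UE matching List 1 against List 2, the UDM/SIDF matching the first matching group against List 3, and the AMF deriving the second matching group and re-matching it against List 2 because the encrypted first matching group cannot be checked by the access network device), as one runnable model. This is an added example, not code from the patent or from any 3GPP implementation; the CAG ID values, list contents and function names are constructed for illustration.

```python
"""Constructed model of the CAG ID matching pipeline described in the registration
procedures above (added example, not the patent's code). CAG IDs are arbitrary
integers here; each list is modelled as a set, which is all the matching needs."""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

CagIds = FrozenSet[int]


def ue_first_matching_group(list1: Iterable[int],
                            list2: Optional[Iterable[int]]) -> CagIds:
    """UE side: List 1 (CAG IDs the UE may access) matched against List 2 (CAG IDs
    the cell broadcasts). When no List 2 is broadcast, the UE sends List 1 itself
    as the first matching group (the variant at the end of the FIG. 9 text)."""
    if list2 is None:
        return frozenset(list1)
    return frozenset(list1) & frozenset(list2)


def udm_third_matching_group(first_group: CagIds, list3: Iterable[int]) -> CagIds:
    """Home network side (UDM/SIDF, FIG. 9): the decrypted first matching group is
    matched against List 3 from the subscription data. An empty result means the
    CAG verification fails and the authentication procedure is not started."""
    return first_group & frozenset(list3)


def amf_second_matching_group(candidate: CagIds, list3: Iterable[int],
                              list2: Optional[Iterable[int]] = None) -> CagIds:
    """AMF side. 'candidate' is the NAS-protected first matching group (FIG. 8) or
    the third matching group forwarded by the UDM (FIG. 9). The group reached the
    network encrypted, so the access network device could not check that every
    CAG ID was really in List 2; when the AMF holds List 2 (sent by the access
    network device or pre-configured) it re-matches against it."""
    second = candidate & frozenset(list3)
    if list2 is not None:
        second &= frozenset(list2)
    return second


@dataclass(frozen=True)
class RegistrationResult:
    accepted: bool
    allowed_cag_ids: CagIds               # second matching group in Registration Accept
    reject_reason: Optional[str] = None   # rejection indication information


def amf_registration_decision(second_group: CagIds) -> RegistrationResult:
    """Registration Accept carries the second matching group; an empty group
    becomes a Registration Reject whose indication names the failed check."""
    if second_group:
        return RegistrationResult(True, second_group)
    return RegistrationResult(False, frozenset(), "CAG ID verification fails")


def run_fig8(list1, list2_broadcast, list3, list2_at_amf=None) -> RegistrationResult:
    """FIG. 8 flow: the AMF matches the NAS-protected first matching group against
    List 3 (and List 2 when it has it) and answers the registration request."""
    first = ue_first_matching_group(list1, list2_broadcast)
    second = amf_second_matching_group(first, list3, list2_at_amf)
    return amf_registration_decision(second)


def run_fig9(list1, list2_broadcast, list3, list2_at_amf=None) -> RegistrationResult:
    """FIG. 9 flow: the UDM/SIDF matches the home-network-key-encrypted first
    matching group against List 3 before authentication; the AMF then derives
    the second matching group from the third one."""
    first = ue_first_matching_group(list1, list2_broadcast)
    third = udm_third_matching_group(first, list3)
    if not third:
        # UDM sends the first rejection indication; authentication never starts.
        return RegistrationResult(False, frozenset(), "no third matching group")
    second = amf_second_matching_group(third, list3, list2_at_amf)
    return amf_registration_decision(second)


# Constructed sample data (not from the page): CAG IDs are arbitrary integers.
LIST1 = {100, 200, 300}   # configured in the UE (allowed CAG ID list)
LIST2 = {100, 200, 400}   # broadcast by the cell, also known to the AMF
LIST3 = {100, 300, 400}   # subscription data held by the UDM

if __name__ == "__main__":
    print(run_fig8(LIST1, LIST2, LIST3, LIST2))   # accepted, allowed {100}
    print(run_fig9(LIST1, LIST2, LIST3, LIST2))   # accepted, allowed {100}
    # A first matching group containing a CAG ID the cell never broadcast (300):
    # only the AMF's re-match against List 2 removes it again.
    print(amf_second_matching_group(frozenset(LIST1), LIST3, LIST2))  # {100}
    print(amf_second_matching_group(frozenset(LIST1), LIST3))         # {100, 300}
```

Running the last two calls side by side shows why the text has the AMF re-match against List 2 rather than trust the UE's matching result.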
- FIG. 10 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the UE may send the first matching group to the access network device through an encrypted AS message.
- the UE is configured with List 1.
- List 1 includes the CAG ID that the UE supports to access.
- the access network device sends List 2 to the UE.
- List 2 includes the CAG IDs supported by the cell covered by the access network device.
- the cell is the cell where the UE is located among one or more cells covered by the access network equipment.
- the broadcast content may not be encrypted, and all devices within the coverage of the access network device can obtain the information broadcast by the access network device.
- the access network device unicasts system information, and the system information includes List 2, and List 2 includes CAG IDs supported by the cell.
- the unicast content may not be encrypted, and all devices within the coverage area of the access network device can obtain the unicast information of the access network device.
- the UE matches List 1 and List 2 to obtain a first matching group.
- the first matching group includes the same CAG ID in List 1 and List 2.
- the UE matches List 1 and List 2, that is, the UE determines the first matching group, and the first matching group includes at least one CAG ID.
- the CAG ID in the first matching group belongs to both list 1 and list 2 at the same time.
- the CAG ID in the first matching group may be referred to as a matched CAG ID (selected matching CAG ID).
- In step 603, the UE sends a registration request message to the access network device, and the registration request message includes the SUCI.
- the UE calculates SUCI, which is an encapsulation of the permanent identity SUPI, so that the attacker cannot obtain SUPI through eavesdropping on the air interface.
- SUPI is the permanent identity of the UE. That is, the UE encrypts SUPI to obtain SUCI.
- the SUCI may include one or more of SUPI type, routing indicator, protection scheme identifier, home network public key identifier and other information. Among them, the routing indicator and the home network public key identifier are not encrypted.
- the protection scheme identifier is used to indicate the protection scheme adopted by the above SUCI, that is, the scheme for encrypting the SUPI.
- the routing indicator can be used to indicate UDM network elements that can provide services for the UE.
- the UE sends the first indication information to the access network device.
- the first indication information is used to indicate that the UE requests to access the CAG.
- the first indication information that the UE may send to the access network device indicates that the UE requests access to the CAG. Since the registration-related information in the RR message is sent by the UE to the AMF network element, the access network device only forwards this information and cannot read it. Therefore, by sending the first indication information to the access network device, the UE instructs the access network device to perform the procedure corresponding to the UE's request to access the CAG.
- the first indication information is carried in a registration request message or other messages.
- the first indication information may be sent through a radio resource control (radio resource control, RRC) message.
- the first indication information may take multiple forms.
- the first indication information may include List 2 received by the UE, or the first indication information may occupy a certain field of the registration request message.
- the access network device sends a registration request message to the AMF network element.
- the registration request message includes SUCI.
- the registration request message can be sent through the N2 interface between the access network device and the AMF network element, that is, the registration request message can be an N2 message.
- the access network device may send the second indication information to the AMF network element. For example, if the access network device receives the first indication information, the access network device sends the second indication information to the AMF network element.
- the second indication information indicates that the UE requests to access the CAG service.
- the second indication information may be carried in the registration request message.
- the second indication information may also be carried in other messages.
- the access network device may send List 2 to the AMF network element.
- the second indication information may include List 2.
- the AMF network element sends SUCI to AUSF.
- the SUCI may be carried in the first identity authentication request message.
- the first identity authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
- the AMF may receive the second indication information and/or List 2.
- the AUSF network element sends SUCI to the UDM/SIDF network element.
- SUCI can be carried in the second identity authentication request message.
- the second identity authentication request message type may be a Nudm_UEAuthentication_Get Request message.
- the UDM/SIDF network element decrypts SUCI to obtain SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.
- Step 608 is an authentication process, which is used for identity authentication of the UE.
- the UDM/SIDF network element sends the authentication vector to the AUSF network element.
- the authentication vector can be carried in the identity authentication reply message.
- the identity authentication reply message may be a Nudm_UEAuthentication_Get Response message.
- the UE and the AUSF network element perform mutual authentication.
- the AUSF generates and sends the key KSEAF to the SEAF network element.
- the SEAF network element generates the key KAMF according to the key KSEAF, and sends KSI to the UE.
- the KSI is used to indicate the key KAMF.
- the UE can determine the key KAMF according to the KSI.
- SEAF sends KAMF to AMF.
- SEAF can be deployed independently from AMF, or separately.
- the embodiment of the application does not limit the specific details and procedures of the authentication steps between the UE and the AUSF network element.
- the AMF network element and the UE share the key KAMF.
- the access network device and the UE establish access stratum security mode (AS SM).
- the AMF calculates and sends the key KgNB to the access network device.
- the key KgNB is determined based on the key KAMF.
- the UE and the access network device can determine the integrity key and the confidentiality key between them, so as to protect the integrity and confidentiality of the messages exchanged between the UE and the access network device. Confidentiality protection means that the sending end encrypts the message and the receiving end decrypts it.
- in step 809 the access network device sends an AS security mode command message to the UE.
- the AS security mode command message has integrity protection.
- in step 810a the UE sends an AS security mode complete message to the access network device.
- the AS security mode complete message has confidentiality and integrity protection.
- the AS security mode complete message may include the first matching group, so that the first matching group reaches the access network device in encrypted form. In that case step 611 need not be performed.
- the UE and the access network device establish a security context through the AS SMC procedure, after which messages between the access network device and the UE can be transmitted encrypted.
- the message between the AMF network element and the UE can have integrity protection and confidentiality protection.
- Step 810b is performed after the UE and the access network device establish the AS security context through the AS SMC procedure.
- in step 810b the UE sends the first matching group to the AMF through an uplink (UL) AS message.
- the first matching group is sent under the protection of the AS security context.
- the access network device decrypts the first matching group received through the AS security mode completion message or the uplink AS message protected by the AS security context.
- the access network device performs decryption according to the AS security context to obtain the decrypted first matching group.
- the access network device may check the first matching group.
- the access network device may match the first matching group with List 2.
- the access network device may remove CAG IDs outside of List 2 in the first matching group to obtain a new first matching group.
- the access network device receives the first matching group sent by the UE.
- the access network device determines whether the CAG ID in the first matching group is in the list 2 of CAG IDs supported by the access network device. If the first matching group belongs to list 2, that is, the first matching group is in list 2, the access network device sends the first matching group to the AMF network element. Otherwise, the access network device does not send the first matching group; optionally, the access network device rejects the UE's access.
- the AMF network element may match the first matching group with the list 2.
- AMF network elements can be pre-configured with List 2.
- the AMF network element may receive List 2 sent by the access network device.
- the access network device sends List 2 to the AMF network element.
- the AMF network element can match List 2, List 3, and the first matching group. That is, the AMF network element can determine the second matching group, and the second matching group includes the same CAG ID in List 2, List 3, and the first matching group.
- alternatively, neither the access network device nor the AMF performs matching between the first matching group and list 2.
- the access network device sends the decrypted first matching group to the AMF network element.
- the decrypted first matching group may be the first matching group after verification.
- the second matching group can be sent through N2 messages.
- the second matching group includes the identification of the CAG that the UE is allowed to access.
- the AMF network element receives the list 3 sent by the UDM network element.
- List 3 includes the CAG ID that the network side allows the UE to access.
- the AMF network element can receive the subscription data sent by the UDM network element.
- the subscription data includes List 3
- the AMF network element may send a subscription data request to the UDM network element, and obtain the subscription data corresponding to the UE from the UDM network element.
- the subscription data includes List 3, and List 3 includes CAG IDs that the network side allows the UE to access.
- the AMF matches List 3 with the first matching group to determine whether there is a second matching group.
- List 3 includes CAG IDs in the second matching group
- the first matching group includes CAG IDs in the second matching group. That is, the AMF uses the same CAG ID in List 3 and the first matching group as the CAG ID in the second matching group.
- the UE is allowed to access the CAG service corresponding to the CAG ID in the second matching group.
- the AMF network element sends a registration reply message to the UE.
- the registration reply message can be a registration acceptance message or a registration rejection message.
- the AMF network element sends a registration acceptance message to the UE.
- the AMF network element sends the second matching group to the UE, that is, the CAG ID that allows the UE to access.
- the AMF network element sends a registration rejection message to the UE.
- the registration rejection message includes verification failure indication information, and the verification failure indication information is used to indicate that the CAG ID verification fails.
- the verification failure indication information may indicate the reason for the registration rejection, that is, the CAG ID verification failed.
- the registration reply message may be a downlink NAS message sent by the AMF to the UE.
- alternatively, the UE may encrypt the first matching group with a public key of the access network device.
- the UE may pre-configure the public key of the access network device, and the UE may receive the public key sent by the access network device.
- the access network device may broadcast the public key of the access network device.
- the UE may receive protection indication information, where the protection indication information is used to instruct the UE to send the encrypted first matching group.
- the UE sends the encrypted first matching group under the AS SM, or through the AS SMC complete message, so the first matching group does not leak, while the impact on the procedure by which the UE accesses the CAG is small.
- FIG. 11 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- when the UE accesses a CAG and receives a registration rejection message, it deletes the CAG IDs of the first matching group from List 1. If an attacker can forge registration rejection messages, the attacker can empty List 1 by forging several rejection messages, after which the UE can no longer use the CAG service.
- the AMF needs to send a registration rejection message to the UE.
- the AMF network element determines that there is no CAG ID that allows the UE to access, and the AMF network element sends a registration rejection message to the UE.
- the UDM network element determines that there is no CAG ID that allows the UE to access, and the UDM network element sends a verification failure message to the AMF network element.
- the AMF network element sends a registration rejection message to the UE according to the verification failure information.
- the UE and the AMF network element share the key KAMF.
- the security context between the UE and the AMF network element is established, that is, the NAS protection context.
- the AMF network element can send the registration rejection message to the UE as a NAS message protected by the NAS security context. Messages protected by the NAS security context have integrity and confidentiality protection, so an attacker can neither forge nor modify them. Alternatively, the AMF network element may send the registration rejection message to the UE through steps 901-902.
- step 901 UE identity authentication is performed.
- the UE and the AMF network element share the key KAMF.
- in step 901 the AMF network element determines that the check fails and calculates the MAC.
- the AMF network element may receive a verification failure message sent by UDM.
- the AMF network element may determine that the verification fails according to the verification failure message.
- the AMF network element may perform verification and determine that the verification fails.
- for the check performed by the AMF, see Figure 2, Figure 7 and Figure 9.
- the AMF network element first calculates the MAC based on the key KAMF.
- a MAC (message authentication code) is a short tag computed over a message with a specific keyed algorithm and used to check the integrity of that message.
- MAC can be used for authentication.
- MAC can be used to check whether the content has been changed during message delivery. At the same time, MAC can be used as the identity verification of the source of the message to confirm the source of the message.
- the AMF network element calculates according to the message verification code function to obtain the MAC.
- the input parameters of the message verification code function include the key KAMF, and may further include at least one of the following: the rejection indication information, ngKSI, the NAS uplink counter, the NAS downlink counter, the first matching group, the anti-bidding-down-between-architectures (ABBA) parameter, the AMF ID, the AMF set ID, SUCI, SUPI, a fresh parameter randomly selected by the AMF, the service network identifier, etc.
- the fresh parameter randomly selected by the AMF may be, for example, a nonce (number used once) or another random value that is used only once.
- the service network identifier is the service network where the AMF is located.
- the first matching group includes the CAG ID that the UE requests to access.
- the rejection indication information is used to indicate the reason for the registration rejection, for example, the identity verification of the CAG to which the UE requests access fails, or the registration request of the UE is rejected.
- the reason for registration rejection can also be other verification failures, authentication failures, etc.
- step 902 the AMF network element sends a registration rejection message to the UE.
- the registration rejection message includes the MAC.
- the registration rejection message may also include rejection indication information.
- the registration rejection message may also include ngKSI, which is used to indicate KAMF.
- the registration rejection message may also include at least one of the multiple input parameters of the message verification code function except KAMF.
- the registration rejection message may include at least one of the following parameters: NAS uplink counter, NAS downlink counter, first matching group, anti-bidding down between architectures (ABBA), AMF ID, AMF Set ID (AMF set ID), SUCI, SUPI, fresh parameters randomly selected by AMF, service network ID, etc.
- the first matching group is determined by the UE according to the CAG ID list 1 configured for the UE and the CAG ID list 2 supported by the access network device.
- the first matching group includes the same CAG IDs in the list 1 and the list 2.
- the AMF network element may also send the input parameters of the message verification code function to the UE through other messages. For example, in the identity authentication process, the AMF network element sends ngKSI to the UE.
- the UE may also store the input parameters of the message verification code function. After determining the first matching group, the UE saves the first matching group. The UE may also store SUCI, SUPI, etc. AMF can send the UE unsaved parameters among the input parameters of the message verification code function.
- the UE verifies the MAC.
- the UE calculates the MAC according to the message verification code function and the input parameters of the message verification code function.
- the UE determines whether the verification is passed according to the calculated MAC and the MAC in the registration rejection message.
- the UE determines that the calculated MAC is the same as the MAC in the registration rejection message, and the verification passes.
- the UE may delete the first matching group from the CAG ID list 1 configured for the UE.
- the UE determines that the calculated MAC is different from the MAC in the registration rejection message, and the verification fails.
- the UE determines that the registration rejection message is a forged message.
- the AMF network element sends the MAC, and the UE can determine the authenticity of the registration rejection message through the MAC, preventing an attacker from modifying and forging the registration rejection message.
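The procedure described above (the UE matching List 1 against List 2, the AMF matching the result against List 2 and List 3 to obtain the second matching group, and the MAC-protected registration rejection of steps 901-902 with the UE's verification), as an added example in Go; it is not code from the patent or its applicant. Assumptions the page does not fix: HMAC-SHA-256 keyed with KAMF stands in for the "message verification code function"; the rejection indication is encoded as the byte 1; the MAC covers the rejection indication, the NAS downlink counter and the first matching group, while ngKSI, ABBA, AMF ID, nonce and service network identifier are left out and would be appended in `macInput` the same way; the byte encoding is the example's own. The UE recomputes the MAC over the first matching group it stored itself, so a rejection cannot make it delete CAG IDs it never requested, and it tracks the NAS downlink counter so that a captured genuine rejection cannot be replayed. KAMF and the CAG IDs are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// filter returns the IDs of a present in b (keep=true, the page's "matching") or absent from b (keep=false).
func filter(a, b []uint32, keep bool) (out []uint32) {
	inB := map[uint32]bool{}
	for _, id := range b {
		inB[id] = true
	}
	for _, id := range a {
		if inB[id] == keep {
			out = append(out, id)
		}
	}
	return out
}

const causeCAGVerificationFailed byte = 1 // assumed encoding of the rejection indication

// Rejection is the registration rejection message; ngKSI, ABBA, AMF ID, nonce and service network identifier are omitted and would be appended in macInput the same way.
type Rejection struct {
	Cause     byte
	DLCount   uint32   // NAS downlink counter
	Requested []uint32 // first matching group (CAG IDs)
	MAC       []byte
}

// macInput serialises the authenticated fields (16-bit count before the CAG IDs) so that two parameter sets never yield the same byte string.
func macInput(r *Rejection) []byte {
	b := []byte{r.Cause, byte(r.DLCount >> 24), byte(r.DLCount >> 16), byte(r.DLCount >> 8), byte(r.DLCount)}
	b = append(b, byte(len(r.Requested)>>8), byte(len(r.Requested)))
	for _, id := range r.Requested {
		b = append(b, byte(id>>24), byte(id>>16), byte(id>>8), byte(id))
	}
	return b
}

// computeMAC is this example's "message verification code function": HMAC-SHA-256 keyed with KAMF.
func computeMAC(kAMF []byte, r *Rejection) []byte {
	m := hmac.New(sha256.New, kAMF)
	m.Write(macInput(r))
	return m.Sum(nil)
}

// AMF holds, for one UE, KAMF, List 2 (from the access network device) and List 3 (from the UDM).
type AMF struct {
	KAMF         []byte
	List2, List3 []uint32
	DLCount      uint32
}

// Decide returns the second matching group, or a MAC-protected rejection when it is empty.
func (a *AMF) Decide(first []uint32) ([]uint32, *Rejection) {
	if second := filter(filter(first, a.List2, true), a.List3, true); len(second) > 0 {
		return second, nil
	}
	r := &Rejection{Cause: causeCAGVerificationFailed, DLCount: a.DLCount, Requested: first}
	r.MAC = computeMAC(a.KAMF, r)
	a.DLCount++
	return nil, r
}

// UE keeps List 1, the first matching group it sent, and the next NAS downlink counter it accepts.
type UE struct {
	KAMF              []byte
	List1, FirstGroup []uint32
	NextDL            uint32
}

// HandleRejection recomputes the MAC over the first matching group the UE stored itself plus the
// message's other fields; List 1 is pruned only on a match, a forged, tampered or replayed rejection is dropped.
func (u *UE) HandleRejection(r *Rejection) bool {
	if r.DLCount < u.NextDL {
		return false
	}
	exp := *r
	exp.Requested = u.FirstGroup
	if !hmac.Equal(computeMAC(u.KAMF, &exp), r.MAC) {
		return false
	}
	u.NextDL = r.DLCount + 1
	u.List1 = filter(u.List1, u.FirstGroup, false)
	return true
}

func main() {
	kAMF := []byte("constructed KAMF shared after primary authentication")
	amf := &AMF{KAMF: kAMF, List2: []uint32{10, 20, 30}, List3: []uint32{40, 50}}
	ue := &UE{KAMF: kAMF, List1: []uint32{10, 20, 40, 99}}
	ue.FirstGroup = filter(ue.List1, amf.List2, true) // UE side: List 1 against the broadcast List 2
	_, rej := amf.Decide(ue.FirstGroup)              // AMF side: neither 10 nor 20 is in List 3
	forged := Rejection{Cause: rej.Cause, DLCount: rej.DLCount, Requested: rej.Requested, MAC: make([]byte, 32)}
	fmt.Println("forged accepted:", ue.HandleRejection(&forged), "List 1:", ue.List1)
	fmt.Println("genuine accepted:", ue.HandleRejection(rej), "List 1:", ue.List1)
	fmt.Println("replay accepted:", ue.HandleRejection(rej), "List 1:", ue.List1)
}
```

Running the program shows the forged rejection and the replay being dropped with List 1 unchanged, and only the genuine rejection pruning 10 and 20. The counter is what provides freshness here: a nonce chosen by the AMF alone, which the page also lists as an input, authenticates the message but does not stop the same message from being replayed unless the UE remembers which nonces it has already seen.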
- FIG. 12 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- as described for FIG. 11, when the UE accesses a CAG and receives a registration rejection message, it deletes the CAG IDs of the first matching group from List 1; an attacker able to forge registration rejection messages could therefore empty List 1 with several forged messages, after which the UE can no longer use the CAG service.
- the AMF/UDM network element determines that the verification fails, and steps 1001-1003 are performed.
- step 1001 the AMF/UDM network element calculates a digital signature.
- step 1002 the AMF/UDM network element sends the digital signature to the UE.
- if the UDM verification fails, the digital signature can be calculated based on the private key of the home network and the rejection indication information.
- for the verification performed by the UDM, see Figure 9.
- UDM calculates the digital signature according to the digital signature function.
- the input parameters of the digital signature function include the home network private key.
- the input parameters of the digital signature function can also include at least one of the following parameters, the first matching group, SUCI, SUPI, fresh parameters randomly selected by UDM (nonce, random number, etc.), and service network identification (the service network where the AMF is located), Home network identification and rejection indication information.
- the first matching group includes the CAG ID that the UE requests to access.
- the rejection indication information is used to indicate the reason for the registration rejection, for example, that the verification of the CAG the UE requests to access fails, or that authentication fails.
- the UDM network element sends a digital signature to the UE.
- the digital signature can be forwarded by the AMF network element and/or the AUSF network element, etc.
- the UDM network element may send rejection indication information to the AMF network element to indicate that the verification fails.
- the AMF sends a registration rejection message to the UE, which carries the digital signature sent by the UDM.
- the UE receives the registration rejection message.
- the UE can verify the digital signature according to the rejection indication information corresponding to the possible rejection reasons, that is, verify the correctness of the digital signature.
- the UE may verify the digital signature according to the received rejection indication information.
- the UDM network element may also send a key identifier for signing to the UE through AMF and/or AUSF.
- the UDM network element may also send a public key identifier, so that the UE can determine the public key used for digital signature calculation according to the public key identifier.
- the UDM network element may also send an algorithm indication, and the UE may determine the algorithm used for digital signature calculation according to the algorithm indication.
- the parameters sent by the UDM network element may also include at least one of the following parameters: SUCI, SUPI, fresh parameters randomly selected by UDM (nonce, random number, etc.), service network identification (the service network where the AMF is located), Home network identification and rejection indication information, etc.
- the UDM and/or AMF network element can also send the parameters the UE has not saved, so that the UE can correctly verify the digital signature.
- alternatively, a digital signature can be calculated over the rejection indication information based on the AMF's private key.
- the AMF network element performs verification, see Figure 2, Figure 8, Figure 10. If the AMF verification fails, the AMF can calculate the digital signature based on the AMF's private key and rejection indication information.
- the AMF calculates the digital signature according to the digital signature function.
- the input parameters of the digital signature function include the private key saved by the AMF.
- the input parameters of the digital signature function can also include at least one of the following parameters, the first matching group, SUCI, SUPI, AMF randomly selected fresh parameters (nonce, random number, etc.), service network identification (the service network where the AMF is located), AMF public key identification and rejection instructions;
- step 1002 the AMF network element sends a registration rejection message to the UE.
- the registration rejection message includes a digital signature.
- the registration rejection message may also include rejection indication information.
- the registration rejection message may also include a key identifier for calculating the digital signature, and the UE can determine the AMF public key corresponding to the key identifier according to the key identifier, thereby verifying the digital signature.
- the registration rejection message may also include at least one of the multiple input parameters of the digital signature function except the AMF public key.
- the registration rejection message may include at least one of the following parameters: the first matching group, SUCI, SUPI, UDM randomly selected freshness parameters (nonce, random number, etc.), AMF randomly selected freshness parameters (nonce, random number, etc.) , The service network identifier (the service network where the AMF is located), the AMF public key identifier and rejection indication information.
- step 1003 the UE verifies the correctness of the digital signature.
- the UE receives the digital signature.
- the UE verifies the digital signature. If the verification passes, it is determined that the UE is not allowed to access the CAG corresponding to the CAG ID in the first matching group.
- the UE stores the public key of the home network. There is no restriction on the specific way of obtaining the home network public key.
- the UE can delete the first matching group from the CAG ID list 1 configured for the UE.
- if the verification fails, the UE determines that the registration rejection message is a forged message.
- the AMF/UDM network element sends a digital signature, and the UE can determine the authenticity of the registration rejection message through the digital signature, prevent attackers from modifying and forging the registration rejection message, and complete the protection of the rejection indication information.
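The digital signature variant described above (steps 1001-1003, with the UDM as signer), as an added example in Go; it is not code from the patent or its applicant. Assumptions the page does not fix: Ed25519 from Go's crypto/ed25519 is the signature function; the rejection indication values 1 and 2 and the byte encoding of the signed parameters are the example's own; the signed parameters are the rejection indication, the key identifier, the first matching group and the SUPI, while the UDM nonce and the service and home network identifiers would be appended in `signedData` the same way; the UE's home network public keys are already provisioned and indexed by key identifier, since the page leaves the provisioning method open. The block also covers the case in which the rejection indication is not carried and the UE recovers it by verifying against each possible reason, as the page describes. Key material, SUPI and CAG IDs are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Assumed encodings of the rejection indication; the page fixes no values.
const (
	causeCAGVerificationFailed byte = 1
	causeAuthenticationFailed  byte = 2
)

// SignedRejection is the signed part of the registration rejection message as forwarded by the AMF.
type SignedRejection struct {
	KeyID     byte     // selects the home network public key
	Cause     *byte    // nil when the rejection indication is not carried
	Requested []uint32 // first matching group (CAG IDs)
	SUPI      string
	Signature []byte
}

// signedData builds the byte string the signature covers; variable-length fields carry a
// 16-bit length prefix so that different parameter sets cannot collide.
func signedData(cause byte, r *SignedRejection) []byte {
	put := func(b, f []byte) []byte { return append(append(b, byte(len(f)>>8), byte(len(f))), f...) }
	var ids []byte
	for _, id := range r.Requested {
		ids = append(ids, byte(id>>24), byte(id>>16), byte(id>>8), byte(id))
	}
	return put(put([]byte{cause, r.KeyID}, ids), []byte(r.SUPI))
}

// rejectSigned is the UDM side: it signs the rejection for cause with the home network private
// key; with carryCause=false the cause is not sent and the UE has to recover it by trial.
func rejectSigned(priv ed25519.PrivateKey, keyID, cause byte, carryCause bool, requested []uint32, supi string) *SignedRejection {
	r := &SignedRejection{KeyID: keyID, Requested: requested, SUPI: supi}
	if carryCause {
		r.Cause = &cause
	}
	r.Signature = ed25519.Sign(priv, signedData(cause, r))
	return r
}

// UE keeps List 1, the first matching group it actually sent, its SUPI and the provisioned
// home network public keys indexed by key identifier.
type UE struct {
	List1, FirstGroup []uint32
	SUPI              string
	HomePub           map[byte]ed25519.PublicKey
}

// HandleRejection verifies the signature under the key named by KeyID over the UE's own stored
// first matching group and SUPI, trying every known cause when none is carried. It reports
// whether the rejection is genuine plus the recovered cause; List 1 is pruned only for a
// genuine CAG verification failure, never for a forged or mis-addressed message.
func (u *UE) HandleRejection(r *SignedRejection) (bool, byte) {
	pub, ok := u.HomePub[r.KeyID]
	candidates := []byte{causeCAGVerificationFailed, causeAuthenticationFailed}
	if r.Cause != nil {
		candidates = []byte{*r.Cause}
	}
	check := *r
	check.Requested, check.SUPI = u.FirstGroup, u.SUPI
	for _, c := range candidates {
		if ok && ed25519.Verify(pub, signedData(c, &check), r.Signature) {
			if c == causeCAGVerificationFailed {
				u.List1 = prune(u.List1, u.FirstGroup)
			}
			return true, c
		}
	}
	return false, 0
}

// prune deletes the IDs of del from list (the UE removing the first matching group from List 1).
func prune(list, del []uint32) (out []uint32) {
	drop := map[uint32]bool{}
	for _, id := range del {
		drop[id] = true
	}
	for _, id := range list {
		if !drop[id] {
			out = append(out, id)
		}
	}
	return out
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed home network key pair, identifier 1
	_, evil, _ := ed25519.GenerateKey(rand.Reader)   // an attacker's own key pair
	ue := &UE{List1: []uint32{10, 20, 40}, FirstGroup: []uint32{10, 20}, SUPI: "imsi-001010123456789",
		HomePub: map[byte]ed25519.PublicKey{1: pub}}
	ok, _ := ue.HandleRejection(rejectSigned(evil, 1, causeCAGVerificationFailed, true, ue.FirstGroup, ue.SUPI))
	fmt.Println("attacker-signed accepted:", ok, "List 1:", ue.List1)
	ok, cause := ue.HandleRejection(rejectSigned(priv, 1, causeCAGVerificationFailed, false, ue.FirstGroup, ue.SUPI))
	fmt.Println("genuine accepted:", ok, "cause:", cause, "List 1:", ue.List1)
}
```

The UE verifies over its own stored first matching group and SUPI, so a captured signature can neither be redirected to another subscriber nor made to delete a different group, and the signature only establishes that the message is genuine: which action follows (pruning List 1 or not) depends on the recovered cause. Without a freshness parameter that the UE contributes or remembers, a genuine rejection can still be replayed later; the counter check of the MAC variant is one way to close that gap.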
- FIG. 13 is a schematic structural diagram of a user equipment provided by an embodiment of the present application.
- the user equipment 1300 includes an encryption module 1310 and a transceiver module 1320.
- the encryption module 1310 is configured to encrypt the first group list using the non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including identifiers of one or more groups that the UE requests to access.
- the transceiver module 1320 is configured to send the encrypted first group list.
- the transceiver module 1320 is configured to send the encrypted first group list to the first network device through the NAS security mode SM completion message.
- the transceiver module 1320 is configured to send the encrypted first group list through the uplink NAS message protected by the NAS security context.
- the transceiver module 1320 is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code.
- the user equipment 1300 further includes a verification module configured to verify the registration rejection message according to the message verification code.
- FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of the present application.
- the network device 1400 includes: a transceiver module 1410, a decryption module 1420, and a determination module 1430.
- the transceiver module 1410 is configured to receive an encrypted first group list sent by the user equipment UE, where the first group list includes identifiers of one or more groups that the UE requests to access.
- the decryption module 1420 is configured to decrypt the encrypted first group list to obtain the first group list (the first closed access group identifier list).
- the determining module 1430 is configured to determine the subscription group list stored by the UDM network element.
- the determining module 1430 is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifier of the group that the UE is allowed to access.
- the transceiver module 1410 is further configured to, when there is a second group list, the first network device sends the second group list to the access network device.
- the transceiver module 1410 is configured to receive the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message.
- the network device 1400 further includes a calculation module configured to, when the second group list does not exist, calculate the message verification code according to the shared key between the UE and the first network device.
- the transceiver module 1410 is further configured to send a registration rejection message to the access network device, and the message verification code is used for the UE to verify the registration rejection message.
- the transceiver module 1410 is further configured to receive a third group list sent by the access network device, where the third group list includes the identities of the groups supported by the access network device.
- the determining module 1430 is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
- FIG. 15 is a schematic structural diagram of an access network device provided by an embodiment of the present application.
- the access network device 1500 includes: a transceiver module 1510 and a generating module 1520.
- the transceiver module 1510 is configured to receive the encrypted first group list sent by the user equipment UE, the first group list including identifiers of one or more groups that the UE requests to access.
- the transceiver module 1510 is also configured to send the encrypted first group list.
- the transceiver module 1510 is further configured to receive a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access.
- the generating module 1520 is configured to generate the quality of service QoS information of one or more groups according to the identities of one or more groups.
- the transceiver module 1510 is further configured to send quality of service QoS information to the UE.
- FIG. 16 is a schematic structural diagram of a network device provided by an embodiment of the present application.
- the network device 1600 is characterized in that it includes a processor 1610 and a communication interface 1620.
- the communication interface 1620 is configured to receive an encrypted first group list sent by the user equipment UE, where the first group list includes the identities of one or more groups that the UE requests to access.
- the processor 1610 is configured to decrypt the encrypted first group list to obtain the first closed access service identification group.
- the processor 1610 is further configured to determine the subscription group list stored by the UDM network element.
- the processor 1610 is further configured to determine a second group list according to the first group list and the subscription group list, where the second group list includes the identifier of the group that the UE is allowed to access.
- the communication interface 1620 is configured to send the second group list to the access network device when the second group list exists.
- the communication interface 1620 is configured to receive the encrypted first group list sent by the UE through the non-access stratum NAS security mode SM completion message.
- the processor 1610 is further configured to, when there is no second group list, calculate the message verification code according to the shared key between the UE and the first network device.
- the communication interface 1620 is also used to send a registration rejection message to the access network device, and the message verification code is used for the UE to verify the registration rejection message.
- the communication interface 1620 is further configured to receive a third group list sent by the access network device, where the third group list includes the identifier of the group supported by the access network device.
- the processor 1610 is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
- FIG. 17 is a schematic structural diagram of a user equipment provided by an embodiment of the present application.
- the user equipment 1700 includes: a processor 1710 and a communication interface 1720;
- the processor 1710 is configured to encrypt the first group list using the non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including identifiers of one or more groups that the UE requests to access;
- the communication interface 1720 is used to send the encrypted first group list.
- the communication interface 1720 is configured to send the encrypted first group list to the first network device through the NAS security mode SM completion message.
- the communication interface 1720 is configured to send the encrypted first group list through the uplink NAS message protected by the NAS security context.
- the communication interface 1720 is further configured to receive a registration rejection message sent by the first network device, where the registration rejection message includes a message verification code.
- the processor 1710 is further configured to verify the registration rejection message according to the message verification code.
- FIG. 18 is a schematic structural diagram of an access network device provided by an embodiment of the present application.
- the access network device 1800 includes a communication interface 1810.
- the communication interface 1810 is configured to receive the encrypted first group list sent by the user equipment UE, the first group list including identifiers of one or more groups that the UE requests to access;
- the communication interface 1810 is also used to send the encrypted first group list;
- the communication interface 1810 is further configured to receive a second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access;
- the communication interface 1810 is further configured to send the quality of service QoS information of the one or more groups to the UE.
- the access network device 1800 includes a processor configured to generate the quality of service QoS information of the one or more groups according to the second group list.
- an embodiment of the present application provides a computer program storage medium holding program instructions; when the program instructions are executed, the functions of any one of the first network device, the access network device and the user equipment in the above method are realized.
- an embodiment of the present application provides a chip that includes at least one processor; when program instructions are executed by the at least one processor, the functions of any one of the first network device, the access network device and the user equipment in the above method are realized.
- An embodiment of the present application provides a communication system, including the above-mentioned first network device, user equipment, and access network device.
- the disclosed system, device, and method may be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division; there may be other divisions in actual implementation, for example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not implemented.
- the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
- each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
- if the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
- the technical solution of this application, in essence or in the part that contributes to the existing technology or in part, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present application.
- the aforementioned storage media include: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk and other media that can store program code.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Multimedia (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention relates to a communication method comprising the following steps: a first network device receives an encrypted first group list sent by a user equipment (UE), the first group list containing the identifiers of one or more groups that the UE requests to access; the first network device decrypts the encrypted first group list so as to obtain the first group list (the closed access group identifiers); the first network device determines a subscription group list stored by the unified data management (UDM); the first network device determines a second group list according to the first group list and the subscription group list, the second group list containing an identifier of a group that the UE is allowed to access; and, once the second group list has been determined, the first network device sends it to the access network device.
The first network device receives, from the UE, the list of groups that the UE requests to access in encrypted form and decrypts it, which avoids data leakage and protects the privacy of the UE.
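The exchange described in the abstract, as an added example in Python; this is not code from the patent or its assignee. The patent does not specify the encryption mode, so the cipher here is an illustrative encrypt-then-MAC construction built from HMAC-SHA256 (a real UE would use its NAS security context or a standard AEAD). The shared key, the subscriber identifier, the CAG identifiers and the UDM subscription table are constructed for the example, and the decision to forward nothing to the access network device when the intersection is empty is an assumption, not something the abstract states.

```python
import hashlib
import hmac
import json
import os
from typing import Iterable, List, Optional

# Constructed for this example: long-term key shared by the UE and the first
# network device (hypothetical; the patent does not say how this key is derived).
UE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Constructed for this example: subscription data as the UDM would hold it,
# keyed by subscriber identifier (hypothetical values).
UDM_SUBSCRIPTIONS = {
    "imsi-460001234567890": {"cag-0001", "cag-0002", "cag-0007"},
}

NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(key: bytes):
    """Derive separate encryption and MAC keys from the shared key."""
    enc_key = hashlib.sha256(b"group-list-enc" + key).digest()
    mac_key = hashlib.sha256(b"group-list-mac" + key).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; illustrative only, not a standardised cipher."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def ue_protect_group_list(key: bytes, requested_groups: Iterable[str],
                          nonce: Optional[bytes] = None) -> bytes:
    """UE side: serialise the first group list, encrypt it, then MAC nonce||ciphertext."""
    enc_key, mac_key = _derive_keys(key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    plaintext = json.dumps(sorted(set(requested_groups))).encode()
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def network_unprotect_group_list(key: bytes, message: bytes) -> List[str]:
    """First network device side: verify the tag before decrypting; reject anything malformed."""
    enc_key, mac_key = _derive_keys(key)
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("encrypted group list too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:len(message) - TAG_LEN]
    tag = message[len(message) - TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("group list integrity check failed")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, ks))
    groups = json.loads(plaintext.decode())
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("decrypted group list is malformed")
    return groups


def determine_second_group_list(first_group_list: Iterable[str],
                                subscription_group_list: Iterable[str]) -> List[str]:
    """Second group list: identifiers the UE requested AND is subscribed to."""
    return sorted(set(first_group_list) & set(subscription_group_list))


def handle_registration(supi: str, encrypted_first_list: bytes) -> Optional[List[str]]:
    """Return what the first network device forwards to the access network device,
    or None when no requested group is allowed (assumption: nothing is sent then)."""
    first_list = network_unprotect_group_list(UE_KEY, encrypted_first_list)
    subscription_list = UDM_SUBSCRIPTIONS.get(supi, set())
    second_list = determine_second_group_list(first_list, subscription_list)
    return second_list if second_list else None


if __name__ == "__main__":
    msg = ue_protect_group_list(UE_KEY, ["cag-0009", "cag-0002", "cag-0001"])
    print("forwarded to access network:", handle_registration("imsi-460001234567890", msg))
```

Two properties worth checking in any real implementation of this scheme: the tag is verified before decryption, so a tampered or truncated list is rejected rather than partially parsed, and the access network device only ever receives identifiers present in both lists, so a group the UE requested but is not subscribed to never reaches the access network. The fresh nonce per message keeps two registrations carrying the same requested list from producing identical ciphertexts.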
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910511766.9 | 2019-06-13 | ||
CN201910511766.9A CN112087724A (zh) | 2019-06-13 | 2019-06-13 | Communication method, network device, user equipment and access network device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020248624A1 true WO2020248624A1 (fr) | 2020-12-17 |
Family
ID=73733715
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/076975 WO2020248624A1 (fr) | 2019-06-13 | 2020-02-27 | Communication method, network device, user equipment and access network device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN112087724A (fr) |
WO (1) | WO2020248624A1 (fr) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116746182A (zh) * | 2021-01-08 | 2023-09-12 | 华为技术有限公司 | Secure communication method and device |
CN114980076A (zh) * | 2021-02-20 | 2022-08-30 | 华为技术有限公司 | Method for protecting identity privacy, and communication apparatus |
WO2022193220A1 (fr) * | 2021-03-18 | 2022-09-22 | Zte Corporation | Method, device and system for core network device reassignment in a wireless network |
CN115314841B (zh) * | 2021-05-06 | 2024-07-30 | 华为技术有限公司 | Communication method and communication apparatus |
CN115811728A (zh) * | 2021-09-14 | 2023-03-17 | 华为技术有限公司 | Network element selection method, communication apparatus and communication system |
CN114785544B (zh) * | 2022-03-12 | 2024-07-02 | 海南电网有限责任公司 | Method for improving secure access from a management-plane system to a service-plane system in a network system |
CN117061141A (zh) * | 2022-05-07 | 2023-11-14 | 维沃移动通信有限公司 | Privacy-protecting information processing method, apparatus and communication device |
CN117221884B (zh) * | 2023-11-08 | 2024-02-23 | 深圳简谱技术有限公司 | Base station system information management method and system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008152611A1 (fr) * | 2007-06-15 | 2008-12-18 | Nokia Corporation | Device, method and computer program product producing a transparent container |
CN101945390A (zh) * | 2009-07-08 | 2011-01-12 | 华为技术有限公司 | Admission control method and apparatus |
CN104469977A (zh) * | 2014-09-10 | 2015-03-25 | 北京佰才邦技术有限公司 | Mobile communication method, apparatus and system |
CN109716809A (zh) * | 2016-09-23 | 2019-05-03 | 高通股份有限公司 | Access stratum security for efficient packet processing |
CN110536293A (zh) * | 2019-08-15 | 2019-12-03 | 中兴通讯股份有限公司 | Method, apparatus and system for accessing a closed access group |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8072953B2 (en) * | 2007-04-24 | 2011-12-06 | Interdigital Technology Corporation | Wireless communication method and apparatus for performing home Node-B identification and access restriction |
US8082000B2 (en) * | 2009-05-12 | 2011-12-20 | Motorola Mobility, Inc. | Method of selecting a private cell for providing communication to a communication device and a communication device |
CN102045648A (zh) * | 2009-10-15 | 2011-05-04 | 中兴通讯股份有限公司 | Method, apparatus and system for sending a closed subscriber group whitelist |
CN102056109A (zh) * | 2010-12-28 | 2011-05-11 | 北京握奇数据系统有限公司 | Method for group sending and group replying of short messages, and telecom smart card |
US9986420B2 (en) * | 2014-07-08 | 2018-05-29 | Alcatel-Lucent Usa Inc. | Validating cell access mode |
CN109788474A (zh) * | 2017-11-14 | 2019-05-21 | 华为技术有限公司 | Message protection method and apparatus |
- 2019
  - 2019-06-13 CN CN201910511766.9A patent/CN112087724A/zh active Pending
- 2020
  - 2020-02-27 WO PCT/CN2020/076975 patent/WO2020248624A1/fr active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN112087724A (zh) | 2020-12-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2020248624A1 (fr) | Communication method, network device, user equipment and access network device | |
CN110830991B (zh) | Secure session method and apparatus | |
US11057775B2 (en) | Key configuration method, security policy determining method, and apparatus | |
US11856402B2 (en) | Identity-based message integrity protection and verification for wireless communication | |
US10455414B2 (en) | User-plane security for next generation cellular networks | |
US10694376B2 (en) | Network authentication method, network device, terminal device, and storage medium | |
CN107018676B (zh) | Mutual authentication between user equipment and evolved packet core | |
US9240881B2 (en) | Secure communications for computing devices utilizing proximity services | |
KR101508576B1 (ko) | Home Node-B device and security protocol | |
RU2708951C2 (ru) | Method and apparatus for binding subscriber authentication and device authentication in communication systems | |
WO2019062996A1 (fr) | Security protection method, apparatus and system | |
JP5480890B2 (ja) | Control signal encryption method | |
JP2022502908A (ja) | System and method for security protection of NAS messages | |
JP2023539174A (ja) | Privacy of relay selection in a sliced cellular network | |
US20200228977A1 (en) | Parameter Protection Method And Device, And System | |
US10027636B2 (en) | Data transmission method, apparatus, and system | |
US11082843B2 (en) | Communication method and communications apparatus | |
WO2012083873A1 (fr) | Key generation method, apparatus and system | |
WO2022134089A1 (fr) | Method and apparatus for generating a security context, and computer-readable storage medium | |
WO2022228455A1 (fr) | Communication method and related apparatus | |
WO2020147602A1 (fr) | Authentication method, apparatus and system | |
Rani et al. | Study on threats and improvements in LTE Authentication and Key Agreement Protocol | |
CN116325840A (zh) | Key derivation method, apparatus and system | |
KR20100053407A (ko) | Security information sharing method | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20822940; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20822940; Country of ref document: EP; Kind code of ref document: A1 |