WO2021008466A1 - A communication method and device - Google Patents
- Publication number: WO2021008466A1 (PCT application PCT/CN2020/101454)
- Authority: WO, WIPO (PCT)
- Prior art keywords: terminal device; identity; proxy function; permanent; network
Classifications
- H04W8/22: Processing or transfer of terminal data, e.g. status or physical capabilities (under H04W8/00 Network data management; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
- H04L67/56: Provisioning of proxy services (under H04L67/50 Network services; H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L Transmission of digital information, e.g. telegraphic communication)
- H04W12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII] (under H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
- H04W12/06: Authentication (under H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
- H04W60/00: Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration (under H04W Wireless communication networks)
Definitions
- the embodiments of the present application relate to the field of communication technologies, and in particular, to a communication method and device.
- the mobile communication network will serve not only individual consumers but, more importantly, vertical industries such as electric power, intelligent transportation, and factory parks.
- the construction and management of the network may have to rely on the operator, while for vertical industries the user subscription data (such as the permanent identity of the terminal device) is private data that needs to be managed and protected by the industry network.
- the permanent identity of the terminal device is visible in both the operator network and the vertical industry network, which cannot meet the industry's privacy protection needs.
- the embodiments of the present application provide a communication method and device to solve the problem that the existing deployment method cannot meet the privacy protection requirements of the industry.
- an embodiment of the present application provides a communication method, which includes: in the registration process of the first terminal device, the proxy function receives the permanent identity of the first terminal device that the security anchor function SEAF sends towards the access and mobility management function AMF; the SEAF and the proxy function are located in the vertical industry network, and the AMF is located in the operator network; the proxy function obfuscates the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; the proxy function sends the first temporary identity of the first terminal device to the AMF, and the first temporary identity is used by the network elements included in the operator network as the permanent identity of the first terminal device.
- the network elements included in the operator network include AMF, and, for example, SMF, UPF, PCF, etc. may also be included.
- AMF access and mobility management function
- the operator network and the vertical industry network are separated by the proxy function, and the permanent identity of the first terminal device is obfuscated by the proxy function, so that the temporary identity of the first terminal device obtained by the obfuscation processing is used in the operator network as the permanent identity of the first terminal device, thereby improving the security of the permanent identity.
- the method further includes: the proxy function receives a first message from a network element of the operator network, the first message carrying the first temporary identity of the first terminal device, where the network element of the operator network is the AMF or the session management function SMF; the proxy function converts the first temporary identity to obtain the permanent identity of the first terminal device; the proxy function forwards the first message, now carrying the permanent identity of the first terminal device, to a network element of the industry management network, where the network element of the industry management network is the SEAF, the authentication server function AUSF, or the unified data management function UDM.
- the proxy function converts the first temporary identity to obtain the permanent identity of the first terminal device; specifically, it may de-obfuscate the first temporary identity to obtain the permanent identity of the first terminal device, or the proxy function may store the correspondence between the first temporary identity and the permanent identity and convert the first temporary identity to the permanent identity according to that correspondence.
- the first message may be a service request message sent by a network element in the operator network to a network element in the industry management network, for example a service request message initiated by the AMF or SMF to the AUSF, UDM, or SEAF in the industry management network; the first message may also be a response message sent by a network element in the operator network to a network element in the industry management network, the response message responding to a service request from a network element of the industry management network (such as the AUSF, UDM, or SEAF), and the requested service may be a session establishment request, a session modification request, or a session deletion request.
- the proxy function converts the temporary identity in service messages coming from the operator network into the permanent identity, so that the temporary identity is used only within the operator network, which improves the security of the permanent identity without changing the existing procedures.
- the proxy function receives a second message from a network element of the industry management network (such as the AUSF, UDM, or SEAF), and the second message carries the permanent identity of the first terminal device.
- the proxy function obfuscates the permanent identity of the first terminal device in the second message to obtain the first temporary identity of the first terminal device, and forwards the second message, now carrying the first temporary identity of the first terminal device, to the AMF or the SMF.
- the permanent identity of the first terminal device is obfuscated by the proxy function, so that the network element in the operator network uses the temporary identity of the first terminal device obtained by the obfuscation processing as the permanent identity of the first terminal device, thereby improving the security of the permanent identity.
- the second message may be a service request message sent by a network element in the industry management network to a network element of the operator network, for example a request message initiated by the AUSF, UDM, or SEAF to the AMF or SMF; the second message may also be a response message or a notification message sent by a network element in the industry management network to a network element of the operator network.
- the response message is a message responding to a service request from the operator network.
- the notification message may be an event notification triggered by an event that a network element of the operator network subscribed to in advance at a network element of the industry management network, such as the UDM.
- the proxy function obfuscating the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device includes: obfuscating the mobile subscriber identification number MSIN in the permanent identity to obtain the first temporary identity of the first terminal device, where the first temporary identity of the first terminal device includes the obfuscated MSIN.
- the proxy function obfuscates the SUPI of the first terminal device
- the MCC and MNC in the SUPI remain unchanged and only the MSIN in the SUPI is obfuscated, so that the temporary identity obtained by the obfuscation processing includes the obfuscated MSIN. Therefore, when a network element of the operator network uses the temporary identity it can still select the network or address according to the MCC and MNC, and the obfuscation processing method provided in the embodiment of the present application does not affect the existing processing flow.
- the proxy function obfuscates the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device.
- the following obfuscation processing methods may be used, among others:
- the first obfuscation processing method: the proxy function cyclically shifts the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device;
- the second obfuscation processing method: the proxy function exchanges at least two parts of the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; or
- the third obfuscation processing method: the proxy function encrypts the MSIN in the permanent identity of the first terminal device with a first key to obtain the first temporary identity of the first terminal device.
- when the proxy function obfuscates the permanent identity to obtain the first temporary identity of the first terminal device, it uses a pre-configured first obfuscation processing method to obfuscate the permanent identity and obtain the first temporary identity of the first terminal device; when the proxy function determines that the first obfuscation processing method has been used as the method for obfuscating the permanent identity of the first terminal device for a first preset duration, the proxy function uses a pre-configured second obfuscation processing method to obfuscate the permanent identity to obtain the second temporary identity of the first terminal device, and then sends a first update message to the AMF, the first update message carrying the second temporary identity of the first terminal device and instructing the AMF to update the first temporary identity of the first terminal device, used as the permanent identity of the first terminal device, to the second temporary identity of the first terminal device.
- other relevant network elements such as SMF, UPF, etc.
- the first obfuscation processing method and the second obfuscation processing method can be different types among the first to third obfuscation processing methods, or different methods of the same type, for example both are the first obfuscation processing method but with different numbers of bits of cyclic shift.
- the proxy function obfuscating the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device includes: the proxy function uses a third obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; wherein the third obfuscation processing method is the method used, within a second preset time period, to obfuscate the permanent identity of any terminal device included in the first terminal device group, and the first terminal device group includes the first terminal device.
- the third obfuscation processing method and the fourth obfuscation processing method can be different types among the first to third obfuscation processing methods, or different methods of the same type, for example both are the first obfuscation processing method but with different numbers of bits of cyclic shift.
- the proxy function is specifically configured to use a third obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device;
- the third obfuscation processing method is a method used to obfuscate the permanent identity of any terminal device included in the first terminal device group, and the first terminal device group includes the first terminal device;
- the method further includes: the proxy function receives a trigger instruction for updating the obfuscation processing method sent by the management network element, and the proxy function updates the obfuscation processing method used for the permanent identities of the first terminal device group to the pre-configured fourth obfuscation processing method.
- the proxy function uses the fourth obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain the third temporary identity of the first terminal device; the proxy function sends a second update message to the AMF, the second update message carrying the third temporary identity of the first terminal device and instructing the AMF to update the first temporary identity of the first terminal device, used as the permanent identity of the first terminal device, to the third temporary identity of the first terminal device.
- the AMF may also notify other relevant network elements in the operator network, such as the SMF and UPF, of the update.
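The three obfuscation processing methods listed above, the inverse conversion the proxy function applies to messages coming back from the operator network (both the de-obfuscation variant and the stored-correspondence variant), and the update message sent to the AMF when the method is rotated are sketched below in Python. This is an added example for illustration and is not code from the patent or from any implementation of it. It assumes a SUPI in IMSI format with a 3-digit MCC and a 2-digit MNC, a constructed sample SUPI 460001234567890 and a constructed key, and, because the patent does not name a cipher for the third method, uses a simplified HMAC-SHA256 Feistel construction over the decimal digits (labelled as such in the code; it stands in for a standard format-preserving cipher and is not one). Keeping the output decimal and the same length is what lets the MCC and MNC stay unchanged so operator network elements can still route on them. The methods differ in what they rely on: the cyclic shift and the part exchange are inverted by anyone who learns the method and its parameters, which is why the patent pairs them with periodic updates, while the keyed method depends on the first key staying inside the industry network.

```python
"""Added example: proxy-function obfuscation of a SUPI in IMSI format (MCC + MNC + MSIN).
MCC and MNC stay in the clear; only the MSIN is transformed. Sample values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

MCC_LEN = 3
MNC_LEN = 2          # assumption for the constructed sample; 3-digit MNCs also exist
FEISTEL_ROUNDS = 10  # even, so the two halves end up in their original positions


@dataclass(frozen=True)
class Supi:
    mcc: str
    mnc: str
    msin: str

    @classmethod
    def parse(cls, imsi: str) -> "Supi":
        # 7..15 digits so the MSIN has at least 2 digits for the Feistel split
        if not imsi.isdigit() or not 7 <= len(imsi) <= 15:
            raise ValueError("IMSI must be 7 to 15 decimal digits")
        head = MCC_LEN + MNC_LEN
        return cls(imsi[:MCC_LEN], imsi[MCC_LEN:head], imsi[head:])


# Method 1: cyclic shift of the MSIN digits. Anyone who knows the shift can undo it.
def shift_msin(msin: str, shift: int) -> str:
    k = shift % len(msin)
    return msin[k:] + msin[:k]


def unshift_msin(msin: str, shift: int) -> str:
    return shift_msin(msin, -shift)


# Method 2: exchange two parts of the MSIN (the first `head` and the last `tail` digits);
# the digits in between stay where they are.
def swap_parts(msin: str, head: int, tail: int) -> str:
    if head < 1 or tail < 1 or head + tail > len(msin):
        raise ValueError("part lengths must be >= 1 and fit inside the MSIN")
    return msin[-tail:] + msin[head:len(msin) - tail] + msin[:head]


def unswap_parts(msin: str, head: int, tail: int) -> str:
    # After the exchange the old tail sits at the front, so swap back with the lengths exchanged.
    return swap_parts(msin, tail, head)


# Method 3: keyed, digit-preserving encryption of the MSIN. Simplified Feistel network with an
# HMAC-SHA256 round function; an assumption standing in for a real format-preserving cipher.
def _round_value(key: bytes, rnd: int, half: str, width: int) -> int:
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width


def encrypt_msin(msin: str, key: bytes) -> str:
    n = len(msin)
    u, v = n // 2, n - n // 2           # left half u digits, right half v digits
    a, b = msin[:u], msin[u:]
    for i in range(FEISTEL_ROUNDS):
        m = u if i % 2 == 0 else v      # m is always the current length of `a`
        c = (int(a) + _round_value(key, i, b, m)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def decrypt_msin(ct: str, key: bytes) -> str:
    n = len(ct)
    u, v = n // 2, n - n // 2
    a, b = ct[:u], ct[u:]
    for i in reversed(range(FEISTEL_ROUNDS)):
        m = u if i % 2 == 0 else v      # length of `b`, i.e. of the `a` being recovered
        c = (int(b) - _round_value(key, i, a, m)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


class ProxyFunction:
    """Sits between the SEAF (industry network) and the AMF/SMF (operator network)."""

    def __init__(self, key: bytes):
        # name -> (obfuscate, de-obfuscate) over the MSIN; shift/part parameters are constructed
        self.methods = {
            "shift": (lambda m: shift_msin(m, 3), lambda m: unshift_msin(m, 3)),
            "swap": (lambda m: swap_parts(m, 3, 2), lambda m: unswap_parts(m, 3, 2)),
            "encrypt": (lambda m: encrypt_msin(m, key), lambda m: decrypt_msin(m, key)),
        }
        self.correspondence = {}  # temporary identity -> permanent identity

    def obfuscate(self, supi: str, method: str) -> str:
        """SEAF -> AMF direction: replace the SUPI by a temporary identity, MCC+MNC unchanged."""
        s = Supi.parse(supi)
        temp = s.mcc + s.mnc + self.methods[method][0](s.msin)
        self.correspondence[temp] = supi      # stored-correspondence variant of the conversion
        return temp

    def deobfuscate(self, temp: str, method: str) -> str:
        """AMF/SMF -> AUSF/UDM/SEAF direction: recover the SUPI from the temporary identity."""
        if temp in self.correspondence:       # mapping table first, otherwise invert the method
            return self.correspondence[temp]
        s = Supi.parse(temp)
        return s.mcc + s.mnc + self.methods[method][1](s.msin)

    def update_message(self, supi: str, old: str, new: str) -> dict:
        """Update message to the AMF once the preset duration for method `old` has elapsed."""
        return {"replace": self.obfuscate(supi, old), "with": self.obfuscate(supi, new)}


if __name__ == "__main__":
    proxy = ProxyFunction(b"constructed-demo-key")  # constructed key, not a real secret
    supi = "460001234567890"                         # constructed: MCC 460, MNC 00, MSIN 1234567890
    for name in ("shift", "swap", "encrypt"):
        temp = proxy.obfuscate(supi, name)
        print(f"{name:8s} {supi} -> {temp}  (MCC+MNC kept: {temp[:5] == supi[:5]})")
        assert proxy.deobfuscate(temp, name) == supi
    print(proxy.update_message(supi, "shift", "encrypt"))
```

Running the module prints each temporary identity next to the SUPI; all three keep the leading 46000, and a second proxy instance constructed with the same key (and an empty correspondence table) recovers the SUPI from the encrypted form, while one constructed with a different key does not.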
- the embodiments of the present application also provide a communication device, which is applied to the proxy function, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
- the device has the function of implementing the agent function in the method example of the first aspect.
- the function can be realized by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above-mentioned functions.
- the structure of the device includes a receiving unit, a processing unit, and a sending unit. These units can perform the corresponding functions in the method examples of the first aspect; for details, refer to the detailed description in the method examples, which is not repeated here.
- the embodiments of the present application also provide a communication device, the communication device is applied to the proxy function, and the beneficial effects can be referred to the description of the first aspect.
- the structure of the communication device includes a processor and a memory, and the processor is configured to support the proxy function to perform the corresponding function in the method of the first aspect.
- the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
- the structure of the communication device also includes a communication interface for communicating with other devices.
- an embodiment of the present application provides a communication system, where the communication system is applied to a vertical industry network, and the communication system includes a proxy function and a security anchor SEAF;
- SEAF is used to send the permanent identity of the first terminal device to the proxy function during the registration process of the first terminal device
- the proxy function is used to obfuscate the permanent identity of the first terminal device after receiving it from the SEAF, to obtain the first temporary identity of the first terminal device, and to send the first temporary identity of the first terminal device to the access and mobility management function AMF located in the operator network, where the first temporary identity is used in the AMF as the permanent identity of the first terminal device.
- the proxy function is also used to receive the hidden identity of the first terminal device sent by the AMF, and to send the hidden identity of the first terminal device to the SEAF;
- the communication system also includes a unified data management function UDM;
- the SEAF is further configured to send the hidden identity of the first terminal device to the UDM after receiving the hidden identity of the first terminal device sent by the proxy function;
- the UDM is used to parse the hidden identity of the first terminal device to obtain the permanent identity of the first terminal device, and send the permanent identity of the first terminal device to the SEAF.
- AUSF authentication server function
- UDM located in the vertical industry network
- the proxy function is also used to receive a first message from AMF or SMF.
- the first message is used to request a service from the AUSF or UDM.
- the first message carries the first temporary identity of the first terminal device; the proxy function de-obfuscates the first temporary identity to obtain the permanent identity of the first terminal device, and forwards the first message, now carrying the permanent identity of the first terminal device, to the authentication server function AUSF, the unified data management function UDM, or the SEAF in the vertical industry network.
- the proxy function is also used to receive a second message from the AUSF, UDM, or SEAF, where the second message carries the permanent identity of the first terminal device;
- the proxy function obfuscates the permanent identity of the first terminal device in the second message to obtain the first temporary identity of the first terminal device, and forwards the second message, now carrying the first temporary identity of the first terminal device, to the AMF or SMF.
- the proxy function is specifically used to obfuscate the mobile user identification code MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device.
- the first temporary identity identifier of a terminal device includes the obfuscated MSIN.
- the proxy function is specifically configured to use a pre-configured first obfuscation processing method to obfuscate the permanent identity to obtain the first temporary identity of the first terminal device;
- the proxy function is also used, when it is determined that the first obfuscation processing method has been used as the method for obfuscating the permanent identity of the first terminal device for a first preset duration, to adopt a pre-configured second obfuscation processing method to obfuscate the permanent identity to obtain the second temporary identity of the first terminal device; and to send a first update message to the AMF, the first update message carrying the second temporary identity of the first terminal device and instructing the AMF to update the first temporary identity of the first terminal device, used as the permanent identity of the first terminal device, to the second temporary identity of the first terminal device.
- the proxy function is specifically configured to use a third obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device;
- the third obfuscation processing method is the method used, within a second preset time period, to obfuscate the permanent identity of any terminal device included in the first terminal device group, and the first terminal device group includes the first terminal device;
- the proxy function is also used to update the third obfuscation processing method adopted for the first terminal device group to the pre-configured fourth obfuscation processing method when it is determined that the time for which the third obfuscation processing method has been used exceeds the second preset duration.
- the proxy function is specifically configured to use a third obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device;
- the third obfuscation processing method is a method used to obfuscate the permanent identity of any terminal device included in the first terminal device group, and the first terminal device group includes the first terminal device;
- the proxy function is also used to receive a trigger instruction for updating the obfuscation processing method sent by the management network element, and to update the obfuscation processing method used for the permanent identities of the first terminal device group to the pre-configured fourth obfuscation processing method.
- the proxy function is also used, after updating the third obfuscation processing method adopted for the first terminal device group to the pre-configured fourth obfuscation processing method, to obfuscate the permanent identity of the first terminal device with the fourth obfuscation processing method to obtain the third temporary identity of the first terminal device; and to send a second update message to the AMF, the second update message carrying the third temporary identity of the first terminal device and instructing the AMF to update the first temporary identity of the first terminal device, used as the permanent identity of the first terminal device, to the third temporary identity of the first terminal device.
- this application also provides a computer-readable storage medium that stores instructions which, when run on a computer, cause the computer to execute the method described in the first aspect.
- the present application also provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the method described in the first aspect.
- the present application also provides a computer chip connected to a memory, and the chip is configured to read and execute a software program stored in the memory, and execute the method described in the first aspect.
- FIG. 1 is a schematic diagram of a scenario applied in an embodiment of this application
- FIG. 2 is a schematic diagram of a communication architecture provided by an embodiment of this application.
- FIG. 3 is a schematic diagram of another communication architecture provided by an embodiment of this application.
- FIG. 4 is a schematic flow diagram of a communication method for a registration process provided by an embodiment of the application.
- Figure 5 is a schematic diagram of the SUCI format provided by an embodiment of the application.
- FIG. 6 is a schematic diagram of the IMSI format provided by an embodiment of the application.
- FIG. 7A and FIG. 7B are schematic diagrams of the communication method in the process of requesting service provided by an embodiment of the application;
- FIG. 8 is a schematic diagram of a PDU session establishment process provided by an embodiment of the application.
- Figure 9 is a schematic diagram of a PDU session modification process provided by an embodiment of the application.
- FIG. 10 is a schematic diagram of a deregistration process provided by an embodiment of the application.
- FIG. 11 is a schematic structural diagram of a communication device provided by an embodiment of this application.
- FIG. 12 is a schematic structural diagram of a communication device 1200 provided by an embodiment of this application.
- “system” and “network” in this article are often used interchangeably.
- the term “and/or” in this article only describes an association relationship between associated objects and means that three relationships are possible; for example, A and/or B can mean that A exists alone, that A and B exist at the same time, or that B exists alone.
- the character “/” in this text generally indicates that the associated objects before and after are in an "or” relationship.
- the term “at least one” referred to in this application means one or more than one, including one, two, three, and more; “multiple” means two or more than two, including two, three, and more.
- “at least one of” the following items, or a similar expression, refers to any combination of these items, including any combination of a single item or of plural items.
- at least one of a, b, or c can represent: a, b, c, ab, ac, bc, or abc, where each of a, b, and c can be single or multiple.
- B corresponding to A means that B is associated with A, and B can be determined according to A.
- determining B according to A does not mean that B is determined only according to A, and B can also be determined according to A and/or other information.
- the ordinal numbers such as “first” and “second” mentioned in the embodiments of this application are used to distinguish multiple objects, and are not used to limit the order, timing, priority, or importance of those objects.
- the terms “including” and “having” in the embodiments of the present application, claims and drawings are not exclusive. For example, a process, method, system, product, or device that includes a series of steps or modules is not limited to the listed steps or modules, and may also include unlisted steps or modules.
- Figure 1 shows a possible communication network deployment in the case of deploying a vertical industry network.
- functions related to user privacy data, such as user subscription data management and user authentication services, can be deployed in the vertical industry network (also called the industry management network, or the industry network for short), and the industry network manages user privacy data by itself.
- Figure 2 shows a schematic diagram of a possible communication network system architecture in the case of deploying a vertical industry network.
- Terminal equipment which can also be called user equipment (UE)
- the UE can be a mobile device, such as a mobile phone, a tablet, a computer with wireless transceiver functions, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, etc.
- the network architecture also includes a radio access network (RAN), and the main function of the RAN is to control users to access the mobile communication network through wireless.
- RAN is a part of mobile communication system. It implements a wireless access technology. Conceptually, it resides between a certain device (such as a mobile phone, a computer, or any remote control machine) and provides a connection to its core network.
- the RAN includes radio access equipment under various standards, such as an evolved Node B (eNB), a radio network controller (RNC) or Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved NodeB or home Node B, HNB), a baseband unit (BBU), a wireless fidelity (WIFI) system access point (AP), a wireless relay node, a wireless backhaul node, a transmission point (transmission and reception point, TRP, or transmission point, TP), etc., and can also be 5G (NR)
- eNB evolved Node B
- the network architecture may also include an access and mobility management function (AMF), a session management function (SMF), a user plane function (UPF), a policy control function (PCF), etc. located in the operator’s network.
- the network architecture can also include a unified data management (UDM), an authentication server function (AUSF), etc. located in the vertical industry management network.
- the AMF is responsible for UE access management and mobility management, such as registration management, connection management, mobility management, reachability management, etc.; in practical applications it includes the mobility management function of the mobility management entity (MME) in the LTE network framework, with the access management function added.
- MME mobility management entity
- the PCF is responsible for policy control and is connected to the SMF.
- SMF is used for session management to provide service continuity.
- UPF is responsible for user plane processing.
- The network architecture may also include a security anchor function (SEAF). The SEAF network element completes the authentication of the UE, and the SEAF can be co-deployed with the AMF, as shown in FIG. 2.
- The AUSF provides the authentication service function and terminates the authentication requested by the SEAF network element. During the authentication procedure it receives the authentication vector sent by the UDM, processes the authentication vector, and sends the processed authentication vector to the SEAF.
- The UDM network element stores the user's subscription information, generates authentication parameters, and so on.
- The subscription permanent identifier (SUPI) of the terminal device may be transmitted in plain text over the air interface, which leads to security risks such as user tracking.
- Therefore, a subscription concealed identifier (SUCI) is introduced to protect the SUPI of the UE.
- When the UE initiates the 5G network registration procedure, the UE encrypts the SUPI to obtain the SUCI and sends the SUCI to the AMF on the core network side.
- The AMF initiates an authentication request to the AUSF based on the SUCI to request identity authentication for the UE, and the AUSF requests from the UDM the authentication vector for authenticating the UE. The UDM decrypts the SUCI to obtain the SUPI, generates an authentication vector for authenticating the UE, and returns the authentication vector and the SUPI to the AUSF, so that the AUSF can authenticate the identity of the UE based on the authentication vector.
- After the UE is successfully authenticated, the SUPI of the UE is returned to the AMF. The SUPI is then used as the user identifier in the interactions between the 5G core network elements involved in the user's session management and mobility management.
- The embodiments of the present application provide a communication method and device that protect the permanent identity of the UE, so that the permanent identity of the UE is visible only in the vertical industry network and not in the operator's network.
- The vertical industry network in the embodiments of the present application may be a third-party network different from the operator network, referred to as an industry network for short.
- Examples of industry networks are enterprise campus networks, stadium networks, power system networks and intelligent transportation networks.
- The SEAF and the AMF can be deployed separately, with the SEAF deployed in the vertical industry network.
- FIG. 3 is a schematic diagram of the communication network architecture provided by this embodiment of the application.
- The network elements in the operator network may include the AMF, SMF, UPF or PCF, etc.
- The network elements in the industry network may include the SEAF, UDM or AUSF, etc.
- A new function is introduced in the embodiments of this application. It may be called a proxy function (Proxy) or a privacy proxy; of course, it may also be given another name, which this application does not specifically limit. In the embodiments of this application, the name proxy function is used as an example.
- The proxy function is deployed in the middle of the control plane communication between the industry network and the operator network, and all control plane communication between the industry network and the operator network passes through the proxy function.
- The proxy function and the SEAF can be co-deployed or deployed separately. In the embodiments of the present application, separate deployment is taken as an example for description.
- Specifically, the proxy function obfuscates the SUPI of the terminal device carried in messages sent from the industry network to the operator network, to obtain the temporary identity of the terminal device.
- For messages sent from the operator network to the industry network, the proxy function converts the temporary identity of the terminal device back into the SUPI.
- The temporary identity, denoted SUPI*, is used as the permanent identity of the terminal device by each network element of the operator's network. That is, the true identity SUPI of the terminal device is used in the industry network, while each network element in the operator's network uses SUPI*, obtained by obfuscating the SUPI.
- The proxy function receives the SUPI of the first terminal device from the SEAF, obfuscates the SUPI to obtain the SUPI* of the first terminal device, and sends SUPI* to the AMF.
- The AMF uses SUPI* as the permanent identity of the first terminal device.
- For a first message sent from the operator network to the industry network, the proxy function de-obfuscates the SUPI* in the first message into SUPI and forwards the first message carrying SUPI to the network element in the industry network, where SUPI is then used as the user identifier.
- The first message may be a service request message sent by a network element in the operator network to a network element in the industry network, for example a service request message initiated by the AMF or SMF towards the AUSF, UDM or SEAF in the industry network.
- The first message may also be a response message sent by a network element in the operator network to a network element in the industry network, in response to a service request or service notification from a network element in the industry network (such as the AUSF, UDM or SEAF).
- The service request message may be a session establishment request, a session modification request or a session deletion request.
- The service notification may be a notification of a user subscription data change event.
- For a second message sent from the industry network to the operator network, the proxy function first converts the SUPI in the second message into SUPI*, and then forwards the second message carrying SUPI* to the network element in the operator's network.
- The second message may be a service request message sent by a network element in the industry network to a network element of the operator network, for example a request message initiated by the AUSF, UDM or SEAF towards the AMF or SMF; the second message may also be a response message or a notification message sent by a network element in the industry network to a network element of the operator's network.
- The response message is a message in response to a service request from the operator's network.
- The notification message may be an event notification triggered by an event that a network element of the operator's network subscribed to in advance at a network element of the industry network, such as the UDM.
- FIG. 4 takes the communication procedure for registering the first terminal device in the network as an example.
- S401: During the UE registration procedure, the UE sends a registration request message to the AMF, carrying the SUCI.
- The SUCI is generated based on the SUPI.
- FIG. 5 is a schematic diagram of the SUCI format. The SUCI includes the following information 1)-6).
- 1) SUPI Type: the SUPI type can take 7 values, which identify the type of SUPI encrypted in the SUCI. Two values are currently in use: when the SUPI type is 0, the SUPI is an international mobile subscriber identification number (IMSI); when the SUPI type is 1, the SUPI is a network specific identifier. Values 2 to 7 are not yet clearly specified and are reserved for future use.
- The IMSI consists of three parts: the mobile country code (MCC), the mobile network code (MNC) and the mobile subscriber identification number (MSIN).
- The MCC uniquely identifies the country to which the mobile subscriber belongs and consists of three decimal digits (000-999). For example, the MCC of China is 460.
- The MNC identifies the operator to which the UE belongs.
- The combination of MCC and MNC uniquely indicates the network operator of the UE.
- The MSIN identifies the mobile subscriber within the mobile communication network.
- The IMSI distinguishes mobile subscribers from one another and can be configured in the universal subscriber identity module (USIM) card of the UE.
- 2) Home Network Identifier: when the SUPI is an IMSI, the Home Network Identifier consists of two parts, the MCC and the MNC.
- When the SUPI type indicates that the SUPI is a network specific identifier (NSI), the Home Network Identifier can be a specific character string.
- 3) Routing Indicator: consists of 1 to 4 decimal digits.
- The Routing Indicator and the Home Network Identifier together indicate the AUSF and UDM serving this UE.
- The Routing Indicator can be configured in the universal subscriber identity module (USIM) card of the UE. If this value is not configured in the USIM card, the Routing Indicator takes the default value 0.
- 4) Protection Scheme Identifier: indicates the security protection mechanism adopted, and can take the following 3 values: 0x0, 0x1 and 0x2.
- When the Protection Scheme Identifier is 0x0, it means NULL-SCHEME.
- The output of the NULL-SCHEME operation is identical to its input, that is, no encryption operation is performed. For example, if the input is SUPI, the NULL-SCHEME output is also SUPI.
- When the Protection Scheme Identifier is 0x1, the Profile <A> security protection mechanism is used.
- When the Protection Scheme Identifier is 0x2, the Profile <B> security protection mechanism is used.
- The UE chooses one of these mechanisms to encrypt the SUPI into the SUCI. If neither Profile <A> nor Profile <B> is configured in the UE, the UE selects NULL-SCHEME, that is, no encryption operation is performed on the SUPI.
- 5) Home Network Public Key Identifier: identifies the public key used by the UE.
- The UE uses this public key together with Profile <A> or Profile <B> to encrypt the SUPI into the SUCI.
- 6) Scheme Output: the output of the security protection mechanism, which can be represented as a string.
- The Scheme Output is obtained by encrypting the input of the security protection mechanism (Protection Scheme input) with the public key determined by the Home Network Public Key Identifier and the security protection mechanism determined by the Protection Scheme Identifier.
- When the SUPI is an IMSI, the Protection Scheme input may be the mobile subscriber identification number (MSIN). The MSIN identifies the subscriber under the operator.
- S402: The AMF forwards the registration request message to the SEAF; the registration request message passes through the proxy function.
- S403: After receiving the registration request message, the proxy function determines that the registration request message does not carry SUPI and transparently forwards it to the SEAF.
- The proxy function can determine whether a received message carries SUPI or the obfuscated SUPI* from the message name or message type. Alternatively, the proxy function can parse the received message to determine whether it carries SUPI or SUPI*.
- S404: The SEAF sends authentication request message 1 to the AUSF; authentication request message 1 carries the SUCI.
- Authentication request message 1 may be Nausf_UEAuthentication_Authenticate Request.
- After receiving authentication request message 1, the AUSF sends authentication request message 2 to the UDM.
- Authentication request message 2 carries the SUCI and requests the authentication vector from the UDM according to the SUCI.
- Authentication request message 2 may be Nudm_UEAuthentication_Get Request.
- The specific process for the UDM to obtain the SUPI can include A1-A4:
- A1: The UDM determines which security protection mechanism the UE used according to the Protection Scheme Identifier in the SUCI.
- A2: The UDM determines which public/private key pair the UE used according to the Home Network Public Key Identifier in the SUCI.
- A3: The UDM decrypts the Scheme Output and verifies the integrity protection according to the determined security protection mechanism and private key. If the integrity verification succeeds, the decryption result is the recovered identity information of the UE; when the SUPI is an IMSI, the result parsed from the Scheme Output is the MSIN.
- A4: The UDM then obtains the final SUPI according to the SUPI type. For example, the UDM determines the type of the SUPI from the SUPI type; if the SUPI type is IMSI, the decrypted Scheme Output represents the MSIN, and the UDM composes the IMSI, that is the SUPI, from the MCC and MNC in the Home Network Identifier together with the MSIN.
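As an added example (not code from the patent), the following Python builds a SUCI from an IMSI-type SUPI with the NULL-SCHEME, as a UE without Profile <A>/<B> would, and carries out the UDM-side recovery A1-A4 described above; Profile <A>/<B> decryption is represented only by a placeholder that rejects those scheme identifiers, and the dataclass field names are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass

# Protection Scheme Identifier values named in the text.
NULL_SCHEME, PROFILE_A, PROFILE_B = 0x0, 0x1, 0x2
# SUPI type values in use: 0 = IMSI, 1 = network specific identifier.
SUPI_TYPE_IMSI, SUPI_TYPE_NSI = 0, 1


@dataclass(frozen=True)
class Suci:
    """The six information elements of the SUCI (field names are this example's)."""
    supi_type: int          # 1) SUPI Type
    home_network_id: str    # 2) Home Network Identifier: MCC+MNC for an IMSI
    routing_indicator: str  # 3) Routing Indicator: 1 to 4 decimal digits, default "0"
    protection_scheme: int  # 4) Protection Scheme Identifier: 0x0, 0x1 or 0x2
    hn_public_key_id: int   # 5) Home Network Public Key Identifier
    scheme_output: str      # 6) Scheme Output


def split_imsi(imsi: str, mnc_len: int = 2) -> tuple[str, str, str]:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN."""
    if not imsi.isdigit() or len(imsi) not in (14, 15) or mnc_len not in (2, 3):
        raise ValueError("IMSI must be 14 or 15 decimal digits with a 2- or 3-digit MNC")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def ue_build_suci(imsi: str, routing_indicator: str = "0", mnc_len: int = 2) -> Suci:
    """UE side. With neither Profile <A> nor Profile <B> configured, the UE selects
    NULL-SCHEME, so the Protection Scheme input (the MSIN) is carried unchanged;
    the Home Network Identifier is MCC+MNC and no public key is involved."""
    mcc, mnc, msin = split_imsi(imsi, mnc_len)
    if not (routing_indicator.isdigit() and 1 <= len(routing_indicator) <= 4):
        raise ValueError("Routing Indicator is 1 to 4 decimal digits")
    return Suci(SUPI_TYPE_IMSI, mcc + mnc, routing_indicator, NULL_SCHEME, 0, msin)


def udm_recover_supi(suci: Suci) -> str:
    """UDM side, steps A1-A4 as described in the text."""
    # A1: which security protection mechanism did the UE use?
    if suci.protection_scheme == NULL_SCHEME:
        # A2/A3: no key pair is selected and the Scheme Output is the plaintext input.
        recovered = suci.scheme_output
    elif suci.protection_scheme in (PROFILE_A, PROFILE_B):
        # A2/A3 would select the private key by hn_public_key_id, decrypt the
        # Scheme Output and check its integrity tag; not modelled in this example.
        raise NotImplementedError("Profile <A>/<B> decryption is out of scope here")
    else:
        raise ValueError("unknown Protection Scheme Identifier")
    # A4: assemble the final SUPI according to the SUPI type.
    if suci.supi_type == SUPI_TYPE_IMSI:
        if not recovered.isdigit():
            raise ValueError("recovered MSIN is not decimal digits; reject the SUCI")
        # The Home Network Identifier is exactly MCC followed by MNC.
        return suci.home_network_id + recovered
    if suci.supi_type == SUPI_TYPE_NSI:
        raise NotImplementedError("network specific identifier assembly not modelled here")
    raise ValueError("SUPI type values 2 to 7 are reserved")
```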
- The UDM obtains the authentication vector of the first terminal device according to the SUPI; the authentication vector is used to authenticate the identity of the first terminal device.
- The UDM sends authentication response message 2 to the AUSF.
- Authentication response message 2 carries the SUPI and may also carry the authentication vector.
- Authentication response message 2 may be Nudm_UEAuthentication_Get Response.
- S408: The AUSF performs mutual authentication with the first terminal device according to the obtained authentication vector.
- After the authentication succeeds, the AUSF returns authentication response message 1 to the SEAF; authentication response message 1 carries the SUPI and K_SEAF.
- K_SEAF is derived from K_AUSF during the mutual authentication process, and K_AUSF is generated from the information included in the authentication vector.
- The specific mutual authentication process and key derivation mechanism follow the existing protocol and are not repeated in the embodiments of this application.
- The SEAF derives K_AMF based on the obtained SUPI and K_SEAF.
- S411: The SEAF sends a registration response message to the AMF through the proxy function; the registration response message carries the SUPI.
- S412: The registration response message passes through the proxy function, which determines that the registration response message carries SUPI and obfuscates that SUPI to obtain SUPI*.
- After obtaining SUPI* by obfuscating SUPI, the proxy function can save the correspondence between SUPI and SUPI*.
- The SUPI obfuscation processing is exemplified later and is not described here.
- The proxy function forwards the registration response message to the AMF; the registration response message now carries SUPI*.
- After the AMF receives the registration response message, it can distribute SUPI* to the other core network elements deployed in the operator's network, such as the SMF, PCF and UPF, in accordance with the 3rd generation partnership project (3GPP) protocol procedures. The AMF and these network elements use SUPI* as the permanent identity of the first terminal device in subsequent service requests.
- FIG. 7A and FIG. 7B are schematic flow diagrams of the communication method for performing subsequent services after successful registration, provided by this embodiment of the application.
- FIG. 7A takes as an example a service request initiated by a network element in the operator network to a network element in the industry network.
- FIG. 7B takes as an example a service notification of an event initiated by a network element in the industry network to a network element in the operator network. It should be understood that the registration request is also a type of service request.
- The service-based architecture is used as the basic network architecture of 5G.
- In the service-based architecture, two types of service interfaces can be used for communication between network elements: the request-response (Request-Response) service interface and the subscribe-notify (Subscribe-Notify) service interface.
- When the first terminal device interacts with the AMF to complete the registration management procedure, or with the SMF to complete the protocol data unit (PDU) session management procedure, a service request or service subscription needs to be initiated to the SEAF, AUSF or UDM network element located in the industry network, and a service response or service notification is received in return.
- The SEAF, AUSF or UDM can send service notifications to the SMF or AMF based on the service subscription (for example, when session management data is updated, the UDM is triggered to send a notification to the SMF).
- The session management mentioned in the embodiments of this application may be, for example, session establishment, session modification or session deletion.
- The service request message may be a session establishment request message, a session modification request message or a session deletion request message.
- The communication method of FIG. 7A includes:
- The AMF initiates a service request message to the industry network through the SMF based on SUPI*; the service request message carries the SUPI* of the first terminal device.
- The service request message is used to request a service from a network element in the industry network.
- The network element in the industry network may be the AUSF or the UDM; the UDM is taken as an example in FIG. 7A.
- Other network elements may be deployed in the industry network in the future, and the network elements in the industry network then also include them.
- The AMF may initiate the service request message to the industry network through the SMF, for example following non-access stratum (NAS) signalling from the first terminal device.
- The proxy function in the industry network converts the SUPI* of the first terminal device included in the service request message into the SUPI of the first terminal device.
- SUPI* can be converted into SUPI in two ways.
- One way is to de-obfuscate SUPI* according to a pre-configured obfuscation processing method to obtain SUPI.
- Another way: if the proxy function saved the correspondence between the SUPI and SUPI* of the first terminal device during the registration procedure, the SUPI* of the first terminal device in the service request message can be replaced with the SUPI of the first terminal device according to the saved correspondence.
- The proxy function forwards the service request message carrying the SUPI of the first terminal device to the UDM. After the industry network has executed the service based on the SUPI of the first terminal device, S704 is executed.
- S704: The UDM sends a service response message to the SMF through the proxy function.
- If the service response message carries the SUPI of the first terminal device, the proxy function converts the SUPI of the first terminal device in the service response message into the SUPI* of the first terminal device, and forwards the service response message carrying the SUPI* of the first terminal device to the SMF.
- SUPI can be converted into SUPI* in two ways.
- One way is to obfuscate the SUPI according to a pre-configured obfuscation processing method to obtain SUPI*.
- Another way: if the proxy function stored the correspondence between the SUPI and SUPI* of the first terminal device during the registration procedure, the SUPI of the first terminal device in the service response message can be replaced with SUPI* according to the saved correspondence.
- If the service response message does not carry the SUPI of the first terminal device, the proxy function executes S705a and transparently forwards the service response message to the SMF.
- The communication method of FIG. 7B includes:
- The UDM initiates a service notification message to a network element in the operator network (the SMF is taken as an example); the service notification message carries the SUPI of the first terminal device.
- The service notification may be a notification of a subscribed event, or the like.
- The proxy function in the industry network converts the SUPI of the first terminal device included in the service notification message into the SUPI* of the first terminal device.
- SUPI can be converted into SUPI* in two ways.
- One way is to obfuscate the SUPI according to a pre-configured obfuscation processing method to obtain SUPI*.
- Another way: if the proxy function saved the correspondence between the SUPI and SUPI* of the first terminal device, the SUPI of the first terminal device in the service notification message can be replaced with SUPI* according to the saved correspondence.
- The proxy function forwards the service notification message carrying the SUPI* of the first terminal device to the SMF.
- S704b: The SMF sends a service notification confirmation message to the UDM through the proxy function.
- If the service notification confirmation message carries the SUPI* of the first terminal device, the proxy function executes S705b and converts the SUPI* of the first terminal device in the service notification confirmation message into the SUPI of the first terminal device, followed by S706b.
- S706b: The proxy function forwards the service notification confirmation message carrying the SUPI of the first terminal device to the UDM.
- If the service notification confirmation message does not carry the SUPI* of the first terminal device, the proxy function transparently forwards the service notification confirmation message to the UDM.
- The first terminal device initiates a PDU session establishment request message to the AMF.
- The PDU session establishment request message may be PDU session establishment request.
- After receiving the PDU session establishment request message, the AMF sends a session context establishment request message to the SMF; the session context establishment request message carries SUPI*.
- The SMF sends a session registration request message to the UDM in the industry network; the session registration request message is used to register session-related information with the UDM.
- The session registration request message carries SUPI*.
- The session registration request message may also carry a data network name (DNN), a PDU session ID, and so on.
- The session registration request message may be Nudm_UECM_Registration request.
- S804: The proxy function of the industry network receives the session registration request message and converts the SUPI* in it into SUPI.
- S805: The proxy function forwards the session registration request message carrying SUPI to the UDM.
- The UDM obtains the session context according to SUPI and returns a session registration response message to the SMF through the proxy function.
- The session registration response message may be Nudm_UECM_Registration response.
- After receiving the session registration response message, the proxy function determines that SUPI is not included in the session registration response message and transparently forwards it to the SMF.
- Alternatively, the session registration response message may also carry SUPI.
- In that case, after receiving the session registration response message, the proxy function converts the SUPI in the session registration response message into SUPI*.
- The proxy function forwards the session registration response message carrying SUPI* to the SMF.
- The UDM initiates a user data update notification message to the SMF.
- When the UDM determines that the user subscription data has changed, it initiates a user data update notification message to the SMF.
- The user data update notification message may carry information about the changed user subscription data, and may also carry the SUPI of the first terminal device.
- The user data update notification message may be Nudm_SDM_Notification.
- After receiving the user data update notification message sent by the UDM to the SMF, the proxy function determines that the user data update notification message carries SUPI and converts the SUPI of the first terminal device into SUPI*.
- S903: The proxy function forwards the user data update notification message, now carrying SUPI*, to the SMF.
- The SMF can send a user data update confirmation message to the UDM; the user data update confirmation message can carry SUPI*.
- The user data update confirmation message can be Nudm_SDM_Notification ACK.
- S905: On receiving the user data update confirmation message sent by the SMF to the UDM, the proxy function determines that the user data update confirmation message carries SUPI* and converts SUPI* into SUPI.
- S906: The proxy function forwards the user data update confirmation message, now carrying SUPI, to the UDM.
- The AMF sends a PDU session context release request message to the SMF; the PDU session context release request message carries SUPI*.
- The PDU session context release request message may be Nsmf_PDUSession_ReleaseSMContext Request.
- The SMF sends a de-registration notification message to the UDM.
- The de-registration notification message may be Nudm_SDM_unsubscribe or Nudm_UECM_Deregistration.
- After receiving the de-registration notification message, the proxy function determines that the de-registration notification message carries SUPI* and converts the SUPI* in the de-registration notification message into SUPI.
- S1005: The proxy function forwards the de-registration notification message carrying SUPI to the UDM.
- The UDM completes the corresponding operation according to the de-registration notification message.
- After receiving the de-registration notification response message, the proxy function determines that the de-registration notification response message does not include SUPI and transparently forwards it to the SMF.
- Alternatively, the de-registration notification response message may also carry SUPI.
- In that case, the proxy function converts the SUPI in the de-registration notification response message into SUPI*.
- The proxy function forwards the de-registration notification response message carrying SUPI* to the SMF.
- The following takes the SUPI being an IMSI as an example.
- When the proxy function obfuscates the SUPI of the first terminal device, it can leave the MCC and MNC in the IMSI unchanged and obfuscate only the MSIN in the IMSI, so that the SUPI* obtained by the obfuscation processing includes the obfuscated MSIN. Therefore, when a network element of the operator's network uses SUPI*, network selection or addressing can still be performed according to the MCC and MNC, and the obfuscation processing method provided in the embodiments of the present application does not affect the existing processing flows.
- Example 1: Perform a cyclic shift on the MSIN, for example a cyclic shift by M bits, where M is an integer greater than or equal to 1.
- Example 2: Exchange at least two parts of the MSIN.
- The MSIN includes 10 digits. The MSIN is divided into several parts, each of which can include one digit or multiple digits. For example, if each digit is one part, the 5th and 10th digits can be exchanged, or the 5th, 7th and 10th digits can be exchanged.
- Alternatively, a first part and a second part swap positions, where the first part includes the 5th and 6th digits and the second part includes the 8th, 9th and 10th digits.
- Example 3: Encrypt the MSIN in the IMSI with a first secret key, for example using symmetric encryption.
- The MSIN can also be processed in segments, with different obfuscation methods used for different segments.
- For example, the MSIN is divided into two segments: the first segment uses a cyclic shift by 1 bit, and the second segment uses symmetric encryption.
- For the cyclic shift obfuscation method, different numbers of shifted bits count as different obfuscation processing methods.
- For the exchange obfuscation method, exchanging parts at different positions counts as different obfuscation processing methods.
- For the secret key, different secret keys can also be regarded as different obfuscation processing methods.
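The following Python is an added example, not the patent's or any vendor's code, of Examples 1-3 and the segmented processing above, each with its inverse so the same code serves SUPI to SUPI* and SUPI* to SUPI conversion, while MCC and MNC stay untouched. Assumptions: M counts decimal digit positions; the "symmetric encryption" of Example 3 is stood in for by a keyed digit mask derived with HMAC-SHA256 so that the result remains a 10-digit MSIN; function names and the sample key are this example's own.

```python
from __future__ import annotations
import hashlib
import hmac

MSIN_LEN = 10  # the text takes a 10-digit MSIN


def cyclic_shift(msin: str, m: int) -> str:
    """Example 1: cyclic shift of the MSIN by M positions (M >= 1), read here as
    rotating the decimal digit string to the left."""
    m %= len(msin)
    return msin[m:] + msin[:m]


def cyclic_unshift(msin: str, m: int) -> str:
    """Inverse of cyclic_shift."""
    return cyclic_shift(msin, len(msin) - m % len(msin))


def exchange_parts(msin: str, parts: list[tuple[int, int]]) -> str:
    """Example 2: swap two parts of the MSIN given as 1-based inclusive digit
    ranges, e.g. [(5, 5), (10, 10)] swaps the 5th and 10th digits and
    [(5, 6), (8, 10)] swaps digits 5-6 with digits 8-10. Parts may differ in
    length and must not overlap."""
    (a0, a1), (b0, b1) = sorted(parts)
    if not (1 <= a0 <= a1 < b0 <= b1 <= len(msin)):
        raise ValueError("parts must be in range and must not overlap")
    a, b = msin[a0 - 1:a1], msin[b0 - 1:b1]
    return msin[:a0 - 1] + b + msin[a1:b0 - 1] + a + msin[b1:]


def unexchange_parts(msin: str, parts: list[tuple[int, int]]) -> str:
    """Inverse of exchange_parts: after the swap the second part occupies the
    first part's start position and the first part ends where the second did."""
    (a0, a1), (b0, b1) = sorted(parts)
    la, lb = a1 - a0 + 1, b1 - b0 + 1
    return exchange_parts(msin, [(a0, a0 + lb - 1), (b0 + lb - la, b1)])


def keyed_mask(msin: str, key: bytes, decrypt: bool = False) -> str:
    """Example 3 stand-in for 'symmetric encryption with a first secret key':
    digit-wise modular addition of a keystream derived with HMAC-SHA256, so the
    result stays within the 10-digit MSIN alphabet. Illustrative only: one fixed
    keystream per key means two subscribers' MSINs differ by the same digit
    offsets after masking, so a deployment would use a proper format-preserving
    cipher with a per-subscriber tweak."""
    stream = hmac.new(key, b"msin-mask", hashlib.sha256).digest()
    sign = -1 if decrypt else 1
    return "".join(str((int(c) + sign * (stream[i] % 10)) % 10) for i, c in enumerate(msin))


def obfuscate_msin_segmented(msin: str, key: bytes) -> str:
    """Segmented processing from the text: the first segment (digits 1-5) is
    cyclically shifted by 1 and the second segment (digits 6-10) is masked."""
    return cyclic_shift(msin[:5], 1) + keyed_mask(msin[5:], key)


def deobfuscate_msin_segmented(msin: str, key: bytes) -> str:
    """Inverse of obfuscate_msin_segmented."""
    return cyclic_unshift(msin[:5], 1) + keyed_mask(msin[5:], key, decrypt=True)


def transform_supi(imsi: str, msin_fn, mnc_len: int = 2) -> str:
    """Apply an MSIN transform while leaving MCC and MNC untouched, so operator
    network elements can still select the network or address by MCC+MNC.
    Used for SUPI -> SUPI* and, with the inverse transform, for SUPI* -> SUPI."""
    head, msin = imsi[:3 + mnc_len], imsi[3 + mnc_len:]
    if not (imsi.isdigit() and len(msin) == MSIN_LEN):
        raise ValueError("expected MCC+MNC followed by a 10-digit MSIN")
    return head + msin_fn(msin)
```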
- An update strategy for the obfuscation processing method can be defined.
- The obfuscation processing method can be updated automatically at regular intervals, or the administrator can trigger the update of the obfuscation processing method through the management device.
- The management device may configure a set of obfuscation processing methods in the proxy function; the set includes multiple obfuscation processing methods, and different obfuscation processing methods have different indexes.
- When the obfuscation processing method is updated automatically at fixed times, it can be updated cyclically in the order of the indexes.
- For example, the current processing method is updated to the exchange processing method.
- Different obfuscation processing methods can be configured for different terminal devices, or for different terminal device groups. Of course, the same obfuscation processing method can also be configured for all terminal devices in the same time period.
- The update of the obfuscation processing method is exemplarily described below, taking the foregoing first terminal device as an example.
- In one case, different terminal devices are configured with timers for periodic updating.
- The timer is started; the update operation is performed when the timer expires, and the timer is restarted.
- When the proxy function obfuscates the SUPI of the terminal device to obtain SUPI*, the pre-configured first obfuscation processing method may be used to obfuscate the SUPI and obtain SUPI*.
- When the proxy function determines that the first obfuscation processing method has been used to obfuscate the SUPI of the first terminal device for a first preset time period, the proxy function updates the first obfuscation processing method and may adopt the pre-configured second obfuscation processing method to obfuscate the SUPI and obtain SUPI*1.
- After the proxy function has updated the obfuscation processing method and re-obfuscated the SUPI of the first terminal device, it can send the obfuscated SUPI*1 to the AMF, so that the AMF uses the updated SUPI*1 as the user identity identifier.
- For example, the proxy function may send a first update message to the AMF. The first update message carries the SUPI*1 of the first terminal device and is used to instruct the AMF to update the SUPI* used as the identity of the first terminal device to SUPI*1.
- The AMF can send the updated SUPI*1 to other network elements in the operator's network, such as the SMF and UPF, to synchronize the changed SUPI*.
- The AMF may return a first update response to the proxy function, thereby confirming that both parties use the updated SUPI*1 in subsequent signalling interactions.
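As an added example (not the patent's or any project's code), the following Python models a minimal privacy proxy that applies the forwarding rules above (transparent forwarding when no identity is carried, SUPI to SUPI* towards the operator network, SUPI* to SUPI via the saved correspondence towards the industry network) together with the per-device timer update just described: methods are kept in an indexed set and advanced cyclically, and a first update message is queued for the AMF. Assumptions: messages are dicts with "from", "to" and "supi" keys, the NF names and method set are constructed, MCC+MNC are the first 5 digits, time is injected so the timer can be driven deterministically, and the previous SUPI* is accepted until the AMF's first update response arrives.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Indexed set of obfuscation processing methods configured by the management
# device (constructed for this example). Each acts on the MSIN only; MCC+MNC
# (assumed here to be the first 5 digits) stay visible for routing.
METHODS = {
    0: lambda s: s[1:] + s[:1],                         # cyclic shift by 1 digit
    1: lambda s: s[:4] + s[9] + s[5:9] + s[4],          # exchange 5th and 10th digits
    2: lambda s: "".join(str(9 - int(c)) for c in s),   # digit complement
}
INDUSTRY = {"SEAF", "AUSF", "UDM"}
OPERATOR = {"AMF", "SMF", "UPF", "PCF"}


@dataclass
class PrivacyProxy:
    period: float                                  # first preset time period
    now: float = 0.0                               # injected clock
    index: dict = field(default_factory=dict)      # SUPI -> method index in use
    started: dict = field(default_factory=dict)    # SUPI -> timer start time
    to_star: dict = field(default_factory=dict)    # saved correspondence SUPI -> SUPI*
    to_supi: dict = field(default_factory=dict)    # SUPI* -> SUPI (old entry kept until confirmed)
    updates: list = field(default_factory=list)    # first update messages queued for the AMF

    def _bind(self, supi: str, idx: int) -> str:
        """Obfuscate with method idx and record the correspondence."""
        star = supi[:5] + METHODS[idx](supi[5:])
        self.index[supi] = idx
        self.to_star[supi] = star
        self.to_supi[star] = supi
        return star

    def relay(self, msg: dict) -> dict:
        """Control-plane message crossing the proxy. A message without an
        identity field is forwarded transparently (S403). Industry -> operator
        carries SUPI and is rewritten to SUPI* (S412, S704); operator -> industry
        carries SUPI* and is rewritten to SUPI via the saved correspondence
        (S702-style request handling, S705b)."""
        src, dst = msg["from"], msg["to"]
        if "supi" not in msg:
            return msg
        out = dict(msg)
        if src in INDUSTRY and dst in OPERATOR:
            supi = msg["supi"]
            if supi not in self.to_star:            # first sighting: bind and start the timer
                self._bind(supi, 0)
                self.started[supi] = self.now
            out["supi"] = self.to_star[supi]
        elif src in OPERATOR and dst in INDUSTRY:
            if msg["supi"] not in self.to_supi:     # never pass an unknown temporary identity through
                raise LookupError("unknown SUPI*, message not forwarded")
            out["supi"] = self.to_supi[msg["supi"]]
        else:
            raise ValueError("proxy only sits between the industry and operator networks")
        return out

    def tick(self, dt: float) -> None:
        """Advance the clock. For every device whose timer expired, move to the
        next method index cyclically, re-obfuscate, queue the first update
        message for the AMF and restart the timer."""
        self.now += dt
        for supi, start in list(self.started.items()):
            if self.now - start >= self.period:
                old = self.to_star[supi]
                new = self._bind(supi, (self.index[supi] + 1) % len(METHODS))
                self.updates.append({"from": "Proxy", "to": "AMF",
                                     "type": "supi_update", "old": old, "new": new})
                self.started[supi] = self.now

    def confirm_update(self, old_star: str) -> None:
        """First update response from the AMF: both sides now use the new SUPI*,
        so the previous temporary identity is no longer accepted."""
        self.to_supi.pop(old_star, None)
```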
- Second example: a timer for regular update is configured for each terminal device group; the update operation is performed when the timer expires, and the timer is restarted. Take the first terminal device group, which includes the first terminal device, as an example.
- The method used by the proxy function to obfuscate the permanent identity of each terminal device in the first terminal device group is the third obfuscation processing method.
- When the proxy function determines that the third obfuscation processing method has been used to obfuscate the SUPI of each terminal device in the first terminal device group for the second preset duration, it updates the third obfuscation processing method, possibly to the fourth obfuscation processing method.
- The proxy function uses the fourth obfuscation processing method to re-obfuscate the permanent identity of each terminal device in the first terminal device group and sends the resulting temporary identities to the AMF.
- The following still takes the first terminal device in the first terminal device group as an example.
- The proxy function uses the fourth obfuscation processing method to obfuscate the SUPI of the first terminal device to obtain SUPI*2; the proxy function sends a second update message to the AMF, the second update message carrying the SUPI*2 of the first terminal device and instructing the AMF to update the SUPI* used as the SUPI of the first terminal device to SUPI*2.
- Third example: different obfuscation processing methods are used for different terminal device groups, and the management device triggers the update of the obfuscation processing method.
- The method used by the proxy function to obfuscate the permanent identities of the first terminal device group is the third obfuscation processing method, and the first terminal device group includes the first terminal device.
- The proxy function receives a trigger instruction for updating the obfuscation processing method sent by the management network element, and updates the third obfuscation processing method used to obfuscate the permanent identities of the first terminal device group to the pre-configured fourth obfuscation processing method.
- The proxy function uses the fourth obfuscation processing method to re-obfuscate the permanent identity of each terminal device in the first terminal device group and sends the resulting temporary identities to the AMF.
- The following still takes the first terminal device in the first terminal device group as an example.
- The proxy function uses the fourth obfuscation processing method to obfuscate the SUPI of the first terminal device to obtain SUPI*2; the proxy function sends a second update message to the AMF, the second update message carrying the SUPI*2 of the first terminal device and instructing the AMF to update the SUPI* used as the SUPI of the first terminal device to SUPI*2.
- Fourth example: the same obfuscation processing method is used for all terminal devices within the same time period.
- A timer for regular update can be configured; the update operation is performed when the timer expires, and the timer is restarted.
- The method used by the proxy function to obfuscate the permanent identities of all terminal devices, including the first terminal device, within the third preset duration is the fifth obfuscation processing method. When the proxy function determines that the fifth obfuscation processing method has been in use for longer than the third preset duration, it updates the fifth obfuscation processing method to the pre-configured sixth obfuscation processing method.
- The proxy function then re-obfuscates the permanent identities of all terminal devices and sends the resulting temporary identities of each terminal device to the AMF.
- An embodiment of the present application also provides a communication device applied to the proxy function, used to execute the method performed by the proxy function in the method embodiments shown in FIG. 4 to FIG. 10.
- The communication device includes a receiving unit 1101, a processing unit 1102 and a sending unit 1103.
- The receiving unit 1101 is configured to receive, from the security anchor function SEAF, the permanent identity of the first terminal device that is to be sent to the access and mobility management function AMF; the processing unit 1102 is configured to obfuscate the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; and the sending unit 1103 is configured to send the first temporary identity of the first terminal device to the AMF, where the first temporary identity is used in the AMF as the permanent identity of the first terminal device.
- The receiving unit 1101 is further configured to receive a first message from the AMF or a session management function SMF, the first message carrying the first temporary identity of the first terminal device;
- the processing unit 1102 is further configured to de-obfuscate the first temporary identity to obtain the permanent identity of the first terminal device;
- the sending unit 1103 is further configured to forward the first message, carrying the permanent identity of the first terminal device, to the AUSF or UDM.
- The receiving unit 1101 is further configured to receive a second message from the AUSF or UDM, the second message carrying the permanent identity of the first terminal device; the processing unit 1102 is further configured to obfuscate the permanent identity of the first terminal device in the second message to obtain the first temporary identity of the first terminal device; and the sending unit 1103 is further configured to forward the second message, carrying the first temporary identity of the first terminal device, to the AMF or SMF.
- The division of units in the embodiments of this application is illustrative and is only a logical function division; in actual implementation there may be other ways of division.
- The functional units in the various embodiments of this application may be integrated into one processing unit, may each exist physically alone, or two or more units may be integrated into one module.
- The above integrated unit may be implemented in the form of hardware or of a software functional module.
- If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
- On this basis, the technical solution of this application, in essence or in the part that contributes to the prior art, or all or part of it, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that enable a terminal device (which may be a personal computer, a mobile phone, a network device, etc.) or a processor to execute all or part of the steps of the method in each embodiment of the present application.
- The aforementioned storage media include: USB flash drives, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks and other media that can store program code.
- Both the proxy function and the AMF may be presented in the form of functional modules divided in an integrated manner.
- The "module" here may refer to a specific ASIC, a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other devices that can provide the above functions.
- The communication device 1200 shown in FIG. 12 includes at least one processor 1201, a memory 1202 and, optionally, a communication interface 1203.
- The memory 1202 may be a volatile memory such as a random access memory; it may also be a non-volatile memory such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 1202 may be any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but it is not limited to these.
- The memory 1202 may also be a combination of the above memories.
- The connection medium between the processor 1201 and the memory 1202 is not limited in the embodiments of the present application.
- In the figure, the memory 1202 and the processor 1201 are connected by a bus 1204, which is represented by a thick line.
- The connection mode between the other components is only schematic and does not constitute a limitation.
- The bus 1204 may be divided into an address bus, a data bus, a control bus, etc. For ease of representation only one thick line is used in FIG. 12, but this does not mean that there is only one bus or only one type of bus.
- The processor 1201 may have a data transceiving function and be able to communicate with other devices.
- An independent data transceiving module, such as the communication interface 1203, may also be used to send and receive data; when the processor 1201 communicates with other devices, data may be transmitted through the communication interface 1203.
- When the communication device 1200 in FIG. 12 is applied to the proxy function, the processor 1201 may invoke computer-executable instructions stored in the memory 1202 so that the proxy function executes the method performed by the proxy function in any of the foregoing method embodiments.
- The functions/implementation processes of the sending unit, the receiving unit and the processing unit in FIG. 11 may all be implemented by the processor 1201 in FIG. 12 invoking computer-executable instructions stored in the memory 1202.
- Alternatively, the function/implementation process of the processing unit in FIG. 11 may be implemented by the processor 1201 in FIG. 12 invoking computer-executable instructions stored in the memory 1202, while the functions/implementation processes of the sending unit and the receiving unit in FIG. 11 are implemented by the communication interface 1203 in FIG. 12.
- The embodiments of the present application may be provided as methods, systems or computer program products. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
- These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
- These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
Abstract
This application provides a communication method and device to solve the problem that existing deployment modes cannot meet the privacy protection needs of vertical industries. A proxy function is deployed in the industry management network. The proxy function obfuscates the permanent identity of a terminal device in messages sent from the industry management network to the operator network into a temporary identity, and converts the temporary identity of the terminal device in messages sent from the operator network to the industry management network back into the permanent identity. Within the operator network, the temporary identity obtained by obfuscation is thus used as the permanent identity of the terminal device, which improves the security of the terminal device's permanent identity.
Description
Cross-reference to related applications
This application claims priority to the Chinese patent application No. 201910631030.5, entitled "一种通信方法及装置" (A communication method and device), filed with the China National Intellectual Property Administration on July 12, 2019, the entire contents of which are incorporated herein by reference.
The embodiments of this application relate to the field of communication technology, and in particular to a communication method and device.
In the fifth-generation (5G) mobile communication network, the mobile network will serve not only individual consumers but, more importantly, vertical industries such as electric power, intelligent transportation and factory campuses. In vertical industry scenarios, the requirements for service reliability, security and performance differ greatly from those of consumer-oriented services, so a separate network needs to be built for the vertical industry. Since most industries lack the ability to plan, build and maintain a wireless cellular network, construction and management of the network may have to rely on the operator, whereas for the vertical industry the users' subscription data (such as the permanent identity of the terminal device) is private data that needs to be managed and protected by the industry network. In existing deployment modes, however, the permanent identity of the terminal device is transparent in both the operator network and the vertical industry network, which cannot meet the industry's privacy protection needs.
Summary
The embodiments of this application provide a communication method and device to solve the problem that existing deployment modes cannot meet the privacy protection needs of vertical industries.
In a first aspect, an embodiment of this application provides a communication method, including: during the registration process of a first terminal device, a proxy function receives, from a security anchor function SEAF, the permanent identity of the first terminal device that is to be sent to the access and mobility management function AMF, where the SEAF and the proxy function are located in the vertical industry network and the AMF is located in the operator network; the proxy function obfuscates the permanent identity of the first terminal device to obtain a first temporary identity of the first terminal device; the proxy function sends the first temporary identity of the first terminal device to the AMF, and the first temporary identity is used as the permanent identity of the first terminal device in the network elements of the operator network. The network elements of the operator network include the AMF and, for example, may also include the SMF, UPF, PCF and so on. In this solution, the operator network and the vertical industry network are separated by the proxy function, and the proxy function obfuscates the permanent identity of the first terminal device, so that the operator network uses the temporary identity obtained by obfuscation as the permanent identity of the first terminal device, which improves the security of the permanent identity.
In a possible design, the method further includes: the proxy function receives a first message from a network element of the operator network, the first message carrying the first temporary identity of the first terminal device, where the network element of the operator network is the AMF or the session management function SMF; the proxy function converts the first temporary identity to obtain the permanent identity of the first terminal device; the proxy function forwards the first message, carrying the permanent identity of the first terminal device, to a network element of the industry management network, where that network element is the SEAF, the authentication server function AUSF or the unified data management function UDM.
Converting the first temporary identity to obtain the permanent identity of the first terminal device may specifically mean de-obfuscating the first temporary identity to obtain the permanent identity of the first terminal device. Alternatively, the proxy function may store the correspondence between the first temporary identity and the permanent identity and convert the first temporary identity into the permanent identity according to that correspondence.
For example, the first message may be a service request message sent by a network element of the operator network to a network element of the industry management network, such as a service request initiated by the AMF or SMF to the AUSF, UDM or SEAF in the industry management network; the first message may also be a response message sent by a network element of the operator network to a network element of the industry management network, in response to a service request from a network element of the industry management network (such as the AUSF, UDM or SEAF). For example, the service request message may be a session establishment request, a session modification request or a session deletion request.
In this design, the proxy function converts the temporary identity in service messages from the operator network into the permanent identity, so that the temporary identity is used only within the operator network, which improves the security of the permanent identity without changing existing procedures.
In a possible design, the method further includes: the proxy function receives a second message from a network element of the industry management network (such as the AUSF, UDM or SEAF), the second message carrying the permanent identity of the first terminal device; the proxy function obfuscates the permanent identity of the first terminal device in the second message to obtain the first temporary identity of the first terminal device; the proxy function forwards the second message, carrying the first temporary identity of the first terminal device, to the AMF or SMF. In this solution, the proxy function obfuscates the permanent identity of the first terminal device, so that the network elements in the operator network use the temporary identity obtained by obfuscation as the permanent identity of the first terminal device, which improves the security of the permanent identity.
For example, the second message may be a service request message sent by a network element of the industry management network to a network element of the operator network, such as a request initiated by the AUSF, UDM or SEAF to the AMF or SMF; the second message may also be a response message or a notification message sent by a network element of the industry management network to a network element of the operator network, where the response message responds to a service request from the operator network, and the notification message may be an event notification triggered by an event that a network element of the operator network subscribed to in advance with a network element of the industry management network such as the UDM.
In a possible design, obfuscating the permanent identity of the first terminal device to obtain its first temporary identity includes: the proxy function obfuscates the mobile subscriber identification number MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device, which includes the obfuscated MSIN. In this design, when obfuscating the SUPI of the first terminal device, the proxy function keeps the MCC and MNC in the SUPI unchanged and obfuscates only the MSIN, so the resulting temporary identity includes the obfuscated MSIN. The network elements of the operator network can therefore still select a network or perform addressing according to the MCC and MNC when using the temporary identity, and the obfuscation method provided in the embodiments of this application does not affect existing processing procedures.
In a possible design, the proxy function may obfuscate the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device using, but not limited to, the following obfuscation processing methods:
First obfuscation processing method: the proxy function cyclically shifts the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device.
Second obfuscation processing method: the proxy function swaps at least two parts of the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; or,
Third obfuscation processing method: the proxy function encrypts the MSIN in the permanent identity of the first terminal device with a first key to obtain the first temporary identity of the first terminal device.
In a possible design, when obfuscating the permanent identity to obtain the first temporary identity of the first terminal device, the proxy function uses a pre-configured first obfuscation processing method to obfuscate the permanent identity and obtain the first temporary identity; when the proxy function determines that the first obfuscation processing method has been used to obfuscate the permanent identity of the first terminal device for a first preset duration, it uses a pre-configured second obfuscation processing method to obfuscate the permanent identity and obtain a second temporary identity of the first terminal device; it then sends a first update message to the AMF, the first update message carrying the second temporary identity of the first terminal device and instructing the AMF to update the first temporary identity, which is used as the permanent identity of the first terminal device, to the second temporary identity. For example, the AMF may further notify other related network elements of the operator network, such as the SMF and UPF, of the update. The first and second obfuscation processing methods may be different kinds among the first to third obfuscation processing methods described above, or different variants of the same kind, for example both cyclic shifts with different numbers of shift positions. Updating the obfuscation processing method in this way further improves the security of the permanent identity.
In a possible design, obfuscating the permanent identity of the first terminal device to obtain its first temporary identity includes: the proxy function uses a third obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain the first temporary identity, where the third obfuscation processing method is the method used within a second preset duration to obfuscate the permanent identity of any terminal device in a first terminal device group, and the first terminal device group includes the first terminal device; the method further includes: when the proxy function determines that the third obfuscation processing method has been in use for longer than the second preset duration, it updates the third obfuscation processing method used for the first terminal device group to a pre-configured fourth obfuscation processing method. The third and fourth obfuscation processing methods may be different kinds among the first to third obfuscation processing methods, or different variants of the same kind, for example both cyclic shifts with different numbers of shift positions.
In a possible design, the proxy function is specifically configured to use a third obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain the first temporary identity, where the third obfuscation processing method is the method used to obfuscate the permanent identity of any terminal device in a first terminal device group, and the first terminal device group includes the first terminal device; the method further includes: the proxy function receives a trigger instruction for updating the obfuscation processing method sent by a management network element; the proxy function updates the method used to obfuscate the permanent identities of the first terminal device group to a pre-configured fourth obfuscation processing method.
In a possible design, after the third obfuscation processing method used for the first terminal device group is updated to the pre-configured fourth obfuscation processing method, the method further includes: the proxy function uses the fourth obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain a third temporary identity of the first terminal device; the proxy function sends a second update message to the AMF, the second update message carrying the third temporary identity of the first terminal device and instructing the AMF to update the first temporary identity, used as the permanent identity of the first terminal device, to the third temporary identity. For example, the AMF may further notify other related network elements of the operator network, such as the SMF and UPF, of the update.
In a second aspect, an embodiment of this application further provides a communication device applied to the proxy function; for its beneficial effects refer to the description of the first aspect, which is not repeated here. The device has the functions performed by the proxy function in the method examples of the first aspect. These functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions. In a possible design, the structure of the device includes a receiving unit, a processing unit and a sending unit, which can perform the corresponding functions in the method examples of the first aspect; see the detailed description in the method examples, which is not repeated here.
In a third aspect, an embodiment of this application further provides a communication device applied to the proxy function; for its beneficial effects refer to the description of the first aspect, which is not repeated here. The structure of the communication device includes a processor and a memory, the processor being configured to support the proxy function in performing the corresponding functions in the method of the first aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the communication device. The structure of the communication device further includes a communication interface for communicating with other devices.
In a fourth aspect, an embodiment of this application provides a communication system applied in a vertical industry network; the communication system includes a proxy function and a security anchor function SEAF;
the SEAF is configured to send the permanent identity of a first terminal device to the proxy function during the registration process of the first terminal device;
the proxy function is configured to, after receiving the permanent identity of the first terminal device from the SEAF, obfuscate the permanent identity of the first terminal device to obtain a first temporary identity of the first terminal device, and send the first temporary identity of the first terminal device to the mobility management function AMF located in the operator network, where the first temporary identity is used in the AMF as the permanent identity of the first terminal device.
In a possible design, the proxy function is further configured to receive the concealed identity of the first terminal device sent by the AMF and send the concealed identity of the first terminal device to the SEAF;
the communication system further includes a unified data management function UDM;
the SEAF is further configured to, after receiving the concealed identity of the first terminal device sent by the proxy function, send the concealed identity of the first terminal device to the UDM;
the UDM is configured to parse the concealed identity of the first terminal device to obtain the permanent identity of the first terminal device, and send the permanent identity of the first terminal device to the SEAF.
In a possible design, the system further includes an authentication server function AUSF and a UDM located in the vertical industry network;
the proxy function is further configured to receive a first message from the AMF or SMF, the first message requesting a service from the AUSF or UDM and carrying the first temporary identity of the first terminal device; de-obfuscate the first temporary identity to obtain the permanent identity of the first terminal device; and forward the first message, carrying the permanent identity of the first terminal device, to the authentication server function AUSF, the unified data management function UDM or the SEAF in the vertical industry network.
In a possible design, the proxy function is further configured to receive a second message from the AUSF, UDM or SEAF, the second message carrying the permanent identity of the first terminal device; obfuscate the permanent identity of the first terminal device in the second message to obtain the first temporary identity of the first terminal device; and forward the second message, carrying the first temporary identity of the first terminal device, to the AMF or SMF.
In a possible design, the proxy function is specifically configured to obfuscate the mobile subscriber identification number MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device, which includes the obfuscated MSIN.
In a possible design, the proxy function is specifically configured to:
cyclically shift the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; or,
swap at least two parts of the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; or,
encrypt the MSIN in the permanent identity of the first terminal device with a first key to obtain the first temporary identity of the first terminal device.
In a possible design, the proxy function is specifically configured to use a pre-configured first obfuscation processing method to obfuscate the permanent identity to obtain the first temporary identity of the first terminal device;
the proxy function is further configured to, when determining that the first obfuscation processing method has been used to obfuscate the permanent identity of the first terminal device for a first preset duration, use a pre-configured second obfuscation processing method to obfuscate the permanent identity to obtain a second temporary identity of the first terminal device; and send a first update message to the AMF, the first update message carrying the second temporary identity of the first terminal device and instructing the AMF to update the first temporary identity, used as the permanent identity of the first terminal device, to the second temporary identity.
In a possible design, the proxy function is specifically configured to use a third obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain the first temporary identity, where the third obfuscation processing method is the method used within a second preset duration to obfuscate the permanent identity of any terminal device in a first terminal device group, and the first terminal device group includes the first terminal device;
the proxy function is further configured to, when determining that the third obfuscation processing method has been in use for longer than the second preset duration, update the third obfuscation processing method used for the first terminal device group to a pre-configured fourth obfuscation processing method.
In a possible design, the proxy function is specifically configured to use a third obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain the first temporary identity, where the third obfuscation processing method is the method used to obfuscate the permanent identity of any terminal device in a first terminal device group, and the first terminal device group includes the first terminal device;
the proxy function is further configured to receive a trigger instruction for updating the obfuscation processing method sent by a management network element, and to update the method used to obfuscate the permanent identities of the first terminal device group to a pre-configured fourth obfuscation processing method.
In a possible design, the proxy function is further configured to, after updating the third obfuscation processing method used for the first terminal device group to the pre-configured fourth obfuscation processing method, use the fourth obfuscation processing method to obfuscate the permanent identity of the first terminal device to obtain a third temporary identity of the first terminal device; and send a second update message to the AMF, the second update message carrying the third temporary identity of the first terminal device and instructing the AMF to update the first temporary identity, used as the permanent identity of the first terminal device, to the third temporary identity.
In a fifth aspect, this application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of the first aspect.
In a sixth aspect, this application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the method of the first aspect.
In a seventh aspect, this application further provides a computer chip connected to a memory, the chip being configured to read and execute the software program stored in the memory to perform the method of the first aspect.
FIG. 1 is a schematic diagram of a scenario to which the embodiments of this application apply;
FIG. 2 is a schematic diagram of a communication architecture provided by an embodiment of this application;
FIG. 3 is a schematic diagram of another communication architecture provided by an embodiment of this application;
FIG. 4 is a schematic flowchart of the communication method in the registration process provided by an embodiment of this application;
FIG. 5 is a schematic diagram of the SUCI format provided by an embodiment of this application;
FIG. 6 is a schematic diagram of the IMSI format provided by an embodiment of this application;
FIG. 7A and FIG. 7B are schematic flowcharts of the communication method in the service request process provided by an embodiment of this application;
FIG. 8 is a schematic diagram of the PDU session establishment procedure provided by an embodiment of this application;
FIG. 9 is a schematic diagram of the PDU session modification procedure provided by an embodiment of this application;
FIG. 10 is a schematic diagram of the deregistration procedure provided by an embodiment of this application;
FIG. 11 is a schematic structural diagram of a communication device provided by an embodiment of this application;
FIG. 12 is a schematic structural diagram of a communication device 1200 provided by an embodiment of this application.
It should be understood that references throughout the specification to "one embodiment", "an implementation", "an implementation manner" or "an example" mean that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of this application. Therefore, "in one embodiment", "an implementation", "an implementation manner" or "in an example" appearing in various places throughout the specification do not necessarily refer to the same embodiment. Furthermore, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of this application, the numbering of the processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic and should not constitute any limitation on the implementation of the embodiments of this application.
In addition, the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone. The character "/" herein generally indicates an "or" relationship between the associated objects. The term "at least one" in this application means one or more, i.e. one, two, three or more; "a plurality of" means two or more, i.e. two, three or more. It should also be understood that in the description of this application the words "first", "second" and the like are used only to distinguish the objects described and should not be understood as indicating or implying relative importance or order. "At least one of the following items" or similar expressions refer to any combination of these items, including any combination of a single item or a plurality of items. For example, at least one of a, b or c may mean: a, b, c, a-b, a-c, b-c or a-b-c, where a, b and c may each be single or plural. It should be understood that, in the embodiments of this application, "B corresponding to A" means that B is associated with A and B can be determined according to A. It should also be understood, however, that determining B according to A does not mean determining B only according to A; B may also be determined according to A and/or other information. Unless stated otherwise, ordinal words such as "first" and "second" in the embodiments of this application are used to distinguish multiple objects and do not limit their order, timing, priority or importance. Furthermore, the terms "include" and "have" in the embodiments, claims and drawings of this application are not exclusive. For example, a process, method, system, product or device that includes a series of steps or modules is not limited to the listed steps or modules and may include steps or modules that are not listed.
Because of the privacy protection needs of vertical industries, one possible communication network deployment may be as shown in FIG. 1, in which functions related to user privacy data, such as subscription data management and user authentication services, may be deployed in the vertical industry network (also called the industry management network, or simply the industry network), so that the industry network manages user privacy data itself. FIG. 2 is a schematic diagram of a possible communication network system architecture when a vertical industry network is deployed. A terminal device, which may also be called user equipment (UE), may be a mobile device such as a mobile phone, a tablet (pad), a computer with wireless transceiver capability, a wireless terminal in industrial control, self-driving, remote medical surgery, a smart grid, transportation safety, a smart city, a smart home, and so on.
The network architecture further includes a radio access network (RAN), whose main function is to control users' wireless access to the mobile communication network. The RAN is part of the mobile communication system and implements a radio access technology. Conceptually, it resides between devices (such as a mobile phone, a computer or any remotely controlled machine) and provides their connection to the core network. The RAN includes radio access devices of various standards, such as an evolved Node B (eNB), a radio network controller (RNC) or Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example a home evolved NodeB or home Node B, HNB), a baseband unit (BBU), an access point (AP) in a wireless fidelity (WIFI) system, a wireless relay node, a wireless backhaul node, a transmission point (transmission and reception point, TRP, or transmission point, TP) and so on; it may also be a gNB or transmission point (TRP or TP) in a 5G (NR) system, one antenna panel or a group of antenna panels (including multiple panels) of a base station in a 5G system, or a network node that forms part of a gNB or transmission point, such as a baseband unit (BBU) or a DU in a central unit-distributed unit (CU-DU) architecture.
The network architecture may further include, located in the operator network, an access and mobility management function (AMF), a session management function (SMF), a user plane function (UPF), a policy control function (PCF) and so on, and, located in the vertical industry management network, a unified data management (UDM), an authentication server function (AUSF) and so on.
The AMF is responsible for access management and mobility management of the UE, such as registration management, connection management, mobility management and reachability management; in practice it includes the mobility management functions of the mobility management entity (MME) in the LTE network framework, with access management functions added. The PCF is responsible for policy control and is connected to the SMF. The SMF is used for session management and provides service continuity. The UPF is responsible for user plane processing.
The network architecture may further include a security anchor function (SEAF); the SEAF network element is used to complete authentication of the UE and may be co-deployed with the AMF, as shown in FIG. 2. The AUSF provides the authentication service function and terminates the authentication function requested by the SEAF network element; during authentication it receives the authentication vector sent by the UDM, processes it and sends the processed authentication vector to the SEAF. The UDM network element may store user subscription information, generate authentication parameters and so on.
In the 4G network, the permanent identity of the terminal device (subscription permanent identifier, SUPI) could be transmitted in clear text over the air interface, which creates security risks such as user tracking. In the 5G network, to keep the UE's SUPI invisible over the air interface, the subscription concealed identifier (SUCI) was introduced to protect the UE's SUPI. When the UE initiates the 5G network registration process, it encrypts the SUPI to obtain the SUCI and sends the SUCI to the AMF on the core network side; the AMF initiates an authentication request to the AUSF based on the SUCI to request identity authentication of the UE; the AUSF requests an authentication vector for authenticating the UE from the UDM; the UDM decrypts the SUCI to obtain the SUPI, generates the authentication vector for authenticating the UE and returns the authentication vector and SUPI to the AUSF; the AUSF then authenticates the UE's identity based on the authentication vector and, after successful authentication, returns the UE's SUPI to the AMF. Thereafter, interactions between the network elements of the 5G core network in this user's session management and mobility management procedures all use the SUPI as the user identifier.
It can be seen that the user's permanent identity SUPI is visible in the operator network, which does not meet the privacy protection needs of vertical industries. On this basis, the embodiments of this application provide a communication method and device that protect the UE's permanent identity so that it is visible only in the vertical industry network and not in the operator network.
It should be understood that the vertical industry network in the embodiments of this application may be a third-party network distinct from the operator network, may be called the industry network for short, and may of course be named otherwise; this application does not specifically limit this. The industry network may be, for example, an enterprise campus network, a venue network, a power system network, an intelligent transportation network and so on.
In the embodiments of this application, the SEAF and the AMF may be deployed separately, with the SEAF deployed in the vertical industry network. FIG. 3 is a schematic diagram of the communication network architecture provided by an embodiment of this application, in which the network elements of the operator network may include the AMF, SMF, UPF, PCF and so on, and the network elements of the industry network may include the SEAF, UDM, AUSF and so on. The embodiments of this application introduce a new function, which may be called the proxy function (Proxy) or the privacy proxy, or of course by another name; this application does not specifically limit this, and the embodiments use "proxy function" as the example. The proxy function is deployed in the middle of the control-plane communication between the industry network and the operator network, and all control-plane communication between the two networks passes through it. The proxy function and the SEAF may be co-deployed or deployed separately; the embodiments of this application take separate deployment as the example.
The proxy function is specifically used to obfuscate the terminal device's SUPI carried in messages sent from the industry network to the operator network to obtain the terminal device's temporary identity, and to convert the terminal device's temporary identity carried in messages sent from the operator network to the industry network back into the SUPI. For convenience of description, the embodiments of this application call the temporary identity obtained by obfuscating the SUPI the SUPI*. The SUPI* is used as the permanent identity of the terminal device by the network elements of the operator network; that is, the industry network uses the terminal device's real identifier, the SUPI, while the network elements of the operator network use the SUPI* obtained by obfuscating the SUPI.
Taking a first terminal device as an example: during the registration process of the first terminal device, the proxy function receives the SUPI of the first terminal device from the SEAF, obfuscates the SUPI to obtain the SUPI* of the first terminal device, and then sends the SUPI* to the AMF. The AMF uses the SUPI* as the permanent identity of the first terminal device. In subsequent service management, such as session management or other service request procedures, when a network element of the operator network such as the AMF or SMF sends a first message carrying the SUPI* to the industry network, the proxy function de-obfuscates the SUPI* in the first message into the SUPI and forwards the first message carrying the SUPI to the network element in the industry network, so that the SUPI is used as the user identifier in the industry network. For example, the first message may be a service request message sent by a network element of the operator network to a network element of the industry network, such as a service request initiated by the AMF or SMF to the AUSF, UDM or SEAF in the industry network; the first message may also be a response message sent by a network element of the operator network to a network element of the industry network, in response to a service request or service notification from a network element of the industry network (such as the AUSF, UDM or SEAF). For example, the service request message may be a session establishment request, a session modification request or a session deletion request, and the service notification may be a subscription data change event notification.
Likewise, when a network element in the industry network, such as the AUSF, UDM or SEAF, sends a second message carrying the SUPI to the operator network, the proxy function first converts the SUPI in the second message into the SUPI* and then forwards the second message carrying the SUPI* to the network element in the operator network. For example, the second message may be a service request message sent by a network element of the industry network to a network element of the operator network, such as a request initiated by the AUSF, UDM or SEAF to the AMF or SMF; the second message may also be a response message or a notification message sent by a network element of the industry network to a network element of the operator network, where the response message responds to a service request from the operator network, and the notification message may be an event notification triggered by an event that a network element of the operator network subscribed to in advance with a network element of the industry network such as the UDM.
The solutions provided by the embodiments of this application are described in detail below with reference to the drawings.
Referring to FIG. 4, the communication process in which the first terminal device registers with the network is taken as an example.
S401: during the UE registration process, the UE sends a registration request message to the AMF, carrying the SUCI. The SUCI is generated based on the SUPI. For example, FIG. 5 is a schematic diagram of the SUCI format; the SUCI includes the following information 1) to 6).
1) SUPI Type can have 7 values, identifying 7 types of SUPI encrypted in the SUCI. Currently SUPI type has 2 defined values: a SUPI type of 0 indicates that the SUPI is an international mobile subscriber identification number (IMSI), and a SUPI type of 1 indicates that the SUPI is a network specific identifier. Values 2 to 7 are not yet specified and are reserved for future use.
FIG. 6 is a schematic diagram of the IMSI format. The IMSI consists of three parts: the MCC (mobile country code), the MNC (mobile network code) and the mobile subscriber identification number (MSIN). The MCC uniquely identifies the country to which the mobile subscriber belongs and may consist of three decimal digits (000-999); for example, the MCC of China is 460. The MNC identifies the operator to which the UE belongs. The MCC and MNC together uniquely identify the UE's network operator. The MSIN identifies a mobile subscriber within a mobile communication network. The IMSI is the mark that distinguishes mobile subscribers and may be configured in the universal subscriber identity module (USIM) card of the UE.
2) Home Network Identifier.
When the SUPI type indicates that the SUPI is an IMSI, the Home Network Identifier may consist of two parts, the MCC and the MNC. When the SUPI type indicates that the SUPI is a network specific identifier (NSI), the Home Network Identifier may be a specific string.
3) Routing Indicator, consisting of 1 to 4 decimal digits. Together with the Home Network Identifier, the Routing Indicator indicates the AUSF and UDM serving this UE. The Routing Indicator may be configured in the UE's universal subscriber identity module (USIM) card; if it is not configured in the USIM card, the Routing Indicator takes the default value 0.
4) Protection Scheme Identifier, indicating the security protection mechanism used; it can take 3 values: 0x0, 0x1 and 0x2. A Protection Scheme Identifier of 0x0 indicates NULL-SCHEME, whose output equals its input, i.e. no encryption is performed; for example, if the input is the SUPI, the NULL-SCHEME output is also the SUPI. A value of 0x1 indicates the Profile<A> protection mechanism, and a value of 0x2 indicates the Profile<B> protection mechanism. If Profile<A> and Profile<B> are configured in the UE, the UE may choose one of them to encrypt the SUPI into the SUCI. If neither Profile<A> nor Profile<B> is configured in the UE, the UE may choose NULL-SCHEME, i.e. not encrypt the SUPI.
5) Home Network Public Key Identifier, indicating the public key used by the UE. The UE uses the public key together with Profile<A> or Profile<B> to encrypt the SUPI into the SUCI. Multiple public keys may be pre-configured in the UE; the UE may select one of them and use its identifier (such as an ID) as the value of the Home Network Public Key Identifier. If NULL-SCHEME is used, the Home Network Public Key Identifier is 0.
6) Scheme Output, representing the output of the security protection mechanism, which may be represented by a string. The Scheme Output may be obtained by encrypting the input of the protection scheme (the Scheme Input) using the public key determined by the Home Network Public Key Identifier and the protection mechanism determined by the Protection Scheme Identifier. When the SUPI is an IMSI, the Scheme Input may be the mobile subscriber identification number (MSIN), which identifies the subscriber under the operator.
S402: the AMF forwards the registration request message to the SEAF; the registration request message passes through the proxy function.
S403: on receiving the registration request message, the proxy function determines that it does not carry a SUPI and transparently forwards it to the SEAF.
For example, the proxy function may determine whether a received message carries a SUPI or an obfuscated SUPI* according to the message name or message type. Alternatively, the proxy function may parse the received message to determine whether it carries a SUPI or SUPI*.
S404: the SEAF sends authentication request message 1, carrying the SUCI, to the AUSF.
For example, authentication request message 1 may be Nausf_UEAuthentication_Authenticate Request, carrying the SUCI.
S405: after receiving authentication request message 1, the AUSF sends authentication request message 2, carrying the SUCI, to the UDM to request an authentication vector based on the SUCI. For example, authentication request message 2 may be Nudm_UEAuthentication_Get Request.
S406: after receiving authentication request message 2, the UDM obtains the SUPI from the SUCI.
The specific procedure by which the UDM obtains the SUPI may include A1 to A4:
A1: the UDM determines which security protection mechanism the UE used according to the Protection Scheme Identifier in the SUCI.
A2: the UDM determines which public/private key pair the UE used according to the Home Network Public Key Identifier in the SUCI.
A3: the UDM decrypts the Scheme Output and verifies its integrity protection using the determined protection mechanism and private key. If the integrity verification succeeds, the decrypted result is the recovered identity information of the UE; when the SUPI is an IMSI, the result parsed from the Scheme Output is the MSIN.
A4: the UDM then obtains the final SUPI according to the SUPI type. For example, the UDM determines the type of the obtained SUPI according to the SUPI type; if the SUPI type is IMSI, the decrypted Scheme Output is known to represent the MSIN, and the UDM combines the MCC and MNC from the Home Network Identifier with the MSIN to form the IMSI, i.e. the SUPI.
For example, the UDM obtains the authentication vector of the first terminal device according to the SUPI; the authentication vector is used to authenticate the identity of the first terminal device.
S407: the UDM sends authentication response message 2 to the AUSF, carrying the SUPI and optionally the authentication vector. For example, authentication response message 2 may be Nudm_UEAuthentication_Get Response.
S408: the AUSF performs mutual authentication with the first terminal device according to the obtained authentication vector.
S409: after authentication succeeds, the AUSF returns authentication response message 1 to the SEAF, carrying the SUPI and K_SEAF. K_SEAF is derived from K_AUSF during the mutual authentication process, and K_AUSF is generated based on the information included in the authentication vector; the specific mutual authentication process and key derivation mechanism follow existing protocols and are not described again in the embodiments of this application.
S410: the SEAF derives K_AMF from the obtained SUPI and K_SEAF.
S411: the SEAF sends a registration response message, carrying the SUPI, to the AMF via the proxy function.
S412: the registration response message passes through the proxy function; the proxy function determines that the registration response message carries a SUPI and obfuscates the SUPI in it to obtain the SUPI*.
For example, after obfuscating the SUPI into the SUPI*, the proxy function may store the correspondence between the SUPI and the SUPI*; to improve security it may also choose not to store it. The manner of obfuscating the SUPI into the SUPI* is described by example later and is not repeated here.
S413: the proxy function forwards the registration response message, carrying the SUPI*, to the AMF.
After receiving the registration response message, the AMF may distribute the SUPI* to other core network elements deployed in the operator network, such as the SMF, PCF and UPF, following the 3rd generation partnership project (3GPP) procedures, and the AMF and these network elements use the SUPI* as the permanent identity of the first terminal device when executing subsequent service requests.
FIG. 7A and FIG. 7B are schematic flowcharts of the communication method provided by an embodiment of this application for executing subsequent services after successful registration. FIG. 7A takes a request initiated by a network element of the operator network to a network element of the industry network as the example. FIG. 7B takes an event service notification initiated by a network element of the industry network to a network element of the operator network as the example. It should be understood that a registration request is also a kind of service request.
In 3GPP Release 15, the service-based architecture (SBA) is the basic 5G network architecture. In the SBA, network elements can communicate through two types of service interfaces: request and response (Request-Response) interfaces, or subscribe and notify (Subscribe-Notify) interfaces. When the first terminal device interacts with the AMF to complete the registration management procedure, or with the SMF to complete the protocol data unit (PDU) session management procedure, service requests or service subscriptions must be initiated to the SEAF, AUSF or UDM network elements in the industry network, and service responses or service notifications received. The SEAF, AUSF or UDM may send service notifications to the SMF or AMF according to service subscriptions (for example, an update of session management data triggers the UDM to notify the SMF). Session management mentioned in the embodiments of this application may be, for example, session establishment, session modification or session deletion. For example, the service request message may be a session establishment request message, a session modification request message or a session deletion request message.
Referring to FIG. 7A, the communication method includes:
S701a: the AMF, based on the SUPI*, initiates a service request message to the industry network via the SMF, the service request message carrying the SUPI* of the first terminal device. The service request message requests a service from a network element in the industry network, which may be the AUSF or UDM; FIG. 7A uses the UDM as the example. Other network elements may be deployed in the industry network in the future, in which case the industry network's network elements may also include them.
For example, the AMF may initiate the service request message to the industry network via the SMF upon receiving a service request message, such as a non-access stratum (NAS) message, from the first terminal device.
S702a: after receiving the service request message, the proxy function in the industry network converts the SUPI* of the first terminal device in the service request message into the SUPI of the first terminal device.
For example, in the embodiments of this application the SUPI* may be converted into the SUPI in one of two ways: by de-obfuscating the SUPI* according to the pre-configured obfuscation processing method to obtain the SUPI; or, if the proxy function stored the correspondence between the SUPI and SUPI* of the first terminal device during registration, by replacing the SUPI* of the first terminal device in the service request message with the SUPI according to the stored correspondence.
S703a: the proxy function forwards the service request message carrying the SUPI of the first terminal device to the UDM. After the industry network has executed the service based on the SUPI of the first terminal device, S704a is performed.
S704a: the UDM sends a service response message to the SMF via the proxy function.
In one example, the service response message carries the SUPI of the first terminal device; the proxy function converts the SUPI of the first terminal device in the service response message into the SUPI* of the first terminal device and forwards the service response message carrying the SUPI* of the first terminal device to the SMF.
For example, in the embodiments of this application the SUPI may be converted into the SUPI* in one of two ways: by obfuscating the SUPI according to the pre-configured obfuscation processing method to obtain the SUPI*; or, if the proxy function stored the correspondence between the SUPI and SUPI* of the first terminal device during registration, by replacing the SUPI of the first terminal device in the message with the SUPI* according to the stored correspondence.
In another example, the service response message does not carry the SUPI of the first terminal device; the proxy function performs S705a and transparently forwards the service response message to the SMF.
Referring to FIG. 7B, with the UDM as the network element in the industry network, the communication method includes:
S701b: the UDM initiates a service notification message to a network element of the operator network (the SMF in this example), the service notification message carrying the SUPI of the first terminal device. For example, the service notification may be a notification of a subscribed event.
S702b: after receiving the service notification message, the proxy function in the industry network converts the SUPI of the first terminal device in the service notification message into the SUPI* of the first terminal device.
For example, in the embodiments of this application the SUPI may be converted into the SUPI* in one of two ways: by obfuscating the SUPI according to the pre-configured obfuscation processing method to obtain the SUPI*; or, if the proxy function stored the correspondence between the SUPI and SUPI* of the first terminal device during registration, by replacing the SUPI of the first terminal device in the message with the SUPI* according to the stored correspondence.
S703b: the proxy function forwards the service notification message carrying the SUPI* of the first terminal device to the SMF.
S704b: the SMF sends a service notification acknowledgement message to the UDM via the proxy function.
In one example, the service notification acknowledgement message carries the SUPI* of the first terminal device; the proxy function performs S705b, converting the SUPI* of the first terminal device in the service notification acknowledgement message into the SUPI of the first terminal device, and S706b, forwarding the service notification acknowledgement message carrying the SUPI of the first terminal device to the UDM.
In another example, the service notification acknowledgement message does not carry the SUPI* of the first terminal device; the proxy function transparently forwards the service notification acknowledgement message to the UDM.
The solution provided by the embodiments of this application is described in detail below with session establishment as the subsequent service; see FIG. 8.
S801: the first terminal device initiates a PDU session establishment request message to the AMF. For example, the PDU session establishment request message may be PDU session establishment request.
S802: after receiving the PDU session establishment request message, the AMF sends a create session context request message, carrying the SUPI*, to the SMF.
S803: the SMF sends a session registration request message to the UDM in the industry network to register session-related information with the UDM. The session registration request message carries the SUPI* and may also carry the data network name (DNN), the PDU session ID and so on. For example, the session registration request message may be Nudm_UECM_Registration request.
S804: the proxy function in the industry network receives the session registration request message and converts the SUPI* in it into the SUPI.
S805: the proxy function forwards the session registration request message carrying the SUPI to the UDM.
S806: the UDM obtains the session context according to the SUPI and returns a session registration response message to the SMF via the proxy function. The session registration response message may be Nudm_UECM_Registration response.
S807: after receiving the session registration response message, the proxy function determines that it does not include a SUPI and transparently forwards it to the SMF.
Optionally, the session registration response message may also carry the SUPI, in which case the proxy function, after receiving the session registration response message, converts the SUPI in it into the SUPI* and forwards the session registration response message carrying the SUPI* to the SMF.
The solution provided by the embodiments of this application is described in detail below with session modification as the subsequent service (where the session modification procedure is triggered by an update notification that the UDM initiates to the SMF according to a subscription data change event); see FIG. 9.
S901: the UDM initiates a subscriber data update notification message to the SMF. For example, when the UDM determines that the subscription data has changed in some way, it initiates a subscriber data update notification message to the SMF; the message may carry information about the changed subscription data and may also carry the SUPI of the first terminal device. For example, the subscriber data update notification message may be Nudm_SDM_Notification.
S902: after receiving the subscriber data update notification message sent from the UDM to the SMF, the proxy function determines that it carries a SUPI and converts the SUPI of the first terminal device into the SUPI*;
S903: the proxy function forwards the subscriber data update notification message, now carrying the SUPI*, to the SMF.
S904: after receiving the subscriber data update notification message, the SMF may send a subscriber data update acknowledgement message to the UDM, which may carry the SUPI*. The subscriber data update acknowledgement message may be Nudm_SDM_Notification ACK.
S905: when the proxy function receives the subscriber data update acknowledgement message sent by the SMF to the UDM, it determines that the message carries a SUPI* and converts the SUPI* into the SUPI;
S906: the proxy function forwards the subscriber data update acknowledgement message, now carrying the SUPI, to the UDM.
The solution provided by the embodiments of this application is described in detail below with deregistration of the first terminal device as the subsequent service; see FIG. 10.
S1001: during the deregistration process of the first terminal device, the first terminal device sends a deregistration request message to the AMF.
S1002: the AMF sends a PDU session context release request message, carrying the SUPI*, to the SMF. The PDU session context release request message may be Nsmf_PDUSession_ReleaseSMContext Request.
S1003: the SMF sends a deregistration notification message to the UDM; the deregistration notification message may be Nudm_SDM_unsubscribe or Nudm_UECM_Deregistration.
S1004: after receiving the deregistration notification message, the proxy function determines that it carries a SUPI* and converts the SUPI* in the deregistration notification message into the SUPI.
S1005: the proxy function forwards the deregistration notification message carrying the SUPI to the UDM. The UDM completes the corresponding operations according to the deregistration notification message.
S1006: the UDM sends a deregistration notification response message to the SMF via the proxy function.
S1007: after receiving the deregistration notification response message, the proxy function determines that it does not include a SUPI and transparently forwards it to the SMF.
Optionally, the deregistration notification response message may also carry the SUPI, in which case the proxy function, after receiving the deregistration notification response message, converts the SUPI in it into the SUPI* and forwards the deregistration notification response message carrying the SUPI* to the SMF.
The following describes, by way of example, the manner in which the embodiments of this application obfuscate the SUPI to obtain the SUPI*, taking the case where the SUPI is an IMSI. When obfuscating the SUPI of the first terminal device, the proxy function may keep the MCC and MNC in the IMSI unchanged and obfuscate only the MSIN in the IMSI, so that the resulting SUPI* includes the obfuscated MSIN. The network elements of the operator network can therefore still select a network or perform addressing according to the MCC and MNC when using the SUPI*, and the obfuscation method provided by the embodiments of this application does not affect existing processing procedures.
The embodiments of this application describe several obfuscation processing methods by way of example:
Example 1: cyclically shift the MSIN, for example by M positions, where M is an integer greater than or equal to 1.
Example 2: swap at least two parts of the MSIN. For example, the MSIN includes 10 digits and is divided into several parts, each including one or more digits. If each part is a single digit, the 5th digit may be swapped with the 10th digit, or the 5th, 7th and 10th digits may be exchanged among themselves, and so on. Alternatively, a first part and a second part may be exchanged, where the first part includes the 5th and 6th digits and the second part includes the 8th, 9th and 10th digits.
Example 3: encrypt the MSIN in the IMSI with a first key, for example using symmetric encryption.
Example 4: divide the MSIN into segments and use different obfuscation processing methods for different segments. For example, the MSIN is divided into two segments, the first obfuscated by a cyclic shift of 1 position and the second by symmetric encryption.
In the embodiments of this application, cyclic shifts by different numbers of positions count as different obfuscation processing methods; swap processing with different swapped positions counts as different obfuscation processing methods; and encryption with different keys may also be regarded as different obfuscation processing methods.
As an example, to improve the security of the SUPI, an update policy for the obfuscation processing method may be defined: the obfuscation processing method may be updated automatically on a timer, or the update may be triggered by an administrator through a management device. Optionally, the management device may configure in the proxy function a set of obfuscation processing methods, each with a different index. With timed automatic updates, the methods may be cycled through in index order. For example, the number of cyclic shift positions, the swapped digit positions or the symmetric encryption key may be updated, or the method may change from encryption to cyclic shift, or from cyclic shift to swap processing, and so on.
When converting the SUPI of terminal devices into the SUPI* by obfuscation, different obfuscation processing methods may be configured for different terminal devices, or for different terminal device groups, or of course the same obfuscation processing method may be configured for all terminal devices within the same time period.
Updating of the obfuscation method is illustrated below, taking the first terminal device above as the example.
First example: a periodic update timer is configured separately for each terminal device. The timer is started when the terminal device registers successfully; when it expires, the update operation is performed and the timer is restarted.
When the proxy function obfuscates the SUPI of a terminal device to obtain SUPI*, it may use a preconfigured first obfuscation method.
When the proxy function determines that the first obfuscation method has been used for obfuscating the SUPI of the first terminal device for a first preset duration, it updates the first obfuscation method and may use a preconfigured second obfuscation method to obfuscate the SUPI, obtaining SUPI*1.
After updating the obfuscation method and re-obfuscating the SUPI of the first terminal device, the proxy function may send the obfuscated SUPI*1 to the AMF, so that the AMF uses the updated SUPI*1 as the user identifier. For example, the proxy function may send a first update message to the AMF carrying the SUPI*1 of the first terminal device; the first update message instructs the AMF to replace the SUPI*, which it uses as the SUPI of the first terminal device, with SUPI*1. The AMF may send the updated SUPI*1 to other network elements of the operator network, such as the SMF and the UPF, to synchronize the changed SUPI*. Optionally, after obtaining SUPI*1, the AMF may return a first update response to the proxy function, confirming that both sides use the updated SUPI*1 for subsequent signaling.
Second example: a periodic update timer is configured separately for each group of terminal devices; when the timer expires, the update operation is performed and the timer is restarted. A first terminal device group containing the first terminal device is taken as the example.
For example, the method the proxy function uses to obfuscate the permanent identities of the terminal devices in the first terminal device group is a third obfuscation method. When the proxy function determines that the third obfuscation method has been used for obfuscating the SUPIs of the terminal devices in the first terminal device group for a second preset duration, it updates the third obfuscation method, for example to a fourth obfuscation method. The proxy function re-obfuscates the permanent identity of each terminal device in the first terminal device group with the fourth obfuscation method and sends the resulting temporary identities of the terminal devices to the AMF. The first terminal device in the first terminal device group is again taken as the example below.
The proxy function obfuscates the SUPI of the first terminal device with the fourth obfuscation method to obtain SUPI*2 of the first terminal device, and sends a second update message to the AMF carrying SUPI*2 of the first terminal device; the second update message instructs the AMF to replace the SUPI*, which it uses as the SUPI of the first terminal device, with SUPI*2.
Third example: different obfuscation methods are used for different terminal device groups, and the update of the obfuscation method is triggered by the management device. The method the proxy function uses to obfuscate the permanent identities of the first terminal device group is a third obfuscation method, and the first terminal device group includes the first terminal device.
The proxy function receives a trigger instruction for updating the obfuscation method from the management network element, and updates the third obfuscation method used for obfuscating the permanent identities of the first terminal device group to a preconfigured fourth obfuscation method.
The proxy function re-obfuscates the permanent identity of each terminal device in the first terminal device group with the fourth obfuscation method and sends the resulting temporary identities of the terminal devices to the AMF. The first terminal device in the first terminal device group is again taken as the example below.
The proxy function obfuscates the SUPI of the first terminal device with the fourth obfuscation method to obtain SUPI*2 of the first terminal device, and sends a second update message to the AMF carrying SUPI*2 of the first terminal device; the second update message instructs the AMF to replace the SUPI*, which it uses as the SUPI of the first terminal device, with SUPI*2.
Fourth example: the same obfuscation method is used for all terminal devices within a given period. A periodic update timer may be configured; when it expires, the update operation is performed and the timer is restarted.
For example, the method the proxy function uses within a third preset duration to obfuscate the permanent identities of all terminal devices, including the first terminal device, is a fifth obfuscation method. When the proxy function determines that the fifth obfuscation method has been in use for longer than the third preset duration, it updates the fifth obfuscation method to a preconfigured sixth obfuscation method. The proxy function then re-obfuscates the permanent identities of all terminal devices with the sixth obfuscation method and sends the resulting temporary identities of the terminal devices to the AMF.
In addition, one obfuscation method may be configured for all terminal devices and its update triggered by the management device. For example, the method the proxy function uses to obfuscate the permanent identities of all terminal devices is a fifth obfuscation method; upon receiving a trigger instruction for updating the obfuscation method from the management device, it updates the fifth obfuscation method to a preconfigured sixth obfuscation method.
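The SUPI* derivation described above (MCC and MNC kept, only the MSIN cyclically shifted or part-swapped) together with the indexed set of obfuscation methods that a timed or management-triggered update cycles through, as an added example that is not part of the patent: a small Python model of the proxy function's conversion in both directions, since the proxy must also map SUPI* back to SUPI on the reverse path. The 2-digit MNC length, the sample IMSI and all function and class names are assumptions; the symmetric-encryption variant (example 3) is not shown.

```python
# Added example, not the patent's own code: SUPI -> SUPI* conversion as described
# above. MCC and MNC are kept and only the MSIN is obfuscated; cyclic shift and
# part swapping are shown with their inverses (the proxy maps SUPI* back to SUPI
# on the reverse path), and an indexed method set is cycled in index order on
# each update trigger. The 2-digit MNC length and sample values are constructed.
from typing import Callable, List, Tuple

MNC_LEN = 2  # assumption: 2-digit MNC
Method = Tuple[Callable[[str], str], Callable[[str], str]]  # (obfuscate, inverse)

def split_imsi(imsi: str, mnc_len: int = MNC_LEN) -> Tuple[str, str, str]:
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6..15 decimal digits")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]

def rotate(msin: str, m: int) -> str:
    """Cyclically shift the MSIN left by m digits (negative m shifts right)."""
    m %= len(msin)
    return msin[m:] + msin[:m]

def swap_parts(msin: str, a: Tuple[int, int], b: Tuple[int, int]) -> str:
    """Exchange two non-overlapping parts given as (start, length), a before b."""
    (sa, la), (sb, lb) = a, b
    if not (0 <= sa and sa + la <= sb and sb + lb <= len(msin)):
        raise ValueError("parts must be in order and non-overlapping")
    return msin[:sa] + msin[sb:sb + lb] + msin[sa + la:sb] + msin[sa:sa + la] + msin[sb + lb:]

def method_rotate(m: int) -> Method:
    return (lambda s: rotate(s, m), lambda s: rotate(s, -m))

def method_swap(a: Tuple[int, int], b: Tuple[int, int]) -> Method:
    # Inverse: b's digits now start at sa and a's digits follow the unchanged gap.
    (sa, la), (sb, lb) = a, b
    inv = ((sa, lb), (sb - la + lb, la))
    return (lambda s: swap_parts(s, a, b), lambda s: swap_parts(s, *inv))

class ObfuscationPolicy:
    def __init__(self, methods: List[Method]) -> None:
        self.methods, self.index = methods, 0  # preconfigured, indexed method set

    def advance(self) -> int:
        self.index = (self.index + 1) % len(self.methods)  # cycle in index order
        return self.index

    def to_supi_star(self, imsi: str) -> str:
        mcc, mnc, msin = split_imsi(imsi)
        return mcc + mnc + self.methods[self.index][0](msin)

    def to_supi(self, supi_star: str) -> str:
        mcc, mnc, msin = split_imsi(supi_star)
        return mcc + mnc + self.methods[self.index][1](msin)

# Constructed sample policy. Parts are 0-based (start, length): the text's
# "digits 5-6" and "digits 8-10" of a 10-digit MSIN become (4, 2) and (7, 3).
POLICY = ObfuscationPolicy([method_rotate(3), method_swap((4, 2), (7, 3))])
```

Whichever method index is current, `to_supi(to_supi_star(imsi))` returns the original IMSI, which is the property the proxy relies on when it converts the reverse-direction messages in the procedures above.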
Based on the same inventive concept as the method embodiments, the embodiments of this application also provide a communication apparatus applied to the proxy function, for performing the method executed by the proxy function in the method embodiments shown in FIG. 4 to FIG. 10; for the related features see the method embodiments above, which are not repeated here. As an example, as shown in FIG. 11, the communication apparatus includes a receiving unit 1101, a processing unit 1102 and a sending unit 1103. During the registration procedure of the first terminal device, the receiving unit 1101 receives, from the security anchor function SEAF, the permanent identity of the first terminal device that is to be sent to the access and mobility management function AMF; the processing unit 1102 is configured to obfuscate the permanent identity of the first terminal device to obtain a first temporary identity of the first terminal device; and the sending unit 1103 is configured to send the first temporary identity of the first terminal device to the AMF, where the first temporary identity is used in the AMF as the permanent identity of the first terminal device.
In a possible implementation, the receiving unit 1101 is further configured to receive a first message from the AMF or the session management function SMF, the first message carrying the first temporary identity of the first terminal device; the processing unit 1102 is further configured to de-obfuscate the first temporary identity to obtain the permanent identity of the first terminal device; and the sending unit 1103 forwards the first message, carrying the permanent identity of the first terminal device, to the AUSF or the UDM.
In a possible implementation, the receiving unit 1101 is further configured to receive a second message from the AUSF or the UDM, the second message carrying the permanent identity of the first terminal device; the processing unit 1102 is further configured to obfuscate the permanent identity of the first terminal device in the second message to obtain the first temporary identity of the first terminal device; and the sending unit 1103 is further configured to forward the second message, carrying the first temporary identity of the first terminal device, to the AMF or the SMF.
The division into units in the embodiments of this application is illustrative and is only a division by logical function; other divisions are possible in actual implementation. In addition, the functional units in the embodiments of this application may be integrated in one processor, may exist physically alone, or two or more units may be integrated in one module. The integrated unit may be implemented in the form of hardware or in the form of a software functional module.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a terminal device (which may be a personal computer, a mobile phone, a network device, and so on) or a processor to perform all or some of the steps of the method in the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
In the embodiments of this application, both the proxy function and the AMF may be presented in the form of functional modules divided in an integrated manner. A "module" here may refer to a specific ASIC, a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another component that can provide the functions described above.
In a simple embodiment, the communication apparatus 1200 shown in FIG. 12 includes at least one processor 1201 and a memory 1202, and may optionally include a communication interface 1203. The memory 1202 may be a volatile memory such as a random access memory; it may also be a non-volatile memory such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 1202 may be any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without limitation. The memory 1202 may also be a combination of the above memories.
The embodiments of this application do not limit the specific connection medium between the processor 1201 and the memory 1202. In the figure, the memory 1202 and the processor 1201 are connected by a bus 1204, drawn as a thick line; the connections between the other components are illustrative only and not limiting. The bus 1204 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation only one thick line is drawn in FIG. 12, but this does not mean there is only one bus or only one type of bus.
The processor 1201 may have a data transceiving function and be able to communicate with other devices. In the apparatus of FIG. 12, a separate data transceiving module such as the communication interface 1203 may also be provided for sending and receiving data, and the processor 1201 may transmit data through the communication interface 1203 when communicating with other devices.
The communication apparatus 1200 in FIG. 12 may be applied to the proxy function; by invoking the computer-executable instructions stored in the memory 1202, the processor 1201 enables the proxy function to perform the method executed by the proxy function in any of the method embodiments above.
Specifically, the functions/implementation processes of the sending unit, receiving unit and processing unit in FIG. 11 may all be implemented by the processor 1201 in FIG. 12 invoking the computer-executable instructions stored in the memory 1202. Alternatively, the functions/implementation process of the processing unit in FIG. 11 may be implemented by the processor 1201 in FIG. 12 invoking the computer-executable instructions stored in the memory 1202, while those of the sending unit and receiving unit in FIG. 11 may be implemented by the communication interface 1203 in FIG. 12.
Those skilled in the art should understand that the embodiments of this application may be provided as a method, a system, or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and so on) containing computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of this application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art may make various modifications and variations to the embodiments of this application without departing from the scope of the embodiments of this application. If these modifications and variations fall within the scope of the claims of this application and their equivalents, this application is intended to include them as well.
Claims (22)
1. A communication method, characterized by comprising: during a registration procedure of a first terminal device, a proxy function receives, from a security anchor function SEAF, a permanent identity of the first terminal device that is to be sent to an access and mobility management function AMF, where the SEAF and the proxy function are located in a vertical industry network and the AMF is located in an operator network; the proxy function obfuscates the permanent identity of the first terminal device to obtain a first temporary identity of the first terminal device; and the proxy function sends the first temporary identity of the first terminal device to the AMF, where the first temporary identity is used in the network elements of the operator network as the permanent identity of the first terminal device.
2. The method according to claim 1, characterized by further comprising: the proxy function receives a first message from a network element of the operator network, the first message carrying the first temporary identity of the first terminal device, where the network element of the operator network is the AMF or a session management function SMF; the proxy function de-obfuscates the first temporary identity to obtain the permanent identity of the first terminal device; and the proxy function forwards the first message, carrying the permanent identity of the first terminal device, to a network element of the industry management network, where the network element of the industry management network is the SEAF, an authentication server function AUSF or a unified data management function UDM.
3. The method according to claim 1 or 2, characterized by further comprising: the proxy function receives a second message from a network element of the industry management network, the second message carrying the permanent identity of the first terminal device, where the network element of the industry management network is the SEAF, the AUSF or the UDM; the proxy function obfuscates the permanent identity of the first terminal device in the second message to obtain the first temporary identity of the first terminal device; and the proxy function forwards the second message, carrying the first temporary identity of the first terminal device, to a network element of the operator network, where the network element of the operator network is the AMF or the SMF.
4. The method according to claim 1 or 3, characterized in that the proxy function obfuscating the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device comprises: the proxy function obfuscates the mobile subscriber identification number MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device, where the first temporary identity of the first terminal device includes the obfuscated MSIN.
5. The method according to claim 4, characterized in that the proxy function obfuscating the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device comprises: the proxy function cyclically shifts the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; or the proxy function exchanges at least two parts of the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; or the proxy function encrypts the MSIN in the permanent identity of the first terminal device with a first key to obtain the first temporary identity of the first terminal device.
6. The method according to any one of claims 1 to 5, characterized in that the proxy function obfuscating the permanent identity to obtain the first temporary identity of the first terminal device comprises: the proxy function obfuscates the permanent identity with a preconfigured first obfuscation method to obtain the first temporary identity of the first terminal device; the method further comprises: when the proxy function determines that the first obfuscation method has been used as the method for obfuscating the permanent identity of the first terminal device for a first preset duration, the proxy function obfuscates the permanent identity with a preconfigured second obfuscation method to obtain a second temporary identity of the first terminal device; and the proxy function sends a first update message to the AMF, the first update message carrying the second temporary identity of the first terminal device and instructing the AMF to update the first temporary identity of the first terminal device, used as the permanent identity of the first terminal device, to the second temporary identity of the first terminal device.
7. The method according to any one of claims 1 to 5, characterized in that the proxy function obfuscating the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device comprises: the proxy function obfuscates the permanent identity of the first terminal device with a third obfuscation method to obtain the first temporary identity of the first terminal device, where the third obfuscation method is the method used within a second preset duration to obfuscate the permanent identity of any terminal device in a first terminal device group, the first terminal device group including the first terminal device; the method further comprises: when the proxy function determines that the third obfuscation method has been in use for longer than the second preset duration, it updates the third obfuscation method used for the first terminal device group to a preconfigured fourth obfuscation method.
8. The method according to any one of claims 1 to 5, characterized in that the proxy function obfuscating the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device comprises: the proxy function obfuscates the permanent identity of the first terminal device with a third obfuscation method to obtain the first temporary identity of the first terminal device, where the third obfuscation method is the method used to obfuscate the permanent identity of any terminal device in a first terminal device group, the first terminal device group including the first terminal device; the method further comprises: the proxy function receives a trigger instruction for updating the obfuscation method from a management network element; and the proxy function updates the method used to obfuscate the permanent identities of the first terminal device group to a preconfigured fourth obfuscation method.
9. The method according to claim 7 or 8, characterized by further comprising, after the third obfuscation method used for the first terminal device group is updated to the preconfigured fourth obfuscation method: the proxy function obfuscates the permanent identity of the first terminal device with the fourth obfuscation method to obtain a third temporary identity of the first terminal device; and the proxy function sends a second update message to the AMF, the second update message carrying the third temporary identity of the first terminal device and instructing the AMF to update the first temporary identity of the first terminal device, used as the permanent identity of the first terminal device, to the third temporary identity of the first terminal device.
10. A communication apparatus, characterized by comprising a communication interface, a processor and a memory; the memory is configured to store computer-executable instructions; the processor is configured to execute the computer-executable instructions stored in the memory, so that the communication apparatus sends and receives messages through the communication interface and implements the method according to any one of claims 1 to 9.
11. A computer-readable storage medium, characterized in that the storage medium stores computer instructions which, when executed by a communication apparatus, cause the communication apparatus to perform the method according to any one of claims 1 to 9.
12. A computer program product, characterized in that the computer program product comprises computer instructions which, when executed by a communication apparatus, cause the communication apparatus to perform the method according to any one of claims 1 to 9.
13. A communication system, characterized in that the communication system is applied in a vertical industry network and comprises a proxy function and a security anchor function SEAF; the SEAF is configured to send the permanent identity of a first terminal device to the proxy function during a registration procedure of the first terminal device; the proxy function is configured to, after receiving the permanent identity of the first terminal device from the SEAF, obfuscate the permanent identity of the first terminal device to obtain a first temporary identity of the first terminal device and send the first temporary identity of the first terminal device to a mobility management function AMF located in an operator network, where the first temporary identity is used in the network elements of the operator network as the permanent identity of the first terminal device.
14. The communication system according to claim 13, characterized in that the proxy function is further configured to receive the concealed identity of the first terminal device sent by the AMF and send the concealed identity of the first terminal device to the SEAF; the communication system further comprises a unified data management function UDM; the SEAF is further configured to, after receiving the concealed identity of the first terminal device from the proxy function, send the concealed identity of the first terminal device to the UDM; and the UDM is configured to resolve the concealed identity of the first terminal device to obtain the permanent identity of the first terminal device and send the permanent identity of the first terminal device to the SEAF.
15. The communication system according to claim 13 or 14, characterized by further comprising an authentication server function AUSF and a UDM located in the vertical industry network; the proxy function is further configured to receive a first message from the AMF or an SMF of the operator network, the first message carrying the first temporary identity of the first terminal device; de-obfuscate the first temporary identity to obtain the permanent identity of the first terminal device; and forward the first message, carrying the permanent identity of the first terminal device, to the authentication server function AUSF or the unified data management function UDM in the vertical industry network, or to the SEAF.
16. The communication system according to claim 15, characterized in that the proxy function is further configured to receive a second message from the AUSF, the UDM or the SEAF, the second message carrying the permanent identity of the first terminal device; obfuscate the permanent identity of the first terminal device in the second message to obtain the first temporary identity of the first terminal device; and forward the second message, carrying the first temporary identity of the first terminal device, to the AMF or the SMF.
17. The communication system according to claim 13 or 16, characterized in that the proxy function is specifically configured to obfuscate the mobile subscriber identification number MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device, where the first temporary identity of the first terminal device includes the obfuscated MSIN.
18. The communication system according to claim 17, characterized in that the proxy function is specifically configured to: cyclically shift the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; or exchange at least two parts of the MSIN in the permanent identity of the first terminal device to obtain the first temporary identity of the first terminal device; or encrypt the MSIN in the permanent identity of the first terminal device with a first key to obtain the first temporary identity of the first terminal device.
19. The communication system according to any one of claims 13 to 18, characterized in that the proxy function is specifically configured to obfuscate the permanent identity with a preconfigured first obfuscation method to obtain the first temporary identity of the first terminal device; the proxy function is further configured to, when it determines that the first obfuscation method has been used as the method for obfuscating the permanent identity of the first terminal device for a first preset duration, obfuscate the permanent identity with a preconfigured second obfuscation method to obtain a second temporary identity of the first terminal device, and send a first update message to the AMF, the first update message carrying the second temporary identity of the first terminal device and instructing the AMF to update the first temporary identity of the first terminal device, used as the permanent identity of the first terminal device, to the second temporary identity of the first terminal device.
20. The communication system according to any one of claims 13 to 18, characterized in that the proxy function is specifically configured to obfuscate the permanent identity of the first terminal device with a third obfuscation method to obtain the first temporary identity of the first terminal device, where the third obfuscation method is the method used within a second preset duration to obfuscate the permanent identity of any terminal device in a first terminal device group, the first terminal device group including the first terminal device; the proxy function is further configured to, when it determines that the third obfuscation method has been in use for longer than the second preset duration, update the third obfuscation method used for the first terminal device group to a preconfigured fourth obfuscation method.
21. The communication system according to any one of claims 13 to 18, characterized in that the proxy function is specifically configured to obfuscate the permanent identity of the first terminal device with a third obfuscation method to obtain the first temporary identity of the first terminal device, where the third obfuscation method is the method used to obfuscate the permanent identity of any terminal device in a first terminal device group, the first terminal device group including the first terminal device; the method the proxy function uses to obfuscate the permanent identities of the first terminal device group is the third obfuscation method, the first terminal device group including the first terminal device; the proxy function is further configured to receive a trigger instruction for updating the obfuscation method from a management network element, and to update the method used to obfuscate the permanent identities of the first terminal device group to a preconfigured fourth obfuscation method.
22. The communication system according to claim 20 or 21, characterized in that the proxy function is further configured to, after updating the third obfuscation method used for the first terminal device group to the preconfigured fourth obfuscation method, obfuscate the permanent identity of the first terminal device with the fourth obfuscation method to obtain a third temporary identity of the first terminal device, and send a second update message to the AMF, the second update message carrying the third temporary identity of the first terminal device and instructing the AMF to update the first temporary identity of the first terminal device, used as the permanent identity of the first terminal device, to the third temporary identity of the first terminal device.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910631030.5A (CN112218287B, zh) | 2019-07-12 | 2019-07-12 | Communication method and apparatus |
CN201910631030.5 | 2019-07-12 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021008466A1 (zh) | 2021-01-21 |
Family ID: 74047862
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/101454 WO2021008466A1 (zh) | 2019-07-12 | 2020-07-10 | Communication method and apparatus |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN112218287B (zh) |
WO (1) | WO2021008466A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022174729A1 (zh) * | 2021-02-20 | 2022-08-25 | Huawei Technologies Co., Ltd. | Method for protecting identity privacy and communication apparatus |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114980090A (zh) * | 2021-02-19 | 2022-08-30 | China Telecom Corporation Limited | Secondary authentication method, network element and system, computer apparatus and storage medium |
CN115175169B (zh) * | 2021-04-06 | 2024-07-02 | Vivo Mobile Communication Co., Ltd. | Information processing method, terminal and network-side device |
CN117178578A (zh) * | 2021-05-14 | 2023-12-05 | Huawei Technologies Co., Ltd. | Network management method and related device |
CN117062054A (zh) * | 2022-05-06 | 2023-11-14 | Huawei Technologies Co., Ltd. | Communication method and apparatus |
CN117098117A (zh) * | 2022-05-12 | 2023-11-21 | Huawei Technologies Co., Ltd. | Communication method and apparatus |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018208949A1 (en) * | 2017-05-09 | 2018-11-15 | Intel IP Corporation | Privacy protection and extensible authentication protocol authentication and authorization in cellular networks |
WO2018210715A1 (en) * | 2017-05-16 | 2018-11-22 | Nokia Technologies Oy | Privacy protection capabilities |
CN109691058A (zh) * | 2016-07-18 | 2019-04-26 | Telefonaktiebolaget LM Ericsson (publ) | Operations related to user equipment using a secret identifier |
CN109803251A (zh) * | 2017-11-16 | 2019-05-24 | Nokia Technologies Oy | Method and apparatus for privacy management entity selection in a communication system |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11792172B2 (en) * | 2017-05-05 | 2023-10-17 | Nokia Technologies Oy | Privacy indicators for controlling authentication requests |
CN109511115B (zh) * | 2017-09-14 | 2020-09-29 | Huawei Technologies Co., Ltd. | Authorization method and network element |
CN107580324B (zh) * | 2017-09-22 | 2020-05-08 | The 30th Research Institute of China Electronics Technology Group Corporation | Method for IMSI privacy protection in a mobile communication system |
CN109041054B (zh) * | 2018-07-27 | 2021-04-13 | The 30th Research Institute of China Electronics Technology Group Corporation | Privacy protection method for a network-side-initiated number change |
- 2019-07-12: CN application CN201910631030.5A, patent CN112218287B (zh), status Active
- 2020-07-10: WO application PCT/CN2020/101454, publication WO2021008466A1 (zh), status Application Filing
Non-Patent Citations (1)
Title |
---|
ERICSSON: "3GPP TSG SA WG3 (Security) Meeting #89 S3-173098", CLAUSES 6.1.3 AND 6.7.2 (AUTH PROCEDURES AND NAS SMC, SUPI FROM UE FOR LI), 1 December 2017 (2017-12-01), XP051380359, DOI: 20200922104347A * |
Also Published As
Publication number | Publication date |
---|---|
CN112218287B (zh) | 2023-05-12 |
CN112218287A (zh) | 2021-01-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20840306; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20840306; Country of ref document: EP; Kind code of ref document: A1 |