WO2021027916A1 - Method, device and system for accessing closed access group - Google Patents


Info

Publication number: WO2021027916A1
Authority: WO, WIPO (PCT)
Prior art keywords: cag, terminal, access, list, amf
Application number: PCT/CN2020/109116
Other languages: French (fr), Chinese (zh)
Inventors: 彭锦, 游世林, 林兆骥, 余万涛
Original Assignee: 中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2021027916A1

Classifications

    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII] (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W12/03 Protecting confidentiality, e.g. by encryption (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration (H Electricity > H04 Electric communication technique > H04W Wireless communication networks)

Definitions

  • This application relates to a wireless communication network, for example, to a method, device, and system for accessing a closed access group.
  • 3GPP: 3rd Generation Partnership Project
  • 3GPP has formulated various mobile network specifications. Among them, in order to support private networks through public networks, 3GPP has defined a Closed Access Group (CAG) mechanism.
  • CAG: Closed Access Group
  • a closed access group includes a group of users who can visit one or more CAG cells.
  • a closed access group has a closed access group identity (CAG ID). Using the closed access group mechanism, access control can be performed when a terminal accesses the private network.
  • CAG ID: closed access group identity
  • the solution for access control to the private network is to configure the CAG ID that allows access in the mobile terminal.
  • the network carries the list of CAG IDs supported by the cell in the broadcast system message. After the terminal receives the broadcast message, it selects a matching CAG ID as the CAG ID requested for access. The terminal carries the CAG ID requested for access in the registration request message sent to the network to complete the registration process.
  • the CAG ID in the registration request message is carried in plain text and sent over the air interface, where it can be intercepted and leaked, which may compromise the security of the private network.
  • the present application provides a method, device and system for accessing a closed access group to improve the security of the closed access group.
  • the embodiment of the present application provides a method for accessing a closed access group, including:
  • the registration request message includes the encrypted CAG ID for requesting access and the SUCI of the terminal.
  • the embodiment of the present application provides a method for accessing a closed access group, including:
  • the registration request message includes the encrypted CAG ID for requesting access and the SUCI of the terminal;
  • judging whether the CAG ID requested for access matches the first CAG ID list, and if they match, sending a registration acceptance message to the terminal.
  • the embodiment of the present application provides a method for accessing a closed access group, including:
  • the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
  • the embodiment of the present application provides a method for accessing a closed access group, including:
  • the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal;
  • according to the 5G-GUTI of the terminal, judging whether the current AMF is a historical AMF that has served the terminal;
  • if the current AMF is a historical AMF that has served the terminal and the SUPI of the terminal is stored in the current AMF,
  • the first CAG ID list is obtained from the terminal's home network according to the SUPI of the terminal, and the first encrypted CAG ID requested for access is decrypted into the CAG ID requested for access;
  • judging whether the CAG ID requested for access matches the first CAG ID list, and if they match, a registration acceptance message is sent to the terminal.
  • An embodiment of the present application provides an apparatus for accessing a closed access group, including:
  • the encryption module is set to encrypt the CAG ID that requests access to obtain the encrypted CAG ID that requests access;
  • the sending module is configured to send a registration request message.
  • the registration request message includes the encrypted CAG ID for requesting access and the SUCI of the terminal.
  • An embodiment of the present application provides an apparatus for accessing a closed access group, including:
  • the receiving module is configured to receive the registration request message sent by the terminal, and the registration request message includes the encrypted CAG ID for requesting access and the SUCI of the terminal;
  • the decryption module is set to parse the SUCI of the terminal into the SUPI of the terminal, and decrypt the encrypted CAG ID requesting access to the CAG ID requesting access;
  • the obtaining module is configured to obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
  • the judging module is configured to judge whether the CAG ID requested to access and the first CAG ID list match, and if they match, send a registration acceptance message to the terminal.
  • An embodiment of the present application provides an apparatus for accessing a closed access group, including:
  • the encryption module is set to encrypt the CAG ID that requests access to obtain the first encrypted CAG ID that requests access;
  • the sending module is configured to send a registration request message, and the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
  • An embodiment of the present application provides an apparatus for accessing a closed access group, including:
  • the receiving module is configured to receive a registration request message sent by the terminal, and the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal;
  • the decryption module is set to determine whether the current AMF is a historical AMF that has served the terminal according to the 5G-GUTI of the terminal;
  • the obtaining module is configured to, if the current AMF is a historical AMF that has served the terminal and the SUPI of the terminal is stored in the current AMF, obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypt the first encrypted CAG ID requested for access into the CAG ID requested for access;
  • the judging module is configured to judge whether the CAG ID requested to access and the first CAG ID list match, and if they match, send a registration acceptance message to the terminal.
  • the embodiment of the present application provides a system for accessing a closed access group, including a terminal and a network device;
  • the terminal includes a device for accessing a closed access group as shown in the embodiment in FIG. 11;
  • the network equipment includes a device for accessing a closed access group as shown in the embodiment of FIG. 12.
  • the embodiment of the present application provides a system for accessing a closed access group, including a terminal and a network device;
  • the terminal includes a device for accessing a closed access group as shown in the embodiment in FIG. 13;
  • the network equipment includes the device for accessing the closed access group as shown in the embodiment of FIG. 14.
  • FIG. 1 is a schematic diagram of a private network access control process provided by an embodiment of this application
  • FIG. 2 is a flowchart of a method for accessing a closed access group according to an embodiment
  • FIG. 3 is a flowchart of another method for accessing a closed access group according to an embodiment
  • FIG. 4 is a flowchart of another method for accessing a closed access group provided by an embodiment
  • FIG. 5 is a flowchart of another method for accessing a closed access group according to an embodiment
  • FIG. 6 is a flowchart of another method for accessing a closed access group according to an embodiment
  • FIG. 7 is a flowchart of another method for accessing a closed access group according to an embodiment
  • FIG. 8 is a flowchart of another method for accessing a closed access group according to an embodiment
  • FIG. 9 is an interaction flowchart of a method for accessing a closed access group according to an embodiment
  • FIG. 10 is an interaction flowchart of another method for accessing a closed access group according to an embodiment
  • FIG. 11 is a schematic structural diagram of an apparatus for accessing a closed access group according to an embodiment
  • FIG. 12 is a schematic structural diagram of another device for accessing a closed access group according to an embodiment
  • FIG. 13 is a schematic structural diagram of another device for accessing a closed access group according to an embodiment
  • FIG. 14 is a schematic structural diagram of another device for accessing a closed access group according to an embodiment
  • FIG. 15 is a schematic structural diagram of a terminal provided by an embodiment.
  • FIG. 1 is a schematic diagram of a private network access control process provided by an embodiment of this application.
  • traditional private network access is mainly determined by the access and mobility management function (AMF) in the network.
  • AMF: access and mobility management function
  • UDM: Unified Data Management
  • SIDF: Subscription Identifier De-concealing Function
  • AUSF: Authentication Server Function
  • AMF, UDM or SIDF, and AUSF are the network elements that implement authentication and security verification in the network; they can be physical devices deployed in the network, or functional modules deployed in any one or more physical network elements in the network.
  • a list of CAG IDs allowed to be accessed is configured on the terminal.
  • the list of allowed CAG IDs indicates that the terminal can only access the private networks corresponding to the CAG IDs in the list; for example, the list of allowed CAG IDs is {2,3,4,5}.
  • the base station in the network carries the CAG ID list supported by the cell in the broadcast system message, and the CAG ID list supported by the cell indicates the private network that the terminal in the cell is allowed to access.
  • a terminal that accesses the network through the base station can receive the broadcast system message, thereby obtaining a list of CAG IDs supported by the cell.
  • the list of CAG IDs supported by the cell is, for example, {1,2,3}.
  • step S1030: when the terminal receives the broadcast system message, it compares its configured list of allowed CAG IDs with the received list of CAG IDs supported by the cell, and selects one of the matching CAG IDs as the CAG ID requested for access. For example, after the comparison here the matching CAG IDs are {2,3}, and {2} is selected as the CAG ID requested for access.
  • step S1040 after determining the CAG ID requesting access, the terminal can start the access process in the private network corresponding to the CAG ID requesting access.
  • the terminal sends a registration request message to the network.
  • the registration request message carries the CAG ID requested to be accessed in plain text, and the registration request message also carries the user hidden identifier (SUCI) of the terminal.
  • after receiving the registration request message sent by the terminal, the base station sends the registration request message to the AMF to carry out authentication and security verification of the terminal's access to the private network.
  • SUCI: user hidden identifier (subscription concealed identifier)
  • each network element that implements terminal authentication and security verification in the network (AMF, AUSF, UDM or SIDF) performs the authentication and security verification procedures for the terminal, where UDM or SIDF parses the terminal's SUCI into the terminal's subscription permanent identifier (SUPI) and returns the SUPI of the terminal to the AMF.
  • SUPI: Subscription Permanent Identifier
  • step S1060 the AMF sends a request message to the home network of the terminal to obtain a list of CAG IDs allowed to be accessed in the home network.
  • the request message includes the SUPI of the terminal.
  • the home network returns to the AMF the list of CAG IDs that are allowed to be accessed, here for example {2,3,4,5}.
  • step S1070: the AMF determines whether the terminal is allowed to access the CAG requested for access, that is, the AMF determines whether the CAG ID requested for access in the registration request message is included in the list of allowed CAG IDs obtained from the home network; if so, access is allowed, otherwise it is not.
  • the CAG ID requested for access is {2}, which is included in the list of allowed CAG IDs {2,3,4,5} obtained from the home network, so the terminal is allowed to access the private network.
  • step S1080 the AMF feeds back a registration acceptance message to the terminal, that is, allows the terminal to access the private network.
  • if in step S1070 the AMF determines that the terminal is not allowed to access the CAG requested for access, then in step S1090 the AMF sends a registration rejection message to the terminal.
  • FIG. 2 is a flowchart of a method for accessing a closed access group according to an embodiment. As shown in FIG. 2, the method provided in this embodiment includes the following steps.
  • Step S2010 encrypt the CAG ID that requests access to obtain the encrypted CAG ID that requests access.
  • the method for accessing a closed access group is applied to a terminal device in a mobile communication system, referred to as a terminal.
  • when the terminal needs to access the private network, that is, the closed access group, it needs to send the CAG ID requested for access to the device that performs authentication and security verification in the network. Because the CAG ID is sent in plain text and the registration request message carrying the CAG ID is sent over the air interface, the CAG ID is easy to leak, which affects the security of the closed access group.
  • the terminal when the terminal needs to access a closed access group, after determining the CAG ID requesting access, first encrypt the CAG ID requesting access to obtain the encrypted CAG ID requesting access.
  • the encryption method used to encrypt the CAG ID can be any encryption method, provided it corresponds to the decryption method in the network element that performs authentication and security verification on the terminal.
  • the secret key used to encrypt the CAG ID can likewise be obtained in one or more possible ways, and corresponds to the secret key in the network element that performs authentication and security verification on the terminal.
  • Step S2020 Send a registration request message.
  • the registration request message includes the encrypted CAG ID for requesting access and the SUCI of the terminal.
  • the terminal can send a registration request message.
  • the registration request message includes the encrypted CAG ID requesting access and the terminal's SUCI.
  • the terminal sends a registration request message through the air interface, and the base station accessed by the terminal or the serving base station of the cell where the terminal is located will receive the registration request message.
  • the base station that receives the registration request message will send the registration request message to the network elements that perform authentication and security verification on the terminal, including AMF, AUSF, UDM/SIDF, etc.
  • the above-mentioned network elements can determine the home network of the terminal according to the SUCI of the terminal, decrypt the encrypted CAG ID requested for access to obtain the CAG ID requested by the terminal, and then perform authentication and security verification on the terminal following steps S1050 to S1090 of the embodiment shown in FIG. 1, to determine whether the terminal can access the CAG corresponding to the CAG ID requested for access.
  • when the terminal is allowed to access the CAG corresponding to the CAG ID requested for access, the terminal receives a registration acceptance message; when the terminal is not allowed to access that CAG, the terminal receives a registration rejection message.
  • a registration request message is sent, and the registration request message includes the encrypted CAG ID requested for access and the SUCI of the terminal. This provides a method of accessing a closed access group that protects the closed access group: since the CAG ID requested for access is encrypted, leakage of the CAG ID from the registration request message sent over the air interface is avoided, and the security of access to the CAG is improved.
  • the method of encrypting the CAG ID requested for access may be to use the public key of the terminal's home network to encrypt the CAG ID requested for access, obtaining the encrypted CAG ID requested for access. After the terminal sends the registration request message, since the message includes both the encrypted CAG ID requested for access and the SUCI of the terminal, the network element that performs authentication and security verification on the terminal can learn the terminal's home network from the SUCI, and can therefore obtain the public key of the terminal's home network; the obtained public key can then be used to decrypt the encrypted CAG ID requested for access, obtaining the CAG ID requested for access.
  • the method of encrypting the CAG ID requested for access may also be to use the public key of the home network to jointly encrypt the CAG ID requested for access and the SUCI of the terminal, obtaining the extended SUCI of the terminal. After the terminal sends the registration request message, the network element that performs authentication and security verification on the terminal can learn the terminal's home network from the relevant information of the terminal, obtain the public key of the terminal's home network, and decrypt the extended SUCI with the obtained public key to recover the CAG ID requested for access and the SUCI of the terminal.
  • FIG. 3 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 3, the method provided by this embodiment includes the following steps.
  • Step S3010 Receive the system broadcast message carrying the first CAG ID list.
  • when the terminal needs to access a CAG, it first needs to determine which CAG the terminal is allowed to access.
  • the base station broadcasts a system broadcast message carrying the first CAG ID list, and a terminal accessing the base station or a terminal located within the coverage of the base station will receive the system broadcast message.
  • the first CAG ID list includes at least one CAG ID that the terminal is allowed to access.
  • Step S3020 Match the second CAG ID list configured on the terminal itself against the first CAG ID list, and determine the CAG ID that the terminal requests to access.
  • a CAG ID list is also configured, called a second CAG ID list, and the second CAG ID list includes the ID of at least one CAG that the terminal is allowed to access.
  • the second CAG ID list is preset on the terminal, and may be pre-configured in the terminal, or configured by the network device for the terminal when the terminal is registered in the network.
  • the terminal matches the first CAG ID list and the second CAG ID list to determine the CAG ID that the terminal requests to access.
  • the method of matching the second CAG ID list configured on the terminal against the first CAG ID list may be to take a CAG ID that appears in both the second CAG ID list and the first CAG ID list as the CAG ID requested for access. The first CAG ID list and the second CAG ID list may have one or more CAG IDs in common, or none. If they have no CAG ID in common, the terminal is not allowed to access any CAG, so it cannot determine a CAG ID requested for access and does not proceed with the subsequent process.
  • if the first CAG ID list and the second CAG ID list have exactly one CAG ID in common, that CAG ID is used as the CAG ID requested for access. If they have two or more CAG IDs in common, one of them is selected as the CAG ID requested for access, or one is selected from them according to a preset rule.
  • before receiving the system broadcast message carrying the first CAG ID list, a second CAG ID list may be configured in the terminal, and the second CAG ID list includes at least one CAG ID that the terminal is allowed to access.
  • Step S3030 Encrypt the CAG ID requesting access to obtain the encrypted CAG ID requesting access.
  • Step S3040 Send a registration request message.
  • the registration request message includes the encrypted CAG ID for requesting access and the SUCI of the terminal.
  • Step S3030 and step S3040 are similar to step S2010 and step S2020, and will not be repeated here.
  • Fig. 4 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in Fig. 4, the method provided by this embodiment includes the following steps.
  • Step S4010 Receive a registration request message sent by the terminal.
  • the registration request message includes the encrypted CAG ID for requesting access and the SUCI of the terminal.
  • the method for accessing a closed access group is applied to network devices in a mobile communication system.
  • these network devices are the network elements that perform authentication and security verification on terminals, including but not limited to one or more of AMF, AUSF and UDM/SIDF.
  • when the terminal needs to access the private network, that is, the closed access group, it needs to send the CAG ID requested for access to the device that performs authentication and security verification in the network. Because the CAG ID is sent in plain text and the registration request message carrying the CAG ID is sent over the air interface, the CAG ID is easy to leak, which affects the security of the closed access group.
  • the network element that authenticates and secures the terminal receives the registration request message sent by the terminal, and the registration request message includes the encrypted CAG ID for requesting access and the SUCI of the terminal.
  • the SUCI of the terminal can be parsed to obtain the SUPI of the terminal, and thereby the home network of the terminal, and the encrypted CAG ID requested for access can be decrypted to obtain the CAG ID requested for access. The network element that performs authentication and security verification on the terminal can then authenticate and verify the terminal using the SUPI of the terminal and the CAG ID requested for access, and determine whether the terminal can access the CAG corresponding to the CAG ID requested for access.
  • the encryption method used by the terminal to encrypt the CAG ID requested for access can be any encryption method, provided it corresponds to the decryption method in the network element that performs authentication and security verification on the terminal.
  • the secret key used by the terminal to encrypt the CAG ID may also be one or more possible ways, and correspond to the secret key in the network element that authenticates and secures the terminal.
  • Step S4020 parse the SUCI of the terminal into the SUPI of the terminal, and decrypt the encrypted CAG ID requesting access into the CAG ID requesting access.
  • the network element that performs authentication and security verification on the terminal can decrypt the encrypted CAG ID requested for access into the CAG ID requested for access, and parse the terminal's SUCI. For example, UDM/SIDF parses the terminal's SUCI into the terminal's SUPI, decrypts the encrypted CAG ID requested for access into the CAG ID requested for access, and then sends the terminal's SUPI together with the CAG ID requested for access to the AMF.
  • the method by which the terminal encrypts the CAG ID requested for access may be to use the public key of the terminal's home network to encrypt it, obtaining the encrypted CAG ID requested for access. The UDM or SIDF that receives the registration request message parses the SUCI of the terminal into the SUPI of the terminal; once the SUPI is obtained, the home network can be determined, so the public key of the terminal's home network can be used to decrypt the encrypted CAG ID requested for access into the CAG ID requested for access.
  • Step S4030 Obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal.
  • the network element that performs authentication and security verification of the terminal can determine the home network of the terminal according to the SUPI of the terminal, and then can obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal.
  • the first CAG ID list includes at least one CAG ID that the terminal is allowed to access.
  • the AMF that receives the SUPI of the terminal and the CAG ID requested to access from the UDM/SIDF obtains the first CAG ID list from the home network of the terminal according to the SUPI of the terminal.
  • obtaining the first CAG ID list from the terminal's home network according to the terminal's SUPI includes: sending a CAG ID list request message, which includes the SUPI, to the terminal's home network; and receiving the first CAG ID list sent by the terminal's home network.
  • Step S4040 It is judged whether the CAG ID requested for access matches the first CAG ID list, and if they match, a registration acceptance message is sent to the terminal.
  • the network element that performs authentication and security verification on the terminal determines whether the CAG ID requested for access matches the first CAG ID list; if they match, it determines that the terminal can access the CAG corresponding to the CAG ID requested for access, so it can send a registration acceptance message to the terminal.
  • the AMF determines whether the CAG ID requested for access matches the first CAG ID list, and if there is a match, it sends a registration acceptance message to the terminal.
  • judging whether the CAG ID requested for access matches the first CAG ID list may consist of judging whether the CAG ID requested for access is the same as any CAG ID in the first CAG ID list: if it is, the CAG ID requested for access is determined to match the first CAG ID list; if it is not the same as any CAG ID in the first CAG ID list, it is determined not to match.
  • if they do not match, a registration rejection message is sent to the terminal.
  • Fig. 5 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in Fig. 5, the method provided by this embodiment includes the following steps.
  • Step S5010 Receive a registration request message sent by the terminal.
  • the registration request message includes the extended SUCI of the terminal.
  • the extended SUCI of the terminal is obtained by using the public key of the terminal's home network to jointly encrypt the CAG ID for access and the SUCI of the terminal.
  • in the preceding embodiment, the received registration request message sent by the terminal includes the encrypted CAG ID requested for access and the SUCI of the terminal; in this embodiment, the received registration request message sent by the terminal instead includes the extended SUCI of the terminal.
  • the extended SUCI of the terminal is obtained by using the public key of the terminal's home network to jointly encrypt the CAG ID of the requesting access and the SUCI of the terminal.
  • step S5020 the UDM or SIDF uses the public key of the terminal's home network to decrypt the extended SUCI of the terminal into the CAG ID of the requesting access and the SUCI of the terminal, and parse the SUCI of the terminal into the SUPI of the terminal.
  • after UDM or SIDF receives the extended SUCI, it can learn the home network of the terminal from the relevant information of the terminal, obtain the public key of the terminal's home network, and use the obtained public key to decrypt the extended SUCI into the CAG ID requested for access and the SUCI of the terminal. UDM or SIDF can then also parse the terminal's SUCI into the terminal's SUPI.
  • step S5030 the UDM or SIDF sends the SUPI of the terminal and the CAG ID that requests access to the AMF.
  • Step S5040 The AMF obtains the first CAG ID list from the home network of the terminal according to the SUPI of the terminal.
  • step S5050 the AMF judges whether the CAG ID requested for access matches the first CAG ID list, and if they match, sends a registration acceptance message to the terminal.
  • Step S5030-Step S5050 are similar to the authentication and security verification process in the embodiment shown in FIG. 1, and will not be repeated here.
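The flows of FIG. 1 through FIG. 5 as one runnable model: terminal-side selection of the requested CAG ID (S1030/S3020), encryption and sending (S2010/S2020, S3030/S3040), the extended SUCI of S5010, and the network-side de-concealing, list retrieval and matching (S4020 to S4040, S5020 to S5050). This is an added example, not code from the patent or from ZTE. The patent leaves the cipher open ("any encryption method") and real 5G SUCI concealment uses ECIES under the home-network public key, which the Python standard library cannot do offline, so the example substitutes a standard-library encrypt-then-MAC construction (HMAC-SHA256 keystream plus tag) under a constructed key shared by the terminal and the UDM/SIDF, with decryption done by the holder of that key. The SUPI, subscription record, key and the {2,3,4,5} / {1,2,3} lists are constructed sample values; `seal`, `open_sealed`, `select_cag_id`, `udm_sidf_resolve` and `amf_handle_registration` are names chosen here.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (not from the patent): the key shared by the terminal and
# the home network's UDM/SIDF, and the subscription record the home network returns
# in step S4030 (the "first CAG ID list", {2,3,4,5} as in the FIG. 1 walk-through).
HOME_NETWORK_KEY = b"constructed-home-network-key"
SUBSCRIPTIONS = {"imsi-460110123456789": [2, 3, 4, 5]}
NONCE_LEN = TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: the stand-in keystream generator."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for 'any encryption method': encrypt-then-MAC, nonce || ct || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Inverse of seal(); None when the tag fails (garbled or tampered ciphertext)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


# ---- terminal side (S1030/S3020, S2010/S3030, S2020/S3040, S5010) ----
def select_cag_id(configured: list, broadcast: list) -> Optional[int]:
    """Intersect the terminal's own (second) list with the cell's broadcast (first)
    list. The 'preset rule' for several matches is, here, the lowest ID.
    None means no common ID: the terminal cannot form a request and stops."""
    common = sorted(set(configured) & set(broadcast))
    return common[0] if common else None


def conceal_supi(supi: str) -> bytes:
    """SUCI stand-in: the SUPI concealed under the home-network key."""
    return seal(HOME_NETWORK_KEY, supi.encode())


def build_registration_request(supi: str, cag_id: int) -> dict:
    """FIG. 2 / FIG. 4 form: separately encrypted CAG ID plus the SUCI."""
    return {"enc_cag_id": seal(HOME_NETWORK_KEY, str(cag_id).encode()),
            "suci": conceal_supi(supi)}


def build_registration_request_extended(supi: str, cag_id: int) -> dict:
    """FIG. 5 form: CAG ID and SUCI jointly encrypted into one 'extended SUCI'."""
    joint = str(cag_id).encode() + b"|" + conceal_supi(supi)
    return {"extended_suci": seal(HOME_NETWORK_KEY, joint)}


# ---- network side (UDM/SIDF then AMF: S4020-S4040, S5020-S5050) ----
def udm_sidf_resolve(msg: dict) -> Optional[tuple]:
    """De-conceal SUCI -> SUPI and recover the requested CAG ID; None if undecryptable."""
    if "extended_suci" in msg:
        joint = open_sealed(HOME_NETWORK_KEY, msg["extended_suci"])
        if joint is None:
            return None
        cag, suci = joint.split(b"|", 1)
    else:
        cag, suci = open_sealed(HOME_NETWORK_KEY, msg["enc_cag_id"]), msg["suci"]
        if cag is None:
            return None
    supi = open_sealed(HOME_NETWORK_KEY, suci)
    return None if supi is None else (supi.decode(), int(cag))


def amf_handle_registration(msg: dict) -> str:
    """AMF decision: fetch the first CAG ID list by SUPI, accept iff the requested ID
    is in it. Anything that cannot be decrypted or resolved is treated as a mismatch."""
    resolved = udm_sidf_resolve(msg)
    if resolved is None:
        return "REGISTRATION REJECT"
    supi, cag_id = resolved
    first_cag_id_list = SUBSCRIPTIONS.get(supi, [])   # S4030: CAG ID list request by SUPI
    return "REGISTRATION ACCEPT" if cag_id in first_cag_id_list else "REGISTRATION REJECT"


if __name__ == "__main__":
    cag = select_cag_id([2, 3, 4, 5], [1, 2, 3])   # FIG. 1 walk-through: picks 2
    req = build_registration_request("imsi-460110123456789", cag)
    print(cag, amf_handle_registration(req))
```

A ciphertext whose tag does not verify is handled exactly like a CAG ID that is not in the first list: the AMF rejects, and never falls back to reading the field as plaintext. An unknown SUPI yields an empty list and is also rejected, which keeps the S4040 decision a single membership test.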
  • Fig. 6 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in Fig. 6, the method provided by this embodiment includes the following steps.
  • Step S6010 encrypt the CAG ID requesting access to obtain the first encrypted CAG ID requesting access.
  • the method for accessing a closed access group is applied to a terminal device in a mobile communication system, referred to as a terminal.
  • when the terminal needs to access the private network, that is, the closed access group, it needs to send the CAG ID requested for access to the device that performs authentication and security verification in the network. Because the CAG ID is sent in plain text and the registration request message carrying the CAG ID is sent over the air interface, the CAG ID is easy to leak, which affects the security of the closed access group.
  • when the terminal needs to access the closed access group, after determining the CAG ID requested for access, it first encrypts the CAG ID requested for access to obtain the first encrypted CAG ID requested for access.
  • the encryption method used for encrypting the CAG ID can adopt any encryption method, and it corresponds to the decryption method in the network element that performs authentication and security verification on the terminal.
  • the secret key used to encrypt the CAG ID can also be one or more possible ways, and it corresponds to the secret key in the network element that authenticates and verifies the security of the terminal.
  • Step S6020 Send a registration request message.
  • the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
  • the terminal can send a registration request message.
  • the registration request message includes the first encrypted CAG ID requesting access and the terminal's 5th Generation mobile communication system Globally Unique Temporary UE Identity (5G-GUTI).
  • the terminal sends a registration request message through the air interface, and the base station accessed by the terminal or the serving base station of the cell where the terminal is located will receive the registration request message.
  • the base station that receives the registration request message will send the registration request message to the network elements that perform authentication and security verification on the terminal, including AMF, AUSF, UDM/SIDF, etc.
  • the above-mentioned network elements can determine, according to the 5G-GUTI of the terminal, whether the current network element is one that once served the terminal. If so, because a network element that once served the terminal stores various information related to the terminal, it can directly use that information to determine the terminal's home network, the way in which the terminal produced the first encrypted CAG ID requesting access, and other related information, and so decrypt the first encrypted CAG ID requesting access to obtain the CAG ID requesting access, and obtain the first CAG ID list that the terminal is allowed to access. It is then determined whether the terminal can access the CAG corresponding to the CAG ID requesting access. If the terminal is allowed to access that CAG, the terminal receives a registration acceptance message; if it is not allowed, the terminal receives a registration rejection message.
  • In this embodiment the CAG ID requesting access is encrypted, and a registration request message is sent that includes the first encrypted CAG ID requesting access and the 5G-GUTI of the terminal. This provides a method for accessing a closed access group that protects the closed access group: because the CAG ID requesting access is encrypted, leakage of the CAG ID from the registration request message sent over the air interface is avoided, and the security of access to the CAG is improved.
  • encrypting the CAG ID requesting access to obtain the first encrypted CAG ID requesting access includes: encrypting the CAG ID requesting access with the encryption key in the security context corresponding to the terminal's 5G-GUTI to obtain the first encrypted CAG ID requesting access. After the terminal sends the registration request message, since the message includes both the first encrypted CAG ID requesting access and the 5G-GUTI of the terminal, the network element that receives the registration request message and performs authentication and security verification on the terminal can determine from the 5G-GUTI whether the current network element is one that once served the terminal.
  • a network element that once served the terminal stores various information related to the terminal, including the encryption key in the security context corresponding to the terminal's 5G-GUTI, so the network element that performs authentication and security verification on the terminal can directly use that encryption key to decrypt the first encrypted CAG ID requesting access and obtain the CAG ID requesting access.
  • FIG. 7 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 7, the method provided by this embodiment includes the following steps.
  • Step S7010 Encrypt the CAG ID requesting access to obtain the first encrypted CAG ID requesting access.
  • Step S7020 Send a registration request message.
  • the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
  • Step S7010 and step S7020 are the same as step S6010 and step S6020, and will not be repeated here.
  • Step S7030 Receive the identification request message sent by the AMF.
  • After the terminal sends the registration request message, if the network element that received it is one that once served the terminal, that network element may have saved information related to the terminal and can therefore decrypt the first encrypted CAG ID requesting access. If the network element that received the registration request message has never served the terminal, or has served the terminal but has not saved the terminal's related information, then the first encrypted CAG ID requesting access cannot be decrypted. In that case the terminal receives the identification request message sent by the AMF; that is, the identification request message is received after the first encrypted CAG ID requesting access could not be decrypted by means of the terminal's 5G-GUTI.
  • Step S7040 Use the public key of the home network to encrypt the CAG ID that requests access to obtain the second encrypted CAG ID that requests access.
  • After the terminal receives the identification request message, it can use the public key of the home network to encrypt the CAG ID requesting access to obtain the second encrypted CAG ID requesting access.
  • Step S7050 Send an identification response message to the AMF.
  • the identification response message includes the second encrypted CAG ID that requests access and the SUCI of the terminal.
  • the terminal sends an identification response message to the AMF, and the identification response message includes the second encrypted CAG ID requesting access and the SUCI of the terminal. Since the identification response message includes both, the AMF that receives it can learn the terminal's home network from the terminal's SUCI and obtain the public key of that home network, and the obtained public key can then be used to decrypt the second encrypted CAG ID requesting access to obtain the CAG ID requesting access. In addition, the AMF can obtain the first CAG ID list that the terminal is allowed to access according to the SUCI of the terminal.
  • It is then determined whether the terminal can access the CAG corresponding to the CAG ID requesting access. If the terminal is allowed to access that CAG, the terminal receives a registration acceptance message; if it is not allowed, the terminal receives a registration rejection message.
  • After the terminal receives the identification request message sent by the AMF, it can also use the public key of the home network to encrypt the CAG ID requesting access together with the SUCI of the terminal to obtain the extended SUCI of the terminal; the terminal then sends an identification response message to the AMF, and the identification response message includes the extended SUCI of the terminal.
  • the AMF that receives the identification response message can learn the home network of the terminal from the terminal's related information and can therefore obtain the public key of that home network, so the obtained public key can be used to decrypt the extended SUCI to obtain the CAG ID requesting access and the SUCI of the terminal.
  • the AMF can also obtain the first CAG ID list that the terminal is allowed to access according to the SUCI of the terminal. It is then determined whether the terminal can access the CAG corresponding to the CAG ID requesting access: if so, the terminal receives a registration acceptance message; if not, the terminal receives a registration rejection message.
  • before encrypting the CAG ID requesting access to obtain the first encrypted CAG ID requesting access, the method further includes: receiving a system broadcast message carrying the first CAG ID list; and matching the second CAG ID list configured in the terminal itself against the first CAG ID list to determine the CAG ID requesting access.
  • the first CAG ID list includes at least one CAG ID that the terminal is allowed to access.
  • matching the second CAG ID list configured in the terminal itself against the first CAG ID list to determine the CAG ID requesting access includes: matching the two lists and determining that a CAG ID present in both the second CAG ID list and the first CAG ID list is the CAG ID requesting access.
  • the method for matching the second CAG ID list configured in the terminal itself against the first CAG ID list may be to determine that a CAG ID present in both lists is the CAG ID requesting access. There may be one or more CAG IDs common to the first and second CAG ID lists, or the two lists may have no CAG ID in common. If they have no CAG ID in common, the terminal is not allowed to access the CAG; the terminal therefore cannot determine a CAG ID requesting access and does not proceed with the subsequent process. If the two lists have exactly one CAG ID in common, that CAG ID is used as the CAG ID requesting access. If they have two or more CAG IDs in common, one of them can be selected as the CAG ID requesting access, or one is selected from them according to a preset rule.
  • a second CAG ID list may also be configured in the terminal, and the second CAG ID list includes at least one CAG ID that is allowed to be accessed.
  • FIG. 8 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 8, the method provided by this embodiment includes the following steps.
  • Step S8010 Receive a registration request message sent by the terminal.
  • the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
  • the method for accessing a closed access group is applied to network devices in a mobile communication system.
  • These network devices are network elements that perform authentication and security verification on terminals, including but not limited to one or more of the AMF, AUSF and UDM/SIDF.
  • When the terminal needs to access a private network, that is, a closed access group, it needs to send the CAG ID requesting access to the device in the network that performs authentication and security verification. Because the CAG ID is sent in plain text, and the registration request message carrying the CAG ID is sent over the air interface, the CAG ID is easy to leak, which affects the security of the closed access group.
  • the network element that authenticates and secures the terminal receives the registration request message sent by the terminal, and the registration request message includes the encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
  • the network element that performs authentication and security verification on the terminal can determine whether the current network element is a network element that once served the terminal according to the 5G-GUTI of the terminal.
  • the encryption method used by the terminal to perform the first encryption of the CAG ID requesting access may be any encryption method, provided it corresponds to the decryption method in the network element that performs authentication and security verification on the terminal.
  • the secret key used by the terminal to encrypt the CAG ID may likewise be chosen in one of several possible ways, provided it corresponds to the secret key held by the network element that performs authentication and security verification on the terminal.
  • Step S8020 Determine whether the current AMF is a historical AMF that has once served the terminal according to the 5G-GUTI of the terminal.
  • After receiving the 5G-GUTI of the terminal and the first encrypted CAG ID, the network element that performs authentication and security verification on the terminal first determines, according to the 5G-GUTI, whether the current AMF is a historical AMF that has served the terminal. Since terminal-related information is stored in a historical AMF that once served the terminal, the 5G-GUTI is sufficient to make this determination.
  • Step S8030 if the current AMF is a historical AMF that has served the terminal, and the SUPI of the terminal is stored in the current AMF, obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypt the first encrypted CAG ID requesting access into the CAG ID requesting access.
  • the SUPI of the terminal may or may not be saved in the current AMF. If the current AMF is a historical AMF that has served the terminal and the SUPI of the terminal is stored in it, the current AMF can obtain the first CAG ID list from the terminal's home network according to the SUPI of the terminal, and decrypt the first encrypted CAG ID requesting access into the CAG ID requesting access.
  • the secret key and encryption method used by the current AMF to decrypt the first encrypted CAG ID requested to access may be preset in the terminal and the AMF, or may be saved when the current AMF is previously serving the terminal.
  • the security context of the terminal is stored in the current AMF, and the encryption key is included in the security context. Then the terminal can use the encryption key in the security context to encrypt the CAG ID that requests access to obtain the first encrypted CAG ID that requests access.
  • the current AMF may also use the stored encryption key in the security context of the terminal to decrypt the first encrypted CAG ID requesting access to obtain the CAG ID requesting access.
  • Step S8040 Determine whether the CAG ID requested for access matches the first CAG ID list, and if they match, send a registration acceptance message to the terminal.
  • This step is the same as step S4040 and will not be repeated here.
  • Step S8050 if the current AMF is a historical AMF that has served the terminal, and the SUPI of the terminal is not stored in the current AMF, the current AMF sends an identification request message to the terminal.
  • If the current AMF is a historical AMF that has served the terminal but the SUPI of the terminal is not stored in the current AMF, the current AMF cannot decrypt the first encrypted CAG ID requesting access sent by the terminal. The current AMF therefore sends an identification request message to the terminal, requesting the terminal to send the CAG ID requesting access again.
  • Step S8060 Receive an identification response message sent by the terminal.
  • the identification response message includes the CAG ID of the second encrypted access request that is encrypted by the terminal using the public key of the home network and the SUCI of the terminal.
  • After the terminal receives the identification request message, in order to keep the CAG ID secure, the terminal can use the public key of the home network to encrypt the CAG ID requesting access to obtain the second encrypted CAG ID requesting access. The current AMF then receives the identification response message sent by the terminal, which includes the second encrypted CAG ID requesting access, encrypted by the terminal with the public key of the home network, and the SUCI of the terminal.
  • Step S8070 the UDM or SIDF parses the SUCI of the terminal into the SUPI of the terminal, and uses the public key of the terminal's home network to decrypt the second encrypted CAG ID requesting access into the CAG ID requesting access.
  • Step S8080 Obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal.
  • Step S8090 It is judged whether the CAG ID requested for access matches the first CAG ID list, and if they match, a registration acceptance message is sent to the terminal.
  • Step S8070-step S8090 are similar to step S4020-step S4040 in the embodiment shown in FIG. 4, and will not be repeated here.
  • the identification response message includes the extended SUCI obtained after the terminal uses the public key of the home network to jointly encrypt the CAG ID that the terminal requests to access and the SUCI of the terminal.
  • the extended SUCI of the terminal is obtained by using the public key of the terminal's home network to jointly encrypt the CAG ID of the requesting access and the SUCI of the terminal.
  • UDM or SIDF uses the public key of the terminal's home network to decrypt the extended SUCI of the terminal into the CAG ID requesting access and the SUCI of the terminal, and parses the SUCI of the terminal into the SUPI of the terminal.
  • UDM or SIDF parses the SUCI of the terminal into the SUPI of the terminal, and obtains the first CAG ID list from the home network of the terminal according to the SUPI of the terminal. It is determined whether the CAG ID requested for access matches the first CAG ID list, and if they match, a registration acceptance message is sent to the terminal.
  • Step S8100 if the current AMF has not served the terminal, the current AMF determines the historical AMF that has served the terminal according to the 5G-GUTI of the terminal, and sends the context transmission request message of the terminal to the historical AMF.
  • the context transmission request message of the terminal includes the terminal’s 5G-GUTI.
  • If the current AMF has not served the terminal, information related to the terminal is not stored in the current AMF. Since the current AMF has nevertheless received the 5G-GUTI of the terminal, it can determine from the 5G-GUTI which historical AMF has served the terminal. The current AMF then sends the context transmission request message of the terminal to that historical AMF, and the context transmission request message includes the 5G-GUTI of the terminal.
  • Step S8110 The current AMF receives the context transmission response message sent by the historical AMF, and the context transmission response message includes the security context of the terminal and the first CAG ID list.
  • After the current AMF receives the context transmission response message sent by the historical AMF, it learns the security context of the terminal and can obtain the first CAG ID list.
  • Step S8120 The current AMF uses the private key in the security context of the terminal to decrypt the first encrypted CAG ID requesting access into the CAG ID requesting access.
  • Step S8130 It is judged whether the CAG ID requested for access matches the first CAG ID list, and if they match, a registration acceptance message is sent to the terminal.
  • the current AMF can receive the security context of the terminal sent by the historical AMF, and can directly use the key in the received security context to decrypt the encrypted CAG ID requesting access.
  • If the historical AMF that served the terminal does not store information related to the terminal, the current AMF needs to handle the request in another way.
  • Step S8140 If the current AMF does not receive the context transmission response message of the terminal sent by the historical AMF, the current AMF sends an identification request message to the terminal.
  • the current AMF will send an identification request message to the terminal, requesting the terminal to resend the CAG ID that the current AMF can decrypt.
  • Step S8150 Receive an identification response message sent by the terminal.
  • the identification response message includes the CAG ID of the second encrypted access request encrypted by the terminal using the public key of the home network and the SUCI of the terminal.
  • Step S8160 the UDM or SIDF parses the SUCI of the terminal into the SUPI of the terminal, and uses the public key of the terminal's home network to decrypt the second encrypted CAG ID requesting access into the CAG ID requesting access.
  • Step S8170 Obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal.
  • Step S8180 Determine whether the CAG ID requested for access matches the first CAG ID list, and if they match, send a registration acceptance message to the terminal.
  • Step S8150-step S8180 are the same as step S8060-step S8090, and will not be repeated here.
  • the identification response message includes the extended SUCI obtained after the terminal uses the public key of the home network to jointly encrypt the CAG ID that the terminal requests to access and the SUCI of the terminal.
  • the extended SUCI of the terminal is obtained by using the public key of the terminal's home network to jointly encrypt the CAG ID of the requesting access and the SUCI of the terminal.
  • UDM or SIDF uses the public key of the terminal's home network to decrypt the extended SUCI of the terminal into the CAG ID requesting access and the SUCI of the terminal, and parses the SUCI of the terminal into the SUPI of the terminal.
  • UDM or SIDF parses the SUCI of the terminal into SUPI of the terminal, and obtains the first CAG ID list from the home network of the terminal according to the SUPI of the terminal. It is determined whether the CAG ID requested for access matches the first CAG ID list, and if they match, a registration acceptance message is sent to the terminal.
  • judging whether the CAG ID requesting access matches the first CAG ID list includes: judging whether the CAG ID requesting access is the same as any CAG ID in the first CAG ID list, and if so, determining that the CAG ID requesting access matches the first CAG ID list.
  • after judging whether the CAG ID requesting access matches the first CAG ID list, the method further includes: if there is no match, sending a registration rejection message to the terminal.
  • FIG. 9 is an interaction flowchart of a method for accessing a closed access group provided by an embodiment. As shown in FIG. 9, the method provided in this embodiment includes the following steps.
  • Step S9010 Configure a list of CAG IDs allowed to be accessed on the mobile terminal, for example {2,3,4,5}.
  • Step S9020 The network carries a list of CAG IDs supported by the cell in the broadcast system message, such as {1,2,3}.
  • Step S9030 After receiving the message, the terminal compares the two lists, and selects one of the matched CAG IDs as the CAG ID requesting access, for example selecting 2 from {2, 3}.
  • Step S9040 The terminal uses the public key of the home network to encrypt the CAG ID requesting access to obtain the encrypted CAG ID requesting access; alternatively, the terminal can use the public key of the home network to encrypt the CAG ID requesting access together with the SUPI to obtain an extended SUCI. The terminal sends a registration request message to the network, which carries the encrypted CAG ID requesting access and also carries the SUCI; in the case of joint encryption, the request message carries the extended SUCI instead.
  • Step S9050 Authentication and security process, in which the UDM/SIDF parses the SUCI into the SUPI and also parses the encrypted CAG ID requesting access into the CAG ID requesting access; the UDM/SIDF returns the SUPI and the CAG ID requesting access to the AMF.
  • Step S9060 The AMF obtains the list of CAG IDs allowed to be accessed from the home network, with the request message carrying the SUPI parameter; the list is, for example, {2, 3, 4, 5}.
  • Step S9070 Access control: the AMF determines whether the terminal is allowed to access the CAG by checking whether the CAG ID received in the registration message is included in the list of CAG IDs allowed to be accessed obtained from the home network. If it is, access is allowed; if not, access is denied. For example, since 2 is in {2,3,4,5}, access is allowed.
  • Step S9080 If it is accessible, the AMF returns a registration acceptance message to the terminal.
  • Step S9090 If the access is not available, the AMF returns a registration rejection message to the terminal.
  • FIG. 10 is an interaction flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 10, the method provided by this embodiment includes the following steps.
  • Step S10010 Configure a list of CAG IDs allowed to be accessed on the mobile terminal, such as {2,3,4,5}.
  • Step S10020 The network carries a list of CAG IDs supported by the cell in the broadcast system message, such as {1,2,3}.
  • Step S10030 After receiving the message, the terminal compares the two lists, and selects one of the matched CAG IDs as the CAG ID requesting access, for example selecting 2 from {2, 3}.
  • Step S10040 If the terminal has a temporary user identity 5G-GUTI and a security context for the visited network with which it requests registration, the terminal uses the encryption key in the security context to encrypt the CAG ID requesting access to obtain the encrypted CAG ID requesting access; the terminal sends a registration request message to the network, which carries the encrypted CAG ID requesting access and also carries the 5G-GUTI.
  • Step S10050 If the current AMF (new AMF) that received the registration message is the historical AMF (old AMF) that served the terminal last time, and the SUPI and security context of the terminal still exist, the encryption key in the security context is used to decrypt the encrypted CAG ID requesting access to obtain the CAG ID requesting access; if the new AMF is not the old AMF that served the terminal last time, the new AMF sends a terminal context transmission request message to the old AMF, and the message carries the 5G-GUTI.
  • Step S10060 The old AMF returns the SUPI and security context of the terminal to the new AMF.
  • the new AMF can then use the encryption key in the security context to decrypt the encrypted CAG ID requesting access to obtain the CAG ID requesting access; the return message also includes the list of CAG IDs allowed to be accessed, for example {2,3,4,5}.
  • Step S10070 If the SUPI and context of the terminal are not stored on the old AMF, the new AMF sends an identification request message to the terminal.
  • Step S10080 The terminal uses the public key of the home network to encrypt the CAG ID requesting access to obtain the encrypted CAG ID requesting access; alternatively, the terminal can use the public key of the home network to encrypt the CAG ID requesting access together with the SUPI to obtain an extended SUCI. The terminal returns an identification response message to the new AMF, which carries the encrypted CAG ID requesting access and also carries the SUCI; in the case of joint encryption, the response message carries the extended SUCI instead.
  • Step S10090 Authentication and security process. If step S10060 successfully returned the SUPI, this step need not include SUCI parsing and CAG ID parsing; if step S10060 was unsuccessful, the UDM/SIDF parses the SUCI into the SUPI during this step and also parses the encrypted CAG ID requesting access into the CAG ID requesting access; the UDM/SIDF returns the SUPI and the CAG ID requesting access to the AMF.
  • Step S10100 If step S10060 was unsuccessful, the AMF obtains the list of CAG IDs allowed to be accessed from the home network, with the request message carrying the SUPI parameter; the list is, for example, {2,3,4,5}.
  • Step S10110 Access control: the AMF determines whether the terminal is allowed to access the CAG by checking whether the CAG ID received in the registration message is included in the list of CAG IDs allowed to be accessed obtained from the home network. If it is, access is allowed; if not, access is denied. For example, since 2 is in {2,3,4,5}, access is allowed.
  • Step S10120 If it is accessible, the AMF returns a registration acceptance message to the terminal.
  • Step S10130 If access is not available, the AMF returns a registration rejection message to the terminal.
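  The following is an added worked example, written for this page and not code from the patent or from ZTE, that simulates the 5G-GUTI path of FIG. 10 (steps S10010 to S10130) together with the CAG ID list matching of FIG. 9 and the matching rule described earlier (a CAG ID common to the terminal's configured list and the broadcast list; no common ID means the terminal stops). Everything not stated on the page is my assumption: the 5G-GUTI is modelled as the string "amf-name-tmsi", relying only on the fact that the GUAMI part of a real 5G-GUTI identifies the AMF that allocated it; the "encryption key" of the security context is a 32-byte shared key; the NAS ciphering algorithm is stood in for by a toy HMAC-SHA256 keystream XOR with an HMAC tag, used purely so the example runs offline; the preset selection rule is "smallest common ID"; and the sample lists and key are constructed.

```python
"""Simulation of the FIG. 10 registration flow (added example; assumptions in comments)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def select_cag_id(configured: List[int], broadcast: List[int]) -> Optional[int]:
    """Steps S10010-S10030: intersect the terminal's configured list with the
    cell's broadcast list.  Assumed preset rule: the smallest common ID.
    None means no common CAG ID, so the terminal does not proceed."""
    matched = set(configured) & set(broadcast)
    return min(matched) if matched else None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (stand-in for the NAS cipher): HMAC-SHA256 over nonce||counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_cag_id(key: bytes, cag_id: int) -> bytes:
    """Step S10040: terminal encrypts the CAG ID with the security-context key.
    Assumed layout: 12-byte nonce || 4-byte ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    plaintext = cag_id.to_bytes(4, "big")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, 4)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def decrypt_cag_id(key: bytes, blob: bytes) -> int:
    """AMF side of S10050/S10060: check the tag first, then decrypt.  A bad tag
    (tampered message or wrong key) raises instead of yielding a bogus CAG ID."""
    nonce, ciphertext, tag = blob[:12], blob[12:16], blob[16:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("CAG ID integrity check failed")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, 4)))
    return int.from_bytes(plaintext, "big")


@dataclass
class Amf:
    """An AMF holding terminal contexts keyed by 5G-GUTI.  Each context holds the
    SUPI, the security-context key and the CAG ID list allowed by the home
    network (what the old AMF returns in step S10060)."""
    name: str
    contexts: Dict[str, dict] = field(default_factory=dict)


def handle_registration(amfs: Dict[str, Amf], current: str, guti: str,
                        encrypted_cag_id: bytes) -> Tuple[str, str]:
    """Steps S10050-S10130 on the AMF that received the registration request.
    Returns (outcome, branch) so the caller can see which path was taken."""
    ctx = amfs[current].contexts.get(guti)
    if ctx is not None:
        branch = "current-amf-is-old-amf"             # S10050, first case
    else:
        old_name = guti.rsplit("-", 1)[0]             # assumed: GUTI names the old AMF
        ctx = amfs[old_name].contexts.get(guti)       # S10050/S10060 context transfer
        if ctx is None:
            return "IDENTIFICATION_REQUEST", "old-amf-has-no-context"  # S10070
        branch = "context-transferred-from-old-amf"
    cag_id = decrypt_cag_id(ctx["key"], encrypted_cag_id)
    # S10110: access control is against the home network's list, not the broadcast list
    if cag_id in ctx["allowed"]:
        return "REGISTRATION_ACCEPT", branch          # S10120
    return "REGISTRATION_REJECT", branch              # S10130


def run_example() -> dict:
    """FIG. 10 values: terminal list {2,3,4,5}, broadcast {1,2,3}, home list {2,3,4,5}."""
    key = bytes(range(32))                            # constructed sample key
    guti = "amf1-000001"                              # constructed; allocated by amf1
    ctx = {"supi": "supi-placeholder", "key": key, "allowed": [2, 3, 4, 5]}
    amfs = {"amf1": Amf("amf1", {guti: ctx}), "amf2": Amf("amf2"), "amf3": Amf("amf3")}
    cag_id = select_cag_id([2, 3, 4, 5], [1, 2, 3])
    blob = encrypt_cag_id(key, cag_id)
    same_amf = handle_registration(amfs, "amf1", guti, blob)
    new_amf = handle_registration(amfs, "amf2", guti, blob)
    amfs["amf1"].contexts.clear()                     # old AMF has lost the context
    lost = handle_registration(amfs, "amf3", guti, blob)
    return {"cag_id": cag_id, "same_amf": same_amf, "new_amf": new_amf, "lost": lost}


if __name__ == "__main__":
    print(run_example())
```

The three calls in `run_example` exercise the three branches of step S10050 onward: the new AMF is the old AMF, the new AMF fetches the context from the old AMF, and the old AMF no longer has it, which falls back to the identification request of step S10070. The tag check in `decrypt_cag_id` is a design choice of this example rather than something the page specifies: an AMF that decrypts an unauthenticated CAG ID could be made to run access control on a value the terminal never sent.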
  • FIG. 11 is a schematic structural diagram of an apparatus for accessing a closed access group provided by an embodiment.
  • the apparatus for accessing a closed access group provided by this embodiment includes: an encryption module 111, configured to encrypt the CAG ID requesting access to obtain the encrypted CAG ID requesting access; and a sending module 112, configured to send a registration request message, the registration request message including the encrypted CAG ID requesting access and the SUCI of the terminal.
  • the apparatus for accessing a closed access group provided in this embodiment is used to implement the method for accessing a closed access group in the embodiment shown in FIG. 2.
  • the implementation principle and technical effect of the apparatus for accessing a closed access group provided in this embodiment are similar to those of that method, and will not be repeated here.
  • FIG. 12 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment.
  • the apparatus for accessing a closed access group provided by this embodiment includes: a receiving module 121, configured to receive a registration request message sent by a terminal, the registration request message including the encrypted CAG ID requesting access and the SUCI of the terminal; a decryption module 122, configured to parse the SUCI of the terminal into the SUPI of the terminal and to decrypt the encrypted CAG ID requesting access into the CAG ID requesting access;
  • an acquiring module 123, configured to acquire the first CAG ID list from the terminal's home network according to the SUPI of the terminal; and a determining module 124, configured to determine whether the CAG ID requesting access matches the first CAG ID list, and if it matches, to send a registration acceptance message to the terminal.
  • the apparatus for accessing a closed access group provided in this embodiment is used to implement the method for accessing a closed access group in the embodiment shown in FIG. 4.
  • The implementation principle and technical effect of the apparatus provided by this embodiment are similar to those of that method and are not repeated here.
  • FIG. 13 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment.
  • The apparatus for accessing a closed access group provided by this embodiment includes: an encryption module 131, configured to encrypt the CAG ID requested for access to obtain the first encrypted CAG ID requested for access; and a sending module 132, configured to send a registration request message, the registration request message including the first encrypted CAG ID requested for access and the 5G-GUTI of the terminal.
  • the apparatus for accessing a closed access group provided in this embodiment is used to implement the method for accessing a closed access group in the embodiment shown in FIG. 6.
  • The implementation principle and technical effect of the apparatus provided by this embodiment are similar to those of that method and are not repeated here.
  • FIG. 14 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment.
  • The apparatus for accessing a closed access group provided by this embodiment includes: a receiving module 141, configured to receive a registration request message sent by a terminal, the registration request message including the first encrypted CAG ID requested for access and the 5G-GUTI of the terminal; a decryption module 142, configured to determine, according to the 5G-GUTI of the terminal, whether the current AMF is a historical AMF that has served the terminal; an obtaining module 143, configured to, if the current AMF is a historical AMF that has served the terminal and the SUPI of the terminal is stored in the current AMF, obtain the first CAG ID list from the home network of the terminal according to the SUPI of the terminal and decrypt the first encrypted CAG ID requested for access into the CAG ID requested for access; and a determining module 144, configured to determine whether the CAG ID requested for access matches the first CAG ID list and, if they match, to send a registration accept message to the terminal.
  • the apparatus for accessing a closed access group provided in this embodiment is used to implement the method for accessing a closed access group in the embodiment shown in FIG. 8.
  • The implementation principle and technical effect of the apparatus provided by this embodiment are similar to those of that method and are not repeated here.
  • An embodiment of the present application also provides a system for accessing a closed access group, including a terminal and a network device.
  • The terminal includes the apparatus for accessing a closed access group shown in the embodiment of FIG. 11, and the network device includes the apparatus for accessing a closed access group shown in the embodiment of FIG. 12.
  • An embodiment of the present application also provides a system for accessing a closed access group, including a terminal and a network device.
  • The terminal includes the apparatus for accessing a closed access group shown in the embodiment of FIG. 13, and the network device includes the apparatus for accessing a closed access group shown in the embodiment of FIG. 14.
  • FIG. 15 is a schematic structural diagram of a terminal provided by an embodiment.
  • The terminal includes a processor 151, a memory 152, a transmitter 153 and a receiver 154. There may be one or more processors 151 in the terminal; one processor 151 is taken as an example in FIG. 15. The processor 151, the memory 152, the transmitter 153 and the receiver 154 in the terminal may be connected by a bus or in another way.
  • The memory 152 may be configured to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the method for accessing a closed access group in the embodiments of FIG. 2 to FIG. 3 or FIG. 6 to FIG. 7 of this application (for example, the encryption module 111 and the sending module 112, or the encryption module 131 and the sending module 132, of the apparatus for accessing a closed access group).
  • The processor 151 runs the software programs, instructions and modules stored in the memory 152 to execute at least one functional application and the data processing of the terminal, that is, to implement the method for accessing a closed access group of FIG. 2 to FIG. 3 or FIG. 6 to FIG. 7.
  • the memory 152 may mainly include a program storage area and a data storage area.
  • the program storage area may store an operating system and an application program required for at least one function; the data storage area may store data created according to the use of the terminal, etc.
  • the memory 152 may include a high-speed random access memory, and may also include a non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or other non-volatile solid-state storage devices.
  • the transmitter 153 is a module or a combination of devices capable of transmitting radio frequency signals into space, for example, a combination of radio frequency transmitters, antennas, and other devices.
  • the receiver 154 is a module or a combination of devices capable of receiving radio frequency signals from space, for example, a combination of radio frequency receivers, antennas, and other devices.
  • the embodiment of the present application also provides a storage medium containing computer-executable instructions.
  • When executed by a computer processor, the computer-executable instructions are used to execute a method for accessing a closed access group, the method including: encrypting the CAG ID requested for access to obtain the encrypted CAG ID requested for access; and sending a registration request message, the registration request message including the encrypted CAG ID requested for access and the SUCI of the terminal.
  • An embodiment of the present application also provides a storage medium containing computer-executable instructions.
  • When executed by a computer processor, the computer-executable instructions are used to execute a method for accessing a closed access group, the method including: receiving a registration request message sent by a terminal, the registration request message including the encrypted CAG ID requested for access and the terminal's SUCI; resolving the terminal's SUCI into the terminal's SUPI and decrypting the encrypted CAG ID requested for access into the CAG ID requested for access; obtaining the first CAG ID list from the terminal's home network according to the terminal's SUPI; and determining whether the CAG ID requested for access matches the first CAG ID list and, if they match, sending a registration accept message to the terminal.
  • the embodiment of the present application also provides a storage medium containing computer-executable instructions.
  • When executed by a computer processor, the computer-executable instructions are used to execute a method for accessing a closed access group, the method including: encrypting the CAG ID requested for access to obtain the first encrypted CAG ID requested for access; and sending a registration request message, the registration request message including the first encrypted CAG ID requested for access and the 5G-GUTI of the terminal.
  • An embodiment of the present application also provides a storage medium containing computer-executable instructions.
  • When executed by a computer processor, the computer-executable instructions are used to execute a method for accessing a closed access group, the method including: receiving a registration request message sent by a terminal, the registration request message including the first encrypted CAG ID requested for access and the terminal's 5G-GUTI; determining, according to the terminal's 5G-GUTI, whether the current AMF is a historical AMF that has served the terminal; if the current AMF is a historical AMF that has served the terminal and the terminal's SUPI is stored in the current AMF, obtaining the first CAG ID list from the terminal's home network according to the terminal's SUPI and decrypting the first encrypted CAG ID requested for access into the CAG ID requested for access; and determining whether the CAG ID requested for access matches the first CAG ID list and, if they match, sending a registration accept message to the terminal.
  • the term user terminal encompasses any suitable type of wireless user equipment, such as mobile phones, portable data processing devices, portable web browsers, or vehicular mobile stations.
  • the various embodiments of the present application can be implemented in hardware or dedicated circuits, software, logic or any combination thereof.
  • some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software that may be executed by a controller, microprocessor or other computing device, although the application is not limited thereto.
  • Computer program instructions may be assembly instructions, Instruction Set Architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages.
  • the block diagram of any logical flow in the drawings of the present application may represent program steps, or may represent interconnected logic circuits, modules, and functions, or may represent a combination of program steps and logic circuits, modules, and functions.
  • the computer program can be stored on the memory.
  • The memory may be of any type suitable for the local technical environment and may be implemented with any suitable data storage technology, such as, but not limited to, Read-Only Memory (ROM), Random Access Memory (RAM), and optical memory devices and systems (Digital Video Disc (DVD) or Compact Disc (CD)).
  • Computer-readable media may include non-transitory storage media.
  • The data processor may be of any type suitable for the local technical environment, such as, but not limited to, a general-purpose computer, a special-purpose computer, a microprocessor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a programmable logic device (such as a Field-Programmable Gate Array, FPGA), or a processor based on a multi-core processor architecture.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a method, device and system for accessing a closed access group. The method for accessing a closed access group comprises: performing encryption on a CAG ID requested to access, and obtaining an encrypted CAG ID requested to access; and sending a registration request message, the registration request message comprising the encrypted CAG ID requested to access and the SUCI of the terminal.

Description

Method, device and system for accessing a closed access group
This application claims priority to Chinese patent application No. 201910754388.7, filed with the Chinese Patent Office on August 15, 2019, the entire content of which is incorporated herein by reference.
Technical field
This application relates to wireless communication networks, for example to a method, device and system for accessing a closed access group.
Background
The 3rd Generation Partnership Project (3GPP) has formulated specifications for various mobile networks. Among them, to support private networks over a public network, 3GPP has defined the Closed Access Group (CAG) mechanism.
A closed access group comprises a group of subscribers who may access one or more CAG cells. A closed access group has a Closed Access Group Identity (CAG ID). Using the closed access group mechanism, access control can be applied to terminals accessing a private network.
The access-control scheme for a private network is to configure in the mobile terminal the CAG IDs it is allowed to access, while the network carries the list of CAG IDs supported by the cell in the broadcast system information. After receiving the broadcast, the terminal selects a matching CAG ID as the CAG ID requested for access, carries that CAG ID in the registration request message it sends to the network, and completes the registration procedure.
However, the CAG ID in the registration request message is carried in plaintext and sent over the air interface, so it is easily intercepted and leaked, which may affect the security of the private network.
Summary of the invention
This application provides a method, device and system for accessing a closed access group, for improving the security of closed access groups.
An embodiment of this application provides a method for accessing a closed access group, including:
encrypting the CAG ID requested for access to obtain an encrypted CAG ID requested for access;
sending a registration request message, the registration request message including the encrypted CAG ID requested for access and the SUCI of the terminal.
An embodiment of this application provides a method for accessing a closed access group, including:
receiving a registration request message sent by a terminal, the registration request message including the encrypted CAG ID requested for access and the SUCI of the terminal;
resolving the SUCI of the terminal into the SUPI of the terminal, and decrypting the encrypted CAG ID requested for access into the CAG ID requested for access;
obtaining a first CAG ID list from the terminal's home network according to the SUPI of the terminal;
determining whether the CAG ID requested for access matches the first CAG ID list and, if they match, sending a registration accept message to the terminal.
An embodiment of this application provides a method for accessing a closed access group, including:
encrypting the CAG ID requested for access to obtain a first encrypted CAG ID requested for access;
sending a registration request message, the registration request message including the first encrypted CAG ID requested for access and the 5G-GUTI of the terminal.
An embodiment of this application provides a method for accessing a closed access group, including:
receiving a registration request message sent by a terminal, the registration request message including the first encrypted CAG ID requested for access and the 5G-GUTI of the terminal;
determining, according to the 5G-GUTI of the terminal, whether the current AMF is a historical AMF that has served the terminal;
if the current AMF is a historical AMF that has served the terminal and the SUPI of the terminal is stored in the current AMF, obtaining the first CAG ID list from the terminal's home network according to the SUPI of the terminal, and decrypting the first encrypted CAG ID requested for access into the CAG ID requested for access;
determining whether the CAG ID requested for access matches the first CAG ID list and, if they match, sending a registration accept message to the terminal.
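As an added example (not the patent's own code, and not part of the original page), the following Python models the network-side decision of the 5G-GUTI variant just listed: the AMF parses the 5G-GUTI, checks whether it is the AMF that allocated it, looks up the SUPI it stored for that terminal and only then compares the requested CAG ID against the list obtained from the home network. The 5G-GUTI layout (PLMN ID, 8-bit AMF Region ID, 10-bit AMF Set ID, 6-bit AMF Pointer, 32-bit 5G-TMSI) follows 3GPP TS 23.003. Treating "the GUAMI inside the GUTI equals this AMF's GUAMI" as the test for "historical AMF that has served the terminal" is my reading of the text; the text does not say what the AMF does when it did not serve the terminal, so the example only reports that no local context exists. The decryption of the CAG ID is left out here, the home-network query is a dictionary lookup, and all identifiers and sample data are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Guami:
    """Globally Unique AMF Identifier: PLMN ID plus the 24-bit AMF Identifier
    (8-bit Region ID, 10-bit Set ID, 6-bit Pointer), as laid out in 3GPP TS 23.003."""
    mcc: str
    mnc: str
    region_id: int
    set_id: int
    pointer: int


@dataclass(frozen=True)
class FiveGGuti:
    guami: Guami
    tmsi: int          # 32-bit 5G-TMSI assigned by the AMF identified by guami


def encode_5g_guti(guti: FiveGGuti) -> str:
    """Serialise as <MCC><MNC><AMF ID, 6 hex digits><5G-TMSI, 8 hex digits>."""
    g = guti.guami
    if not (0 <= g.region_id < 256 and 0 <= g.set_id < 1024 and 0 <= g.pointer < 64):
        raise ValueError("GUAMI field out of range")
    amf_id = (g.region_id << 16) | (g.set_id << 6) | g.pointer
    return f"{g.mcc}{g.mnc}{amf_id:06x}{guti.tmsi:08x}"


def decode_5g_guti(text: str, mnc_len: int = 2) -> FiveGGuti:
    """Inverse of encode_5g_guti; the MNC length (2 or 3 digits) is PLMN-specific and must be known."""
    if len(text) != 3 + mnc_len + 6 + 8:
        raise ValueError("malformed 5G-GUTI")
    mcc, mnc, rest = text[:3], text[3:3 + mnc_len], text[3 + mnc_len:]
    amf_id, tmsi = int(rest[:6], 16), int(rest[6:], 16)
    guami = Guami(mcc, mnc, amf_id >> 16, (amf_id >> 6) & 0x3FF, amf_id & 0x3F)
    return FiveGGuti(guami, tmsi)


class Amf:
    """An AMF together with the UE contexts it has kept, keyed by the 5G-TMSI it allocated."""

    def __init__(self, guami: Guami, ue_contexts: Dict[int, dict]):
        self.guami = guami
        self.ue_contexts = ue_contexts

    def is_historical_amf_for(self, guti: FiveGGuti) -> bool:
        # Assumption: the GUAMI carried in the 5G-GUTI names the AMF that allocated it,
        # so a GUAMI match means this AMF has served the terminal before.
        return guti.guami == self.guami

    def stored_supi(self, guti: FiveGGuti) -> Optional[str]:
        ctx = self.ue_contexts.get(guti.tmsi)
        return ctx.get("supi") if ctx else None


def handle_registration_with_guti(amf: Amf, home_cag_lists: Dict[str, Set[int]],
                                  guti_text: str, requested_cag_id: int) -> str:
    """Network-side steps of the 5G-GUTI method: proceed only if this AMF served the
    terminal and still holds its SUPI; then fetch the home-network CAG list by SUPI and match."""
    try:
        guti = decode_5g_guti(guti_text)
    except ValueError:
        return "no-local-context"
    if not amf.is_historical_amf_for(guti):
        return "no-local-context"
    supi = amf.stored_supi(guti)
    if supi is None:
        return "no-local-context"
    allowed = home_cag_lists.get(supi, set())   # stands in for the query to the home network
    return "accept" if requested_cag_id in allowed else "reject"


# Constructed sample data (not from the patent).
CURRENT_GUAMI = Guami("460", "00", region_id=0x01, set_id=0x002, pointer=0x03)
OTHER_GUAMI = Guami("460", "00", region_id=0x02, set_id=0x002, pointer=0x03)
SAMPLE_AMF = Amf(CURRENT_GUAMI, {0x0000ABCD: {"supi": "imsi-460000000000001"}})
SAMPLE_HOME_LISTS = {"imsi-460000000000001": {2, 3, 4, 5}}
```

A terminal whose 5G-GUTI was issued by a different AMF (a different GUAMI), or whose context this AMF has since dropped, cannot be resolved to a SUPI locally, so the CAG check cannot run on the GUTI alone; the example surfaces that as a distinct outcome rather than a reject.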
An embodiment of this application provides an apparatus for accessing a closed access group, including:
an encryption module, configured to encrypt the CAG ID requested for access to obtain an encrypted CAG ID requested for access;
a sending module, configured to send a registration request message, the registration request message including the encrypted CAG ID requested for access and the SUCI of the terminal.
An embodiment of this application provides an apparatus for accessing a closed access group, including:
a receiving module, configured to receive a registration request message sent by a terminal, the registration request message including the encrypted CAG ID requested for access and the SUCI of the terminal;
a decryption module, configured to resolve the SUCI of the terminal into the SUPI of the terminal and to decrypt the encrypted CAG ID requested for access into the CAG ID requested for access;
an obtaining module, configured to obtain a first CAG ID list from the terminal's home network according to the SUPI of the terminal;
a determining module, configured to determine whether the CAG ID requested for access matches the first CAG ID list and, if they match, to send a registration accept message to the terminal.
An embodiment of this application provides an apparatus for accessing a closed access group, including:
an encryption module, configured to encrypt the CAG ID requested for access to obtain a first encrypted CAG ID requested for access;
a sending module, configured to send a registration request message, the registration request message including the first encrypted CAG ID requested for access and the 5G-GUTI of the terminal.
An embodiment of this application provides an apparatus for accessing a closed access group, including:
a receiving module, configured to receive a registration request message sent by a terminal, the registration request message including the first encrypted CAG ID requested for access and the 5G-GUTI of the terminal;
a decryption module, configured to determine, according to the 5G-GUTI of the terminal, whether the current AMF is a historical AMF that has served the terminal;
an obtaining module, configured to, if the current AMF is a historical AMF that has served the terminal and the SUPI of the terminal is stored in the current AMF, obtain the first CAG ID list from the terminal's home network according to the SUPI of the terminal and decrypt the first encrypted CAG ID requested for access into the CAG ID requested for access;
a determining module, configured to determine whether the CAG ID requested for access matches the first CAG ID list and, if they match, to send a registration accept message to the terminal.
An embodiment of this application provides a system for accessing a closed access group, including a terminal and a network device;
the terminal includes the apparatus for accessing a closed access group shown in the embodiment of FIG. 11;
the network device includes the apparatus for accessing a closed access group shown in the embodiment of FIG. 12.
An embodiment of this application provides a system for accessing a closed access group, including a terminal and a network device;
the terminal includes the apparatus for accessing a closed access group shown in the embodiment of FIG. 13;
the network device includes the apparatus for accessing a closed access group shown in the embodiment of FIG. 14.
Description of the drawings
FIG. 1 is a schematic diagram of a private network access control procedure provided by an embodiment of this application;
FIG. 2 is a flowchart of a method for accessing a closed access group provided by an embodiment;
FIG. 3 is a flowchart of another method for accessing a closed access group provided by an embodiment;
FIG. 4 is a flowchart of another method for accessing a closed access group provided by an embodiment;
FIG. 5 is a flowchart of another method for accessing a closed access group provided by an embodiment;
FIG. 6 is a flowchart of another method for accessing a closed access group provided by an embodiment;
FIG. 7 is a flowchart of another method for accessing a closed access group provided by an embodiment;
FIG. 8 is a flowchart of another method for accessing a closed access group provided by an embodiment;
FIG. 9 is an interaction flowchart of a method for accessing a closed access group provided by an embodiment;
FIG. 10 is an interaction flowchart of another method for accessing a closed access group provided by an embodiment;
FIG. 11 is a schematic structural diagram of an apparatus for accessing a closed access group provided by an embodiment;
FIG. 12 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment;
FIG. 13 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment;
FIG. 14 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment;
FIG. 15 is a schematic structural diagram of a terminal provided by an embodiment.
Detailed description
The embodiments of this application are described below with reference to the drawings.
FIG. 1 is a schematic diagram of a private network access control procedure provided by an embodiment of this application. As shown in FIG. 1, in conventional private network access, the Access and Mobility Management Function (AMF), the Unified Data Management (UDM) or Subscription Identifier De-concealing Function (SIDF), and the Authentication Server Function (AUSF) in the network carry out the authentication and security verification of the mobile terminal (terminal for short). The AMF, UDM or SIDF, and AUSF are the network elements that implement authentication and security verification in the network; they may be physical devices deployed in the network, or functional modules deployed in any one or more physical network elements of the network.
As shown in FIG. 1, in step S1010 a list of allowed CAG IDs is configured on the terminal. The allowed CAG ID list means the terminal may access only the private networks corresponding to the CAG IDs in that list; here the allowed CAG ID list is, for example, {2,3,4,5}.
In step S1020, a base station in the network carries the list of CAG IDs supported by the cell in its broadcast system information; the cell's supported CAG ID list indicates the private networks that terminals in the cell are allowed to access. A terminal that accesses the network through this base station receives the broadcast system information and thereby obtains the cell's supported CAG ID list, for example {1,2,3}.
In step S1030, on receiving the broadcast system information, the terminal compares its own configured allowed CAG ID list with the received cell-supported CAG ID list and selects one of the matching CAG IDs as the CAG ID requested for access. In this example the matching CAG IDs are {2,3}, and {2} is selected as the CAG ID requested for access.
In step S1040, having determined the CAG ID requested for access, the terminal can begin the access procedure in the private network corresponding to that CAG ID. The terminal sends a registration request message to the network; the registration request message carries the CAG ID requested for access in plaintext and also carries the terminal's Subscription Concealed Identifier (SUCI). After receiving the registration request message from the terminal, the base station forwards it to the AMF for authentication and security verification of the terminal's access to the private network.
In step S1050, the network elements that authenticate and verify the terminal (AMF, AUSF, UDM or SIDF) carry out the authentication and security verification procedure for the terminal, during which the UDM or SIDF resolves the terminal's SUCI into the terminal's Subscription Permanent Identifier (SUPI) and returns the SUPI to the AMF.
In step S1060, the AMF sends a request message to the terminal's home network to obtain the list of CAG IDs the home network allows the terminal to access; the request message includes the terminal's SUPI. The home network returns the allowed CAG ID list to the AMF, here for example {2,3,4,5}.
In step S1070, the AMF determines whether the terminal is allowed to access the requested CAG, that is, whether the CAG ID requested for access in the registration request message is included in the allowed CAG ID list obtained from the home network; if so, access is permitted, otherwise it is not. Here the CAG ID requested for access is {2}, which is included in the allowed CAG ID list {2,3,4,5} obtained from the home network, so the terminal is allowed to access the private network.
In step S1080, the AMF returns a registration accept message to the terminal, that is, the terminal is allowed to access the private network.
If in step S1070 the AMF determines that the terminal is not allowed to access the requested CAG, then in step S1090 the AMF sends a registration reject message to the terminal.
It can be seen from the embodiment of FIG. 1 that when the terminal requests access to a private network, the CAG ID requested for access is carried in plaintext in the registration request message, and the registration request message is sent over the air interface. The CAG ID may therefore leak, which in turn may affect the security of the private network.
FIG. 2 is a flowchart of a method for accessing a closed access group provided by an embodiment. As shown in FIG. 2, the method provided by this embodiment includes the following steps.
Step S2010: encrypt the CAG ID requested for access to obtain the encrypted CAG ID requested for access.
The method for accessing a closed access group provided by this embodiment applies to a terminal device (terminal for short) in a mobile communication system. When a terminal needs to access a private network, that is, a closed access group, it has to send the CAG ID requested for access to the authentication and security verification devices in the network. Because the CAG ID is sent in plaintext, and the registration request message carrying it is sent over the air interface, the CAG ID can easily leak, which affects the security of the closed access group.
To solve this problem, in this embodiment, when the terminal needs to access a closed access group, after determining the CAG ID requested for access it first encrypts that CAG ID to obtain the encrypted CAG ID requested for access. Any encryption scheme may be used for the CAG ID, provided it corresponds to the decryption scheme in the network element that authenticates and verifies the terminal. The key used to encrypt the CAG ID may likewise be chosen in one or more possible ways, and corresponds to the key held by the network element that authenticates and verifies the terminal.
Step S2020: send a registration request message, the registration request message including the encrypted CAG ID requested for access and the SUCI of the terminal.
After obtaining the encrypted CAG ID requested for access, the terminal can send the registration request message, which includes the encrypted CAG ID requested for access and the terminal's SUCI. The terminal sends the registration request message over the air interface, and the base station the terminal accesses, or the serving base station of the cell the terminal is in, receives it. The base station that receives the registration request message forwards it to the network elements that authenticate and verify the terminal, including the AMF, AUSF and UDM/SIDF. These network elements can determine the terminal's home network from the terminal's SUCI, decrypt the encrypted CAG ID requested for access to obtain the terminal's CAG ID, and then authenticate and verify the terminal according to steps S1050 to S1090 of the embodiment shown in FIG. 1, so as to determine whether the terminal may access the CAG corresponding to the CAG ID requested for access. If the terminal is allowed to access the CAG corresponding to the CAG ID requested for access, the terminal receives a registration accept message; if not, the terminal receives a registration reject message.
本实施例提供的访问闭合访问组的方法,在对请求访问的CAG ID进行加密,得到加密的请求访问的CAG ID后,发送注册请求消息,注册请求消息中包括加密的请求访问的CAG ID和终端的SUCI,提供了一种对闭合访问组进行了保护的闭合访问组访问方法,由于对请求访问的CAG ID进行了加密,因此避免了通过空口发送的注册请求消息导致的CAG ID的泄露,提高了访问CAG的安全性。In the method for accessing a closed access group provided in this embodiment, after encrypting the CAG ID requesting access to obtain the encrypted CAG ID requesting access, a registration request message is sent. The registration request message includes the encrypted CAG ID requesting access and The SUCI of the terminal provides a closed access group access method that protects the closed access group. Since the CAG ID requested for access is encrypted, the CAG ID leakage caused by the registration request message sent through the air interface is avoided. Improved the security of access to CAG.
在一实施例中,对请求访问的CAG ID进行加密的方法可以是使用终端归属网络的公钥对请求访问的CAG ID进行加密,得到加密的请求访问的CAG ID。那么当终端发送注册请求消息后,由于注册请求消息中同时包括加密的请求访问的CAG ID和终端的SUCI,因此接收到注册请求消息的对终端进行认证和安全验证的网元,可以根据终端的SUCI获知终端的归属网络,那么对终端进行认证和安全验证的网元即可获取终端的归属网络的公钥,因此可以使用获取到的公钥对加密的请求访问的CAG ID进行解密,获取请求访问的CAG ID。In an embodiment, the method for encrypting the CAG ID that requests access may be to use the public key of the terminal's home network to encrypt the CAG ID that requests access to obtain the encrypted CAG ID that requests access. Then after the terminal sends the registration request message, since the registration request message includes both the encrypted CAG ID for requesting access and the SUCI of the terminal, the network element that has received the registration request message can authenticate and verify the security of the terminal according to the terminal’s When SUCI knows the terminal’s home network, the network element that authenticates and secures the terminal can obtain the public key of the terminal’s home network. Therefore, the obtained public key can be used to decrypt the encrypted CAG ID that requests access to obtain the request CAG ID of the visit.
在一实施例中,对请求访问的CAG ID进行加密的方法可以是使用归属网络的公钥对请求访问的CAG ID和终端的SUCI共同进行加密,得到终端的扩展的SUCI。那么当终端发送注册请求消息后,接收到注册请求消息的对终端进行认证和安全验证的网元,可以根据终端的相关信息获知终端的归属网络,那么对终端进行认证和安全验证的网元即可获取终端的归属网络的公钥,因此可以使用获取到的公钥对扩展的SUCI进行解密,获取请求访问的CAG ID和终端的SUCI。In an embodiment, the method for encrypting the CAG ID requested to access may be to use the public key of the home network to jointly encrypt the CAG ID requested to access and the SUCI of the terminal to obtain the extended SUCI of the terminal. Then after the terminal sends the registration request message, the network element that authenticates and secures the terminal after receiving the registration request message can learn the home network of the terminal according to the relevant information of the terminal, then the network element that authenticates and secures the terminal is The public key of the terminal's home network can be obtained, so the extended SUCI can be decrypted with the obtained public key, and the CAG ID of the requesting access and the SUCI of the terminal can be obtained.
FIG. 3 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 3, the method provided by this embodiment includes the following steps.
Step S3010: receive a system broadcast message carrying a first CAG ID list.
When the terminal needs to access a CAG, it first needs to determine which CAGs it is allowed to access. The base station broadcasts a system broadcast message carrying a first CAG ID list, and a terminal accessing the base station, or a terminal located within the base station's coverage, receives this system broadcast message. The first CAG ID list includes the ID of at least one CAG that the terminal is allowed to access.
Step S3020: match the second CAG ID list configured on the terminal itself against the first CAG ID list to determine the CAG ID to which the terminal requests access.
A CAG ID list, called the second CAG ID list, is also configured on the terminal; it includes the ID of at least one CAG that the terminal is allowed to access. The second CAG ID list is set on the terminal in advance: it may be pre-configured in the terminal, or configured for the terminal by a network device when the terminal registers with the network. The terminal matches the first CAG ID list against the second CAG ID list to determine the CAG ID to which it requests access.
The method of matching the terminal's own second CAG ID list against the first CAG ID list may be to take a CAG ID that appears in both the second CAG ID list and the first CAG ID list as the requested CAG ID. The first and second CAG ID lists may have one or more CAG IDs in common, or none at all. If the first and second CAG ID lists have no CAG ID in common, the terminal is not allowed to access any CAG; it cannot determine a requested CAG ID and therefore does not proceed with the subsequent procedure. If the first and second CAG ID lists have exactly one CAG ID in common, that CAG ID is taken as the requested CAG ID. If the first and second CAG ID lists have two or more CAG IDs in common, any one of them may be chosen as the requested CAG ID, or one may be selected from them according to a preset rule.
Before receiving the system broadcast message carrying the first CAG ID list, the second CAG ID list may also be configured in the terminal; the second CAG ID list includes at least one CAG ID that the terminal is allowed to access.
Step S3030: encrypt the requested CAG ID to obtain an encrypted requested CAG ID.
Step S3040: send a registration request message, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal.
Steps S3030 and S3040 are similar to steps S2010 and S2020 and are not repeated here.
FIG. 4 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 4, the method provided by this embodiment includes the following steps.
Step S4010: receive a registration request message sent by the terminal, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal.
The method for accessing a closed access group provided by this embodiment applies to network devices in a mobile communication system. These network devices are the network elements that perform authentication and security verification of the terminal, including but not limited to one or more of the AMF, AUSF and UDM/SIDF. When a terminal needs to access a private network, that is, a closed access group, it must send the CAG ID to which it requests access to the authentication and security verification device in the network. Because the CAG ID is sent in plaintext, and the registration request message carrying the CAG ID is sent over the air interface, the CAG ID is easily leaked, which compromises the security of the closed access group.
To solve the above problem, in this embodiment the network element that performs authentication and security verification of the terminal receives the registration request message sent by the terminal, which includes the encrypted requested CAG ID and the terminal's SUCI. The terminal's SUCI can be resolved to obtain the terminal's SUPI and thereby learn the terminal's home network, and the encrypted requested CAG ID can be decrypted to obtain the requested CAG ID, so the network element can perform authentication and security verification of the terminal using the terminal's SUPI and the requested CAG ID, and decide whether the terminal may access the CAG corresponding to the requested CAG ID. Any encryption method may be used by the terminal for the requested CAG ID, provided that it corresponds to the decryption method in the network element that performs authentication and security verification of the terminal. The key used by the terminal to encrypt the CAG ID may likewise be obtained in one or more possible ways, and corresponds to the key held by that network element.
Step S4020: resolve the terminal's SUCI into the terminal's SUPI, and decrypt the encrypted requested CAG ID into the requested CAG ID.
After receiving the terminal's SUCI and the encrypted CAG ID, the network element that performs authentication and security verification of the terminal can decrypt the encrypted requested CAG ID into the requested CAG ID and resolve the terminal's SUCI. For example, the UDM/SIDF resolves the terminal's SUCI into the terminal's SUPI and decrypts the encrypted requested CAG ID into the requested CAG ID, and then the UDM/SIDF sends the terminal's SUPI and the requested CAG ID to the AMF.
In an embodiment, the method by which the terminal encrypts the requested CAG ID may be to encrypt it using the public key of the terminal's home network to obtain the encrypted requested CAG ID. The UDM or SIDF that receives the registration request message then resolves the terminal's SUCI into the terminal's SUPI; having obtained the SUPI it can determine the terminal's home network, and can therefore decrypt the encrypted requested CAG ID into the requested CAG ID using the public key of the terminal's home network.
Step S4030: obtain the first CAG ID list from the terminal's home network according to the terminal's SUPI.
After obtaining the terminal's SUPI, the network element that performs authentication and security verification of the terminal can determine the terminal's home network from the SUPI and then obtain the first CAG ID list from the terminal's home network according to the SUPI. The first CAG ID list includes the ID of at least one CAG that the terminal is allowed to access. For example, the AMF that receives the terminal's SUPI and the requested CAG ID from the UDM/SIDF obtains the first CAG ID list from the terminal's home network according to the terminal's SUPI.
In an embodiment, obtaining the first CAG ID list from the terminal's home network according to the terminal's SUPI includes: sending a CAG ID list request message, which includes the SUPI, to the terminal's home network; and receiving the first CAG ID list sent by the terminal's home network.
Step S4040: determine whether the requested CAG ID matches the first CAG ID list, and if so, send a registration accept message to the terminal.
The network element that performs authentication and security verification of the terminal then determines whether the requested CAG ID matches the first CAG ID list; if so, it determines that the terminal may access the CAG corresponding to the requested CAG ID and can send a registration accept message to the terminal. For example, the AMF determines whether the requested CAG ID matches the first CAG ID list and, if they match, sends a registration accept message to the terminal.
In an embodiment, determining whether the requested CAG ID matches the first CAG ID list may be determining whether the requested CAG ID is the same as any CAG ID in the first CAG ID list; if it is, the requested CAG ID is determined to match the first CAG ID list. If the requested CAG ID differs from every CAG ID in the first CAG ID list, the requested CAG ID is determined not to match the first CAG ID list.
In an embodiment, if it is determined that the requested CAG ID does not match the first CAG ID list, a registration reject message is sent to the terminal.
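The FIG. 2 and FIG. 4 exchange end to end, as an added example that is not part of the patent or of any 3GPP code: the terminal picks a CAG ID common to the broadcast and configured lists (step S3020), encrypts it to the home network's public key and sends it beside the SUCI; the UDM/SIDF side resolves the SUCI and decrypts, and the AMF matches against the first CAG ID list and accepts or rejects. It assumes a toy Diffie-Hellman based scheme in place of the SUCI protection profile, a lookup table in place of SUCI de-concealment, that the home network holds the private key matching the public key the terminal used, and constructed names and sample values (`HomeNetwork`, `amf_handle_registration`, the SUCI/SUPI strings and CAG IDs).

```python
"""Toy model of the CAG ID protection of FIG. 2 (terminal side, steps S2010/S2020,
with the list matching of step S3020) and FIG. 4 (network side, steps S4010-S4040).
Constructed example; not the patent's or 3GPP's code."""
import hashlib
import hmac
import secrets

# Constructed toy public-key scheme: finite-field Diffie-Hellman with an
# HMAC-SHA256 keystream and tag. It is NOT a 3GPP SUCI protection profile; it
# only models "encrypt to the home network's public key" versus "decrypt with
# the matching private key held only by the home network".
P = 2**521 - 1          # Mersenne prime used as the group modulus (toy choice)
G = 3
KEYLEN = (P.bit_length() + 7) // 8


def gen_home_network_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _derive(shared: int, label: bytes) -> bytes:
    return hashlib.sha256(shared.to_bytes(KEYLEN, "big") + label).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def pk_encrypt(pub: int, plaintext: bytes) -> dict:
    """Fresh ephemeral key per message, so two encryptions of the same CAG ID
    look unrelated on the air interface."""
    eph = secrets.randbelow(P - 2) + 1
    shared = pow(pub, eph, P)
    ks = _keystream(_derive(shared, b"enc"), len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_derive(shared, b"mac"), ct, hashlib.sha256).digest()
    return {"eph_pub": pow(G, eph, P), "ct": ct, "tag": tag}


def pk_decrypt(priv: int, blob: dict) -> bytes:
    shared = pow(blob["eph_pub"], priv, P)
    expect = hmac.new(_derive(shared, b"mac"), blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("ciphertext failed integrity check")
    ks = _keystream(_derive(shared, b"enc"), len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


# ---- terminal side (FIG. 2 / FIG. 3) ----

def select_cag_id(first_list, second_list):
    """Step S3020: pick a CAG ID present in both the broadcast (first) list and
    the terminal's configured (second) list. The lowest common ID is this
    example's 'preset rule'; None means no match, so the terminal stops here."""
    common = sorted(set(first_list) & set(second_list))
    return common[0] if common else None


def build_registration_request(suci: str, cag_id: int, home_pub: int) -> dict:
    """Steps S2010/S2020: encrypt the requested CAG ID under the home network
    public key and carry it beside the SUCI. CAG IDs are 32-bit values."""
    return {"suci": suci, "enc_cag_id": pk_encrypt(home_pub, cag_id.to_bytes(4, "big"))}


# ---- network side (FIG. 4) ----

class HomeNetwork:
    """Constructed stand-in for the UDM/SIDF and the subscription data it holds."""

    def __init__(self):
        self.priv, self.pub = gen_home_network_keypair()
        self.suci_to_supi = {}    # SUCI de-concealment modelled as a lookup
        self.allowed_cag = {}     # SUPI -> first CAG ID list

    def resolve_and_decrypt(self, req: dict):
        """Step S4020, performed by UDM/SIDF: SUCI -> SUPI, then decrypt the CAG ID."""
        supi = self.suci_to_supi[req["suci"]]
        cag_id = int.from_bytes(pk_decrypt(self.priv, req["enc_cag_id"]), "big")
        return supi, cag_id

    def first_cag_list(self, supi: str):
        """Step S4030: the CAG ID list request answered from subscription data."""
        return self.allowed_cag.get(supi, [])


def amf_handle_registration(req: dict, hn: HomeNetwork) -> str:
    """Steps S4020-S4040 as seen by the AMF. An unknown SUCI or a CAG ID that
    fails decryption is rejected; the plaintext CAG ID never crosses the air interface."""
    try:
        supi, cag_id = hn.resolve_and_decrypt(req)
    except (KeyError, ValueError):
        return "REGISTRATION REJECT"
    if cag_id in hn.first_cag_list(supi):       # step S4040 match test
        return "REGISTRATION ACCEPT"
    return "REGISTRATION REJECT"
```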
FIG. 5 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 5, the method provided by this embodiment includes the following steps.
Step S5010: receive a registration request message sent by the terminal, the registration request message including the terminal's extended SUCI, which is obtained by jointly encrypting the requested CAG ID and the terminal's SUCI using the public key of the terminal's home network.
In the embodiment shown in FIG. 4, the registration request message received from the terminal includes the encrypted requested CAG ID and the terminal's SUCI, whereas in this embodiment the registration request message received from the terminal includes the terminal's extended SUCI. The terminal's extended SUCI is obtained by jointly encrypting the requested CAG ID and the terminal's SUCI using the public key of the terminal's home network.
Step S5020: the UDM or SIDF uses the public key of the terminal's home network to decrypt the terminal's extended SUCI into the requested CAG ID and the terminal's SUCI, and resolves the terminal's SUCI into the terminal's SUPI.
After receiving the extended SUCI, the UDM or SIDF can learn the terminal's home network from the terminal's related information and thus obtain the public key of the terminal's home network; the UDM or SIDF can then use the obtained public key to decrypt the extended SUCI and obtain the requested CAG ID and the terminal's SUCI. The UDM or SIDF can then also resolve the terminal's SUCI into the terminal's SUPI.
Step S5030: the UDM or SIDF sends the terminal's SUPI and the requested CAG ID to the AMF.
Step S5040: the AMF obtains the first CAG ID list from the terminal's home network according to the terminal's SUPI.
Step S5050: the AMF determines whether the requested CAG ID matches the first CAG ID list, and if so, sends a registration accept message to the terminal.
Steps S5030 to S5050 are similar to the authentication and security verification procedure of the embodiment shown in FIG. 1 and are not repeated here.
FIG. 6 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 6, the method provided by this embodiment includes the following steps.
Step S6010: encrypt the requested CAG ID to obtain a first encrypted requested CAG ID.
The method for accessing a closed access group provided by this embodiment applies to a terminal device in a mobile communication system, referred to simply as a terminal. When a terminal needs to access a private network, that is, a closed access group, it must send the CAG ID to which it requests access to the authentication and security verification device in the network. Because the CAG ID is sent in plaintext, and the registration request message carrying the CAG ID is sent over the air interface, the CAG ID is easily leaked, which compromises the security of the closed access group.
To solve the above problem, in this embodiment, when the terminal needs to access a closed access group, after determining the requested CAG ID it first encrypts the requested CAG ID to obtain a first encrypted requested CAG ID. Any encryption method may be used to encrypt the CAG ID, provided that it corresponds to the decryption method in the network element that performs authentication and security verification of the terminal. The key used to encrypt the CAG ID may likewise be obtained in one or more possible ways, and corresponds to the key held by the network element that performs authentication and security verification of the terminal.
Step S6020: send a registration request message, the registration request message including the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
After obtaining the first encrypted requested CAG ID, the terminal can send a registration request message, which includes the first encrypted requested CAG ID and the terminal's 5th Generation mobile communication system Globally Unique Temporary UE Identity (5G-GUTI). The terminal sends the registration request message over the air interface, and the base station the terminal accesses, or the serving base station of the cell in which the terminal is located, receives it. The base station that receives the registration request message forwards it to the network elements that perform authentication and security verification of the terminal, including the AMF, AUSF, UDM/SIDF and so on. From the terminal's 5G-GUTI, these network elements can determine whether they previously served the terminal. If so, because a network element that previously served the terminal stores various information related to the terminal, the network elements can directly use that information to determine the terminal's home network, the key with which the terminal produced the first encrypted requested CAG ID, and other related information, decrypt the first encrypted requested CAG ID to obtain the requested CAG ID, and obtain the first CAG ID list that the terminal is allowed to access. It is then determined whether the terminal may access the CAG corresponding to the requested CAG ID. If the terminal is allowed to access the CAG corresponding to the requested CAG ID, the terminal receives a registration accept message; if it is not, the terminal receives a registration reject message.
In the method for accessing a closed access group provided by this embodiment, the requested CAG ID is encrypted to obtain a first encrypted requested CAG ID, after which a registration request message including the first encrypted requested CAG ID and the terminal's 5G-GUTI is sent. This provides a closed access group access method in which the closed access group is protected: because the requested CAG ID is encrypted, leakage of the CAG ID through the registration request message sent over the air interface is avoided, and the security of CAG access is improved.
In an embodiment, encrypting the requested CAG ID to obtain the first encrypted requested CAG ID includes: encrypting the requested CAG ID using the encryption key in the security context corresponding to the terminal's 5G-GUTI to obtain the first encrypted requested CAG ID. After the terminal sends the registration request message, since the message includes both the first encrypted requested CAG ID and the terminal's 5G-GUTI, the network element that receives it and performs authentication and security verification of the terminal can determine from the terminal's 5G-GUTI whether it previously served the terminal. If so, because a network element that previously served the terminal stores various information related to the terminal, including the encryption key in the security context corresponding to the terminal's 5G-GUTI, the network element that performs authentication and security verification of the terminal can directly use that encryption key to decrypt the first encrypted requested CAG ID and obtain the requested CAG ID.
FIG. 7 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 7, the method provided by this embodiment includes the following steps.
Step S7010: encrypt the requested CAG ID to obtain a first encrypted requested CAG ID.
Step S7020: send a registration request message, the registration request message including the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
Steps S7010 and S7020 are the same as steps S6010 and S6020 and are not repeated here.
Step S7030: receive an identity request message sent by the AMF.
After the terminal sends the registration request message, if the network element that receives it previously served the terminal, it may hold information related to the terminal and can therefore decrypt the first encrypted requested CAG ID. If the network element that receives the registration request message never served the terminal, or served it but did not retain the terminal's related information, it cannot decrypt the first encrypted requested CAG ID. In that case the terminal receives an identity request message sent by the AMF. The identity request message is received because the first encrypted requested CAG ID could not be decrypted by means of the terminal's 5G-GUTI.
Step S7040: encrypt the requested CAG ID using the home network's public key to obtain a second encrypted requested CAG ID.
After receiving the identity request message, the terminal can encrypt the requested CAG ID using the home network's public key to obtain the second encrypted requested CAG ID.
Step S7050: send an identity response message to the AMF, the identity response message including the second encrypted requested CAG ID and the SUCI of the terminal.
The terminal then sends an identity response message to the AMF, which includes the second encrypted requested CAG ID and the terminal's SUCI. Because the identity response message includes both the second encrypted requested CAG ID and the terminal's SUCI, the AMF that receives it can learn the terminal's home network from the terminal's SUCI, obtain the public key of the terminal's home network, and use the obtained public key to decrypt the second encrypted requested CAG ID and obtain the requested CAG ID. The AMF can also obtain, according to the terminal's SUCI, the first CAG ID list that the terminal is allowed to access. It is then determined whether the terminal may access the CAG corresponding to the requested CAG ID. If the terminal is allowed to access the CAG corresponding to the requested CAG ID, the terminal receives a registration accept message; if it is not, the terminal receives a registration reject message.
In an embodiment, after receiving the identity request message sent by the AMF, the terminal may instead use the home network's public key to jointly encrypt the requested CAG ID and the terminal's SUCI to obtain the terminal's extended SUCI; the terminal then sends an identity response message including the terminal's extended SUCI to the AMF. After the terminal sends the identity response message, the AMF that receives it can learn the terminal's home network from the terminal's related information, obtain the public key of the terminal's home network, and use the obtained public key to decrypt the extended SUCI, obtaining the requested CAG ID and the terminal's SUCI. The AMF can also obtain, according to the terminal's SUCI, the first CAG ID list that the terminal is allowed to access. It is then determined whether the terminal may access the CAG corresponding to the requested CAG ID. If the terminal is allowed to access the CAG corresponding to the requested CAG ID, the terminal receives a registration accept message; if it is not, the terminal receives a registration reject message.
In an embodiment, before encrypting the requested CAG ID to obtain the first encrypted requested CAG ID, the method further includes: receiving a system broadcast message carrying a first CAG ID list; and matching the second CAG ID list configured on the terminal itself against the first CAG ID list to determine the requested CAG ID. The first CAG ID list includes the ID of at least one CAG that the terminal is allowed to access.
In an embodiment, matching the terminal's own second CAG ID list against the first CAG ID list to determine the requested CAG ID includes: matching the second CAG ID list against the first CAG ID list, and taking a CAG ID that appears in both the second CAG ID list and the first CAG ID list as the requested CAG ID. The first and second CAG ID lists may have one or more CAG IDs in common, or none at all. If the first and second CAG ID lists have no CAG ID in common, the terminal is not allowed to access any CAG; it cannot determine a requested CAG ID and therefore does not proceed with the subsequent procedure. If the first and second CAG ID lists have exactly one CAG ID in common, that CAG ID is taken as the requested CAG ID. If the first and second CAG ID lists have two or more CAG IDs in common, any one of them may be chosen as the requested CAG ID, or one may be selected from them according to a preset rule.
If the first CAG ID list and the second CAG ID list have two or more identical CAG IDs, then one of the two or more identical CAG IDs can be selected as the CAG ID requested for access, or According to a preset rule, one is selected from two or more identical CAG IDs as the CAG ID for requesting access.
另外,在接收携带有第一CAG ID列表的系统广播消息之前,还可以在终端中配置第二CAG ID列表,第二CAG ID列表中包括至少一个允许访问的CAG ID。In addition, before receiving the system broadcast message carrying the first CAG ID list, a second CAG ID list may also be configured in the terminal, and the second CAG ID list includes at least one CAG ID that is allowed to be accessed.
FIG. 8 is a flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 8, the method provided by this embodiment includes the following steps.
Step S8010: receive a registration request message sent by the terminal; the registration request message includes the first encrypted CAG ID requested for access and the terminal's 5G-GUTI.
The method for accessing a closed access group provided by this embodiment is applied to network devices in a mobile communication system. These network devices are the network elements that authenticate and security-verify the terminal, including but not limited to one or more of the AMF, the AUSF and the UDM/SIDF. When a terminal needs to access a private network, that is, a closed access group, it must send the CAG ID requested for access to the authentication and security verification devices in the network. Because the CAG ID is sent in plaintext, and the registration request message carrying it is sent over the air interface, the CAG ID is easily leaked, which compromises the security of the closed access group.
To solve this problem, in this embodiment the network element that authenticates and security-verifies the terminal receives a registration request message sent by the terminal, which includes the encrypted CAG ID requested for access and the terminal's 5G-GUTI. The network element can determine from the terminal's 5G-GUTI whether the current network element is one that previously served the terminal. The encryption method the terminal uses to produce the first encrypted CAG ID requested for access may be any encryption method, provided it corresponds to the decryption method in the network element that authenticates and security-verifies the terminal. The key the terminal uses to encrypt the CAG ID may likewise be obtained in one or more possible ways, and corresponds to the key held by that network element.
Step S8020: determine, according to the terminal's 5G-GUTI, whether the current AMF is a historical AMF that previously served the terminal.
After receiving the terminal's 5G-GUTI and the first encrypted CAG ID, the network element that authenticates and security-verifies the terminal first determines from the terminal's 5G-GUTI whether the current AMF is a historical AMF that previously served the terminal. Because a historical AMF that served the terminal retains information related to the terminal, this determination can be made from the terminal's 5G-GUTI.
Step S8030: if the current AMF is a historical AMF that previously served the terminal and the terminal's SUPI is stored in the current AMF, obtain the first CAG ID list from the terminal's home network according to the terminal's SUPI, and decrypt the first encrypted CAG ID requested for access into the CAG ID requested for access.
If the current AMF is a historical AMF that previously served the terminal, the terminal's SUPI may or may not be stored in it. If it is, the current AMF can obtain the first CAG ID list from the terminal's home network according to the terminal's SUPI and decrypt the first encrypted CAG ID requested for access into the CAG ID requested for access. The key and encryption method the current AMF uses to decrypt the first encrypted CAG ID requested for access may be preconfigured in the terminal and the AMF, or may have been saved when the current AMF previously served the terminal. For example, if the terminal's security context is stored in the current AMF and that security context includes an encryption key, the terminal can use the encryption key in the security context to encrypt the CAG ID requested for access and obtain the first encrypted CAG ID requested for access, and the current AMF can use the encryption key in the stored security context of the terminal to decrypt it and obtain the CAG ID requested for access.
Step S8040: determine whether the CAG ID requested for access matches the first CAG ID list; if so, send a registration accept message to the terminal.
This step is the same as step S4040 and is not repeated here.
Step S8050: if the current AMF is a historical AMF that previously served the terminal but the terminal's SUPI is not stored in the current AMF, the current AMF sends an identity request message to the terminal.
If the current AMF is a historical AMF that previously served the terminal but does not hold the terminal's SUPI, the current AMF cannot decrypt the first encrypted CAG ID requested for access sent by the terminal. The current AMF therefore sends an identity request message to the terminal, requesting that it send the CAG ID requested for access again.
Step S8060: receive an identity response message sent by the terminal; the identity response message includes the second encrypted CAG ID requested for access, encrypted by the terminal with the public key of the home network, and the terminal's SUCI.
After receiving the identity request message, to keep the CAG ID secure, the terminal can use the public key of the home network to encrypt the CAG ID requested for access, obtaining the second encrypted CAG ID requested for access. The current AMF then receives the identity response message sent by the terminal, which includes the second encrypted CAG ID requested for access, encrypted by the terminal with the public key of the home network, and the terminal's SUCI.
Step S8070: the UDM or SIDF resolves the terminal's SUCI into the terminal's SUPI, and uses the public key of the terminal's home network to decrypt the second encrypted CAG ID requested for access into the CAG ID requested for access.
Step S8080: obtain the first CAG ID list from the terminal's home network according to the terminal's SUPI.
Step S8090: determine whether the CAG ID requested for access matches the first CAG ID list; if so, send a registration accept message to the terminal.
Steps S8070 to S8090 are similar to steps S4020 to S4040 in the embodiment shown in FIG. 4 and are not repeated here.
In an embodiment, the identity response message includes an extended SUCI obtained by the terminal encrypting the CAG ID requested for access together with the terminal's SUCI using the public key of the home network. The terminal's extended SUCI is obtained by jointly encrypting the CAG ID requested for access and the terminal's SUCI with the public key of the terminal's home network. The UDM or SIDF then uses the public key of the terminal's home network to decrypt the extended SUCI into the CAG ID requested for access and the terminal's SUCI, resolves the terminal's SUCI into the terminal's SUPI, and obtains the first CAG ID list from the terminal's home network according to the terminal's SUPI. It is then determined whether the CAG ID requested for access matches the first CAG ID list; if so, a registration accept message is sent to the terminal.
Step S8100: if the current AMF has never served the terminal, the current AMF determines from the terminal's 5G-GUTI the historical AMF that previously served the terminal and sends a terminal context transfer request message to the historical AMF; the terminal context transfer request message includes the terminal's 5G-GUTI.
If the current AMF has never served the terminal, no information about the terminal is stored in the current AMF. Because the current AMF has also received the terminal's 5G-GUTI, it can determine from the 5G-GUTI the historical AMF that previously served the terminal. The current AMF then sends a terminal context transfer request message, which includes the terminal's 5G-GUTI, to the historical AMF.
Step S8110: the current AMF receives a context transfer response message sent by the historical AMF; the context transfer response message includes the terminal's security context and the first CAG ID list.
After receiving the context transfer response message sent by the historical AMF, the current AMF learns the terminal's security context and can obtain the first CAG ID list.
Step S8120: the current AMF uses the private key in the terminal's security context to decrypt the first encrypted CAG ID requested for access into the CAG ID requested for access.
Step S8130: determine whether the CAG ID requested for access matches the first CAG ID list; if so, send a registration accept message to the terminal.
If the historical AMF that served the terminal stored the terminal's security context, the current AMF receives the terminal's security context from the historical AMF and can directly use the key in the received security context to decrypt the first encrypted CAG ID requested for access. If the historical AMF that served the terminal has not stored the terminal's information either, the current AMF must proceed in another way.
Step S8140: if the current AMF does not receive the terminal context transfer response message from the historical AMF, the current AMF sends an identity request message to the terminal.
If the current AMF does not receive the terminal context transfer response message from the historical AMF, the current AMF sends an identity request message to the terminal, requesting the terminal to resend a CAG ID that the current AMF is able to decrypt.
Step S8150: receive an identity response message sent by the terminal; the identity response message includes the second encrypted CAG ID requested for access, encrypted by the terminal with the public key of the home network, and the terminal's SUCI.
Step S8160: the UDM or SIDF resolves the terminal's SUCI into the terminal's SUPI, and uses the public key of the terminal's home network to decrypt the second encrypted CAG ID requested for access into the CAG ID requested for access.
Step S8170: obtain the first CAG ID list from the terminal's home network according to the terminal's SUPI.
Step S8180: determine whether the CAG ID requested for access matches the first CAG ID list; if so, send a registration accept message to the terminal.
Steps S8150 to S8180 are the same as steps S8060 to S8090 and are not repeated here.
In an embodiment, the identity response message includes an extended SUCI obtained by the terminal encrypting the CAG ID requested for access together with the terminal's SUCI using the public key of the home network. The terminal's extended SUCI is obtained by jointly encrypting the CAG ID requested for access and the terminal's SUCI with the public key of the terminal's home network. The UDM or SIDF then uses the public key of the terminal's home network to decrypt the extended SUCI into the CAG ID requested for access and the terminal's SUCI, resolves the terminal's SUCI into the terminal's SUPI, and obtains the first CAG ID list from the terminal's home network according to the terminal's SUPI. It is then determined whether the CAG ID requested for access matches the first CAG ID list; if so, a registration accept message is sent to the terminal.
In an embodiment, determining whether the CAG ID requested for access matches the first CAG ID list includes: determining whether the CAG ID requested for access is identical to any CAG ID in the first CAG ID list; if it is, it is determined that the CAG ID requested for access matches the first CAG ID list.
In an embodiment, after determining whether the CAG ID requested for access matches the first CAG ID list, the method further includes: if they do not match, sending a registration reject message to the terminal.
FIG. 9 is an interaction flowchart of a method for accessing a closed access group provided by an embodiment. As shown in FIG. 9, the method provided by this embodiment includes the following steps.
Step S9010: a list of CAG IDs allowed to be accessed is configured on the mobile terminal, for example {2, 3, 4, 5}.
Step S9020: the network carries the list of CAG IDs supported by the cell in the broadcast system message, for example {1, 2, 3}.
Step S9030: after receiving this message, the terminal compares the two lists and selects one of the matching CAG IDs as the CAG ID requested for access, for example selecting 2 from {2, 3}.
Step S9040: the terminal encrypts the CAG ID requested for access with the public key of the home network to obtain the encrypted CAG ID requested for access; alternatively, the terminal may encrypt the CAG ID requested for access together with the SUPI using the public key of the home network to obtain an extended SUCI. The terminal sends a registration request message to the network carrying the encrypted CAG ID requested for access; the request message also carries the SUCI. In the case of joint encryption, the request message carries the extended SUCI(2).
Step S9050: authentication and security procedure, in which the UDM/SIDF resolves the SUCI into the SUPI and also resolves the encrypted CAG ID requested for access into the CAG ID requested for access; the UDM/SIDF returns the SUPI and the CAG ID requested for access to the AMF.
Step S9060: the AMF obtains the list of CAG IDs allowed to be accessed from the home network; the request message carries the SUPI parameter. The returned list is, for example, {2, 3, 4, 5}.
Step S9070 (access control): the AMF determines whether the terminal is allowed to access the CAG, that is, whether the CAG ID received in the registration message is included in the list of allowed CAG IDs obtained from the home network. If it is, access is allowed; if not, access is denied. For example, 2 is in {2, 3, 4, 5}, so access is allowed.
Step S9080: if access is allowed, the AMF returns a registration accept message to the terminal.
Step S9090: if access is not allowed, the AMF returns a registration reject message to the terminal.
FIG. 10 is an interaction flowchart of another method for accessing a closed access group provided by an embodiment. As shown in FIG. 10, the method provided by this embodiment includes the following steps.
Step S10010: a list of CAG IDs allowed to be accessed is configured on the mobile terminal, for example {2, 3, 4, 5}.
Step S10020: the network carries the list of CAG IDs supported by the cell in the broadcast system message, for example {1, 2, 3}.
Step S10030: after receiving this message, the terminal compares the two lists and selects one of the matching CAG IDs as the CAG ID requested for access, for example selecting 2 from {2, 3}.
Step S10040: if the terminal holds a temporary user identity (5G-GUTI) and a security context for the visited network with which it requests registration, the terminal encrypts the CAG ID requested for access with the encryption key in that security context to obtain the encrypted CAG ID requested for access. The terminal sends a registration request message to the network carrying the encrypted CAG ID requested for access; the request message also carries the 5G-GUTI.
Step S10050: if the current AMF (new AMF) that receives the registration message is the historical AMF (old AMF) that last served the terminal and still holds the terminal's SUPI and security context, it decrypts the encrypted CAG ID requested for access with the encryption key in that security context to obtain the CAG ID requested for access. If the new AMF is not the old AMF that last served the terminal, the new AMF sends a terminal context transfer request message carrying the 5G-GUTI to the old AMF.
Step S10060: the old AMF returns the terminal's SUPI and security context to the new AMF; the new AMF can use the encryption key in that security context to decrypt the encrypted CAG ID requested for access and obtain the CAG ID requested for access. The return message also includes the list of allowed CAG IDs, for example {2, 3, 4, 5}.
Step S10070: if the old AMF has not stored the terminal's SUPI and context, the new AMF sends an identity request message to the terminal.
Step S10080: the terminal encrypts the CAG ID requested for access with the public key of the home network to obtain the encrypted CAG ID requested for access; alternatively, the terminal may encrypt the CAG ID requested for access together with the SUPI using the public key of the home network to obtain an extended SUCI. The terminal returns an identity response message to the new AMF carrying the encrypted CAG ID requested for access; this message also carries the SUCI. In the case of joint encryption, the message carries the extended SUCI(2).
Step S10090: authentication and security procedure. If step S10060 successfully returned the SUPI, this procedure need not include SUCI resolution or CAG ID resolution; if step S10060 was unsuccessful, then during this step the UDM/SIDF resolves the SUCI into the SUPI and also resolves the encrypted CAG ID requested for access into the CAG ID requested for access, and the UDM/SIDF returns the SUPI and the CAG ID requested for access to the AMF.
Step S10100: if step S10060 was unsuccessful, the AMF obtains the list of allowed CAG IDs from the home network; the request message carries the SUPI parameter. The returned list is, for example, {2, 3, 4, 5}.
Step S10110 (access control): the AMF determines whether the terminal is allowed to access the CAG, that is, whether the CAG ID received in the registration message is included in the list of allowed CAG IDs obtained from the home network. If it is, access is allowed; if not, access is denied. For example, 2 is in {2, 3, 4, 5}, so access is allowed.
Step S10120: if access is allowed, the AMF returns a registration accept message to the terminal.
Step S10130: if access is not allowed, the AMF returns a registration reject message to the terminal.
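The terminal-side list matching described for the second CAG ID list, together with the FIG. 9 and FIG. 10 signalling (local NAS-context decryption at the old AMF, context transfer to a new AMF, and the identity-request fallback to the extended SUCI that only the home network can open), worked through as an added Python simulation. This is illustration code, not code from the patent or from 3GPP. It assumes a preset selection rule of "smallest common CAG ID", models the 5G-GUTI as a constructed string "<amf name>:<tmsi>" so the new AMF can locate the old one, models only the joint-encryption (extended SUCI) variant of the home-network path, and replaces the ECIES SUCI scheme and the NAS ciphering algorithm with a labelled hash-based encrypt-then-MAC stand-in (`seal`/`unseal`); the subscriber record and all key material are constructed sample data.

```python
"""Simulation of the CAG registration signalling of FIG. 9 and FIG. 10 (added
illustration, not the patent's or 3GPP's code). The ECIES SUCI scheme and the
NAS ciphering algorithm are replaced by a labelled encrypt-then-MAC stand-in."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: home-network key material and one UDM subscriber record.
HOME_NETWORK_KEY = b"constructed-home-network-key"        # stands in for the ECIES key pair
UDM_ALLOWED_CAG = {"imsi-001010000000001": {2, 3, 4, 5}}  # SUPI -> first CAG ID list


def _keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    while len(out) < length:
        out += hashlib.sha256(secret + nonce + len(out).to_bytes(4, "big")).digest()
    return out[:length]


def seal(secret: bytes, plaintext: bytes) -> bytes:
    """Stand-in for 'encrypt with key': nonce || ciphertext || HMAC tag (not ECIES/NEA)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(secret, nonce, len(plaintext))))
    return nonce + ct + hmac.new(secret, nonce + ct, hashlib.sha256).digest()[:16]


def unseal(secret: bytes, blob: bytes) -> bytes:
    """Fails closed when the caller does not hold the right key."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expect = hmac.new(secret, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(secret, nonce, len(ct))))


def select_cag_id(configured: set, broadcast: set) -> Optional[int]:
    """Steps S9030/S10030: match the terminal's configured list against the cell
    broadcast. Assumed preset rule: smallest common ID. None means no common
    CAG ID, so the terminal never sends a registration request."""
    common = configured & broadcast
    return min(common) if common else None


@dataclass
class AMF:
    name: str
    # 5G-GUTI -> (SUPI, NAS encryption key, allowed CAG ID list) kept from earlier service
    contexts: dict = field(default_factory=dict)


def register(terminal: dict, new_amf: AMF, amfs: dict, cell_cag_ids: set):
    """Returns (outcome, path). `amfs` maps AMF name -> AMF; the 5G-GUTI is modelled
    as '<amf name>:<tmsi>' (assumption) so the new AMF can find the old one."""
    cag_id = select_cag_id(terminal["allowed"], cell_cag_ids)
    if cag_id is None:
        return "no-match", "terminal-silent"
    if terminal.get("guti"):
        # FIG. 10 / S10040: CAG ID ciphered with the NAS security context, sent with the GUTI
        enc_cag = seal(terminal["nas_key"], str(cag_id).encode())
        ctx = new_amf.contexts.get(terminal["guti"])
        path = "local-context"
        if ctx is None:
            # S10050/S10060: context transfer request to the old AMF named in the GUTI
            old = amfs.get(terminal["guti"].split(":")[0])
            ctx = old.contexts.get(terminal["guti"]) if old else None
            path = "context-transfer"
        if ctx is not None:
            _supi, nas_key, allowed = ctx
            requested = int(unseal(nas_key, enc_cag).decode())
            return ("accept" if requested in allowed else "reject"), path
        path = "identity-request"  # S10070: no AMF holds the context, ask the terminal
    else:
        path = "suci"
    # FIG. 9 / S10080: extended SUCI = CAG ID and SUPI concealed with the home-network key
    ext_suci = seal(HOME_NETWORK_KEY, f"{cag_id}|{terminal['supi']}".encode())
    # S9050: only the UDM/SIDF, holding the home-network key, can de-conceal it
    cag_txt, supi = unseal(HOME_NETWORK_KEY, ext_suci).decode().split("|")
    allowed = UDM_ALLOWED_CAG.get(supi, set())
    # S9070 / S10110: the subscription list from the home network is authoritative
    return ("accept" if int(cag_txt) in allowed else "reject"), path
```

Two points the simulation makes visible: a terminal whose locally configured list is stale can still select a CAG ID, but the access decision is taken against the list the home network returns, so a mismatch ends in a reject rather than an accept; and `unseal` raises for a holder without the right key, which is why an AMF that neither served the terminal nor obtained its context cannot recover the CAG ID and must fall back to the identity request.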
FIG. 11 is a schematic structural diagram of an apparatus for accessing a closed access group provided by an embodiment. As shown in FIG. 11, the apparatus for accessing a closed access group provided by this embodiment includes: an encryption module 111, configured to encrypt the CAG ID requested for access to obtain the encrypted CAG ID requested for access; and a sending module 112, configured to send a registration request message that includes the encrypted CAG ID requested for access and the terminal's SUCI.
The apparatus for accessing a closed access group provided by this embodiment is used to implement the method for accessing a closed access group of the embodiment shown in FIG. 2; its implementation principle and technical effect are similar and are not repeated here.
FIG. 12 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment. As shown in FIG. 12, the apparatus for accessing a closed access group provided by this embodiment includes: a receiving module 121, configured to receive a registration request message sent by the terminal, the registration request message including the encrypted CAG ID requested for access and the terminal's SUCI; a decryption module 122, configured to resolve the terminal's SUCI into the terminal's SUPI and decrypt the encrypted CAG ID requested for access into the CAG ID requested for access; an obtaining module 123, configured to obtain the first CAG ID list from the terminal's home network according to the terminal's SUPI; and a determining module 124, configured to determine whether the CAG ID requested for access matches the first CAG ID list and, if so, send a registration accept message to the terminal.
The apparatus for accessing a closed access group provided by this embodiment is used to implement the method for accessing a closed access group of the embodiment shown in FIG. 4; its implementation principle and technical effect are similar and are not repeated here.
FIG. 13 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment. As shown in FIG. 13, the apparatus for accessing a closed access group provided by this embodiment includes: an encryption module 131, configured to encrypt the CAG ID requested for access to obtain the first encrypted CAG ID requested for access; and a sending module 132, configured to send a registration request message that includes the first encrypted CAG ID requested for access and the terminal's 5G-GUTI.
The apparatus for accessing a closed access group provided by this embodiment is used to implement the method for accessing a closed access group of the embodiment shown in FIG. 6; its implementation principle and technical effect are similar and are not repeated here.
FIG. 14 is a schematic structural diagram of another apparatus for accessing a closed access group provided by an embodiment. As shown in FIG. 14, the apparatus for accessing a closed access group provided by this embodiment includes: a receiving module 141, configured to receive a registration request message sent by the terminal, the registration request message including the first encrypted CAG ID requested for access and the terminal's 5G-GUTI; a decryption module 142, configured to determine from the terminal's 5G-GUTI whether the current AMF is a historical AMF that previously served the terminal; an obtaining module 143, configured to, if the current AMF is a historical AMF that previously served the terminal and the terminal's SUPI is stored in the current AMF, obtain the first CAG ID list from the terminal's home network according to the terminal's SUPI and decrypt the first encrypted CAG ID requested for access into the CAG ID requested for access; and a determining module 144, configured to determine whether the CAG ID requested for access matches the first CAG ID list and, if so, send a registration accept message to the terminal.
The apparatus for accessing a closed access group provided by this embodiment is used to implement the method for accessing a closed access group of the embodiment shown in FIG. 8; its implementation principle and technical effect are similar and are not repeated here.
An embodiment of the present application further provides a system for accessing a closed access group, including a terminal and a network device; the terminal includes the apparatus for accessing a closed access group of the embodiment shown in FIG. 11, and the network device includes the apparatus for accessing a closed access group of the embodiment shown in FIG. 12.
An embodiment of the present application further provides a system for accessing a closed access group, including a terminal and a network device; the terminal includes the apparatus for accessing a closed access group of the embodiment shown in FIG. 13, and the network device includes the apparatus for accessing a closed access group of the embodiment shown in FIG. 14.
FIG. 15 is a schematic structural diagram of a terminal provided by an embodiment. As shown in FIG. 15, the terminal includes a processor 151, a memory 152, a transmitter 153 and a receiver 154. The terminal may have one or more processors 151; FIG. 15 takes one processor 151 as an example. The processor 151, memory 152, transmitter 153 and receiver 154 in the terminal may be connected by a bus or in other ways; FIG. 15 takes connection by a bus as an example.
The memory 152, as a computer-readable storage medium, may be configured to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the method for accessing a closed access group in the embodiments of FIG. 2 to FIG. 3 or FIG. 6 to FIG. 7 of the present application (for example, the encryption module 111 and the sending module 112, or the encryption module 131 and the sending module 132, of the apparatus for accessing a closed access group). By running the software programs, instructions and modules stored in the memory 152, the processor 151 executes at least one functional application and data processing of the terminal, that is, implements the method for accessing a closed access group of FIG. 2 to FIG. 3 or FIG. 6 to FIG. 7.
存储器152可主要包括存储程序区和存储数据区,其中,存储程序区可存储操作系统、至少一个功能所需的应用程序;存储数据区可存储根据终端的使用所创建的数据等。此外,存储器152可以包括高速随机存取存储器,还可以包括非易失性存储器,例如至少一个磁盘存储器件、闪存器件、或其他非易失性固态存储器件。The memory 152 may mainly include a program storage area and a data storage area. The program storage area may store an operating system and an application program required for at least one function; the data storage area may store data created according to the use of the terminal, etc. In addition, the memory 152 may include a high-speed random access memory, and may also include a non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or other non-volatile solid-state storage devices.
发送器153为能够将射频信号发射至空间中的模块或器件组合,例如包括射频发射机、天线以及其他器件的组合。接收器154为能够从空间中接收将射频信号的模块或器件组合,例如包括射频接收机、天线以及其他器件的组合。The transmitter 153 is a module or a combination of devices capable of transmitting radio frequency signals into space, for example, a combination of radio frequency transmitters, antennas, and other devices. The receiver 154 is a module or a combination of devices capable of receiving radio frequency signals from space, for example, a combination of radio frequency receivers, antennas, and other devices.
An embodiment of the present application further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, are used to perform a method for accessing a closed access group, the method including: encrypting the CAG ID for which access is requested to obtain an encrypted requested CAG ID; and sending a registration request message, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal.
An embodiment of the present application further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, are used to perform a method for accessing a closed access group, the method including: receiving a registration request message sent by a terminal, the registration request message including an encrypted requested CAG ID and the SUCI of the terminal; resolving the SUCI of the terminal into the SUPI of the terminal, and decrypting the encrypted requested CAG ID into the requested CAG ID; obtaining a first CAG ID list from the home network of the terminal according to the SUPI of the terminal; and determining whether the requested CAG ID matches the first CAG ID list and, if so, sending a registration accept message to the terminal.
An embodiment of the present application further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, are used to perform a method for accessing a closed access group, the method including: encrypting the CAG ID for which access is requested to obtain a first encrypted requested CAG ID; and sending a registration request message, the registration request message including the first encrypted requested CAG ID and the 5G-GUTI of the terminal.
An embodiment of the present application further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, are used to perform a method for accessing a closed access group, the method including: receiving a registration request message sent by a terminal, the registration request message including a first encrypted requested CAG ID and the 5G-GUTI of the terminal; determining, according to the 5G-GUTI of the terminal, whether the current AMF is a historical AMF that has previously served the terminal; if the current AMF is a historical AMF that has previously served the terminal and the SUPI of the terminal is stored in the current AMF, obtaining a first CAG ID list from the home network of the terminal according to the SUPI of the terminal and decrypting the first encrypted requested CAG ID into the requested CAG ID; and determining whether the requested CAG ID matches the first CAG ID list and, if so, sending a registration accept message to the terminal.
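The two registration variants restated in the four paragraphs above (an encrypted CAG ID carried with a SUCI, and an encrypted CAG ID carried with a 5G-GUTI and decrypted from the AMF's stored security context) can be exercised end to end in a small simulation. The Python below is an added example, not code from the application or its applicant: the Diffie-Hellman group, the HMAC keystream cipher, the SUPI, the CAG IDs and the 5G-GUTI are constructed stand-ins (real SUCI concealment uses ECIES over an elliptic curve, and the NAS cipher is a 3GPP algorithm), the extended SUCI of claim 3 is modelled as one ciphertext over both the CAG ID and the subscriber identity, and the inter-AMF context transfer of claim 24 is not modelled; an AMF without a context falls back to the identity request of claims 22 and 23.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (Mersenne prime 2^127 - 1, generator 3): illustration
# only, far too small for real use. Constructed parameters, not from the application.
P = 2**127 - 1
G = 3


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream. Toy stream cipher standing in
    for the NAS cipher and for the ECIES stream of real SUCI (not a 3GPP algorithm)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def dhies_encrypt(pub: int, plaintext: bytes):
    """Ephemeral Diffie-Hellman integrated encryption: anyone holding the home
    network public key can encrypt, only the private-key holder can decrypt."""
    eph = secrets.randbelow(P - 2) + 1
    key = hashlib.sha256(pow(pub, eph, P).to_bytes(16, "big")).digest()
    return pow(G, eph, P), keystream_xor(key, b"suci", plaintext)


def dhies_decrypt(priv: int, eph_pub: int, ciphertext: bytes) -> bytes:
    key = hashlib.sha256(pow(eph_pub, priv, P).to_bytes(16, "big")).digest()
    return keystream_xor(key, b"suci", ciphertext)


def select_cag_id(broadcast_list, configured_list):
    """Terminal side (claims 4-6, 18-20): the requested CAG ID is one that appears in
    both the cell's broadcast list and the terminal's own configured list."""
    for cag in broadcast_list:
        if cag in configured_list:
            return cag
    return None


def extended_suci(home_pub: int, supi: str, cag_id: str):
    """Claim 3: requested CAG ID and subscriber identity concealed together under the
    home network public key (modelled here as one ciphertext over both fields)."""
    return dhies_encrypt(home_pub, f"{cag_id}|{supi}".encode())


class HomeNetwork:
    """UDM/SIDF: holds the private key, de-conceals identities, serves subscribed CAG lists."""

    def __init__(self, subscriptions):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.subscriptions = subscriptions  # SUPI -> CAG IDs the subscriber may use

    def deconceal(self, ext_suci):
        """Claim 10: one decryption yields both the requested CAG ID and the SUPI."""
        eph_pub, ct = ext_suci
        cag_id, supi = dhies_decrypt(self.priv, eph_pub, ct).decode().split("|", 1)
        return supi, cag_id

    def cag_list(self, supi):
        return list(self.subscriptions.get(supi, ()))


class Amf:
    def __init__(self, home: HomeNetwork):
        self.home = home
        self.contexts = {}  # 5G-GUTI -> {"supi": ..., "nas_key": ...} for terminals this AMF served

    def decide(self, supi: str, cag_id: str) -> str:
        """Claims 11 and 13: accept only if the decrypted CAG ID is in the subscribed list."""
        return "REGISTRATION ACCEPT" if cag_id in self.home.cag_list(supi) else "REGISTRATION REJECT"

    def register_with_suci(self, ext_suci) -> str:
        """Claims 7-10: the SUCI variant of the registration request."""
        supi, cag_id = self.home.deconceal(ext_suci)
        return self.decide(supi, cag_id)

    def register_with_guti(self, guti: str, enc_cag_id: bytes) -> str:
        """Claims 21-23: the 5G-GUTI variant. With a stored context the CAG ID is
        decrypted under the NAS key; without one the AMF asks for the identity."""
        ctx = self.contexts.get(guti)
        if ctx is None or "supi" not in ctx:
            return "IDENTITY REQUEST"
        cag_id = keystream_xor(ctx["nas_key"], b"nas", enc_cag_id).decode()
        return self.decide(ctx["supi"], cag_id)


def demo():
    """Runs both flows on constructed data and returns the outcomes."""
    supi = "imsi-001010000000001"  # constructed subscriber
    home = HomeNetwork({supi: ["cag-a", "cag-b"]})
    amf = Amf(home)
    cag = select_cag_id(["cag-x", "cag-b"], ["cag-b", "cag-c"])  # terminal picks cag-b
    first = amf.register_with_suci(extended_suci(home.pub, supi, cag))
    guti = "5g-guti-constructed-0001"
    second = amf.register_with_guti(guti, b"\x00")  # no stored context yet
    nas_key = secrets.token_bytes(16)
    amf.contexts[guti] = {"supi": supi, "nas_key": nas_key}  # context kept after first registration
    third = amf.register_with_guti(guti, keystream_xor(nas_key, b"nas", cag.encode()))
    rejected = amf.register_with_suci(extended_suci(home.pub, supi, "cag-z"))  # not subscribed
    return cag, first, second, third, rejected
```

Running `demo()` returns the selected CAG ID followed by the four outcomes: accept on the SUCI path, an identity request when the 5G-GUTI is unknown to the AMF, accept once the AMF holds the security context, and reject for a CAG ID outside the subscribed list. The CAG ID never appears in clear over the air in either path, which is the privacy property the application is after.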
The term user terminal covers any suitable type of wireless user equipment, such as a mobile phone, a portable data processing apparatus, a portable web browser or a vehicle-mounted mobile station.
In general, the various embodiments of the present application may be implemented in hardware or dedicated circuits, software, logic or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software executable by a controller, microprocessor or other computing apparatus, although the present application is not limited thereto.
Embodiments of the present application may be implemented by a data processor of a mobile apparatus executing computer program instructions, for example in a processor entity, or by hardware, or by a combination of software and hardware. The computer program instructions may be assembly instructions, Instruction Set Architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages.
Any block diagram of a logic flow in the drawings of the present application may represent program steps, or may represent interconnected logic circuits, modules and functions, or may represent a combination of program steps and logic circuits, modules and functions. The computer program may be stored in a memory. The memory may be of any type suitable for the local technical environment and may be implemented using any suitable data storage technology, such as, but not limited to, Read-Only Memory (ROM), Random Access Memory (RAM), optical memory devices and systems (Digital Video Disc (DVD) or Compact Disc (CD)), and so on. Computer-readable media may include non-transitory storage media. The data processor may be of any type suitable for the local technical environment, such as, but not limited to, a general-purpose computer, a special-purpose computer, a microprocessor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a programmable logic device (Field-Programmable Gate Array, FPGA) and a processor based on a multi-core processor architecture.

Claims (34)

  1. A method for accessing a closed access group, comprising:
    encrypting a closed access group identifier (CAG ID) for which access is requested to obtain an encrypted requested CAG ID; and
    sending a registration request message, the registration request message including the encrypted requested CAG ID and a subscription concealed identifier (SUCI) of a terminal.
  2. The method according to claim 1, wherein encrypting the requested CAG ID to obtain the encrypted requested CAG ID comprises:
    encrypting the requested CAG ID using a public key of a home network to obtain the encrypted requested CAG ID.
  3. The method according to claim 1, wherein encrypting the requested CAG ID to obtain the encrypted requested CAG ID comprises:
    jointly encrypting the requested CAG ID and the SUCI of the terminal using a public key of a home network to obtain an extended SUCI of the terminal;
    and wherein sending the registration request message including the encrypted requested CAG ID and the SUCI of the terminal comprises:
    sending the registration request message, the registration request message including the extended SUCI of the terminal.
  4. The method according to any one of claims 1 to 3, further comprising, before encrypting the requested CAG ID:
    receiving a system broadcast message carrying a first CAG ID list; and
    matching a second CAG ID list configured on the terminal itself against the first CAG ID list to determine the CAG ID for which the terminal requests access.
  5. The method according to claim 4, wherein matching the second CAG ID list configured on the terminal itself against the first CAG ID list to determine the CAG ID for which the terminal requests access comprises:
    matching the second CAG ID list configured on the terminal itself against the first CAG ID list, and determining a CAG ID that is the same in both the second CAG ID list and the first CAG ID list as the requested CAG ID.
  6. The method according to claim 4, further comprising, before receiving the system broadcast message carrying the first CAG ID list:
    configuring the second CAG ID list, the second CAG ID list including at least one CAG ID that is allowed to be accessed.
  7. A method for accessing a closed access group, comprising:
    receiving a registration request message sent by a terminal, the registration request message including an encrypted closed access group identifier (CAG ID) for which access is requested and a subscription concealed identifier (SUCI) of the terminal;
    resolving the SUCI of the terminal into a subscription permanent identifier (SUPI) of the terminal, and decrypting the encrypted requested CAG ID into a decrypted requested CAG ID;
    obtaining a first CAG ID list from a home network of the terminal according to the SUPI of the terminal; and
    determining whether the decrypted requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if the decrypted requested CAG ID matches the first CAG ID list.
  8. The method according to claim 7, wherein resolving the SUCI into the SUPI and decrypting the encrypted requested CAG ID into the decrypted requested CAG ID comprises:
    a unified data management (UDM) or a subscription identifier de-concealing function (SIDF) resolving the SUCI of the terminal into the SUPI of the terminal, and decrypting the encrypted requested CAG ID into the decrypted requested CAG ID; and
    the UDM or the SIDF sending the SUPI of the terminal and the decrypted requested CAG ID to a mobility management function (AMF);
    wherein obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal comprises:
    the AMF obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
    and wherein determining whether the decrypted requested CAG ID matches the first CAG ID list, and sending the registration accept message to the terminal if the decrypted requested CAG ID matches the first CAG ID list, comprises:
    the AMF determining whether the decrypted requested CAG ID matches the first CAG ID list, and sending the registration accept message to the terminal if the decrypted requested CAG ID matches the first CAG ID list.
  9. The method according to claim 8, wherein the UDM or the SIDF resolving the SUCI of the terminal into the SUPI of the terminal and decrypting the encrypted requested CAG ID into the decrypted requested CAG ID comprises:
    the UDM or the SIDF resolving the SUCI of the terminal into the SUPI of the terminal, and decrypting the encrypted requested CAG ID into the decrypted requested CAG ID using the public key of the home network of the terminal.
  10. The method according to claim 8, wherein receiving the registration request message sent by the terminal, the registration request message including the encrypted requested CAG ID and the SUCI of the terminal, comprises:
    receiving the registration request message sent by the terminal, the registration request message including an extended SUCI of the terminal, the extended SUCI of the terminal being obtained by jointly encrypting the decrypted requested CAG ID and the SUCI of the terminal using the public key of the home network of the terminal;
    and wherein the UDM or the SIDF resolving the SUCI of the terminal into the SUPI of the terminal and decrypting the encrypted requested CAG ID into the decrypted requested CAG ID comprises:
    the UDM or the SIDF decrypting the extended SUCI of the terminal into the decrypted requested CAG ID and the SUCI of the terminal using the public key of the home network of the terminal, and resolving the SUCI of the terminal into the SUPI of the terminal.
  11. The method according to any one of claims 7 to 10, wherein determining whether the decrypted requested CAG ID matches the first CAG ID list comprises:
    determining whether the decrypted requested CAG ID is the same as a CAG ID in the first CAG ID list, and determining that the decrypted requested CAG ID matches the first CAG ID list if the decrypted requested CAG ID is the same as a CAG ID in the first CAG ID list.
  12. The method according to any one of claims 7 to 10, wherein obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal comprises:
    sending a CAG ID list request message to the home network of the terminal, the CAG ID list request message including the SUPI of the terminal; and
    receiving the first CAG ID list sent by the home network of the terminal.
  13. The method according to any one of claims 7 to 10, further comprising, after determining whether the decrypted requested CAG ID matches the first CAG ID list:
    sending a registration reject message to the terminal if the decrypted requested CAG ID does not match the first CAG ID list.
  14. A method for accessing a closed access group, comprising:
    encrypting a closed access group identifier (CAG ID) for which access is requested to obtain a first encrypted requested CAG ID; and
    sending a registration request message, the registration request message including the first encrypted requested CAG ID and a fifth-generation mobile communication system globally unique temporary user equipment identifier (5G-GUTI) of the terminal.
  15. The method according to claim 14, wherein encrypting the requested CAG ID to obtain the first encrypted requested CAG ID comprises:
    encrypting the requested CAG ID using an encryption key in a security context corresponding to the 5G-GUTI of the terminal to obtain the first encrypted requested CAG ID.
  16. The method according to claim 14, further comprising, after sending the registration request message:
    receiving an identity request message sent by a mobility management function (AMF);
    encrypting the requested CAG ID using a public key of a home network to obtain a second encrypted requested CAG ID; and
    sending an identity response message to the AMF, the identity response message including the second encrypted requested CAG ID and a subscription concealed identifier (SUCI) of the terminal.
  17. The method according to claim 14, further comprising, after sending the registration request message:
    receiving an identity request message sent by an AMF;
    jointly encrypting the requested CAG ID and the SUCI of the terminal using a public key of a home network to obtain an extended SUCI of the terminal; and
    sending an identity response message to the AMF, the identity response message including the extended SUCI of the terminal.
  18. The method according to any one of claims 14 to 17, further comprising, before encrypting the requested CAG ID to obtain the first encrypted requested CAG ID:
    receiving a system broadcast message carrying a first CAG ID list; and
    matching a second CAG ID list configured on the terminal itself against the first CAG ID list to determine the requested CAG ID.
  19. The method according to claim 18, wherein matching the second CAG ID list configured on the terminal itself against the first CAG ID list to determine the requested CAG ID comprises:
    matching the second CAG ID list configured on the terminal itself against the first CAG ID list, and determining a CAG ID that is the same in both the second CAG ID list and the first CAG ID list as the requested CAG ID.
  20. The method according to claim 18, further comprising, before receiving the system broadcast message carrying the first CAG ID list:
    configuring the second CAG ID list, the second CAG ID list including at least one CAG ID that is allowed to be accessed.
  21. A method for accessing a closed access group, comprising:
    receiving a registration request message sent by a terminal, the registration request message including a first encrypted closed access group identifier (CAG ID) for which access is requested and a fifth-generation mobile communication system globally unique temporary user equipment identifier (5G-GUTI) of the terminal;
    determining, according to the 5G-GUTI of the terminal, whether a current mobility management function (AMF) is a historical AMF that has served the terminal;
    if the current AMF is a historical AMF that has served the terminal and a subscription permanent identifier (SUPI) of the terminal is stored in the current AMF, obtaining a first CAG ID list from a home network of the terminal according to the SUPI of the terminal, and decrypting the first encrypted requested CAG ID into a decrypted requested CAG ID; and
    determining whether the decrypted requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if the decrypted requested CAG ID matches the first CAG ID list.
  22. The method according to claim 21, further comprising, after determining according to the 5G-GUTI of the terminal whether the current AMF is a historical AMF that has served the terminal:
    if the current AMF is a historical AMF that has served the terminal and the SUPI of the terminal is not stored in the current AMF, the current AMF sending an identity request message to the terminal;
    receiving an identity response message sent by the terminal, the identity response message including a second encrypted requested CAG ID, encrypted by the terminal using a public key of the home network, and a subscription concealed identifier (SUCI) of the terminal;
    a unified data management (UDM) or a subscription identifier de-concealing function (SIDF) resolving the SUCI of the terminal into the SUPI of the terminal, and decrypting the second encrypted requested CAG ID into the decrypted requested CAG ID using the public key of the home network of the terminal;
    obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal; and
    determining whether the decrypted requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if the decrypted requested CAG ID matches the first CAG ID list.
  23. The method according to claim 21, further comprising, after determining according to the 5G-GUTI of the terminal whether the current AMF is a historical AMF that has served the terminal:
    if the current AMF is a historical AMF that has served the terminal and the SUPI of the terminal is not stored in the current AMF, the current AMF sending an identity request message to the terminal;
    receiving an identity response message sent by the terminal, the identity response message including an extended SUCI obtained by the terminal jointly encrypting the requested CAG ID of the terminal and the SUCI of the terminal using a public key of the home network;
    a UDM or an SIDF decrypting the extended SUCI of the terminal into the decrypted requested CAG ID and the SUCI of the terminal using the public key of the home network of the terminal, and resolving the SUCI of the terminal into the SUPI of the terminal;
    obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal; and
    determining whether the decrypted requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if the decrypted requested CAG ID matches the first CAG ID list.
  24. The method according to claim 21, further comprising, after determining according to the 5G-GUTI of the terminal whether the current AMF is a historical AMF that has served the terminal:
    if the current AMF is not a historical AMF that has served the terminal, the current AMF determining the historical AMF that has served the terminal according to the 5G-GUTI of the terminal, and sending a context transfer request message for the terminal to the historical AMF, the context transfer request message for the terminal including the 5G-GUTI of the terminal;
    the current AMF receiving a context transfer response message sent by the historical AMF, the context transfer response message including a security context of the terminal and the first CAG ID list;
    the current AMF decrypting the first encrypted requested CAG ID into the decrypted requested CAG ID using a private key in the security context of the terminal; and
    determining whether the decrypted requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if the decrypted requested CAG ID matches the first CAG ID list.
  25. The method according to claim 24, further comprising, after the current AMF, in the case that it is not a historical AMF that has served the terminal, determines the historical AMF that has served the terminal according to the 5G-GUTI of the terminal and sends the context transfer request message for the terminal to the historical AMF:
    if the current AMF does not receive the context transfer response message for the terminal sent by the historical AMF, the current AMF sending an identity request message to the terminal;
    receiving an identity response message sent by the terminal, the identity response message including a second encrypted requested CAG ID, encrypted by the terminal using a public key of the home network, and the SUCI of the terminal;
    a UDM or an SIDF resolving the SUCI of the terminal into the SUPI of the terminal, and decrypting the second encrypted requested CAG ID into the decrypted requested CAG ID using the public key of the home network of the terminal;
    obtaining the first CAG ID list from the home network of the terminal according to the SUPI of the terminal; and
    determining whether the decrypted requested CAG ID matches the first CAG ID list, and sending a registration accept message to the terminal if the decrypted requested CAG ID matches the first CAG ID list.
  26. The method according to claim 24, further comprising, after the current AMF, in the case that it is not a historical AMF that has served the terminal, determines the historical AMF that has served the terminal according to the 5G-GUTI of the terminal and sends the context transfer request message for the terminal to the historical AMF:
    if the current AMF does not receive the context transfer response message for the terminal sent by the historical AMF, the current AMF sending an identity request message to the terminal;
    receiving an identity response message sent by the terminal, the identity response message including an extended SUCI obtained by the terminal jointly encrypting the requested CAG ID of the terminal and the SUCI of the terminal using a public key of the home network;
    UDM或SIDF使用所述终端的归属网络的公钥将所述终端的扩展的SUCI解密为所述解密的请求访问的CAG ID和所述终端的SUCI,并将所述终端的SUCI解析为所述终端的SUPI;UDM or SIDF uses the public key of the home network of the terminal to decrypt the extended SUCI of the terminal into the decrypted CAG ID of the access request and the SUCI of the terminal, and parse the SUCI of the terminal into the SUPI of the terminal;
    根据所述终端的SUPI从所述终端的归属网络获取第一CAG ID列表;Acquiring the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
    判断所述解密的请求访问的CAG ID和所述第一CAG ID列表是否匹配,在所述解密的请求访问的CAG ID和所述第一CAG ID列表匹配的情况下,向所述终端发送注册接受消息。Determine whether the decrypted CAG ID that requests access matches the first CAG ID list, and if the decrypted CAG ID that requests access matches the first CAG ID list, send a registration to the terminal Accept the message.
  27. 根据权利要求21~26中任一项所述的方法,其中,所述判断所述解密的请求访问的CAG ID和所述第一CAG ID列表是否匹配,包括:The method according to any one of claims 21 to 26, wherein the judging whether the decrypted CAG ID requested for access matches the first CAG ID list comprises:
    判断所述解密的请求访问的CAG ID是否与所述第一CAG ID列表中的一个CAG ID相同,在所述解密的请求访问的CAG ID与所述第一CAG ID列表中的一个CAG ID相同的情况下,确定所述解密的请求访问的CAG ID和所述第一CAG ID列表匹配。Determine whether the CAG ID of the decrypted access request is the same as a CAG ID in the first CAG ID list, and the CAG ID of the decrypted access request is the same as a CAG ID in the first CAG ID list In the case of, it is determined that the decrypted CAG ID requested for access matches the first CAG ID list.
  28. 根据权利要求21~26中任一项所述的方法,在所述判断所述解密的请求访问的CAG ID和所述第一CAG ID列表是否匹配之后,还包括:The method according to any one of claims 21 to 26, after the judging whether the decrypted CAG ID requested to access and the first CAG ID list match, further comprising:
    在所述解密的请求访问的CAG ID和所述第一CAG ID列表不匹配的情况下,向所述终端发送注册拒绝消息。In the case that the decrypted CAG ID requested for access does not match the first CAG ID list, a registration rejection message is sent to the terminal.
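The AMF-side decision procedure of claims 24 to 28, as an added Python illustration that is not the patent's or any vendor's code: the same-AMF path, the context transfer from a historical AMF, the identification-request fallback through the UDM/SIDF when no context response arrives, the claim 27 match rule and the claim 28 rejection. The class names, the colon-separated 5G-GUTI format, the subscriber data and the HMAC-based stand-in cipher are all assumptions made here.

```python
import hmac, hashlib, secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream: a constructed stand-in for the claims' keys, not 5G.
    out, i = b"", 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    return nonce + _xor_stream(key, nonce, data)
def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:12], blob[12:])

def cag_matches(decrypted_cag_id: str, first_cag_list: list) -> bool:
    # Claim 27: match iff the decrypted CAG ID equals one entry of the first CAG ID list.
    return any(hmac.compare_digest(decrypted_cag_id.encode(), c.encode()) for c in first_cag_list)

class HomeNetwork:  # UDM/SIDF role: resolves SUCI to SUPI and serves the subscribed CAG IDs
    def __init__(self, hn_key: bytes, subscribers: dict):
        self.hn_key, self.subscribers = hn_key, subscribers  # supi -> [CAG IDs]
    def resolve_suci(self, suci: bytes) -> str:
        return decrypt(self.hn_key, suci).decode()
    def first_cag_list(self, supi: str) -> list:
        return self.subscribers.get(supi, [])

class Terminal:
    def __init__(self, supi: str, ctx_key: bytes, home: HomeNetwork):
        self.supi, self.ctx_key, self.hk, self.cag_id = supi, ctx_key, home.hn_key, None
    def registration_request(self, guti: str, cag_id: str):  # claim 24 registration request
        self.cag_id = cag_id
        return guti, encrypt(self.ctx_key, cag_id.encode())  # 5G-GUTI + first encrypted CAG ID
    def identity_response(self):  # claim 25: second encrypted CAG ID and SUCI under home-network key
        return encrypt(self.hk, self.cag_id.encode()), encrypt(self.hk, self.supi.encode())

class Amf:
    def __init__(self, amf_id: str, home: HomeNetwork, peers: dict, contexts: dict = None):
        self.amf_id, self.home, self.peers, self.contexts = amf_id, home, peers, contexts or {}
    def register(self, guti: str, enc_cag_id: bytes, terminal: Terminal) -> str:
        owner = guti.split(":")[0]  # AMF that issued the 5G-GUTI (constructed GUTI format)
        hist = self if owner == self.amf_id else self.peers.get(owner)
        ctx = hist.contexts.get(guti) if hist else None  # own context, transferred, or none
        if ctx is not None:
            supi, dec = ctx["supi"], decrypt(ctx["key"], enc_cag_id).decode()
        else:  # no context transfer response: identification request, UDM/SIDF resolves SUCI
            enc2, suci = terminal.identity_response()
            supi, dec = self.home.resolve_suci(suci), decrypt(self.home.hn_key, enc2).decode()
        return "ACCEPT" if cag_matches(dec, self.home.first_cag_list(supi)) else "REJECT"

def run_scenarios() -> dict:
    # Constructed data: one subscriber; AMF2 can fetch AMF1's context, AMF3 cannot reach it.
    home = HomeNetwork(b"hn-key", {"imsi-001": ["CAG-A", "CAG-B"]})
    ue = Terminal("imsi-001", b"ctx-key", home)
    amf1 = Amf("AMF1", home, {}, {"AMF1:guti-7": {"supi": ue.supi, "key": ue.ctx_key}})
    amf2, amf3 = Amf("AMF2", home, {"AMF1": amf1}), Amf("AMF3", home, {})
    cases = {"same_amf": (amf1, "CAG-A"), "peer_context": (amf2, "CAG-B"),
             "suci_fallback": (amf3, "CAG-A"), "not_subscribed": (amf2, "CAG-Z")}
    return {k: amf.register(*ue.registration_request("AMF1:guti-7", cag), ue)
            for k, (amf, cag) in cases.items()}
```

Only the SUCI and the encrypted CAG ID ever leave the terminal, so an observer of the registration request learns neither the SUPI nor the group being requested; the AMF still needs either the security context or the home network to make the accept/reject decision.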
  29. A device for accessing a closed access group, comprising:
    an encryption module, configured to encrypt a closed access group identifier (CAG ID) requested for access to obtain an encrypted requested CAG ID;
    a sending module, configured to send a registration request message, the registration request message including the encrypted requested CAG ID and a subscription concealed identifier (SUCI) of a terminal.
  30. A device for accessing a closed access group, comprising:
    a receiving module, configured to receive a registration request message sent by a terminal, the registration request message including an encrypted closed access group identifier (CAG ID) requested for access and a subscription concealed identifier (SUCI) of the terminal;
    a decryption module, configured to resolve the SUCI of the terminal into a subscription permanent identifier (SUPI) of the terminal and to decrypt the encrypted requested CAG ID into a decrypted requested CAG ID;
    an acquisition module, configured to acquire a first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
    a determination module, configured to determine whether the decrypted requested CAG ID matches the first CAG ID list, and to send a registration accept message to the terminal in the case where the decrypted requested CAG ID matches the first CAG ID list.
  31. A device for accessing a closed access group, comprising:
    an encryption module, configured to encrypt a closed access group identifier (CAG ID) requested for access to obtain a first encrypted requested CAG ID;
    a sending module, configured to send a registration request message, the registration request message including the first encrypted requested CAG ID and a fifth-generation mobile communication system globally unique temporary user equipment identifier (5G-GUTI) of the terminal.
  32. A device for accessing a closed access group, comprising:
    a receiving module, configured to receive a registration request message sent by a terminal, the registration request message including a first encrypted closed access group identifier (CAG ID) requested for access and a fifth-generation mobile communication system globally unique temporary user equipment identifier (5G-GUTI) of the terminal;
    a decryption module, configured to determine, according to the 5G-GUTI of the terminal, whether the current mobility management function (AMF) is a historical AMF serving the terminal;
    an acquisition module, configured to, in the case where the current AMF is a historical AMF serving the terminal and a subscription permanent identifier (SUPI) of the terminal is stored in the current AMF, acquire a first CAG ID list from the home network of the terminal according to the SUPI of the terminal and decrypt the first encrypted requested CAG ID into a decrypted requested CAG ID;
    a determination module, configured to determine whether the decrypted requested CAG ID matches the first CAG ID list, and in the case where the decrypted requested CAG ID matches the first CAG ID list, to send a registration accept message to the terminal.
  33. A system for accessing a closed access group, comprising a terminal and a network device;
    the terminal comprises the device for accessing a closed access group according to claim 29;
    the network device comprises the device for accessing a closed access group according to claim 30.
  34. A system for accessing a closed access group, comprising a terminal and a network device;
    the terminal comprises the device for accessing a closed access group according to claim 31;
    the network device comprises the device for accessing a closed access group according to claim 32.
PCT/CN2020/109116 2019-08-15 2020-08-14 Method, device and system for accessing closed access group WO2021027916A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910754388.7A CN110536293A (en) 2019-08-15 2019-08-15 The methods, devices and systems of access closure access group
CN201910754388.7 2019-08-15

Publications (1)

Publication Number Publication Date
WO2021027916A1 true WO2021027916A1 (en) 2021-02-18

Family

ID=68663523

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/109116 WO2021027916A1 (en) 2019-08-15 2020-08-14 Method, device and system for accessing closed access group

Country Status (2)

Country Link
CN (1) CN110536293A (en)
WO (1) WO2021027916A1 (en)

Also Published As

Publication number Publication date
CN110536293A (en) 2019-12-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20852140

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20852140

Country of ref document: EP

Kind code of ref document: A1