WO2021057456A1 - Method and device for use in registration - Google Patents

Method and device for use in registration

Info

Publication number
WO2021057456A1
Authority
WO
WIPO (PCT)
Prior art keywords
amf
message
initial
security context
key
Application number
PCT/CN2020/113777
Other languages
French (fr)
Chinese (zh)
Inventor
Deng Juan (邓娟)
Original Assignee
Huawei Technologies Co., Ltd. (华为技术有限公司)
Priority claimed from CN201911089396.0A (published as CN112654046A)
Application filed by Huawei Technologies Co., Ltd.
Priority to EP20848683.7A (published as EP3826341A4)
Priority to US17/180,032 (published as US11606768B2)
Publication of WO2021057456A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/10 Integrity

Definitions

  • This application relates to the field of communications, and more specifically, to a method and device for registration.
  • The 5th generation (5G) communication protocol defines a procedure for redirecting the access and mobility management function (AMF) that serves the user equipment during the registration procedure.
  • In this procedure, the user equipment first sends a registration request message to the (radio) access network ((R)AN) carrying its 5G globally unique temporary UE identity (5G-GUTI) or its subscription concealed identifier (SUCI).
  • Second, after receiving the registration request message, the (R)AN forwards it to an initial AMF. Using the 5G-GUTI, the initial AMF locates the second AMF (the old AMF that last served the user equipment) and obtains the user equipment context from it; this context includes the NAS security context of the user equipment. Finally, when certain trigger conditions are met, the initial AMF initiates AMF redirection to a first AMF (the target AMF), and the target AMF can obtain the user equipment context from the initial AMF.
  • The initial AMF can also simply forward the complete registration request message to the first AMF.
  • A user equipment that has already activated NAS security with the initial AMF discards NAS messages that are not integrity protected. If the first AMF then sends an unprotected authentication request message, the user equipment may discard it, causing the registration of the user equipment to fail.
  • This application provides a method and device for registration.
  • The registration method is used in scenarios where AMF redirection occurs: when the first AMF receives first indication information from the initial AMF instructing it to protect the authentication request message, it sends a protected authentication request message to the user equipment, which prevents the user equipment from discarding the message and improves the chance of successful registration.
  • A method for registration includes: a first access and mobility management function (AMF) receives first indication information from an initial AMF; the first AMF protects a first message according to the first indication information; and the first AMF sends the protected first message to the user equipment (UE). Here the first AMF is the target AMF selected to serve the UE when AMF redirection occurs, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC). Or:
  • the first AMF receives the first indication information from the initial AMF and, according to it, does not perform primary authentication, or skips the primary authentication procedure and proceeds with the other steps of the registration procedure, or uses the received KAMF.
  • The first AMF uses the received NAS security context or KAMF to protect the N1 message.
  • The first indication information can be sent by the initial AMF to the first AMF so that the first AMF sends a protected authentication request message to the UE, preventing the user equipment from discarding the authentication request message and improving the probability of successful registration.
  • Alternatively, the initial AMF may send the first indication information to the first AMF to indicate that the first AMF does not perform the primary authentication procedure, so that the first AMF sends a protected N1 message to the UE.
  • The "protected first message" in the embodiments of this application is either a first message with integrity protection or a first message with both integrity and encryption protection. When the first message is a NAS SMC message, the protected first message is the first message with integrity protection only; otherwise the protected first message is the first message with integrity and encryption protection.
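The failure mode and the fix described above, as an added example that is not part of the patent: a toy model of the UE's NAS integrity check before and after NAS SMC, the initial AMF handing its NAS security context to the target AMF together with the first indication, and the target AMF protecting its Authentication Request with that context. The key derivation and the NAS-MAC use HMAC-SHA-256 as stand-ins for the 3GPP KDF and 128-NIA2, ciphering is omitted, and all key material is constructed; these are assumptions of the example, not the patent's or 3GPP's exact algorithms.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

DOWNLINK = b"\x01"  # direction value for AMF -> UE in the NAS-MAC input

# Constructed sample key: the K_AMF shared by the UE and the initial AMF after
# primary authentication (in a real network it is delivered by the SEAF).
SAMPLE_K_AMF = hashlib.sha256(b"constructed K_AMF for the example").digest()
NIA2 = 2  # identifier of the NAS integrity algorithm selected in the NAS SMC


def derive_k_nasint(k_amf: bytes, algo_id: int) -> bytes:
    """Stand-in for the TS 33.501 K_NASint derivation (assumption: HMAC-SHA-256)."""
    return hmac.new(k_amf, b"K_NASint" + bytes([algo_id]), hashlib.sha256).digest()


def nas_mac(k_nasint: bytes, count: int, direction: bytes, payload: bytes) -> bytes:
    """32-bit NAS-MAC over COUNT || DIRECTION || message (assumption: HMAC, not 128-NIA2)."""
    data = count.to_bytes(4, "big") + direction + payload
    return hmac.new(k_nasint, data, hashlib.sha256).digest()[:4]


@dataclass
class NasSecurityContext:
    k_amf: bytes
    integrity_algo: int
    dl_count: int = 0  # next downlink NAS COUNT to use (AMF) or to expect (UE)


@dataclass
class NasMessage:
    msg_type: str
    payload: bytes
    count: Optional[int] = None
    mac: Optional[bytes] = None


class Amf:
    def __init__(self, name: str) -> None:
        self.name = name
        self.ctx: Optional[NasSecurityContext] = None

    def protect(self, msg: NasMessage) -> NasMessage:
        """Integrity-protect a downlink NAS message with this AMF's NAS security context."""
        if self.ctx is None:
            raise RuntimeError(f"{self.name} has no NAS security context")
        k_int = derive_k_nasint(self.ctx.k_amf, self.ctx.integrity_algo)
        msg.count = self.ctx.dl_count
        msg.mac = nas_mac(k_int, msg.count, DOWNLINK, msg.payload)
        self.ctx.dl_count += 1
        return msg

    def redirect_to(self, target: "Amf", first_indication: bool) -> None:
        """AMF redirection. With the first indication, the NAS security context
        (K_AMF, algorithm, COUNT) is carried to the target in the same service operation."""
        if first_indication and self.ctx is not None:
            target.ctx = NasSecurityContext(self.ctx.k_amf, self.ctx.integrity_algo,
                                            self.ctx.dl_count)


class Ue:
    def __init__(self, k_amf: bytes) -> None:
        self.k_amf = k_amf
        self.ctx: Optional[NasSecurityContext] = None  # set once NAS SMC succeeds

    @staticmethod
    def _mac_ok(ctx: NasSecurityContext, msg: NasMessage) -> bool:
        if msg.count is None or msg.mac is None or msg.count < ctx.dl_count:
            return False  # unprotected, or a replayed COUNT
        k_int = derive_k_nasint(ctx.k_amf, ctx.integrity_algo)
        return hmac.compare_digest(nas_mac(k_int, msg.count, DOWNLINK, msg.payload), msg.mac)

    def receive(self, msg: NasMessage) -> str:
        """Return 'accepted' or 'discarded', following the NAS integrity-check rule."""
        if self.ctx is None:
            if msg.msg_type == "SECURITY MODE COMMAND":
                # Candidate context built from the SMC contents; activate it only if the MAC verifies.
                candidate = NasSecurityContext(self.k_amf, msg.payload[0])
                if not self._mac_ok(candidate, msg):
                    return "discarded"
                candidate.dl_count = msg.count + 1
                self.ctx = candidate
                return "accepted"
            # Before security is activated an Authentication Request may arrive unprotected.
            return "accepted" if msg.msg_type == "AUTHENTICATION REQUEST" else "discarded"
        # Secure exchange established: every message must carry a valid, fresh MAC.
        if not self._mac_ok(self.ctx, msg):
            return "discarded"
        self.ctx.dl_count = msg.count + 1
        return "accepted"


def registration_with_redirection(first_indication: bool, replay: bool = False) -> str:
    """Run the page's scenario; return what the UE does with the target AMF's
    Authentication Request (with replay=True, with a replayed copy of it)."""
    ue, initial, target = Ue(SAMPLE_K_AMF), Amf("initial AMF"), Amf("target AMF")
    # Primary authentication with the initial AMF: an unprotected Authentication Request is fine here.
    if ue.receive(NasMessage("AUTHENTICATION REQUEST", b"RAND|AUTN")) != "accepted":
        raise AssertionError("UE must accept the first Authentication Request")
    # NAS SMC activates security between the UE and the initial AMF.
    initial.ctx = NasSecurityContext(SAMPLE_K_AMF, NIA2)
    if ue.receive(initial.protect(NasMessage("SECURITY MODE COMMAND", bytes([NIA2])))) != "accepted":
        raise AssertionError("NAS SMC must verify")
    # AMF redirection; the target AMF decides to run primary authentication again.
    initial.redirect_to(target, first_indication)
    auth_req = NasMessage("AUTHENTICATION REQUEST", b"RAND2|AUTN2")
    if target.ctx is not None:
        auth_req = target.protect(auth_req)  # the first AMF protects the first message
    result = ue.receive(auth_req)
    if replay:
        result = ue.receive(NasMessage(auth_req.msg_type, auth_req.payload, auth_req.count, auth_req.mac))
    return result
```

Without the first indication the target AMF has no context, its Authentication Request goes out unprotected, and the UE discards it; with the indication the same message is accepted, and a replayed copy is still rejected because the handed-over NAS COUNT keeps the UE's freshness check intact. The page's other variant, a second indication telling the UE to accept an unprotected first message, relaxes exactly the discard rule this model enforces, so an implementation of that variant should confine the relaxation to the one expected message within the current registration procedure.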
  • the first AMF receiving the first indication information from the initial AMF includes: the first AMF receives a first service operation from the initial AMF, and the first service The operation includes the first indication information.
  • the initial AMF sending the first indication information to the first AMF may be by sending the first service operation to the first AMF, and carrying the first indication information in the first service operation.
  • the first service operation is the Namf_Communication_N1MessageNotify service operation.
  • This application does not require the first indication information to be carried in the first service operation; doing so is one flexible, optional way for the initial AMF to send it to the first AMF.
  • Carrying the first indication information in a service operation that is sent anyway avoids an additional message and therefore saves signalling overhead.
  • The first service operation may further include a non-access stratum (NAS) security context, and the first AMF protecting the first message then includes the first AMF using that NAS security context to protect the first message.
  • That is, the first service operation sent by the initial AMF to the first AMF may also carry the NAS security context, so that the first AMF can use the received NAS security context to protect the first message, which gives the first AMF a feasible way to protect it.
  • The first indication information indicates at least one of the following: the UE and the initial AMF have performed a secure exchange of NAS messages; the first AMF should use the received NAS security context to protect the first message; a security context has been established between the UE and the initial AMF; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; NAS SMC has been performed successfully between the UE and the initial AMF; the first AMF should use the received KAMF; the first AMF does not perform the primary authentication procedure; or the first AMF skips the primary authentication procedure and proceeds with the other steps of registration.
  • The first indication information indicating that the first AMF should protect the first message may take the form of an indication that the UE and the initial AMF have performed a secure exchange of NAS messages, and/or an indication that the first AMF should use the received NAS security context to protect the first message; this leaves the specific form of the first indication information flexible. Or:
  • the first indication information indicates that the first AMF does not perform primary authentication, and other indication forms may likewise be used.
  • A method for registration includes: an initial access and mobility management function (AMF) determines to send first indication information to a first AMF, the first indication information indicating that the first AMF should protect a first message; and the initial AMF sends the first indication information to the first AMF, where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC). Or:
  • the initial AMF determines to send first indication information to the first AMF, the first indication information instructing the first AMF not to perform primary authentication, or to skip the primary authentication procedure and proceed with the other steps of registration, or to use the received KAMF; and the initial AMF sends the first indication information to the first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed.
  • With this method the initial AMF can send the first indication information to the first AMF so that the first AMF sends a protected authentication request message to the UE, preventing the user equipment from discarding the authentication request message and improving the probability of successful registration.
  • Alternatively, the initial AMF may send the first indication information so that the first AMF does not perform the primary authentication procedure, which gives the first AMF a feasible way to omit primary authentication.
  • The initial AMF determining to send the first indication information to the first AMF includes deciding to do so based on a first preset condition, which comprises at least one of the following: a secure exchange of NAS messages has been performed between the UE and the initial AMF; a security context has been established between the UE and the initial AMF; NAS SMC has been performed successfully between the UE and the initial AMF; a security association has been activated between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; or the initial AMF uses a KAMF obtained by horizontal KAMF derivation from the KAMF received from the second AMF, where the second AMF is the AMF that last served the UE.
  • In other words, the initial AMF sends the first indication information to the first AMF only when it determines that a first preset condition is met, which gives the initial AMF a feasible rule for deciding whether to send it.
  • the initial AMF sending the first indication information to the first AMF includes: the initial AMF sending a first service operation to the first AMF, and the first service The operation includes the first indication information.
  • the initial AMF sending the first indication information to the first AMF may be by sending the first service operation to the first AMF, and carrying the first indication information in the first service operation.
  • a flexible and optional solution is provided for the initial AMF to send the first indication information to the first AMF.
  • the first service operation is the Namf_Communication_N1MessageNotify service operation.
  • the first service operation further includes a NAS security context.
  • That is, the first service operation sent by the initial AMF to the first AMF may also carry the NAS security context, so that the first AMF can use the received NAS security context to protect the first message, which gives the first AMF a feasible way to protect it.
  • The first indication information indicates at least one of the following: the UE and the initial AMF have performed a secure exchange of NAS messages; the first AMF should use the NAS security context to protect the first message; a security context has been established between the UE and the initial AMF; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; NAS SMC has been performed successfully between the UE and the initial AMF; the first AMF should use the received KAMF; the first AMF does not perform the primary authentication procedure; or the first AMF skips the primary authentication procedure and proceeds with the other steps of registration.
  • The first indication information indicating that the first AMF should protect the first message may take the form of an indication that the UE and the initial AMF have performed a secure exchange of NAS messages and/or an indication that the first AMF should use the received NAS security context to protect the first message; this leaves the specific form of the first indication information flexible.
  • Alternatively, the first indication information indicates that the first AMF does not perform primary authentication, and other indication forms may likewise be used.
  • A method for registration includes: a user equipment (UE) receives a first message protected by a first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC).
  • the UE receives the protected authentication request message, thereby preventing the user equipment from discarding the authentication request message and increasing the probability of successful registration of the user equipment.
  • A method for registration includes: a user equipment (UE) receives second indication information from an initial access and mobility management function (AMF), the second indication information instructing the UE to accept an unprotected first message; and the UE accepts the unprotected first message from the first AMF according to the second indication information, where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC).
  • With this method the initial AMF sends the second indication information to the UE so that the UE accepts the unprotected authentication request message, preventing the user equipment from discarding the authentication request message and improving the probability of successful registration.
  • A method for registration includes: an initial access and mobility management function (AMF) determines, based on a second preset condition, to send second indication information to the user equipment (UE), the second indication information instructing the UE to accept an unprotected first message, where the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC); and the initial AMF sends the second indication information to the UE.
  • With this method the initial AMF sends the second indication information to the UE so that the UE accepts the unprotected authentication request message, preventing the user equipment from discarding the authentication request message and improving the probability of successful registration.
  • The initial AMF determines to send the second indication information to the UE based on a second preset condition, which comprises at least one of the following: the initial AMF has performed a secure exchange of NAS messages with the UE; the initial AMF has determined to perform AMF redirection; a security context has been established between the UE and the initial AMF; NAS SMC has been performed successfully between the UE and the initial AMF; a security association has been activated between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; or the initial AMF uses a KAMF obtained by horizontal KAMF derivation from the KAMF received from the second AMF, where the second AMF is the AMF that last served the UE.
  • A method for registration includes: a first access and mobility management function (AMF) receives a first service operation sent by an initial AMF; the first AMF protects a first message; and the first AMF sends the protected first message to the user equipment (UE), where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC). Or:
  • the first AMF receives the first service operation sent by the initial AMF; the first AMF skips the primary authentication procedure; and the first AMF sends a protected N1 message to the UE, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed.
  • With this method the first AMF, after determining that AMF redirection has occurred, sends a protected authentication request message to the UE, preventing the user equipment from discarding the authentication request message and increasing the probability of successful registration.
  • Alternatively, the initial AMF sends the first AMF a first service operation indicating that the first AMF should not perform the primary authentication procedure: after determining that AMF redirection has occurred, the first AMF skips primary authentication and carries out the other steps of registration, or does not perform primary authentication at all, and uses the received NAS security context to protect the N1 message.
  • The method for registration further includes: the first AMF determines from the first service operation that AMF redirection has occurred.
  • The first AMF can determine whether AMF redirection has occurred from the information elements (IEs) carried in the first service operation. For example, if the N1 message class carried in the first service operation is 5GMM, AMF redirection has occurred; likewise, if the first service operation carries an IE of type Registration Context Container, AMF redirection has occurred.
  • The first AMF protecting the first message includes the first AMF protecting the first message with the received NAS security context.
  • The received NAS security context is the NAS security context carried in the first service operation that the first AMF received from the initial AMF.
  • The first AMF may therefore use the received NAS security context to protect the first message, which gives it a feasible way to do so.
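The decision logic on both sides of the service operation, as an added example that is not the patent's code: the initial AMF evaluates the first preset conditions listed above, builds the Namf_Communication_N1MessageNotify body with the first indication and the NAS security context, and the target AMF detects redirection from the IEs named on the page (an N1 message class of 5GMM, or a Registration Context Container) and decides whether to protect its N1 messages with the received context and whether to skip primary authentication. Only `n1MessageClass` and `registrationCtxtContainer` are IE names taken from the page; every other field name, the sample context values and the registration request bytes are assumptions constructed for the example, not the TS 29.518 schema.

```python
import json
from dataclasses import asdict, dataclass


@dataclass
class InitialAmfState:
    """What the initial AMF knows about its interaction with the UE. Each field is one
    of the page's first preset conditions; any one of them being true is enough."""
    nas_smc_succeeded: bool = False
    primary_auth_performed: bool = False
    algo_differs_from_second_amf: bool = False
    horizontal_kamf_derivation: bool = False


def needs_first_indication(state: InitialAmfState) -> bool:
    return any(asdict(state).values())


def build_n1_message_notify(state: InitialAmfState, registration_request: bytes,
                            nas_ctx: dict, skip_primary_auth: bool = False) -> dict:
    """Initial AMF side: body of the Namf_Communication_N1MessageNotify sent to the
    target AMF. n1MessageClass and registrationCtxtContainer are the IE names given on
    the page; every other field name here is an assumption for the example."""
    notification = {
        "n1MessageContainer": {"n1MessageClass": "5GMM",
                               "n1MessageContent": registration_request.hex()},
        "registrationCtxtContainer": {"initialAmfName": "amf-initial.example.invalid",
                                      "ueContext": {}},
    }
    if needs_first_indication(state):
        ue_ctx = notification["registrationCtxtContainer"]["ueContext"]
        ue_ctx["nasSecurityContext"] = nas_ctx       # K_AMF, algorithms, NAS COUNTs
        ue_ctx["nasSecurityActivatedInd"] = True     # first indication: protect the first message
        if skip_primary_auth:
            ue_ctx["skipPrimaryAuthInd"] = True      # first indication: reuse K_AMF, skip primary auth
    return notification


def target_amf_plan(notification: dict) -> dict:
    """Target (first) AMF side: detect AMF redirection from the IEs and decide how to
    continue the registration procedure."""
    n1_class = notification.get("n1MessageContainer", {}).get("n1MessageClass")
    reg_ctx = notification.get("registrationCtxtContainer")
    redirected = n1_class == "5GMM" or reg_ctx is not None
    plan = {"amf_redirection": redirected, "run_primary_auth": True,
            "protect_with_received_ctx": False}
    if not redirected:
        return plan  # not a redirection: ordinary registration handling
    ue_ctx = (reg_ctx or {}).get("ueContext", {})
    if ue_ctx.get("nasSecurityActivatedInd") or ue_ctx.get("skipPrimaryAuthInd"):
        if "nasSecurityContext" not in ue_ctx:
            # An indication without a context to protect with cannot be honoured; fail closed.
            raise ValueError("first indication received without a NAS security context")
        plan["protect_with_received_ctx"] = True   # an unprotected N1 message would be discarded by the UE
        plan["run_primary_auth"] = not ue_ctx.get("skipPrimaryAuthInd", False)
    return plan


def redirect_scenario(state: InitialAmfState, skip_primary_auth: bool = False) -> dict:
    """End to end: the initial AMF builds the notification, it crosses the SBI as JSON,
    and the target AMF returns its plan. All inputs are constructed sample values."""
    sample_nas_ctx = {"ngKsi": 1, "kAmf": "11" * 32, "nasIntegrityAlgo": "NIA2",
                      "nasCipheringAlgo": "NEA2", "dlNasCount": 2, "ulNasCount": 3}
    registration_request = bytes.fromhex("7e0041")  # constructed plain 5GMM Registration Request header
    wire = json.dumps(build_n1_message_notify(state, registration_request,
                                              sample_nas_ctx, skip_primary_auth))
    return target_amf_plan(json.loads(wire))
```

The fail-closed branch is the point a reviewer would look for: a target AMF that sees the indication but no context must not fall back to sending an unprotected Authentication Request, because that is exactly the message the UE will discard. When no condition holds, the notification carries no indication, the target AMF runs primary authentication as usual, and the unprotected Authentication Request is acceptable to a UE that has not yet activated NAS security.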
  • A method for registration includes: a user equipment (UE) receives a protected first message from a first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC).
  • the UE receives the protected authentication request message, thereby preventing the user equipment from discarding the authentication request message and increasing the probability of successful registration of the user equipment.
  • a device for registration includes a processor for implementing the function of the first AMF in the methods described in the first and seventh aspects.
  • the device for registration may further include a memory coupled with the processor, and the processor is configured to implement the function of the first AMF in the methods described in the first aspect and the seventh aspect.
  • the memory is used to store program instructions and data.
  • the memory is coupled with the processor, and the processor can call and execute the program instructions stored in the memory to implement the function of the first AMF in the methods described in the first aspect and the seventh aspect.
  • the apparatus for registration may further include a communication interface, and the communication interface is used for the apparatus for registration to communicate with other devices.
  • the communication interface may be a transceiver, an input/output interface, or a circuit.
  • the device for registration includes: a processor and a communication interface
  • the processor is configured to run a computer program, so that the device for registration implements any one of the methods described in the first aspect and the seventh aspect;
  • the processor communicates with the outside by using the communication interface.
  • the exterior may be an object other than the processor, or an object other than the device.
  • the device for registration is a chip or a chip system.
  • the communication interface may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit on the chip or chip system.
  • the processor may also be embodied as a processing circuit or a logic circuit.
  • a device for registration includes a processor for implementing the function of the initial AMF in the methods described in the second and fifth aspects.
  • the device for registration may further include a memory, the memory is coupled to the processor, and the processor is configured to implement the function of the initial AMF in the methods described in the second aspect and the fifth aspect.
  • the memory is used to store program instructions and data.
  • the memory is coupled with the processor, and the processor can call and execute program instructions stored in the memory to implement the function of the initial AMF in the methods described in the second and fifth aspects.
  • the apparatus for registration may further include a communication interface, and the communication interface is used for the apparatus for registration to communicate with other devices.
  • the communication interface may be a transceiver, an input/output interface, or a circuit.
  • the device for registration includes: a processor and a communication interface
  • the processor communicates with the outside by using the communication interface
  • the processor is configured to run a computer program, so that the device for registration implements any one of the methods described in the second aspect and the fifth aspect.
  • the exterior may be an object other than the processor, or an object other than the device.
  • the device for registration is a chip or a chip system.
  • the communication interface may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit on the chip or chip system.
  • the processor may also be embodied as a processing circuit or a logic circuit.
  • a device for registration includes a processor, configured to implement the functions of the user equipment in the methods described in the third, fourth, and eighth aspects.
  • The apparatus for registration may further include a memory coupled to the processor, and the processor is configured to implement the functions of the user equipment in the methods described in the third, fourth and eighth aspects.
  • The memory is used to store program instructions and data.
  • The memory is coupled with the processor, and the processor can call and execute the program instructions stored in the memory to implement the functions of the user equipment in the methods described in the third, fourth and eighth aspects.
  • the apparatus for registration may further include a communication interface, and the communication interface is used for the apparatus for registration to communicate with other devices.
  • the communication interface may be a transceiver, an input/output interface, or a circuit.
  • the device for registration includes: a processor and a communication interface
  • the processor communicates with the outside by using the communication interface
  • the processor is configured to run a computer program, so that the device for registration implements any one of the methods described in the third aspect, the fourth aspect, and the eighth aspect.
  • the exterior may be an object other than the processor, or an object other than the device.
  • the device for registration is a chip or a chip system.
  • the communication interface may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit on the chip or chip system.
  • the processor may also be embodied as a processing circuit or a logic circuit.
  • the present application provides a computer-readable storage medium having instructions stored in the computer-readable storage medium, which when run on a computer, cause the computer to execute the methods described in the above aspects.
  • this application provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the methods described in the above aspects.
  • a communication system including the device for registration shown in the eighth aspect, the device for registration shown in the ninth aspect, and the device for registration shown in the tenth aspect.
  • A chip system includes a memory and a processor, the memory being used to store a computer program and the processor being used to call and run the computer program from the memory, so that the communication device in which the chip system is installed executes the method of any one of the possible implementations of the first to seventh aspects.
  • Figure 1 is a network architecture suitable for embodiments of the present application.
  • Figure 2 is a schematic diagram of a registration process in which AMF redirection occurs.
  • Fig. 3 is a schematic flowchart of a method for registration provided in an embodiment of the present application.
  • Fig. 4 is a schematic flowchart of another method for registration provided in an embodiment of the present application.
  • FIG. 5 is a schematic diagram of the device 10 for registration proposed in this application.
  • FIG. 6 is a schematic structural diagram of a user equipment 20 applicable to an embodiment of the present application.
  • FIG. 7 is a schematic diagram of the device 30 for registration proposed in this application.
  • FIG. 8 is a schematic structural diagram of an initial AMF 40 applicable to an embodiment of the present application.
  • FIG. 9 is a schematic diagram of the device 50 for registration proposed in the present application.
  • FIG. 10 is a schematic structural diagram of a first AMF 60 applicable to an embodiment of the present application.
  • FIG. 11 is a schematic flowchart of yet another method for registration provided in an embodiment of the present application.
  • Figure 1 is a network architecture suitable for embodiments of the present application. As shown in Figure 1, each part involved in the network architecture will be described separately below.
  • User equipment 110 may include handheld devices with wireless communication capability, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to a wireless modem, and terminals in various forms such as mobile stations (MS), terminals, user equipment (UE) and soft terminals, for example water meters, electricity meters and sensors.
  • The user equipment in the embodiments of this application may also be referred to as an access terminal, subscriber unit, subscriber station, mobile station, mobile, relay station, remote station, remote terminal, mobile device, user terminal, terminal device, wireless communication device, user agent or user device.
  • The user equipment may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, user equipment in a future 5G network, or user equipment in a future evolved public land mobile network (PLMN).
  • Wearable devices may also be called wearable smart devices, a general term for everyday wearable items designed and developed with wearable technology, such as glasses, gloves, watches, clothing and shoes.
  • A wearable device is a portable device worn directly on the body or integrated into the user's clothes or accessories. Wearable devices are not only hardware; they provide powerful functions through software support, data interaction and cloud interaction.
  • Wearable smart devices range from full-featured, large-sized devices that can provide complete or partial functions without relying on a smartphone, such as smart watches or smart glasses, to devices that focus on one type of application function and must work together with other devices such as a smartphone.
  • The user equipment may also be user equipment in an Internet of Things (IoT) system.
  • The IoT is an important part of the future development of information technology; its main technical feature is connecting things to the network through communication technology, forming an intelligent network of human-machine interconnection and interconnection of things.
  • IoT technology can achieve massive connectivity, deep coverage and terminal power saving through, for example, narrowband (NB) technology.
  • User equipment may also include sensors, such as those in smart printers, train detectors and gas stations, whose main functions include collecting data (for some user equipment), receiving control information and downlink data from access network equipment, and transmitting uplink data to the access network equipment by radio.
  • (Radio) access network equipment ((R)AN) 120: used to provide network access functions for authorized user equipment in a specific area, and can use transmission tunnels of different quality according to the level of the user equipment and the service requirements.
  • (R)AN can manage wireless resources, provide access services for user equipment, and then complete the forwarding of control signals and user equipment data between the user equipment and the core network.
  • (R)AN can also be understood as a base station in a traditional network.
  • the access network device in the embodiment of the present application may be any communication device with a wireless transceiving function that is used to communicate with user equipment.
  • the access network equipment includes but is not limited to: evolved Node B (eNB), radio network controller (RNC), Node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (home evolved NodeB, HeNB, or home NodeB, HNB), baseband unit (BBU), wireless fidelity (WiFi) system access point (AP), wireless relay node, wireless backhaul node, transmission point (TP) or transmission and reception point (TRP), etc.; it can also be the gNB in a 5G system such as NR, or a transmission point (TRP or TP), or one or a group of antenna panels (including multiple antenna panels) of a base station in the 5G system, or
  • the gNB may include a centralized unit (CU) and a DU.
  • the gNB may also include an active antenna unit (AAU).
  • the CU implements some of the functions of the gNB, and the DU implements some of the functions of the gNB.
  • the CU is responsible for processing non-real-time protocols and services, and implements radio resource control (radio resource control, RRC) and packet data convergence protocol (packet data convergence protocol, PDCP) layer functions.
  • RRC radio resource control
  • PDCP packet data convergence protocol
  • the DU is responsible for processing the physical layer protocol and real-time services, and realizes the functions of the radio link control (RLC) layer, the media access control (MAC) layer, and the physical (PHY) layer.
  • RLC radio link control
  • MAC media access control
  • PHY physical
  • AAU realizes some physical layer processing functions, radio frequency processing and related functions of active antennas. Since the information of the RRC layer will eventually become the information of the PHY layer, or be transformed from the information of the PHY layer, under this architecture, high-level signaling, such as RRC layer signaling, can also be considered to be sent by the DU, or sent by DU+AAU.
  • the access network device may be a device that includes one or more of a CU node, a DU node, and an AAU node.
  • the CU can be classified as access network equipment in the radio access network (RAN), or the CU can be classified as access network equipment in the core network (CN); this application does not limit this.
  • User plane network element 130 used for packet routing and forwarding and quality of service (QoS) processing of user plane data, etc.
  • QoS quality of service
  • the user plane network element may be a user plane function (UPF) network element.
  • UPF user plane function
  • the user plane network element may still be a UPF network element, or may also have other names, which is not limited in this application.
  • Data network network element 140 used to provide a network for transmitting data.
  • the data network element may be a data network (DN) network element.
  • DN data network
  • the data network network element may still be a DN network element, or may also have other names, which is not limited by this application.
  • Access management network element 150: mainly used for mobility management and access management, etc., and can be used to implement functions other than session management in the mobility management entity (MME) function, for example, lawful interception and access authorization/authentication functions.
  • MME mobility management entity
  • the access management network element may be an access and mobility management function (AMF).
  • AMF access and mobility management function
  • the access management network element may still be AMF, or may also have other names, which is not limited in this application.
  • Session management network element 160: mainly used for session management, Internet Protocol (IP) address allocation and management of user equipment, selection of end points that can manage user plane functions, policy control and charging function interfaces, downlink data notification, etc.
  • IP Internet Protocol
  • the session management network element may be a session management function (session management function, SMF) network element.
  • SMF session management function
  • the session management network element may still be an SMF network element, or may also have other names, which is not limited in this application.
  • Policy control network element 170 A unified policy framework used to guide network behavior, and provide policy rule information for control plane function network elements (such as AMF, SMF network elements, etc.).
  • the policy control network element may be a policy and charging rules function (PCRF) network element.
  • the policy control network element may be a policy control function (PCF) network element.
  • PCF policy control function
  • the policy control network element may still be a PCF network element, or may also have other names, which is not limited in this application.
  • Authentication server 180 used for authentication services, generating keys to realize two-way authentication of user equipment, and supporting a unified authentication framework.
  • the authentication server may be an authentication server function (authentication server function, AUSF) network element.
  • the authentication server function network element may still be an AUSF network element, or may also have other names, which is not limited in this application.
  • Data management network element 190 used to process user equipment identification, access authentication, registration, and mobility management.
  • the data management network element may be a unified data management (UDM) network element; in a 4G communication system, the data management network element may be a home subscriber server (HSS) network element. In a future communication system, the unified data management can still be the UDM network element, or it can have other names, which is not limited in this application.
  • UDM unified data management
  • HSS home subscriber server
  • Application network element 1100 used for data routing affected by applications, access to network open function network elements, and interaction with the policy framework for policy control, etc.
  • the application network element may be an application function (AF) network element.
  • AF application function
  • the application network element may still be an AF network element, or may also have other names, which is not limited by this application.
  • Network slice selection network element 1200 used to implement access mapping between user equipment and network slices, and provide appropriate network slice access for user equipment.
  • the network slice selection network element may be a network slice selection function (NSSF) network element.
  • NSSF network slice selection function
  • the network slice selection network element may still be an NSSF network element, or may have other names, which is not limited by this application.
  • FIG. 1 is only an example and does not constitute any limitation to the protection scope of the present application.
  • the method for registration provided by the embodiment of the present application may also involve a network element not shown in FIG. 1.
  • the method for registration provided by the embodiment of the present application also relates to a network storage network element, where the network storage network element is used to maintain real-time information of all network functions and services in the network.
  • the network storage network element may be a network repository function (NRF) network element.
  • NRF network repository function
  • the network storage network element may still be an NRF network element, or may also have other names, which is not limited by this application.
  • the aforementioned network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • the access management network element is the AMF
  • the data management network element is the UDM network element
  • the session management network element is the SMF network element
  • the user plane network element is the UPF network element.
  • the AMF network element is abbreviated as AMF
  • the UDM network element is abbreviated as UDM
  • the SMF network element is abbreviated as SMF
  • the UPF network element is abbreviated as UPF. That is, the AMF described later in this application can be replaced with an access management network element, UDM can be replaced with a data management network element, SMF can be replaced with a session management network element, and UPF can be replaced with a user plane network element.
  • the device is an AMF entity and a UDM entity as examples to describe the method for registration.
  • for the implementation in which the device is a chip in the AMF entity or a chip in the UDM entity, refer to the specific descriptions of the AMF entity and the UDM entity respectively; the introduction will not be repeated.
  • the user equipment is connected to the AMF through the N1 interface
  • the RAN is connected to the AMF through the N2 interface
  • the RAN is connected to the UPF through the N3 interface.
  • UPFs are interconnected through the N9 interface, and the UPF is connected to the DN through the N6 interface.
  • SMF controls UPF through the N4 interface.
  • AMF interfaces with SMF through N11 interface.
  • AMF obtains user equipment subscription data from the UDM unit through the N8 interface
  • SMF obtains user equipment subscription data from the UDM unit through the N10 interface.
  • network function network element entities such as AMF, SMF network elements, PCF network elements, BSF network elements, and UDM network elements are all called network function (NF) network elements; or
  • NF network function
  • a collection of network elements such as AMF, SMF network elements, PCF network elements, BSF network elements, and UDM network elements can all be called control plane function network elements.
  • the technical solutions of the embodiments of this application can be applied to various communication systems, such as: long term evolution (LTE) system, LTE frequency division duplex (FDD) system, LTE time division duplex (TDD) system, universal mobile telecommunication system (UMTS), worldwide interoperability for microwave access (WiMAX) communication system, fifth generation (5G) system, new radio (NR) system, or future networks, etc.
  • LTE long term evolution
  • FDD frequency division duplex
  • TDD time division duplex
  • UMTS universal mobile telecommunication system
  • WiMAX worldwide interoperability for microwave access
  • the 5G mobile communication system described in this application includes a non-standalone (NSA) 5G mobile communication system or a standalone (SA) 5G mobile communication system.
  • the technical solution provided in this application can also be applied to future communication systems, such as the sixth-generation mobile communication system.
  • the communication system can also be a public land mobile network (PLMN), a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, or an Internet of Things (IoT) communication system.
  • D2D device-to-device
  • M2M machine-to-machine
  • the user equipment or the access network device includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer.
  • the hardware layer includes hardware such as a central processing unit (CPU), a memory management unit (MMU), and memory (also referred to as main memory).
  • the operating system may be any one or more computer operating systems that implement business processing through processes, for example, Linux operating systems, Unix operating systems, Android operating systems, iOS operating systems or windows operating systems.
  • the application layer includes applications such as browsers, address books, word processing software, and instant messaging software.
  • the embodiments of the application do not specifically limit the specific structure of the execution body of the method provided in the embodiments of the application, as long as it can run a program that records the code of the methods provided in the embodiments of the application.
  • the execution subject of the method provided in the embodiments of the present application may be user equipment or access network equipment, or a functional module in the user equipment or access network equipment that can call and execute programs.
  • various aspects or features of the present application can be implemented as methods, devices, or products using standard programming and/or engineering techniques.
  • article of manufacture used in this application encompasses a computer program accessible from any computer-readable device, carrier, or medium.
  • computer-readable media may include, but are not limited to: magnetic storage devices (for example, hard disks, floppy disks, or tapes, etc.), optical disks (for example, compact discs (CD), digital versatile discs (DVD), etc.), smart cards and flash memory devices (for example, erasable programmable read-only memory (EPROM), cards, sticks or key drives, etc.).
  • various storage media described herein may represent one or more devices and/or other machine-readable media for storing information.
  • the term "machine-readable storage medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing, and/or carrying instructions and/or data.
  • the embodiments of the present application mainly relate to AMF, UE, (R)AN, AUSF, UDM, and NSSF in the network architecture shown in FIG. 1 and also relate to NRF not shown in FIG. 1.
  • this application involves initial AMF (initial AMF), second AMF (old AMF), and first AMF (target AMF).
  • the second AMF involved in this application refers to the AMF that served the UE last time, that is, the AMF that served the UE before the current registration, and it can also be referred to as the AMF that the UE visited last time; the initial AMF involved in this application refers to the AMF selected by the (R)AN when the UE initiates the current registration request; the first AMF involved in this application refers to the AMF, other than the initial AMF, selected by the initial AMF to provide services for the UE after the initial AMF decides to perform AMF redirection.
  • the AUSF involved in this application is mainly used for primary authentication; the UDM involved in this application is mainly used to provide user equipment subscription information, and the subscription information includes the network slice selection subscription data of the user equipment; the NSSF is mainly used to provide the AMF set or AMF address list that can serve the network slice selection assistance information (NSSAI) requested by the user equipment; the NRF involved in this application is mainly used to provide the address of the first AMF.
  • NSSAI network slice selection assistance information
  • the AMF key included in the NAS security context established between the UE and the second AMF is marked as Kamf, which may also be referred to as the first key, or the old key;
  • the identifier corresponding to the Kamf is denoted as ngKSI, and the ngKSI is also referred to as the first key identifier or the old key identifier;
  • the NAS security context may also be referred to as the old NAS security context.
  • after the primary authentication between the initial AMF and the UE, the key generated by the primary authentication that is activated and used is recorded as Kamf_new, and its key identifier is recorded as ngKSI_new.
  • This Kamf_new can also be called the second key, and the ngKSI_new can also be called the first key.
  • the key generated after the key derivation of Kamf_new is recorded as Kamf_new', and this Kamf_new' can also be referred to as the third key.
  • if the key identifier of the key generated by key derivation is the same as the key identifier of the key it was derived from, the key identifier corresponding to Kamf_new' is also ngKSI_new, which is called the second key identifier;
  • the key generated after the key derivation of Kamf is recorded as Kamf', and this Kamf' can also be called the fourth key. Specifically, if the key identifier of the key generated by key derivation is the same as the key identifier of the key it was derived from, the key identifier corresponding to Kamf' is also ngKSI;
  • the key generated after the key derivation of Kamf' is denoted as Kamf", and this Kamf" may also be referred to as the fifth key.
  • the key identifier corresponding to the Kamf" is also ngKSI;
  • the key generated after the key derivation of Kamf" is denoted as Kamf"'.
  • This Kamf"' can also be called the sixth key.
  • if the key identifier of the key generated by key derivation is the same as the key identifier of the key it was derived from, the key identifier corresponding to Kamf"' is also ngKSI;
  • the key generated after the key derivation of Kamf_new' is recorded as Kamf_new", and this Kamf_new" can also be referred to as the seventh key.
  • if the key identifier of the key generated by key derivation is the same as the key identifier of the key it was derived from, the key identifier corresponding to Kamf_new" is also ngKSI_new.
  • the mechanism and parameters used by the key derivation to generate a new key are not restricted; the only requirement is that the new key generated by the key derivation cannot be used to derive the key it was derived from; or, it can be said that the new key and the original key are isolated.
  • the key derivation described in this application can be a horizontal key derivation defined in the existing protocol
  • the key deduction described in this application may be a key deduction manner agreed between different network elements.
  • the information element (IE) achieves the purpose that needs to be achieved in the registration process for AMF redirection provided in the embodiments of the present application.
  • Figure 2 is a schematic diagram of a registration process in which AMF redirection occurs.
  • the executive body includes UE, initial AMF, second AMF, first AMF, UDM, NSSF and NRF.
  • the registration process of the AMF redirection includes the following steps.
  • the UE sends a registration request (registration request, RR) message to the initial AMF, and the RR message carries the UE's 5G-GUTI or SUCI;
  • the UE involved in the embodiment of this application sends an RR message to the initial AMF, which means that the UE sends an RR message to the (R)AN, and the (R)AN sends the RR message to the initial AMF.
  • the (R)AN plays the role of transparent transmission. For brevity of description, it is directly described in the embodiments of this application and in the drawings as the UE sending an RR message to the initial AMF.
  • the UE should include the plaintext IE(s) in the RR message, and the plaintext IE(s) should not include the UE’s requested NSSAI;
  • NAS non-access stratum
  • if the UE has a NAS security context, the UE should include plaintext IE(s) and a NAS container in the RR message.
  • the NAS container includes a complete RR message, and the complete RR message includes the requested NSSAI of the UE.
  • the initial AMF requests the UE context from the second AMF. That is, the registration process shown in FIG. 2 also includes S2: the initial AMF invokes the sixth service operation of the second AMF. Specifically, after the initial AMF receives the RR message sent by the UE, the initial AMF determines the second AMF that served the UE last time according to the 5G-GUTI in the RR message, and calls the sixth service operation to the second AMF.
  • the service operation can be called Namf_Communication_UEContextTransfer, which is used to request the UE context from the second AMF; the UE context includes the UE's NAS security context, and the UE's NAS security context includes the AMF key established between the UE and the second AMF and the identifier corresponding to the AMF key.
  • the second AMF sends a sixth service operation response to the initial AMF, where the sixth service operation response includes the context of the UE.
  • the second AMF sends a sixth service operation response to the initial AMF after successfully authenticating the UE.
  • the second AMF authentication of the UE refers to verifying the integrity protection of the RR message.
  • the sixth service operation response may be called Namf_Communication_UEContextTransfer Response.
  • the sixth service operation response includes Kamf or Kamf', and the key identifier ngKSI corresponding to Kamf or Kamf'.
  • the verification of the integrity protection of a message involved in the embodiments of this application includes: the message receiver uses the agreed algorithm (and key) to calculate a message verification code over the received message, and then compares it with the message verification code carried in the received message.
  • the UE context included in the sixth service operation response includes the following security-related contexts:
  • the sixth service operation response includes Kamf and ngKSI.
  • the sixth service operation response includes Kamf
  • the second AMF directly carries the AMF key used between the UE and the second AMF in the sixth service operation response to notify the initial AMF.
  • the key identifier corresponding to Kamf mentioned above is denoted as ngKSI.
  • the key and the key identifier can be collectively referred to as key information.
  • the sixth service operation response message may also carry the ngKSI.
  • the sixth service operation response includes Kamf' and ngKSI.
  • the sixth service operation response includes Kamf'
  • the second AMF performs horizontal KAMF derivation based on the key Kamf used between the UE and the second AMF, and generates a new key, which is recorded as Kamf'.
  • the embodiments of this application do not limit how the second AMF obtains the aforementioned Kamf'; it may be the horizontal KAMF derivation specified in the existing protocol, or it may be obtained through other agreed derivation algorithms and parameters.
  • the Kamf' mentioned above is not repeated in this application.
  • the key identifier corresponding to Kamf' mentioned above is denoted as ngKSI.
  • the sixth service operation response message may also carry the ngKSI.
  • the sixth service operation response also includes a key derivation instruction, and the key derivation instruction is used to indicate that the key Kamf' included in the sixth service operation response is to perform key derivation via the second AMF.
  • the key deduction instruction can be called keyAMFHDerivationInd.
  • the sixth service operation response may also include the uplink NAS COUNT value and/or the downlink NAS COUNT value.
  • the sixth service operation response may also include the integrity protection and/or encryption algorithm.
  • the sixth service operation response may also include the UE's security capabilities.
  • the security capabilities of the UE include the integrity protection and/or encryption algorithms implemented on the UE.
  • the initial AMF initiates a primary authentication (primary authentication) process, and/or,
  • the primary authentication process is initiated initially, and/or,
  • the initial AMF decides according to the local policy that it needs to initiate the primary authentication process. That is, the registration process shown in FIG. 2 also includes S4: the initial AMF initiates the primary authentication process, and both the UE and the initial AMF obtain Kamf_new and its corresponding identifier ngKSI_new.
  • after the initial AMF initiates the primary authentication process, in order to make the AMF key on the UE side start to use the Kamf_new generated by the primary authentication, the initial AMF initiates a non-access stratum security mode command (NAS SMC) process, and/or,
  • NAS SMC non-access stratum security mode command message
  • the above-mentioned sixth service operation response includes keyAMFHDerivationInd, Kamf′ and ngKSI, and the initial AMF needs to initiate the above-mentioned NAS SMC process, and/or,
  • the above-mentioned sixth service operation response includes Kamf, or Kamf and ngKSI.
  • the initial AMF decides to use Kamf and ngKSI, but the initial AMF chooses a new security algorithm, and the initial AMF needs to initiate the above NAS SMC process.
  • the registration process shown in Figure 2 may also include S5: the initial AMF sends a non-access stratum security mode command (NAS SMC) message to the UE.
  • NAS SMC non-access stratum security mode command
  • in the following, NAS SMC message refers to the non-access stratum security mode command message; where NAS SMC refers instead to the non-access stratum security mode control procedure, this is stated explicitly.
  • the NAS SMC message carries an indication requesting a complete initial NAS message. Since this application mainly relates to the UE registration process, the indication requesting a complete initial NAS message refers to an indication requesting a complete registration request message. Unless otherwise stated below, the indication requesting a complete initial NAS message refers to the indication requesting a complete registration request message.
  • the UE sends a NAS security mode complete (non-access stratum security mode complete, NAS SMP) message to the initial AMF.
  • NAS security mode complete non-access stratum security mode complete, NAS SMP
  • according to the indication in the NAS SMC message requesting a complete initial NAS message, the UE carries the complete initial NAS message in the NAS security mode complete message.
  • the complete initial NAS message mainly refers to the complete registration request message.
  • the complete initial NAS message carries the aforementioned requested NSSAI.
  • if the initial AMF needs the UE's subscription information to decide whether to perform AMF redirection, and the second AMF did not provide the UE's slice selection subscription information, then the initial AMF needs to obtain the UE's slice selection subscription information from the UDM; as shown in Figure 2, the registration process then also includes S7: the initial AMF invokes the second service operation of the UDM.
  • the second service operation may be referred to as the Nudm_SDM_Get service operation, which is used to request the UE's slice selection subscription information from the UDM.
  • the UDM sends a second service operation response to the initial AMF.
  • the second service operation response includes the slice selection subscription information of the UE.
  • if the initial AMF needs to perform slice selection (for example, the initial AMF cannot serve some or all of the single network slice selection assistance information (S-NSSAI) in the requested NSSAI of the UE), then the initial AMF needs to obtain from the NSSF the information of the AMF that can serve the requested NSSAI of the UE.
  • slice selection for example, the initial AMF cannot serve some or all of the single network slice selection assistance information (single-NSSAI, S-NSSAI) in the requested NSSAI of the UE.
  • the registration process shown in Figure 2 may also include S9: the initial AMF calls the third service operation of the NSSF.
  • this third service operation may be called the Nnssf_NSSelection_Get service operation, which is used to request from the NSSF the information of the AMF that can serve the requested NSSAI.
  • the NSSF sends a third service operation response to the initial AMF.
  • the third service operation response includes the slice selection subscription information of the UE.
  • the initial AMF decides to retransmit the RR message to the first AMF. That is, the registration process shown in FIG. 2 also includes S11: the initial AMF invokes the fourth service operation of the second AMF. The fourth service operation indicates that the UE registration at the initial AMF failed.
  • the fourth service operation may be called Namf_Communication_RegistrationStatusUpdate, and the registration status of the UE carried in the fourth service operation is "NOT_TRANSFERRED".
  • if the initial AMF needs to obtain the address of the first AMF from the NRF, then, as shown in Figure 2, the registration process further includes S12: the initial AMF invokes the fifth service operation of the NRF.
  • the fifth service operation may be referred to as the Nnrf_NFDiscovery_Request service operation, which is used to obtain the address of the first AMF.
  • the NRF sends a fifth service operation response to the initial AMF, where the fifth service operation response includes the address of the first AMF.
  • if the initial AMF decides, based on the local policy and the subscription information of the UE, to forward the NAS message (i.e. the RR message) directly to the first AMF (i.e. direct NAS reroute), then the initial AMF needs to send the complete registration request message and the UE context to the first AMF.
  • NAS message i.e. RR message
  • first AMF i.e. direct NAS reroute
  • the registration process shown in FIG. 2 may also include S14: the initial AMF invokes the first service operation of the first AMF.
  • the first service operation may be called the Namf_Communication_N1MessageNotify service operation, which is used to send the complete registration request message to the first AMF.
  • the context of the UE includes the NAS security-related context of the UE.
  • the security-related context of the UE is referred to as the NAS security context of the UE in the following for short.
  • the initial AMF decides according to the local policy whether to perform horizontal KAMF derivation. If the initial AMF does not perform horizontal KAMF derivation according to the local policy, the initial AMF sends the current security context to the first AMF; if the initial AMF performs horizontal KAMF derivation according to the local policy, then the initial AMF generates a new KAMF, or a new security context, or a new NAS security context from the current KAMF, sends the new KAMF, or the new security context, or the new NAS security context to the first AMF, and sends a horizontal KAMF derivation indication to the first AMF.
  • this horizontal KAMF derivation indication can be called keyAmfHDerivationInd.
  • the initial AMF sends the current security context, or the new KAMF, or the new security context, or the horizontal KAMF derivation indication in the first service operation.
  • the current security context includes the current NAS security context.
  • the current NAS security context includes the current KAMF.
  • the initial AMF generates a new KAMF based on the current KAMF, which is also called deduced KAMF.
  • the initial AMF generates a new security context based on the current KAMF, which is also called a deduced security context.
  • the initial AMF generates a new NAS security context based on the current KAMF, also known as the deduced NAS security context, including the deduced KAMF.
  • the new security context generated by the initial AMF according to the current KAMF includes the new NAS security context generated by the initial AMF according to the current KAMF.
  • the horizontal KAMF deduction instruction is also called the KAMF level deduction instruction, which is used to instruct the generation of a new KAMF, or horizontal KAMF deduction.
  • as can be seen from the description of step S14 in FIG. 2 above, after the first AMF receives the first service operation, the first N1 message sent by the first AMF to the UE has the following possibilities:
  • if the first AMF decides to initiate primary authentication (for example, the first AMF does not receive the UE's NAS security context, or it receives the UE's NAS security context but decides not to use the received KAMF), the first AMF sends an authentication request message to the UE;
  • if the UE context is carried in the first service operation and the first AMF decides to use the received KAMF, but the first AMF selects a new encryption and/or integrity protection algorithm, or the first AMF has received a horizontal KAMF derivation indication, the first AMF sends a NAS SMC message to the UE;
  • if the first AMF decides to use the received key and the received encryption and/or integrity protection algorithm (the security algorithm used between the UE and the second AMF), the first AMF sends other N1 messages to the UE.
  • the authentication request message sent by the first AMF to the UE may be discarded by the UE.
  • after a new NAS security context is established between the initial AMF and the UE (or NAS SMC is successfully performed between them, or NAS security protection is activated between them, or they perform a secure exchange of NAS messages), the authentication request message sent by the first AMF to the UE may be discarded by the UE: because the UE and the initial AMF have established a new NAS security context through the NAS SMC process, the UE can only process N1 messages or NAS SMC messages protected by the new NAS security context.
  • if the first AMF decides to perform primary authentication, it sends an authentication request message to the UE, and the current protocol does not define that this message is to be protected.
  • the UE receives an authentication request message that is not protected and discards it, which eventually leads to registration failure.
  • "used to indicate" covers both direct indication and indirect indication.
  • the indication information may directly indicate A or indirectly indicate A, but this does not mean that A must be carried in the indication information.
  • the information indicated by the indication information is called the information to be indicated.
  • the information to be indicated can be indicated directly, for example by carrying the information to be indicated itself or an index of the information to be indicated.
  • the information to be indicated can also be indicated indirectly by indicating other information that has an association relationship with the information to be indicated. It is also possible to indicate only a part of the information to be indicated, while the other parts are known or agreed in advance. For example, specific information can also be indicated by means of a pre-arranged order (for example, stipulated in a protocol) of the various pieces of information, thereby reducing the indication overhead to a certain extent. The common parts of the pieces of information can also be identified and indicated uniformly, so as to reduce the indication overhead caused by indicating the same information separately.
  • the terms "first", "second" and the various numbers (for example, "#1", "#2", etc.) shown in this application are only for convenience of description and for distinguishing objects, and are not used to limit the scope of the embodiments of this application. For example, they distinguish the second AMF from the first AMF, and so on. They are not used to describe a specific order or sequence. It should be understood that the objects described in this way can be interchanged under appropriate circumstances, so as to describe solutions other than the embodiments of the present application.
  • "pre-defined" may include, for example, definition in a protocol.
  • "pre-defined" can be realized by pre-saving, in the devices (for example, the user equipment and the access network equipment), corresponding codes, tables or other means that can indicate the related information; the specific implementation is not limited in this application.
  • the "saving" involved in the embodiments of the present application may refer to storing in one or more memories.
  • the one or more memories may be provided separately, or may be integrated in an encoder or decoder, a processor, or a communication device.
  • the one or more memories may also be partly provided separately, and partly integrated in a decoder, a processor, or a communication device.
  • the type of the memory can be any form of storage medium, which is not limited in this application.
  • the "protocols" involved in the embodiments of this application may refer to standard protocols in the communications field, for example the LTE protocol, the new radio (NR) protocol, and related protocols applied to future communication systems; this application is not limited in this respect.
  • Kamf: the AMF key included in the NAS security context established between the UE and the second AMF;
  • Kamf′: the AMF key generated by key derivation from Kamf;
  • KAMF: an AMF key, which can refer to the aforementioned Kamf or Kamf′ or another AMF key.
  • this application provides a method for registration that causes the first AMF to send a protected authentication request message, thereby preventing the UE from discarding the authentication request message and improving the chance of successful registration.
  • the method for registration provided in the embodiments of the present application will be described in detail below with reference to the accompanying drawings.
  • the embodiments shown below do not specifically limit the structure of the entity that executes the method provided by the embodiments of the present application, as long as that entity can run a program recording the code of the method and communicate according to the method provided by the embodiments of the present application.
  • the entity that executes the method provided in the embodiments of the application may be the user equipment or the access network device, or a functional module in the user equipment or the access network device that can call and execute the program.
  • network equipment includes access network equipment and core network equipment.
  • Fig. 3 is a schematic flowchart of a method for registration provided in an embodiment of the present application.
  • the executive body includes UE, initial AMF, second AMF, first AMF, UDM, NSSF and NRF.
  • the method for registration includes some or all of the following steps.
  • S310 The UE sends an RR message to the initial AMF, which is similar to S1 in FIG. 2 and will not be repeated here.
  • the initial AMF requests the UE context from the second AMF.
  • the registration process shown in FIG. 3 may also include S320: the initial AMF invokes the sixth service operation of the second AMF, which is similar to S2 in FIG. 2 and will not be repeated here.
  • S330 The second AMF sends a sixth service operation response to the initial AMF, which is similar to S3 in FIG. 2 and will not be repeated here.
  • the registration process shown in FIG. 3 further includes S340: the initial AMF initiates the main authentication process, which is similar to S4 in FIG. 2 and will not be repeated here.
  • S350 The initial AMF sends a NAS SMC message to the UE, which is similar to S5 in FIG. 2 and will not be repeated here.
  • S360 The UE sends a NAS SMP message to the initial AMF, which is similar to S6 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes the second service operation of the UDM, which is similar to S7 in FIG. 2 and will not be repeated here.
  • the UDM sends a second service operation response to the initial AMF, which is similar to S8 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes the third service operation of the NSSF, which is similar to S9 in FIG. 2 and will not be repeated here.
  • S391 The NSSF sends a third service operation response to the initial AMF, which is similar to S10 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes the fourth service operation of the second AMF, which is similar to S11 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes the fifth service operation of the NRF, which is similar to S12 in FIG. 2 and will not be repeated here.
  • the NRF sends a fifth service operation response to the initial AMF, which is similar to S13 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes a first service operation of the first AMF, and the first service operation is used to indicate that an AMF redirection occurs.
  • the difference from the registration process shown in FIG. 2 is that in this embodiment, after the first AMF receives the above-mentioned first service operation, the first AMF protects the first message, or the first AMF does not perform primary authentication.
  • the first AMF protects the first message or the first AMF does not perform primary authentication includes the following two situations:
  • Case 1: The first AMF receives the first indication information.
  • the first indication information is used to instruct the first AMF to protect the first message.
  • the first AMF determines that the first message should be protected according to the first indication information.
  • the first indication information is used to instruct the first AMF to use the received KAMF, or to instruct the first AMF to use the received security context, or to instruct the first AMF not to perform primary authentication, or to instruct the first AMF to skip the primary authentication process and proceed to other processes in the registration.
  • the first AMF does not perform the main authentication, or the first AMF uses the received KAMF, or the first AMF skips the main authentication and performs other processes in the registration process.
  • the first AMF still uses the received NAS security context to protect the N1 message.
  • the first message is an authentication request message, or the first message is an N1 message, or the first message is an N1 message other than the NAS SMC message.
  • the method for registration provided in the embodiment of the present application is mainly intended to prevent the UE from discarding an unprotected authentication request message sent by the first AMF when AMF redirection occurs, which would cause the registration to fail. Therefore, the foregoing first message includes the authentication request message, and other messages may also fall within the scope of the first message; those other messages are not necessarily limited to N1 messages.
  • the first message involved in the embodiment of the present application includes an authentication request message, and it is understood that the first message may be an authentication request message.
  • the first indication information is carried in the foregoing first service operation. That is, an IE is newly added to the first service operation shown in FIG. 2, and the newly added IE is the above-mentioned first indication information;
  • the first indication information is carried in newly added signaling between the initial AMF and the first AMF, which is sent to the first AMF before the first AMF sends the above-mentioned first message.
  • the initial AMF determines that the first indication information needs to be sent to the first AMF. That is, the method flow shown in FIG. 3 further includes S396: the initial AMF determines to send the first indication information to the first AMF.
  • the initial AMF sends the first indication information to the first AMF.
  • the first AMF receives the first indication information.
  • the first preset condition is any one or more of the following conditions:
  • a secure exchange of NAS messages is carried out between the initial AMF and the UE; NAS SMC is successfully carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; the initial AMF performs horizontal KAMF derivation; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm different from the security algorithm selected by the second AMF; or the initial AMF uses a KAMF horizontally derived from the KAMF received from the second AMF.
  • if the initial AMF does not send the first indication information to the first AMF, the first AMF does not receive the first indication information.
  • in that case the first AMF decides whether to perform primary authentication according to the local policy, and if it decides to perform primary authentication, the first AMF either sends an unprotected authentication request message, or uses the received security context to protect the authentication request message and sends a protected authentication request message.
  • the first indication information may be used to indicate at least one of the following situations:
  • a secure exchange of NAS messages is carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; the NAS SMC process is successfully carried out between the initial AMF and the UE; the first AMF should use the received NAS security context to protect the first message; the first AMF does not perform the primary authentication process; the first AMF skips the primary authentication process and performs other processes in the registration; or the first AMF uses the received KAMF.
  • the context of the UE in the first service operation described above includes the NAS security context.
  • the NAS security context may be a NAS security context obtained after horizontal derivation.
  • the method flow shown in FIG. 3 further includes S397: the first AMF protects the first message according to the first indication information.
  • the protected first message is sent to the UE.
  • the method flow shown in FIG. 3 further includes S301: the first AMF sends the protected first message to the UE.
  • when the first indication information is used to instruct the first AMF to use the received KAMF, or not to perform the primary authentication process, or to skip the primary authentication process and perform other processes in the registration, the method flow shown in FIG. 3 may further include S302: the first AMF does not perform primary authentication according to the first indication information, which may also be described as the first AMF skipping primary authentication and performing other processes in the registration according to the first indication information, or the first AMF using the received KAMF.
  • the first AMF still uses the received NAS security context to protect the N1 message.
  • the first AMF protects the first message according to the first indication information, including any one of the following possibilities:
  • the first AMF uses the received NAS security context to protect the authentication request message; the first AMF uses the received KAMF and security algorithm to protect the authentication request message; or the first AMF calculates the NAS key from the received KAMF and the received security algorithm, and uses the calculated NAS key and the received algorithm to protect the authentication request message.
  • the first AMF uses the received NAS security context or KAMF to protect the N1 message.
  • when the first AMF decides to use the received KAMF according to the local policy, the first AMF uses the received NAS security context to protect the N1 message, or the first AMF uses the received NAS security context to protect the N1 messages other than the NAS SMC message;
  • the first AMF uses the received KAMF and security algorithm to protect the N1 message, or the first AMF uses the received KAMF and security algorithm to protect the N1 messages other than the NAS SMC message; or the first AMF calculates the NAS key from the received KAMF and the received security algorithm and uses the calculated NAS key and the received algorithm to protect the N1 message, or uses them to protect the N1 messages other than the NAS SMC message.
  • Case 2: After the first AMF receives the first service operation, the first AMF may also protect the first message.
  • the first AMF protects the first message according to the received first service operation.
  • the first AMF judges whether AMF redirection occurs according to the received first service operation, and if the redirection occurs, the first message is protected.
  • the first AMF uses the received KAMF according to receiving the first service operation, or does not perform the main authentication, or skips the main authentication to perform other processes in the registration process.
  • the first AMF still uses the received NAS security context to protect the N1 message.
  • the first AMF determines whether AMF redirection occurs according to the received first service operation. If an AMF redirection occurs, the first AMF uses the received KAMF, or does not perform the main authentication, or skips the main authentication to perform other processes in the registration process. In this implementation manner, the first AMF still uses the received NAS security context to protect the N1 message.
  • the first AMF determines that AMF redirection has occurred according to the registration context container information element (registrationCtxtContainer IE) carried in the first service operation, and/or the first AMF determines that AMF redirection has occurred because the type of the N1 message notified in the first service operation is 5GMM.
  • the method flow shown in FIG. 3 further includes S398: the first AMF protects the first message.
  • the protected first message is sent to the UE.
  • the method flow shown in FIG. 3 further includes S301: the first AMF sends the protected first message to the UE.
  • the method flow shown in FIG. 3 may further include S303: the first AMF does not perform primary authentication according to the first service operation, which may also be described as the first AMF skipping primary authentication and performing other processes in the registration according to the first service operation, or the first AMF using the received KAMF; and the first AMF still uses the received NAS security context to protect the N1 message.
  • the first AMF protects the first message, including any one of the following possibilities:
  • the first AMF uses the received KAMF to protect the authentication request message; the first AMF uses the received NAS security context to protect the authentication request message; the first AMF uses the received KAMF and security algorithm to protect the authentication request message; or the first AMF calculates the NAS key from the received KAMF and the received security algorithm, and uses the calculated NAS key and the received algorithm to protect the authentication request message.
  • the first AMF uses the received NAS security context or KAMF to protect the NAS SMC message or other N1 message it sends to the UE.
  • the first AMF uses the received NAS security context to protect the N1 message, or uses the received NAS security context to protect the N1 messages other than the NAS SMC message;
  • the first AMF uses the received KAMF and security algorithm to protect the N1 message, or uses the received KAMF and security algorithm to protect the N1 messages other than the NAS SMC message;
  • the first AMF calculates the NAS key from the received KAMF and the received security algorithm and uses the calculated NAS key and the received algorithm to protect the N1 message, or uses the calculated NAS key and the received algorithm to protect the N1 messages other than the NAS SMC message.
  • the first AMF determines that AMF redirection occurs, and then the first AMF protects the first message.
  • the method flow shown in FIG. 3 also includes S399: the first AMF judges that AMF redirection has occurred.
  • the first AMF may determine whether AMF redirection has occurred according to the IE(s) carried in the first service operation. For example, if the N1 message type carried in the first service operation includes 5GMM, it is determined that AMF redirection has occurred; or, if the first service operation carries a registration context container (Registration Context Container) type IE, it is determined that AMF redirection has occurred.
  • after determining that AMF redirection has occurred, the first AMF may skip the primary authentication process and perform other processes in the registration, or may not perform primary authentication, and the first AMF uses the received NAS security context to protect the first message, or the first AMF uses the received KAMF.
  • the method flow shown in FIG. 3 causes the first AMF to send the protected authentication request message, so as to prevent the UE from discarding the received unprotected authentication request message.
  • Fig. 4 is a schematic flowchart of another method for registration provided in an embodiment of the present application.
  • the executive body includes UE, (R)AN, initial AMF, second AMF, first AMF, UDM, NSSF and NRF.
  • the method for registration includes some or all of the following steps.
  • S410 The UE sends an RR message to the initial AMF, which is similar to S1 in FIG. 2 and will not be repeated here.
  • the initial AMF requests the UE context from the second AMF. That is, the registration process shown in FIG. 4 also includes S420: the initial AMF invokes the sixth service operation of the second AMF, which is similar to S2 in FIG. 2 and will not be repeated here.
  • S430 The second AMF sends a sixth service operation response to the initial AMF, which is similar to S3 in FIG. 2 and will not be repeated here.
  • the registration process shown in FIG. 4 further includes S440: the initial AMF initiates the main authentication process, which is similar to S4 in FIG. 2 and will not be repeated here.
  • the initial AMF sends a NAS SMC message to the UE, which is similar to S5 in FIG. 2 and will not be repeated here.
  • S460 The UE sends a NAS SMP message to the initial AMF, which is similar to S6 in FIG. 2 and will not be repeated here.
  • S470 The initial AMF invokes the second service operation of the UDM, which is similar to S7 in FIG. 2 and will not be repeated here.
  • the UDM sends a second service operation response to the initial AMF, which is similar to S8 in FIG. 2 and will not be repeated here.
  • the difference from the registration process shown in FIG. 2 is that, in the registration method shown in FIG. 4, the initial AMF determines to send second indication information to the UE, instructing the UE to accept the unprotected authentication request message.
  • the registration process shown in FIG. 4 further includes S481: the initial AMF sends second indication information to the UE.
  • the second indication information is used to instruct the UE to accept the unprotected authentication request message; it can also be understood as instructing the UE to process the unprotected authentication request message, or as instructing the UE not to discard the unprotected authentication request message.
  • the initial AMF determining to send the second indication information to the UE includes the initial AMF determining to do so based on a second preset condition, that is, the initial AMF determines to send the second indication information to the UE when at least one of the following second preset conditions is met:
  • the initial AMF decides to initiate AMF redirection;
  • the initial AMF decides to initiate AMF redirection through the RAN;
  • a secure exchange of NAS messages was carried out between the initial AMF and the UE before the AMF redirection;
  • NAS SMC was performed between the UE and the initial AMF before the AMF redirection; a security association was established between the UE and the initial AMF before the AMF redirection; security protection was activated between the UE and the initial AMF before the AMF redirection; a new NAS security context was established between the UE and the initial AMF before the AMF redirection;
  • primary authentication was performed between the UE and the initial AMF before the AMF redirection; the initial AMF selected a security algorithm different from the security algorithm selected by the second AMF before the AMF redirection; or, before the AMF redirection, the initial AMF used a KAMF horizontally derived from the KAMF received from the second AMF.
  • the second indication information can be added to the existing message, or it can be a new piece of signaling for transmission.
  • the initial AMF may send an N1 message to the UE, where the N1 message is used to instruct the UE to accept an unprotected authentication request message; for example, the initial AMF sending the second indication information may be the initial AMF sending to the UE an N1 message (for example, a configuration update command message, a NAS SMC message, a 5GMM status message, or a downlink NAS transport message, etc.) that carries the second indication information.
  • the method flow for registration shown in FIG. 4 should also include S490: the initial AMF invokes the third service operation of the NSSF, which is similar to S9 in FIG. 2 and will not be repeated here.
  • the NSSF sends a third service operation response to the initial AMF, which is similar to S10 in FIG. 2 and will not be repeated here.
  • S492 The initial AMF invokes the fourth service operation of the second AMF, which is similar to S11 in FIG. 2 and will not be repeated here.
  • the initial AMF calls the fifth service operation of the NRF, which is similar to S12 in FIG. 2 and will not be repeated here.
  • the NRF sends a fifth service operation response to the initial AMF, which is similar to S13 in FIG. 2 and will not be repeated here.
  • S495 The initial AMF invokes the first service operation of the first AMF, which is similar to S14 in FIG. 2 and will not be repeated here.
  • since the UE has received the above-mentioned second indication information in advance, after S495, when the UE receives the unprotected authentication request message sent by the first AMF, the UE does not discard the authentication request message.
  • the method flow for registration shown in FIG. 4 should also include S496: the UE receives the unprotected first message from the first AMF.
  • the first message includes the authentication request message, which avoids registration failure caused by the UE discarding the unprotected authentication request message.
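As an added example (not code from the patent or from 3GPP), the following Python model puts together the network-side behaviour of FIG. 3 (the first AMF protecting its first message in Case 1 and Case 2, with the NAS keys calculated from the received KAMF and security algorithm, and the horizontal KAMF derivation of S14) and the UE-side behaviour of FIG. 4 (the UE honouring the second indication instead of discarding an unprotected authentication request). Assumed rather than taken from the page: the KDF shape and FC/P0 values, recalled from 3GPP TS 33.501 Annex A and to be checked against the spec; a truncated HMAC-SHA256 standing in for the NIA integrity algorithms; and the dict keys and constructed sample payloads used to model the first service operation.

```python
"""Model of the AMF-reroute handling described for FIG. 3 and FIG. 4 (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample values, not real 5GMM encodings.
AUTH_REQUEST = b"\x7e\x00\x56constructed-authentication-request"
SECOND_INDICATION = b"ACCEPT_UNPROTECTED_AUTH_REQ"   # marker standing in for the FIG. 4 IE


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 B.2-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_nas_keys(kamf: bytes, enc_alg_id: int, int_alg_id: int):
    """NAS keys from KAMF (FC, P0 = algorithm type distinguisher 0x01 enc / 0x02 int,
    P1 = algorithm identity, assumed as in TS 33.501 A.8); each 128-bit NAS key is
    the low 128 bits of the 256-bit KDF output."""
    k_nas_enc = kdf(kamf, 0x69, bytes([0x01]), bytes([enc_alg_id]))[16:]
    k_nas_int = kdf(kamf, 0x69, bytes([0x02]), bytes([int_alg_id]))[16:]
    return k_nas_enc, k_nas_int


def horizontal_kamf_derivation(kamf: bytes, uplink_nas_count: int) -> bytes:
    """KAMF -> KAMF' for the horizontal derivation (FC/P0/P1 assumed as in A.13)."""
    return kdf(kamf, 0x72, bytes([0x01]), uplink_nas_count.to_bytes(4, "big"))


@dataclass
class NasSecurityContext:
    kamf: bytes
    enc_alg_id: int
    int_alg_id: int

    def _mac(self, msg: bytes) -> bytes:
        # Truncated HMAC stands in for the NIA MAC-I; real NAS uses NIA1/2/3.
        _, k_nas_int = derive_nas_keys(self.kamf, self.enc_alg_id, self.int_alg_id)
        return hmac.new(k_nas_int, msg, hashlib.sha256).digest()[:4]

    def protect(self, msg: bytes) -> bytes:
        return self._mac(msg) + msg

    def verify(self, pdu: bytes) -> bool:
        return len(pdu) > 4 and hmac.compare_digest(pdu[:4], self._mac(pdu[4:]))


def initial_amf_build_n1_notify(ctx: NasSecurityContext, do_horizontal: bool,
                                uplink_nas_count: int, first_indication: bool) -> dict:
    """Initial AMF side of S14: the UE context placed in the first service operation,
    with keyAmfHDerivationInd set when KAMF was horizontally derived (dict keys assumed)."""
    if do_horizontal:
        ctx = NasSecurityContext(horizontal_kamf_derivation(ctx.kamf, uplink_nas_count),
                                 ctx.enc_alg_id, ctx.int_alg_id)
    return {"registrationCtxtContainer": True, "n1MessageClass": "5GMM",
            "ueContext": ctx, "keyAmfHDerivationInd": do_horizontal,
            "firstIndication": first_indication}


def first_amf_handle_n1_notify(op: dict, fig3_behaviour: bool = True):
    """First AMF deciding how to send its first message, here an authentication
    request chosen by local policy. Returns (pdu, protected). With
    fig3_behaviour=False it behaves as in FIG. 2 and sends the request unprotected."""
    ctx = op.get("ueContext")
    indicated = bool(op.get("firstIndication"))                                   # Case 1
    redirected = bool(op.get("registrationCtxtContainer")) or op.get("n1MessageClass") == "5GMM"  # Case 2
    if fig3_behaviour and ctx is not None and (indicated or redirected):
        return ctx.protect(AUTH_REQUEST), True
    return AUTH_REQUEST, False


@dataclass
class UeNasState:
    ctx: Optional[NasSecurityContext] = None   # context activated by NAS SMC with the initial AMF
    accept_unprotected_auth_req: bool = False

    def on_protected_n1(self, pdu: bytes) -> bool:
        """FIG. 4: the second indication is honoured only when it arrives in an N1 message
        that verifies under the active context (an assumption added for this model)."""
        if self.ctx is None or not self.ctx.verify(pdu):
            return False
        if SECOND_INDICATION in pdu[4:]:
            self.accept_unprotected_auth_req = True
        return True

    def on_auth_request(self, pdu: bytes, protected: bool) -> bool:
        """True if the UE processes the authentication request, False if it discards it."""
        if self.ctx is None:
            return True                        # no context yet: ordinary initial authentication
        if protected:
            return self.ctx.verify(pdu)
        return self.accept_unprotected_auth_req
```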
  • FIG. 11 is a schematic flowchart of yet another method for registration provided in an embodiment of the present application.
  • the executive body includes UE, initial AMF, second AMF, first AMF, UDM, NSSF and NRF.
  • The method for registration includes some or all of the following steps.
  • S510: The UE sends an RR message to the initial AMF, which is similar to S1 in FIG. 2 and will not be repeated here.
  • The initial AMF requests the UE context from the second AMF.
  • The registration process shown in FIG. 11 may also include S520: the initial AMF invokes the sixth service operation of the second AMF, which is similar to S2 in FIG. 2 and will not be repeated here.
  • S530: The second AMF sends a sixth service operation response to the initial AMF, which is similar to S3 in FIG. 2 and will not be repeated here.
  • The registration process shown in FIG. 11 also includes S540: the initial AMF initiates the primary authentication process, which is similar to S4 in FIG. 2 and will not be repeated here.
  • S550: The initial AMF sends a NAS SMC message to the UE, which is similar to S5 in FIG. 2 and will not be repeated here.
  • S560: The UE sends a NAS SMP message to the initial AMF, which is similar to S6 in FIG. 2 and will not be repeated here.
  • S570: The initial AMF invokes the second service operation of the UDM, which is similar to S7 in FIG. 2 and will not be repeated here.
  • The UDM sends a second service operation response to the initial AMF, which is similar to S8 in FIG. 2 and will not be repeated here.
  • The initial AMF invokes the third service operation of the NSSF, which is similar to S9 in FIG. 2 and will not be repeated here.
  • The NSSF sends a third service operation response to the initial AMF, which is similar to S10 in FIG. 2 and will not be repeated here.
  • S592: The initial AMF invokes the fourth service operation of the second AMF, which is similar to S11 in FIG. 2 and will not be repeated here.
  • The initial AMF invokes the fifth service operation of the NRF, which is similar to S12 in FIG. 2 and will not be repeated here.
  • The NRF sends a fifth service operation response to the initial AMF, which is similar to S13 in FIG. 2 and will not be repeated here.
  • The initial AMF invokes a first service operation of the first AMF; the first service operation is used to notify the first AMF of the received N1 message.
  • Where the initial AMF has saved the complete registration request message and/or the context of the UE, the initial AMF sends the complete registration request message and/or the context of the UE to the first AMF through the first service operation.
  • The initial AMF decides whether to perform horizontal KAMF derivation; that is, the method flow shown in FIG. 11 also includes S596: the initial AMF decides whether to perform horizontal KAMF derivation.
  • If the initial AMF decides not to perform horizontal KAMF derivation, the initial AMF sends the current security context, including the current KAMF, to the first AMF;
  • If the initial AMF decides to perform horizontal KAMF derivation, the initial AMF generates a new KAMF, a new security context or a new NAS security context from the current KAMF, sends the new KAMF, new security context or new NAS security context to the first AMF, and sends a horizontal KAMF derivation indication to the first AMF.
  • This horizontal KAMF derivation indication may be called keyAmfHDerivationInd.
  • The initial AMF sends the UE's security context (the current security context, the new KAMF, the new security context or the horizontal KAMF derivation indication) to the first AMF through the first service operation, or the initial AMF sends the UE's security context (the current security context, the new KAMF, the new security context or the horizontal KAMF derivation indication) to the first AMF through a message other than the first service operation.
  • This application does not limit the specific way in which the initial AMF sends the UE's security context to the first AMF.
  • The initial AMF may decide whether to perform horizontal KAMF derivation in any of the following three ways:
  • Method 1: The initial AMF does not perform horizontal KAMF derivation, that is, the initial AMF sends the current security context to the first AMF;
  • Method 2: The initial AMF determines whether to perform horizontal KAMF derivation according to its local policy, that is, according to the local policy the initial AMF determines either to perform or not to perform horizontal KAMF derivation;
  • Method 3: The initial AMF judges whether to perform horizontal KAMF derivation according to the fourth preset condition. If the initial AMF judges that the fourth preset condition is satisfied, the initial AMF does not perform horizontal KAMF derivation, that is, the initial AMF sends the current security context to the first AMF; if the initial AMF determines that the fourth preset condition is not satisfied, the initial AMF determines whether to perform horizontal KAMF derivation according to the local policy, that is, according to the local policy the initial AMF determines either to perform or not to perform horizontal KAMF derivation.
  • The fourth preset condition is any one or more of the following conditions:
  • secure exchange of NAS messages is carried out between the initial AMF and the UE; NAS SMC is successfully carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm that is different from the security algorithm selected by the second AMF; the initial AMF uses a KAMF received from the second AMF that was generated by horizontal KAMF derivation; the initial AMF receives the horizontal KAMF derivation indication from the second AMF and decides to use the KAMF received from the second AMF;
  • The first AMF executes any one of the following options:
  • Option 1: The first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context.
  • That is, the method flow shown in FIG. 11 also includes S5951: the first AMF skips primary authentication, or the first AMF uses the received KAMF or security context.
  • The first AMF protects the third message based on the received KAMF or security context, and sends the third message to the UE.
  • That is, the method flow shown in FIG. 11 further includes S5952: the first AMF sends the third message to the UE.
  • Specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, and uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the third message.
  • The third message is any N1 message that does not include an authentication request.
  • That the first AMF does not perform primary authentication means that the first AMF uses the received KAMF or security context.
  • The first AMF protects the authentication request message, and/or the first AMF sends a security-protected authentication request message, and/or the first AMF sends a security-protected N1 message that includes the authentication request message.
  • That is, the method flow shown in FIG. 11 further includes S5953: the first AMF protects the authentication request message.
  • The N1 message here includes the authentication request message.
  • That the first AMF protects the authentication request message means that the first AMF protects the authentication request message based on the received KAMF or security context and sends a security-protected authentication request message. Specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the authentication request message, and sends the security-protected authentication request message.
  • That the first AMF sends a security-protected authentication request message means that the first AMF protects the authentication request message based on the received KAMF or security context and sends the security-protected authentication request message.
  • Specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the authentication request message, and sends the security-protected authentication request message.
  • That the first AMF sends a security-protected N1 message including the authentication request message means that the first AMF protects the N1 message based on the received KAMF or security context and sends the security-protected N1 message. Specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the N1 message, and sends the security-protected N1 message.
  • The N1 message here includes the authentication request message.
  • Option 3: The first AMF sends an authentication request message without security protection, or the first AMF initiates a NAS SMC.
  • That is, the method flow shown in FIG. 11 also includes S5955: the first AMF initiates the NAS SMC.
  • S5956: The first AMF sends an authentication request message without security protection to the UE.
  • Option 4: The first AMF does not perform primary authentication; or the first AMF protects the authentication request message; or the first AMF sends a security-protected N1 message that includes the authentication request message.
  • That is, the method flow shown in FIG. 11 further includes S5956: the first AMF protects the authentication request message, or the first AMF does not perform primary authentication.
  • S5957: The first AMF sends a security-protected authentication request message to the UE; this can also be understood as the first AMF sending a security-protected N1 message to the UE.
  • The N1 message here includes the authentication request message.
  • That the first AMF does not perform primary authentication means that the first AMF uses the received KAMF or security context, i.e. the first AMF skips primary authentication and performs the other procedures of the registration process.
  • The first AMF protects the third message based on the received KAMF or security context; specifically, the first AMF generates the NAS encryption/decryption key and the NAS integrity key from the received KAMF or security context, and uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the third message.
  • The third message is any N1 message that does not include an authentication request.
  • That the first AMF protects the authentication request message means that the first AMF protects the authentication request message based on the received KAMF or security context and sends a security-protected authentication request message.
  • Specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the authentication request message, and sends the security-protected authentication request message.
  • After the first AMF receives the above-mentioned first service operation, the first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context.
  • After the first AMF receives the above-mentioned first service operation, it determines whether AMF redirection or direct non-access stratum rerouting (also referred to as direct NAS reroute) has occurred. If AMF redirection or direct NAS reroute has occurred, the first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context. The first AMF determines that AMF redirection has occurred according to the registration context container information element (registrationCtxtContainer IE) carried in the first service operation, and/or the first AMF determines that AMF redirection has occurred because the type of the N1 message notified in the first service operation is 5GMM.
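  • The decision at the initial AMF (Method 3 with the fourth preset condition, above) and the Option 1 behaviour at the first AMF (detect the reroute, skip primary authentication, derive NAS keys from the received KAMF and protect the third message) can be followed end to end in a small simulation. The following Python is an added example written for this page; it is not code from the patent or from any 3GPP implementation. The generic KDF shape and the parameters used for horizontal KAMF derivation (FC 0x72, DIRECTION 0x01, uplink NAS COUNT) and NAS key derivation (FC 0x69, algorithm type distinguisher, algorithm identity, 128-bit truncation) follow my reading of TS 33.501 Annex A and are assumptions; the flag names, the payload field names other than keyAmfHDerivationInd and registrationCtxtContainer, the simplified NAS message layout, null ciphering, and HMAC-SHA256 truncated to 32 bits standing in for the NIA integrity algorithm are likewise assumptions.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Assumed 3GPP KDF shape: HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...),
    each Li being the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def horizontal_kamf_derivation(kamf: bytes, ul_nas_count: int) -> bytes:
    """KAMF' = KDF(KAMF, 0x72, DIRECTION=0x01, UL NAS COUNT); values assumed."""
    return kdf(kamf, 0x72, b"\x01", struct.pack(">I", ul_nas_count))


def nas_key(kamf: bytes, alg_type: int, alg_id: int) -> bytes:
    """NAS key = 128 least significant bits of KDF(KAMF, 0x69, type, alg id).
    alg_type 0x01 = NAS encryption algorithm, 0x02 = NAS integrity (assumed)."""
    return kdf(kamf, 0x69, bytes([alg_type]), bytes([alg_id]))[16:]


# Fourth preset condition: any one of these holding is sufficient (flag names
# are constructed after the conditions listed in the text above).
FOURTH_PRESET_CONDITION = (
    "nas_secure_exchange", "nas_smc_success", "security_association",
    "security_activated", "new_nas_security_context", "primary_auth_done",
    "algorithm_differs_from_second_amf", "using_hderived_kamf_from_second_amf",
    "hderiv_ind_from_second_amf_and_kamf_used",
)


@dataclass
class InitialAmf:
    kamf: bytes
    ul_nas_count: int
    flags: set = field(default_factory=set)  # conditions that currently hold
    policy_derive: bool = True               # local policy consulted by Method 3


def initial_amf_notify(amf: InitialAmf, registration_request: bytes) -> dict:
    """Method 3: no horizontal derivation when the fourth preset condition is
    met, otherwise the local policy decides. Returns the constructed payload
    of the first service operation (an N1MessageNotify-like dict)."""
    condition_met = any(f in amf.flags for f in FOURTH_PRESET_CONDITION)
    derive = (not condition_met) and amf.policy_derive
    ue_context = {"kamf": amf.kamf, "ulNasCount": amf.ul_nas_count}
    if derive:
        ue_context["kamf"] = horizontal_kamf_derivation(amf.kamf, amf.ul_nas_count)
        ue_context["keyAmfHDerivationInd"] = True
    return {"n1MessageClass": "5GMM",
            "n1MessageContainer": registration_request,
            "registrationCtxtContainer": {"ueContext": ue_context}}


def first_amf_reroute_detected(notify: dict) -> bool:
    """Redirection is recognised from the registrationCtxtContainer IE and the
    notified N1 message class being 5GMM."""
    return ("registrationCtxtContainer" in notify
            and notify.get("n1MessageClass") == "5GMM")


def protect_n1(kamf: bytes, nia_id: int, sqn: int, plaintext: bytes) -> bytes:
    """Integrity-protect an N1 message with K_NASint derived from KAMF.
    Simplified layout: header 0x01 || MAC(4) || SQN(1) || plaintext (NEA0)."""
    k_nas_int = nas_key(kamf, 0x02, nia_id)
    body = bytes([sqn & 0xFF]) + plaintext
    mac = hmac.new(k_nas_int, body, hashlib.sha256).digest()[:4]
    return b"\x01" + mac + body


def ue_verify_n1(kamf: bytes, nia_id: int, message: bytes) -> bool:
    """UE side: verification succeeds only with the same KAMF the AMF used."""
    if len(message) < 6 or message[0] != 0x01:
        return False
    k_nas_int = nas_key(kamf, 0x02, nia_id)
    expected = hmac.new(k_nas_int, message[5:], hashlib.sha256).digest()[:4]
    return hmac.compare_digest(expected, message[1:5])


def first_amf_handle(notify: dict, third_message: bytes, nia_id: int = 2):
    """Option 1 at the first AMF: after a detected reroute, skip primary
    authentication, use the received KAMF and protect the third message."""
    if not first_amf_reroute_detected(notify):
        return "normal_registration", None
    ctx = notify["registrationCtxtContainer"]["ueContext"]
    protected = protect_n1(ctx["kamf"], nia_id, ctx["ulNasCount"], third_message)
    return "skip_primary_authentication", protected
```

  • Running the simulation twice shows the point of the indication: when the initial AMF hands over the current KAMF, the UE verifies the first AMF's protected message directly; when the initial AMF performed horizontal derivation, the message only verifies after the UE performs the same derivation, which is why the first AMF is told about it through keyAmfHDerivationInd and, in the later options, falls back to NAS SMC or an unprotected authentication request.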
  • Option 1: If the first AMF receives the horizontal KAMF derivation indication sent by the initial AMF, the first AMF does not perform primary authentication according to the horizontal KAMF derivation indication, or uses the received KAMF or security context.
  • The first AMF can perform any one of the following operations:
  • Operation 1: The first AMF still does not perform primary authentication, or uses the received KAMF or security context;
  • Operation 2: If the first AMF performs primary authentication according to the local policy, the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message; if the first AMF does not perform primary authentication according to the local policy, the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message;
  • The first AMF shall protect the N1 message, including the authentication request message, based on the received KAMF or security context, and send the security-protected N1 message, including the security-protected authentication request message.
  • Option 1: If the first AMF receives the tenth indication information sent by the initial AMF, the first AMF does not perform primary authentication according to the tenth indication information, or uses the received KAMF or security context.
  • The tenth indication information is used to indicate that the first AMF does not perform primary authentication, or that the first AMF uses the received KAMF or security context.
  • The initial AMF determines to send the tenth indication information to the first AMF (that is, the method flow shown in FIG. 11 also includes S5961: the initial AMF determines to send the tenth indication information to the first AMF). Specifically, when the initial AMF determines that the tenth preset condition is satisfied, the initial AMF sends the tenth indication information to the first AMF. Correspondingly, the first AMF receives the tenth indication information.
  • The initial AMF uses the first service operation to send the tenth indication information to the first AMF.
  • The tenth preset condition is any one or more of the following conditions:
  • secure exchange of NAS messages is carried out between the initial AMF and the UE; NAS SMC is successfully carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; the initial AMF performs horizontal KAMF derivation; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm that is different from the security algorithm selected by the second AMF; the initial AMF uses a KAMF received from the second AMF that was generated by horizontal KAMF derivation; the initial AMF receives the horizontal KAMF derivation indication from the second AMF and decides to use the KAMF received from the second AMF.
  • The initial AMF does not send the tenth indication information to the first AMF, so the first AMF does not receive the tenth indication information. If the first AMF does not receive the tenth indication information, the first AMF may perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication, the first AMF should send an authentication request message without security protection, or the first AMF should protect the authentication request message based on the received KAMF or security context and send a security-protected authentication request message;
  • Operation 2: If the first AMF decides not to perform primary authentication, the first AMF sends an N1 message without security protection, or the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message;
  • Operation 3: The first AMF should send an N1 message without security protection, including an authentication request message.
  • Operation 4: The first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message, including the authentication request message.
  • The first AMF may also perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication and the first AMF has not received the horizontal KAMF derivation indication, the first AMF should send an authentication request message without security protection; or the first AMF should protect the authentication request message based on the received KAMF or security context and send a security-protected authentication request message;
  • Operation 2: If the first AMF receives a horizontal KAMF derivation indication, the first AMF should not perform primary authentication, or the first AMF should use the received KAMF or security context, or the first AMF should perform NAS SMC.
  • Operation 3: If the first AMF decides to perform primary authentication, the first AMF should send an authentication request message without security protection.
  • The first AMF may also perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication and the first AMF has not received the horizontal KAMF derivation indication, the first AMF shall protect the authentication request message based on the received KAMF or security context and send a security-protected authentication request message;
  • Operation 2: If the first AMF decides to perform primary authentication and the first AMF has received a horizontal KAMF derivation indication, the first AMF should send an authentication request message without security protection;
  • The tenth indication information can also be used to indicate any one or more of the following:
  • secure exchange of NAS messages is carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF;
  • the NAS SMC procedure is successfully carried out between the initial AMF and the UE; the initial AMF and the UE perform primary authentication; the initial AMF receives the horizontal KAMF derivation indication from the second AMF and decides to use the KAMF or security context received from the second AMF;
  • the initial AMF performs horizontal KAMF derivation; the initial AMF generates a new KAMF; the initial AMF selects a security algorithm that is different from the security algorithm selected by the second AMF; the first AMF does not perform the primary authentication process; the first AMF skips primary authentication and performs the other procedures of the registration process; the first AMF uses the received KAMF or security context.
  • The first AMF should protect the authentication request message according to the ninth indication information; specifically, the first AMF protects the authentication request message based on the received KAMF or security context and sends a security-protected authentication request message, or the first AMF should send a security-protected N1 message, including the authentication request message, according to the ninth indication information.
  • The ninth indication information is used to indicate that the first AMF protects the authentication request message.
  • The initial AMF determines to send the ninth indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5962: the initial AMF determines to send the ninth indication information to the first AMF). Specifically, when the initial AMF determines that the ninth preset condition is satisfied, the initial AMF sends the ninth indication information to the first AMF. Correspondingly, the first AMF receives the ninth indication information. Optionally, the initial AMF uses the first service operation to send the ninth indication information to the first AMF.
  • The ninth preset condition is any one or more of the following conditions:
  • secure exchange of NAS messages is carried out between the initial AMF and the UE; NAS SMC is successfully carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm that is different from the security algorithm selected by the second AMF; the initial AMF uses the secondary 2.
  • the initial AMF receives the horizontal KAMF derivation indication from the second AMF, and the initial AMF decides to use the KAMF received from the second AMF.
  • The initial AMF does not send the ninth indication information to the first AMF, so the first AMF does not receive the ninth indication information. If the first AMF does not receive the ninth indication information, the first AMF may perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication, the first AMF should send an authentication request message without security protection;
  • Operation 2: If the first AMF decides not to perform primary authentication, the first AMF sends an N1 message without security protection, or the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message;
  • Operation 3: The first AMF should send an N1 message without security protection, including an authentication request message.
  • Operation 4: If the first AMF decides to perform primary authentication and the first AMF has not received the horizontal KAMF derivation indication, the first AMF should send an authentication request message without security protection, or the first AMF should protect the authentication request message based on the received KAMF or security context and send a security-protected authentication request message.
  • Operation 5: If the first AMF decides to perform primary authentication and the first AMF has received a horizontal KAMF derivation indication, the first AMF should send an authentication request message without security protection.
  • The ninth indication information can also be used to indicate any one or more of the following:
  • the first AMF should protect the authentication request message; the first AMF should send a security-protected authentication request message; the first AMF should send a security-protected N1 message, including the authentication request message.
  • secure exchange of NAS messages is carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF;
  • the NAS SMC procedure is successfully carried out between the initial AMF and the UE; the initial AMF and the UE perform primary authentication; the initial AMF receives the horizontal KAMF derivation indication from the second AMF and decides to use the KAMF or security context received from the second AMF;
  • the initial AMF selects a security algorithm that is different from the security algorithm selected by the second AMF.
  • After the first AMF receives the above-mentioned first service operation, it determines whether AMF redirection or direct non-access stratum rerouting (also referred to as direct NAS reroute) has occurred. If AMF redirection or direct NAS reroute has occurred, then when the first AMF decides to perform primary authentication, the first AMF should protect the authentication request message; specifically, the first AMF protects the authentication request message based on the received KAMF or security context and sends a security-protected authentication request message, or the first AMF should send a security-protected N1 message, including the authentication request message.
  • The first AMF determines that AMF redirection has occurred according to the registration context container information element (registrationCtxtContainer IE) carried in the first service operation, and/or the first AMF determines that AMF redirection has occurred because the type of the N1 message notified in the first service operation is 5GMM.
  • The first AMF should protect the authentication request message, or the first AMF shall send the N1 message, including the authentication request message, with security protection.
  • That the first AMF should protect the authentication request message means that the first AMF protects the authentication request message based on the received KAMF or security context and sends the security-protected authentication request message;
  • That the first AMF should send the N1 message with security protection means that the first AMF protects the N1 message based on the received KAMF or security context and sends the security-protected N1 message.
  • Option 3: If the first AMF receives the eighth indication information sent by the initial AMF, then when the first AMF decides to perform primary authentication, the first AMF should send an authentication request message without security protection, or the first AMF should initiate the NAS SMC, according to the eighth indication information.
  • The eighth indication information is used to instruct the first AMF to send an authentication request message without security protection.
  • The eighth indication information may be a horizontal KAMF derivation indication.
  • The initial AMF determines to send the eighth indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5963: the initial AMF sends the eighth indication information to the first AMF). Specifically, when the initial AMF determines that the eighth preset condition is satisfied, the initial AMF sends the eighth indication information to the first AMF. Correspondingly, the first AMF receives the eighth indication information. Optionally, the initial AMF uses the first service operation to send the eighth indication information to the first AMF.
  • The eighth preset condition is any one or more of the following conditions: the initial AMF performs horizontal KAMF derivation, or the initial AMF generates a new KAMF.
  • The initial AMF does not send the eighth indication information to the first AMF, so the first AMF does not receive the eighth indication information. If the first AMF does not receive the eighth indication information, the first AMF may perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication, the first AMF should protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message.
  • Operation 2: If the first AMF decides not to perform primary authentication, the first AMF should protect the N1 message based on the received KAMF or security context and send the security-protected N1 message;
  • Operation 3: The first AMF should send the N1 message, including the authentication request message, protected based on the received KAMF or security context.
  • The eighth indication information can also be used to indicate any one or more of the following:
  • the initial AMF performs horizontal KAMF derivation; the initial AMF generates a new KAMF; the first AMF should send an authentication request message without security protection; the first AMF should initiate NAS SMC.
  • Option 4: If the first AMF receives a horizontal KAMF derivation indication, the first AMF shall not perform primary authentication, or the first AMF shall use the received KAMF or security context, or the first AMF shall initiate NAS SMC. Otherwise, if the first AMF does not receive the horizontal KAMF derivation indication but receives the seventh indication information, then:
  • the first AMF should send a security-protected authentication request message, or,
  • the first AMF should send the N1 message, including the authentication request message, with security protection.
  • The seventh indication information is used to instruct the first AMF to send an authentication request message with security protection, or to send an N1 message with security protection.
  • The initial AMF determines to send the seventh indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5964: the initial AMF determines to send the seventh indication information to the first AMF).
  • The initial AMF sends the seventh indication information to the first AMF.
  • The first AMF receives the seventh indication information.
  • The initial AMF uses the first service operation to send the seventh indication information to the first AMF.
  • The seventh preset condition is any one or more of the following conditions:
  • secure exchange of NAS messages is carried out between the initial AMF and the UE; NAS SMC is successfully carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm that is different from the security algorithm selected by the second AMF; the initial AMF uses the secondary 2.
  • The initial AMF does not send the seventh indication information to the first AMF, so the first AMF does not receive the seventh indication information. If the first AMF receives neither the seventh indication information nor the horizontal KAMF derivation indication, the first AMF can perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication, the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message, or the first AMF shall send the authentication request message without security protection.
  • Operation 2: If the first AMF decides not to perform primary authentication, the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message, or the first AMF shall send the N1 message without security protection.
  • Operation 3: The first AMF should send the N1 message, including the authentication request message, protected based on the received KAMF or security context.
  • Operation 4: The first AMF should send an N1 message without security protection, including an authentication request message.
  • The seventh indication information can also be used to indicate any one or more of the following:
  • secure exchange of NAS messages is carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF;
  • the NAS SMC procedure is successfully carried out between the initial AMF and the UE; the initial AMF and the UE perform primary authentication; the initial AMF receives the horizontal KAMF derivation indication from the second AMF and decides to use the KAMF or security context received from the second AMF;
  • the initial AMF selects a security algorithm that is different from the security algorithm selected by the second AMF; the first AMF should send a security-protected authentication request message; the first AMF should protect the authentication request message; the first AMF should send a security-protected N1 message, including the authentication request message.
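  • The precedence that Option 4 above gives the first AMF (horizontal KAMF derivation indication first, then the seventh indication information, then its own decision on primary authentication under Operations 1 to 4) can be written down as a policy function and enumerated over every combination of inputs. The following Python is an added example written for this page, not the patent's or any vendor's code; it encodes only Option 4 and its four operations as stated above, and the action names, the field name seventhInd, and the order in which one permitted action is chosen (protect when the text permits it, start NAS SMC after a horizontal derivation so the UE derives the same new KAMF) are my assumptions.

```python
from itertools import product

# Permitted behaviours, named after the wording of Option 4 and Operations 1-4.
SKIP_AUTH = "do_not_perform_primary_authentication"
USE_KAMF = "use_received_kamf_or_security_context"
NAS_SMC = "initiate_nas_smc"
AUTH_PROT = "send_protected_authentication_request"
AUTH_PLAIN = "send_unprotected_authentication_request"
N1_PROT = "send_protected_n1_message"
N1_PLAIN = "send_unprotected_n1_message"


def first_amf_options(h_deriv_ind: bool, seventh_ind: bool,
                      wants_primary_auth: bool) -> frozenset:
    """Set of behaviours Option 4 permits for the first AMF, given what it
    received through the first service operation and its own decision."""
    if h_deriv_ind:
        # Horizontal derivation indication takes precedence over everything.
        return frozenset({SKIP_AUTH, USE_KAMF, NAS_SMC})
    if seventh_ind:
        # Seventh indication: only security-protected messages are permitted.
        return frozenset({AUTH_PROT, N1_PROT})
    if wants_primary_auth:
        # Neither indication, Operations 1, 3 and 4.
        return frozenset({AUTH_PROT, AUTH_PLAIN, N1_PROT, N1_PLAIN})
    # Neither indication, Operations 2, 3 and 4.
    return frozenset({N1_PROT, N1_PLAIN})


def choose_action(received: dict, wants_primary_auth: bool) -> str:
    """Pick one permitted action from the received payload. keyAmfHDerivationInd
    is the name used in the text above; seventhInd is a constructed field."""
    opts = first_amf_options(bool(received.get("keyAmfHDerivationInd")),
                             bool(received.get("seventhInd")),
                             wants_primary_auth)
    if wants_primary_auth:
        order = (NAS_SMC, SKIP_AUTH, USE_KAMF, AUTH_PROT, AUTH_PLAIN, N1_PROT, N1_PLAIN)
    else:
        order = (NAS_SMC, SKIP_AUTH, USE_KAMF, N1_PROT, N1_PLAIN, AUTH_PROT, AUTH_PLAIN)
    return next(a for a in order if a in opts)


def decision_table() -> dict:
    """Enumerate all eight input combinations -> permitted behaviour set."""
    return {(h, s, w): first_amf_options(h, s, w)
            for h, s, w in product((False, True), repeat=3)}


def protected_auth_never_after_derivation() -> bool:
    """Invariant worth checking in a real implementation: once the initial AMF
    signalled a horizontal derivation, Option 4 never lets the first AMF send
    an authentication request protected with the new KAMF."""
    return all(AUTH_PROT not in opts and N1_PROT not in opts
               for (h, _, _), opts in decision_table().items() if h)
```

  • The invariant function is the part a reviewer of an AMF implementation would want to keep: a message protected with a freshly derived KAMF cannot be verified by a UE that has not yet been told to derive it, so the branch taken when keyAmfHDerivationInd is present must not lead to the protected-message operations.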
  • Option four: if the first AMF receives both the sixth indication information and the horizontal KAMF derivation indication, the first AMF should not perform the primary authentication, or the first AMF should use the received KAMF or security context. Otherwise, if the first AMF does not receive the horizontal KAMF derivation indication but does receive the sixth indication information, and the first AMF decides to initiate the primary authentication, then according to the sixth indication information the first AMF should send an authentication request message with security protection; or,
  • the first AMF should send an N1 message with security protection, the N1 message including the authentication request message.
  • the sixth indication information is used to instruct the first AMF to send an authentication request message with security protection.
  • the initial AMF determines to send the sixth indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5964: the initial AMF determines to send the sixth indication information to the first AMF).
  • the initial AMF sends the sixth indication information to the first AMF.
  • the first AMF receives the sixth indication information.
  • the initial AMF uses the first service operation to send the sixth indication information to the first AMF.
  • the sixth preset condition is any one or more of the following conditions:
  • the security exchange of NAS messages is carried out between the initial AMF and the UE; NAS SMC is successfully carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; the primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm that is different from the security algorithm selected by the second AMF; the initial AMF uses the secondary 2.
  • the initial AMF does not send the sixth indication information to the first AMF. Then the first AMF does not receive the sixth indication information. If the first AMF does not receive the sixth indication information, but receives the horizontal KAMF derivation instruction, the first AMF may perform any one of the following operations:
  • Operation 1 If the first AMF decides to perform the primary authentication, the first AMF should send an authentication request message without security protection.
  • Operation 2 If the first AMF decides not to perform the primary authentication, the first AMF shall protect the N1 message with the received KAMF or security context and send the N1 message with security protection, or the first AMF shall send the N1 message without security protection, or the first AMF initiates NAS SMC;
  • Operation 3 The first AMF should send an N1 message without security protection, including the authentication request message.
  • the first AMF may perform any one of the following operations:
  • Operation 1 If the first AMF decides to perform the primary authentication, the first AMF should send an authentication request message without security protection, or the first AMF should protect the authentication request message with the received KAMF or security context and send a security-protected authentication request message.
  • Operation 2 If the first AMF decides not to perform the primary authentication, the first AMF shall protect the N1 message with the received KAMF or security context and send the N1 message with security protection, or the first AMF shall send the N1 message without security protection;
  • Operation 3 The first AMF should send an N1 message without security protection, including the authentication request message.
  • Operation 4 The first AMF should send an N1 message with security protection, including the authentication request message.
  • the sixth indication information can also be used to indicate any one or more of the following:
  • the security exchange of NAS messages is carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF;
  • the NAS SMC procedure is successfully carried out between the initial AMF and the UE; the initial AMF and the UE perform the primary authentication; the initial AMF receives the horizontal KAMF derivation indication from the second AMF and decides to use the received KAMF or security context; the initial AMF decides to use the KAMF generated by the horizontal KAMF derivation received from the second AMF; the initial AMF selects a security algorithm that is different from the security algorithm selected by the second AMF; the first AMF should send an authentication request message with security protection; the first AMF should protect the authentication request message; the first AMF should send a protected N1 message including the authentication request message.
  • the method flow shown in FIG. 11 prevents the UE from discarding a received unprotected authentication request message by having the first AMF either skip the primary authentication or protect the authentication request message.
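The decision logic described above (option four and the operations of the first AMF), as an added example that is not part of the patent: a small model in which the UE, having completed NAS SMC with the initial AMF, discards any unprotected authentication request, and the first (target) AMF protects the request only when it holds the received KAMF and the sixth indication information. HMAC-SHA256 stands in for the NAS integrity algorithm and key derivation (an assumption, not the 3GPP KDF), and all keys and messages are constructed sample values.

```python
"""Model of the AMF redirection case: UE discard behaviour versus the first
AMF's protection decision. Added example, not the patent's own code."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

AUTH_REQUEST = b"AUTHENTICATION REQUEST"  # constructed NAS payload


def derive_nas_int_key(k_amf: bytes) -> bytes:
    """Stand-in NAS integrity key derivation from KAMF (assumption, not 3GPP)."""
    return hmac.new(k_amf, b"NAS-INT", hashlib.sha256).digest()


def nas_mac(key: bytes, count: int, payload: bytes) -> bytes:
    """32-bit MAC over the downlink NAS COUNT and the payload (stand-in)."""
    data = count.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:4]


@dataclass
class N1Message:
    payload: bytes
    count: int = 0
    mac: Optional[bytes] = None  # None means "without security protection"

    @property
    def protected(self) -> bool:
        return self.mac is not None


@dataclass
class UE:
    k_amf: Optional[bytes] = None  # set once NAS SMC with the initial AMF succeeds
    accepted: List[N1Message] = field(default_factory=list)
    discarded: List[N1Message] = field(default_factory=list)

    @property
    def security_activated(self) -> bool:
        return self.k_amf is not None

    def complete_nas_smc(self, k_amf: bytes) -> None:
        """Steps S540/S550/S560: NAS security context established with the initial AMF."""
        self.k_amf = k_amf

    def receive(self, msg: N1Message) -> bool:
        """Return True if the N1 message is accepted. Once security is activated,
        an unprotected or badly protected message is discarded."""
        if self.security_activated:
            if not msg.protected:
                self.discarded.append(msg)  # the failure mode the patent addresses
                return False
            expected = nas_mac(derive_nas_int_key(self.k_amf), msg.count, msg.payload)
            if not hmac.compare_digest(expected, msg.mac):
                self.discarded.append(msg)
                return False
        self.accepted.append(msg)
        return True


@dataclass
class FirstAMF:
    """Target AMF selected during AMF redirection."""
    k_amf: Optional[bytes] = None       # KAMF / security context from the initial AMF
    sixth_indication: bool = False      # "protect the authentication request message"
    horizontal_kamf_indication: bool = False
    dl_count: int = 0

    def decide(self) -> str:
        """Decision table of 'option four' and the operations above."""
        if self.sixth_indication and self.horizontal_kamf_indication:
            return "skip primary authentication and use received KAMF"
        if self.sixth_indication:
            return "send protected authentication request"
        if self.horizontal_kamf_indication:
            return "send unprotected authentication request"
        return "any of operations 1-4"

    def build_auth_request(self) -> N1Message:
        """Protect the authentication request only when indicated and keyed."""
        if self.k_amf is None or not self.sixth_indication:
            return N1Message(AUTH_REQUEST)
        key = derive_nas_int_key(self.k_amf)
        msg = N1Message(AUTH_REQUEST, self.dl_count,
                        nas_mac(key, self.dl_count, AUTH_REQUEST))
        self.dl_count += 1
        return msg


def run_redirection(send_sixth_indication: bool) -> bool:
    """Simulate one redirection; True means the UE accepted the request."""
    k_amf = hashlib.sha256(b"constructed KAMF after NAS SMC").digest()
    ue = UE()
    ue.complete_nas_smc(k_amf)
    target = FirstAMF(k_amf=k_amf, sixth_indication=send_sixth_indication)
    return ue.receive(target.build_auth_request())


if __name__ == "__main__":
    print("without sixth indication:", run_redirection(False))  # False
    print("with sixth indication:   ", run_redirection(True))   # True
```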
  • the sequence numbers of the foregoing processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of this application.
  • FIG. 5 is a schematic diagram of the device 10 for registration proposed in the present application.
  • the device 10 includes a receiving unit 110 and a processing unit 120.
  • the receiving unit 110 is configured to receive the protected first message from the first AMF;
  • the processing unit 120 is configured to process the protected first message, where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following messages:
  • the device 10 for registration receiving and processing the protected first message can also be described as the device 10 for registration accepting the protected first message.
  • the apparatus 10 completely corresponds to the user equipment in the method embodiment, and the apparatus 10 may be the user equipment in the method embodiment, or a chip or functional module inside the user equipment in the method embodiment.
  • the corresponding units of the apparatus 10 are used to execute the corresponding steps executed by the user equipment in the method embodiments shown in FIG. 3, FIG. 4, and FIG. 11.
  • the receiving unit 110 in the apparatus 10 executes the receiving steps of the user equipment in the method embodiment. For example, it performs step S350 of receiving the NAS security mode command message sent by the initial AMF in FIG. 3, step S301 of receiving the protected first message sent by the first AMF in FIG. 3, step S450 of receiving the NAS security mode command message sent by the initial AMF in FIG. 4, step S496 of receiving the unprotected first message sent by the first AMF in FIG. 4, step S481 of receiving the second indication information sent by the initial AMF in FIG. 4, step S550 of receiving the NAS security mode command message sent by the initial AMF in FIG. 11, step S5952 of receiving the third message sent by the first AMF in FIG. 11, steps S5954 and S5957 of receiving the authentication request message with security protection sent by the first AMF in FIG. 11, and step S5956 of receiving the authentication request message without security protection sent by the first AMF in FIG. 11.
  • the processing unit 120 in the device 10 executes the steps implemented or processed inside the user equipment in the method embodiment. For example, step S340 of performing primary authentication with the initial AMF in FIG. 3, step S440 of performing primary authentication with the initial AMF in FIG. 4, and step S540 of performing primary authentication with the initial AMF in FIG. 11 are executed.
  • the device 10 for registration may also include a sending unit (not shown in FIG. 5), and the sending unit is used to perform the function of sending messages to other devices. For example, it executes step S310 of sending an RR message to the initial AMF in FIG. 3, step S360 of sending a NAS security mode complete message to the initial AMF in FIG. 3, step S410 of sending an RR message to the initial AMF in FIG. 4, and step S460 of sending a NAS security mode complete message to the initial AMF in FIG. 4.
  • the receiving unit 110 and the sending unit may constitute a transceiver unit, and have the functions of receiving and sending at the same time.
  • the processing unit 120 may be a processor.
  • the sending unit may be a receiver.
  • the receiving unit 110 may be a transmitter. The receiver and transmitter can be integrated to form a transceiver.
  • FIG. 6 is a schematic structural diagram of a user equipment 20 applicable to an embodiment of the present application.
  • the user equipment 20 can be applied to the system shown in FIG. 1.
  • FIG. 6 only shows the main components of the user equipment.
  • the user equipment 20 includes a processor, a memory, a control circuit, an antenna, and an input and output device.
  • the processor is used to control the antenna and the input and output devices to send and receive signals.
  • the memory is used to store a computer program.
  • the processor is used to call and run the computer program from the memory to execute the corresponding process and/or operation performed by the user equipment in the method for registration proposed in this application, which is not repeated here.
  • FIG. 6 only shows a memory and a processor. In actual user equipment, there may be multiple processors and memories.
  • the memory may also be referred to as a storage medium or a storage device, etc., which is not limited in the embodiment of the present application.
  • FIG. 7 is a schematic diagram of the device 30 for registration proposed in the present application.
  • the device 30 includes a processing unit 310 and a sending unit 320.
  • the processing unit 310 is configured to determine to send first indication information to the first AMF, where the first indication information is used to instruct the first AMF to protect the first message;
  • the sending unit 320 is configured to send the first indication information to the first AMF, where the first AMF is the target AMF selected to serve the UE when performing AMF redirection, and the first message is one of the following messages:
  • the device 30 completely corresponds to the initial AMF in the method embodiment, and the device 30 may be the initial AMF in the method embodiment, or a chip or functional module inside the initial AMF in the method embodiment.
  • the corresponding units of the device 30 are used to execute the corresponding steps performed by the initial AMF in the method embodiments shown in FIG. 3, FIG. 4, and FIG. 11.
  • the processing unit 310 in the device 30 executes the internal implementation or processing steps of the initial AMF in the method embodiment. For example, it performs step S396 in FIG. 3 of determining whether to send the first indication information to the first AMF, step S596 in FIG. 11 of determining whether to perform horizontal KAMF derivation, step S5961 in FIG. 11 of determining whether to send the tenth indication information to the first AMF, step S5962 in FIG. 11 of determining to send the ninth indication information to the first AMF, step S5963 in FIG. 11 of determining to send the eighth indication information to the first AMF, and step S5964 in FIG. 11 of determining to send the sixth or seventh indication information to the first AMF.
  • the sending unit 320 in the device 30 executes the sending steps of the initial AMF in the method embodiment. For example, it performs step S320 of sending a sixth service operation to the second AMF in FIG. 3, step S350 of sending a NAS security mode command message to the UE in FIG. 3, step S370 of sending a second service operation to the UDM in FIG. 3, step S390 of sending the third service operation to the NSSF in FIG. 3, step S392 of sending the fourth service operation to the second AMF in FIG. 3, step S393 of sending the fifth service operation to the NRF in FIG. 3, step S493 of sending the fifth service operation in FIG. 4, step S495 of sending the first service operation to the first AMF in FIG. 4, step S481 of sending the second indication information to the UE in FIG. 4, step S592 of sending the fourth service operation to the second AMF in FIG. 11, step S593 of sending the fifth service operation to the NRF in FIG. 11, and step S595 of sending the first service operation to the first AMF in FIG. 11.
  • the device 30 for registration may also include a receiving unit (not shown in FIG. 7), and the receiving unit is used to perform the function of receiving messages sent by other devices. For example, it performs step S310 of receiving the RR message sent by the UE in FIG. 3, step S360 of receiving the NAS security mode complete message sent by the UE in FIG. 3, step S330 of receiving the sixth service operation response sent by the second AMF in FIG. 3, step S380 of receiving the second service operation response sent by the UDM in FIG. 3, step S391 of receiving the third service operation response sent by the NSSF in FIG. 3, step S394 of receiving the fifth service operation response sent by the NRF in FIG. 3, step S410 of receiving the RR message sent by the UE in FIG. 4, step S430 in FIG. 4, step S480 of receiving the second service operation response sent by the UDM in FIG. 4, step S491 of receiving the third service operation response sent by the NSSF in FIG. 4, step S494 of receiving the fifth service operation response sent by the NRF in FIG. 4, step S510 of receiving the RR message sent by the UE in FIG. 11, step S560 of receiving the NAS security mode complete message sent by the UE in FIG. 11, step S530 of receiving the sixth service operation response sent by the second AMF in FIG. 11, step S580 of receiving the second service operation response sent by the UDM in FIG. 11, step S591 of receiving the third service operation response sent by the NSSF in FIG. 11, and step S594 of receiving the fifth service operation response sent by the NRF in FIG. 11.
  • the receiving unit and the sending unit 320 may constitute a transceiver unit, and have the functions of receiving and sending at the same time.
  • the processing unit 310 may be a processor.
  • the sending unit 320 may be a receiver.
  • the receiving unit may be a transmitter.
  • the receiver and transmitter can be integrated to form a transceiver.
  • the embodiment of the present application also provides an initial AMF 40.
  • the initial AMF 40 includes a processor 410, a memory 420, and a transceiver 430.
  • the memory 420 stores instructions or programs, and the processor 410 is configured to execute the instructions or programs stored in the memory 420.
  • the transceiver 430 is used to execute the operations performed by the sending unit 320 in the apparatus 30 shown in FIG. 7.
  • the device 50 includes a receiving unit 510, a processing unit 520, and a sending unit 530.
  • the receiving unit 510 is configured to receive the first indication information from the initial AMF
  • the processing unit 520 is configured to protect the first message according to the first indication information
  • the sending unit 530 is configured to send the protected first message to the user equipment UE, where the device for registration is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following messages:
  • the device 50 completely corresponds to the first AMF in the method embodiment, and the device 50 may be the first AMF in the method embodiment, or a chip or functional module inside the first AMF in the method embodiment.
  • the corresponding units of the device 50 are used to execute the corresponding steps performed by the first AMF in the method embodiments shown in FIG. 3, FIG. 4, and FIG. 11.
  • the receiving unit 510 in the device 50 performs the first AMF receiving step in the method embodiment. For example, step S395 of receiving the first service operation sent by the initial AMF in FIG. 3 and step S495 of receiving the first service operation sent by the initial AMF in FIG. 4 are executed.
  • the processing unit 520 executes the steps implemented or processed internally by the first AMF in the method embodiment. For example, it executes step S399 in FIG. 3 of determining that AMF redirection has occurred, step S398 in FIG. 3 of protecting the first message, step S302 in FIG. 3 of not performing the primary authentication according to the first indication information, step S303 in FIG. 3 of not performing the primary authentication according to the first service operation, step S5951 in FIG. 11 of skipping the primary authentication, step S5953 in FIG. 11 of protecting the authentication request message, step S5955 in FIG. 11 of initiating the primary authentication, and step S5956 in FIG. 11 of skipping the primary authentication or protecting the authentication request message.
  • the sending unit 530 executes the sending steps of the first AMF in the method embodiment. For example, it executes step S301 of sending a protected first message to the UE in FIG. 3, step S496 of sending an unprotected first message to the UE in FIG. 4, step S5952 of sending a third message to the UE in FIG. 11, steps S5954 and S5957 of sending an authentication request message with security protection to the UE in FIG. 11, and step S5956 of sending an authentication request message without security protection to the UE in FIG. 11.
  • the receiving unit 510 and the sending unit 530 may constitute a transceiver unit, and have the functions of receiving and sending at the same time.
  • the processing unit 520 may be a processor.
  • the transmitting unit 530 may be a receiver.
  • the receiving unit 510 may be a transmitter. The receiver and transmitter can be integrated to form a transceiver.
  • an embodiment of the present application also provides a first AMF 60.
  • the first AMF 60 includes a processor 610, a memory 620, and a transceiver 630.
  • the memory 620 stores instructions or programs, and the processor 610 is used to execute the instructions or programs stored in the memory 620.
  • the transceiver 630 is used to execute the operations performed by the receiving unit 510 and the sending unit 530 in the apparatus 50 shown in FIG. 9.
  • An embodiment of the present application also provides a communication system, which includes the aforementioned initial AMF, the first AMF, and one or more user equipments.
  • the present application also provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the steps performed by the initial AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11 above.
  • the present application also provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the steps performed by the first AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11 above.
  • the present application also provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the steps performed by the user equipment in the methods shown in FIG. 3, FIG. 4, and FIG. 11 above.
  • This application also provides a computer program product containing instructions; when the computer program product runs on a computer, the computer executes the steps performed by the initial AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
  • This application also provides a computer program product containing instructions; when the computer program product runs on a computer, the computer executes the steps performed by the first AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
  • This application also provides a computer program product containing instructions; when the computer program product runs on a computer, the computer executes the steps performed by the user equipment in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
  • the application also provides a chip including a processor.
  • the processor is used to read and run the computer program stored in the memory to execute the corresponding operation and/or process executed by the user equipment in the method for registration provided in this application.
  • the chip further includes a memory, the memory is connected to the processor through a circuit or a wire, and the processor is used to read and execute the computer program in the memory.
  • the chip further includes a communication interface, and the processor is connected to the communication interface.
  • the communication interface is used to receive data and/or information that needs to be processed, and the processor obtains the data and/or information from the communication interface, and processes the data and/or information.
  • the communication interface can be an input and output interface.
  • the application also provides a chip including a processor.
  • the processor is used to call and run a computer program stored in the memory to execute the corresponding operation and/or process performed by the initial AMF in the method for registration provided in this application.
  • the chip further includes a memory, the memory is connected to the processor through a circuit or a wire, and the processor is used to read and execute the computer program in the memory.
  • the chip further includes a communication interface, and the processor is connected to the communication interface.
  • the communication interface is used to receive data and/or information that needs to be processed, and the processor obtains the data and/or information from the communication interface, and processes the data and/or information.
  • the communication interface can be an input and output interface.
  • the application also provides a chip including a processor.
  • the processor is used to call and run the computer program stored in the memory to execute the corresponding operation and/or process performed by the first AMF in the method for registration provided in this application.
  • the chip further includes a memory, the memory is connected to the processor through a circuit or a wire, and the processor is used to read and execute the computer program in the memory.
  • the chip further includes a communication interface, and the processor is connected to the communication interface.
  • the communication interface is used to receive data and/or information that needs to be processed, and the processor obtains the data and/or information from the communication interface, and processes the data and/or information.
  • the communication interface can be an input and output interface.
  • the disclosed system, device, and method may be implemented in other ways.
  • the device embodiments described above are merely illustrative; for example, the division of the units is only a logical function division, and there may be other divisions in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the existing technology, or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned storage media include: USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks and other media that can store program code.
  • the term "and/or" in this application merely describes an association relationship between associated objects, meaning that three relationships may exist; for example, "A and/or B" can mean that A exists alone, that both A and B exist, or that B exists alone.
  • the character "/" in this document generally means that the associated objects before and after it are in an "or" relationship; the term "at least one" in this application can mean "one" or "two or more". For example, "at least one of A, B and C" can mean: A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B and C together, that is, seven situations.

Abstract

Provided in the embodiments of the present application are a method and device for use in registration. The method for use in registration is applicable in a scenario where an access and mobility management function (AMF) redirection has taken place. The method comprises: a first AMF selected during an AMF redirection to serve a UE determines to protect a first message and transmits the protected first message to the UE, the first message comprising an authentication request message. The user equipment is thus prevented from discarding the authentication request message, and the probability of a successful registration of the user equipment is increased.

Description

Method and device for registration
This application claims priority to the Chinese patent applications filed with the China National Intellectual Property Administration on September 29, 2019 and November 8, 2019, with application numbers 201910932460.0 and 201911089396.0 and the title "Method and device for registration", the entire contents of which are incorporated into this application by reference.
Technical field
This application relates to the field of communications, and more specifically to a method and device for registration.
Background
The 5th generation (5G) communication protocol defines a procedure in which access and mobility management function (AMF) redirection occurs during the registration procedure of a user equipment. In this registration procedure, the user equipment first sends a registration request message carrying its 5G globally unique temporary user equipment identity (5G-GUTI) or subscriber concealed identifier (SUCI) to the (radio) access network ((R)AN). Next, after receiving the registration request message from the user equipment, the (R)AN selects an initial AMF and sends the registration request message to it; the initial AMF finds, according to the 5G-GUTI, the second AMF (old AMF) that last served the user equipment and obtains the user equipment's context from the second AMF, which includes the user equipment's NAS security context. Finally, based on certain trigger conditions, the initial AMF initiates AMF redirection to a first AMF (target AMF), and the first AMF can obtain the user equipment's context from the initial AMF.
In one AMF redirection procedure specified by the current protocol, the initial AMF may forward the complete registration request message directly to the first AMF. In this case, if the first AMF sends an authentication request message to the user equipment, the user equipment may discard the authentication request message, causing the registration of the user equipment to fail.
Summary of the invention
This application provides a method and device for registration. The method for registration applies to a scenario in which AMF redirection occurs: when the first AMF receives, from the initial AMF, first indication information instructing it to protect the authentication request message, it sends a protected authentication request message to the user equipment, which prevents the user equipment from discarding the authentication request message and increases the probability that the user equipment registers successfully.
In a first aspect, a method for registration is provided, including: a first access and mobility management function (AMF) receives first indication information from an initial AMF; the first AMF protects a first message according to the first indication information; the first AMF sends the protected first message to a user equipment (UE), where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following messages: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC) message. Alternatively,
the first access and mobility management function (AMF) receives first indication information from the initial AMF; according to the first indication information, the first AMF does not perform the primary authentication, or skips the primary authentication procedure and proceeds with the other procedures of the registration flow, or uses the received KAMF. The first AMF protects the N1 message with the received NAS security context or KAMF.
In the method for registration provided in the embodiments of this application, the initial AMF sends first indication information to the first AMF so that the first AMF sends a protected authentication request message to the UE, which prevents the user equipment from discarding the authentication request message and increases the probability of successful registration. Alternatively, in the method for registration provided in the embodiments of this application, the initial AMF sends first indication information instructing the first AMF not to perform the primary authentication procedure, so that the first AMF sends a protected N1 message to the UE.
The "protected first message" referred to in the embodiments of this application is a first message with integrity protection, or a first message with both integrity and confidentiality protection: when the first message is a NAS SMC message, the protected first message is a first message with integrity protection; when the first message is an N1 message other than the NAS SMC message, the protected first message is a first message with integrity and confidentiality protection. For ease of description it is simply referred to below as the protected first message.
With reference to the first aspect, in some implementations of the first aspect, the first AMF receiving the first indication information from the initial AMF includes: the first AMF receives a first service operation from the initial AMF, where the first service operation includes the first indication information.
本申请实施例提供的用于注册的方法,初始AMF向第一AMF发送第一指示信息可以是通过向第一AMF发送第一服务操作,并在第一服务操作中携带该第一指示信息。作为一种可能的实现方式,第一服务操作为Namf_Communication_N1MessageNotify服务操作。In the method for registration provided in the embodiment of the present application, the initial AMF sending the first indication information to the first AMF may be by sending the first service operation to the first AMF, and carrying the first indication information in the first service operation. As a possible implementation, the first service operation is the Namf_Communication_N1MessageNotify service operation.
应理解,本申请中并不限定第一指示信息一定是携带在第一服务操作中的,为初始AMF向第一AMF发送第一指示信息提供灵活可选的方案。It should be understood that this application does not limit that the first indication information must be carried in the first service operation, and it provides a flexible and optional solution for the initial AMF to send the first indication information to the first AMF.
当上述的第一指示信息携带在现有的初始AMF和第一AMF的信令中时,从信令开销的角度来看可以节省信令的开销。When the foregoing first indication information is carried in the existing initial AMF and first AMF signaling, the signaling overhead can be saved from the perspective of signaling overhead.
结合第一方面,在第一方面的某些实现方式中,该第一服务操作中还包括非接入层NAS安全上下文;该第一AMF对第一消息进行保护包括:该第一AMF使用该NAS安全上下文对该第一消息进行保护。With reference to the first aspect, in some implementations of the first aspect, the first service operation further includes a non-access stratum NAS security context; the protection of the first message by the first AMF includes: the first AMF uses the The NAS security context protects the first message.
本申请实施例提供的用于注册的方法,初始AMF向第一AMF发送的第一服务操作中还可以包括NAS安全上下文,使得第一AMF可以使用接收到的NAS安全上下文保护第一消息,为第一AMF保护第一消息提供可行的方案。In the method for registration provided in the embodiments of the present application, the first service operation sent by the initial AMF to the first AMF may also include the NAS security context, so that the first AMF can use the received NAS security context to protect the first message, which is The first AMF protects the first message and provides a feasible solution.
结合第一方面,在第一方面的某些实现方式中,该第一指示信息用于指示以下情况中的至少一种:该UE和该初始AMF之间进行了NAS消息的安全交互、该第一AMF应使用接收到的NAS安全上下文保护该第一消息、该UE和该初始AMF之间建立了安全上下文、该UE和该初始AMF之间建立了安全关联、该UE和该初始AMF之间激活了安全保护、该UE和该初始AMF之间成功了进行了NAS SMC、该第一AMF应使用接收到的KAMF、第一AMF不进行主认证流程、第一AMF跳过主认证流程进行注册中的其他流程、或第一AMF应使用接收到的KAMF。With reference to the first aspect, in some implementations of the first aspect, the first indication information is used to indicate at least one of the following situations: the UE and the initial AMF perform NAS message security interaction, the first An AMF should use the received NAS security context to protect the first message, a security context is established between the UE and the initial AMF, a security association is established between the UE and the initial AMF, and a security association is established between the UE and the initial AMF. Security protection is activated, NAS SMC has been successfully performed between the UE and the initial AMF, the first AMF should use the received KAMF, the first AMF does not perform the main authentication process, and the first AMF skips the main authentication process to register Other processes in the AMF or the first AMF should use the received KAMF.
本申请实施例提供的用于注册的方法,第一指示信息指示第一AMF保护第一消息可以用于指示UE和该初始AMF之间进行了NAS消息的安全交互,和/或,第一消息可以用于第一AMF使用接收到的NAS安全上下文保护第一消息,为第一指示信息的具体指示形式提供灵活可选的方案。或者,In the method for registration provided in the embodiments of the present application, the first indication information indicates that the first AMF protects the first message. The first message may be used to indicate that the UE and the initial AMF have performed NAS message security interaction, and/or the first message It can be used for the first AMF to use the received NAS security context to protect the first message, and provide a flexible and optional solution for the specific indication form of the first indication information. or,
第一指示信息指示第一AMF不进行主认证也可以通过不同的指示方式。The first indication information indicates that the first AMF does not perform the master authentication, and different indication manners can also be used.
In a second aspect, a method for registration is provided, including: an initial access and mobility management function (AMF) determines to send first indication information to a first AMF, the first indication information indicating that the first AMF is to protect a first message; and the initial AMF sends the first indication information to the first AMF, where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC) message. Alternatively,
the initial AMF determines to send first indication information to the first AMF, the first indication information instructing the first AMF not to perform primary authentication, or to skip the primary authentication procedure and perform the other procedures of the registration procedure, or to use the received KAMF; and the initial AMF sends the first indication information to the first AMF, where the first AMF is the target AMF selected to serve the UE during AMF redirection.
In the method for registration provided in the embodiments of this application, the initial AMF can, by sending the first indication information to the first AMF, cause the first AMF to send a protected authentication request message to the UE, which prevents the user equipment from discarding the authentication request message and improves the probability of successful registration. Alternatively,
the initial AMF can, by sending the first indication information to the first AMF, cause the first AMF not to perform the primary authentication procedure, which provides a feasible way for the first AMF to omit primary authentication.
With reference to the second aspect, in some implementations of the second aspect, the initial AMF determining to send the first indication information to the first AMF includes: the initial AMF determines to send the first indication information to the first AMF based on a first preset condition, where the first preset condition includes at least one of the following: a secure exchange of NAS messages has taken place between the UE and the initial AMF; a security context has been established between the UE and the initial AMF; a NAS SMC has been successfully performed between the UE and the initial AMF; a security association has been activated between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; or the initial AMF has used a KAMF produced by horizontal KAMF derivation and received from the second AMF; where the second AMF is the AMF that last served the UE.
In the method for registration provided in the embodiments of this application, the initial AMF may decide to send the first indication information to the first AMF only when it determines that a certain first preset condition is met; this provides a feasible way for the initial AMF to determine whether to send the first indication information.
With reference to the second aspect, in some implementations of the second aspect, the initial AMF sending the first indication information to the first AMF includes: the initial AMF sends a first service operation to the first AMF, and the first service operation includes the first indication information.
In the method for registration provided in the embodiments of this application, the initial AMF may send the first indication information to the first AMF by sending a first service operation to the first AMF and carrying the first indication information in that service operation; this is one flexible option for how the initial AMF sends the first indication information to the first AMF. As one possible implementation, the first service operation is the Namf_Communication_N1MessageNotify service operation.
With reference to the second aspect, in some implementations of the second aspect, the first service operation further includes a NAS security context.
In the method for registration provided in the embodiments of this application, the first service operation sent by the initial AMF to the first AMF may also include the NAS security context, so that the first AMF can use the received NAS security context to protect the first message; this provides a feasible way for the first AMF to protect the first message.
With reference to the second aspect, in some implementations of the second aspect, the first indication information indicates at least one of the following: a secure exchange of NAS messages has taken place between the UE and the initial AMF; the first AMF should use the NAS security context to protect the first message; a security context has been established between the UE and the initial AMF; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a NAS SMC has been successfully performed between the UE and the initial AMF; the first AMF should use the received KAMF; the first AMF does not perform the primary authentication procedure; the first AMF skips the primary authentication procedure and performs the other procedures of registration; or the first AMF should use the received KAMF.
In the method for registration provided in the embodiments of this application, the first indication information instructing the first AMF to protect the first message may take the form of indicating that a secure exchange of NAS messages has taken place between the UE and the initial AMF and/or that the first AMF should use the received NAS security context to protect the first message; this gives flexible options for the specific form of the first indication information. Alternatively,
the first indication information instructing the first AMF not to perform primary authentication may likewise be expressed in different ways.
In a third aspect, a method for registration is provided, including: a user equipment (UE) accepts a protected first message from a first AMF, where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC) message.
In the method for registration provided in the embodiments of this application, the UE receives a protected authentication request message, so the user equipment does not discard the authentication request message and the probability of successful registration is improved.
In a fourth aspect, a method for registration is provided, including: a user equipment (UE) receives second indication information from an initial access and mobility management function (AMF), the second indication information instructing the UE to accept an unprotected first message; and the UE accepts, according to the second indication information, the unprotected first message from a first AMF, where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the NAS SMC message.
In the method for registration provided in the embodiments of this application, the initial AMF may send second indication information to the UE so that the UE accepts an unprotected authentication request message, which prevents the user equipment from discarding the authentication request message and improves the probability of successful registration.
In a fifth aspect, a method for registration is provided, including: an initial access and mobility management function (AMF) determines, based on a second preset condition, to send second indication information to a user equipment (UE), the second indication information instructing the UE to accept an unprotected first message, the first message being one of the following: an authentication request message, an N1 message, or an N1 message other than the NAS SMC message; and the initial AMF sends the second indication information to the UE.
In the method for registration provided in the embodiments of this application, the initial AMF may send second indication information to the UE so that the UE accepts an unprotected authentication request message, which prevents the user equipment from discarding the authentication request message and improves the probability of successful registration.
With reference to the fifth aspect, in some implementations of the fifth aspect, the initial AMF determines to send the second indication information to the UE based on a second preset condition, where the preset condition includes at least one of the following: a secure exchange of NAS messages has taken place between the initial AMF and the UE; the initial AMF has determined to perform AMF redirection; a security context has been established between the UE and the initial AMF; a NAS SMC has been successfully performed between the UE and the initial AMF; a security association has been activated between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; or the initial AMF has used a KAMF produced by horizontal KAMF derivation and received from the second AMF; where the second AMF is the AMF that last served the UE.
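The first to fifth aspects above describe one decision at the UE: once NAS security has been activated with the initial AMF, an unprotected first message from the redirection target is discarded, unless the target protects it with the context it received (first indication) or the initial AMF has told the UE to accept it unprotected (second indication). The following toy model, added here as an illustration and not code from the patent or from 3GPP, plays that flow through. The message layout, the HMAC-SHA256 tag standing in for the NAS integrity algorithm, and the names `first_indication`, `nas_security_context`, `UE`, `TargetAMF` and `run_flow` are all constructed assumptions.

```python
"""Toy model of the AMF-redirection registration flow (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class NasSecurityContext:
    """Minimal NAS security context: KAMF plus a downlink NAS COUNT (assumption)."""
    k_amf: bytes
    dl_count: int = 0


def nas_mac(ctx: NasSecurityContext, count: int, payload: bytes) -> bytes:
    # HMAC-SHA256 truncated to 32 bits stands in for the NAS-MAC of a 5G NAS
    # integrity algorithm; binding the COUNT makes a replayed message fail.
    tag = hmac.new(ctx.k_amf, count.to_bytes(4, "big") + payload, hashlib.sha256)
    return tag.digest()[:4]


@dataclass
class N1Message:
    msg_type: str
    payload: bytes
    count: Optional[int] = None
    mac: Optional[bytes] = None  # None means the message is unprotected


class UE:
    """UE side: drops unprotected N1 messages once NAS security is active,
    unless the initial AMF sent the second indication (fourth/fifth aspect)."""

    def __init__(self) -> None:
        self.ctx: Optional[NasSecurityContext] = None
        self.accept_unprotected = False
        self.last_count = 0

    def on_nas_smc_complete(self, ctx: NasSecurityContext) -> None:
        self.ctx = NasSecurityContext(ctx.k_amf)  # shared with the initial AMF

    def on_second_indication(self) -> None:
        self.accept_unprotected = True

    def receive(self, msg: N1Message) -> bool:
        """Return True if the UE accepts the message, False if it discards it."""
        if msg.mac is None:
            if self.ctx is None:
                return True  # no security yet, nothing to verify
            if self.accept_unprotected:
                self.accept_unprotected = False  # one-shot permission
                return True
            return False  # security active and no second indication: discard
        if self.ctx is None or msg.count is None or msg.count <= self.last_count:
            return False  # cannot verify, or replayed COUNT
        if not hmac.compare_digest(nas_mac(self.ctx, msg.count, msg.payload), msg.mac):
            return False  # integrity check failed (tampered or wrong key)
        self.last_count = msg.count
        return True


class TargetAMF:
    """First AMF (redirection target): protects the first message only when
    the first indication and the NAS security context arrived together."""

    def __init__(self) -> None:
        self.ctx: Optional[NasSecurityContext] = None

    def on_n1_message_notify(self, op: dict) -> None:
        # Constructed field names for the first indication information and the
        # NAS security context carried in Namf_Communication_N1MessageNotify.
        if op.get("first_indication") and op.get("nas_security_context") is not None:
            self.ctx = op["nas_security_context"]

    def authentication_request(self, payload: bytes) -> N1Message:
        msg = N1Message("AUTHENTICATION REQUEST", payload)
        if self.ctx is not None:
            self.ctx.dl_count += 1
            msg.count = self.ctx.dl_count
            msg.mac = nas_mac(self.ctx, msg.count, payload)
        return msg


def run_flow(first_indication: bool, second_indication: bool, tamper: bool = False) -> bool:
    """One redirected registration; returns whether the UE accepted the request."""
    ue = UE()
    ctx = NasSecurityContext(k_amf=os.urandom(32))  # set up at the initial AMF
    ue.on_nas_smc_complete(ctx)                      # NAS SMC succeeded
    if second_indication:
        ue.on_second_indication()                    # initial AMF -> UE
    target = TargetAMF()
    target.on_n1_message_notify({"first_indication": first_indication,
                                 "nas_security_context": ctx})
    req = target.authentication_request(b"RAND||AUTN (constructed)")
    if tamper and req.mac is not None:
        req.payload += b"!"                          # modified in transit
    return ue.receive(req)


if __name__ == "__main__":
    print("first indication, protected:", run_flow(True, False))
    print("no indication, unprotected:", run_flow(False, False))
    print("second indication, unprotected:", run_flow(False, True))
    print("protected but tampered:", run_flow(True, False, tamper=True))
```

The model keeps the UE's acceptance rule deliberately strict, which is what makes the two indications necessary: the only ways an authentication request gets through after NAS security activation are a valid MAC computed with the context the target AMF received, or an explicit, one-shot second indication from the initial AMF.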
In a sixth aspect, a method for registration is provided, including: a first access and mobility management function (AMF) receives a first service operation sent by an initial AMF; the first AMF protects a first message; and the first AMF sends the protected first message to the user equipment (UE), where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC) message. Alternatively,
a first access and mobility management function (AMF) receives a first service operation sent by an initial AMF; the first AMF skips the primary authentication procedure; and the first AMF sends a protected N1 message to the user equipment (UE), where the first AMF is the target AMF selected to serve the UE during AMF redirection.
In the method for registration provided in the embodiments of this application, the first AMF may send a protected authentication request message to the UE after determining that AMF redirection has occurred, which prevents the user equipment from discarding the authentication request message and improves the probability of successful registration. Alternatively, the initial AMF may send a first service operation to the first AMF indicating that the first AMF does not perform the primary authentication procedure; the first AMF, after determining that AMF redirection has occurred, may then skip the primary authentication procedure and carry out the other procedures of registration, or, put differently, may not perform primary authentication after determining that AMF redirection has occurred, and the first AMF uses the received NAS security context to protect the N1 message.
With reference to the sixth aspect, in some implementations of the sixth aspect, after the first AMF receives the first service operation sent by the initial AMF, the method for registration further includes: the first AMF determines, according to the first service operation, that AMF redirection has occurred.
In the method for registration provided in the embodiments of this application, the first AMF can determine whether AMF redirection has occurred from the information element(s) (IEs) carried in the first service operation. For example, if the N1 message type carried in the first service operation includes 5GMM, the first AMF determines that AMF redirection has occurred; as another example, if the first service operation carries an IE of type registration context container (Registration Context Container), the first AMF determines that AMF redirection has occurred.
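The second aspect's first preset condition and the sixth aspect's redirection check are both simple predicates over state the two AMFs already hold, so they can be written down directly. The block below is an added illustration, not code from the patent; the JSON-style field names `n1MessageContainer`, `n1MessageClass` and `registrationCtxtContainer` are taken from how I recall the Namf_Communication N1MessageNotify data types in 3GPP TS 29.518 and should be treated as assumptions, and `firstIndication`, `nasSecurityContext`, `InitialAmfState` and `target_amf_plan` are constructed names.

```python
"""Decision logic around the first indication (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class InitialAmfState:
    """What the initial AMF knows about the UE after its own procedures (constructed)."""
    nas_messages_exchanged_securely: bool = False
    security_context_established: bool = False
    nas_smc_succeeded: bool = False
    security_association_activated: bool = False
    security_protection_activated: bool = False
    primary_authentication_done: bool = False
    algorithm_differs_from_last_amf: bool = False
    used_horizontally_derived_kamf: bool = False


def should_send_first_indication(s: InitialAmfState) -> bool:
    """Second aspect: the first preset condition holds if at least one of the
    listed facts is true, i.e. the UE already holds NAS security state that the
    redirection target must keep using rather than start from scratch."""
    return any((s.nas_messages_exchanged_securely, s.security_context_established,
                s.nas_smc_succeeded, s.security_association_activated,
                s.security_protection_activated, s.primary_authentication_done,
                s.algorithm_differs_from_last_amf, s.used_horizontally_derived_kamf))


def build_n1_message_notify(s: InitialAmfState, nas_ctx: Optional[dict]) -> dict:
    """Initial AMF side: the N1MessageNotify forwarding the registration request,
    with the first indication and NAS security context added only when the
    first preset condition is met."""
    notify = {
        "n1MessageContainer": {"n1MessageClass": "5GMM",
                               "n1MessageContent": "<REGISTRATION REQUEST bytes>"},
        "registrationCtxtContainer": {"ueContextRequest": True},  # constructed content
    }
    if should_send_first_indication(s) and nas_ctx is not None:
        notify["firstIndication"] = True
        notify["nasSecurityContext"] = nas_ctx
    return notify


def is_amf_redirection(notify: dict) -> bool:
    """Sixth aspect: infer redirection from the IEs of the service operation,
    either a 5GMM-class N1 message or a registration context container."""
    container = notify.get("n1MessageContainer") or {}
    if container.get("n1MessageClass") == "5GMM":
        return True
    return "registrationCtxtContainer" in notify


def target_amf_plan(notify: dict) -> str:
    """First AMF side: decide what to do with an incoming N1MessageNotify."""
    if not is_amf_redirection(notify):
        return "not_redirection"
    if notify.get("firstIndication") and "nasSecurityContext" in notify:
        # Skip primary authentication; protect the next N1 message with the
        # received context so the UE does not discard it.
        return "protect_with_received_context"
    # No indication: the target has no usable context and must authenticate.
    return "run_primary_authentication"


if __name__ == "__main__":
    after_smc = InitialAmfState(nas_smc_succeeded=True)
    ctx = {"kAmf": "<32 bytes, constructed>", "dlCount": 0}
    print(target_amf_plan(build_n1_message_notify(after_smc, ctx)))
    print(target_amf_plan(build_n1_message_notify(InitialAmfState(), ctx)))
    print(target_amf_plan({"n1MessageContainer": {"n1MessageClass": "SM"}}))
```

Keeping the condition as `any(...)` over named flags matches the patent's "at least one of" wording and makes it easy to log which fact triggered the indication, which is useful when debugging a target AMF that unexpectedly re-runs primary authentication.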
With reference to the sixth aspect, in some implementations of the sixth aspect, the first AMF protecting the first message includes: the first AMF uses the received NAS security context to protect the first message.
As one possible implementation, the received NAS security context is the NAS security context carried in the first service operation that the first AMF received from the initial AMF.
In the method for registration provided in the embodiments of this application, the first AMF may use the received NAS security context to protect the first message, which provides a feasible way for the first AMF to protect the first message.
In a seventh aspect, a method for registration is provided, including: a user equipment (UE) accepts a protected first message from a first AMF, where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC) message.
In the method for registration provided in the embodiments of this application, the UE receives a protected authentication request message, so the user equipment does not discard the authentication request message and the probability of successful registration is improved.
In an eighth aspect, a device for registration is provided. The device includes a processor configured to implement the functions of the first AMF in the methods described in the first aspect and the seventh aspect.
Optionally, the device for registration may further include a memory coupled to the processor, the processor being configured to implement the functions of the first AMF in the methods described in the first aspect and the seventh aspect. In one possible implementation, the memory stores program instructions and data. The memory is coupled to the processor, and the processor can call and execute the program instructions stored in the memory to implement the functions of the first AMF in the methods described in the first aspect and the seventh aspect.
Optionally, the device for registration may further include a communication interface through which the device communicates with other devices. When the device for registration is a user equipment, the communication interface may be a transceiver, an input/output interface, a circuit, or the like.
In one possible design, the device for registration includes a processor and a communication interface:
the processor is configured to run a computer program so that the device for registration implements any of the methods described in the first aspect and the seventh aspect;
the processor communicates with the outside through the communication interface.
It can be understood that "the outside" may be an object other than the processor, or an object other than the device.
In another possible design, the device for registration is a chip or a chip system. The communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin, or a related circuit on the chip or chip system. The processor may also be embodied as a processing circuit or a logic circuit.
In a ninth aspect, a device for registration is provided. The device includes a processor configured to implement the functions of the initial AMF in the methods described in the second aspect and the fifth aspect.
Optionally, the device for registration may further include a memory coupled to the processor, the processor being configured to implement the functions of the initial AMF in the methods described in the second aspect and the fifth aspect. In one possible implementation, the memory stores program instructions and data. The memory is coupled to the processor, and the processor can call and execute the program instructions stored in the memory to implement the functions of the initial AMF in the methods described in the second aspect and the fifth aspect.
Optionally, the device for registration may further include a communication interface through which the device communicates with other devices. When the device for registration is the initial AMF, the communication interface may be a transceiver, an input/output interface, a circuit, or the like.
In one possible design, the device for registration includes a processor and a communication interface:
the processor communicates with the outside through the communication interface;
the processor is configured to run a computer program so that the device for registration implements any of the methods described in the second aspect and the fifth aspect.
It can be understood that "the outside" may be an object other than the processor, or an object other than the device.
In another possible design, the device for registration is a chip or a chip system. The communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin, or a related circuit on the chip or chip system. The processor may also be embodied as a processing circuit or a logic circuit.
In a tenth aspect, a device for registration is provided. The device includes a processor configured to implement the functions of the user equipment in the methods described in the third aspect, the fourth aspect, and the eighth aspect.
Optionally, the device for registration may further include a memory coupled to the processor, the processor being configured to implement the functions of the user equipment in the methods described in the third aspect, the fourth aspect, and the eighth aspect. In one possible implementation, the memory stores program instructions and data. The memory is coupled to the processor, and the processor can call and execute the program instructions stored in the memory to implement the functions of the user equipment in the methods described in the third aspect, the fourth aspect, and the eighth aspect.
Optionally, the device for registration may further include a communication interface through which the device communicates with other devices. When the device for registration is a user equipment, the communication interface may be a transceiver, an input/output interface, a circuit, or the like.
In one possible design, the device for registration includes a processor and a communication interface:
the processor communicates with the outside through the communication interface;
the processor is configured to run a computer program so that the device for registration implements any of the methods described in the third aspect, the fourth aspect, and the eighth aspect.
It can be understood that "the outside" may be an object other than the processor, or an object other than the device.
In another possible design, the device for registration is a chip or a chip system. The communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin, or a related circuit on the chip or chip system. The processor may also be embodied as a processing circuit or a logic circuit.
In an eleventh aspect, this application provides a computer-readable storage medium storing instructions that, when run on a computer, cause the computer to perform the methods described in the above aspects.
In a twelfth aspect, this application provides a computer program product containing instructions that, when run on a computer, cause the computer to perform the methods described in the above aspects.
In a thirteenth aspect, a communication system is provided, including the device for registration of the eighth aspect, the device for registration of the ninth aspect, and the device for registration of the tenth aspect.
In a fourteenth aspect, a chip system is provided, including a memory and a processor; the memory stores a computer program, and the processor calls and runs the computer program from the memory so that a communication device in which the chip system is installed performs the method of any possible implementation of the first to seventh aspects.
Description of the drawings
Figure 1 is a network architecture to which embodiments of this application are applicable.
Figure 2 is a schematic diagram of a registration procedure in which AMF redirection occurs.
Figure 3 is a schematic flowchart of a method for registration provided in an embodiment of this application.
Figure 4 is a schematic flowchart of another method for registration provided in an embodiment of this application.
Figure 5 is a schematic diagram of the apparatus 10 for registration proposed in this application.
Figure 6 is a schematic structural diagram of a user equipment 20 applicable to an embodiment of this application.
Figure 7 is a schematic diagram of the apparatus 30 for registration proposed in this application.
Figure 8 is a schematic structural diagram of an initial AMF 40 applicable to an embodiment of this application.
Figure 9 is a schematic diagram of the apparatus 50 for registration proposed in this application.
Figure 10 is a schematic structural diagram of a first AMF 60 applicable to an embodiment of this application.
Figure 11 is a schematic flowchart of yet another method for registration provided in an embodiment of this application.
Detailed description
The technical solutions of this application are described below with reference to the accompanying drawings.
Figure 1 is a network architecture to which embodiments of this application are applicable. As shown in Figure 1, each part involved in the network architecture is described separately below.
1. User equipment 110: may include various handheld devices, vehicle-mounted devices, wearable devices and computing devices with wireless communication capability, other processing devices connected to a wireless modem, and various forms of terminals, such as mobile stations (mobile station, MS), terminals (terminal), user equipment (user equipment, UE) and soft terminals; for example, water meters, electricity meters and sensors.
By way of example, the user equipment in the embodiments of this application may refer to an access terminal, a subscriber unit, a subscriber station, a mobile station, a relay station, a remote station, a remote terminal, a mobile device, a user terminal, terminal equipment, a wireless communication device, a user agent or a user apparatus. The user equipment may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, user equipment in a future 5G network, user equipment in a future evolved public land mobile network (PLMN), user equipment in a future Internet of Vehicles, or the like; the embodiments of this application are not limited in this respect.
By way of example and not limitation, in the embodiments of this application a wearable device may also be called a wearable smart device, which is a general term for devices that apply wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not merely a hardware device; it provides powerful functions through software support, data interaction and cloud interaction. In a broad sense, wearable smart devices include full-featured, larger devices that can implement all or part of their functions without relying on a smartphone, such as smart watches or smart glasses, and devices that focus on one class of application and must be used together with another device such as a smartphone, such as smart bracelets and smart jewellery for monitoring physical signs.
In addition, in the embodiments of this application the user equipment may also be user equipment in an Internet of Things (IoT) system. IoT is an important part of the future development of information technology; its main technical feature is connecting objects to a network through communication technology, forming an intelligent network of human-machine and machine-machine interconnection. In the embodiments of this application, IoT technology can achieve massive connectivity, deep coverage and terminal power saving through, for example, narrowband (NB) technology. In addition, in the embodiments of this application the user equipment may also include sensors such as smart printers, train detectors and fuel-station sensors, whose main functions include collecting data (for some user equipment), receiving control information and downlink data from the access network device, and transmitting electromagnetic waves to send uplink data to the access network device.
2. (Radio) access network device ((R)AN) 120: used to provide network access for authorized user equipment in a specific area, and able to use transmission tunnels of different quality according to the level of the user equipment, the service requirements and so on.
The (R)AN manages radio resources, provides access services for user equipment, and thereby forwards control signalling and user equipment data between the user equipment and the core network; the (R)AN may also be understood as the base station of a traditional network.
By way of example, the access network device in the embodiments of this application may be any communication device with a wireless transceiving function that communicates with user equipment. The access network device includes but is not limited to: an evolved Node B (eNB), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (home evolved NodeB, HeNB, or home Node B, HNB), a baseband unit (BBU), an access point (AP) in a wireless fidelity (WiFi) system, a wireless relay node, a wireless backhaul node, a transmission point (TP) or a transmission and reception point (TRP), or the like; it may also be a gNB or transmission point (TRP or TP) in a 5G system such as NR, one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or a network node that forms part of a gNB or transmission point, such as a baseband unit (BBU) or a distributed unit (DU).
In some deployments, a gNB may include a centralized unit (CU) and a DU. The gNB may also include an active antenna unit (AAU). The CU implements some functions of the gNB and the DU implements others. For example, the CU handles non-real-time protocols and services, implementing the functions of the radio resource control (RRC) and packet data convergence protocol (PDCP) layers. The DU handles physical-layer protocols and real-time services, implementing the functions of the radio link control (RLC), medium access control (MAC) and physical (PHY) layers. The AAU implements some physical-layer processing, radio frequency processing and active-antenna functions. Since RRC-layer information eventually becomes PHY-layer information, or is converted from it, under this architecture higher-layer signalling such as RRC signalling may also be regarded as sent by the DU, or by the DU plus AAU. It can be understood that the access network device may be a device including one or more of a CU node, a DU node and an AAU node. In addition, the CU may be classified as an access network device in the radio access network (RAN) or as an access network device in the core network (CN); this application does not limit this.
3. User plane network element 130: used for packet routing and forwarding, quality of service (QoS) handling of user plane data, and so on.
In a 5G communication system, the user plane network element may be a user plane function (UPF) network element. In future communication systems, the user plane network element may still be a UPF network element or may have another name; this application does not limit this.
4. Data network element 140: used to provide a network for transmitting data.
In a 5G communication system, the data network element may be a data network (DN) network element. In future communication systems, the data network element may still be a DN network element or may have another name; this application does not limit this.
5. Access management network element 150: mainly used for mobility management and access management, and can be used to implement the functions of the mobility management entity (MME) other than session management, such as lawful interception and access authorization/authentication.
In a 5G communication system, the access management network element may be an access and mobility management function (AMF). In future communication systems, the access management network element may still be an AMF or may have another name; this application does not limit this.
6. Session management network element 160: mainly used for session management, Internet protocol (IP) address allocation and management for user equipment, selection of a manageable user plane function, termination point of the policy control and charging function interface, downlink data notification, and so on.
In a 5G communication system, the session management network element may be a session management function (SMF) network element. In future communication systems, the session management network element may still be an SMF network element or may have another name; this application does not limit this.
7. Policy control network element 170: a unified policy framework used to guide network behaviour, providing policy rule information to control plane function network elements (such as the AMF and SMF network elements).
In a 4G communication system, the policy control network element may be a policy and charging rules function (PCRF) network element. In a 5G communication system, the policy control network element may be a policy control function (PCF) network element. In future communication systems, the policy control network element may still be a PCF network element or may have another name; this application does not limit this.
8. Authentication server 180: used for authentication services and for generating keys to implement mutual authentication with the user equipment, supporting a unified authentication framework.
In a 5G communication system, the authentication server may be an authentication server function (AUSF) network element. In future communication systems, the authentication server function network element may still be an AUSF network element or may have another name; this application does not limit this.
9. Data management network element 190: used for handling user equipment identifiers, access authentication, registration, mobility management and so on.
In a 5G communication system, the data management network element may be a unified data management (UDM) network element; in a 4G communication system, the data management network element may be a home subscriber server (HSS) network element. In future communication systems, the unified data management network element may still be a UDM network element or may have another name; this application does not limit this.
10. Application network element 1100: used for application-influenced data routing, access to the network exposure function network element, interaction with the policy framework for policy control, and so on.
In a 5G communication system, the application network element may be an application function (AF) network element. In future communication systems, the application network element may still be an AF network element or may have another name; this application does not limit this.
11. Network slice selection network element 1200: used to implement access mapping between user equipment and network slices, providing the user equipment with access to an appropriate network slice.
In a 5G communication system, the network slice selection network element may be a network slice selection function (NSSF) network element. In future communication systems, the network slice selection network element may still be an NSSF network element or may have another name; this application does not limit this.
It should also be understood that Figure 1 is only an example and does not limit the protection scope of this application. The method for registration provided by the embodiments of this application may also involve network elements not shown in Figure 1; for example, it also involves a network repository network element, which maintains real-time information on all network function services in the network.
In a 5G communication system, the network repository network element may be a network repository function (NRF) network element. In future communication systems, the network repository network element may still be an NRF network element or may have another name; this application does not limit this.
It can be understood that the network elements or functions above may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform). For convenience, the rest of this application takes the case in which the access management network element is an AMF, the data management network element is a UDM network element, the session management network element is an SMF network element and the user plane network element is a UPF network element as an example.
Further, the AMF network element is abbreviated as AMF, the UDM network element as UDM, the SMF network element as SMF and the UPF network element as UPF. That is, wherever AMF appears later in this application it can be replaced with the access management network element, UDM with the data management network element, SMF with the session management network element, and UPF with the user plane network element.
For convenience of description, the embodiments of this application describe the method for registration taking an AMF entity and a UDM entity as examples of the apparatus; for the case in which the apparatus is a chip in the AMF entity or a chip in the UDM entity, refer to the respective descriptions for the AMF entity and the UDM entity, which are not repeated.
In the network architecture shown in Figure 1, the user equipment is connected to the AMF through the N1 interface, the RAN is connected to the AMF through the N2 interface, and the RAN is connected to the UPF through the N3 interface. UPFs are connected to each other through the N9 interface, and the UPF interconnects with the DN through the N6 interface. The SMF controls the UPF through the N4 interface. The AMF interfaces with the SMF through the N11 interface. The AMF obtains user equipment subscription data from the UDM through the N8 interface, and the SMF obtains user equipment subscription data from the UDM through the N10 interface.
It should be understood that the network architecture applied to the embodiments of this application above is only an example; the network architecture applicable to the embodiments of this application is not limited to it, and any network architecture capable of implementing the functions of the network elements above is applicable to the embodiments of this application.
For example, in some network architectures, network function entities such as the AMF, SMF network element, PCF network element, BSF network element and UDM network element are all called network function (NF) network elements; in other network architectures, the set of network elements such as the AMF, SMF network element, PCF network element, BSF network element and UDM network element may be called control plane function network elements.
The technical solutions of the embodiments of this application can be applied to various communication systems, for example: a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a universal mobile telecommunication system (UMTS), a worldwide interoperability for microwave access (WiMAX) communication system, a fifth generation (5G) system, new radio (NR), or a future network. The 5G mobile communication system described in this application includes non-standalone (NSA) 5G mobile communication systems and standalone (SA) 5G mobile communication systems. The technical solutions provided in this application can also be applied to future communication systems, such as a sixth-generation mobile communication system. The communication system may also be a public land mobile network (PLMN), a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, an Internet of Things (IoT) communication system or another communication system.
In the embodiments of this application, the user equipment or the access network device includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer. The hardware layer includes hardware such as a central processing unit (CPU), a memory management unit (MMU) and memory (also called main memory). The operating system may be any one or more computer operating systems that implement service processing through processes, for example Linux, Unix, Android, iOS or Windows. The application layer includes applications such as browsers, address books, word processing software and instant messaging software. Moreover, the embodiments of this application do not particularly limit the specific structure of the entity executing the method provided in the embodiments of this application, as long as it can communicate according to the method provided in the embodiments of this application by running a program recording the code of that method; for example, the entity executing the method may be user equipment or an access network device, or a functional module in the user equipment or access network device that can call and execute programs.
In addition, the various aspects or features of this application may be implemented as methods, apparatuses, or articles of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" used in this application covers a computer program accessible from any computer-readable device, carrier or medium. For example, computer-readable media may include, but are not limited to, magnetic storage devices (for example, hard disks, floppy disks or magnetic tape), optical disks (for example, compact discs (CD) and digital versatile discs (DVD)), smart cards and flash memory devices (for example, erasable programmable read-only memory (EPROM), cards, sticks or key drives). In addition, the various storage media described herein may represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable storage medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing and/or carrying instructions and/or data.
The embodiments of this application mainly involve the AMF, UE, (R)AN, AUSF, UDM and NSSF in the network architecture shown in Figure 1, and also the NRF, which is not shown in Figure 1. As regards the AMF, this application involves an initial AMF, a second AMF (old AMF) and a first AMF (target AMF).
Specifically, the second AMF in this application is the AMF that last served the UE, that is, the AMF that served the UE before the current registration; it may also be called the AMF last visited by the UE. The initial AMF in this application is the AMF selected by the (R)AN when the UE initiates the current registration request. The first AMF in this application is the AMF, other than the initial AMF, that is selected to serve the UE after the initial AMF decides to perform AMF redirection.
The AUSF in this application is mainly used for primary authentication; the UDM in this application is mainly used to provide the subscription information of the user equipment, which includes the user equipment's network slice selection subscription data; the NSSF in this application is mainly used to provide the AMF set, or the list of AMF addresses, able to serve the network slice selection assistance information (NSSAI) requested by the user equipment; the NRF in this application is mainly used to provide the address of the first AMF.
For ease of description, in the embodiments of this application the AMF key contained in the NAS security context established between the UE and the second AMF is denoted Kamf; Kamf may also be called the first key, or the old key. The identifier corresponding to Kamf is denoted ngKSI; ngKSI may also be called the first key identifier, or the old key identifier. That NAS security context may also be called the old NAS security context.
After the initial AMF and the UE perform primary authentication, the key generated by that primary authentication and then activated and used is denoted Kamf_new, and its key identifier is denoted ngKSI_new. Kamf_new may also be called the second key, and ngKSI_new the second key identifier.
The key generated by key derivation from Kamf_new is denoted Kamf_new′; it may also be called the third key. Specifically, a key generated by key derivation keeps the key identifier of the key it was derived from, so the key identifier corresponding to Kamf_new′ is also ngKSI_new, the second key identifier.
The key generated by key derivation from Kamf is denoted Kamf′; it may also be called the fourth key. Specifically, because a derived key keeps the key identifier of the key it was derived from, the key identifier corresponding to Kamf′ is also ngKSI.
The key generated by key derivation from Kamf′ is denoted Kamf″; it may also be called the fifth key. For the same reason, the key identifier corresponding to Kamf″ is also ngKSI.
The key generated by key derivation from Kamf″ is denoted Kamf‴; it may also be called the sixth key. For the same reason, the key identifier corresponding to Kamf‴ is also ngKSI.
The key generated by key derivation from Kamf_new′ is denoted Kamf_new″; it may also be called the seventh key. For the same reason, the key identifier corresponding to Kamf_new″ is also ngKSI_new.
It should be understood that the embodiments of this application place no restriction on the derivation mechanism or parameters used to derive a new key from an existing key. The only requirement is that the derived key cannot be used to recover the key it was derived from; in other words, the derivation is one-way, and the new key and the key it was derived from are isolated from each other.
As one possible implementation, the key derivation described in this application may be the horizontal key derivation defined in the existing protocol.
As another possible implementation, the key derivation described in this application may be a key derivation method agreed between the different network elements.
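The key naming above (Kamf, Kamf′, Kamf″ sharing one ngKSI; Kamf_new with its own ngKSI_new) is easier to check with a concrete derivation. The following is an added example, not code from the patent or from 3GPP. It assumes the HMAC-SHA-256 KDF construction of 3GPP TS 33.220 Annex B (input string FC || P0 || L0 || P1 || L1), with FC = 0x72, P0 = DIRECTION and P1 = uplink NAS COUNT as used for horizontal K_AMF derivation in TS 33.501 Annex A; treat those constants as assumptions to be verified against the current specification. The key material and the ngKSI selection rule are constructed for illustration.

```python
"""
Worked key-naming example for the patent's Kamf / Kamf' / Kamf_new notation.
Added example, not the patent's or 3GPP's code.  Assumptions: TS 33.220 B.2 style
KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1), FC = 0x72 with DIRECTION and
uplink NAS COUNT for horizontal K_AMF derivation, and a constructed rule for
choosing a fresh ngKSI after primary authentication.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

FC_HORIZONTAL_KAMF = 0x72   # assumption, see lead-in
DIRECTION_UPLINK = 0x00


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 B.2 style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    each Li being the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


@dataclass(frozen=True)
class AmfKeyInfo:
    """'Key information' in the patent's wording: an AMF key plus its identifier."""
    kamf: bytes
    ngksi: int   # 3-bit key set identifier, 0..6 (7 means 'no key available')


def horizontal_derive(info: AmfKeyInfo, uplink_nas_count: int) -> AmfKeyInfo:
    """Kamf -> Kamf' (and Kamf' -> Kamf'' ...).  The identifier does not change:
    the derived key is still named by the ngKSI of the key it came from."""
    new_kamf = kdf(
        info.kamf,
        FC_HORIZONTAL_KAMF,
        bytes([DIRECTION_UPLINK]),
        uplink_nas_count.to_bytes(4, "big"),
    )
    return AmfKeyInfo(new_kamf, info.ngksi)


def primary_authentication(old_ngksi: int) -> AmfKeyInfo:
    """Kamf_new / ngKSI_new: a key from a fresh primary authentication gets a fresh
    identifier.  Constructed: the key bytes stand in for the KAUSF/KSEAF chain output,
    and the AMF is assumed to pick the next value in 0..6 that differs from the old one."""
    kamf_new = hashlib.sha256(b"constructed primary authentication output").digest()
    return AmfKeyInfo(kamf_new, (old_ngksi + 1) % 7)


def derivation_chain(start: AmfKeyInfo, hops: int, uplink_nas_count: int = 0) -> List[AmfKeyInfo]:
    """Returns [Kamf, Kamf', Kamf'', ...] after `hops` horizontal derivations."""
    chain = [start]
    for _ in range(hops):
        chain.append(horizontal_derive(chain[-1], uplink_nas_count))
    return chain


if __name__ == "__main__":
    old = AmfKeyInfo(b"\x11" * 32, ngksi=2)          # constructed Kamf / ngKSI
    for i, k in enumerate(derivation_chain(old, 3, uplink_nas_count=7)):
        print(f"Kamf{chr(39) * i:<3} ngKSI={k.ngksi} key={k.kamf.hex()[:16]}...")
    new = primary_authentication(old.ngksi)
    print(f"Kamf_new ngKSI_new={new.ngksi} key={new.kamf.hex()[:16]}...")
```

The chain prints four distinct keys all labelled with the same ngKSI, while the primary-authentication key carries a different identifier; this is exactly why a receiving AMF cannot tell Kamf from Kamf′ by the identifier alone and needs the derivation indication (keyAMFHDerivationInd) described later in the flow. The isolation property the text asks for follows from HMAC preimage resistance: nothing in Kamf′ lets an AMF recover Kamf.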
It should be understood that the embodiments of this application do not change the structure of the network elements. They only add signaling between network elements and/or add information elements (IEs) to the signaling already exchanged between existing network elements, in order to achieve the aims of the registration procedure with AMF redirection provided in the embodiments.
First, to aid understanding of the method provided in the embodiments for the registration procedure with AMF redirection, a scenario in which registration may fail in the registration procedure with AMF redirection defined in the existing protocol is briefly described with reference to FIG. 2. FIG. 2 is a schematic diagram of a registration procedure in which AMF redirection occurs. The entities involved are the UE, the initial AMF, the second AMF, the first AMF, the UDM, the NSSF and the NRF.
The registration procedure with AMF redirection includes the following steps.
S1: The UE sends a registration request (RR) message to the initial AMF; the RR message carries the 5G-GUTI or the SUCI of the UE.
It should be understood that, in the embodiments of this application, "the UE sends an RR message to the initial AMF" means that the UE sends the RR message to the (R)AN and the (R)AN forwards it to the initial AMF. Because the (R)AN only relays the message transparently in this step, for brevity the embodiments and the figures describe it directly as the UE sending the RR message to the initial AMF.
In one possible implementation, the UE has no non-access stratum (NAS) security context; the UE then includes cleartext IE(s) in the RR message, and the cleartext IE(s) do not include the UE's requested NSSAI.
In another possible implementation, the UE has a NAS security context; the UE then includes cleartext IE(s) and a NAS container in the RR message. The NAS container holds the complete RR message, and the complete RR message includes the UE's requested NSSAI.
Optionally, if the RR message received by the initial AMF carries the 5G-GUTI of the UE, the initial AMF requests the UE context from the second AMF. That is, the registration procedure shown in FIG. 2 further includes S2: the initial AMF invokes the sixth service operation of the second AMF. Specifically, after receiving the RR message from the UE, the initial AMF identifies, from the 5G-GUTI in the RR message, the second AMF that last served the UE, and invokes the sixth service operation on the second AMF. This service operation may be called Namf_Communication_UEContextTransfer and is used to request the UE context from the second AMF. The UE context includes the NAS security context of the UE, and the NAS security context of the UE includes the AMF key established between the UE and the second AMF and the identifier corresponding to that AMF key.
S3: The second AMF sends a sixth service operation response to the initial AMF; the response includes the UE context.
Specifically, the second AMF sends the sixth service operation response to the initial AMF after successfully authenticating the UE. "The second AMF authenticates the UE" here means that the second AMF verifies the integrity protection of the RR message. The sixth service operation response may be called Namf_Communication_UEContextTransfer Response; specifically, it includes Kamf or Kamf′, together with the key identifier ngKSI corresponding to Kamf or Kamf′.
It should be understood that verifying the integrity protection of a message, as used in the embodiments of this application, means that the receiver of the message computes a message authentication code over the received message using the agreed algorithm (and key) and then compares it with the message authentication code received with the message.
The UE context included in the sixth service operation response includes the following security-related context:
1) The sixth service operation response includes Kamf and ngKSI.
Specifically, when the sixth service operation response includes Kamf, the second AMF carries the AMF key used between the UE and the second AMF directly in the sixth service operation response to inform the initial AMF.
The key identifier corresponding to Kamf is denoted ngKSI. A key and its key identifier may be collectively called key information. The sixth service operation response message may also carry this ngKSI.
2) The sixth service operation response includes Kamf′ and ngKSI.
When the sixth service operation response includes Kamf′, the second AMF has performed horizontal KAMF derivation on the key Kamf used between the UE and the second AMF and generated a new key, denoted Kamf′. It should be understood that the embodiments of this application do not restrict how the second AMF obtains Kamf′: it may be the horizontal KAMF derivation method specified in the existing protocol, or other agreed derivation algorithms and parameters; this is not described further in this application.
The key identifier corresponding to Kamf′ is denoted ngKSI. The sixth service operation response message may also carry this ngKSI.
Specifically, in this case the sixth service operation response also includes a key derivation indication, which indicates that the key Kamf′ included in the response has undergone key derivation at the second AMF. This key derivation indication may be called keyAMFHDerivationInd.
3) When the UE context stored locally at the second AMF includes an uplink NAS COUNT value and/or a downlink NAS COUNT value, the sixth service operation response may also include the uplink NAS COUNT value and/or the downlink NAS COUNT value.
4) When the second AMF stores locally the integrity protection and/or ciphering algorithms used between the UE and the second AMF, the sixth service operation response may also include those integrity protection and/or ciphering algorithms.
5) When the second AMF stores locally the UE security capabilities, the sixth service operation response may also include the UE security capabilities. The UE security capabilities comprise the integrity protection and/or ciphering algorithms implemented on the UE.
Optionally, if the RR message received by the initial AMF carries the SUCI of the UE, the initial AMF initiates a primary authentication procedure; and/or,
if the RR message received by the initial AMF carries the 5G-GUTI of the UE but the initial AMF fails to obtain the UE context from the second AMF, the initial AMF initiates a primary authentication procedure; and/or,
if the RR message received by the initial AMF carries the 5G-GUTI of the UE and the initial AMF successfully obtains the UE context from the second AMF, but the initial AMF decides according to local policy that a primary authentication procedure is needed. That is, the registration procedure shown in FIG. 2 further includes S4: the initial AMF initiates the primary authentication procedure, after which both the UE and the initial AMF hold Kamf_new and its corresponding identifier ngKSI_new.
Specifically, when the initial AMF initiates primary authentication, in order for the UE side to start using the Kamf_new generated by primary authentication as its AMF key, the initial AMF initiates a non-access stratum security mode command (NAS SMC) procedure; and/or,
if the second AMF performed key derivation, so that the sixth service operation response includes keyAMFHDerivationInd, Kamf′ and ngKSI, the initial AMF needs to initiate the NAS SMC procedure; and/or,
if the second AMF did not perform key derivation, so that the sixth service operation response includes Kamf (or Kamf and ngKSI), and the initial AMF decides to use Kamf and ngKSI but selects new security algorithms, the initial AMF needs to initiate the NAS SMC procedure.
That is, the registration procedure shown in FIG. 2 may further include S5: the initial AMF sends a non-access stratum security mode command (NAS SMC) message to the UE. Unless stated otherwise, "NAS SMC message" below refers to the non-access stratum security mode command message; where NAS SMC is used to mean non-access stratum security mode control, this is stated explicitly.
Optionally, the NAS SMC message carries an indication requesting the complete initial NAS message. Because this application mainly concerns the registration procedure of the UE, this indication is an indication requesting the complete registration request message; unless stated otherwise below, "indication requesting the complete initial NAS message" means the indication requesting the complete registration request message.
S6: The UE sends a NAS security mode complete (NAS SMP) message to the initial AMF.
Optionally, in accordance with the indication in the NAS SMC message requesting the complete initial NAS message, the UE carries the complete initial NAS message in the NAS security mode complete message; in the embodiments of this application the complete initial NAS message mainly refers to the complete registration request message.
The complete initial NAS message carries the requested NSSAI mentioned above.
Optionally, if the initial AMF needs the subscription information of the UE to decide whether to perform AMF redirection, and the second AMF did not provide the slice selection subscription information of the UE, the initial AMF obtains the slice selection subscription information of the UE from the UDM. That is, the registration procedure shown in FIG. 2 further includes S7: the initial AMF invokes the second service operation of the UDM, which may be called Nudm_SDM_Get and is used to request the slice selection subscription information of the UE from the UDM.
S8: The UDM sends a second service operation response to the initial AMF; the response includes the slice selection subscription information of the UE.
Optionally, if the initial AMF needs to perform slice selection (for example, the initial AMF cannot serve some or all of the single network slice selection assistance information (S-NSSAI) entries in the requested NSSAI of the UE), the initial AMF obtains from the NSSF information on the AMF(s) able to serve the requested NSSAI of the UE.
That is, the registration procedure shown in FIG. 2 may further include S9: the initial AMF invokes the third service operation of the NSSF, which may be called Nnssf_NSSelection_Get and is used to request from the NSSF information on the AMF(s) that can serve the requested NSSAI of the UE.
S10: The NSSF sends a third service operation response to the initial AMF; the response includes the slice selection subscription information of the UE.
After the initial AMF determines that AMF redirection is required, it decides to reroute the RR message to the first AMF. That is, the registration procedure shown in FIG. 2 further includes S11: the initial AMF invokes the fourth service operation of the second AMF. The fourth service operation indicates that the registration of the UE at the initial AMF has failed.
Specifically, the fourth service operation may be called Namf_Communication_RegistrationStatusUpdate, and the UE registration status it carries is "NOT_TRANSFERRED". After receiving this invocation from the initial AMF, the second AMF behaves as if it had never received the Namf_Communication_UEContextTransfer invocation sent by the initial AMF in S2.
Optionally, if the initial AMF decides to perform NAS reroute (direct NAS reroute or reroute NAS via RAN) and does not have the address of the first AMF, the initial AMF obtains the address of the first AMF from the NRF. That is, the registration procedure shown in FIG. 2 further includes S12: the initial AMF invokes the fifth service operation of the NRF, which may be called Nnrf_NFDiscovery_Request and is used to obtain the address of the first AMF.
S13: The NRF sends a fifth service operation response to the initial AMF; the response includes the address of the first AMF.
Optionally, if the initial AMF decides, according to local policy and the subscription information of the UE, to forward the NAS message (that is, the RR message) directly to the first AMF (direct NAS reroute), the initial AMF sends the complete registration request message and the UE context to the first AMF.
That is, the registration procedure shown in FIG. 2 may further include S14: the initial AMF invokes the first service operation of the first AMF, which may be called Namf_Communication_N1MessageNotify and is used to send the complete registration request message and/or the UE context to the first AMF. The UE context includes the NAS security-related context of the UE; for ease of description, the security-related context of the UE is referred to below simply as the NAS security context of the UE.
Before invoking the first service operation of the first AMF, the initial AMF decides according to local policy whether to perform horizontal KAMF derivation. If, according to local policy, the initial AMF does not perform horizontal KAMF derivation, it sends the current security context to the first AMF. If it does perform horizontal KAMF derivation, it generates from the current KAMF a new KAMF, or a new security context, or a new NAS security context, sends that new KAMF or new security context or new NAS security context to the first AMF, and also sends a horizontal KAMF derivation indication to the first AMF. This horizontal KAMF derivation indication may be called keyAmfHDerivationInd.
The initial AMF sends, in the first service operation, the current security context, or the new KAMF, or the new security context, or the horizontal KAMF derivation indication.
In this application, the current security context includes the current NAS security context, and the current NAS security context includes the current KAMF. The new KAMF generated by the initial AMF from the current KAMF is also called the derived KAMF. The new security context generated by the initial AMF from the current KAMF is also called the derived security context. The new NAS security context generated by the initial AMF from the current KAMF is also called the derived NAS security context, and it includes the derived KAMF. The new security context generated by the initial AMF from the current KAMF includes the new NAS security context generated by the initial AMF from the current KAMF. The horizontal KAMF derivation indication, also called the KAMF horizontal derivation indication, indicates that a new KAMF has been generated, or that horizontal KAMF derivation has been performed.
Specifically, in the registration procedure shown in FIG. 2, it follows from the description of S14 that, after the first AMF receives the first service operation, the first N1 message it sends to the UE can be one of the following:
Possibility 1: if the first AMF decides to initiate primary authentication (for example, the first AMF did not receive the NAS security context of the UE, or it received the NAS context of the UE but decides not to use the received KAMF), the first AMF sends an authentication request message to the UE;
Possibility 2: if the first service operation carries the UE context and the first AMF decides to use the received KAMF, and the first AMF either selects new ciphering and/or integrity protection algorithms or received the horizontal KAMF derivation indication, the first AMF sends a NAS SMC message to the UE;
Possibility 3: if the first service operation carries the UE context and the first AMF decides to use the received key and the received ciphering and/or integrity protection algorithms (the security algorithms used between the UE and the second AMF), the first AMF sends some other N1 message to the UE.
In the case of possibility 1, the authentication request message sent by the first AMF to the UE may be discarded by the UE. For example, if before the initial AMF invoked the first service operation a new NAS security context was established between the initial AMF and the UE, or a NAS SMC procedure was completed successfully between the initial AMF and the UE, or NAS security protection was activated between the initial AMF and the UE, or the initial AMF and the UE exchanged security-protected NAS messages, then the UE may discard the authentication request message from the first AMF without processing it. The reason is that, having established a new NAS security context with the initial AMF through the NAS SMC procedure, the UE processes only N1 messages protected by that new NAS security context, or NAS SMC messages. When the first AMF decides to perform primary authentication and sends an authentication request message to the UE, the current protocol does not define that this message must be protected; the UE therefore receives an unprotected authentication request message, discards it, and registration ultimately fails.
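The failure in possibility 1, and the remedy this application proposes later (the first AMF sends a protected authentication request), both come down to one UE-side acceptance rule. The simulation below is an added example, not code from the patent or from 3GPP, and compresses steps S4 to S14 of FIG. 2 to the security-relevant messages: primary authentication at the initial AMF, a NAS SMC that takes Kamf_new into use, hand-over of the UE context to the first AMF, and the first AMF's Authentication Request sent either unprotected (current behaviour) or integrity-protected with the received context. It assumes a 32-bit truncated HMAC-SHA-256 in place of the NIA integrity algorithms, a NAS integrity key derived from Kamf with a fixed label, and a plain dataclass message layout instead of the TS 24.501 encoding; all key values are constructed.

```python
"""
Simulation of the UE-side check behind the registration failure in Figure 2
(possibility 1) and of the proposed remedy: the first AMF integrity-protects its
Authentication Request with the NAS security context handed over by the initial
AMF.  Added example, not code from the patent or from 3GPP.  Assumptions: truncated
HMAC-SHA-256 stands in for the NIA algorithms, K_NASint is derived from Kamf with a
fixed label, and messages are plain dataclasses, not the TS 24.501 encoding.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

DOWNLINK = 0x01
# Messages the UE tolerates without protection, and only before NAS security is activated.
PLAIN_ALLOWED_BEFORE_ACTIVATION = {"AUTHENTICATION_REQUEST", "IDENTITY_REQUEST"}


@dataclass
class NasSecurityContext:
    kamf: bytes
    ngksi: int          # key set identifier naming kamf
    dl_count: int = 0   # downlink NAS COUNT (simplified to a full 32-bit counter)

    @property
    def k_nas_int(self) -> bytes:
        # Assumption: NAS integrity key derived from Kamf with a fixed label.
        return hmac.new(self.kamf, b"K_NASint", hashlib.sha256).digest()


@dataclass
class NasMessage:
    msg_type: str
    payload: bytes
    ngksi: Optional[int] = None    # present only when integrity protected
    mac: Optional[bytes] = None    # 32-bit NAS-MAC; None means unprotected


def nas_mac(k_nas_int: bytes, count: int, direction: int, payload: bytes) -> bytes:
    """Simplified NAS-MAC: truncated HMAC over COUNT || DIRECTION || payload."""
    data = count.to_bytes(4, "big") + bytes([direction]) + payload
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:4]


def protect(ctx: NasSecurityContext, msg_type: str, payload: bytes) -> NasMessage:
    """Network side: integrity-protect a downlink message and advance DL NAS COUNT."""
    mac = nas_mac(ctx.k_nas_int, ctx.dl_count, DOWNLINK, payload)
    ctx.dl_count += 1
    return NasMessage(msg_type, payload, ngksi=ctx.ngksi, mac=mac)


@dataclass
class UE:
    stored: Dict[int, NasSecurityContext] = field(default_factory=dict)  # keyed by ngKSI
    current: Optional[NasSecurityContext] = None   # context taken into use by NAS SMC
    security_activated: bool = False

    def handle(self, msg: NasMessage) -> str:
        """'ACCEPTED' or 'DISCARDED' per the rule in the text: once a NAS security
        context is in use, only messages protected with that context (or a NAS SMC
        taking a stored context into use) are processed."""
        if msg.mac is None:
            if not self.security_activated and msg.msg_type in PLAIN_ALLOWED_BEFORE_ACTIVATION:
                return "ACCEPTED"
            return "DISCARDED"
        if msg.msg_type == "SECURITY_MODE_COMMAND":
            ctx = self.stored.get(msg.ngksi)
        elif self.current is not None and self.current.ngksi == msg.ngksi:
            ctx = self.current
        else:
            ctx = None
        if ctx is None:
            return "DISCARDED"
        expected = nas_mac(ctx.k_nas_int, ctx.dl_count, DOWNLINK, msg.payload)
        if not hmac.compare_digest(expected, msg.mac):
            return "DISCARDED"
        ctx.dl_count += 1
        if msg.msg_type == "SECURITY_MODE_COMMAND":
            self.current = ctx
            self.security_activated = True
        return "ACCEPTED"


def run_redirect_scenario(protect_auth_request: bool) -> str:
    """S4..S14 of Figure 2 reduced to the security-relevant messages; returns the
    UE's verdict on the first AMF's Authentication Request."""
    ue = UE()
    # S4: primary authentication gives both sides Kamf_new / ngKSI_new (constructed values).
    kamf_new = hashlib.sha256(b"constructed primary authentication output").digest()
    ngksi_new = 3
    initial_amf = NasSecurityContext(kamf_new, ngksi_new)
    ue.stored[ngksi_new] = NasSecurityContext(kamf_new, ngksi_new)
    # S5: NAS SMC protected with Kamf_new takes the new context into use at the UE.
    smc = protect(initial_amf, "SECURITY_MODE_COMMAND", b"selected NAS algorithms")
    if ue.handle(smc) != "ACCEPTED":
        raise RuntimeError("NAS SMC must be accepted for the scenario to apply")
    # S14: the initial AMF hands the UE context (key, ngKSI, NAS COUNT) to the first AMF.
    first_amf = NasSecurityContext(initial_amf.kamf, initial_amf.ngksi, initial_amf.dl_count)
    if protect_auth_request:
        auth_req = protect(first_amf, "AUTHENTICATION_REQUEST", b"RAND || AUTN")
    else:
        auth_req = NasMessage("AUTHENTICATION_REQUEST", b"RAND || AUTN")
    return ue.handle(auth_req)


if __name__ == "__main__":
    print("unprotected Authentication Request:", run_redirect_scenario(False))
    print("protected Authentication Request:  ", run_redirect_scenario(True))
```

Two details carry the security argument. First, the first AMF can only protect the message if S14 delivered a usable context, including the downlink NAS COUNT; a stale or reset counter fails the MAC check just as an unprotected message fails the activation check. Second, a NAS SMC is the one message allowed to select a stored but not yet active context by ngKSI, which is why the text lists it as the other message type the UE will still process.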
In addition, to aid understanding of the embodiments of this application, the following points are noted.
First, in this application, "used to indicate" includes both direct indication and indirect indication. When a piece of indication information is described as indicating A, the indication information may indicate A directly or indirectly; it does not necessarily carry A itself.
Calling the information indicated by the indication information "the information to be indicated", there are many ways to indicate it in a specific implementation, for example but not limited to: indicating it directly, such as the information itself or an index of it; indicating it indirectly by indicating other information that is associated with it; or indicating only part of it while the remaining part is known or agreed in advance. A specific item may also be indicated by means of a pre-agreed (for example, protocol-specified) ordering of the items, which reduces indication overhead to some extent. Likewise, the common part of several items may be identified and indicated once, to reduce the overhead of indicating the same information separately.
Second, "first", "second" and the various numerals (for example, "#1", "#2") in this application are used only for convenience of description, to distinguish objects (for example, the second AMF from the first AMF), and do not limit the scope of the embodiments. They do not describe a particular order or sequence. Objects described in this way may be interchanged where appropriate, so that solutions other than those of the embodiments can be described.
Third, in this application, "preset" may include predefined, for example, defined by a protocol. "Predefined" may be implemented by storing corresponding code, tables or other means of indicating the relevant information in advance in the device (for example, the user equipment and the access network device); the specific implementation is not limited in this application.
Fourth, "store" in the embodiments of this application may mean storing in one or more memories. The one or more memories may be separate, or integrated in an encoder or decoder, a processor or a communication apparatus; or partly separate and partly integrated in a decoder, a processor or a communication apparatus. The memory may be any form of storage medium; this is not limited in this application.
Fifth, "protocol" in the embodiments of this application may mean a standard protocol in the communications field, for example the LTE protocol, the new radio (NR) protocol, or related protocols applied in future communication systems; this is not limited in this application.
Sixth, for ease of understanding, the main parameters involved in the embodiments below are summarized:
Kamf: the AMF key contained in the NAS security context established between the UE and the second AMF;
Kamf′: the AMF key generated by key derivation from Kamf;
KAMF: an AMF key, which may refer to Kamf or Kamf′ above or to another AMF key.
To address the possible registration failure in the registration procedure shown in FIG. 2, this application provides a method for registration in which the first AMF sends a protected authentication request message, so that the UE does not discard the authentication request message and the probability of successful registration is increased. The method for registration provided in the embodiments of this application is described in detail below with reference to the accompanying drawings.
It should be understood that the method provided in the embodiments of this application can be applied to the network architecture shown in FIG. 1, and specifically to scenarios in which AMF redirection occurs.
It should also be understood that the embodiments shown below do not specifically limit the structure of the entity that executes the method provided in the embodiments of this application, as long as that entity can communicate according to the method by running a program that records the code of the method. For example, the executing entity may be a user equipment or an access network device, or a functional module within a user equipment or an access network device that can invoke and execute the program.
In the following, without loss of generality, the method for registration provided in the embodiments of this application is described in detail using the interaction between a user equipment and network devices as an example, where the network devices include access network devices and core network devices.
FIG. 3 is a schematic flowchart of a method for registration provided in an embodiment of this application. The executing entities include the UE, the initial AMF, the second AMF, the first AMF, the UDM, the NSSF and the NRF.
The method for registration includes some or all of the following steps.
S310: The UE sends an RR message to the initial AMF; this is similar to S1 in FIG. 2 and is not repeated here.
Optionally, if the RR message received by the initial AMF carries the 5G-GUTI of the UE, the initial AMF requests the UE context from the second AMF.
That is, the registration procedure shown in FIG. 3 may further include S320: the initial AMF invokes the sixth service operation of the second AMF; this is similar to S2 in FIG. 2 and is not repeated here.
S330: The second AMF sends a sixth service operation response to the initial AMF; this is similar to S3 in FIG. 2 and is not repeated here.
Optionally, when the initial AMF decides to initiate the primary authentication procedure, the registration procedure shown in FIG. 3 further includes S340: the initial AMF initiates the primary authentication procedure; this is similar to S4 in FIG. 2 and is not repeated here.
S350: The initial AMF sends a NAS SMC message to the UE; this is similar to S5 in FIG. 2 and is not repeated here.
S360: The UE sends a NAS SMP message to the initial AMF; this is similar to S6 in FIG. 2 and is not repeated here.
S370: The initial AMF invokes the second service operation of the UDM; this is similar to S7 in FIG. 2 and is not repeated here.
S380: The UDM sends a second service operation response to the initial AMF; this is similar to S8 in FIG. 2 and is not repeated here.
S390: The initial AMF invokes the third service operation of the NSSF; this is similar to S9 in FIG. 2 and is not repeated here.
S391: The NSSF sends a third service operation response to the initial AMF; this is similar to S10 in FIG. 2 and is not repeated here.
S392: The initial AMF invokes the fourth service operation of the second AMF; this is similar to S11 in FIG. 2 and is not repeated here.
S393: The initial AMF invokes the fifth service operation of the NRF; this is similar to S12 in FIG. 2 and is not repeated here.
S394: The NRF sends a fifth service operation response to the initial AMF; this is similar to S13 in FIG. 2 and is not repeated here.
S395: The initial AMF invokes a first service operation of the first AMF; the first service operation is used to indicate that AMF redirection has occurred.
Unlike the registration procedure shown in FIG. 2, in this embodiment, after the first AMF receives the above first service operation, the first AMF protects the first message, or the first AMF does not perform primary authentication.
Specifically, the first AMF protecting the first message, or the first AMF not performing primary authentication, covers the following two cases:
Case 1: The first AMF receives first indication information.
As a possible implementation, the first indication information is used to instruct the first AMF to protect the first message. In this implementation, the first AMF determines from the first indication information that the first message should be protected.
As another possible implementation, the first indication information is used to instruct the first AMF to use the received KAMF, or to use the received security context, or not to perform primary authentication, or to skip the primary authentication procedure and proceed with the other procedures of registration. In this implementation, the first AMF does not perform primary authentication, or uses the received KAMF, or skips primary authentication and proceeds with the other procedures of the registration procedure; the first AMF still protects N1 messages with the received NAS security context.
The first message is an authentication request message, or the first message is an N1 message, or the first message is an N1 message other than a NAS SMC message.
It should be understood that the main purpose of the method for registration provided in the embodiments of this application is to prevent registration failure caused by the UE discarding an unprotected authentication request message sent by the first AMF when AMF redirection occurs. It is therefore sufficient that the above first message includes an authentication request message; other messages may also fall within the scope of the first message, and those other messages are not necessarily limited to N1 messages. In the embodiments of this application, "the first message includes an authentication request message" is to be understood as meaning that the first message may be an authentication request message.
As a possible implementation, the first indication information is carried in the above first service operation. That is, an IE is added to the first service operation shown in FIG. 2, and the added IE is the above first indication information.
As another possible implementation, the first indication information is newly added signalling between the initial AMF and the first AMF, sent to the first AMF before the first AMF sends the above first message.
To save signalling overhead, the first indication information may be carried in the above first service operation sent to the first AMF, which amounts to adding an IE to the existing signalling between the initial AMF and the first AMF without adding a new signalling message.
In case 1, before the initial AMF sends the first indication information to the first AMF, the initial AMF determines that the first indication information needs to be sent to the first AMF. That is, the method flow shown in FIG. 3 further includes S396: the initial AMF determines to send the first indication information to the first AMF.
Specifically, when a first preset condition is met, the initial AMF sends the first indication information to the first AMF, and correspondingly the first AMF receives the first indication information.
The first preset condition is any one or more of the following conditions:
a secure exchange of NAS messages has taken place between the initial AMF and the UE; NAS SMC has been performed successfully between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the initial AMF has performed horizontal KAMF derivation; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; or the initial AMF uses a KAMF, received from the second AMF, that was produced by horizontal KAMF derivation.
When the first preset condition is not met, the initial AMF does not send the first indication information to the first AMF, and the first AMF therefore does not receive the first indication information.
As a possible implementation, if the first AMF does not receive the first indication information, the first AMF decides according to local policy whether to perform primary authentication. If the first AMF decides to perform primary authentication, it either sends an unprotected authentication request message, or protects the authentication request message with the received security context and sends the protected authentication request message.
Further, the first indication information may be used to indicate at least one of the following:
a secure exchange of NAS messages has taken place between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the NAS SMC procedure has been performed successfully between the initial AMF and the UE; the first AMF should protect the first message with the received NAS security context; the first AMF does not perform the primary authentication procedure; the first AMF skips the primary authentication procedure and proceeds with the other procedures of registration; or the first AMF uses the received KAMF.
Specifically, the UE context in the above first service operation includes the NAS security context, which may be a NAS security context obtained after horizontal derivation.
After the first AMF receives the above first indication information, the method flow shown in FIG. 3 further includes S397: the first AMF protects the first message according to the first indication information, and sends the protected first message to the UE; the method flow shown in FIG. 3 further includes S301: the first AMF sends the protected first message to the UE.
Optionally, when the first indication information is used to instruct the first AMF to use the received KAMF, or not to perform the primary authentication procedure, or to skip the primary authentication procedure and proceed with the other procedures of registration, the method flow shown in FIG. 3 may further include S302: the first AMF does not perform primary authentication according to the first indication information, which may also be described as the first AMF skipping primary authentication and proceeding with the other procedures of registration according to the first indication information, or the first AMF using the received KAMF. The first AMF still protects N1 messages with the received NAS security context.
Specifically, the first AMF protecting the first message according to the first indication information includes any one of the following possibilities:
When the first AMF decides according to local policy to initiate primary authentication: the first AMF protects the authentication request message with the received NAS security context; or the first AMF protects the authentication request message with the received KAMF and security algorithm; or the first AMF computes NAS keys from the received KAMF and the received security algorithm, and protects the authentication request message with the computed NAS keys and the received algorithm.
When the first AMF decides according to the first indication information not to perform primary authentication or to skip primary authentication, the first AMF protects N1 messages with the received NAS security context or KAMF.
When the first AMF decides according to local policy to use the received KAMF: the first AMF protects N1 messages with the received NAS security context; or protects N1 messages other than the NAS SMC message with the received NAS security context; or protects N1 messages with the received KAMF and security algorithm; or protects N1 messages other than the NAS SMC message with the received KAMF and security algorithm; or computes NAS keys from the received KAMF and the received security algorithm and protects N1 messages with the computed NAS keys and the received algorithm; or computes NAS keys from the received KAMF and the received security algorithm and protects N1 messages other than the NAS SMC message with the computed NAS keys and the received algorithm.
Case 2: After the first AMF receives the first service operation, the first AMF may also protect the first message.
As a possible implementation, the first AMF protects the first message based on receiving the first service operation.
As a possible implementation, the first AMF determines from the received first service operation whether AMF redirection has occurred, and if so, protects the first message.
As a possible implementation, based on receiving the first service operation, the first AMF uses the received KAMF, or does not perform primary authentication, or skips primary authentication and proceeds with the other procedures of the registration procedure. In this implementation, the first AMF still protects N1 messages with the received NAS security context.
As a possible implementation, the first AMF determines from the received first service operation whether AMF redirection has occurred. If AMF redirection has occurred, the first AMF uses the received KAMF, or does not perform primary authentication, or skips primary authentication and proceeds with the other procedures of the registration procedure. In this implementation, the first AMF still protects N1 messages with the received NAS security context.
The first AMF determines that AMF redirection has occurred from the registration context container information element (registrationCtxtContainer IE) carried in the first service operation, and/or from the fact that the type of the N1 message notified in the first service operation is 5GMM.
In case 2, the method flow shown in FIG. 3 further includes S398: the first AMF protects the first message and sends the protected first message to the UE; the method flow shown in FIG. 3 further includes S301: the first AMF sends the protected first message to the UE.
Optionally, when the first AMF, based on receiving the first service operation, uses the received KAMF, does not perform primary authentication, or skips primary authentication, the method flow shown in FIG. 3 may further include S303: the first AMF does not perform primary authentication according to the first service operation, which may also be described as the first AMF skipping primary authentication and proceeding with the other procedures of registration according to the first service operation, or the first AMF using the received KAMF. The first AMF still protects N1 messages with the received NAS security context.
Specifically, the first AMF protecting the first message includes any one of the following possibilities:
When the first AMF decides according to local policy to initiate primary authentication: the first AMF protects the authentication request message with the received KAMF; or protects the authentication request message with the received NAS security context; or protects the authentication request message with the received KAMF and security algorithm; or computes NAS keys from the received KAMF and the received security algorithm, and protects the authentication request message with the computed NAS keys and the received algorithm.
When the first AMF decides according to the first service operation not to perform primary authentication or to skip primary authentication, the first AMF sends a NAS SMC message or another N1 message to the UE protected with the received NAS security context or KAMF.
When the first AMF decides according to local policy not to initiate primary authentication, that is, when the first AMF sends a NAS SMC message or another N1 message to the UE: the first AMF protects N1 messages with the received NAS security context; or protects N1 messages other than the NAS SMC message with the received NAS security context; or protects N1 messages with the received KAMF and security algorithm; or protects N1 messages other than the NAS SMC message with the received KAMF and security algorithm; or computes NAS keys from the received KAMF and the received security algorithm and protects N1 messages with the computed NAS keys and the received algorithm; or computes NAS keys from the received KAMF and the received security algorithm and protects N1 messages other than the NAS SMC message with the computed NAS keys and the received algorithm.
As a possible implementation, after receiving the first service operation, the first AMF determines that AMF redirection has occurred, and then protects the first message. The method flow shown in FIG. 3 then further includes S399: the first AMF determines that AMF redirection has occurred.
Optionally, the first AMF may determine from the IE(s) carried in the first service operation whether AMF redirection has occurred. For example, if the N1 message type carried in the first service operation includes 5GMM, the first AMF determines that AMF redirection has occurred; as another example, if the first service operation carries a registration context container (registration Context Container) type IE, the first AMF determines that AMF redirection has occurred.
As a possible implementation, after determining that AMF redirection has occurred, the first AMF may skip the primary authentication procedure and proceed with the other procedures of registration; in other words, after determining that AMF redirection has occurred, the first AMF may refrain from primary authentication, and the first AMF protects the first message with the received NAS security context, or uses the received KAMF.
It should be understood that the above ways in which the first AMF determines that AMF redirection has occurred are merely examples and do not limit the scope of protection of this application; the provisions of current or future protocols on determining whether AMF redirection has occurred may be referred to, and are not repeated here.
In the method flow shown in FIG. 3, the first AMF sends a protected authentication request message, so that the UE does not discard a received authentication request message because it is unprotected.
FIG. 4 is a schematic flowchart of another method for registration provided in an embodiment of this application. The executing entities include the UE, the (R)AN, the initial AMF, the second AMF, the first AMF, the UDM, the NSSF and the NRF.
The method for registration includes some or all of the following steps.
S410: The UE sends an RR message to the initial AMF; this is similar to S1 in FIG. 2 and is not repeated here.
Optionally, if the RR message received by the initial AMF carries the 5G-GUTI of the UE, the initial AMF requests the UE context from the second AMF. That is, the registration procedure shown in FIG. 3 further includes S420: the initial AMF invokes the sixth service operation of the second AMF; this is similar to S2 in FIG. 2 and is not repeated here.
S430: The second AMF sends a sixth service operation response to the initial AMF; this is similar to S3 in FIG. 2 and is not repeated here.
Optionally, when the initial AMF decides to initiate the primary authentication procedure, the registration procedure shown in FIG. 3 further includes S440: the initial AMF initiates the primary authentication procedure; this is similar to S4 in FIG. 2 and is not repeated here.
S450: The initial AMF sends a NAS SMC message to the UE; this is similar to S5 in FIG. 2 and is not repeated here.
S460: The UE sends a NAS SMP message to the initial AMF; this is similar to S6 in FIG. 2 and is not repeated here.
S470: The initial AMF invokes the second service operation of the UDM; this is similar to S7 in FIG. 2 and is not repeated here.
S480: The UDM sends a second service operation response to the initial AMF; this is similar to S8 in FIG. 2 and is not repeated here.
Unlike the registration procedure shown in FIG. 2, in the method flow for registration shown in FIG. 4 the initial AMF determines to send second indication information to the UE, instructing the UE to accept an unprotected authentication request message. This avoids the situation in the registration procedure of FIG. 2 in which the UE discards the unprotected authentication request message sent by the first AMF. The registration procedure shown in FIG. 4 therefore further includes S481: the initial AMF sends the second indication information to the UE. The second indication information is used to instruct the UE to accept an unprotected authentication request message; this may equally be understood as instructing the UE to process an unprotected authentication request message, or as instructing the UE not to discard an unprotected authentication request message.
The initial AMF determining to send the second indication information to the UE includes the initial AMF determining to send the second indication information to the UE based on a second preset condition; that is, when at least one of the following second preset conditions is met, the initial AMF determines to send the second indication information to the UE:
the initial AMF decides to initiate AMF redirection; the initial AMF decides to initiate AMF redirection via the RAN; before the AMF redirection, a secure exchange of NAS messages took place between the initial AMF and the UE; before the AMF redirection, NAS SMC was performed successfully between the initial AMF and the UE; before the AMF redirection, a security association was established between the UE and the initial AMF; before the AMF redirection, security protection was activated between the UE and the initial AMF; before the AMF redirection, a new NAS security context was established between the UE and the initial AMF; before the AMF redirection, primary authentication was performed between the UE and the initial AMF; before the AMF redirection, the initial AMF selected a security algorithm different from the one selected by the second AMF; or before the AMF redirection, the initial AMF used a KAMF, received from the second AMF, that was produced by horizontal KAMF derivation.
It should be understood that this application does not limit how the initial AMF sends the second indication information to the UE: the second indication information may be added to an existing message, or a new signalling message may be added to carry the second indication information.
For example, the initial AMF sending the second indication information may consist of the initial AMF sending the UE an N1 message that instructs the UE to accept an unprotected authentication request message; as another example, it may consist of the initial AMF sending the UE an N1 message (for example a configuration update command message, a NAS SMC message, a 5GMM status message or a downlink NAS transport message) that carries the second indication information.
Similarly to the registration procedure shown in FIG. 2, the method flow for registration shown in FIG. 4 should further include S490: the initial AMF invokes the third service operation of the NSSF; this is similar to S9 in FIG. 2 and is not repeated here.
S491: The NSSF sends a third service operation response to the initial AMF; this is similar to S10 in FIG. 2 and is not repeated here.
S492: The initial AMF invokes the fourth service operation of the second AMF; this is similar to S11 in FIG. 2 and is not repeated here.
S493: The initial AMF invokes the fifth service operation of the NRF; this is similar to S12 in FIG. 2 and is not repeated here.
S494: The NRF sends a fifth service operation response to the initial AMF; this is similar to S13 in FIG. 2 and is not repeated here.
S495: The initial AMF invokes the first service operation of the first AMF; this is similar to S14 in FIG. 2 and is not repeated here.
It should be understood that S481 may take place at any time after S460 and before S493.
Specifically, unlike the registration procedure shown in FIG. 2, because the UE has received the above second indication information in advance, after S495, when the UE receives an unprotected authentication request message sent by the first AMF, the UE does not discard that authentication request message. The method flow for registration shown in FIG. 4 should therefore further include S496: the UE receives an unprotected first message from the first AMF, the first message including an authentication request message, so that registration failure caused by the UE discarding an unprotected authentication request message is avoided.
Fig. 11 is a schematic flowchart of yet another registration method provided in an embodiment of this application. The entities involved are the UE, the initial AMF, the second AMF, the first AMF, the UDM, the NSSF and the NRF.
The registration method includes some or all of the following steps.
S510: the UE sends an RR message to the initial AMF, which is similar to S1 in Fig. 2 and is not repeated here.
Optionally, if the RR message received by the initial AMF carries the 5G-GUTI of the UE, the initial AMF requests the UE context from the second AMF.
That is, the registration procedure shown in Fig. 11 may further include S520: the initial AMF invokes the sixth service operation of the second AMF, which is similar to S2 in Fig. 2 and is not repeated here.
S530: the second AMF sends the sixth service operation response to the initial AMF, which is similar to S3 in Fig. 2 and is not repeated here.
Optionally, if the initial AMF decides to initiate primary authentication, the registration procedure shown in Fig. 11 further includes S540: the initial AMF initiates the primary authentication procedure, which is similar to S4 in Fig. 2 and is not repeated here.
S550: the initial AMF sends a NAS SMC message to the UE, which is similar to S5 in Fig. 2 and is not repeated here.
S560: the UE sends a NAS SMP message to the initial AMF, which is similar to S6 in Fig. 2 and is not repeated here.
S570: the initial AMF invokes the second service operation of the UDM, which is similar to S7 in Fig. 2 and is not repeated here.
S580: the UDM sends the second service operation response to the initial AMF, which is similar to S8 in Fig. 2 and is not repeated here.
S590: the initial AMF invokes the third service operation of the NSSF, which is similar to S9 in Fig. 2 and is not repeated here.
S591: the NSSF sends the third service operation response to the initial AMF, which is similar to S10 in Fig. 2 and is not repeated here.
S592: the initial AMF invokes the fourth service operation of the second AMF, which is similar to S11 in Fig. 2 and is not repeated here.
S593: the initial AMF invokes the fifth service operation of the NRF, which is similar to S12 in Fig. 2 and is not repeated here.
S594: the NRF sends the fifth service operation response to the initial AMF, which is similar to S13 in Fig. 2 and is not repeated here.
S595: the initial AMF invokes the first service operation of the first AMF; the first service operation is used to notify the first AMF of the N1 message that was received. When the initial AMF holds the complete Registration Request message and/or the UE context, the initial AMF sends the complete Registration Request message and/or the UE context to the first AMF through the first service operation.
Unlike the registration procedure shown in Fig. 2, in this embodiment the initial AMF decides, before invoking the first service operation of the first AMF, whether to perform horizontal KAMF derivation; that is, the method shown in Fig. 11 further includes S596: the initial AMF decides whether to perform horizontal KAMF derivation.
If the initial AMF decides not to perform horizontal KAMF derivation, the initial AMF sends the current security context, including the current KAMF, to the first AMF.
If the initial AMF decides to perform horizontal KAMF derivation, the initial AMF generates a new KAMF, a new security context or a new NAS security context from the current KAMF, sends the new KAMF (or the new security context, or the new NAS security context) to the first AMF, and also sends a horizontal KAMF derivation indication to the first AMF. This horizontal KAMF derivation indication may be called keyAmfHDerivationInd.
Optionally, the initial AMF sends the security context of the UE (the current security context, or the new KAMF, or the new security context, or the horizontal KAMF derivation indication) to the first AMF through the first service operation; alternatively, the initial AMF may send the security context of the UE to the first AMF in a message other than the first service operation. This application does not limit the specific way in which the initial AMF sends the security context of the UE to the first AMF.
The initial AMF may decide whether to perform horizontal KAMF derivation in any one of the following three ways:
Method 1: the initial AMF does not perform horizontal KAMF derivation, i.e. the initial AMF sends the current security context to the first AMF.
Method 2: the initial AMF decides according to local policy whether to perform horizontal KAMF derivation, i.e. the initial AMF determines according to local policy either to perform horizontal KAMF derivation or not to perform it.
Method 3: the initial AMF decides according to a fourth preset condition whether to perform horizontal KAMF derivation. If the initial AMF determines that the fourth preset condition is satisfied, it does not perform horizontal KAMF derivation, i.e. it sends the current security context to the first AMF; if the initial AMF determines that the fourth preset condition is not satisfied, it decides according to local policy whether to perform horizontal KAMF derivation, i.e. it determines according to local policy either to perform horizontal KAMF derivation or not to perform it. The fourth preset condition is any one or more of the following:
a secure exchange of NAS messages has taken place between the initial AMF and the UE; NAS SMC has been completed successfully between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the initial AMF has used a KAMF received from the second AMF that was generated by horizontal KAMF derivation; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and has decided to use the KAMF received from the second AMF.
Unlike the registration procedure shown in Fig. 2, in this embodiment the first AMF, after receiving the first service operation described above, performs any one of the following options:
Option 1: the first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context.
It should be understood that "the first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context" means that the first AMF skips primary authentication and proceeds with the remaining steps of the registration procedure. Under this option, the method shown in Fig. 11 further includes S5951: the first AMF skips primary authentication, or the first AMF uses the received KAMF or security context. The first AMF protects a third message based on the received KAMF or security context and sends the third message to the UE, so the method shown in Fig. 11 further includes S5952: the first AMF sends the third message to the UE. Specifically, the first AMF derives a NAS encryption key and a NAS integrity key from the received KAMF or security context and protects the third message with the derived NAS encryption key and/or NAS integrity key. Under this option, the third message is any N1 message that does not include an Authentication Request.
In this embodiment, "the first AMF does not perform primary authentication" means that the first AMF uses the received KAMF or security context.
Option 2: the first AMF protects the Authentication Request message, and/or the first AMF sends a security-protected Authentication Request message, and/or the first AMF sends a security-protected N1 message that includes the Authentication Request message. The method shown in Fig. 11 further includes S5953: the first AMF protects the Authentication Request message; and S5954: the first AMF sends the security-protected Authentication Request message to the UE, which can equally be understood as the first AMF sending the UE a security-protected N1 message that includes the Authentication Request message.
It should be understood that "the first AMF protects the Authentication Request message" means that the first AMF protects the Authentication Request message based on the received KAMF or security context and sends the security-protected Authentication Request message. Specifically, the first AMF derives a NAS encryption key and a NAS integrity key from the received KAMF or security context, protects the Authentication Request message with the derived NAS encryption key and/or NAS integrity key, and sends the security-protected Authentication Request message.
It should likewise be understood that "the first AMF sends a security-protected Authentication Request message" means that the first AMF protects the Authentication Request message based on the received KAMF or security context and sends the security-protected Authentication Request message. Specifically, the first AMF derives a NAS encryption key and a NAS integrity key from the received KAMF or security context, protects the Authentication Request message with the derived NAS encryption key and/or NAS integrity key, and sends the security-protected Authentication Request message.
It should be understood that in this embodiment "the first AMF sends a security-protected N1 message that includes the Authentication Request message" means that the first AMF protects the N1 message based on the received KAMF or security context and sends the security-protected N1 message. Specifically, the first AMF derives a NAS encryption key and a NAS integrity key from the received KAMF or security context, protects the N1 message with the derived NAS encryption key and/or NAS integrity key, and sends the security-protected N1 message. The N1 message here includes the Authentication Request message.
Option 3: the first AMF sends an Authentication Request message without security protection, or the first AMF initiates NAS SMC. The method shown in Fig. 11 further includes S5955: the first AMF initiates NAS SMC; and S5956: the first AMF sends an unprotected Authentication Request message to the UE.
Option 4: the first AMF does not perform primary authentication; or the first AMF protects the Authentication Request message; or the first AMF sends a security-protected N1 message that includes the Authentication Request message. The method shown in Fig. 11 further includes S5956: the first AMF protects the Authentication Request message, or the first AMF does not perform primary authentication; and S5957: the first AMF sends the security-protected Authentication Request message to the UE, which can be understood as the first AMF sending the UE a security-protected N1 message that includes the Authentication Request message.
It should be understood that in this embodiment "the first AMF does not perform primary authentication", i.e. the first AMF uses the received KAMF or security context, means that the first AMF skips primary authentication and proceeds with the remaining steps of the registration procedure. In this implementation the first AMF protects the third message based on the received KAMF or security context; specifically, the first AMF derives a NAS encryption key and a NAS integrity key from the received KAMF or security context and protects the third message with the derived NAS encryption key and/or NAS integrity key. Under this option, the third message is any N1 message that does not include an Authentication Request.
"The first AMF protects the Authentication Request message" means that the first AMF protects the Authentication Request message based on the received KAMF or security context and sends the security-protected Authentication Request message. Specifically, the first AMF derives a NAS encryption key and a NAS integrity key from the received KAMF or security context, protects the Authentication Request message with the derived NAS encryption key and/or NAS integrity key, and sends the security-protected Authentication Request message.
As a possible implementation of Option 1: after the first AMF receives the first service operation described above, the first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context.
As another possible implementation of Option 1: after the first AMF receives the first service operation described above, it determines whether an AMF redirection or a direct non-access-stratum reroute (also called direct NAS reroute) has occurred. If an AMF redirection or direct NAS reroute has occurred, the first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context. The first AMF determines that an AMF redirection has occurred from the registration context container information element (registrationCtxtContainer IE) carried in the first service operation, and/or from the type of the N1 message notified in the first service operation being 5GMM.
As yet another possible implementation of Option 1: if the first AMF receives the horizontal KAMF derivation indication sent by the initial AMF, the first AMF, according to that indication, does not perform primary authentication, or uses the received KAMF or security context.
If the first AMF does not receive a horizontal KAMF derivation indication from the initial AMF, the first AMF may perform any one of the following operations:
Operation 1: the first AMF still does not perform primary authentication, or uses the received KAMF or security context.
Operation 2: if the first AMF performs primary authentication according to local policy, it shall protect the Authentication Request message based on the received KAMF or security context and send the security-protected Authentication Request message; if the first AMF does not perform primary authentication according to local policy, it shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message.
Operation 3: the first AMF shall protect the N1 message, including the Authentication Request message, based on the received KAMF or security context, and send the security-protected N1 message, including the security-protected Authentication Request message.
As a possible implementation of Option 1: if the first AMF receives a tenth indication sent by the initial AMF, the first AMF, according to the tenth indication, does not perform primary authentication, or uses the received KAMF or security context. The tenth indication is used to instruct the first AMF not to perform primary authentication, or to use the received KAMF or security context.
This implementation further includes, before S595 (the initial AMF invoking the first service operation of the first AMF), the initial AMF determining to send the tenth indication to the first AMF (that is, the method shown in Fig. 11 further includes S5961: the initial AMF determines to send the tenth indication to the first AMF). Specifically, when the initial AMF determines that a tenth preset condition is satisfied, the initial AMF sends the tenth indication to the first AMF, and correspondingly the first AMF receives the tenth indication. Optionally, the initial AMF carries the tenth indication in the first service operation. The tenth preset condition is any one or more of the following:
a secure exchange of NAS messages has taken place between the initial AMF and the UE; NAS SMC has been completed successfully between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the initial AMF performs horizontal KAMF derivation; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the initial AMF has used a KAMF received from the second AMF that was generated by horizontal KAMF derivation; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and has decided to use the KAMF received from the second AMF.
When the tenth preset condition is not satisfied, the initial AMF does not send the tenth indication to the first AMF, and the first AMF therefore does not receive it. If the first AMF does not receive the tenth indication, the first AMF may perform any one of the following operations:
Operation 1: if the first AMF decides to perform primary authentication, the first AMF shall send an unprotected Authentication Request message, or the first AMF shall protect the Authentication Request message based on the received KAMF or security context and send the security-protected Authentication Request message.
Operation 2: if the first AMF decides not to perform primary authentication, the first AMF sends an unprotected N1 message, or the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message.
Operation 3: the first AMF shall send an unprotected N1 message that includes the Authentication Request message.
Operation 4: the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message, which includes the Authentication Request message.
If the first AMF does not receive the tenth indication, the first AMF may alternatively perform any one of the following operations:
Operation 1: if the first AMF decides to perform primary authentication and has not received a horizontal KAMF derivation indication, the first AMF shall send an unprotected Authentication Request message; or the first AMF shall protect the Authentication Request message based on the received KAMF or security context and send the security-protected Authentication Request message.
Operation 2: if the first AMF receives a horizontal KAMF derivation indication, the first AMF shall not perform primary authentication, or shall use the received KAMF or security context, or shall perform NAS SMC.
Operation 3: if the first AMF decides to perform primary authentication, the first AMF shall send an unprotected Authentication Request message.
If the first AMF does not receive the tenth indication, the first AMF may also perform any one of the following operations:
Operation 1: if the first AMF decides to perform primary authentication and has not received a horizontal KAMF derivation indication, the first AMF shall protect the Authentication Request message based on the received KAMF or security context and send the security-protected Authentication Request message.
Operation 2: if the first AMF decides to perform primary authentication and has received a horizontal KAMF derivation indication, the first AMF shall send an unprotected Authentication Request message.
The tenth indication may also be used to indicate any one or more of the following:
a secure exchange of NAS messages has taken place between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the NAS SMC procedure has been completed successfully between the initial AMF and the UE; the initial AMF has performed primary authentication with the UE; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and has decided to use the KAMF or security context received from the second AMF; the initial AMF has performed horizontal KAMF derivation; the initial AMF has generated a new KAMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the first AMF does not perform the primary authentication procedure; the first AMF skips the primary authentication procedure and proceeds with the remaining steps of registration; the first AMF uses the received KAMF or security context.
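The following Python block is an added example written for this page; it is not code from the patent, from Huawei, or from any 3GPP implementation. It ties together three passages above as one runnable model: the initial AMF's decision in S596 (Method 3, with the fourth preset condition reduced to "NAS SMC succeeded or primary authentication ran"), the first AMF's Option 1 handling of the first service operation (redirect detected from the registrationCtxtContainer IE or a 5GMM message class, or keyAmfHDerivationInd, or the tenth indication), and the UE-side rule of Fig. 4 that an unprotected Authentication Request is accepted only after the second indication. Assumptions: the KDF is HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 as in TS 33.220, with the FC values 0x72 (horizontal K_AMF derivation) and 0x69 (NAS algorithm keys) as this example takes them from TS 33.501 Annex A; a truncated HMAC stands in for the NIA integrity algorithm; the field names `tenth_indication` and `second_indication`, the `N1MessageNotify` dataclass and all message bodies are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.220 Annex B.2: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# FC values as this example assumes them from TS 33.501 Annex A (A.13: K_AMF -> K_AMF' on
# horizontal derivation; A.8: NAS algorithm keys). Check them against the spec edition in use.
FC_KAMF_HORIZONTAL = 0x72
FC_NAS_ALG_KEY = 0x69
N_NAS_INT_ALG = 0x02  # algorithm type distinguisher for the NAS integrity key


def horizontal_kamf_derivation(kamf: bytes, dl_nas_count: int) -> bytes:
    """K_AMF' = KDF(K_AMF, FC, DIRECTION = 0x01 (downlink), downlink NAS COUNT)."""
    return kdf(kamf, FC_KAMF_HORIZONTAL, b"\x01", dl_nas_count.to_bytes(4, "big"))


def nas_int_key(kamf: bytes, alg_id: int) -> bytes:
    """K_NASint: the 128 least-significant bits of KDF(K_AMF, FC, alg type, alg id)."""
    return kdf(kamf, FC_NAS_ALG_KEY, bytes([N_NAS_INT_ALG]), bytes([alg_id]))[16:]


def nas_mac(k_int: bytes, payload: bytes) -> bytes:
    """Stand-in for the 32-bit NAS-MAC; the real NIA1/NIA2/NIA3 algorithms are not implemented."""
    return hmac.new(k_int, payload, hashlib.sha256).digest()[:4]


@dataclass
class SecurityContext:
    kamf: bytes
    nas_int_alg: int
    dl_nas_count: int
    key_amf_h_derivation_ind: bool = False  # keyAmfHDerivationInd named in the text


@dataclass
class N1MessageNotify:
    """Subset of the first service operation (Namf_Communication_N1MessageNotify) used here."""
    n1_message_class: str                        # "5GMM" when a Registration Request is rerouted
    registration_ctxt_container: Optional[dict]  # registrationCtxtContainer IE, if present
    ue_context: SecurityContext
    tenth_indication: bool = False               # the text's tenth indication (field name assumed)


def initial_amf_decide(ctx, nas_smc_succeeded, primary_auth_done, policy_says_derive):
    """Method 3 of the text: if the fourth preset condition holds (here: NAS SMC succeeded or
    primary authentication ran), forward the current context unchanged; otherwise local policy
    decides whether to derive a new K_AMF and flag it with keyAmfHDerivationInd."""
    fourth_condition = nas_smc_succeeded or primary_auth_done
    if fourth_condition or not policy_says_derive:
        return ctx
    new_kamf = horizontal_kamf_derivation(ctx.kamf, ctx.dl_nas_count)
    return replace(ctx, kamf=new_kamf, key_amf_h_derivation_ind=True)


def first_amf_handle(notify, local_policy_auth):
    """Option 1 of the text: on a detected redirect (registrationCtxtContainer present or N1
    message class 5GMM), on keyAmfHDerivationInd, or on the tenth indication, skip primary
    authentication and reuse the received context; otherwise local policy decides, but whatever
    is sent is integrity protected with the received K_AMF (operation 2 / Option 2)."""
    ctx = notify.ue_context
    redirected = (notify.registration_ctxt_container is not None
                  or notify.n1_message_class == "5GMM")
    if redirected or ctx.key_amf_h_derivation_ind or notify.tenth_indication:
        action, body = "skip_primary_auth", b"REGISTRATION ACCEPT"  # a "third message"
    elif local_policy_auth:
        action, body = "protected_auth_request", b"AUTHENTICATION REQUEST"
    else:
        action, body = "protected_n1", b"REGISTRATION ACCEPT"
    mac = nas_mac(nas_int_key(ctx.kamf, ctx.nas_int_alg), body)
    return action, body, mac


def ue_receive(ue_ctx, body, mac, kamf_changed=False, second_indication=False):
    """UE side. An unprotected Authentication Request is accepted only if the second indication
    of Fig. 4 was received earlier; a protected message must verify under the UE's own K_NASint,
    after the UE mirrors the horizontal derivation when the network signalled a K_AMF change."""
    if mac is None:
        return body == b"AUTHENTICATION REQUEST" and second_indication
    kamf = ue_ctx.kamf
    if kamf_changed:
        kamf = horizontal_kamf_derivation(kamf, ue_ctx.dl_nas_count)
    expected = nas_mac(nas_int_key(kamf, ue_ctx.nas_int_alg), body)
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    # Constructed inputs: a 256-bit K_AMF, NIA2 (algorithm id 2), downlink NAS COUNT 7.
    ctx = SecurityContext(kamf=bytes(range(32)), nas_int_alg=2, dl_nas_count=7)
    fwd = initial_amf_decide(ctx, nas_smc_succeeded=False, primary_auth_done=False,
                             policy_says_derive=True)
    notify = N1MessageNotify("5GMM", {"registrationRequest": b"RR"}, fwd)
    action, body, mac = first_amf_handle(notify, local_policy_auth=True)
    print(action, body, mac.hex(), ue_receive(ctx, body, mac, kamf_changed=True))
```

The point the model makes explicit is the one the text circles around: once the initial AMF has run NAS SMC or primary authentication with the UE, the target AMF already holds a usable K_AMF, so it can either skip primary authentication or integrity-protect whatever it sends first, and the UE's acceptance of an unprotected Authentication Request should be the exception gated by an explicit indication, not the default. In a real AMF the NIA algorithm, the NAS COUNT handling and the K_AMF change flag in NAS SMC replace the stand-ins used here.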
As a possible implementation of Option 2: if the first AMF receives a ninth indication sent by the initial AMF, then when the first AMF decides to perform primary authentication it shall, according to the ninth indication, protect the Authentication Request message; specifically, the first AMF protects the Authentication Request message based on the received KAMF or security context and sends the security-protected Authentication Request message, or, according to the ninth indication, the first AMF shall send a security-protected N1 message that includes the Authentication Request message. The ninth indication is used to instruct the first AMF to protect the Authentication Request message.
This implementation further includes, before S595 (the initial AMF invoking the first service operation of the first AMF), the initial AMF determining to send the ninth indication to the first AMF (that is, the method shown in Fig. 11 further includes S5962: the initial AMF determines to send the ninth indication to the first AMF). Specifically, when the initial AMF determines that a ninth preset condition is satisfied, the initial AMF sends the ninth indication to the first AMF, and correspondingly the first AMF receives the ninth indication. Optionally, the initial AMF carries the ninth indication in the first service operation. The ninth preset condition is any one or more of the following:
a secure exchange of NAS messages has taken place between the initial AMF and the UE; NAS SMC has been completed successfully between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the initial AMF has used a KAMF received from the second AMF that was generated by horizontal KAMF derivation; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and has decided to use the KAMF received from the second AMF.
When the ninth preset condition is not satisfied, the initial AMF does not send the ninth indication to the first AMF, and the first AMF therefore does not receive it. If the first AMF does not receive the ninth indication, the first AMF may perform any one of the following operations:
Operation 1: if the first AMF decides to perform primary authentication, the first AMF shall send an unprotected Authentication Request message.
Operation 2: if the first AMF decides not to perform primary authentication, the first AMF sends an unprotected N1 message, or the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message.
Operation 3: the first AMF shall send an unprotected N1 message that includes the Authentication Request message.
Operation 4: if the first AMF decides to perform primary authentication and has not received a horizontal KAMF derivation indication, the first AMF shall send an unprotected Authentication Request message, or the first AMF shall protect the Authentication Request message based on the received KAMF or security context and send the security-protected Authentication Request message.
Operation 5: if the first AMF decides to perform primary authentication and has received a horizontal KAMF derivation indication, the first AMF shall send an unprotected Authentication Request message.
The ninth indication may also be used to indicate any one or more of the following:
第一AMF应保护认证请求消息;第一AMF应发送有安全保护认证请求消息;第一AMF应保护认证请求消息;第一AMF应发送有安全保护的N1消息,包括认证请求消息。The first AMF should protect the authentication request message; the first AMF should send a security protection authentication request message; the first AMF should protect the authentication request message; the first AMF should send a security protected N1 message, including the authentication request message.
初始AMF和UE之间进行了NAS消息的安全交互;UE和初始AMF之间建立了安全关联;UE和初始AMF之间激活了安全保护;UE和初始AMF之间建立了新的NAS安全上下文;初始AMF和UE之间成功进行了NAS SMC流程;初始AMF和UE进行主认证;初始AMF从第二AMF处接收到水平KAMF推演指示,并决定使用从第二AMF处接收到的KAMF或安全上下文;初始AMF选择了与第二AMF选择的安全算法不同的安全算法。The security exchange of NAS messages is carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; The NAS SMC process is successfully carried out between the initial AMF and the UE; the initial AMF and the UE perform the primary authentication; the initial AMF receives the horizontal KAMF deduction instruction from the second AMF, and decides to use the KAMF or security context received from the second AMF ; The initial AMF selects a different security algorithm from the security algorithm selected by the second AMF.
As a possible implementation of option two: after receiving the above first service operation, the first AMF determines whether AMF redirection or direct non-access stratum rerouting (also called direct NAS reroute) has occurred. If AMF redirection or direct NAS reroute has occurred, then when the first AMF decides to perform primary authentication, the first AMF shall protect the authentication request message; specifically, the first AMF protects the authentication request message based on the received KAMF or security context and sends the security-protected authentication request message, or the first AMF shall send a security-protected N1 message, including the authentication request message. The first AMF determines that AMF redirection has occurred from the registration context container information element (registrationCtxtContainer IE) carried in the first service operation, and/or the first AMF determines that AMF redirection has occurred from the fact that the type of the N1 message notified in the first service operation is 5GMM.
As another possible implementation of option two: after receiving the above first service operation, if the first AMF decides to perform primary authentication, the first AMF shall protect the authentication request message, or the first AMF shall send a security-protected N1 message, including the authentication request message. That the first AMF shall protect the authentication request message means that the first AMF protects the authentication request message based on the received KAMF or security context and sends the security-protected authentication request message; that the first AMF shall send a security-protected N1 message means that the first AMF protects the N1 message based on the received KAMF or security context and sends the security-protected N1 message.
As a possible implementation of option three: if the first AMF receives eighth indication information sent by the initial AMF, then when the first AMF decides to perform primary authentication, the first AMF shall, according to the eighth indication information, send an authentication request message without security protection, or the first AMF shall initiate a NAS SMC according to the eighth indication information. The eighth indication information is used to instruct the first AMF to send an authentication request message without security protection. The eighth indication information may be a horizontal KAMF derivation indication.
In this implementation, before the initial AMF invokes the first service operation of the first AMF in S595, the initial AMF further determines to send eighth indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5963: the initial AMF sends the eighth indication information to the first AMF). Specifically, when the initial AMF determines that an eighth preset condition is satisfied, the initial AMF sends the eighth indication information to the first AMF. Correspondingly, the first AMF receives the eighth indication information. Optionally, the initial AMF sends the eighth indication information to the first AMF by means of the first service operation. The eighth preset condition is any one or more of the following conditions: the initial AMF performs horizontal KAMF derivation, or the initial AMF generates a new KAMF.
When the eighth preset condition is not satisfied, the initial AMF does not send the eighth indication information to the first AMF, and the first AMF therefore does not receive it. If the first AMF does not receive the eighth indication information, the first AMF may perform any one of the following operations:
Operation 1: If the first AMF decides to perform primary authentication, the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message.
Operation 2: If the first AMF decides not to perform primary authentication, the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message;
Operation 3: The first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message, including the authentication request message.
The eighth indication information may further be used to indicate any one or more of the following:
The initial AMF performs horizontal KAMF derivation; the initial AMF generates a new KAMF; the first AMF shall send an authentication request message without security protection; the first AMF shall initiate a NAS SMC.
As a possible implementation of option four: if the first AMF receives a horizontal KAMF derivation indication, the first AMF shall not perform primary authentication, or the first AMF shall use the received KAMF or security context, or the first AMF initiates a NAS SMC. Otherwise, if the first AMF does not receive a horizontal KAMF derivation indication but receives seventh indication information, then:
if the first AMF decides to initiate primary authentication, the first AMF shall, according to the seventh indication information, send a security-protected authentication request message; or,
the first AMF shall, according to the seventh indication information, send a security-protected N1 message, including the authentication request message.
The seventh indication information is used to instruct the first AMF to send a security-protected authentication request message, or to instruct the first AMF to send a security-protected N1 message.
In this implementation, before the initial AMF invokes the first service operation of the first AMF in S595, the initial AMF further determines to send seventh indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5964: the initial AMF determines to send the seventh indication information to the first AMF). Specifically, when the initial AMF determines that a seventh preset condition is satisfied, the initial AMF sends the seventh indication information to the first AMF. Correspondingly, the first AMF receives the seventh indication information. Optionally, the initial AMF sends the seventh indication information to the first AMF by means of the first service operation. The seventh preset condition is any one or more of the following conditions:
Secure exchange of NAS messages has taken place between the initial AMF and the UE; a NAS SMC has been successfully performed between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the security algorithm selected by the second AMF; the initial AMF uses the KAMF received from the second AMF that was generated by horizontal KAMF derivation; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and decides to use the KAMF or security context received from the second AMF.
When the seventh preset condition is not satisfied, the initial AMF does not send the seventh indication information to the first AMF, and the first AMF therefore does not receive it. If the first AMF receives neither the seventh indication information nor a horizontal KAMF derivation indication, the first AMF may perform any one of the following operations:
Operation 1: If the first AMF decides to perform primary authentication, the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message, or the first AMF sends an authentication request message without security protection.
Operation 2: If the first AMF decides not to perform primary authentication, the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message, or the first AMF shall send an N1 message without security protection.
Operation 3: The first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message, including the authentication request message.
Operation 4: The first AMF shall send an N1 message without security protection, including the authentication request message.
The seventh indication information may further be used to indicate any one or more of the following:
Secure exchange of NAS messages has taken place between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; a NAS SMC procedure has been successfully performed between the initial AMF and the UE; the initial AMF and the UE perform primary authentication; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and decides to use the KAMF or security context received from the second AMF; the initial AMF has selected a security algorithm different from the security algorithm selected by the second AMF; the first AMF shall send a security-protected authentication request message; the first AMF shall protect the authentication request message; the first AMF shall send a security-protected N1 message, including the authentication request message.
As another possible implementation of option four: if the first AMF receives sixth indication information and a horizontal KAMF derivation indication, the first AMF shall not perform primary authentication, or the first AMF shall use the received KAMF or security context. Otherwise, if the first AMF does not receive a horizontal KAMF derivation indication but receives the sixth indication information, then if the first AMF decides to initiate primary authentication, the first AMF shall, according to the sixth indication information, send a security-protected authentication request message; or,
the first AMF shall, according to the sixth indication information, send a security-protected N1 message, where the N1 message includes the authentication request message.
The sixth indication information is used to instruct the first AMF to send a security-protected authentication request message.
In this implementation, before the initial AMF invokes the first service operation of the first AMF in S595, the initial AMF further determines to send sixth indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5964: the initial AMF determines to send the sixth indication information to the first AMF). Specifically, when the initial AMF determines that a sixth preset condition is satisfied, the initial AMF sends the sixth indication information to the first AMF. Correspondingly, the first AMF receives the sixth indication information. Optionally, the initial AMF sends the sixth indication information to the first AMF by means of the first service operation. The sixth preset condition is any one or more of the following conditions:
Secure exchange of NAS messages has taken place between the initial AMF and the UE; a NAS SMC has been successfully performed between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the security algorithm selected by the second AMF; the initial AMF uses the KAMF received from the second AMF that was generated by horizontal KAMF derivation; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and decides to use the KAMF and security context received from the second AMF.
When the sixth preset condition is not satisfied, the initial AMF does not send the sixth indication information to the first AMF, and the first AMF therefore does not receive it. If the first AMF does not receive the sixth indication information but receives a horizontal KAMF derivation indication, the first AMF may perform any one of the following operations:
Operation 1: If the first AMF decides to perform primary authentication, the first AMF shall send an authentication request message without security protection.
Operation 2: If the first AMF decides not to perform primary authentication, the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message, or the first AMF shall send an N1 message without security protection, or the first AMF initiates a NAS SMC;
Operation 3: The first AMF shall send an N1 message without security protection, including the authentication request message.
If the first AMF receives neither the sixth indication information nor a horizontal KAMF derivation indication, the first AMF may perform any one of the following operations:
Operation 1: If the first AMF decides to perform primary authentication, the first AMF shall send an authentication request message without security protection, or the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message.
Operation 2: If the first AMF decides not to perform primary authentication, the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message, or the first AMF shall send an N1 message without security protection;
Operation 3: The first AMF shall send an N1 message without security protection, including the authentication request message.
Operation 4: The first AMF shall send a security-protected N1 message, including the authentication request message.
The sixth indication information may further be used to indicate any one or more of the following:
Secure exchange of NAS messages has taken place between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; a NAS SMC procedure has been successfully performed between the initial AMF and the UE; the initial AMF and the UE perform primary authentication; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and decides to use the received KAMF or security context; the initial AMF decides to use the KAMF received from the second AMF that was generated by horizontal KAMF derivation; the initial AMF has selected a security algorithm different from the security algorithm selected by the second AMF; the first AMF shall send a security-protected authentication request message; the first AMF shall protect the authentication request message; the first AMF shall send a protected N1 message, including the authentication request message.
In the method flow shown in FIG. 11, the first AMF either refrains from primary authentication or protects the authentication request message, so that the UE does not discard a received authentication request message as unprotected.
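The following Python model, added here as an illustration and not code from the patent or from any 3GPP implementation, traces the first implementation of option four end to end: the initial AMF evaluates the seventh preset condition and passes a horizontal KAMF derivation indication and/or the seventh indication information in the first service operation, the first AMF chooses its next N1 message, and the UE accepts or discards it. Every class and function name, the `protected` flag standing in for real NAS integrity and ciphering, and the UE discard rule are constructed assumptions, not the patent's or the standard's definitions.

```python
"""Constructed model of the option-four decision logic during AMF reroute.

All names are hypothetical; 'protected' is a boolean stand-in for NAS
integrity/ciphering derived from the received KAMF, not real protection.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class InitialAmfState:
    """What the initial AMF knows after serving the UE (constructed fields)."""
    has_kamf: bool = True                     # holds a KAMF / NAS security context
    nas_smc_succeeded: bool = False           # NAS SMC completed with the UE
    new_nas_context_established: bool = False
    primary_auth_done: bool = False
    algorithm_differs_from_second_amf: bool = False
    received_horizontal_derivation_indication: bool = False
    uses_received_kamf: bool = False          # decided to use the KAMF from the 2nd AMF
    performed_horizontal_kamf_derivation: bool = False


@dataclass
class FirstServiceOperation:
    """Indications the initial AMF forwards to the first (target) AMF (hypothetical)."""
    kamf_present: bool
    horizontal_kamf_derivation_indication: bool
    seventh_indication: bool


@dataclass
class N1Message:
    kind: str           # "authentication_request" or "other"
    protected: bool     # stands in for protection with the received KAMF / context


def seventh_preset_condition(s: InitialAmfState) -> bool:
    """True when any one of the seventh preset conditions from the text holds."""
    return any([
        s.nas_smc_succeeded,
        s.new_nas_context_established,
        s.primary_auth_done,
        s.algorithm_differs_from_second_amf,
        s.received_horizontal_derivation_indication and s.uses_received_kamf,
    ])


def build_first_service_operation(s: InitialAmfState) -> FirstServiceOperation:
    """Initial AMF side (S5964, then S595): decide which indications to forward."""
    return FirstServiceOperation(
        kamf_present=s.has_kamf,
        horizontal_kamf_derivation_indication=s.performed_horizontal_kamf_derivation,
        seventh_indication=seventh_preset_condition(s),
    )


def first_amf_next_message(op: FirstServiceOperation, wants_primary_auth: bool,
                           protect_when_unspecified: bool = True) -> Optional[N1Message]:
    """First AMF side, first implementation of option four.

    Returns the N1 message sent to the UE, or None when the first AMF keeps
    using the received security context instead of starting primary auth.
    """
    if op.horizontal_kamf_derivation_indication:
        # Freshly derived KAMF received: use it, no primary authentication.
        return None
    if op.seventh_indication and wants_primary_auth:
        # The UE already has an activated context, so the request goes out protected.
        return N1Message("authentication_request", protected=True)
    if wants_primary_auth:
        # No indication: the text allows either choice (operation 1); the
        # caller picks, which is how the failure mode below is reproduced.
        return N1Message("authentication_request", protected=protect_when_unspecified and op.kamf_present)
    return N1Message("other", protected=op.kamf_present)


def ue_handles(msg: N1Message, ue_context_active: bool) -> str:
    """UE side: with an activated NAS context an unprotected request is discarded
    (the outcome the text says the FIG. 11 flow is meant to avoid)."""
    if msg.protected:
        return "accept"
    return "discard" if ue_context_active else "accept"


def run_reroute(s: InitialAmfState, wants_primary_auth: bool,
                strip_indications: bool = False,
                protect_when_unspecified: bool = True) -> str:
    """End-to-end trace; strip_indications models an initial AMF that forwards none."""
    op = build_first_service_operation(s)
    if strip_indications:
        op = FirstServiceOperation(op.kamf_present, False, False)
    msg = first_amf_next_message(op, wants_primary_auth, protect_when_unspecified)
    if msg is None:
        return "context_reused"
    ue_context_active = s.nas_smc_succeeded or s.new_nas_context_established
    return ue_handles(msg, ue_context_active)


if __name__ == "__main__":
    state = InitialAmfState(nas_smc_succeeded=True)
    print(run_reroute(state, wants_primary_auth=True))                      # accept
    print(run_reroute(state, True, strip_indications=True,
                      protect_when_unspecified=False))                      # discard
```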
It should also be understood that, in the foregoing method embodiments, the magnitude of the sequence numbers of the processes does not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and does not constitute any limitation on the implementation process of the embodiments of this application.
The method for registration provided by the embodiments of this application has been described in detail above with reference to FIG. 3, FIG. 4 and FIG. 11; the device for registration provided by the embodiments of this application is described in detail below with reference to FIG. 5 to FIG. 10.
Referring to FIG. 5, FIG. 5 is a schematic diagram of a device 10 for registration proposed in this application. As shown in FIG. 5, the device 10 includes a receiving unit 110 and a processing unit 120.
The receiving unit 110 is configured to receive a protected first message from a first AMF;
The processing unit 120 is configured to process the protected first message, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of the following messages:
an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command message (NAS SMC).
For ease of description, the device 10 for registration receiving and processing the protected first message may be described as the device 10 for registration accepting the protected first message.
The embodiments of this application do not restrict how the processing unit of the UE processes the received protected first message; reference may be made to the relevant provisions of the current protocol, for example, to how the current protocol specifies that the UE processes a protected message and obtains the information in the message, which is not described in detail here.
The device 10 corresponds exactly to the user equipment in the method embodiments; the device 10 may be the user equipment in the method embodiments, or a chip or functional module inside that user equipment. The corresponding units of the device 10 are configured to execute the corresponding steps performed by the user equipment in the method embodiments shown in FIG. 3, FIG. 4 and FIG. 11.
The receiving unit 110 in the device 10 performs the receiving steps of the user equipment in the method embodiments. For example, it performs step S350 in FIG. 3 of receiving the NAS security mode command message sent by the initial AMF, step S301 in FIG. 3 of receiving the protected first message sent by the first AMF, step S450 in FIG. 4 of receiving the NAS security mode command message sent by the initial AMF, step S496 in FIG. 4 of receiving the unprotected first message sent by the first AMF, step S481 in FIG. 4 of receiving the second indication information sent by the initial AMF, step S550 in FIG. 11 of receiving the NAS security mode command message sent by the initial AMF, step S5952 in FIG. 11 of receiving the third message sent by the first AMF, steps S5954 and S5957 in FIG. 11 of receiving the security-protected authentication request message sent by the first AMF, and step S5956 in FIG. 11 of receiving the authentication request message without security protection sent by the first AMF.
The processing unit 120 in the device 10 performs the steps implemented or processed internally by the user equipment in the method embodiments. For example, it performs step S340 in FIG. 3 of performing primary authentication with the initial AMF, step S440 in FIG. 4 of performing primary authentication with the initial AMF, and step S540 in FIG. 11 of performing primary authentication with the initial AMF.
The device for registration shown as device 10 may further include a sending unit (not shown in FIG. 5), which is configured to send messages to other devices. For example, it performs step S310 in FIG. 3 of sending an RR message to the initial AMF, step S360 in FIG. 3 of sending a NAS security mode complete message to the initial AMF, step S410 in FIG. 4 of sending an RR message to the initial AMF, and step S460 in FIG. 4 of sending a NAS security mode complete message to the initial AMF.
The receiving unit 110 and the sending unit may together form a transceiver unit having both receiving and sending functions. The processing unit 120 may be a processor. The sending unit may be a transmitter, and the receiving unit 110 may be a receiver. The receiver and the transmitter may be integrated to form a transceiver.
参见图6,图6是适用于本申请实施例的用户设备20的结构示意图。该用户设备20可应用于图1所示出的系统中。为了便于说明,图6仅示出了用户设备的主要部件。如图6所示,用户设备20包括处理器、存储器、控制电路、天线以及输入输出装置。处理器用于控制天线以及输入输出装置收发信号,存储器用于存储计算机程序,处理器用于从存储器中调用并运行该计算机程序,以执行本申请提出的用于注册的方法中由用户设备执行的相应流程和/或操作。此处不再赘述。Referring to FIG. 6, FIG. 6 is a schematic structural diagram of a user equipment 20 applicable to an embodiment of the present application. The user equipment 20 can be applied to the system shown in FIG. 1. For ease of description, FIG. 6 only shows the main components of the user equipment. As shown in FIG. 6, the user equipment 20 includes a processor, a memory, a control circuit, an antenna, and an input and output device. The processor is used to control the antenna and the input and output devices to send and receive signals, the memory is used to store a computer program, and the processor is used to call and run the computer program from the memory to execute the corresponding method executed by the user equipment in the method for registration proposed in this application. Process and/or operation. I won't repeat them here.
本领域技术人员可以理解,为了便于说明,图6仅示出了一个存储器和处理器。在实际的用户设备中,可以存在多个处理器和存储器。存储器也可以称为存储介质或者存储设备等,本申请实施例对此不做限制。Those skilled in the art can understand that, for ease of description, FIG. 6 only shows a memory and a processor. In actual user equipment, there may be multiple processors and memories. The memory may also be referred to as a storage medium or a storage device, etc., which is not limited in the embodiment of the present application.
Referring to FIG. 7, FIG. 7 is a schematic diagram of a device 30 for registration proposed in this application. As shown in FIG. 7, the device 30 includes a processing unit 310 and a sending unit 320.
The processing unit 310 is configured to determine to send first indication information to a first AMF, where the first indication information is used to instruct the first AMF to protect a first message.
The sending unit 320 is configured to send the first indication information to the first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of the following messages:
an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC) message.
The device 30 corresponds exactly to the initial AMF in the method embodiments: the device 30 may be the initial AMF in the method embodiments, or a chip or functional module inside that initial AMF. The corresponding units of the device 30 are configured to perform the corresponding steps performed by the initial AMF in the method embodiments shown in FIG. 3, FIG. 4, and FIG. 11.
The processing unit 310 of the device 30 performs the steps implemented or processed internally by the initial AMF in the method embodiments, for example: step S396 in FIG. 3 of determining to send the first indication information to the first AMF; step S596 in FIG. 11 of determining whether to perform horizontal KAMF derivation; step S5961 in FIG. 11 of determining to send tenth indication information to the first AMF; step S5962 in FIG. 11 of determining to send ninth indication information to the first AMF; step S5963 in FIG. 11 of determining to send eighth indication information to the first AMF; and step S5964 in FIG. 11 of determining to send sixth or seventh indication information to the first AMF.
The sending unit 320 of the device 30 performs the sending steps of the initial AMF in the method embodiments, for example: in FIG. 3, step S320 of sending a sixth service operation to the second AMF, step S350 of sending a NAS security mode command message to the UE, step S370 of sending a second service operation to the UDM, step S390 of sending a third service operation to the NSSF, step S392 of sending a fourth service operation to the second AMF, step S393 of sending a fifth service operation to the NRF, and step S395 of sending a first service operation to the first AMF; in FIG. 4, step S420 of sending a sixth service operation to the second AMF, step S450 of sending a NAS security mode command message to the UE, step S470 of sending a second service operation to the UDM, step S490 of sending a third service operation to the NSSF, step S492 of sending a fourth service operation to the second AMF, step S493 of sending a fifth service operation to the NRF, step S495 of sending a first service operation to the first AMF, and step S481 of sending second indication information to the UE; and in FIG. 11, step S520 of sending a sixth service operation to the second AMF, step S550 of sending a NAS security mode command message to the UE, step S570 of sending a second service operation to the UDM, step S590 of sending a third service operation to the NSSF, step S592 of sending a fourth service operation to the second AMF, step S593 of sending a fifth service operation to the NRF, and step S595 of sending a first service operation to the first AMF.
The device 30 for registration may further include a receiving unit (not shown in FIG. 7), configured to receive messages sent by other devices, for example: in FIG. 3, step S310 of receiving the RR message sent by the UE, step S360 of receiving the NAS security mode complete message sent by the UE, step S330 of receiving the sixth service operation response sent by the second AMF, step S380 of receiving the second service operation response sent by the UDM, step S391 of receiving the third service operation response sent by the NSSF, and step S394 of receiving the fifth service operation response sent by the NRF; in FIG. 4, step S410 of receiving the RR message sent by the UE, step S460 of receiving the NAS security mode complete message sent by the UE, step S430 of receiving the sixth service operation response sent by the second AMF, step S480 of receiving the second service operation response sent by the UDM, step S491 of receiving the third service operation response sent by the NSSF, and step S494 of receiving the fifth service operation response sent by the NRF; and in FIG. 11, step S510 of receiving the RR message sent by the UE, step S560 of receiving the NAS security mode complete message sent by the UE, step S530 of receiving the sixth service operation response sent by the second AMF, step S580 of receiving the second service operation response sent by the UDM, step S591 of receiving the third service operation response sent by the NSSF, and step S594 of receiving the fifth service operation response sent by the NRF.
The receiving unit and the sending unit 320 may together form a transceiver unit that has both receiving and sending functions. The processing unit 310 may be a processor. The sending unit 320 may be a transmitter, and the receiving unit may be a receiver. The receiver and the transmitter may be integrated to form a transceiver.
As shown in FIG. 8, an embodiment of this application further provides an initial AMF 40. The initial AMF 40 includes a processor 410, a memory 420, and a transceiver 430. The memory 420 stores instructions or a program, and the processor 410 is configured to execute the instructions or program stored in the memory 420. When the instructions or program stored in the memory 420 are executed, the transceiver 430 performs the operations performed by the sending unit 320 of the device 30 shown in FIG. 7.
Referring to FIG. 9, FIG. 9 is a schematic diagram of a device 50 for registration proposed in this application. As shown in FIG. 9, the device 50 includes a receiving unit 510, a processing unit 520, and a sending unit 530.
The receiving unit 510 is configured to receive first indication information from an initial AMF.
The processing unit 520 is configured to protect a first message according to the first indication information.
The sending unit 530 is configured to send the protected first message to a user equipment (UE), where the device for registration is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of the following messages:
an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC) message.
The device 50 corresponds exactly to the first AMF in the method embodiments: the device 50 may be the first AMF in the method embodiments, or a chip or functional module inside that first AMF. The corresponding units of the device 50 are configured to perform the corresponding steps performed by the first AMF in the method embodiments shown in FIG. 3, FIG. 4, and FIG. 11.
The receiving unit 510 of the device 50 performs the receiving steps of the first AMF in the method embodiments, for example step S395 in FIG. 3 and step S495 in FIG. 4 of receiving the first service operation sent by the initial AMF.
The processing unit 520 performs the steps implemented or processed internally by the first AMF in the method embodiments, for example: in FIG. 3, step S399 of determining that AMF redirection has occurred, step S398 of protecting the first message, step S302 of not performing primary authentication according to the first indication information, and step S303 of not performing primary authentication according to the first service operation; and in FIG. 11, step S5951 of skipping primary authentication, step S5953 of protecting the authentication request message, step S5955 of initiating primary authentication, and step S5956 of skipping primary authentication or protecting the authentication request message.
The sending unit 530 performs the sending steps of the first AMF in the method embodiments, for example: step S301 in FIG. 3 of sending the protected first message to the UE, step S496 in FIG. 4 of sending the unprotected first message to the UE, step S5952 in FIG. 11 of sending a third message to the UE, steps S5954 and S5957 in FIG. 11 of sending a security-protected authentication request message to the UE, and step S5956 in FIG. 11 of sending an authentication request message without security protection to the UE.
The receiving unit 510 and the sending unit 530 may together form a transceiver unit that has both receiving and sending functions. The processing unit 520 may be a processor. The sending unit 530 may be a transmitter, and the receiving unit 510 may be a receiver. The receiver and the transmitter may be integrated to form a transceiver.
As shown in FIG. 10, an embodiment of this application further provides a first AMF 60. The first AMF 60 includes a processor 610, a memory 620, and a transceiver 630. The memory 620 stores instructions or a program, and the processor 610 is configured to execute the instructions or program stored in the memory 620. When the instructions or program stored in the memory 620 are executed, the transceiver 630 performs the operations performed by the receiving unit 510 and the sending unit 530 of the device 50 shown in FIG. 9.
An embodiment of this application further provides a communication system, which includes the initial AMF, the first AMF, and one or more user equipments described above.
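The exchange between the three entities of this communication system, as implemented by the device 30 of FIG. 7 (initial AMF), the device 50 of FIG. 9 (first or target AMF) and the UE, together with the horizontal KAMF derivation decision of step S596, as an added toy model in Python. This is example code written for this page, not code from the patent or from 3GPP: the class and field names are invented, HMAC-SHA-256 stands in for the NAS integrity algorithm, the wire format is a made-up placeholder, and the KDF FC values and input parameters are assumptions that must be checked against 3GPP TS 33.501 Annex A rather than facts the page states.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# KDF shape from 3GPP TS 33.220 Annex B.2: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...).
# FC values and parameters are ASSUMED for illustration; check TS 33.501 Annex A before use.
FC_HORIZONTAL_KAMF = 0x72  # assumed: K_AMF' derivation during AMF re-allocation
FC_NAS_ALG_KEY = 0x69      # assumed: NAS algorithm key derivation
NAS_INT_PARAMS = (b"\x02", b"\x02")  # assumed: algorithm type distinguisher, algorithm identity

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def horizontal_kamf(k_amf: bytes, ul_nas_count: int) -> bytes:
    """K_AMF' from K_AMF. DIRECTION = 0x01, COUNT = uplink NAS COUNT (assumed inputs)."""
    return kdf(k_amf, FC_HORIZONTAL_KAMF, b"\x01", ul_nas_count.to_bytes(4, "big"))

@dataclass
class NasSecurityContext:
    k_amf: bytes
    ul_count: int = 1  # uplink NAS COUNT of the UE's registration request (constructed value)
    dl_count: int = 0

    def _mac(self, count: bytes, plain: bytes) -> bytes:
        k_nas_int = kdf(self.k_amf, FC_NAS_ALG_KEY, *NAS_INT_PARAMS)
        return hmac.new(k_nas_int, count + plain, hashlib.sha256).digest()[:4]  # stands in for NIA2

    def protect(self, plain: bytes) -> bytes:
        # Toy wire format: 0x01 | DL COUNT(4) | MAC(4) | plaintext; 0x00 | plaintext when unprotected.
        count = self.dl_count.to_bytes(4, "big")
        self.dl_count += 1
        return b"\x01" + count + self._mac(count, plain) + plain

    def verify(self, body: bytes) -> Optional[bytes]:
        count, mac, plain = body[:4], body[4:8], body[8:]
        if int.from_bytes(count, "big") < self.dl_count or not hmac.compare_digest(mac, self._mac(count, plain)):
            return None  # replayed COUNT or bad MAC
        self.dl_count = int.from_bytes(count, "big") + 1
        return plain

@dataclass
class FirstServiceOperation:
    """Toy stand-in for the first service operation sent by the initial AMF to the target AMF."""
    first_indication: bool                # "protect the first message" (claims 1 and 5)
    security_context: NasSecurityContext  # first context, or the derived second context
    horizontal_derivation: bool = False   # "perform horizontal K_AMF derivation" (claims 11 and 16)

class InitialAMF:
    def __init__(self, ctx: NasSecurityContext, policy_horizontal: bool):
        self.ctx = ctx                              # from its own authentication or from the second AMF
        self.policy_horizontal = policy_horizontal  # local policy consulted in step S596

    def redirect(self) -> FirstServiceOperation:
        nas_secured = True  # NAS SMC already completed with the UE (the first preset condition)
        if not self.policy_horizontal:
            return FirstServiceOperation(nas_secured, self.ctx)
        k2 = horizontal_kamf(self.ctx.k_amf, self.ctx.ul_count)
        return FirstServiceOperation(nas_secured, NasSecurityContext(k2, self.ctx.ul_count), True)

class TargetAMF:
    def __init__(self, needs_primary_auth: bool):
        self.needs_primary_auth = needs_primary_auth

    def first_message(self, op: FirstServiceOperation) -> bytes:
        if op.horizontal_derivation:  # new K_AMF': run NAS SMC under the derived context
            return op.security_context.protect(b"SECURITY MODE COMMAND|horizontal=1")
        if self.needs_primary_auth:
            if op.first_indication:
                return op.security_context.protect(b"AUTHENTICATION REQUEST")
            return b"\x00AUTHENTICATION REQUEST"  # unprotected: the case the indication prevents
        return op.security_context.protect(b"REGISTRATION ACCEPT")

class UE:
    def __init__(self, ctx: NasSecurityContext):
        self.ctx = ctx  # established with the initial AMF during its NAS SMC

    def receive(self, wire: bytes) -> Optional[bytes]:
        if wire[0] == 0x00:
            return None  # toy policy: discard unprotected NAS once a security context exists
        body = wire[1:]
        if body[8:].endswith(b"|horizontal=1"):  # flag in the clear part: derive K_AMF' before checking
            new_ctx = NasSecurityContext(horizontal_kamf(self.ctx.k_amf, self.ctx.ul_count), self.ctx.ul_count)
            plain = new_ctx.verify(body)
            if plain is not None:
                self.ctx = new_ctx  # take the derived context into use only after the MAC checks
            return plain
        return self.ctx.verify(body)

def run_registration(policy_horizontal: bool, needs_primary_auth: bool, honour_indication: bool = True):
    """One redirected registration; returns the first message as accepted by the UE, or None."""
    k_amf = bytes(range(32))  # constructed sample K_AMF shared by UE and initial AMF after NAS SMC
    ue = UE(NasSecurityContext(k_amf))
    op = InitialAMF(NasSecurityContext(k_amf), policy_horizontal).redirect()
    if not honour_indication:
        op.first_indication = False  # model a target AMF that ignores the indication
    return ue.receive(TargetAMF(needs_primary_auth).first_message(op))
```

`run_registration(False, True)` returns the authentication request the UE accepted, because the target AMF honoured the first indication information and protected it with the received NAS security context; `run_registration(False, True, honour_indication=False)` returns `None`, the toy UE discarding the unprotected authentication request a target AMF would send without that indication; `run_registration(True, True)` takes the horizontal-derivation branch, where the target AMF runs NAS SMC under KAMF' and the UE derives the same KAMF' itself before checking the MAC. The DL COUNT check in `verify` is what stops a captured protected message from being replayed to the UE.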
This application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the steps performed by the initial AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
This application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the steps performed by the first AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
This application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the steps performed by the user equipment in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
This application further provides a computer program product containing instructions which, when the computer program product runs on a computer, cause the computer to perform the steps performed by the initial AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
This application further provides a computer program product containing instructions which, when the computer program product runs on a computer, cause the computer to perform the steps performed by the first AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
This application further provides a computer program product containing instructions which, when the computer program product runs on a computer, cause the computer to perform the steps performed by the user equipment in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
This application further provides a chip that includes a processor. The processor is configured to read and run a computer program stored in a memory to execute the corresponding operations and/or procedures performed by the user equipment in the registration method provided in this application. Optionally, the chip further includes the memory, which is connected to the processor through a circuit or wires, and the processor reads and executes the computer program in the memory. Further optionally, the chip includes a communication interface connected to the processor. The communication interface receives the data and/or information to be processed; the processor obtains the data and/or information from the communication interface and processes it. The communication interface may be an input/output interface.
This application further provides a chip that includes a processor. The processor is configured to call and run a computer program stored in a memory to execute the corresponding operations and/or procedures performed by the initial AMF in the registration method provided in this application. Optionally, the chip further includes the memory, which is connected to the processor through a circuit or wires, and the processor reads and executes the computer program in the memory. Further optionally, the chip includes a communication interface connected to the processor. The communication interface receives the data and/or information to be processed; the processor obtains the data and/or information from the communication interface and processes it. The communication interface may be an input/output interface.
This application further provides a chip that includes a processor. The processor is configured to call and run a computer program stored in a memory to execute the corresponding operations and/or procedures performed by the first AMF in the registration method provided in this application. Optionally, the chip further includes the memory, which is connected to the processor through a circuit or wires, and the processor reads and executes the computer program in the memory. Further optionally, the chip includes a communication interface connected to the processor. The communication interface receives the data and/or information to be processed; the processor obtains the data and/or information from the communication interface and processes it. The communication interface may be an input/output interface.
A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described with reference to the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed by hardware or by software depends on the particular application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of this application.
It should be understood that the chip described above may also be replaced by a chip system, which is not described again here.
The terms "including" and "having" and any variations of them in this application are intended to cover a non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product, or device.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, devices, and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, devices, and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and there may be other divisions in actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices, or units, and may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, the part that contributes to the prior art, or a part of the technical solution may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
In addition, the term "and/or" in this application only describes an association relationship between associated objects and indicates that three relationships may exist. For example, "A and/or B" may mean: A alone, both A and B, or B alone. The character "/" in this document generally indicates an "or" relationship between the associated objects. The term "at least one" in this application may mean "one" or "two or more"; for example, "at least one of A, B, and C" may mean any of these seven cases: A alone, B alone, C alone, A and B, A and C, B and C, or A, B, and C.
The foregoing descriptions are merely specific implementations of this application, but the protection scope of this application is not limited to them. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (53)

  1. A method for registration, comprising:
    a first access and mobility management function (AMF) receiving first indication information from an initial AMF;
    the first AMF protecting a first message according to the first indication information; and
    the first AMF sending the protected first message to a user equipment (UE), where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of the following messages:
    an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC) message.
  2. The method according to claim 1, wherein the first AMF receiving the first indication information from the initial AMF comprises:
    the first AMF receiving a first service operation from the initial AMF, the first service operation including the first indication information.
  3. The method according to claim 2, wherein the first service operation further includes a non-access stratum (NAS) security context; and
    the first AMF protecting the first message comprises:
    the first AMF protecting the first message using the NAS security context.
  4. The method according to any one of claims 1 to 3, wherein the first indication information is used to indicate at least one of the following:
    a secure exchange of NAS messages has taken place between the UE and the initial AMF; the first AMF protects the first message using the received NAS security context; or a security context has been established between the UE and the initial AMF.
  5. A method for registration, comprising:
    an initial access and mobility management function (AMF) determining to send first indication information to a first AMF, where the first indication information is used to instruct the first AMF to protect a first message; and
    the initial AMF sending the first indication information to the first AMF, where the first AMF is the target AMF selected to serve a UE when AMF redirection is performed, and the first message is one of the following messages:
    an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC) message.
  6. The method according to claim 5, wherein the initial AMF determining to send the first indication information to the first AMF comprises:
    the initial AMF determining, based on a first preset condition, to send the first indication information to the first AMF, where the first preset condition includes that a secure exchange of NAS messages has taken place between the UE and the initial AMF, or that a security context has been established between the UE and the initial AMF.
  7. The method according to claim 5 or 6, wherein the initial AMF sending the first indication information to the first AMF comprises:
    the initial AMF sending a first service operation to the first AMF, the first service operation including the first indication information.
  8. The method according to claim 7, wherein the first service operation further includes a NAS security context.
  9. The method according to any one of claims 5 to 8, wherein the first indication information is used to indicate at least one of the following:
    a secure exchange of NAS messages has taken place between the UE and the initial AMF; the first AMF protects the first message using the NAS security context; or a security context has been established between the UE and the initial AMF.
  10. A method for registration, comprising:
    a user equipment (UE) receiving a protected first message from a first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of the following messages:
    an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command (NAS SMC) message.
  11. A method for registration, the method comprising:
    an initial access and mobility management function (AMF) determining, according to a local policy, whether to perform horizontal derivation of a first key;
    if the initial AMF determines not to perform horizontal derivation of the first key, sending a first security context to a first AMF; or
    if the initial AMF determines to perform horizontal derivation of the first key, sending, to the first AMF, indication information for performing horizontal derivation of the first key.
  12. The method according to claim 11, wherein the first security context is generated after authentication between the initial AMF and a UE, and the first key is included in the first security context.
  13. The method according to claim 11, wherein the first security context is obtained by the initial AMF from a second AMF, and the first key is included in the first security context.
  14. The method according to claim 11, wherein the method further comprises:
    if the initial AMF determines to perform horizontal derivation of the key KAMF, sending a second security context to the first AMF, the second security context being obtained from the first security context.
  15. The method according to claim 14, wherein the second security context further includes a second key derived from the first key.
  16. 一种用于注册的方法,其特征在于,所述方法包括:A method for registration, characterized in that the method includes:
    第一接入和移动管理功能AMF接收来自于初始AMF的第一安全上下文;The first access and mobility management function AMF receives the first security context from the initial AMF;
    如果所述第一AMF没有收到进行第一密钥的水平推演的指示信息且如果所述第一AMF决定进行主认证,则第一AMF使用所述第一安全上下文保护认证请求消息,并发送有安全保护的认证请求信息,或者If the first AMF does not receive the instruction information to perform the level derivation of the first key and if the first AMF decides to perform the main authentication, the first AMF uses the first security context to protect the authentication request message and sends Security-protected certification request information, or
    如果所述第一AMF收到进行第一密钥的水平推演的指示信息,则所述第一AMF进行非接入层安全模式命令NAS SMC,If the first AMF receives the instruction information to perform the horizontal derivation of the first key, the first AMF performs the non-access stratum security mode command NAS SMC,
    其中,所述第一密钥包含在所述第一安全上下文中。Wherein, the first key is included in the first security context.
  17. 根据权利要求16所述的方法,其特征在于,所述方法还包括:The method according to claim 16, wherein the method further comprises:
    所述第一AMF接收来自于所述初始AMF的第二安全上下文。The first AMF receives the second security context from the initial AMF.
  18. 根据权利要求17所述的方法,其特征在于,所述第一AMF进行NAS SMC,包括:The method according to claim 17, wherein the first AMF to perform NAS SMC includes:
    所述第一AMF使用所述第二安全上下文进行所述NAS SMC。The first AMF uses the second security context to perform the NAS SMC.
  19. 根据权利要求17或18所述的方法,其特征在于,所述第二安全上下文还包括基于所述第一密钥推演出来的第二密钥。The method according to claim 17 or 18, wherein the second security context further comprises a second key derived based on the first key.
  20. A device for registration, comprising:
    a receiving unit, configured to receive first indication information from an initial AMF;
    a processing unit, configured to protect a first message according to the first indication information; and
    a sending unit, configured to send the protected first message to a user equipment UE, where the device for registration is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of:
    an authentication request message, an N1 message, or an N1 message other than a non-access stratum security mode command message NAS SMC.
  21. The device according to claim 20, wherein the receiving unit receiving the first indication information from the initial AMF comprises:
    the receiving unit receiving a first service operation from the initial AMF, the first service operation including the first indication information.
  22. The device according to claim 21, wherein the first service operation further includes a non-access stratum NAS security context; and
    the processing unit protecting the first message comprises:
    the processing unit protecting the first message using the NAS security context.
  23. The device according to any one of claims 20 to 22, wherein the first indication information indicates at least one of the following:
    a secure exchange of NAS messages has taken place between the UE and the initial AMF; the first AMF uses the received NAS security context to protect the first message; a security context has been established between the UE and the initial AMF.
  24. A device for registration, comprising:
    a processing unit, configured to determine to send first indication information to a first AMF, the first indication information instructing the first AMF to protect a first message; and
    a sending unit, configured to send the first indication information to the first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of:
    an authentication request message, an N1 message, or an N1 message other than a non-access stratum security mode command message NAS SMC.
  25. The device according to claim 24, wherein the processing unit determining to send the first indication information to the first AMF comprises:
    the processing unit determining, based on a first preset condition, to send the first indication information to the first AMF, where the first preset condition includes that a secure exchange of NAS messages has taken place between the UE and the initial AMF, or that a security context has been established between the UE and the initial AMF.
  26. The device according to claim 24 or 25, wherein the sending unit sending the first indication information to the first AMF comprises:
    the sending unit sending a first service operation to the first AMF, the first service operation including the first indication information.
  27. The device according to claim 26, wherein the first service operation further includes a NAS security context.
  28. The device according to any one of claims 24 to 27, wherein the first indication information indicates at least one of the following:
    a secure exchange of NAS messages has taken place between the UE and the initial AMF; the first AMF uses the NAS security context to protect the first message; a security context has been established between the UE and the initial AMF.
  29. A device for registration, comprising:
    a processing unit, configured to receive a protected first message from a first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of:
    an authentication request message, an N1 message, or an N1 message other than a non-access stratum security mode command message NAS SMC.
  30. A device for registration, comprising:
    a processing unit, configured to determine, according to a local policy, whether to perform horizontal derivation of a first key; and
    a sending unit, configured to send a first security context to a first AMF when the device determines not to perform horizontal derivation of the first key, or
    to send to the first AMF indication information that horizontal derivation of the first key is performed when the device determines to perform horizontal derivation of the first key.
  31. The device according to claim 30, wherein the first security context is generated after authentication between the device and the UE, and the first key is included in the first security context.
  32. The device according to claim 30, wherein the first security context is obtained by the device from a second AMF, and the first key is included in the first security context.
  33. The device according to claim 30, wherein the processing unit is further configured to:
    determine to perform horizontal derivation of the key KAMF; and
    the sending unit is further configured to send a second security context to the first AMF, the second security context being obtained from the first security context.
  34. The device according to claim 33, wherein the second security context further includes a second key derived from the first key.
  35. A device for registration, comprising:
    a receiving module, configured to receive a first security context from an initial AMF; and
    a processing module, configured to protect an authentication request message using the first security context and send the security-protected authentication request message if the device has not received indication information that horizontal derivation of a first key is performed and if the device decides to perform primary authentication, or
    to perform a non-access stratum security mode command NAS SMC when the device has received indication information that horizontal derivation of the first key is performed,
    where the first key is included in the first security context.
  36. The device according to claim 35, wherein the receiving module is further configured to:
    receive a second security context from the initial AMF.
  37. The device according to claim 36, wherein the processing module is specifically configured to:
    perform the NAS SMC using the second security context.
  38. The device according to claim 37, wherein the second security context further includes a second key derived from the first key.
  39. A communication device, comprising:
    a memory, configured to store a computer program;
    a transceiver, configured to perform the sending and receiving steps; and
    a processor, configured to call and run the computer program from the memory, so that the communication device performs the method according to any one of claims 1 to 19.
  40. A computer-readable storage medium, wherein the computer-readable medium stores a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 19.
  41. A communication system, comprising:
    the device for registration according to any one of claims 20 to 23, the device for registration according to any one of claims 24 to 28, the device for registration according to claim 29, the device for registration according to any one of claims 30 to 34, and the device for registration according to any one of claims 35 to 38.
  42. A method for registration, comprising:
    determining, by an initial AMF according to a local policy, whether to perform horizontal derivation of a first key;
    if the initial AMF determines not to perform horizontal derivation of the first key, sending a first security context to a first AMF; and
    if the first AMF has not received indication information that horizontal derivation of the first key is performed, and if the first AMF decides to perform primary authentication, protecting, by the first AMF, an authentication request message using the first security context and sending the security-protected authentication request message.
  43. The method according to claim 42, wherein the first security context is generated after authentication between the initial AMF and the UE, and the first key is included in the first security context.
  44. The method according to claim 42, wherein the first security context is obtained by the initial AMF from a second AMF, and the first key is included in the first security context.
  45. The method according to any one of claims 42 to 44, further comprising:
    if the initial AMF determines to perform horizontal derivation of the first key, sending to the first AMF indication information that horizontal derivation of the first key is performed; and
    if the first AMF has received indication information that horizontal derivation of the first key is performed, performing, by the first AMF, a non-access stratum security mode command NAS SMC.
  46. The method according to any one of claims 42 to 45, further comprising:
    if the initial AMF determines to perform horizontal derivation of the key KAMF, sending a second security context to the first AMF, the second security context being obtained from the first security context;
    wherein the first AMF performing NAS SMC comprises:
    the first AMF performing the NAS SMC using the second security context.
  47. The method according to claim 46, wherein the second security context further includes a second key derived from the first key.
  48. A system for registration, comprising:
    an initial AMF, configured to determine, according to a local policy, whether to perform horizontal derivation of a first key, and to send a first security context to a first AMF if the initial AMF determines not to perform horizontal derivation of the first key; and
    the first AMF, configured to protect an authentication request message using the first security context and send the security-protected authentication request message if the first AMF has not received indication information that horizontal derivation of the first key is performed and if the first AMF decides to perform primary authentication.
  49. The system according to claim 48, wherein the first security context is generated after authentication between the initial AMF and the UE, and the first key is included in the first security context.
  50. The system according to claim 48, wherein the first security context is obtained by the initial AMF from a second AMF, and the first key is included in the first security context.
  51. The system according to any one of claims 48 to 50, wherein the initial AMF is further configured to send to the first AMF indication information that horizontal derivation of the first key is performed if the initial AMF determines to perform horizontal derivation of the first key; and
    the first AMF is further configured to perform a non-access stratum security mode command NAS SMC if it receives indication information that horizontal derivation of the first key is performed.
  52. The system according to any one of claims 48 to 51, wherein the initial AMF is further configured to send a second security context to the first AMF if the initial AMF determines to perform horizontal derivation of the key KAMF, the second security context being obtained from the first security context; and
    the first AMF is specifically configured to perform the NAS SMC using the second security context.
  53. The system according to claim 52, wherein the second security context further includes a second key derived from the first key.
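The decision logic of claims 11 to 19, the protection of the target AMF's first message under the first indication information of claims 20 to 29, and the end-to-end flow of claims 42 to 53 can be exercised together as a toy two-party exchange. The following is an added example and is not code from the patent or from any 3GPP implementation; the KDF, the message layouts, the 32-bit MAC, the `k_amf_change` flag inside the SMC payload and the `policy_rederive` switch standing in for the initial AMF's local policy are all assumptions, and the sample K_AMF is constructed test data. The point it demonstrates is the two branches the claims keep apart: without horizontal derivation the target AMF protects the Authentication Request with the forwarded first context, and with it the target AMF must run NAS SMC under the second context, which a UE that has not derived the second key cannot verify.

```python
# Added example, not code from the patent or from any 3GPP implementation.
# Models claims 11-19, 20-29 and 42-53 as a two-party exchange. The KDF,
# message layouts, MAC size and the "local policy" flag are assumptions;
# the real key derivations are specified in 3GPP TS 33.501, not here.
import hmac
from dataclasses import dataclass


def kdf(key: bytes, label: bytes) -> bytes:
    # Stand-in KDF (assumption): HMAC-SHA256 keyed with the parent key.
    return hmac.new(key, label, "sha256").digest()


@dataclass
class SecurityContext:
    """NAS security context shared between the UE and the AMF serving it."""
    k_amf: bytes        # the "first key" (or, after derivation, the "second key")
    dl_count: int = 0   # NAS downlink COUNT, the freshness input to every MAC

    def k_nas_int(self) -> bytes:
        return kdf(self.k_amf, b"NAS-INT")

    def protect(self, payload: bytes) -> dict:
        """Integrity-protect a downlink NAS message (32-bit MAC, assumption)."""
        self.dl_count += 1
        data = self.dl_count.to_bytes(4, "big") + payload
        mac = hmac.new(self.k_nas_int(), data, "sha256").digest()[:4]
        return {"count": self.dl_count, "payload": payload, "mac": mac}

    def verify(self, msg: dict) -> bool:
        """Reject replays (COUNT not increasing) and messages with a bad MAC."""
        if msg["count"] <= self.dl_count:
            return False
        data = msg["count"].to_bytes(4, "big") + msg["payload"]
        mac = hmac.new(self.k_nas_int(), data, "sha256").digest()[:4]
        if not hmac.compare_digest(mac, msg["mac"]):
            return False
        self.dl_count = msg["count"]
        return True


def horizontal_derive(first: SecurityContext) -> SecurityContext:
    """Second security context: a second key derived from the first key.
    The NAS COUNT starts again from zero under the new key."""
    return SecurityContext(k_amf=kdf(first.k_amf, b"HORIZONTAL-KAMF"))


def initial_amf_redirect(ctx: SecurityContext, policy_rederive: bool) -> dict:
    """Initial AMF: build the service operation handed to the target (first) AMF.
    Without horizontal derivation the first context itself is forwarded; with
    it, only the derived context plus an explicit indication are forwarded."""
    if not policy_rederive:
        return {"first_indication": "nas_secured_with_initial_amf",
                "horizontal_derivation": False, "nas_context": ctx}
    return {"first_indication": "nas_secured_with_initial_amf",
            "horizontal_derivation": True, "nas_context": horizontal_derive(ctx)}


def target_amf_first_message(op: dict, run_primary_auth: bool) -> dict:
    """Target AMF: pick the first message to the UE and protect it."""
    ctx = op["nas_context"]
    if op["horizontal_derivation"]:
        # Indication received: NAS SMC first, under the second context; the
        # flag tells the UE to derive the same second key before verifying.
        return ctx.protect(b"SECURITY MODE COMMAND k_amf_change=1")
    if run_primary_auth:
        # No indication: the forwarded first context protects the
        # Authentication Request, which would otherwise go out unprotected.
        return ctx.protect(b"AUTHENTICATION REQUEST")
    return ctx.protect(b"N1 MESSAGE")


def ue_receive(ue: SecurityContext, msg: dict) -> tuple:
    """UE: verify with the current context, or with a freshly derived one
    when an SMC carries the key-change flag. Returns (accepted, context)."""
    p = msg["payload"]
    if p.startswith(b"SECURITY MODE COMMAND") and b"k_amf_change=1" in p:
        derived = horizontal_derive(ue)
        return derived.verify(msg), derived
    return ue.verify(msg), ue


def simulate(policy_rederive: bool, run_primary_auth: bool) -> dict:
    """One redirection end to end. The shared K_AMF is constructed test data;
    in reality it results from primary authentication."""
    k_amf = bytes(range(32))
    initial_amf, ue = SecurityContext(k_amf), SecurityContext(k_amf)
    # The UE and the initial AMF have already exchanged a protected NAS
    # message, the precondition for sending the first indication information.
    pre_ok, ue = ue_receive(ue, initial_amf.protect(b"SECURITY MODE COMMAND k_amf_change=0"))
    op = initial_amf_redirect(initial_amf, policy_rederive)
    first = target_amf_first_message(op, run_primary_auth)
    accepted, ue = ue_receive(ue, first)
    return {"precondition_ok": pre_ok, "first_message": first["payload"],
            "accepted": accepted, "ue_key_changed": ue.k_amf != k_amf,
            "target_key_changed": op["nas_context"].k_amf != k_amf}
```

Calling `simulate(False, True)` yields an accepted Authentication Request protected under the unchanged first key, while `simulate(True, True)` yields a NAS SMC accepted only because the UE derived the second key on seeing the flag; verifying that same SMC with a UE context that did not derive fails, and re-delivering any accepted message fails the COUNT check.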
PCT/CN2020/113777 2019-09-29 2020-09-07 Method and device for use in registration WO2021057456A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP20848683.7A EP3826341A4 (en) 2019-09-29 2020-09-07 Method and device for use in registration
US17/180,032 US11606768B2 (en) 2019-09-29 2021-02-19 Method and apparatus for registration

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201910932460 2019-09-29
CN201910932460.0 2019-09-29
CN201911089396.0 2019-11-08
CN201911089396.0A CN112654046A (en) 2019-09-29 2019-11-08 Method and device for registration

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/180,032 Continuation US11606768B2 (en) 2019-09-29 2021-02-19 Method and apparatus for registration

Publications (1)

Publication Number Publication Date
WO2021057456A1 true WO2021057456A1 (en) 2021-04-01

Family

ID=75164891

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/113777 WO2021057456A1 (en) 2019-09-29 2020-09-07 Method and device for use in registration

Country Status (1)

Country Link
WO (1) WO2021057456A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109257815A (en) * 2017-07-14 2019-01-22 电信科学技术研究院 A kind of management method and device of registration request
WO2019034021A1 (en) * 2017-08-14 2019-02-21 华为技术有限公司 Method and device for interactive operations between different systems
WO2019072681A1 (en) * 2017-10-10 2019-04-18 Nokia Technologies Oy Change of 5g amf node in case of overload
CN110291837A (en) * 2017-02-06 2019-09-27 华为技术有限公司 Network registry and network slice selection system and method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "EUTRA connected to 5GC: clauses 6.9.3 and 6.9.4", 3GPP draft S3-190431 (was S3-190262), 3GPP SA WG3, Kochi (India), 28 January - 1 February 2019, dated 30 January 2019, XP051595857 *
ZTE CORPORATION: "Handling of AMF redirection", 3GPP draft S3-190153, 3GPP SA WG3, 1 February 2019, pages 1-3, XP051611423 *

Legal Events

Code Title Details
ENP Entry into the national phase: ref document number 2020848683; country of ref document: EP; effective date: 20210208
NENP Non-entry into the national phase: ref country code: DE