WO2021057456A1 - Method and device for use in registration - Google Patents

Method and device for use in registration

Info

Publication number
WO2021057456A1
Authority
WO
WIPO (PCT)
Prior art keywords: amf, message, initial, security context, key
Application number
PCT/CN2020/113777
Other languages
English (en)
Chinese (zh)
Inventor
邓娟
Original Assignee
华为技术有限公司
Priority claimed from CN201911089396.0A (published as CN112654046A)
Application filed by 华为技术有限公司
Priority to EP20848683.7A (EP3826341A4)
Priority to US17/180,032 (US11606768B2)
Publication of WO2021057456A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/10: Integrity

Definitions

  • This application relates to the field of communications, and more specifically, to a method and device for registration.
  • The 5th generation (5G) communication protocol defines a procedure for redirecting the access and mobility management function (AMF) that serves a user equipment during the registration process.
  • First, the user equipment sends to the (radio) access network ((R)AN) a registration request message carrying its 5G globally unique temporary user equipment identity (5G-GUTI) or its subscriber concealed identifier (SUCI).
  • Second, after receiving the registration request message, the (R)AN chooses to send it to the initial AMF. The initial AMF finds, according to the 5G-GUTI, the second AMF (old AMF) that last served the user equipment and obtains the user equipment context from it; this context includes the NAS security context of the user equipment. Finally, the initial AMF initiates AMF redirection based on certain trigger conditions and redirects to the first AMF. The first AMF (target AMF) can obtain the context of the user equipment from the initial AMF.
  • the initial AMF can directly forward the complete registration request message to the first AMF.
  • the user equipment may discard the authentication request message, thereby causing the registration of the user equipment to fail.
  • This application provides a method and device for registration.
  • The method for registration is used in a scenario where AMF redirection occurs: when the first AMF receives, from the initial AMF, first indication information instructing it to protect the authentication request message, it sends the protected authentication request message to the user equipment, so as to prevent the user equipment from discarding the authentication request message and to improve the chance of successful registration of the user equipment.
  • A method for registration includes: a first access and mobility management function AMF receives first indication information from an initial AMF; the first AMF protects a first message according to the first indication information; and the first AMF sends the protected first message to the user equipment UE, where the first AMF is the target AMF selected to serve the UE when AMF redirection occurs, and the first message is one of the following messages: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command message NAS SMC. Alternatively:
  • the first access and mobility management function AMF receives the first indication information from the initial AMF, and the first AMF, according to the first indication information, does not perform the main authentication, or skips the main authentication process and performs other processes in the registration process, or uses the received KAMF.
  • The first AMF uses the received NAS security context or KAMF to protect the N1 message.
  • The first indication information may be sent to the first AMF by the initial AMF so that the first AMF sends a protected authentication request message to the UE, thereby preventing the user equipment from discarding the authentication request message and improving the probability of successful registration of the user equipment.
  • The initial AMF may send the first indication information to the first AMF to indicate that the first AMF does not perform the main authentication process, so that the first AMF sends a protected N1 message to the UE.
  • The "protected first message" in the embodiments of this application means the first message with integrity protection, or the first message with integrity and encryption protection. Where the first message is a NAS SMC message, the protected first message is the first message with integrity protection.
  • Alternatively, the protected first message is the first message with integrity and encryption protection.
  • The first AMF receiving the first indication information from the initial AMF includes: the first AMF receives a first service operation from the initial AMF, and the first service operation includes the first indication information.
  • the initial AMF sending the first indication information to the first AMF may be by sending the first service operation to the first AMF, and carrying the first indication information in the first service operation.
  • the first service operation is the Namf_Communication_N1MessageNotify service operation.
  • This application does not require the first indication information to be carried in the first service operation; carrying it there is one flexible, optional way for the initial AMF to send the first indication information to the first AMF.
  • Carrying the first indication information in the first service operation also saves signaling overhead.
  • The first service operation further includes a non-access stratum (NAS) security context, and the first AMF protecting the first message includes: the first AMF uses the NAS security context to protect the first message.
  • The first service operation sent by the initial AMF to the first AMF may also include the NAS security context, so that the first AMF can use the received NAS security context to protect the first message, which provides a feasible way for the first AMF to protect the first message.
  • The first indication information is used to indicate at least one of the following situations: the UE and the initial AMF have performed NAS message security interaction; the first AMF should use the received NAS security context to protect the first message; a security context is established between the UE and the initial AMF; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; NAS SMC has been successfully performed between the UE and the initial AMF; the first AMF should use the received KAMF; the first AMF does not perform the main authentication process; or the first AMF skips the main authentication process and performs other processes in the registration.
  • The first indication information indicates that the first AMF protects the first message.
  • It may do so by indicating that the UE and the initial AMF have performed NAS message security interaction, and/or that the first AMF should use the received NAS security context to protect the first message, which provides a flexible and optional form for the first indication information. Alternatively:
  • the first indication information indicates that the first AMF does not perform the master authentication; other indication manners can also be used.
  • A method for registration includes: the initial access and mobility management function AMF determines to send first indication information to a first AMF, and the first indication information is used to indicate that the first AMF protects a first message; the initial AMF sends the first indication information to the first AMF, where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following messages: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command message NAS SMC. Alternatively:
  • the initial access and mobility management function AMF determines to send first indication information to the first AMF;
  • the first indication information is used to instruct the first AMF not to perform the main authentication, or to skip the main authentication process and perform other processes in the registration process, or to use the received KAMF;
  • the initial AMF sends the first indication information to the first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed.
  • The initial AMF can send the first indication information to the first AMF so that the first AMF sends a protected authentication request message to the UE, thereby preventing the user equipment from discarding the authentication request message and improving the probability of successful registration of the user equipment.
  • The initial AMF may send the first indication information to the first AMF so that the first AMF does not perform the main authentication process, which provides a feasible way for the first AMF to skip the main authentication.
  • The initial AMF determining to send the first indication information to the first AMF includes: the initial AMF determines to send the first indication information to the first AMF based on a first preset condition, where the first preset condition includes at least one of the following: a security exchange of NAS messages is performed between the UE and the initial AMF; a security context is established between the UE and the initial AMF; NAS SMC is successfully performed between the UE and the initial AMF; a security association is activated between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; master authentication is performed between the UE and the initial AMF;
  • the initial AMF selects a security algorithm that is different from the security algorithm selected by the second AMF; or
  • the initial AMF uses a KAMF obtained by horizontal derivation from the KAMF received from the second AMF, where the second AMF is the AMF that last served the UE.
  • That is, the initial AMF may determine to send the first indication information to the first AMF only when it determines that certain first preset conditions are met.
  • This provides a feasible way for the initial AMF to determine whether to send the first indication information.
  • The initial AMF sending the first indication information to the first AMF includes: the initial AMF sends a first service operation to the first AMF, and the first service operation includes the first indication information.
  • the initial AMF sending the first indication information to the first AMF may be by sending the first service operation to the first AMF, and carrying the first indication information in the first service operation.
  • a flexible and optional solution is provided for the initial AMF to send the first indication information to the first AMF.
  • the first service operation is the Namf_Communication_N1MessageNotify service operation.
  • the first service operation further includes a NAS security context.
  • The first service operation sent by the initial AMF to the first AMF may also include the NAS security context, so that the first AMF can use the received NAS security context to protect the first message, which provides a feasible way for the first AMF to protect the first message.
  • The first indication information is used to indicate at least one of the following situations: the UE and the initial AMF have performed NAS message security interaction; the first AMF shall use the NAS security context to protect the first message; a security context is established between the UE and the initial AMF; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; NAS SMC has been successfully performed between the UE and the initial AMF; the first AMF should use the received KAMF; the first AMF does not perform the main authentication process; or the first AMF skips the main authentication process and performs other processes in the registration.
  • The first indication information indicating that the first AMF protects the first message may be realised by indicating that the UE and the initial AMF have performed NAS message security interaction and/or that the first AMF should use the received NAS security context to protect the first message, which provides a flexible and optional form for the first indication information.
  • The first indication information indicates that the first AMF does not perform the master authentication; other indication manners can also be used.
  • A method for registration includes: a user equipment UE accepts a first message protected by a first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed,
  • and the first message is one of the following messages: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command message NAS SMC.
  • the UE receives the protected authentication request message, thereby preventing the user equipment from discarding the authentication request message and increasing the probability of successful registration of the user equipment.
  • A method for registration includes: a user equipment UE receives second indication information from the initial access and mobility management function AMF, where the second indication information is used to instruct the UE to accept an unprotected first message; the UE accepts the unprotected first message from the first AMF according to the second indication information, where the first AMF is the target AMF selected to serve the UE during AMF redirection,
  • and the first message is one of the following messages: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command message NAS SMC.
  • The method for registration provided in this embodiment can send the second indication information to the UE through the initial AMF, so that the UE accepts the unprotected authentication request message, thereby preventing the user equipment from discarding the authentication request message and improving the probability of successful registration of the user equipment.
  • A method for registration includes: the initial access and mobility management function AMF determines, based on a second preset condition, to send second indication information to the user equipment UE, where the second indication information is used to indicate that the UE accepts an unprotected first message, and the first message is one of the following messages: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command message NAS SMC; the initial AMF sends the second indication information to the UE.
  • The method for registration provided in this embodiment can send the second indication information to the UE through the initial AMF, so that the UE accepts the unprotected authentication request message, thereby preventing the user equipment from discarding the authentication request message and improving the probability of successful registration of the user equipment.
  • The initial AMF determines to send the second indication information to the UE based on a second preset condition, where the second preset condition includes at least one of the following: the initial AMF performs security interaction of NAS messages with the UE; the initial AMF determines to perform AMF redirection; a security context is established between the UE and the initial AMF; NAS SMC is successfully performed between the UE and the initial AMF;
  • a security association between the UE and the initial AMF is activated; security protection is activated between the UE and the initial AMF; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm different from the security algorithm selected by the second AMF; or
  • the initial AMF uses a KAMF obtained by horizontal derivation from the KAMF received from the second AMF, where the second AMF is the AMF that last served the UE.
  • A method for registration includes: a first access and mobility management function AMF receives a first service operation sent by an initial AMF; the first AMF protects a first message; and the first AMF sends the protected first message to the user equipment UE, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of the following messages: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command message NAS SMC. Alternatively:
  • the first access and mobility management function AMF receives the first service operation sent by the initial AMF; the first AMF skips the main authentication process; and the first AMF sends a protected N1 message to the user equipment UE, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed.
  • the method for registration provided in the embodiment of the present application may send a protected authentication request message to the UE after the first AMF determines that the AMF redirection occurs, thereby preventing the user equipment from discarding the authentication request message and increasing the probability of successful user equipment registration.
  • The method for registration provided in this embodiment may send a first service operation to the first AMF through the initial AMF to indicate that the first AMF does not perform the main authentication process: after determining that AMF redirection has occurred, the first AMF may skip the main authentication process and perform other processes in the registration, or the first AMF may not perform the main authentication and instead use the received NAS security context to protect the N1 message.
  • The method for registration further includes: the first AMF determines, according to the above first service operation, that AMF redirection has occurred.
  • The first AMF can determine whether AMF redirection has occurred according to the IE(s) carried in the first service operation. For example, if the N1 message type carried in the first service operation includes 5GMM, it determines that AMF redirection has occurred; or, if the first service operation carries a Registration Context Container type IE, it determines that AMF redirection has occurred.
  • the first AMF protects the first message includes: the first AMF protects the first message using the received NAS security context.
  • The received NAS security context is the NAS security context carried in the first service operation that the first AMF receives from the initial AMF.
  • The first AMF may use the received NAS security context to protect the first message, which provides a feasible way for the first AMF to protect the first message.
  • A method for registration includes: a user equipment UE accepts a protected first message from a first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed,
  • and the first message is one of the following messages: an authentication request message, an N1 message, or an N1 message other than the non-access stratum security mode command message NAS SMC.
  • the UE receives the protected authentication request message, thereby preventing the user equipment from discarding the authentication request message and increasing the probability of successful registration of the user equipment.
  • a device for registration includes a processor for implementing the function of the first AMF in the methods described in the first and seventh aspects.
  • the device for registration may further include a memory coupled with the processor, and the processor is configured to implement the function of the first AMF in the methods described in the first aspect and the seventh aspect.
  • the memory is used to store program instructions and data.
  • the memory is coupled with the processor, and the processor can call and execute the program instructions stored in the memory to implement the function of the first AMF in the methods described in the first aspect and the seventh aspect.
  • the apparatus for registration may further include a communication interface, and the communication interface is used for the apparatus for registration to communicate with other devices.
  • the communication interface may be a transceiver, an input/output interface, or a circuit.
  • the device for registration includes: a processor and a communication interface
  • the processor is configured to run a computer program, so that the device for registration implements any one of the methods described in the first aspect and the seventh aspect;
  • the processor communicates with the outside by using the communication interface.
  • the exterior may be an object other than the processor, or an object other than the device.
  • the device for registration is a chip or a chip system.
  • the communication interface may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit on the chip or chip system.
  • the processor may also be embodied as a processing circuit or a logic circuit.
  • a device for registration includes a processor for implementing the function of the initial AMF in the methods described in the second and fifth aspects.
  • the device for registration may further include a memory, the memory is coupled to the processor, and the processor is configured to implement the function of the initial AMF in the methods described in the second aspect and the fifth aspect.
  • the memory is used to store program instructions and data.
  • the memory is coupled with the processor, and the processor can call and execute program instructions stored in the memory to implement the function of the initial AMF in the methods described in the second and fifth aspects.
  • the apparatus for registration may further include a communication interface, and the communication interface is used for the apparatus for registration to communicate with other devices.
  • the communication interface may be a transceiver, an input/output interface, or a circuit.
  • the device for registration includes: a processor and a communication interface
  • the processor communicates with the outside by using the communication interface
  • the processor is configured to run a computer program, so that the device for registration implements any one of the methods described in the second aspect and the fifth aspect.
  • the exterior may be an object other than the processor, or an object other than the device.
  • the device for registration is a chip or a chip system.
  • the communication interface may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit on the chip or chip system.
  • the processor may also be embodied as a processing circuit or a logic circuit.
  • a device for registration includes a processor, configured to implement the functions of the user equipment in the methods described in the third, fourth, and eighth aspects.
  • the apparatus for registration may further include a memory, the memory is coupled to the processor, and the processor is configured to implement the functions of the user equipment in the methods described in the third, fourth, and eighth aspects above.
  • the memory is used to store program instructions and data.
  • the memory is coupled with the processor, and the processor can call and execute program instructions stored in the memory to implement the functions of the user equipment in the methods described in the third, fourth, and eighth aspects above.
  • the apparatus for registration may further include a communication interface, and the communication interface is used for the apparatus for registration to communicate with other devices.
  • the communication interface may be a transceiver, an input/output interface, or a circuit.
  • the device for registration includes: a processor and a communication interface
  • the processor communicates with the outside by using the communication interface
  • the processor is configured to run a computer program, so that the device for registration implements any one of the methods described in the third aspect, the fourth aspect, and the eighth aspect.
  • the exterior may be an object other than the processor, or an object other than the device.
  • the device for registration is a chip or a chip system.
  • the communication interface may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit on the chip or chip system.
  • the processor may also be embodied as a processing circuit or a logic circuit.
  • the present application provides a computer-readable storage medium having instructions stored in the computer-readable storage medium, which when run on a computer, cause the computer to execute the methods described in the above aspects.
  • this application provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the methods described in the above aspects.
  • a communication system including the device for registration shown in the eighth aspect, the device for registration shown in the ninth aspect, and the device for registration shown in the tenth aspect.
  • a chip system including a memory and a processor, where the memory is used to store a computer program, and the processor is used to call and run the computer program from the memory so that the communication device in which the chip system is installed executes the method in any one of the possible implementation manners of the foregoing first to seventh aspects.
  • FIG. 1 is a network architecture suitable for embodiments of the present application.
  • FIG. 2 is a schematic diagram of a registration process in which AMF redirection occurs.
  • FIG. 3 is a schematic flowchart of a method for registration provided in an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of another method for registration provided in an embodiment of the present application.
  • FIG. 5 is a schematic diagram of the device 10 for registration proposed in this application.
  • FIG. 6 is a schematic structural diagram of a user equipment 20 applicable to an embodiment of the present application.
  • FIG. 7 is a schematic diagram of the device 30 for registration proposed in this application.
  • FIG. 8 is a schematic structural diagram of an initial AMF 40 applicable to an embodiment of the present application.
  • FIG. 9 is a schematic diagram of the device 50 for registration proposed in the present application.
  • FIG. 10 is a schematic structural diagram of a first AMF 60 applicable to an embodiment of the present application.
  • FIG. 11 is a schematic flowchart of yet another method for registration provided in an embodiment of the present application.
  • Figure 1 is a network architecture suitable for embodiments of the present application. As shown in Figure 1, each part involved in the network architecture will be described separately below.
  • User equipment 110 may include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to wireless modems, as well as various forms of terminals, mobile stations (MS), terminals, user equipment (UE), soft terminals, etc., for example water meters, electricity meters, sensors, etc.
  • The user equipment in the embodiments of the present application may refer to an access terminal, a user unit, a user station, a mobile station, a mobile site, a relay station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal device, a wireless communication device, a user agent, or a user device.
  • The user equipment can also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, user equipment in a future 5G network, or user equipment in a future evolved public land mobile network (PLMN).
  • Wearable devices can also be referred to as wearable smart devices, a general term for devices developed by applying wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes.
  • A wearable device is a portable device that is worn directly on the body or integrated into the user's clothes or accessories. Wearable devices are not only hardware devices; they also realize powerful functions through software support, data interaction, and cloud interaction.
  • Wearable smart devices include full-featured, large-sized devices that can provide complete or partial functions without relying on a smartphone, such as smart watches or smart glasses, and devices that focus only on a certain type of application function and need to work with other devices such as smartphones.
  • The user equipment may also be user equipment in an Internet of Things (IoT) system.
  • The IoT is an important part of the future development of information technology; its main technical feature is to connect things to the network through communication technology, realizing an intelligent network of human-machine interconnection and interconnection of things.
  • IoT technology can achieve massive connections, deep coverage, and terminal power saving through, for example, narrowband (NB) technology.
  • User equipment may also include sensors such as smart printers, train detectors, gas stations, etc.
  • Its main functions include collecting data (for some user equipment), receiving control information and downlink data from the access network equipment, and sending electromagnetic waves to transmit uplink data to the access network equipment.
  • (Wireless) access network equipment ((radio) access network, (R)AN) 120 is used to provide network access functions for authorized user equipment in a specific area, and can use transmission tunnels of different quality according to the level of the user equipment and its service requirements.
  • (R)AN can manage wireless resources, provide access services for user equipment, and then complete the forwarding of control signals and user equipment data between the user equipment and the core network.
  • (R)AN can also be understood as a base station in a traditional network.
  • the access network device in the embodiment of the present application may be any communication device with a wireless transceiving function that is used to communicate with user equipment.
  • the access network equipment includes but is not limited to: evolved Node B (eNB), radio network controller (RNC), Node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (home evolved NodeB, HeNB, or home NodeB, HNB), baseband unit (BBU), access point (AP) in a wireless fidelity (WiFi) system, wireless relay node, wireless backhaul node, transmission point (TP) or transmission and reception point (TRP), etc.; it may also be a gNB or transmission point (TRP or TP) in a 5G system such as NR, one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or
  • the gNB may include a centralized unit (CU) and a DU.
  • the gNB may also include an active antenna unit (AAU).
  • the CU implements some of the functions of the gNB, and the DU implements some of the functions of the gNB.
  • the CU is responsible for processing non-real-time protocols and services, and implements radio resource control (radio resource control, RRC) and packet data convergence protocol (packet data convergence protocol, PDCP) layer functions.
  • RRC radio resource control
  • PDCP packet data convergence protocol
  • the DU is responsible for processing the physical layer protocol and real-time services, and realizes the functions of the radio link control (RLC) layer, the media access control (MAC) layer, and the physical (PHY) layer.
  • RLC radio link control
  • MAC media access control
  • PHY physical
  • the AAU implements some physical layer processing functions, radio frequency processing and related functions of active antennas. Since the information of the RRC layer eventually becomes information of the PHY layer, or is transformed from information of the PHY layer, under this architecture high-layer signaling, such as RRC layer signaling, can also be considered to be sent by the DU, or by the DU+AAU.
  • the access network device may be a device that includes one or more of a CU node, a DU node, and an AAU node.
  • the CU may be classified as an access network device in the radio access network (RAN), or the CU may be classified as an access network device in the core network (CN); this application does not limit this.
  • User plane network element 130 used for packet routing and forwarding and quality of service (QoS) processing of user plane data, etc.
  • QoS quality of service
  • the user plane network element may be a user plane function (UPF) network element.
  • UPF user plane function
  • the user plane network element may still be a UPF network element, or may also have other names, which is not limited in this application.
  • Data network network element 140 used to provide a network for transmitting data.
  • the data network element may be a data network (DN) network element.
  • DN data network
  • the data network network element may still be a DN network element, or may also have other names, which is not limited by this application.
  • Access management network element 150 Mainly used for mobility management and access management, etc., and can be used to implement functions other than session management in the mobility management entity (MME) function, for example, lawful interception and access authorization/authentication functions.
  • MME mobility management entity
  • the access management network element may be an access and mobility management function (AMF).
  • AMF access and mobility management function
  • the access management network element may still be AMF, or may also have other names, which is not limited in this application.
  • Session management network element 160 Mainly used for session management, Internet Protocol (IP) address allocation and management for user equipment, selection of end points that can manage user plane functions, policy control and charging function interfaces, downlink data notification, etc.
  • IP Internet Protocol
  • the session management network element may be a session management function (session management function, SMF) network element.
  • SMF session management function
  • the session management network element may still be an SMF network element, or may also have other names, which is not limited in this application.
  • Policy control network element 170 A unified policy framework used to guide network behavior, and provide policy rule information for control plane function network elements (such as AMF, SMF network elements, etc.).
  • the policy control network element may be a policy and charging rules function (PCRF) network element.
  • the policy control network element may be a policy control function (PCF) network element.
  • PCF policy control function
  • the policy control network element may still be a PCF network element, or may also have other names, which is not limited in this application.
  • Authentication server 180 used for authentication services, generating keys to realize two-way authentication of user equipment, and supporting a unified authentication framework.
  • the authentication server may be an authentication server function (authentication server function, AUSF) network element.
  • the authentication server function network element may still be an AUSF network element, or may also have other names, which is not limited in this application.
  • Data management network element 190 used to process user equipment identification, access authentication, registration, and mobility management.
  • the data management network element may be a unified data management (UDM) network element; in a 4G communication system, the data management network element may be a home subscriber server (HSS) network element. In a future communication system, the unified data management may still be the UDM network element, or it may have other names, which is not limited in this application.
  • UDM unified data management
  • HSS home subscriber server
  • Application network element 1100 used for data routing affected by applications, access to network open function network elements, and interaction with the policy framework for policy control, etc.
  • the application network element may be an application function (AF) network element.
  • AF application function
  • the application network element may still be an AF network element, or may also have other names, which is not limited by this application.
  • Network slice selection network element 1200 used to implement access mapping between user equipment and network slices, and provide appropriate network slice access for user equipment.
  • the network slice selection network element may be a network slice selection function (NSSF) network element.
  • NSSF network slice selection function
  • the network slice selection network element may still be an NSSF network element, or may have other names, which is not limited by this application.
  • FIG. 1 is only an example and does not constitute any limitation to the protection scope of the present application.
  • the method for registration provided by the embodiment of the present application may also involve a network element not shown in FIG. 1.
  • the method for registration provided by the embodiments of the present application also relates to a network storage network element, which is used to maintain real-time information on all network functions and services in the network.
  • the network storage network element may be a network repository function (NRF) network element.
  • NRF network repository function
  • the network storage network element may still be an NRF network element, or may also have other names, which is not limited by this application.
  • the aforementioned network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • the access management network element is the AMF
  • the data management network element is the UDM network element
  • the session management network element is the SMF network element
  • the user plane network element is the UPF network element.
  • the AMF network element is abbreviated as AMF
  • the UDM network element is abbreviated as UDM
  • the SMF network element is abbreviated as SMF
  • the UPF network element is abbreviated as UPF. That is, the AMF described later in this application can be replaced with an access management network element, UDM can be replaced with a data management network element, SMF can be replaced with a session management network element, and UPF can be replaced with a user plane network element.
  • the device is an AMF entity and a UDM entity as examples to describe the method for registration.
  • for the case where the device is a chip in the AMF entity or a chip in the UDM entity, refer to the descriptions of the AMF entity and the UDM entity respectively; the introduction is not repeated.
  • the user equipment is connected to the AMF through the N1 interface
  • the RAN is connected to the AMF through the N2 interface
  • the RAN is connected to the UPF through the N3 interface.
  • UPFs are connected to each other through the N9 interface, and the UPF is connected to the DN through the N6 interface.
  • SMF controls UPF through the N4 interface.
  • AMF interfaces with SMF through N11 interface.
  • AMF obtains user equipment subscription data from the UDM unit through the N8 interface
  • SMF obtains user equipment subscription data from the UDM unit through the N10 interface.
  • network function network element entities such as AMF, SMF network elements, PCF network elements, BSF network elements, and UDM network elements are all called network function (NF) network elements; or
  • NF network function
  • a collection of network elements such as AMF, SMF network elements, PCF network elements, BSF network elements, and UDM network elements can all be called control plane function network elements.
  • the technical solutions of the embodiments of this application can be applied to various communication systems, such as: long term evolution (LTE) system, LTE frequency division duplex (FDD) system, LTE time division duplex (TDD) system, universal mobile telecommunication system (UMTS), worldwide interoperability for microwave access (WiMAX) communication system, fifth generation (5G) system, new radio (NR), or future networks, etc.
  • LTE long term evolution
  • FDD frequency division duplex
  • TDD time division duplex
  • UMTS universal mobile telecommunication system
  • WiMAX worldwide interoperability for microwave access
  • the 5G mobile communication system described in this application includes a non-standalone (NSA) 5G mobile communication system and a standalone (SA) 5G mobile communication system.
  • the technical solution provided in this application can also be applied to future communication systems, such as the sixth-generation mobile communication system.
  • the communication system may also be a public land mobile network (PLMN), a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, or an Internet of Things (IoT) communication system.
  • D2D device-to-device
  • M2M machine-to-machine
  • the user equipment or the access network device includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer.
  • the hardware layer includes hardware such as a central processing unit (CPU), a memory management unit (MMU), and memory (also referred to as main memory).
  • the operating system may be any one or more computer operating systems that implement business processing through processes, for example, Linux, Unix, Android, iOS or Windows operating systems.
  • the application layer includes applications such as browsers, address books, word processing software, and instant messaging software.
  • the embodiments of this application do not specifically limit the structure of the execution body of the methods provided in the embodiments of this application, as long as it can communicate according to the methods provided in the embodiments of this application by running a program recording the code of those methods.
  • the execution subject of the method provided in the embodiments of the present application may be user equipment or access network equipment, or a functional module in the user equipment or access network equipment that can call and execute programs.
  • various aspects or features of the present application can be implemented as methods, devices, or products using standard programming and/or engineering techniques.
  • article of manufacture used in this application encompasses a computer program accessible from any computer-readable device, carrier, or medium.
  • computer-readable media may include, but are not limited to: magnetic storage devices (for example, hard disks, floppy disks, or tapes), optical disks (for example, compact discs (CD), digital versatile discs (DVD), etc.), smart cards and flash memory devices (for example, erasable programmable read-only memory (EPROM), cards, sticks or key drives, etc.).
  • various storage media described herein may represent one or more devices and/or other machine-readable media for storing information.
  • the term "machine-readable storage medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing, and/or carrying instructions and/or data.
  • the embodiments of the present application mainly relate to AMF, UE, (R)AN, AUSF, UDM, and NSSF in the network architecture shown in FIG. 1 and also relate to NRF not shown in FIG. 1.
  • this application involves initial AMF (initial AMF), second AMF (old AMF), and first AMF (target AMF).
  • the second AMF involved in this application refers to the AMF that served the UE last time, that is, the AMF that served the UE before the current registration; it may also be referred to as the AMF the UE last visited.
  • the initial AMF involved in this application refers to the AMF selected by the (R)AN when the UE initiates the current registration request; the first AMF involved in this application refers to an AMF other than the initial AMF that is selected to serve the UE after the initial AMF decides to perform AMF redirection.
  • the AUSF involved in this application is mainly used for primary authentication; the UDM involved in this application is mainly used to provide user equipment subscription information, which includes the network slice selection subscription data of the user equipment; the NSSF is mainly used to provide the AMF set or AMF address list that can serve the network slice selection assistance information (NSSAI) requested by the user equipment; the NRF involved in this application is mainly used to provide the address of the first AMF.
  • NSSAI network slice selection assistance information
  • the AMF key included in the NAS security context established between the UE and the second AMF is marked as Kamf, which may also be referred to as the first key, or the old key;
  • the identifier corresponding to the Kamf is denoted as ngKSI, and the ngKSI is also referred to as the first key identifier or the old key identifier;
  • the NAS security context may also be referred to as the old NAS security context.
  • after primary authentication between the initial AMF and the UE, the key generated by that primary authentication, which is then activated and taken into use, is denoted Kamf_new, and its key identifier is denoted ngKSI_new.
  • Kamf_new may also be called the second key, and ngKSI_new may also be called the second key identifier.
  • the key generated by key derivation from Kamf_new is denoted Kamf_new', and Kamf_new' may also be referred to as the third key.
  • where the key identifier of a derived key is the same as that of the key it is derived from, the key identifier corresponding to Kamf_new' is also ngKSI_new, which is called the second key identifier;
  • the key generated by key derivation from Kamf is denoted Kamf', and Kamf' may also be called the fourth key. Specifically, where the key identifier of a derived key is the same as that of the key it is derived from, the key identifier corresponding to Kamf' is also ngKSI;
  • the key generated by key derivation from Kamf' is denoted Kamf'', and Kamf'' may also be referred to as the fifth key.
  • the key identifier corresponding to Kamf'' is also ngKSI;
  • the key generated by key derivation from Kamf'' is denoted Kamf'''.
  • Kamf''' may also be called the sixth key.
  • where the key identifier of a derived key is the same as that of the key it is derived from, the key identifier corresponding to Kamf''' is also ngKSI;
  • the key generated by key derivation from Kamf_new' is denoted Kamf_new'', and Kamf_new'' may also be referred to as the seventh key.
  • where the key identifier of a derived key is the same as that of the key it is derived from, the key identifier corresponding to Kamf_new'' is also ngKSI_new.
  • the mechanism and parameters used by key derivation to generate a new key are not restricted; the only requirement is that the new key generated by key derivation cannot be used to obtain, by key derivation, the key it was derived from; in other words, the new key and the key it was derived from are isolated.
  • the key derivation described in this application may be the horizontal key derivation defined in the existing protocol, or
  • the key derivation described in this application may be a key derivation manner agreed between different network elements.
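The key hierarchy listed above, as an added worked example written for this page (it is not the patent's own code or any vendor's implementation): a generic 3GPP-style KDF, one horizontal derivation step that inherits the key identifier, and the two chains Kamf -> Kamf' -> Kamf'' -> Kamf''' and Kamf_new -> Kamf_new' -> Kamf_new''. The FC value 0x72 and the DIRECTION / NAS COUNT input layout are assumptions taken from TS 33.501 Annex A.13 and TS 33.220 Annex B as the example's author understands them; the page itself leaves the derivation mechanism open and only requires that a derived key be isolated from its source key.

```python
"""Key hierarchy used during AMF redirection: Kamf -> Kamf' -> Kamf'' -> Kamf'''
and Kamf_new -> Kamf_new' -> Kamf_new'', with the key identifier (ngKSI or
ngKSI_new) carried along unchanged on every horizontal derivation.

Added illustration, not code from the patent. The KDF layout and the FC value
are assumptions from TS 33.220 Annex B / TS 33.501 Annex A.13; the patent
itself does not restrict the derivation mechanism."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

FC_KAMF_HORIZONTAL = 0x72  # assumed FC value for the KAMF -> KAMF' derivation


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    where Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


@dataclass(frozen=True)
class AmfKey:
    name: str     # notation used in the text, e.g. "Kamf", "Kamf'", "Kamf_new''"
    kamf: bytes   # 256-bit AMF key
    ngksi: int    # key set identifier; NOT changed by horizontal derivation


def horizontal_derive(k: AmfKey, nas_count: int, uplink: bool = True) -> AmfKey:
    """Derive Kamf' from Kamf. DIRECTION and the NAS COUNT are the assumed KDF
    inputs; the identifier is inherited, which is exactly why the text says
    Kamf', Kamf'' and Kamf''' all carry ngKSI."""
    direction = b"\x01" if uplink else b"\x00"
    new_key = kdf(k.kamf, FC_KAMF_HORIZONTAL, direction, nas_count.to_bytes(4, "big"))
    return AmfKey(k.name + "'", new_key, k.ngksi)


def derive_chain(root: AmfKey, nas_counts: list[int]) -> list[AmfKey]:
    """Apply one horizontal derivation per NAS COUNT, each from the previous key."""
    chain = [root]
    for count in nas_counts:
        chain.append(horizontal_derive(chain[-1], count))
    return chain


def build_hierarchy(kamf: bytes, kamf_new: bytes, ngksi: int, ngksi_new: int) -> dict[str, AmfKey]:
    """Construct the seven keys named in the text, keyed by their notation."""
    old = derive_chain(AmfKey("Kamf", kamf, ngksi), [5, 6, 7])            # Kamf, Kamf', Kamf'', Kamf'''
    new = derive_chain(AmfKey("Kamf_new", kamf_new, ngksi_new), [0, 1])   # Kamf_new, Kamf_new', Kamf_new''
    return {k.name: k for k in old + new}


def chains_isolated(h: dict[str, AmfKey]) -> bool:
    """True when all keys are pairwise distinct, so no key of one chain reappears in
    the other. Walking a chain backwards would require inverting HMAC-SHA-256."""
    return len({k.kamf for k in h.values()}) == len(h)


if __name__ == "__main__":
    # constructed sample root keys; real ones come out of primary authentication
    h = build_hierarchy(b"\x11" * 32, b"\x22" * 32, ngksi=3, ngksi_new=4)
    for name, k in h.items():
        print(f"{name:10s} ngKSI={k.ngksi} key={k.kamf.hex()[:16]}...")
    print("isolated:", chains_isolated(h))
```

The NAS COUNT argument is what binds each derivation to a particular message; deriving from the same Kamf with a different COUNT yields a different Kamf', and repeating a derivation with the same inputs yields the same key, which is what lets the UE and the AMF arrive at matching keys independently.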
  • the information element (IE) achieves the purpose that needs to be achieved in the registration process with AMF redirection provided in the embodiments of the present application.
  • Figure 2 is a schematic diagram of a registration process in which AMF redirection occurs.
  • the execution entities include the UE, the initial AMF, the second AMF, the first AMF, the UDM, the NSSF and the NRF.
  • the registration process of the AMF redirection includes the following steps.
  • the UE sends a registration request (registration request, RR) message to the initial AMF, and the RR message carries the UE's 5G-GUTI or SUCI;
  • the UE involved in the embodiment of this application sends an RR message to the initial AMF, which means that the UE sends an RR message to the (R)AN, and the (R)AN sends the RR message to the initial AMF.
  • the (R)AN plays the role of transparent forwarding. For brevity, the embodiments of this application and the drawings describe this directly as the UE sending an RR message to the initial AMF.
  • the UE should include the plaintext IE(s) in the RR message, and the plaintext IE(s) should not include the UE’s requested NSSAI;
  • NAS non-access stratum
  • if the UE has a NAS security context, the UE should include the plaintext IE(s) and a NAS container in the RR message.
  • the NAS container includes a complete RR message, and the complete RR message includes the requested NSSAI of the UE.
  • the initial AMF requests the UE context from the second AMF. That is, the registration process shown in FIG. 2 also includes S2: the initial AMF invokes the sixth service operation of the second AMF. Specifically, after the initial AMF receives the RR message sent by the UE, the initial AMF determines, according to the 5G-GUTI in the RR message, the second AMF that served the UE last time, and invokes the sixth service operation on the second AMF.
  • the service operation may be called Namf_Communication_UEContextTransfer and is used to request the UE context from the second AMF; the UE context includes the UE's NAS security context, and the UE's NAS security context includes the AMF key established between the UE and the second AMF and the identifier corresponding to that AMF key.
  • the second AMF sends a sixth service operation response to the initial AMF, where the sixth service operation response includes the context of the UE.
  • the second AMF sends a sixth service operation response to the initial AMF after successfully authenticating the UE.
  • the second AMF authentication of the UE refers to verifying the integrity protection of the RR message.
  • the sixth service operation response may be called Namf_Communication_UEContextTransfer Response.
  • the sixth service operation response includes Kamf or Kamf', and the key identifier ngKSI corresponding to Kamf or Kamf'.
  • the verification of the integrity protection of a message involved in the embodiments of this application comprises: the message receiver uses the agreed algorithm (and key) to calculate a message verification code over the received message, and then compares it with the verification code carried in the received message.
  • the UE context included in the sixth service operation response includes the following security-related contexts:
  • the sixth service operation response includes Kamf and ngKSI.
  • the sixth service operation response includes Kamf
  • the second AMF directly carries the AMF key used between the UE and the second AMF in the sixth service operation response to notify the initial AMF.
  • the key identifier corresponding to Kamf mentioned above is denoted as ngKSI.
  • the key and the key identifier can be collectively referred to as key information.
  • the sixth service operation response message may also carry the ngKSI.
  • the sixth service operation response includes Kamf' and ngKSI.
  • the sixth service operation response includes Kamf'
  • the second AMF performs horizontal KAMF derivation from the key Kamf used between the UE and the second AMF and generates a new key, which is denoted Kamf'.
  • the embodiments of this application do not limit how the second AMF obtains the aforementioned Kamf'; it may be the horizontal KAMF derivation specified in the existing protocol, or it may be obtained through other agreed derivation algorithms and parameters.
  • details of the above Kamf' are not repeated in this application.
  • the key identifier corresponding to Kamf' mentioned above is denoted as ngKSI.
  • the sixth service operation response message may also carry the ngKSI.
  • the sixth service operation response also includes a key derivation indication, which indicates that the key Kamf' included in the sixth service operation response has undergone key derivation at the second AMF.
  • the key deduction instruction can be called keyAMFHDerivationInd.
  • the sixth service operation response may also include the uplink NAS COUNT value and/or the downlink NAS COUNT value.
  • the sixth service operation response may also include the integrity protection and/or encryption algorithm.
  • the sixth service operation response may also include the UE's security capabilities.
  • the security capabilities of the UE include the integrity protection and/or encryption algorithms implemented on the UE.
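The second AMF's side of steps S2 and S3, as an added example constructed for this page (not the patent's or any vendor's code): it verifies the integrity protection of the forwarded RR by recomputing the message verification code and comparing it in constant time, and only then returns the NAS security context, either as Kamf/ngKSI or as a derived Kamf'/ngKSI plus keyAMFHDerivationInd, together with the NAS COUNT values, the algorithms and the UE security capabilities listed above. The truncated HMAC stands in for the real NAS integrity algorithm, the derivation is one "agreed manner" rather than the protocol's KDF, and rejecting a NAS COUNT that does not advance is an assumed replay check that the page does not specify.

```python
"""Second (old) AMF handling of Namf_Communication_UEContextTransfer (S2/S3):
verify the integrity protection of the forwarded registration request, then
hand the NAS security context to the initial AMF either as Kamf/ngKSI or as a
horizontally derived Kamf'/ngKSI with keyAMFHDerivationInd.

Added illustration, not the patent's code. The MAC function, the derivation
manner and the replay check are simplifications chosen for this example."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class NasSecurityContext:
    kamf: bytes
    ngksi: int
    knas_int: bytes                         # NAS integrity key (derived from Kamf in a real system)
    ul_nas_count: int                       # last accepted uplink NAS COUNT
    dl_nas_count: int
    integrity_alg: str
    ciphering_alg: str
    ue_security_capabilities: tuple[str, ...]


def nas_mac(knas_int: bytes, ul_count: int, message: bytes) -> bytes:
    """Message verification code over COUNT || message. HMAC-SHA-256 truncated
    to 32 bits stands in for the NAS integrity algorithm (NIAx)."""
    data = ul_count.to_bytes(4, "big") + message
    return hmac.new(knas_int, data, hashlib.sha256).digest()[:4]


def horizontal_derive(kamf: bytes, ul_count: int) -> bytes:
    """Kamf -> Kamf'. The page leaves the mechanism open; here it is an HMAC
    over the uplink NAS COUNT, which keeps Kamf unrecoverable from Kamf'."""
    return hmac.new(kamf, b"KAMF-HORIZONTAL" + ul_count.to_bytes(4, "big"), hashlib.sha256).digest()


def ue_context_transfer(ctx: NasSecurityContext, rr: bytes, ul_count: int,
                        received_mac: bytes, derive: bool) -> dict:
    """Build the sixth service operation response, or a rejection."""
    # a COUNT that does not advance is treated as a replay of an earlier RR (assumed check)
    if ul_count <= ctx.ul_nas_count:
        return {"status": "rejected", "cause": "NAS COUNT did not advance"}
    expected = nas_mac(ctx.knas_int, ul_count, rr)
    # constant-time comparison so the check does not leak how many MAC bytes matched
    if not hmac.compare_digest(expected, received_mac):
        return {"status": "rejected", "cause": "integrity check failed"}

    resp = {
        "status": "ok",
        "ngKSI": ctx.ngksi,                 # same identifier whether or not Kamf is derived
        "ulNasCount": ul_count,
        "dlNasCount": ctx.dl_nas_count,
        "integrityAlg": ctx.integrity_alg,
        "cipheringAlg": ctx.ciphering_alg,
        "ueSecurityCapabilities": list(ctx.ue_security_capabilities),
    }
    if derive:
        resp["Kamf"] = horizontal_derive(ctx.kamf, ul_count)   # Kamf'
        resp["keyAMFHDerivationInd"] = True                     # initial AMF must run NAS SMC
    else:
        resp["Kamf"] = ctx.kamf                                 # Kamf handed over as is
    return resp


# constructed sample context and registration request (not real key material)
SAMPLE_CTX = NasSecurityContext(
    kamf=b"\x5a" * 32, ngksi=2, knas_int=b"\x3c" * 16,
    ul_nas_count=8, dl_nas_count=5,
    integrity_alg="NIA2", ciphering_alg="NEA2",
    ue_security_capabilities=("NIA1", "NIA2", "NEA1", "NEA2"),
)
SAMPLE_RR = b"REGISTRATION REQUEST|5G-GUTI=<constructed>|ngKSI=2"


if __name__ == "__main__":
    mac = nas_mac(SAMPLE_CTX.knas_int, 9, SAMPLE_RR)   # what the UE would have attached
    print(ue_context_transfer(SAMPLE_CTX, SAMPLE_RR, 9, mac, derive=True))
    print(ue_context_transfer(SAMPLE_CTX, SAMPLE_RR + b"!", 9, mac, derive=False))
```

The order matters: the context is released only after the RR has been authenticated against the UE's existing context, so a forged RR carrying someone else's 5G-GUTI gets a rejection rather than that subscriber's keys. When the second AMF chooses to derive, the response carries the new key but the unchanged ngKSI, which is the situation the text describes for Kamf' and is why the initial AMF then needs the NAS SMC to move the UE onto the derived key.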
  • if the initial AMF initiates a primary authentication process, for example because the initial AMF decides according to local policy that it needs to initiate primary authentication, the registration process shown in FIG. 2 also includes S4: the initial AMF initiates primary authentication, and both the UE and the initial AMF obtain Kamf_new and its corresponding identifier ngKSI_new.
  • if the initial AMF has initiated primary authentication, then in order for the AMF key on the UE side to start using the Kamf_new generated by primary authentication, the initial AMF initiates a non-access stratum security mode command (NAS SMC) procedure; and/or,
  • NAS SMC non-access stratum security mode command message
  • if the above-mentioned sixth service operation response includes keyAMFHDerivationInd, Kamf' and ngKSI, the initial AMF needs to initiate the above-mentioned NAS SMC procedure; and/or,
  • if the above-mentioned sixth service operation response includes Kamf, or Kamf and ngKSI, and the initial AMF decides to use Kamf and ngKSI but chooses a new security algorithm, the initial AMF needs to initiate the above NAS SMC procedure.
  • the registration process shown in Figure 2 may also include S5: the initial AMF sends a non-access stratum security mode command (NAS SMC) message to the UE.
  • NAS SMC non-access stratum security mode command
  • unless otherwise specified, NAS SMC below refers to the non-access stratum security mode command (NAS SMC) message.
  • where NAS SMC refers to the non-access stratum security mode control procedure, this is stated explicitly.
  • the NAS SMC message carries an indication requesting a complete initial NAS message. Since this application mainly relates to the UE registration process, the indication requesting a complete initial NAS message refers to an indication requesting a complete registration request message; unless otherwise stated below, the indication requesting a complete initial NAS message means an indication requesting a complete registration request message.
  • the UE sends a NAS security mode complete (non-access stratum security mode complete, NAS SMP) message to the initial AMF.
  • NAS security mode complete non-access stratum security mode complete, NAS SMP
  • according to the indication in the NAS SMC message requesting a complete initial NAS message, the UE carries the complete initial NAS message in the NAS security mode complete message.
  • the complete initial NAS message mainly refers to the complete registration request message.
  • the complete initial NAS message carries the aforementioned requested NSSAI.
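The UE side of steps S1, S5 and S6, as an added example constructed for this page (not the patent's code): the RR sent at S1 carries only the plaintext IEs, so the requested NSSAI never appears in the clear part; when the UE already holds a NAS security context, the complete RR travels inside a NAS container; and when the NAS SMC carries the indication requesting the complete initial NAS message, the UE answers with the complete RR in the NAS SMP message. Messages are plain dicts, the set of plaintext IEs is an assumption for the example, and the container's HMAC is a stand-in for real NAS ciphering and integrity protection.

```python
"""UE side of S1 (registration request), S5 (NAS SMC) and S6 (NAS SMP).

Added illustration, not the patent's code. The plaintext IE set is assumed,
and an HMAC over the serialised payload stands in for NAS protection."""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Optional

# IEs allowed in the clear part of the RR (assumed set for this example)
PLAINTEXT_IES = ("registration_type", "ue_identity", "ngksi", "ue_security_capabilities")


def protect(kamf: bytes, ul_count: int, payload: dict) -> dict:
    """NAS container: the payload plus a MAC bound to the uplink NAS COUNT."""
    data = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(kamf, ul_count.to_bytes(4, "big") + data, hashlib.sha256).hexdigest()
    return {"ul_nas_count": ul_count, "payload": payload, "mac": mac}


def build_registration_request(full_rr: dict, nas_ctx: Optional[dict]) -> dict:
    """S1: plaintext IEs only; with a NAS security context, add the complete RR in a NAS container."""
    plaintext = {k: v for k, v in full_rr.items() if k in PLAINTEXT_IES}
    msg = {"plaintext_ies": plaintext}          # requested NSSAI is filtered out here
    if nas_ctx is not None:
        msg["nas_container"] = protect(nas_ctx["kamf"], nas_ctx["ul_nas_count"], full_rr)
    return msg


def amf_requested_nssai(rr_msg: dict, nas_ctx: dict) -> Optional[list]:
    """AMF side: the requested NSSAI is only taken from a container whose MAC verifies.
    Returns None when there is no container (it must then be fetched via NAS SMC / SMP)."""
    container = rr_msg.get("nas_container")
    if container is None:
        return None
    expected = protect(nas_ctx["kamf"], container["ul_nas_count"], container["payload"])["mac"]
    if not hmac.compare_digest(expected, container["mac"]):
        raise ValueError("NAS container integrity check failed")
    return container["payload"].get("requested_nssai")


def handle_nas_smc(smc: dict, full_rr: dict, new_ctx: dict) -> dict:
    """S6: NAS SMP; the complete RR is included only when the SMC asked for it."""
    smp = {"message": "SECURITY MODE COMPLETE"}
    if smc.get("request_complete_initial_nas_message"):
        smp["nas_container"] = protect(new_ctx["kamf"], new_ctx["ul_nas_count"], full_rr)
    return smp


# constructed sample RR (identity and NSSAI values are placeholders)
FULL_RR = {
    "registration_type": "initial",
    "ue_identity": "5G-GUTI-<constructed>",
    "ngksi": 2,
    "ue_security_capabilities": ["NIA2", "NEA2"],
    "requested_nssai": [{"sst": 1, "sd": "000001"}, {"sst": 2}],
}

if __name__ == "__main__":
    print(build_registration_request(FULL_RR, None))
    ctx = {"kamf": b"\x5a" * 32, "ul_nas_count": 3}
    print(amf_requested_nssai(build_registration_request(FULL_RR, ctx), ctx))
    print(handle_nas_smc({"request_complete_initial_nas_message": True}, FULL_RR, ctx))
```

The point an implementer should take from this: the AMF never reads the requested NSSAI from the clear part, so a UE without a security context only gets its slices considered after the NAS SMC round trip has delivered the complete RR under the freshly established keys.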
  • if the initial AMF needs the UE's subscription information to decide whether to perform AMF redirection, and the second AMF did not provide the UE's slice selection subscription information, the initial AMF needs to obtain the UE's slice selection subscription information from the UDM. That is, the registration process shown in FIG. 2 also includes S7: the initial AMF invokes the second service operation of the UDM.
  • the second service operation may be referred to as the Nudm_SDM_Get service operation, which is used to request the UE's slice selection subscription information from the UDM.
  • the UDM sends a second service operation response to the initial AMF.
  • the second service operation response includes the slice selection subscription information of the UE.
  • if the initial AMF needs to perform slice selection (for example, the initial AMF cannot serve some or all of the single network slice selection assistance information (S-NSSAI) in the requested NSSAI of the UE), the initial AMF needs to obtain from the NSSF information on the AMF(s) that can serve the aforementioned requested NSSAI of the UE.
  • the registration process shown in Figure 2 may also include S9: the initial AMF calls the third service operation of the NSSF.
  • This third service operation may be called the Nnssf_NSSelection_Get service operation, which is used to request from the NSSF information on the AMF(s) that can serve the requested NSSAI.
  • the NSSF sends a third service operation response to the initial AMF.
  • the third service operation response includes the slice selection subscription information of the UE.
  • the initial AMF decides to retransmit the RR message to the first AMF. That is, the registration process shown in FIG. 2 also includes S11: the initial AMF invokes the fourth service operation of the second AMF. The fourth service operation indicates that the UE registration at the initial AMF failed.
  • the fourth service operation may be called Namf_Communication_RegistrationStatusUpdate, and the registration status of the UE carried in the fourth service operation is "NOT_TRANSFERRED".
  • if the initial AMF needs to obtain the address of the first AMF from the NRF, the registration process shown in FIG. 2 further includes S12: the initial AMF invokes the fifth service operation of the NRF.
  • the fifth service operation may be referred to as the Nnrf_NFDiscovery_Request service operation, which is used to obtain the address of the first AMF.
  • the NRF sends a fifth service operation response to the initial AMF, where the fifth service operation response includes the address of the first AMF.
  • if the initial AMF decides, based on local policy and the subscription information of the UE, to forward the NAS message (i.e. the RR message) directly to the first AMF (i.e. direct NAS reroute), the initial AMF needs to send the complete registration request message and the UE context to the first AMF.
  • the registration process shown in FIG. 2 may also include S14: the initial AMF invokes the first service operation of the first AMF.
  • the first service operation may be called the Namf_Communication_N1MessageNotify service operation, which is used to send the complete registration request message to the first AMF.
  • the context of the UE includes the NAS security-related context of the UE.
  • the security-related context of the UE is referred to as the NAS security context of the UE in the following for short.
  • the initial AMF decides according to local policy whether to perform horizontal KAMF derivation. If the initial AMF does not perform horizontal KAMF derivation according to local policy, the initial AMF sends the current security context to the first AMF; if the initial AMF performs horizontal KAMF derivation according to local policy, the initial AMF generates a new KAMF, a new security context, or a new NAS security context from the current KAMF, sends that new KAMF, new security context, or new NAS security context to the first AMF, and sends a horizontal KAMF derivation indication to the first AMF.
  • This horizontal KAMF derivation indication may be called keyAmfHDerivationInd.
  • the initial AMF sends the current security context, or the new KAMF, or the new security context, or the horizontal KAMF derivation indication in the first service operation.
  • the current security context includes the current NAS security context.
  • the current NAS security context includes the current KAMF.
  • the initial AMF generates a new KAMF based on the current KAMF, which is also called deduced KAMF.
  • the initial AMF generates a new security context based on the current KAMF, which is also called a deduced security context.
  • the initial AMF generates a new NAS security context based on the current KAMF, also known as the deduced NAS security context, including the deduced KAMF.
  • the new security context generated by the initial AMF according to the current KAMF includes the new NAS security context generated by the initial AMF according to the current KAMF.
  • the horizontal KAMF deduction instruction is also called the KAMF level deduction instruction, which is used to instruct the generation of a new KAMF, or horizontal KAMF deduction.
  • as can be seen from the description of step S14 of the registration process shown in FIG. 2 above, after the first AMF receives the first service operation, the first N1 message sent by the first AMF to the UE has the following possibilities:
  • if the first AMF decides to initiate primary authentication (for example, the first AMF does not receive the UE's NAS security context, or the first AMF receives the UE's NAS context but decides not to use the received KAMF), then the first AMF sends an authentication request message to the UE;
  • if the UE context is carried in the first service operation and the first AMF decides to use the received KAMF, and the first AMF selects a new encryption and/or integrity protection algorithm, or the first AMF receives a horizontal KAMF deduction indication, then the first AMF sends a NAS SMC message to the UE;
  • if the first AMF decides to use the received key and the received encryption and/or integrity algorithm (the security algorithm used between the UE and the second AMF), then the first AMF sends another N1 message to the UE.
  • the authentication request message sent by the first AMF to the UE may be discarded by the UE.
  • a new NAS security context is established between the initial AMF and the UE, or NAS SMC is successfully performed between the initial AMF and the UE, or NAS security protection is activated between the initial AMF and the UE, or the initial AMF and the UE perform a secure exchange of NAS messages.
  • the authentication request message sent by the first AMF to the UE may be discarded by the UE, because the UE and the initial AMF have established a new NAS security context through the NAS SMC process, so the UE can only process N1 messages or NAS SMC messages protected by the new NAS security context.
  • if the first AMF decides to perform primary authentication, the first AMF sends an authentication request message to the UE;
  • the current protocol does not define that this message is to be protected;
  • the UE receives an unprotected authentication request message and will discard it;
  • discarding the authentication request message eventually leads to registration failure.
  • "used to indicate" can include both direct indication and indirect indication.
  • the indication information may directly indicate A or indirectly indicate A, but it does not mean that A must be carried in the indication information.
  • the information indicated by the instruction information is called the information to be indicated.
  • the information to be indicated can be indicated directly, for example by sending the information to be indicated itself, or an index of the information to be indicated, etc.
  • the information to be indicated can also be indicated indirectly by indicating other information, where there is an association relationship between the other information and the information to be indicated. It is also possible to indicate only a part of the information to be indicated, while other parts of the information to be indicated are known or agreed in advance. For example, it is also possible to realize the indication of specific information by means of the pre-arranged order (for example, stipulated in the agreement) of the various information, thereby reducing the indication overhead to a certain extent. At the same time, it can also identify the common parts of each information and uniformly indicate, so as to reduce the instruction overhead caused by separately indicating the same information.
  • the terms "first", "second", and various numbers (for example, "#1", "#2", etc.) shown in this application are only for convenience of description and for distinguishing objects, and are not used to limit the scope of the embodiments of this application. For example, they distinguish the second AMF from the first AMF, and so on. They are not used to describe a specific order or sequence. It should be understood that the objects described in this way can be interchanged under appropriate circumstances, so as to be able to describe solutions other than the embodiments of the present application.
  • "pre-defined" may include, for example, being defined in a protocol.
  • "pre-defined" can be realized by pre-saving corresponding codes, tables or other methods that can be used to indicate related information in the device (for example, including user equipment and access network equipment), which is not limited in this application.
  • the "saving" involved in the embodiments of the present application may refer to storing in one or more memories.
  • the one or more memories may be separate settings, or may be integrated in an encoder or decoder, a processor, or a communication device.
  • the one or more memories may also be partly provided separately, and partly integrated in a decoder, a processor, or a communication device.
  • the type of the memory can be any form of storage medium, which is not limited in this application.
  • the "protocols" involved in the embodiments of this application may refer to standard protocols in the communications field, for example, the LTE protocol, the new radio (NR) protocol, and related protocols applied to future communication systems; this application is not limited thereto.
  • Kamf: the AMF key included in the NAS security context established between the UE and the second AMF;
  • Kamf′: the AMF key generated after key derivation from Kamf;
  • KAMF: AMF key, which can refer to the aforementioned Kamf or Kamf′ or other AMF keys.
  • this application provides a method for registration, which prevents the UE from discarding the authentication request message by causing the first AMF to send a protected authentication request message, improving the chance of successful registration.
  • the method for registration provided in the embodiments of the present application will be described in detail below with reference to the accompanying drawings.
  • the embodiments shown below do not specifically limit the structure of the execution body of the method provided by the embodiments of the present application, as long as it can run a program that records the code of the method provided by the embodiments of the present application and communicate according to that method.
  • the execution body of the method provided in the embodiments of the application may be the user equipment or the access network device, or a functional module in the user equipment or the access network device that can call and execute the program.
  • network equipment includes access network equipment and core network equipment.
  • Fig. 3 is a schematic flowchart of a method for registration provided in an embodiment of the present application.
  • the executive body includes UE, initial AMF, second AMF, first AMF, UDM, NSSF and NRF.
  • the method for registration includes some or all of the following steps.
  • S310: The UE sends an RR message to the initial AMF, which is similar to S1 in FIG. 2 and will not be repeated here.
  • the initial AMF requests the UE context from the second AMF.
  • the registration process shown in FIG. 3 may also include S320: the initial AMF invokes the sixth service operation of the second AMF, which is similar to S2 in FIG. 2 and will not be repeated here.
  • S330: The second AMF sends a sixth service operation response to the initial AMF, which is similar to S3 in FIG. 2 and will not be repeated here.
  • the registration process shown in FIG. 3 further includes S340: the initial AMF initiates the main authentication process, which is similar to S4 in FIG. 2 and will not be repeated here.
  • S350: The initial AMF sends a NAS SMC message to the UE, which is similar to S5 in FIG. 2 and will not be repeated here.
  • S360: The UE sends a NAS SMP message to the initial AMF, which is similar to S6 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes the second service operation of the UDM, which is similar to S7 in FIG. 2 and will not be repeated here.
  • the UDM sends a second service operation response to the initial AMF, which is similar to S8 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes the third service operation of the NSSF, which is similar to S9 in FIG. 2 and will not be repeated here.
  • S391: The NSSF sends a third service operation response to the initial AMF, which is similar to S10 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes the fourth service operation of the second AMF, which is similar to S11 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes the fifth service operation of the NRF, which is similar to S12 in FIG. 2 and will not be repeated here.
  • the NRF sends a fifth service operation response to the initial AMF, which is similar to S13 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes a first service operation of the first AMF, and the first service operation is used to indicate that an AMF redirection occurs.
  • the difference from the registration process shown in FIG. 2 is that in this embodiment, after the first AMF receives the above-mentioned first service operation, the first AMF protects the first message, or the first AMF does not perform primary authentication.
  • the first AMF protects the first message or the first AMF does not perform primary authentication includes the following two situations:
  • Case 1: The first AMF receives the first indication information.
  • the first indication information is used to instruct the first AMF to protect the first message.
  • the first AMF determines that the first message should be protected according to the first indication information.
  • the first indication information is used to instruct the first AMF to use the received KAMF, or to instruct the first AMF to use the received security context, or to instruct the first AMF not to perform primary authentication, or to instruct the first AMF to skip the main authentication process and proceed to other processes in the registration.
  • the first AMF does not perform the main authentication, or the first AMF uses the received KAMF, or the first AMF skips the main authentication and performs other processes in the registration process.
  • the first AMF still uses the received NAS security context to protect the N1 message.
  • the first message is an authentication request message, or the first message is an N1 message, or the first message is an N1 message other than the NAS SMC message.
  • the method for registration provided in the embodiment of the present application is mainly to prevent the UE from discarding the unprotected authentication request message sent by the first AMF when the AMF redirection occurs, and the registration fails. Therefore, it can be understood that the foregoing first message includes an authentication request message, and other messages may also be within the scope covered by the first message, and the other messages are not necessarily limited to N1 messages.
  • the first message involved in the embodiment of the present application includes an authentication request message, and it is understood that the first message may be an authentication request message.
  • the first indication information is carried in the foregoing first service operation. That is, an IE is newly added to the first service operation shown in FIG. 2, and the newly added IE is the above-mentioned first indication information;
  • the first indication information is newly added signaling between the initial AMF and the first AMF, and is sent to the first AMF before the first AMF sends the above-mentioned first message.
  • the initial AMF determines that the first indication information needs to be sent to the first AMF. That is, the method flow shown in FIG. 3 further includes S396: the initial AMF determines to send the first indication information to the first AMF.
  • the initial AMF sends the first indication information to the first AMF.
  • the first AMF receives the first indication information.
  • the first preset condition is any one or more of the following conditions:
  • a secure exchange of NAS messages is carried out between the initial AMF and the UE; NAS SMC is successfully carried out between the initial AMF and the UE; a security association is established between the UE and the initial AMF; security protection is activated between the UE and the initial AMF; a new NAS security context is established between the UE and the initial AMF; the initial AMF performs horizontal KAMF deduction; primary authentication is performed between the UE and the initial AMF; the initial AMF selects a security algorithm different from the security algorithm selected by the second AMF; or the initial AMF uses a KAMF derived horizontally from the KAMF received from the second AMF.
  • otherwise, the initial AMF does not send the first indication information to the first AMF, and the first AMF does not receive the first indication information.
  • in that case the first AMF decides whether to perform the main authentication according to the local policy, and if the first AMF decides to perform the main authentication, the first AMF sends an unprotected authentication request message, or the first AMF uses the received security context to protect the authentication request message and sends a protected authentication request message.
  • the first indication information may be used to indicate at least one of the following situations:
  • a secure exchange of NAS messages is carried out between the initial AMF and the UE, a security association is established between the UE and the initial AMF, security protection is activated between the UE and the initial AMF, a new NAS security context is established between the UE and the initial AMF, the NAS SMC process is successfully carried out between the initial AMF and the UE, the first AMF should use the received NAS security context to protect the first message, the first AMF does not perform the main authentication process, the first AMF skips the main authentication process and performs other processes in the registration, or the first AMF uses the received KAMF.
  • the context of the UE in the first service operation described above includes the NAS security context.
  • the NAS security context may be a NAS security context after horizontal deduction.
  • the method flow shown in FIG. 3 further includes S397: the first AMF protects the first message according to the first indication information.
  • the protected first message is sent to the UE.
  • the method flow shown in FIG. 3 further includes S301: the first AMF sends the protected first message to the UE.
  • if the first indication information is used to instruct the first AMF to use the received KAMF, or the first AMF does not perform the main authentication process, or the first AMF skips the main authentication process to perform other processes in the registration, the method flow shown in FIG. 3 may further include S302: the first AMF does not perform the main authentication according to the first indication information, or, described differently, the first AMF skips the main authentication and performs other processes in the registration according to the first indication information, or the first AMF uses the received KAMF.
  • the first AMF still uses the received NAS security context to protect the N1 message.
  • the first AMF protects the first message according to the first indication information, including any one of the following possibilities:
  • the first AMF uses the received NAS security context to protect the authentication request message, the first AMF uses the received KAMF and security algorithm to protect the authentication request message, or the first AMF calculates the NAS key from the received KAMF and the received security algorithm and uses the calculated NAS key and the received algorithm to protect the authentication request message.
  • the first AMF uses the received NAS security context or KAMF to protect the N1 message.
  • when the first AMF decides to use the received KAMF according to the local policy, the first AMF shall use the received NAS security context to protect the N1 message, or use the received NAS security context to protect N1 messages other than the NAS SMC message;
  • the first AMF uses the received KAMF and security algorithm to protect the N1 message, or uses the received KAMF and security algorithm to protect N1 messages other than the NAS SMC message; or the first AMF calculates the NAS key from the received KAMF and the received security algorithm and uses the calculated NAS key and the received algorithm to protect the N1 message, or to protect N1 messages other than the NAS SMC message.
  • Case 2: After the first AMF receives the first service operation, the first AMF may also protect the first message.
  • the first AMF protects the first message according to the operation of receiving the first service.
  • the first AMF judges whether AMF redirection occurs according to the received first service operation, and if the redirection occurs, the first message is protected.
  • the first AMF uses the received KAMF according to receiving the first service operation, or does not perform the main authentication, or skips the main authentication to perform other processes in the registration process.
  • the first AMF still uses the received NAS security context to protect the N1 message.
  • the first AMF determines whether AMF redirection occurs according to the received first service operation. If an AMF redirection occurs, the first AMF uses the received KAMF, or does not perform the main authentication, or skips the main authentication to perform other processes in the registration process. In this implementation manner, the first AMF still uses the received NAS security context to protect the N1 message.
  • the first AMF determines that AMF redirection has occurred according to the registration context container information element (registrationCtxtContainer IE) carried in the first service operation, and/or the first AMF determines that AMF redirection has occurred because the type of the N1 message notified in the first service operation is 5GMM.
  • the method flow shown in FIG. 3 further includes S398: the first AMF protects the first message.
  • the protected first message is sent to the UE.
  • the method flow shown in FIG. 3 further includes S301: the first AMF sends the protected first message to the UE.
  • the method flow shown in FIG. 3 may further include S303: the first AMF does not perform the main authentication according to the first service operation, or, described differently, the first AMF skips the main authentication to perform other processes in the registration according to the first service operation, or the first AMF uses the received KAMF; and the first AMF still uses the received NAS security context to protect the N1 message.
  • the first AMF protects the first message, including any one of the following possibilities:
  • the first AMF uses the received KAMF to protect the authentication request message, the first AMF uses the received NAS security context to protect the authentication request message, the first AMF uses the received KAMF and security algorithm to protect the authentication request message, or the first AMF calculates the NAS key from the received KAMF and the received security algorithm and uses the calculated NAS key and the received algorithm to protect the authentication request message.
  • the first AMF uses the received NAS security context or KAMF to protect the NAS SMC message or other N1 message sent to the UE.
  • the first AMF uses the received NAS security context to protect the N1 message, or the first AMF uses the received NAS security context to protect N1 messages other than the NAS SMC message;
  • the first AMF uses the received KAMF and security algorithm to protect the N1 message, or the first AMF uses the received KAMF and security algorithm to protect all N1 messages other than the NAS SMC message;
  • the first AMF calculates the NAS key from the received KAMF and the received security algorithm and uses the calculated NAS key and the received algorithm to protect the N1 message, or the first AMF calculates the NAS key from the received KAMF and the received security algorithm and uses the calculated NAS key and the received algorithm to protect N1 messages other than the NAS SMC message.
  • the first AMF determines that AMF redirection occurs, and then the first AMF protects the first message.
  • the method flow shown in FIG. 3 also includes S399: the first AMF judges that AMF redirection has occurred.
  • the first AMF may determine whether AMF redirection has occurred according to the IE(s) carried in the first service operation. For example, if the N1 message type carried in the first service operation includes 5GMM, it is determined that AMF redirection has occurred; or, if the first service operation carries a registration context container (Registration Context Container) type IE, it is determined that AMF redirection has occurred.
  • after determining that AMF redirection has occurred, the first AMF may skip the main authentication process and perform other processes in the registration, or the first AMF may not perform the main authentication; and the first AMF uses the received NAS security context to protect the first message, or the first AMF uses the received KAMF.
  • the method flow shown in FIG. 3 causes the first AMF to send the protected authentication request message, so as to prevent the UE from discarding the received unprotected authentication request message.
  • Fig. 4 is a schematic flowchart of another method for registration provided in an embodiment of the present application.
  • the executive body includes UE, (R)AN, initial AMF, second AMF, first AMF, UDM, NSSF and NRF.
  • the method for registration includes some or all of the following steps.
  • S410: The UE sends an RR message to the initial AMF, which is similar to S1 in FIG. 2 and will not be repeated here.
  • the initial AMF requests the UE context from the second AMF. That is, the registration process shown in FIG. 3 also includes S420: the initial AMF invokes the sixth service operation of the second AMF, which is similar to S2 in FIG. 2 and will not be repeated here.
  • S430: The second AMF sends a sixth service operation response to the initial AMF, which is similar to S3 in FIG. 2 and will not be repeated here.
  • the registration process shown in FIG. 3 further includes S440: the initial AMF initiates the main authentication process, which is similar to S4 in FIG. 2 and will not be repeated here.
  • the initial AMF sends a NAS SMC message to the UE, which is similar to S5 in FIG. 2 and will not be repeated here.
  • S460: The UE sends a NAS SMP message to the initial AMF, which is similar to S6 in FIG. 2 and will not be repeated here.
  • S470: The initial AMF invokes the second service operation of the UDM, which is similar to S7 in FIG. 2 and will not be repeated here.
  • the UDM sends a second service operation response to the initial AMF, which is similar to S8 in FIG. 2 and will not be repeated here.
  • the difference from the registration process shown in Figure 2 is that, in the registration method shown in Figure 4, the initial AMF determines to send second indication information to the UE to instruct the UE to accept the unprotected authentication request message.
  • the registration process shown in FIG. 4 further includes S481: the initial AMF sends second indication information to the UE.
  • the second indication information is used to instruct the UE to accept the unprotected authentication request message; this can also be understood as the second indication information being used to instruct the UE to process the unprotected authentication request message, or to instruct the UE not to discard unprotected authentication request messages.
  • the initial AMF determining to send the second indication information to the UE includes the initial AMF determining to send the second indication information to the UE based on a second preset condition, that is, when at least one of the following second preset conditions is met, the initial AMF determines to send the second indication information to the UE:
  • the initial AMF decides to initiate AMF redirection
  • the initial AMF decides to initiate AMF redirection through the RAN
  • a secure exchange of NAS messages was carried out between the initial AMF and the UE before the AMF redirection
  • NAS SMC was performed between the UE and the initial AMF before the AMF redirection
  • a security association was established between the UE and the initial AMF before the AMF redirection
  • security protection was activated between the UE and the initial AMF before the AMF redirection
  • a new NAS security context was established between the UE and the initial AMF before the AMF redirection
  • primary authentication was performed between the UE and the initial AMF before the AMF redirection
  • the initial AMF selected a security algorithm different from the security algorithm selected by the second AMF before the AMF redirection
  • before the AMF redirection, the initial AMF used the KAMF derived horizontally from the KAMF received from the second AMF.
  • the second indication information can be added to the existing message, or it can be a new piece of signaling for transmission.
  • the initial AMF may send an N1 message to the UE, and the N1 message is used to instruct the UE to accept an unprotected authentication request message; for example, the initial AMF sends an N1 message to the UE (for example, a configuration update command message, a NAS SMC message, a 5GMM status message, or a downlink NAS transport message, etc.), and the N1 message carries the second indication information.
  • the method flow for registration shown in Fig. 4 should also include S490: the initial AMF invokes the third service operation of the NSSF, which is similar to S9 in Fig. 2 and will not be repeated here.
  • the NSSF sends a third service operation response to the initial AMF, which is similar to S10 in FIG. 2 and will not be repeated here.
  • S492: The initial AMF invokes the fourth service operation of the second AMF, which is similar to S11 in FIG. 2 and will not be repeated here.
  • the initial AMF calls the fifth service operation of the NRF, which is similar to S12 in FIG. 2 and will not be repeated here.
  • the NRF sends a fifth service operation response to the initial AMF, which is similar to S13 in FIG. 2 and will not be repeated here.
  • S495: The initial AMF invokes the first service operation of the first AMF, which is similar to S14 in FIG. 2 and will not be repeated here.
  • since the UE has received the above-mentioned second indication information in advance, after S495, when the UE receives the unprotected authentication request message sent by the first AMF, the UE will not discard the authentication request message.
  • the method flow for registration shown in FIG. 4 should also include S496: the UE receives the unprotected first message from the first AMF.
  • the first message includes the authentication request message, which avoids registration failure caused by the UE discarding the unprotected authentication request message.
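As an added example (not code from the patent or from any 3GPP implementation), the following Python model contrasts the FIG. 2 behaviour with the FIG. 3 mechanisms (Case 1, the first indication information; Case 2, redirection detected from the registrationCtxtContainer IE) and the FIG. 4 mechanism (the second indication information that lets the UE accept an unprotected authentication request). The KDF, the MAC construction, the IE field names and all sample values are simplified assumptions and do not reproduce the TS 33.501 encodings.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def kdf(key: bytes, label: bytes) -> bytes:
    """Constructed stand-in for the 3GPP KDF (plain HMAC-SHA-256 here)."""
    return hmac.new(key, label, hashlib.sha256).digest()


@dataclass(frozen=True)
class NasSecurityContext:
    """NAS security context from the UE context: KAMF plus the selected
    integrity algorithm ("NIA2" is used only as a label)."""
    kamf: bytes
    integrity_alg: str

    def knas_int(self) -> bytes:
        # NAS integrity key computed from the received KAMF and received algorithm
        return kdf(self.kamf, b"NAS-INT|" + self.integrity_alg.encode())


@dataclass
class N1Message:
    msg_type: str                # e.g. "AUTHENTICATION_REQUEST" or "NAS_SMC"
    body: bytes
    mac: Optional[bytes] = None  # None means the message is sent unprotected


def protect(ctx: NasSecurityContext, msg: N1Message) -> N1Message:
    """Integrity-protect an N1 message with the NAS key derived from ctx
    (32-bit tag like a NAS MAC; the tag construction itself is simplified)."""
    tag = hmac.new(ctx.knas_int(), msg.msg_type.encode() + b"|" + msg.body,
                   hashlib.sha256).digest()[:4]
    return N1Message(msg.msg_type, msg.body, tag)


@dataclass
class N1MessageNotify:
    """Constructed model of the first service operation
    (Namf_Communication_N1MessageNotify) sent by the initial AMF."""
    registration_request: bytes
    ue_security_context: Optional[NasSecurityContext]
    first_indication: bool = False             # first indication information (new IE, Case 1)
    registration_ctxt_container: bool = False  # registrationCtxtContainer IE present (Case 2)


class UE:
    """UE that has completed NAS SMC with the initial AMF and therefore only
    processes N1 messages protected by that new NAS security context."""

    def __init__(self, ctx: NasSecurityContext) -> None:
        self.ctx = ctx
        self.accept_unprotected_auth_req = False  # set by the second indication (FIG. 4)

    def receive(self, msg: N1Message) -> str:
        if msg.mac is None:
            if msg.msg_type == "AUTHENTICATION_REQUEST" and self.accept_unprotected_auth_req:
                return "processed"
            return "discarded"
        expected = protect(self.ctx, N1Message(msg.msg_type, msg.body)).mac
        return "processed" if hmac.compare_digest(expected, msg.mac) else "discarded"


class FirstAMF:
    def __init__(self, policy_primary_auth: bool = True,
                 detect_redirect_from_ie: bool = False) -> None:
        self.policy_primary_auth = policy_primary_auth          # FIG. 2 local policy
        self.detect_redirect_from_ie = detect_redirect_from_ie  # Case 2 behaviour

    def handle_notify(self, notify: N1MessageNotify) -> N1Message:
        """Build the first N1 message to the UE after an AMF reroute."""
        ctx = notify.ue_security_context
        auth_req = N1Message("AUTHENTICATION_REQUEST", b"RAND|AUTN (constructed)")
        redirected = self.detect_redirect_from_ie and notify.registration_ctxt_container
        if ctx is not None and (notify.first_indication or redirected):
            # Case 1 / Case 2: protect the first message with the received NAS security context
            return protect(ctx, auth_req)
        if ctx is None or self.policy_primary_auth:
            # FIG. 2 behaviour: primary authentication starts with an unprotected request
            return auth_req
        # Local policy keeps the received KAMF: NAS SMC protected with the received context
        return protect(ctx, N1Message("NAS_SMC", b"selected algorithms (constructed)"))


def run_reroute(first_indication: bool = False, second_indication: bool = False,
                detect_redirect_from_ie: bool = False, policy_primary_auth: bool = True) -> str:
    """Simulate S14/S495 and return the UE's verdict on the first AMF's first message."""
    ctx = NasSecurityContext(hashlib.sha256(b"constructed KAMF").digest(), "NIA2")
    ue = UE(ctx)
    ue.accept_unprotected_auth_req = second_indication  # S481 already delivered
    notify = N1MessageNotify(b"REGISTRATION REQUEST (constructed)", ctx,
                             first_indication=first_indication,
                             registration_ctxt_container=True)
    return ue.receive(FirstAMF(policy_primary_auth, detect_redirect_from_ie).handle_notify(notify))
```

`run_reroute()` with no indication reproduces the FIG. 2 failure ("discarded"), while the first indication, the Case 2 IE detection, or the second indication each yield "processed".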
  • FIG. 11 is a schematic flowchart of yet another method for registration provided in an embodiment of the present application.
  • the executive body includes UE, initial AMF, second AMF, first AMF, UDM, NSSF and NRF.
  • the method for registration includes some or all of the following steps.
  • S510: The UE sends an RR message to the initial AMF, which is similar to S1 in FIG. 2 and will not be repeated here.
  • the initial AMF requests the UE context from the second AMF.
  • the registration process shown in FIG. 11 may also include S520: the initial AMF invokes the sixth service operation of the second AMF, which is similar to S2 in FIG. 2 and will not be repeated here.
  • S530: The second AMF sends a sixth service operation response to the initial AMF, which is similar to S3 in FIG. 2 and will not be repeated here.
  • the registration process shown in FIG. 11 also includes S540: the initial AMF initiates the main authentication process, which is similar to S4 in FIG. 2 and will not be repeated here.
  • S550: The initial AMF sends a NAS SMC message to the UE, which is similar to S5 in FIG. 2 and will not be repeated here.
  • S560: The UE sends a NAS SMP message to the initial AMF, which is similar to S6 in FIG. 2 and will not be repeated here.
  • S570: The initial AMF invokes the second service operation of the UDM, which is similar to S7 in FIG. 2 and will not be repeated here.
  • the UDM sends a second service operation response to the initial AMF, which is similar to S8 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes the third service operation of the NSSF, which is similar to S9 in FIG. 2 and will not be repeated here.
  • the NSSF sends a third service operation response to the initial AMF, which is similar to S10 in FIG. 2 and will not be repeated here.
  • S592: The initial AMF invokes the fourth service operation of the second AMF, which is similar to S11 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes the fifth service operation of the NRF, which is similar to S12 in FIG. 2 and will not be repeated here.
  • the NRF sends a fifth service operation response to the initial AMF, which is similar to S13 in FIG. 2 and will not be repeated here.
  • the initial AMF invokes a first service operation of the first AMF, and the first service operation is used to notify the N1 message received by the first AMF.
  • the initial AMF saves the complete registration request message and/or the context of the UE, the initial AMF sends the complete registration request message and/or the context of the UE to the first AMF through the first service operation.
  • The initial AMF decides whether to perform horizontal KAMF derivation; that is, the method flow shown in FIG. 11 also includes S596: the initial AMF decides whether to perform horizontal KAMF derivation.
  • If the initial AMF decides not to perform horizontal KAMF derivation, the initial AMF sends the current security context, including the current KAMF, to the first AMF.
  • If the initial AMF decides to perform horizontal KAMF derivation, the initial AMF generates a new KAMF, a new security context or a new NAS security context from the current KAMF, sends the new KAMF, new security context or new NAS security context to the first AMF, and sends a horizontal KAMF derivation indication to the first AMF.
  • This horizontal KAMF derivation indication may be called keyAmfHDerivationInd.
  • The initial AMF may send the UE's security context (the current security context, or the new KAMF or new security context, or the horizontal KAMF derivation indication) to the first AMF through the first service operation, or through a message other than the first service operation.
  • The specific way in which the initial AMF sends the UE's security context to the first AMF is not limited in this application.
  • The initial AMF may decide whether to perform horizontal KAMF derivation in any of the following three ways:
  • Method 1: The initial AMF does not perform horizontal KAMF derivation; that is, the initial AMF sends the current security context to the first AMF.
  • Method 2: The initial AMF determines whether to perform horizontal KAMF derivation according to local policy; that is, the initial AMF determines according to local policy either to perform or not to perform horizontal KAMF derivation.
  • Method 3: The initial AMF determines whether to perform horizontal KAMF derivation according to a fourth preset condition. If the initial AMF determines that the fourth preset condition is satisfied, the initial AMF does not perform horizontal KAMF derivation and sends the current security context to the first AMF. If the initial AMF determines that the fourth preset condition is not satisfied, the initial AMF determines according to local policy whether to perform horizontal KAMF derivation.
  • The fourth preset condition is any one or more of the following conditions:
  • secure exchange of NAS messages has been established between the initial AMF and the UE; a NAS SMC procedure has been completed successfully between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the initial AMF uses a KAMF received from the second AMF that the second AMF generated by horizontal KAMF derivation; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and has decided to use the KAMF received from the second AMF.
  • The first AMF executes any one of the following options:
  • Option 1: The first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context.
  • That is, the method flow shown in FIG. 11 also includes S5951: the first AMF skips primary authentication, or the first AMF uses the received KAMF or security context.
  • The first AMF protects the third message based on the received KAMF or security context and sends the third message to the UE.
  • That is, the method flow shown in FIG. 11 further includes S5952: the first AMF sends the third message to the UE.
  • Specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, and uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the third message.
  • The third message is any N1 message that is not an authentication request.
  • That the first AMF does not perform primary authentication means that the first AMF uses the received KAMF or security context.
  • Option 2: The first AMF protects the authentication request message, and/or the first AMF sends a security-protected authentication request message, and/or the first AMF sends a security-protected N1 message that includes the authentication request message.
  • That is, the method flow shown in FIG. 11 further includes S5953: the first AMF protects the authentication request message.
  • The N1 message includes the authentication request message.
  • That the first AMF protects the authentication request message means that the first AMF protects the authentication request message based on the received KAMF or security context and sends the security-protected authentication request message. Specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the authentication request message, and sends the security-protected authentication request message.
  • That the first AMF sends a security-protected authentication request message likewise means that the first AMF protects the authentication request message based on the received KAMF or security context and sends the security-protected authentication request message.
  • Specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the authentication request message, and sends the security-protected authentication request message.
  • That the first AMF sends a security-protected N1 message including the authentication request message means that the first AMF protects the N1 message based on the received KAMF or security context and sends the security-protected N1 message. Specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the N1 message, and sends the security-protected N1 message.
  • The N1 message here includes the authentication request message.
  • Option 3: The first AMF sends an authentication request message without security protection, or the first AMF initiates a NAS SMC.
  • That is, the method flow shown in FIG. 11 also includes S5955: the first AMF initiates a NAS SMC.
  • S5956: The first AMF sends an authentication request message without security protection to the UE.
  • Option 4: The first AMF does not perform primary authentication; or the first AMF protects the authentication request message; or the first AMF sends a security-protected N1 message that includes the authentication request message.
  • That is, the method flow shown in FIG. 11 further includes S5956: the first AMF protects the authentication request message, or the first AMF does not perform primary authentication.
  • S5957: The first AMF sends a security-protected authentication request message to the UE; this can be understood as the first AMF sending a security-protected N1 message to the UE.
  • The N1 message includes the authentication request message.
  • That the first AMF does not perform primary authentication means that the first AMF uses the received KAMF or security context, i.e. the first AMF skips primary authentication and performs the remaining procedures of the registration process.
  • The first AMF protects the third message based on the received KAMF or security context; specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, and uses the generated NAS encryption key and/or NAS integrity key to protect the third message.
  • The third message is any N1 message that is not an authentication request.
  • That the first AMF protects the authentication request message means that the first AMF protects the authentication request message based on the received KAMF or security context and sends the security-protected authentication request message.
  • Specifically, the first AMF generates a NAS encryption/decryption key and a NAS integrity key from the received KAMF or security context, uses the generated NAS encryption/decryption key and/or NAS integrity key to protect the authentication request message, and sends the security-protected authentication request message.
  • After the first AMF receives the above first service operation, the first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context.
  • After the first AMF receives the above first service operation, it determines whether AMF redirection or direct non-access-stratum rerouting (also referred to as direct NAS reroute) has occurred. If AMF redirection or direct NAS rerouting has occurred, the first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context. The first AMF determines that AMF redirection has occurred according to the registration context container information element (registrationCtxtContainer IE) carried in the first service operation, and/or according to the type of the N1 message notified in the first service operation being 5GMM.
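The following Python is an added example, not code from the patent or from 3GPP, that models the key handling described in S596 and Methods 1 to 3 above for the initial AMF, and the choice the first AMF faces in Options 1 to 4 once it receives the context. The generic KDF, the FC values and the 128-bit truncation follow TS 33.220 Annex B and TS 33.501 Annexes A.8 and A.13; the NAS MAC is an HMAC stand-in rather than a real NIA algorithm, the context and notification field names are this example's own, and all key and message bytes are constructed. The check at the end is the one a practitioner cares about: whether the UE, still holding its current KAMF, would accept a message the first AMF protected with what it was handed.

```python
"""Added example: horizontal K_AMF derivation, NAS key derivation and the UE-side
integrity check that decides whether the first AMF's protected message is accepted."""
import hashlib
import hmac
from dataclasses import dataclass


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def horizontal_kamf(kamf: bytes, ul_nas_count: int) -> bytes:
    """K_AMF' for AMF re-allocation (TS 33.501 Annex A.13): FC 0x72, DIRECTION 0x01, uplink NAS COUNT."""
    return kdf(kamf, 0x72, b"\x01", ul_nas_count.to_bytes(4, "big"))


N_NAS_ENC_ALG, N_NAS_INT_ALG = 0x01, 0x02  # algorithm type distinguishers, TS 33.501 Annex A.8


def nas_keys(kamf: bytes, enc_alg_id: int, int_alg_id: int):
    """K_NASenc and K_NASint: 128 least-significant bits of KDF(K_AMF, FC 0x69, alg type, alg id)."""
    k_enc = kdf(kamf, 0x69, bytes([N_NAS_ENC_ALG]), bytes([enc_alg_id]))[16:]
    k_int = kdf(kamf, 0x69, bytes([N_NAS_INT_ALG]), bytes([int_alg_id]))[16:]
    return k_enc, k_int


@dataclass
class SecurityContext:
    """Subset of a 5G NAS security context; field names are this example's assumption."""
    kamf: bytes
    ngksi: int
    ul_nas_count: int
    dl_nas_count: int
    enc_alg_id: int  # e.g. 0x2 for NEA2
    int_alg_id: int  # e.g. 0x2 for NIA2


@dataclass
class N1MessageNotify:
    """The parts of the first service operation (N1 message notify) used here; assumed shape."""
    ue_context: SecurityContext
    key_amf_h_derivation_ind: bool  # the keyAmfHDerivationInd of the text


def initial_amf_should_derive(nas_smc_done_with_ue: bool, local_policy_wants_derivation: bool) -> bool:
    """Method 3: if the fourth preset condition holds (here: NAS SMC already run with the UE) do not
    derive; otherwise fall back to local policy (Method 2)."""
    return False if nas_smc_done_with_ue else local_policy_wants_derivation


def initial_amf_prepare(ctx: SecurityContext, derive: bool) -> N1MessageNotify:
    """What the initial AMF hands to the first AMF; the indication is set iff the key was re-derived."""
    if not derive:
        return N1MessageNotify(ctx, False)
    new_kamf = horizontal_kamf(ctx.kamf, ctx.ul_nas_count)
    # A freshly derived K_AMF starts with zeroed NAS COUNTs; the ngKSI is kept.
    return N1MessageNotify(SecurityContext(new_kamf, ctx.ngksi, 0, 0, ctx.enc_alg_id, ctx.int_alg_id), True)


def first_amf_plan(notify: N1MessageNotify, wants_primary_auth: bool) -> str:
    """The first AMF's choice for its next N1 message, following Options 1 to 3 of the text."""
    if notify.key_amf_h_derivation_ind:
        # The UE still holds the old K_AMF; the new one is taken into use only by a NAS SMC, so an
        # Authentication Request cannot yet be protected with the received context (Option 3).
        return "AUTH_REQ_UNPROTECTED" if wants_primary_auth else "NAS_SMC"
    return "AUTH_REQ_PROTECTED" if wants_primary_auth else "N1_PROTECTED"  # Options 2 and 1


def nas_mac(k_int: bytes, count: int, direction: int, msg: bytes) -> bytes:
    """Stand-in for a 128-NIA MAC over COUNT || BEARER || DIRECTION || message, truncated to 32 bits.
    Real NIA1/2/3 use SNOW 3G, AES-CMAC and ZUC; only the structure matters for this example."""
    data = count.to_bytes(4, "big") + b"\x01" + bytes([direction]) + msg
    return hmac.new(k_int, data, hashlib.sha256).digest()[:4]


def protect_downlink(ctx: SecurityContext, msg: bytes):
    """Sender side: MAC the message under the sender's context (direction 1 = downlink)."""
    _, k_int = nas_keys(ctx.kamf, ctx.enc_alg_id, ctx.int_alg_id)
    return ctx.dl_nas_count, nas_mac(k_int, ctx.dl_nas_count, 1, msg)


def ue_accepts(ue_ctx: SecurityContext, count: int, mac: bytes, msg: bytes) -> bool:
    """UE side: with NAS security active, a protected message passes only under the UE's current context."""
    _, k_int = nas_keys(ue_ctx.kamf, ue_ctx.enc_alg_id, ue_ctx.int_alg_id)
    return hmac.compare_digest(nas_mac(k_int, count, 1, msg), mac)


def demo() -> dict:
    """Run both branches of S596 with a constructed K_AMF and report what the UE does with each."""
    ue_ctx = SecurityContext(hashlib.sha256(b"constructed K_AMF").digest(), 1, 3, 2, 0x2, 0x2)
    auth_req = b"\x7e\x00\x56"  # constructed: 5GMM AUTHENTICATION REQUEST header bytes only
    kept = initial_amf_prepare(ue_ctx, initial_amf_should_derive(True, True))      # condition met
    rederived = initial_amf_prepare(ue_ctx, initial_amf_should_derive(False, True))  # policy derives
    return {
        "kept_accepted": ue_accepts(ue_ctx, *protect_downlink(kept.ue_context, auth_req), auth_req),
        "rederived_accepted": ue_accepts(ue_ctx, *protect_downlink(rederived.ue_context, auth_req), auth_req),
        "kept_plan": first_amf_plan(kept, wants_primary_auth=True),
        "rederived_plan": first_amf_plan(rederived, wants_primary_auth=True),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the asymmetry the indication exists for: when the initial AMF kept the current context, the first AMF can protect its Authentication Request and the UE verifies it; when the initial AMF re-derived KAMF, the same protected message fails the UE's check, so the first AMF has to either run a NAS SMC to bring the new key into use or send the Authentication Request unprotected, which TS 24.501 permits for that particular message.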
  • Option 1: If the first AMF receives the horizontal KAMF derivation indication sent by the initial AMF, the first AMF, according to the horizontal KAMF derivation indication, does not perform primary authentication, or uses the received KAMF or security context.
  • If the first AMF does not receive the horizontal KAMF derivation indication, the first AMF may perform any one of the following operations:
  • Operation 1: The first AMF still does not perform primary authentication, or uses the received KAMF or security context;
  • Operation 2: If the first AMF performs primary authentication according to local policy, the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message; if the first AMF does not perform primary authentication according to local policy, the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message;
  • Operation 3: The first AMF shall protect the N1 message, including the authentication request message, based on the received KAMF or security context, and send the security-protected N1 message including the security-protected authentication request message.
  • Option 1: If the first AMF receives the tenth indication information sent by the initial AMF, the first AMF, according to the tenth indication information, does not perform primary authentication, or uses the received KAMF or security context.
  • The tenth indication information is used to indicate that the first AMF does not perform primary authentication, or that the first AMF uses the received KAMF or security context.
  • The initial AMF determines to send the tenth indication information to the first AMF (that is, the method flow shown in FIG. 11 also includes S5961: the initial AMF determines to send the tenth indication information to the first AMF). Specifically, when the initial AMF determines that a tenth preset condition is satisfied, the initial AMF sends the tenth indication information to the first AMF. Correspondingly, the first AMF receives the tenth indication information.
  • Optionally, the initial AMF sends the tenth indication information to the first AMF using the first service operation.
  • The tenth preset condition is any one or more of the following conditions:
  • secure exchange of NAS messages has been established between the initial AMF and the UE; a NAS SMC procedure has been completed successfully between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; the initial AMF performs horizontal KAMF derivation; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the initial AMF uses a KAMF received from the second AMF that the second AMF generated by horizontal KAMF derivation; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and has decided to use the KAMF received from the second AMF.
  • If the initial AMF does not send the tenth indication information to the first AMF, the first AMF does not receive it. If the first AMF does not receive the tenth indication information, the first AMF may perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication, the first AMF shall send an authentication request message without security protection, or the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message;
  • Operation 2: If the first AMF decides not to perform primary authentication, the first AMF sends an N1 message without security protection, or the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message;
  • Operation 3: The first AMF shall send an N1 message without security protection, including the authentication request message.
  • Operation 4: The first AMF shall protect the N1 message, including the authentication request message, based on the received KAMF or security context, and send the security-protected N1 message.
  • Alternatively, the first AMF may perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication and has not received the horizontal KAMF derivation indication, the first AMF shall send an authentication request message without security protection, or the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message;
  • Operation 2: If the first AMF receives a horizontal KAMF derivation indication, the first AMF shall not perform primary authentication, or shall use the received KAMF or security context, or shall initiate a NAS SMC.
  • Operation 3: If the first AMF decides to perform primary authentication, the first AMF shall send an authentication request message without security protection.
  • Alternatively, the first AMF may perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication and has not received the horizontal KAMF derivation indication, the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message;
  • Operation 2: If the first AMF decides to perform primary authentication and has received a horizontal KAMF derivation indication, the first AMF shall send an authentication request message without security protection.
  • The tenth indication information may also be used to indicate any one or more of the following:
  • secure exchange of NAS messages has been established between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF;
  • a NAS SMC procedure has been completed successfully between the initial AMF and the UE; the initial AMF and the UE have performed primary authentication; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and has decided to use the KAMF or security context received from the second AMF;
  • the initial AMF has performed horizontal KAMF derivation; the initial AMF has generated a new KAMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the first AMF does not perform the primary authentication procedure; the first AMF skips the primary authentication procedure and performs the remaining procedures of the registration; the first AMF uses the received KAMF or security context.
  • If the first AMF receives the ninth indication information sent by the initial AMF, the first AMF shall, according to the ninth indication information, protect the authentication request message; specifically, the first AMF protects the authentication request message based on the received KAMF or security context and sends the security-protected authentication request message, or the first AMF shall, according to the ninth indication information, send a security-protected N1 message that includes the authentication request message.
  • The ninth indication information is used to indicate that the first AMF protects the authentication request message.
  • The initial AMF determines to send the ninth indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5962: the initial AMF determines to send the ninth indication information to the first AMF). Specifically, when the initial AMF determines that a ninth preset condition is satisfied, the initial AMF sends the ninth indication information to the first AMF. Correspondingly, the first AMF receives the ninth indication information. Optionally, the initial AMF sends the ninth indication information to the first AMF using the first service operation.
  • The ninth preset condition is any one or more of the following conditions:
  • secure exchange of NAS messages has been established between the initial AMF and the UE; a NAS SMC procedure has been completed successfully between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the initial AMF uses a KAMF received from the second AMF that the second AMF generated by horizontal KAMF derivation;
  • the initial AMF has received the horizontal KAMF derivation indication from the second AMF and has decided to use the KAMF received from the second AMF.
  • If the initial AMF does not send the ninth indication information to the first AMF, the first AMF does not receive it. If the first AMF does not receive the ninth indication information, the first AMF may perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication, the first AMF shall send an authentication request message without security protection;
  • Operation 2: If the first AMF decides not to perform primary authentication, the first AMF sends an N1 message without security protection, or the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message;
  • Operation 3: The first AMF shall send an N1 message without security protection, including the authentication request message.
  • Operation 4: If the first AMF decides to perform primary authentication and has not received the horizontal KAMF derivation indication, the first AMF shall send an authentication request message without security protection, or the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message.
  • Operation 5: If the first AMF decides to perform primary authentication and has received a horizontal KAMF derivation indication, the first AMF shall send an authentication request message without security protection.
  • The ninth indication information may also be used to indicate any one or more of the following:
  • the first AMF shall protect the authentication request message; the first AMF shall send a security-protected authentication request message; the first AMF shall send a security-protected N1 message that includes the authentication request message;
  • secure exchange of NAS messages has been established between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF;
  • a NAS SMC procedure has been completed successfully between the initial AMF and the UE; the initial AMF and the UE have performed primary authentication; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and has decided to use the KAMF or security context received from the second AMF;
  • the initial AMF has selected a security algorithm different from the one selected by the second AMF.
  • After the first AMF receives the above first service operation, it determines whether AMF redirection or direct non-access-stratum rerouting (also referred to as direct NAS reroute) has occurred. If AMF redirection or direct NAS rerouting has occurred, then when the first AMF decides to perform primary authentication, the first AMF shall protect the authentication request message. Specifically, the first AMF protects the authentication request message based on the received KAMF or security context and sends the security-protected authentication request message, or the first AMF shall send a security-protected N1 message that includes the authentication request message.
  • The first AMF determines that AMF redirection has occurred according to the registration context container information element (registrationCtxtContainer IE) carried in the first service operation, and/or according to the type of the N1 message notified in the first service operation being 5GMM.
  • The first AMF shall protect the authentication request message, or the first AMF shall send a security-protected N1 message that includes the authentication request message.
  • That the first AMF shall protect the authentication request message means that the first AMF protects the authentication request message based on the received KAMF or security context and sends the security-protected authentication request message;
  • that the first AMF shall send a security-protected N1 message means that the first AMF protects the N1 message based on the received KAMF or security context and sends the security-protected N1 message.
  • Option three: If the first AMF receives the eighth indication information sent by the initial AMF, then when the first AMF decides to perform primary authentication, the first AMF shall send an authentication request message without security protection, or the first AMF shall initiate a NAS SMC according to the eighth indication information.
  • The eighth indication information is used to instruct the first AMF to send an authentication request message without security protection.
  • The eighth indication information may be the horizontal KAMF derivation indication.
  • The initial AMF determines to send the eighth indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5963: the initial AMF sends the eighth indication information to the first AMF). Specifically, when the initial AMF determines that an eighth preset condition is satisfied, the initial AMF sends the eighth indication information to the first AMF. Correspondingly, the first AMF receives the eighth indication information. Optionally, the initial AMF sends the eighth indication information to the first AMF using the first service operation.
  • The eighth preset condition is any one or more of the following conditions: the initial AMF performs horizontal KAMF derivation, or the initial AMF generates a new KAMF.
  • If the initial AMF does not send the eighth indication information to the first AMF, the first AMF does not receive it. If the first AMF does not receive the eighth indication information, the first AMF may perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication, the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message.
  • Operation 2: If the first AMF decides not to perform primary authentication, the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message;
  • Operation 3: The first AMF shall protect the N1 message, including the authentication request message, based on the received KAMF or security context, and send the security-protected N1 message.
  • The eighth indication information may also be used to indicate any one or more of the following:
  • the initial AMF performs horizontal KAMF derivation; the initial AMF generates a new KAMF; the first AMF shall send an authentication request message without security protection; the first AMF shall initiate a NAS SMC.
  • Option four: If the first AMF receives a horizontal KAMF derivation indication, the first AMF shall not perform primary authentication, or the first AMF shall use the received KAMF or security context, or the first AMF shall initiate a NAS SMC. Otherwise, if the first AMF does not receive the horizontal KAMF derivation indication but receives the seventh indication information, then:
  • the first AMF shall send a security-protected authentication request message, or
  • the first AMF shall send a security-protected N1 message that includes the authentication request message.
  • The seventh indication information is used to instruct the first AMF to send a security-protected authentication request message, or to send a security-protected N1 message.
  • The initial AMF determines to send the seventh indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5964: the initial AMF determines to send the seventh indication information to the first AMF).
  • Specifically, when the initial AMF determines that a seventh preset condition is satisfied, the initial AMF sends the seventh indication information to the first AMF.
  • Correspondingly, the first AMF receives the seventh indication information.
  • Optionally, the initial AMF sends the seventh indication information to the first AMF using the first service operation.
  • The seventh preset condition is any one or more of the following conditions:
  • secure exchange of NAS messages has been established between the initial AMF and the UE; a NAS SMC procedure has been completed successfully between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the initial AMF uses a KAMF received from the second AMF that the second AMF generated by horizontal KAMF derivation.
  • If the initial AMF does not send the seventh indication information to the first AMF, the first AMF does not receive it. If the first AMF receives neither the seventh indication information nor the horizontal KAMF derivation indication, the first AMF may perform any one of the following operations:
  • Operation 1: If the first AMF decides to perform primary authentication, the first AMF shall protect the authentication request message based on the received KAMF or security context and send the security-protected authentication request message, or the first AMF shall send an authentication request message without security protection.
  • Operation 2: If the first AMF decides not to perform primary authentication, the first AMF shall protect the N1 message based on the received KAMF or security context and send the security-protected N1 message, or the first AMF shall send an N1 message without security protection.
  • Operation 3: The first AMF shall protect the N1 message, including the authentication request message, based on the received KAMF or security context, and send the security-protected N1 message.
  • Operation 4: The first AMF shall send an N1 message without security protection, including the authentication request message.
  • The seventh indication information may also be used to indicate any one or more of the following:
  • secure exchange of NAS messages has been established between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF;
  • a NAS SMC procedure has been completed successfully between the initial AMF and the UE; the initial AMF and the UE have performed primary authentication; the initial AMF has received a horizontal KAMF derivation indication from the second AMF and has decided to use the KAMF or security context received from the second AMF;
  • the initial AMF has selected a security algorithm different from the one selected by the second AMF; the first AMF shall send a security-protected authentication request message; the first AMF shall protect the authentication request message; the first AMF shall send a security-protected N1 message that includes the authentication request message.
  • Option four: if the first AMF receives both the sixth indication information and the horizontal KAMF derivation indication, the first AMF does not perform primary authentication, or the first AMF uses the received KAMF or security context. Otherwise, if the first AMF receives the sixth indication information but not the horizontal KAMF derivation indication, and decides to initiate primary authentication, then according to the sixth indication information the first AMF sends a security-protected authentication request message; or,
  • the first AMF sends a security-protected N1 message that includes the authentication request message.
  • the sixth indication information is used to instruct the first AMF to send an authentication request message with security protection.
  • the initial AMF determines to send the sixth indication information to the first AMF (that is, the method flow shown in FIG. 11 further includes S5964: the initial AMF determines to send the sixth indication information to the first AMF).
  • the initial AMF sends the sixth indication information to the first AMF.
  • the first AMF receives the sixth indication information.
  • the initial AMF uses the first service operation to send the sixth indication information to the first AMF.
  • the sixth preset condition is any one or more of the following conditions:
  • secure exchange of NAS messages has been set up between the initial AMF and the UE; NAS SMC has been completed successfully between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF; primary authentication has been performed between the UE and the initial AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the initial AMF uses the KAMF or security context received from the second AMF.
  • the initial AMF does not send the sixth indication information to the first AMF, so the first AMF does not receive it. If the first AMF does not receive the sixth indication information but does receive the horizontal KAMF derivation indication, the first AMF may perform any one of the following operations:
  • Operation 1: if the first AMF decides to perform primary authentication, it sends an authentication request message without security protection.
  • Operation 2: if the first AMF decides not to perform primary authentication, it protects the N1 message with the received KAMF or security context and sends the protected N1 message, or it sends the N1 message without security protection, or it initiates NAS SMC;
  • Operation 3: the first AMF sends an N1 message, including the authentication request message, without security protection.
  • the first AMF may perform any one of the following operations:
  • Operation 1: if the first AMF decides to perform primary authentication, it sends an authentication request message without security protection, or it protects the authentication request message with the received KAMF or security context and sends the protected authentication request message.
  • Operation 2: if the first AMF decides not to perform primary authentication, it protects the N1 message with the received KAMF or security context and sends the protected N1 message, or it sends the N1 message without security protection;
  • Operation 3: the first AMF sends an N1 message, including the authentication request message, without security protection.
  • Operation 4: the first AMF sends a security-protected N1 message that includes the authentication request message.
  • the sixth indication information can also be used to indicate any one or more of the following:
  • secure exchange of NAS messages has been set up between the initial AMF and the UE; a security association has been established between the UE and the initial AMF; security protection has been activated between the UE and the initial AMF; a new NAS security context has been established between the UE and the initial AMF;
  • the NAS SMC procedure has been completed successfully between the initial AMF and the UE; the initial AMF and the UE have performed primary authentication; the initial AMF has received the horizontal KAMF derivation indication from the second AMF and decided to use the received KAMF or security context; the initial AMF has decided to use the KAMF produced by the horizontal KAMF derivation and received from the second AMF; the initial AMF has selected a security algorithm different from the one selected by the second AMF; the first AMF should send a security-protected authentication request message; the first AMF should protect the authentication request message; the first AMF should send a protected N1 message that includes the authentication request message.
  • the method flow shown in FIG. 11 therefore prevents the UE from discarding an unprotected authentication request message: the first AMF either does not perform primary authentication or protects the authentication request message. A UE that has already activated NAS security with the initial AMF discards downlink NAS messages that are not integrity protected, so an unprotected authentication request from the first AMF would never be processed and the registration would fail.
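The decision rules above, as an added example in Python that is not code from the patent, from the applicant, or from any 3GPP implementation: it simulates the first AMF's choice given the sixth indication information and the horizontal KAMF derivation indication, and the UE's rule of discarding unprotected NAS messages once security has been activated with the initial AMF. The boolean indications, the message layouts, the constructed key and the truncated HMAC standing in for NAS integrity protection are assumptions for illustration (real 5G NAS derives K_NASint from K_AMF and applies a NIA algorithm); the example also assumes the UE and the first AMF share the same K_AMF because the initial AMF completed NAS SMC before redirecting.

```python
"""Simulated first-AMF decision logic after AMF redirection (added example).

Not code from the patent or from 3GPP. Assumptions: indications are booleans;
NAS integrity protection is a 32-bit truncated HMAC-SHA256 keyed with K_AMF;
the UE and the first AMF hold the same K_AMF after the initial AMF's NAS SMC.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed key standing in for the K_AMF agreed during the initial AMF's NAS SMC.
KAMF = hashlib.sha256(b"constructed K_AMF after NAS SMC with the initial AMF").digest()


@dataclass
class N1Message:
    msg_type: str
    payload: bytes
    mac: bytes | None = None  # None = sent without security protection


def protect(msg: N1Message, kamf: bytes) -> N1Message:
    """Return an integrity-protected copy of msg (simplified NAS MAC, 32 bits)."""
    tag = hmac.new(kamf, msg.msg_type.encode() + msg.payload, hashlib.sha256).digest()[:4]
    return N1Message(msg.msg_type, msg.payload, tag)


@dataclass
class UE:
    kamf: bytes | None = None  # set once NAS SMC with the initial AMF has completed
    discarded: list[str] = field(default_factory=list)

    def receive(self, msg: N1Message) -> bool:
        """Accept or discard a downlink NAS message.

        Before security is activated every message is processed. Once secure
        exchange of NAS messages is established, a message with no MAC or with
        a MAC that does not verify is discarded; that discard is what the
        method above avoids triggering.
        """
        if self.kamf is None:
            return True
        if msg.mac is None:
            self.discarded.append(msg.msg_type)
            return False
        expected = protect(N1Message(msg.msg_type, msg.payload), self.kamf).mac
        if not hmac.compare_digest(expected, msg.mac):
            self.discarded.append(msg.msg_type)
            return False
        return True


def first_amf_action(sixth_indication: bool, horizontal_kamf_indication: bool,
                     wants_primary_auth: bool) -> str:
    """Decision table of 'option four' plus the no-sixth-indication case.

    'use_received_context': skip primary authentication, protect the N1 message
    with the received K_AMF. 'protected_auth_request' / 'unprotected_auth_request':
    run primary authentication with / without protecting the Authentication Request.
    """
    if sixth_indication and horizontal_kamf_indication:
        return "use_received_context"       # option four, first branch
    if sixth_indication and wants_primary_auth:
        return "protected_auth_request"     # option four, second branch
    if wants_primary_auth:
        return "unprotected_auth_request"   # no sixth indication, Operation 1
    # No primary authentication: Operation 2, first alternative (protect with
    # the received K_AMF). The neither-indication case is not described in
    # the text and is treated the same way here.
    return "use_received_context"


def simulate(sixth_indication: bool, horizontal_kamf_indication: bool,
             wants_primary_auth: bool) -> tuple[str, bool]:
    """Run one redirection: returns (first AMF action, whether the UE accepted)."""
    ue = UE(kamf=KAMF)          # NAS SMC with the initial AMF already completed
    first_amf_kamf = KAMF       # forwarded to the first AMF in the first service operation
    action = first_amf_action(sixth_indication, horizontal_kamf_indication, wants_primary_auth)
    auth_req = N1Message("AUTHENTICATION_REQUEST", b"RAND|AUTN|ngKSI")  # constructed payload
    reg_accept = N1Message("REGISTRATION_ACCEPT", b"5G-GUTI")           # constructed payload
    if action == "unprotected_auth_request":
        msg = auth_req
    elif action == "protected_auth_request":
        msg = protect(auth_req, first_amf_kamf)
    else:
        msg = protect(reg_accept, first_amf_kamf)
    return action, ue.receive(msg)


if __name__ == "__main__":
    for case in [(False, True, True), (True, False, True), (True, True, True)]:
        print(case, "->", simulate(*case))
```

Running it shows the failure mode the method addresses: with the horizontal KAMF derivation indication but no sixth indication, a first AMF that decides to run primary authentication emits an unprotected Authentication Request, which the UE discards; with the sixth indication the request is either protected or skipped, and the UE accepts the message. The `UE.receive` check also rejects a message protected under a key other than the one the UE holds, which is why the sixth indication only helps when the first AMF protects with the context it actually received.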
  • the sequence numbers of the foregoing processes do not imply an order of execution; the execution order is determined by their functions and internal logic and does not constitute any limitation on the implementation of the embodiments of this application.
  • FIG. 5 is a schematic diagram of the device 10 for registration proposed in the present application.
  • the device 10 includes a receiving unit 110 and a processing unit 120.
  • the receiving unit 110 is configured to receive the protected first message from the first AMF;
  • the processing unit 120 is configured to process the protected first message, where the first AMF is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following messages:
  • the device 10 for registration receiving and processing the protected first message can also be described as the device 10 for registration accepting the protected first message.
  • the apparatus 10 completely corresponds to the user equipment in the method embodiment, and the apparatus 10 may be the user equipment in the method embodiment, or a chip or functional module inside the user equipment in the method embodiment.
  • the corresponding units of the apparatus 10 are used to execute the corresponding steps executed by the user equipment in the method embodiments shown in FIG. 3, FIG. 4, and FIG. 11.
  • the receiving unit 110 in the apparatus 10 executes the receiving steps of the user equipment in the method embodiments. For example, it performs step S350 of receiving the NAS security mode command message sent by the initial AMF in FIG. 3, step S301 of receiving the protected first message sent by the first AMF in FIG. 3, step S450 of receiving the NAS security mode command message sent by the initial AMF in FIG. 4, step S496 of receiving the unprotected first message sent by the first AMF in FIG. 4, step S481 of receiving the second indication information sent by the initial AMF in FIG. 4, step S550 of receiving the NAS security mode command message sent by the initial AMF in FIG. 11, step S5952 of receiving the third message sent by the first AMF in FIG. 11, steps S5954 and S5957 of receiving the security-protected authentication request message sent by the first AMF in FIG. 11, and step S5956 of receiving the unprotected authentication request message sent by the first AMF in FIG. 11.
  • the processing unit 120 in the device 10 executes the steps implemented or processed inside the user equipment in the method embodiment. For example, step S340 of performing primary authentication with the initial AMF in FIG. 3, step S440 of performing primary authentication with the initial AMF in FIG. 4, and step S540 of performing primary authentication with the initial AMF in FIG. 11 are executed.
  • the device 10 for registration may also include a sending unit (not shown in FIG. 5), which performs the function of sending messages to other devices. For example, it performs step S310 of sending the RR message to the initial AMF in FIG. 3, step S360 of sending the NAS security mode complete message to the initial AMF in FIG. 3, step S410 of sending the RR message to the initial AMF in FIG. 4, and step S460 of sending the NAS security mode complete message to the initial AMF in FIG. 4.
  • the receiving unit 110 and the sending unit may constitute a transceiver unit, and have the functions of receiving and sending at the same time.
  • the processing unit 120 may be a processor.
  • the sending unit may be a transmitter.
  • the receiving unit 110 may be a receiver. The receiver and the transmitter may be integrated to form a transceiver.
  • FIG. 6 is a schematic structural diagram of a user equipment 20 applicable to an embodiment of the present application.
  • the user equipment 20 can be applied to the system shown in FIG. 1.
  • FIG. 6 only shows the main components of the user equipment.
  • the user equipment 20 includes a processor, a memory, a control circuit, an antenna, and an input and output device.
  • the processor is used to control the antenna and the input/output devices to send and receive signals;
  • the memory is used to store a computer program;
  • the processor is used to call and run the computer program from the memory to execute the corresponding procedures and/or operations performed by the user equipment in the method for registration proposed in this application; they are not repeated here.
  • FIG. 6 only shows a memory and a processor. In actual user equipment, there may be multiple processors and memories.
  • the memory may also be referred to as a storage medium or a storage device, etc., which is not limited in the embodiment of the present application.
  • FIG. 7 is a schematic diagram of the device 30 for registration proposed in the present application.
  • the device 30 includes a processing unit 310 and a sending unit 320.
  • the processing unit 310 is configured to determine to send the first indication information to the first AMF, where the first indication information instructs the first AMF to protect the first message;
  • the sending unit 320 is configured to send the first indication information to the first AMF, where the first AMF is the target AMF selected to serve the UE when AMF redirection is performed, and the first message is one of the following messages:
  • the device 30 completely corresponds to the initial AMF in the method embodiment, and the device 30 may be the initial AMF in the method embodiment, or a chip or functional module inside the initial AMF in the method embodiment.
  • the corresponding units of the device 30 are used to execute the corresponding steps performed by the initial AMF in the method embodiments shown in FIG. 3, FIG. 4, and FIG. 11.
  • the processing unit 310 in the device 30 executes the internal implementation or processing steps of the initial AMF in the method embodiments. For example, it performs step S396 in FIG. 3 of determining whether to send the first indication information to the first AMF, step S596 in FIG. 11 of determining whether to perform horizontal KAMF derivation, step S5961 in FIG. 11 of determining whether to send the tenth indication information to the first AMF, step S5962 in FIG. 11 of determining to send the ninth indication information to the first AMF, step S5963 in FIG. 11 of determining to send the eighth indication information to the first AMF, and step S5964 in FIG. 11 of determining to send the sixth or seventh indication information to the first AMF.
  • the sending unit 320 in the device 30 executes the sending steps of the initial AMF in the method embodiments. For example, it performs step S320 of sending the sixth service operation to the second AMF in FIG. 3, step S350 of sending the NAS security mode command message to the UE in FIG. 3, step S370 of sending the second service operation to the UDM in FIG. 3, step S390 of sending the third service operation to the NSSF in FIG. 3, step S392 of sending the fourth service operation to the second AMF in FIG. 3, step S393 of sending the fifth service operation to the NRF in FIG. 3, step S493 of sending the fifth service operation in FIG. 4, step S495 of sending the first service operation to the first AMF in FIG. 4, step S481 of sending the second indication information to the UE in FIG. 4, step S592 of sending the fourth service operation to the second AMF in FIG. 11, step S593 of sending the fifth service operation to the NRF in FIG. 11, and step S595 of sending the first service operation to the first AMF in FIG. 11.
  • the device 30 for registration may also include a receiving unit (not shown in FIG. 7), which performs the function of receiving messages sent by other devices. For example, it performs step S310 of receiving the RR message sent by the UE in FIG. 3, step S360 of receiving the NAS security mode complete message sent by the UE in FIG. 3, step S330 of receiving the sixth service operation response sent by the second AMF in FIG. 3, step S380 of receiving the second service operation response sent by the UDM in FIG. 3, step S391 of receiving the third service operation response sent by the NSSF in FIG. 3, step S394 of receiving the fifth service operation response sent by the NRF in FIG. 3, step S410 of receiving the RR message sent by the UE in FIG. 4, step S430 of receiving the sixth service operation response sent by the second AMF in FIG. 4, step S480 of receiving the second service operation response sent by the UDM in FIG. 4, step S491 of receiving the third service operation response sent by the NSSF in FIG. 4, step S494 of receiving the fifth service operation response sent by the NRF in FIG. 4, step S510 of receiving the RR message sent by the UE in FIG. 11, step S560 of receiving the NAS security mode complete message sent by the UE in FIG. 11, step S530 of receiving the sixth service operation response sent by the second AMF in FIG. 11, step S580 of receiving the second service operation response sent by the UDM in FIG. 11, step S591 of receiving the third service operation response sent by the NSSF in FIG. 11, and step S594 of receiving the fifth service operation response sent by the NRF in FIG. 11.
  • the receiving unit and the sending unit 320 may constitute a transceiver unit, having both receiving and sending functions.
  • the processing unit 310 may be a processor.
  • the sending unit 320 may be a transmitter.
  • the receiving unit may be a receiver.
  • the receiver and the transmitter may be integrated to form a transceiver.
  • the embodiment of the present application also provides an initial AMF 40.
  • the initial AMF 40 includes a processor 410, a memory 420, and a transceiver 430.
  • the memory 420 stores instructions or programs, and the processor 410 is configured to execute the instructions or programs stored in the memory 420.
  • the transceiver 430 is used to execute the operations performed by the sending unit 320 in the apparatus 30 shown in FIG. 7.
  • the device 50 for registration includes a receiving unit 510, a processing unit 520, and a sending unit 530.
  • the receiving unit 510 is configured to receive the first indication information from the initial AMF;
  • the processing unit 520 is configured to protect the first message according to the first indication information;
  • the sending unit 530 is configured to send the protected first message to the user equipment UE, where the device 50 for registration is the target AMF selected to serve the UE during AMF redirection, and the first message is one of the following messages:
  • the device 50 completely corresponds to the first AMF in the method embodiment, and the device 50 may be the first AMF in the method embodiment, or a chip or functional module inside the first AMF in the method embodiment.
  • the corresponding units of the device 50 are used to execute the corresponding steps performed by the first AMF in the method embodiments shown in FIG. 3, FIG. 4, and FIG. 11.
  • the receiving unit 510 in the device 50 performs the receiving steps of the first AMF in the method embodiments. For example, it performs step S395 of receiving the first service operation sent by the initial AMF in FIG. 3 and step S495 of receiving the first service operation sent by the initial AMF in FIG. 4.
  • the processing unit 520 executes the steps implemented or processed internally by the first AMF in the method embodiments. For example, it performs step S399 in FIG. 3 of determining that AMF redirection has occurred, step S398 in FIG. 3 of protecting the first message, step S302 in FIG. 3 of not performing primary authentication according to the first indication information, step S303 in FIG. 3 of not performing primary authentication according to the first service operation, step S5951 in FIG. 11 of skipping primary authentication, step S5953 in FIG. 11 of protecting the authentication request message, step S5955 in FIG. 11 of initiating primary authentication, and step S5956 in FIG. 11 of skipping primary authentication or protecting the authentication request message.
  • the sending unit 530 executes the sending steps of the first AMF in the method embodiments. For example, it performs step S301 of sending the protected first message to the UE in FIG. 3, step S496 of sending the unprotected first message to the UE in FIG. 4, step S5952 of sending the third message to the UE in FIG. 11, steps S5954 and S5957 of sending the security-protected authentication request message to the UE in FIG. 11, and step S5956 of sending the unprotected authentication request message to the UE in FIG. 11.
  • the receiving unit 510 and the sending unit 530 may constitute a transceiver unit, and have the functions of receiving and sending at the same time.
  • the processing unit 520 may be a processor.
  • the sending unit 530 may be a transmitter.
  • the receiving unit 510 may be a receiver. The receiver and the transmitter may be integrated to form a transceiver.
  • an embodiment of the present application also provides a first AMF 60.
  • the first AMF 60 includes a processor 610, a memory 620, and a transceiver 630.
  • the memory 620 stores instructions or programs, and the processor 610 is configured to execute the instructions or programs stored in the memory 620.
  • the transceiver 630 is used to execute the operations performed by the receiving unit 510 and the sending unit 530 in the apparatus 50 shown in FIG. 9.
  • An embodiment of the present application also provides a communication system, which includes the aforementioned initial AMF, the first AMF, and one or more user equipments.
  • the present application also provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the steps performed by the initial AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
  • the present application also provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the steps performed by the first AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
  • the present application also provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the steps performed by the user equipment in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
  • This application also provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the steps performed by the initial AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
  • This application also provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the steps performed by the first AMF in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
  • This application also provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the steps performed by the user equipment in the methods shown in FIG. 3, FIG. 4, and FIG. 11.
  • the application also provides a chip including a processor.
  • the processor is used to read and run a computer program stored in a memory to execute the corresponding operations and/or procedures performed by the user equipment in the method for registration provided in this application.
  • the chip may further include the memory, which is connected to the processor through a circuit or a wire; the processor reads and executes the computer program in the memory.
  • the chip may further include a communication interface connected to the processor.
  • the communication interface is used to receive data and/or information to be processed; the processor obtains the data and/or information from the communication interface and processes it.
  • the communication interface can be an input/output interface.
  • the application also provides a chip including a processor.
  • the processor is used to call and run a computer program stored in a memory to execute the corresponding operations and/or procedures performed by the initial AMF in the method for registration provided in this application.
  • the chip may further include the memory, which is connected to the processor through a circuit or a wire; the processor reads and executes the computer program in the memory.
  • the chip may further include a communication interface connected to the processor.
  • the communication interface is used to receive data and/or information to be processed; the processor obtains the data and/or information from the communication interface and processes it.
  • the communication interface can be an input/output interface.
  • the application also provides a chip including a processor.
  • the processor is used to call and run a computer program stored in a memory to execute the corresponding operations and/or procedures performed by the first AMF in the method for registration provided in this application.
  • the chip may further include the memory, which is connected to the processor through a circuit or a wire; the processor reads and executes the computer program in the memory.
  • the chip may further include a communication interface connected to the processor.
  • the communication interface is used to receive data and/or information to be processed; the processor obtains the data and/or information from the communication interface and processes it.
  • the communication interface can be an input/output interface.
  • the disclosed system, device, and method may be implemented in other ways.
  • the device embodiments described above are merely illustrative. For example, the division into units is only a logical functional division; in actual implementation there may be other divisions, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented.
  • the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
  • the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • on this basis, the technical solution of the present application, in essence or in the part that contributes to the prior art or in part, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
  • the term "and/or" in this application only describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: A alone exists, both A and B exist, or B alone exists.
  • the character "/" in this document generally means that the associated objects before and after it are in an "or" relationship; the term "at least one" in this application may mean "one" or "two or more"; for example, "at least one of A, B and C" may mean: A alone, B alone, C alone, A and B, A and C, B and C, or A, B and C together, seven cases in all.


Abstract

A method and a device for use in registration are provided in embodiments of the present application. The method for use in registration applies to a scenario in which access and mobility management function (AMF) redirection has taken place. The method includes the following steps: a first AMF, selected during AMF redirection to serve a UE, determines to protect a first message and sends the protected first message to the UE, the first message including an authentication request message. The user equipment is thereby prevented from discarding the authentication request message, and the probability of the user equipment registering successfully is increased.
PCT/CN2020/113777 2019-09-29 2020-09-07 Method and device for use in registration WO2021057456A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP20848683.7A EP3826341A4 (fr) 2019-09-29 2020-09-07 Method and device for use in registration
US17/180,032 US11606768B2 (en) 2019-09-29 2021-02-19 Method and apparatus for registration

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201910932460.0 2019-09-29
CN201910932460 2019-09-29
CN201911089396.0A CN112654046A (zh) 2019-09-29 2019-11-08 用于注册的方法和装置
CN201911089396.0 2019-11-08

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/180,032 Continuation US11606768B2 (en) 2019-09-29 2021-02-19 Method and apparatus for registration

Publications (1)

Publication Number Publication Date
WO2021057456A1 true WO2021057456A1 (fr) 2021-04-01

Family

ID=75164891

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/113777 WO2021057456A1 (fr) 2019-09-29 2020-09-07 Method and device for use in registration

Country Status (1)

Country Link
WO (1) WO2021057456A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109257815A (zh) * 2017-07-14 2019-01-22 电信科学技术研究院 一种注册请求的管理方法和装置
WO2019034021A1 (fr) * 2017-08-14 2019-02-21 华为技术有限公司 Procédé et dispositif pour des opérations interactives entre différents systèmes
WO2019072681A1 (fr) * 2017-10-10 2019-04-18 Nokia Technologies Oy Changement de nœud amf 5g en cas de surcharge
CN110291837A (zh) * 2017-02-06 2019-09-27 华为技术有限公司 网络注册和网络切片选择系统和方法


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "EUTRA connected to 5GC: clauses 6.9.3 and 6.9.4", 3GPP DRAFT; S3-190431_WAS_S3-190262, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. Kochi (India); 20190128 - 20190201, 30 January 2019 (2019-01-30), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051595857 *
ZTE CORPORATION: "Handling of AMF redirection", 3GPP DRAFT; S3-190153, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, 1 February 2019 (2019-02-01), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, pages 1 - 3, XP051611423 *


Legal Events

Date Code Title Description
2021-02-08 ENP Entry into the national phase (Ref document number: 2020848683; Country of ref document: EP; Effective date: 20210208)
NENP Non-entry into the national phase (Ref country code: DE)