WO2021148027A1 - Communication method, apparatus and system - Google Patents


Info

Publication number
WO2021148027A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
application
network element
terminal device
authentication
Prior art date
Application number
PCT/CN2021/073594
Other languages
French (fr)
Chinese (zh)
Inventor
李�赫
吴�荣
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management using a trusted network node as an anchor
    • H04W 12/0433 Key management protocols
    • H04W 12/06 Authentication

Definitions

  • the embodiments of the present application relate to the field of communication technology, and in particular to a communication method, device, and system.
  • terminal devices can support authentication and key management for applications (AKMA) services.
  • a terminal device is authenticated for AKMA as follows: once the terminal device has registered successfully and primary authentication has completed, AKMA authentication of the terminal device is completed at the same time.
  • the terminal device and the authentication server function (AUSF) each generate the AKMA root key Kakma and the corresponding key identification information (key identifier).
  • when the terminal device requests a session service from the application function network element (AF), the AF forwards the key identification information sent by the terminal device to the AKMA anchor function network element (AAnF).
  • the AAnF in turn carries the key identification information in its request for Kakma to the AUSF.
  • the AUSF determines Kakma according to the key identification information and sends Kakma to the AAnF.
  • the AF obtains the application key Kaf and the validity period of Kaf from the AAnF.
  • Kakma is the input parameter from which Kaf is generated.
  • Kaf has an explicit validity period, whereas the validity period of Kakma is bound to primary authentication: whenever primary authentication occurs, Kakma is regenerated and the key identification information is regenerated with it. Regenerating Kakma does not affect a Kaf that is already in use, so the refresh of Kaf and the refresh of Kakma are independent of each other. Consequently, by the time the validity period of Kaf expires, Kakma and the key identification information may already have been refreshed. The AUSF then no longer recognises the old key identifier, so an AF that requests a Kaf update using the old key identifier fails, and the service is interrupted.
  • the embodiments of the present application provide a communication method, device, and system so that, after primary authentication has occurred and the key identifier held by the terminal and the AUSF has been updated, the UE and the AF can still update Kaf without interrupting the service.
  • the embodiments of the present application provide a network device, which has a function of implementing the behavior of the network device in any of the foregoing method embodiments.
  • the functions described can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to each sub-function of the above-mentioned functions.
  • the network device may be an application function network element AF, an application authentication and key management service network element AAnF, or an authentication service network element AUSF.
  • the embodiment of the present application provides a terminal device, which has a function of implementing the behavior of the terminal device in any of the foregoing method embodiments.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to each sub-function of the above-mentioned functions.
  • the terminal device may be user equipment.
  • An embodiment of the present application also provides a communication system, which includes the network device and the terminal device described in any of the foregoing embodiments.
  • the embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a computer, the method process related to the terminal device in any of the foregoing method embodiments is implemented.
  • the computer may be the aforementioned terminal device.
  • the embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a computer, the method process related to the network device in any of the above method embodiments is implemented.
  • the computer may be the aforementioned network device.
  • the embodiment of the present application also provides a computer program, or a computer program product including a computer program.
  • when the computer program is executed on a computer, it causes the computer to carry out the method flow related to the terminal device in any of the above method embodiments.
  • the computer may be the aforementioned terminal device.
  • the embodiments of the present application also provide a computer program, or a computer program product including a computer program.
  • when the computer program is executed on a computer, it causes the computer to carry out the method flow related to the network device in any of the above method embodiments.
  • the computer may be the aforementioned network device.
  • the embodiment of the present application also provides a device applied to a terminal device. The device is coupled with a memory and reads and executes instructions stored in the memory, so that the terminal device carries out the method flow related to the terminal device in any of the foregoing method embodiments.
  • the memory may be integrated in the processor or independent of the processor.
  • the device may be a chip on the user terminal (such as a system on a chip (SoC)).
  • the embodiment of the present application also provides a device applied to a network device. The device is coupled with a memory and reads and executes instructions stored in the memory, so that the network device carries out the method flow related to the network device in any of the foregoing method embodiments.
  • the memory may be integrated in the processor or independent of the processor.
  • the device may be a chip on the network device (such as a system on a chip (SoC)).
  • FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of this application.
  • FIG. 2 is a schematic diagram of Kaf key distribution provided by an embodiment of this application.
  • FIG. 3 is a schematic diagram of Kaf key distribution provided by an embodiment of this application.
  • FIG. 4 is a schematic diagram of Kaf key distribution provided by an embodiment of this application.
  • FIG. 5 is a schematic diagram of Kaf key distribution provided by an embodiment of this application.
  • FIG. 6 is a schematic diagram of Kaf key distribution provided by an embodiment of this application.
  • FIG. 9 is a schematic structural diagram of a communication device provided by an embodiment of the application.
  • the embodiments of this application may be applicable to 4G (fourth generation mobile communication system) evolution systems such as long term evolution (LTE) systems, to 5G (fifth generation mobile communication) systems such as those using a new radio access technology (New RAT) access network or a cloud radio access network (CRAN), or even to future communication systems such as 6G (sixth generation mobile communication systems).
  • the network architecture provided by this embodiment of the application at least includes a terminal device, an access network (AN), a core network, and a data service network. It can be understood that FIG. 1 is only a schematic illustration, and is not intended to limit the application.
  • a terminal device can be referred to as a terminal for short, which is a device with a wireless transceiver function.
  • the terminal device can be deployed on land, indoors or outdoors, handheld or vehicle-mounted; on water (for example, on ships); or in the air (for example, on airplanes, balloons or satellites).
  • the terminal device may be a mobile phone, a tablet computer (pad), a computer with wireless transceiver function, virtual reality (VR) terminal equipment, augmented reality (AR) terminal equipment, wireless terminal equipment in industrial control, in self-driving, in remote medical, in smart grid, in transportation safety, in a smart city or in a smart home, and may also include user equipment (UE), etc.
  • the terminal equipment can also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication function, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5th generation (5G) network, or a terminal device in a future evolved public land mobile network (PLMN), etc.
  • terminal equipment may also be called user equipment (UE), access terminal equipment, vehicle terminal equipment, industrial control terminal equipment, UE unit, UE station, mobile station, remote station, remote terminal equipment, mobile equipment, UE terminal equipment, wireless communication equipment, UE agent or UE device, etc.
  • the terminal device can also be fixed or mobile. The embodiments of the present application are not limited thereto.
  • the access network (AN) can adopt different types of access technologies.
  • the access network may adopt a 3rd Generation Partnership Project (3GPP) access technology (for example, the radio access technology used in 3G, 4G or 5G systems) or a non-3GPP access technology.
  • an access network adopting a 3GPP access technology is called a radio access network (RAN).
  • the access network equipment in the 5G system is called a next generation NodeB (gNB), and so on.
  • non-3GPP access technologies are access technologies that do not comply with 3GPP specifications, for example the air interface technology represented by wireless fidelity access points (WiFi AP).
  • the core network may include an authentication server function network element, a mobility management network element, a session management function network element, an authentication and key management for applications (AKMA) anchor function network element and a unified data management network element.
  • the user plane function network element is the egress for user plane data and is mainly used to connect to external networks.
  • the authentication server function network element is the functional entity with which the network authenticates the UE, and is mainly used by the network to verify the authenticity of the UE.
  • the mobility management network element is mainly responsible for mobility management.
  • the session management function network element is mainly used to allocate session resources for the user plane.
  • the unified data management network element stores the user's subscription data and generates the long-term key used to authenticate the user.
  • the AKMA anchor function network element is mainly used to provide Kaf and the validity period of Kaf to the AKMA application function network element.
  • the network elements in the above-mentioned core network may have different names in different systems.
  • the above-mentioned mobility management network element may be referred to as a mobility management entity (MME).
  • the fifth generation mobile communication system is taken as an example to introduce the above-mentioned core network elements; this is not a limitation on the embodiments of the present application.
  • the user plane function network element may be called the user plane function (UPF).
  • the authentication server function network element may be called the authentication server function (AUSF).
  • the mobility management network element may be called the access and mobility management function (AMF).
  • the session management function network element may be called the session management function (SMF).
  • the unified data management network element may be called unified data management (UDM).
  • the AKMA anchor function network element, which may also be called the AKMA authentication function network element, may be called the AKMA authentication function (AAuF), and so on.
  • the core network elements in FIG. 1 are only a schematic illustration and are not meant to be a limitation.
  • in addition to the core network elements shown in FIG. 1, the core network may include the network slice selection function (NSSF), the network exposure function (NEF), the network repository function (NRF), the policy control function (PCF), the application function (AF) and the SCP.
  • the data service network may specifically be a data network (DN), etc.
  • the AKMA application function (AApF) network element, which may also simply be called the application function (AF), can be deployed in one or more servers in the DN to provide data services for 3GPP user terminals. The AKMA application function network element can be deployed in a server of the DN or in the core network, without limitation. In the embodiments of the present application, the AKMA application function network element deployed in a server of the DN is taken as an example.
  • the embodiment of the present application provides an application scenario in which the terminal device can support AKMA service, and the core network device can perform AKMA authentication on the terminal device.
  • an AKMA key distribution process is provided, in which the UE can specifically be the terminal device in the architecture of FIG. 1, the AAnF can specifically be the AKMA authentication function network element in the architecture of FIG. 1, and the AUSF can specifically be the authentication server function network element in the architecture of FIG. 1. The process includes:
  • the UE and the authentication server function network element AUSF complete the primary authentication process.
  • the primary authentication process, also called the mutual (two-way) authentication process, is defined in chapter 6 of the standard TS 33.501; its role is to complete mutual authentication between the UE and the network.
  • the mutual authentication between the AUSF and the UE can specifically be an extensible authentication protocol (EAP) exchange.
  • the specific method is EAP-AKA' or 5G authentication and key agreement (5G AKA). If mutual authentication between the UE and the AUSF succeeds, AKMA authentication of the terminal device can be considered successful.
  • the key identification information identifies the AKMA root key Kakma of the UE, and Kakma is used as the root key from which the other AKMA keys (for example, the application keys of the different applications used by the UE) are generated.
  • the key identification information can also be used for the AF and AAnF to identify the UE, and the key identification information is the identification of the specific UE that the AF and AAnF determine in the 5GC.
  • S203 After the UE and AUSF have respectively generated Kakma-1 and key identifier-1, when the UE wants to use a service it sends an application session establishment request (Application session establishment request) message to the AF.
  • the message carries the first key identification information, key identifier-1.
  • S205 AAnF sends an AKMA key request (AKMA Key Notification Request) message of the application service to AUSF; the message carries the first key identification information.
  • S206 AUSF replies with the corresponding AKMA Key Notification Response message of the application service.
  • the message carries the first AKMA root key Kakma-1 of the application service.
  • S207: AAnF generates the first application key Kaf-1 for the UE according to the received Kakma-1, and determines the validity period of the first key.
  • the message carries the first application key Kaf-1 and the validity period of the first application key.
  • S210 AUSF receives the authentication request message.
  • the authentication request message is used to trigger the two-way authentication between the network and the UE.
  • after the authentication succeeds, the AUSF generates the second AKMA root key Kakma-2 of the application service and the second key identification information key identifier-2.
  • the update of Kakma is independent of the update of Kaf.
  • Kaf is deleted directly once it expires. If the UE and AF have an ongoing service, that service is interrupted by the expiry of the key, which affects the UE experience.
  • the present application provides a communication method.
  • the principle of the communication method is to let the AF obtain the UE's latest key identifier before the key Kaf expires, so that the AF can request the updated Kaf from the AAnF (and through it the AUSF) based on the latest key identifier. This ensures that the service between the UE and the AF is not interrupted and improves the user experience.
  • At least one of a, b, or c can represent: a; b; c; a and b; a and c; b and c; or a, b and c.
  • a, b, and c may be single or multiple.
  • the terminal device in the flow can be the terminal device in the architecture of Figure 1
  • the mobility management network element can be the mobility management network element in the architecture of Figure 1.
  • the authentication server function network element can be the authentication server function network element in the architecture of Figure 1, and the unified data management network element can be the unified data management network element in the architecture of Figure 1.
  • the specific process is:
  • the terminal device and the authentication server function network element complete mutual authentication and each obtain the AKMA root key Kakma-1 and key identifier-1.
  • the UE initiates the service, and the application function network element obtains Kaf-1 and the validity period of Kaf-1.
  • after the AAnF has requested Kakma from the AUSF, the AUSF stores a mapping relationship locally.
  • the mapping relationship records which AAnF requested the Kakma corresponding to which key identifier.
  • the purpose of storing this mapping is that, when primary authentication occurs, the AUSF can notify the AAnF that uses the key identifier, so that the AAnF learns in time that the corresponding Kakma can no longer be used.
  • the AAnF ID, the key identifier and Kakma are stored internally in the AUSF.
  • the form of the AAnF ID is not specified in the present invention; it can be an ID assigned by an operator, a globally unified ID, or an IP address.
  • based on the AAnF ID, the AUSF can uniquely locate the AAnF that previously requested Kakma with a given key identifier.
  • the key identifier and Kakma are generated after primary authentication; the AUSF generates key identifier-1 and Kakma-1 after the first authentication. If there is only one AAnF in the network, the AAnF information need not be stored explicitly in the mapping relationship.
  • AUSF receives the authentication request message.
  • the authentication request message is used to trigger the two-way authentication between the network and the UE.
  • the UE and AUSF will delete Kakma-1 and keyidentifier-1.
  • AUSF sends an AKMA key notification request (AKMA Key Notification Request) message of the application service to the related AAnF.
  • the AKMA Key Notification Request carries key identifier-1.
  • the AUSF determines the AAnF that requested key identifier-1 according to the mapping relationship saved in step S301. If there is only one AAnF in the network, the AUSF need not consult the mapping relationship before sending the message. If the network has multiple AAnFs, the AUSF sends AKMA Key Notification Request messages to the different AAnFs concerned.
  • the AKMA Key Notification Request carries indication information, which indicates that the Kakma-1 corresponding to key identifier-1 is no longer valid. The specific form of the indication information is not specified in the present invention; it may be an indicator or a cause value. If the AKMA Key Notification Request message has only the function of notifying the AAnF to delete the key, the indication information need not be carried. If the message has several different functions, the indication information is mandatory.
  • S304 AAnF, according to the AKMA Key Notification Request or the indication information it carries, deletes Kakma-1 and key identifier-1; or marks Kakma-1 and key identifier-1 as invalid; or deletes Kakma-1 and marks key identifier-1 as invalid.
  • this embodiment stipulates that the validity period of the key identifier is the same as that of Kakma. Compared with direct deletion, marking the identifier invalid simplifies the subsequent process.
  • AAnF can maintain a mapping relationship locally that includes at least four of key identifier-1, Kakma-1, Kaf, the Kaf validity period and the AF ID. After receiving the message of step S303, AAnF marks key identifier-1 and Kakma-1 as invalid, so that when Kaf expires AAnF can directly reply with the identifier expiration indication of step S309, and then delete key identifier-1, Kakma-1 and Kaf.
  • otherwise AAnF may not know whether the key identifier requested by the AF is wrong or merely out of date, that is, the cause is unknown. Keeping key identifier-1 for a longer period and marking it invalid lets AAnF report the reason clearly.
  • after deleting (or invalidating) Kakma-1 and key identifier-1, AAnF replies with an AKMA key notification response (AKMA Key Notification Response) message of the application service.
  • S306 The UE and AUSF complete the primary authentication and then generate Kakma-2 and the corresponding key identifier-2. Steps S303 to S305 can occur before or after step S306; the invention does not specify which. Steps S303 to S305 can occur before step S306 because, once authentication takes place, Kakma-1 must be deleted regardless of the authentication result, so there is no need to wait for it.
  • for example, the AUSF may initiate step S303 after sending the authentication vector to the UE, or may initiate step S303 immediately. Having steps S303 to S305 occur after step S306 simplifies the processing logic of the AUSF.
  • the AF can determine, from the validity period of Kaf-1 and a preset lead time, the point at which Kaf-1 is about to expire.
  • S308 The AF sends a key update message to AAnF according to key identifier-1.
  • the message carries key identifier-1.
  • the purpose of this message is to request an updated application key Kaf from AAnF.
  • in its reply, AAnF indicates that the Kakma corresponding to key identifier-1 cannot be found or is invalid, or simply omits the updated application key.
  • the AF sends a key identification information request (AKMA Identifier Request) message of the application service to the UE.
  • the function of this message is to let the UE know that Kaf-1 has expired and that a new Kaf-2 needs to be generated.
  • this message can also trigger the UE to send a new key identifier to the AF.
  • the name of the message is not limited in the present invention; it need not be called AKMA Identifier Request.
  • the message carries indication information, which informs the UE that the key identifier-1 used previously has expired and/or that Kaf-1 has expired.
  • the form of the indication information is not limited in the present invention; for example, it may be an indicator or a cause value.
  • the message carries key identifier-1.
  • optionally, the message carries the AF ID; because the UE and the AF have interacted before and the AF ID has already been provided, it is not necessary to carry the AF ID in the message.
  • S312 The UE sends a key identification information response (AKMA Identifier Response) message of the application service to the AF.
  • the message carries the latest key identifier-2.
  • "latest" covers the case in which multiple primary authentications have occurred before the UE receives the message of step S311: after receiving that message, the UE sends the AF the key identifier generated by the most recent primary authentication. In this embodiment primary authentication has occurred only once, so the latest one is key identifier-2.
  • the UE also needs to determine Kaf-2. If Kaf-2 has already been derived from Kakma-2, the UE uses that Kaf-2; if not, the UE derives a new Kaf-2 from Kakma-2 and prepares to use it.
  • the message carries key identifier-1.
  • the UE looks up the Kakma-1 corresponding to key identifier-1; if key identifier-1 cannot be found, the UE determines the latest key identifier-2.
  • after acquiring the new Kaf-2, the AF sends an Application Key Update Request message to the UE so that the UE starts using Kaf-2 in step with the AF. If the UE has not generated Kaf-2 before, it generates it now; if Kaf-2 was generated before, it is used directly.
  • steps S318 and S319 can be replaced by application layer messages that execute a specific security protocol, for example TLS-related application layer messages.
  • the AF can request the AAnF to update Kaf using the latest key identifier of the terminal device. This ensures service continuity between the terminal device and the AF.
  • the AUSF and the UE each update the AKMA root key (Kakma-new) and the key identification information (key identifier-new) of the application corresponding to the UE.
  • the AUSF notifies the AAnF that the AKMA root key corresponding to key identifier-old is invalid/expired, and the AAnF marks the previously saved correspondence between key identifier-old and Kakma-old as invalid or deletes it.
  • the AF uses key identifier-old to request an application key update from the AAnF. Since the AAnF has deleted key identifier-old or marked it invalid, it cannot update the application key for the AF; it notifies the AF that the key update has failed and may optionally carry a cause value for the failure.
  • when the AF determines that the application key update has failed, it requests the new key identification information (key identifier-new) from the UE and uses key identifier-new to request the application key update from the AAnF again. After obtaining the new application key and its validity period from the AAnF, the AF triggers the UE to update the application key as well.
  • the terminal device in the flow can be the terminal device in the architecture of FIG. 1.
  • the mobility management network element can be the mobility management network element in the architecture of FIG. 1.
  • the authentication server function network element can be the authentication server function network element in the architecture of FIG. 1, and the unified data management network element can be the unified data management network element in the architecture of FIG. 1.
  • the specific process is:
  • S401 is the same as S301 in the embodiment in FIG. 3.
  • S402 is the same as S209 in the embodiment of FIG. 2.
  • in connection with step S402, the related steps S201 to S208 are further included.
  • S403-S407 are the same as S302-S306 in the embodiment of FIG. 3.
  • the UE may determine the time point at which Kaf-1 is about to expire from the validity period of Kaf-1 and a preset advance duration.
  • S409 The UE sends a key identification information update request (AKMA Identifier Update Request) message of the application service to the AF.
  • the message carries the latest key identifier.
  • the function of this message is to let the AF know the latest key identifier.
  • the present invention takes Keyidentifier-2 as an example.
  • the name of the message is not specifically limited in the present invention, that is, it does not need to be called AKMA Identifier Request.
  • the message also carries Key identifier-1.
  • if the UE and the network have performed multiple primary authentications before the expiration of Kaf-1 and the service between the UE and the AF is still in use, the UE carries the latest key identifier in the message of this step.
  • S410 The AF saves the received new key identifier-2.
  • the AF marks the key identifier-1 as invalid, or deletes the key identifier-1.
  • S411 The AF sends a key identification information update response (AKMA Identifier Response) message of the application service to the UE.
  • S412 The AF determines that Kaf-1 is about to expire.
  • the AF can determine the time point at which Kaf-1 is about to expire from the validity period of Kaf-1 and a preset advance duration.
  • the UE side determines that Kaf-1 is about to expire earlier than the AF side does.
  • the expiration time of Kaf-1 sent by the AF to the UE is earlier than the one the AF received from the AAnF, which facilitates early triggering on the UE side.
  • by specific configuration, the timing at which step S409 is triggered on the UE side is earlier than the timing at which the Kaf-1 expiry is triggered on the AF side (for example, the advance time with which the AF determines that Kaf-1 is about to expire is smaller than the advance time with which the UE determines that Kaf-1 is about to expire).
  • the specific implementation method is not limited in the present invention.
  • S413-S420 are the same as S313-S319 in the embodiment in FIG. 3.
  • since the Kaf expiration time is sent to the UE, the UE side sends the latest key identifier to the AF before the expiration; the whole process is smoother, and the delay is further reduced compared with the embodiment in FIG. 3.
  • the AF informs the UE of the validity period of the UE's application key.
  • the AUSF and the UE respectively update the application authentication and key management root key Kakma-new and the key identification information key identifier-new corresponding to the UE.
  • the AUSF notifies the AAnF that the application authentication and key management root key corresponding to key identifier-old is invalid/expired, and the AAnF invalidates or deletes the previously saved correspondence between key identifier-old and Kakma-old.
  • when the UE determines that its application key is about to expire, it actively notifies the AF of key identifier-new. Subsequently, when the application key Kaf corresponding to the UE is about to expire, the AF uses Kakma-new to request an updated application key from the AAnF, and after obtaining the updated application key and its validity period from the AAnF, it triggers the UE to update the application key as well.
  • the terminal device in the flow can be the terminal device in the architecture of FIG. 1, and the mobility management network element can be the mobility management network element in the architecture of FIG. 1.
  • the authentication server function network element can be the authentication server function network element in the architecture of FIG. 1, and the unified data management network element can be the unified data management network element in the architecture of FIG. 1.
  • the specific process is:
  • S501-S506 are the same as S301-S306 in the embodiment in FIG. 3.
  • S507-S509 are the same as S409-S411 in the embodiment in Figure 4.
  • the UE must send the latest key identifier to the AF every time. In this embodiment, only one primary authentication occurs, so the AKMA identifier update procedure is triggered only once.
  • S510-S517 are the same as S412-S419 in the embodiment of FIG. 4.
  • the key identifier used is the latest key identifier sent by the UE side.
  • the AF only retains the latest key identification information in step S508.
  • the AF needs to obtain the latest key identification information from the terminal device through the above-mentioned methods in FIG. 3, FIG. 4, and FIG. In Figure 6 below, the description will be continued.
  • the AUSF updates the application authentication and key management root key Kakma-new and the key identification information key identifier-new corresponding to the UE.
  • the AUSF notifies the AAnF that the application authentication and key management root key corresponding to key identifier-old is invalid/expired, and the AAnF invalidates or deletes the previously saved correspondence between key identifier-old and Kakma-old.
  • after the UE generates the new application authentication and key management root key Kakma-new and the key identification information key identifier-new, the UE actively notifies the AF of key identifier-new.
  • S601-S602 are the same as S301-S302 in the embodiment of FIG. 3. For related steps, please refer to the related description of the embodiment of FIG. 3, which will not be repeated here.
  • the authentication service network element sends an authentication success message to the terminal device.
  • S604 is the same as S306 in the embodiment in FIG. 3.
  • AUSF sends an authentication and key management notification request (AKMA key Notification Request) message of the application service to the related AAnF.
  • the message carries key identifier-1, key identifier-2 and Kakma-2 generated by S604.
  • the AAnF saves the newly received key identifier-2 and Kakma-2.
  • the AF may save key identifier-2 and Kakma-2 and continue to save key identifier-1 and Kakma-1 while marking them as invalid; or it may continue to save key identifier-1, mark it as invalid, and delete Kakma-1.
  • the AAnF replies with an authentication and key management notification response (AKMA key Notification Response) message of the application service.
  • the AF can determine the time point at which Kaf-1 is about to expire from the validity period of Kaf-1 and a preset advance duration.
  • S609 The AF sends a key update message to AAnF according to Keyidentifier-1.
  • the message carries key identifier-1.
  • the purpose of this message is to request AAnF to update the application key Kaf.
  • AAnF determines Kakma-2 according to Keyidentifier-1, and deletes Keyidentifier-1. AAnF generates Kaf-2 based on Kakma-2 and determines the validity period of Kaf-2.
  • S611 The AAnF replies with a key response message to the AF.
  • the message carries the second application key Kaf-2 and the validity period of Kaf-2.
  • S612-S613 are the same as S318-S319 in the embodiment in FIG. 3.
  • the AUSF updates the application authentication and key management root key Kakma-new and the key identification information key identifier-new corresponding to the UE.
  • the AUSF sends the updated Kakma-new and key identifier-new together with the old key identifier-old corresponding to the UE to the AAnF.
  • when the AAnF receives key identifier-new, Kakma-new and key identifier-old from the AUSF, it saves the correspondence between key identifier-new, Kakma-new and key identifier-old.
  • the AAnF invalidates or deletes the previously maintained correspondence between key identifier-old and Kakma-old.
  • subsequently the AF uses key identifier-old to request an application key update from the AAnF.
  • the AAnF can determine the updated application authentication and key management root key Kakma-new of the UE from key identifier-old and the correspondence between key identifier-new, Kakma-new and key identifier-old that it maintains, use Kakma-new to generate a new application key Kaf_new, and determine the validity period corresponding to Kaf_new.
  • the AAnF sends the new application key Kaf_new and the corresponding validity period to the AF. After the AF receives them, it triggers the UE to update the corresponding application key Kaf.
  • an embodiment of the present application further provides a device 800 for executing the method performed by the terminal device in the method embodiments shown in FIG. 3 to FIG. 6.
  • the device 800 includes a transceiver module 801 and a processing module 802.
  • for the specific functions of the transceiver module 801 and the processing module 802, refer to the description in the foregoing method embodiments, which is not repeated here.
  • an embodiment of the present application further provides a device 900 for executing the method performed by another network element (such as the application function network element AF, the application authentication and key management service network element AAnF, or the authentication service network element AUSF) in the method embodiments; for the relevant features, refer to the foregoing method embodiments, which are not repeated here.
  • the device 900 includes a transceiver module 901 and a processing module 902.
  • for the specific functions of the transceiver module 901 and the processing module 902, refer to the description in the foregoing method embodiments, which is not repeated here.
  • the division of units in the embodiments of this application is illustrative and is only a division by logical function; in actual implementation there may be other ways of dividing them.
  • the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically on its own, or two or more units can be integrated into one module.
  • the above-mentioned integrated unit can be realized in the form of hardware or of a software functional module.
  • if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that enable a terminal device (which may be a personal computer, a mobile phone, a network device, etc.) or a processor to execute all or part of the steps of the method in each embodiment of the present application.
  • the aforementioned storage media include: USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk, and other media that can store program code.
  • the terminal device, the application function network element AF, the application authentication and key management service network element AAnF, or the authentication service network element AUSF can all be presented in the form of functional modules divided in an integrated manner.
  • the "module" here can refer to a specific ASIC, a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other devices that can provide the above-mentioned functions.
  • the communication device 1200 shown in FIG. 9 includes at least one processor 1201, a memory 1202, and optionally, a communication interface 1203.
  • the memory 1202 may be a volatile memory, such as random access memory; the memory may also be a non-volatile memory, such as read-only memory, flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 1202 may be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited thereto.
  • the memory 1202 may be a combination of the above-mentioned memories.
  • the specific connection medium between the foregoing processor 1201 and the memory 1202 is not limited in the embodiments of the present application.
  • the memory 1202 and the processor 1201 are connected by a bus 1204 in the figure.
  • the bus 1204 is represented by a thick line in the figure.
  • the bus 1204 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is used in FIG. 9, but this does not mean that there is only one bus or one type of bus.
  • the processor 1201 may have a data transceiving function and can communicate with other devices.
  • alternatively, an independent data transceiving module, such as the communication interface 1203, may be used to send and receive data; when the processor 1201 communicates with other devices, data can be transmitted through the communication interface 1203.
  • the processor in FIG. 9 can call the computer-executable instructions stored in the memory 1202, so that the terminal device executes the method performed by the terminal device in any of the foregoing method embodiments.
  • the functions/implementation processes of the processing module and the transceiver module in FIG. 7 can all be implemented by the processor 1201 in FIG. 9 calling computer-executable instructions stored in the memory 1202.
  • alternatively, the function/implementation process of the processing module in FIG. 7 may be implemented by the processor 1201 in FIG. 9 calling computer-executable instructions stored in the memory 1202, and the function/implementation process of the transceiver module in FIG. 7 may be implemented through the communication interface 1203 in FIG. 9.
  • the processor in FIG. 9 may call the computer-executable instructions stored in the memory 1202 so that the authentication server function executes the method performed by the authentication server function in any of the foregoing method embodiments.
  • An embodiment of the present application also provides a communication system, which may include at least one of an application function network element AF, an application authentication and key management service network element AAnF, or an authentication service network element AUSF.
  • this application can be provided as a method, a system, or a computer program product. Therefore, this application may take the form of a purely hardware embodiment, a purely software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
  • these computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device.
  • the instruction device implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

Abstract

Provided are a communication method, apparatus and system for solving the prior-art problem of user data interruptions caused by application key updating. The principle of the method is that, before a key expires, the application server obtains in advance the key identifier information corresponding to a new key; when the key expires, the application server can directly use that key identifier information to request the new key from the AKMA anchor network element, so that service continuity is ensured.

Description

Communication method, device and system
This application claims priority to Chinese patent application No. 202010078309.8, entitled "Communication method, device and system", filed with the Chinese Patent Office on January 23, 2020, the entire content of which is incorporated herein by reference.
Technical field
The embodiments of the present application relate to the field of communication technology, and in particular to a communication method, device and system.
Background
At present, a terminal device can support the authentication and key management for applications (AKMA) service. AKMA authentication of a terminal device is generally performed as follows: once the terminal device has registered successfully and primary authentication has completed, the AKMA authentication of the terminal device is completed at the same time. After AKMA authentication, the terminal device and the authentication server function (AUSF) each generate the application authentication and key management root key Kakma and the key identification information key identifier. The terminal device requests a session service from the application function network element (AF), and the AF uses the key identification information sent by the terminal device to request the application key Kaf from the AKMA anchor function network element (AAnF). The AAnF in turn carries the key identification information to request Kakma from the AUSF. The AUSF determines Kakma according to the key identification information and sends Kakma to the AAnF. Finally, the AF obtains the application key and the validity period of the application key from the AAnF.
Kakma is an input parameter for generating Kaf. Kaf has an explicit validity period, whereas the validity of Kakma is bound to primary authentication: whenever primary authentication occurs, Kakma must be regenerated, and the key identification information is regenerated with it. Regenerating Kakma, however, does not affect the Kaf currently in use; that is, the refresh of Kaf and the refresh of Kakma are independent of each other. Therefore, by the time the validity period of Kaf expires, Kakma may already have been refreshed, and so may the key identification information. Refreshing the key identification information means the AUSF can no longer recognize the old key identifier, so the AF's request to update the Kaf key using the old key identifier fails, and the service is interrupted.
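The refresh failure described here, together with the two remedies summarized in the embodiment notes earlier on this page (the AF asking the UE for its latest key identifier after a failed update, as in the FIG. 3 flow, and the AAnF keeping the key identifier-old to key identifier-new correspondence, as in the FIG. 6 alternative), modelled as an added Python example. This is not code from the patent or from 3GPP: HMAC-SHA256 stands in for the 3GPP KDF, and the `AAnF`, `af_refresh` and `scenario` names, the AF identity and the key material are constructed for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

KAF_LIFETIME = 3600  # constructed Kaf validity period, in seconds


def kdf(key: bytes, label: bytes) -> bytes:
    """Simplified key derivation. Assumption: HMAC-SHA256 stands in for the
    3GPP KDF; only the hierarchy Kausf -> Kakma -> Kaf is taken from the page."""
    return hmac.new(key, label, hashlib.sha256).digest()


def derive_kakma(kausf: bytes) -> bytes:
    return kdf(kausf, b"AKMA")


def derive_key_identifier(kausf: bytes) -> str:
    # Regenerated together with Kakma on every primary authentication,
    # so it is derived from the same per-authentication key material.
    return kdf(kausf, b"AKMA-ID").hex()[:16]


def derive_kaf(kakma: bytes, af_id: str) -> bytes:
    return kdf(kakma, af_id.encode())


class KeyUpdateFailed(Exception):
    """The AAnF cannot map the presented key identifier to a valid Kakma."""


@dataclass
class AAnF:
    """Anchor function. With chain_ids=True it keeps the key identifier-old ->
    key identifier-new correspondence of the FIG. 6 alternative; with
    chain_ids=False it behaves like the prior art described in the Background."""
    chain_ids: bool = True
    keys: Dict[str, bytes] = field(default_factory=dict)      # key identifier -> Kakma
    successors: Dict[str, str] = field(default_factory=dict)  # key identifier-old -> -new

    def notify(self, kid_new: str, kakma_new: bytes, kid_old: Optional[str] = None) -> None:
        """AKMA key notification from the AUSF after a primary authentication."""
        self.keys[kid_new] = kakma_new
        if kid_old is not None:
            self.keys.pop(kid_old, None)          # old correspondence invalidated
            if self.chain_ids:
                self.successors[kid_old] = kid_new

    def resolve(self, kid: str) -> str:
        """Follow superseded identifiers to the one that currently holds a Kakma."""
        seen = set()
        while kid not in self.keys:
            if kid in seen or kid not in self.successors:
                raise KeyUpdateFailed(f"key identifier {kid} is invalid or expired")
            seen.add(kid)
            kid = self.successors[kid]
        return kid

    def request_kaf(self, kid: str, af_id: str, now: int) -> Tuple[bytes, int]:
        """Application key request from the AF: returns (Kaf, expiry time)."""
        current = self.resolve(kid)
        return derive_kaf(self.keys[current], af_id), now + KAF_LIFETIME


def af_refresh(aanf: AAnF, af_id: str, kid_known: str, ue_latest_kid: str, now: int):
    """AF-side refresh. First try the identifier the AF holds; if the AAnF
    rejects it, fall back to the latest identifier obtained from the UE
    (the FIG. 3 flow). Returns (Kaf, expiry, used_fallback)."""
    try:
        kaf, exp = aanf.request_kaf(kid_known, af_id, now)
        return kaf, exp, False
    except KeyUpdateFailed:
        kaf, exp = aanf.request_kaf(ue_latest_kid, af_id, now)
        return kaf, exp, True


def scenario(chain_ids: bool, ue_fallback: bool) -> dict:
    """Two primary authentications while Kaf-1 is still valid, then a Kaf
    refresh attempted by an AF that still holds key identifier-1."""
    af_id = "af.example.invalid"  # constructed AF identity
    aanf = AAnF(chain_ids=chain_ids)

    kausf1 = bytes(range(32))  # constructed stand-in for Kausf after authentication 1
    kakma1, kid1 = derive_kakma(kausf1), derive_key_identifier(kausf1)
    aanf.notify(kid1, kakma1)
    kaf1, exp1 = aanf.request_kaf(kid1, af_id, now=0)
    assert kaf1 == derive_kaf(kakma1, af_id)  # the UE derives the same Kaf-1 locally

    kausf2 = bytes(range(32, 64))  # constructed Kausf after authentication 2
    kakma2, kid2 = derive_kakma(kausf2), derive_key_identifier(kausf2)
    aanf.notify(kid2, kakma2, kid_old=kid1)  # kid1 no longer resolves directly

    try:
        kaf2, exp2, used_fallback = af_refresh(
            aanf, af_id, kid1, kid2 if ue_fallback else kid1, now=exp1)
    except KeyUpdateFailed:
        return {"updated": False}
    return {"updated": True, "used_fallback": used_fallback,
            "matches_ue": kaf2 == derive_kaf(kakma2, af_id), "expiry": exp2}


if __name__ == "__main__":
    print("prior art:          ", scenario(chain_ids=False, ue_fallback=False))
    print("ask UE (FIG. 3):    ", scenario(chain_ids=False, ue_fallback=True))
    print("AAnF chain (FIG. 6):", scenario(chain_ids=True, ue_fallback=False))
```

Run stand-alone, the first scenario reports the interrupted update from the Background, while the other two obtain a Kaf-2 that matches the key the UE derives on its own from Kakma-2, which is the synchronisation the Application key update Request relies on.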
Summary of the invention
The embodiments of the present application provide a communication method, device and system which ensure that, after primary authentication has occurred and the key identifiers on the terminal and the AUSF have been updated, the UE and the AF can update the Kaf key without interrupting the service.
The embodiments provided in this application include any one of the embodiments of Figures 2 to 6 below (the numbering of the embodiments in this section has no definite correspondence with the numbering of the embodiments elsewhere in this document; it is used here only for convenience of presentation).
The embodiments of the present application provide a network device having the function of implementing the behaviour of the network device in any of the foregoing method embodiments. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the respective sub-functions of the above function. The network device may be the application function network element AF, the application authentication and key management service network element AAnF, or the authentication service network element AUSF.
The embodiments of the present application provide a terminal device having the function of implementing the behaviour of the terminal device in any of the foregoing method embodiments. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the respective sub-functions of the above function. The terminal device may be user equipment.
An embodiment of the present application further provides a communication system including the network device and the terminal device described in any of the foregoing embodiments.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a computer, implements the method flow related to the terminal device in any of the foregoing method embodiments. Specifically, the computer may be the aforementioned terminal device.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a computer, implements the method flow related to the network device in any of the foregoing method embodiments. Specifically, the computer may be the aforementioned network device.
An embodiment of the present application further provides a computer program, or a computer program product including a computer program, which, when executed on a computer, causes the computer to implement the method flow related to the terminal device in any of the foregoing method embodiments. Specifically, the computer may be the aforementioned terminal device.
An embodiment of the present application further provides a computer program, or a computer program product including a computer program, which, when executed on a computer, causes the computer to implement the method flow related to the network device in any of the foregoing method embodiments. Specifically, the computer may be the aforementioned network device.
An embodiment of the present application further provides an apparatus applied in a terminal device. The apparatus is coupled to a memory and is configured to read and execute the instructions stored in the memory, so that the terminal device can perform the method flow related to the terminal device in any of the foregoing method embodiments. The memory may be integrated in the processor or be independent of the processor. The apparatus may be a chip on the user terminal (such as a system on a chip, SoC).
An embodiment of the present application further provides an apparatus applied in a network device. The apparatus is coupled to a memory and is configured to read and execute the instructions stored in the memory, so that the network device can perform the method flow related to the network device in any of the foregoing method embodiments. The memory may be integrated in the processor or be independent of the processor. The apparatus may be a chip on the network device (such as a system on a chip, SoC).
Description of the drawings
FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of this application;
FIG. 2 is a schematic diagram of Kaf key distribution provided by an embodiment of this application;
FIG. 3 is a schematic diagram of Kaf key distribution provided by an embodiment of this application;
FIG. 4 is a schematic diagram of Kaf key distribution provided by an embodiment of this application;
FIG. 5 is a schematic diagram of Kaf key distribution provided by an embodiment of this application;
FIG. 6 is a schematic diagram of Kaf key distribution provided by an embodiment of this application;
FIG. 7 and FIG. 8 are schematic diagrams of communication devices provided by embodiments of this application;
FIG. 9 is a schematic structural diagram of a communication device provided by an embodiment of this application.
具体实施方式Detailed ways
本申请实施例可以适用于4G(第四代移动通信系统)演进系统,如长期演进(long term evolution,LTE)系统,或者还可以为5G(第五代移动通信系统)系统,如采用新型无线接入技术(new radio access technology,New RAT)的接入网;云无线接入网(cloud radio access network,CRAN)等,或者,甚至未来的6G(第六代移动通信系统)等通信系统。The embodiments of this application may be applicable to 4G (fourth generation mobile communication system) evolution systems, such as long term evolution (long term evolution, LTE) systems, or may also be 5G (fifth generation mobile communication systems) systems, such as adopting new wireless Access technology (new radio access technology, New RAT) access network; cloud radio access network (cloud radio access network, CRAN), etc., or even future communication systems such as 6G (sixth generation mobile communication system).
参见图1,为本申请实施例提供的网络架构,该网络架构至少包括终端设备、接入网(access network,AN)、核心网和数据服务网络。可以理解的是,图1仅为示意性说明,并不作为对本申请的限定。Referring to FIG. 1, the network architecture provided by this embodiment of the application at least includes a terminal device, an access network (AN), a core network, and a data service network. It can be understood that FIG. 1 is only a schematic illustration, and is not intended to limit the application.
其中,终端设备可以简称为终端,是一种具有无线收发功能的设备,终端设备可以部署在陆地上,包括室内或室外、手持或车载;也可以部署在水面上(如轮船等);还可以部署在空中(例如飞机、气球和卫星上等)。所述终端设备可以是手机(mobile phone)、平板电脑(pad)、带无线收发功能的电脑、虚拟现实(virtual reality,VR)终端设备、增强现实(augmented reality,AR)终端设备、工业控制(industrial control)中的无线终端设备、无人驾驶(self driving)中的无线终端设备、远程医疗(remote medical)中的无线终端设备、智能电网(smart grid)中的无线终端设备、运输安全(transportation safety)中的无线终端设备、智慧城市(smart city)中的无线终端设备、智慧家庭(smart home)中的无线终端设备,以及还可以包括用户设备(user equipment,UE)等。终端设备还可以是蜂窝电话、无绳电话、会话启动协议(session initiation protocol,SIP)电话、无线本地环路(wireless local loop,WLL)站、个人数字助理(personal digital assistant,PDA)、具有无线通信功能的手持设备、计算设备或连接到无线调制解调器的其它处理设备、车载设备、可穿戴设备,未来第五代(the 5th generation,5G)网络中的终端设备或者未来演进的公用陆地移动通信网络(public land mobile network,PLMN)中的终端设备等。终端设备有时也可以称为终端设备、用户设备(user equipment,UE)、接入终端设备、车载终端设备、工业控制终端设备、UE单元、UE站、移动站、移动台、远方站、远程终端设备、移动设备、UE终端设备、终端设备、无线通信设备、UE代理或UE装置等。终端设备也可以是固定的或者移动的。本申请实施例对此并不限定。Among them, a terminal device can be referred to as a terminal for short, which is a device with a wireless transceiver function. The terminal device can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; it can also be deployed on the water (such as ships); Deployed in the air (for example, on airplanes, balloons, satellites, etc.). The terminal device may be a mobile phone (mobile phone), a tablet computer (pad), a computer with wireless transceiver function, virtual reality (VR) terminal equipment, augmented reality (AR) terminal equipment, industrial control ( Wireless terminal equipment in industrial control, wireless terminal equipment in self-driving, wireless terminal equipment in remote medical, wireless terminal equipment in smart grid, transportation safety (transportation) Wireless terminal equipment in safety), wireless terminal equipment in a smart city (smart city), wireless terminal equipment in a smart home (smart home), and may also include user equipment (UE), etc. 
The terminal equipment can also be a cellular phone, a cordless phone, a session initiation protocol (session initiation protocol, SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (personal digital assistant, PDA), with wireless communication Functional handheld devices, computing devices, or other processing devices connected to wireless modems, in-vehicle devices, wearable devices, terminal devices in the 5th generation (5G) network in the future, or public land mobile communication networks that will evolve in the future ( Public land mobile network (PLMN) terminal equipment, etc. Terminal equipment can sometimes be called terminal equipment, user equipment (UE), access terminal equipment, vehicle terminal equipment, industrial control terminal equipment, UE unit, UE station, mobile station, mobile station, remote station, remote terminal Equipment, mobile equipment, UE terminal equipment, terminal equipment, wireless communication equipment, UE agent or UE device, etc. The terminal device can also be fixed or mobile. The embodiments of the present application are not limited thereto.
The access network (AN) may use different types of access technology. For example, the access network may use a 3rd Generation Partnership Project (3GPP) access technology (for example, the radio access technology used in 3G, 4G or 5G systems), or a non-3GPP access technology. An access network that uses a 3GPP access technology is called a radio access network (RAN); for example, the access network device in a 5G system is called a next generation Node Basestation (gNB). A non-3GPP access technology is one that does not conform to the 3GPP specifications, for example an air-interface technology such as a wireless fidelity access point (WIFI AP).
The core network may include one or more of an authentication server function network element, a mobility management network element, a session function network element, an authentication and key management for applications (AKMA) anchor function network element, a unified data management network element and a user plane function network element. The user plane function network element is the egress for user-plane data and is mainly used to connect to external networks. The authentication server function network element is the functional entity with which the network authenticates the UE, and is mainly used by the network to verify the authenticity of the UE. The mobility management network element is mainly responsible for mobility management. The session function network element is mainly used to allocate session resources for the user plane. The unified data management network element stores the user's subscription data and generates the long-term key used to authenticate the user. The AKMA anchor function network element is mainly used to provide Kaf and the Kaf validity period to the AKMA application function network element.
It should be noted that the network elements of the core network may have different names in different communication systems. For example, in the fourth-generation mobile communication system the mobility management network element may be called a mobility management entity (MME), while in the fifth-generation mobile communication system it may be called an access and mobility management function (AMF). In the embodiments of this application the fifth-generation mobile communication system is taken as an example to introduce the core network elements; this is not a limitation of the embodiments. For example, in the fifth-generation mobile communication system the user plane function network element may be called the user plane function (UPF), the authentication server function network element may be called the authentication server function (AUSF), the mobility management network element may be called the AMF, the session management function network element may be called the session management function (SMF), the unified data management network element may be called unified data management (UDM), and the AKMA anchor function network element, which may also be called the AKMA authentication function network element, may be called the AKMA authentication function (AAuF).
It can be understood that the core network elements in FIG. 1 are only a schematic illustration and not a limitation. For example, in the embodiments of this application the core network may, in addition to the network elements shown in FIG. 1, include one or more of a Network Slice Selection Function (NSSF), a Network Exposure Function (NEF), a Network Repository Function (NRF), a Policy Control Function (PCF), an Application Function (AF) or an SCP.
The data service network may specifically be a data network (DN). The AKMA application function (AApF) network element, which may also simply be called the application function (AF), may be deployed in one or more servers in the DN to provide data services for 3GPP user terminals. It can be understood that the AKMA application function network element may be deployed in a server of the DN or within the core network; this is not limited. In the embodiments of this application, the AKMA application network element deployed in a server of the DN is taken as an example.
For the architecture shown in FIG. 1, an embodiment of this application provides an application scenario in which the terminal device supports the AKMA service and the core network device performs AKMA authentication on the terminal device. As shown in FIG. 2, an AKMA key distribution procedure is provided, in which the UE may specifically be the terminal device in the architecture of FIG. 1, the AAnF may specifically be the AKMA authentication function network element in that architecture, and the AUSF may specifically be the authentication server function network element in that architecture. The procedure includes:
S201: The UE and the authentication server network element AUSF complete the primary authentication procedure. The primary authentication procedure, which may also be called the mutual authentication procedure, is defined in chapter 6 of TS33.501. Its role is to complete mutual authentication between the UE and the network, as defined in TS33.501. Mutual authentication is performed between the AUSF and the UE; it may specifically be an extensible authentication protocol (EAP) exchange, the specific method being EAP-AKA', or the 5G authentication and key management protocol (5G AKA). If the mutual authentication between the UE and the AUSF succeeds, the AKMA authentication of the terminal device can be regarded as successful.
S202: After the primary authentication completes, the AUSF obtains Kausf and the UE generates Kausf itself; the two Kausf values are identical. The UE and the AUSF then each use Kausf to generate the first authentication and key management root key for applications, Kakma-1, and the first key identification information, key identifier-1. The specific method of generating Kakma and the key identifier is unrelated to this invention and is not explained further here.
Specifically, the key identification information identifies the UE's authentication and key management root key for applications, Kakma; Kakma serves as the root key for generating other AKMA keys (for example, application keys for the different applications of the UE). The key identification information may also be used by the AF and the AAnF to identify the UE: it is the identifier by which the AF and the AAnF determine the specific UE within the 5GC.
S203: After the UE and the AUSF have each generated Kakma-1 and key identifier-1, when the UE wants to use a service it sends an Application session establishment request message to the AF. The message carries the first key identification information, key identifier-1.
S204: After determining that it has no application key Kaf locally corresponding to the first key identification information, the AF sends a key request message to the authentication and key management service network element for applications (AKMA anchor function, AAnF). The message carries the first key identification information and the AF identity information, AF ID.
S205: The AAnF sends an authentication and key management key request for applications (AKMA Key Notification Request) message to the AUSF. The message carries the first key identification information.
S206: The AUSF replies with an authentication and key management key response for applications (AKMA Key Notification Response) message. The message carries Kakma-1, the first authentication and key management root key for applications of the first application service.
S207: Based on the received Kakma-1, the AAnF generates the first application key Kaf-1 for the UE and determines the first key validity period.
S208: The AAnF replies with a key response message. The message carries the first application key Kaf-1 and the validity period of the first application key.
S209: The AF replies with an Application session establishment response message.
S210: The AUSF receives an authentication request message. The authentication request message triggers mutual authentication between the network and the UE.
S211: After the authentication succeeds, the AUSF generates Kakma-2, the authentication and key management root key of the second application service, and the second key identification information, key identifier-2.
S212: Optionally, the generation of Kakma-2 and key identifier-2 need not affect the use of Kaf-1, so there is no need to notify the AF to update the key.
S213: When Kaf-1 expires, the AF deletes Kaf-1.
It can be seen from the above procedure that the update of Kakma is independent of the update of Kaf: Kaf is simply deleted when it expires. If the UE and the AF have a service in progress, that service is interrupted by the key expiry, which degrades the experience of the UE.
On this basis, this application provides a communication method whose principle is to let the AF obtain the latest key identifier of the UE before the key Kaf expires, so that the AF can request an updated Kaf from the AUSF based on the latest key identifier. This ensures that the service between the UE and the AF is not interrupted and improves the user experience.
It should be noted that in the description of this application the words "first", "second" and so on are used only to distinguish between the objects described and are not to be understood as indicating or implying relative importance or order, for example "first request message" and "second request message". "And/or" describes an association between associated objects and indicates that three relationships may exist: for example, A and/or B may mean that A exists alone, that A and B exist together, or that B exists alone, where A and B may each be singular or plural. "At least one of a, b or c" may mean: a; b; c; a and b; a and c; b and c; or a, b and c, where each of a, b and c may be singular or plural.
Referring to FIG. 3, a procedure of a communication method is provided. The terminal device in this procedure may be the terminal device in the architecture of FIG. 1, the mobility management network element may be the mobility management network element in that architecture, the authentication server function network element may be the authentication server function network element in that architecture, and the unified data management network element may be the unified data management network element in that architecture. The procedure is specifically as follows:
S300: The terminal device and the authentication server network element complete mutual authentication and each obtain the authentication and key management root key for applications, Kakma-1, and the key identification information, key identifier-1. The UE initiates a service, and the application function network element obtains Kaf-1 and the validity period of Kaf-1. For the specific procedure, refer to the description of steps S201 to S208.
S301: After the AAnF requests Kakma from the AUSF, the AUSF stores a mapping relationship locally. The mapping records which AAnF requested the Kakma corresponding to which key identifier. The purpose of storing this mapping is that, when a primary authentication occurs, the AUSF can notify the AAnF that used the key identifier, so that the AAnF learns in time that Kakma can no longer be used.
One optional implementation is that the AUSF internally stores the correspondence between AAnF ID, key identifier and Kakma. The form of the AAnF ID is not specified by this invention: it may be an ID allocated by the operator, a globally unique ID, or an IP address. In short, the AUSF can use the AAnF ID to uniquely locate the AAnF that earlier requested Kakma based on the key identifier. The key identifier and Kakma are generated after the primary authentication; in this invention, the AUSF generates key identifier-1 and Kakma-1 after the first authentication. If there is only one AAnF in the network, the AAnF information may be stored implicitly in the mapping relationship.
S302: The AUSF receives an authentication request message. The authentication request message triggers mutual authentication between the network and the UE.
Optionally, the UE and the AUSF delete Kakma-1 and key identifier-1.
S303: The AUSF sends an authentication and key management notification request for application services (AKMA key Notification Request) message to the related AAnF.
Specifically, the AKMA key Notification Request carries key identifier-1. Optionally, the AUSF determines the AAnF that requested key identifier-1 according to the mapping relationship stored in step S301. It should be noted that if there is only one AAnF in the network, the AUSF does not need the mapping relationship; it can determine the AAnF directly and then send the message. If the network has multiple AAnFs, the AUSF sends the AKMA key Notification Request message to the different AAnFs. Optionally, the AKMA key Notification Request carries indication information indicating that the Kakma-1 corresponding to key identifier-1 is no longer valid. The specific form of the indication information is not specified by this invention; for example, it may be an indicator or a cause value. If the only function of the AKMA Key Notification Request message is to tell the AAnF to delete the key, the indication information need not be carried; if the message has several different functions, the indication information is mandatory.
S304: According to the AKMA key Notification Request, or according to the indication information carried in it, the AAnF deletes Kakma-1 and key identifier-1; or marks Kakma-1 and key identifier-1 as invalid; or deletes Kakma-1 and marks key identifier-1 as invalid.
That is, this embodiment stipulates that the validity period of the key identifier is the same as that of Kakma. Compared with direct deletion, marking as invalid simplifies the subsequent procedure. Specifically, the AAnF may maintain a local mapping relationship containing at least four of key identifier-1, Kakma-1, Kaf, the Kaf validity period and the AF ID. After receiving the message of step S303, the AAnF marks key identifier-1 and Kakma-1 as invalid, so that when Kaf expires the AAnF can directly reply, in step S309 of this invention, with indication information that the identifier has expired, and only then delete key identifier-1, Kakma-1 and Kaf. Without such marking, the AAnF may not know whether the key identifier requested by the AF is wrong or expired, so the cause would remain unknown. Keeping key identifier-1 for a further period and marking it Invalid therefore lets the AAnF know the cause unambiguously.
S305: After deleting Kakma-1 and key identifier-1, the AAnF replies with an authentication and key management notification response for application services (AKMA Key Notification Response) message.
S306: The UE and the AUSF complete the primary authentication and generate Kakma-2 and the corresponding key identifier-2. It should be noted that steps S303 to S305 may occur either before or after step S306; this invention does not stipulate this. Steps S303 to S305 may occur before step S306 because the authentication has taken place and Kakma-1 must be deleted, so there is no need to wait for the authentication result. For example, the AUSF may initiate step S303 as soon as it has sent the authentication vector to the UE; as another example, the AUSF may initiate step S303 immediately after receiving the message of step S302. Having steps S303 to S305 occur after step S306 simplifies the processing logic of the AUSF.
S307: The AF determines that Kaf-1 is about to expire.
For example, the AF may determine the point at which Kaf-1 is about to expire as a preset duration ahead of the end of the Kaf-1 validity period.
S308: Based on key identifier-1, the AF sends a key update message to the AAnF. The message carries key identifier-1. The purpose of this message is to request an updated application key Kaf from the AAnF.
S309: If the AAnF set key identifier-1 to invalid in step S304, the AAnF determines that the key identifier-1 in the key update message is invalid. Alternatively, if key identifier-1 was deleted in step S304, the AAnF can no longer find the Kakma corresponding to key identifier-1.
S310: The AAnF replies with a key response message to the AF. The message indicates that the Kakma corresponding to key identifier-1 cannot be found or is invalid, or it does not carry an updated application key.
When the key response message sent by the AAnF to the AF does not carry an updated application key, it can implicitly indicate that the Kakma corresponding to key identifier-1 cannot be found or is invalid.
S311: The AF sends a key identification information request for application services (AKMA Identifier Request) message to the UE. The purpose of this message is to let the UE know that Kaf-1 has expired and that a new Kaf-2 needs to be generated. The message can also trigger the UE to send a new key identifier to the AF. The name of the message is not specifically limited by this invention; it need not be called AKMA Identifier Request. Optionally, the message carries indication information telling the UE that the previously used key identifier-1 has become invalid and/or that Kaf-1 has become invalid. The form of the indication information is not limited by this invention; for example, it may be an indicator or a cause value.
Optionally, the message carries key identifier-1.
Optionally, the message carries the AF ID. Because the UE and the AF have interacted before and the AF ID was already provided, the message may also omit the AF ID.
S312: The UE sends a key identification information response for application services (AKMA Identifier Response) message to the AF. The message carries the latest key identifier, key identifier-2.
Here, "latest" means that if several primary authentications have occurred before the UE receives the message of step S311, then after receiving that message the UE sends the key identifier generated by the last primary authentication to the AF. In this embodiment only one primary authentication has occurred, so the latest one is key identifier-2.
Optionally, before step S312 occurs, the UE needs to determine Kaf-2. If Kaf-2 has already been obtained from Kakma-2, the UE can directly decide to use this Kaf-2. If Kaf-2 has not been obtained before, the UE generates a new Kaf-2 from Kakma-2 and prepares to use it. Optionally, if the message carries key identifier-1, the UE determines the Kakma-1 corresponding to key identifier-1; if key identifier-1 cannot be found, the UE determines the latest key identifier-2.
For the procedure of S313 to S317, refer to steps S204 to S208. The difference is that S313 uses the latest key identification information received from the UE.
S318: After obtaining the new Kaf-2, the AF sends an Application key update Request message to the UE so that the UE starts using Kaf-2 in step with the AF. If the UE has not generated Kaf-2 before, it now generates Kaf-2; if Kaf-2 was generated earlier, it is used directly.
S319: The UE replies with an Application key update Acknowledge message to the AF.
It should be noted that steps S318 and S319 may be replaced by application-layer messages of a specific security protocol, for example TLS-related application-layer messages.
Through the above method, when the key expires the AF can request an updated Kaf from the AAnF using the latest key identifier of the terminal device. This ensures service continuity between the terminal device and the AF.
In the embodiments of this application, after a primary authentication occurs, the AUSF and the UE each update the UE's authentication and key management root key for applications, Kakma-new, and the key identification information, key identifier-new. The AUSF notifies the AAnF that the authentication and key management root key for applications corresponding to key identifier-old is invalid or expired, and the AAnF sets the previously stored correspondence between key identifier-old and Kakma-old to invalid, or deletes it.
Later, when the AF determines that the application key Kaf of the UE is about to expire, the AF uses key identifier-old to request an application key update from the AAnF. Because the AAnF has deleted key identifier-old or set it to invalid, it cannot update the application key for the AF, so it notifies the AF that the key update failed, optionally carrying a cause value for the failure. On determining that the application key update failed, the AF requests new key identification information, key identifier-new, from the UE and uses key identifier-new to request the application key update from the AAnF again. After obtaining the new application key and its validity period from the AAnF, the AF triggers the UE to update the application key as well.
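As an added illustration that is not code from the patent, the following Python simulation walks through the FIG. 2 key distribution and the FIG. 3 refresh procedure: the AUSF mapping of S301, the AAnF's choice in S304 between marking key identifier-1 invalid and deleting it (which decides the cause the AF sees at S309/S310), and the AF's refresh of S307 to S319 via the latest key identifier from the UE. The KDF, key lengths, validity period, lead time and the cause values are constructed placeholders, since the text leaves them unspecified.

```python
import hashlib
import hmac

KAF_LIFETIME = 3600        # constructed Kaf validity period (seconds); the real value is out of scope
REFRESH_LEAD_TIME = 300    # constructed "preset duration" before expiry at which the AF refreshes (S307)

# HMAC-SHA256 stand-in for the 3GPP key derivation function, which the text leaves out of scope (assumption)
def kdf(key: bytes, label: str, *parts: str) -> bytes:
    return hmac.new(key, "|".join((label, *parts)).encode(), hashlib.sha256).digest()

class UE:
    def __init__(self, long_term_key: bytes):
        self.k, self.kakma, self.key_id, self.kaf = long_term_key, None, None, None
    def primary_authentication(self, auth_count: int) -> None:
        # UE side of S201/S306: derive Kausf -> Kakma and the key identifier locally (S202)
        self.kakma = kdf(kdf(self.k, "Kausf", str(auth_count)), "Kakma")
        self.key_id = f"key identifier-{auth_count}"
    def application_key_update(self, af_id: str) -> str:
        # S318/S319 (and the UE side of S207): Kaf for this AF from the current Kakma
        self.kaf = kdf(self.kakma, "Kaf", af_id)
        return "Application key update Acknowledge"

class AUSF:
    def __init__(self, long_term_key: bytes):
        self.k, self.auth_count, self.kakma, self.key_id = long_term_key, 0, None, None
        self.mapping = {}   # S301: key identifier -> {AAnF ID: AAnF} that fetched its Kakma
    def primary_authentication(self, ue: UE) -> None:
        # S302/S306: new Kakma and key identifier on both sides, then S303 to holders of the old one
        old_key_id = self.key_id
        self.auth_count += 1
        self.kakma = kdf(kdf(self.k, "Kausf", str(self.auth_count)), "Kakma")
        self.key_id = f"key identifier-{self.auth_count}"
        ue.primary_authentication(self.auth_count)
        for aanf in self.mapping.pop(old_key_id, {}).values():
            aanf.key_notification(old_key_id, cause="KAKMA_INVALID")   # S303 AKMA key Notification Request
    def akma_key_request(self, aanf: "AAnF", key_id: str):
        # S205/S206: Kakma only for the current key identifier; remember which AAnF asked
        if key_id != self.key_id:
            return None
        self.mapping.setdefault(key_id, {})[aanf.aanf_id] = aanf
        return self.kakma

class AAnF:
    def __init__(self, aanf_id: str, ausf: AUSF, mark_invalid: bool = True):
        self.aanf_id, self.ausf, self.mark_invalid = aanf_id, ausf, mark_invalid
        self.ctx = {}       # key identifier -> {"kakma", "valid", "kaf", "expiry", "af_id"}
    def key_notification(self, key_id: str, cause: str) -> str:
        # S304: keep the entry but mark it invalid (so S309 can name the cause), or delete it outright
        if key_id in self.ctx:
            if self.mark_invalid:
                self.ctx[key_id].update(kakma=None, valid=False)
            else:
                del self.ctx[key_id]
        return "AKMA Key Notification Response"
    def key_request(self, key_id: str, af_id: str, now: int) -> dict:
        # S204-S208 for a fresh session, S308-S310 for a key update with an identifier the AF holds
        entry = self.ctx.get(key_id)
        if entry is not None and not entry["valid"]:
            return {"cause": "KEY_IDENTIFIER_INVALID"}        # S309/S310, marked-invalid path
        if entry is None:
            kakma = self.ausf.akma_key_request(self, key_id)
            if kakma is None:
                return {"cause": "KEY_IDENTIFIER_NOT_FOUND"}  # S309/S310, deleted path
            entry = self.ctx[key_id] = {"kakma": kakma, "valid": True}
        entry.update(kaf=kdf(entry["kakma"], "Kaf", af_id), expiry=now + KAF_LIFETIME, af_id=af_id)
        return {"kaf": entry["kaf"], "expiry": entry["expiry"]}

class AF:
    def __init__(self, af_id: str, aanf: AAnF):
        self.af_id, self.aanf = af_id, aanf
        self.key_id = self.kaf = self.expiry = self.last_cause = None
    def establish_session(self, ue: UE, now: int) -> None:
        # S203-S209: key identifier from the UE, Kaf and validity period from the AAnF
        self.key_id = ue.key_id
        resp = self.aanf.key_request(self.key_id, self.af_id, now)
        self.kaf, self.expiry = resp["kaf"], resp["expiry"]
        ue.application_key_update(self.af_id)
    def refresh(self, ue: UE, now: int) -> None:
        # S308-S319: try the held key identifier; if the AAnF rejects it, fetch the latest one from the UE
        resp = self.aanf.key_request(self.key_id, self.af_id, now)          # S308 key update
        if "kaf" not in resp:
            self.last_cause = resp["cause"]                                  # S310 key response
            self.key_id = ue.key_id                                          # S311/S312 AKMA Identifier exchange
            resp = self.aanf.key_request(self.key_id, self.af_id, now)      # S313-S317
        self.kaf, self.expiry = resp["kaf"], resp["expiry"]
        ue.application_key_update(self.af_id)                                # S318/S319

def run_scenario(mark_invalid: bool = True, reauthenticate: bool = True) -> tuple:
    k = b"constructed long-term key K"       # constructed subscriber key shared by UE and network
    ue, ausf = UE(k), AUSF(k)
    af = AF("AF-1", AAnF("AAnF-1", ausf, mark_invalid))
    ausf.primary_authentication(ue)          # Kakma-1 / key identifier-1
    af.establish_session(ue, now=0)          # Kaf-1, valid until KAF_LIFETIME
    if reauthenticate:
        ausf.primary_authentication(ue)      # Kakma-2 / key identifier-2; AAnF told Kakma-1 is invalid
    now = af.expiry - REFRESH_LEAD_TIME      # S307: preset lead time before Kaf-1 expires
    af.refresh(ue, now)
    return af.last_cause, af.key_id, af.kaf == ue.kaf, af.expiry
```

With `reauthenticate=False` the held key identifier-1 is still valid and the refresh succeeds without involving the UE, which is the S212 case; with a second primary authentication the AF only recovers by switching to key identifier-2.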
Referring to FIG. 4, a procedure of a communication method is provided. The terminal device in this procedure may be the terminal device in the architecture of FIG. 1, the mobility management network element may be the mobility management network element in that architecture, the authentication server function network element may be the authentication server function network element in that architecture, and the unified data management network element may be the unified data management network element in that architecture. The procedure is specifically as follows:
S401 is the same as S301 in the embodiment of FIG. 3; for the related steps, refer to the description of the embodiment of FIG. 3, which is not repeated here.
S402 is the same as S209 in the embodiment of FIG. 2; for the related steps, refer to the description of the embodiment of FIG. 2. The difference here is that the AF sends the validity period of Kaf-1 to the terminal device.
Optionally, the related steps S201 to S208 are also included before step S402.
S403 to S407 are the same as S302 to S306 in the embodiment of FIG. 3; for the related steps, refer to the description of the embodiment of FIG. 3, which is not repeated here.
S408: When the UE finds that Kaf-1 is about to expire, the UE actively triggers the key identification information update request message for the application service.
For example, the UE may determine the point in time at which Kaf-1 is about to expire as a preset duration ahead of the validity period of Kaf-1.
S409: The UE sends a key identification information update request (AKMA Identifier Update Request) message for the application service to the AF. The message carries the latest key identifier; its purpose is to let the AF know the latest key identifier. The present invention takes Key identifier-2 as an example. The name of the message is not specifically limited in the present invention, that is, it need not be called AKMA Identifier Request. Optionally, the message also carries Key identifier-1.
If, before Kaf-1 expires, the UE and the network side have performed primary authentication several times and the service between the UE and the AF has remained in use, the UE carries the latest key identifier in the message of this step.
S410: The AF stores the received new key identifier-2. Optionally, the AF marks key identifier-1 as invalid or deletes key identifier-1.
S411: The AF sends a key identification information update response (AKMA Identifier Response) message for the application service to the UE.
S412: The AF determines that Kaf-1 is about to expire.
For example, the AF may determine the point in time at which Kaf-1 is about to expire as a preset duration ahead of the validity period of Kaf-1.
It should be noted that the time at which the UE side judges that Kaf-1 is about to expire must be earlier than the time at which the AF side does. For example, the Kaf-1 expiry time that the AF sends to the UE may be earlier than the one it received from the AAnF, which lets the UE side trigger earlier. As another example, through specific configuration, the moment at which the UE side triggers the sending of step S409 is made earlier than the moment at which the AF side triggers on Kaf-1 (for example, the advance duration by which the AF judges that Kaf-1 is about to expire is shorter than the advance duration by which the UE judges that Kaf-1 is about to expire). The specific implementation is not specified in the present invention.
S413 to S420 are the same as S313 to S319 in the embodiment of FIG. 3; for the related steps refer to the description of the embodiment of FIG. 3, which is not repeated here.
Compared with the prior art, because the Kaf expiry time is sent to the UE so that the UE side sends the latest key identifier to the AF before expiry, the whole process is smoother and the delay is further reduced relative to the embodiment of FIG. 3.
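The ordering rule stated for steps S408 to S412 (the UE must send the AKMA Identifier Update Request before the AF itself decides Kaf-1 is about to expire) is easy to get wrong when the AF simply forwards the AAnF's expiry time and both sides use the same advance duration. The following added example, which is not code from the patent, models the two mechanisms the text names (an earlier expiry time sent to the UE, or a longer advance duration on the UE) and shows which key identifier the AF holds when it reaches S412. Field names, the transit-delay parameter and all time values are assumptions.

```python
"""Added example (not code from the patent): a model of the FIG. 4 timing rule.

The UE must notice that Kaf-1 is about to expire and send the AKMA Identifier
Update Request (S409) before the AF decides that Kaf-1 is about to expire
(S412). Otherwise the AF still holds key identifier-1 at S412 and its key
update request to the AAnF fails, as in the FIG. 3 flow. Field names and all
times below are assumed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Kaf1Timing:
    expiry_from_aanf: float   # Kaf-1 expiry the AAnF gave the AF (seconds)
    expiry_sent_to_ue: float  # Kaf-1 expiry the AF sent to the UE in S402
    af_lead: float            # AF's advance duration before expiry (S412)
    ue_lead: float            # UE's advance duration before expiry (S408)


def ue_trigger_time(t: Kaf1Timing) -> float:
    """S408: the UE judges Kaf-1 about to expire `ue_lead` before the expiry it was told."""
    return t.expiry_sent_to_ue - t.ue_lead


def af_trigger_time(t: Kaf1Timing) -> float:
    """S412: the AF judges Kaf-1 about to expire `af_lead` before the AAnF expiry."""
    return t.expiry_from_aanf - t.af_lead


def identifier_used_by_af(t: Kaf1Timing, transit_delay: float = 0.0) -> str:
    """Which key identifier the AF holds when it reaches S412.

    The S409 message is assumed to take `transit_delay` seconds to reach the AF.
    If it arrives before the AF's own trigger, the AF already stores
    key identifier-2 (S410) and can request Kaf-2; otherwise it still holds
    key identifier-1 and the update request would fail.
    """
    arrival = ue_trigger_time(t) + transit_delay
    return "key identifier-2" if arrival < af_trigger_time(t) else "key identifier-1"


def ordering_is_safe(t: Kaf1Timing, transit_delay: float = 0.0) -> bool:
    """True when the UE's update reaches the AF before the AF's S412 trigger."""
    return identifier_used_by_af(t, transit_delay) == "key identifier-2"


# Constructed scenarios (times in seconds from an arbitrary origin).
EXPIRY = 3600.0

# (a) AF forwards the AAnF expiry unchanged and both sides use the same lead: a race.
SAME_LEAD = Kaf1Timing(EXPIRY, EXPIRY, af_lead=300.0, ue_lead=300.0)

# (b) AF tells the UE an expiry 120 s earlier than the one it received from the AAnF.
EARLIER_EXPIRY = Kaf1Timing(EXPIRY, EXPIRY - 120.0, af_lead=300.0, ue_lead=300.0)

# (c) UE configured with a longer advance duration than the AF.
LONGER_UE_LEAD = Kaf1Timing(EXPIRY, EXPIRY, af_lead=300.0, ue_lead=420.0)


if __name__ == "__main__":
    for name, t in [("same lead", SAME_LEAD), ("earlier expiry", EARLIER_EXPIRY),
                    ("longer UE lead", LONGER_UE_LEAD)]:
        print(f"{name:15s}: AF uses {identifier_used_by_af(t, transit_delay=1.0)}")
```

The margin chosen (120 s of earlier expiry, or a 120 s longer UE lead) has to cover the S409 delivery delay; the last scenario shows that a 200 s transit delay defeats a 120 s margin, so the margin is a deployment parameter, not a constant.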
In this embodiment of the present application, during the process of the UE establishing a session with the AF, the AF informs the UE of the validity period of the UE's application key. After primary authentication occurs, the AUSF and the UE each update the application authentication and key management root key Kakma-new corresponding to the UE and the key identification information key identifier-new. The AUSF notifies the AAnF that the application authentication and key management root key corresponding to key identifier-old is invalid/expired, and the AAnF sets the previously stored correspondence between key identifier-old and Kakma-old to invalid or deletes it. When the UE determines that its own application key is about to expire, the UE actively notifies the AF of key identifier-new. Subsequently, when the application key Kaf corresponding to the UE is about to expire, the AF uses Kakma-new to request an updated application key from the AAnF and, after obtaining the updated application key and the corresponding validity period from the AAnF, triggers the UE to update the application key as well.
Referring to FIG. 5, a communication method flow is provided. The terminal device in this flow may be the terminal device in the architecture of FIG. 1, the mobility management network element may be the mobility management network element in the architecture of FIG. 1, the authentication server function network element may be the authentication server function network element in the architecture of FIG. 1, and the unified data management network element may be the unified data management network element in the architecture of FIG. 1. The flow is as follows:
S501 to S506 are the same as S301 to S306 in the embodiment of FIG. 3; for the related steps refer to the description of the embodiment of FIG. 3, which is not repeated here.
S507 to S509 are the same as S409 to S411 in the embodiment of FIG. 4; for the related steps refer to the description of the embodiment of FIG. 4. The difference is that when the UE finds that primary authentication has completed and new key identification information has been generated, it actively initiates the AKMA identifier update procedure and sends the latest identifier to the AF. Specifically, if primary authentication occurs several times before Kaf expires, the UE sends the latest key identifier to the AF each time. In this embodiment only one primary authentication occurs, so the AKMA identifier update procedure is triggered only once.
S510 to S517 are the same as S412 to S419 in the embodiment of FIG. 4; for the related steps refer to the description of the embodiment of FIG. 4. The difference is that the key identifier used is the latest key identifier sent by the UE side. Optionally, in step S508 the AF retains only the latest key identification information.
It should be noted that in the embodiments of the present application, through the methods of FIG. 3, FIG. 4 and FIG. 5 above, the AF obtains the latest key identification information from the terminal device. FIG. 6 below continues with a method by which the AF can obtain the latest key identification information from the AAnF, so as to ensure service continuity between the UE and the AF.
In this embodiment of the present application, after primary authentication occurs, the AUSF updates the application authentication and key management root key Kakma-new corresponding to the UE and the key identification information key identifier-new. The AUSF notifies the AAnF that the application authentication and key management root key corresponding to key identifier-old is invalid/expired, and the AAnF sets the previously stored correspondence between key identifier-old and Kakma-old to invalid or deletes it. After the UE generates the new application authentication and key management root key Kakma-new and the key identification information key identifier-new, the UE actively notifies the AF of key identifier-new. Subsequently, when the application key Kaf corresponding to the UE is about to expire, the AF uses Kakma-new to request an updated application key from the AAnF and, after obtaining the updated application key and the corresponding validity period from the AAnF, triggers the UE to update the application key as well.
S601 to S602 are the same as S301 to S302 in the embodiment of FIG. 3; for the related steps refer to the description of the embodiment of FIG. 3, which is not repeated here.
S603: The authentication service network element sends an authentication success message to the terminal device.
S604 is the same as S306 in the embodiment of FIG. 3; for the related steps refer to the description of the embodiment of FIG. 3, which is not repeated here.
S605: The AUSF sends an application service authentication and key management notification request (AKMA key Notification Request) message to the relevant AAnF. The message carries key identifier-1 together with the key identifier-2 and Kakma-2 generated in S604.
S606: The AAnF stores the newly received Key identifier-2 and Kakma-2. Optionally, the AF may store Key identifier-2 and Kakma-2 while continuing to store Key identifier-1 and Kakma-1 and marking them as invalid. Alternatively, it continues to store Key identifier-1 marked as invalid and deletes Kakma-1.
S607: The AAnF replies with an application service authentication and key management notification response (AKMA key Notification Response) message.
S608: Kaf-1 on the AF side is about to expire.
For example, the AF may determine the point in time at which Kaf-1 is about to expire as a preset duration ahead of the validity period of Kaf-1.
S609: Based on Key identifier-1, the AF sends a key update message to the AAnF. The message carries key identifier-1; its purpose is to request the AAnF to update the application key Kaf.
S610: The AAnF determines Kakma-2 from Key identifier-1 and deletes Key identifier-1. The AAnF generates Kaf-2 from Kakma-2 and determines the validity period of Kaf-2.
S611: The AAnF replies with a key response message to the AF. The message carries the second application key Kaf-2 and the validity period of Kaf-2.
S612 to S613 are the same as S318 to S319 in the embodiment of FIG. 3; for the related steps refer to the description of the embodiment of FIG. 3, which is not repeated here.
In this embodiment of the present application, after primary authentication occurs, the AUSF updates the application authentication and key management root key Kakma-new corresponding to the UE and the key identification information key identifier-new. The AUSF sends the updated Kakma-new and key identifier-new, together with the UE's old key identification information key identifier-old, to the AAnF. After receiving key identifier-new, Kakma-new and key identifier-old from the AUSF, the AAnF stores the correspondence among key identifier-new, Kakma-new and key identifier-old. Optionally, the AAnF sets the previously kept correspondence between key identifier-old and Kakma-old to invalid or deletes it. Subsequently, when the AF determines that the UE's application key Kaf is about to expire, it uses key identifier-old to request an application key update from the AAnF. Based on key identifier-old and the correspondence it keeps among key identifier-new, Kakma-new and key identifier-old, the AAnF can determine the UE's updated application authentication and key management root key Kakma-new, use Kakma-new to generate a new application key Kaf_new, and determine the validity period corresponding to Kaf_new. The AAnF sends the new application key Kaf_new and the corresponding validity period to the AF. After the AF receives the new application key Kaf_new and the corresponding validity period, it triggers the UE to update the corresponding application key Kaf.
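The difference between the FIG. 3 handling of the old key identifier (the AAnF drops or invalidates it, so an AF that still presents key identifier-old receives a failure) and the FIG. 6 handling (the AAnF keeps a key identifier-old to key identifier-new correspondence and serves the same request) is the whole point of this embodiment. The following added example, which is not code from the patent or from any 3GPP implementation, is a toy AAnF that can be switched between the two behaviours. The application key derivation (HMAC-SHA256 keyed with Kakma over the AF identity), the identifier strings, the cause text and the dictionary-shaped messages are assumptions for illustration; the real AKMA key derivation function is not reproduced.

```python
"""Added example (not code from the patent): a toy AAnF that contrasts the
FIG. 3 handling of key identifier-old (deleted or invalidated, so an AF that
still uses it fails) with the FIG. 6 handling (the AAnF keeps an old -> new
identifier mapping, so the same request succeeds). The key derivation, the
identifier strings, the cause text and the message shapes are assumptions."""
import hashlib
import hmac


def derive_kaf(kakma: bytes, af_id: str) -> bytes:
    """Assumed derivation for illustration: Kaf = HMAC-SHA256(Kakma, AF identity)."""
    return hmac.new(kakma, af_id.encode(), hashlib.sha256).digest()


class AAnF:
    def __init__(self, kaf_lifetime: float = 3600.0, keep_old_mapping: bool = False):
        # keep_old_mapping=False models FIG. 3 (old identifier dropped/invalidated);
        # keep_old_mapping=True models FIG. 6 (old -> new identifier correspondence kept).
        self.keep_old_mapping = keep_old_mapping
        self.kaf_lifetime = kaf_lifetime
        self.kakma = {}       # key identifier -> currently valid Kakma
        self.superseded = {}  # key identifier-old -> key identifier-new (FIG. 6 only)

    def store(self, key_id: str, kakma: bytes) -> None:
        """Initial AKMA context after the first primary authentication."""
        self.kakma[key_id] = kakma

    def akma_key_notification(self, key_id_old: str, key_id_new: str, kakma_new: bytes) -> None:
        """S605/S606: the AUSF reports the new root key and identifier after primary authentication."""
        self.kakma[key_id_new] = kakma_new
        self.kakma.pop(key_id_old, None)  # Kakma-old is invalid/expired in every variant
        if self.keep_old_mapping:
            self.superseded[key_id_old] = key_id_new

    def key_update(self, key_id: str, af_id: str, now: float) -> dict:
        """Handle the AF's key update request (S609); returns the response as a dict."""
        if key_id in self.superseded:
            # FIG. 6, S610: resolve the old identifier to the new one and delete the old
            # one, so the correspondence can be consumed only once.
            key_id = self.superseded.pop(key_id)
        kakma = self.kakma.get(key_id)
        if kakma is None:
            # FIG. 3: identifier deleted/invalidated, the update fails with a cause value.
            return {"ok": False, "cause": "unknown or invalid key identifier"}  # cause text assumed
        return {"ok": True, "kaf": derive_kaf(kakma, af_id), "expiry": now + self.kaf_lifetime}


# Constructed sample values for the walk-through (not real keys or identifiers).
AF_ID = "af.example.invalid"
KEY_ID_1, KEY_ID_2 = "key identifier-1", "key identifier-2"
KAKMA_1 = bytes.fromhex("00" * 32)
KAKMA_2 = bytes.fromhex("11" * 32)


def run_update_with_old_identifier(keep_old_mapping: bool, now: float = 1000.0) -> list:
    """Primary authentication happens, then the AF asks for a key update with
    key identifier-1 twice. Returns the two AAnF responses in order."""
    aanf = AAnF(keep_old_mapping=keep_old_mapping)
    aanf.store(KEY_ID_1, KAKMA_1)
    aanf.akma_key_notification(KEY_ID_1, KEY_ID_2, KAKMA_2)  # S605/S606
    first = aanf.key_update(KEY_ID_1, AF_ID, now)           # S609 to S611
    second = aanf.key_update(KEY_ID_1, AF_ID, now)          # old identifier already consumed
    return [first, second]


if __name__ == "__main__":
    for variant, keep in (("FIG. 3", False), ("FIG. 6", True)):
        first, second = run_update_with_old_identifier(keep)
        print(f"{variant}: first request ok={first['ok']}, second request ok={second['ok']}")
```

Note the one-shot resolution in `key_update`: S610 deletes Key identifier-1 once it has been mapped, so a second request carrying the old identifier fails even in the FIG. 6 variant, and the AF is expected to switch to the identifier the UE sends it (FIG. 4/FIG. 5) or to the new identifier it learns through the update.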
Based on the same inventive concept as the method embodiments, an embodiment of the present application further provides an apparatus 800 for performing the method performed by the terminal device in the method embodiments shown in FIG. 3 to FIG. 6; for the related features refer to the method embodiments above, which are not repeated here. As an example, as shown in FIG. 7, the apparatus 800 includes a transceiver module 801 and a processing module 802.
For the specific functions of the transceiver module 801 and the processing module 802, refer to the description in the method embodiments above, which is not repeated here.
Based on the same inventive concept as the method embodiments, an embodiment of the present application further provides an apparatus 900 for performing the method performed by the other network elements (for example the application function network element AF, the application authentication and key management service network element AAnF, or the authentication service network element AUSF) in the method embodiments shown in FIG. 3 to FIG. 6; for the related features refer to the method embodiments above, which are not repeated here. As an example, as shown in FIG. 8, the apparatus 900 includes a transceiver module 901 and a processing module 902.
For the specific functions of the transceiver module 901 and the processing module 902, refer to the description in the method embodiments above, which is not repeated here.
The division of units in the embodiments of the present application is illustrative and is only a division by logical function; in actual implementation there may be other ways of division. In addition, the functional units in the embodiments of the present application may be integrated in one processor, may exist physically alone, or two or more units may be integrated in one module. The integrated unit may be implemented in the form of hardware or in the form of a software functional module.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a terminal device (which may be a personal computer, a mobile phone, a network device or the like) or a processor to perform all or part of the steps of the method in the embodiments of the present application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
In the embodiments of the present application, the terminal device, the application function network element AF, the application authentication and key management service network element AAnF, or the authentication service network element AUSF may each be presented in the form of functional modules divided in an integrated manner. A "module" here may refer to a specific ASIC, a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the functions described above.
In a simple embodiment, the communication apparatus 1200 shown in FIG. 9 includes at least one processor 1201 and a memory 1202, and optionally further includes a communication interface 1203.
The memory 1202 may be a volatile memory such as a random access memory; the memory may also be a non-volatile memory such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 1202 may be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 1202 may be a combination of the above memories.
The specific connection medium between the processor 1201 and the memory 1202 is not limited in the embodiments of the present application. In the figure, the memory 1202 and the processor 1201 are connected through a bus 1204, drawn as a thick line; the connections between other components are only illustrative and not limiting. The bus 1204 may be divided into an address bus, a data bus, a control bus and the like. For ease of representation only one thick line is drawn in FIG. 9, but this does not mean that there is only one bus or one type of bus.
The processor 1201 may have a data transceiving function and be able to communicate with other devices. In the apparatus of FIG. 9, a separate data transceiving module such as the communication interface 1203 may also be provided for sending and receiving data; when communicating with other devices, the processor 1201 may transmit data through the communication interface 1203.
In one example, when the terminal device takes the form shown in FIG. 9, the processor in FIG. 9 may invoke the computer-executable instructions stored in the memory 1202 so that the terminal device performs the method performed by the terminal device in any of the method embodiments above.
Specifically, the functions/implementation processes of the processing module and the transceiver module in FIG. 7 may both be implemented by the processor 1201 in FIG. 9 invoking the computer-executable instructions stored in the memory 1202. Alternatively, the functions/implementation process of the processing module in FIG. 7 may be implemented by the processor 1201 in FIG. 9 invoking the computer-executable instructions stored in the memory 1202, and the functions/implementation process of the transceiver module in FIG. 7 may be implemented through the communication interface 1203 in FIG. 9.
In another example, when the application function network element AF, the application authentication and key management service network element AAnF or the authentication service network element AUSF takes the form shown in FIG. 9, the processor in FIG. 9 may invoke the computer-executable instructions stored in the memory 1202 so that the authentication server function performs the method performed by the authentication server function in any of the method embodiments above.
An embodiment of the present application further provides a communication system, which may include at least one of the application function network element AF, the application authentication and key management service network element AAnF, or the authentication service network element AUSF.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to the present application without departing from its scope. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to include them.

Claims (16)

  1. A key update method, characterized in that the method comprises:
    an application function network element receiving second key identification information sent by a terminal device;
    the application function network element sending a first application authentication and key management key update request message to an application authentication and key management anchor function entity, the first application authentication and key management key update request message carrying the second key identification information;
    the application function network element receiving a first application authentication and key management key update response message from the application authentication and key management anchor function entity, the first application authentication and key management key update response message carrying a second application key corresponding to the second key identification information;
    the application function network element initiating an application key update procedure to the UE, and the application function network element deleting a first application key and starting to use the second application key.
  2. The method according to claim 1, characterized in that, before the first application function network element receives the latest second key identification information sent by the terminal, the method comprises:
    the application function network element sending an application authentication and key management identifier request message to the terminal device, the message being used to request the latest key identification information from the terminal device;
    the application function network element receiving an application authentication and key management identifier response message sent by the terminal device, the response message comprising the second key identification information.
  3. The method according to claim 2, characterized in that, before the application function network element sends the application authentication and key management identifier request message to the terminal device, the method comprises:
    the application function network element sending a second application authentication and key management key update request message to the application authentication and key management anchor function entity, the second application authentication and key management key update request message carrying first key identification information;
    the application function network element receiving a second application authentication and key management key update response message sent by the application authentication and key management anchor function entity, the response message not carrying an updated application key.
  4. The method according to claim 1, characterized in that, before the first application function network element receives the latest second key identification information sent by the terminal, the method comprises:
    the application function network element receiving an application authentication and key management identifier request message sent by the terminal device, the application authentication and key management identifier request message comprising the second key identification information;
    the application function network element sending an application authentication and key management identifier response message to the terminal device.
  5. The method according to claim 4, characterized in that, before the application function network element receives the application authentication and key management identifier request message sent by the terminal device, the method comprises:
    the application function network element sending, to the terminal, the expiry time of the first application key corresponding to the first key identifier.
  6. The method according to claim 4, characterized in that:
    the application network element stores the second key identification information and deletes the first key identification information.
  7. A key update method, characterized in that the method comprises:
    the terminal device obtaining second key identification information;
    the terminal device sending the second key identification information to an application function network element;
    the terminal device obtaining a second application key corresponding to the second key identification information;
    the terminal device deleting a first application key and using the second application key.
  8. The method according to claim 7, wherein, before the terminal device sends the second key identification information to the application function network element, the method comprises:
    the terminal device receiving a first application authentication and key management key update request message sent by the application function network element, the request message being used to request the latest key identification information of the terminal device.
  9. The method according to claim 7, wherein, before the terminal device sends the second key identification information to the application function network element, the method comprises:
    the terminal device receiving the expiry time of the first application key corresponding to the first key identifier sent by the application network element;
    the terminal determining, according to the expiry time of the first application key, that the first application key is about to expire;
    the terminal device sending a first application authentication and key management key update request message to the application function network element, the first application authentication and key management key update request message carrying the second key identification information.
  10. According to claims 8 to 9, the method further comprises:
    the terminal device obtaining the second application key corresponding to the second key identification information.
  11. According to claims 7 to 10, the method further comprises:
    after the terminal device receives the application key update message sent by the application function network element, the terminal device starting to use the second application key corresponding to the second key identification information.
  12. 一种通信设备,其特征在于,包括用于实现上述方法1-11任一所述方法的模块。A communication device, characterized in that it comprises a module for implementing any one of the above methods 1-11.
  13. 一种网络设备,其特征在于,所述网络设备包括:A network device, characterized in that the network device includes:
    存储器,用于存储指令;Memory, used to store instructions;
    处理器,用于调用并执行所述存储器中的指令,使得所述网络设备执行上述权利要求1-6任一所述的方法。The processor is configured to call and execute instructions in the memory, so that the network device executes the method according to any one of claims 1-6.
  14. 一种终端设备,其特征在于,所述终端设备包括:A terminal device, characterized in that, the terminal device includes:
    存储器,用于存储指令;Memory, used to store instructions;
    处理器,用于调用并执行所述存储器中的指令,使得所述终端设备执行上述权利要求7-11任一所述的方法。The processor is configured to call and execute instructions in the memory, so that the terminal device executes the method according to any one of claims 7-11.
  15. 一种计算机程序产品,其特征在于,当所述计算机程序产品在计算机上执行时,将会使所述计算机实现权利要求1-11任一所述的方法。A computer program product, characterized in that, when the computer program product is executed on a computer, it will enable the computer to implement the method according to any one of claims 1-11.
  16. 一种计算机可读程序,其特征在于,当所述计算机可读程序在计算机上执行时,将会使所述计算机实现权利要求1-11任一所述的方法。A computer-readable program, characterized in that, when the computer-readable program is executed on a computer, it will enable the computer to implement the method according to any one of claims 1-11.
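The key update exchange of claims 4-11, as an added Python example that is not part of the patent: the application function sends the first key's expiry, the terminal notices the key is about to expire, sends the second key identifier, and switches keys only after the application function's update message, while the application function installs the second key and drops the first identifier. The names AF_ID, ANCHORS, ApplicationFunction, Terminal and run_update are constructed, and HMAC-SHA256 stands in for the 3GPP key derivation function.

```python
import hmac, hashlib

AF_ID = b"af.example.org"            # constructed AF identifier (AF_ID in AKMA terms)
ANCHORS = {                          # constructed: key identifier -> anchor key, as the AAnF would hold
    b"A-KID-1": b"\x01" * 32,
    b"A-KID-2": b"\x02" * 32,
}

def derive_af_key(key_id: bytes, af_id: bytes) -> bytes:
    """HMAC-SHA256 stands in for the 3GPP KDF that derives K_AF from the anchor key."""
    return hmac.new(ANCHORS[key_id], af_id, hashlib.sha256).digest()

class ApplicationFunction:
    def __init__(self, lifetime: int):
        self.lifetime, self.keys = lifetime, {}   # key_id -> (K_AF, expiry time)
    def install(self, key_id: bytes, now: int) -> int:
        self.keys[key_id] = (derive_af_key(key_id, AF_ID), now + self.lifetime)
        return self.keys[key_id][1]               # expiry sent to the terminal (claims 5, 9)
    def handle_update_request(self, old_id: bytes, new_id: bytes, now: int) -> tuple:
        # Claims 4 and 6: accept the latest identifier, fetch its key, delete the old one.
        if new_id not in ANCHORS:
            return ("REJECT", old_id)             # unknown identifier: keep the current key
        expiry = self.install(new_id, now)
        self.keys.pop(old_id, None)
        return ("UPDATE", new_id, expiry)         # application key update message (claim 11)

class Terminal:
    def __init__(self, key_id: bytes, expiry: int):
        self.key_id, self.expiry = key_id, expiry
        self.key = derive_af_key(key_id, AF_ID)
    def needs_update(self, now: int, margin: int) -> bool:
        return now + margin >= self.expiry        # claim 9: first key is about to expire
    def update(self, af: ApplicationFunction, new_id: bytes, now: int) -> bool:
        # Claims 7 and 11: send the second identifier; switch only after the AF's update message.
        msg = af.handle_update_request(self.key_id, new_id, now)
        if msg[0] != "UPDATE":
            return False                          # keep the first key until the AF confirms
        self.key_id, self.expiry = msg[1], msg[2]
        self.key = derive_af_key(new_id, AF_ID)   # first application key is discarded here
        return True

def run_update(now: int = 1000, lifetime: int = 600, margin: int = 60):
    # Full exchange: AF installs key 1, the terminal sees it nearing expiry and rotates to key 2.
    af = ApplicationFunction(lifetime)
    ue = Terminal(b"A-KID-1", af.install(b"A-KID-1", now))
    later = now + lifetime - 30                   # 30 s before expiry, inside the 60 s margin
    updated = ue.needs_update(later, margin) and ue.update(af, b"A-KID-2", later)
    return updated, ue.key_id, sorted(af.keys), ue.key == af.keys[ue.key_id][0]
```

Both sides keep the first key until the update message arrives, so a rejected or lost request never leaves the terminal and the application function holding different keys.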
PCT/CN2021/073594 2020-01-23 2021-01-25 Communication method, apparatus and system WO2021148027A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010078309.8A CN113163402B (en) 2020-01-23 2020-01-23 Communication method, device and system
CN202010078309.8 2020-01-23

Publications (1)

Publication Number Publication Date
WO2021148027A1 true WO2021148027A1 (en) 2021-07-29

Also Published As

Publication number Publication date
CN113163402B (en) 2022-10-28
CN113163402A (en) 2021-07-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
  Ref document number: 21744422; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
  Ref country code: DE
122 Ep: pct application non-entry in european phase
  Ref document number: 21744422; Country of ref document: EP; Kind code of ref document: A1