WO2021164291A1 - Communication method and apparatus - Google Patents


Info

Publication number
WO2021164291A1
Authority
WO
WIPO (PCT)
Prior art keywords
auts
terminal device
indication information
algorithm
network element
Prior art date
Application number
PCT/CN2020/122866
Other languages
French (fr)
Chinese (zh)
Inventor
赵绪文
张博
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 (under H04L 9/00): including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 (under H04L 9/32): involving a third party or a trusted authority
    • H04L 9/3213 (under H04L 9/321): using tickets or tokens, e.g. Kerberos
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 (under H04L 63/00): for authentication of entities
    • H04L 63/0807 (under H04L 63/08): using tickets, e.g. Kerberos
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 (under H04L 67/00): Network services
    • H04L 67/60 (under H04L 67/50): Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Definitions

  • This application relates to the field of wireless communication technology, and in particular to a communication method and device.
  • After receiving the authentication request message from the access and mobility management function (AMF), the terminal device verifies the sequence number (SQN) carried in the authentication request message. If the SQN is not within the correct value range, the terminal device further calculates the resynchronization authentication token (authentication token for synchronisation, AUTS) and sends the AUTS to unified data management (UDM). After the UDM receives the AUTS, it verifies the AUTS and executes the resynchronization procedure once the verification passes.
  • SQN sequence number
  • AUTS authentication token for synchronisation
  • UDM unified data management
  • the embodiments of the present application provide a communication method and device for identifying the AUTS algorithm adopted by the terminal device, so that the correct AUTS algorithm is used to verify the AUTS and the authentication efficiency of the terminal device is improved.
  • an embodiment of the present application provides a communication method that can be executed by a unified data management network element UDM.
  • the method includes: the unified data management network element receives an authentication service request, and the authentication service request includes a resynchronization authentication token AUTS; the unified data management network element obtains the indication information corresponding to the terminal device, and the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the unified data management network element verifies the AUTS according to the first AUTS algorithm.
  • the unified data management network element can identify, according to the indication information corresponding to the terminal device, the AUTS algorithm used by the terminal device to calculate the AUTS, and then verify the AUTS calculated by the terminal device using the same AUTS algorithm as the terminal device. In this way, the resynchronization failure caused by a mismatch between the AUTS algorithm used by the unified data management network element and that used by the terminal device is effectively avoided, so that the resynchronization procedure and the subsequent authentication procedure of the terminal device can proceed normally.
  • the unified data management network element obtaining the indication information corresponding to the terminal device may include: the unified data management network element obtains the indication information from its local configuration, or obtains the indication information from the unified data storage network element.
  • the indication information corresponding to the terminal device may be pre-configured locally in the unified data management network element, or may be configured in the unified data storage network element. In this way, the applicability of the technical solutions in the embodiments of the present application can be enhanced.
  • the indication information corresponding to the terminal device may be included in the subscription data of the terminal device, and the subscription data of the terminal device may be stored in the unified data management network element or in the unified data storage network element.
  • the unified data management network element determining the first AUTS algorithm according to the indication information corresponding to the terminal device may include: the unified data management network element determines the first AUTS algorithm according to the identifier of the terminal device in the authentication service request and the indication information corresponding to the terminal device.
  • the embodiments of the present application provide a communication method that can be executed by a unified data storage network element UDR.
  • the method includes: the unified data storage network element receives a service invocation request from the unified data management network element, where the service invocation request is used to request the indication information corresponding to the terminal device, and the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the unified data storage network element sends a service response message to the unified data management network element, where the service response message includes the indication information corresponding to the terminal device.
  • the indication information corresponding to the terminal device may be pre-configured in the unified data storage network element.
  • the unified data storage network element may send the indication information corresponding to the terminal device to the unified data management network element according to the service invocation request sent by the unified data management network element, so that the unified data management network element can verify the AUTS according to the AUTS algorithm indicated by the indication information and the resynchronization procedure can proceed normally.
  • the embodiments of the present application provide another communication method, which can be executed by the unified data management network element UDM, and the method includes: the unified data management network element receives an authentication service request, and the authentication service request includes an encrypted resynchronization authentication token AUTS*; the unified data management network element decrypts the AUTS* to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the unified data management network element verifies the AUTS according to the first AUTS algorithm.
  • the unified data management network element can decrypt the received encrypted resynchronization authentication token AUTS* to obtain the indication information corresponding to the terminal device and the AUTS generated by the terminal device. In this way, the unified data management network element can determine the AUTS algorithm used by the terminal device according to the indication information corresponding to the terminal device, and then verify the AUTS sent by the terminal device using the same AUTS algorithm as the terminal device, thereby avoiding the resynchronization failure caused by a mismatch between the AUTS algorithm used by the unified data management network element and that used by the terminal device, so that the resynchronization procedure and the subsequent authentication procedure of the terminal device can proceed normally, and at the same time the security of the authentication procedure can be improved.
  • the unified data management network element determining the first AUTS algorithm according to the indication information corresponding to the terminal device may include: the unified data management network element determines the first AUTS algorithm according to the identifier of the terminal device in the authentication service request and the indication information corresponding to the terminal device.
  • the embodiments of the present application provide another communication method, which can be executed by a terminal device, and the method includes: the terminal device calculates a resynchronization authentication token AUTS, and encrypts the AUTS together with the indication information corresponding to the terminal device to obtain an encrypted resynchronization authentication token AUTS*, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the terminal device sends the AUTS* to the access management network element.
  • the terminal device may encrypt and protect the corresponding indication information together with the generated AUTS, and send the result to the unified data management network element.
  • the unified data management network element can determine the AUTS algorithm used by the terminal device according to the indication information sent by the terminal device, and verify the AUTS sent by the terminal device using the same AUTS algorithm as the terminal device, thereby avoiding the resynchronization failure caused by a mismatch between the AUTS algorithm used by the unified data management network element and that used by the terminal device, so that the resynchronization procedure and the subsequent authentication procedure of the terminal device can proceed normally, and at the same time the security of the authentication procedure can be improved.
  • the method further includes: the terminal device generates the indication information corresponding to the terminal device according to the first AUTS algorithm used to calculate the AUTS.
  • the embodiments of the present application provide another communication method, which can be executed by the unified data management network element UDM, and the method includes: the unified data management network element receives an authentication service request, and the authentication service request includes a resynchronization authentication token AUTS; the unified data management network element obtains the indication information corresponding to the terminal device from the AUTS, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the unified data management network element verifies the AUTS according to the first AUTS algorithm.
  • the indication information corresponding to the terminal device can also be carried directly in the AUTS and integrity protected.
  • the unified data management network element can obtain the indication information corresponding to the terminal device directly from the received AUTS, determine the AUTS algorithm used by the terminal device according to the indication information sent by the terminal device, and verify the AUTS sent by the terminal device using the same AUTS algorithm as the terminal device, so as to avoid the resynchronization failure caused by a mismatch between the AUTS algorithm used by the unified data management network element and that used by the terminal device, so that the resynchronization procedure and the subsequent authentication procedure of the terminal device can proceed normally, and at the same time improve the security of the authentication procedure.
  • the unified data management network element verifying the AUTS according to the first AUTS algorithm may include: the unified data management network element obtains the mobile terminal sequence number SQN_MS from the AUTS according to the first AUTS algorithm and calculates a MAC based on the SQN_MS; if the calculated MAC is consistent with the MAC-S obtained from the AUTS, the unified data management network element can determine that the AUTS verification is successful.
  • the embodiments of the present application provide another communication method, which can be executed by a terminal device, and the method includes: the terminal device calculates the resynchronization authentication token AUTS according to the indication information corresponding to the terminal device, where the indication information is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the terminal device sends the AUTS to the access management network element.
  • the terminal device may carry the corresponding indication information when calculating the AUTS, and then send the integrity-protected AUTS to the unified data management network element.
  • the unified data management network element can obtain the indication information corresponding to the terminal device from the received AUTS, then determine the AUTS algorithm used by the terminal device according to the indication information sent by the terminal device, and verify the AUTS sent by the terminal device using the same AUTS algorithm as the terminal device, so as to avoid the resynchronization failure caused by a mismatch between the AUTS algorithm used by the unified data management network element and that used by the terminal device, so that the resynchronization procedure and the subsequent authentication procedure of the terminal device can proceed normally, and at the same time improve the security of the authentication procedure.
  • the AUTS includes indication information corresponding to the terminal device and/or MAC-S calculated according to the indication information.
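As an added illustration of the verification described above (this is example code written for this page, not code from the patent), the following Python models a UDM that looks up the indication information for a subscriber and then checks the AUTS under that algorithm: it recovers SQN_MS, recomputes the MAC and compares it with the MAC-S carried in the AUTS, and it shows that checking under the wrong algorithm fails. The two algorithm variants, the indication values, the subscription records, the RAND and the HMAC-based stand-ins for f1*/f5* are all constructed assumptions for this example and are not the patent's FIG. 4a/4b algorithms or Milenage; only the AUTS layout (6-byte concealed SQN_MS followed by 8-byte MAC-S) and the all-zero AMF* follow 3GPP TS 33.102.

```python
"""Constructed model of AKA resynchronisation-token (AUTS) verification at the UDM,
dispatching on the per-subscriber indication of which AUTS algorithm the UE used."""
import hashlib
import hmac

SQN_LEN, MAC_S_LEN = 6, 8           # TS 33.102 sizes: SQN is 48 bits, MAC-S is 64 bits
AUTS_LEN = SQN_LEN + MAC_S_LEN      # AUTS = Conc(SQN_MS) || MAC-S = 14 bytes
AMF_STAR = b"\x00\x00"              # resynchronisation uses the all-zero dummy AMF*

# Indication values are constructed for this example, not the patent's encoding.
ALG_CONCEALED = 0x01   # Conc(SQN_MS) = SQN_MS XOR f5*(K, RAND); MAC-S over SQN_MS||AMF*||RAND
ALG_PLAIN_IND = 0x02   # SQN_MS sent in clear; MAC-S additionally covers the indication byte

# Constructed subscription data: what the UDM holds locally or fetches from the UDR,
# keyed by a constructed subscriber identifier (the "identifier of the terminal device").
SUBSCRIPTIONS = {
    "imsi-001010000000001": {"k": bytes(range(16)), "auts_alg": ALG_CONCEALED},
    "imsi-001010000000002": {"k": bytes(range(16, 32)), "auts_alg": ALG_PLAIN_IND},
}
SAMPLE_RAND = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")  # constructed RAND


def f1_star(k: bytes, data: bytes) -> bytes:
    """Stand-in for the resynchronisation MAC function f1* (HMAC-SHA256, NOT Milenage)."""
    return hmac.new(k, b"f1*" + data, hashlib.sha256).digest()[:MAC_S_LEN]


def f5_star(k: bytes, rand: bytes) -> bytes:
    """Stand-in for the resynchronisation anonymity key function f5* (NOT Milenage)."""
    return hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()[:SQN_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ue_compute_auts(k: bytes, rand: bytes, sqn_ms: bytes, indication: int) -> bytes:
    """UE/USIM side: build AUTS under the indicated algorithm."""
    if len(sqn_ms) != SQN_LEN:
        raise ValueError("SQN_MS must be 6 bytes")
    if indication == ALG_CONCEALED:
        mac_s = f1_star(k, sqn_ms + AMF_STAR + rand)
        conc = xor(sqn_ms, f5_star(k, rand))
    elif indication == ALG_PLAIN_IND:
        # Indication byte is folded into MAC-S, so it is integrity protected by the token.
        mac_s = f1_star(k, sqn_ms + AMF_STAR + rand + bytes([indication]))
        conc = sqn_ms
    else:
        raise ValueError("unknown AUTS algorithm indication")
    return conc + mac_s


def udm_verify_auts(k: bytes, rand: bytes, auts: bytes, indication: int):
    """UDM side: recover SQN_MS and recompute MAC-S under the indicated algorithm.

    Returns SQN_MS on success, None on any failure (bad length, unknown
    algorithm, or MAC mismatch). A mismatch is exactly what happens when the UDM
    assumes a different AUTS algorithm from the one the UE used."""
    if len(auts) != AUTS_LEN:
        return None
    conc, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    if indication == ALG_CONCEALED:
        sqn_ms = xor(conc, f5_star(k, rand))
        expected = f1_star(k, sqn_ms + AMF_STAR + rand)
    elif indication == ALG_PLAIN_IND:
        sqn_ms = conc
        expected = f1_star(k, sqn_ms + AMF_STAR + rand + bytes([indication]))
    else:
        return None
    if not hmac.compare_digest(expected, mac_s):   # constant-time comparison
        return None
    return sqn_ms


def udm_handle_resync(supi: str, rand: bytes, auts: bytes):
    """Look up the subscriber's indication information, then verify with that algorithm."""
    sub = SUBSCRIPTIONS.get(supi)
    if sub is None:
        return None
    return udm_verify_auts(sub["k"], rand, auts, sub["auts_alg"])


if __name__ == "__main__":
    sqn = bytes.fromhex("0000000000a3")   # constructed SQN_MS
    for supi, sub in SUBSCRIPTIONS.items():
        auts = ue_compute_auts(sub["k"], SAMPLE_RAND, sqn, sub["auts_alg"])
        print(supi, "verified SQN_MS:", udm_handle_resync(supi, SAMPLE_RAND, auts))
    k2 = SUBSCRIPTIONS["imsi-001010000000002"]["k"]
    wrong = udm_verify_auts(k2, SAMPLE_RAND,
                            ue_compute_auts(k2, SAMPLE_RAND, sqn, ALG_PLAIN_IND),
                            ALG_CONCEALED)
    print("verification under the wrong algorithm:", wrong)
```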
  • the embodiments of the present application provide another communication method, which can be executed by a terminal device, and the method includes: the terminal device receives a resynchronization authentication token AUTS and configuration information of a universal subscriber identity module (USIM) card from the USIM card; the terminal device determines indication information according to the configuration information of the USIM card, where the indication information is used to indicate the first AUTS algorithm used by the USIM card to calculate the AUTS; the terminal device encrypts the AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS*; the terminal device sends the AUTS* to the access management network element.
  • the terminal device can determine the AUTS algorithm used by the USIM card according to the configuration information of the USIM card, then encrypt the indication information indicating the AUTS algorithm used by the USIM card together with the AUTS calculated by the USIM card, and send the result to the unified data management network element.
  • the resynchronization procedure can be performed normally, and at the same time the problem that the USIM card may be unable to generate the indication information or perform the encryption processing because of its limitations or incompatibility is avoided, thereby enhancing the applicability of the method.
  • the configuration information includes one or more of the following: the AUTS algorithm supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and the version information of the USIM card.
  • the embodiments of the present application provide another communication method, which can be executed by a USIM card, and the USIM card can be installed in a terminal device.
  • the method includes: the universal subscriber identity module USIM card calculates the resynchronization authentication token AUTS, and the USIM card sends the calculated AUTS and the configuration information of the USIM card to the terminal device.
  • since the USIM card can send the calculated AUTS and the configuration information of the USIM card to the terminal device, the terminal device itself generates the indication information indicating the AUTS algorithm according to the configuration information of the USIM card, encrypts the indication information together with the AUTS calculated by the USIM card, and then sends the result to the unified data management network element. In this way, the resynchronization procedure can be carried out normally, and at the same time the problem that the USIM card may be unable to generate the indication information or perform the encryption processing because of its limitations or incompatibility is avoided, thereby enhancing the applicability of the method.
  • the configuration information includes one or more of the following: the AUTS algorithm supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and the version information of the USIM card.
  • an embodiment of the present application provides a communication device, which has the function of implementing the unified data management network element in the first aspect or any possible design of the first aspect, or may also have the function of implementing the unified data management network element in the third aspect or any possible design of the third aspect, or may also have the function of implementing the unified data management network element in the fifth aspect or any possible design of the fifth aspect, or may also have the function of implementing the unified data storage network element in the second aspect or any possible design of the second aspect described above.
  • the device may be a network device, or a device included in the network device, such as a chip.
  • the device may also have the function of realizing the terminal device in any possible design of the foregoing fourth aspect or the fourth aspect, or have the function of realizing the terminal device in any possible design of the foregoing sixth aspect or the sixth aspect, or have the function of the terminal device in any possible design of the seventh aspect or the seventh aspect described above.
  • the device can be a terminal device, such as a handheld terminal device, a vehicle-mounted terminal device, a vehicle user device, a roadside unit, etc., a device included in a terminal device, such as a chip, or a device containing a terminal device, such as a vehicle.
  • the device may also have the function of realizing the USIM card in the eighth aspect or any one of the possible designs of the eighth aspect.
  • the USIM card may be a device included in a terminal device, such as a chip.
  • the functions of the above-mentioned communication device may be realized by hardware, or may be realized by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a processing module and a transceiver module, wherein the processing module is configured to support the device in performing the corresponding function of the unified data management network element in the first aspect or any design of the first aspect, or performing the corresponding function of the unified data storage network element in the second aspect or any design of the second aspect, or performing the corresponding function of the unified data management network element in the third aspect or any design of the third aspect, or performing the corresponding function of the terminal device in the fourth aspect or any design of the fourth aspect, or performing the corresponding function of the unified data management network element in the fifth aspect or any design of the fifth aspect.
  • the transceiver module is used to support communication between the device and other communication devices. For example, when the device is a unified data management network element, it obtains the indication information corresponding to the terminal device from the unified data storage network element.
  • the communication device may also include a storage module, which is coupled with the processing module, which stores program instructions and data necessary for the device.
  • the processing module may be a processor, the communication module may be a transceiver, and the storage module may be a memory.
  • the memory may be integrated with the processor or may be provided separately from the processor, which is not limited in this application.
  • the structure of the device includes a processor and may also include a memory.
  • the processor is coupled with the memory, and can be used to execute the computer program instructions stored in the memory, so that the device executes the above-mentioned first aspect or any one of the possible design methods of the first aspect, or executes the above-mentioned second aspect or the second aspect.
  • the device further includes a communication interface, and the processor is coupled with the communication interface.
  • the communication interface may be a transceiver or an input/output interface; when the device is a chip included in the network device or terminal device, the communication interface may be an input/output interface of the chip.
  • the transceiver may be a transceiver circuit, and the input/output interface may be an input/output circuit.
  • an embodiment of the present application provides a chip system, including: a processor, where the processor is coupled with a memory, and the memory is used to store a program or an instruction; when the program or instruction is executed by the processor, the chip system is enabled to implement the method in the first aspect or any possible design of the first aspect, or the method in the second aspect or any possible design of the second aspect, or the method in the third aspect or any possible design of the third aspect, or the method in the fourth aspect or any possible design of the fourth aspect, or the method in the fifth aspect or any possible design of the fifth aspect, or the method in the sixth aspect or any possible design of the sixth aspect, or the method in the seventh aspect or any possible design of the seventh aspect, or the method in the eighth aspect or any possible design of the eighth aspect.
  • the chip system further includes an interface circuit, which is used to exchange code instructions to the processor.
  • there may be one or more processors in the chip system, and the processors may be implemented by hardware or software.
  • the processor may be a logic circuit, an integrated circuit, or the like.
  • the processor may be a general-purpose processor, which is implemented by reading software codes stored in the memory.
  • the memory may be integrated with the processor, or may be provided separately from the processor, which is not limited in this application.
  • the memory may be a non-transitory memory, such as a read-only memory ROM, which may be integrated with the processor on the same chip, or may be set on different chips.
  • the setting method of the processor is not specifically limited.
  • an embodiment of the present application provides a computer-readable storage medium on which a computer program or instruction is stored.
  • when the computer program or instruction is executed by a computer, the computer executes the method in the first aspect or any possible design of the first aspect, or the method in the second aspect or any possible design of the second aspect, or the method in the third aspect or any possible design of the third aspect, or the method in the fourth aspect or any possible design of the fourth aspect, or the method in the fifth aspect or any possible design of the fifth aspect, or the method in the sixth aspect or any possible design of the sixth aspect, or the method in the seventh aspect or any possible design of the seventh aspect, or the method in the eighth aspect or any possible design of the eighth aspect.
  • the embodiments of the present application provide a computer program product.
  • the computer reads and executes the computer program product, the computer executes the first aspect or any one of the possible design methods in the first aspect.
  • an embodiment of the present application provides a communication system, which includes a unified data management network element and terminal equipment.
  • a USIM card is provided in the terminal device.
  • the communication system may also include one or more of an access network device, an access management network element, an authentication service function network element, and a unified data storage network element.
  • FIG. 1 is a schematic diagram of a network architecture of a communication system to which an embodiment of this application is applicable;
  • FIG. 2 is a schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 3 is a schematic diagram of verifying AUTN provided by an embodiment of the application.
  • FIG. 4a and FIG. 4b are schematic diagrams of the AUTS algorithm provided by an embodiment of this application.
  • FIG. 5 is a specific example of the communication method provided by the embodiment of this application.
  • FIG. 6 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 7 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 9 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 10 is another specific example of the communication method provided by the embodiment of this application.
  • FIG. 11 is a schematic structural diagram of a communication device provided by an embodiment of this application.
  • FIG. 12 is another schematic structural diagram of a communication device provided by an embodiment of this application.
  • FIG. 13 is a schematic structural diagram of another communication device provided by an embodiment of this application.
  • FIG. 14 is a schematic diagram of another structure of another communication device provided by an embodiment of this application.
  • GSM global system for mobile communications
  • CDMA code division multiple access
  • WCDMA broadband code division multiple access
  • GPRS general packet radio service
  • LTE long term evolution
  • LTE FDD frequency division duplex
  • LTE TDD time division duplex
  • UMTS universal mobile telecommunication system
  • WIMAX worldwide interoperability for microwave access
  • 5G fifth generation
  • NR new radio
  • FIG. 1 is a schematic diagram of a network architecture of a communication system to which an embodiment of this application is applicable.
  • the network architecture includes a terminal device, an access network device, an access management network element, a session management network element, a user plane network element, a policy control network element, a network slice selection network element, a network warehouse function network element, a network data analysis network element, a unified data management network element, a unified data storage network element, an authentication service function network element, a network capability opening network element, an application function network element, and the data network (DN) connected to the operator's network.
  • the terminal device can send service data to and receive service data from the data network through the access network device and the user plane network element.
  • the terminal device is a device with a wireless transceiver function, which can be deployed on land (indoors or outdoors, handheld, wearable or vehicle-mounted), on water (for example, on ships), or in the air (for example, on airplanes, balloons or satellites).
  • the terminal device can communicate with the core network via a radio access network (RAN), and exchange voice and/or data with the RAN.
  • the terminal device can be a mobile phone (mobile phone).
  • Access network equipment is a device used to connect terminal equipment to the wireless network in the network.
  • the access network device may be a node in a radio access network, may also be called a base station, or may be called a radio access network (RAN) node (or device).
  • RAN radio access network
  • the network equipment may include an evolved base station (evolutional Node B, eNB or e-NodeB) in a long term evolution (LTE) system or an evolved LTE system (LTE-Advanced, LTE-A), such as the traditional macro base station eNB and the micro base station eNB in a heterogeneous network scenario; it may also include the next generation node B (gNB) in the new radio (NR) system of the fifth generation mobile communication technology (5G), or may also include a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a transmission reception point (TRP), a home base station (for example, a home evolved NodeB or home Node B, HNB), a baseband unit (BBU), a baseband pool (BBU pool), or a WiFi access point (AP), etc., or may also include a centralized unit (CU) and a distributed unit (DU).
  • the CU supports radio resource control (RRC), packet data convergence protocol (PDCP), service data adaptation protocol (SDAP) and other protocols; the DU mainly supports radio link control (RLC), media access control (MAC) and physical layer protocols.
  • RRC radio resource control
  • PDCP packet data convergence protocol
  • SDAP service data adaptation protocol
  • RLC radio link control
  • MAC media access control
  • the access management network element is mainly used for terminal attachment, mobility management, and tracking area update procedures in the mobile network.
  • the access management network element terminates non-access stratum (NAS) messages, completes registration management, connection management and reachability management, allocation of the tracking area list (TA list), mobility management, etc., and transparently routes session management (SM) messages to the session management network element.
  • NAS non-access stratum
  • the access management network element can be the access and mobility management function (AMF).
  • AMF access and mobility management function
  • in future communication systems such as 6G communication systems, the mobility management network element may still be an AMF network element, or may also have other names, which is not limited in this application.
  • the session management network element is mainly used for session management in the mobile network, such as session establishment, modification, and release. Specific functions include assigning Internet Protocol (IP) addresses to terminals and selecting user plane network elements that provide message forwarding functions.
  • IP Internet Protocol
  • the session management network element can be a session management function (session management function, SMF).
  • SMF session management function
  • the session management network element can still be an SMF network element, or it can have other names, which is not limited in this application.
  • User plane network elements are mainly used to process user messages, such as forwarding, charging, and lawful monitoring.
  • the user plane network element may also be referred to as a protocol data unit (PDU) session anchor (PSA).
  • PDU protocol data unit
  • PSA PDU session anchor
  • the user plane network element can be a user plane function (UPF).
  • UPF user plane function
  • the user plane network element can still be a UPF network element, or it can have other names, which is not limited in this application.
  • Policy control network elements include user subscription data management functions, policy control functions, charging policy control functions, quality of service (QoS) control, etc.
  • the policy control network element can be a policy control function (PCF).
  • PCF policy control function
  • the policy control network element can still be a PCF network element, or it can have other names, which is not limited in this application.
  • the authentication service function network element is mainly used for security authentication of terminal equipment.
  • the authentication service function network element may be an authentication server function (authentication server function, AUSF).
  • the authentication service function network element may still be an AUSF network element, or it may have other names, which is not limited in this application.
  • the unified data storage network element is mainly used to store structured data information, including subscription information, policy information, and network data or business data defined in a standard format.
  • the unified data storage network element can be a unified data repository (UDR).
  • UDR unified data repository
  • in future communication systems such as 6G communication systems, the unified data storage network element can still be a UDR network element, or it can have other names, which is not limited in this application.
  • the network slice selection function network element is mainly used to select a suitable network slice for the service of the terminal device.
  • the network slice selection network element can be a network slice selection function (NSSF) network element.
  • the network slice selection network element can still be an NSSF network element, or may also have other names, which is not limited in this application.
  • the network element of the network warehouse function is mainly used to provide the registration and discovery functions of the network element or the service provided by the network element.
  • the network warehouse function network element can be a network repository function (NRF).
  • NRF network repository function
  • the network warehouse function network element can still be an NRF network element, or it can have other names, which is not limited in this application.
  • the network capability opening network element can expose part of the network functions to the application in a controlled manner.
  • the network capability opening network element may be a network exposure function (NEF).
  • NEF network exposure function
  • the network capability opening network element may still be an NEF network element, or it may have other names, which is not limited in this application.
  • the application function network element can provide service data of various applications to the control plane network element of the communication network of the operator, or obtain network data information and control information from the control plane network element of the communication network.
  • the application function network element may be an application function (AF).
  • AF application function
  • the application function network element may still be an AF network element, or may also have other names, which is not limited in this application.
  • Data network is mainly used to provide data transmission services for terminal equipment.
  • the data network can be a private network, such as a local area network, or a public data network (PDN) network, such as the Internet (Internet), or a private network jointly deployed by operators, such as a configured IP multimedia network.
  • PDN public data network
  • IMS IP multimedia core network subsystem
  • network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • the unified data management network element is the UDM network element
  • the authentication service function network element is the AUSF network element
  • the access management network element is the AMF network element.
  • ordinal numbers such as “first” and “second” mentioned in the embodiments of this application are used to distinguish multiple objects, and are not used to limit the order, timing, priority, or importance of multiple objects.
  • the descriptions of “first” and “second” do not limit the objects to be different.
  • FIG. 2 is a schematic flowchart of a communication method provided by an embodiment of this application. The method specifically includes the following steps:
  • Step S201 UDM receives an authentication service request
  • the authentication service request includes a resynchronization authentication token AUTS, and the AUTS indicates that the terminal device has determined that the serial number SQN in the authentication token (AUTN) is not within the correct range.
  • UDM may also receive authentication service requests from other network functions NF, which is not limited in this application.
  • the embodiments of the present application can be applied to the authentication process of the terminal device.
  • that the terminal device determines that the serial number SQN in the authentication token AUTN is not within the correct range may mean that the terminal device determines that the serial number SQN in the authentication token AUTN is less than or equal to the serial number SQN MS stored in the terminal device.
  • the terminal device may receive an authentication request message from AMF.
  • the authentication request message includes a random number RAND and an authentication token AUTN.
  • the authentication token AUTN specifically includes a serial number SQN, an anonymity key (AK), an authentication management field (AMF), a message authentication code (MAC) and other parameters.
  • the terminal device can verify the authentication token AUTN included in the authentication request message. If the terminal device finds that the serial number SQN in the authentication token AUTN is not within the correct range, the terminal device can generate a resynchronization authentication token AUTS and send an authentication failure message to the AMF.
  • the authentication failure message carries the calculated resynchronization authentication token AUTS, which indicates that the terminal device has determined that the serial number SQN in the authentication token AUTN is not within the correct range. Subsequently, after the AMF receives the authentication failure message from the terminal device, it can send an authentication service request to the UDM or the AUSF.
  • the authentication service request includes the resynchronization authentication token AUTS calculated by the terminal device.
  • the USIM card can further verify the serial number SQN in the authentication token AUTN.
  • the USIM card can compare the serial number SQN in the authentication token AUTN with the serial number SQN MS stored in the USIM card.
  • the USIM card can calculate AUTS, and the terminal device can then send an authentication failure message to the AMF. The authentication failure message indicates that the specific failure reason is synchronization failure (synch failure) and also includes the resynchronization authentication token AUTS calculated by the USIM card after the SQN verification fails; the AUTS indicates that the USIM card has determined that the serial number SQN in the AUTN is not within the correct range.
  • the authentication failure message may also include a random number RAND.
  • the terminal device can use multiple possible AUTS algorithms to calculate AUTS.
  • FIG. 4a is a schematic diagram of an AUTS algorithm provided in this embodiment of the application.
  • AUTS satisfies the following relationship (Formula 1):
  • AUTS = (SQN MS ⊕ AK) || MAC-S, that is, SQN MS is XORed with AK and MAC-S is concatenated to the result.
  • SQN MS is the serial number of the terminal device, or equivalently the highest serial number accepted by the USIM card.
  • ⊕ (xor) denotes exclusive OR.
  • AK is the anonymity key, AK = f5*(RAND, K), where f5*() is a function whose parameters are RAND and K.
  • RAND is a random number and K is the root key.
  • || denotes concatenation.
  • MAC-S is the message authentication code calculated by the USIM card, used to realize the encryption and integrity protection of SQN MS: MAC-S = f1*(SQN MS, K, RAND, AMF), where f1*() is another function.
  • AMF is the authentication management field.
  • Fig. 4b is a schematic diagram of another AUTS algorithm provided by an embodiment of this application.
  • AUTS also satisfies the relationship in Formula 1:
  • Step S202 The UDM obtains indication information corresponding to the terminal device, where the indication information corresponding to the terminal device indicates the first AUTS algorithm used by the terminal device to calculate the AUTS.
  • the indication information may be associated with the identification of the terminal device, the identification of the USIM card or the user identification (such as a subscription permanent identifier (SUPI), an international mobile subscriber identity (IMSI) or a generic public subscription identifier (GPSI)), and directly or indirectly indicates the first AUTS algorithm used by the terminal device (or USIM card) to calculate the resynchronization authentication token AUTS.
  • the indication information may be the identification of the first AUTS algorithm used by the terminal device (or USIM card) to calculate AUTS, or the indication information may include the identification of the first AUTS algorithm used by the terminal device (or USIM card) to calculate AUTS.
  • the indication information can also be used to indicate whether the terminal device (or USIM card) supports the new AUTS algorithm, or whether the USIM card is a new card, or the indication information may also be information such as the type, batch or release of the USIM card.
  • the first AUTS algorithm may be one of the two AUTS algorithms described above, or may be another AUTS algorithm, which is not limited in this application.
  • the indication information corresponding to the terminal device may be included in the subscription data of the terminal device, and the subscription data may also be referred to as user subscription data. That is to say, the user subscription data of the terminal device is stored in the UDM, and the operator can set the above-mentioned indication information in the user subscription data of the terminal device in advance, thereby directly or indirectly indicating the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS.
  • a user-granular subscription feature list can also be maintained in the UDM, which indicates which features the terminal device (or USIM card) supports or does not support, for example, whether it supports the new AUTS algorithm, or the type, batch or version information of the USIM card, etc.
  • the UDM may also determine the first AUTS algorithm used by the terminal device (or USIM card) when calculating AUTS according to the features supported by the terminal device listed in the subscription feature list corresponding to the terminal device. That is, the subscription feature list corresponding to the terminal device can also be understood as a specific implementation manner of the foregoing indication information.
  • the indication information corresponding to the terminal device may also be configured in the UDR. After the UDM receives the authentication service request, the indication information corresponding to the terminal device may be obtained from the UDR.
  • the user subscription data of the terminal device may be stored in the UDR, and the operator may set the above-mentioned indication information in the user subscription data of the terminal device in advance.
  • the UDM receives the authentication service request, it can send a service invocation request to the UDR according to the terminal device's identity or the USIM card's identity or the user's identity.
  • the service invocation request is used to request user subscription data of the terminal device.
  • the service invocation request may include the identification of the terminal device or the identification of the USIM card or the user identification.
  • the service invocation request may also be called a service request, a service request message or a service invocation request message, etc., which is not limited in this application.
  • the UDR may receive the service invocation request and send a service response to the UDM, where the service response is in response to the service invocation request sent by the UDM and includes the indication information corresponding to the terminal device; the indication information may be included in the user subscription data of the terminal device carried in the service response, or in other information elements or newly added information elements of the service response message, which is not limited by this application.
  • the service response may also include a list of subscription characteristics corresponding to the terminal device.
  • the indication information corresponding to the terminal device may also be independently configured in the UDR and not included in the user subscription data of the terminal device.
  • the service invocation request sent by the UDM to the UDR can be used to request the indication information corresponding to the terminal device.
  • the service response returned by the UDR to the UDM may include the indication information corresponding to the terminal device, excluding the user subscription data of the terminal device.
  • the service response may also include a list of subscription characteristics corresponding to the terminal device.
  • Step S203 The UDM checks the AUTS according to the first AUTS algorithm.
  • the UDM may determine the first AUTS algorithm according to the identification of the terminal device included in the authentication service request and the indication information corresponding to the terminal device obtained in step S202.
  • the UDM using the first AUTS algorithm to verify the AUTS may include: using the first AUTS algorithm to obtain the mobile terminal serial number SQN MS from the AUTS, and then calculating the MAC; if the calculated MAC is consistent with the MAC-S included in the AUTS, the AUTS verification is successful.
  • UDM can resynchronize the SQN stored on the network side, and then use the resynchronized SQN to re-initiate the authentication process for the terminal device.
  • the UDM can identify the AUTS algorithm used by the terminal device (or USIM card) when calculating AUTS, and use an AUTS algorithm consistent with that of the terminal device (or USIM card) to verify the AUTS calculated by the terminal device, so as to avoid the resynchronization failure caused by an inconsistency between the AUTS algorithm adopted by the UDM and the one adopted by the terminal device, so that the resynchronization process and the subsequent terminal device authentication process can proceed normally.
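As an added illustration of steps S201 to S203 (and of the terminal-side AUTN check that step S601 repeats), not code from the patent: a Python model in which the USIM detects an out-of-range SQN and computes AUTS, and the UDM selects the AUTS algorithm from the indication information in the subscription data before checking it and resynchronizing its SQN. The f1/f1*/f5/f5* functions are constructed HMAC stand-ins (not MILENAGE or TUAK), the "new" algorithm variant, the `Subscription.auts_alg` field and all keys, identifiers and sequence numbers are assumed values.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

AMF = b"\x80\x00"  # constructed AMF value used on both sides of the example
# Constructed stand-ins for the 3GPP f1/f1*/f5/f5* functions (truncated HMAC-SHA256, not
# MILENAGE or TUAK). "alg" labels the legacy vs. new AUTS algorithm; "new" is hypothetical.
def _prf(k: bytes, label: str, *parts: bytes, n: int) -> bytes:
    return hmac.new(k, label.encode() + b"".join(parts), hashlib.sha256).digest()[:n]

def f5(k: bytes, rand: bytes) -> bytes:                           # AK for AUTN, 48 bits
    return _prf(k, "f5", rand, n=6)
def f1(k: bytes, sqn: bytes, rand: bytes, amf: bytes) -> bytes:   # MAC for AUTN, 64 bits
    return _prf(k, "f1", sqn, rand, amf, n=8)
def f5_star(alg: str, k: bytes, rand: bytes) -> bytes:            # AK = f5*(RAND, K)
    return _prf(k, "f5*-" + alg, rand, n=6)
def f1_star(alg: str, k: bytes, sqn_ms: bytes, rand: bytes, amf: bytes) -> bytes:
    return _prf(k, "f1*-" + alg, sqn_ms, rand, amf, n=8)         # MAC-S = f1*(SQN MS, K, RAND, AMF)
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def verify_auts(alg: str, k: bytes, auts: bytes, rand: bytes, amf: bytes) -> bytes | None:
    """UDM side of step S203: recover SQN MS with the given algorithm, recompute MAC-S and
    compare in constant time. Returns SQN MS (6 bytes) on success, None on failure."""
    if len(auts) != 14:
        return None
    sqn_ms = xor(auts[:6], f5_star(alg, k, rand))
    xmac_s = f1_star(alg, k, sqn_ms, rand, amf)
    return sqn_ms if hmac.compare_digest(xmac_s, auts[6:]) else None

@dataclass
class Usim:
    k: bytes
    sqn_ms: int    # highest serial number accepted by the card so far
    auts_alg: str  # AUTS algorithm the card actually implements

    def compute_auts(self, rand: bytes, amf: bytes) -> bytes:
        """Formula 1 (FIG. 4a): AUTS = (SQN MS xor AK) || MAC-S."""
        sqn_ms = self.sqn_ms.to_bytes(6, "big")
        ak = f5_star(self.auts_alg, self.k, rand)
        return xor(sqn_ms, ak) + f1_star(self.auts_alg, self.k, sqn_ms, rand, amf)

    def verify_autn(self, rand: bytes, autn: bytes) -> tuple[str, bytes | None]:
        """Steps S503/S601: MAC check first, then the SQN range check; on a stale SQN the
        card returns ("synch_failure", AUTS) for the authentication failure message."""
        if len(autn) != 16:
            return "mac_failure", None
        conc, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(conc, f5(self.k, rand))
        if not hmac.compare_digest(f1(self.k, sqn, rand, amf), mac):
            return "mac_failure", None
        if int.from_bytes(sqn, "big") <= self.sqn_ms:  # SQN not within the correct range
            return "synch_failure", self.compute_auts(rand, amf)
        self.sqn_ms = int.from_bytes(sqn, "big")
        return "ok", None

@dataclass
class Subscription:
    k: bytes
    sqn_he: int                  # serial number stored on the network side
    auts_alg: str | None = None  # indication information in the subscription data (step S202)

@dataclass
class Udm:
    subs: dict[str, Subscription]
    default_alg: str = "legacy"  # assumed when no indication information is configured

    def generate_autn(self, supi: str, rand: bytes, amf: bytes = AMF) -> bytes:
        sub = self.subs[supi]
        sub.sqn_he += 1
        sqn = sub.sqn_he.to_bytes(6, "big")
        return xor(sqn, f5(sub.k, rand)) + amf + f1(sub.k, sqn, rand, amf)

    def handle_resync(self, supi: str, auts: bytes, rand: bytes, amf: bytes = AMF) -> bool:
        """Steps S201-S203: pick the AUTS algorithm from the indication information, check
        AUTS, and on success resynchronise the network-side SQN to SQN MS."""
        sub = self.subs[supi]
        sqn_ms = verify_auts(sub.auts_alg or self.default_alg, sub.k, auts, rand, amf)
        if sqn_ms is None:
            return False
        sub.sqn_he = int.from_bytes(sqn_ms, "big")  # the next AUTN carries SQN MS + 1
        return True

def demo(indication_configured: bool) -> dict:
    """Stale network SQN (5) vs. card SQN (40): one failed round, the resync, one retry.
    Key, SQNs and the card's use of the "new" algorithm are constructed values."""
    k = bytes(range(16))
    sub = Subscription(k=k, sqn_he=5, auts_alg="new" if indication_configured else None)
    udm, usim = Udm({"supi-1": sub}), Usim(k=k, sqn_ms=40, auts_alg="new")
    rand = secrets.token_bytes(16)
    first, auts = usim.verify_autn(rand, udm.generate_autn("supi-1", rand))
    resynced = first == "synch_failure" and udm.handle_resync("supi-1", auts, rand)
    rand = secrets.token_bytes(16)
    second, _ = usim.verify_autn(rand, udm.generate_autn("supi-1", rand))
    return {"first": first, "resynced": resynced, "second": second, "sqn_he": sub.sqn_he}

if __name__ == "__main__":
    print(demo(True))   # indication says "new": resync succeeds and the retry passes
    print(demo(False))  # UDM assumes "legacy": MAC-S mismatch, resync fails, retry fails again
```

The second run is the failure mode the patent addresses: without the indication information the UDM checks AUTS with the wrong algorithm, the MAC-S comparison fails, and the stale network-side SQN is never corrected.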
  • Step S5001 configure indication information in the user subscription data of the terminal device stored in the UDM; the indication information indicates the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS.
  • the indication information may be the identification of the first AUTS algorithm used by the terminal device (or USIM card), or the indication information may include the identification of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or there is a certain mapping relationship between the indication information and the identification of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS; or the indication information may be information indicating whether the terminal device (or USIM card) supports the new AUTS algorithm, or whether the USIM card is a new card, or information such as the type, batch or version of the USIM card, or a list of subscription features of the terminal device (or USIM card). It should be understood that this step S5001 corresponds to a specific implementation in the first embodiment, that is, the indication information corresponding to the terminal device is configured in the UDM.
  • the indication information is configured in the user subscription data of the terminal device stored in the UDR, or the indication information is configured in other information in the UDR, or the indication information is configured independently in the UDR.
  • the indication information is used to indicate the first AUTS algorithm adopted by the terminal device (or USIM card). For the specific implementation manner of the indication information, reference may be made to the description in step S5001.
  • step S501 the UDM obtains user subscription data of the terminal device from the UDR, and the user subscription data includes the above-mentioned indication information corresponding to the terminal device.
  • This step S501 may specifically include the steps of UDM sending a service invocation request to UDR, and UDR in response to the service invocation request, sending a service response message to UDM, etc., which will not be described in detail here.
  • the "acquisition” can also be understood as actions such as querying, invoking, and receiving.
  • step S5002 and step S501 correspond to another specific implementation manner in the first embodiment, that is, the indication information of the terminal device is configured in the UDR. It can be seen that the methods shown in step S5001 and in steps S5002 and S501 are two parallel specific implementations; in practical applications, one of the two paths can be executed.
  • step S502 an authentication procedure (authentication procedure) between the terminal device and the UDM is executed.
  • Step S503 The terminal device verifies the serial number SQN in the authentication token AUTN. If the verified SQN is not within the correct range, the terminal device calculates the resynchronization authentication token AUTS and initiates the resynchronization process. Optionally, the terminal device may also verify the message authentication code MAC in the authentication token AUTN, and the verification of the message authentication code MAC may be performed before the verification of the serial number SQN. Optionally, the actions of verifying the message authentication code MAC and the serial number SQN and calculating the resynchronization authentication token AUTS can also be performed by the USIM card in the terminal device.
  • Step S504 The terminal device sends an authentication failure message to the AMF.
  • the authentication failure message includes the resynchronization authentication token AUTS and the random number RAND.
  • the AMF sends an authentication service request to AUSF.
  • the authentication service request includes the resynchronization authentication token AUTS and the random number RAND.
  • the authentication service request may also include the identification of the terminal device or the identification of the USIM card or the user identification, such as SUPI.
  • the authentication service request described in this step is a service invocation message between network elements, which may also be called a service request message or a service invocation request message, etc., or may also have other names, such as a Nausf_UEAuthentication_Authenticate request, which is not limited in this application.
  • Step S506 AUSF sends an authentication service request to UDM, and the authentication service request includes the resynchronization authentication token AUTS and the random number RAND.
  • the authentication service request may also include the identification of the terminal device or the identification of the USIM card or the user identification, such as SUPI.
  • the authentication service request described in this step is also a service invocation message between network elements. It may also be called a service request message or a service invocation request message, etc., or may have other names, such as Nudm_UEAuthentication_Get, which is not limited in this application.
  • the expression form and content of the authentication service request mentioned in step S505 and step S506 may be the same or different, and this application is not limited.
  • the UDM receives the authentication service request and, according to the identification of the terminal device, the identification of the USIM card or the user identification, such as SUPI, queries the user subscription data, determines the indication information corresponding to the terminal device, and then determines the first AUTS algorithm used by the terminal device (or USIM card) to calculate AUTS.
  • step S508 the UDM checks the AUTS according to the first AUTS algorithm, and after the check succeeds, resynchronizes the SQN.
  • Step S509 re-execute the authentication process between the terminal device and the UDM.
  • FIG. 6 is a schematic flowchart of another communication method provided by an embodiment of this application. The method specifically includes the following steps:
  • Step S601 The terminal device determines that the serial number SQN in the authentication token AUTN is not within the correct range.
  • the terminal device may receive an authentication request message from the AMF.
  • the authentication request message includes the random number RAND and the authentication token AUTN.
  • the authentication token AUTN may specifically include the serial number SQN, the anonymity key AK, the authentication management field AMF, the message authentication code MAC and other parameters.
  • the terminal device (or the USIM card in the terminal device) can verify the authentication token AUTN in the authentication request message. If the serial number SQN in the authentication token AUTN is not in the correct range, for example, if the serial number SQN in the authentication token AUTN is less than or equal to the serial number SQN MS stored in the terminal device (or USIM card), it can be considered that the SQN verification has failed.
  • the terminal device may first verify the MAC in the authentication token AUTN, and after the MAC verification succeeds, then verify the serial number SQN in the authentication token AUTN.
  • verifying the MAC in the authentication token AUTN refers to calculating the XMAC according to the authentication token AUTN, the random number RAND and the root key K, and then comparing the obtained XMAC with the MAC in the authentication token AUTN. If they are consistent, the verification is considered successful, and if they are inconsistent, the verification is considered failed.
  • other MAC verification methods can also be used, which is not limited in this application.
  • Step S602 The terminal device calculates the resynchronization authentication token AUTS, and encrypts the AUTS and the indication information corresponding to the terminal device to obtain the encrypted resynchronization authentication token AUTS*.
  • the AUTS indicates that the terminal device has determined that the serial number SQN in the authentication token AUTN is not in the correct range.
  • the terminal device can use the algorithm shown in FIG. 4a or FIG. 4b to calculate the AUTS, or it can use other algorithms to calculate the AUTS, which is not limited in this application.
  • the terminal device can also generate indication information corresponding to the terminal device according to the first AUTS algorithm used to calculate the AUTS; the indication information is associated with the identification of the terminal device, the identification of the USIM card or the user identification (such as SUPI), and indicates the AUTS algorithm used by the terminal device to calculate the AUTS.
  • the terminal device may generate the indication information according to the identifier of the first AUTS algorithm used to calculate the AUTS.
  • the indication information may be the identifier of the first AUTS algorithm used by the terminal device, or may include the identifier of the first AUTS algorithm used by the terminal device to calculate the AUTS.
  • the indication information can also be a flag bit indicating whether the terminal device (or USIM card) supports the new AUTS algorithm, or whether the USIM card is a new card; a flag value of 1 indicates support and 0 indicates no support.
  • the indication information may also be information such as the type or batch or version of the USIM card, and there is a certain correlation between the type or batch or version of the USIM card and the AUTS algorithm adopted by the terminal device.
  • the indication information may also be a list of subscription features of the terminal device (or USIM card), and there is also a certain association relationship between the subscription features supported by the terminal device and the first AUTS algorithm adopted by the terminal device.
  • the terminal device encrypts the AUTS and the indication information corresponding to the terminal device, which can be expressed as (Formula 2):
  • AUTS* = Enc(K, AUTS, indication)
  • where K is the encryption key, AUTS* is the encrypted resynchronization authentication token, Enc() is the encryption function, AUTS is the resynchronization authentication token, and indication refers to the indication information corresponding to the terminal device.
  • in this way the AUTS and the indication information corresponding to the terminal device are protected, which allows the resynchronization process to proceed normally and improves the security of the authentication process.
  • the terminal device can use the root key K to encrypt the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, or it can use the public key of the home network to encrypt them, or it can encrypt them in the same way that SUPI is encrypted to obtain a subscription concealed identifier (SUCI); this application does not limit the method.
  • the encryption key K in formula 2 can be the root key K or the public key of the home network.
  • the terminal device may also use other encryption algorithms for encryption, which is also not limited in this application.
  • steps S601 and S602 may also be specifically executed by the USIM card in the terminal device.
  • Step S603 The terminal device sends an authentication failure message to the AMF, and the authentication failure message includes the encrypted resynchronization authentication token AUTS*.
  • Step S604 AMF sends an authentication service request to UDM, or AMF sends an authentication service request to AUSF, and then AUSF sends the received authentication service request to UDM.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS*.
  • Step S605 The UDM receives an authentication service request from AMF or AUSF.
  • the authentication service request includes an encrypted resynchronization authentication token AUTS*.
  • the AUTS* is used to indicate that the terminal device has determined that the serial number SQN in the authentication token AUTN is not within the correct range.
  • Step S606 UDM decrypts the encrypted resynchronization authentication token AUTS* to obtain the indication information corresponding to the resynchronization authentication token AUTS and the terminal device.
  • the indication information corresponding to the terminal device is used to indicate the AUTS algorithm the terminal device used to calculate the AUTS.
  • UDM can use the root key K to decrypt the encrypted resynchronization authentication token AUTS*, or UDM can use the private key of the home network to decrypt it, or UDM can decrypt it in the same way that SUCI is decrypted to obtain SUPI.
  • UDM can also use other decryption algorithms for decryption, which is not limited in this application.
  • the decryption algorithm adopted by UDM matches the encryption algorithm adopted by the terminal device (or USIM card). Specifically, when the terminal device uses the root key K to encrypt the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, UDM correspondingly uses the root key K to decrypt the encrypted resynchronization authentication token AUTS*.
  • Step S607 The UDM checks the AUTS according to the first AUTS algorithm.
  • the UDM may determine the first AUTS algorithm according to the identifier of the terminal device included in the authentication service request and the indication information corresponding to the terminal device.
  • the integrity of the resynchronization authentication token AUTS can also be verified.
  • UDM can obtain the terminal device serial number SQN MS (that is, the highest serial number accepted by the USIM card) from the AUTS according to the first AUTS algorithm, and then calculate the message authentication code MAC according to SQN MS; if the MAC is consistent with the MAC-S obtained from the resynchronization authentication token AUTS, it can be determined that the integrity check of the AUTS is successful.
  • UDM can resynchronize the SQN stored on the network side, and then use the resynchronized SQN to re-initiate the authentication process for the terminal device.
  • the terminal device can encrypt and protect the corresponding indication information together with the generated AUTS, and send it to the UDM.
  • UDM can determine the AUTS algorithm used by the terminal device according to the indication information sent by the terminal device, and then use the AUTS algorithm consistent with the terminal device (or USIM card) to verify the AUTS sent by the terminal device. This avoids the resynchronization failure that results when UDM and the terminal device adopt inconsistent AUTS algorithms, allows the resynchronization process and the subsequent authentication process of the terminal device to proceed normally, and at the same time improves the security of the authentication process.
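The following is an added example, not code from the patent or from the applicant, that walks the second embodiment end to end in Python: the terminal computes the AUTS, appends the indication information and encrypts both (step S602, formula 2), and the UDM decrypts AUTS*, selects the AUTS algorithm named by the indication and checks the AUTS (steps S606 and S607). The f1*/f5* functions, the one-byte algorithm identifier used as indication, the HMAC-based Enc()/Dec() stand-in and all sample values are assumptions of this example, not the 3GPP Milenage/TUAK functions or anything the patent specifies. The `verify_auts` call with a fixed algorithm shows the failure the embodiment addresses: a UDM that assumes the older algorithm cannot check an AUTS computed with the newer one.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins, not 3GPP Milenage/TUAK: the "first AUTS algorithm" is
# modelled as an algorithm id that selects the hash inside f1*/f5*.  The id
# doubles as the indication information (assumption: a one-byte identifier).
AUTS_ALGS = {0: hashlib.sha1, 1: hashlib.sha256}   # 0 = older, 1 = newer (assumed)
SQN_LEN = 6    # SQN_MS is 48 bits
MAC_LEN = 8    # MAC-S is 64 bits


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f5_star(alg: int, k: bytes, rand: bytes) -> bytes:
    """AK = f5*_K(RAND): anonymity key that conceals SQN_MS inside the AUTS."""
    return hmac.new(k, b"f5*" + rand, AUTS_ALGS[alg]).digest()[:SQN_LEN]


def f1_star(alg: int, k: bytes, sqn_ms: bytes, rand: bytes, amf: bytes) -> bytes:
    """MAC-S = f1*_K(SQN_MS || RAND || AMF): integrity tag over the resync data."""
    return hmac.new(k, b"f1*" + sqn_ms + rand + amf, AUTS_ALGS[alg]).digest()[:MAC_LEN]


def build_auts(alg: int, k: bytes, sqn_ms: bytes, rand: bytes, amf: bytes) -> bytes:
    """AUTS = (SQN_MS xor AK) || MAC-S, computed with the chosen AUTS algorithm."""
    return xor(sqn_ms, f5_star(alg, k, rand)) + f1_star(alg, k, sqn_ms, rand, amf)


def verify_auts(alg: int, auts: bytes, k: bytes, rand: bytes, amf: bytes):
    """Step S607 with a known algorithm: recover SQN_MS, recompute the MAC and
    compare it with MAC-S.  Returns SQN_MS on success, None on failure."""
    conc, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    sqn_ms = xor(conc, f5_star(alg, k, rand))
    if hmac.compare_digest(mac_s, f1_star(alg, k, sqn_ms, rand, amf)):
        return sqn_ms
    return None


# Stand-in Enc()/Dec() for formula 2 (assumption: an HMAC-SHA256 keystream plus
# an HMAC tag; a real deployment would use a vetted authenticated cipher).
def _keystream(k: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k, b"ks" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enc(k: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ct = xor(plaintext, _keystream(k, nonce, len(plaintext)))
    tag = hmac.new(k, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def dec(k: bytes, blob: bytes):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(k, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None                      # AUTS* was modified in transit
    return xor(ct, _keystream(k, nonce, len(ct)))


def terminal_resync(alg: int, k: bytes, sqn_ms: bytes, rand: bytes, amf: bytes) -> bytes:
    """Steps S601/S602: compute the AUTS, append the indication, encrypt to AUTS*."""
    indication = bytes([alg])
    return enc(k, build_auts(alg, k, sqn_ms, rand, amf) + indication)


def udm_check(auts_star: bytes, k: bytes, rand: bytes, amf: bytes):
    """Steps S606/S607: decrypt AUTS*, read the indication, select the matching
    AUTS algorithm and check the AUTS.  Returns SQN_MS or None."""
    plain = dec(k, auts_star)
    if plain is None or len(plain) != SQN_LEN + MAC_LEN + 1:
        return None
    auts, alg = plain[:-1], plain[-1]
    if alg not in AUTS_ALGS:
        return None                      # unknown algorithm: the AUTS cannot be checked
    return verify_auts(alg, auts, k, rand, amf)


if __name__ == "__main__":
    # Constructed sample values (not real subscriber data).
    K = bytes(range(16)); RAND = bytes(range(16, 32)); AMF = b"\x80\x00"
    SQN_MS = b"\x00\x00\x00\x00\x01\x2c"
    auts_star = terminal_resync(1, K, SQN_MS, RAND, AMF)
    print("UDM using the indication :", udm_check(auts_star, K, RAND, AMF) == SQN_MS)
    auts = build_auts(1, K, SQN_MS, RAND, AMF)
    print("older-algorithm-only UDM :", verify_auts(0, auts, K, RAND, AMF))  # None: resync fails
```

The SQN_MS returned by `udm_check` is the value the network side would resynchronize to (step S607); any alteration of AUTS* in transit makes `dec` reject it, so neither the AUTS nor the indication can be changed without detection.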
  • FIG. 7 is a schematic flowchart of another communication method provided by an embodiment of this application. The method specifically includes the following steps:
  • Step S701 The terminal device determines that the serial number SQN in the authentication token AUTN is not within the correct range.
  • For a specific implementation manner of step S701, reference may be made to the description of step S201 in the first embodiment or step S601 in the second embodiment, which will not be repeated here.
  • Step S702 The terminal device calculates the resynchronization authentication token AUTS according to the indication information corresponding to the terminal device.
  • the indication information is used to directly or indirectly indicate the first AUTS algorithm used by the terminal device to calculate the AUTS, and the indication information is associated with the identification of the terminal device, the identification of the USIM card or the user identification (such as SUPI).
  • the indication information may be the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or may include that identifier, or may have a certain mapping relationship with that identifier; alternatively, the indication information may be information indicating whether the terminal device (or USIM card) supports the new AUTS algorithm, information indicating whether the USIM card is a new card, information such as the type, batch or version of the USIM card, or a list of subscription features of the terminal device (or USIM card).
  • the terminal device may calculate the resynchronization authentication token AUTS in the manner of formula 3, where:
  • AUTS is the resynchronization authentication token, which can be used to instruct the terminal device to determine that the serial number SQN in the authentication token AUTN is not within the correct range
  • SQN MS is the terminal device serial number, which is the highest serial number accepted in the USIM card
  • AK is an anonymous key
  • f5*() represents a function
  • RAND is a random number
  • K is a root key
  • Indication is the indication information corresponding to the terminal device
  • MAC-S' is the message authentication code calculated according to the parameters in AUTN
  • f1*() represents another function
  • AMF is the authentication management domain
  • ⊕ means exclusive OR
  • || means concatenation.
  • the AUTS calculated by the above formula 3 is different from the AUTS calculated in the foregoing first and second embodiments.
  • the AUTS in the third embodiment can also be recorded as AUTS'.
  • MAC-S can also be recorded as MAC-S'.
  • the terminal device can carry the indication information corresponding to the terminal device when calculating the AUTS', and then use the MAC-S' to perform integrity protection on the AUTS'.
  • the AUTS' and corresponding instruction information sent by the terminal device to the UDM can also be protected from being tampered with, thereby facilitating the normal progress of the resynchronization process and improving the security of the authentication process.
  • carrying the indication information corresponding to the terminal device can also be understood as embedding the indication information into the AUTS', or as treating the indication information as an added input parameter of a new version of the AUTS algorithm; that is, the method shown in formula 3 can itself be understood as a new AUTS algorithm.
  • steps S701 and S702 may also be specifically executed by the USIM card in the terminal device.
  • Step S703 The terminal device sends an authentication failure message to the AMF, and the authentication failure message includes the resynchronization authentication token AUTS'.
  • Step S704 AMF sends an authentication service request to UDM, or AMF sends an authentication service request to AUSF, and then AUSF sends an authentication service request to UDM.
  • the authentication service request includes the resynchronization authentication token AUTS'.
  • Step S705 The UDM receives an authentication service request from the AMF or AUSF.
  • the authentication service request includes the resynchronization authentication token AUTS', which is used to instruct the terminal device to determine that the serial number SQN in the authentication token AUTN is not within the correct range.
  • Step S706 The UDM obtains the indication information corresponding to the terminal device from the resynchronization authentication token AUTS'.
  • the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS'.
  • the UDM can directly obtain the indication information corresponding to the terminal device from the AUTS'.
  • Step S707 UDM checks AUTS' according to the first AUTS algorithm.
  • after UDM obtains the resynchronization authentication token AUTS', it can verify the integrity of the AUTS'. Specifically, UDM determines the first AUTS algorithm according to the indication information corresponding to the terminal device obtained from the AUTS', calculates AK according to that algorithm, restores SQN MS, and then calculates the message authentication code MAC' according to parameters such as AMF, RAND, K, SQN MS and the indication information; if the calculated MAC' is consistent with the MAC-S' obtained from the resynchronization authentication token AUTS', it is determined that the integrity check of the AUTS' is successful.
  • UDM can resynchronize the SQN stored on the network side, and then use the resynchronized SQN to re-initiate the authentication process for the terminal device.
  • the terminal device can carry the corresponding indication information when calculating the AUTS', and then send it to UDM after integrity protection of the AUTS'.
  • UDM can obtain the indication information corresponding to the terminal device from the received AUTS', determine the AUTS algorithm used by the terminal device according to that indication information, and adopt the AUTS algorithm consistent with the terminal device (or USIM card) to verify the AUTS' sent by the terminal device or USIM card.
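The following is an added example, not code from the patent or from the applicant, for the third embodiment (steps S702, S706 and S707): the indication information is an input to f1*, so MAC-S' binds it to SQN MS, RAND and AMF, and the UDM reads the indication from AUTS' before choosing the algorithm. The f1*/f5* stand-ins, the one-byte algorithm identifier used as indication, the layout of AUTS' (indication carried in clear between the concealed SQN MS and MAC-S') and the sample values are assumptions of this example; the patent lists the inputs of formula 3 but does not fix a byte layout. The last lines show the property the embodiment relies on: a changed indication byte makes the integrity check fail instead of silently selecting a different algorithm.

```python
import hashlib
import hmac

# Constructed stand-ins for f1*/f5* (not Milenage/TUAK), selected by an AUTS
# algorithm id; the id is also the indication information (assumption: one byte).
AUTS_ALGS = {0: hashlib.sha1, 1: hashlib.sha256}   # 0 = older, 1 = newer (assumed)
SQN_LEN, IND_LEN, MAC_LEN = 6, 1, 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f5_star(alg: int, k: bytes, rand: bytes) -> bytes:
    """AK = f5*_K(RAND), truncated to the SQN length."""
    return hmac.new(k, b"f5*" + rand, AUTS_ALGS[alg]).digest()[:SQN_LEN]


def f1_star_prime(alg: int, k: bytes, sqn_ms: bytes, rand: bytes,
                  amf: bytes, indication: bytes) -> bytes:
    """MAC-S' = f1*_K(SQN_MS || RAND || AMF || indication): the indication is a
    MAC input, so changing it without K invalidates MAC-S'."""
    msg = b"f1*" + sqn_ms + rand + amf + indication
    return hmac.new(k, msg, AUTS_ALGS[alg]).digest()[:MAC_LEN]


def build_auts_prime(alg: int, k: bytes, sqn_ms: bytes, rand: bytes, amf: bytes) -> bytes:
    """Step S702.  Layout assumed here: AUTS' = (SQN_MS xor AK) || indication || MAC-S'.
    The indication travels in clear so the UDM can read it before choosing an algorithm."""
    indication = bytes([alg])
    conc = xor(sqn_ms, f5_star(alg, k, rand))
    return conc + indication + f1_star_prime(alg, k, sqn_ms, rand, amf, indication)


def udm_check_auts_prime(auts_p: bytes, k: bytes, rand: bytes, amf: bytes):
    """Steps S706/S707: take the indication from AUTS', select the algorithm,
    recover SQN_MS, recompute MAC' and compare it with MAC-S'.
    Returns SQN_MS on success, None on failure."""
    if len(auts_p) != SQN_LEN + IND_LEN + MAC_LEN:
        return None
    conc = auts_p[:SQN_LEN]
    indication = auts_p[SQN_LEN:SQN_LEN + IND_LEN]
    mac_s = auts_p[SQN_LEN + IND_LEN:]
    alg = indication[0]
    if alg not in AUTS_ALGS:
        return None                                   # unknown algorithm: cannot check
    sqn_ms = xor(conc, f5_star(alg, k, rand))
    if not hmac.compare_digest(mac_s, f1_star_prime(alg, k, sqn_ms, rand, amf, indication)):
        return None                                   # AUTS' or its indication was altered
    return sqn_ms


if __name__ == "__main__":
    # Constructed sample values (not real subscriber data).
    K = bytes(range(16)); RAND = bytes(range(16, 32)); AMF = b"\x80\x00"
    SQN_MS = b"\x00\x00\x00\x00\x01\x2c"
    auts_p = build_auts_prime(1, K, SQN_MS, RAND, AMF)
    print("intact AUTS'       :", udm_check_auts_prime(auts_p, K, RAND, AMF) == SQN_MS)
    altered = auts_p[:SQN_LEN] + b"\x00" + auts_p[SQN_LEN + 1:]   # indication byte changed
    print("altered indication :", udm_check_auts_prime(altered, K, RAND, AMF))  # None
```

Compared with the second embodiment, nothing here is encrypted: confidentiality of the indication is not the goal, only its integrity, which is why the patent describes this variant as protecting AUTS' and the indication "from being tampered with".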
  • FIG. 8 is a specific example of the communication method provided in Embodiments 2 and 3 of this application.
  • the example specifically includes the following steps:
  • an authentication procedure between the terminal device and the UDM is executed.
  • the authentication process may include: the AMF sends an authentication request message to the terminal device, and the authentication request message includes the random number RAND and the authentication token AUTN.
  • Step S802 The terminal device verifies the serial number SQN in the authentication token AUTN. If the verified SQN is not within the correct range, the terminal device calculates the resynchronization authentication token AUTS and initiates the resynchronization process. Optionally, the terminal device may also check the message authentication code MAC in the authentication token AUTN, and the MAC check may precede the SQN check.
  • the terminal device may also generate indication information, and encrypt the indication information with the calculated resynchronization authentication token AUTS to obtain the encrypted AUTS*.
  • the specific encryption method can refer to the description in step S602, which will not be repeated here.
  • the terminal device may also generate indication information and, when calculating the resynchronization authentication token AUTS, use the indication information as one of the input parameters for calculating the AUTS; that is, the AUTS is calculated according to the indication information corresponding to the terminal device.
  • for the specific calculation method of the AUTS, please refer to the description in step S702, which will not be repeated here.
  • Step S803 The terminal device sends an authentication failure message to the AMF.
  • the authentication failure message includes the encrypted resynchronization authentication token AUTS* or the resynchronization authentication token AUTS, and the random number RAND.
  • when the authentication failure message includes an encrypted resynchronization authentication token AUTS*, the AUTS* is obtained by the terminal device encrypting the calculated AUTS together with the corresponding indication information.
  • when the authentication failure message includes the resynchronization authentication token AUTS, the AUTS is generated by the terminal device according to the indication information corresponding to the terminal device; that is, the terminal device also uses the corresponding indication information as one of the input parameters when calculating the AUTS.
  • Step S804 The AMF sends an authentication service request to AUSF.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS* or the resynchronization authentication token AUTS, and the random number RAND.
  • the authentication service request may also include the identification of the terminal device or the identification of the USIM card or the user identification, such as SUPI.
  • Step S805 AUSF sends the received authentication service request to UDM.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS* or the resynchronization authentication token AUTS, and the random number RAND.
  • the authentication service request may also include the identification of the terminal device or the identification of the USIM card or the user identification, such as SUPI.
  • Step S806 The UDM receives the authentication service request and determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
  • when the received authentication service request carries the encrypted resynchronization authentication token AUTS*, UDM decrypts the AUTS* to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, and then determines the first AUTS algorithm according to that indication information.
  • when the received authentication service request carries the resynchronization authentication token AUTS calculated with the indication information, UDM obtains the indication information corresponding to the terminal device from the AUTS, verifies the integrity of the AUTS according to MAC-S', and then determines the first AUTS algorithm according to that indication information.
  • Step S807 The UDM checks the AUTS according to the first AUTS algorithm. After the check succeeds, it resynchronizes the SQN, and then re-initiates the authentication process according to the synchronized SQN.
  • For the specific process of verifying the AUTS, please refer to the description in step S607 or S707, which will not be repeated here.
  • Step S808 re-execute the authentication process between the terminal device and the UDM.
  • the technical solution in the fourth embodiment is similar to the technical solution shown in the second embodiment. The difference is that in the second embodiment the actions performed by the terminal device and the actions performed by the USIM card installed in the terminal device are not clearly distinguished: some actions performed by the terminal device can also be performed by the USIM card installed in the terminal device. For example, the USIM card may verify the authentication token AUTN received by the terminal device and, after verifying that the serial number SQN in the authentication token AUTN is not within the correct range, calculate the resynchronization authentication token AUTS, encrypt the resynchronization authentication token AUTS and the indication information to obtain AUTS*, and then send the encrypted AUTS* to UDM via the terminal device and the AMF.
  • in the fourth embodiment, the USIM card installed in the terminal device verifies the authentication token AUTN received by the terminal device, calculates the resynchronization authentication token AUTS after verifying that the serial number SQN in the authentication token AUTN is not in the correct range, and sends the resynchronization authentication token AUTS to the terminal device. The terminal device then determines the corresponding indication information according to the configuration information of the USIM card, encrypts it together with the AUTS received from the USIM card, and finally sends the result to UDM via the AMF.
  • FIG. 9 is a schematic flowchart of another communication method provided by an embodiment of this application. The method specifically includes the following steps:
  • the terminal device may receive an authentication request message from the AMF and send parameters such as the authentication token AUTN and the random number RAND included in the authentication request message to the USIM card installed in the terminal device, and the USIM card verifies the authentication token AUTN.
  • Step S902 The USIM card calculates the resynchronization authentication token AUTS.
  • the USIM card can use the algorithm shown in FIG. 4a or 4b to calculate the resynchronization authentication token AUTS, and other algorithms can also be used to calculate the resynchronization authentication token AUTS, which is not limited by this application.
  • Step S903 The USIM card sends the resynchronization authentication token AUTS and the configuration information of the USIM card to the terminal device.
  • the configuration information may include information used to indicate the AUTS algorithm used by the USIM card to calculate the AUTS, for example one or more of the following: the identifier of the first AUTS algorithm used by the USIM card, information indicating whether the USIM card supports the new AUTS algorithm, information indicating whether the USIM card is a new card, the type, batch or version of the USIM card, and other information.
  • the configuration information may also include other information that can be used to distinguish the AUTS algorithm, which is not limited in this application.
  • the USIM may also send the random number RAND to the terminal device.
  • Step S904 The terminal device receives the resynchronization authentication token AUTS from the USIM card and the configuration information of the USIM card.
  • the terminal device receiving the configuration information of the USIM card from the USIM card can also be understood as the terminal device reading the configuration information of the USIM card, or the terminal device acquiring the configuration information of the USIM card, etc.
  • Step S905 The terminal device determines the indication information according to the configuration information of the USIM card, and the indication information is used to indicate the first AUTS algorithm used by the USIM card to calculate the AUTS.
  • the indication information is associated with the identification of the terminal device, or the identification of the USIM card or the user identification (such as SUPI).
  • the indication information may be the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or may include that identifier, or may have a certain mapping relationship with that identifier; alternatively, the indication information may be information indicating whether the terminal device (or USIM card) supports the new AUTS algorithm, information indicating whether the USIM card is a new card, information such as the type, batch or version of the USIM card, or a list of subscription features of the terminal device (or USIM card).
  • the indication information may be part or all of the configuration information of the USIM card, or may be information derived and calculated based on the configuration information of the USIM card, which is not limited in this application.
  • Step S906 The terminal device encrypts the resynchronization authentication token AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS*.
  • step S906 reference may be made to the description of step S602 in the second embodiment, which will not be repeated here.
  • Step S907 The terminal device sends an authentication failure message to the AMF.
  • the authentication failure message includes the encrypted resynchronization authentication token AUTS*.
  • the encrypted resynchronization authentication token AUTS* can be used to indicate that the terminal device or the USIM card has determined that the serial number SQN in the authentication token AUTN is not in the correct range.
  • the authentication failure message is used to trigger the UDM to resynchronize the SQN.
  • Step S908 AMF sends an authentication service request to UDM, or AMF sends an authentication service request to AUSF, and then AUSF sends the received authentication service request to UDM.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS*.
  • Step S909 The UDM receives the authentication service request from the AMF or AUSF, and obtains the encrypted resynchronization authentication token AUTS* in the authentication service request.
  • Step S910 UDM decrypts the encrypted resynchronization authentication token AUTS* to obtain the indication information corresponding to the resynchronization authentication token AUTS and the terminal device.
  • For the specific implementation of steps S907 to S911 described above, reference may be made to steps S604 to S607 in the second embodiment, which will not be repeated here.
  • the terminal device can determine the AUTS algorithm used by the USIM card according to the configuration information of the USIM card, encrypt the indication information indicating that AUTS algorithm together with the AUTS calculated by the USIM card, and send the result to UDM. In this way the resynchronization process can proceed normally, and at the same time the problem that a limited or incompatible USIM card cannot itself generate the indication information or perform the encryption is avoided, which enhances the applicability of the method.
  • FIG. 10 is another specific example of the communication method provided in the fourth embodiment of this application.
  • the example specifically includes the following steps:
  • Step S1001 An authentication procedure between the terminal device and the UDM is executed.
  • the authentication process may include: the AMF sends an authentication request message to the terminal device, and the authentication request message includes the random number RAND and the authentication token AUTN.
  • the terminal device can send the random number RAND and the authentication token AUTN included in the authentication request message to the USIM card installed in the terminal device.
  • Step S1002 The USIM card in the terminal device verifies the serial number SQN in the authentication token AUTN. If the verified SQN is not in the correct range, the USIM card can calculate the resynchronization authentication token AUTS.
  • the terminal device may also check the message authentication code MAC in the authentication token AUTN, and the MAC check may precede the SQN check.
  • the USIM card may send the calculated resynchronization authentication token AUTS and the configuration information of the USIM card to the terminal device.
  • For the specific implementation of the configuration information of the USIM card, reference may be made to the description in step S903, which will not be repeated here.
  • Step S1004 The terminal device generates indication information according to the received USIM card configuration information, and then encrypts the received resynchronization authentication token AUTS and the generated indication information to obtain an encrypted resynchronization authentication token AUTS*.
  • the specific encryption method can refer to the description in step S602, which will not be repeated here.
  • Step S1005 The terminal device sends an authentication failure message to the AMF.
  • the authentication failure message includes the encrypted resynchronization authentication token AUTS* and the random number RAND.
  • Step S1006 The AMF sends an authentication service request to AUSF.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS* and the random number RAND.
  • Step S1007 AUSF sends the received authentication service request to UDM.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS* and the random number RAND.
  • the authentication service request may also include the identification of the terminal device or the identification of the USIM card or the user identification, such as SUPI.
  • Step S1008 The UDM receives the authentication service request, decrypts the encrypted resynchronization authentication token AUTS* in the received authentication service request, and obtains the resynchronization authentication token AUTS and the indication information corresponding to the terminal device.
  • the UDM determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
  • Step S1009 The UDM checks the AUTS according to the first AUTS algorithm. After the check succeeds, it resynchronizes the SQN, and then re-initiates the authentication process according to the synchronized SQN.
  • For the specific process of verifying the AUTS, please refer to the description in step S607 or S707, which will not be repeated here.
  • Step S1010 re-execute the authentication process between the terminal device and the UDM.
  • FIG. 11 is a schematic structural diagram of a communication device provided by an embodiment of this application.
  • the communication device 1100 includes a transceiver module 1110 and a processing module 1120.
  • the communication device can be used to implement the function of the unified data management network element in any of the foregoing method embodiments, or be used to implement the function of the unified data storage network element in any of the foregoing method embodiments.
  • the communication device may be a UDM network element or a UDR network element in the core network
  • the network element or network function may be a network element in a hardware device, a software function running on dedicated hardware, or a virtualized function instantiated on a platform (for example, a cloud platform).
  • the communication device may be a network device or a chip included in the network device.
  • the transceiver module 1110 is used to receive an authentication service request, and the authentication service request includes a resynchronization authentication token AUTS; the processing module 1120 is used to obtain the indication information corresponding to the terminal device, and the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the processing module 1120 is also used to verify the AUTS according to the first AUTS algorithm.
  • the processing module 1120 is specifically configured to obtain the indication information from a local configuration or obtain the indication information from a unified data storage network element.
  • the indication information corresponding to the terminal device is included in the subscription data of the terminal device.
  • the transceiver module 1110 is used to receive a service call request from the unified data management network element, and the service call request is used to request the indication information corresponding to the terminal device; the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the processing module 1120 is used to send a service response message to the unified data management network element through the transceiver module 1110, and the service response message includes the indication information corresponding to the terminal device.
  • the transceiver module 1110 is used to receive an authentication service request, and the authentication service request includes an encrypted resynchronization authentication token AUTS*; processing module 1120 is used to decrypt the AUTS* to obtain the indication information corresponding to the resynchronization authentication token AUTS and the terminal device.
  • the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the processing module 1120 is also used to verify the AUTS according to the first AUTS algorithm.
  • the transceiver module 1110 is used to receive an authentication service request, and the authentication service request includes a resynchronization authentication token AUTS; the processing module 1120 is used to obtain the indication information corresponding to the terminal device from the AUTS, and the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the processing module 1120 is also used to check the AUTS according to the first AUTS algorithm.
  • the processing module 1120 is specifically configured to obtain the mobile terminal serial number SQN MS from the AUTS according to the first AUTS algorithm, and calculate the MAC according to the SQN MS ; if the MAC is the same as the MAC obtained from the AUTS- If S is consistent, it is determined that the AUTS verification is successful.
  • processing module 1120 involved in the communication device may be implemented by a processor or processor-related circuit components
  • transceiver module 1110 may be implemented by a transceiver or transceiver-related circuit components.
  • the operation and/or function of each module in the communication device is to implement the corresponding process of the method shown in FIG. 2, FIG. 5, FIG. 6 or FIG.
  • FIG. 12 is another schematic structural diagram of a communication device according to an embodiment of this application.
  • the communication device 1200 can be used to implement the methods described in the foregoing method embodiments.
  • the communication device 1200 may be a chip or a network device.
  • the communication device 1200 includes one or more processors 1201, and the one or more processors 1201 can support the communication device 1200 in implementing the method of the unified data management network element or the unified data storage network element in FIG. 2, FIG. 5, FIG. 6 or FIG.
  • the processor 1201 may be a general-purpose processor or a special-purpose processor.
  • the processor 1201 may be a central processing unit (CPU) or a baseband processor.
  • the baseband processor may be used to process communication data, and the CPU may be used to control a communication device (for example, a network device, a terminal device, or a chip), execute a software program, and process data of the software program.
  • the communication device 1200 may further include a transceiving unit 1205 to implement signal input (reception) and output (transmission).
  • the communication device 1200 may be a chip, and the transceiver unit 1205 may be an input and/or output circuit of the chip, or the transceiver unit 1205 may be a communication interface of the chip; the chip may be a component of a terminal device, a network device, or other wireless communication equipment.
  • the communication device 1200 may include one or more memories 1202 with a program 1204 stored thereon.
  • the program 1204 can be run by the processor 1201 to generate an instruction 1203 so that the processor 1201 executes the method described in the foregoing method embodiment according to the instruction 1203.
  • the memory 1202 may also store data.
  • the processor 1201 may also read data stored in the memory 1202. The data may be stored at the same storage address as the program 1204, or the data may be stored at a different storage address from the program 1204.
  • the processor 1201 and the memory 1202 may be provided separately or integrated together, for example, integrated on a single board or a system-on-chip (SOC).
  • the communication device 1200 may further include a transceiver unit 1205 and an antenna 1206.
  • the transceiver unit 1205 may be called a transceiver, a transceiver circuit, or a transceiver apparatus, and is used to implement the transceiving function of the communication device through the antenna 1206.
  • each step of the foregoing method embodiment may be completed by a logic circuit in the form of hardware or instructions in the form of software in the processor 1201.
  • the processor 1201 may be a CPU, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, for example discrete gates, transistor logic devices, or discrete hardware components.
  • FIG. 13 is a schematic structural diagram of another communication device provided by an embodiment of the present application.
  • the communication device 1300 includes a transceiver module 1310 and a processing module 1320.
  • the communication device can be used to implement the function of the terminal device in any of the foregoing method embodiments.
  • the communication device may be a terminal device, such as a handheld terminal device or a vehicle-mounted terminal device; the communication device may also be a chip included in the terminal device, such as a USIM card installed in the terminal device, or a device that includes the terminal device, such as various types of vehicles.
  • the processing module 1320 is used to calculate the resynchronization authentication token AUTS, and to encrypt the AUTS and the indication information corresponding to the communication device to obtain the encrypted resynchronization authentication token AUTS*, where the indication information corresponding to the communication device is used to indicate the first AUTS algorithm used by the communication device to calculate the AUTS; the transceiver module 1310 is used to send the AUTS* to the access management network element.
  • the processing module 1320 is further configured to generate the indication information corresponding to the device according to the first AUTS algorithm used to calculate the AUTS.
  • the processing module 1320 is configured to calculate the resynchronization authentication token AUTS according to the indication information corresponding to the communication device, where the indication information corresponding to the communication device is used to indicate the first AUTS algorithm used by the communication device to calculate the AUTS; the transceiver module 1310 is used to send the AUTS to the access management network element.
  • the AUTS includes the indication information corresponding to the communication device and/or the MAC-S calculated according to the indication information corresponding to the communication device.
  • the transceiver module 1310 is used to receive the resynchronization authentication token AUTS and the configuration information of the USIM card from the universal subscriber identity module (USIM) card; the processing module 1320 is used to determine the indication information according to the configuration information of the USIM card, where the indication information is used to indicate the first AUTS algorithm used by the USIM card to calculate the AUTS; the processing module 1320 is also used to encrypt the AUTS and the indication information to obtain the encrypted resynchronization authentication token AUTS*; the transceiver module 1310 is also used to send the AUTS* to the access management network element.
  • the configuration information includes one or more of the following information:
  • the AUTS algorithm supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and the version information of the USIM card.
  • the processing module 1320 is used to calculate the resynchronization authentication token AUTS; the transceiver module 1310 is used to send the AUTS and the configuration information of the USIM card to the terminal device.
  • the configuration information includes one or more of the following information:
  • the AUTS algorithm supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and the version information of the USIM card.
  • the processing module 1320 involved in the communication device may be implemented by a processor or processor-related circuit components, and the transceiver module 1310 may be implemented by a transceiver or transceiver-related circuit components.
  • the operation and/or function of each module in the communication device is to implement the corresponding process of the method shown in FIG. 6 to FIG. 10, and is not repeated here for brevity.
  • FIG. 14 is a schematic diagram of another structure of another communication device provided in an embodiment of this application.
  • the communication device may specifically be a terminal device; for ease of understanding and illustration, the terminal device is described using a mobile phone as an example.
  • the terminal device includes a processor, and may also include a memory. Of course, it may also include a radio frequency circuit, an antenna, and an input/output device.
  • the processor is mainly used to process the communication protocol and communication data, and to control the terminal device, execute the software program, and process the data of the software program.
  • the memory is mainly used to store software programs and data.
  • the radio frequency circuit is mainly used for the conversion of baseband signals and radio frequency signals and the processing of radio frequency signals.
  • the antenna is mainly used to send and receive radio frequency signals in the form of electromagnetic waves.
  • Input and output devices such as touch screens, display screens, keyboards, etc., are mainly used to receive data input by users and output data to users. It should be noted that some types of terminal devices may not have input and output devices.
  • when data needs to be sent, the processor performs baseband processing on the data to be sent and then outputs the baseband signal to the radio frequency circuit.
  • the radio frequency circuit performs radio frequency processing on the baseband signal and sends the radio frequency signal to the outside in the form of electromagnetic waves through the antenna.
  • the radio frequency circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor, and the processor converts the baseband signal into data and processes the data.
  • only one memory and one processor are shown in FIG. 14; in an actual terminal device product, there may be one or more processors and one or more memories.
  • the memory may also be referred to as a storage medium or storage device.
  • the memory may be set independently of the processor, or may be integrated with the processor, which is not limited in the embodiment of the present application.
  • the antenna and radio frequency circuit with the transceiving function can be regarded as the transceiving unit of the terminal device
  • the processor with the processing function can be regarded as the processing unit of the terminal device.
  • the terminal device includes a transceiving unit 1410 and a processing unit 1420.
  • the transceiving unit may also be referred to as a transceiver, a transceiving apparatus, and so on.
  • the processing unit may also be called a processor, a processing board, a processing module, a processing device, and so on.
  • the device for implementing the receiving function in the transceiving unit 1410 can be regarded as the receiving unit, and the device for implementing the sending function in the transceiving unit 1410 as the sending unit, that is, the transceiving unit 1410 includes a receiving unit and a sending unit.
  • the transceiver unit may sometimes be referred to as a transceiver, a transceiving apparatus, or a transceiver circuit.
  • the receiving unit may sometimes be called a receiver, a receiving apparatus, or a receiving circuit.
  • the transmitting unit may sometimes be called a transmitter, a transmitting apparatus, or a transmitting circuit.
  • transceiving unit 1410 is used to perform sending and receiving operations on the terminal device side in the foregoing method embodiment
  • processing unit 1420 is used to perform other operations on the terminal device in the foregoing method embodiment except for the transceiving operation.
  • An embodiment of the present application also provides a chip system, including a processor coupled with a memory; the memory is used to store a program or instructions, and when the program or instructions are executed by the processor, the chip system implements the method in any of the foregoing method embodiments.
  • there may be one or more processors in the chip system.
  • the processor can be implemented by hardware or software.
  • the processor may be a logic circuit, an integrated circuit, or the like.
  • the processor may be a general-purpose processor, which is implemented by reading software codes stored in the memory.
  • the memory may be integrated with the processor, or may be provided separately from the processor, which is not limited in this application.
  • the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or may be provided on different chips.
  • the setting method of the processor is not specifically limited.
  • the chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), or a system on chip (SoC); it may also be a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
  • each step in the foregoing method embodiments may be completed by an integrated logic circuit of hardware in a processor or instructions in the form of software.
  • the steps of the method disclosed in the embodiments of the present application can be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
  • the embodiment of the present application also provides a computer-readable storage medium that stores computer-readable instructions; when a computer reads and executes the computer-readable instructions, the computer is caused to execute the method in any of the above-mentioned method embodiments.
  • the embodiments of the present application also provide a computer program product.
  • the computer reads and executes the computer program product, the computer is caused to execute the method in any of the foregoing method embodiments.
  • the embodiment of the present application also provides a communication system, which includes a unified data management network element and terminal equipment.
  • a USIM card is provided in the terminal device.
  • the communication system may also include one or more of an access network device, an access management network element, an authentication service function network element, and a unified data storage network element.
  • the processor mentioned in the embodiments of this application may be a central processing unit (CPU) or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the memory mentioned in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM), or flash memory.
  • the volatile memory may be random access memory (RAM), which is used as an external cache.
  • examples of RAM include: static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synchlink DRAM, SLDRAM), and direct Rambus random access memory (direct Rambus RAM, DR RAM).
  • when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) may be integrated into the processor.
  • the size of the sequence numbers of the above-mentioned processes does not imply the order of execution.
  • the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
  • the disclosed system, device, and method can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence or in the part that contributes to the existing technology, or a part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed in embodiments of the present invention are a communication method and apparatus. The method comprises: after receiving an authentication resynchronization token (AUTS), a unified data management network element acquires indication information corresponding to a terminal device, recognizes, according to the indication information corresponding to the terminal device, the AUTS algorithm adopted when the terminal device calculated the AUTS, and thus verifies the AUTS using an AUTS algorithm consistent with that of the terminal device. Therefore, the problem of resynchronization failure caused by inconsistent AUTS algorithms adopted by the unified data management network element and the terminal device can be effectively avoided, so that the resynchronization flow and subsequent authentication flows of the terminal device can be performed normally.

Description

Communication method and apparatus
Cross-reference to related applications
This application claims priority to Chinese patent application No. 202010103830.2, entitled "A communication method and apparatus", filed with the China National Intellectual Property Administration on February 20, 2020, the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of wireless communication technology, and in particular to a communication method and apparatus.
Background
In the current authentication procedure, after receiving an authentication request message from the access and mobility management function (AMF), the terminal device checks the sequence number (SQN) carried in the authentication request message. If the SQN is not within the correct value range, the terminal device further calculates a resynchronization authentication token (authentication token for synchronisation, AUTS) and sends the AUTS to the unified data management (UDM). After receiving the AUTS, the UDM verifies the AUTS and, once verification passes, executes the resynchronization procedure.
However, in the prior art there may be several algorithms by which the terminal device calculates the AUTS, and the UDM cannot identify which AUTS algorithm the terminal device actually used to calculate the AUTS. When the AUTS algorithm used by the terminal device is inconsistent with the AUTS algorithm used by the UDM, the UDM may fail to verify the AUTS, which in turn causes resynchronization to fail.
Summary of the invention
The embodiments of this application provide a communication method and apparatus for identifying the AUTS algorithm adopted by the terminal device, so that the correct AUTS algorithm is used to verify the AUTS and the authentication efficiency of the terminal device is improved.
In a first aspect, an embodiment of this application provides a communication method that may be executed by the unified data management network element (UDM). The method includes: the unified data management network element receives an authentication service request, where the authentication service request includes a resynchronization authentication token AUTS; the unified data management network element obtains indication information corresponding to the terminal device, where the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm adopted by the terminal device to calculate the AUTS; and the unified data management network element verifies the AUTS using the first AUTS algorithm.
In this embodiment, the unified data management network element can identify, according to the indication information corresponding to the terminal device, the AUTS algorithm adopted by the terminal device when calculating the AUTS, and then verify the AUTS calculated by the terminal device using an AUTS algorithm consistent with that of the terminal device. In this way, resynchronization failure caused by the unified data management network element and the terminal device adopting inconsistent AUTS algorithms can be effectively avoided, so that the resynchronization procedure and the subsequent authentication procedure of the terminal device can proceed normally.
In a possible design of the first aspect, the unified data management network element obtaining the indication information corresponding to the terminal device may mean that the unified data management network element obtains the indication information from a local configuration, or obtains the indication information from the unified data storage network element. That is, the indication information corresponding to the terminal device may be pre-configured locally in the unified data management network element, or may be configured in the unified data storage network element, which enhances the applicability of the technical solutions in the embodiments of this application.
In a possible design of the first aspect, the indication information of the terminal device may be included in the subscription data of the terminal device, and the subscription data of the terminal device may be stored in the unified data management network element or in the unified data storage network element.
In a possible design of the first aspect, the unified data management network element determining the first AUTS algorithm according to the indication information corresponding to the terminal device may include: the unified data management network element determines the first AUTS algorithm according to the identifier of the terminal device in the authentication service request and the indication information corresponding to the terminal device.
In a second aspect, an embodiment of this application provides a communication method that may be executed by the unified data storage network element (UDR). The method includes: the unified data storage network element receives a service invocation request from the unified data management network element, where the service invocation request is used to request the indication information corresponding to the terminal device, and the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm adopted by the terminal device to calculate the AUTS; and the unified data storage network element sends a service response message to the unified data management network element, where the service response message includes the indication information corresponding to the terminal device.
In this embodiment, the indication information corresponding to the terminal device may be pre-configured in the unified data storage network element. When the unified data management network element needs to obtain the indication information corresponding to the terminal device, the unified data storage network element can, according to the service invocation request sent by the unified data management network element, send the indication information corresponding to the terminal device to the unified data management network element, so that the unified data management network element can verify the AUTS according to the AUTS algorithm indicated by the indication information and the resynchronization procedure can proceed normally.
In a third aspect, an embodiment of this application provides another communication method that may be executed by the unified data management network element (UDM). The method includes: the unified data management network element receives an authentication service request, where the authentication service request includes an encrypted resynchronization authentication token AUTS*; the unified data management network element decrypts the AUTS* to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm adopted by the terminal device to calculate the AUTS; and the unified data management network element verifies the AUTS according to the first AUTS algorithm.
In this embodiment, the unified data management network element can decrypt the received encrypted resynchronization authentication token AUTS* to obtain the indication information corresponding to the terminal device and the AUTS generated by the terminal device. In this way, the unified data management network element can determine the AUTS algorithm adopted by the terminal device according to the indication information corresponding to the terminal device, and then verify the AUTS sent by the terminal device using an AUTS algorithm consistent with that of the terminal device. This avoids resynchronization failure caused by inconsistent AUTS algorithms between the unified data management network element and the terminal device, allows the resynchronization procedure and the subsequent authentication procedure of the terminal device to proceed normally, and at the same time improves the security of the authentication procedure.
In a possible design of the third aspect, the unified data management network element determining the first AUTS algorithm according to the indication information corresponding to the terminal device may include: the unified data management network element determines the first AUTS algorithm according to the identifier of the terminal device in the authentication service request and the indication information corresponding to the terminal device.
In a fourth aspect, an embodiment of this application provides another communication method that may be executed by the terminal device. The method includes: the terminal device calculates a resynchronization authentication token AUTS and encrypts the AUTS together with the indication information corresponding to the terminal device to obtain an encrypted resynchronization authentication token AUTS*, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm adopted by the terminal device to calculate the AUTS; and the terminal device sends the AUTS* to the access management network element.
In this embodiment, the terminal device may encrypt and protect its corresponding indication information together with the generated AUTS, and send them to the unified data management network element. In this way, the unified data management network element can determine the AUTS algorithm adopted by the terminal device according to the indication information sent by the terminal device, and verify the AUTS sent by the terminal device using an AUTS algorithm consistent with that of the terminal device. This avoids resynchronization failure caused by inconsistent AUTS algorithms between the unified data management network element and the terminal device, allows the resynchronization procedure and the subsequent authentication procedure of the terminal device to proceed normally, and at the same time improves the security of the authentication procedure.
In a possible design of the fourth aspect, the method further includes: the terminal device generates the indication information corresponding to the terminal device according to the first AUTS algorithm adopted to calculate the AUTS.
In a fifth aspect, an embodiment of this application provides another communication method that may be executed by the unified data management network element (UDM). The method includes: the unified data management network element receives an authentication service request, where the authentication service request includes a resynchronization authentication token AUTS; the unified data management network element obtains the indication information corresponding to the terminal device from the AUTS, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm adopted by the terminal device to calculate the AUTS; and the unified data management network element verifies the AUTS according to the first AUTS algorithm.
本申请实施例中,终端设备对应的指示信息也可直接携带在AUTS中,并进行完整性保护。如此,统一数据管理网元可直接从接收的AUTS中获取终端设备对应的指示信息,根据终端设备发送的指示信息,确定终端设备采用的AUTS算法,并采用与终端设备一致的AUTS算法来对终端设备发送的AUTS进行校验,从而避免统一数据管理网元与终端设备采用的AUTS算法不一致而导致的重同步失败的问题,使得重同步流程以及后续终端设备的认证流程可以正常进行,同时提高认证过程的安全性。In the embodiment of the present application, the indication information corresponding to the terminal device can also be directly carried in the AUTS, and integrity protection is performed. In this way, the unified data management network element can directly obtain the instruction information corresponding to the terminal device from the received AUTS, determine the AUTS algorithm used by the terminal device according to the instruction information sent by the terminal device, and use the AUTS algorithm consistent with the terminal device to control the terminal The AUTS sent by the device is checked, so as to avoid the problem of resynchronization failure caused by the inconsistency of the AUTS algorithm used by the unified data management network element and the terminal device, so that the resynchronization process and the subsequent terminal device authentication process can proceed normally, and at the same time improve the authentication Security of the process.
在第五方面的一种可能的设计中,统一数据管理网元根据第一AUTS算法对AUTS进行校验,可包括:统一数据管理网元根据第一AUTS算法,从AUTS中获取的移动终端序列号SQN MS,并根据该SQN MS计算得到MAC;若计算得到的MAC与从AUTS中获取的MAC-S一致,则统一数据管理网元可确定AUTS校验成功。 In a possible design of the fifth aspect, the unified data management network element checks AUTS according to the first AUTS algorithm, which may include: the unified data management network element obtains the mobile terminal sequence from the AUTS according to the first AUTS algorithm Number SQN MS , and calculate the MAC based on the SQN MS ; if the calculated MAC is consistent with the MAC-S obtained from AUTS, the unified data management network element can determine that the AUTS verification is successful.
第六方面,本申请实施例提供另一种通信方法,该方法可由终端设备执行,该方法包括:终端设备根据终端设备对应的指示信息,计算重同步认证令牌AUTS,该指示信息用于指示终端设备计算AUTS所采用的第一AUTS算法;终端设备向接入管理网元所述AUTS。In a sixth aspect, the embodiments of the present application provide another communication method, which can be executed by a terminal device, and the method includes: the terminal device calculates the resynchronization authentication token AUTS according to the instruction information corresponding to the terminal device, and the instruction information is used to indicate The terminal equipment calculates the first AUTS algorithm used by the AUTS; the terminal equipment sends the AUTS to the access management network element.
本申请实施例中,终端设备可在计算AUTS时携带对应的指示信息,然后对该AUTS进行完整性保护后发送给统一数据管理网元。如此,统一数据管理网元可从接收到的AUTS中得到终端设备对应的指示信息,然后根据终端设备发送的指示信息,确定终端设备采用的AUTS算法,并采用与终端设备一致的AUTS算法来对终端设备发送的AUTS进行校验,从而避免统一数据管理网元与终端设备采用的AUTS算法不一致而导致的重同步失败的问题,使得重同步流程以及后续终端设备的认证流程可以正常进行,同时提高认证过程的安全性。In the embodiment of the present application, the terminal device may carry the corresponding indication information when calculating the AUTS, and then send the integrity protection of the AUTS to the unified data management network element. In this way, the unified data management network element can obtain the instruction information corresponding to the terminal device from the received AUTS, and then determine the AUTS algorithm used by the terminal device according to the instruction information sent by the terminal device, and use the AUTS algorithm consistent with the terminal device to check The AUTS sent by the terminal equipment is verified, so as to avoid the problem of resynchronization failure caused by the inconsistency of the AUTS algorithm used by the unified data management network element and the terminal equipment, so that the resynchronization process and the subsequent terminal equipment authentication process can be carried out normally, and at the same time improve Security of the certification process.
在第六方面的一种可能的设计中,该AUTS中包括终端设备对应的指示信息和/或根据该指示信息计算得到的MAC-S。In a possible design of the sixth aspect, the AUTS includes indication information corresponding to the terminal device and/or MAC-S calculated according to the indication information.
第七方面,本申请实施例提供另一种通信方法,该方法可由终端设备执行,该方法包括:终端设备从全球用户标识模块USIM卡接收重同步认证令牌AUTS和USIM卡的配置信息;该终端设备根据USIM卡的配置信息,确定指示信息,该指示信息用于指示USIM卡计算AUTS所采用的第一AUTS算法;终端设备对AUTS和指示信息进行加密,以得到加密重同步认证令牌AUTS*;终端设备向接入管理网元发送所述AUTS*。In a seventh aspect, the embodiments of the present application provide another communication method, which can be executed by a terminal device, and the method includes: the terminal device receives a resynchronization authentication token AUTS from a global subscriber identity module USIM card and configuration information of the USIM card; The terminal device determines the indication information according to the configuration information of the USIM card, the indication information is used to indicate the first AUTS algorithm used by the USIM card to calculate AUTS; the terminal device encrypts the AUTS and the indication information to obtain the encrypted resynchronization authentication token AUTS *; The terminal device sends the AUTS* to the access management network element.
本申请实施例中,终端设备可根据USIM卡的配置信息确定USIM卡所采用的AUTS算法,进而将用于指示USIM卡采用的AUTS算法的指示信息和USIM卡计算得到的AUTS一起进行加密后,发送给统一数据管理网元,如此,可使得重同步过程可以正常进行,同时又避免由于USIM卡的限定或不适配,而可能导致的无法生成指示信息或进行加密处理的问题,从而增强该方法的适用性。In the embodiment of this application, the terminal device can determine the AUTS algorithm used by the USIM card according to the configuration information of the USIM card, and then encrypt the indication information used to indicate the AUTS algorithm used by the USIM card and the AUTS calculated by the USIM card. Send it to the unified data management network element. In this way, the resynchronization process can be performed normally, and at the same time, the problem of inability to generate instruction information or encryption processing that may be caused by the limitation or incompatibility of the USIM card is avoided, thereby enhancing the Applicability of the method.
在第七方面的一种可能的设计中,所述配置信息包括下列信息中的一项或多项:USIM 卡支持的AUTS算法、USIM卡是否支持特定类型的AUTS算法、USIM卡的类型信息和USIM卡的版本信息。In a possible design of the seventh aspect, the configuration information includes one or more of the following information: the AUTS algorithm supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and Version information of the USIM card.
第八方面,本申请实施例提供另一种通信方法,该方法可由USIM卡执行,该USIM卡可以安装于终端设备中,该方法包括:全球用户标识模块USIM卡计算重同步认证令牌AUTS,该USIM卡将计算的AUTS和该USIM卡的配置信息发送至终端设备。In an eighth aspect, the embodiments of the present application provide another communication method, which can be executed by a USIM card, and the USIM card can be installed in a terminal device. The method includes: the global user identity module USIM card calculates the resynchronization authentication token AUTS, The USIM card sends the calculated AUTS and the configuration information of the USIM card to the terminal device.
本申请实施例中,由于USIM卡可将计算的AUTS和该USIM卡的配置信息发送给终端设备,由终端设备自行根据USIM卡的配置信息生成用于指示AUTS算法的指示信息,并将该指示信息和USIM卡计算得到的AUTS一起进行加密后发送给统一数据管理网元,如此,可使得重同步过程可以正常进行,同时又避免由于USIM卡的限定或不适配,而可能导致的无法生成指示信息或进行加密处理的问题,从而增强该方法的适用性。In the embodiment of this application, since the USIM card can send the calculated AUTS and the configuration information of the USIM card to the terminal device, the terminal device itself generates the instruction information for indicating the AUTS algorithm according to the configuration information of the USIM card, and sends the instruction The information is encrypted with the AUTS calculated by the USIM card and then sent to the unified data management network element. In this way, the resynchronization process can be carried out normally, and at the same time, it can avoid the failure to generate due to the limitation or incompatibility of the USIM card. Indicates the problem of information or encryption processing, thereby enhancing the applicability of the method.
在第八方面的一种可能的设计中,所述配置信息包括下列信息中的一项或多项:USIM卡支持的AUTS算法、USIM卡是否支持特定类型的AUTS算法、USIM卡的类型信息和USIM卡的版本信息。In a possible design of the eighth aspect, the configuration information includes one or more of the following information: the AUTS algorithm supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and Version information of the USIM card.
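The procedures of the fourth, fifth, seventh and eighth aspects above, simulated end to end as an added example. This is not code from the patent or from Huawei: the functions f1* and f5*, the protection of AUTS* and the way the indication is encoded are all hashlib/hmac stand-ins chosen here, the two algorithm variants "alg-A" and "alg-B" (standing in for the variants of the patent's Figures 4a and 4b, which are not reproduced on this page), the key values and the USIM configuration dictionary are constructed assumptions. Only the token layout AUTS = (SQN_MS xor AK*) || MAC-S follows 3GPP TS 33.102. The example shows the failure mode the patent addresses (a UDM that assumes the wrong algorithm rejects a valid AUTS) and the fix (the UDM selects the algorithm named by the indication carried in AUTS*, and rejects a modified AUTS* or an unknown indication instead of guessing).

```python
"""Simulation of AUTS resynchronization with an algorithm indication.

Added example, not the patent's code. All primitives are hashlib/hmac
stand-ins for f1*, f5* and the protection of AUTS*; the variants
"alg-A"/"alg-B", the keys and the USIM configuration are constructed.
"""
import hashlib
import hmac
import os

# Constructed values shared by the USIM/terminal and the UDM (assumptions).
K = bytes.fromhex("00112233445566778899aabbccddeeff")         # long-term key
RAND = bytes.fromhex("0123456789abcdeffedcba9876543210")      # network challenge
AMF_STAR = b"\x00\x00"                                        # AMF* used for resync
PROT_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # protects AUTS*

# Two hypothetical AUTS algorithm variants, selected by the indication value.
# Here they differ only in a domain-separation label fed to the stand-ins.
ALG_LABELS = {"alg-A": b"A", "alg-B": b"B"}


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def f1_star(label, sqn_ms):
    """Stand-in for f1*: 64-bit MAC-S over SQN_MS || RAND || AMF*."""
    return hmac.new(K, label + sqn_ms + RAND + AMF_STAR, hashlib.sha256).digest()[:8]


def f5_star(label):
    """Stand-in for f5*: 48-bit anonymity key AK* that conceals SQN_MS."""
    return hmac.new(K, label + RAND, hashlib.sha256).digest()[:6]


def compute_auts(sqn_ms, alg):
    """USIM side: AUTS = (SQN_MS xor AK*) || MAC-S, with the named variant."""
    label = ALG_LABELS[alg]
    return xor(sqn_ms, f5_star(label)) + f1_star(label, sqn_ms)


def verify_auts(auts, alg):
    """UDM side (fifth aspect): recover SQN_MS with the selected algorithm,
    recompute the MAC and compare it with the MAC-S carried in AUTS."""
    label = ALG_LABELS[alg]
    conc, mac_s = auts[:6], auts[6:]
    sqn_ms = xor(conc, f5_star(label))
    if hmac.compare_digest(f1_star(label, sqn_ms), mac_s):
        return True, sqn_ms
    return False, None


def protect(indication, auts):
    """Terminal side (fourth aspect): AUTS* = protected(indication || AUTS).
    Stand-in encrypt-then-MAC: SHAKE-256 keystream XOR plus an HMAC tag."""
    nonce = os.urandom(12)
    plain = bytes([len(indication)]) + indication + auts
    keystream = hashlib.shake_256(PROT_KEY + nonce).digest(len(plain))
    ct = xor(plain, keystream)
    tag = hmac.new(PROT_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unprotect(auts_star):
    """UDM side: check the tag, decrypt, split into (indication, AUTS).
    Returns None if AUTS* was modified in transit."""
    nonce, ct, tag = auts_star[:12], auts_star[12:-16], auts_star[-16:]
    expected = hmac.new(PROT_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        return None
    plain = xor(ct, hashlib.shake_256(PROT_KEY + nonce).digest(len(ct)))
    n = plain[0]
    return plain[1:1 + n], plain[1 + n:]


def indication_from_usim_config(usim_config):
    """Terminal side (seventh aspect): derive the indication from the USIM
    card's configuration information rather than asking the card for it."""
    return usim_config["auts_algorithm"].encode()


def terminal_resync(sqn_ms, usim_config):
    """Whole terminal flow: the USIM computes AUTS with the algorithm it
    supports (eighth aspect), the terminal derives the indication and builds AUTS*."""
    auts = compute_auts(sqn_ms, usim_config["auts_algorithm"])
    return protect(indication_from_usim_config(usim_config), auts)


def udm_handle_resync(auts_star):
    """Whole UDM flow: open AUTS*, select the algorithm named by the indication,
    verify AUTS. Returns (ok, sqn_ms); never falls back to guessing."""
    opened = unprotect(auts_star)
    if opened is None:
        return False, None
    indication, auts = opened
    alg = indication.decode(errors="replace")
    if alg not in ALG_LABELS:
        return False, None
    return verify_auts(auts, alg)


if __name__ == "__main__":
    sqn = bytes.fromhex("00000000002a")                      # constructed SQN_MS
    usim = {"auts_algorithm": "alg-B", "type": "toy", "version": "1"}
    auts = compute_auts(sqn, "alg-B")
    print("UDM assuming alg-A:", verify_auts(auts, "alg-A")[0])
    print("UDM using indication:", udm_handle_resync(terminal_resync(sqn, usim)))
```

The first print shows the mismatch case (verification fails although the token is valid); the second shows the UDM recovering SQN_MS once the indication tells it which variant to use. The length prefix on the indication is only a framing choice for this toy; a real encoding would be fixed by the specification.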
In a ninth aspect, an embodiment of this application provides a communication apparatus that has the function of the unified data management network element in the first aspect or any possible design of the first aspect, or of the unified data management network element in the third aspect or any possible design of the third aspect, or of the unified data management network element in the fifth aspect or any possible design of the fifth aspect, or of the unified data storage network element in the second aspect or any possible design of the second aspect. The apparatus may be a network device, or a component of a network device such as a chip.
The apparatus may also have the function of the terminal device in the fourth aspect or any possible design of the fourth aspect, in the sixth aspect or any possible design of the sixth aspect, or in the seventh aspect or any possible design of the seventh aspect. The apparatus may be a terminal device, such as a handheld terminal device, a vehicle-mounted terminal device, vehicle user equipment or a roadside unit; a component of a terminal device, such as a chip; or an apparatus that contains a terminal device, such as a vehicle.
The apparatus may also have the function of the USIM card in the eighth aspect or any possible design of the eighth aspect; the USIM card may be a component of a terminal device, such as a chip.
The functions of the communication apparatus may be implemented by hardware, or by hardware executing corresponding software, where the hardware or software includes one or more modules corresponding to those functions.
In a possible design, the apparatus includes a processing module and a transceiver module. The processing module is configured to support the apparatus in performing the functions of the unified data management network element in the first aspect or any design of the first aspect, of the unified data storage network element in the second aspect or any design of the second aspect, of the unified data management network element in the third aspect or any design of the third aspect, of the terminal device in the fourth aspect or any design of the fourth aspect, of the unified data management network element in the fifth aspect or any design of the fifth aspect, of the terminal device in the sixth aspect or any design of the sixth aspect, of the terminal device in the seventh aspect or any design of the seventh aspect, or of the USIM card in the eighth aspect or any design of the eighth aspect. The transceiver module supports communication between the apparatus and other communication devices; for example, when the apparatus is a unified data management network element, it obtains the indication information corresponding to the terminal device from the unified data storage network element. The communication apparatus may further include a storage module coupled to the processing module, which stores the program instructions and data the apparatus needs. As an example, the processing module may be a processor, the communication module may be a transceiver, and the storage module may be a memory; the memory may be integrated with the processor or provided separately from it, which this application does not limit.
In another possible design, the apparatus includes a processor and may further include a memory. The processor is coupled to the memory and can execute the computer program instructions stored in the memory so that the apparatus performs the method in any one of the first to eighth aspects or any possible design of those aspects. Optionally, the apparatus further includes a communication interface coupled to the processor. When the apparatus is a network device or a terminal device, the communication interface may be a transceiver or an input/output interface; when the apparatus is a chip contained in a network device or a terminal device, the communication interface may be the input/output interface of the chip. Optionally, the transceiver may be a transceiver circuit, and the input/output interface may be an input/output circuit.
In a tenth aspect, an embodiment of this application provides a chip system including a processor coupled to a memory, where the memory stores a program or instructions that, when executed by the processor, cause the chip system to implement the method in any one of the first to eighth aspects or any possible design of those aspects.
Optionally, the chip system further includes an interface circuit for passing code instructions to the processor.
Optionally, the chip system may include one or more processors, which may be implemented in hardware or in software. When implemented in hardware, a processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, a processor may be a general-purpose processor that operates by reading software code stored in the memory.
Optionally, the chip system may also include one or more memories. A memory may be integrated with the processor or provided separately from it, which this application does not limit. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated on the same chip as the processor or placed on a separate chip; this application does not specifically limit the type of memory or how the memory and the processor are arranged.
In an eleventh aspect, an embodiment of this application provides a computer-readable storage medium storing a computer program or instructions that, when executed, cause a computer to perform the method in any one of the first to eighth aspects or any possible design of those aspects.
In a twelfth aspect, an embodiment of this application provides a computer program product that, when read and executed by a computer, causes the computer to perform the method in any one of the first to eighth aspects or any possible design of those aspects.
In a thirteenth aspect, an embodiment of this application provides a communication system that includes a unified data management network element and a terminal device. Optionally, a USIM card is provided in the terminal device. Optionally, the communication system may further include one or more of an access network device, an access management network element, an authentication service function network element and a unified data storage network element.
Description of the drawings
FIG. 1 is a schematic diagram of the network architecture of a communication system to which an embodiment of this application applies;
FIG. 2 is a schematic flowchart of a communication method provided by an embodiment of this application;
FIG. 3 is a schematic diagram of AUTN verification provided by an embodiment of this application;
FIG. 4a and FIG. 4b are schematic diagrams of AUTS algorithms provided by an embodiment of this application;
FIG. 5 is a specific example of the communication method provided by an embodiment of this application;
FIG. 6 is a schematic flowchart of another communication method provided by an embodiment of this application;
FIG. 7 is a schematic flowchart of yet another communication method provided by an embodiment of this application;
FIG. 8 is another specific example of the communication method provided by an embodiment of this application;
FIG. 9 is a schematic flowchart of yet another communication method provided by an embodiment of this application;
FIG. 10 is yet another specific example of the communication method provided by an embodiment of this application;
FIG. 11 is a schematic structural diagram of a communication apparatus provided by an embodiment of this application;
FIG. 12 is another schematic structural diagram of a communication apparatus provided by an embodiment of this application;
FIG. 13 is a schematic structural diagram of another communication apparatus provided by an embodiment of this application;
FIG. 14 is another schematic structural diagram of another communication apparatus provided by an embodiment of this application.
具体实施方式Detailed ways
为了使本申请实施例的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施例作进一步地详细描述。In order to make the objectives, technical solutions, and advantages of the embodiments of the present application clearer, the embodiments of the present application will be further described in detail below with reference to the accompanying drawings.
本申请实施例的技术方案可以应用于各种通信系统,例如:全球移动通信(global system for mobile communications,GSM)系统、码分多址(code division multiple access,CDMA)系统、宽带码分多址(wideband code division multiple access,WCDMA)系统、通用分组无线业务(general packet radio service,GPRS)、长期演进(long term evolution,LTE)系统、LTE频分双工(frequency division duplex,FDD)系统、LTE时分双工(time division duplex,TDD)、通用移动通信系统(universal mobile telecommunication system,UMTS)、全球互联微波接入(worldwide interoperability for microwave access,WIMAX)通信系统、第五代(5th generation,5G)系统或新无线(new radio,NR),或者应用于未来的通信系统或其它类似的通信系统等。The technical solutions of the embodiments of this application can be applied to various communication systems, such as: global system for mobile communications (GSM) system, code division multiple access (CDMA) system, broadband code division multiple access (wideband code division multiple access, WCDMA) system, general packet radio service (GPRS), long term evolution (LTE) system, LTE frequency division duplex (FDD) system, LTE Time division duplex (TDD), universal mobile telecommunication system (UMTS), worldwide interoperability for microwave access (WIMAX) communication system, fifth generation (5G) The system or new radio (NR), or applied to future communication systems or other similar communication systems, etc.
请参考图1,为本申请实施例适用的一种通信系统的网络架构示意图,该网络架构中包括终端设备、接入网设备、接入管理网元、会话管理网元、用户面网元、策略控制网元、网络切片选择网元、网络仓库功能网元、网络数据分析网元、统一数据管理网元、统一数据存储网元、认证服务功能网元、网络能力开放网元、应用功能网元,以及连接运营商网 络的数据网络(data network,DN)。终端设备可通过接入网设备、用户面网元向数据网络发送业务数据,以及从数据网络接收业务数据。Please refer to FIG. 1, which is a schematic diagram of a network architecture of a communication system to which an embodiment of this application is applicable. The network architecture includes terminal equipment, access network equipment, access management network elements, session management network elements, user plane network elements, Policy control network element, network slicing selection network element, network warehouse function network element, network data analysis network element, unified data management network element, unified data storage network element, authentication service function network element, network capability opening network element, application function network Yuan, and the data network (DN) connected to the operator’s network. The terminal device can send service data to and receive service data from the data network through the access network device and the user plane network element.
其中,终端设备是一种具有无线收发功能的设备,可以部署在陆地上,包括室内或室外、手持、穿戴或车载;也可以部署在水面上(如轮船等);还可以部署在空中(例如飞机、气球和卫星上等。所述终端设备可以经无线接入网(radio access network,RAN)与核心网进行通信,与RAN交换语音和/或数据。所述终端设备可以是手机(mobile phone)、平板电脑(Pad)、带无线收发功能的电脑、移动互联网设备(mobile internet device,MID)、可穿戴设备、虚拟现实(virtual reality,VR)终端设备、增强现实(augmented reality,AR)终端设备、工业控制(industrial control)中的无线终端、无人驾驶(self driving)中的无线终端、远程医疗(remote medical)中的无线终端、智能电网(smart grid)中的无线终端、运输安全(transportation safety)中的无线终端、智慧城市(smart city)中的无线终端、智慧家庭(smart home)中的无线终端等等。本申请的实施例对应用场景不做限定。终端设备有时也可以称为用户设备(user equipment,UE)、移动台和远方站等,本申请的实施例对终端设备所采用的具体技术、设备形态以及名称不做限定。Among them, the terminal device is a device with wireless transceiver function, which can be deployed on land, including indoor or outdoor, handheld, wearable or vehicle-mounted; it can also be deployed on the water (such as ships, etc.); it can also be deployed in the air (such as Airplanes, balloons, satellites, etc. The terminal device can communicate with the core network via a radio access network (RAN), and exchange voice and/or data with the RAN. The terminal device can be a mobile phone (mobile phone). ), tablet computers (Pad), computers with wireless transceiver functions, mobile Internet devices (MID), wearable devices, virtual reality (VR) terminal devices, augmented reality (AR) terminals Equipment, wireless terminals in industrial control, wireless terminals in self-driving, wireless terminals in remote medical, wireless terminals in smart grid, transportation safety ( The wireless terminal in transportation safety, the wireless terminal in the smart city, the wireless terminal in the smart home, etc. The embodiments of this application do not limit the application scenarios. Terminal equipment may also be called sometimes For user equipment (UE), mobile stations, remote stations, etc., the embodiments of the present application do not limit the specific technology, device form, and name adopted by the terminal device.
接入网设备,是网络中用于将终端设备接入到无线网络的设备。所述接入网设备可以为无线接入网中的节点,又可以称为基站,还可以称为无线接入网(radio access network,RAN)节点(或设备)。网络设备可以包括长期演进(long term evolution,LTE)系统或演进的LTE系统(LTE-Advanced,LTE-A)中的演进型基站(NodeB或eNB或e-NodeB,evolutional Node B),如传统的宏基站eNB和异构网络场景下的微基站eNB,或者也可以包括第五代移动通信技术(5th generation,5G)新无线(new radio,NR)系统中的下一代节点B(next generation node B,gNB),或者还可以包括无线网络控制器(radio network controller,RNC)、节点B(Node B,NB)、基站控制器(base station controller,BSC)、基站收发台(base transceiver station,BTS)、传输接收点(transmission reception point,TRP)、家庭基站(例如,home evolved NodeB,或home Node B,HNB)、基带单元(base band unit,BBU)、基带池BBU pool,或WiFi接入点(access point,AP)等,再或者还可以包括云接入网(cloud radio access network,CloudRAN)系统中的集中式单元(centralized unit,CU)和分布式单元(distributed unit,DU),本申请实施例并不限定。在接入网设备包括CU和DU的分离部署场景中,CU支持无线资源控制(radio resource control,RRC)、分组数据汇聚协议(packet data convergence protocol,PDCP)、业务数据适配协议(service data adaptation protocol,SDAP)等协议;DU主要支持无线链路控制层(radio link control,RLC)、媒体接入控制层(media access control,MAC)和物理层协议。Access network equipment is a device used to connect terminal equipment to the wireless network in the network. The access network device may be a node in a radio access network, may also be called a base station, or may be called a radio access network (RAN) node (or device). 
The network equipment may include the evolved base station (NodeB or eNB or e-NodeB, evolutional Node B) in the long term evolution (LTE) system or the evolved LTE system (LTE-Advanced, LTE-A), such as the traditional The macro base station eNB and the micro base station eNB in the heterogeneous network scenario may also include the next generation node B (next generation node B) in the new radio (NR) system of the fifth generation mobile communication technology (5th generation, 5G) , GNB), or may also include radio network controller (RNC), node B (Node B, NB), base station controller (BSC), base transceiver station (base transceiver station, BTS) , Transmission reception point (TRP), home base station (for example, home evolved NodeB, or home Node B, HNB), baseband unit (BBU), baseband pool BBU pool, or WiFi access point ( access point, AP), etc., or may also include the centralized unit (CU) and distributed unit (DU) in the cloud radio access network (CloudRAN) system. This application is implemented The examples are not limited. In a separate deployment scenario where access network equipment includes CU and DU, CU supports radio resource control (radio resource control, RRC), packet data convergence protocol (packet data convergence protocol, PDCP), and service data adaptation protocol (service data adaptation). Protocol, SDAP) and other protocols; DU mainly supports radio link control (RLC), media access control (MAC) and physical layer protocols.
An access management network element is mainly used for attachment, mobility management and tracking area update procedures of terminals in the mobile network. The access management network element terminates non-access stratum (NAS) messages, performs registration management, connection management, reachability management, allocation of the tracking area list (TA list) and mobility management, and transparently routes session management (SM) messages to the session management network element. In a fifth generation (5G) communication system, the access management network element may be the access and mobility management function (AMF); in a future communication system (such as a 6G communication system), the mobility management network element may still be an AMF network element or may have another name, which this application does not limit.
A session management network element is mainly used for session management in the mobile network, such as session establishment, modification and release. Its specific functions include allocating Internet protocol (IP) addresses to terminals and selecting user plane network elements that provide packet forwarding. In a 5G communication system, the session management network element may be the session management function (SMF); in a future communication system (such as a 6G communication system), the session management network element may still be an SMF network element or may have another name, which this application does not limit.
A user plane network element is mainly used to process user packets, for example forwarding, charging and lawful interception. The user plane network element may also be called a protocol data unit (PDU) session anchor (PSA). In a 5G communication system, the user plane network element may be the user plane function (UPF); in a future communication system (such as a 6G communication system), the user plane network element may still be a UPF network element or may have another name, which this application does not limit.
A policy control network element includes user subscription data management, policy control, charging policy control, quality of service (QoS) control and similar functions. In a 5G communication system, the policy control network element may be the policy control function (PCF); in a future communication system (such as a 6G communication system), the policy control network element may still be a PCF network element or may have another name, which this application does not limit.
An authentication service function network element is mainly used for security authentication of terminal devices. In a 5G communication system, the authentication service function network element may be the authentication server function (AUSF); in a future communication system (such as a 6G communication system), the authentication service function network element may still be an AUSF network element or may have another name, which this application does not limit.
A unified data management network element is mainly used to manage the subscription information of terminal devices. For example, during the authentication process it computes the authentication vector, performs key derivation and decrypts the user identifier; during the resynchronization procedure it verifies the AUTS according to the corresponding algorithm and initiates a re-authentication procedure. In a 5G communication system, the unified data management network element may be the unified data management (UDM); in a future communication system (such as a 6G communication system), the unified data management network element may still be a UDM network element or may have another name, which this application does not limit.
A unified data storage network element is mainly used to store structured data, including subscription information, policy information, and network data or service data defined in a standard format. In a 5G communication system, the unified data storage network element may be the unified data repository (UDR); in a future communication system (such as a 6G communication system), the unified data storage network element may still be a UDR network element or may have another name, which this application does not limit.
A network slice selection function network element is mainly used to select a suitable network slice for the services of a terminal device. In a 5G communication system, the network slice selection network element may be the network slice selection function (NSSF) network element; in a future communication system (such as a 6G communication system), the network slice selection network element may still be an NSSF network element or may have another name, which this application does not limit.
A network repository function network element is mainly used to provide registration and discovery of network elements and of the services they offer. In a 5G communication system, the network repository function network element may be the network repository function (NRF); in a future communication system (such as a 6G communication system), the network repository function network element may still be an NRF network element or may have another name, which this application does not limit.
A network data analytics network element can collect data from the various network functions (NF), for example the policy control network element, the session management network element, the user plane network element, the access management network element and the application function network element (via the network exposure network element), and perform analysis and prediction on it. In a 5G communication system, the network data analytics network element may be the network data analytics function (NWDAF); in a future communication system (such as a 6G communication system), the network data analytics network element may still be an NWDAF network element or may have another name, which this application does not limit.
A network exposure network element can expose part of the network's functions to applications in a controlled manner. In a 5G communication system, the network exposure network element may be the network exposure function (NEF); in a future communication system (such as a 6G communication system), the network exposure network element may still be a NEF network element or may have another name, which this application does not limit.
An application function network element can provide service data of various applications to the control plane network elements of the operator's communication network, or obtain network data information and control information from those control plane network elements. In a 5G communication system, the application function network element may be the application function (AF); in a future communication system (such as a 6G communication system), the application function network element may still be an AF network element or may have another name, which this application does not limit.
A data network is mainly used to provide data transmission services to terminal devices. The data network may be a private network, such as a local area network; a public data network (PDN), such as the Internet; or a dedicated network jointly deployed by operators, such as a configured IP multimedia core network subsystem (IMS) service.
It should be understood that the network elements or functions above may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform).
For ease of description, the rest of this application takes the case in which the unified data management network element is a UDM network element, the authentication service function network element is an AUSF network element and the access management network element is an AMF network element. Further, the UDM network element is abbreviated as UDM, the AUSF network element as AUSF and the AMF network element as AMF. That is, wherever UDM appears below it may be replaced by the unified data management network element, AUSF by the authentication service function network element, and AMF by the access management network element.
It should be noted that the terms "system" and "network" in the embodiments of this application may be used interchangeably. "Multiple" means two or more; accordingly, "multiple" may also be understood as "at least two" in the embodiments of this application. "At least one" may be understood as one or more, for example one, two or more. For example, "including at least one" means including one, two or more, without limiting which ones are included. For example, "including at least one of A, B and C" may mean including A, B, C, A and B, A and C, B and C, or A and B and C. The same understanding applies to expressions such as "at least one type". "And/or" describes an association between objects and indicates that three relationships are possible; for example, "A and/or B" may mean A alone, A and B together, or B alone. In addition, unless otherwise specified, the character "/" generally indicates an "or" relationship between the objects before and after it.
Unless otherwise stated, ordinal numbers such as "first" and "second" in the embodiments of this application are used to distinguish multiple objects and do not limit their order, timing, priority or importance; nor do the descriptions "first" and "second" require the objects to be different.
Embodiment 1
Please refer to Fig. 2, a schematic flowchart of a communication method provided by an embodiment of this application. The method specifically includes the following steps:
Step S201: the UDM receives an authentication service request.
Optionally, the authentication service request includes a resynchronization authentication token AUTS, which is used to indicate that the terminal device has determined that the sequence number SQN in the authentication token (AUTN) is not within the correct range.
In the embodiments of this application, in one implementation, the UDM may receive the authentication service request from the AMF or from the AUSF. That is, the AMF may send the authentication service request directly to the UDM, or it may first send the authentication service request to the AUSF, which then forwards the authentication service request to the terminal device.
Optionally, the UDM may also receive the authentication service request from another network function NF, which this application does not limit.
Further, the embodiments of this application may be applied during the authentication of a terminal device. The terminal device determining that the sequence number SQN in the authentication token AUTN is not within the correct range may mean that the terminal device determines that the sequence number in the authentication token AUTN is less than or equal to the sequence number SQN_MS stored in the terminal device.
Specifically, before step S201 is performed, the terminal device may receive an authentication request message from the AMF. The authentication request message includes a random number RAND and an authentication token AUTN, and the authentication token AUTN in turn includes parameters such as the sequence number SQN, the anonymity key (AK), the authentication management field (authentication and key agreement, AMF) and the message authentication code (MAC). The terminal device may verify the authentication token AUTN included in the authentication request message. If the terminal device finds that the sequence number SQN in the authentication token AUTN is not within the correct range, it may generate a resynchronization authentication token AUTS and send an authentication failure message to the AMF, carrying the computed resynchronization authentication token AUTS; the AUTS indicates that the terminal device has determined that the sequence number SQN in the authentication token AUTN is not within the correct range. Subsequently, after receiving the authentication failure message from the terminal device, the AMF may send an authentication service request to the UDM or the AUSF, and the authentication service request includes the resynchronization authentication token AUTS computed by the terminal device.
Optionally, a universal subscriber identity module (USIM) card may be installed in the terminal device. The USIM card is the SIM card issued by the operator to the user; it stores a root key K that matches the one held on the home network side, together with a set of subscription configuration information. After receiving the authentication request message from the AMF, the terminal device may pass the random number RAND and the authentication token AUTN it contains to the USIM card in the terminal device, and the USIM card verifies the authentication token AUTN.
As shown in Fig. 3, the USIM card may first compute an expected message authentication code (XMAC) from the authentication token AUTN, the random number RAND and the root key K, and then compare the resulting XMAC with the MAC in the authentication token AUTN. If XMAC and MAC differ, the MAC check has failed; the terminal device may send an authentication failure message to the AMF indicating MAC failure as the specific cause, and the AMF then initiates a re-authentication procedure based on that authentication failure message.
If XMAC and MAC match, the MAC check has succeeded, and the USIM card may go on to verify the sequence number SQN in the authentication token AUTN. The USIM card may compare the sequence number SQN in the authentication token AUTN with the sequence number SQN_MS stored on the USIM card. If the SQN in the authentication token AUTN is out of the correct range, that is, the sequence number SQN in the authentication token AUTN is less than or equal to the sequence number SQN_MS stored on the USIM card, the SQN check is considered to have failed and the USIM card may compute an AUTS. The terminal device may then send an authentication failure message to the AMF indicating synchronization failure (synch failure) as the specific cause. That authentication failure message also includes the resynchronization authentication token AUTS computed by the USIM card after the SQN check failed; the AUTS indicates that the USIM card has determined that the sequence number SQN in the AUTN is not within the correct range. Optionally, the authentication failure message may also include the random number RAND.
In the embodiments of this application, the terminal device (or USIM card) may compute the AUTS using any of several possible AUTS algorithms. Please refer to Fig. 4a, a schematic diagram of one AUTS algorithm provided by an embodiment of this application. In this AUTS algorithm, AUTS satisfies the following relation (formula one):

AUTS = (SQN_MS ⊕ AK) ∥ MAC-S

From formula one, AUTS is the exclusive OR of SQN_MS and AK, concatenated with MAC-S. Here SQN_MS is the terminal device sequence number, which may also be understood as the highest sequence number accepted by the USIM card; ⊕ (or xor) denotes exclusive OR; AK is the anonymity key, with AK = f5*(RAND, K), where f5*() is a function whose parameters are RAND and K, RAND is a random number and K is the root key; ∥ denotes concatenation; MAC-S is the message authentication code computed by the USIM card, which provides encryption and integrity protection for SQN_MS, with MAC-S = f1*(SQN_MS, K, RAND, AMF), where f1*() is another function and AMF is the authentication management field.
Please refer to Fig. 4b, a schematic diagram of another AUTS algorithm provided by an embodiment of this application. In this AUTS algorithm, AUTS likewise satisfies the relation in formula one:

AUTS = (SQN_MS ⊕ AK) ∥ MAC-S

It should be noted, however, that the AUTS algorithm shown in Fig. 4b differs from the one shown in Fig. 4a in that MAC-S is also taken as an input when computing the anonymity key AK, that is, AK = f5*(RAND, K, MAC-S), corresponding to the dashed connection in Fig. 4b. Consequently, this AUTS algorithm can effectively prevent guessing attacks against the SQN.
Step S202: the UDM obtains indication information corresponding to the terminal device, where the indication information indicates the first AUTS algorithm that the terminal device used to compute the AUTS.
In the embodiments of this application, the indication information may be associated with the identifier of the terminal device, the identifier of the USIM card, or the user identifier (for example the subscription permanent identifier (SUPI), the international mobile subscriber identity (IMSI) or the generic public subscription identifier (GPSI)), and is used to indicate, directly or indirectly, the first AUTS algorithm that the terminal device (or USIM card) used to compute the resynchronization authentication token AUTS. For example, the indication information may be the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to compute the AUTS; or it may include that identifier; or there may be some mapping between the indication information and the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to compute the AUTS; or the indication information may indicate whether the terminal device (or USIM card) supports the new AUTS algorithm; or it may indicate whether the USIM card is a new card; or it may be information such as the type, batch or release of the USIM card. It should be understood that the first AUTS algorithm may be one of the two AUTS algorithms described above or some other AUTS algorithm, which this application does not limit.
In one possible design, the indication information corresponding to the terminal device may be preconfigured in the UDM. In that case, after receiving the authentication failure message, the UDM may obtain or look up the indication information corresponding to the terminal device from its local configuration according to the identifier of the terminal device, the identifier of the USIM card or the user identifier (for example the SUPI), and then determine from that indication information the first AUTS algorithm that the terminal device (or USIM card) used to compute the AUTS.
Optionally, the indication information corresponding to the terminal device may be contained in the subscription data of the terminal device, which may also be called user subscription data. That is, the UDM stores the user subscription data of the terminal device, and the operator may set the indication information above in the user subscription data of the terminal device in advance, thereby directly or indirectly indicating the first AUTS algorithm that the terminal device (or USIM card) uses to compute the AUTS.
Optionally, the UDM may also maintain a per-user subscription feature list indicating which features the terminal device (or USIM card) does or does not support, for example whether it supports the new AUTS algorithm, or the type, batch or release information of the USIM card. The UDM may likewise determine the first AUTS algorithm that the terminal device (or USIM card) uses to compute the AUTS from the features listed as supported in the subscription feature list corresponding to that terminal device. That is, the subscription feature list corresponding to the terminal device may also be understood as one specific implementation of the indication information above.
In another possible design, the indication information corresponding to the terminal device may instead be configured in the UDR; after receiving the authentication service request, the UDM may obtain the indication information corresponding to the terminal device from the UDR.
For example, the UDR may store the user subscription data of the terminal device, and the operator may set the indication information above in the user subscription data of the terminal device in advance. In that case, after receiving the authentication service request, the UDM may send a service invocation request to the UDR according to the identifier of the terminal device, the identifier of the USIM card or the user identifier, the service invocation request being used to request the user subscription data of the terminal device. Optionally, the service invocation request may include the identifier of the terminal device, the identifier of the USIM card or the user identifier. The service invocation request may also be called a service request, a service request message, a service invocation request message or similar, which this application does not limit.
The UDR may receive the service invocation request and send a service response to the UDM, where the service response is sent in response to the service invocation request from the UDM and includes the indication information corresponding to the terminal device. The indication information may be contained in the user subscription data of the terminal device carried in the service response, or in another or newly added information element of the service response message, which this application does not limit. Optionally, the service response may also include the subscription feature list corresponding to the terminal device.
It should be understood that the indication information corresponding to the terminal device may also be configured in the UDR on its own, rather than as part of the user subscription data of the terminal device. In that case, the service invocation request sent by the UDM to the UDR may request the indication information corresponding to the terminal device, and accordingly the service response returned by the UDR to the UDM may include the indication information corresponding to the terminal device without including the user subscription data of the terminal device. Optionally, the service response may also include the subscription feature list corresponding to the terminal device.
Step S203: the UDM verifies the AUTS according to the first AUTS algorithm.
Optionally, the UDM may determine the first AUTS algorithm from the identifier of the terminal device included in the authentication service request and the indication information corresponding to the terminal device obtained in step S202.
Specifically, the UDM verifying the AUTS with the first AUTS algorithm may include: using the first AUTS algorithm to recover the mobile terminal sequence number SQN_MS from the AUTS, and then computing a MAC; if the computed MAC matches the MAC-S contained in the AUTS, the AUTS verification succeeds.
If the AUTS verification succeeds, the UDM may resynchronize the SQN stored on the network side and then re-initiate the authentication procedure for the terminal device using the resynchronized SQN.
It follows that, by configuring indication information corresponding to the terminal device in the UDM or the UDR, the UDM can identify the AUTS algorithm that the terminal device (or USIM card) used to compute the AUTS and verify the AUTS computed by the terminal device with the same algorithm. This avoids the resynchronization failures caused by the UDM and the terminal device using different AUTS algorithms, so that the resynchronization procedure and the subsequent authentication of the terminal device can proceed normally.
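The following is an added example, not code from the patent or from any 3GPP implementation. It models both AUTS variants from Figs. 4a and 4b and the UDM-side flow of steps S202 and S203: the USIM builds AUTS = (SQN_MS ⊕ AK) ∥ MAC-S, the UDM looks up the per-subscriber indication information, recovers SQN_MS with the indicated algorithm and checks MAC-S, and a mismatch between the two sides' algorithms shows up as the verification failure the text describes. The functions f1* and f5* are assumptions standing in for the operator-specific algorithms (HMAC-SHA256 truncated to the 3GPP field sizes), and the subscription records, keys, SUPIs and algorithm labels are constructed.

```python
import hmac
import hashlib

# Field sizes follow 3GPP TS 33.102: SQN 48 bit, AMF 16 bit, MAC-S 64 bit, so AUTS is 14 bytes.
SQN_LEN, MAC_S_LEN = 6, 8

# Constructed labels for the two algorithm variants the indication information distinguishes.
ALGO_FIG4A = "auts-legacy"   # AK = f5*(RAND, K)
ALGO_FIG4B = "auts-new"      # AK = f5*(RAND, K, MAC-S)


def f1_star(k: bytes, sqn_ms: bytes, rand: bytes, amf: bytes) -> bytes:
    """Stand-in for f1* (assumption, not MILENAGE): 64-bit MAC-S over SQN_MS, RAND and AMF."""
    return hmac.new(k, b"f1*" + sqn_ms + rand + amf, hashlib.sha256).digest()[:MAC_S_LEN]


def f5_star(k: bytes, rand: bytes, mac_s: bytes = b"") -> bytes:
    """Stand-in for f5* (assumption): 48-bit anonymity key.
    MAC-S is an extra input only in the Fig. 4b variant; the Fig. 4a variant passes b''."""
    return hmac.new(k, b"f5*" + rand + mac_s, hashlib.sha256).digest()[:SQN_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def compute_auts(k: bytes, sqn_ms: bytes, rand: bytes, amf: bytes, algo: str) -> bytes:
    """USIM side (Fig. 3): after the SQN check fails, build AUTS = (SQN_MS xor AK) || MAC-S."""
    mac_s = f1_star(k, sqn_ms, rand, amf)
    ak = f5_star(k, rand, mac_s if algo == ALGO_FIG4B else b"")
    return xor(sqn_ms, ak) + mac_s


def verify_auts(k: bytes, auts: bytes, rand: bytes, amf: bytes, algo: str):
    """UDM side (step S203): recover SQN_MS with the indicated algorithm and check MAC-S.
    Returns SQN_MS on success and None on failure."""
    conc, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    ak = f5_star(k, rand, mac_s if algo == ALGO_FIG4B else b"")
    sqn_ms = xor(conc, ak)
    if hmac.compare_digest(f1_star(k, sqn_ms, rand, amf), mac_s):
        return sqn_ms
    return None


# Constructed subscription data (step S202): per-subscriber root key K plus the indication
# information telling the UDM which AUTS algorithm this USIM uses.
SUBSCRIPTIONS = {
    "imsi-001010000000001": {"k": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
                             "auts_algo": ALGO_FIG4A},
    "imsi-001010000000002": {"k": bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
                             "auts_algo": ALGO_FIG4B},
}


def udm_handle_resync(supi: str, auts: bytes, rand: bytes, amf: bytes):
    """Steps S202 and S203 together: fetch the indication for this subscriber, then verify
    with exactly that algorithm instead of a network-wide default."""
    sub = SUBSCRIPTIONS[supi]
    return verify_auts(sub["k"], auts, rand, amf, sub["auts_algo"])


def conc_xor_reveals_sqn_delta(k, rand, amf, sqn_a, sqn_b, algo) -> bool:
    """Why Fig. 4b resists SQN guessing: with AK = f5*(RAND, K) only, two AUTS built for the
    same RAND share the same AK, so XORing their first 6 bytes yields SQN_a xor SQN_b.
    Binding MAC-S (which depends on SQN_MS) into AK removes that relation."""
    conc_a = compute_auts(k, sqn_a, rand, amf, algo)[:SQN_LEN]
    conc_b = compute_auts(k, sqn_b, rand, amf, algo)[:SQN_LEN]
    return xor(conc_a, conc_b) == xor(sqn_a, sqn_b)


if __name__ == "__main__":
    rand, amf = bytes(range(16)), b"\x80\x00"        # constructed RAND and AMF
    sqn_ms = bytes.fromhex("000000000fa0")           # constructed SQN_MS held by the USIM
    for supi, sub in SUBSCRIPTIONS.items():
        auts = compute_auts(sub["k"], sqn_ms, rand, amf, sub["auts_algo"])
        recovered = udm_handle_resync(supi, auts, rand, amf)
        print(supi, sub["auts_algo"], "recovered SQN_MS:", recovered.hex())
```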
Refer to FIG. 5, a specific example of the communication method of Embodiment 1, which comprises the following steps:
Step S5001: Configure the indication information in the terminal device's subscription data held in the UDM. The indication information indicates the first AUTS algorithm used by the terminal device (or USIM card) to compute the AUTS. For example, the indication information may be the identifier of that first AUTS algorithm, may contain that identifier, or may map to that identifier; alternatively, it may indicate whether the terminal device (or USIM card) supports the new AUTS algorithm, whether the USIM card is a new card, the type, batch or version of the USIM card, or the list of subscription features of the terminal device (or USIM card). Step S5001 corresponds to one implementation of Embodiment 1, namely configuring the indication information corresponding to the terminal device in the UDM.
Step S5002: Configure the indication information in the terminal device's subscription data held in the UDR, in other information held in the UDR, or independently in the UDR. As above, the indication information indicates the first AUTS algorithm used by the terminal device (or USIM card); for its possible forms see step S5001.
Step S501: The UDM obtains the terminal device's subscription data from the UDR, the subscription data including the indication information corresponding to the terminal device. This step may comprise the UDM sending a service invocation request to the UDR and the UDR returning a service response message in reply, which is not described further here. "Obtaining" may also be understood as querying, invoking, receiving and so on.
Steps S5002 and S501 correspond to the other implementation of Embodiment 1, namely configuring the indication information of the terminal device in the UDR. Step S5001 on the one hand and steps S5002 and S501 on the other are thus two parallel implementations; in practice only one of the two paths needs to be executed.
Step S502: The authentication procedure between the terminal device and the UDM is executed. This includes the AMF sending an authentication request message to the terminal device carrying the random number RAND and the authentication token AUTN.
Step S503: The terminal device verifies the sequence number SQN in the authentication token AUTN. If the SQN is not within the correct range, the terminal device computes the resynchronisation token AUTS and initiates the resynchronisation procedure. Optionally, the terminal device also verifies the message authentication code MAC in AUTN, and the MAC check may be performed before the SQN check. Optionally, the MAC check, the SQN check and the computation of AUTS may be performed by the USIM card in the terminal device.
Step S504: The terminal device sends an authentication failure message to the AMF carrying the resynchronisation token AUTS and the random number RAND.
Step S505: The AMF sends an authentication service request to the AUSF carrying AUTS and RAND. Optionally, the request also carries the terminal device identifier, the USIM card identifier or the subscriber identifier, for example the SUPI. The authentication service request in this step is a service invocation message between network functions; it may also be called a service request message or a service invocation request message, or have another name such as Nausf_UEAuthentication_Authenticate Request; this application does not limit it.
Step S506: The AUSF sends an authentication service request to the UDM carrying AUTS and RAND. Optionally, the request also carries the terminal device identifier, the USIM card identifier or the subscriber identifier, for example the SUPI. This authentication service request is likewise a service invocation message between network functions; it may also be called a service request message or a service invocation request message, or have another name such as Nudm_UEAuthentication_Get; this application does not limit it. The form and content of the authentication service requests in steps S505 and S506 may be the same or different; this application does not limit them.
Step S507: The UDM receives the authentication service request, queries the subscription data using the terminal device identifier, the USIM card identifier or the subscriber identifier (for example the SUPI), determines the indication information corresponding to the terminal device, and from that indication information determines the first AUTS algorithm the terminal device (or USIM card) used to compute AUTS.
Step S508: The UDM verifies AUTS using the first AUTS algorithm and, if verification succeeds, resynchronises the SQN.
Step S509: The authentication procedure between the terminal device and the UDM is executed again.
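The procedure of Embodiment 1 (steps S201 to S203 and S501 to S509) end to end, as an added example that is not code from the patent: a USIM computes AUTS with one of the two anonymity-key variants the page names (AK = f5*(RAND, K) or AK = f5*(RAND, K, MAC-S)), and the UDM selects the variant from a flag in a dictionary that stands in for the UDR subscription record, verifies AUTS and resynchronises SQN. Assumptions: f1* and f5* are HMAC-SHA256 stand-ins for the Milenage functions; field widths follow 3GPP (48-bit SQN and AK, 64-bit MAC-S, 16-bit AMF); the record field names `new_auts_alg` and `SQN_HE`, the SUPI, the key and the RAND are constructed test values. The example also reproduces the failure mode the page describes: verifying a new-algorithm AUTS with the legacy algorithm yields a MAC mismatch.

```python
"""Embodiment 1 (added example, not the patent's code): the UDM learns the UE's
AUTS algorithm from an indication stored in the subscription record, verifies
AUTS with that algorithm and resynchronises SQN.
Assumptions: f1*/f5* are HMAC-SHA256 stand-ins for Milenage; the UDR is a dict;
field widths follow 3GPP (48-bit SQN/AK, 64-bit MAC-S, 16-bit AMF)."""
import hashlib
import hmac

SQN_LEN, MAC_LEN = 6, 8


def _prf(k: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def f1_star(k, rand, sqn, amf):
    """Resynchronisation MAC-S = f1*(K, RAND, SQN_MS, AMF), 64 bit (stand-in)."""
    return _prf(k, b"f1*", rand, sqn, amf)[:MAC_LEN]


def f5_star(k, rand, mac_s=b""):
    """Anonymity key AK, 48 bit (stand-in). mac_s == b"" gives the legacy
    AK = f5*(RAND, K); passing MAC-S gives the newer AK = f5*(RAND, K, MAC-S)."""
    return _prf(k, b"f5*", rand, mac_s)[:SQN_LEN]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ue_compute_auts(alg, k, rand, amf, sqn_ms):
    """USIM side: AUTS = (SQN_MS xor AK) || MAC-S, with AK derived per `alg`."""
    mac_s = f1_star(k, rand, sqn_ms, amf)
    ak = f5_star(k, rand) if alg == "legacy" else f5_star(k, rand, mac_s)
    return _xor(sqn_ms, ak) + mac_s


def udm_verify_auts(alg, k, rand, amf, auts):
    """Step S203/S508: recover SQN_MS with the indicated algorithm, recompute the
    MAC and compare it with MAC-S in constant time. Returns SQN_MS or None."""
    if len(auts) != SQN_LEN + MAC_LEN:
        return None
    conc, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    ak = f5_star(k, rand) if alg == "legacy" else f5_star(k, rand, mac_s)
    sqn_ms = _xor(conc, ak)
    if not hmac.compare_digest(f1_star(k, rand, sqn_ms, amf), mac_s):
        return None
    return sqn_ms


def select_alg(record):
    """Step S202/S507: map the stored indication to an AUTS algorithm. Here the
    indication is a boolean flag `new_auts_alg` (constructed name); a card
    batch/version or a subscription-feature list would be mapped the same way."""
    return "new" if record.get("new_auts_alg") else "legacy"


def udm_handle_resync(udr, supi, rand, amf, auts):
    """Steps S506-S508: look up the subscription by SUPI, pick the algorithm,
    verify AUTS and, on success, adopt SQN_MS as the network-side SQN_HE."""
    record = udr[supi]
    sqn_ms = udm_verify_auts(select_alg(record), record["K"], rand, amf, auts)
    if sqn_ms is None:
        return False  # resync failure: SQN_HE is left untouched
    record["SQN_HE"] = int.from_bytes(sqn_ms, "big")  # next vector uses SQN_HE + 1
    return True


def demo():
    """Constructed scenario: a new-algorithm USIM resyncs against a UDM whose UDR
    record carries the indication; the same AUTS fails under the legacy algorithm."""
    k = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")     # constructed test key
    rand = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")  # constructed RAND
    amf = bytes.fromhex("8000")
    sqn_ms = (0x2A).to_bytes(SQN_LEN, "big")
    supi = "imsi-001010000000001"                                # constructed SUPI
    udr = {supi: {"K": k, "new_auts_alg": True, "SQN_HE": 0x3000}}

    auts = ue_compute_auts("new", k, rand, amf, sqn_ms)
    resynced = udm_handle_resync(udr, supi, rand, amf, auts)
    legacy_ok = udm_verify_auts("legacy", k, rand, amf, auts) is not None
    return resynced, legacy_ok, udr[supi]["SQN_HE"]


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, 0x2A)`: the UDM that reads the indication resynchronises to the USIM's SQN_MS, while a UDM that assumes the legacy AK derivation rejects the very same AUTS, which is exactly the resynchronisation failure the page sets out to avoid.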
Embodiment 2
Refer to FIG. 6, a flow diagram of another communication method provided by an embodiment of this application, which comprises the following steps:
Step S601: The terminal device determines that the sequence number SQN in the authentication token AUTN is not within the correct range.
In this embodiment, before step S601 the terminal device may receive an authentication request message from the AMF carrying the random number RAND and the authentication token AUTN, where AUTN comprises the sequence number SQN (concealed with the anonymity key AK), the authentication management field AMF (the 16-bit field of AUTN, not the AMF network function) and the message authentication code MAC. The terminal device (or the USIM card in it) verifies the AUTN in the authentication request message; if the SQN in AUTN is not within the correct range, for example because it is less than or equal to the sequence number SQN_MS stored in the terminal device (or USIM card), the SQN check is deemed to have failed.
Optionally, the terminal device (or USIM card) first verifies the MAC in AUTN and verifies the SQN in AUTN only after the MAC check succeeds. Verifying the MAC in AUTN means computing an expected MAC, XMAC, from AUTN, RAND and the root key K and comparing it with the MAC in AUTN: if they match, the check succeeds; if not, it fails. Other MAC verification methods may of course also be used; this application does not limit them.
Step S602: The terminal device computes the resynchronisation token AUTS and encrypts AUTS together with the indication information corresponding to the terminal device, obtaining the encrypted resynchronisation token AUTS*.
In step S602, AUTS indicates that the terminal device has determined that the sequence number SQN in AUTN is not within the correct range. The terminal device may compute AUTS with the algorithm shown in FIG. 4a or FIG. 4b, or with another algorithm; this application does not limit it.
The terminal device also generates the indication information corresponding to the terminal device according to the first AUTS algorithm it used to compute AUTS. The indication information is associated with the terminal device identifier, the USIM card identifier or the subscriber identifier (such as the SUPI) and indicates the AUTS algorithm the terminal device used to compute AUTS. For example, the terminal device may generate it from the identifier of the first AUTS algorithm: the indication information may be that identifier, contain it, or map to it. Alternatively, the indication information may be a flag bit indicating whether the terminal device (or USIM card) supports the new AUTS algorithm or whether the USIM card is a new card, for example 1 for supported and 0 for not supported. Alternatively, it may be the type, batch or version of the USIM card, which is associated with the AUTS algorithm the terminal device uses; or it may be the list of subscription features of the terminal device (or USIM card), the supported subscription features likewise being associated with the first AUTS algorithm the terminal device uses.
The terminal device's encryption of AUTS and the indication information can be expressed as:
AUTS* = Enc(K, AUTS, indication)   (Formula 2)
where K is the encryption key, AUTS* the encrypted resynchronisation token, Enc() the encryption function, AUTS the resynchronisation token and indication the indication information corresponding to the terminal device.
By encrypting AUTS and the indication information and sending the encrypted AUTS* to the UDM, both AUTS and the indication information are protected, which allows the resynchronisation procedure to proceed normally and improves the security of the authentication procedure.
Note that in this embodiment the terminal device may encrypt AUTS and the indication information with the root key K, with the public key of the home network, or with the mechanism by which the SUPI is concealed into a subscription concealed identifier (SUCI); this application does not limit it. That is, the encryption key K in Formula 2 may be the root key K or the public key of the home network. The terminal device may of course also use other encryption algorithms; this application likewise does not limit them.
Optionally, steps S601 and S602 may be performed by the USIM card in the terminal device.
Step S603: The terminal device sends an authentication failure message to the AMF carrying the encrypted resynchronisation token AUTS*.
Step S604: The AMF sends an authentication service request to the UDM, or the AMF sends it to the AUSF, which forwards the received authentication service request to the UDM; the request carries AUTS*.
Step S605: The UDM receives from the AMF or the AUSF the authentication service request carrying AUTS*, which indicates that the terminal device has determined that the sequence number SQN in AUTN is not within the correct range.
Step S606: The UDM decrypts AUTS* to obtain the resynchronisation token AUTS and the indication information corresponding to the terminal device, which indicates the first AUTS algorithm the terminal device used to compute AUTS.
In step S606 the UDM may decrypt AUTS* with the root key K, with the private key of the home network, or with the mechanism by which a SUCI is de-concealed into the SUPI. The UDM may of course also use other decryption algorithms; this application does not limit them.
Note that the decryption algorithm used by the UDM must match the encryption algorithm used by the terminal device (or USIM card): when the terminal device encrypts AUTS and the indication information with the root key K, the UDM decrypts AUTS* with the root key K; when the terminal device encrypts them with the public key of the home network, the UDM decrypts AUTS* with the private key of the home network; and when the terminal device encrypts them with the SUPI-to-SUCI mechanism, the UDM decrypts AUTS* with the SUCI-to-SUPI mechanism.
Step S607: The UDM verifies AUTS using the first AUTS algorithm.
Optionally, the UDM may determine the first AUTS algorithm from the terminal device identifier carried in the authentication service request and the indication information corresponding to the terminal device.
In this embodiment, after decrypting to obtain AUTS, the UDM may also verify the integrity of AUTS. Specifically, the UDM recovers the terminal sequence number SQN_MS (that is, the highest sequence number the USIM card has accepted) from AUTS with the first AUTS algorithm, computes the message authentication code MAC from SQN_MS, and if the computed MAC matches the MAC-S carried in AUTS, the integrity check of AUTS succeeds.
If the AUTS verification succeeds, the UDM may resynchronise the SQN held on the network side and then re-initiate the authentication procedure for the terminal device using the resynchronised SQN.
Thus, with this scheme the terminal device encrypts its indication information together with the generated AUTS and sends the result to the UDM. The UDM determines from the indication information sent by the terminal device which AUTS algorithm the terminal device used and verifies the received AUTS with the algorithm that matches the terminal device (or USIM card), which avoids the resynchronisation failure caused by the UDM and the terminal device using different AUTS algorithms, lets the resynchronisation procedure and the subsequent authentication of the terminal device proceed normally, and at the same time improves the security of the authentication procedure.
Embodiment 3
Refer to FIG. 7, a flow diagram of another communication method provided by an embodiment of this application, which comprises the following steps:
Step S701: The terminal device determines that the sequence number SQN in the authentication token AUTN is not within the correct range.
For the specific implementation of step S701, refer to the description of step S201 in Embodiment 1 or step S601 in Embodiment 2, which is not repeated here.
Step S702: The terminal device computes the resynchronisation token AUTS according to the indication information corresponding to the terminal device.
In this embodiment the indication information directly or indirectly indicates the first AUTS algorithm the terminal device uses to compute AUTS and is associated with the terminal device identifier, the USIM card identifier or the subscriber identifier (such as the SUPI). For example, the indication information may be the identifier of the first AUTS algorithm used by the terminal device (or USIM card), may contain that identifier, or may map to it; alternatively, it may indicate whether the terminal device (or USIM card) supports the new AUTS algorithm or whether the USIM card is a new card, or it may be the type, batch or version of the USIM card, or the list of subscription features of the terminal device (or USIM card).
Specifically, in step S702 the terminal device may compute the resynchronisation token AUTS as given by Formula 3. (Formula 3 is reproduced only as an image in the original and is not reconstructed here; its terms are defined as follows.)
Here AUTS is the resynchronisation token, indicating that the terminal device has determined that the sequence number SQN in AUTN is not within the correct range; SQN_MS is the terminal sequence number, that is, the highest sequence number the USIM card has accepted; AK is the anonymity key, with AK = f5*(RAND, K) or AK = f5*(RAND, K, MAC-S'), where f5*() denotes a function; RAND is the random number; K is the root key; indication is the indication information corresponding to the terminal device; MAC-S' is the message authentication code computed as MAC-S' = f1*(AMF, RAND, K, SQN_MS, indication), which provides concealment and integrity protection of SQN_MS, where f1*() denotes another function; AMF is the authentication management field of AUTN (not the AMF network function); ⊕ denotes exclusive OR; and ∥ denotes concatenation.
Note that the AUTS computed by Formula 3 differs from the AUTS computed in Embodiments 1 and 2; to mark the difference, the AUTS of Embodiment 3 may also be written AUTS', and likewise MAC-S may be written MAC-S'.
Formula 3 shows that in Embodiment 3 the terminal device carries its indication information inside AUTS' when computing it and then uses MAC-S' to integrity-protect AUTS'. As a result the AUTS' and the indication information the terminal device sends to the UDM are protected against tampering, which allows the resynchronisation procedure to proceed normally and improves the security of the authentication procedure. Carrying the indication information in AUTS' may equally be understood as embedding the indication information in AUTS', or as adding the indication information as a new input parameter of the AUTS algorithm; that is, the method of Formula 3 may itself be regarded as a new AUTS algorithm.
Optionally, steps S701 and S702 may be performed by the USIM card in the terminal device.
Step S703: The terminal device sends an authentication failure message to the AMF carrying the resynchronisation token AUTS'.
Step S704: The AMF sends an authentication service request to the UDM, or the AMF sends it to the AUSF, which then sends an authentication service request to the UDM; the request carries the resynchronisation token AUTS'.
Step S705: The UDM receives from the AMF or the AUSF the authentication service request carrying AUTS', which indicates that the terminal device has determined that the sequence number SQN in AUTN is not within the correct range.
Step S706: The UDM obtains from AUTS' the indication information corresponding to the terminal device, which indicates the first AUTS algorithm the terminal device used to compute AUTS'.
Because the indication information is concatenated directly into AUTS', the UDM can read it from AUTS' without any further lookup.
Step S707: The UDM verifies AUTS' using the first AUTS algorithm.
In this embodiment, having obtained AUTS', the UDM may verify its integrity. Specifically, after determining the first AUTS algorithm from the indication information read from AUTS', the UDM computes AK with the corresponding algorithm, recovers SQN_MS, computes the message authentication code MAC' over AMF, RAND, K, SQN_MS and the indication information, and compares it with the MAC-S' carried in AUTS'; if they match, the integrity check of AUTS' succeeds.
If the AUTS' verification succeeds, the UDM may resynchronise the SQN held on the network side and then re-initiate the authentication procedure for the terminal device using the resynchronised SQN.
Thus, with this scheme the terminal device carries its indication information inside AUTS' when computing it, integrity-protects AUTS' and sends it to the UDM. The UDM reads the indication information from the received AUTS', determines from it the AUTS algorithm the terminal device used, and verifies AUTS' with the algorithm that matches the terminal device (or USIM card), which avoids the resynchronisation failure caused by the UDM and the terminal device using different AUTS algorithms, lets the resynchronisation procedure and the subsequent authentication of the terminal device proceed normally, and at the same time improves the security of the authentication procedure.
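The two ways of carrying the indication from the terminal device to the UDM, Embodiment 2 (steps S602 to S607, Formula 2) and Embodiment 3 (steps S702 to S707, Formula 3), as one added example that is not code from the patent. For Embodiment 2, Enc() is realised as encrypt-then-MAC over an HMAC-SHA256 keystream, a stand-in chosen because the page leaves the cipher open; the tag matters in practice because an encryption without integrity would let an on-path attacker flip the indication to the legacy algorithm unnoticed (that observation is the editor's, not the page's). For Embodiment 3, the field order Conc(SQN_MS) ∥ indication ∥ MAC-S' is an assumption, since the page only states that the indication is concatenated into AUTS'; f1* and f5* are HMAC-SHA256 stand-ins for the Milenage functions, the one-byte indication encoding, the key, RAND and the 14-byte AUTS fed into Embodiment 2 are constructed values.

```python
"""Embodiments 2 and 3 (added example, not the patent's code): carrying the UE's
AUTS-algorithm indication to the UDM under protection.
Embodiment 2: AUTS* = Enc(K, AUTS, indication), stand-in: encrypt-then-MAC over an
HMAC-SHA256 keystream.  Embodiment 3: AUTS' = Conc(SQN_MS) || indication || MAC-S'
with the indication as an input of MAC-S' (field order is an assumption).
f1*/f5* are HMAC-SHA256 stand-ins for Milenage."""
import hashlib
import hmac
import os

SQN_LEN, IND_LEN, MAC_LEN = 6, 1, 8
NONCE_LEN, TAG_LEN = 12, 16
IND_LEGACY, IND_NEW = b"\x00", b"\x01"  # assumed one-byte encoding of the indication flag


def _prf(k: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Embodiment 2: AUTS* = Enc(K, AUTS, indication) (Formula 2) ----
def ue_encrypt_auts(k, auts, indication, nonce=None):
    """Step S602: encrypt AUTS || indication and authenticate the ciphertext, so the
    UDM can detect a modified indication before it acts on it."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    pt = auts + indication
    if len(pt) > hashlib.sha256().digest_size:
        raise ValueError("payload exceeds the single-block keystream of this stand-in")
    ct = _xor(pt, _prf(k, b"enc", nonce)[:len(pt)])
    tag = _prf(k, b"tag", nonce, ct)[:TAG_LEN]
    return nonce + ct + tag


def udm_decrypt_auts(k, auts_star):
    """Step S606: verify the tag, then recover (AUTS, indication); None on failure."""
    if len(auts_star) < NONCE_LEN + TAG_LEN + IND_LEN:
        return None
    nonce, ct, tag = auts_star[:NONCE_LEN], auts_star[NONCE_LEN:-TAG_LEN], auts_star[-TAG_LEN:]
    if not hmac.compare_digest(_prf(k, b"tag", nonce, ct)[:TAG_LEN], tag):
        return None  # tampered or wrong key: do not resynchronise
    pt = _xor(ct, _prf(k, b"enc", nonce)[:len(ct)])
    return pt[:-IND_LEN], pt[-IND_LEN:]


# ---- Embodiment 3: AUTS' = Conc(SQN_MS) || indication || MAC-S' (Formula 3) ----
def f1_star(k, amf, rand, sqn_ms, indication):
    """MAC-S' = f1*(AMF, RAND, K, SQN_MS, indication), 64 bit (stand-in)."""
    return _prf(k, b"f1*", amf, rand, sqn_ms, indication)[:MAC_LEN]


def f5_star(k, rand, mac_s=b""):
    """AK = f5*(RAND, K) (legacy) or f5*(RAND, K, MAC-S') (new), 48 bit (stand-in)."""
    return _prf(k, b"f5*", rand, mac_s)[:SQN_LEN]


def _ak_for(indication, k, rand, mac_s):
    return f5_star(k, rand, mac_s) if indication == IND_NEW else f5_star(k, rand)


def ue_compute_auts_prime(k, rand, amf, sqn_ms, indication):
    """Step S702: the indication is both concatenated into AUTS' and covered by MAC-S'."""
    mac_s = f1_star(k, amf, rand, sqn_ms, indication)
    return _xor(sqn_ms, _ak_for(indication, k, rand, mac_s)) + indication + mac_s


def udm_verify_auts_prime(k, rand, amf, auts_p):
    """Steps S706-S707: read the indication from its fixed field, derive AK with the
    indicated algorithm, recover SQN_MS, recompute MAC' and compare with MAC-S'.
    Returns (SQN_MS, indication) or None."""
    if len(auts_p) != SQN_LEN + IND_LEN + MAC_LEN:
        return None
    conc = auts_p[:SQN_LEN]
    indication = auts_p[SQN_LEN:SQN_LEN + IND_LEN]
    mac_s = auts_p[SQN_LEN + IND_LEN:]
    sqn_ms = _xor(conc, _ak_for(indication, k, rand, mac_s))
    if not hmac.compare_digest(f1_star(k, amf, rand, sqn_ms, indication), mac_s):
        return None
    return sqn_ms, indication


def demo():
    """Constructed values: both paths deliver IND_NEW intact, and a downgrade of the
    indication to IND_LEGACY is rejected on both paths."""
    k = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")     # constructed root key
    rand = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")  # constructed RAND
    amf, sqn_ms = b"\x80\x00", (0x2A).to_bytes(SQN_LEN, "big")
    auts = bytes.fromhex("0102030405060708090a0b0c0d0e")      # constructed 14-byte AUTS

    auts_star = ue_encrypt_auts(k, auts, IND_NEW)
    emb2 = udm_decrypt_auts(k, auts_star)
    flipped = bytearray(auts_star)
    flipped[NONCE_LEN + len(auts)] ^= 1                       # hit the encrypted indication byte
    emb2_tampered = udm_decrypt_auts(k, bytes(flipped))

    auts_p = ue_compute_auts_prime(k, rand, amf, sqn_ms, IND_NEW)
    emb3 = udm_verify_auts_prime(k, rand, amf, auts_p)
    downgraded = auts_p[:SQN_LEN] + IND_LEGACY + auts_p[SQN_LEN + IND_LEN:]
    emb3_tampered = udm_verify_auts_prime(k, rand, amf, downgraded)
    return emb2, emb2_tampered, emb3, emb3_tampered


if __name__ == "__main__":
    print(demo())
```

In both paths the UDM only learns the algorithm from data whose integrity it has already checked: in Embodiment 2 the tag over the ciphertext fails when the indication byte is altered, and in Embodiment 3 a downgraded indication changes both the AK derivation and the MAC-S' input, so the recomputed MAC' no longer matches.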
Referring to FIG. 8, which is a specific example of the communication method provided in Embodiments 2 and 3 of this application, the example includes the following steps:
Step S801: the authentication procedure between the terminal device and the UDM is executed. The authentication procedure may include: the AMF sends an authentication request message to the terminal device, the message including the random number RAND and the authentication token AUTN.
Step S802: the terminal device verifies the sequence number SQN in the authentication token AUTN. If the SQN is not within the correct range, the terminal device computes the resynchronization authentication token AUTS and initiates the resynchronization procedure. Optionally, the terminal device may also verify the message authentication code MAC in AUTN, and the MAC verification may precede the SQN verification.
Corresponding to Embodiment 2, in one implementation of step S802 the terminal device may also generate indication information and encrypt the indication information together with the computed resynchronization authentication token AUTS to obtain the encrypted token AUTS*. For the specific encryption method, refer to the description of step S602, which is not repeated here.
Corresponding to Embodiment 3, in another implementation of step S802 the terminal device may also generate indication information and, when computing the resynchronization authentication token AUTS, use the indication information as one of the inputs to the AUTS computation, i.e. compute AUTS according to the indication information corresponding to the terminal device. For the specific AUTS computation, refer to the description of step S702, which is not repeated here.
Step S803: the terminal device sends an authentication failure message to the AMF. The authentication failure message includes the encrypted resynchronization authentication token AUTS* or the resynchronization authentication token AUTS, together with the random number RAND.
Corresponding to Embodiment 2, in one implementation of step S803 the authentication failure message includes the encrypted resynchronization authentication token AUTS*, which the terminal device obtained by encrypting the computed AUTS together with the corresponding indication information.
Corresponding to Embodiment 3, in another implementation of step S803 the authentication failure message includes the resynchronization authentication token AUTS, which the terminal device generated according to its corresponding indication information, i.e. the terminal device used the corresponding indication information as one of the inputs when computing AUTS.
Step S804: the AMF sends an authentication service request to the AUSF. The authentication service request includes the encrypted resynchronization authentication token AUTS* or the resynchronization authentication token AUTS, together with the random number RAND.
Optionally, the authentication service request may also include an identifier of the terminal device, an identifier of the USIM card or a subscriber identifier, for example the SUPI.
Step S805: the AUSF forwards the received authentication service request to the UDM. The authentication service request includes the encrypted resynchronization authentication token AUTS* or the resynchronization authentication token AUTS, together with the random number RAND.
Optionally, the authentication service request may also include an identifier of the terminal device, an identifier of the USIM card or a subscriber identifier, for example the SUPI.
Step S806: the UDM receives the authentication service request and determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
Corresponding to Embodiment 2, in one implementation of step S806 the UDM decrypts the encrypted resynchronization authentication token AUTS* in the received authentication service request to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, and then determines the first AUTS algorithm according to that indication information.
Corresponding to Embodiment 3, in another implementation of step S806 the UDM obtains the indication information corresponding to the terminal device from the resynchronization authentication token AUTS in the received authentication service request, verifies the integrity of AUTS against MAC-S', and determines the first AUTS algorithm according to that indication information.
Step S807: the UDM verifies AUTS according to the first AUTS algorithm. After the verification succeeds, it resynchronizes the SQN and then re-initiates the authentication procedure according to the synchronized SQN.
For the specific AUTS verification procedure, refer to the description of step S607 or S707 above, which is not repeated here.
Step S808: the authentication procedure between the terminal device and the UDM is executed again.
Embodiment 4
The technical solution of Embodiment 4 is similar to that of Embodiment 2, with the following difference. Embodiment 2 does not explicitly distinguish between the actions performed by the terminal device and those performed by the USIM card installed in it; some actions performed by the terminal device may in practice be performed by the USIM card, for example verifying the authentication token AUTN received by the terminal device, computing the resynchronization authentication token AUTS after determining that the sequence number SQN in AUTN is not within the correct range, encrypting AUTS together with the indication information to obtain AUTS*, and then sending the encrypted AUTS* through the terminal device and the AMF to the UDM.
Embodiment 4, by contrast, describes separately the actions performed by the terminal device and by the USIM card installed in it. The USIM card installed in the terminal device may verify the authentication token AUTN received by the terminal device, compute the resynchronization authentication token AUTS after determining that the sequence number SQN in AUTN is not within the correct range, and send AUTS to the terminal device. The terminal device then determines the corresponding indication information according to the configuration information of the USIM card, encrypts it together with the AUTS received from the USIM card, and finally sends the result via the AMF to the UDM.
Referring to FIG. 9, which is a schematic flowchart of a further communication method provided by an embodiment of this application, the method includes the following steps:
Step S901: the USIM card determines that the sequence number SQN in the authentication token AUTN is not within the correct range.
In this embodiment, before step S901 is performed, the terminal device may receive an authentication request message from the AMF and pass the parameters it contains, such as the authentication token AUTN and the random number RAND, to the USIM card installed in the terminal device, and the USIM card verifies AUTN. For the specific verification procedure, refer to the descriptions in the preceding embodiments, which are not repeated here.
Similarly, the sequence number SQN in AUTN being outside the correct range may mean that the USIM card determines that the sequence number in AUTN is less than or equal to the sequence number SQN stored in the USIM card.
Step S902: the USIM card computes the resynchronization authentication token AUTS.
In step S902, the USIM card may compute AUTS with the algorithm shown in FIG. 4a or FIG. 4b, or with another algorithm; this application does not limit it.
Step S903: the USIM card sends the resynchronization authentication token AUTS and the configuration information of the USIM card to the terminal device.
The configuration information may include information indicating the AUTS algorithm the USIM card used to compute AUTS, for example one or more of the following: an identifier of the first AUTS algorithm used by the USIM card, information indicating whether the USIM card supports the new AUTS algorithm, information indicating whether the USIM card is a new card, and the type, batch or release of the USIM card. Alternatively, the configuration information may include other information that can be used to distinguish AUTS algorithms; this application does not limit it.
Optionally, the USIM card may also send the random number RAND to the terminal device.
Step S904: the terminal device receives the resynchronization authentication token AUTS and the configuration information of the USIM card from the USIM card.
It should be noted that the terminal device receiving the configuration information of the USIM card from the USIM card may also be understood as the terminal device reading, or otherwise obtaining, the configuration information of the USIM card.
Step S905: the terminal device determines indication information according to the configuration information of the USIM card, the indication information indicating the first AUTS algorithm the USIM card used to compute AUTS.
The indication information is associated with the identifier of the terminal device, the identifier of the USIM card or the subscriber identifier (such as the SUPI). For example, the indication information may be the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to compute AUTS; it may include that identifier; it may stand in some mapping relationship to that identifier; it may be information indicating whether the terminal device (or USIM card) supports the new AUTS algorithm; it may be information indicating whether the USIM card is a new card; it may be the type, batch or release of the USIM card; or it may be the list of subscription features of the terminal device (or USIM card).
It should be understood that the indication information may be part or all of the configuration information of the USIM card, or may be derived or computed from the configuration information of the USIM card; this application does not limit it.
Step S906: the terminal device encrypts the resynchronization authentication token AUTS together with the indication information to obtain the encrypted resynchronization authentication token AUTS*.
For the specific implementation of step S906, refer to the description of step S602 in Embodiment 2, which is not repeated here.
Step S907: the terminal device sends an authentication failure message to the AMF. The authentication failure message includes the encrypted resynchronization authentication token AUTS*, which can be used to indicate that the terminal device or the USIM card has determined that the sequence number SQN in the authentication token AUTN is not within the correct range. The authentication failure message is used to trigger the UDM to resynchronize the SQN.
Step S908: the AMF sends an authentication service request to the UDM, or the AMF sends an authentication service request to the AUSF and the AUSF forwards the received request to the UDM. The authentication service request includes the encrypted resynchronization authentication token AUTS*.
Step S909: the UDM receives the authentication service request from the AMF or the AUSF and obtains the encrypted resynchronization authentication token AUTS* from it.
Step S910: the UDM decrypts the encrypted resynchronization authentication token AUTS* to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device.
Step S911: the UDM verifies AUTS according to the first AUTS algorithm.
For the specific implementation of steps S907 to S911, refer to steps S604 to S607 in Embodiment 2, which are not repeated here.
Thus, with the above technical solution, the terminal device can determine the AUTS algorithm used by the USIM card from the configuration information of the USIM card, encrypt indication information identifying that algorithm together with the AUTS computed by the USIM card, and send the result to the UDM. In this way the resynchronization procedure can proceed normally, while avoiding the situation in which a USIM card that is limited or not adapted for it cannot itself generate the indication information or perform the encryption, which improves the applicability of the method.
Referring to FIG. 10, which is a further specific example of the communication method provided in Embodiment 4 of this application, the example includes the following steps:
Step S1001: the authentication procedure between the terminal device and the UDM is executed. The authentication procedure may include: the AMF sends an authentication request message to the terminal device, the message including the random number RAND and the authentication token AUTN.
In this step, the terminal device may pass the random number RAND and the authentication token AUTN included in the authentication request message to the USIM card installed in the terminal device.
Step S1002: the USIM card in the terminal device verifies the sequence number SQN in the authentication token AUTN. If the SQN is not within the correct range, the USIM card may compute the resynchronization authentication token AUTS. Optionally, the terminal device may also verify the message authentication code MAC in AUTN, and the MAC verification may precede the SQN verification.
In this step, the USIM card may compute AUTS with the algorithm shown in FIG. 4a or FIG. 4b, or with another algorithm; this application does not limit it.
Step S1003: the USIM card may send the computed resynchronization authentication token AUTS and the configuration information of the USIM card to the terminal device.
For the specific implementation of the configuration information of the USIM card, refer to the description of step S903, which is not repeated here.
Step S1004: the terminal device generates indication information according to the received USIM card configuration information, and then encrypts the received resynchronization authentication token AUTS together with the generated indication information to obtain the encrypted resynchronization authentication token AUTS*.
For the specific encryption method, refer to the description of step S602, which is not repeated here.
Step S1005: the terminal device sends an authentication failure message to the AMF. The authentication failure message includes the encrypted resynchronization authentication token AUTS* and the random number RAND.
Step S1006: the AMF sends an authentication service request to the AUSF. The authentication service request includes the encrypted resynchronization authentication token AUTS* and the random number RAND.
Optionally, the authentication service request may also include an identifier of the terminal device, an identifier of the USIM card or a subscriber identifier, for example the SUPI.
Step S1007: the AUSF forwards the received authentication service request to the UDM. The authentication service request includes the encrypted resynchronization authentication token AUTS* and the random number RAND.
Optionally, the authentication service request may also include an identifier of the terminal device, an identifier of the USIM card or a subscriber identifier, for example the SUPI.
Step S1008: the UDM receives the authentication service request, decrypts the encrypted resynchronization authentication token AUTS* it contains, and obtains the resynchronization authentication token AUTS and the indication information corresponding to the terminal device.
The UDM then determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
Step S1009: the UDM verifies AUTS according to the first AUTS algorithm. After the verification succeeds, it resynchronizes the SQN and then re-initiates the authentication procedure according to the synchronized SQN.
For the specific AUTS verification procedure, refer to the description of step S607 or S707, which is not repeated here.
Step S1010: the authentication procedure between the terminal device and the UDM is executed again.
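The terminal-device side of Embodiment 4 (steps S1003 to S1008: read the USIM configuration, derive the indication, protect AUTS together with the indication as AUTS*, and recover both at the UDM), as an added example that is not part of the patent and not Huawei's code. The encryption of step S602 is not on this page, so the example assumes a symmetric protection key shared by the terminal device and the UDM and uses an encrypt-then-MAC stand-in (SHA-256 counter keystream with an HMAC-SHA256 tag) so that it runs with the standard library; a deployment would use a proper AEAD such as AES-GCM. The USIM configuration field names, the one-byte indication encoding and the AUTS value are constructed; AUTS is treated as the opaque 14-byte output of the USIM.

```python
"""Added example (not the patent's own code) for Embodiment 4: the terminal device
derives indication information from the USIM card's configuration, protects
AUTS || indication as AUTS*, and the UDM unprotects AUTS* to recover both.

Assumptions: a shared symmetric protection key (the step S602 method is not on
this page); the cipher is an encrypt-then-MAC stand-in, not a production AEAD;
configuration field names and indication encoding are hypothetical.
"""
import hashlib
import hmac
import os

AUTS_LEN = 14        # (SQN_MS xor AK*) || MAC-S, 48 + 64 bits, as output by the USIM
NONCE_LEN = 12
TAG_LEN = 16

K_PROT = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")   # constructed, assumed shared key

# Constructed USIM configuration as read by the terminal device (hypothetical field names)
USIM_CONFIG_NEW = {"auts_alg_id": 0x01, "supports_new_auts": True, "release": 16}
USIM_CONFIG_OLD = {"supports_new_auts": False, "release": 15}


def me_derive_indication(config: dict) -> bytes:
    """Step S905: map USIM configuration to a one-byte indication of the AUTS algorithm.
    An explicit algorithm identifier wins; otherwise fall back to the support flag."""
    if "auts_alg_id" in config:
        return bytes([config["auts_alg_id"] & 0xFF])
    return b"\x01" if config.get("supports_new_auts") else b"\x00"


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 counter keystream; never reuse a nonce under the same key."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def protect(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, the tag covering nonce and ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify (tampering or wrong key)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def me_build_auts_star(key: bytes, auts: bytes, config: dict, nonce: bytes = None) -> bytes:
    """Terminal device side (steps S905/S906): AUTS* = Enc(AUTS || indication)."""
    if len(auts) != AUTS_LEN:
        raise ValueError("AUTS from the USIM must be 14 bytes")
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    return protect(key, nonce, auts + me_derive_indication(config))


def udm_open_auts_star(key: bytes, auts_star: bytes):
    """UDM side (step S910): recover (AUTS, indication), or None on failure.
    The indication is trusted only because it sits under the same tag as AUTS."""
    pt = unprotect(key, auts_star)
    if pt is None or len(pt) != AUTS_LEN + 1:
        return None
    return pt[:AUTS_LEN], pt[AUTS_LEN]


def demo() -> dict:
    auts = bytes(range(AUTS_LEN))        # constructed opaque AUTS from the USIM
    nonce = bytes(NONCE_LEN)             # fixed only so the result is reproducible
    star = me_build_auts_star(K_PROT, auts, USIM_CONFIG_NEW, nonce)
    opened = udm_open_auts_star(K_PROT, star)
    flipped = star[:NONCE_LEN] + bytes([star[NONCE_LEN] ^ 0x80]) + star[NONCE_LEN + 1:]
    return {
        "auts": opened[0] if opened else None,
        "ind": opened[1] if opened else None,
        "tamper_fails": udm_open_auts_star(K_PROT, flipped) is None,
        "old_card_ind": me_derive_indication(USIM_CONFIG_OLD)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the terminal device, not the USIM, produces the indication, so an old card that cannot be updated still gets its algorithm identified; the check that matters at the UDM is that the indication is only read after the tag over AUTS and indication together has verified, so that a modified indication byte is rejected rather than used to pick the wrong algorithm.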
本申请实施例还提供一种通信装置,请参阅图11,为本申请实施例提供的一种通信装置的结构示意图,该通信装置1100包括:收发模块1110和处理模块1120。该通信装置可用于实现上述任一方法实施例中涉及统一数据管理网元的功能、或用于实现上述任一方法实施例中涉及统一数据存储网元的功能。例如,该通信装置可以是核心网中的UDM网元或者UDR网元,且该网元或者网络功能既可以是硬件设备中的网络元件,也可以是在专用硬件上运行的软件功能,或者是平台(例如,云平台)上实例化的虚拟化功能。再例如,该通信装置可以是网络设备或网络设备中包括的芯片。An embodiment of the present application also provides a communication device. Please refer to FIG. 11, which is a schematic structural diagram of a communication device provided by an embodiment of this application. The communication device 1100 includes a transceiver module 1110 and a processing module 1120. The communication device can be used to implement the function of the unified data management network element in any of the foregoing method embodiments, or be used to implement the function of the unified data storage network element in any of the foregoing method embodiments. For example, the communication device may be a UDM network element or a UDR network element in the core network, and the network element or network function may be a network element in a hardware device, or a software function running on dedicated hardware, or Virtualization functions instantiated on the platform (for example, cloud platform). For another example, the communication device may be a network device or a chip included in the network device.
当该通信装置作为统一数据管理网元,执行图2中所示的方法实施例时,收发模块1110用于接收认证服务请求,该认证服务请求中包括重同步认证令牌AUTS;处理模块1120用于获取终端设备对应的指示信息,该终端设备对应的指示信息用于指示终端设备计算AUTS采用的第一AUTS算法;处理模块1120还用于,根据该第一AUTS算法对AUTS进行校验。When the communication device is used as a unified data management network element to perform the method embodiment shown in FIG. 2, the transceiver module 1110 is used to receive an authentication service request, and the authentication service request includes a resynchronization authentication token AUTS; the processing module 1120 uses To obtain the instruction information corresponding to the terminal device, the instruction information corresponding to the terminal device is used to instruct the terminal device to calculate the first AUTS algorithm used by the AUTS; the processing module 1120 is also used to verify the AUTS according to the first AUTS algorithm.
在一种可能的设计中,处理模块1120具体用于,从本地配置中获取所述指示信息,或从统一数据存储网元中获取所述指示信息。In a possible design, the processing module 1120 is specifically configured to obtain the indication information from a local configuration or obtain the indication information from a unified data storage network element.
在一种可能的设计中,终端设备对应的指示信息包含在终端设备的签约数据中。In a possible design, the indication information corresponding to the terminal device is included in the subscription data of the terminal device.
当该通信装置作为统一数据存储网元,执行与图5中所示的方法实施例时,收发模块1110用于从统一数据管理网元接收服务调用请求,该服务调用请求用于请求终端设备对应的指示信息,该终端设备对应的指示信息用于指示终端设备计算AUTS采用的第一AUTS算法;处理模块1120,用于通过收发模块1110向统一数据管理网元发送服务响应消息,该服务响应消息中包括终端设备对应的指示信息。When the communication device is used as a unified data storage network element to execute the method embodiment shown in FIG. 5, the transceiver module 1110 is used to receive a service call request from the unified data management network element, and the service call request is used to request the terminal device to correspond to The instruction information corresponding to the terminal device is used to instruct the terminal device to calculate the first AUTS algorithm used by the AUTS; the processing module 1120 is used to send a service response message to the unified data management network element through the transceiver module 1110, the service response message Include instruction information corresponding to the terminal device.
当该通信装置作为统一数据管理网元,执行图6中所示的方法实施例时,收发模块1110用于接收认证服务请求,该认证服务请求中包括加密重同步认证令牌AUTS*;处理模块1120用于对所述AUTS*进行解密,以得到重同步认证令牌AUTS和终端设备对应的指示信息,该终端设备对应的指示信息用于指示终端设备计算AUTS采用的第一AUTS算法;处理模块1120还用于,根据该第一AUTS算法对AUTS进行校验。When the communication device is used as a unified data management network element to execute the method embodiment shown in FIG. 6, the transceiver module 1110 is used to receive an authentication service request, and the authentication service request includes an encrypted resynchronization authentication token AUTS*; processing module 1120 is used to decrypt the AUTS* to obtain the indication information corresponding to the resynchronization authentication token AUTS and the terminal device. The indication information corresponding to the terminal device is used to instruct the terminal device to calculate the first AUTS algorithm used by the AUTS; processing module 1120 is also used to verify the AUTS according to the first AUTS algorithm.
当该通信装置作为统一数据管理网元,执行图7中所示的方法实施例时,收发模块1110用于接收认证服务请求,该认证服务请求中包括重同步认证令牌AUTS;处理模块1120用于从AUTS中获取终端设备对应的指示信息,该终端设备对应的指示信息用于指示终端设备计算AUTS采用的第一AUTS算法;处理模块1120还用于,根据该第一AUTS算法对AUTS进行校验。When the communication device is used as a unified data management network element to perform the method embodiment shown in FIG. 7, the transceiver module 1110 is used to receive an authentication service request, and the authentication service request includes a resynchronization authentication token AUTS; the processing module 1120 uses To obtain the instruction information corresponding to the terminal device from the AUTS, the instruction information corresponding to the terminal device is used to instruct the terminal device to calculate the first AUTS algorithm used by the AUTS; the processing module 1120 is also used to calibrate the AUTS according to the first AUTS algorithm Test.
在一种可能的设计中,处理模块1120具体用于,根据第一AUTS算法从AUTS中获取移动终端序列号SQN MS,根据该SQN MS计算得到MAC;若该MAC与从AUTS中获取的MAC-S一致,则确定AUTS校验成功。 In a possible design, the processing module 1120 is specifically configured to obtain the mobile terminal serial number SQN MS from the AUTS according to the first AUTS algorithm, and calculate the MAC according to the SQN MS ; if the MAC is the same as the MAC obtained from the AUTS- If S is consistent, it is determined that the AUTS verification is successful.
应理解,该通信装置中涉及的处理模块1120可以由处理器或处理器相关电路组件实现,收发模块1110可以由收发器或收发器相关电路组件实现。该通信装置中的各个模块的操作和/或功能分别为了实现图2、图5、图6或图7中所示方法的相应流程,为了简洁,在此不再赘述。It should be understood that the processing module 1120 involved in the communication device may be implemented by a processor or processor-related circuit components, and the transceiver module 1110 may be implemented by a transceiver or transceiver-related circuit components. The operation and/or function of each module in the communication device is to implement the corresponding process of the method shown in FIG. 2, FIG. 5, FIG. 6 or FIG.
请参考图12,为本申请实施例提供的一种通信装置的另一结构示意图。该通信装置1200可用于实现上述方法实施例中描述的方法。该通信装置1200可以是芯片或网络设备。Please refer to FIG. 12, which is another schematic structural diagram of a communication device according to an embodiment of this application. The communication device 1200 can be used to implement the methods described in the foregoing method embodiments. The communication device 1200 may be a chip or a network device.
The communication apparatus 1200 includes one or more processors 1201. The one or more processors 1201 can support the communication apparatus 1200 in implementing the method of the unified data management network element or the unified data storage network element in FIG. 2, FIG. 5, FIG. 6 or FIG. 7. The processor 1201 may be a general-purpose processor or a special-purpose processor. For example, the processor 1201 may be a central processing unit (CPU) or a baseband processor. The baseband processor may be used to process communication data, and the CPU may be used to control the communication apparatus (for example, a network device, a terminal device or a chip), execute a software program and process the data of the software program. The communication apparatus 1200 may further include a transceiver unit 1205 for implementing signal input (reception) and output (transmission).
For example, the communication apparatus 1200 may be a chip, and the transceiver unit 1205 may be an input and/or output circuit of the chip, or the transceiver unit 1205 may be a communication interface of the chip; the chip may form part of a terminal device, a network device or another wireless communication device.
The communication apparatus 1200 may include one or more memories 1202 on which a program 1204 is stored. The program 1204 can be run by the processor 1201 to generate instructions 1203, so that the processor 1201 executes the method described in the foregoing method embodiments according to the instructions 1203. Optionally, the memory 1202 may also store data. Optionally, the processor 1201 may also read data stored in the memory 1202; the data may be stored at the same storage address as the program 1204 or at a different storage address from the program 1204.
The processor 1201 and the memory 1202 may be provided separately or integrated together, for example, integrated on a single board or on a system on chip (SOC).
The communication apparatus 1200 may further include a transceiver unit 1205 and an antenna 1206. The transceiver unit 1205 may be referred to as a transceiver, a transceiver circuit or a transceiver device, and is used to implement the transmitting and receiving functions of the communication apparatus through the antenna 1206.
It should be understood that the steps of the foregoing method embodiments may be completed by a logic circuit in the form of hardware or by instructions in the form of software in the processor 1201. The processor 1201 may be a CPU, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, for example, a discrete gate, a transistor logic device or a discrete hardware component.
An embodiment of this application further provides another communication apparatus. Refer to FIG. 13, which is a schematic structural diagram of another communication apparatus provided by an embodiment of this application. The communication apparatus 1300 includes a transceiver module 1310 and a processing module 1320. The communication apparatus can be used to implement the functions of the terminal device in any of the foregoing method embodiments. For example, the communication apparatus may be a terminal device, such as a handheld terminal device or a vehicle-mounted terminal device; the communication apparatus may also be a chip included in a terminal device, such as a USIM card installed in the terminal device, or an apparatus that includes a terminal device, such as a vehicle of any type.
When the communication apparatus acts as a terminal device and executes the method embodiment shown in FIG. 6, the processing module 1320 is configured to calculate a resynchronization authentication token AUTS and to encrypt the AUTS together with the indication information corresponding to the communication apparatus, so as to obtain an encrypted resynchronization authentication token AUTS*, where the indication information corresponding to the communication apparatus indicates the first AUTS algorithm used by the communication apparatus to calculate the AUTS; the transceiver module 1310 is configured to send the AUTS* to the access management network element.
In a possible design, the processing module 1320 is further configured to generate the indication information corresponding to the apparatus according to the first AUTS algorithm used to calculate the AUTS.
When the communication apparatus acts as a terminal device and executes the method embodiment shown in FIG. 7, the processing module 1320 is configured to calculate a resynchronization authentication token AUTS according to the indication information corresponding to the communication apparatus, where the indication information corresponding to the communication apparatus indicates the first AUTS algorithm used by the communication apparatus to calculate the AUTS; the transceiver module 1310 is configured to send the AUTS to the access management network element.
In a possible design, the AUTS includes the indication information corresponding to the communication apparatus and/or a MAC-S calculated according to the indication information corresponding to the communication apparatus.
When the communication apparatus acts as a terminal device and executes the method embodiment shown in FIG. 9, the transceiver module 1310 is configured to receive a resynchronization authentication token AUTS and the configuration information of the USIM card from a universal subscriber identity module (USIM) card; the processing module 1320 is configured to determine indication information according to the configuration information of the USIM card, where the indication information indicates the first AUTS algorithm used by the USIM card to calculate the AUTS; the processing module 1320 is further configured to encrypt the AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS*; and the transceiver module 1310 is further configured to send the AUTS* to the access management network element.
In a possible design, the configuration information includes one or more of the following:
the AUTS algorithms supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and the version information of the USIM card.
When the communication apparatus acts as a USIM card installed in a terminal device and executes the method embodiment shown in FIG. 9, the processing module 1320 is configured to calculate a resynchronization authentication token AUTS, and the transceiver module 1310 is configured to send the AUTS and the configuration information of the USIM card to the terminal device.
In a possible design, the configuration information includes one or more of the following:
the AUTS algorithms supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and the version information of the USIM card.
The processing module 1320 in the communication apparatus may be implemented by a processor or processor-related circuit components, and the transceiver module 1310 may be implemented by a transceiver or transceiver-related circuit components. The operations and/or functions of the modules in the communication apparatus are intended to implement the corresponding procedures of the methods shown in FIG. 6 to FIG. 10, and are not repeated here for brevity.
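The FIG. 7 design above (an AUTS that carries the terminal's indication information and a MAC-S calculated according to it) and the unified data management side check described in claims 8 and 9 (recover SQN_MS with the indicated algorithm, recompute a MAC and compare it with MAC-S) can be simulated end to end. The following is an added example, not code from the patent or from the applicant: the two algorithm identifiers ALG_A and ALG_B are hypothetical, HMAC-SHA256 stands in for the operator's real MAC and concealment functions, and the token layout (concealed SQN_MS, then MAC-S, then the indication byte) is an assumption, since the page does not spell one out.

```python
import hmac
import hashlib
from typing import Optional, Tuple

# Hypothetical identifiers for two distinct AUTS algorithms. The page only speaks
# of a "first AUTS algorithm"; the two ids here are an assumption of this example.
ALG_A = 0x01
ALG_B = 0x02

SQN_LEN = 6                # SQN_MS and the concealing key are 48 bits (assumed)
MAC_LEN = 8                # MAC-S is 64 bits (assumed)
AMF_RESYNC = b"\x00\x00"   # constructed management field used on resynchronisation


def mac_s_function(k: bytes, alg: int, sqn_ms: bytes, rand: bytes) -> bytes:
    """Stand-in for the resynchronisation MAC function of the indicated algorithm.

    MAC-S is computed over SQN_MS || RAND || AMF and, as in the FIG. 7 design,
    "according to the indication information": the algorithm id is part of the
    MAC input, so a different AUTS algorithm yields a different MAC-S and the
    indication carried in AUTS is itself authenticated. HMAC-SHA256 stands in
    for the real function (an assumption of this example)."""
    msg = bytes([alg]) + sqn_ms + rand + AMF_RESYNC
    return hmac.new(k, b"mac-s" + msg, hashlib.sha256).digest()[:MAC_LEN]


def conceal_key(k: bytes, alg: int, rand: bytes) -> bytes:
    """Stand-in for the key that conceals SQN_MS inside AUTS (assumed construction)."""
    return hmac.new(k, b"conceal" + bytes([alg]) + rand, hashlib.sha256).digest()[:SQN_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def terminal_build_auts(k: bytes, alg: int, sqn_ms: bytes, rand: bytes) -> bytes:
    """Terminal (USIM) side of the FIG. 7 design.

    AUTS = Conc(SQN_MS) || MAC-S || indication, where Conc(SQN_MS) is SQN_MS xor
    the concealing key, and both are derived with the indicated AUTS algorithm."""
    if len(sqn_ms) != SQN_LEN:
        raise ValueError("SQN_MS must be 48 bits")
    conc = xor_bytes(sqn_ms, conceal_key(k, alg, rand))
    mac_s = mac_s_function(k, alg, sqn_ms, rand)
    return conc + mac_s + bytes([alg])


def udm_verify_auts(k: bytes, auts: bytes, rand: bytes,
                    indication: Optional[int] = None) -> Tuple[bool, Optional[bytes]]:
    """Unified data management network element side (claims 8 and 9).

    The indication is read from AUTS itself (claim 8); a caller may instead pass an
    indication obtained from subscription data or a local configuration (claims 1
    to 3). SQN_MS is recovered with the indicated algorithm, a MAC is recomputed
    from it and compared with the MAC-S carried in AUTS.

    Returns (True, SQN_MS) on success and (False, None) otherwise."""
    if len(auts) != SQN_LEN + MAC_LEN + 1:
        return False, None
    conc = auts[:SQN_LEN]
    mac_s = auts[SQN_LEN:SQN_LEN + MAC_LEN]
    alg = indication if indication is not None else auts[-1]
    sqn_ms = xor_bytes(conc, conceal_key(k, alg, rand))
    expected = mac_s_function(k, alg, sqn_ms, rand)
    # Constant-time comparison; a mismatch means AUTS was built with another
    # algorithm, with another key, or was modified in transit.
    if not hmac.compare_digest(expected, mac_s):
        return False, None
    return True, sqn_ms


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    K = bytes(range(16))
    RAND = bytes(range(16, 32))
    SQN_MS = b"\x00\x00\x00\x00\x00\x2a"

    auts = terminal_build_auts(K, ALG_B, SQN_MS, RAND)
    print("indication read from AUTS:", udm_verify_auts(K, auts, RAND))
    # A UDM that assumes one fixed algorithm (no indication) rejects a valid token,
    # which is the failure the indication information is meant to avoid.
    print("UDM assuming ALG_A:       ", udm_verify_auts(K, auts, RAND, indication=ALG_A))
    # Changing the indication byte in transit invalidates MAC-S.
    tampered = auts[:-1] + bytes([ALG_A])
    print("tampered indication:      ", udm_verify_auts(K, tampered, RAND))
```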
Refer to FIG. 14, which is another schematic structural diagram of another communication apparatus provided in an embodiment of this application. The communication apparatus may specifically be a terminal device. For ease of understanding and illustration, FIG. 14 uses a mobile phone as the example of the terminal device. As shown in FIG. 14, the terminal device includes a processor and may further include a memory; it may of course also include a radio frequency circuit, an antenna and an input/output apparatus. The processor is mainly used to process the communication protocol and communication data, to control the terminal device, to execute software programs and to process the data of the software programs. The memory is mainly used to store software programs and data. The radio frequency circuit is mainly used for conversion between baseband signals and radio frequency signals and for processing radio frequency signals. The antenna is mainly used to transmit and receive radio frequency signals in the form of electromagnetic waves. Input/output apparatuses, such as a touch screen, a display screen or a keyboard, are mainly used to receive data input by the user and to output data to the user. It should be noted that some types of terminal devices may have no input/output apparatus.
When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs a baseband signal to the radio frequency circuit; the radio frequency circuit performs radio frequency processing on the baseband signal and then sends the radio frequency signal out through the antenna in the form of electromagnetic waves. When data is sent to the terminal device, the radio frequency circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal and outputs the baseband signal to the processor; the processor converts the baseband signal into data and processes the data. For ease of description, FIG. 14 shows only one memory and one processor. In an actual terminal device product, there may be one or more processors and one or more memories. The memory may also be referred to as a storage medium, a storage device or the like. The memory may be provided independently of the processor or integrated with the processor; this is not limited in the embodiments of this application.
In the embodiments of this application, the antenna and radio frequency circuit having the transceiving function may be regarded as the transceiver unit of the terminal device, and the processor having the processing function may be regarded as the processing unit of the terminal device. As shown in FIG. 14, the terminal device includes a transceiver unit 1410 and a processing unit 1420. The transceiver unit may also be referred to as a transceiver, a transceiver device, a transceiving apparatus or the like. The processing unit may also be referred to as a processor, a processing board, a processing module, a processing apparatus or the like. Optionally, the component of the transceiver unit 1410 that implements the receiving function may be regarded as a receiving unit, and the component of the transceiver unit 1410 that implements the sending function may be regarded as a sending unit; that is, the transceiver unit 1410 includes a receiving unit and a sending unit. The transceiver unit may sometimes also be referred to as a transceiver, a transceiver device, a transceiver circuit or the like. The receiving unit may sometimes also be referred to as a receiver, a receiving device, a receiving circuit or the like. The sending unit may sometimes also be referred to as a transmitter, a transmitting device, a transmitting circuit or the like. It should be understood that the transceiver unit 1410 is configured to perform the sending and receiving operations on the terminal device side in the foregoing method embodiments, and the processing unit 1420 is configured to perform the operations on the terminal device other than the transceiving operations in the foregoing method embodiments.
An embodiment of this application further provides a chip system, including a processor coupled to a memory, where the memory is used to store a program or instructions, and when the program or instructions are executed by the processor, the chip system implements the method in any of the foregoing method embodiments.
Optionally, the chip system may have one or more processors. The processor may be implemented by hardware or by software. When implemented by hardware, the processor may be a logic circuit, an integrated circuit or the like. When implemented by software, the processor may be a general-purpose processor that implements the method by reading software code stored in the memory.
Optionally, the chip system may also have one or more memories. The memory may be integrated with the processor or provided separately from the processor; this is not limited in this application. Exemplarily, the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or provided on separate chips. This application does not specifically limit the type of the memory or the way the memory and the processor are arranged.
Exemplarily, the chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processor unit (CPU), a network processor (NP), a digital signal processing circuit (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
It should be understood that the steps in the foregoing method embodiments may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The steps of the methods disclosed in the embodiments of this application may be directly embodied as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor.
An embodiment of this application further provides a computer-readable storage medium that stores computer-readable instructions; when a computer reads and executes the computer-readable instructions, the computer is caused to perform the method in any of the foregoing method embodiments.
An embodiment of this application further provides a computer program product; when a computer reads and executes the computer program product, the computer is caused to perform the method in any of the foregoing method embodiments.
An embodiment of this application further provides a communication system, which includes a unified data management network element and a terminal device. Optionally, a USIM card is installed in the terminal device. Optionally, the communication system may further include one or more of an access network device, an access management network element, an authentication server function network element and a unified data storage network element.
It should be understood that the processor mentioned in the embodiments of this application may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
It should also be understood that the memory mentioned in the embodiments of this application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example but not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchlink dynamic random access memory (SLDRAM) and direct rambus random access memory (DR RAM).
It should be noted that when the processor is a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, the memory (storage module) is integrated in the processor.
It should be noted that the memories described herein are intended to include, but are not limited to, these and any other suitable types of memory.
It should be understood that, in the various embodiments of this application, the sequence numbers of the foregoing processes do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described with reference to the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed by hardware or by software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered to go beyond the scope of this application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working process of the system, apparatus and units described above, reference may be made to the corresponding process in the foregoing method embodiments, which is not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for example, the division into units is merely a division by logical function, and there may be other divisions in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is merely specific implementations of this application, but the protection scope of this application is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (34)

  1. A communication method, characterized in that the method includes:
    a unified data management network element receives an authentication service request, where the authentication service request includes a resynchronization authentication token AUTS;
    the unified data management network element obtains indication information corresponding to a terminal device, where the indication information corresponding to the terminal device indicates a first AUTS algorithm used by the terminal device to calculate the AUTS; and
    the unified data management network element verifies the AUTS according to the first AUTS algorithm.
  2. The method according to claim 1, characterized in that the unified data management network element obtaining the indication information corresponding to the terminal device includes:
    the unified data management network element obtains the indication information from a local configuration, or obtains the indication information from a unified data storage network element.
  3. The method according to claim 1 or 2, characterized in that the indication information is included in the subscription data of the terminal device.
  4. A communication method, characterized in that the method includes:
    a unified data storage network element receives a service invocation request from a unified data management network element, where the service invocation request requests indication information corresponding to a terminal device, and the indication information corresponding to the terminal device indicates a first AUTS algorithm used by the terminal device to calculate an AUTS; and
    the unified data storage network element sends a service response message to the unified data management network element, where the service response message includes the indication information corresponding to the terminal device.
  5. A communication method, characterized in that the method includes:
    a unified data management network element receives an authentication service request, where the authentication service request includes an encrypted resynchronization authentication token AUTS*;
    the unified data management network element decrypts the AUTS* to obtain a resynchronization authentication token AUTS and indication information corresponding to the terminal device, where the indication information corresponding to the terminal device indicates a first AUTS algorithm used by the terminal device to calculate the AUTS; and
    the unified data management network element verifies the AUTS according to the first AUTS algorithm.
  6. A communication method, characterized in that the method includes:
    a terminal device calculates a resynchronization authentication token AUTS and encrypts the AUTS together with indication information corresponding to the terminal device to obtain an encrypted resynchronization authentication token AUTS*, where the indication information corresponding to the terminal device indicates a first AUTS algorithm used by the terminal device to calculate the AUTS; and
    the terminal device sends the AUTS* to an access management network element.
  7. The method according to claim 6, characterized in that the method further includes:
    the terminal device generates the indication information corresponding to the terminal device according to the first AUTS algorithm used to calculate the AUTS.
  8. A communication method, characterized in that the method includes:
    a unified data management network element receives an authentication service request, where the authentication service request includes a resynchronization authentication token AUTS;
    the unified data management network element obtains indication information corresponding to the terminal device from the AUTS, where the indication information corresponding to the terminal device indicates a first AUTS algorithm used by the terminal device to calculate the AUTS; and
    the unified data management network element verifies the AUTS according to the first AUTS algorithm.
  9. The method according to claim 8, characterized in that the unified data management network element verifying the AUTS according to the first AUTS algorithm includes:
    the unified data management network element obtains, according to the first AUTS algorithm, a mobile terminal sequence number SQN_MS from the AUTS; and
    calculates a MAC according to the SQN_MS, and if the MAC is consistent with the MAC-S obtained from the AUTS, the unified data management network element determines that verification of the AUTS succeeds.
  10. A communication method, characterized in that the method includes:
    a terminal device calculates a resynchronization authentication token AUTS according to indication information corresponding to the terminal device, where the indication information indicates a first AUTS algorithm used by the terminal device to calculate the AUTS; and
    the terminal device sends the AUTS to an access management network element.
  11. The method according to claim 10, characterized in that the AUTS includes the indication information corresponding to the terminal device and/or a MAC-S calculated according to the indication information.
  12. A communication method, characterized in that the method comprises:
    receiving, by a terminal device, a resynchronization authentication token AUTS and configuration information of a universal subscriber identity module USIM card from the USIM card;
    determining, by the terminal device, indication information according to the configuration information of the USIM card, where the indication information is used to indicate a first AUTS algorithm used by the USIM card to calculate the AUTS;
    encrypting, by the terminal device, the AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS*;
    sending, by the terminal device, the AUTS*.
  13. The method according to claim 12, wherein the configuration information comprises one or more of the following:
    the AUTS algorithms supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, type information of the USIM card, and version information of the USIM card.
  14. A communication method, characterized in that the method comprises:
    calculating, by a universal subscriber identity module USIM card, a resynchronization authentication token AUTS;
    sending, by the USIM card, the AUTS and configuration information of the USIM card to a terminal device.
  15. The method according to claim 14, wherein the configuration information comprises one or more of the following:
    the AUTS algorithms supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, type information of the USIM card, and version information of the USIM card.
  16. A communication apparatus, characterized in that the apparatus comprises:
    a transceiver module, configured to receive an authentication service request, where the authentication service request comprises a resynchronization authentication token AUTS;
    a processing module, configured to obtain indication information corresponding to a terminal device, where the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS;
    where the processing module is further configured to check the AUTS using the first AUTS algorithm.
  17. The apparatus according to claim 16, wherein the processing module is specifically configured to:
    obtain the indication information from a local configuration, or obtain the indication information from a unified data storage network element.
  18. The apparatus according to claim 16 or 17, wherein the indication information is included in subscription data of the terminal device.
  19. A communication apparatus, characterized in that the apparatus comprises:
    a transceiver module, configured to receive a service invocation request from a unified data management network element, where the service invocation request is used to request indication information corresponding to a terminal device, and the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate an AUTS;
    a processing module, configured to send a service response message to the unified data management network element through the transceiver module, where the service response message comprises the indication information corresponding to the terminal device.
  20. A communication apparatus, characterized in that the apparatus comprises:
    a transceiver module, configured to receive an authentication service request, where the authentication service request comprises an encrypted resynchronization authentication token AUTS*;
    a processing module, configured to decrypt the AUTS* to obtain a resynchronization authentication token AUTS and indication information corresponding to a terminal device, where the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS;
    where the processing module is further configured to check the AUTS using the first AUTS algorithm.
  21. A communication apparatus, characterized in that the apparatus comprises:
    a processing module, configured to calculate a resynchronization authentication token AUTS and to encrypt the AUTS and indication information corresponding to the apparatus to obtain an encrypted resynchronization authentication token AUTS*, where the indication information corresponding to the apparatus is used to indicate a first AUTS algorithm used by the apparatus to calculate the AUTS;
    a transceiver module, configured to send the AUTS* to an access management network element.
  22. The apparatus according to claim 21, wherein the processing module is further configured to:
    generate the indication information corresponding to the apparatus according to the first AUTS algorithm used to calculate the AUTS.
  23. A communication apparatus, characterized in that the apparatus comprises:
    a transceiver module, configured to receive an authentication service request, where the authentication service request comprises a resynchronization authentication token AUTS;
    a processing module, configured to obtain, from the AUTS, indication information corresponding to a terminal device, where the indication information corresponding to the terminal device is used to indicate a first AUTS algorithm used by the terminal device to calculate the AUTS;
    where the processing module is further configured to check the AUTS using the first AUTS algorithm.
  24. The apparatus according to claim 23, wherein the processing module is specifically configured to:
    compute a MAC according to the mobile terminal sequence number SQN_MS obtained from the AUTS according to the first AUTS algorithm;
    if the MAC is consistent with the MAC-S obtained from the AUTS, determine that the AUTS check succeeds.
  25. A communication apparatus, characterized in that the apparatus comprises:
    a processing module, configured to calculate a resynchronization authentication token AUTS according to indication information corresponding to the apparatus, where the indication information is used to indicate a first AUTS algorithm used by the apparatus to calculate the AUTS;
    a transceiver module, configured to send the AUTS to an access management network element.
  26. The apparatus according to claim 25, wherein the AUTS comprises the indication information corresponding to the apparatus and/or a MAC-S calculated according to the indication information.
  27. A communication apparatus, characterized in that the apparatus comprises:
    a transceiver module, configured to receive a resynchronization authentication token AUTS and configuration information of a universal subscriber identity module USIM card from the USIM card;
    a processing module, configured to determine indication information according to the configuration information of the USIM card, where the indication information is used to indicate a first AUTS algorithm used by the USIM card to calculate the AUTS;
    where the processing module is further configured to encrypt the AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS*;
    and the transceiver module is further configured to send the AUTS* to an access management network element.
  28. The apparatus according to claim 27, wherein the configuration information comprises one or more of the following:
    the AUTS algorithms supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, type information of the USIM card, and version information of the USIM card.
  29. A communication apparatus, characterized in that the apparatus comprises:
    a processing module, configured to calculate a resynchronization authentication token AUTS;
    a transceiver module, configured to send the AUTS and configuration information of the apparatus to a terminal device.
  30. The apparatus according to claim 29, wherein the configuration information comprises one or more of the following:
    the AUTS algorithms supported by the apparatus, whether the apparatus supports a specific type of AUTS algorithm, type information of the apparatus, and version information of the apparatus.
  31. A communication apparatus, characterized in that the apparatus comprises at least one processor, the at least one processor being coupled to at least one memory:
    the at least one processor being configured to execute a computer program or instructions stored in the at least one memory, so as to cause the apparatus to perform the method according to any one of claims 1 to 3, or to cause the apparatus to perform the method according to claim 4, or to cause the apparatus to perform the method according to claim 5, or to cause the apparatus to perform the method according to any one of claims 6 to 7, or to cause the apparatus to perform the method according to any one of claims 8 to 9, or to cause the apparatus to perform the method according to any one of claims 10 to 11, or to cause the apparatus to perform the method according to any one of claims 12 to 13, or to cause the apparatus to perform the method according to any one of claims 14 to 15.
  32. A computer-readable storage medium, characterized in that it is configured to store instructions which, when executed, cause the method according to any one of claims 1 to 3 to be implemented, or cause the method according to claim 4 to be implemented, or cause the method according to claim 5 to be implemented, or cause the method according to claims 6 to 7 to be implemented, or cause the method according to any one of claims 8 to 9 to be implemented, or cause the method according to any one of claims 10 to 11 to be implemented, or cause the method according to any one of claims 12 to 13 to be implemented, or cause the method according to any one of claims 14 to 15 to be implemented.
  33. A communication apparatus, characterized in that it comprises a processor and an interface circuit;
    the interface circuit being configured to exchange code instructions with the processor;
    the processor being configured to run the code instructions to perform the method according to any one of claims 1 to 3, or to run the code instructions to perform the method according to claim 4, or to run the code instructions to perform the method according to claim 5, or to run the code instructions to perform the method according to any one of claims 6 to 7, or to run the code instructions to perform the method according to any one of claims 8 to 9, or to run the code instructions to perform the method according to any one of claims 10 to 11, or to run the code instructions to perform the method according to any one of claims 12 to 13, or to run the code instructions to perform the method according to any one of claims 14 to 15.
  34. A computer program product, characterized in that, when a computer reads and executes the computer program product, the computer is caused to perform the method according to any one of claims 1 to 3, or to perform the method according to claim 4, or to perform the method according to claim 5, or to perform the method according to any one of claims 6 to 7, or to perform the method according to any one of claims 8 to 9, or to perform the method according to any one of claims 10 to 11, or to perform the method according to any one of claims 12 to 13, or to perform the method according to any one of claims 14 to 15.
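The AUTS check of claims 9 and 24 (recover SQN_MS from the AUTS under the indicated algorithm, recompute the MAC, compare it with the carried MAC-S), with the indication information looked up in subscription data as in claims 17 and 18, as an added example that is not the patent's own code. It assumes HMAC-SHA256 truncations as stand-ins for the USIM functions f1*/f5* (real USIMs use Milenage or TUAK), and the indication values 0 and 1 and the way the second variant binds the indication byte into MAC-S are constructed for illustration only.

```python
import hmac
import hashlib

# 3GPP widths: SQN 48 bits, AK* 48 bits, MAC-S 64 bits; AUTS = (SQN_MS xor AK*) || MAC-S
SQN_LEN, MAC_LEN = 6, 8
# Constructed indication values (assumption): 0 = legacy MAC-S input, 1 = MAC-S also binds the indication
ALG_LEGACY, ALG_BOUND = 0, 1
# Constructed subscription data: indication information per subscriber (claims 17, 18)
SUBSCRIPTION = {"supi-example-0001": ALG_BOUND, "supi-example-0002": ALG_LEGACY}


def _prf(k, label, data, n):
    """Keyed stand-in for the USIM functions f1*/f5* (HMAC-SHA256, an assumption)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def f5_star(k, rand):
    """Anonymity key AK* that masks SQN_MS inside the AUTS."""
    return _prf(k, b"f5*", rand, SQN_LEN)


def f1_star(k, rand, sqn_ms, amf, ind):
    """MAC-S; the 'first AUTS algorithm' named by ind decides whether the indication is bound in."""
    tail = bytes([ind]) if ind == ALG_BOUND else b""
    return _prf(k, b"f1*", sqn_ms + amf + rand + tail, MAC_LEN)


def build_auts(k, rand, sqn_ms, amf, ind):
    """USIM/terminal side (claims 10, 21): AUTS computed under the algorithm the indication names."""
    conc = bytes(a ^ b for a, b in zip(sqn_ms, f5_star(k, rand)))
    return conc + f1_star(k, rand, sqn_ms, amf, ind)


def verify_auts(k, rand, amf, auts, ind):
    """UDM side (claims 9, 24): recover SQN_MS per the indicated algorithm, recompute the MAC
    and compare it with the MAC-S carried in the AUTS. Returns (ok, sqn_ms or None)."""
    if len(auts) != SQN_LEN + MAC_LEN:
        return False, None                      # malformed token: reject before any key use
    conc, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    sqn_ms = bytes(a ^ b for a, b in zip(conc, f5_star(k, rand)))
    mac = f1_star(k, rand, sqn_ms, amf, ind)
    if not hmac.compare_digest(mac, mac_s):     # constant-time comparison of MAC and MAC-S
        return False, None
    return True, sqn_ms


def udm_check(supi, k, rand, amf, auts):
    """Claims 16 to 18: the UDM reads the indication from subscription data, then checks the AUTS."""
    ind = SUBSCRIPTION.get(supi, ALG_LEGACY)
    return verify_auts(k, rand, amf, auts, ind)


if __name__ == "__main__":
    # Constructed sample values (not real keys or subscriber data)
    K, RAND, AMF = bytes(range(16)), bytes(range(16, 32)), b"\x80\x00"
    SQN = bytes.fromhex("000000000123")
    auts = build_auts(K, RAND, SQN, AMF, ALG_BOUND)
    print(udm_check("supi-example-0001", K, RAND, AMF, auts))   # (True, SQN)
    print(udm_check("supi-example-0002", K, RAND, AMF, auts))   # (False, None): algorithm mismatch
```

A mismatch between the algorithm the USIM used and the one recorded for the subscriber fails the check exactly like a forged or truncated token, which is why the claims carry the indication either in subscription data or inside the (encrypted) token itself.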

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010103830.2A CN113285805B (en) 2020-02-20 2020-02-20 Communication method and device
CN202010103830.2 2020-02-20

Publications (1)

Publication Number Publication Date
WO2021164291A1 true WO2021164291A1 (en) 2021-08-26

Family

ID=77274991

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/122866 WO2021164291A1 (en) 2020-02-20 2020-10-22 Communication method and apparatus

Country Status (2)

Country Link
CN (1) CN113285805B (en)
WO (1) WO2021164291A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101448263A (en) * 2008-12-16 2009-06-03 华为技术有限公司 Method for implementing authentication resynchronization and network device
US20130331063A1 (en) * 2012-06-11 2013-12-12 Research In Motion Limited Enabling multiple authentication applications

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US7574599B1 (en) * 2002-10-11 2009-08-11 Verizon Laboratories Inc. Robust authentication and key agreement protocol for next-generation wireless networks
CN101123778A (en) * 2007-09-29 2008-02-13 大唐微电子技术有限公司 Network access authentication method and its USIM card
JP6101088B2 (en) * 2012-10-31 2017-03-22 株式会社Nttドコモ Status change notification method, subscriber authentication device, status change detection device, and mobile communication system

Non-Patent Citations (1)

Title
ANONYMOUS: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on authentication enhancements in 5G System; (Release 16)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 33.846, vol. SA WG3, no. V0.5.0, 2 January 2020 (2020-01-02), pages 1 - 25, XP051841106 *

Also Published As

Publication number Publication date
CN113285805B (en) 2022-08-26
CN113285805A (en) 2021-08-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20920032; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20920032; Country of ref document: EP; Kind code of ref document: A1)