WO2021164291A1 - Communication method and apparatus - Google Patents

Communication method and apparatus

Info

Publication number: WO2021164291A1
Application number: PCT/CN2020/122866
Authority: WO, WIPO (PCT)
Prior art keywords: AUTS, terminal device, indication information, algorithm, network element
Other languages: English (en), Chinese (zh)
Inventors: 赵绪文, 张博
Original assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2021164291A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/32: Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321: Cryptographic mechanisms or arrangements for verifying identity or authority involving a third party or a trusted authority
    • H04L 9/3213: Cryptographic mechanisms or arrangements for verifying identity or authority involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/50: Network services
    • H04L 67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Definitions

  • This application relates to the field of wireless communication technology, and in particular to a communication method and device.
  • After receiving the authentication request message from the access and mobility management function (AMF), the terminal device verifies the sequence number (SQN) carried in the authentication request message. If the SQN is not within the correct value range, the terminal device further calculates the resynchronization authentication token (authentication token for synchronisation, AUTS) and sends the AUTS to unified data management (UDM). After the UDM receives the AUTS, it verifies the AUTS and executes the resynchronization process once the verification passes.
  • SQN sequence number
  • AUTS authentication token for synchronisation
  • UDM unified data management
  • the embodiments of the present application provide a communication method and device for identifying the AUTS algorithm adopted by the terminal equipment, so that the correct AUTS algorithm is used to verify the AUTS, and the authentication efficiency of the terminal equipment is improved.
  • an embodiment of the present application provides a communication method that can be executed by a unified data management network element UDM.
  • the method includes: the unified data management network element receives an authentication service request, and the authentication service request includes a resynchronization authentication token AUTS; the unified data management network element obtains the indication information corresponding to the terminal device, and the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the unified data management network element verifies the AUTS according to the first AUTS algorithm.
  • the unified data management network element can identify the AUTS algorithm used by the terminal device to calculate the AUTS according to the indication information corresponding to the terminal device, and then use the AUTS algorithm consistent with the terminal device to verify the AUTS calculated by the terminal device. In this way, the problem of resynchronization failure caused by the inconsistency of the AUTS algorithm adopted by the unified data management network element and the terminal device can be effectively avoided, so that the resynchronization process and the subsequent authentication process of the terminal device can be performed normally.
  • the unified data management network element obtaining the indication information corresponding to the terminal device may include the unified data management network element obtaining the indication information from its local configuration, or obtaining the indication information from the unified data storage network element.
  • the indication information corresponding to the terminal device may be pre-configured locally in the unified data management network element, or may be configured in the unified data storage network element. In this way, the applicability of the technical solutions in the embodiments of the present application can be enhanced.
  • the indication information of the terminal device may be included in the subscription data of the terminal device, and the subscription data of the terminal device may be stored in the unified data management network element or in the unified data storage network element.
  • the unified data management network element determining the first AUTS algorithm according to the indication information corresponding to the terminal device may include: the unified data management network element determines the first AUTS algorithm according to the identifier of the terminal device in the authentication service request and the indication information corresponding to the terminal device.
  • the embodiments of the present application provide a communication method that can be executed by a unified data storage network element UDR.
  • the method includes: the unified data storage network element receives a service invocation request from the unified data management network element, and the service invocation request is used to request the indication information corresponding to the terminal device, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the unified data storage network element sends a service response message to the unified data management network element, and the service response message includes the indication information corresponding to the terminal device.
  • the indication information corresponding to the terminal device may be pre-configured in the unified data storage network element.
  • the unified data storage network element may send the indication information corresponding to the terminal device to the unified data management network element based on the service call request sent by the unified data management network element, so that the unified data management network element can verify the AUTS according to the AUTS algorithm indicated by the indication information, and the resynchronization process can proceed normally.
  • the embodiments of the present application provide another communication method, which can be executed by the unified data management network element UDM, and the method includes: the unified data management network element receives an authentication service request, and the authentication service request includes an encrypted resynchronization authentication token AUTS*; the unified data management network element decrypts the AUTS* to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device.
  • the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS;
  • the unified data management network element verifies the AUTS according to the first AUTS algorithm.
  • the unified data management network element can decrypt the received encrypted resynchronization authentication token AUTS* to obtain the indication information corresponding to the terminal device and the AUTS generated by the terminal device. In this way, the unified data management network element can determine the AUTS algorithm used by the terminal device according to the indication information corresponding to the terminal device, and then use the AUTS algorithm consistent with the terminal device to verify the AUTS sent by the terminal device, thereby avoiding the problem of resynchronization failure caused by the inconsistency of the AUTS algorithm used by the unified data management network element and the terminal device, so that the resynchronization process and the subsequent authentication process of the terminal device can proceed normally, and at the same time the security of the authentication process can be improved.
  • the unified data management network element determining the first AUTS algorithm according to the indication information corresponding to the terminal device may include: the unified data management network element determines the first AUTS algorithm according to the identifier of the terminal device in the authentication service request and the indication information corresponding to the terminal device.
  • the embodiments of the present application provide another communication method, which can be executed by a terminal device, and the method includes: the terminal device calculates a resynchronization authentication token AUTS, and encrypts the AUTS together with the indication information corresponding to the terminal device to obtain an encrypted resynchronization authentication token AUTS*, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the terminal device sends the AUTS* to the access management network element.
  • the terminal device may encrypt and protect the corresponding indication information together with the generated AUTS, and send it to the unified data management network element.
  • the unified data management network element can determine the AUTS algorithm used by the terminal device according to the indication information sent by the terminal device, and use the AUTS algorithm consistent with the terminal device to verify the AUTS sent by the terminal device, thereby avoiding the problem of resynchronization failure caused by the inconsistency of the AUTS algorithm used by the unified data management network element and the terminal device, so that the resynchronization process and the subsequent authentication process of the terminal device can proceed normally, and at the same time the security of the authentication process can be improved.
  • the method further includes: the terminal device generates the indication information corresponding to the terminal device according to the first AUTS algorithm used to calculate the AUTS.
  • the embodiments of the present application provide another communication method, which can be executed by the unified data management network element UDM, and the method includes: the unified data management network element receives an authentication service request, and the authentication service request includes a resynchronization authentication token AUTS; the unified data management network element obtains the indication information corresponding to the terminal device from the AUTS.
  • the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the unified data management network element verifies the AUTS according to the first AUTS algorithm.
  • the indication information corresponding to the terminal device can also be carried directly in the AUTS, with integrity protection applied.
  • the unified data management network element can directly obtain the indication information corresponding to the terminal device from the received AUTS, determine the AUTS algorithm used by the terminal device according to that indication information, and use the AUTS algorithm consistent with the terminal device to verify the AUTS sent by the terminal device, so as to avoid the problem of resynchronization failure caused by the inconsistency of the AUTS algorithm used by the unified data management network element and the terminal device, so that the resynchronization process and the subsequent terminal device authentication process can proceed normally, and at the same time improve the security of the authentication process.
  • the unified data management network element verifying the AUTS according to the first AUTS algorithm may include: the unified data management network element obtains the mobile terminal sequence number SQN_MS from the AUTS according to the first AUTS algorithm, and calculates a MAC based on SQN_MS; if the calculated MAC is consistent with the MAC-S obtained from the AUTS, the unified data management network element can determine that the AUTS verification is successful.
  • the embodiments of the present application provide another communication method, which can be executed by a terminal device, and the method includes: the terminal device calculates the resynchronization authentication token AUTS according to the indication information corresponding to the terminal device, where the indication information is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the terminal device sends the AUTS to the access management network element.
  • the terminal device may carry the corresponding indication information when calculating the AUTS, and then send the integrity-protected AUTS to the unified data management network element.
  • the unified data management network element can obtain the indication information corresponding to the terminal device from the received AUTS, determine the AUTS algorithm used by the terminal device according to that indication information, and use the AUTS algorithm consistent with the terminal device to verify the AUTS sent by the terminal device, so as to avoid the problem of resynchronization failure caused by the inconsistency of the AUTS algorithm used by the unified data management network element and the terminal device, so that the resynchronization process and the subsequent terminal device authentication process can be carried out normally, and at the same time improve the security of the authentication process.
  • the AUTS includes the indication information corresponding to the terminal device and/or a MAC-S calculated according to the indication information.
  • the embodiments of the present application provide another communication method, which can be executed by a terminal device, and the method includes: the terminal device receives a resynchronization authentication token AUTS and configuration information of a universal subscriber identity module (USIM) card from the USIM card; the terminal device determines the indication information according to the configuration information of the USIM card, where the indication information is used to indicate the first AUTS algorithm used by the USIM card to calculate the AUTS; the terminal device encrypts the AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS*; the terminal device sends the AUTS* to the access management network element.
  • the terminal device can determine the AUTS algorithm used by the USIM card according to the configuration information of the USIM card, then encrypt the indication information indicating the AUTS algorithm used by the USIM card together with the AUTS calculated by the USIM card, and send the result to the unified data management network element.
  • in this way, the resynchronization process can be performed normally, and at the same time the problem that the indication information cannot be generated or the encryption processing cannot be performed, which may be caused by limitations or incompatibility of the USIM card, is avoided, thereby enhancing the applicability of the method.
  • the configuration information includes one or more of the following: the AUTS algorithms supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and the version information of the USIM card.
  • the embodiments of the present application provide another communication method, which can be executed by a USIM card, and the USIM card can be installed in a terminal device.
  • the method includes: the universal subscriber identity module (USIM) card calculates the resynchronization authentication token AUTS, and the USIM card sends the calculated AUTS and the configuration information of the USIM card to the terminal device.
  • since the USIM card can send the calculated AUTS and the configuration information of the USIM card to the terminal device, the terminal device itself generates the indication information indicating the AUTS algorithm according to the configuration information of the USIM card, encrypts the indication information together with the AUTS calculated by the USIM card, and then sends the result to the unified data management network element. In this way, the resynchronization process can be carried out normally, and at the same time the problem that the indication information cannot be generated or the encryption processing cannot be performed due to limitations or incompatibility of the USIM card is avoided, thereby enhancing the applicability of the method.
  • the configuration information includes one or more of the following: the AUTS algorithms supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and the version information of the USIM card.
  • an embodiment of the present application provides a communication device, which has the function of realizing the unified data management network element in the first aspect or any one of the possible designs of the first aspect, or may also have the function of realizing the unified data management network element in the third aspect or any possible design of the third aspect, or may also have the function of realizing the unified data management network element in the fifth aspect or any possible design of the fifth aspect, or may also have the function of realizing the unified data storage network element in the second aspect or any possible design of the second aspect described above.
  • the device may be a network device, or a device included in the network device, such as a chip.
  • the device may also have the function of realizing the terminal device in any possible design of the foregoing fourth aspect or the fourth aspect, or have the function of realizing the terminal device in any possible design of the foregoing sixth aspect or the sixth aspect , Or have the function of a terminal device in any possible design of the seventh aspect or the seventh aspect described above.
  • the device can be a terminal device, such as a handheld terminal device, a vehicle-mounted terminal device, a vehicle user device or a roadside unit; a device included in a terminal device, such as a chip; or a device containing a terminal device, such as a vehicle.
  • the device may also have the function of realizing the USIM card in the eighth aspect or any one of the possible designs of the eighth aspect.
  • the USIM card may be a device included in a terminal device, such as a chip.
  • the functions of the above-mentioned communication device may be realized by hardware, or may be realized by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a processing module and a transceiver module, wherein the processing module is configured to support the device in performing the corresponding function of the unified data management network element in the first aspect or any possible design of the first aspect, or the corresponding function of the unified data storage network element in the second aspect or any possible design of the second aspect, or the corresponding function of the unified data management network element in the third aspect or any possible design of the third aspect, or the corresponding function of the terminal device in the fourth aspect or any possible design of the fourth aspect, or the corresponding function of the unified data management network element in the fifth aspect or any possible design of the fifth aspect.
  • the transceiver module is used to support communication between the device and other communication devices. For example, when the device is a unified data management network element, it obtains the indication information corresponding to the terminal device from the unified data storage network element.
  • the communication device may also include a storage module, which is coupled with the processing module, which stores program instructions and data necessary for the device.
  • the processing module may be a processor
  • the communication module may be a transceiver
  • the storage module may be a memory.
  • the memory may be integrated with the processor or may be provided separately from the processor, which is not limited in this application.
  • the structure of the device includes a processor and may also include a memory.
  • the processor is coupled with the memory, and can be used to execute the computer program instructions stored in the memory, so that the device executes the above-mentioned first aspect or any one of the possible design methods of the first aspect, or executes the above-mentioned second aspect or the second aspect.
  • the device further includes a communication interface, and the processor is coupled with the communication interface.
  • the communication interface may be a transceiver or an input/output interface; when the device is a chip included in the network device or terminal device, the communication interface may be an input/output interface of the chip.
  • the transceiver may be a transceiver circuit, and the input/output interface may be an input/output circuit.
  • an embodiment of the present application provides a chip system, including: a processor, the processor being coupled with a memory, the memory being used to store a program or an instruction; when the program or instruction is executed by the processor, the chip system is enabled to implement the method in the first aspect or any possible design of the first aspect, or the method in the second aspect or any possible design of the second aspect, or the method in the third aspect or any possible design of the third aspect, or the method in the fourth aspect or any possible design of the fourth aspect, or the method in the fifth aspect or any possible design of the fifth aspect, or the method in the sixth aspect or any possible design of the sixth aspect, or the method in the seventh aspect or any possible design of the seventh aspect, or the method in the eighth aspect or any possible design of the eighth aspect.
  • the chip system further includes an interface circuit, which is used to exchange code instructions to the processor.
  • there may be one or more processors in the chip system, and the processors may be implemented by hardware or software.
  • the processor may be a logic circuit, an integrated circuit, or the like.
  • the processor may be a general-purpose processor, which is implemented by reading software codes stored in the memory.
  • the memory may be integrated with the processor, or may be provided separately from the processor, which is not limited in this application.
  • the memory may be a non-transitory memory, such as a read-only memory ROM, which may be integrated with the processor on the same chip, or may be set on different chips.
  • the setting method of the processor is not specifically limited.
  • an embodiment of the present application provides a computer-readable storage medium on which a computer program or instruction is stored.
  • when the computer program or instruction is executed, the computer executes the method in the first aspect or any possible design of the first aspect, or the method in the second aspect or any possible design of the second aspect, or the method in the third aspect or any possible design of the third aspect, or the method in the fourth aspect or any possible design of the fourth aspect, or the method in the fifth aspect or any possible design of the fifth aspect, or the method in the sixth aspect or any possible design of the sixth aspect, or the method in the seventh aspect or any possible design of the seventh aspect, or the method in the eighth aspect or any possible design of the eighth aspect.
  • the embodiments of the present application provide a computer program product.
  • the computer reads and executes the computer program product, the computer executes the first aspect or any one of the possible design methods in the first aspect.
  • an embodiment of the present application provides a communication system, which includes a unified data management network element and terminal equipment.
  • a USIM card is provided in the terminal device.
  • the communication system may also include one or more of an access network device, an access management network element, an authentication service function network element, and a unified data storage network element.
  • FIG. 1 is a schematic diagram of a network architecture of a communication system to which an embodiment of this application is applicable;
  • FIG. 2 is a schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 3 is a schematic diagram of verifying AUTN provided by an embodiment of the application.
  • FIG. 4a and FIG. 4b are schematic diagrams of the AUTS algorithm provided by an embodiment of this application.
  • FIG. 5 is a specific example of the communication method provided by the embodiment of this application.
  • FIG. 6 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 7 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 9 is a schematic flowchart of another communication method provided by an embodiment of this application.
  • FIG. 10 is another specific example of the communication method provided by the embodiment of this application.
  • FIG. 11 is a schematic structural diagram of a communication device provided by an embodiment of this application.
  • FIG. 12 is another schematic structural diagram of a communication device provided by an embodiment of this application.
  • FIG. 13 is a schematic structural diagram of another communication device provided by an embodiment of this application.
  • FIG. 14 is a schematic diagram of another structure of another communication device provided by an embodiment of this application.
  • GSM global system for mobile communications
  • CDMA code division multiple access
  • WCDMA wideband code division multiple access
  • GPRS general packet radio service
  • LTE long term evolution
  • LTE frequency division duplex FDD
  • TDD LTE Time division duplex
  • UMTS universal mobile telecommunication system
  • WIMAX worldwide interoperability for microwave access
  • 5G fifth generation
  • NR new radio
  • FIG. 1 is a schematic diagram of a network architecture of a communication system to which an embodiment of this application is applicable.
  • the network architecture includes terminal equipment, access network equipment, access management network elements, session management network elements, user plane network elements, policy control network elements, network slice selection network elements, network repository function network elements, network data analysis network elements, unified data management network elements, unified data storage network elements, authentication service function network elements, network capability exposure network elements, application function network elements, and the data network (DN) connected to the operator's network.
  • the terminal device can send service data to and receive service data from the data network through the access network device and the user plane network element.
  • the terminal device is a device with a wireless transceiver function, which can be deployed on land (including indoor or outdoor, handheld, wearable or vehicle-mounted), on the water (such as on ships), or in the air (such as on airplanes, balloons or satellites).
  • the terminal device can communicate with the core network via a radio access network (RAN), and exchange voice and/or data with the RAN.
  • the terminal device can be a mobile phone.
  • Access network equipment is a device used to connect terminal equipment to the wireless network in the network.
  • the access network device may be a node in a radio access network, may also be called a base station, or may be called a radio access network (RAN) node (or device).
  • RAN radio access network
  • the network equipment may include the evolved base station (evolved NodeB, eNB or e-NodeB) in the long term evolution (LTE) system or the evolved LTE system (LTE-Advanced, LTE-A), such as the traditional macro base station eNB and the micro base station eNB in the heterogeneous network scenario; it may also include the next generation node B (gNB) in the new radio (NR) system of the fifth generation mobile communication technology (5G); it may also include a radio network controller (RNC), node B (NB), base station controller (BSC), base transceiver station (BTS), transmission reception point (TRP), home base station (for example, home evolved NodeB or home Node B, HNB), baseband unit (BBU), baseband pool (BBU pool), or WiFi access point (AP), etc.; or it may also include the centralized unit (CU) and distributed unit (DU).
  • the CU supports radio resource control (RRC), packet data convergence protocol (PDCP), service data adaptation protocol (SDAP) and other protocols; the DU mainly supports radio link control (RLC), media access control (MAC) and physical layer protocols.
  • RRC radio resource control
  • PDCP packet data convergence protocol
  • SDAP service data adaptation protocol
  • RLC radio link control
  • MAC media access control
  • the access management network element is mainly used for terminal attachment, mobility management, and tracking area update procedures in the mobile network.
  • the access management network element terminates non-access stratum (NAS) messages, completes registration management, connection management and reachability management, allocation of the tracking area list (TA list), mobility management, etc., and transparently routes session management (SM) messages to the session management network element.
  • NAS non-access stratum
  • the access management network element can be the access and mobility management function (AMF).
  • AMF access and mobility management function
  • future communication systems such as 6G communication systems
  • the mobility management network element may still be an AMF network element, or may also have other names, which is not limited in this application.
  • the session management network element is mainly used for session management in the mobile network, such as session establishment, modification, and release. Specific functions include assigning Internet Protocol (IP) addresses to terminals and selecting user plane network elements that provide message forwarding functions.
  • IP Internet Protocol
  • the session management network element can be a session management function (session management function, SMF).
  • SMF session management function
  • the session management network element can still be an SMF network element, or it can have other names, which is not limited in this application.
  • User plane network elements are mainly used to process user messages, such as forwarding, charging, and lawful monitoring.
  • the user plane network element may also be referred to as a protocol data unit (PDU) session anchor (PSA).
  • PDU protocol data unit
  • PSA PDU session anchor
  • the user plane network element can be a user plane function (UPF).
  • UPF user plane function
  • the user plane network element can still be a UPF network element, or it can have other names, which is not limited in this application.
  • Policy control network elements include user subscription data management functions, policy control functions, charging policy control functions, quality of service (QoS) control, etc.
  • the policy control network element can be a policy control function (PCF).
  • PCF policy control function
  • the policy control network element can still be a PCF network element, or it can have other names, which is not limited in this application.
  • the authentication service function network element is mainly used for security authentication of terminal equipment.
  • the authentication service function network element may be an authentication server function (authentication server function, AUSF).
  • the authentication service function network element may still be an AUSF network element, or it can have other names, which is not limited in this application.
  • the unified data storage network element is mainly used to store structured data information, including contract information, policy information, and network data or business data defined in a standard format.
  • the unified data storage network element can be a unified data repository (UDR).
  • UDR unified data repository
  • future communication systems such as 6G communication systems
  • the unified data storage network element can still be a UDR network element, or it can have other names, which is not limited in this application.
  • the network slice selection function network element is mainly used to select a suitable network slice for the service of the terminal device.
  • the network slice selection network element can be a network slice selection function (NSSF) network element.
  • the network slice selection network element can still be an NSSF network element, or it may also have other names, which is not limited in this application.
  • the network element of the network warehouse function is mainly used to provide the registration and discovery functions of the network element or the service provided by the network element.
  • the network warehouse function network element can be a network repository function (NRF).
  • NRF network repository function
  • the network repository function network element can still be an NRF network element, or it can have other names, which is not limited in this application.
  • the network capability opening network element can expose part of the network functions to the application in a controlled manner.
  • the network capability opening network element may be a network exposure function (NEF).
  • NEF network exposure function
  • the network capability exposure network element may still be a NEF network element, or it may have other names, which is not limited in this application.
  • the application function network element can provide service data of various applications to the control plane network element of the communication network of the operator, or obtain network data information and control information from the control plane network element of the communication network.
  • the application function network element may be an application function (AF).
  • AF application function
  • the application function network element may still be an AF network element, or it may also have other names, which is not limited in this application.
  • Data network is mainly used to provide data transmission services for terminal equipment.
  • the data network can be a private network, such as a local area network, or a public data network (PDN), such as the Internet, or a private network jointly deployed by operators, such as a configured IP multimedia subsystem (IMS) network.
  • PDN public data network
  • IMS IP multimedia core network subsystem
  • network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • the unified data management network element is the UDM network element
  • the authentication service function network element is the AUSF network element
  • the access management network element is the AMF network element.
  • UDM unified data management
  • AUSF authentication server function
  • AMF access and mobility management function
  • ordinal numbers such as “first” and “second” mentioned in the embodiments of this application are used to distinguish multiple objects, and are not used to limit the order, timing, priority, or importance of multiple objects.
  • the descriptions of “first” and “second” do not limit the objects to be different.
  • FIG. 2 is a schematic flowchart of a communication method provided by an embodiment of this application. The method specifically includes the following steps:
  • Step S201 UDM receives an authentication service request
  • the authentication service request includes a resynchronization authentication token AUTS, and the AUTS is used to indicate that the terminal device has determined that the serial number SQN in the authentication token (AUTN) is not within the correct range.
  • UDM may also receive authentication service requests from other network functions NF, which is not limited in this application.
  • the embodiments of the present application can be applied to the authentication process of the terminal device.
  • the terminal device determining that the serial number SQN in the authentication token AUTN is not within the correct range may mean that the terminal device determines that the serial number SQN in the authentication token AUTN is less than or equal to the serial number SQN_MS stored in the terminal device.
  • the terminal device may receive an authentication request message from AMF.
  • the authentication request message includes a random number RAND and an authentication token AUTN.
  • the authentication token AUTN specifically includes a serial number SQN, an anonymity key (AK), an authentication management domain (AMF), a message authentication code (MAC) and other parameters.
  • the terminal device can verify the authentication token AUTN included in the authentication request message. If the terminal device finds that the serial number SQN in the authentication token AUTN is not within the correct range, the terminal device can generate a resynchronization authentication token AUTS and send an authentication failure message to the AMF.
  • the authentication failure message carries the calculated resynchronization authentication token AUTS, which is used to indicate that the terminal device has determined that the serial number SQN in the authentication token AUTN is not within the correct range. Subsequently, after the AMF receives the authentication failure message from the terminal device, it can send an authentication service request to the UDM or AUSF.
  • the authentication service request includes the resynchronization authentication token AUTS calculated by the terminal device.
  • the USIM card can further verify the serial number SQN in the authentication token AUTN.
  • the USIM card can compare the serial number SQN in the authentication token AUTN with the serial number SQN_MS stored in the USIM card.
  • the USIM card can calculate AUTS, and then the terminal device can send an authentication failure message to the AMF; the authentication failure message indicates that the specific failure reason is synchronization failure (synch failure), and also includes the resynchronization authentication token AUTS calculated by the USIM card after the SQN verification fails, where the AUTS is used to indicate that the USIM card has determined that the serial number SQN in the AUTN is not within the correct range.
  • the authentication failure message may also include the random number RAND.
  • the terminal device can use multiple possible AUTS algorithms to calculate AUTS.
  • FIG. 4a is a schematic diagram of an AUTS algorithm provided in this embodiment of the application.
  • AUTS satisfies the following relationship (Formula 1):
  • AUTS = (SQN_MS xor AK) || MAC-S
  • that is, AUTS is equal to the exclusive OR of SQN_MS and AK, concatenated with MAC-S.
  • SQN_MS is the serial number of the terminal device, or it can also be understood as the highest serial number accepted by the USIM card.
  • xor means exclusive OR
  • AK is an anonymity key
  • AK = f5*(RAND, K)
  • f5*() means a function
  • RAND and K are the parameters of the function
  • RAND is a random number
  • K is the root key
  • || means concatenation (splicing)
  • MAC-S is the message authentication code calculated by the USIM card, used to realize the encryption and integrity protection of SQN_MS
  • MAC-S = f1*(SQN_MS, K, RAND, AMF)
  • f1*() is another function
  • AMF is the authentication management domain.
  • FIG. 4b is a schematic diagram of another AUTS algorithm provided by an embodiment of this application.
  • AUTS also satisfies the relationship in Formula 1:
  • Step S202 The UDM obtains indication information corresponding to the terminal device, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS.
  • the indication information may be associated with the identification of the terminal device, the identification of the USIM card or the user identification (such as a subscription permanent identifier (SUPI), an international mobile subscriber identification number (IMSI), or a generic public subscription identifier (GPSI)), and is used to directly or indirectly indicate the first AUTS algorithm used by the terminal device (or USIM card) to calculate the resynchronization authentication token AUTS.
  • the indication information may be the identification of the first AUTS algorithm used by the terminal device (or USIM card) to calculate AUTS, or the indication information may include the identification of the first AUTS algorithm used by the terminal device (or USIM card) to calculate AUTS.
  • the indication information can also be used to indicate whether the terminal device (or USIM card) supports the new AUTS algorithm, or the indication information may also be used to indicate whether the USIM card is a new card, or the indication information may also be information such as the type or batch or release of the USIM card.
  • the first AUTS algorithm may be one of the two AUTS algorithms described above, or may be another AUTS algorithm, which is not limited in this application.
  • the indication information corresponding to the terminal device may be included in the subscription data of the terminal device, and the subscription data may also be referred to as user subscription data. That is to say, the user subscription data of the terminal device is stored in the UDM, and the operator can set the above-mentioned indication information in the user subscription data of the terminal device in advance, thereby directly or indirectly indicating the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS.
  • a user-granularity subscription feature list can also be maintained in the UDM, which is used to indicate which features the terminal device (or USIM card) supports or does not support, for example, whether the new AUTS algorithm is supported, or the type, batch or version information of the USIM card, etc.
  • the UDM may also determine the first AUTS algorithm used by the terminal device (or USIM card) when calculating AUTS according to the features supported by the terminal device listed in the subscription feature list corresponding to the terminal device. That is, the subscription feature list corresponding to the terminal device can also be understood as a specific implementation manner of the foregoing indication information.
  • the indication information corresponding to the terminal device may also be configured in the UDR. After the UDM receives the authentication service request, the indication information corresponding to the terminal device may be obtained from the UDR.
  • the user subscription data of the terminal device may be stored in the UDR, and the operator may set the above-mentioned indication information in the user subscription data of the terminal device in advance.
  • after the UDM receives the authentication service request, it can send a service invocation request to the UDR according to the identification of the terminal device, the identification of the USIM card or the user identification.
  • the service invocation request is used to request user subscription data of the terminal device.
  • the service invocation request may include the identification of the terminal device or the identification of the USIM card or the user identification.
  • the service invocation request may also be called a service request, a service request message or a service invocation request message, etc., which is not limited in this application.
  • the UDR may receive the service invocation request and send a service response to the UDM, where the service response is in response to the service invocation request sent by the UDM, and the service response includes the indication information corresponding to the terminal device; the indication information may be included in the user subscription data of the terminal device in the service response, or may also be included in other information elements or newly added information elements of the service response message, which is not limited by this application.
  • the service response may also include a list of subscription characteristics corresponding to the terminal device.
  • the indication information corresponding to the terminal device may also be independently configured in the UDR and not included in the user subscription data of the terminal device.
  • the service invocation request sent by the UDM to the UDR can be used to request the indication information corresponding to the terminal device.
  • the service response returned by the UDR to the UDM may include the indication information corresponding to the terminal device without including the user subscription data of the terminal device.
  • the service response may also include a list of subscription characteristics corresponding to the terminal device.
  • Step S203 The UDM checks the AUTS according to the first AUTS algorithm.
  • the UDM may determine the first AUTS algorithm according to the identification of the terminal device included in the authentication service request and the indication information corresponding to the terminal device obtained in step S202.
  • the UDM using the first AUTS algorithm to verify the AUTS may include: using the first AUTS algorithm to obtain the mobile terminal serial number SQN_MS from the AUTS, and then calculating the MAC; if the calculated MAC is consistent with the MAC-S included in the AUTS, the AUTS verification is successful.
  • UDM can resynchronize the SQN stored on the network side, and then use the resynchronized SQN to re-initiate the authentication process for the terminal device.
  • the UDM can identify the AUTS algorithm used by the terminal device (or USIM card) when calculating AUTS, and use the AUTS algorithm consistent with the terminal device (or USIM card) to verify the AUTS calculated by the terminal device, so as to avoid the problem of resynchronization failure caused by the inconsistency of the AUTS algorithm adopted by the UDM and the terminal device, so that the resynchronization process and the subsequent terminal device authentication process can be performed normally.
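  • The following is a worked example added to this page; it is not code from the patent or from the applicant. It shows both ends of Formula 1 (FIG. 4a): the USIM computing AUTS = (SQN_MS xor AK) || MAC-S, and the UDM in step S203 recovering SQN_MS from the AUTS, recomputing MAC-S with the algorithm named by the subscription indication information (step S202), and comparing. Assumptions not taken from the page: f1* and f5* are stood in by HMAC-SHA256 truncated to 64 and 48 bits (real networks use the 3GPP MILENAGE functions); the two variants "4a" and "4b" are constructed stand-ins, since the page does not say how its FIG. 4b algorithm differs; the SUBSCRIPTION dictionary, SUPI values, K, RAND and SQN_MS are constructed sample data. The verify_auts(..., "4a") call at the end reproduces the failure the page describes: an AUTS built with one algorithm does not verify under the other.

```python
"""AUTS construction (USIM side) and verification (UDM side) with the
AUTS algorithm selected from per-subscriber indication information.
Added example; f1*/f5* are HMAC stand-ins, not MILENAGE."""
import hashlib
import hmac

SQN_LEN = 6    # 48-bit SQN_MS and AK
MAC_S_LEN = 8  # 64-bit MAC-S


def f5_star(k: bytes, rand: bytes) -> bytes:
    """AK = f5*(RAND, K): anonymity key (stand-in; assumption)."""
    return hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()[:SQN_LEN]


def f1_star(k: bytes, sqn_ms: bytes, rand: bytes, amf: bytes, variant: str) -> bytes:
    """MAC-S = f1*(SQN_MS, K, RAND, AMF). Variant "4b" is a constructed
    alternative that binds the inputs in a different order (assumption)."""
    if variant == "4a":
        msg = b"f1*" + sqn_ms + rand + amf
    elif variant == "4b":
        msg = b"f1*v2" + amf + rand + sqn_ms
    else:
        raise ValueError("unknown AUTS algorithm variant: %r" % variant)
    return hmac.new(k, msg, hashlib.sha256).digest()[:MAC_S_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def compute_auts(k: bytes, sqn_ms: bytes, rand: bytes, amf: bytes, variant: str) -> bytes:
    """USIM side: AUTS = (SQN_MS xor AK) || MAC-S (Formula 1)."""
    ak = f5_star(k, rand)
    return xor(sqn_ms, ak) + f1_star(k, sqn_ms, rand, amf, variant)


def verify_auts(k: bytes, rand: bytes, amf: bytes, auts: bytes, variant: str):
    """UDM side (step S203): unmask SQN_MS with AK, recompute MAC-S under the
    indicated algorithm and compare in constant time. Returns the recovered
    SQN_MS on success, None on failure (no resynchronization then)."""
    if len(auts) != SQN_LEN + MAC_S_LEN:
        return None
    conc, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    sqn_ms = xor(conc, f5_star(k, rand))
    try:
        expected = f1_star(k, sqn_ms, rand, amf, variant)
    except ValueError:
        return None  # indication names an algorithm this UDM does not have
    if not hmac.compare_digest(expected, mac_s):
        return None
    return sqn_ms


# Constructed stand-in for the user subscription data of step S202: the
# indication information here is the AUTS algorithm identifier per SUPI.
SUBSCRIPTION = {
    "imsi-001010123456789": {"k": bytes(range(16)), "auts_algorithm": "4b"},
    "imsi-001010000000001": {"k": bytes(16), "auts_algorithm": "4a"},
}


def udm_resync(supi: str, rand: bytes, amf: bytes, auts: bytes):
    """Steps S202 + S203: look up the indication for this subscriber and
    verify the AUTS with exactly that algorithm."""
    sub = SUBSCRIPTION.get(supi)
    if sub is None:
        return None
    return verify_auts(sub["k"], rand, amf, auts, sub["auts_algorithm"])


def demo():
    """Constructed sample run: returns (recovered SQN_MS, result of a
    verification attempted with the wrong algorithm)."""
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed RAND
    amf = b"\x80\x00"                                         # constructed AMF
    supi = "imsi-001010123456789"
    sqn_ms = bytes.fromhex("000000000042")                    # constructed SQN_MS
    k = SUBSCRIPTION[supi]["k"]
    auts = compute_auts(k, sqn_ms, rand, amf, "4b")
    ok = udm_resync(supi, rand, amf, auts)            # algorithm taken from indication
    mismatch = verify_auts(k, rand, amf, auts, "4a")  # inconsistent algorithm: fails
    return ok, mismatch


if __name__ == "__main__":
    print(demo())
```

  • In the example the only difference between a successful and a failed resynchronization is which variant the UDM passes to f1*; the AUTS bytes are identical. That is why the page keys the choice on per-subscriber indication information rather than on anything in the AUTS itself.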
  • Step S5001 Configure indication information in the user subscription data of the terminal device stored in the UDM, where the indication information is used to indicate the first AUTS algorithm used by the terminal device (or USIM card) to calculate AUTS.
  • the indication information may be the identification of the first AUTS algorithm used by the terminal device (or USIM card), or the indication information may include the identification of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or there is a certain mapping relationship between the indication information and the identification of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS, or the indication information may also be information indicating whether the terminal device (or USIM card) supports the new AUTS algorithm, or the indication information may also be information indicating whether the USIM card is a new card, or the indication information may also be information such as the type or batch or version of the USIM card, or the indication information can also be a list of subscription features of the terminal device (or the USIM card). It should be understood that this step S5001 corresponds to a specific implementation in the first embodiment, that is, the indication information corresponding to the terminal device is configured in the UDM.
  • Step S5002 The indication information is configured in the user subscription data of the terminal device stored in the UDR, or the indication information is configured in other information in the UDR, or the indication information is configured independently in the UDR.
  • the indication information is used to indicate the first AUTS algorithm adopted by the terminal device (or USIM card). For the specific implementation manner of the indication information, reference may be made to the description in step S5001.
  • Step S501 The UDM obtains the user subscription data of the terminal device from the UDR, and the user subscription data includes the above-mentioned indication information corresponding to the terminal device.
  • This step S501 may specifically include the steps of UDM sending a service invocation request to UDR, and UDR in response to the service invocation request, sending a service response message to UDM, etc., which will not be described in detail here.
  • the "acquisition" can also be understood as actions such as querying, invoking, and receiving.
  • step S5002 and step S501 correspond to another specific implementation manner in the first embodiment, that is, the instruction information of the terminal device is configured in the UDR. It can be seen that the methods shown in step S5001, step S5002 and step S501 are two parallel specific implementations. In practical applications, one of the two paths can be executed.
  • Step S502 An authentication procedure between the terminal device and the UDM is executed.
  • Step S503 The terminal device verifies the serial number SQN in the authentication token AUTN. If the verified SQN is not within the correct range, the terminal device calculates the resynchronization authentication token AUTS and initiates the resynchronization process. Optionally, the terminal device may also verify the message authentication code MAC in the authentication token AUTN, and the verification of the message authentication code MAC may be performed before the verification of the serial number SQN. Optionally, the actions of verifying the message authentication code MAC and the serial number SQN and calculating the resynchronization authentication token AUTS can also be performed by the USIM card in the terminal device.
  • Step S504 The terminal device sends an authentication failure message to the AMF.
  • the authentication failure message includes the resynchronization authentication token AUTS and the random number RAND.
  • Step S505 The AMF sends an authentication service request to the AUSF.
  • the authentication service request includes the resynchronization authentication token AUTS and the random number RAND.
  • the authentication service request may also include the identification of the terminal device or the identification of the USIM card or the user identification, such as SUPI.
  • the authentication service request described in this step is a service invocation message between network elements, which may also be called a service request message or a service invocation request message, etc., or may also have other names, such as Nausf_UEAuthentication_Authenticate request, which is not limited in this application.
  • Step S506 AUSF sends an authentication service request to UDM, and the authentication service request includes the resynchronization authentication token AUTS and the random number RAND.
  • the authentication service request may also include the identification of the terminal device or the identification of the USIM card or the user identification, such as SUPI.
  • the authentication service request described in this step is also a service invocation message between network elements, which may also be called a service request message or a service invocation request message, etc., or may have other names, such as Nudm_UEAuthentication_GET, which is not limited in this application.
  • the expression form and content of the authentication service request mentioned in step S505 and step S506 may be the same or different, and this application is not limited.
  • Step S507 The UDM receives the authentication service request, queries the user subscription data according to the identification of the terminal device, the identification of the USIM card or the user identification (such as SUPI), determines the indication information corresponding to the terminal device, and then determines the first AUTS algorithm used by the terminal device (or USIM card) to calculate AUTS.
  • Step S508 The UDM checks the AUTS according to the first AUTS algorithm, and after the check succeeds, resynchronizes the SQN.
  • Step S509 re-execute the authentication process between the terminal device and the UDM.
  • FIG. 6 is a schematic flowchart of another communication method provided by an embodiment of this application. The method specifically includes the following steps:
  • Step S601 The terminal device determines that the serial number SQN in the authentication token AUTN is not within the correct range.
  • the terminal device may receive an authentication request message from the AMF.
  • the authentication request message includes the random number RAND and the authentication token AUTN.
  • the authentication token AUTN may specifically include the serial number SQN, the anonymity key AK, the authentication management domain AMF, the message authentication code MAC and other parameters.
  • the terminal device (or the USIM card in the terminal device) can verify the authentication token AUTN in the authentication request message. If the serial number SQN in the authentication token AUTN is not in the correct range, for example, if the serial number SQN in the authentication token AUTN is less than or equal to the serial number SQN_MS stored in the terminal device (or USIM card), it can be considered that the SQN verification has failed.
  • the terminal device may first verify the MAC in the authentication token AUTN, and after the MAC verification fails, then verify the serial number SQN in the authentication token AUTN.
  • verifying the MAC in the authentication token AUTN refers to calculating the XMAC according to the authentication token AUTN, the random number RAND and the root key K, and then comparing the obtained XMAC with the MAC in the authentication token AUTN. If they are consistent, the verification is considered successful, and if they are inconsistent, the verification is considered failed.
  • other MAC verification methods can also be used, which is not limited in this application.
  • Step S602 The terminal device calculates the resynchronization authentication token AUTS, and encrypts the AUTS and the indication information corresponding to the terminal device to obtain the encrypted resynchronization authentication token AUTS*.
  • the AUTS is used to indicate that the terminal device has determined that the serial number SQN in the authentication token AUTN is not in the correct range.
  • the terminal device can use the algorithm shown in FIG. 4a or FIG. 4b to calculate the AUTS, or it can use other algorithms to calculate the AUTS, which is not limited in this application.
  • the terminal device can also generate indication information corresponding to the terminal device according to the first AUTS algorithm used to calculate AUTS; the indication information is associated with the identification of the terminal device, the identification of the USIM card or the user identification (such as SUPI), and is used to indicate the AUTS algorithm used by the terminal device to calculate the AUTS.
  • the terminal device may generate the indication information according to the identifier of the first AUTS algorithm used to calculate the AUTS.
  • the indication information may be the identifier of the first AUTS algorithm used by the terminal device, or may include the identifier of the first AUTS algorithm used by the terminal device to calculate the AUTS.
  • the indication information can also be a flag bit indicating whether the terminal device (or USIM card) supports the new AUTS algorithm, or whether the USIM card is a new card; a flag value of 1 indicates support and a value of 0 indicates no support.
  • the indication information may also be information such as the type or batch or version of the USIM card, and there is a certain correlation between the type or batch or version of the USIM card and the AUTS algorithm adopted by the terminal device.
  • the indication information may also be a list of subscription features of the terminal device (or USIM card), and there is also a certain association relationship between the subscription features supported by the terminal device and the first AUTS algorithm adopted by the terminal device.
  • the terminal device encrypts the AUTS and the indication information corresponding to the terminal device, which can be expressed as (Formula 2):
  • AUTS* = Enc(K, AUTS, indication)
  • K is the encryption key
  • AUTS* is the encrypted resynchronization authentication token
  • Enc() is the encryption function
  • AUTS is the resynchronization authentication token
  • indication refers to the indication information corresponding to the terminal device.
  • the AUTS and the indication information corresponding to the terminal device can thus be protected, which facilitates the normal progress of the resynchronization process and improves the security of the authentication process.
  • the terminal device can use the root key K to encrypt the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, or use the public key of the home network to encrypt them, or use the SUPI encryption that produces the subscription concealed identifier (SUCI) to encrypt them; this is not limited by this application.
  • the encryption key K in formula 2 can be the root key K or the public key of the home network.
  • the terminal device may also use other encryption algorithms for encryption, which is also not limited in this application.
  • steps S601 and S602 may also be specifically executed by the USIM card in the terminal device.
  • Step S603 The terminal device sends an authentication failure message to the AMF, and the authentication failure message includes the encrypted resynchronization authentication token AUTS*.
  • Step S604 AMF sends an authentication service request to UDM, or AMF sends an authentication service request to AUSF, and then AUSF sends the received authentication service request to UDM.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS*.
  • Step S605 The UDM receives an authentication service request from AMF or AUSF.
  • the authentication service request includes an encrypted resynchronization authentication token AUTS*.
  • the AUTS* is used to indicate that the terminal device has determined that the serial number SQN in the authentication token AUTN is not within the correct range.
  • Step S606 UDM decrypts the encrypted resynchronization authentication token AUTS* to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device.
  • the indication information corresponding to the terminal device is used to indicate the AUTS algorithm used by the terminal device to calculate the AUTS.
  • UDM can use the root key K to decrypt the encrypted resynchronization authentication token AUTS*, or UDM can use the private key of the home network to decrypt the encrypted resynchronization authentication token AUTS*, or UDM can decrypt the encrypted resynchronization authentication token AUTS* based on the SUCI decryption used to obtain the SUPI.
  • UDM can also use other decryption algorithms for decryption, which is not limited in this application.
  • the decryption algorithm adopted by UDM matches the encryption algorithm adopted by the terminal device (or USIM card). Specifically, when the terminal device uses the root key K to encrypt the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, UDM correspondingly uses the root key K to decrypt the encrypted resynchronization authentication token AUTS*.
  • Step S607 The UDM checks the AUTS according to the first AUTS algorithm.
  • the UDM may determine the first AUTS algorithm according to the identifier of the terminal device included in the authentication service request and the indication information corresponding to the terminal device.
  • the integrity of the resynchronization authentication token AUTS can also be verified.
  • UDM can obtain the terminal device serial number SQN MS (that is, the highest serial number SQN MS accepted by the USIM card) from the AUTS according to the first AUTS algorithm, and then calculate the message authentication code MAC according to the SQN MS; if the MAC is consistent with the MAC-S obtained from the resynchronization authentication token AUTS, it can be determined that the integrity check of the AUTS is successful.
  • UDM can resynchronize the SQN stored on the network side, and then use the resynchronized SQN to re-initiate the authentication process for the terminal device.
  • the terminal device can encrypt and protect the corresponding indication information together with the generated AUTS, and send it to the UDM.
  • UDM can determine the AUTS algorithm used by the terminal device according to the indication information sent by the terminal device, and then use an AUTS algorithm consistent with the terminal device (or USIM card) to verify the AUTS sent by the terminal device. This avoids the resynchronization failure caused by UDM and the terminal device adopting inconsistent AUTS algorithms, allows the resynchronization process and the subsequent terminal device authentication process to proceed normally, and at the same time improves the security of the authentication process.
  • FIG. 7 is a schematic flowchart of another communication method provided by an embodiment of this application. The method specifically includes the following steps:
  • Step S701 The terminal device determines that the serial number SQN in the authentication token AUTN is not within the correct range.
  • For a specific implementation of step S701, reference may be made to the description of step S201 in the first embodiment or step S601 in the second embodiment, which will not be repeated here.
  • Step S702 The terminal device calculates the resynchronization authentication token AUTS according to the instruction information corresponding to the terminal device.
  • the indication information is used to directly or indirectly indicate the first AUTS algorithm used by the terminal device to calculate the AUTS, and the indication information is associated with the identification of the terminal device, the identification of the USIM card or the user identification (such as SUPI).
  • the indication information may be the identifier of the first AUTS algorithm used by the terminal device (or USIM card); or the indication information may include the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS; or there may be a certain mapping relationship between the indication information and the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS; or the indication information may be information indicating whether the terminal device (or USIM card) supports the new AUTS algorithm; or the indication information may be information indicating whether the USIM card is a new card; or the indication information may be information such as the type, batch or version of the USIM card; or the indication information may be a list of subscription features of the terminal device (or USIM card).
  • the terminal device may calculate the resynchronization authentication token AUTS in the following manner:
  • AUTS is the resynchronization authentication token, which can be used to indicate that the terminal device has determined that the serial number SQN in the authentication token AUTN is not within the correct range
  • SQN MS is the terminal device serial number, which is the highest serial number accepted in the USIM card
  • AK is an anonymous key
  • f5*() represents a function
  • RAND is a random number
  • K is a root key
  • Indication is the indication information corresponding to the terminal device
  • MAC-S' is the message authentication code calculated according to the parameters in AUTN
  • f1*() represents another function
  • AMF is the authentication management domain
  • the remaining two operators in formula 3 denote exclusive OR and concatenation, respectively.
  • the AUTS calculated by the above formula 3 is different from the AUTS calculated in the foregoing first and second embodiments.
  • the AUTS in the third embodiment can also be recorded as AUTS'.
  • MAC-S can also be recorded as MAC-S'.
  • the terminal device can carry the indication information corresponding to the terminal device when calculating the AUTS', and then use the MAC-S' to perform integrity protection on the AUTS'.
  • the AUTS' and corresponding instruction information sent by the terminal device to the UDM can also be protected from being tampered with, thereby facilitating the normal progress of the resynchronization process and improving the security of the authentication process.
  • carrying the indication information corresponding to the terminal device can also be understood as embedding the indication information corresponding to the terminal device into the AUTS', or as taking the indication information corresponding to the terminal device as a newly added input parameter of a new version of the AUTS algorithm; that is, the method shown in formula 3 can also be understood as a new AUTS algorithm.
  • steps S701 and S702 may also be specifically executed by the USIM card in the terminal device.
  • Step S703 The terminal device sends an authentication failure message to the AMF, and the authentication failure message includes the resynchronization authentication token AUTS.
  • Step S704 AMF sends an authentication service request to UDM, or AMF sends an authentication service request to AUSF, and then AUSF sends an authentication service request to UDM.
  • the authentication service request includes the resynchronization authentication token AUTS'.
  • Step S705 The UDM receives an authentication service request from the AMF or AUSF.
  • the authentication service request includes the resynchronization authentication token AUTS', which is used to indicate that the terminal device has determined that the serial number SQN in the authentication token AUTN is not within the correct range.
  • Step S706 The UDM obtains the indication information corresponding to the terminal device from the resynchronization authentication token AUTS'.
  • the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS.
  • the UDM can directly obtain the indication information corresponding to the terminal device from the AUTS.
  • Step S707 UDM checks AUTS' according to the first AUTS algorithm.
  • after UDM obtains the resynchronization authentication token AUTS', it can verify the integrity of the resynchronization authentication token AUTS'. Specifically, UDM determines the first AUTS algorithm according to the indication information corresponding to the terminal device obtained from AUTS', calculates AK according to the corresponding algorithm, restores SQN MS, and then calculates the message authentication code MAC' according to the parameters AMF, RAND, K, SQN MS, indication and so on; if the calculated MAC' is consistent with the MAC-S' obtained from the resynchronization authentication token AUTS', it is determined that the integrity check of the AUTS' is successful.
  • UDM can resynchronize the SQN stored on the network side, and then use the resynchronized SQN to re-initiate the authentication process for the terminal device.
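The construction of formula 3 and the UDM check of step S707, as an added Python example that is not part of the patent: the USIM side binds the indication information into MAC-S' and prepends it to AUTS', and the UDM side reads the indication, selects the AUTS algorithm, restores SQN MS and recomputes MAC' before accepting the resynchronization. Assumptions of mine: HMAC-SHA256 stands in for f1* and f5* (Milenage is not on the page), the indication is a one-byte algorithm identifier placed in front of the token, and all key, RAND, AMF and SQN values are constructed.

```python
"""Third-embodiment AUTS' = indication || (SQN_MS xor AK) || MAC-S', with the
indication as an extra f1* input, plus the matching UDM verification.
HMAC-SHA256 is a stand-in for f1*/f5*; all values below are constructed."""
import hashlib
import hmac
from typing import Optional

SQN_LEN = 6   # 48-bit sequence number, as in 3GPP AKA
MAC_LEN = 8   # 64-bit resynchronisation MAC

# AUTS algorithm variants known to the UDM, keyed by the one-byte indication.
# Each variant is modelled as a domain-separation label (assumption); a real
# deployment would map the indication to an actual algorithm and key set.
AUTS_ALGORITHMS = {0x01: b"auts-v1", 0x02: b"auts-v2"}


def f5_star(k: bytes, rand: bytes, alg_label: bytes) -> bytes:
    """AK = f5*(K, RAND); HMAC-SHA256 stand-in truncated to 48 bits."""
    return hmac.new(k, alg_label + b"f5*" + rand, hashlib.sha256).digest()[:SQN_LEN]


def f1_star(k: bytes, amf: bytes, rand: bytes, sqn_ms: bytes,
            indication: bytes, alg_label: bytes) -> bytes:
    """MAC-S' = f1*(K, AMF, RAND, SQN_MS, indication): the indication is bound
    into the tag, so changing it after the fact invalidates the token."""
    msg = alg_label + b"f1*" + amf + rand + sqn_ms + indication
    return hmac.new(k, msg, hashlib.sha256).digest()[:MAC_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def usim_build_auts(k: bytes, rand: bytes, amf: bytes, sqn_ms: int, alg_id: int) -> bytes:
    """Terminal/USIM side (step S702): compute AUTS' with the indication embedded."""
    indication = bytes([alg_id])
    label = AUTS_ALGORITHMS[alg_id]
    ak = f5_star(k, rand, label)
    sqn_bytes = sqn_ms.to_bytes(SQN_LEN, "big")
    mac_s = f1_star(k, amf, rand, sqn_bytes, indication, label)
    return indication + xor(sqn_bytes, ak) + mac_s


def udm_check_auts(k: bytes, rand: bytes, amf: bytes, auts: bytes) -> Optional[int]:
    """UDM side (steps S706/S707): read the indication from AUTS', select the
    algorithm, restore SQN_MS via AK, recompute MAC' and compare it with MAC-S'.
    Returns SQN_MS on success, None on bad length, unknown algorithm or MAC mismatch."""
    if len(auts) != 1 + SQN_LEN + MAC_LEN:
        return None
    indication, conc, mac_s = auts[:1], auts[1:1 + SQN_LEN], auts[1 + SQN_LEN:]
    label = AUTS_ALGORITHMS.get(indication[0])
    if label is None:
        return None  # unknown algorithm: fail closed rather than guess one
    ak = f5_star(k, rand, label)
    sqn_bytes = xor(conc, ak)
    expected = f1_star(k, amf, rand, sqn_bytes, indication, label)
    if not hmac.compare_digest(expected, mac_s):
        return None
    return int.from_bytes(sqn_bytes, "big")


def resync_demo():
    """Run one resynchronisation and one tampered token; returns (SQN_MS, None)."""
    k = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed root key
    rand = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed RAND
    amf = b"\x80\x00"                                         # constructed AMF
    sqn_ms = 0x2A3B
    auts = usim_build_auts(k, rand, amf, sqn_ms, alg_id=0x02)
    accepted = udm_check_auts(k, rand, amf, auts)
    # Flipping the indication byte (0x02 -> 0x01) must be rejected, because
    # MAC-S' was computed over the original indication.
    tampered = bytes([0x01]) + auts[1:]
    return accepted, udm_check_auts(k, rand, amf, tampered)


if __name__ == "__main__":
    print(resync_demo())
```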
  • the terminal device can carry the corresponding indication information when calculating the AUTS', and then send it to UDM after integrity protection of the AUTS'.
  • UDM can obtain the indication information corresponding to the terminal device from the received AUTS', determine the AUTS algorithm used by the terminal device according to that indication information, and adopt an AUTS algorithm consistent with the terminal device (or USIM card).
  • FIG. 8 is a specific example of the communication method provided in Embodiments 2 and 3 of this application.
  • the example specifically includes the following steps:
  • an authentication procedure (authentication procedure) between the terminal device and the UDM is executed.
  • the authentication process may include: the AMF sends an authentication request message to the terminal device, and the authentication request message includes the random number RAND and the authentication token AUTN.
  • step S802 the terminal device verifies the serial number SQN in the authentication token AUTN. If the verified SQN is not within the correct range, the terminal device calculates the resynchronization authentication token AUTS and initiates the resynchronization process. Optionally, the terminal device may also check the message authentication code MAC in the authentication token AUTN, and the MAC check may be performed before the SQN check.
  • the terminal device may also generate indication information, and encrypt the indication information with the calculated resynchronization authentication token AUTS to obtain the encrypted AUTS*.
  • the specific encryption method can refer to the description in step S602, which will not be repeated here.
  • the terminal device may also generate indication information, and when calculating the resynchronization authentication token AUTS, use the indication information as one of the input parameters for calculating AUTS. That is, the AUTS is calculated according to the instruction information corresponding to the terminal device.
  • the specific calculation method of AUTS please refer to the description in step S702, which will not be repeated here.
  • Step S803 The terminal device sends an authentication failure message to the AMF.
  • the authentication failure message includes the encrypted resynchronization authentication token AUTS* or the resynchronization authentication token AUTS, and the random number RAND.
  • the authentication failure message includes an encrypted resynchronization authentication token AUTS*, which is obtained by the terminal device encrypting the calculated AUTS together with the corresponding indication information.
  • the authentication failure message includes the resynchronization authentication token AUTS, which is generated by the terminal device according to the indication information corresponding to the terminal device; that is, when calculating the AUTS, the terminal device also uses the corresponding indication information as one of the input parameters.
  • step S804 the AMF sends an authentication service request to AUSF.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS* or the resynchronization authentication token AUTS, and the random number RAND.
  • the authentication service request may also include the identification of the terminal device or the identification of the USIM card or the user identification, such as SUPI.
  • Step S805 AUSF sends the received authentication service request to UDM.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS* or the resynchronization authentication token AUTS, and the random number RAND.
  • the authentication service request may also include the identification of the terminal device or the identification of the USIM card or the user identification, such as SUPI.
  • step S806 the UDM receives the authentication service request, and determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
  • step S806 UDM decrypts the encrypted resynchronization authentication token AUTS* in the received authentication service request to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device, and then determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
  • step S806 UDM obtains the indication information corresponding to the terminal device from the resynchronization authentication token AUTS in the received authentication service request, verifies the integrity of the AUTS according to MAC-S', and then determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
  • step S807 the UDM checks the AUTS according to the first AUTS algorithm. After the check succeeds, it resynchronizes the SQN, and then re-initiates the authentication process according to the synchronized SQN.
  • For the specific process of verifying the AUTS, please refer to the description in step S607 or S707, which will not be repeated here.
  • Step S808 re-execute the authentication process between the terminal device and the UDM.
  • the technical solution in the fourth embodiment is similar to the technical solution shown in the second embodiment, the difference being that the second embodiment does not clearly distinguish between the actions performed by the terminal device and those performed by the USIM card installed in the terminal device. Some actions performed by the terminal device can also be performed by the USIM card installed in the terminal device, for example: verifying the authentication token AUTN received by the terminal device, and, after verifying that the serial number SQN in the authentication token AUTN is not within the correct range, calculating the resynchronization authentication token AUTS, encrypting the resynchronization authentication token AUTS and the indication information to obtain AUTS*, and then sending the encrypted AUTS* to the UDM via the terminal device and the AMF.
  • the USIM card installed in the terminal device can verify the authentication token AUTN received by the terminal device. After verifying that the serial number SQN in the authentication token AUTN is not within the correct range, the USIM card calculates the resynchronization authentication token AUTS and sends it to the terminal device. The terminal device determines the corresponding indication information according to the configuration information of the USIM card, encrypts that indication information together with the AUTS received from the USIM card, and finally sends the result to the UDM via the AMF.
  • FIG. 9 is a schematic flowchart of another communication method provided by an embodiment of this application. The method specifically includes the following steps:
  • the terminal device may receive an authentication request message from the AMF, and send parameters such as the authentication token AUTN and the random number RAND included in the authentication request message to the USIM card installed in the terminal device, and the USIM card verifies the authentication token AUTN.
  • Step S902 The USIM card calculates the resynchronization authentication token AUTS.
  • the USIM card can use the algorithm shown in FIG. 4a or 4b to calculate the resynchronization authentication token AUTS, and other algorithms can also be used to calculate the resynchronization authentication token AUTS, which is not limited by this application.
  • Step S903 The USIM card sends the resynchronization authentication token AUTS and the configuration information of the USIM card to the terminal device.
  • the configuration information may include information used to indicate the AUTS algorithm used when the USIM card calculates the AUTS, and may for example include one or more of the following: the identifier of the first AUTS algorithm used by the USIM card, information indicating whether the USIM card supports the new AUTS algorithm, information indicating whether the USIM card is a new card, the type, batch or release of the USIM card, and other information.
  • the configuration information may also include other information that can be used to distinguish the AUTS algorithm, which is not limited in this application.
  • the USIM may also send the random number RAND to the terminal device.
  • Step S904 The terminal device receives the resynchronization authentication token AUTS from the USIM card and the configuration information of the USIM card.
  • the terminal device receiving the configuration information of the USIM card from the USIM card can also be understood as the terminal device reading the configuration information of the USIM card, or the terminal device acquiring the configuration information of the USIM card, etc.
  • Step S905 The terminal device determines the indication information according to the configuration information of the USIM card, and the indication information is used to instruct the first AUTS algorithm used by the USIM card to calculate the AUTS.
  • the indication information is associated with the identification of the terminal device, or the identification of the USIM card or the user identification (such as SUPI).
  • the indication information may be the identifier of the first AUTS algorithm used by the terminal device (or USIM card); or the indication information may include the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS; or there may be a certain mapping relationship between the indication information and the identifier of the first AUTS algorithm used by the terminal device (or USIM card) to calculate the AUTS; or the indication information may be information indicating whether the terminal device (or USIM card) supports the new AUTS algorithm; or the indication information may be information indicating whether the USIM card is a new card; or the indication information may be information such as the type, batch or version of the USIM card; or the indication information may be a list of subscription features of the terminal device (or USIM card).
  • the indication information may be part or all of the configuration information of the USIM card, or may be information derived and calculated based on the configuration information of the USIM card, which is not limited in this application.
  • Step S906 The terminal device encrypts the resynchronization authentication token AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS*.
  • for step S906, reference may be made to the description of step S602 in the second embodiment, which will not be repeated here.
  • Step S907 The terminal device sends an authentication failure message to the AMF.
  • the authentication failure message includes the encrypted resynchronization authentication token AUTS*.
  • the encrypted resynchronization authentication token AUTS* can be used to indicate that the terminal device or the USIM card has determined that the serial number SQN in the authentication token AUTN is not within the correct range.
  • the authentication failure message is used to trigger the UDM to resynchronize the SQN.
  • Step S908 AMF sends an authentication service request to UDM, or AMF sends an authentication service request to AUSF, and then AUSF sends the received authentication service request to UDM.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS*.
  • Step S909 The UDM receives the authentication service request from the AMF or AUSF, and obtains the encrypted resynchronization authentication token AUTS* in the authentication service request.
  • Step S910 UDM decrypts the encrypted resynchronization authentication token AUTS* to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device.
  • For the specific implementation of steps S907 to S911 described above, reference may be made to steps S604 to S607 in the second embodiment, which will not be repeated here.
  • the terminal device can determine the AUTS algorithm used by the USIM card according to the configuration information of the USIM card, then encrypt the indication information indicating the AUTS algorithm used by the USIM card together with the AUTS calculated by the USIM card, and send the result to the UDM. In this way the resynchronization process can proceed normally, and at the same time the problem that a limited or incompatible USIM card may be unable to generate the indication information or perform the encryption is avoided, which enhances the applicability of the method.
  • FIG. 10 is another specific example of the communication method provided in the fourth embodiment of this application.
  • the example specifically includes the following steps:
  • step S1001 an authentication procedure (authentication procedure) between the terminal device and the UDM is executed.
  • the authentication process may include: the AMF sends an authentication request message to the terminal device, and the authentication request message includes the random number RAND and the authentication token AUTN.
  • the terminal device can send the random number RAND and the authentication token AUTN included in the authentication request message to the USIM card installed in the terminal device.
  • step S1002 the USIM card in the terminal device verifies the serial number SQN in the authentication token AUTN. If the verified SQN is not in the correct range, the USIM card can calculate the resynchronization authentication token AUTS.
  • the terminal device may also check the message authentication code MAC in the authentication token AUTN, and the MAC check may be performed before the SQN check.
  • the USIM card may send the calculated resynchronization authentication token AUTS and the configuration information of the USIM card to the terminal device.
  • For the specific implementation of the configuration information of the USIM card, reference may be made to the description in step S903, which will not be repeated here.
  • Step S1004 The terminal device generates indication information according to the received USIM card configuration information, and then encrypts the received resynchronization authentication token AUTS and the generated indication information to obtain an encrypted resynchronization authentication token AUTS*.
  • the specific encryption method can refer to the description in step S602, which will not be repeated here.
  • Step S1005 The terminal device sends an authentication failure message to the AMF.
  • the authentication failure message includes the encrypted resynchronization authentication token AUTS* and the random number RAND.
  • step S1006 the AMF sends an authentication service request to AUSF.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS* and the random number RAND.
  • Step S1007 AUSF sends the received authentication service request to UDM.
  • the authentication service request includes the encrypted resynchronization authentication token AUTS* and the random number RAND.
  • the authentication service request may also include the identification of the terminal device or the identification of the USIM card or the user identification, such as SUPI.
  • step S1008 the UDM receives the authentication service request, decrypts the encrypted resynchronization authentication token AUTS* in the received authentication service request, and obtains the resynchronization authentication token AUTS and the corresponding indication information of the terminal device.
  • the UDM determines the first AUTS algorithm according to the indication information corresponding to the terminal device.
  • step S1009 the UDM checks the AUTS according to the first AUTS algorithm. After the check succeeds, it resynchronizes the SQN, and then re-initiates the authentication process according to the synchronized SQN.
  • For the specific process of verifying the AUTS, please refer to the description in step S607 or S707, which will not be repeated here.
  • Step S1010 re-execute the authentication process between the terminal device and the UDM.
  • FIG. 11 is a schematic structural diagram of a communication device provided by an embodiment of this application.
  • the communication device 1100 includes a transceiver module 1110 and a processing module 1120.
  • the communication device can be used to implement the function of the unified data management network element in any of the foregoing method embodiments, or be used to implement the function of the unified data storage network element in any of the foregoing method embodiments.
  • the communication device may be a UDM network element or a UDR network element in the core network
  • the network element or network function may be a network element in a hardware device, a software function running on dedicated hardware, or a virtualization function instantiated on a platform (for example, a cloud platform).
  • the communication device may be a network device or a chip included in the network device.
  • the transceiver module 1110 is used to receive an authentication service request, and the authentication service request includes a resynchronization authentication token AUTS; the processing module 1120 is used to obtain the indication information corresponding to the terminal device, and the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the processing module 1120 is also used to verify the AUTS according to the first AUTS algorithm.
  • the processing module 1120 is specifically configured to obtain the indication information from a local configuration or obtain the indication information from a unified data storage network element.
  • the indication information corresponding to the terminal device is included in the subscription data of the terminal device.
  • the transceiver module 1110 is used to receive a service call request from the unified data management network element, and the service call request is used to request the indication information corresponding to the terminal device, where the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the processing module 1120 is used to send a service response message to the unified data management network element through the transceiver module 1110, and the service response message includes the indication information corresponding to the terminal device.
  • the transceiver module 1110 is used to receive an authentication service request, and the authentication service request includes an encrypted resynchronization authentication token AUTS*; the processing module 1120 is used to decrypt the AUTS* to obtain the resynchronization authentication token AUTS and the indication information corresponding to the terminal device.
  • the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the processing module 1120 is also used to verify the AUTS according to the first AUTS algorithm.
  • the transceiver module 1110 is used to receive an authentication service request, and the authentication service request includes a resynchronization authentication token AUTS; the processing module 1120 is used to obtain the indication information corresponding to the terminal device from the AUTS, and the indication information corresponding to the terminal device is used to indicate the first AUTS algorithm used by the terminal device to calculate the AUTS; the processing module 1120 is also used to verify the AUTS according to the first AUTS algorithm.
  • the processing module 1120 is specifically configured to obtain the mobile terminal serial number SQN MS from the AUTS according to the first AUTS algorithm, and to calculate the MAC according to the SQN MS; if the MAC is consistent with the MAC-S obtained from the AUTS, it is determined that the AUTS verification is successful.
  • processing module 1120 involved in the communication device may be implemented by a processor or processor-related circuit components
  • transceiver module 1110 may be implemented by a transceiver or transceiver-related circuit components.
  • the operation and/or function of each module in the communication device is to implement the corresponding process of the method shown in FIG. 2, FIG. 5, FIG. 6 or FIG.
  • FIG. 12 is another schematic structural diagram of a communication device according to an embodiment of this application.
  • the communication device 1200 can be used to implement the methods described in the foregoing method embodiments.
  • the communication device 1200 may be a chip or a network device.
  • the communication device 1200 includes one or more processors 1201, and the one or more processors 1201 can support the communication device 1200 in implementing the method of the unified data management network element or the unified data storage network element in FIG. 2, FIG. 5, FIG. 6 or FIG.
  • the processor 1201 may be a general-purpose processor or a special-purpose processor.
  • the processor 1201 may be a central processing unit (CPU) or a baseband processor.
  • the baseband processor may be used to process communication data, and the CPU may be used to control a communication device (for example, a network device, a terminal device, or a chip), execute a software program, and process data of the software program.
  • the communication device 1200 may further include a transceiving unit 1205 to implement signal input (reception) and output (transmission).
  • the communication device 1200 may be a chip, and the transceiver unit 1205 may be an input and/or output circuit of the chip, or the transceiver unit 1205 may be a communication interface of the chip; the chip may be used as a component of a terminal device, a network device, or other wireless communication equipment.
  • the communication device 1200 may include one or more memories 1202 with a program 1204 stored thereon.
  • the program 1204 can be run by the processor 1201 to generate instructions 1203, so that the processor 1201 executes the method described in the foregoing method embodiments according to the instructions 1203.
  • the memory 1202 may also store data.
  • the processor 1201 may also read data stored in the memory 1202. The data may be stored at the same storage address as the program 1204, or the data may be stored at a different storage address from the program 1204.
  • the processor 1201 and the memory 1202 may be provided separately or integrated together, for example, integrated on a single board or in a system-on-chip (SOC).
  • the communication device 1200 may further include a transceiver unit 1205 and an antenna 1206.
  • the transceiver unit 1205 may be called a transceiver, a transceiver circuit, or a transceiving apparatus, and is used to implement the transceiving function of the communication device through the antenna 1206.
  • each step of the foregoing method embodiment may be completed by a logic circuit in the form of hardware or instructions in the form of software in the processor 1201.
  • the processor 1201 may be a CPU, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, for example, discrete gates, transistor logic devices, or discrete hardware components.
  • FIG. 13 is a schematic structural diagram of another communication device provided by an embodiment of the present application.
  • the communication device 1300 includes a transceiver module 1310 and a processing module 1320.
  • the communication device can be used to implement the function of the terminal device in any of the foregoing method embodiments.
  • the communication device may be a terminal device, such as a handheld terminal device or a vehicle-mounted terminal device; the communication device may also be a chip included in the terminal device, such as a USIM card installed in the terminal device, or a device that includes a terminal device, such as any of various types of vehicles.
  • the processing module 1320 is used to calculate the resynchronization authentication token AUTS, and to encrypt the AUTS together with the indication information corresponding to the communication device to obtain an encrypted resynchronization authentication token AUTS*, where the indication information corresponding to the communication device is used to indicate the first AUTS algorithm used by the communication device to calculate the AUTS; the transceiver module 1310 is used to send the AUTS* to the access management network element.
  • the processing module 1320 is further configured to generate the indication information corresponding to the communication device according to the first AUTS algorithm used to calculate the AUTS.
  • the processing module 1320 is configured to calculate the resynchronization authentication token AUTS according to the indication information corresponding to the communication device, where the indication information corresponding to the communication device is used to indicate the first AUTS algorithm used by the communication device to calculate the AUTS; the transceiver module 1310 is used to send the AUTS to the access management network element.
  • the AUTS includes the indication information corresponding to the communication device and/or the MAC-S calculated according to the indication information corresponding to the communication device.
  • the transceiver module 1310 is used to receive the resynchronization authentication token AUTS and the configuration information of the USIM card from the universal subscriber identity module (USIM) card; the processing module 1320 is used to determine the indication information according to the configuration information of the USIM card, where the indication information is used to indicate the first AUTS algorithm used by the USIM card to calculate the AUTS; the processing module 1320 is also used to encrypt the AUTS and the indication information to obtain an encrypted resynchronization authentication token AUTS*; the transceiver module 1310 is also used to send the AUTS* to the access management network element.
  • the configuration information includes one or more of the following information:
  • the AUTS algorithm supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and the version information of the USIM card.
  • the processing module 1320 is used to calculate the resynchronization authentication token AUTS; the transceiver module 1310 is used to send the AUTS and the configuration information of the USIM card to the terminal device.
  • the configuration information includes one or more of the following information:
  • the AUTS algorithm supported by the USIM card, whether the USIM card supports a specific type of AUTS algorithm, the type information of the USIM card, and the version information of the USIM card.
  • the processing module 1320 involved in the communication device may be implemented by a processor or processor-related circuit components, and the transceiver module 1310 may be implemented by a transceiver or transceiver-related circuit components.
  • the operation and/or function of each module in the communication device is to implement the corresponding process of the method shown in FIG. 6 to FIG. 10, and is not repeated here for brevity.
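The following is an added worked example, not code from the patent or from Huawei. It models the resynchronization exchange described above on both sides: the USIM-side construction of the AUTS (processing module 1320), and the UDM-side verification that first selects the AUTS algorithm from the indication information and then recovers SQN_MS and recomputes the MAC for comparison with MAC-S (processing module 1120). The AUTS layout Conc(SQN_MS) || MAC-S with a 48-bit SQN and a 64-bit MAC-S follows 3GPP TS 33.102; everything else is an assumption made for the example: f1*/f5* are HMAC-SHA256 stand-ins rather than Milenage or TUAK, the indication information is encoded as one byte appended to the token and covered by MAC-S (one of the "AUTS includes the indication information and/or MAC-S calculated according to the indication information" options), the UDM may instead take the indication from subscription data passed in as a parameter, and all keys, RAND and SQN values are constructed test data. The AUTS* encryption variant is not shown.

```python
# Added example, not code from the patent: a minimal model of the AKA
# resynchronisation token AUTS = Conc(SQN_MS) || MAC-S (3GPP TS 33.102,
# 48-bit SQN, 64-bit MAC-S) in which the USIM tags the token with one byte
# of indication information naming the AUTS algorithm it used, and the UDM
# selects the matching algorithm before verifying.  f1*/f5* below are
# HMAC-SHA256 stand-ins, not Milenage or TUAK; the one-byte encoding of the
# indication and all key/RAND/SQN values are constructed assumptions.
import hashlib
import hmac
from typing import Optional

SQN_LEN = 6   # Conc(SQN_MS): 48 bits
MAC_LEN = 8   # MAC-S: 64 bits
IND_LEN = 1   # assumed one-byte indication information
AMF_STAR = b"\x00\x00"  # AMF* used during resynchronisation (assumed all-zero)


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def f1_star(alg: int, k: bytes, sqn: bytes, rand: bytes, amf: bytes) -> bytes:
    """Resync MAC function; `alg` selects one of the hypothetical variants."""
    return _prf(k, b"f1*" + bytes([alg]), sqn, rand, amf)[:MAC_LEN]


def f5_star(alg: int, k: bytes, rand: bytes) -> bytes:
    """Resync anonymity-key function; `alg` selects the variant."""
    return _prf(k, b"f5*" + bytes([alg]), rand)[:SQN_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def usim_build_auts(k: bytes, rand: bytes, sqn_ms: bytes, alg: int) -> bytes:
    """USIM side: AUTS = Conc(SQN_MS) || MAC-S || IND. The indication byte is
    folded into the MAC-S input so that changing it in transit is detected."""
    ind = bytes([alg])
    conc = _xor(sqn_ms, f5_star(alg, k, rand))           # conceal SQN_MS
    mac_s = f1_star(alg, k, sqn_ms, rand, AMF_STAR + ind)
    return conc + mac_s + ind


def udm_verify_auts(k: bytes, rand: bytes, auts: bytes,
                    indication: Optional[int] = None) -> Optional[bytes]:
    """UDM side. `indication` is the algorithm indication obtained out of band
    (local configuration or subscription data); when None it is read from the
    token itself. Returns SQN_MS on success and None on failure."""
    if len(auts) != SQN_LEN + MAC_LEN + IND_LEN:
        return None
    conc = auts[:SQN_LEN]
    mac_s = auts[SQN_LEN:SQN_LEN + MAC_LEN]
    ind = auts[SQN_LEN + MAC_LEN:]
    alg = ind[0] if indication is None else indication
    sqn_ms = _xor(conc, f5_star(alg, k, rand))           # recover SQN_MS
    expected = f1_star(alg, k, sqn_ms, rand, AMF_STAR + ind)
    if not hmac.compare_digest(expected, mac_s):          # constant-time compare
        return None
    return sqn_ms


def demo() -> dict:
    """Constructed test vectors: same K and RAND on both sides, USIM uses alg 1."""
    k = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed K
    rand = bytes(range(16))                                  # constructed RAND
    sqn_ms = (42).to_bytes(SQN_LEN, "big")
    auts = usim_build_auts(k, rand, sqn_ms, alg=1)
    return {
        # indication read from the token
        "from_token": udm_verify_auts(k, rand, auts) == sqn_ms,
        # indication supplied from subscription data / local configuration
        "from_subscription": udm_verify_auts(k, rand, auts, indication=1) == sqn_ms,
        # UDM hard-wired to a different algorithm: the mismatch the patent addresses
        "wrong_algorithm": udm_verify_auts(k, rand, auts, indication=0) is None,
        # indication byte altered in transit: MAC-S no longer verifies
        "tampered_indication": udm_verify_auts(k, rand, auts[:-1] + b"\x00") is None,
    }
```

The `wrong_algorithm` case is the resynchronization failure the abstract describes: a UDM that verifies with an AUTS algorithm other than the one the USIM used recovers a wrong SQN_MS and a non-matching MAC, so the resynchronization, and every authentication after it, fails. Reading the indication (from the token or from subscription data) before choosing f1*/f5* is what makes the `from_token` and `from_subscription` cases succeed.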
  • FIG. 14 is a schematic diagram of another structure of another communication device provided in an embodiment of this application.
  • the communication device may specifically be a terminal device; for ease of understanding and illustration, a mobile phone is used as an example of the terminal device.
  • the terminal device includes a processor and may also include a memory; of course, it may also include a radio frequency circuit, an antenna, and an input/output device.
  • the processor is mainly used to process the communication protocol and communication data, and to control the terminal device, execute the software program, and process the data of the software program.
  • the memory is mainly used to store software programs and data.
  • the radio frequency circuit is mainly used for the conversion of baseband signals and radio frequency signals and the processing of radio frequency signals.
  • the antenna is mainly used to send and receive radio frequency signals in the form of electromagnetic waves.
  • Input and output devices such as touch screens, display screens, keyboards, etc., are mainly used to receive data input by users and output data to users. It should be noted that some types of terminal devices may not have input and output devices.
  • when data needs to be sent, the processor performs baseband processing on the data to be sent, and then outputs the baseband signal to the radio frequency circuit.
  • the radio frequency circuit performs radio frequency processing on the baseband signal and sends the radio frequency signal to the outside in the form of electromagnetic waves through the antenna.
  • the radio frequency circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor, and the processor converts the baseband signal into data and processes the data.
  • only one memory and one processor are shown in FIG. 14; in an actual terminal device product, there may be one or more processors and one or more memories.
  • the memory may also be referred to as a storage medium or storage device.
  • the memory may be set independently of the processor, or may be integrated with the processor, which is not limited in the embodiment of the present application.
  • the antenna and radio frequency circuit with the transceiving function can be regarded as the transceiving unit of the terminal device
  • the processor with the processing function can be regarded as the processing unit of the terminal device.
  • the terminal device includes a transceiving unit 1410 and a processing unit 1420.
  • the transceiving unit may also be referred to as a transceiver, a transceiver machine, a transceiving apparatus, and so on.
  • the processing unit may also be called a processor, a processing board, a processing module, a processing device, and so on.
  • the device for implementing the receiving function in the transceiving unit 1410 can be regarded as the receiving unit, and the device for implementing the sending function in the transceiving unit 1410 as the sending unit, that is, the transceiving unit 1410 includes a receiving unit and a sending unit.
  • the transceiving unit may sometimes be referred to as a transceiver, a transceiver machine, or a transceiver circuit.
  • the receiving unit may sometimes be called a receiver, a receiver machine, or a receiving circuit.
  • the sending unit may sometimes be called a transmitter, a transmitter machine, or a transmitting circuit.
  • the transceiving unit 1410 is used to perform the sending and receiving operations on the terminal device side in the foregoing method embodiments, and the processing unit 1420 is used to perform the operations on the terminal device side in the foregoing method embodiments other than the transceiving operations.
  • An embodiment of the present application also provides a chip system, including a processor coupled with a memory, where the memory is used to store a program or instructions; when the program or instructions are executed by the processor, the chip system implements the method in any of the foregoing method embodiments.
  • there may be one or more processors in the chip system.
  • the processor can be implemented by hardware or software.
  • the processor may be a logic circuit, an integrated circuit, or the like.
  • the processor may be a general-purpose processor, which is implemented by reading software codes stored in the memory.
  • the memory may be integrated with the processor, or may be provided separately from the processor, which is not limited in this application.
  • the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or be set on different chips.
  • the setting method of the processor is not specifically limited.
  • the chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), or a system on chip (SoC); it may also be a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
  • each step in the foregoing method embodiments may be completed by an integrated logic circuit of hardware in a processor or instructions in the form of software.
  • the steps of the method disclosed in the embodiments of the present application can be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
  • the embodiment of the present application also provides a computer-readable storage medium, which stores computer-readable instructions; when a computer reads and executes the computer-readable instructions, the computer is caused to execute the method in any of the above-mentioned method embodiments.
  • the embodiments of the present application also provide a computer program product.
  • when a computer reads and executes the computer program product, the computer is caused to execute the method in any of the foregoing method embodiments.
  • the embodiment of the present application also provides a communication system, which includes a unified data management network element and terminal equipment.
  • a USIM card is provided in the terminal device.
  • the communication system may also include one or more of an access network device, an access management network element, an authentication service function network element, and a unified data storage network element.
  • the processor mentioned in the embodiments of this application may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • the memory mentioned in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), and electrically available Erase programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • the volatile memory may be random access memory (RAM), which is used as an external cache.
  • by way of example but not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
  • when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) may be integrated in the processor.
  • the sequence numbers of the above-mentioned processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and shall not constitute any limitation on the implementation process of the embodiments of the present application.
  • the disclosed system, device, and method can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

According to embodiments, the present invention relates to a communication method and apparatus. The method comprises the following steps: after receiving a resynchronization authentication token (AUTS), a unified data management network element acquires indication information corresponding to a terminal device, recognizes, on the basis of the indication information corresponding to the terminal device, the AUTS algorithm adopted when the terminal device calculated the AUTS, and thereby verifies the AUTS using the AUTS algorithm consistent with that of the terminal device. Consequently, the problem of resynchronization failure caused by inconsistent AUTS algorithms adopted by the unified data management network element and the terminal device can be effectively avoided, so that the resynchronization flow and the subsequent authentication flows of the terminal device can proceed normally.
PCT/CN2020/122866 2020-02-20 2020-10-22 Communication method and apparatus WO2021164291A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010103830.2A CN113285805B (zh) 2020-02-20 2020-02-20 Communication method and apparatus
CN202010103830.2 2020-02-20

Publications (1)

Publication Number Publication Date
WO2021164291A1 true WO2021164291A1 (fr) 2021-08-26

Family

ID=77274991

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/122866 WO2021164291A1 (fr) 2020-02-20 2020-10-22 Communication method and apparatus

Country Status (2)

Country Link
CN (1) CN113285805B (fr)
WO (1) WO2021164291A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101448263A (zh) * 2008-12-16 2009-06-03 华为技术有限公司 Method and network device for implementing authentication resynchronization
US20130331063A1 (en) * 2012-06-11 2013-12-12 Research In Motion Limited Enabling multiple authentication applications

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7574599B1 (en) * 2002-10-11 2009-08-11 Verizon Laboratories Inc. Robust authentication and key agreement protocol for next-generation wireless networks
CN101123778A (zh) * 2007-09-29 2008-02-13 大唐微电子技术有限公司 Network access authentication method and USIM card therefor
JP6101088B2 (ja) * 2012-10-31 2017-03-22 株式会社Nttドコモ State change notification method, subscriber authentication device, state change detection device and mobile communication system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on authentication enhancements in 5G System; (Release 16)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 33.846, vol. SA WG3, no. V0.5.0, 2 January 2020 (2020-01-02), pages 1 - 25, XP051841106 *

Also Published As

Publication number Publication date
CN113285805B (zh) 2022-08-26
CN113285805A (zh) 2021-08-20

Similar Documents

Publication Publication Date Title
US11909870B2 (en) ECDHE key exchange for mutual authentication using a key server
CN109587688B (zh) Security in inter-system mobility
JP6759232B2 (ja) Authentication and key agreement with perfect forward secrecy
US11533160B2 (en) Embedded universal integrated circuit card (eUICC) profile content management
JP7443541B2 (ja) Key obtaining method and apparatus
WO2018077232A1 (fr) Network authentication method, and associated device and system
WO2022057736A1 (fr) Authorization method and device
WO2019153994A1 (fr) Security negotiation method and apparatus
WO2020216338A1 (fr) Parameter sending method and apparatus
WO2019029531A1 (fr) Method for triggering network authentication and associated device
US20230232219A1 (en) Data transmission method and system, electronic device and computer-readable storage medium
WO2019095990A1 (fr) Communication method and device
WO2018233726A1 (fr) Network slice authentication method, corresponding apparatus and system, and medium
WO2021120924A1 (fr) Certificate application method and device
WO2018205148A1 (fr) Data packet checking method and device
WO2021218978A1 (fr) Key management method, device, and system
WO2021244569A1 (fr) Data transmission method and system, electronic device and storage medium
JP2022501973A (ja) Method and apparatus for handling a security context during inter-system change
WO2017152360A1 (fr) Method and device for radio bearer security configuration
WO2021164291A1 (fr) Communication method and apparatus
CN111836260A (zh) Authentication information processing method, terminal and network device
WO2020147602A1 (fr) Authentication method, apparatus and system
WO2022088106A1 (fr) Message transmission method and apparatus
WO2021134364A1 (fr) Online subscription method and apparatus
CN115515130A (zh) Session key generation method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20920032; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20920032; Country of ref document: EP; Kind code of ref document: A1)