WO2021196011A1 - Method, apparatus and system for obtaining a terminal device identifier - Google Patents


Info

Publication number
WO2021196011A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
network element
management network
identifier
supi
Prior art date
Application number
PCT/CN2020/082564
Other languages
English (en)
French (fr)
Other versions
WO2021196011A9 (zh)
Inventor
吴义壮
李�赫
胡力
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Priority to CN202080099106.5A (CN115336303A, zh)
Priority to PCT/CN2020/082564 (WO2021196011A1, zh)
Priority to EP20928846.3A (EP4120713A4, en)
Priority to BR112022019957A (BR112022019957A2, pt)
Publication of WO2021196011A1 (zh)
Publication of WO2021196011A9 (zh)
Priority to US17/955,614 (US20230013010A1, en)

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
            • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
              • H04W12/041 Key generation or derivation
              • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
          • H04W8/00 Network data management
            • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
              • H04W8/20 Transfer of user or subscriber data
          • H04W76/00 Connection management
            • H04W76/10 Connection setup
              • H04W76/11 Allocation or use of connection identifiers
          • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
            • H04W88/02 Terminal devices
              • H04W88/04 Terminal devices adapted for relaying to or from another terminal or user

Definitions

  • This application relates to the field of communication technology, and in particular to a method, apparatus and system for obtaining a terminal device identifier.
  • D2D: device-to-device
  • UE: user equipment
  • When a remote UE is outside the coverage of the communication network, or its communication quality with the access network device is poor, it can establish indirect communication with the communication network through a relay device (relay UE) based on D2D communication: the remote device communicates with the relay device, and the relay device interacts with the communication network, so that the remote device can obtain data from the communication network.
  • When the remote device establishes indirect communication with the communication network by means of a relay device, the relay device first needs to obtain the identifier of the remote device and report it to the communication network, so that the network can perform authentication and an authorization check based on that identifier, or perform service control based on it, such as lawful interception.
  • In one approach, the remote device provides its user permanent identifier to the relay device in plain text over the air interface, and the relay device then forwards the received permanent identifier to the communication network. Sending the user's permanent identifier directly over the air interface in plain text exposes the user's privacy.
  • This application provides a method, apparatus and system for obtaining a terminal device identifier, to solve the problem that this way of transmitting the user's permanent identifier exposes the user's privacy.
  • In a first aspect, an embodiment of the present application provides a method for obtaining a terminal device identifier, executed by a key management network element. The key management network element receives a first key request from a first terminal device; the first key request includes a first identifier, which is the anonymization identifier or temporary identifier of a second terminal device. The key management network element parses the first key request and, having determined that the key request includes the first identifier and that the user permanent identifier of the second terminal device therefore needs to be determined, sends a first request including the first identifier to the unified data management network element. It then receives a first response from the unified data management network element, the first response including the SUPI of the second terminal device. The key management network element performs an authorization check on the second terminal device according to that SUPI and, after the check passes, sends a first key response to the first terminal device.
  • In this way the key management network element obtains the user permanent identifier of the second terminal device from the unified data management network element and needs only the anonymization identifier or temporary identifier of the second terminal device from the first terminal device. It no longer needs to obtain the user permanent identifier of the second terminal device from the first terminal device, so the security of that permanent identifier is effectively guaranteed and exposure of the user's privacy is avoided.
  • Optionally, the first response and the first key response also include the GPSI of the second terminal device, and may also include the first identifier.
  • Because the first response and the first key response carry the first identifier or the GPSI to indicate the second terminal device, they avoid the privacy exposure that carrying the user permanent identifier would cause.
  • The first request and the first response may be messages in the existing interaction between the key management network element and the unified data management network element: for example, the first request is a secure communication parameter acquisition request and the first response is a secure communication parameter acquisition response.
  • The first request and the first response may also be newly added messages in that interaction.
  • This makes the definition of the first request and the first response more flexible, which effectively widens the range of application.
  • If the authorization check of the second terminal device fails, the key management network element can notify the first terminal device to refuse or terminate the service for the second terminal device, and can also notify the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device.
  • The key management network element can thus promptly and conveniently notify the first terminal device or the unified data management network element to perform the corresponding operation.
  • The key management network element may also send a first indication to the unified data management network element, instructing it to store the correspondence between the first identifier and the SUPI of the second terminal device.
  • By sending the first indication, the key management network element has the unified data management network element store this correspondence, so that other network elements can later obtain the SUPI of the second terminal device from the unified data management network element through the first identifier.
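The key request flow of the first and second aspects, end to end, as an added example that is not part of the patent or of any Huawei implementation. It models the relay UE (first terminal device), the key management network element (KMF) and the unified data management network element (UDM) in plain Python. Everything not named in the text is an assumption: the anonymization identifier is built with a symmetric HMAC-based stand-in for the real concealment scheme (the real scheme and its keys are not specified here, and because the stand-in key is symmetric the remote UE's concealment step is called on the UDM object), the authorization check is a per-subscriber relay_allowed flag, the secure communication parameter is an HMAC over both SUPIs under a root key held only by the KMF, and the identifier formats are illustrative.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample identifiers (not from the patent); formats are illustrative only.
REMOTE_SUPI = "imsi-460001234567890"      # second terminal device (remote UE)
REMOTE_GPSI = "msisdn-8613800001111"
RELAY_SUPI = "imsi-460001234567891"       # first terminal device (relay UE)


class UDM:
    """Unified data management network element: the only party that maps identifiers to a SUPI."""

    def __init__(self, subscribers):
        self.subscribers = subscribers                  # SUPI -> {"gpsi": str, "relay_allowed": bool}
        self.conceal_key = secrets.token_bytes(32)      # assumption: home-network concealment secret
        self.temp_to_supi = {}                          # temporary identifier -> SUPI
        self.first_id_to_supi = {}                      # first identifier -> SUPI, kept on KMF indication

    def conceal(self, supi):
        """Anonymization identifier (stand-in scheme): fresh nonce, HMAC-SHA256 keystream XORed over
        the SUPI (at most 32 bytes), plus an HMAC tag so a tampered identifier is rejected rather
        than resolving to another subscriber's SUPI."""
        nonce = os.urandom(16)
        keystream = hmac.new(self.conceal_key, b"ks" + nonce, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(supi.encode(), keystream))
        tag = hmac.new(self.conceal_key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
        return "anon-" + (nonce + ct + tag).hex()

    def allocate_temp_id(self, supi):
        """Temporary identifier allocated by the UDM; only the correspondence is stored."""
        temp_id = "tmp-" + secrets.token_hex(8)
        self.temp_to_supi[temp_id] = supi
        return temp_id

    def resolve(self, first_id):
        """SUPI behind an anonymization or temporary identifier, or None if unknown or tampered."""
        if first_id.startswith("tmp-"):
            return self.temp_to_supi.get(first_id)
        if not first_id.startswith("anon-"):
            return None
        try:
            raw = bytes.fromhex(first_id[5:])
        except ValueError:
            return None
        if len(raw) < 33:                                # nonce + at least one byte + tag
            return None
        nonce, ct, tag = raw[:16], raw[16:-16], raw[-16:]
        expected = hmac.new(self.conceal_key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return None
        keystream = hmac.new(self.conceal_key, b"ks" + nonce, hashlib.sha256).digest()
        supi = bytes(a ^ b for a, b in zip(ct, keystream)).decode()
        return supi if supi in self.subscribers else None

    def handle_first_request(self, first_id, store_mapping):
        """First request -> first response (SUPI, GPSI, first identifier), or None if unresolvable."""
        supi = self.resolve(first_id)
        if supi is None:
            return None
        if store_mapping:                                # the KMF's first indication
            self.first_id_to_supi[first_id] = supi
        return {"supi": supi, "gpsi": self.subscribers[supi]["gpsi"], "first_id": first_id}

    def delete_mapping(self, first_id):
        self.first_id_to_supi.pop(first_id, None)


class KMF:
    """Key management network element: authorizes by SUPI, answers the relay without the SUPI."""

    def __init__(self, udm):
        self.udm = udm
        self.k_root = secrets.token_bytes(32)           # assumption: root key for secure comm parameters

    def handle_first_key_request(self, relay_supi, first_id):
        resp = self.udm.handle_first_request(first_id, store_mapping=True)
        authorized = resp is not None and self.udm.subscribers[resp["supi"]]["relay_allowed"]
        if not authorized:
            self.udm.delete_mapping(first_id)           # notify UDM to drop the correspondence
            return {"status": "REJECT", "first_id": first_id}   # relay refuses/terminates the service
        # Secure communication parameter bound to this relay/remote pair; the SUPI stays in the network.
        param = hmac.new(self.k_root, f"{relay_supi}|{resp['supi']}".encode(), hashlib.sha256).hexdigest()
        return {"status": "OK", "first_id": first_id, "gpsi": resp["gpsi"], "secure_comm_param": param}


def run_exchange(relay_allowed=True, use_temp_id=False):
    """Whole flow. Returns (first key response, whether the relay ever saw the SUPI, mapping stored)."""
    udm = UDM({REMOTE_SUPI: {"gpsi": REMOTE_GPSI, "relay_allowed": relay_allowed}})
    kmf = KMF(udm)
    # The remote UE presents one of the two identifiers to the relay over the air interface.
    first_id = udm.allocate_temp_id(REMOTE_SUPI) if use_temp_id else udm.conceal(REMOTE_SUPI)
    key_resp = kmf.handle_first_key_request(RELAY_SUPI, first_id)
    relay_saw_supi = REMOTE_SUPI in first_id or REMOTE_SUPI in str(key_resp)
    return key_resp, relay_saw_supi, first_id in udm.first_id_to_supi
```

Two properties are worth checking when implementing this: the relay's entire view (the first identifier it forwards and the key response it gets back) never contains the SUPI, and the failure path both tells the relay to refuse the service and removes the stored first-identifier correspondence, so a rejected device leaves nothing resolvable behind at the UDM.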
  • In a second aspect, the embodiments of the present application provide a method for obtaining a terminal device identifier, executed by a unified data management network element. The unified data management network element receives a first request from the key management network element; the first request includes the first identifier, which is the anonymization identifier or temporary identifier of the second terminal device. After determining that the first request includes the first identifier, the unified data management network element obtains the SUPI of the second terminal device according to the first identifier and then sends a first response, including that SUPI, to the key management network element.
  • The key management network element thus obtains the SUPI of the second terminal device conveniently by interacting with the unified data management network element.
  • When the unified data management network element determines the SUPI of the second terminal device from its anonymization identifier, it can recover the SUPI from the anonymization identifier itself.
  • This makes obtaining the SUPI of the second terminal device more convenient for the unified data management network element.
  • When the unified data management network element determines the SUPI of the second terminal device from its temporary identifier, it does so according to the saved correspondence between the SUPI of the terminal device and the temporary identifier.
  • Because the unified data management network element stores the correspondence between SUPI and temporary identifier, it can provide the SUPI of the second terminal device to the key management network element more conveniently.
  • The unified data management network element first needs to determine the temporary identifier assigned to the second terminal device. Two methods are described below:
  • The unified data management network element may assign a temporary identifier to the second terminal device, send it to the second terminal device through the proximity service network element, and save the correspondence between the SUPI and the temporary identifier of the second terminal device.
  • Alternatively, the unified data management network element may obtain from the proximity service network element the temporary identifier that the proximity service network element assigned to the second terminal device, and save the correspondence between the SUPI of the second terminal device and that temporary identifier.
  • The unified data management network element can thus determine the temporary identifier assigned to the second terminal device in different ways, suited to different scenarios.
  • After the unified data management network element obtains the SUPI of the second terminal device according to the first identifier, it can store the correspondence between the first identifier and the SUPI of the second terminal device, so that other network elements can subsequently obtain the SUPI through the first identifier.
  • The unified data management network element can store this correspondence on its own initiative, or under the instruction of the key management network element: for example, it receives a first indication from the key management network element instructing it to store the correspondence between the first identifier and the SUPI of the second terminal device, and then stores it.
  • The unified data management network element may also first decide whether the correspondence needs to be stored and store it only after determining that it does; for example, it may decide this according to an attribute of the second terminal device.
  • After storing the correspondence between the first identifier and the SUPI of the second terminal device, the unified data management network element can also delete it when notified by the key management network element, in order to save storage space.
  • The first response may carry the first identifier, and may also carry other identifiers of the second terminal device: for example, the unified data management network element may determine the GPSI of the second terminal device according to its SUPI and carry that GPSI in the first response.
  • Carrying other identifiers of the second terminal device in the first response provides the key management network element with more information about the second terminal device.
  • The unified data management network element can also provide the SUPI of the second terminal device to other network elements. This other network element may be a session management network element or a mobile access management network element, described separately as follows:
  • The unified data management network element may receive a user identity resolution request from the session management network element. The user identity resolution request includes a second identifier, which is one of the following: the anonymization identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device. The unified data management network element determines the SUPI of the second terminal device according to the second identifier and then sends a user identity resolution response, including that SUPI, to the session management network element.
  • The unified data management network element may also receive an identity resolution request from the mobile access management network element. The identity resolution request includes a second identifier, which is one of the following: the anonymization identifier, the temporary identifier, or the GPSI of the second terminal device. The unified data management network element determines the SUPI of the second terminal device according to the second identifier and then sends an identity resolution response, including that SUPI, to the mobile access management network element.
  • Optionally, the first response also includes the first identifier.
  • In a third aspect, the embodiments of the present application provide a method for obtaining a terminal device identifier, executed by a session management network element.
  • The session management network element may receive a terminal report message from a first terminal device; the terminal report message includes a second identifier and the IP information allocated by the first terminal device to the second terminal device. The second identifier is one of the following: the anonymization identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device. Having determined that the terminal report message includes the second identifier, the session management network element needs to obtain the SUPI of the second terminal device.
  • The session management network element can send a user identity resolution request, including the second identifier, to the unified data management network element and then receive a user identity resolution response from it, the response including the SUPI of the second terminal device. After obtaining the SUPI, the session management network element can perform service control on the second terminal device according to the SUPI and IP information of the second terminal device.
  • The session management network element thus obtains the user permanent identifier of the second terminal device from the unified data management network element and needs only the anonymization identifier or temporary identifier of the second terminal device from the first terminal device; it no longer needs to obtain the user permanent identifier of the second terminal device from the first terminal device, which effectively ensures the security of that permanent identifier and avoids exposure of the user's privacy.
  • In a fourth aspect, an embodiment of the present application provides a method for obtaining a terminal device identifier, executed by a mobile access management network element. The mobile access management network element receives a terminal report message from a first terminal device; the terminal report message includes a second identifier and the IP information allocated by the first terminal device to the second terminal device. The second identifier is one of the following: the anonymization identifier of the second terminal device, the temporary identifier of the second terminal device, or the generic public subscription identifier (GPSI) of the second terminal device. Having determined that the terminal report message includes the second identifier, the mobile access management network element needs to obtain the SUPI of the second terminal device.
  • The mobile access management network element can send an identity resolution request, including the second identifier, to the unified data management network element, and receive an identity resolution response from it, the response including the SUPI of the second terminal device. The mobile access management network element can then send the SUPI and IP information of the second terminal device to the session management network element.
  • The mobile access management network element thus obtains the user permanent identifier of the second terminal device from the unified data management network element and sends it to the session management network element. The first terminal device no longer needs to provide the user permanent identifier of the second terminal device, which effectively ensures the security of that permanent identifier and avoids exposure of the user's privacy.
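The terminal report handling of the third and fourth aspects, as an added example that is not the patent's or Huawei's code. The UDM here already holds the first-identifier to SUPI correspondences stored during the key request flow and resolves a GPSI from subscription data; the SMF and AMF paths share one service-control routine that works on SUPI plus IP information, with the AMF forwarding the resolved SUPI and IP information to the SMF. Assumptions not in the text: the sample subscribers, identifiers and IP addresses are constructed; service control is reduced to an IP-to-SUPI binding and a per-subscriber allow_internet flag; and the report parser refuses a plaintext SUPI and malformed IP information before any lookup, which is a practitioner's input-validation choice rather than something the text specifies.

```python
import ipaddress

# Constructed sample data (not from the patent). The first-identifier <-> SUPI correspondences are
# assumed to have been stored by the UDM during the key request flow; GPSIs are subscription data.
SUBSCRIBERS = {
    "imsi-460001234567890": {"gpsi": "msisdn-8613800001111", "allow_internet": True},
    "imsi-460001234567892": {"gpsi": "msisdn-8613800002222", "allow_internet": False},
}
STORED_FIRST_IDS = {
    "anon-3f9c1b0e": "imsi-460001234567890",     # anonymization identifier seen earlier
    "tmp-a1b2c3d4": "imsi-460001234567892",      # temporary identifier seen earlier
}


class UDM:
    """Unified data management network element answering identity resolution requests."""

    def __init__(self, subscribers, stored_first_ids):
        self.subscribers = subscribers
        self.first_ids = dict(stored_first_ids)
        self.gpsi_to_supi = {v["gpsi"]: k for k, v in subscribers.items()}

    def identity_resolution(self, second_id):
        """Second identifier (anonymization id, temporary id, or GPSI) -> SUPI, or None if unknown."""
        return self.first_ids.get(second_id) or self.gpsi_to_supi.get(second_id)


def parse_terminal_report(second_id, ip_info):
    """Validate what the relay reported before any lookup. A plaintext SUPI is refused (the relay
    is not supposed to hold one) and the IP information must parse as an address. Returns
    (ip_address, None) on success or (None, reason) on rejection."""
    if second_id.startswith("imsi-") or second_id.startswith("nai-"):
        return None, "plaintext SUPI in terminal report"
    try:
        return ipaddress.ip_address(ip_info), None
    except ValueError:
        return None, "malformed IP information"


class SMF:
    """Session management network element."""

    def __init__(self, udm):
        self.udm = udm
        self.ip_to_supi = {}                     # the binding that service control works from

    def on_terminal_report(self, second_id, ip_info):
        ip, err = parse_terminal_report(second_id, ip_info)
        if err:
            return {"accepted": False, "reason": err}
        supi = self.udm.identity_resolution(second_id)      # user identity resolution request/response
        if supi is None:
            return {"accepted": False, "reason": "identifier not resolvable"}
        return self.service_control(supi, ip)

    def service_control(self, supi, ip):
        """Runs on SUPI + IP whether they came from the SMF's own resolution or from the AMF."""
        self.ip_to_supi[str(ip)] = supi
        return {"accepted": True, "ip": str(ip), "internet": self.udm.subscribers[supi]["allow_internet"]}


class AMF:
    """Mobile access management network element."""

    def __init__(self, udm, smf):
        self.udm, self.smf = udm, smf

    def on_terminal_report(self, second_id, ip_info):
        ip, err = parse_terminal_report(second_id, ip_info)
        if err:
            return {"accepted": False, "reason": err}
        supi = self.udm.identity_resolution(second_id)      # identity resolution request/response
        if supi is None:
            return {"accepted": False, "reason": "identifier not resolvable"}
        return self.smf.service_control(supi, ip)           # AMF hands SUPI + IP to the SMF
```

Note that the relay never supplies a SUPI on either path, and the SUPI never travels back towards the relay: the only place it appears is inside the network, in the SMF's IP-to-SUPI binding that service control (lawful interception included) needs.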
  • In a fifth aspect, the embodiments of the present application provide a method for obtaining a terminal device identifier, executed by a first terminal device.
  • The first terminal device may send a first key request to the key management network element; the first key request includes a first identifier, which is the anonymization identifier or temporary identifier of the second terminal device. The first terminal device then receives a first key response from the key management network element; the first key response includes a secure communication parameter.
  • The first terminal device establishes secure communication with the second terminal device based on the secure communication parameter.
  • The first terminal device can thus obtain, through the first identifier, the secure communication parameter used to establish secure communication with the second terminal device from the key management network element, and no longer needs to provide the user permanent identifier of the second terminal device, which effectively ensures the security of that permanent identifier and avoids exposure of the user's privacy.
  • Optionally, the first key response also includes the GPSI or the first identifier of the second terminal device, which is used to indicate the second terminal device.
  • an embodiment of the present application also provides a communication device, which is applied to a key management network element, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the first aspect described above.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • The structure of the device includes a receiving unit, a processing unit, and a sending unit. These units can perform the corresponding functions in the method example of the first aspect; for details, refer to the detailed description in the method example, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a unified data management network element, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the second aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • The structure of the device includes a receiving unit, a processing unit, and a sending unit. These units can perform the corresponding functions in the method example of the second aspect; for details, refer to the detailed description in the method example, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, the communication device is applied to a session management network element, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the third aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • The structure of the device includes a receiving unit, a processing unit, and a sending unit. These units can perform the corresponding functions in the method example of the third aspect; for details, refer to the detailed description in the method example, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a mobile access management network element, and the beneficial effects can be referred to the description of the fourth aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the fourth aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • The structure of the device includes a receiving unit, a processing unit, and a sending unit. These units can perform the corresponding functions in the method example of the fourth aspect; for details, refer to the detailed description in the method example, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a first terminal device, and the beneficial effects can be referred to the description of the fifth aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the fifth aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • The structure of the device includes a receiving unit, a processing unit, and a sending unit. These units can perform the corresponding functions in the method example of the fifth aspect; for details, refer to the detailed description in the method example, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a key management network element, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the key management network element to perform the corresponding functions in the above-mentioned method in the first aspect.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a communication interface for communicating with other devices.
  • the embodiments of the present application also provide a communication device, the communication device is applied to a unified data management network element, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the unified data management network element to perform the corresponding function in the above-mentioned second aspect method.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a communication interface for communicating with other devices.
  • an embodiment of the present application also provides a communication device, which is applied to a session management network element, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the session management network element to perform the corresponding functions in the above-mentioned third aspect method.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a communication interface for communicating with other devices.
  • an embodiment of the present application also provides a communication device, which is applied to a mobile access management network element, and the beneficial effects can be referred to the description of the fourth aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the mobile access management network element to perform the corresponding function in the above-mentioned fourth aspect method.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a communication interface for communicating with other devices.
  • The embodiments of the present application also provide a communication device applied to the first terminal device; for the beneficial effects, refer to the description of the fifth aspect, which will not be repeated here.
  • The structure of the communication device includes a processor and a memory, and the processor is configured to support the first terminal device to perform the corresponding functions of the method of the fifth aspect.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a transceiver for communicating with other devices.
  • the embodiments of the present application also provide a communication system.
  • the communication system includes a key management network element and a unified data management network element;
  • a key management network element configured to receive a first key request from the first terminal device, the first key request including a first identifier, and, after determining that the first key request includes the first identifier, send a first request to the unified data management network element, the first request including the first identifier, where the first identifier is an anonymization identifier or a temporary identifier of the second terminal device.
  • the unified data management network element is used to receive the first request; after determining that the first request includes the first identifier, determine the user permanent identifier SUPI of the second terminal device according to the first identifier; and send a first response to the key management network element, the first response including the SUPI of the second terminal device.
  • the key management network element is also used to receive the first response; perform an authorization check on the second terminal device according to the SUPI of the second terminal device; and send a first key response to the first terminal device after the authorization check of the second terminal device is passed.
  • the first key response includes a secure communication parameter, and the secure communication parameter is used by the first terminal device to establish secure communication with the second terminal device.
  • the first response and the first key response also include the GPSI of the second terminal device; the unified data management network element is also used to determine the GPSI of the second terminal device according to the SUPI of the second terminal device.
  • the first response and the first key response further include the first identifier.
  • the unified data management network element may store the corresponding relationship between the first identifier and the SUPI of the second terminal device.
  • the key management network element sends a first indication to the unified data management network element, and the first indication is used to indicate that the correspondence between the first identifier and the SUPI of the second terminal device should be stored; the unified data management network element is also used to receive the first indication and then store the correspondence between the first identifier and the SUPI of the second terminal device.
  • after the authorization check of the second terminal device fails, the key management network element notifies the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device.
  • the unified data management network element is also used to delete the correspondence between the first identifier and the SUPI of the second terminal device under the notification of the key management network element.
  • when the unified data management network element determines the SUPI of the second terminal device according to the anonymization identifier of the second terminal device, it obtains the SUPI of the second terminal device from the subscription identifier de-concealing network element according to the anonymization identifier of the second terminal device.
  • when the unified data management network element determines the SUPI of the second terminal device according to the temporary identifier of the second terminal device, it determines the SUPI of the second terminal device from the temporary identifier based on the saved correspondence between the SUPI of the terminal device and the temporary identifier.
  • the unified data management network element may allocate a temporary identifier to the second terminal device, send the temporary identifier to the second terminal device through the proximity service network element, and save the correspondence between the SUPI of the second terminal device and the temporary identifier. It may also obtain from the proximity service network element the temporary identifier that the proximity service network element allocated to the second terminal device, and save the correspondence between the SUPI of the second terminal device and that temporary identifier.
  • the system also includes a session management network element.
  • the session management network element is used to receive information reported by the terminal device from the first terminal device.
  • the information reported by the terminal device includes a second identifier and IP information allocated by the first terminal device to the second terminal device.
  • the second identifier is one of the following: the anonymization identifier of the second terminal device, or the temporary identifier of the second terminal device. After confirming that the terminal report message includes the second identifier, the session management network element sends a user identity resolution request to the unified data management network element, and the user identity resolution request includes the second identifier;
  • the unified data management network element is also used to receive a user identity analysis request, determine the SUPI of the second terminal device according to the second identifier, and send a user analysis response to the session management network element, and the user analysis response includes the SUPI of the second terminal device;
  • the session management network element is also used to receive a user analysis response, and perform service control on the second terminal device according to the SUPI and IP information of the second terminal device.
  • the system also includes a mobile access management network element.
  • the mobile access management network element is configured to receive a terminal report message from the first terminal device, the terminal report message includes a second identifier and IP information allocated by the first terminal device to the second terminal device, and the second identifier is the anonymization identifier or the temporary identifier of the second terminal device; after confirming that the terminal report message includes the second identifier, the mobile access management network element sends an identity resolution request to the unified data management network element, the identity resolution request including the second identifier;
  • the unified data management network element is also used to receive an identity resolution request, determine the SUPI of the second terminal device according to the second identity, and send an identity resolution response to the mobile access management network element, and the identity resolution response includes the SUPI of the second terminal device;
  • the mobile access management network element is also used to receive an identification resolution response, and send the SUPI and IP information of the second terminal device to the session management network element.
  • the system also includes a first terminal device
  • the first terminal device is configured to send a first key request to the key management network element and receive the first key response from the key management network element; after establishing secure communication with the second terminal device based on the secure communication parameters, it sends a terminal report message to the mobile access management network element or to the session management network element.
  • the system further includes a proximity service network element; the proximity service network element is used to allocate a temporary identifier to the second terminal device and send the temporary identifier to the unified data management network element.
  • this application also provides a computer-readable storage medium having instructions stored in the computer-readable storage medium, which when run on a computer, cause the computer to execute the methods described in the above aspects.
  • this application also provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the methods described in the above aspects.
  • the present application also provides a computer chip connected to a memory, and the chip is configured to read and execute a software program stored in the memory, and execute the methods described in the foregoing aspects.
  • FIG. 1 is an architecture diagram of a system provided by an embodiment of this application;
  • FIG. 2 is a schematic diagram of a method for acquiring a terminal device identifier provided by an embodiment of this application;
  • FIG. 3 is a schematic diagram of a first method for acquiring a terminal device identifier provided by an embodiment of this application;
  • FIG. 4 is a schematic diagram of a second method for acquiring a terminal device identifier provided by an embodiment of this application;
  • FIG. 5 is a schematic diagram of a third method for acquiring a terminal device identifier provided by an embodiment of this application;
  • FIG. 6 is a schematic diagram of a fourth method for acquiring a terminal device identifier provided by an embodiment of this application;
  • FIG. 7 is a schematic diagram of a fifth method for acquiring a terminal device identifier provided by an embodiment of this application;
  • FIG. 8 is a schematic diagram of a sixth method for acquiring a terminal device identifier provided by an embodiment of this application;
  • FIG. 9 to FIG. 15 are schematic structural diagrams of a communication device provided by embodiments of this application.
  • the network architecture is the network architecture of the 5G system.
  • the network elements in the 5G architecture include terminal equipment (user equipment, UE).
  • the network architecture also includes a radio access network (RAN), access and mobility management function (AMF) network elements, session management function (SMF) network elements, user plane function (UPF) network elements, unified data management (UDM) network elements, application function (AF) network elements, a data network (DN), etc.
  • RAN radio access network
  • AMF access and mobility management function
  • SMF session management function
  • UPF user plane function
  • UDM unified data management
  • AF application function
  • a terminal device is a device with a wireless transceiver function. It can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; it can also be deployed on the water (such as on ships); it can also be deployed in the air (such as on airplanes, balloons or satellites).
  • the terminal device may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical care, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, etc.
  • terminal equipment can be divided into two types, namely remote UE (such as the second terminal device) and relay UE (such as the first terminal device).
  • the remote UE refers to the need to rely on the relay UE and data
  • a relay UE is a UE that can directly communicate with the data network.
  • the remote UE may send the anonymization identifier or the assigned temporary identifier of the remote UE to the relay UE, and the relay UE may send the anonymization identifier or the assigned temporary identifier sent by the remote UE.
  • the main function of the RAN is to control the wireless access of users to the mobile communication network.
  • RAN is a part of the mobile communication system. It implements a wireless access technology. Conceptually, it resides between a certain device (such as a mobile phone, a computer, or any remote control machine) and provides a connection to its core network.
  • the AMF network element is responsible for terminal access management and mobility management. In practical applications, it includes the mobility management function in the MME in the LTE network framework, and adds the access management function.
  • the SMF network element is responsible for session management, such as user session establishment.
  • the UPF network element is a functional network element of the user plane, which is mainly responsible for connecting to external networks. It includes the related functions of the LTE serving gateway (serving gateway, SGW) and the public data network gateway (public data network gateway, PDN-GW).
  • SGW serving gateway
  • PDN-GW public data network gateway
  • the DN is responsible for the network that provides services for the terminal. For example, some DNs provide the terminal with Internet access, and some other DNs provide the terminal with short message functions, and so on.
  • the UDM network element can store the user's subscription information, which is similar to the HSS in 4G.
  • the UDM can determine the user permanent identifier (SUPI) of the terminal device according to the anonymized identifier or temporary identifier of the remote UE.
  • the AF network element can be a third-party application control platform or the operator’s own equipment.
  • the AF network element can provide services for multiple application servers.
  • the core network elements also include proximity-based services key management function (PKMF) network elements, subscription identifier de-concealing function (SIDF) network elements, proximity-based services (ProSe) network elements, unified data repository (UDR) network elements, and bootstrapping server function (BSF) network elements.
  • PKMF proximity-based services key management function
  • SIDF subscription identifier de-concealing function
  • ProSe proximity-based Services
  • UDR unified data repository
  • BSF bootstrapping server function
  • the PKMF network element is used to manage keys for ProSe communication UEs.
  • PKMF can be deployed independently or co-deployed with other network elements.
  • PKMF network elements can be co-deployed with ProSe network elements.
  • in this embodiment of the application, the SIDF network element can decrypt the SUCI to obtain the SUPI.
  • SIDF can be deployed independently or co-deployed with other network elements.
  • SIDF network elements can be co-deployed with UDM network elements.
  • ProSe network elements are used to support network-related actions required by ProSe.
  • the ProSe network element has the following functions: function 1, a direct configuration function, used to provide necessary parameters to the UE, such as a temporary identification;
  • function 2, a direct discovery name management function, used to enable ProSe direct discovery and the distribution of ProSe application codes.
  • the ProSe network element may allocate a temporary identity for the UE, notify the UE of the allocated temporary identity, and send the temporary identity allocated for the UE to the UDM network element.
  • UDR network elements are mainly used to store user-related subscription data, policy data, open structured data, and application data.
  • the BSF network element can provide the PKMF network element with the secure communication parameters required by the relay UE and the remote UE to establish secure communication.
  • the key management network element may receive a first key request carrying a first identification from the first terminal device, where the first identification is the anonymization identification or temporary identification of the second terminal device. After the key management network element determines that the first key request carries the first identifier, it can request the unified data management network element to obtain the user permanent identifier of the second terminal device according to the first identifier; the key management network element can then perform an authorization check on the second terminal device based on the permanent user identification of the second terminal device, and after the authorization check is passed, send the secure communication parameters for establishing secure communication to the first terminal device. In the embodiment of this application, the first terminal device does not need to provide the key management network element with the permanent user identification of the second terminal device. The key management network element obtains the permanent user identification of the second terminal device from the unified data management network element and uses it for the authorization check, which ensures the security of the permanent user identification of the second terminal device.
  • the method includes:
  • Step 201 The key management network element receives a first key request from a first terminal device, the first key request includes a first identifier, and the first identifier is an anonymization identifier or a temporary identifier of the second terminal device.
  • Step 202 The key management network element determines that the first key request includes the first identifier.
  • After receiving the first key request, the key management network element parses the first key request, and after determining that the first key request includes the first identification, it performs step 203 in order to obtain the permanent user identification of the second terminal device.
  • Step 203 The key management network element sends a first request to the unified data management network element, where the first request includes the first identifier.
  • Step 204 The unified data management network element receives the first request from the key management network element, and obtains the user permanent identifier of the second terminal device according to the first identifier.
  • Step 205 The unified data management network element sends a first response to the key management network element, where the first response includes the permanent user identification of the second terminal device.
  • Step 206 The key management network element performs an authorization check on the second terminal device according to the permanent user identification of the second terminal device.
  • Step 207 After passing the authorization check of the second terminal device, the key management network element may send a first key response to the first terminal device, and the first key response includes the secure communication parameter.
  • when the second terminal device needs to communicate with the data network, it may initiate a direct communication request to the first terminal device, and the direct communication request may carry the anonymization identification or temporary identification of the second terminal device.
  • the anonymized identifier or temporary identifier is an identifier assigned to the second terminal device in advance.
  • the anonymized identifier is an identifier that conceals the permanent identifier of the terminal device; only a specific network element can recover the concealed information of the terminal device from the anonymized identifier.
  • for example, the anonymization identifier may be a user concealed identifier (SUCI), and the SUCI is a privacy-protecting identifier that contains the user permanent identifier (SUPI).
  • the temporary identifier may be an identifier with a short validity period allocated to the second terminal device by a neighboring service network element (such as a ProSe network element) or a unified data management network element.
  • the proximity service network element may send the temporary identifier to the second terminal device during the registration process of the second terminal device.
  • the temporary identifier may be allocated to the second terminal device when the proximity service network element receives the registration request sent by the second terminal device, and the proximity service network element carries the temporary identifier in the registration response message and sends it to the second terminal device.
  • after the proximity service network element allocates a temporary identifier to the second terminal device, it may send the temporary identifier of the second terminal device to the unified data management network element. After the unified data management network element receives the temporary identifier of the second terminal device, it can locally store the correspondence between the temporary identification of the second terminal device and the permanent user identification.
  • the unified data management network element may also allocate a temporary identifier to the second terminal device during the registration process of the second terminal device. After the unified data management network element allocates a temporary identifier to the second terminal device, it may locally save the correspondence between the temporary identifier of the second terminal device and the permanent identifier of the user. The unified data management network element may also send the temporary identification of the second terminal device to the neighboring service network element. Further, the proximity service network element sends the received temporary identifier to the second terminal device.
  • the proximity service network element or the unified data management network element may periodically update the temporary identification of the second terminal device. After the temporary identification of the second terminal device is updated, the proximity service network element or the unified data management network element may send the updated temporary identification to the second terminal device. If the proximity service network element updates the temporary identification of the second terminal device, it can send the updated temporary identification to the unified data management network element, so that the unified data management network element can update the temporary identification of the second terminal device stored locally.
  • step 201 may be performed to send the first key request to the key management network element to request the encryption.
  • the key management network element can perform an authorization check on the first terminal device.
  • the key management network element parses the first key request, and if it determines that the identifier carried in the first key request is the anonymized identifier or temporary identifier of the second terminal device, it cannot perform the authorization check on the second terminal device based on that anonymized identifier or temporary identifier.
  • the key management network element may perform step 203, send a first request carrying the first identifier, and request the unified data management network element to obtain the user permanent identifier of the second terminal device.
  • after the unified data management network element receives the first request, it can determine the permanent user identification of the second terminal device according to the anonymized identification or temporary identification of the second terminal device, and feed back to the key management network element a first response that includes the permanent user identification of the second terminal device.
  • the first request and the first response may be information in an existing interaction process between the key management network element and the unified data management network element.
  • the first request may be a secure communication parameter acquisition request
  • the secure communication parameter acquisition request is used to request the unified data management network element to acquire the secure communication parameters required by the first terminal device and the second terminal device to establish secure communication.
  • the key management network element may carry the anonymization or temporary identification of the second terminal device in the secure communication parameter acquisition request.
  • the secure communication parameter acquisition request is also used to request the unified data management network element to acquire the permanent user identification of the second terminal device.
  • the first response is a secure communication parameter acquisition response.
  • the secure communication parameter acquisition response carries the secure communication parameters required by the first terminal device and the second terminal device to establish secure communication, and the permanent user identification of the second terminal device.
  • the above takes the case where the first request is a secure communication parameter acquisition request and the first response is a secure communication parameter acquisition response as an example.
  • the embodiment of the present application does not limit the first request and the first response.
  • the first request and the first response may also be other information in the existing interaction process between the key management network element and the unified data management network element.
  • the first request and the first response may also be newly added information in the interaction process between the key management network element and the unified data management network element, specifically used to request the permanent user identification of the second terminal device; for example, the first request is a first user identity resolution request and the first response is a first user identity resolution response.
  • the following describes the manner in which the unified data management network element determines the permanent user identification of the second terminal device according to the anonymized identification or temporary identification of the second terminal device.
  • the unified data management network element determines the permanent user identification of the second terminal device according to the anonymized identification of the second terminal device.
  • the unified data management network element locally stores the correspondence between the anonymized identifier of the second terminal device and the permanent user identifier, and the unified data management network element may determine the permanent user identification of the second terminal device from the anonymized identifier of the second terminal device based on the stored correspondence.
  • the unified data management network element may also obtain the permanent user identification of the second terminal device from other network elements by using the anonymized identification of the second terminal device.
  • the other network elements may be subscription identifier de-concealing function network elements or unified data repository network elements.
  • after the unified data management network element obtains the permanent user identification of the second terminal device from other network elements, it may directly store the correspondence between the anonymized identification of the second terminal device and the permanent user identification. The unified data management network element may also first determine the attributes of the second terminal device, and decide whether to store the correspondence between the anonymized identifier of the second terminal device and the permanent user identifier according to those attributes.
  • the unified data management network element may query the subscription information of the second terminal device according to the permanent user identification of the second terminal device to determine whether the second terminal device is a commercial user. If the second terminal device is a commercial user, the unified data management network element may store the correspondence. If the second terminal device is not a commercial user, for example if the second terminal device is a public safety (mission critical) user, the unified data management network element does not store the correspondence.
  • the unified data management network element may actively store the corresponding relationship.
  • the unified data management network element may also store the corresponding relationship under the instruction of the key management network element.
  • the key management network element may send a first instruction to the unified data management network element, where the first instruction is used to instruct the unified data management network element to store the correspondence between the anonymized identifier of the second terminal device and the permanent user identifier.
  • the key management network element may separately send the first instruction to the unified data management network element.
  • the key management network element may send the first instruction to the unified data management network element in advance, or it may send the first request first and then send the first instruction to the unified data management network element.
  • the key management network element may also send the first instruction after receiving the first response.
  • the key management network element may also carry the first indication in a message that needs to be sent to the unified data management network element. For example, the key management network element may carry the first indication in the first request.
  • the unified data management network element determines the permanent user identification of the second terminal device according to the temporary identification of the second terminal device.
  • the unified data management network element locally stores the correspondence between the temporary identification of the second terminal device and the permanent user identification, and the unified data management network element may determine the permanent user identification of the second terminal device from the temporary identification of the second terminal device based on the stored correspondence.
  • the unified data management network element may also store the corresponding relationship between the temporary identification of the second terminal device and the permanent identification of the user in other network elements, such as a unified data storage network element.
  • the unified data management network element may obtain the corresponding relationship from other network elements, and then determine the permanent user identification of the second terminal device according to the temporary identification of the second terminal device.
  • the unified data management network element may also determine the generic public subscription identifier (GPSI) of the second terminal device.
  • GPSI generic public subscription identifier
  • after receiving the first response from the unified data management network element, the key management network element obtains the permanent user identification of the second terminal device, and can perform the authorization check on the second terminal device according to the permanent user identification of the second terminal device.
  • the key management network element may store an identification set.
  • the identifications in the identification set are the user permanent identifications of the terminal devices that can directly communicate with the first terminal device; that is to say, the terminal device indicated by each user permanent identification in the identification set can establish a connection with the communication system through the first terminal device, perform data interaction, and has the right to communicate using the first terminal device.
  • the key management network element can perform an authorization check on the second terminal device based on the identification set and the permanent user identification of the second terminal device, that is, the key management center determines whether the permanent user identification of the second terminal device is Is the ID in the ID set.
  • if the authorization check of the second terminal device passes, the key management network element may directly execute step 207.
  • the first response is the first user identity analysis response
  • alternatively, after the authorization check of the second terminal device passes, the key management network element may send a secure communication parameter acquisition request to the unified data management network element, obtain the secure communication parameters from it, and then execute step 207.
  • the first key response may also include the first identifier, or the generic public subscription identifier of the second terminal device; either one indicates the second terminal device.
  • the secure communication parameters carried in the first key response are secure communication parameters required for establishing secure communication with the second terminal device.
  • the key management network element interacts with the unified data management network element to obtain the permanent user identifier of the second terminal device; it may also use that identifier to interact with a bootstrapping service function network element (such as the BSF network element) to obtain the secure communication parameters.
  • if the authorization check fails, the key management network element may send a second indication to the first terminal device, indicating that the authorization check of the second terminal device failed; the first terminal device can then terminate or refuse communication with the second terminal device and not serve it.
  • the key management network element can also notify the unified data management network element to delete the correspondence between the anonymized identifier of the second terminal device and the permanent user identifier, and the unified data management network element deletes the saved correspondence on that notification.
  • if the authorization check of the second terminal device passes, the first terminal device, after receiving the first key response, can establish secure communication with the second terminal device based on the secure communication parameters carried in the first key response.
  • the first terminal device may send a direct security mode command to the second terminal device.
  • the direct security mode command includes key-related information, which is determined by the secure communication parameters (for example, the secure communication parameters may include the key-related information).
  • the second terminal device generates a security key according to the key-related information; when the second terminal device and the first terminal device exchange data, the security key is used to encrypt and/or integrity-protect the exchanged data.
  • after generating the security key, the second terminal device sends a direct security mode complete message to the first terminal device to notify it that the direct security mode is complete.
  • the first terminal device may send a direct communication response to the second terminal device.
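The direct security mode command / complete exchange above, as an added example that is not part of the patent: the patent only says the second terminal device derives a security key from the key-related information and that the key protects the exchanged data, so the key derivation (HMAC-SHA256), the ciphering and integrity algorithms, the nonces, and the long-term credential `root_key` shared between the remote UE and the network are all assumptions standing in for the real PC5 security mechanisms. What the example adds is the check a practitioner cares about: the relay UE only accepts the security mode complete message if its MAC proves the remote UE derived the same key, and the secured link rejects tampered and replayed frames.

```python
import hashlib
import hmac
import secrets


def _kdf(key: bytes, label: bytes, ctx: bytes = b"") -> bytes:
    """Constructed KDF: HMAC-SHA256(key, label || ctx)."""
    return hmac.new(key, label + ctx, hashlib.sha256).digest()


def network_secure_communication_parameters(root_key: bytes) -> dict:
    """What the PKMF returns in the first key response (step 310), modelled as a fresh
    key-related information value plus the session root derived from it.  root_key stands
    for the remote UE's long-term ProSe credential known to the network (assumption)."""
    kri = secrets.token_bytes(16)
    return {"key_related_info": kri, "k_session": _kdf(root_key, b"session", kri)}


class SecuredLink:
    """Ciphering, integrity and replay protection of PC5 user data (stand-in algorithms)."""

    def __init__(self, k_session: bytes, nonce_relay: bytes, nonce_remote: bytes, role: str):
        self.k_enc = _kdf(k_session, b"enc", nonce_relay + nonce_remote)
        self.k_int = _kdf(k_session, b"int", nonce_relay + nonce_remote)
        self.me = role.encode()
        self.peer = b"remote" if role == "relay" else b"relay"
        self.tx = 0          # own send counter
        self.rx = 0          # highest counter accepted from the peer

    def _stream(self, direction: bytes, counter: int, n: int) -> bytes:
        out = b""
        for i in range((n + 31) // 32):   # direction in the keystream: no shared pad
            out += _kdf(self.k_enc, direction + counter.to_bytes(4, "big"), i.to_bytes(4, "big"))
        return out[:n]

    def protect(self, data: bytes) -> bytes:
        self.tx += 1
        hdr = self.tx.to_bytes(4, "big")
        ct = bytes(a ^ b for a, b in zip(data, self._stream(self.me, self.tx, len(data))))
        return hdr + ct + _kdf(self.k_int, self.me + hdr + ct)[:16]

    def unprotect(self, frame: bytes) -> bytes:
        hdr, ct, tag = frame[:4], frame[4:-16], frame[-16:]
        if not hmac.compare_digest(tag, _kdf(self.k_int, self.peer + hdr + ct)[:16]):
            raise ValueError("integrity check failed")     # checked before anything else
        ctr = int.from_bytes(hdr, "big")
        if ctr <= self.rx:
            raise ValueError("replayed frame")
        self.rx = ctr
        return bytes(a ^ b for a, b in zip(ct, self._stream(self.peer, ctr, len(ct))))


class RelayUE:
    def __init__(self, secure_communication_parameters: dict):
        self.kri = secure_communication_parameters["key_related_info"]
        self.k_session = secure_communication_parameters["k_session"]
        self.link = None

    def direct_security_mode_command(self) -> dict:
        self.nonce = secrets.token_bytes(16)
        return {"key_related_info": self.kri, "nonce_relay": self.nonce}

    def on_direct_security_mode_complete(self, msg: dict) -> bool:
        link = SecuredLink(self.k_session, self.nonce, msg["nonce_remote"], "relay")
        expect = _kdf(link.k_int, b"smc-complete", self.nonce + msg["nonce_remote"])
        if not hmac.compare_digest(msg["mac"], expect):
            return False          # remote UE did not derive the same key: do not serve it
        self.link = link
        return True


class RemoteUE:
    def __init__(self, root_key: bytes):
        self.root_key = root_key
        self.link = None

    def on_direct_security_mode_command(self, cmd: dict) -> dict:
        # "generates a security key according to the key-related information"
        k_session = _kdf(self.root_key, b"session", cmd["key_related_info"])
        nonce = secrets.token_bytes(16)
        self.link = SecuredLink(k_session, cmd["nonce_relay"], nonce, "remote")
        mac = _kdf(self.link.k_int, b"smc-complete", cmd["nonce_relay"] + nonce)
        return {"nonce_remote": nonce, "mac": mac}
```

The nonces bind the session keys to this particular command/complete exchange, so a replayed complete message from an earlier session fails the MAC check; the direction label in the keystream and MAC input keeps the two directions from ever reusing a pad or forging each other's frames.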
  • the first terminal device may allocate an internet protocol (IP) address to the second terminal device, and the IP address is used by the second terminal device to use the first terminal device to perform data communication with the data network.
  • the IP address can be an Internet Protocol version 6 (IPv6) prefix or an IPv4 address.
  • the second terminal device communicates with the data network through the first terminal device as follows: the second terminal device uses the IP address allocated by the first terminal device (an IPv6 prefix or an IPv4 address) to encapsulate its data into a data packet and sends the packet to the first terminal device.
  • if an IPv4 address was allocated, the first terminal device translates the IPv4 source address of the data packet into the IPv4 address of the PDU session (which the network side allocated to the first terminal device); the PDU session is the one used for the relay service.
  • the first terminal device sends the translated data packet through a specific port, so the packet also carries that port number; the specific port is allocated by the first terminal device and used for transmitting the data packets of the second terminal device.
  • otherwise (an IPv6 prefix was allocated) the first terminal device may send the data packet directly into the PDU session.
  • when the first terminal device receives from the data network a data packet that needs to be sent to the second terminal device, it examines the destination IP address or the port number of the packet to determine that it is destined for the second terminal device, and forwards it to the second terminal device; for packets encapsulated with an IPv4 address, the first terminal device identifies the second terminal device by the port number.
  • after allocating the IP address to the second terminal device, the first terminal device can send terminal report information carrying the IP information of the second terminal device to the session management network element, so that the session management network element can perform service control based on the IP information, such as lawful interception and usage statistics.
  • if an IPv6 prefix was allocated, the IP information is that prefix; if an IPv4 address was allocated, the first terminal device identifies packets from the second terminal device by the carried port number, and the IP information is the range of port numbers the first terminal device allocated to the second terminal device.
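The relay-side data path described above (and in steps 313 and 314 below), as an added example that is not the patent's code: for IPv4 the remote UE's private source address and port are rewritten to the PDU session address plus a port taken from the range the relay allocated to that remote UE, and downlink packets are demultiplexed by destination port; for IPv6 the relay delegates a prefix and demultiplexes by prefix match. The IP addresses, the private address pool and the 64-port block size are constructed values, and the `Packet` type is a stand-in for the IP/transport headers.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class RelayUE:
    PORT_BLOCK = 64                    # constructed: size of the port range per remote UE

    def __init__(self, pdu_ipv4: str, pdu_ipv6_pool: str):
        self.pdu_ipv4 = pdu_ipv4                       # IPv4 address of the relay PDU session
        self.v6_pool = ipaddress.ip_network(pdu_ipv6_pool).subnets(new_prefix=64)
        self.next_port = 10000
        self.priv = {}          # remote id -> private IPv4 handed to it (step 313)
        self.port_range = {}    # remote id -> (lo, hi) on the PDU session address
        self.prefix = {}        # remote id -> delegated IPv6 prefix
        self.nat = {}           # (remote id, private src, sport) -> external port
        self.rnat = {}          # external port -> (remote id, private src, sport)

    def allocate_ipv4(self, rid: str) -> str:
        lo = self.next_port
        self.next_port += self.PORT_BLOCK
        self.port_range[rid] = (lo, lo + self.PORT_BLOCK - 1)
        self.priv[rid] = f"192.168.255.{len(self.priv) + 1}"
        return self.priv[rid]

    def allocate_ipv6(self, rid: str) -> str:
        self.prefix[rid] = next(self.v6_pool)
        return str(self.prefix[rid])

    def uplink(self, rid: str, pkt: Packet) -> Packet:
        """Remote -> relay -> PDU session.  IPv6 is forwarded as-is; IPv4 is rewritten."""
        if rid in self.prefix:
            if ipaddress.ip_address(pkt.src) not in self.prefix[rid]:
                raise ValueError("source outside the delegated prefix")
            return pkt
        if pkt.src != self.priv.get(rid):
            raise ValueError("source is not the address allocated to this remote UE")
        key = (rid, pkt.src, pkt.sport)
        ext = self.nat.get(key)
        if ext is None:
            lo, hi = self.port_range[rid]
            used = {p for (r, _, _), p in self.nat.items() if r == rid}
            free = [p for p in range(lo, hi + 1) if p not in used]
            if not free:
                raise RuntimeError(f"port range {lo}-{hi} of {rid} exhausted")
            ext = free[0]
            self.nat[key] = ext
            self.rnat[ext] = key
        return replace(pkt, src=self.pdu_ipv4, sport=ext)

    def downlink(self, pkt: Packet):
        """PDU session -> relay.  Returns (remote id, packet) or None for the relay's own traffic."""
        addr = ipaddress.ip_address(pkt.dst)
        if addr.version == 6:
            for rid, net in self.prefix.items():
                if addr in net:
                    return rid, pkt          # demultiplexed by destination prefix
            return None
        if pkt.dst != self.pdu_ipv4 or pkt.dport not in self.rnat:
            return None
        rid, src, sport = self.rnat[pkt.dport]   # demultiplexed by destination port
        return rid, replace(pkt, dst=src, dport=sport)

    def terminal_report(self, rid: str, second_identifier: str) -> dict:
        """Terminal report information sent to the SMF (step 314)."""
        if rid in self.prefix:
            ip_info = {"ipv6_prefix": str(self.prefix[rid])}
        else:
            lo, hi = self.port_range[rid]
            ip_info = {"ipv4": self.pdu_ipv4, "port_range": [lo, hi]}
        return {"second_identifier": second_identifier, "ip_information": ip_info}
```

The source-address check in `uplink` is the part that makes the port range meaningful for lawful interception and usage accounting: a remote UE that spoofs another remote UE's private address would otherwise be charged to, and intercepted as, the other subscriber. Port exhaustion is raised rather than silently reusing a port, since a reused port would mis-deliver downlink traffic.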
  • the terminal report information may also include a second identifier used to identify the second terminal device, which may be any of the following: the anonymized identifier, the temporary identifier or the generic public subscription identifier of the second terminal device; the first terminal device may obtain it from the key management network element or from the second terminal device.
  • when the session management network element determines that the terminal report information includes the second identifier, it may request the permanent user identifier of the second terminal device from the unified data management network element in order to learn the true identity of the second terminal device.
  • the session management network element sends a second user identity resolution request carrying the second identifier to the unified data management network element; the unified data management network element determines the permanent user identifier of the second terminal device according to the second identifier and returns a second user identity resolution response carrying that identifier, from which the session management network element obtains the permanent user identifier of the second terminal device.
  • the manner in which the unified data management network element determines the permanent user identifier from the second identifier is as described above and is not repeated here.
  • the second identifier may also be the permanent user identifier of the second terminal device itself, in which case the session management network element does not need to obtain it from the unified data management network element; otherwise the session management network element must interact with the unified data management network element to obtain it.
  • alternatively, the access and mobility management network element may interact with the unified data management network element to obtain the permanent user identifier of the second terminal device and then send it to the session management network element.
  • the first terminal device may send an N1 message to the access and mobility management network element, where the N1 message includes the second identifier and an N1 SM message, and the N1 SM message includes the IP information.
  • the access and mobility management network element then initiates an identifier resolution procedure and sends an identifier resolution request carrying the second identifier to the unified data management network element; after receiving it, the unified data management network element determines the permanent user identifier of the second terminal device according to the second identifier and returns an identifier resolution response carrying that identifier, and the access and mobility management network element forwards the permanent user identifier of the second terminal device together with the N1 SM message to the session management network element.
  • the permanent user identifier of the second terminal device and the N1 SM message can be carried in an Nsmf message, from which the session management network element obtains the permanent user identifier of the second terminal device.
  • alternatively, the first terminal device may send a second key request to the key management network element, which may include the international mobile subscriber identity (IMSI) of the second terminal device; the key management network element then performs the authorization check on the second terminal device according to the IMSI, obtains the secure communication parameters from the unified data management network element after the check passes, and sends a second key response carrying the secure communication parameters to the first terminal device.
  • in the following, taking the case where the key management network element is the PKMF network element, the unified data management network element is the UDM network element, the session management network element is the SMF network element, the access and mobility management network element is the AMF network element, the proximity service network element is the ProSe network element, and the first identifier is the SUCI, the method for obtaining the terminal device identifier shown in FIG. 2 is further described.
  • a method for acquiring a terminal device identifier includes:
  • Step 301 The relay UE initiates a registration procedure to the AMF network element through the RAN, so that the relay UE is registered to the 5G system.
  • Step 302 When the remote UE needs to exchange data with the data network, initiate a discovery process to discover the relay UE.
  • the remote UE detects a nearby relay UE through wireless signals and identifies the relay UE.
  • Step 303 After discovering the relay UE, the remote UE may send a direct communication request to the relay UE.
  • the direct communication request is used to request to establish a communication connection with the relay UE.
  • the direct communication request includes the SUCI of the remote UE.
  • Step 304 After receiving the direct communication request, the relay UE may send a first key request to the PKMF network element, and the first key request includes the SUCI.
  • the purpose of the first key request is not limited: it can request the PKMF network element to perform an authorization check on the remote UE, to allocate a security key for the remote UE, or to provide the secure communication parameters required for the remote UE and the relay UE to establish secure communication.
  • the relay UE may send the first key request to the PKMF network element directly or through other network elements.
  • Step 305 The PKMF network element receives the first key request, determines that it carries a SUCI, selects the UDM network element according to the SUCI, and sends a first user identity resolution request carrying the SUCI to the UDM network element, requesting the UDM network element to resolve the SUCI.
  • Step 306 After receiving the first user identity resolution request, the UDM network element obtains the SUCI in the first user identity resolution request. The UDM network element determines the SUPI of the remote UE according to the SUCI of the remote UE.
  • the UDM network element may determine the SUPI of the remote UE from its SUCI in several ways: the UDM network element itself may have the deconcealment function and decrypt the SUCI directly, or it may invoke another network element (such as the SIDF network element) and obtain the SUPI of the remote UE from it.
  • the UDM network element may also store the correspondence between the SUCI and SUPI of the remote UE; the embodiment of the application does not limit where it is stored. The UDM network element can save it locally or in another network element (such as the UDR network element), from which the saved correspondence is later obtained.
  • the UDM network element can save the correspondence on its own initiative, for example directly after determining the SUPI of the remote UE from its SUCI, or it can first decide according to the attributes of the remote UE whether to store it: the UDM network element queries the subscription information of the remote UE by its SUPI and stores the correspondence after determining that the remote UE is a business user.
  • the UDM network element can also store the correspondence between the SUCI and SUPI of the remote UE under instruction of the PKMF network element: the PKMF network element sends a first indication to the UDM network element instructing it to store the correspondence, and the UDM network element saves it on receiving the first indication.
  • the first indication may be sent separately or carried in a message the PKMF network element sends to the UDM network element (such as the first user identity resolution request).
  • Step 307 After determining the SUPI of the remote UE, the UDM network element feeds back the first user identity resolution response to the PKMF network element, and the first user identity resolution response carries the SUPI of the remote UE.
  • the UDM network element may determine the GPSI of the remote UE according to the SUPI of the remote UE, and carry the GPSI of the remote UE in the first user identity analysis response.
  • Step 308 After receiving the first user identity resolution response, the PKMF network element obtains the SUPI of the remote UE from it. The PKMF network element performs the authorization check on the remote UE based on the SUPI of the remote UE, determining whether the remote UE has the right to connect to the network through the selected relay UE and exchange data with the DN.
  • the PKMF network element can store a SUPI set in advance, containing one or more SUPIs; the terminal device corresponding to each SUPI in the set is allowed to connect to the network through the relay UE.
  • the PKMF network element determines whether the SUPI of the remote UE belongs to the SUPI set: if so, the authorization check of the remote UE passes and the remote UE can exchange data with the 5G system through the relay UE; otherwise the authorization check fails.
  • the first user identity resolution response may also carry the GPSI of the remote UE.
  • Step 309 After the PKMF network element passes the authorization check of the remote UE, the PKMF network element obtains secure communication parameters from the UDM network element, and the secure communication parameters are parameters required for the relay UE to establish secure communication with the remote UE.
  • the secure communication parameter may include key-related information used to generate the secure key.
  • the PKMF network element may also obtain the secure communication parameters through other network elements such as BSF network elements.
  • if the authorization check fails, the PKMF network element can send an authorization failure indication to the relay UE so that the relay UE terminates or refuses to serve the remote UE, and can also notify the UDM network element to delete the saved correspondence between the SUCI and SUPI of the remote UE; after receiving the notification, the UDM network element deletes the correspondence if it was saved and otherwise ignores the notification.
  • Step 310 After obtaining the secure communication parameter, the PKMF network element may send a first key response to the relay UE, and the first key response includes the secure communication parameter.
  • the first key response may also carry the SUCI of the remote UE, which the relay UE later provides to a core network element such as the SMF network element or the AMF network element.
  • alternatively, the first key response may omit the secure communication parameters, in which case the PKMF network element need not perform step 309: after the authorization check of the remote UE passes, it directly sends the first key response to indicate that the check passed. Otherwise the first key response carries the secure communication parameters, including the key-related information.
  • if the first user identity resolution response carried the GPSI of the remote UE, the first key response may carry the GPSI of the remote UE instead of the SUCI.
  • Step 311 After receiving the first key response, the relay UE establishes secure communication with the remote UE based on the secure communication parameter.
  • Step 312 The relay UE sends a direct communication response to the remote UE, where the direct communication response is used to respond to the direct communication request.
  • Step 313 The relay UE allocates an IP address required for communication to the remote UE.
  • the IP address may be an IPv6 prefix or an IPv4 address.
  • Step 314 The relay UE needs to send terminal report information to the SMF network element, and the terminal report message includes the SUCI and IP information of the remote UE. If the IP address in step 313 is an IPv6 prefix, the IP information is the IPv6 prefix allocated by the relay UE to the remote UE. If the IP address in step 313 is an IPv4 address, the IP information is the range of port numbers allocated by the relay UE to the remote UE.
  • the SUCI of the remote UE carried in the terminal report message by the relay UE may be obtained from the first key response, or may be obtained from the direct communication request.
  • Step 315 The SMF network element receives the information reported by the terminal, and after determining that the information reported by the terminal carries the SUCI, sends a second user identity resolution request carrying the SUCI to the UDM network element for requesting the UDM network element to analyze the SUCI.
  • Step 316 After receiving the second user identity resolution request, the UDM network element obtains the SUCI in the second user identity resolution request. The UDM network element determines the SUPI of the remote UE according to the SUCI of the remote UE.
  • the way the UDM network element determines the SUPI of the remote UE from its SUCI is the same as in step 306.
  • if the UDM network element saved the correspondence between the SUCI and SUPI of the remote UE in step 306, it can determine the SUPI of the remote UE directly from that correspondence; after doing so, the UDM network element may delete the correspondence.
  • Step 317 After determining the SUPI of the remote UE, the UDM network element feeds back a second user identity resolution response to the SMF network element, and the second user identity resolution response carries the SUPI of the remote UE.
  • Step 318 After receiving the second user identity resolution response, the SMF network element obtains the SUPI of the remote UE from the second user identity resolution response. Further, the SMF network element can perform service control based on the SUPI and the received IP information, such as lawful interception, usage statistics, etc. There is no limitation here.
  • the SUCI of the remote UE in steps 314 to 316 can be replaced with the GPSI of the remote UE.
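The identity-resolution and authorization exchange of steps 304 to 318, as an added example that is not part of the patent, covering the three UDM lookups the text describes: deconcealing a SUCI, looking up a temporary identifier the ProSe network element registered in advance (the variant of steps 601 to 617 below), and returning a stored SUCI/SUPI correspondence to the SMF, which is then consumed. The SUCI string layout follows the public 3GPP NAI form (`suci-<type>-<MCC>-<MNC>-<routing indicator>-<scheme>-<HN key id>-<scheme output>`); the concealment cipher is a constructed HMAC-based stand-in for the ECIES profiles, chosen so the block runs on the standard library alone, and scheme id `9`, the home-network key, the SUPI set and the `key_related_info` value are all constructed. The point the example makes is why the correspondence is stored at all: every SUCI of the same subscriber is different (fresh randomness per concealment), so the SMF can only get from the SUCI it receives in the terminal report to the SUPI by either deconcealing again or consulting the mapping the PKMF had the UDM store.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NULL_SCHEME = "0"      # 3GPP null protection scheme: scheme output is the plaintext MSIN
STANDIN_SCHEME = "9"   # constructed id for the stand-in cipher below (not a 3GPP value)


def _keys(hn_key: bytes, salt: bytes):
    enc = hmac.new(hn_key, b"enc" + salt, hashlib.sha256).digest()
    mac = hmac.new(hn_key, b"mac" + salt, hashlib.sha256).digest()
    return enc, mac


def conceal_msin(msin: str, hn_key: bytes) -> str:
    """Remote UE side: MSIN -> scheme output (hex) = salt || ciphertext || tag.
    Stand-in for ECIES: a fresh salt makes every SUCI of the same SUPI differ."""
    salt = secrets.token_bytes(16)
    enc, mac = _keys(hn_key, salt)
    ct = bytes(a ^ b for a, b in zip(msin.encode(), hashlib.sha256(enc).digest()))
    tag = hmac.new(mac, salt + ct, hashlib.sha256).digest()[:8]
    return (salt + ct + tag).hex()


def deconceal(scheme_output: str, hn_key: bytes) -> str:
    """SIDF side: verify the tag before decrypting; a tampered SUCI is rejected."""
    raw = bytes.fromhex(scheme_output)
    salt, ct, tag = raw[:16], raw[16:-8], raw[-8:]
    enc, mac = _keys(hn_key, salt)
    expect = hmac.new(mac, salt + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("SUCI integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, hashlib.sha256(enc).digest())).decode()


def build_suci(mcc: str, mnc: str, msin: str, hn_key: bytes = None, key_id: str = "0") -> str:
    """suci-<type>-<MCC>-<MNC>-<routing ind>-<scheme>-<HN key id>-<scheme output>."""
    if hn_key is None:
        return f"suci-0-{mcc}-{mnc}-0000-{NULL_SCHEME}-0-{msin}"
    return f"suci-0-{mcc}-{mnc}-0000-{STANDIN_SCHEME}-{key_id}-{conceal_msin(msin, hn_key)}"


@dataclass
class UDM:
    hn_keys: dict                                        # HN key id -> key (SIDF role)
    temp_ids: dict                                       # temporary identifier -> SUPI (from ProSe NE)
    correspondence: dict = field(default_factory=dict)   # first identifier -> SUPI

    def _sidf(self, suci: str) -> str:
        parts = suci.split("-")
        if len(parts) != 8 or parts[0] != "suci" or parts[1] != "0":
            raise ValueError("unsupported SUCI")
        _, _, mcc, mnc, _ri, scheme, key_id, out = parts
        if scheme == NULL_SCHEME:
            msin = out
        elif scheme == STANDIN_SCHEME:
            msin = deconceal(out, self.hn_keys[key_id])
        else:
            raise ValueError(f"unknown protection scheme {scheme}")
        return f"imsi-{mcc}{mnc}{msin}"

    def resolve(self, ident: str, store: bool = False, consume: bool = False) -> str:
        """Identity resolution request (steps 306, 316, 609): SUCI or temporary id -> SUPI."""
        if ident in self.correspondence:
            supi = self.correspondence.pop(ident) if consume else self.correspondence[ident]
        elif ident.startswith("suci-"):
            supi = self._sidf(ident)
        else:
            supi = self.temp_ids[ident]          # KeyError: unknown temporary identifier
        if store:
            self.correspondence[ident] = supi
        return supi


@dataclass
class PKMF:
    udm: UDM
    allowed_supis: set                           # the SUPI set of step 308

    def handle_first_key_request(self, first_id: str) -> dict:
        supi = self.udm.resolve(first_id, store=True)        # store = the "first indication"
        if supi not in self.allowed_supis:
            self.udm.correspondence.pop(first_id, None)      # failure branch: drop the mapping
            return {"result": "authorization_failed", "first_id": first_id}
        params = {"key_related_info": secrets.token_hex(16)} # constructed; from UDM/BSF in the patent
        return {"result": "ok", "first_id": first_id, "secure_communication_parameters": params}


@dataclass
class SMF:
    udm: UDM
    sessions: dict = field(default_factory=dict)   # SUPI -> IP information for service control

    def handle_terminal_report(self, second_id: str, ip_info) -> str:
        """Steps 315-318 / 515: a SUPI needs no UDM round trip; anything else is resolved
        and the stored correspondence is consumed (deletion after step 316)."""
        supi = second_id if second_id.startswith("imsi-") else self.udm.resolve(second_id, consume=True)
        self.sessions[supi] = ip_info
        return supi
```

Two details worth noting for an implementer: the tag is checked before any decryption so a manipulated SUCI cannot be used to probe the home-network key, and the PKMF removes the mapping on a failed authorization check so a rejected remote UE leaves no resolvable identifier behind for a later terminal report.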
  • in the above flow the PKMF network element first requests the SUPI of the remote UE from the UDM network element and then requests the secure communication parameters from the UDM network element or another network element; to further reduce the signaling between the PKMF network element and the UDM network element, the PKMF network element can request the SUPI of the remote UE in the same request as the secure communication parameters.
  • a method for acquiring a terminal device identifier provided in this embodiment of the application includes:
  • Step 401 to step 404 same as step 301 to step 304, please refer to the foregoing content for details, and will not be repeated here.
  • Step 405 The PKMF network element receives the first key request, determines that the first key request carries the SUCI, selects the UDM network element according to the SUCI, and sends a secure communication parameter acquisition request carrying the SUCI to the UDM network element.
  • the secure communication parameter acquisition request is used to request the secure communication parameters and, since it carries the SUCI, also requests the UDM network element to resolve the SUCI.
  • Step 406 After receiving the secure communication parameter acquisition request, the UDM network element determines the secure communication parameters, obtains the SUCI from the request, and determines the SUPI of the remote UE according to the SUCI of the remote UE.
  • the UDM network element determines the SUPI of the remote UE according to the SUCI of the remote UE and saves the corresponding relationship between the SUCI and SUPI of the remote UE, refer to the relevant description in step 306, which will not be repeated here.
  • Step 407 After determining the SUPI of the remote UE, the UDM network element feeds back a safety communication parameter acquisition response to the PKMF network element, and the safety communication parameter acquisition response carries the SUPI and safety communication parameters of the remote UE.
  • the UDM network element may determine the GPSI of the remote UE according to the SUPI of the remote UE, and carry the GPSI of the remote UE in the secure communication parameter acquisition response.
  • Step 408 After receiving the safety communication parameter acquisition response, the PKMF network element acquires the SUPI of the remote UE from the safety communication parameter acquisition response. The PKMF network element performs authorization checks on the remote UE based on the SUPI of the remote UE, and determines whether the remote UE has the right to connect to the network through the selected relay UE and exchange data with the DN.
  • Step 409 After obtaining the secure communication parameter, the PKMF network element may send a first key response to the relay UE, and the first key response includes the secure communication parameter.
  • Step 410 After the authorization check of the remote UE passes, the relay UE establishes secure communication with the remote UE based on the secure communication parameters.
  • Step 411 to step 417 are the same as step 312 to step 318.
  • besides carrying the SUCI of the remote UE in the first key response sent to the relay UE, the PKMF network element can also directly inform the relay UE of the SUPI of the remote UE. For details, see the following example.
  • a method for acquiring a terminal device identifier includes:
  • Step 501 to step 509 the same as step 301 to step 309.
  • Step 510 After obtaining the secure communication parameter, the PKMF network element may send a first key response to the relay UE, and the first key response includes the secure communication parameter.
  • the first key response may also carry the SUPI of the remote UE.
  • Step 511 to step 513 are the same as step 311 to step 313; see the foregoing description, which is not repeated here.
  • Step 514 The relay UE sends terminal report information to the SMF network element, and the terminal report message includes the SUPI and IP information of the remote UE. If the IP address in step 513 is an IPv6 prefix, the IP information is the IPv6 prefix allocated by the relay UE to the remote UE. If the IP address in step 513 is an IPv4 address, the IP information is the port number range allocated by the relay UE to the remote UE, which corresponds to that IPv4 address.
  • the SUPI of the remote UE carried in the terminal report message is obtained by the relay UE from the first key response (the direct communication request carries only the SUCI).
  • Step 515 The SMF network element obtains the SUPI of the remote UE from the message reported by the terminal. Further, the SMF network element can perform service control based on the SUPI and the received IP information, such as lawful interception, usage statistics, etc. There is no limitation here.
  • the PKMF network element can also directly send a security parameter acquisition request carrying the SUCI to the UDM network element; the UDM network element determines the SUPI of the remote UE according to the SUCI and determines the secure communication parameters, then sends a security parameter acquisition response carrying the SUPI of the remote UE and the secure communication parameters to the PKMF network element.
  • in this embodiment the SMF network element does not need to interact with the UDM network element to determine the SUPI of the remote UE, which further reduces signaling.
  • the first identifier is a temporary identifier of the remote UE.
  • a method for acquiring a terminal device identifier includes:
  • Step 601 The ProSe network element allocates a temporary identity to the remote UE.
  • Step 602 The ProSe network element sends the temporary identifier allocated for the remote UE to the UDM network element.
  • after receiving the temporary identifier of the remote UE, the UDM network element can locally store the correspondence between the temporary identifier of the remote UE and its SUPI.
  • Step 603 The ProSe network element sends the temporary identifier of the remote UE to the remote UE.
  • Step 604 The relay UE initiates a registration procedure to the AMF network element through the RAN, so that the relay UE is registered to the 5G system.
  • Step 605 When the remote UE needs to exchange data with the data network, initiate a discovery process to discover the relay UE.
  • Step 606 After discovering the relay UE, the remote UE may send a direct communication request to the relay UE.
  • the direct communication request is used to request the establishment of a communication connection with the relay UE.
  • the direct communication request includes the temporary identifier of the remote UE.
  • Step 607 After receiving the direct communication request, the relay UE may send the first key request to the PKMF network element.
  • the first key request includes a temporary identifier.
  • the relay UE may directly send the first key request to the PKMF network element, or may send the first key request to the PKMF network element through other network elements.
  • Step 608 The PKMF network element receives the first key request, determines that it carries a temporary identifier, selects the UDM network element according to the temporary identifier, and sends a first user identity resolution request carrying the temporary identifier to the UDM network element, requesting the UDM network element to resolve the temporary identifier.
  • Step 609 After receiving the first user identity resolution request, the UDM network element obtains the temporary identifier in the first user identity resolution request. The UDM network element determines the SUPI of the remote UE according to the temporary identity of the remote UE.
  • the UDM network element determines the SUPI of the remote UE according to the saved correspondence between the temporary identifier of the remote UE and the SUPI.
  • Step 610 After determining the SUPI of the remote UE, the UDM network element feeds back the first user identity resolution response to the PKMF network element, and the first user identity resolution response carries the SUPI of the remote UE.
  • Step 611 to step 612 the same as step 308 to step 309.
  • Step 613 After obtaining the secure communication parameter, the PKMF network element may send a first key response to the relay UE, and the first key response includes the secure communication parameter.
  • the first key response may also carry the temporary identity of the remote UE.
  • the temporary identifier of the remote UE carried in the first key response is used by the relay UE to provide this information to a core network element, such as the SMF network element or the AMF network element.
  • Step 614 to step 616 the same as step 311 to step 313.
  • Step 617 The relay UE needs to send a terminal report message to the SMF network element, and the terminal report message includes the temporary identifier of the remote UE and IP information. If the IP address in step 613 is an IPv6 prefix, the IP information is the IPv6 prefix allocated by the relay UE to the remote UE. If the IP address in step 613 is an IPv4 address, the IP information is the range of port numbers allocated by the relay UE to the remote UE.
  • the temporary identifier of the remote UE carried in the terminal report message by the relay UE may be obtained from the first key response, or may be obtained from the direct communication request.
  • Step 618 The SMF network element receives the terminal report message, determines that the terminal report message carries the temporary identifier, and then sends a second user identity resolution request carrying the temporary identifier to the UDM network element to request the UDM network element to resolve the temporary identifier.
  • Step 619 After receiving the second user identity resolution request, the UDM network element obtains the temporary identifier in the second user identity resolution request. The UDM network element determines the SUPI of the remote UE according to the temporary identity of the remote UE.
  • the manner in which the UDM network element determines the SUPI of the remote UE according to the temporary identifier of the remote UE is similar to the manner in which the UDM network element determines the SUPI of the remote UE according to the temporary identifier of the remote UE in step 606.
  • Step 620 After determining the SUPI of the remote UE, the UDM network element feeds back a second user identity resolution response to the SMF network element, and the second user identity resolution response carries the SUPI of the remote UE.
  • Step 621 After receiving the second user identity resolution response, the SMF network element obtains the SUPI of the remote UE from the second user identity resolution response. Further, the SMF network element can perform service control based on the SUPI and the received IP information, such as lawful interception, usage statistics, etc. There is no limitation here.
  • the PKMF network element can also directly send a security parameter acquisition request carrying the temporary identifier of the remote UE to the UDM network element, and the UDM network element determines the SUPI of the remote UE according to the temporary identifier and determines the secure communication parameters. After that, the UDM network element sends a security parameter acquisition response to the PKMF network element, and the security parameter acquisition response includes the SUPI of the remote UE and the secure communication parameters.
  • the SMF network element needs to interact with the UDM network element to obtain the SUPI of the remote UE.
  • the AMF network element can also interact with the UDM network element to obtain the SUPI of the remote UE, and the remote UE can send an N1 message to the AMF network element.
  • the N1 message includes the temporary identifier of the remote UE and an N1 SM message.
  • the N1 SM message includes IP information.
  • the AMF network element can initiate an identity resolution procedure and send an identity resolution request carrying the temporary identifier of the remote UE to the UDM network element; after receiving the identity resolution request, the UDM network element can determine the SUPI of the remote UE according to the temporary identifier of the remote UE. After that, the UDM network element sends an identity resolution response carrying the SUPI of the remote UE to the AMF network element, and the AMF network element sends an Nsmf message to the SMF network element. The Nsmf message includes the SUPI of the remote UE and the N1 SM message, so the SMF network element can obtain the SUPI of the remote UE from the Nsmf message.
  • besides the first key response sent to the relay UE carrying the temporary identifier of the remote UE, the PKMF network element can also directly inform the relay UE of the SUPI of the remote UE.
  • a method for acquiring a terminal device identifier includes:
  • Step 701 to step 712 the same as step 601 to step 612.
  • Step 713 to step 718 the same as step 510 to step 515, for details, please refer to the foregoing content, which will not be repeated here.
  • the PKMF network element can also directly send a security parameter acquisition request carrying the temporary identifier of the remote UE to the UDM network element, and the UDM network element determines the SUPI of the remote UE according to the temporary identifier and determines the secure communication parameters.
  • the UDM network element sends a security parameter acquisition response to the PKMF network element, and the security parameter acquisition response includes the SUPI of the remote UE and the secure communication parameters.
  • the PKMF network element can request the UDM network element to obtain the SUPI of the remote UE while requesting the secure communication parameters, which can reduce signaling interaction.
  • the relay UE may also first obtain the secure communication parameters, establish secure communication with the remote UE, and then request the UDM network element to resolve the SUCI through the SMF network element or the AMF network element.
  • the case in which the relay UE requests the UDM network element to resolve the SUCI through the AMF network element is taken as an example for description.
  • the method includes:
  • Step 801 to step 803 the same as step 301 to step 303, for details, please refer to the foregoing content, which will not be repeated here.
  • Step 804 After receiving the direct communication request, the relay UE may obtain the secure communication parameters from the PKMF network element.
  • the direct communication request includes a key identifier
  • the key identifier is an identifier of a security key used to encrypt and/or integrity protect the exchanged data when the remote UE interacts with the relay UE.
  • the relay UE can obtain the corresponding secure communication parameters from the PKMF network element through the key identifier.
  • Step 805 The relay UE establishes secure communication with the remote UE based on the secure communication parameter.
  • Step 806 The relay UE sends a direct communication response to the remote UE, where the direct communication response is used to respond to the direct communication request.
  • Step 807 The relay UE allocates an IP address required for communication to the remote UE.
  • the IP address may be an IPv6 prefix or an IPv4 address.
  • Step 808 The relay UE needs to send an N1 message to the AMF network element.
  • the N1 message includes the SUCI of the remote UE and an N1 SM message, and the N1 SM message includes IP information.
  • if the IP address is an IPv6 prefix, the IP information is the IPv6 prefix allocated by the relay UE to the remote UE. If the IP address in step 808 is an IPv4 address, the IP information is the port number range allocated by the relay UE to the remote UE.
  • Step 809 The AMF network element receives the information reported by the terminal, and after determining that the information reported by the terminal carries the SUCI, sends an identity resolution request carrying the SUCI to the UDM network element to request the UDM network element to analyze the SUCI.
  • Step 810 After receiving the identity resolution request, the UDM network element obtains the SUCI in the identity resolution request. The UDM network element determines the SUPI of the remote UE according to the SUCI of the remote UE.
  • the way that the UDM network element determines the SUPI of the remote UE according to the SUCI of the remote UE is similar to the way that the UDM network element determines the SUPI of the remote UE according to the SUCI of the remote UE in step 306.
  • Step 811 After determining the SUPI of the remote UE, the UDM network element feeds back an identity resolution response to the AMF network element, and the identity resolution response carries the SUPI of the remote UE.
  • Step 812 After receiving the identity resolution response, the AMF network element obtains the SUPI of the remote UE from the identity resolution response.
  • the AMF network element sends an Nsmf message to the SMF network element, and the Nsmf message includes the SUPI and N1SM messages of the remote UE.
  • Step 813 The SMF network element can perform service control, such as lawful interception, usage statistics, etc., based on the SUPI and the received IP information. There is no limitation here.
  • the relay UE can also request UDM to analyze the SUCI through SMF. Specifically, the relay UE can send a terminal report message to the SMF through AMF. After the SMF receives the terminal report message, the SMF can request the UDM for analysis.
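  • The two procedures above (the temporary-identifier procedure of steps 601 to 621 and the SUCI procedure of steps 801 to 813) as one runnable model. This is an added example, not code from the patent or from Huawei: the network elements are plain Python classes, the messages are dicts, the SUPI and SUCI strings, the subscriber table and the `authorized_for_relay` flag are constructed assumptions, and SUCI de-concealment is modelled as a lookup table standing in for the ECIES-based de-concealment that a real home network performs. The point it makes visible is that the relay UE and the PC5 link only ever carry the temporary identifier or the SUCI, and that every network element that needs the SUPI obtains it from the UDM; a failed authorization check at the PKMF also has the UDM drop the temporary-identifier correspondence, as the device description further down requires.

```python
# Added example, not the patent's own code: a toy model of the flows above. The
# SUPI/SUCI values, the subscriber table and the authorization flag are constructed.
import secrets

# Constructed subscriber data: the UDM knows a remote UE by its SUPI only.
SUBSCRIBERS = {
    "imsi-460001234567890": {"authorized_for_relay": True, "gpsi": "msisdn-8613800000001"},
    "imsi-460009876543210": {"authorized_for_relay": False, "gpsi": "msisdn-8613800000002"},
}

class Udm:
    """Unified data management: keeps the temp-id <-> SUPI correspondence (steps 602, 609, 619)."""
    def __init__(self, sidf_table):
        self.temp_to_supi = {}
        self.sidf_table = sidf_table  # lookup standing in for ECIES-based SUCI de-concealment

    def store_temp_id(self, temp_id, supi):
        self.temp_to_supi[temp_id] = supi

    def delete_temp_id(self, temp_id):
        self.temp_to_supi.pop(temp_id, None)

    def resolve(self, identifier):  # temporary identifier or SUCI -> SUPI, None if unresolvable
        if identifier.startswith("tmp-"):
            return self.temp_to_supi.get(identifier)
        if identifier.startswith("suci-"):
            return self.sidf_table.get(identifier)
        return None

class ProSe:
    """ProSe network element: allocates the temporary identifier and registers it (steps 601-603)."""
    def __init__(self, udm):
        self.udm = udm

    def allocate(self, supi):
        temp_id = "tmp-" + secrets.token_hex(8)  # random, so it reveals nothing about the SUPI
        self.udm.store_temp_id(temp_id, supi)
        return temp_id  # the only identifier the remote UE sends to the relay over PC5

class Pkmf:
    """Key management: resolves the first identifier via the UDM, then authorizes (steps 607-613)."""
    def __init__(self, udm):
        self.udm = udm

    def handle_key_request(self, request):
        first_id = request.get("first_identifier")
        if first_id is None:  # step 608: first check that the request carries the identifier
            return {"status": "rejected", "reason": "no first identifier"}
        supi = self.udm.resolve(first_id)
        if supi is None:
            return {"status": "rejected", "reason": "identifier not resolvable"}
        if not SUBSCRIBERS[supi]["authorized_for_relay"]:
            self.udm.delete_temp_id(first_id)  # failed check: have the UDM drop the correspondence
            return {"status": "rejected", "reason": "remote UE not authorized"}
        params = {"kd": secrets.token_bytes(32).hex()}  # constructed secure communication parameter
        return {"status": "ok", "secure_communication_parameter": params,
                "first_identifier": first_id, "gpsi": SUBSCRIBERS[supi]["gpsi"]}

class Smf:
    """Session management: binds the resolved SUPI to the reported IP information (steps 617-621)."""
    def __init__(self, udm):
        self.udm = udm
        self.sessions = {}  # SUPI -> IP information, the basis for service control

    def handle_terminal_report(self, report):
        supi = self.udm.resolve(report["second_identifier"])
        if supi is not None:
            self.sessions[supi] = report["ip_info"]
        return supi

    def handle_nsmf(self, supi, n1sm):
        self.sessions[supi] = n1sm["ip_info"]  # SUPI was already resolved by the AMF
        return supi

class Amf:
    """Mobility management: resolves the SUCI in the N1 message and forwards Nsmf (steps 808-812)."""
    def __init__(self, udm, smf):
        self.udm, self.smf = udm, smf

    def handle_n1(self, n1):
        supi = self.udm.resolve(n1["suci"])
        return None if supi is None else self.smf.handle_nsmf(supi, n1["n1sm"])

def run_temp_id_flow(supi, ip_info):
    """Steps 601-621 end to end: (key response status, SUPI seen by the SMF, mapping still stored)."""
    udm = Udm(sidf_table={})
    prose, pkmf, smf = ProSe(udm), Pkmf(udm), Smf(udm)
    temp_id = prose.allocate(supi)
    key_resp = pkmf.handle_key_request({"first_identifier": temp_id})  # relay forwards the PC5 temp id
    if key_resp["status"] != "ok":
        return key_resp["status"], None, temp_id in udm.temp_to_supi
    report = {"second_identifier": key_resp["first_identifier"], "ip_info": ip_info}  # step 617
    return key_resp["status"], smf.handle_terminal_report(report), temp_id in udm.temp_to_supi

def run_suci_flow(suci, supi, ip_info):
    """Steps 808-813: the AMF resolves the SUCI and hands SUPI plus IP information to the SMF."""
    udm = Udm(sidf_table={suci: supi})  # constructed SUCI -> SUPI entry
    smf = Smf(udm)
    resolved = Amf(udm, smf).handle_n1({"suci": suci, "n1sm": {"ip_info": ip_info}})
    return resolved, smf.sessions.get(resolved)
```

  • Calling `run_temp_id_flow` with the authorized SUPI returns `("ok", <that SUPI>, True)`: the PKMF resolved the temporary identifier, the SMF resolved the same identifier from the terminal report, and the UDM still holds the correspondence. With the unauthorized SUPI it returns `("rejected", None, False)` because the PKMF had the UDM delete the mapping, so a later terminal report carrying that identifier can no longer be resolved. `run_suci_flow` shows the alternative path in which the SMF never touches the UDM and simply receives the SUPI in the Nsmf message.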
  • the embodiment of the application also provides a communication device for executing the method performed by the key management network element or PKMF network element in the above method embodiment.
  • the device includes a receiving unit 901, a processing unit 902, and a sending unit 903;
  • the receiving unit 901 is configured to receive a first key request from a first terminal device, where the first key request includes a first identifier, and the first identifier is an anonymization identifier or a temporary identifier of the second terminal device;
  • the processing unit 902 is configured to determine that the first key request includes the first identifier
  • the sending unit 903 is configured to send a first request to the unified data management network element after the processing unit 902 determines that the key request includes the first identifier, where the first request includes the first identifier;
  • the receiving unit 901 is further configured to receive a first response from the unified data management network element, where the first response includes the user permanent identity SUPI of the second terminal device;
  • the processing unit 902 is further configured to perform authorization check on the second terminal device according to the SUPI of the second terminal device;
  • the sending unit 903 is further configured to send a first key response to the first terminal device after the processing unit 902 passes the authorization check of the second terminal device.
  • the first key response includes the secure communication parameter, and the secure communication parameter is a parameter required by the first terminal device and the second terminal device to establish secure communication.
  • the first response and the first key response further include the GPSI or the first identifier of the second terminal device.
  • the first request is a secure communication parameter acquisition request
  • the first response is a secure communication parameter acquisition response
  • the sending unit 903 may notify the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device after the processing unit 902 fails the authorization check of the second terminal device according to the second identifier.
  • the sending unit 903 may also send a first instruction to the unified data management network element, where the first instruction is used to instruct to store the corresponding relationship between the first identifier and the SUPI of the second terminal device.
  • the embodiment of the application also provides a communication device for executing the method performed by the unified data management network element or UDM network element in the above method embodiment.
  • the device includes a receiving unit 1001, a processing unit 1002, and a sending unit 1003;
  • the receiving unit 1001 is configured to receive a first request from a key management network element, the first request includes a first identifier, and the first identifier is an anonymization identifier or a temporary identifier of the second terminal device;
  • the processing unit 1002 is configured to determine that the first request includes the first identifier; after determining that the first request includes the first identifier, obtain the SUPI of the second terminal device according to the first identifier;
  • the sending unit 1003 is configured to send a first response to the key management network element, where the first response includes the SUPI of the second terminal device.
  • the processing unit 1002 may obtain the SUPI of the second terminal device from the network element that de-conceals the subscriber identifier, according to the anonymized identifier of the second terminal device.
  • when the processing unit 1002 determines the SUPI of the second terminal device according to the temporary identifier of the second terminal device, it may determine the SUPI of the second terminal device according to the temporary identifier of the second terminal device based on the saved correspondence between the SUPI of the terminal device and the temporary identifier.
  • the processing unit 1002 may also assign a temporary identifier to the second terminal device, and save the correspondence between the SUPI and the temporary identifier of the second terminal device; after that, the sending unit 1003 may send the temporary identifier to the second terminal device through the neighboring serving network element.
  • the processing unit 1002 may also obtain a temporary identifier allocated by the neighboring serving network element to the second terminal device from the neighboring serving network element, and save the correspondence between the SUPI and the temporary identifier of the second terminal device.
  • the processing unit 1002 may store the correspondence between the first identifier and the SUPI of the second terminal device.
  • the receiving unit 1001 may receive a first indication from the key management network element, where the first indication is used to indicate that the correspondence between the first identifier and the SUPI of the second terminal device is to be stored.
  • the processing unit 1002 may also determine, according to the attributes of the second terminal device, that it is necessary to store the correspondence between the first identifier and the SUPI of the second terminal device.
  • the processing unit 1002 may delete the correspondence between the first identifier and the SUPI of the second terminal device under the notification of the key management network element.
  • the processing unit 1002 may determine the GPSI of the second terminal device according to the SUPI of the second terminal device, and then carry the GPSI of the second terminal device in the first response.
  • the receiving unit 1001 may also receive a user identity resolution request from the session management network element, the user identity resolution request includes a second identifier, and the second identifier is one of the following: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; afterwards, the processing unit 1002 determines the SUPI of the second terminal device according to the second identifier; afterwards, the sending unit 1003 sends a user identity resolution response to the session management network element, and the user identity resolution response includes the SUPI of the second terminal device.
  • the receiving unit 1001 may also receive an identity resolution request from a mobile access management network element, the identity resolution request includes a second identifier, and the second identifier is one of the following: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; after that, the processing unit 1002 can determine the SUPI of the second terminal device according to the second identifier; after that, the sending unit 1003 sends an identity resolution response to the mobile access management network element, and the identity resolution response includes the SUPI of the second terminal device.
  • the first request is a secure communication parameter acquisition request
  • the first response is a secure communication parameter acquisition response
  • the first response may include the first identifier.
  • the embodiment of the application also provides a communication device for executing the method performed by the session management network element or the SMF network element in the above method embodiment.
  • the device includes a receiving unit 1101, a processing unit 1102, and a sending unit 1103;
  • the receiving unit 1101 is configured to receive a terminal report message from a first terminal device, the terminal report message includes a second identifier and IP information allocated by the first terminal device to the second terminal device, and the second identifier is one of the following: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device.
  • the processing unit 1102 is configured to determine that the message reported by the terminal includes the second identifier.
  • the sending unit 1103 is configured to send a user identity resolution request to the unified data management network element after the processing unit 1102 determines that the message reported by the terminal includes the second identifier, and the user identity resolution request includes the second identifier.
  • the receiving unit 1101 is further configured to receive a user identity analysis response from the unified data management network element, and the user identity analysis response includes the SUPI of the second terminal device.
  • the processing unit 1102 also performs service control on the second terminal device according to the SUPI and IP information of the second terminal device.
  • the embodiment of the application also provides a communication device for executing the method executed by the mobile access management network element or the AMF network element in the above method embodiment.
  • the device includes a receiving unit 1201, a processing unit 1202, and a sending unit 1203;
  • the receiving unit 1201 is configured to receive a terminal report message from a first terminal device, the terminal report message includes a second identifier and IP information allocated by the first terminal device to the second terminal device, and the second identifier is one of the following: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device.
  • the processing unit 1202 is configured to determine that the message reported by the terminal includes the second identifier.
  • the sending unit 1203 is configured to send an identity resolution request to the unified data management network element after the processing unit 1202 determines that the message reported by the terminal includes the second identity.
  • the identity resolution request includes the user permanent identity SUPI of the second terminal device.
  • the receiving unit 1201 is further configured to receive an identity resolution response from the unified data management network element, where the identity resolution response includes the SUPI of the second terminal device.
  • the sending unit 1203 is further configured to send the SUPI and IP information of the second terminal device to the session management network element.
  • the embodiment of the application also provides a communication device for executing the method performed by the first terminal device or the relay UE in the above method embodiment.
  • the device includes a receiving unit 1301, a processing unit 1302, and a sending unit 1303;
  • the processing unit 1302 is configured to determine that it is necessary to establish direct communication with the second terminal device.
  • the sending unit 1303 is configured to send a first key request to the key management network element after the processing unit 1302 determines that it needs to establish direct communication with the second terminal device.
  • the first key request includes a first identifier, and the first identifier is an anonymized identifier or a temporary identifier of the second terminal device;
  • the receiving unit 1301 is configured to receive a first key response from the key management network element, where the first key response includes secure communication parameters;
  • the processing unit 1302 is further configured to establish secure communication with the second terminal device based on the secure communication parameters.
  • the first key response further includes the GPSI or the first identifier of the second terminal device.
  • the division of units in the embodiments of this application is illustrative, and is only a logical function division. In actual implementation, there may be other division methods.
  • the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist alone physically, or two or more units can be integrated into one module.
  • the above-mentioned integrated unit can be realized in the form of hardware or software function module.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • the technical solution of the present application, essentially or the part that contributes to the existing technology, or all or part of the technical solution, can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including several instructions to enable a terminal device (which may be a personal computer, a mobile phone, or a network device, etc.) or a processor to execute all or part of the steps of the method in each embodiment of the present application.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disks or optical disks and other media that can store program codes.
  • the key management network element, the unified data management network element, the session management network element, the mobile access management network element, and the first terminal device can all be divided into the functional modules in an integrated manner.
  • the “module” here can refer to a specific ASIC, circuit, processor and memory that executes one or more software or firmware programs, integrated logic circuit, and/or other devices that can provide the above-mentioned functions.
  • the communication device 1400 shown in FIG. 14 includes at least one processor 1401, a memory 1402, and optionally, a communication interface 1403.
  • the memory 1402 may be a volatile memory, such as a random access memory; the memory may also be a non-volatile memory, such as a read-only memory, flash memory, hard disk drive (HDD) or solid-state drive (solid-state drive, SSD) or the memory 1402 is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 1402 may be a combination of the above-mentioned memories.
  • the specific connection medium between the foregoing processor 1401 and the memory 1402 is not limited in the embodiment of the present application.
  • the memory 1402 and the processor 1401 are connected through a bus 1404 in the figure, and the bus 1404 is represented by a thick line in the figure.
  • the bus 1404 can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 14, but it does not mean that there is only one bus or one type of bus.
  • the processor 1401 may have data transceiving functions and be able to communicate with other devices.
  • an independent data transceiving module, such as a communication interface 1403, can also be set to send and receive data; when the processor 1401 communicates with other devices, data transmission can be performed through the communication interface 1403.
  • the processor 1401 in FIG. 14 can call the computer execution instructions stored in the memory 1402, so that the key management network element can execute any of the above methods.
  • the functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 9 can all be implemented by the processor 1401 in FIG. 14 calling a computer execution instruction stored in the memory 1402.
  • the function/implementation process of the processing unit in FIG. 9 may be implemented by the processor 1401 in FIG. 14 calling a computer execution instruction stored in the memory 1402
  • the function/implementation process of the sending unit and the receiving unit in FIG. 9 may be implemented by the communication interface 1403 in FIG. 14.
  • the processor 1401 in FIG. 14 can call the computer execution instructions stored in the memory 1402, so that the unified data management network element can execute any of the above methods.
  • the functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 10 can all be implemented by the processor 1401 in FIG. 14 calling a computer execution instruction stored in the memory 1402.
  • the function/implementation process of the processing unit in FIG. 10 may be implemented by the processor 1401 in FIG. 14 calling a computer execution instruction stored in the memory 1402
  • the function/implementation process of the sending unit and the receiving unit in FIG. 10 may be implemented by the communication interface 1403 in FIG. 14.
  • the processor 1401 in FIG. 14 can invoke the computer execution instructions stored in the memory 1402, so that the session management network element can execute the method performed by the session management network element or SMF network element in any of the foregoing method embodiments.
  • the functions/implementation processes of the receiving unit, the sending unit, and the processing unit in FIG. 11 can all be implemented by the processor 1401 in FIG. 14 calling a computer execution instruction stored in the memory 1402.
  • the function/implementation process of the processing unit in FIG. 11 may be implemented by the processor 1401 in FIG. 14 calling a computer execution instruction stored in the memory 1402
  • the function/implementation process of the receiving unit and the sending unit in FIG. 11 may be implemented by the communication interface 1403 in FIG. 14.
  • the processor 1401 in FIG. 14 can invoke the computer execution instructions stored in the memory 1402, so that the mobile access management network element can execute any of the foregoing methods.
  • the functions/implementation processes of the receiving unit, the sending unit, and the processing unit in FIG. 12 may all be implemented by the processor 1401 in FIG. 14 invoking a computer execution instruction stored in the memory 1402.
  • the function/implementation process of the processing unit in FIG. 12 may be implemented by the processor 1401 in FIG. 14 calling computer execution instructions stored in the memory 1402
  • the function/implementation process of the receiving unit and the sending unit in FIG. 12 may be implemented by the communication interface 1403 in FIG. 14.
  • the key management network element, the unified data management network element, the session management network element, and the mobile access management network element can all take the form shown in FIG. 15.
  • the communication device 1500 shown in FIG. 15 includes at least one processor 1501, a memory 1502, and optionally, a transceiver 1503.
  • the processor 1501 and the memory 1502 are similar to the processor 1401 and the memory 1402. For details, please refer to the foregoing content, which will not be repeated here.
  • the specific connection medium between the foregoing processor 1501 and the memory 1502 is not limited in the embodiment of the present application.
  • the memory 1502 and the processor 1501 are connected by a bus 1504 in the figure, and the bus 1504 is indicated by a thick line in the figure.
  • the bus 1504 can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 15 to represent it, but it does not mean that there is only one bus or one type of bus.
  • the processor 1501 may have a function of data transceiving and can communicate with other devices.
  • an independent data transceiving module, such as a transceiver 1503, can be set to send and receive data; when the processor 1501 communicates with other devices, the transceiver 1503 can be used for data transmission.
  • the processor 1501 in FIG. 15 can call the computer execution instructions stored in the memory 1502, so that the first terminal device can execute the method performed by the first terminal device or the relay UE in any of the above method embodiments.
  • the functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 13 can all be implemented by the processor 1501 in FIG. 15 calling a computer execution instruction stored in the memory 1502.
  • the function/implementation process of the processing unit in FIG. 13 may be implemented by the processor 1501 in FIG. 15 calling a computer execution instruction stored in the memory 1502
  • the function/implementation process of the sending unit and the receiving unit in FIG. 13 may be implemented by The transceiver 1503 in FIG. 15 is implemented.
  • this application may be provided as a method, a system or a computer program product. Therefore this application may take the form of a hardware-only embodiment, a software-only embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
  • these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

Abstract

A method, apparatus and system for obtaining a terminal device identifier, used to solve the problem that the way the subscription permanent identifier is transmitted exposes user privacy. In the method, a key management network element receives from a first terminal device a first key request carrying a first identifier, the first identifier being an anonymized identifier or a temporary identifier of a second terminal device; the key management network element sends to a unified data management network element a first request carrying the first identifier; the unified data management network element determines the SUPI of the second terminal device from the first identifier and sends to the key management network element a first response carrying the SUPI; after the key management network element performs an authorization check on the second terminal device based on that SUPI and the check passes, it sends a first key response to the first terminal device, the first key response including security communication parameters. Because the key management network element obtains the SUPI from the unified data management network element, the security of the subscription permanent identifier of the second terminal device is effectively guaranteed.

Description

Method, apparatus and system for obtaining a terminal device identifier
Technical field
This application relates to the field of communication technologies, and in particular to a method, apparatus and system for obtaining a terminal device identifier.
Background
At present, device-to-device (D2D) communication allows user equipment (UE) to communicate with each other directly.
When a remote UE is outside the coverage of the communication network, or its communication quality with an access network device of the communication network is poor, it can, based on D2D communication, establish indirect communication with the communication network through a relay UE: the remote UE communicates with the relay UE, and the relay UE interacts with the communication network, so that the remote UE can obtain data from the communication network.
When the remote UE establishes indirect communication with the communication network through the relay UE, the relay UE first needs to obtain the identifier of the remote UE and report it to the communication network, so that the communication network can perform authentication and authorization checks based on the identifier of the remote UE, or perform service control based on that identifier, such as lawful interception. In 4th generation mobile network (4G) systems, the remote UE can provide its subscription permanent identifier to the relay UE over the air interface in cleartext, and the relay UE then sends the received subscription permanent identifier of the remote UE to the communication network. Sending the subscription permanent identifier directly over the air interface in cleartext in this way exposes user privacy.
Summary
This application provides a method, apparatus and system for obtaining a terminal device identifier, to solve the problem that the way the subscription permanent identifier is transmitted exposes user privacy.
In a first aspect, an embodiment of this application provides a method for obtaining a terminal device identifier, performed by a key management network element. The method includes: the key management network element receives a first key request from a first terminal device, the first key request including a first identifier, the first identifier being an anonymized identifier or a temporary identifier of a second terminal device; the key management network element parses the first key request and, if it determines that the key request includes the first identifier, needs to determine the subscription permanent identifier of the second terminal device, so it may send a first request including the first identifier to a unified data management network element; the key management network element may then receive a first response from the unified data management network element, the first response including the SUPI of the second terminal device; the key management network element may then perform an authorization check on the second terminal device based on the SUPI of the second terminal device and, after the authorization check on the second terminal device passes, send a first key response to the first terminal device, the first key response including security communication parameters, which are the parameters the first terminal device needs to establish secure communication with the second terminal device.
With the above method, the key management network element obtains the subscription permanent identifier of the second terminal device from the unified data management network element; it only needs to obtain the anonymized identifier or temporary identifier of the second terminal device from the first terminal device, and no longer needs to obtain the subscription permanent identifier of the second terminal device from the first terminal device. This effectively protects the subscription permanent identifier of the second terminal device and thus avoids exposing user privacy.
In a possible design, the first response and the first key response further include the GPSI of the second terminal device, or may include the first identifier. By carrying the first identifier or the GPSI, the first response and the first key response can further indicate the second terminal device while avoiding the privacy exposure that carrying the subscription permanent identifier would cause.
In a possible design, the first request and the first response may be messages of an existing interaction procedure between the key management network element and the unified data management network element, for example the first request is a security communication parameter acquisition request and the first response is a security communication parameter acquisition response; the first request and the first response may also be messages newly added to the existing interaction procedure between the key management network element and the unified data management network element. The first request and the first response can thus be set up more flexibly, which effectively broadens the range of application.
In a possible design, after the authorization check on the second terminal device based on the second identifier fails, the key management network element may notify the first terminal device to refuse or terminate serving the second terminal device, and may also notify the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device. The key management network element can thus promptly and conveniently notify the first terminal device or the unified data management network element to perform the corresponding operation.
In a possible design, the key management network element may further send a first indication to the unified data management network element, the first indication instructing it to store the correspondence between the first identifier and the SUPI of the second terminal device. By sending the first indication, the key management network element tells the unified data management network element to store the correspondence between the first identifier and the SUPI of the second terminal device, so that other network elements can later obtain the SUPI of the second terminal device from the unified data management network element using the first identifier.
In a second aspect, an embodiment of this application provides a method for obtaining a terminal device identifier, performed by a unified data management network element. In the method, the unified data management network element may receive a first request from a key management network element, the first request including a first identifier, the first identifier being an anonymized identifier or a temporary identifier of a second terminal device; after determining that the first request includes the first identifier, the unified data management network element may obtain the SUPI of the second terminal device from the first identifier; the unified data management network element then sends a first response to the key management network element, the first response including the SUPI of the second terminal device.
With the above method, the key management network element conveniently obtains the SUPI of the second terminal device by interacting with the unified data management network element.
In a possible design, when determining the SUPI of the second terminal device from the anonymized identifier of the second terminal device, the unified data management network element may obtain the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymized identifier of the second terminal device. This gives the unified data management network element a more convenient way to obtain the SUPI of the second terminal device.
In a possible design, when determining the SUPI of the second terminal device from the temporary identifier of the second terminal device, the unified data management network element may determine the SUPI of the second terminal device from its temporary identifier based on a stored correspondence between SUPIs and temporary identifiers of terminal devices. Because the unified data management network element stores the correspondence between SUPIs and temporary identifiers of terminal devices, it can provide the SUPI of the second terminal device to the key management network element more conveniently.
In a possible design, before determining the SUPI of the second terminal device from its temporary identifier, the unified data management network element first needs to determine the temporary identifier allocated to the second terminal device. Two ways are described below:
Way one: the unified data management network element may allocate a temporary identifier to the second terminal device, then send the temporary identifier to the second terminal device through a proximity service network element, and may also store the correspondence between the SUPI and the temporary identifier of the second terminal device.
Way two: the unified data management network element may also obtain from a proximity service network element the temporary identifier that the proximity service network element allocated to the second terminal device, and store the correspondence between the SUPI and the temporary identifier of the second terminal device.
With the above method, the unified data management network element can determine the temporary identifier allocated to the second terminal device in several different ways, suited to different scenarios.
In a possible design, after obtaining the SUPI of the second terminal device from the first identifier, the unified data management network element may store the correspondence between the first identifier and the SUPI of the second terminal device, so that other network elements can later obtain the SUPI of the second terminal device from the unified data management network element using the first identifier.
In a possible design, the unified data management network element may store the correspondence between the first identifier and the SUPI of the second terminal device on its own initiative; it may also store the correspondence under instruction from the key management network element, for example, the unified data management network element receives a first indication from the key management network element, the first indication instructing it to store the correspondence between the first identifier and the SUPI of the second terminal device, after which the unified data management network element stores that correspondence. The unified data management network element may also first judge whether the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored, and store it only after determining that it needs to be stored; for example, the unified data management network element determines whether the correspondence needs to be stored based on an attribute of the second terminal device. There are therefore several ways for the unified data management network element to decide to store the correspondence between the first identifier and the SUPI of the second terminal device, which can be applied to different scenarios and effectively broadens the range of application.
In a possible design, after storing the correspondence between the first identifier and the SUPI of the second terminal device, the unified data management network element may also delete it when notified by the key management network element, in order to save storage space.
In a possible design, the first response may carry the first identifier, or may carry another identifier of the second terminal device; for example, the unified data management network element may further determine the GPSI of the second terminal device from its SUPI and carry the GPSI of the second terminal device in the first response. Besides the SUPI of the second terminal device, the first response may carry other identifiers of the second terminal device, providing the key management network element with more information about the second terminal device.
In a possible design, the unified data management network element may also provide the SUPI of the second terminal device to other network elements. The other network element may be a session management network element or a mobile access management network element, described separately below:
(1) The unified data management network element may receive a user identity resolution request from the session management network element, the user identity resolution request including a second identifier, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device. The unified data management network element then determines the SUPI of the second terminal device from the second identifier, and then sends a user identity resolution response to the session management network element, the user identity resolution response including the SUPI of the second terminal device.
(2) The unified data management network element may also receive an identifier resolution request from the mobile access management network element, the identifier resolution request including a second identifier, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; the unified data management network element then determines the SUPI of the second terminal device from the second identifier, and may then send an identifier resolution response to the mobile access management network element, the identifier resolution response including the SUPI of the second terminal device.
In a possible design, the first request and the first response may be messages of an existing interaction procedure between the key management network element and the unified data management network element, for example the first request is a security communication parameter acquisition request and the first response is a security communication parameter acquisition response; the first request and the first response may also be messages newly added to the existing interaction procedure between the key management network element and the unified data management network element. The first request and the first response can thus be set up more flexibly, which effectively broadens the range of application.
In a possible design, the first response further includes the first identifier.
In a third aspect, an embodiment of this application provides a method for obtaining a terminal device identifier. In the method, a session management network element may receive a terminal report message from a first terminal device, the terminal report message including a second identifier and IP information that the first terminal device allocated to a second terminal device, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; the session management network element determines that the terminal report message includes the second identifier and that it needs to obtain the SUPI of the second terminal device, so it may send a user identity resolution request including the second identifier to a unified data management network element; the session management network element then receives a user identity resolution response from the unified data management network element, the user identity resolution response including the SUPI of the second terminal device, and after obtaining that SUPI the session management network element may perform service control on the second terminal device based on the SUPI of the second terminal device and the IP information.
With the above method, the session management network element can obtain the subscription permanent identifier of the second terminal device from the unified data management network element; it only needs to obtain the anonymized identifier or temporary identifier of the second terminal device from the first terminal device and no longer needs to obtain the subscription permanent identifier of the second terminal device from the first terminal device, which effectively protects the subscription permanent identifier of the second terminal device and thus avoids exposing user privacy.
In a fourth aspect, an embodiment of this application provides a method for obtaining a terminal device identifier, performed by a mobile access management network element. The mobile access management network element receives a terminal report message from a first terminal device, the terminal report message including a second identifier and IP information that the first terminal device allocated to a second terminal device, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the generic public subscription identifier (GPSI) of the second terminal device; the mobile access management network element then determines that the terminal report message includes the second identifier and that it needs to obtain the SUPI of the second terminal device, and may send an identifier resolution request to a unified data management network element, the identifier resolution request including the subscription permanent identifier SUPI of the second terminal device; the mobile access management network element receives an identifier resolution response from the unified data management network element, the identifier resolution response including the SUPI of the second terminal device; the mobile access management network element may then send the SUPI and the IP information of the second terminal device to a session management network element.
With the above method, the mobile access management network element can obtain the subscription permanent identifier of the second terminal device from the unified data management network element and then send it to the session management network element; the first terminal device no longer needs to provide the subscription permanent identifier of the second terminal device, which effectively protects it and thus avoids exposing user privacy.
In a fifth aspect, an embodiment of this application provides a method for obtaining a terminal device identifier, performed by a first terminal device. In the method, after determining that it needs to establish direct communication with a second terminal device, the first terminal device may send a first key request to a key management network element, the first key request including a first identifier, the first identifier being an anonymized identifier or a temporary identifier of the second terminal device; the first terminal device may then receive a first key response from the key management network element, the first key response including security communication parameters, after which the first terminal device establishes secure communication with the second terminal device based on the security communication parameters.
With the above method, the first terminal device can obtain from the key management network element, by means of the first identifier, the security communication parameters for establishing secure communication with the second terminal device; the first terminal device no longer needs to provide the subscription permanent identifier of the second terminal device, which effectively protects it and thus avoids exposing user privacy.
In a possible design, the first key response further includes the GPSI of the second terminal device or the first identifier, to indicate the second terminal device.
In a sixth aspect, an embodiment of this application further provides a communication apparatus applied to a key management network element; for its beneficial effects see the description of the first aspect, not repeated here. The apparatus has the function of implementing the behaviour in the method examples of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the apparatus includes a receiving unit, a processing unit and a sending unit, which can perform the corresponding functions in the method examples of the first aspect; see the detailed description in the method examples, not repeated here.
In a seventh aspect, an embodiment of this application further provides a communication apparatus applied to a unified data management network element; for its beneficial effects see the description of the second aspect, not repeated here. The apparatus has the function of implementing the behaviour in the method examples of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the apparatus includes a receiving unit, a processing unit and a sending unit, which can perform the corresponding functions in the method examples of the second aspect; see the detailed description in the method examples, not repeated here.
In an eighth aspect, an embodiment of this application further provides a communication apparatus applied to a session management network element; for its beneficial effects see the description of the third aspect, not repeated here. The apparatus has the function of implementing the behaviour in the method examples of the third aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the apparatus includes a receiving unit, a processing unit and a sending unit, which can perform the corresponding functions in the method examples of the third aspect; see the detailed description in the method examples, not repeated here.
In a ninth aspect, an embodiment of this application further provides a communication apparatus applied to a mobile access management network element; for its beneficial effects see the description of the fourth aspect, not repeated here. The apparatus has the function of implementing the behaviour in the method examples of the fourth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the apparatus includes a receiving unit, a processing unit and a sending unit, which can perform the corresponding functions in the method examples of the fourth aspect; see the detailed description in the method examples, not repeated here.
In a tenth aspect, an embodiment of this application further provides a communication apparatus applied to a first terminal device; for its beneficial effects see the description of the fifth aspect, not repeated here. The apparatus has the function of implementing the behaviour in the method examples of the fifth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the apparatus includes a receiving unit, a processing unit and a sending unit, which can perform the corresponding functions in the method examples of the fifth aspect; see the detailed description in the method examples, not repeated here.
In an eleventh aspect, an embodiment of this application further provides a communication apparatus applied to a key management network element; for its beneficial effects see the description of the first aspect, not repeated here. The structure of the communication apparatus includes a processor and a memory, the processor being configured to support the key management network element in performing the corresponding functions in the method of the first aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
In a twelfth aspect, an embodiment of this application further provides a communication apparatus applied to a unified data management network element; for its beneficial effects see the description of the second aspect, not repeated here. The structure of the communication apparatus includes a processor and a memory, the processor being configured to support the unified data management network element in performing the corresponding functions in the method of the second aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
In a thirteenth aspect, an embodiment of this application further provides a communication apparatus applied to a session management network element; for its beneficial effects see the description of the third aspect, not repeated here. The structure of the communication apparatus includes a processor and a memory, the processor being configured to support the session management network element in performing the corresponding functions in the method of the third aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
In a fourteenth aspect, an embodiment of this application further provides a communication apparatus applied to a mobile access management network element; for its beneficial effects see the description of the fourth aspect, not repeated here. The structure of the communication apparatus includes a processor and a memory, the processor being configured to support the mobile access management network element in performing the corresponding functions in the method of the fourth aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
In a fifteenth aspect, an embodiment of this application further provides a communication apparatus applied to a first terminal device; for its beneficial effects see the description of the first aspect, not repeated here. The structure of the communication apparatus includes a processor and a memory, the processor being configured to support the first terminal device in performing the corresponding functions in the method of the first aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a transceiver for communicating with other devices.
In a sixteenth aspect, an embodiment of this application further provides a communication system; for its beneficial effects see the descriptions of the above aspects, not repeated here. The communication system includes a key management network element and a unified data management network element;
the key management network element is configured to receive a first key request from a first terminal device, the first key request including a first identifier; and, after determining that the first key request includes the first identifier, to send a first request to the unified data management network element, the first request including the first identifier, where the first identifier is an anonymized identifier or a temporary identifier of a second terminal device.
The unified data management network element is configured to receive the first request; after determining that the first request includes the first identifier, to determine the subscription permanent identifier SUPI of the second terminal device from the first identifier; and to send a first response to the key management network element, the first response including the SUPI of the second terminal device.
The key management network element is further configured to receive the first response; to perform an authorization check on the second terminal device based on the SUPI of the second terminal device; and, after the authorization check on the second terminal device passes, to send a first key response to the first terminal device, the first key response including security communication parameters, which are used by the first terminal device to establish secure communication with the second terminal device.
In a possible design, the first response and the first key response further include the GPSI of the second terminal device, and the unified data management network element is further configured to determine the GPSI of the second terminal device from its SUPI.
In a possible design, the first response and the first key response further include the first identifier, and the unified data management network element may store the correspondence between the first identifier and the SUPI of the second terminal device.
In a possible design, the key management network element sends a first indication to the unified data management network element, the first indication instructing it to store the correspondence between the first identifier and the SUPI of the second terminal device; the unified data management network element is further configured to receive the first indication and then store the correspondence between the first identifier and the SUPI of the second terminal device.
In a possible design, after the authorization check on the second terminal device fails, the key management network element notifies the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device.
The unified data management network element is further configured to delete the correspondence between the first identifier and the SUPI of the second terminal device when notified by the key management network element.
In a possible design, when determining the SUPI of the second terminal device from its anonymized identifier, the unified data management network element obtains the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymized identifier of the second terminal device.
In a possible design, when determining the SUPI of the second terminal device from its temporary identifier, the unified data management network element determines the SUPI from the temporary identifier of the second terminal device based on the stored correspondence between SUPIs and temporary identifiers of terminal devices.
In a possible design, before determining the SUPI of the second terminal device from its temporary identifier, the unified data management network element may allocate a temporary identifier to the second terminal device, send it to the second terminal device through a proximity service network element, and store the correspondence between the SUPI and the temporary identifier of the second terminal device. It may alternatively obtain from the proximity service network element the temporary identifier that the proximity service network element allocated to the second terminal device, and store the correspondence between the SUPI and the temporary identifier of the second terminal device.
In a possible design, the system further includes a session management network element.
The session management network element is configured to receive terminal device report information from the first terminal device, the terminal device report information including a second identifier and IP information that the first terminal device allocated to the second terminal device, the second identifier being one of: an anonymized identifier, a temporary identifier or a GPSI; and, after determining that the terminal report message includes the second identifier, to send a user identity resolution request to the unified data management network element, the user identity resolution request including the second identifier;
the unified data management network element is further configured to receive the user identity resolution request, determine the SUPI of the second terminal device from the second identifier, and send a user resolution response to the session management network element, the user resolution response including the SUPI of the second terminal device;
the session management network element is further configured to receive the user resolution response and perform service control on the second terminal device based on the SUPI of the second terminal device and the IP information.
In a possible design, the system further includes a mobile access management network element.
The mobile access management network element is configured to receive a terminal report message from the first terminal device, the terminal report message including a second identifier and IP information that the first terminal device allocated to the second terminal device, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; and to send an identifier resolution request to the unified data management network element, the identifier resolution request including the second identifier;
the unified data management network element is further configured to receive the identifier resolution request, determine the SUPI of the second terminal device from the second identifier, and send an identifier resolution response to the mobile access management network element, the identifier resolution response including the SUPI of the second terminal device;
the mobile access management network element is further configured to receive the identifier resolution response and send the SUPI and the IP information of the second terminal device to the session management network element.
In a possible design, the system further includes the first terminal device;
the first terminal device is configured to send the first key request to the key management network element and receive the first key response from the key management network element; and, after establishing secure communication with the second terminal device based on the security communication parameters, to send the terminal report message to the session management network element through the mobile access management network element.
In a possible design, the system further includes a proximity service network element, configured to allocate a temporary identifier to the second terminal device and send the temporary identifier to the unified data management network element.
In a seventeenth aspect, this application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the methods of the above aspects.
In an eighteenth aspect, this application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the methods of the above aspects.
In a nineteenth aspect, this application further provides a computer chip connected to a memory, the chip being configured to read and execute a software program stored in the memory so as to perform the methods of the above aspects.
Brief description of the drawings
FIG. 1 is an architecture diagram of a system provided by an embodiment of this application;
FIG. 2 is a schematic diagram of a method for obtaining a terminal device identifier provided by an embodiment of this application;
FIG. 3 is a schematic diagram of a first method for obtaining a terminal device identifier provided by an embodiment of this application;
FIG. 4 is a schematic diagram of a second method for obtaining a terminal device identifier provided by an embodiment of this application;
FIG. 5 is a schematic diagram of a third method for obtaining a terminal device identifier provided by an embodiment of this application;
FIG. 6 is a schematic diagram of a fourth method for obtaining a terminal device identifier provided by an embodiment of this application;
FIG. 7 is a schematic diagram of a fifth method for obtaining a terminal device identifier provided by an embodiment of this application;
FIG. 8 is a schematic diagram of a sixth method for obtaining a terminal device identifier provided by an embodiment of this application;
FIGS. 9 to 15 are schematic structural diagrams of communication apparatuses provided by embodiments of this application.
Detailed description
Referring to FIG. 1, it shows a specific network architecture to which this application applies. The network architecture is that of a 5G system. The network elements in the 5G architecture include terminal devices (user equipment, UE). The network architecture further includes a radio access network (RAN), an access and mobility management function (AMF) network element, a session management function (SMF) network element, a user plane function (UPF) network element, a unified data management (UDM) network element, an application function (AF) network element, a data network (DN), and so on.
A terminal device is a device with wireless transceiving capability; it may be deployed on land (indoors or outdoors, handheld or vehicle-mounted), on water (for example on ships), or in the air (for example on aircraft, balloons and satellites). The terminal device may be a mobile phone, a tablet (pad), a computer with wireless transceiving capability, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on. In the embodiments of this application terminal devices fall into two kinds: remote UEs (such as the second terminal device) and relay UEs (such as the first terminal device); a remote UE is a UE that needs a relay UE to communicate with the data network, and a relay UE is a UE that can communicate with the data network directly.
In the embodiments of this application, the remote UE may send its anonymized identifier or an already allocated temporary identifier to the relay UE, and the relay UE may send that anonymized identifier or temporary identifier to the PKMF network element.
The main function of the RAN is to control users' access to the mobile communication network over the radio interface. The RAN is part of the mobile communication system; it implements a radio access technology. Conceptually, it resides between a device (such as a mobile phone, a computer, or any remotely controlled machine) and the core network, and provides the connection to the core network.
The AMF network element is responsible for access management and mobility management of terminals; in practice it includes the mobility management function of the MME in the LTE network architecture, with access management added.
The SMF network element is responsible for session management, such as establishing user sessions.
The UPF network element is the user-plane function network element, mainly responsible for connecting to external networks; it includes the related functions of the LTE serving gateway (SGW) and public data network gateway (PDN-GW).
The DN is the network that provides services to the terminal; for example, some DNs provide internet access to the terminal, others provide SMS functions, and so on.
The UDM network element can store users' subscription information, similar to the HSS in 4G. In the embodiments of this application, the UDM can determine the subscription permanent identifier (SUPI) of a terminal device from the remote UE's anonymized identifier or temporary identifier.
The AF network element may be a third-party application control platform or the operator's own equipment, and can provide services to multiple application servers.
Although not shown, the core network elements further include a proximity-based services key management function (PKMF) network element, a subscription identifier de-concealing function (SIDF) network element, a proximity-based services (ProSe) network element, a unified data repository (UDR) network element, and a bootstrapping server function (BSF) network element.
The PKMF network element is used to manage keys for UEs in ProSe communication. The PKMF may be deployed independently or co-located with other network elements, for example with the ProSe network element.
In the embodiments of this application, the SIDF network element can decrypt a SUCI to obtain the SUPI. The SIDF may be deployed independently or co-located with other network elements, for example with the UDM network element.
The ProSe network element supports the network-side actions required by ProSe. It has the following functions: function one, direct configuration, which provides the UE with necessary parameters such as a temporary identifier; function two, direct discovery name management, which opens ProSe direct discovery and allocates ProSe application codes. In the embodiments of this application the ProSe network element can allocate a temporary identifier to the UE, notify the UE of the allocated temporary identifier, and send the temporary identifier allocated to the UE to the UDM network element.
The UDR network element is mainly used to store subscription data, policy data, structured data for exposure, and application data related to users.
In the embodiments of this application, the BSF network element can provide the PKMF network element with the security communication parameters that the relay UE and the remote UE need to establish secure communication.
In the embodiments of this application, the key management network element may receive from the first terminal device a first key request carrying a first identifier, the first identifier being an anonymized identifier or a temporary identifier of the second terminal device; after determining that the first key request carries the first identifier, the key management network element may request the subscription permanent identifier of the second terminal device from the unified data management network element based on the first identifier, and may then perform an authorization check on the second terminal device based on that subscription permanent identifier and, once the authorization check passes, send the first terminal device the security communication parameters for establishing secure communication. In the embodiments of this application the first terminal device no longer needs to provide the subscription permanent identifier of the second terminal device to the key management network element; the key management network element can obtain it from the unified data management network element for the authorization check, which protects the subscription permanent identifier of the second terminal device.
The method for obtaining a terminal device identifier provided by the embodiments of this application is described below with reference to the drawings. Referring to FIG. 2, the method includes:
Step 201: the key management network element receives a first key request from the first terminal device, the first key request including a first identifier, the first identifier being an anonymized identifier or a temporary identifier of the second terminal device.
Step 202: the key management network element determines that the first key request includes the first identifier.
After receiving the first key request, the key management network element parses it; having determined that it includes the first identifier, it may perform step 203 in order to obtain the subscription permanent identifier of the second terminal device.
Step 203: the key management network element sends a first request to the unified data management network element, the first request including the first identifier.
Step 204: the unified data management network element receives the first request from the key management network element and obtains the subscription permanent identifier of the second terminal device from the first identifier.
Step 205: the unified data management network element sends a first response to the key management network element, the first response including the subscription permanent identifier of the second terminal device.
Step 206: the key management network element performs an authorization check on the second terminal device based on the subscription permanent identifier of the second terminal device.
Step 207: after the authorization check on the second terminal device passes, the key management network element may send a first key response to the first terminal device, the first key response including security communication parameters.
When the second terminal device needs to communicate with the data network, it may send a direct communication request to the first terminal device, which may carry the anonymized identifier or temporary identifier of the second terminal device.
The anonymized identifier or temporary identifier is an identifier allocated to the second terminal device in advance. The anonymized identifier may be an identifier that conceals the permanent identifier of the terminal device, such that only specific network elements can recover the terminal device information hidden in it; for example, the anonymized identifier may be a subscription concealed identifier (SUCI), a privacy-protecting identifier that contains the subscription permanent identifier (SUPI).
In the embodiments of this application, the temporary identifier may be an identifier with a short validity period that a proximity service network element (such as a ProSe network element) or the unified data management network element allocates to the second terminal device.
For example, the proximity service network element may send the temporary identifier to the second terminal device during the registration procedure of the second terminal device. Specifically, the temporary identifier may be allocated to the second terminal device when the proximity service network element receives its registration request, and the proximity service network element carries the temporary identifier in the registration response message sent to the second terminal device. After allocating the temporary identifier, the proximity service network element may send the temporary identifier of the second terminal device to the unified data management network element, which, on receiving it, may locally store the correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device.
As another example, the unified data management network element may itself allocate the temporary identifier to the second terminal device during its registration procedure. After doing so, it may locally store the correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device, and may also send the temporary identifier to the proximity service network element, which in turn sends it to the second terminal device.
It should be noted that the proximity service network element or the unified data management network element may periodically update the temporary identifier of the second terminal device and, after updating it, send the updated temporary identifier to the second terminal device. If the proximity service network element updated the temporary identifier, it may send the updated temporary identifier to the unified data management network element so that the latter can update its locally stored copy.
After receiving the direct communication request, in order to determine whether the second terminal device is entitled to communicate through the first terminal device, the first terminal device may perform step 201 and send a first key request to the key management network element, requesting that the key management network element perform an authorization check on the second terminal device.
The key management network element parses the first key request; if it determines that the identifier carried in the first key request is the anonymized identifier or temporary identifier of the second terminal device, it cannot perform the authorization check on the second terminal device based on that identifier alone. It may therefore perform step 203, sending a first request carrying the first identifier to request the subscription permanent identifier of the second terminal device from the unified data management network element.
After receiving the first request, the unified data management network element may determine the subscription permanent identifier of the second terminal device from its anonymized identifier or temporary identifier, and return to the key management network element a first response including that subscription permanent identifier.
The first request and the first response may be messages of an existing interaction procedure between the key management network element and the unified data management network element.
For example, the first request may be a security communication parameter acquisition request, used to request from the unified data management network element the security communication parameters needed for the first terminal device and the second terminal device to establish secure communication. The key management network element may carry the anonymized identifier or temporary identifier of the second terminal device in the security communication parameter acquisition request, which then also serves to request the subscription permanent identifier of the second terminal device from the unified data management network element.
Correspondingly, the first response is a security communication parameter acquisition response, which carries the security communication parameters needed for the first terminal device and the second terminal device to establish secure communication as well as the subscription permanent identifier of the second terminal device.
It should be noted that the above description only takes the security communication parameter acquisition request and response as an example of the first request and first response; the embodiments of this application do not limit their types, and the first request and first response may also be other messages of the existing interaction procedure between the key management network element and the unified data management network element.
The first request and the first response may also be messages newly added to the interaction procedure between the key management network element and the unified data management network element, dedicated to requesting the subscription permanent identifier of the second terminal device; for example, the first request is a first user identity resolution request and the first response is a first user identity resolution response.
The ways in which the unified data management network element determines the subscription permanent identifier of the second terminal device from its anonymized identifier or temporary identifier are described below.
One: the unified data management network element determines the subscription permanent identifier of the second terminal device from its anonymized identifier.
The unified data management network element locally stores the correspondence between the anonymized identifier and the subscription permanent identifier of the second terminal device, and can determine the subscription permanent identifier from the anonymized identifier based on that stored correspondence.
The unified data management network element may also use the anonymized identifier of the second terminal device to obtain its subscription permanent identifier from another network element, which may be a subscription identifier de-concealing function network element or a unified data repository network element.
After obtaining the subscription permanent identifier of the second terminal device from the other network element, the unified data management network element may directly store the correspondence between the anonymized identifier and the subscription permanent identifier of the second terminal device. It may also first determine an attribute of the second terminal device and decide, based on that attribute, whether to store the correspondence.
For example, the unified data management network element may look up the subscription information of the second terminal device using its subscription permanent identifier and determine whether the second terminal device is a commercial subscriber; if it is, the unified data management network element may store the correspondence, and if it is not, for example if it is a public safety (mission critical) subscriber, the unified data management network element does not store the correspondence.
In the above description the unified data management network element stores the correspondence on its own initiative; in practice, it may also store the correspondence under instruction from the key management network element.
For example, the key management network element may send a first indication to the unified data management network element instructing it to store the correspondence between the anonymized identifier and the subscription permanent identifier of the second terminal device. This application does not limit how or when the key management network element sends the first indication. The key management network element may send the first indication on its own: for example, it may send the first indication in advance, or after sending the first request, or after receiving the first response. It may also carry the first indication in a message that it needs to send to the unified data management network element anyway, for example in the first request.
Two: the unified data management network element determines the subscription permanent identifier of the second terminal device from its temporary identifier.
The unified data management network element locally stores the correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device, and can determine the subscription permanent identifier from the temporary identifier based on that stored correspondence.
The unified data management network element may also keep the correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device in another network element, such as a unified data repository network element; it can then fetch the correspondence from that network element and determine the subscription permanent identifier of the second terminal device from its temporary identifier.
Optionally, after obtaining the subscription permanent identifier of the second terminal device, the unified data management network element may further determine the generic public subscription identifier (GPSI) of the second terminal device.
The way the unified data management network element determines the GPSI of the second terminal device from its subscription permanent identifier is similar to the way it determines the subscription permanent identifier from the first identifier; see the foregoing, not repeated here.
After receiving the first response from the unified data management network element and obtaining the subscription permanent identifier of the second terminal device, the key management network element may perform the authorization check on the second terminal device based on that subscription permanent identifier.
The key management network element may store an identifier set whose members are the subscription permanent identifiers of the terminal devices allowed to communicate directly with the first terminal device; that is, the terminal devices indicated by the subscription permanent identifiers in the set may connect to the communication system through the first terminal device and exchange data, and are entitled to communicate through the first terminal device.
Based on that identifier set, the key management network element may perform the authorization check on the second terminal device using its subscription permanent identifier; that is, the key management network element determines whether the subscription permanent identifier of the second terminal device is in the identifier set.
When the subscription permanent identifier of the second terminal device is in the identifier set, the authorization check on the second terminal device passes.
If the first response is a security communication parameter acquisition response, the key management network element may proceed directly to step 207.
If the first response is a first user identity resolution response, then after the authorization check on the second terminal device passes the key management network element may send a security communication parameter acquisition request to the unified data management network element, obtain the security communication parameters from it, and then perform step 207. The first key response may further include the first identifier or the GPSI of the second terminal device; the first identifier or GPSI indicates the second terminal device, that is, it indicates that the security communication parameters carried in the first key response are the ones needed to establish secure communication with the second terminal device.
Optionally, after the key management network element has obtained the subscription permanent identifier of the second terminal device by interacting with the unified data management network element and the authorization check on the second terminal device has passed, the key management network element may also use that subscription permanent identifier to obtain the security communication parameters by interacting with a bootstrapping server function network element (such as a BSF network element).
When the subscription permanent identifier of the second terminal device is not in the identifier set, the authorization check on the second terminal device fails, and the key management network element may send a second indication to the first terminal device indicating that the authorization check on the second terminal device failed; after receiving the second indication, the first terminal device may terminate or refuse communication with the second terminal device and not serve it.
The key management network element may also notify the unified data management network element to delete the correspondence between the anonymized identifier and the subscription permanent identifier of the second terminal device, and the unified data management network element deletes the stored correspondence when so notified.
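The steps 201 to 207 exchange, the two resolution ways of the unified data management network element, the attribute-based storage rule and the authorization-failure path, modelled as a small Python simulation. This is an added example, not code from the patent or from Huawei; the SUCI concealment is a reversible base64 stand-in for ECIES, the "tmp-" and "imsi-" prefixes are constructed conventions, and all SUPIs, GPSIs, temporary identifiers and key parameters are constructed sample values.

```python
import base64
from dataclasses import dataclass, field

def conceal(supi):
    """SUCI stand-in (assumption): real SUCI uses ECIES under the home network
    public key; base64 keeps the example offline and only the UDM/SIDF reverses it."""
    return "suci-" + base64.b64encode(supi.encode()).decode()

def sidf_deconceal(suci):
    if not suci.startswith("suci-"):
        raise ValueError("not a SUCI")
    return base64.b64decode(suci[len("suci-"):]).decode()

def is_first_identifier(ident):
    # Step 202: SUCI or temporary ID ('tmp-' prefix is a constructed convention).
    return ident.startswith("suci-") or ident.startswith("tmp-")

@dataclass
class UDM:
    """Unified data management: subscription records and identifier mappings."""
    subscriptions: dict                               # SUPI -> record
    temp_ids: dict = field(default_factory=dict)      # temp ID -> SUPI (steps 601-602)
    first_id_map: dict = field(default_factory=dict)  # first identifier -> SUPI

    def resolve(self, first_id):
        """Way one (SUCI via SIDF) or way two (temporary ID via stored mapping)."""
        if first_id in self.first_id_map:
            return self.first_id_map[first_id]
        if first_id.startswith("suci-"):
            supi = sidf_deconceal(first_id)
        elif first_id in self.temp_ids:
            supi = self.temp_ids[first_id]
        else:
            raise KeyError(f"cannot resolve {first_id}")
        if supi not in self.subscriptions:
            raise KeyError("resolved SUPI has no subscription")
        # Attribute rule from the text: keep the mapping for commercial
        # subscribers, never for public-safety (mission critical) ones.
        if self.subscriptions[supi]["commercial"]:
            self.first_id_map[first_id] = supi
        return supi

    def first_response(self, first_id):
        """First request/first response: SUPI plus GPSI and the echoed first ID."""
        supi = self.resolve(first_id)
        return {"supi": supi, "gpsi": self.subscriptions[supi]["gpsi"],
                "first_id": first_id}

    def delete_mapping(self, first_id):
        return self.first_id_map.pop(first_id, None) is not None

@dataclass
class PKMF:
    """Key management: authorizes the remote UE by SUPI against an identifier set."""
    udm: UDM
    authorized_supis: set
    security_params: dict   # SUPI -> parameters (what the UDM or BSF would supply)

    def first_key_request(self, first_id):
        if not is_first_identifier(first_id):
            raise ValueError("first key request must carry a SUCI or temporary ID")
        resp = self.udm.first_response(first_id)            # steps 203-205
        supi = resp["supi"]
        if supi not in self.authorized_supis:               # step 206 fails
            self.udm.delete_mapping(first_id)               # UDM drops the mapping
            return {"authorized": False, "first_id": first_id}   # second indication
        # Step 207: the remote UE is named by GPSI or the first identifier;
        # the SUPI itself is never sent back towards the relay UE.
        return {"authorized": True, "first_id": first_id, "gpsi": resp["gpsi"],
                "security_params": self.security_params[supi]}

def run_scenarios():
    """Constructed sample data: three remote UEs with different outcomes."""
    supi_a = "imsi-001010000000001"   # commercial, authorized to use the relay
    supi_b = "imsi-001010000000002"   # commercial, not authorized
    supi_c = "imsi-001010000000003"   # mission critical, authorized
    udm = UDM(subscriptions={
        supi_a: {"gpsi": "msisdn-10000000001", "commercial": True},
        supi_b: {"gpsi": "msisdn-10000000002", "commercial": True},
        supi_c: {"gpsi": "msisdn-10000000003", "commercial": False},
    })
    udm.temp_ids["tmp-7f3a"] = supi_a   # allocated by ProSe, handed to the UDM
    pkmf = PKMF(udm=udm, authorized_supis={supi_a, supi_c},
                security_params={supi_a: {"key_id": "kid-a", "k_nrp": "00" * 16},
                                 supi_c: {"key_id": "kid-c", "k_nrp": "11" * 16}})
    return {
        "suci_ok": pkmf.first_key_request(conceal(supi_a)),
        "tmp_ok": pkmf.first_key_request("tmp-7f3a"),
        "suci_denied": pkmf.first_key_request(conceal(supi_b)),
        "suci_mission_critical": pkmf.first_key_request(conceal(supi_c)),
        "mappings": dict(udm.first_id_map),
    }

if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

After the run, only the authorized commercial subscriber's SUCI and temporary identifier remain mapped in the UDM: the unauthorized subscriber's mapping was stored and then deleted on the failure notification, and the mission-critical subscriber's was never stored.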
When the authorization check on the second terminal device passes and the first terminal device receives the first key response, it may establish secure communication with the second terminal device based on the security communication parameters carried in the first key response. During establishment, the first terminal device may send a direct security mode command to the second terminal device, which includes key-related information determined from the security communication parameters (for example, the security communication parameters may include that key-related information); after receiving the direct security mode command, the second terminal device may generate a security key from the key-related information, which can be used to encrypt and/or integrity-protect the data exchanged between the second terminal device and the first terminal device. After generating the security key, the second terminal device sends a direct security mode complete message to the first terminal device to notify it that direct security mode is complete.
After establishing secure communication with the second terminal device, the first terminal device may send a direct communication response to the second terminal device in response to its direct communication request.
The first terminal device may allocate an internet protocol (IP) address to the second terminal device, which the second terminal device uses to exchange data with the data network through the first terminal device. The IP address may be an internet protocol version 6 (IPv6) prefix or an IPv4 address.
Based on that IP address, the second terminal device exchanges data with the data network through the first terminal device as follows: the second terminal device encapsulates data using the IP address allocated to it by the first terminal device (such as the IPv6 prefix or IPv4 address) to generate a data packet, and sends the packet to the first terminal device.
For a packet encapsulated with an IPv4 address, after receiving it the first terminal device translates the IPv4 address of the packet into the IPv4 address of the PDU session (the IPv4 address of the PDU session is allocated to the first terminal device by the network side), the PDU session being the one used for the relay service. The first terminal device sends the address-translated packet through a specific port. The packet also carries the port number of that specific port, which the first terminal device allocated for transmitting the packets of the second terminal device.
For a packet encapsulated with an IPv6 prefix, the first terminal device may send the packet over the PDU session directly.
When the first terminal device receives from the data network a packet that needs to be delivered to the second terminal device, it parses the IP address or port number of the packet, determines that the packet is destined for the second terminal device, and sends it to the second terminal device. For packets encapsulated with an IPv4 address, the first terminal device identifies the second terminal device by the port number of the packet.
After allocating the IP address to the second terminal device, the first terminal device may send the session management network element terminal report information carrying the IP information of the second terminal device, so that the session management network element can perform service control based on the IP information, such as lawful interception and usage statistics.
If the IP address allocated by the first terminal device to the second terminal device is an IPv6 prefix, the IP information is that IPv6 prefix.
If the IP address allocated by the first terminal device to the second terminal device is an IPv4 address, then because the first terminal device usually needs to allocate port numbers to the second terminal device for transmitting its packets, and later uses the port number carried in a packet to determine that the packet comes from the second terminal device, the IP information may be the range of port numbers that the first terminal device allocated to the second terminal device.
The terminal report information may further include a second identifier, which may be any of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the generic public identifier of the second terminal device, and which identifies the second terminal device. The second identifier in the terminal report information may be one the first terminal device obtained from the key management network element or from the second terminal device. After receiving the terminal report information and determining that it includes the second identifier, the session management network element may request the subscription permanent identifier of the second terminal device from the unified data management network element in order to determine the real identity of the second terminal device.
By way of example, the session management network element may send a second user identity resolution request carrying the second identifier to the unified data management network element. After receiving it, the unified data management network element determines the subscription permanent identifier of the second terminal device from the second identifier and sends the session management network element a second user identity resolution response carrying that subscription permanent identifier. On receiving the second user identity resolution response, the session management network element obtains the subscription permanent identifier of the second terminal device.
The way the unified data management network element determines the subscription permanent identifier of the second terminal device from the second identifier is as described above, not repeated here.
It should be noted that in the embodiments of this application the second identifier may also be the subscription permanent identifier of the second terminal device; in that case the session management network element does not need to obtain it from the unified data management network element and can directly perform service control based on the IP information, such as lawful interception and usage statistics.
In the above description the session management network element interacts with the unified data management network element to obtain the subscription permanent identifier of the second terminal device. As a possible implementation, the mobile access management network element may instead interact with the unified data management network element to obtain the subscription permanent identifier of the second terminal device and then send it to the session management network element.
By way of example, the first terminal device may send an N1 message to the mobile access management network element, the N1 message including the second identifier and an N1 SM message, the N1 SM message including the IP information. After receiving the second identifier, the mobile access management network element may initiate an identifier resolution procedure and send an identifier resolution request carrying the second identifier to the unified data management network element; after receiving it, the unified data management network element may determine the subscription permanent identifier of the second terminal device from the second identifier and send the mobile access management network element an identifier resolution response carrying that subscription permanent identifier; the mobile access management network element then sends the subscription permanent identifier of the second terminal device together with the N1 SM message to the session management network element, which may be carried in an Nsmf message, so that the session management network element can obtain the subscription permanent identifier of the second terminal device from the Nsmf message.
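The relay side of the procedure just described: IP allocation to the remote UE, the IP information carried in the terminal report (IPv6 prefix versus IPv4 port range), port-based downlink demultiplexing, and the SMF and AMF variants of resolving the second identifier. This is an added example, not code from the patent or from Huawei; the UDM is reduced to a dictionary of stored mappings, the "imsi-" prefix marking a SUPI is an assumption, and all addresses, identifiers and port ranges are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RelayUE:
    """First terminal device: allocates remote-UE addressing and reports it."""
    pdu_session_ipv4: str        # address the network gave the relay's PDU session
    delegated_ipv6: str          # block from which /64 prefixes are handed out
    ports_per_remote: int = 64
    next_port: int = 40000
    remotes: dict = field(default_factory=dict)   # second identifier -> (kind, value)

    def allocate_ipv6_prefix(self, second_id):
        subnets = ipaddress.ip_network(self.delegated_ipv6).subnets(new_prefix=64)
        prefix = str(list(subnets)[len(self.remotes)])
        self.remotes[second_id] = ("ipv6", prefix)
        return prefix

    def allocate_ipv4(self, second_id):
        # Uplink IPv4 packets are rewritten to the PDU-session address, so what
        # distinguishes remote UEs is the port range the relay assigns each one.
        lo, hi = self.next_port, self.next_port + self.ports_per_remote - 1
        self.next_port = hi + 1
        self.remotes[second_id] = ("ipv4", (lo, hi))
        return lo, hi

    def terminal_report(self, second_id):
        """IP information is the IPv6 prefix or, for IPv4, the port range."""
        kind, value = self.remotes[second_id]
        ip_info = {"ipv6_prefix": value} if kind == "ipv6" else {"port_range": value}
        return {"second_id": second_id, "ip_info": ip_info}

    def remote_for_downlink(self, dst_ip, dst_port):
        """Downlink demux: prefix match for IPv6, port match for IPv4."""
        addr = ipaddress.ip_address(dst_ip)
        for sid, (kind, value) in self.remotes.items():
            if kind == "ipv6" and addr.version == 6 and addr in ipaddress.ip_network(value):
                return sid
            if kind == "ipv4" and dst_ip == self.pdu_session_ipv4 and value[0] <= dst_port <= value[1]:
                return sid
        return None

def udm_resolve(udm_map, second_id):
    """Stand-in for the second user identity resolution / identifier resolution
    exchange: SUCI, temporary ID or GPSI -> SUPI from the UDM's stored mappings."""
    return udm_map[second_id]

def smf_service_control(report, udm_map):
    """SMF path: resolve the second identifier, then pair SUPI with IP info for
    lawful interception or usage accounting. 'imsi-' marks a SUPI (assumption)."""
    sid = report["second_id"]
    supi = sid if sid.startswith("imsi-") else udm_resolve(udm_map, sid)
    return {"supi": supi, **report["ip_info"]}

def amf_path(n1_message, udm_map):
    """AMF path: resolve, then forward SUPI plus the N1 SM message over Nsmf."""
    supi = udm_resolve(udm_map, n1_message["second_id"])
    return {"supi": supi, "n1_sm": n1_message["n1_sm"]}

def run_demo():
    """Constructed sample: one remote UE on IPv6, one on IPv4 (port range)."""
    relay = RelayUE(pdu_session_ipv4="10.45.0.7", delegated_ipv6="2001:db8:0:100::/56")
    udm_map = {"tmp-7f3a": "imsi-001010000000001",            # temporary ID -> SUPI
               "msisdn-10000000002": "imsi-001010000000002"}  # GPSI -> SUPI
    relay.allocate_ipv6_prefix("tmp-7f3a")
    relay.allocate_ipv4("msisdn-10000000002")
    rpt_v6 = relay.terminal_report("tmp-7f3a")
    rpt_v4 = relay.terminal_report("msisdn-10000000002")
    n1 = {"second_id": "tmp-7f3a", "n1_sm": {"ip_info": rpt_v6["ip_info"]}}
    return {
        "smf_v6": smf_service_control(rpt_v6, udm_map),
        "smf_v4": smf_service_control(rpt_v4, udm_map),
        "amf_nsmf": amf_path(n1, udm_map),
        "downlink_v6": relay.remote_for_downlink("2001:db8:0:100::42", 443),
        "downlink_v4": relay.remote_for_downlink("10.45.0.7", 40010),
        "downlink_unknown": relay.remote_for_downlink("10.45.0.7", 50000),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```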
The embodiments of this application also allow the first terminal device to send a second key request to the key management network element, which may carry the international mobile subscriber identity (IMSI) of the second terminal device. After receiving the second key request, the key management network element may perform an authorization check on the second terminal device based on its IMSI and, once the check passes, obtain the security communication parameters from the unified data management network element and then send the first terminal device a second key response carrying the security communication parameters.
Taking the network architecture of FIG. 1 as a basis, the method of FIG. 2 is further described below with the key management network element being a PKMF network element, the unified data management network element a UDM network element, the session management network element an SMF network element, the mobile access management network element an AMF network element, and the proximity service network element a ProSe network element.
(1) The first identifier is a SUCI.
As shown in FIG. 3, a method for obtaining a terminal device identifier provided by an embodiment of this application includes:
Step 301: the relay UE initiates a registration procedure with the AMF network element through the RAN, so that the UE registers with the 5G system.
Step 302: when the remote UE needs to exchange data with the data network, it initiates a discovery procedure and discovers the relay UE; in the discovery procedure the remote UE detects nearby relay UEs by radio signal and identifies the relay UE.
Step 303: after discovering the relay UE, the remote UE may send it a direct communication request, requesting to establish a communication connection with the relay UE; the direct communication request includes the SUCI of the remote UE.
Step 304: after receiving the direct communication request, the relay UE may send a first key request to the PKMF network element, the first key request including the SUCI.
The embodiments of this application do not limit the purpose of the first key request: it may request that the PKMF network element perform an authorization check on the remote UE, request allocation of a security key for the remote UE, or request the security communication parameters needed for the remote UE and the relay UE to establish secure communication.
It should be noted that the relay UE may send the first key request to the PKMF network element directly or through other network elements.
Step 305: the PKMF network element receives the first key request and, after determining that it carries a SUCI, selects a UDM network element based on the SUCI and sends it a first user identity resolution request carrying the SUCI, requesting the UDM network element to resolve the SUCI.
Step 306: after receiving the first user identity resolution request, the UDM network element obtains the SUCI from it and determines the SUPI of the remote UE from the SUCI.
The embodiments of this application do not limit how the UDM network element determines the SUPI of the remote UE from its SUCI; for example, the UDM network element may itself have the decryption capability and decrypt the SUCI directly to obtain the SUPI, or it may invoke another network element (such as the SIDF network element) and obtain the SUPI of the remote UE from it.
Optionally, the UDM network element may also store the correspondence between the SUCI and the SUPI of the remote UE. The embodiments of this application do not limit where it is stored: the UDM network element may store it locally or in another network element (such as the UDR network element), and when the SUCI or SUPI of the remote UE needs to be determined later, the stored correspondence can be fetched from that network element.
It should be noted that the UDM network element may store the correspondence between the SUCI and the SUPI of the remote UE on its own initiative, for example storing it directly after determining the SUPI from the SUCI, or it may first decide based on the attributes of the remote UE whether to store it. The UDM network element may look up the subscription information of the remote UE using its SUPI and store the correspondence after determining that the remote UE is a commercial subscriber.
The UDM network element may also store the correspondence between the SUCI and the SUPI of the remote UE under instruction from the PKMF network element: the PKMF network element may send the UDM network element a first indication instructing it to store the correspondence, and after receiving the first indication the UDM network element may store it. The first indication may be sent as a separate message or carried in a message that the PKMF network element sends to the UDM network element (such as the first user identity resolution request).
Step 307: after determining the SUPI of the remote UE, the UDM network element returns a first user identity resolution response to the PKMF network element, carrying the SUPI of the remote UE.
Optionally, after determining the SUPI of the remote UE, the UDM network element may also determine the GPSI of the remote UE from its SUPI and carry the GPSI in the first user identity resolution response.
Step 308: after receiving the first user identity resolution response, the PKMF network element obtains the SUPI of the remote UE from it and performs an authorization check on the remote UE based on the SUPI, determining whether the remote UE is entitled to connect to the network through the selected relay UE and exchange data with the DN.
The PKMF network element may store a SUPI set in advance, containing one or more SUPIs; the terminal device corresponding to each SUPI in the set can connect to the network through a relay UE. The PKMF network element may determine whether the SUPI of the remote UE belongs to the set: if so, the authorization check on the remote UE passes and the remote UE can exchange data with the 5G system through the relay UE; otherwise, the authorization check on the remote UE fails.
Optionally, the first user identity resolution response may also carry the GPSI of the remote UE.
Step 309: after the authorization check on the remote UE passes, the PKMF network element obtains the security communication parameters from the UDM network element; these are the parameters the relay UE and the remote UE need to establish secure communication and may include key-related information used to generate the security key.
Optionally, the PKMF network element may also obtain the security communication parameters through another network element, such as a BSF network element.
If the authorization check on the remote UE fails, the PKMF network element may send the relay UE an authorization-failed indication so that the relay UE terminates or refuses to serve the remote UE, and may also notify the UDM network element to delete the stored correspondence between the SUCI and the SUPI of the remote UE. On receiving the notification, the UDM network element deletes the correspondence if it has stored it, and otherwise ignores the notification.
Step 310: after obtaining the security communication parameters, the PKMF network element may send a first key response to the relay UE, the first key response including the security communication parameters.
Optionally, the first key response may also carry the SUCI of the remote UE; the SUCI carried in the first key response is for the relay UE to provide to core network elements such as the SMF network element or the AMF network element.
It should be noted that when the first key request is used to request an authorization check on the remote UE, the first key response need not carry the security communication parameters, that is, the PKMF network element need not perform step 309 and, after the authorization check on the remote UE passes, sends the first key response directly to indicate that the check passed. When the first key request is used to request the security communication parameters, the first key response carries the security communication parameters including the key-related information.
It should be noted that if the first user identity resolution response carries the GPSI of the remote UE, the first key response may carry the GPSI of the remote UE instead of the SUCI.
Step 311: after receiving the first key response, the relay UE establishes secure communication with the remote UE based on the security communication parameters.
Step 312: the relay UE sends a direct communication response to the remote UE in response to the direct communication request.
Step 313: the relay UE allocates to the remote UE the IP address needed for communication.
Specifically, the IP address may be an IPv6 prefix or an IPv4 address.
Step 314: the relay UE sends terminal report information to the SMF network element, the terminal report message including the SUCI of the remote UE and IP information. If the IP address in step 313 is an IPv6 prefix, the IP information is the IPv6 prefix the relay UE allocated to the remote UE; if it is an IPv4 address, the IP information is the range of port numbers the relay UE allocated to the remote UE.
The SUCI of the remote UE that the relay UE carries in the terminal report message may have been obtained from the first key response or from the direct communication request.
Step 315: after receiving the terminal report information and determining that it carries a SUCI, the SMF network element sends the UDM network element a second user identity resolution request carrying the SUCI, requesting the UDM network element to resolve the SUCI.
Step 316: after receiving the second user identity resolution request, the UDM network element obtains the SUCI from it and determines the SUPI of the remote UE from the SUCI.
The way the UDM network element determines the SUPI of the remote UE from its SUCI is similar to that in step 306; see the foregoing, not repeated here.
It should be noted that if the UDM network element has stored the correspondence between the SUCI and the SUPI of the remote UE, it can determine the SUPI from the SUCI directly based on that correspondence.
Optionally, where the UDM network element has stored the correspondence between the SUCI and the SUPI of the remote UE, it may delete that correspondence after determining the SUPI from the SUCI.
Step 317: after determining the SUPI of the remote UE, the UDM network element returns a second user identity resolution response to the SMF network element, carrying the SUPI of the remote UE.
Step 318: after receiving the second user identity resolution response, the SMF network element obtains the SUPI of the remote UE from it. The SMF network element may further perform service control based on the SUPI and the received IP information, such as lawful interception and usage statistics, without limitation here.
It should be noted that if the first key response in step 310 carries the GPSI of the remote UE, the SUCI of the remote UE in steps 314 to 316 may be replaced by the GPSI of the remote UE.
In the embodiment of FIG. 3 the PKMF network element first requests the SUPI of the remote UE from the UDM network element and then requests the security communication parameters from the UDM network element or another network element. To further reduce signalling between the PKMF network element and the UDM network element, the PKMF network element may request the security communication parameters at the same time as it requests the SUPI of the remote UE from the UDM network element; see the embodiment of FIG. 4. As shown in FIG. 4, a method for obtaining a terminal device identifier provided by an embodiment of this application includes:
Steps 401 to 404: the same as steps 301 to 304; see the foregoing, not repeated here.
Step 405: the PKMF network element receives the first key request and, after determining that it carries a SUCI, selects a UDM network element based on the SUCI and sends it a security communication parameter acquisition request carrying the SUCI; the request is used to request the security communication parameters and, by including the SUCI, to request the UDM network element to resolve the SUCI.
Step 406: after receiving the security communication parameter acquisition request, the UDM network element determines the security communication parameters, obtains the SUCI from the request, and determines the SUPI of the remote UE from the SUCI.
For how the UDM network element determines the SUPI of the remote UE from its SUCI and stores the correspondence between the SUCI and the SUPI, see the description of step 306, not repeated here.
Step 407: after determining the SUPI of the remote UE, the UDM network element returns a security communication parameter acquisition response to the PKMF network element, carrying the SUPI of the remote UE and the security communication parameters.
Optionally, after determining the SUPI of the remote UE, the UDM network element may also determine the GPSI of the remote UE from its SUPI and carry the GPSI in the security communication parameter acquisition response.
Step 408: after receiving the security communication parameter acquisition response, the PKMF network element obtains the SUPI of the remote UE from it and performs an authorization check on the remote UE based on the SUPI, determining whether the remote UE is entitled to connect to the network through the selected relay UE and exchange data with the DN.
Step 409: after obtaining the security communication parameters, the PKMF network element may send a first key response to the relay UE, the first key response including the security communication parameters.
Step 410: after the PKMF network element's authorization check on the remote UE passes, secure communication is established with the remote UE based on the security communication parameters.
Steps 411 to 417: the same as steps 312 to 318; see the foregoing, not repeated here.
In the embodiments of FIG. 3 and FIG. 4, after the authorization check on the remote UE passes, the first key response that the PKMF network element sends to the relay UE carries the SUCI of the remote UE; the PKMF network element may also tell the relay UE the SUPI of the remote UE directly. See the following embodiment.
As shown in FIG. 5, a method for obtaining a terminal device identifier provided by an embodiment of this application includes:
Steps 501 to 509: the same as steps 301 to 309; see the foregoing, not repeated here.
Step 510: after obtaining the security communication parameters, the PKMF network element may send a first key response to the relay UE, the first key response including the security communication parameters.
Optionally, the first key response may also carry the SUPI of the remote UE.
Steps 511 to 513: the same as steps 311 to 313; see the foregoing, not repeated here.
Step 514: the relay UE sends terminal report information to the SMF network element, the terminal report message including the SUPI of the remote UE and IP information. If the IP address in step 513 is an IPv6 prefix, the IP information is the IPv6 prefix the relay UE allocated to the remote UE; if it is an IPv4 address, the IP information is the port number range the relay UE allocated to the remote UE, the IPv4 address corresponding to that port number range.
The SUCI of the remote UE that the relay UE carries in the terminal report message may have been obtained from the first key response or from the direct communication request.
Step 515: the SMF network element obtains the SUPI of the remote UE from the terminal report message. The SMF network element may further perform service control based on the SUPI and the received IP information, such as lawful interception and usage statistics, without limitation here.
It should be noted that in the embodiment of FIG. 5 the PKMF network element may also send the UDM network element a security parameter acquisition request carrying the SUCI directly; the UDM network element determines the SUPI of the remote UE from the SUCI and determines the security communication parameters, then sends the PKMF network element a security parameter acquisition response including the SUPI of the remote UE and the security communication parameters.
In this embodiment the SMF network element does not need to interact with the UDM network element to determine the SUPI of the remote UE, which further reduces signalling.
(2) The first identifier is the temporary identifier of the remote UE.
As shown in FIG. 6, a method for obtaining a terminal device identifier provided by an embodiment of this application includes:
Step 601: the ProSe network element allocates a temporary identifier to the remote UE.
Step 602: the ProSe network element sends the temporary identifier allocated to the remote UE to the UDM network element.
After receiving the temporary identifier of the remote UE, the UDM network element may locally store the correspondence between the temporary identifier and the SUPI of the remote UE.
Step 603: the ProSe network element sends the remote UE its temporary identifier.
Step 604: the relay UE initiates a registration procedure with the AMF network element through the RAN, so that the UE registers with the 5G system.
Step 605: when the remote UE needs to exchange data with the data network, it initiates a discovery procedure and discovers the relay UE.
Step 606: after discovering the relay UE, the remote UE may send it a direct communication request, requesting to establish a communication connection with the relay UE; the direct communication request includes the temporary identifier of the remote UE.
Step 607: after receiving the direct communication request, the relay UE may send a first key request to the PKMF network element, the first key request including the temporary identifier.
The relay UE may send the first key request to the PKMF network element directly or through other network elements.
For the description of the first key request, see the embodiment of FIG. 3, not repeated here.
Step 608: the PKMF network element receives the first key request and, after determining that it carries a temporary identifier, selects a UDM network element based on the temporary identifier and sends it a first user identity resolution request carrying the temporary identifier, requesting the UDM network element to resolve it.
Step 609: after receiving the first user identity resolution request, the UDM network element obtains the temporary identifier from it and determines the SUPI of the remote UE from the temporary identifier.
The UDM network element determines the SUPI of the remote UE from the stored correspondence between the temporary identifier and the SUPI of the remote UE.
Step 610: after determining the SUPI of the remote UE, the UDM network element returns a first user identity resolution response to the PKMF network element, carrying the SUPI of the remote UE.
Steps 611 to 612: the same as steps 308 to 309; see the foregoing, not repeated here.
Step 613: after obtaining the security communication parameters, the PKMF network element may send a first key response to the relay UE, the first key response including the security communication parameters.
Optionally, the first key response may also carry the temporary identifier of the remote UE; the temporary identifier carried in the key response is for the relay UE to provide to core network elements such as the SMF network element or the AMF network element.
Steps 614 to 616: the same as steps 311 to 313; see the foregoing, not repeated here.
Step 617: the relay UE sends terminal report information to the SMF network element, the terminal report message including the temporary identifier of the remote UE and IP information. If the IP address in step 613 is an IPv6 prefix, the IP information is the IPv6 prefix the relay UE allocated to the remote UE; if it is an IPv4 address, the IP information is the range of port numbers the relay UE allocated to the remote UE.
The temporary identifier of the remote UE that the relay UE carries in the terminal report message may have been obtained from the first key response or from the direct communication request.
Step 618: after receiving the terminal report information and determining that it carries a temporary identifier, the SMF network element sends the UDM network element a second user identity resolution request carrying the temporary identifier, requesting the UDM network element to resolve it.
Step 619: after receiving the second user identity resolution request, the UDM network element obtains the temporary identifier from it and determines the SUPI of the remote UE from the temporary identifier.
The way the UDM network element determines the SUPI of the remote UE from its temporary identifier is similar to that in step 606; see the foregoing, not repeated here.
Step 620: after determining the SUPI of the remote UE, the UDM network element returns a second user identity resolution response to the SMF network element, carrying the SUPI of the remote UE.
Step 621: after receiving the second user identity resolution response, the SMF network element obtains the SUPI of the remote UE from it. The SMF network element may further perform service control based on the SUPI and the received IP information, such as lawful interception and usage statistics, without limitation here.
It should be noted that in the embodiment of FIG. 6 the PKMF network element may also send the UDM network element a security parameter acquisition request carrying the temporary identifier of the remote UE directly; the UDM network element determines the SUPI of the remote UE from the temporary identifier and determines the security communication parameters, then sends the PKMF network element a security parameter acquisition response including the SUPI of the remote UE and the security communication parameters.
In the embodiment of FIG. 6 the SMF network element interacts with the UDM network element to obtain the SUPI of the remote UE. As a possible implementation, the AMF network element may instead interact with the UDM network element to obtain the SUPI of the remote UE: the remote UE may send an N1 message to the AMF network element, the N1 message including the temporary identifier of the remote UE and an N1 SM message, the N1 SM message including the IP information. After receiving the temporary identifier of the remote UE, the AMF network element may initiate an identifier resolution procedure and send the UDM network element an identifier resolution request carrying the temporary identifier of the remote UE; after receiving it, the UDM network element may determine the SUPI of the remote UE from the temporary identifier and send the AMF network element an identifier resolution response carrying the SUPI of the remote UE; the AMF network element sends an Nsmf message to the SMF network element, the Nsmf message including the SUPI of the remote UE and the N1 SM message, and the SMF network element can obtain the SUPI of the remote UE from the Nsmf message.
In the embodiment of FIG. 6, after the authorization check on the remote UE passes, the first key response that the PKMF network element sends to the relay UE carries the temporary identifier of the remote UE; the PKMF network element may also tell the relay UE the SUPI of the remote UE directly. See the following embodiment.
As shown in FIG. 7, a method for obtaining a terminal device identifier provided by an embodiment of this application includes:
Steps 701 to 712: the same as steps 601 to 612; see the foregoing, not repeated here.
Steps 713 to 718: the same as steps 510 to 515; see the foregoing, not repeated here.
It should be noted that in the embodiment of FIG. 7 the PKMF network element may also send the UDM network element a security parameter acquisition request carrying the temporary identifier of the remote UE directly; the UDM network element determines the SUPI of the remote UE from the temporary identifier and determines the security communication parameters, then sends the PKMF network element a security parameter acquisition response including the SUPI of the remote UE and the security communication parameters. That is, the PKMF network element can request the security communication parameters at the same time as it requests the SUPI of the remote UE from the UDM network element, which reduces signalling.
As a possible implementation, in the embodiments of this application the relay UE may also first obtain the security communication parameters and establish secure communication with the remote UE, and only then request the UDM network element to resolve the SUCI through the SMF network element or the AMF network element.
Referring to FIG. 8, taking the relay UE requesting SUCI resolution from the UDM network element through the AMF network element as an example, the method includes:
Steps 801 to 803: the same as steps 301 to 303; see the foregoing, not repeated here.
Step 804: after receiving the direct communication request, the relay UE may obtain the security communication parameters from the PKMF network element.
Specifically, the direct communication request contains a key identifier, which identifies the security key used to encrypt and/or integrity-protect the data exchanged between the remote UE and the relay UE; the relay UE can use that key identifier to obtain the corresponding security communication parameters from the PKMF network element.
Step 805: the relay UE establishes secure communication with the remote UE based on the security communication parameters.
Step 806: the relay UE sends a direct communication response to the remote UE in response to the direct communication request.
Step 807: the relay UE allocates to the remote UE the IP address needed for communication.
Specifically, the IP address may be an IPv6 prefix or an IPv4 address.
Step 808: the relay UE sends an N1 message to the AMF network element, the N1 message including the SUCI of the remote UE and an N1 SM message, the N1 SM message including the IP information.
If the IP address in step 807 is an IPv6 prefix, the IP information is the IPv6 prefix the relay UE allocated to the remote UE; if the IP address in step 808 is an IPv4 address, the IP information is the port number range the relay UE allocated to the remote UE.
Step 809: after receiving the terminal report information and determining that it carries a SUCI, the AMF network element sends the UDM network element an identifier resolution request carrying the SUCI, requesting the UDM network element to resolve the SUCI.
Step 810: after receiving the identifier resolution request, the UDM network element obtains the SUCI from it and determines the SUPI of the remote UE from the SUCI.
The way the UDM network element determines the SUPI of the remote UE from its SUCI is similar to that in step 306; see the foregoing, not repeated here.
Step 811: after determining the SUPI of the remote UE, the UDM network element returns an identifier resolution response to the AMF network element, carrying the SUPI of the remote UE.
Step 812: after receiving the identifier resolution response, the AMF network element obtains the SUPI of the remote UE from it and sends an Nsmf message to the SMF network element, the Nsmf message including the SUPI of the remote UE and the N1 SM message.
Step 813: the SMF network element may perform service control based on the SUPI and the received IP information, such as lawful interception and usage statistics, without limitation here.
It should be noted that the relay UE may also request SUCI resolution from the UDM through the SMF: specifically, the relay UE may send a terminal report message to the SMF through the AMF, and after receiving it the SMF may request the UDM to resolve the SUCI; for the specific procedure see steps 315 to 318 of the embodiment of FIG. 3.
基于与方法实施例同一发明构思,本申请实施例还提供了一种通信装置,用于执行上述方法实施例中所述密钥管理网友或PKMF网元执行的方法,相关特征可参见上述方法实施例,此处不再赘述,如图9所示,该装置包括接收单元901、处理单元902和发送单元903;
接收单元901,用于从第一终端设备接收第一密钥请求,第一密钥请求中包括第一标识,第一标识为第二终端设备的匿名化标识或临时标识;
处理单元902,用于确定第一密钥请求中包括第一标识;
发送单元903,用于在处理单元902确定密钥请求中包括第一标识后,向统一数据管理网元发送第一请求,第一请求包括第一标识;
接收单元901,还用于从统一数据管理网元接收第一响应,第一响应包括第二终端设备的用户永久性标识SUPI;
处理单元902,还用于根据第二终端设备的SUPI对第二终端设备执行授权检查;
发送单元903,还用于在处理单元902对第二终端设备授权检查通过后,向第一终端设备发送第一密钥响应,第一密钥响应中包括安全通信参数,安全通信参数为第一终端设备与第二终端设备建立安全通信所需的参数。
在一种可能的实施方式中,第一响应和第一密钥响应中还包括第二终端设备的GPSI或第一标识。
在一种可能的实施方式中,第一请求为安全通信参数获取请求,第一响应为安全通信参数获取响应。
在一种可能的实施方式中,发送单元903在处理单元902根据第二标识对第二终端设备授权检查未通过后,可以通知统一数据管理网元删除第一标识和第二终端设备的SUPI的对应关系。
在一种可能的实施方式中,发送单元903还可以向统一数据管理网元发送第一指示,第一指示用于指示存储第一标识和第二终端设备的SUPI的对应关系。
Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus for performing the method performed by the unified data management network element or UDM network element in the method embodiments above; for the related features, see the method embodiments above, which are not repeated here. As shown in FIG. 10, the apparatus includes a receiving unit 1001, a processing unit 1002, and a sending unit 1003:
the receiving unit 1001 is configured to receive a first request from the key management network element, the first request including a first identifier, the first identifier being an anonymized identifier or temporary identifier of a second terminal device;
the processing unit 1002 is configured to determine that the first request includes the first identifier and, after determining that the first request includes the first identifier, obtain the SUPI of the second terminal device based on the first identifier;
the sending unit 1003 is configured to send a first response to the key management network element, the first response including the SUPI of the second terminal device.
In a possible implementation, when determining the SUPI of the second terminal device based on the anonymized identifier of the second terminal device, the processing unit 1002 may obtain the SUPI of the second terminal device from the subscription identifier de-concealing network element based on the anonymized identifier of the second terminal device.
In a possible implementation, when determining the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the processing unit 1002 may determine the SUPI of the second terminal device from its temporary identifier based on the saved correspondence between SUPIs and temporary identifiers of terminal devices.
In a possible implementation, the processing unit 1002 may further allocate a temporary identifier to the second terminal device and save the correspondence between the SUPI and the temporary identifier of the second terminal device; the sending unit 1003 may then send the temporary identifier to the second terminal device via the proximity service network element.
In a possible implementation, the processing unit 1002 may further obtain from the proximity service network element the temporary identifier that the proximity service network element allocated to the second terminal device, and save the correspondence between the SUPI and the temporary identifier of the second terminal device.
In a possible implementation, after obtaining the SUPI of the second terminal device based on the first identifier, the processing unit 1002 may store the correspondence between the first identifier and the SUPI of the second terminal device.
In a possible implementation, before the processing unit 1002 stores the correspondence between the first identifier and the SUPI of the second terminal device, the receiving unit 1001 may receive a first indication from the key management network element, the first indication indicating that the correspondence between the first identifier and the SUPI of the second terminal device is to be stored.
In a possible implementation, before storing the correspondence between the first identifier and the SUPI of the second terminal device, the processing unit 1002 may further determine, based on an attribute of the second terminal device, that the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored.
In a possible implementation, the processing unit 1002 may delete the correspondence between the first identifier and the SUPI of the second terminal device upon notification from the key management network element.
In a possible implementation, the processing unit 1002 may determine the GPSI of the second terminal device based on the SUPI of the second terminal device and then carry the GPSI of the second terminal device in the first response.
In a possible implementation, the receiving unit 1001 may further receive a user identity resolution request from the session management network element, the user identity resolution request including a second identifier, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; the processing unit 1002 then determines the SUPI of the second terminal device based on the second identifier; the sending unit 1003 then sends a user identity resolution response to the session management network element, the user identity resolution response including the SUPI of the second terminal device.
In a possible implementation, the receiving unit 1001 may also receive an identifier resolution request from the access and mobility management network element, the identifier resolution request including a second identifier, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; the processing unit 1002 may then determine the SUPI of the second terminal device based on the second identifier; the sending unit 1003 then sends an identifier resolution response to the access and mobility management network element, the identifier resolution response including the SUPI of the second terminal device.
In a possible implementation, the first request is a security communication parameter obtaining request and the first response is a security communication parameter obtaining response.
In a possible implementation, the first response may include the first identifier.
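As an added example that is not code from the patent, the following Python toy models the exchange between the key management network element (units 901 to 903 above) and the unified data management network element (units 1001 to 1003 above), together with the AMF resolution path of steps 808 to 812: a first identifier is resolved to a SUPI, the PKMF runs its authorization check, the correspondence is stored on the PKMF's indication and deleted again when the check fails. The SIDF lookup table, all identifiers, the allow-list and the shape of the security communication parameters are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the subscription identifier de-concealing network element
# (SIDF): concealed SUCI -> SUPI. Both values are placeholders, not real subscribers.
SIDF_TABLE = {"suci-placeholder-remote-ue": "supi-placeholder-remote-ue"}


@dataclass
class UDM:
    """Unified data management NE (FIG. 10): resolves a first/second identifier to a SUPI."""
    temp_ids: dict = field(default_factory=dict)      # temporary identifier -> SUPI, saved at allocation
    gpsi_by_supi: dict = field(default_factory=dict)  # SUPI -> GPSI
    bindings: dict = field(default_factory=dict)      # first identifier -> SUPI, stored on PKMF indication

    def allocate_temp_id(self, supi: str, temp_id: str) -> None:
        self.temp_ids[temp_id] = supi   # the identifier itself would reach the remote UE via the ProSe NE

    def resolve(self, ident: str):
        if ident.startswith("suci-"):            # anonymized identifier: ask the SIDF
            return SIDF_TABLE.get(ident)
        if ident in self.temp_ids:               # temporary identifier: saved correspondence
            return self.temp_ids[ident]
        for supi, gpsi in self.gpsi_by_supi.items():   # GPSI (second identifier case only)
            if gpsi == ident:
                return supi
        return None

    def first_request(self, first_id: str, store: bool):
        supi = self.resolve(first_id)
        if supi is None:
            return None
        if store:                                # first indication received from the PKMF
            self.bindings[first_id] = supi
        return {"supi": supi, "gpsi": self.gpsi_by_supi.get(supi), "first_id": first_id}

    def delete_binding(self, first_id: str) -> None:
        self.bindings.pop(first_id, None)        # PKMF notification after a failed check


@dataclass
class PKMF:
    """Key management NE (FIG. 9): resolve the remote UE, authorize it, hand out security parameters."""
    udm: UDM
    authorized: set                              # constructed allow-list keyed by SUPI

    def key_request(self, first_id: str):
        resp = self.udm.first_request(first_id, store=True)
        if resp is None:
            return {"ok": False, "reason": "unresolvable identifier"}
        if resp["supi"] not in self.authorized:
            self.udm.delete_binding(first_id)    # authorization failed: have the UDM drop the mapping
            return {"ok": False, "reason": "authorization failed"}
        # Constructed security communication parameters; the page does not define their derivation.
        params = {"key_id": secrets.token_hex(4), "key": secrets.token_hex(16)}
        return {"ok": True, "security_params": params, "gpsi": resp["gpsi"], "first_id": first_id}


def amf_report(udm: UDM, second_id: str, ip_info: str):
    """AMF path of steps 808-812: resolve the second identifier, then pass SUPI + IP info on to the SMF."""
    supi = udm.resolve(second_id)
    return None if supi is None else {"supi": supi, "ip_info": ip_info}   # content of the Nsmf message
```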
Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus for performing the method performed by the session management network element or SMF network element in the method embodiments above; for the related features, see the method embodiments above, which are not repeated here. As shown in FIG. 11, the apparatus includes a receiving unit 1101, a processing unit 1102, and a sending unit 1103:
the receiving unit 1101 is configured to receive a terminal report message from the first terminal device, the terminal report message including a second identifier and the IP information the first terminal device allocated to the second terminal device, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device;
the processing unit 1102 is configured to determine that the terminal report message includes the second identifier;
the sending unit 1103 is configured to, after the processing unit 1102 determines that the terminal report message includes the second identifier, send a user identity resolution request to the unified data management network element, the user identity resolution request including the second identifier;
the receiving unit 1101 is further configured to receive a user identity resolution response from the unified data management network element, the user identity resolution response including the SUPI of the second terminal device;
the processing unit 1102 is further configured to perform service control on the second terminal device based on the SUPI of the second terminal device and the IP information.
Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus for performing the method performed by the access and mobility management network element or AMF network element in the method embodiments above; for the related features, see the method embodiments above, which are not repeated here. As shown in FIG. 12, the apparatus includes a receiving unit 1201, a processing unit 1202, and a sending unit 1203:
the receiving unit 1201 is configured to receive a terminal report message from the first terminal device, the terminal report message including a second identifier and the IP information the first terminal device allocated to the second terminal device, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device;
the processing unit 1202 is configured to determine that the terminal report message includes the second identifier;
the sending unit 1203 is configured to, after the processing unit 1202 determines that the terminal report message includes the second identifier, send an identifier resolution request to the unified data management network element, the identifier resolution request including the subscription permanent identifier SUPI of the second terminal device;
the receiving unit 1201 is further configured to receive an identifier resolution response from the unified data management network element, the identifier resolution response including the SUPI of the second terminal device;
the sending unit 1203 is further configured to send the SUPI of the second terminal device and the IP information to the session management network element.
Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus for performing the method performed by the first terminal device or relay UE in the method embodiments above; for the related features, see the method embodiments above, which are not repeated here. As shown in FIG. 13, the apparatus includes a receiving unit 1301, a processing unit 1302, and a sending unit 1303:
the processing unit 1302 is configured to determine that direct communication with a second terminal device needs to be established;
the sending unit 1303 is configured to, after the processing unit 1302 determines that direct communication with the second terminal device needs to be established, send a first key request to the key management network element, the first key request including a first identifier, the first identifier being an anonymized identifier or temporary identifier of the second terminal device;
the receiving unit 1301 is configured to receive a first key response from the key management network element, the first key response including security communication parameters;
the processing unit 1302 is further configured to establish secure communication with the second terminal device based on the security communication parameters.
In a possible implementation, the first key response further includes the GPSI of the second terminal device or the first identifier.
The division into units in the embodiments of this application is illustrative and is only a division by logical function; in actual implementation there may be other ways of dividing them. In addition, the functional units in the embodiments of this application may be integrated in one processor, may exist physically on their own, or two or more units may be integrated in one module. The integrated unit may be implemented in the form of hardware or in the form of a software functional module.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including a number of instructions that cause a terminal device (which may be a personal computer, a mobile phone, a network device, or the like) or a processor to perform all or some of the steps of the method of each embodiment of this application. The storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
In the embodiments of this application, the key management network element, the unified data management network element, the session management network element, the access and mobility management network element, and the first terminal device may each be presented in the form of functional modules divided in an integrated manner. A "module" here may refer to a specific ASIC, a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or other devices capable of providing the above functions.
In a simple embodiment, a person skilled in the art may conceive that the key management network element, the unified data management network element, the session management network element, and the access and mobility management network element may each take the form shown in FIG. 14.
The communication apparatus 1400 shown in FIG. 14 includes at least one processor 1401 and a memory 1402, and may optionally further include a communication interface 1403.
The memory 1402 may be a volatile memory, such as a random access memory; the memory may also be a non-volatile memory, such as a read-only memory, a flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); or the memory 1402 may be any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without limitation. The memory 1402 may be a combination of the above memories.
The specific connection medium between the processor 1401 and the memory 1402 is not limited in the embodiments of this application. In the figure, the memory 1402 and the processor 1401 are connected by a bus 1404, drawn as a thick line; the connections between other components are only illustrative and not limiting. The bus 1404 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation only one thick line is used in FIG. 14, but this does not mean that there is only one bus or one type of bus.
The processor 1401 may have a data transceiving function and be able to communicate with other devices; in the apparatus of FIG. 14, an independent data transceiving module, such as the communication interface 1403, may also be provided for transceiving data; when communicating with other devices, the processor 1401 may transmit data through the communication interface 1403.
When the key management network element takes the form shown in FIG. 14, the processor 1401 in FIG. 14 may invoke the computer-executable instructions stored in the memory 1402 so that the key management network element performs the method performed by the key management network element or PKMF network element in any of the method embodiments above.
Specifically, the functions/implementation processes of the sending unit, receiving unit, and processing unit in FIG. 9 may all be implemented by the processor 1401 in FIG. 14 invoking the computer-executable instructions stored in the memory 1402. Alternatively, the function/implementation process of the processing unit in FIG. 9 may be implemented by the processor 1401 in FIG. 14 invoking the computer-executable instructions stored in the memory 1402, and the functions/implementation processes of the sending unit and receiving unit in FIG. 9 may be implemented by the communication interface 1403 in FIG. 14.
When the unified data management network element takes the form shown in FIG. 14, the processor 1401 in FIG. 14 may invoke the computer-executable instructions stored in the memory 1402 so that the unified data management network element performs the method performed by the unified data management network element or UDM network element in any of the method embodiments above.
Specifically, the functions/implementation processes of the sending unit, receiving unit, and processing unit in FIG. 10 may all be implemented by the processor 1401 in FIG. 14 invoking the computer-executable instructions stored in the memory 1402. Alternatively, the function/implementation process of the processing unit in FIG. 10 may be implemented by the processor 1401 in FIG. 14 invoking the computer-executable instructions stored in the memory 1402, and the functions/implementation processes of the sending unit and receiving unit in FIG. 10 may be implemented by the communication interface 1403 in FIG. 14.
When the session management network element takes the form shown in FIG. 14, the processor 1401 in FIG. 14 may invoke the computer-executable instructions stored in the memory 1402 so that the session management network element performs the method performed by the session management network element or SMF network element in any of the method embodiments above.
Specifically, the functions/implementation processes of the receiving unit, sending unit, and processing unit in FIG. 11 may all be implemented by the processor 1401 in FIG. 14 invoking the computer-executable instructions stored in the memory 1402. Alternatively, the function/implementation process of the processing unit in FIG. 11 may be implemented by the processor 1401 in FIG. 14 invoking the computer-executable instructions stored in the memory 1402, and the functions/implementation processes of the receiving unit and sending unit in FIG. 11 may be implemented by the communication interface 1403 in FIG. 14.
When the access and mobility management network element takes the form shown in FIG. 14, the processor 1401 in FIG. 14 may invoke the computer-executable instructions stored in the memory 1402 so that the access and mobility management network element performs the method performed by the access and mobility management network element or AMF network element in any of the method embodiments above.
Specifically, the functions/implementation processes of the receiving unit, sending unit, and processing unit in FIG. 12 may all be implemented by the processor 1401 in FIG. 14 invoking the computer-executable instructions stored in the memory 1402. Alternatively, the function/implementation process of the processing unit in FIG. 12 may be implemented by the processor 1401 in FIG. 14 invoking the computer-executable instructions stored in the memory 1402, and the functions/implementation processes of the receiving unit and sending unit in FIG. 12 may be implemented by the communication interface 1403 in FIG. 14.
In a simple embodiment, a person skilled in the art may conceive that the key management network element, the unified data management network element, the session management network element, and the access and mobility management network element may each take the form shown in FIG. 15.
The communication apparatus 1500 shown in FIG. 15 includes at least one processor 1501 and a memory 1502, and may optionally further include a transceiver 1503.
The processor 1501 and the memory 1502 are similar to the processor 1401 and the memory 1402; see the description above, which is not repeated here.
The specific connection medium between the processor 1501 and the memory 1502 is not limited in the embodiments of this application. In the figure, the memory 1502 and the processor 1501 are connected by a bus 1504, drawn as a thick line; the connections between other components are only illustrative and not limiting. The bus 1504 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation only one thick line is used in FIG. 15, but this does not mean that there is only one bus or one type of bus.
The processor 1501 may have a data transceiving function and be able to communicate with other devices; in the apparatus of FIG. 15, an independent data transceiving module, such as the transceiver 1503, may also be provided for transceiving data; when communicating with other devices, the processor 1501 may transmit data through the transceiver 1503.
When the first terminal device takes the form shown in FIG. 15, the processor 1501 in FIG. 15 may invoke the computer-executable instructions stored in the memory 1502 so that the first terminal device performs the method performed by the first terminal device or relay UE in any of the method embodiments above.
Specifically, the functions/implementation processes of the sending unit, receiving unit, and processing unit in FIG. 13 may all be implemented by the processor 1501 in FIG. 15 invoking the computer-executable instructions stored in the memory 1502. Alternatively, the function/implementation process of the processing unit in FIG. 13 may be implemented by the processor 1501 in FIG. 15 invoking the computer-executable instructions stored in the memory 1502, and the functions/implementation processes of the sending unit and receiving unit in FIG. 13 may be implemented by the transceiver 1503 in FIG. 15.
A person skilled in the art should understand that the embodiments of this application may be provided as a method, a system, or a computer program product. Therefore, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) that contain computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to the embodiments of this application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, a person skilled in the art may make various changes and modifications to the embodiments of this application without departing from the scope of the embodiments of this application. Thus, if these modifications and variations of the embodiments of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.

Claims (46)

  1. A communication system, characterized in that the communication system includes a key management network element and a unified data management network element:
    the key management network element is configured to receive a first key request from a first terminal device, the first key request including a first identifier; and, after determining that the first key request includes the first identifier, send a first request to the unified data management network element, the first request including the first identifier, where the first identifier is an anonymized identifier or temporary identifier of a second terminal device;
    the unified data management network element is configured to receive the first request; after determining that the first request includes the first identifier, determine a subscription permanent identifier SUPI of the second terminal device based on the first identifier; and send a first response to the key management network element, the first response including the SUPI of the second terminal device;
    the key management network element is further configured to receive the first response; perform an authorization check on the second terminal device based on the SUPI of the second terminal device; and, after the authorization check of the second terminal device passes, send a first key response to the first terminal device, the first key response including security communication parameters.
  2. The system according to claim 1, characterized in that the first response and the first key response further include a generic public subscription identifier GPSI of the second terminal device, and the unified data management network element is further configured to:
    determine the GPSI of the second terminal device based on the SUPI of the second terminal device.
  3. The system according to claim 1, characterized in that the first response and the first key response further include the first identifier, and the unified data management network element is further configured to:
    store the correspondence between the first identifier and the SUPI of the second terminal device.
  4. The system according to claim 3, characterized in that
    before storing the first identifier and the SUPI of the second terminal device, the unified data management network element is further configured to:
    receive a first indication from the key management network element, the first indication indicating that the correspondence between the first identifier and the SUPI of the second terminal device is to be stored;
    the key management network element is further configured to:
    send the first indication to the unified data management network element.
  5. The system according to claim 3 or 4, characterized in that
    the key management network element is further configured to, after the authorization check of the second terminal device fails, notify the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device;
    the unified data management network element is further configured to delete the correspondence between the first identifier and the SUPI of the second terminal device upon notification from the key management network element.
  6. The system according to any one of claims 1 to 5, characterized in that, in determining the SUPI of the second terminal device based on the anonymized identifier of the second terminal device, the unified data management network element is specifically configured to:
    obtain the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymized identifier of the second terminal device.
  7. The system according to any one of claims 1 to 5, characterized in that, in determining the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the unified data management network element is specifically configured to:
    determine the SUPI of the second terminal device from the temporary identifier of the second terminal device based on a saved correspondence between SUPIs and temporary identifiers of terminal devices.
  8. The system according to claim 7, characterized in that, before determining the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the unified data management network element is further configured to:
    allocate a temporary identifier to the second terminal device, send the temporary identifier to the second terminal device via a proximity service network element, and save the correspondence between the SUPI and the temporary identifier of the second terminal device; or
    obtain from the proximity service network element the temporary identifier that the proximity service network element allocated to the second terminal device, and save the correspondence between the SUPI and the temporary identifier of the second terminal device.
  9. The system according to any one of claims 1 to 8, characterized in that the system further includes a session management network element,
    the session management network element is configured to receive the terminal device report information from the first terminal device, the terminal device report information including a second identifier and IP information that the first terminal device allocated to the second terminal device, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; and, after determining that the terminal report message includes the second identifier, send a user identity resolution request to the unified data management network element, the user identity resolution request including the second identifier;
    the unified data management network element is further configured to receive the user identity resolution request, determine the SUPI of the second terminal device based on the second identifier, and send the user identity resolution response to the session management network element, the user identity resolution response including the SUPI of the second terminal device;
    the session management network element is further configured to receive the user identity resolution response and perform service control on the second terminal device based on the SUPI of the second terminal device and the IP information.
  10. The system according to any one of claims 1 to 9, characterized in that the system further includes an access and mobility management network element,
    the access and mobility management network element is configured to receive a terminal report message from the first terminal device, the terminal report message including a second identifier and IP information that the first terminal device allocated to the second terminal device, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device; and send an identifier resolution request to the unified data management network element, the identifier resolution request including the second identifier;
    the unified data management network element is further configured to receive the identifier resolution request, determine the SUPI of the second terminal device based on the second identifier, and send the identifier resolution response to the access and mobility management network element, the identifier resolution response including the SUPI of the second terminal device;
    the access and mobility management network element is further configured to receive the identifier resolution response and send the SUPI of the second terminal device and the IP information to the session management network element.
  11. The system according to any one of claims 1 to 10, characterized in that the system further includes the first terminal device;
    the first terminal device is configured to send the first key request to the key management network element and receive the first key response from the key management network element; and, after establishing secure communication with the second terminal device based on the security communication parameters, send the terminal report message to the session management network element via the access and mobility management network element.
  12. The system according to any one of claims 1 to 11, characterized in that the system further includes the proximity service network element;
    the proximity service network element is configured to allocate a temporary identifier to the second terminal device and send the temporary identifier to the unified data management network element and the second terminal device.
  13. The system according to any one of claims 1 to 12, characterized in that
    the key management network element is further configured to receive a second key request from the first terminal device, the second key request being used to request the security communication parameters from the key management network element and including an international mobile subscriber identity IMSI of the second terminal device; perform an authorization check on the second terminal device based on the IMSI of the second terminal device; and, after the authorization check of the second terminal device passes, send a second key response to the first terminal device, the second key response including the security communication parameters.
  14. The system according to any one of claims 1 to 13, characterized in that the first request is a security communication parameter obtaining request and the first response is a security communication parameter obtaining response.
  15. A method for obtaining an identifier of a terminal device, characterized by including:
    a key management network element receiving a first key request from a first terminal device, the first key request including a first identifier, the first identifier being an anonymized identifier or temporary identifier of a second terminal device;
    the key management network element, after determining that the first key request includes the first identifier, sending a first request to a unified data management network element, the first request including the first identifier;
    the key management network element receiving a first response from the unified data management network element, the first response including a subscription permanent identifier SUPI of the second terminal device;
    the key management network element performing an authorization check on the second terminal device based on the SUPI of the second terminal device and, after the authorization check of the second terminal device passes, sending a first key response to the first terminal device, the first key response including security communication parameters.
  16. The method according to claim 15, characterized in that the first response and the first key response further include a generic public subscription identifier GPSI of the second terminal device or the first identifier.
  17. The method according to claim 15 or 16, characterized in that the first request is a security communication parameter obtaining request and the first response is a security communication parameter obtaining response.
  18. The method according to any one of claims 15 to 17, characterized in that the method further includes:
    the key management network element, after the authorization check of the second terminal device based on the second identifier fails, notifying the unified data management network element to delete the correspondence between the first identifier and the SUPI of the second terminal device.
  19. The method according to any one of claims 15 to 18, characterized in that the method further includes:
    the key management network element sending a first indication to the unified data management network element, the first indication indicating that the correspondence between the first identifier and the SUPI of the second terminal device is to be stored.
  20. A method for obtaining an identifier of a terminal device, characterized by including:
    a unified data management network element receiving a first request from a key management network element, the first request including a first identifier, the first identifier being an anonymized identifier or temporary identifier of a second terminal device;
    the unified data management network element, after determining that the first request includes the first identifier, obtaining a subscription permanent identifier SUPI of the second terminal device based on the first identifier;
    the unified data management network element sending a first response to the key management network element, the first response including the SUPI of the second terminal device.
  21. The method according to claim 20, characterized in that the unified data management network element determining the SUPI of the second terminal device based on the anonymized identifier of the second terminal device includes:
    the unified data management network element obtaining the SUPI of the second terminal device from a subscription identifier de-concealing network element based on the anonymized identifier of the second terminal device.
  22. The method according to claim 20, characterized in that the unified data management network element determining the SUPI of the second terminal device based on the temporary identifier of the second terminal device includes:
    the unified data management network element determining the SUPI of the second terminal device from the temporary identifier of the second terminal device based on a saved correspondence between SUPIs and temporary identifiers of terminal devices.
  23. The method according to claim 22, characterized in that, before the unified data management network element determines the SUPI of the second terminal device based on the temporary identifier of the second terminal device, the method further includes:
    the unified data management network element allocating a temporary identifier to the second terminal device, sending the temporary identifier to the second terminal device via a proximity service network element, and saving the correspondence between the SUPI and the temporary identifier of the second terminal device; or
    the unified data management network element obtaining from the proximity service network element the temporary identifier that the proximity service network element allocated to the second terminal device, and saving the correspondence between the SUPI and the temporary identifier of the second terminal device.
  24. The method according to any one of claims 20 to 23, characterized in that, after the unified data management network element obtains the SUPI of the second terminal device based on the first identifier, the method further includes:
    the unified data management network element storing the correspondence between the first identifier and the SUPI of the second terminal device.
  25. The method according to claim 24, characterized in that, before the unified data management network element stores the correspondence between the first identifier and the SUPI of the second terminal device, the method further includes:
    the unified data management network element receiving a first indication from the key management network element, the first indication indicating that the correspondence between the first identifier and the SUPI of the second terminal device is to be stored.
  26. The method according to claim 25, characterized in that, before the unified data management network element stores the correspondence between the first identifier and the SUPI of the second terminal device, the method further includes:
    the unified data management network element determining, based on an attribute of the second terminal device, that the correspondence between the first identifier and the SUPI of the second terminal device needs to be stored.
  27. The method according to any one of claims 24 to 26, characterized in that the method further includes:
    the unified data management network element deleting the correspondence between the first identifier and the SUPI of the second terminal device upon notification from the key management network element.
  28. The method according to any one of claims 20 to 27, characterized in that the first response further includes a generic public subscription identifier GPSI of the second terminal device, and the method further includes:
    the unified data management network element determining the GPSI of the second terminal device based on the SUPI of the second terminal device.
  29. The method according to any one of claims 20 to 28, characterized in that the first response further includes the first identifier.
  30. The method according to any one of claims 20 to 29, characterized in that the method further includes:
    the unified data management network element receiving a user identity resolution request from a session management network element, the user identity resolution request including a second identifier, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device;
    the unified data management network element determining the SUPI of the second terminal device based on the second identifier;
    the unified data management network element sending a user identity resolution response to the session management network element, the user identity resolution response including the SUPI of the second terminal device.
  31. The method according to any one of claims 20 to 29, characterized in that the method further includes:
    the unified data management network element receiving an identifier resolution request from an access and mobility management network element, the identifier resolution request including a second identifier, the second identifier being one of: the anonymized identifier of the second terminal device, the temporary identifier of the second terminal device, or the GPSI of the second terminal device;
    the unified data management network element determining the SUPI of the second terminal device based on the second identifier;
    the unified data management network element sending an identifier resolution response to the access and mobility management network element, the identifier resolution response including the SUPI of the second terminal device.
  32. The method according to any one of claims 20 to 31, characterized in that the first request is a security communication parameter obtaining request and the first response is a security communication parameter obtaining response.
  33. A method for obtaining an identifier of a terminal device, characterized by including:
    a session management network element receiving a terminal report message from a first terminal device, the terminal report message including a second identifier and IP information that the first terminal device allocated to a second terminal device, the second identifier being one of: an anonymized identifier of the second terminal device, a temporary identifier of the second terminal device, or a generic public subscription identifier GPSI of the second terminal device;
    the session management network element, after determining that the terminal report message includes the second identifier, sending a user identity resolution request to a unified data management network element, the user identity resolution request including the second identifier;
    the session management network element receiving a user identity resolution response from the unified data management network element, the user identity resolution response including a subscription permanent identifier SUPI of the second terminal device, and performing service control on the second terminal device based on the SUPI of the second terminal device and the IP information.
  34. A method for obtaining an identifier of a terminal device, characterized by including:
    an access and mobility management network element receiving a terminal report message from a first terminal device, the terminal report message including the second identifier and IP information that the first terminal device allocated to the second terminal device, the second identifier being one of: an anonymized identifier of the second terminal device, a temporary identifier of the second terminal device, or a generic public subscription identifier GPSI of the second terminal device;
    the access and mobility management network element, after determining that the terminal report message includes the second identifier, sending an identifier resolution request to a unified data management network element, the identifier resolution request including a subscription permanent identifier SUPI of the second terminal device;
    the access and mobility management network element receiving an identifier resolution response from the unified data management network element, the identifier resolution response including the SUPI of the second terminal device;
    the access and mobility management network element sending the SUPI of the second terminal device and the IP information to a session management network element.
  35. A method for obtaining an identifier of a terminal device, characterized by including:
    a first terminal device, after determining that direct communication with a second terminal device needs to be established, sending the first key request to a key management network element, the first key request including a first identifier, the first identifier being an anonymized identifier or temporary identifier of the second terminal device;
    the first terminal device receiving a first key response from the key management network element, the first key response including the security communication parameters, and the first terminal device establishing secure communication with the second terminal device based on the security communication parameters.
  36. The method according to claim 35, characterized in that the first key response further includes a generic public subscription identifier GPSI of the second terminal device or the first identifier.
  37. A communication apparatus, characterized in that it is configured to implement the method according to any one of claims 15 to 19.
  38. A communication apparatus, characterized in that it is configured to implement the method according to any one of claims 20 to 32.
  39. A communication apparatus, characterized in that it is configured to implement the method according to claim 33.
  40. A communication apparatus, characterized in that it is configured to implement the method according to claim 34.
  41. A communication apparatus, characterized in that it is configured to implement the method according to any one of claims 35 to 36.
  42. A communication apparatus, characterized by including a processor and a memory, the memory storing instructions which, when executed by the processor, cause the apparatus to perform the method according to any one of claims 15 to 19.
  43. A communication apparatus, characterized by including a processor and a memory, the memory storing instructions which, when executed by the processor, cause the apparatus to perform the method according to any one of claims 20 to 32.
  44. A communication apparatus, characterized by including a processor and a memory, the memory storing instructions which, when executed by the processor, cause the apparatus to perform the method according to claim 33.
  45. A communication apparatus, characterized by including a processor and a memory, the memory storing instructions which, when executed by the processor, cause the apparatus to perform the method according to claim 34.
  46. A communication apparatus, characterized by including a processor and a memory, the memory storing instructions which, when executed by the processor, cause the apparatus to perform the method according to any one of claims 35 to 36.
Publications (2)

Publication Number Publication Date
WO2021196011A1 true WO2021196011A1 (zh) 2021-10-07
WO2021196011A9 WO2021196011A9 (zh) 2021-11-11
Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20928846; Country of ref document: EP; Kind code of ref document: A1)
REG Reference to national code (Ref country code: BR; Ref legal event code: B01A; Ref document number: 112022019957; Country of ref document: BR)
ENP Entry into the national phase (Ref document number: 2020928846; Country of ref document: EP; Effective date: 20221013)
NENP Non-entry into the national phase (Ref country code: DE)
ENP Entry into the national phase (Ref document number: 112022019957; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20220930)