WO2021196818A1

WO2021196818A1 - Key generation method and apparatus, and device and computer readable storage medium

Info

Publication number: WO2021196818A1
Application number: PCT/CN2021/070544
Authority: WO
Inventors: 毕晓宇
Original assignee: 大唐移动通信设备有限公司
Priority date: 2020-03-31
Filing date: 2021-01-07
Publication date: 2021-10-07
Also published as: CN113543127B; CN113543127A

Abstract

Disclosed are a key generation method and apparatus, and a device and a computer readable storage medium. The method comprises: obtaining first information of a terminal, the first information being used for representing application service security capability supported by the terminal; and generating a key according to the first information.

Description

Key generation method and device, equipment and computer readable storage medium

Cross-references to related applications

This application claims the priority of Chinese Patent Application No. 202010249052.8 filed in China on March 31, 2020, the entire content of which is incorporated herein by reference.

Technical field

The present disclosure relates to the field of communication technologies, and in particular, to a method and device for generating a key, equipment, and a computer-readable storage medium.

Background technique

The 5G network provides the session security protection function between the user and the access application, and proposes an application-based key management method, referred to as AKMA (Authentication and Key Management for Applications, application layer authentication and key management).

As shown in Figure 1, in the existing AKMA architecture, NEF (Network Exposure Function) provides functions that safely expose services and capabilities provided by the 3GPP network to external networks. The AKMA service requires logical entities, such as AAnF (AKMA Anchor Function) in Figure 1. _{The AAnF anchor point function is used to generate the application key K AF that} protects the UE application data _{based on the anchor key K AKMA} between the UE (User Equipment) and the AF (Application Function, application function).

In related technologies, once the UE requests a key from the network, AUSF (Authentication Server Function) or AAnF will generate the key. However, not all users of 5G will turn on the AKMA function. Therefore, this causes a waste of network resources.

Summary of the invention

The embodiments of the present disclosure provide a key generation method and device, equipment, and computer-readable storage medium to save network resources.

In the first aspect, the embodiments of the present disclosure provide a key generation method applied to a first network element, which includes:

Acquiring first information of the terminal, where the first information is used to indicate an application service security capability supported by the terminal;

According to the first information, a key is generated.

Wherein, the application service security capability includes the capability of supporting application layer authentication and key management AKMA service;

Before the generating a key according to the first information, the method further includes:

Request UDM (Unified Data Management, unified data management entity) to confirm whether the terminal supports AKMA service;

The generating a key according to the first information includes:

Upon receiving the first response, an AKMA key is generated, the first response indicating that the UDM confirms that the terminal supports the AKMA service.

Wherein, the method further includes:

The corresponding relationship between the identification information of the terminal and whether the terminal supports the AKMA service is pre-stored.

Wherein, said obtaining the first information of the terminal includes:

Receiving an authentication request message sent by the second network element, the authentication request message carrying the SUPI (Subscription Permanent Identifier) of the terminal, or the authentication request message carrying the SUCI (Subscription Concealed Identifier) of the terminal, Signed encryption mark);

In the case where the authentication request message carries the SUPI, query the correspondence relationship according to the SUPI to obtain the first information;

When the authentication request message carries the SUCI, send the SUCI to the UDM and obtain the SUPI from the UDM; query the correspondence relationship according to the SUPI obtained from the UDM to obtain the first information.

Wherein, said obtaining the first information of the terminal includes:

Receiving an authentication request message sent by a second network element, where the authentication request message carries the first information.

Wherein, the request for the unified data management entity UDM to confirm whether the terminal supports the AKMA service includes:

Sending first indication information to the UDM, where the first indication information is used to instruct the UDM to confirm whether the terminal supports the AKMA service;

Receiving a first confirmation instruction sent by the UDM, where the first confirmation instruction is used to indicate whether the terminal supports the AKMA service.

Wherein, before the sending the first indication information to the UDM, the method further includes:

Receiving a first request from the terminal, where the first request is used to request the generation of an AKMA key;

The sending first indication information to the UDM includes:

According to the first request, first indication information is sent to the UDM.

Wherein, the obtaining of the first information of the terminal includes:

Receive an authentication request message sent by a second network element, the authentication request message carries the first information, the application service security capability includes at least the capability of supporting AKMA services, and supporting GBA (Generic Bootstrapping Architecture) services Ability.

Wherein, before said generating a key according to said first information, said method further includes:

Request UDM to confirm the target application service security capabilities supported by the terminal.

Wherein, the generating a key according to the first information includes:

If the target application service security capability is one of the capability to support the AKMA service or the capability to support the GBA service, an AKMA key or a GBA key is generated;

If the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, the key is generated according to the preset policy.

Wherein, the method further includes:

If the target application service security capability is one of the capability of supporting AKMA service or the capability of supporting GBA service, sending the information of the security capability of the target application service to a third network element;

If the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, the preset policy and the key generated according to the preset policy are sent to a third network element.

Wherein, said obtaining the first information of the terminal includes:

Receiving instruction information sent by UDM, where the instruction information is used to instruct to select an AKMA service for the terminal;

The generating a key according to the first information includes:

Generate a key according to the instruction information;

Send the AKMA key derivation parameter to the UDM.

In the second aspect, the embodiments of the present disclosure provide a key generation method applied to a third network element, including:

Receive the key request of the target fourth network element;

According to the key request, determine the application service security capability supported by the terminal and the information of the fourth network element. The fourth network element is the fourth network element that enables the target application service security capability of the terminal, and the target application The service security capability is one or more of the application service security capabilities supported by the terminal;

Generate a key for the application service security capability supported by the terminal.

Wherein, the determination of the application service security capabilities supported by the terminal and the information of the fourth network element includes:

Request UDM to confirm the application service security capabilities supported by the terminal and the information of the fourth network element;

The generating the key of the application service security capability supported by the terminal includes:

If the application service security capability supported by the terminal is the capability to support the AKMA service and it is determined according to the information of the fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF secret is generated key.

Wherein, the generating the key of the application service security capability supported by the terminal includes:

Acquiring the first application service security capability supported by the terminal and sent by the first network element;

Acquiring the identifier of the target fourth network element;

If the first application service security capability is the capability to support AKMA services and it is determined according to the identification of the target fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated .

Acquiring a preset policy sent by the first network element and a key generated according to the preset policy;

Acquiring the identifier of the fourth network element;

If the preset policy indicates that the key is generated due to the ability of the terminal to support the AKMA service, and the identification of the target fourth network element determines the connection between the terminal and the target fourth network element When the AKMA service is turned on, the AF key is generated.

Receive the indication information sent by UDM and the identification of the fourth network element, where the indication information is used to indicate the capability of the terminal to support the AKMA service, and the fourth network element is the fourth network with the AKMA service enabled between the terminals Yuan;

In a third aspect, embodiments of the present disclosure provide a method for generating a key, which is applied to a second network element, and includes:

Send first information to the first network element, where the first information indicates an application service security capability supported by the terminal, and the first information is used to enable the first network element to generate a key according to the first information.

Wherein, the sending the first information to the first network element includes:

Sending an authentication request message to the first network element, where the authentication request message carries the first information.

Send an authentication request message to the first network element, where the authentication request message carries the first information, and the application service security capability includes at least an AKMA service capability and a GBA service capability.

In a fourth aspect, the embodiments of the present disclosure provide a key generation method applied to UDM, including:

Storing the subscription information of the terminal, where the subscription information includes the application service security capabilities supported by the terminal;

According to the subscription information, the target application service security capability supported by the terminal is confirmed.

Wherein, the confirming the target application service security capability supported by the terminal according to the subscription information includes:

Receiving a first request from a first network element, where the first request is used to confirm whether the terminal supports the AKMA service;

According to the subscription information and the first request, a first response is sent to the first network element, where the first response is used to indicate whether the terminal supports the AKMA service.

Wherein, the receiving the first request of the first network element includes:

During the master authentication process, receive the first request of the first network element; or

After the master authentication process is completed, the first request of the first network element is received.

Receiving a second request from a third network element, where the second request is used to confirm whether the terminal supports the AKMA service;

According to the subscription information and the second request, a second response is sent to the third network element, where the second response is used to indicate whether the terminal supports the AKMA service.

Receiving the third request of the first network element;

According to the subscription information and the third request, a third response is sent to the first network element, where the third response is used to indicate that the target application service security capability is the capability of supporting AKMA service or the capability of supporting GBA service. Or, the target application service security capability is at least the capability of AKMA to support services and the capability of supporting GBA services.

Wherein, the contract information further includes:

The identification information of the fourth network element that has enabled the AKMA service with the terminal.

In a fifth aspect, the embodiments of the present disclosure also provide a key generation method applied to a second network element, including:

Sending instruction information and an identifier of the fourth network element to the UDM, where the instruction information is used to indicate the application service security capabilities supported by the terminal;

Receiving the key derivation parameter sent by the UDM;

Sending the key derivation parameter to the terminal.

The indication information is used to indicate the ability of the terminal to support the AKMA service, and the fourth network element is the fourth network element that has enabled the AKMA service between the terminals.

In the sixth aspect, the embodiments of the present disclosure also provide a key generation method, which is applied to UDM, including:

Acquiring subscription information of the terminal, where the subscription information includes application service security capabilities supported by the terminal;

When it is determined according to the subscription information that the terminal derives the application service security key, a first instruction is sent to the first network element, and the first instruction is used to instruct the first network element to derive the terminal's security key. Application service security key.

Wherein, said acquiring the contract information of the terminal includes:

Receive instruction information sent by the second network element and the identification of the fourth network element, where the instruction information is used to indicate the application service security capabilities supported by the terminal and the identification information of the AF that enables the AKMA service with the terminal.

Wherein, after the sending the first instruction to the first network element, the method further includes:

Receiving the key derivation parameter sent by the first network element;

Sending the key derivation parameter to the second network element.

Wherein, the method further includes:

Sending instruction information and an identifier of the fourth network element to the fourth network element, where the instruction information is used to indicate the application service security capabilities supported by the terminal;

The fourth network element is the fourth network element that has enabled the AKMA service between the terminals.

In a seventh aspect, the embodiments of the present disclosure also provide a method for generating a key, which is applied to a terminal, and includes:

Send first information to the second network element, where the first information is used to indicate the application service security capabilities supported by the terminal.

Wherein, the sending the first information to the second network element includes:

Sending an N1 message to the second network element, where the first information indicates that the terminal supports the AKMA service.

The N1 message is sent to the second network element, and the application service security capability includes at least an AKMA service capability and a GBA service capability.

Wherein, the method further includes:

Receiving the key derivation parameter sent by the second network element;

The AKMA key is generated according to the key derivation parameter.

In an eighth aspect, embodiments of the present disclosure provide a key generation device applied to a first network element, including:

The first obtaining module is configured to obtain first information of the terminal, where the first information is used to indicate the application service security capabilities supported by the terminal;

The first generating module is configured to generate a key according to the first information.

In a ninth aspect, embodiments of the present disclosure provide a key generation device applied to a third network element, including:

The first receiving module is configured to receive the key request of the target fourth network element;

The first determining module is configured to determine, according to the key request, the application service security capability supported by the terminal and the information of the fourth network element, and the fourth network element is the fourth network element that enables the terminal to enable the target application service security capability Network element, the target application service security capability is one or more of the application service security capabilities supported by the terminal;

The first generating module is used to generate the key of the application service security capability supported by the terminal.

In a tenth aspect, an embodiment of the present disclosure provides a key generation device applied to a second network element, including:

The first sending module is configured to send first information to a first network element, where the first information represents an application service security capability supported by the terminal, and the first information is used to make the first network element according to the first information To generate a key.

In an eleventh aspect, an embodiment of the present disclosure provides a key generation device applied to UDM, including:

The first storage module is configured to store subscription information of the terminal, where the subscription information includes the application service security capabilities supported by the terminal;

The first confirmation module is configured to confirm the target application service security capability supported by the terminal according to the subscription information.

In a twelfth aspect, embodiments of the present disclosure provide a key generation device applied to a second network element, including:

The first sending module is configured to send indication information and the identification of the fourth network element to the UDM, where the indication information is used to indicate the application service security capabilities supported by the terminal;

The first receiving module is configured to receive the key derivation parameter sent by the UDM;

The second sending module is configured to send the key derivation parameter to the terminal.

In a thirteenth aspect, embodiments of the present disclosure provide a key generation device applied to UDM, including:

The first obtaining module is configured to obtain contract information of the terminal, where the contract information includes the application service security capabilities supported by the terminal;

The first sending module is configured to send a first instruction to the first network element when it is determined that the terminal is to derive the application service security key according to the subscription information, and the first instruction is used to instruct the first network Yuan derives the application service security key of the terminal.

In a fourteenth aspect, embodiments of the present disclosure provide a key generation device applied to a terminal, including:

The first sending module is configured to send first information to a second network element, where the first information is used to indicate an application service security capability supported by the terminal.

In a fifteenth aspect, the embodiments of the present disclosure provide a key generation device, which is applied to a first network element, and includes: a transceiver, a memory, a processor, and is stored in the memory and can run on the processor The program; the processor is used to read the program in the memory and execute the following process:

According to the first information, a key is generated.

Wherein, the application service security capability includes the capability to support the AKMA service, and the processor is also used to read the program in the memory and execute the following process:

Request UDM to confirm whether the terminal supports AKMA service;

In a sixteenth aspect, the embodiments of the present disclosure provide a key generation device, which is applied to a third network element, and includes: a transceiver, a memory, a processor, and is stored on the memory and can run on the processor The program; the processor is used to read the program in the memory and execute the following process:

Receive the key request of the target fourth network element;

According to the key request, determine the application service security capability supported by the terminal and the information of the fourth network element, where the fourth network element is the fourth network element that enables the target application service security capability of the terminal, and the target application The service security capability is one or more of the application service security capabilities supported by the terminal;

Wherein, the processor is used to read the program in the memory and execute the following process:

In a seventeenth aspect, the embodiments of the present disclosure provide a key generation device, which is applied to a second network element, and includes: a transceiver, a memory, a processor, and is stored in the memory and can run on the processor The program; the processor is used to read the program in the memory and execute the following process:

In an eighteenth aspect, the embodiments of the present disclosure provide a key generation device applied to UDM, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor; The processor is used to read the program in the memory and execute the following process:

In a nineteenth aspect, the embodiments of the present disclosure provide a key generation device, which is applied to a second network element, and includes: a transceiver, a memory, a processor, and is stored on the memory and can run on the processor The program; the processor is used to read the program in the memory and execute the following process:

Receiving the key derivation parameter sent by the UDM;

Sending the key derivation parameter to the terminal.

In a twentieth aspect, the embodiments of the present disclosure provide a key generation device applied to UDM, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor; The processor is used to read the program in the memory and execute the following process:

In the twenty-first aspect, embodiments of the present disclosure provide a key generation device applied to a terminal, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor The processor is used to read the program in the memory and execute the following process:

In the twenty-second aspect, the embodiments of the present disclosure provide a computer-readable storage medium for storing a computer program, wherein the computer program is executed by a processor to implement the key generation method described in the first aspect Or, implement the steps in the key generation method as described in the second aspect; or implement the steps in the key generation method as described in the third aspect; or, implement the encryption as described in the fourth aspect Or, implement the steps in the key generation method as described in the fifth aspect; or implement the steps in the key generation method as described in the sixth aspect; or, implement the steps in the key generation method as described in the seventh aspect; The steps in the key generation method.

Description of the drawings

In order to explain the technical solutions of the embodiments of the present disclosure more clearly, the following will briefly introduce the accompanying drawings used in the description of the embodiments of the present disclosure. Obviously, the accompanying drawings in the following description are only some embodiments of the present disclosure. For those of ordinary skill in the art, other drawings can be obtained from these drawings without creative labor.

Figure 1 is a diagram of the AKMA architecture in related technologies;

FIG. 2 is one of the flowcharts of the key generation method provided by the embodiment of the present disclosure;

FIG. 3 is the second flowchart of the key generation method provided by the embodiment of the present disclosure;

FIG. 4 is the third flowchart of the key generation method provided by the embodiment of the present disclosure;

FIG. 5 is the fourth flow chart of the key generation method provided by the embodiment of the present disclosure;

FIG. 6 is the fifth flowchart of the key generation method provided by an embodiment of the present disclosure;

FIG. 7 is the sixth flowchart of the key generation method provided by an embodiment of the present disclosure;

FIG. 8 is the seventh flowchart of the key generation method provided by the embodiments of the present disclosure;

FIG. 9 is the eighth flowchart of the key generation method provided by an embodiment of the present disclosure;

FIG. 10 is the ninth flowchart of the key generation method provided by an embodiment of the present disclosure;

FIG. 11 is a tenth flowchart of a key generation method provided by an embodiment of the present disclosure;

Figure 12 is the eleventh flowchart of the key generation method provided by the embodiments of the present disclosure;

FIG. 13 is the twelfth of the flowchart of the key generation method provided by the embodiment of the present disclosure;

FIG. 14 is one of the structural diagrams of a key generation device provided by an embodiment of the present disclosure;

FIG. 15 is the second structural diagram of the key generation device provided by an embodiment of the present disclosure;

FIG. 16 is the third structural diagram of the key generation device provided by an embodiment of the present disclosure;

FIG. 17 is the fourth structural diagram of the key generation device provided by an embodiment of the present disclosure;

FIG. 18 is the fifth structural diagram of the key generation device provided by an embodiment of the present disclosure;

FIG. 19 is a sixth structural diagram of the key generation device provided by an embodiment of the present disclosure;

FIG. 20 is the seventh structural diagram of the key generation device provided by an embodiment of the present disclosure;

Figure 21 is one of the structural diagrams of a key generation device provided by an embodiment of the present disclosure;

Fig. 22 is a second structural diagram of a key generation device provided by an embodiment of the present disclosure.

Detailed ways

The technical solutions in the embodiments of the present disclosure will be clearly and completely described below in conjunction with the accompanying drawings in the embodiments of the present disclosure. Obviously, the described embodiments are part of the embodiments of the present disclosure, rather than all of the embodiments. Based on the embodiments in the present disclosure, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the protection scope of the present disclosure.

Referring to FIG. 2, FIG. 2 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to the first network element. Among them, the first network element may be AUSF (Authentication Server Function), as shown in FIG. 2, including the following

steps

201 and 202.

Step 201: Acquire first information of a terminal, where the first information is used to indicate an application service security capability supported by the terminal.

Wherein, the application security service capability supported by the terminal may be, for example, the capability of supporting AKMA service, the capability of supporting GBA service, and so on.

Step 202: Generate a key according to the first information.

In this step, for example, if the first information indicates the capability of the terminal to support the AKMA service, then the first network element may generate an AKMA key for the terminal.

In an embodiment of the present disclosure, the corresponding relationship between the identification information of the terminal and whether the terminal supports the AKMA service may be pre-stored in the first network element.

At this time, for step 201, the first network element may receive the authentication request sent by the second network element (AMF (Access and Mobility Management Function, access and mobility management function) or SEAF (Security Anchor Function, security anchor function)) Message, the authentication request message carries the SUPI of the terminal, or the authentication request message carries the SUCI of the terminal.

In the case where the authentication request message carries the SUPI, the first network element may query the correspondence relationship according to the SUPI to obtain the first information. In the case that the authentication request message carries the SUCI, the first network element may send the SUCI to the UDM and obtain the SUPI from the UDM, and then the first network element may query according to the SUPI obtained from the UDM According to the corresponding relationship, the first information is acquired.

In an embodiment of the present disclosure, if the terminal supports the AKMA service, the first network element can confirm to the UDM whether the terminal supports the AKMA service. In this case, step 201 specifically includes receiving an authentication request message sent by a second network element, where the authentication request message carries the first information. Step 202 specifically includes generating an AKMA key when receiving a first response, where the first response indicates that the UDM confirms that the terminal supports the AKMA service.

In the embodiment of the present disclosure, the first network element may send first indication information to the UDM, where the first indication information is used to instruct the UDM to confirm whether the terminal supports the AKMA service, and to receive the UDM sent A first confirmation instruction, where the first confirmation instruction is used to indicate whether the terminal supports the AKMA service. Among them, the process of requesting UDM confirmation can occur during the main authentication process or after the main authentication process.

If it occurs after the main authentication process, the first network element receives the first request of the terminal, and the first request is used to request the generation of an AKMA key, and then sends to the UDM according to the first request The first instruction information.

In an embodiment of the present disclosure, the first network element may receive an authentication request message sent by a second network element, the authentication request message carries the first information, and the application service security capability includes at least an AKMA service Ability, the ability to support GBA services. In this case, the first network element may also request UDM to confirm the target application service security capabilities supported by the terminal. At this time, step 202 is specifically that if the target application service security capability is one of the capability to support AKMA service or the capability to support GBA service, generate an AKMA key or GBA key; if the target application service is secure The ability is at least the ability to support the AKMA service and the ability to support the GBA service, and the key is generated according to a preset strategy.

The preset strategy may be preset, for example, it may be generating an AKMA key, generating a GBA key, generating other keys, etc., or determining which form of key to generate according to the processing capability of the first network element itself.

If the target application service security capability is one of the capability to support the AKMA service or the GBA service capability, the first network element sends the target application service security capability information to the third network element (such as AAnF); if The target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, and the first network element sends the preset policy and the key generated according to the preset policy to the third network element.

In an embodiment of the present disclosure, the first network element may also generate an AKMA key according to the UDM instruction. Specifically, the first network element receives instruction information sent by UDM, where the instruction information is used to instruct to select the AKMA service for the terminal. Then, step 202 is specifically: generating a key according to the instruction information, and sending the AKMA key derivation parameter to the UDM. Among them, the key derivation parameters may include, for example, random numbers, counters, terminal identifications, and so on.

In the embodiment of the present disclosure, when the first information of the terminal indicates the security capability of the application service supported by the terminal, the key is generated according to the first information. Therefore, the solution of the embodiment of the present disclosure avoids the problem of always generating keys for the terminal in the related art, thereby saving network resources.

Referring to FIG. 3, FIG. 3 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to a third network element. Wherein, the third network element may be AAnF, as shown in FIG. 3, including the following steps 301 to 303.

Step 301: Receive a key request from the target fourth network element.

Among them, the fourth network element may be AF (Application Function).

Step 302: According to the key request, determine the application service security capability supported by the terminal and the information of the fourth network element, where the fourth network element is the fourth network element that enables the target application service security capability of the terminal, and The target application service security capability is one or more of the application service security capabilities supported by the terminal.

The application service security capabilities supported by the terminal may include the ability to support AKMA services, the ability to support GBA services, and so on. The information of the fourth network element may be the identification of the fourth network element or the like.

Step 303: Generate a key for the application service security capability supported by the terminal.

In an embodiment of the present disclosure, the third network element requests UDM to confirm the application service security capabilities supported by the terminal and the information of the fourth network element. Then, in this step, if the application service security capability supported by the terminal is the capability to support AKMA services and it is determined based on the information of the fourth network element that the connection between the terminal and the target fourth network element is enabled AKMA service, then generate AF key.

In an embodiment of the present disclosure, the third network element obtains the first application service security capability supported by the terminal sent by the first network element, and obtains the identifier of the target fourth network element. If the first application service security capability is the capability to support AKMA services and it is determined according to the identification of the target fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated .

In an embodiment of the present disclosure, the third network element obtains the preset policy sent by the first network element and the key generated according to the preset policy, and obtains the identity of the fourth network element. If the preset policy indicates that the key is generated due to the ability of the terminal to support the AKMA service, and the identification of the target fourth network element determines the connection between the terminal and the target fourth network element When the AKMA service is turned on, the AF key is generated.

In an embodiment of the present disclosure, the third network element may receive the indication information sent by UDM and the identification of the fourth network element, and the indication information is used to indicate the ability of the terminal to support the AKMA service, and the fourth network element It is the fourth network element that has enabled the AKMA service between the terminals. Then, in this step, if the application service security capability supported by the terminal is the capability to support AKMA services and it is determined based on the information of the fourth network element that the connection between the terminal and the target fourth network element is enabled AKMA service, then generate AF key.

In the embodiment of the present disclosure, the key is generated according to the security capability of the application service supported by the terminal and the information of the fourth network element. Therefore, the solution of the embodiment of the present disclosure avoids the problem of always generating keys for the terminal in the related art, thereby saving network resources.

Referring to FIG. 4, FIG. 4 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to a second network element. Wherein, the second network element may be SEAF or AMF, as shown in Figure 4, including the following steps:

Step 401: Send first information to a first network element, where the first information indicates an application service security capability supported by the terminal, and the first information is used to enable the first network element to generate a key according to the first information .

Specifically, the second network element may send an authentication request message to the first network element, and the authentication request message carries the first information.

Alternatively, the second network element may send an authentication request message to the first network element, where the authentication request message carries the first information, and the application service security capability includes at least an AKMA service capability and a GBA service capability.

Referring to FIG. 5, FIG. 5 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to UDM. As shown in Figure 5, the following

steps

501 and 502 are included.

Step 501: Store the subscription information of the terminal, where the subscription information includes the application service security capabilities supported by the terminal.

Wherein, the subscription information may also include identification information of the fourth network element that has enabled the AKMA service with the terminal.

Step 502: According to the subscription information, confirm the target application service security capability supported by the terminal.

In an embodiment of the present disclosure, UDM may receive a first request from a first network element, the first request is used to confirm whether the terminal supports AKMA service, and then, according to the subscription information and the first request Send a first response to the first network element, where the first response is used to indicate whether the terminal supports the AKMA service. Wherein, the above process may be during the main authentication process or after the main authentication process.

In an embodiment of the present disclosure, the UDM may receive a second request from a third network element, the second request is used to confirm whether the terminal supports the AKMA service, and then, according to the subscription information and the second request Send a second response to the third network element, where the second response is used to indicate whether the terminal supports the AKMA service.

In an embodiment of the present disclosure, UDM may receive the third request of the first network element. After that, UDM sends a third response to the first network element according to the subscription information and the third request. The third response is used to indicate that the target application service security capability is one of the capability to support AKMA services or the capability to support GBA services, or the target application service security capability is at least the capability of AKMA to support services and the capability to support GBA services .

Referring to FIG. 6, FIG. 6 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to a second network element. Wherein, the second network element may be SEAF or AMF, as shown in FIG. 6, including the following steps 601 to 603.

Step 601: Send indication information and the identifier of the fourth network element to the UDM, where the indication information is used to indicate the application service security capabilities supported by the terminal.

Step 602: Receive the key derivation parameter sent by the UDM.

Step 603: Send the key derivation parameter to the terminal.

For the meaning of the key derivation parameter, refer to the description of the foregoing embodiment.

Refer to FIG. 7, which is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to UDM. As shown in Fig. 7, the following steps 701 to 702 are included.

Step 701: Acquire subscription information of a terminal, where the subscription information includes application service security capabilities supported by the terminal.

Specifically, in this step, UDM may receive the indication information sent by the second network element and the identification of the fourth network element, where the indication information is used to indicate the application service security capabilities supported by the terminal and to communicate with the terminal The identification information of the AF that enables the AKMA service.

Step 702: When it is determined that the terminal derives the application service security key according to the subscription information, send a first instruction to the first network element, where the first instruction is used to instruct the first network element to derive the security key. The application service security key of the terminal.

Optionally, in one embodiment, after step 702, the method may further include: receiving the key derivation parameter sent by the first network element, and sending the key derivation parameter to the second network element. Derivation parameters.

In addition, to facilitate the generation of the AF key, in one embodiment, the method may further include: UDM sending instruction information and an identifier of the fourth network element to the fourth network element, where the instruction information is used to indicate where the terminal is located. Supported application service security capabilities, where the fourth network element is the fourth network element that has enabled the AKMA service between the terminals.

Referring to FIG. 8, FIG. 8 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to a terminal. As shown in Figure 8, it includes the following steps:

Step 801: Send first information to a second network element, where the first information is used to indicate an application service security capability supported by the terminal.

Specifically, the terminal may send an N1 message to the second network element, and the first information indicates that the terminal supports the AKMA service. Alternatively, the terminal may send an N1 message to the second network element, and the application service security capability includes at least an AKMA service capability and a GBA service capability.

Optionally, in one embodiment, the terminal may also receive the key derivation parameter sent by the second network element, and generate an AKMA key according to the key derivation parameter.

Refer to FIG. 9, which is a flowchart of a key generation method provided by an embodiment of the present disclosure. In the embodiment of the present disclosure, the subscription information of the UE can be pre-stored in the AUSF (Authentication Server Function), and the subscription information is a list of the UE’s identity and the corresponding information of the AKMA service. It can identify whether the UE has enabled or supported the AKMA service.

As shown in Figure 9, the method may include the following steps:

Step 900: The AKMA subscription information of the UE is pre-stored in the AUSF.

Step 901: The UE sends an N1 message (N1 message) to a SEAF (Security Anchor Function), and the message may carry SUPI or 5G GUTI (5G Globally Unique Temporary Identifier).

Step 902: The SEAF sends an authentication request message (Nausf_UE Authentication_Authenticate Request) to AUSF, and the request carries SUPI or 5G GUTI.

Step 903: This step can be divided into two different processing methods according to the content carried in the authentication request message.

The first way includes steps 903a-903c.

Step 903a. After the AUSF receives the authentication request message NAUSF_UE Authentication Authenticate Request sent by the AMF (Access and Mobility Management Function) (SEAF), if it carries the SUPI, the AUSF can directly follow the pre-stored The list confirms whether K _AKMA can be generated by Kausf.

Step 903b: AUSF sends Nudm_UEAuthentication_Get Request [SUCI or SUPI, SN name] to UDM.

Step 903c: UDM replies Nudm_UEAuthentication_Get Response[AV,[SUPI]] to AUSF.

The AUSF compares the service network name with the expected service network name to check whether the requested SEAF in the service network is authorized to use the received service network name.

The second way includes steps 903b-903d.

Step 903c: UDM replies Nudm_UEAuthentication_Get Response[AV,[SUPI]] to AUSF.

_{Step 903d: Since the SEAF sends SUCI, the AUSF confirms whether K AKMA} can be generated by Kausf according to the SUPI obtained from UDM and the pre-stored list.

The main authentication process is performed between the AUSF and the UE, including steps 904-908.

Step 904: AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[AV] to SEAF.

Step 905: The SEAF sends an Authenticate Request to the UE.

Step 906: The UE sends an Authenticate Response to the SEAF.

Step 907: SEAF sends an authentication request Nausf_UEAuthentication_Authenticate Request[RES*] to AUSF.

Step 908: AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[Result] to SEAF.

Step 909: The UE sends an Application session Establishment Request (K _AKMA ID) to the AF.

Step 910: The AF sends a Key Request to AAnF.

Step 911: AAnF queries UDM whether the UE has subscribed to the AKMA service with the AF.

In the embodiment of the present disclosure, the UDM stores the AKMA service between the UE and which AF has been subscribed, which may include: the identity of the UE (such as SUPI), whether AKMA is supported, and which AF the UE has activated AKMA with, and the validity period of the activation, Whether the AKMA settings of the UE can be modified, etc.

Specifically, when the AAnF queries, it needs to carry the identity of the UE (such as SUPI) and the identity of the AF.

Step 912: UDM sends a response Inquire the UE subscription to AAnF.

For example, the UDM feeds back the AKMA service between the UE and the AF according to the UE subscription information stored locally. If allowed, UDM will feedback to AAnF to confirm that it can carry the UE's SUPI, AF ID, whether AKMA service [enabled/disabled] is enabled, and the validity period of the AKMA service. Otherwise, the feedback is not signed.

_{The AAnF determines whether to generate the key K af} for protecting the application data for the AF according to the query result, and sends the Key Response to the AF.

Step 913: AAnF sends a query response to the AF.

Refer to FIG. 10, which is a flowchart of a key generation method provided by an embodiment of the present disclosure. In the embodiment of the present disclosure, the N1 request reported by the UE includes the ability to support the AKMA service, and the AMF receives the ability of the AKMA of the UE, and the AMF informs the AUSF that the AKMA service capability indication is carried in the NAUSF_UE Authentication Request request. The ability of AKMA to serve.

As shown in Figure 10, the method may include the following steps:

Step 1001, the UE sends an N1 message (N1 message) to a SEAF (Security Anchor Function), and the message may carry SUPI or 5G GUTI and the capability of supporting the AKMA service (UE AKMA service capability).

Step 1002, the SEAF sends an authentication request message Nausf_UEAuthentication_Authenticate Request[SUPI or 5G GUTI, AKMA service capability indication] to AUSF, and the request carries the SUPI or 5G GUTI and the ability to support the AKMA service.

Step 1003: AUSF queries UDM for UE's support for AKMA service.

For example, AUSF sends Nudm_UEAuthentication_Get Request [SUCI or SUPI, SN name] to UDM, and can carry an inquiry indication (inquire indication for AKMA).

Step 1004: UDM replies Nudm_UEAuthentication_Get Response[AV,[SUPI]] to AUSF, and may carry a confirmation indication (confirm indication).

The AUSF should compare the service network name with the expected service network name to check whether the requested SEAF in the service network has the right to use the received service network name.

After that, AUSF generates the key KAKMA.

The main authentication process is performed between the AUSF and the UE, including steps 1005-step 1009.

Step 1005: AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[AV] to SEAF.

Step 1006: The SEAF sends an Authenticate Request to the UE.

Step 1007: The UE sends an Authenticate Response to the SEAF.

Step 1008: SEAF sends an authentication request Nausf_UEAuthentication_Authenticate Request[RES*] to AUSF.

Step 1009: AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[Result] to SEAF.

Step 1010: The UE sends an Application session Establishment Request (K _AKMA ID) to the AF.

Step 1011. The AF sends a Key Request to AAnF.

Step 1012: AAnF queries UDM whether the UE has subscribed to the AKMA service with the AF.

Step 1013: UDM sends a response Inquire the UE subscription to AAnF.

_{AAnF determines whether to generate a key K af} for protecting application data for the AF according to the query result, and sends a key response Key Response to the AF.

Step 1014: AAnF sends a response Key Response to the AF.

Refer to FIG. 11, which is a flowchart of a key generation method provided by an embodiment of the present disclosure. In the embodiment of the present disclosure, the difference from the embodiment shown in FIG. 10 is that the challenge of the UDM for the UEAKMA capability by the AUSF occurs after the master authentication. It is possible that AUSF has received the UE's request for KAKMA key derivation, and AUSF immediately initiates the AKMA key derivation.

As shown in Figure 11, the method may include the following steps:

Step 1101, the UE sends an N1 message (N1 message) to a SEAF (Security Anchor Function), and the message may carry SUPI or 5G GUTI and the capability of supporting the AKMA service (UE AKMA service capability).

Step 1102, SEAF sends an authentication request message Nausf_UEAuthentication_Authenticate Request[SUPI or 5G GUTI, AKMA service capability indication] to AUSF, and the request carries SUPI or 5G GUTI and the ability to support the AKMA service.

Step 1103: AUSF sends Nudm_UEAuthentication_Get Request[SUCI or SUPI, SN name] to UDM.

Step 1104: UDM replies Nudm_UEAuthentication_Get ResponseResponse[AV,[SUPI]] to AUSF.

The main authentication process is performed between the AUSF and the UE, including steps 1105-step 1109.

Step 1105: AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[AV] to SEAF.

Step 1106: The SEAF sends an Authenticate Request to the UE.

Step 1107: The UE sends an Authenticate Response to the SEAF.

Step 1108: SEAF sends an authentication request Nausf_UEAuthentication_Authenticate Request[RES*] to AUSF.

Step 1109: AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[Result] to SEAF.

Step 1110: AUSF queries UDM whether the UE supports AKMA service.

Step 1111, UDM performs a query according to the pre-stored subscription information, and returns the query result.

If the query result indicates that the UE supports the AKMA service, AUSF generates the key K _AKMA .

Step 1112, the UE sends an Application session Establishment Request (K _AKMA ID) to the AF.

Step 1113: The AF sends a Key Request to AAnF.

Step 1114: AAnF queries UDM whether the UE has subscribed to the AKMA service with the AF.

Step 1115: UDM sends a response Inquire the UE subscription to AAnF.

_{The AAnF decides whether to generate the key K af} for protecting the application data for the AF according to the query result.

Step 1116: AAnF sends a response Key Response to the AF.

Refer to FIG. 12, which is a flowchart of a key generation method provided by an embodiment of the present disclosure. In the embodiments of the present disclosure, the network side selects whether to use the AKMA architecture as a mechanism for protecting user application data according to the support of the service capabilities reported by the UE and the service support information reported by the AF. As shown in FIG. 12, the method may include:

Step 1201: The UE sends a registration request, and the registration request carries the user's application service security capabilities (AKMA service capability, GBA service capability, and others). Other service capabilities may be empty.

For example, the UE can send N1 message [SUPI or 5G GUTI, Application protection information indication, UE AKMA service capability].

Step 1202, the AMF (SEAF) includes these service capabilities in the NAUSF_UE Authentication Authentication Request message, and sends it to the AUSF together with the user identity.

For example, AMF can send Nausf_UEAuthentication_Authenticate Request [SUPI or 5G GUTI, Application protection information indication (application protection information indication), such as AKMA service capability indication (such as AKMA service capability indication)] to AUSF.

Step 1203: If the AUSF does not include the message, when the AUSF receives the Nausf_UEAuthentication_Authenticate Request message, it will send the authentication acquisition request message to the UDM to carry the UE service capability challenge indication.

For example, AUSF sends Nudm_UEAuthentication_Get Request[SUCI or SUPI,SN name] to UDM.

Step 1204: After receiving the authentication acquisition instruction sent by AUSF, the UDM will feed back the protection capability information of the UE for application data.

For example, UDM sends Nudm_UEAuthentication_Get ResponseResponse[AV,[SUPI,Application protection information indication]] to AUSF.

Step 1205: AUSF determines which form of key to generate.

AUSF chooses which method to use to protect application data according to the received authentication acquisition response message. If UDM clearly indicates that a certain method is selected, such as AKMA service capability, AUSF will generate an AKMA key for the UE. If the UE supports multiple types, the AUSF will choose to derive the key according to the network policy. Among them, the strategy can be preset.

Step 1206: AUSF sends the policy together with the derived key to AAnF.

For example, if AUSF generates an AKMA key, AUSF sends the AKMA key to AAnF; if AUSF generates the AKMA key according to the network policy, AUSF sends the policy and the AKMA key to AAnF.

Step 1207: AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[AV] to SEAF.

Step 1208: The SEAF sends an Authenticate Request to the UE.

Step 1209: The UE sends an Authenticate Response to the SEAF.

Step 1210: SEAF sends an authentication request Nausf_UEAuthentication_Authenticate Request[RES*] to AUSF.

Step 1211, AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[Result] to SEAF.

Step 1212: The UE sends an application key session request Application session Establishment Request (KAKMA ID) to the AF.

Step 1213: The AF sends a Key Request to AAnF.

AAnF receives the application key request sent by AF, and the request information contains information about whether it supports AKMA service to protect application data.

_{Step 1214: AAnF decides to derive the K AF} key according to the UE capability and the AF capability sent by AUSF. If both support the AKMA service capability, AAnF decides to derive the K AF key.

Step 1215: AAnF sends a response Key Response to the AF.

Refer to FIG. 13, which is a flowchart of a key generation method provided by an embodiment of the present disclosure. As shown in Figure 13, the method may include:

Step 1301, UE sends UL NAS message (SUPI, AF ID, AKMA capability) to AMF, carrying AKMA capability, AF ID, etc., where the AKMA capability may be an updated capability.

Step 1302, AMF sends Nudm_APProtectionUPdate_Notification(SUPI, AF ID, AKMA capability)) to UDM to update the AKMA capability information.

Step 1303: After receiving the UDM, it decides to provide protection for the UE to open the AKMA application.

Step 1304: UDM informs AUSF of the information, and then it needs to derive the indication information of the AKMA key for the UE.

For example, UDM sends Nausf_APProtection (SUPI, AKMA capability, [Key derivate Indication]) to AUSF.

Step 1305: After receiving it, AUSF sends a response to UDM and sends the required key derivation parameters to UDM.

For example, AUSF sends Nausf_APProtection Response (Key derivate parameters) to UDM.

After that, AUSF generates a key.

Step 1306: UDM sends a response to AMF after receiving the confirmation from AUSF, and sends AKMA key derivation parameters to AMF.

For example, UDM sends Nudm_APProtectionupdate_Notification Response ((AKMA Key derivate parameters)) to AMF.

Step 1307: The AMF sends the necessary key derivation parameters to the UE through a downlink NAS (Non-Access Stratum, non-access stratum) message.

For example, AMF sends DL NAS message (AKMA Key derivate parameters) to UE.

Step 1308: The UDM sends the user identification, the user's AKMA capability, the AF ID, and an instruction to derive the key to AAnF.

For example, UDM sends Nausf_APProtection (SUPI, AKMA Application capability, AF ID, [Key derivate Indication]) to AANF.

Step 1309: AAnF responds to the confirmation message.

For example, AANF sends Nausf_APProtection Response (Ack) to UDM.

Step 1310: The UE sends an application key session request Application session Establishment Request (KAKMA ID) to the AF.

Step 1311. The AF sends a Key Request to AAnF.

After AAnF receives the request of AF, it needs to derive the AF key according to UDM's instructions.

Step 1312, AAnF sends a response Key Response to the AF.

The embodiment of the present disclosure also provides a key generation device, which is applied to the first network element. Refer to FIG. 14, which is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 14, the key generation device 1400 includes:

The first obtaining module 1401 is configured to obtain first information of the terminal, and the first information is used to indicate the security capability of the application service supported by the terminal; the first generating module 1402 is configured to generate Key.

Optionally, the application service security capability includes the capability to support AKMA service;

The device may further include: a first request module, configured to request UDM to confirm whether the terminal supports AKMA service; the first model generation module 1402 is specifically configured to generate an AKMA key when receiving the first response, The first response indicates that the UDM confirms that the terminal supports the AKMA service.

Optionally, the device may further include: a first storage module configured to pre-store the corresponding relationship between the identification information of the terminal and whether the terminal supports the AKMA service.

Optionally, the first obtaining module 1401 may include: a first receiving submodule, configured to receive an authentication request message sent by a second network element, the authentication request message carrying the terminal's contract permanent identity SUPI, or, The authentication request message carries the subscription encryption identifier SUCI of the terminal; the first obtaining sub-module is configured to query the corresponding relationship according to the SUPI in the case that the authentication request message carries the SUPI, and obtain the The first information; the second acquisition sub-module is used to send the SUCI to the UDM and obtain the SUPI from the UDM when the authentication request message carries the SUCI; query according to the SUPI obtained from the UDM According to the corresponding relationship, the first information is acquired.

Optionally, the first obtaining module 1401 may be specifically configured to receive an authentication request message sent by a second network element, where the authentication request message carries the first information.

Optionally, the first request module includes:

The first sending submodule is used to send first indication information to the UDM, where the first indication information is used to instruct the UDM to confirm whether the terminal supports the AKMA service; the first receiving submodule is used to receive the A first confirmation instruction sent by the UDM, where the first confirmation instruction is used to indicate whether the terminal supports the AKMA service.

Optionally, the device may further include: a first receiving module, configured to receive a first request from the terminal, where the first request is used to request to generate an AKMA key; and a first sending module, configured to receive the AKMA key according to the The first request is to send first indication information to the UDM.

Optionally, the first acquisition module is specifically configured to receive an authentication request message sent by a second network element, where the authentication request message carries the first information, and the application service security capability includes at least one supporting AKMA service Ability, the ability to support the GBA service of the universal guidance architecture.

Optionally, the device may further include: a second request module for requesting UDM to confirm the target application service security capability supported by the terminal.

Optionally, the first generating module is specifically configured to generate an AKMA key or a GBA key if the target application service security capability is one of the capability of supporting AKMA service or the capability of supporting GBA service; if The target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, and the key is generated according to a preset policy.

Optionally, the device may further include: a second sending module, configured to send the target application service security capability to one of the capability of supporting AKMA service or the capability of supporting GBA service to the third network element. Information about the security capability of the target application service; if the security capability of the target application service is at least the ability to support AKMA services and the ability to support GBA services, send the preset policy to the third network element and generate it according to the preset policy Key.

Optionally, the first acquisition module is configured to receive instruction information sent by UDM, where the instruction information is used to instruct to select an AKMA service for the terminal; the first generation module is specifically configured to: Information, generate a key; send AKMA key derivation parameters to the UDM.

The device provided in the embodiment of the present disclosure can execute the foregoing method embodiment, and its implementation principles and technical effects are similar, and details are not described herein again in this embodiment.

The embodiment of the present disclosure also provides a key generation device, which is applied to a third network element. Refer to FIG. 15, which is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 15, the key generation device 1500 includes:

The first receiving module 1501 is used to receive the key request of the target fourth network element; the first determining module 1502 is used to determine the application service security capability supported by the terminal and the information of the fourth network element according to the key request , The fourth network element is the fourth network element that enables the target application service security capability of the terminal, and the target application service security capability is one or more of the application service security capabilities supported by the terminal; A generating module 1503 is used to generate the key of the application service security capability supported by the terminal.

Optionally, the first determining module 1502 may be used to request UDM to confirm the application service security capabilities supported by the terminal and the information of the fourth network element; the first generating module 1503 may be used to, if the terminal is The supported application service security capability is the capability to support the AKMA service and it is determined according to the information of the fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated.

Optionally, the first generating module 1503 may include:

The first obtaining submodule is used to obtain the first application service security capability supported by the terminal sent by the first network element; the second obtaining submodule is used to obtain the identification of the target fourth network element; first generation A sub-module, configured to: if the first application service security capability is the capability to support AKMA services, and according to the identifier of the target fourth network element, it is determined that the AKMA service is enabled between the terminal and the target fourth network element, Then the AF key is generated.

Optionally, the first generating module 1503 may include:

The third obtaining submodule is used to obtain the preset policy sent by the first network element and the key generated according to the preset policy; the fourth obtaining submodule is used to obtain the identity of the fourth network element; second A generation sub-module is used to determine if the preset policy indicates that the key is generated due to the ability of the terminal to support AKMA services, and determine the relationship between the terminal and the target according to the identity of the target fourth network element If the AKMA service is enabled between the fourth network element, the AF key is generated.

Optionally, the first determining module 1502 may be configured to receive indication information sent by UDM and the identification of the fourth network element, where the indication information is used to indicate the ability of the terminal to support the AKMA service, and the fourth network element Is the fourth network element that has AKMA service enabled between the terminals; the first generation module 1503 can be used if the application service security capability supported by the terminal is the capability to support AKMA services and is based on the fourth network If the information of the element determines that the AKMA service is enabled between the terminal and the target fourth network element, an AF key is generated.

The embodiment of the present disclosure also provides a key generation device, which is applied to the second network element. Refer to FIG. 16, which is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 16, the key generation device 1600 includes: a first sending module 1601, configured to send first information to a first network element, where the first information represents an application service security capability supported by the terminal, and the first The information is used to enable the first network element to generate a key according to the first information.

Optionally, the first sending module 1601 is specifically configured to send an authentication request message to the first network element, where the authentication request message carries the first information.

Optionally, the first sending module 1601 is specifically configured to send an authentication request message to the first network element, where the authentication request message carries the first information, and the application service security capability includes at least AKMA service Capacity, GBA service capacity.

The embodiment of the present disclosure also provides a key generation device, which is applied to UDM. Refer to FIG. 17, which is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 17, the key generation device 1700 includes: a first storage module 1701 for storing subscription information of a terminal, the subscription information includes the security capabilities of application services supported by the terminal; a first confirmation module 1702, According to the subscription information, confirm the target application service security capability supported by the terminal.

Optionally, the first confirmation module 1702 may include: a first receiving submodule, configured to receive a first request from a first network element, where the first request is used to confirm whether the terminal supports the AKMA service; The sending submodule is configured to send a first response to the first network element according to the subscription information and the first request, where the first response is used to indicate whether the terminal supports the AKMA service.

Optionally, the first receiving submodule is specifically configured to receive the first request of the first network element during the main authentication process; or after the main authentication process is completed, receive the first request of the first network element .

Optionally, the first confirmation module 1702 may include: a second receiving submodule, configured to receive a second request from a third network element, the second request being used to confirm whether the terminal supports AKMA service; second The sending submodule is configured to send a second response to the third network element according to the subscription information and the second request, where the second response is used to indicate whether the terminal supports the AKMA service.

Optionally, the first confirmation module 1702 may include: a third receiving submodule, configured to receive a third request from the first network element; and a third sending submodule, configured to receive the subscription information and the third request Request, send a third response to the first network element, where the third response is used to indicate that the target application service security capability is one of the capability to support the AKMA service or the capability to support the GBA service, or the target application The service security capability is at least the capability of AKMA to support services and the capability to support GBA services.

Optionally, the subscription information further includes: identification information of the fourth network element that has enabled the AKMA service with the terminal.

The embodiment of the present disclosure also provides a key generation device, which is applied to the second network element. Referring to FIG. 18, FIG. 18 is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 18, the key generation device 1800 includes: a first sending module 1801, configured to send indication information and an identifier of a fourth network element to UDM, where the indication information is used to indicate application service security capabilities supported by the terminal; The first receiving module 1802 is configured to receive the key derivation parameter sent by the UDM; the second sending module 1803 is configured to send the key derivation parameter to the terminal.

The embodiment of the present disclosure also provides a key generation device, which is applied to UDM. Refer to FIG. 19, which is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 19, the key generation device 1900 includes: a first acquisition module 1901, configured to acquire subscription information of a terminal, the subscription information includes the application service security capabilities supported by the terminal; a first sending module 1902, When it is determined according to the subscription information that the terminal derives the application service security key, a first instruction is sent to the first network element, and the first instruction is used to instruct the first network element to derive the terminal The security key for the application service.

Optionally, the first obtaining module 1901 is specifically configured to receive the indication information sent by the second network element and the identification of the fourth network element, where the indication information is used to indicate the application service security capabilities supported by the terminal, And the identification information of the AF that starts the AKMA service with the terminal.

Optionally, the device may further include: a first receiving module, configured to receive key derivation parameters sent by the first network element; a first sending module, configured to send the second network element to the Key derivation parameters.

Optionally, the device may further include: a second sending module, configured to send instruction information and an identifier of the fourth network element to the fourth network element, where the instruction information is used to indicate the security of the application service supported by the terminal Capability; The fourth network element is the fourth network element that has enabled the AKMA service between the terminals.

The embodiment of the present disclosure also provides a key generation device, which is applied to a terminal. Referring to FIG. 20, FIG. 20 is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 20, the key generation device 2000 includes: a first sending module 2001, configured to send first information to a second network element, where the first information is used to indicate the application service security capabilities supported by the terminal.

Optionally, the first sending module 2001 is specifically configured to send an N1 message to the second network element, and the first information indicates that the terminal supports the AKMA service.

Optionally, the first sending module 2001 is specifically configured to send an N1 message to the second network element, and the application service security capability includes at least an AKMA service capability and a GBA service capability.

Optionally, the device may further include: a first receiving module, configured to receive key derivation parameters sent by the second network element; a first generation module, configured to generate AKMA according to the key derivation parameters Key.

As shown in FIG. 21, the key generation device of the embodiment of the present disclosure, applied to a terminal, includes a processor 2100, configured to read a program in a memory 2120, and execute the following process:

The transceiver 2110 is used to receive and send data under the control of the processor 2100.

Wherein, in FIG. 21, the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2100 and various circuits of the memory represented by the memory 2120 are linked together. The bus architecture can also link various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein. The bus interface provides the interface. The transceiver 2110 may be a plurality of elements, that is, including a transmitter and a receiver, and provide a unit for communicating with various other devices on a transmission medium. For different user equipment, the user interface 2130 may also be an interface that can externally and internally connect the required equipment. The connected equipment includes, but is not limited to, a keypad, a display, a speaker, a microphone, a joystick, and the like.

The processor 2100 is responsible for managing the bus architecture and general processing, and the memory 2120 can store data used by the processor 2100 when performing operations.

The processor 2100 is further configured to read the program and perform the following steps: send an N1 message to the second network element, where the first information indicates that the terminal supports the AKMA service.

The processor 2100 is further configured to read the program and perform the following steps: send an N1 message to the second network element, and the application service security capability includes at least an AKMA service capability and a GBA service capability.

The processor 2100 is further configured to read the program and execute the following steps:

Receiving the key derivation parameter sent by the second network element; generating an AKMA key according to the key derivation parameter.

As shown in FIG. 22, the key generation device of the embodiment of the present disclosure, applied to the first network element, includes: a processor 2200, configured to read a program in a memory 2222, and execute the following process:

According to the first information, a key is generated.

The transceiver 2210 is configured to receive and send data under the control of the processor 2200.

Wherein, in FIG. 22, the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2200 and various circuits of the memory represented by the memory 2222 are linked together. The bus architecture can also link various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein. The bus interface provides the interface. The transceiver 2210 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium. The processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2222 can store data used by the processor 2200 when performing operations.

The processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2222 can store data used by the processor 2200 when performing operations.

The application service security capability includes the capability to support AKMA service; the processor 2200 is also used to read the program and perform the following steps: request UDM to confirm whether the terminal supports AKMA service; when receiving the first response, generate AKMA Key, the first response indicates that the UDM confirms that the terminal supports the AKMA service.

The processor 2200 is further configured to read the program and perform the following steps: pre-store the corresponding relationship between the identification information of the terminal and whether the terminal supports the AKMA service.

The processor 2200 is further configured to read the program and execute the following steps:

Receiving an authentication request message sent by the second network element, the authentication request message carrying the terminal's subscription permanent identification SUPI, or the authentication request message carrying the terminal's subscription encryption identification SUCI;

The sending first indication information to the UDM includes:

An authentication request message sent by a second network element is received, the authentication request message carries the first information, and the application service security capability includes at least the capability of supporting the AKMA service and the capability of supporting the GBA service of the universal guidance architecture.

Generate a key according to the instruction information;

Send the AKMA key derivation parameter to the UDM.

Referring again to FIG. 22, the key generation device of the embodiment of the present disclosure, applied to a third network element, includes: a processor 2200, configured to read a program in a memory 2222, and execute the following process:

Receive the key request of the target fourth network element;

Acquiring the identifier of the target fourth network element;

Acquiring the identifier of the fourth network element;

Referring again to FIG. 22, the key generation device of the embodiment of the present disclosure, applied to the second network element, includes: a processor 2200, configured to read a program in a memory 2222, and execute the following process:

Wherein, in FIG. 22, the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2200 and various circuits of the memory represented by the memory 2222 are linked together. The bus architecture can also link various other circuits such as peripherals, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein. The bus interface provides the interface. The transceiver 2210 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium. The processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2222 can store data used by the processor 2200 when performing operations.

Referring again to FIG. 22, the key generation device of the embodiment of the present disclosure, applied to UDM, includes: a processor 2200, configured to read a program in a memory 2222, and execute the following process:

Receiving the third request of the first network element;

Wherein, the subscription information further includes: identification information of the fourth network element that has enabled the AKMA service with the terminal.

Receiving the key derivation parameter sent by the UDM;

Sending the key derivation parameter to the terminal.

Receiving the key derivation parameter sent by the first network element;

Sending the key derivation parameter to the second network element.

The embodiments of the present disclosure also provide a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, each process of the above-mentioned key generation method embodiment is realized, and the same The technical effect, in order to avoid repetition, will not be repeated here. Wherein, the computer-readable storage medium, such as read-only memory (Read-Only Memory, ROM for short), random access memory (Random Access Memory, RAM for short), magnetic disk, or optical disk, etc.

It should be noted that in this article, the terms "include", "include" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements not only includes those elements, It also includes other elements that are not explicitly listed, or elements inherent to the process, method, article, or device. If there are no more restrictions, the element defined by the sentence "including a..." does not exclude the existence of other identical elements in the process, method, article, or device that includes the element.

Through the description of the above implementation manners, those skilled in the art can clearly understand that the above-mentioned embodiment method can be implemented by means of software plus the necessary general hardware platform, of course, it can also be implemented by hardware, but in many cases the former is better.的实施方式。 According to this understanding, the technical solution of the present disclosure can be embodied in the form of a software product in essence or a part that contributes to the related technology. The computer software product is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk). ) Includes several instructions to make a terminal (which can be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) execute the methods described in the various embodiments of the present disclosure.

It can be understood that the embodiments described in the embodiments of the present disclosure may be implemented by hardware, software, firmware, middleware, microcode, or a combination thereof. For hardware implementation, each module, unit, sub-unit or sub-module can be implemented in one or more application specific integrated circuits (ASICs), digital signal processors (Digital Signal Processing, DSP), digital signal processing equipment (DSP Device, DSPD), Programmable Logic Device (Programmable Logic Device, PLD), Field-Programmable Gate Array (Field-Programmable Gate Array, FPGA), general-purpose processors, controllers, microcontrollers, microprocessors, In other electronic units or combinations thereof that perform the functions described in the present disclosure.

For software implementation, the technology described in the embodiments of the present disclosure can be implemented by modules (for example, procedures, functions, etc.) that perform the functions described in the embodiments of the present disclosure. The software codes can be stored in the memory and executed by the processor. The memory can be implemented in the processor or external to the processor.

The embodiments of the present disclosure are described above with reference to the accompanying drawings, but the present disclosure is not limited to the above-mentioned specific embodiments. The above-mentioned specific embodiments are only illustrative and not restrictive. Those of ordinary skill in the art are Under the enlightenment of the present disclosure, many forms can be made without departing from the purpose of the present disclosure and the scope of protection of the claims, all of which fall within the protection of the present disclosure.

Claims

A key generation method, applied to a first network element, includes:

Acquiring first information of the terminal, where the first information is used to indicate an application service security capability supported by the terminal;

According to the first information, a key is generated.
The method according to claim 1, wherein the application service security capability includes the capability of supporting application layer authentication and key management AKMA service;

Before the generating a key according to the first information, the method further includes:

Request the unified data management entity UDM to confirm whether the terminal supports the AKMA service;

The generating a key according to the first information includes:

Upon receiving the first response, an AKMA key is generated, the first response indicating that the UDM confirms that the terminal supports the AKMA service.
The method according to claim 1, wherein the method further comprises:

The corresponding relationship between the identification information of the terminal and whether the terminal supports the AKMA service is pre-stored.
The method according to claim 3, wherein said obtaining the first information of the terminal comprises:

Receiving an authentication request message sent by the second network element, the authentication request message carrying the terminal's subscription permanent identification SUPI, or the authentication request message carrying the terminal's subscription encryption identification SUCI;

In the case where the authentication request message carries the SUPI, query the correspondence relationship according to the SUPI to obtain the first information;

When the authentication request message carries the SUCI, send the SUCI to the UDM and obtain the SUPI from the UDM; query the correspondence relationship according to the SUPI obtained from the UDM to obtain the first information.
The method according to claim 2, wherein said obtaining the first information of the terminal comprises:

Receiving an authentication request message sent by a second network element, where the authentication request message carries the first information.
The method according to claim 5, wherein the requesting the unified data management entity UDM to confirm whether the terminal supports the AKMA service comprises:

Sending first indication information to the UDM, where the first indication information is used to instruct the UDM to confirm whether the terminal supports the AKMA service;

Receiving a first confirmation instruction sent by the UDM, where the first confirmation instruction is used to indicate whether the terminal supports the AKMA service.
The method according to claim 6, wherein, before the sending the first indication information to the UDM, the method further comprises:

Receiving a first request from the terminal, where the first request is used to request the generation of an AKMA key;

The sending first indication information to the UDM includes:

According to the first request, first indication information is sent to the UDM.
The method according to claim 1, wherein said obtaining the first information of the terminal comprises:

An authentication request message sent by a second network element is received, the authentication request message carries the first information, and the application service security capability includes at least the capability of supporting the AKMA service and the capability of supporting the GBA service of the universal guidance architecture.
The method according to claim 8, wherein, before said generating a key according to said first information, said method further comprises:

Request UDM to confirm the target application service security capabilities supported by the terminal.
The method according to claim 9, wherein said generating a key according to said first information comprises:

If the target application service security capability is one of the capability to support the AKMA service or the capability to support the GBA service, an AKMA key or a GBA key is generated;

If the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, the key is generated according to the preset policy.
The method according to claim 10, wherein the method further comprises:

If the target application service security capability is one of the capability of supporting AKMA service or the capability of supporting GBA service, sending the information of the security capability of the target application service to a third network element;

If the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, the preset policy and the key generated according to the preset policy are sent to a third network element.
The method according to claim 1, wherein said obtaining the first information of the terminal comprises:

Receiving instruction information sent by UDM, where the instruction information is used to instruct to select an AKMA service for the terminal;

The generating a key according to the first information includes:

Generate a key according to the instruction information;

Send the AKMA key derivation parameter to the UDM.
A key generation method, applied to a third network element, includes:

Receive the key request of the target fourth network element;

According to the key request, determine the application service security capability supported by the terminal and the information of the fourth network element. The fourth network element is the fourth network element that enables the target application service security capability of the terminal, and the target application The service security capability is one or more of the application service security capabilities supported by the terminal;

Generate a key for the application service security capability supported by the terminal.
The method according to claim 13, wherein said determining the application service security capabilities supported by the terminal and the information of the fourth network element comprises:

Request UDM to confirm the application service security capabilities supported by the terminal and the information of the fourth network element;

The generating the key of the application service security capability supported by the terminal includes:

If the application service security capability supported by the terminal is the capability to support the AKMA service and it is determined according to the information of the fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF secret is generated key.
The method according to claim 13, wherein said generating the key of the application service security capability supported by the terminal comprises:

Acquiring the first application service security capability supported by the terminal and sent by the first network element;

Acquiring the identifier of the target fourth network element;

If the first application service security capability is the capability to support AKMA services and it is determined according to the identification of the target fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated .
The method according to claim 13, wherein said generating the key of the application service security capability supported by the terminal comprises:

Acquiring a preset policy sent by the first network element and a key generated according to the preset policy;

Acquiring the identifier of the fourth network element;

If the preset policy indicates that the key is generated due to the ability of the terminal to support the AKMA service, and the identification of the target fourth network element determines the connection between the terminal and the target fourth network element When the AKMA service is turned on, the AF key is generated.
The method according to claim 13, wherein said determining the application service security capabilities supported by the terminal and the information of the fourth network element comprises:

Receive the indication information sent by UDM and the identification of the fourth network element, where the indication information is used to indicate the capability of the terminal to support the AKMA service, and the fourth network element is the fourth network with the AKMA service enabled between the terminals Yuan;

The generating the key of the application service security capability supported by the terminal includes:

If the application service security capability supported by the terminal is the capability to support the AKMA service and it is determined according to the information of the fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF secret is generated key.
A key generation method, applied to a second network element, includes:

Send first information to the first network element, where the first information indicates an application service security capability supported by the terminal, and the first information is used to enable the first network element to generate a key according to the first information.
The method according to claim 18, wherein the sending the first information to the first network element comprises:

Sending an authentication request message to the first network element, where the authentication request message carries the first information.
The method according to claim 18, wherein the sending the first information to the first network element comprises:

Send an authentication request message to the first network element, where the authentication request message carries the first information, and the application service security capability includes at least an AKMA service capability and a GBA service capability.
A key generation method applied to UDM, including:

Storing subscription information of the terminal, where the subscription information includes the application service security capabilities supported by the terminal;

According to the subscription information, the target application service security capability supported by the terminal is confirmed.
The method according to claim 21, wherein the confirming the target application service security capability supported by the terminal according to the subscription information comprises:

Receiving a first request from a first network element, where the first request is used to confirm whether the terminal supports the AKMA service;

According to the subscription information and the first request, a first response is sent to the first network element, where the first response is used to indicate whether the terminal supports the AKMA service.
The method according to claim 22, wherein said receiving the first request of the first network element comprises:

During the master authentication process, receive the first request of the first network element; or

After the master authentication process is completed, the first request of the first network element is received.
The method according to claim 21, wherein the confirming the target application service security capability supported by the terminal according to the subscription information comprises:

Receiving a second request from a third network element, where the second request is used to confirm whether the terminal supports the AKMA service;

According to the subscription information and the second request, a second response is sent to the third network element, where the second response is used to indicate whether the terminal supports the AKMA service.
The method according to claim 21, wherein the confirming the target application service security capability supported by the terminal according to the subscription information comprises:

Receiving the third request of the first network element;

According to the subscription information and the third request, a third response is sent to the first network element, where the third response is used to indicate that the target application service security capability is the capability of supporting AKMA service or the capability of supporting GBA service. Or, the target application service security capability is at least the capability of AKMA to support services and the capability of supporting GBA services.
The method according to claim 21, wherein the subscription information further comprises:

The identification information of the fourth network element that has enabled the AKMA service with the terminal.
A key generation method, applied to a second network element, includes:

Sending instruction information and an identifier of the fourth network element to UDM, where the instruction information is used to indicate the application service security capabilities supported by the terminal;

Receiving the key derivation parameter sent by the UDM;

Sending the key derivation parameter to the terminal.
The method according to claim 27, wherein the indication information is used to indicate the ability of the terminal to support the AKMA service, and the fourth network element is a fourth network element that has enabled the AKMA service between the terminals.
A key generation method applied to UDM, including:

Acquiring subscription information of the terminal, where the subscription information includes application service security capabilities supported by the terminal;

When it is determined according to the subscription information that the terminal derives the application service security key, a first instruction is sent to the first network element, and the first instruction is used to instruct the first network element to derive the terminal's security key. Application service security key.
The method according to claim 29, wherein said acquiring the subscription information of the terminal comprises:

Receive instruction information sent by the second network element and the identification of the fourth network element, where the instruction information is used to indicate the application service security capabilities supported by the terminal and the identification information of the AF that enables the AKMA service with the terminal.
The method according to claim 30, wherein after the sending the first indication to the first network element, the method further comprises:

Receiving the key derivation parameter sent by the first network element;

Sending the key derivation parameter to the second network element.
The method of claim 29, wherein the method further comprises:

Sending instruction information and an identifier of the fourth network element to the fourth network element, where the instruction information is used to indicate the application service security capabilities supported by the terminal;

The fourth network element is the fourth network element that has enabled the AKMA service between the terminals.
A key generation method, applied to a terminal, includes:

Send first information to the second network element, where the first information is used to indicate the application service security capabilities supported by the terminal.
The method according to claim 33, wherein the sending the first information to the second network element comprises:

Sending an N1 message to the second network element, where the first information indicates that the terminal supports the AKMA service.
The method according to claim 33, wherein said sending the first information to the second network element comprises:

The N1 message is sent to the second network element, and the application service security capability includes at least an AKMA service capability and a GBA service capability.
The method according to claim 33, wherein the method further comprises:

Receiving the key derivation parameter sent by the second network element;

The AKMA key is generated according to the key derivation parameter.
A key generation device, applied to a first network element, includes:

The first obtaining module is configured to obtain first information of the terminal, where the first information is used to indicate the application service security capabilities supported by the terminal;

The first generating module is configured to generate a key according to the first information.
A key generation device, applied to a third network element, includes:

The first receiving module is configured to receive the key request of the target fourth network element;

The first determining module is configured to determine, according to the key request, the application service security capability supported by the terminal and the information of the fourth network element, and the fourth network element is the fourth network element that enables the terminal to enable the target application service security capability Network element, the target application service security capability is one or more of the application service security capabilities supported by the terminal;

The first generating module is used to generate the key of the application service security capability supported by the terminal.
A key generation device, applied to a second network element, includes:

The first sending module is configured to send first information to a first network element, where the first information represents an application service security capability supported by the terminal, and the first information is used to make the first network element according to the first information To generate a key.
A key generation device applied to UDM, including:

The first storage module is configured to store subscription information of the terminal, where the subscription information includes the application service security capabilities supported by the terminal;

The first confirmation module is used to confirm the target application service security capability supported by the terminal according to the subscription information.
A key generation device, applied to a second network element, includes:

The first sending module is configured to send indication information and the identification of the fourth network element to the UDM, where the indication information is used to indicate the application service security capabilities supported by the terminal;

The first receiving module is configured to receive the key derivation parameter sent by the UDM;

The second sending module is configured to send the key derivation parameter to the terminal.
A key generation device applied to UDM, including:

The first obtaining module is configured to obtain contract information of the terminal, where the contract information includes the application service security capabilities supported by the terminal;

The first sending module is configured to send a first instruction to the first network element when it is determined that the terminal is to derive the application service security key according to the subscription information, and the first instruction is used to instruct the first network Yuan derives the application service security key of the terminal.
A key generation device, applied to a terminal, includes:

The first sending module is configured to send first information to a second network element, where the first information is used to indicate an application service security capability supported by the terminal.
A key generation device, applied to a first network element, includes: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor; wherein, the processor uses To read the program in the memory, perform the following process:

Acquiring first information of the terminal, where the first information is used to indicate an application service security capability supported by the terminal;

According to the first information, a key is generated.
The device according to claim 44, wherein the application service security capability includes the capability to support AKMA service, and the processor is further configured to read a program in the memory and execute the following process:

Request UDM to confirm whether the terminal supports AKMA service;

Upon receiving the first response, an AKMA key is generated, the first response indicating that the UDM confirms that the terminal supports the AKMA service.
A key generation device, applied to a third network element, includes: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor; wherein, the processor uses To read the program in the memory, perform the following process:

Receive the key request of the target fourth network element;

According to the key request, determine the application service security capability supported by the terminal and the information of the fourth network element. The fourth network element is the fourth network element that enables the target application service security capability of the terminal, and the target application The service security capability is one or more of the application service security capabilities supported by the terminal;

Generate a key for the application service security capability supported by the terminal.
The device according to claim 46, wherein the processor is configured to read the program in the memory and execute the following process:

Request UDM to confirm the application service security capabilities supported by the terminal and the information of the fourth network element;

The generating the key of the application service security capability supported by the terminal includes:

If the application service security capability supported by the terminal is the capability to support the AKMA service and it is determined according to the information of the fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF secret is generated key.
A key generation device applied to a second network element, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor; wherein, the processor uses To read the program in the memory, perform the following process:

Send first information to the first network element, where the first information indicates an application service security capability supported by the terminal, and the first information is used to enable the first network element to generate a key according to the first information.
A key generation device applied to UDM, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor; wherein, the processor is used to read The program in the memory performs the following process:

Storing the subscription information of the terminal, where the subscription information includes the application service security capabilities supported by the terminal;

According to the subscription information, the target application service security capability supported by the terminal is confirmed.
The device according to claim 49, wherein the processor is configured to read the program in the memory and execute the following process:

Receiving a first request from a first network element, where the first request is used to confirm whether the terminal supports the AKMA service;

According to the subscription information and the first request, a first response is sent to the first network element, where the first response is used to indicate whether the terminal supports the AKMA service.
A key generation device applied to a second network element, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor; wherein, the processor uses To read the program in the memory, perform the following process:

Sending instruction information and an identifier of the fourth network element to the UDM, where the instruction information is used to indicate the application service security capabilities supported by the terminal;

Receiving the key derivation parameter sent by the UDM;

Sending the key derivation parameter to the terminal.
A key generation device applied to UDM, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor; wherein, the processor is used to read The program in the memory performs the following process:

Acquiring subscription information of the terminal, where the subscription information includes application service security capabilities supported by the terminal;

When it is determined according to the subscription information that the terminal derives the application service security key, a first instruction is sent to the first network element, and the first instruction is used to instruct the first network element to derive the terminal's security key. Application service security key.
The device according to claim 52, wherein the processor is configured to read the program in the memory and execute the following process:

Receive instruction information sent by the second network element and the identification of the fourth network element, where the instruction information is used to indicate the application service security capabilities supported by the terminal and the identification information of the AF that enables the AKMA service with the terminal.
A key generation device applied to a terminal, including: a transceiver, a memory, a processor, and a program stored in the memory and running on the processor; wherein the processor is used to read The program in the memory performs the following process:

Send first information to the second network element, where the first information is used to indicate the application service security capabilities supported by the terminal.
A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the steps in the method for generating a key according to any one of claims 1 to 12; or The steps in the key generation method according to any one of claims 13 to 17; or, to implement the steps in the key generation method according to any one of claims 18 to 20; or, to implement the steps in the key generation method according to any one of claims 18 to 20; The steps in the key generation method according to any one of claims 21 to 26; or, the steps in the key generation method according to any one of claims 27 to 28 are implemented; or, the steps in the key generation method according to any one of claims 27 to 28; or, the steps are implemented as claimed in claim 29 The steps in the key generation method according to any one of claims 33 to 32; or the steps in the key generation method according to any one of claims 33 to 36 are implemented.