WO2021196818A1 - Key generation method and apparatus, device, and computer-readable storage medium - Google Patents


Info

Publication number
WO2021196818A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
network element
information
key
akma
Application number
PCT/CN2021/070544
Other languages
English (en)
Chinese (zh)
Inventor
毕晓宇
Original Assignee
大唐移动通信设备有限公司
Application filed by 大唐移动通信设备有限公司
Publication of WO2021196818A1

Classifications

    • H: ELECTRICITY
        • H04: ELECTRIC COMMUNICATION TECHNIQUE
            • H04W: WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
                        • H04W 12/041: Key generation or derivation
                    • H04W 12/30: Security of mobile devices; Security of mobile applications

Definitions

  • the present disclosure relates to the field of communication technologies, and in particular, to a method and device for generating a key, equipment, and a computer-readable storage medium.
  • the 5G network provides the session security protection function between the user and the access application, and proposes an application-based key management method, referred to as AKMA (Authentication and Key Management for Applications, application layer authentication and key management).
  • NEF Network Exposure Function
  • the AKMA service requires logical entities, such as AAnF (AKMA Anchor Function) in Figure 1.
  • the AAnF anchor function is used to generate the application key K_AF, which protects the UE application data, based on the anchor key K_AKMA between the UE (User Equipment) and the AF (Application Function).
  • AUSF Authentication Server Function
  • the embodiments of the present disclosure provide a key generation method and device, equipment, and computer-readable storage medium to save network resources.
  • the embodiments of the present disclosure provide a key generation method applied to a first network element, which includes:
  • a key is generated.
  • the application service security capability includes the capability of supporting application layer authentication and key management AKMA service
  • the method further includes:
  • the generating a key according to the first information includes:
  • an AKMA key is generated, the first response indicating that the UDM confirms that the terminal supports the AKMA service.
  • the method further includes:
  • the corresponding relationship between the identification information of the terminal and whether the terminal supports the AKMA service is pre-stored.
  • said obtaining the first information of the terminal includes:
  • an authentication request message carrying the SUPI (Subscription Permanent Identifier) of the terminal, or an authentication request message carrying the SUCI (Subscription Concealed Identifier) of the terminal;
  • when the authentication request message carries the SUPI, the correspondence relationship is queried according to the SUPI to obtain the first information;
  • when the authentication request message carries the SUCI, the SUCI is sent to the UDM and the SUPI is obtained from the UDM, and the correspondence relationship is then queried according to the SUPI obtained from the UDM to obtain the first information.
  • the request for the unified data management entity UDM to confirm whether the terminal supports the AKMA service includes:
  • before the sending of the first indication information to the UDM, the method further includes:
  • the sending first indication information to the UDM includes:
  • first indication information is sent to the UDM.
  • the obtaining of the first information of the terminal includes:
  • the authentication request message carries the first information
  • the application service security capability includes at least the capability of supporting AKMA services and the capability of supporting GBA (Generic Bootstrapping Architecture) services.
  • said method further includes:
  • the generating a key according to the first information includes:
  • if the target application service security capability is one of the capability to support the AKMA service or the capability to support the GBA service, an AKMA key or a GBA key is generated;
  • if the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, the key is generated according to the preset policy.
  • the method further includes:
  • if the target application service security capability is one of the capability of supporting the AKMA service or the capability of supporting the GBA service, the information of the target application service security capability is sent to a third network element;
  • if the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, the preset policy and the key generated according to the preset policy are sent to a third network element.
  • said obtaining the first information of the terminal includes:
  • the generating a key according to the first information includes:
  • the embodiments of the present disclosure provide a key generation method applied to a third network element, including:
  • the fourth network element is the fourth network element that enables the target application service security capability of the terminal, and the target application service security capability is one or more of the application service security capabilities supported by the terminal;
  • the determination of the application service security capabilities supported by the terminal and the information of the fourth network element includes:
  • the generating the key of the application service security capability supported by the terminal includes:
  • if the application service security capability supported by the terminal is the capability to support the AKMA service, and it is determined according to the information of the fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated.
  • if the first application service security capability is the capability to support AKMA services, and it is determined according to the identification of the target fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated.
  • the generating the key of the application service security capability supported by the terminal includes:
  • if the preset policy indicates that the key was generated because the terminal supports the AKMA service, and it is determined according to the identification of the target fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then the AF key is generated.
  • the determination of the application service security capabilities supported by the terminal and the information of the fourth network element includes:
  • the generating the key of the application service security capability supported by the terminal includes:
  • if the application service security capability supported by the terminal is the capability to support the AKMA service, and it is determined according to the information of the fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated.
  • embodiments of the present disclosure provide a method for generating a key, which is applied to a second network element, and includes:
  • the sending the first information to the first network element includes:
  • the sending the first information to the first network element includes:
  • the application service security capability includes at least an AKMA service capability and a GBA service capability.
  • the embodiments of the present disclosure provide a key generation method applied to UDM, including:
  • the target application service security capability supported by the terminal is confirmed.
  • the confirming the target application service security capability supported by the terminal according to the subscription information includes:
  • a first response is sent to the first network element, where the first response is used to indicate whether the terminal supports the AKMA service.
  • the receiving the first request of the first network element includes:
  • the first request of the first network element is received.
  • the confirming the target application service security capability supported by the terminal according to the subscription information includes:
  • a second response is sent to the third network element, where the second response is used to indicate whether the terminal supports the AKMA service.
  • the confirming the target application service security capability supported by the terminal according to the subscription information includes:
  • a third response is sent to the first network element, where the third response is used to indicate that the target application service security capability is the capability of supporting AKMA service or the capability of supporting GBA service.
  • the target application service security capability is at least the capability of supporting AKMA services and the capability of supporting GBA services.
  • the subscription information further includes:
  • the identification information of the fourth network element that has enabled the AKMA service with the terminal.
  • the embodiments of the present disclosure also provide a key generation method applied to a second network element, including:
  • the indication information is used to indicate the ability of the terminal to support the AKMA service
  • the fourth network element is the fourth network element that has enabled the AKMA service with the terminal.
  • the embodiments of the present disclosure also provide a key generation method, which is applied to UDM, including:
  • said acquiring the subscription information of the terminal includes:
  • the method further includes:
  • the method further includes:
  • the fourth network element is the fourth network element that has enabled the AKMA service with the terminal.
  • the embodiments of the present disclosure also provide a method for generating a key, which is applied to a terminal, and includes:
  • the sending the first information to the second network element includes:
  • the sending the first information to the second network element includes:
  • the N1 message is sent to the second network element, and the application service security capability includes at least an AKMA service capability and a GBA service capability.
  • the method further includes:
  • the AKMA key is generated according to the key derivation parameter.
  • embodiments of the present disclosure provide a key generation device applied to a first network element, including:
  • the first obtaining module is configured to obtain first information of the terminal, where the first information is used to indicate the application service security capabilities supported by the terminal;
  • the first generating module is configured to generate a key according to the first information.
  • embodiments of the present disclosure provide a key generation device applied to a third network element, including:
  • the first receiving module is configured to receive the key request of the target fourth network element
  • the first determining module is configured to determine, according to the key request, the application service security capability supported by the terminal and the information of the fourth network element, where the fourth network element is the fourth network element that has enabled the target application service security capability with the terminal, and the target application service security capability is one or more of the application service security capabilities supported by the terminal;
  • the first generating module is used to generate the key of the application service security capability supported by the terminal.
  • an embodiment of the present disclosure provides a key generation device applied to a second network element, including:
  • the first sending module is configured to send first information to a first network element, where the first information represents an application service security capability supported by the terminal, and the first information is used to enable the first network element to generate a key according to the first information.
  • an embodiment of the present disclosure provides a key generation device applied to UDM, including:
  • the first storage module is configured to store subscription information of the terminal, where the subscription information includes the application service security capabilities supported by the terminal;
  • the first confirmation module is configured to confirm the target application service security capability supported by the terminal according to the subscription information.
  • embodiments of the present disclosure provide a key generation device applied to a second network element, including:
  • the first sending module is configured to send indication information and the identification of the fourth network element to the UDM, where the indication information is used to indicate the application service security capabilities supported by the terminal;
  • the first receiving module is configured to receive the key derivation parameter sent by the UDM;
  • the second sending module is configured to send the key derivation parameter to the terminal.
  • embodiments of the present disclosure provide a key generation device applied to UDM, including:
  • the first obtaining module is configured to obtain subscription information of the terminal, where the subscription information includes the application service security capabilities supported by the terminal;
  • the first sending module is configured to send a first instruction to the first network element when it is determined according to the subscription information that the application service security key is to be derived for the terminal, where the first instruction is used to instruct the first network element to derive the application service security key of the terminal.
  • embodiments of the present disclosure provide a key generation device applied to a terminal, including:
  • the first sending module is configured to send first information to a second network element, where the first information is used to indicate an application service security capability supported by the terminal.
  • the embodiments of the present disclosure provide a key generation device, which is applied to a first network element, and includes: a transceiver, a memory, a processor, and a program stored in the memory and runnable on the processor; the processor is configured to read the program in the memory and execute the following process:
  • a key is generated.
  • the application service security capability includes the capability to support the AKMA service, and the processor is also used to read the program in the memory and execute the following process:
  • an AKMA key is generated, the first response indicating that the UDM confirms that the terminal supports the AKMA service.
  • the embodiments of the present disclosure provide a key generation device, which is applied to a third network element, and includes: a transceiver, a memory, a processor, and a program stored on the memory and runnable on the processor; the processor is configured to read the program in the memory and execute the following process:
  • the fourth network element is the fourth network element that enables the target application service security capability of the terminal, and the target application
  • the service security capability is one or more of the application service security capabilities supported by the terminal
  • the processor is used to read the program in the memory and execute the following process:
  • the generating the key of the application service security capability supported by the terminal includes:
  • if the application service security capability supported by the terminal is the capability to support the AKMA service, and it is determined according to the information of the fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated.
  • the embodiments of the present disclosure provide a key generation device, which is applied to a second network element, and includes: a transceiver, a memory, a processor, and a program stored in the memory and runnable on the processor; the processor is configured to read the program in the memory and execute the following process:
  • the embodiments of the present disclosure provide a key generation device applied to UDM, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor;
  • the processor is used to read the program in the memory and execute the following process:
  • the target application service security capability supported by the terminal is confirmed.
  • the processor is used to read the program in the memory and execute the following process:
  • a first response is sent to the first network element, where the first response is used to indicate whether the terminal supports the AKMA service.
  • the embodiments of the present disclosure provide a key generation device, which is applied to a second network element, and includes: a transceiver, a memory, a processor, and a program stored on the memory and runnable on the processor; the processor is configured to read the program in the memory and execute the following process:
  • the embodiments of the present disclosure provide a key generation device applied to UDM, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor;
  • the processor is used to read the program in the memory and execute the following process:
  • a first instruction is sent to the first network element, where the first instruction is used to instruct the first network element to derive the application service security key of the terminal.
  • the processor is used to read the program in the memory and execute the following process:
  • embodiments of the present disclosure provide a key generation device applied to a terminal, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor
  • the processor is used to read the program in the memory and execute the following process:
  • the embodiments of the present disclosure provide a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the steps in the key generation method as described in the first aspect; or implements the steps in the key generation method as described in the second aspect; or implements the steps in the key generation method as described in the third aspect; or implements the steps in the key generation method as described in the fourth aspect; or implements the steps in the key generation method as described in the fifth aspect; or implements the steps in the key generation method as described in the sixth aspect; or implements the steps in the key generation method as described in the seventh aspect.
  • FIG. 1 is a diagram of the AKMA architecture in the related art.
  • FIG. 2 is the first flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 3 is the second flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 4 is the third flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 5 is the fourth flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 6 is the fifth flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 7 is the sixth flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 8 is the seventh flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 9 is the eighth flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 10 is the ninth flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 11 is the tenth flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 12 is the eleventh flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 13 is the twelfth flowchart of the key generation method provided by an embodiment of the present disclosure.
  • FIG. 14 is the first structural diagram of the key generation device provided by an embodiment of the present disclosure.
  • FIG. 15 is the second structural diagram of the key generation device provided by an embodiment of the present disclosure.
  • FIG. 16 is the third structural diagram of the key generation device provided by an embodiment of the present disclosure.
  • FIG. 17 is the fourth structural diagram of the key generation device provided by an embodiment of the present disclosure.
  • FIG. 18 is the fifth structural diagram of the key generation device provided by an embodiment of the present disclosure.
  • FIG. 19 is the sixth structural diagram of the key generation device provided by an embodiment of the present disclosure.
  • FIG. 20 is the seventh structural diagram of the key generation device provided by an embodiment of the present disclosure.
  • FIG. 21 is the first structural diagram of a key generation device provided by an embodiment of the present disclosure.
  • FIG. 22 is the second structural diagram of a key generation device provided by an embodiment of the present disclosure.
  • FIG. 2 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to the first network element.
  • the first network element may be AUSF (Authentication Server Function), as shown in FIG. 2, including the following steps 201 and 202.
  • Step 201: acquire first information of a terminal, where the first information is used to indicate an application service security capability supported by the terminal.
  • the application service security capability supported by the terminal may be, for example, the capability of supporting the AKMA service, the capability of supporting the GBA service, and so on.
  • Step 202: generate a key according to the first information.
  • the first network element may generate an AKMA key for the terminal.
  • the corresponding relationship between the identification information of the terminal and whether the terminal supports the AKMA service may be pre-stored in the first network element.
  • the first network element may receive an authentication request message sent by the second network element (an AMF (Access and Mobility Management Function) or a SEAF (Security Anchor Function)), where the authentication request message carries the SUPI of the terminal or the SUCI of the terminal.
  • the first network element may query the correspondence relationship according to the SUPI to obtain the first information.
  • the first network element may send the SUCI to the UDM and obtain the SUPI from the UDM, and then query the correspondence relationship according to the SUPI obtained from the UDM to acquire the first information.
  • the first network element can confirm to the UDM whether the terminal supports the AKMA service.
  • step 201 specifically includes receiving an authentication request message sent by a second network element, where the authentication request message carries the first information.
  • Step 202 specifically includes generating an AKMA key when receiving a first response, where the first response indicates that the UDM confirms that the terminal supports the AKMA service.
  • the first network element may send first indication information to the UDM, where the first indication information is used to instruct the UDM to confirm whether the terminal supports the AKMA service, and receive a first confirmation indication sent by the UDM, where the first confirmation indication is used to indicate whether the terminal supports the AKMA service.
  • the process of requesting UDM confirmation can occur during the main authentication process or after the main authentication process.
  • the first network element receives a first request from the terminal, where the first request is used to request generation of an AKMA key, and then sends the first indication information to the UDM according to the first request.
  • the first network element may receive an authentication request message sent by a second network element, where the authentication request message carries the first information, and the application service security capability includes at least the capability of supporting the AKMA service and the capability of supporting the GBA service.
  • the first network element may also request UDM to confirm the target application service security capabilities supported by the terminal.
  • step 202 specifically includes: if the target application service security capability is one of the capability to support the AKMA service or the capability to support the GBA service, generating an AKMA key or a GBA key; if the target application service security capability is at least the capability to support the AKMA service and the capability to support the GBA service, generating the key according to a preset policy.
  • the preset policy may be configured in advance; for example, it may be to generate an AKMA key, to generate a GBA key, to generate another kind of key, and so on, or to decide which form of key to generate according to the processing capability of the first network element itself.
  • if the target application service security capability is one of the capability of supporting the AKMA service or the capability of supporting the GBA service, the first network element sends the target application service security capability information to the third network element (such as AAnF); if the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, the first network element sends the preset policy and the key generated according to the preset policy to the third network element.
  • the first network element may also generate an AKMA key according to the UDM instruction.
  • the first network element receives instruction information sent by UDM, where the instruction information is used to instruct to select the AKMA service for the terminal.
  • step 202 is specifically: generating a key according to the instruction information, and sending the AKMA key derivation parameter to the UDM.
  • the key derivation parameters may include, for example, random numbers, counters, terminal identifications, and so on.
  • the key is generated according to the first information. Therefore, the solution of the embodiment of the present disclosure avoids the problem of always generating keys for the terminal in the related art, thereby saving network resources.
  • FIG. 3 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to a third network element.
  • the third network element may be AAnF, as shown in FIG. 3, including the following steps 301 to 303.
  • Step 301: receive a key request from the target fourth network element.
  • the fourth network element may be an AF (Application Function).
  • Step 302: according to the key request, determine the application service security capability supported by the terminal and the information of the fourth network element, where the fourth network element is the fourth network element that has enabled the target application service security capability with the terminal, and the target application service security capability is one or more of the application service security capabilities supported by the terminal.
  • the application service security capabilities supported by the terminal may include the capability to support the AKMA service, the capability to support the GBA service, and so on.
  • the information of the fourth network element may be the identification of the fourth network element or the like.
  • Step 303: generate a key for the application service security capability supported by the terminal.
  • the third network element requests the UDM to confirm the application service security capabilities supported by the terminal and the information of the fourth network element. Then, in this step, if the application service security capability supported by the terminal is the capability to support the AKMA service, and it is determined based on the information of the fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, an AF key is generated.
  • the third network element obtains the first application service security capability supported by the terminal, sent by the first network element, and obtains the identifier of the target fourth network element. If the first application service security capability is the capability to support the AKMA service, and it is determined according to the identification of the target fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, an AF key is generated.
  • the third network element obtains the preset policy sent by the first network element and the key generated according to the preset policy, and obtains the identity of the fourth network element. If the preset policy indicates that the key was generated because the terminal supports the AKMA service, and it is determined according to the identification of the target fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, the AF key is generated.
  • the third network element may receive the indication information sent by the UDM and the identification of the fourth network element, where the indication information is used to indicate that the terminal supports the AKMA service, and the fourth network element is the fourth network element that has enabled the AKMA service with the terminal. Then, in this step, if the application service security capability supported by the terminal is the capability to support the AKMA service, and it is determined based on the information of the fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, an AF key is generated.
  • the key is generated according to the security capability of the application service supported by the terminal and the information of the fourth network element. Therefore, the solution of the embodiment of the present disclosure avoids the problem of always generating keys for the terminal in the related art, thereby saving network resources.
  • FIG. 4 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to a second network element.
  • the second network element may be SEAF or AMF, as shown in Figure 4, including the following steps:
  • Step 401 Send first information to a first network element, where the first information indicates an application service security capability supported by the terminal, and the first information is used to enable the first network element to generate a key according to the first information.
  • the second network element may send an authentication request message to the first network element, and the authentication request message carries the first information.
  • the second network element may send an authentication request message to the first network element, where the authentication request message carries the first information, and the application service security capability includes at least an AKMA service capability and a GBA service capability.
  • the key is generated according to the security capability of the application service supported by the terminal and the information of the fourth network element. Therefore, the solution of the embodiment of the present disclosure avoids the problem of always generating keys for the terminal in the related art, thereby saving network resources.
  • FIG. 5 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to UDM. As shown in Figure 5, the following steps 501 and 502 are included.
  • Step 501 Store the subscription information of the terminal, where the subscription information includes the application service security capabilities supported by the terminal.
  • the subscription information may also include identification information of the fourth network element that has enabled the AKMA service with the terminal.
  • Step 502 According to the subscription information, confirm the target application service security capability supported by the terminal.
  • UDM may receive a first request from a first network element, the first request is used to confirm whether the terminal supports AKMA service, and then, according to the subscription information and the first request Send a first response to the first network element, where the first response is used to indicate whether the terminal supports the AKMA service.
  • the above process may be during the main authentication process or after the main authentication process.
  • the UDM may receive a second request from a third network element, the second request is used to confirm whether the terminal supports the AKMA service, and then, according to the subscription information and the second request Send a second response to the third network element, where the second response is used to indicate whether the terminal supports the AKMA service.
  • UDM may receive the third request of the first network element. After that, UDM sends a third response to the first network element according to the subscription information and the third request.
  • the third response is used to indicate that the target application service security capability is one of the capability to support AKMA services or the capability to support GBA services, or that the target application service security capability is at least the capability to support AKMA services and the capability to support GBA services.
  • the key is generated according to the security capability of the application service supported by the terminal and the information of the fourth network element. Therefore, the solution of the embodiment of the present disclosure avoids the problem of always generating keys for the terminal in the related art, thereby saving network resources.
  • FIG. 6 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to a second network element.
  • the second network element may be SEAF or AMF, as shown in FIG. 6, including the following steps 601 to 603.
  • Step 601 Send indication information and the identifier of the fourth network element to the UDM, where the indication information is used to indicate the application service security capabilities supported by the terminal.
  • the indication information is used to indicate that the terminal supports the AKMA service.
  • the fourth network element is the fourth network element that has enabled the AKMA service with the terminal.
  • Step 602 Receive the key derivation parameter sent by the UDM.
  • Step 603 Send the key derivation parameter to the terminal.
  • the key is generated according to the security capability of the application service supported by the terminal and the information of the fourth network element. Therefore, the solution of the embodiment of the present disclosure avoids the problem of always generating keys for the terminal in the related art, thereby saving network resources.
  • FIG. 7 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to UDM. As shown in Fig. 7, the following steps 701 to 702 are included.
  • Step 701 Acquire subscription information of a terminal, where the subscription information includes application service security capabilities supported by the terminal.
  • UDM may receive the indication information and the identifier of the fourth network element sent by the second network element, where the indication information is used to indicate the application service security capabilities supported by the terminal, and the identifier of the fourth network element is the identification information of the AF that has enabled the AKMA service with the terminal.
  • Step 702 When it is determined according to the subscription information that the terminal is to derive the application service security key, send a first instruction to the first network element, where the first instruction is used to instruct the first network element to derive the application service security key of the terminal.
  • the method may further include: receiving the key derivation parameter sent by the first network element, and sending the key derivation parameter to the second network element.
  • the method may further include: the UDM sending indication information and an identifier of the fourth network element to the fourth network element, where the indication information is used to indicate the application service security capabilities supported by the terminal, and the fourth network element is the fourth network element that has enabled the AKMA service with the terminal.
  • the key is generated according to the security capability of the application service supported by the terminal and the information of the fourth network element. Therefore, the solution of the embodiment of the present disclosure avoids the problem of always generating keys for the terminal in the related art, thereby saving network resources.
  • FIG. 8 is a flowchart of a key generation method provided by an embodiment of the present disclosure, which is applied to a terminal. As shown in Figure 8, it includes the following steps:
  • Step 801 Send first information to a second network element, where the first information is used to indicate an application service security capability supported by the terminal.
  • the terminal may send an N1 message to the second network element, and the first information indicates that the terminal supports the AKMA service.
  • the terminal may send an N1 message to the second network element, and the application service security capability includes at least an AKMA service capability and a GBA service capability.
  • the terminal may also receive the key derivation parameter sent by the second network element, and generate an AKMA key according to the key derivation parameter.
  • the key is generated according to the security capability of the application service supported by the terminal and the information of the fourth network element. Therefore, the solution of the embodiment of the present disclosure avoids the problem of always generating keys for the terminal in the related art, thereby saving network resources.
  • the subscription information of the UE can be pre-stored in the AUSF (Authentication Server Function). The subscription information is a list of UE identities and the corresponding AKMA service information, from which it can be determined whether the UE has enabled or supports the AKMA service.
  • the method may include the following steps:
  • Step 900 The AKMA subscription information of the UE is pre-stored in the AUSF.
  • Step 901 The UE sends an N1 message (N1 message) to a SEAF (Security Anchor Function), and the message may carry SUPI or 5G GUTI (5G Globally Unique Temporary Identifier).
  • Step 902 The SEAF sends an authentication request message (Nausf_UE Authentication_Authenticate Request) to AUSF, and the request carries SUPI or 5G GUTI.
  • Step 903 This step can be divided into two different processing methods according to the content carried in the authentication request message.
  • the first way includes steps 903a-903c.
  • Step 903a After the AUSF receives the authentication request message Nausf_UEAuthentication_Authenticate Request sent by the AMF (Access and Mobility Management Function) (SEAF), if it carries the SUPI, the AUSF can directly confirm from the pre-stored list whether K AKMA can be generated from Kausf.
  • Step 903b AUSF sends Nudm_UEAuthentication_Get Request [SUCI or SUPI, SN name] to UDM.
  • Step 903c UDM replies Nudm_UEAuthentication_Get Response[AV,[SUPI]] to AUSF.
  • the AUSF compares the serving network name with the expected serving network name to check whether the requesting SEAF in the serving network is authorized to use the received serving network name.
  • the second way includes steps 903b-903d.
  • Step 903b AUSF sends Nudm_UEAuthentication_Get Request [SUCI or SUPI, SN name] to UDM.
  • Step 903c UDM replies Nudm_UEAuthentication_Get Response[AV,[SUPI]] to AUSF.
  • Step 903d Since the SEAF sent a SUCI, the AUSF confirms whether K AKMA can be generated from Kausf according to the SUPI obtained from the UDM and the pre-stored list.
  • the main authentication process is performed between the AUSF and the UE, including steps 904-908.
  • Step 904 AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[AV] to SEAF.
  • Step 905 The SEAF sends an Authenticate Request to the UE.
  • Step 906 The UE sends an Authenticate Response to the SEAF.
  • Step 907 SEAF sends an authentication request Nausf_UEAuthentication_Authenticate Request[RES*] to AUSF.
  • Step 908 AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[Result] to SEAF.
  • Step 909 The UE sends an Application session Establishment Request (K AKMA ID) to the AF.
  • Step 910 The AF sends a Key Request to AAnF.
  • Step 911 AAnF queries UDM whether the UE has subscribed to the AKMA service with the AF.
  • the UDM stores which AFs the UE has subscribed to the AKMA service with; the stored information may include: the identity of the UE (such as the SUPI), whether AKMA is supported, which AFs the UE has activated AKMA with, the validity period of the activation, whether the AKMA settings of the UE can be modified, and so on.
  • when the AAnF queries, it needs to carry the identity of the UE (such as the SUPI) and the identity of the AF.
  • Step 912 UDM sends a response (Inquire the UE subscription) to AAnF.
  • the UDM feeds back whether the AKMA service is allowed between the UE and the AF according to the UE subscription information stored locally. If allowed, the UDM feeds back a confirmation to the AAnF, which can carry the UE's SUPI, the AF ID, whether the AKMA service is enabled [enabled/disabled], and the validity period of the AKMA service. Otherwise, the feedback indicates that the UE has not subscribed.
  • the AAnF determines whether to generate the key K af for protecting the application data for the AF according to the query result, and sends the Key Response to the AF.
  • Step 913 AAnF sends a query response to the AF.
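The AAnF decision in steps 911 to 913 (and the equivalent check in steps 302 and 303 above) can be made concrete with a small model of the subscription record the UDM holds. The following is an added example written for this page; it is not code from the patent application or from any 3GPP implementation. The record layout, the field names, the `Udm` and decision functions, and the SUPIs and AF IDs are all constructed assumptions; the rule it encodes is the one the text states: K AF is derived only when the UDM confirms an enabled, unexpired AKMA activation between this UE and this AF, and a missing subscription, a disabled activation, or an expired validity period each yield no key.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class AfActivation:
    """One AF the UE has activated AKMA with (assumed record layout)."""
    af_id: str
    enabled: bool                      # AKMA service [enabled/disabled]
    valid_until: Optional[datetime]    # validity period; None = no expiry


@dataclass
class UeSubscription:
    """Subscription record the UDM stores per UE (fields named in the text)."""
    supi: str
    akma_supported: bool
    modifiable: bool                   # whether the UE's AKMA settings may change
    activations: Dict[str, AfActivation] = field(default_factory=dict)


@dataclass
class SubscriptionResponse:
    """UDM reply to the AAnF query: either 'not subscribed' or the
    SUPI / AF ID / enabled flag / validity period tuple."""
    subscribed: bool
    supi: str
    af_id: str
    enabled: bool = False
    valid_until: Optional[datetime] = None


class Udm:
    def __init__(self, records):
        self._records = {r.supi: r for r in records}

    def inquire_ue_subscription(self, supi: str, af_id: str) -> SubscriptionResponse:
        """Step 912: report whether the UE subscribed to AKMA with this AF."""
        rec = self._records.get(supi)
        if rec is None or not rec.akma_supported or af_id not in rec.activations:
            return SubscriptionResponse(False, supi, af_id)
        act = rec.activations[af_id]
        return SubscriptionResponse(True, supi, af_id, act.enabled, act.valid_until)


def aanf_decide_kaf(udm: Udm, supi: str, af_id: str, now: datetime) -> Tuple[bool, str]:
    """Steps 911-913: the AAnF derives K_AF only when the UDM confirms an
    enabled, unexpired AKMA activation between this UE and this AF."""
    resp = udm.inquire_ue_subscription(supi, af_id)
    if not resp.subscribed:
        return False, "not subscribed"
    if not resp.enabled:
        return False, "AKMA disabled for this AF"
    if resp.valid_until is not None and now >= resp.valid_until:
        return False, "activation expired"
    return True, "derive K_AF"


def demo(now: Optional[datetime] = None) -> Dict[str, Tuple[bool, str]]:
    """Constructed sample data: one UE with three AF activations, one UE without AKMA."""
    now = now or datetime(2021, 1, 1, tzinfo=timezone.utc)
    ue = "imsi-001010123456789"        # constructed SUPI, not a real subscriber
    udm = Udm([
        UeSubscription(ue, akma_supported=True, modifiable=True, activations={
            "af-video": AfActivation("af-video", True, now + timedelta(days=30)),
            "af-chat": AfActivation("af-chat", False, None),
            "af-old": AfActivation("af-old", True, now - timedelta(days=1)),
        }),
        UeSubscription("imsi-001010000000001", akma_supported=False, modifiable=False),
    ])
    return {
        "video": aanf_decide_kaf(udm, ue, "af-video", now),
        "chat": aanf_decide_kaf(udm, ue, "af-chat", now),
        "old": aanf_decide_kaf(udm, ue, "af-old", now),
        "unknown_af": aanf_decide_kaf(udm, ue, "af-none", now),
        "no_akma": aanf_decide_kaf(udm, "imsi-001010000000001", "af-video", now),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:>10}: {'K_AF' if ok else 'no key'} ({why})")
```

The AAnF answers the AF's Key Request only after this check, so an AF that is not in the UE's activation list, or whose activation has lapsed, never receives a key; the UDM remains the single authority for the subscription state.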
  • the N1 request reported by the UE includes the capability to support the AKMA service.
  • the AMF receives the AKMA capability of the UE and informs the AUSF by carrying the AKMA service capability indication in the NAUSF_UE Authentication Request.
  • the method may include the following steps:
  • Step 1001 the UE sends an N1 message (N1 message) to a SEAF (Security Anchor Function), and the message may carry SUPI or 5G GUTI and the capability of supporting the AKMA service (UE AKMA service capability).
  • Step 1002 the SEAF sends an authentication request message Nausf_UEAuthentication_Authenticate Request[SUPI or 5G GUTI, AKMA service capability indication] to AUSF, and the request carries the SUPI or 5G GUTI and the ability to support the AKMA service.
  • Step 1003 AUSF queries UDM for UE's support for AKMA service.
  • AUSF sends Nudm_UEAuthentication_Get Request [SUCI or SUPI, SN name] to UDM, and can carry an inquiry indication (inquire indication for AKMA).
  • Step 1004 UDM replies Nudm_UEAuthentication_Get Response[AV,[SUPI]] to AUSF, and may carry a confirmation indication (confirm indication).
  • the AUSF should compare the service network name with the expected service network name to check whether the requested SEAF in the service network has the right to use the received service network name.
  • the main authentication process is performed between the AUSF and the UE, including steps 1005-step 1009.
  • Step 1005 AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[AV] to SEAF.
  • Step 1006 The SEAF sends an Authenticate Request to the UE.
  • Step 1007 The UE sends an Authenticate Response to the SEAF.
  • Step 1008 SEAF sends an authentication request Nausf_UEAuthentication_Authenticate Request[RES*] to AUSF.
  • Step 1009 AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[Result] to SEAF.
  • Step 1010 The UE sends an Application session Establishment Request (K AKMA ID) to the AF.
  • Step 1011 The AF sends a Key Request to AAnF.
  • Step 1012 AAnF queries UDM whether the UE has subscribed to the AKMA service with the AF.
  • the UDM stores which AFs the UE has subscribed to the AKMA service with; the stored information may include: the identity of the UE (such as the SUPI), whether AKMA is supported, which AFs the UE has activated AKMA with, the validity period of the activation, whether the AKMA settings of the UE can be modified, and so on.
  • when the AAnF queries, it needs to carry the identity of the UE (such as the SUPI) and the identity of the AF.
  • Step 1013 UDM sends a response (Inquire the UE subscription) to AAnF.
  • the UDM feeds back whether the AKMA service is allowed between the UE and the AF according to the UE subscription information stored locally. If allowed, the UDM feeds back a confirmation to the AAnF, which can carry the UE's SUPI, the AF ID, whether the AKMA service is enabled [enabled/disabled], and the validity period of the AKMA service. Otherwise, the feedback indicates that the UE has not subscribed.
  • AAnF determines whether to generate a key K af for protecting application data for the AF according to the query result, and sends a key response Key Response to the AF.
  • Step 1014 AAnF sends a response Key Response to the AF.
  • FIG. 11 is a flowchart of a key generation method provided by an embodiment of the present disclosure.
  • the difference from the embodiment shown in FIG. 10 is that the AUSF's query to the UDM about the UE's AKMA capability occurs after the main authentication. It is possible that the AUSF has already received the UE's request for K AKMA key derivation, in which case the AUSF immediately initiates the AKMA key derivation.
  • the method may include the following steps:
  • Step 1101 the UE sends an N1 message (N1 message) to a SEAF (Security Anchor Function), and the message may carry SUPI or 5G GUTI and the capability of supporting the AKMA service (UE AKMA service capability).
  • Step 1102 SEAF sends an authentication request message Nausf_UEAuthentication_Authenticate Request[SUPI or 5G GUTI, AKMA service capability indication] to AUSF, and the request carries SUPI or 5G GUTI and the ability to support the AKMA service.
  • Step 1103 AUSF sends Nudm_UEAuthentication_Get Request[SUCI or SUPI, SN name] to UDM.
  • Step 1104 UDM replies Nudm_UEAuthentication_Get Response[AV,[SUPI]] to AUSF.
  • the main authentication process is performed between the AUSF and the UE, including steps 1105-step 1109.
  • Step 1105 AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[AV] to SEAF.
  • Step 1106 The SEAF sends an Authenticate Request to the UE.
  • Step 1107 The UE sends an Authenticate Response to the SEAF.
  • Step 1108 SEAF sends an authentication request Nausf_UEAuthentication_Authenticate Request[RES*] to AUSF.
  • Step 1109 AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[Result] to SEAF.
  • Step 1110 AUSF queries UDM whether the UE supports AKMA service.
  • Step 1111 UDM performs a query according to the pre-stored subscription information, and returns the query result.
  • If the query result indicates that the UE supports the AKMA service, the AUSF generates the key K AKMA.
  • Step 1112 the UE sends an Application session Establishment Request (K AKMA ID) to the AF.
  • Step 1113 The AF sends a Key Request to AAnF.
  • Step 1114 AAnF queries UDM whether the UE has subscribed to the AKMA service with the AF.
  • the UDM stores which AFs the UE has subscribed to the AKMA service with; the stored information may include: the identity of the UE (such as the SUPI), whether AKMA is supported, which AFs the UE has activated AKMA with, the validity period of the activation, whether the AKMA settings of the UE can be modified, and so on.
  • when the AAnF queries, it needs to carry the identity of the UE (such as the SUPI) and the identity of the AF.
  • Step 1115 UDM sends a response (Inquire the UE subscription) to AAnF.
  • the UDM feeds back whether the AKMA service is allowed between the UE and the AF according to the UE subscription information stored locally. If allowed, the UDM feeds back a confirmation to the AAnF, which can carry the UE's SUPI, the AF ID, whether the AKMA service is enabled [enabled/disabled], and the validity period of the AKMA service. Otherwise, the feedback indicates that the UE has not subscribed.
  • the AAnF decides whether to generate the key K af for protecting the application data for the AF according to the query result.
  • Step 1116 AAnF sends a response Key Response to the AF.
  • the network side selects whether to use the AKMA architecture as a mechanism for protecting user application data according to the support of the service capabilities reported by the UE and the service support information reported by the AF.
  • the method may include:
  • Step 1201 The UE sends a registration request, and the registration request carries the user's application service security capabilities (AKMA service capability, GBA service capability, and others). Other service capabilities may be empty.
  • the UE can send N1 message [SUPI or 5G GUTI, Application protection information indication, UE AKMA service capability].
  • Step 1202 the AMF (SEAF) includes these service capabilities in the Nausf_UEAuthentication_Authenticate Request message and sends it to the AUSF together with the user identity.
  • AMF can send Nausf_UEAuthentication_Authenticate Request [SUPI or 5G GUTI, Application protection information indication, such as AKMA service capability indication] to AUSF.
  • Step 1203 If the AUSF does not already hold this information, then when it receives the Nausf_UEAuthentication_Authenticate Request message it sends an authentication acquisition request message to the UDM, carrying a UE service capability query indication.
  • AUSF sends Nudm_UEAuthentication_Get Request[SUCI or SUPI,SN name] to UDM.
  • Step 1204 After receiving the authentication acquisition instruction sent by AUSF, the UDM will feed back the protection capability information of the UE for application data.
  • UDM sends Nudm_UEAuthentication_Get Response[AV,[SUPI,Application protection information indication]] to AUSF.
  • Step 1205 AUSF determines which form of key to generate.
  • AUSF chooses which method to use to protect application data according to the received authentication acquisition response message. If the UDM clearly indicates that a certain method is selected, such as the AKMA service capability, the AUSF generates an AKMA key for the UE. If the UE supports multiple types, the AUSF chooses which key to derive according to the network policy. The policy can be preset.
  • Step 1206 AUSF sends the policy together with the derived key to AAnF.
  • For example, if the AUSF generates an AKMA key, the AUSF sends the AKMA key to the AAnF; if the AUSF generates the AKMA key according to the network policy, the AUSF sends the policy together with the AKMA key to the AAnF.
  • Step 1207 AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[AV] to SEAF.
  • Step 1208 The SEAF sends an Authenticate Request to the UE.
  • Step 1209 The UE sends an Authenticate Response to the SEAF.
  • Step 1210 SEAF sends an authentication request Nausf_UEAuthentication_Authenticate Request[RES*] to AUSF.
  • Step 1211 AUSF sends an authentication response Nausf_UEAuthentication_Authenticate Response[Result] to SEAF.
  • Step 1212 The UE sends an application key session request Application session Establishment Request (KAKMA ID) to the AF.
  • Step 1213 The AF sends a Key Request to AAnF.
  • AAnF receives the application key request sent by the AF, and the request contains information about whether the AF supports using the AKMA service to protect application data.
  • Step 1214 AAnF decides to derive the K AF key according to the UE capability and the AF capability sent by AUSF. If both support the AKMA service capability, AAnF decides to derive the K AF key.
  • Step 1215 AAnF sends a response Key Response to the AF.
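Steps 1205, 1206 and 1214 describe two decisions: the AUSF picks the form of key (a single capability indicated by the UDM, or a preset network policy when the UE supports several), and the AAnF derives K AF only when both the UE side and the AF support AKMA. The block below is an added example for this page, not code from the patent application; it treats the network policy as an ordered preference list and the capabilities as string labels, and the rule that a UDM indication is honoured only if the UE actually reported that capability is an assumption of the example. The `demo` function and its inputs are constructed.

```python
from typing import Dict, FrozenSet, List, NamedTuple, Optional

AKMA = "AKMA"
GBA = "GBA"


class AusfDecision(NamedTuple):
    """What the AUSF settles on in step 1205 and forwards in step 1206:
    the key type to derive and, if a policy had to break the tie, that policy."""
    key_type: Optional[str]
    policy_used: Optional[List[str]]


def ausf_select_key_type(ue_caps: FrozenSet[str],
                         udm_indication: Optional[str],
                         network_policy: List[str]) -> AusfDecision:
    """Step 1205: pick the application-protection key form.

    - If the UDM clearly indicates one method, use it (assumed: only if the
      UE reported that capability).
    - Otherwise, if the UE reported exactly one capability, use it.
    - If the UE reported several, walk the preset network policy (an ordered
      preference list in this example) and take the first the UE supports.
    - No usable capability: derive nothing.
    """
    if udm_indication is not None and udm_indication in ue_caps:
        return AusfDecision(udm_indication, None)
    if len(ue_caps) == 1:
        return AusfDecision(next(iter(ue_caps)), None)
    for preferred in network_policy:
        if preferred in ue_caps:
            return AusfDecision(preferred, list(network_policy))
    return AusfDecision(None, None)


def aanf_both_support_akma(decision: AusfDecision, af_supports_akma: bool) -> bool:
    """Step 1214: K_AF is derived only if the UE side (as forwarded by the
    AUSF in step 1206) and the AF both support the AKMA service."""
    return decision.key_type == AKMA and af_supports_akma


def demo() -> Dict[str, object]:
    """Constructed inputs covering each branch of the two decisions."""
    policy = [AKMA, GBA]                 # assumed preset policy: prefer AKMA
    both = frozenset({AKMA, GBA})
    only_gba = frozenset({GBA})
    return {
        "udm_says_akma": ausf_select_key_type(both, AKMA, policy),
        "only_gba": ausf_select_key_type(only_gba, None, policy),
        "policy_tiebreak": ausf_select_key_type(both, None, policy),
        "nothing": ausf_select_key_type(frozenset(), None, policy),
        "kaf_ok": aanf_both_support_akma(ausf_select_key_type(both, None, policy), True),
        "kaf_af_no_akma": aanf_both_support_akma(ausf_select_key_type(both, None, policy), False),
        "kaf_gba_ue": aanf_both_support_akma(ausf_select_key_type(only_gba, None, policy), True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>15}: {result}")
```

Returning the policy alongside the key type mirrors step 1206, where the AUSF forwards the policy to the AAnF whenever the policy, rather than an explicit indication, determined the key; the AAnF can then record why an AKMA key exists for a UE that also supports GBA.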
  • FIG. 13 is a flowchart of a key generation method provided by an embodiment of the present disclosure. As shown in Figure 13, the method may include:
  • Step 1301 UE sends UL NAS message (SUPI, AF ID, AKMA capability) to AMF, carrying AKMA capability, AF ID, etc., where the AKMA capability may be an updated capability.
  • Step 1302 AMF sends Nudm_APProtectionUPdate_Notification(SUPI, AF ID, AKMA capability) to UDM to update the AKMA capability information.
  • Step 1303 After receiving it, the UDM decides to provide protection for the UE's AKMA application.
  • Step 1304 UDM informs the AUSF of this information, together with an indication that the AKMA key needs to be derived for the UE.
  • UDM sends Nausf_APProtection (SUPI, AKMA capability, [Key derivate Indication]) to AUSF.
  • Step 1305 After receiving it, AUSF sends a response to UDM and sends the required key derivation parameters to UDM.
  • AUSF sends Nausf_APProtection Response (Key derivate parameters) to UDM.
  • After that, the AUSF generates the key.
  • Step 1306 UDM sends a response to AMF after receiving the confirmation from AUSF, and sends AKMA key derivation parameters to AMF.
  • UDM sends Nudm_APProtectionupdate_Notification Response (AKMA Key derivate parameters) to AMF.
  • Step 1307 The AMF sends the necessary key derivation parameters to the UE through a downlink NAS (Non-Access Stratum, non-access stratum) message.
  • AMF sends DL NAS message (AKMA Key derivate parameters) to UE.
  • Step 1308 The UDM sends the user identification, the user's AKMA capability, the AF ID, and an instruction to derive the key to AAnF.
  • UDM sends Nausf_APProtection (SUPI, AKMA Application capability, AF ID, [Key derivate Indication]) to AANF.
  • Step 1309 AAnF responds to the confirmation message.
  • AANF sends Nausf_APProtection Response (Ack) to UDM.
  • Step 1310 The UE sends an application key session request Application session Establishment Request (KAKMA ID) to the AF.
  • Step 1311 The AF sends a Key Request to AAnF.
  • After the AAnF receives the request from the AF, it derives the AF key according to the UDM's instruction.
  • Step 1312 AAnF sends a response Key Response to the AF.
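The exchange in FIG. 13, where the UE updates its AKMA capability over NAS, the UDM asks the AUSF to derive, the AUSF returns key derivation parameters that travel back to the UE over a downlink NAS message, and both ends then hold the same K AKMA, can be traced end to end with the following added example. It is not code from the patent application or from any 3GPP implementation: the `kdf` is a simplified HMAC-SHA-256 construction standing in for the 3GPP KDF, the derivation parameter is assumed to be a fresh nonce chosen by the AUSF, the message names are modelled as method calls, and the SUPI, AF ID and K AUSF value are constructed. What it shows is the property the text relies on: no derivation parameters are issued, and no key exists on either side, unless the reported AKMA capability is set.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Simplified HMAC-SHA-256 KDF; stands in for the 3GPP KDF (assumption).
    Each parameter is length-prefixed so distinct inputs cannot collide."""
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


class Ausf:
    """Holds K_AUSF per SUPI as established by the main authentication."""
    def __init__(self, k_ausf_by_supi: Dict[str, bytes]):
        self._k_ausf = k_ausf_by_supi
        self.k_akma: Dict[str, bytes] = {}

    def ap_protection(self, supi: str, akma_capability: bool,
                      key_derivate_indication: bool) -> Optional[bytes]:
        """Steps 1304-1305: on a derive indication, choose fresh derivation
        parameters, derive K_AKMA locally, and return the parameters to the UDM."""
        if not (akma_capability and key_derivate_indication):
            return None
        params = os.urandom(16)          # assumed: a fresh nonce is the parameter
        self.k_akma[supi] = kdf(self._k_ausf[supi], b"AKMA", supi.encode(), params)
        return params


class Udm:
    def __init__(self, ausf: Ausf):
        self._ausf = ausf
        self.af_id_by_supi: Dict[str, str] = {}

    def ap_protection_update_notification(self, supi: str, af_id: str,
                                          akma_capability: bool) -> Optional[bytes]:
        """Steps 1302-1306: record the updated capability and AF, decide to protect
        the AKMA application, and fetch the derivation parameters from the AUSF."""
        self.af_id_by_supi[supi] = af_id
        if not akma_capability:
            return None                  # step 1303: nothing to protect
        return self._ausf.ap_protection(supi, akma_capability, key_derivate_indication=True)


class Amf:
    def __init__(self, udm: Udm):
        self._udm = udm

    def handle_ul_nas(self, supi: str, af_id: str, akma_capability: bool) -> Optional[bytes]:
        """Steps 1301/1302 and 1306/1307: relay the UL NAS content to the UDM and
        hand the AKMA key derivation parameters back for the DL NAS message."""
        return self._udm.ap_protection_update_notification(supi, af_id, akma_capability)


class Ue:
    def __init__(self, supi: str, k_ausf: bytes, akma_capability: bool):
        self.supi, self.k_ausf, self.akma_capability = supi, k_ausf, akma_capability

    def on_dl_nas(self, params: bytes) -> bytes:
        """Step 1307 receive side: derive K_AKMA from K_AUSF and the parameters."""
        return kdf(self.k_ausf, b"AKMA", self.supi.encode(), params)


def run_flow(akma_capability: bool) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Run FIG. 13 once; returns (UE-side K_AKMA, AUSF-side K_AKMA)."""
    supi = "imsi-001010123456789"        # constructed SUPI
    k_ausf = hashlib.sha256(b"constructed K_AUSF from main authentication").digest()
    ausf = Ausf({supi: k_ausf})
    amf = Amf(Udm(ausf))
    ue = Ue(supi, k_ausf, akma_capability)
    params = amf.handle_ul_nas(supi, "af-video", ue.akma_capability)
    if params is None:
        return None, None
    return ue.on_dl_nas(params), ausf.k_akma.get(supi)


if __name__ == "__main__":
    ue_key, ausf_key = run_flow(True)
    print("keys match:", ue_key == ausf_key)
    print("without AKMA capability:", run_flow(False))
```

Because the AUSF chooses the parameters, two runs of the flow for the same UE yield different K AKMA values; a defender checking an implementation would want exactly that, since a key that depends only on K AUSF and the SUPI could not be refreshed without a new main authentication.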
  • the embodiment of the present disclosure also provides a key generation device, which is applied to the first network element.
  • FIG. 14 is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle by which the key generation device solves the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and repeated content will not be described again.
  • the key generation device 1400 includes:
  • the first obtaining module 1401 is configured to obtain first information of the terminal, where the first information is used to indicate the application service security capability supported by the terminal; the first generating module 1402 is configured to generate a key according to the first information.
  • the application service security capability includes the capability to support the AKMA service.
  • the device may further include: a first request module, configured to request the UDM to confirm whether the terminal supports the AKMA service; the first generating module 1402 is specifically configured to generate an AKMA key when a first response is received, where the first response indicates that the UDM confirms that the terminal supports the AKMA service.
  • the device may further include: a first storage module configured to pre-store the corresponding relationship between the identification information of the terminal and whether the terminal supports the AKMA service.
  • the first obtaining module 1401 may include: a first receiving submodule, configured to receive an authentication request message sent by a second network element, where the authentication request message carries the subscription permanent identifier (SUPI) of the terminal or the subscription concealed identifier (SUCI) of the terminal; a first obtaining submodule, configured to query the corresponding relationship according to the SUPI and obtain the first information when the authentication request message carries the SUPI; and a second obtaining submodule, configured, when the authentication request message carries the SUCI, to send the SUCI to the UDM, obtain the SUPI from the UDM, and query the corresponding relationship according to the SUPI obtained from the UDM to obtain the first information.
  • the first obtaining module 1401 may be specifically configured to receive an authentication request message sent by a second network element, where the authentication request message carries the first information.
  • the first request module includes:
  • the first sending submodule is used to send first indication information to the UDM, where the first indication information is used to instruct the UDM to confirm whether the terminal supports the AKMA service; the first receiving submodule is used to receive a first confirmation instruction sent by the UDM, where the first confirmation instruction is used to indicate whether the terminal supports the AKMA service.
  • the device may further include: a first receiving module, configured to receive a first request from the terminal, where the first request is used to request generation of an AKMA key; and a first sending module, configured to send first indication information to the UDM according to the first request.
  • the first acquisition module is specifically configured to receive an authentication request message sent by a second network element, where the authentication request message carries the first information, and the application service security capability includes at least one of the capability of supporting the AKMA service and the capability of supporting the Generic Bootstrapping Architecture (GBA) service.
  • the device may further include: a second request module for requesting UDM to confirm the target application service security capability supported by the terminal.
  • the first generating module is specifically configured to generate an AKMA key or a GBA key if the target application service security capability is one of the capability of supporting the AKMA service or the capability of supporting the GBA service; and to generate the key according to a preset policy if the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service.
  • the device may further include: a second sending module, configured to send information about the target application service security capability to the third network element if the target application service security capability is one of the capability of supporting the AKMA service or the capability of supporting the GBA service; and, if the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, to send the preset policy and the key generated according to the preset policy to the third network element.
  • the first acquisition module is configured to receive indication information sent by the UDM, where the indication information is used to instruct that the AKMA service is selected for the terminal; the first generation module is specifically configured to generate a key according to the indication information and send AKMA key derivation parameters to the UDM.
  • the device provided in the embodiment of the present disclosure can execute the foregoing method embodiment, and its implementation principles and technical effects are similar, and details are not described herein again in this embodiment.
  • the embodiment of the present disclosure also provides a key generation device, which is applied to a third network element.
  • FIG. 15 is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.
  • the key generation device 1500 includes:
  • the first receiving module 1501 is configured to receive a key request of a target fourth network element; the first determining module 1502 is configured to determine, according to the key request, the application service security capability supported by the terminal and the information of the fourth network element, where the fourth network element is a fourth network element that has enabled the target application service security capability of the terminal, and the target application service security capability is one or more of the application service security capabilities supported by the terminal;
  • a generating module 1503 is used to generate the key of the application service security capability supported by the terminal.
  • the first determining module 1502 may be configured to request the UDM to confirm the application service security capabilities supported by the terminal and the information of the fourth network element; the first generating module 1503 may be configured to generate an AF key if the application service security capability supported by the terminal is the capability to support the AKMA service and it is determined, according to the information of the fourth network element, that the AKMA service is enabled between the terminal and the target fourth network element.
  • the first generating module 1503 may include:
  • the first obtaining submodule is configured to obtain the first application service security capability supported by the terminal, as sent by the first network element; the second obtaining submodule is configured to obtain the identifier of the target fourth network element; the first generation submodule is configured to generate the AF key if the first application service security capability is the capability to support the AKMA service and it is determined, according to the identifier of the target fourth network element, that the AKMA service is enabled between the terminal and the target fourth network element.
  • the first generating module 1503 may include:
  • the third obtaining submodule is configured to obtain the preset policy sent by the first network element and the key generated according to the preset policy; the fourth obtaining submodule is configured to obtain the identifier of the target fourth network element; the second generation submodule is configured to generate the AF key if the preset policy indicates that the key was generated because the terminal supports the AKMA service and it is determined, according to the identifier of the target fourth network element, that the AKMA service is enabled between the terminal and the target fourth network element.
  • the first determining module 1502 may be configured to receive indication information and the identifier of the fourth network element sent by the UDM, where the indication information is used to indicate that the terminal supports the AKMA service, and the fourth network element is a fourth network element that has enabled the AKMA service with the terminal; the first generation module 1503 may be configured to generate an AF key if the application service security capability supported by the terminal is the capability to support the AKMA service and it is determined, according to the information of the fourth network element, that the AKMA service is enabled between the terminal and the target fourth network element.
  • the device provided in the embodiment of the present disclosure can execute the foregoing method embodiment, and its implementation principles and technical effects are similar, and details are not described herein again in this embodiment.
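The capability-driven key selection of the first network element (SUPI/SUCI resolution, UDM confirmation, AKMA-or-GBA choice with a preset policy when both are supported) and the third network element's AF key decision described above, modelled as an added Python example that is not part of the patent or of any 3GPP implementation. The UDM, the SUCI-to-SUPI map, the message dictionaries and the HMAC-SHA256 stand-in for key derivation are assumptions, and all identifiers are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Flag, auto


class Capability(Flag):
    """Application service security capability advertised by the terminal."""
    NONE = 0
    AKMA = auto()
    GBA = auto()


def kdf(base_key: bytes, label: bytes) -> bytes:
    # Illustrative stand-in for key derivation; NOT the 3GPP KDF.
    return hmac.new(base_key, label, hashlib.sha256).digest()


@dataclass
class Udm:
    """Stand-in UDM holding subscription information per SUPI (assumed model)."""
    # supi -> (capabilities in the subscription, AF identifiers with AKMA enabled)
    subscriptions: dict
    # suci -> supi, standing in for SUCI de-concealment
    suci_to_supi: dict

    def deconceal(self, suci: str) -> str:
        return self.suci_to_supi[suci]

    def confirm_capability(self, supi: str) -> Capability:
        return self.subscriptions[supi][0]

    def akma_enabled_afs(self, supi: str) -> set:
        return self.subscriptions[supi][1]


@dataclass
class FirstNetworkElement:
    """First network element: obtains the first information and generates the key."""
    udm: Udm
    preset_policy: str = "AKMA"   # decides when both AKMA and GBA are supported
    # pre-stored corresponding relationship: supi -> capability
    correspondence: dict = field(default_factory=dict)

    def resolve_supi(self, auth_request: dict) -> str:
        if "supi" in auth_request:
            return auth_request["supi"]
        # SUCI case: send the SUCI to the UDM and obtain the SUPI first
        return self.udm.deconceal(auth_request["suci"])

    def handle_auth_request(self, auth_request: dict, k_ausf: bytes):
        supi = self.resolve_supi(auth_request)
        if "capability" in auth_request:
            cap = auth_request["capability"]        # first information in the message
        elif supi in self.correspondence:
            cap = self.correspondence[supi]          # query the stored correspondence
        else:
            cap = self.udm.confirm_capability(supi)  # request the UDM to confirm
        self.correspondence[supi] = cap

        if cap == Capability.AKMA:
            return {"type": "AKMA", "key": kdf(k_ausf, b"AKMA")}
        if cap == Capability.GBA:
            return {"type": "GBA", "key": kdf(k_ausf, b"GBA")}
        if cap == Capability.AKMA | Capability.GBA:
            # both supported: the preset policy decides, and it is sent along with the key
            return {"type": self.preset_policy,
                    "key": kdf(k_ausf, self.preset_policy.encode()),
                    "policy": self.preset_policy}
        return None   # no application service security capability: nothing to derive


@dataclass
class ThirdNetworkElement:
    """Third network element: serves key requests for a target fourth network element (AF)."""
    udm: Udm

    def handle_key_request(self, supi: str, af_id: str, material):
        if material is None or material["type"] != "AKMA":
            return None   # key was not generated for the AKMA capability
        if af_id not in self.udm.akma_enabled_afs(supi):
            return None   # AKMA is not enabled between this terminal and this AF
        return kdf(material["key"], b"AF:" + af_id.encode())


if __name__ == "__main__":
    # Constructed sample subscription data.
    udm = Udm({"supi-A": (Capability.AKMA, {"af-1"})}, {"suci-A": "supi-A"})
    ne1, ne3 = FirstNetworkElement(udm), ThirdNetworkElement(udm)
    material = ne1.handle_auth_request({"suci": "suci-A"}, b"\x01" * 32)
    print(material["type"], ne3.handle_key_request("supi-A", "af-1", material).hex())
```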
  • the embodiment of the present disclosure also provides a key generation device, which is applied to the second network element.
  • FIG. 16 is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.
  • the key generation device 1600 includes: a first sending module 1601, configured to send first information to a first network element, where the first information represents an application service security capability supported by the terminal, and the first The information is used to enable the first network element to generate a key according to the first information.
  • the first sending module 1601 is specifically configured to send an authentication request message to the first network element, where the authentication request message carries the first information.
  • the first sending module 1601 is specifically configured to send an authentication request message to the first network element, where the authentication request message carries the first information, and the application service security capability includes at least the AKMA service capability and the GBA service capability.
  • the device provided in the embodiment of the present disclosure can execute the foregoing method embodiment, and its implementation principles and technical effects are similar, and details are not described herein again in this embodiment.
  • the embodiment of the present disclosure also provides a key generation device, which is applied to UDM.
  • FIG. 17 which is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.
  • the key generation device 1700 includes: a first storage module 1701, configured to store subscription information of a terminal, where the subscription information includes the application service security capabilities supported by the terminal; and a first confirmation module 1702, configured to confirm, according to the subscription information, the target application service security capability supported by the terminal.
  • the first confirmation module 1702 may include: a first receiving submodule, configured to receive a first request from a first network element, where the first request is used to confirm whether the terminal supports the AKMA service;
  • the sending submodule is configured to send a first response to the first network element according to the subscription information and the first request, where the first response is used to indicate whether the terminal supports the AKMA service.
  • the first receiving submodule is specifically configured to receive the first request of the first network element during the primary authentication procedure, or to receive the first request of the first network element after the primary authentication procedure is completed.
  • the first confirmation module 1702 may include: a second receiving submodule, configured to receive a second request from a third network element, where the second request is used to confirm whether the terminal supports the AKMA service; and a second sending submodule, configured to send a second response to the third network element according to the subscription information and the second request, where the second response is used to indicate whether the terminal supports the AKMA service.
  • the first confirmation module 1702 may include: a third receiving submodule, configured to receive a third request from the first network element; and a third sending submodule, configured to send a third response to the first network element according to the subscription information and the third request, where the third response is used to indicate that the target application service security capability is one of the capability to support the AKMA service or the capability to support the GBA service, or that the target application service security capability is at least the capability to support the AKMA service and the capability to support the GBA service.
  • the subscription information further includes: identification information of the fourth network element that has enabled the AKMA service with the terminal.
  • the device provided in the embodiment of the present disclosure can execute the foregoing method embodiment, and its implementation principles and technical effects are similar, and details are not described herein again in this embodiment.
  • FIG. 18 is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.
  • the key generation device 1800 includes: a first sending module 1801, configured to send indication information and an identifier of a fourth network element to UDM, where the indication information is used to indicate application service security capabilities supported by the terminal;
  • the first receiving module 1802 is configured to receive the key derivation parameter sent by the UDM;
  • the second sending module 1803 is configured to send the key derivation parameter to the terminal.
  • the indication information is used to indicate the ability of the terminal to support the AKMA service
  • the fourth network element is a fourth network element that has enabled the AKMA service with the terminal.
  • the device provided in the embodiment of the present disclosure can execute the foregoing method embodiment, and its implementation principles and technical effects are similar, and details are not described herein again in this embodiment.
  • the embodiment of the present disclosure also provides a key generation device, which is applied to UDM.
  • FIG. 19 is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.
  • the key generation device 1900 includes: a first acquisition module 1901, configured to acquire subscription information of a terminal, where the subscription information includes the application service security capabilities supported by the terminal; and a first sending module 1902, configured to send a first instruction to the first network element when it is determined according to the subscription information that an application service security key is to be derived for the terminal, where the first instruction is used to instruct the first network element to derive the application service security key for the terminal.
  • the first obtaining module 1901 is specifically configured to receive the indication information and the identifier of the fourth network element sent by the second network element, where the indication information is used to indicate the application service security capabilities supported by the terminal and the identification information of the AF that has started the AKMA service with the terminal.
  • the device may further include: a first receiving module, configured to receive key derivation parameters sent by the first network element; and a first sending module, configured to send the key derivation parameters to the second network element.
  • the device may further include: a second sending module, configured to send indication information and an identifier of the fourth network element to the fourth network element, where the indication information is used to indicate the application service security capability supported by the terminal, and the fourth network element is a fourth network element that has enabled the AKMA service with the terminal.
  • the device provided in the embodiment of the present disclosure can execute the foregoing method embodiment, and its implementation principles and technical effects are similar, and details are not described herein again in this embodiment.
  • FIG. 20 is a structural diagram of a key generation device provided by an embodiment of the present disclosure. Since the principle of the key generation device to solve the problem is similar to the key generation method in the embodiment of the present disclosure, the implementation of the key generation device can refer to the implementation of the method, and the repetition will not be repeated.
  • the key generation device 2000 includes: a first sending module 2001, configured to send first information to a second network element, where the first information is used to indicate the application service security capabilities supported by the terminal.
  • the first sending module 2001 is specifically configured to send an N1 message to the second network element, and the first information indicates that the terminal supports the AKMA service.
  • the first sending module 2001 is specifically configured to send an N1 message to the second network element, and the application service security capability includes at least an AKMA service capability and a GBA service capability.
  • the device may further include: a first receiving module, configured to receive key derivation parameters sent by the second network element; and a first generation module, configured to generate an AKMA key according to the key derivation parameters.
  • the device provided in the embodiment of the present disclosure can execute the foregoing method embodiment, and its implementation principles and technical effects are similar, and details are not described herein again in this embodiment.
  • the key generation device of the embodiment of the present disclosure applied to a terminal, includes a processor 2100, configured to read a program in a memory 2120, and execute the following process:
  • the transceiver 2110 is used to receive and send data under the control of the processor 2100.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2100 and various circuits of the memory represented by the memory 2120 are linked together.
  • the bus architecture can also link various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 2110 may be a plurality of elements, that is, including a transmitter and a receiver, and provide a unit for communicating with various other devices on a transmission medium.
  • the user interface 2130 may also be an interface that can externally and internally connect the required equipment.
  • the connected equipment includes, but is not limited to, a keypad, a display, a speaker, a microphone, a joystick, and the like.
  • the processor 2100 is responsible for managing the bus architecture and general processing, and the memory 2120 can store data used by the processor 2100 when performing operations.
  • the processor 2100 is further configured to read the program and perform the following steps: send an N1 message to the second network element, where the first information indicates that the terminal supports the AKMA service.
  • the processor 2100 is further configured to read the program and perform the following steps: send an N1 message to the second network element, and the application service security capability includes at least an AKMA service capability and a GBA service capability.
  • the processor 2100 is further configured to read the program and execute the following steps:
  • the key generation device of the embodiment of the present disclosure applied to the first network element, includes: a processor 2200, configured to read a program in a memory 2222, and execute the following process:
  • a key is generated.
  • the transceiver 2210 is configured to receive and send data under the control of the processor 2200.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2200 and various circuits of the memory represented by the memory 2222 are linked together.
  • the bus architecture can also link various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 2210 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2222 can store data used by the processor 2200 when performing operations.
  • the application service security capability includes the capability to support the AKMA service; the processor 2200 is further configured to read the program and perform the following steps: request the UDM to confirm whether the terminal supports the AKMA service; and generate an AKMA key when a first response is received, where the first response indicates that the UDM confirms that the terminal supports the AKMA service.
  • the processor 2200 is further configured to read the program and perform the following steps: pre-store the corresponding relationship between the identification information of the terminal and whether the terminal supports the AKMA service.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • an authentication request message sent by a second network element is received, the authentication request message carrying the subscription permanent identifier (SUPI) of the terminal or carrying the subscription concealed identifier (SUCI) of the terminal;
  • when the authentication request message carries the SUPI, the corresponding relationship is queried according to the SUPI to obtain the first information;
  • when the authentication request message carries the SUCI, the SUCI is sent to the UDM and the SUPI is obtained from the UDM, and the corresponding relationship is queried according to the SUPI obtained from the UDM to obtain the first information.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • the sending first indication information to the UDM includes:
  • first indication information is sent to the UDM.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • an authentication request message sent by a second network element is received, where the authentication request message carries the first information, and the application service security capability includes at least the capability of supporting the AKMA service and the capability of supporting the Generic Bootstrapping Architecture (GBA) service.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • if the target application service security capability is one of the capability to support the AKMA service or the capability to support the GBA service, an AKMA key or a GBA key is generated;
  • if the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, the key is generated according to the preset policy.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • if the target application service security capability is one of the capability of supporting the AKMA service or the capability of supporting the GBA service, information about the target application service security capability is sent to a third network element;
  • if the target application service security capability is at least the capability of supporting the AKMA service and the capability of supporting the GBA service, the preset policy and the key generated according to the preset policy are sent to the third network element.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • the key generation device of the embodiment of the present disclosure applied to a third network element, includes: a processor 2200, configured to read a program in a memory 2222, and execute the following process:
  • the fourth network element is a fourth network element that has enabled the target application service security capability of the terminal, and the target application service security capability is one or more of the application service security capabilities supported by the terminal;
  • the transceiver 2210 is configured to receive and send data under the control of the processor 2200.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2200 and various circuits of the memory represented by the memory 2222 are linked together.
  • the bus architecture can also link various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 2210 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2222 can store data used by the processor 2200 when performing operations.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • the generating the key of the application service security capability supported by the terminal includes:
  • if the application service security capability supported by the terminal is the capability to support the AKMA service and it is determined, according to the information of the fourth network element, that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • if the first application service security capability is the capability to support the AKMA service and it is determined, according to the identifier of the target fourth network element, that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • if the preset policy indicates that the key was generated because the terminal supports the AKMA service, and it is determined according to the identifier of the target fourth network element that the AKMA service is enabled between the terminal and the target fourth network element, the AF key is generated.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • the generating the key of the application service security capability supported by the terminal includes:
  • if the application service security capability supported by the terminal is the capability to support the AKMA service and it is determined, according to the information of the fourth network element, that the AKMA service is enabled between the terminal and the target fourth network element, then an AF key is generated.
  • the key generation device of the embodiment of the present disclosure applied to the second network element, includes: a processor 2200, configured to read a program in a memory 2222, and execute the following process:
  • the transceiver 2210 is configured to receive and send data under the control of the processor 2200.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2200 and various circuits of the memory represented by the memory 2222 are linked together.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 2210 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2222 can store data used by the processor 2200 when performing operations.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • the application service security capability includes at least an AKMA service capability and a GBA service capability.
  • the key generation device of the embodiment of the present disclosure applied to UDM, includes: a processor 2200, configured to read a program in a memory 2222, and execute the following process:
  • the target application service security capability supported by the terminal is confirmed.
  • the transceiver 2210 is configured to receive and send data under the control of the processor 2200.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2200 and various circuits of the memory represented by the memory 2222 are linked together.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 2210 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2222 can store data used by the processor 2200 when performing operations.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • a first response is sent to the first network element, where the first response is used to indicate whether the terminal supports the AKMA service.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • the first request of the first network element is received.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • a second response is sent to the third network element, where the second response is used to indicate whether the terminal supports the AKMA service.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • a third response is sent to the first network element, where the third response is used to indicate that the target application service security capability is the capability of supporting AKMA service or the capability of supporting GBA service.
  • the target application service security capability includes at least the capability of supporting AKMA service and the capability of supporting GBA service.
  • the subscription information further includes: identification information of the fourth network element that has enabled the AKMA service with the terminal.
  • the key generation device of the embodiment of the present disclosure applied to the second network element, includes: a processor 2200, configured to read a program in a memory 2222, and execute the following process:
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2200 and various circuits of the memory represented by the memory 2222 are linked together.
  • the bus architecture can also link various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 2210 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2222 can store data used by the processor 2200 when performing operations.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • the indication information is used to indicate the capability of the terminal to support the AKMA service.
  • the fourth network element is the fourth network element that has enabled the AKMA service with the terminal.
  • the key generation device of the embodiment of the present disclosure applied to UDM, includes: a processor 2200, configured to read a program in a memory 2222, and execute the following process:
  • a first instruction is sent to the first network element, where the first instruction is used to instruct the first network element to derive the terminal's application service security key.
  • the transceiver 2210 is configured to receive and send data under the control of the processor 2200.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2200 and various circuits of the memory represented by the memory 2222 are linked together.
  • the bus architecture can also link various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 2210 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2222 can store data used by the processor 2200 when performing operations.
  • the processor 2200 is further configured to read the program and execute the following steps:
  • the fourth network element is the fourth network element that has enabled the AKMA service with the terminal.
  • the embodiments of the present disclosure also provide a computer-readable storage medium on which a computer program is stored.
  • when the computer program is executed by a processor, each process of the above-mentioned key generation method embodiment is realized and the same technical effect is achieved; to avoid repetition, it is not described again here.
  • the computer-readable storage medium is, for example, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
  • the technical solution of the present disclosure, in essence or in the part that contributes to the related art, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disk) and includes several instructions that cause a terminal (which can be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to execute the methods described in the various embodiments of the present disclosure.
  • each module, unit, sub-unit or sub-module can be implemented in one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), general-purpose processors, controllers, microcontrollers, microprocessors, or other electronic units that perform the functions described in the present disclosure, or combinations thereof.
  • the technology described in the embodiments of the present disclosure can be implemented by modules (for example, procedures, functions, etc.) that perform the functions described in the embodiments of the present disclosure.
  • the software codes can be stored in the memory and executed by the processor.
  • the memory can be implemented in the processor or external to the processor.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure relates to a key generation method and apparatus, and to a device and a computer-readable storage medium. The method comprises: obtaining first information of a terminal, the first information being used to represent an application service security capability supported by the terminal; and generating a key according to the first information.
PCT/CN2021/070544 2020-03-31 2021-01-07 Key generation method and apparatus, and device and computer-readable storage medium WO2021196818A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010249052.8A CN113543127B (zh) 2020-03-31 2020-03-31 Key generation method, apparatus, device and computer-readable storage medium
CN202010249052.8 2020-03-31

Publications (1)

Publication Number Publication Date
WO2021196818A1 true WO2021196818A1 (fr) 2021-10-07

Family

ID=77927630

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/070544 WO2021196818A1 (fr) 2020-03-31 2021-01-07 Key generation method and apparatus, and device and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN113543127B (fr)
WO (1) WO2021196818A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023138349A1 (fr) * 2022-01-19 2023-07-27 华为技术有限公司 Verification method, communication apparatus and communication system

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021098115A1 (fr) * 2020-03-31 2021-05-27 Zte Corporation Application communication establishment parameters
WO2024092443A1 (fr) * 2022-10-31 2024-05-10 华为技术有限公司 Communication method and apparatus
CN116506842B (zh) * 2023-06-30 2023-10-03 中国电信股份有限公司 Method for reporting subscriber identity card capability information, terminal, system and related device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102811441A (zh) * 2011-06-02 2012-12-05 华为技术有限公司 Method and apparatus for managing mobile IP keys
CN105025478A (zh) * 2014-04-30 2015-11-04 中兴通讯股份有限公司 D2D communication security configuration method, ProSe key management function entity, terminal and system
CN108810884A (zh) * 2017-05-06 2018-11-13 华为技术有限公司 Key configuration method, apparatus and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101068148A (zh) * 2007-04-19 2007-11-07 华为技术有限公司 Method and apparatus for policy and charging control
CN114285570B (zh) * 2016-07-01 2024-07-16 华为技术有限公司 Key configuration and security policy determination method and apparatus
CN110536293B (zh) * 2019-08-15 2024-10-18 中兴通讯股份有限公司 Method, apparatus and system for accessing a closed access group

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "Study on authentication and key management for applications based on 3GPP credential in 5G(Release 16), 3GPP TR 33.835 V2.0.0 (2019-12)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 33.835, vol. SA WG3, no. V2.0.0, 4 December 2019 (2019-12-04), pages 1 - 83, XP051840699 *

Also Published As

Publication number Publication date
CN113543127A (zh) 2021-10-22
CN113543127B (zh) 2023-02-17

Similar Documents

Publication Publication Date Title
WO2021196818A1 (fr) Key generation method and apparatus, and device and computer-readable storage medium
US11310266B2 (en) Mobile communication method, apparatus, and device
CN110798833B (zh) Method and apparatus for verifying a user equipment identifier during an authentication procedure
CA2517800C (fr) User-plane location services (LCS) system, and associated method and apparatus
JP6185017B2 (ja) Authentication in a Secure User Plane Location (SUPL) system
US11582602B2 (en) Key obtaining method and device, and communications system
CN113541925B (zh) Communication system, method and apparatus
US9113332B2 (en) Method and device for managing authentication of a user
US20230422032A1 (en) Session request method and apparatus, terminal, and storage medium
US20230024999A1 (en) Communication system, method, and apparatus
EP4271015A1 (fr) Registration method and apparatus, authentication method and apparatus, routing indicator determination method and apparatus, entity and terminal
CN113498060A (zh) Method, apparatus, device and storage medium for controlling network slice authentication
WO2021031053A1 (fr) Communication system, device and method
CN117041955A (zh) Subscription data update method, apparatus, node and storage medium
US20230232228A1 (en) Method and apparatus for establishing secure communication
US11134384B2 (en) Access point AP authentication method, system, and related device
WO2023216274A1 (fr) Key management method and apparatus, device and storage medium
JP7560567B2 (ja) Access control method and communication device
WO2023109865A1 (fr) Key generation method and apparatus, device, and readable storage medium
WO2024067993A1 (fr) PDU session modification for a subscriber entity
CN114158028A (zh) Data network authentication mode adaptation method, apparatus and readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21780342

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21780342

Country of ref document: EP

Kind code of ref document: A1