WO2022028259A1 - User subscription data obtaining method and apparatus - Google Patents


Info

Publication number: WO2022028259A1
Application number: PCT/CN2021/108022
Authority: WO (WIPO, PCT)
Prior art keywords: network, user, subscription data, identifier, user subscription
Other languages: French (fr), Chinese (zh)
Inventors: 李飞 (Li Fei), 何承东 (He Chengdong)
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by 华为技术有限公司
Publication of WO2022028259A1

Classifications

    • H Electricity
      • H04 Electric communication technique
        • H04W Wireless communication networks
          • H04W 8/00 Network data management
            • H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; transfer of user or subscriber data
              • H04W 8/183 Processing at user equipment or user record carrier
          • H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity
            • H04W 12/03 Protecting confidentiality, e.g. by encryption
            • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
              • H04W 12/041 Key generation or derivation
            • H04W 12/06 Authentication
          • H04W 60/00 Affiliation to network, e.g. registration; terminating affiliation with the network, e.g. de-registration

Definitions

  • The present application relates to the field of communication technologies, and in particular to a method and apparatus for obtaining user subscription data.
  • Fifth generation (5G) mobile communication technology introduces a new application scenario, the enhanced non-public network (eNPN).
  • An eNPN achieves end-to-end resource isolation, provides dedicated access networks for vertical industries, and guarantees those industries exclusive access to their own resources.
  • An eNPN can support local area network (LAN) services and meet the need of enterprises, residences, schools and similar sites for reliable and stable private networks.
  • eNPNs are divided into completely independently deployed networks, the standalone non-public network (SNPN), and non-public networks integrated into a public network, the public network integrated non-public network (PNI-NPN), such as a non-public network carried by a public land mobile network (PLMN).
  • The eNPN architecture comprises a user equipment (UE), an onboarding standalone non-public network (O-SNPN), a default credential server (DCS), a provisioning server (PS) and the SNPN itself.
  • The eNPN offers an onboarding service: the UE "goes online" to the eNPN so that the eNPN can obtain, from the PS, the UE's user subscription data for the SNPN and deliver it to the UE, after which the UE can access the SNPN.
  • An SNPN buys equipment (such as UEs) from a manufacturer and can then configure the UEs in a unified way rather than one by one.
  • The UE first accesses the O-SNPN and then connects to the PS. The PS either stores the SNPN's user subscription data or obtains it from the SNPN, and sends it to the UE; the UE can then access the SNPN with its new identity according to that subscription data.
  • The SNPN places high security requirements on UE onboarding. How to protect the acquisition of user subscription data and prevent its theft is therefore a problem to be solved.
  • The present application provides a method and apparatus for obtaining user subscription data so that this acquisition is protected.
  • In a first aspect, a method for obtaining user subscription data comprises: generating a first public key and a first private key; sending a registration request to a first network, the registration request including the first public key; receiving first user subscription data, which is obtained by encrypting second user subscription data with the first public key; and decrypting the first user subscription data with the first private key to obtain the second user subscription data.
  • In this way the acquisition of the user subscription data is protected, theft of the data is avoided and communication security is improved; and because the first network element obtains the private network identifier from the second network element, it can obtain the correct user subscription data from a suitable PS.
  • The registration request further includes an onboarding indication (the "online indication" of the machine translation), used to indicate that the type of the registration request is an onboarding service.
  • Based on the onboarding indication, the first authentication server in the first network is determined, so that this first authentication server can request the second network to authenticate the onboarding terminal device.
  • The registration request further includes a user concealed identifier (SUCI), and the SUCI includes the first public key.
  • Because the SUCI is calculated using the first public key, the first public key can be carried in the SUCI, which realises the transmission of the first public key.
  • In a second aspect, a method for obtaining user subscription data includes: receiving from a first network an authentication request for a terminal device, the authentication request including a first public key; saving the first public key; sending the identifier of the private network to the first network; and sending the first public key to the third network.
  • From the identifier of the private network, the first network element knows which private network to access.
  • The third network produces the first user subscription data as encrypted data, so the acquisition of the user subscription data is protected, theft of the data is prevented and communication security is improved; and because the first network element obtains the identifier of the private network, it can obtain the correct user subscription data from an appropriate PS.
  • The authentication request further includes a SUCI, and the SUCI includes the first public key.
  • The authentication request further includes an onboarding indication, used to indicate that the type of the authentication request is an onboarding service; saving the first public key then consists of saving it according to the onboarding indication.
  • The first public key is saved so that it can be sent to the PS later.
  • In a third aspect, a method for obtaining user subscription data includes: a first network element in a first network receives an identifier of a private network from a second network; according to that identifier, the first network element sends a user subscription data acquisition request for the terminal device to the third network; the first network element receives the user subscription data acquisition response returned by the third network, which includes the first user subscription data of the terminal device in the private network; and the first network element sends the first user subscription data to the terminal device.
  • In this way an appropriate PS can be selected and correct user subscription data obtained; further, the second user subscription data can be encrypted with the received first public key to obtain the first user subscription data, and it is the first user subscription data that is sent, so that the acquisition of the user subscription data is protected, theft is prevented and communication security is improved.
  • Before the first network element receives the identifier of the private network from the second network, the method further includes: the first network element receives a registration request from the terminal device carrying at least one of a SUCI, an onboarding indication, a registration type and a slice identifier; the first network element determines the first authentication server in the first network according to the registration request; and the first network element sends the authentication request for the terminal device to the second network through the first authentication server. Determining the first authentication server according to the registration request includes: the SUCI includes the identifier of the second network, and the first authentication server is determined according to the identifier of the second network; or the SUCI includes a routing indication, and the first authentication server is determined according to the routing indication.
  • When a first network element receives a registration request from a terminal device, it generally forwards that request to an authentication server of its own network for further processing.
  • Here the first network element determines from the received registration request that an onboarding service is requested, selects the first authentication server of its network accordingly, and the first authentication server submits the authentication request so that the onboarding can be authenticated.
  • The second network is the network that authenticates the UE.
  • The registration request includes the first public key, and the method further includes sending the first public key to the second network; the first user subscription data is obtained by encrypting the second user subscription data with the first public key.
  • The registration request includes a SUCI, and the SUCI includes the first public key.
  • In a further aspect, a method for obtaining user subscription data is applied to a communication system comprising a first network element in a first network and a second network element in a second network. The method includes: the first network element sends an authentication request for the terminal device to the second network element, the authentication request including the first public key; the second network element stores the first public key; the second network element sends the identifier of the private network to the first network element; the second network element sends the first public key to the third network; the first network element sends a user subscription data acquisition request for the terminal device to the third network according to the identifier of the private network; the first network element receives the user subscription data acquisition response returned by the third network, which includes the first user subscription data of the terminal device in the private network; and the first network element sends the first user subscription data to the terminal device.
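The exchange described in the aspects above, as an added worked example in Go. It is not code from the patent, from Huawei or from 3GPP: the UE generates an X25519 key pair and puts the public half in its registration request; the DCS step accepts only a request carrying the onboarding indication, forwards the key to the PS of the UE's SNPN and returns that SNPN's identifier, which the O-SNPN uses to pick the PS; the PS seals one subscription record to the UE key with an ECIES-style construction (X25519, one-block HKDF-SHA256, AES-256-GCM) and refuses any key no DCS vouched for; the UE opens the record with the private key that never left the device. The patent fixes none of these algorithms, so the cipher suite, the KDF label, all type, field and function names, the identifier `snpn-acme` and the subscription record are assumptions made for this example; the O-SNPN appears only as the caller that relays the messages between the parties, and default-credential authentication of the UE at the DCS is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// RegistrationRequest is what the UE sends to the O-SNPN; per the patent PublicKey rides inside the SUCI. All type, field and string names here are assumptions for this example, not 3GPP information elements or patent identifiers.
type RegistrationRequest struct {
	Onboarding bool   // onboarding indication
	PublicKey  []byte // first public key (X25519, 32 bytes)
}

// SubscriptionData is the plaintext ("second") data; EncryptedSubscription is the "first": the same data sealed to the UE key ECIES-style (X25519 + one-block HKDF-SHA256 + AES-256-GCM), so any alteration is detected.
type SubscriptionData struct{ SUPI, SNPN, Credential string }
type EncryptedSubscription struct{ EphemeralPub, Nonce, Ciphertext []byte }

// aeadFor derives the AES-GCM key from X25519(priv, peerPub); uePub as the HKDF salt binds it to that UE.
func aeadFor(priv *ecdh.PrivateKey, peerPub, uePub []byte) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer) // fails on a low-order peer point
	if err != nil {
		return nil, err
	}
	prk := hmac.New(sha256.New, uePub) // HKDF-Extract(salt = uePub, ikm = shared)
	prk.Write(shared)
	okm := hmac.New(sha256.New, prk.Sum(nil)) // HKDF-Expand, first block only
	okm.Write([]byte("onboarding-subscription-key\x01"))
	block, _ := aes.NewCipher(okm.Sum(nil)) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// NewUEKey generates the first key pair on the device; the private half never leaves it.
func NewUEKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }
// Decrypt recovers the second data with the first private key.
func Decrypt(ue *ecdh.PrivateKey, enc EncryptedSubscription) (sd SubscriptionData, err error) {
	aead, err := aeadFor(ue, enc.EphemeralPub, ue.PublicKey().Bytes())
	if err != nil {
		return sd, err
	}
	plain, err := aead.Open(nil, enc.Nonce, enc.Ciphertext, enc.EphemeralPub)
	if err != nil {
		return sd, err
	}
	err = json.Unmarshal(plain, &sd)
	return sd, err
}

// ProvisioningServer (third network) holds one SNPN's subscription pool and the UE public keys the DCS forwarded after authenticating the UE (ReceivePublicKey is that DCS -> PS message); no other key is served.
type ProvisioningServer struct {
	snpn    string
	pool    []SubscriptionData
	allowed map[string]bool
}

func NewProvisioningServer(snpn string, pool ...SubscriptionData) *ProvisioningServer {
	return &ProvisioningServer{snpn: snpn, pool: pool, allowed: map[string]bool{}}
}

func (p *ProvisioningServer) ReceivePublicKey(pub []byte) { p.allowed[string(pub)] = true }
// Acquire answers the O-SNPN's acquisition request with one subscription sealed to uePub, so the O-SNPN only relays ciphertext it cannot read; one provisioning per forwarded key.
func (p *ProvisioningServer) Acquire(uePub []byte) (enc EncryptedSubscription, err error) {
	if !p.allowed[string(uePub)] || len(p.pool) == 0 {
		return enc, errors.New("PS: key not vouched for by a DCS, or no subscription left")
	}
	delete(p.allowed, string(uePub))
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return enc, err
	}
	aead, err := aeadFor(eph, uePub, uePub)
	if err != nil {
		return enc, err
	}
	plain, _ := json.Marshal(p.pool[0])
	p.pool = p.pool[1:]
	enc.EphemeralPub = eph.PublicKey().Bytes()
	enc.Nonce = make([]byte, aead.NonceSize())
	rand.Read(enc.Nonce)
	enc.Ciphertext = aead.Seal(nil, enc.Nonce, plain, enc.EphemeralPub)
	return enc, nil
}

// DCSAuthenticate is the second network element's step: for an onboarding request it forwards the first public key to the PS of the UE's SNPN and returns that SNPN's identifier, which the O-SNPN uses to select the PS.
// Default-credential authentication of the UE (e.g. EAP) would precede the forwarding; it is omitted here.
func DCSAuthenticate(req RegistrationRequest, ps *ProvisioningServer) (string, error) {
	if !req.Onboarding || len(req.PublicKey) != 32 {
		return "", errors.New("DCS: not an onboarding request carrying a valid key")
	}
	ps.ReceivePublicKey(req.PublicKey)
	return ps.snpn, nil
}
```

Call order, as the first network element would drive it: `NewUEKey` on the device; `DCSAuthenticate(RegistrationRequest{Onboarding: true, PublicKey: ue.PublicKey().Bytes()}, ps)`, whose returned SNPN identifier selects `ps`; `ps.Acquire(pub)`, whose result the O-SNPN relays unchanged; `Decrypt(ue, enc)` on the device. Using the UE public key as KDF salt and the ephemeral key as GCM additional data means a record re-addressed or altered in transit fails authentication at the UE, and the PS allow-list means a network element cannot obtain subscription data for a key the DCS never authenticated; a production PS would additionally expire forwarded keys that are never used.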
  • A device for obtaining user subscription data is provided for executing the method of the first aspect or of any possible implementation of the first aspect.
  • The device may be the terminal device of the first aspect or of any of its possible implementations, or a module applied in the terminal device, such as a chip or a chip system.
  • The device includes corresponding modules, units or means for implementing the above method, which may be implemented by hardware, by software, or by hardware executing corresponding software; the hardware or software includes one or more modules or units corresponding to the above functions.
  • The device includes a generating unit, a sending unit, a receiving unit and a decrypting unit: the generating unit generates a first public key and a first private key; the sending unit sends a registration request including the first public key to the first network; the receiving unit receives first user subscription data, obtained by encrypting second user subscription data with the first public key; and the decrypting unit decrypts the first user subscription data with the first private key to obtain the second user subscription data.
  • Alternatively the device includes an input interface, an output interface and a processing circuit: the processing circuit generates the first public key and the first private key; the output interface sends the registration request including the first public key to the first network; the input interface receives the first user subscription data, obtained by encrypting the second user subscription data with the first public key; and the processing circuit decrypts the first user subscription data with the first private key to obtain the second user subscription data.
  • The device further includes a memory coupled to the at least one processor, the at least one processor being configured to execute program instructions stored in the memory so that the device executes the method of the first aspect or of any possible implementation of the first aspect.
  • The memory stores program instructions and data; it is coupled to the at least one processor, which can call and execute the stored program instructions so that the device executes the method of the first aspect or of any of its possible implementations.
  • The device further includes a communication interface through which it communicates with other devices; the communication interface is a transceiver, an input/output interface, a circuit or the like.
  • The device includes at least one processor and a communication interface for executing the method of the first aspect or of any of its possible implementations: the at least one processor communicates with the outside through the communication interface and runs a computer program so that the device executes that method.
  • The outside may be an object other than the processor, or an object other than the device for obtaining the user subscription data.
  • The device is a chip or a chip system, in which case the communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin or a related circuit on the chip or chip system, and the processor may also be embodied as processing circuitry or logic circuitry.
  • A communication apparatus is provided for executing the method of the second aspect or of any possible implementation of the second aspect.
  • The communication apparatus may be the second network element in the second network of the second aspect or of any of its possible implementations, or a module applied to the second network element, such as a chip or a chip system.
  • The communication apparatus includes corresponding modules, units or means for implementing the above method, which may be implemented by hardware, by software, or by hardware executing corresponding software; the hardware or software includes one or more modules or units corresponding to the above functions.
  • The communication apparatus includes a receiving unit, a processing unit and a sending unit: the receiving unit receives from the first network an authentication request for the terminal device, the authentication request including a first public key; the processing unit saves the first public key; the sending unit sends the identifier of the private network to the first network; and the sending unit also sends the first public key to the third network.
  • The authentication request further includes an onboarding indication, used to indicate that the type of the authentication request is an onboarding service; the processing unit saves the first public key according to the onboarding indication.
  • Alternatively the communication apparatus includes an input interface, an output interface and a processing circuit: the input interface receives from the first network the authentication request for the terminal device, including the first public key; the processing circuit saves the first public key; the output interface sends the identifier of the private network to the first network; and the output interface also sends the first public key to the third network. Where the authentication request includes an onboarding indication, the processing circuit saves the first public key according to that indication.
  • The communication apparatus further includes a memory coupled to the at least one processor, which executes program instructions stored in the memory so that the apparatus performs the method of the second aspect or of any of its possible implementations. The memory stores program instructions and data.
  • The communication apparatus further includes a communication interface for communicating with other devices; the communication interface is a transceiver, an input/output interface, a circuit or the like.
  • The communication apparatus includes at least one processor and a communication interface for executing the method of the second aspect or of any of its possible implementations: the at least one processor communicates with the outside through the communication interface and runs a computer program so that the apparatus executes that method.
  • The outside may be an object other than the processor, or an object other than the communication apparatus.
  • The communication apparatus is a chip or a chip system, in which case the communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin or a related circuit on the chip or chip system, and the processor may also be embodied as processing circuitry or logic circuitry.
  • A communication apparatus is provided for executing the method of the third aspect or of any possible implementation of the third aspect.
  • The communication apparatus may be the first network element in the first network of the third aspect or of any of its possible implementations, or a module applied to the first network element, such as a chip or a chip system.
  • The communication apparatus includes corresponding modules, units or means for implementing the above method, which may be implemented by hardware, by software, or by hardware executing corresponding software; the hardware or software includes one or more modules or units corresponding to the above functions.
  • The communication apparatus includes a receiving unit, a processing unit and a sending unit: the receiving unit receives the identifier of the private network from the second network; the processing unit determines, according to that identifier, the user subscription data acquisition request for the terminal device; the sending unit sends the acquisition request to the third network; the receiving unit also receives the user subscription data acquisition response returned by the third network, which includes the first user subscription data of the terminal device in the private network; and the sending unit also sends the first user subscription data to the terminal device.
  • The receiving unit also receives a registration request from the terminal device carrying at least one of a SUCI, an onboarding indication, a registration type and a slice identifier; the processing unit also determines the first authentication server in the first network according to the registration request; and the sending unit also sends the authentication request for the terminal device to the second network through the first authentication server. Specifically, the processing unit determines the first authentication server according to the identifier of the second network included in the SUCI; or according to a routing indication included in the SUCI; or according to the onboarding indication, which indicates that the type of the registration request is an onboarding service; or according to the registration type, the registration type being an onboarding service; or according to the slice identifier.
  • Alternatively the communication apparatus includes an input interface, an output interface and a processing circuit: the input interface receives the identifier of the private network from the second network; the output interface sends the user subscription data acquisition request for the terminal device to the third network according to that identifier; the input interface also receives the user subscription data acquisition response returned by the third network, which includes the first user subscription data of the terminal device in the private network; and the output interface also sends the first user subscription data to the terminal device.
  • The input interface also receives a registration request from the terminal device carrying at least one of a SUCI, an onboarding indication, a registration type and a slice identifier; the processing circuit determines the first authentication server in the first network according to the registration request; and the output interface sends the authentication request for the terminal device to the second network through the first authentication server. Specifically, the processing circuit determines the first authentication server according to the identifier of the second network included in the SUCI; or according to a routing indication included in the SUCI; or according to the onboarding indication, which indicates that the type of the registration request is an onboarding service; or according to the registration type, the registration type being an onboarding service; or according to the slice identifier.
  • The communication apparatus further includes a memory coupled to the at least one processor, which executes program instructions stored in the memory so that the apparatus performs the method of the third aspect or of any of its possible implementations. The memory stores program instructions and data.
  • The communication apparatus further includes a communication interface for communicating with other devices; the communication interface is a transceiver, an input/output interface, a circuit or the like.
  • The communication apparatus includes at least one processor and a communication interface for executing the method of the third aspect or of any of its possible implementations: the at least one processor communicates with the outside through the communication interface and runs a computer program so that the apparatus executes that method.
  • The outside may be an object other than the processor, or an object other than the communication apparatus.
  • The communication apparatus is a chip or a chip system, in which case the communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin or a related circuit on the chip or chip system, and the processor may also be embodied as processing circuitry or logic circuitry.
  • a communication system in an eighth aspect, includes a first network element in a first network and a second network element in a second network, wherein the first network element is configured to report to the first network element
  • the second network element sends an authentication request for the terminal device, where the authentication request includes the first public key; the second network element is used to store the first public key; the second network element is also used to send the The first network element sends the identifier of the private network; the second network element is further configured to send the first public key to the third network; the first network element is further configured to send the private network identifier to the third network.
  • the third network sends a user subscription data acquisition request of the terminal device; the first network element is further configured to receive a user subscription data acquisition response returned by the third network, where the user subscription data acquisition response includes the terminal device in the the first user subscription data of the private network; and the first network element is further configured to send the first user subscription data to the terminal device.
  • the authentication request further includes a user hidden identifier, and the user hidden identifier includes the first public key.
  • the authentication request further includes an online indication, and the online indication is used to indicate that the type of the authentication request is an online service, and the second network element also uses and storing the first public key according to the online instruction.
  • the first network element is further configured to receive a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication , registration type, slice identifier; the first network element is further configured to determine the first authentication server in the first network according to the registration request; the first network element is further configured to pass the first authentication server
  • the authorization server sends the authentication request of the terminal device to the second network; wherein, the first network element is specifically used for the user hidden identifier to include the identifier of the second network, according to the second network element.
  • the identifier of the network determines the first authentication server; or the first network element is specifically configured to include a routing indication in the user hidden identifier, and the first authentication server is determined according to the routing indication; or the The first network element is specifically used to determine the first authentication server according to the online instruction, and the online instruction is used to indicate that the type of the registration request is an online service; or the first network element is specifically used to determine the first authentication server according to the online service.
  • the registration type determines the first authentication server, and the registration type is an online service; or the first network element is specifically configured to determine the first authentication server according to the slice identifier.
  • the registration request includes a first public key
  • the first network element is further configured to send the first public key to the second network element
  • the The first user subscription data is obtained by encrypting the second user subscription data by using the first public key
  • the registration request includes a user hidden identifier
  • the user hidden identifier includes the first public key
  • a computer-readable storage medium storing a computer program which, when run on a computer, causes the method of any one of the above-mentioned aspects to be executed.
  • a computer program product which, when run on a computer, causes the method of any one of the above-mentioned aspects to be executed.
  • a computer program which, when run on a computer, causes the method of any one of the above-mentioned aspects to be executed.
  • Figure 1 is a schematic diagram of the architecture of the eNPN network
  • FIG. 2 is a schematic structural diagram of a communication system 100 provided by an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a method for acquiring user subscription data according to an embodiment of the present application
  • FIG. 4 is a schematic flowchart of another method for acquiring user subscription data provided by an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of another method for acquiring user subscription data provided by an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a communication apparatus 200 according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of an apparatus 300 for acquiring user subscription data according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a communication apparatus 400 according to an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a communication apparatus 500 according to an embodiment of the present application.
  • the technical solutions of the embodiments of the present application can be applied to various communication systems. For example: enhanced long term evolution (enhanced-long term evolution, eLTE) system, fifth generation (5th generation, 5G) system or new radio (new radio, NR), etc.
  • the 5G mobile communication system involved in this application includes a 5G mobile communication system of a non-standalone (NSA) network or a 5G mobile communication system of a standalone (SA) network.
  • the technical solutions provided in this application can also be applied to future communication systems, such as the sixth generation mobile communication system.
  • the communication system may also be a public land mobile network (PLMN) network, a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, an Internet of things (IoT) communication system or another communication system.
  • PLMN public land mobile network
  • D2D device-to-device
  • M2M machine-to-machine
  • IoT Internet of things
  • FIG. 2 is a schematic structural diagram of a communication system 100 according to an embodiment of the present application.
  • the communication system 100 includes a first network, a second network and a third network.
  • the first network may be an onboarding network
  • the second network may be the network where the DCS/unified data management (unified data management, UDM) is located
  • the third network may be the network where the PS is located.
  • the PS is generally set independently from the private network, that is, the third network is generally a network different from the private network.
  • the UE initiates a registration request on the first network, the first network requests the second network to authenticate the UE, and after the second network authenticates the UE, it returns the identifier of the private network to the first network; the first network uses the identifier of the private network to request the user subscription data from the third network, and the third network encrypts the user subscription data and sends it to the UE.
  • the first network includes the first network element 11, the second network includes the second network element 12, and the third network includes the PS13.
  • the first network element 11 may be a mobility management network element
  • the second network element 12 may be a unified data management network element or a DCS.
  • the network element or entity corresponding to the mobility management network element may be an access and mobility management function (AMF) entity in the 5G mobile communication system, and the network element or entity corresponding to the unified data management network element may be a UDM functional entity in the 5G mobile communication system, which is not specifically limited in this embodiment of the present application.
  • the foregoing network elements may communicate directly or communicate through forwarding by other network elements, which is not specifically limited in this embodiment of the present application.
  • the communication system may further include other network elements, which are not specifically limited in this embodiment of the present application.
  • Embodiments of the present application provide a method and device for acquiring user subscription data. After receiving a registration request from a UE, a first network element in the first network requests that the UE be authenticated; a second network element in the second network authenticates the UE, sends the identifier of the private network that the UE can access to the first network element in the first network, and sends pk1 to the third network; the first network element uses the identifier of the private network to request the first user subscription data from the third network, and the third network encrypts the second user subscription data using pk1 to obtain the first user subscription data; the third network sends the first user subscription data to the UE through the control plane of the first network or through the user plane of the first network.
  • the acquisition of the user subscription data can be protected, theft of the user subscription data can be prevented, and the security of communication can be improved; and by acquiring the identifier of the private network from the second network element, the first network element can obtain the correct user subscription data from the appropriate PS.
  • the solution can be applied to the above-mentioned communication system.
  • the solution includes: the first network element sends an authentication request for the terminal device to the second network element, where the authentication request includes the first public key pk1; the second network element saves the pk1;
  • the second network element sends the identifier of the private network to the first network element;
  • the second network element sends the pk1 to the third network;
  • the first network element sends a user subscription data acquisition request for the terminal device to the third network according to the identifier of the private network;
  • the first network element receives the user subscription data acquisition response returned by the third network, where the user subscription data acquisition response includes the first user subscription data of the terminal device in the private network; and the first network element sends the first user subscription data to the terminal device.
  • the authentication request further includes a hidden user identifier, and the hidden user identifier includes the pk1.
  • the authentication request further includes an online indication, where the online indication is used to indicate that the type of the authentication request is an online service, and the second network element storing the pk1 includes: the second network element saves the pk1 according to the online indication.
  • before the second network element sends the identifier of the private network to the first network element, the method further includes: the first network element receives a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type, and a slice identifier; the first network element determines the first authentication server in the first network according to the registration request; and the first network element sends the authentication request of the terminal device to the second network through the first authentication server.
  • wherein determining the first authentication server according to the registration request includes: the user hidden identifier includes the identifier of the second network, and the first authentication server is determined according to the identifier of the second network; or the user hidden identifier includes a routing indication, and the first authentication server is determined according to the routing indication; or the first authentication server is determined according to the online indication, where the online indication is used to indicate that the type of the registration request is an online service; or the first authentication server is determined according to the registration type, where the registration type is an online service; or the first authentication server is determined according to the slice identifier.
  • the registration request includes the first public key pk1, and before the second network element sends the identifier of the private network to the first network element, the method further includes: the first network element sends the pk1 to the second network element; and the first user subscription data is obtained by encrypting the second user subscription data by using the pk1.
  • the registration request includes a hidden user identifier
  • the hidden user identifier includes the pk1.
  • the AMF entity is mainly responsible for signaling processing, such as access control, mobility management, attach and detach, gateway selection, and other functions.
  • when the AMF entity provides services for a session of the terminal, it provides control-plane storage resources for the session, to store the session identifier, the identifier of the session management function (SMF) entity associated with the session identifier, and the like.
  • SMF session management function
  • the UDM entity is mainly used to manage user subscription information.
  • the DCS includes information that can be used to verify terminal equipment. For example, if the terminal device includes only the manufacturer's credential, the DCS includes information (ie, the root certificate) that can verify the manufacturer's credential.
  • the DCS can pass the authentication information to the authentication service function (AUSF) entity, or it can perform the authentication itself.
  • AUSF authentication service function
  • the PS is an entity used to provide the SNPN identity; it can obtain the user subscription data of the SNPN from the SNPN and send the SNPN identifier to the terminal device.
  • the above functional entity is only a name, and the name itself does not limit the entity.
  • the mobility management function entity may also be replaced by "mobility management function" or other names.
  • the mobility management function entity may also correspond to an entity including other functions besides the mobility management function.
  • the unified data management function entity may also be replaced by "unified data management function" or other names, and the unified data management function entity may also correspond to an entity that includes other functions in addition to the unified data management function.
  • a unified description is provided here, and details are not repeated below.
  • the terminal device accesses the network through a radio access network (RAN) device or an access network (AN) device.
  • the RAN device is mainly the wireless network device in the 3GPP network, and the AN may be the access network device defined by non-3GPP.
  • the terminal device in this embodiment of the present application may refer to an access terminal, a subscriber unit, a subscriber station, a mobile station, a relay station, a remote station, a remote terminal, a mobile device, a user terminal, user equipment, a wireless communication device, a user agent, a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with a wireless communication function, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network, a terminal device in a future evolved public land mobile network (PLMN), or a terminal device in the future Internet of Vehicles, etc., which is not limited in this embodiment of the present application.
  • the terminal device may be a mobile phone, a tablet computer, a computer with a wireless transceiver function, a virtual reality terminal device, an augmented reality terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in remote surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, etc.
  • a wearable device may also be referred to as a wearable smart device, which is a general term for wearable devices developed by applying wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes.
  • a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not only a hardware device, but also implements powerful functions through software support, data interaction and cloud interaction.
  • generalized wearable smart devices include devices that are full-featured and large-sized and can implement all or part of their functions without relying on a smartphone, such as smart watches or smart glasses, and devices that focus on only one type of application function and need to be used together with other devices such as a smartphone.
  • the terminal device may also be a terminal device in an Internet of Things (IoT) system.
  • IoT Internet of Things
  • the IoT technology can achieve massive connections, deep coverage, and power saving of terminals through, for example, a narrow band (narrow band, NB) technology.
  • NB narrow band
  • the terminal device may also include sensors such as smart printers, train detectors, and gas stations, and its main functions include collecting data (for some terminal devices), receiving control information and downlink data from access network devices, and sending electromagnetic waves to transmit uplink data to access network devices.
  • the access network device in this embodiment of the present application may be any communication device with a wireless transceiver function that is used to communicate with a terminal device.
  • the access network equipment includes but is not limited to: an evolved node B (eNB), a baseband unit (BBU), an access point (AP) in a wireless fidelity (WIFI) system, a wireless relay node, a wireless backhaul node, a transmission point (TP) or a TRP, etc.
  • the access network device may also be a gNB, TRP or TP in the 5G system, or one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in the 5G system.
  • the access network device may also be a network node that constitutes a gNB or a TP, such as a BBU, or a distributed unit (distributed unit, DU).
  • a gNB may include a centralized unit (CU) and a DU.
  • the gNB may also include an active antenna unit (active antenna unit, AAU).
  • the CU implements part of the functions of the gNB, and the DU implements another part of the functions of the gNB.
  • the CU is responsible for processing non-real-time protocols and services, and implementing functions of radio resource control (RRC) and packet data convergence protocol (PDCP) layers.
  • RRC radio resource control
  • PDCP packet data convergence protocol
  • the DU is responsible for processing physical layer protocols and real-time services, and implementing the functions of the radio link control (RLC) layer, the media access control (MAC) layer, and the physical (PHY) layer.
  • RLC radio link control
  • MAC media access control
  • PHY physical layer
  • the access network device may be a device including one or more of a CU node, a DU node, and an AAU node.
  • the access network device and the terminal device in the embodiment of the present application may communicate through licensed spectrum, may also communicate through unlicensed spectrum, or may communicate through licensed spectrum and unlicensed spectrum at the same time.
  • the access network equipment and the terminal equipment can communicate through the frequency spectrum below 6 GHz (gigahertz, GHz), and can also communicate through the frequency spectrum above 6 GHz, and can also use the frequency spectrum below 6 GHz and the frequency spectrum above 6 GHz for communication at the same time.
  • the embodiments of the present application do not limit the spectrum resources used between the access network device and the terminal device 101 .
  • the terminal equipment and network equipment in the embodiments of the present application can be deployed on land, including indoor or outdoor, handheld or vehicle mounted; can also be deployed on water; and can also be deployed on aircraft, balloons, and artificial satellites in the air.
  • the embodiments of the present application do not limit the application scenarios of the terminal device and the network device.
  • the terminal device or the network device includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer.
  • This hardware layer includes hardware such as central processing unit (CPU), memory management unit (MMU), and memory (also called main memory).
  • the operating system may be any one or more computer operating systems that implement business processing through processes, such as a Linux operating system, a Unix operating system, an Android operating system, an iOS operating system, or a Windows operating system.
  • the application layer includes applications such as browsers, address books, word processing software, and instant messaging software.
  • the embodiments of the present application do not specifically limit the specific structure of the execution body of the methods provided by the embodiments of the present application, as long as it can run a program that records the code of the methods provided by the embodiments of the present application.
  • the execution subject of the method provided by the embodiment of the present application may be a terminal device or a network device, or a functional module in the terminal device or network device that can call and execute a program.
  • the related functions of the terminal device, the first network element, and the second network element in the embodiments of the present application may be implemented by one device, jointly implemented by multiple devices, or implemented by one or more functional modules in one device, which is not specifically limited in this embodiment of the present application.
  • It is to be understood that the above-mentioned functions may be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • FIG. 3 is a schematic flowchart of a method for acquiring user subscription data according to an embodiment of the present application.
  • the method may include the following steps:
  • the UE generates a first public key pk1 and a first private key sk1 (public key, pk; secret key, sk).
  • the UE generates a public-private key pair pk1 and sk1, and can use sk1 to decrypt the data encrypted by pk1.
  • the UE can generate the public and private key pairs pk1 and sk1 in the following ways:
  • the UE may generate a public-private key pair pk1 and sk1 for calculating a subscriber concealed identifier (SUCI).
  • the UE uses sk1 to encrypt the subscription permanent identifier (SUPI) to obtain the SUCI.
  • SUPI subscription permanent identifier
  • the UE may also generate the public-private key pairs pk1 and sk1 automatically and independently, instead of generating the public-private key pairs pk1 and sk1 when calculating the SUCI.
  • the UE sends a registration request to a first network element in the first network, where the registration request includes pk1.
  • the first network element receives the registration request.
  • the first network is the online network
  • the second network is the network where the DCS/UDM is located
  • the third network is the network where the PS is located.
  • the registration request is used to request registration with the online network. What the UE performs through the first network is an online service, that is, the UE requests through the first network that its user subscription data be delivered to it, so that the UE can go online on the private network.
  • the UE sends a registration request to the first network element in the first network.
  • the first network element may be, for example, an AMF.
  • the registration request includes pk1.
  • the first network element sends an authentication request for the UE to a second network element in the second network, where the authentication request includes pk1.
  • the second network element receives the authentication request for the UE from the first network.
  • the first network element learns that the registration request is a request to register on the online network to access the private network, and the second network performs authentication for the UE accessing the private network. Therefore, the first network element sends an authentication request for the UE to the second network element in the second network.
  • the authentication request is used to request that authentication be performed on the UE.
  • the authentication request includes pk1 so that the pk1 is passed to the second network element.
  • the second network element stores pk1.
  • the second network element receives the authentication request sent by the first network element and recognizes from it that the request relates to an online service, so that the second network element stores the pk1 carried in the authentication request.
  • the second network element sends the identifier of the private network to the first network element.
  • the first network element receives the identifier of the private network.
  • the second network element performs authentication on the UE, and after the authentication is passed, the identifier of the private network is sent to the first network element.
  • the identifier of the private network is used to uniquely identify the private network.
  • the online network can serve multiple private networks and can be connected to PSs corresponding to multiple private networks. Therefore, by acquiring the identifier of the private network, the first network element can select an appropriate PS from which to obtain the user subscription data.
  • the second network element sends pk1 to the PS in the third network. Accordingly, the PS receives the pk1.
  • after receiving the pk1, the second network element delivers the pk1 to the PS in the third network.
  • there is no fixed execution order between steps S104 and S105: S104 may be executed first and then S105, S105 may be executed first and then S104, or S104 and S105 may be executed simultaneously.
  • alternatively, the first network element may send the pk1 to the PS in the third network in the following step S106, or, after step S106, the PS may actively request the key, that is, the pk1, from the AMF.
  • the first network element sends a request for obtaining user subscription data of the UE to the PS in the third network according to the identifier of the private network. Accordingly, the PS receives the user subscription data acquisition request.
  • the first network element may request the PS in the third network for user subscription data of the UE according to the identity of the private network.
  • the first network element requests to acquire user subscription data of the UE, so that the UE can access the private network.
  • the PS returns a user subscription data acquisition response to the first network element, where the user subscription data acquisition response includes the first user subscription data of the UE in the private network.
  • the first network element receives the user subscription data acquisition response, and parses and acquires the first user subscription data carried in the response.
  • the PS can receive the user subscription data acquisition request.
  • the PS acquires the second user subscription data of the UE.
  • the PS obtains the public key pk1 of the UE and can use pk1 to encrypt the second user subscription data to obtain the first user subscription data, so as to protect the second user subscription data, prevent the user subscription data from being stolen, and improve the security of communication.
  • the first network element sends the first user subscription data to the UE.
  • the UE receives the first user subscription data.
  • the first network element sends the first user subscription data to the UE, where the first user subscription data is encrypted data, so that the first user subscription data can be protected.
  • the UE decrypts the first user subscription data using sk1 to obtain the second user subscription data.
  • after receiving the first user subscription data, the UE decrypts it using the sk1 corresponding to pk1 and obtains the second user subscription data. Therefore, the UE can access the above-mentioned private network based on the second user subscription data and complete the process of going online.
  • the second network element in the second network authenticates the UE and sends the identifier of the private network that the UE can access to the first network element in the first network, so that the first network element can obtain the first user subscription data from the third network according to the identifier of the private network; the first user subscription data is encrypted subscription data, so that the acquisition of the user subscription data is protected and theft of the user subscription data is avoided, which improves communication security; and by acquiring the private network identifier from the second network element, the first network element can acquire the correct user subscription data from a suitable PS.
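The exchange summarized for the communication system 100 above and walked through step by step in FIG. 3, as an added example in Go that is not part of the patent: the UE generates pk1 and sk1, the AMF and the DCS relay pk1 to the PS, the PS encrypts the second user subscription data under pk1 to obtain the first user subscription data, and only the holder of sk1 can open the result. The patent fixes no encryption algorithm, so an ECIES-style construction (ephemeral P-256 ECDH, SHA-256 key derivation, AES-256-GCM) is assumed here; the private network identifier, the subscription record and the element names are constructed placeholders, and the DCS's authentication of the UE is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const samplePrivateNetworkID = "SNPN-EXAMPLE-1" // constructed sample value, not from the patent
const ephPubLen = 65                              // uncompressed P-256 point from PublicKey.Bytes()
var curve = ecdh.P256()

// UE holds the first key pair (pk1, sk1) generated before registration.
type UE struct{ sk1 *ecdh.PrivateKey }

func NewUE() (*UE, error) {
	sk1, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &UE{sk1: sk1}, nil
}

// PS is the provisioning server's table: private network id -> second user subscription data.
type PS map[string][]byte

// aeadFor parses an encoded peer key, runs ECDH with priv and derives AES-256-GCM from SHA-256 of the secret.
func aeadFor(priv *ecdh.PrivateKey, peer []byte) (cipher.AEAD, error) {
	pub, err := curve.NewPublicKey(peer) // rejecting a malformed key is the first check both sides do
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail here
	return cipher.NewGCM(block)
}

// SealToPk1 is the PS side: ECIES-style encryption under pk1 (ephemeral ECDH + AES-GCM; the
// patent fixes no algorithm). Output layout: ephemeral public key || nonce || ciphertext+tag.
func SealToPk1(pk1, second []byte) ([]byte, error) {
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(eph, pk1)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephBytes := eph.PublicKey().Bytes()
	return aead.Seal(append(append([]byte{}, ephBytes...), nonce...), nonce, second, ephBytes), nil
}

// OpenWithSk1 is the UE side. A wrong sk1, or tampering by any element on the path, makes GCM reject it.
func (u *UE) OpenWithSk1(first []byte) ([]byte, error) {
	if len(first) < ephPubLen+12 {
		return nil, fmt.Errorf("first user subscription data too short: %d bytes", len(first))
	}
	aead, err := aeadFor(u.sk1, first[:ephPubLen])
	if err != nil {
		return nil, err
	}
	n := ephPubLen + aead.NonceSize()
	return aead.Open(nil, first[ephPubLen:n], first[n:], first[:ephPubLen])
}

// Onboard walks the FIG. 3 exchange; it returns the first (encrypted) and second (decrypted) data.
func Onboard(ue *UE, ps PS) (first, second []byte, err error) {
	psPk1 := ue.sk1.PublicKey().Bytes()        // UE -> AMF (registration) -> DCS (authentication request, stored) -> PS
	privateNetworkID := samplePrivateNetworkID // DCS -> AMF after authenticating the UE (not modelled)
	secondData, ok := ps[privateNetworkID]     // AMF picks the PS by that identifier and requests the data
	if !ok {
		return nil, nil, fmt.Errorf("no subscription data for %s", privateNetworkID)
	}
	if first, err = SealToPk1(psPk1, secondData); err != nil { // PS -> AMF: encrypted with pk1
		return nil, nil, err
	}
	second, err = ue.OpenWithSk1(first) // AMF -> UE: opaque to the AMF; decrypted with sk1
	return first, second, err
}

func main() {
	ue, err := NewUE()
	if err != nil {
		panic(err)
	}
	_, second, err := Onboard(ue, PS{samplePrivateNetworkID: []byte("constructed subscription record")})
	fmt.Println(string(second), err)
}
```

Because the first user subscription data is AEAD-protected, the AMF that forwards it can neither read nor silently alter it, which is the property the description relies on; the UE side also rejects truncated input and data sealed to a different pk1.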
  • FIG. 4 is a schematic flowchart of another method for acquiring user subscription data provided by an embodiment of the present application.
  • the method may include the following steps:
  • the UE presets the PS public key pk2.
  • the public key pk2 for encrypted communication with the PS can be preset.
  • the UE may also preset a PS certificate, where the PS certificate includes the PS public key pk2.
  • the PS can likewise be preset with the public-private key pair pk2 and sk2.
  • the UE generates a public-private key pair pk1 and sk1.
  • the UE can generate the public and private key pairs pk1 and sk1 in the following ways:
  • the UE may generate a public-private key pair pk1 and sk1 for calculating SUCI.
  • the UE uses sk1 to encrypt SUPI to obtain SUCI.
  • the UE may also generate the public-private key pairs pk1 and sk1 automatically and independently, instead of generating the public-private key pairs pk1 and sk1 when calculating the SUCI.
  • the UE sends a registration request to the AMF in the onboarding network. Accordingly, the AMF receives the registration request.
  • the registration request is used to request registration to the online network.
  • the registration request includes SUCI, and may further include at least one of the following: an onboarding indication, a registration type, and a slice identifier.
  • the online indication is used to indicate that the type of the registration request is an online service.
  • the SUCI includes the above pk1.
  • the registration type is an online service.
  • the slice identifier is used to indicate the identifier of the network slice where the private network that the UE requests to register is located.
  • the AMF determines the first authentication server (AUSF1/AUSF1*) in the first network according to the registration request.
  • the AMF receives the registration request of the UE, and generally sends the registration request to the AUSF of the network where the AMF is located for subsequent processing.
  • the AMF determines, according to the received registration request, that an online service is to be performed, and then determines the first authentication server of its network; the first authentication server submits the authentication request to the party managing authentication for the online service, that is, the second network, which is used to authenticate the UE.
  • the AMF determines the first authentication server in the first network according to the registration request, which can be implemented in the following ways:
  • the SUCI includes an identifier of the second network, and the first authentication server is determined according to the identifier of the second network.
  • the identifier of the second network may be a DCS ID, or an ID of a network where the DCS is located, or an ID of a DCS administrator (for example, a vendor ID). That is, according to the identifier of the second network, the AMF determines that the second network needs to authenticate the UE, and then determines the first authentication server (AUSF1) of the network, or selects an AUSF (AUSF1*) dedicated to the online service.
  • AUSF1 first authentication server
  • the SUCI includes a routing indicator (RI), and the first authentication server is determined according to the routing indicator.
  • the routing indication is used to indicate routing to the SNPN.
  • the AMF determines that it is an online service and that the second network needs to authenticate the UE, and then determines the first authentication server (AUSF1) of the network or selects an AUSF (AUSF1*) dedicated to the online service.
  • the first authentication server is determined according to an online indication, where the online indication is used to indicate that the type of the registration request is an online service.
  • the AMF determines that it is an online service, and determines that the second network needs to authenticate the UE, then determines the first authentication server (AUSF1) of the network, or selects an AUSF (AUSF1*) dedicated to the online service.
  • the first authentication server is determined according to a registration type, where the registration type is an online service.
  • the existing UE registration types include: initial registration, mobility registration, and periodic registration.
  • This embodiment proposes a new registration type: online service.
  • the AMF determines that the online service is to be performed, and determines that the second network needs to authenticate the UE, then determines the first authentication server (AUSF1) of the network, or selects an AUSF (AUSF1*) dedicated to the online service.
  • the first authentication server is determined according to the slice identifier.
  • the slice identifier is used to indicate the identifier of the network slice where the private network that the UE requests to register with is located, so that the AMF determines that the UE is performing an online service and that the second network is required to authenticate the UE, and then determines the first authentication server (AUSF1) of the network or selects an AUSF (AUSF1*) dedicated to the online service.
  • After determining the first authentication server, the AMF sends an authentication request for the UE to the first authentication server.
  • the authentication request is used to request that the UE be authenticated.
  • the authentication request includes SUCI, and may also include an on-line indication.
  • the first authentication server receives the authentication request.
  • the SUCI includes the above pk1.
  • the first authentication server determines, according to the authentication request, to forward the authentication request to the second network.
  • the first authentication server determines, according to the authentication request, that the online service is to be performed, and then determines to forward the authentication request to the second network.
  • the first authentication server forwards the authentication request to the AUSF2 of the second network.
  • the authentication request is used to request that the UE be authenticated.
  • the authentication request includes SUCI, and may also include an on-line indication.
  • AUSF2 forwards the authentication request to the UDM/DCS of the second network.
  • the UDM/DCS of the second network receives the authentication request.
  • the UDM/DCS of the second network decrypts the SUPI from the SUCI, and extracts the pk1 in the SUCI and saves it.
  • the UDM/DCS of the second network obtains the SUCI carried in the authentication request, and can decrypt the SUPI.
  • when the UDM/DCS of the second network receives the authentication request, because the authentication request also includes an online indication, which is used to indicate that the type of the authentication request is an online service, the UDM/DCS saves the pk1 according to the online indication.
  • the AMF obtains the SUPI of the UE.
  • subsequent signaling between the first network and the second network concerning the UE may be based on the SUPI.
  • the UDM/DCS of the second network sends pk1 to the PS of the third network. Accordingly, the PS receives the pk1.
  • After the UE is authenticated by the UDM/DCS of the second network, the UDM/DCS can send pk1 to the PS in the third network, so that the PS can subsequently use pk1 to encrypt data.
  • When the UDM/DCS pushes the key, the push can also carry the generic public subscription identifier (GPSI) together with pk1, and may further carry a serving network name. The GPSI corresponds to the SUPI.
  • the UDM/DCS of the second network actively pushes pk1 to the PS in the third network.
  • Alternatively, pk1 may be carried when the AMF in the first network requests the user subscription data from the PS in the third network in the following step S212.
  • Alternatively, when the PS in the third network receives the user subscription data acquisition request, it requests the key from the UDM/DCS of the second network, and the UDM/DCS of the second network then sends this pk1 to the PS in the third network.
  • the AMF in the first network sends a first acquisition request to the UDM/DCS of the second network, where the first acquisition request includes SUPI and may also include an online indication.
  • the UDM/DCS of the second network receives the first acquisition request.
  • the online network can serve multiple private networks, and can be connected to PSs corresponding to multiple private networks. Therefore, the AMF in the first network sends a first acquisition request to the UDM/DCS of the second network to acquire the identifier of the private network, so that the first network element can select an appropriate PS from which to obtain the user subscription data.
  • After the UDM/DCS of the second network authenticates the UE, it may send the identifier of the private network that the UE can access to the AMF.
  • the UDM/DCS of the second network acquires the identifier of the private network according to the online instruction or the local configuration.
  • the UDM/DCS searches for the identity of the private network that the UE can access according to the SUPI, and obtains the identity of the private network (ie, the SNPN ID) according to the online instruction or local configuration.
  • the SNPN is identified by an SNPN ID, which consists of a public land mobile network (PLMN) ID and a network identifier (NID).
  • the PLMN ID can be an inherent value reserved by a third-party operator, or can be a specific value of the PLMN operator that deploys this SNPN.
  • the UDM/DCS searches for the identifiers of multiple private networks that the UE can access according to the SUPI, determines the private network that the UE requests to perform the online service according to the online instruction, and obtains the identifiers of the private network.
  • the identifier of the private network is one or more of the identifiers of the above-mentioned multiple private networks.
  • the UDM/DCS searches the identities of multiple private networks that the UE can access according to the SUPI, and determines the identities of the private networks that the UE is allowed to access according to the local configuration, so as to obtain the identities of the private networks that the UE is allowed to access.
  • the UDM/DCS of the second network sends a first acquisition response to the AMF, where the first acquisition response includes the SUPI, the identifier of the private network, and may also include pk1. Accordingly, the AMF receives the first acquisition response.
  • the AMF in the first network sends a request for obtaining user subscription data of the UE to the PS in the third network according to the identifier of the private network.
  • the PS in the third network receives the user subscription data acquisition request.
  • After acquiring the identifier of the private network, the AMF can request the user subscription data of the UE from the PS in the third network according to the identifier of the private network.
  • the user subscription data acquisition request includes GPSI. Further, it may also include pk1, online indication, service network name.
  • the PS in the third network encrypts the second user subscription data with pk1 to obtain the first user subscription data, and uses sk2 to sign the first user subscription data.
  • After receiving the user subscription data acquisition request, the PS searches for the second user subscription data of the UE according to the GPSI, and encrypts the second user subscription data with the acquired pk1 corresponding to the UE to obtain the first user subscription data, which protects the second user subscription data from being stolen. Further, the sk2 preset in the PS in step S200b can also be used to sign the first user subscription data, which protects the first user subscription data from being tampered with.
  • the PS in the third network sends a user subscription data acquisition response to the AMF in the first network.
  • the user subscription data acquisition response includes the signed first user subscription data.
  • the AMF in the first network receives the user subscription data acquisition response.
  • the PS delivers the signed first user subscription data through the control plane. Specifically, the PS sends a user subscription data acquisition response to the UE through the AMF in the first network.
  • the user subscription data acquisition response includes the signed first user subscription data.
  • the AMF in the first network delivers the signed first user subscription data through a UE configuration update (UCU) procedure.
  • the UE receives the signed first user subscription data.
  • the UE uses pk2 to verify the signature, and after the signature verification is passed, it then uses sk1 to decrypt the first user subscription data to obtain the second user subscription data.
  • After receiving the user subscription data acquisition response, the UE extracts the signed first user subscription data carried therein, verifies the signature with the pk2 preset in the UE in step S200a, and after the signature verification passes, decrypts the first user subscription data with sk1 to obtain the second user subscription data.
  • the UE sends a UCU response to the AMF in the first network. Accordingly, the AMF receives the UCU response.
  • the UCU response is used to indicate that the UE has successfully received the user subscription data acquisition response.
  • In this embodiment, the second network element in the second network authenticates the UE and sends the identifier of the private network that the UE can access to the first network element in the first network, so that the first network element can obtain the first user subscription data from the third network according to the identifier of the private network and deliver it to the UE through the control plane. Because the first user subscription data is encrypted, the acquisition of the user subscription data is protected, stealing and tampering of the user subscription data are avoided, and the security of communication is improved; and by obtaining the private network identifier from the second network element, the first network element can obtain the correct user subscription data from the appropriate PS.
  • FIG. 5 is a schematic flowchart of another method for acquiring user subscription data provided by an embodiment of the present application.
  • the method may include the following steps:
  • the UE presets the PS public key pk2.
  • For the specific implementation of this step, reference may be made to step S200a of the embodiment shown in FIG. 4.
  • For the specific implementation of this step, reference may be made to step S200b of the embodiment shown in FIG. 4.
  • the UE generates a public-private key pair pk1 and sk1.
  • For the specific implementation of this step, reference may be made to step S201 of the embodiment shown in FIG. 4.
  • the UE sends a registration request to the AMF in the onboarding network, where the registration request includes the SUCI and may also include an onboarding indication. Accordingly, the AMF receives the registration request.
  • step S202 for the specific implementation of this step, reference may be made to step S202 in the embodiment shown in FIG. 4 .
  • the AMF determines the first authentication server (AUSF1/AUSF1*) in the first network according to the registration request.
  • step S203 for the specific implementation of this step, reference may be made to step S203 in the embodiment shown in FIG. 4 .
  • the AMF sends an authentication request for the UE to the first authentication server.
  • the authentication request includes SUCI, and may also include an on-line indication.
  • the first authentication server receives the authentication request.
  • For the specific implementation of this step, reference may be made to step S204 in the embodiment shown in FIG. 4.
  • the first authentication server determines, according to the authentication request, to forward the authentication request to the second network.
  • For the specific implementation of this step, reference may be made to step S205 in the embodiment shown in FIG. 4.
  • the first authentication server forwards the authentication request to the AUSF2 of the second network.
  • the authentication request includes SUCI, and may also include an on-line indication.
  • AUSF2 forwards the authentication request to the UDM/DCS of the second network.
  • the UDM/DCS of the second network receives the authentication request.
  • For the specific implementation of this step, reference may be made to step S206 in the embodiment shown in FIG. 4.
  • the UDM/DCS of the second network decrypts the SUPI from the SUCI, and extracts the pk1 in the SUCI and saves it.
  • For the specific implementation of this step, reference may be made to step S207 in the embodiment shown in FIG. 4.
  • the AMF obtains the SUPI of the UE.
  • the AMF sends a second acquisition request to the UDM/DCS of the second network, where the second acquisition request includes SUPI and may also include an online indication.
  • the UDM/DCS of the second network receives the second acquisition request.
  • the second acquisition request is used to acquire the identifier of the private network that the UE can access.
  • For the specific implementation of this step, reference may be made to step S209 in the embodiment shown in FIG. 4.
  • the UDM/DCS of the second network obtains the identifier of the private network according to the online instruction or according to the local configuration.
  • For the specific implementation of this step, reference may be made to step S210 in the embodiment shown in FIG. 4.
  • steps S308 and S309 are optional steps, which are represented by dotted lines in the figure.
  • In this embodiment, the user subscription data is delivered through the user plane. Therefore, the SMF also obtains the identifier of the private network from the UDM/DCS of the second network, as described in steps S314 and S315.
  • the UDM/DCS of the second network sends a second acquisition response to the AMF, where the second acquisition response includes SUPI, the identity of the private network, and may also include pk1. Accordingly, the AMF receives the second acquisition response.
  • For the specific implementation of this step, reference may be made to step S211 of the embodiment shown in FIG. 4.
  • the AMF of the first network sends a registration response to the UE. Accordingly, the UE receives the registration response.
  • the registration response is used to indicate registration success or failure.
  • After the UE completes registration with the third network, it may establish a protocol data unit (PDU) session with the third network.
  • S312 The UE sends a PDU session establishment request to the AMF of the first network. Accordingly, the AMF of the first network receives the PDU session establishment request.
  • the AMF of the first network sends a PDU session establishment request to the SMF of the second network.
  • the PDU session establishment request includes SUPI/GPSI, and may also include the identity of the private network, pk1. Accordingly, the SMF of the second network receives the PDU session establishment request, and establishes the PDU session.
  • the SMF of the second network sends a third acquisition request to the UDM/DCS of the second network, where the third acquisition request includes SUPI and may also include an online indication.
  • the UDM/DCS of the second network receives the third acquisition request.
  • the third acquisition request is used to request to acquire the identifier of the private network accessible to the UE.
  • the UDM/DCS of the second network searches for the identifier of the private network accessible to the UE and the pk1 according to the SUPI in the third acquisition request, and sends the identifier of the private network and the pk1 to the SMF.
  • the UDM/DCS of the second network sends a third acquisition response to the SMF of the second network, where the third acquisition response includes SUPI, the identity of the private network, and may also include pk1.
  • the SMF of the second network sends pk1 to the PS of the third network. Accordingly, the PS of the third network receives the pk1.
  • pk1 can be pushed to the PS of the third network through the SMF of the second network when the session is established.
  • the SMF of the second network may push pk1 to the PS of the third network.
  • the key push carries GPSI, pk1, and may also include the service network name.
  • the SMF of the second network may send a key acquisition response to the PS of the third network after receiving the key acquisition request of the PS of the third network.
  • the key acquisition request includes GPSI, and may also include service network name, online indication, and the like.
  • the key acquisition response includes GPSI, pk1.
  • S317 The PS encrypts the second user subscription data with pk1 to obtain the first user subscription data, and uses sk2 to sign the first user subscription data.
  • For the specific implementation of this step, reference may be made to step S213 in the embodiment shown in FIG. 4.
  • Receiving the pk1 sent by the SMF triggers the PS to send a user subscription data acquisition response to the UE.
  • the user subscription data acquisition response includes the signed first user subscription data.
  • the UE receives the user subscription data acquisition response.
  • the PS sends the user subscription data acquisition response to the UE through the established session channel, that is, through the user plane.
  • the UE uses pk2 to verify the signature, and after the signature verification is passed, uses sk1 to decrypt the first user subscription data to obtain the second user subscription data.
  • For the specific implementation of this step, reference may be made to step S216 in the embodiment shown in FIG. 4.
  • In this embodiment, the second network element in the second network authenticates the UE and sends the identifier of the private network that the UE can access to the first network element in the first network, so that the first network element can obtain the first user subscription data from the third network according to the identifier of the private network and deliver it to the UE through the user plane. Because the first user subscription data is encrypted, the acquisition of the user subscription data is protected, stealing and tampering of the user subscription data are avoided, and the security of communication is improved; and by obtaining the private network identifier from the second network element, the first network element can obtain the correct user subscription data from the appropriate PS.
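The key handling that the FIG. 4 flow (steps S213 and S216, control-plane delivery) and the FIG. 5 flow (step S317 and the user-plane delivery above) have in common, as an added Go example. This is not code from the patent or from the applicant, and the patent fixes no concrete algorithms; the choices below are assumptions made for the example: pk1/sk1 is an X25519 key pair, pk2/sk2 is an Ed25519 key pair, the AES-256-GCM key is derived by hashing the ECDH shared secret (a simplified KDF), and the `ProtectedData` struct stands in for the signed first user subscription data. The names `UE`, `PS`, `NewUE`, `Protect`, `Recover` and `sessionAEAD` are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Assumed algorithms (the patent fixes none): pk1/sk1 is an X25519 pair the UE generates in
// step S201; pk2/sk2 is an Ed25519 pair of the provisioning server (PS), pk2 preset in the
// UE (S200a) and sk2 in the PS (S200b).
type UE struct {
	sk1 *ecdh.PrivateKey
	pk2 ed25519.PublicKey
}
type PS struct {
	sk2 ed25519.PrivateKey
	pk1 []byte // pk1 bytes as received in the UDM/DCS (S208) or SMF (S316) key push
}

// ProtectedData is the signed "first user subscription data" carried in the acquisition response.
type ProtectedData struct {
	EphemeralPub []byte // 32-byte ephemeral X25519 public key of the PS for this message
	Ciphertext   []byte // second user subscription data encrypted under pk1 (AES-256-GCM)
	Signature    []byte // Ed25519 signature by sk2 over EphemeralPub || Ciphertext
}

// NewUE performs step S201 (generate pk1/sk1) for a UE that has pk2 preset.
func NewUE(pk2 ed25519.PublicKey) (*UE, error) {
	sk1, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &UE{sk1: sk1, pk2: pk2}, nil
}

// PK1 is the public key the UE places in the SUCI of its registration request (step S202).
func (u *UE) PK1() []byte { return u.sk1.PublicKey().Bytes() }

// signedFields returns the bytes covered by the PS signature (EphemeralPub has a fixed
// length, so the plain concatenation is unambiguous).
func signedFields(d *ProtectedData) []byte {
	return append(append([]byte{}, d.EphemeralPub...), d.Ciphertext...)
}

// sessionAEAD derives AES-256-GCM from the X25519 shared secret; hashing the secret is a
// simplified KDF for this example. Every message uses a fresh ephemeral key, so the callers
// use a fixed all-zero nonce (single-shot use, as in HPKE).
func sessionAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect performs step S213 / S317: encrypt with pk1, then sign the result with sk2.
func (p *PS) Protect(second []byte) (*ProtectedData, error) {
	pk1, err := ecdh.X25519().NewPublicKey(p.pk1)
	if err != nil {
		return nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(eph, pk1)
	if err != nil {
		return nil, err
	}
	d := &ProtectedData{EphemeralPub: eph.PublicKey().Bytes()}
	d.Ciphertext = aead.Seal(nil, make([]byte, aead.NonceSize()), second, nil)
	d.Signature = ed25519.Sign(p.sk2, signedFields(d))
	return d, nil
}

// Recover performs step S216: verify with pk2 first; decrypt with sk1 only if that passes.
func (u *UE) Recover(d *ProtectedData) ([]byte, error) {
	if !ed25519.Verify(u.pk2, signedFields(d), d.Signature) {
		return nil, errors.New("signature check failed: data not from the PS or tampered")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(d.EphemeralPub)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(u.sk1, ephPub)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), d.Ciphertext, nil)
}
```

Usage follows the order of the text: generate the PS pair with ed25519.GenerateKey, build the UE with NewUE(pk2), hand ue.PK1() to a PS{sk2: sk2, pk1: ...} (the path the SUCI, the UDM/DCS and the key push take), call ps.Protect(secondData) and finally ue.Recover(d). Recover checks the signature with pk2 before touching the ciphertext, so a byte flipped in transit, or a response signed by a PS whose key the UE does not hold, is rejected before any decryption with sk1 is attempted.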
  • the methods and/or steps implemented by the terminal device may also be implemented by components (such as chips or circuits) that can be used in the terminal device; the methods and/or steps implemented by the first network element may also be implemented by components (such as chips or circuits) that can be used in the first network element; and the methods and/or steps implemented by the second network element may also be implemented by components (such as chips or circuits) that can be used in the second network element.
  • an embodiment of the present application further provides an apparatus, and the apparatus is used to implement the above-mentioned various methods.
  • the apparatus may be a terminal device, a first network element, and a second network element in the foregoing method embodiments.
  • the apparatus includes corresponding hardware structures and/or software modules for executing each function.
  • the present application can be implemented in hardware or a combination of hardware and computer software with the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein. Whether a function is performed by hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.
  • the device may be divided into functional modules according to the above method embodiments.
  • each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
  • the above-mentioned integrated modules can be implemented in the form of hardware, and can also be implemented in the form of software function modules. It should be noted that, the division of modules in the embodiments of the present application is schematic, and is only a logical function division, and there may be other division manners in actual implementation.
  • FIG. 6 is a schematic structural diagram of a communication apparatus 200 according to an embodiment of the present application.
  • the communication device 200 includes one or more processors 21, a communication line 22, and at least one communication interface (FIG. 6 shows only one communication interface 24 and one processor 21 by way of example); optionally, a memory 23 may also be included.
  • the processor 21 may be a CPU, a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the present application.
  • the communication line 22 may include a path for connecting between the various components.
  • the communication interface 24 can be a transceiver module for communicating with other devices or communication networks, such as Ethernet, RAN, wireless local area networks (wireless local area networks, WLAN) and the like.
  • the transceiver module may be a device such as a transceiver.
  • the communication interface 24 may also be a transceiver circuit located in the processor 21 to implement signal input and signal output of the processor.
  • the memory 23 may be a device having a storage function. For example, it may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
  • the memory may exist independently and be connected to the processor through the communication line 22 .
  • the memory can also be integrated with the processor.
  • the memory 23 is used for storing computer-executed instructions for executing the solution of the present application, and the execution is controlled by the processor 21 .
  • the processor 21 is configured to execute the computer-executable instructions stored in the memory 23, thereby implementing the method for acquiring user subscription data provided in the embodiments of the present application.
  • the processor 21 may also execute the processing-related functions in the method for obtaining user subscription data provided by the following embodiments of the present application, and the communication interface 24 is responsible for communicating with other devices or communication networks.
  • the embodiment does not specifically limit this.
  • the computer-executed instructions in the embodiments of the present application may also be referred to as application program codes, which are not specifically limited in the embodiments of the present application.
  • the processor 21 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 6 .
  • the communication apparatus 200 may include multiple processors, such as the processor 21 and the processor 27 in FIG. 6 .
  • processors can be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor.
  • a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
  • the communication apparatus 200 may further include an output device 25 and an input device 26 .
  • the output device 25 is in communication with the processor 21 and can display information in a variety of ways.
  • the above-mentioned communication device 200 may be a general-purpose device or a dedicated device.
  • the communication device 200 may be a desktop computer, a portable computer, a web server, a personal digital assistant (PDA), a mobile phone, a tablet computer, a wireless user equipment, an embedded device, or a device with a similar structure in FIG. 6 .
  • This embodiment of the present application does not limit the type of the communication apparatus 200 .
  • FIG. 7 is another schematic structural diagram of an apparatus for acquiring user subscription data provided by an embodiment of the present application.
  • the apparatus for acquiring user subscription data may be the terminal device in the above-mentioned embodiment.
  • the device 300 for acquiring user subscription data includes: a processing unit 31, a sending unit 32 and a receiving unit 33; wherein:
  • the processing unit 31 is configured to generate the first public key pk1 and the first private key sk1;
  • the sending unit 32 is configured to send a registration request to the first network, where the registration request includes the pk1;
  • the receiving unit 33 is configured to receive the first user subscription data, where the first user subscription data is obtained by encrypting the second user subscription data with the pk1;
  • the processing unit 31 is further configured to decrypt the first user subscription data by using the sk1 to obtain the second user subscription data.
  • For the specific implementation of the above-mentioned processing unit 31, sending unit 32 and receiving unit 33, reference may be made to the relevant description of the UE in the embodiments shown in FIG. 3 to FIG. 5.
  • In this embodiment, the device receives the encrypted first user subscription data returned by a third network and decrypts it with the first private key generated by the device itself to obtain the second user subscription data, which protects the acquisition of the user subscription data, prevents the user subscription data from being stolen, and improves the security of communication; and by acquiring the private network identifier from the second network element, the first network element can obtain the correct user subscription data from the appropriate PS.
  • FIG. 8 is another schematic structural diagram of a communication apparatus provided by an embodiment of the present application, where the communication apparatus may be a second network element in the second network in the foregoing embodiment.
  • the communication device 400 includes: a receiving unit 41, a processing unit 42 and a sending unit 43; wherein:
  • a receiving unit 41 configured to receive an authentication request for the terminal device from the first network, where the authentication request includes the first public key pk1;
  • a processing unit 42 configured to save the pk1;
  • a sending unit 43 configured to send the identifier of the private network to the first network;
  • the sending unit 43 is further configured to send the pk1 to the third network.
  • the authentication request further includes an online indication, where the online indication is used to indicate that the type of the authentication request is an online service; the processing unit 42 is configured to save the pk1 according to the online indication.
  • In this embodiment, the device authenticates a terminal device and sends the identifier of a private network accessible to the terminal device to a first network element in a first network, so that the first network element can obtain the first user subscription data from the third network according to the identifier of the private network. Because the first user subscription data is encrypted, the acquisition of the user subscription data is protected, the user subscription data is prevented from being stolen, and the security of communication is improved; and by acquiring the identifier of the private network from the second network element, the first network element can acquire the correct user subscription data from an appropriate PS.
  • FIG. 9 is another schematic structural diagram of a communication apparatus provided by an embodiment of the present application, where the communication apparatus may be a first network element in the first network in the foregoing embodiment.
  • the communication device 500 includes: a receiving unit 51, a processing unit 52 and a sending unit 53; wherein:
  • a receiving unit 51 configured to receive the identifier of the private network from the second network;
  • a processing unit 52 configured to determine the user subscription data acquisition request of the terminal device according to the identifier of the private network;
  • a sending unit 53 configured to send the user subscription data acquisition request to a third network;
  • the receiving unit 51 is further configured to receive a user subscription data acquisition response returned by the third network, where the user subscription data acquisition response includes the first user subscription data of the terminal device in the private network;
  • the sending unit 53 is further configured to send the first user subscription data to the terminal device.
  • the receiving unit 51 is further configured to receive a registration request from the terminal device, where the registration request carries at least one of the following: user hidden identifier, online indication, registration type, slice identifier;
  • the processing unit 52 is further configured to determine a first authentication server in the first network according to the registration request;
  • the sending unit 53 is further configured to send the authentication request of the terminal device to the second network through the first authentication server;
  • the processing unit 52 is specifically configured to: when the user hidden identifier includes the identifier of the second network, determine the first authentication server according to the identifier of the second network; or
  • the processing unit 52 is specifically configured to: when the user hidden identifier includes a routing indication, determine the first authentication server according to the routing indication; or
  • the processing unit 52 is specifically configured to determine the first authentication server according to the online instruction, and the online instruction is used to indicate that the type of the registration request is an online service; or
  • the processing unit 52 is specifically configured to determine the first authentication server according to the registration type, where the registration type is an online service; or
  • the processing unit 52 is specifically configured to determine the first authentication server according to the slice identifier.
  • receiving unit 51 processing unit 52 and sending unit 53 .
  • receiving unit 51 processing unit 52 and sending unit 53 .
  • according to the identifier of the private network received from the second network, the device can select an appropriate PS and obtain the correct user subscription data; further, the device can encrypt the second user subscription data with the received first public key to obtain the first user subscription data and send the first user subscription data, which protects the acquisition of the user subscription data, prevents it from being stolen, and improves communication security.
  • an embodiment of the present application further provides a chip system, including at least one processor and an interface; the at least one processor is coupled to a memory through the interface, and when the at least one processor executes the computer program or instructions in the memory, the method in any of the above method embodiments is performed.
  • the chip system may consist of chips, or may include chips and other discrete devices; this is not specifically limited in the embodiments of the present application.
  • “at least one of” the following items, or a similar expression, refers to any combination of those items, including a single item or several items.
  • for example, “at least one of a, b or c” may represent a, b, c, a and b, a and c, b and c, or a, b and c, where each of a, b and c may be singular or plural.
  • words such as “first” and “second” are used to distinguish items that are the same or similar and have substantially the same function and effect.
  • the words “first”, “second” and the like neither limit quantity nor order of execution, and the items they qualify are not necessarily different.
  • words such as “exemplary” or “for example” are used to present an example, illustration or explanation. Any embodiment or design described in the embodiments of the present application as “exemplary” or “for example” is not to be construed as preferred or advantageous over other embodiments or designs; rather, these words present the related concepts in a specific way to aid understanding.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • when implemented by a software program, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the procedures or functions described in the embodiments of the present application are produced.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data center to another by wire (e.g. coaxial cable, optical fiber or digital subscriber line (DSL)) or wirelessly (e.g. infrared, radio or microwave).
  • the computer-readable storage medium may be any available medium that a computer can access, or a data storage device, such as a server or data center, that integrates one or more such media.
  • the available medium may be a magnetic medium (e.g. floppy disk, hard disk or magnetic tape), an optical medium (e.g. digital versatile disc (DVD)), a semiconductor medium (e.g. solid state disk (SSD)), or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A user subscription data obtaining method and apparatus. A terminal device generates pk1 and sk1 and sends a registration request comprising pk1 to a first network; a first network element in the first network sends an authentication request comprising pk1 for the terminal device to a second network element in a second network, and the second network element sends the identifier of a private network to the first network; the first network element obtains first user subscription data from a third network according to the identifier of the private network, the first user subscription data being obtained by encrypting second user subscription data with pk1; the terminal device decrypts the first user subscription data with sk1 to obtain the second user subscription data. With the solution of the present application, the acquisition of user subscription data is protected, the user subscription data cannot be stolen, and communication security is improved; moreover, by obtaining the identifier of a private network from the second network element, the first network element can obtain the correct user subscription data from an appropriate provisioning server (PS).

Description

Method and device for acquiring user subscription data
This application claims priority to Chinese patent application No. 202010790909.7, entitled "Method and device for acquiring user subscription data" and filed with the China National Intellectual Property Administration on August 7, 2020, the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communication technologies, and in particular to a method and device for acquiring user subscription data.
Background
Fifth-generation (5G) mobile communication technology introduces a new application scenario, the enhanced non-public network (eNPN). An eNPN provides end-to-end resource isolation and a dedicated access network for vertical industries, so that an industry customer has exclusive use of its resources. It can also support local area network (LAN) services, meeting the need of enterprises, residential sites, schools and the like for a reliable and stable private network. eNPNs are further divided into fully independently deployed networks, namely standalone non-public networks (SNPN), and non-public networks integrated into a public network (public network integrated non-public network, PNI-NPN), for example a non-public network hosted by a public land mobile network (PLMN).
FIG. 1 is a schematic diagram of the eNPN architecture, which includes user equipment (UE), an onboarding standalone non-public network (O-SNPN), a default credential server (DCS), a provisioning server (PS) and an SNPN. The eNPN offers an onboarding service: the UE onboards to the eNPN, the eNPN obtains the UE's user subscription data for the SNPN from the PS and delivers it to the UE, and the UE can then access the SNPN. An SNPN that has bought devices (such as UEs) from a manufacturer can thus provision them in a unified way instead of one by one. Specifically, in the onboarding procedure of FIG. 1, the UE first accesses the O-SNPN and then connects to the PS. The PS stores the SNPN's user subscription data, or obtains it from the SNPN, and sends the user subscription data to the UE. The UE can then use the new identity from that subscription data to access the SNPN.
However, an SNPN is a private network and imposes high security requirements on UE onboarding. How to protect the acquisition of user subscription data so that it cannot be stolen is therefore a problem to be solved.
Summary
This application provides a method and device for acquiring user subscription data, so as to protect the acquisition of user subscription data.
According to a first aspect, a method for acquiring user subscription data is provided, including: generating a first public key and a first private key; sending a registration request to a first network, the registration request including the first public key; receiving first user subscription data, the first user subscription data being obtained by encrypting second user subscription data with the first public key; and decrypting the first user subscription data with the first private key to obtain the second user subscription data. In this aspect, the terminal device receives the encrypted first user subscription data returned by the third network and decrypts it with the first private key that it generated itself to obtain the second user subscription data, which protects the acquisition of the user subscription data, prevents it from being stolen, and improves communication security; and because the identifier of the private network is obtained from the second network element, the first network element can obtain the correct user subscription data from an appropriate PS.
With reference to the first aspect, in a possible implementation, the registration request further includes an onboarding indication, which indicates that the type of the registration request is an onboarding service. In this implementation, carrying the onboarding indication in the registration request enables the second network element in the second network to determine the first authentication server in the first network, so that the first authentication server requests the second network to authenticate the terminal device that is requesting onboarding.
With reference to the first aspect, in another possible implementation, the registration request further includes a subscription concealed identifier (SUCI), and the SUCI includes the first public key. In this implementation the SUCI is computed using the first public key, so the first public key can be carried in the SUCI and is thereby conveyed.
According to a second aspect, a method for acquiring user subscription data is provided, including: receiving, from a first network, an authentication request for a terminal device, the authentication request including a first public key; storing the first public key; sending an identifier of a private network to the first network; and sending the first public key to a third network. In this aspect, the terminal device is authenticated and the identifier of the private network that the terminal device may access is sent to the first network element in the first network, so that the first network element can obtain the first user subscription data from the third network according to that identifier. The first user subscription data is encrypted, which protects the acquisition of the user subscription data, prevents it from being stolen, and improves communication security; and because the identifier of the private network is obtained from the second network element, the first network element can obtain the correct user subscription data from an appropriate PS.
With reference to the second aspect, in a possible implementation, the authentication request further includes a SUCI, and the SUCI includes the first public key.
With reference to the second aspect, in another possible implementation, the authentication request further includes an onboarding indication, which indicates that the type of the authentication request is an onboarding service, and storing the first public key includes storing the first public key according to the onboarding indication. In this implementation, the first public key is stored once the authentication request is determined to be of the onboarding service type, so that it can later be sent to the PS.
According to a third aspect, a method for acquiring user subscription data is provided, including: a first network element in a first network receives an identifier of a private network from a second network; the first network element sends a user subscription data acquisition request for a terminal device to a third network according to the identifier of the private network; the first network element receives a user subscription data acquisition response returned by the third network, the response including first user subscription data of the terminal device in the private network; and the first network element sends the first user subscription data to the terminal device. In this aspect, according to the identifier of the private network received from the second network, an appropriate PS can be selected and the correct user subscription data obtained; further, the second user subscription data can be encrypted with the received first public key to obtain the first user subscription data, which is then sent, so that the acquisition of the user subscription data is protected, the data cannot be stolen, and communication security is improved.
With reference to the third aspect, in a possible implementation, before the first network element receives the identifier of the private network from the second network, the method further includes: the first network element receives a registration request from the terminal device, the registration request carrying at least one of a subscription concealed identifier (SUCI), an onboarding indication, a registration type and a slice identifier; the first network element determines a first authentication server in the first network according to the registration request; and the first network element sends an authentication request for the terminal device to the second network through the first authentication server. Determining the first authentication server according to the registration request includes: the SUCI includes an identifier of the second network, and the first authentication server is determined according to the identifier of the second network; or the SUCI includes a routing indication, and the first authentication server is determined according to the routing indication; or the first authentication server is determined according to the onboarding indication, which indicates that the type of the registration request is an onboarding service; or the first authentication server is determined according to the registration type, the registration type being an onboarding service; or the first authentication server is determined according to the slice identifier. In an existing registration procedure, when the first network element receives a registration request from a terminal device, it generally forwards the request to the authentication server of its own network for further processing. In this implementation, by contrast, the first network element determines from the received registration request that an onboarding service is being performed, selects the first authentication server of its own network accordingly, and that first authentication server submits the authentication request to the second network, which manages authentication for the onboarding service, so that the UE is authenticated there.
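The selection logic of this implementation (the same five criteria appear in the apparatus embodiment above), as an added worked example in Go; it is not code from the application. It assumes the first network element is the AMF of the onboarding network and that the SUCI arrives in the NAI form of 3GPP TS 23.003 clause 28.7.3, whose realm serves as the identifier of the second network and whose rid field is the routing indication; the application's variant that also places pk1 inside the SUCI is not modelled. The authentication-server table, the onboarding flag, the registration-type string and the S-NSSAI value are constructed for the example, and the order in which the criteria are tried is an assumption, since the text presents them as alternatives. A malformed SUCI is rejected rather than falling through to the default server, the check a practitioner would want so that a garbled identifier cannot steer an onboarding request to the wrong authentication path.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// RegistrationRequest holds the fields of the registration request that the first network
// element inspects; the field names are assumptions of this example.
type RegistrationRequest struct {
	SUCI                 string // NAI-form SUCI (TS 23.003 clause 28.7.3), e.g. "type1.rid678.schid0.userid0@dcs.example.org"
	OnboardingIndication bool   // the onboarding indication
	RegistrationType     string // e.g. "initial" or "onboarding"
	SNSSAI               string // slice identifier, e.g. "1-000001"
}

// AUSFTable is the first network element's locally configured map to authentication servers (constructed).
type AUSFTable struct {
	ByHomeNetwork      map[string]string // SUCI realm (identifier of the second network) -> AUSF
	ByRoutingIndicator map[string]string // routing indication -> AUSF
	BySlice            map[string]string // S-NSSAI -> AUSF
	OnboardingAUSF     string            // AUSF that fronts the DCS for onboarding traffic
	DefaultAUSF        string            // used only when no criterion applies; may be empty
}

// NAI-form SUCI: type<t>.rid<rid>.schid<s>[.hnkey<k>].userid<output>@<realm>
var naiSUCI = regexp.MustCompile(`^type\d+\.rid(\d+)\.schid\d+\.(?:hnkey\d+\.)?userid[^@]+@(.+)$`)

// ParseSUCI returns the routing indication and the home network realm of a NAI-form SUCI.
func ParseSUCI(suci string) (string, string, error) {
	m := naiSUCI.FindStringSubmatch(suci)
	if m == nil {
		return "", "", fmt.Errorf("malformed NAI SUCI %q", suci)
	}
	return m[1], strings.ToLower(m[2]), nil
}

// SelectAUSF picks the first authentication server and reports which criterion decided.
// A malformed SUCI is rejected instead of being routed to the default server.
func SelectAUSF(t AUSFTable, r RegistrationRequest) (string, string, error) {
	if r.SUCI != "" {
		rid, realm, err := ParseSUCI(r.SUCI)
		if err != nil {
			return "", "", err
		}
		if a, ok := t.ByHomeNetwork[realm]; ok {
			return a, "identifier of the second network", nil
		}
		if a, ok := t.ByRoutingIndicator[rid]; ok {
			return a, "routing indication", nil
		}
	}
	if r.OnboardingIndication && t.OnboardingAUSF != "" {
		return t.OnboardingAUSF, "onboarding indication", nil
	}
	if strings.EqualFold(r.RegistrationType, "onboarding") && t.OnboardingAUSF != "" {
		return t.OnboardingAUSF, "registration type", nil
	}
	if a, ok := t.BySlice[r.SNSSAI]; ok {
		return a, "slice identifier", nil
	}
	if t.DefaultAUSF == "" {
		return "", "", errors.New("no authentication server matches the registration request")
	}
	return t.DefaultAUSF, "default", nil
}

func main() {
	table := AUSFTable{
		ByHomeNetwork:      map[string]string{"dcs.example.org": "ausf-onboarding"},
		ByRoutingIndicator: map[string]string{"678": "ausf-rid-678"},
		BySlice:            map[string]string{"1-000001": "ausf-slice-1"},
		OnboardingAUSF:     "ausf-onboarding",
		DefaultAUSF:        "ausf-default",
	}
	for _, r := range []RegistrationRequest{
		{SUCI: "type1.rid678.schid0.userid0@dcs.example.org"},
		{SUCI: "type1.rid678.schid0.userid0@other.example.net"},
		{OnboardingIndication: true},
		{RegistrationType: "onboarding"},
		{SNSSAI: "1-000001"},
		{SUCI: "not-a-suci"},
	} {
		ausf, why, err := SelectAUSF(table, r)
		fmt.Printf("%-48s -> %s (%s) %v\n", r.SUCI, ausf, why, err)
	}
}
```

The realm is lower-cased before lookup because NAI realms are compared case-insensitively; in a real AMF the realm and routing indication would normally feed an NRF discovery rather than a static table.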
With reference to the third aspect, in another possible implementation, the registration request includes a first public key, and before the first network element receives the identifier of the private network from the second network, the method further includes sending the first public key to the second network, the first user subscription data being obtained by encrypting second user subscription data with the first public key.
With reference to the third aspect, in another possible implementation, the registration request includes a subscription concealed identifier (SUCI), and the SUCI includes the first public key.
According to a fourth aspect, a method for acquiring user subscription data is provided, applied to a communication system that includes a first network element in a first network and a second network element in a second network. The method includes: the first network element sends an authentication request for a terminal device to the second network element, the authentication request including a first public key; the second network element stores the first public key; the second network element sends an identifier of a private network to the first network element; the second network element sends the first public key to a third network; the first network element sends a user subscription data acquisition request for the terminal device to the third network according to the identifier of the private network; the first network element receives a user subscription data acquisition response returned by the third network, the response including first user subscription data of the terminal device in the private network; and the first network element sends the first user subscription data to the terminal device.
For the specific interactions among the terminal device, the first network element, the second network element and the third network, refer to any implementation of the first to third aspects; they are not repeated here.
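The four-party exchange of the first to fourth aspects, as an added worked example in Go; it is not the application's code. The application does not say which public-key scheme encrypts the second user subscription data, so this example stands in X25519 key agreement with a SHA-256 key derivation and AES-256-GCM (pk1 is the UE's X25519 public key, sk1 its private key); the DCS (second network element) and PS (third network) are modelled as in-memory maps, and the device identity, the private network identifier and the subscription data are all constructed. Two details go beyond the text: the identifier of the private network is bound into the AEAD associated data, so a blob sealed for one SNPN is rejected if it is replayed for another, and the DCS stores pk1 only when the onboarding indication is present, as the second aspect requires.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Envelope is the "first user subscription data": the second (plaintext) user subscription
// data sealed to pk1. The wire layout is an assumption of this example.
type Envelope struct{ EphPub, Nonce, Ciphertext []byte }

// agree runs X25519 between a local private key and a peer public key given as raw bytes.
func agree(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// gcmFor derives AES-256-GCM from the shared secret and both public keys. Plain SHA-256 stands
// in for a KDF here; 3GPP SUCI Profile A would use the ANSI X9.63 KDF instead.
func gcmFor(shared, ephPub, pk1 []byte) cipher.AEAD {
	h := sha256.New()
	for _, part := range [][]byte{shared, ephPub, pk1, []byte("eNPN-onboarding-example")} {
		h.Write(part)
	}
	block, _ := aes.NewCipher(h.Sum(nil)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)        // default 12-byte nonce: cannot fail
	return gcm
}

// Seal is the PS side: encrypt to pk1 under a fresh ephemeral key. The private network
// identifier travels as associated data, so a blob sealed for one SNPN is rejected for another.
func Seal(pk1, plaintext, aad []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := agree(eph, pk1)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm := gcmFor(shared, ephPub, pk1)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{ephPub, nonce, gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open is the UE side with sk1; a wrong key, a tampered blob or a different aad fails.
func Open(sk1 *ecdh.PrivateKey, env Envelope, aad []byte) ([]byte, error) {
	shared, err := agree(sk1, env.EphPub)
	if err != nil {
		return nil, err
	}
	gcm := gcmFor(shared, env.EphPub, sk1.PublicKey().Bytes())
	if len(env.Nonce) != gcm.NonceSize() { // gcm.Open panics on a wrong-length nonce
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

// DCS is the second network element (default credential server); PS is the third network
// (provisioning server). Both hold constructed data in plain maps.
type DCS struct {
	snpnOf map[string]string // device identity -> identifier of the private network it may join
	pk1    map[string][]byte // pk1 per device, stored only for onboarding requests
}
type PS struct{ subs, pk1 map[string][]byte } // SNPN id -> second user subscription data; device -> pk1 from the DCS

// Authenticate stores pk1 only when the onboarding indication is present and returns the
// identifier of the private network for the first network element.
func (d *DCS) Authenticate(dev string, pk1 []byte, onboarding bool) (string, error) {
	snpn, ok := d.snpnOf[dev]
	if !onboarding || !ok {
		return "", errors.New("onboarding indication missing or device unknown to the DCS")
	}
	d.pk1[dev] = pk1
	return snpn, nil
}

// Onboard plays the first network element end to end and returns what the UE recovers with sk1.
func Onboard(dev string, sk1 *ecdh.PrivateKey, dcs *DCS, ps *PS) ([]byte, error) {
	snpnID, err := dcs.Authenticate(dev, sk1.PublicKey().Bytes(), true) // pk1 + onboarding indication
	if err != nil {
		return nil, err
	}
	ps.pk1[dev] = dcs.pk1[dev] // the DCS forwards pk1 to the PS (second aspect)
	data, ok := ps.subs[snpnID] // the PS is selected by the private network identifier
	if !ok {
		return nil, errors.New("PS holds no subscription data for " + snpnID)
	}
	env, err := Seal(ps.pk1[dev], data, []byte(snpnID)) // first user subscription data
	if err != nil {
		return nil, err
	}
	return Open(sk1, env, []byte(snpnID)) // the UE decrypts with sk1
}
```

Needs Go 1.20 or later for crypto/ecdh. Note what this scheme does and does not give: confidentiality against anyone without sk1 and integrity of the blob, but no proof to the UE of who sealed it; a deployment would have the PS sign the envelope or run it over an authenticated channel, which the application leaves unspecified.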
According to a fifth aspect, a device for acquiring user subscription data is provided, configured to perform the method of the first aspect or any possible implementation of the first aspect. The device may be the terminal device of the first aspect or any of its possible implementations, or a module applied in the terminal device, for example a chip or a chip system. The device includes modules, units or means for implementing the method above; these may be implemented by hardware, by software, or by hardware executing corresponding software, and comprise one or more modules or units corresponding to the functions above.
With reference to the fifth aspect, in a possible implementation, the device for acquiring user subscription data includes a generating unit, a sending unit, a receiving unit and a decrypting unit. The generating unit is configured to generate a first public key and a first private key; the sending unit is configured to send a registration request to a first network, the registration request including the first public key; the receiving unit is configured to receive first user subscription data, obtained by encrypting second user subscription data with the first public key; and the decrypting unit is configured to decrypt the first user subscription data with the first private key to obtain the second user subscription data.
With reference to the fifth aspect, in another possible implementation, the device for acquiring user subscription data includes an input interface, an output interface and a processing circuit. The processing circuit is configured to generate a first public key and a first private key; the output interface is configured to send a registration request to a first network, the registration request including the first public key; the input interface is configured to receive first user subscription data, obtained by encrypting second user subscription data with the first public key; and the processing circuit is configured to decrypt the first user subscription data with the first private key to obtain the second user subscription data.
Exemplarily, the device for acquiring user subscription data further includes a memory coupled to the at least one processor; the at least one processor runs the program instructions stored in the memory so that the device performs the method of the first aspect or any possible implementation of the first aspect.
In a possible implementation, the memory stores program instructions and data. The memory is coupled to the at least one processor, which can call and execute the program instructions stored in the memory so that the device for acquiring user subscription data performs the method of the first aspect or any possible implementation of the first aspect.
Exemplarily, the device for acquiring user subscription data further includes a communication interface through which it communicates with other devices. When the device is a terminal device, the communication interface is a transceiver, an input/output interface, a circuit or the like.
In a possible design, the device for acquiring user subscription data includes at least one processor and a communication interface, for performing the method of the first aspect or any possible implementation of the first aspect. Specifically, the at least one processor communicates with the outside through the communication interface, and runs a computer program so that the device performs that method. The outside may be an object other than the processor, or an object other than the device for acquiring user subscription data.
In another possible design, the device for acquiring user subscription data is a chip or a chip system. The communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin or a related circuit on the chip or chip system, and the processor may be embodied as a processing circuit or a logic circuit.
For the technical effects of any design of the fifth aspect, refer to the technical effects of the corresponding designs of the first aspect; they are not repeated here.
第六方面,提供了一种通信装置用于执行上述第二方面或第二方面的任一可能的实现中的方法。该通信装置可以为上述第二方面或第二方面的任一可能的实现中的第二网络中的第二网元,或者应用于第二网元的模块,例如芯片或芯片系统。其中,该通信装置包括实现上述方法相应的模块、单元、或means,该模块、单元、或means可以通过硬件实现,软件实现,或者通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块或单元。In a sixth aspect, a communication apparatus is provided for performing the second aspect or the method in any possible implementation of the second aspect. The communication apparatus may be the second network element in the second network in the second aspect or any possible implementation of the second aspect, or a module applied to the second network element, such as a chip or a chip system. Wherein, the communication device includes corresponding modules, units, or means for implementing the above method, and the modules, units, or means may be implemented by hardware, software, or by executing corresponding software in hardware. The hardware or software includes one or more modules or units corresponding to the above functions.
结合上述第六方面,在一种可能的实现中,通信装置包括:接收单元、处理单元和发送单元;其中,接收单元,用于接收来自第一网络的、针对终端设备的鉴权请求,所述鉴权请求包括第一公钥;处理单元,用于保存所述第一公钥;发送单元,用于向所述第一网络发送私有网络的标识;以及所述发送单元,还用于向第三网络发送所述第一公钥。With reference to the sixth aspect, in a possible implementation, the communication device includes: a receiving unit, a processing unit, and a sending unit; wherein the receiving unit is configured to receive an authentication request for the terminal device from the first network, and the The authentication request includes a first public key; a processing unit, used to save the first public key; a sending unit, used to send the identity of the private network to the first network; and the sending unit, also used to send to the first network. The third network sends the first public key.
可选地,所述鉴权请求还包括上线指示,所述上线指示用于指示所述鉴权请求的类型为上线业务;所述处理单元,用于根据所述上线指示,保存所述第一公钥。Optionally, the authentication request further includes an online instruction, where the online instruction is used to indicate that the type of the authentication request is an online service; the processing unit is configured to save the first online service according to the online instruction. public key.
With reference to the sixth aspect, in yet another possible implementation, the communication apparatus includes an input interface, an output interface and a processing circuit. The input interface is configured to receive, from the first network, an authentication request for the terminal device, the authentication request including a first public key; the processing circuit is configured to store the first public key; the output interface is configured to send the identifier of the private network to the first network; and the output interface is further configured to send the first public key to the third network.
Optionally, the authentication request further includes an onboarding indication, which indicates that the type of the authentication request is an onboarding service, and the processing circuit is configured to store the first public key according to the onboarding indication.
Exemplarily, the communication apparatus further includes a memory coupled to the at least one processor, and the at least one processor is configured to run program instructions stored in the memory so that the communication apparatus performs the method in the second aspect or any possible implementation of the second aspect.
In a possible implementation, the memory is configured to store program instructions and data. The memory is coupled to the at least one processor, and the at least one processor can invoke and execute the program instructions stored in the memory so that the communication apparatus performs the method in the second aspect or any possible implementation of the second aspect.
Exemplarily, the communication apparatus further includes a communication interface through which it communicates with other devices. When the communication apparatus is the second network element, the communication interface is a transceiver, an input/output interface, a circuit or the like.
In a possible design, the communication apparatus includes at least one processor and a communication interface, and is configured to perform the method in the second aspect or any possible implementation of the second aspect; specifically, the at least one processor communicates with the outside through the communication interface, and the at least one processor is configured to run a computer program so that the communication apparatus performs the method in the second aspect or any possible implementation of the second aspect. It can be understood that the outside may be an object other than the processor, or an object other than the communication apparatus.
In another possible design, the communication apparatus is a chip or a chip system. The communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin or a related circuit on the chip or chip system. The processor may also be embodied as a processing circuit or a logic circuit.
For the technical effects brought by any design of the sixth aspect, reference may be made to the technical effects of the corresponding designs of the second aspect, which are not repeated here.
In a seventh aspect, a communication apparatus is provided for performing the method in the third aspect or any possible implementation of the third aspect. The communication apparatus may be the first network element in the first network in the third aspect or any possible implementation of the third aspect, or a module applied to the first network element, such as a chip or a chip system. The communication apparatus includes modules, units or means for implementing the above method, which may be implemented by hardware, by software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
With reference to the seventh aspect, in a possible implementation, the communication apparatus includes a receiving unit, a processing unit and a sending unit. The receiving unit is configured to receive the identifier of the private network from the second network; the processing unit is configured to determine, according to the identifier of the private network, a user subscription data obtaining request of the terminal device; the sending unit is configured to send the user subscription data obtaining request to the third network; the receiving unit is further configured to receive a user subscription data obtaining response returned by the third network, the response including the first user subscription data of the terminal device in the private network; and the sending unit is further configured to send the first user subscription data to the terminal device.
Optionally, the receiving unit is further configured to receive a registration request from the terminal device, the registration request carrying at least one of the following: a user concealed identifier, an onboarding indication, a registration type, and a slice identifier; the processing unit is further configured to determine a first authentication server in the first network according to the registration request; and the sending unit is further configured to send the authentication request of the terminal device to the second network through the first authentication server. The processing unit is specifically configured to: when the user concealed identifier includes the identifier of the second network, determine the first authentication server according to the identifier of the second network; or, when the user concealed identifier includes a routing indicator, determine the first authentication server according to the routing indicator; or determine the first authentication server according to the onboarding indication, which indicates that the type of the registration request is an onboarding service; or determine the first authentication server according to the registration type, the registration type being an onboarding service; or determine the first authentication server according to the slice identifier.
With reference to the seventh aspect, in yet another possible implementation, the communication apparatus includes an input interface, an output interface and a processing circuit. The input interface is configured to receive the identifier of the private network from the second network; the output interface is configured to send, according to the identifier of the private network, a user subscription data obtaining request of the terminal device to the third network; the input interface is further configured to receive the user subscription data obtaining response returned by the third network, the response including the first user subscription data of the terminal device in the private network; and the output interface is further configured to send the first user subscription data to the terminal device.
Optionally, the input interface is further configured to receive a registration request from the terminal device, the registration request carrying at least one of the following: a user concealed identifier, an onboarding indication, a registration type, and a slice identifier; the processing circuit is configured to determine a first authentication server in the first network according to the registration request; and the output interface is further configured to send the authentication request of the terminal device to the second network through the first authentication server. The processing circuit is specifically configured to: when the user concealed identifier includes the identifier of the second network, determine the first authentication server according to the identifier of the second network; or, when the user concealed identifier includes a routing indicator, determine the first authentication server according to the routing indicator; or determine the first authentication server according to the onboarding indication, which indicates that the type of the registration request is an onboarding service; or determine the first authentication server according to the registration type, the registration type being an onboarding service; or determine the first authentication server according to the slice identifier.
Exemplarily, the communication apparatus further includes a memory coupled to the at least one processor, and the at least one processor is configured to run program instructions stored in the memory so that the communication apparatus performs the method in the third aspect or any possible implementation of the third aspect.
In a possible implementation, the memory is configured to store program instructions and data. The memory is coupled to the at least one processor, and the at least one processor can invoke and execute the program instructions stored in the memory so that the communication apparatus performs the method in the third aspect or any possible implementation of the third aspect.
Exemplarily, the communication apparatus further includes a communication interface through which it communicates with other devices. When the communication apparatus is the first network element, the communication interface is a transceiver, an input/output interface, a circuit or the like.
In a possible design, the communication apparatus includes at least one processor and a communication interface, and is configured to perform the method in the third aspect or any possible implementation of the third aspect; specifically, the at least one processor communicates with the outside through the communication interface, and the at least one processor is configured to run a computer program so that the communication apparatus performs the method in the third aspect or any possible implementation of the third aspect. It can be understood that the outside may be an object other than the processor, or an object other than the communication apparatus.
In another possible design, the communication apparatus is a chip or a chip system. The communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin or a related circuit on the chip or chip system. The processor may also be embodied as a processing circuit or a logic circuit.
For the technical effects brought by any design of the seventh aspect, reference may be made to the technical effects of the corresponding designs of the third aspect, which are not repeated here.
In an eighth aspect, a communication system is provided, including a first network element in a first network and a second network element in a second network. The first network element is configured to send an authentication request for a terminal device to the second network element, the authentication request including a first public key; the second network element is configured to store the first public key; the second network element is further configured to send the identifier of a private network to the first network element; the second network element is further configured to send the first public key to a third network; the first network element is further configured to send, according to the identifier of the private network, a user subscription data obtaining request of the terminal device to the third network; the first network element is further configured to receive a user subscription data obtaining response returned by the third network, the response including the first user subscription data of the terminal device in the private network; and the first network element is further configured to send the first user subscription data to the terminal device.
With reference to the eighth aspect, in a possible implementation, the authentication request further includes a user concealed identifier, and the user concealed identifier includes the first public key.
With reference to the eighth aspect, in yet another possible implementation, the authentication request further includes an onboarding indication, which indicates that the type of the authentication request is an onboarding service, and the second network element is further configured to store the first public key according to the onboarding indication.
With reference to the eighth aspect, in yet another possible implementation, the first network element is further configured to receive a registration request from the terminal device, the registration request carrying at least one of the following: a user concealed identifier, an onboarding indication, a registration type, and a slice identifier; the first network element is further configured to determine a first authentication server in the first network according to the registration request; and the first network element is further configured to send the authentication request of the terminal device to the second network through the first authentication server. The first network element is specifically configured to: when the user concealed identifier includes the identifier of the second network, determine the first authentication server according to the identifier of the second network; or, when the user concealed identifier includes a routing indicator, determine the first authentication server according to the routing indicator; or determine the first authentication server according to the onboarding indication, which indicates that the type of the registration request is an onboarding service; or determine the first authentication server according to the registration type, the registration type being an onboarding service; or determine the first authentication server according to the slice identifier.
With reference to the eighth aspect, in yet another possible implementation, the registration request includes a first public key, the first network element is further configured to send the first public key to the second network element, and the first user subscription data is obtained by encrypting second user subscription data with the first public key.
With reference to the eighth aspect, in yet another possible implementation, the registration request includes a user concealed identifier, and the user concealed identifier includes the first public key.
In a ninth aspect, a computer-readable storage medium is provided, which stores a computer program; when the program runs on a computer, the method described in any of the above aspects or any implementation of those aspects is performed.
In a tenth aspect, a computer program product is provided which, when run on a computer, causes the method described in any of the above aspects or any implementation of those aspects to be performed.
In an eleventh aspect, a computer program is provided which, when run on a computer, causes the method described in any of the above aspects or any implementation of those aspects to be performed.
Description of drawings
Figure 1 is a schematic diagram of the architecture of an eNPN network;
Figure 2 is a schematic diagram of the architecture of a communication system 100 provided by an embodiment of the present application;
Figure 3 is a schematic flowchart of a method for obtaining user subscription data provided by an embodiment of the present application;
Figure 4 is a schematic flowchart of another method for obtaining user subscription data provided by an embodiment of the present application;
Figure 5 is a schematic flowchart of another method for obtaining user subscription data provided by an embodiment of the present application;
Figure 6 is a schematic structural diagram of a communication apparatus 200 provided by an embodiment of the present application;
Figure 7 is a schematic structural diagram of an apparatus 300 for obtaining user subscription data provided by an embodiment of the present application;
Figure 8 is a schematic structural diagram of a communication apparatus 400 provided by an embodiment of the present application;
Figure 9 is a schematic structural diagram of a communication apparatus 500 provided by an embodiment of the present application.
Detailed description
The embodiments of the present application are described below with reference to the accompanying drawings of the embodiments.
The technical solutions of the embodiments of the present application can be applied to various communication systems, for example an enhanced long term evolution (eLTE) system, a fifth generation (5G) system or new radio (NR). The 5G mobile communication systems referred to in this application include non-standalone (NSA) 5G mobile communication systems and standalone (SA) 5G mobile communication systems. The technical solutions provided in this application can also be applied to future communication systems, such as a sixth generation mobile communication system. The communication system may also be a public land mobile network (PLMN), a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, an Internet of things (IoT) communication system, or another communication system.
Figure 2 is a schematic diagram of the architecture of a communication system 100 provided by an embodiment of the present application. As shown in Figure 2, the communication system 100 includes a first network, a second network and a third network. The first network may be an onboarding network, the second network may be the network in which the DCS or unified data management (UDM) is located, and the third network may be the network in which the PS is located. In the embodiments of the present application the PS is generally deployed separately from the private network, that is, the third network is generally a network different from the private network. The UE initiates a registration request in the first network; the first network asks the second network to authenticate the UE; after the second network has authenticated the UE, it returns the identifier of the private network to the first network; the first network requests the user subscription data from the third network according to the identifier of the private network; and the third network encrypts the user subscription data and sends it to the UE.
The first network includes a first network element 11, the second network includes a second network element 12, and the third network includes a PS 13. The first network element 11 may be a mobility management network element, and the second network element 12 may be a unified data management network element or a DCS. The network element or entity corresponding to the mobility management network element may be an access and mobility management function (AMF) entity in the 5G mobile communication system, and the network element or entity corresponding to the unified data management network element may be a UDM functional entity in the 5G mobile communication system; the embodiments of the present application do not specifically limit this. The above network elements may communicate with each other directly or through forwarding by other network elements, which is not specifically limited in the embodiments of the present application. Although not shown, the communication system may further include other network elements, which is not specifically limited in the embodiments of the present application.
The embodiments of the present application provide a method and an apparatus for obtaining user subscription data. After receiving a registration request from the UE, the first network element in the first network requests authentication of the UE; the second network element in the second network authenticates the UE, sends the identifier of the private network that the UE may access to the first network element in the first network, and sends pk1 to the third network; the first network element can request the first user subscription data from the third network according to the identifier of the private network, and the third network encrypts the second user subscription data with pk1 to obtain the first user subscription data; the third network sends the first user subscription data to the UE through the control plane or the user plane of the first network. In this way the obtaining of user subscription data is protected, the subscription data cannot be stolen in transit, and the security of communication is improved; and because the identifier of the private network is obtained from the second network element, the first network element can obtain the correct user subscription data from the appropriate PS.
Specifically, the solution can be applied to the above communication system and includes the following: the first network element sends an authentication request for the terminal device to the second network element, the authentication request including a first public key pk1; the second network element stores pk1; the second network element sends the identifier of the private network to the first network element; the second network element sends pk1 to the third network; the first network element sends, according to the identifier of the private network, a user subscription data obtaining request of the terminal device to the third network; the first network element receives a user subscription data obtaining response returned by the third network, the response including the first user subscription data of the terminal device in the private network; and the first network element sends the first user subscription data to the terminal device.
In a possible implementation, the authentication request further includes a user concealed identifier, and the user concealed identifier includes pk1.
In yet another possible implementation, the authentication request further includes an onboarding indication, which indicates that the type of the authentication request is an onboarding service, and the second network element storing pk1 includes: the second network element storing pk1 according to the onboarding indication.
In yet another possible implementation, before the second network element sends the identifier of the private network to the first network element, the method further includes: the first network element receives a registration request from the terminal device, the registration request carrying at least one of the following: a user concealed identifier, an onboarding indication, a registration type, and a slice identifier; the first network element determines a first authentication server in the first network according to the registration request; and the first network element sends the authentication request of the terminal device to the second network through the first authentication server. Determining the first authentication server according to the registration request includes: when the user concealed identifier includes the identifier of the second network, determining the first authentication server according to the identifier of the second network; or, when the user concealed identifier includes a routing indicator, determining the first authentication server according to the routing indicator; or determining the first authentication server according to the onboarding indication, which indicates that the type of the registration request is an onboarding service; or determining the first authentication server according to the registration type, the registration type being an onboarding service; or determining the first authentication server according to the slice identifier.
In yet another possible implementation, the registration request includes the first public key pk1, and before the second network element sends the identifier of the private network to the first network element, the method further includes: the first network element sends pk1 to the second network element, and the first user subscription data is obtained by encrypting the second user subscription data with pk1.
In yet another possible implementation, the registration request includes a user concealed identifier, and the user concealed identifier includes pk1.
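The exchange described above, run end to end as an added example; this is not code from the patent or from any 3GPP implementation. It models the three parties the text names: the AMF in the onboarding network (first network element), the DCS (second network element; "default credentials server" in 3GPP wording) and the PS (third network; "provisioning server"). Everything concrete is an assumption: the public-key scheme is a deliberately tiny Diffie-Hellman hybrid (encrypt-then-MAC over an HMAC keystream) standing in for whatever real scheme pk1 belongs to, the manufacturer-credential check is a hash comparison, the message dictionaries and field names (`suci`, `second_network_id`, `routing_indicator`, `onboarding`, `registration_type`, `slice_id`) are invented, and the order in which `select_ausf` tries the alternatives the text lists with "or" is a choice, not something the page specifies. The two properties worth checking are the ones the text claims: the DCS keeps pk1 only when the onboarding indication is present, and the onboarding network forwards the first user subscription data without being able to read it, because only the UE holds sk1.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only: P is far too
# small and its group order too smooth to be secure. The page only says that pk1
# encrypts the subscription data; this concrete scheme is an assumption.
P = (1 << 127) - 1
G = 3


def keygen():
    """Return (private, public). The UE's pair is (sk1, pk1); pk1 travels in the SUCI."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def credential_hash(credential):
    """Constructed stand-in for the DCS's manufacturer-credential verification."""
    return hashlib.sha256(credential).digest()


def _derive_keys(shared):
    s = shared.to_bytes(16, "big")
    return hashlib.sha256(b"enc" + s).digest(), hashlib.sha256(b"mac" + s).digest()


def _xor_stream(key, nonce, data):
    """HMAC-SHA256 counter-mode keystream XORed over data (same call encrypts and decrypts)."""
    out, ctr = b"", 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_to_pk(pk, plaintext):
    """Hybrid encrypt-then-MAC under pk: turns second user subscription data into first."""
    r, eph = keygen()
    k_enc, k_mac = _derive_keys(pow(pk, r, P))
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(k_enc, nonce, plaintext)
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return {"eph": eph, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_with_sk(sk, msg):
    k_enc, k_mac = _derive_keys(pow(msg["eph"], sk, P))
    tag = hmac.new(k_mac, msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        raise ValueError("subscription data rejected: bad tag")
    return _xor_stream(k_enc, msg["nonce"], msg["ct"])


class ProvisioningServer:
    """Third network (PS): holds per-SNPN subscription data and the pk1 the DCS forwards."""

    def __init__(self, subscriptions):
        self.subscriptions = subscriptions  # {snpn_id: {device_id: second user subscription data}}
        self.pk_of = {}

    def receive_pk(self, device_id, pk1):
        self.pk_of[device_id] = pk1

    def subscription_request(self, snpn_id, device_id):
        second_data = self.subscriptions[snpn_id][device_id]
        return encrypt_to_pk(self.pk_of[device_id], second_data)  # first user subscription data


class DefaultCredentialsServer:
    """Second network element (DCS): authenticates the UE, stores pk1, names the private network."""

    def __init__(self, credential_hashes, snpn_of):
        self.credential_hashes = credential_hashes  # {device_id: credential_hash(credential)}
        self.snpn_of = snpn_of                      # {device_id: private network identifier}
        self.stored_pk = {}

    def authenticate(self, auth_req, ps):
        dev = auth_req["device_id"]
        if credential_hash(auth_req["credential"]) != self.credential_hashes.get(dev):
            return None                          # authentication failed: no SNPN id, nothing stored
        if auth_req.get("onboarding"):           # pk1 is kept only for onboarding requests
            self.stored_pk[dev] = auth_req["suci"]["pk1"]
            ps.receive_pk(dev, auth_req["suci"]["pk1"])
        return self.snpn_of[dev]


def select_ausf(reg):
    """AMF rule for choosing the first authentication server; the precedence is an assumption."""
    suci = reg.get("suci", {})
    if "second_network_id" in suci:
        return "ausf:" + suci["second_network_id"]
    if "routing_indicator" in suci:
        return "ausf:ri-" + suci["routing_indicator"]
    if reg.get("onboarding") or reg.get("registration_type") == "onboarding":
        return "ausf:onboarding"
    if "slice_id" in reg:
        return "ausf:slice-" + reg["slice_id"]
    raise ValueError("registration request carries nothing to route on")


def run_onboarding(dcs, ps, device_id, credential):
    """Whole exchange seen from the AMF; returns what each party ended up holding."""
    sk1, pk1 = keygen()                                        # UE
    reg = {"device_id": device_id, "suci": {"routing_indicator": "0001", "pk1": pk1},
           "onboarding": True, "registration_type": "onboarding", "credential": credential}
    ausf = select_ausf(reg)                                    # AMF picks the AUSF
    auth_req = {"device_id": device_id, "suci": reg["suci"],
                "onboarding": reg["onboarding"], "credential": credential}
    snpn_id = dcs.authenticate(auth_req, ps)                   # DCS, reached via that AUSF
    if snpn_id is None:
        return None
    first_data = ps.subscription_request(snpn_id, device_id)   # AMF -> PS; ciphertext comes back
    return {"ausf": ausf, "snpn_id": snpn_id, "amf_sees": first_data["ct"],
            "ue_gets": decrypt_with_sk(sk1, first_data)}       # only the UE holds sk1


# Constructed sample data for a stand-alone run.
SAMPLE_CRED = b"manufacturer-cred-device-0042"
SAMPLE_SUBSCRIPTION = b"SNPN=snpn-a; subscriber=0042; policy=default"
SAMPLE_DCS = DefaultCredentialsServer({"dev-0042": credential_hash(SAMPLE_CRED)}, {"dev-0042": "snpn-a"})
SAMPLE_PS = ProvisioningServer({"snpn-a": {"dev-0042": SAMPLE_SUBSCRIPTION}})

if __name__ == "__main__":
    print(run_onboarding(SAMPLE_DCS, SAMPLE_PS, "dev-0042", SAMPLE_CRED))
```

`run_onboarding` returns both `amf_sees` and `ue_gets` so the two can be compared: the onboarding network relays an opaque blob, and a forged or mis-keyed blob fails the tag check on the UE rather than being silently accepted. A failed credential check at the DCS yields no private network identifier, so the AMF has nothing to ask the PS for.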
其中,AMF实体:主要负责信令的处理,例如:接入控制、移动性管理、附着与去附着以及网关选择等功能。AMF实体为终端中的会话提供服务的情况下,会为该会话提供控制面的存储资源,以存储会话标识、与会话标识关联的会话管理功能(session management function,SMF)实体的标识等。Among them, the AMF entity: mainly responsible for the processing of signaling, such as: access control, mobility management, attachment and detachment, and gateway selection and other functions. When the AMF entity provides services for the session in the terminal, it provides storage resources of the control plane for the session to store the session identifier, the identifier of the session management function (SMF) entity associated with the session identifier, and the like.
UDM实体:主要用于管理用户签约信息。UDM entity: mainly used to manage user subscription information.
DCS包括可以用来校验终端设备的信息。例如,若终端设备仅包括生产商的证书 (credential),那么DCS包括可以校验生产商的证书的信息(即根证书)。DCS可以将认证的信息传递给认证服务功能(authentication service function,AUSF)实体,也可以自身执行认证。The DCS includes information that can be used to verify terminal equipment. For example, if the terminal device includes only the manufacturer's credential, the DCS includes information (ie, the root certificate) that can verify the manufacturer's credential. The DCS can pass the authentication information to the authentication service function (AUSF) entity, or it can perform the authentication itself.
PS:用来提供SNPN身份的实体,其可以从SNPN获取SNPN的用户签约数据,并将SNPN的标识发送给终端设备。PS: an entity used to provide the SNPN identity, which can obtain the user subscription data of the SNPN from the SNPN, and send the SNPN identifier to the terminal device.
需要说明的是,以上功能实体仅是一个名字,名字本身对实体不构成限定。例如,该移动管理功能实体也有可能被替换为“移动管理功能”或其它名字。而且,该移动管理功能实体也可以对应一个包括除了移动管理功能外还有其他功能的实体。统一数据管理功能实体也有可能被替换为“统一数据管理功能”或其它名字,而且,该统一数据管理功能实体也可以对应一个包括除了统一数据管理功能外还有其他功能的实体。在此进行统一说明,以下不再赘述。It should be noted that the above functional entity is only a name, and the name itself does not limit the entity. For example, the mobility management function entity may also be replaced by "mobility management function" or other names. Moreover, the mobility management function entity may also correspond to an entity including other functions besides the mobility management function. The unified data management function entity may also be replaced by "unified data management function" or other names, and the unified data management function entity may also correspond to an entity that includes other functions in addition to the unified data management function. A unified description is provided here, and details are not repeated below.
The terminal device accesses the network through a radio access network (RAN) device or an access network (AN) device. The RAN device is mainly a radio network device in a 3GPP network; the AN may be an access network device defined outside 3GPP (non-3GPP).
Optionally, the terminal device in the embodiments of this application may refer to an access terminal, subscriber unit, subscriber station, mobile station, mobile terminal, relay station, remote station, remote terminal, mobile device, user terminal, user equipment (UE), terminal, wireless communication device, user agent, user apparatus, cellular phone, cordless phone, session initiation protocol (SIP) phone, wireless local loop (WLL) station, personal digital assistant (PDA), handheld device with wireless communication capability, computing device or other processing device connected to a wireless modem, in-vehicle device, wearable device, terminal device in a future 5G network, terminal device in a future evolved public land mobile network (PLMN), terminal device in a future Internet of Vehicles, and so on; the embodiments of this application do not limit this.
By way of example and not limitation, in the embodiments of this application the terminal device may be a mobile phone, a tablet computer, a computer with a wireless transceiver function, a virtual reality terminal device, an augmented reality terminal device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
By way of example and not limitation, in the embodiments of this application a wearable device may also be called a wearable smart device, a general term for devices that apply wearable technology to the intelligent design and development of everyday wearables, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not merely a hardware device; it delivers powerful functions through software support, data exchange and cloud interaction. In a broad sense, wearable smart devices include full-featured, larger devices that can provide all or part of their functions without relying on a smartphone, such as smart watches or smart glasses, as well as devices that focus on one class of application and must be used together with another device such as a smartphone, for example smart bracelets and smart jewellery for monitoring physical signs.
In addition, in the embodiments of this application the terminal device may also be a terminal device in an Internet of Things (IoT) system. IoT is an important part of the future development of information technology; its main technical feature is connecting objects to the network through communication technology, thereby realising an intelligent network of human-to-machine and machine-to-machine interconnection. In the embodiments of this application, IoT technology can achieve massive connections, deep coverage and terminal power saving through, for example, narrow band (NB) technology.
In addition, in the embodiments of this application the terminal device may also include sensors such as smart printers, train detectors and fuel stations, whose main functions include collecting data (for some terminal devices), receiving control information and downlink data from the access network device, and transmitting electromagnetic waves to send uplink data to the access network device.
Optionally, the access network device in the embodiments of this application may be any communication device with a wireless transceiver function that is used to communicate with a terminal device. The access network device includes but is not limited to: an evolved node B (eNB), a baseband unit (BBU), an access point (AP) in a wireless fidelity (WIFI) system, a wireless relay node, a wireless backhaul node, a transmission point (TP) or a TRP. The access network device may also be a gNB, TRP or TP in a 5G system, or one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system. In addition, the access network device may also be a network node that forms part of a gNB or TP, such as a BBU or a distributed unit (DU).
In some deployments, a gNB may include a centralized unit (CU) and a DU. In addition, the gNB may also include an active antenna unit (AAU). The CU implements some functions of the gNB, and the DU implements others. For example, the CU handles non-real-time protocols and services and implements the functions of the radio resource control (RRC) and packet data convergence protocol (PDCP) layers. The DU handles physical-layer protocols and real-time services and implements the functions of the radio link control (RLC), media access control (MAC) and physical (PHY) layers. The AAU implements some physical-layer processing, radio-frequency processing and the functions related to active antennas. Since RRC-layer information eventually becomes PHY-layer information, or is converted from PHY-layer information, under this architecture higher-layer signalling such as RRC signalling can also be regarded as sent by the DU, or by the DU and the AAU. It can be understood that the access network device may be a device including one or more of a CU node, a DU node and an AAU node.
Optionally, the access network device and the terminal device in the embodiments of this application may communicate over licensed spectrum, over unlicensed spectrum, or over both licensed and unlicensed spectrum at the same time. They may communicate over spectrum below 6 gigahertz (GHz), over spectrum above 6 GHz, or over both at the same time. The embodiments of this application do not limit the spectrum resources used between the access network device and the terminal device 101.
Optionally, the terminal device and network device in the embodiments of this application may be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they may also be deployed on water; and they may also be deployed in the air on aircraft, balloons and artificial satellites. The embodiments of this application do not limit the application scenarios of the terminal device and the network device.
Optionally, in the embodiments of this application the terminal device or network device includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer. The hardware layer includes hardware such as a central processing unit (CPU), a memory management unit (MMU) and memory (also called main memory). The operating system may be any one or more computer operating systems that implement service processing through processes, for example Linux, Unix, Android, iOS or Windows. The application layer includes applications such as a browser, an address book, word processing software and instant messaging software. Furthermore, the embodiments of this application do not specifically limit the structure of the entity that executes the methods provided herein, as long as it can communicate according to those methods by running a program that records their code. For example, the entity executing the method provided by the embodiments of this application may be a terminal device or a network device, or a functional module in a terminal device or network device that can call and execute a program.
In other words, the functions of the terminal device, the first network element and the second network element in the embodiments of this application may be implemented by one device, jointly by multiple devices, or by one or more functional modules within one device; the embodiments of this application do not specifically limit this. It can be understood that the above functions may be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualised functions instantiated on a platform (for example, a cloud platform).
The method for obtaining user subscription data provided by the embodiments of this application is described below with reference to FIG. 1 to FIG. 5.
It should be noted that the names of the messages exchanged between network elements and the names of the parameters in those messages in the following embodiments are only examples; other names may be used in a specific implementation, and the embodiments of this application do not specifically limit this.
FIG. 3 is a schematic flowchart of a method for obtaining user subscription data according to an embodiment of this application. The method may include the following steps:
S100. The UE generates a first public key (public key, pk), pk1, and a first private key (secret key, sk), sk1.
The UE generates the public/private key pair pk1 and sk1, and can use sk1 to decrypt data that was encrypted with pk1.
Specifically, the UE may generate the key pair pk1 and sk1 in the following ways:
In one implementation, the UE may generate the key pair pk1 and sk1 that it uses to compute the subscription concealed identifier (SUCI). The UE encrypts the subscription permanent identifier (SUPI) with sk1 to obtain the SUCI.
In another implementation, the UE may also generate the key pair pk1 and sk1 on its own, separately, rather than generating it when computing the SUCI.
S101. The UE sends a registration request to a first network element in the first network, where the registration request includes pk1. Correspondingly, the first network element receives the registration request.
In this embodiment, the first network is the onboarding network, the second network is the network where the DCS/UDM is located, and the third network is the network where the PS is located. The registration request is used to request registration with the onboarding network. What the UE performs through the first network is an onboarding service, that is, it requests through the first network that its user subscription data be delivered to it, so that the UE can onboard to the private network.
Specifically, the UE sends the registration request to the first network element in the first network. The first network element may be, for example, an AMF. The registration request includes pk1.
S102. The first network element sends an authentication request for the UE to a second network element in the second network, where the authentication request includes pk1. Correspondingly, the second network element receives the authentication request for the UE from the first network.
After receiving the registration request, the first network element learns that it is a request to register with the onboarding network in order to access the private network, and that the second network authenticates UEs accessing the private network. Therefore, the first network element sends an authentication request for the UE to the second network element in the second network. The authentication request is used to request authentication of the UE. It includes pk1, so that pk1 is passed to the second network element.
S103. The second network element stores pk1.
The second network element receives the registration request sent via the first network element, recognises that it is an onboarding service, and therefore stores the pk1 carried in the authentication request.
S104. The second network element sends the identifier of the private network to the first network element. Correspondingly, the first network element receives the identifier of the private network.
The second network element authenticates the UE and, once the authentication succeeds, sends the identifier of the private network to the first network element. The identifier of the private network uniquely identifies the private network.
The onboarding network may serve multiple private networks and may interface with the PSs corresponding to multiple private networks. Therefore, by obtaining the identifier of the private network, the first network element can select the appropriate PS from which to obtain the user subscription data.
S105. The second network element sends pk1 to the PS in the third network. Correspondingly, the PS receives pk1.
After receiving pk1, the second network element ultimately passes pk1 on to the PS in the third network.
It can be understood that there is no fixed order between steps S104 and S105: S104 may be performed first and then S105, S105 first and then S104, or S104 and S105 at the same time.
Alternatively, the first network element may send pk1 to the PS in the third network in step S106 below, or, after step S106, the PS may actively request the key, that is, pk1, from the AMF.
S106. The first network element sends a request to obtain the user subscription data of the UE to the PS in the third network according to the identifier of the private network. Correspondingly, the PS receives the user subscription data obtaining request.
After obtaining the identifier of the private network, the first network element can request the user subscription data of the UE from the PS in the third network according to that identifier. The first network element requests the user subscription data of the UE so that the UE can access the private network.
S107. The PS returns a user subscription data obtaining response to the first network element, where the response includes the first user subscription data of the UE in the private network. Correspondingly, the first network element receives the response and parses it to obtain the first user subscription data carried in it.
The PS can receive the user subscription data obtaining request only after the second network element has authenticated the UE. The PS obtains the second user subscription data of the UE. Having also obtained the UE's public key pk1, the PS can encrypt the second user subscription data with pk1 to obtain the first user subscription data, thereby protecting the second user subscription data, preventing the user subscription data from being stolen, and improving communication security.
S108. The first network element sends the first user subscription data to the UE. Correspondingly, the UE receives the first user subscription data.
The first network element sends the first user subscription data to the UE; because the first user subscription data is encrypted, it is protected.
S109. The UE decrypts the first user subscription data with sk1 to obtain the second user subscription data.
After receiving the first user subscription data, the UE decrypts it with the sk1 corresponding to pk1 and obtains the second user subscription data. The UE can then access the above private network based on the second user subscription data, completing the UE onboarding procedure.
According to the method for obtaining user subscription data provided by this embodiment of this application, the second network element in the second network authenticates the UE and sends the identifier of the private network that the UE may access to the first network element in the first network, so that the first network element can obtain the first user subscription data from the third network according to that identifier. The first user subscription data is encrypted subscription data, so the retrieval of user subscription data is protected, theft of user subscription data is prevented, and communication security is improved; and by obtaining the private network identifier from the second network element, the first network element can obtain the correct user subscription data from the appropriate PS.
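The pk1/sk1 mechanism of steps S100, S107 and S109 (which the FIG. 4 procedure reuses), as an added example that is not part of the patent: the UE generates pk1/sk1, the PS encrypts the second user subscription data under pk1 to produce the first user subscription data, and only the UE's sk1 can recover it. X25519, the SHA-256 key derivation, AES-GCM, the message layout and the sample subscription data are all assumptions; the patent fixes none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Wire layout of the "first user subscription data" (an assumption, not the patent's
// format): ephemeral public key (32 bytes) || AES-GCM nonce (12 bytes) || ciphertext+tag.
const ephLen, nonceLen, tagLen = 32, 12, 16

// UEKeys holds the pair generated in S100. sk1 never leaves the UE; only pk1 is
// placed in the registration request (S101) and forwarded towards the PS.
type UEKeys struct{ sk1 *ecdh.PrivateKey }

// GenerateUEKeys implements S100. X25519 is an assumption (the curve of SUCI
// protection scheme Profile A); the patent names no curve.
func GenerateUEKeys() (*UEKeys, error) {
	sk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &UEKeys{sk1: sk}, nil
}

// PK1 returns the public half carried in the registration request.
func (u *UEKeys) PK1() []byte { return u.sk1.PublicKey().Bytes() }

// aeadFor derives the AES-256-GCM instance for one response. The KDF is a deliberately
// simple assumption (SHA-256 over the shared secret and both public keys).
func aeadFor(shared, ephPub, pk1 []byte) cipher.AEAD {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(pk1)
	block, _ := aes.NewCipher(h.Sum(nil)) // 32-byte key: error impossible
	aead, _ := cipher.NewGCM(block)       // standard block size: error impossible
	return aead
}

// PSEncryptSubscription is the PS side of S107: with pk1 in hand it turns the
// plaintext second user subscription data into the first user subscription data.
func PSEncryptSubscription(pk1Bytes, secondSubscriptionData []byte) ([]byte, error) {
	pk1, err := ecdh.X25519().NewPublicKey(pk1Bytes)
	if err != nil {
		return nil, fmt.Errorf("pk1 rejected: %w", err)
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh per response
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(pk1)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// pk1 is bound in as associated data, so data sealed for one UE cannot be opened by another.
	ct := aeadFor(shared, ephPub, pk1Bytes).Seal(nil, nonce, secondSubscriptionData, pk1Bytes)
	out := append(append(append([]byte{}, ephPub...), nonce...), ct...)
	return out, nil
}

// UEDecryptSubscription implements S109: the UE uses sk1 to recover the second
// user subscription data. Truncation, tampering or a wrong key yields an error.
func (u *UEKeys) UEDecryptSubscription(firstSubscriptionData []byte) ([]byte, error) {
	if len(firstSubscriptionData) < ephLen+nonceLen+tagLen {
		return nil, fmt.Errorf("first user subscription data too short")
	}
	ephPubBytes := firstSubscriptionData[:ephLen]
	nonce := firstSubscriptionData[ephLen : ephLen+nonceLen]
	ct := firstSubscriptionData[ephLen+nonceLen:]
	ephPub, err := ecdh.X25519().NewPublicKey(ephPubBytes)
	if err != nil {
		return nil, err
	}
	shared, err := u.sk1.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	pk1 := u.PK1()
	return aeadFor(shared, ephPubBytes, pk1).Open(nil, nonce, ct, pk1)
}

func main() {
	ue, _ := GenerateUEKeys()
	// Constructed sample; the real subscription data is whatever the PS provisions.
	first, _ := PSEncryptSubscription(ue.PK1(), []byte(`{"snpn_id":"placeholder-snpn"}`))
	got, err := ue.UEDecryptSubscription(first)
	fmt.Printf("UE recovered %q, err=%v\n", got, err)
}
```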
FIG. 4 is a schematic flowchart of another method for obtaining user subscription data according to an embodiment of this application. The method may include the following steps:
S200a. The UE is preconfigured with the PS public key pk2.
The UE may be preconfigured at the factory with the public key pk2 used for encrypted communication with the PS. Alternatively, the UE may be preconfigured with a PS certificate that includes the PS public key pk2.
S200b. The PS of the third network is preconfigured with the public key pk2 and the private key sk2.
The PS may likewise be preconfigured with the key pair pk2, sk2.
S201. The UE generates the key pair pk1 and sk1.
Specifically, the UE may generate the key pair pk1 and sk1 in the following ways:
In one implementation, the UE may generate the key pair pk1 and sk1 that it uses to compute the SUCI. The UE encrypts the SUPI with sk1 to obtain the SUCI.
In another implementation, the UE may also generate the key pair pk1 and sk1 on its own, separately, rather than generating it when computing the SUCI.
S202. The UE sends a registration request to the AMF in the onboarding network. Correspondingly, the AMF receives the registration request.
The registration request is used to request registration with the onboarding network. It includes the SUCI and may further include at least one of the following: an onboarding indication, a registration type, and a slice identifier.
The onboarding indication indicates that the type of the registration request is an onboarding service.
The SUCI includes the above pk1.
The registration type is onboarding service.
The slice identifier indicates the identifier of the network slice in which the private network that the UE requests to register with is located.
S203. The AMF determines the first authentication server (AUSF1/AUSF1*) in the first network according to the registration request.
In the existing registration procedure, when the AMF receives a registration request from the UE, it generally sends the request to the AUSF of the network where the AMF is located for subsequent processing. In this embodiment, however, the AMF determines from the received registration request that an onboarding service is being performed and therefore determines the first authentication server of its own network; the first authentication server submits the authentication request to the second network, which manages authentication for the onboarding service, so that the UE is authenticated there.
Specifically, the AMF may determine the first authentication server in the first network according to the registration request in the following ways:
In one implementation, the SUCI includes an identifier of the second network, and the first authentication server is determined according to that identifier. The identifier of the second network may be a DCS ID, the ID of the network where the DCS is located, or the ID of the party administering the DCS (for example, a vendor ID). That is, based on the identifier of the second network, the AMF determines that the second network needs to authenticate the UE, and then determines the first authentication server (AUSF1) of its own network or selects an AUSF dedicated to the onboarding service (AUSF1*).
In another implementation, the SUCI includes a routing indicator (RI), and the first authentication server is determined according to the routing indicator. The routing indicator indicates routing to the SNPN. Based on the routing indicator, the AMF determines that an onboarding service is being performed and that the second network needs to authenticate the UE, and then determines the first authentication server (AUSF1) of its own network or selects an AUSF dedicated to the onboarding service (AUSF1*).
In yet another implementation, the first authentication server is determined according to the onboarding indication, which indicates that the type of the registration request is an onboarding service. Based on the onboarding indication, the AMF determines that an onboarding service is being performed and that the second network needs to authenticate the UE, and then determines the first authentication server (AUSF1) of its own network or selects an AUSF dedicated to the onboarding service (AUSF1*).
In yet another implementation, the first authentication server is determined according to the registration type, which is onboarding service. The existing UE registration types are initial registration, mobility registration and periodic registration; this embodiment proposes a new registration type, onboarding service. Based on the registration type, the AMF determines that an onboarding service is being performed and that the second network needs to authenticate the UE, and then determines the first authentication server (AUSF1) of its own network or selects an AUSF dedicated to the onboarding service (AUSF1*).
In yet another implementation, the first authentication server is determined according to the slice identifier. The slice identifier carried in the registration request indicates the identifier of the network slice in which the private network that the UE requests to register with is located; from it the AMF determines that the UE is performing an onboarding service and that the second network needs to authenticate the UE, and then determines the first authentication server (AUSF1) of its own network or selects an AUSF dedicated to the onboarding service (AUSF1*).
S204: After determining the first authentication server, the AMF sends an authentication request for the UE to the first authentication server. The authentication request is used to request authentication of the UE. The authentication request includes the SUCI and may further include an onboarding indication. Correspondingly, the first authentication server receives the authentication request. The SUCI includes the above pk1.
S205: The first authentication server determines, according to the authentication request, to forward the authentication request to the second network.
If the first authentication server determines from the authentication request that an onboarding service is being performed, it determines to forward the authentication request to the second network.
S206: The first authentication server forwards the authentication request to the AUSF2 of the second network. The authentication request is used to request authentication of the UE. It includes the SUCI and may further include an onboarding indication. Correspondingly, after receiving the authentication request, the AUSF2 forwards it to the UDM/DCS of the second network, and the UDM/DCS of the second network receives it.
S207: The UDM/DCS of the second network decrypts the SUPI from the SUCI, and extracts the pk1 from the SUCI and stores it.
The UDM/DCS of the second network obtains the SUCI carried in the authentication request and can decrypt the SUPI from it.
Furthermore, when the UDM/DCS of the second network receives the authentication request, because the authentication request further includes an onboarding indication, which indicates that the type of the authentication request is an onboarding service, the UDM/DCS stores pk1 according to the onboarding indication.
At this point the above authentication is completed, and the AMF obtains the SUPI of the UE. Subsequent signalling about the UE between the first network and the second network can be performed based on the SUPI.
S208: The UDM/DCS of the second network sends pk1 to the PS of the third network. Correspondingly, the PS receives the pk1.
After the UDM/DCS of the second network has authenticated the UE, it can send pk1 to the PS in the third network so that the PS can subsequently use pk1 to encrypt data. When the UDM/DCS pushes the key, it can also carry a generic public subscription identifier (GPSI) together with pk1. Further, it can also carry a serving network name. The GPSI corresponds to the SUPI.
The above describes the UDM/DCS of the second network actively pushing pk1 to the PS in the third network. Optionally, pk1 may instead be carried when the AMF in the first network requests the user subscription data from the PS in the third network in step S212 below. Optionally, after step S212, when the PS in the third network receives the user subscription data acquisition request, it may request the key from the UDM/DCS of the second network, and the UDM/DCS of the second network then sends pk1 to the PS in the third network.
S209: The AMF in the first network sends a first acquisition request to the UDM/DCS of the second network, where the first acquisition request includes the SUPI and may further include an onboarding indication. Correspondingly, the UDM/DCS of the second network receives the first acquisition request.
The onboarding network may serve multiple private networks and may interface with the PSs corresponding to multiple private networks. Therefore, the AMF in the first network sends the first acquisition request to the UDM/DCS of the second network to obtain the identifier of the private network, so that the first network element can select the appropriate PS from which to obtain the user subscription data. After authenticating the UE, the UDM/DCS of the second network can send the identifier of the private network that the UE may access to the AMF.
S210: The UDM/DCS of the second network obtains the identifier of the private network according to the onboarding indication or local configuration.
The UDM/DCS looks up, according to the SUPI, the identifiers of the private networks that the UE may access, and obtains the identifier of the private network (that is, the SNPN ID) according to the onboarding indication or local configuration. An SNPN is identified by a PLMN ID and a network identifier (NID); the SNPN ID includes a public land mobile network (PLMN) ID and a NID. The PLMN ID may be a fixed value reserved for third-party operators, or a value specific to the PLMN operator that deploys the SNPN.
Specifically, the UDM/DCS looks up, according to the SUPI, the identifiers of the multiple private networks that the UE may access, determines according to the onboarding indication the private network for which the UE requests the onboarding service, and obtains the identifier of that private network. The identifier of the private network is one or more of the identifiers of the multiple private networks.
Alternatively, the UDM/DCS looks up, according to the SUPI, the identifiers of the multiple private networks that the UE may access, and determines according to local configuration the identifier of the private network that the UE is allowed to access, thereby obtaining the identifier of the private network that the UE is allowed to access.
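The selection step S210 has two branches, and in both the security-relevant point is the same: the UDM/DCS answers only with private networks that the subscription for this SUPI actually permits, so a UE cannot obtain an SNPN ID (and hence steer the AMF to a PS) simply by naming that network in its onboarding indication. The following Go program is an added illustration of that check and is not code from the patent or from any 5G core implementation; the subscription store, the local-configuration table, the SUPI values and the SNPN IDs are all constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// SNPNID identifies a stand-alone non-public network by PLMN ID plus NID, as in step S210.
type SNPNID struct {
	PLMN string // MCC+MNC; "99999" below is a constructed value
	NID  string // network identifier; constructed values below
}

func (s SNPNID) String() string { return s.PLMN + "-" + s.NID }

// subscriptions stands in for the UDM/DCS subscription store: SUPI -> private networks
// the subscriber may access. Constructed sample data.
var subscriptions = map[string][]SNPNID{
	"imsi-999990000000001": {{"99999", "000001"}, {"99999", "0000A2"}},
	"imsi-999990000000002": {{"99999", "000001"}},
}

// localAllowed is the local configuration used when no onboarding indication is present:
// the private networks this onboarding deployment admits at all. Constructed sample data.
var localAllowed = map[SNPNID]bool{{"99999", "000001"}: true}

var ErrNotAuthorized = errors.New("UE is not subscribed to any of the requested private networks")

// SelectPrivateNetworks plays the UDM/DCS in S210. requested holds the SNPN IDs named in the
// onboarding indication; nil means the request carried no indication (local-configuration branch).
// Either way the result is the intersection with the subscription, never the raw request.
func SelectPrivateNetworks(supi string, requested []SNPNID) ([]SNPNID, error) {
	allowed, ok := subscriptions[supi]
	if !ok {
		return nil, errors.New("unknown SUPI")
	}
	subscribed := map[SNPNID]bool{}
	for _, id := range allowed {
		subscribed[id] = true
	}
	var out []SNPNID
	if requested != nil {
		for _, id := range requested { // onboarding-indication branch
			if subscribed[id] {
				out = append(out, id)
			}
		}
	} else {
		for _, id := range allowed { // local-configuration branch
			if localAllowed[id] {
				out = append(out, id)
			}
		}
	}
	if len(out) == 0 {
		return nil, ErrNotAuthorized
	}
	return out, nil
}

func main() {
	ids, err := SelectPrivateNetworks("imsi-999990000000001", []SNPNID{{"99999", "0000A2"}, {"99999", "BAD000"}})
	fmt.Println("indication branch:", ids, err)
	ids, err = SelectPrivateNetworks("imsi-999990000000002", nil)
	fmt.Println("local-config branch:", ids, err)
}
```

The returned list is what goes into the first acquisition response of S211; an unknown SUPI and a request naming only unsubscribed networks are both refused rather than answered with an empty identifier.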
S211: The UDM/DCS of the second network sends a first acquisition response to the AMF, where the first acquisition response includes the SUPI and the identifier of the private network, and may further include pk1. Correspondingly, the AMF receives the first acquisition response.
S212: The AMF in the first network sends a user subscription data acquisition request for the UE to the PS in the third network according to the identifier of the private network. Correspondingly, the PS in the third network receives the user subscription data acquisition request.
After obtaining the identifier of the private network, the AMF can request the user subscription data of the UE from the PS in the third network according to that identifier.
The user subscription data acquisition request includes the GPSI. Further, it may also include pk1, the onboarding indication, and the serving network name.
S213: The PS in the third network encrypts the second user subscription data with pk1 to obtain the first user subscription data, and signs the first user subscription data with sk2.
After receiving the user subscription data acquisition request, the PS looks up the second user subscription data of the UE according to the GPSI, and encrypts the second user subscription data with the obtained pk1 corresponding to the UE to obtain the first user subscription data, which protects the second user subscription data from being stolen. Further, the sk2 preset on the PS in step S200b can be used to sign the first user subscription data, which protects the first user subscription data from being tampered with.
S214: The PS in the third network sends a user subscription data acquisition response to the AMF in the first network. The user subscription data acquisition response includes the signed first user subscription data. Correspondingly, the AMF in the first network receives the user subscription data acquisition response.
In this embodiment, the PS delivers the signed first user subscription data through the control plane. Specifically, the PS sends the user subscription data acquisition response to the UE through the AMF in the first network. The user subscription data acquisition response includes the signed first user subscription data.
S215: The AMF in the first network delivers the signed first user subscription data through a UE configuration update (UCU) procedure. Correspondingly, the UE receives the signed first user subscription data.
S216: The UE verifies the signature with pk2, and after the signature verification passes, decrypts the first user subscription data with sk1 to obtain the second user subscription data.
After receiving the user subscription data acquisition response, the UE extracts the signed first user subscription data carried in it, verifies the signature with the pk2 preset on the UE in step S200a, and after the signature verification passes, decrypts the first user subscription data with sk1 to obtain the second user subscription data.
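Steps S213 and S216 (reused unchanged as S317 and S319 in the FIG. 5 embodiment) form an encrypt-then-sign exchange: the PS encrypts under the UE's pk1 and signs with its own sk2, and the UE checks the pk2 signature before it touches the ciphertext with sk1. The Go program below is an added worked example of that exchange, not code from the patent or from any PS or UE implementation. The patent names no algorithms, so the choices here are assumptions: pk1/sk1 is a P-256 ECDH key with an ECIES-style hybrid encryption (ephemeral ECDH, hash-based key derivation, AES-256-GCM), pk2/sk2 is a P-256 ECDSA key, and the `Protected` message layout and the KDF label are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Protected is the "signed first user subscription data" of S214/S215 (layout assumed).
type Protected struct {
	EphPK      []byte // PS ephemeral ECDH public key, needed by the UE to rederive the key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // first user subscription data: second data encrypted under pk1
	Signature  []byte // ECDSA signature by sk2 over SHA-256(EphPK || Nonce || Ciphertext)
}

// GenerateUEKeys is step S201: sk1 stays on the UE, pk1 (PublicKey().Bytes()) travels in the SUCI.
func GenerateUEKeys() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// GeneratePSKeys stands in for the preset pk2/sk2 of S200a/S200b (pk2 is &sk2.PublicKey).
func GeneratePSKeys() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// aeadFor performs the ECDH step and derives the AES-256-GCM instance shared by both sides.
// priv is the caller's ECDH key (PS ephemeral key or UE sk1); peerBytes is the other side's public key.
func aeadFor(priv *ecdh.PrivateKey, peerBytes, ephPK []byte) (cipher.AEAD, error) {
	peer, err := ecdh.P256().NewPublicKey(peerBytes) // rejects malformed or off-curve points
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New() // simple hash-based KDF; the label is a constructed value
	h.Write([]byte("example-subscription-data-key"))
	h.Write(shared)
	h.Write(ephPK)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signedDigest is the exact value sk2 signs and pk2 verifies: it binds the ephemeral key and nonce too.
func signedDigest(p Protected) []byte {
	h := sha256.New()
	h.Write(p.EphPK)
	h.Write(p.Nonce)
	h.Write(p.Ciphertext)
	return h.Sum(nil)
}

// ProtectSubscriptionData is step S213 on the PS: encrypt with pk1, then sign with sk2.
func ProtectSubscriptionData(sk2 *ecdsa.PrivateKey, pk1, second []byte) (Protected, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Protected{}, err
	}
	out := Protected{EphPK: eph.PublicKey().Bytes()}
	gcm, err := aeadFor(eph, pk1, out.EphPK)
	if err != nil {
		return Protected{}, err
	}
	out.Nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(out.Nonce); err != nil {
		return Protected{}, err
	}
	out.Ciphertext = gcm.Seal(nil, out.Nonce, second, out.EphPK)
	out.Signature, err = ecdsa.SignASN1(rand.Reader, sk2, signedDigest(out))
	return out, err
}

// VerifyAndDecrypt is step S216 on the UE: verify with pk2 first, decrypt with sk1 only on success.
func VerifyAndDecrypt(sk1 *ecdh.PrivateKey, pk2 *ecdsa.PublicKey, p Protected) ([]byte, error) {
	if !ecdsa.VerifyASN1(pk2, signedDigest(p), p.Signature) {
		return nil, errors.New("signature verification failed: not from the PS or tampered")
	}
	gcm, err := aeadFor(sk1, p.EphPK, p.EphPK)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, p.EphPK)
}

func main() {
	sk1, _ := GenerateUEKeys()
	sk2, _ := GeneratePSKeys()
	second := []byte(`{"allowed_snpn":"99999-000001"}`) // constructed second user subscription data
	prot, err := ProtectSubscriptionData(sk2, sk1.PublicKey().Bytes(), second)
	if err != nil {
		panic(err)
	}
	got, err := VerifyAndDecrypt(sk1, &sk2.PublicKey, prot)
	fmt.Printf("recovered %q, err=%v\n", got, err)
	prot.Ciphertext[0] ^= 0x01 // tampering in transit: the pk2 signature check rejects it
	_, err = VerifyAndDecrypt(sk1, &sk2.PublicKey, prot)
	fmt.Println("after tampering:", err)
}
```

Two details carry the text's security claims: the signature covers the ephemeral key and nonce as well as the ciphertext, so a relaying network element cannot swap any of them, and the UE checks the signature before decrypting, so the only thing a forged or tampered message can reach on the UE is a rejected signature check. `NewPublicKey` additionally refuses a malformed pk1 on the PS side, which is the check a PS should make on a key it receives via the UDM/DCS or SMF rather than from the UE directly.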
S217: The UE sends a UCU response to the AMF in the first network. Correspondingly, the AMF receives the UCU response.
The UCU response indicates that the UE has successfully received the user subscription data acquisition response.
According to the method for obtaining user subscription data provided by this embodiment of the application, the second network element in the second network authenticates the UE and sends the identifier of the private network that the UE may access to the first network element in the first network, so that the first network element can obtain the first user subscription data from the third network according to the identifier of the private network and deliver the first user subscription data to the UE through the control plane. Because the first user subscription data is encrypted subscription data, the acquisition of user subscription data is protected, theft and tampering of user subscription data are avoided, and communication security is improved. In addition, by obtaining the identifier of the private network from the second network element, the first network element can obtain the correct user subscription data from the appropriate PS.
FIG. 5 is a schematic flowchart of another method for obtaining user subscription data provided by an embodiment of the application. The method may include the following steps:
S300a: The UE presets the PS public key pk2.
For the specific implementation of this step, refer to step S200a of the embodiment shown in FIG. 4.
S300b: The PS of the third network presets the public key pk2 and the private key sk2.
For the specific implementation of this step, refer to step S200b of the embodiment shown in FIG. 4.
S301: The UE generates the public-private key pair pk1 and sk1.
For the specific implementation of this step, refer to step S201 of the embodiment shown in FIG. 4.
S302: The UE sends a registration request to the AMF in the onboarding network, where the registration request includes the SUCI and may further include an onboarding indication. Correspondingly, the AMF receives the registration request.
For the specific implementation of this step, refer to step S202 of the embodiment shown in FIG. 4.
S303: The AMF determines the first authentication server (AUSF1/AUSF1*) in the first network according to the registration request.
For the specific implementation of this step, refer to step S203 of the embodiment shown in FIG. 4.
S304: The AMF sends an authentication request for the UE to the first authentication server. The authentication request includes the SUCI and may further include an onboarding indication. Correspondingly, the first authentication server receives the authentication request.
For the specific implementation of this step, refer to step S204 of the embodiment shown in FIG. 4.
S305: The first authentication server determines, according to the authentication request, to forward the authentication request to the second network.
For the specific implementation of this step, refer to step S205 of the embodiment shown in FIG. 4.
S306: The first authentication server forwards the authentication request to the AUSF2 of the second network. The authentication request includes the SUCI and may further include an onboarding indication. Correspondingly, after receiving the authentication request, the AUSF2 forwards it to the UDM/DCS of the second network, and the UDM/DCS of the second network receives it.
For the specific implementation of this step, refer to step S206 of the embodiment shown in FIG. 4.
S307: The UDM/DCS of the second network decrypts the SUPI from the SUCI, and extracts the pk1 from the SUCI and stores it.
For the specific implementation of this step, refer to step S207 of the embodiment shown in FIG. 4.
At this point the above authentication is completed, and the AMF obtains the SUPI of the UE.
S308: The AMF sends a second acquisition request to the UDM/DCS of the second network, where the second acquisition request includes the SUPI and may further include an onboarding indication. Correspondingly, the UDM/DCS of the second network receives the second acquisition request. The second acquisition request is used to obtain the identifier of the private network that the UE may access.
For the specific implementation of this step, refer to step S209 of the embodiment shown in FIG. 4.
S309: The UDM/DCS of the second network obtains the identifier of the private network according to the onboarding indication or according to local configuration.
For the specific implementation of this step, refer to step S210 of the embodiment shown in FIG. 4.
Steps S308 and S309 are optional and are shown with dashed lines in the figure. In this embodiment the user subscription data is delivered through the user plane; therefore the SMF also obtains the identifier of the private network from the UDM/DCS of the second network, as described in steps S314 and S315.
S310: The UDM/DCS of the second network sends a second acquisition response to the AMF, where the second acquisition response includes the SUPI and the identifier of the private network, and may further include pk1. Correspondingly, the AMF receives the second acquisition response.
For the specific implementation of this step, refer to step S211 of the embodiment shown in FIG. 4.
S311: The AMF of the first network sends a registration response to the UE. Correspondingly, the UE receives the registration response.
The registration response indicates whether the registration succeeded or failed.
After completing registration with the third network, the UE may establish a protocol data unit (PDU) session with the third network.
S312: The UE sends a PDU session establishment request to the AMF of the first network. Correspondingly, the AMF of the first network receives the PDU session establishment request.
S313: The AMF of the first network sends a PDU session establishment request to the SMF of the second network. The PDU session establishment request includes the SUPI/GPSI, and may further include the identifier of the private network and pk1. Correspondingly, the SMF of the second network receives the PDU session establishment request and establishes the PDU session.
S314: The SMF of the second network sends a third acquisition request to the UDM/DCS of the second network, where the third acquisition request includes the SUPI and may further include an onboarding indication. Correspondingly, the UDM/DCS of the second network receives the third acquisition request. The third acquisition request is used to request the identifier of the private network that the UE may access.
The UDM/DCS of the second network looks up, according to the SUPI, the identifier of the private network that the UE may access and pk1, and carries the identifier of the private network and pk1 in the third acquisition request sent to the SMF.
S315: The UDM/DCS of the second network sends a third acquisition response to the SMF of the second network, where the third acquisition response includes the SUPI and the identifier of the private network, and may further include pk1.
At this point, PDU session establishment is completed.
S316: The SMF of the second network sends pk1 to the PS of the third network. Correspondingly, the PS of the third network receives the pk1.
Unlike the embodiment shown in FIG. 4, pk1 can be pushed to the PS of the third network by the SMF of the second network when the session is established.
Specifically, if the SMF of the second network obtained pk1 in the above first user subscription data acquisition response, the SMF of the second network may push pk1 to the PS of the third network. The key push carries the GPSI and pk1, and may also include the serving network name.
Alternatively, after the session establishment described below is completed, the SMF of the second network may, after receiving a key acquisition request from the PS of the third network, send a key acquisition response to the PS of the third network. The key acquisition request includes the GPSI and may further include the serving network name, the onboarding indication, and so on. The key acquisition response includes the GPSI and pk1.
S317: The PS encrypts the second user subscription data with pk1 to obtain the first user subscription data, and signs the first user subscription data with sk2.
For the specific implementation of this step, refer to step S213 of the embodiment shown in FIG. 4.
S318: Receiving the pk1 sent by the SMF triggers the PS to send a user subscription data acquisition response to the UE. The user subscription data acquisition response includes the signed first user subscription data. Correspondingly, the UE receives the user subscription data acquisition response.
In this embodiment, the PS sends the user subscription data acquisition response to the UE through the established session channel, that is, through the user plane.
S319: The UE verifies the signature with pk2, and after the signature verification passes, decrypts the first user subscription data with sk1 to obtain the second user subscription data.
For the specific implementation of this step, refer to step S216 of the embodiment shown in FIG. 4.
According to the method for obtaining user subscription data provided by this embodiment of the application, the second network element in the second network authenticates the UE and sends the identifier of the private network that the UE may access to the first network element in the first network, so that the first network element can obtain the first user subscription data from the third network according to the identifier of the private network and deliver the first user subscription data to the UE through the user plane. Because the first user subscription data is encrypted subscription data, the acquisition of user subscription data is protected, theft and tampering of user subscription data are avoided, and communication security is improved. In addition, by obtaining the identifier of the private network from the second network element, the first network element can obtain the correct user subscription data from the appropriate PS.
It can be understood that, in the above embodiments, the methods and/or steps implemented by the terminal device may also be implemented by a component (for example, a chip or a circuit) usable in the terminal device; the methods and/or steps implemented by the first network element may also be implemented by a component (for example, a chip or a circuit) usable in the first network element; and the methods and/or steps implemented by the second network element may also be implemented by a component (for example, a chip or a circuit) usable in the second network element.
The foregoing mainly describes the solutions provided by the embodiments of the application from the perspective of interaction between the network elements. Correspondingly, the embodiments of the application further provide an apparatus for implementing the above methods. The apparatus may be the terminal device, the first network element, or the second network element in the above method embodiments. It can be understood that, to implement the above functions, the apparatus includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of the application.
In the embodiments of the application, the apparatus may be divided into functional modules according to the above method embodiments; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiments of the application is illustrative and is only a logical functional division; other division manners may be used in actual implementation.
The functions of the communication apparatus in the embodiments of the application may be implemented by the communication apparatus 200 in FIG. 6. FIG. 6 is a schematic structural diagram of a communication apparatus 200 provided by an embodiment of the application. The communication apparatus 200 includes one or more processors 21, a communication line 22, and at least one communication interface (FIG. 6 shows, only by way of example, one communication interface 24 and one processor 21), and may optionally further include a memory 23.
The processor 21 may be a CPU, a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the programs of the solution of the application.
The communication line 22 may include a path for connecting the different components.
The communication interface 24 may be a transceiver module for communicating with other devices or communication networks, such as Ethernet, a RAN, or a wireless local area network (WLAN). For example, the transceiver module may be an apparatus such as a transceiver. Optionally, the communication interface 24 may also be a transceiver circuit located inside the processor 21 for implementing signal input and signal output of the processor.
The memory 23 may be an apparatus having a storage function. For example, it may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and so on), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited thereto. The memory may exist independently and be connected to the processor through the communication line 22. The memory may also be integrated with the processor.
The memory 23 is used to store computer-executable instructions for executing the solution of the application, and the processor 21 controls their execution. The processor 21 is configured to execute the computer-executable instructions stored in the memory 23, thereby implementing the method for obtaining user subscription data provided in the embodiments of the application.
Alternatively, in the embodiments of the application, the processor 21 may perform the processing-related functions in the method for obtaining user subscription data provided by the following embodiments of the application, and the communication interface 24 is responsible for communicating with other devices or communication networks; this is not specifically limited in the embodiments of the application.
The computer-executable instructions in the embodiments of the application may also be referred to as application program code, which is not specifically limited in the embodiments of the application.
In a specific implementation, as an embodiment, the processor 21 may include one or more CPUs, for example CPU0 and CPU1 in FIG. 6.
In a specific implementation, as an embodiment, the communication apparatus 200 may include multiple processors, for example the processor 21 and the processor 27 in FIG. 6. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).
In a specific implementation, as an embodiment, the communication apparatus 200 may further include an output device 25 and an input device 26. The output device 25 communicates with the processor 21 and can display information in multiple ways.
The communication apparatus 200 may be a general-purpose apparatus or a dedicated apparatus. For example, the communication apparatus 200 may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet computer, a wireless user equipment, an embedded device, or a device with a structure similar to that in FIG. 6. The embodiments of the application do not limit the type of the communication apparatus 200.
FIG. 7 is another schematic structural diagram of an apparatus for obtaining user subscription data provided by an embodiment of this application; the apparatus for obtaining user subscription data may be the terminal device in the above embodiments. The apparatus 300 for obtaining user subscription data includes a processing unit 31, a sending unit 32, and a receiving unit 33, where:
the processing unit 31 is configured to generate a first public key pk1 and a first private key sk1;
the sending unit 32 is configured to send a registration request to a first network, where the registration request includes the pk1;
the receiving unit 33 is configured to receive first user subscription data, where the first user subscription data is obtained by encrypting second user subscription data with the pk1;
the processing unit 31 is further configured to decrypt the first user subscription data with the sk1 to obtain the second user subscription data.
For the specific implementation of the processing unit 31, the sending unit 32, and the receiving unit 33, refer to the description of the UE in the embodiments shown in FIG. 3 to FIG. 5.
According to the apparatus for obtaining user subscription data provided by this embodiment of this application, the apparatus receives the encrypted first user subscription data returned by the third network and decrypts it with the first private key that the apparatus itself generated, thereby obtaining the second user subscription data. This protects the obtaining of the user subscription data, prevents the user subscription data from being stolen, and improves communication security; moreover, because the private network identifier is obtained from the second network element, the first network element can obtain the correct user subscription data from a suitable PS.
FIG. 8 is another schematic structural diagram of a communication apparatus provided by an embodiment of this application; the communication apparatus may be the second network element in the second network in the above embodiments. The communication apparatus 400 includes a receiving unit 41, a processing unit 42, and a sending unit 43, where:
the receiving unit 41 is configured to receive, from a first network, an authentication request for a terminal device, where the authentication request includes a first public key pk1;
the processing unit 42 is configured to store the pk1;
the sending unit 43 is configured to send an identifier of a private network to the first network;
the sending unit 43 is further configured to send the pk1 to a third network.
In a possible implementation, the authentication request further includes an online indication, where the online indication indicates that the type of the authentication request is an online service; the processing unit 42 is configured to store the pk1 according to the online indication.
For the description of the receiving unit 41, the processing unit 42, and the sending unit 43, refer to the description of the second network element in the embodiments shown in FIG. 3 to FIG. 5.
According to the communication apparatus provided by this embodiment of this application, the apparatus authenticates the terminal device and sends the identifier of the private network that the terminal device may access to the first network element in the first network, so that the first network element can obtain the first user subscription data from the third network according to the identifier of the private network. Because the first user subscription data is encrypted, the obtaining of the user subscription data is protected, the user subscription data is prevented from being stolen, and communication security is improved; moreover, because the private network identifier is obtained from the second network element, the first network element can obtain the correct user subscription data from a suitable PS.
FIG. 9 is another schematic structural diagram of a communication apparatus provided by an embodiment of this application; the communication apparatus may be the first network element in the first network in the above embodiments. The communication apparatus 500 includes a receiving unit 51, a processing unit 52, and a sending unit 53, where:
the receiving unit 51 is configured to receive an identifier of a private network from a second network;
the processing unit 52 is configured to determine a user subscription data obtaining request for a terminal device according to the identifier of the private network;
the sending unit 53 is configured to send the user subscription data obtaining request to a third network;
the receiving unit 51 is further configured to receive a user subscription data obtaining response returned by the third network, where the user subscription data obtaining response includes first user subscription data of the terminal device in the private network;
the sending unit 53 is further configured to send the first user subscription data to the terminal device.
In a possible implementation, the receiving unit 51 is further configured to receive a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type, or a slice identifier;
the processing unit 52 is further configured to determine a first authentication server in the first network according to the registration request;
the sending unit 53 is further configured to send an authentication request for the terminal device to the second network through the first authentication server;
where the processing unit 52 is specifically configured to: when the user hidden identifier includes an identifier of the second network, determine the first authentication server according to the identifier of the second network; or
the processing unit 52 is specifically configured to: when the user hidden identifier includes a routing indication, determine the first authentication server according to the routing indication; or
the processing unit 52 is specifically configured to determine the first authentication server according to the online indication, where the online indication indicates that the type of the registration request is an online service; or
the processing unit 52 is specifically configured to determine the first authentication server according to the registration type, where the registration type is an online service; or
the processing unit 52 is specifically configured to determine the first authentication server according to the slice identifier.
For the specific implementation of the receiving unit 51, the processing unit 52, and the sending unit 53, refer to the description of the first network element in the embodiments shown in FIG. 3 to FIG. 5.
According to the communication apparatus provided by this embodiment of this application, the apparatus can select a suitable PS according to the identifier of the private network received from the second network and obtain the correct user subscription data; further, the apparatus can encrypt the second user subscription data with the received first public key to obtain the first user subscription data and send the first user subscription data, thereby protecting the obtaining of the user subscription data, preventing the user subscription data from being stolen, and improving communication security.
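The exchange among the three apparatuses of FIG. 7 to FIG. 9, simulated end to end as an added example that is not part of the patent. It assumes X25519 key agreement with an HMAC-SHA256 keystream and tag as the pk1/sk1 encryption scheme, dicts as the message format, and a readable user id inside the hidden identifier (a real SUCI conceals it); the patent specifies none of these, and the sample subscription data and identifiers are constructed.

```python
"""Simulated flow of WO2022028259A1: UE, first/second network elements and a provisioning
server (third network), standard library only.  Assumed, not from the patent: X25519 plus an
HMAC-SHA256 keystream and tag as the pk1/sk1 scheme, dict messages, a readable user id."""
import hashlib, hmac, secrets

P = 2**255 - 19                      # X25519 field prime (RFC 7748)
BASE_U = (9).to_bytes(32, "little")  # X25519 base point u-coordinate

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; stands in for whatever pk1/sk1 scheme a deployment uses."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, c, d = a * a % P, b * b % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb, e = d * a % P, c * b % P, (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _keys(shared: bytes, eph_pk: bytes, pk1: bytes) -> tuple:
    if shared == bytes(32):          # low-order point: no contributory secret, refuse it
        raise ValueError("degenerate shared secret")
    return tuple(hmac.new(shared, tag + eph_pk + pk1, hashlib.sha256).digest() for tag in (b"enc", b"mac"))

def _xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):  # HMAC-SHA256 in counter mode as the keystream
        block = hmac.new(key, (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def pk_encrypt(pk1: bytes, second_user_data: bytes) -> bytes:
    """Third network: second user subscription data -> first (encrypted) user subscription data."""
    eph_sk = secrets.token_bytes(32)
    eph_pk = x25519(eph_sk, BASE_U)
    enc_key, mac_key = _keys(x25519(eph_sk, pk1), eph_pk, pk1)
    ct = _xor_stream(enc_key, second_user_data)
    return eph_pk + ct + hmac.new(mac_key, eph_pk + ct, hashlib.sha256).digest()

def pk_decrypt(sk1: bytes, first_user_data: bytes) -> bytes:
    """UE: recover the second user subscription data; fails on a wrong sk1 or a modified blob."""
    eph_pk, ct, tag = first_user_data[:32], first_user_data[32:-32], first_user_data[-32:]
    enc_key, mac_key = _keys(x25519(sk1, eph_pk), eph_pk, x25519(sk1, BASE_U))
    if not hmac.compare_digest(tag, hmac.new(mac_key, eph_pk + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong sk1 or modified ciphertext")
    return _xor_stream(enc_key, ct)

class ProvisioningServer:            # third network (PS): holds the real subscription data
    def __init__(self, subscriptions: dict):
        self.subscriptions, self.pk1_of = subscriptions, {}
    def get_subscription_data(self, user_id: str, private_net: str) -> bytes:
        return pk_encrypt(self.pk1_of[user_id], self.subscriptions[private_net][user_id])

class SecondNetworkElement:          # home side: authenticates, keeps pk1 only for online requests
    def __init__(self, private_net_of: dict, ps: ProvisioningServer):
        self.private_net_of, self.ps = private_net_of, ps
    def authenticate(self, auth_req: dict) -> str:
        if not auth_req["online"]:
            raise PermissionError("pk1 is accepted only with the online indication")
        user_id, pk1 = auth_req["suci"]["user_id"], auth_req["suci"]["pk1"]
        self.ps.pk1_of[user_id] = pk1          # pk1 forwarded to the third network
        return self.private_net_of[user_id]    # private network identifier back to NE1

class FirstNetworkElement:           # serving side: selects auth server and PS, relays ciphertext
    def __init__(self, auth_server_by_home_net: dict, ps_by_private_net: dict):
        self.auth_servers, self.ps_by_private_net = auth_server_by_home_net, ps_by_private_net
    def register(self, reg: dict) -> bytes:
        auth_server = self.auth_servers[reg["suci"]["home_net"]]   # chosen by the home-network id
        private_net = auth_server.authenticate({"suci": reg["suci"], "online": reg["online"]})
        ps = self.ps_by_private_net[private_net]                    # chosen by the private-network id
        return ps.get_subscription_data(reg["suci"]["user_id"], private_net)  # opaque to NE1: no sk1

def run_flow() -> dict:
    """Constructed sample run; returns the relayed ciphertext and what the UE recovered."""
    ps = ProvisioningServer({"private-net-A": {"user-0001": b"snpn=private-net-A;qos=gold"}})
    ne2 = SecondNetworkElement({"user-0001": "private-net-A"}, ps)
    ne1 = FirstNetworkElement({"home-net-1": ne2}, {"private-net-A": ps})
    sk1 = secrets.token_bytes(32)                                   # UE generates (pk1, sk1)
    reg = {"suci": {"home_net": "home-net-1", "user_id": "user-0001", "pk1": x25519(sk1, BASE_U)},
           "online": True, "slice_id": "onboarding-slice"}
    first_user_data = ne1.register(reg)
    return {"relayed": first_user_data, "recovered": pk_decrypt(sk1, first_user_data), "sk1": sk1}
```

The first network element only ever handles the ciphertext, so a compromised serving network (or anyone tapping its links) learns nothing about the subscription data without sk1, and any modification of the relayed blob is rejected by the tag check.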
Optionally, an embodiment of this application further provides a chip system, including at least one processor and an interface, where the at least one processor is coupled to a memory through the interface; when the at least one processor executes the computer program or instructions in the memory, the method in any of the above method embodiments is performed. Optionally, the chip system may consist of chips, or may include chips and other discrete devices; this is not specifically limited in the embodiments of this application.
It should be understood that in the description of this application, unless otherwise stated, "/" indicates an "or" relationship between the associated objects; for example, A/B may mean A or B, where A and B may be singular or plural. Also, in the description of this application, unless otherwise stated, "a plurality of" means two or more. "At least one of the following items" or a similar expression refers to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b, or c may mean: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, and c may each be singular or plural. In addition, to describe the technical solutions of the embodiments of this application clearly, the embodiments of this application use words such as "first" and "second" to distinguish between identical or similar items whose functions and effects are basically the same. Those skilled in the art will understand that words such as "first" and "second" do not limit the quantity or the execution order, and that items labelled "first" and "second" are not necessarily different. Meanwhile, in the embodiments of this application, words such as "exemplary" or "for example" are used to indicate an example, an illustration, or an explanation.
Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as being preferred over, or more advantageous than, other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the related concept in a concrete manner to aid understanding.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented by a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center over a wired (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless (for example, infrared, radio, or microwave) connection. The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a digital versatile disc (DVD)), a semiconductor medium (for example, a solid state disk (SSD)), or the like.
Although this application is described herein in conjunction with the various embodiments, those skilled in the art, in practicing the claimed application, can understand and implement other variations of the disclosed embodiments by studying the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that these measures cannot be combined to advantage.
Although this application is described in conjunction with specific features and embodiments thereof, it is evident that various modifications and combinations can be made without departing from the spirit and scope of this application. Accordingly, this specification and the drawings are merely exemplary illustrations of this application as defined by the appended claims, and are deemed to cover any and all modifications, variations, combinations, or equivalents within the scope of this application. Evidently, those skilled in the art can make various changes and modifications to this application without departing from its spirit and scope. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.

Claims (28)

  1. A method for obtaining user subscription data, comprising:
    generating a first public key and a first private key;
    sending a registration request to a first network, where the registration request includes the first public key;
    receiving first user subscription data, where the first user subscription data is obtained by encrypting second user subscription data with the first public key; and
    decrypting the first user subscription data with the first private key to obtain the second user subscription data.
  2. The method according to claim 1, wherein the registration request further includes an online indication, and the online indication indicates that the type of the registration request is an online service.
  3. The method according to claim 1 or 2, wherein the registration request further includes a user hidden identifier, and the user hidden identifier includes the first public key.
  4. A method for obtaining user subscription data, comprising:
    receiving, from a first network, an authentication request for a terminal device, where the authentication request includes a first public key;
    storing the first public key;
    sending an identifier of a private network to the first network; and
    sending the first public key to a third network.
  5. The method according to claim 4, wherein the authentication request further includes a user hidden identifier, and the user hidden identifier includes the first public key.
  6. The method according to claim 4 or 5, wherein the authentication request further includes an online indication, and the online indication indicates that the type of the authentication request is an online service;
    the storing the first public key includes:
    storing the first public key according to the online indication.
  7. A method for obtaining user subscription data, comprising:
    receiving, by a first network element in a first network, an identifier of a private network from a second network;
    sending, by the first network element, a user subscription data obtaining request for a terminal device to a third network according to the identifier of the private network;
    receiving, by the first network element, a user subscription data obtaining response returned by the third network, where the user subscription data obtaining response includes first user subscription data of the terminal device in the private network; and
    sending, by the first network element, the first user subscription data to the terminal device.
  8. The method according to claim 7, wherein before the first network element receives the identifier of the private network from the second network, the method further comprises:
    receiving, by the first network element, a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type, or a slice identifier;
    determining, by the first network element, a first authentication server in the first network according to the registration request; and
    sending, by the first network element, an authentication request for the terminal device to the second network through the first authentication server;
    where the determining the first authentication server according to the registration request includes:
    when the user hidden identifier includes an identifier of the second network, determining the first authentication server according to the identifier of the second network; or
    when the user hidden identifier includes a routing indication, determining the first authentication server according to the routing indication; or
    determining the first authentication server according to the online indication, where the online indication indicates that the type of the registration request is an online service; or
    determining the first authentication server according to the registration type, where the registration type is an online service; or
    determining the first authentication server according to the slice identifier.
  9. The method according to claim 8, wherein the registration request includes a first public key, and before the first network element receives the identifier of the private network from the second network, the method further comprises:
    sending the first public key to the second network, where the first user subscription data is obtained by encrypting second user subscription data with the first public key.
  10. The method according to claim 8 or 9, wherein the registration request includes a user hidden identifier, and the user hidden identifier includes the first public key.
  11. An apparatus for obtaining user subscription data, comprising:
    a processing unit, configured to generate a first public key and a first private key;
    a sending unit, configured to send a registration request to a first network, where the registration request includes the first public key; and
    a receiving unit, configured to receive first user subscription data, where the first user subscription data is obtained by encrypting second user subscription data with the first public key;
    where the processing unit is further configured to decrypt the first user subscription data with the first private key to obtain the second user subscription data.
  12. The apparatus according to claim 11, wherein the registration request further includes an online indication, and the online indication indicates that the type of the registration request is an online service.
  13. The apparatus according to claim 11 or 12, wherein the registration request further includes a user hidden identifier, and the user hidden identifier includes the first public key.
  14. A communication apparatus, comprising:
    a receiving unit, configured to receive, from a first network, an authentication request for a terminal device, where the authentication request includes a first public key;
    a processing unit, configured to store the first public key; and
    a sending unit, configured to send an identifier of a private network to the first network;
    where the sending unit is further configured to send the first public key to a third network.
  15. The apparatus according to claim 14, wherein the authentication request further includes a user hidden identifier, and the user hidden identifier includes the first public key.
  16. The apparatus according to claim 14 or 15, wherein the authentication request further includes an online indication, and the online indication indicates that the type of the authentication request is an online service;
    the processing unit is configured to store the first public key according to the online indication.
  17. A communication apparatus, comprising:
    a receiving unit, configured to receive an identifier of a private network from a second network;
    a processing unit, configured to determine a user subscription data obtaining request for a terminal device according to the identifier of the private network; and
    a sending unit, configured to send the user subscription data obtaining request to a third network;
    where the receiving unit is further configured to receive a user subscription data obtaining response returned by the third network, the user subscription data obtaining response including first user subscription data of the terminal device in the private network; and
    the sending unit is further configured to send the first user subscription data to the terminal device.
  18. The apparatus according to claim 17, wherein:
    the receiving unit is further configured to receive a registration request from the terminal device, where the registration request carries at least one of the following: a user hidden identifier, an online indication, a registration type, or a slice identifier;
    the processing unit is further configured to determine a first authentication server in the first network according to the registration request;
    the sending unit is further configured to send an authentication request for the terminal device to the second network through the first authentication server;
    where the processing unit is specifically configured to: when the user hidden identifier includes an identifier of the second network, determine the first authentication server according to the identifier of the second network; or
    the processing unit is specifically configured to: when the user hidden identifier includes a routing indication, determine the first authentication server according to the routing indication; or
    the processing unit is specifically configured to determine the first authentication server according to the online indication, where the online indication indicates that the type of the registration request is an online service; or
    the processing unit is specifically configured to determine the first authentication server according to the registration type, where the registration type is an online service; or
    the processing unit is specifically configured to determine the first authentication server according to the slice identifier.
  19. The apparatus according to claim 18, wherein the registration request includes a first public key, the sending unit is further configured to send the first public key to the second network, and the first user subscription data is obtained by encrypting second user subscription data with the first public key.
  20. The apparatus according to claim 18 or 19, wherein the registration request includes a user hidden identifier, and the user hidden identifier includes the first public key.
  21. A communication apparatus, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program, the method according to any one of claims 1 to 3 is implemented.
  22. A communication apparatus, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program, the method according to any one of claims 4 to 6 is implemented.
  23. A communication apparatus, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program, the method according to any one of claims 7 to 10 is implemented.
  24. A communication apparatus, comprising a processor, where the processor is configured to be coupled to a memory, read instructions in the memory, and implement the method according to any one of claims 1 to 3 according to the instructions.
  25. A communication apparatus, comprising a processor, where the processor is configured to be coupled to a memory, read instructions in the memory, and implement the method according to any one of claims 4 to 6 according to the instructions.
  26. A communication apparatus, comprising a processor, where the processor is configured to be coupled to a memory, read instructions in the memory, and implement the method according to any one of claims 7 to 10 according to the instructions.
  27. A computer-readable storage medium storing a computer program, wherein when the program is executed by a processor, the method according to any one of claims 1 to 3, the method according to any one of claims 4 to 6, or the method according to any one of claims 7 to 10 is implemented.
  28. A computer program product which, when executed on a computing device, implements the method according to any one of claims 1 to 3, the method according to any one of claims 4 to 6, or the method according to any one of claims 7 to 10.
PCT/CN2021/108022 2020-08-07 2021-07-23 User subscription data obtaining method and apparatus WO2022028259A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010790909.7 2020-08-07
CN202010790909.7A CN114071452B (en) 2020-08-07 2020-08-07 Method and device for acquiring user subscription data

Publications (1)

Publication Number Publication Date
WO2022028259A1 true WO2022028259A1 (en) 2022-02-10

Family

ID=80119902

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/108022 WO2022028259A1 (en) 2020-08-07 2021-07-23 User subscription data obtaining method and apparatus

Country Status (2)

Country Link
CN (1) CN114071452B (en)
WO (1) WO2022028259A1 (en)

CN110971641A (en) * 2018-09-30 2020-04-07 维沃移动通信有限公司 Network service control method and communication equipment
CN109492367A (en) * 2018-10-17 2019-03-19 平安国际融资租赁有限公司 Electronic contract signature processing method, device, computer equipment and storage medium
US20200245235A1 (en) * 2019-01-24 2020-07-30 Lg Electronics Inc. Method for selecting non-public network in wireless communication system and apparatus thereof
CN109919579A (en) * 2019-02-27 2019-06-21 上海棕榈电脑系统有限公司 Electronic document contracting method, device, storage medium and equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on enhanced support of non-public networks (Release 17)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 23.700-07, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V0.4.0, 19 June 2020 (2020-06-19), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , pages 1 - 159, XP051924076 *

Also Published As

Publication number Publication date
CN114071452B (en) 2023-04-04
CN114071452A (en) 2022-02-18

Similar Documents

Publication Publication Date Title
US11829774B2 (en) Machine-to-machine bootstrapping
WO2022028259A1 (en) User subscription data obtaining method and apparatus
US11451950B2 (en) Indirect registration method and apparatus
TWI388180B (en) Key generation in a communication system
WO2022057736A1 (en) Authorization method and device
JP7127689B2 (en) CORE NETWORK DEVICE, COMMUNICATION TERMINAL, AND COMMUNICATION METHOD
WO2021227866A1 (en) Network authentication method and apparatus, and system
CN108012264A (en) The scheme based on encrypted IMSI for 802.1x carriers hot spot and Wi-Fi call authorizations
Sun et al. Privacy-preserving device discovery and authentication scheme for D2D communication in 3GPP 5G HetNet
WO2019029531A1 (en) Method for triggering network authentication, and related device
TW202112101A (en) Key generation and terminal provisioning method and apparatus, and devices
CN113841366B (en) Communication method and device
US20220174497A1 (en) Communication Method And Apparatus
WO2022095047A1 (en) Wireless communication method, terminal device, and network device
WO2023179679A1 (en) Channel key-based encryption method and apparatus
EP4187953A1 (en) Communication method, apparatus and system
CN114978556A (en) Slice authentication method, device and system
CN115515130A (en) Method and device for generating session key
WO2021134344A1 (en) Method for controlling communication access, ap and communication device
US20240080666A1 (en) Wireless communication network authentication for a wireless user device that has a circuitry identifier
US20230276231A1 (en) Authentication Between Wireless Devices and Edge Servers
JP7131721B2 (en) AMF node and method
US20240251239A1 (en) Technologies for non-seamless wireless local area access offload
WO2023202631A1 (en) Subscription method and apparatus, and communication device, internet of things device and network element
JP2022074396A (en) Information processor, and information processing method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21854339

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21854339

Country of ref document: EP

Kind code of ref document: A1