WO2022088029A1 - Key acquisition method and communication device (密钥获取方法和通信装置) - Google Patents
Key acquisition method and communication device
- Publication number: WO2022088029A1 (PCT application PCT/CN2020/125224)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- terminal device
- network element
- identifier
- key
- remote
Classifications
All codes fall under H04 (Electric communication technique), in H04W (Wireless communication networks) and H04L (Transmission of digital information, e.g. telegraphic communication).
- H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/03: Protecting confidentiality, e.g. by encryption
  - H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    - H04W12/041: Key generation or derivation
    - H04W12/043: Key management using a trusted network node as an anchor
      - H04W12/0431: Key distribution or pre-distribution; Key agreement
  - H04W12/60: Context-dependent security
    - H04W12/69: Identity-dependent
      - H04W12/72: Subscriber identity
      - H04W12/75: Temporary identity
- H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    - H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
      - H04L9/0869: Generation of secret information involving random numbers or seeds
- H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L9/00)
  - H04L2209/42: Anonymization, e.g. involving pseudonyms
  - H04L2209/76: Proxy, i.e. using an intermediary entity to perform cryptographic operations
  - H04L2209/80: Wireless
    - H04L2209/805: Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
Definitions
- the present application relates to the field of communications, and in particular, to a key acquisition method and a communication device.
- D2D communication allows terminal devices to communicate with each other directly, and D2D links can share spectrum resources with cellular users under the control of the cellular network, which improves spectrum utilisation.
- a remote terminal device (Remote UE) can communicate with the assistance of a relay terminal device (Relay UE): a PC5 connection is established between the remote terminal device and the relay terminal device, the relay terminal device establishes a connection to the mobile network, and the remote terminal device reaches the mobile network and obtains service through the PC5 connection and the relay terminal device.
- a secure connection needs to be established between the remote terminal device and the relay terminal device, that is, the data transmitted between them must be confidentiality protected and/or integrity protected. Because this indirect communication connection is established dynamically and on demand, shared security information (such as keys) cannot be preconfigured between the remote terminal device and the relay terminal device, so the remote terminal device cannot establish a secure connection to the relay terminal device on the basis of preconfigured shared security information.
- Embodiments of the present application provide a key acquisition method and a communication device, which are used to share a key between a remote terminal device and a relay terminal device.
- a method for obtaining a key, including: a remote terminal device sends a first identifier and a relay service code to a relay terminal device, where the first identifier is the identifier of the remote terminal device corresponding to the relay service code, or the first identifier is an anonymous identifier of the remote terminal device; the remote terminal device generates a root key for communication between the remote terminal device and the relay terminal device according to a first shared key, the relay service code and at least one first freshness parameter, where the remote authentication service function (AUSF) network element is the authentication service function network element serving the remote terminal device, and the first shared key is the key shared by the remote terminal device and the remote authentication service function network element.
- that is, the remote terminal device sends a first identifier and a relay service code to the relay terminal device, where the first identifier is either the identifier of the remote terminal device corresponding to the relay service code or an anonymous identifier of the remote terminal device, and the remote terminal device generates the root key for communication between the remote terminal device and the relay terminal device from the first shared key, the relay service code and at least one first freshness parameter.
- the first identifier is used by the remote AUSF network element to determine the corresponding first shared key, or by the PKMF network element to determine the corresponding second shared key, where the second shared key is itself generated from the first shared key and/or the relay service code. The remote terminal device and the remote AUSF network element (or the PKMF network element) can therefore generate the root key for communication between the remote terminal device and the relay terminal device in the same way, so that a key is shared between the remote terminal device and the relay terminal device and the two can communicate securely.
- the first identifier is the subscription concealed identifier (SUCI) of the remote terminal device.
- in this way the subscription permanent identifier (SUPI) of the remote terminal device is not exposed during transmission over the air interface.
- the method further includes: acquiring the first identifier by the remote terminal device.
- acquiring the first identifier by the remote terminal device includes: sending the relay service code by the remote terminal device; and receiving the first identifier corresponding to the relay service code by the remote terminal device.
- the first identifier corresponding to the relay service code may be acquired from the remote AUSF network element.
- the method further includes: the remote terminal device generates a temporary identifier according to the first shared key and the relay service code; and the remote terminal device obtains the first identifier according to the temporary identifier.
- This embodiment discloses one way of generating the first identification.
- the remote terminal device generating the temporary identifier according to the first shared key and the relay service code includes: the remote terminal device generates the temporary identifier according to the first shared key, the relay service code and a second freshness parameter.
- This embodiment discloses a way of generating a temporary identification.
- acquiring the first identifier by the remote terminal device includes: the remote terminal device generates the first identifier according to the second freshness parameter, the routing indication and the home network identifier. This embodiment discloses one way of generating the first identification.
- the method further includes: the remote terminal device sends a relay service code; and the remote terminal device receives a second freshness parameter corresponding to the relay service code.
- the second freshness parameter may come from the remote AUSF network element and is used to generate the first identifier, and the second freshness parameter may be a random number generated by the remote AUSF network element or a value of a counter maintained locally by the remote AUSF network element.
- the second freshness parameter is the value of a counter maintained locally by the remote terminal device.
- when the remote terminal device and the remote AUSF network element each maintain such a counter locally, both use the same initial value and the same counting rule so that the two counter values stay consistent.
- the first identifier includes a routing indication and a home network identifier, which lets the PKMF network element locate the UDM network element or the remote AUSF network element from the routing indication and the home network identifier.
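The anonymous first identifier described in the embodiments above, as an added example that is not part of the patent: a temporary identifier is derived from the first shared key, the relay service code and a counter-valued second freshness parameter, and prefixed with the home network identifier and routing indication so the PKMF can route the lookup without learning the SUPI. HMAC-SHA256 stands in for the unspecified KDF; the label strings, the 16-byte truncation, the ':'-separated text layout, the function names and all sample values are constructed assumptions.

```python
import hashlib
import hmac


def kdf(key, *parts):
    """HMAC-SHA256 over length-prefixed inputs (assumed KDF; the patent names none)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class SyncedCounter:
    """Second freshness parameter as a locally kept counter: the remote UE and the
    remote AUSF start from the same initial value and apply the same counting rule."""

    def __init__(self, initial=0):
        self.value = initial

    def next(self):
        current = self.value
        self.value += 1
        return current


def temporary_identifier(k_ausf, relay_service_code, counter_value):
    """Temporary ID = KDF(K_AUSF, RSC, second freshness parameter), truncated to
    16 bytes (the truncation length is an assumption)."""
    return kdf(k_ausf, b"relay-temp-id", relay_service_code,
               counter_value.to_bytes(4, "big"))[:16]


def first_identifier(home_network_id, routing_indication, temp_id):
    """First identifier: home network ID and routing indication in the clear (so the
    PKMF can find the UDM / AUSF), temporary ID in place of the SUPI."""
    return f"{home_network_id}:{routing_indication}:{temp_id.hex()}"


def parse_first_identifier(identifier):
    """What a PKMF extracts from the identifier: where to route, plus an opaque ID."""
    home_network_id, routing_indication, temp_hex = identifier.split(":")
    return home_network_id, routing_indication, bytes.fromhex(temp_hex)


# Constructed sample data (not real subscriber or key material).
K_AUSF = hashlib.sha256(b"constructed K_AUSF for the example").digest()
RSC = b"RSC-0001"
SUPI = "imsi-460000123456789"
HOME_NETWORK_ID = "mcc460-mnc000"
ROUTING_INDICATION = "rid-17"


def demo():
    ue_counter, ausf_counter = SyncedCounter(initial=0), SyncedCounter(initial=0)

    # Remote UE builds the identifier it will send to the relay UE.
    ue_ident = first_identifier(HOME_NETWORK_ID, ROUTING_INDICATION,
                                temporary_identifier(K_AUSF, RSC, ue_counter.next()))

    # Remote AUSF derives the same identifier and records which SUPI it stands for,
    # so a later lookup (e.g. from the PKMF via the UDM) can be answered.
    ausf_ident = first_identifier(HOME_NETWORK_ID, ROUTING_INDICATION,
                                  temporary_identifier(K_AUSF, RSC, ausf_counter.next()))
    ausf_table = {ausf_ident: SUPI}

    # Advancing the counter yields an unlinkable identifier for the next use.
    next_ident = first_identifier(HOME_NETWORK_ID, ROUTING_INDICATION,
                                  temporary_identifier(K_AUSF, RSC, ue_counter.next()))
    return ue_ident, ausf_table, next_ident


if __name__ == "__main__":
    print(demo())
```

The counter must advance identically on both sides; if the UE's counter runs ahead (for example after a lost message), the AUSF will fail to reproduce the identifier, which is why the patent also allows the AUSF to supply the second freshness parameter to the UE instead.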
- the method further includes: the remote terminal device sends first verification information to the relay terminal device, where the first verification information is generated from a first temporary key and all or part of the information elements of the message carrying the first verification information, and the first temporary key is generated from the first shared key.
- the first verification information is intended to be forwarded to the remote AUSF network element.
- after receiving the first verification information, the remote AUSF network element generates third verification information in the same manner as the remote terminal device and compares the first verification information with the third verification information in order to verify the remote terminal device, that is, to verify whether the remote terminal device is authorized to access the network through the relay terminal device to obtain services.
- the first temporary key is generated from the first shared key together with at least one of the relay service code, a third freshness parameter, the second identifier of the remote terminal device and the first identifier, where the third freshness parameter is generated by the remote terminal device.
- the method further includes: the remote terminal device sends second verification information to the relay terminal device, where the second verification information is generated from the first freshness parameter, the relay service code and the first shared key.
- the second verification information is intended to be forwarded to the PKMF network element.
- after receiving the second verification information, the PKMF network element generates fourth verification information in the same manner as the remote terminal device and compares the second verification information with the fourth verification information in order to verify the remote terminal device, that is, to verify whether the remote terminal device is authorized to access the network through the relay terminal device to obtain services.
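Both verification paths above (first verification information checked by the remote AUSF, second verification information checked by the PKMF), as an added example that is not part of the patent. HMAC-SHA256 stands in for the unspecified KDF and MAC, sorted JSON is the assumed canonical encoding of the message information elements, tags are truncated to 16 bytes by assumption, and the function names and sample values are constructed. The first temporary key here is bound to the relay service code, the UE's third freshness parameter and the first identifier, which is one of the combinations the patent allows.

```python
import hashlib
import hmac
import json


def kdf(key, *parts):
    """HMAC-SHA256 over length-prefixed inputs (assumed KDF)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac(key, data):
    """Verification information as a truncated HMAC-SHA256 tag (assumed MAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def encode_ies(ies):
    """Canonical encoding of the information elements covered by the tag; both
    sides must serialise identically (assumed: sorted, compact JSON)."""
    return json.dumps(ies, sort_keys=True, separators=(",", ":")).encode()


def first_temporary_key(k_ausf, ies):
    """First temporary key = KDF(K_AUSF, RSC, third freshness parameter, first identifier)."""
    return kdf(k_ausf, b"relay-temp-key", ies["rsc"].encode(),
               bytes.fromhex(ies["nonce3"]), ies["first_id"].encode())


def ue_first_verification_info(k_ausf, ies):
    """Remote UE: tag over the message that carries the first verification information."""
    return mac(first_temporary_key(k_ausf, ies), encode_ies(ies))


def ausf_verify(k_ausf, ies, received_tag):
    """Remote AUSF: with K_AUSF looked up via the first identifier, recompute the
    'third verification information' and compare in constant time."""
    expected = mac(first_temporary_key(k_ausf, ies), encode_ies(ies))
    return hmac.compare_digest(expected, received_tag)


def ue_second_verification_info(k_ausf, rsc, nonce1):
    """Remote UE: second verification information from the first freshness
    parameter, the RSC and K_AUSF (through the RSC-bound second shared key)."""
    k2 = kdf(k_ausf, b"relay-second-shared-key", rsc)
    return mac(k2, nonce1)


def pkmf_verify(second_shared_key, nonce1, received_tag):
    """PKMF: holds only the second shared key; recompute the 'fourth verification
    information' and compare in constant time."""
    return hmac.compare_digest(mac(second_shared_key, nonce1), received_tag)


# Constructed sample values.
K_AUSF = hashlib.sha256(b"constructed K_AUSF for the example").digest()
MESSAGE_IES = {
    "first_id": "mcc460-mnc000:rid-17:0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "rsc": "RSC-0001",
    "nonce3": "a1b2c3d4e5f60718",  # third freshness parameter, chosen by the UE
    "nonce1": "0011223344556677",  # first random number (a first freshness parameter)
}


def demo():
    tag1 = ue_first_verification_info(K_AUSF, MESSAGE_IES)
    accepted = ausf_verify(K_AUSF, MESSAGE_IES, tag1)

    # A relay (or anyone on the path) that swaps the relay service code invalidates the tag.
    tampered = dict(MESSAGE_IES, rsc="RSC-0002")
    tampered_accepted = ausf_verify(K_AUSF, tampered, tag1)

    nonce1 = bytes.fromhex(MESSAGE_IES["nonce1"])
    rsc = MESSAGE_IES["rsc"].encode()
    tag2 = ue_second_verification_info(K_AUSF, rsc, nonce1)
    k2 = kdf(K_AUSF, b"relay-second-shared-key", rsc)  # what the AUSF hands the PKMF
    pkmf_accepted = pkmf_verify(k2, nonce1, tag2)
    other_nonce_accepted = pkmf_verify(k2, bytes.fromhex("ffffffffffffffff"), tag2)

    return {
        "ausf_accepts": accepted,
        "ausf_rejects_tampered": not tampered_accepted,
        "pkmf_accepts": pkmf_accepted,
        "pkmf_rejects_other_nonce": not other_nonce_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The relay UE forwards the tag without being able to compute or check it, since it holds neither K_AUSF nor the second shared key; authorization of the remote UE for relayed access is therefore decided by the network, not by the relay.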
- the at least one first freshness parameter includes a first random number, and the method further includes: the remote terminal device sends the first random number to the relay terminal device.
- the first random number is forwarded to the remote AUSF network element or the PKMF network element.
- the at least one first freshness parameter includes a second random number, and the method further includes: the remote terminal device receives the second random number from the relay terminal device.
- the second random number may originate from the remote AUSF network element or the PKMF network element.
- the at least one first freshness parameter is the value of a counter maintained locally by the remote terminal device.
- when the remote terminal device and the network element that generates the root key (the remote AUSF network element or the PKMF network element) each maintain such a counter locally, both use the same initial value and the same counting rule so that the two counter values stay consistent.
- the first shared key is the key Kausf (or another key derived from it) established with the remote authentication service function network element when the remote terminal device accessed the network.
- the remote terminal device generating the root key for communication between the remote terminal device and the relay terminal device according to the first shared key, the relay service code and at least one first freshness parameter includes: the remote terminal device generates a second shared key according to the first shared key and the relay service code, and generates the root key according to the second shared key and the at least one first freshness parameter, where the second shared key is the key shared by the remote terminal device and the proximity service key management function (PKMF) network element.
- the remote terminal device and the PKMF network element generate the root key in the same way.
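The two-step derivation of the remote-UE method above, as an added example that is not part of the patent: the remote UE and the remote AUSF both hold the first shared key K_AUSF and derive the RSC-bound second shared key and then the root key, while the PKMF holds only the second shared key and adds the freshness parameters. HMAC-SHA256 stands in for the unspecified KDF; the label strings, length-prefixed input encoding, function names and sample key and nonce values are constructed assumptions.

```python
import hashlib
import hmac


def kdf(key, *parts):
    """HMAC-SHA256 over length-prefixed inputs (assumed KDF; the patent fixes the
    inputs, not the function)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_second_shared_key(k_ausf, relay_service_code):
    """Second shared key: bound to the relay service code, shared by the remote UE
    and the PKMF, derived from K_AUSF by the remote UE and the remote AUSF."""
    return kdf(k_ausf, b"relay-second-shared-key", relay_service_code)


def derive_root_key(second_shared_key, freshness_params):
    """Root key for the remote UE <-> relay UE link: second shared key plus at least
    one first freshness parameter (random numbers and/or a synchronised counter)."""
    return kdf(second_shared_key, b"relay-root-key", *freshness_params)


def remote_ue_root_key(k_ausf, rsc, freshness_params):
    """Remote UE: holds K_AUSF and runs both derivation steps itself."""
    return derive_root_key(derive_second_shared_key(k_ausf, rsc), freshness_params)


def ausf_root_key(k_ausf, rsc, freshness_params):
    """Remote AUSF: also holds K_AUSF, so it can run the same two steps and hand the
    root key (or only the second shared key) to the PKMF."""
    return derive_root_key(derive_second_shared_key(k_ausf, rsc), freshness_params)


def pkmf_root_key(second_shared_key, freshness_params):
    """PKMF: never sees K_AUSF; it receives the second shared key from the AUSF and
    adds the freshness parameters."""
    return derive_root_key(second_shared_key, freshness_params)


# Constructed sample inputs (not real keys or codes).
K_AUSF = hashlib.sha256(b"constructed K_AUSF for the example").digest()
RSC = b"RSC-0001"
NONCE_UE = bytes.fromhex("0011223344556677")   # first random number, chosen by the UE
NONCE_NET = bytes.fromhex("8899aabbccddeeff")  # second random number, chosen by the network


def demo():
    freshness = [NONCE_UE, NONCE_NET]
    k_ue = remote_ue_root_key(K_AUSF, RSC, freshness)
    k_ausf_side = ausf_root_key(K_AUSF, RSC, freshness)
    k_pkmf_side = pkmf_root_key(derive_second_shared_key(K_AUSF, RSC), freshness)
    return {
        "all_sides_agree": k_ue == k_ausf_side == k_pkmf_side,
        # A different relay service code, or a fresh nonce on the next run,
        # yields an unrelated root key.
        "rsc_separates": remote_ue_root_key(K_AUSF, b"RSC-0002", freshness) != k_ue,
        "nonce_separates": remote_ue_root_key(K_AUSF, RSC, [NONCE_UE, bytes(8)]) != k_ue,
        "root_key_hex": k_ue.hex(),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the PKMF path is the one the second-shared-key embodiment describes: because the KDF is one-way, handing the PKMF only the RSC-bound second shared key keeps K_AUSF, and with it the keys for every other relay service code, out of the PKMF's reach.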
- a method for obtaining a key, including: a remote authentication service function network element obtains one of a first identifier or a second identifier of a remote terminal device, together with a relay service code, where the second identifier is the permanent identifier of the remote terminal device and the first identifier is the identifier of the remote terminal device corresponding to the relay service code; the remote authentication service function network element obtains the first shared key corresponding to the first identifier or the second identifier, the first shared key being the key shared by the remote terminal device and the remote authentication service function network element; the remote authentication service function network element generates a root key for communication between the remote terminal device and the relay terminal device according to the first shared key, the relay service code and at least one first freshness parameter; and the remote authentication service function network element sends the root key.
- that is, the remote AUSF network element acquires either the first identifier or the second identifier of the remote terminal device, plus the relay service code, where the second identifier is the permanent identifier of the remote terminal device and the first identifier is the identifier of the remote terminal device corresponding to the relay service code; the remote AUSF network element obtains the first shared key corresponding to that identifier (the key shared by the remote terminal device and the remote AUSF network element), generates the root key for communication between the remote terminal device and the relay terminal device from the first shared key, the relay service code and at least one first freshness parameter, and sends the root key.
- the first identifier is used by the remote AUSF network element to determine the corresponding first shared key, so that the remote terminal device and the remote AUSF network element generate the root key for communication between the remote terminal device and the relay terminal device in the same way, and a key is thereby shared between the remote terminal device and the relay terminal device.
- the remote authentication service function network element acquiring one of the first identifier or the second identifier of the remote terminal device includes: the remote authentication service function network element receives one of the first identifier or the second identifier of the remote terminal device.
- one of the first identifier or the second identifier of the remote terminal device may come from the remote terminal device or from a PKMF network element.
- the remote authentication service function network element acquiring one of the first identifier or the second identifier of the remote terminal device includes: the remote authentication service function network element generates a temporary identifier according to the first shared key and the relay service code, and generates the first identifier according to the temporary identifier.
- This embodiment discloses one way of generating the first identifier. After the first identifier is generated, it can be sent to the remote terminal device.
- the remote authentication service function network element generating the temporary identifier according to the first shared key and the relay service code includes: generating the temporary identifier according to the first shared key, the relay service code and the second freshness parameter.
- This embodiment discloses a way of generating a temporary identification.
- the remote authentication service function network element acquiring one of the first identifier or the second identifier of the remote terminal device includes: the remote authentication service function network element generates the first identifier according to the second freshness parameter, the routing indication and the home network identifier of the remote terminal device.
- This embodiment discloses one way of generating the first identification. After the first identifier is generated, it can be sent to the remote terminal device.
- the second freshness parameter is a value of a counter maintained locally by the remote authentication service function network element.
- when the remote AUSF network element and the remote terminal device each maintain such a counter locally, both use the same initial value and the same counting rule so that the two counter values stay consistent.
- the method further includes: the remote authentication service function network element receives the relay service code; and the remote authentication service function network element sends the second freshness parameter.
- the second freshness parameter may be sent to the remote terminal device for generating the first identifier, and the second freshness parameter may be a random number generated by the remote AUSF network element or a value of a counter maintained locally by the remote AUSF network element.
- the method further includes: the remote authentication service function network element receives the relay service code; and the remote authentication service function network element sends the first identifier.
- the relay service code comes from the remote terminal device, and the first identifier is used for sending to the remote terminal device.
- the first identifier includes a routing indication and a home network identifier, which lets the PKMF network element locate the UDM network element or the remote AUSF network element from the routing indication and the home network identifier.
- the method further includes: the remote authentication service function network element receives the first verification information; generates a first temporary key according to the first shared key; obtains third verification information from the first temporary key and all or part of the information elements of the message carrying the first verification information; and compares the first verification information with the third verification information to verify the remote terminal device, that is, to verify whether the remote terminal device is authorized to access the network through the relay terminal device to obtain services.
- the remote authentication service function network element generating the first temporary key according to the first shared key includes: the remote authentication service function network element generates the first temporary key according to the first shared key together with at least one of the relay service code, a third freshness parameter, the second identifier of the remote terminal device and the first identifier, where the third freshness parameter is generated by the remote terminal device.
- This embodiment discloses one way of generating the first temporary key.
- the at least one first freshness parameter includes a first random number, and the method further includes: the remote authentication service function network element receives the first random number.
- the first random number comes from the remote terminal device.
- the at least one first freshness parameter includes a second random number, and the method further includes: the remote authentication service function network element sends the second random number. The second random number is sent to the remote terminal device.
- the at least one first freshness parameter is the value of a counter maintained locally by the remote authentication service function network element.
- when the remote AUSF network element and the remote terminal device each maintain such a counter locally, both use the same initial value and the same counting rule so that the two counter values stay consistent.
- the method further includes: the remote authentication service function network element sends the first identifier to the unified data management (UDM) network element. This allows other network elements (e.g. the PKMF network element) to obtain the remote AUSF network element instance identifier and/or the SUPI of the remote terminal device from the UDM network element.
- the remote AUSF network element instance identifier is used to determine the remote AUSF network element serving the remote terminal equipment.
- the first shared key is the key Kausf (or another key derived from it) established with the remote authentication service function network element when the remote terminal device accessed the network.
- a method for obtaining a key, including: a proximity service key management function (PKMF) network element receives a first identifier and a relay service code of a remote terminal device, where the first identifier is the identifier of the remote terminal device corresponding to the relay service code, or the first identifier is an anonymous identifier of the remote terminal device; the PKMF network element obtains, according to the first identifier, the root key for communication between the remote terminal device and the relay terminal device, where the root key is generated from the first shared key, the relay service code and at least one first freshness parameter, and the first shared key is the key shared by the remote terminal device and the remote authentication service function network element; and the PKMF network element sends the root key.
- that is, the PKMF network element receives the first identifier and the relay service code of the remote terminal device (the first identifier being either the identifier of the remote terminal device corresponding to the relay service code or an anonymous identifier of the remote terminal device), obtains the root key for communication between the remote terminal device and the relay terminal device according to the first identifier, and sends the root key; the root key is generated from the first shared key, the relay service code and at least one first freshness parameter.
- the first identifier is used by the PKMF network element to determine the corresponding second shared key, so that the remote terminal device and the PKMF network element generate the root key for communication between the remote terminal device and the relay terminal device in the same way, and a key is thereby shared between the remote terminal device and the relay terminal device.
- the PKMF network element obtaining the root key for communication between the remote terminal device and the relay terminal device according to the first identifier includes: the PKMF network element sends the first identifier to the unified data management (UDM) function network element; the PKMF network element receives identification information of the remote authentication service function network element from the UDM function network element; the PKMF network element sends the first identifier to the remote authentication service function network element identified by that identification information; and the PKMF network element receives the root key from the remote authentication service function network element.
- the PKMF network element obtaining the root key for communication between the remote terminal device and the relay terminal device according to the first identifier includes: the PKMF network element sends the first identifier to the UDM function network element; the PKMF network element receives, from the UDM function network element, identification information of the remote authentication service function network element and the permanent identifier of the remote terminal device; the PKMF network element sends the permanent identifier of the remote terminal device to the remote authentication service function network element identified by that identification information; and the PKMF network element receives the root key from the remote authentication service function network element.
- This embodiment discloses a way for the PKMF network element to obtain the root key.
- the PKMF network element obtaining the root key for communication between the remote terminal device and the relay terminal device according to the first identifier includes: the PKMF network element receives at least one second shared key from the remote authentication service function network element, where the second shared key is the key shared by the remote terminal device and the PKMF network element and is generated from the first shared key and the relay service code; the PKMF network element then generates the root key for communication between the remote terminal device and the relay terminal device according to the second shared key corresponding to the first identifier and at least one first freshness parameter.
- This embodiment discloses another way for the PKMF network element to obtain the root key.
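The first of the PKMF embodiments above, in which the PKMF resolves the anonymous first identifier through the UDM and fetches the root key from the serving remote AUSF, as an added example that is not part of the patent. The UDM, AUSF and PKMF are modelled as in-process objects with constructed interfaces (the real network functions use service-based HTTP APIs not shown here); HMAC-SHA256 stands in for the unspecified KDF, and the instance identifier, SUPI, identifier string and key values are all constructed sample data.

```python
import hashlib
import hmac


def kdf(key, *parts):
    """HMAC-SHA256 over length-prefixed inputs (assumed KDF)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_root_key_from_kausf(k_ausf, rsc, freshness):
    """K_AUSF -> RSC-bound second shared key -> root key with the freshness parameters."""
    k2 = kdf(k_ausf, b"relay-second-shared-key", rsc)
    return kdf(k2, b"relay-root-key", *freshness)


class UDM:
    """Unified data management: maps the first identifier (registered by the remote
    AUSF that generated it) to the serving AUSF instance and the SUPI."""

    def __init__(self):
        self._records = {}

    def register(self, first_id, ausf_instance_id, supi):
        self._records[first_id] = (ausf_instance_id, supi)

    def resolve(self, first_id):
        if first_id not in self._records:
            raise KeyError("unknown first identifier")  # PKMF must stop here
        return self._records[first_id]


class RemoteAUSF:
    """Holds K_AUSF per SUPI and derives the root key on the PKMF's request, so
    K_AUSF itself never leaves the AUSF."""

    def __init__(self, instance_id):
        self.instance_id = instance_id
        self._k_ausf = {}

    def store_key(self, supi, k_ausf):
        self._k_ausf[supi] = k_ausf

    def get_root_key(self, supi, rsc, freshness):
        return derive_root_key_from_kausf(self._k_ausf[supi], rsc, freshness)


class PKMF:
    """Proximity service key management function (constructed model)."""

    def __init__(self, udm, ausf_instances):
        self.udm = udm
        self.ausf_instances = ausf_instances  # instance id -> RemoteAUSF

    def obtain_root_key(self, first_id, rsc, freshness):
        # Step 1: first identifier -> UDM -> (AUSF instance id, SUPI).
        ausf_instance_id, supi = self.udm.resolve(first_id)
        # Step 2: ask that AUSF for the root key; the PKMF never learns K_AUSF.
        ausf = self.ausf_instances[ausf_instance_id]
        return ausf.get_root_key(supi, rsc, freshness)


# Constructed sample data (not real subscriber or key material).
K_AUSF = hashlib.sha256(b"constructed K_AUSF for the example").digest()
SUPI = "imsi-460000123456789"
FIRST_ID = "mcc460-mnc000:rid-17:0f1e2d3c4b5a69788796a5b4c3d2e1f0"
RSC = b"RSC-0001"
FRESHNESS = [bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")]


def build_network():
    udm = UDM()
    ausf = RemoteAUSF("ausf-instance-7")
    ausf.store_key(SUPI, K_AUSF)
    udm.register(FIRST_ID, ausf.instance_id, SUPI)  # the AUSF registers the identifier it issued
    return PKMF(udm, {ausf.instance_id: ausf})


def demo():
    """True if the key the PKMF fetches equals the remote UE's own derivation."""
    pkmf = build_network()
    network_key = pkmf.obtain_root_key(FIRST_ID, RSC, FRESHNESS)
    ue_key = derive_root_key_from_kausf(K_AUSF, RSC, FRESHNESS)
    return network_key == ue_key


def unknown_identifier_rejected(pkmf, first_id):
    """True if the PKMF refuses to proceed for an identifier the UDM cannot resolve."""
    try:
        pkmf.obtain_root_key(first_id, RSC, FRESHNESS)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), unknown_identifier_rejected(build_network(), "mcc460-mnc000:rid-17:00"))
```

The routing indication and home network identifier inside the first identifier are what let a PKMF pick the right UDM in a real deployment; in this model there is a single UDM, so only the lookup itself is shown.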
- the method further includes: the adjacent service key management function network element receives the second verification information; the adjacent service key management function network element generates the fourth verification information according to the first freshness parameter and the second shared key. Verification information; the adjacent service key management function network element compares the second verification information and the fourth verification secret information to verify the remote terminal device. That is, it is verified whether the remote terminal device is authorized to access the network through the relay terminal device to obtain services.
- the at least one first freshness parameter includes a first random number, and further includes: receiving the first random number by an adjacent service key management function network element.
- the first random number comes from the remote terminal device.
- the at least one first freshness parameter includes a second random number, and the method further includes: the adjacent service key management function network element sends the second random number to the remote terminal device.
- the at least one first freshness parameter is the value of a counter maintained locally by the network element of the adjacent service key management function.
- the same initial value and counting rule are used to keep the values of the two counters consistent.
- the first shared key is the key Kausf (or another key generated by the key) negotiated with the remote authentication service function network element when the remote terminal device accesses the network.
- a communication device including a transceiver module and a processing module; the transceiver module is used to send a first identifier and a relay service code to a relay terminal device, where the first identifier is the identifier corresponding to the relay service code of the remote terminal device or the first identifier is the anonymous identifier of the remote terminal device; the processing module is configured to generate, according to the first shared key, the relay service code, and at least one first freshness parameter, the root key for the communication between the remote terminal device and the relay terminal device, where the remote authentication service function network element is the authentication service function network element serving the remote terminal device, and the first shared key is the key shared by the remote terminal device and the remote authentication service function network element.
- the first identifier is the SUCI of the remote terminal device.
- the processing module and the transceiver module are further configured to acquire the first identifier.
- the transceiver module is further configured to send a relay service code; and receive a first identifier corresponding to the relay service code.
- the processing module is further configured to generate a temporary identification according to the first shared key and the relay service code; and obtain the first identification according to the temporary identification.
- the processing module is further configured to generate a temporary identifier according to the first shared key, the relay service code and the second freshness parameter.
- the processing module is further configured to generate the first identifier according to the second freshness parameter, the routing indication and the home network identifier.
- the transceiver module is further configured to send a relay service code; and receive a second freshness parameter corresponding to the relay service code.
- the second freshness parameter is the value of a counter maintained locally by the remote terminal device.
- the first identifier includes a routing indication and a home network identifier.
- the transceiver module is further configured to send first verification information to the relay terminal device, where the first verification information is generated from the first temporary key and all or part of the information elements of the message carrying the first verification information, and the first temporary key is generated from the first shared key.
- the first temporary key is generated from the first shared key and at least one of the relay service code, the third freshness parameter, the second identifier of the remote terminal device, and the first identifier, where the third freshness parameter is generated by the remote terminal device.
- the transceiver module is further configured to send second verification information to the relay terminal device, where the second verification information is generated from the first freshness parameter, the relay service code and the first shared key.
- the at least one first freshness parameter includes a first random number
- the transceiver module is further configured to send the first random number to the relay terminal device.
- the first random number is sent to the remote AUSF network element or the PKMF network element.
- the at least one first freshness parameter includes a second random number
- the transceiver module is further configured to receive the second random number from the relay terminal device.
- the second random number may come from a remote AUSF network element or a PKMF network element.
- the at least one first freshness parameter is the value of a counter maintained locally by the remote terminal device.
- the first shared key is the key Kausf negotiated with the remote authentication service function network element when the remote terminal device accesses the network.
- the processing module is further configured to generate a second shared key according to the first shared key and the relay service code, and generate a root key according to the second shared key and the at least one first freshness parameter
- the second shared key is the key shared by the remote terminal device and the adjacent service key management function network element.
- a communication device comprising a transceiver module and a processing module; the processing module is used to obtain one of a first identifier or a second identifier of a remote terminal device, and a relay service code, where the second identifier is the permanent identity identifier of the remote terminal device and the first identifier is the identifier corresponding to the relay service code of the remote terminal device; the processing module is further configured to obtain the first shared key corresponding to the first identifier or the second identifier, where the first shared key is a key shared by the remote terminal device and the remote authentication service function network element, and to generate, according to the first shared key, the relay service code, and at least one first freshness parameter, the root key for communication between the remote terminal device and the relay terminal device; the transceiver module is used for sending the root key.
- the transceiver module is further configured to receive one of the first identifier or the second identifier of the remote terminal device.
- the processing module is further configured to generate a temporary identifier according to the first shared key and the relay service code; the remote authentication service function network element generates the first identifier according to the temporary identifier.
- the processing module is further configured to generate a temporary identifier according to the first shared key, the relay service code and the second freshness parameter.
- the processing module is further configured to generate the first identifier according to the second freshness parameter, the routing indication and the home network identifier of the remote terminal device.
- the second freshness parameter is a value of a counter maintained locally by the remote authentication service function network element.
- the transceiver module is further configured to receive the relay service code and send the second freshness parameter.
- the transceiver module is further configured to receive the relay service code; and send the first identifier.
- the first identifier includes a routing indication and a home network identifier.
- the transceiver module is further configured to receive the first verification information; the processing module is further configured to generate a first temporary key according to the first shared key, to generate third verification information according to the first temporary key and all or part of the information elements of the message carrying the first verification information, and to compare the first verification information and the third verification information to verify the remote terminal device.
- the processing module is further configured to generate the first temporary key according to the first shared key and at least one of the relay service code, the third freshness parameter, the second identifier, and the first identifier of the remote terminal device, where the third freshness parameter is generated by the remote terminal device.
- the at least one first freshness parameter includes a first random number
- the transceiver module is further configured to receive the first random number
- the at least one first freshness parameter includes a second random number
- the transceiver module is further configured to send the second random number
- the at least one first freshness parameter is the value of a counter maintained locally by the remote authentication service function network element.
- the transceiver module is further configured to send the first identifier to the unified data management network element.
- the first shared key is the key Kausf negotiated with the remote authentication service function network element when the remote terminal device accesses the network.
- a communication device including a transceiver module and a processing module; the transceiver module is used to receive a first identifier and a relay service code of a remote terminal device, where the first identifier is the identifier corresponding to the relay service code of the remote terminal device or the first identifier is the anonymous identifier of the remote terminal device; the processing module is used to obtain, according to the first identifier, the root key for the communication between the remote terminal device and the relay terminal device, where the root key is generated from the first shared key, the relay service code, and at least one first freshness parameter, and the first shared key is the key shared by the remote terminal device and the remote authentication service function network element; the transceiver module is also used for sending the root key.
- the transceiver module is further configured to send the first identifier to the unified data management function network element; receive identification information of the remote authentication service function network element from the unified data management function network element; send the first identifier to the corresponding remote authentication service function network element according to the identification information; and receive the root key from the remote authentication service function network element.
- the transceiver module is further configured to send the first identifier to the unified data management function network element; receive the identification information of the remote authentication service function network element and the permanent identity identifier of the remote terminal device from the unified data management function network element; send the permanent identity identifier of the remote terminal device to the corresponding remote authentication service function network element according to the identification information; and receive the root key from the remote authentication service function network element.
- the transceiver module is further configured to receive at least one second shared key from the remote authentication service function network element, where the second shared key is the key shared by the remote terminal device and the adjacent service key management function network element and is generated from the first shared key and the relay service code; the processing module is further configured to generate the root key for communication between the remote terminal device and the relay terminal device according to the second shared key corresponding to the first identifier and at least one first freshness parameter.
- the transceiver module is further configured to receive second verification information; the processing module is further configured to generate fourth verification information according to the first freshness parameter and the second shared key, and to compare the second verification information and the fourth verification information to verify the remote terminal device.
- the at least one first freshness parameter includes a first random number
- the transceiver module is further configured to receive the first random number
- the at least one first freshness parameter includes a second random number
- the transceiver module is further configured to send the second random number
- the at least one first freshness parameter is the value of a counter maintained locally by the network element of the adjacent service key management function.
- the first shared key is the key Kausf negotiated with the remote authentication service function network element when the remote terminal device accesses the network.
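The key hierarchy that the claims above describe (the second shared key from Kausf and the relay service code, the root key from the second shared key and the first freshness parameters, the second and fourth verification information compared by the PKMF, and the counter-based temporary and first identifiers resolved by the remote AUSF) as an added worked example. It is not part of the patent and not any project's code. The patent fixes no KDF, field layout or counter policy, so HMAC-SHA256 as the KDF, the labels, the 2 + 3 + 4 + 8 byte layout of the first identifier, the message dictionary format, and the rule that the AUSF accepts only a counter greater than the last one it saw are all assumptions of this example; the Kausf, RSC, routing indication and home network identifier values are constructed.

```python
import hashlib
import hmac
import secrets

def kdf(key, label, *parts):
    # Assumed KDF: HMAC-SHA256 over a label and length-prefixed inputs; the patent fixes no KDF.
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def second_shared_key(kausf, rsc):
    return kdf(kausf, b"K2", rsc)                   # K2: shared by remote UE and PKMF, from Kausf and the RSC

def root_key(k2, nonce_ue, nonce_net):
    return kdf(k2, b"ROOT", nonce_ue, nonce_net)    # K2 plus both first freshness parameters

def temp_identifier(kausf, rsc, counter):
    # temporary identifier from Kausf, the RSC and the second freshness parameter (a counter)
    return kdf(kausf, b"TID", rsc, counter.to_bytes(4, "big"))[:8]

def first_identifier(routing_ind, hn_id, counter, temp_id):
    # anonymous first identifier; the 2 + 3 + 4 + 8 byte layout is an assumption of this example
    return routing_ind + hn_id + counter.to_bytes(4, "big") + temp_id

def verification_info(k2, nonce_ue, rsc):
    # second verification information (UE side) / fourth verification information (PKMF side)
    return kdf(k2, b"VERIFY", nonce_ue, rsc)[:16]

class RemoteUE:
    def __init__(self, kausf, rsc, routing_ind, hn_id):
        self.kausf, self.rsc, self.routing_ind, self.hn_id = kausf, rsc, routing_ind, hn_id
        self.counter = 0          # second freshness parameter, kept in step with the AUSF's copy
        self.nonce_ue = b""

    def key_request(self):
        # constructed message format: what the remote UE sends toward the PKMF via the relay UE
        self.counter += 1
        tid = temp_identifier(self.kausf, self.rsc, self.counter)
        fid = first_identifier(self.routing_ind, self.hn_id, self.counter, tid)
        self.nonce_ue = secrets.token_bytes(16)          # first random number
        k2 = second_shared_key(self.kausf, self.rsc)
        return {"first_id": fid, "rsc": self.rsc, "nonce_ue": self.nonce_ue,
                "verif": verification_info(k2, self.nonce_ue, self.rsc)}

    def derive_root_key(self, nonce_net):
        return root_key(second_shared_key(self.kausf, self.rsc), self.nonce_ue, nonce_net)

class RemoteAUSF:
    def __init__(self):
        self.subs = {}            # supi -> {"kausf": bytes, "last": {rsc: last accepted counter}}

    def register(self, supi, kausf):
        self.subs[supi] = {"kausf": kausf, "last": {}}

    def resolve(self, first_id, rsc):
        # rebuild the temporary identifier for each subscriber; return K2 on a fresh match, else None
        counter = int.from_bytes(first_id[5:9], "big")
        tid = first_id[9:]
        for rec in self.subs.values():
            if counter <= rec["last"].get(rsc, 0):
                continue          # stale or replayed counter (acceptance rule is an assumption)
            if hmac.compare_digest(temp_identifier(rec["kausf"], rsc, counter), tid):
                rec["last"][rsc] = counter
                return second_shared_key(rec["kausf"], rsc)
        return None

class PKMF:
    def __init__(self, ausf):
        self.ausf = ausf

    def handle(self, req):
        # returns (root_key, nonce_net), or None when the remote UE is not verified
        k2 = self.ausf.resolve(req["first_id"], req["rsc"])
        if k2 is None:
            return None
        fourth = verification_info(k2, req["nonce_ue"], req["rsc"])
        if not hmac.compare_digest(fourth, req["verif"]):
            return None
        nonce_net = secrets.token_bytes(16)              # second random number, returned to the UE
        return root_key(k2, req["nonce_ue"], nonce_net), nonce_net

def run_exchange():
    # one successful exchange, then a replayed and a forged request; all values are constructed
    kausf = hashlib.sha256(b"constructed Kausf for the example").digest()
    ausf = RemoteAUSF()
    ausf.register("supi-example", kausf)
    ue = RemoteUE(kausf, b"RSC-1", b"\x00\x01", b"\x46\x00\x01")
    pkmf = PKMF(ausf)
    req = ue.key_request()
    k_net, nonce_net = pkmf.handle(req)
    k_ue = ue.derive_root_key(nonce_net)
    replay = pkmf.handle(req)                            # same first identifier presented again
    bad = ue.key_request()
    bad["verif"] = bytes(16)                             # forged verification information
    forged = pkmf.handle(bad)
    later = pkmf.handle(ue.key_request())                # the next counter value is accepted again
    return {"keys_match": k_net == k_ue, "replay_rejected": replay is None,
            "forgery_rejected": forged is None, "fresh_accepted": later is not None}
```

Two properties of the claims are visible in `run_exchange()`: the relay UE never sees Kausf or K2, only the root key the PKMF hands it, and because the first identifier carries a counter both sides keep in step, a captured identifier presented a second time resolves to nothing. Note that `resolve` consumes a counter value even when the verification information later fails to match; whether to do that or roll the counter back is a design decision the page leaves open.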
- a communication device comprising a processor, the processor is connected to a memory, the memory is used for storing a computer program, and the processor is used for executing the computer program stored in the memory, so that the communication device performs the method of the first aspect and any one of the embodiments thereof.
- a communication device comprising a processor, the processor is connected to a memory, the memory is used for storing a computer program, and the processor is used for executing the computer program stored in the memory, so that the communication device performs the method of the second aspect and any one of the embodiments thereof.
- a communication device comprising a processor, the processor is connected to a memory, the memory is used for storing a computer program, and the processor is used for executing the computer program stored in the memory, so that the communication device performs the method of the third aspect and any one of the embodiments thereof.
- a computer-readable storage medium is provided, and a computer program is stored in the computer-readable storage medium, which, when executed on a computer, causes the computer to execute the method of the first aspect and any one of the embodiments thereof.
- a computer-readable storage medium is provided, and a computer program is stored in the computer-readable storage medium, which, when executed on a computer, causes the computer to execute the method of the second aspect and any one of the embodiments thereof.
- a twelfth aspect provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, which, when executed on a computer, causes the computer to execute the method of the third aspect and any one of the embodiments thereof.
- a thirteenth aspect provides a computer program product comprising instructions which, when run on a computer or processor, cause the computer or processor to perform the method of the first aspect and any one of the embodiments.
- a fourteenth aspect provides a computer program product comprising instructions which, when executed on a computer or processor, cause the computer or processor to perform the method of the second aspect and any one of the embodiments thereof.
- a fifteenth aspect provides a computer program product comprising instructions that, when executed on a computer or processor, cause the computer or processor to perform the method of the third aspect and any one of the embodiments thereof.
- a sixteenth aspect provides a communication system, including the communication device according to the fourth aspect and any embodiment thereof, the communication device according to the fifth aspect and any embodiment thereof, and the communication device according to the sixth aspect and any embodiment thereof; or, including the communication device according to the seventh aspect, the communication device according to the eighth aspect and any embodiment thereof, and the communication device according to the ninth aspect and any embodiment thereof.
- FIG. 1 is a schematic diagram of the architecture of a communication system provided by an embodiment of the present application.
- FIG. 2 is a first schematic flowchart of a method for obtaining a key provided by an embodiment of the present application.
- FIG. 3 is a second schematic flowchart of a method for obtaining a key provided by an embodiment of the present application.
- FIG. 4 is a third schematic flowchart of a method for obtaining a key provided by an embodiment of the present application.
- FIG. 5 is a fourth schematic flowchart of a method for obtaining a key provided by an embodiment of the present application.
- FIG. 6 is a fifth schematic flowchart of a method for obtaining a key provided by an embodiment of the present application.
- FIG. 7 is a sixth schematic flowchart of a method for obtaining a key provided by an embodiment of the present application.
- FIG. 8 is a seventh schematic flowchart of a method for obtaining a key provided by an embodiment of the present application.
- FIG. 9 is an eighth schematic flowchart of a method for obtaining a key provided by an embodiment of the present application.
- FIG. 10 is a ninth schematic flowchart of a method for obtaining a key provided by an embodiment of the present application.
- FIG. 11 is a tenth schematic flowchart of a method for obtaining a key provided by an embodiment of the present application.
- FIG. 12 is a first schematic structural diagram of a communication device according to an embodiment of the present application.
- FIG. 13 is a second schematic structural diagram of a communication device according to an embodiment of the present application.
- FIG. 14 is a third schematic structural diagram of a communication device according to an embodiment of the present application.
- FIG. 15 is a fourth schematic structural diagram of a communication device according to an embodiment of the present application.
- FIG. 16 is a fifth schematic structural diagram of a communication device provided by an embodiment of the present application.
- FIG. 17 is a sixth schematic structural diagram of a communication device according to an embodiment of the present application.
- the network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application.
- with the evolution of the network architecture and the emergence of new service scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
- TDD time division duplexing
- FDD frequency division duplexing
- Figure 1 provides a 5G communication system architecture, including an access network and a core network.
- the access network is used to implement functions related to wireless access, and the access network includes a 3GPP access network and a non-3GPP access network.
- the communication system includes: a terminal device 101, a (radio) access network ((R)AN) network element 102, a user plane function (UPF) network element 103, a data network (DN) 104, an access and mobility management function (AMF) network element 105, a session management function (SMF) network element 106, a policy control function (PCF) network element 107, a unified data management (UDM) network element 108, an application function (AF) network element 109, an authentication server function (AUSF) network element 110, a network slice selection function (NSSF) network element 111, a network exposure function (NEF) network element 112, a network function repository function (NRF) network element 113, a network slice-specific authentication and authorization function (NSSAAF) network element 114, and a service communication proxy (SCP) network element 115.
- the name of the interface between each network element in FIG. 1 is just an example, and the name of the interface may be other names in specific implementation, which is not limited.
- the interface between the terminal device 101 and the AMF network element 105 may be the N1 interface
- the interface between the (R)AN network element 102 and the AMF network element 105 may be the N2 interface
- the interface between the (R)AN network element 102 and the UPF network element 103 may be the N3 interface
- the interface between the UPF network element 103 and the SMF network element 106 may be the N4 interface
- the interface between the UPF network element 103 and the DN 104 may be the N6 interface.
- the terminal device 101 may include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to a wireless modem; it may also include a subscriber unit, cellular phone, smart phone, wireless data card, personal digital assistant (PDA) computer, tablet computer, wireless modem, handheld device, laptop computer, cordless phone or wireless local loop (WLL) station, machine type communication (MTC) terminal, user equipment (UE), mobile station (MS), terminal device or relay user equipment, etc.
- the relay user equipment may be a 5G home gateway (residential gateway, RG).
- the devices mentioned above may be collectively referred to as terminal devices.
- a remote terminal device may access the 3GPP network through a relay terminal device (relay UE), and perform indirect communication with the network device and the application server.
- the (R)AN network element 102 is a device that provides wireless access for the terminal device 101, including a RAN network element and an AN network element, where the RAN network element is mainly a 3GPP wireless network device and the AN network element may be a non-3GPP access network device.
- This application takes the RAN network element as an example, but it is not intended to be limited to this.
- the RAN network element is mainly responsible for functions such as radio resource management, quality of service (QoS) management, data compression and encryption on the air interface side. It may include various forms of base stations, such as: macro base stations, micro base stations (also referred to as small cells), relay stations, access points, and the like. In systems using different radio access technologies, the names of devices with base station functions may be different.
- For example, in a long term evolution (LTE) system it is called an evolved NodeB (eNB or eNodeB); in a 3rd generation (3G) communication system it is called a Node B, etc.
- the AN network element allows the terminal device and the 3GPP core network to interconnect and intercommunicate using non-3GPP technology, where the non-3GPP technology includes, for example, Wireless Fidelity (Wi-Fi), worldwide interoperability for microwave access (WiMAX), code division multiple access (CDMA) networks, etc.
- the UPF network element 103 is mainly responsible for processing user packets, such as forwarding and charging.
- the user data can be received from the data network and transmitted to the terminal equipment through the RAN network element; the UPF network element can also receive user data from the terminal equipment through the RAN network element and forward it to the DN.
- the transmission resources and scheduling functions that provide services for terminal equipment in the UPF network element are managed and controlled by the SMF network element.
- DN 104 refers to a network that provides data transmission services for users, such as IP multimedia services (IP multi-media service, IMS), the Internet (Internet), and the like.
- the terminal device 101 accesses the DN 104 by establishing a protocol data unit (PDU) session between the terminal device 101, the RAN network element 102, the UPF network element 103, and the DN 104.
- the path of the user plane is: the terminal device to the (R)AN network element, to the UPF network element, and then to the DN.
- the AMF network element 105 is mainly responsible for mobility management in the mobile network, such as user location update, user registration in the network, user handover, and the like.
- the SMF network element 106 is mainly responsible for session management in the mobile network, such as session establishment, modification, and release.
- specific functions include: assigning IP addresses to users, selecting UPF network elements that provide packet forwarding functions, and the like.
- the PCF network element 107 provides a unified policy framework to control network behavior, and provides policy rules to control-plane network functions, such as QoS policies, slice selection policies, and the like. At the same time, it is responsible for obtaining the user subscription information related to policy decisions.
- the UDM network element 108 is used for generating authentication credentials, user identification processing (such as storing and managing the user permanent identity), access authorization control, subscription data management, and the like.
- the AF network element 109 may also be called a server, and is responsible for interacting with the 3GPP core network to provide services, such as influencing data routing decisions, policy control functions, or providing some services of a third party to the network side.
- the AUSF network element 110 is used to authenticate and authorize users.
- the NSSF network element 111 is used to centrally manage the slicing function.
- the NEF network element 112 is responsible for the isolation of internal and external networks, and is used to support the exposure of capabilities and events, including monitoring capabilities, policy/charging capabilities, and analysis and reporting capabilities.
- the NRF network element 113 is responsible for maintaining the descriptions of the available network function instances and the services they support, so that other network function network elements can perform service discovery or network function discovery.
- the NSSAAF network element 114 is used to support network slice-specific authentication and authorization procedures, and can communicate with an authentication, authorization and accounting (AAA) server or an AAA proxy.
- the SCP network element 115 is used for supporting indirect communication, proxy discovery, sending routing messages to the target network function network element or the next hop SCP, and the like.
- DDNMF 5G direct discovery name management function
- the indirect communication connection establishment process based on layer 3 (for IP-type PDU sessions, the relay terminal device forwards data based on the IP address) includes:
- the remote terminal device and the relay terminal device are respectively registered to the network, and obtain authorization information from the network side.
- the obtained authorization information includes:
- Indication information used to indicate whether to authorize access to the 5GC through the relay terminal device.
- Parameters used for ProSe Relay Discovery, which enable the establishment of a connection with a relay terminal device, including, for example, the relay service code and PDU session parameters (such as the data network name (DNN), single network slice selection assistance information (S-NSSAI), access type preference, PDU session type, and session and service continuity mode).
- the authorization information obtained by the relay terminal device includes:
- PLMN public land mobile network
- Parameters used for ProSe Relay Discovery, including: indication information used to indicate authorization as a relay between the UE and the network (UE-to-Network relay); the relay service code; and PDU session parameters (e.g. DNN, S-NSSAI, access type preference, PDU session type, and session and service continuity mode).
- the relay terminal device establishes a PDU session.
- the session can be a PDU session dedicated to serving remote terminal devices; for an IP-type PDU session, the SMF network element on the network side assigns an IP address (which can be an IPv4 address or an IPv6 prefix, etc.) to the PDU session, and the relay terminal device uses this PDU session to transmit data for remote terminal devices.
- This step is optional.
- the remote terminal device discovers the relay terminal device through the relay discovery process.
- the remote terminal device establishes a PC5 communication link with the relay terminal device.
- if the PDU session established by the relay terminal device cannot meet the session requirements of the remote terminal device (such as DNN, S-NSSAI, etc.), the relay terminal device establishes a new PDU session for the remote terminal device, and that PDU session is used for data transmission between the remote terminal device and the application server. Or, if the relay terminal device has not established a PDU session for transmitting the service of the remote terminal device, a new PDU session is established, and that PDU session is used for data transmission between the remote terminal device and the application server.
- the relay terminal device allocates an IP address for PC5 communication to the remote terminal device.
- the relay terminal device sends the ID and IP information (IP info) of the remote terminal device to the AMF network element and the SMF network element.
- the IP information is an address allocated by the relay terminal device to the remote terminal device for network-side communication.
- This step may be performed through a PDU session modification procedure.
- if the IP address assigned by the SMF network element to the relay terminal device is an IPv4 address, the IP information is expressed as a specific port number (TCP/UDP port), which means that the relay terminal device uses the IPv4 address together with that port number to transmit the data of the remote terminal device.
- if the IP address assigned is an IPv6 prefix, the IP information is represented as a longer IPv6 prefix, which means that the relay terminal device uses the longer IPv6 prefix to transmit the data of the remote terminal device.
- the relay terminal device forwards the uplink and downlink data of the remote terminal device according to the IP address.
- the IP address used by the remote terminal device on the PC5 communication link is IP3, the IP address corresponding to the PDU session of the relay terminal device is IP1, and the IP information (IP info) allocated by the relay terminal device to the remote terminal device is IP1-1. Then the remote terminal device transmits data to the server using IP3, the server transmits data to the remote terminal device using IP1-1, and the relay terminal device needs to bind the association between IP3 and IP1-1.
- the relay terminal device receives the IP1-1 data packet from the UPF network element, learns that the data belongs to the remote terminal, and then modifies the IP address to IP3, and sends it to the remote terminal device through the PC5 link.
- For uplink data, the relay terminal device modifies the IP address to IP1-1, sends the data to the UPF network element through the PDU session, and the UPF network element then sends it to the server.
- A secure connection needs to be established between the remote terminal device and the relay terminal device, that is, the data transmitted between the remote terminal device and the relay terminal device is encrypted and/or integrity protected. Since the indirect communication connection is dynamically established on demand, shared security information (such as a key) cannot be preconfigured between the remote terminal device and the relay terminal device, and therefore a secure connection between them cannot be established on the basis of preconfigured shared security information. Therefore, it is necessary to dynamically establish shared security information (eg keys) between the remote terminal equipment and the relay terminal equipment.
- An embodiment of the present application provides a method for obtaining a key, as shown in FIG. 3 , including:
- the remote terminal device accesses the 3GPP network and obtains the relay discovery and key material; the relay terminal device accesses the 3GPP network and obtains the discovery and key material.
- the remote terminal device sends a key request to the AUSF network element through the AMF network element.
- the key request includes the remote access indication of the adjacent service, the 5G Globally Unique Temporary Identity (GUTI) or the User Concealed Identifier (SUCI).
- the AUSF network element sends an authentication request to the UDM network element.
- the authentication request includes the remote access indication of the proximity service, 5G-GUTI or SUCI.
- the UDM network element sends an authentication response to the AUSF network element.
- the authentication response includes the user's subscription permanent identifier (SUPI).
- the AUSF network element generates a root key (REAR Key) using the latest key (Kausf) shared between the remote terminal device and the AUSF network element.
- the AUSF network element sends a key response to the remote terminal device.
- the key response includes the root key and the identifier of the relay terminal device.
- the remote terminal device discovers the relay terminal device.
- the remote terminal device sends a direct communication request to the relay terminal device.
- the direct communication request includes the relay service code, 5G-GUTI and message authentication code (MAC).
- the relay terminal device sends a key request to the AUSF network element.
- the key request includes the relay service code, 5G-GUTI and MAC.
- the AUSF network element performs authentication and authorization checking.
- After authorization, the AUSF network element generates the key KNR_ProSe of the remote terminal device.
- KNR_ProSe = KDF(root key (REAR key), 5G-GUTI, relay service code or service identifier, freshness parameter, other possible parameters), where KDF is a key derivation function.
- the AUSF network element sends a key response to the relay terminal device.
- the key response includes KNR_ProSe and freshness parameters.
- the relay terminal device sends a direct security mode command to the remote terminal device.
- the direct security mode command includes the freshness parameter used to generate KNR_ProSe.
- the remote terminal device generates the key K NR_ProSe according to the direct security mode command.
- the remote terminal device sends a direct security mode command completion message to the relay terminal device according to the direct security mode command.
- In this solution, the identifier of the relay terminal device is used in the key derivation process. However, since there may be one or more terminal devices that can provide relay services, the network cannot know the identifier of the relay terminal device that will actually serve the remote terminal device before the remote terminal device discovers it, so the corresponding key cannot be derived. In addition, it is not defined how the AUSF network element that derives the key is determined, nor how the relay terminal device discovers the AUSF network element that derived the key for the remote terminal device. If the relay terminal device arbitrarily selects an AUSF network element, and that AUSF network element does not store the key obtained by the remote terminal device, the MAC generated by the remote terminal device cannot be verified.
- the embodiment of the present application provides a method for obtaining a key, as shown in FIG. 4 , including:
- the remote terminal equipment interacts with the proximity service (ProSe) function network element to obtain the relay discovery parameters and the address of the proximity service key management function (ProSe key management function, PKMF) network element.
- the remote terminal device obtains the discovery key material from the relay's PKMF network element.
- the relay terminal equipment interacts with the Proximity Service (ProSe) function network element to obtain the relay discovery parameters and the address of the PKMF network element.
- the relay terminal device obtains the discovery key material from the PKMF network element.
- the remote terminal device sends a key request to the PKMF network element.
- the key request includes indication information for requesting the relay communication key.
- the PKMF network element sends a response message to the remote terminal device, and the response message includes the PRUK and the corresponding PRUK ID.
- the remote terminal device discovers the relay terminal device.
- the remote terminal device sends a direct communication request to the relay terminal device.
- the direct communication request includes one of a PRUK ID or an international mobile subscriber identity (IMSI), and a relay service code.
- the relay terminal device sends a key request to the PKMF network element.
- the key request includes one of PRUK ID or IMSI, relay service code and first random number.
- the PKMF network element identifies the terminal device according to the PRUK ID or IMSI, and performs authorization check.
- the PKMF network element determines whether the remote terminal device needs a new PRUK. If so, the PKMF network element interacts with the home subscriber server (HSS) network element to obtain the user's GBA push information (generic bootstrapping architecture (GBA) push information, GPI) or an authentication vector.
- the PKMF network element sends a key response to the relay terminal device.
- the key response includes the key Kd, the random number for generating the key Kd, the GPI, and the identifier of the remote terminal device.
- the relay terminal device sends a direct security mode command to the remote terminal device.
- the direct security mode command includes the random number used to generate the key Kd and the GPI.
- the remote terminal device sends the direct security mode completion to the relay terminal device.
- This solution is based on the 4G communication system, and the key derivation is based on the GBA mechanism.
- 5G does not support the GBA mechanism.
- the remote terminal device may use the user's permanent identity identifier (ie, IMSI) when communicating with the relay terminal device, which may cause the user's privacy to be leaked.
- the embodiment of the present application provides another key acquisition method.
- the remote terminal device and the relay terminal device can establish a communication root key.
- the relay terminal device can obtain the root key for establishing the security of the PC5 interface under the condition of ensuring user privacy.
- the remote AUSF network element refers to the AUSF network element serving the remote terminal equipment, and the remote AUSF network element stores a key shared with the remote terminal equipment.
- the relay AUSF network element refers to the AUSF network element serving the relay terminal equipment.
- the remote AMF network element refers to the AMF network element serving the remote terminal equipment, and the relay AMF network element refers to the AMF network element serving the relay terminal equipment.
- the remote PCF network element refers to the PCF network element serving the remote terminal equipment, and the relay PCF network element refers to the PCF network element serving the relay terminal equipment.
- the remote NRF network element refers to the NRF network element that serves the remote terminal equipment.
- the remote UDM network element refers to the UDM network element that serves the remote terminal equipment.
- Generating a certain identifier, a certain key or certain verification information according to parameter A refers to inputting parameter A into a certain algorithm (such as a key derivation function (KDF))
- PKMF network element is a new functional module, which can be deployed independently or co-located with other functional network elements.
- the PKMF network element is used to manage the security information of adjacent services, such as obtaining the shared key between the remote terminal device and the relay terminal device, and performing functions such as authorization checking.
- the key acquisition method on the terminal side includes:
- the remote terminal device sends the first identifier of the remote terminal device and the relay service code to the relay terminal device.
- the remote terminal device sends the first verification information to the relay terminal device.
- the remote terminal device sends the second verification information to the relay terminal device.
- the above information may be carried in the same message (eg, direct communication request) or in different messages, and is finally forwarded by the relay terminal device to the remote AUSF network element, the relay AUSF network element or the PKMF network element.
- The relay service code is used to identify a connection service through which the relay provides connectivity to an application.
- the same terminal device can be configured with different relay service codes to access different applications or services.
- the first identifier may be the identifier (for example, P-KID) of the remote terminal equipment corresponding to the relay service code (for example, the format may be Username@realm), or the first identifier may be the anonymous identifier of the remote terminal equipment (for example, SUCI), so that the permanent identity of the remote terminal device (such as SUPI) will not be exposed during air interface transmission.
- the first identifier may be in one-to-one correspondence with the relay service code, that is, for different relay service codes, the remote terminal device may use different first identifiers for communication.
- The first identifier of the remote terminal device is used by the AUSF network element or the PKMF network element to determine the corresponding remote terminal device, and thereby to determine the corresponding first shared key, or alternatively to determine other identifiers of the remote terminal device (for example, SUPI). The first shared key is the key shared by the remote terminal device and the remote AUSF network element (or another key generated from that key).
- the first shared key may be Kausf, and the key Kausf is negotiated and shared in advance with the remote AUSF network element when the remote terminal device accesses the network.
- the first shared key may be a key for ProSe communication further deduced according to Kausf.
- the remote terminal device can obtain the first identifier in the following ways:
- Manner 1: The remote terminal device sends at least one relay service code to the remote authentication service function (AUSF) network element through the remote AMF network element; the remote AUSF network element generates the first identifier corresponding to the relay service code and the remote AMF network element sends the first identifier to the remote terminal device. Correspondingly, the remote terminal device receives the first identifier corresponding to the relay service code from the remote AUSF network element.
- Manner 2: The remote terminal device generates a temporary identifier according to the first shared key (eg Kausf) and the relay service code, and then obtains the first identifier according to the temporary identifier.
- The manner in which the remote terminal device generates the temporary identifier according to the first shared key (such as Kausf) and the relay service code includes: the first shared key (eg Kausf) and the relay service code are input into a certain algorithm (eg, a key derivation function (KDF)), and the temporary identifier is obtained by calculation.
- the remote terminal device may also generate a temporary identifier according to at least one of the second freshness parameter, the SUPI of the remote terminal device, the first shared key (eg Kausf), and the relay service code. That is, the input parameters for calculating the above-mentioned temporary identification may also include the second freshness parameter or other parameters (eg, SUPI of the remote terminal device, etc.).
- Manner 3: The remote terminal device generates a proximity service root key according to the first shared key, and then generates a temporary identifier according to the proximity service root key and the relay service code.
- the remote terminal device first deduces an adjacent service root key according to the first shared key (eg Kausf).
- the input parameters of the algorithm for generating the proximity service root key may include the character string "ProSe", the SUPI of the remote terminal device, and the like. Then, the remote terminal device uses the adjacent service root key and the relay service code as the input of the KDF to generate the temporary identification.
- Optionally, the remote terminal device may also generate the temporary identifier according to at least one of the second freshness parameter, the SUPI of the remote terminal device, the proximity service root key, and the relay service code. That is, the input parameters for calculating the above temporary identifier may also include the second freshness parameter or other parameters (eg, the SUPI of the remote terminal device).
- The manner in which the remote terminal device obtains the first identifier according to the temporary identifier includes:
- the remote terminal device generates a first identifier according to the temporary identifier, the routing indication and the home network identifier of the remote terminal device, and the first identifier may include the routing instruction and the home network identifier.
- For example, the temporary identifier, the routing indication and the home network identifier of the remote terminal device can be combined into a character string that serves as the first identifier.
- For example, in the first identifier Username@realm, Username may include the temporary identifier and the routing indication, and realm may include the home network identifier of the remote terminal device.
- the remote terminal device uses the above temporary identifier as the first identifier.
- the remote terminal device generates the first identifier according to the second freshness parameter, the routing indication and the home network identifier of the remote terminal device, and the first identifier may include the routing indication and the home network identifier.
- For example, the second freshness parameter, the routing indication and the home network identifier of the remote terminal device can be combined into a character string that serves as the first identifier.
- For example, in the first identifier Username@realm, Username may include the second freshness parameter and the routing indication, and realm may include the home network identifier of the remote terminal device.
- Manner 4: The remote terminal device generates a second shared key according to the first shared key (such as Kausf) and the relay service code, where the second shared key is the key Kp shared by the remote terminal device and the PKMF network element; the remote terminal device then generates the first identifier according to the second shared key Kp and the second freshness parameter.
- The relay service code is used so that keys are generated at the granularity of the relay service code, ensuring that different relay service codes (services) correspond to different temporary identifiers, which prevents an attacker from using the same first identifier to associate two different services being performed by one terminal device.
- The second freshness parameter is used to ensure that, when the same relay service code is used at different times, different temporary identifiers are generated, which prevents an attacker from using the same first identifier on the air interface to associate a terminal device performing the same service at different times.
- the second freshness parameter may include the values of the counters maintained locally by the remote terminal device and the remote AUSF network element respectively.
- When the remote terminal device and the remote AUSF network element each maintain a counter locally, the same initial value and counting rules are used to keep the values of the two counters consistent.
- In this case, the remote AUSF network element does not need to send the second freshness parameter to the remote terminal device.
- Alternatively, the remote terminal device may send the relay service code to the remote AUSF network element; the remote AUSF network element generates the first identifier according to the second freshness parameter for the relay service code, and sends the first identifier to the remote terminal device.
- Correspondingly, the remote terminal device receives the second freshness parameter corresponding to the relay service code from the remote AUSF network element.
- the second freshness parameter may include a random value generated by the remote AUSF network element or a value of a counter maintained locally by the remote AUSF network element, and the specific generation method is not limited.
- the first verification information is generated from the first temporary key and all or part of the information elements of a message (eg, a direct communication request) carrying the first verification information.
- the first temporary key is generated by the first shared key (eg Kausf). Specifically, the first temporary key can be deduced directly according to Kausf, or an intermediate key can be deduced according to Kausf, and the first temporary key can be further deduced based on the intermediate key.
- For example, the first temporary key is generated from the first shared key and at least one of the relay service code, the third freshness parameter, the second identifier (for example, SUPI) of the remote terminal device, and the first identifier.
- the third freshness parameter is generated by the remote terminal device, and may be, for example, a third random number.
- These parameters are input into an algorithm (such as a KDF) to obtain the first temporary key Kt.
- The first verification information is sent to the remote AUSF network element.
- After receiving the first verification information, the remote AUSF network element generates third verification information in the same manner as the remote terminal device, and compares the first verification information with the third verification information in order to verify the remote terminal device, that is, to verify whether the remote terminal device is authorized to access the network through the relay terminal device to obtain services.
- the second verification information is generated from the first freshness parameter, the relay service code and the first shared key (eg Kausf).
- the remote terminal device generates the second shared key Kp according to the relay service code and the first shared key (eg Kausf), and then generates the second verification information according to the first freshness parameter and the second shared key Kp .
- For example, the remote terminal device generates the second shared key Kp according to the first shared key (for example, Kausf) and at least one of the second identifier (for example, SUPI) of the remote terminal device, the character string "ProSe", and the relay service code.
- Alternatively, the remote terminal device generates the second shared key Kp according to the first shared key (eg Kausf) and other parameters, and then generates the second verification information according to the first freshness parameter, the relay service code and the second shared key Kp.
- The second verification information is sent to the PKMF network element.
- After receiving the second verification information, the PKMF network element generates fourth verification information in the same manner as the remote terminal device, and compares the second verification information with the fourth verification information in order to verify the remote terminal equipment, that is, to verify whether the remote terminal equipment is authorized to access the network through the relay terminal equipment to obtain services.
- the remote terminal device generates a root key for communication between the remote terminal device and the relay terminal device according to the first shared key (eg Kausf), the relay service code, and at least one first freshness parameter.
- For example, the first shared key (eg Kausf), the relay service code and at least one first freshness parameter are used as the input of the key derivation function KDF, and the root key for communication between the remote terminal device and the relay terminal device is output.
- Alternatively, the remote terminal device can generate the second shared key Kp according to the first shared key (eg Kausf) and the relay service code, and then generate the root key for communication between the remote terminal device and the relay terminal device according to the second shared key Kp and at least one first freshness parameter.
- Alternatively, the remote terminal device may generate the second shared key Kp according to the first shared key (eg Kausf), and then generate the root key for communication between the remote terminal device and the relay terminal device according to the relay service code, the second shared key Kp and at least one first freshness parameter.
- The at least one first freshness parameter may include the value of a counter maintained locally by the terminal device and by one of the remote AUSF network element or the PKMF network element. When the terminal device and that network element each maintain a counter locally, the same initial value and counting rules are adopted to keep the values of the two counters consistent.
- Optionally, the terminal device and the remote AUSF network element or the PKMF network element maintain a separate counter for each relay service code.
- the at least one first freshness parameter includes a first random number.
- the remote terminal device may also send the first random number to the relay terminal device. The first random number is finally sent to the remote AUSF network element or the PKMF network element, and correspondingly, the remote AUSF network element or the PKMF network element receives the first random number.
- the at least one first freshness parameter includes a second random number.
- the remote terminal device may also receive the second random number from the relay terminal device.
- the second random number may come from the remote AUSF network element or the PKMF network element, that is, the remote AUSF network element or the PKMF network element may send the second random number.
- In summary, the remote terminal device sends a first identifier and a relay service code to the relay terminal device, where the first identifier is the identifier of the remote terminal device corresponding to the relay service code, or the anonymous identifier of the remote terminal device.
- the remote terminal device generates a root key for communication between the remote terminal device and the relay terminal device according to the first shared key, the relay service code, and at least one first freshness parameter.
- The first identifier is used by the remote AUSF network element to determine the corresponding first shared key, or by the PKMF network element to determine the corresponding second shared key, where the second shared key is also generated from the first shared key and/or the relay service code. In this way the remote terminal device and the remote AUSF network element or PKMF network element can use the same method to generate the root key for communication between the remote terminal device and the relay terminal device, so that the key is shared between the remote terminal device and the relay terminal device.
- the steps performed by the remote AUSF network element in the key acquisition method on the network side include:
- the remote AUSF network element acquires one of the first identifier or the second identifier of the remote terminal device, and the relay service code.
- the remote AUSF network element receives the first random number.
- the remote AUSF network element may also receive the first verification information.
- For the first verification information, reference is made to the foregoing description, which will not be repeated here.
- The second identifier may be a permanent identity identifier (eg, SUPI) of the remote terminal device.
- the first identifier may be an identifier (eg, P-KID) of the remote terminal device corresponding to the relay service code.
- The remote AUSF network element can receive the relay service code from the remote terminal equipment, forwarded through, for example, the remote AMF network element, the relay terminal equipment, or the PKMF network element. See the previous description for the relay service code, which will not be repeated here.
- the remote AUSF network element obtains one of the first identifier or the second identifier of the remote terminal device, including the following methods:
- the remote AUSF network element receives one of the first identifier or the second identifier of the remote terminal device.
- the remote AUSF network element may receive one of the first identification or the second identification of the remote terminal device from the PKMF network element.
- Alternatively, the remote AUSF network element may generate the first identifier in the same manner as the remote terminal device in step S501 (eg, manner 2 and manner 3).
- For example, the remote AUSF network element may generate a temporary identifier according to the first shared key and the relay service code, and then generate the first identifier according to the temporary identifier.
- This corresponds to the remote terminal device generating the first identifier in manner 2 of step S501.
- Similar to the remote terminal equipment, the remote AUSF network element generating a temporary identifier according to the first shared key and the relay service code may include: generating the temporary identifier according to the first shared key, the relay service code and the second freshness parameter.
- For details, refer to how the remote terminal device generates the temporary identifier in manner 2 of step S501.
- the remote AUSF network element may generate the first identifier according to the second freshness parameter, the routing indication, and the home network identifier of the remote terminal device.
- For the second freshness parameter, refer to the above description, which will not be repeated here.
- the remote AUSF network element may send the second freshness parameter, and forward it to the remote terminal device through the relay terminal device, so that the remote terminal device receives the second freshness parameter.
- After the remote AUSF network element generates the first identifier, it can send the first identifier corresponding to the relay service code to the relay terminal device, which forwards it to the remote terminal device, so that the remote terminal device obtains the first identifier. This corresponds to manner 1 of obtaining the first identifier by the remote terminal device in step S501.
- the remote AUSF network element may also send the first identifier to the UDM network element for other network elements (eg PKMF network element) to obtain the remote AUSF network element instance identifier and/or the SUPI of the remote terminal device from the UDM network element.
- the remote AUSF network element instance identifier is used to determine the remote AUSF network element serving the remote terminal equipment.
- the remote AUSF network element obtains the first shared key corresponding to the first identifier or the second identifier.
- the remote AUSF network element can locally query the first shared key corresponding to the first identifier or the second identifier.
- the remote AUSF network element generates a root key for communication between the remote terminal device and the relay terminal device according to the first shared key, the relay service code, and at least one first freshness parameter.
- the first freshness parameter here may be the value of a counter maintained locally by the remote terminal device and the remote AUSF network element.
- the remote AUSF network element can generate the root key in the same manner as the remote terminal device. For details, refer to the relevant description in step S502, which is not repeated here.
- Optionally, a first temporary key may be generated according to the first shared key; third verification information is then obtained according to the first temporary key and all or part of the information elements of the message carrying the first verification information; the remote terminal equipment is verified by comparing the first verification information with the third verification information, and the root key is generated after the verification passes.
- For how the remote AUSF network element performs the verification, reference may be made to the foregoing description of the first verification information, which will not be repeated here.
- For example, the remote AUSF network element can generate the first temporary key based on the first shared key and at least one of the relay service code, the third freshness parameter, the second identifier, and the first identifier of the remote terminal equipment.
- For details, refer to the relevant description of the remote terminal device, which will not be repeated here.
- the remote AUSF network element generates the second shared key Kp in the same manner as the remote terminal device.
- the second shared key Kp is generated, and the second shared key Kp is sent to the PKMF network element.
- the remote terminal device generates the second shared key Kp.
- the remote AUSF network element sends the root key.
- the remote AUSF network element can send the root key to the PKMF network element, and send the root key to the relay terminal device through the PKMF network element.
- the remote AUSF network element may also send at least one first freshness parameter for generating the root key.
- If the at least one first freshness parameter includes a second random number, the remote AUSF network element may send the second random number, which is forwarded to the remote terminal device through the relay terminal device.
- the remote AUSF network element acquires one of the first identifier or the second identifier of the remote terminal device, and the relay service code; the second identifier is the permanent identifier of the remote terminal device.
- The first identifier is the identifier corresponding to the relay service code of the remote terminal device; the remote AUSF network element obtains the first shared key corresponding to the first identifier or the second identifier; the first shared key is the key shared by the remote terminal device and the remote AUSF network element; the remote AUSF network element generates the root key for communication between the remote terminal device and the relay terminal device according to the first shared key, the relay service code, and at least one first freshness parameter; the remote AUSF network element sends the root key.
- The first identifier is used by the remote AUSF network element to determine the corresponding first shared key, so that the remote terminal device and the remote AUSF network element can use the same method to generate the root key for the communication between the remote terminal device and the relay terminal device,
- so that the root key is shared between the remote terminal device and the relay terminal device.
- the steps performed by the PKMF network element in the key acquisition method on the network side include:
- the PKMF network element receives the first identifier and the relay service code of the remote terminal device.
- the PKMF network element receives the first random number.
- the PKMF network element receives the second verification information.
- the second verification information see the foregoing description, which will not be repeated here.
- the first identifier may be an identifier of the remote terminal device corresponding to the relay service code (eg, P-KID), or the first identifier may be an anonymous identifier (eg, SUCI) of the remote terminal device.
- the PKMF network element may receive the first identifier and the relay service code from the remote terminal device through the relay terminal device.
- the PKMF network element acquires the root key for communication between the remote terminal device and the relay terminal device according to the first identifier.
- The PKMF network element sends the first identifier to the UDM network element and correspondingly receives the identification information of the remote AUSF network element (for example, the remote AUSF network element instance identifier) from the UDM network element; according to the identification information, the PKMF network element sends the first identifier to the corresponding remote AUSF network element and correspondingly receives the root key from it.
- Alternatively, the PKMF network element sends the first identifier to the UDM network element and correspondingly receives, from the UDM network element, the identification information of the remote AUSF network element and the permanent identifier of the remote terminal device (for example, SUPI); according to the identification information, the PKMF network element sends the permanent identifier of the remote terminal device to the corresponding remote AUSF network element and correspondingly receives the root key from it.
- the above two embodiments correspond to the step S601 in which the remote AUSF network element obtains one of the first identifier or the second identifier of the remote terminal device.
- Alternatively, the PKMF network element receives at least one second shared key from the remote AUSF network element, and generates the root key for the communication between the remote terminal device and the relay terminal device according to the second shared key corresponding to the first identifier and at least one first freshness parameter.
- the PKMF network element generates a root key for communication between the remote terminal device and the relay terminal device according to the relay service code, the second shared key corresponding to the first identifier, and at least one first freshness parameter.
- Optionally, fourth verification information may be generated according to the first freshness parameter and the second shared key;
- the second verification information and the fourth verification information are compared to verify the remote terminal device, and the root key is generated only after the verification passes.
- the PKMF network element performs verification reference may be made to the foregoing description of the second verification information, which will not be repeated here.
- the first freshness parameter here may be the value of a counter maintained locally by the remote terminal device and the PKMF network element.
- the PKMF network element sends the root key.
- the PKMF network element may also send at least one first freshness parameter for generating the root key.
- If the at least one first freshness parameter includes a second random number, the PKMF network element may send the second random number, which is forwarded to the remote terminal device through the relay terminal device.
- The PKMF network element receives the first identifier and the relay service code of the remote terminal device, where the first identifier is the identifier of the remote terminal device corresponding to the relay service code or the anonymous identifier of the remote terminal device; the PKMF network element obtains the root key for the communication between the remote terminal device and the relay terminal device according to the first identifier, where the root key is generated from the first shared key, the relay service code, and at least one first freshness parameter, and the first shared key is the key shared by the remote terminal device and the remote authentication service function network element; the PKMF network element sends the root key.
- The first identifier is used by the PKMF network element to determine the corresponding second shared key, so that the remote terminal device and the PKMF network element can use the same method to generate the root key for the communication between the remote terminal device and the relay terminal device, so that the root key is shared between the remote terminal device and the relay terminal device.
- the embodiment of the present application provides another key acquisition method.
- the remote terminal device actively requests the remote AUSF network element for the first identifier corresponding to the relay service code, so that the remote AUSF network element can generate the corresponding key according to the relay service code.
- The first identifier is used to discover the remote UDM network element, and the generated first identifier is stored in the remote UDM network element.
- the remote terminal device initiates a direct communication request to the relay terminal device, and the direct communication request includes the first identifier.
- the relay terminal device initiates a key request containing the first identifier to the network side through signaling.
- The PKMF network element determines the remote AUSF network element corresponding to the first identifier through the remote UDM network element, and obtains the root key from the remote AUSF network element.
- the key acquisition method includes:
- a remote terminal device accesses a network, and acquires information for communicating through a relay terminal device from a remote PCF network element or other related network elements.
- the above information includes: indication information for indicating whether the terminal device is authorized to access the 5GC through the relay (that is, the terminal device acts as a remote terminal device); relay service code and the like.
- the relay terminal device accesses the network, and obtains information for providing communication as the relay terminal device from the relay PCF network element or other related network elements.
- the above information includes: indication information used to indicate whether the terminal device is authorized to act as a relay; relay service code and the like.
- The order of steps S801 and S802 is not limited.
- the remote terminal device sends a key request to the remote AUSF network element through the remote AMF network element.
- the key request includes at least one relay service code.
- the remote AMF network element performs an authorization check to check whether the remote terminal device is authorized to act as the remote terminal device of the relay terminal device or whether the remote terminal device is authorized to obtain the corresponding relay service code through the relay terminal device.
- the remote AUSF network element generates a first identifier (eg, P-KID) of the remote terminal device corresponding to each relay service code.
- the remote AUSF network element sends the first identifier of the remote terminal device to the remote UDM network element.
- the remote UDM network element stores the first identifier of the remote terminal device locally as the context of the remote terminal device.
- the remote UDM network element stores the context of the remote terminal device in the unified data repository (unified data repository, UDR) network element
- the first identifier of the remote terminal device is also stored in the terminal device context of the UDR network element.
- the remote AUSF network element sends a key request response to the remote terminal device through the remote AMF network element.
- the key request response includes: a first identifier corresponding to the relay service code, or a second freshness parameter used to generate the first identifier.
- the remote terminal device receives the first identifier corresponding to the relay service code from the remote AUSF network element through the remote AMF network element, or the second freshness parameter used to generate the first identifier.
- The key request response may include the first identifier corresponding to the relay service code, or the second freshness parameter used to generate the first identifier. If no second freshness parameter is used in generating the first identifier, the key request response includes the first identifier corresponding to the relay service code.
- The key request response may also include multiple first identifiers (or second freshness parameters) respectively corresponding to multiple relay service codes, that is, the first identifiers (or second freshness parameters) in the key request response correspond one-to-one to the relay service codes; or, the key request response includes multiple first identifiers (or second freshness parameters) that are not bound to particular relay service codes, and the remote terminal device freely selects which one corresponds to which relay service code.
- the remote terminal device acquires the first identifier.
- If the first identifier is received in step S806, the remote terminal device stores it directly.
- If the second freshness parameter is received in step S806, the remote terminal device generates the first identifier in the same manner as the remote AUSF network element, for example, according to the second or third manner in step S501. It should be noted that the remote terminal device may generate the first identifier at any time before step S809.
- the remote terminal device performs a discovery process to discover the relay terminal device.
- the remote terminal device sends a direct communication request to the relay terminal device.
- the direct communication request includes the first identification (eg P-KID) of the remote terminal device and the relay service code. If there are multiple relay service codes, the remote terminal device can determine the corresponding first identifier through the relay service codes.
- the direct communication request may further include a first random number (Nonce 1).
- the direct communication request may further include first verification information.
- Refer to step S501 for how to generate the first verification information.
- the relay terminal device sends a key request to the relay AMF network element.
- the key request includes a first identifier (eg P-KID) and a relay service code.
- the key request may further include the first random number.
- the key request may further include first verification information (eg MAC-I).
- the relay AMF network element selects a relay AUSF network element, and sends a proximity service key request to the relay AUSF network element.
- the proximity service key request includes the first identifier (for example, P-KID), the relay service code, and the identifier (relay UE ID) of the relay terminal device (for example, SUPI).
- the adjacent service key request may further include a first random number.
- the proximity service key request may further include first verification information (eg MAC-I).
- the relay AMF network element performs authorization checking, that is, checking whether the relay terminal device is authorized to act as the relay terminal device or whether the relay terminal device is authorized to provide the connection service corresponding to the relay service code to the remote terminal device.
- the relay AUSF network element selects a PKMF network element, and sends a proximity service key request to the PKMF network element.
- the information carried in the adjacent service key request is the same as the information carried in the adjacent service key request in step S811.
- the PKMF network element selects a remote UDM network element according to the first identifier (eg P-KID) in the proximity service key request, and sends a network element discovery request to the remote UDM network element.
- the network element discovery request includes a first identifier (eg P-KID).
- the remote UDM network element acquires the remote AUSF network element instance identifier according to the first identifier (eg P-KID), and sends the identifier to the PKMF network element.
- the AUSF network instance identifier can be an identifier that can uniquely identify the remote AUSF, such as a fully qualified domain name (FQDN) or an AUSF address, which is not limited here.
- the PKMF network element may also acquire the second identifier (for example, SUPI) of the remote terminal device.
- the PKMF network element authorizes the remote terminal device and the relay terminal device.
- The PKMF network element determines, according to the second identifier (such as SUPI) of the remote terminal device and the relay service code, whether the remote terminal device is authorized to obtain the service corresponding to the relay service code through the relay terminal device.
- the PKMF network element judges whether the relay terminal device is authorized to provide the service corresponding to the relay service code as a relay according to the identifier of the relay terminal device (relay UE ID, such as SUPI) and the relay service code. If the authorization is passed, the follow-up process will continue, otherwise, the rejection process will be initiated.
- The PKMF authorization process is optional, and may also occur after step S815.
- the PKMF network element sends an adjacent service key request to the remote AUSF network element.
- the proximity service key request includes the second identifier (for example, SUPI) or the first identifier of the remote terminal device, and the relay service code.
- the adjacent service key request may further include a first random number.
- the proximity service key request may further include first verification information (eg MAC-I).
- the remote AUSF network element generates a root key for communication between the remote terminal device and the relay terminal device according to the first shared key, the relay service code, and at least one first freshness parameter.
- The at least one first freshness parameter here may include the first random number (Nonce 1), or the second random number (Nonce 2) generated by the remote AUSF network element, or both the first random number and the second random number, or the value of the counter maintained locally by the remote AUSF network element.
- The counter maintained locally by the remote AUSF network element adopts the same initial value and counting rule as the counter maintained locally by the remote terminal device, so that the values of the two counters remain the same.
- the specific implementation manner of the first freshness parameter is not limited.
- If the proximity service key request includes the first verification information, the remote AUSF network element generates the third verification information in the same manner as the remote terminal device, and performs verification by comparing the first verification information with the third verification information. The root key is generated only after the verification passes.
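The following is an added example, not code from the patent or from any 3GPP specification, that models the remote-AUSF path described above (the remote AUSF method and step S817): the remote terminal derives the first identifier (P-KID) from the second freshness parameter, sends P-KID, the relay service code, Nonce 1 and the first verification information (MAC-I), and the remote AUSF recomputes the MAC with the first temporary key before deriving the root key from the first shared key Kausf, the relay service code and the freshness parameters. The KDF (HMAC-SHA256 over length-prefixed fields), the label strings, the field lengths and the message layout are assumptions chosen for illustration; the key material is constructed.

```python
"""Toy model of the remote-AUSF root key derivation (added example, not the
patent's or 3GPP's definitions; KDF, labels and message layout are assumed)."""
import hashlib
import hmac
import os


def kdf(key: bytes, *fields: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over length-prefixed fields (not the 3GPP KDF)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def first_identifier(kausf: bytes, rsc: bytes, fresh2: bytes) -> bytes:
    """First identifier (P-KID) bound to the relay service code; fresh2 is the
    second freshness parameter returned in the key request response (assumed)."""
    return kdf(kausf, b"P-KID", rsc, fresh2)[:16]


def temporary_key(kausf: bytes, rsc: bytes, pkid: bytes) -> bytes:
    """First temporary key from the first shared key, RSC and P-KID (assumed)."""
    return kdf(kausf, b"Ktemp", rsc, pkid)


def verification_info(ktemp: bytes, fields: tuple) -> bytes:
    """MAC-I over the information elements of the message that carries it."""
    return kdf(ktemp, b"MAC-I", *fields)[:8]


def root_key(kausf: bytes, rsc: bytes, nonce1: bytes, nonce2: bytes) -> bytes:
    """Root key from Kausf, the RSC and the first freshness parameters
    (Nonce 1 chosen by the UE, Nonce 2 chosen by the remote AUSF)."""
    return kdf(kausf, b"Kroot", rsc, nonce1, nonce2)


class RemoteUE:
    def __init__(self, kausf: bytes, rsc: bytes, fresh2: bytes):
        self.kausf, self.rsc = kausf, rsc
        self.pkid = first_identifier(kausf, rsc, fresh2)  # same rule as the AUSF
        self.nonce1 = b""

    def direct_communication_request(self) -> dict:
        self.nonce1 = os.urandom(16)
        fields = (self.pkid, self.rsc, self.nonce1)
        ktemp = temporary_key(self.kausf, self.rsc, self.pkid)
        return {"pkid": self.pkid, "rsc": self.rsc, "nonce1": self.nonce1,
                "mac_i": verification_info(ktemp, fields)}

    def derive_root_key(self, nonce2: bytes) -> bytes:
        return root_key(self.kausf, self.rsc, self.nonce1, nonce2)


class RemoteAUSF:
    def __init__(self):
        self.ctx = {}  # P-KID -> (Kausf, RSC); the UDM would also learn P-KID -> AUSF instance

    def key_request(self, kausf: bytes, rsc: bytes) -> bytes:
        """Steps S804/S806: generate P-KID for the RSC, return fresh2 to the UE."""
        fresh2 = os.urandom(4)
        self.ctx[first_identifier(kausf, rsc, fresh2)] = (kausf, rsc)
        return fresh2

    def prose_key_request(self, req: dict):
        """Step S817: verify MAC-I with the temporary key, then derive the root key."""
        entry = self.ctx.get(req["pkid"])
        if entry is None or entry[1] != req["rsc"]:
            return None                       # unknown P-KID or RSC mismatch
        kausf, rsc = entry
        ktemp = temporary_key(kausf, rsc, req["pkid"])
        expected = verification_info(ktemp, (req["pkid"], req["rsc"], req["nonce1"]))
        if not hmac.compare_digest(expected, req["mac_i"]):
            return None                       # third verification info != first
        nonce2 = os.urandom(16)
        return root_key(kausf, rsc, req["nonce1"], nonce2), nonce2


def run_exchange(kausf: bytes, rsc: bytes, tamper_nonce1: bool = False):
    """True when UE and network end up with the same root key; None when the
    network rejects the request (here: Nonce 1 altered on the relay path)."""
    ausf = RemoteAUSF()
    ue = RemoteUE(kausf, rsc, ausf.key_request(kausf, rsc))
    req = ue.direct_communication_request()
    if tamper_nonce1:
        req = dict(req, nonce1=bytes(16))     # relay or attacker changes Nonce 1
    result = ausf.prose_key_request(req)
    if result is None:
        return None
    kroot_net, nonce2 = result
    return kroot_net == ue.derive_root_key(nonce2)


if __name__ == "__main__":
    k = hashlib.sha256(b"constructed Kausf").digest()  # constructed key material
    print(run_exchange(k, b"RSC-1"), run_exchange(k, b"RSC-1", tamper_nonce1=True))
```

The point of covering Nonce 1 with MAC-I is visible in the tampered run: a relay that alters the freshness parameter cannot get a root key the remote terminal would agree on, and the network refuses to derive one at all rather than handing out a key for a request it cannot attribute to the remote terminal.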
- the remote AUSF network element sends a proximity service key response to the PKMF network element.
- the adjacent service key response may include a root key, and optionally, a second random number.
- the PKMF network element sends an adjacent service key response to the relay AUSF network element.
- the adjacent service key response may include a root key, and optionally, a second random number.
- the relay AUSF network element sends a proximity service key response to the relay terminal device through the relay AMF network element.
- the adjacent service key response may include a root key, and optionally, a second random number.
- the relay terminal device sends a security mode command to the remote terminal device.
- the security mode command includes a second random number.
- the relay terminal device generates a fourth random number, and includes the fourth random number in the security mode command message.
- the remote terminal device uses the same method as the remote AUSF network element to generate the root key.
- the relay terminal device may generate a session key between the relay terminal device and the remote terminal device according to the received root key. Further optionally, the relay terminal device may generate an encryption key and/or an integrity protection key for the signaling plane and/or the user plane according to the session key.
- the relay terminal device may generate an encryption key and/or an integrity protection key for the signaling plane and/or the user plane according to the received root key.
- the security mode command message includes a message verification code, and the message verification code is generated according to the integrity protection key of the signaling plane.
- The remote terminal device sends a security mode command complete message to the relay terminal device.
- The remote terminal device acquires the first identifier corresponding to the relay service code, and through the first identifier the relay terminal device can obtain, from the network side over the signaling plane, the root key for the communication between the remote terminal device and the relay terminal device.
- the PKMF network element first performs authorization checking on the remote terminal device and the relay terminal device to ensure that only authorized terminal devices acquire the root key.
- the root key is generated according to parameters such as the first shared key Kausf and the relay service code.
- the embodiment of the present application provides another key acquisition method.
- the remote terminal device actively requests the remote AUSF network element for the first identifier corresponding to the relay service code, so that the remote AUSF network element can generate the corresponding key according to the relay service code.
- the first identifier and the second shared key are sent to the PKMF network element.
- the remote terminal device initiates a direct communication request to the relay terminal device, and the direct communication request includes the first identifier.
- the relay terminal device initiates a key request including the first identifier to the network side through signaling, and the PKMF network element obtains the corresponding second shared key Kp according to the first identifier, and generates a communication between the remote terminal device and the relay terminal device. root key.
- the remote AUSF network element pushes the first identifier and the second shared key Kp of the remote terminal device to the PKMF network element in advance. Or the remote AUSF network element pushes the second shared key Kp to the PKMF network element in advance, and the PKMF generates the first identifier of the remote terminal device.
- the key acquisition method includes:
- a remote terminal device accesses a network, and acquires information for communicating through a relay terminal device from a remote PCF network element or other related network elements.
- This step is the same as step S801 and will not be repeated here.
- the relay terminal device accesses the network, and obtains information for providing communication as the relay terminal device from the relay PCF network element or other related network elements.
- This step is the same as step S802 and will not be repeated here.
- the remote terminal device sends a key request to the remote AUSF network element through the remote AMF network element.
- This step is the same as step S803 and will not be repeated here.
- the remote AUSF network element generates a second shared key Kp.
- Refer to step S603 for the process of generating the second shared key Kp.
- the remote AUSF network element generates a first identifier (eg, P-KID) of the terminal device corresponding to each relay service code.
- Refer to step S601 for the process of generating the first identifier.
- the remote AUSF network element selects the PKMF network element, and sends a near service information provision message to the PKMF network element.
- the way for the remote AUSF network element to select the PKMF network element includes but is not limited to the following possible ways:
- The remote AUSF network element determines the PKMF network element according to the relay service code. For example, the remote AUSF network element sends the relay service code to the remote NRF network element or the remote PCF network element to obtain the PKMF network element corresponding to the relay service code. Or the relay service code includes routing information, and the remote AUSF network element selects the PKMF network element according to that routing information.
- The remote terminal device includes the discovery information of the PKMF network element in the key request (having obtained that information from the remote PCF network element or other related network elements in step S901), and the remote AMF network element forwards it to the remote AUSF network element.
- the remote AMF network element includes the discovery information of the PKMF network element in the key request (the information is obtained from the remote PCF network element or other related network elements in step S901).
- the above-mentioned discovery information of the PKMF network element is used for the AUSF network element to determine the PKMF network element, and the discovery information of the PKMF network element may be routing information, address information of the PKMF network element, or an identifier of the PKMF network element.
- the proximity service information providing message includes the second identifier (eg, SUPI) of the remote terminal device, the second shared key Kp, and optionally, the relay service code and the first identifier of the remote terminal device.
- The PKMF network element stores the received second identifier of the remote terminal device (for example, SUPI), the first identifier of the remote terminal device (if received), and the second shared key Kp; optionally, it also stores the relay service code.
- the PKMF network element may store the above information after judging that the remote terminal device is authorized to obtain the relay service code.
- the PKMF network element if the proximity service information providing message does not contain the first identifier, the PKMF network element generates the first identifier. In this case, optionally, the PKMF network element sends the generated first identifier or the second freshness parameter to the remote AUSF network element.
- the remote AUSF network element sends a key request response to the remote terminal device through the remote AMF network element.
- This step is the same as step S806.
- the remote terminal device acquires the first identifier.
- This step is the same as step S807. It should be noted that the remote terminal device may generate the first identifier at any time before step S909.
- the remote terminal device performs a discovery process to discover the relay terminal device.
- This step is the same as step S808.
- the remote terminal device sends a direct communication request to the relay terminal device.
- The difference between this step and step S809 is that the remote terminal device may generate the second verification information instead of the first verification information (refer to step S501 for the process of generating the second verification information), and the direct communication request then optionally includes the second verification information instead of the first verification information. The other content is the same.
- the relay terminal device sends a key request to the relay AMF network element.
- The difference between this step and step S810 is that the key request optionally includes the second verification information instead of the first verification information. The other content is the same.
- the relay AMF network element selects a relay AUSF network element, and sends a proximity service key request to the relay AUSF network element.
- The difference between this step and step S811 is that the proximity service key request optionally includes the second verification information instead of the first verification information. The other content is the same.
- the relay AUSF network element selects a PKMF network element, and sends a proximity service key request to the PKMF network element.
- The differences between this step and step S812 are that the relay AUSF network element selects the PKMF network element in the same way as the remote AUSF network element does in step S905, and that the proximity service key request optionally includes the second verification information instead of the first verification information. The other content is the same.
- the PKMF network element authorizes the remote terminal equipment and the relay terminal equipment.
- This step is the same as step S814. This step is optional.
- the PKMF network element generates a root key for communication between the remote terminal device and the relay terminal device according to the second shared key Kp and at least one first freshness parameter.
- The first freshness parameter here may include the first random number (Nonce 1), or the second random number (Nonce 2) generated by the PKMF network element, or both the first random number and the second random number, or the values of the counters maintained locally by the remote terminal device and the PKMF network element respectively.
- When the remote terminal device and the PKMF network element each maintain a counter locally, they use the same initial value and counting rule, so that the values of the two counters remain the same.
- Refer to step S702 for the process of generating the root key.
- the PKMF network element if the proximity service key request includes the second verification information, the PKMF network element generates the fourth verification information in the same manner as the terminal device, and performs verification by comparing the second verification information with the fourth verification information. After the verification is passed, the root key is generated.
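The following is an added example, not code from the patent or from any 3GPP specification, that models the PKMF path described above (the PKMF method with the second shared key, and steps S904 to S913): the remote AUSF derives Kp from Kausf and pushes it to the PKMF in advance keyed by P-KID; when the relay's key request arrives, the PKMF authorizes both terminals against the relay service code, recomputes the second verification information as its fourth verification information under Kp, and derives the root key from Kp, the relay service code and the freshness parameters (the terminal's counter value plus a PKMF-generated Nonce 2). The KDF, labels, counter width and message layout are assumptions; the acceptance rule for the counter (a request is accepted only if its counter value is higher than the last accepted one for that P-KID) is stricter than the page, which only requires the two counters to stay in step, and is added here so that a replayed direct communication request is visibly rejected. SUPIs and key material are constructed.

```python
"""Toy model of the PKMF root key derivation with Kp (added example, not the
patent's or 3GPP's definitions; KDF, labels and message layout are assumed)."""
import hashlib
import hmac
import os


def kdf(key: bytes, *fields: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over length-prefixed fields (not the 3GPP KDF)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def second_shared_key(kausf: bytes, rsc: bytes) -> bytes:
    """Kp, derived from the first shared key by both the UE and the remote AUSF."""
    return kdf(kausf, b"Kp", rsc)


def first_identifier(kausf: bytes, rsc: bytes) -> bytes:
    """P-KID for this RSC (assumed construction without a second freshness parameter)."""
    return kdf(kausf, b"P-KID", rsc)[:16]


def second_verification_info(kp: bytes, counter: bytes, pkid: bytes, rsc: bytes) -> bytes:
    """MAC the UE puts in the direct communication request; the PKMF recomputes
    the same value as the fourth verification information."""
    return kdf(kp, b"MAC-2", counter, pkid, rsc)[:8]


def root_key(kp: bytes, rsc: bytes, counter: bytes, nonce2: bytes) -> bytes:
    """Root key from Kp, the RSC and the first freshness parameters."""
    return kdf(kp, b"Kroot", rsc, counter, nonce2)


class RemoteUE:
    def __init__(self, kausf: bytes, rsc: bytes):
        self.kp, self.pkid, self.rsc = second_shared_key(kausf, rsc), first_identifier(kausf, rsc), rsc
        self.counter = 0  # first freshness parameter; same initial value and rule as the PKMF

    def direct_communication_request(self, relay_id: str) -> dict:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return {"pkid": self.pkid, "rsc": self.rsc, "counter": ctr, "relay_id": relay_id,
                "mac": second_verification_info(self.kp, ctr, self.pkid, self.rsc)}

    def derive_root_key(self, counter: bytes, nonce2: bytes) -> bytes:
        return root_key(self.kp, self.rsc, counter, nonce2)


class PKMF:
    def __init__(self, remote_auth: set, relay_auth: set):
        self.ctx = {}                    # P-KID -> record pushed by the remote AUSF
        self.last_counter = {}           # P-KID -> last accepted counter value
        self.remote_auth = remote_auth   # {(SUPI, RSC)} allowed to use the relay service
        self.relay_auth = relay_auth     # {(relay UE ID, RSC)} allowed to provide it

    def prose_info_provision(self, supi: str, kp: bytes, rsc: bytes, pkid: bytes) -> None:
        """Step S906: store what the remote AUSF pushed (SUPI, Kp, RSC, P-KID)."""
        self.ctx[pkid] = {"supi": supi, "kp": kp, "rsc": rsc}

    def prose_key_request(self, req: dict):
        """Steps S912/S913: authorize both UEs, verify, then derive the root key."""
        rec = self.ctx.get(req["pkid"])
        if rec is None or rec["rsc"] != req["rsc"]:
            return None  # unknown P-KID, or RSC differs from the provisioned one
        if (rec["supi"], req["rsc"]) not in self.remote_auth:
            return None  # remote UE not authorized for this relay service code
        if (req["relay_id"], req["rsc"]) not in self.relay_auth:
            return None  # relay UE not authorized to provide this service
        ctr = int.from_bytes(req["counter"], "big")
        if ctr <= self.last_counter.get(req["pkid"], 0):
            return None  # replayed or stale freshness parameter (assumed rule)
        expected = second_verification_info(rec["kp"], req["counter"], req["pkid"], req["rsc"])
        if not hmac.compare_digest(expected, req["mac"]):
            return None  # fourth verification info != second
        self.last_counter[req["pkid"]] = ctr
        nonce2 = os.urandom(16)
        return root_key(rec["kp"], req["rsc"], req["counter"], nonce2), nonce2


def run_exchange(kausf: bytes, supi: str, rsc: bytes, relay_id: str = "relay-supi-1") -> dict:
    """Runs provisioning plus four key requests and reports what the PKMF did."""
    pkmf = PKMF(remote_auth={(supi, rsc)}, relay_auth={(relay_id, rsc)})
    # Remote AUSF side (step S905): derive Kp and P-KID, push them to the PKMF.
    pkmf.prose_info_provision(supi, second_shared_key(kausf, rsc), rsc, first_identifier(kausf, rsc))
    ue = RemoteUE(kausf, rsc)
    req = ue.direct_communication_request(relay_id)
    first = pkmf.prose_key_request(req)
    agree = first is not None and first[0] == ue.derive_root_key(req["counter"], first[1])
    replay_rejected = pkmf.prose_key_request(req) is None                 # same counter again
    bad_relay_rejected = pkmf.prose_key_request(ue.direct_communication_request("relay-supi-2")) is None
    fresh_accepted = pkmf.prose_key_request(ue.direct_communication_request(relay_id)) is not None
    return {"agree": agree, "replay_rejected": replay_rejected,
            "unauthorized_relay_rejected": bad_relay_rejected, "fresh_counter_accepted": fresh_accepted}


if __name__ == "__main__":
    print(run_exchange(hashlib.sha256(b"constructed Kausf").digest(), "imsi-001010123456789", b"RSC-1"))
```

Two things in this model are worth keeping in mind when reading the PKMF path: the PKMF never sees Kausf, only Kp, so a compromise of the PKMF exposes keys for relay services but not the primary authentication key; and because the counter is the only freshness the terminal contributes, the PKMF must track the last value it accepted per P-KID, otherwise a captured direct communication request can be replayed to obtain a fresh Nonce 2 and root key for the same counter value.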
- The order of step S913 is not limited.
- the PKMF network element sends an adjacent service key response to the relay AUSF network element.
- This step is the same as step S818.
- the relay AUSF network element sends a proximity service key response to the relay terminal device through the relay AMF network element.
- This step is the same as step S819.
- the relay terminal device sends a security mode command to the remote terminal device.
- This step is the same as step S820.
- The remote terminal device sends a security mode command complete message to the relay terminal device.
- This step is the same as step S821.
- The remote terminal device acquires the first identifier corresponding to the relay service code, and through the first identifier the relay terminal device can obtain, from the network side over the signaling plane, the root key for the communication between the remote terminal device and the relay terminal device.
- the PKMF network element first performs authorization checking on the remote terminal device and the relay terminal device to ensure that only authorized terminal devices acquire the root key.
- the root key is generated according to parameters such as the first shared key Kausf and the relay service code.
- the embodiment of this application provides another key acquisition method.
- The remote terminal device actively requests, through the remote AMF network element, the first identifier corresponding to the relay service code from the PKMF network element, and the PKMF network element then requests the first identifier from the remote AUSF network element, so that the remote AUSF network element can generate the corresponding first identifier and second shared key according to the relay service code and send them to the PKMF network element.
- the remote terminal device initiates a direct communication request to the relay terminal device, and the direct communication request includes the first identifier.
- the relay terminal device initiates a key request containing the first identifier to the network side through signaling, and the PKMF network element obtains the corresponding second shared key according to the first identifier and generates the root key for the communication between the remote terminal device and the relay terminal device.
- the difference from Figure 9 is that the remote AMF network element communicates directly with the PKMF network element.
- the key acquisition method includes:
- a remote terminal device accesses a network, and acquires information for communicating through a relay terminal device from a remote PCF network element or other related network elements.
- This step is the same as step S801 and will not be repeated here.
- the relay terminal device accesses the network, and obtains information for providing communication as the relay terminal device from the relay PCF network element or other related network elements.
- This step is the same as step S802 and will not be repeated here.
- the remote terminal device sends a key request to the remote AMF network element.
- the key request includes at least one relay service code.
- the remote AMF network element performs an authorization check, that is, it checks whether the remote terminal device is authorized to act as the remote terminal device of the relay terminal device, or checks whether the remote terminal device is authorized to obtain the service corresponding to the relay service code through the relay terminal device.
- the remote AMF network element selects a PKMF network element, and sends a key request to the PKMF network element.
- the manner in which the remote AMF network element selects the PKMF network element is the same as the manner in which the remote AUSF network element selects the PKMF network element in step S905.
- the key request includes the relay service code, the remote AUSF network element instance identifier, and the second identifier (for example, SUPI) of the remote terminal device.
- If the key request in step S1003 includes multiple relay service codes that correspond to different PKMF network elements, the remote AMF network element sends the key request to each PKMF network element respectively.
- the PKMF network element sends a proximity service security information request to the remote AUSF network element.
- the request includes the second identifier (for example, SUPI) of the remote terminal device and the relay service code.
- the PKMF network element determines, according to the second identifier (for example, SUPI) of the remote terminal device and the relay service code, whether to authorize the remote terminal device to obtain the service corresponding to the relay service code through the relay terminal device.
- the remote AUSF network element generates a first identifier (eg, P-KID) of the terminal device corresponding to each relay service code, and generates a second shared key Kp.
- This step is the same as step S904.
- the remote AUSF network element sends a proximity service security information response to the PKMF network element.
- the proximity service security information response includes the second shared key Kp, and optionally, the relay service code, the second identifier (eg, SUPI) of the remote terminal device, and the first identifier of the remote terminal device.
- the PKMF network element sends a key request response to the remote terminal device through the remote AMF network element.
- For the information included in the key request response, reference may be made to step S806, which will not be repeated here.
- the remote terminal device acquires the first identifier.
- This step is the same as step S807. It should be noted that the process of generating the first identifier by the remote terminal device may be performed before step S1011.
- the remote terminal device performs a discovery process to discover the relay terminal device.
- This step is the same as step S808.
- the remote terminal device sends a direct communication request to the relay terminal device.
- This step is the same as step S909.
- the relay terminal device sends a key request to the relay AMF network element.
- This step is the same as step S910.
- the relay AMF network element selects a PKMF network element, and sends a proximity service key request to the PKMF network element.
- the manner in which the relay AMF network element selects the PKMF network element is the same as the manner in which the remote AMF network element selects the PKMF network element in step S1004.
- the information carried in the proximity service key request is the same as the information carried in the proximity service key request in step S912.
- the relay AMF network element performs an authorization check, that is, it checks whether the relay terminal device is authorized to act as the relay terminal device of the remote terminal device, or checks whether the relay terminal device is authorized to provide the service corresponding to the relay service code to the remote terminal device.
- the PKMF network element authorizes the remote terminal device and the relay terminal device.
- This step is the same as step S814.
- the PKMF network element generates a root key for communication between the remote terminal device and the relay terminal device according to the second shared key Kp and at least one first freshness parameter.
- This step is the same as step S914.
- the PKMF network element sends a proximity service key response to the relay terminal device through the relay AMF network element.
- the information carried in the proximity service key response is the same as the information carried in the proximity service key response in step S818.
- the relay terminal device sends a security mode command to the remote terminal device.
- This step is the same as step S820.
- the remote terminal device sends a security mode command complete message to the relay terminal device. This step is the same as step S821.
- the remote terminal device acquires the first identifier corresponding to the relay service code, and through the first identifier the relay terminal device can obtain, from the network side through the signaling plane, the root key for communication between the remote terminal device and the relay terminal device.
- the PKMF network element first performs authorization checking on the remote terminal device and the relay terminal device to ensure that only authorized terminal devices acquire the root key.
- the root key is generated according to parameters such as the first shared key Kausf and the relay service code.
- the embodiment of the present application provides another key acquisition method.
- the remote terminal device initiates a direct communication request to the relay terminal device, and the direct communication request includes the SUCI of the remote terminal device.
- the relay terminal device initiates a key request containing SUCI to the network side through signaling.
- the PKMF network element determines the remote AUSF network element corresponding to the SUCI through the remote UDM network element, and obtains from the remote AUSF network element the root key for communication between the remote terminal device and the relay terminal device. The difference is that the PKMF network element determines the remote AUSF network element through the SUCI of the remote terminal device.
- the key acquisition method includes:
- a remote terminal device accesses a network, and acquires information for communicating through a relay terminal device from a remote PCF network element or other related network elements.
- This step is the same as step S801 and will not be repeated here.
- the relay terminal device accesses the network, and obtains information for providing communication as the relay terminal device from the relay PCF network element or other related network elements.
- This step is the same as step S802 and will not be repeated here.
- the remote terminal device performs a discovery process to discover the relay terminal device.
- This step is the same as step S808.
- S1104 The remote terminal device sends a direct communication request to the relay terminal device.
- The difference between this step and step S809 is that the first identifier in the direct communication request may be the SUCI of the remote terminal device.
- the relay terminal device sends a key request to the relay AMF network element.
- The difference between this step and step S810 is that the first identifier in the key request may be the SUCI of the remote terminal device.
- the relay AMF network element selects a relay AUSF network element, and sends a proximity service key request to the relay AUSF network element.
- The difference between this step and step S811 is that the first identifier in the proximity service key request may be the SUCI of the remote terminal device.
- the relay AUSF network element selects a PKMF network element, and sends a proximity service key request to the PKMF network element.
- The difference between this step and step S812 is that the first identifier in the proximity service key request may be the SUCI of the remote terminal device.
- the PKMF network element selects the remote UDM network element according to the first identifier (for example, SUCI) in the proximity service key request, and sends a terminal equipment identifier (UE ID) request to the remote UDM network element.
- the terminal equipment identifier request includes the first identifier (for example, SUCI).
- the remote UDM network element obtains the second identifier (for example, SUPI) of the remote terminal device and the instance identifier of the remote AUSF network element serving the remote terminal device according to the first identifier (for example, SUCI), and sends them to the PKMF network element.
- the PKMF network element authorizes the remote terminal device and the relay terminal device.
- This step is the same as step S814.
- the PKMF network element sends a request for a proximity service key to the remote AUSF network element.
- This step is the same as step S815.
- the remote AUSF network element generates a root key for communication between the remote terminal device and the relay terminal device according to the first shared key, the relay service code, and at least one first freshness parameter.
- This step is the same as step S816.
- the remote AUSF network element sends a proximity service key response to the PKMF network element.
- This step is the same as step S817.
- the PKMF network element sends a proximity service key response to the relay AUSF network element.
- This step is the same as step S818.
- the relay AUSF network element sends a proximity service key response to the relay terminal device through the relay AMF network element.
- This step is the same as step S819.
- the relay terminal device sends a security mode command to the remote terminal device.
- This step is the same as step S820.
- S1116 The remote terminal device sends a security mode command complete message to the relay terminal device.
- This step is the same as step S821.
- steps S811 and S812 are optional, and the remote AMF network element can directly select the PKMF network element and send the proximity service key request to the PKMF network element. In this case, the information carried in the proximity service key request is the same as that in step S811.
- the remote terminal device generates SUCI, so that the relay terminal device can use the SUCI to acquire the root key of the communication between the remote terminal device and the relay terminal device from the PKMF network element.
- the PKMF network element can determine the remote AUSF network element according to the SUCI, and obtains the root key of the communication between the remote terminal device and the relay terminal device from the remote AUSF network element.
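The key derivations described in the embodiments above (the PKMF deriving the root key from the second shared key Kp and the first freshness parameters after S1013, the remote AUSF deriving it directly from Kausf, the relay service code and the freshness parameters after S1110, and the PKMF comparing the second and fourth verification information before releasing a root key) are modelled below as an added example; this is illustrative code, not code from the patent or from any network implementation. The page fixes no KDF or MAC, so HMAC-SHA256 over a label and length-prefixed inputs is an assumption here, as is representing the verification information as a MAC over the first freshness parameter under Kp.

```python
"""Added illustration, not code from the patent or from any network vendor.
Models the key material the embodiments describe: the remote terminal device
and its remote AUSF share Kausf; the AUSF derives the second shared key Kp
from Kausf and the relay service code (RSC) and hands Kp to the PKMF; the
PKMF then derives the root key from Kp and the first freshness parameters
(FIG. 9/10 path), while in the FIG. 8/11 path the remote AUSF derives the
root key directly from Kausf, the RSC and the freshness parameters.
The page fixes neither a KDF nor a MAC: HMAC-SHA256 over a label and
length-prefixed inputs is an assumption of this example."""
import hashlib
import hmac


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 keyed with `key` over a label and
    length-prefixed inputs (prefixing prevents ambiguous concatenation)."""
    msg = label + b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_kp(kausf: bytes, rsc: bytes) -> bytes:
    """Second shared key Kp = f(Kausf, RSC), shared by remote UE and PKMF."""
    return kdf(kausf, b"KP", rsc)


def derive_root_key_from_kp(kp: bytes, freshness) -> bytes:
    """FIG. 9/10 path: PKMF derives the root key from Kp and the first
    freshness parameter(s); the remote UE repeats this with its own Kp."""
    return kdf(kp, b"ROOT", *freshness)


def derive_root_key_direct(kausf: bytes, rsc: bytes, freshness) -> bytes:
    """FIG. 8/11 path: remote AUSF derives the root key from Kausf, RSC and
    the first freshness parameter(s) and returns it to the PKMF."""
    return kdf(kausf, b"ROOT", rsc, *freshness)


def verification_info(kp: bytes, first_freshness: bytes) -> bytes:
    """Second (UE side) and fourth (PKMF side) verification information,
    assumed here to be a MAC over the first freshness parameter under Kp.
    The UE computes Kp from Kausf and the RSC, so both sides agree."""
    return kdf(kp, b"VERIFY", first_freshness)


def pkmf_verify(kp: bytes, first_freshness: bytes, second_info: bytes) -> bool:
    """PKMF recomputes the tag (fourth verification information) and compares
    it with the received second verification information in constant time."""
    fourth_info = verification_info(kp, first_freshness)
    return hmac.compare_digest(second_info, fourth_info)


def run_exchange(kausf: bytes, rsc: bytes, first_random: bytes,
                 second_random: bytes, tamper: bool = False):
    """Simulate the FIG. 9/10 flow. Returns (root_at_ue, root_at_pkmf, verified).
    first_random is the first random number chosen by the remote UE; second_random
    is the second random number chosen by the PKMF and delivered to the remote UE
    through the relay UE (security mode command). `tamper` corrupts the second
    verification information in transit to show the PKMF-side check failing."""
    # Remote AUSF derives Kp and sends it to the PKMF
    # (proximity service security information response).
    kp_at_pkmf = derive_kp(kausf, rsc)
    # Remote UE derives the same Kp locally and builds the second
    # verification information carried in the direct communication request.
    kp_at_ue = derive_kp(kausf, rsc)
    second_info = verification_info(kp_at_ue, first_random)
    if tamper:
        second_info = bytes(b ^ 0x01 for b in second_info)
    # PKMF verifies the remote UE before any root key is generated.
    if not pkmf_verify(kp_at_pkmf, first_random, second_info):
        return None, None, False
    freshness = [first_random, second_random]
    root_at_pkmf = derive_root_key_from_kp(kp_at_pkmf, freshness)
    # The relay UE receives root_at_pkmf via the relay AMF and forwards
    # second_random in the security mode command; the remote UE now holds
    # both freshness parameters and derives the same root key.
    root_at_ue = derive_root_key_from_kp(kp_at_ue, freshness)
    return root_at_ue, root_at_pkmf, True


if __name__ == "__main__":
    # Constructed sample values, not real key material.
    KAUSF = bytes(range(32))
    RSC = b"RSC-0001"
    R1, R2 = bytes(16), bytes([0xAA] * 16)
    ue_key, pkmf_key, ok = run_exchange(KAUSF, RSC, R1, R2)
    print("verified:", ok, "keys match:", ue_key == pkmf_key)
    print("tampered:", run_exchange(KAUSF, RSC, R1, R2, tamper=True))
```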
- an embodiment of the present application further provides a communication device, where the communication device is used to implement the above-mentioned various methods.
- the communication apparatus may be the remote terminal equipment in the above method embodiments, or an apparatus including the above-mentioned remote terminal equipment, or a chip or a functional module in the remote terminal equipment.
- the communication device may be the remote AUSF network element in the foregoing method embodiments, or a device including the foregoing remote AUSF network element, or a chip or functional module in the remote AUSF network element.
- the communication device may be the PKMF network element in the foregoing method embodiments, or a device including the foregoing PKMF network element, or a chip or functional module in the PKMF network element.
- the communication apparatus includes corresponding hardware structures and/or software modules for executing each function.
- the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.
- the communication device may be divided into functional modules according to the foregoing method embodiments.
- each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
- the above-mentioned integrated modules can be implemented in the form of hardware, and can also be implemented in the form of software function modules. It should be noted that, the division of modules in the embodiments of the present application is schematic, and is only a logical function division, and there may be other division manners in actual implementation.
- FIG. 12 shows a schematic structural diagram of a communication device 120 .
- the communication apparatus 120 may be the remote terminal device in FIG. 1 .
- the communication device 120 includes a processing module 1201 and a transceiver module 1202 .
- the processing module 1201 may also be called a processing unit, and is used to implement the processing function of the remote terminal device in the foregoing method embodiments. For example, step S502 in FIG. 5 is performed, and the processing functions of the remote terminal device in FIG. 8 to FIG. 11 are performed.
- the transceiver module 1202 which may also be referred to as a transceiver unit, is used to implement the transceiver function of the remote terminal device in the foregoing method embodiments. For example, step S501 in FIG. 5 is performed, and the sending and receiving functions of the remote terminal equipment in FIG. 8 to FIG. 11 are performed.
- the transceiver module 1202 may also be referred to as a transceiver circuit, a transceiver, or a communication interface.
- the transceiver module 1202 is configured to send a first identifier and a relay service code to the relay terminal device, where the first identifier is the identifier of the remote terminal device corresponding to the relay service code, or the first identifier is the anonymous identifier of the remote terminal device; the processing module 1201 is configured to generate a root key for the communication between the remote terminal device and the relay terminal device according to the first shared key, the relay service code, and at least one first freshness parameter.
- the remote authentication service function network element is the authentication service function network element serving the remote terminal device, and the first shared key is the key shared by the remote terminal device and the remote authentication service function network element.
- the first identifier is the SUCI of the remote terminal device.
- the processing module 1201 and the transceiver module 1202 are further configured to acquire the first identifier.
- the transceiver module 1202 is further configured to send a relay service code; and receive a first identifier corresponding to the relay service code.
- the processing module 1201 is further configured to generate a temporary identification according to the first shared key and the relay service code; and obtain the first identification according to the temporary identification.
- the processing module 1201 is further configured to generate a temporary identifier according to the first shared key, the relay service code and the second freshness parameter.
- the processing module 1201 is further configured to generate the first identifier according to the second freshness parameter, the routing indication and the home network identifier.
- the transceiver module 1202 is further configured to send a relay service code; and receive a second freshness parameter corresponding to the relay service code.
- the second freshness parameter is the value of a counter maintained locally by the remote terminal device.
- the first identifier includes a routing indication and a home network identifier.
- the transceiver module 1202 is further configured to send the first verification information to the relay terminal device, where the first verification information is generated from the first temporary key and all or part of the information elements of the message carrying the first verification information, and the first temporary key is generated from the first shared key.
- the first temporary key is generated from the first shared key and at least one of the relay service code, the third freshness parameter, the second identifier of the remote terminal device, and the first identifier, where the third freshness parameter is generated by the remote terminal device.
- the transceiver module 1202 is further configured to send second verification information to the relay terminal device, where the second verification information is generated from the first freshness parameter, the relay service code and the first shared key.
- the at least one first freshness parameter includes a first random number
- the transceiver module 1202 is further configured to send the first random number to the relay terminal device.
- the first random number is sent to the remote AUSF network element or the PKMF network element.
- the at least one first freshness parameter includes a second random number
- the transceiver module 1202 is further configured to receive the second random number from the relay terminal device.
- the second random number may come from a remote AUSF network element or a PKMF network element.
- the at least one first freshness parameter is the value of a counter maintained locally by the remote terminal device.
- the first shared key is the key Kausf negotiated with the remote authentication service function network element when the remote terminal device accesses the network.
- the processing module 1201 is further configured to generate a second shared key according to the first shared key and the relay service code, and to generate the root key according to the second shared key and the at least one first freshness parameter, where the second shared key is the key shared by the remote terminal device and the proximity service key management function network element.
- FIG. 13 shows a schematic structural diagram of a communication device 130 .
- the communication apparatus 130 may be the AUSF network element in FIG. 1 .
- the communication device 130 includes a processing module 1301 and a transceiver module 1302 .
- the processing module 1301 may also be referred to as a processing unit, and is used to implement the processing function of the remote AUSF network element in the above method embodiments. For example, steps S601 to S603 in FIG. 6 are performed, and the processing functions of the remote AUSF network element in FIG. 8 to FIG. 11 are performed.
- the transceiver module 1302 which may also be referred to as a transceiver unit, is used to implement the transceiver function of the remote AUSF network element in the above method embodiments. For example, steps S601 and S604 in FIG. 6 are performed, and the sending and receiving functions of the remote AUSF network elements in FIG. 8 to FIG. 11 are performed.
- the transceiver module 1302 may also be referred to as a transceiver circuit, a transceiver, or a communication interface.
- the processing module 1301 is configured to obtain one of the first identifier or the second identifier of the remote terminal device, and the relay service code, where the second identifier is the permanent identifier of the remote terminal device and the first identifier is the identifier of the remote terminal device corresponding to the relay service code; the processing module 1301 is further configured to obtain the first shared key corresponding to the first identifier or the second identifier, where the first shared key is the key shared by the remote terminal device and the remote authentication service function network element; the processing module 1301 is further configured to generate a root key for the communication between the remote terminal device and the relay terminal device according to the first shared key, the relay service code, and at least one first freshness parameter; and the transceiver module 1302 is configured to send the root key.
- the transceiver module 1302 is further configured to receive one of the first identifier or the second identifier of the remote terminal device.
- the processing module 1301 is further configured to generate a temporary identifier according to the first shared key and the relay service code; the remote authentication service function network element generates the first identifier according to the temporary identifier.
- the processing module 1301 is further configured to generate a temporary identifier according to the first shared key, the relay service code and the second freshness parameter.
- the processing module 1301 is further configured to generate the first identifier according to the second freshness parameter, the routing indication and the home network identifier of the remote terminal device.
- the second freshness parameter is a value of a counter maintained locally by the remote authentication service function network element.
- the transceiver module 1302 is further configured to receive the relay service code and send the second freshness parameter.
- the transceiver module 1302 is further configured to receive a relay service code; and send the first identifier.
- the first identifier includes a routing indication and a home network identifier.
- the transceiver module 1302 is further configured to receive the first verification information; the processing module 1301 is further configured to generate a first temporary key according to the first shared key, to generate third verification information according to the first temporary key and all or part of the information elements of the message carrying the first verification information, and to compare the first verification information with the third verification information in order to verify the remote terminal device.
- the processing module 1301 is further configured to generate the first temporary key according to the first shared key and at least one of the relay service code, the third freshness parameter, the second identifier, and the first identifier of the remote terminal device, where the third freshness parameter is generated by the remote terminal device.
- the at least one first freshness parameter includes a first random number
- the transceiver module 1302 is further configured to receive the first random number
- the at least one first freshness parameter includes a second random number
- the transceiver module 1302 is further configured to send the second random number
- the at least one first freshness parameter is the value of a counter maintained locally by the remote authentication service function network element.
- the transceiver module 1302 is further configured to send the first identifier to the unified data management network element.
- the first shared key is the key Kausf negotiated with the remote authentication service function network element when the remote terminal device accesses the network.
- FIG. 14 shows a schematic structural diagram of a communication device 140 .
- the communication device 140 includes a processing module 1401 and a transceiver module 1402 .
- the processing module 1401 may also be called a processing unit, and is used to implement the processing function of the PKMF network element in the above method embodiments.
- step S702 in FIG. 7 is executed, and the processing function of the PKMF network element in FIG. 8 to FIG. 11 is performed.
- the transceiver module 1402 which may also be called a transceiver unit, is used to implement the transceiver function of the PKMF network element in the above method embodiments.
- the transceiver module 1402 may also be referred to as a transceiver circuit, a transceiver, or a communication interface.
- the transceiver module 1402 is configured to receive the first identifier and the relay service code of the remote terminal device, where the first identifier is the identifier of the remote terminal device corresponding to the relay service code, or the first identifier is the anonymous identifier of the remote terminal device; the processing module 1401 is configured to obtain the root key of the communication between the remote terminal device and the relay terminal device according to the first identifier, where the root key is generated from the first shared key, the relay service code, and at least one first freshness parameter, and the first shared key is the key shared by the remote terminal device and the remote authentication service function network element; the transceiver module 1402 is further configured to send the root key.
- the transceiver module 1402 is further configured to send the first identifier to the unified data management function network element; receive identification information of the remote authentication service function network element from the unified data management function network element; according to the identification information, send the first identifier to the corresponding remote authentication service function network element; and receive the root key from the remote authentication service function network element.
- the transceiver module 1402 is further configured to send the first identifier to the unified data management function network element; receive the identification information of the remote authentication service function network element and the permanent identifier of the remote terminal device from the unified data management function network element; according to the identification information, send the permanent identifier of the remote terminal device to the corresponding remote authentication service function network element; and receive the root key from the remote authentication service function network element.
- the transceiver module 1402 is further configured to receive at least one second shared key from the remote authentication service function network element, where the second shared key is the key shared by the remote terminal device and the proximity service key management function network element and is generated from the first shared key and the relay service code; the processing module 1401 is further configured to generate the root key for the communication between the remote terminal device and the relay terminal device according to the second shared key corresponding to the first identifier and at least one first freshness parameter.
- the transceiver module 1402 is further configured to receive second verification information; the processing module 1401 is further configured to generate fourth verification information according to the first freshness parameter and the second shared key, and to compare the second verification information with the fourth verification information in order to verify the remote terminal device.
- the at least one first freshness parameter includes a first random number
- the transceiver module 1402 is further configured to receive the first random number
- the at least one first freshness parameter includes a second random number
- the transceiver module 1402 is further configured to send the second random number
- the at least one first freshness parameter is the value of a counter maintained locally by the proximity service key management function network element.
- the first shared key is the key Kausf negotiated with the remote authentication service function network element when the remote terminal device accesses the network.
- A module herein may refer to a specific ASIC, a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the functions described above.
- the function/implementation process of the processing module may be implemented by the processor in the communication device calling the computer-executed instructions stored in the memory.
- the function/implementation process of the transceiver module can be implemented through a transceiver or a communication interface in the communication device.
- an embodiment of the present application further provides a communication device.
- the communication device 150 includes a processor 1501, a memory 1502 and a transceiver 1503.
- the processor 1501 is coupled to the memory 1502. When the processor 1501 executes the computer-executable instructions stored in the memory 1502, the methods corresponding to the remote terminal device in FIG. 2 to FIG. 11 are executed.
- an embodiment of the present application further provides a communication device.
- the communication device 160 includes a processor 1601, a memory 1602, and a communication interface 1603.
- the processor 1601 is coupled to the memory 1602. When the processor 1601 executes the computer-executable instructions stored in the memory 1602, the methods corresponding to the AUSF network element (for example, the remote AUSF network element or the relay AUSF network element) in FIG. 2 to FIG. 11 are executed.
- an embodiment of the present application further provides a communication device.
- the communication device 170 includes a processor 1701, a memory 1702, and a communication interface 1703.
- the processor 1701 is coupled to the memory 1702. When the processor 1701 executes the computer-executable instructions stored in the memory 1702, the methods corresponding to the PKMF network element in FIG. 2 to FIG. 11 are executed.
- Embodiments of the present application also provide a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when it runs on a computer or a processor, it causes the computer or the processor to execute the methods corresponding to the remote terminal device in FIG. 2 to FIG. 11.
- Embodiments of the present application also provide a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when it runs on a computer or a processor, it causes the computer or the processor to execute the methods corresponding to the AUSF network element (for example, the remote AUSF network element or the relay AUSF network element) in FIG. 2 to FIG. 11.
- Embodiments of the present application also provide a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when it runs on a computer or a processor, it causes the computer or the processor to execute the methods corresponding to the PKMF network element in FIG. 2 to FIG. 11.
- Embodiments of the present application also provide a computer program product containing instructions; when the instructions are executed on a computer or processor, the computer or processor executes the methods corresponding to the remote terminal device in FIG. 2 to FIG. 11.
- Embodiments of the present application also provide a computer program product containing instructions; when the instructions are executed on a computer or processor, the computer or processor executes the methods corresponding to the AUSF network element (for example, the remote AUSF network element or the relay AUSF network element) in FIG. 2 to FIG. 11.
- Embodiments of the present application also provide a computer program product containing instructions; when the instructions are executed on a computer or processor, the computer or processor executes the methods corresponding to the PKMF network element in FIG. 2 to FIG. 11.
- An embodiment of the present application provides a chip system, where the chip system includes a processor, which is used to enable the communication device to execute the method corresponding to the remote terminal device in FIG. 2 to FIG. 11, the method corresponding to the AUSF network element (for example, the remote AUSF network element or the relay AUSF network element) in FIG. 2 to FIG. 11, or the method corresponding to the PKMF network element in FIG. 2 to FIG. 11.
- the chip system further includes a memory for storing necessary program instructions and data.
- the chip system may include chips, integrated circuits, or chips and other discrete devices, which are not specifically limited in this embodiment of the present application.
- the communication device, chip, computer storage medium, computer program product and chip system provided in this application are all used to execute the methods described above; therefore, for the beneficial effects they can achieve, reference may be made to the beneficial effects of the embodiments provided above, which will not be repeated here.
- the processor involved in the embodiments of the present application may be a chip.
- it may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processor unit (CPU), a network processor (NP), a digital signal processing circuit (DSP), a microcontroller (MCU), a programmable logic device (PLD) or another integrated chip.
- the memory involved in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
- the non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
- Volatile memory may be random access memory (RAM), which acts as an external cache. By way of example, the RAM may be dynamic random access memory (DRAM), synchronous DRAM (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM) or direct rambus RAM (DR RAM).
- the size of the sequence numbers of the above-mentioned processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
- the disclosed systems, devices and methods may be implemented in other manners.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
- the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
- the above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
- when implemented by a software program, they may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, all or part of the processes or functions described in the embodiments of the present application are generated.
- the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired (eg, coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (eg, infrared, radio, microwave) means.
- the computer-readable storage medium can be any available medium that can be accessed by a computer, or data storage devices including one or more servers, data centers, etc. that can be integrated with the medium.
- the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (eg, a Solid State Disk (SSD)), and the like.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Telephonic Communication Services (AREA)
- Mobile Radio Communication Systems (AREA)
Claims (46)
- 1. A key obtaining method, characterized in that it includes: a remote terminal device sends a first identifier and a relay service code to a relay terminal device, where the first identifier is an identifier of the remote terminal device corresponding to the relay service code, or the first identifier is an anonymous identifier of the remote terminal device; the remote terminal device generates, according to a first shared key, the relay service code and at least one first freshness parameter, a root key for communication between the remote terminal device and the relay terminal device, where a remote authentication service function network element is the authentication service function network element serving the remote terminal device, and the first shared key is a key shared between the remote terminal device and the remote authentication service function network element.
- 2. The method according to claim 1, characterized in that the first identifier is a subscription concealed identifier (SUCI) of the remote terminal device.
- 3. The method according to claim 1, characterized in that it further includes: the remote terminal device obtains the first identifier.
- 4. The method according to claim 3, characterized in that the remote terminal device obtaining the first identifier includes: the remote terminal device sends the relay service code; the remote terminal device receives the first identifier corresponding to the relay service code.
- 5. The method according to claim 3, characterized in that it further includes: the remote terminal device generates a temporary identifier according to the first shared key and the relay service code; the remote terminal device obtains the first identifier according to the temporary identifier.
- 6. The method according to claim 5, characterized in that the remote terminal device generating the temporary identifier according to the first shared key and the relay service code includes: the remote terminal device generates the temporary identifier according to the first shared key, the relay service code and a second freshness parameter.
- 7. The method according to claim 3, characterized in that the remote terminal device obtaining the first identifier includes: the remote terminal device generates the first identifier according to a second freshness parameter, a routing indicator and a home network identifier.
- 8. The method according to claim 6 or 7, characterized in that it further includes: the remote terminal device sends the relay service code; the remote terminal device receives the second freshness parameter corresponding to the relay service code.
- 9. The method according to claim 6 or 7, characterized in that the second freshness parameter is the value of a counter maintained locally by the remote terminal device.
- 10. The method according to any one of claims 3 to 9, characterized in that the first identifier includes a routing indicator and a home network identifier.
- 11. The method according to any one of claims 1 to 10, characterized in that it further includes: the remote terminal device sends first verification information to the relay terminal device, where the first verification information is generated from a first temporary key and all or part of the information elements of the message carrying the first verification information, and the first temporary key is generated from the first shared key.
- 12. The method according to claim 11, characterized in that the first temporary key is generated from at least one of the relay service code, a third freshness parameter, a second identifier of the remote terminal device and the first identifier, together with the first shared key, where the third freshness parameter is generated by the remote terminal device.
- 13. The method according to any one of claims 1 to 12, characterized in that it further includes: the remote terminal device sends second verification information to the relay terminal device, where the second verification information is generated from the first freshness parameter, the relay service code and the first shared key.
- 14. The method according to any one of claims 1 to 13, characterized in that the at least one first freshness parameter includes a first random number, and the method further includes: the remote terminal device sends the first random number to the relay terminal device.
- 15. The method according to any one of claims 1 to 14, characterized in that the at least one first freshness parameter includes a second random number, and the method further includes: the remote terminal device receives the second random number from the relay terminal device.
- 16. The method according to any one of claims 1 to 13, characterized in that the at least one first freshness parameter is the value of a counter maintained locally by the remote terminal device.
- 17. The method according to any one of claims 1 to 16, characterized in that the first shared key is the key Kausf negotiated with the remote authentication service function network element when the remote terminal device accesses the network.
- 18. The method according to any one of claims 1 to 17, characterized in that the remote terminal device generating, according to the first shared key, the relay service code and the at least one first freshness parameter, the root key for communication between the remote terminal device and the relay terminal device includes: the remote terminal device generates a second shared key according to the first shared key and the relay service code, and generates the root key according to the second shared key and the at least one first freshness parameter, where the second shared key is a key shared between the remote terminal device and a proximity service key management function network element.
- 19. A key obtaining method, characterized in that it includes: a remote authentication service function network element obtains one of a first identifier and a second identifier of a remote terminal device, and a relay service code, where the second identifier is a permanent identity of the remote terminal device and the first identifier is an identifier of the remote terminal device corresponding to the relay service code; the remote authentication service function network element obtains a first shared key corresponding to the first identifier or the second identifier, where the first shared key is a key shared between the remote terminal device and the remote authentication service function network element; the remote authentication service function network element generates, according to the first shared key, the relay service code and at least one first freshness parameter, a root key for communication between the remote terminal device and a relay terminal device; the remote authentication service function network element sends the root key.
- 20. The method according to claim 19, characterized in that the remote authentication service function network element obtaining one of the first identifier and the second identifier of the remote terminal device includes: the remote authentication service function network element receives one of the first identifier and the second identifier of the remote terminal device.
- 21. The method according to claim 19, characterized in that the remote authentication service function network element obtaining one of the first identifier and the second identifier of the remote terminal device includes: the remote authentication service function network element generates a temporary identifier according to the first shared key and the relay service code; the remote authentication service function network element generates the first identifier according to the temporary identifier.
- 22. The method according to claim 21, characterized in that the remote authentication service function network element generating the temporary identifier according to the first shared key and the relay service code includes: the remote terminal device generates the temporary identifier according to the first shared key, the relay service code and a second freshness parameter.
- 23. The method according to claim 19, characterized in that the remote authentication service function network element obtaining one of the first identifier and the second identifier of the remote terminal device includes: the remote authentication service function network element generates the first identifier according to a second freshness parameter, a routing indicator and a home network identifier of the remote terminal device.
- 24. The method according to claim 22 or 23, characterized in that the second freshness parameter is the value of a counter maintained locally by the remote authentication service function network element.
- 25. The method according to claim 22 or 23, characterized in that it further includes: the remote authentication service function network element receives the relay service code; the remote authentication service function network element sends the second freshness parameter.
- 26. The method according to any one of claims 19 to 25, characterized in that it further includes: the remote authentication service function network element receives the relay service code; the remote authentication service function network element sends the first identifier.
- 27. The method according to any one of claims 19 to 26, characterized in that the first identifier includes a routing indicator and a home network identifier.
- 28. The method according to any one of claims 19 to 27, characterized in that it further includes: the remote authentication service function network element receives first verification information; the remote authentication service function network element generates a first temporary key according to the first shared key, and obtains third verification information according to the first temporary key and all or part of the information elements of the message carrying the first verification information; the remote authentication service function network element compares the first verification information with the third verification information to verify the remote terminal device.
- 29. The method according to claim 28, characterized in that the remote authentication service function network element generating the first temporary key according to the first shared key includes: the remote authentication service function network element generates the first temporary key according to at least one of the relay service code, a third freshness parameter, the second identifier and the first identifier of the remote terminal device, together with the first shared key, where the third freshness parameter is generated by the remote terminal device.
- 30. The method according to any one of claims 19 to 29, characterized in that the at least one first freshness parameter includes a first random number, and the method further includes: the remote authentication service function network element receives the first random number.
- 31. The method according to any one of claims 19 to 30, characterized in that the at least one first freshness parameter includes a second random number, and the method further includes: the remote authentication service function network element sends the second random number.
- 32. The method according to any one of claims 19 to 30, characterized in that the at least one first freshness parameter is the value of a counter maintained locally by the remote authentication service function network element.
- 33. The method according to any one of claims 19 to 32, characterized in that it further includes: the remote authentication service function network element sends the first identifier to a unified data management network element.
- 34. The method according to any one of claims 19 to 33, characterized in that the first shared key is the key Kausf negotiated with the remote authentication service function network element when the remote terminal device accesses the network.
- 35. A key obtaining method, characterized in that it includes: a proximity service key management function network element receives a first identifier and a relay service code of a remote terminal device, where the first identifier is an identifier of the remote terminal device corresponding to the relay service code, or the first identifier is an anonymous identifier of the remote terminal device; the proximity service key management function network element obtains, according to the first identifier, a root key for communication between the remote terminal device and a relay terminal device, where the root key is generated from a first shared key, the relay service code and at least one first freshness parameter, and the first shared key is a key shared between the remote terminal device and a remote authentication service function network element; the proximity service key management function network element sends the root key.
- 36. The method according to claim 35, characterized in that the proximity service key management function network element obtaining, according to the first identifier, the root key for communication between the remote terminal device and the relay terminal device includes: the proximity service key management function network element sends the first identifier to a unified data management function network element; the proximity service key management function network element receives identification information of the remote authentication service function network element from the unified data management function network element; the proximity service key management function network element sends, according to the identification information, the first identifier to the corresponding remote authentication service function network element; the proximity service key management function network element receives the root key from the remote authentication service function network element.
- 37. The method according to claim 35, characterized in that the proximity service key management function network element obtaining, according to the first identifier, the root key for communication between the remote terminal device and the relay terminal device includes: the proximity service key management function network element sends the first identifier to a unified data management function network element; the proximity service key management function network element receives identification information of the remote authentication service function network element and the permanent identity of the remote terminal device from the unified data management function network element; the proximity service key management function network element sends, according to the identification information, the permanent identity of the remote terminal device to the corresponding remote authentication service function network element; the proximity service key management function network element receives the root key from the remote authentication service function network element.
- 38. The method according to claim 35, characterized in that the proximity service key management function network element obtaining, according to the first identifier, the root key for communication between the remote terminal device and the relay terminal device includes: the proximity service key management function network element receives at least one second shared key from a remote authentication service function network element, where the second shared key is a key shared between the remote terminal device and the proximity service key management function network element, and the second shared key is generated from the first shared key and the relay service code; the proximity service key management function network element generates, according to the second shared key corresponding to the first identifier and at least one first freshness parameter, the root key for communication between the remote terminal device and the relay terminal device.
- 39. The method according to claim 38, characterized in that it further includes: the proximity service key management function network element receives second verification information; the proximity service key management function network element generates fourth verification information according to the first freshness parameter and the second shared key; the proximity service key management function network element compares the second verification information with the fourth verification information to verify the remote terminal device.
- 40. The method according to any one of claims 35 to 39, characterized in that the at least one first freshness parameter includes a first random number, and the method further includes: the proximity service key management function network element receives the first random number.
- 41. The method according to any one of claims 35 to 40, characterized in that the at least one first freshness parameter includes a second random number, and the method further includes: the proximity service key management function network element sends the second random number.
- 42. The method according to any one of claims 35 to 39, characterized in that the at least one first freshness parameter is the value of a counter maintained locally by the proximity service key management function network element.
- 43. The method according to any one of claims 35 to 42, characterized in that the first shared key is the key Kausf negotiated with the remote authentication service function network element when the remote terminal device accesses the network.
- 44. A communication apparatus, characterized in that it includes a processor, the processor is connected to a memory, the memory is used to store a computer program, and the processor is used to execute the computer program stored in the memory, so that the communication apparatus performs the method according to any one of claims 1 to 18.
- 45. A communication apparatus, characterized in that it includes a processor, the processor is connected to a memory, the memory is used to store a computer program, and the processor is used to execute the computer program stored in the memory, so that the communication apparatus performs the method according to any one of claims 19 to 34.
- 46. A communication apparatus, characterized in that it includes a processor, the processor is connected to a memory, the memory is used to store a computer program, and the processor is used to execute the computer program stored in the memory, so that the communication apparatus performs the method according to any one of claims 35 to 43.
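The key hierarchy of claims 18, 38 and 39 (Kausf and relay service code to a second shared key, second shared key and freshness parameters to the root key, plus the verification information the PKMF recomputes), walked through on both sides as an added example that is not the patent's own code. The claims fix no algorithm, so HMAC-SHA256 is assumed as both KDF and MAC, and every key, code and nonce value is constructed for illustration.

```python
import hashlib
import hmac

# Added example, not the patent's own code. Claims 18, 38 and 39 say only that
# keys are "generated according to" their inputs, so HMAC-SHA256 is assumed
# here as both KDF and MAC. All key, code and nonce values are constructed.

KAUSF = bytes(range(32))                 # constructed first shared key (Kausf)
RSC = b"RSC-0001"                        # constructed relay service code
NONCE_REMOTE = bytes.fromhex("a1" * 16)  # constructed first random number (remote UE)
NONCE_RELAY = bytes.fromhex("b2" * 16)   # constructed second random number (network)


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over length-prefixed inputs, so that the
    input lists (b"ab", b"c") and (b"a", b"bc") never collide."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def second_shared_key(kausf: bytes, rsc: bytes) -> bytes:
    """Claims 18/38: second shared key (remote UE <-> PKMF) from Kausf and the
    relay service code; binding the RSC gives each relay service its own key."""
    return kdf(kausf, b"K2", rsc)


def root_key(k2: bytes, nonce_remote: bytes, nonce_relay: bytes) -> bytes:
    """Claims 18/38: root key from the second shared key and the first
    freshness parameters contributed by both sides."""
    return kdf(k2, b"KROOT", nonce_remote, nonce_relay)


def verification_info(k2: bytes, nonce_remote: bytes, rsc: bytes) -> bytes:
    """Claims 13/39: verification information over the freshness parameter and
    RSC. It is keyed with K2 (itself derived from Kausf and RSC) so that the
    PKMF, which holds only K2, can recompute it (assumption of this example)."""
    return kdf(k2, b"VERIFY", nonce_remote, rsc)


def pkmf_verify(k2: bytes, nonce_remote: bytes, rsc: bytes, received: bytes) -> bool:
    """Claim 39: the PKMF recomputes the fourth verification information and
    compares it, in constant time, with the received second verification info."""
    expected = verification_info(k2, nonce_remote, rsc)
    return hmac.compare_digest(expected, received)


def run_exchange(kausf: bytes, rsc: bytes, nonce_remote: bytes,
                 nonce_relay: bytes, tamper: bool = False) -> dict:
    """Run both sides of the derivation; tamper=True models a message whose
    nonce was altered between the remote UE and the PKMF."""
    # Remote UE side (claims 13, 14, 18): it already holds Kausf.
    k2_ue = second_shared_key(kausf, rsc)
    kroot_ue = root_key(k2_ue, nonce_remote, nonce_relay)
    mac = verification_info(k2_ue, nonce_remote, rsc)

    # What the network receives after the relay forwards the message.
    seen_nonce = bytes(b ^ 0xFF for b in nonce_remote) if tamper else nonce_remote

    # PKMF side (claims 38, 39): it holds K2 as delivered by the remote AUSF,
    # which derived it from Kausf and RSC; the PKMF never sees Kausf itself.
    k2_pkmf = second_shared_key(kausf, rsc)
    verified = pkmf_verify(k2_pkmf, seen_nonce, rsc, mac)
    kroot_pkmf = root_key(k2_pkmf, seen_nonce, nonce_relay) if verified else None
    return {"verified": verified, "root_key_match": kroot_pkmf == kroot_ue}


if __name__ == "__main__":
    print(run_exchange(KAUSF, RSC, NONCE_REMOTE, NONCE_RELAY))
    print(run_exchange(KAUSF, RSC, NONCE_REMOTE, NONCE_RELAY, tamper=True))
```

The second run shows why the verification step precedes root key derivation: an altered freshness parameter is rejected before any root key is handed to the relay.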
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA3197006A CA3197006A1 (en) | 2020-10-30 | 2020-10-30 | Key obtaining method and communication apparatus |
EP20959191.6A EP4224777A4 (en) | 2020-10-30 | 2020-10-30 | KEY ACQUISITION METHOD AND COMMUNICATION APPARATUS |
PCT/CN2020/125224 WO2022088029A1 (zh) | 2020-10-30 | 2020-10-30 | 密钥获取方法和通信装置 |
CN202080106820.2A CN116458109A (zh) | 2020-10-30 | 2020-10-30 | 密钥获取方法和通信装置 |
US18/309,567 US20230319556A1 (en) | 2020-10-30 | 2023-04-28 | Key obtaining method and communication apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2020/125224 WO2022088029A1 (zh) | 2020-10-30 | 2020-10-30 | 密钥获取方法和通信装置 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/309,567 Continuation US20230319556A1 (en) | 2020-10-30 | 2023-04-28 | Key obtaining method and communication apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022088029A1 true WO2022088029A1 (zh) | 2022-05-05 |
Family
ID=81383491
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/125224 WO2022088029A1 (zh) | 2020-10-30 | 2020-10-30 | 密钥获取方法和通信装置 |
Country Status (5)
Country | Link |
---|---|
US (1) | US20230319556A1 (zh) |
EP (1) | EP4224777A4 (zh) |
CN (1) | CN116458109A (zh) |
CA (1) | CA3197006A1 (zh) |
WO (1) | WO2022088029A1 (zh) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023216932A1 (zh) * | 2022-05-13 | 2023-11-16 | 华为技术有限公司 | 通信方法和装置 |
WO2023216081A1 (zh) * | 2022-05-09 | 2023-11-16 | 北京小米移动软件有限公司 | 一种通信方法、装置及存储介质 |
WO2024001086A1 (zh) * | 2022-06-27 | 2024-01-04 | 中国电信股份有限公司 | 一种基于共享密钥进行数据通信的方法、装置、设备和介质 |
WO2024020868A1 (zh) * | 2022-07-27 | 2024-02-01 | 北京小米移动软件有限公司 | 密钥生成方法及装置、通信设备及存储介质 |
WO2024066667A1 (zh) * | 2022-09-30 | 2024-04-04 | 大唐移动通信设备有限公司 | 密钥管理方法、装置及设备 |
WO2024065549A1 (zh) * | 2022-09-29 | 2024-04-04 | 北京小米移动软件有限公司 | 直连通信密钥生成方法及装置 |
WO2024087071A1 (zh) * | 2022-10-26 | 2024-05-02 | 华为技术有限公司 | 一种通信方法、装置及系统 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109716810A (zh) * | 2017-01-06 | 2019-05-03 | 华为技术有限公司 | 授权验证方法和装置 |
CN109842880A (zh) * | 2018-08-23 | 2019-06-04 | 华为技术有限公司 | 路由方法、装置及系统 |
US20190223063A1 (en) * | 2018-01-12 | 2019-07-18 | Qualcomm Incorporated | Method and apparatus for multiple registrations |
2020
- 2020-10-30 EP EP20959191.6A patent/EP4224777A4/en active Pending
- 2020-10-30 CA CA3197006A patent/CA3197006A1/en active Pending
- 2020-10-30 WO PCT/CN2020/125224 patent/WO2022088029A1/zh active Application Filing
- 2020-10-30 CN CN202080106820.2A patent/CN116458109A/zh active Pending
2023
- 2023-04-28 US US18/309,567 patent/US20230319556A1/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109716810A (zh) * | 2017-01-06 | 2019-05-03 | 华为技术有限公司 | 授权验证方法和装置 |
US20190223063A1 (en) * | 2018-01-12 | 2019-07-18 | Qualcomm Incorporated | Method and apparatus for multiple registrations |
CN109842880A (zh) * | 2018-08-23 | 2019-06-04 | 华为技术有限公司 | 路由方法、装置及系统 |
Non-Patent Citations (1)
Title |
---|
See also references of EP4224777A4 * |
Also Published As
Publication number | Publication date |
---|---|
US20230319556A1 (en) | 2023-10-05 |
CA3197006A1 (en) | 2022-05-05 |
EP4224777A1 (en) | 2023-08-09 |
EP4224777A4 (en) | 2023-11-01 |
CN116458109A (zh) | 2023-07-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2022088029A1 (zh) | 密钥获取方法和通信装置 | |
US11743970B2 (en) | Session establishment method and apparatus, and packet sending method and apparatus | |
JP7035163B2 (ja) | ネットワークセキュリティ管理方法および装置 | |
WO2020029938A1 (zh) | 安全会话方法和装置 | |
WO2020048512A1 (zh) | 通信方法和装置 | |
US11375367B2 (en) | System and method for deriving a profile for a target endpoint device | |
CN112534851B (zh) | 委托数据连接 | |
EP3304856A1 (en) | Unified authentication for integrated small cell and wi-fi networks | |
KR102094216B1 (ko) | 이동 통신 시스템 환경에서 프락시미티 기반 서비스 단말 간 발견 및 통신을 지원하기 위한 보안 방안 및 시스템 | |
WO2021208861A1 (zh) | 授权方法、策略控制功能设备和接入和移动管理功能设备 | |
WO2020253701A1 (zh) | 管理背景数据传输策略的方法、装置和系统 | |
CN112566149A (zh) | 配置业务的方法、通信装置和通信系统 | |
EP4221005A1 (en) | Multipath transmission method and communication apparatus | |
EP4262257A1 (en) | Secure communication method and device | |
CN113811025A (zh) | 一种释放中继连接的方法、设备及系统 | |
CN113938911A (zh) | 一种通信方法、设备及系统 | |
EP4181542A1 (en) | Proximity service communication method, management network element, terminal device, and communication system | |
CN116723507B (zh) | 针对边缘网络的终端安全方法及装置 | |
WO2020253408A1 (zh) | 二级认证的方法和装置 | |
CN116567620A (zh) | 通信方法及装置 | |
WO2020221019A1 (zh) | 一种密钥协商方法及装置 | |
WO2023160390A1 (zh) | 通信方法与装置 | |
WO2024092624A1 (en) | Encryption key transfer method and device for roaming users in communication networks | |
WO2024032218A1 (zh) | 通信方法和通信装置 | |
CN113412679B (zh) | 通信方法及装置 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20959191 Country of ref document: EP Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 3197006 Country of ref document: CA |
| WWE | Wipo information: entry into national phase | Ref document number: 202080106820.2 Country of ref document: CN |
| ENP | Entry into the national phase | Ref document number: 2020959191 Country of ref document: EP Effective date: 20230505 |
| NENP | Non-entry into the national phase | Ref country code: DE |