WO2022094812A1 - Slice isolation method, apparatus and system - Google Patents

Slice isolation method, apparatus and system

Info

Publication number: WO2022094812A1
Authority: WO (WIPO, PCT)
Prior art keywords: slice, key, attribute, user equipment, information
Application number: PCT/CN2020/126579
Other languages: English (en), French (fr)
Inventor: 雷中定
Original assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Related applications and publications:
    • PCT/CN2020/126579 (priority application), published as WO2022094812A1 (this document)
    • EP20960274.7A, published as EP4228305A4
    • CN202080106568.5A, published as CN116349197A
    • US18/310,121, published as US20230269577A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/06 Authentication
    • H04W 12/08 Access security
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/18 Selecting a network or a communication service
    • H04W 60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W 24/00 Supervisory, monitoring or testing arrangements
    • H04W 24/02 Arrangements for optimising operational condition

Definitions

  • the present application relates to the field of wireless communication technologies, and in particular, to a method, device, and system for slice isolation.
  • the Global System for Mobile Communications Association (GSMA) defines common attributes for generic slice templates, referred to as slice attributes. User equipment may use multiple slices at the same time. Some network resources may be shared among multiple slices, and if proper isolation is not performed, there is a risk of information leaking from one slice to another.
  • the existing 3rd generation partnership project (3GPP) standard allows user equipment to access different slices in a time-sharing manner.
  • the access and mobility management function AMF
  • different slices may be served by the same AMF or by different AMFs. Therefore, the user equipment may access slice 1 at a certain time; after completing the services on slice 1, the user equipment exits slice 1 and the network, and may later access slice 2.
  • the security context corresponding to slice 1 may be retained in the user equipment and in the network.
  • when the user equipment then accesses slice 2, slice 2 may obtain and use the currently saved security context, so that information related to slice 1 can be acquired by slice 2 and the information of slice 1 may be leaked.
  • Embodiments of the present application provide a slice isolation method, device, and system, so as to avoid information leakage between slices and ensure control signaling and data security between slices.
  • a method for isolating slices, including: a first network device acquires information of a first slice of a user equipment; if the information of the first slice does not match the information of a second slice that the user equipment requests to access, the first network device obtains a second key, and the second key is used to perform security protection on the information of the second slice and/or the information exchanged when the user equipment accesses the second slice.
  • the second key is a key used by the user equipment and the network when the user equipment accesses the second slice.
  • the second key is used to perform security protection on the information of the second slice and/or the information when the user equipment accesses the second slice.
  • the second key is the key of the first network device (such as an AMF); for example, the second key is the key of the first network device when the user equipment accesses the second slice.
  • the second key is a key for the second slice, that is, a key specific to the second slice.
  • the "information" involved in the embodiments of this application includes, but is not limited to, slice-related control signaling and user data.
  • the first network device can re-acquire the second key when the information of the currently saved first slice does not match the information of the second slice requested to be accessed, so as to ensure that the information of the second slice is protected by the second key and can only be decrypted correctly by using the second key; this avoids the information of the second slice also being obtainable with other keys and ensures information security between slices.
  • the information of the first slice includes attributes of the first slice, and the information of the second slice includes attributes of the second slice; that the information of the first slice does not match the information of the second slice requested by the user equipment means that the attributes of the first slice do not match the attributes of the second slice, in which case the first network device obtains the second key.
  • the attribute of a slice can be used to describe whether the slice may be shared with other slices. Therefore, when the attributes of the slices do not match, it is determined that the first slice and the second slice cannot be shared by the user equipment, so that the key used when the user equipment accesses the first slice is distinguished from the key used when the user equipment accesses the second slice, avoiding information leakage between slices.
  • obtaining the second key by the first network device includes:
  • the first network device generates the second key according to the first key, where the first key is used to perform security protection on the information of the first slice and/or the information exchanged when the user equipment accesses the first slice.
  • the first key is a key used by the user equipment and the network when the user equipment accesses the first slice.
  • the first key is used to perform security protection on the information of the first slice and/or the information when the user equipment accesses the first slice.
  • the first key is the key of the first network device; for example, the first key is the key of the first network device when the user equipment accesses the first slice.
  • the first key is a key for the first slice, that is, a key specific to the first slice.
  • generating the second key according to the first key can not only ensure the security of information between slices, but also reduce the amount of data exchanged between the user equipment and the network equipment.
  • the first network device generates the second key according to the first key, including:
  • if the isolation requirement of the first slice is higher than the isolation requirement of the second slice, the first network device generates the second key according to the first key.
  • when the isolation requirement of the previously accessed slice is higher than that of the slice to be accessed this time, a new key is generated from the currently saved key; this ensures information security between slices while reducing the amount of data exchanged between the user equipment and the network equipment.
  • obtaining the second key by the first network device includes:
  • the first network device re-authenticates the user equipment, and if the re-authentication succeeds, the first network device generates or receives the second key.
  • the first network device can ensure information security between slices by re-performing network authentication on the user equipment.
  • the second key may be generated by the first network device or by another network device. If the second key is generated by another network device, the first network device obtains it from that device, that is, the first network device receives the second key from the other network device.
  • the first network device re-authenticates the user equipment, including:
  • the first network device performs network authentication on the user equipment again.
  • when the isolation requirements of the previously accessed slice are lower than those of the slice to be accessed this time, re-authenticating the user equipment with the network to generate a new key can further improve the security of information between slices.
  • the attributes of the first slice do not match the attributes of the second slice, including:
  • the attributes of the first slice or the attributes of the second slice are not allowed to be shared with slices of any other attribute; or
  • the attribute of the first slice is only allowed to be shared by slices with the same service type SST, and the SST of the attribute of the second slice is different from the SST of the attribute of the first slice; or
  • the attribute of the second slice is only allowed to be shared by slices with the same service type SST, and the SST of the attribute of the first slice is different from the SST of the attribute of the second slice; or
  • the attributes of the first slice are only allowed to be shared by slices with the same slice differentiation factor SD, and the SD of the attributes of the second slice is different from the SD of the attributes of the first slice; or
  • the attributes of the second slice are only allowed to be shared by slices having the same slice differentiation factor SD, and the SD of the attributes of the first slice is different from the SD of the attributes of the second slice.
  • the first network device may also send a registration accept message to the user equipment.
  • the first network device and the user equipment may continue to complete the registration process.
  • the attributes of the first slice match the attributes of the second slice, including:
  • the attributes of the first slice or the attributes of the second slice are allowed to be shared with slices of any other attribute; or
  • the attribute of the first slice is only allowed to be shared by slices with the same SST, and the SST of the attribute of the second slice is the same as the SST of the attribute of the first slice;
  • the attribute of the second slice is only allowed to be shared by slices with the same SST, and the SST of the attribute of the first slice is the same as the SST of the attribute of the second slice; or
  • the attribute of the first slice is only allowed to be shared by slices with the same SD, and the SD of the attribute of the second slice is the same as the SD of the attribute of the first slice;
  • the attribute of the second slice is only allowed to be shared by slices with the same SD, and the SD of the attribute of the first slice is the same as the SD of the attribute of the second slice; or
  • the second slice and the first slice are mapped to the same single network slice selection assistance information S-NSSAI.
  • the attribute of the first slice does not match the attribute of the second slice, including all cases where the above attribute matching is not satisfied.
  • a method for isolating slices, including: the user equipment sends a first request message to a first network device, where the first request message is used to request access to a second slice; the user equipment receives a first indication message from the first network device, where the first indication message is used to instruct the user equipment to obtain a second key; the user equipment obtains the second key, and the second key is used to perform security protection on the information of the second slice and/or the information exchanged when the user equipment accesses the second slice.
  • the first network device can re-acquire the second key when the information of the currently saved first slice does not match the information of the second slice requested to be accessed, so as to ensure that the information of the second slice is protected by the second key and can only be decrypted correctly by using the second key; this avoids the information of the second slice also being obtainable with other keys and ensures information security between slices.
  • obtaining the second key by the user equipment includes:
  • the user equipment obtains a first key, where the first key is used to perform security protection on the information of the first slice and/or the information exchanged when the user equipment accesses the first slice;
  • the user equipment generates the second key according to the first key.
  • Generating the second key according to the first key can not only ensure information security between slices, but also reduce the amount of data exchanged between the user equipment and the network equipment.
  • obtaining the second key by the user equipment includes:
  • if the re-authentication between the user equipment and the first network device succeeds, the user equipment generates or receives the second key.
  • the first network device can ensure data security between slices by performing network authentication on the user equipment again.
  • the second key may be generated by the user equipment, or may be generated by a network device (eg, the first network device). If the second key is generated by a network device, the user equipment may obtain the second key in the network device, that is, the user equipment receives the second key from the network device.
  • the user equipment may also receive a registration acceptance message from the first network device.
  • the first network device and the user equipment may continue to complete the registration process.
  • a slice isolation method, including: a first network device receives a deregistration request message, or sends a deregistration request message, and the first network device deletes a third key of the user equipment, where the third key is used to perform security protection on the information of a third slice and/or the information exchanged when the user equipment accesses the third slice, and the third slice is the last slice accessed by the user equipment.
  • the third key is a key used by the user equipment and the network when the user equipment accesses the third slice.
  • the third key is used to perform security protection on the information of the third slice and/or the information when the user equipment accesses the third slice.
  • the third key is the key of the first network device; for example, the third key is the key of the first network device when the user equipment accesses the third slice.
  • the third key is a key for the third slice, that is, a key specific to the third slice.
  • the first network device deletes the third key of the deregistered user equipment, and regenerates the key for the subsequently accessed slice, thereby avoiding information leakage between slices.
  • deleting the third key of the user equipment by the first network device includes: if the first network device determines that the attribute of the third slice is not allowed to be shared with a slice of any other attribute, the first network device deletes the third key of the user equipment. Deleting the key of an exclusive slice with high isolation requirements prevents subsequently accessed slices from using the exclusive key, thereby ensuring data security between slices.
  • the first network device may also send a de-registration accept message to the user equipment.
  • a slice isolation method, including: a user equipment sends a deregistration request message, or receives a deregistration request message, and the user equipment deletes its third key, where the third slice is the slice last accessed by the user equipment and the third key is used to perform security protection on the information of the third slice and/or the information exchanged when the user equipment accesses the third slice.
  • the user equipment deletes the third key of the deregistered user equipment, and regenerates the key for the subsequently accessed slice, thereby avoiding information leakage between slices.
  • deleting the third key by the user equipment includes: if the user equipment determines that the attribute of the third slice is not allowed to be shared with a slice of any other attribute, the user equipment deletes its third key.
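The attribute-matching rules and the key decisions described above (reuse the saved key when the attributes match, derive the second key from the first key when the previously accessed slice has the higher isolation requirement, re-authenticate otherwise, and delete the key of an exclusive slice on deregistration), as an added Python model; this is example code, not code from the patent or from Huawei. The sharing-policy names, the isolation ordering, the precedence between the listed match and mismatch conditions and the HMAC-SHA-256 derivation are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Share(Enum):
    """Sharing policy carried in a slice's attributes (names are assumptions)."""
    ANY = "any"           # may be shared with slices of any other attribute
    SAME_SST = "sst"      # only with slices having the same service type (SST)
    SAME_SD = "sd"        # only with slices having the same slice differentiator (SD)
    NONE = "none"         # exclusive: not shared with slices of any other attribute


# Assumed ordering of isolation requirements: the narrower the sharing, the higher.
ISOLATION = {Share.ANY: 0, Share.SAME_SST: 1, Share.SAME_SD: 2, Share.NONE: 3}


@dataclass(frozen=True)
class Slice:
    sst: int
    sd: str
    share: Share
    mapped_snssai: Optional[str] = None  # S-NSSAI the slice maps to, if any


def attributes_match(first: Slice, second: Slice) -> bool:
    """Attribute matching as listed in the text; anything else is a mismatch."""
    # Two slices mapped to the same S-NSSAI are treated as the same slice. Assumption:
    # this and the explicit mismatch conditions are checked before the remaining
    # match conditions; the text lists the conditions without stating an order.
    if first.mapped_snssai is not None and first.mapped_snssai == second.mapped_snssai:
        return True
    for own, other in ((first, second), (second, first)):
        if own.share is Share.NONE:  # exclusive slice: never shared
            return False
        if own.share is Share.SAME_SST and own.sst != other.sst:
            return False
        if own.share is Share.SAME_SD and own.sd != other.sd:
            return False
    # Left over: each slice shares with any attribute, or its SST/SD restriction held.
    return True


def derive_slice_key(first_key: bytes, target: Slice) -> bytes:
    """Second key generated from the first key. Assumed KDF: HMAC-SHA-256 over the
    target slice identity; the text does not fix a derivation function."""
    label = f"slice-key|{target.sst}|{target.sd}".encode()
    return hmac.new(first_key, label, hashlib.sha256).digest()


@dataclass
class SecurityContext:
    """What the first network device (AMF) retains for a UE between slice accesses."""
    current: Optional[Slice] = None
    key: Optional[bytes] = None


def handle_registration(ctx: SecurityContext, requested: Slice,
                        reauthenticate: Callable[[], bytes]) -> tuple[str, SecurityContext]:
    """Network-side decision for a registration request that asks for `requested`.

    Returns the action taken and the new context. `reauthenticate` stands in for
    running primary authentication again and returns the fresh key it produces.
    """
    if ctx.current is None or ctx.key is None:
        return "authenticate", SecurityContext(requested, reauthenticate())
    if attributes_match(ctx.current, requested):
        # Shareable slices: the saved key keeps protecting the new slice.
        return "reuse", SecurityContext(requested, ctx.key)
    if ISOLATION[ctx.current.share] > ISOLATION[requested.share]:
        # Previous slice had the higher isolation requirement: derive a new key
        # from the saved one (one-way), with no extra authentication round trip.
        return "derive", SecurityContext(requested, derive_slice_key(ctx.key, requested))
    # Previous slice had the lower (assumed: or equal) requirement: re-authenticate.
    return "reauthenticate", SecurityContext(requested, reauthenticate())


def handle_deregistration(ctx: SecurityContext) -> SecurityContext:
    """On deregistration, delete the retained key if the last slice was exclusive,
    so a later slice cannot pick up the exclusive slice's key."""
    if ctx.current is not None and ctx.current.share is Share.NONE:
        return SecurityContext()
    return ctx


if __name__ == "__main__":
    # Constructed sample: an exclusive slice followed by a request for an open slice.
    exclusive = Slice(sst=1, sd="000001", share=Share.NONE)
    open_slice = Slice(sst=1, sd="000002", share=Share.ANY)
    action, ctx = handle_registration(SecurityContext(exclusive, bytes(32)),
                                      open_slice, lambda: b"fresh-key")
    print(action, ctx.key.hex())
```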
  • a slice isolation method, comprising: a second network device receives redirection information from a first network device, where the redirection information includes information of a fourth slice of the user equipment and/or information of a fifth slice that the user equipment requests to access;
  • the second network device re-authenticates the user equipment.
  • when the slice requested for access has an isolation requirement, the second network device re-authenticates the user equipment and generates a new key, which prevents the information leakage that would be caused by using the same key when the user equipment accesses the fourth slice and the fifth slice, and ensures information security between slices.
  • the second network device continues to perform authentication on the user equipment.
  • a communication device in a sixth aspect, has the function of implementing any of the above aspects or the implementation method in any of the aspects. This function can be implemented by hardware or by executing corresponding software by hardware.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • a communication device comprising a processor and a memory; the memory is used to store computer-executable instructions, and when the device is running, the processor executes the computer-executable instructions stored in the memory, so that the device performs the method in any implementation of any of the above aspects.
  • a communication apparatus comprising units or means for performing the steps of any of the above aspects.
  • a communication device comprising a processor and an interface circuit, the processor is configured to communicate with other devices through the interface circuit, and execute any method provided in any of the above aspects.
  • there are one or more processors.
  • a communication device including a processor, which is connected to a memory and used to invoke a program stored in the memory to execute the method in any implementation manner of any of the foregoing aspects.
  • the memory may be located within the device or external to the device.
  • there are one or more processors.
  • a computer-readable storage medium is provided, and instructions are stored in the computer-readable storage medium, which, when executed on a computer, cause a processor to perform the method described in any of the foregoing aspects.
  • a twelfth aspect provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of any of the preceding aspects.
  • a thirteenth aspect provides a chip system, including: a processor configured to execute the methods described in the above aspects.
  • a fourteenth aspect provides a communication system, comprising a first network device for executing the first aspect or any implementation method of the first aspect, and a user equipment for executing the second aspect or any implementation method of the second aspect.
  • a fifteenth aspect provides a communication system, comprising a first network device for executing the above third aspect or any implementation method of the third aspect, and a user equipment for executing the above fourth aspect or any implementation method of the fourth aspect.
  • a sixteenth aspect provides a communication system, including a first network device, a second network device and user equipment for executing the fifth aspect or any of the implementation methods of the fifth aspect.
  • a seventeenth aspect provides a chip system
  • the chip system includes a transceiver for implementing the functions of a network device or user equipment in the method of any of the above aspects, for example, receiving or sending the data and/or information involved in the above method.
  • the chip system further includes a memory for storing program instructions and/or data.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • FIG. 1 is a schematic diagram of a possible network architecture according to an embodiment of the present application
  • FIGS. 2A and 2B are schematic diagrams of a slice access scenario
  • FIG. 3, FIG. 4, FIG. 5, FIG. 6, FIG. 7, FIG. 8, FIG. 9 and FIG. 10 are schematic diagrams of a slice isolation process according to an embodiment of the present application.
  • FIG. 11 and FIG. 12 are schematic diagrams of a communication device according to an embodiment of the present application.
  • the word "exemplary" is used to mean serving as an example, instance or illustration. Any embodiment or design described in this application as "exemplary" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of the word is intended to present a concept in a concrete way.
  • the network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application.
  • with the evolution of the network architecture and the emergence of new service scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
  • UE User equipment
  • user equipment, also referred to as terminal equipment, is a device with wireless transceiver functions that communicates through an access device with one or more core network (CN) devices (which may also be referred to as core devices).
  • CN core network
  • User equipment may also be referred to as an access terminal, terminal, subscriber unit, subscriber station, mobile station, mobile, remote station, remote terminal, mobile device, user terminal, user agent, user device, or the like.
  • User equipment can be deployed on land, including indoor or outdoor, handheld or vehicle; can also be deployed on water (such as ships, etc.); can also be deployed in the air (such as aircraft, balloons and satellites, etc.).
  • the user equipment may be a cellular phone (cellular phone), a cordless phone, a session initiation protocol (SIP) phone, a smart phone (smart phone), a mobile phone (mobile phone), a wireless local loop (WLL) station, personal digital assistant (PDA), etc.
  • SIP session initiation protocol
  • PDA personal digital assistant
  • the user equipment may also be a handheld device with a wireless communication function, a computing device or other device connected to a wireless modem, an in-vehicle device, a wearable device, a drone device, a terminal in the Internet of Things or the Internet of Vehicles, any form of terminal in a fifth generation mobile communication (5G) network or a future network, a relay user equipment, a terminal in a future evolved PLMN, etc.
  • the relay user equipment may be, for example, a 5G home gateway (residential gateway, RG).
  • the user equipment can be a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical care (telemedicine), a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, etc.
  • VR virtual reality
  • AR augmented reality
  • This embodiment of the present application does not limit the type of the terminal device.
  • the network device may support at least one wireless communication technology, such as long term evolution (LTE), new radio (NR), wideband code division multiple access (WCDMA), and the like.
  • LTE long term evolution
  • NR new radio
  • WCDMA wideband code division multiple access
  • network equipment may include access network equipment.
  • the network equipment includes, but is not limited to: a next-generation base station or next-generation node B (gNB), an evolved node B (eNB), a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved node B or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), a mobile switching center, a small station, a micro station, etc.
  • gNB next-generation node B
  • eNB evolved node B
  • RNC radio network controller
  • NB node B
  • BSC base station controller
  • BTS base transceiver station
  • HNB home base station (for example, home evolved node B or home node B)
  • the network device may also be a wireless controller, a centralized unit (CU) and/or a distributed unit (DU) in a cloud radio access network (CRAN) scenario, or the network device may be a relay station, an access point, a vehicle-mounted device, a terminal, a wearable device, a network device in future mobile communications, or a network device in a future evolved public land mobile network (PLMN).
  • CU centralized unit
  • DU distributed unit
  • CRAN cloud radio access network
  • PLMN public land mobile network
  • the network device may include a core network (CN) device, and the core network device includes, for example, an AMF and the like.
  • CN core network
  • MNO public mobile network operator
  • 3GPP networks generally include, but are not limited to, 5G, 4th-generation (4th-generation, 4G) networks, and the like.
  • a PLMN is used as an example for description in this embodiment of the present application.
  • the technical solutions provided in the embodiments of the present application may also be applied to an LTE system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a universal mobile telecommunications system (UMTS), a worldwide interoperability for microwave access (WiMAX) communication system, a 5G communication system or NR, and other future communication systems such as 6G.
  • WiMAX worldwide interoperability for microwave access
  • the 5G network has also adjusted its network architecture compared to the 4G network. For example, the 5G network splits the mobility management entity (MME) in the 4G network into multiple network functions including AMF and session management function (SMF).
  • MME mobility management entity
  • SMF session management function
  • the 5G network architecture shown in FIG. 1 is used as an example to describe the application scenarios used in the present application.
  • Figure 1 shows the 5G network architecture based on the service-oriented architecture in the non-roaming scenario defined in the 3GPP standardization process.
  • the network architecture may include: a terminal equipment (also referred to as user equipment) part, a PLMN part and a data network (data network, DN) part.
  • the PLMN may include: a network exposure function (NEF) 131, a network function repository function (NRF) 132, a policy control function (PCF) 133, a unified data management function (UDM) 134, an authentication server function (AUSF) 136, an AMF 137, a session management function (SMF) 138, a user plane function (UPF) 139, an access network (AN) 140, a network slice selection function (NSSF) 141, a network slice specific authentication and authorization function (NSSAAF) 142, and the like.
  • NEF network exposure function
  • NRF network function repository function (also called network storage function)
  • PCF policy control function
  • UDM unified data management function
  • AUSF authentication server function
  • SMF session management function
  • UPF user plane function
  • NSSF network slice selection function
  • NSSAAF network slice specific authentication and authorization function
  • the data network DN 120, which may also be referred to as a packet data network (PDN), may typically be deployed outside the PLMN, for example as a third-party network.
  • the PLMN can access multiple data networks DN 120, and multiple services can be deployed on the data network DN 120, so as to provide the terminal device 110 with services such as data and/or voice.
  • the data network DN 120 can be a private network of a smart factory, the sensors installed in the workshop of the smart factory can be the terminal equipment 110, and the control server of the sensor is deployed in the data network DN 120, and the control server can provide services for the sensors.
  • the sensor can communicate with the control server, obtain the instruction of the control server, and transmit the collected sensor data to the control server according to the instruction.
  • the data network DN 120 may be an internal office network of a company, and the mobile phones or computers of employees of the company may be terminal devices 110, and the mobile phones or computers of the employees can access information, data resources, etc. on the internal office network of the company.
  • the terminal device 110 can establish a connection with the PLMN through an interface provided by the PLMN (for example, the N1 interface in FIG. 1 , etc.), and use services such as data and/or voice provided by the PLMN.
  • the terminal device 110 can also access the data network DN 120 through the PLMN, and use the operator services deployed on the data network DN 120, and/or services provided by third parties.
  • the above-mentioned third party may be a service party other than the PLMN and the terminal device 110 , and may provide other data and/or voice services for the terminal device 110 .
  • the specific expression form of the above third party can be specifically determined according to the actual application scenario, and is not limited here.
  • the application function (AF) 135 may or may not be affiliated to the PLMN. However, under normal circumstances, the AF is affiliated to a third party and not to the PLMN, but has an agreement relationship with the PLMN. AF is used to support functions that affect data routing through applications, access the network open function NEF, and interact with the policy framework for policy control.
  • the AN 140 also called a radio (Radio) AN, is a sub-network of the PLMN, and is an implementation system between a service node (or network function) and the terminal device 110 in the PLMN.
  • to access the PLMN, the terminal device 110 first passes through the AN 140, and then connects with the service node in the PLMN through the AN 140.
  • the AN 140 in the embodiment of the present application may refer to the access network itself, or may refer to the access network equipment, which is not distinguished here.
  • the access network device is a device that provides a wireless communication function for the terminal device 110, and may also be referred to as an access device, a (R)AN device, or a network device.
  • the access network equipment includes but is not limited to: gNB in 5G system, eNB, RNC, NB in LTE system, base station controller BSC, BTS, HNB, BBU, TRP, TP, small base station equipment (pico), mobile switching center, or network equipment in future networks, etc. It is understandable that the present application does not limit the specific type of the access network device. In systems using different wireless access technologies, the names of devices with access network device functions may be different.
  • the access device may include CUs, DUs, and the like.
  • the CU can also be divided into CU-control plane (CU-CP) and CU-user plane (CU-UP), etc.
  • the access device may also follow an open radio access network (O-RAN or Open RAN) architecture, etc. This application does not limit the specific deployment method of the access device.
  • the network opening function NEF (may also be referred to as a network opening function entity) 131 is a control plane function provided by an operator.
  • the NEF 131 provides an external two-way interface that opens the network's capabilities to third parties in a secure manner.
  • the NEF network function 131 can act as a relay for communicating with a third-party network entity.
  • the NEF network function 131 can also serve as a translator of the identification information of the subscriber, as well as the translation of the identification information of the third party's network function.
  • when the NEF network function 131 sends the subscriber permanent identifier (SUPI) of a subscriber from the PLMN to a third party, the SUPI can be translated into its corresponding generic public subscription identifier (GPSI) for external public use. Conversely, the NEF network function 131 forwards external information to the PLMN network, preventing other network functions inside the PLMN from directly contacting the outside.
  • SUPI subscriber permanent identifier
  • GPSI generic public subscription identifier
  • the network storage function NRF 132 is a control plane function provided by the operator and can be used to maintain real-time information of all network function services in the network.
  • the policy control function PCF 133 is a control plane function provided by the operator, which supports a unified policy framework to govern network behavior, provide policy rules, and contract information related to policy decision-making to other control functions.
  • the unified data management UDM 134 is a control plane function provided by the operator, and is responsible for storing information such as SUPI, security context, and subscription data of subscribers in the PLMN.
  • the above-mentioned PLMN subscribers may specifically be users who use services provided by the PLMN, such as users who use the terminal equipment core card of China Telecom, or users who use the terminal equipment core card of China Mobile.
  • the SUPI of the subscriber may be the number of the core card of the terminal device, or the like.
  • the above-mentioned security context may be data (such as a cookie) or a token stored on a local terminal device (for example, a mobile phone).
  • the subscription data of the above-mentioned subscriber may be the services supported by the terminal device's SIM card, such as the data package of a mobile phone SIM card, and the like.
  • the authentication server function AUSF 136 is a control plane function provided by the operator, and is usually used for primary authentication, that is, network authentication between the terminal device 110 (subscriber) and the PLMN.
  • the access and mobility management function AMF 137 is a control plane network function provided by the PLMN, responsible for access control and mobility management of the terminal device 110 accessing the PLMN, including, for example, mobility status management, assignment of user temporary identities, and user authentication and authorization functions.
  • the session management function SMF 138 is a control plane network function provided by the PLMN, and is responsible for managing the protocol data unit (protocol data unit, PDU) session of the terminal device 110.
  • the PDU session is a channel for transmitting PDUs, and the terminal device needs to transmit data to and from the DN 120 through the PDU session.
  • PDU sessions may be established, maintained, deleted, etc. by the SMF 138.
  • SMF 138 includes session management (such as session establishment, modification and release, including tunnel maintenance between UPF 139 and AN 140, etc.), UPF 139 selection and control, service and session continuity (SSC) mode selection, roaming and other session-related functions.
  • the user plane function UPF 139 is a gateway provided by the operator and is the gateway for the PLMN to communicate with the DN 120.
  • UPF 139 includes user plane-related functions such as data packet routing and transmission, packet detection, service usage reporting, quality of service (QoS) processing, lawful interception, upstream packet detection, and downstream data packet storage.
  • QoS quality of service
  • the network slice selection function (NSSF) 141 is a control plane network function provided by the PLMN, and is responsible for determining the network slice instance, selecting the AMF network function 137, and so on.
  • the network slice specific authentication and authorization function (NSSAAF) 142 is a control plane network function provided by the PLMN to support slice authentication between the terminal device 110 and the DN.
  • the network functions in the PLMN shown in FIG. 1 may also include a unified data repository (UDR), etc. (not shown in the figure), and the embodiment of the present application does not limit other network functions included in the PLMN.
  • unified data repository UDR
  • Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, Nnssf, Nnssaaf, N1, N2, N3, N4, and N6 are interface serial numbers.
  • the terminal device 110 is a UE as an example, and the interface names between the various network functions in FIG. 1 are only an example. In a specific implementation, the interfaces of the system architecture may also use other names, which are not limited in this application.
  • the mobility management network function in this application may be the AMF 137 shown in FIG. 1, or may be other network functions having the above-mentioned access and mobility management function AMF 137 in the future communication system.
  • the mobility management network function in this application may also be a mobility management entity (mobility management entity, MME) or the like in the LTE system.
  • MME mobility management entity
  • the access and mobility management function AMF 137 is referred to as AMF
  • the unified data management UDM 134 is referred to as UDM
  • the terminal device 110 is referred to as user equipment or UE in the embodiments of the present application; that is:
  • the AMF described later can be replaced by the mobility management network function
  • the UDM can be replaced by the unified data management
  • the user equipment or the UE can be replaced by the terminal device. It can be understood that other network functions not shown are also applicable to this alternative method.
  • the network architecture shown in Figure 1 (eg, 5G network architecture) adopts a service-based architecture and common interfaces, and traditional network element functions are divided, based on network function virtualization (NFV) technology, into several self-contained, self-managed and reusable network function service modules.
  • NFV network function virtualization
  • by flexibly defining the set of service modules, customized network function reconstruction can be realized, and external business processes can be formed through a unified service invocation interface.
  • the schematic diagram of the network architecture shown in FIG. 1 can be understood as a schematic diagram of a service-based 5G network architecture in a non-roaming scenario.
  • Network slicing technology can enable operators to respond more flexibly and quickly to customer needs and support flexible allocation of network resources.
  • Slice means network slicing.
  • a simple understanding is to cut the operator's physical network into multiple virtual end-to-end networks. These virtual networks are logically independent, and the failure of any one virtual network will not affect the other virtual networks.
  • businesses require relatively independent management, operation and maintenance, and are provided with tailored business functions and analysis capabilities.
  • Instances of different service types can be deployed on different network slices, and different instances of the same service type can also be deployed on different network slices.
  • a slice can consist of a set of network functions (NF) and/or sub-networks, etc.
  • NF network functions
  • the sub-networks AN 140, AMF 137, SMF 138, and UPF 139 in FIG. 1 may form a slice.
  • each network function in Fig. 1 is schematically drawn, and in actual network deployment, there may be multiple, dozens or hundreds of each network function or sub-network.
  • Many slices can be deployed in PLMN, and each slice can have different performance to meet the needs of different applications and different vertical industries. Operators can "tailor-made" a slice according to the needs of customers in different vertical industries. Operators can also allow some industry customers to enjoy greater autonomy and participate in some management and control functions of slices.
  • one network control function in which industry customers participate to a limited extent is the authentication and authorization of terminal devices accessing slices, that is, "slice-level authentication", also known as "secondary authentication"; this application abbreviates it as "slice authentication".
  • before a terminal device is allowed to access a network or slice, it needs to perform mutual authentication with the network and/or slice and obtain authorization from the network and/or slice. Generally, the network needs to authenticate and authorize the terminal device once or twice before it can access the network or slice.
  • the PLMN authenticates the terminal device based on the SUPI subscribed with the PLMN and used by the terminal device. This authentication is called primary authentication.
  • the PLMN also needs authentication based on the subscription identifier with the DN used by the terminal device, that is, slice authentication or secondary authentication.
  • the UE 110 can provide the requested slice to the core network.
  • the slice requested by the UE 110 may include a requested network slice selection assistance information set (requested network slice selection assistance information, requested NSSAI).
  • the NSSAI may include one or more single network slice selection assistance information (S-NSSAI), one S-NSSAI is used to identify a network slice type, it can also be understood that S-NSSAI is used to identify Slice, or it can be understood as S-NSSAI is the identification information of the slice.
  • S-NSSAI single network slice selection assistance information
  • a slice in this application may also be referred to as a network slice, a network slice instance, or S-NSSAI, etc., and this application does not limit the name of the slice.
  • the present application does not make a strict distinction between slices or S-NSSAI, etc., and the two are equally applicable.
  • the format of S-NSSAI includes at least two parts:
  • Slice type or service type (slice/service type, SST).
  • SST is used to distinguish the expected characteristics and services of different slices; at present, the 3GPP standard defines 4 standard slice types, namely enhanced mobile broadband (eMBB), ultra-reliable low-latency communication (URLLC), massive internet of things (MIoT), and vehicle to everything (V2X).
  • eMBB enhanced mobile broadband
  • URLLC ultra-low latency communication
  • MIoT massive internet of things
  • V2X vehicle to everything
  • slice differentiator (SD): an optional subdivision field, which is used to further distinguish different slices.
  • Both SST and SD can have non-standardized, PLMN-defined types.
  • the core network function (such as the AMF network function 137 or the NSSF network function 141) selects, according to the subscription data of the UE 110, the network slices requested by the UE 110, roaming agreements, local configuration and other information, the set of network slices that the UE 110 is allowed to access.
  • the set of network slices to which access is allowed may be represented by an allowed (allowed) NSSAI, and the S-NSSAI included in the allowed NSSAI may be the S-NSSAI that the current PLMN allows the UE 110 to access.
  • the data network DN 120 outside the PLMN (such as a DN serving a vertical industry) also has authentication and authorization requirements for the UE 110 accessing the DN 120.
  • a commercial company provides a game platform and provides game services for game players through PLMN.
  • the PLMN needs to authenticate or authorize the identity (SUPI) of the UE 110, that is, first-level authentication.
  • the game player is a customer of the commercial company, and the commercial company also needs to authenticate or authorize the identity of the game player.
  • this authentication can be slice-based, that is, the authentication is performed on the basis of slices.
  • this authentication may be called slice authentication (slice authentication), or network slice-specific authentication and authorization (NSSAA).
  • slice authentication may be, for example, authentication performed between a terminal device and a third-party network (such as a DN or its authentication server).
  • the slice authentication result will determine whether the PLMN authorizes the terminal device to access the slice provided by the PLMN.
  • the method applied to slice authentication in this application is also applicable to scenarios such as session-based secondary authentication (secondary authentication) or slice-based secondary authentication, and will not be described in detail here.
  • GST generic network slice template
  • GSMA defines the concept of GST.
  • the main function of GST is to formulate a set of standard network slice templates, so that operators can tailor the network slices they need to establish, use and operate while ensuring interconnection and interoperability, and improve efficiency and security.
  • the 3GPP standard organization is formulating relevant standards for this general slicing template, so that 5G networks can better support and meet the requirements for slicing characteristics and slicing performance specified by the general slicing template by evolving the system architecture and process.
  • GSMA currently defines many attributes of the general slice template (GST attributes for short); one of these GST attributes is the concern of the embodiments of this application, and it is also a GST attribute that is being studied and formulated in the 3GPP standards organization.
  • this GST attribute is called the shared attribute, or "simultaneous use of the network slice"; it can also be called the exclusive attribute, the mutually exclusive attribute, and so on. This attribute mainly describes whether the slice can be used simultaneously with other slices.
  • the attributes of slices involved in the embodiments of the present application, also called slice attributes, refer to GST attributes, including the shared attribute.
  • the network usually deploys slices of various types and attributes at the same time, and whether a UE can use multiple slices at the same time is a security issue that needs to be considered in the communication process; in essence, the shared attribute can also be regarded as the inter-slice isolation problem.
  • Some network resources may be shared among multiple slices to improve the efficiency of network resource usage. If these network resources, such as network elements or NFs, are not properly isolated, there is a risk of information leaking from one slice to another. This problem matters more for users/industries with highly sensitive data or high requirements for network security and privacy, who usually want their slices not to be used by a UE at the same time as other slices, so as to prevent information leakage between slices. Conversely, for some common business data, the security provided by existing network slices is sufficient, and no additional security mechanisms or costs to enhance isolation between slices are needed.
  • GSMA further gives advice on attribute subdivision for GST shared attributes.
  • the shared attributes may have the following divisions:
  • custom slice operator-defined (referred to as "custom slice").
  • the embodiment of the present application mainly studies the problem of resource sharing and security isolation between slices, and does not limit the specific division of the above-mentioned GST attributes.
  • Rule 1 Allow UE to access multiple slices at the same time: UE can access up to 8 slices at the same time in the same PLMN. When the UE accesses 2-8 slices in the same PLMN, these slices need to share the same AMF.
  • Rule 2 Allow the UE to access different slices successively (time-sharing): when the UE accesses different slices successively, the UE may use the same AMF or different AMFs, depending on many factors, such as the UE's location, the load level of the AMF, etc.
  • for "exclusive slices", the existing 3GPP standards do not define a unified isolation method for exclusive slices, but leave it to operators to customize and implement by themselves when deploying slices. For example, a simple method is that, when deploying exclusive slices, the operator adopts a private policy prohibiting UEs from accessing multiple slices. Of course, this method sacrifices the flexible deployment of network slicing and the convenience of the UE.
  • the core security issue of the GST exclusive slice attribute is to ensure secure isolation between slices.
  • Scenario A Shared AMF: UE accesses different (or the same) slices successively.
  • the UE accesses slice 1 at a certain moment, and after using and completing the services on slice 1, the UE exits slice 1 and the network, and completes the de-registration process with the network. After a period of time, the UE needs to use the services of slice 2, and accesses slice 2 again through the network.
  • the core network part of the slice usually mainly includes network functions such as AMF, SMF, and UPF.
  • even though the UE uses slice 1 and slice 2 at different times (non-simultaneously) and completes de-registration in between, the UE and the network will still retain and use the same set of security contexts, such as the AMF key Kamf, which is used to derive encryption/integrity protection keys. This is because the network optimizes network performance by reusing the security context.
  • AMF key Kamf used to derive encryption/integrity protection keys.
  • although the UE does not access the two different slices at the same time, it still uses the same set of security contexts. If one of the slices is required to be isolated from the other, there is still a risk of leaking the information of this slice, because its security context is the same as that of the other slice, and the information of this slice can be obtained using the security context of the other slice. Therefore, for scenarios where different slices are not accessed at the same time, security isolation between slices (such as key isolation) should also be performed.
  • Scenario B AMF is not shared: UE accesses different (or the same) slices successively, or AMF redirection occurs.
  • the UE accesses slice 1 through AMF1 at a certain moment, and after using and completing the services on slice 1, the UE exits slice 1 and the network, and completes the de-registration process with the network.
  • the UE re-registers to the network through AMF2 and accesses slice 2.
  • the network usually requires the AMF1 to save the UE's security context, such as the key Kamf, and transmit it to the AMF2.
  • in this case the security context used can still be the same, and there is also no key-level security isolation between slice 1 and slice 2.
  • alternatively, the UE undergoes AMF re-allocation.
  • this scenario occurs while the UE is connected, that is, has not deregistered.
  • the network first processes the UE's request at the source AMF and initiates the network authentication process; it then determines to use the target AMF to continue processing the slice that the UE requests to access. This process is called the redirection process of the UE.
  • the redirection procedure can also be triggered due to the movement of the UE's location.
  • the UE uses the source AMF at the beginning to access the network, and saves the information of the UE (including the security context of the UE) in the source AMF. It should be noted that, at this time, the UE may have accessed slice 1 or may not have accessed slice 1 yet.
  • the security context stored in the source AMF can be transferred to the target AMF. That is to say, although the UE does not access slice 1 and slice 2 at the same time, the security context used by the UE in slice 2 can be obtained in both AMFs. Therefore, slice 2 and slice 1 do not achieve security isolation at the key level.
  • the present application proposes a slice isolation method to avoid information leakage between slices.
  • the first network device obtains the information of the first slice of the user equipment. If the information of the first slice does not match the information of the second slice that the user equipment requests to access, the first network device may acquire a second key, where the second key is used for security protection of the information of the second slice and/or the information of the user equipment.
  • in this way, when the user equipment accesses the second slice, the key used by the network and the user equipment (that is, the second key) is not the same as the key used when the user equipment accesses other slices (for example, the first slice); because the keys used by the network and the user differ between slices, information leakage between slices is avoided.
  • if the first network device receives a deregistration request message from the user equipment, the first network device deletes the third key, where the third key is the key used by the network device and the user equipment when the user equipment accesses the third slice, and the third slice is the last slice accessed by the user equipment.
  • when the first network device sends a redirection message for the user equipment to another network device, if the slice information obtained by the first network device does not match the slice information that the user equipment requests to access, the first network device may initiate re-authentication for the user equipment.
  • the authentication process is re-initiated for the user equipment, and the key is regenerated. The regenerated key is different from the key saved in the source AMF, so as to avoid using the same key when accessing different slices, avoiding information leakage between slices.
  • the slice isolation method provided in this embodiment of the present application can be applied to the communication system shown in FIG. 1 .
  • the slice isolation process provided during the registration process is shown in Figure 3, and the process includes:
  • S301 The user equipment sends a first request message to a first network device, and the first network device receives the first request message, where the first request message is used to request access to the second slice.
  • the first network device is an AMF.
  • the first request message may be a registration request (Registration Request) message.
  • the first request message includes identification information of the user equipment and information of the second slice.
  • the identification information of the user equipment is the identity identifier of the user equipment, such as a globally unique temporary identifier (GUTI) of the user equipment and/or a subscription concealed identifier (SUCI) of the user equipment; the SUCI may be obtained by performing privacy protection processing (such as encryption) on the SUPI.
  • GUTI globally unique temporary identifier
  • SUCI subscription concealed identifier
  • the information of the second slice includes identification information of the second slice, and optionally, the information of the second slice may further include attributes of the second slice.
  • the identifier information of the second slice includes an S-NSSAI or an NSSAI; the NSSAI is a slice identifier set, which may include identifiers of multiple slices (that is, multiple S-NSSAIs), and the second slice may be any of the slices identified by those multiple slice identifiers.
  • the attributes of the second slice may be indicated by shared attribute values, for example:
  • the second slice is a normal slice
  • the shared attribute value is 1
  • the second slice is a type 1 slice
  • the shared attribute value is 2
  • the second slice is a type 2 slice
  • the shared attribute value is 3
  • the second slice is an exclusive slice
  • the first network device may check whether a security context, or a context including a security context, of the user equipment exists. For example, the first network device determines whether the user equipment has accessed the network before (eg, determines whether the user's identity identifier is a GUTI). If it is determined that the user equipment has not accessed a network device before, the first network device determines that the context of the user equipment does not exist, and the first network device may perform network authentication on the user equipment so that the user equipment is connected to the network.
  • if the user equipment has accessed the network before, the first network device determines which network device or network function the user equipment used to access the network previously (for example, the GUTI can identify the network device previously accessed, since the content of the GUTI includes the network identity and the network function (AMF) identity).
  • the first network device acquires the information of the first slice of the user equipment.
  • if the user equipment last accessed the network through the first network device, the first network device directly obtains the information of the first slice of the user equipment locally; if the user equipment last accessed the network through another network device (not the first network device), the first network device obtains the information of the first slice of the user equipment from that other network device.
  • the context or security context of the user equipment includes the information of the first slice.
  • the context or security context of the user equipment includes an attribute of the first slice and/or a first key (such as Kamf), where the first key is the key used by the user equipment and the network when the user equipment accesses the first slice.
  • the first slice of the user equipment is any one of the one or more slices subscribed by the user equipment, or the first slice is the slice that the user equipment has previously accessed, has most recently accessed, or is currently accessing.
  • the information of the first slice includes identification information of the first slice.
  • the information of the first slice may further include at least one of the following: the attribute of the first slice, the security context of the first slice, and/or the first key, where the first key is used for security protection of the information of the first slice and/or of the information when the user equipment accesses the first slice.
  • the first network device may acquire the information of the first slice when acquiring the context or the security context of the user equipment.
  • the context or security context of the user equipment includes information of the first slice, and the first network device obtains the information of the first slice in the context or security context of the user equipment.
  • the first network device acquires the information of the first slice from the first network device or other network devices.
  • the second key is a key used by the user equipment and the network when the user equipment accesses the second slice.
  • the first network device obtains the second key.
  • the attributes of the first slice not matching the attributes of the second slice includes the attributes of the first slice being incompatible with, or mutually exclusive with, the attributes of the second slice.
  • the attributes of the first slice do not match (are incompatible or mutually exclusive with) the attributes of the second slice when at least one of the following holds:
  • the shared attributes of the first slice and/or the shared attributes of the second slice are not allowed to be shared with other slices with arbitrary attributes.
  • the first slice and/or the second slice are exclusive slices:
  • the first slice is an exclusive slice
  • the second slice is a slice with arbitrary attributes.
  • the second slice is an exclusive slice
  • the first slice is a slice with arbitrary attributes.
  • the first slice is an exclusive slice
  • the second slice is an exclusive slice
  • the first slice and the second slice are different exclusive slices.
  • the attribute of the first slice is only allowed to be shared by slices with the same service type SST, and the SST of the attribute of the second slice is different from the SST of the attribute of the first slice.
  • the attribute of the second slice is only allowed to be shared by slices with the same service type SST, and the SST of the attribute of the first slice is different from the SST of the attribute of the second slice.
  • the attribute of the first slice is only allowed to be shared by slices with the same slice differentiation factor SD, and the SD of the attribute of the second slice is different from the SD of the attribute of the first slice.
  • the attribute of the second slice is only allowed to be shared by slices with the same slice differentiation factor SD, and the SD of the attribute of the first slice is different from the SD of the attribute of the second slice.
  • the first slice in 12) and 14) is not an exclusive slice, but its shared attribute is incompatible with the shared attribute of the second slice; for example, the first slice is a type 1 slice and the second slice is a type 2 slice, or the first slice is a type 2 slice and the second slice is a type 1 slice.
  • the second slice is not an exclusive slice, but its shared attribute is incompatible with the shared attribute of the first slice; for example, the second slice is a type 1 slice and the first slice is a type 2 slice, or the second slice is a type 2 slice and the first slice is a type 1 slice.
  • when the first network device obtains the second key, the first network device generates the second key according to the first key, where the first key is used to perform security protection on the information of the first slice or/and the information exchanged when the user equipment accesses the first slice.
  • for example, the first network device is an AMF, and the AMF generates the second key according to Kamf (the key used to perform security protection on the information of the first slice or/and the information exchanged when the user equipment accesses the first slice).
  • when the first network device obtains the second key, the first network device re-initiates network authentication for the user equipment or initiates slice authentication for the user equipment; if the re-initiated network authentication succeeds or the slice authentication succeeds, the first network device generates or receives the second key.
  • for example, the first network device is an AMF.
  • the AMF may include a security anchor function (SEcurity Anchor Function, SEAF); when the network authentication succeeds, the SEAF generates the second key.
  • alternatively, the AMF does not include the SEAF function, that is, the AMF and the SEAF are deployed separately in different network devices; after generating the second key, the SEAF sends it to the AMF.
  • either way, this process ensures that the second key is independent of the first key: the first key cannot be obtained from the second key, nor can the second key be obtained from the first key.
  • corresponding isolation requirements may be set according to different sharing attributes; the isolation requirement corresponding to each sharing attribute is not limited in this embodiment of the present application.
  • for example, the larger the value of the shared attribute, the higher the isolation requirement: the isolation requirement of the exclusive slice is the highest, that of the type 2 slice is the second highest, that of the type 1 slice is lower than that of the type 2 slice, and that of the common (ordinary) slice is the lowest.
  • when the first network device obtains the second key: if the isolation requirement of the first slice is higher than that of the second slice, the first network device generates the second key according to the first key; if the isolation requirement of the first slice is lower than that of the second slice, the first network device performs network authentication on the user equipment again, and if the re-authentication succeeds, the first network device generates or receives the second key.
  • the process of generating the second key according to the first key is simple, the execution steps are few, and the interaction between the user equipment and the network is also less.
  • the first network device sends first indication information to the user equipment, and the user equipment receives the first indication information, where the first indication information is used to instruct the user equipment to obtain the second key.
  • the first indication information may be used to instruct the user equipment to generate the second key according to the first key.
  • the first indication message may be non-access stratum (non access stratum, NAS) security mode command (security mode command, SMC) signaling.
  • Step S304 is an optional step. If the first network device initiates network authentication for the user equipment again, step S304 need not be performed. It should be noted that, in the re-authentication of the user equipment initiated by the first network device, the first network device (for example, including the AMF and the SEAF) sends one or more other messages, such as an authentication request message, and the user equipment also replies with one or more messages; this is not limited here.
  • the user equipment acquires a first key, where the first key is used to perform security protection on the information of the first slice or/and the information exchanged when the user equipment accesses the first slice; the user equipment generates the second key according to the first key.
  • the first key may be stored in the user equipment.
  • the user equipment performs re-authentication with the first network device; if the re-authentication between the user equipment and the first network device succeeds, the user equipment generates the second key, and the second key and the first key cannot be derived from each other.
  • the first network device and the user equipment obtain the second key in the same way (including generating it with the same parameters), so that the first network device and the user equipment protect the communicated information with the same key.
  • the first network device may also send a registration accept message to the user equipment, and the user equipment receives the registration accept message.
  • the attributes of the first slice match the attributes of the second slice, meaning that the attributes of the first slice are compatible with, or not mutually exclusive with, the attributes of the second slice.
  • the attributes of the first slice match (are compatible or not mutually exclusive with) the attributes of the second slice in at least one of the following situations:
  • the attributes of the first slice or the attributes of the second slice are allowed to be shared with other slices with arbitrary attributes.
  • the first slice and/or the second slice are ordinary slices.
  • the attribute of the first slice is only allowed to be shared by slices with the same SST, and the SST of the second slice is the same as the SST of the first slice; for example, the first slice and the second slice are both type 1 slices and have the same SST.
  • the attribute of the second slice is only allowed to be shared by slices with the same SST, and the SST of the first slice is the same as the SST of the second slice; for example, both are type 1 slices with the same SST.
  • the attribute of the first slice is only allowed to be shared by slices with the same SD, and the SD of the second slice is the same as the SD of the first slice; for example, the first slice and the second slice are both type 2 slices and have the same SD.
  • the attribute of the second slice is only allowed to be shared by slices with the same SD, and the SD of the first slice is the same as the SD of the second slice; for example, both are type 2 slices with the same SD.
  • the second slice and the first slice are mapped to the same single network slice selection assistance information S-NSSAI.
  • the first slice and the second slice may be mapped to the same S-NSSAI slice in the home network (Home PLMN).
  • in this case the first slice and the second slice may have different slice identifiers (different S-NSSAIs, or different SST or SD values) in their respective PLMNs.
  • if the attribute of the first slice is not identified in the information of the first slice, it may be considered that the attribute of the first slice is allowed to be shared with slices of any other attribute, that is, the first slice can be treated as an ordinary slice.
  • if the attribute of the second slice is not identified in the information of the second slice, it may be considered that the attribute of the second slice is allowed to be shared with slices of any other attribute, that is, the second slice can be treated as an ordinary slice.
  • the user equipment is a legacy device, that is, a device of an earlier release.
  • for example, the 5G standard has R15, R16 and R17 versions; if the GST shared attribute is newly introduced in R17, devices of R15 and R16 can be called legacy devices.
  • legacy devices can still be used in the network, and slices accessed by legacy devices can be regarded as ordinary slices.
  • S401 The user equipment sends a registration request to the first AMF.
  • the registration request includes the identity identifier of the user equipment (such as a GUTI or SUCI) and the identification information of the second slice for which access is requested (such as an S-NSSAI, which may be any S-NSSAI in the requested NSSAI).
  • optionally, the registration request includes the attribute of the second slice.
  • the first AMF determines whether a security context (security context) of the user equipment is stored.
  • the first AMF determines, according to the GUTI of the user equipment, whether a valid security context of the user is stored in the first AMF; if so, it skips S403 and executes S404; if not, it executes S403.
  • a valid security context means that the first AMF can successfully verify the message authentication code (MAC) in the registration request message using the security context (such as the first key Kamf).
  • Optional step S403 The first AMF initiates network authentication, or primary authentication (Primary Authentication), between the user equipment and the first AMF and UDM.
  • Optional step S404 The first AMF acquires the information of the slices subscribed by the user equipment, that is, retrieves the subscription information.
  • the first AMF obtains the information of the slices subscribed by the user equipment (such as the slice identifier NSSAI, which may include one or more S-NSSAIs). For example, the first AMF first searches locally for the information of the slices subscribed by the user equipment; if it is present, the first AMF obtains it locally, and if not, the first AMF sends a request message to the UDM and obtains the information of the subscribed slices from the UDM.
  • the first AMF retrieves the shared attribute information of the subscribed slices from the acquired information of the slices subscribed by the user equipment.
  • Optional step S405 The first AMF checks the attributes of the subscribed slices.
  • the subscribed slices may be one or more slices, and the one or more slices respectively correspond to one or more slice attributes, that is, each slice corresponds to the attribute information of one slice.
  • depending on the result of this check, the first AMF either skips S406-S409 and executes S410 (optionally also performing S407), or executes S406.
  • Optional step S406 The first AMF acquires the first slice information (that is, the information of the first slice), and compares the attributes of the first slice with the attributes of the second slice requested for access.
  • the first AMF acquires the first slice information locally (from the storage unit of the first AMF itself) or from the UDM (or other NFs).
  • the first slice information is slice information stored in the context of the user equipment.
  • the first slice information includes one or more S-NSSAIs, which represent the slices indicated by the one or more S-NSSAIs that the user equipment is accessing or has accessed.
  • the first slice information further includes the attribute information of the first slice (corresponding to the one or more S-NSSAIs).
  • if it is determined, according to the attributes of the first slice and the attributes of the second slice, that the attributes of the first slice do not match the attributes of the second slice, the first AMF returns to execute S403, or executes S407.
  • if it is determined, according to the attributes of the first slice and the attributes of the second slice, that the attributes of the first slice match the attributes of the second slice, the first AMF skips S407-S409 and executes S410.
  • the acquired attributes of the first slice may be one or more, and the acquired attributes of the second slice may likewise be one or more.
  • the number of first slices (S-NSSAIs) and the number of second slices (S-NSSAIs) may be the same or different.
  • each slice attribute corresponds to one slice (S-NSSAI), that is, each slice (S-NSSAI) corresponds to one attribute.
  • for example, the user equipment accessed 2 slices last time, with identifiers S-NSSAI-1 and S-NSSAI-2 respectively; the attribute value of slice S-NSSAI-1 is 0, that is, an ordinary slice, and the attribute value of slice S-NSSAI-2 is 2, that is, it may only be shared with slices having the same SD value (the two slices were shared by the user equipment last time, which implies that the SD values of S-NSSAI-1 and S-NSSAI-2 are the same).
  • the identifiers and attribute values of slice S-NSSAI-1 and slice S-NSSAI-2 are stored, and the shared key Kamf is also stored.
  • the second slice now requested for access is slice S-NSSAI-3, whose attribute value is 3, that is, a dedicated (exclusive) slice.
  • the first AMF can therefore obtain two attributes of the first slice and one attribute of the second slice.
  • 31) the isolation requirement of the second slice requested for access is higher than the isolation requirement of the first slice; for example, the second slice is an exclusive slice (attribute value 3) and the first slice is a non-exclusive slice (attribute value 0, 1 or 2), or the attribute value of the second slice is 1 or 2 and the first slice is an ordinary slice (attribute value 0).
  • 32) the isolation requirement of the second slice requested for access is lower than the isolation requirement of the first slice; for example, the first slice is an exclusive slice (attribute value 3) and the second slice is a non-exclusive slice (attribute value 0, 1 or 2), or the attribute value of the first slice is 1 or 2 and the second slice is an ordinary slice (attribute value 0).
  • 33) the remaining situations besides 31) and 32); for these, refer to the relevant descriptions of FIG. 3, which are not listed one by one here.
  • if the attributes match, the second slice requested for access and the first slice can be used simultaneously; for example, the second slice and the first slice are the same exclusive slice, or both are ordinary slices.
  • in situation 31), the first AMF returns to execute S403 and adopts the stronger isolation method (re-authentication) to ensure the security of information between slices.
  • in situation 32), the first AMF executes S407 and adopts the less costly isolation method (key update) to ensure the security of information between slices.
  • in situation 33), the first AMF executes S403 or S407 in the same manner as in 31) or 32), following the description of FIG. 3.
  • if the attributes match, the first AMF skips S407-S409 and executes S410; no isolation is required between the slices.
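The S406 comparison and the two ways of obtaining the second key, written out as an added example by the editor (not code from the patent or from Huawei). It assumes the attribute encoding of the worked example on this page (0 ordinary, 1 type 1, 2 type 2, 3 exclusive), a KDF shaped like the 3GPP one (HMAC-SHA-256 over FC || P0 || L0) with FC = 0x72 and P0 = DL NAS COUNT as the editor recalls them from TS 33.501 Annex A.13 (an assumption, not taken from the page), a random 32-byte key as a stand-in for what the SEAF hands over after primary re-authentication, and a tie-break for mismatched slices with equal isolation levels (take the stronger path, re-authentication). All slice names, SST/SD values and keys are constructed.

```python
"""Registration-time slice isolation check (S406 / S407 / S403 on this page).

Editor's added example; not the patent's or Huawei's code.  Attribute values:
0 = ordinary (may share with any slice), 1 = type 1 (share only with the same
SST), 2 = type 2 (share only with the same SD), 3 = exclusive.  A larger value
means a stricter isolation requirement.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

ORDINARY, TYPE1_SAME_SST, TYPE2_SAME_SD, EXCLUSIVE = 0, 1, 2, 3

# Outcomes of S406, named after the step the AMF executes next.
REUSE_KEY = "S410"          # attributes match: keep the current Kamf
DERIVE_FROM_KAMF = "S407"   # mismatch, requested slice needs LESS isolation
RE_AUTHENTICATE = "S403"    # mismatch, requested slice needs MORE isolation


@dataclass(frozen=True)
class Slice:
    snssai: str                          # label only, e.g. "S-NSSAI-1"
    sst: int
    sd: Optional[str] = None
    attr: Optional[int] = None           # None: attribute not identified
    hplmn_snssai: Optional[str] = None   # home-PLMN S-NSSAI this slice maps to

    def attribute(self) -> int:
        # An unidentified attribute (e.g. a legacy UE's slice) counts as ordinary.
        return ORDINARY if self.attr is None else self.attr


def attributes_compatible(a: Slice, b: Slice) -> bool:
    """True when the two slices may share one set of keys (Kamf)."""
    if a.snssai == b.snssai:
        return True                                   # same slice, even if exclusive
    if a.hplmn_snssai is not None and a.hplmn_snssai == b.hplmn_snssai:
        return True                                   # same home-network slice
    attrs = {a.attribute(), b.attribute()}
    if EXCLUSIVE in attrs:
        return False                                  # exclusive shares with nothing else
    if attrs == {TYPE1_SAME_SST, TYPE2_SAME_SD}:
        return False                                  # type 1 vs type 2: incompatible
    # A constrained slice imposes its own rule; an ordinary slice imposes none.
    for x, y in ((a, b), (b, a)):
        if x.attribute() == TYPE1_SAME_SST and x.sst != y.sst:
            return False
        if x.attribute() == TYPE2_SAME_SD and x.sd != y.sd:
            return False
    return True


def isolation_decision(first: list, second: Slice) -> str:
    """S406: compare the slices the UE is/was accessing with the requested one.
    A mismatch at equal isolation level (e.g. two different exclusive slices)
    takes the stronger path; that tie-break is this example's assumption."""
    if all(attributes_compatible(f, second) for f in first):
        return REUSE_KEY
    if max(f.attribute() for f in first) > second.attribute():
        return DERIVE_FROM_KAMF
    return RE_AUTHENTICATE


def derive_kamf_horizontal(kamf: bytes, dl_nas_count: int) -> bytes:
    """Second key from the first key without re-authentication (S407).
    KDF shape follows 3GPP (HMAC-SHA-256 over FC || P0 || L0); FC = 0x72 and
    P0 = DL NAS COUNT are assumed values (editor's recollection of TS 33.501
    Annex A.13), not taken from this page."""
    p0 = dl_nas_count.to_bytes(4, "big")
    s = bytes([0x72]) + p0 + len(p0).to_bytes(2, "big")
    return hmac.new(kamf, s, hashlib.sha256).digest()


def fresh_kamf_from_reauthentication() -> bytes:
    """Stand-in for the key the SEAF hands to the AMF after a successful
    primary authentication: unrelated to the old Kamf in either direction."""
    return secrets.token_bytes(32)


def obtain_second_key(decision: str, kamf: bytes, dl_nas_count: int) -> bytes:
    """Run on both the AMF and the UE; only the re-authentication path needs a
    fresh exchange, the other two are computed locally from shared state."""
    if decision == REUSE_KEY:
        return kamf
    if decision == DERIVE_FROM_KAMF:
        return derive_kamf_horizontal(kamf, dl_nas_count)
    return fresh_kamf_from_reauthentication()


def worked_example() -> dict:
    """The scenario on this page: the UE last used S-NSSAI-1 (ordinary) and
    S-NSSAI-2 (type 2, SD "a") under one Kamf; it now requests exclusive S-NSSAI-3."""
    s1 = Slice("S-NSSAI-1", sst=1, sd="a", attr=ORDINARY)
    s2 = Slice("S-NSSAI-2", sst=1, sd="a", attr=TYPE2_SAME_SD)
    s3 = Slice("S-NSSAI-3", sst=2, sd="x", attr=EXCLUSIVE)
    kamf = bytes(range(32))                           # constructed sample first key
    return {
        "request_s3": isolation_decision([s1, s2], s3),   # situation 31): "S403"
        "back_to_s1": isolation_decision([s3], s1),       # situation 32): "S407"
        "request_s2": isolation_decision([s1], s2),       # attributes match: "S410"
        "derived": derive_kamf_horizontal(kamf, dl_nas_count=7),
    }
```

The UE side runs `obtain_second_key` with the same decision and the same DL NAS COUNT, which is why the page insists that both ends generate the key with the same parameters; the check that the horizontally derived key still cannot be turned back into the old Kamf is exactly the one-way property of the HMAC, whereas only the re-authentication path gives independence in both directions.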
  • Optional step S407 the first AMF starts a key update process to update the key Kamf stored at the AMF.
  • the first AMF generates the second key (updated key Kamf) according to the first key (eg, key Kamf).
  • Optional step S408 the first AMF notifies the user equipment to update the first key Kamf, and sends the required key update parameters to the user equipment.
  • the message sent in S408 may be a non-access stratum (NAS) security mode command (SMC) message.
  • S410 The user equipment completes other sub-processes in the registration process, and can participate in relevant standard processes, which will not be described in detail here.
  • S411 The first AMF sends a registration acceptance message to the user equipment.
  • S406 may be simplified to: the first AMF checks whether the second slice needs to be isolated; if so, it returns to S403, or to S407 (executing S407-S409); if not, the first AMF executes S410.
  • the first AMF determines that the user equipment has accessed the network before (for example, because the registration request includes a GUTI), and that it accessed the network through the second AMF (for example, the GUTI includes the ID of that AMF); that is, the AMF previously accessed by the user equipment has changed (the second AMF and the first AMF are not the same AMF).
  • the first AMF can be regarded as a new (new) AMF, or a target (target) AMF.
  • the second AMF may be regarded as an old (old) AMF, or a source/initial (Source/Initial) AMF.
  • the first AMF sends a request message (such as a UE context transfer request message) to the second AMF to obtain the information of the first slice stored by the second AMF.
  • optionally, the request message includes the information of the second slice that the user equipment requests to access.
  • S504 The second AMF compares the stored attributes of the first slice with the attributes of the second slice requested for access. In an optional implementation, S504 is omitted, that is, the second AMF does not perform the comparison.
  • S505 The second AMF sends a response message (such as a UE context transfer response message) to the first AMF.
  • the second AMF may determine which information is carried in the response message of S505 according to the comparison result of S504.
  • if the attributes of the first slice match the attributes of the second slice, the response message may include the security context of the first slice (for example, including the first key Kamf).
  • if the attributes do not match, the response message may include the non-security context but not the security context (such as the first key Kamf).
  • or, the response message may include the context that does not affect slice isolation (whether security or non-security context, such as the SUPI of the user equipment), but not the context that affects slice isolation (such as the first key Kamf).
  • optionally, the response message includes the identification information (NSSAI) and the attributes of the first slice.
  • optionally, the response message includes indication information informing the first AMF that the user equipment has passed security authentication and that a security context of the user equipment exists but does not match the attribute of the second slice, so the security context (such as the first key Kamf) cannot be sent; the indication instructs the first AMF to re-authenticate (network authentication or slice authentication, where network authentication includes primary authentication and optional slice authentication).
  • or, the second AMF first updates the first key Kamf (the updated key being the second key Kamf) or performs re-authentication, and then carries the updated security context (such as the second key Kamf and the parameters required to update Kamf, optionally together with key indication information indicating that the key has been updated or that the key is the second key) in the response message sent to the first AMF; the first AMF may also update the key or perform re-authentication for slice isolation.
  • if the second AMF does not perform S504, it may consider that the attributes of the first slice do not match the attributes of the second slice, or S505 may be performed according to the existing process.
  • optionally, the second AMF includes indication information in the S505 message, instructing the first AMF either to perform primary authentication again (that is, not to generate the second key based on the first key) or to update the Kamf key (that is, sending the first key and instructing the first AMF to generate the second key based on it).
  • S506 The first AMF processes the response message, that is, it decides and executes the subsequent process according to the response message.
  • if the response message includes the first key or/and the second key together with the identification information and attributes of the first slice, the first AMF compares the attributes of the first slice with the attributes of the second slice requested for access: if it is determined that the attributes do not match, the first AMF executes S507 (re-authentication) or S508 (key update); if the attributes match, the first AMF skips S507-S508 and executes S509.
  • if the response message includes indication information, the first AMF proceeds according to that indication: if it is instructed to perform primary authentication again, it executes S507; if it is instructed to update the Kamf key, it executes S508.
  • S507 The first AMF initiates primary authentication (Primary Authentication) between the user equipment and the network.
  • S504 and S506 may alternatively be performed, or both may be performed.
  • the first AMF in the above S506 may re-determine independently of the second AMF (S504). This is because the first AMF and the second AMF may be in different PLMNs or different security domains, or the first AMF does not necessarily fully trust the judgment result of the second AMF.
  • the first AMF may also obtain the information of the first slice through another NF (other than the second AMF, such as an unstructured data storage function (UDSF)).
  • the first AMF may also interact with the second AMF indirectly through other NFs (such as the UDSF), which is not limited here.
  • the slice isolation process provided in the deregistration process is shown in Figure 6.
  • the process includes:
  • S601a The user equipment sends a deregistration request message to a first network device, and the first network device receives the deregistration request message.
  • S601b The first network device sends a deregistration request message to the user equipment, and the user equipment receives the deregistration request message.
  • the deregistration process is initiated by the first network device.
  • S601a and S601b may be executed alternatively.
  • the first network device deletes the third key stored locally (that is, at the first network device) in the context of the user equipment, where the third key is used to perform security protection on the information of the third slice or the information exchanged when the user equipment accesses the third slice; the third slice is the slice (corresponding to one S-NSSAI) that the user equipment accessed last, or any/each of multiple slices (corresponding to multiple S-NSSAIs, or an NSSAI including multiple S-NSSAIs) accessed last (when multiple slices are allowed to be accessed at the same time, the attributes of these slices are compatible by default and one set of keys can be shared).
  • for example, the first network device determines that the attribute of the third slice is not allowed to be shared with slices of any other attribute (that is, the third slice is an exclusive slice with attribute value 3), and the first network device deletes the third key in the locally stored context of the user equipment.
  • or, the first network device determines (from locally stored subscription information, or subscription information of the user obtained from the UDM) that the user equipment is subscribed to slices with multiple attributes, among which there is a slice incompatible with the attribute of the third slice, and the first network device deletes the third key in the locally stored context of the user equipment.
  • or, the first network device determines that the attribute of the third slice is not allowed to be shared with slices of any other attribute (that is, the third slice is an exclusive slice with attribute value 3), but also determines (from locally stored subscription information, or subscription information obtained from the UDM) that the user equipment is subscribed only to that slice; in that case the first network device retains (that is, does not delete) the third key in the locally stored context of the user equipment.
  • optionally, the first network device sends indication information to other network devices or network functions (such as the UDM or other AMFs), instructing them to delete the stored information in the context of the user equipment.
  • optionally, the first network device sends indication information to the user equipment, instructing the user equipment to delete the stored third key.
  • execution sequence of S602 and S603 is not limited.
  • the user equipment may determine that the attribute of the third slice is not allowed to be shared with slices of any other attribute, and the user equipment deletes the third key.
  • the user equipment receives the indication information from the first network device, and the user equipment deletes the third key.
  • the first network device may also send a deregistration accept message to the user equipment, and the user equipment receives the deregistration accept message; or, when the first network device initiates the deregistration process, the user equipment may send a deregistration accept message to the first network device, and the first network device receives it.
  • S602 and S603 may be performed before the deregistration process, during the deregistration process, or after the deregistration process.
  • when the user equipment subsequently accesses the dedicated slice, it needs to re-authenticate with the network (and optionally perform slice authentication) and generate a new key for accessing the dedicated slice.
  • the user equipment initiates the deregistration process, and the slice isolation process is shown in Figure 7, including the following steps:
  • S701 The user equipment sends a deregistration request message (Deregistration Request) to the AMF, and the AMF receives the deregistration request message.
  • S702 The AMF confirms the attribute of the third slice stored in the context of the user equipment.
  • the third slice is a slice (corresponding to an S-NSSAI identifier) last accessed by the user equipment, or among multiple slices (corresponding to multiple S-NSSAI identifiers or NSSAIs including multiple S-NSSAIs) Any/every slice of (when multiple slices are allowed to be accessed at the same time, it indicates that the attributes of these slices are compatible and can share a set of keys).
  • the AMF can acquire the attributes of the third slice locally or in the UDM (or other NFs). For example, the AMF first determines whether there is an attribute of the third slice in the context of the user equipment stored locally, and if so, the AMF obtains the attribute of the third slice in the context of the user equipment, if it does not exist , the AMF obtains the attribute of the third slice in the UDM.
  • S703 Performing processes such as PDU session release, N4 session release (N4 session release), and policy termination (policy termination).
  • S704 The AMF sends a deregistration accept message (Deregistration Accept), and the user equipment receives the deregistration accept message.
  • S705a The AMF checks the attribute of the third slice.
  • S705b The user equipment checks the attribute of the third slice.
  • if the attribute of the third slice allows sharing with other slices (the third slice is not an exclusive slice), the AMF and the user equipment retain the third key and execute S706.
  • if the attribute of the third slice is not allowed to be shared with slices of any other attribute (the third slice is an exclusive slice), the AMF and the user equipment delete the third key and execute S706.
  • S706 The user equipment and the AMF release signal connection.
  • S702 can also be executed during S703 (which involves multiple interactive messages), or carried in existing messages of S703 (for example, by adding information elements), without adding separate interactive messages.
  • the order of S705a and S705b is not limited; S705a and S705b may be executed before S704, or after S706.
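The deregistration-time decision about the third key (the rules listed for the first network device above, and S705a/S705b of FIG. 7), as an added example by the editor; it is not code from the patent or from Huawei. It assumes the page's attribute encoding (3 = exclusive, anything else may share), models the AMF and UE contexts as small records, and takes "the subscription contains a slice incompatible with the third slice" as a boolean input computed by the caller with the matching rules this page lists, rather than recomputing them here. A UDM indication, as in FIG. 8, overrides the local check. Identifiers and keys are constructed.

```python
"""Deregistration-time handling of the third key (FIG. 6 to FIG. 8 on this page).

Editor's added example; not the patent's or Huawei's code.  Attribute values
follow the page: 0 ordinary, 1 type 1, 2 type 2, 3 exclusive.
"""
from dataclasses import dataclass
from typing import Optional

EXCLUSIVE = 3


@dataclass
class UeContext:
    """What the AMF (and, mirrored, the UE) holds for one registration."""
    supi: str
    last_slices: dict            # S-NSSAI -> attribute value of each slice accessed last
    subscribed: set              # S-NSSAIs the UE is subscribed to (local copy or from UDM)
    third_key: Optional[bytes]   # Kamf protecting the slice(s) accessed last


def third_slice_attribute(ctx: UeContext) -> int:
    """Slices accessed together share one key, so their attributes are compatible;
    the strictest of them decides.  An unidentified attribute counts as ordinary."""
    if not ctx.last_slices:
        return 0
    return max((0 if a is None else a) for a in ctx.last_slices.values())


def must_delete_third_key(ctx: UeContext, incompatible_subscription: bool = False) -> bool:
    """AMF rule: drop the key of an exclusive slice unless that slice is the only
    one the UE subscribes to (nothing else could ever reuse the key); for a
    non-exclusive slice, drop it only if the subscription holds an incompatible slice."""
    if third_slice_attribute(ctx) == EXCLUSIVE:
        return bool(ctx.subscribed - set(ctx.last_slices))
    return incompatible_subscription


def amf_deregister(ctx: UeContext, incompatible_subscription: bool = False,
                   udm_delete_indication: Optional[bool] = None) -> dict:
    """Decide, apply locally, and produce the indications the AMF sends on.
    A UDM indication (FIG. 8) overrides the local attribute check."""
    if udm_delete_indication is None:
        delete = must_delete_third_key(ctx, incompatible_subscription)
    else:
        delete = udm_delete_indication
    if delete:
        ctx.third_key = None
    return {
        "deleted_locally": delete,
        "indicate_ue_delete": delete,   # indication to the user equipment
        "notify_other_nfs": delete,     # e.g. UDM, other AMFs
    }


def ue_deregister(ue_ctx: UeContext, indication_from_amf: Optional[bool]) -> bool:
    """UE side: follow the AMF's indication when one arrives; otherwise decide
    from the slice attribute alone (S705b), since the UE has no subscription view."""
    if indication_from_amf is None:
        delete = third_slice_attribute(ue_ctx) == EXCLUSIVE
    else:
        delete = indication_from_amf
    if delete:
        ue_ctx.third_key = None
    return delete


def worked_example() -> dict:
    key = bytes(range(32))                       # constructed sample Kamf
    # (a) UE used exclusive S-NSSAI-3 but is also subscribed to S-NSSAI-1: key must go.
    amf_a = UeContext("supi-1", {"S-NSSAI-3": EXCLUSIVE}, {"S-NSSAI-1", "S-NSSAI-3"}, key)
    ue_a = UeContext("supi-1", {"S-NSSAI-3": EXCLUSIVE}, set(), key)
    ue_deregister(ue_a, amf_deregister(amf_a)["indicate_ue_delete"])
    # (b) UE subscribes only to that exclusive slice: both sides may keep the key.
    amf_b = UeContext("supi-2", {"S-NSSAI-3": EXCLUSIVE}, {"S-NSSAI-3"}, key)
    ue_b = UeContext("supi-2", {"S-NSSAI-3": EXCLUSIVE}, set(), key)
    ue_deregister(ue_b, amf_deregister(amf_b)["indicate_ue_delete"])
    # (c) Ordinary and type-2 slices shared one key, but the subscription also holds
    #     an exclusive slice incompatible with them (caller computed that): delete.
    amf_c = UeContext("supi-3", {"S-NSSAI-1": 0, "S-NSSAI-2": 2},
                      {"S-NSSAI-1", "S-NSSAI-2", "S-NSSAI-3"}, key)
    amf_deregister(amf_c, incompatible_subscription=True)
    return {"a": (amf_a.third_key, ue_a.third_key),
            "b": (amf_b.third_key, ue_b.third_key),
            "c": amf_c.third_key}
```

The asymmetry between the two ends is deliberate: the AMF can consult the subscription (locally or via the UDM) and so can keep an exclusive slice's key when nothing else could ever share it, while a UE acting without an indication falls back to the attribute-only rule and deletes.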
  • the network device initiates the deregistration process, and the slice isolation process is shown in Figure 8, including the following steps:
  • Optional step S801 The UDM sends a de-registration notification message, and the AMF receives the de-registration notification message.
  • the UDM initiates a deregistration process.
  • the de-registration notification message may include attributes of the third slice or attributes of all subscribed slices of the user equipment.
  • the de-registration notification message may further include indication information to instruct the AMF to delete the third key. That is, the UDM determines the security sensitivity or isolation requirement according to the information of the third slice or the information of the slice subscribed by the user equipment.
  • S802 The AMF sends a deregistration request message to the user equipment, and the user equipment receives the deregistration request message.
  • the AMF may also initiate a deregistration process by itself.
  • the de-registration request message is an optional message, that is, the de-registration process may or may not notify the user equipment. If the deregistration request message is sent, optionally, the AMF may further instruct the user equipment to delete the third key.
  • the AMF determines whether to delete the third key according to the attribute of the third slice sent by the UDM (see S705a above), or according to the indication information from the UDM.
  • S804 The user equipment sends a de-registration accept message, and the AMF receives the de-registration accept message.
  • S805a The AMF checks the attribute of the third slice.
  • S805b The user equipment checks the attribute of the third slice.
  • S805a can be performed at any step (including before step S801, so that the AMF can initiate the deregistration process by itself).
  • the S805b can be performed in any step after S802.
  • the slice isolation method shown in FIG. 7 and FIG. 8 is applicable to both time-sharing AMF and non-shared AMF.
  • the slice isolation process provided in the AMF redirection process is shown in Figure 9.
  • the process includes:
  • the first network device sends a redirection message to a second network device, and the second network device receives the redirection message.
  • the first network device during the AMF redirection process may be understood as a source network device, and the second network device during the AMF redirection process may be understood as a target network device.
  • the redirection message includes information of the fourth slice of the user equipment and/or information of the fifth slice that the user equipment requests to access.
  • the fourth slice is the currently saved slice that the user equipment has previously accessed or is currently accessing.
  • the information of the fourth slice includes identification information of the fourth slice, and optionally includes a fourth key and/or the attribute of the fourth slice, where the fourth key is used to perform security protection on the information of the fourth slice or/and the information when the user equipment accesses the fourth slice.
  • the information of the fifth slice includes identification information of the fifth slice, and optional attributes of the fifth slice.
  • a typical scenario of AMF redirection is: the user equipment has completed network-level authentication (first-level authentication) with the first network device, and a security context (eg, the fourth key kamf) has been generated.
  • the first network device decides to serve the user equipment by another suitable second AMF.
  • the interaction between the user equipment and the first network device is converted into the interaction between the user equipment and the second network device.
  • the first network device may also check whether the currently saved security context of the user equipment has been used to secure the information of a slice (eg, the fourth slice), or whether information of the fourth slice exists. If not, that is, the fourth slice does not exist, the first network device may assume that the attribute of the (non-existing) fourth slice is a common slice that can match any slice, and then execute S901. If so, the fourth slice exists, and the first network device compares the information of the fourth slice with the information of the fifth slice:
  • if the information of the fourth slice matches the information of the fifth slice, the first network device executes S901;
  • if the information of the fourth slice does not match the information of the fifth slice, and the isolation requirement of the fourth slice is higher than or not lower than the isolation requirement of the fifth slice (for example, the fourth slice has an isolation requirement (non-ordinary slice) and the fifth slice is an ordinary slice), the first network device generates the fifth key according to the fourth key, and then executes S901;
  • otherwise (the information does not match, but the isolation requirement of the fourth slice is not higher than that of the fifth slice), the first network device executes S901.
  • in an optional manner, if the information of the fourth slice does not match the information of the fifth slice, the first network device generates the fifth key according to the fourth key, and then executes S901.
  • if the second network device successfully re-authenticates the user equipment, the second network device generates the fifth key.
  • the second network device continues to register the user equipment.
  • the first network device may compare the information of the fourth slice with the information of the fifth slice, and/or the second network device may also compare the information of the fourth slice with the information of the fifth slice; when the compared slice information does not match, S902 is performed to re-authenticate and generate a fifth key (not based on the fourth key), or a fifth key is generated according to the fourth key.
  • the slice isolation process is shown in Figure 10, which is mainly applicable to non-shared AMF, including the following steps:
  • S1001 The user equipment sends a registration request message to the access network device.
  • the registration request message is used to request access to the fifth slice.
  • the access network device sends an initial message (Initial UE message) to an initial/source (Initial/Source) AMF.
  • the initial/source (Initial/Source) AMF may be the first network device.
  • the initial message includes the registration request message.
  • the source AMF initiates network authentication with the user equipment (not shown in FIG. 10) and establishes a security context (including the key Kamf) of the user equipment, which is used to securely protect the messages between the user equipment and the network (such as encryption and integrity protection of NAS messages).
  • the source AMF determines that AMF redirection needs to be performed, and a target (target) AMF serves the user equipment.
  • the target (target) AMF may be the second network device.
  • the source AMF compares the information of the fourth slice currently saved with the information of the fifth slice that the user requests to access.
  • if the information of the fourth slice matches the information of the fifth slice, the first network device executes S1004; if the information of the fourth slice does not match the information of the fifth slice, and the fourth slice has an isolation requirement (non-ordinary slice), the first network device (initial AMF) generates the fifth key according to the fourth key, and then executes S1004; if the information of the fourth slice does not match the information of the fifth slice, and the fourth slice does not have an isolation requirement (ordinary slice), the first network device executes S1004.
  • in an optional manner, if the information of the fourth slice does not match the information of the fifth slice, the first network device (initial AMF) generates the fifth key according to the fourth key, and then executes S1004.
  • the source AMF sends a redirected message (Rerouted message) to the target AMF.
  • the redirection message includes the information of the fourth slice and/or the information of the fifth slice.
  • the information of the fourth slice includes identification information of the fourth slice, and optionally includes the fourth key and/or the attribute of the fourth slice.
  • the fourth key is used to perform security protection on the information of the fourth slice or/and the information when the user equipment accesses the fourth slice.
  • the information of the fifth slice includes identification information of the fifth slice, and optional attributes of the fifth slice.
  • the source AMF may forward the redirection message via the access network device (as shown in S1004a and S1004b). If forwarded by the access network device, the redirection message of S1004b may be different from the redirection message of S1004.
  • S1005 The target AMF compares the information of the fourth slice currently saved with the information of the fifth slice that the user requests to access.
  • if the information of the fourth slice does not match the information of the fifth slice and the fifth slice has an isolation requirement, the second network device (target AMF) first re-authenticates the user equipment, that is, initiates network authentication (first-level authentication) with the user equipment and generates a fifth key (not based on the fourth key), and then executes S1006.
  • the re-authentication process is similar to that of S1003, except that the target AMF initiates network authentication with the user equipment.
  • in the other cases where the information of the fourth slice does not match the information of the fifth slice, the target AMF generates the fifth key according to the fourth key and then executes S1006, or executes S1006 directly; in an optional manner, the target AMF generates the fifth key according to the fourth key whenever the information does not match, and then executes S1006.
  • if the information of the fourth slice matches the information of the fifth slice, the second network device executes S1006.
  • S1006 The second network device continues to register the user equipment.
  • the comparison process of S1003 and S1005 can be performed both, or one of them can be selectively performed.
  • the slice isolation method provided by the embodiments of the present application can ensure secure isolation between slices and avoid information leakage between slices.
  • the embodiments of the present application can ensure the security of a scenario under a shared network infrastructure, and can also ensure the security of a local network.
  • the communication apparatus 1100 may exist in the form of software or hardware.
  • the communication apparatus 1100 may include: a processing unit 1102 and a transceiver unit 1103 .
  • the transceiver unit 1103 may include a receiving unit and a sending unit.
  • the processing unit 1102 is used to control and manage the operation of the communication device 1100 .
  • the transceiver unit 1103 is used to support the communication between the communication device 1100 and other network entities.
  • the communication device 1100 may further include a storage unit 1101 for storing program codes and data of the communication device 1100 .
  • the processing unit 1102 may be a processor or a controller, for example, a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA, or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with this disclosure.
  • the processor may also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the storage unit 1101 may be a memory.
  • the transceiver unit 1103 is an interface circuit of the device for receiving signals from other devices. For example, when the device is implemented in the form of a chip, the transceiver unit 1103 is an interface circuit used by the chip to receive signals from other chips or devices, or an interface circuit used by the chip to send signals to other chips or devices.
  • the communication apparatus 1100 may be user equipment and/or network equipment in any of the foregoing embodiments, and may also be a chip for user equipment and/or network equipment.
  • when the communication apparatus 1100 is user equipment and/or a network device, the processing unit 1102 may be, for example, a processor; the transceiver unit 1103 may be, for example, a transceiver, which may include a radio frequency circuit; and the storage unit may be, for example, a memory.
  • when the communication apparatus 1100 is a chip for user equipment and/or a network device, the processing unit 1102 may be, for example, a processor, and the transceiver unit 1103 may be, for example, an input/output interface, a pin, or a circuit.
  • the processing unit 1102 can execute computer-executed instructions stored in a storage unit. The storage unit may be a storage unit in the chip, such as a register or a cache, or a storage unit located outside the chip in the user equipment and/or the network device, such as a ROM or other type of static storage device that can store static information and instructions, a RAM, etc.
  • the communication apparatus 1100 may be applied to a first network device.
  • the transceiver unit 1103 is configured to acquire information of the first slice of the user equipment
  • the processing unit 1102 is configured to obtain a second key if the information of the first slice does not match the information of the second slice that the user equipment requests to access, where the second key is used to perform security protection on the information of the second slice or/and the information when the user equipment accesses the second slice.
  • the information of the first slice includes an attribute of the first slice
  • the information of the second slice includes an attribute of the second slice
  • the processing unit 1102 is specifically configured to obtain the second key if the attribute of the first slice does not match the attribute of the second slice.
  • when acquiring the second key, the processing unit 1102 is specifically configured to generate the second key according to a first key, where the first key is used to perform security protection on the information of the first slice or/and the information when the user equipment accesses the first slice.
  • when generating the second key according to the first key, the processing unit 1102 is specifically configured to: if the isolation requirement of the first slice is higher than the isolation requirement of the second slice, generate the second key according to the first key.
  • when acquiring the second key, the processing unit 1102 is specifically configured to: re-authenticate the user equipment; and if the user equipment is successfully re-authenticated, generate the second key.
  • when re-authenticating the user equipment, the processing unit 1102 is specifically configured to: if the isolation requirement of the first slice is lower than the isolation requirement of the second slice, re-perform network authentication on the user equipment.
  • the attributes of the first slice do not match the attributes of the second slice, including:
  • the attributes of the first slice or the attributes of the second slice are not allowed to be shared with slices of any other attribute; or
  • the attribute of the first slice is only allowed to be shared by slices with the same service type SST, and the SST of the attribute of the second slice is different from the SST of the attribute of the first slice; or
  • the attribute of the second slice is only allowed to be shared by slices with the same service type SST, and the SST of the attribute of the first slice is different from the SST of the attribute of the second slice; or
  • the attributes of the first slice are only allowed to be shared by slices with the same slice differentiation factor SD, and the SD of the attributes of the second slice is different from the SD of the attributes of the first slice; or
  • the attributes of the second slice are only allowed to be shared by slices having the same slice differentiation factor SD, and the SD of the attributes of the first slice is different from the SD of the attributes of the second slice.
  • the transceiver unit 1103 is further configured to send a registration acceptance message to the user equipment if the attribute of the first slice matches the attribute of the second slice.
  • the attributes of the first slice match the attributes of the second slice, including:
  • the attributes of the first slice or the attributes of the second slice are allowed to be shared with slices of any other attribute; or
  • the attribute of the first slice is only allowed to be shared by slices with the same SST, and the SST of the attribute of the second slice is the same as the SST of the attribute of the first slice; or
  • the attribute of the second slice is only allowed to be shared by slices with the same SST, and the SST of the attribute of the first slice is the same as the SST of the attribute of the second slice; or
  • the attribute of the first slice is only allowed to be shared by slices with the same SD, and the SD of the attribute of the second slice is the same as the SD of the attribute of the first slice; or
  • the attribute of the second slice is only allowed to be shared by slices with the same SD, and the SD of the attribute of the first slice is the same as the SD of the attribute of the second slice; or
  • the second slice and the first slice are mapped to the same single network slice selection assistance information S-NSSAI.
  • the communication apparatus 1100 may be applied to user equipment.
  • the transceiver unit 1103 is configured to send a first request message to a first network device, where the first request message is used to request access to a second slice; and to receive a first indication message from the first network device, where the first indication message is used to instruct the user equipment to obtain a second key;
  • the processing unit 1102 is configured to acquire the second key, where the second key is used to perform security protection on the information of the second slice or/and the information when the user equipment accesses the second slice.
  • when acquiring the second key, the processing unit 1102 is specifically configured to acquire a first key, where the first key is used to perform security protection on the information of the first slice or/and the information when the user equipment accesses the first slice; and to generate the second key according to the first key.
  • when acquiring the second key, the processing unit 1102 is specifically configured to re-authenticate with the first network device; and if the re-authentication with the first network device succeeds, the user equipment generates the second key.
  • the transceiver unit 1103 is further configured to receive a registration acceptance message from the first network device.
  • the communication apparatus 1100 can be applied to the first network device.
  • the transceiver unit 1103 is configured to receive a deregistration request message, or send a deregistration request message;
  • the processing unit 1102 is configured to delete the third key of the user equipment, where the third slice is the last slice accessed by the user equipment, and the third key is used to perform security protection on the information of the third slice or/and the information when the user equipment accesses the third slice.
  • when deleting the third key of the user equipment, the processing unit 1102 is specifically configured to delete the third key of the user equipment if it is determined that the attribute of the third slice is not allowed to be shared with slices of any attribute.
  • the transceiving unit 1103 is further configured to send a de-registration acceptance message to the user equipment if it is determined that the third slice attribute is allowed to be shared with other attribute slices.
  • the transceiver unit 1103 is further configured to send a de-registration acceptance message to the user equipment if the slice attribute of the third slice is not obtained.
  • the communication apparatus 1100 may be applied to user equipment.
  • the transceiver unit 1103 is configured to send a deregistration request message, or receive a deregistration request message;
  • the processing unit 1102 is configured to delete the third key of the user equipment, where the third slice is the last slice accessed by the user equipment, and the third key is used to perform security protection on the information of the third slice or/and the information when the user equipment accesses the third slice.
  • when deleting the third key of the user equipment, the processing unit 1102 is specifically configured to delete the third key of the user equipment if it is determined that the attribute of the third slice is not allowed to be shared with slices of any attribute.
  • the communication apparatus 1100 may be applied to a second network device.
  • the transceiver unit 1103 is configured to receive redirection information from the first network device, where the redirection information includes information of the fourth slice of the user equipment and/or information of the fifth slice that the user equipment requests to access;
  • the processing unit 1102 is configured to re-authenticate the user equipment if the information of the fourth slice does not match the information of the fifth slice and the fifth slice has an isolation requirement.
  • the processing unit 1102 is further configured to continue the registration procedure for the user equipment if the information of the fourth slice does not match the information of the fifth slice and the fifth slice is allowed to be shared with slices of any other attribute.
  • the communication device 1200 includes: a processor 1202 , a communication interface 1203 , and a memory 1201 .
  • the communication device 1200 may further include a communication line 1204 .
  • the communication interface 1203, the processor 1202 and the memory 1201 can be connected to each other through a communication line 1204;
  • the communication line 1204 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like.
  • the communication line 1204 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 12, but it does not mean that there is only one bus or one type of bus.
  • the processor 1202 may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits for controlling the execution of the programs of the present application.
  • the communication interface 1203, using any device such as a transceiver, is used to communicate with other devices or communication networks, such as Ethernet, RAN, wireless local area networks (WLAN), wired access networks, and the like.
  • the memory 1201 may be a ROM or other type of static storage device that can store static information and instructions, a RAM or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without limitation.
  • the memory may exist independently and be connected to the processor through communication line 1204 .
  • the memory can also be integrated with the processor.
  • the memory 1201 is used for storing computer-executed instructions for executing the solution of the present application, and the execution is controlled by the processor 1202 .
  • the processor 1202 is configured to execute the computer-executed instructions stored in the memory 1201, so as to implement the method for registering a terminal device provided by the foregoing embodiments of the present application.
  • the computer-executed instructions in the embodiment of the present application may also be referred to as application code, which is not specifically limited in the embodiment of the present application.
  • Embodiments of the present application further provide a computer storage medium storing a computer program, and when the computer program is executed by a computer, the computer can be used to execute the above-mentioned slice isolation method.
  • Embodiments of the present application also provide a computer program product including instructions, which, when run on a computer, enables the computer to execute the slice isolation method provided above.
  • An embodiment of the present application further provides a communication system, where the communication system includes a first network device and user equipment.
  • the communication system further includes a second network device.
  • "at least one (item or kind) of a, b, or c" can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b, and c can be single or multiple.
  • "plurality" means two or more, and other quantifiers are similar.
  • occurrences of the singular forms "a", "an" and "the" do not mean "one or only one" unless the context clearly dictates otherwise, but rather "one or more".
  • "a device" means one or more such devices.
  • the above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • when implemented by software, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website site, computer, server, or data center to another website site, computer, server, or data center by wire (eg, coaxial cable, fiber optic, digital subscriber line (DSL)) or wirelessly (eg, infrared, radio, microwave, etc.).
  • the computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server, a data center, or the like that includes an integration of one or more available media.
  • the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVD), or semiconductor media (eg, Solid State Disk (SSD)), and the like.
  • a general-purpose processor may be a microprocessor, or alternatively, the general-purpose processor may be any conventional processor, controller, microcontroller, or state machine.
  • a processor may also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors in combination with a digital signal processor core, or any other similar configuration.
  • a software unit may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art.
  • a storage medium may be coupled to the processor such that the processor may read information from, and store information in, the storage medium.
  • the storage medium can also be integrated into the processor.
  • the processor and storage medium may be provided in the ASIC.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of this application provide a slice isolation method, apparatus and system, used to avoid information leakage between slices and to guarantee information security between slices. The method includes: a first network device obtains information of a first slice of a user equipment; if the information of the first slice does not match the information of a second slice that the user equipment requests to access, the first network device obtains a second key, where the second key is used to perform security protection on the information of the second slice and/or the information when the user equipment accesses the second slice.

Description

Slice isolation method, apparatus and system
Technical field
This application relates to the field of wireless communication technology, and in particular to a slice isolation method, apparatus and system.
Background
The Global System for Mobile Communications Association (GSMA) defines the common attributes of the generic slice template, referred to as slice attributes for short. A slice's attribute describes whether the slice can be used simultaneously with other slices, that is, whether a user equipment may use multiple slices at the same time. Multiple slices may share some network resources; without proper isolation, there is a risk that they leak information to each other.
The existing 3rd Generation Partnership Project (3GPP) standards allow a user equipment to access different slices successively in a time-shared manner. When a user equipment accesses different slices one after another, it may use the same access and mobility management function (AMF) or different AMFs. Thus a user equipment may access slice 1 at some moment, use and complete the services on slice 1, and then leave slice 1 and the network; later the user equipment may access slice 2. At that point the user equipment and the network may still retain and use the security context corresponding to slice 1, and slice 2 may obtain and use the currently saved security context, so that information related to slice 1 is obtained by slice 2 and the information of slice 1 is at risk of leakage.
Summary of the invention
Embodiments of this application provide a slice isolation method, apparatus and system, used to avoid information leakage between slices and to guarantee the security of control signalling and data between slices.
According to a first aspect, a slice isolation method is provided, including: a first network device obtains information of a first slice of a user equipment; if the information of the first slice does not match the information of a second slice that the user equipment requests to access, the first network device obtains a second key, where the second key is used to perform security protection on the information of the second slice or/and the information when the user equipment accesses the second slice.
The second key is the key used by the user equipment and the network when the user equipment accesses the second slice. The second key is used to perform security protection on the information of the second slice and/or the information when the user equipment accesses the second slice. In one possible understanding, the second key is the key of the first network device (such as an AMF); for example, the second key is the key of the first network device when the user equipment accesses the second slice. In another possible understanding, the second key is a key for the second slice, or the second key is the key of the second slice.
It can be understood that the "information" referred to in the embodiments of this application includes, but is not limited to, slice-related control signalling and user data.
With the above method, when the currently saved information of the first slice does not match the information of the second slice requested for access, the first network device can re-obtain the second key, ensuring that the information of the second slice is protected by the second key and can be correctly decrypted only with the second key. This prevents the information of the second slice from also being obtainable with other keys, and guarantees information security between slices.
In one possible design, the information of the first slice includes the attribute of the first slice, and the information of the second slice includes the attribute of the second slice; the first network device obtaining the second key if the information of the first slice does not match the information of the second slice that the user equipment requests to access includes:
if the attribute of the first slice does not match the attribute of the second slice, the first network device obtains the second key.
A slice's attribute can describe whether the slice can be shared with other slices. Therefore, when the slice attributes do not match, it is determined that the first slice and the second slice cannot be shared by the user equipment, and the key used when the user equipment accesses the first slice is distinguished from the key used when the user equipment accesses the second slice, avoiding information leakage between slices.
In one possible design, the first network device obtaining the second key includes:
the first network device generates the second key according to a first key, where the first key is used to perform security protection on the information of the first slice or/and the information when the user equipment accesses the first slice.
The first key is the key used by the user equipment and the network when the user equipment accesses the first slice. The first key is used to perform security protection on the information of the first slice and/or the information when the user equipment accesses the first slice. In one possible understanding, the first key is the key of the first network device; for example, the first key is the key of the first network device when the user equipment accesses the first slice. In another possible understanding, the first key is a key for the first slice, or the first key is the key of the first slice.
In this design, generating the second key according to the first key not only guarantees information security between slices, but also reduces the amount of data exchanged between the user equipment and the network device.
In one possible design, the first network device generating the second key according to the first key includes:
if the isolation requirement of the first slice is higher than the isolation requirement of the second slice, the first network device generates the second key according to the first key.
Depending on the slices' isolation requirements, when the isolation requirement of the previously accessed slice is higher than that of the slice to be accessed this time, a new key is generated based on the currently saved key, which reduces the amount of data exchanged between the user equipment and the network device while guaranteeing information security between slices.
In one possible design, the first network device obtaining the second key includes:
the first network device re-authenticates the user equipment;
if the first network device successfully re-authenticates the user equipment, the first network device generates or receives the second key.
By re-performing network authentication on the user equipment, the first network device can guarantee information security between slices. The second key may be generated by the first network device, or by another network device. If the second key is generated by another network device, the first network device can obtain the second key from that other network device, that is, the first network device receives the second key from the other network device.
In one possible design, the first network device re-authenticating the user equipment includes:
if the isolation requirement of the first slice is lower than the isolation requirement of the second slice, the first network device re-performs network authentication on the user equipment.
Depending on the slices' isolation requirements, when the isolation requirement of the previously accessed slice is lower than that of the slice to be accessed this time, re-performing network authentication and then generating a new key can further improve the security of information between slices.
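The derive-or-re-authenticate rule of the two designs above (the same rule the source and target AMF apply to the fourth and fifth keys in the redirection procedures of Figures 9 and 10), as an added example written for this page; it is not code from the patent or from 3GPP. The integer isolation levels, the `KeyAction` names, the `handle_slice_change` helper and the HMAC-SHA256 derivation with a constructed label are assumptions: the page only states that the new key is generated "according to" the saved key and names no key derivation function.

```python
"""Added example: how the key for a newly requested slice is obtained when the
requested slice does not match the previously accessed one.

Illustrative code for this page, not the patent's or any 3GPP implementation.
The KDF below (HMAC-SHA256 keyed with the current key over a constructed label
and the requested S-NSSAI) is an assumption; the page does not name one.
"""
import hashlib
import hmac
from enum import Enum
from typing import Optional, Tuple


class KeyAction(Enum):
    REUSE = "keep the current key (slice information matches)"
    DERIVE = "derive a new key from the current key"
    REAUTH = "re-authenticate; the new key is not based on the current key"


def decide_key_action(slices_match: bool, prev_isolation: int, req_isolation: int) -> KeyAction:
    """Map the page's rules to an action.

    prev_isolation / req_isolation are constructed integer levels for the
    previously accessed slice and the requested slice (0 = ordinary slice with
    no isolation requirement; larger = stricter). The page phrases the
    comparison only as "higher", "not lower" and "lower".
    """
    if slices_match:
        return KeyAction.REUSE
    if prev_isolation >= req_isolation:
        # The previous slice is at least as isolated as the requested one: a
        # one-way derivation keeps the old key out of the new slice while
        # avoiding a full authentication round trip.
        return KeyAction.DERIVE
    # The requested slice is more sensitive than the context it would inherit:
    # nothing derived from the less-protected context carries over, so the
    # network authenticates the user equipment again.
    return KeyAction.REAUTH


def derive_slice_key(current_key: bytes, requested_snssai: bytes) -> bytes:
    """Constructed KDF: HMAC-SHA256(current_key, label || S-NSSAI).

    One-way: a party holding only the derived key cannot recover current_key,
    so traffic of the previous (more isolated) slice stays unreadable from the
    new slice's context. Binding the S-NSSAI makes keys for different slices differ.
    """
    if len(current_key) < 16:
        raise ValueError("current key too short")
    label = b"slice-isolation-rekey"  # constructed label, not from the page
    return hmac.new(current_key, label + requested_snssai, hashlib.sha256).digest()


def handle_slice_change(current_key: bytes, slices_match: bool, prev_isolation: int,
                        req_isolation: int, requested_snssai: bytes,
                        fresh_key_from_auth: Optional[bytes] = None) -> Tuple[KeyAction, bytes]:
    """Return (action, key to protect the requested slice).

    For REAUTH the caller must pass the key produced by a successful
    re-authentication; the function refuses to serve the slice otherwise.
    """
    action = decide_key_action(slices_match, prev_isolation, req_isolation)
    if action is KeyAction.REUSE:
        return action, current_key
    if action is KeyAction.DERIVE:
        return action, derive_slice_key(current_key, requested_snssai)
    if fresh_key_from_auth is None:
        raise RuntimeError("re-authentication required before the requested slice can be served")
    return action, fresh_key_from_auth


if __name__ == "__main__":
    # Constructed sample values: a 32-byte saved key and an S-NSSAI (SST=1, SD=ABCDEF).
    saved_key = bytes(range(32))
    snssai = bytes([0x01, 0xAB, 0xCD, 0xEF])
    act, key = handle_slice_change(saved_key, False, 2, 0, snssai)
    print(act.value, key.hex())
    act, key = handle_slice_change(saved_key, False, 0, 2, snssai, fresh_key_from_auth=b"\x11" * 32)
    print(act.value, key.hex())
```

Both the AMF and the user equipment run the same derivation on the same saved key, so the DERIVE branch needs no key transport; the REAUTH branch models the page's "not based on the fourth key" case, where the new key comes out of a fresh authentication run.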
In one possible design, the attribute of the first slice not matching the attribute of the second slice includes:
the attribute of the first slice or the attribute of the second slice is not allowed to be shared with slices of any other attribute; or
the attribute of the first slice is only allowed to be shared by slices with the same service type SST, and the SST of the attribute of the second slice is different from the SST of the attribute of the first slice; or
the attribute of the second slice is only allowed to be shared by slices with the same service type SST, and the SST of the attribute of the first slice is different from the SST of the attribute of the second slice; or
the attribute of the first slice is only allowed to be shared by slices with the same slice differentiator SD, and the SD of the attribute of the second slice is different from the SD of the attribute of the first slice; or
the attribute of the second slice is only allowed to be shared by slices with the same slice differentiator SD, and the SD of the attribute of the first slice is different from the SD of the attribute of the second slice.
In one possible design, if the attribute of the first slice matches the attribute of the second slice, the first network device may also send a registration accept message to the user equipment.
When the attribute of the first slice and the attribute of the second slice match, the first network device can continue to complete the registration process with the user equipment.
In one possible design, the attribute of the first slice matching the attribute of the second slice includes:
the attribute of the first slice or the attribute of the second slice is allowed to be shared with slices of any other attribute; or
the attribute of the first slice is only allowed to be shared by slices with the same SST, and the SST of the attribute of the second slice is the same as the SST of the attribute of the first slice; or
the attribute of the second slice is only allowed to be shared by slices with the same SST, and the SST of the attribute of the first slice is the same as the SST of the attribute of the second slice; or
the attribute of the first slice is only allowed to be shared by slices with the same SD, and the SD of the attribute of the second slice is the same as the SD of the attribute of the first slice; or
the attribute of the second slice is only allowed to be shared by slices with the same SD, and the SD of the attribute of the first slice is the same as the SD of the attribute of the second slice; or
the second slice and the first slice are mapped to the same single network slice selection assistance information S-NSSAI.
In one possible design, the attribute of the first slice not matching the attribute of the second slice includes all cases that do not satisfy the above attribute matching conditions.
第二方面,提供一种切片隔离方法,包括用户设备向第一网络设备发送第一请求消息,所述第一请求消息用于请求接入第二切片;所述用户设备接收来自所述第一网络设备的第一指示消息,所述第一指示消息用于指示所述用户设备获取第二密钥;所述用户设备获取所述第二密钥,所述第二密钥用于对所述第二切片的信息或/和所述用户设备接入所述第二切片时的信息进行安全保护。
通过上述方法,所述第一网络设备可以在当前保存的第一切片的信息和请求接入的第二切片的信息不匹配时,重新获取所述第二密钥,保证所述第二切片的信息通过所述第二密钥进行保护,仅能利用所述第二密钥正确解密,避免了利用其他密钥也可获取所述第二切片的信息,保证切片间的信息安全。
在一种可能的设计中,所述用户设备获取所述第二密钥,包括:
所述用户设备获取第一密钥,所述第一密钥用于对所述第一切片的信息或/和所述用户设备接入所述第一切片时的信息进行安全保护;
所述用户设备根据所述第一密钥生成所述第二密钥。
根据所述第一密钥生成第二密钥,不仅可以保证切片间的信息安全,还可以减少用户设备与网络设备之间交互的数据量。
在一种可能的设计中,所述用户设备获取所述第二密钥,包括:
所述用户设备与所述第一网络设备重新进行认证;
若所述用户设备与所述第一网络设备重新认证成功,则所述用户设备生成或接收所述第二密钥。
所述第一网络设备通过对用户设备重新进行网络认证,从而可以保证切片间的数据安全。所述第二密钥可以由所述用户设备生成,也可以由网络设备(如所述第一网络设备)生成。若所述第二密钥由网络设备生成,所述用户设备可以在所述网络设备中获取所述第二密钥,即所述用户设备接收来自所述网络设备的所述第二密钥。
在一种可能的设计中,所述用户设备还可以接收来自所述第一网络设备的注册接受消息。在所述第一切片的属性和所述第二切片的属性相匹配时,所述第一网络设备可以和所述用户设备继续完成注册过程。
第三方面,提供一种切片隔离方法,包括第一网络设备接收去注册请求消息,或者发送去注册请求消息,所述第一网络设备删除所述用户设备的第三密钥,所述第三密钥用于对第三切片的信息或/和所述用户设备接入所述第三切片时的信息进行安全保护,所述第三切片为所述用户设备最后接入的切片。
所述第三密钥为所述用户设备接入所述第三切片时,用户设备和网络所使用的密钥。所述第三密钥用于对所述第三切片的信息和/或所述用户设备接入所述第三切片时的信息进行安全保护。一种可能的理解,所述第三密钥为所述第一网络设备的密钥,示例性的,所述第三密钥为所述用户设备接入所述第三切片时,所述第一网络设备的密钥。另一种可能的理解,所述第三密钥为针对所述第三切片的密钥,或所述第三密钥为所述第三切片的密钥。
通过上述方法,第一网络设备删除去注册的用户设备的第三密钥,而为后续接入的切片重新生成密钥,从而避免切片间的信息泄露。
在一种可能的设计中,所述第一网络设备删除所述用户设备的第三密钥,包括:若所述第一网络设备确定所述第三切片属性不允许与任意属性切片共用,所述第一网络设备删除所述用户设备的第三密钥。通过对隔离要求高的专属切片删除密钥,避免后续接入的切片使用该专属密钥,从而保证切片间的数据安全。
在一种可能的设计中,若所述第一网络设备确定所述第三切片属性允许与其他属性切片共用,所述第一网络设备还可以向所述用户设备发送去注册接受消息。
在一种可能的设计中,若所述第一网络设备未获取到所述第三切片的切片属性,所述第一网络设备还可以向用户设备发送去注册接受消息。
第四方面,提供一种切片隔离方法,包括用户设备发送去注册请求消息,或者接收去注册请求消息,所述用户设备删除所述用户设备的第三密钥,所述第三切片为所述用户设备最后接入的切片,所述第三密钥用于对所述第三切片的信息或/和所述用户设备接入所述第三切片时的信息进行安全保护。通过上述方法,用户设备删除去注册的用户设备的第三密钥,而为后续接入的切片重新生成密钥,从而避免切片间的信息泄露。
在一种可能的设计中,所述用户设备删除所述用户设备的第三密钥,包括:若所述用户设备确定所述第三切片属性不允许与任意属性切片共用,所述用户设备删除所述用户设备的第三密钥。通过对隔离要求高的专属切片删除密钥,避免后续接入的切片使用该专属密钥,从而保证切片间的信息安全。
第五方面,提供一种切片隔离方法,包括:第二网络设备接收来自第一网络设备的重 定向信息,所述重定向信息包括用户设备的第四切片的信息和/或所述用户设备请求接入的第五切片的信息;
若所述第四切片的信息与所述第五切片的信息不匹配,且所述第五切片具有隔离要求,则所述第二网络设备对所述用户设备重新认证。
在请求接入的切片具有隔离要求时,第二网络设备对用户设备进行重新认证,生成新的密钥,避免了所述用户设备接入所述第四切片和所述用户设备接入所述第五切片时使用同一密钥造成的信息泄露,保证切片间的信息安全。
在一种可能的设计中,若所述第四切片的信息与所述第五切片的信息不匹配,且所述第五切片允许与其他任意属性切片共用,则所述第二网络设备继续对所述用户设备进行认证。
第六方面,提供一种通信装置,该装置具有实现上述任意方面或任意方面中的实现方法的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块。
第七方面,提供一种通信装置,包括:处理器和存储器;该存储器用于存储计算机执行指令,当该装置运行时,该处理器执行该存储器存储的该计算机执行指令,以使该装置执行如上述任意方面或任意方面中的实现方法。
第八方面,提供一种通信装置,包括:包括用于执行以上任意方面各个步骤的单元或手段(means)。
第九方面,提供一种通信装置,包括处理器和接口电路,所述处理器用于通过接口电路与其它装置通信,并执行以上任意方面提供的任意方法。该处理器包括一个或多个。
第十方面,提供一种通信装置,包括处理器,用于与存储器相连,用于调用所述存储器中存储的程序,以执行上述任意方面的任意实现方式中的方法。该存储器可以位于该装置之内,也可以位于该装置之外。且该处理器包括一个或多个。
第十一方面,提供一种计算机可读存储介质,所述计算机可读存储介质中存储有指令,当其在计算机上运行时,使得处理器执行上述任意方面所述的方法。
第十二方面,提供一种包括指令的计算机程序产品,当其在计算机上运行时,使得计算机执行上述任意方面所述的方法。
第十三方面,提供一种芯片系统,包括:处理器,用于执行上述各方面所述的方法。
第十四方面,提供一种通信系统,包括用于执行上述第一方面或第一方面任一实现方法的第一网络设备、用于执行上述第二方面或第二方面任一实现方法的用户设备。
第十五方面,提供一种通信系统,包括用于执行上述第三方面或第三方面任一实现方法的第一网络设备、用于执行上述第四方面或第四方面任一实现方法的用户设备。
第十六方面,提供一种通信系统,包括第一网络设备、用于执行上述第五方面或第五方面任一实现方法的第二网络设备及用户设备。
第十七方面,提供一种芯片系统,该芯片系统包括收发器用于实现上述任一方面的方法中网络设备或用户设备的功能,例如,例如接收或发送上述方法中所涉及的数据和/或信息。在一种可能的设计中,所述芯片系统还包括存储器,所述存储器,用于保存程序指令和/或数据。该芯片系统,可以由芯片构成,也可以包括芯片和其他分立器件。
上述第六方面至第十七方面中任一方面及其任一方面中任意一种可能的实现可以达 到的技术效果,请参照上述任意方面可以带来的技术效果描述,这里不再重复赘述。
Brief description of the drawings
Figure 1 is a schematic diagram of a possible network architecture according to an embodiment of this application;
Figures 2A and 2B are schematic diagrams of a slice access scenario;
Figures 3, 4, 5, 6, 7, 8, 9 and 10 are schematic diagrams of slice isolation procedures according to embodiments of this application;
Figures 11 and 12 are schematic diagrams of a communication apparatus according to embodiments of this application.
Detailed description
This application is described in further detail below with reference to the drawings.
This application presents its various aspects, embodiments or features around a system that may include multiple devices, components, modules and so on. It should be understood that each system may include additional devices, components, modules and so on, and/or may not include all of the devices, components, modules and so on discussed in connection with the drawings. Combinations of these solutions may also be used.
In addition, in the embodiments of this application, the word "exemplary" is used to mean serving as an example, instance or illustration. Any embodiment or design described as "exemplary" in this application should not be construed as preferred or advantageous over other embodiments or designs. Rather, the word exemplary is intended to present concepts in a concrete manner.
The network architectures and service scenarios described in the embodiments of this application are intended to explain the technical solutions of the embodiments more clearly and do not limit them. A person of ordinary skill in the art will know that, as network architectures evolve and new service scenarios appear, the technical solutions provided in the embodiments apply equally to similar technical problems.
Some of the terms used in the embodiments of this application are explained below to assist those skilled in the art.
1) A user equipment (UE), also called a terminal device, is a device with a wireless transceiving function that can communicate with one or more core network (CN) devices (also called core devices) via an access network device (also called an access device) in a radio access network (RAN).
A user equipment may also be called an access terminal, terminal, subscriber unit, subscriber station, mobile station, mobile, remote station, remote terminal, mobile device, user terminal, user agent, user apparatus, and so on. A user equipment may be deployed on land, indoors or outdoors, hand-held or vehicle-mounted; on water (for example on a ship); or in the air (for example on aircraft, balloons and satellites). A user equipment may be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a smart phone, a mobile phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), and so on. Alternatively, a user equipment may be a hand-held device with wireless communication capability, a computing device or another device connected to a wireless modem, a vehicle-mounted device, a wearable device, a drone, a terminal in the Internet of Things or the Internet of Vehicles, a terminal of any form in a fifth-generation (5G) network or a future network, a relay user equipment, a terminal in a future evolved PLMN, and so on. A relay user equipment may, for example, be a 5G residential gateway (RG). For example, a user equipment may be a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on. The embodiments of this application do not limit the type or kind of terminal device.
2) A network device is a device that can provide a wireless access function for terminals. A network device can support at least one radio communication technology, for example long term evolution (LTE), new radio (NR), wideband code division multiple access (WCDMA), and so on.
For example, a network device may include an access network device. Exemplary network devices include, but are not limited to: a next-generation base station or next-generation node B (gNB) in a 5G network, an evolved node B (eNB), a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example a home evolved node B or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), a mobile switching centre, a small cell, a micro cell, and so on. A network device may also be a radio controller, a centralized unit (CU) and/or a distributed unit (DU) in a cloud radio access network (CRAN) scenario, or a relay station, an access point, a vehicle-mounted device, a terminal, a wearable device, a network device in future mobile communications, a network device in a future evolved public land mobile network (PLMN), and so on.
As another example, a network device may include a core network (CN) device, such as an AMF.
In this application, "and/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the associated objects before and after it.
"Multiple" in this application means two or more.
In addition, it should be understood that in the description of this application, the words "first", "second" and so on are used only to distinguish what is described and cannot be understood as indicating or implying relative importance or order.
The technical solutions of the embodiments of this application can be applied to various communication systems. In a communication system, the part operated by an operator may be called a public land mobile network (PLMN), also called an operator network. A PLMN is a network established and operated by a government or an operator approved by it for the purpose of providing land mobile communication services to the public; it is mainly a public network through which a mobile network operator (MNO) provides mobile broadband access services to users. The PLMN described in the embodiments of this application may specifically be a network that meets the requirements of the 3GPP standards, referred to as a 3GPP network. 3GPP networks typically include, but are not limited to, 5G and fourth-generation (4G) networks. For ease of description, the embodiments of this application take a PLMN as an example. Alternatively, the technical solutions provided in the embodiments may also be applied to an LTE system, an LTE frequency division duplex (FDD) system, LTE time division duplex (TDD), a universal mobile telecommunications system (UMTS), a worldwide interoperability for microwave access (WiMAX) communication system, a 5G communication system or NR, and other future communication systems such as 6G.
As mobile broadband access services expand, mobile networks evolve to better support diverse business models and to meet the needs of more varied application services and more industries. To provide better and more complete services to more industries, the 5G network has also adjusted its network architecture relative to the 4G network. For example, the 5G network splits the mobility management entity (MME) of the 4G network into several network functions, including the AMF and the session management function (SMF).
To assist understanding of the embodiments, the application scenario used in this application is explained with the 5G network architecture shown in figure 1 as an example. Figure 1 shows the service-based 5G network architecture in a non-roaming scenario as defined in the 3GPP standardization process. The network architecture may include a terminal device (also called user equipment) part, a PLMN part and a data network (DN) part.
The PLMN may include: a network exposure function (NEF) 131, a network function repository function (NRF) 132, a policy control function (PCF) 133, a unified data management (UDM) 134, an authentication server function (AUSF) 136, an AMF 137, a session management function (SMF) 138, a user plane function (UPF) 139, an access network (AN) 140, a network slice selection function (NSSF) 141, a network slice specific authentication and authorization function (NSSAAF) 142, and so on. In the above PLMN, the part other than the access network 140 may be called the core network part.
The data network DN 120, which may also be called a packet data network (PDN), is usually deployed outside the PLMN, for example as a third-party network. Exemplarily, a PLMN may connect to multiple data networks DN 120, and a variety of services may be deployed on a data network DN 120 to provide data and/or voice services to the terminal device 110. For example, the data network DN 120 may be the private network of a smart factory, the sensors installed in the factory's workshops may be terminal devices 110, and a control server for the sensors is deployed in the data network DN 120 and can provide services to the sensors. A sensor can communicate with the control server, obtain instructions from it and send the collected sensor data to it according to those instructions. As another example, the data network DN 120 may be a company's internal office network, the mobile phones or computers of the company's employees may be terminal devices 110, and the employees' phones or computers can access information, data resources and so on in the internal office network. The terminal device 110 can establish a connection with the PLMN through an interface provided by the PLMN (for example the N1 interface in figure 1) and use the data and/or voice services provided by the PLMN. The terminal device 110 can also access the data network DN 120 through the PLMN and use the operator services deployed on the data network DN 120 and/or services provided by third parties. A third party here may be a service provider other than the PLMN and the terminal device 110 that provides the terminal device 110 with other data and/or voice services. The specific form of the third party depends on the actual application scenario and is not limited here.
The application function (AF) 135 may or may not belong to the PLMN. Usually, however, the AF belongs to a third party rather than to the PLMN, but has an agreement with the PLMN. The AF supports application influence on traffic routing, access to the network exposure function NEF, interaction with the policy framework for policy control, and so on.
The network functions in the PLMN are briefly introduced below.
The AN 140, also called the radio AN, is a sub-network of the PLMN and the implementing system between the service nodes (or network functions) in the PLMN and the terminal device 110. To access the PLMN, the terminal device 110 first goes through the AN 140 and then connects to the service nodes in the PLMN via the AN 140. In the embodiments of this application, the AN 140 may refer either to the access network itself or to an access network device; no distinction is made here. An access network device is a device that provides the wireless communication function for the terminal device 110 and may also be called an access device, a (R)AN device, a network device, and so on. Access network devices include, but are not limited to: a gNB in a 5G system, an eNB in an LTE system, an RNC, an NB, a BSC, a BTS, an HNB, a BBU, a TRP, a TP, a small cell device (pico), a mobile switching centre, or a network device in a future network. It can be understood that this application does not limit the specific type of access network device. In systems using different radio access technologies, the name of the device that provides the access network function may differ.
Optionally, in some deployments, the access device may include a CU and a DU. In other deployments, the CU may be further divided into a CU control plane (CP) and a CU user plane (UP). In still other deployments, the access device may also follow an open radio access network (O-RAN or Open RAN) architecture; this application does not limit the specific deployment of the access device.
The network exposure function NEF (also called network exposure function entity) 131 is a control plane function provided by the operator. The network exposure function NEF 131 is the external bidirectional interface through which network capabilities are exposed to third parties in a secure manner. When other network functions (such as the application function AF 135) need to communicate with a third-party network, the NEF network function 131 can act as a relay for communication with the third-party network entity. The NEF network function 131 can also act as a translator of the identification information of subscribers and of the identification information of third-party network functions. For example, when the NEF network function 131 sends a subscriber's subscription permanent identifier (SUPI) from the PLMN to a third party, it can translate the SUPI into the corresponding externally used generic public subscription identifier (GPSI). Conversely, the NEF network function 131 forwards external information into the PLMN, preventing the other network functions inside the PLMN from having direct contact with the outside.
The network repository function NRF 132 is a control plane function provided by the operator that can be used to maintain real-time information about all network function services in the network.
The policy control function PCF 133 is a control plane function provided by the operator that supports a unified policy framework to govern network behaviour and provides policy rules, subscription information relevant to policy decisions and so on to other control functions.
The unified data management UDM 134 is a control plane function provided by the operator, responsible for storing the SUPI, security context, subscription data and other information of subscribers of the PLMN. A subscriber of the PLMN may specifically be a user of the services provided by the PLMN, for example a user of a terminal device SIM card from China Telecom or from China Mobile. Exemplarily, a subscriber's SUPI may be the number of the terminal device's SIM card. The above security context may be data (a cookie) or a token stored on the local terminal device (for example a mobile phone). The subscription data of a subscriber may be the services associated with the terminal device's SIM card, for example the data plan of the mobile phone's SIM card.
The authentication server function AUSF 136 is a control plane function provided by the operator and is usually used for primary authentication, that is, network authentication between the terminal device 110 (the subscriber) and the PLMN.
The access and mobility management function AMF 137 is a control plane network function provided by the PLMN, responsible for access control and mobility management for the terminal device 110 accessing the PLMN, including mobility state management, allocation of temporary user identities, user authentication and authorization, and so on.
The session management function SMF 138 is a control plane network function provided by the PLMN, responsible for managing the protocol data unit (PDU) sessions of the terminal device 110. A PDU session is a channel for transporting PDUs; the terminal device exchanges data with the DN 120 through PDU sessions. The SMF 138 is responsible for establishing, maintaining and deleting PDU sessions. The SMF 138 includes session-related functions such as session management (session establishment, modification and release, including maintenance of the tunnel between the UPF 139 and the AN 140), selection and control of the UPF 139, service and session continuity (SSC) mode selection, and roaming.
The user plane function UPF 139 is a gateway provided by the operator, the gateway through which the PLMN communicates with the DN 120. The UPF 139 includes user-plane functions such as packet routing and forwarding, packet inspection, service usage reporting, quality of service (QoS) handling, lawful interception, uplink packet inspection and downlink packet storage.
The network slice selection function (NSSF) 141 is a control plane network function provided by the PLMN, responsible for determining network slice instances, selecting the AMF network function 137, and so on.
The network slice specific authentication and authorization function (NSSAAF) 142 is a control plane network function provided by the PLMN that supports slice authentication between the terminal device 110 and the DN.
The network functions in the PLMN shown in figure 1 may also include a unified data repository (UDR) and others (not shown); the embodiments of this application do not limit the other network functions included in the PLMN.
In figure 1, Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, Nnssf, Nnssaaf, N1, N2, N3, N4 and N6 are interface serial numbers. Exemplarily, the meaning of these interface serial numbers can be found in the definitions of the 3GPP standard protocols; this application does not limit their meaning. It should be noted that figure 1 only illustrates the terminal device 110 as a UE by way of example, and the interface names between the network functions in figure 1 are also only examples; in a specific implementation, the interface names of the system architecture may be different, which this application does not limit.
The mobility management network function in this application may be the AMF 137 shown in figure 1, or another network function in a future communication system that has the access and mobility management function of the AMF 137. Alternatively, the mobility management network function in this application may be the mobility management entity (MME) in an LTE system, and so on.
For ease of description, the embodiments of this application abbreviate the access and mobility management function AMF 137 as AMF, the unified data management UDM 134 as UDM, and call the terminal device 110 the user equipment or UE. That is, wherever AMF appears below it may be replaced by the mobility management network function, UDM by unified data management, and user equipment or UE by terminal device. It can be understood that the same substitution applies to other network functions not shown.
The network architecture shown in figure 1 (for example the 5G network architecture) uses a service-based architecture and generic interfaces. Traditional network element functions are split, using network function virtualization (NFV) technology, into a number of self-contained, self-managed and reusable network function service modules; by flexibly defining sets of service modules, customized network function reconstruction can be achieved, and service flows are composed externally through a unified service invocation interface. The schematic network architecture in figure 1 can be understood as a service-based 5G network architecture in a non-roaming scenario. In this architecture, different network functions are combined on demand and in order according to the requirements of a specific scenario, so that network capabilities and services can be customized and dedicated networks deployed for different services, realizing 5G network slicing. Network slicing allows operators to respond to customer needs more flexibly and quickly and supports flexible allocation of network resources.
Slices in the network devices are explained first.
A slice, that is, a network slice, can simply be understood as the partitioning of an operator's physical network into multiple virtual end-to-end networks. Each virtual network (including the devices in the network, the access network, the transport network and the core network) is logically independent, and a failure in any one virtual network does not affect the others. To meet diverse requirements and isolation between slices, relatively independent management and operation per service is needed, with tailored service functions and analysis capabilities. Instances of different service types can be deployed on different network slices, and different instances of the same service type can also be deployed on different network slices. A slice may consist of a set of network functions (NFs) and/or sub-networks. For example, the sub-network AN 140, the AMF 137, the SMF 138 and the UPF 139 in figure 1 may form a slice. It can be understood that only one of each network function is drawn in figure 1 for illustration, whereas in an actual deployment there may be several, dozens or hundreds of each network function or sub-network. Many slices can be deployed in a PLMN, each with different performance to meet the needs of different applications and vertical industries. An operator can "tailor" a slice to the needs of a vertical industry customer. An operator may also allow some industry customers greater autonomy and participation in part of the management and control functions of a slice. Slice-level authentication is one such network control function with limited participation by the industry customer: authenticating and authorizing terminal device access to a slice, called "slice-level authentication", also "second-level authentication" or "secondary authentication", abbreviated in this application as "slice authentication".
Before a terminal device is allowed to access a network or a slice, it needs to perform mutual authentication with the network and/or slice and obtain authorization from that network and/or slice. In general, the network needs to authenticate and authorize the terminal device once or twice before it can access the network or slice. First, the PLMN authenticates the terminal device based on the SUPI it uses under its subscription with the PLMN; this is called primary authentication. Second, the PLMN authenticates the terminal device based on the subscription identifier it uses with the DN; this is the slice authentication or secondary authentication.
Taking figure 1 as an example, when slices are deployed in the core network and the UE 110 needs to access a slice, the UE 110 can provide the requested slice to the core network. The slice requested by the UE 110 may be included in the requested network slice selection assistance information (requested NSSAI). The NSSAI may include one or more single network slice selection assistance information (S-NSSAI) items; one S-NSSAI identifies one network slice type, which can also be understood as S-NSSAI identifying a slice, or S-NSSAI being the identification information of a slice. It can be understood that a slice in this application may also be called a network slice, a network slice instance, an S-NSSAI and so on; the name of the slice is not limited. For ease of understanding, the description below does not strictly distinguish between slice and S-NSSAI; the two are used interchangeably.
In the 3GPP standards, the format of an S-NSSAI includes at least two parts:
1. The slice/service type (SST).
The SST distinguishes the expected differences between slices in terms of features, services and so on. At present the 3GPP standards define four standard slice types: enhanced mobile broadband (eMBB), ultra-reliable low-latency communication (URLLC), massive Internet of Things (MIoT) and vehicle to everything (V2X).
2. The slice differentiator (SD).
The SD is an optional sub-division feature used to further distinguish different slices.
Both SST and SD may also have non-standardized, PLMN-defined types.
Further, after the UE 110 sends a registration request to the network, a core network function (such as the AMF network function 137 or the NSSF network function 141) selects the set of network slices the UE 110 is allowed to access, based on the subscription data of the UE 110, the network slices requested by the UE 110, roaming agreements, local configuration and other information. The set of allowed network slices can be expressed as the allowed NSSAI, and the S-NSSAIs included in the allowed NSSAI are those the current PLMN allows the UE 110 to access.
To illustrate primary and secondary authentication: with the development of vertical industries and the Internet of Things, data networks DN 120 outside the PLMN (for example a DN serving a vertical industry) also need to authenticate and authorize the UEs 110 accessing that DN 120. For example, a commercial company provides a gaming platform and offers gaming services to players through the PLMN. On the one hand, because the UE 110 used by a player accesses the gaming platform through the PLMN, the PLMN needs to authenticate or authorize the identity (SUPI) of that UE 110; this is primary authentication. On the other hand, the player is a customer of the company, and the company also needs to authenticate or authorize the player's identity. Such authentication or authorization of the player's identity can be slice-based, that is, performed per slice. In that case it can be called slice authentication, or network slice-specific authentication and authorization (NSSAA). It should be noted that the actual meaning of slice authentication can be: authentication performed between the terminal device and a third-party network (such as the DN or its authentication server). The result of slice authentication determines whether the PLMN authorizes the terminal device to access the slice provided by the PLMN. It should also be understood that the methods applied to slice authentication in this application apply equally to session-based secondary authentication, slice-based secondary authentication and similar scenarios, which are not described in detail here.
The generic network slice template (GST) is explained next.
GSMA defined the concept of the GST. Its main purpose is to set out a standard set of network slice templates so that operators can tailor the network slices they build, use and operate as needed while guaranteeing interoperability, which both eases interconnection and improves efficiency and security. The 3GPP standards organization is developing standards around this generic slice template so that the 5G network, by evolving its system architecture and procedures, can better support and meet the slice characteristic and performance requirements specified by the generic slice template.
GSMA currently defines many attributes of the generic slice template (GST attributes). One of these GST attributes is the concern of the embodiments of this application and is also the GST attribute for which 3GPP is developing standards. This class of GST attribute is called the sharing attribute, or simultaneous use of the network slice, and may also be called the dedicated attribute, the mutually exclusive attribute and so on. The attribute mainly describes whether the slice can be used at the same time as other slices. The slice attribute referred to in the embodiments of this application, also called slice attribute, means a GST attribute, including the sharing attribute. Because a network usually deploys slices of various types and attributes at the same time, and whether a UE may use multiple slices simultaneously is a security question to be considered during communication, the sharing attribute is in substance a question of isolation between slices.
Multiple slices may share some network resources to improve their utilization. Without proper isolation, such shared resources (network elements, NFs and so on) carry the risk of leaking information between slices. This matters for users and industries with highly sensitive data or high network security and privacy requirements; they usually want their slices not to be used by a UE at the same time as other slices, to prevent information leakage between slices. Conversely, for ordinary service data, the security provided by existing network slices is sufficient, and there is no need for additional security mechanisms or cost to strengthen isolation between slices.
GSMA also gives recommendations for sub-dividing the GST sharing attribute. For example, in the embodiments of this application the sharing attribute may be divided as follows:
sharing attribute value 0: may be shared with any other slice (abbreviated "normal slice");
sharing attribute value 1: may only be shared with slices having the same SST type (abbreviated "type-1 slice");
sharing attribute value 2: may only be shared with slices having the same SD (abbreviated "type-2 slice");
sharing attribute value 3: may not be shared with any other slice (abbreviated "dedicated slice");
sharing attribute values 4 to 15: operator-defined (abbreviated "custom slice").
It should be noted that the embodiments of this application are described mainly with the sharing attribute among the GST attributes as the example. For convenience, the description below does not strictly distinguish between "attribute" and "sharing attribute"; the two are interchangeable.
The embodiments of this application mainly study resource sharing and security isolation between slices and do not restrict the specific sub-division of the above GST attribute. The existing 3GPP standards contain the following slice access rules:
Rule 1: a UE is allowed to access multiple slices simultaneously: within the same PLMN, a UE may access up to 8 slices at the same time. When a UE accesses 2 to 8 slices in the same PLMN, those slices must share the same AMF.
Rule 2: a UE is allowed to access different slices successively (time-shared): when a UE accesses different slices one after another, it may use the same AMF or different AMFs, depending on many factors such as the UE's location and the load of the AMFs.
For "dedicated slices", the existing 3GPP standards do not define a uniform isolation method but leave it to the operator to define and implement when deploying slices. For example, a simple approach is that, where dedicated slices are deployed, the operator applies a private policy that forbids a UE from accessing multiple slices. This approach, of course, sacrifices the flexible deployment of network slices and the convenience of the UE.
In the standards 3GPP is currently developing, it is being discussed how, by configuring the network and the UE, the network can automatically determine and avoid the situation in which one UE simultaneously accesses a dedicated slice (GST sharing attribute value 3) and another slice (any sharing attribute value), or how to fully comply with the restrictions of the GST sharing attribute.
The core security issue of the GST dedicated slice attribute is guaranteeing security isolation between slices.
In actual communication scenarios, there are cases where a UE accesses multiple slices simultaneously (rule 1 above) and cases where it accesses multiple slices successively, not simultaneously (rule 2 above). Current 3GPP discussion covers only the scenario of rule 1, whereas the scenario of rule 2 also needs to guarantee security isolation between slices.
The inter-slice information leakage problem that may exist in the scenario of rule 2 is briefly described below. It should be noted that inter-slice information may include inter-slice control signalling, user data and so on. Two typical scenarios serve as examples.
Scenario A: shared AMF: the UE accesses different (or the same) slices successively.
For example, at some point the UE accesses slice 1, uses and completes the service on slice 1, then leaves slice 1 and the network and completes the de-registration procedure with the network. Some time later the UE needs to use the service of slice 2 and accesses slice 2 through the same network.
The core network part of a slice usually consists mainly of network functions such as the AMF, SMF and UPF. In the existing 3GPP standards, the usual implementation is that slice 1 and slice 2 use different SMFs and UPFs but the same AMF (as described under rule 1 above). As shown in figure 2A, slice 1 uses SMF1 and UPF1 and slice 2 uses SMF2 and UPF2, but slice 1 and slice 2 use the same AMF. Moreover, although a period of time separates the UE's use of slice 1 and slice 2 (not simultaneous), and the UE has completed de-registration in between, the UE and the network still retain and use the same security context, which includes the AMF key Kamf used to derive the encryption and integrity protection keys. This is because reusing the security context optimizes network performance.
Thus, although the UE accesses the two different slices at different times, it still uses the same security context. If one of the slices requires isolation from other slices, its information is still at risk of leakage, because its security context is identical to that of the other slice, and the other slice's security context can also be used to obtain its information. Therefore, security isolation between slices (such as key isolation) should also be applied in the scenario of non-simultaneous access to different slices.
Scenario B: AMF not shared: the UE accesses different (or the same) slices successively, or an AMF redirection occurs.
For example, at some point the UE accesses slice 1 via AMF1, uses and completes the service on slice 1, then leaves slice 1 and the network and completes the de-registration procedure with the network. The UE then re-registers with the network via AMF2 and accesses slice 2. Although the UE now accesses AMF2, to optimize network performance the network usually requires AMF1 to keep the UE's security context, such as the key Kamf, and pass it to AMF2. In other words, even when the UE accesses different slices at different times and through different AMFs, the security context used may still be the same, and again there is no key-level security isolation between slice 1 and slice 2.
Another example is the AMF redirection (AMF re-allocation) scenario, which occurs while the UE is in connected state or has not de-registered. As shown in figure 2B, when the UE registers with the network, a source AMF first handles the UE's request and initiates the network authentication procedure; after authentication completes and the information of the slices the UE requests (such as the NSSAI) is obtained, it is determined that a target AMF will continue handling the slices the UE requests. This process is called the UE redirection procedure. The redirection procedure may also be triggered by movement of the UE.
In the redirection procedure, the UE initially accesses the network through the source AMF, which stores the UE's information (including the UE's security context). Note that at this point the UE may or may not already have accessed slice 1. When the network decides to switch to the target AMF to continue serving the UE, the security context stored in the source AMF can be transferred to the target AMF. That is, although the UE does not access slice 1 and slice 2 simultaneously, the security context the UE uses in slice 2 is available in both AMFs. Slice 2 and slice 1 therefore have no key-level security isolation.
From the descriptions of scenario A and scenario B, when a UE accesses multiple slices at different times, there may be a risk of information leakage between slices.
In view of this, this application proposes a slice isolation method to avoid information leakage between slices. In the registration procedure, the first network device obtains information of the user's first slice; if the information of the first slice does not match the information of the second slice that the user equipment requests to access, the first network device can obtain a second key, which is used for security protection of the information of the second slice and/or the information of the user equipment. This ensures that, after the user equipment accesses the requested second slice, the key used by the network and the user equipment (the second key) differs from the key used by the network and the user when the user equipment accessed other slices (such as the first slice), avoiding information leakage between slices. Alternatively, in the de-registration procedure, the first network device receives a de-registration request message from the user equipment and deletes a third key, the third key being the key used by the network and the user equipment when the user equipment accessed a third slice, the third slice being the slice the user equipment accessed last. Deleting the key the user equipment previously used to access other slices ensures that the key used by the network and the user equipment in subsequently accessed slices differs from the key used earlier for other slices, avoiding information leakage between slices. Alternatively, in the AMF redirection procedure, the first network device sends a redirection message for the user equipment to another network device; if the slice information obtained by the first network device does not match the information of the slice the user equipment requests to access, the first network device can initiate re-authentication of the user equipment. Re-initiating the authentication procedure for the user equipment during AMF redirection regenerates the key, and the regenerated key differs from the key stored in the source AMF, so the same key is not used for accessing different slices and information leakage between slices is avoided.
The slice isolation method provided by the embodiments of this application can be applied to the communication system shown in figure 1.
The slice isolation procedure provided during registration is shown in figure 3 and includes:
S301: The user equipment sends a first request message to the first network device, and the first network device receives the first request message; the first request message is used to request access to a second slice.
Exemplarily, the first network device is an AMF.
The first request message may be a registration request message. The first request message includes identification information of the user equipment and information of the second slice.
The identification information of the user equipment is the identity identifier of the user equipment, such as the globally unique temporary identifier (GUTI) of the user equipment and/or the subscription concealed identifier (SUCI) of the user equipment; the SUCI may be obtained by privacy-protecting (for example encrypting) the SUPI.
The information of the second slice includes identification information of the second slice and, optionally, the attribute of the second slice. The identification information of the second slice includes an S-NSSAI or an NSSAI; the NSSAI is a set of slice identifiers that may include the identifiers of multiple slices (multiple S-NSSAIs), and the second slice may be the slice identified by any one of those S-NSSAIs. The attribute of the second slice may be determined by the sharing attribute value. For example, when the sharing attribute value is 0 the second slice is a normal slice; when it is 1 the second slice is a type-1 slice; when it is 2 the second slice is a type-2 slice; and when it is 3 the second slice is a dedicated slice.
In one possible example, after receiving the first request message, the first network device can check whether a security context, or a context including a security context, exists for the user equipment. For example, the first network device determines whether the user equipment previously accessed the network (for instance by checking whether the user's identity identifier is a GUTI). If it determines that the user equipment has not previously accessed a network device, the first network device determines that no context exists for the user equipment and can perform network authentication of the user equipment so that it accesses the network. If it determines that the user equipment previously accessed the network, the first network device further determines through which network device or network function the user equipment previously accessed the network (for example, the previously used network device can be determined from the GUTI, whose content includes a network identifier and a network function (AMF) identifier).
S302: The first network device obtains information of a first slice of the user equipment.
If the user equipment most recently accessed the network through the first network device, the first network device obtains the information of the user equipment's first slice directly from itself; if the user equipment most recently accessed the network through another network device (not the first network device), the first network device obtains the information of the user equipment's first slice from that other network device. Optionally, the context or security context of the user equipment includes the information of the first slice. Also optionally, the context or security context of the user equipment includes the attribute of the first slice and/or a first key (such as Kamf), the first key being the key used by the user equipment and the network when the user equipment accessed the first slice.
The first slice of the user equipment is any one of the one or more slices the user equipment has subscribed to, or a slice the user equipment previously accessed, most recently accessed, or is currently accessing. The information of the first slice includes identification information of the first slice and, optionally, at least one of: the attribute of the first slice, the security context of the first slice, and/or a first key, the first key being used for security protection of the information of the first slice and/or the information of the user equipment when it accesses the first slice.
In one possible example, the first network device may obtain the information of the first slice when it obtains the context or security context of the user equipment. Optionally, the context or security context of the user equipment includes the information of the first slice, and the first network device obtains the information of the first slice from that context or security context. Alternatively and optionally, the first network device obtains the information of the first slice from itself or from another network device.
S303: If the information of the first slice does not match the information of the second slice that the user equipment requests to access, the first network device obtains a second key, the second key being used for security protection of the information of the second slice and/or the information of the user equipment when it accesses the second slice.
The second key is the key used by the user equipment and the network when the user equipment accesses the second slice.
If the information of the first slice includes the attribute of the first slice and the information of the second slice includes the attribute of the second slice, then in S303 the first network device obtains the second key if the attribute of the first slice does not match the attribute of the second slice.
That the attribute of the first slice does not match the attribute of the second slice includes the attribute of the first slice being incompatible with, or mutually exclusive with, the attribute of the second slice.
That the attribute of the first slice and the attribute of the second slice do not match, are incompatible, or are mutually exclusive includes at least one of the following:
11) The sharing attribute of the first slice and/or the sharing attribute of the second slice does not allow sharing with slices of any other attribute.
Exemplarily, the first slice and/or the second slice is a dedicated slice. For example, the first slice is a dedicated slice and the second slice is a slice of any attribute. As another example, the second slice is a dedicated slice and the first slice is a slice of any attribute. As a further example, the first slice and the second slice are both dedicated slices, and they are different dedicated slices.
12) The attribute of the first slice only allows sharing with slices having the same slice/service type SST, and the SST of the attribute of the second slice differs from the SST of the attribute of the first slice.
13) The attribute of the second slice only allows sharing with slices having the same SST, and the SST of the attribute of the first slice differs from the SST of the attribute of the second slice.
14) The attribute of the first slice only allows sharing with slices having the same slice differentiator SD, and the SD of the attribute of the second slice differs from the SD of the attribute of the first slice.
15) The attribute of the second slice only allows sharing with slices having the same SD, and the SD of the attribute of the first slice differs from the SD of the attribute of the second slice.
In 12) and 14) the first slice is not a dedicated slice but its sharing attribute is incompatible with that of the second slice; for example, the first slice is a type-1 slice and the second slice a type-2 slice, or the first slice is a type-2 slice and the second slice a type-1 slice. In 13) and 15) the second slice is not a dedicated slice but its sharing attribute is incompatible with that of the first slice; for example, the second slice is a type-1 slice and the first slice a type-2 slice, or the second slice is a type-2 slice and the first slice a type-1 slice.
In one possible example, when obtaining the second key, the first network device generates the second key according to the first key, where the first key is used for security protection of the information of the first slice and/or the information of the user equipment when it accesses the first slice. For example, the first network device is an AMF, and the AMF generates the second slice key from Kamf (which protects the information of the first slice and/or the information of the user equipment when it accesses the first slice).
In another possible example, when obtaining the second key, the first network device re-initiates network authentication of the user equipment or initiates slice authentication; if the re-initiated authentication or the slice authentication succeeds, the first network device generates or receives the second key. For example, the first network device is an AMF that includes the security anchor function (SEAF). When network authentication succeeds, the security anchor function SEAF generates the second key. As another example, the AMF does not include the SEAF function, that is, the AMF and the SEAF are deployed separately in different network devices; when network authentication succeeds, the security anchor function SEAF generates the second key and sends it to the AMF. This procedure ensures that the second key is independent of the first key: the first key cannot be obtained from the second key, nor the second key from the first key.
In yet another possible example, a corresponding isolation requirement can be set for each sharing attribute; the embodiments of this application do not restrict the isolation requirement corresponding to each sharing attribute. For example, the larger the sharing attribute value, the higher the isolation requirement: the dedicated slice has the highest isolation requirement, the type-2 slice the next highest, the type-1 slice a lower isolation requirement than the type-2 slice, and the normal slice the lowest.
In this example, when obtaining the second key, if the isolation requirement of the first slice is higher than that of the second slice, the first network device generates the second key according to the first key; if the isolation requirement of the first slice is lower than that of the second slice, the first network device performs network re-authentication of the user equipment and, if the re-authentication succeeds, generates or receives the second key.
Compared with re-authentication, generating the second key from the first key is a simpler process with fewer steps and less interaction between the user equipment and the network.
S304: The first network device sends first indication information to the user equipment, and the user equipment receives the first indication information; the first indication information is used to instruct the user equipment to obtain the second key.
The first indication information may instruct the user equipment to generate the second key according to the first key.
In one implementation, the first indication message may be a non-access stratum (NAS) security mode command (SMC) message.
Step S304 is optional: if the first network device initiates network re-authentication of the user equipment, step S304 need not be performed. It should be noted that, during the network re-authentication initiated by the first network device, the first network device (for example including the AMF and the SEAF) sends one or more other messages, such as an authentication request message, and the user equipment also replies with one or more messages; this is not limited here.
S305: The user equipment obtains the second key.
In one possible example, in S305 the user equipment obtains a first key, the first key being used for security protection of the information of the first slice and/or the information of the user equipment when it accesses the first slice, and the user equipment generates the second key according to the first key.
The user equipment may have the first key stored.
In another possible example, the user equipment re-authenticates with the first network device; if the re-authentication between the user equipment and the first network device succeeds, the user equipment generates the second key, and this key and the first key cannot be derived from one another.
It should be noted that the first network device and the user equipment obtain the second key in the same way (including generating it with the same parameters), so that the first network device and the user equipment subsequently protect their communication with the same key.
In this registration procedure, if the attribute of the first slice matches the attribute of the second slice, the first network device may further send a registration accept message to the user equipment, and the user equipment receives the registration accept message.
That the attribute of the first slice matches the attribute of the second slice includes the attribute of the first slice being compatible with, or not mutually exclusive with, the attribute of the second slice.
That the attribute of the first slice and the attribute of the second slice match, are compatible, or are not mutually exclusive includes at least one of the following:
21) The attribute of the first slice or the attribute of the second slice allows sharing with slices of any other attribute.
Exemplarily, the first slice and/or the second slice is a normal slice.
22) The attribute of the first slice only allows sharing with slices having the same SST, and the SST of the attribute of the second slice is the same as the SST of the attribute of the first slice.
For example, the first slice and the second slice are both type-1 slices with the same SST.
23) The attribute of the second slice only allows sharing with slices having the same SST, and the SST of the attribute of the first slice is the same as the SST of the attribute of the second slice.
For example, the first slice and the second slice are both type-1 slices with the same SST.
24) The attribute of the first slice only allows sharing with slices having the same SD, and the SD of the attribute of the second slice is the same as the SD of the attribute of the first slice.
For example, the first slice and the second slice are both type-2 slices with the same SD.
25) The attribute of the second slice only allows sharing with slices having the same SD, and the SD of the attribute of the first slice is the same as the SD of the attribute of the second slice.
For example, the first slice and the second slice are both type-2 slices with the same SD.
26) The second slice and the first slice map to the same single network slice selection assistance information S-NSSAI.
The first slice and the second slice may map to the same S-NSSAI slice in the home PLMN. In their respective PLMNs, the first slice and the second slice may have different slice identifiers S-NSSAI, or different SST types or SDs.
27) Other possible cases of slices of multiple types whose attributes are compatible.
If the information of the first slice does not identify the attribute of the first slice, the attribute of the first slice can be regarded as allowing sharing with slices of any other attribute; for example, the first slice can be regarded as a normal slice. Likewise, if the information of the second slice does not identify the attribute of the second slice, the attribute of the second slice can be regarded as allowing sharing with slices of any other attribute; for example, the second slice can be regarded as a normal slice.
If the information of the first slice does not identify the attribute of the first slice, or the information of the second slice does not identify the attribute of the second slice, the user equipment is a legacy device, that is, a pre-existing device. For example, the 5G standard has releases R15, R16 and R17. If the GST sharing attribute is newly introduced in R17, devices of R15 and R16 can be called legacy devices. For backward compatibility, legacy devices may still be used in the network, and the slices accessed by legacy devices can be regarded as normal slices.
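The matching rules 11)-15) and 21)-27), the legacy rule (no attribute signalled means normal slice) and the S303 decision between key derivation and re-authentication, as an added Python illustration that is not code from the patent. The slice records are constructed; treating operator-defined values 4-15 as non-sharing and combining several stored first slices by the strictest outcome are assumptions of this example, not statements of the text.

```python
"""Sharing-attribute matching and the S303 key decision (added illustration).

Encodes rules 11)-15) and 21)-27) above, the legacy rule (absent attribute
is treated as a normal slice) and the ordering "larger attribute value,
higher isolation requirement". Assumptions of this example: attribute
values 4-15 (operator-defined) are treated as non-sharing, and several
stored first slices are combined by taking the strictest outcome.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

ANY, SAME_SST, SAME_SD, NONE = 0, 1, 2, 3   # GST sharing attribute values


@dataclass(frozen=True)
class SliceInfo:
    sst: int                            # slice/service type
    sd: Optional[str] = None            # slice differentiator, if any
    share: Optional[int] = None         # None: attribute not signalled (legacy UE)
    hplmn_snssai: Optional[str] = None  # S-NSSAI the slice maps to in the home PLMN


def effective_share(s: SliceInfo) -> int:
    # A slice whose attribute was not obtained is regarded as a normal slice.
    return ANY if s.share is None else s.share


def attributes_match(a: SliceInfo, b: SliceInfo) -> bool:
    """True when the two slices are compatible and may share one key."""
    if a == b:
        return True                      # the same slice requested again
    if a.hplmn_snssai is not None and a.hplmn_snssai == b.hplmn_snssai:
        return True                      # rule 26: same home-PLMN S-NSSAI
    sa, sb = effective_share(a), effective_share(b)
    if sa >= NONE or sb >= NONE:
        return False                     # rule 11: a dedicated slice shares with
                                         # nothing (values 4-15: assumed the same)
    if sa == ANY or sb == ANY:
        return True                      # rule 21: a normal slice shares with any
    for share, x, y in ((sa, a, b), (sb, b, a)):
        if share == SAME_SST and x.sst != y.sst:
            return False                 # rules 12/13 (22/23 when equal)
        if share == SAME_SD and x.sd != y.sd:
            return False                 # rules 14/15 (24/25 when equal)
    return True


def key_action(first: SliceInfo, second: SliceInfo) -> str:
    """S303: 'keep-key' on a match; 'derive' (new Kamf from the stored Kamf)
    when the first slice is isolated more strictly; otherwise 'reauthenticate'
    (primary authentication yielding a key independent of the first key)."""
    if attributes_match(first, second):
        return "keep-key"
    if effective_share(first) > effective_share(second):
        return "derive"
    return "reauthenticate"


def key_action_multi(first_slices: Iterable[SliceInfo], second: SliceInfo) -> str:
    """Several stored first slices (as in the S-NSSAI-1/S-NSSAI-2 example of
    the text): strictest outcome over all pairs (assumption of this example)."""
    order = {"keep-key": 0, "derive": 1, "reauthenticate": 2}
    worst = "keep-key"
    for f in first_slices:
        act = key_action(f, second)
        if order[act] > order[worst]:
            worst = act
    return worst


if __name__ == "__main__":
    # Constructed values for the example in the text: S-NSSAI-1 (attribute 0)
    # and S-NSSAI-2 (attribute 2) were used together; S-NSSAI-3 (attribute 3)
    # is now requested, so a fresh authentication is required.
    stored = [SliceInfo(sst=1, sd="0a", share=ANY), SliceInfo(sst=1, sd="0a", share=SAME_SD)]
    print(key_action_multi(stored, SliceInfo(sst=2, sd="ff", share=NONE)))
```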
The slice isolation procedure of figure 3 is further explained with two specific embodiments.
When the user equipment most recently accessed the network through the first AMF, the slice isolation procedure is shown in figure 4 (time-shared AMF) and includes the following steps:
S401: The user equipment sends a registration request to the first AMF.
The registration request includes the identity identifier of the user equipment (such as a GUTI or SUCI) and the identification information of the second slice requested for access (such as an S-NSSAI, which may be any S-NSSAI in the requested NSSAI). Optionally, the registration request includes the attribute of the second slice.
S402: The first AMF determines whether it has stored a security context for the user equipment.
For example, based on the GUTI of the user equipment, the first AMF determines whether it holds a valid security context for the user; if so, S403 is skipped and S404 is performed; if not, S403 is performed.
A valid security context means that the first AMF can successfully verify the message authentication code (MAC) of the registration request message using that security context (for example the first key Kamf).
Optional step S403: The AMF initiates network authentication, or primary authentication, between the user equipment and the first AMF and UDM.
After S403 is performed, S404 to S409 are skipped, S410 is performed, and the other registration steps of the existing standard procedure are carried out.
Optional step S404: The first AMF obtains the information of the slices the user equipment has subscribed to, that is, obtains and retrieves the subscription information.
The first AMF obtains the information of the user equipment's subscribed slices (such as the slice identifier NSSAI, which may include one or more S-NSSAIs) locally (from its own storage unit) or from the UDM (or another NF). For example, the first AMF first looks up locally whether the information of the user equipment's subscribed slices exists; if it exists, the first AMF obtains it locally; if not, the first AMF sends a request message to the UDM and obtains it from the UDM.
From the obtained information of the user equipment's subscribed slices, the first AMF retrieves and obtains the sharing attribute information of the subscribed slices.
Optional step S405: The first AMF checks the attributes of the subscribed slices.
For example, it optionally checks whether the information of the subscribed slices includes attribute information of the subscribed slices. The subscribed slices may be one or more slices, and the one or more slices correspond respectively to one or more slice attributes; that is, each slice corresponds to its own slice attribute information.
If the subscribed slices contain only a single slice attribute, the first AMF skips S406 to S409 and performs S410.
If the subscribed slice information includes more than one slice attribute, and those attributes are compatible, the first AMF skips S406 to S409 and performs S410, or the first AMF may also perform S407.
In the remaining cases the first AMF performs S406.
Optional step S406: The first AMF obtains the first slice information (that is, the information of the first slice) and compares the attribute of the first slice with the attribute of the second slice requested for access.
The first AMF obtains the first slice information locally (from its own storage unit) or from the UDM (or another NF). The first slice information is the slice information stored in the context of the user equipment. It includes one or more S-NSSAIs, representing the slices indicated by those S-NSSAIs that the user equipment is accessing or has accessed. The first slice information further includes the attribute information of the first slice (corresponding to one or more S-NSSAIs). In one optional approach, if it is determined from the attributes of the first and second slices that they do not match, and the isolation requirement of the first slice is higher than or not lower than that of the second slice, the first AMF returns to S403.
In one optional approach, if it is determined from the attributes of the first and second slices that they do not match, the first AMF returns to S403.
In one optional approach, if it is determined from the attributes of the first and second slices that they do not match, and the isolation requirement of the first slice is lower than or not higher than that of the second slice, the first AMF performs S407.
In one optional approach, if it is determined from the attributes of the first and second slices that they do not match, the first AMF performs S407. If it is determined from the attributes of the first and second slices that they match, the first AMF skips S407 to S409 and performs S410.
It should be noted that the obtained attribute of the first slice may consist of one or more entries, and the obtained attribute of the second slice may consist of one or more entries; the number of first slices (S-NSSAIs) and the number of second slices (S-NSSAIs) may be the same or different. Each attribute entry corresponds to one slice (S-NSSAI), that is, each slice (S-NSSAI) has one attribute. For example, the user equipment last accessed 2 slices, identified as S-NSSAI-1 and S-NSSAI-2; slice S-NSSAI-1 has attribute value 0, a normal slice, and slice S-NSSAI-2 has attribute value 2, a slice that may only be shared with slices of the same SD value (since the user equipment used these 2 slices together last time, it is implied that the SD value of S-NSSAI-1 equals that of S-NSSAI-2). The context for the user equipment in the AMF stores the identifiers and attribute values of slices S-NSSAI-1 and S-NSSAI-2, together with the shared key Kamf. Suppose the user equipment now requests access to another slice S-NSSAI-3 with attribute value 3, a dedicated slice. In this example the first AMF obtains 2 first-slice attributes and 1 second-slice attribute.
For attribute values "0" to "3", since attribute "3" cannot coexist with (is incompatible with) any other attribute while attribute "0" is compatible with all attributes, the case of multiple S-NSSAIs yields 4 possible single attributes (with 1 attribute) + 3 possible compatible attribute sets (with 2 attributes) + 1 possible compatible attribute set (with 3 attributes) = 8 possible compatible attribute combinations. When both the first slice attribute information and the second slice attribute information consist of multiple S-NSSAIs, combining the two yields 8 x 8 = 64 possible attribute combinations. For ease of description, the embodiments of this application take as example the case where the information of 1 first slice is stored and the user equipment requests access to 1 second slice; the cases of multiple slices or multiple attribute values can be handled by analogy and are not described one by one. The cases can be summarized as follows:
31) The dedication requirement of the requested second slice is higher than that of the first slice, that is, the isolation requirement of the second slice is higher than that of the first slice.
For example, the attribute of the second slice is a dedicated slice (attribute value 3) and the attribute of the first slice is a non-dedicated slice (attribute value 0, 1 or 2).
As another example, the attribute value of the second slice is 1 or 2 and the attribute of the first slice is a normal slice (attribute value 0).
32) The dedication requirement of the requested second slice is lower than that of the first slice, that is, the isolation requirement of the second slice is lower than that of the first slice.
For example, the attribute of the first slice is a dedicated slice (attribute value 3) and the attribute of the second slice is a non-dedicated slice (attribute value 0, 1 or 2).
As another example, the attribute value of the first slice is 1 or 2 and the attribute of the second slice is a normal slice (attribute value 0).
33) Other cases in which the requested second slice is incompatible with the first slice.
Case 33) includes the cases of 31) and 32); for the remaining cases see the related description of figure 3, which is not repeated here.
34) The requested second slice and the first slice can be used simultaneously.
For example, the second slice and the first slice are the same dedicated slice. As another example, the second slice and the first slice are normal slices. Also other cases in which the attributes of the second slice and the first slice are compatible; for those see the related description of figure 3, which is not repeated here.
For 31) and 33), the first AMF returns to S403 and uses the stronger isolation method to guarantee the security of inter-slice information. In another optional implementation, the first AMF performs S407, that is, the same handling as for 32).
For 32), the first AMF performs S407 and uses the lower-cost isolation method to guarantee the security of inter-slice information. In another optional implementation, the first AMF performs S403, that is, the same handling as for 31) and 33).
For 34), the first AMF skips S407 to S409 and performs S410; no isolation between the slices is needed.
Optional step S407: The first AMF starts a key update procedure to update the key Kamf stored at the AMF.
In S407, the first AMF generates the second key (the updated key Kamf) from the first key (such as the key Kamf).
Optional step S408: The first AMF notifies the user equipment to update the first key Kamf and sends the required key update parameters to the user equipment. The message sent in S408 may be a non-access stratum (NAS) security mode command (SMC) message. Optional step S409: Based on the received key update parameters, the user equipment updates the stored first key Kamf to generate the second key Kamf (that is, the originally stored Kamf is the first key and the updated Kamf is the second key).
S410: The user equipment completes the other sub-procedures of the registration procedure; see the related standard procedures, not described in detail here.
S411: The first AMF sends a registration accept message to the user equipment.
In another possible approach, S406 can be simplified to the first AMF checking whether the second slice needs isolation; if so, it returns to S403 or returns to S407 (performing S407 to S409); if not, the first AMF performs S410.
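The Kamf update of S407 to S409 between the first AMF and the user equipment, together with the independence property the S403 re-authentication is meant to give, as an added Python simulation that is not code from the patent. The text only states that the second key is generated from the first key and that the update parameters travel in a NAS security mode command; the HMAC-SHA256 derivation, the message layout and the test keys are constructed assumptions of this example, not the 3GPP key hierarchy.

```python
"""Kamf refresh (S407-S409) and the S403 alternative: added illustration.

Assumptions of this example: keys are derived with HMAC-SHA256 over a
label and a fresh parameter; the NAS SMC carries only the parameter and is
integrity protected under the new key (so the UE accepts it only if it holds
the same first key); the test keys are constructed values.
"""
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes, params: bytes = b"") -> bytes:
    """One-way derivation: the old key cannot be recovered from the new one."""
    return hmac.new(key, label + params, hashlib.sha256).digest()


def nas_mac(kamf: bytes, msg: bytes) -> bytes:
    """Integrity tag for a NAS message under the integrity key of this Kamf."""
    k_int = kdf(kamf, b"NAS-int")
    return hmac.new(k_int, msg, hashlib.sha256).digest()[:8]


class FirstAmf:
    def __init__(self, kamf: bytes) -> None:
        self.kamf = kamf  # first key, held in the UE context

    def key_update(self) -> bytes:
        """S407: derive the second key; S408: build the NAS SMC that carries only
        the update parameter and is protected under the new key."""
        params = secrets.token_bytes(16)  # fresh per update
        self.kamf = kdf(self.kamf, b"Kamf-update", params)
        body = b"NAS-SMC|update|" + params.hex().encode()
        return body + b"|" + nas_mac(self.kamf, body).hex().encode()

    def primary_authentication(self) -> bytes:
        """S403 alternative: a fresh key that is unrelated to the stored Kamf
        (modelled here as a constructed random secret shared with the UE)."""
        self.kamf = secrets.token_bytes(32)
        return self.kamf


class Ue:
    def __init__(self, kamf: bytes) -> None:
        self.kamf = kamf

    def on_smc(self, smc: bytes) -> bool:
        """S409: recompute the second key from the stored first key and the
        received parameter; accept it only if the SMC verifies under that key."""
        body, tag = smc.rsplit(b"|", 1)
        params = bytes.fromhex(body.split(b"|")[2].decode())
        candidate = kdf(self.kamf, b"Kamf-update", params)
        if not hmac.compare_digest(nas_mac(candidate, body).hex().encode(), tag):
            return False  # different first key, or tampered SMC: keep the old key
        self.kamf = candidate
        return True


def run_update(shared_first_key: bytes) -> tuple:
    """Both sides start from the same first key; returns (amf_key, ue_key, ok)."""
    amf, ue = FirstAmf(shared_first_key), Ue(shared_first_key)
    ok = ue.on_smc(amf.key_update())
    return amf.kamf, ue.kamf, ok


if __name__ == "__main__":
    k1 = bytes(range(32))  # constructed first key
    a, u, ok = run_update(k1)
    print(ok, a == u, a != k1)  # True True True
```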
When the user equipment most recently accessed the network through a second AMF and now accesses the network through the first network device, the slice isolation procedure is shown in figure 5 (AMF not shared) and includes the following steps:
For S501, see S401 above.
S502: The first AMF determines that the user equipment previously accessed the network (for example because the registration request includes a GUTI) and did so through a second AMF (for example because the GUTI includes the ID of that AMF). That is, the AMF the user equipment previously accessed has changed (the second AMF and the first AMF are not the same AMF).
The first AMF can be regarded as the new AMF, or the target AMF. The second AMF can be regarded as the old AMF, or the source/initial AMF.
S503: The first AMF sends a request message (such as a UE context transfer request message) to the second AMF to obtain the information of the first slice stored by the second AMF.
The request message may include the information of the second slice that the user equipment requests to access.
S504: The second AMF compares the stored attribute of the first slice with the attribute of the second slice requested for access. In one optional implementation, S504 is optional, that is, the second AMF does not perform this comparison.
S505: The second AMF sends a response message (such as a UE context transfer response message) to the first AMF.
Based on the comparison result of S504, the second AMF can determine which information to carry in the response message of S505.
For example, if the attribute of the first slice matches the attribute of the second slice, the response message may include the security context of the first slice (for example including the first key Kamf).
As another example, if the attribute of the first slice does not match the attribute of the second slice, the response message may include the non-security context but not the security context (such as the first key Kamf). Alternatively, the response message may include the context that does not affect slice isolation (security or non-security context, such as the SUPI of the user equipment) but not the context that affects slice isolation (such as the first key Kamf). Optionally, the response message includes the identification information (NSSAI) and attribute of the first slice. Optionally, the response message includes indication information telling the first AMF that the user equipment has passed security authentication, that a security context for the user equipment exists but does not match the attribute of the second slice, and that the security context (such as the first key Kamf) therefore cannot be sent, instructing the first AMF to re-authenticate (network authentication or slice authentication, where network authentication includes primary authentication and optional slice authentication). Alternatively, the second AMF first updates the first key Kamf (to the second key Kamf) or performs re-authentication, then carries the updated security context (such as the second key Kamf and the parameters needed to update the key, optionally with key indication information indicating that the key has been updated or that it is the second key) in the response message to the first AMF; the first AMF may then still update the key or re-authenticate for slice isolation.
As another example, if the second AMF cannot determine whether the attributes of the first and second slices match, for instance because the second AMF has not stored the attribute of the first slice or the request message from the first AMF does not include the attribute of the second slice, the second AMF may regard the attributes of the first and second slices as not matching.
In one optional approach, if the second AMF does not perform S504, that is, the second AMF regards the attributes of the first and second slices as matching (compatible), S505 can be performed according to the existing procedure.
In one optional approach, the second AMF includes indication information in the S505 message instructing the first AMF to perform primary authentication again (that is, to generate the second key without basing it on the first key), or to perform a Kamf key update (that is, it sends the first key and instructs the first AMF to generate the second key from the first key).
S506: The first AMF processes the response message.
The first AMF decides on and performs the subsequent procedure according to the response message.
If the response message includes the first key and/or the second key together with the identification information and attribute of the first slice, the attribute of the first slice is compared with the attribute of the second slice requested for access.
In one optional approach, if it is determined from the attributes of the first and second slices that they do not match, and the isolation requirement of the first slice is higher than or not lower than that of the second slice, the first AMF performs S507.
In one optional approach, if it is determined from the attributes of the first and second slices that they do not match, and the isolation requirement of the first slice is lower than or not higher than that of the second slice, the first AMF performs S508.
In one optional approach, if it is determined from the attributes of the first and second slices that they do not match, the first AMF performs S507.
In one optional approach, if it is determined from the attributes of the first and second slices that they do not match, the first AMF performs S508.
If it is determined from the attributes of the first and second slices that they match, the first AMF skips S507 and S508 and performs S509.
In one optional approach, if the response message includes the second key Kamf and the parameters needed to update the key, the first AMF performs S508.
In one optional approach, the first AMF acts according to the indication information included in the S505 message: if it instructs the first AMF to perform primary authentication again, S507 is performed; if it instructs the first AMF to perform a Kamf key update, S508 is performed.
For S507, see S403 above.
The first AMF initiates primary authentication between the user equipment and the network.
After S507 is performed, the second key is generated according to the existing standard procedure (the key update procedure of S508 is skipped), S509 is performed, and the other registration steps of the existing standard procedure are carried out.
For S508, see S407 to S409 above.
For S509 and S510, see S410 and S411 above.
Optionally, either S504 or S506 may be performed, or both. It should be noted that in S506 the first AMF can make its own determination independently of the second AMF (S504), because the first AMF and the second AMF may be in different PLMNs or different security domains, or the first AMF may not fully trust the determination of the second AMF.
In addition, the first AMF may also obtain the information of the first slice through another NF (not the second AMF, for example an unstructured data storage function (UDSF)). The first AMF may also interact indirectly with the second AMF through another NF (such as a UDSF); this is not limited here.
The slice isolation procedure provided during de-registration is shown in figure 6 and includes:
S601a: The user equipment sends a de-registration request message to the first network device, and the first network device receives the de-registration request message.
In S601a, the de-registration procedure is initiated by the user equipment.
S601b: The first network device sends a de-registration request message to the user equipment, and the user equipment receives the de-registration request message.
In S601b, the de-registration procedure is initiated by the first network device.
It can be understood that either S601a or S601b is performed.
S602: The first network device deletes the third key from the locally stored (that is, stored at the first network device) context of the user equipment. The third key is used for security protection of the information of a third slice or of the information of the user equipment when it accesses the third slice; the third slice is the slice (corresponding to one S-NSSAI) the user equipment accessed last, or any or every one of the multiple slices (corresponding to multiple S-NSSAIs, or an NSSAI including multiple S-NSSAIs) the user equipment accessed last (when simultaneous access to multiple slices is allowed, the attributes of those slices are by default compatible and they may share one set of keys).
In S602, the first network device may determine that the attribute of the third slice does not allow sharing with slices of any other attribute (that is, the third slice is a dedicated slice with attribute value 3), and the first network device deletes the third key from the locally stored context of the user equipment.
Optionally, in S602 the first network device may determine that the user equipment has subscribed to slices of multiple attributes (from the locally stored subscription information or the subscription information obtained from the UDM), among which there is a slice whose attribute is incompatible with that of the third slice, and the first network device deletes the third key from the locally stored context of the user equipment.
Optionally, in S602 the first network device may determine that the attribute of the third slice does not allow sharing with slices of any other attribute (that is, the third slice is a dedicated slice with attribute value 3) and that the user equipment has subscribed only to that slice (from the locally stored subscription information or the subscription information obtained from the UDM), in which case the first network device keeps (does not delete) the third key in the locally stored context of the user equipment.
When the attribute of the third slice does not allow sharing with slices of any other attribute (that is, the third slice is a dedicated slice with attribute value 3), the first network device deletes the third key from the locally stored context of the user equipment.
Optionally, the first network device sends indication information to other network devices or network functions (such as the UDM or other AMFs) instructing them to delete the third key from their stored context of the user equipment.
Optionally, the first network device sends indication information to the user equipment instructing it to delete the stored third key.
S603: The user equipment deletes the third key.
Optionally, the order in which S602 and S603 are performed is not limited.
In one possible example, in S603 the user equipment may determine that the attribute of the third slice does not allow sharing with slices of any other attribute, and the user equipment deletes the third key.
In another possible example, in S603 the user equipment receives indication information from the first network device and deletes the third key.
In this de-registration procedure, if the attribute of the third slice allows sharing with slices of other attributes or the attribute of the third slice has not been obtained, then when the user equipment initiates the de-registration procedure the first network device may further send a de-registration accept message to the user equipment, and the user equipment receives it; or, when the first network device initiates the de-registration procedure, the user equipment may further send a de-registration accept message to the first network device, and the first network device receives it.
It can be understood that S602 and S603 may be performed before, during or after the de-registration procedure.
It should be noted that after the de-registration procedure is complete, if the user equipment accesses a dedicated slice, the user equipment needs to perform authentication with the network again (optionally together with slice authentication) to generate a new key for accessing the dedicated slice.
In the embodiment, deleting the sensitive or important security context prevents that security context from being reused, guaranteeing the security of inter-slice information.
The slice isolation procedure of figure 6 is further explained with two specific embodiments.
When the user equipment initiates the de-registration procedure, the slice isolation procedure is shown in figure 7 and includes the following steps:
S701: The user equipment sends a de-registration request message (Deregistration Request) to the AMF, and the AMF receives the de-registration request message.
S702: The AMF confirms the attribute of the third slice in the stored context of the user equipment. The third slice is the slice (corresponding to one S-NSSAI) the user equipment accessed last, or any or every one of the multiple slices (corresponding to multiple S-NSSAIs, or an NSSAI including multiple S-NSSAIs) the user equipment accessed last (when simultaneous access to multiple slices is allowed, this indicates that the attributes of those slices are compatible and they may share one set of keys).
The AMF may obtain the attribute of the third slice locally or from the UDM (or another NF). For example, the AMF first determines whether the attribute of the third slice exists in the locally stored context of the user equipment; if it does, the AMF obtains it from the context of the user equipment; if not, the AMF obtains it from the UDM.
S703: Procedures such as PDU session release, N4 session release and policy termination are performed.
S704: The AMF sends a de-registration accept message (Deregistration Accept), and the user equipment receives the de-registration accept message.
S705a: The AMF checks the attribute of the third slice.
S705b: The user equipment checks the attribute of the third slice.
If only slices with compatible attributes are subscribed to (for example the third slice is a normal slice that may be shared with slices of other attributes), or the attribute of the third slice has not been obtained, the AMF and the user equipment keep the third key and perform S706.
If slices with incompatible attributes are subscribed to (for example the third slice is a dedicated slice that may not be shared with slices of any attribute), the AMF and the user equipment delete the third key and perform S706.
S706: The user equipment and the AMF release the signalling connection.
It should be noted that S702 may also be performed during the execution of S703 (which involves multiple interaction messages), or through an existing message in S703 (for example by adding information elements), without adding a separate interaction message.
In addition, the order in which S705a and S705b are performed is not specified, and S705a and S705b may be performed before S704 or after S706.
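The de-registration checks of S702, S705a and S705b (keep or delete the third key, and what that implies for the next registration) as an added Python model that is not code from the patent. The in-memory UE context, the SUPI and S-NSSAI strings and the key bytes are constructed; the decision rule is the one the text states, including the exception for a UE subscribed only to the dedicated slice.

```python
"""De-registration key handling of figure 7: added illustration.

Rule from the text: delete the third key when the last accessed slice is a
dedicated slice (attribute value 3), unless the UE is subscribed to that
slice only; keep it when the attribute is normal, compatible, or was not
obtained. Once deleted, the key cannot be reused, so the next access to a
dedicated slice needs a fresh authentication. All identifiers and keys
below are constructed test values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DEDICATED = 3  # sharing attribute value of a dedicated slice


@dataclass
class UeContext:
    supi: str
    kamf: Optional[bytes]                 # the third key
    last_slices: List[str]                # third slice(s): S-NSSAI(s) last accessed
    slice_attr: Dict[str, Optional[int]]  # S-NSSAI -> sharing attribute (None: unknown)
    subscribed: Set[str] = field(default_factory=set)


def must_delete_third_key(ctx: UeContext) -> bool:
    """The S705a/S705b check on the stored context."""
    for snssai in ctx.last_slices:
        attr = ctx.slice_attr.get(snssai)
        if attr is None:
            continue  # attribute not obtained: treated as normal, key is kept
        if attr == DEDICATED and ctx.subscribed != {snssai}:
            return True  # dedicated slice, and the UE may later access other slices
    return False


class Amf:
    def __init__(self) -> None:
        self.contexts: Dict[str, UeContext] = {}

    def deregister(self, supi: str) -> dict:
        """S702 to S705a: delete the key if required and return the accept message
        with the (optional in the text) indication to the UE."""
        ctx = self.contexts[supi]
        delete = must_delete_third_key(ctx)
        if delete:
            ctx.kamf = None
        return {"msg": "Deregistration Accept", "delete_kamf": delete}

    def has_valid_context(self, supi: str) -> bool:
        """What the AMF looks for at S402 on the UE's next registration request."""
        ctx = self.contexts.get(supi)
        return ctx is not None and ctx.kamf is not None


class Ue:
    def __init__(self, ctx: UeContext) -> None:
        self.ctx = ctx

    def on_deregistration_accept(self, msg: dict) -> bool:
        """S705b: delete on the UE's own check or on the network's indication."""
        if msg.get("delete_kamf") or must_delete_third_key(self.ctx):
            self.ctx.kamf = None
            return True
        return False


def deregister_scenario(attr: Optional[int], subscribed: Set[str]) -> dict:
    """One UE-initiated de-registration where the last slice 's1' has the
    given attribute; both sides hold a copy of the same constructed context."""
    supi, key = "supi-constructed-0001", b"\x11" * 32
    amf = Amf()
    amf.contexts[supi] = UeContext(supi, key, ["s1"], {"s1": attr}, set(subscribed))
    ue = Ue(UeContext(supi, key, ["s1"], {"s1": attr}, set(subscribed)))
    accept = amf.deregister(supi)
    ue_deleted = ue.on_deregistration_accept(accept)
    return {
        "amf_deleted": accept["delete_kamf"],
        "ue_deleted": ue_deleted,
        "needs_fresh_auth": not amf.has_valid_context(supi),
    }


if __name__ == "__main__":
    print(deregister_scenario(DEDICATED, {"s1", "s2"}))  # all three True
    print(deregister_scenario(0, {"s1", "s2"}))          # all three False
```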
When the network device initiates the deregistration procedure, the slice isolation procedure is shown in FIG. 8 and includes the following steps:
Optional step S801: The UDM sends a deregistration notification message, and the AMF receives the deregistration notification message.
In S801, the UDM initiates the deregistration procedure.
Optionally, the deregistration notification message may include the attribute of the third slice, or the attributes of all slices the user equipment has subscribed to. Optionally, the deregistration notification message may further include indication information instructing the AMF to delete the third key. That is, the UDM judges the security sensitivity or isolation requirement based on the information of the third slice or of the slices the user equipment has subscribed to.
S802: The AMF sends a deregistration request message to the user equipment, and the user equipment receives the deregistration request message.
The AMF may also initiate the deregistration procedure on its own.
The deregistration request message is optional, that is, the deregistration procedure may or may not notify the user equipment. If the deregistration request message is sent, the AMF may optionally also instruct the user equipment to delete the third key. Here the AMF determines whether to delete the third key based on the attribute of the third slice sent by the UDM (see S705a above), or based on the indication information from the UDM.
For S803, refer to S703 above.
S804: The user equipment sends a deregistration accept message, and the AMF receives the deregistration accept message.
S805a: The AMF checks the attribute of the third slice.
For obtaining and checking the attribute of the third slice, refer to S702 and S802, or to S705a above.
S805b: The user equipment checks the attribute of the third slice.
Refer to S705b above.
For S806, refer to S706 above.
S805a may be performed at any step (including before S801, so that the AMF may initiate the deregistration procedure on its own). S805b may be performed at any step after S802.
The slice isolation methods shown in FIG. 7 and FIG. 8 apply both to a time-shared AMF and to a non-shared AMF.
The slice isolation procedure provided during AMF redirection is shown in FIG. 9 and includes:
S901: The first network device sends a redirection message to the second network device, and the second network device receives the redirection message.
In the AMF redirection procedure, the first network device can be understood as the source network device and the second network device as the target network device.
The redirection message includes information of a fourth slice of the user equipment and/or information of a fifth slice the user equipment requests to access. The fourth slice is the currently stored slice that the user previously accessed or is currently accessing.
The information of the fourth slice includes identification information of the fourth slice and, optionally, a fourth key and/or the attribute of the fourth slice; the fourth key is used to protect the information of the fourth slice and/or information exchanged when the user equipment accesses the fourth slice. The information of the fifth slice includes identification information of the fifth slice and, optionally, the attribute of the fifth slice.
A typical AMF redirection scenario is as follows: the user equipment has completed network-level authentication (primary authentication) with the first network device and a security context (such as the fourth key Kamf) has been generated. The first network device decides that another, more suitable second AMF should serve the user equipment. The interaction between the user equipment and the first network device then becomes interaction between the user equipment and the second network device.
Before S901, the first network device may further check whether the currently stored security context of the user equipment has already been used to protect information of a slice (such as the fourth slice), or whether information of a fourth slice exists. If not, that is, no fourth slice exists, the first network device may assume that the attribute of the (non-existent) fourth slice is a common slice that matches any slice, and then perform S901. If so, the fourth slice exists.
If the information of the fourth slice matches the information of the fifth slice (similarly, if no fifth-slice information exists, it is treated as a common slice that matches any slice), the first network device performs S901;
if the information of the fourth slice does not match the information of the fifth slice, and the isolation requirement of the fourth slice is higher than, or not lower than, the isolation requirement of the fifth slice (for example, the fourth slice has an isolation requirement (non-common slice) while the fifth slice is a common slice), the first network device generates the fifth key from the fourth key and then performs S901;
if the information of the fourth slice does not match the information of the fifth slice, and the isolation requirement of the fourth slice is lower than, or not higher than, the isolation requirement of the fifth slice (for example, the fourth slice is a common slice without isolation requirement while the fifth slice is a dedicated slice), the first network device performs S901.
In an optional manner, if the information of the fourth slice does not match the information of the fifth slice, the first network device generates the fifth key from the fourth key and then performs S901.
S902: If the information of the fourth slice does not match the information of the fifth slice, and the fifth slice has an isolation requirement, the second network device re-authenticates the user equipment.
If the second network device re-authenticates the user equipment successfully, the second network device generates the fifth key.
If the information of the fourth slice matches the information of the fifth slice, the second network device continues the registration of the user equipment.
If the information of the fourth slice does not match the information of the fifth slice, and the fourth slice has no isolation requirement (that is, it allows sharing with slices of any other attribute), the second network device continues the registration of the user equipment.
It should be noted that the first network device may compare the information of the fourth slice with the information of the fifth slice, and/or the second network device may also compare the information of the fourth slice with the information of the fifth slice; each of them, when the compared slice information does not match, either performs the re-authentication of S902 to generate the fifth key (not based on the fourth key) or generates the fifth key from the fourth key.
The slice isolation procedure shown in FIG. 9 is further described below with a specific embodiment.
The slice isolation procedure, shown in FIG. 10, applies mainly to a non-shared AMF and includes the following steps:
S1001: The user equipment sends a registration request message to the access network device.
The registration request message is used to request access to the fifth slice.
S1002: The access network device sends an initial message (Initial UE message) to the initial/source AMF. The initial/source AMF may be the first network device.
The initial message includes the registration request message.
S1003: The source AMF initiates network authentication with the user equipment (not shown in FIG. 10) and establishes the security context of the user equipment (including the key Kamf), which is used to protect the messages exchanged between the user equipment and the network (for example, encryption and integrity protection of NAS messages). The source AMF determines that AMF redirection is needed and that a target AMF should serve the user equipment. The target AMF may be the second network device. The source AMF compares the currently stored information of the fourth slice with the information of the fifth slice the user requests to access.
If the information of the fourth slice matches the information of the fifth slice (if no fifth-slice information exists, it is treated as a common slice that matches any slice), the first network device performs S1004; if the information of the fourth slice does not match the information of the fifth slice, and the fourth slice has an isolation requirement (non-common slice), the first network device generates the fifth key from the fourth key and then performs S1004; if the information of the fourth slice does not match the information of the fifth slice, and the fourth slice has no isolation requirement (common slice), the first network device performs S1004.
In an optional manner, if the information of the fourth slice does not match the information of the fifth slice, and the isolation requirement of the fourth slice is higher than, or not lower than, the isolation requirement of the fifth slice (for example, the fourth slice has an isolation requirement (non-common slice) while the fifth slice is a common slice), the first network device (initial AMF) generates the fifth key from the fourth key and then performs S1004;
in an optional manner, if the information of the fourth slice does not match the information of the fifth slice, and the isolation requirement of the fourth slice is lower than, or not higher than, the isolation requirement of the fifth slice (for example, the fourth slice is a common slice without isolation requirement while the fifth slice is a dedicated slice), the first network device (initial AMF) performs S1004.
In an optional manner, if the information of the fourth slice does not match the information of the fifth slice, the first network device (initial AMF) generates the fifth key from the fourth key and then performs S1004.
S1004: The source AMF sends a redirection message (Rerouted message) to the target AMF.
The redirection message includes the information of the fourth slice and/or the information of the fifth slice. The information of the fourth slice includes identification information of the fourth slice and, optionally, the fourth key and/or the attribute of the fourth slice. The fourth key is used to protect the information of the fourth slice and/or information exchanged when the user equipment accesses the fourth slice. The information of the fifth slice includes identification information of the fifth slice and, optionally, the attribute of the fifth slice.
Optionally, the source AMF may forward the redirection message via the access network device (as shown in S1004a and S1004b). If it is forwarded via the access network device, the redirection message of S1004b may differ from the redirection message of S1004.
S1005: The target AMF compares the currently stored information of the fourth slice with the information of the fifth slice the user requests to access.
If the information of the fourth slice does not match the information of the fifth slice, and the fifth slice has an isolation requirement, the second network device first re-authenticates the user equipment and generates the fifth key, and then performs S1006. This re-authentication is similar to S1003, the difference being that the target AMF initiates the network authentication with the user equipment.
In an optional manner, if the information of the fourth slice does not match the information of the fifth slice, and the isolation requirement of the fourth slice is higher than, or not lower than, the isolation requirement of the fifth slice (for example, the fourth slice has an isolation requirement (non-common slice) while the fifth slice is a common slice), the target AMF generates the fifth key from the fourth key and then performs S1006;
in an optional manner, if the information of the fourth slice does not match the information of the fifth slice, and the isolation requirement of the fourth slice is lower than, or not higher than, the isolation requirement of the fifth slice (for example, the fourth slice is a common slice without isolation requirement while the fifth slice is a dedicated slice), the target AMF performs S1006.
In an optional manner, if the information of the fourth slice does not match the information of the fifth slice, the target AMF generates the fifth key from the fourth key and then performs S1006.
In an optional manner, if the information of the fourth slice does not match the information of the fifth slice, the target AMF initiates network authentication (primary authentication) with the user equipment and generates the fifth key (not based on the fourth key), and then performs S1006. If the information of the fourth slice matches the information of the fifth slice, the second network device performs S1006.
If the information of the fourth slice does not match the information of the fifth slice, and the fourth slice has no isolation requirement (that is, it allows sharing with slices of any other attribute), the second network device performs S1006.
S1006: The second network device continues the registration of the user equipment.
The comparisons of S1003 and S1005 may both be performed, or only one of them may be performed.
Combining the above embodiments, it can be seen that the slice isolation provided by the embodiments of this application applies to the scenarios shown in Table 1 below.
Table 1
[Table 1 is provided in the original only as the image PCTCN2020126579-appb-000001; its contents are not reproduced in the text.]
Based on the above embodiments, the slice isolation method provided by the embodiments of this application can ensure secure isolation between slices and avoid information leakage between slices. The embodiments of this application can ensure security in scenarios with shared network infrastructure and can also ensure the security of a local network.
It can be understood that the embodiments provided in this application may be used individually or in combination.
FIG. 11 is a possible exemplary block diagram of a communication apparatus involved in this application. The communication apparatus 1100 may exist in the form of software or hardware. The communication apparatus 1100 may include a processing unit 1102 and a transceiver unit 1103. In one implementation, the transceiver unit 1103 may include a receiving unit and a sending unit. The processing unit 1102 is used to control and manage the actions of the communication apparatus 1100. The transceiver unit 1103 is used to support communication between the communication apparatus 1100 and other network entities. The communication apparatus 1100 may further include a storage unit 1101 for storing program code and data of the communication apparatus 1100.
The processing unit 1102 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on. The storage unit 1101 may be a memory. The transceiver unit 1103 is an interface circuit of the apparatus for receiving signals from other apparatuses. For example, when the apparatus is implemented as a chip, the transceiver unit 1103 is the interface circuit the chip uses to receive signals from other chips or apparatuses, or the interface circuit the chip uses to send signals to other chips or apparatuses.
The communication apparatus 1100 may be the user equipment and/or the network device in any of the above embodiments, or a chip for the user equipment and/or the network device. For example, when the communication apparatus 1100 is the user equipment and/or the network device, the processing unit 1102 may be, for example, a processor, and the transceiver unit 1103 may be, for example, a transceiver. Optionally, the transceiver may include a radio-frequency circuit, and the storage unit may be, for example, a memory. For example, when the communication apparatus 1100 is a chip for the user equipment and/or the network device, the processing unit 1102 may be, for example, a processor, and the transceiver unit 1103 may be, for example, an input/output interface, pins or a circuit. The processing unit 1102 may execute the computer-executable instructions stored in the storage unit; optionally, the storage unit is a storage unit inside the chip, such as a register or a cache, or it may be a storage unit inside the user equipment and/or the network device but outside the chip, such as a ROM or another type of static storage device capable of storing static information and instructions, a RAM, and so on.
In a first embodiment, the communication apparatus 1100 may be applied to the first network device.
Specifically, the transceiver unit 1103 is used to obtain information of a first slice of the user equipment;
the processing unit 1102 is used to obtain a second key if the information of the first slice does not match information of a second slice the user equipment requests to access, the second key being used to protect the information of the second slice and/or information exchanged when the user equipment accesses the second slice.
In one implementation, the information of the first slice includes the attribute of the first slice, and the information of the second slice includes the attribute of the second slice;
when obtaining the second key because the information of the first slice does not match the information of the second slice the user equipment requests to access, the processing unit 1102 is specifically used to obtain the second key if the attribute of the first slice does not match the attribute of the second slice.
In one implementation, when obtaining the second key, the processing unit 1102 is specifically used to generate the second key from the first key, where the first key is used to protect the information of the first slice and/or information exchanged when the user equipment accesses the first slice.
In one implementation, when generating the second key from the first key, the processing unit 1102 is specifically used to generate the second key from the first key if the isolation requirement of the first slice is higher than the isolation requirement of the second slice.
In one implementation, when obtaining the second key, the processing unit 1102 is specifically used to re-authenticate the user equipment and, if the user equipment is re-authenticated successfully, generate the second key.
In one implementation, when re-authenticating the user equipment, the processing unit 1102 is specifically used to perform network authentication of the user equipment again if the isolation requirement of the first slice is lower than the isolation requirement of the second slice.
In one implementation, the attribute of the first slice not matching the attribute of the second slice includes:
the attribute of the first slice or the attribute of the second slice does not allow sharing with slices of any other attribute; or
the attribute of the first slice allows sharing only with slices having the same service type SST, and the SST of the attribute of the second slice differs from the SST of the attribute of the first slice; or
the attribute of the second slice allows sharing only with slices having the same service type SST, and the SST of the attribute of the first slice differs from the SST of the attribute of the second slice; or
the attribute of the first slice allows sharing only with slices having the same slice differentiator SD, and the SD of the attribute of the second slice differs from the SD of the attribute of the first slice; or
the attribute of the second slice allows sharing only with slices having the same slice differentiator SD, and the SD of the attribute of the first slice differs from the SD of the attribute of the second slice.
In one implementation, the transceiver unit 1103 is further used to send a registration accept message to the user equipment if the attribute of the first slice matches the attribute of the second slice.
In one implementation, the attribute of the first slice matching the attribute of the second slice includes:
the attribute of the first slice or the attribute of the second slice allows sharing with slices of any other attribute; or
the attribute of the first slice allows sharing only with slices having the same SST, and the SST of the attribute of the second slice is the same as the SST of the attribute of the first slice; or
the attribute of the second slice allows sharing only with slices having the same SST, and the SST of the attribute of the first slice is the same as the SST of the attribute of the second slice; or
the attribute of the first slice allows sharing only with slices having the same SD, and the SD of the attribute of the second slice is the same as the SD of the attribute of the first slice; or
the attribute of the second slice allows sharing only with slices having the same SD, and the SD of the attribute of the first slice is the same as the SD of the attribute of the second slice; or
the second slice and the first slice map to the same single network slice selection assistance information S-NSSAI.
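The attribute match rule listed above, together with the key handling it drives in the redirection procedure of FIG. 9 and FIG. 10 (derive the new key from the stored one when leaving the stricter slice, re-authenticate when entering it) and the key deletion of FIG. 7 and FIG. 8, can be modelled in a few dozen lines. The following Python is an added example and not code from the patent or its applicant. Everything not stated on the page is an assumption: the `Sharing` enum as the encoding of a slice attribute, the ordering ANY < SAME_SST < SAME_SD < NONE as the "isolation requirement", HMAC-SHA256 as the key-derivation function, the rule that a dedicated attribute takes precedence when both "shares with any" and "shares with none" apply, and the constructed sample slices and Kamf value.

```python
"""Added model (not the patent's own code) of the slice-attribute match rule
and the key decisions it drives on AMF redirection and deregistration.

Assumptions not specified by the page: the Sharing enum, the isolation
ranking ANY < SAME_SST < SAME_SD < NONE, HMAC-SHA256 as KDF, and the
precedence of a dedicated attribute over a "share with any" attribute."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Sharing(Enum):
    ANY = 0        # common slice: key may be shared with a slice of any attribute
    SAME_SST = 1   # share only with slices of the same SST
    SAME_SD = 2    # share only with slices of the same SD
    NONE = 3       # dedicated slice: never share


@dataclass(frozen=True)
class SliceInfo:
    s_nssai: str       # identifier; "SST-SD" is a constructed sample format
    sst: int           # slice/service type
    sd: str            # slice differentiator
    sharing: Sharing   # the slice "attribute" of the page


def isolation_rank(s: Optional[SliceInfo]) -> int:
    # A missing stored or requested slice is treated as a common slice (page, before S901).
    return s.sharing.value if s else Sharing.ANY.value


def attributes_match(a: Optional[SliceInfo], b: Optional[SliceInfo]) -> bool:
    """Match rule of the listed implementation (claims 7 and 9).

    Assumption: when one side shares with any and the other with none, the
    dedicated side wins, consistent with the redirection steps on the page."""
    if a is None or b is None:
        return True
    if a.s_nssai == b.s_nssai:          # same S-NSSAI: always a match
        return True
    if Sharing.NONE in (a.sharing, b.sharing):
        return False
    if Sharing.ANY in (a.sharing, b.sharing):
        return True
    for x, y in ((a, b), (b, a)):       # SST/SD constraints are checked from both sides
        if x.sharing is Sharing.SAME_SST and x.sst != y.sst:
            return False
        if x.sharing is Sharing.SAME_SD and x.sd != y.sd:
            return False
    return True


class KeyAction(Enum):
    KEEP = "keep current key"
    DERIVE = "derive new key from current key"
    REAUTH = "re-authenticate; new key independent of current key"


def key_action_on_redirect(stored: Optional[SliceInfo],
                           requested: Optional[SliceInfo]) -> KeyAction:
    """Main variant of S1003/S1005: derive when leaving the stricter slice
    (claim 4), re-authenticate when entering it (claim 6, S902)."""
    if attributes_match(stored, requested):
        return KeyAction.KEEP
    if isolation_rank(stored) >= isolation_rank(requested):
        return KeyAction.DERIVE
    return KeyAction.REAUTH


def derive_slice_key(k_amf: bytes, target: SliceInfo) -> bytes:
    """Assumed KDF (not from the page): HMAC-SHA256 over a label and the target S-NSSAI,
    so keys for different slices differ and the parent key is not recoverable from them."""
    return hmac.new(k_amf, b"slice-key|" + target.s_nssai.encode(), hashlib.sha256).digest()


def key_kept_after_deregistration(last: Optional[SliceInfo]) -> bool:
    """S705a/S705b: keep the key unless the last slice is dedicated;
    an unknown (None) attribute also keeps it."""
    return last is None or last.sharing is not Sharing.NONE


# Constructed sample slices (values are illustrative, not from the page)
COMMON = SliceInfo("1-000001", 1, "000001", Sharing.ANY)
EMBB_SST = SliceInfo("1-000002", 1, "000002", Sharing.SAME_SST)
URLLC_SST = SliceInfo("2-000003", 2, "000003", Sharing.SAME_SST)
DEDICATED = SliceInfo("1-00ABCD", 1, "00ABCD", Sharing.NONE)

if __name__ == "__main__":
    k_amf = bytes(32)  # constructed stand-in for Kamf
    for stored, requested in [(COMMON, DEDICATED), (DEDICATED, COMMON),
                              (EMBB_SST, URLLC_SST), (EMBB_SST, COMMON)]:
        act = key_action_on_redirect(stored, requested)
        print(f"{stored.s_nssai} -> {requested.s_nssai}: {act.value}")
        if act is KeyAction.DERIVE:
            print("  derived:", derive_slice_key(k_amf, requested).hex()[:16], "...")
    print("key kept after deregistration from dedicated slice:",
          key_kept_after_deregistration(DEDICATED))
```

The direction of the check is the security-relevant point: a key that protected a dedicated slice may be used as the parent of a derived key for a common slice, because derivation is one-way, but a key established for a common slice must not become the protection of a dedicated slice, so that case forces a fresh authentication instead.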
The communication apparatus 1100 may also be applied to the user equipment.
Specifically, the transceiver unit 1103 is used to send a first request message to the first network device, the first request message being used to request access to a second slice, and to receive a first indication message from the first network device, the first indication message instructing the user equipment to obtain a second key;
the processing unit 1102 is used to obtain the second key, the second key being used to protect the information of the second slice and/or information exchanged when the user equipment accesses the second slice.
In one implementation, when obtaining the second key, the processing unit 1102 is specifically used to obtain a first key, the first key being used to protect the information of the first slice and/or information exchanged when the user equipment accesses the first slice, and to generate the second key from the first key.
In one implementation, when obtaining the second key, the processing unit 1102 is specifically used to re-authenticate with the first network device and, if the re-authentication with the first network device succeeds, the user equipment generates the second key.
In one implementation, the transceiver unit 1103 is further used to receive a registration accept message from the first network device.
In a second embodiment, the communication apparatus 1100 may be applied to the first network device.
Specifically, the transceiver unit 1103 is used to receive a deregistration request message or to send a deregistration request message;
the processing unit 1102 is used to delete a third key of the user equipment, where the third slice is the slice the user equipment accessed last, and the third key is used to protect the information of the third slice and/or information exchanged when the user equipment accesses the third slice.
In one implementation, when deleting the third key of the user equipment, the processing unit 1102 is specifically used to delete the third key of the user equipment if it determines that the attribute of the third slice does not allow sharing with slices of any attribute.
In one implementation, the transceiver unit 1103 is further used to send a deregistration accept message to the user equipment if it is determined that the attribute of the third slice allows sharing with slices of other attributes.
In one implementation, the transceiver unit 1103 is further used to send a deregistration accept message to the user equipment if the slice attribute of the third slice has not been obtained.
The communication apparatus 1100 may also be applied to the user equipment.
Specifically, the transceiver unit 1103 is used to send a deregistration request message or to receive a deregistration request message;
the processing unit 1102 is used to delete the third key of the user equipment, where the third slice is the slice the user equipment accessed last, and the third key is used to protect the information of the third slice and/or information exchanged when the user equipment accesses the third slice.
In one implementation, when deleting the third key of the user equipment, the processing unit 1102 is specifically used to delete the third key of the user equipment if it determines that the third slice does not allow sharing with slices of any attribute.
In a third embodiment, the communication apparatus 1100 may be applied to the second network device.
Specifically, the transceiver unit 1103 is used to receive redirection information from the first network device, the redirection information including information of a fourth slice of the user equipment and/or information of a fifth slice the user equipment requests to access;
the processing unit 1102 is used to re-authenticate the user equipment if the information of the fourth slice does not match the information of the fifth slice and the fifth slice has an isolation requirement.
In one implementation, the processing unit 1102 is further used to continue authenticating the user equipment if the information of the fourth slice does not match the information of the fifth slice and the fifth slice allows sharing with slices of any other attribute.
It can be understood that, for the specific implementation process of the communication apparatus when used in the above slice isolation method and the corresponding beneficial effects, reference may be made to the relevant description in the method embodiments above, which is not repeated here.
FIG. 12 is a schematic diagram of a communication apparatus provided by this application; the communication apparatus may be the above mobility management network element or the terminal device. The communication apparatus 1200 includes a processor 1202, a communication interface 1203 and a memory 1201. Optionally, the communication apparatus 1200 may further include a communication line 1204. The communication interface 1203, the processor 1202 and the memory 1201 may be connected to one another through the communication line 1204; the communication line 1204 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The communication line 1204 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in FIG. 12, but this does not mean there is only one bus or one type of bus.
The processor 1202 may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits for controlling the execution of the programs of the solution of this application.
The communication interface 1203 uses any transceiver-like apparatus to communicate with other devices or communication networks, such as Ethernet, a RAN, a wireless local area network (WLAN), a wired access network, and so on.
The memory 1201 may be a ROM or another type of static storage device capable of storing static information and instructions, a RAM or another type of dynamic storage device capable of storing information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and so on), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through the communication line 1204. The memory may also be integrated with the processor.
The memory 1201 is used to store computer-executable instructions for executing the solution of this application, and the processor 1202 controls their execution. The processor 1202 is used to execute the computer-executable instructions stored in the memory 1201, so as to implement the registration method of the terminal device provided by the above embodiments of this application.
Optionally, the computer-executable instructions in the embodiments of this application may also be called application program code; this is not specifically limited in the embodiments of this application.
The embodiments of this application further provide a computer storage medium storing a computer program which, when executed by a computer, causes the computer to perform the above slice isolation method.
The embodiments of this application further provide a computer program product containing instructions which, when run on a computer, cause the computer to perform the slice isolation method provided above.
The embodiments of this application further provide a communication system, the communication system including a first network device and a user equipment. Optionally, the communication system further includes a second network device.
A person of ordinary skill in the art can understand that the ordinal numbers "first", "second" and the like used in this application are only distinctions made for convenience of description; they do not limit the scope of the embodiments of this application, nor do they indicate an order. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the associated objects. "At least one" means one or more. "At least two" means two or more. "At least one", "any one" or similar expressions refer to any combination of these items, including any combination of a single item or multiple items. For example, "at least one of a, b or c" may mean a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b and c may be single or multiple. "Multiple" means two or more, and other quantifiers are similar. In addition, for an element appearing in the singular form ("a", "an" and "the"), unless the context clearly provides otherwise, this does not mean "one or only one" but "one or more than one". For example, "a device" refers to one or more such devices.
In the above embodiments, implementation may be wholly or partly by software, hardware, firmware or any combination thereof. When implemented in software, it may be wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are wholly or partly produced. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fibre, digital subscriber line (DSL)) or wireless means (for example infrared, radio, microwave and so on). The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)), and so on.
The various illustrative logical units and circuits described in the embodiments of this application may implement or operate the described functions by means of a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of the above. The general-purpose processor may be a microprocessor; optionally, the general-purpose processor may also be any conventional processor, controller, microcontroller or state machine. The processor may also be implemented by a combination of computing apparatuses, for example a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration.
The steps of the methods or algorithms described in the embodiments of this application may be embedded directly in hardware, in a software unit executed by a processor, or in a combination of the two. The software unit may be stored in RAM, flash memory, ROM, EPROM, EEPROM, a register, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, the storage medium may be connected to the processor so that the processor can read information from the storage medium and write information to it. Optionally, the storage medium may also be integrated into the processor. The processor and the storage medium may be arranged in an ASIC.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although this application has been described in connection with specific features and embodiments thereof, it is evident that various modifications and combinations may be made without departing from the spirit and scope of this application. Accordingly, the specification and the drawings are merely exemplary illustrations of this application as defined by the appended claims, and are deemed to cover any and all modifications, variations, combinations or equivalents within the scope of this application. Evidently, a person skilled in the art can make various changes and variations to this application without departing from its scope. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include these changes and variations.

Claims (28)

  1. A slice isolation method, comprising:
    obtaining, by a first network device, information of a first slice of a user equipment;
    if the information of the first slice does not match information of a second slice the user equipment requests to access, obtaining, by the first network device, a second key, the second key being used to protect the information of the second slice and/or information exchanged when the user equipment accesses the second slice.
  2. The method according to claim 1, wherein the information of the first slice comprises an attribute of the first slice, and the information of the second slice comprises an attribute of the second slice;
    the obtaining, by the first network device, of the second key if the information of the first slice does not match the information of the second slice the user equipment requests to access comprises:
    if the attribute of the first slice does not match the attribute of the second slice, obtaining, by the first network device, the second key.
  3. The method according to claim 1 or 2, wherein the obtaining, by the first network device, of the second key comprises:
    generating, by the first network device, the second key from a first key, wherein the first key is used to protect the information of the first slice and/or information exchanged when the user equipment accesses the first slice.
  4. The method according to claim 3, wherein the generating, by the first network device, of the second key from the first key comprises:
    if the isolation requirement of the first slice is higher than the isolation requirement of the second slice, generating, by the first network device, the second key from the first key.
  5. The method according to claim 1 or 2, wherein the obtaining, by the first network device, of the second key comprises:
    re-authenticating, by the first network device, the user equipment;
    if the first network device re-authenticates the user equipment successfully, generating, by the first network device, the second key.
  6. The method according to claim 5, wherein the re-authenticating, by the first network device, of the user equipment comprises:
    if the isolation requirement of the first slice is lower than the isolation requirement of the second slice, performing, by the first network device, network authentication of the user equipment again.
  7. The method according to any one of claims 2 to 6, wherein the attribute of the first slice not matching the attribute of the second slice comprises:
    the attribute of the first slice or the attribute of the second slice does not allow sharing with slices of any other attribute; or
    the attribute of the first slice allows sharing only with slices having the same service type SST, and the SST of the attribute of the second slice differs from the SST of the attribute of the first slice; or
    the attribute of the second slice allows sharing only with slices having the same service type SST, and the SST of the attribute of the first slice differs from the SST of the attribute of the second slice; or
    the attribute of the first slice allows sharing only with slices having the same slice differentiator SD, and the SD of the attribute of the second slice differs from the SD of the attribute of the first slice; or
    the attribute of the second slice allows sharing only with slices having the same slice differentiator SD, and the SD of the attribute of the first slice differs from the SD of the attribute of the second slice.
  8. The method according to any one of claims 2 to 7, further comprising:
    if the attribute of the first slice matches the attribute of the second slice, sending, by the first network device, a registration accept message to the user equipment.
  9. The method according to claim 8, wherein the attribute of the first slice matching the attribute of the second slice comprises:
    the attribute of the first slice or the attribute of the second slice allows sharing with slices of any other attribute; or
    the attribute of the first slice allows sharing only with slices having the same SST, and the SST of the attribute of the second slice is the same as the SST of the attribute of the first slice; or
    the attribute of the second slice allows sharing only with slices having the same SST, and the SST of the attribute of the first slice is the same as the SST of the attribute of the second slice; or
    the attribute of the first slice allows sharing only with slices having the same SD, and the SD of the attribute of the second slice is the same as the SD of the attribute of the first slice; or
    the attribute of the second slice allows sharing only with slices having the same SD, and the SD of the attribute of the first slice is the same as the SD of the attribute of the second slice; or
    the second slice and the first slice map to the same single network slice selection assistance information S-NSSAI.
  10. A slice isolation method, comprising:
    sending, by a user equipment, a first request message to a first network device, the first request message being used to request access to a second slice;
    receiving, by the user equipment, a first indication message from the first network device, the first indication message being used to instruct the user equipment to obtain a second key;
    obtaining, by the user equipment, the second key, the second key being used to protect the information of the second slice and/or information exchanged when the user equipment accesses the second slice.
  11. The method according to claim 10, wherein the obtaining, by the user equipment, of the second key comprises:
    obtaining, by the user equipment, a first key, the first key being used to protect the information of a first slice and/or information exchanged when the user equipment accesses the first slice;
    generating, by the user equipment, the second key from the first key.
  12. The method according to claim 10, wherein the obtaining, by the user equipment, of the second key comprises:
    re-authenticating, by the user equipment, with the first network device;
    if the user equipment re-authenticates with the first network device successfully, generating, by the user equipment, the second key.
  13. The method according to any one of claims 10 to 12, further comprising:
    receiving, by the user equipment, a registration accept message from the first network device.
  14. A communication apparatus, comprising a transceiver unit and a processing unit;
    the transceiver unit is used to obtain information of a first slice of a user equipment;
    the processing unit is used to obtain a second key if the information of the first slice does not match information of a second slice the user equipment requests to access, the second key being used to protect the information of the second slice and/or information exchanged when the user equipment accesses the second slice.
  15. The apparatus according to claim 14, wherein the information of the first slice comprises an attribute of the first slice, and the information of the second slice comprises an attribute of the second slice;
    when obtaining the second key because the information of the first slice does not match the information of the second slice the user equipment requests to access, the processing unit is specifically used to obtain the second key if the attribute of the first slice does not match the attribute of the second slice.
  16. The apparatus according to claim 14 or 15, wherein, when obtaining the second key, the processing unit is specifically used to generate the second key from a first key, wherein the first key is used to protect the information of the first slice and/or information exchanged when the user equipment accesses the first slice.
  17. The apparatus according to claim 16, wherein, when generating the second key from the first key, the processing unit is specifically used to generate the second key from the first key if the isolation requirement of the first slice is higher than the isolation requirement of the second slice.
  18. The apparatus according to claim 14 or 15, wherein, when obtaining the second key, the processing unit is specifically used to re-authenticate the user equipment and, if the user equipment is re-authenticated successfully, generate the second key.
  19. The apparatus according to claim 18, wherein, when re-authenticating the user equipment, the processing unit is specifically used to perform network authentication of the user equipment again if the isolation requirement of the first slice is lower than the isolation requirement of the second slice.
  20. The apparatus according to any one of claims 15 to 19, wherein the attribute of the first slice not matching the attribute of the second slice comprises:
    the attribute of the first slice or the attribute of the second slice does not allow sharing with slices of any other attribute; or
    the attribute of the first slice allows sharing only with slices having the same service type SST, and the SST of the attribute of the second slice differs from the SST of the attribute of the first slice; or
    the attribute of the second slice allows sharing only with slices having the same service type SST, and the SST of the attribute of the first slice differs from the SST of the attribute of the second slice; or
    the attribute of the first slice allows sharing only with slices having the same slice differentiator SD, and the SD of the attribute of the second slice differs from the SD of the attribute of the first slice; or
    the attribute of the second slice allows sharing only with slices having the same slice differentiator SD, and the SD of the attribute of the first slice differs from the SD of the attribute of the second slice.
  21. The apparatus according to any one of claims 15 to 20, wherein the transceiver unit is further used to send a registration accept message to the user equipment if the attribute of the first slice matches the attribute of the second slice.
  22. The apparatus according to claim 21, wherein the attribute of the first slice matching the attribute of the second slice comprises:
    the attribute of the first slice or the attribute of the second slice allows sharing with slices of any other attribute; or
    the attribute of the first slice allows sharing only with slices having the same SST, and the SST of the attribute of the second slice is the same as the SST of the attribute of the first slice; or
    the attribute of the second slice allows sharing only with slices having the same SST, and the SST of the attribute of the first slice is the same as the SST of the attribute of the second slice; or
    the attribute of the first slice allows sharing only with slices having the same SD, and the SD of the attribute of the second slice is the same as the SD of the attribute of the first slice; or
    the attribute of the second slice allows sharing only with slices having the same SD, and the SD of the attribute of the first slice is the same as the SD of the attribute of the second slice; or
    the second slice and the first slice map to the same single network slice selection assistance information S-NSSAI.
  23. A communication apparatus, comprising a transceiver unit and a processing unit;
    the transceiver unit is used to send a first request message to a first network device, the first request message being used to request access to a second slice, and to receive a first indication message from the first network device, the first indication message being used to instruct the user equipment to obtain a second key;
    the processing unit is used to obtain the second key, the second key being used to protect the information of the second slice and/or information exchanged when the user equipment accesses the second slice.
  24. The apparatus according to claim 23, wherein, when obtaining the second key, the processing unit is specifically used to obtain a first key, the first key being used to protect the information of a first slice, and to generate the second key from the first key.
  25. The apparatus according to claim 23, wherein, when obtaining the second key, the processing unit is specifically used to re-authenticate with the first network device and, if the re-authentication with the first network device succeeds, the user equipment generates the second key.
  26. The apparatus according to any one of claims 23 to 25, wherein the transceiver unit is further used to receive a registration accept message from the first network device.
  27. A computer-readable storage medium, comprising a program or instructions which, when run on a computer, cause the method according to any one of claims 1 to 9 or the method according to any one of claims 10 to 13 to be performed.
  28. A communication system, comprising a first network device that performs the method according to any one of claims 1 to 9, and a user equipment that performs the method according to any one of claims 10 to 13.
PCT/CN2020/126579 2020-11-04 2020-11-04 Slice isolation method, apparatus, and system WO2022094812A1 (zh)

Priority Applications (4)

Application Number Priority Date Filing Date Title
PCT/CN2020/126579 WO2022094812A1 (zh) 2020-11-04 2020-11-04 Slice isolation method, apparatus, and system
EP20960274.7A EP4228305A4 (en) 2020-11-04 2020-11-04 SLICE ISOLATION METHOD, APPARATUS AND SYSTEM
CN202080106568.5A CN116349197A (zh) 2020-11-04 2020-11-04 一种切片隔离方法、装置及系统
US18/310,121 US20230269577A1 (en) 2020-11-04 2023-05-01 Slice isolation method, apparatus, and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/126579 WO2022094812A1 (zh) 2020-11-04 2020-11-04 Slice isolation method, apparatus, and system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US18/310,121 Continuation US20230269577A1 (en) 2020-11-04 2023-05-01 Slice isolation method, apparatus, and system

Publications (1)

Publication Number Publication Date
WO2022094812A1 true WO2022094812A1 (zh) 2022-05-12

Family

ID=81456857

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/126579 WO2022094812A1 (zh) 2020-11-04 2020-11-04 Slice isolation method, apparatus, and system

Country Status (4)

Country Link
US (1) US20230269577A1 (zh)
EP (1) EP4228305A4 (zh)
CN (1) CN116349197A (zh)
WO (1) WO2022094812A1 (zh)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110431820A (zh) * 2017-03-17 2019-11-08 高通股份有限公司 Network access privacy
WO2020092695A1 (en) * 2018-11-01 2020-05-07 Qualcomm Incorporated Encrypting network slice selection assistance information
CN111465012A (zh) * 2019-01-21 2020-07-28 华为技术有限公司 Communication method and related product
CN111787533A (zh) * 2020-06-30 2020-10-16 中国联合网络通信集团有限公司 Encryption method, slice management method, terminal, and access and mobility management entity

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018053271A1 (en) * 2016-09-16 2018-03-22 Idac Holdings, Inc. Unified authentication framework

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
QUALCOMM INCORPORATED, T-MOBILE USA: "KI #7, New Sol: Compatibility of S-NSSAIs operating frequency bands with UE Radio Capabilities", 3GPP DRAFT; S2-2007330, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. e-meeting; 20201012 - 20201023, 2 October 2020 (2020-10-02), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051938370 *
See also references of EP4228305A4 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023236093A1 (en) * 2022-06-08 2023-12-14 Nokia Shanghai Bell Co., Ltd. Devices, methods, apparatuses, and computer readable media for network slice isolation
CN115022877A (zh) * 2022-07-14 2022-09-06 中国联合网络通信集团有限公司 Terminal authentication method, apparatus, electronic device and computer-readable storage medium
CN115022877B (zh) * 2022-07-14 2024-08-06 中国联合网络通信集团有限公司 Terminal authentication method, apparatus, electronic device and computer-readable storage medium

Also Published As

Publication number Publication date
EP4228305A1 (en) 2023-08-16
CN116349197A (zh) 2023-06-27
US20230269577A1 (en) 2023-08-24
EP4228305A4 (en) 2023-12-06

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20960274; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 202347031893; Country of ref document: IN)
ENP Entry into the national phase (Ref document number: 2020960274; Country of ref document: EP; Effective date: 20230510)
NENP Non-entry into the national phase (Ref country code: DE)