WO2022148469A1 - Security protection method, apparatus and system - Google Patents
Security protection method, apparatus and system
- Publication number
- WO2022148469A1 (PCT/CN2022/071229)
- Authority
- WO (WIPO (PCT))
- Prior art keywords
- amf
- user
- target
- target amf
- security context
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W36/00—Hand-off or reselection arrangements
- H04W8/00—Network data management
- H04W8/02—Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
- H04W8/04—Registration at HLR or HSS [Home Subscriber Server]
Definitions
- the present application relates to the field of communications, and in particular, to a security protection method, device, and system.
- the terminal may perform access and mobility management function (AMF) redirection during the process of registering with the network.
- a core network element may also perform redirection or handover, and the redirection or handover process likewise has the problems of high signaling overhead and prolonged network access.
- the embodiments of the present application provide a security protection method, device, and system, which can reduce signaling interaction in the process of core network element redirection or handover, reduce signaling overhead, and shorten network access delay.
- the embodiments of the present application provide a security protection method, including:
- the target network element receives the first request of the terminal from the initial network element, the security context of the terminal, and the user permanent identifier of the terminal;
- the target network element responds to the above-mentioned first request.
- the first request may be a registration request of the terminal.
- the above network element may be a mobility management network function, such as AMF; the above network element may also be a network element that undergoes redirection or handover and needs to acquire the security context of the terminal or establish a secure connection with the terminal.
- the initial network element is the first network element that processes the first request
- the target network element is the network element that provides services for the terminal after redirection or handover occurs.
- the initial network element and the target network element may be the same type of network element, or may be different types of network elements capable of providing the same type of service for the terminal.
- the first request includes the user temporary identifier of the terminal.
- the response of the target network element to the first request can be understood as determining the user permanent identifier and the security context corresponding to the user temporary identifier of the terminal, or as determining only the user permanent identifier corresponding to the user temporary identifier of the terminal; here the user permanent identifier corresponding to the user temporary identifier is the above-mentioned user permanent identifier received by the target network element, and the security context corresponding to the user temporary identifier is the above-mentioned security context received by the target network element.
- the target network element receiving the first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal from the initial network element includes: the target network element receives the first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal from the initial network element through a direct interface.
- the target network element receiving the first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal from the initial network element includes: the target network element receives the first request of the terminal from the access network device; and the target network element receives the user temporary identifier of the terminal, the security context of the terminal, and the user permanent identifier of the terminal from the core network element.
- the target network element receiving the first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal from the initial network element includes: the target network element receives the first request of the terminal, forwarded by the initial network element, from the access network device; in response to the first request, the target network element sends an acquisition request to the NF, where the acquisition request is used to request the security context and the user permanent identifier corresponding to the terminal from the NF and includes the user temporary identifier of the terminal; and the target network element receives the user temporary identifier of the terminal, the security context of the terminal, and the user permanent identifier of the terminal from the core network element.
- the target network element responding to the first request includes: in response to the security context of the terminal and the permanent identifier of the terminal, the target network element uses the security context and the permanent user identifier.
- the method further includes: the target network element does not initiate an authentication process.
- the target network element may determine not to initiate the authentication process according to the local policy.
- the method further includes: the target network element does not send a request for acquiring the context.
- the target network element may determine not to send the request for obtaining the context according to the local policy. Not sending the request for acquiring the context may mean not sending the request for acquiring the context to the original network element.
- the context includes the security context.
- the target network element responding to the first request includes: in response to the security context of the terminal and the permanent identifier of the terminal, the target network element does not send a request for acquiring the security context.
- the target network element responding to the first request includes: in response to the security context of the terminal and the permanent identifier of the terminal, the target network element does not initiate an authentication process.
- the response of the target network element to the above-mentioned first request includes: the target network element determines whether to use or trust the above-mentioned security context and/or the above-mentioned user permanent identifier according to a local policy.
- the response of the target network element to the above-mentioned first request includes: the target network element determines to use the above-mentioned security context and/or user permanent identifier according to a local policy.
- the method further includes: the target network element does not initiate an authentication process.
- the method further includes: the target network element does not send a request for acquiring the context.
- the response of the target network element to the first request includes: the target network element determines whether to initiate an authentication process according to a local policy.
- the response of the target network element to the above-mentioned first request includes: the target network element determines not to initiate an authentication process according to a local policy.
- the response of the target network element to the above-mentioned first request includes: the target network element determines whether to send a request for acquiring the context according to a local policy.
- the response of the target network element to the above-mentioned first request includes: the target network element determines not to send the request for acquiring the context according to a local policy. Not sending the request for acquiring the context may mean not sending the request for acquiring the context to the original network element.
- the context includes the security context.
- the target network element can trust the above information from the initial network element; it can directly use that information to respond to the first request without needing to initiate an authentication process to obtain the security context or the user permanent identifier, and likewise without needing to send a request for acquiring the context. This effectively reduces the signaling performed by the target network element after receiving the first request, and effectively shortens the delay required for the terminal and the target network element to establish or update a secure connection.
- the target network element acquires and uses the security context and the user permanent identifier from the initial network element, so that it does not acquire them from the original network element. This avoids the problem that, after the security context between the initial network element and the terminal has been updated, the target network element obtains the pre-update security context from the original network element and consequently fails to establish communication with the terminal based on that security context.
- the response of the target network element to the above-mentioned first request includes: the target network element determines not to use the security context or the user permanent identifier according to a local policy.
- the method further includes: the target network element initiates an authentication process.
- the target network element determines to initiate an authentication process according to a local policy.
- the target network element does not need to initiate the authentication process after receiving any first request, but only needs to initiate the authentication process when the target network element determines that the authentication process needs to be initiated according to the local policy. While reducing the signaling overhead caused by unnecessary authentication procedures, the security of the communication connection is guaranteed.
- the method further includes: the target network element receives the first indication information.
- the first indication information is used to indicate that the first request is forwarded through the initial network element.
- the response of the target network element to the first request includes: the target network element determines, according to the first indication information, to respond to the security context of the terminal and the permanent identifier of the terminal.
- the response of the target network element to the above-mentioned first request includes: the target network element determines, according to the first indication information, to judge according to the local policy.
- the first indication information is generated by the initial network element and forwarded to the target network element through the access network device; or, the first indication information is generated by the access network device and sent to the target network element.
- the target network element extracts the user temporary identifier from the first request.
- the target network element uses the user temporary identifier of the terminal to look up, among the acquired security contexts and user permanent identifiers, the security context of the terminal and the user permanent identifier of the terminal.
- the method further includes: after the target network element acquires the permanent user identifier of the terminal, the target network element deletes the temporary user identifier of the terminal.
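As an added illustration (not code from the patent or its applicant), the following Python model shows the target AMF's handling of the forwarded first request described above: the security context and user permanent identifier pushed by the initial AMF are indexed by the user temporary identifier, the first indication information and a local policy decide whether the forwarded material is used or an authentication process is initiated instead, the temporary identifier is deleted once the permanent identifier is known, and the legacy fetch-from-the-original-AMF path is contrasted to show the stale-context failure. The context fields, the HMAC-based integrity tag, the identifiers and the policy flags are constructed stand-ins, not 3GPP definitions.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample values; not identifiers from the patent.
TEMP_ID = "5G-GUTI-0001"
SUPI = "supi-sample-0001"


@dataclass(frozen=True)
class SecurityContext:
    """The security-context fields listed in the patent text."""
    kamf_id: str    # AMF key identifier
    kamf: bytes     # AMF key (stand-in for K_AMF)
    nas_count: int  # NAS COUNT
    ciphering: str  # encryption protection algorithm
    integrity: str  # integrity protection algorithm


# Context the UE and the initial AMF share after primary authentication,
# and the pre-update context still held by the old AMF (both constructed).
FRESH_CTX = SecurityContext("ksi-2", b"constructed-new-kamf", 0, "NEA2", "NIA2")
STALE_CTX = SecurityContext("ksi-1", b"constructed-old-kamf", 7, "NEA2", "NIA2")


def nas_mac(ctx: SecurityContext, payload: bytes) -> bytes:
    """Toy NAS integrity tag: HMAC over NAS COUNT and payload (stand-in for NIA)."""
    data = ctx.nas_count.to_bytes(4, "big") + payload
    return hmac.new(ctx.kamf, data, "sha256").digest()[:4]


def ue_accepts(ue_ctx: SecurityContext, amf_ctx: SecurityContext, payload: bytes) -> bool:
    """The UE checks the AMF's tag against the context it holds itself."""
    return hmac.compare_digest(nas_mac(amf_ctx, payload), nas_mac(ue_ctx, payload))


@dataclass
class LocalPolicy:
    trust_forwarded_context: bool = True  # use context and SUPI from the initial AMF
    force_authentication: bool = False    # always run primary authentication anyway


@dataclass
class Decision:
    used_forwarded_context: bool
    initiate_authentication: bool
    request_context_from_old_amf: bool
    supi: Optional[str]


class TargetAMF:
    def __init__(self, policy: LocalPolicy) -> None:
        self.policy = policy
        self._pending: Dict[str, Tuple[SecurityContext, str]] = {}  # temp id -> (ctx, SUPI)
        self.active: Dict[str, SecurityContext] = {}                 # SUPI -> context in use

    def receive_from_initial_amf(self, temp_id: str, ctx: SecurityContext, supi: str) -> None:
        """Context and SUPI delivered by the initial AMF (directly or via an NF), keyed by temp id."""
        self._pending[temp_id] = (ctx, supi)

    def handle_first_request(self, temp_id: str, forwarded_indication: bool) -> Decision:
        """Respond to the forwarded first request according to the local policy."""
        entry = self._pending.get(temp_id) if forwarded_indication else None
        if entry is None:
            # Nothing forwarded: legacy behaviour, fetch context from the old AMF and authenticate.
            return Decision(False, True, True, None)
        ctx, supi = entry
        del self._pending[temp_id]  # temp id is no longer needed once the SUPI is known
        if not self.policy.trust_forwarded_context or self.policy.force_authentication:
            # Policy declines the forwarded context: run authentication, no fetch from the old AMF.
            return Decision(False, True, False, supi)
        self.active[supi] = ctx  # trust path: use the forwarded context and SUPI directly
        return Decision(True, False, False, supi)


def run_scenarios() -> Dict[str, Dict[str, object]]:
    """Legacy fetch-from-old-AMF path versus the forwarded-context path."""
    msg = b"REGISTRATION ACCEPT"
    out: Dict[str, Dict[str, object]] = {}

    # Legacy: no forwarded material, so the target AMF takes the stale context from the old AMF
    # and the UE, which holds the updated context, rejects the protected message.
    legacy = TargetAMF(LocalPolicy())
    d = legacy.handle_first_request(TEMP_ID, forwarded_indication=False)
    out["legacy"] = {"decision": d, "ue_accepts": ue_accepts(FRESH_CTX, STALE_CTX, msg)}

    # Patent path, permissive policy: forwarded context used, no authentication, no old-AMF fetch.
    trusting = TargetAMF(LocalPolicy())
    trusting.receive_from_initial_amf(TEMP_ID, FRESH_CTX, SUPI)
    d = trusting.handle_first_request(TEMP_ID, forwarded_indication=True)
    out["forwarded"] = {"decision": d,
                        "ue_accepts": ue_accepts(FRESH_CTX, trusting.active[SUPI], msg),
                        "temp_id_deleted": TEMP_ID not in trusting._pending}

    # Patent path, strict policy: forwarded material not used, authentication initiated instead.
    strict = TargetAMF(LocalPolicy(trust_forwarded_context=False))
    strict.receive_from_initial_amf(TEMP_ID, FRESH_CTX, SUPI)
    out["strict"] = {"decision": strict.handle_first_request(TEMP_ID, forwarded_indication=True)}
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The model keeps the policy decision separate from the data path so that the three outcomes the text distinguishes (use the forwarded context, initiate authentication, or request the context from the original network element) are explicit return values rather than side effects.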
- the embodiments of the present application provide a security protection method, including:
- the initial access management function network element receives a first request of the terminal, where the first request includes a user temporary identifier of the terminal;
- the initial network element obtains the context of the terminal and the permanent user identifier of the terminal corresponding to the above-mentioned temporary user identifier;
- the initial network element sends the above-mentioned first request to the target network element through the access network device;
- the initial network element sends the user temporary identifier of the terminal, the permanent user identifier of the terminal, and the security context of the terminal to the first network element.
- the method further includes: the initial network element sends first indication information to the access network device, where the first indication information is used to indicate that the above-mentioned first request is forwarded by the initial network element.
- the method further includes: the initial network element extracts the user temporary identifier in the first request.
- the embodiments of the present application provide a security protection method, including:
- the first network element obtains the temporary user identifier of the terminal, the permanent user identifier of the terminal, and the security context of the terminal;
- the first network element sends the above-mentioned user temporary identifier, user permanent identifier, and security context to the target access management function network element.
- the method further includes: the first network element receives an acquisition request from the target network element, where the acquisition request includes the above-mentioned temporary user identifier;
- the first network element sending the user temporary identifier, the user permanent identifier, and the security context to the target access management function network element includes: in response to the acquisition request, the first network element sends to the target network element the user temporary identifier together with the user permanent identifier and the security context corresponding to that user temporary identifier.
- an embodiment of the present application provides a communication device, including a processor and a memory, where the memory is used for storing computer-executable instructions and the processor is used for executing the computer-executable instructions stored in the memory, so that the device performs the corresponding method described in the first aspect.
- an embodiment of the present application provides a communication device, including a processor and a memory, where the memory is used for storing computer-executable instructions and the processor is used for executing the computer-executable instructions stored in the memory, so that the device performs the corresponding method described in the second aspect.
- an embodiment of the present application provides a communication device, including a processor and a memory, where the memory is used for storing computer-executable instructions and the processor is used for executing the computer-executable instructions stored in the memory, so that the device performs the corresponding method described in the third aspect.
- an embodiment of the present application provides a communication apparatus for implementing the method of the first aspect.
- the communication device can implement the function of the target network element in the first aspect.
- the communication device includes corresponding modules, units, or means (means) for implementing the above method, and the modules, units, or means may be implemented by hardware, software, or hardware executing corresponding software.
- the hardware or software includes one or more modules or units corresponding to the above functions.
- an embodiment of the present application provides a communication device for implementing the method of the second aspect.
- the communication apparatus can implement the function of the initial network element in the second aspect.
- the communication device includes corresponding modules, units, or means (means) for implementing the above method, and the modules, units, or means may be implemented by hardware, software, or hardware executing corresponding software.
- the hardware or software includes one or more modules or units corresponding to the above functions.
- an embodiment of the present application provides a communication apparatus for implementing the method of the third aspect.
- the communication apparatus may implement the function of the first network element in the second aspect.
- the communication device includes corresponding modules, units, or means (means) for implementing the above method, and the modules, units, or means may be implemented by hardware, software, or hardware executing corresponding software.
- the hardware or software includes one or more modules or units corresponding to the above functions.
- an embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium is used to store instructions, and when the instructions are executed, the method according to any one of the first to third aspects is implemented.
- an embodiment of the present application provides a computer program product, where the computer program product includes instructions, and when the instructions are executed, the method according to any one of the first aspect to the third aspect is implemented.
- an embodiment of the present application provides a communication system, including the device described in the fourth aspect or the seventh aspect, and the device described in the fifth aspect or the eighth aspect.
- the communication system further includes the apparatus described in the sixth aspect or the ninth aspect.
- the technical effects of the second to twelfth aspects may refer to the beneficial effects of the first aspect.
- FIG. 1 is a schematic diagram of a communication system provided by an embodiment of the present application.
- FIG. 2 is a schematic flowchart of a security protection method provided by an embodiment of the present application.
- FIG. 3 is a schematic flowchart of a registration method provided by an embodiment of the present application.
- FIG. 4 is a schematic flowchart of another security protection method provided by an embodiment of the present application.
- FIG. 5 is a schematic flowchart of another security protection method provided by an embodiment of the present application.
- FIG. 6 is a schematic flowchart of a further security protection method provided by an embodiment of the present application.
- FIG. 7 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application.
- FIG. 8 is a schematic structural diagram of still another communication apparatus provided by an embodiment of the present application.
- FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of the present application, and each part involved in FIG. 1 is as follows:
- a terminal device may also be called a user equipment (user equipment, UE), a terminal, and the like.
- a terminal device is a device with wireless transceiver function, which can communicate with one or more core networks (CN) through the access network device in the (radio) access network ((R)AN). It can be deployed on land, including indoor or outdoor, handheld, wearable or vehicle-mounted; it can also be deployed on water, such as on ships; it can also be deployed in the air, such as on airplanes, balloons, or satellites.
- the terminal device can be a mobile phone, a tablet computer (Pad), a computer with wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart cities, a wireless terminal in smart homes, and so on.
- the (radio) access network ((R)AN) is used to provide network access functions for authorized user equipment in a specific area, and can use transmission tunnels of different quality according to the level of the user equipment, service requirements, etc.
- (R)AN can manage radio resources, provide access services for user equipment, and then complete the forwarding of control information and/or data information between user equipment and a core network (core network, CN).
- the access network device in the embodiment of the present application is a device that provides a wireless communication function for a terminal device, and may also be referred to as a network device.
- the access network equipment may include: a next generation node base station (gNB) in a 5G system, an evolved node B (eNB) in long term evolution (LTE), a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved node B or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), small base station equipment (pico), a mobile switching center, or network equipment in a future network, etc.
- UPF: user plane function
- QoS: quality of service
- the data network (DN) network function is used to provide a network for transmitting data.
- the access and mobility management function (AMF) network function can be used to implement the functions of a mobility management entity (MME) other than session management, such as lawful interception and access authorization/authentication.
- the AMF network function is hereinafter referred to as AMF.
- the AMF may include an initial AMF (initial AMF), an old AMF (old AMF), and a target AMF (target AMF).
- the initial AMF can be understood as the first AMF to process the UE registration request in this registration.
- the initial AMF is selected by the (R)AN, but the initial AMF may not be able to serve the UE.
- the original AMF can be understood as the UE
- the target AMF can be understood as the AMF that serves the UE after the UE is redirected.
- the UE carries network slice selection information in the registration request message. After the UE sends the registration request to the initial AMF, the initial AMF finds that it cannot serve the requested network slice and needs to redirect the UE to the target AMF, which then serves the UE.
- NSSF: network slice selection function
- Network storage network functions such as the network repository function (NRF) can be used to maintain real-time information on all network function services in the network.
- the authentication server function (AUSF) is used to authenticate services, generate keys to realize two-way authentication of user equipment, and support a unified authentication framework.
- Unified data management (UDM) network function which can be used to handle user equipment identification, access authentication, registration, and mobility management. It can be understood that the UDM network function is hereinafter referred to as UDM.
- the mobility management network function in the embodiment of the present application may be the AMF network function shown in FIG. 1 , or may be other network functions having the above-mentioned AMF network function in the future communication system.
- the mobility management network function in this application may also be a mobility management entity (MME) in long term evolution (LTE), or the like.
- the mobility management network function is an AMF network function as an example for description.
- the AMF network function is referred to as AMF for short
- the terminal device is referred to as UE or terminal; that is, the AMF described later in the embodiments of the present application can be replaced by the mobility management network function, and the UE or terminal can be replaced by the terminal device.
- the embodiments of the present application take the redirection of the mobility management network function as an example to introduce the security protection method proposed by the present application.
- the security protection method of the present application can also be applied to the handover of the mobility management network function. It can be understood that when other core network elements are redirected or handed over, and the core network element and the terminal need to establish a secure connection, the actions performed by the mobility management network function in the following methods can instead be performed by that core network element.
- the above-mentioned network functions or functions can be either network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (eg, a cloud platform).
- FIG. 2 is a schematic flowchart of a security protection method, which specifically includes:
- the target AMF receives, from the initial AMF, the first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal.
- the above-mentioned first request includes the user temporary identifier of the terminal.
- the user temporary identity may be a temporary identity generated by the terminal, such as SUCI.
- the user temporary identity may also be a temporary identity generated by the core network for the terminal, such as a GUTI, and the terminal obtains the temporary identity from the core network.
- the first request is used to request to establish a secure connection between the terminal and the core network, or the first request is used to request to establish a secure connection between the terminal and the AMF that receives the first request.
- Establishing a secure connection includes establishing a security context. The above establishment can also be replaced by an update.
- the first request may be a registration request of the terminal, where the registration request is used for requesting to register the terminal with the core network, or the request is used for requesting to register the terminal with an AMF capable of serving the terminal.
- the first request may also be other requests of the terminal, such as a handover request.
- the security context is used to describe the information required for security protection of the communication between the core network and the terminal.
- the security context includes one or more of the following information: AMF key, AMF key identifier, security capability of the terminal, encryption protection algorithm, integrity protection algorithm, and NAS COUNT.
- the security context of the terminal is the security context of the terminal that has been acquired by the initial AMF.
- the above-mentioned initial AMF receives the above-mentioned first request from the terminal, initiates a main authentication process for the terminal, and the initial AMF obtains the security context of the terminal through the main authentication process.
- the initial AMF can encrypt and protect information such as signaling sent to the terminal according to the security context.
- the first request of the terminal, the security context of the terminal, and the permanent user identifier of the terminal are carried in a message. It can be understood that, by acquiring the message, the target AMF can learn that the security context and the permanent user identifier carried in the message correspond to the temporary user identifier in the first request.
- the initial AMF sends the message to the target AMF through the direct interface.
- the above-mentioned first request of the terminal, the security context of the terminal, and the user permanent identifier of the terminal are carried in different messages respectively.
- the security context, or the user permanent identifier, is carried in one message together with the terminal identifier, so that the target AMF can associate the received security context and user permanent identifier with the terminal.
- the terminal identifier may be the above-mentioned temporary user identifier, or it may be other information that enables the target AMF to identify the terminal, such as session information or tunnel identifier information corresponding to the terminal.
- the initial AMF may send the temporary user identifier of the terminal, the security context of the terminal, and the permanent user identifier of the terminal to the target AMF through the core network element.
- the initial AMF sends the first request of the terminal to the target AMF through the access network device.
- the target AMF may extract the user temporary identity from the first request.
- the target AMF may use the user temporary identity of the terminal to index or obtain the security context of the terminal and the user permanent identity of the terminal.
- the target AMF may use the user temporary identifier to request the NF to obtain the security context of the terminal and the permanent user identifier of the terminal.
- the above-mentioned core network elements may be UDM, NSSF, or other core network elements capable of storing and forwarding the above-mentioned information.
- the core network element is hereinafter referred to as a network function NF.
- after acquiring the temporary user identifier of the terminal, the security context of the terminal, and the permanent user identifier of the terminal, the NF sends the acquired information to the target AMF. That is, the NF directly pushes the information to the target AMF once it has obtained it.
- the NF acquires the security context of the terminal and the permanent user identifier of the terminal, and sends the acquired information to the target AMF when receiving an acquisition request from the target AMF.
- the acquisition request includes the user temporary identifier, and the user temporary identifier is used to request the security context and user permanent identifier corresponding to the terminal from the NF.
- the target AMF receives the above-mentioned first request; in response to the above-mentioned first request, the target AMF sends the acquisition request to the NF; the target AMF receives the terminal's security context and the terminal's user permanent identity from the NF.
- S220 The target AMF responds to the first request.
- the response manner includes triggering the authentication process or not triggering the authentication process.
- the target AMF can send an authentication request to the AUSF.
- the target AMF responds to the above-mentioned first request in any of the following ways:
- Manner 1: in response to the security context of the terminal and the permanent identity of the terminal, the target AMF uses the security context and the user permanent identity.
- Using the security context can be understood as performing security protection on signaling according to the information in the security context, such as performing encryption protection or performing integrity protection.
- the use of the security context can also be understood as sending signaling to the terminal for security protection according to the information in the security context.
- Using the user permanent identifier can be understood as treating it as the user's unique permanent identifier in the core network; it can also be understood as charging according to the user permanent identifier, or as obtaining or implementing other services of the terminal according to the user permanent identifier.
- the target AMF may not trigger the authentication process and not send the request for acquiring the context. For example, when the target AMF receives the RR message carried in the first request, and the message carries SUCI, the target AMF may choose not to trigger the authentication process.
- the first manner further includes: the target AMF does not initiate an authentication process. It can be understood that, after the target AMF acquires the above-mentioned security context and user permanent identifier, it no longer needs to acquire the security context and user permanent identifier of the terminal by initiating an authentication process.
- the first manner further includes: the target AMF does not send a request for acquiring the security context.
- after the target AMF obtains the above-mentioned security context and user permanent identity, it is no longer necessary to send a request for obtaining the security context to the original AMF.
- the original AMF is the AMF that previously served the terminal; the security context of the terminal was established on the original AMF, and the permanent user identifier of the terminal is stored there.
- the target AMF determines whether to use the above-mentioned security context or the above-mentioned user permanent identifier according to the local policy.
- Another way of expressing mode 4 may be: the target AMF judges whether to trust the security context and user permanent identity received from the initial AMF according to a local policy.
- the local policy is the policy information locally configured by the target AMF or received from other core network elements.
- Exemplary local policies may include:
- the target AMF trusts the initial AMF; or, the target AMF and the initial AMF are in the same security domain; or,
- the security requirement of the network slice in which the target AMF serves the terminal is that the authentication process is not to be repeatedly initiated; or,
- the security requirement of the above network slice is not to send a context acquisition request to the original AMF; or,
- the target AMF does not initiate the authentication process after acquiring the security context; or,
- the target AMF does not send an acquire context request to the original AMF after acquiring the security context.
- Mode 4 may be replaced with the target AMF determining to use the security context or the user permanent identifier according to the local policy.
- the target AMF does not initiate an authentication process.
- the method further includes: the target AMF does not send a request for acquiring the context.
- Mode 5 The target AMF determines whether to initiate an authentication process according to a local policy.
- Mode 5 can be replaced with the target AMF determining not to initiate the authentication process according to the local policy.
- Manner 5 further includes: the target AMF judges whether to send the request for acquiring the context according to the local policy.
- the target AMF determines whether to send a request for obtaining the context according to the local policy.
- Mode 6 can be replaced with the target AMF determining not to send a request for acquiring the security context according to the local policy.
- Manner 6 further includes: the target AMF determines whether to initiate an authentication process according to a local policy.
- the target AMF can trust the above-mentioned information from the initial AMF and directly use it to respond to the first request. It does not need to initiate an authentication process to obtain the security context or user permanent identifier, and likewise does not need to send a request to obtain the context, which effectively reduces the signaling of the target AMF after receiving the first request and effectively shortens the delay required for the terminal to establish or update the connection with the target AMF.
- otherwise, after obtaining the user temporary identifier, the target AMF would first need to obtain the user permanent identifier corresponding to it, and only then use the user permanent identifier to obtain from the NF the security context corresponding to the user permanent identifier.
- here, the security context of the terminal can be understood as being indexed by the user temporary identifier of the terminal, so that the target AMF can directly use the user temporary identifier to obtain the corresponding security context. This simplifies the process by which the target AMF obtains the security context.
- the target AMF obtains and uses the security context and the user permanent identity from the initial AMF, so that obtaining the security context and the user permanent identity from the original AMF can be avoided.
- otherwise, the security context between the initial AMF and the terminal may have been updated, while the target AMF obtains the pre-update security context from the original AMF and therefore cannot successfully establish communication with the terminal based on that security context.
- the target AMF obtains the security context from the initial AMF to ensure that the obtained security context is the updated security context of the initial AMF, avoiding the problem that the target AMF and the terminal cannot successfully establish communication.
- the target AMF also avoids receiving security contexts over multiple channels (such as from both the original AMF and the initial AMF), and thus avoids having to judge between and select among multiple security contexts.
- the processing logic by which the target AMF determines the security context of the terminal is thereby simplified.
- the target AMF may delete the temporary user identifier of the terminal after acquiring the permanent user identifier of the terminal.
- the target AMF can provide services for the terminal based on the user's permanent identity of the terminal.
- Mode 4 of S220, in which the target AMF judges whether to use the above-mentioned security context or user permanent identifier according to the local policy, further includes:
- Mode 4 may be replaced with the target AMF determining not to use the security context or the user permanent identifier according to the local policy.
- Exemplary local policies at this time may include:
- the target AMF does not trust the initial AMF; or,
- the initial AMF should not know the AMF key used by the target AMF; or,
- the target AMF needs to use the authentication process to obtain the AMF key of the target AMF; or,
- the target AMF and the initial AMF are in different security domains; or,
- the security requirement of the network slice in which the target AMF serves the terminal is that the authentication process needs to be repeatedly initiated; or,
- the security requirement of the above network slice is that a context acquisition request needs to be sent to the original AMF; or,
- the target AMF needs to initiate an authentication process after obtaining the security context; or,
- the target AMF needs to send a context acquisition request to the original AMF after acquiring the security context.
- the target AMF initiates an authentication process.
- the target AMF sends an authentication request to the AUSF, and the message carries SUCI.
- in that message, it is also possible to use the user permanent identifier in place of the SUCI, which reduces the computational cost of parsing the SUCI at the UDM.
- Mode 5 of S220, in which the target AMF judges whether to initiate the authentication process according to the local policy, further includes:
- Mode 5 can be replaced with the target AMF determining to initiate the authentication process according to the local policy.
- the target AMF does not need to initiate an authentication process after receiving every first request; it initiates one only when it determines, according to its local policy, that it needs to. This reduces the signaling overhead caused by unnecessary authentication procedures while still guaranteeing the security of the communication connection.
- S210 further includes:
- the target AMF receives indication information #1. The indication information #1 is used to indicate that the first request is forwarded by the initial AMF; or to indicate that the security context of the terminal and the user permanent identifier of the terminal received from the initial AMF were obtained by the initial AMF through the authentication process; or to indicate redirection; or to indicate that the security context of the terminal has been generated; or to instruct the target AMF to obtain the security context from the NF; or to instruct the target AMF to skip the authentication process; or to instruct the target AMF to skip requesting the context from the original AMF; or to indicate that the initial AMF and the terminal have performed a security interaction of NAS messages; or to indicate that the initial AMF and the terminal have established a security context; or to indicate that the initial AMF and the UE have succeeded in primary authentication.
- the indication information #1 may be carried in a message with the above-mentioned first request. After receiving the message, the target AMF learns that the indication information #1 acts on the first request.
- the indication information #1 and the above-mentioned first request are respectively carried in different messages, and the indication information #1 and the above-mentioned terminal identifier are sent to the target AMF together.
- the indication information #1 may be exemplarily embodied in the following manner:
- Explicit indication, for example: a parameter #1, the value of a specific field in a parameter, or a cell structure representing the indication information.
- Implicit indication, for example: the combination of the complete registration request message, the terminal's mobility management context, the terminal's security context, and the terminal's user permanent identifier can be understood as indication information #1; or, information provided by the NSSF carried in the message, indicating that a NAS reroute due to slicing has occurred.
- the target AMF receives the routing information of the NF from the initial AMF, or the information obtained by the initial AMF from the NSSF, and the routing information or the information obtained from the NSSF can be understood as the indication information #1.
- the above S220 further includes: the target AMF determines, according to the indication information #1, to respond to the security context of the terminal and the permanent identifier of the terminal.
- the above S220 further includes: the target AMF determines to judge according to the local policy according to the indication information #1.
- "the target AMF determines according to the local policy" may be replaced by "the target AMF determines according to the indication information #1".
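The modes of S220 and the indication information #1 above can be read together as one decision the target AMF makes after S210: reuse the forwarded security context and SUPI (manner 1), initiate authentication (mode 5), or request the context from the original AMF (mode 6), according to its local policy (mode 4). The following Python model is an added example, not code from the patent or from any 3GPP implementation; the policy fields (trusted initial AMFs, security domain, per-slice requirements), the message field names and all sample values are constructed for illustration. It also assumes, beyond what the page states, that a context request to the original AMF is only possible when the registration request carries a 5G-GUTI, and that when the SUPI is already known it replaces the SUCI in the authentication request.

```python
"""Target-AMF decision model for the manners of S220 (added example, constructed names)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class Action(Enum):
    REUSE_FORWARDED_CONTEXT = auto()       # manner 1: use the received context and SUPI as-is
    INITIATE_AUTHENTICATION = auto()       # mode 5: send an authentication request to the AUSF
    REQUEST_CONTEXT_FROM_OLD_AMF = auto()  # mode 6: send a context acquisition request to the original AMF


@dataclass(frozen=True)
class LocalPolicy:
    trusted_initial_amfs: frozenset            # initial-AMF instances this AMF trusts (constructed field)
    security_domain: str                       # security domain of the target AMF itself
    slices_requiring_reauth: frozenset         # S-NSSAIs whose security requirement is re-authentication
    slices_requiring_context_fetch: frozenset  # S-NSSAIs that require a context request to the original AMF


@dataclass(frozen=True)
class ForwardedRequest:
    rr_message: dict                           # registration request fields: suci / 5g_guti / requested_nssai
    initial_amf: str
    initial_amf_domain: str
    nas_security_context: Optional[dict] = None
    supi: Optional[str] = None
    indication_1: Optional[str] = None         # indication information #1, e.g. "nas-reroute"


@dataclass
class Decision:
    actions: set = field(default_factory=set)
    auth_identifier: Optional[str] = None      # identifier the target AMF would put in the auth request
    reasons: list = field(default_factory=list)


def trusts_initial_amf(req: ForwardedRequest, policy: LocalPolicy) -> bool:
    """Mode 4 trust test: explicitly trusted, or in the same security domain."""
    return (req.initial_amf in policy.trusted_initial_amfs
            or req.initial_amf_domain == policy.security_domain)


def decide(req: ForwardedRequest, policy: LocalPolicy) -> Decision:
    d = Decision()
    requested = frozenset(req.rr_message.get("requested_nssai", ()))
    # Forwarded material is only considered when indication #1 marks it as coming from the initial AMF
    forwarded = (req.indication_1 is not None and req.nas_security_context is not None
                 and req.supi is not None)
    if not forwarded:
        # Nothing to reuse: behave as for an ordinary initial registration
        d.actions.add(Action.INITIATE_AUTHENTICATION)
        d.auth_identifier = req.rr_message.get("suci") or req.rr_message.get("5g_guti")
        d.reasons.append("no forwarded security context/SUPI with indication #1")
        return d
    if not trusts_initial_amf(req, policy):
        d.actions.add(Action.INITIATE_AUTHENTICATION)
        d.reasons.append("initial AMF not trusted / different security domain")
    if requested & policy.slices_requiring_reauth:
        d.actions.add(Action.INITIATE_AUTHENTICATION)
        d.reasons.append("slice security requirement: repeat authentication")
    if requested & policy.slices_requiring_context_fetch:
        if "5g_guti" in req.rr_message:
            d.actions.add(Action.REQUEST_CONTEXT_FROM_OLD_AMF)
            d.reasons.append("slice security requirement: fetch context from original AMF")
        else:
            # Assumption: without a 5G-GUTI there is no original AMF to address; fall back to authentication
            d.actions.add(Action.INITIATE_AUTHENTICATION)
            d.reasons.append("context fetch required but RR carries no 5G-GUTI")
    if Action.INITIATE_AUTHENTICATION in d.actions:
        d.auth_identifier = req.supi   # SUPI already known, so it can replace the SUCI in the request
    if not d.actions:
        d.actions.add(Action.REUSE_FORWARDED_CONTEXT)
        d.reasons.append("initial AMF trusted and no slice requirement: manner 1")
    return d


# Constructed sample policy, context and requests (not taken from the patent)
POLICY = LocalPolicy(frozenset({"amf-init-1"}), "domain-a",
                     frozenset({"slice-high-assurance"}), frozenset({"slice-high-assurance"}))
CTX = {"kamf_id": "k-1", "ngksi": 3, "nas_count_ul": 5}
RR_SUCI = {"suci": "suci-1", "requested_nssai": ["slice-embb"]}


def sample_trusted() -> Decision:
    return decide(ForwardedRequest(RR_SUCI, "amf-init-1", "domain-a", CTX, "supi-1", "nas-reroute"), POLICY)


def sample_untrusted() -> Decision:
    return decide(ForwardedRequest(RR_SUCI, "amf-init-9", "domain-b", CTX, "supi-1", "nas-reroute"), POLICY)


def sample_strict_slice_with_guti() -> Decision:
    rr = {"5g_guti": "guti-1", "requested_nssai": ["slice-high-assurance"]}
    return decide(ForwardedRequest(rr, "amf-init-1", "domain-a", CTX, "supi-1", "nas-reroute"), POLICY)


def sample_no_forwarded_context() -> Decision:
    return decide(ForwardedRequest(RR_SUCI, "amf-init-1", "domain-a"), POLICY)
```

The `reasons` list is what a defender would want logged at the target AMF: whenever forwarded material is accepted without authentication, the log should say which policy rule allowed it, so an untrusted or misconfigured initial AMF in the signaling path is visible after the fact.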
- FIG. 3 is a schematic flowchart of a terminal registering with the core network. Specifically, it includes:
- S301 The UE sends a registration request (registration request, RR) message to an initial AMF (initial AMF), where the RR message includes a subscriber concealed identifier (SUCI).
- the RR message includes SUCI and plaintext IEs.
- the plaintext IEs do not include the network slice selection assistance information requested by the UE (requested NSSAI).
- when the UE involved in the embodiment of the present application sends the RR message to the initial AMF, this means that the UE sends the RR message to the (R)AN, and the (R)AN sends the RR message to the initial AMF; because in this step the (R)AN plays the role of transparent transmission, for brevity of description it may be directly described as the UE sending the RR message to the initial AMF in the embodiments of the present application and/or in the drawings.
- S302 The initial AMF initiates a primary authentication process.
- the initial AMF initiates the primary authentication process to perform authentication and key negotiation, and obtains the NAS security context of the UE and the user permanent identifier (SUPI) of the UE.
- the initial AMF sends a non-access stratum security mode command (NAS SMC) message to the UE; the NAS SMC message can be used to establish a NAS security context between the UE and the initial AMF, and the NAS SMC message is integrity protected.
- the NAS SMC message may include indication information for instructing the UE to send a complete initial NAS message.
- if the UE receives, in the NAS SMC message, the indication information instructing it to send the complete initial NAS message, the UE carries the complete initial NAS message (that is, the RR message) in the non-access stratum security mode complete (NAS SMP) message, and the complete RR message includes the requested NSSAI.
- NAS security context is established between the UE and the initial AMF.
- S305 The initial AMF determines to perform NAS redirection (or called NAS reroute).
- NAS redirection may also be referred to as AMF redirection; NAS redirection and NAS reroute represent the same process.
- the initial AMF calls the service operation #1 provided by the NSSF (for example, called the Nnssf_NSSelection_Get service operation).
- the NSSF returns a response to service operation #1 (for example, called Nnssf_NSSelection_Get Response), and the response carries the AMF set or AMF address list that can serve the requested NSSAI.
- the initial AMF calls the service operation #2 of the NRF (for example, the service operation called Nnrf_NFDiscovery_Request), and the Nnrf_NFDiscovery_Request service operation is used to obtain the address of the target AMF.
- the NRF sends the response of the service operation #2, which includes the address of the target AMF.
- calling a certain service operation provided by a certain network function can also be understood as requesting the certain service operation provided by the network function.
- Receiving the invocation of the certain service operation can also be understood as receiving the request of the certain service operation.
- Figure 4 shows a method for establishing a NAS security connection between a target AMF and a terminal. Specifically, it includes:
- the initial AMF invokes the service operation #3 provided by the target AMF (such as the Namf_Communication_N1MessageNotify service operation), and the service operation #3 carries the above-mentioned RR message, the above-mentioned NAS security context, and the above-mentioned SUPI.
- the target AMF responds to the RR message.
- Figure 5 shows another method for establishing a NAS security connection between the target AMF and the terminal. Specifically, it includes:
- the initial AMF sends a redirect NAS message (reroute NAS message) to the (R)AN.
- the redirect NAS message includes the above-mentioned RR message.
- the redirected NAS message further includes indication information #1.
- the redirected NAS message includes the AMF set or the AMF address list obtained by the initial AMF from the NSSF in S305, and the AMF set or the AMF address list may be understood as the indication information #1.
- the initial AMF sends SUCI, NAS security context, and SUPI to the NF.
- the SUCI, the NAS security context, and the SUPI are carried in the same message.
- the NAS security context and the SUPI are respectively carried in different messages.
- in that case, the NAS security context and the SUPI each need to be carried in the same message as the SUCI.
- the NF determines that the above-mentioned terminal identity, NAS security context, and SUPI are associated with each other.
- a service on UDM can be defined.
- the service name is UDM UE context update service
- the input includes: SUCI, NAS security context, SUPI, and target AMF routing information.
- Output None.
- the above target AMF routing information is used to address the target AMF.
- the target AMF routing information can be obtained from the initial AMF.
- the timing relationship between S501 and S502 is not limited.
- the indication information #1 may be received from the initial AMF in S501, or may be generated by the (R)AN.
- S504 The NF sends SUCI, NAS security context, and SUPI to the target AMF.
- the timing relationship between S503 and S504 is not limited.
- S505 The target AMF responds to the RR message.
- the service name is UDM_AMF UE context update service
- the input includes: SUCI, NAS security context, SUPI, target AMF routing information.
- Output None. It can be understood that the service is aimed at UDM and AMF, and the service exemplarily provided in S502 is aimed at UDM and UE.
- Figure 6 shows yet another method for establishing a NAS security connection between the target AMF and the terminal. Specifically, it includes:
- the initial AMF sends a redirect NAS message (reroute NAS message) to the (R)AN.
- the initial AMF sends SUCI, NAS security context, and SUPI to the NF.
- the timing relationship between S601 and S602 is not limited.
- the (R)AN sends the above-mentioned RR message and indication information #1 to the target AMF.
- the request #1 is used to request the NF to obtain the above-mentioned NAS security context and user permanent identity.
- the request #1 includes SUCI.
- the target AMF extracts SUCI from the above registration request message.
- S605 The NF sends the NAS security context and SUPI to the target AMF.
- the NF can query the NAS security context and SUPI corresponding to the SUCI according to the SUCI carried in request #1.
- the NF sends SUCI, NAS security context, and SUPI to the target AMF.
- the NF can carry the NAS security context and SUPI in the response message to the above request #1, so that the target AMF knows that the NAS security context and SUPI correspond to the above SUCI.
- S606 The target AMF responds to the RR message.
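Figures 5 and 6, and the earlier description of the NF pushing or being queried (the lines on the NF acquiring the information and sending it to the target AMF either directly or upon an acquisition request), differ only in who initiates the last hop: the NF pushes once it knows the target AMF routing information (S504), or the target AMF pulls with request #1 carrying the SUCI (S604/S605). Because the order of S503 and S504 is not fixed, the target AMF may see the RR before the NF has anything to deliver. The following Python model is an added example, not code from the patent; the class and method names (`NetworkFunction.ue_context_update`, `TargetAmf.receive_rr`) and all sample values are constructed, and the "UE context update" service is modelled only by its input (SUCI, NAS security context, SUPI, target AMF routing information) as the page lists it.

```python
"""NF-mediated delivery of the NAS security context and SUPI, keyed by SUCI (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UeRecord:
    nas_security_context: Optional[dict] = None
    supi: Optional[str] = None

    def complete(self) -> bool:
        return self.nas_security_context is not None and self.supi is not None


class NetworkFunction:
    """UDM-like NF offering a 'UE context update' service; records are indexed by SUCI."""

    def __init__(self):
        self._records = {}        # SUCI -> UeRecord
        self._push_targets = {}   # SUCI -> target AMF to push to (Fig. 5 path)

    def ue_context_update(self, suci, nas_security_context=None, supi=None, target_amf=None):
        # Every message carries the SUCI, so a context and a SUPI delivered in separate
        # messages are still associated with the same terminal.
        rec = self._records.setdefault(suci, UeRecord())
        if nas_security_context is not None:
            rec.nas_security_context = nas_security_context
        if supi is not None:
            rec.supi = supi
        if target_amf is not None:
            self._push_targets[suci] = target_amf
        # Push (S504) only once the record is complete and routing information is known
        if rec.complete() and suci in self._push_targets:
            self._push_targets.pop(suci).receive_from_nf(suci, rec.nas_security_context, rec.supi)

    def get_context(self, suci) -> Optional[UeRecord]:
        """Answer request #1 (Fig. 6 pull) only with a complete record."""
        rec = self._records.get(suci)
        return rec if rec is not None and rec.complete() else None


class TargetAmf:
    def __init__(self, nf: NetworkFunction):
        self.nf = nf
        self.contexts = {}    # SUCI -> UeRecord received from the NF
        self.pending_rr = {}  # SUCI -> RR message waiting for its context
        self.log = []

    @staticmethod
    def extract_suci(rr_message: dict) -> str:
        return rr_message["suci"]

    def receive_from_nf(self, suci, nas_security_context, supi):
        self.contexts[suci] = UeRecord(nas_security_context, supi)
        self.log.append(f"pushed:{suci}")
        if suci in self.pending_rr:                    # RR arrived first: respond now
            self._respond(self.pending_rr.pop(suci))

    def receive_rr(self, rr_message: dict, indication_1: Optional[str]) -> str:
        suci = self.extract_suci(rr_message)
        if indication_1 is None:
            self.log.append(f"no-indication:{suci}")
            return "authenticate"                      # nothing marks this as a reroute; normal procedure
        if suci not in self.contexts:
            rec = self.nf.get_context(suci)            # pull: request #1 carries the SUCI
            if rec is None:
                self.pending_rr[suci] = rr_message     # S503/S504 order is not fixed: wait for the push
                self.log.append(f"pending:{suci}")
                return "pending"
            self.contexts[suci] = rec
            self.log.append(f"pulled:{suci}")
        return self._respond(rr_message)

    def _respond(self, rr_message: dict) -> str:
        rec = self.contexts[self.extract_suci(rr_message)]
        self.log.append(f"respond:{rec.supi}")
        return "respond-with-forwarded-context"


# Constructed scenarios (sample SUCI/SUPI/context values are placeholders)
def scenario_push_then_rr():
    nf, amf = NetworkFunction(), None
    amf = TargetAmf(nf)
    nf.ue_context_update("suci-1", {"ngksi": 1}, "supi-1", target_amf=amf)   # S502 then S504
    return amf.receive_rr({"suci": "suci-1"}, "nas-reroute"), amf.log


def scenario_rr_then_push():
    nf = NetworkFunction()
    amf = TargetAmf(nf)
    first = amf.receive_rr({"suci": "suci-1"}, "nas-reroute")                # S503 arrives first
    nf.ue_context_update("suci-1", {"ngksi": 1}, target_amf=amf)             # context in one message
    nf.ue_context_update("suci-1", supi="supi-1")                            # SUPI in a second message
    return first, amf.log


def scenario_pull():
    nf = NetworkFunction()
    amf = TargetAmf(nf)
    nf.ue_context_update("suci-1", {"ngksi": 1}, "supi-1")                   # S602: NF only stores
    return amf.receive_rr({"suci": "suci-1"}, "nas-reroute"), amf.log
```

The two checks worth keeping in a real implementation are the ones the model makes explicit: the NF only releases a record once both the context and the SUPI have arrived under the same SUCI, and the target AMF only consults the NF at all when indication information #1 is present.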
- the RR message in S310 may include a 5G-GUTI, plaintext IEs and a NAS container.
- the requested NSSAI may be included in the NAS container.
- the UE performs integrity protection on the RR message based on the existing NAS security context.
- between S301 and S302, the method further includes:
- the initial AMF invokes the first service operation provided by the original AMF (old AMF) (for example, the Namf_Communication_UEContextTransfer service operation); the Namf_Communication_UEContextTransfer service operation can be used to request the context of the UE.
- the Namf_Communication_UEContextTransfer request includes the RR message received by the initial AMF.
- the original AMF responds to the service operation and verifies the integrity of the RR message included in the received service operation request.
- if the original AMF successfully verifies the integrity of the RR message, it sends a Namf_Communication_UEContextTransfer Response (that is, the response to the first service operation) to the initial AMF, which carries the UE context, and the UE context includes the UE's security context.
- the security context of the UE includes any one or more of the following:
- the AMF key (KAMF);
- the key set identifier (ngKSI);
- the security algorithms, that is, an integrity protection algorithm and an encryption algorithm, selected by the original AMF for use with the UE;
- the UE security capabilities, that is, the set of identifiers of the encryption algorithms and integrity protection algorithms implemented on the UE;
- a horizontal KAMF derivation indication (KeyAMFHDerivationInd), which can be transmitted as information outside the security context; the KeyAMFHDerivationInd indication is used to indicate that the KAMF was generated through horizontal KAMF derivation.
- the initial AMF may determine whether to perform horizontal KAMF derivation according to a local policy. If the initial AMF performs horizontal KAMF derivation according to the local policy, the new KAMF is different from the KAMF received from the original AMF. Similarly, the initial AMF may update other parameters in the above security context according to local policies.
- SUCI can be replaced with 5G-GUTI.
- the security context obtained from the initial AMF refers to the security context after the initial AMF is updated.
- the target AMF can respond to the received information, that is, respond to the first request, according to the content introduced in S220 above. For example, whether or not the target AMF receives the horizontal KAMF derivation indication, the target AMF uses the security context received from the initial AMF instead of requesting and obtaining the security context from the original AMF.
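The point of the last few lines, and of the earlier remark that a context fetched from the original AMF may be the pre-update one, is a key-freshness problem: if the initial AMF performed horizontal KAMF derivation, the original AMF still holds the old KAMF, and a target AMF that fetched its context there would fail to verify anything the UE now sends. The following Python model is an added example, not code from the patent or a 3GPP implementation. It uses a generic HMAC-SHA-256 KDF of the form FC || P0 || L0 || P1 || L1 and an assumed FC value for the horizontal derivation, and it models NAS integrity as an HMAC over COUNT || message truncated to 32 bits rather than the real NIA algorithms over a derived K_NASint; all key material and counters are constructed.

```python
"""Stale-versus-fresh KAMF at the target AMF after horizontal derivation (added example)."""
import hashlib
import hmac

FC_HORIZONTAL_KAMF = 0x72   # assumed FC value for this model


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic HMAC-SHA-256 KDF: S = FC || P0 || L0 || P1 || L1 ... (L = 2-byte big-endian length)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def horizontal_kamf_derivation(kamf: bytes, uplink_nas_count: int) -> bytes:
    """New KAMF from the old one, bound to the uplink NAS COUNT (direction byte 0x01 = uplink)."""
    return kdf(kamf, FC_HORIZONTAL_KAMF, b"\x01", uplink_nas_count.to_bytes(4, "big"))


def nas_mac(kamf: bytes, nas_count: int, message: bytes) -> bytes:
    """Simplified NAS integrity tag: HMAC over COUNT || message, truncated to 32 bits."""
    return hmac.new(kamf, nas_count.to_bytes(4, "big") + message, hashlib.sha256).digest()[:4]


def verify(ctx: dict, nas_count: int, message: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(nas_mac(ctx["kamf"], nas_count, message), mac)


def run_scenario(initial_amf_derives: bool) -> dict:
    # Original AMF holds the context it established earlier with the UE (constructed values)
    old_amf_ctx = {"kamf": hashlib.sha256(b"constructed-kamf-0").digest(), "ngksi": 1, "ul_count": 7}
    ue_ctx = dict(old_amf_ctx)
    # Initial AMF fetches that context from the original AMF (Namf_Communication_UEContextTransfer)
    initial_amf_ctx = dict(old_amf_ctx)
    if initial_amf_derives:
        # Local policy says: horizontal KAMF derivation. The NAS SMC carries the derivation
        # indication, so the UE derives the same new KAMF; the original AMF never learns it.
        initial_amf_ctx["kamf"] = horizontal_kamf_derivation(old_amf_ctx["kamf"], old_amf_ctx["ul_count"])
        initial_amf_ctx["horizontal_derivation_ind"] = True
        ue_ctx["kamf"] = horizontal_kamf_derivation(ue_ctx["kamf"], ue_ctx["ul_count"])
    # After reroute the UE sends an integrity-protected message that reaches the target AMF
    ue_ctx["ul_count"] += 1
    msg = b"registration-request"
    mac = nas_mac(ue_ctx["kamf"], ue_ctx["ul_count"], msg)
    return {
        "verified_with_old_amf_context": verify(old_amf_ctx, ue_ctx["ul_count"], msg, mac),
        "verified_with_initial_amf_context": verify(initial_amf_ctx, ue_ctx["ul_count"], msg, mac),
        "kamf_changed": initial_amf_ctx["kamf"] != old_amf_ctx["kamf"],
    }
```

With derivation enabled, only the context taken from the initial AMF verifies the UE's message; without derivation both contexts are identical and both verify. Either way the target AMF loses nothing by preferring the initial AMF's copy, which is the behaviour the page describes.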
- each network element or network function such as the initial AMF, the target AMF, and the original AMF, etc., in order to realize the above functions, includes corresponding hardware structures and/or software modules for executing each function.
- the present application can be implemented in hardware or a combination of hardware and computer software. Whether a function is performed by hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.
- each network element or network function may be divided into functional modules according to the foregoing method examples.
- each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
- the above-mentioned integrated modules can be implemented in the form of hardware, or can be implemented in the form of software function modules.
- FIG. 7 shows a communication apparatus 70 provided by an embodiment of the present application.
- the communication device 70 can be a mobility management network function; as an example, the communication device 70 can also be an access network device; as an example, the communication device 70 can also be an NF. That is, the communication device may be a related device involved in implementing the security protection methods shown in FIGS. 2-6 .
- the device may also be a chip system. In this embodiment of the present application, the chip system may be composed of chips, or may include chips and other discrete devices.
- the apparatus 70 includes at least one processor 720, configured to implement the functions of the relevant network elements or network functions in the methods provided in the embodiments of the present application.
- the apparatus 70 may also include a transceiver 710. In this embodiment of the present application, the transceiver may be used to communicate with other devices through a transmission medium.
- the apparatus 70 may further include at least one memory 730 for storing program instructions and/or data.
- Memory 730 is coupled to processor 720.
- the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, which may be in electrical, mechanical or other forms, and is used for information exchange between devices, units or modules.
- Processor 720 may cooperate with memory 730 .
- Processor 720 may execute program instructions stored in memory 730 . At least one of the at least one memory may be included in the processor.
- the specific connection medium between the transceiver 710, the processor 720, and the memory 730 is not limited in the embodiments of the present application.
- the memory 730, the processor 720, and the transceiver 710 are connected through a bus 740 in FIG. 7.
- the bus is represented by a thick line in FIG. 7; the connections between other components are shown only schematically and are not limited.
- the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of presentation, only one thick line is used in FIG. 7, but it does not mean that there is only one bus or one type of bus.
- the processor may include a baseband processor and a central processing unit (CPU); the baseband processor is mainly used for processing communication protocols and communication data, and the CPU is mainly used to control the entire device, execute software programs, and process the data of software programs.
- the processor may also be a network processor (network processor, NP) or a combination of CPU and NP.
- the processor may further include a hardware chip.
- the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
- the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general-purpose array logic (generic array logic, GAL) or any combination thereof.
- Memory may include volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
- the non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
- Volatile memory may be random access memory (RAM), which acts as an external cache.
- Examples of RAM include static random access memory (SRAM), dynamic random access memory (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SCRAM), and direct rambus RAM.
- Embodiments of the present application further provide a computer storage medium, wherein the computer storage medium may store a program, and when the program is executed, the program includes part or all of the steps of any of the registration methods described in the above method embodiments.
- FIG. 8 shows a communication apparatus 80 provided by an embodiment of the present application.
- the communication device 80 can be a mobility management network function; as an example, the communication device 80 can also be an access network device; as an example, the communication device 80 can also be an NF. That is, the communication device may be a related device involved in implementing the security protection method shown in FIG. 2 to FIG. 6 .
- the device may also be a chip system. In this embodiment of the present application, the chip system may be composed of chips, or may include chips and other discrete devices.
- the device 80 is obtained by dividing the communication device into functional units according to the above method embodiments. For example, each functional unit may be divided corresponding to each function, or two or more units may be integrated into one processing module.
- the above-mentioned integrated units can be implemented in the form of hardware, or can be implemented in the form of software function modules. It should be noted that the division of units in the embodiments of the present application is schematic, and is only a logical function division, and other division methods may be used in actual implementation.
- the communication device 80 may include a processing unit 801 and a transceiver unit 802 .
- the processing unit 801 is specifically used for the function of responding to the first request in S220, S402, S505, and S606.
- the transceiver unit 802 is specifically used for the functions of sending and receiving information involved in FIG. 2 to FIG. 6 .
- the functions/implementation process of the transceiver unit 802 and the processing unit 801 in FIG. 8 may be implemented by the processor 710 in the communication device 70 shown in FIG. 7 calling the computer execution instructions stored in the memory 730 .
- the function/implementation process of the processing unit 801 in FIG. 8 may be implemented by the processor 710 in the communication device 70 shown in FIG. 7 calling the computer-executed instructions stored in the memory 730, and the function of the transceiver unit 802 in FIG. 8
- the implementation process may be implemented by the transceiver 710 in the communication device 70 shown in FIG. 7 .
- the disclosed apparatus may be implemented in other manners.
- the apparatus embodiments described above are only illustrative, for example, the division of the units is only a logical function division, and there may be other division methods in actual implementation, for example, multiple units or components may be combined or Integration into another system, or some features can be ignored, or not implemented.
- the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical or other forms.
- the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
- the above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.
- the integrated unit if implemented as a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable memory.
- the technical solution of the present application can be embodied in the form of a software product in essence, or the part that contributes to the prior art, or all or part of the technical solution, and the computer software product is stored in a memory.
- a computer device which may be a personal computer, a server, or a network device, etc.
- the aforementioned memory includes: U disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), mobile hard disk, magnetic disk or optical disk and other media that can store program codes.
- "Plural” means two or more. "And/or”, which describes the association relationship of the associated objects, means that there can be three kinds of relationships, for example, A and/or B, which can mean that A exists alone, A and B exist at the same time, and B exists alone. The character “/" generally indicates that the associated objects are an "or" relationship.
Abstract
The invention relates to a security protection method, apparatus and system. The method comprises: a target AMF receiving, from an initial AMF, a first request of a terminal, a security context of the terminal and a subscription permanent identifier of the terminal (S210); and the target AMF responding to the first request (S220). Since the initial AMF acquires the terminal's security context and subscription permanent identifier by means of an authentication process, the target AMF can trust the above information coming from the initial AMF; the target AMF can respond directly to the first request using the information received from the initial AMF and does not need to initiate the authentication process to acquire the security context or the subscription permanent identifier, nor, similarly, to send a context acquisition request. This effectively reduces the signaling process after the target AMF receives the first request and effectively shortens the delay required to establish or update a connection between the terminal and the target AMF.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202110033323.0 | 2021-01-11 | |
CN202110033323 | 2021-01-11 | |
CN202210021323.3A CN114765827A (zh) | 2021-01-11 | 2022-01-10 | Security protection method, apparatus and system
CN202210021323.3 | 2022-01-10 | |
Publications (1)
Publication Number | Publication Date
---|---
WO2022148469A1 true WO2022148469A1 (fr) | 2022-07-14
Family
ID=82357980
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
PCT/CN2022/071229 WO2022148469A1 (fr) | 2021-01-11 | 2022-01-11 | Security protection method, apparatus and system
Country Status (1)
Country | Link
---|---
WO (1) | WO2022148469A1 (fr)
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101420691A (zh) * | 2008-11-24 | 2009-04-29 | Huawei Technologies Co., Ltd. | Authentication method, communication system and apparatus
CN101594608A (zh) * | 2008-05-30 | 2009-12-02 | Huawei Technologies Co., Ltd. | Method for providing a security context, mobility management network element and mobile communication system
CN110167025A (zh) * | 2018-02-13 | 2019-08-23 | Huawei Technologies Co., Ltd. | Communication method and communication apparatus
CN110446233A (zh) * | 2018-05-04 | 2019-11-12 | Huawei Technologies Co., Ltd. | Handover method, device and system
CN110881184A (zh) * | 2018-09-05 | 2020-03-13 | Huawei Technologies Co., Ltd. | Communication method and apparatus
CN111866974A (zh) * | 2019-04-29 | 2020-10-30 | Huawei Technologies Co., Ltd. | Method and apparatus for mobile registration
Family Events
- 2022-01-11: WO PCT/CN2022/071229, patent WO2022148469A1 (fr), active, Application Filing
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN115996357A (zh) * | 2023-03-23 | 2023-04-21 | Nanchang Longcheer Intelligent Technology Co., Ltd. | Virtual position processing method and virtual device
CN115996357B (zh) * | 2023-03-23 | 2023-10-31 | Nanchang Longcheer Intelligent Technology Co., Ltd. | Virtual position processing method and virtual device
Similar Documents
Publication | Title
---|---
US11228905B2 (en) | Security implementation method, related apparatus, and system
WO2021155758A1 (fr) | Key acquisition method and device
WO2022257549A1 (fr) | Network slicing method and device, and storage medium
US11533610B2 (en) | Key generation method and related apparatus
US20220217611A1 (en) | Service Configuration Method, Communication Apparatus, and Communication System
US11871223B2 (en) | Authentication method and apparatus and device
WO2021136211A1 (fr) | Method and device for determining an authorization result
WO2021047454A1 (fr) | Location information acquisition method, location service configuration method and communication device
WO2021197175A1 (fr) | Application server discovery method and related device
TWI799064B (zh) | Key identifier generation method and related apparatus
US20220210859A1 (en) | Data transmission method and apparatus
EP4185009A1 (fr) | Packet forwarding method, apparatus and system
WO2017152360A1 (fr) | Method and device for radio bearer security configuration
US20240244497A1 (en) | Communication method and apparatus
WO2022199451A1 (fr) | Session switching method and apparatus
WO2022148469A1 (fr) | Security protection method, apparatus and system
WO2021180209A1 (fr) | Paging information transmission method and communication apparatus
WO2020042026A1 (fr) | Wireless communication method and device
WO2023186028A1 (fr) | Communication method and apparatus
WO2021073382A1 (fr) | Registration apparatus and method
WO2019163810A1 (fr) | Wireless communication system, security proxy device and relay device
WO2023016160A1 (fr) | Session establishment method and related apparatus
CN114765827A (zh) | Security protection method, apparatus and system
US20230362885A1 (en) | Wireless communication method, device and storage medium
EP4274310A1 (fr) | Network interworking method and apparatus
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22736630; Country of ref document: EP; Kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: pct application non-entry in european phase | Ref document number: 22736630; Country of ref document: EP; Kind code of ref document: A1