WO2022228455A1 - Communication method and related apparatus - Google Patents

Communication method and related apparatus

Info

Publication number
WO2022228455A1
Authority
WO
WIPO (PCT)
Prior art keywords
security context
key
terminal device
authentication
access
Prior art date
Application number
PCT/CN2022/089520
Other languages
English (en)
Chinese (zh)
Inventor
李�赫
吴�荣
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2022228455A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/0433 Key management protocols

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a communication method and related apparatus.
  • AKMA authentication and key management for applications
  • UE user equipment
  • AF application function
  • UDM unified data management
  • the authentication vector acquisition request message carries the subscription permanent identifier (SUPI) or the subscription concealed identifier (SUCI) of the UE.
  • the authentication vector acquisition request message is used to trigger the primary authentication procedure between the UE and the network side (core network).
  • the AKMA anchor key Kakma is generated based on the intermediate key Kausf
  • the AKMA key temporary identity identifier (AKMA-Key Identifier, A-KID) is generated based on the intermediate key Kausf.
  • A-KID AKMA-Key Identifier
  • other keys can also be derived, for example, the key Kaf used by the application server AF.
  • the keys derived from the intermediate key Kausf as described above are referred to collectively as a security context.
  • the validity time of Kausf and the validity times of the various keys in the security context may differ.
  • the security context is derived from the intermediate key Kausf#1.
  • once Kaf#1 becomes invalid (for example, its validity time expires), the AF and the UE can no longer use Kaf#1.
  • Kausf#1 may still be within its validity time, but a Kaf re-derived from Kausf#1 is identical to Kaf#1 and therefore still cannot be used. Kausf therefore has to be updated, and a new Kaf#2 is generated from the new Kausf#2.
  • updating Kausf means the whole security context derived from it has to be updated, otherwise it cannot continue to be used. Key update is therefore comparatively complex, which affects the performance of the device.
  • an embodiment of the present application proposes a communication method, including:
  • the access and mobility management function (AMF) generates a second security context that differs from the first security context, the first security context being the security context currently used by the AMF; the AMF then determines whether to activate the second security context.
  • the first security context is a security context corresponding to the first intermediate key, and the first intermediate key is Kausf.
  • the first security context is the currently used security context.
  • the security context may also be a security context corresponding to Kamf.
  • after the AMF receives a request message from another network element, the AMF generates the second security context.
  • the other network elements include but are not limited to: the authentication server function (AUSF), the network exposure function (NEF), the AKMA anchor function (AAnF), the edge configuration server (ECS), the edge enabler server (EES), a mobile edge computing (MEC) node, or an application function (AF).
  • the AMF then determines whether to activate the second security context, that is, whether to start using it.
  • the AMF may also update the first security context, the updated security context being the second security context.
  • the security context in this embodiment of the present application includes materials used for security functions, such as keys, algorithms, and counters.
  • the security context can be divided into: native security context and 5G security context.
  • the native security context refers to the security context generated through the primary authentication procedure.
  • the 5G security context refers to the security context for the 5G system.
  • 5G security context includes but is not limited to 5G NAS security context, 5G AS security context and 5G AKMA security context.
  • the 5G NAS security context is used for security protection between UE and AMF
  • the AS security context is used for security protection between UE and base station.
  • the 5G AKMA security context includes keys (or security materials, or security keys) such as Kakma, A-KID, Kaf, etc.
  • the 5G AKMA security context is generated on the AUSF side after the primary authentication procedure and sent to the AAnF, and on the UE side before the AKMA service is initiated.
  • the AMF does not blindly activate the security context, and after generating a new security context, the AMF determines whether to activate it. This reduces the complexity of key update and improves device performance.
  • the access and mobility management function determining whether to activate the second security context includes: the access and mobility management function sends a second authentication request message containing a second key identifier to the terminal device, the second authentication request message being used to trigger a second authentication (also referred to as the second primary authentication procedure) between the terminal device and the network;
  • the access and mobility management function determines whether the second security context generated in the second authentication procedure needs to be activated; when it determines that the second security context does not need to be activated, the access and mobility management function sends a second non-access stratum security mode command (NAS SMC) message to the terminal device, the second NAS SMC message including the first key identifier;
  • the first key identifier is the key identifier of the first security context currently used by the access and mobility management function, and it does not match the second key identifier.
  • activation may also be replaced by update.
  • not activating the second security context may mean not updating to the second security context; or not using the second security context after it has been generated; or not generating the second security context at all, which is not limited here.
  • the first security context can continue to be used without activating the second security context.
  • the AMF initiates the second primary authentication procedure: the AMF requests the AUSF to authenticate the UE; the AUSF requests an authentication vector from the UDM; the UDM generates the authentication vector and, according to the selected primary authentication method, sends either the generated authentication vector or a processed authentication vector to the AUSF.
  • after the AMF obtains the authentication vector from the AUSF, the AMF sends a second authentication request message to the UE.
  • the second authentication request message includes the second key identifier and is used to trigger the second authentication (also referred to as the second primary authentication procedure) between the UE and the network.
  • the key identifier ngKSI is used as an example in the description; the key identifier may also be another identifier, which is not limited here. For the specific procedure, refer to clause 6.1.3 of 3GPP TS 33.501 V17.1.0.
  • the AMF sends the first key identifier to the UE in a second NAS SMC ("NAS Security Mode Command") message. That is, the second NAS SMC message carries the first key identifier (e.g. ngKSI#1). Specifically, the AMF places the ciphering algorithm and/or integrity protection algorithm used with the first key identifier into the second NAS SMC message as the selected security algorithms.
  • the second NAS SMC message is integrity protected with the K_NASint-1 corresponding to the first key identifier and/or ciphered with the K_NASenc-1 corresponding to the first key identifier.
  • before the access and mobility management function sends the second authentication request message containing the second key identifier to the terminal device, the method further includes:
  • the access and mobility management function sends a first authentication request message containing the first key identifier to the terminal device, the first authentication request message being used to trigger a first authentication between the terminal device and the network; after the first authentication succeeds, the access and mobility management function sends a first NAS SMC message to the terminal device to activate the first security context generated in the first authentication procedure, the first NAS SMC message including the first key identifier.
  • the AMF sends a first authentication request message to the UE, the first authentication request message including a first key identifier and being used to trigger the first authentication (also referred to as the first primary authentication procedure).
  • the first key identifier is ngKSI#1
  • the first key identifier corresponds to the first intermediate key.
  • the intermediate key is Kausf as an example for description. Then the first intermediate key is Kausf#1.
  • after the AMF receives the registration request message, the AMF initiates the primary authentication procedure: the AMF requests the AUSF to authenticate the UE; the AUSF requests an authentication vector from the UDM; the UDM generates the authentication vector and, according to the selected primary authentication method, sends either the generated authentication vector or a processed authentication vector to the AUSF.
  • after the AMF obtains the authentication vector from the AUSF, the AMF sends the first authentication request message to the UE, the first authentication request message including the first key identifier.
  • the key identifier is ngKSI as an example for description. It can be understood that the key identifier may also be other identifiers, which is not limited here.
  • the specific process please refer to the description in Section 6.1.3 of Standard TS 33.501 Version 17.1.0.
  • before the access and mobility management function sends the first authentication request message containing the first key identifier to the terminal device, the method further includes:
  • the access and mobility management function receives a registration request message from the terminal device.
  • the UE sends a registration request message to the AMF, and the registration request message is forwarded by the network device.
  • the registration request message carries the UE's Subscription Concealed Identifier (SUCI).
  • SUCI Subscription Concealed Identifier
  • the registration request message may be "Registration Request”.
  • the registration request message triggers the first authentication, that is, the initial authentication of the terminal device.
  • a first security context is generated in the first authentication, and the first security context is activated.
  • the AMF does not need to determine whether to activate the first security context.
  • the computing burden of the device is reduced, and the key complexity is reduced.
  • the access and mobility management function determines whether the second security context generated in the second authentication process needs to be activated, including:
  • when the access and mobility management function determines that the non-access stratum (NAS) key and/or the access stratum (AS) key does not need to be updated, the access and mobility management function determines not to activate the second security context;
  • when the access and mobility management function determines that the NAS key context and/or the AS key context of the terminal device needs to be updated, the access and mobility management function determines to activate the second security context. For example, when the AMF determines that the 5G NAS security context or the 5G AS security context must be updated because the NAS COUNT is about to wrap around, the AMF activates the second security context.
  • when the access and mobility management function determines that the second authentication was triggered by a first network element, the access and mobility management function does not activate the second security context; the first network element is any one of: the authentication server function (AUSF), the network exposure function (NEF), the AKMA anchor function (AAnF), the edge configuration server (ECS), the edge enabler server (EES), a mobile edge computing (MEC) node, or an application function (AF). That is, after the AMF receives a key update request message from the first network element, the AMF does not activate the second security context.
  • the access and mobility management function determines that the second authentication only needs to authenticate the terminal device, and the access and mobility management function does not activate the second security context;
  • the access and mobility management function determines that the second authentication is triggered by the terminal device, and the access and mobility management function does not activate the second security context.
  • the AMF determines not to activate the second security context according to the local policy.
  • An example scenario is as follows: when the operator has configured the following scenarios, UE authentication is triggered but the second security context is not activated: open connection); AMF data migration, that is, migration from AMF#1 to AMF#2.
  • Whether to activate the second security context is determined through various means, which improves the implementation flexibility of the solution.
  • the method further includes:
  • the access and mobility management function determines that activation of the second security context is required, the access and mobility management function sends the second key identifier to the terminal device.
  • the AMF decides to initiate the primary authentication procedure: the AMF requests the AUSF to authenticate the UE, the AUSF requests the authentication vector from the UDM, the UDM sends the authentication vector to the AUSF, and the AUSF processes it and sends it to the AMF.
  • after receiving the processed authentication vector, the AMF generates a second key identifier and sends it to the UE together with the processed authentication vector.
  • the AMF sends the second key identifier to the UE through an "Authentication Request" message.
  • the second key identifier may be ngKSI#2.
  • the method further includes:
  • when the access and mobility management function determines that the second security context needs to be activated, the access and mobility management function sends first indication information to the terminal device, the first indication information being associated with a second network element and instructing the terminal device to update the communication key between the terminal device and the second network element;
  • the second network element is any one of: the authentication server function (AUSF), the network exposure function (NEF), the AKMA anchor function (AAnF), the edge configuration server (ECS), the edge enabler server (EES), a mobile edge computing (MEC) node, or an application function (AF).
  • the first indication information comes from the AAnF.
  • the AAnF sends a second key request message to the AUSF, where the second key request message carries the first indication information.
  • the AUSF sends the first indication information to the AMF.
  • the AMF sends the first indication information to the UE.
  • the first indication information is associated with the second network element, and the first indication information instructs the terminal device to update the communication key between the terminal device and the second network element.
  • the second network element includes, but is not limited to, any one of: NEF, AAnF, ECS, EES or AF.
  • the first indication information may be identification information (AF_ID) of the AF.
  • the method further includes:
  • when the access and mobility management function determines that the second security context needs to be activated, the access and mobility management function activates the NAS key derived from the second intermediate key, the second security context corresponding to the second intermediate key, but does not activate the AS key derived from the second intermediate key.
  • the AMF decides separately whether to update the AS key. If the primary authentication was triggered because the NAS key needs to be updated (for example, the NAS COUNT is about to wrap around), the AMF may decide not to update the AS key in order to spare the UE the extra work. When the AMF then activates the second security context, it does not activate the AS key corresponding to the second key identifier: the activated second security context contains no AS key, and the AMF activates only the NAS key corresponding to the second key identifier. For example, the AMF does not activate the AS key corresponding to ngKSI#2, where the AS key includes but is not limited to K_gNB.
  • concretely, either the AMF does not generate the K_gNB corresponding to ngKSI#2 (no new K_gNB#2 is generated, and the old K_gNB#1 corresponding to ngKSI#1 stays in use), or the AMF generates K_gNB#2 but does not send it to the network device (e.g. the base station).
  • before the access and mobility management function sends the second authentication request message containing the second key identifier to the terminal device, the method further includes:
  • the access and mobility management function receives a third authentication request message sent by a first network element, the third authentication request message carrying the permanent identity information of the terminal device and being used to trigger the second authentication between the terminal device and the network;
  • the first network element is any one of: the authentication server function (AUSF), the network exposure function (NEF), the AKMA anchor function (AAnF), the edge configuration server (ECS), the edge enabler server (EES), a mobile edge computing (MEC) node, or an application function (AF).
  • the third authentication request message instructs the AMF to determine whether to activate the second security context; specifically, the third authentication request message requests the AMF to trigger the primary authentication procedure.
  • the third authentication request message carries the permanent identity information of the UE.
  • the third authentication request message carries indication information, where the indication information is used to indicate a reason value that needs to trigger the main authentication process.
  • the AMF may determine, from the third authentication request message or from the indication information it carries, that the purpose of the primary authentication procedure is to update the AKMA-related keys, in which case the AMF determines not to activate the second security context.
  • the third authentication request message may be an "initial primary authentication Request".
  • the AMF determines from the indication information whether the second security context needs to be activated. If the AMF determines that the NAS COUNT is about to wrap around, so that the wrap-around itself requires activating the second security context, the AMF determines to activate the second security context.
  • the first network element is the AAnF.
  • the AAnF may send the third authentication request message directly to the AMF; the message carries the permanent identity information of the UE and optionally the AF ID. Before sending it, the AAnF needs to determine which AMF can serve the UE, which it obtains from the UDM according to the UE's permanent identity information.
  • the access and mobility management function sends the second NAS SMC message to the terminal device, including:
  • the access and mobility management function selects a security algorithm for integrity protection and confidentiality protection of the second NAS SMC message it sends to the terminal device; if the security algorithm selected by the access and mobility management function is the same as the security algorithm corresponding to the first security context, the access and mobility management function determines not to activate the second security context and sends the terminal device the second NAS SMC message, the second NAS SMC message including the first key identifier. In other words, the AMF decides whether to activate the second security context according to whether the selected security algorithm (the one protecting the second NAS SMC message) is the same as the security algorithm corresponding to the first security context currently in use.
  • the AMF sends a second NAS SMC message to the UE, where the second NAS SMC message includes the first key identifier.
  • the NAS key identified by the first key identifier is the key currently being used by the AMF and the UE. Through the first key identifier, the UE is notified to not activate the second security context.
  • the method further includes:
  • the access and mobility management function sends a second non-access stratum security mode command (NAS SMC) message to the terminal device; the second NAS SMC message includes second indication information, which instructs the terminal device to generate Kamf#2 and to activate the second security context corresponding to Kamf#2, Kamf#2 being the updated Kamf.
  • the AMF determines that the second security context does not need to be activated.
  • the second NAS SMC message includes second indication information (a Kamf change indicator), which indicates that the UE needs to generate a new Kamf, called Kamf#2 (the Kamf originally used by the UE being called Kamf#1).
  • the AMF carries the first key identifier in the second NAS SMC message.
  • the primary authentication process does not occur, but the AMF generates Kamf#2 and the second key identifier, and the AMF determines that the second security context does not need to be activated.
  • the AMF sends the second indication information to the UE, and the second indication information informs the UE that a new Kamf needs to be generated, which is called Kamf#2. If the AMF obtains the second key identifier, the second NAS SMC message carries the first key identifier and the second indication information.
  • the second NAS SMC message further includes third indication information, which instructs the terminal device to continue using the NAS security context in the first security context and the AS security context in the first security context.
  • the second NAS SMC message may also carry a third indication information.
  • the third indication information is used to inform the UE that the currently used NAS security context and AS security context do not need to be updated.
  • the currently used NAS security context may also be referred to as the NAS security context in the first security context
  • the currently used AS security context may also be referred to as the AS security context in the first security context.
  • the NAS security context may be a 5G NAS security context
  • the AS security context may be a 5G AS security context.
  • the specific form of the third indication information is not limited in this embodiment. It may be a bit indication, an enumerated value, or it may be indicated by presence or absence. For example, if the third indication information appears in the second NAS SMC message, the UE does not update the currently used 5G NAS security context and 5G AS security context; if it does not appear in the second NAS SMC message, the UE needs to update the currently used 5G NAS security context and 5G AS security context.
  • the AMF determines that the second security context does not need to be activated.
  • the second NAS SMC message includes second indication information (a Kamf change indicator), which indicates that the UE needs to generate a new Kamf, called Kamf#2 (the Kamf originally used by the UE being called Kamf#1).
  • the AMF carries the first key identifier in the second NAS SMC message, and optionally the second NAS SMC message also carries third indication information.
  • no primary authentication procedure takes place, but the AMF generates Kamf#2 and the second key identifier, and the AMF determines that the second security context does not need to be activated.
  • the AMF sends the second indication information to the UE, informing the UE that a new Kamf, called Kamf#2, needs to be generated. If the AMF has obtained the second key identifier, the second NAS SMC message carries either the first key identifier and the second indication information, or the second key identifier together with the second indication information and the third indication information.
  • the second security context includes one or more of the following: Kseaf#2, Kamf#2, Kaf#2, Kakma#2, K_NASint#2, K_NASenc#2, K_gNB#2, K_RRCint#2, K_RRCenc#2, or K_N3IWF#2.
  • an embodiment of the present application proposes a communication method, including:
  • the terminal device receives a second non-access stratum security mode command (NAS SMC) message from the access and mobility management function (AMF), the second NAS SMC message carrying a key identifier from the AMF; when that key identifier is the same as the first key identifier of the first security context being used by the terminal device, the terminal device determines not to activate the second security context, which differs from the first security context.
  • the UE does not blindly activate the security context, and after generating a new security context, the UE determines whether to activate it. This reduces the complexity of key update and improves device performance.
  • the terminal device determining not to activate the second security context includes: the terminal device determining not to activate the NAS security context in the second security context and/or the AS security context in the second security context.
  • the UE may not activate part of the NAS security context in the second security context and/or the AS security context in the second security context to improve the implementation flexibility of the solution.
  • the method further includes: the terminal device verifies whether the security algorithm corresponding to the key identifier from the AMF is the same as the security algorithm corresponding to the first security context, the security algorithm corresponding to the key identifier from the AMF being the security algorithm selected by the access and mobility management function; when the two are the same, the terminal device determines not to update the first security context.
  • after the UE receives the second NAS SMC message, if the message is ciphered, the UE deciphers it using the key currently in use at the UE.
  • after the UE receives the second NAS SMC message, the UE verifies the integrity protection of the message using the key currently in use at the UE, and verifies whether the security algorithms carried in the second NAS SMC message are the same as those the UE carried in the registration request message, the security algorithms being the UE's integrity protection algorithm and ciphering algorithm. Once all verifications pass, the UE determines the key to be used subsequently according to the first key identifier.
  • the different schemes are described below:
  • the terminal device, when the key identifier from the AMF is the same as the UE's key identifier and the security algorithm corresponding to that key identifier is the same as the security algorithm corresponding to the first intermediate key, continues to use the first security context and performs no further processing, where the first security context corresponds to the first intermediate key;
  • the terminal device, when the key identifier from the AMF identifies the second intermediate key, uses the second intermediate key to generate the second security context and activates it;
  • the terminal device, when the key identifier from the AMF is the same as the UE's key identifier but the security algorithm corresponding to that key identifier differs from the security algorithm corresponding to the first intermediate key, generates a third security context from the first intermediate key and activates the third security context.
  • the UE, when the key identifier from the AMF is the first key identifier, needs to use the key corresponding to the first key identifier, that is, the first security context and the first intermediate key.
  • the UE can continue to use the original intermediate key (the first intermediate key) and the first security context.
  • the UE may reactivate the first intermediate key and the first security context, which is not limited here.
  • the UE can compare whether the key identifier from the AMF in the second NAS SMC message is the same as the key identifier of the intermediate key it is currently using, and must also check whether the security algorithm corresponding to that key identifier in the second NAS SMC message is the same as the algorithm it is currently using. If both are the same and the integrity protection of the NAS SMC verifies, the UE continues to use the current 5G NAS security context without any further operation: the current key and security algorithm stay in place, and the NAS COUNT is not reset to 0 either.
  • the UE can compare whether the key identifier from the AMF in the second NAS SMC message is the same as the key identifier of the intermediate key it is currently using, and must also check whether the security algorithm corresponding to that key identifier is the same as the algorithm it is currently using. If only the latter differs (same key identifier, different security algorithm), the UE uses Kamf#1, which corresponds to the Kausf#1 identified by ngKSI#1, together with the new security algorithm carried in the second NAS SMC message to generate the third security context.
  • the third security context may be a new 5G NAS security context corresponding to the first intermediate key: a new K_NASint and a new K_NASenc are generated and the NAS COUNT is reset to 0.
  • the UE verifies the integrity protection of the second NAS SMC message with the newly generated K_NASint. Because the second NAS SMC message carries ngKSI#1, only the first intermediate key corresponding to ngKSI#1 can be used to derive the subkeys, so only the NAS keys need to be regenerated.
  • the UE activates the key identified by the first key identifier, which may include at least one of the following steps: generating Kseaf#1 from the Kausf#1 identified by key identifier #1; generating Kamf#1 from Kseaf#1; generating K_NASint#1 and K_NASenc#1 from Kamf#1 and the selected security algorithm carried in the second NAS SMC message; and putting K_NASint#1 and K_NASenc#1 into use with the selected encryption and integrity protection algorithms, while the NAS COUNT remains unchanged.
  • the UE only compares whether the key identifier from the AMF carried in the second NAS SMC message is the same as the key identifier of the key currently in use. If the integrity check of the SMC message succeeds, no operation is performed and the current 5G NAS security context continues to be used.
  • the UE further checks whether the third indication information is received. If the UE receives the third indication information, the UE only generates a new Kamf (generates Kamf#2), and does not update the 5G NAS and/or 5G AS security context.
  • the terminal device will continue to use the first security context; that is, only Kamf#2 needs to be generated and no other processing is performed. In other words, the terminal device keeps using the 5G NAS security context and 5G AS security context generated from Kausf#1.
  • the terminal device only needs to generate Kamf#2, and no other processing is required.
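The UE-side decision procedure described above (compare ngKSI, compare the selected algorithms, then either keep the current context, re-derive only the NAS keys from Kamf#1, activate the second context, or derive Kamf#2 alone when the third indication is present) is modelled below as an added example. This is not code from the patent or from any 3GPP implementation. The KDF is a toy HMAC-SHA-256 stand-in with ASCII labels (the real KDF in TS 33.220 uses FC codes and a different parameter encoding), the NAS-MAC is a truncated HMAC over the SMC fields, and the serving-network name and SUPI are constructed values; all of these are assumptions. The AMF side is reduced to building the SMC under the NAS key it expects the UE to end up with, which is what makes the UE's MAC check meaningful for each of the four outcomes.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """Toy stand-in for the 3GPP KDF: HMAC-SHA-256 over a label and length-prefixed
    parameters. The real KDF (TS 33.220 Annex B) uses FC codes and a different
    parameter encoding; the labels used here are an assumption, not the spec."""
    h = hmac.new(key, label.encode(), hashlib.sha256)
    for p in params:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def derive_nas_keys(kamf: bytes, int_alg: int, enc_alg: int):
    """K_NASint / K_NASenc depend on Kamf AND on the selected algorithm IDs, so a
    changed algorithm with an unchanged Kamf still yields new NAS keys."""
    return kdf(kamf, "NAS-int", bytes([int_alg])), kdf(kamf, "NAS-enc", bytes([enc_alg]))


@dataclass(frozen=True)
class SecurityContext:
    ngksi: int          # key set identifier naming the Kausf/Kamf pair
    kausf: bytes
    kamf: bytes
    int_alg: int        # selected NAS integrity algorithm ID (0..3 like 5G-IA0..IA3)
    enc_alg: int        # selected NAS ciphering algorithm ID (0..3 like 5G-EA0..EA3)
    k_nas_int: bytes
    k_nas_enc: bytes
    nas_count: int      # NAS COUNT currently in use


def context_from_kausf(ngksi: int, kausf: bytes, int_alg: int, enc_alg: int,
                       snn: bytes = b"5G:mnc000.mcc000.3gppnetwork.org") -> SecurityContext:
    """Kausf -> Kseaf -> Kamf -> NAS keys, NAS COUNT reset to 0 (constructed SNN/SUPI)."""
    kseaf = kdf(kausf, "Kseaf", snn)
    kamf = kdf(kseaf, "Kamf", b"imsi-001010123456789")   # constructed SUPI
    k_int, k_enc = derive_nas_keys(kamf, int_alg, enc_alg)
    return SecurityContext(ngksi, kausf, kamf, int_alg, enc_alg, k_int, k_enc, nas_count=0)


@dataclass(frozen=True)
class NasSmc:
    ngksi: int
    int_alg: int
    enc_alg: int
    replayed_ue_caps: tuple   # (int_alg, enc_alg) the UE sent in its Registration Request
    third_indication: bool    # "derive Kamf#2 but keep the current NAS/AS context"
    mac: bytes = b""

    def payload(self) -> bytes:
        return bytes([self.ngksi, self.int_alg, self.enc_alg,
                      *self.replayed_ue_caps, int(self.third_indication)])


def nas_mac(k_nas_int: bytes, smc: NasSmc) -> bytes:
    return hmac.new(k_nas_int, smc.payload(), hashlib.sha256).digest()[:4]


def amf_build_smc(k_nas_int: bytes, ngksi: int, int_alg: int, enc_alg: int,
                  ue_caps: tuple, third_indication: bool = False) -> NasSmc:
    """AMF side: the ngKSI written into the SMC is the activation decision, and the
    SMC is integrity-protected with the NAS key the UE is expected to end up using."""
    smc = NasSmc(ngksi, int_alg, enc_alg, ue_caps, third_indication)
    return replace(smc, mac=nas_mac(k_nas_int, smc))


def ue_handle_smc(current: SecurityContext, smc: NasSmc, ue_caps: tuple,
                  kausf_by_ngksi: dict):
    """UE side. Returns (action, context to use from now on) or raises on failure."""
    if smc.replayed_ue_caps != ue_caps:
        raise ValueError("replayed UE security capabilities differ: bidding-down attempt")
    if smc.ngksi == current.ngksi:
        if (smc.int_alg, smc.enc_alg) == (current.int_alg, current.enc_alg):
            action, candidate = "keep", current            # nothing changes, COUNT kept
        else:                                              # "third security context"
            k_int, k_enc = derive_nas_keys(current.kamf, smc.int_alg, smc.enc_alg)
            candidate = replace(current, int_alg=smc.int_alg, enc_alg=smc.enc_alg,
                                k_nas_int=k_int, k_nas_enc=k_enc, nas_count=0)
            action = "rekey-nas"
    else:
        fresh = context_from_kausf(smc.ngksi, kausf_by_ngksi[smc.ngksi],
                                   smc.int_alg, smc.enc_alg)
        if smc.third_indication:   # Kamf#2 is derived, NAS keys and COUNT are untouched
            candidate = replace(current, ngksi=fresh.ngksi, kausf=fresh.kausf, kamf=fresh.kamf)
            action = "kamf-only"
        else:                                              # "second security context"
            candidate, action = fresh, "activate-new"
    # The MAC must verify under the NAS key of the context the SMC names: a message
    # naming ngKSI#2 but protected with the old key is rejected here.
    if not hmac.compare_digest(nas_mac(candidate.k_nas_int, smc), smc.mac):
        raise ValueError("NAS-MAC check failed under the context named by the SMC")
    return action, candidate
```

The bidding-down check comes first on purpose: the replayed UE capabilities are compared before any key is touched, so a forged SMC cannot push the UE into deriving keys for a weaker algorithm. The "keep" path is the one the text highlights: no re-derivation, and the NAS COUNT is not reset, which is only safe because the key and algorithm are provably unchanged.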
  • the AMF, when the access and mobility management function determines that the second security context needs to be activated, sends NAS SMC#2 to the UE, and NAS SMC#2 also includes first indication information.
  • the first indication information is associated with the second network element, and the first indication information instructs the terminal device to update the communication key between the terminal device and the second network element;
  • the second network element includes any of the following: network exposure function NEF, authentication and key management anchor function AAnF, edge configuration server ECS, edge enabler server EES, mobile edge computing MEC or application function AF.
  • the first indication information comes from the AAnF.
  • the AAnF sends a second key request message to the AUSF, where the second key request message carries the first indication information.
  • the AUSF sends the first indication information to the AMF.
  • the AMF sends the first indication information to the UE.
  • the first indication information is associated with the second network element, and the first indication information instructs the terminal device to update the communication key between the terminal device and the second network element.
  • the second network element includes, but is not limited to, any of the following: NEF, AAnF, ECS, EES or AF.
  • the first indication information may be identification information (AF_ID) of the AF.
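The first indication above tells the UE to refresh only its application-layer key with one second network element (identified, for example, by AF_ID) after a second authentication, without touching the NAS or AS context. The following added example models that refresh on the UE side; it is not the patent's code nor a 3GPP reference implementation. The KDF labels, the A-KID realm, the SUPI and the AF_ID encoding (FQDN followed by a Ua* protocol identifier) are constructed assumptions; the structure Kausf -> Kakma (with A-KID) -> Kaf per AF follows the AKMA key hierarchy the page describes for FIG. 4.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """Toy stand-in for the 3GPP KDF (the real one uses FC codes; labels are assumed)."""
    h = hmac.new(key, label.encode(), hashlib.sha256)
    for p in params:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def derive_kakma(kausf: bytes, supi: bytes):
    """Kakma and its identifier A-KID both hang off Kausf: a new Kausf (second
    authentication) therefore produces both a new Kakma and a new A-KID."""
    kakma = kdf(kausf, "AKMA", supi)
    a_tid = kdf(kausf, "A-TID", supi)[:16].hex()
    a_kid = f"{a_tid}@akma.example.invalid"   # realm is a constructed placeholder
    return kakma, a_kid


def af_id(fqdn: str, ua_star_protocol_id: bytes) -> bytes:
    """AF_ID = FQDN || Ua* protocol identifier (byte layout assumed for this example)."""
    return fqdn.encode() + ua_star_protocol_id


def derive_kaf(kakma: bytes, af_identifier: bytes) -> bytes:
    return kdf(kakma, "Kaf", af_identifier)


@dataclass
class UeAkmaState:
    kausf_by_ngksi: dict                            # ngKSI -> Kausf known to the UE
    kaf_by_af: dict = field(default_factory=dict)   # AF_ID -> (ngKSI, A-KID, Kaf)

    def bootstrap_af(self, ngksi: int, supi: bytes, af_identifier: bytes):
        """Derive Kakma from the Kausf named by ngKSI, then this AF's Kaf from it."""
        kakma, a_kid = derive_kakma(self.kausf_by_ngksi[ngksi], supi)
        kaf = derive_kaf(kakma, af_identifier)
        self.kaf_by_af[af_identifier] = (ngksi, a_kid, kaf)
        return a_kid, kaf

    def apply_first_indication(self, new_ngksi: int, supi: bytes, indicated_af_id: bytes):
        """First indication carrying AF_ID: re-derive that AF's Kaf from the Kausf
        produced by the second authentication. Every other AF, and the NAS/AS
        context, is left exactly as it was; that decoupling is the point."""
        if indicated_af_id not in self.kaf_by_af:
            raise KeyError("first indication names an AF with no existing Kaf")
        if new_ngksi not in self.kausf_by_ngksi:
            raise KeyError("no Kausf for the key set the indication refers to")
        return self.bootstrap_af(new_ngksi, supi, indicated_af_id)
```

Keying the table by AF_ID rather than by A-KID matters here: after the refresh the indicated AF sees a new A-KID and new Kaf while an un-indicated AF keeps presenting the old A-KID, so the UE must be able to hold keys from two Kausf generations side by side until each AF is told to refresh.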
  • an embodiment of the present application provides a communication device, including:
  • a processing module configured to generate a second security context, where the second security context is inconsistent with the first security context, and the first security context is the security context currently used by the access and mobility management function;
  • the processing module is further configured to determine whether to activate the second security context.
  • a transceiver module configured to send a second authentication request message containing a second key identifier to the terminal device, where the second authentication request message is used to trigger a second authentication between the terminal device and the network;
  • the processing module is further configured to determine, after the second authentication succeeds, whether the second security context generated in the second authentication process needs to be activated;
  • the transceiver module is further configured to send a second non-access stratum security mode command NAS SMC message to the terminal device when the second security context is not activated, where the second NAS SMC message includes the first key identifier, the first key identifier being the key identifier of the first security context currently used by the access and mobility management function.
  • the transceiver module is further configured to send a first authentication request message containing the first key identifier to the terminal device, where the first authentication request message is used to trigger the first authentication between the terminal device and the network;
  • the transceiver module is further configured to, after the first authentication succeeds, send a first NAS SMC message to the terminal device to activate the first security context generated in the first authentication process, where the first NAS SMC message includes the first key identifier.
  • the transceiver module is further configured to receive a registration request message from the terminal device.
  • the processing module is further configured to determine not to activate the second security context when it is determined that neither the non-access stratum NAS key nor the access stratum AS key needs to be updated;
  • the processing module is further configured to determine to activate the second security context when it is determined that the non-access stratum NAS counter rolls over;
  • the processing module is further configured to determine to activate the second security context when it is determined that the non-access stratum NAS key context and/or the access stratum AS key context of the terminal device is to be updated;
  • the processing module is further configured not to activate the second security context when it is determined that the second authentication is triggered by a first network element, where the first network element includes any one of the following: authentication server function AUSF, network exposure function NEF, authentication and key management anchor function AAnF, edge configuration server ECS, edge enabler server EES, mobile edge computing MEC or application function AF;
  • the processing module is further configured to not activate the second security context when it is determined that the second authentication only needs to authenticate the terminal device;
  • the processing module is further configured to not activate the second security context when it is determined that the second authentication is triggered by the terminal device.
  • the transceiver module is further configured to send the second key identifier to the terminal device after it is determined that the second security context is activated.
  • the transceiver module is further configured to, after determining to activate the second security context, send first indication information to the terminal device, where the first indication information is associated with the second network element, and the first indication information indicates The terminal device updates the communication key between the terminal device and the second network element;
  • the second network element includes any one of the following: an authentication server function AUSF, a network exposure function NEF, an authentication and key management anchor function AAnF, an edge configuration server ECS, an edge enabler server EES, a mobile edge computing MEC or an application function AF.
  • the transceiver module is further configured to activate, by the access and mobility management function, the non-access stratum NAS key of the second intermediate key after determining to activate the second security context, the second security context corresponding to the second intermediate key;
  • the access and mobility management function does not activate the access stratum AS key of the second intermediate key.
  • the transceiver module is further configured to receive a third authentication request message sent by the first network element, where the third authentication request message carries the permanent identification information of the terminal device and is used to trigger the second authentication between the terminal device and the network;
  • the first network element includes any one of the following: AUSF, NEF, AAnF, ECS, EES or AF.
  • the processing module is further configured to select a security algorithm to perform integrity protection and confidentiality protection on the second NAS SMC message sent by the access and mobility management function to the terminal device;
  • the processing module is further configured to determine that the second security context is not activated when the security algorithm selected by the access and mobility management function is the same as the security algorithm corresponding to the first security context;
  • the transceiver module is further configured to send the second NAS SMC message to the terminal device, where the second NAS SMC message includes the first key identifier.
  • the transceiver module is further configured to send a second non-access stratum security mode command NAS SMC message to the terminal device, where the second NAS SMC message includes second indication information instructing the terminal device to generate Kamf#2 (the updated Kamf) and to activate the second security context corresponding to Kamf#2.
  • the second NAS SMC message further includes third indication information, where the third indication information instructs the terminal device to continue to use the NAS security context in the first security context and the AS security context in the first security context .
  • the second security context includes one or more of the following: Kseaf#2, Kamf#2, Kaf#2, Kakma#2, K_NASint#2, K_NASenc#2, K_gNB#2, K_RRCint#2, K_RRCenc#2 or K_N3IWF#2.
  • an embodiment of the present application provides a communication device, including:
  • transceiver module for receiving a second non-access stratum security mode command NAS SMC message from the access and mobility management function AMF, where the second NAS SMC message carries the key identifier from the AMF;
  • a processing module configured to determine not to activate the second security context when the key identifier is the same as the first key identifier of the first security context being used by the terminal device, where the second security context is inconsistent with the first security context.
  • the processing module is further configured to determine not to activate the NAS security context in the second security context and/or the AS security context in the second security context.
  • the processing module is further configured to verify whether the security algorithm corresponding to the key identifier from the AMF is the same as the security algorithm corresponding to the first security context, where the security algorithm corresponding to the key identifier from the AMF is the security algorithm selected by the access and mobility management function;
  • the processing module is further configured to determine not to update the first security context when the security algorithm corresponding to the key identifier from the AMF is the same as the security algorithm corresponding to the first security context.
  • the transceiver module is further configured to receive first indication information sent by the access and mobility management function, where the first indication information is associated with a second network element, and the first indication information instructs the terminal device to update the communication key between the terminal device and the second network element;
  • the second network element includes any one of the following: a network exposure function NEF, an authentication and key management anchor function AAnF, an edge configuration server ECS, an edge enabler server EES, a mobile edge computing MEC or an application function AF.
  • an embodiment of the present application provides a communication device, which can implement the functions performed by the terminal device and the network device in the methods involved in the first and second aspects above.
  • the communication device includes a processor, a memory, a receiver connected to the processor and a transmitter connected to the processor; the memory stores program code and passes it to the processor; the processor drives the receiver and the transmitter, according to the instructions in the program code, to perform the operations of the terminal device and the network device in the methods of the first and second aspects. Specifically, the transmitter performs the sending operations and the receiver performs the receiving operations.
  • the receiver and the transmitter may be a radio frequency circuit that receives and sends messages through an antenna; they may also be a communication interface connected to the processor through a bus, in which case the processor receives or sends messages through that communication interface.
  • an embodiment of the present application provides a communication apparatus, where the communication apparatus may include entities such as network equipment or chips, or the communication apparatus may include entities such as terminal equipment or chips, and the communication apparatus includes: a processor and a memory; The memory is used to store instructions; the processor is used to execute the instructions in the memory, so that the communication device performs the method according to any one of the aforementioned first or second aspects.
  • embodiments of the present application provide a computer-readable storage medium storing one or more computer-executable instructions; when the instructions are executed by a processor, the processor performs the method of the first aspect or of any possible implementation of the second aspect.
  • an embodiment of the present application provides a computer program product (or a computer program) that stores one or more computer-executable instructions, and when the computer-executable instructions are executed by the processor, the processor executes the aforementioned first aspect or any possible implementation manner of the second aspect.
  • the present application provides a chip system, where the chip system includes a processor for supporting a computer device to implement the functions involved in the above aspects.
  • the chip system further includes a memory for storing necessary program instructions and data of the computer device.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the present application provides a communication system, where the communication system includes the communication apparatus in the fourth and fifth aspects above.
  • FIG. 1 is a schematic diagram of a network architecture of a communication system
  • FIG. 2 is a schematic diagram of a hardware structure of a communication device in an embodiment of the present application.
  • FIG. 3 is a schematic diagram of an access flow of a UE through forwarding
  • FIG. 4 is a schematic flowchart of the generation of the key Kaf
  • FIG. 5 is a schematic flowchart of the NAS SMC involved in the embodiment of the application.
  • FIG. 6 is a schematic flowchart of a communication method proposed by an embodiment of the present application.
  • FIG. 7 is a schematic diagram of an application scenario proposed by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of another application scenario proposed by an embodiment of the present application.
  • FIG. 9 is a schematic diagram of another application scenario proposed by an embodiment of the present application.
  • FIG. 10 is a schematic diagram of an embodiment of a communication device in an embodiment of the present application.
  • FIG. 11 is a schematic diagram of an embodiment of a communication apparatus in an embodiment of the present application.
  • "at least one of a, b, or c" can represent: a; b; c; a and b; a and c; b and c; or a, b and c, where a, b and c may each be singular or plural.
  • WCDMA Wideband Code Division Multiple Access
  • GPRS general packet radio service
  • LTE Long Term Evolution
  • FDD frequency division duplex
  • TDD time division duplex
  • UMTS universal mobile telecommunication system
  • WiMAX world wide interoperability for microwave access
  • the part of various communication systems that is operated by an operator may be referred to as an operator network.
  • the operator network, also known as a public land mobile network (PLMN), is a network established and operated by a government or a government-approved operator to provide land mobile communication services to the public.
  • the network operated by a mobile network operator (MNO) is a public network that provides users with mobile broadband access services.
  • the operator network or PLMN network described in the embodiments of this application may be a network that meets the requirements of the 3rd generation partnership project (3rd generation partnership project, 3GPP) standard, which is referred to as a 3GPP network for short.
  • 3GPP networks are operated by operators and include, but are not limited to, fifth-generation (5G) networks, fourth-generation (4G) networks and third-generation (3G) networks, as well as future 6G networks.
  • 5G networks fifth-generation (5th-generation, 5G) networks
  • 4G networks fourth-generation, 4G networks
  • 3G network third-generation mobile communication technology
  • FIG. 1 is a schematic diagram of a network architecture of a communication system.
  • the network architecture may include a terminal device part (also referred to as a user equipment part), an operator network part, and a data network (DN) part.
  • DN data network
  • the terminal equipment part includes a terminal equipment 110, and the terminal equipment 110 may also be referred to as user equipment (user equipment, UE).
  • the terminal device 110 involved in the embodiments of the present application can communicate with one or more core networks (CN) through the access network device in the (radio) access network ((R)AN) 140.
  • the terminal device 110 may also be referred to as an access terminal, terminal, subscriber unit, subscriber station, mobile station, mobile, remote station, remote terminal, mobile device, user terminal, wireless network device, user agent or user device, and the like.
  • the terminal device 110 can be deployed on land, including indoor or outdoor, hand-held or vehicle-mounted; can also be deployed on water (such as ships, etc.); and can also be deployed in the air (such as planes, balloons, satellites, etc.).
  • the terminal device 110 may be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a smart phone, a mobile phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capabilities, a computing device or other device connected to a wireless modem, an in-vehicle device, a wearable device, a drone device, an Internet of Things terminal, a terminal in a 5G network or a future public land mobile network (PLMN), a relay user equipment, etc., where the relay user equipment may be, for example, a 5G residential gateway (RG).
  • the terminal device 110 may be a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, etc.
  • This embodiment of the present application does not limit this.
  • the embodiments take an unmanned aerial vehicle and an unmanned aerial vehicle remote controller as the example of terminal device 110 for description.
  • the drones involved in the embodiments of the present application may also include a vehicle that travels autonomously or based on the control instructions of a remote controller, and a ship that sails autonomously or based on the control commands of a remote controller.
  • the operator network may include unified data management (UDM) 134, authentication server function (AUSF) 136, access and mobility management function (AMF) 137, session management function (SMF) 138, user plane function (UPF) 139, (R)AN 140 and so on.
  • UDM unified data management
  • AUSF authentication server function
  • AMF access and mobility management function
  • SMF session management function
  • UPF user plane function
  • the data network DN 120, which may also be referred to as a packet data network (PDN), is usually a network outside the operator's network, such as a third-party network.
  • the operator network can access multiple data networks DN 120, and multiple services can be deployed on the data network DN 120, which can provide services such as data and/or voice for the terminal device 110.
  • the data network DN 120 can be a private network of a smart factory, the sensors installed in the workshop of the smart factory can be terminal devices 110, and the control server of the sensor is deployed in the data network DN 120, and the control server can provide services for the sensor.
  • the sensor can communicate with the control server, obtain instructions from the control server, and transmit the collected sensor data to the control server based on the instructions.
  • the data network DN 120 can be an internal office network of a company, and the mobile phones or computers of employees of the company can be terminal devices 110, and the mobile phones or computers of employees can access information, data resources, etc. on the internal office network of the company.
  • the terminal device 110 may establish a connection with the operator's network through an interface (eg, N1, etc.) provided by the operator's network, and use services such as data and/or voice provided by the operator's network.
  • the terminal device 110 can also access the data network DN 120 through the operator network, and use the operator services deployed on the data network DN 120, and/or services provided by third parties.
  • the above-mentioned third party may be a service provider other than the operator network and the terminal device 110 , and may provide other data and/or voice services for the terminal device 110 .
  • the specific expression form of the above third party can be specifically determined based on the actual application scenario, which is not limited here.
  • the (R)AN 140 can be regarded as a sub-network of the operator's network and is the implementation system between the service nodes of the operator's network and the terminal device 110.
  • to access the operator network, the terminal device 110 first passes through the (R)AN 140 and is then connected to the service nodes of the operator network through the (R)AN 140.
  • the access network device (RAN device) in this embodiment of the application is a device that provides wireless communication functions for the terminal device 110, and may also be referred to as a network device.
  • the RAN device includes but is not limited to: a next generation node B (gNB) in the 5G system, an evolved node B (eNB) in long term evolution (LTE), a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, home evolved node B or home node B, HNB), a base band unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), small base station equipment (pico), a mobile switching center, or network equipment in future networks, etc.
  • in systems using different radio access technologies, the names of devices with access network functions may differ.
  • the above-mentioned apparatuses for providing wireless communication functions for the terminal device 110 are collectively referred to as access network devices or simply referred to as RAN or AN. It should be understood that the specific type of the access network device is not limited herein.
  • the access and mobility management function AMF (also referred to as AMF network element, AMF network function or AMF network function entity) 137 is a control plane network function provided by the operator's network and is responsible for access control and mobility management when the terminal device 110 accesses the operator's network, including functions such as mobility status management, assigning user temporary identities, and authenticating and authorizing users.
  • the session management function SMF (also referred to as SMF network element, SMF network function or SMF network function entity) 138 is a control plane network function provided by the operator network, responsible for managing the protocol data unit (PDU) sessions of the terminal device 110.
  • the PDU session is a channel for transmitting PDUs, and the terminal device needs to transfer PDUs to and from the data network DN 120 through the PDU session.
  • the PDU session is established, maintained and deleted by the SMF network function 138.
  • SMF network functions 138 include session management (eg session establishment, modification and release, including tunnel maintenance between user plane functions UPF 139 and (R)AN 140), selection and control of UPF network functions 139, service and session continuity ( Service and session continuity, SSC) mode selection, roaming and other session-related functions.
  • the user plane function UPF (may also be referred to as UPF network element, UPF network function or UPF network function entity) 139 is a gateway provided by the operator, and is a gateway for the operator network to communicate with the data network DN 120.
  • the UPF network function 139 includes user plane-related functions such as data packet routing and forwarding, data packet inspection, service usage reporting, quality of service (QoS) handling, lawful interception, uplink data packet inspection, and downlink data packet buffering.
  • QoS quality of service
  • the unified data management network element UDM (also referred to as UDM network element, UDM network function or UDM network function entity) 134 is a control plane function provided by the operator, responsible for storing the subscriber permanent identifier (SUPI), generic public subscription identifier (GPSI), credentials and other information of the subscribers of the operator's network.
  • SUPI subscriber permanent identifier
  • GPSI generic public subscription identifier
  • the SUPI is encrypted before transmission, and the encrypted SUPI is called the subscription concealed identifier (SUCI).
  • This information stored by UDM 134 can be used for authentication and authorization of terminal device 110 to access the operator's network.
  • the above-mentioned subscribers of the operator's network may specifically be users who use the services provided by the operator's network, such as users of "China Telecom" mobile phone SIM cards, or users of "China Mobile" mobile phone SIM cards, etc.
  • the above-mentioned credential of the subscriber may be, for example, a long-term key stored in the mobile phone's SIM card, or a small file storing encryption-related information of the SIM card, etc., used for authentication and/or authorization.
  • for convenience of description, the embodiments of the present application do not differentiate between or limit permanent identifiers, credentials, security contexts, authentication data (cookies), tokens and other verification/authentication- and authorization-related information.
  • the authentication server function AUSF (also referred to as AUSF network element, AUSF network function or AUSF network function entity) 136 is a control plane function provided by the operator, usually used for primary authentication, that is, authentication between the terminal device 110 (the subscriber) and the operator network.
  • after the AUSF 136 receives the authentication request initiated by the subscriber, it can authenticate and/or authorize the subscriber through the authentication information and/or authorization information stored in the UDM network function 134, or generate the authentication and/or
  • an AKMA anchor key Kakma is generated for the Authentication and Key Management for Applications (AKMA) anchor function (AAnF) 130.
  • this key management key Kakma is also called the AKMA intermediate key; the AAnF 130 is responsible for generating, for the application function (AF) 135, the key Kaf used by the AF 135 and the validity time of Kaf.
  • the network exposure function (NEF) 131 acts as an intermediate network element between the external application function (AF) 135 and the AKMA anchor function within the core network.
  • the network repository function (NRF) 132 is used for network function (NF) registration, management and state detection, and realizes automatic management of all NFs. When each NF starts, it must register with the NRF; only after registration can it provide services. The registration information includes the NF type, address, service list, etc.
  • the policy control function (PCF) 133; quality of service (QoS) parameters of the AF 135.
  • the application function AF 135 interacts with the 3rd Generation Partnership Project (3GPP) core network to provide application layer services, for example, providing data routing at the application layer and providing network access capability.
  • AF 135 can interact with NEF 131 and can interact with PCF 133.
  • the AF 135 needs to interact with the AAnF 130 to obtain the AF intermediate key (Kaf) and the validity time of Kaf.
  • the AF 135 may be located inside or outside the 5G core network. If the AF 135 is inside the 5G core network, it can interact directly with the PCF 133. If the AF 135 is outside the 5G core network, the NEF 131 acts as an intermediate node that forwards the interaction between the AF 135 and the PCF 133.
  • the AKMA anchor function AAnF 130 interacts with the AUSF 136 to obtain the AKMA intermediate key (Kakma), and is responsible for generating, for the AF 135, the key Kaf used by the AF 135 and the validity time of Kaf.
  • Nausf, Nudm, Namf, Nsmf, Nnrf, Nnef, Naanf, Naf, N1, N2, N3, N4, and N6 are interface serial numbers.
  • these interface serial numbers refer to the meanings defined in the 3GPP standard protocol, which will not be repeated here.
  • the terminal device 110 is described by taking the UE as an example, and the interface names between the various network functions in FIG. 1 are only an example; in other system architectures other interface names may also be used, which are not specifically limited in this embodiment of the present application.
  • the mobility management network function is described by taking the AMF network function 137 as an example. It may also be another network function having the functions of the above-mentioned AMF network function 137 in a future communication system. Alternatively, the mobility management network function in this application may also be a mobility management entity (MME) in LTE, or the like. Further, the AMF network function 137 is referred to as AMF for short, and the terminal device 110 is referred to as UE, that is, the AMF described later in the embodiments of the present application can be replaced by a mobility management network function, and the UE can be replaced by a terminal device.
  • the method for generating a key identifier provided by this application can be applied to various communication systems, for example, the Internet of Things (IoT), the narrowband Internet of Things (NB-IoT), long term evolution (LTE), the fifth generation (5G) communication system, a hybrid architecture of LTE and 5G, a 5G new radio (NR) system, and new communication systems that will appear in future communication development, etc.
  • the 5G communication system of the present application may include at least one of a non-standalone (NSA) 5G communication system and a standalone (SA) 5G communication system.
  • the communication system may also be a public land mobile network (PLMN) network, a device-to-device (D2D) network, a machine-to-machine (M2M) network, or other networks.
  • embodiments of the present application may also be applicable to other future-oriented communication technologies, such as 6G and the like.
  • the network architecture and service scenarios described in this application are for the purpose of illustrating the technical solutions of this application more clearly, and do not constitute a limitation on the technical solutions provided by this application.
  • the appearance of each network function involved in this application may be changed, and the technical solutions provided in this application are also applicable to similar technical problems.
  • FIG. 2 is a schematic diagram of a hardware structure of a communication device according to an embodiment of the present application.
  • the communication apparatus may be a possible implementation manner of the network device or the terminal device in the embodiment of the present application.
  • the communication apparatus includes at least a processor 204 , a memory 203 , and a transceiver 202 , and the memory 203 is further configured to store instructions 2031 and data 2032 .
  • the communication device may further include an antenna 206, an input/output (I/O) interface 210 and a bus 212.
  • the transceiver 202 further includes a transmitter 2021 and a receiver 2022.
  • the processor 204 , the transceiver 202 , the memory 203 and the I/O interface 210 are communicatively connected to each other through the bus 212 , and the antenna 206 is connected to the transceiver 202 .
  • the processor 204 can be a general-purpose processor, such as, but not limited to, a central processing unit (CPU), or can be a special-purpose processor, such as, but not limited to, a digital signal processor (DSP), an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA), etc.
  • the processor 204 may also be a neural network processing unit (NPU).
  • the processor 204 may also be a combination of multiple processors.
  • the processor 204 may be configured to execute the relevant steps of the method for generating the key identifier in the subsequent method embodiments.
  • the processor 204 may be a processor specially designed to perform the above steps and/or operations, or may be a processor that performs the above steps and/or operations by reading and executing the instructions 2031 stored in the memory 203; the processor 204 may need the data 2032 when performing the above steps and/or operations.
  • the transceiver 202 includes a transmitter 2021 and a receiver 2022 .
  • the transmitter 2021 is used to transmit signals through the antenna 206 .
  • the receiver 2022 is used to receive signals through at least one of the antennas 206 .
  • the transmitter 2021 and the receiver 2022 may be specifically configured to perform, through at least one antenna among the antennas 206, the operations performed by the sending module or the receiving module of the network device or terminal device when the method for generating the key identifier in the subsequent method embodiments is applied to that network device or terminal device.
  • the transceiver 202 is configured to support the communication device in performing the aforementioned receiving function and sending function.
  • a processor with processing capability is regarded as the processor 204.
  • the receiver 2022 may also be called an input port, a receiving circuit, and the like, and the transmitter 2021 may be called a transmitter or a transmitting circuit, and the like.
  • the processor 204 may be configured to execute the instructions stored in the memory 203 to control the transceiver 202 to receive messages and/or send messages, so as to complete the function of the communication device in the method embodiment of the present application.
  • the function of the transceiver 202 may be implemented by a transceiver circuit or a dedicated chip for transceiver.
  • receiving a message by the transceiver 202 may be understood as the transceiver 202 inputting a message.
  • sending a message by the transceiver 202 may be understood as the transceiver 202 outputting a message.
  • the memory 203 may be any of various types of storage media, such as random access memory (RAM), read only memory (ROM), non-volatile RAM (NVRAM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), flash memory, optical memory, registers, etc.
  • the memory 203 is specifically used to store the instructions 2031 and the data 2032, and the processor 204 can perform the steps and/or operations described in the method embodiments of the present application by reading and executing the instructions 2031 stored in the memory 203. The data 2032 may be needed during the operations and/or steps of a method embodiment.
  • the communication apparatus may further include an I/O interface 210, and the I/O interface 210 is used for receiving instructions and/or data from peripheral devices, and outputting instructions and/or data to peripheral devices.
  • on the terminal device side, the UE or USIM; on the network device side, the UDM, the authentication credential repository and processing function (ARPF) or the unified data repository (UDR).
  • on the network device side, the UDM or ARPF generates the key CK and the key IK based on the UE's long-term key K.
  • depending on the authentication method selected by the UDM, the method of generating the intermediate key Kausf differs.
  • when the authentication method selected by the UDM is 5G Authentication and Key Agreement (5G AKA), the UDM or ARPF generates the intermediate key Kausf according to the key CK and the key IK.
  • UDM sends the generated intermediate key Kausf to AUSF.
  • when the authentication method selected by the UDM is the Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA'), the UDM or ARPF generates the key CK' and the key IK' from the key CK and the key IK.
  • the UDM sends the generated key CK' and key IK' to the AUSF.
  • the AUSF generates the intermediate key Kausf based on the key CK' and the key IK'.
  • security contexts include, but are not limited to: Kseaf, Kamf, Kaf, Kakma, KNASint, KNASenc, KgNB, KRRCint, KRRCenc or KN3IWF.
  • AUSF generates the key Kseaf based on the intermediate key Kausf, and sends the key Kseaf to SEAF.
  • SEAF generates the key Kamf based on the key Kseaf and sends the key Kamf to the AMF.
  • the AMF generates the non-access stratum (NAS) keys and the access stratum (AS) intermediate key KgNB according to the key Kamf.
  • the AMF delivers KgNB to the base station, and the base station further generates the AS security context, such as KRRCint and KRRCenc, according to KgNB.
  • on the terminal device side, first, the USIM generates the key CK and the key IK based on the UE's long-term key K. The USIM sends the key CK and the key IK to the UE.
  • similar to the network side, the way the intermediate key Kausf is generated differs between authentication methods.
  • when the authentication method used is 5G AKA, the UE generates the intermediate key Kausf according to the key CK and the key IK.
  • when the authentication method used is EAP-AKA', the UE generates the key CK' and the key IK' according to the key CK and the key IK.
  • the UE generates the intermediate key Kausf according to the key CK' and the key IK'.
  • the UE generates the key Kseaf according to the intermediate key Kausf.
  • the UE generates the key Kamf according to the key Kseaf.
  • the UE generates the NAS keys and KgNB according to the key Kamf.
  • the UE further generates KRRCint and KRRCenc according to KgNB.
  • FIG. 3 is a schematic diagram of an access flow of a UE through forwarding. Taking FIG. 3 as an example, the AKMA process is described specifically:
  • a primary authentication (Primary authentication) process is performed between the UE and the core network.
  • the primary authentication process needs to use an authentication vector (AV); the authentication vector carries the verification parameters used in the primary authentication process.
  • the AUSF obtains the authentication vector.
  • the main authentication process is also called an authentication process, which is not limited here.
  • the AUSF sends an authentication vector acquisition request message to the UDM.
  • the AUSF sends an authentication vector acquisition request message to the UDM, where the authentication vector acquisition request message is, for example, "Nudm_UEAuthentication_Get Request".
  • the authentication vector acquisition request message is used to request an authentication vector from the UDM.
  • the authentication vector acquisition request message carries SUPI or SUCI. Specifically, when the message sent by the AMF to the AUSF carries SUPI, the authentication vector acquisition request message carries SUPI; when the message sent by the AMF to the AUSF carries SUCI, the authentication vector acquisition request message carries SUCI.
  • SUCI can be understood as an encrypted form of SUPI.
  • the specific generation method of SUCI can refer to 3GPP standard TS 33.501.
  • the part of the SUPI other than the mobile country code (MCC) can be encrypted by the universal subscriber identity module (USIM) or the mobile equipment (ME) to obtain the encrypted part of the SUCI.
  • the SUCI also includes the routing identifier RID, the MCC, the MNC and other content.
  • the AUSF receives the authentication vector acquisition response message sent by the UDM.
  • in step 303, after the UDM receives the authentication vector acquisition request message of step 302, the UDM determines the corresponding authentication vector.
  • the UDM sends an authentication vector acquisition response message to the AUSF, where the authentication vector acquisition response message carries the authentication vector.
  • the authentication vector acquisition response message is, for example, "Nudm_UEAuthentication_Get Response".
  • the UDM determines whether the UE corresponding to the main authentication process supports the AKMA service based on the user subscription data corresponding to the SUPI.
  • the authentication vector acquisition response message carries the AKMA service indication information, and the AKMA service indication information is "AKMA Indication".
  • the AKMA service indication information is used to indicate that the AUSF needs to generate the AKMA anchor key Kakma for this UE. It can also be understood as: the AKMA service indication information is used to indicate that the UE supports the AKMA service.
  • the authentication vector acquisition request message does not carry the AKMA service indication information.
  • the UE generates an AKMA anchor key Kakma based on the AUSF intermediate key.
  • in step 304a, after the UE's primary authentication process is successfully completed, the UE generates an AKMA anchor key (Kakma) based on the same intermediate key (Kausf) used by the AUSF.
  • the UE generates an authentication and key management-key temporary identity identifier A-KID.
  • in step 304b, after the UE's primary authentication process is successfully completed and before the UE initiates the AKMA service, the UE generates the AKMA key identifier (AKMA Key Identifier, A-KID) based on the same intermediate key (Kausf) used by the AUSF.
  • the A-KID is used to identify the UE's AKMA anchor key Kakma.
  • before the UE initiates the AKMA service, the UE generates an A-KID based on the same intermediate key (Kausf) used by the AUSF. Specifically, the UE generates the AKMA temporary UE identifier (A-TID) part of the A-KID based on the same intermediate key (Kausf) used by the AUSF.
  • the A-KID is generated based on the routing identifier RID.
  • the A-KID format is "username@example".
  • the "username" part includes the routing identifier RID and the AKMA temporary UE identifier (A-TID).
  • the "example" part includes home network identifiers such as the mobile country code (MCC) and the mobile network code (MNC).
  • the A-TID is a temporary identifier generated based on Kausf.
  • the execution order of step 304a and step 304b is not limited.
  • the AUSF generates the AKMA anchor key Kakma based on the AUSF intermediate key.
  • step 305a is similar to the aforementioned step 304a, and will not be repeated here.
  • the difference from 304a is that after the AUSF receives the authentication vector acquisition response message, if the message carries the AKMA service indication information, the AUSF uses the Kausf acquired by the AUSF to generate Kakma and A-KID. If the authentication vector acquisition response message does not carry the AKMA service indication information, the AUSF may not generate Kakma and A-KID.
  • the AUSF generates an authentication and key management-key temporary identity identifier A-KID.
  • in step 305b, when the authentication vector acquisition response message sent by the UDM in step 303 carries the AKMA indication information, the AUSF determines based on the AKMA indication information that an A-KID needs to be generated.
  • the AUSF sends an AKMA anchor key registration request message to the AAnF.
  • in step 306, after the AUSF selects an AAnF, the AUSF sends an AKMA anchor key registration request message to the AAnF.
  • the AKMA anchor key registration request message is, for example, "Naanf_AKMA_AnchorKey_Register Request". Specifically, the AKMA anchor key registration request message carries the SUPI, the A-KID and Kakma.
  • the AUSF receives the AKMA anchor key registration response message sent by the AAnF.
  • the AAnF sends an AKMA anchor key registration response message to the AUSF based on the AKMA anchor key registration request message in step 306.
  • the AKMA anchor key registration response message is, for example, "Naanf_AKMA_AnchorKey_Register Response".
  • the AUSF deletes Kakma and the A-KID.
  • in step 308, after the AUSF receives the AKMA anchor key registration response message sent by the AAnF, the AUSF deletes Kakma and the A-KID.
  • RIDs are included in SUCI.
  • the current standard specifies that the RID is used by the AMF to look up the AUSF and by the AUSF to look up the UDM.
  • the RID is used to generate the A-KID.
  • RID is also used to select AAnF.
  • the RID is stored in the USIM.
  • when the 5G UE uses a 5G USIM, the 5G UE obtains the RID to be used from the 5G USIM.
  • the value of the RID can be a non-default value or a default value.
  • the RID is included in the context of the UE. It can be understood that after the AMF obtains the RID from the SUCI, the RID is stored in the AMF.
  • the key Kaf is a key derived based on the intermediate key Kausf, which is included in the security context.
  • FIG. 4 is a schematic diagram of the generation process of the key Kaf, specifically:
  • the primary authentication process is performed and Kakma is generated.
  • step 401 is the primary authentication process, in which Kakma is generated.
  • for the specific steps, please refer to the steps shown in FIG. 3 above, which will not be repeated here.
  • the UE sends an A-KID to the AF.
  • in step 402, the UE sends an "Application Session Establishment Request" message to the AF.
  • the A-KID is carried in the message.
  • the AAnF searches for the corresponding Kakma according to the A-KID, that is, the Kakma whose A-KID is consistent with the A-KID in the message.
  • the AF sends the A-KID and the AF_ID to the AAnF.
  • the AF sends a "Naanf_AKMA_ApplicationKey_Get Request" message to the AAnF.
  • the message carries the A-KID and the AF identification information (AF_ID).
  • the A-KID comes from the aforementioned "Application Session Establishment Request" message.
  • the AF_ID is used to generate Kaf.
  • AAnF determines Kakma according to the A-KID, and uses Kakma to generate Kaf.
  • the AAnF determines Kakma according to the A-KID, then uses Kakma to generate Kaf, and determines the validity time of Kaf (also known as the expiration time).
  • the AAnF sends Kaf to the AF.
  • in step 405, the AAnF sends a "Naanf_AKMA_ApplicationKey_Get Response" message to the AF, where the message carries the generated Kaf and the expiration time of Kaf.
  • the AF returns a response message to the UE.
  • in step 406, the AF replies with a response message to the UE, and the response message may be an "Application Session Establishment Response" message.
  • Kakma is generated from Kausf after the primary authentication is completed. Without a new Kausf being generated, no new Kakma is generated. It can therefore be understood that the validity time of Kakma is consistent with that of Kausf.
  • the update time of Kausf depends on the frequency of primary authentication, and the time of primary authentication depends on the network configuration or trigger conditions. Therefore, the validity time of Kausf (also known as expiration time, validity period or lifetime) is uncertain, and so is the validity time of the Kakma generated based on this Kausf.
  • Kaf is generated based on the Kakma (and AF_ID).
  • the validity time of this Kaf is set by the AAnF, so the validity time of this Kaf may not be consistent with the validity time of Kausf.
  • Kaf has a separate validity period.
  • when Kaf expires, Kaf needs to be updated, otherwise there may be no key available between the UE and the AF.
  • because generating Kaf requires Kakma, if Kakma is not updated, the same Kaf is generated from Kakma. Therefore, when Kaf expires, if a new Kausf has been generated, the AAnF can generate a new Kaf for the AF; but if no new Kausf has been generated, the AAnF will only generate the expired Kaf again. If the UE and the AF then continue to use the expired Kaf, setting a validity period for Kaf becomes meaningless, which is inconsistent with the original design of the validity period. For example: Kaf#1 is generated using Kakma#1, and Kakma#1 is generated based on Kausf#1.
  • when Kaf#1 expires, the AF and the UE need to use a new Kaf (Kaf#2).
  • when Kausf is not updated, that is, Kausf is still Kausf#1, the Kaf generated based on Kausf#1 is still Kaf#1. Therefore, the UE and the AF cannot continue to use this Kaf.
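The following Python model is an added example, not code from the patent application or from 3GPP; it illustrates both the AKMA key hierarchy described above (Kausf to Kakma and A-TID, Kakma and AF_ID to Kaf, the A-KID as "username@example") and the stale-Kaf situation just discussed. The generic KDF is the HMAC-SHA-256 construction of TS 33.220 Annex B; the FC values, the A-TID truncation, the A-KID realm layout, the SUPI, AF_ID and Kausf values are assumptions of this example and should be checked against TS 33.535 before being relied on.

```python
import hashlib
import hmac

# Generic key derivation function of 3GPP TS 33.220 Annex B:
# derived key = HMAC-SHA-256(Key, FC || P0 || L0 || P1 || L1 || ...), Li = 2-byte length of Pi.
def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

# FC values and input parameters as recalled from TS 33.535 Annex A; treat them as
# assumptions of this example and verify them against the current version of the standard.
FC_A_TID, FC_KAKMA, FC_KAF = 0x80, 0x81, 0x82

def derive_kakma(kausf: bytes, supi: str) -> bytes:
    """Kakma = KDF(Kausf, FC, "AKMA", SUPI): computed by the AUSF (step 305a) and the UE (step 304a)."""
    return kdf(kausf, FC_KAKMA, b"AKMA", supi.encode())

def derive_a_tid(kausf: bytes, supi: str) -> bytes:
    """A-TID, the Kausf-based temporary part of the A-KID (truncation to 16 bytes is an assumption)."""
    return kdf(kausf, FC_A_TID, b"A-TID", supi.encode())[:16]

def build_a_kid(rid: str, a_tid: bytes, mcc: str, mnc: str) -> str:
    """A-KID = username@example: username carries RID and A-TID, the realm carries MCC/MNC.
    The realm layout below is an assumption of this example."""
    return f"{rid}{a_tid.hex()}@5g-akma.mnc{mnc}.mcc{mcc}.3gppnetwork.org"

def derive_kaf(kakma: bytes, af_id: str) -> bytes:
    """Kaf = KDF(Kakma, FC, AF_ID): computed by the AAnF in step 404 and by the UE."""
    return kdf(kakma, FC_KAF, af_id.encode())

class AAnF:
    """Minimal AAnF model: stores anchors registered by the AUSF (step 306) and hands out Kaf (step 405)."""
    def __init__(self, kaf_lifetime_s: int) -> None:
        self.anchors = {}                 # A-KID -> (SUPI, Kakma)
        self.kaf_lifetime_s = kaf_lifetime_s

    def register_anchor(self, supi: str, a_kid: str, kakma: bytes) -> None:
        self.anchors[a_kid] = (supi, kakma)

    def get_application_key(self, a_kid: str, af_id: str, now: int):
        _supi, kakma = self.anchors[a_kid]                          # look up Kakma by A-KID (step 404)
        return derive_kaf(kakma, af_id), now + self.kaf_lifetime_s  # Kaf and its expiration time

def enroll(aanf: AAnF, kausf: bytes, supi: str, rid: str, mcc: str, mnc: str) -> str:
    """What the AUSF does after a successful primary authentication with AKMA indication; returns the A-KID."""
    a_kid = build_a_kid(rid, derive_a_tid(kausf, supi), mcc, mnc)
    aanf.register_anchor(supi, a_kid, derive_kakma(kausf, supi))
    return a_kid

def kaf_after_expiry(new_primary_authentication: bool):
    """Return (Kaf#1, the Kaf obtained after Kaf#1 expired). Without a new Kausf the AAnF can only
    produce Kaf#1 again; after a new primary authentication it produces a different Kaf."""
    supi, rid, mcc, mnc = "imsi-001010123456789", "0000", "001", "01"   # constructed sample values
    af_id = "af.example.org"                                              # constructed AF_ID
    aanf = AAnF(kaf_lifetime_s=3600)
    kausf1 = hashlib.sha256(b"constructed Kausf#1").digest()              # stands in for a real Kausf#1
    a_kid = enroll(aanf, kausf1, supi, rid, mcc, mnc)
    kaf1, expiry1 = aanf.get_application_key(a_kid, af_id, now=0)
    if new_primary_authentication:                                        # new Kausf#2 -> new Kakma#2 -> new A-KID
        kausf2 = hashlib.sha256(b"constructed Kausf#2").digest()
        a_kid = enroll(aanf, kausf2, supi, rid, mcc, mnc)
    kaf2, _ = aanf.get_application_key(a_kid, af_id, now=expiry1)         # the AF asks again once Kaf#1 expired
    return kaf1, kaf2
```

Running `kaf_after_expiry(False)` returns two identical keys, which is exactly the situation the text calls meaningless: the expiry timer fired, but the AAnF had no fresh Kakma to derive a different Kaf from. `kaf_after_expiry(True)` returns two different keys, because a new primary authentication produced Kausf#2 and therefore a new Kakma and A-KID.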
  • Kausf is generated in the AUSF during the primary authentication process, or is generated by the UDM and then sent to the AUSF.
  • the UE can generate the same Kausf as obtained by the AUSF, using the same method as the AUSF or the UDM. How to ensure that the UE and the AUSF hold the same Kausf is currently under discussion. The conclusion of the discussion is that the AUSF saves the new Kausf after determining that the authentication is successful, and the UE side saves the new Kausf after receiving the non-access stratum security mode command (NAS SMC) message.
  • the main authentication process occurs first, followed by the NAS SMC process.
  • the NAS SMC process needs to be forced to occur after the primary authentication process, and the idle time between the primary authentication process and the NAS SMC process should be as short as possible.
  • the NAS SMC process can be used to activate the native security context, which refers to the security context generated through the main authentication process.
  • the security context includes keys, algorithms, counters, and other materials used for security functions.
  • the 5G security context refers to the security context for the 5G system. 5G security context includes but is not limited to 5G NAS security context, 5G AS security context and 5G AKMA security context.
  • the 5G NAS security context is used for security protection between UE and AMF, and the AS security context is used for security protection between UE and base station.
  • the 5G AKMA security context includes keys (or security materials, or security keys) such as Kakma, A-KID, Kaf, etc.
  • the 5G AKMA security context is generated on the AUSF side after the primary authentication process and sent to the AAnF, and on the UE side before the AKMA service is initiated. Specifically, a new Kausf is generated in the primary authentication process, and other new keys (e.g., NAS keys) are generated based on the new Kausf. If the new keys are to be activated, they must be activated through the NAS SMC process.
  • activating a key means that the UE and the AMF start to use the key for security protection.
  • FIG. 5 is a schematic flowchart of a NAS SMC involved in an embodiment of the present application.
  • the NAS SMC process includes:
  • in step 501, the AMF starts the integrity protection process.
  • the AMF sends a NAS SMC message to the UE.
  • in step 502, the AMF generates a 5G key set identifier (Key Set Identifier in 5G, ngKSI) in the primary authentication process, and the 5G key set identifier is used to identify the 5G security context.
  • the 5G key set identifier carried in the NAS SMC message is used to inform the UE which set of keys to use for security protection from then on.
  • the AMF sends a NAS SMC message to the UE; the NAS SMC message carries the 5G key set identifier (ngKSI), and also includes other information, such as the selected encryption algorithm and/or the selected integrity protection algorithm, the security algorithm for replay, etc.
  • the security algorithms include the encryption algorithm and the integrity protection algorithm, which will not be described here.
  • in step 503, the AMF starts the uplink decryption process.
  • in step 504, the UE verifies the integrity of the NAS SMC message; specifically, the UE also verifies whether uplink encryption, downlink decryption and integrity protection have been successfully activated.
  • the UE sends a NAS SMC completion response to the AMF.
  • in step 505, after the UE completes the verification of the NAS SMC message, the UE sends a NAS SMC completion response to the AMF.
  • the NAS SMC completion response may be a NAS message.
  • in step 506, the AMF starts the downlink encryption process.
  • the NAS SMC process does not necessarily occur after the primary authentication process.
  • in that case the UE and the AMF continue to use the old keys. That is to say, even if some new native keys are generated after the primary authentication process, the AMF does not go on to generate the complete native keys, because no NAS SMC process occurs.
  • some native keys can be understood as keys other than NAS keys and AS keys, such as Kausf, Kseaf, Kamf.
  • the complete native key means that the NAS key and the AS key are further generated.
  • the AMF and/or the UE will further generate the NAS key only after going through the NAS SMC process; the base station and/or the UE will further generate the AS key only after going through the AS SMC process.
  • the currently used key is not necessarily the key generated by the most recent primary authentication process, because there may not have been a NAS SMC process after that primary authentication process. Therefore, the key currently used for NAS messages is not directly related to whether a primary authentication process occurred, but to whether a NAS SMC process occurred.
  • the key currently used to protect NAS messages is determined by which ngKSI is carried in the NAS SMC process. For example, three primary authentications have occurred, and the key from the first primary authentication is currently in use. No NAS SMC occurred after the second primary authentication, but a NAS SMC occurred after the third primary authentication. If the NAS SMC after the third primary authentication carries the ngKSI generated by the second primary authentication, the activated keys are the second set of primary-authentication-related keys.
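The following Python model is an added example, not code from the patent application or from 3GPP; it replays the three-authentication scenario just described from the UE's point of view, to show that the active NAS security context is chosen by the ngKSI carried in the NAS SMC and not by the most recent primary authentication. The Kausf values are constructed, and `derive` is a plain HMAC stand-in for the TS 33.501 key derivations (the real FC/P0/P1 inputs are omitted); the ngKSI value 7 meaning "no key available" is the value defined for the 3-bit key set identifier.

```python
import hashlib
import hmac

NO_KEY_AVAILABLE = 7   # ngKSI value meaning "no key is available"; values 0..6 identify a security context

def derive(key: bytes, label: bytes) -> bytes:
    # Stand-in for the TS 33.501 key derivation (HMAC-SHA-256 with a label); real FC/P0/P1 inputs omitted.
    return hmac.new(key, label, hashlib.sha256).digest()

class Ue:
    """UE side of FIG. 5: partial native contexts accumulate, one per primary authentication, but only the
    context named by the ngKSI in a NAS SMC message becomes the active NAS security context."""
    def __init__(self) -> None:
        self.partial = {}                  # ngKSI -> Kamf of a partial native security context
        self.active_ksi = NO_KEY_AVAILABLE
        self.nas_keys = None               # (KNASint, KNASenc) currently in use, or None

    def primary_authentication(self, ngksi: int, kausf: bytes) -> None:
        """The authentication request carried ngKSI; after success the UE holds Kausf -> Kseaf -> Kamf under it."""
        kseaf = derive(kausf, b"Kseaf")
        self.partial[ngksi] = derive(kseaf, b"Kamf")

    def nas_smc(self, ngksi: int, int_alg: str, enc_alg: str) -> bool:
        """Step 504: accept the NAS SMC only if the ngKSI names a context the UE holds; then derive NAS keys."""
        if ngksi not in self.partial:
            return False                   # the UE cannot activate a context it does not have
        kamf = self.partial[ngksi]
        self.nas_keys = (derive(kamf, b"NASint:" + int_alg.encode()),
                         derive(kamf, b"NASenc:" + enc_alg.encode()))
        self.active_ksi = ngksi
        return True

def three_authentications():
    """Scenario from the text: primary authentications with ngKSI 0, 1, 2; a NAS SMC carrying ngKSI 0 after the
    first, none after the second, and a NAS SMC carrying ngKSI 1 after the third.
    Returns the active ngKSI and whether the NAS keys in use come from the second authentication's Kamf."""
    ue = Ue()
    kausfs = [hashlib.sha256(b"constructed Kausf#%d" % i).digest() for i in (1, 2, 3)]  # constructed values
    ue.primary_authentication(0, kausfs[0])
    ue.nas_smc(0, "NIA2", "NEA2")           # first set of keys activated
    ue.primary_authentication(1, kausfs[1])  # no NAS SMC follows; first set stays active
    ue.primary_authentication(2, kausfs[2])
    ue.nas_smc(1, "NIA2", "NEA2")           # the SMC names the second context, not the third
    expected_int_key = derive(ue.partial[1], b"NASint:NIA2")
    return ue.active_ksi, ue.nas_keys is not None and ue.nas_keys[0] == expected_int_key
```

`three_authentications()` returns `(1, True)`: three Kausf values exist on the UE, the third is the newest, yet the NAS keys protecting traffic derive from the second one because that is the ngKSI the NAS SMC carried. A NAS SMC naming an ngKSI the UE never received is rejected and leaves the active context unchanged.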
  • FIG. 6 is a schematic flowchart of a communication method proposed by an embodiment of the present application, including:
  • the UE sends a registration request message to the AMF.
  • the UE sends a registration request message to the AMF, and the registration request message is forwarded by the network device.
  • the registration request message carries the UE's Subscription Concealed Identifier (SUCI).
  • the registration request message may be a "Registration Request".
  • the AMF sends the first key identifier to the UE.
  • After the AMF receives the registration request message, the AMF initiates the main authentication process: the AMF requests the AUSF to authenticate the UE; the AUSF requests the UDM for the authentication vector; the UDM generates the authentication vector and, according to the selected primary authentication method, determines whether to send the generated authentication vector or the processed authentication vector to the AUSF.
  • After the AMF obtains the authentication vector from the AUSF, the AMF sends the first authentication request message to the UE, and the first authentication request message includes the first key identifier.
  • the key identifier is ngKSI as an example for description. It can be understood that the key identifier may also be other identifiers, which is not limited here.
  • the specific process please refer to the description in Section 6.1.3 of Standard TS 33.501 Version 17.1.0.
  • the AMF sends a first authentication request message to the UE, where the first authentication request message includes a first key identifier, and the first authentication request message is used to trigger the first authentication (also known as the first primary authentication process).
  • the first key identifier is ngKSI#1, and the first key identifier corresponds to the first intermediate key.
  • the intermediate key is Kausf as an example for description. Then the first intermediate key is Kausf#1.
  • the UE interacts with the AMF to complete the first primary authentication process.
  • the UE receives the first authentication request message (including the first key identifier), and the UE receives the authentication vector. Then the UE starts to authenticate the network side; after verifying that the network side is authentic, the UE replies with a message to the AMF to continue the main authentication process, and finally completes the two-way authentication between the UE and the AMF and the AUSF.
  • the specific main authentication process is described in Section 6.1.3 of standard TS 33.501 version 17.1.0, and will not be repeated here. Since the main authentication process is related to the first intermediate key and the first key identifier, the main authentication process is called the first main authentication process.
  • the AUSF stores the first intermediate key corresponding to the first key identifier.
  • the AUSF stores Kausf#1.
  • specifically, after the AUSF verifies that the UE is authentic, Kausf#1 is stored. It should be noted that the AUSF does not receive the first key identifier; therefore, the AUSF finally only stores the correspondence between Kausf#1 and the permanent identifier of the UE.
  • the AMF initiates the NAS SMC process.
  • the specific NAS SMC process is the same as the process shown in the aforementioned Figure 5, and will not be repeated here.
  • the NAS SMC process related to the first main authentication process is referred to as NAS SMC process #1.
  • the AMF sends the first NAS SMC message to the UE, and the first NAS SMC message carries the first key identifier.
  • the AMF uses the NAS integrity protection key corresponding to the first key identifier to perform integrity protection verification on the first NAS SMC message.
  • the UE uses the NAS integrity protection key corresponding to the first key identifier to perform integrity protection verification on the first NAS SMC message. If the verification is successful, the UE performs confidentiality protection and integrity protection on the message by using the NAS encryption key and the NAS integrity protection key corresponding to the first key identifier. The UE side completes the activation process of the NAS key corresponding to the first key identifier. The UE replies with a "NAS Security Mode Complete" message to the AMF. The AMF uses the NAS integrity protection key and the NAS encryption key corresponding to the first key identifier to decrypt and verify the integrity of the message ("NAS Security Mode Complete" message). If the verification is successful, the AMF side completes the activation process of the NAS key corresponding to the first key identifier.
  • the AMF uses the NAS integrity protection key corresponding to ngKSI#1 to perform integrity protection on the first NAS SMC message.
  • the AMF triggers the second main authentication process.
  • the second main authentication process belongs to the re-authentication process.
  • the triggering conditions of the second main authentication process include but are not limited to: triggered by the AMF according to local policies, or the NAS counter (count) needs to be rolled over, or triggered by other network functions (or network elements).
  • the network function includes but is not limited to: AUSF or AAnF.
  • the AMF may determine whether to activate the second security context through the triggering cause of the primary authentication process.
  • There are various ways to trigger the main authentication process, including but not limited to:
  • the main authentication process is only used to authenticate the UE.
  • the AMF periodically authenticates the UE according to local policies and operator configuration.
  • the triggering reason for the main authentication process is to update the 5G NAS security context or the 5G AS security context.
  • NAS COUNT is about to flip.
  • the main authentication process is triggered by requests from other functional network elements.
  • the AMF receives a message for requesting key update from network elements such as AUSF, NEF, AAnF, ECS, and EES.
  • the main authentication process is initiated.
  • the main authentication process is triggered by the terminal device.
  • the terminal device carries indication information through the registration request message, which is used to indicate that a certain key needs to be updated.
  • steps 605 to 607b are optional. Steps 605 to 607b are to illustrate the method of triggering the AMF to generate the second security context.
  • the AMF may also generate a second security context. For example, the AMF may generate a new Kamf through Kamf#1 in the first security context, and the Kamf is called Kamf#2. Kamf#2 represents the second security context as an intermediate key.
  • AMF can further generate new 5G NAS keys and new 5G AS keys according to Kamf#2. For example, a new Kamf is generated through the horizontal Kamf deduction method in Section A.13 of the standard 33.501. In this case, the AMF may or may not generate a new second key identifier.
  • the purpose of generating the second key identifier is that, in the existing technology, a Kamf should be in one-to-one correspondence with a key identifier, so the newly generated Kamf should have a new key identifier, and the new key identifier is used to identify the newly generated Kamf. This situation usually occurs in the context of an AMF change. If the second key identifier is not generated, it may be the case that the AMF does not change, that is, the Kamf generated by the current AMF continues to be used by the AMF itself.
  • the AMF sends the second key identifier to the UE.
  • the AMF initiates the second main authentication process: the AMF requests the AUSF to authenticate the UE; the AUSF requests the UDM for the authentication vector; the UDM generates the authentication vector and, according to the selected main authentication method, determines whether to send the generated authentication vector or the processed authentication vector to the AUSF.
  • after the AMF obtains the authentication vector from the AUSF, the AMF sends a second authentication request message to the UE, where the second authentication request message includes the second key identifier, and the second authentication request message is used to trigger the second authentication between the UE and the network (also referred to as the second main authentication process).
  • the key identifier is ngKSI as an example for description. It can be understood that the key identifier may also be other identifiers, which is not limited here.
  • the specific process please refer to the description in Section 6.1.3 of Standard TS 33.501 Version 17.1.0.
  • the second key identifier is ngKSI#2, and the second key identifier corresponds to the second intermediate key.
  • the intermediate key is Kausf as an example for description. Then the second intermediate key is Kausf#2.
  • the AMF sends the second key identifier to the UE through an "Authentication Request" message.
  • the second key identifier may be ngKSI#2.
  • the UE and the AMF interact to complete the second primary authentication process.
  • the UE, AMF and AUSF continue to complete the second primary authentication process.
  • the specific main authentication process is similar to the foregoing step 603, and will not be repeated here.
  • the AUSF stores the intermediate key corresponding to the second key identifier.
  • the intermediate key corresponding to the second key identifier is called the second intermediate key.
  • the second intermediate key may be Kausf#2. Specifically, after the AUSF verifies that the UE is authentic, Kausf#2 is stored. It should be noted that the AUSF does not receive the second key identifier, so the AUSF finally only stores the correspondence between Kausf#2 and the permanent identifier of the UE.
  • the AMF determines whether to activate the second security context.
  • the AMF determines whether to activate the security context corresponding to the second intermediate key.
  • the security context of the intermediate key corresponding to the second intermediate key is referred to as the second security context.
  • the second security context includes but is not limited to: the 5G NAS security context and/or the 5G AS security context generated based on the intermediate key. Therefore, the AMF determines whether to activate the second security context, which refers to whether to activate the 5G NAS security context and/or the 5G AS security context generated based on the intermediate key.
  • the AMF determines whether to activate the second security context.
  • the second security context does not need to be activated. That is, there is no need to further use the 5G NAS key and 5G AS key generated based on Kausf#2, or the UE and AMF do not need to further generate the 5G NAS key and 5G AS key generated based on Kausf#2.
  • An exemplary scenario is as follows: when the operator configures the following scenarios, the UE authentication is triggered and the second security context is not activated. open connection); AMF data is migrated, that is, migrated from AMF#1 to AMF#2.
  • the AMF determines that the second security context needs to be activated. For example, the AMF determines that the primary authentication procedure is triggered because the NAS COUNT rolls over, or because the base station requests a new key. For example, when the NAS COUNT is about to be overturned, the AMF will trigger the main authentication process to generate a new 5G NAS security context, and activate the generated 5G NAS security context through the NAS SMC process.
  • the main authentication process occurs, and the main authentication process is triggered by the request of other functional network elements. For example, when the main authentication procedure is requested by the AUSF in order to update the Kakma-based key, the AMF determines that the second security context does not need to be activated. For another example, if the main authentication process is triggered by the SMF and the UDM in order to synchronize the UE state, the AMF determines that the second security context does not need to be activated. For another example, if the main authentication process is triggered by the AMF because the 5G security context of the UE cannot be found for the initial registration request message sent by the terminal device, the AMF determines not to activate the second security context.
  • the second security context does not need to be activated by default.
  • the main authentication process occurs, and when the AMF cannot clearly determine whether to activate the second security context, the AMF may activate the second security context by default. For example, when the AMF cannot determine whether to activate the second security context, the AMF activates the second security context by default. Alternatively, the AMF may continue to use the first security context by default. For example, when the AMF cannot determine whether to activate the second security context, the AMF continues to use the first security context by default. It should be noted that the AMF may make a judgment according to at least one of the above conditions. When multiple conditions appear at the same time, comprehensive consideration is required. Specifically, for example, if a triggering condition that requires activation of the second security context occurs, the AMF must activate the second security context. For example, when the AMF authenticates the UE according to local policy and finds that the NAS COUNT is about to roll over, the AMF determines that the second security context needs to be activated because the NAS COUNT is about to roll over.
  • the main authentication process occurs, and the main authentication process is triggered by the terminal device. Then the AMF needs to determine whether the NAS key or the AS key needs to be updated. If the update is not required, the second security context may not be activated; if the update is required, the second security context is activated; in the case of uncertainty, the second security context is activated by default.
  • the primary authentication process does not occur, and the AMF receives a request message for updating the key of the first network element, and the AMF triggers the second authentication according to the request message for updating the key.
  • the first network element includes but is not limited to any one of the following: AAnF, an edge configuration server (ECS), an edge enabling server (EES), or a mobile edge computing (MEC) functional network element. Then, after the AMF generates the second security context, it determines not to activate the second security context.
  • step 608 when the AMF determines that the second security context needs to be activated, the process proceeds to step 609; when the AMF determines that the second security context does not need to be activated, the process proceeds to step 612.
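As an added example (not the patent's own code), the following Python models the AMF decision of steps 605 to 608: the triggering causes enumerated above are constructed labels, the precedence rule for several simultaneous causes and the configurable default follow the text, and `update_as_key` models the option, described under step 611, of leaving the AS key untouched when only the NAS key drove the activation.

```python
"""AMF decision of step 608: activate the second security context or keep the first.
Added example, not code from the patent or from any network implementation. The
trigger names are constructed labels for the triggering causes the text enumerates."""
from enum import Enum, auto
from typing import Iterable, Optional


class Trigger(Enum):
    NAS_COUNT_WRAP = auto()          # NAS COUNT about to roll over: new 5G NAS context needed
    GNB_KEY_REQUEST = auto()         # base station requests a new key
    LOCAL_POLICY_AUTH = auto()       # periodic authentication of the UE only
    AUSF_KAKMA_UPDATE = auto()       # AUSF requests primary authentication to refresh Kakma
    SMF_UDM_STATE_SYNC = auto()      # SMF/UDM request primary authentication to sync UE state
    INITIAL_REG_NO_CONTEXT = auto()  # initial registration, no 5G security context found
    FIRST_NE_KEY_UPDATE = auto()     # key-update request from AAnF/ECS/EES/MEC, no primary auth
    UE_REQUESTED = auto()            # UE carried an update indication in Registration Request


class Decision(Enum):
    ACTIVATE = "activate the second security context (step 609)"
    KEEP_FIRST = "keep the first security context (step 612)"


# Causes the text says require activation of the second security context.
REQUIRES_ACTIVATION = frozenset({Trigger.NAS_COUNT_WRAP, Trigger.GNB_KEY_REQUEST})
# Causes the text says do not require it: authentication only, or a key that is
# not the NAS/AS key (Kakma, or a key shared with AAnF/ECS/EES/MEC).
NO_ACTIVATION = frozenset({
    Trigger.LOCAL_POLICY_AUTH, Trigger.AUSF_KAKMA_UPDATE, Trigger.SMF_UDM_STATE_SYNC,
    Trigger.INITIAL_REG_NO_CONTEXT, Trigger.FIRST_NE_KEY_UPDATE,
})


def decide_activation(triggers: Iterable[Trigger],
                      ue_needs_nas_or_as_update: Optional[bool] = None,
                      default: Decision = Decision.ACTIVATE) -> Decision:
    """Return the AMF's decision for the given set of triggering causes.

    ue_needs_nas_or_as_update is the AMF's own judgement for a UE-triggered
    primary authentication; None means the AMF cannot tell, so `default` applies.
    `default` models the operator's choice of activating (or not) when undecided.
    """
    causes = set(triggers)
    # Several causes at once: any cause requiring activation takes precedence,
    # e.g. periodic authentication that also finds the NAS COUNT about to roll over.
    if causes & REQUIRES_ACTIVATION:
        return Decision.ACTIVATE
    if Trigger.UE_REQUESTED in causes:
        if ue_needs_nas_or_as_update is None:
            return default
        return Decision.ACTIVATE if ue_needs_nas_or_as_update else Decision.KEEP_FIRST
    if causes & NO_ACTIVATION:
        return Decision.KEEP_FIRST
    return default  # no recognised cause: the AMF cannot decide clearly


def update_as_key(triggers: Iterable[Trigger]) -> bool:
    """Step 611 option: when activation is driven only by the NAS key (NAS COUNT
    roll-over), the AMF may leave the AS key (KgNB) untouched to spare the UE work."""
    return Trigger.GNB_KEY_REQUEST in set(triggers)


if __name__ == "__main__":
    for causes in ({Trigger.LOCAL_POLICY_AUTH, Trigger.NAS_COUNT_WRAP},
                   {Trigger.AUSF_KAKMA_UPDATE}, {Trigger.UE_REQUESTED}):
        print(sorted(t.name for t in causes), "->", decide_activation(causes).value)
```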
  • the AMF sends the second key identifier to the UE. In the case that the main authentication process does not occur, the AMF sends the first key identifier and the second indication information to the UE.
  • the AMF determines to activate the second security context, in the NAS SMC process #2, the AMF sends the second key identifier to the UE.
  • the AMF determines, according to the cause that triggered the primary authentication (the NAS key needs to be replaced), to update the current key. Therefore, the AMF generates Kseaf#2 according to Kausf#2, and uses Kseaf#2 to generate Kamf#2. The AMF selects an encryption algorithm and an integrity protection algorithm, and further generates KNASint#2 and KNASenc#2. Optionally, the AMF may further generate KgNB#2, and send KgNB#2 to a network device (eg, a base station) through an N2 message.
  • the AMF sends the second key identifier to the UE through a second NAS SMC message ("NAS Security Mode Command" message). That is, the second key identifier (eg ngKSI#2) is carried in the second NAS SMC message.
  • After receiving the key identifier, the UE determines the key to be used subsequently according to the key identifier.
  • the UE needs to use the key material corresponding to the second key identifier, that is, the UE needs to use the 5G NAS key generated based on the second intermediate key.
  • the UE generates Kseaf#2 according to Kausf#2.
  • the UE uses Kseaf#2 to generate Kamf#2, and uses Kamf#2 and the selected security algorithm carried in the NAS SMC to generate KNASint#2 and KNASenc#2.
  • the UE uses KNASint#2 to verify the integrity protection of the NAS SMC.
  • the UE also needs to verify whether the security algorithm carried in the second NAS SMC message is the same as that carried in the registration request message by the UE. After the verification is passed, the UE starts to use KNASint#2 and KNASenc#2 to perform integrity protection and encryption protection on the subsequently sent NAS messages, and to perform integrity protection verification and decryption on the subsequently received NAS messages.
  • the UE stores the second intermediate key corresponding to the second key identifier.
  • After the UE receives the NAS SMC message, the UE stores the second key identifier, and the UE stores the second intermediate key corresponding to the second key identifier.
  • the UE stores ngKSI#2 and Kausf#2 (Kausf#2 corresponds to ngKSI#2).
  • the activation operation is as follows: create a security function, and put the updated key into the security function for use.
  • the UE deletes or stops the security function used before.
  • the UE replies with a NAS SMP message ("NAS Security Mode Complete" message) to the AMF.
  • AMF does not activate the new AS key.
  • Step 611 is an optional step.
  • the AMF determines whether to update the AS key. If the primary authentication was triggered because the NAS key needs to be updated (for example, the NAS counter value is about to roll over), then, in order to reduce the complexity on the UE, the AMF may determine not to update the AS key. Then, when the AMF activates the second security context, it does not activate the AS key corresponding to the second key identifier. That is, the second security context activated by the AMF does not include the AS key, and the AMF only activates the NAS key corresponding to the second key identifier. For example, the AMF does not activate the AS key corresponding to ngKSI#2, and the AS key includes but is not limited to: the key KgNB.
  • the AMF does not generate the KgNB corresponding to ngKSI#2 (the AMF does not generate a new KgNB#2, and the old KgNB#1 corresponds to ngKSI#1), or, after the AMF generates KgNB#2, it does not send KgNB#2 to the network equipment (eg, base station).
  • the AMF sends the first key identifier to the UE.
  • the AMF sends the second key identifier and the third indication information to the UE.
  • the second NAS SMC message may also carry a third indication information.
  • the third indication information is used to inform the UE that the currently used NAS security context and AS security context do not need to be updated.
  • the currently used NAS security context may also be referred to as the NAS security context in the first security context
  • the currently used AS security context may also be referred to as the AS security context in the first security context.
  • the NAS security context may be a 5G NAS security context
  • the AS security context may be a 5G AS security context.
  • the specific form of the third indication information is not specifically limited in this embodiment. It may be bit indication information, or enumeration type information, or it may be indicated by whether or not it appears. For example, if the third indication information appears in the second NAS SMC message, it indicates that the UE does not update the currently used 5G NAS security context and 5G AS security context; if it does not appear in the second NAS SMC message, it indicates that the UE needs to update the currently used 5G NAS security context and 5G AS security context.
  • the AMF sends a second NAS SMC message to the UE, where the second NAS SMC message includes the first key identifier.
  • the NAS key identified by the first key identifier is the key currently being used by the AMF and the UE.
  • the AMF preliminarily determines, according to the triggering cause of the primary authentication, that the current key does not need to be updated. Further, the AMF may select a security algorithm (the security algorithm includes an encryption algorithm and an integrity protection algorithm) and compare whether the selected security algorithm is the same as the currently used security algorithm identified by the current first key identifier. If they are the same, the AMF finally determines to do nothing, i.e. not to update the key. If they differ, the key needs to be updated through NAS SMC process #2 to activate the second security context. Exemplarily, the AMF sends the first key identifier to the UE through a second NAS SMC message ("NAS Security Mode Command" message).
  • the second NAS SMC message carries the first key identifier (eg, ngKSI#1). Specifically, the AMF puts the encryption algorithm and/or the integrity protection algorithm used by the first key identifier into the second NAS SMC message as the selected security algorithm.
  • the second NAS SMC message uses KNASint-1 corresponding to the first key identifier for integrity protection and/or KNASenc-1 for confidentiality protection.
  • the AMF determines that the second security context does not need to be activated.
  • the second NAS SMC message includes second indication information (Kamf change), which indicates that the UE needs to generate a new Kamf, which is called Kamf#2 (the Kamf originally used by the UE is called Kamf#1).
  • the AMF carries the first key identifier in the second NAS SMC message, and optionally, the second NAS SMC message also carries third indication information.
  • the primary authentication process does not occur, but the AMF generates Kamf#2 and the second key identifier, and the AMF determines that the second security context does not need to be activated.
  • the AMF sends the second indication information to the UE, and the second indication information informs the UE that a new Kamf needs to be generated, which is called Kamf#2. If the AMF obtains the second key identifier, the second NAS SMC message carries the first key identifier and the second indication information, or the second NAS SMC message carries the second key identifier and the third indication information and second indication information.
  • After the UE receives the second NAS SMC message, if the second NAS SMC message is encrypted, the UE decrypts the message using the key currently being used by the UE.
  • After the UE receives the second NAS SMC message, the UE performs integrity protection verification on the message using the key currently being used by the UE, and verifies whether the security algorithm carried in the second NAS SMC message is the same as the security algorithm carried by the UE in the registration request message; the security algorithm includes the integrity protection algorithm and the encryption algorithm of the UE. After all verifications are passed, the UE determines the key to be used subsequently according to the first key identifier.
  • the different schemes are described below:
  • when the key identifier from the AMF is the same as the key identifier of the UE, and the security algorithm corresponding to the key identifier is the same as the security algorithm corresponding to the first intermediate key, the terminal device continues to use the first security context and does not perform any processing, wherein the first security context corresponds to the first intermediate key;
  • the terminal device uses the second intermediate key to generate the second security context, and the terminal device activates the second security context;
  • when the key identifier from the AMF is the same as the key identifier of the UE, and the security algorithm corresponding to the key identifier is different from the security algorithm corresponding to the first intermediate key, the terminal device generates a third security context according to the first intermediate key, and the terminal device activates the third security context.
  • when the key identifier from the AMF is the first key identifier, the UE needs to use the key corresponding to the first key identifier, that is, the UE needs to use the first security context and the first intermediate key.
  • the UE can continue to use the original intermediate key (the first intermediate key) and the first security context.
  • the UE may reactivate the first intermediate key and the first security context, which is not limited here.
  • the UE can compare whether the key identifier from the AMF in the second NAS SMC message is the same as the key identifier of the intermediate key currently being used by the UE, and the UE also needs to verify whether the security algorithm corresponding to the key identifier in the second NAS SMC message is the same as the security algorithm currently being used by the UE. If both are the same, and the UE verifies that the integrity protection of the NAS SMC is correct, the UE may continue to use the current 5G NAS security context without updating the first security context. That is, with the current key and security algorithm, the NAS COUNT does not need to be reset to 0 either.
  • the UE can compare whether the key identifier from the AMF in the second NAS SMC message is the same as the key identifier of the intermediate key currently being used by the UE, and the UE also needs to verify whether the security algorithm corresponding to the key identifier from the AMF in the second NAS SMC message is the same as the security algorithm currently being used by the UE. If only the latter is different (that is, the key identifiers are the same, but the security algorithms are inconsistent), the UE needs to use the Kamf#1 corresponding to the Kausf#1 identified by ngKSI#1, together with the new security algorithm carried in the second NAS SMC message, to generate the third security context.
  • the third security context may be a new 5G NAS security context (corresponding to the first intermediate key); specifically, a new KNASint and a new KNASenc are generated, and the NAS COUNT is reset to 0.
  • the UE verifies the integrity protection of the second NAS SMC message using the newly generated KNASint. It can be understood that, because the second NAS SMC message carries ngKSI#1, only the first intermediate key corresponding to ngKSI#1 can be used to further derive the subkeys, so it is enough to generate a new NAS key.
  • the UE may activate the key identified by the first key identifier according to the description in step 610, which may include at least one of the following steps: generating Kseaf#1 according to Kausf#1, using Kseaf#1 to generate Kamf#1, and then using Kamf#1 and the selected security algorithm carried in the second NAS SMC message to generate KNASint#1 and KNASenc#1; KNASint#1 and KNASenc#1 are used with the integrity protection algorithm and the encryption algorithm for the corresponding functions, but the NAS COUNT remains unchanged.
  • the UE only compares whether the key identifier from the AMF carried in the second NAS SMC message is the same as the key identifier corresponding to the key currently being used. If the integrity protection check of the SMC message is successful, the first security context will not be updated, and the current 5G NAS security context will continue to be used.
  • the UE further checks whether the third indication information is received. If the UE receives the third indication information, the UE only generates a new Kamf (generates Kamf#2), and does not update the 5G NAS and/or 5G AS security context.
  • the terminal device will continue to use the first security context, that is, only Kamf#2 needs to be generated, and no other processing will be performed. That is to say, the terminal device can continue to use the 5G NAS security context and 5G AS security context generated based on Kausf#1.
  • the terminal device only needs to generate Kamf#2, and no other processing is required.
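The UE-side handling of the second NAS SMC message, as an added example rather than code from the patent: it covers the three schemes above (continue the first context, derive a third context from Kamf#1 with new algorithms, or derive the second context from the Kausf stored under the new ngKSI) plus the third-indication case in which only Kamf#2 is derived. The KDF is a labelled HMAC-SHA256 placeholder for the TS 33.501 KDF, and the message fields, outcome names and sample keys are constructed.

```python
"""UE handling of the second NAS SMC message (steps 609 to 614 of FIG. 6).
Added example, not code from the patent or any 3GPP implementation: the key
derivation is a labelled HMAC-SHA256 placeholder for the TS 33.501 KDF, and the
message fields, outcome names and sample keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

Algs = Tuple[str, str]  # (integrity algorithm, ciphering algorithm)

def kdf(key: bytes, label: str) -> bytes:
    return hmac.new(key, label.encode(), hashlib.sha256).digest()

def derive_kamf(kausf: bytes) -> bytes:
    """Kausf -> Kseaf -> Kamf, the chain the text walks through in step 610."""
    return kdf(kdf(kausf, "Kseaf"), "Kamf")

def derive_nas_keys(kamf: bytes, algs: Algs) -> Tuple[bytes, bytes]:
    """Kamf plus the selected algorithms -> (KNASint, KNASenc)."""
    return kdf(kamf, "NAS-int/" + algs[0]), kdf(kamf, "NAS-enc/" + algs[1])

@dataclass
class NasContext:
    ngksi: int
    algs: Algs
    kamf: bytes
    k_int: bytes
    k_enc: bytes
    nas_count: int = 0

@dataclass
class NasSmc:
    ngksi: int                  # key identifier carried in the NAS SMC
    algs: Algs                  # selected security algorithms
    ue_caps: FrozenSet[str]     # replayed UE security capabilities
    kamf_change: bool = False   # second indication information (new Kamf needed)
    keep_context: bool = False  # third indication information (no NAS/AS update)
    mac: bytes = b""

    def _payload(self) -> bytes:
        return repr((self.ngksi, self.algs, sorted(self.ue_caps),
                     self.kamf_change, self.keep_context)).encode()

    def protect(self, k_int: bytes) -> "NasSmc":  # AMF side: KNASint of the chosen context
        self.mac = hmac.new(k_int, self._payload(), hashlib.sha256).digest()
        return self

    def mac_ok(self, k_int: bytes) -> bool:
        expected = hmac.new(k_int, self._payload(), hashlib.sha256).digest()
        return hmac.compare_digest(self.mac, expected)

@dataclass
class Ue:
    kausf: Dict[int, bytes]  # ngKSI -> Kausf stored after each primary authentication
    ctx: NasContext          # currently active 5G NAS security context
    caps: FrozenSet[str]     # security capabilities the UE sent in Registration Request

    def handle_nas_smc(self, smc: NasSmc) -> str:
        if smc.ue_caps != self.caps:  # replayed capabilities must match what the UE sent
            return "REJECT_CAPABILITY_MISMATCH"
        if smc.keep_context:  # third indication: the NAS/AS context stays as it is
            if not smc.mac_ok(self.ctx.k_int):
                return "REJECT_MAC"
            if smc.kamf_change:  # at most Kamf#2 is derived from Kamf#1 (horizontal)
                self.ctx.kamf = kdf(self.ctx.kamf, "horizontal-Kamf")
                return "KEEP_FIRST_CONTEXT_NEW_KAMF"
            return "KEEP_FIRST_CONTEXT"
        if smc.ngksi == self.ctx.ngksi:
            if smc.algs == self.ctx.algs:  # same key and algorithms: NAS COUNT not reset
                return "CONTINUE_FIRST_CONTEXT" if smc.mac_ok(self.ctx.k_int) else "REJECT_MAC"
            # Same key identifier, new algorithms: third context from Kamf#1, NAS COUNT reset
            k_int, k_enc = derive_nas_keys(self.ctx.kamf, smc.algs)
            if not smc.mac_ok(k_int):
                return "REJECT_MAC"
            self.ctx = NasContext(smc.ngksi, smc.algs, self.ctx.kamf, k_int, k_enc)
            return "ACTIVATE_THIRD_CONTEXT"
        kausf = self.kausf.get(smc.ngksi)  # new key identifier: second context from its Kausf
        if kausf is None:
            return "REJECT_UNKNOWN_NGKSI"
        kamf = derive_kamf(kausf)
        k_int, k_enc = derive_nas_keys(kamf, smc.algs)
        if not smc.mac_ok(k_int):
            return "REJECT_MAC"
        self.ctx = NasContext(smc.ngksi, smc.algs, kamf, k_int, k_enc)
        return "ACTIVATE_SECOND_CONTEXT"

CAPS = frozenset({"NIA1", "NIA2", "NEA1", "NEA2"})  # constructed sample capabilities

def ue_after_first_auth(nas_count: int = 7) -> Ue:
    """Constructed UE state: context #1 active, Kausf#2 stored by a second primary auth."""
    kausf = {1: b"\x01" * 32, 2: b"\x02" * 32}
    kamf1 = derive_kamf(kausf[1])
    k_int, k_enc = derive_nas_keys(kamf1, ("NIA2", "NEA2"))
    return Ue(kausf, NasContext(1, ("NIA2", "NEA2"), kamf1, k_int, k_enc, nas_count), CAPS)
```

`ue_after_first_auth()` followed by `handle_nas_smc` on a `NasSmc` protected with the AMF-side key reproduces each scheme; only the "same key and algorithms" case leaves `nas_count` untouched.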
  • FIG. 7 is a schematic diagram of an application scenario proposed by an embodiment of the present application, including:
  • the UE sends a registration request message to the AMF.
  • the AMF sends the first key identifier to the UE.
  • the UE interacts with the AMF to complete the first primary authentication process.
  • Steps 701-704 are the same as the aforementioned steps 601-604, and are not repeated here.
  • the AUSF stores Kausf#1, and generates Kakma#1 according to the Kausf#1.
  • the AUSF that stores Kausf#1 in step 705 is AUSF#1.
  • After the NAS SMC process #1 ends, the UE generates Kakma#1 according to Kausf#1.
  • After the UE generates Kakma#1, the UE sends an A-KID to the AF, and the A-KID corresponds to Kakma#1, so the A-KID is called A-KID#1.
  • the A-KID#1 is used to generate a corresponding Kaf, which is called Kaf#1.
  • the AF sends a first key request message to AAnF, where the first key request message carries A-KID#1.
  • the AF determines that Kaf#1 is about to expire, the AF sends a first key request message to the AAnF, where the first key request message carries A-KID#1.
  • when the AF has the identification information of the UE, the AF carries the identification information of the UE in the first key request message.
  • the identification information of the UE may be GPSI; when the AF is an AF within the operator, the identification information of the UE may be SUPI.
  • the A-KID#1 is obtained when the UE accesses the AF for the first time, and the AF stores the A-KID#1.
  • the AAnF determines whether A-KID#1 exists according to the first key request message.
  • the AAnF determines whether A-KID#1 exists according to the first key request message. When the first key request message carries A-KID#1, the AAnF checks whether the same A-KID as the A-KID#1 exists locally.
  • the AAnF further determines whether Kakma#2 exists, and Kakma#2 is the updated Kakma.
  • Kakma#1 is relative to the key generated by the first intermediate key (Kausf#1), so Kakma#2 is the updated Kakma, which is generated by the second intermediate key (Kausf#2).
  • If A-KID#1 exists, go to step 710.
  • the AAnF determines whether there is Kakma#2 by using the identification information of the UE carried in the first key request message. If so, go to step 717 (steps 710-716b are not executed). If not, a failure message code is returned in the response message (in step 717, steps 710-716b are not performed), indicating that Kakma could not be found.
  • the first key request message may be a "Naanf_AKMA_ApplicationKey_Get request" message.
  • the AAnF sends a second key request message to the AUSF, where the second key request message carries the permanent identification information of the UE.
  • the second key request message carries the first indication information.
  • the first indication information is associated with the second network element, and the first indication information instructs the terminal device to update the communication key between the terminal device and the second network element.
  • the second network element includes any of the following but not limited to NEF, AAnF, ECS, EES or AF.
  • the first indication information may be identification information of the AF.
  • Before the AAnF sends the second key request message, the AAnF selects the AUSF.
  • the AAnF can determine the AUSF that serves the UE in various ways, which are explained below:
  • the AAnF determines the AUSF that serves the UE from the UDM according to the permanent identification information (SUPI) of the UE corresponding to the A-KID#1.
  • This AUSF is called AUSF#1.
  • the UDM determines an AUSF according to the identification information of the UE, and Kausf#1 is stored in the AUSF. Since the AUSF receives the indication information sent by the UDM that the UE supports the AKMA service (that is, the foregoing steps 302-303 have been performed between AUSF#1 and the UDM), the AUSF confirms that the UE supports the AKMA service.
  • the AKMA service indication information may be "AKMA Indication (AKMA Ind)" or "AKMA ID", which is not limited.
  • the AAnF requests the NRF to acquire an AUSF according to the RID in A-KID#1, and the AUSF can provide services for the UE.
  • the AUSF may be AUSF#1, or may be another AUSF (eg, AUSF#2). If the AUSF is AUSF#2, since the AUSF#2 has not received the indication information that the UE supports the AKMA service, the AUSF#2 cannot confirm whether the UE supports the AKMA service.
  • the foregoing steps 302-303 need to be passed between AUSF#2 and the UDM, so that AUSF#2 obtains the AKMA service indication information of the UE.
  • the second key request message is used to instruct the AMF to determine not to activate the second security context.
  • the second key request message carries indication information, where the indication information is used to instruct the AMF to determine not to activate the second security context.
  • the second key request message carries the identification information of the AF, where the identification information of the AF is used to indicate that the AMF does not activate the second security context.
  • the identification information of the UE may be SUPI or SUCI, and the identification information of the AF may be AF_ID.
  • the identification information of the UE is used to notify the AUSF to determine the data related to the UE (for example, Kausf#1 and the AKMA service indication information of the UE).
  • the identification information of the AF is also used to inform the AUSF of which AF's key needs to be updated.
  • the second key request message may not include the first indication information, and the first indication information may be sent to the UE in other ways, which is not limited here.
  • the AAnF may directly send a third authentication request message to the AMF, where the third authentication request message carries the permanent identification information of the UE, and optionally carries the AF ID. Before the AAnF sends this message, the AAnF needs to determine the AMF that can serve the UE. The AAnF determines the AMF serving the UE from the UDM according to the UE's permanent identity information. When the AAnF sends the third authentication request message directly to the AMF, steps 711 and 712 are not executed.
  • the AUSF determines an AMF serving the UE.
  • the AUSF determines the AMF serving the UE from the UDM according to the UE's permanent identity information.
  • Before the AUSF determines the AMF serving the UE, the AUSF first determines that the UE supports the AKMA service.
  • the AAnF may determine that the UE supports the AKMA service in various ways. The following methods are explained in turn:
  • For the first method of selecting the AUSF in step 710, after AUSF#1 is determined: since the AUSF receives the indication information sent by the UDM that the UE supports the AKMA service (that is, the foregoing steps 302-303 have been performed between AUSF#1 and the UDM), the AUSF confirms that the UE supports the AKMA service.
  • the AKMA service indication information may be "AKMA Indication (AKMA Ind)" or "AKMA ID", which is not limited.
  • For the second method of selecting the AUSF in step 710, after the AUSF is determined: if the AUSF is not AUSF#1, then since AUSF#2 has not received the indication information that the UE supports the AKMA service, AUSF#2 cannot confirm whether the UE supports the AKMA service. AUSF#2 therefore needs to ask the UDM whether the UE supports the AKMA service. This process may be that AUSF#2 sends a request message to the UDM, where the request message is used to ask the UDM whether the UE supports AKMA, and the message carries the permanent identifier SUPI of the user. The UDM can directly reply with a response message indicating support or non-support, or carry AKMA indication information in the response message.
  • AUSF#2 determines whether the UE supports the AKMA service according to the response message or the indication information in the response message. For example, if the response message is a success message or carries AKMA indication information, it is determined that the UE supports the AKMA service. In another possible implementation manner, the foregoing steps 302-303 need to be performed between AUSF#2 and the UDM, so that AUSF#2 obtains the AKMA service indication information of the UE. This process may occur in the second primary authentication process, or may occur before step 712. If it occurs before step 712, the AUSF needs to determine that the UE supports the AKMA service and only then proceed to step 712, that is, request to trigger the primary authentication process. If this process occurs in the second primary authentication process, after receiving the authentication response message the AUSF should first check whether the message carries AKMA indication information; if so, it continues the process, and if not, it terminates the process.
  • the purpose of determining whether the UE supports AKMA is to prevent an AAnF from arbitrarily carrying a SUPI to initiate a key update process. Because the primary authentication process affects the current service of the UE, certain deterministic checks are required.
  • After the AUSF determines the AMF serving the UE, the AUSF replies to the AAnF with a response message corresponding to the second key request message.
  • the AUSF sends a third authentication request message to the AMF, and after receiving the third authentication request message, the AMF sends a response message to the AUSF.
  • the third authentication request message instructs the AMF to determine whether to activate the second security context. Specifically, the third authentication request message is used to request the AMF to trigger the main authentication process.
  • the third authentication request message carries the permanent identity information of the UE.
  • the third authentication request message carries indication information, where the indication information is used to indicate a reason value that needs to trigger the main authentication process.
  • the AMF may determine, according to the third authentication request message or the indication information carried in the third authentication request message, that the primary authentication process is to update the AKMA-related key, and the AMF determines not to activate the second security context.
  • the third authentication request message may be "initial primary authentication Request".
  • the AMF determines whether the second security context needs to be activated according to the indication information. If the AMF determines that the NAS COUNT is about to be rolled over, that is, the rollover of the NAS COUNT requires the activation of the second security context, the AMF determines that the second security context is to be activated.
  • the final purpose of the third authentication request message is to request to update Kakma, that is, to request to obtain Kakma#2.
  • the indication information carried in the third authentication request message is the identification information of the AF, and the AMF may determine not to activate the second security context according to the indication of the identification information of the AF. That is, the indication information is used for the AMF to judge that the second security context is not activated.
  • the AUSF obtains the authentication vector from the UDM, and the specific manner is the same as the foregoing steps 302-303, which will not be repeated here.
  • the AUSF may also instruct the AMF to determine whether to activate the second security context through other messages, which is not limited here.
  • the third authentication request message is just an example.
  • After receiving the third authentication request message, the AMF triggers the second primary authentication process.
  • the AMF receives the third authentication request message sent by the AUSF.
  • the AMF may also receive a third authentication request message sent by the first network element, where the third authentication request message carries the permanent identification information of the terminal device, and the third authentication request message is used to trigger the second authentication between the UE and the network.
  • the first network element includes any one of but not limited to: AUSF, NEF, AAnF, ECS, EES or AF.
  • the AMF sends the second key identifier to the UE.
  • Step 715 is a part of step 713. Specifically, the AMF determines to initiate the primary authentication process, the AMF requests the AUSF to authenticate the UE, the AUSF requests the authentication vector from the UDM, the UDM sends the authentication vector to the AUSF, and the AUSF processes the authentication vector and sends it to the AMF. After receiving the processed authentication vector, the AMF generates a second key identifier and sends it to the UE together with the processed authentication vector.
  • the AMF sends the second key identifier to the UE through an "Authentication Request" message.
  • the second key identifier may be ngKSI#2.
  • the UE interacts with the AMF to complete the second primary authentication process (the AUSF obtains the second key identifier).
  • the UE, AMF and AUSF continue to complete the second primary authentication process.
  • step 716a and step 720 are executed respectively. It should be noted that the execution order of step 716a and step 720 is not limited here.
  • the AUSF stores the intermediate key corresponding to the second key identifier, and the second intermediate key is Kausf#2.
  • the AUSF generates Kakma#2 and A-KID#2 based on the second intermediate key.
  • the AUSF sends the UE's Permanent Identity Information (SUPI), A-KID#2 and Kakma#2 to the AAnF.
  • AAnF uses Kakma#2 to generate Kaf#2.
  • the AAnF sends a first key request response message to the AF, where the first key request response message carries A-KID#2, Kaf#2, and the expiration time of Kaf#2.
  • the first key request response message may be a "Naanf_AKMA_ApplicationKey_Get response" message.
  • the first key request response message carries A-KID#2, Kaf#2 and the expiration time of Kaf#2.
  • AF stores A-KID#2 and Kaf#2.
  • the AMF determines whether to activate the second security context.
  • This determination by the AMF may be made in step 712, or at any time between steps 712 and 721, for example in step 720.
  • Step 720 can be understood as an action immediately before step 721 is sent. For details, please refer to the description in step 712.
  • the AMF determines not to activate the second security context after a comprehensive judgment based on the third authentication request message from the AUSF.
  • the AMF sends the first key identifier to the UE.
  • the AMF sends the first key identifier to the UE through a NAS SMC message ("NAS Security Mode Command" message). That is, the NAS SMC message carries the first key identifier (eg, ngKSI#1).
  • the AMF may also send indication information for updating Kakma to the UE, where the indication information for updating Kakma is used to instruct the UE to generate Kakma#2 and A-KID#2.
  • the indication information for updating the Kakma may be the identification information (AF_ID) of the AF, or may be a dedicated indication.
  • the identification information of the AF can also be used to instruct the UE to generate a new Kaf, that is, Kaf#2 (the UE generates Kaf#2 according to the AF_ID).
  • the UE stores the Kausf#2 corresponding to the second key identifier.
  • the NAS SMP message is a "NAS Security Mode Complete" message.
  • the NAS SMP message uses the integrity protection key and encryption key corresponding to the second key identifier (ngKSI#2) to perform confidentiality protection and integrity protection.
  • the UE generates Kakma#2 and Kaf#2 based on Kausf#2, and updates the key corresponding to the identification information of the AF to Kaf#2.
  • the UE generates Kakma#2 and Kaf#2 according to the indication information for updating the Kakma.
  • the UE sends a first activation request message to the AF, where the first activation request message carries A-KID#2, and the first activation request message instructs the AF to activate Kaf#2.
  • After the UE generates a new Kaf (ie, Kaf#2), the UE initiates the activation process of Kaf#2. Specifically, the UE sends a first activation request message to the AF, where the first activation request message carries A-KID#2, and the first activation request message instructs the AF to activate Kaf#2.
  • the UE determines to which AF the first activation request message is sent according to the AF ID carried in the NAS SMC, that is, it initiates the Kaf update process towards that AF.
  • the first activation request message carries A-KID#2.
  • the time interval between step 724 and step 723 may be as small as possible to ensure the normal operation of the AF.
  • the first activation request message may be an "application session reestablishment request" message.
  • the AF sends a first activation response message to the UE.
  • the AF determines whether the Kaf#2 corresponding to the A-KID#2 has been stored locally according to the A-KID#2, and if so, activates the Kaf#2.
  • the activation operation is as follows: create a new security function and load the updated key into it for use. The AF then removes or stops the previously used security function (the one holding Kaf#1).
  • After the activation succeeds, the AF sends a first activation response message to the UE.
  • the first activation response message may be an "application session reestablishment response" message.
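The AMF's decision in steps 712 and 720-722 (activate the second security context only for a NAS COUNT rollover or a NAS/AS key update, otherwise keep the first context and put ngKSI#1 into the NAS SMC) and the UE's matching check on the key identifier are easy to get wrong in implementation, so here is a small model of both sides. This is an added example, not code from the patent or from Huawei; the trigger names, the rollover margin of 256 and the algorithm strings are assumptions made for the model.

```python
"""Model of the AMF activation decision (FIG. 7 steps 712 and 720-722) and the
UE-side key-identifier check (FIG. 11). Constructed example, not the patent's code."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional

NAS_COUNT_MAX = (1 << 24) - 1   # 5G NAS COUNT is 24 bits wide
ROLLOVER_MARGIN = 1 << 8        # assumption: "about to roll over" = within 256 of the maximum


class Trigger(Enum):
    AMF_INITIATED = auto()          # ordinary network-initiated re-authentication
    NAS_OR_AS_KEY_UPDATE = auto()   # AMF wants fresh NAS and/or AS keys
    FIRST_NETWORK_ELEMENT = auto()  # requested by AUSF/NEF/AAnF/ECS/EES/AF (AKMA key update)
    AUTHENTICATE_ONLY = auto()      # only the UE needs to be (re)authenticated
    UE_TRIGGERED = auto()


@dataclass
class SecurityContext:
    ngksi: int            # key identifier, e.g. ngKSI#1
    algorithm: str        # selected NAS algorithm pair, e.g. "NEA2/NIA2" (assumed label)


@dataclass
class NasSmc:
    ngksi: int                          # ngKSI#1 when the second context stays inactive
    algorithm: str
    update_kakma_for_af: Optional[str]  # AF_ID carried as the "update Kakma" indication


def amf_should_activate(trigger: Trigger, nas_count: int, selected_alg: str,
                        current: SecurityContext) -> bool:
    """True when the AMF activates the second security context (step 720)."""
    # A pending NAS COUNT rollover or an explicit NAS/AS key update wins over any
    # other reason for the re-authentication (step 712).
    if nas_count >= NAS_COUNT_MAX - ROLLOVER_MARGIN:
        return True
    if trigger is Trigger.NAS_OR_AS_KEY_UPDATE:
        return True
    # Reasons for which the AMF keeps the first context: the re-authentication was
    # requested by a first network element (AKMA key update), only authenticates
    # the UE, or was triggered by the UE itself.
    if trigger in (Trigger.FIRST_NETWORK_ELEMENT, Trigger.AUTHENTICATE_ONLY,
                   Trigger.UE_TRIGGERED):
        return False
    # Same algorithm as the first context: nothing is gained by switching.
    if selected_alg == current.algorithm:
        return False
    return True


def amf_build_nas_smc(trigger: Trigger, nas_count: int, selected_alg: str,
                      current: SecurityContext, second_ngksi: int,
                      af_id: Optional[str] = None) -> NasSmc:
    """Step 721: the NAS SMC carries ngKSI#1 when the second context is not activated."""
    if amf_should_activate(trigger, nas_count, selected_alg, current):
        return NasSmc(second_ngksi, selected_alg, af_id)
    return NasSmc(current.ngksi, current.algorithm, af_id)


@dataclass
class UeState:
    current: SecurityContext
    kausf2_in_cache: bool = True        # Kausf#2 kept after the second primary authentication
    kaf_update_pending_for: Optional[str] = None


def ue_handle_nas_smc(ue: UeState, smc: NasSmc) -> bool:
    """FIG. 11 logic. Returns True if the UE activated the second security context."""
    activated = smc.ngksi != ue.current.ngksi
    if activated:
        ue.current = SecurityContext(smc.ngksi, smc.algorithm)
    # Otherwise the key identifier equals the context in use: the UE keeps the NAS and
    # AS contexts of the first security context and only retains Kausf#2 for AKMA.
    if smc.update_kakma_for_af is not None:
        # The AF_ID tells the UE which Kaf to regenerate (Kakma#2 -> Kaf#2), step 722.
        ue.kaf_update_pending_for = smc.update_kakma_for_af
    return activated
```

Note the ordering in amf_should_activate: the rollover and key-update checks come first, so an AKMA-triggered re-authentication still activates the new context when the NAS COUNT is about to wrap, which is exactly the precedence the step 712 description gives.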
  • FIG. 8 is a schematic diagram of another application scenario proposed by the embodiment of the present application.
  • the AF itself activates Kaf#2, and the local Kaf#2 of the UE is instructed to activate by the AF.
  • the application scenarios include:
  • the UE sends a registration request message to the AMF.
  • the AMF sends the first key identifier to the UE.
  • the UE interacts with the AMF to complete the first primary authentication process.
  • the AF sends a first key request message to the AAnF, where the first key request message carries the A-KID#1.
  • the AAnF determines whether A-KID#1 exists according to the first key request message.
  • the AAnF sends a second key request message to the AUSF, where the second key request message carries the permanent identification information of the UE.
  • the AUSF determines the AMF that serves the UE.
  • the AUSF sends a third authentication request message to the AMF, and after receiving the third authentication request message, the AMF sends a response message to the AUSF.
  • the AMF sends the second key identifier to the UE.
  • the UE and the AMF interact to complete the second primary authentication process (the AUSF obtains the second key identifier).
  • AAnF uses Kakma#2 to generate Kaf#2.
  • the AAnF sends a first key request response message to the AF, where the first key request response message carries A-KID#2, Kaf#2, and the expiration time of Kaf#2.
  • the AMF determines whether to activate the second security context.
  • the NAS SMC process #2 carries the first key identifier.
  • the UE stores the Kausf#2 corresponding to the second key identifier.
  • Steps 801-822 are the same as the aforementioned steps 701-722, and are not repeated here.
  • the AF sends a second activation request message to the UE, where the second activation request message carries A-KID#2, and the second activation request message instructs the UE to generate a new Kaf.
  • If the UE has not yet generated A-KID#2, the UE generates Kakma#2 and A-KID#2 based on Kausf#2. If the UE has already generated A-KID#2, the UE compares whether the locally generated A-KID#2 is the same as the A-KID#2 from the AF; if it is the same, the key corresponding to the identification information of the AF is updated to Kaf#2.
  • the AF sends a second activation response message to the UE.
  • After the AF activates Kaf#2 successfully, the AF sends a second activation response message to the UE.
  • the activation operation is as follows: create a new security function and load the updated key into it for use. The AF then removes or stops the previously used security function (the one holding Kaf#1).
  • An embodiment of the present application further proposes an application scenario; please refer to FIG. 9.
  • FIG. 9 is a schematic diagram of another application scenario proposed by an embodiment of the present application.
  • the AMF does not initiate the NAS SMC process, so that the UE does not store the new intermediate key for a long time.
  • the application scenarios include:
  • the UE sends a registration request message to the AMF.
  • the AMF sends the first key identifier to the UE.
  • the UE interacts with the AMF to complete the first primary authentication process.
  • the AF sends a first key request message to AAnF, where the first key request message carries A-KID#1.
  • the AAnF determines whether A-KID#1 exists according to the first key request message.
  • the AAnF sends a second key request message to the AUSF, where the second key request message carries the permanent identification information of the UE.
  • the AUSF determines the AMF that serves the UE.
  • the AUSF sends a third authentication request message to the AMF, and after receiving the third authentication request message, the AMF sends a response message to the AUSF.
  • the AMF sends the second key identifier to the UE.
  • the UE interacts with the AMF to complete the second primary authentication process (the AUSF obtains the second key identifier).
  • AAnF uses Kakma#2 to generate Kaf#2.
  • the AAnF sends a first key request response message to the AF, where the first key request response message carries A-KID#2, Kaf#2, and the expiration time of Kaf#2.
  • Steps 901-919 are the same as the aforementioned steps 701-719, and are not repeated here.
  • the AMF determines not to initiate the NAS SMC process.
  • AMF determines not to initiate the NAS SMC process to ensure that the existing key structure is not affected and the complexity of key update is reduced.
  • Since the AMF does not initiate the NAS SMC process, the AMF does not send the NAS SMC message to the UE. Therefore, the UE only caches Kausf#2. Specifically, Kausf#2 is stored in the cache area of the UE, and Kausf#2 is not stored in the long-term storage area of the UE.
  • the AF sends a second activation request message to the UE, where the second activation request message carries A-KID#2, and the second activation request message instructs the AF to generate a new Kaf.
  • After the AF receives the new Kaf (ie, Kaf#2), the AF initiates the activation process of Kaf#2. Specifically, the AF sends a second activation request message to the UE, where the second activation request message carries A-KID#2, and the activation request message instructs the UE to generate Kaf#2.
  • the time interval between step 922 and step 919 may be as small as possible to ensure the normal operation of the AF.
  • the second activation request message may be an "application session reestablishment request" message.
  • the UE generates Kakma#2 and A-KID#2 based on Kausf#2. If the A-KID#2 locally generated by the UE is the same as the A-KID#2 from the AF, the key corresponding to the identification information of the AF is updated to Kaf#2.
  • the AF sends a second activation response message to the UE.
  • After the AF activates Kaf#2 successfully, the AF sends a second activation response message to the UE.
  • the activation operation is as follows: create a new security function and load the updated key into it for use. The AF then removes or stops the previously used security function (the one holding Kaf#1).
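Steps 716b-719 and the activation steps of FIGs. 7-9 all hinge on the same key hierarchy (Kausf → Kakma and A-TID → Kaf) and on the AF and the UE only switching to Kaf#2 when they agree on A-KID#2. The following walk-through is an added example, not code from the patent or from Huawei: the FC values 0x80/0x81/0x82 and the FC || P0 || L0 || P1 || L1 parameter layout are taken from 3GPP TS 33.220 Annex B and TS 33.535 Annex A as this example's author understands them (the page does not state them), the A-TID truncation and the "RID + A-TID @ realm" layout of the A-KID are simplified, and the SUPI, RID, realm, AF_ID and both Kausf values are constructed sample data.

```python
"""AKMA key hierarchy walk-through for the Kaf update (steps 716b-719, 723-726 and
the A-KID comparison in FIGs. 8/9). Constructed example, not the patent's code."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# FC values and parameter layout as this example's author understands TS 33.220
# Annex B / TS 33.535 Annex A; they are not stated on the page.
FC_KAKMA, FC_ATID, FC_KAF = 0x80, 0x81, 0x82


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kakma(kausf: bytes, supi: str) -> bytes:
    return kdf(kausf, FC_KAKMA, b"AKMA", supi.encode())


def derive_akid(kausf: bytes, supi: str, rid: str, realm: str) -> str:
    # A-TID derived from Kausf; the 16-byte truncation and the "username@realm"
    # layout are simplifications for this example.
    atid = kdf(kausf, FC_ATID, b"A-TID", supi.encode())[:16]
    return f"{rid}{atid.hex()}@{realm}"


def derive_kaf(kakma: bytes, af_id: str) -> bytes:
    return kdf(kakma, FC_KAF, af_id.encode())


@dataclass
class Af:
    af_id: str
    stored: Dict[str, bytes] = field(default_factory=dict)  # A-KID -> Kaf from the AAnF
    active_akid: Optional[str] = None

    def receive_from_aanf(self, akid: str, kaf: bytes) -> None:
        """Step 719: store A-KID#2 and Kaf#2 as delivered by the AAnF."""
        self.stored[akid] = kaf

    def activate(self, akid: str) -> bool:
        """Step 725: activate only a Kaf the AAnF already delivered for this A-KID."""
        if akid not in self.stored:
            return False
        self.active_akid = akid   # new security function takes over; Kaf#1 is retired
        return True


def ue_on_activation_request(kausf2: bytes, supi: str, rid: str, realm: str,
                             af_id: str, akid_from_af: str) -> Optional[bytes]:
    """FIG. 8/9: the UE derives A-KID#2 locally and switches to Kaf#2 only on a match."""
    akid2 = derive_akid(kausf2, supi, rid, realm)
    if akid2 != akid_from_af:
        return None
    return derive_kaf(derive_kakma(kausf2, supi), af_id)


def run_key_update() -> dict:
    """Walk the full update with constructed Kausf#1/Kausf#2 and return the observables."""
    supi, rid = "imsi-001010123456789", "0001"           # constructed sample values
    realm, af_id = "5gc.mnc001.mcc001.3gppnetwork.org", "af.example.org"
    kausf1 = hashlib.sha256(b"constructed Kausf#1").digest()  # first primary authentication
    kausf2 = hashlib.sha256(b"constructed Kausf#2").digest()  # second primary authentication

    af = Af(af_id)
    akid1 = derive_akid(kausf1, supi, rid, realm)
    kaf1 = derive_kaf(derive_kakma(kausf1, supi), af_id)
    af.receive_from_aanf(akid1, kaf1)
    af.activate(akid1)

    # AUSF/AAnF side after the re-authentication (steps 716b-719).
    akid2 = derive_akid(kausf2, supi, rid, realm)
    kaf2_network = derive_kaf(derive_kakma(kausf2, supi), af_id)
    af.receive_from_aanf(akid2, kaf2_network)

    # UE side (steps 723-726 / FIG. 8 step 823); the second call models a UE that
    # still derives from Kausf#1 and therefore must not switch keys.
    kaf2_ue = ue_on_activation_request(kausf2, supi, rid, realm, af_id, akid2)
    stale = ue_on_activation_request(kausf1, supi, rid, realm, af_id, akid2)
    return {"akid1": akid1, "akid2": akid2, "kaf1": kaf1,
            "kaf2_network": kaf2_network, "kaf2_ue": kaf2_ue, "stale_ue_result": stale,
            "af_activated": af.activate(akid2), "af_active_akid": af.active_akid,
            "unknown_akid_activation": af.activate("0001deadbeef@" + realm)}
```

The two negative paths are the ones worth checking in a real implementation: an AF must refuse to activate an A-KID it never received from the AAnF (step 725), and a UE whose Kausf did not change must not replace Kaf#1 just because an activation request arrived.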
  • the communication apparatus includes corresponding hardware structures and/or software modules for executing each function.
  • the present application can be implemented in hardware or in the form of a combination of hardware and computer software. Whether a function is performed by hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.
  • the communication device may be divided into functional modules according to the foregoing method examples.
  • each functional module may be divided corresponding to each function, or two or more functions may be integrated into one transceiver module.
  • the above-mentioned integrated modules can be implemented in the form of hardware, and can also be implemented in the form of software function modules. It should be noted that, the division of modules in the embodiments of the present application is schematic, and is only a logical function division, and there may be other division manners in actual implementation.
  • FIG. 10 is a schematic diagram of an embodiment of the communication device in the embodiment of the present application.
  • the communication apparatus can be deployed in a network device or a chip or a chip system, and the communication apparatus 1000 includes:
  • a processing module 1001 configured to generate a second security context, where the second security context is inconsistent with the first security context, and the first security context is the security context currently used by the access and mobility management function;
  • the processing module 1001 is further configured to determine whether to activate the second security context.
  • the transceiver module 1002 is configured to send a second authentication request message including a second key identifier to the terminal device, where the second authentication request message is used to trigger a second authentication between the terminal device and the network;
  • the processing module 1001 is further configured to, after the second authentication succeeds, determine whether to activate the second security context generated in the second authentication process;
  • the transceiver module 1002 is further configured to send a second non-access stratum security mode command NAS SMC message to the terminal device without activating the second security context, where the second NAS SMC message includes a first key identifier; wherein the first key identifier is the key identifier of the first security context currently used by the access and mobility management function.
  • the transceiver module 1002 is further configured to send a first authentication request message including the first key identifier to the terminal device, where the first authentication request message is used to trigger the first authentication between the terminal device and the network;
  • the transceiver module 1002 is further configured to, after the first authentication succeeds, send a first NAS SMC message to the terminal device to activate the first security context generated in the first authentication process,
  • the first NAS SMC message includes the first key identifier.
  • the transceiver module 1002 is further configured to receive a registration request message from the terminal device.
  • the processing module 1001 is further configured to determine not to activate the second security context when it is determined not to update the non-access stratum NAS key and/or the access stratum AS key,
  • the processing module 1001 is further configured to determine to activate the second security context when it is determined that the non-access stratum NAS counter rolls over,
  • the processing module 1001 is further configured to determine to activate the second security context when it is determined to update the non-access stratum NAS key context and/or the access stratum AS key context of the terminal device;
  • the processing module 1001 is further configured to not activate the second security context when it is determined that the second authentication is triggered by a first network element, and the first network element includes any one of the following: an authentication management function AUSF, a network opening function NEF, an authentication and key management anchor function AAnF, an edge configuration server ECS, an edge enabling server EES, a mobile edge computing MEC or an application function AF;
  • the processing module 1001 is further configured to not activate the second security context when it is determined that the second authentication only needs to authenticate the terminal device;
  • the processing module 1001 is further configured to not activate the second security context when it is determined that the second authentication is triggered by the terminal device.
  • the transceiver module 1002 is further configured to send the second key identifier to the terminal device after it is determined that the second security context is activated.
  • the transceiver module 1002 is further configured to, after determining to activate the second security context, send first indication information to the terminal device, where the first indication information is associated with a second network element, and the first indication information instructs the terminal device to update the communication key between the terminal device and the second network element;
  • the second network element includes any one of the following: an authentication management function AUSF, a network opening function NEF, an authentication and key management anchor function AAnF, an edge configuration server ECS, an edge enabling server EES, a mobile edge computing MEC or an application function AF.
  • the transceiver module 1002 is further configured to activate, by the access and mobility management function, a non-access stratum NAS key of a second intermediate key after determining to activate the second security context, the second security context corresponding to the second intermediate key;
  • the access and mobility management function does not activate the access stratum AS key of the second intermediate key.
  • the transceiver module 1002 is further configured to receive a third authentication request message sent by the first network element, where the third authentication request message carries the permanent identification information of the terminal device, and the third authentication request message is used to trigger the second authentication between the terminal device and the network;
  • the first network element includes any one of the following: AUSF, NEF, AAnF, ECS, EES or AF.
  • the processing module 1001 is further configured to select a security algorithm to perform integrity protection and confidentiality protection on the second NAS SMC message sent by the access and mobility management function to the terminal device;
  • the processing module 1001 is further configured to determine not to activate the second security context when the security algorithm selected by the access and mobility management function is the same as the security algorithm corresponding to the first security context;
  • the transceiver module 1002 is further configured to send the second NAS SMC message to the terminal device, where the second NAS SMC message includes the first key identifier.
  • the transceiver module 1002 is further configured to send a second non-access stratum security mode command NAS SMC message to the terminal device, where the second NAS SMC message includes second indication information, and the second indication information instructs the terminal device to generate Kamf#2 and activate the second security context corresponding to Kamf#2, where Kamf#2 is the updated Kamf.
  • the second NAS SMC message further includes third indication information, where the third indication information instructs the terminal device to continue to use the NAS security context in the first security context and the AS security context in the first security context.
  • the second security context includes one or more of the following: Kseaf#2, Kamf#2, Kaf#2, Kakma#2, KNASint#2, KNASenc#2, KgNB#2, KRRCint#2, KRRCenc#2 or KN3IWF#2.
  • FIG. 11 is a schematic diagram of an embodiment of a communication device according to an embodiment of the present application.
  • the communication apparatus can be deployed in a terminal device or a chip or a chip system, and the communication apparatus 1100 includes:
  • a transceiver module 1101 configured to receive a second non-access stratum security mode command NAS SMC message from the access and mobility management function AMF, where the second NAS SMC message carries the key identifier from the AMF;
  • the processing module 1102 is configured to determine not to activate the second security context when the key identifier is the same as the first key identifier of the first security context being used by the terminal device, where the second security context is inconsistent with the first security context.
  • the processing module 1102 is further configured to determine not to activate the NAS security context in the second security context and/or the AS security context in the second security context.
  • the processing module 1102 is further configured to verify whether the security algorithm corresponding to the key identifier from the AMF is the same as the security algorithm corresponding to the first security context, where the security algorithm corresponding to the key identifier from the AMF is the security algorithm selected by the access and mobility management function;
  • the processing module 1102 is further configured to determine not to update the first security context when the security algorithm corresponding to the key identifier from the AMF is the same as the security algorithm corresponding to the first security context.
  • the transceiver module 1101 is further configured to receive first indication information sent by the access and mobility management function, where the first indication information is associated with a second network element, and the first indication information instructs the terminal device to update the communication key between the terminal device and the second network element;
  • the second network element includes any one of the following: a network opening function NEF, an authentication and key management anchor function AAnF, an edge configuration server ECS, an edge enabling server EES, a mobile edge computing MEC or an application function AF.
  • the communication device in the foregoing embodiment may be a network device, or may be a chip applied in the network device, or other combined devices or components that can implement the functions of the foregoing network device.
  • the transceiver module may be a transceiver, the transceiver may include an antenna and a radio frequency circuit, etc., and the processing module may be a processor, such as a baseband chip.
  • the transceiver module may be a radio frequency unit, and the processing module may be a processor.
  • the transceiver module may be an input port of the chip system, the transceiver module may be an output interface of the chip system, and the processing module may be a processor of the chip system, such as a central processing unit (CPU).
  • CPU central processing unit
  • the communication device in the above-mentioned embodiment may be a terminal device, or a chip applied in the terminal device or other combined devices, components, etc. that can realize the functions of the above-mentioned terminal device.
  • the transceiver module may be a transceiver, the transceiver may include an antenna and a radio frequency circuit, and the like, and the processing module may be a processor, such as a baseband chip.
  • the transceiver module may be a radio frequency unit, and the processing module may be a processor.
  • the transceiver module may be an input port of the chip system, the transceiver module may be an output interface of the chip system, and the processing module may be a processor of the chip system, such as a central processing unit.
  • An embodiment of the present application further provides a processing apparatus, where the processing apparatus includes a processor and an interface; the processor is configured to execute the finite field encoding or decoding method according to any of the foregoing method embodiments.
  • the above-mentioned processing device may be a chip, and the processor may be implemented by hardware or software.
  • when implemented by hardware, the processor may be a logic circuit, an integrated circuit, etc.; when implemented by software, the processor may be a general-purpose processor that operates by reading software code stored in a memory, which may be integrated in the processor, or located outside the processor and exist independently.
  • the hardware processing circuit can be composed of discrete hardware components or an integrated circuit. In order to reduce power consumption and reduce size, it is usually implemented in the form of integrated circuits.
  • the hardware processing circuit may include an ASIC (application-specific integrated circuit) or a PLD (programmable logic device); the PLD may include an FPGA (field programmable gate array), a CPLD (complex programmable logic device), and so on.
  • These hardware processing circuits can be a single semiconductor chip packaged separately (such as packaged into an ASIC); they can also be integrated with other circuits (such as a CPU or DSP) and packaged into a semiconductor chip. For example, a variety of hardware circuits and a CPU can be formed on a silicon substrate and packaged into a single chip, which is also called an SoC; or circuits for implementing FPGA functions and a CPU can be formed on a silicon substrate and packaged into a single chip, also known as an SoPC (system on a programmable chip).
  • the present application also provides a communication system, which includes at least one or more of a sender, a receiver, and an intermediate node.
  • An embodiment of the present application further provides a computer-readable storage medium, including instructions, which, when executed on a computer, cause the computer to control a network device to execute any one of the implementations shown in the foregoing method embodiments.
  • An embodiment of the present application also provides a computer program product, the computer program product includes computer program code, and when the computer program code runs on a computer, the computer can execute any one of the implementations shown in the foregoing method embodiments.
  • An embodiment of the present application further provides a chip system, including a memory and a processor, where the memory is used to store a computer program, and the processor is used to call and run the computer program from the memory, so that the chip executes any one of the implementations shown in the foregoing method embodiments.
  • Embodiments of the present application further provide a chip system, including a processor, where the processor is configured to call and run a computer program, so that the chip executes any one of the implementations shown in the foregoing method embodiments.
  • the device embodiments described above are only schematic, wherein the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be a physical unit, which can be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • the connection relationship between the modules indicates that there is a communication connection between them, which may be specifically implemented as one or more communication buses or signal lines.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • the computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be downloaded from a website, computer, communication device, computing equipment or data center to another website site, computer, communication device, computing device, or data center by wire (eg, coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (eg, infrared, wireless, microwave, etc.) transmission.
  • the computer-readable storage medium can be any available medium that a computer can access, or a data storage device such as a communication device, a data center, or the like that integrates one or more available media.
  • the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVD), or semiconductor media (eg, Solid State Disk (SSD)), and the like.
  • the disclosed system, apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of units is only a logical function division.
  • there may be other division methods; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • Units described as separate components may or may not be physically separated, and components shown as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.
  • the integrated unit if implemented as a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium.
  • the technical solutions of the present application, in essence, or the part contributing to the prior art, or all or part of the technical solutions, can be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods in the various embodiments of the present application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

According to embodiments, the present application relates to a communication method and a related apparatus, the method comprising: generating, by an access and mobility management function, a second security context, the second security context being incompatible with a first security context, and the first security context being the security context currently used by the access and mobility management function; and determining, by the access and mobility management function, whether to activate the second security context. According to the embodiments of the present application, when a terminal device only needs to perform authentication, neither the terminal device side nor the network side needs to update to a new security context, which reduces the complexity of key updating and improves device performance.
PCT/CN2022/089520 2021-04-28 2022-04-27 Communication method and related apparatus WO2022228455A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110469602.1A CN115250469A (zh) 2021-04-28 2021-04-28 A communication method and related apparatus
CN202110469602.1 2021-04-28

Publications (1)

Publication Number Publication Date
WO2022228455A1 (fr) 2022-11-03

Family

ID=83697001

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/089520 WO2022228455A1 (fr) 2021-04-28 2022-04-27 Communication method and related apparatus

Country Status (2)

Country Link
CN (1) CN115250469A (fr)
WO (1) WO2022228455A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021027439A1 (fr) * 2019-08-14 2021-02-18 Mediatek Singapore Pte. Ltd. Apparatuses and methods for distributing non-access stratum (NAS) security algorithms between systems
CN112654046A (zh) * 2019-09-29 2021-04-13 华为技术有限公司 Method and apparatus for registration

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3 Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 17)", 3GPP STANDARD; TECHNICAL SPECIFICATION; 3GPP TS 33.501, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. V17.1.0, 6 April 2021 (2021-04-06), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , pages 1 - 256, XP052000595 *
INTEL: "Correction of handling of 5G security contexts during EPS to 5GS idle mode mobility", 3GPP DRAFT; S3-194076, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. Reno, USA; 20191118 - 20191122, 11 November 2019 (2019-11-11), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051824392 *
MEDIATEK INC., HUAWEI, HISILICON: "Correct NAS uplink COUNT for KgNB/KeNB derivation", 3GPP DRAFT; S3-210786, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. e-meeting; 20210118 - 20210129, 1 February 2021 (2021-02-01), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP052182087 *

Also Published As

Publication number Publication date
CN115250469A (zh) 2022-10-28

Similar Documents

Publication Publication Date Title
TWI724132B (zh) Method for wireless communication, apparatus for wireless communication, and computer program software for executing the method
US10798082B2 (en) Network authentication triggering method and related device
WO2019019736A1 (fr) Security implementation method, and related apparatus and system
WO2020248624A1 (fr) Communication method, network device, user equipment and access network device
CN109691154B (zh) On-demand network function re-authentication based on key refresh
WO2019134704A1 (fr) Key update method and apparatus
CN109788480B (zh) Communication method and apparatus
US10142840B2 (en) Method and apparatus for operating a user client wireless communication device on a wireless wide area network
KR102205625B1 (ko) Security of ciphering and integrity protection
US20210045050A1 (en) Communications method and apparatus
WO2020056433A2 (fr) Secure communication of a radio resource control (RRC) request over signalling radio bearer zero (SRB0)
TWI799064B (zh) Key identifier generation method and related apparatus
JP6651613B2 (ja) Wireless communication
WO2022134089A1 (fr) Security context generation method and apparatus, and computer-readable storage medium
WO2022228455A1 (fr) Communication method and related apparatus
CN114600487B (zh) Identity authentication method and communication apparatus
WO2020147602A1 (fr) Authentication method, apparatus and system
CN115942305A (zh) Session establishment method and related apparatus
WO2019213925A1 (fr) Key update method, device, and storage medium
WO2023213191A1 (fr) Security protection method and communication apparatus
US20240179519A1 (en) Communication method and related apparatus
CN113904781B (zh) Slice authentication method and system
US9043873B1 (en) Method and apparatus for rejecting untrusted network
WO2023217685A1 (fr) Method for assembling a communication network
CN116528234A (zh) Secure and trusted verification method and apparatus for a virtual machine

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22794925

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22794925

Country of ref document: EP

Kind code of ref document: A1