WO2022253083A1 - Isolation method, apparatus and system for public and private network services - Google Patents


Info

Publication number
WO2022253083A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
private network
key
control plane
network element
Application number
PCT/CN2022/095079
Other languages
French (fr)
Chinese (zh)
Inventor
朱浩仁
诸华林
徐艺珊
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2022253083A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Definitions

  • the present application relates to the technical field of communications, and in particular to a method, device and system for isolating public and private network services.
  • the private network and the public network share radio access network (RAN) nodes and the 5G core (5th-Generation Core, 5GC) control plane, and the private network has an independent user plane function (UPF) network element; or, the private network and the public network share RAN nodes, the 5GC control plane and the 5GC user plane, and the private network relies on the public network slice or closed access group (CAG) feature to be isolated from the public network.
  • the present application provides a method, device and system for isolating public and private network services, which are used to ensure the security of private network services.
  • the present application provides a method for isolating public and private network services.
  • the method includes: the control plane network element of the private network obtains the key of the private network, and the key of the private network is the root key of the private network or a key derived from the root key of the private network.
  • the root key of the private network is different from the root key of the public network.
  • the key of the private network is used for user plane security of the air interface.
  • the root key of the public network is used for the control plane security of the air interface; the control plane network element of the private network receives a first message from the terminal device, and the first message includes a session establishment request; the control plane network element of the private network determines that the session establishment request corresponds to the private network; the control plane network element of the private network establishes the user plane security of the air interface according to the key of the private network.
  • in this way, the user plane security key of the air interface is different from the control plane security key of the air interface, and the user plane security is established more independently, which can improve service security.
  • the method further includes: the control plane network element of the private network receives the non-access stratum NAS key of the public network from the mobility management network element of the public network; the control plane network element of the private network uses the NAS key of the public network to parse the first message to obtain the session establishment request.
  • the control plane network element of the private network receiving the non-access stratum NAS key of the public network from the mobility management network element of the public network includes: the control plane network element of the private network receives a second message from the mobility management network element of the public network, the second message includes second information and the NAS key of the public network, and the second information is used to indicate that the control plane network element of the private network is authorized to use the NAS key of the public network.
  • the first message includes first information, where the first information is used to indicate that the session establishment request corresponds to the private network, and the control plane network element of the private network determining that the session establishment request corresponds to the private network includes: the control plane network element of the private network determines, according to the first information, that the session establishment request corresponds to the private network.
  • the control plane network element of the private network receiving the first message from the terminal device includes: the control plane network element of the private network receives the first message from the terminal device through the first connection between the private network and the terminal device; the control plane network element of the private network determining that the session establishment request corresponds to the private network includes: the control plane network element of the private network determines, according to the first connection, that the session establishment request corresponds to the private network.
  • the method further includes: the control plane network element of the private network receives a first connection establishment request from the terminal device, and the first connection establishment request is used to request establishment of the first connection; the control plane network element of the private network establishes the first connection according to the first connection establishment request; the control plane network element of the private network receives a second connection establishment request from the terminal device, and the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device; the control plane network element of the private network sends the second connection establishment request to the mobility management network element of the public network.
  • the control plane network element of the private network establishing the user plane security of the air interface according to the key of the private network includes: the control plane network element of the private network generates a security parameter according to the key of the private network; the control plane network element of the private network sends the security parameter to the terminal device and/or the access network device, and the security parameter is used by the terminal device and/or the access network device to generate the user plane key of the air interface.
  • the control plane network element of the private network stores the key of the private network; or, the control plane network element of the private network obtaining the key of the private network includes: the control plane network element of the private network obtains the key of the private network from the authentication, authorization and accounting (AAA) server.
  • the embodiment of the present application provides another method for isolating public and private network services.
  • the method includes: the terminal device sends a first message to the control plane network element of the private network, and the first message includes a session establishment request corresponding to the private network; the terminal device establishes the user plane security of the air interface according to the key of the private network; wherein the root key of the private network is different from the root key of the public network, and the key of the private network is the root key of the private network.
  • in this way, the user plane security key of the air interface is different from the control plane security key of the air interface, and the user plane security is established more independently, which can improve service security.
  • the method further includes: the terminal device sends a first connection establishment request to the control plane network element of the private network, and the first connection establishment request is used to request establishment of a first connection between the private network and the terminal device, where the first connection is used to transmit the first message; wherein there is a second connection between the terminal device and the public network, and the second connection is used to transmit the signaling of the public network.
  • the method further includes: the terminal device sends a second connection establishment request to the mobility management network element of the public network, where the second connection establishment request is used to request establishment of the second connection between the public network and the terminal device; the terminal device generates the control plane key of the air interface according to the root key of the public network.
  • the method further includes: the terminal device receives a security parameter from the control plane network element of the private network; the terminal device establishing the user plane security of the air interface includes: the terminal device generates the user plane key of the air interface according to the security parameter and the key of the private network; the terminal device establishes the user plane security of the air interface according to the user plane key of the air interface.
  • the present application provides yet another method for isolating public and private network services.
  • the method includes: the access network device receives a third message from the terminal device, the third message includes a first connection establishment request, and the first connection establishment request is used to request establishment of the first connection between the private network and the terminal device; the access network device discovers the control plane network element of the private network according to the third message, and the control plane network element of the private network is used to establish the first connection; the access network device sends the first connection establishment request to the control plane network element of the private network.
  • in this way, the access network device can discover the control plane network element of the private network according to the third message and send the first connection establishment request, which requests establishment of a connection between the private network and the terminal device, to the control plane network element of the private network; the first connection establishment request triggers the establishment of a connection between the private network and the terminal device, which can realize the security isolation of public network and private network services and improve the security of private network services.
  • the method further includes: the access network device receives a fourth message from the terminal device, where the fourth message includes a second connection establishment request, and the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device; the access network device sends the second connection establishment request to the mobility management network element of the public network according to the fourth message.
  • the third message includes routing information of the control plane network element of the private network, and the routing information of the control plane network element of the private network is used to discover the control plane network element of the private network.
  • the embodiment of the present application provides a method for isolating public and private network services.
  • the method includes: the mobility management network element of the public network obtains a non-access stratum NAS key of the public network; the mobility management network element of the public network sends the NAS key of the public network to the control plane network element of the private network. In this way, the control plane network element of the private network can obtain the NAS key of the public network, so as to parse the received first message.
  • the mobility management network element of the public network sending the NAS key of the public network to the control plane network element of the private network includes: the mobility management network element of the public network sends a second message to the control plane network element of the private network, the second message includes second information and the NAS key of the public network, and the second information is used to indicate that the control plane network element of the private network is authorized to use the NAS key of the public network.
  • the present application provides a method for isolating public and private network services.
  • the method includes: the control plane network element of the private network obtains a key of the private network, and the key of the private network is the root key of the private network or a key derived from the root key of the private network.
  • the root key of the private network is different from the root key of the public network.
  • the key of the private network is used for user plane security of the air interface.
  • the root key of the public network is used for the control plane security of the air interface; the control plane network element of the private network establishes the user plane security of the air interface according to the key of the private network.
  • in this way, the user plane security key of the air interface is different from the control plane security key of the air interface, and the user plane security is established more independently, which can improve service security.
  • the method further includes: the control plane network element of the private network receives a first message from the terminal device, where the first message includes a session establishment request; the control plane network element of the private network determines that the session establishment request corresponds to the private network.
  • the method further includes: the control plane network element of the private network receives the non-access stratum NAS key of the public network from the mobility management network element of the public network; the control plane network element of the private network uses the NAS key of the public network to parse the first message to obtain the session establishment request.
  • the control plane network element of the private network receiving the NAS key of the public network includes: the control plane network element of the private network receives a second message from the mobility management network element of the public network, the second message includes second information and the NAS key of the public network, and the second information is used to indicate that the control plane network element of the private network is authorized to use the NAS key of the public network.
  • the method further includes: the control plane network element of the private network receives a first message from the terminal device through the first connection between the private network and the terminal device, where the first message includes a session establishment request.
  • the method further includes: the control plane network element of the private network determines, according to the first connection, that the session establishment request corresponds to the private network.
  • the method further includes: the control plane network element of the private network receives a first connection establishment request from the terminal device, and the first connection establishment request is used to request establishment of the first connection; the control plane network element of the private network establishes the first connection according to the first connection establishment request; the control plane network element of the private network receives a second connection establishment request from the terminal device, and the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device; the control plane network element of the private network sends the second connection establishment request to the mobility management network element of the public network.
  • the first message includes first information, where the first information is used to indicate that the session establishment request corresponds to the private network, and the control plane network element of the private network determining that the session establishment request corresponds to the private network includes: the control plane network element of the private network determines, according to the first information, that the session establishment request corresponds to the private network.
  • the control plane network element of the private network establishing the user plane security of the air interface according to the key of the private network includes: the control plane network element of the private network generates a security parameter according to the key of the private network; the control plane network element of the private network sends the security parameter to the terminal device and/or the access network device, and the security parameter is used by the terminal device and/or the access network device to generate the user plane key of the air interface.
  • the control plane network element of the private network stores the key of the private network; or, the control plane network element of the private network obtaining the key of the private network includes: the control plane network element of the private network obtains the key of the private network from the authentication, authorization and accounting (AAA) server.
  • the present application provides a control plane network element of a private network, and the control plane network element of a private network has a function of implementing the behavior in the method embodiment of the first aspect above.
  • This function may be implemented by hardware, or may be implemented by executing corresponding software on the hardware.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the control plane network element of the private network includes a processing unit and a transceiver unit, wherein: the processing unit is used to obtain the key of the private network, and the key of the private network is the root key of the private network or a key derived based on the root key of the private network. The root key of the private network is different from the root key of the public network.
  • the key of the private network is used for the security of the user plane of the air interface.
  • the root key of the public network is used for the control plane security of the air interface;
  • the transceiver unit is used to receive the first message from the terminal device, and the first message includes a session establishment request;
  • the processing unit is also used to determine that the session establishment request corresponds to the private network;
  • the processing unit is also used to establish the user plane security of the air interface according to the key of the private network.
  • the transceiver unit is further configured to: receive a non-access stratum NAS key of the public network from a mobility management network element of the public network; the first message is parsed with the NAS key of the public network to obtain the session establishment request.
  • the transceiver unit is specifically configured to: receive a second message from a mobility management network element of the public network, where the second message includes the second information and the NAS key of the public network, and the second information is used to indicate that the control plane network element of the private network is authorized to use the NAS key of the public network.
  • the first message includes first information, where the first information is used to indicate that the session establishment request corresponds to the private network, and the processing unit is specifically configured to: determine, according to the first information, that the session establishment request corresponds to the private network.
  • the transceiver unit is specifically configured to: receive the first message from the terminal device through the first connection between the private network and the terminal device; the processing unit is specifically configured to: determine, according to the first connection, that the session establishment request corresponds to the private network.
  • the transceiver unit is further configured to receive a first connection establishment request from the terminal device, where the first connection establishment request is used to request establishment of the first connection; the processing unit is further configured to establish the first connection according to the first connection establishment request; the transceiver unit is further configured to receive a second connection establishment request from the terminal device, and the second connection establishment request is used to request establishment of the second connection between the public network and the terminal device; the transceiver unit is further configured to send the second connection establishment request to a mobility management network element of the public network.
  • the processing unit is specifically configured to: generate a security parameter according to the key of the private network; the transceiver unit is also configured to: send the security parameter to the terminal device and/or the access network device, and the security parameter is used by the terminal device and/or the access network device to generate the user plane key of the air interface.
  • the control plane network element of the private network stores the key of the private network; or, the processing unit is specifically configured to: obtain the key of the private network from the authentication, authorization and accounting (AAA) server.
  • an embodiment of the present application provides a terminal device, where the terminal device has a function of implementing the behavior in the method embodiment of the second aspect above.
  • This function may be implemented by hardware, or may be implemented by executing corresponding software on the hardware.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the terminal device includes a transceiver unit and a processing unit: the transceiver unit is configured to send a first message to a control plane network element of the private network, where the first message includes a session establishment request corresponding to the private network; the processing unit is used to establish the user plane security of the air interface according to the key of the private network; wherein the root key of the private network is different from the root key of the public network, the key of the private network is the root key of the private network or a key derived based on the root key of the private network, the key of the private network is used for the security of the user plane of the air interface, and the root key of the public network is used for the security of the control plane of the air interface.
  • the transceiver unit is further configured to: send a first connection establishment request to a control plane network element of the private network, where the first connection establishment request is used to request establishment of a first connection between the private network and the terminal device, and the first connection is used to transmit the first message; wherein there is a second connection between the terminal device and the public network, and the second connection is used to transmit the signaling of the public network.
  • the transceiver unit is further configured to send a second connection establishment request to a mobility management network element of the public network, where the second connection establishment request is used to request establishment of the second connection between the public network and the terminal device; the processing unit is further configured to generate the control plane key of the air interface according to the root key of the public network.
  • the transceiver unit is further configured to receive a security parameter from the control plane network element of the private network; the processing unit is specifically configured to generate the user plane key of the air interface according to the security parameter and the key of the private network, and to establish the user plane security of the air interface according to the user plane key of the air interface.
  • the embodiment of the present application provides an access network device, and the access network device has a function of implementing the behavior in the method embodiment of the first aspect above.
  • This function may be implemented by hardware, or may be implemented by executing corresponding software on the hardware.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the access network device includes a transceiver unit and a processing unit, where: the transceiver unit is configured to receive a third message from the terminal device, the third message includes a first connection establishment request, and the first connection establishment request is used to request establishment of a first connection between the private network and the terminal device; the processing unit is used to discover the control plane network element of the private network according to the third message, and the control plane network element of the private network is used for establishing the first connection; the transceiver unit is further configured to send the first connection establishment request to the control plane network element of the private network.
  • the transceiver unit is further configured to receive a fourth message from the terminal device, where the fourth message includes a second connection establishment request, and the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device; the transceiver unit is further configured to send the second connection establishment request to a mobility management network element of the public network according to the fourth message.
  • the third message includes routing information of the control plane network element of the private network, and the routing information of the control plane network element of the private network is used to discover the control plane network element of the private network.
  • the present application provides a mobility management network element of a public network, where the mobility management network element of the public network has a function of implementing the behavior in the method embodiment of the fourth aspect above.
  • This function may be implemented by hardware, or may be implemented by executing corresponding software on the hardware.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the mobility management network element of the public network includes a transceiver unit and a processing unit, wherein: the processing unit is used to obtain a non-access stratum NAS key of the public network; the transceiver unit is used to send the NAS key of the public network to the control plane network element of the private network.
  • the present application provides a control plane network element of a private network, and the control plane network element of a private network has a function of implementing the behavior in the method embodiment of the fifth aspect above.
  • This function may be implemented by hardware, or may be implemented by executing corresponding software on the hardware.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the control plane network element of the private network includes a transceiver unit and a processing unit, wherein: the processing unit is used to obtain the key of the private network, and the key of the private network is the root key of the private network or a key derived based on the root key of the private network.
  • the root key of the private network is different from the root key of the public network.
  • the key of the private network is used for the security of the user plane of the air interface.
  • the root key of the public network is used for the control plane security of the air interface; the processing unit is also used for establishing the user plane security of the air interface according to the key of the private network.
  • the present application provides a communication device.
  • the communication device may be the control plane network element of the private network in the design of the above method or a chip arranged in the control plane network element of the private network.
  • the communication device includes a communication interface and a processor, and optionally, a memory.
  • the memory is used to store computer programs or instructions
  • the processor is coupled with the memory and the communication interface.
  • the communication device executes the method performed by the control plane network element of the private network in the above method embodiment.
  • a communication device may be the access network device designed in the above method or a chip set in the access network device.
  • the communication device includes a communication interface and a processor, and optionally, a memory.
  • the memory is used to store computer programs or instructions
  • the processor is coupled to the memory and the communication interface, and when the processor executes the computer programs or instructions, the communication device executes the method performed by the access network device in the above method embodiment.
  • a communication device may be the terminal device designed in the above method or a chip provided in the terminal device.
  • the communication device includes a communication interface and a processor, and optionally, a memory.
  • the memory is used to store computer programs or instructions
  • the processor is coupled to the memory and the communication interface.
  • a communication device may be the mobility management network element of the public network in the design of the above method or a chip set on the mobility management network element of the public network.
  • the communication device includes a communication interface and a processor, and optionally, a memory.
  • the memory is used to store computer programs or instructions
  • the processor is coupled to the memory and the communication interface.
  • when the processor executes the computer programs or instructions, the communication device executes the method performed by the mobility management network element of the public network in the above method embodiments.
  • the communication interface in the communication device of the tenth aspect to the fourteenth aspect may be a transceiver in the communication device, for example, realized by an antenna, a feeder, and a codec in the communication device; or, if the communication device is a chip in a communication device, the communication interface may be an input/output interface of the chip, such as an input/output pin or the like.
  • in a fifteenth aspect, a communication system includes a control plane network element of a private network and an access network device.
  • the control plane network element of the private network is used to execute the first aspect or any method designed in the first aspect, or to execute the fifth aspect or any method designed in the fifth aspect.
  • the access network device is configured to execute the third aspect or any method designed in the third aspect.
  • the system further includes a mobility management network element of the public network, and the mobility management network element of the public network is used to execute the fourth aspect or any one of the methods designed in the fourth aspect.
  • the present application provides a chip system
  • the chip system includes a processor, used to implement the functions of the control plane network element of the private network, the access network device, the mobility management network element of the public network, or the terminal device in the methods of the above aspects.
  • the chip system further includes a memory for storing program instructions and/or data.
  • the system-on-a-chip may consist of chips, or may include chips and other discrete devices.
  • a computer program product includes computer program code; when the computer program code is run, the method executed by the control plane network element of the private network, the access network device, the mobility management network element of the public network, or the terminal device in the above aspects is performed.
  • the present application provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium.
  • when the computer program is run, the method performed by the control plane network element of the private network, the access network device, the mobility management network element of the public network, or the terminal device in the above aspects is executed.
  • the key used to establish the security of the user plane of the air interface is different from the key used to establish the security of the control plane of the air interface.
  • the establishment of security of the user plane is more independent, which can improve the security of services.
  • FIG. 1 is a schematic diagram of a network architecture of a 5G system provided in an embodiment of the present application
  • FIG. 2 is a schematic diagram of another 5G system network architecture provided by an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a non-3GPP network architecture in a 5G system provided by an embodiment of the present application
  • FIG. 4 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • FIG. 5 is a flow chart of a method for isolating public and private network services provided by an embodiment of the present application
  • FIG. 6 is a schematic flow diagram of establishing user plane security and control plane security of the air interface provided by an embodiment of the present application.
  • FIG. 7 is a flow chart of another method for isolating public and private network services provided by an embodiment of the present application.
  • FIG. 8 is a flow chart of another method for isolating public and private network services provided by an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a communication device 900 provided by an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of another communication device 1000 provided by an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a chip provided by an embodiment of the present application.
  • the embodiments of the present application can be applied to the network architecture of the 4th generation mobile communication technology (4G), such as the long term evolution (LTE) system, and can also be applied to the network architecture of the 5th generation mobile communication technology (5G), such as the NR system, or to the sixth generation mobile communication technology network architecture after the 5G network architecture or other similar communication systems; there is no specific limitation.
  • FIG. 1 is a schematic diagram of a network architecture of a 5G system provided by an embodiment of the present application.
  • the network architecture includes user equipment (user equipment, UE), access network (access network, AN) equipment, core network elements, and data network (data network, DN).
  • Terminal equipment includes equipment that provides voice and/or data connectivity to users, that is, equipment that provides voice to users, equipment that provides data connectivity to users, or equipment that provides both voice and data connectivity to users. Examples may include a handheld device with wireless connectivity, or a processing device connected to a wireless modem.
  • the terminal device can communicate with the core network via the RAN, exchange voice or data with the RAN, or exchange voice and data with the RAN.
  • the terminal equipment may include user equipment (user equipment, UE), wireless terminal equipment, mobile terminal equipment, device-to-device communication (device-to-device, D2D) terminal equipment, vehicle to everything (vehicle to everything, V2X) terminal equipment, machine-to-machine/machine-type communications (machine-to-machine/machine-type communications, M2M/MTC) terminal equipment, Internet of things (internet of things, IoT) terminal equipment, subscriber unit, subscriber station, mobile station, remote station, access point (access point, AP), remote terminal, access terminal, user terminal, user agent, or user device, etc.
  • it may include mobile phones (or "cellular" phones), computers with mobile terminal equipment, portable, pocket, hand-held, or computer built-in mobile devices, and the like, such as personal communication service (PCS) phones, cordless telephones, session initiation protocol (SIP) phones, wireless local loop (WLL) stations, and personal digital assistants (PDA).
  • constrained devices such as devices with low power consumption, or devices with limited storage capabilities, or devices with limited computing capabilities, etc.
  • it includes barcodes, radio frequency identification (radio frequency identification, RFID), sensors, global positioning system (global positioning system, GPS), laser scanners and other information sensing devices.
  • the terminal device may also be a wearable device.
  • Wearable devices can also be called wearable smart devices or smart wearable devices, which is a general term for everyday wearable items, such as glasses, gloves, watches, clothing and shoes, that have been intelligently designed and developed using wearable technology.
  • a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. Wearable devices are not only a hardware device, but also achieve powerful functions through software support, data interaction, and cloud interaction.
  • Generalized wearable smart devices include full-featured, large-sized devices that can realize complete or partial functions without relying on a smart phone, such as smart watches or smart glasses, as well as devices that focus on a certain type of application function and need to be used together with other devices such as smart phones, such as various smart bracelets, smart helmets, and smart jewelry for physical sign monitoring.
  • the various terminal devices described above, if they are located on a vehicle (for example, placed in the vehicle or installed in the vehicle), can be considered as vehicle-mounted terminal devices.
  • the terminal device may further include a relay (relay).
  • all devices capable of performing data communication with the base station can be regarded as terminal devices.
  • the device for realizing the function of the terminal device may be the terminal device, or may be a device capable of supporting the terminal device to realize the function, such as a chip or a chip system, and the device may be installed in the terminal device.
  • the system-on-a-chip may be composed of chips, or may include chips and other discrete devices.
  • the AN device may also be a radio access network (radio access network, RAN) device.
  • the access network device may be a device deployed in the wireless access network and capable of performing wireless communication with the terminal device. It is mainly responsible for wireless resource management, quality of service (QoS) management, data compression and encryption on the air interface side.
  • Access network equipment may include base stations in various forms, for example: macro base stations, micro base stations (also called small stations), relay stations, access points, and so on.
  • the names of equipment with base station functions may be different, for example, in the fifth generation (5G) system it is called gNB; in the LTE system it is called an evolved Node B (evolved NodeB, eNB or eNodeB); in the third generation (3rd generation, 3G) system it is called Node B (Node B), etc.
  • the access network device involved in the embodiment of the present application may be a base station in 5G or a base station in long term evolution (LTE), where the base station in 5G may also be called a transmission reception point (TRP) or next generation Node B (gNB).
  • the device for implementing the function of the access network device may be the access network device, or a device capable of supporting the access network device to realize the function, such as a chip or a chip system, and the device may be installed in the access network equipment.
  • the technical solution provided by the embodiment of the present application is described by taking the access network device as an example for realizing the function of the access network device.
  • the core network elements may include: access and mobility management function (access and mobility management function, AMF), authentication server function (authentication server function, AUSF), unified data management (unified data management, UDM), session management function (session management function, SMF), policy control function (policy control function, PCF), application function (application function, AF), user plane function (user plane function, UPF) network element and network slice selection function (network slice selection function, NSSF) network element.
  • the AMF network element is mainly responsible for signaling processing, such as access control, mobility management, attachment and detachment, and gateway selection.
  • when the AMF network element provides services for a session in the terminal device, it provides the session with storage resources on the control plane, and stores the session ID, the SMF network element ID associated with the session ID, and the like.
  • UE and AMF can communicate through N1 non-access stratum (non-access stratum, NAS) messages, and communication messages between UE and AMF can also be transferred through N2 messages of the RAN.
  • RAN and AMF communicate through N2 messages.
  • the AUSF network element has an authentication service function, and is used to process authentication requests for 3rd generation partnership project (3GPP) access and non-3GPP access.
  • the UDM network element is used to manage user subscription information and complete user authentication and authorization.
  • the SMF network element is responsible for user plane network element selection, user plane network element redirection, Internet protocol (internet protocol, IP) address allocation, bearer establishment, modification and release, and QoS control.
  • the PCF network element is used to generate and manage users, sessions, and quality of service (quality of service, QoS) flow processing policies. It mainly supports the provision of a unified policy framework to control network behavior, provides policy rules to the network functions of the control layer, and is responsible for obtaining user subscription information related to policies.
  • the AF network element mainly supports interaction with the 3GPP core network to provide services, such as influencing data routing decisions, policy control functions, or providing some third-party services to the network side, and can be located in the operator's network or outside the operator's network.
  • the UPF network element is used to process user packets, such as forwarding and charging. It can be responsible for the forwarding and receiving of user data in the terminal device. It can receive user data from the data network and transmit it to the terminal device through the access network device; the UPF network element can also receive user data from the terminal device through the access network device and forward it to the data network.
  • the transmission resources and scheduling functions that provide services for terminal equipment in the UPF network element are managed and controlled by the SMF network element.
  • the NSSF network element is used to support flexible selection of slices based on information such as the network slice selection assistance information (NSSAI) requested and subscribed by the user, the user location area, slice capacity, and current slice load.
  • Authentication, authorization, and accounting (authentication, authorization, accounting, AAA) server (not shown in Figure 1): a server program capable of processing user access requests and providing authentication, authorization and accounting services; its main purpose is to manage user access to network servers and to provide services to users with access rights.
  • DN is responsible for providing services for UE, including operator services, Internet services, third-party services, etc., such as providing Internet access functions and SMS functions for UEs.
  • the schematic diagram of the network architecture shown in FIG. 1 also includes interfaces between various network elements, for example, N1 represents the interface between the UE and the AMF network element, N2 represents the interface between the AMF network element and the RAN device, and so on.
  • some interfaces may be implemented in the form of service interfaces, as shown in FIG. 2 for details.
  • the UE, (R)AN equipment, UPF network element, and DN in Figure 1 are generally referred to as user layer network functional entities.
  • User data traffic can be transmitted through the protocol data unit session (protocol data unit session, PDU session) established between the UE and the DN; the transmission passes through the two network functions (entities) (R)AN and UPF. The other parts are called control layer network functions and entities, which are mainly responsible for authentication, registration management, session management, mobility management, policy control and other functions, so as to realize reliable and stable transmission of user layer traffic.
  • FIG. 3 is a schematic diagram of a non-3GPP network architecture in 5G provided by an embodiment of the present application.
  • the non-3GPP interworking function (N3IWF) network element is used to support the non-3GPP access network to connect to the 5G core network.
  • the N3IWF network element is connected to the 5G core network user plane (user plane, UP) and control plane (control plane, CP) functions through the N3 and N2 interfaces respectively. If the selected N3IWF network element is located in the same public land mobile network (PLMN) as the 3GPP access, a UE connected to the same 5G core network of that PLMN through 3GPP access and non-3GPP access at the same time is served by the same AMF.
  • the functions of the N3IWF network element include: supporting the establishment of an Internet protocol security (internet protocol security, IPsec) tunnel with the UE, where the N3IWF network element terminates the IKEv2/IPsec protocol with the UE over NWu and relays over N2 the information required to authenticate the UE and authorize its access to the 5G core network; relaying uplink and downlink control plane NAS (N1) signaling between the UE and the AMF; establishing IPsec security associations (IPsec SA) to support PDU session traffic; relaying uplink and downlink user plane data packets between the UE and the UPF; and so on.
  • the untrusted non-3GPP access network (Untrusted non-3GPP Access Network) equipment is used to support the interconnection and intercommunication between the terminal equipment and the 3GPP core network using non-3GPP technology.
  • non-3GPP technologies such as: Wireless Fidelity (Wireless Fidelity, Wi-Fi), Worldwide Interoperability for Microwave Access (WiMAX), Code Division Multiple Access (CDMA) network, etc.
  • This network element needs to be interconnected with the 3GPP core network through a secure tunnel established by a security gateway.
  • the security gateway is, for example: Evolved Packet Data Gateway (Evolved Packet Data Gateway, ePDG) or non-3GPP interworking function (Non-3GPP InterWorking Function, N3IWF) network element.
  • 5G-ACIA defines four private network deployment scenarios, which are further introduced below.
  • Scenario 1: completely independent private network.
  • the private network deploys completely independent RAN nodes and 5GC devices (including control plane network elements and user plane network elements), and the private network can communicate with the public network through the firewall;
  • Scenario 2: private network sharing RAN nodes.
  • the private network has RAN nodes shared with the public network, but has independent 5GC equipment (including control plane network elements and user plane network elements);
  • Scenario 3: private network sharing RAN nodes and the 5GC control plane.
  • the private network has the RAN node and 5GC control plane shared with the public network, but the private network has an independent user plane network element UPF;
  • Scenario 4: private network sharing RAN nodes and the 5GC.
  • the private network and the public network share the RAN node and 5GC (including the control plane and user plane).
  • isolation of the private network depends on the slicing or CAG features of the public network.
  • the network architectures of Scenario 3 and Scenario 4 above are mainly used.
  • the security of the user plane of private network services completely depends on the public network.
  • the user plane key of the private network is derived from the root key of the public network.
  • the root key of the public network is stored on the public network, and the user plane key of the private network is also derived from the public network.
  • the AMF of the public network derives, from the public network key K amf, an intermediate key such as K gnb, which is used to derive both the air interface control plane key and the air interface user plane key.
  • K amf is a key derived from the root key of the public network. The AMF sends K gnb to the access network device, and the access network device further derives the air interface user plane key and the air interface control plane key from K gnb. Based on this, the air interface user plane key used in the private network depends on the public network key, and the key is exposed on the public network. If the public network key is leaked, or is leaked during the derivation process, the security of private network services will be affected.
  • the control plane network element of the private network establishes the user plane security of the private network according to the key of the private network.
  • the key of the private network is different from the key of the public network.
  • the key of the private network is used for the user plane security of the air interface, and the key of the public network is used for the control plane security of the air interface.
  • the air interface is used for communication between the terminal device and the private network.
  • the control plane network elements of the private network are not shared with the public network, and they use an independent private network key to establish the security of the user plane of the private network, which isolates public network services and private network services from each other and improves the security of private network services.
  • FIG. 4 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • the communication system shown in Figure 4 includes: terminal equipment (such as UE), access network (RAN) equipment, a control plane network element of the private network, a mobility management (AMF) network element of the public network, a session management function (SMF) network element of the public network, and a user plane function (UPF) network element.
  • the name of a device/network element shown in Figure 4 may change with the development of the mobile communication field, and the embodiment of the present application does not limit the name of each device/network element; in addition, a device/network element may also evolve into multiple devices/network elements, which jointly realize the functions realized by that one device/network element.
  • the name of the message between network elements or the name of each parameter in the message in the following embodiments of the present application is just an example, and other names may also be used in specific implementation, which is not specifically limited in the embodiment of the present application.
  • Each device/network element included in FIG. 4 is specifically introduced below.
  • the access network equipment and user plane function network elements can be shared by the public network and the private network, or can be exclusively used by the private network. It should be noted that access network equipment and user plane functional network elements are exclusive to the private network, which means that the access network equipment and user plane functional network elements only provide user plane services for private network services of terminal equipment. In the case that the access network equipment and user plane functional network elements are exclusively used by the private network, the mobility management functions of the private network and the public network, as well as the session management function of the public network are still in charge of the control plane network elements of the public network. In addition, the data of the user plane of the public network will not be processed by the functional network element of the user plane of the private network, but will be processed by the functional network element of the user plane of the public network (not shown in FIG. 4 ).
  • for the functions of the terminal device, the mobility management (AMF) network element of the public network, the session management function (SMF) network element of the public network, and the user plane function (UPF) network element, refer to the introduction in the above embodiment corresponding to FIG. 1 or FIG. 3; they will not be repeated here.
  • the control plane network element of the private network may optionally be named as a local control plane (local control plane, L-CP) network element, or may be named by another name, which is not limited in this embodiment of the present application.
  • the control plane network element of the private network is a control plane network element deployed locally in the private network, and has functions of relaying N2 messages (or called signaling) and managing private network service sessions.
  • the relaying of the N2 message by the control plane network element of the private network means that the control plane network element of the private network can forward the N2 message sent between the access network device and the mobility management (AMF) network element of the public network.
  • the control plane network elements of the private network include a first network element and a second network element, or, the first network element and the second network element are two independent network elements; the first network element and the second network element jointly realize the functions realized by the control plane network element of the private network.
  • the first network element (which may, for example, be named a Proxy network element) can realize the function of relaying N2 messages
  • the second network element can implement the function of managing private network service sessions.
  • the relevant configuration and policy information of private network service session management may be preconfigured or delivered from the public network to the control plane network element of the private network.
  • the mobility management functions of the private network and the public network and the session management function of the public network are still in charge of the control plane network element of the public network.
  • FIG. 4 also illustrates the equipment/network elements involved in the transmission of the session management (session management, SM) message of the private network and the session management message of the public network in the embodiment of the present application.
  • the session management message is information used to manage information on the user plane.
  • the session management message may include a session establishment request message, a session modification message, a session deletion message, and the like.
  • the private network session management message may include one or more of N1 session management message, N2SM message or N4SM message.
  • the N1SM message is used in the interaction process between the control plane network element of the private network and the UE; it can also be an N2SM message, where the N2SM message is used in the interaction process between the control plane network element of the private network and the RAN device; it can also be an N4SM message, where the N4SM message is used in the interaction process between the control plane network element of the private network and the UPF network element.
  • the session management message of the public network may include one or more of N1SM message, N2SM message or N4SM message.
  • the N1SM message is used in the interaction process between the control plane network element of the public network (for example, an AMF network element) and the UE; it can also be an N2SM message, where the N2SM message is used between the control plane network element of the public network and the RAN device; it can also be an N4SM message, where the N4SM message is used in the interaction between the control plane network element of the public network and the UPF network element.
  • the session management message of the private network is a session establishment request of the private network
  • the session management message of the private network is generated by the terminal device and passes through the access network device to the control plane network element of the private network; after the session establishment request of the private network is accepted, the control plane network element of the private network instructs the user plane function network element to establish a private network session.
  • the session management message of the public network is a session establishment request of the public network
  • the session management message of the public network is generated by the terminal device and passes through the access network device, the control plane network element of the private network, and the mobility management network element of the public network to the session management function network element of the public network, which instructs the user plane function network element to establish a public network session.
  • FIG. 5 is a flow chart of a method for isolating public and private network services provided by an embodiment of the present application. This method can be implemented based on the network architecture shown in FIG. 4 . The method includes the following steps.
  • the control plane network element of the private network obtains the key of the private network.
  • the key of the private network is the root key of the private network or a key derived based on the root key of the private network.
  • the key of the private network can be the root key of the private network or the intermediate key of the private network, and the intermediate key is a key derived from the root key of the private network.
  • the root key of the private network can be the master session key (master session key, MSK) or the extended master session key (extended master session key, EMSK), and the intermediate key of the private network can be the local control plane key (local control plane key, K L-CP) or K gnb; the role of K L-CP can be compared to the access and mobility management function key (K amf).
  • the key of the public network may be the root key of the public network or the intermediate key of the public network, and the intermediate key is a key derived from the root key of the public network.
  • the root key of the public network can be the master session key (MSK) or the extended master session key (EMSK), and the intermediate key of the public network can be K AMF or K gNB.
  • the root key of the private network is different from the root key of the public network.
  • the private network key is used for user plane security of the air interface
  • the root key of the public network is used for control plane security of the air interface.
  • the air interface is an air interface used for communication between the terminal device and the private network.
  • the root key of the public network is stored in the public network; the root key of the private network is stored in the private network, and the business key derived from the private network is also stored in the private network.
  • the control plane network elements of the private network are not shared with the public network, and the private network key is no longer stored in the public network. Even if the public network key is leaked, or leaks during the derivation process, the security of private network services is not affected.
  • if the control plane network element of the private network stores the key of the private network, it can read the key of the private network from its own storage medium.
  • the private network key is stored in the AAA server.
  • the control plane network element of the private network can obtain the key of the private network from the AAA server.
  • the AAA server can grant the control plane network element of the private network the permission to access and read the key of the private network, and verifies the permission of the accessing device (or user); this prevents other devices or users from reading the key of the private network and improves the security of the private network key.
  • the key of the private network is stored in another network element (for example, a network element exclusive to the private network), and the control plane network element of the private network may obtain the key of the private network from that other network element.
  • the other network element may store the root key of the private network, and send the intermediate key derived from the root key of the private network to the control plane network element of the private network.
  • the terminal device sends a first message to the control plane network element of the private network, where the first message includes a session establishment request.
  • the process of the terminal device sending the first message to the control plane network element of the private network may be as follows:
  • Step a1 the terminal device sends a first message to the RAN device.
  • Step a2 The RAN device forwards the first message to the control plane network element of the private network.
  • the RAN device may be an intermediate forwarding node of the first message, and does not perceive the content of the first message.
  • after the control plane network element of the private network receives the first message from the terminal device, it determines that the session establishment request corresponds to the private network.
  • the control plane network element of the private network may obtain the NAS key of the public network and use the NAS key to parse the first message to obtain the session establishment request. If the session establishment request includes the first information, the control plane network element of the private network determines according to the first information that the session establishment request corresponds to the private network, where the first information is used to indicate that the session establishment request corresponds to a private network. For details, reference may be made to the embodiment corresponding to FIG. 7, which is not described again here.
  • the control plane network element of the private network may establish a connection between the private network and the terminal device. If the control plane network element of the private network receives the first message from the terminal device through the connection between the private network and the terminal device, it determines, according to that connection, that the session establishment request corresponds to the private network. For details, reference may be made to the embodiment corresponding to FIG. 8, which is not described again here.
  • the control plane network element of the private network establishes user plane security of the air interface according to the key of the private network.
  • the control plane network element of the private network can establish the user plane security of the air interface according to the key of the private network as follows: the control plane network element of the private network generates a security parameter according to the key of the private network, and sends the security parameter to the terminal device and/or the access network device.
  • the security parameter is used for the terminal device and/or the access network device to generate an air interface user plane key.
  • the security parameter sent by the control plane network element of the private network to the terminal device may be the same as or different from the security parameter of the access network device.
  • the control plane network element of the private network can determine whether the session establishment request corresponds to the public network or the private network: if the session establishment request corresponds to the private network, it establishes the user plane security of the private network; if the session establishment request corresponds to the public network, it forwards the session establishment request to the mobility management network element of the public network for processing. In this way, the user plane key of the private network is guaranteed to be derived from the key of the private network, the security isolation of public network and private network services is realized, and the security of private network services is improved.
  • FIG. 6 is a schematic flowchart of establishing user plane security and control plane security of a private network provided by an embodiment of the present application.
  • step b1 the control plane network element of the private network generates a first security parameter according to the key of the private network, and the first security parameter is used to deduce the user plane key of the air interface of the terminal device.
  • the first security parameter may be included in the session security context.
  • the first security parameter includes an intermediate key used to generate a user plane key for the air interface.
  • when the control plane network element of the private network executes step b1, it can be implemented in the following ways:
  • the control plane network element of the private network may generate the first security parameter according to the key and auxiliary parameters of the private network.
  • the first security parameter includes an intermediate key.
  • the intermediate key in the embodiment of this application refers to the key generated from the root key after one or more derivations. After the network element receives the intermediate key, it can further perform key derivation, and finally obtain the key for integrity protection and/or encryption.
  • the access network device uses the intermediate key to deduce the key used for integrity protection and/or encryption of the user plane of the air interface.
  • the intermediate key may be K eNB.
  • the intermediate key may also be called K npn .
  • when the control plane network element of the private network generates the first security parameter according to the private network key and auxiliary parameters, this may include deriving an intermediate key according to the private network key and the auxiliary parameters.
  • the user plane key of the air interface may include K UPenc and/or K UPint .
  • K UPenc is used to protect user plane services through encryption algorithms.
  • K UPint is used to protect user plane services through specific integrity algorithms.
  • the auxiliary parameter may include one or more of single network slice selection assistance information (S-NSSAI), data network name (DNN), downlink NAS message count (DL NAS Count), or other preset auxiliary parameters.
  • DL NAS Count can be sent by the control plane NE of the public network to the control plane NE of the private network.
  • step b2 the control plane network element of the private network sends the first security parameter to the access network device providing access service for the terminal device.
  • the control plane network element of the private network also sends the auxiliary parameters to the access network device.
  • Step b3 the access network device deduces the user plane key of the air interface according to the first security parameter.
  • Step b4 the control plane network element of the private network sends auxiliary parameters to the terminal device, and the auxiliary parameters are used by the terminal device to deduce and generate the intermediate key of the user plane key of the air interface.
  • the control plane network element of the private network may send the auxiliary parameters to the mobility management network element, and the mobility management network element sends the auxiliary parameters to the terminal device, for example through the N1 interface.
  • the control plane network element of the private network may send the auxiliary parameters to the mobility management network element, the mobility management network element sends them to the access network device, and the access network device sends them to the terminal device, for example through an RRC connection reconfiguration message.
  • the execution order of step b2 and step b4 is not limited.
  • Step b5 after the terminal device receives the auxiliary parameters from the control plane network element of the private network, the terminal device generates an intermediate key according to the root key of the private network and the auxiliary parameters, and deduces the user plane key of the air interface according to the intermediate key.
  • the root key of the private network is stored on the terminal device.
  • the terminal device can also obtain the root key of the private network through online signing.
  • the terminal device can temporarily access the cellular network and access the private network, and the root key is obtained from the control plane network element of the private network; or the terminal device obtains the root key from the private network through a user plane connection established over a non-3GPP network (such as a WiFi network).
  • when uplink and downlink service data are transmitted, the user plane key of the air interface can be used to encrypt and decrypt the service data; this is what is meant by establishing the user plane security of the air interface.
  • when the terminal device sends uplink service data to the access network device, it can encrypt the uplink service data with the user plane key of the air interface before sending it, so that the user plane key of the air interface protects the security of the uplink service data.
  • when the access network device sends downlink service data to the terminal device, it can encrypt the downlink service data with the user plane key of the air interface before sending it, so that the user plane key of the air interface protects the security of the downlink service data on the air interface.
  • the following describes the derivation process of the air interface control plane key, as shown in FIG. 6 .
  • step c1 the network element of the control plane of the public network obtains the key of the public network of the terminal device.
  • Step c2 the control plane network element of the public network generates a second security parameter according to the key of the public network, and the second security parameter is used to deduce the air interface control plane key of the terminal device.
  • the second security parameter includes an intermediate key.
  • the access network device uses the intermediate key to deduce the key used for integrity protection and/or encryption of the control plane of the air interface.
  • the intermediate key may be K eNB.
  • the intermediate key may also be called K npn .
  • when the control plane network element of the public network generates the second security parameter according to the public network key and auxiliary parameters, this may include deriving an intermediate key according to the public network key and the auxiliary parameters.
  • Step c3 the control plane network element of the public network sends the second security parameter to the access network device.
  • Step c4 the access network device deduces the control plane key of the air interface according to the second security parameter.
  • Step c5 the control plane network element of the public network sends auxiliary parameters for deriving the control plane key of the air interface to the terminal device.
  • the control plane network element of the public network may send the auxiliary parameters used for deriving the control plane key of the air interface to the terminal device through the N1 interface.
  • the control plane network element of the public network can send the auxiliary parameters to the access network device, and the access network device sends the auxiliary parameters used to deduce the control plane key of the air interface to the terminal device, for example through an RRC connection reconfiguration message.
  • the auxiliary parameters used for deriving the air interface user plane key and the auxiliary parameters used for deriving the air interface control plane key may be the same or different, which is not limited in the embodiment of the present application.
  • Step c6 the terminal device generates an intermediate key according to the public network root key and auxiliary parameters, and deduces an air interface control plane key according to the intermediate key.
  • the control plane network element of the public network can still send auxiliary parameters for deriving the NAS control plane key to the terminal device.
  • the terminal device uses the public network root key and auxiliary parameters to generate an intermediate key, and deduces the NAS control plane key based on the intermediate key.
  • the security parameters used for deriving the control plane key of the air interface and the security parameters used for deriving the user plane key of the air interface are generated independently: the control plane network element of the public network generates the security parameters used to deduce the control plane key of the air interface, and the control plane network element of the private network generates the security parameters used to deduce the user plane key of the air interface. Because the private network network element is not shared with the public network, the private network key is guaranteed not to be known by the public network, thereby ensuring the security of the private network.
  • the user plane key of the air interface is used to securely transmit the service data, the security of the service data transmission of the air interface is improved.
  • the security parameters used to deduce the control plane key of the air interface and the user plane key of the air interface may also be the same.
  • the access network device may also deduce the control plane key of the air interface according to the first security parameter.
  • the auxiliary parameters may also be used by the terminal device to deduce and generate an intermediate key for the control plane key of the air interface.
  • the terminal device can also generate an intermediate key according to the private network root key and auxiliary parameters, and then use the intermediate key to deduce the air interface control plane key. In this case, the above step c4-step c6 may not be executed.
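  • The key hierarchy of steps b1 to b5 and c1 to c6 above, as an added worked example that is not part of the patent or of any Huawei implementation. The patent names the root keys (MSK/EMSK), the intermediate key (K L-CP, K gNB or K npn), the user plane keys (K UPenc, K UPint) and the auxiliary parameters (S-NSSAI, DNN, DL NAS Count) but fixes no derivation function, so the KDF here (HMAC-SHA256 over a label and length-prefixed auxiliary parameters), the names K_CPenc/K_CPint for the air interface control plane keys, and all key values are assumptions or constructed sample data. The scenario also checks the isolation claim of the description: knowledge of the public network key and the auxiliary parameters does not reproduce the private network's user plane keys.

```python
import hashlib
import hmac
from dataclasses import dataclass


def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label and length-prefixed parameters.
    The patent does not specify the derivation function; this is illustrative only."""
    msg = label.encode()
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuxParams:
    """Auxiliary parameters named in the description."""
    s_nssai: bytes
    dnn: bytes
    dl_nas_count: int

    def encode(self) -> tuple:
        return (self.s_nssai, self.dnn, self.dl_nas_count.to_bytes(4, "big"))


def derive_intermediate(root_key: bytes, aux: AuxParams) -> bytes:
    """One derivation from a root key: the 'intermediate key' (role of K npn / K gNB)."""
    return kdf(root_key, "intermediate", *aux.encode())


def derive_user_plane_keys(intermediate: bytes) -> dict:
    """K_UPenc / K_UPint, derived by the RAN (step b3) and the terminal (step b5)."""
    return {"K_UPenc": kdf(intermediate, "UP-enc"), "K_UPint": kdf(intermediate, "UP-int")}


def derive_control_plane_keys(intermediate: bytes) -> dict:
    """Air interface control plane keys (names assumed), steps c4 and c6."""
    return {"K_CPenc": kdf(intermediate, "CP-enc"), "K_CPint": kdf(intermediate, "CP-int")}


def run_isolation_scenario() -> dict:
    # Constructed sample roots. In a deployment the private root comes from the
    # private network's AAA (MSK/EMSK), the public root from public-network authentication.
    private_root = hashlib.sha256(b"constructed private-network root key").digest()
    public_root = hashlib.sha256(b"constructed public-network root key").digest()
    aux = AuxParams(s_nssai=bytes.fromhex("01abcdef"), dnn=b"factory.npn", dl_nas_count=7)

    # Steps b1-b3: the private-network control plane derives the first security
    # parameter from the private key; the RAN derives the user plane keys from it.
    first_security_parameter = derive_intermediate(private_root, aux)
    ran_up = derive_user_plane_keys(first_security_parameter)

    # Steps c1-c4: the public-network control plane derives the second security
    # parameter from the public key; the RAN derives the control plane keys from it.
    second_security_parameter = derive_intermediate(public_root, aux)
    ran_cp = derive_control_plane_keys(second_security_parameter)

    # Steps b5 and c6: the terminal holds both roots and repeats the derivations
    # from the auxiliary parameters it received over NAS/RRC.
    ue_up = derive_user_plane_keys(derive_intermediate(private_root, aux))
    ue_cp = derive_control_plane_keys(derive_intermediate(public_root, aux))

    # Isolation check from the description: with only the public key and the
    # (non-secret) auxiliary parameters, can the user plane keys be reconstructed?
    from_public_only = derive_user_plane_keys(derive_intermediate(public_root, aux))

    return {
        "ue_ran_up_match": ue_up == ran_up,
        "ue_ran_cp_match": ue_cp == ran_cp,
        "up_cp_independent": ran_up["K_UPenc"] != ran_cp["K_CPenc"],
        "public_root_yields_up_keys": from_public_only == ran_up,
    }


if __name__ == "__main__":
    for name, value in run_isolation_scenario().items():
        print(f"{name}: {value}")
```

  • The point of the scenario function is the last entry: both sides agree on every key, yet the user plane keys are unreachable from the public root, which is the property the description attributes to keeping the private network key out of the shared public control plane.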
  • in step b2, the sending of the first security parameter by the control plane network element of the private network to the access network device may be implemented in any of the following ways:
  • the control plane network element of the private network may send the first security parameter to the access network device through the control plane network element of the public network.
  • the control plane network element of the public network may include a public network mobility management network element.
  • the control plane network element of the private network may send the first security parameter to the access network device through the user plane network element of the private network.
  • the private network user plane network element may include a private network UPF.
  • when the control plane network element of the private network transfers the first security parameter to the access network device through the control plane network element of the public network or through the user plane network element of the private network, it can encrypt the first security parameter and then send the encrypted first security parameter to the access network device through the control plane network element of the public network or the user plane network element of the private network.
  • the access network device may decrypt it using a decryption key to obtain the first security parameter.
  • the decryption key may be a symmetric key to the encryption key.
  • the key used to encrypt the first security parameter may be called a security parameter key, a tunnel key, or another name, which is not specifically limited in this application.
  • the decryption key may be a symmetric key of the encryption key, and the decryption key may also be a security parameter key.
  • FIG. 7 it is a flow chart of another method for isolating public and private network services provided in the embodiment of the present application. This method can be implemented based on the network architecture shown in FIG. 4 . The method includes the following steps.
  • the terminal device registers in the network.
  • the terminal device is registered in the public network.
  • when the RAN device selects the AMF network element, it can discover the control plane network element of the private network (which may be called the L-CP network element) according to information pre-configured by the operator. In this way, the AMF network element can perceive the existence of the control plane network element of the private network.
  • the control plane network element of the private network may indicate that it is a relay node during the process of establishing the N2 tunnel with the AMF network element.
  • the control plane network element of the private network sends first indication information to the AMF network element, where the first indication information is used to indicate that the control plane network element of the private network is a relay node between the RAN device and the AMF network element.
  • a mobility management (AMF) network element of the public network acquires a NAS key of the public network.
  • the mobility management network element of the public network can obtain the NAS key of the public network corresponding to the terminal device.
  • the mobility management network element of the public network sends the NAS key of the public network to the control plane network element of the private network.
  • correspondingly, the control plane network element of the private network receives the NAS key of the public network from the mobility management network element of the public network.
  • in the process of registering the terminal device to the public network, the mobility management network element of the public network records the correspondence between the terminal device and the corresponding control plane network element of the private network.
  • the mobility management network element of the public network sends the NAS key of the public network corresponding to the terminal device to the control plane network element of the private network corresponding to the terminal device, so that the control plane network element of the private network can use the NAS key of the public network to parse the received NAS messages.
  • the way in which the mobility management network element of the public network sends the NAS key of the public network to the control plane network element of the private network is as follows: the mobility management network element of the public network sends a second message to the control plane network element of the private network, the second message includes second information and the NAS key of the public network, and the second information indicates the permission granted to the control plane network element of the private network to use the NAS key of the public network.
  • the second message may be the NAS context of the terminal device (that is, the terminal device corresponding to the control plane network element of the private network).
  • the configuration information of the mobility management network element of the public network includes authorization information that allows the mobility management network element of the public network to send the NAS context.
  • the configuration information may be pre-stored, or delivered by the network to the mobility management network element of the public network.
  • after the mobility management network element of the public network obtains the NAS key of the public network, it can send the NAS context to the control plane network element of the private network according to the configuration information.
  • the terminal device sends a first message to the control plane network element of the private network, where the first message includes a session establishment request.
  • correspondingly, the control plane network element of the private network receives the first message from the terminal device, where the first message includes the session establishment request.
  • the process of the terminal device sending the first message to the control plane network element of the private network may be as follows:
  • Step a1 the terminal device sends a first message to the RAN device.
  • Step a2 The RAN device forwards the first message to the control plane network element of the private network.
  • the RAN device may be an intermediate forwarding node of the first message, and does not perceive the content of the first message.
  • the first message includes first information, and the first information is used to indicate that the session establishment request corresponds to a private network.
  • the first information may be one or more of: the first parameter, the network slice selection assistance information (NSSAI) of the private network, or the data network name (DNN) of the private network.
  • the network slice selection assistance information of the private network is network slice selection assistance information dedicated to the private network.
  • the data network name of the private network is a data network name dedicated to the private network.
  • the first parameter is used to indicate that the key of the private network is used to derive the user plane key of the air interface.
  • the first parameter may be named as a local credential derivative request (LCDR).
  • the first message may further include a second parameter, where the second parameter is used to instruct the terminal device to use an independent key to derive the user plane key when establishing user plane security.
  • using an independent key means that the key from which the user plane key of the air interface is derived is different from the key from which the control plane key of the air interface is derived; equivalently, the network element/device that derives the user plane key of the air interface is different from the network element/device that derives the control plane key of the air interface, or the control plane key and the user plane key of the air interface of the terminal device are isolated from each other.
  • the second parameter may be named user plane key separation indication (user plane separation request, UPSR).
  • the first parameter and the second parameter may also be represented by one parameter, and the one parameter may indicate meanings indicated by the first parameter and the second parameter.
  • the control plane network element of the private network uses the NAS key of the public network to parse the first message, so as to obtain a session establishment request.
  • the control plane network element of the private network determines according to the first information that the session establishment request corresponds to the private network.
  • the control plane network element of the private network determines that the session establishment request corresponds to the private network.
  • the control plane network element of the private network uses the NAS key to inspect the received first message; if the first message is a session management NAS message, and the session management NAS message includes first information (the first parameter, the NSSAI of the private network or the DNN of the private network), the control plane network element of the private network determines according to the first information that the session management NAS message corresponds to the private network.
  • if the control plane network element of the private network determines that the session establishment request corresponds to the private network, it establishes the user plane security of the air interface according to the key of the private network.
  • the control plane network element of the private network may determine, according to one or more of the first parameter in the first message, the second parameter, local configuration information, or the subscription information corresponding to the terminal device, that the user plane security of the air interface is established using the key of the private network.
  • that the control plane network element of the private network determines according to the first parameter or the second parameter in the first message to use the key of the private network to establish the user plane security of the air interface can be understood as: if the first message includes the first parameter or the second parameter, the control plane network element of the private network determines to use the key of the private network to establish the user plane security of the air interface.
  • the control plane network element of the private network determines to use the key of the private network to establish the user plane security of the air interface according to the local configuration information. It can be understood as: if the local configuration information indicates that when the control plane network element of the private network determines that the session establishment request corresponds to the private network, the operation of establishing the user plane security of the air interface using the key of the private network is triggered. Then, when the control plane network element of the private network determines that the session establishment request corresponds to the private network, it is determined that the user plane security of the air interface is established using the key of the private network.
  • that the control plane network element of the private network determines according to the subscription information corresponding to the terminal device to use the key of the private network to establish the user plane security of the air interface can be understood as: if the subscription information corresponding to the terminal device indicates that, when the control plane network element of the private network determines that the session establishment request corresponds to the private network, the operation of establishing the user plane security of the air interface corresponding to the terminal device using the key of the private network is triggered, then, when the control plane network element of the private network determines that the session establishment request corresponds to the private network, it determines that the user plane security of the air interface is established using the key of the private network. In this manner the subscription information corresponds to the terminal device, and different terminal devices may have different subscription information.
  • the control plane network element of the private network forwards the first message to the control plane network element of the public network (for example, the AMF network element of the public network).
  • the control plane network element of the public network performs the next processing on the first message. Exemplarily, in this case, the operation of establishing the user plane security of the air interface corresponding to the terminal device using the key of the public network may be triggered.
  • the control plane network element of the private network feeds back a message of session establishment failure to the terminal device.
  • the feedback message may include a cause value of the creation failure. Since different terminal devices may have different functions, in this manner terminal devices with different functions may adopt different processing methods for the first message.
  • the manner in which the control plane network element of the private network establishes the user plane security of the air interface according to the key of the private network can refer to the introduction in step S104 above, and is not repeated here.
  • if the control plane network element of the private network determines that the session establishment request corresponds to the public network, it forwards the first message to the AMF network element of the public network, and the AMF network element of the public network performs the next processing on the first message.
  • the control plane network element of the private network may determine that the session establishment request corresponds to the public network according to the NSSAI/DNN included in the first message, or determine that the session establishment request corresponds to the public network according to the fact that the first parameter is not included in the first message.
  • the control plane network elements of the private network include a first network element and a second network element; or, the first network element and the second network element are two independent network elements, and the first network element and the second network element jointly realize the functions realized by the control plane network elements of the private network.
  • the function of the control plane network element of the private network to receive messages from other devices and/or forward messages to other devices may be implemented by the first network element.
  • the function of managing private network service sessions may be implemented by the second network element.
  • the operation of step S203 may be: the mobility management network element of the public network sends the NAS key of the public network to the first network element, and correspondingly, the first network element receives the NAS key of the public network from the mobility management network element of the public network. A further operation may be: the terminal device sends the first message to the first network element, and correspondingly, the first network element receives the first message from the terminal device.
  • the execution subject of step S205 and step S206 may be the first network element.
  • step S207 can refer to the following process:
  • Step d1: When the first network element determines that the session establishment request corresponds to the private network, the first network element forwards the first message to the second network element.
  • the first network element inspects the received first message using the NAS key; if the first message is a session management NAS message, and the session management NAS message includes first information (the first parameter, the private network NSSAI, or the DNN of the private network), the first network element determines, according to the first information, that the session management NAS message corresponds to the private network.
  • Step d2: According to one or more of the first parameter in the first message, the second parameter, the local configuration information, or the subscription information corresponding to the terminal device, the second network element determines to use the key of the private network to establish the user plane security of the air interface.
  • the second network element determines to use the key of the private network to establish the user plane security of the air interface. It can be understood that: if the first message includes the first parameter or the second parameter, the second network element determines to use the key of the private network to establish the user plane security of the air interface.
  • the second network element determines, according to the local configuration information, to use the key of the private network to establish the user plane security of the air interface. This can be understood as follows: if the local configuration information indicates that, when the second network element receives the message, it triggers the operation of establishing the user plane security of the air interface using the private network key, then, when the second network element receives the first message, it determines to use the key of the private network to establish the user plane security of the air interface.
  • the second network element determines, according to the subscription information corresponding to the terminal device, to use the private network key to establish the user plane security of the air interface. This can be understood as follows: if the subscription information corresponding to the terminal device indicates that, when the second network element receives the message sent by the terminal device, it triggers the operation of establishing the user plane security of the air interface corresponding to the terminal device using the private network key, then, after receiving the first message sent by the terminal device, the second network element determines to use the key of the private network to establish the user plane security of the air interface. In this manner, the subscription information corresponds to the terminal device, and different terminal devices may have different subscription information.
  • the second network element forwards the first message to the first network element, and instructs the first network element to forward the first message to the control plane network element of the public network, for example, the AMF network element of the public network.
  • the first message is processed by the network element of the control plane of the public network.
  • an operation of establishing user plane security for an air interface corresponding to the terminal device using a public network key may be triggered.
  • the second network element, in response to the first message, feeds back a message of session establishment failure to the terminal device.
  • the feedback message may include a cause value of the session establishment failure. Since different terminal devices may have different functions, in this manner, terminal devices with different functions may adopt different processing methods for the first message.
  • Step d3: The second network element establishes the user plane security of the air interface according to the key of the private network.
  • the second network element may store a private network key.
  • the second network element may obtain the private network key from the AAA server.
  • the second network element may obtain the private network key or a derived key of the private network key from another network element storing the private network key.
  • FIG. 8 is a flow chart of another method for isolating public and private network services provided in the embodiment of the present application. This method can be implemented based on the network architecture shown in FIG. 4. The method includes the following steps.
  • the terminal device initiates a registration process.
  • in step S301, the implementation manner of establishing the N2 tunnel between the access network device and the public network can refer to the content introduced in the above step S201, and will not be repeated here.
  • the terminal device in the embodiment of the present application corresponds to one piece of network subscription information.
  • the terminal device in the embodiment of the present application corresponds to a subscriber identification module (SIM) card; with the evolution of communication technology, the SIM card may also be an embedded subscriber identification module (embedded-SIM, eSIM), etc.
  • a dual-card dual-standby terminal device may be regarded as two terminal devices in the embodiment of the present application.
  • the terminal device sends a fourth message to the access network device, where the fourth message includes the second connection establishment request.
  • the fourth message may be an uplink radio resource control (radio resource control, RRC) message.
  • the fourth message is used to trigger establishment of a connection between the public network and the terminal device.
  • the fourth message may include a second connection establishment request, and the second connection establishment request is used to request establishment of a connection between the public network and the terminal device.
  • the connection between the public network and the terminal device may be a NAS connection of the public network.
  • the connection between the public network and the terminal device may be used to transmit the signaling exchanged between the terminal device and a control plane network element (for example, an AMF network element) of the public network, and the exchanged signaling may include signaling related to establishing (or modifying, deleting) a session connection, signaling related to mobility management, and so on.
  • after the access network device receives the fourth message from the terminal device, the access network device sends the second connection establishment request to the mobility management network element of the public network.
  • the process of the access network device sending the second connection establishment request to the mobility management network element of the public network may be:
  • Step e1: The access network device sends the second connection establishment request to the control plane network element of the private network.
  • control plane network element of the private network receives the second connection establishment request from the terminal device.
  • the second connection establishment request is carried in the N2 message. Since the control plane network element of the private network is a relay node between the RAN device and the control plane network element (exemplarily, the AMF network element) of the public network, it forwards the received N2 message; therefore, the message sent by the RAN device to the control plane network element of the public network through the N2 tunnel is forwarded by the control plane network element of the private network.
  • the control plane network element of the private network is a relay node between the RAN device and the control plane network element (exemplary, AMF network element) of the public network.
  • Step e2: The control plane network element of the private network sends the second connection establishment request to the mobility management network element of the public network.
  • what the control plane network element of the private network sends to the control plane network element of the public network is the N2 message carrying the second connection establishment request.
  • the control plane network element of the private network determines that the N2 message corresponds to the public network.
  • the N2 message includes the first indication identifier, which indicates that the N2 message corresponds to the public network.
  • the first indication is used to indicate that the N2 message corresponds to the public network, that is, the control plane network element of the private network does not need to process the message, but only needs to forward the N2 message.
  • the control plane network element of the private network may determine that the N2 message corresponds to the public network according to the first indicator.
  • if the N2 message does not contain the second indicator, or the N2 message is not a special (or called specific, preset) form of N2 message (specific N2 message), this means that the N2 message corresponds to the public network.
  • the second indication identifier or the special form of the message is used to indicate that the N2 message corresponds to a private network, that is to say, the control plane network element of the private network needs to perform the next processing on the N2 message.
  • this kind of N2 message may be the N2 message including the first connection establishment request described in the subsequent content.
  • the control plane network element of the private network may determine that the N2 message corresponds to the public network according to the fact that the N2 message does not include the second indicator, or the N2 message is not a special N2 message.
  • in step S301, the control plane network element of the private network discovered by the RAN device to implement the relay function (for the convenience of description, called the control plane network element of the first type of private network) and the control plane network element of the private network discovered by the RAN device according to the routing information in the subsequent step S306 (for the convenience of description, called the control plane network element of the second type of private network) are different control plane network elements.
  • the control plane network element of the first type of private network forwards the received N2 message.
  • the control plane network element of the second type of private network responds to the connection request in the received N2 message, and further establishes the connection between the private network and the terminal device.
  • after the mobility management network element of the public network receives the second connection establishment request from the access network device, the mobility management network element of the public network establishes the connection between the public network and the terminal device according to the second connection establishment request.
  • the NAS security of the public network can be established by using the key of the public network. That is to say, based on the key of the public network, the mobility management network element and the terminal device of the public network agree on a key corresponding to the NAS control plane of the public network.
  • the terminal device sends a third message to the access network device, where the third message includes the first connection establishment request.
  • the third message may be an uplink radio resource control (radio resource control, RRC) message.
  • the third message is used to trigger the establishment of the connection between the private network and the terminal device.
  • the third message includes a first connection establishment request and routing information of a control plane network element of the private network, where the first connection establishment request is used to request establishment of a connection between the private network and the terminal device, and the routing information of the control plane network element of the private network is used to discover the control plane network element of the private network.
  • the connection between the private network and the terminal device may be a NAS connection of the private network.
  • the third message may include the second indication information, the routing information of the control plane network element of the private network, and the first connection establishment request.
  • the second indication information is used to instruct the access network device to discover the control plane network element of the private network
  • the routing information of the control plane network element of the private network is used to discover the control plane network element of the private network.
  • the first connection establishment request may be an Initial UE NAS message, or another newly defined (or called specific or preset) NAS message. If the first connection establishment request is an Initial UE NAS message, then the third message also includes third indication information, and the third indication information is used to indicate that the Initial UE NAS message corresponds to the private network. If the first connection establishment request is another newly defined NAS message, then this newly defined NAS message may itself indicate that the NAS message corresponds to the private network.
  • the terminal device may determine to establish a private network NAS connection according to the private network-specific DNN or private network-specific NSSAI to transmit the private network session management message.
  • the private network-specific DNN or private network-specific NSSAI may be included in the policy information pre-configured in the terminal device or issued by the network device.
  • the policy information may instruct the terminal device, if there is a private network-specific DNN or a private network-specific NSSAI in the policy information, to establish a private network NAS connection to transmit private network session management messages during the process of registering the terminal device to the network (for example, when the terminal is powered on).
  • the policy information may instruct the terminal device to establish a private network NAS connection to transmit private network session management messages.
  • after the access network device receives the third message from the terminal device, the access network device discovers the control plane network element of the private network according to the third message, and sends the first connection establishment request to the control plane network element of the private network.
  • control plane network element of the private network is used to establish a connection between the private network and the terminal device. It should be noted that the control plane network element of the private network discovered by the access network device in S306 may be the same as or different from the control plane network element of the private network discovered by the access network device during the registration process of the terminal device.
  • the first connection establishment request is carried in an N2 message.
  • after the control plane network element of the private network receives the first connection establishment request from the access network device, the control plane network element of the private network establishes the connection between the private network and the terminal device according to the first connection establishment request.
  • the connection between the private network and the terminal device may be used to transmit the signaling exchanged between the terminal device and the control plane network element of the private network (for example, an L-CP network element).
  • the signaling may include related signaling for establishing (or modifying, deleting) a session connection, and so on.
  • the connection between the private network and the terminal device may be used for the first message in S308.
  • the control plane network element of the private network determines that the N2 message carrying the first connection establishment request corresponds to the private network. It should be noted that the determination method can refer to the introduction in the above step e2.
  • if the control plane network element of the private network determines that the N2 message does not correspond to the public network, it can determine that the N2 message corresponds to the private network.
  • the control plane network element of the private network in step S307 is the control plane network element of the second type of private network introduced in the above step e2.
  • the NAS security of the private network can be established by using the key of the private network. That is to say, the control plane network elements and terminal devices of the private network agree on the NAS control plane key corresponding to the private network based on the private network key.
  • the terminal device sends the first message to the control plane network element of the private network through the connection between the private network and the terminal device.
  • the first message may be forwarded by the access network device.
  • after the control plane network element of the private network receives the first message from the terminal device through the connection between the private network and the terminal device, the control plane network element of the private network determines, according to the connection between the private network and the terminal device, that the session establishment request in the first message corresponds to the private network.
  • if the control plane network element of the private network determines that the session establishment request is sent through the connection between the private network and the terminal device, then the control plane network element of the private network determines that the session establishment request corresponds to the private network.
  • the control plane network element of the private network may determine, according to one or more of the first parameter in the first message, the second parameter, the local configuration information, or the subscription information corresponding to the terminal device, that the session establishment request corresponds to the private network, or determine to use the key of the private network to establish the user plane security of the air interface. It should be noted that, for the method of determining that the session establishment request corresponds to the private network, refer to the introduction in S206 above, and for determining to use the key of the private network to establish the user plane security of the air interface, refer to the introduction in S207 above, which will not be repeated here.
  • the control plane network element of the private network establishes the user plane security of the air interface according to the key of the private network.
  • the manner in which the control plane network element of the private network establishes the user plane security of the air interface according to the key of the private network may refer to the introduction in the above step S104, and will not be repeated here.
  • the terminal device respectively establishes a connection with the public network and a connection with the private network.
  • the terminal device can obtain the root key of the private network and the root key of the public network.
  • the root key of the private network is different from the root key of the public network.
  • the user plane key of the private network is generated according to the root key of the private network, and the user plane key of the public network is generated according to the root key of the public network.
  • the control plane network elements of the private network include a first network element and a second network element; or, the first network element and the second network element are two independent network elements, and the first network element and the second network element jointly realize the functions realized by the control plane network elements of the private network.
  • the function of the control plane network element of the private network to receive messages from other devices and/or forward messages to other devices, or to establish the connection between the private network and the terminal device, can be implemented by the first network element.
  • the function of managing private network service sessions may be implemented by the second network element.
  • the operation in step e1 may be: the access network device sends the second connection establishment request to the first network element, and correspondingly, the first network element receives the second connection establishment request from the access network device.
  • step S306 may be: the access network device discovers the first network element according to the first message, and sends the first connection establishment request to the first network element, and correspondingly, the first network element receives the first connection establishment request from the access network device, where the first message includes the session establishment request.
  • step S308 may be: the terminal device sends the first message to the first network element through the connection between the private network and the terminal device, and correspondingly, the first network element receives the first message from the terminal device through the connection between the private network and the terminal device.
  • the execution subject of step e2 and step S307 may be the first network element.
  • step S310 can refer to the following process:
  • Step f1: When the first network element determines that the session establishment request corresponds to the private network, the first network element forwards the first message to the second network element.
  • the first network element may directly forward the first message received through the connection between the private network and the terminal device to the second network element.
  • Step f2: According to one or more of the first parameter in the first message, the second parameter, the local configuration information, or the subscription information corresponding to the terminal device, the second network element determines to use the key of the private network to establish the user plane security of the air interface.
  • step f2 can refer to the introduction of step d2 in the above content, and will not be repeated here.
  • Step f3: The second network element establishes the user plane security of the air interface according to the key of the private network.
  • the manner in which the second network element establishes the user plane security of the air interface according to the key of the private network can refer to the introduction in the above content, and will not be repeated here.
  • the second network element may store a private network key.
  • the second network element may obtain the private network key from the AAA server.
  • the second network element may obtain the private network key or a derived key of the private network key from another network element storing the private network key.
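The decision logic of steps e2, d1 to d3 and f1 to f3 above, modelled as an added example that is not code from the patent: a relaying private-network control plane element classifies N2 messages by their indicators, classifies session establishment requests by the connection they arrive on or by the first parameter, private NSSAI or DNN, and then picks the root key from which the air-interface user plane key is derived. The message field names, the NSSAI/DNN values, the cause value and the HMAC-SHA256 key derivation are assumptions for illustration; the patent does not specify them.

```python
"""Private-network control plane routing and key-selection model (added example).

All field names, sample NSSAI/DNN values, the cause value and the KDF below are
assumptions; the patent text only describes the decisions, not the encodings.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed private-network-specific identifiers (assumed values).
PRIVATE_NSSAI = {"snssai-private-1"}
PRIVATE_DNN = {"factory.local"}


def derive_key(root_key: bytes, label: str) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label. The text only says the user plane
    key is generated from the respective root key, so the function is illustrative."""
    return hmac.new(root_key, label.encode(), hashlib.sha256).digest()


@dataclass
class N2Message:
    """N2 message seen by the relaying private CP element (first network element)."""
    first_indication: bool = False   # indicates the message corresponds to the public network
    second_indication: bool = False  # indicates the message corresponds to the private network
    specific_n2: bool = False        # special/preset form of N2 message, also private


def n2_target(msg: N2Message) -> str:
    """Step e2 / S307: forward to the public AMF or process locally."""
    if msg.first_indication:
        return "public"
    if msg.second_indication or msg.specific_n2:
        return "private"
    # Neither the second indicator nor the special form: corresponds to the public network.
    return "public"


@dataclass
class SessionRequest:
    """The 'first message' carrying a session establishment request."""
    via_private_nas: bool = False      # S309: received over the private NAS connection
    first_parameter: bool = False      # d2: private-network parameter in the message
    second_parameter: bool = False
    nssai: Optional[str] = None
    dnn: Optional[str] = None
    subscription_private: bool = False  # subscription information for this terminal


@dataclass
class PrivateControlPlane:
    private_root_key: bytes
    public_root_key: bytes
    local_config_private: bool = False     # local configuration information (d2)
    reject_instead_of_forward: bool = False  # alternative in the text: feed back failure
    forwarded_to_amf: List[SessionRequest] = field(default_factory=list)

    def session_corresponds_to_private(self, req: SessionRequest) -> bool:
        """S206 / S309: decide whether the session establishment request is private."""
        if req.via_private_nas:
            return True
        return req.first_parameter or req.nssai in PRIVATE_NSSAI or req.dnn in PRIVATE_DNN

    def use_private_key(self, req: SessionRequest) -> bool:
        """Step d2: any one of the listed items is sufficient."""
        return (req.first_parameter or req.second_parameter
                or self.local_config_private or req.subscription_private)

    def handle_session_request(self, req: SessionRequest) -> dict:
        """Steps d1 to d3: route the request and select the user plane key source."""
        if not self.session_corresponds_to_private(req):
            # Public-network session: forwarded to the public AMF, which uses the public root key.
            self.forwarded_to_amf.append(req)
            return {"handled_by": "public_amf", "up_key": derive_key(self.public_root_key, "UP")}
        if not self.use_private_key(req):
            if self.reject_instead_of_forward:
                # Constructed cause value; the patent only says a cause value is included.
                return {"handled_by": "private_cp", "rejected": True, "cause": "SESSION_NOT_ALLOWED"}
            self.forwarded_to_amf.append(req)
            return {"handled_by": "public_amf", "up_key": derive_key(self.public_root_key, "UP")}
        # Step d3: user plane security of the air interface from the private root key.
        return {"handled_by": "private_cp", "up_key": derive_key(self.private_root_key, "UP")}


def keys_are_isolated() -> bool:
    """Private and public sessions on the same terminal end up with keys from different roots."""
    cp = PrivateControlPlane(private_root_key=b"\x01" * 32, public_root_key=b"\x02" * 32)
    priv = cp.handle_session_request(SessionRequest(via_private_nas=True, first_parameter=True))
    pub = cp.handle_session_request(SessionRequest(nssai="snssai-public"))
    return priv["handled_by"] == "private_cp" and pub["handled_by"] == "public_amf" \
        and priv["up_key"] != pub["up_key"]


if __name__ == "__main__":
    print("isolated:", keys_are_isolated())
```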
  • the method provided in the embodiments of the present application is described from the perspective of interaction between the control plane network elements of the private network, the terminal devices, the access network devices, and the mobility management network elements of the public network.
  • the control plane network elements of the private network, the terminal devices, the access network devices, and the mobility management network elements of the public network may include hardware structures, software modules, or hardware structures plus software modules to realize the above functions.
  • a certain function among the above-mentioned functions may be implemented in the form of a hardware structure, a software module, or a hardware structure plus a software module.
  • FIG. 9 is a schematic structural diagram of a communication device 900 provided by an embodiment of the present application.
  • the communication device 900 can correspondingly implement the functions or steps implemented by the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network in the above method embodiments.
  • the communication device 900 may include a transceiver unit 901 or a processing unit 902 .
  • a storage unit may also be included, and the storage unit may be used to store instructions (code or program) and/or data.
  • the transceiver unit 901 or the processing unit 902 may be coupled with the storage unit; for example, the processing unit 902 may read instructions (code or program) and/or data in the storage unit to implement a corresponding method.
  • Each of the above units can be set independently, or can be partially or fully integrated.
  • the transceiving unit 901 may include a sending unit or a receiving unit, the sending unit is configured to perform a sending operation, and the receiving unit is configured to perform a receiving operation.
  • the processing unit 902 may be a processor or a controller, such as a general-purpose central processing unit (central processing unit, CPU), a general-purpose processor, digital signal processing (digital signal processing, DSP), an application specific integrated circuit (application specific integrated circuits, ASIC), field programmable gate array (field programmable gate array, FPGA) or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It may realize or execute various exemplary logical blocks, units or circuits described in connection with the disclosure of this application.
  • the processor may also be a combination of computing functions, for example, a combination of one or more microprocessors, a combination of DSP or microprocessors, and the like.
  • the transceiver unit 901 is an interface circuit of the device for receiving signals from other devices.
  • the transceiver unit 901 is an interface circuit for the chip to receive signals from other chips or devices, or an interface circuit for the chip to send signals to other chips or devices.
  • the communication device 900 may be a control plane network element, a terminal device, or an access network device of a private network or a mobility management network element of a public network in the above embodiments.
  • the communication device 900 may also be a device used for the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network, or a chip of the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network.
  • the processing unit 902 may be, for example, a processor.
  • the transceiver unit 901 may be, for example, a transceiver device.
  • the transceiver may include a radio frequency circuit or an input/output interface.
  • the storage unit may be, for example, a memory.
  • the processing unit 902 may be, for example, a processor, and the transceiver unit 901 may be, for example, an input/output interface, a pin, or a circuit.
  • the processing unit 902 can execute the computer-executed instructions stored in the storage unit.
  • the storage unit is a storage unit in the chip, such as a register, a cache, etc.; the storage unit may also be a storage unit located outside the chip within the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network, such as a read-only memory (ROM) or another type of static storage device that can store static information or instructions, a random access memory (RAM), etc.
  • the communication device 900 can correspondingly realize the behavior and function of the control plane network element (or called L-SMF) of the private network in the above method embodiments.
  • the communication device 900 may be a control plane network element of the private network, or may be a component (such as a chip or a circuit) applied to the control plane network element of the private network.
  • the transceiver unit 901 can be used to support the communication between the control plane network element of the private network and other network entities, for example, the communication between the control plane network element of the private network and the mobility management network element of the public network, the access network device, the terminal device, etc. shown in FIGS. 4-8.
  • the processing unit 902 is used to control and manage the actions of the control plane network elements of the private network.
  • the processing unit 902 is used to support the control plane network elements of the private network to execute the transmission and reception of the control plane network elements of the private network as shown in Figures 4-8. other operations.
  • the processing unit 902 is configured to obtain the key of the private network, the key of the private network is the root key of the private network or a key derived based on the root key of the private network, the root key of the private network The key is different from the root key of the public network.
  • the key of the private network is used for the security of the user plane of the air interface, and the root key of the public network is used for the security of the control plane of the air interface.
• Exemplarily, for the operations performed by the processing unit 902, reference may be made to the introduction of step S101 in the method shown in FIG. 5 above.
  • the transceiving unit 901 is configured to receive a first message from a terminal device, where the first message includes a session establishment request.
  • the processing unit 902 is further configured to determine that the session establishment request corresponds to the private network. Exemplarily, for the operations performed by the processing unit 902, reference may be made to the introduction of step S103 in the method shown in FIG. 5 above.
  • the processing unit 902 is further configured to establish user plane security of the air interface according to the private network key. Exemplarily, for the operations performed by the processing unit 902, reference may be made to the introduction of step S104 in the method shown in FIG. 5 above.
• the transceiver unit 901 is further configured to: receive the non-access stratum (NAS) key of the public network from the mobility management network element of the public network; and parse the first message using the NAS key of the public network to obtain the session establishment request.
• the transceiver unit 901 is specifically configured to: receive a second message from the mobility management network element of the public network, where the second message includes second information and the NAS key of the public network, and the second information is used to indicate the authority granted to the control plane network element of the private network to use the NAS key of the public network.
• the first message includes first information, and the first information is used to indicate that the session establishment request corresponds to the private network; the processing unit 902 is specifically configured to: determine, according to the first information, that the session establishment request corresponds to the private network.
• the transceiver unit 901 is specifically configured to: receive the first message from the terminal device through a first connection between the private network and the terminal device; the processing unit 902 is specifically configured to: determine, according to the first connection, that the session establishment request corresponds to the private network.
• the transceiver unit 901 is further configured to receive a first connection establishment request from the terminal device, where the first connection establishment request is used to request establishment of the first connection; the processing unit 902 is further configured to establish the first connection according to the first connection establishment request; the transceiver unit 901 is further configured to receive a second connection establishment request from the terminal device, where the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device; and the transceiver unit 901 is further configured to send the second connection establishment request to the mobility management network element of the public network.
  • the processing unit 902 is specifically configured to: generate a security parameter according to the key of the private network; the transceiver unit 901 is also configured to: send the security parameter to the terminal device and/or access network device, The security parameter is used for the terminal device and/or the access network device to generate an air interface user plane key.
• the control plane network element of the private network stores the key of the private network; or, the processing unit 902 is specifically configured to: obtain the key of the private network from an authentication, authorization and accounting (AAA) server.
• for the operations performed by each unit of the control plane network element of the private network shown in this embodiment, reference may be made to the relevant content of the control plane network element of the private network in the above method embodiments corresponding to FIGS. 4-8, which will not be described in detail here.
  • Each of the above units may be implemented in hardware, software or a combination of software and hardware.
  • the functions of the transceiver unit 901 and the processing unit 902 in the above content may be implemented by one or more processors in the communication device 900 .
  • the key for establishing the security of the user plane of the air interface is different from the key for establishing the security of the control plane of the air interface, and the establishment of security of the user plane is more independent, which can improve the security of services.
  • the communications apparatus 900 can correspondingly implement the behavior and functions of the terminal device in the foregoing method embodiments.
  • the communication apparatus 900 may be a terminal device, or may be a component (such as a chip or a circuit) applied in the terminal device.
• the transceiver unit 901 can be used to support communication between the terminal device and other network entities, for example, communication between the terminal device and the control plane network element of the private network, the access network device, the mobility management network element of the public network, etc. shown in FIGS. 4-8.
  • the processing unit 902 is used to control and manage the actions of the terminal device, for example, the processing unit 902 is used to support the terminal device to perform operations of the terminal device in FIGS. 4-8 except for sending and receiving.
  • the transceiver unit 901 is configured to send a first message to a control plane network element of the private network, where the first message includes a session establishment request corresponding to the private network.
• Exemplarily, for the operations performed by the transceiver unit 901, reference may be made to the introduction of step S308 in the method shown in FIG. 8 above.
• the processing unit 902 is configured to establish the user plane security of the air interface according to the key of the private network; where the root key of the private network is different from the root key of the public network, the key of the private network is the root key of the private network or a key derived based on the root key of the private network, the key of the private network is used for the security of the user plane of the air interface, and the root key of the public network is used for the security of the control plane of the air interface.
• Exemplarily, for the operations performed by the processing unit 902, reference may be made to the introduction of step b5 in the method shown in FIG. 6 above.
  • the transceiver unit 901 is further configured to: send a first connection establishment request to the control plane network element of the private network, where the first connection establishment request is used to request establishment of a connection between the private network and the terminal device.
• the transceiver unit 901 is further configured to send a second connection establishment request to the mobility management network element of the public network, where the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device; the processing unit 902 is further configured to generate an air interface control plane key according to the root key of the public network.
• the transceiver unit 901 is further configured to receive a security parameter from the control plane network element of the private network; the processing unit 902 is specifically configured to generate the user plane key of the air interface according to the security parameter and the key of the private network, and to establish the user plane security of the air interface according to the user plane key of the air interface.
• for the operations performed by each unit of the terminal device shown in this embodiment, reference may be made to the relevant content of the terminal device in the above method embodiments corresponding to FIGS. 4-8, which will not be described in detail here.
  • Each of the above units may be implemented in hardware, software or a combination of software and hardware.
  • the functions of the transceiver unit 901 and the processing unit 902 in the above content may be implemented by one or more processors in the communication device 900 .
• the connection between the private network and the terminal device can be established, and the user plane key of the air interface can be generated according to the root key of the private network; thus, the security isolation of the public network and the private network can be realized, and the security of private network services can be improved.
  • the communications apparatus 900 can correspondingly implement the behaviors and functions of the access network device in the foregoing method embodiments.
  • the communication apparatus 900 may be an access network device, or may be a component (such as a chip or a circuit) applied in the access network device.
• the transceiver unit 901 can be used to support communication between the access network device and other network entities, for example, communication between the access network device and the control plane network element of the private network, the mobility management network element of the public network, the terminal device, etc. shown in FIGS. 4-8.
  • the processing unit 902 is used to control and manage the actions of the access network device, for example, the processing unit 902 is used to support the access network device to perform operations of the access network device in Figures 4-8 except for sending and receiving.
• the transceiver unit 901 is configured to receive a third message from the terminal device, where the third message includes a first connection establishment request, and the first connection establishment request is used to request establishment of a first connection between the private network and the terminal device.
• Exemplarily, for the operations performed by the transceiver unit 901, reference may be made to the introduction of step S305 in the method shown in FIG. 8 above.
• the processing unit 902 is configured to discover a control plane network element of the private network according to the third message, and the control plane network element of the private network is used to establish the first connection.
• Exemplarily, for the operations performed by the processing unit 902, reference may be made to the introduction of step S306 in the method shown in FIG. 8 above.
• the transceiver unit 901 is further configured to send the first connection establishment request to the control plane network element of the private network.
• Exemplarily, for the operations performed by the transceiver unit 901, reference may be made to the introduction of step S306 in the method shown in FIG. 8 above.
• the transceiver unit 901 is further configured to receive a fourth message from the terminal device, where the fourth message includes a second connection establishment request, and the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device; the transceiver unit 901 is further configured to send the second connection establishment request to the mobility management network element of the public network according to the fourth message.
  • the third message includes routing information of the control plane network element of the private network, and the routing information of the control plane network element of the private network is used to discover the control plane network element of the private network.
• for the operations performed by each unit of the access network device shown in this embodiment, reference may be made to the relevant content of the access network device in the above method embodiments corresponding to FIGS. 4-8, which will not be described in detail here.
  • Each of the above units may be implemented in hardware, software or a combination of software and hardware.
  • the functions of the transceiver unit 901 and the processing unit 902 in the above content may be implemented by one or more processors in the communication device 900 .
• the control plane network element of the private network can be discovered according to the third message, and the first connection establishment request for establishing a connection between the private network and the terminal device can be sent to the control plane network element of the private network, thereby triggering the establishment of a connection between the private network and the terminal device; this can realize the security isolation of public network and private network services and improve the security of private network services.
• the communication device 1000 may be a control plane network element of a private network, a terminal device, an access network device, or a mobility management network element of a public network, and can implement the functions or steps of the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network.
  • the communication device 1000 may be a system on a chip.
  • the system-on-a-chip may be composed of chips, or may include chips and other discrete devices.
• the communication device 1000 includes at least one processor 1002. The processor 1002 may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits used to control the execution of the program of this application, for implementing or supporting the communication device 1000 in realizing the functions of the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network in the method provided by the embodiments of the present application.
  • the communication device 1000 may also include at least one memory 1001 for storing program instructions and/or data.
  • the memory 1001 is coupled to the processor 1002 .
  • the coupling in the embodiments of the present application is an indirect coupling or a communication connection between devices, units or modules, which may be in electrical, mechanical or other forms, and is used for information exchange between devices, units or modules.
  • Processor 1002 may cooperate with memory 1001 .
  • the processor 1002 may execute program instructions and/or data stored in the memory 1001, so that the communication device 1000 implements a corresponding method. At least one of the at least one memory may be included in the processor 1002 .
  • the communication device 1000 may also include a communication interface 1003, using any device such as a transceiver for communicating with other devices or communication networks, such as Ethernet, radio access network (radio access network, RAN), wireless local area network (wireless local area networks, WLAN), wired access network, etc.
  • the communication interface 1003 is used to communicate with other devices through a transmission medium, so that the devices used in the communication device 1000 can communicate with other devices.
• when the communication device 1000 is a private network element, the other device is a public network element, a private network user plane network element, an access network device, or a terminal device; or, when the communication device 1000 is a public network element, the other device is a private network element (a private network session management network element or a private network authentication network element), a private network user plane network element, an access network device, or a terminal device.
  • the processor 1002 can use the communication interface 1003 to send and receive data.
  • the communication interface 1003 may specifically be a transceiver.
  • the embodiment of the present application does not limit the specific connection medium among the communication interface 1003, the processor 1002, and the memory 1001.
• the memory 1001, the processor 1002, and the communication interface 1003 are connected through the bus 1004. The bus is represented by a thick line in FIG. 10; the connection mode between other components is only for schematic illustration and is not limited.
• the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 10, but this does not mean that there is only one bus or one type of bus.
• the processor 1002 may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application.
• a general-purpose processor may be a microprocessor or any conventional processor or the like. The steps of the methods disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software units in the processor.
  • Memory 1001 can be ROM or other types of static storage devices that can store static information and instructions, RAM or other types of dynamic storage devices that can store information and instructions, and can also be electrically erasable programmable read-only memory (electrically erasable programmable read-only memory, EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk Storage media or other magnetic storage devices, or any other media that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without limitation.
  • the memory may exist independently and be connected to the processor through the bus 1004 . Memory can also be integrated with the processor.
  • the memory 1001 is used to store computer-executed instructions for implementing the solution of the present application, and the execution is controlled by the processor 1002 .
  • the processor 1002 is configured to execute computer-executed instructions stored in the memory 1001, so as to implement the method for isolating public and private network services provided in the above-mentioned embodiments of the present application.
  • the computer-executed instructions in the embodiments of the present application may also be referred to as application program codes, which is not specifically limited in the embodiments of the present application.
  • the communication device may be a chip or a chip system
  • the chip 110 shown in FIG. 11 includes a processor 1101 and an interface 1102 .
  • the number of processors 1101 may be one or more, and the number of interfaces 1102 may be more than one.
• the processor 1101 is configured to obtain the key of the private network, where the key of the private network is the root key of the private network or a key derived based on the root key of the private network, and the root key of the private network is different from the root key of the public network.
• the key of the private network is used for the security of the user plane of the air interface, and the root key of the public network is used for the security of the control plane of the air interface.
• Exemplarily, for the operations performed by the processor 1101, reference may be made to the introduction of step S101 in the method shown in FIG. 5 above.
  • the interface 1102 is configured to receive a first message from a terminal device, where the first message includes a session establishment request.
  • the processor 1101 is further configured to determine that the session establishment request corresponds to the private network. Exemplarily, for the operations performed by the processor 1101, reference may be made to the introduction of step S103 in the method shown in FIG. 5 above.
• the processor 1101 is further configured to establish user plane security of the air interface according to the key of the private network. Exemplarily, for the operations performed by the processor 1101, reference may be made to the introduction of step S104 in the method shown in FIG. 5 above.
  • the interface 1102 is configured to send a first message to a control plane network element of the private network, where the first message includes a session establishment request corresponding to the private network.
  • the operations performed by the interface 1102 may refer to the introduction in step S308 in the method shown in FIG. 8 above.
• the processor 1101 is configured to establish the user plane security of the air interface according to the key of the private network; where the root key of the private network is different from the root key of the public network, the key of the private network is the root key of the private network or a key derived based on the root key of the private network, the key of the private network is used for the security of the user plane of the air interface, and the root key of the public network is used for the security of the control plane of the air interface.
  • the interface 1102 is configured to receive a third message from the terminal device, where the third message includes a first connection establishment request, and the first connection establishment request is used to request establishment of a first connection between the private network and the terminal device.
  • the operations performed by the interface 1102 may refer to the introduction in step S305 in the method shown in FIG. 8 above.
• the processor 1101 is configured to discover a control plane network element of the private network according to the third message, and the control plane network element of the private network is used to establish the first connection.
  • the interface 1102 is further configured to send the first connection establishment request to the control plane network element of the private network.
  • the operations performed by the interface 1102 may refer to the introduction in step S306 in the method shown in FIG. 8 above.
  • the chip further includes a memory 1103, and the memory 1103 is used to store necessary program instructions and data of the terminal device.
  • the embodiment of the present application also provides a communication system.
• the communication system includes a control plane network element of a private network, a mobility management network element of a public network, and an access network device, for realizing the related functions in FIGS. 4-8 above.
  • the control plane network element of the private network is used to realize the functions of the control plane network element of the private network related to the above-mentioned FIG. 4 to FIG. 8 .
  • the mobility management network element of the public network is used to realize the functions of the mobility management network element part of the public network related to FIG. 4 to FIG. 8 .
  • the access network device is used to implement the functions of the above-mentioned part of the access network device in Fig. 4-Fig. 8 .
• An embodiment of the present application also provides a computer-readable storage medium, including instructions, which, when run on a computer, cause the computer to execute the method performed by the control plane network element of the private network, the mobility management network element of the public network, the access network device, or the terminal device in FIGS. 4-8.
  • An embodiment of the present application also provides a computer program product, including instructions, which, when run on a computer, cause the computer to execute the control plane network element of the private network, the mobility management network element of the public network, and A method performed by an access network device or a terminal device.
• An embodiment of the present application provides a chip system. The chip system includes a processor and may also include a memory, for implementing the functions of the control plane network element of the private network, the mobility management network element of the public network, the access network device, or the terminal device in the foregoing method.
  • the system-on-a-chip may consist of chips, or may include chips and other discrete devices.
• all or part of the above embodiments may be implemented by software, hardware, firmware, or any combination thereof.
• when implemented using software, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
• the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, radio, microwave, etc.) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
  • the available medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a high-density digital video disc (digital video disc, DVD)), or a semiconductor medium (for example, a solid state disk (solid state disk, SSD)) etc.
  • the corresponding relationships shown in the tables in this application can be configured or predefined.
  • the values of the information in each table are just examples, and may be configured as other values, which are not limited in this application.
  • the corresponding relationship shown in some rows may not be configured.
  • appropriate deformation adjustments can be made based on the above table, for example, splitting, merging, and so on.
  • the names of the parameters shown in the titles of the above tables may also adopt other names understandable by the communication device, and the values or representations of the parameters may also be other values or representations understandable by the communication device.
• other data structures can also be used, for example, arrays, queues, containers, stacks, linear tables, pointers, linked lists, trees, graphs, structures, classes, heaps, hash tables, etc.
• "Predefinition" in this application can be understood as definition, predefinition, storage, pre-storage, pre-negotiation, pre-configuration, solidification (hard-coding), or pre-burning.

Abstract

Disclosed in embodiments of the present application are an isolation method, apparatus and system for public and private network services. The method comprises: a control plane network element of a private network obtains a key of the private network, wherein the key of the private network is a root key of the private network or a key derived based on the root key of the private network, the root key of the private network is different from a root key of the public network, the key of the private network is used for the user plane security of an air interface, and the root key of the public network is used for the control plane security of the air interface; the control plane network element of the private network receives a first message from a terminal device, the first message comprising a session establishment request; the control plane network element of the private network determines that the session establishment request corresponds to the private network; and the control plane network element of the private network establishes the user plane security of the air interface according to the key of the private network. In the embodiments of the present application, the key for establishing the user plane security of the air interface is different from the key for establishing the control plane security of the air interface, the establishment of the user plane security is more independent, and the security of the service can be improved.

Description

一种公私网业务的隔离方法、装置及系统Method, device and system for isolating public and private network services
This application claims priority to the Chinese patent application No. 202110605645.8, filed with the China National Intellectual Property Administration on May 31, 2021 and entitled "Isolation method, apparatus and system for public and private network services", the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the field of communications technology, and in particular to an isolation method, apparatus and system for public and private network services.
Background
To improve the information security of data services, data services with higher security requirements exchange information within a dedicated private network. Today, industrial scenarios not only require that private network service data never leave the campus, but also require that the integrity and confidentiality of private network service data be strictly guaranteed.
From a cost perspective, sharing hardware between the public network and the private network is an effective way to reduce cost. Typically, the private network and the public network share the radio access network (RAN) nodes and the 5G core (5GC) control plane, while the private network has its own user plane function (UPF) network element; alternatively, the private network and the public network share the RAN nodes, the 5GC control plane and the 5GC user plane, and the private network relies on network slicing or the closed access group (CAG) feature of the public network to isolate itself from the public network. In either arrangement, the sharing between the public network and the private network affects the security of private network services.
Summary
The present application provides an isolation method, apparatus and system for public and private network services, used to ensure the security of private network services.
In a first aspect, the present application provides an isolation method for public and private network services. The method includes: a control plane network element of a private network obtains a key of the private network, where the key of the private network is a root key of the private network or a key derived from the root key of the private network, the root key of the private network is different from a root key of a public network, the key of the private network is used for user plane security of an air interface, and the root key of the public network is used for control plane security of the air interface; the control plane network element of the private network receives a first message from a terminal device, the first message including a session establishment request; the control plane network element of the private network determines that the session establishment request corresponds to the private network; and the control plane network element of the private network establishes user plane security of the air interface according to the key of the private network. With this method, the key used to establish user plane security of the air interface differs from the key used to establish control plane security of the air interface, so user plane security is established more independently, which can improve service security.
With reference to the first aspect, in a possible implementation, the method further includes: the control plane network element of the private network receives a non-access stratum (NAS) key of the public network from a mobility management network element of the public network; and the control plane network element of the private network parses the first message using the NAS key of the public network to obtain the session establishment request.
With reference to the first aspect, in a possible implementation, the control plane network element of the private network receiving the NAS key of the public network from the mobility management network element of the public network includes: the control plane network element of the private network receives a second message from the mobility management network element of the public network, the second message including second information and the NAS key of the public network, where the second information indicates that the control plane network element of the private network is granted permission to use the NAS key of the public network.
With reference to the first aspect, in a possible implementation, the first message includes first information, the first information indicating that the session establishment request corresponds to the private network, and the control plane network element of the private network determining that the session establishment request corresponds to the private network includes: the control plane network element of the private network determines, according to the first information, that the session establishment request corresponds to the private network.
With reference to the first aspect, in a possible implementation, the control plane network element of the private network receiving the first message from the terminal device includes: the control plane network element of the private network receives the first message from the terminal device over a first connection between the private network and the terminal device; and the control plane network element of the private network determining that the session establishment request corresponds to the private network includes: the control plane network element of the private network determines, according to the first connection, that the session establishment request corresponds to the private network.
With reference to the first aspect, in a possible implementation, the method further includes: the control plane network element of the private network receives a first connection establishment request from the terminal device, the first connection establishment request requesting establishment of the first connection; the control plane network element of the private network establishes the first connection according to the first connection establishment request; the control plane network element of the private network receives a second connection establishment request from the terminal device, the second connection establishment request requesting establishment of a second connection between the public network and the terminal device; and the control plane network element of the private network sends the second connection establishment request to the mobility management network element of the public network.
With reference to the first aspect, in a possible implementation, the control plane network element of the private network establishing user plane security of the air interface according to the key of the private network includes: the control plane network element of the private network generates a security parameter according to the key of the private network; and the control plane network element of the private network sends the security parameter to the terminal device and/or an access network device, where the security parameter is used by the terminal device and/or the access network device to generate a user plane key of the air interface.
With reference to the first aspect, in a possible implementation, the control plane network element of the private network stores the key of the private network; or, the control plane network element of the private network obtaining the key of the private network includes: the control plane network element of the private network obtains the key of the private network from an authentication, authorization and accounting (AAA) server.
In a second aspect, an embodiment of the present application provides another isolation method for public and private network services. The method includes: a terminal device sends a first message to a control plane network element of a private network, the first message including a session establishment request corresponding to the private network; and the terminal device establishes user plane security of an air interface according to a key of the private network, where a root key of the private network is different from a root key of a public network, the key of the private network is the root key of the private network or a key derived from the root key of the private network, the key of the private network is used for user plane security of the air interface, and the root key of the public network is used for control plane security of the air interface. With this method, the key used to establish user plane security of the air interface differs from the key used to establish control plane security of the air interface, so user plane security is established more independently, which can improve service security.
With reference to the second aspect, in a possible implementation, the method further includes: the terminal device sends a first connection establishment request to the control plane network element of the private network, the first connection establishment request requesting establishment of a first connection between the private network and the terminal device, the first connection being used to transmit the first message; where a second connection exists between the terminal device and the public network, the second connection being used to transmit signalling of the public network.
With reference to the second aspect, in a possible implementation, the method further includes: the terminal device sends a second connection establishment request to a mobility management network element of the public network, the second connection establishment request requesting establishment of the second connection between the public network and the terminal device; and the terminal device generates a control plane key of the air interface according to the root key of the public network.
With reference to the second aspect, in a possible implementation, the method further includes: the terminal device receives a security parameter from the control plane network element of the private network; and the terminal device establishing user plane security of the air interface according to the key of the private network includes: the terminal device generates a user plane key of the air interface according to the security parameter and the key of the private network; and the terminal device establishes user plane security of the air interface according to the user plane key of the air interface.
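As an added example that is not part of the patent, the following Python model plays out the network side of the first aspect and the terminal side of the second aspect end to end: the public-network mobility management element derives the control plane key from the public root key and hands its NAS key to the private control plane element (the second message), the terminal sends a NAS-protected first message carrying the first information and the session establishment request, and the private control plane element answers with a security parameter from which both sides derive the user plane key from the private key alone. The HMAC-SHA256 derivation, the MAC-based NAS protection, the message encoding and all key values are assumptions of this example; the patent fixes none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 derivation (constructed for this example;
    the patent does not fix a particular key derivation function)."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def protect(nas_key: bytes, payload: bytes) -> bytes:
    """NAS integrity protection modelled as payload || 32-byte HMAC tag (assumption)."""
    return payload + hmac.new(nas_key, payload, hashlib.sha256).digest()


def unprotect(nas_key: bytes, message: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies under nas_key, otherwise None."""
    payload, tag = message[:-32], message[-32:]
    expected = hmac.new(nas_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


@dataclass
class PublicMobilityManagement:
    """Public-network mobility management element: the only holder of the public root key."""
    root_key: bytes

    def nas_key(self) -> bytes:
        return kdf(self.root_key, b"nas")

    def control_plane_key(self, ue_id: bytes) -> bytes:
        # Air-interface control plane security comes from the public root key only.
        return kdf(self.root_key, b"air-cp", ue_id)

    def send_second_message(self, private_cp: "PrivateControlPlane") -> None:
        # Second message: the public NAS key plus second information granting its use.
        private_cp.receive_second_message(self.nas_key(), granted=True)


@dataclass
class PrivateControlPlane:
    """Private-network control plane element: holds the private key, never the public root key."""
    private_key: bytes
    nas_key: Optional[bytes] = None

    def receive_second_message(self, nas_key: bytes, granted: bool) -> None:
        if granted:
            self.nas_key = nas_key

    def handle_first_message(self, message: bytes) -> Optional[bytes]:
        """Parse the first message with the public NAS key; return a security
        parameter only for a session establishment request marked for the private network."""
        if self.nas_key is None:
            return None  # no permission to parse NAS-protected messages yet
        payload = unprotect(self.nas_key, message)
        if payload is None:
            return None  # integrity check failed
        first_information, _, request = payload.partition(b"|")
        if first_information != b"private" or request != b"SESSION_ESTABLISHMENT_REQUEST":
            return None  # not a private-network session: public key material stays in charge
        return os.urandom(16)  # security parameter (constructed here as a fresh nonce)

    def user_plane_key(self, security_parameter: bytes, ue_id: bytes) -> bytes:
        # Air-interface user plane security comes from the private key only.
        return kdf(self.private_key, b"air-up", security_parameter, ue_id)


@dataclass
class Terminal:
    ue_id: bytes
    public_root_key: bytes
    private_key: bytes

    def control_plane_key(self) -> bytes:
        return kdf(self.public_root_key, b"air-cp", self.ue_id)

    def first_message(self, nas_key: bytes) -> bytes:
        # First information ("private") plus the session establishment request, NAS-protected.
        return protect(nas_key, b"private|SESSION_ESTABLISHMENT_REQUEST")

    def user_plane_key(self, security_parameter: bytes) -> bytes:
        return kdf(self.private_key, b"air-up", security_parameter, self.ue_id)


def run_exchange(public_root: bytes, private_key: bytes, ue_id: bytes = b"ue-0001") -> dict:
    """Full flow: NAS key grant, first message, security parameter, key derivation on both sides."""
    amf = PublicMobilityManagement(public_root)
    private_cp = PrivateControlPlane(private_key)
    ue = Terminal(ue_id, public_root, private_key)
    amf.send_second_message(private_cp)
    security_parameter = private_cp.handle_first_message(ue.first_message(amf.nas_key()))
    if security_parameter is None:
        raise RuntimeError("session establishment request not accepted")
    return {
        "cp_key": amf.control_plane_key(ue_id),
        "ue_cp_key": ue.control_plane_key(),
        "up_key_network": private_cp.user_plane_key(security_parameter, ue_id),
        "up_key_ue": ue.user_plane_key(security_parameter),
    }


if __name__ == "__main__":
    keys = run_exchange(bytes(32), bytes(range(32)))  # constructed sample root keys
    for name, value in keys.items():
        print(f"{name}: {value.hex()[:16]}...")
```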
In a third aspect, the present application provides yet another isolation method for public and private network services. The method includes: an access network device receives a third message from a terminal device, the third message including a first connection establishment request, the first connection establishment request requesting establishment of a first connection between a private network and the terminal device; the access network device discovers a control plane network element of the private network according to the third message, the control plane network element of the private network being used to establish the first connection; and the access network device sends the first connection establishment request to the control plane network element of the private network. With this method, the access network device can discover the control plane network element of the private network according to the third message and send it the first connection establishment request, which requests establishment of a connection between the private network and the terminal device, thereby triggering the establishment of a connection between the private network and the terminal device; this can achieve security isolation of public network and private network services and improve the security of private network services.
With reference to the third aspect, in a possible implementation, the method further includes: the access network device receives a fourth message from the terminal device, the fourth message including a second connection establishment request, the second connection establishment request requesting establishment of a second connection between a public network and the terminal device; and the access network device sends the second connection establishment request to a mobility management network element of the public network according to the fourth message.
With reference to the third aspect, in a possible implementation, the third message includes routing information of the control plane network element of the private network, and the routing information of the control plane network element of the private network is used to discover the control plane network element of the private network.
In a fourth aspect, an embodiment of the present application provides an isolation method for public and private network services. The method includes: a mobility management network element of a public network obtains a non-access stratum (NAS) key of the public network; and the mobility management network element of the public network sends the NAS key of the public network to a control plane network element of a private network. In this way, the control plane network element of the private network can obtain the NAS key of the public network and can therefore parse the received first message.
With reference to the fourth aspect, in a possible implementation, the mobility management network element of the public network sending the NAS key of the public network to the control plane network element of the private network includes: the mobility management network element of the public network sends a second message to the control plane network element of the private network, the second message including second information and the NAS key of the public network, where the second information indicates that the control plane network element of the private network is granted permission to use the NAS key of the public network.
In a fifth aspect, the present application provides an isolation method for public and private network services. The method includes: a control plane network element of a private network obtains a key of the private network, where the key of the private network is a root key of the private network or a key derived from the root key of the private network, the root key of the private network is different from a root key of a public network, the key of the private network is used for user plane security of an air interface, and the root key of the public network is used for control plane security of the air interface; and the control plane network element of the private network establishes user plane security of the air interface according to the key of the private network. With this method, the key used to establish user plane security of the air interface differs from the key used to establish control plane security of the air interface, so user plane security is established more independently, which can improve service security.
With reference to the fifth aspect, in a possible implementation, before the control plane network element of the private network establishes user plane security of the air interface according to the key of the private network, the method further includes: the control plane network element of the private network receives a first message from a terminal device, the first message including a session establishment request; and the control plane network element of the private network determines that the session establishment request corresponds to the private network.
With reference to the fifth aspect, in a possible implementation, the method further includes: the control plane network element of the private network receives a non-access stratum (NAS) key of the public network from a mobility management network element of the public network; and the control plane network element of the private network parses the first message using the NAS key of the public network to obtain the session establishment request.
With reference to the fifth aspect, in a possible implementation, the control plane network element of the private network receiving the NAS key of the public network includes: the control plane network element of the private network receives a second message from the mobility management network element of the public network, the second message including second information and the NAS key of the public network, where the second information indicates that the control plane network element of the private network is granted permission to use the NAS key of the public network.
With reference to the fifth aspect, in a possible implementation, before the control plane network element of the private network establishes user plane security of the air interface according to the key of the private network, the method further includes: the control plane network element of the private network receives a first message from a terminal device over a first connection between the private network and the terminal device, the first message including a session establishment request.
With reference to the fifth aspect, in a possible implementation, before the control plane network element of the private network establishes user plane security of the air interface according to the key of the private network, the method further includes: the control plane network element of the private network determines, according to the first connection, that the session establishment request corresponds to the private network.
With reference to the fifth aspect, in a possible implementation, the method further includes: the control plane network element of the private network receives a first connection establishment request from the terminal device, the first connection establishment request requesting establishment of the first connection; the control plane network element of the private network establishes the first connection according to the first connection establishment request; the control plane network element of the private network receives a second connection establishment request from the terminal device, the second connection establishment request requesting establishment of a second connection between the public network and the terminal device; and the control plane network element of the private network sends the second connection establishment request to the mobility management network element of the public network.
With reference to the fifth aspect, in a possible implementation, the first message includes first information, the first information indicating that the session establishment request corresponds to the private network, and the control plane network element of the private network determining that the session establishment request corresponds to the private network includes: the control plane network element of the private network determines, according to the first information, that the session establishment request corresponds to the private network.
With reference to the fifth aspect, in a possible implementation, the control plane network element of the private network establishing user plane security of the air interface according to the key of the private network includes: the control plane network element of the private network generates a security parameter according to the key of the private network; and the control plane network element of the private network sends the security parameter to a terminal device and/or an access network device, where the security parameter is used by the terminal device and/or the access network device to generate a user plane key of the air interface.
With reference to the fifth aspect, in a possible implementation, the control plane network element of the private network stores the key of the private network; or, the control plane network element of the private network obtaining the key of the private network includes: the control plane network element of the private network obtains the key of the private network from an authentication, authorization and accounting (AAA) server.
In a sixth aspect, the present application provides a control plane network element of a private network, which has the function of implementing the behaviour in the method embodiment of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function. In a possible design, the control plane network element of the private network includes a processing unit and a transceiver unit, where: the processing unit is configured to obtain a key of the private network, where the key of the private network is a root key of the private network or a key derived from the root key of the private network, the root key of the private network is different from a root key of a public network, the key of the private network is used for user plane security of an air interface, and the root key of the public network is used for control plane security of the air interface; the transceiver unit is configured to receive a first message from a terminal device, the first message including a session establishment request; the processing unit is further configured to determine that the session establishment request corresponds to the private network; and the processing unit is further configured to establish user plane security of the air interface according to the key of the private network.
With reference to the sixth aspect, in a possible implementation, the transceiver unit is further configured to: receive a non-access stratum (NAS) key of the public network from a mobility management network element of the public network; and parse the first message using the NAS key of the public network to obtain the session establishment request.
With reference to the sixth aspect, in a possible implementation, the transceiver unit is specifically configured to: receive a second message from the mobility management network element of the public network, the second message including second information and the NAS key of the public network, where the second information indicates that the control plane network element of the private network is granted permission to use the NAS key of the public network.
With reference to the sixth aspect, in a possible implementation, the first message includes first information, the first information indicating that the session establishment request corresponds to the private network, and the processing unit is specifically configured to: determine, according to the first information, that the session establishment request corresponds to the private network.
With reference to the sixth aspect, in a possible implementation, the transceiver unit is specifically configured to: receive the first message from the terminal device over a first connection between the private network and the terminal device; and the processing unit is specifically configured to: determine, according to the first connection, that the session establishment request corresponds to the private network.
With reference to the sixth aspect, in a possible implementation, the transceiver unit is further configured to receive a first connection establishment request from the terminal device, the first connection establishment request requesting establishment of the first connection; the processing unit is further configured to establish the first connection according to the first connection establishment request; the transceiver unit is further configured to receive a second connection establishment request from the terminal device, the second connection establishment request requesting establishment of a second connection between the public network and the terminal device; and the transceiver unit is further configured to send the second connection establishment request to the mobility management network element of the public network.
With reference to the sixth aspect, in a possible implementation, the processing unit is specifically configured to: generate a security parameter according to the key of the private network; and the transceiver unit is further configured to: send the security parameter to the terminal device and/or an access network device, where the security parameter is used by the terminal device and/or the access network device to generate a user plane key of the air interface.
With reference to the sixth aspect, in a possible implementation, the control plane network element of the private network stores the key of the private network; or, the processing unit is specifically configured to: obtain the key of the private network from an authentication, authorization and accounting (AAA) server.
For the technical effects of the sixth aspect or of its various possible designs, reference may be made to the description of the technical effects of the first aspect or of its various possible designs.
In a seventh aspect, an embodiment of this application provides a terminal device having the function of implementing the behavior in the method embodiment of the second aspect above. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the terminal device includes a transceiver unit and a processing unit: the transceiver unit is configured to send a first message to a control plane network element of the private network, where the first message includes a session establishment request corresponding to the private network; the processing unit is configured to establish user plane security of the air interface according to the key of the private network; where the root key of the private network is different from the root key of the public network, the key of the private network is the root key of the private network or a key derived from the root key of the private network, the key of the private network is used for user plane security of the air interface, and the root key of the public network is used for control plane security of the air interface.
With reference to the seventh aspect, in a possible implementation, the transceiver unit is further configured to send a first connection establishment request to the control plane network element of the private network, where the first connection establishment request is used to request establishment of a first connection between the private network and the terminal device, and the first connection is used to transmit the first message; where a second connection exists between the terminal device and the public network, and the second connection is used to transmit signaling of the public network.
With reference to the seventh aspect, in a possible implementation, the transceiver unit is further configured to send a second connection establishment request to a mobility management network element of the public network, where the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device; the processing unit is further configured to generate a control plane key of the air interface according to the root key of the public network.
With reference to the seventh aspect, in a possible implementation, the transceiver unit is further configured to receive a security parameter from the control plane network element of the private network; the processing unit is specifically configured to generate a user plane key of the air interface according to the security parameter and the key of the private network, and to establish user plane security of the air interface according to the user plane key of the air interface.
For the technical effects of the seventh aspect or its various possible designs, refer to the description of the technical effects of the second aspect or its various possible implementations.
In an eighth aspect, an embodiment of this application provides an access network device having the function of implementing the behavior in the method embodiment of the first aspect above. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the access network device includes a transceiver unit and a processing unit, where: the transceiver unit is configured to receive a third message from a terminal device, where the third message includes a first connection establishment request, and the first connection establishment request is used to request establishment of a first connection between a private network and the terminal device; the processing unit is configured to discover a control plane network element of the private network according to the third message, where the control plane network element of the private network is used to establish the first connection; the transceiver unit is further configured to send the first connection establishment request to the control plane network element of the private network.
With reference to the eighth aspect, in a possible implementation, the transceiver unit is further configured to receive a fourth message from the terminal device, where the fourth message includes a second connection establishment request, and the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device; the transceiver unit is further configured to send the second connection establishment request to a mobility management network element of the public network according to the fourth message.
With reference to the eighth aspect, in a possible implementation, the third message includes routing information of the control plane network element of the private network, and the routing information of the control plane network element of the private network is used to discover the control plane network element of the private network.
For the technical effects of the eighth aspect or its various possible designs, refer to the description of the technical effects of the third aspect or its various possible implementations.
In a ninth aspect, this application provides a mobility management network element of a public network, having the function of implementing the behavior in the method embodiment of the fourth aspect above. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the mobility management network element of the public network includes a transceiver unit and a processing unit, where: the processing unit is configured to obtain a non-access stratum (NAS) key of the public network; the transceiver unit is configured to send the NAS key of the public network to a control plane network element of the private network. These modules can perform the corresponding functions in the method example of the fourth aspect above; for details, refer to the detailed description in the method example, which is not repeated here.
For the technical effects of the ninth aspect or its various possible designs, refer to the description of the technical effects of the fourth aspect or its various possible implementations.
In a tenth aspect, this application provides a control plane network element of a private network, having the function of implementing the behavior in the method embodiment of the fifth aspect above. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the control plane network element of the private network includes a transceiver unit and a processing unit, where: the processing unit is configured to obtain a key of the private network, where the key of the private network is the root key of the private network or a key derived from the root key of the private network, the root key of the private network is different from the root key of the public network, the key of the private network is used for user plane security of the air interface, and the root key of the public network is used for control plane security of the air interface; the processing unit is further configured to establish user plane security of the air interface according to the key of the private network. These modules can perform the corresponding functions in the method example of the fifth aspect above; for details, refer to the detailed description in the method example, which is not repeated here.
For the technical effects of the tenth aspect or its various possible designs, refer to the description of the technical effects of the fifth aspect or its various possible implementations.
In an eleventh aspect, this application provides a communication apparatus. The communication apparatus may be the control plane network element of the private network in the method designs above, or a chip disposed in the control plane network element of the private network. The communication apparatus includes a communication interface and a processor, and optionally a memory. The memory is configured to store a computer program or instructions, and the processor is coupled to the memory and the communication interface; when the processor executes the computer program or instructions, the communication apparatus performs the method performed by the control plane network element of the private network in the method embodiments above.
In a twelfth aspect, a communication apparatus is provided. The communication apparatus may be the access network device in the method designs above, or a chip disposed in the access network device. The communication apparatus includes a communication interface and a processor, and optionally a memory. The memory is configured to store a computer program or instructions, and the processor is coupled to the memory and the communication interface; when the processor executes the computer program or instructions, the communication apparatus performs the method performed by the access network device in the method embodiments above.
In a thirteenth aspect, a communication apparatus is provided. The communication apparatus may be the terminal device in the method designs above, or a chip disposed in the terminal device. The communication apparatus includes a communication interface and a processor, and optionally a memory. The memory is configured to store a computer program or instructions, and the processor is coupled to the memory and the communication interface; when the processor executes the computer program or instructions, the communication apparatus performs the method performed by the terminal device in the method embodiments above.
In a fourteenth aspect, a communication apparatus is provided. The communication apparatus may be the mobility management network element of the public network in the method designs above, or a chip disposed in the mobility management network element of the public network. The communication apparatus includes a communication interface and a processor, and optionally a memory. The memory is configured to store a computer program or instructions, and the processor is coupled to the memory and the communication interface; when the processor executes the computer program or instructions, the communication apparatus performs the method performed by the mobility management network element of the public network in the method embodiments above.
The communication interface in the communication apparatus of the tenth to fourteenth aspects may be a transceiver in the communication apparatus, implemented for example by an antenna, a feeder and a codec in the communication apparatus; or, if the communication apparatus is a chip disposed in a communication device, the communication interface may be an input/output interface of the chip, such as input/output pins.
In a fifteenth aspect, a communication system is provided, including a control plane network element of a private network and an access network device. The control plane network element of the private network is configured to perform the method of the first aspect or any design of the first aspect, or the method of the fifth aspect or any design of the fifth aspect. The access network device is configured to perform the method of the third aspect or any design of the third aspect. In a possible design, the system further includes a mobility management network element of a public network, configured to perform the method of the fourth aspect or any design of the fourth aspect.
In a sixteenth aspect, this application provides a chip system including a processor, configured to implement the functions of the control plane network element of the private network, the access network device, the mobility management network element of the public network, or the terminal device in the methods of the above aspects. In a possible design, the chip system further includes a memory for storing program instructions and/or data. The chip system may consist of a chip, or may include a chip and other discrete components.
In a seventeenth aspect, a computer program product is provided, including computer program code; when the computer program code is run, the method performed by the control plane network element of the private network, the access network device, the mobility management network element of the public network, or the terminal device in the above aspects is performed.
In an eighteenth aspect, this application provides a computer-readable storage medium storing a computer program; when the computer program is run, the method performed by the control plane network element of the private network, the access network device, the mobility management network element of the public network, or the terminal device in the above aspects is implemented.
In the embodiments of this application, the key used to establish user plane security of the air interface differs from the key used to establish control plane security of the air interface, so user plane security is established more independently, which can improve the security of services.
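The key separation described in the seventh and tenth aspects (a public network root key for air-interface control plane security, a distinct private network root key for user plane security, and a security parameter delivered by the private control plane network element), modelled as an added Python example that is not part of the patent. The HMAC-SHA256 KDF, the key labels, the message fields and the `Terminal`/`PrivateControlPlane` classes are assumptions of this example, not the patent's or 3GPP's actual derivation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def kdf(root_key: bytes, label: bytes, *params: bytes) -> bytes:
    """Derive a 256-bit key from a root key, a purpose label and length-prefixed
    parameters (assumed KDF; the length prefix keeps distinct parameter lists
    from serialising identically)."""
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(root_key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class KeyPair:
    enc: bytes    # ciphering key
    integ: bytes  # integrity key


def control_plane_keys(public_root: bytes, cp_param: bytes) -> KeyPair:
    """Air-interface control plane keys: derived from the PUBLIC network root key only."""
    return KeyPair(kdf(public_root, b"CP-ENC", cp_param),
                   kdf(public_root, b"CP-INT", cp_param))


def private_network_key(private_root: bytes, derive: bool = True) -> bytes:
    """The private network key is either the private root key itself or a key derived from it."""
    return kdf(private_root, b"PRIV-KEY") if derive else private_root


def user_plane_keys(private_key: bytes, security_param: bytes) -> KeyPair:
    """Air-interface user plane keys: private network key plus the security parameter
    the private control plane network element sends to the terminal."""
    return KeyPair(kdf(private_key, b"UP-ENC", security_param),
                   kdf(private_key, b"UP-INT", security_param))


class PrivateControlPlane:
    """Private network control plane NE. It holds the private root key only; the
    public root key never reaches it, so the two hierarchies cannot be cross-derived."""

    def __init__(self, private_root: bytes):
        self._key = private_network_key(private_root)
        self.last_security_param: Optional[bytes] = None
        self.up_keys: Optional[KeyPair] = None

    def handle_session_request(self, first_message: dict) -> bytes:
        # Constructed check: accept only a session request addressed to the private network.
        if first_message.get("network") != "private":
            raise ValueError("session establishment request is not for the private network")
        self.last_security_param = os.urandom(16)      # fresh per-session parameter
        self.up_keys = user_plane_keys(self._key, self.last_security_param)
        return self.last_security_param                # returned to the terminal


class Terminal:
    """UE side: public root key for the second (public signaling) connection,
    private root key for the user plane of the private session."""

    def __init__(self, public_root: bytes, private_root: bytes):
        self._public_root = public_root
        self._private_key = private_network_key(private_root)
        self.cp_keys: Optional[KeyPair] = None
        self.up_keys: Optional[KeyPair] = None

    def attach_public(self, cp_param: bytes) -> None:
        self.cp_keys = control_plane_keys(self._public_root, cp_param)

    def establish_private_session(self, cp: PrivateControlPlane) -> None:
        # First message over the first connection: the session establishment request.
        first_message = {"network": "private", "type": "pdu-session-establishment"}
        security_param = cp.handle_session_request(first_message)
        self.up_keys = user_plane_keys(self._private_key, security_param)


def run_scenario(public_root: bytes, private_root: bytes, cp_param: bytes) -> dict:
    """Run one attach + private session and return what each side derived, plus what
    a party holding only the public root key would compute for the user plane."""
    cp = PrivateControlPlane(private_root)
    ue = Terminal(public_root, private_root)
    ue.attach_public(cp_param)
    ue.establish_private_session(cp)
    public_only_guess = user_plane_keys(private_network_key(public_root),
                                        cp.last_security_param)
    return {"ue_cp_keys": ue.cp_keys, "ue_up_keys": ue.up_keys,
            "cp_up_keys": cp.up_keys, "public_only_guess": public_only_guess}
```

Running `run_scenario` twice with the same public root key and different private root keys yields identical control plane keys but different user plane keys, which is the isolation the text claims.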
Description of the Drawings
To describe the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below.
FIG. 1 is a schematic diagram of a network architecture of a 5G system provided by an embodiment of this application;
FIG. 2 is a schematic diagram of another network architecture of a 5G system provided by an embodiment of this application;
FIG. 3 is a schematic diagram of a non-3GPP network architecture in a 5G system provided by an embodiment of this application;
FIG. 4 is a schematic architectural diagram of a communication system provided by an embodiment of this application;
FIG. 5 is a flowchart of a method for isolating public and private network services provided by an embodiment of this application;
FIG. 6 is a schematic flowchart of establishing user plane security and control plane security of the air interface provided by an embodiment of this application;
FIG. 7 is a flowchart of another method for isolating public and private network services provided by an embodiment of this application;
FIG. 8 is a flowchart of another method for isolating public and private network services provided by an embodiment of this application;
FIG. 9 is a schematic structural diagram of a communication apparatus 900 provided by an embodiment of this application;
FIG. 10 is a schematic structural diagram of another communication apparatus 1000 provided by an embodiment of this application;
FIG. 11 is a schematic structural diagram of a chip provided by an embodiment of this application.
Detailed Description
The embodiments of this application may be applied to a 4th generation mobile communication technology (4G) network architecture, such as a long term evolution (LTE) system; to a 5th generation mobile communication technology (5G) network architecture, such as an NR system; or to the sixth generation mobile communication technology network architecture following 5G, or other similar communication systems. No specific limitation is imposed.
The technical solutions in the embodiments of this application are described in more detail below.
To better understand the technical solutions provided by the embodiments of this application, a 5G communication system is used as an example below. The technical terms involved in the embodiments of this application are introduced first.
1. Network architecture of the 5th generation (5G) communication system
Referring to FIG. 1, which is a schematic diagram of a network architecture of a 5G system provided by an embodiment of this application, the network architecture includes user equipment (UE), an access network (AN) device, core network elements, and a data network (DN).
A terminal device includes a device that provides voice and/or data connectivity to a user; specifically, a device that provides voice to the user, a device that provides data connectivity to the user, or a device that provides both voice and data connectivity to the user. Examples include a handheld device with a wireless connection function, or a processing device connected to a wireless modem. The terminal device may communicate with the core network via the RAN, exchanging voice or data, or both voice and data, with the RAN.
The terminal device may include user equipment (UE), a wireless terminal device, a mobile terminal device, a device-to-device (D2D) terminal device, a vehicle to everything (V2X) terminal device, a machine-to-machine/machine-type communications (M2M/MTC) terminal device, an Internet of things (IoT) terminal device, a subscriber unit, a subscriber station, a mobile station, a remote station, an access point (AP), a remote terminal, an access terminal, a user terminal, a user agent, a user device, and so on. For example, it may include a mobile phone (also called a "cellular" phone), a computer with a mobile terminal device, or a portable, pocket-sized, handheld, or computer-built-in mobile apparatus, such as a personal communication service (PCS) phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, or a personal digital assistant (PDA). It also includes constrained devices, such as devices with low power consumption, limited storage capability, or limited computing capability, for example information sensing devices such as barcodes, radio frequency identification (RFID), sensors, the global positioning system (GPS), and laser scanners.
By way of example and not limitation, in the embodiments of this application the terminal device may also be a wearable device. Wearable devices, also called wearable smart devices or smart wearables, is a general term for devices developed by applying wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not merely a hardware device; it achieves powerful functions through software support, data interaction and cloud interaction. In a broad sense, wearable smart devices include full-featured, large-sized devices that can implement complete or partial functions without relying on a smartphone, such as smart watches or smart glasses, as well as devices that focus on only one type of application function and need to work with another device such as a smartphone, for example various smart bands, smart helmets and smart jewelry for vital sign monitoring.
Any of the terminal devices introduced above, if located on a vehicle (for example placed or installed in the vehicle), may be regarded as a vehicle-mounted terminal device; a vehicle-mounted terminal device is also called, for example, an on-board unit (OBU).
In the embodiments of this application, the terminal device may further include a relay. Alternatively, anything capable of data communication with a base station may be regarded as a terminal device.
In the embodiments of this application, the apparatus for implementing the functions of the terminal device may be the terminal device itself, or an apparatus capable of supporting the terminal device in implementing those functions, such as a chip or a chip system, which may be installed in the terminal device. In the embodiments of this application, a chip system may consist of a chip, or may include a chip and other discrete components. The technical solutions provided by the embodiments of this application are described using the terminal device as the example of the apparatus for implementing the functions of the terminal.
The AN device may also be a radio access network (RAN) device. An access network device is a device deployed in a radio access network that can communicate wirelessly with a terminal device. It is mainly responsible for radio resource management, quality of service (QoS) management, data compression and encryption, and similar functions on the air interface side. Access network devices may include base stations in various forms, such as macro base stations, micro base stations (also called small cells), relay stations and access points. In systems using different radio access technologies, the name of a device with base station functions may differ: in a 5th generation (5G) system it is called a gNB; in an LTE system it is called an evolved NodeB (eNB or eNodeB); in a 3rd generation (3G) system it is called a Node B; and so on. By way of example, the access network device in the embodiments of this application may be a base station in 5G or a base station in long term evolution (LTE), where the base station in 5G may also be called a transmission reception point (TRP) or a next generation Node B (gNB).
In the embodiments of this application, the apparatus for implementing the functions of the access network device may be the access network device itself, or an apparatus capable of supporting the access network device in implementing those functions, such as a chip or a chip system, which may be installed in the access network device. The technical solutions provided by the embodiments of this application are described using the access network device as the example of the apparatus for implementing the functions of the access network device.
其中,核心网网元可以包括:接入和移动性管理功能(access and mobility management function,AMF)、鉴权服务器功能(authentication server function,AUSF)、统一数据管理(unified data management,UDM)、会话管理功能(session management function,SMF)、策略控制功能(policy control function,PCF)、应用功能(application,AF)、用户面功能(user plane function,UPF)网元和网络切片选择功能(network slice selection function,NSSF)网元。Among them, the core network elements may include: access and mobility management function (access and mobility management function, AMF), authentication server function (authentication server function, AUSF), unified data management (unified data management, UDM), session Management function (session management function, SMF), policy control function (policy control function, PCF), application function (application, AF), user plane function (user plane function, UPF) network element and network slice selection function (network slice selection function, NSSF) network element.
AMF网元,主要负责信令处理部分,例如:接入控制、移动性管理、附着与去附着以及网关选择等功能。AMF网元为终端设备中的会话提供服务的情况下,会为该会话提供控制面的存储资源,以及存储会话标识、与会话标识关联的SMF网元标识等。一般而言,UE与AMF可以通过N1非接入层(nonaccess stratum,NAS)消息进行通信,UE与AMF之间的通信消息也可以通过RAN的N2消息进行中转。RAN与AMF通过N2消息进行通信。The AMF network element is mainly responsible for signaling processing, such as access control, mobility management, attachment and detachment, and gateway selection. When the AMF network element provides services for the session in the terminal device, it will provide the session with storage resources on the control plane, and store the session ID, the SMF network element ID associated with the session ID, and the like. Generally speaking, UE and AMF can communicate through N1 non-access stratum (nonaccess stratum, NAS) message, and communication messages between UE and AMF can also be transferred through N2 message of RAN. RAN and AMF communicate through N2 messages.
AUSF网元:具有鉴权服务功能,用于处理第三代合作伙伴计划(3 rd generation partnership project,3GPP)接入和非3GPP接入的认证请求。 AUSF network element: has an authentication service function, and is used to process authentication requests for 3rd generation partnership project (3GPP) access and non-3GPP access.
UDM网元:用于管理用户的签约信息,完成用户认证与授权。UDM network element: used to manage user subscription information and complete user authentication and authorization.
SMF网元,负责用户面网元选择,用户面网元重定向,因特网协议(internet protocol,IP)地址分配,承载的建立、修改和释放以及QoS控制。The SMF network element is responsible for user plane network element selection, user plane network element redirection, Internet protocol (internet protocol, IP) address allocation, bearer establishment, modification and release, and QoS control.
PCF网元,用于生成、管理用户、会话、服务质量(quality of service,QoS)流处理策略。主要支持提供统一的策略框架来控制网络行为,提供策略规则给控制层网络功能,同时负责获取与策略相关的用户签约信息。The PCF network element is used to generate and manage users, sessions, and quality of service (quality of service, QoS) flow processing policies. It mainly supports the provision of a unified policy framework to control network behavior, provides policy rules to the network functions of the control layer, and is responsible for obtaining user subscription information related to policies.
AF网元,主要支持与3GPP核心网交互来提供服务,例如影响数据路由决策,策略控制功能或者向网络侧提供第三方的一些服务,可以位于运营商网络内,也可以位于运营商网络外。The AF network element mainly supports interaction with the 3GPP core network to provide services, such as influencing data routing decisions, policy control functions, or providing some third-party services to the network side, and can be located in the operator's network or outside the operator's network.
UPF网元,用于对用户报文进行处理,例如转发、计费等。它可以负责终端设备中用户数据的转发和接收。可以从数据网络接收用户数据,通过接入网设备传输给终端设备;UPF网元还可以通过接入网设备从终端设备接收用户数据,转发到数据网络。UPF网元中为终端设备提供服务的传输资源和调度功能由SMF网元管理控制的。The UPF network element is used to process user packets, such as forwarding and charging. It can be responsible for the forwarding and receiving of user data in the terminal device. It can receive user data from the data network and transmit it to the terminal device through the access network device; the UPF network element can also receive user data from the terminal device through the access network device and forward it to the data network. The transmission resources and scheduling functions that provide services for terminal equipment in the UPF network element are managed and controlled by the SMF network element.
NSSF网元,用于支持基于用户请求的和签约的网络切片选择辅助信息(network slice selection assistance information,NSSAI)、用户位置区域、切片容量、切片当前负荷等信息, 进行切片的灵活选择。The NSSF network element is used to support flexible selection of slices based on information such as user requested and contracted network slice selection assistance information (NSSAI), user location area, slice capacity, and slice current load.
认证、授权和计费(authentication、authorization、accounting,AAA)服务器(图1中未示):能够处理用户访问请求的服务器程序,提供验证授权以及帐户服务,主要目的是管理用户访问网络服务器,对具有访问权的用户提供服务。Authentication, authorization, and accounting (authentication, authorization, accounting, AAA) server (not shown in Figure 1): a server program capable of processing user access requests, providing verification authorization and account services, the main purpose is to manage user access to network servers, and to Services are provided to users with access rights.
DN: responsible for providing services to the UE, including operator services, Internet services, third-party services and so on, such as providing Internet access and SMS functions to the UE.
The schematic network architecture shown in Figure 1 also includes the interfaces between the network elements; for example, N1 denotes the interface between the UE and the AMF network element, N2 denotes the interface between the AMF network element and the RAN device, and so on. In one possible implementation, some interfaces may be implemented as service-based interfaces; see Figure 2 for details.
The UE, (R)AN device, UPF network element and DN in Figure 1 are generally referred to as user plane network function entities. User data traffic is transmitted over a protocol data unit session (PDU session) established between the UE and the DN, and that transmission passes through the two network functions (entities) (R)AN and UPF. The remaining parts are referred to as control plane network functions and entities; they are mainly responsible for authentication and authorization, registration management, session management, mobility management, policy control and other functions, so as to achieve reliable and stable transmission of user plane traffic.
2. Non-3GPP network architecture in 5G
Figure 3 is a schematic diagram of a non-3GPP network architecture in 5G provided by an embodiment of the present application. Compared with the 3GPP system architecture (see Figure 1), a non-3GPP interworking function (N3IWF) network element is added to this network architecture.
The network elements included in Figure 3 are introduced below. It should be noted that for some network elements, reference may be made to the descriptions above, which are not repeated here.
The N3IWF network element supports connecting a non-3GPP access network to the 5G core network. The N3IWF network element connects to the 5G core network user plane (UP) and control plane (CP) functions through the N2 and N3 interfaces. If the selected N3IWF network element is located in the same public land mobile network (PLMN) as the 3GPP access, a UE that is connected to the same 5G core network of that PLMN simultaneously through 3GPP access and non-3GPP access is served by the same AMF. In the case of untrusted non-3GPP access, the functions of the N3IWF network element include: supporting the establishment of an Internet protocol security (IPsec) tunnel with the UE, where the N3IWF network element terminates the IKEv2/IPsec protocol with the UE over NWu and relays over N2 the information required to authenticate the UE and authorize its access to the 5G core network; relaying uplink and downlink control plane NAS (N1) signalling between the UE and the AMF; establishing IPsec security associations (IPsec SAs) to support PDU session traffic; relaying uplink and downlink user plane data packets between the UE and the UPF; and so on.
An untrusted non-3GPP access network device supports interconnection between the terminal device and the 3GPP core network using non-3GPP technology. Non-3GPP technologies include, for example, wireless fidelity (Wi-Fi), worldwide interoperability for microwave access (WiMAX) and code division multiple access (CDMA) networks. Whereas a trusted non-3GPP access network device can access the 3GPP core network directly, an untrusted one must interconnect with the 3GPP core network through a secure tunnel established with a security gateway, such as an evolved packet data gateway (ePDG) or a non-3GPP interworking function (N3IWF) network element.
3. Network architecture of the 5G Alliance for Connected Industries and Automation (5G-ACIA)
To improve the information security of data services, data services with higher security requirements exchange information within a dedicated private network. Today, industrial scenarios not only require that private network service data does not leave the campus, but also require that the integrity and encryption of private network service data be strictly guaranteed.
5G-ACIA defines four private network deployment scenarios, which are introduced further below.
1) Scenario 1: fully independent private network. In this scenario the private network deploys completely independent RAN nodes and 5GC equipment (including control plane network elements and user plane network elements), and the private network can interwork with the public network through a firewall;
2) Scenario 2: private network sharing RAN nodes. In this scenario the private network shares RAN nodes with the public network but has independent 5GC equipment (including control plane network elements and user plane network elements);
3) Scenario 3: private network sharing RAN nodes and the 5GC control plane. In this scenario the private network shares the RAN nodes and the 5GC control plane with the public network, but has an independent user plane network element (UPF);
4) Scenario 4: private network sharing RAN nodes and the 5GC. In this scenario the private network and the public network share the RAN nodes and the 5GC (including both control plane and user plane); private network isolation then depends on the slicing or CAG features of the public network.
From a cost perspective, sharing hardware between the public and private networks is an effective way to reduce cost, so the network architectures of Scenario 3 and Scenario 4 above are mainly used. In these two architectures, however, the user plane security of private network services depends entirely on the public network. The user plane key of the private network is derived from the root key of the public network; that root key is stored in the public network, and the derivation of the private network's user plane key also takes place in the public network. For example, the AMF of the public network derives, from the public network key K_amf, an intermediate key such as K_gnb that is used to derive the air interface control plane key and the air interface user plane key, where K_amf is itself derived from the root key of the public network. The AMF then sends K_gnb to the access network device, and the access network device further derives the air interface user plane key and the air interface control plane key from K_gnb. As a result, the air interface user plane key used inside the private network depends on the public network's key and is exposed to the public network; if the public network's key is leaked, or leaks during the derivation process, the security of private network services is affected.
On this basis, the embodiments of the present application provide a method for isolating public and private network services. In the embodiments, the control plane network element of the private network establishes the user plane security of the private network according to the key of the private network. The key of the private network differs from the key of the public network: the private network key is used for user plane security of the air interface, and the public network key is used for control plane security of the air interface. Optionally, the air interface is the one used for communication between the terminal device and the private network. In this way, the control plane network element of the private network is not shared with the public network, and it uses an independent private network key to establish the user plane security of the private network, so that public network services and private network services are isolated from each other and the security of private network services is improved.
Figure 4 is a schematic architecture diagram of a communication system provided by an embodiment of the present application. The communication system shown in Figure 4 includes: a terminal device (for example a UE), an access network (RAN) device, a control plane network element of the private network, a mobility management (AMF) network element of the public network, a session management function (SMF) network element of the public network, and a user plane function (UPF) network element. It should be noted that Figure 4 does not show every device/network element included in the communication system; the communication system may include further devices/network elements, for example those shown in Figure 1 or Figure 3.
The names of the devices/network elements shown in Figure 4 may change as the field of mobile communications develops, and the embodiments of the present application do not limit the name of any device/network element. In addition, one device/network element may evolve into multiple devices/network elements that jointly implement the functions of that one device/network element. The names of messages between network elements and the names of parameters within messages in the following embodiments are merely examples; other names may be used in a specific implementation, which the embodiments of the present application do not specifically limit.
The devices/network elements included in Figure 4 are introduced in detail below.
The access network device and the user plane function network element may be shared by the public and private networks, or may be dedicated to the private network. It should be noted that the access network device and the user plane function network element being dedicated to the private network means that they provide user plane services only for the private network services of the terminal device. When the access network device and the user plane function network element are dedicated to the private network, the mobility management functions of both the private and public networks, as well as the session management function of the public network, remain the responsibility of the control plane network element of the public network. In addition, public network user plane data is not processed by the user plane function network element of the private network, but by the user plane function network element of the public network (not shown in Figure 4).
For the functions of the terminal device, the mobility management (AMF) network element of the public network, the session management function (SMF) network element of the public network, and the user plane function (UPF) network element, reference may be made to the descriptions of the embodiments corresponding to Figure 1 or Figure 3 above, which are not repeated here.
The control plane network element of the private network may optionally be named a local control plane (L-CP) network element, or be given another name; the embodiments of the present application do not limit this. The control plane network element of the private network is a control plane network element deployed locally in the private network, and has the functions of relaying N2 messages (also called signalling) and managing private network service sessions. Relaying N2 messages means that the control plane network element of the private network can forward N2 messages sent between the access network device and the mobility management (AMF) network element of the public network. In one possible implementation, the control plane network element of the private network includes a first network element and a second network element, or the first network element and the second network element are two independent network elements; together, the first and second network elements implement the functions of the control plane network element of the private network. For example, the first network element (which may, for example, be named a Proxy network element) can implement the function of relaying N2 messages, and the second network element (for example, named a local session management function (L-SMF) network element) can implement the function of managing private network service sessions. Optionally, the configuration and policy information relevant to private network service session management may be preconfigured or delivered by the public network to the control plane network element of the private network.
In one possible implementation, for the communication system shown in Figure 4, the mobility management functions of the private and public networks and the session management function of the public network remain the responsibility of the control plane network element of the public network.
Figure 4 also illustrates the devices/network elements involved in transmitting session management (SM) messages of the private network and session management messages of the public network in the embodiments of the present application. A session management message is information used to manage user plane information; for example, session management messages may include a session establishment request message, a session modification message, a session deletion message, and so on.
Taking the session management messages of the private network as an example, they may include one or more of an N1 SM message, an N2 SM message or an N4 SM message. The N1 SM message is used in the interaction between the control plane network element of the private network and the UE; the N2 SM message is used in the interaction between the control plane network element of the private network and the RAN device; and the N4 SM message is used in the interaction between the control plane network element of the private network and the UPF network element.
Taking the session management messages of the public network as an example, they may include one or more of an N1 SM message, an N2 SM message or an N4 SM message. The N1 SM message is used in the interaction between the control plane network element of the public network (for example an AMF network element) and the UE; the N2 SM message is used in the interaction between the control plane network element of the public network and the RAN device; and the N4 SM message is used in the interaction between the control plane network element of the public network and the UPF network element.
For example, if the session management message of the private network is a session establishment request of the private network, it is generated by the terminal device and passes through the access network device and the control plane network element of the private network; after the session establishment request of the private network is accepted, the control plane network element of the private network instructs the user plane function network element to establish the private network session. If the session management message of the public network is a session establishment request of the public network, it is generated by the terminal device and passes through the access network device, the control plane network element of the private network, the mobility management network element of the public network and the session management function network element of the public network; after the session establishment request of the public network is accepted, the session management function network element of the public network instructs the user plane function network element to establish the public network session.
Based on the network architecture and related devices introduced above, a method for isolating public and private network services provided by an embodiment of the present application is introduced below. It should be noted that in the drawings of the embodiments of the present application, the steps shown in each embodiment and their order are given as examples and do not limit the embodiments of the present application. It should be understood that implementations that perform only some of the illustrated steps, or that adjust the order of the steps, all fall within the scope of protection of the present application.
Figure 5 is a flowchart of a method for isolating public and private network services provided by an embodiment of the present application. The method can be implemented based on the network architecture shown in Figure 4. The method includes the following steps.
S101. The control plane network element of the private network obtains the key of the private network.
The key of the private network is the root key of the private network or a key derived from the root key of the private network. In other words, the key of the private network may be the root key of the private network or an intermediate key of the private network, where an intermediate key is a key derived from the root key of the private network. The root key of the private network may be a master session key (MSK) or an extended master session key (EMSK), and the intermediate key of the private network may be a local control plane key (K_L-CP) or K_gnb; the role of K_L-CP is comparable to that of the access and mobility management function key (K_amf).
The key of the public network may be the root key of the public network or an intermediate key of the public network, where an intermediate key is a key derived from the root key of the public network. The root key of the public network may be a master session key (MSK) or an extended master session key (EMSK), and the intermediate key of the public network may be K_amf or K_gnb.
The root key of the private network differs from the root key of the public network: the private network key is used for user plane security of the air interface, and the public network root key is used for control plane security of that air interface. Optionally, the air interface is the one used for communication between the terminal device and the private network. In the embodiments of the present application, the root key of the public network is stored in the public network, while the root key of the private network is stored in the private network and the derivation of the private network's service keys also takes place in the private network. In this way, the control plane network element of the private network is not shared with the public network and the public network no longer stores the private network's key, so even if the public network's key is leaked, or leaks during the derivation process, the security of private network services is not affected.
In one possible implementation, the control plane network element of the private network stores the key of the private network, and can read it from its own storage medium.
In another possible implementation, the key of the private network is stored in an AAA server, from which the control plane network element of the private network obtains it. Optionally, the AAA server can grant the control plane network element of the private network the permission to access and read the key of the private network; verifying the permission of the accessing device (or user) through the AAA server prevents other devices or users from reading the key of the private network and improves its security.
In yet another possible implementation, the key of the private network is stored in another network element (for example, a network element dedicated to the private network), from which the control plane network element of the private network obtains it. For example, that other network element may store the root key of the private network and send an intermediate key derived from that root key to the control plane network element of the private network.
S102. The terminal device sends a first message to the control plane network element of the private network, where the first message includes a session establishment request. Specifically, the process by which the terminal device sends the first message to the control plane network element of the private network may be as follows:
Step a1: the terminal device sends the first message to the RAN device.
Step a2: the RAN device forwards the first message to the control plane network element of the private network.
In this process, the RAN device may be an intermediate forwarding node for the first message and need not be aware of its content.
S103. After the control plane network element of the private network receives the first message from the terminal device, it determines that the session establishment request corresponds to the private network.
It should be noted that the embodiments of the present application do not limit the order in which the control plane network element of the private network obtains the key of the private network and receives the first message. In one possible implementation, the control plane network element of the private network may obtain the NAS key of the public network and use it to parse the first message in order to obtain the session establishment request. If the session establishment request includes first information, the control plane network element of the private network determines from that first information that the session establishment request corresponds to the private network, where the first information indicates that the session establishment request corresponds to the private network. For an example, see the description of the embodiment corresponding to Figure 7, which is not expanded on here.
In one possible implementation, the control plane network element of the private network may establish a connection between the private network and the terminal device. If the control plane network element of the private network receives the first message from the terminal device over this connection, it determines from that connection that the session establishment request corresponds to the private network. For an example, see the description of the embodiment corresponding to Figure 8, which is not expanded on here.
S104. The control plane network element of the private network establishes user plane security of the air interface according to the key of the private network.
Optionally, the control plane network element of the private network may establish the user plane security of the air interface according to the key of the private network as follows: it generates a security parameter from the key of the private network and sends the security parameter to the terminal device and/or the access network device, which use it to generate the user plane key of the air interface. Optionally, the security parameter sent by the control plane network element of the private network to the terminal device may be the same as or different from the security parameter sent to the access network device.
Through the embodiment corresponding to Figure 5, the control plane network element of the private network can determine whether a session establishment request corresponds to the public network or the private network. If the session establishment request corresponds to the private network, it establishes the user plane security of the private network according to the key of the private network; if the session establishment request corresponds to the public network, it forwards the session establishment request to the mobility management network element of the public network for processing. In this way, the user plane key of the private network is guaranteed to be derived from the key of the private network, public and private network services are securely isolated, and the security of private network services is improved.
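The decision in S103 and the dispatch described above, modelled as an added example that is not part of the patent and not code from the applicant. The message layout (4-byte MAC followed by a JSON payload), the HMAC-SHA256 stand-in for the NAS-MAC, the field name `private_network_indication` standing for the "first information", and the choice to reject a message whose integrity check fails are all assumptions of this example; the NAS key value is a constructed demo constant.

```python
import hashlib
import hmac
import json

# Constructed demo value: the public network NAS integrity key that the UE and
# the AMF share, and that the L-CP obtains in order to parse the first message.
PUBLIC_NAS_INT_KEY = bytes(range(32))


def nas_mac(key: bytes, payload: bytes) -> bytes:
    """Integrity tag over a NAS payload: HMAC-SHA256 truncated to 4 bytes.
    An assumed stand-in for the real NAS-MAC, chosen to match its 32-bit size."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:4]


def ue_build_first_message(request: dict, nas_key: bytes) -> bytes:
    """UE side (step a1): wrap a session establishment request as an
    integrity-protected NAS message laid out as MAC || JSON payload."""
    payload = json.dumps(request, sort_keys=True).encode()
    return nas_mac(nas_key, payload) + payload


def lcp_handle_first_message(msg: bytes, nas_key: bytes,
                             over_private_connection: bool) -> dict:
    """L-CP side (S103): verify and parse the first message with the public
    NAS key, then decide whether the session establishment request belongs
    to the private network.

    The text gives two bases for the decision: "first information" carried in
    the request (the Figure 7 variant) or the connection the message arrived
    over (the Figure 8 variant). Both are modelled here.
    """
    mac, payload = msg[:4], msg[4:]
    if not hmac.compare_digest(mac, nas_mac(nas_key, payload)):
        # Assumption: a message the L-CP cannot verify is neither acted on
        # nor forwarded.
        return {"action": "reject", "reason": "NAS integrity check failed"}
    request = json.loads(payload)
    if request.get("private_network_indication") is True:
        basis = "first information in the request"
    elif over_private_connection:
        basis = "received over the private network connection"
    else:
        # Public network session: relay towards the public AMF (and its SMF).
        return {"action": "forward_to_amf",
                "pdu_session_id": request.get("pdu_session_id")}
    # Private network session: S104 follows, using the private network key.
    return {"action": "establish_private_up_security",
            "basis": basis,
            "pdu_session_id": request.get("pdu_session_id")}


if __name__ == "__main__":
    req = {"type": "pdu_session_establishment_request", "pdu_session_id": 5,
           "dnn": "factory.local", "private_network_indication": True}
    msg = ue_build_first_message(req, PUBLIC_NAS_INT_KEY)
    print(lcp_handle_first_message(msg, PUBLIC_NAS_INT_KEY,
                                   over_private_connection=False))
```

The integrity check comes first because the routing decision is taken on the contents of the request; a request that cannot be verified with the public NAS key must not be able to steer itself into the private network path.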
示例性的,参见图6,是本申请实施例提供的一种建立私网的用户面安全以及控制面安全的流程示意图。For example, refer to FIG. 6 , which is a schematic flowchart of establishing user plane security and control plane security of a private network provided by an embodiment of the present application.
Step b1: the private network control plane network element generates a first security parameter from the private network key. The first security parameter is used to derive the terminal device's air-interface user plane key.
For example, the first security parameter may be carried in the session security context. It includes an intermediate key from which the air-interface user plane key is generated.
Step b1 may be implemented as follows:
The private network control plane network element generates the first security parameter from the private network key together with auxiliary parameters. The first security parameter includes an intermediate key. In the embodiments of this application, an intermediate key is a key produced from a root key by one or more derivation steps. A network element that receives an intermediate key can derive further keys from it, ending with the keys actually used for integrity protection and/or encryption; for instance, the access network device uses the intermediate key to derive the keys for user plane integrity protection and/or encryption over the air interface. In a 4G system the intermediate key may be K_eNB; here it may also be called K_npn.
It follows that generating the first security parameter from the private network key and the auxiliary parameters may include deriving the intermediate key from the private network key and the auxiliary parameters.
As an example, the air-interface user plane key may include K_UPenc and/or K_UPint. K_UPenc protects user plane traffic with an encryption algorithm; K_UPint protects user plane traffic with a particular integrity algorithm.
By way of example, the auxiliary parameters may include one or more of single network slice selection assistance information (S-NSSAI), a data network name (DNN) or a downlink NAS count (DL NAS Count), or other preset auxiliary parameters. The DL NAS Count may be sent by the public network control plane network element to the private network control plane network element.
Step b2: the private network control plane network element sends the first security parameter to the access network device that provides access service for the terminal device.
Optionally, the private network control plane network element also sends the auxiliary parameters to the access network device.
Step b3: the access network device derives the air-interface user plane key from the first security parameter.
Step b4: the private network control plane network element sends the auxiliary parameters to the terminal device. The terminal device uses them to derive the intermediate key from which the air-interface user plane key is generated.
In one example, the private network control plane network element sends the auxiliary parameters to the mobility management network element, which forwards them to the terminal device, for instance over the N1 interface. In another example, the private network control plane network element sends the auxiliary parameters to the mobility management network element, which passes them to the access network device, which in turn sends them to the terminal device, for instance in an RRC connection reconfiguration message.
Note that this application does not restrict the order in which steps b2 and b4 are executed.
Step b5: after receiving the auxiliary parameters from the private network control plane network element, the terminal device generates the intermediate key from the private network root key and the auxiliary parameters, and derives the air-interface user plane key from the intermediate key.
In one example, the private network root key is stored on the terminal device. In another, the terminal device obtains the private network root key through online subscription: for instance, it temporarily attaches to the cellular network and fetches the root key from the private network (for example from the private network control plane network element) over a control plane or user plane channel of that temporary attachment, or it fetches the root key from the private network over a user plane connection set up through a non-3GPP network such as a WiFi network.
In the embodiments of this application, once both the access network device and the terminal device have derived the air-interface user plane key, uplink and downlink service data can be encrypted and decrypted with it; this is what establishing air-interface user plane security means. When the terminal device sends uplink service data, it encrypts the data with the air-interface user plane key before sending it to the access network device, so that the key protects uplink service data over the air interface. When the access network device sends downlink service data, it encrypts the data with the same key before sending it to the terminal device, so that the key protects downlink service data over the air interface.
By way of example, the derivation of the air-interface control plane key is described below with reference to FIG. 6.
Step c1: the public network control plane network element obtains the terminal device's public network key.
Step c2: the public network control plane network element generates a second security parameter from the public network key. The second security parameter is used to derive the terminal device's air-interface control plane key.
The second security parameter includes an intermediate key. For example, the access network device uses the intermediate key to derive the keys for control plane integrity protection and/or encryption over the air interface. In a 4G system the intermediate key may be K_eNB; here it may also be called K_npn.
It follows that generating the second security parameter from the public network key and auxiliary parameters may include deriving the intermediate key from the public network key and the auxiliary parameters.
Step c3: the public network control plane network element sends the second security parameter to the access network device.
Step c4: the access network device derives the air-interface control plane key from the second security parameter.
Step c5: the public network control plane network element sends the terminal device the auxiliary parameters used to derive the air-interface control plane key.
In one example, the public network control plane network element sends these auxiliary parameters to the terminal device over the N1 interface. In another example, it sends them to the access network device, which forwards them to the terminal device, for instance in an RRC connection reconfiguration message.
In the embodiments of this application, the auxiliary parameters used to derive the air-interface user plane key and those used to derive the air-interface control plane key may be the same or different; this is not restricted.
Note that this application does not restrict the order in which steps c3 and c5 are executed.
Step c6: the terminal device generates the intermediate key from the public network root key and the auxiliary parameters, and derives the air-interface control plane key from the intermediate key.
Note that the public network control plane network element can still send the terminal device auxiliary parameters for deriving the NAS control plane key. The terminal device generates an intermediate key from the public network root key and those auxiliary parameters and derives the NAS control plane key from it.
In the scheme above, the security parameter used to derive the air-interface control plane key and the one used to derive the air-interface user plane key are generated independently: the public network control plane network element generates the former and the private network control plane network element generates the latter. Because the private network network element is not shared with the public network, the private network key is never disclosed to the public network, which protects the private network. When service data is then transmitted under the air-interface user plane key, the security of air-interface service data transmission improves accordingly.
Note that the same security parameter may also be used to derive both the air-interface control plane key and the air-interface user plane key. For example, in step b3 the access network device may additionally derive the air-interface control plane key from the first security parameter; in step b4 the auxiliary parameters may additionally be used by the terminal device to derive the intermediate key for the air-interface control plane key; and in step b5 the terminal device may additionally generate an intermediate key from the private network root key and the auxiliary parameters and derive the air-interface control plane key from it. In that case steps c4 to c6 need not be executed.
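The two derivation chains of steps b1 to b5 and c1 to c6 can be modelled end to end. The following Python is an added illustration written for this page, not code from the patent or from any 3GPP implementation: it runs the private network chain (private root key + auxiliary parameters → K_npn → K_UPenc/K_UPint) and the public network chain (public key + auxiliary parameters → control plane intermediate key → RRC keys) on both the RAN side, which only ever sees intermediate keys, and the terminal side, which rebuilds them from the root keys it holds. The KDF shape (HMAC-SHA-256 over FC and length-prefixed parameters) follows the 3GPP TS 33.220 style; the FC values, algorithm distinguishers, algorithm identities and parameter encodings are assumptions chosen for this example, and the patent fixes none of them.

```python
"""Split key hierarchy for public/private network isolation (steps b1-b5, c1-c6).

Added illustration, not code from the patent.  KDF shape follows the 3GPP
TS 33.220 style (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...); the FC
values, algorithm distinguishers and encodings are assumptions for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass

FC_INTERMEDIATE = 0x70   # assumed FC: root key -> intermediate key (K_npn / CP key)
FC_ALG_KEY = 0x69        # assumed FC: intermediate key -> per-algorithm key
ALG_UP_ENC, ALG_UP_INT, ALG_RRC_ENC, ALG_RRC_INT = 0x05, 0x06, 0x03, 0x04  # assumed
NEA2, NIA2 = 0x02, 0x02  # assumed algorithm identities


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 KDF with S = FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuxParams:
    """Auxiliary parameters (S-NSSAI, DNN, DL NAS Count) sent alongside the key."""
    s_nssai: bytes
    dnn: bytes
    dl_nas_count: int

    def encode(self) -> tuple:
        return (self.s_nssai, self.dnn, self.dl_nas_count.to_bytes(4, "big"))


def derive_intermediate(root_key: bytes, aux: AuxParams) -> bytes:
    """Root key + auxiliary parameters -> intermediate key (the 'security parameter')."""
    return kdf(root_key, FC_INTERMEDIATE, *aux.encode())


def derive_alg_key(intermediate: bytes, alg_type: int, alg_id: int) -> bytes:
    """Intermediate key -> 128-bit algorithm key (low 128 bits of the KDF output)."""
    return kdf(intermediate, FC_ALG_KEY, bytes([alg_type]), bytes([alg_id]))[16:]


def user_plane_keys(k_npn: bytes) -> dict:
    return {"K_UPenc": derive_alg_key(k_npn, ALG_UP_ENC, NEA2),
            "K_UPint": derive_alg_key(k_npn, ALG_UP_INT, NIA2)}


def control_plane_keys(k_cp: bytes) -> dict:
    return {"K_RRCenc": derive_alg_key(k_cp, ALG_RRC_ENC, NEA2),
            "K_RRCint": derive_alg_key(k_cp, ALG_RRC_INT, NIA2)}


def run_exchange(private_root: bytes, public_root: bytes,
                 up_aux: AuxParams, cp_aux: AuxParams) -> dict:
    """Run both chains and return what the RAN and the terminal end up holding."""
    # b1/b2: private CP derives K_npn from the private key and sends it to the RAN.
    k_npn = derive_intermediate(private_root, up_aux)
    # c2/c3: public CP derives the CP intermediate key from the public key.
    k_cp = derive_intermediate(public_root, cp_aux)
    # b3/c4: the RAN derives algorithm keys from intermediate keys only; it never
    # sees either root key.
    ran = {**user_plane_keys(k_npn), **control_plane_keys(k_cp)}
    # b4-b5 / c5-c6: the terminal receives only the auxiliary parameters and
    # rebuilds both intermediate keys from the root keys it already holds.
    ue = {**user_plane_keys(derive_intermediate(private_root, up_aux)),
          **control_plane_keys(derive_intermediate(public_root, cp_aux))}
    # What the public network can reach from its own key material with the same
    # auxiliary parameters: a different intermediate key, hence no UP keys.
    public_guess = derive_intermediate(public_root, up_aux)
    return {"ran": ran, "ue": ue, "k_npn": k_npn, "k_cp": k_cp,
            "public_guess": public_guess}


if __name__ == "__main__":
    import os
    aux = AuxParams(s_nssai=b"\x01\x00\x00\x2a", dnn=b"factory.npn", dl_nas_count=7)
    out = run_exchange(os.urandom(32), os.urandom(32), aux, aux)
    assert out["ran"] == out["ue"] and out["public_guess"] != out["k_npn"]
    print("RAN and terminal agree on UP and CP keys; public key material does not reach K_npn")
```

The point to check in a real deployment is the one the comment on `run_exchange` makes: the RAN and the public network only ever hold intermediate keys, so the DL NAS Count (or whatever auxiliary parameters are chosen) must change per session, otherwise a leaked K_npn is reusable across sessions while the root key stays the same.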
In some embodiments of this application, the private network control plane network element may send the first security parameter to the access network device in step b2 in either of the following ways:
In a first possible implementation, the private network control plane network element sends the first security parameter to the access network device through the public network control plane network element, for example the public network mobility management network element.
In a second possible implementation, the private network control plane network element sends the first security parameter to the access network device through the private network user plane network element, for example the private network UPF.
In one possible implementation, to protect the first security parameter, the private network control plane network element encrypts it before relaying it to the access network device, whether the relay goes through the public network control plane network element or through the private network user plane network element. Without this, a relay through the public network control plane network element would hand the intermediate key to the public network in the clear. The access network device decrypts the received ciphertext with a decryption key to recover the first security parameter; the decryption key may be the same symmetric key as the encryption key.
The key used to encrypt the first security parameter may be called a security parameter key, a tunnel key, or any other name; this application does not limit it. For example, where decryption uses the same symmetric key as encryption, the decryption key is likewise the security parameter key.
FIG. 7 is a flowchart of another method for isolating public and private network services provided in an embodiment of this application. The method can be implemented on the network architecture shown in FIG. 4 and includes the following steps.
S201. The terminal device registers with the network.
Specifically, the terminal device registers with the public network. During registration, after the RAN device has selected an AMF network element, the private network control plane network element (which may be called the L-CP network element) can be discovered from operator-preconfigured information. In this way the AMF network element is aware that the private network control plane network element exists.
In one possible implementation, while establishing the N2 tunnel with the AMF network element, the private network control plane network element may indicate that it is a relay node. For example, it sends the AMF network element first indication information indicating that the private network control plane network element is a relay node between the RAN device and the AMF network element.
S202. The public network mobility management (AMF) network element obtains the public network NAS key.
During the terminal device's registration with the public network, the public network mobility management network element obtains the public network NAS key corresponding to that terminal device.
S203. The public network mobility management network element sends the public network NAS key to the private network control plane network element.
Correspondingly, the private network control plane network element receives the public network NAS key from the public network mobility management network element.
During registration, the public network mobility management network element records the mapping between the terminal device and its private network control plane network element. It sends the terminal device's public network NAS key to that private network control plane network element so that the latter can parse the NAS messages it receives with this key.
In one possible implementation, the public network mobility management network element sends the private network control plane network element a second message that includes second information and the public network NAS key; the second information indicates that the private network control plane network element is authorised to use the public network NAS key. The second message may be, for example, the NAS context of the terminal device (the terminal device corresponding to the private network control plane network element). The configuration information of the public network mobility management network element may contain authorisation allowing it to send the NAS context; this configuration may be pre-stored or delivered to it by the network. After obtaining the public network NAS key, the public network mobility management network element sends the NAS context to the private network control plane network element in accordance with that configuration.
S204. The terminal device sends a first message to the private network control plane network element; the first message includes a session establishment request.
Correspondingly, the private network control plane network element receives from the terminal device the first message, which includes the session establishment request.
Specifically, the terminal device may send the first message to the private network control plane network element as follows:
Step a1: the terminal device sends the first message to the RAN device.
Step a2: the RAN device forwards the first message to the private network control plane network element.
Here the RAN device may act merely as an intermediate forwarding node for the first message and is not aware of its content.
When the session establishment request belongs to the private network, the first message includes first information indicating that the session establishment request belongs to the private network. In some possible implementations, the first information may be one or more of: a first parameter, private network slice selection assistance information (NSSAI), or a private network data network name (DNN), where the private network NSSAI is NSSAI dedicated to the private network and the private network DNN is a DNN dedicated to the private network. The first parameter indicates that the air-interface user plane key is to be derived from the private network key; it may be named, for example, a local credential derivative request (LCDR).
In one possible implementation, the first message also includes a second parameter indicating that the terminal device uses an independent key to derive the user plane key when establishing user plane security. Using an independent key means that the key from which the air-interface user plane key is derived differs from the key from which the air-interface control plane key is derived; equivalently, the network element/device that derives the air-interface user plane key differs from the one that derives the air-interface control plane key, or the terminal device's air-interface control plane key and air-interface user plane key are isolated from each other. The second parameter may be named, for example, a user plane separation request (UPSR). Optionally, the first parameter and the second parameter may be expressed by a single parameter that carries the meaning of both.
S205. The private network control plane network element parses the first message with the public network NAS key to obtain the session establishment request.
S206. The private network control plane network element determines from the first information that the session establishment request belongs to the private network.
That is, if the first message contains the first information, the private network control plane network element determines that the session establishment request belongs to the private network. For example, it inspects the received first message using the NAS key; if the message is a session management NAS message and contains the first information (one or more of the first parameter, the private network NSSAI or the private network DNN), it determines from the first information that the session management NAS message belongs to the private network.
S207. Having determined that the session establishment request belongs to the private network, the private network control plane network element establishes air-interface user plane security from the private network key.
For example, in that case the private network control plane network element may decide to use the private network key for air-interface user plane security based on one or more of: the first parameter in the first message, the second parameter, local configuration information, or the subscription information of the terminal device.
Optionally, it decides based on the first parameter or the second parameter in the first message: if the first message contains the first parameter or the second parameter, it uses the private network key to establish air-interface user plane security.
Optionally, it decides based on local configuration information: if the local configuration states that determining that a session establishment request belongs to the private network triggers establishing air-interface user plane security from the private network key, then upon making that determination it uses the private network key to establish air-interface user plane security.
Optionally, it decides based on the subscription information of the terminal device: if that subscription states that a private network session establishment request from this terminal device triggers establishing this terminal device's air-interface user plane security from the private network key, then upon making that determination it uses the private network key to establish air-interface user plane security. Subscription information is per terminal device; different terminal devices may have different subscription information.
The subscription information of other terminal devices may state that messages from those terminal devices do not trigger establishing their air-interface user plane security from the private network key. In that case, in one possible implementation the private network control plane network element forwards the first message to the public network control plane network element (for example the public network AMF network element), which processes it further; for example, this may trigger establishing the terminal device's air-interface user plane security from the public network key. In another possible implementation, the private network control plane network element responds to the first message with a session establishment failure message to the terminal device, optionally including a cause value for the failure. Since terminal devices differ in capability, the first message is in this way handled differently according to the capability of the terminal device that sent it.
The way the private network control plane network element establishes air-interface user plane security from the private network key is as described in step S104 above and is not repeated here.
Note that when the private network control plane network element determines that the session establishment request belongs to the public network, it forwards the first message to the public network AMF network element, which processes it further. The private network control plane network element may determine that the request belongs to the public network from the NSSAI/DNN included in the first message, or from the absence of the first parameter in the first message.
In some embodiments, the control plane network element of the private network includes a first network element and a second network element; alternatively, the first network element and the second network element are two independent network elements. The first network element and the second network element jointly implement the functions implemented by the control plane network element of the private network.
In such embodiments, the function of the control plane network element of the private network of receiving messages from other devices and/or forwarding messages to other devices may be implemented by the first network element. The function of managing private network service sessions may be implemented by the second network element. Corresponding to the embodiment described above, the operation of step S203 may be: the mobility management network element of the public network sends the NAS key of the public network to the first network element, and correspondingly the first network element receives the NAS key of the public network from the mobility management network element of the public network. The operation of step S204 may be: the terminal device sends the first message to the first network element, and correspondingly the first network element receives the first message from the terminal device. The entity performing steps S205 and S206 may be the first network element.
Step S207 may be performed according to the following procedure:
Step d1: When the first network element determines that the session establishment request corresponds to the private network, the first network element forwards the first message to the second network element.
For example, the first network element uses the NAS key to inspect the received first message; if the first message is a session management NAS message, and the session management NAS message includes first information (one or more of the first parameter, the NSSAI of the private network, or the DNN of the private network), the first network element determines according to the first information that the session management NAS message corresponds to the private network.
Step d2: The second network element determines, according to one or more of the first parameter in the first message, the second parameter in the first message, local configuration information, or the subscription information corresponding to the terminal device, to use the key of the private network to establish user plane security of the air interface.
Optionally, the second network element determines, according to the first parameter or the second parameter in the first message, to use the key of the private network to establish user plane security of the air interface. This can be understood as follows: if the first message includes the first parameter or the second parameter, the second network element determines to use the key of the private network to establish user plane security of the air interface.
Optionally, the second network element determines, according to local configuration information, to use the key of the private network to establish user plane security of the air interface. This can be understood as follows: if the local configuration information indicates that the second network element's receipt of a message triggers the operation of using the key of the private network to establish user plane security of the air interface, then, when the second network element receives the first message, it determines to use the key of the private network to establish user plane security of the air interface.
Optionally, the second network element determines, according to the subscription information corresponding to the terminal device, to use the key of the private network to establish user plane security of the air interface. This can be understood as follows: if the subscription information corresponding to the terminal device indicates that the second network element's receipt of a message sent by that terminal device triggers the operation of using the key of the private network to establish user plane security of the air interface corresponding to that terminal device, then, when the second network element receives the first message sent by the terminal device, it determines to use the key of the private network to establish user plane security of the air interface. In this manner the subscription information corresponds to the terminal device, and different terminal devices may have different subscription information.
The subscription information of some other terminal devices may indicate that a message sent by that terminal device does not trigger the operation of using the key of the private network to establish user plane security of the air interface corresponding to that terminal device. In this case, in one possible implementation, the second network element forwards the first message to the first network element and instructs the first network element to forward the first message to the control plane network element of the public network (for example, the AMF network element of the public network). In the subsequent process, the control plane network element of the public network performs the next step of processing on the first message; for example, in this implementation the operation of using the key of the public network to establish user plane security of the air interface corresponding to the terminal device may be triggered. In another possible implementation, in response to the first message, the second network element returns (possibly via the first network element) a session establishment failure message to the terminal device; optionally, the returned message may include a cause value for the creation failure. Since different terminal devices may have different capabilities, in this manner the first message from terminal devices with different capabilities can be handled in different ways.
Step d3: The second network element establishes user plane security of the air interface according to the key of the private network.
The manner in which the second network element establishes user plane security of the air interface according to the key of the private network may refer to the description in step S104 above, and is not repeated here. Optionally, the second network element may store the key of the private network. Optionally, the second network element may obtain the key of the private network from an AAA server. Optionally, the second network element may obtain the key of the private network, or a key derived from the key of the private network, from another network element that stores the key of the private network.
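Steps d1 to d3 modelled as running code, as an added example that is not part of the patent: the first network element classifies the session management NAS message, the second network element picks the key or hands the message back toward the public AMF. Every field name, configuration knob, sample value and the cause string are assumptions made for illustration.

```python
"""Added example, not code from the patent: a model of the split private-network
control plane (first and second network elements) in steps d1 to d3. Field
names, configuration knobs and the cause value are assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class Outcome(Enum):
    USE_PRIVATE_KEY = "establish air-interface UP security with the private-network key"
    FORWARD_TO_PUBLIC_AMF = "forward the first message to the public-network AMF"
    REJECT = "return session establishment failure to the terminal"


@dataclass(frozen=True)
class SessionNas:
    """Session management NAS message (the 'first message'). Each field is one
    of the items the text names; None means the item is absent."""
    first_parameter: Optional[str] = None
    second_parameter: Optional[str] = None
    nssai: Optional[str] = None
    dnn: Optional[str] = None


@dataclass
class LocalConfig:
    """Local configuration of the private-network control plane (assumed shape)."""
    private_nssai: Set[str] = field(default_factory=set)  # private-network NSSAIs
    private_dnn: Set[str] = field(default_factory=set)    # private-network DNNs
    # 'any received message triggers private-key UP security' (d2, local config)
    any_message_triggers_private: bool = False


@dataclass
class Subscription:
    """Per-terminal subscription. private_trigger: True = this terminal's
    messages trigger private-key UP security; False = they do not; None =
    the subscription says nothing, so the other d2 criteria decide."""
    private_trigger: Optional[bool] = None
    # When private_trigger is False: forward to the public AMF, else reject.
    forward_when_not_triggered: bool = True


# Assumed cause value for the failure message; the text only says a cause is carried.
CAUSE_PRIVATE_UP_NOT_PERMITTED = "private-network UP security not permitted"


def first_ne_classify(msg: SessionNas, cfg: LocalConfig) -> bool:
    """Step d1 at the first network element: the message corresponds to the
    private network if it carries any 'first information' item (first
    parameter, private-network NSSAI or private-network DNN)."""
    return (msg.first_parameter is not None
            or msg.nssai in cfg.private_nssai
            or msg.dnn in cfg.private_dnn)


def second_ne_decide(msg: SessionNas, cfg: LocalConfig,
                     sub: Subscription) -> Tuple[Outcome, Optional[str]]:
    """Step d2 at the second network element. Returns (outcome, cause)."""
    if sub.private_trigger is False:
        # Subscription forbids the trigger: hand over via the first NE, or fail.
        if sub.forward_when_not_triggered:
            return Outcome.FORWARD_TO_PUBLIC_AMF, None
        return Outcome.REJECT, CAUSE_PRIVATE_UP_NOT_PERMITTED
    if sub.private_trigger is True:
        return Outcome.USE_PRIVATE_KEY, None
    if msg.first_parameter is not None or msg.second_parameter is not None:
        return Outcome.USE_PRIVATE_KEY, None
    if cfg.any_message_triggers_private:
        return Outcome.USE_PRIVATE_KEY, None
    # No criterion fired; treating this like a public-network request is an
    # assumption, the text does not spell out this case.
    return Outcome.FORWARD_TO_PUBLIC_AMF, None


def handle_first_message(msg: SessionNas, cfg: LocalConfig,
                         sub: Subscription) -> Tuple[Outcome, Optional[str]]:
    """d1 then d2/d3: a message the first NE classes as public-network goes
    straight to the public AMF (the note after step S207); otherwise it is
    forwarded to the second NE, which picks the key (or forwards/rejects)."""
    if not first_ne_classify(msg, cfg):
        return Outcome.FORWARD_TO_PUBLIC_AMF, None
    return second_ne_decide(msg, cfg, sub)


# Constructed sample inputs (not from the patent).
CFG = LocalConfig(private_nssai={"npn-slice"}, private_dnn={"factory.local"})
MSG_PRIVATE = SessionNas(first_parameter="npn-1", dnn="factory.local")
MSG_PUBLIC = SessionNas(dnn="internet")
MSG_DNN_ONLY = SessionNas(dnn="factory.local")

if __name__ == "__main__":
    for name, msg, sub in [
        ("private UE", MSG_PRIVATE, Subscription()),
        ("public DNN", MSG_PUBLIC, Subscription()),
        ("denied, forwarded", MSG_PRIVATE, Subscription(private_trigger=False)),
        ("denied, rejected", MSG_PRIVATE,
         Subscription(private_trigger=False, forward_when_not_triggered=False)),
    ]:
        print(name, "->", handle_first_message(msg, CFG, sub))
```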
Referring to FIG. 8, which is a flowchart of yet another method for isolating public and private network services provided in an embodiment of the present application. The method may be implemented based on the network architecture shown in FIG. 4. The method includes the following steps.
S301. The terminal device initiates a registration procedure.
In step S301, the manner of establishing the N2 tunnel between the access network device and the public network may refer to the content described in step S201 above, and is not repeated here.
It should be noted that a terminal device in the embodiments of the present application corresponds to one set of network access subscription information. For example, a terminal device in the embodiments corresponds to one subscriber identification module (SIM) card; with the evolution of communication technology, the SIM card may also be an embedded SIM (eSIM) card with a built-in chip, and so on. For example, a dual-SIM dual-standby terminal device may be regarded as two terminal devices in the embodiments of the present application.
S302. The terminal device sends a fourth message to the access network device, where the fourth message includes a second connection establishment request.
For example, the fourth message may be an uplink radio resource control (RRC) message. The fourth message is used to trigger the establishment of a connection between the public network and the terminal device. The fourth message may include a second connection establishment request, which is used to request establishment of a connection between the public network and the terminal device. The connection between the public network and the terminal device may be a NAS connection of the public network. This connection may be used to carry signaling exchanged between the terminal device and a control plane network element of the public network (for example, an AMF network element); the exchanged signaling may include signaling related to establishing (or modifying, or deleting) a session connection, signaling related to mobility management, and so on.
S303. After the access network device receives the fourth message from the terminal device, the access network device sends the second connection establishment request to the mobility management network element of the public network.
For example, the process by which the access network device sends the second connection establishment request to the mobility management network element of the public network may be as follows:
Step e1: The access network device sends the second connection establishment request to the control plane device of the private network.
Correspondingly, the control plane network element of the private network receives the second connection establishment request from the terminal device.
Optionally, the second connection establishment request is carried in an N2 message. Because the control plane network element of the private network is a relay node between the RAN device and the control plane network element of the public network (for example, an AMF network element), it forwards the N2 messages it receives; therefore, a message that the RAN device sends to the control plane network element of the public network through the N2 tunnel is forwarded by the control plane network element of the private network.
Step e2: The control plane network element of the private network sends the second connection establishment request to the mobility management network element of the public network.
It should be noted that, in the actual transmission, what the control plane network element of the private network sends to the control plane network element of the public network is the N2 message carrying the second connection establishment request. Optionally, before sending the second connection establishment request to the mobility management network element of the public network, the control plane network element of the private network determines that the N2 message corresponds to the public network.
In one possible implementation, the N2 message contains a first indicator, which indicates that the N2 message corresponds to the public network. The first indicator is used to indicate that the N2 message corresponds to the public network, that is, the control plane network element of the private network does not need to process the message and only needs to forward it. In this case, the control plane network element of the private network may determine according to the first indicator that the N2 message corresponds to the public network.
In another possible implementation, if the N2 message does not contain a second indicator, or the N2 message is not an N2 message of a special (also called specific or preset) form (a specific N2 message), this indicates that the N2 message corresponds to the public network. The second indicator, or the special form of the message, is used to indicate that the N2 message corresponds to the private network, that is, the control plane network element of the private network needs to perform further processing on the N2 message. For example, such an N2 message may be the N2 message containing the first connection establishment request described below. In this case, the control plane network element of the private network may determine that the N2 message corresponds to the public network according to the absence of the second indicator from the N2 message, or according to the N2 message not being a special N2 message.
In yet another possible implementation, the control plane network element of the private network that the RAN device discovers in step S301 to implement the relay function (for convenience of description, called the first type of private network control plane network element) and the control plane network element of the private network that the RAN device discovers according to the routing information in the subsequent step S306 (for convenience of description, called the second type of private network control plane network element) are different control plane network elements. In this case, the first type of private network control plane network element forwards the N2 messages it receives, whereas the second type responds to the connection request in a received N2 message by further establishing a connection between the private network and the terminal device.
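The step e2 classification rules and the two-type arrangement above, as an added example that is not part of the patent: the message fields (`first_indicator`, `second_indicator`, `specific_form`), the `Role` setting and the sample payloads are assumptions made for illustration.

```python
"""Added example, not code from the patent: how a private-network control plane
element decides whether an incoming N2 message corresponds to the public network
(step e2) and what a first-type (relay) versus second-type (terminating) element
does with it. Field and role names are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    RELAY = "first type: discovered at registration, only forwards N2 messages"
    TERMINATING = "second type: discovered via routing info, handles private N2"


class Action(Enum):
    FORWARD_TO_PUBLIC_AMF = "relay the N2 message unchanged to the public AMF"
    HANDLE_LOCALLY = "process the connection request inside the private network"


@dataclass(frozen=True)
class N2Message:
    payload: str                    # e.g. which connection establishment request it carries
    first_indicator: bool = False   # present -> message corresponds to the public network
    second_indicator: bool = False  # present -> message corresponds to the private network
    specific_form: bool = False     # 'specific N2 message' form -> private network


def corresponds_to_public(msg: N2Message) -> bool:
    """Step e2 rules, applied in the order the text gives them: the first
    indicator wins; otherwise the message is public unless the second indicator
    or the special form marks it as private."""
    if msg.first_indicator:
        return True
    return not (msg.second_indicator or msg.specific_form)


def dispatch(msg: N2Message, role: Role) -> Action:
    """A first-type element forwards everything it receives; a second-type
    element (the one reached in S306/S307) handles only messages that do not
    correspond to the public network and forwards the rest."""
    if role is Role.RELAY or corresponds_to_public(msg):
        return Action.FORWARD_TO_PUBLIC_AMF
    return Action.HANDLE_LOCALLY


# Constructed sample messages (not from the patent).
PUBLIC_REQ = N2Message("second connection establishment request", first_indicator=True)
PRIVATE_REQ = N2Message("first connection establishment request", specific_form=True)
PRIVATE_FLAGGED = N2Message("first connection establishment request", second_indicator=True)
UNMARKED = N2Message("registration-related N2 message")

if __name__ == "__main__":
    for msg in (PUBLIC_REQ, PRIVATE_REQ, PRIVATE_FLAGGED, UNMARKED):
        for role in Role:
            print(f"{msg.payload!r} at {role.name}: {dispatch(msg, role).name}")
```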
S304. After the mobility management network element of the public network receives the second connection establishment request from the access network device, it establishes a connection between the public network and the terminal device according to the second connection establishment request.
It can be understood that after the mobility management network element of the public network has established the connection between the public network and the terminal device, the NAS security of the public network may be established using the key of the public network. That is, the mobility management network element of the public network and the terminal device agree, based on the key of the public network, on a NAS control plane key corresponding to the public network.
S305. The terminal device sends a third message to the access network device, where the third message includes a first connection establishment request.
For example, the third message may be an uplink radio resource control (RRC) message. The third message is used to trigger the establishment of a connection between the private network and the terminal device. Optionally, the third message includes the first connection establishment request and routing information of the control plane network element of the private network, where the first connection establishment request is used to request establishment of a connection between the private network and the terminal device, and the routing information of the control plane network element of the private network is used to discover that control plane network element.
For example, the connection between the private network and the terminal device may be a NAS connection of the private network. For example, the third message may include second indication information, the routing information of the control plane network element of the private network, and the first connection establishment request. The second indication information is used to instruct the access network device to discover the control plane network element of the private network, and the routing information of the control plane network element of the private network is used to discover that control plane network element.
For example, the first connection establishment request may be an Initial UE NAS message, or another newly defined (also called specific, particular or preset) NAS message. If the first connection establishment request is an Initial UE NAS message, the third message further includes a third indication, which is used to indicate that the Initial UE NAS message corresponds to the private network. If the first connection establishment request is another newly defined NAS message, that newly defined NAS message may itself indicate that the NAS message corresponds to the private network.
Optionally, before the terminal device sends the third message to the access network device, the terminal device may determine, according to a private-network-specific DNN or a private-network-specific NSSAI, to establish a NAS connection of the private network for carrying session management messages of the private network. For example, the private-network-specific DNN or the private-network-specific NSSAI may be included in policy information preconfigured in the terminal device or delivered by a network device.
For example, the policy information may instruct the terminal device, during registration to the network (for example, when the terminal is powered on), to establish a NAS connection of the private network for carrying session management messages of the private network if the policy information contains a private-network-specific DNN or a private-network-specific NSSAI. In another example, the policy information may instruct the terminal device, after it receives indication information delivered by a network device, to establish a NAS connection of the private network for carrying session management messages of the private network if the policy information contains a private-network-specific DNN or a private-network-specific NSSAI. It should be noted that there is no fixed order between step S302 and step S305: step S302 may be performed first and then step S305, or step S305 may be performed first and then step S302.
S306. After the access network device receives the third message from the terminal device, it discovers the control plane network element of the private network according to the third message and sends the first connection establishment request to that control plane network element.
The control plane network element of the private network is used to establish a connection between the private network and the terminal device. It should be noted that the control plane network element of the private network discovered by the access network device in S306 may be the same as, or different from, the control plane network element of the private network discovered by the access network device during the registration procedure of the terminal device.
Optionally, the first connection establishment request is carried in an N2 message.
S307. After the control plane network element of the private network receives the first connection establishment request from the access network device, it establishes a connection between the private network and the terminal device according to the first connection establishment request.
The connection between the private network and the terminal device may be used to carry signaling exchanged between the terminal device and the control plane network element of the private network (for example, an L-CP network element); the exchanged signaling may include signaling related to establishing (or modifying, or deleting) a session connection, and so on. For example, the connection between the private network and the terminal device may be used to carry the first message in S308. Optionally, before establishing the connection between the private network and the terminal device according to the first connection establishment request, the control plane network element of the private network determines that the N2 message carrying the first connection establishment request corresponds to the private network. The method of determination may refer to the description in step e2 above; in short, if the control plane network element of the private network determines that the N2 message does not correspond to the public network, it can determine that the N2 message corresponds to the private network. Alternatively, the control plane network element of the private network in step S307 is the second type of private network control plane network element described in step e2 above.
It can be understood that after the control plane network element of the private network has established the connection between the private network and the terminal device, the NAS security of the private network may be established using the key of the private network. That is, the control plane network element of the private network and the terminal device agree, based on the key of the private network, on a NAS control plane key corresponding to the private network.
S308. The terminal device sends the first message to the control plane network element of the private network through the connection between the private network and the terminal device.
For a description of the first message, refer to the description of the first message in the embodiments corresponding to FIG. 5 or FIG. 7 above, which is not repeated here.
It should be noted that, when the terminal device sends the first message to the control plane network element of the private network through the connection between the private network and the terminal device, the first message may be forwarded by the access network device.
S309. After the control plane network element of the private network receives the first message from the terminal device through the connection between the private network and the terminal device, it determines, according to the connection between the private network and the terminal device, that the session establishment request in the first message corresponds to the private network.
That is, if the control plane network element of the private network determines that the session establishment request was sent through the connection between the private network and the terminal device, it determines that the session establishment request corresponds to the private network.
For example, the control plane network element of the private network may determine, according to one or more of the first parameter in the first message, the second parameter in the first message, local configuration information, or the subscription information corresponding to the terminal device, that the session establishment request in the first message corresponds to the private network, or determine to use the key of the private network to establish user plane security of the air interface. The manner of determining that the session establishment request corresponds to the private network may refer to the description in S206 above, and the manner of determining to use the key of the private network to establish user plane security of the air interface may refer to the description in S207 above; neither is repeated here.
S310. The control plane network element of the private network establishes user plane security of the air interface according to the key of the private network.
Specifically, the manner in which the control plane network element of the private network establishes user plane security of the air interface according to the key of the private network may refer to the description in step S104 above, and is not repeated here.
It should be noted that in the above embodiments the terminal device establishes a connection with the public network and a connection with the private network separately. In this case the terminal device can obtain the root key of the private network and the root key of the public network, where the root key of the private network is different from the root key of the public network; the terminal device can generate the user plane key of the private network from the root key of the private network and the user plane key of the public network from the root key of the public network.
In some embodiments, the control plane network element of the private network includes a first network element and a second network element; or, the first network element and the second network element are two independent network elements. The first network element and the second network element together implement the functions of the control plane network element of the private network.
In such embodiments, the functions of the control plane network element of the private network of receiving messages from other devices, forwarding messages to other devices, and establishing the connection between the private network and the terminal device may be implemented by the first network element. The function of managing private network service sessions may be implemented by the second network element. Corresponding to the embodiments described above, the operation in step e1 may be: the access network device sends the second connection establishment request to the first network element, and correspondingly the first network element receives the second connection establishment request from the access network device. The operation of step S306 may be: the access network device discovers the first network element according to the first message and sends the first connection establishment request to the first network element, and correspondingly the first network element receives the first connection establishment request from the access network device, where the first message includes a session establishment request. The operation of step S308 may be: the terminal device sends the first message to the first network element over the connection between the private network and the terminal device, and correspondingly the first network element receives the first message from the terminal device over the connection between the private network and the terminal device.
In addition, the entity executing step e2 and step S307 may be the first network element.
Step S310 may be executed according to the following procedure:
Step f1: when the first network element determines that the session establishment request corresponds to the private network, the first network element forwards the first message to the second network element. Optionally, the first network element may directly forward the first message received over the connection between the private network and the terminal device to the second network element.
For example, if the first network element determines that the session establishment request was sent over the connection between the private network and the terminal device, the first network element determines that the session establishment request corresponds to the private network.
Step f2: the second network element determines, according to one or more of the first parameter in the first message, the second parameter, local configuration information, or the subscription information corresponding to the terminal device, to use the key of the private network to establish user plane security of the air interface.
It should be noted that step f2 may be implemented as described for step d2 above; the description is not repeated here.
Step f3: the second network element establishes user plane security of the air interface according to the key of the private network.
For how the second network element establishes user plane security of the air interface according to the key of the private network, refer to the description above; it is not repeated here. Optionally, the second network element may store the key of the private network. Optionally, the second network element may obtain the key of the private network from the AAA server. Optionally, the second network element may obtain the key of the private network, or a key derived from the key of the private network, from another network element that stores the key of the private network.
It should be noted that the steps in the embodiments corresponding to FIG. 7 and FIG. 8 may all be executed as described for the embodiment corresponding to FIG. 5. In addition, the embodiments of this application may be combined to achieve different technical effects. For example, each possible implementation of the embodiment corresponding to FIG. 5 may be applied to the embodiments corresponding to FIG. 7 and FIG. 8, and to their possible implementations, provided it does not conflict with them.
The embodiments provided above describe the method of this application from the perspective of the interaction between the control plane network element of the private network, the terminal device, the access network device, the mobility management network element of the public network, and other devices. To implement the functions of the method provided by the above embodiments, the control plane network element of the private network, the terminal device, the access network device, and the mobility management network element of the public network may include hardware structures and/or software modules, and may implement the above functions as a hardware structure, a software module, or a hardware structure plus a software module. Any one of the above functions may be executed as a hardware structure, a software module, or a hardware structure plus a software module.
The apparatus used to implement the above methods in the embodiments of this application is described below with reference to the accompanying drawings. The content above therefore applies to the subsequent embodiments, and repeated content is not described again.
FIG. 9 is a schematic structural diagram of a communication apparatus 900 provided by an embodiment of this application. The communication apparatus 900 can implement the functions or steps performed by the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network in the method embodiments above.
The communication apparatus 900 may include a transceiver unit 901 or a processing unit 902. Optionally, it may further include a storage unit, which may be used to store instructions (code or a program) and/or data. The transceiver unit 901 or the processing unit 902 may be coupled to the storage unit; for example, the processing unit 902 may read the instructions (code or program) and/or data in the storage unit to implement the corresponding method. The above units may be set up independently, or may be partly or fully integrated. Optionally, the transceiver unit 901 may include a sending unit or a receiving unit, where the sending unit performs sending operations and the receiving unit performs receiving operations.
It should be understood that the processing unit 902 may be a processor or a controller, for example a general-purpose central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination of these. It may implement or execute the various illustrative logical blocks, units, and circuits described in connection with the disclosure of this application. The processor may also be a combination that implements a computing function, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The transceiver unit 901 is an interface circuit of the apparatus for receiving signals from other apparatuses. For example, when the apparatus is implemented as a chip, the transceiver unit 901 is the interface circuit the chip uses to receive signals from other chips or apparatuses, or the interface circuit the chip uses to send signals to other chips or apparatuses.
The communication apparatus 900 may be the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network in the embodiments above, or may be a chip used in the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network.
For example, when the communication apparatus 900 is the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network, the processing unit 902 may be, for example, a processor, and the transceiver unit 901 may be, for example, a transceiver. Optionally, the transceiver may include a radio frequency circuit or an input/output interface, and the storage unit may be, for example, a memory. For example, when the communication apparatus 900 is a chip used in the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network, the processing unit 902 may be, for example, a processor, and the transceiver unit 901 may be, for example, an input/output interface, a pin, or a circuit. The processing unit 902 may execute computer-executable instructions stored in the storage unit. Optionally, the storage unit is a storage unit inside the chip, such as a register or a cache; the storage unit may also be a storage unit located outside the chip within the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network, such as a read-only memory (ROM) or another type of static storage device that can store static information or instructions, or a random access memory (RAM).
In some embodiments, the communication apparatus 900 can implement the behavior and functions of the control plane network element of the private network (also referred to as the L-SMF) in the method embodiments above. For example, the communication apparatus 900 may be the control plane network element of the private network, or may be a component (such as a chip or a circuit) used in the control plane network element of the private network.
The transceiver unit 901 may be used to support communication between the control plane network element of the private network and other network entities, for example communication between the control plane network element of the private network and the mobility management network element of the public network, the access network device, the terminal device, and so on shown in FIG. 4 to FIG. 8. The processing unit 902 is used to control and manage the actions of the control plane network element of the private network; for example, the processing unit 902 supports the control plane network element of the private network in performing the operations of the control plane network element of the private network in FIG. 4 to FIG. 8 other than sending and receiving.
Specifically, the processing unit 902 is configured to obtain the key of the private network, where the key of the private network is the root key of the private network or a key derived from the root key of the private network, the root key of the private network is different from the root key of the public network, the key of the private network is used for user plane security of the air interface, and the root key of the public network is used for control plane security of the air interface. For example, for the operation performed by the processing unit 902, refer to the description of step S101 in the method shown in FIG. 5 above.
The transceiver unit 901 is configured to receive a first message from the terminal device, where the first message includes a session establishment request. For example, for the operation performed by the transceiver unit 901, refer to the description of step S102 in the method shown in FIG. 5 above.
The processing unit 902 is further configured to determine that the session establishment request corresponds to the private network. For example, for the operation performed by the processing unit 902, refer to the description of step S103 in the method shown in FIG. 5 above.
The processing unit 902 is further configured to establish user plane security of the air interface according to the key of the private network. For example, for the operation performed by the processing unit 902, refer to the description of step S104 in the method shown in FIG. 5 above.
In a possible implementation, the transceiver unit 901 is further configured to: receive the non-access stratum (NAS) key of the public network from the mobility management network element of the public network; and parse the first message using the NAS key of the public network to obtain the session establishment request.
In a possible implementation, the transceiver unit 901 is specifically configured to: receive a second message from the mobility management network element of the public network, where the second message includes second information and the NAS key of the public network, and the second information indicates that the control plane network element of the private network is granted permission to use the NAS key of the public network.
In a possible implementation, the first message includes first information indicating that the session establishment request corresponds to the private network, and the processing unit 902 is specifically configured to determine, according to the first information, that the session establishment request corresponds to the private network.
In a possible implementation, the transceiver unit 901 is specifically configured to receive the first message from the terminal device over a first connection between the private network and the terminal device, and the processing unit 902 is specifically configured to determine, according to the first connection, that the session establishment request corresponds to the private network.
In a possible implementation, the transceiver unit 901 is further configured to receive a first connection establishment request from the terminal device, where the first connection establishment request requests establishment of the first connection; the processing unit 902 is further configured to establish the first connection according to the first connection establishment request; the transceiver unit 901 is further configured to receive a second connection establishment request from the terminal device, where the second connection establishment request requests establishment of a second connection between the public network and the terminal device; and the transceiver unit 901 is further configured to send the second connection establishment request to the mobility management network element of the public network.
In a possible implementation, the processing unit 902 is specifically configured to generate a security parameter according to the key of the private network, and the transceiver unit 901 is further configured to send the security parameter to the terminal device and/or the access network device, where the security parameter is used by the terminal device and/or the access network device to generate the user plane key of the air interface.
In a possible implementation, the control plane network element of the private network stores the key of the private network; or, the processing unit 902 is specifically configured to obtain the key of the private network from an authentication, authorization and accounting (AAA) server.
For the operations performed by the units of the control plane network element of the private network in this embodiment, refer to the related content on the control plane network element of the private network in the method embodiments corresponding to FIG. 4 to FIG. 8; details are not repeated here. The above units may be implemented in hardware, in software, or in a combination of hardware and software. In one embodiment, the functions of the transceiver unit 901 and the processing unit 902 above may be implemented by one or more processors in the communication apparatus 900. With this communication apparatus, the key used to establish user plane security of the air interface differs from the key used to establish control plane security of the air interface, so user plane security is established more independently, which can improve the security of services.
In other embodiments, the communication apparatus 900 can implement the behavior and functions of the terminal device in the method embodiments above. For example, the communication apparatus 900 may be the terminal device, or may be a component (such as a chip or a circuit) used in the terminal device.
The transceiver unit 901 may be used to support communication between the terminal device and other network entities, for example communication between the terminal device and the control plane network element of the private network, the access network device, the mobility management network element of the public network, and so on shown in FIG. 4 to FIG. 8. The processing unit 902 is used to control and manage the actions of the terminal device; for example, the processing unit 902 supports the terminal device in performing the operations of the terminal device in FIG. 4 to FIG. 8 other than sending and receiving.
Specifically, the transceiver unit 901 is configured to send a first message to the control plane network element of the private network, where the first message includes a session establishment request corresponding to the private network. For example, for the operation performed by the transceiver unit 901, refer to the description of step S308 in the method shown in FIG. 8 above.
The processing unit 902 is configured to establish user plane security of the air interface according to the key of the private network, where the root key of the private network is different from the root key of the public network, the key of the private network is the root key of the private network or a key derived from the root key of the private network, the key of the private network is used for user plane security of the air interface, and the root key of the public network is used for control plane security of the air interface. For example, for the operation performed by the processing unit 902, refer to the description of step b5 in the method shown in FIG. 6 above.
In a possible implementation, the transceiver unit 901 is further configured to send a first connection establishment request to the control plane network element of the private network, where the first connection establishment request requests establishment of a first connection between the private network and the terminal device, and a second connection exists between the terminal device and the public network.
In a possible implementation, the transceiver unit 901 is further configured to send a second connection establishment request to the mobility management network element of the public network, where the second connection establishment request requests establishment of the second connection between the public network and the terminal device; and the processing unit 902 is further configured to generate the control plane key of the air interface according to the root key of the public network.
In a possible implementation, the transceiver unit 901 is further configured to receive a security parameter from the control plane network element of the private network, and the processing unit 902 is specifically configured to generate the user plane key of the air interface according to the security parameter and the key of the private network, and to establish user plane security of the air interface according to the user plane key of the air interface.
For the operations performed by the units of the terminal device in this embodiment, refer to the related content on the terminal device in the method embodiments corresponding to FIG. 4 to FIG. 8; details are not repeated here. The above units may be implemented in hardware, in software, or in a combination of hardware and software. In one embodiment, the functions of the transceiver unit 901 and the processing unit 902 above may be implemented by one or more processors in the communication apparatus 900. With this communication apparatus, a connection between the private network and the terminal device can be established and the user plane key of the air interface can be generated according to the root key of the private network, so that public network and private network services are securely isolated, which improves the security of private network services.
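The key separation that the L-SMF apparatus (obtaining the private network key, receiving the NAS-protected first message with the granted public NAS key, checking that the session request belongs to the private network, generating a security parameter and deriving user plane keys) and the terminal device apparatus (deriving the same user plane keys from the security parameter and the private network key, and the control plane keys from the public root key) are described as performing is modeled below in Python. This is an added example, not code from the patent or from Huawei: the KDF is HMAC-SHA-256 in the style of 3GPP TS 33.220 Annex B, but the FC values, key labels, 32-byte root keys, the JSON message layout, the `private_network` indicator standing in for the patent's "first information", the `grant` flag standing in for its "second information", and the HMAC-counter-mode stand-in for a NAS ciphering algorithm are all assumptions made for this example. The class names `PublicAMF`, `PrivateSMF` and `UE` are likewise the example's own.

```python
import hashlib
import hmac
import json
import os

# Added example, not code from the patent. Key lengths, labels, FC values and the
# NAS protection scheme are assumptions made for this example.

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """KDF in the style of 3GPP TS 33.220 Annex B: HMAC-SHA-256 over
    FC || P0 || L0 || P1 || L1 ... (the FC values used here are placeholders)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_nas_keys(k_public_root: bytes) -> dict:
    """Control plane (NAS) keys: derived from the public network root key only."""
    return {"enc": kdf(k_public_root, 0x01, b"NAS-enc"), "int": kdf(k_public_root, 0x01, b"NAS-int")}

def derive_up_keys(k_private: bytes, sec_param: bytes) -> dict:
    """User plane keys: derived from the private network key and the security
    parameter the L-SMF distributes; the public root key never enters here."""
    return {"enc": kdf(k_private, 0x02, b"UP-enc", sec_param), "int": kdf(k_private, 0x02, b"UP-int", sec_param)}

def _keystream(k_enc: bytes, count: int, n: int) -> bytes:
    """Stand-in for a NEA ciphering algorithm: HMAC-SHA-256 in counter mode."""
    blocks = [hmac.new(k_enc, count.to_bytes(4, "big") + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def nas_protect(keys: dict, count: int, plaintext: bytes) -> dict:
    """Cipher, then integrity-protect with a 32-bit MAC (the NAS MAC-I length)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(keys["enc"], count, len(plaintext))))
    mac = hmac.new(keys["int"], count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:4]
    return {"count": count, "ct": ct, "mac": mac}

def nas_unprotect(keys: dict, msg: dict) -> bytes:
    exp = hmac.new(keys["int"], msg["count"].to_bytes(4, "big") + msg["ct"], hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(exp, msg["mac"]):
        raise ValueError("NAS integrity check failed")
    return bytes(a ^ b for a, b in zip(msg["ct"], _keystream(keys["enc"], msg["count"], len(msg["ct"]))))

class PublicAMF:
    """Mobility management NE of the public network; holds the public root key."""
    def __init__(self, k_public_root: bytes):
        self.nas_keys = derive_nas_keys(k_public_root)

    def second_message(self, grant: bool) -> dict:
        """The NAS key plus the 'second information' that grants the L-SMF its use."""
        return {"grant": grant, "nas_keys": dict(self.nas_keys)}

class PrivateSMF:
    """Control plane NE of the private network (L-SMF); holds the private key only."""
    def __init__(self, k_private: bytes):
        self.k_private, self.nas_keys, self.up_keys = k_private, None, None

    def receive_second_message(self, msg: dict) -> None:
        if not msg["grant"]:
            raise PermissionError("public network did not grant use of its NAS key")
        self.nas_keys = msg["nas_keys"]

    def handle_first_message(self, first_msg: dict, via_private_connection: bool) -> bytes:
        """Parse with the public NAS key, check the request belongs to the private
        network (first information, or the connection it arrived on), derive the
        UP keys from the private key and return the security parameter."""
        req = json.loads(nas_unprotect(self.nas_keys, first_msg))
        if req.get("type") != "PDU_SESSION_ESTABLISHMENT_REQUEST":
            raise ValueError("first message carries no session establishment request")
        if not (req.get("private_network") or via_private_connection):
            raise ValueError("session establishment request does not correspond to the private network")
        sec_param = os.urandom(16)
        self.up_keys = derive_up_keys(self.k_private, sec_param)
        return sec_param

class UE:
    """Terminal device; holds both root keys and derives each plane's keys itself."""
    def __init__(self, k_public_root: bytes, k_private: bytes):
        self.nas_keys, self.k_private, self.up_keys = derive_nas_keys(k_public_root), k_private, None

    def first_message(self, count: int) -> dict:
        req = {"type": "PDU_SESSION_ESTABLISHMENT_REQUEST", "private_network": True, "dnn": "plant.example"}
        return nas_protect(self.nas_keys, count, json.dumps(req).encode())

    def receive_security_parameter(self, sec_param: bytes) -> None:
        self.up_keys = derive_up_keys(self.k_private, sec_param)

def run_session(k_public_root: bytes, k_private: bytes, grant: bool = True) -> dict:
    """Run the exchange; report whether both sides agree on the UP keys and whether
    those keys are independent of the public root key."""
    amf, smf, ue = PublicAMF(k_public_root), PrivateSMF(k_private), UE(k_public_root, k_private)
    smf.receive_second_message(amf.second_message(grant))
    sec_param = smf.handle_first_message(ue.first_message(count=7), via_private_connection=True)
    ue.receive_security_parameter(sec_param)
    return {"up_keys_match": ue.up_keys == smf.up_keys,
            "independent_of_public_root": smf.up_keys != derive_up_keys(k_public_root, sec_param)}

if __name__ == "__main__":
    print(run_session(os.urandom(32), os.urandom(32)))
```

The two checks `run_session` returns are the properties the apparatus description relies on: the UE and the L-SMF derive identical user plane keys from the private network key and the security parameter alone, and an entity that holds only the public root key (the public network, or anyone who recovers its NAS keys) cannot reproduce them. Refusing the second message when the grant is absent is the check a practitioner would want on the L-SMF side, since the public NAS key is the only public-network material the private control plane ever needs.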
In other embodiments, the communication apparatus 900 can implement the behavior and functions of the access network device in the method embodiments above. For example, the communication apparatus 900 may be the access network device, or may be a component (such as a chip or a circuit) used in the access network device.
The transceiver unit 901 may be used to support communication between the access network device and other network entities, for example communication between the access network device and the control plane network element of the private network, the mobility management network element of the public network, the terminal device, and so on shown in FIG. 4 to FIG. 8. The processing unit 902 is used to control and manage the actions of the access network device; for example, the processing unit 902 supports the access network device in performing the operations of the access network device in FIG. 4 to FIG. 8 other than sending and receiving.
Specifically, the transceiver unit 901 is configured to receive a third message from the terminal device, where the third message includes a first connection establishment request, and the first connection establishment request requests establishment of a first connection between the private network and the terminal device. For example, for the operation performed by the transceiver unit 901, refer to the description of step S305 in the method shown in FIG. 8 above.
The processing unit 902 is configured to discover the control plane network element of the private network according to the third message, where the control plane network element of the private network is used to establish the first connection. For example, for the operation performed by the processing unit 902, refer to the description of step S306 in the method shown in FIG. 8 above.
The transceiver unit 901 is further configured to send the first connection establishment request to the control plane network element of the private network. For example, for the operation performed by the transceiver unit 901, refer to the description of step S306 in the method shown in FIG. 8 above.
In a possible implementation, the transceiver unit 901 is further configured to receive a fourth message from the terminal device, where the fourth message includes a second connection establishment request, and the second connection establishment request requests establishment of a second connection between the public network and the terminal device; and the transceiver unit 901 is further configured to send the second connection establishment request to the mobility management network element of the public network according to the fourth message.
In a possible implementation, the third message includes routing information of the control plane network element of the private network, and the routing information of the control plane network element of the private network is used to discover the control plane network element of the private network.
For the operations performed by the units of the access network device in this embodiment, refer to the related content on the access network device in the method embodiments corresponding to FIG. 4 to FIG. 8; details are not repeated here. The above units may be implemented in hardware, in software, or in a combination of hardware and software. In one embodiment, the functions of the transceiver unit 901 and the processing unit 902 above may be implemented by one or more processors in the communication apparatus 900. With this communication apparatus, the control plane network element of the private network can be discovered according to the third message, and the first connection establishment request, which requests establishment of the connection between the private network and the terminal device, can be sent to the control plane network element of the private network, which in turn triggers establishment of the connection between the private network and the terminal device; public network and private network services can thus be securely isolated, improving the security of private network services.
FIG. 10 is a schematic structural diagram of a communication apparatus 1000 provided by an embodiment of this application. The communication apparatus 1000 may be the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network, and can implement the functions or steps of the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network in the method provided by the embodiments of this application. The communication apparatus 1000 may be a chip system. In the embodiments of this application, a chip system may consist of chips, or may include chips and other discrete components.
The communication apparatus 1000 includes at least one processor 1002. The processor 1002 may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits for controlling execution of the program of the solution of this application, and is used to implement, or to support the communication apparatus 1000 in implementing, the functions of the control plane network element of the private network, the terminal device, the access network device, or the mobility management network element of the public network in the method provided by the embodiments of this application. For details, refer to the detailed description in the method examples, which is not repeated here.
The communication apparatus 1000 may further include at least one memory 1001 for storing program instructions and/or data. The memory 1001 is coupled to the processor 1002. Coupling in the embodiments of this application is an indirect coupling or communication connection between apparatuses, units, or modules, which may be electrical, mechanical, or of another form, and is used for information exchange between the apparatuses, units, or modules. The processor 1002 may operate in cooperation with the memory 1001. The processor 1002 may execute the program instructions and/or data stored in the memory 1001 so that the communication apparatus 1000 implements the corresponding method. At least one of the at least one memory may be included in the processor 1002.
The communication apparatus 1000 may further include a communication interface 1003, which uses any transceiver-type device to communicate with other devices or communication networks, such as an Ethernet, a radio access network (RAN), a wireless local area network (WLAN), or a wired access network. The communication interface 1003 is used to communicate with other devices through a transmission medium, so that the apparatus within the communication apparatus 1000 can communicate with other devices. For example, when the communication apparatus 1000 is a private network element, the other device is a public network element, a private network user plane network element, an access network device, or a terminal device; or, when the communication apparatus is a public network element, the other device is a private network element (a private network session management network element or a private network authentication network element), a private network user plane network element, an access network device, or a terminal device. The processor 1002 may use the communication interface 1003 to send and receive data. The communication interface 1003 may specifically be a transceiver.
The embodiments of this application do not limit the specific connection medium among the communication interface 1003, the processor 1002, and the memory 1001. In FIG. 10, the memory 1001, the processor 1002, and the communication interface 1003 are connected by a bus 1004, shown as a thick line; the connections between other components are shown only schematically and are not limiting. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 10, but this does not mean that there is only one bus or one type of bus.
在本申请实施例中,处理器1002可以是通用处理器、数字信号处理器、专用集成电路、现场可编程门阵列或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件,可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件单元组合执行完成。In this embodiment of the application, the processor 1002 may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement Or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the methods disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software units in the processor.
存储器1001可以是ROM或可存储静态信息和指令的其他类型的静态存储设备,RAM或者可存储信息和指令的其他类型的动态存储设备,也可以是电可擦可编程只读存储器(electrically erasable programmable read-only memory,EEPROM)、只读光盘(compact disc read-only memory,CD-ROM)或其他光盘存储、光碟存储(包括压缩光碟、激光碟、光碟、数字通用光碟、蓝光光碟等)、磁盘存储介质或者其他磁存储设备、或者能够用于携带或存储 具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质,但不限于此。存储器可以是独立存在,通过总线1004与处理器相连接。存储器也可以和处理器集成在一起。 Memory 1001 can be ROM or other types of static storage devices that can store static information and instructions, RAM or other types of dynamic storage devices that can store information and instructions, and can also be electrically erasable programmable read-only memory (electrically erasable programmable read-only memory, EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk Storage media or other magnetic storage devices, or any other media that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without limitation. The memory may exist independently and be connected to the processor through the bus 1004 . Memory can also be integrated with the processor.
其中,存储器1001用于存储执行本申请方案的计算机执行指令,并由处理器1002来控制执行。处理器1002用于执行存储器1001中存储的计算机执行指令,从而实现本申请上述实施例提供的公私网业务的隔离方法。Wherein, the memory 1001 is used to store computer-executed instructions for implementing the solution of the present application, and the execution is controlled by the processor 1002 . The processor 1002 is configured to execute computer-executed instructions stored in the memory 1001, so as to implement the method for isolating public and private network services provided in the above-mentioned embodiments of the present application.
可选地,本申请实施例中的计算机执行指令也可以称之为应用程序代码,本申请实施例对此不作具体限定。Optionally, the computer-executed instructions in the embodiments of the present application may also be referred to as application program codes, which is not specifically limited in the embodiments of the present application.
For the case where the communication device is a chip or a chip system, refer to the schematic structural diagram of the chip shown in FIG. 11. The chip 110 shown in FIG. 11 includes a processor 1101 and an interface 1102. There may be one or more processors 1101, and there may be a plurality of interfaces 1102.
For the case where the chip is used to implement the functions of the control plane network element of the private network in the embodiments of the present application:
The processor 1101 is configured to obtain the key of the private network, where the key of the private network is the root key of the private network or a key derived from the root key of the private network, the root key of the private network is different from the root key of the public network, the key of the private network is used for user plane security of the air interface, and the root key of the public network is used for control plane security of the air interface. Exemplarily, for the operation performed by the processor 1101, refer to the description of step S101 in the method shown in FIG. 5 above.
The interface 1102 is configured to receive a first message from a terminal device, where the first message includes a session establishment request. Exemplarily, for the operation performed by the interface 1102, refer to the description of step S102 in the method shown in FIG. 5 above.
The processor 1101 is further configured to determine that the session establishment request corresponds to the private network. Exemplarily, for the operation performed by the processor 1101, refer to the description of step S103 in the method shown in FIG. 5 above.
The processor 1101 is further configured to establish user plane security of the air interface according to the key of the private network. Exemplarily, for the operation performed by the processor 1101, refer to the description of step S104 in the method shown in FIG. 5 above.
For the case where the chip is used to implement the functions of the terminal device in the embodiments of the present application:
The interface 1102 is configured to send a first message to a control plane network element of the private network, where the first message includes a session establishment request corresponding to the private network. Exemplarily, for the operation performed by the interface 1102, refer to the description of step S308 in the method shown in FIG. 8 above.
The processor 1101 is configured to establish user plane security of the air interface according to the key of the private network, where the root key of the private network is different from the root key of the public network, the key of the private network is the root key of the private network or a key derived from the root key of the private network, the key of the private network is used for user plane security of the air interface, and the root key of the public network is used for control plane security of the air interface. Exemplarily, for the operation performed by the processor 1101, refer to the description of step b5 in the method shown in FIG. 6 above.
For the case where the chip is used to implement the functions of the access network device in the embodiments of the present application:
The interface 1102 is configured to receive a third message from the terminal device, where the third message includes a first connection establishment request, and the first connection establishment request is used to request establishment of a first connection between the private network and the terminal device. Exemplarily, for the operation performed by the interface 1102, refer to the description of step S305 in the method shown in FIG. 8 above.
The processor 1101 is configured to discover a control plane network element of the private network according to the third message, where the control plane network element of the private network is used to establish the first connection. Exemplarily, for the operation performed by the processor 1101, refer to the description of step S306 in the method shown in FIG. 8 above.
The interface 1102 is further configured to send the first connection establishment request to the control plane network element of the private network. Exemplarily, for the operation performed by the interface 1102, refer to the description of step S306 in the method shown in FIG. 8 above.
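The key separation that the chip functions above (and method claims 1 to 15 below) rely on can be walked through in a small Python model. This is an added illustration, not code from the patent or from the applicant: it assumes an HMAC-SHA256 derivation in place of the 3GPP key derivation function, a constructed `PRIVATE:` prefix standing in for the "first information", a boolean permission flag standing in for the "second information", HMAC integrity protection standing in for NAS security, and constructed root keys. It shows the private control plane network element using a delegated public NAS key to parse the first message, checking that the request corresponds to the private network, and then deriving the air-interface user plane key from the private network key; the UE re-derives the same key, while the public network, which holds only its own root key, cannot.

```python
"""Toy model of public/private key separation (constructed example, not the patent's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def kdf(root: bytes, label: str, *context: bytes) -> bytes:
    """HMAC-SHA256 key derivation; a stand-in for the 3GPP KDF (assumption)."""
    h = hmac.new(root, label.encode(), hashlib.sha256)
    for part in context:
        h.update(part)
    return h.digest()


# Constructed root keys. They are generated independently, which is the point:
# the public network never holds the private network's root key.
PUBLIC_ROOT_KEY = hashlib.sha256(b"constructed public-network root key").digest()
PRIVATE_ROOT_KEY = hashlib.sha256(b"constructed private-network root key").digest()
PRIVATE_TAG = b"PRIVATE:"  # stands in for the "first information" (assumption)


@dataclass
class NasMessage:
    """The first message: NAS-protected payload plus its integrity tag."""
    payload: bytes
    mac: bytes


class PublicMobilityManagement:
    """Public-network mobility management NE; owns the NAS key (public root)."""

    def __init__(self, root_key: bytes) -> None:
        self.nas_key = kdf(root_key, "NAS")

    def second_message(self) -> dict:
        # Second information (permission to use the NAS key) plus the key itself.
        return {"permission": True, "nas_key": self.nas_key}


class Terminal:
    def __init__(self, public_root: bytes, private_root: bytes) -> None:
        self.nas_key = kdf(public_root, "NAS")        # control-plane side
        self.private_key = kdf(private_root, "PRIV")  # derived from private root

    def first_message(self, request: bytes) -> NasMessage:
        payload = PRIVATE_TAG + request
        mac = hmac.new(self.nas_key, payload, hashlib.sha256).digest()
        return NasMessage(payload, mac)

    def user_plane_key(self, security_parameter: bytes) -> bytes:
        return kdf(self.private_key, "UP", security_parameter)


class PrivateControlPlane:
    def __init__(self, private_root: bytes) -> None:
        self.private_key = kdf(private_root, "PRIV")  # step S101
        self.nas_key = None

    def receive_second_message(self, msg: dict) -> None:
        if not msg.get("permission"):
            raise PermissionError("NAS key offered without permission indication")
        self.nas_key = msg["nas_key"]

    def parse_first_message(self, msg: NasMessage) -> bytes:  # step S102
        expected = hmac.new(self.nas_key, msg.payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg.mac):
            raise ValueError("NAS integrity check failed")
        return msg.payload

    @staticmethod
    def corresponds_to_private_network(payload: bytes) -> bool:  # step S103
        return payload.startswith(PRIVATE_TAG)

    def establish_user_plane_security(self, security_parameter=None):  # S104
        param = os.urandom(16) if security_parameter is None else security_parameter
        # The security parameter is sent to the UE and the RAN; the RAN gets the
        # resulting user-plane key, the UE re-derives it from its own private key.
        return param, kdf(self.private_key, "UP", param)


def run_session_setup(security_parameter: bytes = bytes(16)) -> dict:
    amf = PublicMobilityManagement(PUBLIC_ROOT_KEY)
    ue = Terminal(PUBLIC_ROOT_KEY, PRIVATE_ROOT_KEY)
    cp = PrivateControlPlane(PRIVATE_ROOT_KEY)
    cp.receive_second_message(amf.second_message())
    payload = cp.parse_first_message(ue.first_message(b"PDU session establishment request"))
    if not cp.corresponds_to_private_network(payload):
        raise ValueError("request does not correspond to the private network")
    param, ran_up_key = cp.establish_user_plane_security(security_parameter)
    return {
        "ran_up_key": ran_up_key,
        "ue_up_key": ue.user_plane_key(param),
        # Best the public side can do with the same parameter and its own root key.
        "public_side_guess": kdf(kdf(PUBLIC_ROOT_KEY, "PRIV"), "UP", param),
    }


if __name__ == "__main__":
    result = run_session_setup()
    print("UE and RAN agree on UP key:", result["ue_up_key"] == result["ran_up_key"])
    print("Public root reproduces UP key:", result["public_side_guess"] == result["ue_up_key"])
```

The separation holds because the only thing the private control plane receives from the public side is the NAS key (with the permission indication), which lets it read the request but contributes nothing to user plane key derivation; conversely, the public mobility management network element never sees the private network key, so control plane security and user plane security are rooted in different secrets.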
Optionally, the chip further includes a memory 1103, and the memory 1103 is used to store the program instructions and data necessary for the terminal device.
An embodiment of the present application further provides a communication system. Specifically, the communication system includes a control plane network element of a private network, a mobility management network element of a public network, and an access network device. Exemplarily, the communication system includes the control plane network element of the private network, the mobility management network element of the public network, and the access network device for implementing the related functions of FIG. 4 to FIG. 8 above.
The control plane network element of the private network is used to implement the functions of the control plane network element of the private network in FIG. 4 to FIG. 8 above. The mobility management network element of the public network is used to implement the functions of the mobility management network element of the public network in FIG. 4 to FIG. 8 above. The access network device is used to implement the functions of the access network device in FIG. 4 to FIG. 8 above. For details, refer to the related descriptions in the foregoing method embodiments; they are not repeated here.
An embodiment of the present application further provides a computer-readable storage medium including instructions which, when run on a computer, cause the computer to perform the method performed by the control plane network element of the private network, the mobility management network element of the public network, the access network device, or the terminal device in FIG. 4 to FIG. 8.
An embodiment of the present application further provides a computer program product including instructions which, when run on a computer, cause the computer to perform the method performed by the control plane network element of the private network, the mobility management network element of the public network, the access network device, or the terminal device in FIG. 4 to FIG. 8.
An embodiment of the present application provides a chip system. The chip system includes a processor and may further include a memory, for implementing the functions of the control plane network element of the private network, the mobility management network element of the public network, the access network device, or the terminal device in the foregoing methods. The chip system may consist of a chip, or may include a chip and other discrete devices.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a digital video disc (DVD)), or a semiconductor medium (for example, a solid state disk (SSD)), and so on.
Those of ordinary skill in the art can understand that the various numbers such as "first" and "second" in the present application are used only to distinguish for convenience of description, and are not intended to limit the scope or the order of the embodiments of the present application.
The correspondences shown in the tables in the present application may be configured or may be predefined. The values of the information in each table are only examples and may be configured as other values, which is not limited in the present application. When configuring the correspondence between the information and the parameters, it is not necessarily required that all the correspondences shown in the tables be configured. For example, the correspondences shown in some rows of the tables in the present application may not be configured. For another example, appropriate modifications may be made on the basis of the above tables, such as splitting or merging. The names of the parameters shown in the headings of the above tables may also be other names understandable by the communication device, and the values or representations of the parameters may also be other values or representations understandable by the communication device. When the above tables are implemented, other data structures may also be used, for example arrays, queues, containers, stacks, linear lists, pointers, linked lists, trees, graphs, structures, classes, heaps, or hash tables.
Predefinition in the present application may be understood as definition, predefinition, storage, pre-storage, pre-negotiation, pre-configuration, solidification, or pre-burning.
Those of ordinary skill in the art can appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as going beyond the scope of the present application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the system, device and units described above may refer to the corresponding process in the foregoing method embodiments, and is not repeated here.
The above is only a specific implementation of the present application, but the scope of protection of the present application is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be subject to the scope of protection of the claims.

Claims (34)

  1. A method for isolating public and private network services, characterized in that the method comprises:
    a control plane network element of a private network obtains a key of the private network, wherein the key of the private network is a root key of the private network or a key derived from the root key of the private network, the root key of the private network is different from a root key of a public network, the key of the private network is used for user plane security of an air interface, and the root key of the public network is used for control plane security of the air interface;
    the control plane network element of the private network receives a first message from a terminal device, wherein the first message comprises a session establishment request;
    the control plane network element of the private network determines that the session establishment request corresponds to the private network;
    the control plane network element of the private network establishes the user plane security of the air interface according to the key of the private network.
  2. The method according to claim 1, characterized in that the method further comprises:
    the control plane network element of the private network receives a non-access stratum (NAS) key of the public network from a mobility management network element of the public network;
    the control plane network element of the private network parses the first message using the NAS key of the public network to obtain the session establishment request.
  3. The method according to claim 2, characterized in that the control plane network element of the private network receiving the non-access stratum (NAS) key of the public network from the mobility management network element of the public network comprises:
    the control plane network element of the private network receives a second message from the mobility management network element of the public network, wherein the second message comprises second information and the NAS key of the public network, and the second information is used to indicate that the control plane network element of the private network is granted permission to use the NAS key of the public network.
  4. The method according to any one of claims 1 to 3, characterized in that the first message comprises first information, the first information is used to indicate that the session establishment request corresponds to the private network, and the control plane network element of the private network determining that the session establishment request corresponds to the private network comprises:
    the control plane network element of the private network determines, according to the first information, that the session establishment request corresponds to the private network.
  5. The method according to any one of claims 1 to 3, characterized in that the control plane network element of the private network receiving the first message from the terminal device comprises:
    the control plane network element of the private network receives the first message from the terminal device through a first connection between the private network and the terminal device;
    and the control plane network element of the private network determining that the session establishment request corresponds to the private network comprises:
    the control plane network element of the private network determines, according to the first connection, that the session establishment request corresponds to the private network.
  6. The method according to claim 5, characterized in that the method further comprises:
    the control plane network element of the private network receives a first connection establishment request from the terminal device, wherein the first connection establishment request is used to request establishment of the first connection;
    the control plane network element of the private network establishes the first connection according to the first connection establishment request;
    the control plane network element of the private network receives a second connection establishment request from the terminal device, wherein the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device;
    the control plane network element of the private network sends the second connection establishment request to the mobility management network element of the public network.
  7. The method according to any one of claims 1 to 6, characterized in that the control plane network element of the private network establishing the user plane security of the air interface according to the key of the private network comprises:
    the control plane network element of the private network generates a security parameter according to the key of the private network;
    the control plane network element of the private network sends the security parameter to the terminal device and/or an access network device, wherein the security parameter is used by the terminal device and/or the access network device to generate a user plane key of the air interface.
  8. The method according to any one of claims 1 to 7, characterized in that the control plane network element of the private network stores the key of the private network;
    or, the control plane network element of the private network obtaining the key of the private network comprises:
    the control plane network element of the private network obtains the key of the private network from an authentication, authorization and accounting (AAA) server.
  9. A method for isolating public and private network services, characterized in that the method comprises:
    a terminal device sends a first message to a control plane network element of a private network, wherein the first message comprises a session establishment request corresponding to the private network;
    the terminal device establishes user plane security of an air interface according to a key of the private network, wherein a root key of the private network is different from a root key of a public network, the key of the private network is the root key of the private network or a key derived from the root key of the private network, the key of the private network is used for the user plane security of the air interface, and the root key of the public network is used for control plane security of the air interface.
  10. The method according to claim 9, characterized in that the method further comprises:
    the terminal device sends a first connection establishment request to the control plane network element of the private network, wherein the first connection establishment request is used to request establishment of a first connection between the private network and the terminal device, and the first connection is used to transmit the first message; wherein a second connection exists between the terminal device and the public network, and the second connection is used to transmit signaling of the public network.
  11. The method according to claim 9 or 10, characterized in that the method further comprises:
    the terminal device sends a second connection establishment request to a mobility management network element of the public network, wherein the second connection establishment request is used to request establishment of a second connection between the public network and the terminal device;
    the terminal device generates a control plane key of the air interface according to the root key of the public network.
  12. The method according to any one of claims 9 to 11, characterized in that the method further comprises: the terminal device receives a security parameter from the control plane network element of the private network;
    and the terminal device establishing the user plane security of the air interface according to the key of the private network comprises:
    the terminal device generates a user plane key of the air interface according to the security parameter and the key of the private network;
    the terminal device establishes the user plane security of the air interface according to the user plane key of the air interface.
  13. A method for isolating public and private network services, characterized in that the method comprises:
    an access network device receives a third message from a terminal device, wherein the third message comprises a first connection establishment request, and the first connection establishment request is used to request establishment of a first connection between a private network and the terminal device;
    the access network device discovers a control plane network element of the private network according to the third message, wherein the control plane network element of the private network is used to establish the first connection;
    the access network device sends the first connection establishment request to the control plane network element of the private network.
  14. The method according to claim 13, characterized in that the method further comprises:
    the access network device receives a fourth message from the terminal device, wherein the fourth message comprises a second connection establishment request, and the second connection establishment request is used to request establishment of a second connection between a public network and the terminal device;
    the access network device sends the second connection establishment request to a mobility management network element of the public network according to the fourth message.
  15. The method according to claim 13 or 14, characterized in that the third message comprises routing information of the control plane network element of the private network, and the routing information of the control plane network element of the private network is used to discover the control plane network element of the private network.
  16. A control plane network element of a private network, characterized in that the control plane network element of the private network comprises a processing unit and a transceiver unit, wherein:
    the processing unit is configured to obtain a key of the private network, the key of the private network being a root key of the private network or a key derived from the root key of the private network, the root key of the private network being different from a root key of a public network, the key of the private network being used for user plane security of an air interface, and the root key of the public network being used for control plane security of the air interface;
    the transceiver unit is configured to receive a first message from a terminal device, the first message comprising a session establishment request;
    the processing unit is further configured to determine that the session establishment request corresponds to the private network;
    the processing unit is further configured to establish the user plane security of the air interface according to the key of the private network.
  17. The control plane network element of the private network according to claim 16, characterized in that the transceiver unit is further configured to:
    receive a non-access stratum (NAS) key of the public network from a mobility management network element of the public network;
    parse the first message using the NAS key of the public network to obtain the session establishment request.
  18. The control plane network element of the private network according to claim 17, characterized in that the transceiver unit is specifically configured to:
    receive a second message from the mobility management network element of the public network, the second message comprising second information and the NAS key of the public network, the second information being used to indicate that the control plane network element of the private network is granted permission to use the NAS key of the public network.
  19. The control plane network element of the private network according to any one of claims 16 to 18, characterized in that the first message comprises first information, the first information being used to indicate that the session establishment request corresponds to the private network, and the processing unit is specifically configured to:
    determine, according to the first information, that the session establishment request corresponds to the private network.
  20. The control plane network element of the private network according to any one of claims 16 to 18, characterized in that the transceiver unit is specifically configured to:
    receive the first message from the terminal device over a first connection between the private network and the terminal device;
    and the processing unit is specifically configured to:
    determine, according to the first connection, that the session establishment request corresponds to the private network.
  21. The control plane network element of the private network according to claim 20, characterized in that the transceiver unit is further configured to receive a first connection establishment request from the terminal device, the first connection establishment request being used to request establishment of the first connection;
    the processing unit is further configured to establish the first connection according to the first connection establishment request;
    the transceiver unit is further configured to receive a second connection establishment request from the terminal device, the second connection establishment request being used to request establishment of a second connection between the public network and the terminal device;
    the transceiver unit is further configured to send the second connection establishment request to the mobility management network element of the public network.
  22. The control plane network element of the private network according to any one of claims 16 to 21, characterized in that the processing unit is specifically configured to:
    generate a security parameter according to the key of the private network;
    and the transceiver unit is further configured to:
    send the security parameter to the terminal device and/or an access network device, the security parameter being used by the terminal device and/or the access network device to generate a user plane key of the air interface.
  23. The control plane network element of the private network according to any one of claims 16 to 22, characterized in that the control plane network element of the private network stores the key of the private network;
    or, the processing unit is specifically configured to:
    obtain the key of the private network from an authentication, authorization and accounting (AAA) server.
  24. A terminal device, characterized in that the terminal device comprises a transceiver unit and a processing unit:
    the transceiver unit is configured to send a first message to a control plane network element of a private network, the first message comprising a session establishment request corresponding to the private network;
    the processing unit is configured to establish user plane security of an air interface according to a key of the private network; wherein a root key of the private network is different from a root key of a public network, the key of the private network is the root key of the private network or a key derived from the root key of the private network, the key of the private network is used for the user plane security of the air interface, and the root key of the public network is used for control plane security of the air interface.
  25. The terminal device according to claim 24, characterized in that the transceiver unit is further configured to:
    send a first connection establishment request to the control plane network element of the private network, the first connection establishment request being used to request establishment of a first connection between the private network and the terminal device, the first connection being used to transmit the first message; wherein a second connection exists between the terminal device and the public network, the second connection being used to transmit signaling of the public network.
  26. The terminal device according to claim 24 or 25, characterized in that the transceiver unit is further configured to send a second connection establishment request to a mobility management network element of the public network, the second connection establishment request being used to request establishment of the second connection between the public network and the terminal device;
    the processing unit is further configured to generate a control plane key of the air interface according to the root key of the public network.
  27. The terminal device according to any one of claims 24 to 26, characterized in that the transceiver unit is further configured to receive a security parameter from the control plane network element of the private network;
    and the processing unit is specifically configured to:
    generate a user plane key of the air interface according to the security parameter and the key of the private network;
    establish the user plane security of the air interface according to the user plane key of the air interface.
  28. An access network device, characterized in that the access network device comprises a transceiver unit and a processing unit, wherein:
    the transceiver unit is configured to receive a third message from a terminal device, the third message comprising a first connection establishment request, the first connection establishment request being used to request establishment of a first connection between a private network and the terminal device;
    the processing unit is configured to discover, according to the third message, a control plane network element of the private network, the control plane network element of the private network being used to establish the first connection;
    the transceiver unit is further configured to send the first connection establishment request to the control plane network element of the private network.
  29. The access network device according to claim 28, characterized in that the transceiver unit is further configured to receive a fourth message from the terminal device, the fourth message comprising a second connection establishment request, the second connection establishment request being used to request establishment of a second connection between a public network and the terminal device;
    the transceiver unit is further configured to send, according to the fourth message, the second connection establishment request to a mobility management network element of the public network.
  30. The access network device according to claim 28 or 29, characterized in that the third message comprises routing information of the control plane network element of the private network, the routing information of the control plane network element of the private network being used to discover the control plane network element of the private network.
  31. A communication apparatus, characterized in that it comprises a processor and an interface circuit, the interface circuit being configured to receive signals from communication apparatuses other than the communication apparatus and pass them to the processor, or to send signals from the processor to communication apparatuses other than the communication apparatus, and the processor being configured, by means of logic circuits or by executing code instructions, to implement the method according to any one of claims 1 to 8, or the method according to any one of claims 9 to 12, or the method according to any one of claims 13 to 15.
  32. A computer-readable storage medium, characterized in that the computer-readable storage medium is configured to store instructions which, when executed, cause the method according to any one of claims 1 to 8, or the method according to any one of claims 9 to 12, or the method according to any one of claims 13 to 15 to be implemented.
  33. A computer program product, characterized in that the computer program product comprises a computer program or instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 8, or the method according to any one of claims 9 to 12, or the method according to any one of claims 13 to 15.
  34. A communication system, characterized in that the communication system comprises the control plane network element of the private network according to any one of claims 16 to 23, and the access network device according to any one of claims 28 to 30.
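As an added illustration of the key separation claimed in claims 16 to 27 (this is not the patent's own derivation, and the HKDF-style KDF, the labels, the toy NAS integrity wrapping and the "PRIVATE" first-information marker are all assumptions): the public-network root key yields only the air-interface control plane keys, the private-network control plane element parses the first message with the NAS key granted by the public mobility management element, and only the private-network key combined with the issued security parameter yields the user plane key.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes, ctx: bytes = b"") -> bytes:
    # Single-block HKDF-Expand (RFC 5869) over HMAC-SHA256; an assumed KDF,
    # not the derivation the patent specifies.
    return hmac.new(key, label + ctx + b"\x01", hashlib.sha256).digest()

def control_plane_keys(k_public_root: bytes) -> dict:
    # Public-network root key -> air-interface control plane keys (claims 16, 26).
    return {"nas": kdf(k_public_root, b"nas-protect"),
            "rrc": kdf(k_public_root, b"rrc-protect")}

def user_plane_key(k_private: bytes, security_param: bytes) -> bytes:
    # Private-network key + security parameter -> air-interface UP key (claims 22, 27).
    return kdf(k_private, b"up-protect", security_param)

def nas_wrap(nas_key: bytes, body: bytes) -> bytes:
    # Toy NAS integrity protection: HMAC tag || body (an assumption).
    return hmac.new(nas_key, body, hashlib.sha256).digest() + body

def nas_unwrap(nas_key: bytes, msg: bytes) -> bytes:
    tag, body = msg[:32], msg[32:]
    expected = hmac.new(nas_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("NAS integrity check failed")
    return body

def private_cp_handle(k_private: bytes, nas_key: bytes, first_message: bytes,
                      security_param: bytes = b""):
    # Private-network control plane NE: parse the first message with the NAS key
    # granted by the public mobility management element (claims 17, 18), check the
    # "first information" marks the session as private (claim 19), then issue a
    # security parameter and derive the UP key (claim 22).
    body = nas_unwrap(nas_key, first_message)
    first_info, request = body.split(b"|", 1)
    if first_info != b"PRIVATE":
        raise ValueError("session establishment request is not for the private network")
    sp = security_param or os.urandom(16)
    return sp, user_plane_key(k_private, sp), request

def run_session(k_public_root: bytes, k_private: bytes) -> dict:
    nas_key = control_plane_keys(k_public_root)["nas"]
    # Constructed first message: first information "PRIVATE" plus the session
    # establishment request, carried under public-network NAS protection.
    first_message = nas_wrap(nas_key, b"PRIVATE|SESSION-ESTABLISHMENT-REQUEST")
    sp, k_up_net, _ = private_cp_handle(k_private, nas_key, first_message)
    k_up_ue = user_plane_key(k_private, sp)               # terminal side (claim 27)
    k_up_from_public = user_plane_key(k_public_root, sp)  # public root key alone
    return {"ue_matches_private_cp": k_up_ue == k_up_net,
            "public_root_derives_up_key": k_up_from_public == k_up_net}
```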
PCT/CN2022/095079 2021-05-31 2022-05-25 Isolation method, apparatus and system for public and private network services WO2022253083A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110605645.8 2021-05-31
CN202110605645.8A CN115484595A (en) 2021-05-31 2021-05-31 Method, device and system for isolating public and private network services

Publications (1)

Publication Number Publication Date
WO2022253083A1 true WO2022253083A1 (en) 2022-12-08

Family

ID=84322783

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/095079 WO2022253083A1 (en) 2021-05-31 2022-05-25 Isolation method, apparatus and system for public and private network services

Country Status (2)

Country Link
CN (1) CN115484595A (en)
WO (1) WO2022253083A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116260582B (en) * 2023-05-16 2023-08-15 中汽智联技术有限公司 Identity authentication and encryption communication method for network-connected vehicle
CN117478431B (en) * 2023-12-27 2024-03-22 深圳市智联物联科技有限公司 Industrial Internet of things control method based on trusted network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107079023A (en) * 2014-10-29 2017-08-18 高通股份有限公司 User plane safety for next generation cellular network
US20200021993A1 (en) * 2018-07-10 2020-01-16 Apple Inc. Identity-based message integrity protection and verification for wireless communication
CN110972218A (en) * 2018-09-30 2020-04-07 华为技术有限公司 Communication method and device

Also Published As

Publication number Publication date
CN115484595A (en) 2022-12-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22815129

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE