WO2023016160A1 - Session establishment method and associated apparatus - Google Patents

Session establishment method and associated apparatus

Info

Publication number
WO2023016160A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
akma
session establishment
layer
network element
Prior art date
Application number
PCT/CN2022/104840
Other languages
English (en)
Chinese (zh)
Inventor
吴义壮
吴�荣
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2023016160A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/0433 Key management protocols

Definitions

  • the embodiments of the present application relate to the field of communication technologies, and in particular, to a method for establishing a session and a related device.
  • 3GPP defines the authentication and key management for applications (AKMA) architecture and procedures, which are based on the subscription credentials.
  • the UE initiates an AKMA application session establishment request according to the AKMA initiation message or configuration sent by the AF, so that the AF initiates the process of obtaining an application key from the network.
  • if the application session establishment initiated by the UE fails, the UE may re-initiate a new application session establishment request; each new establishment procedure causes additional signaling overhead.
  • the embodiment of the present application provides a session establishment method and a related device; the method avoids repeated session establishment failures and so prevents the additional signaling overhead they cause.
  • the first aspect of the embodiment of the present application provides a method for establishing a session, including: a user equipment UE sends a first session establishment request to an application function AF network element, the first session establishment request carrying a first key identifier that identifies the UE's authentication and key management for applications AKMA anchor key Kakma; the UE receives, from the AF network element, a first session establishment response to the first session establishment request; when the first session establishment response indicates that the first session establishment failed, the UE obtains a second key identifier, which can specifically be understood as the upper layer of the UE obtaining the second key identifier from the lower layer; when the first key identifier differs from the second key identifier, the UE sends a second session establishment request to the AF network element to request establishment of a second session with the AF, the second session establishment request carrying the second key identifier.
  • the failure to establish the first session may be caused by the contexts of the UE and the network being out of sync, that is, the application authentication and key management anchor function holds no Kakma corresponding to the first key identifier but may hold a Kakma corresponding to the second key identifier. Therefore, when the first key identifier differs from the second key identifier, the UE sends a second session establishment request carrying the second key identifier to the AF network element and may successfully establish the second session with the AF. This avoids the case where the second session establishment request carries a second key identifier identical to the first key identifier, which would cause the second session establishment to fail again and incur additional signaling overhead.
  • the method further includes: the UE stores the first key identifier in the context of a first layer, the first layer being the application layer; correspondingly, the UE obtains the first key identifier from the context of the first layer; since the context of the first layer is usually kept in the storage space of the first layer, it can also be said that the UE stores the first key identifier in the storage space of the first layer and, correspondingly, obtains it from that storage space; the first key identifier is used to establish the first session, so it can also be considered that the UE stores the first key identifier in the context of the first session, where the context of the first session may be a part of the context of the first layer; correspondingly, the UE may obtain the first key identifier from the context of the first session; the operation of storing the first key identifier is generally performed by the UE before sending the first session establishment request.
  • the UE stores the first key identifier in the context of the first layer so that, when the first session establishment fails, it can obtain the first key identifier and compare it with the second key identifier to determine whether they differ.
  • obtaining the second key identifier by the UE includes: the UE obtains the second key identifier from the context of the second layer.
  • the second layer is the lower layer of the application layer.
  • the second layer may be a non-access stratum (NAS) layer; specifically, the UE obtaining the second key identifier from the context of the second layer can also be understood as the UE obtaining the second key identifier from the storage space of the second layer.
  • the UE obtains the second key identifier from the context of the second layer so that the first key identifier and the second key identifier can be compared, and the second session establishment request is sent if they differ.
  • the method further includes: the first session establishment response carries the first key identifier, and accordingly, the UE can acquire the first key identifier from the first session establishment response.
  • the first session establishment response carries the first key identifier, so that the UE can obtain the first key identifier from the first session establishment response without pre-storing the first key identifier, saving the operation of storage, and saving storage space.
  • the method further includes: when the first key identifier is the same as the second key identifier, the UE stops establishing the session with the AF network element.
  • the establishment of the first session may fail because the application authentication and key management anchor function holds no Kakma corresponding to the first key identifier; therefore, when the first key identifier and the second key identifier are the same, the UE stops session establishment with the AF network element, which prevents the session establishment from failing again and causing additional signaling overhead.
  • the UE stopping session establishment with the AF network element can be understood as the UE no longer initiating the AKMA service procedure to establish a session with the AF.
  • the method further includes: when the first key identifier is the same as the second key identifier, the UE sends a third session establishment request to the AF network element, the third session establishment request indicating that the authentication and key management for applications AKMA service is not supported, which can specifically be understood as indicating that the UE does not support the AKMA service; it should be noted that the third session establishment request can indicate this in various ways: for example, the third session establishment request carries indication information indicating that the UE does not support the AKMA service, where the indication information may be one or more binary bits (such as 01) in the message header; for another example, the third session establishment request does not carry the indication information indicating that the AKMA service is supported, where that indication information may also be one or more binary bits (for example, 00) in the message header.
  • the reason for the failure of the first session establishment may be that the UE has not subscribed to the AKMA service, that is, the UE does not support the AKMA service.
  • the UE can establish a session with the AF in other ways; therefore, the third session establishment request indicates that the UE does not support the AKMA service, so that the AF establishes the session with the UE in another way, avoiding a further session establishment failure caused by continuing to establish the session through the AKMA service.
  • the method further includes: the first layer of the UE acquires the AKMA anchor key and the first key identifier from the second layer of the UE, the first layer being the application layer and the second layer being the lower layer of the application layer; the first layer of the UE derives the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • since the first layer of the UE obtains the AKMA anchor key from the second layer of the UE, the first layer of the UE can itself choose when to derive the AKMA application key.
  • the method further includes: the first layer of the UE obtains the AKMA application key and the first key identifier from the second layer of the UE, the first layer being the application layer and the second layer being the lower layer of the application layer.
  • the AKMA application key is obtained from the second layer of the UE, so the first layer of the UE does not need to obtain the AKMA anchor key from the second layer of the UE; this prevents a malicious program from obtaining the AKMA anchor key during the acquisition and deriving the keys of other applications from it.
  • the method further includes: the first layer of the UE sends a first information request to the second layer of the UE, the first information request being used to obtain the AKMA anchor key and the first key identifier, the first layer being the application layer; in response to the first information request, the second layer of the UE sends the AKMA anchor key and the first key identifier to the first layer of the UE, the second layer being the lower layer of the application layer; the first layer of the UE derives the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • the AKMA anchor key and the first key identifier can be obtained through a single information request, which reduces signaling overhead.
  • the method further includes: the first layer of the UE sends a second information request to the second layer of the UE, the second information request being used to obtain the AKMA application key and the first key identifier and carrying the identifier of the AF network element, the first layer being the application layer; in response to the second information request, the second layer of the UE derives the AKMA application key according to the identifier of the AF network element and the AKMA anchor key, and the second layer of the UE sends the AKMA application key and the first key identifier to the first layer of the UE.
  • the AKMA application key and the first key identifier can be obtained through a single information request, which reduces signaling overhead; and, since the AKMA application key is derived by the second layer of the UE, the second layer of the UE does not need to send the AKMA anchor key to the first layer of the UE, which prevents a malicious program from obtaining the AKMA anchor key and deriving the keys of other applications from it.
  • the method further includes: the first layer of the UE sends a third information request to the second layer of the UE, the third information request being used to obtain the first key identifier, the first layer being the application layer; the second layer of the UE sends the first key identifier to the first layer of the UE, the second layer being the lower layer of the application layer; the first layer of the UE sends a fourth information request to the second layer of the UE, the fourth information request being used to obtain the AKMA anchor key; the second layer of the UE sends the AKMA anchor key to the first layer of the UE; the first layer of the UE derives the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • the AKMA anchor key is used to derive the AKMA application key, and the AKMA application key is used for data transmission after the session is successfully established, so if the session establishment fails the AKMA application key is not needed and it is unnecessary to obtain the AKMA anchor key; in this embodiment, since the AKMA anchor key and the first key identifier are obtained separately through two information requests, the operation of obtaining the AKMA anchor key can be performed once the first session has been successfully established, and if the first session fails to be established the operation is not performed, thereby avoiding the situation where the first session fails to be established but the AKMA anchor key has already been obtained.
  • the method further includes: the first layer of the UE sends a fifth information request to the second layer of the UE, the fifth information request being used to obtain the first key identifier, the first layer being the application layer; the second layer of the UE sends the first key identifier to the first layer of the UE, the second layer being the lower layer of the application layer; the first layer of the UE sends a sixth information request to the second layer of the UE, the sixth information request carrying the identifier of the AF network element and being used to obtain the AKMA application key; the second layer of the UE derives the AKMA application key according to the identifier of the AF network element and the AKMA anchor key; the second layer of the UE sends the AKMA application key and the first key identifier to the first layer of the UE.
  • since sending a session establishment request only requires the key identifier, and the AKMA application key is used for data transmission after the session is successfully established, it is unnecessary to obtain the AKMA application key if the session establishment fails; in this embodiment, since the AKMA application key and the first key identifier are obtained separately through two information requests, the operation of obtaining the AKMA application key can be performed once the first session has been successfully established, and if the first session fails to be established the operation is not performed, thereby avoiding the situation where the first session fails to be established but the AKMA application key has already been obtained.
  • the AKMA application key is derived by the second layer of the UE, so the second layer of the UE does not need to send the AKMA anchor key to the first layer of the UE, which prevents a malicious program from obtaining the AKMA anchor key and deriving the key information of other applications from it.
  • the second aspect of the embodiment of the present application provides a method for establishing a session, including: an application function AF network element receives a first session establishment request from a user equipment UE, the first session establishment request carrying a first key identifier; when the network side has no AKMA anchor key corresponding to the first key identifier, the AF network element sends a first session establishment response to the UE, the first session establishment response indicating that the first session establishment failed and carrying the first key identifier.
  • the first session establishment response carries the first key identifier, so that the UE can obtain the first key identifier from the first session establishment response without pre-storing the first key identifier, saving the operation of storage, and saving storage space.
  • the method further includes: the AF network element sends an application key acquisition request to the application authentication and key management anchor function (AAnF) network element, the application key acquisition request carrying the first key identifier; the AF network element receives an application key acquisition response sent by the AAnF network element, the application key acquisition response indicating that the key acquisition failed.
  • the AF network element can search locally for a context associated with the first key identifier; if there is no such context, it can be determined that the first session cannot be established;
  • this implementation provides another way for the AF to determine that the first session cannot be established, namely requesting the key corresponding to the first key identifier from the AAnF network element: if the key acquisition fails, it is determined that the first session cannot be established. This applies especially to the scenario where the AF has no context associated with the first key identifier.
  • the method further includes: carrying the first key identifier in the application key acquisition response.
  • the first key identifier is carried in the application key acquisition response, so that the AF network element carries the first key identifier in the first session establishment response corresponding to the first session establishment request; in this way, the UE can compare the first key identifier it obtains with the second key identifier and judge whether to initiate session establishment with the AF network element again.
  • the AF network element receives the second session establishment request from the user equipment UE, and the second session establishment request carries the second key identifier.
  • the third aspect of the embodiment of the present application provides a method for establishing a session, including: a unified data management UDM network element determines, according to the authentication and key management for applications AKMA subscription information of the user equipment UE, that the UE supports the AKMA service, where the subscription information may be stored in the UDM network element before the primary authentication procedure or after it; the UDM network element sends a first data transmission message to an access and mobility management function AMF network element, the first data transmission message including first indication information, the first indication information indicating that the UE supports the AKMA service and being used to determine that the session between the UE and the application function AF network element is established through the AKMA service.
  • that the UE supports the AKMA service can be understood as the UE supporting the use of the AKMA service, the UE being authorized to use the AKMA service, or the UE having subscribed to the AKMA service.
  • the UDM network element sends the first indication information to the AMF network element, so that the AMF network element transmits the first indication information to the UE and the UE can perceive whether it supports the AKMA service; this avoids the UE being unable to perceive whether it supports the AKMA service and initiating a session establishment request when the AKMA service is not supported, which would cause additional signaling overhead.
  • the method further includes: the UDM network element obtains first verification data from the AUSF network element, and the first verification data is used to verify the integrity of the first indication information.
  • the UDM network element can send a request message to the AUSF network element instructing the AUSF network element to calculate the first verification data, and receive the first verification data returned by the AUSF network element; the first data transmission message also carries the first verification data, so that the AMF network element can send the first verification data to the UE.
  • the UDM network element obtains the first verification data from the AUSF network element, and sends the first verification data to the AMF network element, so that the UE can verify the integrity of the first indication information according to the first verification data.
  • the method further includes: the UDM network element acquires second verification data from the authentication server function AUSF network element, the second verification data being used to determine that the UE has successfully received the first indication information, where the acquisition process is similar to that of the first verification data and can be understood by reference to it; the UDM network element receives third verification data from the AMF network element, the third verification data being generated by the UE and used to determine that the UE has successfully received the first indication information; when the second verification data is consistent with the third verification data, the UDM network element determines that the UE has successfully received the first indication information.
  • the UDM network element obtains the second verification data from the authentication server function AUSF network element and receives the third verification data from the AMF network element; if the second verification data is consistent with the third verification data, it can be determined that the UE has successfully received the first indication information.
  • the fourth aspect of the embodiment of the present application provides a method for establishing a session, including: an access and mobility management function AMF network element receives a first data transmission message from a unified data management UDM network element, the first data transmission message including first indication information, the first indication information indicating that the UE supports the AKMA service and being used to determine that the session between the UE and the application function AF network element is established through the AKMA service; the AMF network element sends a second data transmission message to the UE, the second data transmission message carrying the first indication information.
  • the AMF network element receives the first indication information and transmits it to the UE, so that the UE can perceive whether it supports the AKMA service; this avoids the problem of the UE being unable to perceive whether it supports the AKMA service and initiating a session establishment request when the AKMA service is not supported, which would cause additional signaling overhead.
  • the first data transmission message also carries first verification data, and the first verification data is used to verify the integrity of the first indication information; the second data transmission message also carries the first verification data.
  • the AMF network element receives the first verification data, and delivers the first verification data to the UE, so that the UE can verify the integrity of the first indication information according to the first verification data.
  • the method further includes: the AMF network element receives third verification data from the UE, the third verification data being used to determine that the UE has successfully received the first indication information; the AMF network element sends the third verification data to the UDM network element.
  • the AMF network element receives the third verification data, and delivers the third verification data to the UDM network element, so that the UDM network element can determine according to the third verification data that the UE has successfully received the first indication information.
  • the fifth aspect of the embodiment of the present application provides a method for establishing a session, including: the user equipment UE receives a second data transmission message from the access and mobility management function AMF network element, the second data transmission message carrying first indication information; when the first indication information indicates that the UE supports the AKMA service, the UE derives a first key identifier, the first key identifier being used to establish a session between the UE and the application function AF network element.
  • when the first indication information indicates that the UE supports the AKMA service, the UE derives the first key identifier so that it can send the first session establishment request carrying the first key identifier; if the first indication information indicates that the UE does not support the AKMA service, or the UE does not receive first indication information indicating that it supports the AKMA service, the UE does not perform the derivation; correspondingly, the UE does not obtain the first key identifier and therefore cannot send a first session establishment request carrying the first key identifier, which avoids multiple session establishment failures caused by the UE not supporting the AKMA service.
  • the UE includes a universal subscriber identity module USIM and a mobile equipment ME, where the mobile equipment ME can be understood as the terminal device without the USIM; when the first indication information indicates that the UE supports the AKMA service, the UE deriving the first key identifier includes: when the first indication information indicates that the UE supports the AKMA service, the USIM sends a target instruction to the ME, the target instruction including AKMA key material, where the target instruction can directly instruct the ME to derive the first key identifier, or can instruct the ME to derive the first key identifier by carrying the first indication information; the AKMA key material can be understood as the parameters required for deriving the first key identifier and the AKMA anchor key, for example, the AKMA key material may include the SUPI; in response to the target instruction, the ME derives the first key identifier according to the AKMA key material.
  • when the first indication information indicates that the UE supports the AKMA service, the USIM sends the target instruction to the ME to instruct the ME to derive the first key identifier; otherwise, the USIM does not send the target instruction to the ME, so the ME does not derive the first key identifier; correspondingly, the UE does not obtain the first key identifier and cannot send the first session establishment request carrying it, which avoids multiple session establishment failures caused by the UE not supporting the AKMA service.
  • the UE includes a universal subscriber identity module USIM and a mobile equipment ME; when the first indication information indicates that the UE supports the AKMA service, the UE deriving the first key identifier includes: the ME sends a seventh information request to the USIM, the seventh information request being used to request the AKMA key material, where the AKMA key material can be understood as the parameters required for deriving the first key identifier and the AKMA anchor key, for example, the AKMA key material may include the SUPI; when the first indication information indicates that the UE supports the AKMA service, in response to the seventh information request, the USIM sends the AKMA key material to the ME; the ME derives the first key identifier according to the AKMA key material.
  • if the UE supports the AKMA service, the USIM sends the AKMA key material to the ME upon receiving the seventh information request, so that the ME derives the first key identifier; otherwise, if the UE does not support the AKMA service, the USIM does not send the AKMA key material to the ME even if the seventh information request is received, so the ME does not derive the first key identifier from the AKMA key material; correspondingly, the UE does not obtain the first key identifier and cannot send the first session establishment request carrying it, which avoids multiple session establishment failures caused by the UE not supporting the AKMA service.
  • the second data transmission message also carries first verification data, the first verification data being used to verify the integrity of the first indication information; the method further includes: the UE generates fourth verification data for verifying the integrity of the first indication information; if the first verification data is consistent with the fourth verification data, the UE determines that the first indication information is intact.
  • the UE generates fourth verification data for verifying the integrity of the first indication information and compares the first verification data with the fourth verification data, so that when the two are consistent the integrity of the first indication information is confirmed.
  • the method further includes: the UE generates third verification data, and the third verification data is used to determine that the UE has successfully received the first indication information; and the UE sends the third verification data to the AMF network element.
  • the UE sends the third verification data to the AMF network element, so that the AMF network element passes the third verification data to the UDM network element, so that the UDM network element can determine that the UE has successfully received the first indication information according to the third verification data.
  • the sixth aspect of the embodiment of the present application provides a user equipment, including: a transceiver unit configured to send a first session establishment request to an application function AF network element, the first session establishment request carrying a first key identifier, and to receive a first session establishment response to the first session establishment request from the AF network element; a processing unit configured to obtain a second key identifier when the first session establishment response indicates that the first session establishment failed; the transceiver unit being further configured to send a second session establishment request to the AF network element when the first key identifier differs from the second key identifier, the second session establishment request carrying the second key identifier.
  • the processing unit is further configured to store the first key identifier in the context of the first layer, where the first layer is an application layer; and obtain the first key identifier from the context of the first layer.
  • the processing unit is further configured to obtain the second key identifier from the context of the second layer, which is a lower layer of the application layer.
  • the first session establishment response carries the first key identifier.
  • the processing unit is further configured to stop establishment of the session with the AF network element when the first key identifier is the same as the second key identifier.
  • the transceiver unit is further configured to send a third session establishment request to the AF network element under the condition that the first key identifier is the same as the second key identifier, and the third session establishment request indicates that it does not support AKMA service.
  • the processing unit includes a first subunit and a second subunit, the first subunit belongs to the first layer, and the first layer is the application layer; the second subunit belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit is used to obtain the AKMA anchor key and the first key identifier from the second subunit; the first subunit deduces the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • the processing unit includes a first subunit and a second subunit, the first subunit belongs to the first layer, and the first layer is the application layer; the second subunit belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit is used to obtain the AKMA application key and the first key identifier from the second subunit.
  • the processing unit includes a first subunit and a second subunit, the first subunit belongs to the first layer, and the first layer is the application layer; the second subunit belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit is used to send a first information request to the second subunit; the second subunit is used to send the AKMA anchor key and the first key identifier to the first subunit in response to the first information request; the first subunit is used to derive the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • the processing unit includes a first subunit and a second subunit, the first subunit belongs to the first layer, and the first layer is the application layer; the second subunit belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit is used to send a second information request to the second subunit, and the second information request carries the identifier of the AF network element; the second subunit is used to derive the AKMA application key according to the identifier of the AF network element and the AKMA anchor key in response to the second information request; the second subunit is used to send the AKMA application key and the first key identifier to the first subunit.
  • the processing unit includes a first subunit and a second subunit, the first subunit belongs to the first layer, and the first layer is the application layer; the second subunit belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit is used to send a third information request to the second subunit; the second subunit is used to send the first key identifier to the first subunit in response to the third information request; the first subunit is used to send a fourth information request to the second subunit; the second subunit is used to send the AKMA anchor key to the first subunit in response to the fourth information request; the first subunit is used to derive the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • the processing unit includes a first subunit and a second subunit, the first subunit belongs to the first layer, and the first layer is the application layer; the second subunit belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit is used to send a fifth information request to the second subunit; the second subunit is used to send the first key identifier to the first subunit in response to the fifth information request; the first subunit is used to send a sixth information request to the second subunit, and the sixth information request carries the identifier of the AF network element; the second subunit is used to derive the AKMA application key according to the identifier of the AF network element and the AKMA anchor key in response to the sixth information request; the second subunit is used to send the AKMA application key and the first key identifier to the first subunit.
  • the seventh aspect of the embodiment of the present application provides a communication device, including: a transceiver unit, configured to receive a first session establishment request from a user equipment UE, where the first session establishment request carries a first key identifier; the transceiver unit is configured to send a first session establishment response to the UE if there is no AKMA anchor key corresponding to the first key identifier on the network side, where the first session establishment response indicates that the first session establishment failed and carries the first key identifier; the transceiver unit is also used to receive a second session establishment request from the UE, where the second session establishment request carries a second key identifier.
  • the transceiver unit is also used to send an application key acquisition request to the AKMA anchor function network element, where the application key acquisition request carries the first key identifier, and to receive the application key acquisition response sent by the AKMA anchor function network element, where the application key acquisition response indicates that the key acquisition failed.
  • the application key acquisition response carries the first key identifier.
  • the transceiver unit is further configured to receive a second session establishment request from the UE, where the second session establishment request carries the second key identifier.
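  • The sixth and seventh aspects above describe the retry rule as a pair of endpoints. The following is an added simulation of that exchange (example code, not part of the patent): the AF fails a request whose A-KID has no anchor key and echoes the identifier back, and the UE's application layer compares the echoed identifier with the one held by its lower layer before deciding to retry, stop, or declare that it will not use AKMA. The HMAC-based key derivation, the A-KID strings and the class names are assumptions.

```python
"""Added example (not the patent's own code): UE-side retry logic and AF-side lookup."""
import hashlib
import hmac
from dataclasses import dataclass, field


def derive_k_af(k_akma: bytes, af_id: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the AKMA application key derivation;
    # the page only says K_AF is derived from the AF identifier and the anchor key.
    return hmac.new(k_akma, af_id, hashlib.sha256).digest()


@dataclass
class LowerLayer:
    """Second layer (below the application layer): current AKMA anchor key and A-KID."""
    a_kid: str
    k_akma: bytes


@dataclass
class AAnF:
    """Network-side anchor function: anchor keys indexed by A-KID (constructed data)."""
    anchors: dict

    def lookup(self, a_kid: str):
        return self.anchors.get(a_kid)


@dataclass
class AF:
    af_id: bytes
    aanf: AAnF

    def handle(self, req: dict) -> dict:
        if not req.get("akma_supported", True):
            return {"status": "NO_AKMA"}
        k_akma = self.aanf.lookup(req["a_kid"])
        if k_akma is None:
            # No anchor key for this A-KID: fail and echo the key identifier to the UE.
            return {"status": "FAIL", "a_kid": req["a_kid"]}
        return {"status": "OK", "k_af": derive_k_af(k_akma, self.af_id)}


@dataclass
class UE:
    lower: LowerLayer
    app_ctx: dict = field(default_factory=dict)  # first layer (application layer) context

    def establish_session(self, af: AF) -> dict:
        # The application layer reuses the A-KID cached in its own context if it has one,
        # otherwise it fetches the current A-KID from the lower layer.
        first_kid = self.app_ctx.setdefault("a_kid", self.lower.a_kid)
        resp = af.handle({"a_kid": first_kid})
        if resp["status"] == "OK":
            return {"result": "established", "attempts": 1, "k_af": resp["k_af"]}
        # First attempt failed: take the key identifier from the response (it is also in
        # the application-layer context) and compare it with the lower layer's A-KID.
        first_kid = resp.get("a_kid", first_kid)
        second_kid = self.lower.a_kid
        if first_kid != second_kid:
            # The lower layer holds a newer A-KID (for example after a fresh
            # primary authentication): retry exactly once with it.
            resp = af.handle({"a_kid": second_kid})
            if resp["status"] == "OK":
                self.app_ctx["a_kid"] = second_kid
                return {"result": "established", "attempts": 2, "k_af": resp["k_af"]}
            return {"result": "failed", "attempts": 2}
        # Same identifier on both layers: the network really has no anchor key, so the UE
        # tells the AF it will not use AKMA (the text's other option is simply to stop).
        resp = af.handle({"akma_supported": False})
        return {"result": "no_akma", "attempts": 2, "af_status": resp["status"]}


def run_stale_kid_scenario() -> dict:
    """Constructed case: application layer cached an old A-KID, lower layer has a new one."""
    k_new = b"\x11" * 32
    af = AF(af_id=b"af.example.org", aanf=AAnF(anchors={"new-kid@example.org": k_new}))
    ue = UE(LowerLayer("new-kid@example.org", k_new),
            app_ctx={"a_kid": "old-kid@example.org"})
    result = ue.establish_session(af)
    result["k_af_matches"] = result.get("k_af") == derive_k_af(k_new, af.af_id)
    return result


def run_no_anchor_scenario() -> dict:
    """Constructed case: both layers agree on the A-KID, but the network has no anchor key."""
    af = AF(af_id=b"af.example.org", aanf=AAnF(anchors={}))
    ue = UE(LowerLayer("kid@example.org", b"\x22" * 32))
    return ue.establish_session(af)


if __name__ == "__main__":
    print(run_stale_kid_scenario())
    print(run_no_anchor_scenario())
```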
  • the eighth aspect of the embodiment of the present application provides a communication device, including: a processing unit, configured to determine, based on the AKMA subscription information of the user equipment UE, that the UE supports the AKMA service; a transceiver unit, configured to send a first data transmission message to an access and mobility management function AMF network element, where the first data transmission message includes first indication information, the first indication information indicates that the UE supports the AKMA service, and the first indication information is used to determine to establish a session between the UE and the application function AF network element through the AKMA service.
  • the transceiver unit is also used to obtain first verification data from the AUSF network element, and the first verification data is used to verify the integrity of the first indication information; correspondingly, the first data transmission message also carries the first verification data.
  • the transceiver unit is also used to obtain second verification data from the authentication server function AUSF network element, and the second verification data is used to determine that the UE has successfully received the first indication information; the transceiver unit is also used to receive third verification data from the AMF network element, where the third verification data is generated by the UE and is used to determine that the UE has successfully received the first indication information; the processing unit is also used to determine that the UE has successfully received the first indication information when the second verification data is consistent with the third verification data.
  • the ninth aspect of the embodiment of the present application provides a communication device, including: a transceiver unit, configured to receive a first data transmission message from a unified data management UDM network element, where the first data transmission message includes first indication information, the first indication information indicates that the UE supports the AKMA service, and the first indication information is used to determine to establish a session between the UE and the application function AF network element through the AKMA service; the transceiver unit is used to send a second data transmission message to the UE, where the second data transmission message carries the first indication information.
  • the first data transmission message also carries first verification data, and the first verification data is used to verify the integrity of the first indication information; the second data transmission message also carries the first verification data.
  • the transceiver unit is further configured to receive third verification data from the UE, where the third verification data is used to determine that the UE has successfully received the first indication information; and send the third verification data to the UDM network element.
  • the tenth aspect of the embodiment of the present application provides a user equipment, including: a first transceiver unit, configured to receive a second data transmission message from an access and mobility management function AMF network element, where the second data transmission message carries first indication information; a processing unit, configured to derive a first key identifier when the first indication information indicates that the UE supports the AKMA service, where the first key identifier is used to establish a session between the UE and the application function AF network element.
  • the UE includes a universal subscriber identity module USIM and a mobile equipment ME, the USIM includes a second transceiver unit, and the ME includes a third transceiver unit; when the first indication information indicates that the UE supports the AKMA service, the second transceiver unit is used to send a target instruction to the ME, where the target instruction includes AKMA key material; in response to the target instruction, the processing unit is used to derive the first key identifier according to the AKMA key material.
  • the UE includes a universal subscriber identity module USIM and a mobile equipment ME, the USIM includes a second transceiver unit, and the ME includes a third transceiver unit; the third transceiver unit is configured to send a seventh information request to the USIM, where the seventh information request is used to request the AKMA key material; in the case where the first indication information indicates that the UE supports the AKMA service, the second transceiver unit is used to send the AKMA key material to the ME in response to the seventh information request; the processing unit is used to derive the first key identifier according to the AKMA key material.
  • the second data transmission message also carries first verification data, and the first verification data is used to verify the integrity of the first indication information; the processing unit is also used to generate fourth verification data for verifying the integrity of the first indication information, and to determine that the first indication information is intact if the first verification data is consistent with the fourth verification data.
  • the processing unit is further configured to generate third verification data, where the third verification data is used to determine that the UE has successfully received the first indication information; the first transceiver unit is further configured to send the third verification data to the AMF network element.
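  • The eighth, ninth and tenth aspects together describe one protected delivery of the AKMA-support indication. The following is an added end-to-end simulation (example code, not part of the patent): the UDM obtains first and second verification data from the AUSF, the AMF forwards the indication, the UE recomputes fourth verification data to check integrity, derives its A-KID only if the check passes, and returns third verification data that the UDM compares with the second. The MAC construction (truncated HMAC-SHA256 under a constructed K_AUSF), the counter, the message field names and the simplified A-KID format are assumptions; the tampering AMF is a constructed fault to show the failure path.

```python
"""Added example (not the patent's own code): protected AKMA-support indication UDM -> AMF -> UE."""
import hashlib
import hmac


def mac16(key: bytes, *parts: bytes) -> bytes:
    # Assumption: truncated HMAC-SHA256 keyed with the key the UE shares with the AUSF
    # after primary authentication (a constructed K_AUSF in this example).
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()[:16]


class AUSF:
    def __init__(self, k_ausf: bytes):
        self.k_ausf = k_ausf

    def verification_data(self, indication: bytes, counter: bytes):
        first = mac16(self.k_ausf, b"IND", indication, counter)   # integrity check at the UE
        second = mac16(self.k_ausf, b"ACK", indication, counter)  # expected acknowledgement
        return first, second


class UDM:
    def __init__(self, ausf: AUSF, ue_supports_akma: bool):
        self.ausf = ausf
        self.ue_supports_akma = ue_supports_akma  # from the UE's AKMA subscription information
        self.expected_second = None

    def first_data_transmission_message(self, counter: bytes) -> dict:
        indication = b"AKMA_SUPPORTED" if self.ue_supports_akma else b"AKMA_NOT_SUPPORTED"
        first, self.expected_second = self.ausf.verification_data(indication, counter)
        return {"indication": indication, "counter": counter, "first": first}

    def check_ack(self, third: bytes) -> bool:
        # The UE received the indication if its third verification data equals the
        # second verification data the AUSF precomputed for this exact indication.
        return self.expected_second is not None and hmac.compare_digest(self.expected_second, third)


class AMF:
    """Forwards the indication to the UE and the UE's acknowledgement back to the UDM."""
    def __init__(self, tamper: bool = False):
        self.tamper = tamper

    def second_data_transmission_message(self, msg: dict) -> dict:
        out = dict(msg)
        if self.tamper:  # constructed fault: the indication is altered on the path
            out["indication"] = b"AKMA_NOT_SUPPORTED"
        return out


class UE:
    def __init__(self, k_ausf: bytes, home_realm: str):
        self.k_ausf = k_ausf
        self.home_realm = home_realm
        self.a_kid = None

    def derive_a_kid(self) -> str:
        # Assumption: simplified A-KID "<temporary id>@<realm>" derived from the key material.
        a_tid = mac16(self.k_ausf, b"A-TID").hex()
        return f"{a_tid}@{self.home_realm}"

    def receive(self, msg: dict):
        fourth = mac16(self.k_ausf, b"IND", msg["indication"], msg["counter"])
        if not hmac.compare_digest(fourth, msg["first"]):
            return None  # integrity failure: ignore the indication and acknowledge nothing
        if msg["indication"] == b"AKMA_SUPPORTED":
            self.a_kid = self.derive_a_kid()
        # third verification data: binds the acknowledgement to the indication received
        return mac16(self.k_ausf, b"ACK", msg["indication"], msg["counter"])


def run_flow(ue_supports_akma: bool, tamper: bool = False) -> dict:
    k_ausf = b"\x5a" * 32  # constructed shared key
    counter = (1).to_bytes(2, "big")  # constructed replay counter
    ausf, amf = AUSF(k_ausf), AMF(tamper=tamper)
    udm, ue = UDM(ausf, ue_supports_akma), UE(k_ausf, "example.org")
    msg = amf.second_data_transmission_message(udm.first_data_transmission_message(counter))
    third = ue.receive(msg)
    return {
        "ue_derived_a_kid": ue.a_kid is not None,
        "udm_ack_verified": third is not None and udm.check_ack(third),
    }


if __name__ == "__main__":
    print(run_flow(True), run_flow(False), run_flow(True, tamper=True))
```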
  • the eleventh aspect of the embodiments of the present application provides a user equipment, where the user equipment includes: a processor, a memory, and a transceiver connected to the processor.
  • Computer programs or computer instructions are stored in the memory, and the processor is also used to call and run the computer programs or computer instructions stored in the memory, so that the processor implements any one of the implementation manners in the first aspect or the fifth aspect.
  • a twelfth aspect of the embodiments of the present application provides a communication device, and the communication device includes: a processor, a memory, and a transceiver connected to the processor.
  • Computer programs or computer instructions are stored in the memory, and the processor is also used to call and run the computer programs or computer instructions stored in the memory, so that the processor implements any one of the implementation manners in the second aspect to the fourth aspect.
  • the thirteenth aspect of the embodiments of the present application provides a computer program product including computer instructions, which is characterized in that, when running on a computer, the computer executes any one of the implementation manners of the first aspect to the fifth aspect.
  • the fourteenth aspect of the embodiments of the present application provides a computer-readable storage medium, including computer instructions, and when the computer instructions are run on the computer, the computer executes any one of the implementation manners of the first aspect to the fifth aspect.
  • the fifteenth aspect of the embodiment of the present application provides a communication device.
  • the communication device includes entities such as network equipment, terminal equipment or chips.
  • the processor is coupled to the memory through an interface.
  • the sixteenth aspect of the embodiment of the present application provides a communication system, the communication system includes the user equipment of the sixth aspect and/or the communication device of the seventh aspect; or includes the communication device of the eighth aspect, the communication device of the ninth aspect and/or the user equipment of the tenth aspect.
  • the communication system includes the communication device of the seventh aspect, and the communication system also includes an AKMA anchor function AAnF network element; the communication device of the seventh aspect is also used to look up, in the AAnF network element, whether there is an AKMA anchor key corresponding to the first key identifier.
  • the communication system also includes a network exposure function NEF network element; the communication device of the seventh aspect is also used to look up, from the AAnF network element through the NEF network element, whether there is an AKMA anchor key corresponding to the first key identifier.
  • the seventeenth aspect of the embodiments of the present application further provides a processor configured to execute the foregoing various methods.
  • the process of sending the above information and receiving the above information in the above method can be understood as the process of outputting the above information by the processor and the process of receiving the input of the above information by the processor.
  • when outputting the above information, the processor outputs the above information to the transceiver for transmission by the transceiver. After the above information is output by the processor, other processing may be required before it reaches the transceiver.
  • when the processor receives the above-mentioned input information, the transceiver receives the above-mentioned information and inputs it into the processor. Furthermore, after the transceiver receives the above information, the above information may need to be processed before being input to the processor.
  • the above-mentioned processor may be a processor dedicated to performing these methods, or may be a processor that executes computer instructions in a memory to perform these methods, such as a general-purpose processor.
  • the above-mentioned memory can be a non-transitory (non-transitory) memory, such as a read-only memory (read only memory, ROM), which can be integrated with the processor on the same chip, or can be respectively arranged on different chips.
  • the eighteenth aspect of the embodiment of the present application provides a chip system, the chip system includes a processor and an interface, the interface is used to obtain a program or instruction, and the processor is used to call the program or instruction to implement, or to support the network device in implementing, the functions involved in the first, second, third, fourth and/or fifth aspects, for example, determining or processing at least one of the data and information involved in the above methods.
  • the chip system further includes a memory, and the memory is configured to store necessary program instructions and data of the network device.
  • the system-on-a-chip may consist of chips, or may include chips and other discrete devices.
  • FIG. 1(a) is a schematic diagram of a network architecture of a communication system;
  • FIG. 1(b) is a schematic diagram of the network architecture involved in the AKMA process;
  • FIG. 2 is a schematic diagram of the hardware structure of the communication device in the embodiment of the present application;
  • FIG. 3 is a schematic diagram of a UE access process through forwarding;
  • FIG. 4 is a schematic flow diagram of a session establishment process between UE and AF;
  • FIG. 5 is a schematic diagram of a first embodiment of a method for establishing a session provided in an embodiment of the present application;
  • FIG. 6 is a schematic diagram of a first embodiment in which a UE obtains a first A-KID and an AKMA application key;
  • FIG. 7 is a schematic diagram of a second embodiment in which the UE obtains the first A-KID and the AKMA application key;
  • FIG. 8 is a schematic diagram of a third embodiment in which the UE obtains the first A-KID and the AKMA application key;
  • FIG. 9 is a schematic diagram of a fourth embodiment in which the UE obtains the first A-KID and the AKMA application key;
  • FIG. 10(a) is a schematic diagram of a second embodiment of the method for establishing a session provided by the embodiment of the present application;
  • FIG. 10(b) is a schematic diagram of a third embodiment of the method for establishing a session provided by the embodiment of the present application;
  • FIG. 11 is a schematic diagram of an embodiment of deriving the first A-KID by the UE;
  • FIG. 12 is a schematic structural diagram of an embodiment of a user equipment provided in an embodiment of the present application;
  • FIG. 13 is a schematic structural diagram of an embodiment of a communication device provided by an embodiment of the present application;
  • FIG. 14 is a schematic structural diagram of an embodiment of a communication device provided by an embodiment of the present application;
  • FIG. 15 is a schematic structural diagram of an embodiment of a communication device provided by an embodiment of the present application;
  • FIG. 16 is a schematic structural diagram of another embodiment of user equipment provided by the embodiment of the present application.
  • at least one item (piece) of a, b, or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b, c can be single or multiple.
  • communication systems referred to here include: wideband code division multiple access (WCDMA), general packet radio service (GPRS), long term evolution (LTE), LTE frequency division duplex (FDD), LTE time division duplex (TDD), universal mobile telecommunications system (UMTS), and worldwide interoperability for microwave access (WiMAX).
  • the part operated by an operator in various communication systems may be referred to as an operator network.
  • the operator network can also be called the public land mobile network (PLMN) network, which is a network established and operated by the government, or by an operator approved by the government, for the purpose of providing land mobile communication services for the public; it is mainly a public network through which a mobile network operator (MNO) provides mobile broadband access services for users.
  • the operator network or PLMN network described in the embodiments of the present application may be a network conforming to the requirements of the third generation partnership project (3rd generation partnership project, 3GPP) standard, referred to as a 3GPP network.
  • 3GPP networks are operated by operators, including but not limited to the fifth-generation mobile communication (5th-generation, 5G) network (referred to as the 5G network), the fourth-generation mobile communication (4th-generation, 4G) network (referred to as the 4G network) or the third-generation mobile communication technology (3rd-generation, 3G) network (referred to as the 3G network), and also future 6G networks.
  • FIG. 1(a) is a schematic diagram of a network architecture of a communication system, which may include: a user equipment 110 (user equipment, UE), an operator network part and a data network (data network, DN) part.
  • the UE 110 involved in the embodiment of the present application is a device with a wireless transceiver function, and can communicate with one or more core networks (core network, CN).
  • UE 110 may also be called an access terminal, terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, user terminal, wireless network device, user agent, or user device, among others.
  • UE 110 can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; it can also be deployed on water (such as ships, etc.); it can also be deployed in the air (such as aircraft, balloons and satellites, etc.).
  • the UE 110 can be a cellular phone (cellular phone), a cordless phone, a session initiation protocol (session initiation protocol, SIP) phone, a smart phone (smart phone), a mobile phone (mobile phone), a wireless local loop (wireless local loop, WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capabilities, a computing device or other device connected to a wireless modem, a vehicle device, a wearable device, a drone device, a terminal in the Internet of Things or the Internet of Vehicles, a terminal of any form in the fifth generation mobile communication (fifth generation, 5G) network and in future networks, a relay user equipment, or a terminal in a future evolved public land mobile network (PLMN), etc., where the relay user equipment may be, for example, a 5G residential gateway (residential gateway, RG).
  • UE 110 can be a virtual reality (virtual reality, VR) terminal, an augmented reality (augmented reality, AR) terminal, a wireless terminal in industrial control (industrial control), a wireless terminal in unmanned driving (self driving), a wireless terminal in telemedicine (remote medical), a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, etc.
  • the embodiment of the present application does not limit this.
  • the operator network may include a unified data management (unified data management, UDM) network element 134, an authentication server function (authentication server function, AUSF) 136, an access and mobility management function (access and mobility management function, AMF) 137, Session management function (session management function, SMF) 138, user plane function (user plane function, UPF) 139, (R)AN 140, etc.
  • the data network DN 120, which may also be called a protocol data network (protocol data network, PDN), is usually a network outside the operator's network, such as a third-party network.
  • the operator's network can access multiple data networks DN 120, and various services can be deployed on the data network DN 120, which can provide data and/or voice services for the UE 110.
  • the data network DN 120 can be a private network of a certain smart factory, the sensor installed in the workshop of the smart factory can be UE 110, the control server of the sensor is deployed in the data network DN 120, and the control server can provide services for the sensor.
  • the sensor can communicate with the control server, obtain instructions from the control server, and transmit the collected sensor data to the control server based on the instructions.
  • the data network DN 120 can be a company's internal office network, the mobile phone or computer of the company's employees can be UE 110, and the employee's mobile phone or computer can access information and data resources on the company's internal office network.
  • the UE 110 can establish a connection with the operator network through an interface provided by the operator network (for example, N1, etc.), and use services such as data and/or voice provided by the operator network.
  • the UE 110 can also access the data network DN 120 through the operator network, and use operator services deployed on the data network DN 120, and/or services provided by a third party.
  • the above-mentioned third party may be a service party other than the operator's network and the UE 110 , and may provide the UE 110 with other services such as data and/or voice.
  • the specific form of expression of the above-mentioned third party can be determined based on actual application scenarios, and is not limited here.
  • the (R)AN 140 can be regarded as a sub-network of the operator's network, and is an implementation system between service nodes and UE 110 in the operator's network. To access the operator network, the UE 110 first passes through the (R)AN 140, and then can be connected to a service node of the operator network through the (R)AN 140.
  • the access network device (RAN device) in the embodiment of this application is a device that provides wireless communication functions for the UE 110, and can also be called a network device.
  • the RAN device includes but is not limited to: a next-generation base station node (next generation node base station, gNB), an evolved node B (evolved node B, eNB) in long term evolution (long term evolution, LTE), a radio network controller (radio network controller, RNC), a node B (node B, NB), a base station controller (base station controller, BSC), a base transceiver station (base transceiver station, BTS), a home base station (for example, home evolved node B, or home node B, HNB), a base band unit (base band unit, BBU), a transmitting and receiving point (transmitting and receiving point, TRP), a transmission point (transmitting point, TP), small base station equipment (pico), a mobile switching center, or network equipment in a future network, etc.
  • the names of devices that function as access network devices may be different.
  • the above-mentioned devices providing wireless communication functions for the UE 110 are collectively referred to as access network devices or RAN or AN for short. It should be understood that the specific type of the access network device is not limited herein.
  • the access and mobility management function AMF (also called AMF network element, AMF network function or AMF network function entity) 137 is a control plane network function provided by the operator network, and is responsible for access control and mobility management of UE 110 accessing the operator network, including functions such as mobility status management, assigning temporary user identifiers, and authenticating and authorizing users.
  • the session management function SMF (also called SMF network element, SMF network function or SMF network function entity) 138 is a control plane network function provided by the operator network, responsible for managing the protocol data unit (protocol data unit, PDU) session of UE 110.
  • the PDU session is a channel for transmitting PDUs, and the terminal equipment needs to transmit PDUs with the data network DN 120 through the PDU session.
  • the PDU session is established, maintained and deleted by the SMF network function 138 .
  • SMF network functions 138 include session management (such as session establishment, modification and release, including tunnel maintenance between user plane functions UPF 139 and (R)AN 140), selection and control of UPF network functions 139, service and session continuity (service and session continuity, SSC) mode selection, roaming and other session-related functions.
  • the user plane function UPF (also called UPF network element, UPF network function or UPF network function entity) 139 is a gateway provided by the operator, and is a gateway for communication between the operator network and the data network DN 120.
  • the UPF network function 139 includes data packet routing and transmission, data packet detection, service usage reporting, service quality (quality of service, QoS) processing, lawful interception, uplink data packet detection, downlink data packet storage and other user plane related functions.
  • the unified data management network element UDM (also called UDM network element, UDM network function or UDM network function entity) 134 is a control plane function provided by the operator, responsible for storing the subscriber permanent identifier (subscriber permanent identifier, SUPI), the generic public subscription identifier (generic public subscription identifier, GPSI), the credential (credential) and other information of the subscriber in the operator network.
  • SUPI will be encrypted first during transmission, and the encrypted SUPI is called a hidden user subscription identifier (subscription concealed identifier, SUCI).
  • the information stored in the UDM 134 can be used for authentication and authorization of the UE 110 to access the operator's network.
  • the subscribers of the above-mentioned operator network can specifically be users who use the services provided by the operator network, such as users who use the mobile phone chip card of "China Telecom", or users who use the mobile phone chip card of "China Mobile”.
  • the credential of the above-mentioned contracted user may be: a long-term key stored in the mobile phone chip card or a small file stored in encrypted information related to the mobile phone chip card, for authentication and/or authorization.
  • permanent identifiers, credentials, security contexts, authentication data (cookies), and information related to token equivalent verification/authentication and authorization are not distinguished and limited in this embodiment of the application for the convenience of description.
  • The authentication server function (AUSF) (also called AUSF network element, AUSF network function or AUSF network function entity) 136 is a control plane function provided by the operator, usually used for primary authentication, that is, authentication between the UE 110 (the subscriber) and the operator network.
  • After the AUSF 136 receives an authentication request initiated by the subscriber, it can authenticate and/or authorize the subscriber using the authentication and/or authorization information stored in the UDM network function 134, or have the UDM network function 134 generate the subscriber's authentication and/or authorization information.
  • The AUSF network function 136 may feed authentication information and/or authorization information back to the subscriber.
  • Abbreviations used in FIG. 1(a): AKMA, authentication and key management for applications; Kakma, the AKMA anchor key, also called the AKMA root key; AF, application function; NEF, network exposure function; AAnF, AKMA anchor function.
  • The network repository function (NRF) 132 is used for network function (NF) registration, management and status detection, and realizes automatic management of all NFs.
  • The policy control function (PCF) 133 interacts with the AF 135 to obtain quality of service (QoS) parameters, or provides QoS parameters to the AF 135, and can thereby influence application data transmission.
  • The AF 135 can interact with the NEF 131 and with the PCF 133.
  • For AKMA, the AF 135 needs to interact with the AAnF 130 to obtain Kaf and the validity time of Kaf.
  • The AF 135 can be located inside the 5G core network, in which case it is called an operator-trusted AF, or outside the 5G core network, in which case it is called an operator-untrusted AF. An AF inside the 5G core network can interact directly with the PCF 133; for an AF 135 outside the 5G core network, the NEF 131 acts as an intermediate node and forwards the interaction between the AF 135 and the PCF 133.
  • The AKMA anchor function AAnF 130 is located in the HPLMN (home public land mobile network). The AAnF 130 interacts with the AUSF 136 to obtain the AKMA root key (Kakma), and is responsible for generating the Kaf used by the AF 135 and the validity time of Kaf.
  • Nausf, Nudm, Namf, Nsmf, Nnrf, Nnef, Naanf, Naf, N1, N2, N3, N4 and N6 are interface designations; their meanings are as defined in the 3GPP standards and are not repeated here.
  • UE 110 is used as an example of a UE, and the names of the interfaces between the network functions in FIG. 1(a) are only examples; the interfaces of the system architecture may have other names, which is not specifically limited in this embodiment.
  • The names of the above network elements may also differ between systems; for example, the AMF network element has different names in 5G and 6G.
  • The session establishment method can be applied to various communication systems, for example Internet of Things (IoT), narrowband Internet of Things (NB-IoT), long term evolution (LTE), fifth generation (5G) communication systems, hybrid LTE/5G architectures, 5G new radio (NR) systems, and communication systems based on new technologies emerging in the future.
  • The 5G communication system of the present application may include at least one of a non-standalone (NSA) 5G communication system and a standalone (SA) 5G communication system.
  • The communication system may also be a public land mobile network (PLMN), a device-to-device (D2D) network, a machine-to-machine (M2M) network or another network.
  • The embodiments of the present application may also apply to other future communication technologies, such as 6G.
  • The network architecture and service scenarios described in this application illustrate the technical solution more clearly and do not limit it.
  • Those of ordinary skill in the art know that, as the network architecture evolves and new service scenarios appear, the network functions involved in this application may change, and the technical solution provided here also applies to similar technical problems.
  • The architecture involved in the AKMA procedure is shown in FIG. 1(b).
  • The interface between the UE and the AF is Ua*; the interface may also have other names, which are not described in detail. The network elements in this architecture can be understood with reference to the description of FIG. 1(a).
  • FIG. 2 is a schematic diagram of the hardware structure of a communication device in an embodiment of the present application. The communication device may be a possible implementation of the network device or the terminal device in the embodiments of the present application.
  • The communication device includes at least a processor 204, a memory 203 and a transceiver 202; the memory 203 stores instructions 2031 and data 2032.
  • The communication device may further include an antenna 206, an input/output (I/O) interface 210 and a bus 212.
  • The transceiver 202 includes a transmitter 2021 and a receiver 2022.
  • The processor 204, the transceiver 202, the memory 203 and the I/O interface 210 are communicatively connected to each other through the bus 212, and the antenna 206 is connected to the transceiver 202.
  • The processor 204 can be a general-purpose processor, such as, but not limited to, a central processing unit (CPU), or a special-purpose processor, such as, but not limited to, a digital signal processor (DSP), an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA).
  • The processor 204 may also be a neural processing unit (NPU), or a combination of multiple processors.
  • The processor 204 may be used to execute the relevant steps of the key identifier generation method in the method embodiments that follow.
  • The processor 204 may be a processor specially designed to perform the above steps and/or operations, or a processor that performs them by reading and executing the instructions 2031 stored in the memory 203; the data 2032 may be needed while executing those steps and/or operations.
  • The transceiver 202 includes a transmitter 2021 and a receiver 2022. The transmitter 2021 is used to send signals through the antenna 206, and the receiver 2022 is used to receive signals through at least one of the antennas 206.
  • The transmitter 2021 and the receiver 2022 can be used to perform, through at least one of the antennas 206, the operations of the sending module and the receiving module of the network device or terminal device to which the key identifier generation method in the method embodiments that follow is applied.
  • The transceiver 202 supports the communication device in performing the receiving function and the sending function described above, and a processor having a processing function is considered to be the processor 204.
  • The receiver 2022 may also be called an input port, a receiving circuit, etc., and the transmitter 2021 may also be called a transmitter or a transmitting circuit, etc.
  • The processor 204 can execute the instructions stored in the memory 203 to control the transceiver 202 to receive and/or send messages, so as to complete the functions of the communication device in the method embodiments of the present application.
  • The function of the transceiver 202 may be realized by a transceiver circuit or a dedicated transceiver chip. Receiving a message by the transceiver 202 may be understood as the transceiver 202 inputting a message, and sending a message by the transceiver 202 as the transceiver 202 outputting a message.
  • The memory 203 can be any of various types of storage media, such as random access memory (RAM), read-only memory (ROM), non-volatile RAM (NVRAM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), flash memory, optical memory and registers.
  • The memory 203 stores the instructions 2031 and the data 2032. The processor 204 can read and execute the instructions 2031 stored in the memory 203 to perform the steps and/or operations described in the method embodiments of the present application, and the data 2032 may be required during those operations and/or steps.
  • The communication device may further include an I/O interface 210, which receives instructions and/or data from peripheral devices and outputs instructions and/or data to peripheral devices.
  • FIG. 3 is a schematic diagram of a UE access procedure; the AKMA procedure is described below taking FIG. 3 as an example.
  • Step 301: a primary authentication procedure is performed between the UE and the core network.
  • The primary authentication procedure uses an authentication vector (AV), which carries the verification parameters of the primary authentication procedure; the AUSF acquires the authentication vector.
  • The primary authentication procedure may also simply be called the authentication procedure, which is not limited here.
  • Step 302: the AUSF sends an authentication vector acquisition request message to the UDM, for example "Nudm_UEAuthentication_Get Request". The message is used to request an authentication vector from the UDM.
  • The authentication vector acquisition request message carries a SUPI or a SUCI: when the message sent by the AMF to the AUSF carries a SUPI, the request carries that SUPI; when the message from the AMF carries a SUCI, the request carries that SUCI.
  • A SUCI can be understood as an encrypted form of the SUPI; the method of generating it is specified in 3GPP TS 33.501. The ciphertext part of the SUCI is obtained by the universal subscriber identity module (USIM) or the mobile equipment (ME) encrypting part or all of the SUPI.
  • Step 303: the AUSF receives the authentication vector acquisition response message sent by the UDM. After the UDM receives the request of step 302, it determines the corresponding authentication vector and sends an authentication vector acquisition response message, for example "Nudm_UEAuthentication_Get Response", carrying the authentication vector to the AUSF.
  • The UDM determines, based on the subscription information corresponding to the SUPI, whether the UE being authenticated supports the AKMA service. If it does, the authentication vector acquisition response message also carries AKMA service indication information and a routing indicator (RID).
  • The AKMA service indication information can be an "AKMA Indication" or an "AKMA ID"; this embodiment does not limit its form, and the two can use the same information element or different information elements.
  • The AKMA service indication information indicates that the AUSF needs to generate the AKMA anchor key Kakma and the A-KID for this UE; it can also be understood as indicating that the UE supports the AKMA service.
  • If the UE does not support the AKMA service, the authentication vector acquisition response message carries neither the AKMA service indication information nor the RID.
  • A UE not supporting the AKMA service may mean that the UE has not subscribed to the AKMA service, or that the UE cannot use the AKMA procedure to establish a shared key with the AF.
  • Step 304a: the UE generates the AKMA anchor key Kakma from the AUSF root key. When the UE's primary authentication procedure completes successfully, the UE generates Kakma from the same root key (Kausf) used by the AUSF; Kausf is shared by the UE and the AUSF.
  • The process of generating Kakma may also be called deriving Kakma; the derivation is specified in TS 33.535 and is not described in detail here.
  • Step 304b: the UE generates the AKMA key identifier (A-KID). After the UE's primary authentication procedure completes successfully and before the UE initiates the AKMA service, the UE generates the A-KID from the same root key (Kausf) used by the AUSF. The A-KID identifies the UE's AKMA anchor key Kakma.
  • Specifically, the UE generates the AKMA temporary UE identifier (A-TID) part of the A-KID from Kausf.
  • The A-KID has the format "username@example". The "username" part includes the routing indicator (RID) and the A-TID; the "example" (realm) part includes home network identifiers such as the mobile country code (MCC) and the mobile network code (MNC).
  • The A-TID is a temporary identifier generated from Kausf. Generating the A-TID may also be called deriving the A-TID; since the derivation is mature technology, it is not described in detail here.
  • The order of execution of step 304a and step 304b is not limited.
  • Step 305a: the AUSF generates the AKMA anchor key Kakma from the AUSF root key. Step 305a is similar to step 304a, with the difference that after the AUSF receives the authentication vector acquisition response message, it generates Kakma and the A-KID from its own Kausf only if the message carries AKMA service indication information; if the AV acquisition response message does not carry AKMA service indication information, the AUSF may not generate Kakma or the A-KID.
  • Step 305b: the AUSF generates the A-KID. When the AV acquisition response message sent by the UDM in step 303 carries AKMA service indication information, the AUSF determines from that indication that an A-KID needs to be generated.
  • Step 306: the AUSF sends an AKMA anchor key registration request message to the AAnF. After the AUSF selects an AAnF, it sends the registration request, for example "Naanf_AKMA_AnchorKey_Register Request", carrying the SUPI, the A-KID and Kakma; the AAnF stores the A-KID and Kakma.
  • Step 307: the AUSF receives the AKMA anchor key registration response message that the AAnF sends in reply to the request of step 306, for example "Naanf_AKMA_AnchorKey_Register Response".
  • In the above procedure the UDM checks the UE's subscription information, which indicates whether the UE supports the AKMA service; "supports the AKMA service" can be understood as the UE having subscribed to the AKMA service, being authorized to use it, or being capable of using it.
  • The AAnF registers the AKMA anchor key, that is, it stores Kakma and the A-KID.
  • The RID is provided by the UDM and consists of 1 to 4 decimal digits.
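The key hierarchy of steps 301 to 307, followed by the AF's key fetch, as an added worked example in Python; this is not code from the patent or from 3GPP. The KDF structure is the generic HMAC-SHA-256 KDF of TS 33.220 Annex B; the FC values and input parameters of the Kakma, A-TID and Kaf derivations are given as the author recalls TS 33.535 Annex A and must be checked against the current specification; the 16-octet A-TID length, the realm layout of the A-KID, the Ua* protocol identifier and the SUPI, RID and FQDN values are all constructed assumptions.

```python
import hashlib
import hmac

# FC values and input parameters as the author recalls TS 33.535 Annex A
# (assumption: check against the current specification before relying on them)
FC_K_AKMA = 0x80
FC_A_TID = 0x81
FC_K_AF = 0x82

UA_PROTO_ID = b"\x01\x00\x00\x00\x00"  # constructed 5-octet Ua* protocol identifier


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP key derivation function (TS 33.220 Annex B.2):
    HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), each Li a 2-octet length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    """Steps 304a/305a: Kakma derived from Kausf, with the SUPI as input parameter."""
    return kdf(k_ausf, FC_K_AKMA, supi.encode())


def derive_a_tid(k_ausf: bytes, supi: str) -> bytes:
    """Steps 304b/305b: A-TID, the temporary identifier derived from Kausf.
    Keeping the first 16 octets of the KDF output is an assumption of this model."""
    return kdf(k_ausf, FC_A_TID, supi.encode())[:16]


def build_a_kid(rid: str, a_tid: bytes, mcc: str, mnc: str) -> str:
    """A-KID in 'username@realm' form: the username carries RID and A-TID, the realm
    carries the home network identifiers (MCC/MNC). The exact encoding is assumed."""
    if not (rid.isdigit() and 1 <= len(rid) <= 4):
        raise ValueError("RID is 1 to 4 decimal digits")
    return f"{rid}{a_tid.hex()}@akma.5gc.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


def derive_k_af(k_akma: bytes, af_fqdn: str, ua_proto_id: bytes) -> bytes:
    """Step 404: Kaf derived from Kakma with AF_ID = FQDN || Ua* protocol identifier."""
    return kdf(k_akma, FC_K_AF, af_fqdn.encode() + ua_proto_id)


class AAnF:
    """Anchor function: keeps the (A-KID -> SUPI, Kakma) entries registered in step 306."""

    def __init__(self):
        self.anchors = {}

    def register(self, supi: str, a_kid: str, k_akma: bytes) -> None:
        self.anchors[a_kid] = (supi, k_akma)

    def application_key_get(self, a_kid: str, af_fqdn: str, ua_proto_id: bytes):
        """Steps 403-407: Kaf when a Kakma matches the A-KID, otherwise None (failure)."""
        entry = self.anchors.get(a_kid)
        if entry is None:
            return None
        return derive_k_af(entry[1], af_fqdn, ua_proto_id)


def run_bootstrap(k_ausf: bytes, supi: str, rid: str, mcc: str, mnc: str, af_fqdn: str):
    """Runs the AUSF-side and UE-side derivations after primary authentication and the
    AF's key fetch; returns (Kaf computed at the UE, Kaf returned by the AAnF, A-KID)."""
    aanf = AAnF()
    # AUSF side (steps 305a, 305b, 306)
    k_akma_net = derive_k_akma(k_ausf, supi)
    a_kid_net = build_a_kid(rid, derive_a_tid(k_ausf, supi), mcc, mnc)
    aanf.register(supi, a_kid_net, k_akma_net)
    # UE side (steps 304a, 304b) from the same Kausf; Kaf derived locally
    k_akma_ue = derive_k_akma(k_ausf, supi)
    a_kid_ue = build_a_kid(rid, derive_a_tid(k_ausf, supi), mcc, mnc)
    kaf_ue = derive_k_af(k_akma_ue, af_fqdn, UA_PROTO_ID)
    # the AF forwards the UE's A-KID to the AAnF (steps 402-405)
    kaf_net = aanf.application_key_get(a_kid_ue, af_fqdn, UA_PROTO_ID)
    return kaf_ue, kaf_net, a_kid_ue


if __name__ == "__main__":
    k_ausf = bytes(range(32))  # constructed Kausf; a real one results from primary authentication
    kaf_ue, kaf_net, a_kid = run_bootstrap(k_ausf, "imsi-001010123456789", "12", "001", "01", "af.example.org")
    print(a_kid, kaf_ue == kaf_net)
```

The model makes the failure mode of FIG. 4 visible: a Kausf that changes on the network side (a new primary authentication) yields a different A-TID and therefore a different A-KID, and an `application_key_get` with the UE's old A-KID returns `None`, which is the step 407 failure indication.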
  • The session establishment procedure between the UE and the AF (FIG. 4) includes:
  • Step 401: the UE sends a session establishment request carrying the A-KID to the AF.
  • Step 402: if the AF has no active context associated with the A-KID, the AF sends a key acquisition request carrying the A-KID to the AAnF, for example "Naanf_AKMA_ApplicationKey_Get request".
  • When the AF is trusted by the operator, it sends the key acquisition request to the AAnF directly; when the AF is not trusted by the operator, it sends the request through the NEF: the AF sends a first key acquisition request to the NEF, and the NEF generates a key acquisition request from it and sends that to the AAnF.
  • Step 403: the AAnF determines whether a Kakma corresponding to the A-KID exists.
  • Step 404: if a Kakma corresponding to the A-KID exists, the AAnF derives Kaf from Kakma.
  • Step 405: the AAnF sends a key acquisition response, for example "Naanf_AKMA_ApplicationKey_Get Response", carrying Kaf and the expiry time of Kaf to the AF.
  • Step 406: when the key acquisition response carries Kaf and its expiry time, the AF sends a session establishment response indicating success to the UE.
  • Step 407: if no Kakma corresponding to the A-KID exists, the AAnF sends a key acquisition response to the AF indicating that key acquisition failed, for example by carrying failure indication information (also called error indication information).
  • Step 408: the AF receives the key acquisition response, and if it indicates that key acquisition failed, the AF sends a session establishment response indicating failure to the UE.
  • Steps 404 to 406 are the processing when a Kakma corresponding to the A-KID exists in the AAnF, and steps 407 and 408 the processing when it does not; the two are usually drawn as two dotted boxes, and only one of them is executed in a given session establishment.
  • In the failure case, session establishment between the UE and the AF fails, and the AF sends a session establishment response indicating failure to the UE.
  • After session establishment fails, the UE reacquires the A-KID and executes step 401 again, triggering the procedure of FIG. 4 once more. If there is still no Kakma corresponding to the A-KID in the AAnF, session establishment fails again, producing large signalling overhead between the UE and the AF. Furthermore, besides the AKMA service, the UE can also establish a session with the AF by other means; repeated failures through the AKMA service delay session establishment by those other means, delaying the UE's access to the AF's services or even preventing the UE from obtaining them.
  • The embodiment of the present application provides a session establishment method in which the UE compares the first A-KID used to establish the first session with the second A-KID it obtains afterwards, and only when the two A-KIDs differ sends a second session establishment request carrying the second A-KID. This relieves the signalling overhead caused by a UE that is not authorized for the AKMA service repeatedly requesting session establishment with the AF using the same A-KID.
  • The method addresses two scenarios. The first scenario: the UE has not subscribed to the AKMA service.
  • The second scenario: after the UE uses an A-KID to initiate an application session establishment request, the network side generates a new A-KID. For example, after the request is sent the AUSF may generate a new Kausf, derive a new A-KID from it and send that to the AAnF; the AAnF then cannot obtain a key from the A-KID sent by the UE. Thus even if the UE subscribes to the AKMA service, the AAnF has no Kakma corresponding to the UE's not-yet-updated A-KID, and session establishment between the UE and the AF fails.
  • In the second scenario the session request is sent again with the updated A-KID, avoiding session establishment failure due to the Kausf in the UE not having been updated in time.
  • A first embodiment of the session establishment method provided by the present application includes the following steps.
  • Step 501: the UE acquires a first key identifier.
  • The key identifier can be expressed in multiple ways; for example, it can be an A-KID, in which case the first key identifier is the first A-KID. The method is described below taking the A-KID as the key identifier.
  • The first key identifier is used to identify the key associated with the UE or to acquire that key. The UE obtains the first A-KID first; the first A-KID identifies the UE's AKMA anchor key Kakma, so that the AAnF can look up the UE's Kakma from it.
  • The UE can also obtain the AKMA application key Kaf, a shared key between the UE and the AF, from which the UE and the AF can establish a secure connection between them.
  • Kaf may be obtained before the session request is initiated or after the session is established successfully; this embodiment does not limit it. The description below introduces the process of obtaining Kaf for one of these cases; the other cases are similar.
  • Successful establishment of the session can also be understood as successful establishment of a shared key between the UE and the AF, that is, the UE and the AF hold the same key Kaf.
  • The UE obtaining the first A-KID mainly means that the first layer of the UE obtains the first A-KID from the second layer of the UE. The first layer is usually the application layer and may also be called the upper layer; the second layer is usually a layer below the application layer and may be called the lower layer or the bottom layer. The second layer can comprise multiple layers, for example the NAS layer, the operating system layer or a middleware layer.
  • Step 502: the UE stores the first A-KID.
  • Step 502 can be understood as the first layer of the UE storing the first A-KID in the context of the first layer. Different contexts can be stored in different storage spaces, or in different locations of the same storage space.
  • Step 502 can also be understood as the first layer of the UE storing the first A-KID as part of the context of the first session, where the context of the first session can be looked up by the identifier of the first session.
  • The context of the first session is the information related to the first session, such as the identifier of the first session, the UE identifier, the AF identifier and the like.
  • Establishing the first session between the UE and the AF can be understood as establishing a first connection, a first connection context, or a first session context between the UE and the AF that can be used for communication between them, or as establishing a shared key between the UE and the AF.
  • The purpose of storing the first A-KID in step 502 is to obtain the first A-KID again in step 505; since there are other ways of reacquiring the first A-KID, step 502 is optional.
  • This embodiment does not limit the execution order between step 502 and step 503, or between step 502 and step 504, as long as step 502 is executed before step 505.
  • Step 503: the UE sends a first session establishment request carrying the first key identifier (first A-KID) to the AF network element, and the AF network element receives it.
  • The AAnF may send a key acquisition response carrying the first A-KID to the AF, so that the AF can send a first session establishment response carrying the first A-KID to the UE. Similarly, if the AF communicates with the AAnF through the NEF, the AAnF may send a first key acquisition response carrying the first A-KID to the NEF, the NEF sends a second key acquisition response carrying the first A-KID to the AF, and the AF sends a first session establishment response carrying the first A-KID to the UE.
  • Step 504: when no AKMA anchor key corresponding to the first A-KID exists on the network side, the AF network element sends a first session establishment response indicating that the first session establishment failed to the UE. Specifically, the AF receives an application key acquisition response from the NEF or the AAnF indicating that key acquisition failed, and then sends the first session establishment response indicating failure to the UE.
  • The UE receives the first session establishment response to the first session establishment request from the AF network element.
  • The first session establishment response may carry the first A-KID, so that the UE can obtain the first A-KID from the response; the first A-KID is used to determine whether to initiate the session again. The first A-KID in the response may come from the AAnF or be obtained locally by the AF.
  • Executing step 502 and/or carrying the first A-KID in the first session establishment response both enable the UE to acquire the first A-KID it used to request establishment of the first session. The AF may therefore omit the first A-KID from the first session establishment response, and if the first A-KID is carried in the response, step 502 may be omitted.
  • Step 505: if the first session establishment response indicates that the first session establishment failed, the UE acquires the first A-KID again, in order to compare whether the first A-KID used to establish the first session is the same as the latest, second A-KID.
  • Step 505 may consist of the UE acquiring the stored first A-KID: the UE obtains the first A-KID from the context of the first layer, or equivalently from the context of the first session, or from the storage space of the first layer. Alternatively, the UE obtains the first A-KID from the first session establishment response.
  • Step 506 if the first session establishment response indicates that the first session establishment fails, the UE obtains the second A-KID.
  • step 506 includes: the UE acquires the second A-KID from the context of the second layer, which is a lower layer of the application layer.
  • step 506 is similar to step 501; the difference is that step 501 is executed before requesting to establish the first session, while step 506 is executed when the first session fails to be established, so the second A-KID obtained in step 506 may be different from the first A-KID acquired in step 501; otherwise, step 506 can be understood with reference to the relevant description of step 501.
  • the second A-KID can be regarded as the latest A-KID that the first layer of the UE can obtain from the second layer of the UE, that is, the A-KID provided by the second layer of the UE.
  • the A-KID provided by the second layer of the UE may be the A-KID stored in the second layer, or the A-KID deduced after receiving the request, or, when the second layer determines upon receiving the request that the main authentication process is being executed, the A-KID deduced after waiting for the main authentication to complete.
  • Step 507 when the first A-KID is different from the second A-KID, the UE sends a second session establishment request to the AF network element, and the second session establishment request carries the second A-KID.
  • the failure to establish the first session may be because there is no Kakma corresponding to the first A-KID in the AAnF, while there may be a Kakma corresponding to the second A-KID. Therefore, when the first A-KID is different from the second A-KID, the UE uses the second A-KID to initiate a session establishment request again, that is, the UE sends the second session establishment request carrying the second A-KID to the AF network element.
  • when the second A-KID is the same as the first A-KID, the UE does not send a second session establishment request carrying the second A-KID to the AF network element, which avoids a second session establishment failure caused by reusing an A-KID identical to the first A-KID, thereby reducing signaling overhead.
  • the UE may use a method other than the AKMA service to request to establish a session with the AF network element, such as step 508.
  • the UE no longer initiates a session request to the AF network element, such as step 509.
  • the UE terminates using the AKMA service to establish a connection with the AF.
  • the UE sends a fourth session request to the AF, where the fourth session request indicates that the UE does not support the AKMA service.
  • the fourth session request indicates to use other security mechanisms than the AKMA service, such as GBA, certificate mechanism and so on.
  • Step 508 when the first A-KID is the same as the second A-KID, the UE sends a third session establishment request to the AF network element, and the third session establishment request indicates that the UE does not support the AKMA service.
  • the third session establishment request indicates that the UE does not support the AKMA service. Specifically, the third session establishment request indicates that the UE does not use the AKMA service for this request to establish a session, or the third session establishment request indicates that the UE has not been authorized for the AKMA service, or the third session establishment request indicates that the UE supports establishing a connection using a generic bootstrapping architecture (Generic Bootstrapping Architecture, GBA), a certificate mechanism, and the like.
  • an indication information may be added to the message header of the third session establishment request, where the indication information indicates that the UE supports establishing a session through the AKMA service; the indication information may be represented by a specific bit or by a multi-bit binary value, for example, by 00.
  • the manner in which the third session establishment request indicates that the UE does not support the AKMA service may include multiple manners.
  • the first way: if the UE does not support the AKMA service, the above indication information is not added to the message header of the third session establishment request, so that the third session establishment request indicates that the UE does not support the AKMA service; for example, when the above indication information is 00, if the message header of the third session establishment request does not include the indication information 00, it means that the UE does not support the AKMA service.
  • the second way: if the UE does not support the AKMA service, another indication information different from the above indication information is added to the message header of the third session establishment request, and this other indication information indicates that the UE does not support the AKMA service; for example, when the above indication information is 00, a binary value 01 may be added to the message header of the third session establishment request, and the binary value 01 indicates that the UE does not support the AKMA service.
  • the third session establishment request may also directly carry other methods used to establish the session, such as GBA or a certificate mechanism.
  • the reason for the failure of the first session establishment may be that the UE has not subscribed to the AKMA service, that is, the UE does not support the AKMA service.
  • the UE can establish a session with the AF in other ways; therefore, the third session establishment request indicates that the UE does not support the AKMA service, so that the AF establishes a session with the UE in another way, avoiding another session establishment failure caused by still trying to establish the session through the AKMA service.
  • Step 509 when the first A-KID is the same as the second A-KID, the UE stops establishing the session with the AF network element.
  • the failure to establish the first session may be because there is no Kakma corresponding to the first A-KID in the AAnF, so if the first A-KID is the same as the second A-KID, a second session establishment request carrying the second A-KID may cause the session establishment to fail again, thereby generating additional signaling overhead.
  • the UE can stop the session establishment with the AF network element; optionally, after stopping the session establishment, it can determine the cause of the session establishment failure, take corresponding measures, and then initiate the session establishment again.
  • the reason for the failure of the first session establishment may be that the UE has not subscribed to the AKMA service. If the first A-KID is the same as the second A-KID, the UE stops establishing the session with the AF network element and then subscribes to the AKMA service; after subscribing to the AKMA service, the UE can send a session establishment request to the AF again, so as to establish a session with the AF through the AKMA service.
  • step 508 and step 509 are both executed when the first A-KID is the same as the second A-KID, so when the first A-KID is the same as the second A-KID, one of step 508 and step 509 is selected for execution.
  • after step 507, the UE will receive a second session establishment response to the second session establishment request; if the second session establishment response still indicates that the session establishment fails, the same operations as above are performed, and the details are not repeated here.
  • the method for the UE to obtain the first A-KID will be introduced below with reference to FIG. 6 to FIG. 9 , and at the same time, the method for the UE to obtain the AKMA application key will also be introduced.
  • step 501 includes:
  • step 601 the first layer of the UE sends a first information request to the second layer of the UE, where the first layer is an application layer.
  • the first information request is used to acquire the AKMA anchor key and the first A-KID.
  • Step 602 in response to the first information request, the second layer of the UE sends the AKMA anchor key and the first A-KID to the first layer of the UE, and the second layer is a lower layer of the application layer.
  • step 603 the first layer of the UE deduces the AKMA application key according to the AF network element identifier and the AKMA anchor key.
  • the AKMA anchor key and the first A-KID can be obtained through a first information request, which can reduce signaling overhead.
  • step 501 includes:
  • Step 701 the first layer of the UE sends a second information request to the second layer of the UE, the second information request carries the identifier of the AF network element, and the first layer is the application layer.
  • the second information request is used to obtain the AKMA application key and the first A-KID.
  • Step 702 in response to the second information request, the second layer of the UE derives the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • step 703 the second layer of the UE sends the AKMA application key and the first A-KID to the first layer of the UE.
  • the AKMA application key and the first A-KID can be obtained through a single information request, which can reduce signaling overhead; moreover, the AKMA application key is derived by the second layer of the UE, so the second layer of the UE does not need to send the AKMA anchor key to the first layer of the UE, which prevents a malicious program from intercepting the AKMA anchor key and stealing a large amount of information based on it.
  • step 501 includes:
  • Step 801 the first layer of the UE sends a third information request to the second layer of the UE, the first layer being the application layer;
  • the third information request is used to obtain the first A-KID.
  • Step 802 in response to the third information request, the second layer of the UE sends the first A-KID to the first layer of the UE, and the second layer is the lower layer of the application layer;
  • Step 803 the first layer of the UE sends a fourth information request to the second layer of the UE;
  • the fourth information request is used to acquire the AKMA anchor key.
  • Step 804 in response to the fourth information request, the second layer of the UE sends the AKMA anchor key to the first layer of the UE;
  • Step 805 the first layer of the UE deduces the AKMA application key according to the AF network element identifier and the AKMA anchor key.
  • the AKMA anchor key is used to deduce the AKMA application key, which is used for data transmission after the session is successfully established, so if the session establishment fails, the AKMA application key is not required, and it is not necessary to obtain the AKMA anchor key.
  • the operation of obtaining the AKMA anchor key can be performed after the first session is successfully established. If the establishment of the first session fails, the AKMA anchor key acquisition operation is not performed, thereby avoiding the situation where the first session establishment fails but the AKMA anchor key has already been acquired.
  • step 501 includes:
  • Step 901 the first layer of the UE sends a fifth information request to the second layer of the UE, the first layer being the application layer;
  • Step 902 in response to the fifth information request, the second layer of the UE sends the first A-KID to the first layer of the UE, and the second layer is the lower layer of the application layer;
  • the fifth information request is used to acquire the first A-KID.
  • Step 903 the first layer of the UE sends a sixth information request to the second layer of the UE, and the sixth information request carries the identifier of the AF network element;
  • Step 904 in response to the sixth information request, the second layer of the UE deduces the AKMA application key according to the identity of the AF network element and the AKMA anchor key;
  • the sixth information request is used to acquire the AKMA application key.
  • Step 905 the second layer of the UE sends the AKMA application key and the first A-KID to the first layer of the UE.
  • the AKMA application key is derived by the second layer of the UE, so the second layer of the UE does not need to send the AKMA anchor key to the first layer of the UE, which prevents a malicious program from intercepting the AKMA anchor key and stealing a large amount of information based on it.
  • the embodiments shown in FIG. 6 and FIG. 8 can be briefly summarized as follows: the first layer of the UE obtains the AKMA anchor key and the first key identifier from the second layer of the UE, where the first layer is the application layer and the second layer is a lower layer of the application layer; the first layer of the UE deduces the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • since the first layer of the UE obtains the AKMA anchor key from the second layer of the UE, the first layer of the UE can choose by itself when to deduce the AKMA application key.
  • the embodiments shown in FIG. 7 and FIG. 9 can be briefly summarized as follows: the first layer of the UE obtains the AKMA application key and the first key identifier from the second layer of the UE, where the first layer is the application layer and the second layer is a lower layer of the application layer.
  • the AKMA application key is obtained from the second layer of the UE, so the first layer of the UE does not need to obtain the AKMA anchor key from the second layer of the UE, which prevents a malicious program from intercepting the AKMA anchor key during the acquisition process and stealing a large amount of information based on it.
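The retry decision of steps 505 to 509 above together with the FIG. 7 / FIG. 9 layering (the second layer derives the AKMA application key, so the anchor key never reaches the application layer), as an added Python model that is not part of the patent; the AF with its embedded AAnF stand-in, the HMAC-based key derivation, the sample A-KID values and the method names are constructed assumptions.

```python
import hmac
import hashlib

# "00" in the message header marks that the UE supports AKMA for this request;
# its absence (the "first way" above) marks that it does not.
AKMA_INDICATION = "00"


def derive_kaf(kakma: bytes, af_id: str) -> bytes:
    """Derive the AKMA application key K_AF from K_AKMA and the AF identifier.
    Stand-in construction (HMAC-SHA-256), not the 3GPP KDF of TS 33.535."""
    return hmac.new(kakma, af_id.encode(), hashlib.sha256).digest()


class SecondLayer:
    """Lower layer of the UE: holds K_AKMA and the A-KID from the last primary authentication."""

    def __init__(self, akid: str, kakma: bytes):
        self.akid, self._kakma = akid, kakma

    def reauthenticate(self, akid: str, kakma: bytes) -> None:
        # A new primary authentication replaces the anchor key and its A-KID.
        self.akid, self._kakma = akid, kakma

    def app_key_and_akid(self, af_id: str) -> tuple:
        # FIG. 7 / FIG. 9 style: K_AF is derived here, so K_AKMA never leaves this layer.
        return derive_kaf(self._kakma, af_id), self.akid


class AF:
    """AF with an embedded AAnF stand-in: only registered A-KIDs have a K_AKMA."""

    def __init__(self, af_id: str, aanf_keys: dict):
        self.af_id, self.aanf_keys, self.session = af_id, aanf_keys, None

    def handle(self, req: dict) -> dict:
        if AKMA_INDICATION not in req["header"]:
            self.session = ("other", req.get("mechanism"))        # step 508 fallback
            return {"status": "ok"}
        kakma = self.aanf_keys.get(req["akid"])
        if kakma is None:
            # Failure response carries the A-KID so the UE can re-obtain it (step 504).
            return {"status": "fail", "akid": req["akid"]}
        self.session = ("akma", derive_kaf(kakma, self.af_id))
        return {"status": "ok"}


class FirstLayer:
    """Application layer of the UE running steps 501 to 509."""

    def __init__(self, lower: SecondLayer):
        self.lower, self.ctx = lower, {}

    def _akma_request(self, af_id: str) -> dict:
        kaf, akid = self.lower.app_key_and_akid(af_id)             # step 501
        self.ctx.update(akid=akid, kaf=kaf)                         # step 502: first-layer context
        return {"header": [AKMA_INDICATION], "akid": akid}

    def establish(self, af: AF, before_retry=None) -> list:
        """Return the trace of (request, status) pairs exchanged with the AF."""
        trace = []
        resp = af.handle(self._akma_request(af.af_id))              # step 503
        trace.append(("first", resp["status"]))
        if resp["status"] == "ok":
            return trace
        if before_retry:                                            # e.g. a re-authentication meanwhile
            before_retry()
        first_akid = resp.get("akid", self.ctx["akid"])             # step 505
        second_akid = self.lower.app_key_and_akid(af.af_id)[1]      # step 506
        if first_akid != second_akid:                               # step 507: retry with the new A-KID
            resp = af.handle(self._akma_request(af.af_id))
            trace.append(("second", resp["status"]))
        else:                                                       # step 508: header without "00"
            resp = af.handle({"header": [], "mechanism": "GBA"})
            trace.append(("third", resp["status"]))
        return trace


def scenario_reauth_between() -> tuple:
    """First A-KID unknown to the AAnF; a re-authentication yields a registered one."""
    lower = SecondLayer("akid-1@example.org", b"\x11" * 32)
    app, af = FirstLayer(lower), AF("af.example.org", {"akid-2@example.org": b"\x22" * 32})
    trace = app.establish(af, lambda: lower.reauthenticate("akid-2@example.org", b"\x22" * 32))
    return trace, af.session[0], af.session[1] == app.ctx["kaf"]


def scenario_same_akid() -> tuple:
    """No K_AKMA registered for the UE at all (e.g. no AKMA subscription): step 508 fallback."""
    app, af = FirstLayer(SecondLayer("akid-1@example.org", b"\x11" * 32)), AF("af.example.org", {})
    return app.establish(af), af.session
```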
  • after determining that the establishment of the first session fails, the UE performs corresponding operations to avoid multiple session establishment failures.
  • the UE may also be made aware of its AKMA service capability, so that if the UE perceives that the AKMA service is not supported, it will not or cannot send a session establishment request, thereby avoiding multiple session establishment failures caused by the UE not supporting the AKMA service. This is described in detail below.
  • the embodiment of the application also provides a second embodiment of a method for establishing a session, which enables the UE to perceive that it supports AKMA services, specifically including:
  • step 10A the UDM network element detects the AKMA subscription information of the UE.
  • the UDM network element detecting the AKMA subscription information of the UE may include the following two situations. The first situation is that the UE has subscribed to the AKMA service before the UE enters the main authentication process, and correspondingly, the AKMA subscription information of the UE is stored in the UDM network element.
  • the second situation is that, before the UE enters the main authentication process, the UE has not subscribed to the AKMA service, and after the UE completes registration through the main authentication process, the UE subscribes to the AKMA service.
  • in this case, the UDM network element detects a change in the subscription information, that is, it detects the AKMA subscription information.
  • the UDM network element then sends the first indication information to the UE through the AMF network element to notify the UE that it supports the AKMA service, so that the UE perceives that it supports the AKMA service.
  • the UDM network element sends first indication information to the UE, where the first indication information indicates that the UE supports the AKMA service.
  • the UDM network element sends the first indication information to the UE through the AMF network element.
  • the UE will receive the first indication information.
  • the UDM network element may also obtain verification data from the AUSF network element.
  • the verification data may include the first verification data and the second verification data, which will be described in detail below.
  • Step 10C when the first indication information indicates that the UE supports the AKMA service, the UE deduces the first A-KID.
  • the UE may also generate verification data and compare it with the verification data sent by the UDM network element to verify the integrity of the first indication information, and perform deduction when the first indication information is complete.
  • step 10D the UE sends a first session establishment request including the first A-KID to request establishment of a session with the AF.
  • the UE perceives that it supports the AKMA service through the first indication information, and then generates the first A-KID for establishing the session; if the first indication information is not received, the UE may not generate the first A-KID, In this way, the session establishment cannot be requested through the AKMA service, thereby avoiding session establishment failure caused by not signing up for the AKMA service and preventing unnecessary signaling overhead.
  • if the UE receives the first session establishment response, and the first session establishment response indicates that the first session establishment fails, the UE can obtain the second A-KID and then send the session establishment request again, stopping session establishment when the number of session request transmissions reaches a target number; alternatively, the method from step 506 to step 509 in the embodiment shown in FIG. 5 can be used for processing, which is not limited in this embodiment of the present application.
  • the embodiment of the present application also provides a third embodiment of a method for establishing a session, which embodiment includes:
  • Step 1001 the UDM network element acquires first verification data from the AUSF network element, and the first verification data is used to verify the integrity of the first indication information.
  • the UDM network element can send a "Nausf_UPU Protection" message to the AUSF network element, which carries the SUPI, UE Parameters Update (UE Parameters Update, UPU) data and an acknowledgment indication (ACK indication), wherein the UPU data includes the first indication information.
  • the AUSF network element obtains Kausf according to the SUPI, and uses Kausf to protect the integrity of the UPU data, that is, generates UPU-MAC-IAUSF (the first verification data) according to Kausf, where MAC stands for message authentication code.
  • the AUSF sends a "Nausf_UPU Protection" response to the UDM network element, and the response carries UPU-MAC-IAUSF and CounterUPU, where CounterUPU is used to generate UPU-MAC-IAUSF.
  • Step 1002 the UDM network element acquires second verification data from the authentication service function AUSF network element, and the second verification data is used to determine that the UE has successfully received the first indication information.
  • the acquisition method of the second verification data is similar to that of the first verification data and can be understood with reference to the relevant description of step 1001; correspondingly, the AUSF network element generates UPU-MAC-IUE (the second verification data) according to Kausf, and the "Nausf_UPU Protection" response also carries UPU-MAC-IUE.
  • the UDM network element saves UPU-MAC-IUE when receiving the "Nausf_UPU Protection" response.
  • step 1001 and step 1002 are optional and may be performed in combination.
  • Step 1003 the unified data management UDM network element determines that the UE supports the AKMA service according to the authentication and key management for applications (AKMA) subscription information of the user equipment UE.
  • the UE can subscribe to the AKMA service before the main authentication process in step 301, and correspondingly, the AKMA subscription information is stored in the UDM network element; the UE can also subscribe to the AKMA service after the main authentication process in step 301 (or, in other words, after the UE is registered to the network).
  • the UDM network element can detect that the subscription information of the UE has changed after the main authentication process, and the changed subscription information includes the AKMA subscription information; based on this, the UDM network element can then determine that the UE supports the AKMA service.
  • the UDM network element can send a "Nudm_UEAKMA_Info_notify" message to the AUSF network element, which contains information indicating that the UE supports the AKMA service and the RID, so that the AUSF network element registers the AKMA anchor key in the AAnF.
  • Step 1004 the UDM network element sends a first data transmission message to the access and mobility management function AMF network element, the first data transmission message includes first indication information, and the first indication information indicates that the UE supports the AKMA service.
  • the first data transmission message may be a "Nudm_SDM_Notification" message.
  • the "Nudm_SDM_Notification" message carries UPU data, and the UPU data includes the first indication information.
  • correspondingly, the access and mobility management function AMF network element receives the first data transmission message from the unified data management UDM network element, where the first data transmission message includes the first indication information, and the first indication information indicates that the user equipment UE supports the AKMA service;
  • the first data transmission message further carries the first verification data.
  • when the first data transmission message is a "Nudm_SDM_Notification" message, the "Nudm_SDM_Notification" message not only carries the UPU data including the first indication information, but also carries the first verification data UPU-MAC-IAUSF and CounterUPU.
  • Step 1005 the AMF network element sends a second data transmission message to the UE, and the second data transmission message carries the first indication information.
  • the user equipment UE receives the second data transmission message from the access and mobility management function AMF network element, and the second data transmission message carries the first indication information.
  • the second data transmission message may be a DL NAS transmission message.
  • the second data transmission message also carries the first verification data.
  • the second data transmission message also carries the UPU data containing the first indication information, the first verification data UPU-MAC-IAUSF and CounterUPU.
  • Step 1006 when the first indication information indicates that the UE supports the AKMA service, the UE derives a first A-KID, and the first A-KID is used to establish a session between the UE and the application function AF network element.
  • since the UE has received the first indication information, if the first indication information indicates that the UE supports the AKMA service, the UE can perceive that it has the AKMA service capability.
  • the UE deduces the first A-KID only when the first indication information indicates that the UE supports the AKMA service, so that the UE can send the first session establishment request carrying the first A-KID; if the first indication information indicates that the UE does not support the AKMA service, or the UE does not receive first indication information indicating that the UE supports the AKMA service, the UE does not perform the deduction; correspondingly, the UE does not obtain the first A-KID, so it cannot send the first session establishment request carrying the first A-KID, thereby avoiding multiple session establishment failures caused by the UE not supporting the AKMA service.
  • there are many methods for implementing step 1006, which are not limited in this embodiment of the present application, and two of the methods are described below.
  • the UE includes a universal subscriber identity module USIM and a mobile equipment ME.
  • the mobile equipment ME can be understood as a terminal equipment without a USIM inserted.
  • the UE after receiving the first indication information, the UE will store the first indication information in the USIM.
  • step 1006 includes:
  • the USIM sends a target instruction to the ME, and the target instruction includes the AKMA key material;
  • in response to the target instruction, the ME derives the first A-KID from the AKMA key material.
  • the target instruction can directly instruct ME to deduce the first A-KID, and the target instruction can also instruct ME to deduce the first A-KID by carrying the first indication information;
  • the AKMA key material can be understood as used to deduce the first A-KID and the parameters required by the AKMA anchor key, for example, the AKMA key material may include SUPI; in response to the target instruction, the ME deduces the first A-KID according to the AKMA key material.
  • the AKMA key material may also include the RID; if the AKMA key material does not contain the RID, the ME may set the RID as the default value.
  • the process for the ME to deduce according to the SUPI may specifically include: the ME deduces the first A-KID according to the SUPI, the RID and the locally stored Kausf.
  • ME can also deduce the AKMA anchor key.
  • when the first indication information indicates that the UE supports the AKMA service, the USIM sends the target instruction to the ME to instruct the ME to deduce the first A-KID; otherwise, the USIM does not send the target instruction to the ME, so the ME does not deduce the first A-KID.
  • correspondingly, the UE does not obtain the first A-KID, so it cannot send the first session establishment request carrying the first A-KID, thereby avoiding multiple session establishment failures caused by the UE not supporting the AKMA service.
  • the UE includes a universal subscriber identity module USIM and a mobile equipment ME.
  • the mobile equipment ME can be understood as a terminal equipment without a USIM inserted.
  • the UE after receiving the first indication information, the UE will store the first indication information in the USIM.
  • step 1006 includes:
  • step 1006a the ME sends a seventh information request to the USIM, where the seventh information request is used to request AKMA key material.
  • when the first layer (namely the application layer) of the UE determines to use the AKMA service, it requests the AKMA service information from the bottom layer of the ME, and the AKMA service information may include the AKMA anchor key, the first A-KID or Kakma.
  • after the bottom layer of the ME receives the above request, it sends the seventh information request to the USIM to request the AKMA key material.
  • the AKMA key material may be understood as parameters required for deriving the first A-KID and the AKMA anchor key, for example, the AKMA key material may include SUPI and RID.
  • Step 1006b when the first indication information indicates that the UE supports the AKMA service, in response to the seventh information request, the USIM sends the AKMA key material to the ME.
  • the AKMA key material may include the user permanent identifier SUPI; if the RID is configured in the USIM, the AKMA key material may also include the RID; if the AKMA key material does not contain the RID, the ME may set the RID as a default value.
  • step 1006c the ME derives the first A-KID according to the AKMA key material.
  • the process for the ME to deduce the AKMA key material may specifically include: the ME deduces the first A-KID according to the SUPI, the RID and the locally stored Kausf.
  • ME can also deduce the AKMA anchor key.
  • when the first indication information indicates that the UE supports the AKMA service, if the seventh information request for the AKMA key material is received, the USIM sends the first indication information to the ME to instruct the ME to deduce the first A-KID; otherwise, if the UE does not support the AKMA service, even if the seventh information request for the AKMA key material is received, the USIM does not send the AKMA key material to the ME, so the ME does not deduce the first A-KID from the AKMA key material. Correspondingly, the UE does not obtain the first A-KID, so it cannot send the first session establishment request carrying the first A-KID, thereby avoiding multiple session establishment failures caused by the UE not supporting the AKMA service.
  • the UE will also perform step 1007 and step 1008 .
  • Step 1007 the UE generates fourth verification data for verifying the integrity of the first indication information.
  • the UE may deduce the fourth verification data UPU-MAC-IAUSF from the UPU data containing the first indication information, CounterUPU and the locally stored Kausf.
  • Step 1008 when the first verification data is consistent with the fourth verification data, the UE determines the integrity of the first indication information.
  • if the two are consistent, the verification succeeds, indicating that the data is complete.
  • Step 1007 and step 1008 are optional and will be executed only after step 1001 is executed.
  • Step 1009 the UE generates third verification data, and the third verification data is used to determine that the UE has successfully received the first indication information.
  • the third verification data may be expressed as UPU-MAC-IUE.
  • Step 1010 the UE sends third verification data to the AMF network element.
  • the UE may send an uplink NAS transmission message to the AMF network element, where the uplink NAS transmission message carries the third verification data.
  • the AMF network element receives third verification data from the UE, where the third verification data is used to determine that the UE has successfully received the first indication information.
  • Step 1011 the AMF network element sends the third verification data to the UDM network element.
  • the AMF network element may send a "Nudm_SDM_info" message to the UDM network element, and the "Nudm_SDM_info" message carries the third verification data.
  • the UDM network element receives the third verification data from the AMF network element, the third verification data is generated by the UE, and is used to determine that the UE has successfully received the first indication information.
  • the UDM network element can verify whether the UE has successfully received the first indication information according to the third verification data; specifically, the UDM network element can compare whether the second verification data is consistent with the third verification data to verify whether the UE has successfully received the first indication information.
  • the second verification data UPU-MAC-IUE is generated by the AUSF network element, and the third verification data UPU-MAC-IUE is generated by the UE, so whether the second verification data UPU-MAC-IUE and the third verification data UPU-MAC-IUE are consistent can be compared to verify whether the UE has successfully received the first indication information.
  • Step 1012 when the second verification data is consistent with the third verification data, the UDM network element determines that the UE has successfully received the first indication information.
  • steps 1009 to 1012 are optional and are performed when step 1002 is performed.
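Steps 1001 to 1012 above, with the USIM gating of step 1006b and the A-KID derivation of step 1006c, as an added Python model that is not part of the patent. The HMAC-SHA-256 key derivation, the FC byte values, the one-byte encoding of the first indication information, the sample SUPI, RID and Kausf values, and the A-KID construction are assumptions; the normative functions are in 3GPP TS 33.501 and TS 33.535, which this page does not reproduce.

```python
import hmac
import hashlib

# Constructed placeholders: the FC bytes, the 128-bit truncation and the input
# layout mirror the shape of the 3GPP KDF (TS 33.220 Annex B) but are not the
# normative values, which this page does not give.
FC_UPU_MAC_IAUSF = b"\x7b"
FC_UPU_MAC_IUE = b"\x7c"
FC_AKID = b"\x00"
UPU_ACK = b"\x01"
IND_UE_SUPPORTS_AKMA = b"\x01"   # constructed encoding of the first indication information


def kdf(key: bytes, fc: bytes, *params: bytes) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 ...; HMAC-SHA-256 truncated to 128 bits."""
    s = fc + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()[-16:]


class AUSF:
    def __init__(self, kausf_by_supi: dict):
        self.keys = kausf_by_supi

    def upu_protection(self, supi: str, upu_data: bytes, counter: int) -> dict:
        # Steps 1001/1002: UPU-MAC-IAUSF over the UPU data, plus the expected UPU-MAC-IUE.
        kausf, ctr = self.keys[supi], counter.to_bytes(2, "big")
        return {"mac_iausf": kdf(kausf, FC_UPU_MAC_IAUSF, upu_data, ctr),
                "mac_iue": kdf(kausf, FC_UPU_MAC_IUE, UPU_ACK, ctr)}


class UDM:
    def __init__(self, ausf: AUSF):
        self.ausf, self.expected_mac_iue = ausf, {}

    def notify_akma_support(self, supi: str, counter: int = 1) -> dict:
        # Steps 1003/1004: AKMA subscription found -> first indication carried in UPU data.
        upu_data = IND_UE_SUPPORTS_AKMA
        prot = self.ausf.upu_protection(supi, upu_data, counter)
        self.expected_mac_iue[supi] = prot["mac_iue"]               # kept for step 1012
        return {"upu_data": upu_data, "mac_iausf": prot["mac_iausf"], "counter": counter}

    def check_ack(self, supi: str, mac_iue: bytes) -> bool:
        # Step 1012: second verification data vs third verification data.
        return hmac.compare_digest(self.expected_mac_iue[supi], mac_iue)


class USIM:
    def __init__(self, supi: str, rid: str):
        self.supi, self.rid, self.indication = supi, rid, None

    def key_material(self):
        # Step 1006b: release SUPI/RID only if the stored indication says AKMA is supported.
        if self.indication == IND_UE_SUPPORTS_AKMA:
            return {"supi": self.supi, "rid": self.rid}
        return None


class ME:
    def __init__(self, kausf: bytes, usim: USIM):
        self.kausf, self.usim = kausf, usim

    def receive_dl_nas(self, msg: dict):
        # Steps 1007/1008: recompute UPU-MAC-IAUSF before trusting the indication.
        ctr = msg["counter"].to_bytes(2, "big")
        expected = kdf(self.kausf, FC_UPU_MAC_IAUSF, msg["upu_data"], ctr)
        if not hmac.compare_digest(expected, msg["mac_iausf"]):
            return None                                              # tampered: ignore, no ack
        self.usim.indication = msg["upu_data"]                       # stored in the USIM
        return kdf(self.kausf, FC_UPU_MAC_IUE, UPU_ACK, ctr)         # step 1009: UPU-MAC-IUE

    def derive_akid(self):
        # Step 1006c: first A-KID from SUPI, RID and Kausf (constructed, not TS 33.535's).
        mat = self.usim.key_material()
        if mat is None:
            return None
        atid = kdf(self.kausf, FC_AKID, mat["supi"].encode()).hex()
        return f"{mat['rid']}{atid}@home.example"                    # constructed realm


def run_upu(tamper: bool = False) -> tuple:
    """Return (UDM saw a valid ack, A-KID derived by the ME)."""
    supi, kausf = "imsi-001010123456789", b"\x42" * 32              # constructed sample values
    ausf = AUSF({supi: kausf})
    udm, usim = UDM(ausf), USIM(supi, "61")
    me = ME(kausf, usim)
    msg = udm.notify_akma_support(supi)
    if tamper:                                                       # flip the indication in transit
        msg = dict(msg, upu_data=b"\x00")
    mac_iue = me.receive_dl_nas(msg)
    acked = mac_iue is not None and udm.check_ack(supi, mac_iue)
    return acked, me.derive_akid()
```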
  • the embodiment of the present application provides an embodiment of a user equipment, including: a transceiver unit 10, configured to send a first session establishment request to an application function AF network element, where the first session establishment request carries the first key identifier A-KID; the transceiver unit 10 is configured to receive the first session establishment response from the AF network element to the first session establishment request; a processing unit 20 is configured to obtain the second A-KID when the first session establishment response indicates that the first session establishment fails; the transceiver unit 10 is configured to send a second session establishment request to the AF network element when the first A-KID is different from the second A-KID, where the second session establishment request carries the second A-KID.
  • the processing unit 20 is further configured to store the first A-KID in the context of the first layer, where the first layer is an application layer, and to obtain the first A-KID from the context of the first layer.
  • the processing unit 20 is further configured to obtain the second A-KID from the context of the second layer, which is a lower layer of the application layer.
  • the first session establishment response carries the first A-KID.
  • the processing unit 20 is further configured to stop establishment of the session with the AF network element when the first A-KID is the same as the second A-KID.
  • the transceiver unit 10 is further configured to send a third session establishment request to the AF network element when the first A-KID is the same as the second A-KID, where the third session establishment request indicates that the UE does not support the AKMA service.
  • the processing unit 20 includes a first subunit 201 and a second subunit 202, the first subunit 201 belongs to the first layer, and the first layer is an application layer; the second subunit 202 belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit 201 is configured to acquire the AKMA anchor key and the first key identifier from the second subunit 202; the first subunit 201 deduces the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • the processing unit 20 includes a first subunit 201 and a second subunit 202, the first subunit 201 belongs to the first layer, and the first layer is an application layer; the second subunit 202 belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit 201 is configured to acquire the AKMA application key and the first key identifier from the second subunit 202.
  • the processing unit 20 includes a first subunit 201 and a second subunit 202, the first subunit 201 belongs to the first layer, and the first layer is an application layer; the second subunit 202 belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit 201 is configured to send a first information request to the second subunit 202; the second subunit 202 is configured to send the AKMA anchor key and the first A-KID to the first subunit 201 in response to the first information request; the first subunit 201 is configured to derive the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • the processing unit 20 includes a first subunit 201 and a second subunit 202, the first subunit 201 belongs to the first layer, and the first layer is an application layer; the second subunit 202 belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit 201 is configured to send a second information request to the second subunit 202, where the second information request carries the identifier of the AF network element; the second subunit 202 is configured to derive the AKMA application key according to the identifier of the AF network element and the AKMA anchor key in response to the second information request; the second subunit 202 is configured to send the AKMA application key and the first A-KID to the first subunit 201.
  • the processing unit 20 includes a first subunit 201 and a second subunit 202, the first subunit 201 belongs to the first layer, and the first layer is an application layer; the second subunit 202 belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit 201 is configured to send a third information request to the second subunit 202; the second subunit 202 is configured to send the first A-KID to the first subunit 201 in response to the third information request; the first subunit 201 is configured to send a fourth information request to the second subunit 202; the second subunit 202 is configured to send the AKMA anchor key to the first subunit 201 in response to the fourth information request; the first subunit 201 is configured to derive the AKMA application key according to the identifier of the AF network element and the AKMA anchor key.
  • the processing unit 20 includes a first subunit 201 and a second subunit 202, the first subunit 201 belongs to the first layer, and the first layer is an application layer; the second subunit 202 belongs to the second layer, and the second layer is the lower layer of the application layer.
  • the first subunit 201 is configured to send a fifth information request to the second subunit 202; the second subunit 202 is configured to send the first A-KID to the first subunit 201 in response to the fifth information request; the first subunit 201 is configured to send a sixth information request to the second subunit 202, where the sixth information request carries the identifier of the AF network element; the second subunit 202 is configured to derive the AKMA application key according to the identifier of the AF network element and the AKMA anchor key in response to the sixth information request; the second subunit 202 is configured to send the AKMA application key and the first A-KID to the first subunit 201.
  • the embodiment of the present application provides a communication device, including:
  • the transceiver unit 30 is configured to receive a first session establishment request from the user equipment UE, where the first session establishment request carries a first key identifier A-KID; and, if the corresponding AKMA anchor key is identified, to send a first session establishment response to the UE, where the first session establishment response indicates that the first session establishment fails and carries the first key identifier.
  • the transceiver unit 30 is also configured to send an application key acquisition request to the application authentication and key management anchor function network element, where the application key acquisition request carries the first key identifier;
  • the application key acquisition response sent by the authentication and key management anchor function network element indicates that the key acquisition failed.
  • the application key acquisition response carries the first key identifier.
  • the transceiving unit 30 is further configured to receive a second session establishment request from the UE, where the second session establishment request carries the second key identifier.
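The user equipment embodiment (first layer caching the first A-KID, second layer holding the anchor key and the current A-KID, retry only when the two identifiers differ) and the AF embodiment (session establishment fails and echoes the first key identifier when the application key cannot be acquired) are modelled together in the following added example. It is not code from the patent or from 3GPP: the AAnF, AF and UE layers are toy in-memory objects, the AF identifier `af.example.invalid` is constructed, and `derive_k_af` is a hypothetical HMAC-SHA256 stand-in for the AKMA key derivation function, not the specified KDF.

```python
"""Constructed model of the A-KID retry logic between the UE layers and the AF.
Added example; the KDF, identifiers and network-function objects are stand-ins."""
import hashlib
import hmac
import secrets


def derive_k_af(k_akma: bytes, af_id: str) -> bytes:
    """Hypothetical KDF stand-in: K_AF = HMAC-SHA256(K_AKMA, AF identifier).
    The real 3GPP KDF input string is deliberately not reproduced here."""
    return hmac.new(k_akma, af_id.encode(), hashlib.sha256).digest()


class AAnF:
    """AKMA anchor function: holds only the most recent (A-KID, K_AKMA) context."""

    def __init__(self) -> None:
        self.contexts = {}

    def register(self, a_kid: str, k_akma: bytes) -> None:
        self.contexts = {a_kid: k_akma}

    def get_application_key(self, a_kid: str, af_id: str):
        k_akma = self.contexts.get(a_kid)
        # None models "application key acquisition response: key acquisition failed".
        return None if k_akma is None else derive_k_af(k_akma, af_id)


class LowerLayer:
    """Second layer (below the application layer): owns K_AKMA and the A-KID.
    Every primary authentication replaces both."""

    def __init__(self, aanf: AAnF) -> None:
        self.aanf, self.k_akma, self.a_kid = aanf, b"", ""

    def primary_authentication(self) -> None:
        self.k_akma = secrets.token_bytes(32)
        self.a_kid = "A-KID-" + secrets.token_hex(4)
        self.aanf.register(self.a_kid, self.k_akma)  # constructed: AUSF pushes the new context


class AF:
    """Application function: asks the AAnF for K_AF under the A-KID it received."""

    def __init__(self, af_id: str, aanf: AAnF) -> None:
        self.af_id, self.aanf, self.requests = af_id, aanf, 0

    def session_establishment(self, a_kid: str) -> dict:
        self.requests += 1
        k_af = self.aanf.get_application_key(a_kid, self.af_id)
        # On failure the response carries the first key identifier back to the UE.
        return {"success": k_af is not None, "a_kid": a_kid, "k_af": k_af}


class ApplicationLayer:
    """First layer: caches the A-KID in its own context and drives the retry."""

    def __init__(self, lower: LowerLayer) -> None:
        self.lower, self.context = lower, {}

    def prepare(self) -> None:
        self.context["a_kid"] = self.lower.a_kid  # first A-KID stored in first-layer context

    def establish_session(self, af: AF) -> dict:
        first_kid = self.context["a_kid"]
        resp = af.session_establishment(first_kid)
        if resp["success"]:
            return self._done("established", af, resp)
        second_kid = self.lower.a_kid  # second A-KID obtained from the second layer
        if first_kid == second_kid:
            # Resending the same identifier would fail again: stop instead of adding signalling.
            return {"outcome": "stopped", "a_kid": first_kid, "k_af_match": False}
        self.context["a_kid"] = second_kid
        resp = af.session_establishment(second_kid)
        return self._done("established" if resp["success"] else "failed", af, resp)

    def _done(self, outcome: str, af: AF, resp: dict) -> dict:
        ue_k_af = derive_k_af(self.lower.k_akma, af.af_id)  # first subunit derives K_AF itself
        return {"outcome": outcome, "a_kid": resp["a_kid"], "k_af_match": resp["k_af"] == ue_k_af}


def run_scenario(stale_app_context: bool, aanf_lost_context: bool = False) -> dict:
    """Constructed scenarios: fresh context; stale application-layer A-KID after a new
    primary authentication; AAnF context missing while the A-KID is unchanged."""
    aanf = AAnF()
    lower = LowerLayer(aanf)
    lower.primary_authentication()
    app = ApplicationLayer(lower)
    app.prepare()
    if stale_app_context:
        lower.primary_authentication()  # new A-KID below; the app layer still holds the old one
    if aanf_lost_context:
        aanf.contexts.clear()
    af = AF("af.example.invalid", aanf)  # constructed AF identifier
    result = app.establish_session(af)
    result["requests"] = af.requests
    return result
```

The stale-context scenario is the one the abstract targets: the second request succeeds with the fresh A-KID, while in the lost-context scenario the identifiers match and the UE stops after a single failed request rather than repeating it.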
  • the embodiment of the present application provides a communication device, including: a processing unit 40, configured to determine, based on the authentication and key management for application AKMA subscription information of the user equipment UE, that the UE supports the AKMA service; a transceiver unit 50, configured to send a first data transmission message to the access and mobility management function AMF network element, where the first data transmission message includes first indication information, the first indication information indicates that the UE supports the AKMA service, and the first indication information is used for establishing a session between the UE and an application function AF network element.
  • the transceiver unit 50 is also configured to obtain first verification data from the AUSF network element, where the first verification data is used to verify the integrity of the first indication information; correspondingly, the first data transmission message also carries the first verification data.
  • the transceiver unit 50 is also configured to obtain second verification data from the authentication service function AUSF network element, where the second verification data is used to determine that the UE has successfully received the first indication information, and to receive third verification data from the AMF network element, where the third verification data is generated by the UE and is used to determine that the UE has successfully received the first indication information; the processing unit 40 is further configured to determine that the UE successfully received the first indication information when the second verification data and the third verification data are consistent.
  • the embodiment of the present application provides a communication device, including: a transceiver unit 60, configured to receive a first data transmission message from a unified data management UDM network element, where the first data transmission message includes first indication information, and the first indication information indicates that the user equipment UE supports the AKMA service; the transceiver unit 60 is configured to send a second data transmission message to the UE, where the second data transmission message carries the first indication information.
  • the first data transmission message also carries first verification data, and the first verification data is used to verify the integrity of the first indication information; the second data transmission message also carries the first verification data.
  • the transceiving unit 60 is further configured to receive third verification data from the UE, where the third verification data is used to determine that the UE has successfully received the first indication information; and send the third verification data to the UDM network element.
  • the embodiment of the present application provides a user equipment, including: a first transceiver unit 70, configured to receive a second data transmission message from an access and mobility management function AMF network element, where the second data transmission message carries first indication information; a processing unit 80, configured to derive a first A-KID when the first indication information indicates that the UE supports the AKMA service, where the first A-KID is used to establish a session between the UE and an application function AF network element.
  • the UE includes a global subscriber identity module USIM and a mobile device ME
  • the USIM includes a second transceiver unit 90
  • the ME includes a third transceiver unit 100
  • when the first indication information indicates that the UE supports the AKMA service, the second transceiver unit 90 is configured to send a target instruction to the ME, where the target instruction includes AKMA key material; in response to the target instruction, the processing unit 80 is configured to derive the first A-KID according to the AKMA key material.
  • the UE includes a global subscriber identity module USIM and a mobile device ME
  • the USIM includes a second transceiver unit 90
  • the ME includes a third transceiver unit 100
  • the third transceiver unit 100 is configured to send a seventh information request to the USIM, where the seventh information request is used to request AKMA key material
  • when the first indication information indicates that the UE supports the AKMA service, the second transceiver unit 90 is configured to send the AKMA key material from the USIM to the ME in response to the seventh information request
  • the processing unit 80 is configured to derive the first A-KID according to the AKMA key material.
  • the second data transmission message also carries first verification data, where the first verification data is used to verify the integrity of the first indication information; the processing unit 80 is further configured to generate fourth verification data for verifying the integrity of the first indication information, and to determine that the first indication information is intact if the first verification data is consistent with the fourth verification data.
  • the processing unit 80 is further configured to generate third verification data, where the third verification data is used to determine that the UE has successfully received the first indication information; the first transceiver unit 70 is further configured to send the third verification data to the AMF network element.
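The four pieces of verification data that the UDM, AMF and UE embodiments above pass around (first and fourth for integrity of the indication, second and third for the UE's acknowledgement) are modelled end to end in this added example. It is not code from the patent or from 3GPP: HMAC-SHA256 keyed with a constructed shared key stands in for the UPU integrity algorithm (the real UPU-MAC-I derivation, with its counter input, is not reproduced), the indication encoding `AKMA:1` and the two domain-separation labels are constructed, and the tampering case is simulated by the forwarding step altering the payload.

```python
"""Constructed model of the indication-integrity and acknowledgement check.
Added example; the MAC construction, labels and message encoding are stand-ins."""
import hashlib
import hmac
import os

TAG_INDICATION = b"indication-to-ue"  # constructed label: MAC protecting the indication
TAG_ACK = b"ack-from-ue"              # constructed label: MAC the UE returns as acknowledgement


def mac(k_ausf: bytes, tag: bytes, payload: bytes) -> bytes:
    """Stand-in integrity function; labels keep the two MACs domain-separated."""
    return hmac.new(k_ausf, tag + payload, hashlib.sha256).digest()


def ausf_protect(k_ausf: bytes, indication: bytes):
    """AUSF side: first verification data (protects the indication) and second
    verification data (the acknowledgement value the UDM will expect back)."""
    first = mac(k_ausf, TAG_INDICATION, indication)
    second = mac(k_ausf, TAG_ACK, indication)
    return first, second


def ue_receive(k_ausf: bytes, indication: bytes, first: bytes):
    """UE side: recompute the fourth verification data and accept the indication only
    if it matches the first; on success return the third verification data."""
    fourth = mac(k_ausf, TAG_INDICATION, indication)
    if not hmac.compare_digest(first, fourth):  # constant-time comparison
        return False, None                      # integrity failed: no A-KID derivation, no ack
    supports_akma = indication == b"AKMA:1"     # constructed encoding of "UE supports AKMA"
    third = mac(k_ausf, TAG_ACK, indication)
    return supports_akma, third


def udm_confirm(second: bytes, third) -> bool:
    """UDM side: the UE received the indication iff third matches second."""
    return third is not None and hmac.compare_digest(second, third)


def run_flow(tamper_in_transit: bool) -> dict:
    """Constructed end-to-end run: UDM/AUSF -> AMF -> UE -> AMF -> UDM."""
    k_ausf = os.urandom(32)              # constructed: key shared after primary authentication
    indication = b"AKMA:1"
    first, second = ausf_protect(k_ausf, indication)
    delivered = b"AKMA:0" if tamper_in_transit else indication  # AMF forwards (or alters) it
    supports, third = ue_receive(k_ausf, delivered, first)
    return {
        "ue_accepted": third is not None,
        "ue_supports_akma": supports,
        "udm_confirmed": udm_confirm(second, third),
    }
```

A practitioner should note the property the model makes visible: the AMF forwards both messages but holds no key, so it can neither forge the first verification data nor produce the third, and a modified indication leaves the UDM without a confirmation rather than with a false one.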
  • each functional module in each embodiment of the present application can be integrated into one processing unit, can also be physically present separately, or two or more modules can be integrated into one module.
  • the above-mentioned integrated modules can be implemented in the form of hardware or in the form of software function modules.
  • the units in any of the above communication devices and user equipment may be one or more integrated circuits configured to implement the above method, for example: one or more application specific integrated circuits (ASIC), or one or more digital signal processors (DSP), or one or more field programmable gate arrays (FPGA), or a combination of at least two of these integrated circuit forms.
  • the processing element can be a general-purpose processor, such as a central processing unit (central processing unit, CPU) or other processors that can call programs.
  • these units can be integrated together and implemented in the form of a system-on-a-chip (SOC).
  • the present application also provides a communication system, which includes at least one or more of user equipment or communication devices.
  • the communication system also includes an AAnF network element.
  • the communication system also includes a network exposure function NEF network element.
  • An embodiment of the present application also provides a computer-readable storage medium, including instructions, which, when run on a computer, enable the computer to control a network device or a terminal device to execute any one of the implementation manners shown in the foregoing method embodiments.
  • the embodiment of the present application also provides a computer program product, the computer program product includes computer program code, and when the computer program code is run on the computer, the computer is made to execute any one of the implementation manners shown in the foregoing method embodiments.
  • the embodiment of the present application also provides a chip system, including a memory and a processor, where the memory is used to store a computer program, and the processor is used to call and run the computer program from the memory, so that the chip performs any one of the implementation manners shown in the foregoing method embodiments.
  • the embodiment of the present application also provides a chip system, including a processor, and the processor is configured to call and run a computer program, so that the chip executes any one of the implementation manners shown in the foregoing method embodiments.
  • the technical solutions provided by the embodiments of the present application may be fully or partially implemented by software, hardware, firmware or any combination thereof.
  • when implemented using software, it may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present invention are generated in whole or in part.
  • the computer may be a general computer, a dedicated computer, a computer network, an AI node, an access network device, a terminal device or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave).
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
  • the available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a digital video disc (digital video disc, DVD)), or a semiconductor medium.
  • the various embodiments may refer to each other: for example, the methods and/or terms of the method embodiments may refer to each other, the functions and/or terms of the device embodiments may refer to each other, and the functions and/or terms of the apparatus embodiments and the method embodiments may refer to each other.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present application relate to a session establishment method and a related apparatus. The method comprises the following steps: a user equipment (UE) sends, to an application function (AF) network element, a first session establishment request that carries a first key identifier, and then receives, from the AF network element, a first session establishment response to the first session establishment request; when the first session establishment response indicates that establishment of a first session has failed, the UE acquires a second key identifier and compares the first key identifier with the second key identifier; and when the first key identifier is different from the second key identifier, the UE sends, to the AF network element, a second session establishment request that carries the second key identifier in order to establish a second session. In this way, a situation in which establishment of a second session fails again because the first key identifier is identical to the second key identifier can be avoided, which prevents additional signalling overhead.
PCT/CN2022/104840 2021-08-08 2022-07-11 Procédé d'établissement de session et appareil associé WO2023016160A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110905128.2 2021-08-08
CN202110905128.2A CN115942305A (zh) 2021-08-08 2021-08-08 一种会话建立方法和相关装置

Publications (1)

Publication Number Publication Date
WO2023016160A1 true WO2023016160A1 (fr) 2023-02-16

Family

ID=85200527

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/104840 WO2023016160A1 (fr) 2021-08-08 2022-07-11 Procédé d'établissement de session et appareil associé

Country Status (2)

Country Link
CN (1) CN115942305A (fr)
WO (1) WO2023016160A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116600289B (zh) * 2023-07-17 2023-09-29 中国电信股份有限公司 应用密钥获取方法、装置、通信设备、存储介质

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110768795A (zh) * 2019-10-30 2020-02-07 迈普通信技术股份有限公司 一种会话建立方法及装置
WO2020215104A2 (fr) * 2019-10-24 2020-10-22 Futurewei Technologies, Inc. Procédés et appareil de traduction de contexte de transport
CN112399412A (zh) * 2019-08-19 2021-02-23 阿里巴巴集团控股有限公司 会话建立的方法及装置、通信系统

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112399412A (zh) * 2019-08-19 2021-02-23 阿里巴巴集团控股有限公司 会话建立的方法及装置、通信系统
WO2020215104A2 (fr) * 2019-10-24 2020-10-22 Futurewei Technologies, Inc. Procédés et appareil de traduction de contexte de transport
CN110768795A (zh) * 2019-10-30 2020-02-07 迈普通信技术股份有限公司 一种会话建立方法及装置

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZTE: "A new A-KID derivation after a new primary authentication", 3GPP DRAFT; S3-202902, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. e-meeting; 20201109 - 20201120, 30 October 2020 (2020-10-30), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051949479 *

Also Published As

Publication number Publication date
CN115942305A (zh) 2023-04-07

Similar Documents

Publication Publication Date Title
US20180062847A1 (en) Method, apparatus, and system for providing encryption or integrity protection in a wireless network
US20240064514A1 (en) Delegated data connection
US20230319556A1 (en) Key obtaining method and communication apparatus
CN112753234A (zh) 3gpp专用lan
WO2021136211A1 (fr) Procédé et dispositif pour déterminer un résultat d'autorisation
US11871223B2 (en) Authentication method and apparatus and device
US20230048066A1 (en) Slice authentication method and apparatus
US11848909B2 (en) Restricting onboard traffic
US20230362636A1 (en) Key identifier generation method and related apparatus
WO2023016160A1 (fr) Procédé d'établissement de session et appareil associé
WO2020253408A1 (fr) Appareil et procédé d'authentification secondaire
TWI828235B (zh) 用於使用使用者裝備識別符進行認證之方法、設備及電腦程式產品
WO2023011630A1 (fr) Procédé et appareil de vérification d'autorisation
US20220272533A1 (en) Identity authentication method and communications apparatus
WO2021254172A1 (fr) Procédé de communication et appareil associé
WO2021195816A1 (fr) Procédé, appareil et système de communication
US20240179525A1 (en) Secure communication method and apparatus
US20240179519A1 (en) Communication method and related apparatus
US20230354028A1 (en) Method, system, and apparatus for generating key for inter-device communication
US20230336992A1 (en) Method and apparatus for authenticating user equipment in wireless communication system
WO2023160390A1 (fr) Procédé et appareil de communication
WO2020215272A1 (fr) Procédé de communication, appareil de communication et système de communication
JP2022502908A (ja) Nasメッセージのセキュリティ保護のためのシステム及び方法

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22855143

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE