WO2023208183A2 - Information transmission method and device - Google Patents

Information transmission method and device

Info

Publication number
WO2023208183A2
Authority
WO
WIPO (PCT)
Prior art keywords
parameter
node
kid
user equipment
application
Prior art date
Application number
PCT/CN2023/091526
Other languages
English (en)
Chinese (zh)
Other versions
WO2023208183A3 (fr)
Inventor
王珂
黄晓婷
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Priority date
Filing date
Publication date
Priority claimed from CN202210475203.0A external-priority patent/CN117014136A/zh
Priority claimed from CN202210475173.3A external-priority patent/CN117014869A/zh
Application filed by 中国移动通信有限公司研究院, 中国移动通信集团有限公司
Publication of WO2023208183A2
Publication of WO2023208183A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present disclosure relates to the field of communication technology, and in particular, to an information transmission method and device.
  • the computing power network should empower life and industry, allowing users to access high computing power networks through low-configuration terminals, enjoy rich cloud business applications, and meet the industry's processing and communication needs for accurate real-time interaction.
  • Various smart terminals will become demanders of computing power network services; the demanders of services include terminals connected to the 5th Generation (5G) network.
  • the computing power network must provide a new shared service model, fully activate the existing computing power, create a ubiquitous computing power distribution, and evolve from the cloud and the center to the edge and end-side ubiquity.
  • the terminal's own computing power must also be integrated into unified management and scheduling, and smart terminals will also become providers of computing power network services.
  • the computing power network service demander sends necessary business data to the computing power service provider, who performs calculation and analysis, and sends the results back to the demander.
  • the relevant data may have privacy protection requirements, and confidentiality and integrity protection may be required during the data transmission process.
  • the present disclosure provides an information transmission method and device, which can derive relevant keys based on the synchronized first parameters between user equipment and nodes, ensuring the confidentiality of the information transmission process, thereby achieving user privacy protection.
  • An information transmission method applied to application layer authentication and key management AKMA anchor point function AAnF, the method includes:
  • the first application key acquisition response carries the K_AF and the first parameter provided by the AAnF; the first parameter is sent by the node to the user equipment.
  • the first application key acquisition request is generated by the node after receiving a message sent by the user equipment and sent to the AAnF; the message carries the AKMA key identification A-KID.
  • deriving the K_AF of the user equipment includes:
  • deriving the K_AF of the user equipment based on the AKMA anchor key K_AKMA stored locally in the AAnF, the first parameter, the length of the first parameter and the A-KID.
  • the first application key acquisition response also carries the life cycle of the K_AF and the user permanent identifier SUPI.
  • Embodiments of the present disclosure also provide an information transmission method, which is applied to user equipment.
  • the method includes:
  • the node sends a first application key acquisition request to the target application layer authentication and key management (AKMA) anchor function (AAnF) based on the A-KID; the first application key acquisition request carries the A-KID, and after obtaining the first application key acquisition response fed back by the AAnF, the node generates a message response; the first application key acquisition response is fed back to the node after the AAnF derives the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID, and carries the K_AF and the first parameter;
  • the user equipment then derives the AKMA application layer key K_AF based on the first parameter and the A-KID.
  • the above methods also include:
  • Embodiments of the present disclosure also provide an information transmission method, applied to nodes, and the method includes:
  • sending, according to the A-KID, a first application key acquisition request to the target application layer authentication and key management (AKMA) anchor function (AAnF), where the first application key acquisition request carries the A-KID;
  • after receiving the first application key acquisition response fed back by the AAnF, generating a message response; wherein the first application key acquisition response is fed back to the node after the AAnF derives the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID, and carries the K_AF and the first parameter provided by the AAnF;
  • after sending the message response to the user equipment, the method also includes:
  • transmitting data packets with the user equipment, the data packets being encrypted using the K_AF; the K_AF is generated by the user equipment according to the first parameter and the A-KID.
  • Embodiments of the present disclosure also provide an application layer authentication and key management anchor point functional device, including:
  • a transceiver module configured to receive a first application key acquisition request sent by a node, where the first application key acquisition request carries an AKMA key identifier A-KID; to obtain a first parameter and, based on the first parameter and the A-KID, derive the AKMA application layer key K_AF of the user equipment; and to send a first application key acquisition response to the node, where the first application key acquisition response carries the K_AF and the first parameter provided by the AAnF; the first parameter is sent by the node to the user equipment.
  • An embodiment of the present disclosure also provides a user equipment, including:
  • a transceiver module configured to send a message to the node requested by the user equipment;
  • the message carries the AKMA key identifier A-KID, so that the node sends, based on the A-KID, a first application key acquisition request to the target application layer authentication and key management (AKMA) anchor function (AAnF); the first application key acquisition request carries the A-KID, and the node generates a message response after obtaining the first application key acquisition response fed back by the AAnF;
  • the first application key acquisition response is fed back to the node after the AAnF derives the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID, and carries the K_AF and the first parameter; the transceiver module further receives the message response sent by the node, the message response carrying the first parameter, and the user equipment derives the AKMA application layer key K_AF according to the first parameter and the A-KID.
  • An embodiment of the present disclosure also provides a node, including:
  • a transceiver module configured to receive a message sent by the user equipment, the message carrying the AKMA key identifier A-KID; to send, according to the A-KID, a first application key acquisition request to the target application layer authentication and key management (AKMA) anchor function (AAnF), the first application key acquisition request carrying the A-KID; after receiving the first application key acquisition response fed back by the AAnF, to generate a message response, wherein the first application key acquisition response is fed back to the node after the AAnF derives the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID;
  • the first application key acquisition response carries the K_AF and the first parameter provided by the AAnF; and the transceiver module sends the message response to the user equipment.
  • An embodiment of the present disclosure also provides a communication device, including: a processor and a memory storing a computer program. When the computer program is run by the processor, the method as described above is executed.
  • Embodiments of the present disclosure also provide a computer-readable storage medium that stores instructions that, when executed on a computer, cause the computer to perform the method as described above.
  • the AAnF receives the first application key acquisition request sent by the node, the request carrying the AKMA key identifier A-KID; the AAnF obtains the first parameter and derives the AKMA application layer key K_AF of the user equipment according to the first parameter and the A-KID; the AAnF then sends a first application key acquisition response to the node, the response carrying the K_AF and the first parameter provided by the AAnF.
  • because the first application key acquisition response carries the K_AF and the first parameter provided by the AAnF, the first parameter can be synchronized between the terminal and the node (such as the AF or the AAnF) and used to derive the relevant keys, ensuring the confidentiality of the information transmission process and thereby achieving user privacy protection.
  • Figure 1 is a schematic flowchart of an information transmission method provided by an embodiment of the present disclosure
  • Figure 2 is a schematic flowchart of a specific information transmission method for generating a first parameter by AAnF according to an embodiment of the present disclosure
  • Figure 3 is a specific flow diagram of an information transmission method in which a node generates a first parameter provided by an embodiment of the present disclosure
  • Figure 4 is a schematic flowchart of an information transmission method applied to user equipment provided by an embodiment of the present disclosure
  • Figure 5 is a schematic flowchart of an information transmission method applied to nodes provided by an embodiment of the present disclosure
  • Figure 6 is a module diagram of AAnF provided by an embodiment of the present disclosure.
  • embodiments of the present disclosure provide an information transmission method applied to the application layer authentication and key management (Authentication and Key Management for Applications, AKMA) anchor function (AKMA Anchor Function, AAnF); the method includes:
  • Step 11 Receive the first application key acquisition request sent by the node.
  • the first application key acquisition request is generated by the node after receiving the message sent by the user equipment and is sent to the AAnF; the message carries the AKMA key identifier (AKMA Key IDentifier, A-KID), and the first application key acquisition request carries the A-KID; here, the node can be an application function (Application Function, AF).
  • Step 12 Obtain the first parameter, and derive the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID; here, the first parameter can be obtained from the local network element or the operator network element, and the first parameter may be a default service identifier.
  • Step 13 Send a first application key acquisition response to the node.
  • the first application key acquisition response carries the K_AF and the first parameter provided by the AAnF, so that the node sends a message response to the user equipment; the first parameter is sent by the node to the user equipment.
  • in this way, the first application key acquisition response carrying the first parameter is sent to the node, so that the node can forward the first parameter to the user equipment; the first parameter is thus synchronized between the terminal and the node (such as the AF or the AAnF) during the information transmission process, the relevant keys can be further derived, and data security protection is achieved while avoiding leakage of user privacy.
  • the message carrying the AKMA key identification can be an application session establishment request.
  • the request is contained in the first data packet generated by the user equipment.
  • the user equipment sends the data packet carrying the A-KID message to the router entrance; the router searches for the corresponding node and forwards the message carrying the A-KID to the target application function.
  • before interacting with the node, the user equipment derives K_AKMA and the A-KID from the authentication server function (Authentication Server Function, AUSF) key K_AUSF.
  • the A-KID parameter is included in the Application Session Establishment Request message; the node is an application server based on application layer authentication and key management AKMA.
  • the node can perform AAnF selection according to the relevant AAnF selection process and send the Naanf_AKMA_ApplicationKey_Get message (i.e., the first application key acquisition request) to AAnF, and the message carries A-KID.
  • in step 12, deriving the K_AF of the user equipment based on the first parameter and the A-KID includes:
  • the AAnF should check whether it can provide services to the node based on the configured local policy or on the authorization information or policy provided by the Network Repository Function (NRF). If the check succeeds, the first parameter is generated for the node;
  • the same first parameter can be generated for the same node;
  • otherwise, the AAnF shall reject the following procedure.
  • the AAnF can determine whether the user is authorized to use AKMA by whether it can find the corresponding K_AKMA through the A-KID;
  • if there is a valid K_AKMA in the AAnF, the AAnF sends a first application key acquisition response to the node;
  • otherwise, the node rejects the message sent by the user equipment and sends a message response to the user equipment; the message response carries the reason why the AKMA request failed;
  • the AAnF derives the K_AF of the user equipment from the K_AKMA using the key derivation function (KDF), with the following inputs:
  • P0 = the first parameter (service number, service identifier);
  • L0 = the length of the first parameter (service number, service identifier);
  • the input key (KEY) shall be K_AKMA.
  • the first application key acquisition response also carries the life cycle of the K_AF and the user permanent identifier (Subscription Permanent Identifier, SUPI). That is, the first application key acquisition response carries the first parameter, the K_AF of the user equipment, the life cycle of the K_AF and the user permanent identifier SUPI.
  • the message response carries the first parameter; the message response here can be an application session establishment response.
  • the node forwards the message response carrying the first parameter to the user equipment.
  • after receiving the message response carrying the first parameter, the user equipment can further derive the K_AF based on the first parameter and the valid K_AKMA, so that subsequent data packets can be transmitted securely according to the K_AF, protecting the communication between the user equipment and the node.
  • the specific method of secure transmission of data packets according to the K_AF is not limited to encryption and decryption of the transmitted data packets. It may be authentication, certificate generation, integrity verification, etc., to ensure the security of information during transmission and reasonably protect user privacy.
  • the information transmission process in which the first parameter is generated by the application layer authentication and key management (AKMA) anchor function (AAnF) includes:
  • Step 21 The user equipment interacts with the AAnF to perform the primary authentication process and the establishment process of a valid K_AKMA;
  • Step 22 The user equipment sends the data packet carrying the A-KID message to the router entrance;
  • Step 23 After the router finds the computing power node (i.e. the node), it sends the message carrying the A-KID to the node;
  • Step 24 The node receives the message, generates a first application key acquisition request based on the A-KID carried in the message, and sends it to the target AAnF;
  • Step 25 After receiving the first application key acquisition request carrying the A-KID from the node, the target AAnF generates the first parameter, and derives the K_AF of the user equipment based on the K_AKMA and the first parameter;
  • Step 26 The target AAnF sends the first application key acquisition response to the node; the first application key acquisition response carries: the K_AF of the user equipment, the life cycle of the K_AF, the user permanent identifier SUPI and the first parameter.
  • Step 27 The node generates a message response and sends the message response to the user equipment (User Equipment, UE);
  • Step 28 The user equipment receives the first parameter in the message response, and derives the K_AF of the user equipment based on the first parameter and the K_AKMA;
  • Step 29 The K_AF is used to encrypt and decrypt subsequent data packets transmitted between the user equipment UE and the node, thereby achieving user privacy and security protection.
  • the first parameter can also be generated by the node; the specific process includes:
  • Step 31 The user equipment interacts with the AAnF to perform the primary authentication process and the K_AKMA establishment process;
  • Step 32 The user equipment UE sends the data packet carrying the A-KID message to the router entrance;
  • Step 33 After the router finds the computing power node, it sends the message carrying the A-KID to the node;
  • Step 34 After receiving the message carrying the A-KID from the user equipment UE, the node generates the first parameter;
  • Step 35 The node generates a first application key acquisition request and sends it to the target AAnF;
  • Step 36 After receiving the first application key acquisition request from the node, the target AAnF derives the K_AF of the user equipment according to the A-KID and the first parameter carried in the first application key acquisition request, generates a first application key acquisition response and sends it to the node; the first key acquisition response carries the K_AF of the user equipment, the life cycle of the K_AF and the user permanent identifier SUPI;
  • Step 37 The node receives the first key acquisition response sent by the target AAnF and generates a session establishment response, where the session establishment response carries the first parameter;
  • Step 38 The user equipment UE receives the first parameter in the message response, and derives the K_AF of the user equipment based on the first parameter and the K_AKMA;
  • Step 39 The K_AF is used to encrypt and decrypt subsequent data packets transmitted between the user equipment UE and the node, achieving user privacy and security protection.
  • the above embodiments of the present disclosure do not require the UE to establish an additional secure key acquisition channel, are more suitable for the dynamic allocation of computing power nodes in the computing power network, and can avoid the risk of a different AF sending a wrong AF_ID in order to illegally obtain the UE's K_AF for another AF (for example, AFa sending the AF_ID of AFb to obtain the K_AF that the UE shares with AFb); the K_AF can also be updated by generating a different first parameter, without re-initiating authentication.
  • the same first parameter can be assigned to the same AF, reducing storage space consumption; the relevant keys can be derived from the same first parameter between the user equipment and the node, ensuring the confidentiality of the information transmission process and achieving user privacy protection.
  • embodiments of the present disclosure also provide an information transmission method, applied to user equipment (UE), the method includes:
  • Step 41 Send a message to the node requested by the user equipment.
  • the message carries the AKMA key identifier A-KID, so that the node sends, based on the A-KID, a first application key acquisition request to the target application layer authentication and key management (AKMA) anchor function (AAnF); the first application key acquisition request carries the A-KID, and after obtaining the first application key acquisition response fed back by the AAnF, the node generates a message response; the first application key acquisition response is fed back to the node after the AAnF derives the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID, and carries the K_AF and the first parameter;
  • Step 42 Receive the message response sent by the node; the message response carries the first parameter; derive the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID.
  • deriving the K_AF of the user equipment includes:
  • deriving the K_AF of the user equipment based on the AKMA anchor key K_AKMA stored locally in the AAnF, the first parameter, the length of the first parameter and the A-KID.
  • the first application key acquisition response also carries the life cycle of the K_AF and the user permanent identifier SUPI.
  • the above methods also include:
  • the embodiment of this method is a method on the user equipment side corresponding to the above-mentioned method on the AAnF side. All implementation methods in the above-mentioned method embodiment are applicable to this embodiment, and the same technical effect can be achieved.
  • embodiments of the present disclosure also provide an information transmission method, applied to nodes, and the method includes:
  • Step 51 Receive a message sent by the user equipment, the message carrying the AKMA key identification A-KID;
  • Step 52 Send a first application key acquisition request to the target application layer authentication and key management AKMA anchor function AAnF according to the A-KID, where the first application key acquisition request carries the A-KID;
  • Step 53 After receiving the first application key acquisition response fed back by the AAnF, generate a message response; wherein the first application key acquisition response is fed back to the node after the AAnF derives the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID, and carries the K_AF and the first parameter provided by the AAnF;
  • Step 54 Send the message response to the user equipment.
  • deriving the K_AF of the user equipment includes:
  • deriving the K_AF of the user equipment based on the AKMA anchor key K_AKMA stored locally in the AAnF, the first parameter, the length of the first parameter and the A-KID.
  • the first application key acquisition response also carries the life cycle of the K_AF and the user permanent identifier SUPI.
  • the above methods also include:
  • the specific method of secure transmission of data packets according to the K_AF is not limited to encryption and decryption of the transmitted data packets, but may also be authentication, certificate generation, integrity verification, etc.
  • the embodiment of this method is a node-side method corresponding to the above-mentioned AAnF-side method. All implementation methods in the above-mentioned method embodiment are applicable to this embodiment, and the same technical effect can be achieved.
  • Embodiments of the present disclosure also provide an information transmission method, applied to user equipment (UE), the method includes:
  • Step 61 Provide a first parameter;
  • the first parameter may be a preset service identifier generated by the user equipment or generated by other target objects and built into the application of the user equipment;
  • Step 62 Send a message to the node requested by the user equipment, the message carrying the first parameter and the AKMA key identifier A-KID, so that the node sends a first application key acquisition request to the target application layer authentication and key management (AKMA) anchor function (AAnF) according to the first parameter and the A-KID; the first application key acquisition request carries the first parameter and the AKMA key identifier A-KID, and after obtaining the first application key acquisition response fed back by the AAnF, the node generates a message response;
  • Step 63 Receive the message response sent by the node.
  • after the user equipment generates the first parameter (service number, service identifier), it sends a message to the node.
  • the message may be an application session establishment request, and the above message response may be an application session establishment response; the message carries the first parameter and the AKMA key identifier (A-KID); the user equipment then receives the message response sent by the target application function, so that during the information transmission process the terminal and the node (such as the AF or the AAnF) have the same preset service identifier, the relevant keys can be further derived, data security is protected and leakage of user privacy is avoided.
  • the message carrying A-KID is contained in the first data packet generated by the user equipment.
  • the user equipment sends the data packet carrying the first parameter and the A-KID message to the router entrance; the router searches for the corresponding node and sends the message carrying the first parameter and the A-KID to the node.
  • the node may be the target application function AF.
  • the first application key acquisition response is generated when the first parameter matches the node: the AAnF derives the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID, generates the first application key acquisition response, and feeds it back to the node.
  • deriving the AKMA application layer key K AF of the user equipment based on the first parameter and A-KID may include:
  • Step 6211 Derive the K_AF of the user equipment according to the K_AKMA stored locally in the AAnF, the first parameter, the length of the first parameter and the A-KID.
  • using the first parameter in this way can reduce the storage overhead of the corresponding table.
  • the policy by which the user equipment generates the first parameter can be based on the subsequent node allocation of the computing power network. For example, if the same computing power service of different user equipment is mostly routed to the same node or nodes, or if the operator has an agreement requiring the computing power service to be routed to a specific node, the user equipment UE can generate a specific first parameter for that specific node.
  • the first application key acquisition response carries the K_AF of the user equipment, the life cycle of the K_AF and the user permanent identifier SUPI.
  • the node can generate a message response based on the AKMA application layer key K_AF of the user equipment, the life cycle of the K_AF and the user permanent identifier SUPI carried in the first application key acquisition response, and send it to the user equipment.
  • in step 6211, when deriving the K_AF of the user equipment, the AAnF checks whether the first parameter in the first application key acquisition request matches the node, that is, checks whether the first parameter exists in the corresponding table; if not, it additionally records the corresponding relationship between the first parameter and the node;
  • the first parameter can be used as the primary key, and the process of checking whether the first parameter matches the node is as follows:
  • the AAnF derives the K_AF from the K_AKMA and sends the first application key acquisition response to the node; the first application key acquisition response carries the K_AF of the user equipment, the life cycle of the K_AF and the user permanent identifier SUPI.
  • the first first-parameter value received from a node can be recorded as that node's first parameter by default;
  • Judgment 1 If the first parameter does not exist in Table 2, record the corresponding relationship between the first parameter and the node authentication identity;
  • Judgment 2 If the first parameter exists in Table 2, and the node authentication identity is consistent with the corresponding node in Table 2, then the AAnF derives the K_AF from the K_AKMA and sends the first application key acquisition response to the node; the first application key acquisition response carries the K_AF of the user equipment, the life cycle of the K_AF and the user permanent identifier SUPI.
  • after step 63, that is, after receiving the message response sent by the node, the method may also include:
  • Step 63-1 According to the K_AF, perform secure transmission of data packets with the node. Specifically, the data packets may be encrypted using the K_AF.
  • the user equipment and the node use data packets encrypted by K AF for data transmission to ensure data security.
  • the target AAnF checks, based on the information provided by the network repository function (NRF), whether the target AAnF can provide services to the node, and if so, generates the first parameter for the node;
  • otherwise, the target AAnF shall reject the following procedure.
  • the target AAnF can determine whether the user is authorized to use the AKMA application identity authentication and key management service by whether it can find the corresponding K_AKMA through the A-KID;
  • if there is a valid K_AKMA in the target AAnF, the target AAnF sends a first application key acquisition response to the node;
  • otherwise, the node rejects the message sent by the user equipment UE and sends a message response to the user equipment UE; the message response carries the reason why the AKMA request failed;
  • the target AAnF derives the K_AF of the user equipment from the K_AKMA using the KDF, with the following inputs:
  • P0 = the first parameter (service number, service identifier);
  • L0 = the length of the first parameter (service number, service identifier);
  • the input KEY shall be K_AKMA.
  • the information transmission process in which the first parameter is generated by the user equipment UE may include:
  • Step 71 Execute the main authentication process and K AKMA establishment process
  • Step 72 The user equipment UE generates the first parameter and sends the data packet carrying the first parameter and the A-KID message to the router portal;
  • Step 73 After searching for the computing power node, the router sends the message carrying the first parameter and A-KID to the node;
  • Step 74 The node generates a first application key acquisition request based on the first parameter and A-KID carried in the message, and the first application key request carries the first parameter and A-KID;
  • Step 75 AAnF checks whether the first parameter carried in the first application key acquisition request exists. In the correspondence table, if it does not exist, the corresponding relationship between the first parameter and the node authentication identity is additionally recorded;
  • Step 76 AAnF derives K AF of the user equipment based on K AKMA and the first parameter;
  • Step 77 AAnF sends a first application key acquisition response to the node, where the first application key acquisition response carries the K AF of the user equipment, the life cycle of the K AF and the user permanent identifier SUPI;
  • Step 78 The node obtains the K AF of the user equipment, the life cycle of K AF and the user permanent identifier SUPI carried in the response based on the first application key, generates an application session establishment response, and sends it to the user equipment UE;
  • Step 79 When subsequent data packets are transmitted between the user equipment UE and the node, K AF is used for encryption and decryption, thereby achieving user privacy and security protection.
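  • The exchange of Steps 71 to 79, the K_AF derivation inputs listed above (P0 = first parameter, L0 = its length, KEY = K_AKMA) and the Table 2 consistency check of Judgment 2, as an added example. This is illustrative code written for this page; it is not the patent's code nor any 3GPP implementation. It assumes the generic 3GPP KDF of TS 33.220 Annex B.2 (HMAC-SHA-256 over FC || P0 || L0 || ...), an FC value of 0x82 as used for K_AF in TS 33.535 (the page states no FC), that the A-KID serves only to locate K_AKMA rather than entering the KDF string, and constructed identifiers (A-KID, SUPI, node names, service numbers) and lifetime. The router hop and the packet encryption of Step 79 are left out.

```python
"""Added example (not the patent's code): K_AF derivation bound to a first parameter,
with the AAnF correspondence-table check from Judgment 2 / Step 75."""
from __future__ import annotations

import hashlib
import hmac
import secrets

FC_KAF = 0x82            # assumed: FC used for K_AF in 3GPP TS 33.535; the page does not give one
KAF_LIFETIME_S = 3600    # assumed lifetime value; the page only says a life cycle is carried


def kdf_3gpp(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B.2): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    each Li being the 2-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kaf(k_akma: bytes, first_param: str) -> bytes:
    """K_AF = KDF(KEY = K_AKMA, FC, P0 = first parameter, L0 = its length), as the page lists P0/L0."""
    return kdf_3gpp(k_akma, FC_KAF, first_param.encode("utf-8"))


class AAnF:
    """AKMA anchor function: K_AKMA per A-KID plus the first parameter / node correspondence table."""

    def __init__(self) -> None:
        self.anchors: dict[str, tuple[bytes, str]] = {}  # A-KID -> (K_AKMA, SUPI)
        self.bindings: dict[str, str] = {}                # first parameter -> node authentication identity

    def register_anchor(self, a_kid: str, k_akma: bytes, supi: str) -> None:
        """Populated after primary authentication and K_AKMA establishment (Step 71)."""
        self.anchors[a_kid] = (k_akma, supi)

    def handle_key_request(self, a_kid: str, first_param: str, node_auth_id: str) -> dict:
        """First application key acquisition request (Steps 75-77 and Judgment 2)."""
        if a_kid not in self.anchors:
            # No valid K_AKMA: the user is not authorised for AKMA, answer with a failure reason.
            return {"status": "rejected", "reason": "no valid K_AKMA for A-KID"}
        bound_node = self.bindings.get(first_param)
        if bound_node is None:
            self.bindings[first_param] = node_auth_id     # Step 75: record the new correspondence
        elif bound_node != node_auth_id:
            # Judgment 2 fails: the same first parameter presented by a different node.
            return {"status": "rejected", "reason": "first parameter bound to another node"}
        k_akma, supi = self.anchors[a_kid]
        return {"status": "ok", "k_af": derive_kaf(k_akma, first_param),
                "lifetime": KAF_LIFETIME_S, "supi": supi}


class Node:
    """Computing power node acting as the AF requested by the UE."""

    def __init__(self, auth_id: str, aanf: AAnF) -> None:
        self.auth_id, self.aanf = auth_id, aanf
        self.sessions: dict[str, bytes] = {}              # A-KID -> K_AF received from the AAnF

    def handle_ue_message(self, a_kid: str, first_param: str) -> dict:
        """Step 74: relay first parameter and A-KID to the AAnF; Step 78: answer the UE."""
        resp = self.aanf.handle_key_request(a_kid, first_param, self.auth_id)
        if resp["status"] != "ok":
            return {"status": "failed", "reason": resp["reason"]}  # failure reason goes back to the UE
        self.sessions[a_kid] = resp["k_af"]                         # SUPI and lifetime stay at the node
        return {"status": "ok", "first_param": first_param, "lifetime": resp["lifetime"]}


class UE:
    """User equipment: derives K_AF locally from its own K_AKMA and the echoed first parameter."""

    def __init__(self, a_kid: str, k_akma: bytes) -> None:
        self.a_kid, self.k_akma = a_kid, k_akma

    def establish(self, node: Node, first_param: str) -> bytes | None:
        resp = node.handle_ue_message(self.a_kid, first_param)     # Steps 72-73 (router hop omitted)
        if resp["status"] != "ok":
            return None
        return derive_kaf(self.k_akma, resp["first_param"])        # K_AF itself never crosses the link


def run_scenario() -> dict:
    """Constructed scenario: one authorised UE, two nodes, and one A-KID with no K_AKMA."""
    aanf = AAnF()
    k_akma = secrets.token_bytes(32)
    a_kid = "a-tid-1@example.org"                                  # constructed A-KID
    aanf.register_anchor(a_kid, k_akma, "imsi-001010000000001")   # constructed SUPI
    ue = UE(a_kid, k_akma)
    node_a, node_b = Node("node-A", aanf), Node("node-B", aanf)
    kaf_ue = ue.establish(node_a, "svc-42")                        # binds svc-42 to node-A
    kaf_node = node_a.sessions[a_kid]
    return {
        "keys_match": kaf_ue == kaf_node,
        "other_service_differs": ue.establish(node_a, "svc-43") != kaf_ue,
        "rebinding_rejected": ue.establish(node_b, "svc-42") is None,
        "unknown_akid_rejected": UE("a-tid-9@example.org", k_akma).establish(node_a, "svc-42") is None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

  • Running the module prints the four scenario results. The two rejections are the security-relevant checks: a node that was never recorded for a first parameter cannot obtain K_AF for it (Judgment 2), and an A-KID with no valid K_AKMA gets a failure reason instead of a key. The node only ever receives K_AF from the AAnF, while the UE derives it from its own K_AKMA, so K_AF never crosses the UE-node link; a real deployment would then key an AEAD from K_AF for the packet protection of Step 79 rather than use K_AF directly.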
  • The nodes may be computing power nodes.
  • The method described in the above embodiments is highly efficient and places low requirements on the terminal side.
  • The above embodiments of the present disclosure are better suited to the dynamic allocation of computing power nodes in the computing power network, do not require the UE to establish an additional secure key acquisition channel, and can avoid AFa
  • An application layer authentication and key management anchor function device 80, which includes:
  • a transceiver module 81, configured to receive a first application key acquisition request sent by a node;
  • the first application key acquisition request carries an application layer authentication and key management AKMA key identifier A-KID; the node is the application function AF requested by the user equipment; the transceiver module 81 is further configured to obtain the first parameter, derive the AKMA application layer key K_AF of the user equipment according to the first parameter and the A-KID, and send a first application key acquisition response to the node;
  • the first application key acquisition response carries the K_AF and the first parameter provided by the AAnF; the first parameter is sent by the node to the user equipment.
  • The first application key acquisition request is generated by the node after receiving a message sent by the user equipment and is sent to the AAnF; the message carries the AKMA key identifier A-KID.
  • Deriving the K_AF of the user equipment includes:
  • deriving the K_AF of the user equipment based on the AKMA anchor key K_AKMA stored locally in the AAnF, the first parameter, the length of the first parameter and the A-KID.
  • The first application key acquisition response also carries the life cycle of the K_AF and the user permanent identifier SUPI.
  • this AAnF is an AAnF corresponding to the above-mentioned method applied to AAnF. All the implementation methods in the above-mentioned method embodiments applied to AAnF are applicable to the embodiments of this AAnF and can also achieve the same technical effect.
  • the AAnF may also include a processing module 82 for processing data sent and received by the transceiver module 81.
  • An embodiment of the present disclosure also provides a user equipment, including:
  • a transceiver module configured to send a message to the node requested by the user equipment;
  • the message carries the AKMA key identifier A-KID, so that the node sends a first application key acquisition request to the target application layer authentication and key management AKMA anchor function AAnF according to the A-KID,
  • the first application key acquisition request carries the A-KID, and the node generates a message response after obtaining the first application key acquisition response fed back by the AAnF; wherein the first application key acquisition response is fed back to the node after the AAnF derives the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID, and carries the K_AF and the first parameter; the transceiver module is further configured to receive the message response sent by the node, the message response carrying the first parameter; and the user equipment derives, according to the first parameter and the A-KID,
  • the AKMA application layer key K_AF of the user equipment.
  • the transceiver module is also used for:
  • The user equipment corresponds to the above-mentioned method applied to the user equipment. All implementations in the embodiments of the above-mentioned method applied to the user equipment are applicable to the embodiment of the user equipment and can also achieve the same technical effect.
  • An embodiment of the present disclosure also provides a node, including:
  • a transceiver module configured to receive a message sent by the user equipment, the message carrying the AKMA key identifier A-KID, and to send a first application key acquisition request to the target application layer authentication and key management AKMA anchor function AAnF according to the A-KID;
  • the first application key acquisition request carries the A-KID; after receiving the first application key acquisition response fed back by the AAnF, the node generates a message response; wherein the first application key acquisition response is fed back to the node after the AAnF derives the AKMA application layer key K_AF of the user equipment based on the first parameter and the A-KID;
  • the first application key acquisition response carries the K_AF and the first parameter provided by the AAnF; and the transceiver module sends the message response to the user equipment.
  • Deriving the K_AF of the user equipment includes:
  • deriving the K_AF of the user equipment based on the AKMA anchor key K_AKMA stored locally in the AAnF, the first parameter, the length of the first parameter and the A-KID.
  • The first application key acquisition response also carries the life cycle of the K_AF and the user permanent identifier SUPI.
  • After sending the message response to the user equipment, the method also includes:
  • transmitting data packets with the user equipment, the data packets being encrypted using K_AF; the K_AF is generated by the user equipment according to the first parameter and the A-KID.
  • the node is a node corresponding to the above-mentioned method applied to the node. All implementation methods in the embodiments of the above-mentioned method applied to the node are applicable to the embodiment of the node, and the same technical effect can be achieved.
  • An embodiment of the present disclosure also provides a communication device, including: a processor and a memory storing a computer program.
  • When the computer program is run by the processor, the method described above is executed. All implementations in the above method embodiments are applicable to this embodiment and can achieve the same technical effect.
  • Embodiments of the present disclosure also provide a computer-readable storage medium that includes stored instructions that, when executed on a computer, cause the computer to perform the method described above. All implementations in the above method embodiment are applicable to this embodiment and can achieve the same technical effect.
  • the disclosed devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in various embodiments of the present disclosure may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • The technical solution of the present disclosure, in essence, or the part that contributes to the related art, or part of the technical solution, can be embodied in the form of a software product.
  • The computer software product is stored in a storage medium and includes several instructions used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present disclosure.
  • The aforementioned storage media include: USB flash drives, removable hard disks, ROM, RAM, magnetic disks, optical disks and other media that can store program code.
  • each component or each step can be decomposed and/or recombined.
  • These decompositions and/or recombinations should be considered equivalent versions of the present disclosure.
  • the steps for executing the above series of processes can naturally be executed in chronological order in the order described, but they do not necessarily need to be executed in chronological order, and some steps may be executed in parallel or independently of each other.
  • the objects of the present disclosure can also be achieved by running a program or a set of programs on any computing device.
  • The computing device may be a well-known general-purpose device. Therefore, the object of the present disclosure can also be achieved only by providing a program product containing program code for implementing the method or apparatus. That is, such a program product also constitutes the present disclosure, and a storage medium storing such a program product also constitutes the present disclosure. Obviously, the storage medium may be any known storage medium or any storage medium developed in the future.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to an information transmission method and device. A method on the side of the authentication and key management for applications (AKMA) anchor function (AAnF) comprises: receiving a first application key acquisition request sent by a node, the first application key acquisition request carrying an AKMA key identifier (A-KID) (11); acquiring a first parameter, and deriving an AKMA application layer key (KAF) of a user equipment according to the first parameter and the A-KID (12); and sending a first application key acquisition response to the node, the first application key acquisition response carrying the first parameter provided by the AAnF and the KAF, the first parameter being sent to the user equipment by the node (13).
PCT/CN2023/091526 2022-04-29 2023-04-28 Procédé de transmission d'informations, et dispositif WO2023208183A2 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202210475203.0A CN117014136A (zh) 2022-04-29 2022-04-29 一种信息传输方法及设备
CN202210475173.3 2022-04-29
CN202210475203.0 2022-04-29
CN202210475173.3A CN117014869A (zh) 2022-04-29 2022-04-29 一种信息传输方法及设备

Publications (2)

Publication Number Publication Date
WO2023208183A2 true WO2023208183A2 (fr) 2023-11-02
WO2023208183A3 WO2023208183A3 (fr) 2023-12-21

Family

ID=88517915

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/091526 WO2023208183A2 (fr) 2022-04-29 2023-04-28 Procédé de transmission d'informations, et dispositif

Country Status (1)

Country Link
WO (1) WO2023208183A2 (fr)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3077175A1 (fr) * 2018-01-19 2019-07-26 Orange Technique de determination d'une cle destinee a securiser une communication entre un equipement utilisateur et un serveur applicatif
CN113162758B (zh) * 2020-01-23 2023-09-19 中国移动通信有限公司研究院 一种密钥生成方法及设备
WO2021165000A1 (fr) * 2020-02-20 2021-08-26 Telefonaktiebolaget Lm Ericsson (Publ) Optimisation de génération de matériau de clé pour une authentification et une gestion de clé pour des applications
CN115413414A (zh) * 2020-03-30 2022-11-29 三星电子株式会社 在无线通信系统中用于提供akma服务的方法和装置

Also Published As

Publication number Publication date
WO2023208183A3 (fr) 2023-12-21

Similar Documents

Publication Publication Date Title
CN110995418B (zh) 云存储认证方法及系统、边缘计算服务器、用户路由器
EP2767029B1 (fr) Communication sécurisée
CN110752924B (zh) 一种基于安全多方计算的密钥安全管理方法
CN106411926B (zh) 一种数据加密通信方法及系统
CN111428225A (zh) 数据交互方法、装置、计算机设备及存储介质
CN108809633B (zh) 一种身份认证的方法、装置及系统
CN111050322A (zh) 基于gba的客户端注册和密钥共享方法、装置及系统
CN108111497A (zh) 摄像机与服务器相互认证方法和装置
WO2008006312A1 (fr) Procédé de fourniture de service push de gaa et dispositif associé
CN109586908A (zh) 一种安全报文传输方法及其系统
CN110808834B (zh) 量子密钥分发方法和量子密钥分发系统
CN110493177B (zh) 基于非对称密钥池对和序列号的量子通信服务站aka密钥协商方法和系统
CN103780609A (zh) 一种云数据的处理方法、装置和云数据安全网关
CN115632779B (zh) 一种基于配电网的量子加密通信方法及系统
CN112332986B (zh) 一种基于权限控制的私有加密通信方法及系统
CN110635894B (zh) 一种基于帧协议格式的量子密钥输出方法及其系统
CN114938312B (zh) 一种数据传输方法和装置
WO2016000473A1 (fr) Procédé, système et dispositif d'accès à une affaire
US20090136043A1 (en) Method and apparatus for performing key management and key distribution in wireless networks
CN106537962B (zh) 无线网络配置、接入和访问方法、装置及设备
WO2023208183A2 (fr) Procédé de transmission d'informations, et dispositif
CN113132982A (zh) 数据转发方法、装置、计算机设备和存储介质
CN114285557B (zh) 通信解密方法、系统和装置
WO2011127732A1 (fr) Procédé et système pour l'authentification d'accès multiple dans un réseau de prochaine génération
US20230336998A1 (en) Safe mode configuration method, device and system, and computer-readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23795615

Country of ref document: EP

Kind code of ref document: A2