WO2023213208A1 - Communication method and communication apparatus - Google Patents

Info

Publication number: WO2023213208A1
Authority: WO (WIPO, PCT)
Prior art keywords: network, information, access, data management, authentication information
Application number: PCT/CN2023/090404
Other languages: French (fr), Chinese (zh)
Inventors: 雷骜, 吴义壮, 杨艳梅, 崔洋
Original assignee: 华为技术有限公司

Classifications

    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/08 Access security
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/02 Access restriction performed under specific conditions
    • H04W 48/04 Access restriction performed under specific conditions based on user or terminal location or mobility data, e.g. moving direction, speed
    • H04W 48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W 48/16 Discovering, processing access restriction or access information

Definitions

  • The embodiments of the present application relate to the field of communication technology, and in particular to a communication method and a communication device.
  • Isolated E-UTRAN operation for public safety (IOPS) technology was introduced into the long term evolution (LTE) system in the 3rd Generation Partnership Project (3GPP) Release 13.
  • LTE: long term evolution
  • 3GPP: 3rd Generation Partnership Project
  • When the UE performs primary authentication with the macro network and with the IOPS network, it needs to use a different international mobile subscriber identity (IMSI) and a different root key for each, i.e. it is subscribed separately to the macro network and to the IOPS network. That is, the macro network core network stores only the IMSI and root key used when the UE performs primary authentication with the macro network, and the IOPS core network stores only the IMSI and root key used when the UE performs primary authentication with the IOPS network.
  • IMSI: international mobile subscriber identity
  • This application provides a communication method and communication device to reduce the complexity of access authentication and improve data processing efficiency.
  • In a first aspect, this application provides a communication method, including:
  • The first unified data management unit determines, based on the first authentication information used by the terminal device for access authentication with the first network, the second authentication information used by the terminal device for access authentication with the second network.
  • The first unified data management unit belongs to the first network, and the first network is different from the second network.
  • That the first unified data management unit determines the second authentication information based on the first authentication information can be understood as the first unified data management unit determining the second authentication information with reference to the first authentication information, or deriving the second authentication information from certain parameters in the first authentication information.
  • This application does not limit how the second authentication information is determined.
  • The first network and the second network are two different networks. Usually, if a terminal can access both networks, it needs to be pre-configured with two different sets of authentication information, one for access authentication with each network.
  • In this application, the first unified data management unit can determine the authentication information for one network based on the authentication information for the other network. In this way, the terminal needs to be pre-configured with only one set of authentication information.
  • This method reduces the complexity of access authentication and the amount of computation in the device, and there is no need to store a large amount of authentication information in the terminal device and the unified data management unit. It also reduces the data stored in the terminal device and the unified data management unit, saving storage space on the equipment. The solution of this application can therefore improve data processing efficiency.
  • If the terminal device has permission to access the first network, the second authentication information is determined based on the first authentication information.
  • The terminal device having permission to access the first network can be understood as the terminal device supporting the receipt of communication services under the first network, such as sending and receiving data through the first network.
  • The first unified data management unit can obtain from other network elements, such as the access and mobility management network element, whether the terminal device has permission to access the first network. If it is determined that it does, the second authentication information is determined based on the first authentication information; if it is determined that it does not, the second authentication information need not be determined.
  • Before determining the second authentication information based on the first authentication information, this application determines that the terminal device has permission to access the first network, so as to avoid computing second authentication information for terminal devices that do not support receiving services under the first network.
  • The first unified data management unit receives indication information from the access and mobility management network element, and the indication information is used to trigger the first unified data management unit to determine the second authentication information.
  • The first unified data management network element determines the second authentication information based on the indication information only after receiving the indication information. This method can accurately determine the timing at which the second authentication information is determined and ensure data processing efficiency.
  • The first unified data management unit uses the first authentication information as an input parameter to generate the second authentication information.
  • Second authentication information derived in this way can meet the needs of both networks, avoiding the use of two different sets of authentication information for access authentication with different networks, which can improve data processing efficiency.
  • The first authentication information includes one or more of the following: the confidentiality key CK, the integrity key IK, the sequence number (SQN), the AUSF key K_AUSF, the SEAF key K_SEAF, and the AMF key K_AMF.
  • Including the above parameters in the first authentication information ensures that the first unified data management unit can derive the second authentication information.
  • The first unified data management unit sends the identification information of the terminal device and the second authentication information to the second unified data management unit, and the identification information of the terminal device is associated with the second authentication information.
  • Since the second unified data management unit may receive second authentication information for multiple terminal devices, the first unified data management unit sends the identification information of the terminal device together with its second authentication information, with a correspondence between the two, which makes it easy for the second unified data management unit to know which second authentication information corresponds to which terminal device.
  • The first unified data management unit receives a second unified data management unit identifier from the access and mobility management network element, and the second unified data management unit identifier is used to identify a specific second unified data management network element.
  • Since there may be multiple second unified data management units, the first unified data management unit receives the second unified data management unit identifier from the access and mobility management network element, so that, once it has obtained the second authentication information, it knows to which second unified data management unit to send it.
  • The first unified data management unit sends the second authentication information to the second unified data management unit through the access and mobility management network element and the wireless access network device; or, the first unified data management unit sends the second authentication information to the second unified data management unit through the network exposure function (NEF).
  • NEF: network exposure function
  • The second authentication information is securely protected by key protection information.
  • The first unified data management unit receives the identification information of the second network from the access and mobility management network element.
  • The first unified data management unit determines the key protection information according to the identification information of the second network.
  • The identification information of the second network may be associated with the key protection information, and different second networks may correspond to different key protection information. In this way, the security of data transmission between the first unified data management unit and different second networks can be ensured.
  • Either the first network is an IOPS network or a private network and the second network is a macro network, or the first network is a macro network and the second network is an IOPS network or a private network.
  • In a second aspect, this application provides a communication method, including:
  • The access and mobility management network element determines the identification information of the second network and sends the identification information of the second network to the first unified data management unit. The first unified data management unit belongs to the first network, and the first network is different from the second network.
  • The first unified data management network element determines, based on the first authentication information used for access authentication between the terminal device and the first network, the second authentication information used for access authentication between the terminal device and the second network. This method can accurately determine the timing at which the second authentication information is determined and ensure data processing efficiency.
  • The access and mobility management network element triggers indication information, and the indication information is used to instruct the first unified data management unit to determine, based on the first authentication information used for access authentication between the terminal device and the first network, the second authentication information used for access authentication between the terminal device and the second network; the access and mobility management network element sends the indication information to the first unified data management unit.
  • When the first unified data management network element receives the indication information, it determines, based on the first authentication information used between the terminal device and the first network, the second authentication information used for access authentication between the terminal device and the second network. This method can accurately determine the timing at which the second authentication information is determined and ensure data processing efficiency.
  • The access and mobility management network element determines the identification information of the second network based on the existence of a second network co-deployed with the wireless access network device accessed by the terminal device.
  • A second network co-deployed with the wireless access network device is a second network to which the wireless access network device can connect; the connection may or may not already have been created.
  • The access and mobility management network element can determine the identification information of the second network on this basis. This method avoids wasting processing resources on determining the second authentication information when the wireless access network device accessed by the terminal device does not support switching to the second network.
  • The access and mobility management network element obtains the capability information of the terminal device from the terminal device, and determines, based on the capability information of the terminal device, that the terminal device has the ability to access the second network.
  • The access and mobility management network element determines the identification information of the second network based on the terminal device having the ability to access the second network and the accessed wireless access network device having a co-deployed second network.
  • This method avoids wasting processing resources on determining the second authentication information when the wireless access network device accessed by the terminal device does not support switching to the second network, or when the terminal device does not have the ability to access the second network.
  • The access and mobility management network element receives a request message for the identification information of the second network from the first unified data management unit, and determines the identification information of the second network based on the request message.
  • The access and mobility management network element queries whether the wireless access network device accessed by the terminal device has a co-deployed second network. If there is a co-deployed second network, the identification information of the second network can be sent directly to the first unified data management unit; if the wireless access network device accessed by the terminal device does not have a co-deployed second network, a rejection response is returned to the first unified data management network element. This method avoids the case in which the access and mobility management network element stores no network identification information and the second authentication information cannot be sent to the correct second network.
  • The wireless access network device having a co-deployed second network means that there is a second network to which the wireless access network device can connect; the connection may or may not already have been created. The access and mobility management network element can determine the identification information of the second network on this basis. The wireless access network device not having a co-deployed second network means that there is no second network to which the wireless access network device can connect.
  • The access and mobility management network element sends indication information to the terminal device, instructing the terminal device to generate the second authentication information.
  • In this way the terminal device knows that the second authentication information has been generated, and the terminal device can be ready to access the second network at any time.
  • The second authentication information is securely protected by key protection information.
  • Either the first network is an IOPS network or a private network and the second network is a macro network, or the first network is a macro network and the second network is an IOPS network or a private network.
  • In a third aspect, this application provides a communication method, including:
  • The second unified data management unit receives, from the first unified data management network element, the second authentication information used by the terminal device for access authentication with the second network, and performs access authentication on the terminal device according to the second authentication information.
  • The second authentication information is determined by the first unified data management unit based on the first authentication information used for access authentication between the terminal device and the first network; the first unified data management unit belongs to the first network, the second unified data management unit belongs to the second network, and the first network is different from the second network.
  • The second authentication information is protected by key protection information.
  • The second unified data management unit uses key decryption information to decrypt the second authentication information protected by the key protection information, so as to determine the second authentication information.
  • The key decryption information is associated with the identification information of the second network.
  • Either the first network is an IOPS network or a private network and the second network is a macro network, or the first network is a macro network and the second network is an IOPS network or a private network.
  • Embodiments of the present application provide a communication device.
  • The communication device may be a first unified data management unit or a chip provided inside the first unified data management unit; it may also be an access and mobility management network element or a chip provided inside the access and mobility management network element; or it may be a second unified data management unit or a chip provided inside the second unified data management unit.
  • The communication device has the function of implementing any one of the above first to third aspects.
  • The communication device includes modules, units or means corresponding to the steps involved in any one of the above first to third aspects; the functions, units or means can be implemented by software, by hardware, or by hardware executing corresponding software.
  • The communication device includes a processing unit and a transceiver unit, where the transceiver unit is used to send and receive signals to achieve communication between the communication device and other devices.
  • For example, the transceiver unit is used to receive configuration information from the terminal device, and the processing unit is used to perform some internal operations of the communication device.
  • The transceiver unit may be called an input-output unit, a communication unit, etc.; the transceiver unit may be a transceiver, and the processing unit may be a processor.
  • The transceiver unit may also be an input-output interface, an input-output circuit, or an input-output pin, etc., and may also be called an interface, a communication interface, or an interface circuit, etc.; the processing unit may be a processor, a processing circuit or a logic circuit, etc.
  • The communication device includes a processor and may also include a transceiver. The transceiver is used for sending and receiving signals, and the processor executes program instructions to complete the method in any possible design or implementation of the first to third aspects.
  • The communication device may further include one or more memories, the memory being coupled to the processor, and the memory may store the computer programs or instructions needed to implement the functions involved in any one of the above-mentioned first to third aspects.
  • The processor can execute the computer programs or instructions stored in the memory; when they are executed, the communication device implements the method in any of the possible designs or implementations of the first to third aspects.
  • The communication device includes a processor, which may be coupled to a memory.
  • The memory may store the computer programs or instructions needed to implement the functions involved in any one of the above-mentioned first to third aspects.
  • The processor can execute the computer programs or instructions stored in the memory; when they are executed, the communication device implements the method in any of the possible designs or implementations of the first to third aspects.
  • The communication device includes a processor and an interface circuit, wherein the processor is configured to communicate with other devices through the interface circuit and execute the method in any possible design or implementation of the first to third aspects above.
  • The processor can be implemented by hardware or by software.
  • When implemented by hardware, the processor can be a logic circuit, an integrated circuit, etc.; when implemented by software, the processor may be a general-purpose processor implemented by reading software code stored in memory.
  • The above processors may be one or more, and the memories may be one or more.
  • The memory can be integrated with the processor, or the memory can be provided separately from the processor. In a specific implementation, the memory and the processor can be integrated on the same chip, or they can be provided on different chips. The embodiments of this application do not limit the type of memory or the arrangement of the memory and the processor.
  • Embodiments of the present application provide a communication system that includes the first unified data management unit, the access and mobility management network element, and the second unified data management unit of the above first to third aspects.
  • The present application provides a chip system, which includes a processor and may also include a memory, for implementing the method described in any of the possible designs of the first to third aspects.
  • The chip system can be composed of chips, or can include chips and other discrete devices.
  • The present application also provides a computer-readable storage medium in which computer-readable instructions are stored.
  • When the computer-readable instructions are run on a computer, the computer executes the method in any of the possible designs of the first to third aspects.
  • The present application provides a computer program product containing instructions that, when run on a computer, cause the computer to execute the methods of the embodiments of the first to third aspects.
  • Figure 1 shows a schematic diagram of a communication system provided by an embodiment of the present application.
  • Figure 2A shows a schematic diagram of an application scenario.
  • Figure 2B shows a schematic diagram of another application scenario.
  • Figure 3 shows a schematic flowchart of a UE switching from the macro network to the IOPS network.
  • Figure 4 shows a schematic flowchart of a communication method provided by an embodiment of the present application.
  • Figures 5, 6 and 7 each show a schematic flowchart of another communication method provided by an embodiment of the present application.
  • Figures 8, 9 and 10 each show a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • Figure 1 shows, by way of example, a schematic diagram of a mobile communication network architecture.
  • The network architecture includes terminal equipment, access network equipment, an access and mobility management function, a session management function, a user plane function, a policy control function, a network slice selection function, a network slice-specific authentication and authorization function, a network repository function, a network data analysis function, a unified data management function, a unified data storage function, an authentication service function, a network capability exposure function, a terminal radio capability management function, a binding support function, an application function, and the data network (DN) connected to the operator's network.
  • The terminal device can access the wireless network through the access node at its current location.
  • The terminal device can send service data to the data network, and receive service data from the data network, through the access network equipment and the user plane function.
  • The access and mobility management function is mainly used for the attachment of terminal devices to the mobile network, mobility management, tracking area update procedures, etc.
  • For example, the access and mobility management function can be the access and mobility management function (AMF). In future communication systems such as 6G, it can still be the AMF, or it can have other names; this application does not limit this.
  • AMF: access and mobility management function
  • The session management function is mainly used for session management in the mobile network, such as session establishment, modification and release. Its specific functions include assigning Internet protocol addresses to terminal devices and selecting a user plane function that provides packet forwarding.
  • For example, the session management function can be the session management function (SMF). In future communication systems such as 6G, it can still be the SMF, or it can have other names; this application does not limit this.
  • SMF: session management function
  • The user plane function is mainly used to process user packets, such as forwarding and charging.
  • For example, the user plane function can be the user plane function (UPF). In future communication systems such as 6G, it can still be the UPF, or it can have other names; this application does not limit this.
  • UPF: user plane function
  • The policy control function includes policy control, charging policy control, quality of service (QoS) control, etc.
  • For example, the policy control function can be the policy control function (PCF). In future communication systems such as 6G, it can still be the PCF, or it can have other names; this application does not limit this.
  • PCF: policy control function
  • The network slice selection function is mainly used to select appropriate network slices for the services of terminal devices.
  • For example, the network slice selection function can be the network slice selection function (NSSF). In future communication systems such as 6G, it can still be the NSSF, or it can have other names; this application does not limit this.
  • NSSAAF: network slice-specific authentication and authorization function
  • The network repository function is mainly used to provide registration and discovery of network functions, or of the services provided by network functions.
  • For example, the network repository function can be the network repository function (NRF). In future communication systems such as 6G, it can still be the NRF, or it can have other names; this application does not limit this.
  • NRF: network repository function
  • The network data analysis function can collect data from various network functions, such as the policy control function, session management function, user plane function, access management function and application function (through the network capability exposure function), and perform analysis and prediction.
  • For example, the network data analysis function can be the network data analytics function (NWDAF).
  • NWDAF: network data analytics function
  • The unified data management function is mainly used to manage the subscription information of terminal devices.
  • For example, the unified data management function can be the unified data management (UDM) function. In future communication systems such as 6G, it can still be the UDM function, or it can have other names; this application does not limit this.
  • The unified data storage function is mainly used to store structured data information, including subscription information, policy information, and network data or business data defined in standard formats.
  • For example, the unified data storage function can be the unified data repository (UDR) function. In future communication systems such as 6G, it can still be the UDR function, or it can have other names; this application does not limit this.
  • UDR: unified data repository
  • The authentication service function is mainly used for security authentication of terminal equipment.
  • For example, the authentication service function can be the authentication server function (AUSF). In future communication systems such as 6G, it can still be the AUSF, or it can have other names; this application does not limit this.
  • The network capability exposure function can expose some network functions to applications in a controlled manner.
  • For example, the network capability exposure function may be the NEF. In future communication systems such as 6G, it may still be the NEF, or it may have other names; this application does not limit this.
  • the terminal wireless capability management function is used to store and manage the wireless capabilities of terminal devices in the network.
  • the terminal radio capability management function can be the terminal radio capability management function (UE radio capability management function, UCMF).
  • the terminal radio capability management function can still be the UCMF, or it may have other names, which is not limited by this application.
  • the binding support function is used to maintain the correspondence between Internet Protocol (IP) addresses and the service functions serving the user's connection.
  • the binding support function may be the binding support function (BSF).
  • in future communication systems such as 6G communication systems, the binding support function may still be the BSF, or it may have other names, which is not limited by this application.
  • the application function can provide service data of various applications to the control plane function of the operator's communication network, or obtain network data information and control information from the control plane function of the communication network.
  • the application function may be an application function (AF).
  • the application function may still be an AF, or may have other names; this application does not limit this.
  • Data network is mainly used to provide data transmission services for terminal devices.
  • the data network can be a private network, such as a local area network, or a public data network (PDN), such as the Internet.
  • the data network can also be a proprietary network deployed by the operator, such as one configured to provide IP multimedia core network subsystem (IMS) services.
  • the terminal, that is, the terminal device, is an entity on the user side that is used to receive or transmit signals; it sends uplink signals to network equipment or receives downlink signals from network equipment.
  • this includes devices that provide voice and/or data connectivity to users, which may include, for example, UEs, handheld devices with wireless connectivity capabilities, or processing devices connected to wireless modems.
  • the terminal device can communicate with the core network via the radio access network (RAN) and exchange voice and/or data with the RAN.
  • the terminal equipment may include UE, vehicle-to-X (V2X) terminal equipment, wireless terminal equipment, mobile terminal equipment, device-to-device (D2D) terminal equipment, machine-to-machine/machine-type communications (M2M/MTC) terminal equipment, IoT terminal equipment, subscriber unit, subscriber station, mobile station, remote station, AP, remote terminal, access terminal, user terminal, user agent, user device, wearable device, vehicle-mounted device, drone, etc.
  • the terminal device may also be a wearable device.
  • wearable devices can also be called wearable smart devices or smart wearable devices. It is a general term for devices developed by applying wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes.
  • a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. Wearable devices are not just hardware devices, but also achieve powerful functions through software support, data interaction, and cloud interaction.
  • wearable smart devices include full-featured, large-sized devices that can achieve complete or partial functions without relying on a smartphone, such as smart watches or smart glasses, and devices that focus on only one type of application function and need to be used together with other devices such as a smartphone, such as various smart bracelets, smart helmets and smart jewellery for physical sign monitoring.
  • the functions in the embodiments of this application may also be called network elements, network functions or functional entities, devices, etc.
  • the access and mobility management functions may also be called access and mobility management network elements, or access and mobility management network functions, or access and mobility management functional entities, etc.
  • the names of each function are not limited in this application. Those skilled in the art can replace the names of the above functions with other names to perform the same function, which all fall within the scope of protection of this application.
  • FIG. 2A shows a schematic diagram of an application scenario provided by this application.
  • This scenario takes an IOPS network and a macro network as an example. Of course, in actual applications, it can also be a private network and a macro network.
  • This application does not specifically limit it.
  • in this scenario, communication services are provided to public safety users through an LTE access network device with IOPS function (IOPS-capable eNB) when there is no backhaul communication.
  • no backhaul communication means that the link between the access network device and the LTE macro network core network (macro EPC) is interrupted, for example in the event of disasters such as earthquakes or failure of the backhaul optical fibre.
  • the LTE access network device with IOPS function (IOPS-capable eNodeB) establishes a backhaul connection with the IOPS network, forming an IOPS network that can be used to provide local connectivity.
  • the terminal device receives communication services in IOPS mode (IOPS mode) through the IOPS network to ensure reliable transmission of data.
  • LTE access network equipment (IOPS-Incapable eNodeBs) without IOPS functionality cannot establish a backhaul connection to the IOPS network.
  • FIG 2B shows a schematic diagram of another application scenario provided by this application.
  • This scenario takes an IOPS network as an example; of course, in actual application it can also be a private network, which this application does not specifically limit. When there is no IOPS-capable eNB available to provide communication services to public safety users (that is, no infrastructure), an access network device with IOPS function (nomadic eNodeB) is deployed (eNodeB deployed); this access network device is movable and similar to a small access network device carried by the user. It establishes a backhaul connection with the IOPS network, forming an IOPS core network (local EPC) that can be used to provide local connections, and thereby an IOPS network that can be used to provide local connections.
  • the IOPS scenarios in the existing LTE technical specifications (TS) TS 23.401 and TS 33.401 mainly focus on the process of a UE switching from macro network access to IOPS network access.
  • LTE has the following basic assumptions for IOPS scenarios:
  • the RAN node supports both macro network and IOPS.
  • the RAN node is an eNB node with IOPS function (IOPS-capable eNB).
  • IOPS-capable eNB is connected to both macro network EPC and L-EPC.
  • the IOPS mode has an exclusive identifier, such as a public land mobile network identifier (PLMN ID). All L-EPCs of the same public safety agency/operator have the same PLMN ID.
  • the IOPS-capable eNB will broadcast the PLMN ID corresponding to the IOPS to assist UEs that support the IOPS mode to access the IOPS mode.
  • the main function of the L-EPC is to provide routing for communication between IOPS-enabled UEs.
  • an IOPS-enabled UE has two universal mobile telecommunications system (UMTS) subscriber identity module applications (USIM apps).
  • the two USIM apps correspond to IOPS mode and normal mode respectively.
  • the USIM app for IOPS has the root key K, PLMN ID and international mobile subscriber identity (IMSI) dedicated to the IOPS PLMN.
  • Step 1 The UE accesses the macro network EPC and performs communication services.
  • Step 2 The eNB detects that the backhaul link with the macro network is disconnected. This eNB is IOPS-capable, which is not repeated below. The eNB activates the IOPS mode based on the operator's local policy decision.
  • Step 3 After L-EPC is activated, the eNB establishes a backhaul link with L-EPC.
  • Step 4 After eNB establishes the backhaul link with L-EPC, it broadcasts the PLMN ID of the IOPS network.
  • Step 5 The UE detects the IOPS PLMN ID broadcast and activates the IOPS-specific USIM app.
  • Step 6 The UE determines that it needs to access the corresponding L-EPC based on the IOPS PLMN ID, and conducts the access process (including access authentication) and session establishment with the L-EPC.
  • Step 7 The UE and L-EPC execute the access process (attach process) and establish a local packet data network (PDN) connection.
  • Step 8 The UE accesses L-EPC and performs communication services.
  • when the UE performs primary authentication with the macro network and with the IOPS network, it needs to use different IMSIs and different root keys, each subscribed with the respective network. That is, the macro network core network stores only the IMSI and root key used when the UE performs primary authentication with the macro network, and the IOPS core network stores only the IMSI and root key used when the UE performs primary authentication with the IOPS network. When performing primary authentication with different networks, the UE enables the corresponding IMSI and root key. This method is complex to operate.
  • this application provides a communication method to reduce the complexity of access authentication, and on the basis of reducing the complexity of access authentication, reduce the amount of data storage of the device and save the storage space of the device.
  • FIG 4 is a schematic diagram of a communication method provided by an embodiment of the present application.
  • This method can be implemented through a first unified data management unit and a second unified data management unit.
  • the interaction between the units can also be carried out with the help of other network elements, such as the AMF, which is not specifically limited here.
  • the first unified data management network element is described taking the first UDM as an example, and the second unified data management network element taking the second UDM as an example.
  • the unified data management network element can also be another network element: a network element that can store the authentication information for accessing the network and can further process that authentication information can be regarded as the unified data management network element. The method includes the following steps:
  • Step 401 The first UDM determines the second authentication information used by the terminal device for access authentication with the second network based on the first authentication information used by the terminal device for access authentication with the first network.
  • the first UDM belongs to the first network; the first network is different from the second network.
  • the first network and the second network may be mutually isolated networks.
  • the first network may be an IOPS network or a private network, and the second network may be a macro network; or the first network may be a macro network, and the second network may be an IOPS network or the private network.
  • for example: the first network is an IOPS network and the second network is a macro network; the first network is a private network (such as a campus network) and the second network is a macro network; the first network is a macro network and the second network is an IOPS network; or the first network is a macro network and the second network is a private network, etc.
  • This application is not specifically limited here.
  • the access authentication between the terminal device and the first network can be understood as the main authentication between the terminal device and the first network.
  • the main authentication between the terminal device and the first network is used to authenticate each other's identities between the terminal device and the first network.
  • after the primary authentication, the terminal can proceed with the subsequent registration process and session establishment process with the first network.
  • if the first network is a macro network, this represents the primary authentication between the terminal device and the macro network; if the first network is an IOPS network, this represents the primary authentication between the terminal device and the IOPS network.
  • similarly, the access authentication between the terminal device and the second network can be understood as the primary authentication between the terminal device and the second network: if the second network is an IOPS network, it means the primary authentication between the terminal device and the IOPS network; if the second network is a macro network, it means the primary authentication between the terminal device and the macro network.
  • that the first UDM determines the second authentication information used by the terminal device for access authentication with the second network based on the first authentication information used by the terminal device for access authentication with the first network can be understood as the first UDM determining the second authentication information with reference to the first authentication information, or deriving the second authentication information from certain parameters in the first authentication information. This application does not limit how the second authentication information is determined.
  • for example, when the first network is a macro network and the second network is an IOPS network, the first UDM can determine the second authentication information of the terminal device and the IOPS network based on the first authentication information of the terminal device and the macro network; when the first network is the IOPS network and the second network is the macro network, the first UDM can determine the second authentication information of the terminal device and the macro network based on the first authentication information of the terminal device and the IOPS network. This is not specifically limited in this application.
  • the first UDM uses the first authentication information as an input parameter to generate the second authentication information.
  • the second authentication information derived in this way can meet the access authentication requirements of both networks, avoiding the use of two different sets of authentication information for access authentication with the different networks, which can improve data processing efficiency.
  • the first authentication information includes one or more of the following: CK, IK, SQN, K_AUSF, K_SEAF, K_AMF.
  • the first UDM obtains the second authentication information by derivation from the keys generated in the primary authentication of the terminal device with the first network.
  • the first UDM may obtain the second authentication information by further deducing based on the CK and IK generated by the first UDM and the UE in the main authentication process.
  • the specific method is as follows:
  • alternatively, the first UDM may derive the second authentication information from K_AUSF, K_SEAF and K_AMF generated by the first UDM and the UE in the primary authentication process; in this case the first UDM needs to first obtain K_AUSF, K_SEAF and K_AMF from the AUSF, SEAF or AMF, and then perform the further derivation.
  • the deduction method is as follows:
  • KDF: key derivation function
  • the deduction method is not limited.
  • one of the above derivation methods can be used, and other derivation methods can also be used, for example the first UDM and the second UDM agreeing on derivation rules; this application does not specifically limit this.
  • the first UDM can protect the second authentication information through the key protection information and obtain the second authentication information protected by the key protection information.
  • the key protection information may be preset by the first UDM.
  • there may be multiple second networks, and different second networks can be indicated by different identification information, such as PLMN1, PLMN2, NID (network identifier) or other identifiers; different second network identifiers correspond to different key protection information, for example:
  • PLMN1 corresponds to key protection information 1
  • PLMN2 corresponds to key protection information 2
  • NID3 corresponds to key protection information 3, etc.
  • once the first UDM obtains the identification information of the second network, it can know which key protection information to use to encrypt and protect the second authentication information.
  • the identification information of the second network may come from the access and mobility management network element. However, it may also be broadcast by the access wireless network device connected to the terminal device, which is not specifically limited in this application.
  • the second network identification information may be determined by the access and mobility management network element and then received by the first UDM from the access and mobility management network element, where the access and mobility management network element may determine the second network identification information in the following ways:
  • Method 1 The access and mobility management network element determines the identification information of the second network based on the existence of a second network co-deployed with the wireless access network device accessed by the terminal device.
  • a second network co-deployed with the wireless access network device is a second network that the wireless access network device can connect to.
  • the connection may or may not be created.
  • the access and mobility management network element can determine the identification information of the second network based on this.
  • Method 2 The access and mobility management network element determines, based on the capability information of the terminal device, that the terminal device has the ability to access the second network; when the access and mobility management network element determines that the terminal device has the ability to access the second network and that there is a second network co-deployed with the wireless access network device accessed by the terminal device, it determines the identification information of the second network.
  • Method 3 The access and mobility management network element receives a request message for the identification information of the second network from the first UDM; the access and mobility management network element determines the identification information of the second network based on the request message.
  • the access and mobility management network element queries whether the wireless access network device accessed by the terminal device has a co-deployed second network. If so, the second network identification information can be sent directly to the first UDM; if not, a rejection response is returned to the first UDM. This avoids the situation in which the access and mobility management network element has not stored the network identification information and the second authentication information therefore cannot be sent to the correct second network.
  • it should be noted that the wireless access network device having a co-deployed second network means that there is a second network to which the wireless access network device can connect; the connection may or may not have been created, and the access and mobility management network element can determine the identification information of the second network on this basis. The wireless access network device not having a co-deployed second network means that there is no second network to which it can connect.
  • the determination of the second authentication information can also be triggered by indication information, which is used to trigger the first UDM to determine the second authentication information.
  • determining the second authentication information based on the indication information can accurately determine the timing of determining the second authentication information and ensure the efficiency of data processing.
  • the indication information can also be used to instruct the first UDM to transfer the second authentication information to the second UDM, or to indicate other operations, which is not specifically limited in this application.
  • when the terminal device has the permission to access the first network, the first UDM may determine the second authentication information based on the first authentication information.
  • that the terminal device has the permission to access the first network can be understood as the terminal device supporting receiving communication services under the first network, for example sending data through the first network.
  • the first unified data management unit can obtain from other network elements, such as the access and mobility management network element, whether the terminal device has permission to access the first network. If it is determined that it does, the second authentication information is determined based on the first authentication information; if it is determined that it does not have permission to access the first network, the second authentication information need not be determined. By determining that the terminal device has the permission to access the first network before determining the second authentication information based on the first authentication information, this application avoids calculating second authentication information for a terminal device that does not support receiving services under the first network.
  • Step 402 The first UDM sends the second authentication information to the second UDM.
  • the second UDM belongs to the second network.
  • the second UDM receives the second authentication information.
  • the first UDM may send the identification information and the second authentication information of the terminal device to the second UDM, and the identification information of the terminal device is associated with the second authentication information.
  • since the second UDM may receive the second authentication information of multiple terminal devices, the first UDM sends the identification information of the terminal device together with the second authentication information to the second UDM, where there is a corresponding relationship between the identification information of the terminal device and the second authentication information; this lets the second UDM know which terminal device the second authentication information corresponds to.
  • the first UDM obtains the identification information of the second UDM from the access and mobility management network element, and the identification information of the second UDM is used to identify the second UDM.
  • based on the identification information of the second UDM obtained from the access and mobility management network element, the first UDM can send the identification information of the terminal device and the second authentication information to the second UDM, so that the first UDM knows which second UDM the second authentication information is sent to.
  • the first UDM can send the second authentication information to the second UDM through access and mobility management network elements and wireless access network equipment; or, the first UDM can send the second authentication information to the second UDM through NEF.
  • the first UDM can also send the second authentication information to the second UDM through other methods, which is not specifically limited in this application.
  • in order to ensure the security of the second authentication information during transmission, the first UDM can protect the second authentication information with the key protection information; in this step the first UDM then sends the second authentication information protected by the key protection information to the second UDM.
  • Step 403 The second UDM performs access authentication on the terminal device according to the second authentication information.
  • the second UDM decrypts the second authentication information protected by the key protection information through the key decryption information, and determines the second authentication information.
  • the key decryption information may be preset by the second UDM.
  • the key decryption information and key protection information may be symmetric keys or asymmetric keys, which are not specifically limited in this application.
  • the identification information of the second network is related to the key decryption information, that is, different identification information of the second network can correspond to different key decryption information, for example: PLMN1 corresponds to key decryption information 1, PLMN2 corresponds to key decryption information 2, etc. Once the second UDM obtains the identification information of the second network, it can know which key decryption information to use to decrypt the second authentication information.
  • the first network and the second network are two different networks. If the terminal can access both networks, it needs two different sets of authentication information to perform access authentication with the corresponding networks respectively.
  • in this application, a unified data management unit can determine the authentication information of one network based on the authentication information of another network. In this way, the complexity of access authentication can be reduced, the amount of data computation of the device can be reduced, and there is no need to store a large amount of authentication information in the terminal device and the unified data management unit; this also reduces the amount of data stored in the terminal device and the unified data management unit, saves the storage space of the device, and further improves data processing efficiency.
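As an added example (not text or code from the patent, and not any vendor's implementation), the following Python walks through steps 401 to 403 end to end: the first UDM derives a second-network key from CK and IK, looks up the key protection information for the second network's identifier, protects the key for transfer, and the second UDM looks up the matching key decryption information and recovers it. Everything concrete here is an assumption, since the patent leaves the derivation function and the protection scheme open: the KDF is an HMAC-SHA-256 construction in the TS 33.220 style with placeholder FC bytes, the key protection and key decryption information are shared symmetric keys per network identifier, the protection scheme is an HMAC-based encrypt-then-MAC stand-in (a deployment would use a standard AEAD), and the network and subscriber identifiers are constructed.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's own specification. Key lengths, labels,
# FC bytes and identifiers below are constructed for illustration only.

PLMN_IOPS = b"PLMN1"  # constructed identifier of one second network


def kdf(key: bytes, fc: bytes, *params: bytes) -> bytes:
    """KDF in the TS 33.220 style: HMAC-SHA-256 over FC || P_i || L_i.
    The FC values used in this file are placeholders, not 3GPP-assigned."""
    s = fc
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_second_auth_info(first_auth_info: dict, second_net_id: bytes) -> bytes:
    """Step 401 on the first UDM (and, symmetrically, on the UE): derive the
    second network's key from CK||IK of the first network's primary
    authentication, bound to the second network's identifier."""
    ck, ik = first_auth_info["CK"], first_auth_info["IK"]
    return kdf(ck + ik, b"\xf0", b"second-net-key", second_net_id)


# Steps 0b/0c: per-second-network protection keys preconfigured on the first
# UDM, and the matching decryption keys on the second UDM (symmetric here).
KEY_PROTECTION_INFO = {
    b"PLMN1": secrets.token_bytes(32),
    b"PLMN2": secrets.token_bytes(32),
    b"NID3": secrets.token_bytes(32),
}
KEY_DECRYPTION_INFO = dict(KEY_PROTECTION_INFO)  # second UDM's copy


def _subkeys(k: bytes):
    # Separate encryption and MAC keys derived from one protection key.
    return kdf(k, b"\xf1", b"enc"), kdf(k, b"\xf2", b"mac")


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC in counter mode as a stand-in stream cipher for the example.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def protect(second_net_id: bytes, ue_id: bytes, second_auth_info: bytes) -> bytes:
    """Step 402 on the first UDM: confidentiality plus integrity before
    transfer. Wire format: nonce(16) || ciphertext || tag(32). The network
    and terminal identifiers are bound into the tag as associated data."""
    enc_key, mac_key = _subkeys(KEY_PROTECTION_INFO[second_net_id])
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(second_auth_info))
    ct = bytes(a ^ b for a, b in zip(second_auth_info, ks))
    tag = hmac.new(mac_key, second_net_id + ue_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(second_net_id: bytes, ue_id: bytes, blob: bytes):
    """Step 403 on the second UDM: verify the tag first, then decrypt.
    Returns None if the network id is unknown or anything fails to verify."""
    key = KEY_DECRYPTION_INFO.get(second_net_id)
    if key is None or len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, second_net_id + ue_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def run_transfer() -> dict:
    """Drive the whole exchange on constructed inputs and report the checks."""
    first_auth_info = {"CK": bytes(range(16)), "IK": bytes(range(16, 32)), "SQN": b"\x00" * 6}
    ue_id = b"SUPI-constructed-001"
    k_second = derive_second_auth_info(first_auth_info, PLMN_IOPS)  # first UDM
    blob = protect(PLMN_IOPS, ue_id, k_second)                       # to second UDM
    recovered = unprotect(PLMN_IOPS, ue_id, blob)                    # second UDM
    tampered = unprotect(PLMN_IOPS, ue_id, blob[:20] + bytes([blob[20] ^ 1]) + blob[21:])
    wrong_net = unprotect(b"PLMN2", ue_id, blob)                     # misrouted payload
    ue_side = derive_second_auth_info(first_auth_info, PLMN_IOPS)    # UE derives the same key
    return {
        "recovered": recovered == k_second,
        "tamper_rejected": tampered is None,
        "wrong_network_rejected": wrong_net is None,
        "ue_matches": ue_side == k_second,
        "key_len": len(k_second),
    }


if __name__ == "__main__":
    print(run_transfer())
```

The two points worth checking on the receiving side are that the tag is verified before any decryption and that it binds the second-network identifier and the terminal identifier, so a payload delivered to the wrong second network, or associated with the wrong terminal, fails verification instead of being silently accepted; and that the UE, holding the same CK and IK, arrives at the same key without that key ever crossing an interface in the clear.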
  • Figure 5 takes the data interaction between UE, RAN, AMF, AUSF, first UDM and second UDM as an example to illustrate.
  • the AMF will send instruction information to the first UDM so that the first UDM determines the second authentication information.
  • the following takes as an example the case where the first network is the macro network and the second network is the IOPS network (that is, the IOPS core network described below), the first UDM belongs to the macro network, and the second UDM belongs to the IOPS network.
  • the details are as follows:
  • Step 0a The AMF determines that the RAN connected to the AMF can establish a connection with the IOPS core network.
  • the information in this step can be obtained when the device is powered on and connected when the IOPS network is set up, or it can be configured by the network administrator.
  • the specific method is not limited.
  • the AMF also obtains the network identification information of the IOPS core network (that is, the identification information of the second network) co-deployed with the RAN (that is, the wireless access network device) connected to the AMF.
  • the network identification information of the IOPS core network is used to identify the network where the IOPS core network is located, and can further be used to identify the IOPS core network.
  • the IOPS core network co-deployed with the RAN is the IOPS core network that the RAN can connect to; in actual application, the connection may or may not have been created, and where the IOPS core network is deployed is not specified here.
  • after the AMF obtains the network identification information of the IOPS core network co-deployed with the RAN connected to the AMF, the AMF maintains the corresponding relationship between the identification of the RAN and the network identification of the IOPS core network.
  • the RAN may have multiple co-deployed IOPS core networks, and the preconfiguration information may also include priority information to indicate the priorities of the multiple co-deployed IOPS core networks of the RAN; the AMF may select which IOPS core network to use based on the priority information.
  • if the RAN node has a co-deployed IOPS core network, it can be understood that the RAN node supports the ability to access the IOPS core network, or can connect to the IOPS network; if the RAN node does not have a co-deployed IOPS core network, it can be understood that the RAN node does not support the ability to access the IOPS core network, or cannot connect to the IOPS network.
  • Step 0b The first UDM pre-configures the key protection key required to protect the second authentication information during transmission (ie, the key protection information described above).
  • protecting the second authentication information during transmission is to use a key protection key to protect the second authentication information before sending the second authentication information, and obtain the protected second authentication information, wherein the key protection key is used
  • protecting the second authentication information may include confidentiality protection and/or integrity protection of the second authentication information, thereby ensuring the security of the second authentication information during the transmission of the second authentication information.
  • the first UDM also configures a corresponding relationship between the key protection key and the network identification information of the IOPS core network.
  • Step 0c The second UDM is pre-configured with the key acquisition key required to obtain the second authentication information (that is, the key decryption information described above).
  • the key acquisition key is used to obtain the second authentication information.
  • for the key acquisition key, please refer to the description of the key decryption information in step 403 above.
  • using the key acquisition key to obtain the second authentication information specifically means using the key acquisition key and the protected second authentication information to obtain the second authentication information; this may be using the key acquisition key to decrypt the protected second authentication information to obtain the second authentication information, and/or using the key acquisition key to verify the integrity of the protected second authentication information.
  • the key acquisition key corresponds to the key protection key in step 0b, that is, it can be the same symmetric key as the key preconfigured in the first UDM, or the two can form an asymmetric key pair.
  • the key acquisition key (key decryption key) can be used to decrypt information encrypted with the key protection key preconfigured in the first UDM, and can also be used to verify the integrity of information protected with the key protection key configured in the first UDM.
  • Step 1: The UE requests access to the macro network by sending a registration request message to the AMF.
  • Optionally, the UE carries IOPS capability information in the registration request message; this information indicates that the UE supports the IOPS function.
  • The registration request message is a NAS (non-access stratum) message. The UE carries the NAS message inside an AS (access stratum) message to the RAN node, and the RAN node forwards the NAS message to the AMF over the backhaul network.
  • "The UE supports the IOPS function" means that the UE is able to access the IOPS network, or that the UE is able to communicate with the IOPS network.
  • Alternatively, the UE does not carry IOPS capability information in the registration request. The UE then need not indicate its IOPS support to the AMF, which reduces the UE's processing burden for the registration request.
  • Step 2: The AMF determines that it needs to instruct the first UDM to initiate key transfer, based on the IOPS capability information obtained from the UE and on whether the RAN node accessed by the UE supports connection to the IOPS core network.
  • "Instructing the first UDM to initiate key transfer" means instructing the first UDM to determine the second authentication information from the first authentication information and to send the second authentication information to the second UDM.
  • The AMF can identify the RAN node from the backhaul connection on which the NAS message arrived, and then look up whether that RAN node supports access to the IOPS network in the information pre-configured in step 0a.
  • Optionally, the AMF also determines, from the pre-configuration of step 0a, the network identification information of the IOPS core network corresponding to the RAN accessed by the UE.
  • For example, the AMF determines the identification information of the RAN from the backhaul connection that delivered the NAS message, and then determines the network identification information of the corresponding IOPS core network from the correspondence between RAN identification information and second network identification information configured in step 0a.
  • Alternatively, the AMF determines the network identification information of the corresponding IOPS core network from the priority information obtained in step 0a.
  • Optionally, the RAN accessed by the UE is connected to several IOPS core networks. In that case the AMF may determine the network identification information of all of the local IOPS core networks and send it to the first UDM.
  • Alternatively, the AMF decides to instruct the first UDM to initiate key transfer based only on whether the RAN node accessed by the UE supports connection to the IOPS core network.
  • Alternatively, the AMF decides based only on the IOPS capability information obtained from the UE. This simplifies the processing logic of the AMF.
  • Step 3: The AMF sends an IOPS indication to the first UDM, instructing the first UDM to obtain the root key K IOPS (the second authentication information) required for primary authentication between the UE and the IOPS core network in IOPS mode, and to send the second authentication information to the second UDM.
  • Optionally, the IOPS indication also instructs the first UDM to obtain, at the same time, the other parameters required for primary authentication between the UE and the IOPS core network in IOPS mode.
  • The other parameters may include one or more elements of the authentication quintuple used for primary authentication, for example the SQN parameter (another example of the first authentication information). The first UDM then determines the second authentication information from the determined parameters, and the second authentication information also includes the SQN parameter.
  • Optionally, the AMF also sends the first UDM the network identification information of the IOPS core network corresponding to the RAN accessed by the UE.
  • The IOPS indication of step 3 can be carried in the messages with which the AMF interacts with the first UDM during primary authentication between the UE and the macro network: the AMF sends the UE authentication request (Nausf_UEAuthentication_Authenticate Request) to the AUSF, and the AUSF forwards it to the first UDM in the UE authentication get request (Nudm_UEAuthentication_Get Request); this is the message illustrated in Figure 5. The IOPS indication can also be carried in the subscription data get message (Nudm_SDM_Get) that the AMF sends to the first UDM to obtain the UE's subscription information after the registration procedure, or in any other message exchanged between the AMF and the first UDM; this is not limited here.
  • Alternatively, the AMF uses a new service message to instruct the first UDM to obtain the root key K IOPS (the second authentication information) required for primary authentication between the UE and the IOPS core network in IOPS mode. In that case the AMF does not send an explicit IOPS indication to the first UDM; the instruction is implicit in the new service message itself.
  • Step 4: After determining from the UE's subscription information that the UE is authorized to access the IOPS network, the first UDM derives, from the key generated by primary authentication between the UE and the macro network (the first authentication information), the root key K IOPS (the second authentication information) required for primary authentication between the UE and the IOPS core network in IOPS mode.
  • "The UE is authorized to access the IOPS network" can be understood as the UE having the right to access the IOPS network, or as the UE being entitled to receive communication services in the IOPS network; see the description of the first terminal device's right to access the first network in step 401.
  • Optionally, K IOPS is derived from one or more of CK, IK, K AUSF, K SEAF and K AMF generated in the primary authentication procedure. In that case the first authentication information is whichever of CK, IK, K AUSF, K SEAF and K AMF is used to derive K IOPS.
  • Optionally, the first UDM uses the key protection key of step 0b to protect K IOPS and so obtains the protected second authentication information. Protecting K IOPS with the key protection key may be confidentiality protection and/or integrity protection of K IOPS.
  • Optionally, if the AMF sends the IOPS indication of step 3 to the first UDM within the primary authentication procedure, the first UDM must first obtain the primary authentication success indication in the UE authentication result confirmation request (Nudm_UEAuthentication_ResultConfirmation Request) and only then trigger step 4.
  • Optionally, if the IOPS indication also instructs the first UDM to obtain the other parameters required for primary authentication between the UE and the IOPS core network in IOPS mode (see step 3), the key protection key is used to protect those other parameters together with K IOPS. The other parameters may include one or more elements of the authentication quintuple used for primary authentication, for example the SQN parameter; in that case the first authentication information includes, besides the key generated by primary authentication with the macro network, the other parameters required for primary authentication, such as the SQN parameter.
  • Optionally, if the first UDM also received from the AMF in step 3 the network identification information of the IOPS core network corresponding to the RAN accessed by the UE, the first UDM selects the key protection key from the correspondence between key protection keys and IOPS core network identification configured in step 0b using the received network identification information, and then uses that key protection key to obtain the protected second authentication information.
  • Step 4a: If K IOPS is derived from one or more of K AUSF, K SEAF or K AMF generated in the primary authentication procedure, the UE stores the corresponding K AUSF, K SEAF or K AMF in the USIM application. This step is optional.
  • Step 5: The first UDM sends a key transfer request message to the AMF.
  • Optionally, the key transfer request message includes the identification information of the UE and the protected second authentication information, so that the AMF can determine from the UE's identification information the IOPS core network information corresponding to the RAN accessed by the UE (including the network identification information of the IOPS core network), i.e. which IOPS core network hosts the second UDM to which the UE's identification information and the protected second authentication information are to be sent.
  • To determine the network identification information of that IOPS core network, the AMF can determine the backhaul connection from the UE's identification information, then the identification information of the RAN behind that backhaul connection, and then the network identification information of the corresponding IOPS core network from the correspondence between RAN identification information and second network identification information of step 0a.
  • Optionally, the key transfer request message includes the identification information of the UE and the protected second authentication information so that the second UDM can determine which UE the received second authentication information belongs to, and can later select the corresponding second authentication information by the UE's identification information when primary authentication is performed between the UE and the IOPS network where the second UDM is located.
  • The first UDM determines the identification information of the UE during primary authentication; the identification information of the UE may be the UE's SUPI.
  • Optionally, the key transfer request message also carries key transfer indication information and/or the network identification information of the IOPS core network. The key transfer indication information tells the AMF network element that this message is used to transfer the second authentication information to the IOPS network; the network identification information of the IOPS core network helps the AMF determine which IOPS network the key transfer request message needs to be sent to.
  • Note that the first UDM can forward the key transfer request to the second UDM via the AMF and the RAN, via an NEF, or by another means such as a direct link between the first UDM and the second UDM. If the first UDM does not forward the key transfer request via the AMF or the RAN, steps 6 and 7 are skipped after this step and step 8 is performed directly.
  • Step 6: The AMF determines to forward the UE's identification information and the protected second authentication information to the second UDM.
  • If step 4 was triggered after the primary authentication success indication carried in the UE authentication result confirmation request (Nudm_UEAuthentication_ResultConfirmation Request), the AMF can determine the second UDM from the network identification information of the IOPS core network carried in step 5 and forward the UE's identification information and the protected second authentication information to it. If step 4 was triggered by another message exchanged between the AMF and the first UDM, the AMF determines the second UDM from the UE identification information carried in the key transfer request message and from the IOPS core network information corresponding to the RAN accessed by the UE (including the network identification information of the IOPS core network), and forwards the UE's identification information and the protected second authentication information to the second UDM.
  • Optionally, the key transfer request message sent by the first UDM in step 5 does not include the identification information of the UE. The information exchanged between the AMF and the first UDM consists of request messages and reply messages: the AMF sends the first UDM a request message carrying the UE's identification information, and the first UDM sends a reply message for that request. The AMF can therefore determine the UE's identification information from the association between its request and the first UDM's reply, determine the second UDM from the UE's identification information and the IOPS core network information corresponding to the RAN accessed by the UE, and forward the UE's identification information and the protected second authentication information to the second UDM.
  • Optionally, determining to forward the UE's identification information and the protected second authentication information to the second UDM also includes: the AMF determines the RAN accessed by the UE from the UE's identification information and sends a key transfer message to that RAN. The key transfer message carries the UE's identification information and the protected second authentication information, and may also carry key transfer indication information instructing the RAN to forward the key transfer message.
  • Optionally, if the AMF holds the network identification information of the IOPS core network where the second UDM is located, it sends that network identification information to the RAN together with the key transfer message, so that the receiver can determine which IOPS network the key transfer message needs to be sent to. As in step 5, the key transfer indication information states that the message transfers the second authentication information to the IOPS network, and the network identification information of the IOPS core network identifies the target IOPS network.
  • Step 6 can be triggered by the key transfer request message of step 5, implicitly by the presence of the protected second authentication information, or by the key transfer indication information carried in step 5.
  • Step 6a: The AMF triggers sending an IOPS key indication to the UE. The IOPS key indication instructs the UE to derive, from the key generated by primary authentication, the root key K IOPS required for primary authentication between the UE and the IOPS core network in IOPS mode, and to store K IOPS.
  • This step is optional: the access and mobility management network element sends the terminal device indication information instructing it to generate the second authentication information. The terminal device thereby knows that the second authentication information has been generated, and can be ready to access the second network at any time.
  • Step 7: The RAN sends the key transfer message to the IOPS network, so that the second UDM in the IOPS network obtains the key transfer message. The RAN sends the key transfer message to the second UDM via the second AMF, where the second AMF and the second UDM belong to the same IOPS network.
  • The RAN obtains the key transfer message from the AMF; the key transfer message includes the protected second authentication information and the identification information of the UE.
  • Optionally, when the RAN sends the key transfer message to the IOPS network, it also carries key transfer indication information, which tells the IOPS network that the message carries the key transfer message. For example, the RAN sends the second AMF a message carrying the key transfer message and the key transfer indication information, and the indication tells the second AMF that the message carries the key transfer message.
  • Optionally, the RAN determines the second UDM from the network identification information of the IOPS core network.
  • Step 8: The second UDM determines from the key transfer message that it needs to obtain the second authentication information (K IOPS), and forms and stores the correspondence between the second authentication information and the identification information of the UE, i.e. between K IOPS and the SUPI.
  • Specifically, the second UDM obtains the UE's identification information and the protected second authentication information from the key transfer message, and uses the key acquisition key pre-configured in step 0c to recover the second authentication information: it decrypts the protected second authentication information with the key acquisition key, and/or verifies the integrity of the protected second authentication information with it.
  • The second UDM then stores the correspondence between K IOPS and the SUPI. Later, using the UE's SUPI and this stored correspondence, the second UDM determines K IOPS and uses it as the root key for the primary authentication procedure with the UE.
  • Step 9: The UE uses K IOPS as the root key for primary authentication and performs the primary authentication procedure with the second UDM.
  • In this implementation, the AMF instructs the first UDM to determine the second authentication information based on the network deployment (whether the RAN can connect to an IOPS core network) and/or the UE's capabilities. The second authentication information is obtained from the information required for primary authentication between the UE and the network of the first UDM: specifically, the root key for primary authentication between the UE and the IOPS network is derived from the key obtained in primary authentication between the UE and the macro network (a derived key of the macro network root key), and the first UDM then sends the second authentication information to the second UDM.
  • The UE and the IOPS core network can thus use a derived key of the macro network root key for their primary authentication, which removes the need to pre-configure a UE root key in each local IOPS core network, reducing the complexity and improving the efficiency of data processing.
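The following is an added worked example of the key flow just described (steps 0b, 0c, 4, 5 to 8 and 9 of Figure 5, and equally steps 0b, 0c, 3, 4 to 7 and 8 of Figure 6). It is not code from the patent or from any 3GPP specification. Everything concrete in it is an assumption made for illustration: the KDF shape (HMAC-SHA-256 over a type byte and length-prefixed inputs, modelled on the 3GPP generic KDF, with an unallocated type value 0xC0), the choice of K AUSF as the first authentication information, the protection scheme (an HMAC-SHA-256 counter-mode keystream for confidentiality plus an HMAC tag over the IOPS network identity, SUPI, nonce and ciphertext for integrity, with the key protection key and key acquisition key being the same symmetric key), and all sample keys and identifiers. It shows what the text leaves implicit: the second UDM must verify integrity before it accepts a K IOPS, a message protected for one IOPS core network is rejected by another, and the UE-side derivation of step 6a yields the same K IOPS the second UDM stores against the SUPI.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    # Assumed KDF: S = FC || P0 || L0 || P1 || L1 ...; output = HMAC-SHA-256(key, S).
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_iops(k_ausf: bytes, iops_network_id: bytes) -> bytes:
    # Step 4 (first UDM) and step 6a (UE): K IOPS derived from the primary-authentication
    # key, bound to the identity of the IOPS core network. FC = 0xC0 is an assumption.
    return kdf(k_ausf, 0xC0, b"K_IOPS", iops_network_id)


def _subkeys(k: bytes):
    # Separate confidentiality and integrity keys from one key protection / acquisition key.
    return kdf(k, 0x01, b"enc"), kdf(k, 0x02, b"mac")


def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _aad(net: bytes, supi: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefixed so that field boundaries are unambiguous under the MAC.
    return b"".join(len(x).to_bytes(2, "big") + x for x in (net, supi, nonce, ct))


def protect(kpk: bytes, net: bytes, supi: bytes, k_iops: bytes, nonce: bytes = None) -> dict:
    """Step 4: first UDM turns K IOPS into the protected second authentication information."""
    nonce = nonce or os.urandom(12)
    k_enc, k_mac = _subkeys(kpk)
    ct = bytes(a ^ b for a, b in zip(k_iops, _keystream(k_enc, nonce, len(k_iops))))
    tag = hmac.new(k_mac, _aad(net, supi, nonce, ct), hashlib.sha256).digest()
    return {"supi": supi, "iops_network_id": net, "nonce": nonce, "ct": ct, "tag": tag}


def unprotect(kak: bytes, msg: dict) -> bytes:
    """Step 8: second UDM verifies integrity first, then decrypts. Raises ValueError on failure."""
    k_enc, k_mac = _subkeys(kak)
    aad = _aad(msg["iops_network_id"], msg["supi"], msg["nonce"], msg["ct"])
    if not hmac.compare_digest(hmac.new(k_mac, aad, hashlib.sha256).digest(), msg["tag"]):
        raise ValueError("integrity check failed; protected second authentication information rejected")
    return bytes(a ^ b for a, b in zip(msg["ct"], _keystream(k_enc, msg["nonce"], len(msg["ct"]))))


class FirstUDM:
    def __init__(self, kpk_by_network: dict, subscriptions: dict):
        self.kpk_by_network = kpk_by_network  # step 0b: key protection key per IOPS core network id
        self.subscriptions = subscriptions    # SUPI -> {"iops_allowed": bool, "k_ausf": bytes}

    def key_transfer_request(self, supi: bytes, net: bytes):
        sub = self.subscriptions[supi]
        if not sub["iops_allowed"]:
            return None  # step 4: UE not authorized for the IOPS network, nothing is derived or sent
        return protect(self.kpk_by_network[net], net, supi, derive_k_iops(sub["k_ausf"], net))


class SecondUDM:
    def __init__(self, net: bytes, kak: bytes):
        self.net, self.kak = net, kak  # step 0c: key acquisition key (same symmetric key as the kpk)
        self.k_iops_by_supi = {}

    def on_key_transfer(self, msg: dict) -> None:
        if msg["iops_network_id"] != self.net:
            raise ValueError("key transfer message addressed to another IOPS core network")
        self.k_iops_by_supi[msg["supi"]] = unprotect(self.kak, msg)  # step 8: bind K IOPS to SUPI

    def root_key_for(self, supi: bytes) -> bytes:
        return self.k_iops_by_supi[supi]  # step 9: root key for primary authentication with the UE


def demo() -> dict:
    # Constructed sample keys and identifiers; none are real values.
    kpk = {n: hashlib.sha256(b"sample kpk " + n).digest() for n in (b"iops-east", b"iops-west")}
    supi, k_ausf = b"imsi-001010123456789", hashlib.sha256(b"sample K_AUSF").digest()
    first = FirstUDM(kpk, {supi: {"iops_allowed": True, "k_ausf": k_ausf}})
    east, west = SecondUDM(b"iops-east", kpk[b"iops-east"]), SecondUDM(b"iops-west", kpk[b"iops-west"])
    msg = first.key_transfer_request(supi, b"iops-east")  # steps 4-5
    east.on_key_transfer(msg)                             # steps 6-8, AMF/RAN forward msg unchanged
    result = {"match": east.root_key_for(supi) == derive_k_iops(k_ausf, b"iops-east"),  # step 6a on UE
              "misrouted_rejected": False, "tampered_rejected": False}
    try:
        west.on_key_transfer(msg)  # wrong IOPS core network
    except ValueError:
        result["misrouted_rejected"] = True
    tampered = dict(msg, ct=bytes([msg["ct"][0] ^ 1]) + msg["ct"][1:])
    try:
        unprotect(kpk[b"iops-east"], tampered)  # bit flipped in transit
    except ValueError:
        result["tampered_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The per-network key protection key in `FirstUDM` corresponds to the optional correspondence of step 0b; binding the IOPS network identity and the SUPI under the integrity tag is what stops a message protected for one IOPS core network from being replayed into another or re-attributed to a different subscriber.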
  • Figure 6 takes the data interaction between the UE, RAN, AMF, AUSF, first UDM and second UDM as an example. In this implementation, the first UDM determines the second authentication information after determining from the UE's subscription information that the UE is permitted to access the IOPS network; the AMF does not send indication information to the first UDM.
  • Here the first network is the macro network, the second network is the IOPS network (the IOPS core network described below), the first UDM belongs to the macro network, and the second UDM belongs to the IOPS network.
  • Steps 0a/0b/0c are the same as steps 0a/0b/0c in Figure 5 above, except that in this implementation the AMF need not obtain, in step 0a, the network identification information of the IOPS core network connected to the RAN served by the AMF, and step 0b need not configure the correspondence between key protection keys and the network identification information of IOPS core networks.
  • Step 1: The UE requests access to the macro network by sending a registration request message to the AMF.
  • Step 2: After receiving the registration request, the AMF exchanges messages with the first UDM.
  • The interaction may be indirect: during primary authentication between the UE and the macro network, after receiving the registration request the AMF sends the UE authentication request (Nausf_UEAuthentication_Authenticate Request) to the AUSF, and the AUSF forwards it to the first UDM in the UE authentication get request (Nudm_UEAuthentication_Get Request).
  • The interaction may also be the subscription data get message (Nudm_SDM_Get) that the AMF sends to the first UDM to obtain the UE's subscription information after the registration procedure, or any other message exchanged between the AMF and the UDM; this is not limited here.
  • Step 3: After determining from the UE's subscription information that the UE is authorized to access the IOPS network, the first UDM derives, from the key generated by primary authentication between the UE and the macro network (the first authentication information), the root key K IOPS (the second authentication information) required for primary authentication between the UE and the IOPS core network in IOPS mode.
  • Step 3a: If K IOPS is derived from one or more of K AUSF, K SEAF or K AMF generated in the primary authentication procedure, the UE stores the corresponding K AUSF, K SEAF or K AMF in the USIM application. This step is optional.
  • Step 4: The first UDM sends a key transfer request message to the AMF.
  • Optionally, the key transfer request message includes the identification information of the UE and the protected second authentication information, so that the AMF can determine from the UE's identification information the IOPS core network information corresponding to the RAN accessed by the UE (including the network identification information of the IOPS core network), i.e. which IOPS core network hosts the second UDM to which the UE's identification information and the protected second authentication information are to be sent.
  • Optionally, the key transfer request message includes the identification information of the UE and the protected second authentication information so that the second UDM can determine which UE the received second authentication information belongs to, and can later select the corresponding second authentication information by the UE's identification information when primary authentication is performed between the UE and the IOPS network where the second UDM is located.
  • The first UDM determines the identification information of the UE during primary authentication; the identification information of the UE may be the UE's SUPI.
  • Optionally, the key transfer request message also carries key transfer indication information and/or the network identification information of the IOPS core network. The key transfer indication information tells the AMF network element that this message is used to transfer the second authentication information to the IOPS network; the network identification information of the IOPS core network helps the AMF determine which IOPS network the key transfer request message needs to be sent to.
  • Note that the first UDM can forward the key transfer request to the second UDM via the AMF and the RAN, via an NEF, or by another means such as a direct link between the first UDM and the second UDM. If the first UDM does not forward the key transfer request via the AMF or the RAN, steps 5 and 6 are skipped after this step and step 7 is performed directly.
  • Step 5: Based on the key transfer request message and on the IOPS core network corresponding to the RAN accessed by the UE, the AMF determines to forward the protected second authentication information to the second UDM, i.e. it forwards the protected second authentication information to the IOPS core network corresponding to the RAN accessed by the UE so that the second UDM in that IOPS core network can obtain the second authentication information.
  • This step can be triggered in any one or more of the following ways: by the key transfer request message (step 4), implicitly by the presence of the protected second authentication information, or by the key transfer indication carried in step 4.
  • Optionally, if the forwarding fails, the AMF can send a key transfer failure message to the first UDM together with the corresponding cause value.
  • Step 5a: The AMF triggers sending an IOPS key indication to the UE. The IOPS key indication instructs the UE to derive, from the key generated by primary authentication, the root key K IOPS required for primary authentication between the UE and the IOPS core network in IOPS mode, and to store K IOPS.
  • This step is optional: the access and mobility management network element sends the terminal device indication information instructing it to generate the second authentication information. The terminal device thereby knows that the second authentication information has been generated, and can be ready to access the second network at any time.
  • Step 6: The RAN sends the key transfer message to the IOPS network, so that the second UDM in the IOPS network obtains the key transfer message. The RAN sends the key transfer message to the second UDM via the second AMF, where the second AMF and the second UDM belong to the same IOPS network.
  • The RAN obtains the key transfer message from the AMF; the key transfer message includes the protected second authentication information and the identification information of the UE (the SUPI).
  • Optionally, when the RAN sends the key transfer message to the IOPS network, it also carries key transfer indication information, which tells the IOPS network that the message carries the key transfer message. For example, the RAN sends the second AMF a message carrying the key transfer message and the key transfer indication information, and the indication tells the second AMF that the message carries the key transfer message.
  • Step 7: The second UDM determines from the key transfer message that it needs to obtain the second authentication information (K IOPS), and forms and stores the correspondence between the second authentication information and the identification information of the UE, i.e. between K IOPS and the SUPI.
  • Specifically, the second UDM obtains the UE's identification information and the protected second authentication information from the key transfer message, and uses the key acquisition key pre-configured in step 0c to recover the second authentication information: it decrypts the protected second authentication information with the key acquisition key, and/or verifies the integrity of the protected second authentication information with it.
  • The second UDM then stores the correspondence between K IOPS and the SUPI. Later, using the UE's SUPI and this stored correspondence, the second UDM determines K IOPS and uses it as the root key for the primary authentication procedure with the UE.
  • Step 8: The UE uses K IOPS as the root key for primary authentication and performs the primary authentication procedure with the second UDM.
  • In this implementation, the first UDM determines the second authentication information after determining from the UE's subscription information that the UE is permitted to access the IOPS network. The second authentication information is obtained from the information required for primary authentication between the UE and the network of the first UDM: specifically, the root key for primary authentication between the UE and the IOPS network is derived from the key obtained in primary authentication between the UE and the macro network (a derived key of the macro network root key), and the first UDM then sends the second authentication information to the second UDM.
  • The UE and the IOPS core network can thus use a derived key of the macro network root key for their primary authentication, which removes the need to pre-configure a UE root key in each local IOPS core network, reducing the complexity and improving the efficiency of data processing.
  • Figure 7 takes the data interaction between UE, RAN, AMF, AUSF, first UDM and second UDM as an example for explanation.
  • the first UDM determines the second authentication information after determining the UE's permission to access the IOPS network based on the UE's subscription information.
  • the AMF will not provide the third authentication information to the IOPS network.
  • a UDM sends indication information.
  • the first network is the macro network
  • the second network is the IOPS network (that is, the IOPS core network described below)
  • the first UDM belongs to the macro network
  • the second UDM belongs to the IOPS network.
  • Steps 0a/0b/0c are the same as steps 0a/0b/0c in the above-mentioned Figure 6, and steps 1-2 are the same as steps 1-2 in the above-mentioned Figure 6, and will not be described again here.
  • Step 3 After the first UDM determines, based on the UE subscription information, that the UE has the authority to access the IOPS network, it triggers a network identification information acquisition request message to be sent to the AMF to request the network identification information of the IOPS core network corresponding to the RAN that the UE accesses.
  • the AMF interacts with the first UDM indirectly in step 2, that is, during the primary authentication process between the UE and the macro network, the AMF, after receiving the registration request, interacts with the first UDM to trigger the primary authentication message (specifically, the AMF sends the UE authentication request Nausf_UEAuthentication_Authenticate Request to the AUSF, and the AUSF further sends it to the first UDM through the UDM's UE authentication acquisition request Nudm_UEAuthentication_Get Request).
  • the first UDM needs to obtain the primary authentication success indication through the UDM's UE authentication result confirmation request Nudm_UEAuthentication_ResultConfirmation Request message, and then performs this step.
  • Step 4 The first UDM requests the AMF to obtain the network identification information of the IOPS core network corresponding to the RAN accessed by the UE.
  • the first UDM sends a network identification information acquisition request to the AMF, which carries the UE's SUPI.
  • it may also carry network identification acquisition indication information.
  • the AMF determines that it is necessary to obtain network identification information.
  • the AMF determines whether the RAN accessed by the UE identified by the SUPI has a corresponding local IOPS core network. If it exists, the AMF determines the network identification information of the local IOPS core network (taking the actual deployment into account, the RAN accessed by the UE may be connected to multiple IOPS core networks; in this case the AMF can determine the network identification information of multiple local IOPS core networks and send them to the first UDM); if it does not exist, the AMF sends reply information carrying the corresponding cause value to the first UDM.
  • the AMF determines the network identification information of the IOPS core network corresponding to the RAN accessed by the UE.
  • the AMF can determine the corresponding backhaul network based on the identification information of the UE, and further determine the identification information of the RAN corresponding to the backhaul network, so as to determine the network identification information of the IOPS core network corresponding to the RAN.
  • alternatively, the network identification information of the corresponding IOPS core network is determined from the correspondence, established in step 0a, between the identification of the RAN and the second network identification information.
  • AMF may determine the need to obtain IOPS network identification information based on the network identification information acquisition request message, or may determine the need to obtain IOPS network identification information based on the network identification information acquisition instruction information in the message, which is not specifically limited in this application.
  • Step 5 The AMF replies to the request of the first UDM.
  • Step 6 The first UDM derives the root key K_IOPS (the second authentication information) required for primary authentication between the UE and the IOPS core network in IOPS mode from the key (the first authentication information) generated by the primary authentication between the UE and the macro network.
  • K_IOPS is the second authentication information; the first authentication information is the key generated by the primary authentication between the UE and the macro network.
  • for details, refer to step 3 in the embodiment of FIG. 6 and step 4 in FIG. 5, which will not be described again here.
  • Step 6a For details, please refer to step 3a in the embodiment of Figure 6 mentioned above.
  • Step 7 is the same as step 5 in the above embodiment of Figure 5.
  • Steps 8-11 are the same as steps 6-9 in the above embodiment of Figure 5.
  • the first UDM generates the IOPS key based on the UE's subscription information and sends it to the second UDM.
  • the UE and the IOPS core network can use the derived key of the macro network root key for the main authentication process, eliminating the need to pre-configure the UE root key for the local IOPS core network.
  • when multiple IOPS core networks are deployed, keys can be sent to multiple second UDMs so that the UE can access any of the IOPS core networks, which can reduce the complexity of data processing and improve data processing efficiency.
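As an added illustration (not code from the patent or from the applicant), the following Python models the Figure 7 flow summarised above together with the second UDM's handling described earlier: the first UDM derives K_IOPS from the macro network key KAUSF, protects it with key protection information bound to the IOPS network identifier, and the second UDM verifies, decrypts and binds it to the SUPI before using it as the root key for a stand-in primary authentication. The KDF follows the generic 3GPP KDF layout of TS 33.220 Annex B; the FC values, the pre-configured protection secret, the encrypt-then-MAC scheme, the challenge-response stand-in and all sample values are assumptions constructed for this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Hypothetical FC values: placeholders, not FC values allocated by 3GPP.
FC_K_IOPS = 0xF9
FC_PROTECT = 0xFA


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """KDF in the layout of 3GPP TS 33.220 Annex B: HMAC-SHA-256(key, FC||P0||L0||P1||L1...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # Ln = 2-byte big-endian length of Pn
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_iops(k_ausf: bytes, supi: str, iops_network_id: str) -> bytes:
    """Second authentication information (K_IOPS) derived from first authentication
    information (KAUSF here), bound to the UE's SUPI and the IOPS network identity.
    The first UDM and the UE run this with the same inputs and obtain the same key."""
    return kdf(k_ausf, FC_K_IOPS, supi.encode(), iops_network_id.encode())


def protection_keys(protection_secret: bytes, iops_network_id: str) -> tuple:
    """Key protection information tied to the second network's identifier: an
    encryption key and an integrity key derived from a secret pre-configured for that
    IOPS network (assumption; how the UDMs share the secret is out of scope here)."""
    k_enc = kdf(protection_secret, FC_PROTECT, b"enc", iops_network_id.encode())
    k_mac = kdf(protection_secret, FC_PROTECT, b"mac", iops_network_id.encode())
    return k_enc, k_mac


def _tag(k_mac: bytes, msg: dict) -> bytes:
    # Tag over network id, SUPI, nonce and ciphertext so none can be swapped in transit.
    data = msg["network_id"].encode() + msg["supi"].encode() + msg["nonce"] + msg["ct"]
    return hmac.new(k_mac, data, hashlib.sha256).digest()


def protect(k_iops: bytes, secret: bytes, iops_network_id: str, supi: str) -> dict:
    """First UDM: encrypt-then-MAC K_IOPS before sending it towards the second UDM.
    Keystream = HMAC(k_enc, nonce), one digest long, so K_IOPS must be 32 bytes;
    a deployment would use a standard AEAD such as AES-GCM instead."""
    k_enc, k_mac = protection_keys(secret, iops_network_id)
    nonce = secrets.token_bytes(16)
    keystream = hmac.new(k_enc, nonce, hashlib.sha256).digest()
    if len(k_iops) != len(keystream):
        raise ValueError("K_IOPS must be one HMAC-SHA-256 digest long")
    msg = {"supi": supi, "network_id": iops_network_id, "nonce": nonce,
           "ct": bytes(a ^ b for a, b in zip(k_iops, keystream))}
    msg["tag"] = _tag(k_mac, msg)
    return msg


def ue_response(k_iops: bytes, rand: bytes) -> bytes:
    """UE side of a stand-in primary authentication with K_IOPS as root key."""
    return hmac.new(k_iops, rand, hashlib.sha256).digest()


@dataclass
class SecondUdm:
    """UDM of one IOPS core network: its network id, the protection secret for that
    id, and the K_IOPS <-> SUPI correspondences received from the first UDM."""
    network_id: str
    protection_secret: bytes
    bindings: dict = field(default_factory=dict)

    def unprotect(self, msg: dict) -> bytes:
        # The key decryption protection information is selected by the network id.
        if msg["network_id"] != self.network_id:
            raise ValueError("message addressed to a different IOPS network")
        k_enc, k_mac = protection_keys(self.protection_secret, self.network_id)
        if not hmac.compare_digest(_tag(k_mac, msg), msg["tag"]):
            raise ValueError("integrity check of protected K_IOPS failed")
        keystream = hmac.new(k_enc, msg["nonce"], hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(msg["ct"], keystream))

    def receive(self, msg: dict) -> None:
        """Verify, decrypt and record the K_IOPS <-> SUPI correspondence."""
        self.bindings[msg["supi"]] = self.unprotect(msg)

    def verify_response(self, supi: str, rand: bytes, res: bytes) -> bool:
        # Stand-in for the primary authentication check (real 5G AKA is more involved).
        k = self.bindings.get(supi)
        return k is not None and hmac.compare_digest(ue_response(k, rand), res)


# Constructed sample values (not from the patent).
SAMPLE_SUPI = "imsi-001010123456789"
SAMPLE_K_AUSF = hashlib.sha256(b"constructed sample KAUSF").digest()
SAMPLE_IOPS_ID = "iops-core-1"
SAMPLE_SECRET = b"constructed protection secret for iops-core-1"


def run_flow() -> bool:
    """Figure 7 flow: the first UDM derives and protects K_IOPS, the second UDM recovers
    and stores it, and the UE, deriving the same key locally, passes the challenge."""
    msg = protect(derive_k_iops(SAMPLE_K_AUSF, SAMPLE_SUPI, SAMPLE_IOPS_ID),
                  SAMPLE_SECRET, SAMPLE_IOPS_ID, SAMPLE_SUPI)
    udm2 = SecondUdm(SAMPLE_IOPS_ID, SAMPLE_SECRET)
    udm2.receive(msg)
    k_iops_ue = derive_k_iops(SAMPLE_K_AUSF, SAMPLE_SUPI, SAMPLE_IOPS_ID)
    rand = secrets.token_bytes(16)
    return udm2.verify_response(SAMPLE_SUPI, rand, ue_response(k_iops_ue, rand))
```

Binding the SUPI and the IOPS network identifier into both the derivation and the integrity tag is what makes the second UDM's stored K_IOPS <-> SUPI correspondence trustworthy: a key derived for one UE or one IOPS core network cannot be replayed as another's, and a second UDM configured for a different network identifier rejects the message before decrypting.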
  • each device may include a corresponding hardware structure and/or software module to perform each function.
  • the embodiments of the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is performed by hardware or computer software driving the hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each specific application, but such implementations should not be considered beyond the scope of this application.
  • Embodiments of the present application can divide the device into functional units according to the above method examples.
  • each functional unit can be divided corresponding to each function, or two or more functions can be integrated into one unit.
  • the above integrated units can be implemented in the form of hardware or software functional units.
  • FIG. 8 shows a possible exemplary block diagram of the communication device involved in the embodiment of the present application.
  • the communication device 800 may include: a processing unit 801 and a transceiver unit 802 .
  • the processing unit 801 is used to control and manage the operations of the communication device 800 .
  • the transceiver unit 802 is used to support communication between the communication device 800 and other devices.
  • the transceiver unit 802 may include a receiving unit and/or a sending unit, respectively configured to perform receiving and sending operations.
  • the communication device 800 may also include a storage unit for storing program codes and/or data of the communication device 800 .
  • the transceiver unit may be called an input-output unit, a communication unit, etc.
  • the transceiver unit may be a transceiver
  • the processing unit may be a processor.
  • when the communication device is a module (such as a chip) in a communication device:
  • the transceiver unit may be an input-output interface, an input-output circuit, or an input-output pin, etc., and may also be called an interface, a communication interface, or an interface circuit, etc.
  • the processing unit may be a processor, a processing circuit or a logic circuit, etc.
  • the device may be the above-mentioned first UDM, AMF, second UDM, etc.
  • the processing unit 801 of the communication device 800 is configured to determine, based on the first authentication information used by the terminal device for access authentication with the first network, the second authentication information used by the terminal device for access authentication with the second network; the communication device belongs to the first network; the first network is different from the second network; the transceiver unit 802 is used to send the second authentication information to the second unified data management unit, and the second unified data management unit belongs to the second network.
  • the processing unit 801 is configured to determine the second authentication information according to the first authentication information when it is determined that the terminal device has the authority to access the first network.
  • the transceiver unit 802 is configured to receive indication information from the access and mobility management network element, where the indication information is used to trigger the communication device to determine the second authentication information.
  • the processing unit 801 is configured to use the first authentication information as an input parameter to generate second authentication information.
  • the first authentication information includes one or more of the following: CK, IK, SQN, KAUSF, KSEAF, and KAMF.
  • the transceiver unit 802 is configured to send the identification information of the terminal device and the second authentication information to the second unified data management unit, and the identification information of the terminal device is associated with the second authentication information.
  • the transceiver unit 802 is configured to send the second authentication information to the second unified data management unit through the access and mobility management network element and the radio access network device; or, the transceiver unit 802 is configured to send the second authentication information to the second unified data management unit through the NEF.
  • the second authentication information is securely protected through key protection information.
  • the transceiver unit 802 is configured to receive the identification information of the second network from the access and mobility management network element; the processing unit 801 is configured to determine the key protection information according to the identification information of the second network.
  • the first network is an IOPS network or a private network
  • the second network is a macro network
  • the first network is a macro network
  • the second network is an IOPS network or a private network
  • the processing unit 801 of the communication device 800 is used to determine the identification information of the second network; the first unified data management unit belongs to the first network; the first network is different from the second network; the transceiver unit 802 is used to send the identification information of the second network to the first unified data management unit.
  • the processing unit 801 triggers indication information; the indication information is used to instruct the first unified data management unit to determine, based on the first authentication information used for access authentication between the terminal device and the first network, the second authentication information used for access authentication between the terminal device and the second network; the transceiver unit 802 is used to send the indication information to the first unified data management unit.
  • the processing unit 801 is configured to determine the identification information of the second network based on the existence of a second network co-deployed with the radio access network device accessed by the terminal device.
  • the processing unit 801 is configured to determine, based on the capability information of the terminal device, that the terminal device has the ability to access the second network; and to determine the identification information of the second network based on the terminal device having the ability to access the second network and the accessed radio access network device having a co-deployed second network.
  • the transceiver unit 802 is configured to receive a request message for the identification information of the second network from the first unified data management unit; the processing unit 801 is configured to query the identification information of the second network based on the request message.
  • the transceiver unit 802 is configured to send instruction information to the terminal device for instructing the terminal device to generate the second authentication information.
  • the second authentication information is securely protected through key protection information.
  • the first network is an IOPS network or a private network
  • the second network is a macro network
  • the first network is a macro network
  • the second network is an IOPS network or a private network
  • the transceiver unit 802 of the communication device 800 is used to receive the second authentication information from the first unified data management network element used for access authentication between the terminal equipment and the second network; the processing unit 801 is used to perform the access authentication according to the The second authentication information performs access authentication on the terminal device.
  • the second authentication information is determined by the first unified data management unit based on the first authentication information used for access authentication between the terminal device and the first network; the first unified data management unit belongs to the first network ; The second unified data management unit belongs to the second network; the first network is different from the second network.
  • the second authentication information is protected by key protection information.
  • the processing unit 801 is configured to decrypt the second authentication information protected by the key protection information using the key decryption protection information, and thereby determine the second authentication information, before performing access authentication on the terminal device according to the second authentication information.
  • the key decryption protection information is associated with the identification information of the second network.
  • the first network is an IOPS network or a private network
  • the second network is a macro network
  • the first network is a macro network
  • the second network is an IOPS network or a private network
  • the communication device 900 may be a chip or a system on a chip.
  • the communication device may be located in the device involved in any of the above method embodiments, such as the first UDM, AMF, and the second UDM, etc., to perform actions corresponding to the device.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • Communication device 900 includes processor 910.
  • the processor 910 is configured to execute the computer program stored in the memory 920 to implement the actions of each device in any of the above method embodiments.
  • Communication device 900 may also include memory 920 for storing computer programs.
  • memory 920 and processor 910 are coupled. Coupling is an indirect coupling or communication connection between devices, units or modules, which can be in electrical, mechanical or other forms, and is used for information interaction between devices, units or modules.
  • the memory 920 is integrated with the processor 910 .
  • there can be one or more processors 910 and one or more memories 920, without limitation.
  • the communication device 900 may or may not include the transceiver 930 , as shown by a dotted box in the figure, and the communication device 900 may interact with other devices through the transceiver 930 .
  • the transceiver 930 may be a circuit, a bus, a transceiver, or any other device that may be used for information exchange.
  • the communication device 900 may be the first UDM, AMF and second UDM in the implementation of the above methods.
  • connection medium between the above-mentioned transceiver 930, processor 910 and memory 920 is not limited in the embodiment of the present application.
  • the memory 920, the processor 910 and the transceiver 930 are connected through a bus.
  • the bus is represented by a thick line in Figure 9.
  • the connection methods between other components are only schematically illustrated and are not limiting.
  • the bus can be divided into address bus, data bus, control bus, etc. For ease of presentation, only one thick line is used in Figure 9, but it does not mean that there is only one bus or one type of bus.
  • the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute each method, step and logical block diagram disclosed in the embodiments of this application.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc. The steps of the methods disclosed in conjunction with the embodiments of the present application can be directly implemented by a hardware processor for execution, or can be executed by a combination of hardware and software modules in the processor.
  • the memory may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), etc., or it may be a volatile memory (volatile memory), such as Random-access memory (RAM).
  • Memory may also be, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
  • the memory in the embodiment of the present application can also be a circuit or any other device capable of performing a storage function, used to store computer programs, program instructions and/or data.
  • the embodiment of the present application also provides another communication device 1000, including: an interface circuit 1010 and a logic circuit 1020; the interface circuit 1010 can be understood as an input and output interface, and can be used to perform any of the above methods.
  • the logic circuit 1020 can be used to run codes or instructions to perform the method performed by each device in any of the above embodiments, which will not be described again.
  • embodiments of the present application also provide a computer-readable storage medium that stores instructions.
  • when the instructions are executed, the method executed by each device in any of the above method embodiments is implemented, for example, the method executed by the first UDM or the second UDM in the embodiment shown in FIG. 4.
  • the computer-readable storage medium may include: U disk, mobile hard disk, read-only memory, random access memory, magnetic disk or optical disk and other various media that can store program codes.
  • embodiments of the present application also provide a communication system.
  • the communication system includes the first UDM, AMF and second UDM mentioned in any of the above method embodiments, and can be used to execute each of the above method embodiments.
  • embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment that combines software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • These computer program instructions may also be stored in a computer-readable memory that causes a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

Abstract

Provided in the embodiments of the present application are a communication method and a communication apparatus, relating to the technical field of communications. According to first authentication information used for access authentication performed between a terminal device and a first network, a first unified data management unit determines second authentication information used for access authentication performed between the terminal device and a second network, the first unified data management unit belonging to the first network, and the first network being different from the second network; and the first unified data management unit sends the second authentication information to a second unified data management unit, the second unified data management unit belonging to the second network. In the present application, the second authentication information for access to the second network is determined on the basis of the first authentication information for access to the first network, thus reducing the complexity of access authentication, and improving the data processing efficiency.

Description

A communication method and communication device
Cross-reference to related applications
This application claims priority to the Chinese patent application filed with the China Patent Office on May 6, 2022, with application number 202210489861.5 and title "A communication method and communication device", the entire content of which is incorporated into this application by reference.
Technical field
The embodiments of the present application relate to the field of communication technology, and in particular to a communication method and a communication device.
Background art
Isolated E-UTRAN operation for public safety (IOPS) was introduced into the long term evolution (LTE) system in 3rd generation partnership project (3GPP) R13. The definition of IOPS scenarios in the LTE standard technical specifications (TS) 23.401 and TS 33.401 mainly focuses on user equipment (UE) switching from macro network access to the IOPS network.
When the UE performs primary authentication with the macro network and with the IOPS network, it needs to use an international mobile subscriber identity (IMSI) and a root key different from those of its macro network subscription. That is, the macro network core network stores only the IMSI and root key used when the UE performs primary authentication with the macro network, and the IOPS core network stores only the IMSI and root key used when the UE performs primary authentication with the IOPS network; when performing primary authentication with a given network, the UE uses the corresponding IMSI and root key.
Summary of the invention
This application provides a communication method and communication device to reduce the complexity of access authentication and improve data processing efficiency.
In a first aspect, this application provides a communication method, including:
A first unified data management unit determines, based on first authentication information used by a terminal device for access authentication with a first network, second authentication information used by the terminal device for access authentication with a second network; the first unified data management unit belongs to the first network; the first network is different from the second network; the first unified data management unit sends the second authentication information to a second unified data management unit, and the second unified data management unit belongs to the second network.
In this application, the first unified data management unit determining, based on the first authentication information used by the terminal device for access authentication with the first network, the second authentication information used by the terminal device for access authentication with the second network can be understood as the first unified data management unit determining the second authentication information with reference to the first authentication information, or deriving the second authentication information from certain parameters in the first authentication information; this application does not limit how the second authentication information is determined. The first network and the second network are two different networks. Usually, if a terminal can access both networks, two different sets of authentication information need to be pre-configured to perform access authentication with the respective networks. In this application, however, the first unified data management unit can determine the authentication information of one network based on the authentication information of another network, so the terminal needs to pre-configure only one set of authentication information. This reduces the complexity of access authentication and the amount of computation on the device, avoids storing a large amount of authentication information in the terminal device and the unified data management unit, and thereby reduces the data stored in the terminal device and the unified data management unit and saves storage space; further, adopting the solution of this application can improve data processing efficiency.
In an optional manner, when the first unified data management unit determines that the terminal device has the authority to access the first network, it determines the second authentication information based on the first authentication information.
In this application, the terminal device having the authority to access the first network can be understood as the terminal device supporting receiving communication services in the first network, for example sending and receiving data through the first network. The first unified data management unit can obtain from other network elements, such as the access and mobility management network element, whether the terminal device has the authority to access the first network; if it does, the second authentication information is determined based on the first authentication information; if it does not, the second authentication information need not be determined. In this application, before determining the second authentication information based on the first authentication information, it is determined that the terminal device has the authority to access the first network, which avoids computing second authentication information for terminal devices that do not support receiving services in the first network.
In an optional manner, the first unified data management unit receives indication information from the access and mobility management network element, and the indication information is used to trigger the first unified data management unit to determine the second authentication information.
In this application, the first unified data management network element may determine the second authentication information based on the indication information only after receiving it; in this way the timing of determining the second authentication information can be set accurately, ensuring data processing efficiency.
In an optional manner, the first unified data management unit uses the first authentication information as an input parameter to generate the second authentication information.
The second authentication information derived in this way can meet the requirements of both networks, avoiding the use of two different sets of authentication information for access authentication with different networks, which can improve data processing efficiency.
In an optional manner, the first authentication information includes one or more of the following: confidentiality key CK, integrity key IK, sequence number (SQN), AUSF key KAUSF, SEAF key KSEAF, and AMF key KAMF.
Including the above parameters in the first authentication information ensures that the first unified data management unit can derive the second authentication information.
In an optional manner, the first unified data management unit sends the identification information of the terminal device and the second authentication information to the second unified data management unit, and the identification information of the terminal device is associated with the second authentication information.
In this application, since the second unified data management unit may receive the second authentication information of multiple terminal devices, the first unified data management unit sends the identification information of the terminal device together with the second authentication information to the second unified data management unit, with a correspondence between the identification information of the terminal device and the second authentication information, so that the second unified data management unit knows which terminal device each second authentication information corresponds to.
In an optional manner, the first unified data management unit receives a second unified data management unit identifier from the access and mobility management network element; the second unified data management unit identifier is used to identify a specific second unified data management network element. In this application, since there may be multiple second unified data management units, receiving the second unified data management unit identifier from the access and mobility management network element lets the first unified data management unit know to which second unified data management unit the second authentication information should be sent once it has been obtained.
In an optional manner, the first unified data management unit sends the second authentication information to the second unified data management unit through the access and mobility management network element and the radio access network device; or, the first unified data management unit sends the second authentication information to the second unified data management unit through the network exposure function (NEF).
在一种可选的方式中,第二认证信息通过密钥保护信息进行安全保护。In an optional manner, the second authentication information is securely protected through key protection information.
通过该方式可保证第二认证信息传输的安全性。In this way, the security of the transmission of the second authentication information can be ensured.
在一种可选的方式中,第一统一数据管理单元接收来自接入和移动管理网元的第二网 络的标识信息;第一统一数据管理单元根据第二网络的标识信息确定密钥保护信息。In an optional manner, the first unified data management unit receives the second network data from the access and mobility management network element. The first unified data management unit determines the key protection information according to the identification information of the second network.
本申请中,第二网络标识信可能与密钥保护信息存在关联,不同的第二网络可能对应不同的密钥保护信息,通过该方式可以保证第一统一数据管理单元与不同的第二网络之间数据传输的安全性。In this application, the second network identification information may be associated with the key protection information, and different second networks may correspond to different key protection information. In this way, the communication between the first unified data management unit and different second networks can be ensured. The security of data transmission between.
在一种可选的方式中,第一网络为IOPS网络或私网,第二网络为宏网络;或,第一网络为宏网络,第二网络为IOPS网络或私网。In an optional manner, the first network is an IOPS network or a private network, and the second network is a macro network; or the first network is a macro network, and the second network is an IOPS network or a private network.
In a second aspect, this application provides a communication method, including:
the access and mobility management network element determines the identification information of the second network, where the first unified data management unit belongs to the first network and the first network is different from the second network; and the access and mobility management network element sends the identification information of the second network to the first unified data management unit.
In this application, only when it has received the identification information of the second network does the first unified data management network element determine, on the basis of the first authentication information used for access authentication between the terminal device and the first network, the second authentication information used for access authentication between the terminal device and the second network. This fixes precisely when the second authentication information is determined and keeps data processing efficient.
In an optional manner, the access and mobility management network element triggers indication information, where the indication information is used to instruct the first unified data management unit to determine, on the basis of the first authentication information used for access authentication between the terminal device and the first network, the second authentication information used for access authentication between the terminal device and the second network; and the access and mobility management network element sends the indication information to the first unified data management unit.
In this application, only when it has received the indication information does the first unified data management network element determine, on the basis of the first authentication information used for access authentication between the terminal device and the first network, the second authentication information used for access authentication between the terminal device and the second network. This fixes precisely when the second authentication information is determined and keeps data processing efficient.
In an optional manner, the access and mobility management network element determines the identification information of the second network on the basis of a second network being co-deployed with the radio access network device that the terminal device accesses.
It should be noted that a second network co-deployed with the radio access network device is a second network to which the radio access network device can connect; in actual application, that connection may or may not have been created. The access and mobility management network element can determine the identification information of the second network on this basis, which prevents processing resources from being wasted on determining the second authentication information when the radio access network device accessed by the terminal device does not support switching to the second network.
In an optional manner, the access and mobility management network element obtains capability information of the terminal device from the terminal device and determines, according to the capability information of the terminal device, that the terminal device is capable of accessing the second network; the access and mobility management network element then determines the identification information of the second network on the basis of the terminal device being capable of accessing the second network and the accessed radio access network device having a co-deployed second network.
This prevents processing resources from being wasted on determining the second authentication information when the radio access network device accessed by the terminal device does not support switching to the second network or the terminal device does not support accessing the second network.
In an optional manner, the access and mobility management network element receives a request message for the identification information of the second network from the first unified data management unit, and the access and mobility management network element determines the identification information of the second network on the basis of the request message.
It should be noted that after receiving the request message for the second network identifier from the first unified data management unit, the access and mobility management network element queries whether the radio access network device accessed by the terminal device has a co-deployed second network. If there is a co-deployed second network, the second network identification information can be sent directly to the first unified data management unit; if the radio access network device accessed by the terminal device has no co-deployed second network, the access and mobility management network element replies to the first unified data management network element with a rejection response. This prevents the situation in which the access and mobility management network element has not stored network identification information and the second authentication information therefore cannot be sent to the correct second network. It should be noted that the access and mobility management network element having a co-deployed second network means that there is a second network to which the radio access network device can connect, although in actual application that connection may or may not have been created, and the access and mobility management network element can determine the identification information of the second network on this basis; the access and mobility management network element having no co-deployed second network means that the radio access network device has no second network to which it can connect.
In an optional manner, the access and mobility management network element sends to the terminal device indication information used to instruct the terminal device to generate the second authentication information.
In this way, the terminal device knows that the second authentication information has been generated, and the terminal device can be ready to access the second network at any time.
In an optional manner, the second authentication information is security-protected by means of key protection information.
In an optional manner, the first network is an IOPS network or a private network and the second network is a macro network; or, the first network is a macro network and the second network is an IOPS network or a private network.
In a third aspect, this application provides a communication method, including:
the second unified data management unit receives, from the first unified data management network element, the second authentication information used for access authentication between the terminal device and the second network; and the second unified data management unit performs access authentication of the terminal device according to the second authentication information.
In an optional manner, the second authentication information is determined by the first unified data management unit on the basis of the first authentication information used for access authentication between the terminal device and the first network, where the first unified data management unit belongs to the first network, the second unified data management unit belongs to the second network, and the first network is different from the second network.
In an optional manner, the second authentication information is protected by means of key protection information.
In an optional manner, before the second unified data management unit performs access authentication of the terminal device according to the second authentication information, the second unified data management unit decrypts, using key decryption information, the second authentication information protected by the key protection information, and thereby determines the second authentication information.
In an optional manner, the key decryption information is associated with the identification information of the second network.
In an optional manner, the first network is an IOPS network or a private network and the second network is a macro network; or, the first network is a macro network and the second network is an IOPS network or a private network.
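As an added worked example (not code from the application), the following Python models the three roles of the first to third aspects end to end: the access and mobility management network element deciding whether a second network identifier exists at all (co-deployed second network plus terminal capability), the first unified data management unit deriving the second authentication information from the first authentication information and protecting it under key protection information bound to the second network identifier, and the second unified data management unit unprotecting it with the matching key decryption information, storing it under the terminal identifier, and authenticating the terminal. The KDF, the protection construction, the provisioning table, the challenge-response check and every key value are assumptions, since the application does not fix them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 derivation (assumed stand-in for a real KDF)."""
    msg = label.encode() + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()

# Constructed provisioning (assumed): key protection information at the first UDM and
# key decryption information at the second UDM are the same per-second-network secret.
PROVISIONED_PROTECTION_KEYS: Dict[str, bytes] = {
    "macro-net-A": bytes.fromhex("11" * 32),
    "macro-net-B": bytes.fromhex("22" * 32),
}

@dataclass
class FirstAuthInfo:
    """First authentication information shared by the UE and the first network."""
    ck: bytes
    ik: bytes
    sqn: bytes
    k_ausf: bytes
    k_seaf: bytes
    k_amf: bytes

def derive_second_auth_info(first: FirstAuthInfo, second_net_id: str) -> bytes:
    """First UDM (and, identically, the UE): derive with the first auth info as input."""
    return kdf(first.k_ausf, "second-auth-info", first.ck, first.ik, first.sqn,
               first.k_seaf, first.k_amf, second_net_id.encode())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [kdf(enc_key, "ks", nonce, i.to_bytes(4, "big")) for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def protect(kpi: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC from stdlib primitives (assumed; a deployment would use an AEAD)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(kdf(kpi, "enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(kdf(kpi, "mac"), nonce + ct, hashlib.sha256).digest()

def unprotect(kdi: bytes, blob: bytes) -> Optional[bytes]:
    """Second UDM: None when the key decryption info does not match or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kdf(kdi, "mac"), nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kdf(kdi, "enc"), nonce, len(ct))))

def amf_determine_second_network(ran_codeployed_net: Optional[str],
                                 ue_capability: Dict[str, bool]) -> Optional[str]:
    """AMF: an identifier only when the RAN node serving the UE has a co-deployed second
    network and the UE reported the capability to access it; otherwise nothing is sent."""
    if ran_codeployed_net is None or not ue_capability.get(ran_codeployed_net, False):
        return None
    return ran_codeployed_net

def first_udm_prepare(first: FirstAuthInfo, ue_id: str,
                      second_net_id: Optional[str]) -> Optional[Tuple[str, bytes]]:
    """First UDM: derive and protect only once the indication (the second network
    identifier) has arrived; the UE identifier travels with the protected payload."""
    if second_net_id is None:
        return None
    kpi = PROVISIONED_PROTECTION_KEYS[second_net_id]
    return ue_id, protect(kpi, derive_second_auth_info(first, second_net_id))

@dataclass
class SecondUDM:
    net_id: str
    store: Dict[str, bytes] = field(default_factory=dict)  # UE id -> second auth info

    def receive(self, ue_id: str, blob: bytes) -> bool:
        info = unprotect(PROVISIONED_PROTECTION_KEYS[self.net_id], blob)
        if info is None:
            return False
        self.store[ue_id] = info
        return True

    def authenticate(self, ue_id: str, challenge: bytes, response: bytes) -> bool:
        """Challenge-response over the stored second authentication information."""
        info = self.store.get(ue_id)
        return info is not None and hmac.compare_digest(
            response, hmac.new(info, challenge, hashlib.sha256).digest())

def run_handover(ran_codeployed_net: Optional[str], ue_capability: Dict[str, bool],
                 second_udm: SecondUDM) -> bool:
    """End-to-end flow on constructed first auth info; True only when the UE authenticates."""
    first = FirstAuthInfo(ck=b"\x01" * 16, ik=b"\x02" * 16, sqn=(7).to_bytes(6, "big"),
                          k_ausf=b"\x03" * 32, k_seaf=b"\x04" * 32, k_amf=b"\x05" * 32)
    ue_id = "supi-constructed-001"
    net_id = amf_determine_second_network(ran_codeployed_net, ue_capability)
    prepared = first_udm_prepare(first, ue_id, net_id)
    if prepared is None or not second_udm.receive(*prepared):
        return False
    challenge = secrets.token_bytes(16)  # issued by the second network at access time
    ue_info = derive_second_auth_info(first, net_id)  # UE generates it on AMF instruction
    response = hmac.new(ue_info, challenge, hashlib.sha256).digest()
    return second_udm.authenticate(ue_id, challenge, response)
```

A second UDM provisioned for a different network identifier cannot unprotect the payload, which is the property the key protection information bound to the second network identifier is meant to give.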
In a fourth aspect, embodiments of this application provide a communication apparatus. The communication apparatus may be the first unified data management unit or a chip disposed inside the first unified data management unit; it may also be the access and mobility management network element or a chip disposed inside the access and mobility management network element; and it may also be the second unified data management unit or a chip disposed inside the second unified data management unit. The communication apparatus has the function of implementing any one of the first to third aspects above; for example, the communication apparatus includes modules, units or means that perform the steps involved in any one of the first to third aspects above, and these functions, units or means may be implemented by software, by hardware, or by hardware executing corresponding software.
In a possible design, the communication apparatus includes a processing unit and a transceiver unit. The transceiver unit may be used to send and receive signals so that the communication apparatus can communicate with other apparatuses, for example to receive configuration information from the terminal device; the processing unit may be used to perform some internal operations of the communication apparatus. The transceiver unit may be called an input/output unit, a communication unit, or the like, and may be a transceiver; the processing unit may be a processor. When the communication apparatus is a module (such as a chip) in a communication device, the transceiver unit may be an input/output interface, an input/output circuit, an input/output pin, or the like, and may also be called an interface, a communication interface, an interface circuit, or the like; the processing unit may be a processor, a processing circuit, a logic circuit, or the like.
In yet another possible design, the communication apparatus includes a processor and may further include a transceiver, where the transceiver is used to send and receive signals and the processor executes program instructions to carry out the method in any possible design or implementation of the first to third aspects above. The communication apparatus may further include one or more memories coupled to the processor, and the memory may store the computer programs or instructions necessary to implement the functions involved in any one of the first to third aspects above. The processor may execute the computer programs or instructions stored in the memory, and when the computer programs or instructions are executed, the communication apparatus implements the method in any possible design or implementation of the first to third aspects above.
In yet another possible design, the communication apparatus includes a processor, which may be coupled to a memory. The memory may store the computer programs or instructions necessary to implement the functions involved in any one of the first to third aspects above. The processor may execute the computer programs or instructions stored in the memory, and when the computer programs or instructions are executed, the communication apparatus implements the method in any possible design or implementation of the first to third aspects above.
In yet another possible design, the communication apparatus includes a processor and an interface circuit, where the processor is configured to communicate with other apparatuses through the interface circuit and to perform the method in any possible design or implementation of the first to third aspects above.
It can be understood that, in the fourth aspect above, the processor may be implemented by hardware or by software. When implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented by software, the processor may be a general-purpose processor that operates by reading software code stored in a memory. In addition, there may be one or more processors and one or more memories. The memory may be integrated with the processor or provided separately from the processor. In a specific implementation, the memory and the processor may be integrated on the same chip or provided on different chips; the embodiments of this application do not limit the type of the memory or the way the memory and the processor are arranged.
In a fifth aspect, embodiments of this application provide a communication system, which includes the first unified data management unit, the access and mobility management network element, and the second unified data management unit of the first to third aspects above.
In a sixth aspect, this application provides a chip system, which includes a processor and may further include a memory, for implementing the method described in any possible design of the first to third aspects above. The chip system may consist of chips, or may include chips and other discrete devices.
In a seventh aspect, this application further provides a computer-readable storage medium storing computer-readable instructions which, when run on a computer, cause the computer to perform the method in any possible design of the first to third aspects above.
In an eighth aspect, this application provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the methods of the embodiments of the first to third aspects above.
For the technical effects that can be achieved by the second to eighth aspects above, refer to the description of the technical effects achievable by the corresponding possible designs of the first aspect above; they are not repeated here.
Description of the drawings
Figure 1 shows a schematic diagram of a communication system provided by an embodiment of this application;
Figure 2A shows a schematic diagram of an application scenario;
Figure 2B shows a schematic diagram of another application scenario;
Figure 3 shows a schematic flowchart of a UE switching from a macro network to an IOPS network;
Figure 4 shows a schematic flowchart of a communication method provided by an embodiment of this application;
Figure 5 shows a schematic flowchart of another communication method provided by an embodiment of this application;
Figure 6 shows a schematic flowchart of another communication method provided by an embodiment of this application;
Figure 7 shows a schematic flowchart of another communication method provided by an embodiment of this application;
Figure 8 shows a schematic structural diagram of a communication apparatus provided by an embodiment of this application;
Figure 9 shows a schematic structural diagram of a communication apparatus provided by an embodiment of this application;
Figure 10 shows a schematic structural diagram of a communication apparatus provided by an embodiment of this application.
Detailed description
To make the objectives, technical solutions and advantages of this application clearer, this application is described in further detail below with reference to the accompanying drawings. The specific operating methods in the method embodiments may also be applied in the apparatus embodiments or the system embodiments. In the description of this application, unless otherwise stated, "a plurality of" means two or more. The apparatus and method implementations may therefore be referred to each other, and repeated content is not described again.
Figure 1 exemplarily shows a schematic diagram of a mobile communication network architecture. The network architecture includes a terminal device, an access network device, an access and mobility management function, a session management function, a user plane function, a policy control function, a network slice selection function, a network slice-specific authentication and authorization function, a network repository function, a network data analytics function, a unified data management function, a unified data repository function, an authentication server function, a network exposure function, a UE radio capability management function, a binding support function, an application function, and a data network (DN) connected to the operator's network. The terminal device can access the radio network through the access node at its current location. The terminal device can send service data to, and receive service data from, the data network through the access network device and the user plane function.
The access and mobility management function is mainly used for the attachment, mobility management, tracking area update procedures and the like of terminal devices in a mobile network. In a 5G communication system, the access and mobility management function may be the access and mobility management function (AMF); in a future communication system (such as a 6G communication system), the access and mobility management function may still be the AMF or may have another name, which is not limited in this application.
The session management function is mainly used for session management in a mobile network, such as session establishment, modification and release. Specific functions include assigning Internet Protocol addresses to terminal devices and selecting the user plane function that provides packet forwarding. In a 5G communication system, the session management function may be the session management function (SMF); in a future communication system (such as a 6G communication system), the session management function may still be the SMF or may have another name, which is not limited in this application.
The user plane function is mainly used to process user packets, for example forwarding and charging. In a 5G communication system, the user plane function may be the user plane function (UPF); in a future communication system (such as a 6G communication system), the user plane function may still be the UPF or may have another name, which is not limited in this application.
The policy control function includes policy control, charging policy control, quality of service (QoS) control and the like. In a 5G communication system, the policy control function may be the policy control function (PCF); in a future communication system (such as a 6G communication system), the policy control function may still be the PCF or may have another name, which is not limited in this application.
The network slice selection function is mainly used to select a suitable network slice for the services of a terminal device. In a 5G communication system, the network slice selection function may be the network slice selection function (NSSF); in a future communication system (such as a 6G communication system), the network slice selection function may still be the NSSF or may have another name, which is not limited in this application.
The network slice-specific authentication and authorization function (NSSAAF) is mainly used for authentication and authorization of a terminal device accessing a specific network slice.
The network repository function is mainly used to provide registration and discovery of network functions or of the services provided by network functions. In a 5G communication system, the network repository function may be the network repository function (NRF); in a future communication system (such as a 6G communication system), the network repository function may still be the NRF or may have another name, which is not limited in this application.
The network data analytics function can collect data from various network functions, for example the policy control function, the session management function, the user plane function, the access management function and the application function (through the network exposure function), and perform analysis and prediction. In a 5G communication system, the network data analytics function may be the network data analytics function (NWDAF); in a future communication system (such as a 6G communication system), the network data analytics function may still be the NWDAF or may have another name, which is not limited in this application.
The unified data management function is mainly used to manage the subscription information of terminal devices. In a 5G communication system, the unified data management function may be the unified data management (UDM) function; in a future communication system (such as a 6G communication system), the unified data management function may still be the UDM function or may have another name, which is not limited in this application.
The unified data repository function is mainly used to store structured data information, including subscription information, policy information, and network data or service data defined in a standard format. In a 5G communication system, the unified data repository function may be the unified data repository (UDR) function; in a future communication system (such as a 6G communication system), the unified data repository function may still be the UDR function or may have another name, which is not limited in this application.
The authentication server function is mainly used for security authentication of terminal devices. In a 5G communication system, the authentication server function may be the authentication server function (AUSF); in a future communication system (such as a 6G communication system), the authentication server function may still be the AUSF or may have another name, which is not limited in this application.
The network exposure function can expose some functions of the network to applications in a controlled manner. In a 5G communication system, the network exposure function may be the NEF; in a future communication system (such as a 6G communication system), the network exposure function may still be the NEF or may have another name, which is not limited in this application.
The UE radio capability management function is used to store and manage the radio capabilities of terminal devices in the network. In a 5G communication system, the UE radio capability management function may be the UE radio capability management function (UCMF); in a future communication system (such as a 6G communication system), the UE radio capability management function may still be the UCMF or may have another name, which is not limited in this application.
The binding support function is used to maintain the correspondence between a user's Internet Protocol (IP) address and the serving functions. In a 5G communication system, the binding support function may be the binding support function (BSF); in a future communication system (such as a 6G communication system), the binding support function may still be the BSF or may have another name, which is not limited in this application.
The application function can provide service data of various applications to the control plane functions of the operator's communication network, or obtain network data information and control information from the control plane functions of the communication network. In a 5G communication system, the application function may be the application function (AF); in a future communication system (such as a 6G communication system), the application function may still be the AF or may have another name, which is not limited in this application.
数据网络,主要用于为终端设备提供数据传输服务。数据网络可以是私有网络,如局域网,也可以是公用数据网(public data network,PDN),如因特网(Internet),还可以是 运营商合并部署的专有网络,如配置的IP多媒体网络子系统(IP multimedia core network subsystem,IMS)服务。Data network is mainly used to provide data transmission services for terminal devices. The data network can be a private network, such as a local area network, or a public data network (PDN), such as the Internet. Operators consolidate and deploy proprietary networks, such as configured IP multimedia core network subsystem (IMS) services.
The terminal (that is, the terminal device) involved in the embodiments of this application is an entity on the user side that receives or transmits signals; it sends uplink signals to a network device or receives downlink signals from a network device. It includes devices that provide voice and/or data connectivity to a user, for example a UE, a handheld device with a wireless connection function, or a processing device connected to a wireless modem. The terminal device may communicate with the core network via a radio access network (RAN) and exchange voice and/or data with the RAN. The terminal device may include a UE, a vehicle-to-everything (V2X) terminal device, a wireless terminal device, a mobile terminal device, a device-to-device (D2D) terminal device, a machine-to-machine/machine-type communications (M2M/MTC) terminal device, an IoT terminal device, a subscriber unit, a subscriber station, a mobile station, a remote station, an AP, a remote terminal, an access terminal, a user terminal, a user agent, a user device, a wearable device, a vehicle-mounted device, an unmanned aerial vehicle, and so on.
As an example rather than a limitation, in the embodiments of this application the terminal device may also be a wearable device. A wearable device, also called a wearable smart device or smart wearable device, is a general term for devices developed by applying wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not merely a hardware device; it achieves powerful functions through software support, data exchange and cloud interaction. Broadly, wearable smart devices include full-featured, larger devices that can perform all or part of their functions without relying on a smartphone, such as smart watches or smart glasses, as well as devices that focus on one type of application function and must be used together with another device such as a smartphone, such as smart bracelets, smart helmets and smart jewelry used for vital-sign monitoring.
It should be noted that in the embodiments of this application a function may also be called a network element, a network function, a functional entity, a device, and so on. For example, the access and mobility management function may also be called the access and mobility management network element, the access and mobility management network function, or the access and mobility management functional entity. The names of the functions are not limited in this application; a person skilled in the art may replace the names of the above functions with other names while performing the same functions, and all such variants fall within the scope of protection of this application.
Figure 2A is a schematic diagram of an application scenario provided by this application. The scenario takes an IOPS network and a macro network as an example; in practice it may equally be a private network and a macro network, which this application does not specifically limit. Typically, when backhaul communication is unavailable, an IOPS-capable LTE access network device (IOPS-capable eNB) provides communication services to public safety users. "No backhaul communication" means that the link between the access network device and the LTE macro core network (macro EPC) is interrupted. In the event of a disaster such as an earthquake, or a fault in the backhaul optical fibre, backhaul communication is interrupted; the IOPS-capable LTE access network devices (IOPS-capable eNodeBs) then establish a backhaul connection to the IOPS network, forming an IOPS network that provides local connectivity. Terminal devices receive communication services through the IOPS network in IOPS mode, ensuring reliable transmission of data. LTE access network devices without IOPS capability (IOPS-incapable eNodeBs) cannot establish a backhaul connection to the IOPS network.
Figure 2B is a schematic diagram of another application scenario provided by this application. The scenario takes an IOPS network as an example; in practice it may also be a private network, which this application does not specifically limit. When no IOPS-capable eNB is available to provide communication services to public safety users (that is, "No infrastructure"), an IOPS-capable access network device (Nomadic eNodeB) is used when an eNodeB is deployed ("eNodeB Deployed"). This access network device is mobile, comparable to a user carrying a small access network device, and establishes a backhaul connection to the IOPS network, forming a local IOPS core network (Local EPC) that provides local connectivity, that is, an IOPS network.
The definitions of the IOPS scenario in the existing LTE technical specifications (TS) TS 23.401 and TS 33.401 focus mainly on the procedure by which a UE switches from macro network access to IOPS network access. LTE makes the following basic assumptions for the IOPS scenario:
1. The macro EPC and the core network supporting IOPS mode (that is, the local IOPS-mode EPC, also called the Local EPC or L-EPC) are isolated from each other. A RAN node supports both the macro network and IOPS; such a RAN node is an IOPS-capable eNB. The IOPS-capable eNB is connected to both the macro EPC and the L-EPC.
2. IOPS mode has a dedicated identifier, such as a public land mobile network identifier (PLMN ID); all L-EPCs of the same public safety agency/operator share the same PLMN ID. When IOPS mode is activated, the IOPS-capable eNB broadcasts the PLMN ID corresponding to IOPS to help UEs that support IOPS mode access it.
3. Only authorized IOPS-enabled UEs may access the IOPS network.
4. The main function of the L-EPC is to provide routing for communication between IOPS-enabled UEs.
5. An IOPS-enabled UE has two universal mobile telecommunications system subscriber identity module applications (USIM apps), corresponding to IOPS mode and normal mode respectively. The IOPS USIM app holds a root key K, a PLMN ID and an international mobile subscriber identity (IMSI) dedicated to the IOPS PLMN.
The procedure in the existing TS 23.401 by which a UE switches from the macro network to the IOPS network is shown in Figure 3 and is as follows:
Step 1. The UE accesses the macro EPC and carries out communication services.
Step 2. The eNB detects that the backhaul link to the macro network is broken. This eNB is an IOPS-capable eNB; this is not repeated below.
The eNB decides to activate IOPS mode according to the operator's local policy.
Step 3. After the L-EPC is activated, the eNB establishes a backhaul link with the L-EPC.
Step 4. After establishing the backhaul link with the L-EPC, the eNB broadcasts the PLMN ID of the IOPS network.
Step 5. The UE detects the IOPS PLMN ID broadcast and activates the IOPS-specific USIM app.
Step 6. Based on the IOPS PLMN ID, the UE determines that it needs to access the corresponding L-EPC, and performs the access procedure (including access authentication) and session establishment with the L-EPC.
Step 7. The UE and the L-EPC perform the access procedure (attach procedure) and establish a local packet data network (PDN) connection.
Step 8. The UE accesses the L-EPC and carries out communication services.
In the prior art, when the UE performs primary authentication with the macro network and with the IOPS network, it must use an IMSI and a root key different from those of its macro network subscription. That is, the macro core network stores only the IMSI and root key the UE uses for primary authentication with the macro network, while the IOPS core network stores only the IMSI and root key the UE uses for primary authentication with the IOPS network; the UE enables the corresponding IMSI and root key when performing primary authentication with each network. This approach is complex to operate.
Moreover, because the macro network subscription and the user subscription in the IOPS network are relatively isolated, and it cannot be accurately predicted when IOPS mode will be enabled, any addition/deletion/modification of a user's subscription in the macro network must promptly be mirrored by a corresponding addition/deletion/modification of that user's subscription in the local IOPS core network. Since many IOPS core networks are deployed locally, updating the subscriptions in the local IOPS core networks involves a heavy workload and is difficult to maintain.
On this basis, this application provides a communication method that reduces the complexity of access authentication and, building on that reduction, reduces the amount of data a device must store and saves its storage space. Figure 4 is a schematic diagram of a communication method provided by an embodiment of this application. The method may be performed through interaction between a first unified data management unit and a second unified data management unit, and may also involve other network elements such as the AMF, which is not specifically limited here. The first unified data management network element is described using a first UDM as an example, and the second unified data management network element using a second UDM as an example; in practice, however, the unified data management network element may also be another network element, and any network element that can store authentication information for accessing a network and can further process that authentication information may serve as the unified data management network element. The method is as follows:
Step 401: The first UDM determines, based on first authentication information used by the terminal device for access authentication with a first network, second authentication information used by the terminal device for access authentication with a second network.
Here, the first UDM belongs to the first network, and the first network is different from the second network.
It should be noted that the first network and the second network may be networks isolated from each other. The first network may be an IOPS network or a private network and the second network a macro network; or the first network may be a macro network and the second network an IOPS network or the private network. For example: the first network is an IOPS network and the second network is a macro network; the first network is a private network (such as a campus network or an enterprise park network) and the second network is a macro network; the first network is a macro network and the second network is an IOPS network; the first network is a macro network and the second network is a private network; and so on. This application does not specifically limit this.
Access authentication between the terminal device and the first network can be understood as primary authentication between the terminal device and the first network, which is used for the terminal device and the first network to mutually authenticate each other's identity; only after primary authentication succeeds can the terminal proceed with the subsequent registration procedure and session establishment procedure with the first network. If the first network is a macro network, this denotes primary authentication between the terminal device and the macro network; if the first network is an IOPS network, it denotes primary authentication between the terminal device and the IOPS network. Access authentication between the terminal device and the second network can likewise be understood as primary authentication between the terminal device and the second network: if the second network is an IOPS network, it denotes primary authentication with the IOPS network; if the second network is a macro network, it denotes primary authentication with the macro network. This application does not elaborate on how the primary authentication procedure is performed; it can be understood with reference to the prior art.
Furthermore, the first UDM determining the second authentication information based on the first authentication information can be understood as the first UDM determining the second authentication information with reference to the first authentication information, or deriving the second authentication information from certain parameters in the first authentication information; this application does not limit how the second authentication information is determined. For example, if the first network is a macro network and the second network is an IOPS network, the first UDM may determine the second authentication information between the terminal device and the IOPS network based on the first authentication information between the terminal device and the macro network; if the first network is an IOPS network and the second network is a macro network, the first UDM may determine the second authentication information between the terminal device and the macro network based on the first authentication information between the terminal device and the IOPS network. This application does not specifically limit this.
Optionally, the first UDM uses the first authentication information as an input parameter to generate the second authentication information. Second authentication information derived in this way can satisfy the access authentication requirements of both networks, avoiding the use of two different sets of authentication information for access authentication with different networks, and thereby improving data processing efficiency.
Optionally, the first authentication information includes one or more of the following: CK, IK, SQN, K_AUSF, K_SEAF, K_AMF. The first UDM obtains the second authentication information by derivation from keys generated in the terminal device's primary authentication with the first network. This may be a further derivation from the CK and IK generated by the first UDM and the UE during the primary authentication procedure, as follows:
CK and IK are used as the input to a key derivation function (KDF), and the output of the key derivation function is taken as the second authentication information; or CK and IK are used as the input to the key derivation function, and the output of the key derivation function together with the SQN parameter is taken as the second authentication information.
It may also be a further derivation from one or more of K_AUSF, K_SEAF and K_AMF generated by the first UDM and the UE during the primary authentication procedure. In that case the first UDM must first obtain one or more of K_AUSF, K_SEAF and K_AMF from the AUSF, SEAF or AMF before further generating the second authentication information, as follows:
One or more of K_AUSF, K_SEAF and K_AMF are used as the input to a key derivation function (KDF), and the output of the key derivation function is taken as the second authentication information; or one or more of K_AUSF, K_SEAF and K_AMF are used as the input to the key derivation function, and the output of the key derivation function together with the SQN parameter is taken as the second authentication information.
In practice, this application does not limit the derivation method. One of the derivation methods above may be used, or another derivation method may be used, for example derivation according to rules agreed between the first UDM and the second UDM; this application does not specifically limit this.
To ensure the security of the second authentication information during transmission, the first UDM may protect the second authentication information with key protection information, obtaining second authentication information protected by the key protection information. The key protection information may be preset in the first UDM. There may be multiple second networks, and the identification information of different second networks may be indicated by different identifiers, such as PLMN1, PLMN2, an NID (network identifier) or other identifiers. Different second network identification information may correspond to different key protection information, for example PLMN1 to key protection information 1, PLMN2 to key protection information 2, NID3 to key protection information 3, and so on. If the first UDM obtains the identification information of the second network, it knows which key protection information to use to encrypt and protect the second authentication information. The identification information of the second network usually comes from the access and mobility management network element, but it may also be broadcast by the radio access network device to which the terminal device is connected; this application does not specifically limit this.
In addition, the second network identification information may be determined by the access and mobility management network element and then received by the first UDM from the access and mobility management network element. The access and mobility management network element may determine the identification information of the second network in the following ways:
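The derivation from CK/IK or K_AUSF/K_SEAF/K_AMF described above, followed by protection of the result with key protection information selected by the second network identifier, as an added illustration that is not part of the patent. The KDF, the per-identifier protection keys, the UE identifier and the encrypt-then-MAC scheme (HMAC-derived keystream plus HMAC tag, so the example runs with the standard library alone) are all assumptions; the patent leaves these unspecified.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed sample data (not from the patent): CK/IK from the UE's primary
# authentication with the first network, plus the 48-bit sequence number SQN.
SAMPLE_FIRST_AUTH = {
    "CK": bytes.fromhex("0123456789abcdef0123456789abcdef"),
    "IK": bytes.fromhex("fedcba9876543210fedcba9876543210"),
    "SQN": bytes.fromhex("000000000123"),
}
# Key protection information preset in the first UDM, one entry per second
# network identifier (PLMN ID or NID), as the text describes. Constructed values.
KEY_PROTECTION_INFO: Dict[str, bytes] = {
    "PLMN1": hashlib.sha256(b"constructed-protection-key-1").digest(),
    "PLMN2": hashlib.sha256(b"constructed-protection-key-2").digest(),
    "NID3": hashlib.sha256(b"constructed-protection-key-3").digest(),
}


def kdf(key: bytes, label: bytes, *params: bytes, length: int = 32) -> bytes:
    """KDF stand-in (assumption): HMAC-SHA-256 in counter mode over a label
    and length-prefixed parameters."""
    info = label
    for p in params:
        info += len(p).to_bytes(2, "big") + p
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, bytes([counter]) + info, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_second_auth_info(first_auth: Dict[str, bytes], include_sqn: bool) -> bytes:
    """Step 401 at the first UDM. Variant 1: CK and IK are the KDF input.
    Variant 2: whichever of K_AUSF, K_SEAF, K_AMF the first UDM fetched from
    the AUSF/SEAF/AMF. Optionally the SQN is appended to the KDF output."""
    if "CK" in first_auth and "IK" in first_auth:
        key, label = first_auth["CK"] + first_auth["IK"], b"second-auth-from-CK-IK"
    else:
        parts = [first_auth[k] for k in ("K_AUSF", "K_SEAF", "K_AMF") if k in first_auth]
        if not parts:
            raise ValueError("first authentication information carries no usable key")
        key, label = b"".join(parts), b"second-auth-from-KAUSF-KSEAF-KAMF"
    second = kdf(key, label)
    if include_sqn:
        second += first_auth["SQN"]
    return second


def protect(second_network_id: str, ue_id: bytes, second_auth: bytes) -> Dict[str, bytes]:
    """Step 402 at the first UDM: select the key protection information by the
    second network identifier and protect the second authentication information.
    Encrypt-then-MAC with HMAC-derived keys; a deployment would use an AEAD."""
    if second_network_id not in KEY_PROTECTION_INFO:
        # Without the identifier the first UDM cannot choose the protection key.
        raise KeyError(f"no key protection information for {second_network_id}")
    root = KEY_PROTECTION_INFO[second_network_id]
    enc_key, mac_key = kdf(root, b"enc"), kdf(root, b"mac")
    nonce = os.urandom(16)
    keystream = kdf(enc_key, b"ks", nonce, length=len(second_auth))
    ciphertext = bytes(a ^ b for a, b in zip(second_auth, keystream))
    tag = hmac.new(mac_key, nonce + ue_id + ciphertext, hashlib.sha256).digest()
    # The UE identifier travels with the protected information (and is bound by
    # the tag) so the second UDM can associate the two.
    return {"ue_id": ue_id, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unprotect(second_network_id: str, msg: Dict[str, bytes]) -> bytes:
    """At the second UDM: verify the tag, then recover the second authentication info."""
    root = KEY_PROTECTION_INFO[second_network_id]
    enc_key, mac_key = kdf(root, b"enc"), kdf(root, b"mac")
    expected = hmac.new(mac_key, msg["nonce"] + msg["ue_id"] + msg["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("integrity check failed: message rejected")
    keystream = kdf(enc_key, b"ks", msg["nonce"], length=len(msg["ciphertext"]))
    return bytes(a ^ b for a, b in zip(msg["ciphertext"], keystream))


class SecondUdm:
    """Minimal second UDM: stores second authentication info keyed by UE identifier."""

    def __init__(self, network_id: str) -> None:
        self.network_id = network_id
        self.store: Dict[bytes, bytes] = {}

    def receive(self, msg: Dict[str, bytes]) -> bytes:
        second_auth = unprotect(self.network_id, msg)
        self.store[msg["ue_id"]] = second_auth
        return second_auth


def transfer(second_udm: SecondUdm, ue_id: bytes, first_auth: Dict[str, bytes],
             include_sqn: bool = True) -> bytes:
    """End to end: first UDM derives and protects, second UDM verifies and stores.
    Returns what the second UDM stored so it can be compared with the derivation."""
    second_auth = derive_second_auth_info(first_auth, include_sqn)
    return second_udm.receive(protect(second_udm.network_id, ue_id, second_auth))
```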
Method 1: The access and mobility management network element determines the identification information of the second network based on the fact that a second network is co-deployed with the radio access network device to which the terminal device is connected.
It should be noted that a second network co-deployed with the radio access network device is a second network to which the radio access network device is able to connect; in practice, that connection may or may not yet have been created. The access and mobility management network element may determine the identification information of the second network on this basis.
Method 2: The access and mobility management network element determines, based on the capability information of the terminal device, that the terminal device is capable of accessing the second network; it then determines the identification information of the second network based on that capability and on the fact that a second network is co-deployed with the radio access network device to which the terminal device is connected.
Method 3: The access and mobility management network element receives from the first UDM a request message for the identification information of the second network, and determines the identification information of the second network based on that request message.
It should be noted that, after receiving the request message for the second network identifier from the first UDM, the access and mobility management network element queries whether a second network is co-deployed with the radio access network device to which the terminal device is connected. If so, it may send the second network identification information directly to the first UDM; if no second network is co-deployed with that radio access network device, it replies to the first UDM with a rejection response. This prevents the situation in which the access and mobility management network element does not hold the network identification information and the second authentication information therefore cannot be sent to the correct second network. Here, "a second network is co-deployed" means there is a second network to which the radio access network device can connect (in practice the connection may or may not yet have been created), and the access and mobility management network element may determine the identification information of the second network on this basis; "no second network is co-deployed" means the radio access network device has no second network to which it can connect.
In addition, after determining the identification information of the second network, the access and mobility management network element may trigger indication information, which is used to trigger the first UDM to determine the second authentication information. In this application, when the first UDM receives the indication information, it determines the second authentication information based on that indication information; this allows the timing of determining the second authentication information to be fixed precisely and ensures the efficiency of data processing. The indication information may also be used to instruct the first UDM to transfer the second authentication information to the second UDM, or to instruct other operations, which this application does not specifically limit.
可选的,第一UDM在确定终端设备存在接入第一网络的权限的情况下,第一UDM可根据第一认证信息确定第二认证信息。Optionally, when the first UDM determines that the terminal device has the right to access the first network, the first UDM may determine the second authentication information based on the first authentication information.
需要说明的是,终端设备存在接入第一网络的权限可以理解为终端设备支持在第一网络下接收通信服务,即终端设备有权限接入第一网络,如,通过第一网络发送数据,接收数据等,第一统一数据管理单元可从其他网元如接入和移动管理网元中获取终端设备是否存在接入第一网络的权限,若确定存在,则根据第一认证信息确定第二认证信息,若确定不存在接入第一网络的权限,可以不确定第二认证信息,本申请在根据第一认证信息确定第二认证信息之前,确定终端设备存在接入第一网络的权限,避免计算不支持在第一网络下接收服务的终端设备的第二认证信息。It should be noted that the fact that the terminal device has the permission to access the first network can be understood as the terminal device supports receiving communication services under the first network, that is, the terminal device has the permission to access the first network, for example, to send data through the first network, By receiving data, etc., the first unified data management unit can obtain from other network elements such as access and mobility management network elements whether the terminal device has permission to access the first network. If it is determined that it exists, determine the second authentication information based on the first authentication information. Authentication information, if it is determined that there is no authority to access the first network, the second authentication information can be determined. Before determining the second authentication information based on the first authentication information, this application determines that the terminal device has the authority to access the first network, Avoid calculating second authentication information for a terminal device that does not support receiving services under the first network.
Step 402: The first UDM sends the second authentication information to the second UDM.
Here the second UDM belongs to the second network. Correspondingly, the second UDM receives the second authentication information.
Optionally, the first UDM may send the identification information of the terminal device together with the second authentication information to the second UDM, the identification information of the terminal device being associated with the second authentication information.
In this application, because the second UDM may receive second authentication information for multiple terminal devices, the first UDM sends the identification information of the terminal device together with the second authentication information, with a correspondence between the two, so that the second UDM knows to which terminal device each item of second authentication information belongs.
Optionally, before the first UDM sends the second authentication information to the second UDM, the first UDM obtains the identification information of the second UDM from the access and mobility management network element; that identification information identifies the second UDM. In this application, because there may be multiple second UDMs, the first UDM can use the identification information of the second UDM obtained from the access and mobility management network element to decide to which second UDM the identification information of the terminal device and the second authentication information are sent, so that the first UDM knows where the second authentication information goes.
Optionally, the first UDM may send the second authentication information to the second UDM via the access and mobility management network element and the radio access network device, or via the NEF. In practice the first UDM may also send the second authentication information to the second UDM in other ways; this application does not specifically limit this.
Optionally, if in step 401 the first UDM protected the second authentication information with key protection information in order to secure it in transit, then in this step the first UDM sends the second authentication information protected by the key protection information to the second UDM.
Step 403: The second UDM performs access authentication of the terminal device on the basis of the second authentication information.
Optionally, when the second authentication information has been protected with key protection information, the second UDM, before performing access authentication of the terminal device on the basis of the second authentication information, obtains from the first UDM the second authentication information protected by the key protection information, decrypts it with key decryption information, and thereby determines the second authentication information. The key decryption information may be preconfigured in the second UDM. The key decryption information and the key protection information may be a symmetric key or an asymmetric key pair; this application does not specifically limit this. Usually the identification information of the second network is associated with the key decryption information, that is, different second-network identification information may correspond to different key decryption information, for example PLMN1 corresponds to key decryption information 1 and PLMN2 to key decryption information 2. If the second UDM has obtained the identification information of the second network, it therefore knows which key decryption information to use to decrypt the second authentication information.
Here the first network and the second network are two different networks. Ordinarily, a terminal that can access two networks would need to derive two different sets of authentication information and perform access authentication with each network separately. In this application, however, the first unified data management unit can determine the authentication information of one network on the basis of the authentication information of the other. This reduces the complexity of access authentication and the amount of computation on the devices; neither the terminal device nor the unified data management unit needs to store a large amount of authentication information, which reduces the data stored on them and saves storage space, and the scheme of this application therefore also improves data processing efficiency.
To better illustrate the scheme of this application, Figure 5 takes the data exchange among the UE, RAN, AMF, AUSF, first UDM and second UDM as an example. In this embodiment the AMF sends indication information to the first UDM so that the first UDM determines the second authentication information; the first network is the macro network, the second network is the IOPS network (that is, the IOPS core network described below), the first UDM belongs to the macro network and the second UDM belongs to the IOPS network. The details are as follows:
Step 0a: The AMF determines that the RAN connected to the AMF is able to establish a connection with the IOPS core network.
The information in this step may be obtained when the equipment is powered on and connected while the IOPS network is being set up, or it may be configured by the network administrator; the specific method is not limited.
Optionally, the AMF also obtains the network identification information of the IOPS core network co-deployed with the RAN (that is, the radio access network device) connected to the AMF, which is the identification information of the second network. The network identification information of the IOPS core network identifies the network in which the IOPS core network is located and can further be used to identify the IOPS core network. It should be noted that an IOPS core network co-deployed with the RAN is an IOPS core network to which the RAN can connect; in practice the connection may or may not have been created. For details refer to the description of the IOPS core network co-deployed with the radio access network device in step 401 above, which is not repeated here. Further, after the AMF obtains the network identification information of the IOPS core network co-deployed with the RAN connected to the AMF, the AMF maintains the correspondence between the identifier of the RAN and the network identifier of the IOPS core network. Further, the RAN may have multiple co-deployed IOPS core networks, in which case the preconfigured information may also include priority information indicating the priorities of the RAN's multiple co-deployed IOPS core networks, and the AMF may use the priority information to decide which IOPS core network to select.
It should also be noted that if a RAN node has a co-deployed IOPS core network, this can be understood as the RAN node supporting the capability to access the IOPS core network, or as being able to connect to the IOPS network; if the RAN node has no co-deployed IOPS core network, this can be understood as the RAN node not supporting the capability to access the IOPS core network, or as being unable to connect to the IOPS network.
Step 0b: The first UDM is preconfigured with the key protection key (that is, the key protection information described above) required to protect the second authentication information in transit.
For a specific description of the key protection key refer to the description of the key protection information in step 401 above. Specifically, protecting the second authentication information in transit means using the key protection key to protect the second authentication information before it is sent, obtaining protected second authentication information. Protecting the second authentication information with the key protection key may be confidentiality protection and/or integrity protection, which secures the second authentication information while it is being transferred.
Optionally, the first UDM is also configured with the correspondence between the key protection key and the network identification information of the IOPS core network.
Step 0c: The second UDM is preconfigured with the key acquisition key (that is, the key decryption information described above) required to obtain the second authentication information.
That is, the key is used to obtain the second authentication information; for a specific description of the key acquisition key refer to the description of the key decryption information in step 403 above. Using the key to obtain the second authentication information specifically means using the key acquisition key and the protected second authentication information to obtain the second authentication information. Further, this may be using the key acquisition key to decrypt the protected second authentication information, and/or using the key acquisition key to verify the integrity of the protected second authentication information.
The key acquisition key corresponds to the key protection key of step 0b: it may be a symmetric key shared with the key preconfigured in the first UDM, or the two may form an asymmetric key pair. The key decryption key can be used to decrypt information encrypted with the key protection key preconfigured in the first UDM, and also to verify the integrity of information protected with the key protection key preconfigured in the first UDM.
Step 1: The UE requests access to the macro network and sends a registration request message to the AMF.
The UE carries IOPS capability information in the registration request message; this information indicates that the UE supports the IOPS function.
It should be noted that the registration request message is a NAS (non-access stratum) message; the UE carries the NAS message in an AS (access stratum) message sent to the RAN node, and the RAN node sends the NAS message to the AMF over the backhaul network. The UE supporting the IOPS function may specifically mean that the UE is able to access the IOPS network, or that the UE is able to communicate with the IOPS network.
Optionally, the UE does not carry IOPS capability information in the registration request. In that case the UE need not indicate its support for the IOPS function to the AMF, which lightens the UE's processing of the registration request.
Step 2: On the basis of the IOPS capability information obtained from the UE and the capability of the RAN node accessed by the UE to connect to the IOPS core network, the AMF determines that it needs to instruct the first UDM to initiate key transfer.
Instructing the first UDM to initiate key transfer in step 2 can be understood as instructing the first UDM to determine the second authentication information on the basis of the first authentication information and to send the second authentication information to the second UDM.
It should be noted that the AMF can determine the corresponding RAN from the backhaul network over which it received the NAS message, and then determine from the information preconfigured in step 0a whether the RAN node supports access to the IOPS network. Optionally, the AMF also determines, from the preconfigured information of step 0a, the network identification information of the IOPS core network corresponding to the RAN accessed by the UE. Specifically, the AMF can determine the identification information of the corresponding RAN from the backhaul network over which the NAS message was received, and then determine the network identification information of the corresponding IOPS core network from the RAN identifier and the correspondence between RAN identifiers and second-network identification information of step 0a. If multiple IOPS core networks are co-deployed with the RAN, the AMF can determine the network identification information of the corresponding IOPS core network from the priority information obtained in step 0a. Considering actual deployments, the RAN accessed by the UE may be connected to multiple IOPS core networks; in that case the AMF may determine the network identification information of multiple local IOPS core networks and send it to the first UDM.
Optionally, if the UE's registration request in step 1 does not carry IOPS capability information, the AMF determines that it needs to instruct the first UDM to initiate key transfer solely on the basis of the capability of the RAN node accessed by the UE to connect to the IOPS core network.
Optionally, the AMF may determine that it needs to instruct the first UDM to initiate key transfer solely on the basis of the IOPS capability information obtained from the UE; this simplifies the AMF's processing logic.
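As an added illustration of steps 0a and 2 (this is example code written for this page, not code from the patent, which specifies no implementation), the following Python models the AMF-side logic: the RAN-to-IOPS-core-network mapping with priorities that step 0a preconfigures, the lookup from the backhaul network on which the NAS message arrived to the RAN, the three decision variants of step 2 (UE capability and RAN capability together, RAN capability alone when the UE sends no capability information, or UE capability alone), and the reverse lookup from the UE's identity to its RAN and IOPS core network that step 5 and step 6 rely on. The policy names, the "lower number is higher priority" convention, the UE-context bookkeeping and all sample identifiers are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class IopsCoreNet:
    network_id: str   # network identification information of the IOPS core network (e.g. a PLMN ID)
    priority: int     # assumption: lower value = preferred


@dataclass
class Amf:
    # decision variant of step 2 (names are assumptions):
    #   "ue_and_ran": UE IOPS capability AND RAN can connect to an IOPS core network
    #   "ran_only":   RAN capability alone (UE sent no IOPS capability information)
    #   "ue_only":    UE capability alone
    policy: str = "ue_and_ran"
    # step 0a: RAN identifier -> co-deployed IOPS core networks; backhaul network -> RAN
    ran_iops: dict = field(default_factory=dict)
    backhaul_to_ran: dict = field(default_factory=dict)
    # UE context kept after registration, used in steps 5/6 to route the key transfer
    ue_ctx: dict = field(default_factory=dict)

    def configure_ran(self, ran_id: str, backhaul_id: str, cores: list[IopsCoreNet]) -> None:
        """Step 0a: record which IOPS core networks the RAN can reach, best priority first."""
        self.backhaul_to_ran[backhaul_id] = ran_id
        self.ran_iops[ran_id] = sorted(cores, key=lambda c: c.priority)

    def ran_supports_iops(self, ran_id: str) -> bool:
        """A RAN with at least one co-deployed IOPS core network can connect to the IOPS network."""
        return bool(self.ran_iops.get(ran_id))

    def on_registration_request(self, supi: str, backhaul_id: str,
                                ue_iops_capable: Optional[bool]) -> Optional[dict]:
        """Step 2: decide whether to instruct the first UDM to initiate key transfer.
        ue_iops_capable=None models a registration request without IOPS capability information.
        Returns the IOPS indication to send in step 3, or None when no key transfer is warranted."""
        ran_id = self.backhaul_to_ran.get(backhaul_id)
        if ran_id is None:
            raise KeyError(f"NAS message arrived on unknown backhaul {backhaul_id}")
        self.ue_ctx[supi] = ran_id
        ran_ok = self.ran_supports_iops(ran_id)
        ue_ok = bool(ue_iops_capable)
        if self.policy == "ue_and_ran":
            transfer = ran_ok and ue_ok
        elif self.policy == "ran_only":
            transfer = ran_ok
        elif self.policy == "ue_only":
            transfer = ue_ok
        else:
            raise ValueError(f"unknown policy {self.policy}")
        if not transfer:
            return None
        # optional part of step 3: the network IDs of the reachable IOPS core networks; a RAN
        # with several co-deployed cores yields several IDs, the highest-priority one first
        return {"iops_indication": True,
                "iops_network_ids": [c.network_id for c in self.ran_iops.get(ran_id, [])]}

    def route_key_transfer(self, supi: str) -> tuple[str, str]:
        """Steps 5/6: from the UE's identity find its RAN and the IOPS core network (hence the
        second UDM) to which the protected second authentication information is forwarded."""
        ran_id = self.ue_ctx[supi]
        cores = self.ran_iops.get(ran_id)
        if not cores:
            raise LookupError(f"RAN {ran_id} has no co-deployed IOPS core network")
        return ran_id, cores[0].network_id
```

The point of the default "ue_and_ran" policy is that key material for the IOPS network is only ever derived and shipped when both endpoints can actually use it; the two single-factor variants are the simplifications the text allows, at the cost of triggering transfers that may never be consumed.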
Step 3: The AMF sends an IOPS indication to the first UDM, instructing the first UDM to obtain the root key K_IOPS (that is, the second authentication information) required for primary authentication between the UE and the IOPS core network in IOPS mode, and to send the second authentication information to the second UDM.
Optionally, the IOPS indication also instructs the first UDM to obtain at the same time the other parameters required for primary authentication between the UE and the IOPS core network in IOPS mode. These may include one or more elements of the authentication vector (quintuple) used for primary authentication, for example the SQN parameter (itself an example of the first authentication information described above), and the first UDM determines the second authentication information from the determined parameters; in that case the second authentication information includes the SQN parameter in addition to the root key K_IOPS.
Optionally, the AMF also sends the first UDM the network identification information of the IOPS core network corresponding to the RAN accessed by the UE.
The IOPS indication of step 3 may be carried in the message with which the AMF, after receiving the registration request, interacts with the first UDM to trigger primary authentication in the primary authentication procedure between the UE and the macro network: specifically, the AMF sends the AUSF's UE authentication request (Nausf_UEAuthentication_Authenticate Request) to the AUSF, and the AUSF in turn sends the UDM's UE authentication get request (Nudm_UEAuthentication_Get Request) to the first UDM (this is the message used for the example in Figure 5). It may also be carried, after the registration procedure, in the Nudm_SDM_Get message sent to the first UDM to obtain the UE's subscription information through the UDM's subscription data management service, or in another message exchanged between the AMF and the first UDM; this is not limited here.
Optionally, the AMF may use a new service message to instruct the first UDM to obtain the root key K_IOPS (that is, the second authentication information) required for primary authentication between the UE and the IOPS core network in IOPS mode. In that case the AMF does not send an IOPS indication to the first UDM; the instruction is implicit in the new service message.
Step 4: After the first UDM determines from the UE's subscription information that the UE is authorized to access the IOPS network, it derives, from the key produced by the primary authentication between the UE and the macro network (the first authentication information), the root key K_IOPS (the second authentication information) required for primary authentication between the UE and the IOPS core network in IOPS mode.
It should be noted that the UE being authorized to access the IOPS network can be understood as the UE having the right to access the IOPS network, or as the UE supporting reception of communication services in the IOPS network; for details refer to the description in step 401 of the terminal device having the right to access the first network.
It should also be noted that if K_IOPS is derived from one or more of CK, IK, K_AUSF, K_SEAF and K_AMF generated in the primary authentication procedure, then the first authentication information is the one or more of CK, IK, K_AUSF, K_SEAF and K_AMF used to derive K_IOPS.
The first UDM protects K_IOPS with the key protection key of step 0b to obtain the protected second authentication information. Protecting K_IOPS with the key protection key may be confidentiality protection and/or integrity protection of K_IOPS.
The specific derivation can be understood with reference to the description above and is not repeated here.
It should be noted that if the AMF sends the IOPS indication of step 3 to the first UDM during the primary authentication procedure, the first UDM must first obtain an indication that primary authentication succeeded, via the UDM's UE authentication result confirmation request (Nudm_UEAuthentication_ResultConfirmation Request) message, before triggering step 4.
Optionally, if the IOPS indication also instructs the first UDM to obtain at the same time the other parameters required for primary authentication between the UE and the IOPS core network in IOPS mode, as described in step 3, then when protecting K_IOPS with the key protection key to obtain the protected second authentication information the first UDM also protects those other parameters with the key protection key; the other parameters may include one or more elements of the authentication vector (quintuple) used for primary authentication, for example the SQN parameter. It should be noted that in this case the first authentication information includes, in addition to the key produced by the primary authentication between the UE and the macro network, the other parameters required for primary authentication, such as the SQN parameter.
Optionally, if in step 3 the first UDM also obtained from the AMF the network identification information of the IOPS core network corresponding to the RAN accessed by the UE, the first UDM determines the key protection key from the correspondence between key protection keys and IOPS core network identification information configured in step 0b together with the IOPS core network identification information obtained from the AMF, and then protects K_IOPS with that key protection key to obtain the protected second authentication information.
Step 4a: If K_IOPS is further derived from one or more of K_AUSF, K_SEAF or K_AMF generated in the primary authentication procedure, the UE correspondingly stores K_AUSF, K_SEAF or K_AMF in the USIM application.
This step is optional.
Step 5: The first UDM sends a key transfer request message to the AMF.
The message carries the protected second authentication information of step 4.
The key transfer request message includes the identification information of the UE and the protected second authentication information, so that the AMF can determine from the UE's identification information the IOPS core network information corresponding to the RAN accessed by the UE, where the IOPS core network information includes the network identification information of the IOPS core network; that is, the AMF determines to which IOPS core network, and thus to which second UDM, the UE's identification information and the protected second authentication information are to be sent. Specifically, the AMF may determine the corresponding backhaul network from the UE's identification information, then determine the identification information of the RAN corresponding to that backhaul network, and then determine the network identification information of the corresponding IOPS core network from the RAN identifier and the correspondence between RAN identifiers and second-network identification information of step 0a.
The key transfer request message includes the identification information of the UE together with the protected second authentication information so that the second UDM can determine to which UE the received second authentication information belongs; in the subsequent primary authentication between the UE and the IOPS network in which the second UDM is located, the corresponding second authentication information can then be determined from the UE's identification information. It should be noted that the first UDM determines the identification information of the UE during primary authentication; for details refer to the existing technology in TS 33.501. The identification information of the UE may be the UE's SUPI.
Optionally, the message may also carry key transfer indication information and/or the network identification information of the IOPS core network. The key transfer indication information tells the AMF network element that this message is used to transfer the second authentication information to the IOPS network, and the network identification information of the IOPS core network helps the AMF determine to which IOPS network the key transfer request message needs to be sent.
In practice the first UDM may forward the key transfer request to the second UDM via the AMF and RAN, via the NEF, or in other ways, for example over a direct link between the first UDM and the second UDM. If the first UDM does not forward the key transfer request to the second UDM via the AMF and RAN, steps 6 and 7 are skipped after this step and step 8 is performed directly.
Step 6: The AMF determines to forward the UE's identification information and the protected second authentication information to the second UDM.
It should be noted that if step 4 was triggered after a primary authentication success indication was obtained via the UDM's UE authentication result confirmation request (Nudm_UEAuthentication_ResultConfirmation Request) message, the AMF can determine the second UDM from the IOPS core network identification information of step 5 and forward the UE's identification information and the protected second authentication information to that second UDM. If step 4 was triggered by a message exchanged between the AMF and the first UDM, the AMF determines the second UDM from the UE identification information included in the key transfer request message from the first UDM together with the IOPS core network information corresponding to the RAN accessed by the UE, where the IOPS core network information includes the network identification information of the IOPS core network, and forwards the UE's identification information and the protected second authentication information to that second UDM.
Optionally, if step 4 was triggered by a message exchanged between the AMF and the first UDM, the key transfer request message sent by the first UDM to the AMF in step 5 need not include the UE's identification information. In that case the exchange between the AMF and the first UDM consists of a request message and a reply message: the AMF sends a request message carrying the UE's identification information to the first UDM, and the first UDM sends a reply message to the AMF in response. After receiving the first UDM's reply, the AMF can determine the UE's identification information from the association between the request and the reply; further, the AMF can determine the second UDM from the UE's identity information and the IOPS core network information corresponding to the RAN accessed by the UE, and forward the UE's identification information and the protected second authentication information to the second UDM.
The AMF determining to forward the UE's identification information and the protected second authentication information to the second UDM further includes: the AMF determines from the UE's identity information the RAN accessed by the UE and sends a key transfer message to the RAN, the key transfer message carrying the UE's identification information and the protected second authentication information.
Optionally, the message may also carry key transfer indication information, which instructs the RAN to forward the key transfer message.
Optionally, if the AMF has obtained the network identification information of the IOPS core network from the second UDM, then when sending the key transfer message to the RAN the AMF also sends the RAN the network identification information of the IOPS core network.
Optionally, if the AMF has obtained the network identification information of the IOPS core network from the second UDM, the AMF further determines from that network identification information to which IOPS network the key transfer request message needs to be sent.
Optionally, the message may also carry key transfer indication information and/or the network identification information of the IOPS core network. The key transfer indication information tells the AMF network element that this message is used to transfer the second authentication information to the IOPS network, and the network identification information of the IOPS core network helps the AMF determine to which IOPS network the key transfer request message needs to be sent.
另外,步骤6还可根据密钥转移请求消息(步骤5)触发、根据受保护的第二认证信息隐式触发、或根据步骤5中携带的密钥转移指示信息触发。In addition, step 6 can also be triggered according to the key transfer request message (step 5), implicitly triggered according to the protected second authentication information, or triggered according to the key transfer instruction information carried in step 5.
Step 6a. The AMF triggers sending an IOPS key indication to the UE. The IOPS key indication instructs the UE to derive, from the key generated by primary authentication, the root key K_IOPS required for primary authentication between the UE and the IOPS core network in IOPS mode, and to store K_IOPS.
This step is optional; that is, the access and mobility management network element sends to the terminal device indication information instructing the terminal device to generate the second authentication information. In this way the terminal device knows that the second authentication information has been generated, and the terminal device can be ready to access the second network at any time.
Step 7. The RAN sends a key transfer message to the IOPS network.
It should be noted that the RAN sending a key transfer message to the IOPS network specifically means that the RAN sends the key transfer message to the IOPS network so that the second UDM in the IOPS network obtains the key transfer message; the RAN needs to send the key transfer message to the second UDM through the second AMF, where the second AMF and the second UDM belong to the same IOPS network.
The RAN obtains the key transfer message from the AMF; the key transfer message includes the protected second authentication information and the UE's identification information.
Optionally, when the RAN sends the key transfer message to the IOPS network, it may also carry key transfer indication information, which indicates to the IOPS network that this message carries a key transfer message. Specifically, the RAN sends a message to the second AMF carrying the key transfer message and the key transfer indication information, the key transfer indication information indicating to the second AMF that the message carries a key transfer message.
Optionally, if the AMF also sent the network identification information of the IOPS core network when sending the key transfer message to the RAN, the RAN determines the second UDM based on the network identification information of the IOPS core network.
Step 8. The second UDM determines from the key transfer message that it needs to obtain the second authentication information (K_IOPS); the second UDM forms and stores the correspondence between the second authentication information and the UE's identification information, i.e. the correspondence between K_IOPS and the SUPI.
Specifically, after determining from the key transfer message that K_IOPS needs to be obtained, the second UDM obtains the UE's identification information and the protected second authentication information from the key transfer message, and uses the key acquisition key preconfigured in step 0c to obtain the second authentication information, specifically by using the key acquisition key and the protected second authentication information to obtain the second authentication information. Further, obtaining the second authentication information using the key acquisition key and the protected second authentication information may be: using the key acquisition key to decrypt the protected second authentication information to obtain the second authentication information, and/or using the key acquisition key to verify the integrity of the protected second authentication information. Further, the second UDM determines the correspondence between the second authentication information and the UE's identification information, i.e. the correspondence between K_IOPS and the SUPI. When the UE subsequently accesses the IOPS network, the second UDM uses the UE's SUPI and the stored correspondence between the second authentication information and the UE's identification information to determine K_IOPS, and uses it as the root key for primary authentication to perform the primary authentication procedure with the UE.
Step 9. The UE uses K_IOPS as the root key for primary authentication and performs the primary authentication procedure with the second UDM.
In this embodiment, the AMF instructs the first UDM, based on the network deployment (whether the RAN can connect to an IOPS core network) and/or the UE capability, to determine the second authentication information. The second authentication information is obtained from the information required for primary authentication between the UE and the network where the first UDM is located; specifically, the root key for primary authentication between the UE and the IOPS network is further derived from the key obtained by primary authentication between the UE and the macro network (i.e. it is a derived key of the macro network root key), and the first UDM further sends the second authentication information to the second UDM. Subsequently the UE and the IOPS core network can use the derived key of the macro network root key for the primary authentication procedure, which removes the step of preconfiguring the UE root key in the local IOPS core network, reducing the complexity of data processing and improving data processing efficiency.
To better illustrate the solution of the present application, Figure 6 takes the data interaction among the UE, the RAN, the AMF, the AUSF, the first UDM and the second UDM as an example. In this embodiment, the first UDM determines the second authentication information after determining, based on the UE's subscription information, that the UE is authorized to access the IOPS network; unlike the embodiment corresponding to Figure 5, in this embodiment the AMF does not send indication information to the first UDM. In this example the first network is the macro network, the second network is the IOPS network (i.e. the IOPS core network described below), the first UDM belongs to the macro network and the second UDM belongs to the IOPS network. The details are as follows:
Steps 0a/0b/0c are the same as steps 0a/0b/0c in Figure 5 above, with the difference that in this embodiment: in step 0a the AMF does not need to obtain the network identification information of the IOPS core network connected to the RAN that is connected to the AMF; and step 0b does not need to configure the correspondence between the key protection key and the network identification information of the IOPS core network.
Step 1. The UE requests access to the macro network and sends a registration request message to the AMF.
Reference may be made to the description of step 1 in Figure 5 above; it is not repeated here.
Step 2. After receiving the registration request, the AMF exchanges messages with the first UDM.
In this step the message exchange between the AMF and the UDM may be indirect, i.e. during the primary authentication procedure between the UE and the macro network, the AMF, after receiving the registration request, exchanges with the first UDM the message that triggers primary authentication. Specifically, the AMF sends the AUSF's UE authentication request (Nausf_UEAuthentication_Authenticate Request) to the AUSF, and the AUSF further sends the UDM's UE authentication get request (Nudm_UEAuthentication_Get Request) to the first UDM. The message exchanged between the AMF and the UDM may also be the UDM subscription data management get message (Nudm_SDM_Get) that the AMF sends to the first UDM after the registration procedure to obtain the UE's subscription information, or any other message exchanged between the AMF and the UDM, which is not limited here.
Step 3. After determining, based on the UE's subscription information, that the UE is authorized to access the IOPS network, the first UDM derives, from the key generated by primary authentication between the UE and the macro network (the first authentication information), the root key K_IOPS (the second authentication information) required for primary authentication between the UE and the IOPS core network in IOPS mode.
This can be understood with reference to step 4 in the embodiment of Figure 4 above; it is not repeated here.
Step 3a. If K_IOPS is further derived from one or more of K_AUSF, K_SEAF or K_AMF generated in the primary authentication procedure, the UE correspondingly stores K_AUSF, K_SEAF or K_AMF in the USIM app.
This step is optional.
Step 4. The first UDM sends a key transfer request message to the AMF.
The message carries the protected second authentication information of step 4.
The key transfer request message includes the UE's identification information and the protected second authentication information, so that the AMF can determine, based on the UE's identification information, the IOPS core network information corresponding to the RAN accessed by the UE, where the IOPS core network information includes the network identification information of the IOPS core network; that is, the AMF determines to which IOPS core network (the one where the second UDM is located) the UE's identification information and the protected second authentication information are to be sent. The key transfer request message includes the UE's identification information and the protected second authentication information so that the second UDM can determine to which UE the obtained second authentication information belongs; in the subsequent primary authentication between the UE and the IOPS network where the second UDM is located, the corresponding second authentication information can then be determined from the UE's identification information. It should be noted that the first UDM determines the UE's identification information during primary authentication; for details refer to the existing technique in TS 33.501. The UE's identification information may be the UE's SUPI.
Optionally, key transfer indication information and/or the network identification information of the IOPS core network may also be carried. The key transfer indication information indicates to the AMF network element that this message is used to transfer the second authentication information to the IOPS network; the network identification information of the IOPS core network assists the AMF in determining to which IOPS network the key transfer request message needs to be sent.
In practical application, the first UDM may forward the key transfer request to the second UDM via the AMF and the RAN, via the NEF, or in other ways, for example by direct link forwarding between the first UDM and the second UDM. If the first UDM does not forward the key transfer request to the second UDM via the AMF and the RAN, steps 5 and 6 are skipped after this step and step 7 is performed directly.
Step 5. Based on the key transfer request message and the existence of an IOPS core network corresponding to the RAN accessed by the UE, the AMF determines to forward the protected second authentication information to the second UDM.
In this step the AMF forwards the protected second authentication information to the IOPS core network corresponding to the RAN accessed by the UE, so that the second UDM in that IOPS core network can obtain the second authentication information. Provided that the RAN accessed by the UE has a corresponding IOPS core network, this step may be triggered in any one or more of the following ways: by the key transfer request message (i.e. step 4), implicitly by the protected second authentication information, or by the key transfer indication carried in step 4.
If there is no IOPS core network for the RAN accessed by the UE, the AMF may send a key transfer failure message to the UDM together with corresponding cause value information.
Step 5a. The AMF triggers sending an IOPS key indication to the UE. The IOPS key indication instructs the UE to derive, from the key generated by primary authentication, the root key K_IOPS required for primary authentication between the UE and the IOPS core network in IOPS mode, and to store K_IOPS.
This step is optional; that is, the access and mobility management network element sends to the terminal device indication information instructing the terminal device to generate the second authentication information. In this way the terminal device knows that the second authentication information has been generated, and the terminal device can be ready to access the second network at any time.
Step 6. The RAN sends a key transfer message to the IOPS network.
It should be noted that the RAN sending a key transfer message to the IOPS network specifically means that the RAN sends the key transfer message to the IOPS network so that the second UDM in the IOPS network obtains the key transfer message; the RAN needs to send the key transfer message to the second UDM through the second AMF, where the second AMF and the second UDM belong to the same IOPS network.
The RAN obtains the key transfer message from the AMF; the key transfer message includes the protected second authentication information and the UE's identification information (SUPI).
Optionally, when the RAN sends the key transfer message to the IOPS network, it may also carry key transfer indication information, which indicates to the IOPS network that this message carries a key transfer message. Specifically, the RAN sends a message to the second AMF carrying the key transfer message and the key transfer indication information, the key transfer indication information indicating to the second AMF that the message carries a key transfer message.
Step 7. The second UDM determines from the key transfer message that it needs to obtain the second authentication information (K_IOPS); the second UDM forms and stores the correspondence between the second authentication information and the UE's identification information, i.e. the correspondence between K_IOPS and the SUPI.
Specifically, after determining from the key transfer message that K_IOPS needs to be obtained, the second UDM obtains the UE's identification information and the protected second authentication information from the key transfer message, and uses the key acquisition key preconfigured in step 0c to obtain the second authentication information, specifically by using the key acquisition key and the protected second authentication information to obtain the second authentication information. Further, obtaining the second authentication information using the key acquisition key and the protected second authentication information may be: using the key acquisition key to decrypt the protected second authentication information to obtain the second authentication information, and/or using the key acquisition key to verify the integrity of the protected second authentication information. Further, the second UDM determines the correspondence between the second authentication information and the UE's identification information, i.e. the correspondence between K_IOPS and the SUPI. When the UE subsequently accesses the IOPS network, the second UDM uses the UE's SUPI and the stored correspondence between the second authentication information and the UE's identification information to determine K_IOPS, and uses it as the root key for primary authentication to perform the primary authentication procedure with the UE.
Step 8. The UE uses K_IOPS as the root key for primary authentication and performs the primary authentication procedure with the second UDM.
In this embodiment, after determining based on the UE's subscription information that the UE is authorized to access the IOPS network, the first UDM determines the second authentication information. The second authentication information is obtained from the information required for primary authentication between the UE and the network where the first UDM is located; specifically, the root key for primary authentication between the UE and the IOPS network is further derived from the key obtained by primary authentication between the UE and the macro network (i.e. it is a derived key of the macro network root key), and the first UDM further sends the second authentication information to the second UDM. Subsequently the UE and the IOPS core network can use the derived key of the macro network root key for the primary authentication procedure, which removes the step of preconfiguring the UE root key in the local IOPS core network, reducing the complexity of data processing and improving data processing efficiency.
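The following Python model is an added illustration of the key handling in step 8 of the Figure 5 embodiment and step 7 of the Figure 6 embodiment; it is not code from the application. It assumes an HKDF-SHA256 derivation of K_IOPS from the macro-network key (the application does not fix the derivation function), a symmetric key shared by preconfiguration as key protection key (step 0b) and key acquisition key (step 0c), and constructed sample identifiers; the second UDM verifies integrity before it stores the K_IOPS to SUPI correspondence, and binding the IOPS network identifier into the derivation gives each IOPS core network a distinct root key.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_k_iops(k_macro: bytes, iops_network_id: str, supi: str) -> bytes:
    """First UDM (and the UE in step 6a/3a): derive K_IOPS from the macro-network
    primary-authentication key, e.g. K_AUSF. The IOPS network identifier is bound
    into the derivation so every IOPS core network gets its own root key.
    Assumption: the application does not specify the derivation function."""
    prk = hkdf_extract(b"K_IOPS-derivation", k_macro)
    return hkdf_expand(prk, iops_network_id.encode() + b"|" + supi.encode(), 32)


def _transfer_keys(shared_key: bytes, nonce: bytes):
    """Per-message encryption and MAC keys from the preconfigured key (step 0b/0c)."""
    prk = hkdf_extract(nonce, shared_key)
    return hkdf_expand(prk, b"enc", 32), hkdf_expand(prk, b"mac", 32)


def protect_k_iops(k_iops: bytes, supi: str, key_protection_key: bytes,
                   nonce: bytes = None) -> dict:
    """First UDM: build the protected second authentication information carried in
    the key transfer request. Confidentiality via an HKDF keystream, integrity via
    HMAC over SUPI || nonce || ciphertext, so the SUPI binding is covered too."""
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = _transfer_keys(key_protection_key, nonce)
    keystream = hkdf_expand(enc_key, b"keystream", len(k_iops))
    ciphertext = bytes(a ^ b for a, b in zip(k_iops, keystream))
    tag = hmac.new(mac_key, supi.encode() + nonce + ciphertext, HASH).digest()
    return {"supi": supi, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def amf_select_iops_networks(ran_id: str, ran_to_iops: dict) -> list:
    """AMF: look up the IOPS core network(s) behind the RAN the UE is attached to,
    from the RAN-id to network-id mapping of step 0a. An empty result means the
    AMF answers the first UDM with a key transfer failure and a cause value."""
    return list(ran_to_iops.get(ran_id, []))


class SecondUdm:
    """Second UDM: unwrap K_IOPS with the preconfigured key acquisition key and
    store the K_IOPS <-> SUPI correspondence for later primary authentication."""

    def __init__(self, key_acquisition_key: bytes):
        self._kak = key_acquisition_key
        self._k_iops_by_supi = {}

    def receive_key_transfer(self, msg: dict) -> bytes:
        enc_key, mac_key = _transfer_keys(self._kak, msg["nonce"])
        data = msg["supi"].encode() + msg["nonce"] + msg["ciphertext"]
        expected = hmac.new(mac_key, data, HASH).digest()
        # Verify integrity first; a tampered message must never populate the store.
        if not hmac.compare_digest(expected, msg["tag"]):
            raise ValueError("key transfer integrity check failed")
        keystream = hkdf_expand(enc_key, b"keystream", len(msg["ciphertext"]))
        k_iops = bytes(a ^ b for a, b in zip(msg["ciphertext"], keystream))
        self._k_iops_by_supi[msg["supi"]] = k_iops
        return k_iops

    def root_key_for(self, supi: str):
        """Root key used for primary authentication when this UE later attaches."""
        return self._k_iops_by_supi.get(supi)


if __name__ == "__main__":
    # Constructed sample values; not from the application.
    k_ausf = hashlib.sha256(b"sample K_AUSF").digest()
    shared = hashlib.sha256(b"preconfigured key (step 0b/0c)").digest()
    supi = "imsi-001010123456789"
    ran_to_iops = {"gnb-1": ["iops-net-A", "iops-net-B"]}
    udms = {nid: SecondUdm(shared) for nid in ran_to_iops["gnb-1"]}
    for nid in amf_select_iops_networks("gnb-1", ran_to_iops):
        k = derive_k_iops(k_ausf, nid, supi)
        udms[nid].receive_key_transfer(protect_k_iops(k, supi, shared))
    # The UE derives the same K_IOPS locally (step 6a) and can authenticate.
    assert udms["iops-net-A"].root_key_for(supi) == derive_k_iops(k_ausf, "iops-net-A", supi)
    print("K_IOPS transferred to", list(udms))
```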
To better illustrate the solution of the present application, Figure 7 takes the data interaction among the UE, the RAN, the AMF, the AUSF, the first UDM and the second UDM as an example. In this embodiment, the first UDM determines the second authentication information after determining, based on the UE's subscription information, that the UE is authorized to access the IOPS network; unlike the embodiment corresponding to Figure 5, in this embodiment the AMF does not send indication information to the first UDM. In this example the first network is the macro network, the second network is the IOPS network (i.e. the IOPS core network described below), the first UDM belongs to the macro network and the second UDM belongs to the IOPS network. The details are as follows:
Steps 0a/0b/0c are the same as steps 0a/0b/0c in Figure 6 above, and steps 1-2 are the same as steps 1-2 in Figure 6 above; they are not repeated here.
Step 3. After determining, based on the UE's subscription information, that the UE is authorized to access the IOPS network, the first UDM triggers sending a network identification acquisition request message to the AMF, to request the network identification information of the IOPS core network corresponding to the RAN accessed by the UE.
It should be noted that if in step 2 the AMF interacts with the UDM indirectly, i.e. during the primary authentication procedure between the UE and the macro network the AMF, after receiving the registration request, exchanges with the first UDM the message that triggers primary authentication (specifically, the AMF sends the AUSF's UE authentication request Nausf_UEAuthentication_Authenticate Request to the AUSF, and the AUSF further sends the UDM's UE authentication get request Nudm_UEAuthentication_Get Request to the first UDM), then the UDM performs this step only after it has obtained the primary authentication success indication via the UDM's UE authentication result confirmation request (Nudm_UEAuthentication_ResultConfirmation Request) message.
Step 4. The first UDM requests from the AMF the network identification information of the IOPS core network corresponding to the RAN accessed by the UE.
Specifically, the UDM sends a network identification information acquisition request to the AMF, carrying the UE's SUPI.
Optionally, the request also carries network identification acquisition indication information.
The AMF determines that network identification information needs to be obtained, and determines whether the RAN accessed by the UE corresponding to the SUPI has a corresponding local IOPS core network. If so, it determines the network identification information of that local IOPS core network (considering actual deployments, the RAN accessed by the UE may be connected to multiple IOPS core networks; in that case the AMF may determine the network identification information of multiple local IOPS core networks and send them to the first UDM); if not, it sends a reply message to the first UDM carrying corresponding cause value information. The AMF determining the network identification information of the IOPS core network corresponding to the RAN accessed by the UE may specifically be: the AMF determines the corresponding backhaul network based on the UE's identification information, further determines the identification information of the RAN corresponding to that backhaul network, and then determines the network identification information of the corresponding IOPS core network from the RAN's identification and the correspondence between the RAN identification and the second network identification information configured in step 0a.
It should be noted that the AMF may determine that the IOPS network identification information needs to be obtained from the network identification information acquisition request message itself, or from the network identification acquisition indication information in the message; this is not specifically limited in this application.
Step 5. The AMF replies to the request of the first UDM.
The reply carries the network identification information of the IOPS core network determined in step 4.
Step 6. The first UDM derives, from the key generated by primary authentication between the UE and the macro network (the first authentication information), the root key K_IOPS (the second authentication information) required for primary authentication between the UE and the IOPS core network in IOPS mode.
The details can be understood with reference to step 3 in the embodiment of Figure 6 and step 4 in Figure 5 above; they are not repeated here.
Step 6a. For details refer to step 3a in the embodiment of Figure 6 above.
Step 7 is the same as step 5 in the embodiment of Figure 5 above.
Steps 8-11 are the same as steps 6-9 in the embodiment of Figure 5 above.
In this embodiment, the first UDM generates the IOPS key based on the UE's subscription information, and the first UDM further sends it to the second UDM. Subsequently the UE and the IOPS core network can use the derived key of the macro network root key for the primary authentication procedure, which removes the step of preconfiguring the UE root key in the local IOPS core network; in addition, different keys can be sent to multiple second UDMs, so that where multiple IOPS core networks are deployed the UE can access any one of them, reducing the complexity of data processing and improving data processing efficiency.
The above mainly describes the solutions provided by the embodiments of this application from the perspective of interaction between devices. It can be understood that, to implement the above functions, each device may include a hardware structure and/or software module corresponding to each function. Those skilled in the art should readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of this application.
In the embodiments of this application, the device may be divided into functional units according to the above method examples; for example, each functional unit may correspond to one function, or two or more functions may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
Where an integrated unit is used, FIG. 8 shows a possible exemplary block diagram of a communication apparatus involved in the embodiments of this application. As shown in FIG. 8, the communication apparatus 800 may include a processing unit 801 and a transceiver unit 802. The processing unit 801 is configured to control and manage the actions of the communication apparatus 800. The transceiver unit 802 is configured to support communication between the communication apparatus 800 and other devices. Optionally, the transceiver unit 802 may include a receiving unit and/or a sending unit, configured to perform receiving and sending operations respectively. Optionally, the communication apparatus 800 may further include a storage unit for storing program code and/or data of the communication apparatus 800. The transceiver unit may be called an input/output unit, a communication unit, or the like; the transceiver unit may be a transceiver, and the processing unit may be a processor. When the communication apparatus is a module (for example, a chip) in a communication device, the transceiver unit may be an input/output interface, an input/output circuit, an input/output pin, or the like, and may also be called an interface, a communication interface, an interface circuit, or the like; the processing unit may be a processor, a processing circuit, a logic circuit, or the like. Specifically, the apparatus may be the first UDM, the AMF, the second UDM, or the like described above.
In one embodiment, the processing unit 801 of the communication apparatus 800 is configured to determine, based on first authentication information used by a terminal device for access authentication with a first network, second authentication information used by the terminal device for access authentication with a second network, where the communication apparatus belongs to the first network and the first network is different from the second network; the transceiver unit 802 is configured to send the second authentication information to a second unified data management unit, which belongs to the second network.
In an optional manner, the processing unit 801 is configured to determine the second authentication information based on the first authentication information when it is determined that the terminal device has permission to access the first network.
In an optional manner, the transceiver unit 802 is configured to receive indication information from an access and mobility management network element, where the indication information is used to trigger the communication apparatus to determine the second authentication information.
In an optional manner, the processing unit 801 is configured to generate the second authentication information using the first authentication information as an input parameter.
In an optional manner, the first authentication information includes one or more of the following: CK, IK, SQN, KAUSF, KSEAF, KAMF.
In an optional manner, the transceiver unit 802 is configured to send identification information of the terminal device and the second authentication information to the second unified data management unit, where the identification information of the terminal device is associated with the second authentication information.
In an optional manner, the transceiver unit 802 is configured to send the second authentication information to the second unified data management unit via the access and mobility management network element and a radio access network device; or the transceiver unit 802 is configured to send the second authentication information to the second unified data management unit via an NEF.
In an optional manner, the second authentication information is protected by key protection information.
In an optional manner, the transceiver unit 802 is configured to receive identification information of the second network from the access and mobility management network element, and the processing unit 801 is configured to determine the key protection information based on the identification information of the second network.
In an optional manner, the first network is an IOPS network or a private network and the second network is a macro network; or the first network is a macro network and the second network is an IOPS network or a private network.
In one embodiment, the processing unit 801 of the communication apparatus 800 is configured to determine identification information of a second network, where a first unified data management unit belongs to a first network and the first network is different from the second network; the transceiver unit 802 is configured to send the identification information of the second network to the first unified data management unit.
In an optional manner, the processing unit 801 triggers indication information, where the indication information is used to instruct the first unified data management unit to determine, based on first authentication information used by a terminal device for access authentication with the first network, second authentication information used by the terminal device for access authentication with the second network; the transceiver unit 802 is configured to send the indication information to the first unified data management unit.
In an optional manner, the processing unit 801 is configured to determine the identification information of the second network based on the existence of a second network co-deployed with the radio access network device that the terminal device accesses.
In an optional manner, the processing unit 801 is configured to determine, based on capability information of the terminal device, that the terminal device has the capability to access the second network, and to determine the identification information of the second network based on the terminal device having the capability to access the second network and the accessed radio access network device having a co-deployed second network.
In an optional manner, the transceiver unit 802 is configured to receive, from the first unified data management unit, a request message for the identification information of the second network, and the processing unit 801 is configured to query the identification information of the second network based on the request message.
In an optional manner, the transceiver unit 802 is configured to send, to the terminal device, indication information instructing the terminal device to generate the second authentication information.
In an optional manner, the second authentication information is protected by key protection information.
In an optional manner, the first network is an IOPS network or a private network and the second network is a macro network; or the first network is a macro network and the second network is an IOPS network or a private network.
In one embodiment, the transceiver unit 802 of the communication apparatus 800 is configured to receive, from a first unified data management network element, second authentication information used by a terminal device for access authentication with a second network, and the processing unit 801 is configured to perform access authentication of the terminal device based on the second authentication information.
In an optional manner, the second authentication information is determined by the first unified data management unit based on first authentication information used by the terminal device for access authentication with a first network; the first unified data management unit belongs to the first network, the second unified data management unit belongs to the second network, and the first network is different from the second network.
In an optional manner, the second authentication information is protected by key protection information.
In an optional manner, before performing access authentication of the terminal device based on the second authentication information, the processing unit 801 is configured to decrypt, using key decryption protection information, the second authentication information that is protected by the key protection information, so as to obtain the second authentication information.
In an optional manner, the key decryption protection information is associated with the identification information of the second network.
In an optional manner, the first network is an IOPS network or a private network and the second network is a macro network; or the first network is a macro network and the second network is an IOPS network or a private network.
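The flow the embodiments above describe, from the first UDM deriving a second-network key out of first authentication information, through protecting it under key protection information tied to the second network's identity, to the second UDM decrypting it and authenticating the UE with it, as an added Python example that is not part of the patent or its applicant's code. The KDF input layout follows 3GPP TS 33.220; the FC values, the pre-shared inter-UDM secret, the network identifiers, the SUPI binding and the HMAC-based stand-in for an AEAD are this example's own assumptions.

```python
# Added example, not the patent's code. FC values, the inter-UDM secret, network IDs
# and key bytes are constructed placeholders; an HMAC-SHA-256 counter keystream plus
# an HMAC tag stands in for the AEAD (e.g. AES-GCM) a real deployment would use.
import hashlib
import hmac
import os
import struct

FC_SECOND_NET = b"\xff"  # placeholder FC; real values are allocated by 3GPP
FC_PROTECT = b"\xfe"     # placeholder FC for the key protection information

def kdf(key: bytes, fc: bytes, *params: bytes) -> bytes:
    """3GPP-style KDF (TS 33.220 Annex B layout): HMAC-SHA-256 over FC||P0||L0||P1||L1..."""
    s = fc + b"".join(p + struct.pack(">H", len(p)) for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_second_auth_info(k_ausf: bytes, second_net_id: bytes, supi: bytes) -> bytes:
    """First UDM (and symmetrically the UE): second authentication information from
    K_AUSF bound to the second network; binding the SUPI too is this example's choice."""
    return kdf(k_ausf, FC_SECOND_NET, second_net_id, supi)

def protection_keys(inter_udm_secret: bytes, second_net_id: bytes) -> tuple:
    """Key protection information determined from the second network's identification
    information; the inter-UDM secret is assumed pre-provisioned on both UDMs."""
    return (kdf(inter_udm_secret, FC_PROTECT, b"enc", second_net_id),
            kdf(inter_udm_secret, FC_PROTECT, b"mac", second_net_id))

def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(k_enc, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def protect(keys: tuple, supi: bytes, info: bytes, nonce: bytes = None) -> dict:
    """First UDM: encrypt-then-MAC, with the tag bound to the UE identity."""
    k_enc, k_mac = keys
    nonce = os.urandom(16) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(info, _keystream(k_enc, nonce, len(info))))
    tag = hmac.new(k_mac, supi + nonce + ct, hashlib.sha256).digest()
    return {"supi": supi, "nonce": nonce, "ct": ct, "tag": tag}

def unprotect(keys: tuple, msg: dict) -> bytes:
    """Second UDM: verify the tag with its key decryption protection information
    before decrypting, so a message protected for another network is rejected."""
    k_enc, k_mac = keys
    tag = hmac.new(k_mac, msg["supi"] + msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        raise ValueError("key protection check failed")
    ks = _keystream(k_enc, msg["nonce"], len(msg["ct"]))
    return bytes(a ^ b for a, b in zip(msg["ct"], ks))

class FirstUDM:
    """Macro-network UDM holding subscription data and the UE's K_AUSF."""
    def __init__(self, inter_udm_secret: bytes, subscriptions: dict):
        self.secret, self.subs = inter_udm_secret, subscriptions

    def on_indication(self, supi: bytes, second_net_id: bytes) -> dict:
        """Handle the AMF indication carrying the second network's ID; only a UE
        with permission to access the first network gets a key."""
        sub = self.subs.get(supi)
        if sub is None or not sub["allowed"]:
            raise PermissionError("UE has no permission to access the first network")
        info = derive_second_auth_info(sub["KAUSF"], second_net_id, supi)
        return protect(protection_keys(self.secret, second_net_id), supi, info)

class SecondUDM:
    """IOPS or private-network UDM; needs no pre-configured UE root key."""
    def __init__(self, inter_udm_secret: bytes, net_id: bytes):
        self.keys, self.store = protection_keys(inter_udm_secret, net_id), {}

    def receive(self, msg: dict) -> None:
        self.store[msg["supi"]] = unprotect(self.keys, msg)

    def access_auth(self, supi: bytes, ue_key: bytes) -> bool:
        stored = self.store.get(supi)
        return stored is not None and hmac.compare_digest(stored, ue_key)

def _raises(fn, exc) -> bool:
    try:
        fn()
    except exc:
        return True
    return False

SECRET, SUPI = b"inter-udm-secret-placeholder", b"imsi-001010123456789"  # constructed
K_AUSF, IOPS_A, IOPS_B = bytes(range(32)), b"iops-net-A", b"iops-net-B"  # constructed

def run_flow() -> dict:
    first = FirstUDM(SECRET, {SUPI: {"allowed": True, "KAUSF": K_AUSF},
                              b"imsi-x": {"allowed": False, "KAUSF": K_AUSF}})
    udm_a, udm_b = SecondUDM(SECRET, IOPS_A), SecondUDM(SECRET, IOPS_B)
    msg_a, msg_b = first.on_indication(SUPI, IOPS_A), first.on_indication(SUPI, IOPS_B)
    udm_a.receive(msg_a)
    udm_b.receive(msg_b)
    ue_key_a = derive_second_auth_info(K_AUSF, IOPS_A, SUPI)  # UE side, on AMF indication
    return {"auth_a": udm_a.access_auth(SUPI, ue_key_a),
            "auth_b_with_a_key": udm_b.access_auth(SUPI, ue_key_a),
            "keys_differ": udm_a.store[SUPI] != udm_b.store[SUPI],
            "misrouted_rejected": _raises(lambda: udm_b.receive(msg_a), ValueError),
            "denied": _raises(lambda: first.on_indication(b"imsi-x", IOPS_A), PermissionError)}
```

`run_flow()` shows one UE obtaining distinct keys for two IOPS networks from the same K_AUSF, the second UDM of network B rejecting material protected for network A, and a UE without first-network permission receiving nothing.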
As shown in FIG. 9, this application further provides a communication apparatus 900. The communication apparatus 900 may be a chip or a chip system. The communication apparatus may be located in any of the devices involved in the method embodiments above, such as the first UDM, the AMF, or the second UDM, to perform the actions corresponding to that device.
Optionally, the chip system may consist of chips, or may include chips together with other discrete components.
The communication apparatus 900 includes a processor 910.
The processor 910 is configured to execute a computer program stored in a memory 920 to implement the actions of each device in any of the method embodiments above.
The communication apparatus 900 may further include the memory 920 for storing the computer program.
Optionally, the memory 920 is coupled to the processor 910. Coupling is an indirect coupling or communication connection between apparatuses, units or modules, which may be electrical, mechanical or of another form, and is used for information exchange between the apparatuses, units or modules. Optionally, the memory 920 is integrated with the processor 910.
There may be one or more processors 910 and one or more memories 920; this is not limited.
Optionally, in practical applications, the communication apparatus 900 may or may not include a transceiver 930 (shown with a dashed box in the figure); the communication apparatus 900 may exchange information with other devices through the transceiver 930. The transceiver 930 may be a circuit, a bus, a transceiver, or any other apparatus that can be used for information exchange.
In a possible implementation, the communication apparatus 900 may be the first UDM, the AMF, or the second UDM in the method implementations above.
The specific connection medium between the transceiver 930, the processor 910 and the memory 920 is not limited in the embodiments of this application. In FIG. 9, the memory 920, the processor 910 and the transceiver 930 are connected by a bus, shown as a thick line; the connections between the other components are only illustrative and are not limiting. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation only one thick line is used in FIG. 9, but this does not mean there is only one bus or only one type of bus. In the embodiments of this application, the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in connection with the embodiments of this application may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
In the embodiments of this application, the memory may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or a volatile memory, such as random-access memory (RAM). The memory may also be, but is not limited to, any other medium that can carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory in the embodiments of this application may also be a circuit or any other apparatus capable of providing a storage function, for storing computer programs, program instructions and/or data.
Based on the above embodiments, and referring to FIG. 10, an embodiment of this application further provides another communication apparatus 1000, including an interface circuit 1010 and a logic circuit 1020. The interface circuit 1010 may be understood as an input/output interface and may be used to perform the sending and receiving steps of each device in any of the method embodiments above; the logic circuit 1020 may be used to run code or instructions to perform the method performed by each device in any of the embodiments above, which is not described again here.
Based on the above embodiments, an embodiment of this application further provides a computer-readable storage medium storing instructions which, when executed, cause the method performed by each device in any of the method embodiments above to be implemented, for example the method performed by the first UDM or the second UDM in the embodiment shown in FIG. 4. The computer-readable storage medium may include a USB flash drive, a removable hard disk, a read-only memory, a random-access memory, a magnetic disk, an optical disc, or any other medium that can store program code.
Based on the above embodiments, an embodiment of this application provides a communication system including the first UDM, the AMF and the second UDM mentioned in any of the method embodiments above, which may be used to perform the method performed by each device in any of those method embodiments.
Those skilled in the art will understand that the embodiments of this application may be provided as a method, a system, or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) containing computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of methods, apparatuses (systems) and computer program products according to this application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus, so that a series of operational steps are performed on the computer or other programmable apparatus to produce computer-implemented processing, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

Claims (44)

  1. A communication method, characterized by comprising:
    determining, by a first unified data management unit, based on first authentication information used by a terminal device for access authentication with a first network, second authentication information used by the terminal device for access authentication with a second network, wherein the first unified data management unit belongs to the first network, and the first network is different from the second network;
    sending, by the first unified data management unit, the second authentication information to a second unified data management unit, wherein the second unified data management unit belongs to the second network.
  2. The method according to claim 1, characterized in that the determining, by the first unified data management unit, based on the first authentication information used by the terminal device for access authentication with the first network, the second authentication information used by the terminal device for access authentication with the second network comprises:
    determining, by the first unified data management unit, the second authentication information based on the first authentication information when it is determined that the terminal device has permission to access the first network.
  3. The method according to claim 1, characterized in that the method further comprises:
    receiving, by the first unified data management unit, indication information from an access and mobility management network element, wherein the indication information is used to trigger the first unified data management unit to determine the second authentication information.
  4. The method according to any one of claims 1 to 3, characterized in that the determining, by the first unified data management unit, based on the first authentication information used by the terminal device for access authentication with the first network, the second authentication information used by the terminal device for access authentication with the second network comprises:
    generating, by the first unified data management unit, the second authentication information using the first authentication information as an input parameter.
  5. The method according to any one of claims 1 to 4, characterized in that the first authentication information comprises one or more of the following: a confidentiality key CK, an integrity key IK, a sequence number SQN, an AUSF key KAUSF, a SEAF key KSEAF, and an AMF key KAMF.
  6. The method according to any one of claims 1 to 5, characterized in that the sending, by the first unified data management unit, the second authentication information to the second unified data management unit comprises:
    sending, by the first unified data management unit, identification information of the terminal device and the second authentication information to the second unified data management unit, wherein the identification information of the terminal device is associated with the second authentication information.
  7. The method according to any one of claims 1 to 6, characterized in that the sending, by the first unified data management unit, the second authentication information to the second unified data management unit comprises:
    sending, by the first unified data management unit, the second authentication information to the second unified data management unit via an access and mobility management network element and a radio access network device; or
    sending, by the first unified data management unit, the second authentication information to the second unified data management unit via a network exposure function NEF.
  8. The method according to any one of claims 1 to 7, characterized in that the second authentication information is protected by key protection information.
  9. The method according to claim 8, characterized in that the method further comprises:
    receiving, by the first unified data management unit, identification information of the second network from the access and mobility management network element;
    determining, by the first unified data management unit, the key protection information based on the identification information of the second network.
  10. The method according to any one of claims 1 to 9, characterized in that the first network is an isolated operation for public safety IOPS network or a private network and the second network is a macro network; or the first network is the macro network and the second network is the IOPS network or the private network.
  11. A communication method, characterized by comprising:
    determining, by an access and mobility management network element, identification information of a second network;
    sending, by the access and mobility management network element, the identification information of the second network to a first unified data management unit;
    wherein the first unified data management unit belongs to a first network, and the first network is different from the second network.
  12. The method according to claim 11, characterized in that the determining, by the access and mobility management network element, identification information of the second network comprises:
    triggering, by the access and mobility management network element, indication information, wherein the indication information is used to instruct the first unified data management unit to determine, based on first authentication information used by a terminal device for access authentication with the first network, second authentication information used by the terminal device for access authentication with the second network;
    and the sending, by the access and mobility management network element, the identification information of the second network to the first unified data management unit comprises:
    sending, by the access and mobility management network element, the indication information to the first unified data management unit.
  13. The method according to claim 11, characterized in that the determining, by the access and mobility management network element, identification information of the second network comprises:
    determining, by the access and mobility management network element, the identification information of the second network based on the existence of the second network co-deployed with the radio access network device that the terminal device accesses.
  14. The method according to claim 13, characterized in that the determining, by the access and mobility management network element, identification information of the second network comprises:
    determining, by the access and mobility management network element, based on capability information of the terminal device, that the terminal device has the capability to access the second network;
    determining, by the access and mobility management network element, the identification information of the second network based on the terminal device having the capability to access the second network and the accessed radio access network device having the co-deployed second network.
  15. The method according to claim 11, characterized in that the determining, by the access and mobility management network element, identification information of the second network comprises:
    receiving, by the access and mobility management network element, a request message for the identification information of the second network from the first unified data management unit;
    determining, by the access and mobility management network element, the identification information of the second network based on the request message.
  16. The method according to any one of claims 11 to 15, characterized by further comprising:
    sending, by the access and mobility management network element, to the terminal device, indication information instructing the terminal device to generate second authentication information.
  17. The method according to any one of claims 11 to 16, characterized in that the first network is an isolated operation for public safety IOPS network or a private network and the second network is a macro network; or the first network is the macro network and the second network is the IOPS network or the private network.
  18. A communication apparatus, characterized in that it comprises:
    a processing unit, configured to determine, according to first authentication information used by a terminal device for access authentication with a first network, second authentication information used by the terminal device for access authentication with a second network, the communication apparatus belonging to the first network and the first network being different from the second network;
    a transceiver unit, configured to send the second authentication information to a second unified data management unit, the second unified data management unit belonging to the second network.
  19. The apparatus according to claim 18, characterized in that the processing unit is configured to determine the second authentication information according to the first authentication information when it is determined that the terminal device has permission to access the first network.
  20. The apparatus according to claim 18, characterized in that the transceiver unit is further configured to:
    receive indication information from an access and mobility management network element, the indication information being used to trigger the communication apparatus to determine the second authentication information.
  21. The apparatus according to any one of claims 18 to 20, characterized in that the processing unit is configured to: generate the second authentication information using the first authentication information as an input parameter.
  22. The apparatus according to any one of claims 18 to 21, characterized in that the first authentication information comprises one or more of the following: a confidentiality key CK, an integrity key IK, a sequence number SQN, an AUSF key KAUSF, a SEAF key KSEAF, and an AMF key KAMF.
  23. The apparatus according to any one of claims 18 to 22, characterized in that the transceiver unit is configured to: send identification information of the terminal device and the second authentication information to the second unified data management unit, the identification information of the terminal device being associated with the second authentication information.
  24. The apparatus according to any one of claims 18 to 23, characterized in that the transceiver unit is configured to: send the second authentication information to the second unified data management unit via the access and mobility management network element and a radio access network device; or the communication apparatus sends the second authentication information to the second unified data management unit via a network exposure function NEF.
  25. The apparatus according to any one of claims 18 to 24, characterized in that the second authentication information is security-protected by key protection information.
  26. The apparatus according to claim 25, characterized in that the transceiver unit is configured to:
    receive identification information of the second network from the access and mobility management network element;
    and the processing unit is configured to: determine the key protection information according to the identification information of the second network.
  27. The apparatus according to any one of claims 18 to 26, characterized in that the first network is an isolated operation for public safety (IOPS) network or a private network and the second network is a macro network; or the first network is the macro network and the second network is the IOPS network or the private network.
  28. A communication apparatus, characterized in that it comprises:
    a processing unit, configured to determine identification information of a second network, wherein a first unified data management unit belongs to a first network and the first network is different from the second network;
    a transceiver unit, configured to send the identification information of the second network to the first unified data management unit.
  29. The apparatus according to claim 28, characterized in that the processing unit is configured to:
    trigger indication information, the indication information being used to instruct the first unified data management unit to determine, according to first authentication information used by a terminal device for access authentication with the first network, second authentication information used by the terminal device for access authentication with the second network;
    and the transceiver unit is configured to: send the indication information to the first unified data management unit.
  30. The apparatus according to claim 28, characterized in that the processing unit is configured to:
    determine the identification information of the second network according to the second network being co-deployed with the radio access network device accessed by the terminal device.
  31. The apparatus according to claim 30, characterized in that the processing unit is configured to:
    determine, according to capability information of the terminal device, that the terminal device has the capability to access the second network;
    determine the identification information of the second network according to the terminal device having the capability to access the second network and the accessed radio access network device being co-deployed with the second network.
  32. The apparatus according to claim 28, characterized in that the transceiver unit is configured to:
    receive a request message for the identification information of the second network from the first unified data management unit;
    and the processing unit is configured to determine the identification information of the second network based on the request message.
  33. The apparatus according to any one of claims 28 to 32, characterized in that the transceiver unit is configured to:
    send, to the terminal device, indication information for instructing the terminal device to generate second authentication information.
  34. The apparatus according to any one of claims 28 to 33, characterized in that the first network is an isolated operation for public safety (IOPS) network or a private network and the second network is a macro network; or the first network is the macro network and the second network is the IOPS network or the private network.
  35. A communication apparatus, characterized in that it comprises: at least one processor and a memory;
    the memory being configured to store a computer program or instructions;
    the at least one processor being configured to execute the computer program or instructions, so that the method according to any one of claims 1 to 10 or any one of claims 11 to 17 is performed.
  36. A chip system, characterized in that the chip system comprises: a processing circuit; the processing circuit being coupled to a storage medium;
    the processing circuit being configured to execute some or all of the computer program or instructions in the storage medium and, when the some or all of the computer program or instructions are executed, to implement the method according to any one of claims 1 to 10 or any one of claims 11 to 17.
  37. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions which, when executed by a computer, cause the method according to any one of claims 1 to 10 or any one of claims 11 to 17 to be performed.
  38. A computer program product comprising a computer program or instructions, characterized in that, when run on a computer, it causes the method according to any one of claims 1 to 10 or any one of claims 11 to 17 to be performed.
  39. A communication method, characterized in that it comprises:
    a first unified data management unit determining, according to first authentication information used by a terminal device for access authentication with a first network, second authentication information used by the terminal device for access authentication with a second network, wherein the second authentication information is security-protected by key protection information;
    the first unified data management unit sending the second authentication information to a second unified data management unit; and
    the second unified data management unit receiving the second authentication information.
  40. The method according to claim 39, characterized in that the method further comprises:
    an access and mobility management network element sending identification information of the second network to the first unified data management unit;
    the first unified data management unit determining the key protection information according to the identification information of the second network.
  41. A communication method, characterized in that it comprises:
    an access and mobility management network element sending identification information of a second network to a first unified data management unit, wherein the first unified data management unit belongs to a first network and the first network is different from the second network;
    the first unified data management unit determining key protection information according to the identification information of the second network;
    the first unified data management unit determining, according to first authentication information used by a terminal device for access authentication with the first network, second authentication information used by the terminal device for access authentication with the second network; and
    the first unified data management unit sending the second authentication information to a second unified data management unit, wherein the second authentication information is security-protected by the key protection information.
  42. A communication system, characterized in that it comprises a first unified data management unit and a second unified data management unit, wherein:
    the first unified data management unit is configured to:
    determine, according to first authentication information used by a terminal device for access authentication with a first network, second authentication information used by the terminal device for access authentication with a second network, wherein the second authentication information is security-protected by key protection information;
    send the second authentication information to the second unified data management unit;
    and the second unified data management unit is configured to:
    receive the second authentication information.
  43. The system according to claim 42, characterized in that it further comprises:
    an access and mobility management network element, configured to send identification information of the second network to the first unified data management unit;
    and the first unified data management unit is further configured to:
    determine the key protection information according to the identification information of the second network.
  44. A communication system, characterized in that it comprises an access and mobility management network element and a first unified data management unit, wherein:
    the access and mobility management network element is configured to:
    send identification information of a second network to the first unified data management unit, wherein the first unified data management unit belongs to a first network and the first network is different from the second network;
    and the first unified data management unit is configured to:
    determine key protection information according to the identification information of the second network;
    determine, according to first authentication information used by a terminal device for access authentication with the first network, second authentication information used by the terminal device for access authentication with the second network; and
    send the second authentication information to a second unified data management unit, wherein the second authentication information is security-protected by the key protection information.
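As an added illustration (not code from the patent or from the applicant), a Python sketch of the flow in claims 21 to 26 and 39 to 41: UDM1 derives the second authentication information from the first, protects it with key protection information determined from the second network's identifier, and UDM2 verifies that protection before accepting the material. The concrete KDF, the HMAC-based protection, the shared inter-UDM root key and every key value here are assumptions; the claims fix none of them.

```python
import hmac
import hashlib
from typing import Optional

# Constructed sample "first authentication information" (claim 22 names CK, IK, SQN,
# KAUSF, KSEAF, KAMF). These are made-up test vectors, not real 5G key material.
FIRST_AUTH_INFO = {
    "CK": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "IK": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
    "SQN": bytes.fromhex("000000000010"),
    "KAUSF": hashlib.sha256(b"constructed KAUSF").digest(),
}

# Assumption (not in the claims): UDM1 and UDM2 share a long-term inter-network key,
# and the per-network "key protection information" is derived from it.
INTER_UDM_ROOT_KEY = hashlib.sha256(b"constructed inter-UDM root key").digest()


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """HMAC-SHA256 based KDF (one HKDF-expand block). Each input is length-prefixed
    so the concatenation is unambiguous. The concrete KDF is assumed, not claimed."""
    data = label + b"".join(len(x).to_bytes(2, "big") + x for x in inputs) + b"\x01"
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_second_auth_info(first_info: dict, network2_id: str) -> bytes:
    """Claim 21: the first authentication information is the KDF input for the second.
    Mixing in network2_id binds the result to the second network."""
    material = b"".join(first_info[k] for k in sorted(first_info))
    return kdf(material, b"second-auth-info", network2_id.encode())


def key_protection_info(network2_id: str) -> bytes:
    """Claim 26: the protection key is determined from the second network's identifier."""
    return kdf(INTER_UDM_ROOT_KEY, b"key-protection-info", network2_id.encode())


def udm1_build_message(ue_id: str, first_info: dict, network2_id: str) -> dict:
    """UDM1 side (claims 23 and 25): second auth info associated with the UE identifier
    and integrity-protected by an HMAC tag keyed with the key protection information."""
    second = derive_second_auth_info(first_info, network2_id)
    tag = hmac.new(key_protection_info(network2_id), ue_id.encode() + second,
                   hashlib.sha256).digest()
    return {"ue_id": ue_id, "network_id": network2_id,
            "second_auth_info": second.hex(), "tag": tag.hex()}


def udm2_accept(msg: dict, own_network_id: str) -> Optional[bytes]:
    """UDM2 side: recompute the protection key for its OWN network identifier and verify
    the tag in constant time. Material prepared for another network, or a message whose
    UE identifier was altered in transit, fails verification and is discarded."""
    second = bytes.fromhex(msg["second_auth_info"])
    expected = hmac.new(key_protection_info(own_network_id),
                        msg["ue_id"].encode() + second, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
        return None
    return second
```

Because the protection key is bound to the receiving network's identifier, a message built for the macro network is rejected by an IOPS-network UDM even though both trust the same root key.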
PCT/CN2023/090404 2022-05-06 2023-04-24 Communication method and communication apparatus WO2023213208A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210489861.5 2022-05-06
CN202210489861.5A CN117062070A (en) 2022-05-06 2022-05-06 Communication method and communication device

Publications (1)

Publication Number Publication Date
WO2023213208A1 true WO2023213208A1 (en) 2023-11-09

Family

ID=88646245

Country Status (2)

Country Link
CN (1) CN117062070A (en)
WO (1) WO2023213208A1 (en)

Also Published As

Publication number Publication date
CN117062070A (en) 2023-11-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23799195

Country of ref document: EP

Kind code of ref document: A1