WO2023245388A1 - Secure communication method and device - Google Patents

Secure communication method and device

Info

Publication number
WO2023245388A1
Authority
WO
WIPO (PCT)
Prior art keywords
target application
application server
akma
service request
authentication
Prior art date
Application number
PCT/CN2022/099964
Other languages
English (en)
French (fr)
Inventor
梁浩然
陆伟
Original Assignee
北京小米移动软件有限公司
Priority date
Filing date
Publication date
Application filed by 北京小米移动软件有限公司
Priority to CN202280002198.XA (CN117616792A)
Priority to PCT/CN2022/099964 (WO2023245388A1)
Publication of WO2023245388A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Definitions

  • The present application relates to the field of communication technology, and in particular to a secure communication method and device.
  • UE: user equipment. AF: application function.
  • The network element provides an initial shared session key, thereby ensuring secure communication between the UE and the AF network element.
  • This technology is called Authentication and Key Management for Applications based on 3GPP credentials (AKMA), where 3GPP is the 3rd Generation Partnership Project.
  • This application proposes a secure communication method and device that provide an effective solution for supporting an authentication agent in AKMA scenarios, and can meet more business needs while ensuring communication security.
  • The first aspect embodiment of the present application provides a secure communication method applied to the AKMA authentication agent.
  • The method includes: receiving a service request for a target application server (target AS) sent by the user equipment UE, where the service request carries the identification information of the target application server and the AKMA key identifier (A-KID) of the UE; performing authentication and authorization on the UE according to the A-KID and the identification information of the target application server, and determining whether the UE is authorized to access the target application server; and, in response to authorizing the UE to access the target application server, forwarding the service request and the authentication result of the UE to the target application server.
  • targetAS target application server
  • A-KID AKMA key identifier
  • Before receiving the service request for the target application server sent by the UE, the method further includes: receiving a session establishment request sent by the UE, the session establishment request carrying the A-KID of the UE; and establishing a TLS connection with the UE according to the A-KID of the UE. Receiving the service request for the target application server sent by the UE then includes: receiving the service request for the target application server through the established TLS connection.
  • The identification information of the target application server at least includes: the fully qualified domain name (FQDN), the Ua* security protocol identifier, the IP address, and the port number of the target application server.
  • Performing authentication and authorization on the UE according to the A-KID and the identification information of the target application server, and determining whether to authorize the UE to access the target application server, includes: determining according to the A-KID whether a transport layer security (TLS) connection has been established with the UE; and, in response to a TLS connection having been established with the UE, determining whether the UE is authorized to access the target application server based on the preset policy of the AKMA authentication agent and the identification information of the target application server.
  • Performing authentication and authorization on the UE according to the A-KID and the identification information of the target application server, and determining whether to authorize the UE to access the target application server, also includes: in response to no TLS connection having been established with the UE, establishing a TLS connection with the UE according to the A-KID, and requiring the UE to send the service request for the target application server after the TLS connection is established, wherein the service request carries the identification information of the target application server and the A-KID of the UE.
  • Establishing a TLS connection with the UE according to the A-KID includes: sending an AKMA application key request to the AKMA anchor function AAnF, where the key request carries the A-KID and the application function identifier of the AKMA authentication agent, the application function identifier of the AKMA authentication agent including the FQDN and the Ua* security protocol identifier; receiving the first key K_AF returned by the AAnF according to the A-KID and the application function identifier of the AKMA authentication agent; and, based on the first key K_AF and the second key K_AF on the UE side, performing mutual authentication with the UE and establishing the TLS connection with the UE.
  • The method further includes: after sending the service request and the authentication result of the UE to the target application server, sending the service response of the target application server to the UE.
  • Sending the service request and the authentication result of the UE to the target application server includes: determining, based on the preset policy of the AKMA authentication agent, whether the target application server has the right to and needs to obtain the identity information of the UE; in response to the target application server having the right to and needing to obtain the identity information of the UE, sending the identity information of the UE, the service request and the authentication result of the UE to the target application server; otherwise, sending the service request and the authentication result of the UE to the target application server.
  • The method further includes: after sending the identity information of the UE, the service request and the authentication result of the UE to the target application server, sending the corresponding authorization information and service response to the UE according to the service response information returned by the target application server.
  • In response to the target application server having the right to and needing to obtain the identity information of the UE, sending the identity information of the UE, the service request and the authentication result of the UE includes: in response to the target application server not being in the 3GPP operator domain, sending the generic public subscription identifier (GPSI) of the UE to the target application server.
  • The AKMA authentication agent and the target application server have the same application function identifier, and the application function identifier includes: the FQDN corresponding to the application function and the Ua* security protocol identifier.
  • The second aspect embodiment of the present application provides a secure communication method applied to the user equipment UE.
  • The method includes: sending a service request for the target application server to the AKMA authentication agent, wherein the service request carries the identification information of the target application server and the AKMA key identifier A-KID of the UE; and receiving the response information returned by the AKMA authentication agent.
  • Before sending the service request for the target application server to the AKMA authentication agent, the method further includes: obtaining the AKMA anchor key K_AKMA and the A-KID based on the key K_AUSF of the authentication server function (AUSF) network element, wherein K_AKMA is used, in combination with the identification information of the target application server, to obtain the key K_AF, and the key K_AF is used to establish a TLS connection with the AKMA authentication agent.
  • Sending the service request for the target application server to the AKMA authentication agent includes: obtaining the address of the AKMA authentication agent through the identification information of the target application server, wherein the identification information of the target application server at least includes: the FQDN, the Ua* security protocol identifier, the IP address, and the port number of the target application server.
  • Receiving the response information returned by the AKMA authentication agent includes: receiving error code information sent by the AKMA authentication agent, or a service response returned by the target application server.
  • A third aspect embodiment of the present application provides a secure communication method applied to a target application server.
  • The method includes: receiving a service request from a user equipment UE and the authentication result of the UE, both sent by the AKMA authentication agent, where the service request carries the identification information of the target application server and the AKMA key identifier A-KID of the UE; and, according to the authentication result of the UE, sending a service response to the service request to the UE through the AKMA authentication agent.
  • Sending the service response to the service request to the UE through the AKMA authentication agent according to the authentication result of the UE includes: in response to the UE passing the authentication and authorization of the AKMA authentication agent, returning a service response to the UE through the AKMA authentication agent.
  • Receiving the service request from the user equipment UE and the authentication result of the UE sent by the AKMA authentication agent includes: receiving the service request of the UE, the authentication result of the UE and the identity information of the UE sent by the AKMA authentication agent.
  • The fourth aspect embodiment of the present application provides a secure communication device for the application authentication and key management (AKMA) authentication agent, including: a receiving module, configured to receive a service request for a target application server sent by the user equipment UE, wherein the service request carries the identification information of the target application server and the AKMA key identifier A-KID of the UE; an authentication module, configured to perform authentication and authorization on the UE according to the A-KID and the identification information of the target application server, and to determine whether to authorize the UE to access the target application server; and a sending module, configured to forward the service request and the authentication result of the UE to the target application server in response to authorizing the UE to access the target application server.
  • The fifth aspect embodiment of the present application provides a secure communication device applied to the user equipment UE, including: a sending module, configured to send a service request for the target application server to the application authentication and key management AKMA authentication agent, wherein the service request carries the identification information of the target application server and the AKMA key identifier A-KID of the UE; and a receiving module, configured to receive the response information returned by the AKMA authentication agent.
  • The sixth aspect embodiment of the present application provides a secure communication device applied to a target application server, including: a receiving module, configured to receive, from the application authentication and key management AKMA authentication agent, the service request of the user equipment UE and the authentication result of the UE, where the service request carries the identification information of the target application server and the AKMA key identifier A-KID of the UE; and a sending module, configured to send a service response to the service request to the UE through the AKMA authentication agent according to the authentication result of the UE.
  • The seventh aspect embodiment of the present application provides a secure communication system including: an application authentication and key management AKMA authentication agent, a user equipment UE, and a target application server, wherein the AKMA authentication agent receives the service request for the target application server sent by the UE, the service request carrying the identification information of the target application server and the AKMA key identifier A-KID of the UE; the AKMA authentication agent authenticates and authorizes the UE based on the A-KID and the identification information of the target application server, determines whether the UE is authorized to access the target application server, and, in response to authorizing the UE to access the target application server, forwards the service request and the authentication result of the UE to the target application server; and the target application server sends a service response to the service request to the UE through the AKMA authentication agent according to the authentication result of the UE.
  • An eighth aspect embodiment of the present application provides a communication device.
  • The communication device includes: a transceiver; a memory; and a processor, connected respectively to the transceiver and the memory, configured to control the wireless signal transmission and reception of the transceiver by executing computer-executable instructions stored in the memory, and able to implement the method of the first, second or third aspect embodiment of the present application.
  • A ninth aspect embodiment of the present application provides a computer storage medium, wherein the computer storage medium stores computer-executable instructions; after the computer-executable instructions are executed by a processor, the method of the first or third aspect embodiment of the present application can be implemented.
  • The embodiments of this application provide a secure communication method and device in which the UE first sends the service request for the target application server to the AKMA authentication agent; after the UE passes the authentication and authorization of the AKMA authentication agent, the service request and the UE's authentication result are forwarded to the target application server for processing.
  • The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent. On the premise of ensuring communication security, this improves the communication efficiency between the UE and multiple target application servers.
  • Figure 1 is a schematic flow chart of a secure communication method according to an embodiment of the present application
  • Figure 2 is a schematic flow chart of a secure communication method according to an embodiment of the present application.
  • Figure 3 is a schematic flowchart of a secure communication method according to an embodiment of the present application.
  • Figure 4 is a schematic flow chart of a secure communication method according to an embodiment of the present application.
  • Figure 5 is a schematic flow chart of a secure communication method according to an embodiment of the present application.
  • Figure 6 is a schematic flowchart of a secure communication method according to an embodiment of the present application.
  • Figure 7 is a schematic flow chart of a secure communication method according to an embodiment of the present application.
  • Figure 8 is a schematic flow chart of a secure communication method according to an embodiment of the present application.
  • Figure 9 is a sequence diagram of a secure communication method according to an embodiment of the present application.
  • Figure 10 is a block diagram of a secure communication device according to an embodiment of the present application.
  • Figure 11 is a block diagram of a secure communication device according to an embodiment of the present application.
  • Figure 12 is a block diagram of a secure communication device according to an embodiment of the present application.
  • Figure 13 is a schematic structural diagram of a communication device according to an embodiment of the present application.
  • Figure 14 is a schematic structural diagram of a chip provided by an embodiment of the present application.
  • Although the terms first, second, third, etc. may be used to describe various information in the embodiments of the present disclosure, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from each other.
  • For example, first information may also be called second information, and similarly, second information may also be called first information.
  • The word "if" as used herein may be interpreted as "when", "upon", or "in response to determining".
  • AKMA: application authentication and key management.
  • An important feature introduced in 5G security technology is to use the authentication and security mechanism of the operator network to provide authentication and session key capabilities for third-party applications, so as to ensure session security between the user equipment (UE) and the application server.
  • AKMA technology provides end-to-end security protection from users to applications for 5G networks.
  • AUSF: authentication server function.
  • The AUSF is used to receive the request of the AMF (access and mobility management function) for authentication of the UE, request the key from the UDM, and then forward the key issued by the UDM to the AMF for authentication processing.
  • AMF: access and mobility management function.
  • AKMA, AAnF and AUSF may be network function modules on the core network side.
  • The 3rd Generation Partnership Project (3GPP) SA3 specifies Authentication and Key Management for Applications based on 3GPP credentials (AKMA) in 3GPP TS 33.535 [1].
  • The AKMA feature has been used as a solution to protect communication between the UE and the application function (AF) in ProSe, MSGin5G and other scenarios.
  • 3GPP TS 33.222 specifies the use of an authentication proxy in the Generic Bootstrapping Architecture (GBA), where the authentication proxy (AP) is an agent that resides between the UE and the application server (AS). It helps reduce the consumption of authentication vectors and/or minimize sequence number (SQN) synchronization failures, and relieves the AS of security tasks. This is beneficial when different application servers (or application functions, in AKMA) reside in the same trust domain or on the same edge node: through the AP, these application servers can rely on the AP to execute the AKMA procedure, which has a cost-saving advantage over each application server executing the AKMA procedure independently.
  • GBA: Generic Bootstrapping Architecture.
  • Figure 1 shows a schematic flowchart of a secure communication method according to an embodiment of the present application. As shown in Figure 1, this method is applied to the AKMA authentication agent and can include the following steps.
  • Step 101: The AKMA authentication agent receives the service request for the target application server sent by the UE.
  • The identification information of the target application server may at least include: the FQDN, the Ua* security protocol identifier, the IP address, the port number, etc. of the target application server.
  • The identification information of the target application server may include: the application function identifier (AS-ID), the domain name system (DNS) name, the IP address of the target application server, the port number of the target application server, etc.
  • The application function identifier may be composed of the FQDN of the target application server and the Ua* security protocol identifier.
  • The Ua* security protocol identifier may be used to determine the security protocol that the target application server will use with the UE.
  • Step 102: The AKMA authentication agent authenticates and authorizes the UE based on the A-KID of the UE and the identification information of the target application server, and determines whether to authorize the UE to access the target application server.
  • The AKMA authentication agent can perform authentication and authorization based on the pre-configured policy, the UE's A-KID and the identification information of the target application server, and determine whether to authorize the UE to access the target application server corresponding to that identification information. If the authentication determines that the UE is not authorized to access the target application server, an error code may be returned to the UE to inform the UE that access to the target application server failed. If the authentication determines that the UE is authorized to access the target application server, the process shown in step 103 is performed.
  • Step 103: In response to authorizing the UE to access the target application server, the AKMA authentication agent forwards the service request and the UE's authentication result to the target application server.
  • After receiving the service request from the UE and the authentication result of the UE forwarded by the AKMA authentication agent, the target application server can confirm from the authentication result that the UE has been authenticated and authorized by the AKMA authentication agent, can then safely process the UE's service request, and returns the service response to the UE through the AKMA authentication agent. Correspondingly, after forwarding the service request and the UE's authentication result to the target application server, the AKMA authentication agent may send the service response of the target application server to the UE.
  • By applying the secure communication method provided by this embodiment, an effective solution is provided to support the authentication agent in the AKMA scenario.
  • The UE first sends the service request for the target application server to the AKMA authentication agent; after authentication and authorization by the AKMA authentication agent, the service request and the UE's authentication result are forwarded to the target application server for processing.
  • The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent; on the premise of ensuring communication security, the communication efficiency between the UE and multiple target application servers is improved, and more business needs can be met.
  • Figure 2 shows a schematic flowchart of a secure communication method according to an embodiment of the present application.
  • The method is applied to the AKMA authentication agent and builds on the embodiment shown in Figure 1. As shown in Figure 2, the method may include the following steps.
  • Step 202: The AKMA authentication agent establishes a TLS connection between the AKMA authentication agent and the UE based on the A-KID of the UE.
  • The application function identifier of the AKMA authentication agent (the same application function identifier as that of the target application server) includes the FQDN and the Ua* security protocol identifier. The AKMA authentication agent receives the first key K_AF returned by the AAnF based on the UE's A-KID and the application function identifier of the AKMA authentication agent, and then performs mutual authentication with the UE based on the first key K_AF and the second key K_AF on the UE side.
  • In this way the TLS connection between the AKMA authentication agent and the UE can be accurately established, ensuring the smooth progress of subsequent secure communication between the UE and the AKMA authentication agent. Only when a TLS connection is established between the UE and the AKMA authentication agent can the AKMA authentication agent forward the UE's service request to the target application server, thereby effectively ensuring the security of the communication between the UE and the target application server.
  • Specifically, the AKMA authentication agent sends an AKMA application key request carrying the A-KID of the UE to the AAnF.
  • The AAnF finds the corresponding first anchor key K_AKMA based on the A-KID, and then derives from the first anchor key K_AKMA the AKMA application key of the AKMA authentication agent, that is, the first key K_AF on the AKMA authentication agent side.
  • On the UE side, the second anchor key K_AKMA can be obtained in advance based on the key K_AUSF of the AUSF network element; the second anchor key K_AKMA is combined with the identification information of the target application server (such as the FQDN) to derive the second key K_AF.
  • Mutual authentication between the AKMA authentication agent and the UE can then be performed (for example, by judging whether the first key K_AF on the AKMA authentication agent side and the second key K_AF on the UE side are the same), and a TLS connection is established between the AKMA authentication agent and the UE.
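The key hierarchy behind step 202 (K_AUSF giving K_AKMA and the A-KID on both the UE and the network side, then K_AKMA combined with the shared application function identifier giving K_AF on both sides, and the two K_AF values being compared) is worked through below. This is an added example and not code from the patent or from 3GPP: the derivation uses HMAC-SHA256 in the FC || P0 || L0 layout of the 3GPP KDF, the FC values 0x80/0x81/0x82 are taken from my reading of TS 33.535 Annex A and are an assumption here, and the SUPI, routing indicator, realm, FQDNs and the 5-octet Ua* identifier value are constructed sample inputs. The `AAnF` class and `run_scenario` function are this example's own names.

```python
import hmac
import hashlib

# FC values as read from TS 33.535 Annex A; treated as an assumption here, the
# example does not claim bit-exact conformance to the 3GPP derivations.
FC_K_AKMA, FC_A_TID, FC_K_AF = 0x80, 0x81, 0x82


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """KDF in the TS 33.220 shape: HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_anchor(k_ausf: bytes, supi: str, routing_indicator: str, home_realm: str):
    """K_AUSF -> (K_AKMA, A-KID). The A-KID username is RID || A-TID; rendering
    A-TID as hex and the realm string are this example's choices."""
    k_akma = kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())
    a_tid = kdf(k_ausf, FC_A_TID, b"A-TID", supi.encode())
    return k_akma, f"{routing_indicator}{a_tid.hex()}@{home_realm}"


def af_identifier(fqdn: str, ua_star_protocol_id: bytes) -> bytes:
    """AF_ID = FQDN || Ua* security protocol identifier; the text says the agent
    and the target application server share this identifier."""
    return fqdn.encode() + ua_star_protocol_id


def derive_k_af(k_akma: bytes, fqdn: str, ua_star_protocol_id: bytes) -> bytes:
    """K_AKMA + AF_ID -> K_AF, the same computation on the UE and network side."""
    return kdf(k_akma, FC_K_AF, af_identifier(fqdn, ua_star_protocol_id))


class AAnF:
    """Anchor function: holds A-KID -> K_AKMA and answers the agent's key request."""

    def __init__(self):
        self._anchors = {}

    def register(self, a_kid: str, k_akma: bytes) -> None:
        self._anchors[a_kid] = k_akma

    def application_key_request(self, a_kid: str, fqdn: str, ua_id: bytes):
        k_akma = self._anchors.get(a_kid)
        if k_akma is None:
            return None  # unknown (or tampered) A-KID: no key, so no TLS with this UE
        return derive_k_af(k_akma, fqdn, ua_id)


def run_scenario(k_ausf: bytes, agent_fqdn="ap.example.org",
                 ua_id=b"\x01\x00\x00\x00\x00") -> dict:
    """Both sides derive K_AF: the agent's copy via the AAnF, the UE's locally."""
    supi, rid, realm = "imsi-001010123456789", "0001", "5g.example.org"  # constructed
    # UE side: second anchor key and A-KID, computed in advance from K_AUSF
    k_akma_ue, a_kid = derive_anchor(k_ausf, supi, rid, realm)
    # network side: the AUSF runs the same derivation and hands the anchor to the AAnF
    aanf = AAnF()
    k_akma_net, a_kid_net = derive_anchor(k_ausf, supi, rid, realm)
    aanf.register(a_kid_net, k_akma_net)
    # agent side: application key request carrying the A-KID and the agent's AF_ID
    k_af_agent = aanf.application_key_request(a_kid, agent_fqdn, ua_id)
    # UE side: second K_AF from the second anchor key and the same AF_ID
    k_af_ue = derive_k_af(k_akma_ue, agent_fqdn, ua_id)
    # a K_AF computed for a different FQDN must not match: AF_ID binds the key
    k_af_other = derive_k_af(k_akma_ue, "other.example.org", ua_id)
    return {
        "a_kid": a_kid,
        "keys_match": hmac.compare_digest(k_af_agent, k_af_ue),
        "other_af_matches": hmac.compare_digest(k_af_agent, k_af_other),
        "unknown_a_kid_rejected": aanf.application_key_request(
            "0001dead@" + realm, agent_fqdn, ua_id) is None,
    }
```

`keys_match` is the "same key" check the text calls mutual authentication; in a deployment the matching K_AF would feed the TLS handshake (for example as a pre-shared key, which is an assumption about the Ua* protocol chosen), rather than being compared in the clear. `other_af_matches` shows why the agent and the target application server must carry the same application function identifier: a K_AF derived under any other FQDN does not match.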
  • Step 203: Through the established TLS connection, the AKMA authentication agent receives the service request for the target application server sent by the UE.
  • The service request carries the identification information of the target application server and the A-KID of the UE.
  • Step 204: The AKMA authentication agent authenticates and authorizes the UE based on the A-KID of the UE and the identification information of the target application server, and determines whether to authorize the UE to access the target application server.
  • The specific implementation of step 204 is the same as that of step 102 and is not described again here.
  • Step 205: In response to the AKMA authentication agent authorizing the UE to access the target application server, the AKMA authentication agent forwards the service request and the UE's authentication result to the target application server.
  • By applying the secure communication method provided by this embodiment, an effective solution is provided to support the authentication agent in the AKMA scenario.
  • The UE first sends the service request for the target application server to the AKMA authentication agent; after authentication and authorization by the AKMA authentication agent, the service request and the UE's authentication result are forwarded to the target application server for processing.
  • The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent; on the premise of ensuring communication security, the communication efficiency between the UE and multiple target application servers is improved, and more business needs can be met.
  • Figure 3 shows a schematic flowchart of a secure communication method according to an embodiment of the present application.
  • the method is applied to the AKMA authentication agent, based on the embodiment shown in Figure 1, as shown in Figure 3, and the method may include the following steps.
  • Step 301 The AKMA authentication agent receives the service request of the target application server sent by the UE.
  • the service request may carry the identification information of the target application server and the A-KID of the UE.
  • the AKMA authentication agent in response to the service request of the target application server sent by the UE, the AKMA authentication agent first determines whether the AKMA authentication agent has established a secure TLS connection with the UE, and performs corresponding steps based on the determination result.
  • the UE attempts to connect to the target application server supported by the AKMA authentication agent.
  • the AKMA authentication agent needs to check whether a TLS connection has been established with the UE. If the AKMA authentication agent has established a TLS connection with the UE, it means that the AKMA authentication agent and the UE can trust each other. , based on the preset policy of the AKMA authentication agent and the identification information of the target application server, the UE can be authorized to access the target application server.
  • the preset policy can be set according to actual business needs. If the target application corresponding to the identification The server has no access restrictions, and the AKMA authentication agent has established a TLS connection with the UE, then the AKMA authentication agent can authorize the UE to access the target application server.
  • Step 303b, parallel to step 303a: in response to the AKMA authentication agent not having established a TLS connection with the UE, establish a TLS connection between the AKMA authentication agent and the UE based on the UE's A-KID, and require the UE to resend the service request for the target application server after the TLS connection is established.
  • If the AKMA authentication agent has not established a TLS connection with the UE, it is necessary to establish one based on the UE's A-KID and to require the UE to resend the service request.
  • This is because when the request is sent the first time there is no TLS connection, and the message may be tampered with in transit.
  • Since the A-KID can be verified by the network side, tampering with it can be detected by the AKMA authentication agent; tampering with the identification information of the target application server cannot be detected, so that information can only be transmitted after the TLS secure connection is established. Therefore, a TLS connection is established between the AKMA authentication agent and the UE, and the UE is required to resend the service request carrying the identification information of the target application server and the UE's A-KID.
  • The application function identifier of the AKMA authentication agent (which is the same application function identifier as that of the target application server) includes the FQDN and the Ua* security protocol identifier. The AKMA authentication agent receives the first key K_AF returned by AAnF based on the UE's A-KID and the application function identifier of the AKMA authentication agent, and then performs mutual authentication with the UE based on the first key K_AF and the second key K_AF on the UE side.
  • the specific implementation process is similar to the example content in step 202, and will not be described again here.
  • In this way, the TLS connection between the AKMA authentication agent and the UE can be reliably established, ensuring that subsequent secure communication between the UE and the AKMA authentication agent proceeds smoothly. Only when a TLS connection has been established between the UE and the AKMA authentication agent does the AKMA authentication agent forward the UE's service request to the target application server, which effectively ensures the security of the communication between the UE and the target application server.
  • Step 304b The AKMA authentication agent receives the service request of the target application server sent by the UE, and determines whether to authorize the UE to access the target application server according to the preset policy of the AKMA authentication agent and the identification information of the target application server carried in the service request.
  • Step 305 In response to the AKMA authentication agent authorizing the UE to access the target application server, the AKMA authentication agent forwards the service request and the UE's authentication result to the target application server.
  • By applying the secure communication method provided by this embodiment, an effective solution is provided for supporting an authentication agent in the AKMA scenario.
  • The UE first sends the service request for the target application server to the AKMA authentication agent, which authenticates and authorizes the UE; after authorization, the service request and the UE's authentication result are forwarded to the target application server for processing.
  • The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent. This improves the communication efficiency between the UE and multiple target application servers while ensuring communication security, and can meet more business needs.
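The following Python model of steps 301 to 305 is an added example written for this page; it is not code from the applicant's embodiment, and the policy table, the A-KID strings and the error codes are constructed assumptions. It shows the gating the text describes: a request arriving before any TLS connection exists is answered with a demand to set up TLS and resend (because the target server identification in that first message cannot be checked for tampering), a request arriving over TLS is authorized against the preset policy and forwarded together with the UE's authentication result, and a refused request produces an error code for the UE.

```python
"""TLS-gated handling of a UE service request by an AKMA authentication agent.

Added example modelling steps 301-305 (Figure 3); not the applicant's code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ServiceRequest:
    a_kid: str            # UE's AKMA key identifier (constructed string in the tests)
    target_af_id: str     # identification of the target application server (FQDN + Ua* id)


@dataclass
class AkmaAuthAgent:
    # Preset policy (assumption): target AF id -> set of A-KIDs allowed, or None = unrestricted.
    policy: dict
    tls_peers: set = field(default_factory=set)    # A-KIDs with an established TLS connection
    forwarded: list = field(default_factory=list)  # (request, auth_result) pairs sent onward

    def establish_tls(self, a_kid: str, mutual_auth_ok: bool) -> bool:
        """Outcome of step 303b: record the TLS connection once the K_AF-based mutual
        authentication with the UE succeeded (the key retrieval itself is not modelled here)."""
        if mutual_auth_ok:
            self.tls_peers.add(a_kid)
        return mutual_auth_ok

    def handle_service_request(self, req: ServiceRequest) -> dict:
        # Step 301: request received; step 302: is there a TLS connection with this UE?
        if req.a_kid not in self.tls_peers:
            # Step 303b: without TLS the target id in the request may have been tampered
            # with (the A-KID is verifiable by the network side, the target id is not),
            # so set up TLS first and require the UE to resend the request over it.
            return {"action": "establish_tls_and_resend", "a_kid": req.a_kid}
        # Steps 303a / 304b: TLS present, so authorize per the preset policy.
        if req.target_af_id not in self.policy:
            return {"action": "error", "code": "TARGET_NOT_SERVED"}   # error code to the UE
        allowed = self.policy[req.target_af_id]
        if allowed is not None and req.a_kid not in allowed:
            return {"action": "error", "code": "ACCESS_DENIED"}
        # Step 305: forward the request together with the UE's authentication result.
        auth_result = {"a_kid": req.a_kid, "authenticated": True, "transport": "TLS"}
        self.forwarded.append((req, auth_result))
        return {"action": "forwarded", "target": req.target_af_id, "auth_result": auth_result}


if __name__ == "__main__":
    agent = AkmaAuthAgent(policy={"open.example.com": None,
                                  "restricted.example.com": {"akid-1@example.com"}})
    first = ServiceRequest("akid-2@example.com", "open.example.com")
    print(agent.handle_service_request(first))          # establish_tls_and_resend
    agent.establish_tls("akid-2@example.com", mutual_auth_ok=True)
    print(agent.handle_service_request(first))          # forwarded
```

The point to notice is that the authorization decision is never taken on the first, unprotected request: the agent only looks at the target identification after the UE has resent it over the TLS connection it just authenticated.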
  • Figure 4 is a schematic flowchart of a secure communication method according to an embodiment of the present application. The method builds on the embodiment shown in Figure 1; as shown in Figure 4, it may include the following steps.
  • Step 401 The AKMA authentication agent receives the service request of the target application server sent by the UE.
  • the service request may carry the identification information of the target application server and the A-KID of the UE.
  • Step 402 The AKMA authentication agent authenticates and authorizes the UE according to the A-KID of the UE and the identification information of the target application server, and determines whether to authorize the UE to access the target application server.
  • The specific implementation process of step 402 is the same as that of step 102 and will not be described again here.
  • Step 403: In response to the AKMA authentication agent authorizing the UE to access the target application server, determine, based on the preset policy of the AKMA authentication agent, whether the target application server is entitled to and needs to obtain the UE's identity information.
  • The preset policy can be pre-configured to determine whether the target application server is entitled to and needs the UE's identity information, so as to meet the requirements of specific business scenarios. For example, the target application server may need the UE's identity information in order to obtain the service corresponding to that identity and return it to the UE.
  • Step 404: In response to the target application server being entitled to and needing the UE's identity information, send the UE's identity information, the UE's service request and the UE's authentication result to the target application server; otherwise, send only the UE's service request and the UE's authentication result to the target application server.
  • The identity information of the UE may include the UE's Generic Public Subscription Identifier (GPSI) and/or Subscription Permanent Identifier (SUPI).
  • If the target application server is entitled to and needs the UE's identity information, the AKMA authentication agent sends the UE's service request, the UE's SUPI/GPSI and the UE's authentication result to the target application server; if the target application server does not need the UE's identity information, the AKMA authentication agent sends only the UE's service request and the UE's authentication result to the target application server.
  • The response above applies when the target application server is entitled to and needs the UE's identity information.
  • In that case, the UE's identity information, the UE's service request and the UE's authentication result are sent to the target application server.
  • Optionally, only the UE's GPSI may be sent to the target application server.
  • That is, the AKMA authentication agent may send only the UE's generic public identity, i.e. the UE's GPSI, to the target application server.
  • The method in this embodiment may also include: sending the corresponding authorization information and service response to the UE based on the service response information returned by the target application server.
  • In this way, the UE side can learn in time that its identity information needs to be obtained, and can feed this back to the user.
  • By applying the secure communication method provided by this embodiment, an effective solution is provided for supporting an authentication agent in the AKMA scenario.
  • The UE first sends the service request for the target application server to the AKMA authentication agent, which authenticates and authorizes the UE; after authorization, the service request and the UE's authentication result are forwarded to the target application server for processing.
  • The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent. This improves the communication efficiency between the UE and multiple target application servers while ensuring communication security, and can meet more business needs.
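As an added example of steps 403 and 404 (and of the GPSI-only case the sending module description mentions for servers outside the 3GPP operator domain), the Python below decides what identity information an AKMA authentication agent may place in the forwarded message and what authorization information goes back to the UE. It is not the applicant's code: the policy fields, the message layout and the identifier values are constructed assumptions, and the rule that a server outside the operator domain receives only the GPSI is my reading of the sending-module description.

```python
"""Minimal identity disclosure by an AKMA authentication agent (Figure 4, steps 403-404).

Added example; the policy shape and message format are assumptions, not the applicant's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TargetServerPolicy:
    af_id: str
    in_operator_domain: bool     # is the target application server inside the 3GPP operator domain?
    entitled_to_identity: bool   # "has the right" to obtain the UE's identity information
    needs_identity: bool         # needs it to provide the requested service


@dataclass(frozen=True)
class UeIdentity:
    supi: str   # Subscription Permanent Identifier: operator-internal, most sensitive
    gpsi: str   # Generic Public Subscription Identifier: public-facing identifier


def build_forward_message(policy: TargetServerPolicy, service_request: dict,
                          auth_result: dict, ident: UeIdentity) -> dict:
    """Step 404: always forward request + authentication result; add identity only when
    the preset policy says the server is both entitled to it and needs it."""
    msg = {"service_request": service_request, "auth_result": auth_result}
    if policy.entitled_to_identity and policy.needs_identity:
        if policy.in_operator_domain:
            msg["ue_identity"] = {"supi": ident.supi, "gpsi": ident.gpsi}   # SUPI/GPSI
        else:
            # Assumption from the sending-module description: outside the operator
            # domain only the public identifier GPSI is released.
            msg["ue_identity"] = {"gpsi": ident.gpsi}
    return msg


def build_ue_response(forward_msg: dict, service_response: dict) -> dict:
    """Authorization information plus the target server's service response, so the UE
    can learn which of its identity information was obtained by the target server."""
    disclosed = sorted(forward_msg.get("ue_identity", {}).keys())
    return {
        "authorization_info": {
            "target": forward_msg["service_request"]["target_af_id"],
            "identity_disclosed": disclosed,
        },
        "service_response": service_response,
    }


if __name__ == "__main__":
    ident = UeIdentity(supi="imsi-001010123456789", gpsi="msisdn-8613800000000")  # constructed
    req = {"target_af_id": "af.example.com", "a_kid": "akid-1@example.com"}
    fwd = build_forward_message(TargetServerPolicy("af.example.com", False, True, True),
                                req, {"authenticated": True}, ident)
    print(fwd["ue_identity"])                                  # {'gpsi': ...} only
    print(build_ue_response(fwd, {"status": "ok"}))
```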
  • Figure 5 is a schematic flowchart of a secure communication method according to an embodiment of the present application. As shown in Figure 1, the method is applied to user equipment (UE) and may include the following steps.
  • Step 501 The UE sends a service request of the target application server to the AKMA authentication agent.
  • the service request may carry the identification information of the target application server and the A-KID of the UE, that is, the AKMA key identifier.
  • The identification information of the target application server may include at least the FQDN, Ua* security protocol identifier, IP address and port number of the target application server.
  • The identification information of the target application server may include the application function identifier, the DNS name, the IP address of the target application server, the port number of the target application server, and so on.
  • The application function identifier may be composed of the FQDN of the target application server and the Ua* security protocol identifier.
  • The AKMA authentication agent can have the same application function identifier as the target application server.
  • Because the application function identifier consists of the FQDN corresponding to the application function and the Ua* security protocol identifier, the target application server and the AKMA authentication agent can share the same domain name address.
  • Accordingly, and optionally, step 501 may specifically include: obtaining the address of the AKMA authentication agent from the identification information of the target application server, and then sending the service request to that address of the AKMA authentication agent.
  • The service request intended for the target application server is thus first sent to the AKMA authentication agent, which performs authentication and authorization. Only when access to the target application server is authorized does the AKMA authentication agent forward the service request to the target application server, which improves the security of communication between the UE and the target application server.
  • For the specific authentication and authorization process, refer to the implementation of the methods shown in Figures 1 to 4, which will not be described again here.
  • Step 502 The UE receives the response information returned by the AKMA authentication agent.
  • step 502 may specifically include: the UE receiving error code information sent by the AKMA authentication agent or a service response returned by the target application server.
  • After authentication and authorization by the AKMA authentication agent, if the UE does not pass authentication and authorization for access to the target application server, the UE receives an error code returned by the AKMA authentication agent informing it that access to the target application server failed. If the UE passes authentication and authorization, it can receive a service response from the target application server through the AKMA authentication agent.
  • If the AKMA authentication agent determines that the target application server is entitled to and needs the UE's identity information, it sends the UE's identity information, the UE's service request and the UE's authentication result to the target application server.
  • After the AKMA authentication agent receives the service response information returned by the target application server, it sends the corresponding authorization information and service response to the UE. The UE side can then learn in time that its identity information needs to be obtained, and can feed this back to the user.
  • The UE first sends the service request for the target application server to the AKMA authentication agent; after the UE is authenticated and authorized by the AKMA authentication agent, the service request and the UE's authentication result are forwarded to the target application server for processing. This amounts to an effective solution for supporting an authentication agent in the AKMA scenario.
  • The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent. This improves the communication efficiency between the UE and multiple target application servers while ensuring communication security, and can meet more business needs.
  • Figure 6 shows a schematic flowchart of a secure communication method according to an embodiment of the present application.
  • the method is applied to user equipment (UE). Based on the embodiment shown in Figure 5, as shown in Figure 6, the method may include the following steps.
  • Step 601: Based on the key K_AUSF of the AUSF network element, obtain the AKMA anchor key K_AKMA and the A-KID of the UE.
  • K_AKMA can be combined with the identification information of the target application server to obtain the key K_AF.
  • The key K_AF is used to establish a TLS connection with the AKMA authentication agent.
  • Before initiating communication with the AKMA authentication agent, the UE can derive K_AKMA and the UE's A-KID from the key K_AUSF of the AUSF network element.
  • When the UE initiates communication with the AKMA authentication agent, it can include the derived A-KID in the application session establishment request message (for details, refer to clause 6.1 of 3GPP TS 33.535).
  • The UE can obtain the key K_AF before or after sending that message, for example by combining K_AKMA with the identification information of the target application server to obtain the key K_AF on the UE side.
  • The AKMA authentication agent receives the application session establishment request initiated by the UE and can obtain the UE's A-KID from it.
  • The AKMA authentication agent then sends an AKMA application key request carrying the UE's A-KID to AAnF. If the AKMA authentication agent is not within the 3GPP operator domain, it can send the request to AAnF through the network exposure function (NEF). After AAnF determines, based on its preset policy, that it can provide service to the AKMA authentication agent, AAnF determines whether the corresponding K_AKMA can be found based on the A-KID. If K_AKMA is found and AAnF does not yet have a ready-made key K_AF for the AKMA authentication agent side, AAnF can derive the AKMA application key of the AKMA authentication agent from K_AKMA, that is, the key K_AF on the AKMA authentication agent side. If the corresponding K_AKMA cannot be found based on the A-KID, an error response is returned to the AKMA authentication agent, which can then return session establishment failure response information to the UE, so that the UE can subsequently retry by sending the AKMA authentication agent a new application session establishment request with the latest A-KID.
  • After the AKMA authentication agent obtains the key K_AF on the AKMA authentication agent side, it can use it to authenticate the UE, for example by checking it against the key K_AF on the UE side. If the authentication succeeds, a TLS connection can be established between the UE and the AKMA authentication agent, and the two parties can then communicate securely.
  • Step 602 The UE sends a service request of the target application server to the AKMA authentication agent.
  • the service request may carry identification information of the target application server and the A-KID of the UE.
  • After the TLS connection between the UE and the AKMA authentication agent has been successfully established and the AKMA authentication agent receives the UE's service request, it authorizes the UE to access the target application server according to the preset policy and sends the UE's service request together with the UE's authentication result to the target application server for processing.
  • Step 603 The UE receives the response information returned by the AKMA authentication agent.
  • The UE first sends the service request for the target application server to the AKMA authentication agent; after the UE is authenticated and authorized by the AKMA authentication agent, the service request and the UE's authentication result are forwarded to the target application server for processing. This amounts to an effective solution for supporting an authentication agent in the AKMA scenario.
  • The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent. This improves the communication efficiency between the UE and multiple target application servers while ensuring communication security, and can meet more business needs.
  • Figure 7 shows a schematic flowchart of a secure communication method according to an embodiment of the present application. As shown in Figure 7, this method is applied to the target application server and may include the following steps.
  • Step 701 The target application server receives the UE's service request and the UE's authentication result sent by the AKMA authentication agent.
  • the UE's service request may carry the identification information of the target application server and the UE's A-KID, that is, the AKMA key identifier.
  • The identification information of the target application server may include at least the FQDN, Ua* security protocol identifier, IP address and port number of the target application server.
  • the identification information of the target application server may include: application function identifier, DNS name, IP address of the target application server, port number of the target application server, etc.
  • the application function identifier may be composed of the FQDN of the target application server and the Ua* security protocol identifier.
  • Step 702 The target application server sends a service response of the service request to the UE through the AKMA authentication agent according to the authentication result of the UE.
  • Step 702 may specifically include: in response to the UE having passed authentication and authorization by the AKMA authentication agent, the target application server returns a service response to the UE through the AKMA authentication agent.
  • The target application server can confirm from the UE's authentication result that the UE has been authenticated and authorized by the AKMA authentication agent, and can therefore safely process the service request and send a service response to the UE through the AKMA authentication agent.
  • By applying the secure communication method provided by this embodiment, an effective solution is provided for supporting an authentication agent in the AKMA scenario.
  • The UE first sends the service request for the target application server to the AKMA authentication agent, which authenticates and authorizes the UE; after authorization, the service request and the UE's authentication result are forwarded to the target application server for processing.
  • The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent. This improves the communication efficiency between the UE and multiple target application servers while ensuring communication security, and can meet more business needs.
  • Step 801 The target application server receives the UE's service request, the UE's authentication result, and the UE's identity information sent by the AKMA authentication agent.
  • After receiving the UE's service request, the AKMA authentication agent authenticates and authorizes the UE based on the UE's A-KID and the identification information of the target application server and determines whether the UE is authorized to access the target application server; in response to authorizing the UE to access the target application server, it judges, based on its preset policy, whether the target application server is entitled to and needs to obtain the UE's identity information. If the target application server is entitled to and needs the UE's identity information, the target application server receives the UE's identity information sent by the AKMA authentication agent together with the service request and the authentication result.
  • the UE's identity information may include: the UE's GPSI/SUPI.
  • Step 802 The target application server sends a service response of the service request to the UE through the AKMA authentication agent according to the authentication result of the UE.
  • the target application server can process the UE's service request, such as processing the service request based on the UE's identity information, and then feed back the service response information of the service request to the AKMA authentication agent.
  • The AKMA authentication agent sends the corresponding authorization information and service response to the UE based on the service response information returned by the target application server.
  • By applying the secure communication method provided by this embodiment, an effective solution is provided for supporting an authentication agent in the AKMA scenario.
  • The UE first sends the service request for the target application server to the AKMA authentication agent, which authenticates and authorizes the UE; after authorization, the service request and the UE's authentication result are forwarded to the target application server for processing.
  • The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent. This improves the communication efficiency between the UE and multiple target application servers while ensuring communication security, and can meet more business needs.
  • FIG. 9 is a sequence diagram of a secure communication method according to an embodiment of the present application.
  • the method is applied to a secure communication system.
  • the system includes: AKMA authentication agent, user equipment (UE), and target application server.
  • The AKMA authentication agent receives the service request for the target application server sent by the UE, where the service request carries the identification information of the target application server and the A-KID of the UE; the AKMA authentication agent authenticates and authorizes the UE based on the A-KID and the identification information of the target application server, determines whether to authorize the UE to access the target application server, and, in response to authorizing the UE to access the target application server, forwards the service request and the UE's authentication result to the target application server; the target application server sends the service response for the service request to the UE through the AKMA authentication agent according to the UE's authentication result.
  • the method includes the following steps.
  • Step 901 The UE sends an application session establishment request to the AKMA authentication agent.
  • the application session establishment request carries the UE's A-KID.
  • Before the UE initiates communication with the AKMA authentication agent, it can derive K_AKMA and the UE's A-KID from the key K_AUSF of the AUSF network element.
  • When the UE initiates communication with the AKMA authentication agent, it can send an application session establishment request with the derived A-KID included in the message.
  • Step 902 The AKMA authentication agent sends an AKMA application key request to AAnF.
  • Step 903: AAnF obtains the key K_AF of the AKMA authentication agent side according to the UE's A-KID.
  • AAnF determines whether the corresponding K_AKMA can be found based on the A-KID. If K_AKMA is found and AAnF does not yet have a ready-made key K_AF for the AKMA authentication agent side, AAnF can derive the AKMA application key of the AKMA authentication agent from K_AKMA, that is, the key K_AF on the AKMA authentication agent side.
  • Step 905 The AKMA authentication agent returns a response to the session establishment request to the UE.
  • Step 906: Perform mutual authentication between the AKMA authentication agent and the UE based on the key K_AF on the AKMA authentication agent side and the key K_AF on the UE side.
  • Step 907 In response to successful mutual authentication between the AKMA authentication agent and the UE, establish a TLS connection between the AKMA authentication agent and the UE.
  • Step 909 The AKMA authentication agent forwards the UE's service request and the UE's authentication result to the target application server.
  • By applying the secure communication method provided by this embodiment, an effective solution is provided for supporting an authentication agent in the AKMA scenario.
  • The UE first sends the service request for the target application server to the AKMA authentication agent, which authenticates and authorizes the UE; after authorization, the service request and the UE's authentication result are forwarded to the target application server for processing.
  • The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent. This improves the communication efficiency between the UE and multiple target application servers while ensuring communication security, and can meet more business needs.
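The Python below is an added example that runs the key chain and session establishment described for the UE in Figure 6 (step 601) and for the whole system in Figure 9 (steps 901 to 907): the UE derives K_AKMA and its A-KID from K_AUSF, the AKMA authentication agent asks AAnF for K_AF using the A-KID and its own application function identifier (the FQDN shared with the target application server plus the Ua* security protocol identifier), AAnF derives or reuses K_AF, and the two sides authenticate each other with their copies of K_AF before the TLS connection is recorded. It is not the applicant's code. The KDF shape follows 3GPP TS 33.220 Annex B and the FC values and input strings follow my reading of TS 33.535 Annex A, so treat those constants as assumptions; the simplified A-KID format, the HMAC challenge-response standing in for the unspecified mutual-authentication mechanism, and all key and identifier values are constructed.

```python
"""AKMA key derivation and proxy session establishment (Figures 6 and 9).

Added example, not the applicant's code. KDF per TS 33.220 Annex B; FC values and
inputs are assumptions based on TS 33.535 Annex A; mutual auth is a stand-in.
"""
import hashlib
import hmac
import secrets

FC_K_AKMA, FC_A_TID, FC_K_AF = 0x80, 0x81, 0x82   # assumed FC values for the three derivations


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def af_id_for(fqdn: str, ua_star_id: bytes) -> bytes:
    """Application function identifier = FQDN || Ua* security protocol identifier."""
    return fqdn.encode() + ua_star_id


def derive_akma(k_ausf: bytes, supi: str, home_realm: str):
    """Step 601: K_AKMA and A-KID from K_AUSF. A-KID simplified here to A-TID@realm."""
    k_akma = kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())
    a_tid = kdf(k_ausf, FC_A_TID, b"A-TID", supi.encode())
    return k_akma, f"{a_tid.hex()[:32]}@{home_realm}"


def derive_k_af(k_akma: bytes, af_id: bytes) -> bytes:
    """K_AF is bound to the AF identifier, so a different FQDN yields a different key."""
    return kdf(k_akma, FC_K_AF, af_id)


class AAnF:
    """AKMA anchor function: holds K_AKMA per A-KID and derives or reuses K_AF on request."""

    def __init__(self):
        self.anchors = {}      # A-KID -> K_AKMA, provisioned after primary authentication
        self.k_af_cache = {}   # (A-KID, AF_ID) -> ready-made K_AF

    def register(self, a_kid: str, k_akma: bytes):
        self.anchors[a_kid] = k_akma

    def application_key_request(self, a_kid: str, af_id: bytes):
        k_akma = self.anchors.get(a_kid)
        if k_akma is None:
            return None                       # step 903 failure: no K_AKMA for this A-KID
        key = (a_kid, af_id)
        if key not in self.k_af_cache:        # derive only when no ready-made K_AF exists
            self.k_af_cache[key] = derive_k_af(k_akma, af_id)
        return self.k_af_cache[key]


class UE:
    def __init__(self, k_ausf, supi, realm, target_fqdn, ua_star_id):
        self.k_akma, self.a_kid = derive_akma(k_ausf, supi, realm)
        self.k_af = derive_k_af(self.k_akma, af_id_for(target_fqdn, ua_star_id))
        self.n_ue = b""

    def respond(self, n_agent: bytes):
        self.n_ue = secrets.token_bytes(16)
        return self.n_ue, hmac.new(self.k_af, b"UE" + n_agent + self.n_ue, hashlib.sha256).digest()

    def verify(self, n_agent: bytes, agent_mac: bytes) -> bool:
        expected = hmac.new(self.k_af, b"AP" + self.n_ue + n_agent, hashlib.sha256).digest()
        return hmac.compare_digest(agent_mac, expected)


class AkmaAuthAgent:
    def __init__(self, fqdn: str, ua_star_id: bytes, aanf: AAnF):
        self.af_id = af_id_for(fqdn, ua_star_id)   # same AF_ID as the target server it fronts
        self.aanf = aanf
        self.tls_peers = set()

    def session_establishment(self, a_kid: str, ue: UE) -> dict:
        """Steps 902-907 for one application session establishment request."""
        k_af = self.aanf.application_key_request(a_kid, self.af_id)   # steps 902/903
        if k_af is None:
            return {"status": "failure", "reason": "unknown A-KID; retry with fresh A-KID"}
        # Step 906: mutual authentication with K_AF (stand-in HMAC challenge-response).
        n_agent = secrets.token_bytes(16)
        n_ue, ue_mac = ue.respond(n_agent)
        if not hmac.compare_digest(ue_mac, hmac.new(k_af, b"UE" + n_agent + n_ue, hashlib.sha256).digest()):
            return {"status": "failure", "reason": "UE authentication failed"}
        agent_mac = hmac.new(k_af, b"AP" + n_ue + n_agent, hashlib.sha256).digest()
        if not ue.verify(n_agent, agent_mac):
            return {"status": "failure", "reason": "agent authentication failed"}
        self.tls_peers.add(a_kid)               # step 907: TLS connection established
        return {"status": "success", "a_kid": a_kid}


def run_flow(registered: bool = True, ue_target_fqdn: str = "af.example.com") -> dict:
    """Drive the whole sequence with constructed inputs and return the agent's result."""
    k_ausf = hashlib.sha256(b"constructed K_AUSF from primary authentication").digest()
    supi, realm = "imsi-001010123456789", "5g.example.com"       # constructed values
    ua_star_id = b"\x01\x00\x00\x00\x02"                          # constructed Ua* id
    aanf = AAnF()
    ue = UE(k_ausf, supi, realm, ue_target_fqdn, ua_star_id)
    if registered:
        aanf.register(ue.a_kid, ue.k_akma)   # anchor already pushed to AAnF by the AUSF
    return AkmaAuthAgent("af.example.com", ua_star_id, aanf).session_establishment(ue.a_kid, ue)


if __name__ == "__main__":
    print(run_flow())                                    # success
    print(run_flow(registered=False))                    # failure: unknown A-KID
    print(run_flow(ue_target_fqdn="other.example.com"))  # failure: K_AF mismatch
```

Two outcomes are worth noting. An A-KID that AAnF cannot resolve ends in the session establishment failure the text describes, which the UE should answer by retrying with a fresh A-KID. And a UE that derived K_AF for a different FQDN fails mutual authentication even though its A-KID is valid, which is the point of binding K_AF to the application function identifier the agent shares with the target application server.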
  • The identification information of the target application server includes at least the FQDN, Ua* security protocol identifier, IP address and port number.
  • The authentication module 1020 is used to determine whether a TLS connection has been established with the UE and, in response to the TLS connection having been established with the UE, to determine whether the UE is authorized to access the target application server according to the preset policy of the AKMA authentication agent and the identification information of the target application server.
  • The authentication module 1020 is also configured to send an AKMA application key request to the AKMA anchor function AAnF, where the key request carries the A-KID and the application function identifier of the AKMA authentication agent;
  • the application function identifier of the AKMA authentication agent includes the FQDN and the Ua* security protocol identifier; to receive the first key K_AF returned by AAnF according to the A-KID and the application function identifier of the AKMA authentication agent; and to perform mutual authentication with the UE based on the first key K_AF and the second key K_AF on the UE side and establish a TLS connection with the UE.
  • The sending module 1030 is specifically configured to send the UE's generic public identity GPSI to the target application server in response to the target application server not being within the 3GPP operator domain.
  • The device may include: a sending module 1110, configured to send a service request for the target application server to the Authentication and Key Management for Applications (AKMA) authentication agent, where the service request carries the identification information of the target application server and the UE's AKMA key identifier A-KID; and a receiving module 1120, configured to receive the response information returned by the AKMA authentication agent.
  • This embodiment amounts to an effective solution for supporting an authentication agent in the AKMA scenario. The same AKMA authentication agent can correspond to multiple target application servers, so that the UE can communicate with multiple target application servers through one AKMA authentication agent, which improves the communication efficiency between the UE and multiple target application servers while ensuring communication security, and can meet more business needs.
  • the device may include: a receiving module 1210, configured to receive a service request from the user equipment UE and an authentication result of the UE sent by the application authentication and key management AKMA authentication agent.
  • The service request carries the identification information of the target application server and the UE's A-KID.
  • the sending module 1220 is configured to send a service response of the service request to the UE through the AKMA authentication agent according to the authentication result of the UE.
  • FIG 13 is a schematic structural diagram of a communication device 1300 provided in this embodiment.
  • The communication device 1300 may be a network device, a user equipment, a chip, a chip system or a processor that supports a network device in implementing the above method, or a chip, a chip system or a processor that supports a user equipment in implementing the above method.
  • the device can be used to implement the method described in the above method embodiment. For details, please refer to the description in the above method embodiment.
  • the IC collection may also include storage components for storing data and computer programs;
  • the chip also includes a memory 1403, which is used to store necessary computer programs and data.
  • This application also provides a readable storage medium on which instructions are stored. When the instructions are executed by a computer, the functions of any of the above method embodiments are implemented.
  • This application also provides a computer program product, which, when executed by a computer, implements the functions of any of the above method embodiments.
  • a computer program product includes one or more computer programs.
  • the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • the computer program may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer program may be transmitted from a website, computer, server or data center via a wireline (e.g.
  • "At least one" in this application can also be described as one or more, and "a plurality" can be two, three, four or more, which is not limited by this application.
  • Technical features are distinguished by "first", "second", "third", "A", "B", "C", "D", etc.
  • The technical features described as "first", "second", "third", "A", "B", "C" and "D" are in no particular order.
  • machine-readable medium and “computer-readable medium” refer to any computer program product, apparatus, and/or means for providing machine instructions and/or data to a programmable processor (for example, magnetic disks, optical disks, memories, programmable logic devices (PLD)), including machine-readable media that receive machine instructions as machine-readable signals.
  • machine-readable signal refers to any signal used to provide machine instructions and/or data to a programmable processor.
  • the systems and techniques described herein may be implemented in a computing system that includes back-end components (e.g., as a data server), or a computing system that includes middleware components (e.g., an application server), or a computing system that includes front-end components (e.g., A user's computer having a graphical user interface or web browser through which the user can interact with implementations of the systems and technologies described herein), or including such backend components, middleware components, or any combination of front-end components in a computing system.
  • the components of the system may be interconnected by any form or medium of digital data communication (eg, a communications network). Examples of communication networks include: local area network (LAN), wide area network (WAN), and the Internet.
  • Computer systems may include clients and servers.
  • Clients and servers are generally remote from each other and typically interact over a communications network.
  • the relationship of client and server is created by computer programs running on corresponding computers and having a client-server relationship with each other.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This application proposes a secure communication method and apparatus in the field of communication technology. With this method, the UE first sends its service request for a target application server to an AKMA authentication proxy; once the AKMA authentication proxy has authenticated and authorized the UE, it forwards the service request together with the UE's authentication result to the target application server for processing. The application thus provides an effective way to support an authentication proxy in the AKMA scenario, meeting more service requirements while preserving communication security.

Description

Secure communication method and apparatus. Technical field
This application relates to the field of communication technology, and in particular to a secure communication method and apparatus.
Background
In a 5G network, the Authentication and Key Agreement (AKA) procedure run between the mobile terminal and the mobile network can be used to provide an initial shared session key to an application's User Equipment (UE) and to an Application Function (AF) network element, thereby securing communication between the UE and the AF. This technique is called Authentication and Key Management for Applications based on 3GPP credentials (AKMA), where 3GPP is the 3rd Generation Partnership Project.
However, there is currently no effective solution for supporting an Authentication Proxy (AP) in the AKMA scenario.
Summary
This application proposes a secure communication method and apparatus that provide an effective solution for supporting an authentication proxy in the AKMA scenario, meeting more service requirements while preserving communication security.
A first-aspect embodiment of this application provides a secure communication method applied to an AKMA authentication proxy. The method includes: receiving a service request for a target application server (target AS) sent by a user equipment (UE), the service request carrying identification information of the target application server and the UE's AKMA key identifier (A-KID); authenticating and authorizing the UE according to the A-KID and the identification information of the target application server, to determine whether the UE is authorized to access the target application server; and, in response to the UE being authorized to access the target application server, forwarding the service request and the UE's authentication result to the target application server.
In some embodiments, before receiving the service request for the target application server sent by the UE, the method further includes: receiving a session establishment request sent by the UE, the session establishment request carrying the UE's A-KID; and establishing a TLS connection with the UE according to the UE's A-KID. Receiving the service request for the target application server sent by the UE then includes: receiving the service request sent by the UE over the established TLS connection.
In some embodiments, the identification information of the target application server includes at least the target application server's Fully Qualified Domain Name (FQDN), Ua* security protocol identifier, IP address and port number.
In some embodiments, authenticating and authorizing the UE according to the A-KID and the identification information of the target application server, to determine whether the UE is authorized to access the target application server, includes: determining, according to the A-KID, whether a Transport Layer Security (TLS) connection has already been established with the UE; and, in response to a TLS connection having been established with the UE, determining whether the UE is authorized to access the target application server according to a preset policy of the AKMA authentication proxy and the identification information of the target application server.
In some embodiments, authenticating and authorizing the UE according to the A-KID and the identification information of the target application server further includes: in response to no TLS connection having been established with the UE, establishing a TLS connection with the UE according to the A-KID, and requiring the UE to send the service request for the target application server after the TLS connection has been established, the service request carrying the identification information of the target application server and the UE's A-KID.
In some embodiments, establishing the TLS connection with the UE according to the A-KID includes: sending an AKMA application key request to the AKMA Anchor Function (AAnF), the key request carrying the A-KID and the application function identifier of the AKMA authentication proxy, where the application function identifier of the AKMA authentication proxy includes an FQDN and a Ua* security protocol identifier; receiving a first key K_AF returned by the AAnF according to the A-KID and the application function identifier of the AKMA authentication proxy; and performing mutual authentication with the UE based on the first key K_AF and a second key K_AF held on the UE side, and establishing the TLS connection with the UE.
In some embodiments, the method further includes: after sending the service request and the UE's authentication result to the target application server, sending the target application server's service response to the UE.
In some embodiments, forwarding the service request and the UE's authentication result to the target application server in response to the UE being authorized includes: determining, based on a preset policy of the AKMA authentication proxy, whether the target application server is entitled to, and needs, the UE's identity information; in response to the target application server being entitled to and needing the UE's identity information, sending the UE's identity information, the service request and the UE's authentication result to the target application server; otherwise, sending the service request and the UE's authentication result to the target application server.
In some embodiments, the method further includes: after sending the UE's identity information, the service request and the UE's authentication result to the target application server, sending corresponding authorization information and the service response to the UE according to the service response information returned by the target application server.
In some embodiments, sending the UE's identity information, the service request and the UE's authentication result to the target application server in response to the target application server being entitled to and needing the UE's identity information includes: in response to the target application server being outside the 3GPP operator domain, sending the UE's Generic Public Subscription Identifier (GPSI) to the target application server.
In some embodiments, the AKMA authentication proxy and the target application server have the same application function identifier, which includes the FQDN corresponding to the application function and the Ua* security protocol identifier.
A second-aspect embodiment of this application provides a secure communication method applied to a user equipment (UE). The method includes: sending a service request for a target application server to an AKMA authentication proxy, the service request carrying identification information of the target application server and the UE's AKMA key identifier (A-KID); and receiving response information returned by the AKMA authentication proxy.
In some embodiments, before sending the service request for the target application server to the AKMA authentication proxy, the method further includes: obtaining the AKMA anchor key K_AKMA and the A-KID based on the key K_AUSF of the Authentication Server Function (AUSF) network element, where K_AKMA is used, together with the identification information of the target application server, to obtain the key K_AF, and K_AF is used to establish the TLS connection with the AKMA authentication proxy.
In some embodiments, sending the service request for the target application server to the AKMA authentication proxy includes: obtaining the address of the AKMA authentication proxy from the identification information of the target application server, where that identification information includes at least the target application server's FQDN, Ua* security protocol identifier, IP address and port number.
In some embodiments, receiving the response information returned by the AKMA authentication proxy includes: receiving error code information sent by the AKMA authentication proxy, or a service response returned by the target application server.
A third-aspect embodiment of this application provides a secure communication method applied to a target application server. The method includes: receiving, from an AKMA authentication proxy, a service request originating from a user equipment (UE) together with the UE's authentication result, the service request carrying identification information of the target application server and the UE's AKMA key identifier (A-KID); and, according to the UE's authentication result, sending a service response for the service request to the UE via the AKMA authentication proxy.
In some embodiments, sending the service response to the UE via the AKMA authentication proxy according to the UE's authentication result includes: in response to the UE having passed authentication and authorization by the AKMA authentication proxy, returning the service response to the UE via the AKMA authentication proxy.
In some embodiments, receiving the UE's service request and authentication result from the AKMA authentication proxy includes: receiving the UE's service request, the UE's authentication result and the UE's identity information sent by the AKMA authentication proxy.
A fourth aspect of this application provides a secure communication apparatus applied to an Authentication and Key Management for Applications (AKMA) authentication proxy, including: a receiving module for receiving a service request for a target application server sent by a user equipment (UE), the service request carrying identification information of the target application server and the UE's AKMA key identifier (A-KID); an authentication module for authenticating and authorizing the UE according to the A-KID and the identification information of the target application server, to determine whether the UE is authorized to access the target application server; and a sending module for forwarding the service request and the UE's authentication result to the target application server in response to the UE being authorized to access the target application server.
A fifth-aspect embodiment of this application provides a secure communication apparatus applied to a user equipment (UE), including: a sending module for sending a service request for a target application server to an AKMA authentication proxy, the service request carrying identification information of the target application server and the UE's A-KID; and a receiving module for receiving response information returned by the AKMA authentication proxy.
A sixth-aspect embodiment of this application provides a secure communication apparatus applied to a target application server, including: a receiving module for receiving, from an AKMA authentication proxy, a service request originating from a UE together with the UE's authentication result, the service request carrying identification information of the target application server and the UE's A-KID; and a sending module for sending, according to the UE's authentication result, a service response for the service request to the UE via the AKMA authentication proxy.
A seventh-aspect embodiment of this application provides a secure communication system including an AKMA authentication proxy, a user equipment (UE) and a target application server. The AKMA authentication proxy receives the service request for the target application server sent by the UE, the service request carrying identification information of the target application server and the UE's A-KID; the AKMA authentication proxy authenticates and authorizes the UE according to the A-KID and the identification information of the target application server, determines whether the UE is authorized to access the target application server and, in response to the UE being authorized, forwards the service request and the UE's authentication result to the target application server; the target application server, according to the UE's authentication result, sends a service response for the service request to the UE via the AKMA authentication proxy.
An eighth-aspect embodiment of this application provides a communication device including: a transceiver; a memory; and a processor connected to the transceiver and the memory, configured to control the transceiver's wireless signal transmission and reception by executing the computer-executable instructions stored in the memory, and able to implement the method of the first-, second- or third-aspect embodiment.
A ninth-aspect embodiment of this application provides a computer storage medium storing computer-executable instructions which, when executed by a processor, implement the method of the first-, second- or third-aspect embodiment.
The embodiments of this application provide a secure communication method and apparatus in which the UE first sends its service request for a target application server to an AKMA authentication proxy; after the proxy has authenticated and authorized the UE, the service request and the UE's authentication result are forwarded to the target application server for processing. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security.
Additional aspects and advantages of this application will be given in part in the following description, will in part become apparent from it, or will be learned through practice of the application.
Brief description of the drawings
The above and/or additional aspects and advantages of this application will become apparent and easy to understand from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a schematic flowchart of a secure communication method according to an embodiment of this application;
Fig. 2 is a schematic flowchart of a secure communication method according to an embodiment of this application;
Fig. 3 is a schematic flowchart of a secure communication method according to an embodiment of this application;
Fig. 4 is a schematic flowchart of a secure communication method according to an embodiment of this application;
Fig. 5 is a schematic flowchart of a secure communication method according to an embodiment of this application;
Fig. 6 is a schematic flowchart of a secure communication method according to an embodiment of this application;
Fig. 7 is a schematic flowchart of a secure communication method according to an embodiment of this application;
Fig. 8 is a schematic flowchart of a secure communication method according to an embodiment of this application;
Fig. 9 is a sequence diagram of a secure communication method according to an embodiment of this application;
Fig. 10 is a block diagram of a secure communication apparatus according to an embodiment of this application;
Fig. 11 is a block diagram of a secure communication apparatus according to an embodiment of this application;
Fig. 12 is a block diagram of a secure communication apparatus according to an embodiment of this application;
Fig. 13 is a schematic structural diagram of a communication apparatus according to an embodiment of this application;
Fig. 14 is a schematic structural diagram of a chip provided by an embodiment of this application.
Detailed description
Embodiments of this application are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary and are intended to explain this application; they are not to be construed as limiting it. Where there is no conflict, the embodiments of this application and the features within them may be combined with one another.
The terminology used in the embodiments of this disclosure is for the purpose of describing particular embodiments only and is not intended to limit them. The singular forms "a", "an" and "the" used in these embodiments and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the embodiments of this disclosure to describe various pieces of information, such information is not limited by these terms; they serve only to distinguish information of the same type from one another. For example, without departing from the scope of the embodiments, first information may also be called second information and, similarly, second information may be called first information. Depending on context, the word "if" as used herein may be interpreted as "at the time of", "when" or "in response to determining".
For ease of understanding, the terms involved in this embodiment are introduced first.
1. Authentication and Key Management for Applications based on 3GPP credentials (AKMA)
An important feature introduced in 5G security: the authentication and security mechanisms of the operator network are used to provide authentication and session-key capabilities to third-party applications, so that the session between the user equipment (UE) and an application server is protected.
2. AKMA Anchor Function (AAnF)
Located in the home network; its main roles are to generate the session key between the UE and the application server and to maintain the security context with the UE. AKMA provides the 5G network with end-to-end (user-to-application) security protection.
3. Authentication Server Function (AUSF)
The AUSF receives the Access and Mobility Management Function (AMF)'s request to authenticate the UE, requests key material from the Unified Data Management (UDM), and forwards the key material issued by the UDM to the AMF for authentication processing.
In the embodiments below, AKMA, AAnF and AUSF may be network function modules on the core network side.
3GPP SA3 specified Authentication and Key Management for Applications based on 3GPP credentials (AKMA) in 3GPP TS 33.535 [1]. The AKMA feature has been adopted as the solution for protecting communication between the UE and an Application Function (AF) in scenarios such as ProSe and MSGin5G.
3GPP TS 33.222 specifies the use of an authentication proxy in the Generic Bootstrapping Architecture (GBA), where the Authentication Proxy (AP) is a proxy residing between the UE and the Application Server (AS). It helps reduce the consumption of authentication vectors and/or minimize sequence number (SQN) synchronization failures, and relieves the AS of security tasks. This is beneficial when different application servers (or, in AKMA, application functions) reside in the same trust domain or on the same edge node: through the AP, those application servers can rely on the AP to run the AKMA procedure, which is more cost-efficient than each application server running the AKMA procedure on its own. Since AKMA has been adopted as a solution in Mobile Edge Computing (MEC), and different application servers may reside in the same edge cloud or belong to the same service provider, it is worthwhile to consider the feasibility of introducing a similar proxy into AKMA. However, there is no existing solution that supports an authentication proxy (AP) in the AKMA scenario.
To this end, this embodiment proposes a secure communication method and apparatus that provide an effective solution for supporting an authentication proxy in the AKMA scenario, meeting more service requirements while preserving communication security.
The secure communication method and apparatus provided by this application are described in detail below with reference to the drawings.
Fig. 1 shows a schematic flowchart of a secure communication method according to an embodiment of this application. As shown in Fig. 1, the method is applied to an AKMA authentication proxy and may include the following steps.
Step 101: the AKMA authentication proxy receives a service request for a target application server sent by a UE.
The service request may carry identification information of the target application server and the UE's A-KID, the AKMA key identifier. Before sending the service request, the UE may derive the AKMA anchor key (K_AKMA) and the A-KID from the key K_AUSF of the Authentication Server Function (AUSF) network element, so that the A-KID can be carried in the service request.
Optionally, the identification information of the target application server may include at least the target application server's FQDN, Ua* security protocol identifier, IP address and port number. For example, it may include an application function identifier (AS-ID), a Domain Name System (DNS) name, the target application server's IP address and its port number. The application function identifier may consist of the target application server's FQDN and the Ua* security protocol identifier, where the Ua* security protocol identifier determines which security protocol the target application server will use with the UE.
In this embodiment, the AKMA authentication proxy may have the same application function identifier as the target application server, that identifier consisting of the FQDN corresponding to the application function and the Ua* security protocol identifier. The target application server thus shares the same domain name with the AKMA authentication proxy, so that when the UE sends a service request to the target application server, the request first reaches the AKMA authentication proxy, which performs authentication and authorization as described in step 102.
Step 102: the AKMA authentication proxy authenticates and authorizes the UE according to the UE's A-KID and the identification information of the target application server, and determines whether the UE is authorized to access the target application server.
After receiving the service request the UE addressed to the target application server, the AKMA authentication proxy may perform authentication and authorization according to a pre-configured policy, the UE's A-KID and the identification information of the target application server, and determine whether to authorize the UE to access the target application server that corresponds to that identification information. If the UE is not authorized to access the target application server, the proxy may return an error code to the UE to indicate that access to the target application server failed. If the UE is authorized, step 103 is performed.
Step 103: in response to the UE being authorized to access the target application server, the AKMA authentication proxy forwards the service request and the UE's authentication result to the target application server.
After receiving the UE's service request and the UE's authentication result forwarded by the AKMA authentication proxy, the target application server can confirm from the authentication result that the UE has been authenticated and authorized by the proxy, process the service request safely, and return the service response for that request to the UE via the AKMA authentication proxy. Correspondingly, after forwarding the service request and the UE's authentication result to the target application server, the AKMA authentication proxy may send the target application server's service response to the UE.
By applying the secure communication method of this embodiment, an effective solution for supporting an authentication proxy in the AKMA scenario is provided: the UE first sends its service request for the target application server to the AKMA authentication proxy, and after the proxy has authenticated and authorized the UE, the service request and the UE's authentication result are forwarded to the target application server for processing. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Fig. 2 shows a schematic flowchart of a secure communication method according to an embodiment of this application. The method is applied to an AKMA authentication proxy and builds on the embodiment of Fig. 1; as shown in Fig. 2, it may include the following steps.
Step 201: the AKMA authentication proxy receives a session establishment request sent by the UE, the session establishment request carrying the UE's A-KID.
Step 202: the AKMA authentication proxy establishes a TLS connection between itself and the UE according to the UE's A-KID.
Optionally, establishing the TLS connection between the AKMA authentication proxy and the UE according to the UE's A-KID may include: the AKMA authentication proxy sends an AKMA application key request to the AKMA Anchor Function (AAnF), the key request carrying the UE's A-KID and the proxy's application function identifier (the same application function identifier as the target application server's), which consists of an FQDN and a Ua* security protocol identifier; the AKMA authentication proxy receives the first key K_AF that the AAnF returns according to the UE's A-KID and the proxy's application function identifier; then, based on this first key K_AF and the second key K_AF on the UE side, the proxy performs mutual authentication with the UE and establishes the TLS connection between them. In this optional way the TLS connection between the AKMA authentication proxy and the UE is established correctly, ensuring that subsequent secure communication between them proceeds smoothly. Only once a TLS connection exists between the UE and the AKMA authentication proxy does the proxy forward the UE's service request to the target application server, which effectively protects the communication between the UE and the target application server.
For example, on the proxy side, the AKMA authentication proxy sends the AAnF an AKMA application key request carrying the UE's A-KID; the AAnF locates the corresponding first anchor key K_AKMA from the A-KID and derives from it the proxy's AKMA application key, i.e. the proxy-side first key K_AF. On the UE side, a second anchor key K_AKMA may be obtained in advance from the AUSF key K_AUSF, and the second key K_AF is derived from that anchor key in combination with the identification information of the target application server (such as its FQDN). Mutual authentication between the AKMA authentication proxy and the UE is then performed on the basis of the first key K_AF and the UE-side second key K_AF (i.e. verifying that the proxy-side first K_AF and the UE-side second K_AF are identical; neither side transmits its K_AF, each instead proves possession of it through the Ua* security protocol, which for TLS is a pre-shared-key handshake keyed with K_AF), and the TLS connection between the proxy and the UE is established.
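The derivation chain described above (K_AUSF to K_AKMA and A-KID on the UE; K_AKMA plus an application function identifier to K_AF on both the UE and the AAnF), as an added Python example; it is not code from this application or from 3GPP. The generic key derivation function (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...) is the one from 3GPP TS 33.220 Annex B, and the FC values 0x80, 0x81 and 0x82 are those given for K_AKMA, A-TID and K_AF in 3GPP TS 33.535 Annex A. The sample K_AUSF, SUPI, routing indicator, realm and the Ua* security protocol identifier bytes are constructed, and the hex encoding of the A-TID inside the A-KID username is an assumption of this example. The scenario shows why the application gives the proxy and the target application server the same application function identifier: the AAnF derives K_AF for the proxy from the proxy's FQDN || Ua* identifier, and the result only matches the UE's K_AF when the UE derived its key from the same identifier.

```python
import hashlib
import hmac
from typing import Optional

# FC values from 3GPP TS 33.535 Annex A (Release 17).
FC_K_AKMA = 0x80  # K_AKMA = KDF(K_AUSF, FC, "AKMA", SUPI)
FC_A_TID = 0x81   # A-TID  = KDF(K_AUSF, FC, "A-TID", SUPI)
FC_K_AF = 0x82    # K_AF   = KDF(K_AKMA, FC, AF_ID)

# Constructed Ua* security protocol identifier (5 octets). The real code points are
# assigned in 3GPP TS 33.220 Annex H and are not reproduced here.
UA_STAR_TLS_PSK = bytes.fromhex("0100010002")


def kdf_input(fc: int, *params: bytes) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 ..., each Li a 2-octet big-endian length
    (3GPP TS 33.220 Annex B.2)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP generic KDF: HMAC-SHA-256(key, S)."""
    return hmac.new(key, kdf_input(fc, *params), hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: bytes) -> bytes:
    return kdf(k_ausf, FC_K_AKMA, b"AKMA", supi)


def derive_a_tid(k_ausf: bytes, supi: bytes) -> bytes:
    return kdf(k_ausf, FC_A_TID, b"A-TID", supi)


def build_a_kid(routing_indicator: str, a_tid: bytes, realm: str) -> str:
    """A-KID in NAI form: username = RID || A-TID, realm = home network identifier.
    Hex-encoding the A-TID here is an assumption of this example."""
    return f"{routing_indicator}{a_tid.hex()}@{realm}"


def af_id(fqdn: str, ua_star_id: bytes) -> bytes:
    """AF_ID = FQDN of the application function || Ua* security protocol identifier."""
    return fqdn.encode("ascii") + ua_star_id


def derive_k_af(k_akma: bytes, af_identifier: bytes) -> bytes:
    return kdf(k_akma, FC_K_AF, af_identifier)


def aanf_key_request(anchor_store: dict, a_kid: str, af_identifier: bytes) -> Optional[bytes]:
    """AAnF side of the AKMA application key request: look up K_AKMA by A-KID and derive
    K_AF for the requesting application function. Returns None when the A-KID is unknown,
    the case the page maps to a session-establishment failure reported back to the UE."""
    k_akma = anchor_store.get(a_kid)
    if k_akma is None:
        return None
    return derive_k_af(k_akma, af_identifier)


def run_scenario() -> dict:
    # Constructed sample values: a 256-bit K_AUSF and an IMSI-based SUPI.
    k_ausf = bytes.fromhex("00112233445566778899aabbccddeeff"
                           "ffeeddccbbaa99887766554433221100")
    supi = b"imsi-460001234567890"
    realm = "5gc.mnc000.mcc460.3gppnetwork.org"

    # UE side: K_AUSF -> K_AKMA and A-KID, done before the first contact with the proxy.
    k_akma_ue = derive_k_akma(k_ausf, supi)
    a_kid = build_a_kid("0", derive_a_tid(k_ausf, supi), realm)

    # AAnF side: K_AKMA indexed by A-KID (the AAnF receives it from the AUSF in TS 33.535).
    anchor_store = {a_kid: derive_k_akma(k_ausf, supi)}

    # Proxy and target AS share one application function identifier.
    shared_af_id = af_id("as.example.com", UA_STAR_TLS_PSK)

    # UE derives K_AF from the identification of the target AS it is contacting.
    k_af_ue = derive_k_af(k_akma_ue, shared_af_id)
    # Proxy asks the AAnF for K_AF with its own (identical) AF_ID.
    k_af_proxy = aanf_key_request(anchor_store, a_kid, shared_af_id)
    # A proxy with a different FQDN would receive a K_AF the UE cannot match.
    k_af_other = aanf_key_request(anchor_store, a_kid,
                                  af_id("proxy.example.com", UA_STAR_TLS_PSK))
    # An A-KID the AAnF holds no context for yields no key at all.
    k_af_unknown = aanf_key_request(anchor_store, "0deadbeef@" + realm, shared_af_id)

    return {"a_kid": a_kid, "k_af_ue": k_af_ue, "k_af_proxy": k_af_proxy,
            "k_af_other": k_af_other, "k_af_unknown": k_af_unknown}


if __name__ == "__main__":
    result = run_scenario()
    print("A-KID:", result["a_kid"])
    print("proxy K_AF == UE K_AF:", result["k_af_ue"] == result["k_af_proxy"])
    print("other-FQDN K_AF == UE K_AF:", result["k_af_ue"] == result["k_af_other"])
```

Only the FQDN || Ua* identifier enters the K_AF derivation, so the proxy and every target application server behind it must be reachable under that same identifier; otherwise the key the AAnF hands the proxy is not the one the UE will use in the handshake.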
Step 203: over the established TLS connection, the AKMA authentication proxy receives the service request for the target application server sent by the UE, the service request carrying the identification information of the target application server and the UE's A-KID.
Step 204: the AKMA authentication proxy authenticates and authorizes the UE according to the UE's A-KID and the identification information of the target application server, and determines whether the UE is authorized to access the target application server.
The specific implementation of step 204 is the same as that of step 102 and is not repeated here.
Step 205: in response to the AKMA authentication proxy authorizing the UE to access the target application server, the proxy forwards the service request and the UE's authentication result to the target application server.
The specific implementation of step 205 is the same as that of step 103 and is not repeated here.
By applying the secure communication method of this embodiment, an effective solution for supporting an authentication proxy in the AKMA scenario is provided: the UE first sends its service request for the target application server to the AKMA authentication proxy, and after the proxy has authenticated and authorized the UE, the service request and the UE's authentication result are forwarded to the target application server for processing. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Fig. 3 shows a schematic flowchart of a secure communication method according to an embodiment of this application. The method is applied to an AKMA authentication proxy and builds on the embodiment of Fig. 1; as shown in Fig. 3, it may include the following steps.
Step 301: the AKMA authentication proxy receives a service request for a target application server sent by the UE.
The service request may carry the identification information of the target application server and the UE's A-KID.
In this embodiment, on receiving the UE's service request for the target application server, the AKMA authentication proxy first determines whether a secure TLS connection has already been established with the UE, and proceeds according to the result.
Step 302: according to the UE's A-KID, determine whether the AKMA authentication proxy has already established a TLS connection with the UE.
Step 303a: in response to a TLS connection already existing between the AKMA authentication proxy and the UE, the proxy determines, according to its preset policy and the identification information of the target application server, whether the UE is authorized to access the target application server.
When the UE attempts to connect to a target application server supported by the AKMA authentication proxy, the proxy needs to check whether a TLS connection with that UE exists. If it does, the proxy and the UE can trust each other, and the proxy may decide on the UE's access to the target application server according to its preset policy and the identification information of the target application server. The preset policy can be set according to actual service requirements; for example, if the target application server corresponding to that identification has no access restriction and a TLS connection with the UE already exists, the proxy may authorize the UE to access it.
Step 303b, in parallel with step 303a: in response to no TLS connection existing between the AKMA authentication proxy and the UE, establish a TLS connection between them according to the UE's A-KID, and require the UE to send the service request for the target application server after the TLS connection has been established, the service request carrying the identification information of the target application server and the UE's A-KID.
In this embodiment, if no TLS connection exists between the AKMA authentication proxy and the UE, the proxy must establish one according to the UE's A-KID and require the UE to resend the service request. The reason is that the first request was sent without a TLS connection, so its contents may have been tampered with in transit. The A-KID can be verified by the network side, so tampering with it would be detected by the proxy; tampering with the identification information of the target application server, however, cannot be detected, so that information must only be transmitted after the secure TLS connection has been established. The proxy therefore establishes the TLS connection with the UE and then requires the UE to resend the service request carrying the identification information of the target application server and the UE's A-KID.
Optionally, establishing the TLS connection between the AKMA authentication proxy and the UE according to the UE's A-KID may include: the AKMA authentication proxy sends an AKMA application key request to the AKMA Anchor Function (AAnF), the key request carrying the UE's A-KID and the proxy's application function identifier (the same application function identifier as the target application server's), which consists of an FQDN and a Ua* security protocol identifier; the proxy receives the first key K_AF that the AAnF returns according to the UE's A-KID and the proxy's application function identifier; then, based on this first key K_AF and the second key K_AF on the UE side, the proxy performs mutual authentication with the UE and establishes the TLS connection between them. The specific implementation is the same as in the example given for step 202 and is not repeated here.
In this optional way the TLS connection between the AKMA authentication proxy and the UE is established correctly, ensuring that subsequent secure communication between them proceeds smoothly. Only once a TLS connection exists between the UE and the AKMA authentication proxy does the proxy forward the UE's service request to the target application server, which effectively protects the communication between the UE and the target application server.
Step 304b: the AKMA authentication proxy receives the service request for the target application server sent by the UE and determines, according to its preset policy and the identification information of the target application server carried in the service request, whether the UE is authorized to access the target application server.
Step 305: in response to the AKMA authentication proxy authorizing the UE to access the target application server, the proxy forwards the service request and the UE's authentication result to the target application server.
It should be noted that although the embodiment of Fig. 3 is described on the basis of the embodiment of Fig. 1, it may likewise be based on the embodiment of Fig. 2; this is not repeated here.
By applying the secure communication method of this embodiment, an effective solution for supporting an authentication proxy in the AKMA scenario is provided: the UE first sends its service request for the target application server to the AKMA authentication proxy, and after the proxy has authenticated and authorized the UE, the service request and the UE's authentication result are forwarded to the target application server for processing. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Fig. 4 is a schematic flowchart of a secure communication method according to an embodiment of this application. The method is applied to an AKMA authentication proxy and builds on the embodiment of Fig. 1; as shown in Fig. 4, it may include the following steps.
Step 401: the AKMA authentication proxy receives a service request for a target application server sent by the UE.
The service request may carry the identification information of the target application server and the UE's A-KID.
Step 402: the AKMA authentication proxy authenticates and authorizes the UE according to the UE's A-KID and the identification information of the target application server, and determines whether the UE is authorized to access the target application server.
The specific implementation of step 402 is the same as that of step 102 and is not repeated here.
Step 403: in response to the AKMA authentication proxy authorizing the UE to access the target application server, determine, based on the proxy's preset policy, whether the target application server is entitled to, and needs, the UE's identity information.
The preset policy can be configured in advance to decide whether the target application server is entitled to and needs the UE's identity information, so as to meet the requirements of specific service scenarios; for example, the target application server may need the UE's identity information in order to retrieve the service associated with that identity and return it to the UE.
Step 404: in response to the target application server being entitled to and needing the UE's identity information, send the UE's identity information, the UE's service request and the UE's authentication result to the target application server; otherwise, send the UE's service request and the UE's authentication result to the target application server.
The UE's identity information may include the UE's Generic Public Subscription Identifier (GPSI) and/or Subscription Permanent Identifier (SUPI). For example, if the target application server needs the UE's identity information, the AKMA authentication proxy sends the target application server the UE's service request, the UE's SUPI/GPSI and the UE's authentication result; if the target application server does not need the UE's identity information, the proxy sends it the UE's service request and the UE's authentication result only.
If the target application server is outside the 3rd Generation Partnership Project (3GPP) operator domain, then, to meet the corresponding service requirements, sending the UE's identity information, service request and authentication result to the target application server in response to its being entitled to and needing the UE's identity information may optionally include: in response to the target application server being outside the 3GPP operator domain, sending the UE's GPSI to the target application server. That is, if the target application server is outside the 3GPP operator domain, the AKMA authentication proxy may send it only the UE's Generic Public Subscription Identifier, the GPSI, and not the SUPI.
Further optionally, after sending the UE's identity information, service request and authentication result to the target application server, the method of this embodiment may further include: according to the service response information returned by the target application server, sending corresponding authorization information and the service response to the UE. In this optional way the UE learns promptly that its identity information was required, and can report this to the user.
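The proxy-side decisions of Figs. 3 and 4 (first check for an existing TLS session keyed by the A-KID, then apply the preset policy for the requested target application server, then decide whether and which UE identity is disclosed), as an added Python example; it is not code from this application. The policy entries, A-KIDs, SUPI/GPSI values, the numeric error code and the message layouts are constructed for the example. One check that goes beyond the page's text is included and marked as such: the A-KID carried inside the service request must equal the A-KID bound to the TLS session the request arrived on, otherwise one UE could claim another subscriber's key identifier.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    TLS_REQUIRED = "tls_required"  # step 303b: establish TLS first, then the UE resends
    ERROR = "error"                # step 102: not authorized, error code returned to the UE
    FORWARD = "forward"            # steps 103/404: request + authentication result to the AS


@dataclass(frozen=True)
class TargetAS:
    """One entry of the proxy's preset policy (constructed fields)."""
    fqdn: str
    ua_star_id: bytes
    ip: str
    port: int
    in_operator_domain: bool      # False -> only the GPSI may be disclosed (step 404)
    entitled_to_ue_identity: bool
    needs_ue_identity: bool


@dataclass(frozen=True)
class ServiceRequest:
    a_kid: str
    target_fqdn: str
    target_ua_star_id: bytes
    target_ip: str
    target_port: int
    payload: bytes


@dataclass(frozen=True)
class UeSession:
    """What the proxy keeps for a UE once the K_AF-based TLS connection is up."""
    a_kid: str
    supi: str
    gpsi: str


class AkmaAuthProxy:
    def __init__(self, policy: dict[tuple[str, bytes], TargetAS]):
        self.policy = policy
        self.sessions: dict[str, UeSession] = {}   # A-KID -> authenticated TLS session

    def tls_established(self, session: UeSession) -> None:
        self.sessions[session.a_kid] = session

    def handle(self, req: ServiceRequest, conn_a_kid: Optional[str]):
        """conn_a_kid is the A-KID bound to the TLS connection the request arrived on,
        or None when the request came in the clear."""
        # Step 302/303b: no TLS session yet -> establish one, then require a resend.
        if conn_a_kid is None or conn_a_kid not in self.sessions:
            return Verdict.TLS_REQUIRED, {"a_kid": req.a_kid, "resend_after_tls": True}
        session = self.sessions[conn_a_kid]
        # Added check (not in the page's text): request A-KID must match the session's.
        if req.a_kid != session.a_kid:
            return Verdict.ERROR, {"code": 403, "reason": "a_kid_mismatch"}
        # Step 303a: preset policy keyed by AF identifier (FQDN, Ua* id), plus IP/port.
        target = self.policy.get((req.target_fqdn, req.target_ua_star_id))
        if target is None or (target.ip, target.port) != (req.target_ip, req.target_port):
            return Verdict.ERROR, {"code": 403, "reason": "target_not_authorized"}
        forwarded = {
            "service_request": req.payload,
            "auth_result": {"a_kid": session.a_kid, "authenticated": True,
                            "authorized_for": target.fqdn},
        }
        # Steps 403/404: identity only if entitled and needed; GPSI only outside the domain.
        if target.entitled_to_ue_identity and target.needs_ue_identity:
            identity = {"gpsi": session.gpsi}
            if target.in_operator_domain:
                identity["supi"] = session.supi
            forwarded["ue_identity"] = identity
        return Verdict.FORWARD, forwarded


UA_TLS = bytes.fromhex("0100010002")  # constructed Ua* security protocol identifier


def build_demo_proxy() -> AkmaAuthProxy:
    entries = [
        TargetAS("bank.operator.example", UA_TLS, "10.0.0.10", 443, True, True, True),
        TargetAS("game.partner.example", UA_TLS, "203.0.113.5", 443, False, True, True),
        TargetAS("news.operator.example", UA_TLS, "10.0.0.11", 443, True, False, True),
    ]
    return AkmaAuthProxy({(e.fqdn, e.ua_star_id): e for e in entries})


def request_for(a_kid: str, fqdn: str, ip: str) -> ServiceRequest:
    return ServiceRequest(a_kid, fqdn, UA_TLS, ip, 443, b"GET /balance")


def run_scenario() -> list:
    proxy = build_demo_proxy()
    a_kid = "0a1b2c@5gc.mnc000.mcc460.3gppnetwork.org"   # constructed A-KID
    out = []
    # 1. First contact in the clear: the proxy refuses to act until TLS exists.
    out.append(proxy.handle(request_for(a_kid, "bank.operator.example", "10.0.0.10"), None))
    proxy.tls_established(UeSession(a_kid, "imsi-460001234567890", "msisdn-8613800000000"))
    # 2. In-domain AS entitled to and needing identity: SUPI and GPSI are forwarded.
    out.append(proxy.handle(request_for(a_kid, "bank.operator.example", "10.0.0.10"), a_kid))
    # 3. AS outside the operator domain: GPSI only.
    out.append(proxy.handle(request_for(a_kid, "game.partner.example", "203.0.113.5"), a_kid))
    # 4. AS not entitled to identity: request and authentication result only.
    out.append(proxy.handle(request_for(a_kid, "news.operator.example", "10.0.0.11"), a_kid))
    # 5. AS absent from the policy: error code back to the UE.
    out.append(proxy.handle(request_for(a_kid, "evil.example", "198.51.100.9"), a_kid))
    # 6. Request claims another subscriber's A-KID over this UE's TLS session.
    out.append(proxy.handle(request_for("0ffff@other.realm", "bank.operator.example",
                                        "10.0.0.10"), a_kid))
    return out
```

The target identification is checked as a whole (FQDN, Ua* identifier, IP and port) against the policy rather than by FQDN alone, since the page lists all four as part of the identification the UE supplies; a request whose IP or port does not match the policy entry for that FQDN is rejected like an unknown server.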
It should be noted that although the embodiment of Fig. 4 is described on the basis of the embodiment of Fig. 1, it may likewise be based on the embodiments of Fig. 2 and/or Fig. 3; this is not repeated here.
By applying the secure communication method of this embodiment, an effective solution for supporting an authentication proxy in the AKMA scenario is provided: the UE first sends its service request for the target application server to the AKMA authentication proxy, and after the proxy has authenticated and authorized the UE, the service request and the UE's authentication result are forwarded to the target application server for processing. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Fig. 5 is a schematic flowchart of a secure communication method according to an embodiment of this application. As shown in Fig. 5, the method is applied to a user equipment (UE) and may include the following steps.
Step 501: the UE sends a service request for a target application server to the AKMA authentication proxy.
The service request may carry the identification information of the target application server and the UE's A-KID, the AKMA key identifier. Optionally, the identification information of the target application server may include at least the target application server's FQDN, Ua* security protocol identifier, IP address and port number. For example, it may include an application function identifier, a DNS name, the target application server's IP address and its port number, where the application function identifier may consist of the target application server's FQDN and the Ua* security protocol identifier.
In this embodiment, the AKMA authentication proxy may have the same application function identifier as the target application server, that identifier consisting of the FQDN corresponding to the application function and the Ua* security protocol identifier, so that the target application server shares the same domain name with the AKMA authentication proxy. Accordingly, step 501 may optionally include: obtaining the address of the AKMA authentication proxy from the identification information of the target application server, and then sending the service request to that address.
In this optional way, when the UE sends a service request to the target application server, the request is first sent to the AKMA authentication proxy, which performs authentication and authorization, and only if the proxy authorizes access to the target application server does it forward the service request to that server, which improves the security of the communication between the UE and the target application server. For the specific authentication and authorization procedure, see the implementations of the methods shown in Figs. 1 to 4; it is not repeated here.
Step 502: the UE receives the response information returned by the AKMA authentication proxy.
Optionally, step 502 may include: the UE receives error code information sent by the AKMA authentication proxy, or a service response returned by the target application server. For example, after the proxy's authentication and authorization, if the UE is not authorized to access the target application server, it receives an error code from the proxy indicating that access to the target application server failed; if the UE is authorized, it receives the target application server's service response via the proxy. If, during this process, the proxy determines that the target application server is entitled to and needs the UE's identity information, it sends the UE's identity information, service request and authentication result to the target application server, and the UE correspondingly receives the authorization information and service response that the proxy sends it according to the service response information returned by the target application server. The UE thus learns promptly that its identity information was required and can report this to the user.
By applying the secure communication method of this embodiment, the UE first sends its service request for the target application server to the AKMA authentication proxy, and after the proxy has authenticated and authorized the UE, the service request and the UE's authentication result are forwarded to the target application server for processing, which amounts to an effective solution for supporting an authentication proxy in the AKMA scenario. Moreover, the same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Fig. 6 shows a schematic flowchart of a secure communication method according to an embodiment of this application. The method is applied to a user equipment (UE) and builds on the embodiment of Fig. 5; as shown in Fig. 6, it may include the following steps.
Step 601: obtain the AKMA anchor key K_AKMA and the UE's A-KID based on the key K_AUSF of the AUSF network element.
K_AKMA can be used, together with the identification information of the target application server, to obtain the key K_AF, and K_AF is used to establish the TLS connection with the AKMA authentication proxy.
In this embodiment, before initiating communication with the AKMA authentication proxy, the UE may derive K_AKMA and its A-KID from the AUSF key K_AUSF; when it initiates communication with the proxy, it may include the derived A-KID in the application session establishment request message (see clause 6.1 of 3GPP TS 33.535). The UE may obtain K_AF either before or after sending that message, for example by deriving the UE-side K_AF from K_AKMA combined with the identification information of the target application server.
On receiving the application session establishment request from the UE, the AKMA authentication proxy obtains the UE's A-KID and sends the AAnF an AKMA application key request carrying it; if the proxy is outside the 3GPP operator domain, it may send the request to the AAnF via the Network Exposure Function (NEF). After the AAnF has determined, according to its preset policy, that it may serve this proxy, it checks whether it can find the K_AKMA corresponding to the A-KID. If it can, and it does not yet hold a proxy-side key K_AF, it derives the proxy's AKMA application key from that K_AKMA, i.e. the proxy-side K_AF. If no K_AKMA can be found for the A-KID, the AAnF returns an error response to the proxy, and the proxy in turn returns a session establishment failure response to the UE, after which the UE can retry by sending the proxy a new application session establishment request carrying its latest A-KID.
Once the AKMA authentication proxy has obtained its K_AF, it can use that key to authenticate the UE, i.e. verify it against the UE-side K_AF; if authentication succeeds, the TLS connection between the UE and the proxy is established and the two sides can then communicate securely.
Step 602: the UE sends a service request for the target application server to the AKMA authentication proxy.
The service request may carry the identification information of the target application server and the UE's A-KID.
After the TLS connection between the UE and the AKMA authentication proxy has been established, the proxy, on receiving the UE's service request and having authorized the UE's access to the target application server according to its preset policy, sends the UE's service request and the UE's authentication result to the target application server for processing.
Step 603: the UE receives the response information returned by the AKMA authentication proxy.
For the description and details of steps 602 to 603, see the implementations of the methods shown in Figs. 1 to 3; they are not repeated here.
By applying the secure communication method of this embodiment, the UE first sends its service request for the target application server to the AKMA authentication proxy, and after the proxy has authenticated and authorized the UE, the service request and the UE's authentication result are forwarded to the target application server for processing, which amounts to an effective solution for supporting an authentication proxy in the AKMA scenario. Moreover, the same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Fig. 7 shows a schematic flowchart of a secure communication method according to an embodiment of this application. As shown in Fig. 7, the method is applied to a target application server and may include the following steps.
Step 701: the target application server receives the UE's service request and the UE's authentication result sent by the AKMA authentication proxy.
The UE's service request may carry the identification information of the target application server and the UE's A-KID, the AKMA key identifier. Optionally, the identification information of the target application server may include at least the target application server's FQDN, Ua* security protocol identifier, IP address and port number. For example, it may include an application function identifier, a DNS name, the target application server's IP address and its port number, where the application function identifier may consist of the target application server's FQDN and the Ua* security protocol identifier.
Step 702: according to the UE's authentication result, the target application server sends a service response for the service request to the UE via the AKMA authentication proxy.
Optionally, step 702 may include: in response to the UE having passed authentication and authorization by the AKMA authentication proxy, the target application server returns the service response to the UE via the proxy. For example, after receiving the UE's service request and authentication result forwarded by the proxy, the target application server can confirm from the authentication result that the UE has been authenticated and authorized by the proxy, process the service request safely, and send the service response for that request to the UE via the proxy.
By applying the secure communication method of this embodiment, an effective solution for supporting an authentication proxy in the AKMA scenario is provided: the UE first sends its service request for the target application server to the AKMA authentication proxy, and after the proxy has authenticated and authorized the UE, the service request and the UE's authentication result are forwarded to the target application server for processing. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Fig. 8 shows a schematic flowchart of a secure communication method according to an embodiment of this application. The method is applied to a target application server and builds on the embodiment of Fig. 7; as shown in Fig. 8, it may include the following steps.
Step 801: the target application server receives the UE's service request, the UE's authentication result and the UE's identity information sent by the AKMA authentication proxy.
After receiving the UE's service request, the AKMA authentication proxy authenticates and authorizes the UE according to the UE's A-KID and the identification information of the target application server and determines that the UE is authorized to access the target application server. In response to that authorization, the proxy determines, based on its preset policy, whether the target application server is entitled to and needs the UE's identity information; if it is and does, the target application server receives from the proxy the UE's service request, the UE's authentication result and the UE's identity information, which may include the UE's GPSI and/or SUPI.
Step 802: according to the UE's authentication result, the target application server sends a service response for the service request to the UE via the AKMA authentication proxy.
If the UE has been authorized by the AKMA authentication proxy to access the target application server, the target application server can process the UE's service request, for example processing it on the basis of the UE's identity information, and then return the service response information for that request to the proxy. According to the service response information returned by the target application server, the proxy sends the corresponding authorization information and the service response to the UE.
By applying the secure communication method of this embodiment, an effective solution for supporting an authentication proxy in the AKMA scenario is provided: the UE first sends its service request for the target application server to the AKMA authentication proxy, and after the proxy has authenticated and authorized the UE, the service request and the UE's authentication result are forwarded to the target application server for processing. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Fig. 9 is a sequence diagram of a secure communication method according to an embodiment of this application. The method is applied to a secure communication system that includes an AKMA authentication proxy, a user equipment (UE) and a target application server. The AKMA authentication proxy receives the service request for the target application server sent by the UE, the service request carrying the identification information of the target application server and the UE's A-KID; the proxy authenticates and authorizes the UE according to the A-KID and the identification information of the target application server, determines whether the UE is authorized to access the target application server and, in response to the UE being authorized, forwards the service request and the UE's authentication result to the target application server; the target application server, according to the UE's authentication result, sends a service response for the service request to the UE via the AKMA authentication proxy.
Referring to Fig. 9, the method includes the following steps.
Step 901: the UE sends an application session establishment request to the AKMA authentication proxy.
The application session establishment request carries the UE's A-KID. Before initiating communication with the AKMA authentication proxy, the UE may derive K_AKMA and its A-KID from the AUSF key K_AUSF, and when it initiates communication with the proxy it may include the derived A-KID in the application session establishment request message.
Step 902: the AKMA authentication proxy sends an AKMA application key request to the AAnF.
The application key request carries the UE's A-KID. On receiving the application session establishment request from the UE, the AKMA authentication proxy obtains the UE's A-KID and sends the AAnF an AKMA application key request carrying that A-KID.
Step 903: the AAnF obtains the proxy-side key K_AF according to the UE's A-KID.
After the AAnF has determined, according to its preset policy, that it may serve this proxy, it checks whether it can find the K_AKMA corresponding to the A-KID. If it can, and it does not yet hold a proxy-side key K_AF, it derives the proxy's AKMA application key from that K_AKMA, i.e. the proxy-side K_AF. If no K_AKMA can be found for the A-KID, the AAnF returns an error response to the proxy, and the proxy in turn returns a session establishment failure response to the UE, after which the UE can retry by sending the proxy a new application session establishment request carrying its latest A-KID.
Step 904: the AAnF sends the key K_AF to the AKMA authentication proxy.
Step 905: the AKMA authentication proxy returns a response to the session establishment request to the UE.
Step 906: based on the proxy-side key K_AF and the UE-side key K_AF, mutual authentication is performed between the AKMA authentication proxy and the UE.
For example, the proxy-side K_AF and the UE-side K_AF are compared: if the two keys are identical, mutual authentication between the proxy and the UE succeeds. In the Ua* security protocol each side demonstrates possession of K_AF rather than disclosing it, so a successful handshake is what establishes that the two keys match.
Step 907: in response to successful mutual authentication between the AKMA authentication proxy and the UE, the TLS connection between them is established.
Step 908: the UE sends a service request for the target application server to the AKMA authentication proxy.
Since a TLS connection has already been established between the AKMA authentication proxy and the UE, the proxy determines, according to its preset policy and the identification information of the target application server, whether the UE is authorized to access the target application server; if it decides to authorize the UE, step 909 is performed.
Step 909: the AKMA authentication proxy forwards the UE's service request and the UE's authentication result to the target application server.
After receiving the UE's service request and authentication result forwarded by the proxy, the target application server can confirm from the authentication result that the UE has been authenticated and authorized by the proxy, process the service request safely, and return the service response for that request to the UE via the proxy.
Step 910: the AKMA authentication proxy returns the target application server's service response to the UE.
By applying the secure communication method of this embodiment, an effective solution for supporting an authentication proxy in the AKMA scenario is provided: the UE first sends its service request for the target application server to the AKMA authentication proxy, and after the proxy has authenticated and authorized the UE, the service request and the UE's authentication result are forwarded to the target application server for processing. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
In the embodiments above, the methods provided by this application have been described from the perspective of the network device and of the user equipment respectively. To implement the functions of those methods, the network device and the user equipment may include a hardware structure, software modules, or a combination of both; any one of the functions may be performed by a hardware structure, a software module, or a hardware structure together with a software module.
Corresponding to the secure communication methods of the embodiments above, this application also provides a secure communication apparatus. Since the apparatus corresponds to the methods, the implementations of the methods also apply to the apparatus of this embodiment and are not described again in detail here.
Fig. 10 is a schematic structural diagram of a secure communication apparatus provided by an embodiment of this application; the apparatus can be used in an AKMA authentication proxy.
As shown in Fig. 10, the apparatus may include: a receiving module 1010 for receiving a service request for a target application server sent by a UE, the service request carrying the identification information of the target application server and the UE's AKMA key identifier (A-KID); an authentication module 1020 for authenticating and authorizing the UE according to the A-KID and the identification information of the target application server, to determine whether the UE is authorized to access the target application server; and a sending module 1030 for forwarding the service request and the UE's authentication result to the target application server in response to the UE being authorized to access it.
In some embodiments, the receiving module 1010 is further used, before receiving the service request for the target application server sent by the UE, to receive a session establishment request sent by the UE carrying the UE's A-KID and to establish a TLS connection with the UE according to that A-KID; receiving the service request for the target application server sent by the UE then includes receiving the service request over the established TLS connection.
In some embodiments, the identification information of the target application server includes at least an FQDN, a Ua* security protocol identifier, an IP address and a port number.
In some embodiments, the authentication module 1020 is used to determine whether a TLS connection has already been established with the UE and, in response to a TLS connection having been established, to determine according to the preset policy of the AKMA authentication proxy and the identification information of the target application server whether the UE is authorized to access the target application server.
In some embodiments, the authentication module 1020 is further used, in response to no TLS connection having been established with the UE, to establish a TLS connection with the UE according to the A-KID and to require the UE to send the service request for the target application server after the TLS connection has been established, the service request carrying the identification information of the target application server and the UE's A-KID.
In some embodiments, the authentication module 1020 is further used to send an AKMA application key request to the AKMA Anchor Function (AAnF), the key request carrying the A-KID and the application function identifier of the AKMA authentication proxy (which includes an FQDN and a Ua* security protocol identifier); to receive the first key K_AF returned by the AAnF according to the A-KID and that application function identifier; and, based on the first key K_AF and the UE-side second key K_AF, to perform mutual authentication with the UE and establish the TLS connection with the UE.
In some embodiments, the sending module 1030 is further used, after sending the service request and the UE's authentication result to the target application server, to send the target application server's service response to the UE.
In some embodiments, the sending module 1030 is further used to determine, based on the preset policy of the AKMA authentication proxy, whether the target application server is entitled to and needs the UE's identity information; in response to its being entitled to and needing that information, to send the UE's identity information, the service request and the UE's authentication result to the target application server; and otherwise to send the service request and the UE's authentication result to the target application server.
In some embodiments, the sending module 1030 is further used, after sending the UE's identity information, the service request and the UE's authentication result to the target application server, to send corresponding authorization information and the service response to the UE according to the service response information returned by the target application server.
In some embodiments, the sending module 1030 is further used, in response to the target application server being outside the 3GPP operator domain, to send the UE's Generic Public Subscription Identifier (GPSI) to the target application server.
In some embodiments, the AKMA authentication proxy and the target application server have the same application function identifier, which includes the FQDN corresponding to the application function and the Ua* security protocol identifier.
This embodiment amounts to an effective solution for supporting an authentication proxy in the AKMA scenario. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Fig. 11 is a schematic structural diagram of a secure communication apparatus provided by an embodiment of this application. The apparatus can be used in a user equipment (UE).
As shown in Fig. 11, the apparatus may include: a sending module 1110 for sending a service request for a target application server to an Authentication and Key Management for Applications (AKMA) authentication proxy, the service request carrying the identification information of the target application server and the UE's AKMA key identifier (A-KID); and a receiving module 1120 for receiving the response information returned by the AKMA authentication proxy.
In some embodiments, the sending module 1110 is further used, before sending the service request for the target application server to the AKMA authentication proxy, to obtain the AKMA anchor key K_AKMA and the A-KID based on the key K_AUSF of the Authentication Server Function (AUSF) network element, where K_AKMA is used together with the identification information of the target application server to obtain the key K_AF, and K_AF is used to establish the Transport Layer Security (TLS) connection with the AKMA authentication proxy.
In some embodiments, the sending module 1110 is further used to obtain the address of the AKMA authentication proxy from the identification information of the target application server, which includes at least the target application server's FQDN, Ua* security protocol identifier, IP address and port number, and to send the service request to that address.
In some embodiments, the receiving module 1120 is used to receive error code information sent by the AKMA authentication proxy, or a service response returned by the target application server.
This embodiment amounts to an effective solution for supporting an authentication proxy in the AKMA scenario. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Fig. 12 is a schematic structural diagram of a secure communication apparatus provided by an embodiment of this application. The apparatus can be used in a target application server.
As shown in Fig. 12, the apparatus may include: a receiving module 1210 for receiving, from an Authentication and Key Management for Applications (AKMA) authentication proxy, a service request originating from a user equipment (UE) together with the UE's authentication result, the service request carrying the identification information of the target application server and the UE's AKMA key identifier (A-KID); and a sending module 1220 for sending, according to the UE's authentication result, a service response for the service request to the UE via the AKMA authentication proxy.
In some embodiments, the sending module 1220 is used, in response to the UE having passed authentication and authorization by the AKMA authentication proxy, to return the service response to the UE via the AKMA authentication proxy.
In some embodiments, the receiving module 1210 is used to receive the UE's service request, the UE's authentication result and the UE's identity information sent by the AKMA authentication proxy.
This embodiment amounts to an effective solution for supporting an authentication proxy in the AKMA scenario. The same AKMA authentication proxy can serve multiple target application servers, so a UE can communicate with multiple target application servers through a single proxy, which improves communication efficiency between the UE and those servers while preserving communication security and meeting more service requirements.
Referring to Fig. 13, which is a schematic structural diagram of a communication apparatus 1300 provided by this embodiment. The communication apparatus 1300 may be a network device or a user equipment, or a chip, chip system or processor that supports a network device or a user equipment in implementing the methods above. The apparatus can be used to implement the methods described in the method embodiments above; for details, see the description of those embodiments.
The communication apparatus 1300 may include one or more processors 1301. A processor 1301 may be a general-purpose processor or a dedicated processor, for example a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data; the central processing unit may be used to control the communication apparatus (e.g. a base station, a baseband chip, a terminal device, a terminal-device chip, a DU or a CU), to execute computer programs and to process their data.
Optionally, the communication apparatus 1300 may further include one or more memories 1302, on which a computer program 1304 may be stored; the processor 1301 executes the computer program 1304 so that the communication apparatus 1300 performs the methods described in the method embodiments above. Optionally, data may also be stored in the memory 1302. The communication apparatus 1300 and the memory 1302 may be provided separately or integrated together.
Optionally, the communication apparatus 1300 may further include a transceiver 1305 and an antenna 1306. The transceiver 1305 may be called a transceiver unit, a transceiver or a transceiver circuit, and is used to implement the transmit and receive functions. The transceiver 1305 may include a receiver and a transmitter; the receiver may be called a receiver or receiving circuit and implements the receive function, and the transmitter may be called a transmitter or transmitting circuit and implements the transmit function.
Optionally, the communication apparatus 1300 may further include one or more interface circuits 1307. The interface circuit 1307 is used to receive code instructions and pass them to the processor 1301. The processor 1301 runs the code instructions so that the communication apparatus 1300 performs the methods described in the method embodiments above.
In one implementation, the processor 1301 may include a transceiver for implementing the receive and transmit functions; for example, that transceiver may be a transceiver circuit, an interface or an interface circuit. The transceiver circuit, interface or interface circuit used to implement the receive and transmit functions may be separate or integrated. The transceiver circuit, interface or interface circuit may be used to read and write code or data, or to transmit or convey signals.
In one implementation, the processor 1301 may store a computer program 1303 which, when run on the processor 1301, causes the communication apparatus 1300 to perform the methods described in the method embodiments above. The computer program 1303 may be fixed in the processor 1301, in which case the processor 1301 may be implemented in hardware.
In one implementation, the communication apparatus 1300 may include circuitry that implements the sending, receiving or communication functions of the method embodiments above. The processor and transceiver described in this application may be implemented on an integrated circuit (IC), an analog IC, a radio-frequency integrated circuit (RFIC), a mixed-signal IC, an application-specific integrated circuit (ASIC), a printed circuit board (PCB), an electronic device, and so on. The processor and transceiver may also be manufactured with various IC process technologies, such as complementary metal-oxide-semiconductor (CMOS), N-type metal-oxide-semiconductor (NMOS), P-type metal-oxide-semiconductor (PMOS), bipolar junction transistor (BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), and so on.
The communication apparatus described in the embodiments above may be a network device or a user equipment, but the scope of the communication apparatus described in this application is not limited to these, and its structure need not be limited by Fig. 13. The communication apparatus may be a stand-alone device or part of a larger device. For example, the communication apparatus may be:
(1) a stand-alone integrated circuit (IC), a chip, or a chip system or subsystem;
(2) a set of one or more ICs, which optionally may also include storage components for storing data and computer programs;
(3) an ASIC, such as a modem;
(4) a module that can be embedded in another device;
(5) a receiver, terminal device, smart terminal device, cellular phone, wireless device, handset, mobile unit, vehicle-mounted device, network device, cloud device, artificial intelligence device, and so on;
(6) others.
Where the communication apparatus is a chip or chip system, refer to the schematic structural diagram of the chip shown in Fig. 14. The chip shown in Fig. 14 includes a processor 1401 and an interface 1402; there may be one or more processors 1401 and multiple interfaces 1402.
Optionally, the chip further includes a memory 1403, which is used to store the necessary computer programs and data.
Those skilled in the art will also appreciate that the various illustrative logical blocks and steps listed in the embodiments of this application may be implemented by electronic hardware, computer software, or a combination of the two. Whether such functions are implemented in hardware or software depends on the particular application and the design requirements of the overall system. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be understood as going beyond the scope of protection of the embodiments of this application.
This application also provides a readable storage medium on which instructions are stored; when the instructions are executed by a computer, the functions of any of the method embodiments above are implemented.
This application also provides a computer program product which, when executed by a computer, implements the functions of any of the method embodiments above.
The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. A computer program product includes one or more computer programs. When the computer programs are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a dedicated computer, a computer network or another programmable apparatus. The computer programs may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data center to another by wire (e.g. coaxial cable, optical fiber or digital subscriber line (DSL)) or wirelessly (e.g. infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g. a floppy disk, hard disk or magnetic tape), an optical medium (e.g. a digital video disc (DVD)) or a semiconductor medium (e.g. a solid state disk (SSD)), among others.
Those of ordinary skill in the art will understand that the various numberings such as "first" and "second" in this application are used only to distinguish items for convenience of description; they neither limit the scope of the embodiments of this application nor indicate any order.
"At least one" in this application may also be described as one or more, and "multiple" may be two, three, four or more; this application does not limit it. In the embodiments of this application, for a given kind of technical feature, individual features of that kind are distinguished by "first", "second", "third", "A", "B", "C", "D" and so on, and the features so labelled are in no particular order of sequence or size.
As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, device and/or apparatus (e.g. magnetic disks, optical disks, memories, programmable logic devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including machine-readable media that receive machine instructions as machine-readable signals. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
The systems and techniques described here may be implemented in a computing system that includes back-end components (e.g. as a data server), a computing system that includes middleware components (e.g. an application server), a computing system that includes front-end components (e.g. a user computer with a graphical user interface or web browser through which the user can interact with implementations of the systems and techniques described here), or a computing system that includes any combination of such back-end, middleware or front-end components. The components of the system may be interconnected by any form or medium of digital data communication (e.g. a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN) and the Internet.
A computer system may include clients and servers. Clients and servers are generally remote from each other and typically interact through a communication network. The client-server relationship arises from computer programs running on the respective computers and having a client-server relationship with each other.
It should be understood that the various forms of flow shown above may be used, with steps reordered, added or deleted. For example, the steps recorded in this application may be performed in parallel, sequentially or in a different order, as long as the results expected by the technical solution of this application can be achieved; no limitation is imposed here.
Furthermore, it should be understood that the various embodiments described in this application may be implemented on their own or, where the solution allows, combined with other embodiments.
Those of ordinary skill in the art will recognize that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. Professionals may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the method embodiments above and are not repeated here.
The above are only specific embodiments of this application, but the scope of protection of this application is not limited to them; any changes or substitutions that a person familiar with the art can readily conceive within the technical scope disclosed in this application shall fall within its scope of protection. The scope of protection of this application shall therefore be that of the claims.

Claims (24)

  1. A secure communication method, applied to an Authentication and Key Management for Applications (AKMA) authentication proxy, the method comprising:
    receiving a service request for a target application server sent by a user equipment (UE), wherein the service request carries identification information of the target application server and an AKMA key identifier (A-KID) of the UE;
    authenticating and authorizing the UE according to the A-KID and the identification information of the target application server, to determine whether the UE is authorized to access the target application server; and
    in response to the UE being authorized to access the target application server, forwarding the service request and an authentication result of the UE to the target application server.
  2. The method of claim 1, wherein before receiving the service request for the target application server sent by the UE, the method further comprises:
    receiving a session establishment request sent by the UE, the session establishment request carrying the A-KID of the UE; and
    establishing a TLS connection with the UE according to the A-KID of the UE;
    and wherein receiving the service request for the target application server sent by the UE comprises:
    receiving the service request sent by the UE over the established TLS connection.
  3. The method of claim 1, wherein authenticating and authorizing the UE according to the A-KID and the identification information of the target application server, to determine whether the UE is authorized to access the target application server, comprises:
    determining, according to the A-KID, whether a Transport Layer Security (TLS) connection has already been established with the UE; and
    in response to a TLS connection having been established with the UE, determining whether the UE is authorized to access the target application server according to a preset policy of the AKMA authentication proxy and the identification information of the target application server.
  4. The method of claim 3, wherein authenticating and authorizing the UE according to the A-KID and the identification information of the target application server, to determine whether the UE is authorized to access the target application server, further comprises:
    in response to no TLS connection having been established with the UE, establishing a TLS connection with the UE according to the A-KID, and requiring the UE to send the service request for the target application server after the TLS connection has been established, wherein the service request carries the identification information of the target application server and the A-KID of the UE.
  5. The method of claim 2 or 4, wherein establishing the TLS connection with the UE according to the A-KID comprises:
    sending an AKMA application key request to the AKMA Anchor Function (AAnF), the key request carrying the A-KID and an application function identifier of the AKMA authentication proxy, wherein the application function identifier of the AKMA authentication proxy comprises a Fully Qualified Domain Name (FQDN) and a Ua* security protocol identifier;
    receiving a first key K_AF returned by the AAnF according to the A-KID and the application function identifier of the AKMA authentication proxy; and
    performing mutual authentication with the UE based on the first key K_AF and a second key K_AF on the UE side, and establishing the TLS connection with the UE.
  6. The method of claim 1, wherein the identification information of the target application server comprises at least an FQDN, a Ua* security protocol identifier, an IP address and a port number.
  7. The method of claim 1, wherein after sending the service request and the authentication result of the UE to the target application server, the method further comprises:
    sending a service response of the target application server to the UE.
  8. The method of claim 1, wherein, in response to the UE being authorized to access the target application server, sending the service request and the authentication result of the UE to the target application server comprises:
    determining, based on a preset policy of the AKMA authentication proxy, whether the target application server is entitled to and needs identity information of the UE;
    in response to the target application server being entitled to and needing the identity information of the UE, sending the identity information of the UE, the service request and the authentication result of the UE to the target application server; and
    otherwise, sending the service request and the authentication result of the UE to the target application server.
  9. The method of claim 8, wherein after sending the identity information of the UE, the service request and the authentication result of the UE to the target application server, the method further comprises:
    sending corresponding authorization information and a service response to the UE according to service response information returned by the target application server.
  10. The method of claim 8, wherein, in response to the target application server being entitled to and needing the identity information of the UE, sending the identity information of the UE, the service request and the authentication result of the UE to the target application server comprises:
    in response to the target application server being outside the 3GPP operator domain, sending a Generic Public Subscription Identifier (GPSI) of the UE to the target application server.
  11. The method of claim 1, wherein the AKMA authentication proxy and the target application server have the same application function identifier, the application function identifier comprising the FQDN corresponding to the application function and a Ua* security protocol identifier.
  12. A secure communication method, applied to a user equipment (UE), the method comprising:
    sending a service request for a target application server to an Authentication and Key Management for Applications (AKMA) authentication proxy, wherein the service request carries identification information of the target application server and an AKMA key identifier (A-KID) of the UE; and
    receiving response information returned by the AKMA authentication proxy.
  13. The method of claim 12, wherein before sending the service request for the target application server to the AKMA authentication proxy, the method further comprises:
    obtaining an AKMA anchor key K_AKMA and the A-KID based on a key K_AUSF of an Authentication Server Function (AUSF) network element;
    wherein K_AKMA is used, together with the identification information of the target application server, to obtain a key K_AF, and the key K_AF is used to establish a Transport Layer Security (TLS) connection with the AKMA authentication proxy.
  14. The method of claim 12, wherein sending the service request for the target application server to the AKMA authentication proxy comprises:
    obtaining an address of the AKMA authentication proxy from the identification information of the target application server, wherein the identification information of the target application server comprises at least a Fully Qualified Domain Name (FQDN) of the target application server, a Ua* security protocol identifier, an IP address and a port number; and
    sending the service request according to the address of the AKMA authentication proxy.
  15. The method of claim 12, wherein receiving the response information returned by the AKMA authentication proxy comprises:
    receiving error code information sent by the AKMA authentication proxy, or a service response returned by the target application server.
  16. A secure communication method, applied to a target application server, the method comprising:
    receiving a service request of a user equipment (UE) and an authentication result of the UE sent by an Authentication and Key Management for Applications (AKMA) authentication proxy, the service request carrying identification information of the target application server and an AKMA key identifier (A-KID) of the UE; and
    according to the authentication result of the UE, sending a service response for the service request to the UE via the AKMA authentication proxy.
  17. The method of claim 16, wherein, according to the authentication result of the UE, sending the service response for the service request to the UE via the AKMA authentication proxy comprises:
    in response to the UE having passed authentication and authorization by the AKMA authentication proxy, returning the service response to the UE via the AKMA authentication proxy.
  18. The method of claim 16 or 17, wherein receiving the service request of the UE and the authentication result of the UE sent by the AKMA authentication proxy comprises:
    receiving the service request of the UE, the authentication result of the UE and identity information of the UE sent by the AKMA authentication proxy.
  19. A secure communication apparatus, applied to an Authentication and Key Management for Applications (AKMA) authentication proxy, comprising:
    a receiving module for receiving a service request for a target application server sent by a user equipment (UE), wherein the service request carries identification information of the target application server and an AKMA key identifier (A-KID) of the UE;
    an authentication module for authenticating and authorizing the UE according to the A-KID and the identification information of the target application server, to determine whether the UE is authorized to access the target application server; and
    a sending module for forwarding the service request and an authentication result of the UE to the target application server in response to the UE being authorized to access the target application server.
  20. A secure communication apparatus, applied to a user equipment (UE), comprising:
    a sending module for sending a service request for a target application server to an Authentication and Key Management for Applications (AKMA) authentication proxy, wherein the service request carries identification information of the target application server and an AKMA key identifier (A-KID) of the UE; and
    a receiving module for receiving response information returned by the AKMA authentication proxy.
  21. A secure communication apparatus, applied to a target application server, comprising:
    a receiving module for receiving a service request originating from a user equipment (UE) and an authentication result of the UE sent by an Authentication and Key Management for Applications (AKMA) authentication proxy, the service request carrying identification information of the target application server and an AKMA key identifier (A-KID) of the UE; and
    a sending module for sending, according to the authentication result of the UE, a service response for the service request to the UE via the AKMA authentication proxy.
  22. A secure communication system, comprising an Authentication and Key Management for Applications (AKMA) authentication proxy, a user equipment (UE) and a target application server, wherein:
    the AKMA authentication proxy receives a service request for the target application server sent by the UE, wherein the service request carries identification information of the target application server and an AKMA key identifier (A-KID) of the UE;
    the AKMA authentication proxy authenticates and authorizes the UE according to the A-KID and the identification information of the target application server, determines whether the UE is authorized to access the target application server and, in response to the UE being authorized to access the target application server, forwards the service request and an authentication result of the UE to the target application server; and
    the target application server, according to the authentication result of the UE, sends a service response for the service request to the UE via the AKMA authentication proxy.
  23. A communication device, comprising: a transceiver; a memory; and a processor connected to the transceiver and the memory respectively, configured to control wireless signal transmission and reception of the transceiver by executing computer-executable instructions stored in the memory, and capable of implementing the method of any one of claims 1 to 18.
  24. A computer storage medium, wherein the computer storage medium stores computer-executable instructions which, when executed by a processor, are capable of implementing the method of any one of claims 1 to 18.
PCT/CN2022/099964 2022-06-20 2022-06-20 Secure communication method and apparatus WO2023245388A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202280002198.XA CN117616792A (zh) 2022-06-20 2022-06-20 Secure communication method and apparatus
PCT/CN2022/099964 WO2023245388A1 (zh) 2022-06-20 2022-06-20 Secure communication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/099964 WO2023245388A1 (zh) 2022-06-20 2022-06-20 Secure communication method and apparatus

Publications (1)

Publication Number Publication Date
WO2023245388A1 true WO2023245388A1 (zh) 2023-12-28

Family

ID=89378988

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/099964 WO2023245388A1 (zh) 2022-06-20 2022-06-20 Secure communication method and apparatus

Country Status (2)

Country Link
CN (1) CN117616792A (zh)
WO (1) WO2023245388A1 (zh)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020095938A1 (en) * 2018-11-06 2020-05-14 Nec Corporation Apparatus and method
CN111866871A (zh) * 2019-04-29 2020-10-30 Huawei Technologies Co., Ltd. Communication method and apparatus
WO2022035369A1 (en) * 2020-08-13 2022-02-17 Telefonaktiebolaget Lm Ericsson (Publ) Authentication in a communication network

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS) (Release 17)", 3GPP TS 33.535 V17.5.0, 3GPP Mobile Competence Centre, 650 route des Lucioles, F-06921 Sophia-Antipolis Cedex, France, 24 March 2022, pages 1-25, XP052144806 *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS) (Release 17)", 3GPP TS 33.222 V17.0.0, SA WG3, 3GPP Mobile Competence Centre, 650 route des Lucioles, F-06921 Sophia-Antipolis Cedex, France, 25 June 2021, pages 1-37, XP052029774 *
SAMSUNG, VERIZON: "New AAnF application key get service without SUPI", 3GPP draft S3-220569, SA WG3 e-meeting 2022-02-14 to 2022-02-25, 3GPP Mobile Competence Centre, 650 route des Lucioles, F-06921 Sophia-Antipolis Cedex, France, 28 February 2022, XP052118211 *
ZTE: "Update the solution #6", 3GPP draft S3-213340, SA WG3 e-meeting 2021-09-27 to 2021-09-30, 3GPP Mobile Competence Centre, 650 route des Lucioles, F-06921 Sophia-Antipolis Cedex, France, 20 September 2021, XP052060177 *

Also Published As

Publication number Publication date
CN117616792A (zh) 2024-02-27

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase; Ref document number: 202280002198.X; Country of ref document: CN
121 Ep: the epo has been informed by wipo that ep was designated in this application; Ref document number: 22947169; Country of ref document: EP; Kind code of ref document: A1